php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Fix GH-21083: Skip private_key_bits validation for EC/curve-based keys

Browse Source 
openssl_pkey_new() checks private_key_bits >= 384 before generating any
key. For EC, X25519, ED25519, X448, and ED448 the size is inherent to
the curve or algorithm, so this check doesn't apply and causes failures
when default_bits is missing from openssl.cnf (which is the case in
OpenSSL 3.6's default config).

Skip the minimum-bits check for key types that don't use private_key_bits.

Closes GH-21387.
This commit is contained in:
Ilia Alshanetsky
2026-03-08 17:56:29 -04:00
committed by ndossche
parent 284fd7779d
commit 7950482562
3 changed files with 69 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
NEWS
View File

@@ -5,6 +5,10 @@ PHP NEWS
- Bz2: - Bz2:
. Fix truncation of total output size causing erroneous errors. (ndossche) . Fix truncation of total output size causing erroneous errors. (ndossche)
- OpenSSL:
. Fixed bug GH-21083 (Skip private_key_bits validation for EC/curve-based
keys). (iliaal)
- PCRE: - PCRE:
. Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl, . Fixed re-entrancy issue on php_pcre_match_impl, php_pcre_replace_impl,
php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier) php_pcre_split_impl, and php_pcre_grep_impl. (David Carlier)

5
ext/openssl/openssl.c
View File

@@ -3828,7 +3828,10 @@ static int php_openssl_get_evp_pkey_type(int key_type) {
/* {{{ php_openssl_generate_private_key */ /* {{{ php_openssl_generate_private_key */
static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req) static EVP_PKEY * php_openssl_generate_private_key(struct php_x509_request * req)
{ {
if (req->priv_key_bits < MIN_KEY_LENGTH) { if ((req->priv_key_type == OPENSSL_KEYTYPE_RSA ||
req->priv_key_type == OPENSSL_KEYTYPE_DH ||
req->priv_key_type == OPENSSL_KEYTYPE_DSA) &&
req->priv_key_bits < MIN_KEY_LENGTH) {
php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
MIN_KEY_LENGTH, req->priv_key_bits); MIN_KEY_LENGTH, req->priv_key_bits);
return NULL; return NULL;

61
ext/openssl/tests/gh21083.phpt Normal file
View File

@@ -0,0 +1,61 @@
--TEST--
GH-21083 (openssl_pkey_new() fails for EC keys when private_key_bits is not set)
--EXTENSIONS--
openssl
--SKIPIF--
<?php if (!defined("OPENSSL_KEYTYPE_EC")) die("skip EC disabled"); ?>
--ENV--
OPENSSL_CONF=
--FILE--
<?php
// Create a minimal openssl.cnf without default_bits (simulates OpenSSL 3.6 default config)
$conf = tempnam(sys_get_temp_dir(), 'ossl');
file_put_contents($conf, "[req]\ndistinguished_name = req_dn\n[req_dn]\n");
// EC key - size is determined by the curve, private_key_bits should not be required
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_EC,
'curve_name' => 'prime256v1',
]);
var_dump($key !== false);
$details = openssl_pkey_get_details($key);
var_dump($details['bits']);
var_dump($details['type'] === OPENSSL_KEYTYPE_EC);
echo "EC OK\n";
// X25519 - fixed size key, private_key_bits should not be required
if (defined('OPENSSL_KEYTYPE_X25519')) {
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_X25519,
]);
var_dump($key !== false);
echo "X25519 OK\n";
} else {
echo "bool(true)\nX25519 OK\n";
}
// Ed25519 - fixed size key, private_key_bits should not be required
if (defined('OPENSSL_KEYTYPE_ED25519')) {
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_ED25519,
]);
var_dump($key !== false);
echo "Ed25519 OK\n";
} else {
echo "bool(true)\nEd25519 OK\n";
}
unlink($conf);
?>
--EXPECT--
bool(true)
int(256)
bool(true)
EC OK
bool(true)
X25519 OK
bool(true)
Ed25519 OK