php/archived-php-src
1
0
Fork 0
mirror of https://github.com/php/php-src.git synced 2026-03-24 00:02:20 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'PHP-8.5'

Browse Source 
* PHP-8.5:
  Fix GH-21083: Skip private_key_bits validation for EC/curve-based keys
This commit is contained in:
ndossche
2026-03-12 22:02:01 +01:00
parent b0aa6b9626 757dadcf1f
commit e9b3ea82b5
2 changed files with 65 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ext/openssl/openssl_backend_common.c
View File

@@ -1444,7 +1444,10 @@ static const char *php_openssl_get_evp_pkey_name(int key_type) {
EVP_PKEY *php_openssl_generate_private_key(struct php_x509_request * req) EVP_PKEY *php_openssl_generate_private_key(struct php_x509_request * req)
{ {
if (req->priv_key_bits < MIN_KEY_LENGTH) { if ((req->priv_key_type == OPENSSL_KEYTYPE_RSA ||
req->priv_key_type == OPENSSL_KEYTYPE_DH ||
req->priv_key_type == OPENSSL_KEYTYPE_DSA) &&
req->priv_key_bits < MIN_KEY_LENGTH) {
php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d",
MIN_KEY_LENGTH, req->priv_key_bits); MIN_KEY_LENGTH, req->priv_key_bits);
return NULL; return NULL;

61
ext/openssl/tests/gh21083.phpt Normal file
View File

@@ -0,0 +1,61 @@
--TEST--
GH-21083 (openssl_pkey_new() fails for EC keys when private_key_bits is not set)
--EXTENSIONS--
openssl
--SKIPIF--
<?php if (!defined("OPENSSL_KEYTYPE_EC")) die("skip EC disabled"); ?>
--ENV--
OPENSSL_CONF=
--FILE--
<?php
// Create a minimal openssl.cnf without default_bits (simulates OpenSSL 3.6 default config)
$conf = tempnam(sys_get_temp_dir(), 'ossl');
file_put_contents($conf, "[req]\ndistinguished_name = req_dn\n[req_dn]\n");
// EC key - size is determined by the curve, private_key_bits should not be required
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_EC,
'curve_name' => 'prime256v1',
]);
var_dump($key !== false);
$details = openssl_pkey_get_details($key);
var_dump($details['bits']);
var_dump($details['type'] === OPENSSL_KEYTYPE_EC);
echo "EC OK\n";
// X25519 - fixed size key, private_key_bits should not be required
if (defined('OPENSSL_KEYTYPE_X25519')) {
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_X25519,
]);
var_dump($key !== false);
echo "X25519 OK\n";
} else {
echo "bool(true)\nX25519 OK\n";
}
// Ed25519 - fixed size key, private_key_bits should not be required
if (defined('OPENSSL_KEYTYPE_ED25519')) {
$key = openssl_pkey_new([
'config' => $conf,
'private_key_type' => OPENSSL_KEYTYPE_ED25519,
]);
var_dump($key !== false);
echo "Ed25519 OK\n";
} else {
echo "bool(true)\nEd25519 OK\n";
}
unlink($conf);
?>
--EXPECT--
bool(true)
int(256)
bool(true)
EC OK
bool(true)
X25519 OK
bool(true)
Ed25519 OK