From b251485612f1fe23374d7054987121ca44bb37ea Mon Sep 17 00:00:00 2001 From: Joost de Bruijn Date: Sat, 12 Jul 2025 12:10:08 +0000 Subject: [PATCH 1/3] fix: check priv_key_bits only for relevant private key types --- ext/openssl/openssl_backend_common.c | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/ext/openssl/openssl_backend_common.c b/ext/openssl/openssl_backend_common.c index 42b70c72a9cd0..8f9ff54263457 100644 --- a/ext/openssl/openssl_backend_common.c +++ b/ext/openssl/openssl_backend_common.c @@ -1437,17 +1437,16 @@ static const char *php_openssl_get_evp_pkey_name(int key_type) { EVP_PKEY *php_openssl_generate_private_key(struct php_x509_request * req) { - if (req->priv_key_bits < MIN_KEY_LENGTH) { - php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", - MIN_KEY_LENGTH, req->priv_key_bits); - return NULL; - } - int type = php_openssl_get_evp_pkey_type(req->priv_key_type); if (type < 0) { php_error_docref(NULL, E_WARNING, "Unsupported private key type"); return NULL; } + if ((type == EVP_PKEY_RSA || type == EVP_PKEY_DSA || type == EVP_PKEY_DH) && req->priv_key_bits < MIN_KEY_LENGTH) { + php_error_docref(NULL, E_WARNING, "Private key length must be at least %d bits, configured to %d", + MIN_KEY_LENGTH, req->priv_key_bits); + return NULL; + } const char *name = php_openssl_get_evp_pkey_name(req->priv_key_type); int egdsocket, seeded; From 94238fb5766748849edacaec43c504bec5d41146 Mon Sep 17 00:00:00 2001 From: Joost de Bruijn Date: Sat, 12 Jul 2025 12:30:58 +0000 Subject: [PATCH 2/3] test: add tests for key length enforcement --- .../openssl_key_type_bits_enforcement.phpt | 59 +++++++++++++++++++ 1 file changed, 59 insertions(+) create mode 100644 ext/openssl/tests/openssl_key_type_bits_enforcement.phpt diff --git a/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt b/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt new file mode 100644 index 0000000000000..c443128ea533b --- /dev/null +++ b/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt @@ -0,0 +1,59 @@ +--TEST-- +openssl: test key type and bit length enforcement in php_openssl_generate_private_key +--EXTENSIONS-- +openssl +--SKIPIF-- + +--FILE-- += MIN_KEY_LENGTH +foreach ([OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH] as $type) { + test_key($type, 2048); // valid +} +// Should succeed: EC with curve only + test_key(OPENSSL_KEYTYPE_EC); +// Should succeed: EC with bits too low + test_key(OPENSSL_KEYTYPE_EC, 256); +?> +--EXPECT-- +bool(false) +bool(false) +bool(false) +bool(true) +bool(true) +bool(true) +bool(true) +bool(true) \ No newline at end of file From bf267a5f21a678b27d2665d8dce12ad1ad19d1c0 Mon Sep 17 00:00:00 2001 From: Joost de Bruijn Date: Sun, 13 Jul 2025 13:38:44 +0000 Subject: [PATCH 3/3] test: smaller key size to speed up tests --- ext/openssl/tests/openssl_key_type_bits_enforcement.phpt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt b/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt index c443128ea533b..66b22b6626286 100644 --- a/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt +++ b/ext/openssl/tests/openssl_key_type_bits_enforcement.phpt @@ -41,7 +41,7 @@ foreach ([OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH] as $type } // Should succeed: RSA, DSA, DH with bits >= MIN_KEY_LENGTH foreach ([OPENSSL_KEYTYPE_RSA, OPENSSL_KEYTYPE_DSA, OPENSSL_KEYTYPE_DH] as $type) { - test_key($type, 2048); // valid + test_key($type, 1024); // valid, but small to keep test fast } // Should succeed: EC with curve only test_key(OPENSSL_KEYTYPE_EC);