Closed mrVrAlex closed 1 month ago
This is a breaking change in OpenSSL to fix a padding oracle in this specific OPENSSL_PKCS1_PADDING algorithm. When you updated the Alpine image you pulled in a new version of OpenSSL with that fix included.
See also https://github.com/php/php-src/security/advisories/GHSA-hh26-4ppw-5864 for a full explanation.
In short: this is a deliberate change in OpenSSL and PHP can't do anything about this.
Just a note here that without those changes, PHP is vulnerable to the Marvin Attack, so PHP does not want to do anything about this. You should ideally try to update your application to use the OPENSSL_PKCS1_OAEP_PADDING padding algorithm if you can.
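To make the recommended migration concrete, here is an added example (not code from the issue or from php-src) that runs both paddings through PHP's own openssl_* functions against a deliberately corrupted ciphertext. The key pair and message are constructed for the demo, and the PKCS#1 v1.5 result for the corrupted input depends on whether the linked OpenSSL carries the implicit-rejection fix the maintainer describes.

```php
<?php
// Added example: OPENSSL_PKCS1_PADDING vs OPENSSL_PKCS1_OAEP_PADDING under a
// corrupted ciphertext. Assumes PHP 8.x with ext-openssl; the RSA key pair and
// the message below are constructed here for the demo, not taken from the issue.

$privKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$publicPem = openssl_pkey_get_details($privKey)['key'];

function roundTrip(string $plaintext, $privKey, string $publicPem, int $padding): array
{
    openssl_public_encrypt($plaintext, $ciphertext, $publicPem, $padding);

    // Constructed corruption: flip the lowest bit of the last byte, which keeps
    // the value below the modulus but destroys the padding structure on decrypt.
    $tampered = $ciphertext;
    $last = strlen($tampered) - 1;
    $tampered[$last] = chr(ord($tampered[$last]) ^ 0x01);

    $okGood = openssl_private_decrypt($ciphertext, $decrypted, $privKey, $padding);
    $okBad  = openssl_private_decrypt($tampered, $garbage, $privKey, $padding);

    return [
        // OAEP: the decrypt of the corrupted input returns false, so the caller
        // can detect tampering from the return value alone.
        // PKCS#1 v1.5 on an OpenSSL with implicit rejection (the Alpine 3.20
        // behaviour reported above): the call returns true with random-looking
        // bytes instead of an error, so a false return can no longer be relied
        // on to detect a bad ciphertext. Older OpenSSL builds return false here.
        'good_returns' => $okGood,
        'good_matches' => $okGood && hash_equals($plaintext, $decrypted),
        'bad_returns'  => $okBad,
        'bad_len'      => $okBad ? strlen($garbage) : 0,
    ];
}

$msg = 'constructed sample message';
echo "OAEP:\n";
print_r(roundTrip($msg, $privKey, $publicPem, OPENSSL_PKCS1_OAEP_PADDING));
echo "PKCS#1 v1.5:\n";
print_r(roundTrip($msg, $privKey, $publicPem, OPENSSL_PKCS1_PADDING));
```

With OAEP the application gets a clean false on the corrupted input regardless of the OpenSSL version, which is why switching paddings is the fix rather than checking the return value more carefully.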
Description
Hello, try running the following code in two docker images
php:8.3.11-alpine3.20
php:8.3.11-alpine3.19
and check the results.
openssl_private_decrypt is not returning an error. In the old Alpine version the result is as expected.
https://3v4l.org/vrTcG#v8.3.11
Resulted (for alpine 3.20) in this output:
But I expected this output instead (alpine 3.19):
Please help me understand. Is it a problem with OpenSSL in Alpine, or is it a problem somewhere in the PHP source?
PHP Version
PHP 8.3.11
Operating System
Alpine 3.20