Skip to content

openssl_pkey_derive segfaults for DH derive with low key_length param #19428

New issue
New issue
Closed
Bug
Closed
openssl_pkey_derive segfaults for DH derive with low key_length param#19428
Bug
Assignees
bukka
Labels
BugExtension: openssl
@bukka

Description

@bukka
bukka
opened on Aug 8, 2025

Description

This script

<?php

$priv = openssl_pkey_get_private("-----BEGIN PRIVATE KEY-----
MIICJgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAJLxRCaZ933uW+AXmabHFDDy
upojBIRlbmQLJZfigDaSA1f9YOTsIv+WwVFTX/J1mtCyx9uBcz0Nt2kmVwxWuc2f
VtCEMPsmLsVXX7xRUFLpyX1Y1IYGBVXQOoOvLWYQjpZgnx47Pkh1Ok1+smffztfC
0DCNt4KorWrbsPcmqBejXHN79KvWFjZmXOksRiNu/Bn76RiqvofC4z8Ri3kHXQG2
197JGZzzFXHadGC3xbkg8UxsNbYhVMKbm0iANfafUH7/hoS9UjAVQYtvwe7YNiW/
HnyfVCrKwcc7sadd8Iphh+3lf5P1AhaQEAMytanrzq9RDXKBxuvpSJifRYasZYsC
AQIEggEEAoIBAGwAYC2E81Y1U2Aox0U7u1+vBcbht/OO87tutMvc4NTLf6NLPHsW
cPqBixs+3rSn4fADzAIvdLBmogjtiIZoB6qyHrllF/2xwTVGEeYaZIupQH3bMK2b
6eUvnpuu4Ytksiz6VpXBBRMrIsj3frM+zUtnq8vKUr+TbjV2qyKR8l3eNDwzqz30
dlbKh9kIhZafclHfRVfyp+fVSKPfgrRAcLUgAbsVjOjPeJ90xQ4DTMZ6vjiv6tHM
hkSjJIcGhRtSBzVF/cT38GyCeTmiIA/dRz2d70lWrqDQCdp9ArijgnpjNKAAulSY
CirnMsGZTDGmLOHg4xOZ5FEAzZI2sFNLlcw=
-----END PRIVATE KEY-----
");

$pub = openssl_pkey_get_public("-----BEGIN PUBLIC KEY-----
MIICJDCCARcGCSqGSIb3DQEDATCCAQgCggEBAJLxRCaZ933uW+AXmabHFDDyupoj
BIRlbmQLJZfigDaSA1f9YOTsIv+WwVFTX/J1mtCyx9uBcz0Nt2kmVwxWuc2fVtCE
MPsmLsVXX7xRUFLpyX1Y1IYGBVXQOoOvLWYQjpZgnx47Pkh1Ok1+smffztfC0DCN
t4KorWrbsPcmqBejXHN79KvWFjZmXOksRiNu/Bn76RiqvofC4z8Ri3kHXQG2197J
GZzzFXHadGC3xbkg8UxsNbYhVMKbm0iANfafUH7/hoS9UjAVQYtvwe7YNiW/Hnyf
VCrKwcc7sadd8Iphh+3lf5P1AhaQEAMytanrzq9RDXKBxuvpSJifRYasZYsCAQID
ggEFAAKCAQAiCSBpxvGgsTorxAWtcAlSmzAJnJxFgSPef0g7OjhESytnc8G2QYmx
ovMt5KVergcitztWh08hZQUdAYm4rI+zMlAFDdN8LWwBT/mGKSzRkWeprd8E7mvy
ucqC1YXCMqmIwPySvLQUB/Dl8kgau7BLAnIJm8VP+MVrn8g9gghD0qRCgPgtEaDV
vocfgnOU43rhKnIgO0cHOKtw2qybSFB8QuZrYugq4j8Bwkrzh6rdMMeyMl/ej5Aj
c0wamOzuBDtXt0T9+Fx3khHaowjCc7xJZRgZCxg43SbqMWJ9lUg94I7+LTX61Gyv
dtlkbGbtoDOnxeNnN93gwQZngGYZYciu
-----END PUBLIC KEY-----
");

echo bin2hex(openssl_pkey_derive($pub,$priv,10));

Results in segfault:

rogram received signal SIGSEGV, Segmentation fault.
Download failed: Invalid argument.  Continuing without source file ./string/../sysdeps/x86_64/multiarch/strlen-avx2.S.
__strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
warning: 76	../sysdeps/x86_64/multiarch/strlen-avx2.S: No such file or directory
(gdb) bt
#0  __strlen_avx2 () at ../sysdeps/x86_64/multiarch/strlen-avx2.S:76
#1  0x0000555555d3d80f in format_converter (odp=0x7fffffff9f70, fmt=0x5555569c2341 "s(%u) :  Freeing 0x%016zx (%zu bytes), script=%s\n", ap=0x7fffffff9fd0)
    at /home/jakub/prog/php/83/main/snprintf.c:844
#2  0x0000555555d3e290 in strx_printv (buf=0x7fffffffa350 "[Sat Aug  9 00:09:37 2025]  Script:  '/home/jakub/prog/php/83/ext/openssl/tests/openssl_pkey_derive-dh.phpt'\n", len=512, 
    format=0x5555569c2340 "%s(%u) :  Freeing 0x%016zx (%zu bytes), script=%s\n", ap=0x7fffffff9fd0) at /home/jakub/prog/php/83/main/snprintf.c:1094
#3  0x0000555555d3e508 in ap_php_snprintf (buf=0x7fffffffa350 "[Sat Aug  9 00:09:37 2025]  Script:  '/home/jakub/prog/php/83/ext/openssl/tests/openssl_pkey_derive-dh.phpt'\n", len=512, 
    format=0x5555569c2340 "%s(%u) :  Freeing 0x%016zx (%zu bytes), script=%s\n") at /home/jakub/prog/php/83/main/snprintf.c:1135
#4  0x0000555555d392d1 in php_message_handler_for_zend (message=4, data=0x7fffffffb400) at /home/jakub/prog/php/83/main/main.c:1668
#5  0x0000555555e09b7f in zend_message_dispatcher (message=4, data=0x7fffffffb400) at /home/jakub/prog/php/83/Zend/zend.c:1345
#6  0x0000555555dc04ed in zend_mm_check_leaks (heap=0x7ffff4000040) at /home/jakub/prog/php/83/Zend/zend_alloc.c:2202
#7  0x0000555555dc08e1 in zend_mm_shutdown (heap=0x7ffff4000040, full=false, silent=false) at /home/jakub/prog/php/83/Zend/zend_alloc.c:2298
#8  0x0000555555dc1c19 in shutdown_memory_manager (silent=false, full_shutdown=false) at /home/jakub/prog/php/83/Zend/zend_alloc.c:2800
#9  0x0000555555d3a11a in php_request_shutdown (dummy=0x0) at /home/jakub/prog/php/83/main/main.c:1939
#10 0x0000555555fa94fc in do_cli (argc=2, argv=0x555556e3f6e0) at /home/jakub/prog/php/83/sapi/cli/php_cli.c:1137
#11 0x0000555555fa9a72 in main (argc=2, argv=0x555556e3f6e0) at /home/jakub/prog/php/83/sapi/cli/php_cli.c:1341

PHP Version

PHP 8.3.25-dev (cli) (built: Aug  9 2025 00:05:14) (ZTS DEBUG)
Copyright (c) The PHP Group
Zend Engine v4.3.25-dev, Copyright (c) Zend Technologies

This happens only with OpenSSL 1.1.1. OpenSSL 3.x is fine.

Operating System

Any

Metadata

Metadata

Assignees

Labels

BugExtension: openssl

Type

Bug

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions