Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Stricter content length in ASNObject #2

Merged
merged 3 commits into from
Apr 29, 2024
Merged

Stricter content length in ASNObject #2

merged 3 commits into from
Apr 29, 2024

Conversation

paragonie-security
Copy link
Contributor

Also fixes a PHP 8 deprecation

@paragonie-security
Ensure no leading zeroes in content length
c6aa3ff 
Also fixes a PHP 8 deprecation
paragonie-security
paragonie-security commented Apr 23, 2024
View reviewed changes
lib/ASN1/Universal/OctetString.php
$result = '';

//Actual content
while (strlen($value) >= 2) {
// get the hex value byte by byte from the string and and add it to binary result
$result .= chr(hexdec(substr($value, 0, 2)));
$result .= @chr(hexdec(substr($value, 0, 2)));
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We may want to replace chr($val) with pack('C', $val).

https://paragonie.com/blog/2017/02/cryptographically-secure-php-development#chr

@paragonie-security paragonie-security changed the title Ensure no leading zeroes in content length Stricter content length in ASNObject Apr 23, 2024
paragonie-security added a commit to paragonie/phpecc that referenced this pull request Apr 23, 2024
@paragonie-security
Fix tests
a998653 
Depends on genkgo/php-asn1#2
This was referenced Apr 23, 2024
Closed
Open
@frederikbosch frederikbosch merged commit f21be41 into genkgo:master Apr 29, 2024
3 checks passed
@frederikbosch
Copy link
Contributor

For now I did not replace chr($val) with pack('C', $val). To be honest, I am no security expert. I forked this because I thought at least someone should maintain the library. If you believe the pack('C', $int) is better, please create a PR for this. My only concern with the PR was the use of the @ sign. I always try to avoid it. When I am going to revise the library, I will probably remove it.

@paragonie-security
Copy link
Contributor Author

paragonie-security commented Apr 29, 2024
edited
Loading

There's some weird behavior that this library seems to be relying on. That code in question seems to expect hex data, but sometimes operates over raw bytes. If you "fix" this bug, you get a bunch of test failures. I suspect there be dragons here.

@frederikbosch
Copy link
Contributor

That's exactly why I also chose to leave this for now. First, I am going to make this library use strict types and add phpstan. Then let's see which other optimizations and fixes we can introduce.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@paragonie-security @frederikbosch