Request #70329 openssl_seal problems
Submitted: 2015-08-22 17:51 UTC Modified: 2015-09-06 18:25 UTC
From: totalfix at gmail dot com Assigned: bukka (profile)
Status: Duplicate Package: OpenSSL related
PHP Version: 5.6.12 OS: any
Private report: No CVE-ID: None
 [2015-08-22 17:51 UTC] totalfix at gmail dot com
Description:
------------
1) The function openssl_seal by default uses RC4 cipher, which is considered broken and should not be used.
I believe it is not a best practice to leave a weak cipher as a default option as many non-experts (like me) will use it.

2) Even if you want to change ciphers by using the parameter $method, you are limited to ciphers without initialization vectors (so no AES CBC). This leaves us with ciphers like AES ECB, which is also not recommended.




Test script:
---------------
openssl_seal($data, $sealed, $ekeys, array($pk1), 'AES-256-CBC');

// this fails, because CBC cannot be used, this is not documented, so the users must use trial and error to figure out which cipher is actually working

Expected result:
----------------
Somebody with crypto knowledge could read my text and decide if it's worth looking into. I could be wrong, if so, I apologise in advance.


 [2015-09-01 00:49 UTC] cmb@php.net
Point #2 has already been reported as bug #60632, and is currently
being addressed.
 [2015-09-06 18:25 UTC] bukka@php.net
-Status: Open +Status: Duplicate -Assigned To: +Assigned To: bukka
 [2015-09-06 18:25 UTC] bukka@php.net
I'm closing this as a duplicate. The reason is that it's requesting two things that can't be sorted out together. So I have created two new feature requests:

https://bugs.php.net/bug.php?id=70438

which is about adding an IV parameter. This has been done and will be part of PHP 7.

And

https://bugs.php.net/bug.php?id=70439

which is for deprecating the use of the default method. That cannot be done before 7.1 as there hasn't been any discussion. As soon as we have a branch for 7 and master will be for 7.1, I will ping internals about that.

Cheers
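
The IV parameter mentioned in the last comment, shown as an added example that is not part of the original report or of PHP's own code: sealing with an explicitly named IV-based cipher and opening the result again. It assumes PHP 7.0 or later with ext/openssl; the key pair, variable names and plaintext are constructed for the illustration.

```php
<?php
// Added example, not from the bug report. Requires PHP >= 7.0 with ext/openssl.

// Constructed throwaway recipient key pair (assumption for the demo; a real
// sender would only hold the recipient's public key).
$recipient = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($recipient === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$publicPem = openssl_pkey_get_details($recipient)['key'];

$cipher = 'AES-256-CBC';            // named explicitly, not the RC4 default
$data   = 'constructed sample plaintext';

// openssl_seal() generates a random symmetric key, encrypts $data with it and
// encrypts that key once per recipient public key. For a cipher that needs an
// IV, the sixth argument receives the generated IV by reference.
$sealed = '';
$ekeys  = [];
$iv     = '';
$len = openssl_seal($data, $sealed, $ekeys, [$publicPem], $cipher, $iv);
if ($len === false) {
    throw new RuntimeException('openssl_seal failed: ' . openssl_error_string());
}

// Sanity check: the returned IV must match the cipher's IV length.
if (strlen($iv) !== openssl_cipher_iv_length($cipher)) {
    throw new RuntimeException('unexpected IV length');
}

// Recipient side: same cipher name, the recipient's envelope key, same IV.
$opened = '';
if (!openssl_open($sealed, $opened, $ekeys[0], $recipient, $cipher, $iv)) {
    throw new RuntimeException('openssl_open failed: ' . openssl_error_string());
}

var_dump($opened === $data);
```

The sealed data, the recipient's envelope key and the IV all have to be delivered to the recipient; the IV is not secret. CBC provides confidentiality only, so integrity of the sealed data has to be protected separately.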
Last updated: Thu Oct 31 22:01:27 2024 UTC