Request #70329 openssl_seal problems
Submitted: 2015-08-22 17:51 UTC Modified: 2015-09-06 18:25 UTC
From: totalfix at gmail dot com Assigned: bukka (profile)
Status: Duplicate Package: OpenSSL related
PHP Version: 5.6.12 OS: any
Private report: No CVE-ID: None
 [2015-08-22 17:51 UTC] totalfix at gmail dot com
Description:
------------
1) The function openssl_seal by default uses RC4 cipher, which is considered broken and should not be used.
I believe it is not a best practice to leave a weak cipher as a default option as many non-experts (like me) will use it.

2) Even if you want to change ciphers by using the parameter $method, you are limited to ciphers without initialization vectors (so no AES CBC). This leaves us with ciphers like AES ECB, which is also not recommended.




Test script:
---------------
openssl_seal($data, $sealed, $ekeys, array($pk1), 'AES-256-CBC');

// this fails, because CBC cannot be used, this is not documented, so the users must use trial and error to figure out which cipher is actually working

Expected result:
----------------
Somebody with crypto knowledge could read my text and decide if it's worth looking into. I could be wrong, if so, I apologise in advance.


 [2015-09-01 00:49 UTC] cmb@php.net
Point #2 has already been reported as bug #60632, and is currently
being addressed.
 [2015-09-06 18:25 UTC] bukka@php.net
-Status: Open
+Status: Duplicate
-Assigned To:
+Assigned To: bukka
 [2015-09-06 18:25 UTC] bukka@php.net
I'm closing this as a duplicate. The reason is that it's requesting two things that can't be sorted out together. So I have created two new feature requests:

https://bugs.php.net/bug.php?id=70438

which is about adding an IV parameter. This has been done and will be part of PHP 7.

And

https://bugs.php.net/bug.php?id=70439

which is for deprecating the use of the default method. That cannot be done before 7.1 as there hasn't been any discussion. As soon as we have a branch for 7 and master will be for 7.1, I will ping internals about that.

Cheers
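
The sealing call from the test script, shown working with an IV, as an added example that is not part of the original report or the PHP project's own code. It assumes PHP 7 or later, where openssl_seal() accepts the IV parameter described in request #70438; the RSA key pair and plaintext are constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Constructed sample recipient key pair, generated on the fly for this demo.
$key = openssl_pkey_new([
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
    'private_key_bits' => 2048,
]);
if ($key === false) {
    exit('key generation failed: ' . openssl_error_string() . PHP_EOL);
}
$publicPem = openssl_pkey_get_details($key)['key'];

// Name the cipher explicitly instead of relying on the RC4 default.
$cipher = 'AES-256-CBC';
$data   = 'constructed sample plaintext';

// openssl_seal() fills $sealed, $ekeys (one envelope key per recipient)
// and $iv. The IV is not secret but must travel with the ciphertext.
$sealed = '';
$ekeys  = [];
$iv     = '';
$len = openssl_seal($data, $sealed, $ekeys, [$publicPem], $cipher, $iv);
if ($len === false) {
    exit('seal failed: ' . openssl_error_string() . PHP_EOL);
}

// Sanity check: the returned IV has the length the cipher expects
// (16 bytes for AES in CBC mode).
if (strlen($iv) !== openssl_cipher_iv_length($cipher)) {
    exit('unexpected IV length' . PHP_EOL);
}

// Recipient side: needs the sealed data, its own envelope key, the IV
// and the same cipher name that was used for sealing.
$opened = '';
$ok = openssl_open($sealed, $opened, $ekeys[0], $key, $cipher, $iv);
if (!$ok || $opened !== $data) {
    exit('open failed: ' . openssl_error_string() . PHP_EOL);
}

echo 'round trip ok, ', $len, ' bytes sealed with ', $cipher, PHP_EOL;
```

AES-CBC as used here provides confidentiality only; the sealed output carries no integrity check of its own.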
 