php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75407 No warning thrown for a nonexistant cipher method
Submitted: 2017-10-19 11:48 UTC Modified: 2017-10-19 13:10 UTC
From: faxitnow at yahoo dot ca Assigned:
Status: Closed Package: OpenSSL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Developer Edit
Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.
Password:
Status:
Package:
Bug Type:
Summary:
From: faxitnow at yahoo dot ca
New email:
PHP Version: OS:

 

 [2017-10-19 11:48 UTC] faxitnow at yahoo dot ca 
Description:
------------
Using $encrypted = openssl_encrypt($dataEncrypt, "AES-256-XTS", $key, 0, $iv);

Does not throw a warning for a nonexistant cipher method. However, when replacing the "S" with a "C" for example such as "AES-256-XTC" or any letter from the alphabet other than "S" (A to Z except S) does throw a warning such as:

Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X


Test script:
---------------
$key = hash_hmac("sha512", "You can decrypt this all day long, won't get you closer to the truth", "myKey");
$iv = openssl_random_pseudo_bytes(16);
$adminVal = filter_var($userData['is_admin'], FILTER_VALIDATE_BOOLEAN);
$userName = $userData["name"];
$dataEncrypt = $adminVal.$userName;
$encrypted = openssl_encrypt($dataEncrypt, "AES-256-XTS", $key, 0, $iv);

As per a question posted on Stack Overflow at the following URL: 
https://stackoverflow.com/q/46821439/


Expected result:
----------------
The expected result should have thrown a warning such as:
Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X

Actual result:
--------------
No warning thrown, just an empty result. 
string(0) "" when using var_dump($encrypted); from the test script included.

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-19 12:03 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2017-10-19 12:03 UTC] peehaa@php.net 
When I do check the supported cipher methods in both my install as on 3v4l I see it listed.

https://3v4l.org/j7gWD

Are you saying it's not listed for you and it doesn't give you an error?
 [2017-10-19 12:16 UTC] faxitnow at yahoo dot ca
-Status: Feedback +Status: Open
 [2017-10-19 12:16 UTC] faxitnow at yahoo dot ca 
Seeing the added comments/activity in the bug report, the manual on the cipher methods http://php.net/manual/en/function.openssl-get-cipher-methods.php does not show any instances of "XTS" anywhere.
 [2017-10-19 12:27 UTC] faxitnow at yahoo dot ca 
In response to: "Are you saying it's not listed for you and it doesn't give you an error?".

When I var_dump'ed using var_dump(openssl_get_cipher_methods()); it does show "AES-256-XTS" in the list but I received no warning back when running the test script as posted. I'm on Windows 7 on 5.6.23. Yet have tested this online at http://phptester.net/ and it too produced the same results as mine.
 [2017-10-19 12:44 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2017-10-19 12:44 UTC] peehaa@php.net 
What warning do you expect?

Am I missing something? The bug report expects:

> Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X

But it is actually not unknown.
 [2017-10-19 12:50 UTC] faxitnow at yahoo dot ca 
I expected to get a warning back but as stated in my report, I did not receive one.
 [2017-10-19 13:10 UTC] faxitnow at yahoo dot ca
-Status: Feedback +Status: Closed
 [2017-10-19 13:10 UTC] faxitnow at yahoo dot ca 
The bug report was submitted in error, and that the running of the script resulted in bad output. I will investigate this further to try and determine why the OP, myself and the online testing also produced the same result.
 [2017-10-19 13:11 UTC] spam2 at rhsoft dot net 
[harry@rh:~]$ php -r "print_r(openssl_get_cipher_methods());" | grep -i xts
    [10] => AES-128-XTS
    [29] => AES-256-XTS
    [111] => aes-128-xts
    [134] => aes-256-xts

"the manual on the cipher methods http://php.net/manual/en/function.openssl-get-cipher-methods.php does not show any instances of XTS anywhere" don't matter because it may also depend on openssl - that's why openssl_get_cipher_methods() at all

hence your "PHP Version: Irrelevant" is nonsense
 
PHP Copyright © 2001-2025 The PHP Group
All rights reserved. 		Last updated: Thu Jul 03 12:01:33 2025 UTC