php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Request #72247 There is no way to get key length for cipher algorithms
Submitted: 2016-05-20 02:46 UTC Modified: 2019-09-19 01:55 UTC
Votes:2
Avg. Score:5.0 ± 0.0
Reproduced:2 of 2 (100.0%)
Same Version:1 (50.0%)
Same OS:1 (50.0%)
From: S-sword at s-sword dot net Assigned:
Status: Analyzed Package: OpenSSL related
PHP Version: master-Git-2016-05-20 (Git) OS: Windows10/CentOS7.2
Private report: No CVE-ID: None
View Add Comment Developer Edit
Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know!
Just going to say 'Me too!'? Don't clutter the database with that please — but make sure to vote on the bug!
Your email address:
MUST BE VALID
Solve the problem:
28 - 9 = ?
Subscribe to this entry?

 
 [2016-05-20 02:46 UTC] S-sword at s-sword dot net
Description:
------------
Current implementation of OpenSSL functions has openssl_cipher_iv_length, obtaining the initialize vector length for ciphers, but no way to get key length. 
Moreover, in the function openssl_encrypt, the argument $password is used simply as key and cut off if longer than algorithm specified max key length (see below example). 
Then it is insecure to pass the raw password to openssl_enctypt, so we want to apply PBKD; Password Based Key Derivation, in php implemented as Hash functions (hash_pbkdf2), but this algorithm requires the key length.
This is why we cannot migrate from mcrypt to openssl (in mcrypt functions, mcrypt_get_key_size is defined).

To summarize the above, we need the way to get max key length for cipher algorithms, like openssl_cipher_key_length. 

Test script:
---------------
echo(openssl_encrypt('aaa', 'aes-256-cbc', str_pad('', 256, '0')).PHP_EOL);
echo(openssl_encrypt('aaa', 'aes-256-cbc', str_pad('', 300, '0')).PHP_EOL);

// These two code pass different passwords to openssl_encrypt but get same result. 


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2019-09-19 01:55 UTC] bishop@php.net
-Status: Open +Status: Analyzed
 [2019-09-19 01:55 UTC] bishop@php.net
Key length available via either EVP_CIPHER_key_length or EVP_CIPHER_CTX_key_length. Would need to decide if we're going to support variable length ciphers or not. Eg, a signature of:

openssl_get_key_length(string $cipher): int|false

or

openssl_get_key_length(string $cipher, string $encryption_mode): int|false
 
PHP Copyright © 2001-2019 The PHP Group
All rights reserved.
Last updated: Sun Sep 22 10:01:26 2019 UTC