php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login

go to bug id or search bugs for

Bug #75407 No warning thrown for a nonexistant cipher method
Submitted: 2017-10-19 11:48 UTC Modified: 2017-10-19 13:10 UTC
From: faxitnow at yahoo dot ca Assigned:
Status: Closed Package: OpenSSL related
PHP Version: Irrelevant OS:
Private report: No CVE-ID: None
View Add Comment Developer Edit
 [2017-10-19 11:48 UTC] faxitnow at yahoo dot ca 
Description:
------------
Using $encrypted = openssl_encrypt($dataEncrypt, "AES-256-XTS", $key, 0, $iv);

Does not throw a warning for a nonexistant cipher method. However, when replacing the "S" with a "C" for example such as "AES-256-XTC" or any letter from the alphabet other than "S" (A to Z except S) does throw a warning such as:

Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X


Test script:
---------------
$key = hash_hmac("sha512", "You can decrypt this all day long, won't get you closer to the truth", "myKey");
$iv = openssl_random_pseudo_bytes(16);
$adminVal = filter_var($userData['is_admin'], FILTER_VALIDATE_BOOLEAN);
$userName = $userData["name"];
$dataEncrypt = $adminVal.$userName;
$encrypted = openssl_encrypt($dataEncrypt, "AES-256-XTS", $key, 0, $iv);

As per a question posted on Stack Overflow at the following URL: 
https://stackoverflow.com/q/46821439/


Expected result:
----------------
The expected result should have thrown a warning such as:
Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X

Actual result:
--------------
No warning thrown, just an empty result. 
string(0) "" when using var_dump($encrypted); from the test script included.

Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2017-10-19 12:03 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2017-10-19 12:03 UTC] peehaa@php.net 
When I do check the supported cipher methods in both my install as on 3v4l I see it listed.

https://3v4l.org/j7gWD

Are you saying it's not listed for you and it doesn't give you an error?
 [2017-10-19 12:16 UTC] faxitnow at yahoo dot ca
-Status: Feedback +Status: Open
 [2017-10-19 12:16 UTC] faxitnow at yahoo dot ca 
Seeing the added comments/activity in the bug report, the manual on the cipher methods http://php.net/manual/en/function.openssl-get-cipher-methods.php does not show any instances of "XTS" anywhere.
 [2017-10-19 12:27 UTC] faxitnow at yahoo dot ca 
In response to: "Are you saying it's not listed for you and it doesn't give you an error?".

When I var_dump'ed using var_dump(openssl_get_cipher_methods()); it does show "AES-256-XTS" in the list but I received no warning back when running the test script as posted. I'm on Windows 7 on 5.6.23. Yet have tested this online at http://phptester.net/ and it too produced the same results as mine.
 [2017-10-19 12:44 UTC] peehaa@php.net
-Status: Open +Status: Feedback
 [2017-10-19 12:44 UTC] peehaa@php.net 
What warning do you expect?

Am I missing something? The bug report expects:

> Warning: openssl_encrypt(): Unknown cipher algorithm in path/to/file.php on line X

But it is actually not unknown.
 [2017-10-19 12:50 UTC] faxitnow at yahoo dot ca 
I expected to get a warning back but as stated in my report, I did not receive one.
 [2017-10-19 13:10 UTC] faxitnow at yahoo dot ca
-Status: Feedback +Status: Closed
 [2017-10-19 13:10 UTC] faxitnow at yahoo dot ca 
The bug report was submitted in error, and that the running of the script resulted in bad output. I will investigate this further to try and determine why the OP, myself and the online testing also produced the same result.
 [2017-10-19 13:11 UTC] spam2 at rhsoft dot net 
[harry@rh:~]$ php -r "print_r(openssl_get_cipher_methods());" | grep -i xts
    [10] => AES-128-XTS
    [29] => AES-256-XTS
    [111] => aes-128-xts
    [134] => aes-256-xts

"the manual on the cipher methods http://php.net/manual/en/function.openssl-get-cipher-methods.php does not show any instances of XTS anywhere" don't matter because it may also depend on openssl - that's why openssl_get_cipher_methods() at all

hence your "PHP Version: Irrelevant" is nonsense
 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved. 		Last updated: Thu Apr 25 10:01:29 2024 UTC