php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80430 openssl_encrypt() is not verifying that key is present or not.
Submitted: 2020-11-27 07:55 UTC Modified: 2020-12-28 14:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: m dot saifmumtaz at gmail dot com Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.4.13 OS: Linux OpenSuse Tumbleweed
Private report: No CVE-ID: None
 [2020-11-27 07:55 UTC] m dot saifmumtaz at gmail dot com
Description:
------------
openssl_encrypt() is not verifying the key lenght for given ciphering method. it encrpts and decrypts even with empty key. it is not verifying the key in any mode even with aes-gcm have same problem

Test script:
---------------
$key="";
$plaintext = "message to be encrypted";
$cipher = "aes-128-cbc";
if (in_array($cipher, openssl_get_cipher_methods()))
{
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, $options=0, $iv);
    //store $cipher, $iv, and $tag for decryption later
    $original_plaintext = openssl_decrypt($ciphertext, $cipher, $key, $options=0, $iv);
    echo $original_plaintext."\n";
}

Expected result:
----------------
it must throw error if key length is not enough or empty.


Patches

Add a Patch

Pull Requests

Add a Pull Request

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2020-12-27 18:16 UTC] bukka@php.net
-Type: Bug +Type: Documentation Problem
 [2020-12-27 18:16 UTC] bukka@php.net
This is actually more a documentation issue or requested as the 3rd argument is not a key but more a passphrase (that's how it's now called in PHP 8 - before we called it password which is how it's called in the code). The logic is basically that if it's shorter, then it's padded with '\0' characters otherwise if longer it's trimmed. That's how it has been always working and we can't really change it without breaking a code or having that as optional thing.
 [2020-12-28 14:35 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-28 14:37 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=352242
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 14:38 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=f467e8922859bc0760f1323575b6729fa3e1f4b2
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 14:38 UTC] phpdocbot@php.net
-Status: Verified +Status: Closed
 [2020-12-28 21:27 UTC] mumumu@php.net
Automatic comment from SVN on behalf of mumumu
Revision: http://svn.php.net/viewvc/?view=revision&revision=352257
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 21:30 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=6df2710b2d420a1a3f2fc9a0dfe8ed31deee111c
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-30 11:58 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=ecf2abb5ed6ea2f8356748d25e0d580d88e19ffb
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 
PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Sep 19 12:03:36 2021 UTC