Doc Bug #80430 openssl_encrypt() is not verifying that key is present or not.
Submitted: 2020-11-27 07:55 UTC Modified: 2020-12-28 14:35 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:1 (100.0%)
Same OS:0 (0.0%)
From: m dot saifmumtaz at gmail dot com Assigned: cmb (profile)
Status: Closed Package: OpenSSL related
PHP Version: 7.4.13 OS: Linux OpenSuse Tumbleweed
Private report: No CVE-ID: None
 [2020-11-27 07:55 UTC] m dot saifmumtaz at gmail dot com
Description:
------------
openssl_encrypt() is not verifying the key length for the given ciphering method. It encrypts and decrypts even with an empty key. It is not verifying the key in any mode; even aes-gcm has the same problem.

Test script:
---------------
<?php
$key = "";  // empty key: the case being reported
$plaintext = "message to be encrypted";
$cipher = "aes-128-cbc";
if (in_array($cipher, openssl_get_cipher_methods()))
{
    $ivlen = openssl_cipher_iv_length($cipher);
    $iv = openssl_random_pseudo_bytes($ivlen);
    // encryption succeeds although $key is empty
    $ciphertext = openssl_encrypt($plaintext, $cipher, $key, 0, $iv);
    // store $cipher, $iv, and $tag for decryption later
    $original_plaintext = openssl_decrypt($ciphertext, $cipher, $key, 0, $iv);
    echo $original_plaintext."\n";
}

Expected result:
----------------
It must throw an error if the key length is not enough or the key is empty.


 [2020-12-27 18:16 UTC] bukka@php.net
-Type: Bug +Type: Documentation Problem
 [2020-12-27 18:16 UTC] bukka@php.net
This is actually more a documentation issue or request, as the 3rd argument is not a key but more a passphrase (that's how it's now called in PHP 8 - before, we called it password, which is how it's called in the code). The logic is basically that if it's shorter, then it's padded with '\0' characters; otherwise, if longer, it's trimmed. That's how it has always been working, and we can't really change it without breaking code or having that as an optional thing.
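
The padding and trimming described in the comment above, as an added example (not code from the report or from PHP itself), followed by a wrapper that rejects keys of the wrong length. `requiredKeyLength()` and `encryptStrict()` are hypothetical helper names; the AES name pattern is an assumed fallback for PHP versions before 8.2, where `openssl_cipher_key_length()` is not available.

```php
<?php
// Added example, not from the report; helper names are hypothetical.
$cipher = 'aes-128-cbc';
$msg    = 'message to be encrypted';
// One IV is reused here only so that ciphertexts can be compared byte for byte.
$iv     = random_bytes(openssl_cipher_iv_length($cipher));
$enc    = fn(string $k) => openssl_encrypt($msg, $cipher, $k, OPENSSL_RAW_DATA, $iv);

// Empty passphrase vs. 16 NUL bytes: a shorter value is padded with "\0".
var_dump($enc('') === $enc(str_repeat("\0", 16)));
// Short passphrase vs. the same value padded by hand.
var_dump($enc('abc') === $enc('abc' . str_repeat("\0", 13)));
// Over-long passphrase vs. its first 16 bytes: for AES the tail is trimmed.
var_dump($enc(str_repeat('k', 16) . 'tail') === $enc(str_repeat('k', 16)));

// Key size in bytes that the cipher expects.
function requiredKeyLength(string $cipher): int
{
    if (function_exists('openssl_cipher_key_length')) {      // PHP 8.2+
        $len = openssl_cipher_key_length($cipher);
        if ($len !== false) {
            return $len;
        }
    } elseif (preg_match('/^aes-(128|192|256)-/i', $cipher, $m)) {
        return intdiv((int) $m[1], 8);                       // assumed fallback: AES only
    }
    throw new InvalidArgumentException("unknown key length for $cipher");
}

// Refuses to encrypt unless the key has exactly the expected size,
// so nothing is silently padded or trimmed by openssl_encrypt().
function encryptStrict(string $plaintext, string $cipher, string $key, string $iv): string
{
    $need = requiredKeyLength($cipher);
    if (strlen($key) !== $need) {
        throw new InvalidArgumentException(
            "key must be exactly $need bytes, got " . strlen($key)
        );
    }
    $ct = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('openssl_encrypt failed');
    }
    return $ct;
}

try {
    encryptStrict($msg, $cipher, '', $iv);                   // the reported case
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo strlen(encryptStrict($msg, $cipher, random_bytes(16), $iv)), " bytes of ciphertext\n";
```

A human-chosen passphrase should go through a key-derivation function such as `hash_pbkdf2()` before it reaches the wrapper, rather than being used as the key directly.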
 [2020-12-28 14:35 UTC] cmb@php.net
-Status: Open +Status: Verified -Assigned To: +Assigned To: cmb
 [2020-12-28 14:37 UTC] cmb@php.net
Automatic comment from SVN on behalf of cmb
Revision: http://svn.php.net/viewvc/?view=revision&revision=352242
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 14:38 UTC] phpdocbot@php.net
Automatic comment on behalf of cmb
Revision: http://git.php.net/?p=doc/en.git;a=commit;h=f467e8922859bc0760f1323575b6729fa3e1f4b2
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 14:38 UTC] phpdocbot@php.net
-Status: Verified +Status: Closed
 [2020-12-28 21:27 UTC] mumumu@php.net
Automatic comment from SVN on behalf of mumumu
Revision: http://svn.php.net/viewvc/?view=revision&revision=352257
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-28 21:30 UTC] phpdocbot@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=6df2710b2d420a1a3f2fc9a0dfe8ed31deee111c
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 [2020-12-30 11:58 UTC] nikic@php.net
Automatic comment on behalf of mumumu
Revision: http://git.php.net/?p=doc/ja.git;a=commit;h=ecf2abb5ed6ea2f8356748d25e0d580d88e19ffb
Log: Fix #80430: openssl_encrypt() is not verifying that key is present or not
 