Hi list,

A couple of bug reports have highlighted the fact that our openssl_encrypt and openssl_decrypt functions have no way of getting or setting tags required for authenticated cipher modes (i.e. GCM, CCM, OCB (not sure if this is available in OpenSSL)).

https://bugs.php.net/bug.php?id=68962
https://bugs.php.net/bug.php?id=67304

Further to this, we have no way of setting any associated data.

I think we absolutely must provide a method for users to be able to use authenticated encryption, and would like some opinions on how much flexibility we give users, and the best method for exposing this functionality.

At the very basic end of the spectrum, we could have openssl_get_tag and openssl_set_tag, or add an extra parameter to the end of openssl_encrypt and openssl_decrypt (pass by ref for encrypt, like preg $matches); this would cover the majority of use cases.

However, I absolutely think that the associated data also needs to be supported, and possibly the ability to change the tag length. At this point we're starting to get into the territory where an $options array is needed, or we add a lot of parameters to the end of functions. I don't really think it's good to add up to 3 more params to these functions.

What do you guys and girls think is the best way of tackling this?

Cheers,
Leigh.

--
PHP Internals - PHP Runtime Development Mailing List
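An added example, not part of the original message or the thread: PHP 7.1 and later accept the tag (by reference on encrypt), the associated data and the tag length as trailing parameters of openssl_encrypt and openssl_decrypt. The sketch below shows how the three pieces discussed above fit together in GCM; the helper names gcm_seal and gcm_open, the key, the header and the message are constructed for illustration.

```php
<?php
// Added illustration; requires PHP >= 7.1 with the openssl extension.
const GCM_CIPHER = 'aes-256-gcm';
const GCM_TAG_LEN = 16; // bytes; fixed by the application, not taken from the message

function gcm_seal(string $key, string $plaintext, string $aad): array
{
    // GCM needs a nonce that is never reused under the same key.
    $iv = random_bytes(openssl_cipher_iv_length(GCM_CIPHER));
    $tag = ''; // filled in by reference
    $ct = openssl_encrypt($plaintext, GCM_CIPHER, $key, OPENSSL_RAW_DATA,
                          $iv, $tag, $aad, GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

function gcm_open(string $key, array $box, string $aad): ?string
{
    // openssl_decrypt does not check the tag length itself, so a truncated
    // tag that matches the start of the real one could pass. Enforce it here.
    if (strlen($box['tag']) !== GCM_TAG_LEN) {
        return null;
    }
    $pt = openssl_decrypt($box['ct'], GCM_CIPHER, $key, OPENSSL_RAW_DATA,
                          $box['iv'], $box['tag'], $aad);
    return $pt === false ? null : $pt;
}

$key = random_bytes(32);      // constructed sample key
$aad = 'msg-id=42;v=1';       // authenticated but sent in the clear
$box = gcm_seal($key, 'constructed sample message', $aad);

// Unmodified message with the matching associated data.
var_dump(gcm_open($key, $box, $aad));

// Same ciphertext and tag, different associated data.
var_dump(gcm_open($key, $box, 'msg-id=43;v=1'));

// One ciphertext bit flipped in transit.
$flipped = $box;
$flipped['ct'][0] = $flipped['ct'][0] ^ "\x01";
var_dump(gcm_open($key, $flipped, $aad));

// Tag truncated to 4 bytes, rejected by the length check before decryption.
$short = $box;
$short['tag'] = substr($box['tag'], 0, 4);
var_dump(gcm_open($key, $short, $aad));
```

Only the first call returns the plaintext; the other three return null because the tag no longer authenticates the ciphertext and associated data, or fails the length check.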