On Sat, Jan 31, 2015 at 8:53 AM, Leigh <lei...@gmail.com> wrote: > Hi list, > > A couple of bug reports have highlighted the fact that our > openssl_encrypt and openssl_decrupt functions have no way of getting > or setting tags required for authenticated cipher modes (i.e. GCM, > CCM, OCB (not sure if this is available in OpenSSL)). > > https://bugs.php.net/bug.php?id=68962 > https://bugs.php.net/bug.php?id=67304 > > Further to this, we have no way of setting any associated data. > > I think we absolutely must provide a method for users to be able to > use authenticated encryption, and would like some opinions on how much > flexibility we give users, and the best method for exposing this > functionality. > > At the very basic end of the spectrum, we could have openssl_get_tag > and openssl_set_tag, or add an extra parameter to the end of > openssl_encrypt and openssl_decrypt (pass by ref for encrypt, like > preg $matches) this would cover the majority of use cases. > > I think exposing this to the user will only cause confusion and allow users to implement mistakes to the algorithm and mode usage.
> However I absolutely think that the associated data also needs to be > supported, and possibly the ability to change the tag length. > > At this point we're starting to get into the territory where an > $options array is needed, or we add a lot of parameters to the end of > functions. I don't really think it's good to add up to 3 more params > to these functions. > > What do you guys and girls think is the best way of tackling this? > > Cheers, > > Leigh. > > -- > PHP Internals - PHP Runtime Development Mailing List > To unsubscribe, visit: http://www.php.net/unsub.php > > According to the OpenSSL documentation regarding encryption/decryption using CCM, GCM & OCB modes for authenticated usage would require the additions of the following constants: EVP_CTRL_OCB_SET_TAGLEN EVP_CTRL_SET_IVLEN EVP_CTRL_GET_TAG EVP_CTRL_CCM_SET_L EVP_CTRL_CCM_SET_IVLEN EVP_aes_256_gcm() EVP_aes_128_gcm() That coupled with the use of the EVP_CIPHER_CTX_ctrl() should provide the needed functionality as described in http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption the documentation for using the EVP authenticated modes for encryption/decryption.
