Hi,
I just noted (too late in the process, I know) that
openssl_random_pseudo_bytes(0) now throws an exception.
This breaks code like
$ivsize = openssl_cipher_iv_length($method);
$iv = openssl_random_pseudo_bytes($ivsize);
$data = openssl_encrypt($string, $method, $key, OPENSSL_RAW_DATA, $iv);
if $method is 'aes-256-ecb' because $ivsize is 0.
I do realize that ECB mode ciphers are deprecated but having them throw an
exception indirectly via openssl_random_pseudo_bytes() seems a bit strange,
even in the context of security.
I checked the RFC https://wiki.php.net/rfc/improve-openssl-random-pseudo-bytes
and it doesn't mention this BC break:
"False-checks on the return value of openssl_random_pseudo_bytes() will do
nothing since the function fails closed. Usage of $crypto_strongwill generate
errors."
While I would have preferred the exception to be thrown only when $ivsize is
not an integer or less than 0 but I guess this cannot be changed at the RC
stage.
I would recommend though that we aim to keep BC breaks to what's mentioned in
RFCs.
- Chris
--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
