Hey

On Sat, Jan 31, 2015 at 4:21 PM, Leigh <lei...@gmail.com> wrote:

> On 31 January 2015 at 16:13, Jason Gerfen <jason.ger...@gmail.com> wrote:
> > On Sat, Jan 31, 2015 at 8:53 AM, Leigh <lei...@gmail.com> wrote:
> >> At the very basic end of the spectrum, we could have openssl_get_tag
> >> and openssl_set_tag, or add an extra parameter to the end of
> >> openssl_encrypt and openssl_decrypt (pass by ref for encrypt, like
> >> preg $matches) this would cover the majority of use cases.
> >>
> >
> > I think exposing this to the user will only cause confusion and allow
> > users to implement mistakes to the algorithm and mode usage.
> >
>
> set/get tag functions are also my least favourite options.
>
> > According to the OpenSSL documentation regarding encryption/decryption
> > using CCM, GCM & OCB modes for authenticated usage would require the
> > additions of the following constants:
> >
> > EVP_CTRL_OCB_SET_TAGLEN
> > EVP_CTRL_SET_IVLEN
> > EVP_CTRL_GET_TAG
> > EVP_CTRL_CCM_SET_L
> > EVP_CTRL_CCM_SET_IVLEN
> > EVP_aes_256_gcm()
> > EVP_aes_128_gcm()
> >
> > That coupled with the use of the
> >
> > EVP_CIPHER_CTX_ctrl()
> >
> > should provide the needed functionality as described in
> > http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
> > the documentation for using the EVP authenticated modes for
> > encryption/decryption.
> >
>
> Thanks, I have done some cursory research into how it should be
> implemented, but I wanted this discussion to be about how we should
> present the functionality to the user. Implementation details can come
> second once we have a consensus on what is/isn't too much, and what
> method we should use to allow this functionality to be used.
>
> --
> PHP Internals - PHP Runtime Development Mailing List
> To unsubscribe, visit: http://www.php.net/unsub.php
>

Hey,

I have already implemented all of this in crypto ext ( https://github.com/bukka/php-crypto ) and also added support for streams (e.g. https://github.com/bukka/php-crypto/blob/master/tests/stream_filters_cipher_gcm_dec_read.phpt ) and objective context. However, crypto is, and probably for quite some time will be, in dev stability. I have put that work on hold for some time (due to PHP 7 API changes) but plan to resume it soon.

Anyway, this is a bit different, as it is a bit more complex and a bit too much for openssl ext. The thing is that the symmetric crypto functions are just openssl_encrypt and openssl_decrypt and they don't have any context. I'm not sure how the proposed openssl_*et_tag would work without context.

The options array definitely makes more sense to me. It's basically what I used for stream context ( some doc can be found here: https://github.com/bukka/php-crypto/issues/8 ). The only problem is how to get the resulting tag. I used the stream meta array for that in crypto streams. If we don't want to break BC, then we would probably need another ref param in openssl_encrypt. Something like:

    string openssl_encrypt ( string $data , string $method , string $password [, mixed $options = NULL [, string $iv = "" [, string &$tag = NULL ] ] ] )

The options would be overloaded for BC (if it's an int, then the same as before, or you can use an array for further options such as AAD...).

What are your thoughts?

Btw. I think I could do or help with the implementation if there is an interest in that feature in PHP 7. It would be a sort of port from crypto, where I also have a bunch of tests for that (supported are just ccm and gcm).

Cheers
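
As an added illustration (not part of this message or of anyone's code in the thread): the by-reference tag parameter discussed above is the shape ext/openssl exposes from PHP 7.1 on, with AAD passed as its own argument rather than through an options array. The helper names `gcm_seal` and `gcm_open`, the constants and the sample values are constructed for this example.

```php
<?php
declare(strict_types=1);

const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

// Encrypt and return IV, ciphertext and tag; the tag comes back by reference.
function gcm_seal(string $plaintext, string $key, string $aad): array
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // fresh IV per message
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

// Decrypt; returns null when the tag, ciphertext or AAD does not verify.
function gcm_open(array $box, string $key, string $aad): ?string
{
    // openssl_decrypt() does not check the tag length itself, so a truncated
    // tag has to be rejected by the caller before decryption is attempted.
    if (strlen($box['tag']) !== TAG_LEN) {
        return null;
    }
    $pt = openssl_decrypt($box['ct'], CIPHER, $key, OPENSSL_RAW_DATA, $box['iv'], $box['tag'], $aad);
    return $pt === false ? null : $pt;
}

// Constructed sample values.
$key = random_bytes(32);
$aad = 'record-id=42';
$box = gcm_seal('hello tag', $key, $aad);

var_dump(gcm_open($box, $key, $aad));           // untouched message
var_dump(gcm_open($box, $key, 'record-id=43')); // AAD changed after sealing

$flipped = $box;
$flipped['ct'][0] = chr(ord($flipped['ct'][0]) ^ 1);
var_dump(gcm_open($flipped, $key, $aad));       // one ciphertext bit flipped

$short = $box;
$short['tag'] = substr($box['tag'], 0, 4);
var_dump(gcm_open($short, $key, $aad));         // tag truncated to 4 bytes
```

The explicit length check in `gcm_open` matters because a caller-supplied tag shorter than the one produced at encryption time would otherwise be compared only against the start of the real tag.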