[...]
> Even though it is 4 functions, I think users will find it easier to
> work with functions called openssl_public_encrypt,
> openssl_private_decrypt etc. It also separates them from possible
> symmetric enryption later on.
>
> How about returning the result like this:
>
> string openssl_public_encrypt(
> string data,
> mixed key,
> [int padding]
> );
>
> I think it's generally better to not alter arguments, better return it
> this way. Is it good enough to report errors by returning an empty
> string? I think so.
I did my patch so it looks like the other openssl functions, so I guess we
should continue using that way of returning through arguments (or change all
functions to return a string to be consistent throughout the module). But from
a user's point of view it's better to keep the current API.
As for reporting errors by returning FALSE, this seems to be a normal
practice in PHP. Also, we shouldn't return any textual error messages, as
unexperienced users might display them to the user and thereby helping attackers gain
information about the private key (see D. Bleichenbacher. Chosen Ciphertext
Attacks against Protocols Based on the RSA Encryption Standard PKCS #1.
Advances in Cryptology-Crypto '98).
Sascha
--
PHP Development Mailing List <http://www.php.net/>
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
To contact the list administrators, e-mail: [EMAIL PROTECTED]
