Allow passing $tag for non-authenticated encryption #6333

Closed
2 changes: 0 additions & 2 deletions ext/openssl/openssl.c
Expand Up @@ -7156,8 +7156,6 @@ PHP_OPENSSL_API zend_string* php_openssl_encrypt(
}
} else if (tag) {
ZEND_TRY_ASSIGN_REF_NULL(tag);
php_error_docref(NULL, E_WARNING,
"The authenticated tag cannot be provided for cipher that doesn not support AEAD");
} else if (mode.is_aead) {
php_error_docref(NULL, E_WARNING, "A tag should be provided when using AEAD mode");
zend_string_release_ex(outbuf, 0);
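Review bot: In the `else if (tag)` branch, removing the `php_error_docref(NULL, E_WARNING, ...)` call leaves `ZEND_TRY_ASSIGN_REF_NULL(tag)` as the only signal that the chosen cipher produced no authentication tag. A caller who passes `$tag` expecting AEAD but names a non-AEAD cipher now receives unauthenticated ciphertext with no diagnostic, so the `openssl_encrypt()` documentation should state that `$tag` is set to null for non-AEAD ciphers and that callers relying on authentication must check for it. Consider whether a lower-severity diagnostic is preferable to dropping the message entirely.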
6 changes: 6 additions & 0 deletions ext/openssl/tests/openssl_decrypt_basic.phpt
Expand Up @@ -28,9 +28,15 @@ var_dump(rtrim($output));
$encrypted = openssl_encrypt($data, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
$output = openssl_decrypt($encrypted, "bf-ecb", $password, OPENSSL_DONT_ZERO_PAD_KEY);
var_dump($output);

// It's okay to pass $tag for a non-AAD cipher. It will be populated with null in that case.
openssl_encrypt($data, $method, $password, 0, $iv, $tag);
var_dump($tag);

?>
--EXPECT--
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
string(45) "openssl_encrypt() and openssl_decrypt() tests"
NULL
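Review bot: The new test's comment says "non-AAD cipher" where "non-AEAD cipher" is meant. In the lines shown, `$tag` is not assigned before the `openssl_encrypt()` call, so `var_dump($tag)` printing `NULL` would also pass if the function never wrote to the reference; assigning a non-null value to `$tag` first would make the test prove the reset. The return value of the call is discarded as well, so the test does not show that encryption still succeeds when a tag argument is passed.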
5 changes: 0 additions & 5 deletions ext/openssl/tests/openssl_decrypt_error.phpt
Expand Up @@ -20,8 +20,6 @@ var_dump(openssl_decrypt($wrong, $wrong, $password));
var_dump(openssl_decrypt($encrypted, $wrong, $wrong));
var_dump(openssl_decrypt($wrong, $wrong, $wrong));

// invalid using of an authentication tag
var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong));
?>
--EXPECTF--
Warning: openssl_encrypt(): Using an empty Initialization Vector (iv) is potentially insecure and not recommended in %s on line %d
Expand All @@ -41,6 +39,3 @@ bool(false)

Warning: openssl_decrypt(): Unknown cipher algorithm in %s on line %d
bool(false)

Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d
string(44) "yof6cPPH4mLee6TOc0YQSrh4dvywMqxGUyjp0lV6+aM="
6 changes: 0 additions & 6 deletions ext/openssl/tests/openssl_encrypt_error.phpt
Expand Up @@ -15,18 +15,12 @@ $arr = array(1);
// wrong parameters tests
var_dump(openssl_encrypt($data, $wrong, $password));

// invalid using of an authentication tag
var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong));

// padding of the key is disabled
var_dump(openssl_encrypt($data, $method, $password, OPENSSL_DONT_ZERO_PAD_KEY, $iv));
?>
--EXPECTF--
Warning: openssl_encrypt(): Unknown cipher algorithm in %s on line %d
bool(false)

Warning: openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in %s on line %d
string(44) "iPR4HulskuaP5Z6me5uImk6BqVyJG73+63tkPauVZYk="

Warning: openssl_encrypt(): Key length cannot be set for the cipher algorithm in %s on line %d
bool(false)
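Review bot: The case `var_dump(openssl_encrypt($data, $method, $password, 0, $iv, $wrong));` is deleted together with its expected ciphertext line, which removes the only check in this file that passing a tag argument with a non-AEAD cipher still returns the ciphertext. Keeping the call and dropping only the `Warning:` line from `--EXPECTF--` would preserve that assertion and record the new behaviour; the comment "invalid using of an authentication tag" would then need rewording, since the usage is no longer treated as invalid.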