Newsgroups: php.internals
Subject: Re: [PHP-DEV] Handling over sized keys on OpenSSL
From: bishop@php.net (Bishop Bettini)
Reply-To: bishop@php.net
Date: Wed, 18 Sep 2019 21:59:18 -0400
To: Leo Cavalcante
Cc: PHP internals, Sara Golemon

On Sat, Aug 31, 2019 at 11:34 PM Leo Cavalcante wrote:

> ...
> Yeah, I was using a 256-bit length key with AES-128-CBC then trying to
> decrypt it in another program never works.
>
> And in fact, it's better to throw or even warn/notice about it instead of
> silently allowing it, *what do you think?*

I can't imagine a legitimate scenario necessitating too many, or too few, key bits. So, I think this is throw-worthy, perhaps a \RangeException.

This isn't my area of expertise though -- so I'm copying Sara who, if memory serves, has recently been dealing with crypto.

See also Bug #72247[1].

[1]: https://bugs.php.net/bug.php?id=72247
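
A userland version of the check discussed in this message, as an added example that is not part of the original email or of PHP itself: it throws a \RangeException when the key length does not match the cipher. The helper names `assertKeyFits()`, `strictEncrypt()` and `strictDecrypt()` are hypothetical, and the code assumes PHP 8.2 or later, where `openssl_cipher_key_length()` is available.

```php
<?php
declare(strict_types=1);
// Added example; helper names are hypothetical. Needs PHP >= 8.2.

function assertKeyFits(string $cipher, string $key): void
{
    $expected = @openssl_cipher_key_length($cipher); // bytes, or false if unknown
    if ($expected === false) {
        throw new InvalidArgumentException("Unknown cipher: $cipher");
    }
    if (strlen($key) !== $expected) {
        throw new RangeException(sprintf(
            '%s needs a %d-bit key, got %d bits',
            $cipher, $expected * 8, strlen($key) * 8
        ));
    }
}

function strictEncrypt(string $plaintext, string $cipher, string $key): string
{
    assertKeyFits($cipher, $key);
    $iv = random_bytes(openssl_cipher_iv_length($cipher)); // assumes a cipher with an IV
    $ct = openssl_encrypt($plaintext, $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return $iv . $ct; // the IV is not secret; prepend it for the receiver
}

function strictDecrypt(string $blob, string $cipher, string $key): string
{
    assertKeyFits($cipher, $key);
    $ivLen = openssl_cipher_iv_length($cipher);
    $iv = substr($blob, 0, $ivLen);
    $pt = openssl_decrypt(substr($blob, $ivLen), $cipher, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('Decryption failed');
    }
    return $pt;
}

// Constructed sample data: a matching key and the oversized key from the thread.
$key128 = random_bytes(16);
$key256 = random_bytes(32);
$blob = strictEncrypt('constructed sample message', 'aes-128-cbc', $key128);
var_dump(strictDecrypt($blob, 'aes-128-cbc', $key128) === 'constructed sample message');
try {
    strictEncrypt('constructed sample message', 'aes-128-cbc', $key256);
} catch (RangeException $e) { echo $e->getMessage(), "\n"; }
```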