Newsgroups: php.internals
Date: Tue, 18 May 2010 14:17:51 -0700
From: pollita@php.net (Sara Golemon)
To: internals@lists.php.net
Subject: Re: [PHP-DEV] openssl_(en|de)crypt missing IV

>> Fixing this is a simple matter, but I wanted to bounce approaches for BC (or
>> lack thereof) off everyone else since this version of openssl_encrypt() is
>> already "in the wild".
>
>> I think it's worth a BC break. Comments?
>
> To break BC is a no go, even if your arguments are appealing (even in
> a major version).
>

I disagree about its no-go-ness, given the fact that these functions aren't particularly usable as-is, but it's also not worth a fight.

Given the comments made on list my intentions are as follows:

1) Add $iv as a fifth, optional parameter to openssl_(en|de)crypt()
2) Throw a warning if openssl_encrypt() is used without an IV
3) Add openssl_cipher_get_iv_length($cipher)

I intend to make these changes on both trunk and PHP_5_3 because, IMO, this is a bug, not merely a missing feature.

The only BC break is the warning raised when using openssl_encrypt() without an IV. Given the extremely bad practice using a NULL IV represents, I think this is a reasonable course of action.

-Sara
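
The fifth `$iv` parameter discussed in this message, shown in use as an added example (not code from the message or from the PHP source tree). It assumes PHP 7 or later for `random_bytes()` and `OPENSSL_RAW_DATA`, and calls `openssl_cipher_iv_length()`, the name the IV-length helper has in current PHP rather than the one proposed above; `encrypt_with_iv()` and `decrypt_with_iv()` are hypothetical helper names.

```php
<?php
// Added example; the key and message are constructed sample values.
const CIPHER = 'aes-256-cbc';

function encrypt_with_iv(string $plaintext, string $key): string
{
    // Fresh random IV for every message, sized for the chosen cipher.
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The IV is not secret; send it in front of the ciphertext.
    return $iv . $ct;
}

function decrypt_with_iv(string $blob, string $key): string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) <= $ivLen) {
        throw new InvalidArgumentException('blob too short for IV plus ciphertext');
    }
    $iv = substr($blob, 0, $ivLen);
    $pt = openssl_decrypt(substr($blob, $ivLen), CIPHER, $key, OPENSSL_RAW_DATA, $iv);
    if ($pt === false) {
        throw new RuntimeException('decryption failed');
    }
    return $pt;
}

$key = random_bytes(32);
$msg = 'transfer 100 to account 42';   // constructed sample plaintext

// Fixed all-zero IV: same key, same IV, same plaintext, encrypted twice.
$zeroIv = str_repeat("\0", openssl_cipher_iv_length(CIPHER));
$a = openssl_encrypt($msg, CIPHER, $key, OPENSSL_RAW_DATA, $zeroIv);
$b = openssl_encrypt($msg, CIPHER, $key, OPENSSL_RAW_DATA, $zeroIv);
var_dump($a === $b);   // are the two fixed-IV ciphertexts equal?

// Random IV per message: compare two encryptions, then round-trip one.
$c = encrypt_with_iv($msg, $key);
$d = encrypt_with_iv($msg, $key);
var_dump($c === $d);
var_dump(decrypt_with_iv($c, $key) === $msg);
```

CBC with a random IV gives confidentiality only; in real use, authenticate the IV and ciphertext or use an AEAD mode.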