Newsgroups: php.internals Path: news.php.net Xref: news.php.net php.internals:81491 Return-Path: Mailing-List: contact internals-help@lists.php.net; run by ezmlm Delivered-To: mailing list internals@lists.php.net Received: (qmail 37916 invoked from network); 31 Jan 2015 16:21:34 -0000 Received: from unknown (HELO lists.php.net) (127.0.0.1) by localhost with SMTP; 31 Jan 2015 16:21:34 -0000 Authentication-Results: pb1.pair.com header.from=leight@gmail.com; sender-id=pass Authentication-Results: pb1.pair.com smtp.mail=leight@gmail.com; spf=pass; sender-id=pass Received-SPF: pass (pb1.pair.com: domain gmail.com designates 74.125.82.172 as permitted sender) X-PHP-List-Original-Sender: leight@gmail.com X-Host-Fingerprint: 74.125.82.172 mail-we0-f172.google.com Received: from [74.125.82.172] ([74.125.82.172:33572] helo=mail-we0-f172.google.com) by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP id 13/63-16633-C010DC45 for ; Sat, 31 Jan 2015 11:21:33 -0500 Received: by mail-we0-f172.google.com with SMTP id q59so31995525wes.3 for ; Sat, 31 Jan 2015 08:21:29 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=LLGnKbf7f4Kq64sLMspL/daeMWiH+DpwFG+DIpu3uhw=; b=nJTlzlmrzOgvUuLtOmDjpUNdCdofz1bJqapJBaZJMg4hOr07eUlG5DWjyffrrL1WPs UZKqmoQOL1VBWyclCWsWiZsZeuc3CbbK1HJovozuB2PHQsKADoRspN9Gif+20IcSnVMt H3eD1IlghTlK5FjK1gOZ5vjmQHqYPoe3fkEX/8YbIsx/WsmJZvmcu99isihpVPRdW4kA E5wfaKqHMqCUEBUYlk4JOn7zkn6eJ7zhXSAIwdA4ItREH2F4zf4uvjtd2OA9SuFyfCH5 LzuNNXotPfl2nEVeIzdWjSQuxcN0xHkZTP8USxrbQHqLjGxZhDRcSA/xxTF+W/NNMtXe DDpA== MIME-Version: 1.0 X-Received: by 10.194.236.200 with SMTP id uw8mr24795074wjc.10.1422721289221; Sat, 31 Jan 2015 08:21:29 -0800 (PST) Received: by 10.216.50.139 with HTTP; Sat, 31 Jan 2015 08:21:29 -0800 (PST) In-Reply-To: References: Date: Sat, 31 Jan 2015 16:21:29 +0000 Message-ID: To: Jason Gerfen Cc: PHP internals Content-Type: text/plain; charset=UTF-8 Subject: Re: [PHP-DEV] OpenSSL ext. improvements for authenticated cipher modes. From: leight@gmail.com (Leigh) On 31 January 2015 at 16:13, Jason Gerfen wrote: > On Sat, Jan 31, 2015 at 8:53 AM, Leigh wrote: >> At the very basic end of the spectrum, we could have openssl_get_tag >> and openssl_set_tag, or add an extra parameter to the end of >> openssl_encrypt and openssl_decrypt (pass by ref for encrypt, like >> preg $matches) this would cover the majority of use cases. >> > > I think exposing this to the user will only cause confusion and allow users > to implement mistakes to the algorithm and mode usage. > set/get tag functions are alto my least favourite options. > > According to the OpenSSL documentation regarding encryption/decryption using > CCM, GCM & OCB modes for authenticated usage would require the additions of > the following constants: > > EVP_CTRL_OCB_SET_TAGLEN > EVP_CTRL_SET_IVLEN > EVP_CTRL_GET_TAG > EVP_CTRL_CCM_SET_L > EVP_CTRL_CCM_SET_IVLEN > EVP_aes_256_gcm() > EVP_aes_128_gcm() > > That coupled with the use of the > > EVP_CIPHER_CTX_ctrl() > > should provide the needed functionality as described in > http://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption > the documentation for using the EVP authenticated modes for > encryption/decryption. > Thanks, I have done some cursory research into how it should be implemented, but I wanted this discussion to be about how we should present the functionality to the user. Implementation details can come second once we have a consensus on what is/isn't too much, and what method we should use to allow this functionality to be used.