Newsgroups: php.internals
Subject: Re: [PHP-DEV] [RFC] OpenSSL AEAD support
From: bishop@php.net (Bishop Bettini)
Date: Wed, 6 Jan 2016 10:35:09 -0500
To: Jakub Zelenka, Scott Arciszewski
Cc: PHP internals list

Hi Jakub,

On Wed, Jan 6, 2016 at 10:01 AM, Jakub Zelenka wrote:
> Hi,
>
> I would like to propose an addition to the openssl ext - extending
> openssl_encrypt and openssl_decrypt to support AEAD (Authenticated
> Encryption with Additional Data - GCM and CCM modes support). There was
> some discussion in the past and people have been asking about that for some
> time so I finally finished the implementation (it's more or less a rewrite of
> both functions) and created this RFC to discuss all concerns if there are
> any...
>
> https://wiki.php.net/rfc/openssl_aead

I think the API might need to be more generic so that any future cipher
modes with different parameters could also be passed in.

The reference model I'd suggest is the "context" parameter passed to
stream-related functions. Userland creates a context, then passes the
context to the encrypt/decrypt functions. The context is specific to the
wrapper and drives specific behavior. Encrypt can add to the context any
specific cipher state that needs to be passed along to decrypt.

Using this model, the openssl API might look like:

    $context = openssl_context_create([
        'aead' => [
            'aad'        => '...',
            'tag_length' => '...'
        ]
    ]);

    $ciphertext = openssl_encrypt(
        $data,
        $method,
        $password,
        $options,
        $iv,
        $context // here is the new parameter, encapsulating all cipher specifics
    );

    echo $context['aead']['tag']; // populated by openssl_encrypt

    $plaintext = openssl_decrypt(
        $ciphertext,
        $method,
        $password,
        $options,
        $iv,
        $context // fully-reversible, because all necessary data are in context
    );

Might also want to check in with Scott Arciszewski (copied), as he's
working on a new crypto API proposal.

Cheers,
bishop
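As an added example (not code from this thread or the RFC), the AEAD parameters that openssl_encrypt()/openssl_decrypt() carry as of PHP 7.1 (tag, aad, tag_length), exercised with AES-256-GCM to show that a bit-flipped ciphertext or a mismatched AAD fails tag verification; the key and associated data are constructed sample values.

```php
<?php
// Added example, not code from the thread or the RFC. Uses the AEAD parameters
// (tag, aad, tag_length) that openssl_encrypt()/openssl_decrypt() carry as of PHP 7.1.

function aead_encrypt(string $key, string $plaintext, string $aad): array
{
    $ivLen = openssl_cipher_iv_length('aes-256-gcm'); // 12 bytes for GCM
    $iv = random_bytes($ivLen);   // fresh per message: IV reuse under one key breaks GCM
    $tag = '';
    $ciphertext = openssl_encrypt(
        $plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, 16
    );
    if ($ciphertext === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    // iv, ciphertext and tag travel with the message; the AAD is sent in the clear
    return ['iv' => $iv, 'ct' => $ciphertext, 'tag' => $tag];
}

function aead_decrypt(string $key, array $msg, string $aad): ?string
{
    // openssl_decrypt() returns false when the tag does not verify, i.e. when the
    // ciphertext, the tag or the AAD differ from what was authenticated. Callers
    // must treat null as a hard failure, never as "decrypt anyway".
    $pt = openssl_decrypt(
        $msg['ct'], 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $msg['iv'], $msg['tag'], $aad
    );
    return $pt === false ? null : $pt;
}

function demo(): array
{
    $key = random_bytes(32);               // constructed 256-bit key
    $aad = 'user-id=42;version=1';         // constructed associated data: authenticated, not encrypted
    $msg = aead_encrypt($key, 'attack at dawn', $aad);

    $tampered = $msg;                      // flip one bit of the ciphertext
    $tampered['ct'][0] = chr(ord($tampered['ct'][0]) ^ 0x01);

    return [
        'intact'       => aead_decrypt($key, $msg, $aad),                   // untouched message, original AAD
        'bit_flipped'  => aead_decrypt($key, $tampered, $aad),              // one ciphertext bit changed
        'aad_mismatch' => aead_decrypt($key, $msg, 'user-id=43;version=1'), // same message, different AAD
    ];
}

var_dump(demo());
```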