Newsgroups: php.internals
Date: Wed, 6 Jan 2016 16:09:10 +0000
From: bukka@php.net (Jakub Zelenka)
To: bishop@php.net
Cc: Scott Arciszewski, PHP internals list
Subject: Re: [PHP-DEV] [RFC] OpenSSL AEAD support

Hi,

On Wed, Jan 6, 2016 at 3:35 PM, Bishop Bettini wrote:

> Hi Jakub,
>
> On Wed, Jan 6, 2016 at 10:01 AM, Jakub Zelenka wrote:
>>
>> https://wiki.php.net/rfc/openssl_aead
>
>
> I think the API might need to be more generic so that any future cipher
> modes with different parameters could also be passed in.
>
> The reference model I'd suggest is the "context" parameter passed to
> stream-related functions. Userland creates a context, then passes the
> context to the encrypt/decrypt functions. The context is specific to the
> wrapper and drives specific behavior. Encrypt can add to the context any
> specific cipher state that needs to be passed along to decrypt.
>
> Using this model, the openssl API might look like:
>
> $context = openssl_context_create([ 'aead' => [ 'aad' => '...',
>     'tag_length' => '...' ]]);
> $ciphertext = openssl_encrypt(
>     $data, $method, $password, $options, $iv,
>     $context // here is the new parameter, encapsulating all cipher specifics
> );
>
> echo $context['aead']['tag']; // populated by openssl_encrypt
>
> $plaintext = openssl_decrypt(
>     $ciphertext, $method, $password, $options, $iv,
>     $context // fully-reversible, because all necessary data are in context
> );
>

Please see the note in https://wiki.php.net/rfc/openssl_aead#rejected_features .
Any context-related features will add a lot to the size of the
implementation. In this case it would also mean introducing an object with
a dimension handler to the openssl ext, which doesn't really match the
rest of the extension API.
The proposed API is more conformant to the rest and the code addition is
also limited, which is very important from the maintenance point of view.

I already have an extension where you can do all of this context-related
stuff (see https://github.com/bukka/php-crypto) but I don't think that
anything like this should be part of the openssl ext. I think we should
concentrate on adding just the most important features with minimal code
addition to the openssl ext and also concentrate on fixing the actual
bugs. Bear in mind that all of this has to be maintained for a very long
time, and when you look at the regular contributors to the openssl ext,
you won't see too many people...

To sum it up, this is a minimal proposal to add AEAD support to the
openssl ext. Anything context-related is out of scope of this RFC.

Cheers

Jakub
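
Both designs discussed in this message have to carry the same AEAD values between the two calls: the AAD, the tag length, and the tag produced by encryption. As an added example (not code from the thread or the RFC), the following uses the flat `$tag`, `$aad` and `$tag_length` arguments that `openssl_encrypt()` and `openssl_decrypt()` accept in PHP 7.1 and later; the helper names `aead_seal` and `aead_open` and all sample values are assumptions made for the example.

```php
<?php
// Added example. Key, AAD and message below are constructed sample values.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16;

function aead_seal(string $plaintext, string $key, string $aad): array
{
    // Fresh random nonce per message; GCM must never reuse one under the same key.
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER));
    $tag = '';
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The nonce, ciphertext and tag all travel with the message.
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

function aead_open(array $msg, string $key, string $aad): string
{
    // openssl_decrypt() does not check the tag length itself, so a
    // truncated tag has to be rejected by the caller.
    if (strlen($msg['tag']) !== TAG_LEN) {
        throw new RuntimeException('bad tag length');
    }
    $pt = openssl_decrypt($msg['ct'], CIPHER, $key, OPENSSL_RAW_DATA, $msg['iv'], $msg['tag'], $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

$key = random_bytes(32);
$aad = 'record-id=42'; // authenticated but not encrypted
$msg = aead_seal('hello internals', $key, $aad);
echo aead_open($msg, $key, $aad), "\n";

// Each case changes one value the receiver supplies and must fail.
$cases = [
    'changed AAD'   => [$msg, 'record-id=43'],
    'truncated tag' => [array_merge($msg, ['tag' => substr($msg['tag'], 0, 4)]), $aad],
];
foreach ($cases as $name => [$m, $a]) {
    try {
        aead_open($m, $key, $a);
        echo "$name: accepted\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected ({$e->getMessage()})\n";
    }
}
```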