Newsgroups: php.internals
Xref: news.php.net php.internals:90200
Date: Wed, 6 Jan 2016 18:17:36 +0200
From: albertcasademont@gmail.com (Albert Casademont)
To: Jakub Zelenka
Cc: Bishop Bettini, Scott Arciszewski, PHP internals list
Subject: Re: [PHP-DEV] [RFC] OpenSSL AEAD support

+1 thanks Jakub!

On Wed, Jan 6, 2016 at 6:09 PM, Jakub Zelenka wrote:

> Hi,
>
> On Wed, Jan 6, 2016 at 3:35 PM, Bishop Bettini wrote:
>
> > Hi Jakub,
> >
> > On Wed, Jan 6, 2016 at 10:01 AM, Jakub Zelenka wrote:
> > >
> > > https://wiki.php.net/rfc/openssl_aead
> >
> > I think the API might need to be more generic so that any future cipher
> > modes with different parameters could also be passed in.
> >
> > The reference model I'd suggest is the "context" parameter passed to
> > stream-related functions. Userland creates a context, then passes the
> > context to the encrypt/decrypt functions. The context is specific to the
> > wrapper and drives specific behavior. Encrypt can add to the context any
> > specific cipher state that needs to be passed along to decrypt.
> >
> > Using this model, the openssl API might look like:
> >
> > $context = openssl_context_create([ 'aead' => [ 'aad' => '...',
> >     'tag_length' => '...' ]]);
> > $ciphertext = openssl_encrypt(
> >     $data, $method, $password, $options, $iv,
> >     $context // here is the new parameter, encapsulating all cipher specifics
> > );
> >
> > echo $context['aead']['tag']; // populated by openssl_encrypt
> >
> > $plaintext = openssl_decrypt(
> >     $ciphertext, $method, $password, $options, $iv,
> >     $context // fully-reversible, because all necessary data are in context
> > );
>
> Please see the note in https://wiki.php.net/rfc/openssl_aead#rejected_features.
> Any context related features will add a lot to the size of the
> implementation. In this case it would also mean introducing an object with
> dimension handler to the openssl ext which doesn't really match with the
> rest of the extension API. The proposed API is more conformant to the rest
> and the code addition is also limited which is very important from the
> maintenance point of view.
>
> I already have an extension where you can do all of this context
> related stuff (see https://github.com/bukka/php-crypto) but I don't think
> that anything like this should be part of the openssl ext. I think we
> should concentrate on adding just the most important features with minimal
> code addition to openssl ext and also concentrate on fixing the actual
> bugs. Bear in mind that all of this has to be maintained for a very long time
> and when you look at the regular contributors to openssl ext, you won't see
> too many people...
>
> To sum it up, this is a minimal proposal to add AEAD support to openssl ext.
> Anything context related is out of scope of this RFC.
>
> Cheers
>
> Jakub
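
For comparison with the context-object sketch quoted above, here is the by-reference tag style of `openssl_encrypt()`/`openssl_decrypt()` as available in PHP 7.1 and later. This is an added example, not code from the thread or the RFC; the helper names `aead_seal`, `aead_open` and `try_open` and all sample values are constructed for illustration.

```php
<?php
declare(strict_types=1);
// Added example; helper names and sample values are constructed.
const CIPHER  = 'aes-256-gcm';
const TAG_LEN = 16; // bytes

function aead_seal(string $plaintext, string $aad, string $key): array
{
    $iv  = random_bytes(openssl_cipher_iv_length(CIPHER)); // 12-byte nonce, unique per message
    $tag = '';                                             // filled in by reference
    $ct  = openssl_encrypt($plaintext, CIPHER, $key, OPENSSL_RAW_DATA, $iv, $tag, $aad, TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    return ['iv' => $iv, 'ct' => $ct, 'tag' => $tag];
}

function aead_open(array $box, string $aad, string $key): string
{
    // openssl_decrypt() does not check the tag length itself, so a truncated
    // tag must be rejected here before it reaches OpenSSL.
    if (strlen($box['tag']) !== TAG_LEN) {
        throw new RuntimeException('unexpected tag length');
    }
    $pt = openssl_decrypt($box['ct'], CIPHER, $key, OPENSSL_RAW_DATA, $box['iv'], $box['tag'], $aad);
    if ($pt === false) {
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

function try_open(string $label, array $box, string $aad, string $key): void
{
    try {
        printf("%-16s ok: %s\n", $label, aead_open($box, $aad, $key));
    } catch (RuntimeException $e) {
        printf("%-16s rejected: %s\n", $label, $e->getMessage());
    }
}

// Constructed sample data.
$key  = random_bytes(32);
$aad  = 'record-id=42';
$box  = aead_seal('hello AEAD', $aad, $key);
$flip = $box['ct'] ^ str_pad("\x01", strlen($box['ct']), "\x00"); // flip one bit of the first byte
try_open('untouched', $box, $aad, $key);
try_open('wrong AAD', $box, 'record-id=43', $key);
try_open('flipped ct bit', ['ct' => $flip] + $box, $aad, $key);
try_open('truncated tag', ['tag' => substr($box['tag'], 0, 4)] + $box, $aad, $key);
```

Only the first call decrypts; the other three are rejected, which is the property the tag and AAD parameters exist to provide.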