Newsgroups: php.internals
Date: Thu, 3 Nov 2016 12:11:03 -0400
From: Scott Arciszewski <scott@paragonie.com>
To: PHP Internals <internals@lists.php.net>
Subject: OpenSSL - New Defaults

Hi,

Can we change openssl_public_encrypt() and openssl_private_decrypt() from defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP?

I'll create an RFC for this later. It will just prevent a lot of issues. To wit:

- https://framework.zend.com/security/advisory/ZF2015-10
- https://github.com/garyr/portunus/blob/89853c180c85c71baac7015cb77ff8ddae129942/src/Portunus/Crypt/RSA/PrivateKey.php#L20
- https://github.com/NorseBlue/Sikker/blob/c158bab1e676d751e5228cb17ecf9593c6b94e95/src/Asymmetric/Keys/PrivateKey.php#L72

If we can't stop PHP developers who aren't cryptographers from writing their own high-level RSA implementation, we can at least make it safer by default.

Scott Arciszewski
Chief Development Officer
Paragon Initiative Enterprises
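Until (or unless) the default changes, the defensive move on the application side is to never rely on the fourth parameter's default and to pin OAEP explicitly on both the encrypt and decrypt calls. The following is an added example written for this page, not code from the original message or from PHP's own sources; the wrapper names `oaepEncrypt`/`oaepDecrypt` are this example's own, and the key pair is generated at run time purely for the demonstration. It also shows what a silent default mismatch looks like: a ciphertext produced under the implicit PKCS#1 v1.5 default will not decrypt when the receiver pins OAEP.

```php
<?php
// Added example (not from the original message or from PHP itself):
// thin wrappers that always pass OPENSSL_PKCS1_OAEP_PADDING instead of
// relying on openssl_public_encrypt()/openssl_private_decrypt() defaults,
// which select PKCS#1 v1.5 when the padding argument is omitted.
// oaepEncrypt/oaepDecrypt are names chosen for this example.

declare(strict_types=1);

function oaepEncrypt(string $plaintext, string $publicKeyPem): string
{
    $ciphertext = '';
    // The padding mode is passed explicitly; omitting it means PKCS#1 v1.5.
    $ok = openssl_public_encrypt(
        $plaintext,
        $ciphertext,
        $publicKeyPem,
        OPENSSL_PKCS1_OAEP_PADDING
    );
    if ($ok !== true) {
        throw new RuntimeException('RSA-OAEP encryption failed: ' . openssl_error_string());
    }
    return $ciphertext;
}

function oaepDecrypt(string $ciphertext, string $privateKeyPem): string
{
    $plaintext = '';
    $ok = openssl_private_decrypt(
        $ciphertext,
        $plaintext,
        $privateKeyPem,
        OPENSSL_PKCS1_OAEP_PADDING
    );
    if ($ok !== true) {
        // Keep the failure reason generic so callers cannot be turned into
        // a padding oracle by surfacing OpenSSL's detailed error text.
        throw new RuntimeException('RSA-OAEP decryption failed');
    }
    return $plaintext;
}

// Constructed key pair for the demonstration only; generated at run time.
$key = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($key, $privatePem);
$publicPem = openssl_pkey_get_details($key)['key'];

// Round trip with both sides pinned to OAEP.
$message = 'constructed sample message';
$ct = oaepEncrypt($message, $publicPem);
if (oaepDecrypt($ct, $privatePem) !== $message) {
    throw new LogicException('OAEP round trip did not return the original message');
}

// The mismatch case: the sender forgot the padding argument (PKCS#1 v1.5 by
// default), the receiver pins OAEP. The decrypt call returns false rather
// than plaintext, which is how such a default mismatch surfaces in practice.
$legacyCt = '';
openssl_public_encrypt($message, $legacyCt, $publicPem); // implicit PKCS#1 v1.5
$out = '';
$mixed = openssl_private_decrypt($legacyCt, $out, $privatePem, OPENSSL_PKCS1_OAEP_PADDING);
echo $mixed === false
    ? "padding mismatch detected: v1.5 ciphertext rejected under OAEP\n"
    : "unexpected: mixed-mode decryption succeeded\n";
```

Two practical notes. First, grep a code base for `openssl_public_encrypt(` and `openssl_private_decrypt(` calls with only three arguments; each one is relying on the PKCS#1 v1.5 default the message is arguing against. Second, the OAEP mode exposed by this constant uses OpenSSL's default OAEP parameters (SHA-1 for the hash and MGF1), so if the peer is a non-PHP system using OAEP with SHA-256, the parameters must be agreed out of band; the PHP extension offers no argument to change them here.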