Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96742
Return-Path: <jakub.php@gmail.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 79543 invoked from network); 6 Nov 2016 19:19:52 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Nov 2016 19:19:52 -0000
Authentication-Results: pb1.pair.com header.from=jakub.php@gmail.com; sender-id=pass
Authentication-Results: pb1.pair.com smtp.mail=jakub.php@gmail.com; spf=pass; sender-id=pass
Received-SPF: pass (pb1.pair.com: domain gmail.com designates 209.85.217.176 as permitted sender)
X-PHP-List-Original-Sender: jakub.php@gmail.com
X-Host-Fingerprint: 209.85.217.176 mail-ua0-f176.google.com  
Received: from [209.85.217.176] ([209.85.217.176:36295] helo=mail-ua0-f176.google.com)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id D3/D4-33116-7528F185 for <internals@lists.php.net>; Sun, 06 Nov 2016 14:19:51 -0500
Received: by mail-ua0-f176.google.com with SMTP id b35so104414776uaa.3
        for <internals@lists.php.net>; Sun, 06 Nov 2016 11:19:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:sender:in-reply-to:references:from:date:message-id
         :subject:to:cc;
        bh=sQ9Uoh2qwywSHaJa7nn4R1cEzP7hdctLACR5cSlXUic=;
        b=j/ik1tN38iAsv5JWgE4TqbMSdK/2/YVDvx0+vy0igjcikzRDj+kLx8NymMQ/XtfI6H
         IlcCF+gAJfsmEbF6EhCMNg9/G/7pV/oMfTjqPZPPiBEZDuSsMKQvy3znycmi6Bn+MMS7
         yHjBUAAKlaf/sw9BV1KO0PEjDfZzsiCBTwgt/q0s+7UqavfFQ+oECC5GBQmuyOvwHR1O
         oS4H9XZV4WWQ9aW0eNWWjJAEIp2XyHeleTAduaIRW4vSOb7N1tpe48yQdVZhloSXKVeE
         jWKfVv4BsDrGwAhoB7XD9tW+bOkV36nRXFo2/U/2FMXZKao7e0L5HMaLjBWXhKWJcCTD
         Vy+Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:sender:in-reply-to:references:from
         :date:message-id:subject:to:cc;
        bh=sQ9Uoh2qwywSHaJa7nn4R1cEzP7hdctLACR5cSlXUic=;
        b=Ht05CzgfLMpZ97ZLnoYdhgnPK5xY/n2ccF7AEP/WpY+zTi3uvEdz+3CF0ps+uZHqCC
         4r8ttrfXXWV+F0JTgKylmM2FBWnJlOq/2hQH0YwafgKInmSiALhSxHu53b91CSlRCJX+
         doo1J44hVI5YqD7qYU3vYVfnKc5WwUjCU2ctitcK3j84+726vJzmNpqgqaUIMqiHf1Bh
         NAkc14Xe2/gufG1mClm9QzzpqUBAm/Bjl0u8FQuGc20XcjGTB+RbuAhz8Yj8YCVFd7D2
         xyCj4unLWBRplze2aKPknGaoEE2nVikDxwPQTG4RH19SRdbyp3RzGcE8K+SpnYvuNAFD
         2OvA==
X-Gm-Message-State: ABUngvfkWW2STZ6HAEk5BdHtdZRDg2voBPYDYaq6W3D3A6IcUNRz/slIL+2LNmD3p0rSgPSFI/NomRrDiAFhnQ==
X-Received: by 10.176.68.103 with SMTP id m94mr1851215uam.75.1478459988668;
 Sun, 06 Nov 2016 11:19:48 -0800 (PST)
MIME-Version: 1.0
Sender: jakub.php@gmail.com
Received: by 10.31.146.135 with HTTP; Sun, 6 Nov 2016 11:19:48 -0800 (PST)
In-Reply-To: <CAKws9z2C9cPYRWP4gAP=JiHEq2bDZT3z9v7JFRWnZiKg-QZH0Q@mail.gmail.com>
References: <CAKws9z2C9cPYRWP4gAP=JiHEq2bDZT3z9v7JFRWnZiKg-QZH0Q@mail.gmail.com>
Date: Sun, 6 Nov 2016 19:19:48 +0000
X-Google-Sender-Auth: FvLpfgr8QFnW5Ba2tH8L8RF9Pns
Message-ID: <CAEKnhAF-qbiaHNzenf4STYuNhde7Deep=MQB0SsnEX78QKv8og@mail.gmail.com>
To: Scott Arciszewski <scott@paragonie.com>
Cc: PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=94eb2c0ccbaa7074570540a6cad5
Subject: Re: [PHP-DEV] OpenSSL - New Defaults
From: bukka@php.net (Jakub Zelenka)

--94eb2c0ccbaa7074570540a6cad5
Content-Type: text/plain; charset=UTF-8

Hi,

On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski <scott@paragonie.com>
wrote:

> Hi,
>
> Can we change openssl_public_encrypt() and openssl_private_decrypt() from
> defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP?
>
> I'll create an RFC for this later. It will just prevent a lot of issues.
>
> To wit:
>
> - https://framework.zend.com/security/advisory/ZF2015-10
> -
> https://github.com/garyr/portunus/blob/89853c180c85c71baac7015cb77ff8
> ddae129942/src/Portunus/Crypt/RSA/PrivateKey.php#L20
> -
> https://github.com/NorseBlue/Sikker/blob/c158bab1e676d751e5228cb17ecf95
> 93c6b94e95/src/Asymmetric/Keys/PrivateKey.php#L72
>
> If we can't stop PHP developers who aren't cryptographers from writing
> their own high-level RSA implementation, we can at least make it safer by
> default.
>
>
We can't change default in 7.x as it would be a BC break and in this case a
very hard to catch BC break as the only way how we could let user know
about that is a documentation. This is a very low level function and
PKCSv1.5 is still used a lot so some apps might depend on. I think that the
default is bad but I don't think that breaking both function without notice
is a good solution as users might not be able to catch it especially if
it's some third party protocol that is not very secure but you don't have
choice because 3rd party won't change it (that was actually the only case
where I used these functions in practice so it's not made up). And even
worse if you don't have tests, then it breaks just production without a
warning...

What I would prefer instead is to deprecate calling
openssl_(private|public)_(en|de)crypt without a padding parameter. The
default would stay the same but user would get a deprecation message and
the parameter would become required in PHP 8. We should add a note to the
doc, to let the user know what the safest option is. It means OAEP
for openssl_private_decrypt and openssl_public_encrypt. In case of
openssl_public_decrypt and openssl_private_encrypt, we support just
PKCS1v1.5 but if we add support for PSS (would require a little bit of
tweaking as it works on EVP level only but might add it later), we could
easily recommend it then.

I have got actually very similar plan for openssl_seal and openssl_open
that have default method rc4. Again very bad default but the best way how
to let user know is to deprecate it rather than choose new default and
break compatibility.

Cheers

Jakub

--94eb2c0ccbaa7074570540a6cad5--