Newsgroups: php.internals
Path: news.php.net
Xref: news.php.net php.internals:96744
Return-Path: <me@kelunik.com>
Mailing-List: contact internals-help@lists.php.net; run by ezmlm
Delivered-To: mailing list internals@lists.php.net
Received: (qmail 82725 invoked from network); 6 Nov 2016 19:34:17 -0000
Received: from unknown (HELO lists.php.net) (127.0.0.1)
  by localhost with SMTP; 6 Nov 2016 19:34:17 -0000
Authentication-Results: pb1.pair.com smtp.mail=me@kelunik.com; spf=permerror; sender-id=unknown
Authentication-Results: pb1.pair.com header.from=me@kelunik.com; sender-id=unknown
Received-SPF: error (pb1.pair.com: domain kelunik.com from 81.169.146.219 cause and error)
X-PHP-List-Original-Sender: me@kelunik.com
X-Host-Fingerprint: 81.169.146.219 mo4-p00-ob.smtp.rzone.de  
Received: from [81.169.146.219] ([81.169.146.219:30795] helo=mo4-p00-ob.smtp.rzone.de)
	by pb1.pair.com (ecelerity 2.1.1.9-wez r(12769M)) with ESMTP
	id 92/85-33116-7B58F185 for <internals@lists.php.net>; Sun, 06 Nov 2016 14:34:16 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; t=1478460851; l=6929;
	s=domk; d=kelunik.com;
	h=Content-Type:Cc:To:Subject:Date:From:References:In-Reply-To:
	MIME-Version;
	bh=oYexbpXwyThq7J0N93AcyVGsyuNxXUwyjcvZ6GZOsJY=;
	b=K+ZPlD9CspOclg/1rtkMvl0K4/fU+3VXacFb0cZduQawtMEgvyH4SaOsEritRDDSPbw
	QPNkqjQ2F5TZmgrfjTzigucdkbkp0f07CK0Rhd+bcoKGoT2klllWvxbY8c9RnJ3IkzuO4
	pZsVpmS1M6gRMAa9WMR7gMnsaeAPIKibJxo=
X-RZG-AUTH: :IWkkfkWkbvHsXQGmRYmUo9mls2vWuiu+7SLGvomb4bl9EfHtOnc6
X-RZG-CLASS-ID: mo00
Received: from mail-wm0-f54.google.com ([74.125.82.54])
	by smtp.strato.de (RZmta 39.7 AUTH)
	with ESMTPSA id I097c1sA6JYB8uT
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (curve secp384r1 with 384 ECDH bits, eq. 7680 bits RSA))
	(Client did not present a certificate)
	for <internals@lists.php.net>;
	Sun, 6 Nov 2016 20:34:11 +0100 (CET)
Received: by mail-wm0-f54.google.com with SMTP id t79so140781638wmt.0
        for <internals@lists.php.net>; Sun, 06 Nov 2016 11:34:11 -0800 (PST)
X-Gm-Message-State: ABUngvfL/lnvp6tr2QXd5saM9qTenOi5pBpytcUFTcxJa1qDnijhqy+Sp7CYfvbAaTXANO+XZTp78tfqmu3VJg==
X-Received: by 10.194.60.106 with SMTP id g10mr3140986wjr.151.1478460851631;
 Sun, 06 Nov 2016 11:34:11 -0800 (PST)
MIME-Version: 1.0
Received: by 10.80.135.133 with HTTP; Sun, 6 Nov 2016 11:34:11 -0800 (PST)
In-Reply-To: <CAEKnhAF-qbiaHNzenf4STYuNhde7Deep=MQB0SsnEX78QKv8og@mail.gmail.com>
References: <CAKws9z2C9cPYRWP4gAP=JiHEq2bDZT3z9v7JFRWnZiKg-QZH0Q@mail.gmail.com>
 <CAEKnhAF-qbiaHNzenf4STYuNhde7Deep=MQB0SsnEX78QKv8og@mail.gmail.com>
Date: Sun, 6 Nov 2016 20:34:11 +0100
X-Gmail-Original-Message-ID: <CANUQDCgMhLC7p=-YZ2zU5aX1Z3HuH_SGd+unbMHh==A5ntKLtw@mail.gmail.com>
Message-ID: <CANUQDCgMhLC7p=-YZ2zU5aX1Z3HuH_SGd+unbMHh==A5ntKLtw@mail.gmail.com>
To: Jakub Zelenka <bukka@php.net>
Cc: Scott Arciszewski <scott@paragonie.com>, PHP Internals <internals@lists.php.net>
Content-Type: multipart/alternative; boundary=047d7b86ead4e049ec0540a6fd75
Subject: Re: [PHP-DEV] OpenSSL - New Defaults
From: me@kelunik.com (Niklas Keller)

--047d7b86ead4e049ec0540a6fd75
Content-Type: text/plain; charset=UTF-8

2016-11-06 20:19 GMT+01:00 Jakub Zelenka <bukka@php.net>:

> Hi,
>
> On Thu, Nov 3, 2016 at 4:11 PM, Scott Arciszewski <scott@paragonie.com>
> wrote:
>
> > Hi,
> >
> > Can we change openssl_public_encrypt() and openssl_private_decrypt() from
> > defaulting to PKCS1v1.5 padding, in favor of defaulting to OAEP?
> >
> > I'll create an RFC for this later. It will just prevent a lot of issues.
> >
> > To wit:
> >
> > - https://framework.zend.com/security/advisory/ZF2015-10
> > -
> > https://github.com/garyr/portunus/blob/89853c180c85c71baac7015cb77ff8
> > ddae129942/src/Portunus/Crypt/RSA/PrivateKey.php#L20
> > -
> > https://github.com/NorseBlue/Sikker/blob/c158bab1e676d751e5228cb17ecf95
> > 93c6b94e95/src/Asymmetric/Keys/PrivateKey.php#L72
> >
> > If we can't stop PHP developers who aren't cryptographers from writing
> > their own high-level RSA implementation, we can at least make it safer by
> > default.
> >
> >
> We can't change default in 7.x as it would be a BC break and in this case a
> very hard to catch BC break as the only way how we could let user know
> about that is a documentation. This is a very low level function and
> PKCSv1.5 is still used a lot so some apps might depend on. I think that the
> default is bad but I don't think that breaking both function without notice
> is a good solution as users might not be able to catch it especially if
> it's some third party protocol that is not very secure but you don't have
> choice because 3rd party won't change it (that was actually the only case
> where I used these functions in practice so it's not made up). And even
> worse if you don't have tests, then it breaks just production without a
> warning...
>
> What I would prefer instead is to deprecate calling
> openssl_(private|public)_(en|de)crypt without a padding parameter. The
> default would stay the same but user would get a deprecation message and
> the parameter would become required in PHP 8. We should add a note to the
> doc, to let the user know what the safest option is. It means OAEP
> for openssl_private_decrypt and openssl_public_encrypt. In case of
> openssl_public_decrypt and openssl_private_encrypt, we support just
> PKCS1v1.5 but if we add support for PSS (would require a little bit of
> tweaking as it works on EVP level only but might add it later), we could
> easily recommend it then.
>
> I have got actually very similar plan for openssl_seal and openssl_open
> that have default method rc4. Again very bad default but the best way how
> to let user know is to deprecate it rather than choose new default and
> break compatibility.
>
> Cheers
>
> Jakub
>

Huge +1 for that plan!

Regards, Niklas

--047d7b86ead4e049ec0540a6fd75--