Hi Internals,
I just spent this entire Saturday debugging code to discover that OpenSSL
truncates oversized keys.
Yeah, I was using a 256-bit key with AES-128-CBC, then trying to
decrypt it in another program never works.
I did some research and found that Ruby did it a few years ago:
https://github.com/ruby/ruby/commit/ce635262f53b760284d56bb1027baebaaec175d1?fbclid=IwAR2W3mJEljXwedq4VkhWjkXO0fsiEliORsuPSN2YqOAhkZk1fGfC3CqkPaU
And in fact, it's better to throw, or even warn/notice about it, instead of
silently allowing it. What do you think?
Regards,
Leo
On Sat, Aug 31, 2019 at 11:34 PM Leo Cavalcante <lc@leocavalcante.com> wrote:
...
Yeah, I was using a 256-bit key with AES-128-CBC, then trying to
decrypt it in another program never works.
And in fact, it's better to throw, or even warn/notice about it, instead of
silently allowing it. What do you think?
I can't imagine a legitimate scenario necessitating too many, or too
few, key bits.
So, I think this is throw-worthy, perhaps a \RangeException. This isn't my
area of expertise, though, so I'm copying Sara who, if memory serves, has
recently been dealing with crypto.
See also Bug #722471.
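To make the failure mode in both messages above concrete, here is an added example of my own; it is not code from the thread, from PHP, from OpenSSL, or from the Ruby commit Leo links. It is written in Ruby because Ruby is the precedent cited: since that change, OpenSSL::Cipher#key= raises ArgumentError when the key length does not match the cipher's key_len. The "lenient" functions below are my stand-in for an API that silently truncates (or zero-pads) a key to key_len before handing it to OpenSSL, emulated by slicing the key; the 32-byte key, IV and message are constructed sample inputs. The example encrypts with a 256-bit key under aes-128-cbc on the lenient side and then shows which receivers can read the result.

```ruby
require 'openssl'

CIPHER = 'aes-128-cbc'

# Constructed sample inputs (not from the thread): a 32-byte key, twice what
# AES-128 takes, a fixed IV, and a short message.
LONG_KEY = (1..32).map(&:chr).join.b   # bytes 0x01..0x20
IV       = ("\x00" * 16).b
MESSAGE  = 'attack at dawn'.b

# Lenient stand-in for an API that silently accepts any key length: only the
# first key_len bytes reach OpenSSL (a short key would be zero-padded). This
# emulates the truncation the post complains about; it is not PHP's code.
def lenient_cipher(key, iv, mode)
  c = OpenSSL::Cipher.new(CIPHER)
  mode == :encrypt ? c.encrypt : c.decrypt
  c.key = key.byteslice(0, c.key_len).ljust(c.key_len, "\x00".b)
  c.iv  = iv
  c
end

def lenient_encrypt(key, iv, plaintext)
  c = lenient_cipher(key, iv, :encrypt)
  c.update(plaintext) + c.final
end

def lenient_decrypt(key, iv, ciphertext)
  c = lenient_cipher(key, iv, :decrypt)
  c.update(ciphertext) + c.final
end

# Strict path: Ruby's Cipher#key= rejects a key whose byte length differs from
# key_len with ArgumentError ("key must be 16 bytes") before any byte is used.
def strict_decrypt(key, iv, ciphertext)
  c = OpenSSL::Cipher.new(CIPHER)
  c.decrypt
  c.key = key
  c.iv  = iv
  c.update(ciphertext) + c.final
end

# True if a strict implementation accepts this key, false if the length
# check fires.
def strict_key_accepted?(key)
  c = OpenSSL::Cipher.new(CIPHER)
  c.encrypt
  c.key = key
  true
rescue ArgumentError
  false
end

# The interoperability failure from the post: encrypt with a 32-byte key on
# the lenient side, then see which receivers can read the result.
def demo
  ct = lenient_encrypt(LONG_KEY, IV, MESSAGE)
  {
    # The sender believed it used a 256-bit key; only the first 16 bytes matter.
    decrypts_with_16_byte_prefix: lenient_decrypt(LONG_KEY.byteslice(0, 16), IV, ct) == MESSAGE,
    # Same lenient library on the receiving side: works, and nobody notices.
    decrypts_leniently_with_full_key: lenient_decrypt(LONG_KEY, IV, ct) == MESSAGE,
    # Strict library given the "real" 32-byte key: rejected up front.
    strict_accepts_full_key: strict_key_accepted?(LONG_KEY),
    # Strict library given the 16 bytes that were actually used: decrypts.
    strict_decrypts_with_prefix: strict_decrypt(LONG_KEY.byteslice(0, 16), IV, ct) == MESSAGE
  }
end

if $PROGRAM_NAME == __FILE__
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

The point for the thread: the lenient side produces ciphertext that is indistinguishable from one made with a 128-bit key, so a peer holding the "full" 256-bit key either gets a bad-decrypt error or, with a strict library, an ArgumentError naming the expected length. The second is the only one that tells the caller what actually went wrong, which is the argument for throwing rather than truncating.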