-
Notifications
You must be signed in to change notification settings - Fork 7.9k
Closed
Description
Description
Silently truncating keys in security-sensitive code/API's sounds horrible.
However, given PHP's commitment to backwards-compatibility, perhaps make truncation "deprecated" for a while, and make it throw in the future?
The following code:
<?php
$cipher = "aes-128-ctr";
$data = "test";
$passphrase = "KeyLengthIs16_12";
$iv = str_repeat("\x00", openssl_cipher_iv_length($cipher));
$flags = 0;
$m1 = openssl_encrypt(
$data,
$cipher,
$passphrase,
$flags,
$iv
);
$passphrase .= "3";
$m2 = openssl_encrypt(
$data,
$cipher,
$passphrase,
$flags,
$iv
);
var_dump($m1 === $m2);
Resulted in this output:
bool(true);
But I expected this output instead:
Fatal error: Uncaught LengthException: cipher key is too long, this cipher expects a key of precisely 16 bytes, 17 bytes provided.
PHP Version
PHP 8.1.7
Operating System
Ubuntu 22.04