Move to AES-256-GCM for openssl_seal/open #25551
Conversation
🐘
$prev = null;

// We need to be able to extract the IV
if (strlen($encKeyFile) > 12) {
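Review bot: the `strlen($encKeyFile) > 12` test cannot tell a legacy key file apart from a new one carrying a 12-byte IV prefix, because a key file produced by openssl_seal() holds the RSA-encrypted envelope key and is therefore itself far longer than 12 bytes; every file, old or new, takes this branch, and an old file would have its first 12 bytes consumed as an IV. Branch on an explicit format marker or version prefix written with the new files instead, and if a length heuristic has to stay, add a comment stating why no legacy file can be longer than 12 bytes.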
Doesn't this mean we'd always go into this block, or am I missing something? Is there a case in which this is <= 12 for older files?
I'm not sure, might be for older files, yes...
#2182 suggests moving to
Force-pushed from 0b21799 to bc0d48c
Hi, of course this is not a PHP lesson, so my apologies if I am doing something obviously wrong. Out of curiosity: I am not able to use openssl_seal()/openssl_open() with the aes-256-gcm cipher. I suspect that PHP does not take the authentication tag into account, which is needed to validate the encrypted data. Specifically, the example code works for aes-256-ctr but not for the GCM cipher. I hope the example is fairly minimal. For demonstration purposes I have also added a direct call to openssl_decrypt(), which of course cannot work for the GCM cipher. However, neither does openssl_open(). So I wonder why your code is able to decrypt data sealed with the GCM cipher?
Example output:
Any move here? This is becoming a problem with recent OSes (Ubuntu 22.04, Fedora 36...) shipping OpenSSL v3, which removes the RC4 cipher by default. See #32003
/rebase
As I have already stated in my previous posts, you just cannot simply move the openssl_seal() stuff to AES-256-GCM. Please see my previous posts for example code and explanations, and in particular have a look at php/php-src#7737 and the related report php/doc-en#1210. The problem is that PHP still does not return the authentication tag, so you can happily use the GCM cipher to encrypt data, but you will not be able to decrypt it again because the auth tag is not returned by openssl_seal(). If one wants to stick to openssl_seal(), one has either to somehow push the PHP people to implement authenticated ciphers with openssl_seal() or to code this kind of sealing oneself. RC4 is not required for openssl_seal(), but no authenticated ciphertext will ATM work with openssl_seal() because it does not return the auth tag back to the caller.
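To make the point above concrete, the following is a hand-rolled envelope scheme that does what openssl_seal()/openssl_open() cannot do with an AEAD cipher: it encrypts with aes-256-gcm through openssl_encrypt(), keeps the 16-byte authentication tag next to the ciphertext, and wraps the random content key once per recipient with RSA-OAEP via openssl_public_encrypt(). This is an added example, not Nextcloud code and not a change to PHP itself; the names gcmSeal()/gcmOpen(), the envelope array layout and the 'file key material' sample input are assumptions made for illustration.

```php
<?php
// Added example (not Nextcloud or PHP core code): envelope encryption with
// AES-256-GCM done by hand, because openssl_seal()/openssl_open() never hand
// the GCM authentication tag back to the caller. One random content key is
// wrapped per recipient with RSA-OAEP; iv, tag and ciphertext travel together.
declare(strict_types=1);

const GCM_CIPHER  = 'aes-256-gcm';
const GCM_IV_LEN  = 12;  // 96-bit nonce, the GCM default
const GCM_TAG_LEN = 16;  // 128-bit authentication tag

/**
 * Seal $plaintext for every recipient public key (PEM) in $recipientPubKeys.
 * Returns the envelope: iv, tag, ciphertext and one wrapped key per recipient.
 * (Function name and array layout are this example's own choices.)
 *
 * @param string[] $recipientPubKeys
 * @return array{iv:string, tag:string, ct:string, keys:string[]}
 */
function gcmSeal(string $plaintext, array $recipientPubKeys): array
{
    $contentKey = random_bytes(32);
    $iv  = random_bytes(GCM_IV_LEN);
    $tag = '';
    $ct  = openssl_encrypt($plaintext, GCM_CIPHER, $contentKey, OPENSSL_RAW_DATA, $iv, $tag, '', GCM_TAG_LEN);
    if ($ct === false) {
        throw new RuntimeException('encrypt failed: ' . openssl_error_string());
    }
    $wrapped = [];
    foreach ($recipientPubKeys as $i => $pem) {
        if (!openssl_public_encrypt($contentKey, $wrapped[$i], $pem, OPENSSL_PKCS1_OAEP_PADDING)) {
            throw new RuntimeException('key wrap failed: ' . openssl_error_string());
        }
    }
    return ['iv' => $iv, 'tag' => $tag, 'ct' => $ct, 'keys' => $wrapped];
}

/**
 * Unwrap the content key with the recipient's private key (PEM), then decrypt
 * and verify the tag. Any change to iv, tag or ciphertext makes
 * openssl_decrypt() return false, so this fails before any plaintext is used.
 */
function gcmOpen(array $envelope, string $wrappedKey, string $privKeyPem): string
{
    if (!openssl_private_decrypt($wrappedKey, $contentKey, $privKeyPem, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('key unwrap failed: ' . openssl_error_string());
    }
    $pt = openssl_decrypt($envelope['ct'], GCM_CIPHER, $contentKey, OPENSSL_RAW_DATA, $envelope['iv'], $envelope['tag']);
    if ($pt === false) {
        throw new RuntimeException('authentication failed: tag does not match');
    }
    return $pt;
}

// Demo with a freshly generated RSA recipient key pair.
$priv = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
openssl_pkey_export($priv, $privPem);
$pubPem = openssl_pkey_get_details($priv)['key'];

$env = gcmSeal('file key material', [$pubPem]);   // constructed sample input
var_dump(gcmOpen($env, $env['keys'][0], $privPem) === 'file key material');

// Flip one ciphertext bit: the tag check rejects it and gcmOpen() throws.
$tampered = $env;
$tampered['ct'][0] = chr(ord($tampered['ct'][0]) ^ 0x01);
try {
    gcmOpen($tampered, $env['keys'][0], $privPem);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The tamper step is the property openssl_seal() cannot give you with an unauthenticated stream cipher: a modified sealed key is rejected at unwrap/decrypt time instead of being accepted and only caught later by some downstream check. In a real deployment the iv, tag and ct fields would be serialised together with the per-recipient wrapped keys, with an explicit format version so old and new key files can be told apart.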
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Force-pushed from bc0d48c to 905e6d8
A potential solution could be to reimplement the 1.) A new scheme that uses AES-256-GCM could be introduced.
@come-nc IMHO cryptographic processing should fail early. Currently, the encryption of the filekeys is not integrity-protected, meaning that an attacker who knows the recipients' public keys can replace the filekey, and Nextcloud will use it until finally the HMAC check of the individually encrypted file blocks fails. Using GCM mode would already fail upfront. I'd be even more thrilled to get rid of
... it would even be possible to not use openssl at all and choose something else like Halite. But yes: in order to use authenticated ciphertext one has to replace open_ssl() with something similar. If done properly, one could then make the use of openssl an option.
Which would make it more difficult to install Nextcloud as the
With #35916 I introduced
Seems obsoleted by #36173