[NFR]: crypt->decode throws Warning #15879

destyk · 2022-01-27T15:21:46Z

The current issue is related to the Phalcon\Encryption\Crypt module. It lies in the fact that if any random string that is less than 16 bytes long is passed to the decryption function, then PHP throws a Warning: openssl_decrypt(): the passed IV is only 2 bytes long, cipher expects an IV exactly 16 bytes long.

Example:

// service.php
$di->set('crypt', function () {
    $crypt = new Crypt();
    $crypt
        ->setKey('secretKey')
        ->useSigning(true);

    return $crypt;
}, true);

// ExampleController.php
// ...

$encryptStr = $this->crypt->encryptBase64('plain text');

// throws Warning
$input = $this->crypt->decryptBase64('123');

This problem is, of course, solved by disabling the display of warnings in the production environment. However, I would like to see in the future a function to check the encoded string for the number of bytes required by the cipher in use.

Example:

// ExampleController.php
// ...

$input = 'str data';
if ($this->crypt->isValidInputLength($input)) {
    echo 'input length is valid. You can try to decode';
} else {
    echo 'input length is NOT valid. Don\'t even try to decode';
}

Many thanks in advance and have a nice day! :)

The text was updated successfully, but these errors were encountered:

niden · 2022-01-27T17:37:24Z

@destyk Thank you for reporting this. I will sort it out shortly.

noone-silent · 2022-02-10T05:27:14Z

Why using the complex error handler stuff? Because openssl_cipher_iv_length() raises a warning? Why not simply check with openssl_get_cipher_methods() if the cipher is supported?

niden · 2022-02-10T15:33:21Z

Why using the complex error handler stuff? Because openssl_cipher_iv_length() raises a warning? Why not simply check with openssl_get_cipher_methods() if the cipher is supported?

Yes that was the intent. Your solution is better and faster :)

niden · 2022-02-10T16:58:00Z

Why using the complex error handler stuff? Because openssl_cipher_iv_length() raises a warning? Why not simply check with openssl_get_cipher_methods() if the cipher is supported?

Actually looking at the code - and I forgot about this - the cipher is checked against the available ciphers so it will always be valid. I have simplified the code. Thank you @noone-silent

niden · 2022-02-10T17:08:26Z

Resolved in #15895

Thank you @destyk and @noone-silent

destyk added the new feature request Planned Feature or New Feature Request label Jan 27, 2022

niden added 5.0 The issues we want to solve in the 5.0 release bug A bug report status: medium Medium and removed new feature request Planned Feature or New Feature Request labels Jan 27, 2022

niden self-assigned this Jan 27, 2022

niden added this to Working on it in Phalcon Roadmap Jan 27, 2022

niden mentioned this issue Feb 10, 2022

T15879 crypt length #15895

Merged

5 tasks

niden linked a pull request Feb 10, 2022 that will close this issue

T15879 crypt length #15895

Merged

5 tasks

niden added new feature request Planned Feature or New Feature Request and removed bug A bug report status: medium Medium labels Feb 10, 2022

niden closed this as completed Feb 10, 2022

Phalcon Roadmap automation moved this from Working on it to Implemented Feb 10, 2022

destyk mentioned this issue Feb 11, 2022

[BUG]: $ in phalcon/Encryption/Crypt.zep #15900

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[NFR]: crypt->decode throws Warning #15879

[NFR]: crypt->decode throws Warning #15879

destyk commented Jan 27, 2022

niden commented Jan 27, 2022

noone-silent commented Feb 10, 2022

niden commented Feb 10, 2022

niden commented Feb 10, 2022

niden commented Feb 10, 2022

[NFR]: crypt->decode throws Warning #15879

[NFR]: crypt->decode throws Warning #15879

Comments

destyk commented Jan 27, 2022

niden commented Jan 27, 2022

noone-silent commented Feb 10, 2022

niden commented Feb 10, 2022

niden commented Feb 10, 2022

niden commented Feb 10, 2022