Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[8.x] Use lowercase OpenSSL cipher names #38594

Merged
merged 1 commit into from
Aug 30, 2021
Merged

[8.x] Use lowercase OpenSSL cipher names #38594

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 15 additions & 15 deletions src/Illuminate/Encryption/Encrypter.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -30,10 +30,10 @@ class Encrypter implements EncrypterContract, StringEncrypter
* @var array
*/
private static $supportedCiphers = [
'AES-128-CBC' => ['size' => 16, 'aead' => false],
'AES-256-CBC' => ['size' => 32, 'aead' => false],
'AES-128-GCM' => ['size' => 16, 'aead' => true],
'AES-256-GCM' => ['size' => 32, 'aead' => true],
'aes-128-cbc' => ['size' => 16, 'aead' => false],
'aes-256-cbc' => ['size' => 32, 'aead' => false],
'aes-128-gcm' => ['size' => 16, 'aead' => true],
'aes-256-gcm' => ['size' => 32, 'aead' => true],
];

/**
Expand All @@ -45,11 +45,11 @@ class Encrypter implements EncrypterContract, StringEncrypter
*
* @throws \RuntimeException
*/
public function __construct($key, $cipher = 'AES-128-CBC')
public function __construct($key, $cipher = 'aes-128-cbc')
{
$key = (string) $key;

if (! static::supported($key, $cipher)) {
if (! static::supported($key, strtolower($cipher))) {
$ciphers = implode(', ', array_keys(self::$supportedCiphers));

throw new RuntimeException("Unsupported cipher or incorrect key length. Supported ciphers are: {$ciphers}.");
Expand Down Expand Up @@ -83,7 +83,7 @@ public static function supported($key, $cipher)
*/
public static function generateKey($cipher)
{
return random_bytes(self::$supportedCiphers[$cipher]['size'] ?? 32);
return random_bytes(self::$supportedCiphers[strtolower($cipher)]['size'] ?? 32);
}

/**
Expand All @@ -97,18 +97,18 @@ public static function generateKey($cipher)
*/
public function encrypt($value, $serialize = true)
{
$iv = random_bytes(openssl_cipher_iv_length($this->cipher));
$iv = random_bytes(openssl_cipher_iv_length(strtolower($this->cipher)));

$tag = '';

$value = self::$supportedCiphers[$this->cipher]['aead']
$value = self::$supportedCiphers[strtolower($this->cipher)]['aead']
? \openssl_encrypt(
$serialize ? serialize($value) : $value,
$this->cipher, $this->key, 0, $iv, $tag
strtolower($this->cipher), $this->key, 0, $iv, $tag
)
: \openssl_encrypt(
$serialize ? serialize($value) : $value,
$this->cipher, $this->key, 0, $iv
strtolower($this->cipher), $this->key, 0, $iv
);

if ($value === false) {
Expand All @@ -118,7 +118,7 @@ public function encrypt($value, $serialize = true)
$iv = base64_encode($iv);
$tag = base64_encode($tag);

$mac = self::$supportedCiphers[$this->cipher]['aead']
$mac = self::$supportedCiphers[strtolower($this->cipher)]['aead']
? '' // For AEAD-algoritms, the tag / MAC is returned by openssl_encrypt...
: $this->hash($iv, $value);

Expand Down Expand Up @@ -165,7 +165,7 @@ public function decrypt($payload, $unserialize = true)
// we will then unserialize it and return it out to the caller. If we are
// unable to decrypt this value we will throw out an exception message.
$decrypted = \openssl_decrypt(
$payload['value'], $this->cipher, $this->key, 0, $iv, $tag
$payload['value'], strtolower($this->cipher), $this->key, 0, $iv, $tag
);

if ($decrypted === false) {
Expand Down Expand Up @@ -219,7 +219,7 @@ protected function getJsonPayload($payload)
throw new DecryptException('The payload is invalid.');
}

if (! self::$supportedCiphers[$this->cipher]['aead'] && ! $this->validMac($payload)) {
if (! self::$supportedCiphers[strtolower($this->cipher)]['aead'] && ! $this->validMac($payload)) {
throw new DecryptException('The MAC is invalid.');
}

Expand All @@ -235,7 +235,7 @@ protected function getJsonPayload($payload)
protected function validPayload($payload)
{
return is_array($payload) && isset($payload['iv'], $payload['value'], $payload['mac']) &&
strlen(base64_decode($payload['iv'], true)) === openssl_cipher_iv_length($this->cipher);
strlen(base64_decode($payload['iv'], true)) === openssl_cipher_iv_length(strtolower($this->cipher));
}

/**
Expand Down
23 changes: 18 additions & 5 deletions tests/Encryption/EncrypterTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,19 @@ public function testWithCustomCipher()
$this->assertSame('foo', $e->decrypt($encrypted));
}

public function testCipherNamesCanBeMixedCase()
{
$upper = new Encrypter(str_repeat('b', 16), 'AES-128-GCM');
$encrypted = $upper->encrypt('bar');
$this->assertNotSame('bar', $encrypted);

$lower = new Encrypter(str_repeat('b', 16), 'aes-128-gcm');
$this->assertSame('bar', $lower->decrypt($encrypted));

$mixed = new Encrypter(str_repeat('b', 16), 'aEs-128-GcM');
$this->assertSame('bar', $mixed->decrypt($encrypted));
}

public function testThatAnAeadCipherIncludesTag()
{
$e = new Encrypter(str_repeat('b', 32), 'AES-256-GCM');
Expand All @@ -79,31 +92,31 @@ public function testThatANonAeadCipherIncludesMac()
public function testDoNoAllowLongerKey()
{
$this->expectException(RuntimeException::class);
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm.');

new Encrypter(str_repeat('z', 32));
}

public function testWithBadKeyLength()
{
$this->expectException(RuntimeException::class);
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm.');

new Encrypter(str_repeat('a', 5));
}

public function testWithBadKeyLengthAlternativeCipher()
{
$this->expectException(RuntimeException::class);
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm.');

new Encrypter(str_repeat('a', 16), 'AES-256-CFB8');
new Encrypter(str_repeat('a', 16), 'AES-256-GCM');
Copy link
Contributor Author

@Krisell Krisell Aug 30, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is unrelated to this PR but must have been a typo previously. It did not test what the test name says and was a clone of the neighbor test. Now it tests that a valid cipher but invalid key length throws as expected.

}

public function testWithUnsupportedCipher()
{
$this->expectException(RuntimeException::class);
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
$this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: aes-128-cbc, aes-256-cbc, aes-128-gcm, aes-256-gcm.');

new Encrypter(str_repeat('c', 16), 'AES-256-CFB8');
}
Expand Down