diff --git a/reference/hash/functions/hash-pbkdf2.xml b/reference/hash/functions/hash-pbkdf2.xml
index 1460d0ac84..fd374fd37a 100644
--- a/reference/hash/functions/hash-pbkdf2.xml
+++ b/reference/hash/functions/hash-pbkdf2.xml
@@ -140,9 +140,9 @@
$password = "password";
$iterations = 1000;
-// Generate a random IV using mcrypt_create_iv(),
-// openssl_random_pseudo_bytes() or another suitable source of randomness
-$salt = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
+// Generate a random IV using openssl_random_pseudo_bytes()
+// random_bytes() or another suitable source of randomness
+$salt = openssl_random_pseudo_bytes(16);
$hash = hash_pbkdf2("sha256", $password, $salt, $iterations, 20);
echo $hash;
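Review bot: The new comment above the `$salt` assignment still calls the value a "random IV" and drops the comma after `openssl_random_pseudo_bytes()`, although the value is used as the PBKDF2 salt; `// Generate a random salt using random_bytes(), openssl_random_pseudo_bytes() or another suitable source of randomness` would read correctly. Since the comment already names random_bytes(), the example could call it directly with `$salt = random_bytes(16);`, which throws on failure, whereas openssl_random_pseudo_bytes() could return false on PHP versions before 7.4. The unchanged `$iterations = 1000;` is also below the 10,000 minimum that this same commit documents in openssl-pbkdf2.xml, so `$iterations = 10000;` would keep the two pages consistent.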
@@ -182,6 +182,7 @@ echo $hash;
hash_init
hash_hmac
hash_hmac_file
+ openssl_pbkdf2
diff --git a/reference/openssl/functions/openssl-get-cipher-methods.xml b/reference/openssl/functions/openssl-get-cipher-methods.xml
index c7806ac1a0..7f294e5d60 100644
--- a/reference/openssl/functions/openssl-get-cipher-methods.xml
+++ b/reference/openssl/functions/openssl-get-cipher-methods.xml
@@ -59,10 +59,19 @@ $ciphers = openssl_get_cipher_methods();
$ciphers_and_aliases = openssl_get_cipher_methods(true);
$cipher_aliases = array_diff($ciphers_and_aliases, $ciphers);
+//ECB mode should be avoided
+$ciphers = array_filter( $ciphers, function($n) { return stripos($n,"ecb")===FALSE; } );
+
+//At least as early as Aug 2016, Openssl declared the following weak: RC2, RC4, DES, 3DES, MD5 based
+$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"des")===FALSE; } );
+$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc2")===FALSE; } );
+$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"rc4")===FALSE; } );
+$ciphers = array_filter( $ciphers, function($c) { return stripos($c,"md5")===FALSE; } );
+$cipher_aliases = array_filter( $cipher_aliases, function($c) { return stripos($c,"des")===FALSE; } );
+$cipher_aliases = array_filter( $cipher_aliases, function($c) { return stripos($c,"rc2")===FALSE; } );
+
print_r($ciphers);
-
print_r($cipher_aliases);
-
?>
]]>
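Review bot: The two lists are filtered against different denylists: `$ciphers` is checked for ecb, des, rc2, rc4 and md5, while `$cipher_aliases` is checked only for des and rc2, so an alias containing one of the other names would still be printed. Matching substrings of cipher names is also only a rough denylist; the expected output further down still lists 64-bit block ciphers (BF, CAST5, IDEA) and unauthenticated modes, so a comment should say that the result is illustrative and not a list of recommended ciphers. The seven `array_filter` passes can be one shared predicate applied to both arrays, as sketched below. If an alias does match the wider list, the expected output in the following hunks would need regenerating.

```php
// Substring denylist for illustration only; what remains is not a list of recommended ciphers.
$weak = array('ecb', 'des', 'rc2', 'rc4', 'md5');
$not_weak = function ($name) use ($weak) {
    foreach ($weak as $needle) {
        if (stripos($name, $needle) !== false) {
            return false;
        }
    }
    return true;
};
$ciphers = array_filter($ciphers, $not_weak);
$cipher_aliases = array_filter($cipher_aliases, $not_weak);
// … unchanged: print_r($ciphers); print_r($cipher_aliases); …
```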
@@ -75,108 +84,50 @@ Array
[1] => AES-128-CFB
[2] => AES-128-CFB1
[3] => AES-128-CFB8
- [4] => AES-128-ECB
[5] => AES-128-OFB
[6] => AES-192-CBC
[7] => AES-192-CFB
[8] => AES-192-CFB1
[9] => AES-192-CFB8
- [10] => AES-192-ECB
[11] => AES-192-OFB
[12] => AES-256-CBC
[13] => AES-256-CFB
[14] => AES-256-CFB1
[15] => AES-256-CFB8
- [16] => AES-256-ECB
[17] => AES-256-OFB
[18] => BF-CBC
[19] => BF-CFB
- [20] => BF-ECB
[21] => BF-OFB
[22] => CAST5-CBC
[23] => CAST5-CFB
- [24] => CAST5-ECB
[25] => CAST5-OFB
- [26] => DES-CBC
- [27] => DES-CFB
- [28] => DES-CFB1
- [29] => DES-CFB8
- [30] => DES-ECB
- [31] => DES-EDE
- [32] => DES-EDE-CBC
- [33] => DES-EDE-CFB
- [34] => DES-EDE-OFB
- [35] => DES-EDE3
- [36] => DES-EDE3-CBC
- [37] => DES-EDE3-CFB
- [38] => DES-EDE3-OFB
- [39] => DES-OFB
- [40] => DESX-CBC
[41] => IDEA-CBC
[42] => IDEA-CFB
- [43] => IDEA-ECB
[44] => IDEA-OFB
- [45] => RC2-40-CBC
- [46] => RC2-64-CBC
- [47] => RC2-CBC
- [48] => RC2-CFB
- [49] => RC2-ECB
- [50] => RC2-OFB
- [51] => RC4
- [52] => RC4-40
[53] => aes-128-cbc
[54] => aes-128-cfb
[55] => aes-128-cfb1
[56] => aes-128-cfb8
- [57] => aes-128-ecb
[58] => aes-128-ofb
[59] => aes-192-cbc
[60] => aes-192-cfb
[61] => aes-192-cfb1
[62] => aes-192-cfb8
- [63] => aes-192-ecb
[64] => aes-192-ofb
[65] => aes-256-cbc
[66] => aes-256-cfb
[67] => aes-256-cfb1
[68] => aes-256-cfb8
- [69] => aes-256-ecb
[70] => aes-256-ofb
[71] => bf-cbc
[72] => bf-cfb
- [73] => bf-ecb
[74] => bf-ofb
[75] => cast5-cbc
[76] => cast5-cfb
- [77] => cast5-ecb
[78] => cast5-ofb
- [79] => des-cbc
- [80] => des-cfb
- [81] => des-cfb1
- [82] => des-cfb8
- [83] => des-ecb
- [84] => des-ede
- [85] => des-ede-cbc
- [86] => des-ede-cfb
- [87] => des-ede-ofb
- [88] => des-ede3
- [89] => des-ede3-cbc
- [90] => des-ede3-cfb
- [91] => des-ede3-ofb
- [92] => des-ofb
- [93] => desx-cbc
[94] => idea-cbc
[95] => idea-cfb
- [96] => idea-ecb
[97] => idea-ofb
- [98] => rc2-40-cbc
- [99] => rc2-64-cbc
- [100] => rc2-cbc
- [101] => rc2-cfb
- [102] => rc2-ecb
- [103] => rc2-ofb
- [104] => rc4
- [105] => rc4-40
)
Array
(
@@ -186,11 +137,7 @@ Array
[21] => BF
[26] => CAST
[27] => CAST-cbc
- [32] => DES
- [47] => DES3
- [48] => DESX
[50] => IDEA
- [55] => RC2
[82] => aes128
[83] => aes192
[84] => aes256
@@ -198,11 +145,7 @@ Array
[90] => blowfish
[91] => cast
[92] => cast-cbc
- [97] => des
- [112] => des3
- [113] => desx
[115] => idea
- [120] => rc2
)
]]>
diff --git a/reference/openssl/functions/openssl-pbkdf2.xml b/reference/openssl/functions/openssl-pbkdf2.xml
index 8f37ddda71..4c1164ef76 100644
--- a/reference/openssl/functions/openssl-pbkdf2.xml
+++ b/reference/openssl/functions/openssl-pbkdf2.xml
@@ -4,7 +4,7 @@
openssl_pbkdf2
- Generates a PKCS5 v2 PBKDF2 string, defaults to SHA-1
+ Generates a PKCS5 v2 PBKDF2 string
@@ -18,11 +18,10 @@
stringdigest_algorithm
-
+ openssl_pbkdf2 computes PBKDF2 (Password-Based Key Derivation Function 2),
+ a key derivation function defined in PKCS5 v2.
- &warn.undocumented.func;
-
@@ -32,7 +31,7 @@
password
-
+ Password from which the derived key is generated.
@@ -40,7 +39,7 @@
salt
-
+ PBKDF2 recommends a crytographic salt of at least 64 bits (8 bytes).
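Review bot: The added salt description misspells "cryptographic" as `crytographic`, and it attributes the recommendation to PBKDF2 itself rather than to the specification that defines it. The 64-bit figure matches the PKCS #5 text, but the iterations entry in this same file cites NIST, whose SP 800-132 guidance asks for a salt of at least 128 bits, and the hash_pbkdf2 example in this commit already uses 16 bytes. Suggested wording: `The PKCS #5 specification recommends a cryptographic salt of at least 64 bits (8 bytes); NIST SP 800-132 recommends at least 128 bits (16 bytes).`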
@@ -48,7 +47,7 @@
key_length
-
+ Length of desired output key.
@@ -56,7 +55,9 @@
iterations
-
+ The number of iterations desired. NIST
+ recommends at least 10,000.
@@ -64,7 +65,7 @@
digest_algorithm
-
+ Optional hash or digest algorithm from openssl_get_md_methods. Defaults to SHA-1.
@@ -74,10 +75,42 @@
&reftitle.returnvalues;
- Returns string&return.falseforfailure;.
+ Returns raw binary string&return.falseforfailure;.
+
+ &reftitle.examples;
+
+
+ openssl_pbkdf2() example
+
+
+]]>
+
+
+
+
+
+
+
+ &reftitle.seealso;
+
+
+ hash_pbkdf2
+ openssl_get_md_methods
+
+
+