Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue when openssl_public_encrypt is used with one of the following padding constants: OPENSSL_NO_PADDING, OPENSSL_PKCS1_PADDING or OPENSSL_SSLV23_PADDING.
Noncompliant Code Example
function encrypt($data, $key) {
    $crypted = '';
    // Raw RSA with no padding: the same plaintext always yields the same ciphertext
    openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant
    return $crypted;
}
Compliant Solution
function encrypt($data, $key) {
    $crypted = '';
    // OAEP padding is randomized, so repeated plaintexts produce different ciphertexts
    openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING);
    return $crypted;
}
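The following round trip is an added example, not code from the rule page: it generates a throwaway key pair, encrypts with OAEP, shows that two encryptions of the same plaintext differ (the pattern-hiding property the rule description refers to), and decrypts with the matching padding mode. The function names encryptOaep and decryptOaep are this example's own.

```php
<?php
// Constructed key pair for the example; a real deployment would load an existing key.
$pair = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
openssl_pkey_export($pair, $privatePem);
$publicPem = openssl_pkey_get_details($pair)['key'];

function encryptOaep(string $data, string $publicKey): string {
    $crypted = '';
    // With a 2048-bit key and OAEP (SHA-1 in PHP's OpenSSL binding) the plaintext
    // must be at most 214 bytes; larger inputs make the call return false.
    if (!openssl_public_encrypt($data, $crypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA encryption failed: ' . openssl_error_string());
    }
    return $crypted;
}

function decryptOaep(string $ciphertext, string $privateKey): string {
    $plain = '';
    // The padding constant must match the one used for encryption; decrypting an
    // OAEP ciphertext with OPENSSL_PKCS1_PADDING fails instead of returning data.
    if (!openssl_private_decrypt($ciphertext, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

$message = 'constructed sample plaintext';
$first  = encryptOaep($message, $publicPem);
$second = encryptOaep($message, $publicPem);

// OAEP is randomized: identical plaintexts do not produce identical ciphertexts,
// which is exactly what OPENSSL_NO_PADDING cannot provide.
assert($first !== $second);
assert(decryptOaep($first, $privatePem) === $message);
assert(decryptOaep($second, $privatePem) === $message);
echo "OAEP round trip OK\n";
```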
Deprecated
This rule is deprecated; use {rule:php:S5542} instead.