rspec/rules/S2277/php/rule.adoc

Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue when `+openssl_public_encrypt+` is used with one the following padding constants: `+OPENSSL_NO_PADDING+` or `+OPENSSL_PKCS1_PADDING+` or `+OPENSSL_SSLV23_PADDING+`.

== Noncompliant Code Example

----
function encrypt($data, $key) {
  $crypted='';
  openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant
  return $crypted;
}
----

== Compliant Solution

----
function encrypt($data, $key) {
  $crypted='';
  openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING);
  return $crypted;
}
----

include::../see.adoc[]
Add all rules, update all rules fixing the inline code syntax 2020-12-21 15:38:52 +01:00			Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue when `+openssl_public_encrypt+` is used with one the following padding constants: `+OPENSSL_NO_PADDING+` or `+OPENSSL_PKCS1_PADDING+` or `+OPENSSL_SSLV23_PADDING+`.
Add rules 2000-2999 2020-06-30 12:48:07 +02:00
			`== Noncompliant Code Example`

			`----`
			`function encrypt($data, $key) {`
			`$crypted='';`
			`openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant`
			`return $crypted;`
			`}`
			`----`

			`== Compliant Solution`

			`----`
			`function encrypt($data, $key) {`
			`$crypted='';`
			`openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING);`
			`return $crypted;`
			`}`
			`----`

			`include::../see.adoc[]`