16f6c0aecf
Inline adoc files when they are included exactly once. Also fix language tags because this inlining gives us better information on what language the code is written in.
54 lines
1.3 KiB
Plaintext
54 lines
1.3 KiB
Plaintext
== Why is this an issue?
|
|
|
|
Without OAEP in RSA encryption, it takes less work for an attacker to decrypt the data or infer patterns from the ciphertext. This rule logs an issue when ``++openssl_public_encrypt++`` is used with one the following padding constants: ``++OPENSSL_NO_PADDING++`` or ``++OPENSSL_PKCS1_PADDING++`` or ``++OPENSSL_SSLV23_PADDING++``.
|
|
|
|
=== Noncompliant code example
|
|
|
|
[source,php]
|
|
----
|
|
function encrypt($data, $key) {
|
|
$crypted='';
|
|
openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant
|
|
return $crypted;
|
|
}
|
|
----
|
|
|
|
=== Compliant solution
|
|
|
|
[source,php]
|
|
----
|
|
function encrypt($data, $key) {
|
|
$crypted='';
|
|
openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING);
|
|
return $crypted;
|
|
}
|
|
----
|
|
|
|
include::../see.adoc[]
|
|
|
|
ifdef::env-github,rspecator-view[]
|
|
|
|
'''
|
|
== Implementation Specification
|
|
(visible only on this page)
|
|
|
|
=== Message
|
|
|
|
Use an RSA algorithm with a OAEP padding: OPENSSL_PKCS1_OAEP_PADDING.
|
|
|
|
|
|
'''
|
|
== Comments And Links
|
|
(visible only on this page)
|
|
|
|
=== on 16 Jul 2018, 14:28:55 Pierre-Yves Nicolas wrote:
|
|
The code examples are not consistent with the description in the parent RSPEC:
|
|
|
|
____
|
|
This rule logs an issue as soon as a literal value starts with RSA/NONE.
|
|
____
|
|
|
|
include::../comments-and-links.adoc[]
|
|
|
|
endif::env-github,rspecator-view[]
|