Without OAEP, RSA encryption gives an attacker an easier job. ``++OPENSSL_NO_PADDING++`` is textbook RSA: it is deterministic (the same plaintext under the same key always produces the same ciphertext) and malleable, so ciphertexts reveal repeated messages and can be transformed without the key. ``++OPENSSL_PKCS1_PADDING++`` (PKCS#1 v1.5) and ``++OPENSSL_SSLV23_PADDING++`` (its SSLv2/v3 variant) are randomized but not secure against chosen-ciphertext attacks: a decryptor that reveals whether the padding was valid, even indirectly through an error message or timing, acts as a padding oracle and lets an attacker recover plaintexts. ``++OPENSSL_PKCS1_OAEP_PADDING++`` does not have these weaknesses. This rule raises an issue when ``++openssl_public_encrypt++`` is used with one of the following padding constants: ``++OPENSSL_NO_PADDING++``, ``++OPENSSL_PKCS1_PADDING++`` or ``++OPENSSL_SSLV23_PADDING++``.


== Noncompliant Code Example

----
function encrypt($data, $key) {
  $crypted='';
  // Textbook RSA: no padding at all. OpenSSL also requires $data to be exactly
  // the modulus size, so callers pad with zeros, which is still deterministic.
  openssl_public_encrypt($data, $crypted, $key, OPENSSL_NO_PADDING); // Noncompliant
  return $crypted;
}
----


== Compliant Solution

----
function encrypt($data, $key) {
  $crypted='';
  // OAEP adds a random seed, so encryption is non-deterministic and resists
  // padding-oracle attacks. Check the result: the function returns false on failure.
  if (!openssl_public_encrypt($data, $crypted, $key, OPENSSL_PKCS1_OAEP_PADDING)) {
    throw new RuntimeException('RSA encryption failed: ' . openssl_error_string());
  }
  return $crypted;
}
----
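The following is an added example and is not part of the rule page. It puts the two padding modes side by side with a throwaway key pair: ``++OPENSSL_NO_PADDING++`` produces the same ciphertext every time the same message is encrypted, while ``++OPENSSL_PKCS1_OAEP_PADDING++`` produces different ciphertexts that only the matching OAEP decryption with ``++openssl_private_decrypt++`` recovers. The 2048-bit key size and the helper names ``++encryptOaep++`` / ``++decryptOaep++`` are assumptions made for the example.

```php
<?php
// Added example, not part of the rule page. It contrasts OPENSSL_NO_PADDING
// (textbook RSA) with OPENSSL_PKCS1_OAEP_PADDING and shows the matching
// private-key decryption. The 2048-bit key size and the helper names are assumptions.
declare(strict_types=1);

const RSA_BITS = 2048;              // assumption: key size chosen for the demo
const RSA_BYTES = RSA_BITS / 8;     // 256-byte modulus

function encryptOaep(string $data, $publicKey): string
{
    $crypted = '';
    // openssl_public_encrypt() returns false on failure, e.g. when $data exceeds
    // the OAEP limit of k - 2*hLen - 2 bytes (214 bytes here with the default SHA-1).
    if (!openssl_public_encrypt($data, $crypted, $publicKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA-OAEP encryption failed: ' . openssl_error_string());
    }
    return $crypted;
}

function decryptOaep(string $crypted, $privateKey): string
{
    $plain = '';
    // The padding mode must match on both sides; PKCS1 padding here would fail.
    if (!openssl_private_decrypt($crypted, $plain, $privateKey, OPENSSL_PKCS1_OAEP_PADDING)) {
        throw new RuntimeException('RSA-OAEP decryption failed: ' . openssl_error_string());
    }
    return $plain;
}

// Throwaway key pair for the demonstration (never hard-code real keys in source).
$private = openssl_pkey_new([
    'private_key_bits' => RSA_BITS,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
if ($private === false) {
    throw new RuntimeException('key generation failed: ' . openssl_error_string());
}
$public = openssl_pkey_get_details($private)['key'];   // PEM-encoded public key

$message = 'attack at dawn';   // constructed sample plaintext

// Noncompliant path: no padding. OpenSSL requires the input to be exactly the
// modulus size, so the message is left-padded with zero bytes. Textbook RSA is
// deterministic, so encrypting the same message twice yields identical ciphertext.
$raw = str_pad($message, RSA_BYTES, "\0", STR_PAD_LEFT);
$c1 = $c2 = '';
openssl_public_encrypt($raw, $c1, $public, OPENSSL_NO_PADDING); // Noncompliant
openssl_public_encrypt($raw, $c2, $public, OPENSSL_NO_PADDING); // Noncompliant
if ($c1 !== $c2) {
    throw new LogicException('textbook RSA is expected to be deterministic');
}

// Compliant path: OAEP mixes a random seed into every encryption, so the two
// ciphertexts differ, and only the matching OAEP decryption recovers the message.
$o1 = encryptOaep($message, $public);
$o2 = encryptOaep($message, $public);
if ($o1 === $o2) {
    throw new LogicException('OAEP encryption is expected to be randomized');
}
if (decryptOaep($o1, $private) !== $message || decryptOaep($o2, $private) !== $message) {
    throw new LogicException('OAEP round trip failed');
}
echo "OAEP round trip OK; unpadded ciphertexts repeat, OAEP ciphertexts do not\n";
```

Run it with ``++php example.php++`` (the ``++openssl++`` extension must be loaded). Note that RSA-OAEP only carries a short payload, 214 bytes for a 2048-bit key with OpenSSL's default SHA-1 parameters; anything larger should be encrypted with a symmetric cipher whose key is then wrapped with RSA-OAEP.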


include::../see.adoc[]

ifdef::env-github,rspecator-view[]

'''
== Implementation Specification
(visible only on this page)

include::message.adoc[]

'''
== Comments And Links
(visible only on this page)

include::comments-and-links.adoc[]

endif::env-github,rspecator-view[]