|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #77156 Useless warning for AEAD
Submitted: 2018-11-14 22:56 UTC Modified: -
Avg. Score:2.6 ± 1.5
Reproduced:4 of 4 (100.0%)
Same Version:2 (50.0%)
Same OS:2 (50.0%)
From: obreham at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 7.1.24 OS: Windows
Private report: No CVE-ID: None
View Add Comment Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
You can add a comment by following this link or if you reported this bug, you can edit this bug over here.
Block user comment
Status: Assign to:
Bug Type:
From: obreham at gmail dot com
New email:
PHP Version: OS:


 [2018-11-14 22:56 UTC] obreham at gmail dot com
PHP version: 7.1.9

The documentation for openssl_encrypt() indicates that the default &$tag = NULL, which should be true for any case.

But if a $tag is deliberately passed - even when set to NULL - with a cipher that does not support AEAD, a warning is triggered.  This warning is not even mentioned in the documentation.

There are no needs for this warning, especially when it is the default value (NULL).  The function does set the $tag to NULL (no matter its initial value) and the correct encrypted data is returned.  Nothing unexpected happens.

As an aside, there is also a typo in the error message, it should read "does not" and not "doesn not".

Test script:
$tag = null;
$encrypted = openssl_encrypt(
var_dump($tag, $encrypted);

Expected result:
string(8) "/fQItQ=="

Actual result:
Warning:  openssl_encrypt(): The authenticated tag cannot be provided for cipher that doesn not support AEAD in C:\wamp\www\test\test.php on line 8

string(8) "/fQItQ=="


Add a Patch

Pull Requests

Add a Pull Request

PHP Copyright © 2001-2021 The PHP Group
All rights reserved.
Last updated: Sun Jan 17 22:01:33 2021 UTC