|  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Doc Bug #80843 Remove examples from comments as they are invariably insecure
Submitted: 2021-03-07 11:38 UTC Modified: -
Avg. Score:1.0 ± 0.0
Reproduced:0 of 0 (0.0%)
From: maarten dot bodewes at gmail dot com Assigned:
Status: Open Package: OpenSSL related
PHP Version: 8.0.3 OS:
Private report: No CVE-ID: None
Have you experienced this issue?
Rate the importance of this bug to you:

 [2021-03-07 11:38 UTC] maarten dot bodewes at gmail dot com
From manual page:

Remove examples from the comments sections of the OpenSSL libraries as they are invariably insecure.

Here the most upvoted example for some reason uses SHA3 for HMAC, which is unnecessarily strong and very slow compared to e.g. SHA-256. Much worse is that the IV is not included in the HMAC calculation, which means an attacker can change each of the initial 16 bytes at will. The problem is that I can leave a comment, but it will take years before it gets noticed.

Please remove all those examples from security functions because COPY/PASTE security doesn't exist. At least not from unknown sources that for some reason get upvoted and can never be retracted. Comments should only be applicable to the function itself.

Please write the sample code yourself and have it reviewed by a security professional because the authors of the OpenSSL library clearly are not very capable either; if you confuse passwords and keys then you've got some things to learn yet.

I'm Maarten Bodewes. I've corrected (terrible) examples of mcrypt_encrypt before and indicated that mcrypt was insecure and unmaintained. I'm #1 user for the cryptography tags at StackOverflow and mod at the cryptography site of StackExchange.


Add a Patch

Pull Requests

Add a Pull Request


AllCommentsChangesGit/SVN commitsRelated reports
 [2022-12-30 05:50 UTC] amin dot jab242 at gmail dot com
Thanks (
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sun Apr 14 14:01:29 2024 UTC