From manual page: https://php.net/function.openssl-encrypt
Remove examples from the comments sections of the OpenSSL libraries as they are invariably insecure.
Here the most upvoted example for some reason uses SHA3 for HMAC, which is unnecessarily strong and very slow compared to e.g. SHA-256. Much worse is that the IV is not included in the HMAC calculation, which means an attacker can change each of the initial 16 bytes at will. The problem is that I can leave a comment, but it will take years before it gets noticed.
Please remove all those examples from security functions because COPY/PASTE security doesn't exist. At least not from unknown sources that for some reason get upvoted and can never be retracted. Comments should only be applicable to the function itself.
Please write the sample code yourself and have it reviewed by a security professional because the authors of the OpenSSL library clearly are not very capable either; if you confuse passwords and keys then you've got some things to learn yet.
I'm Maarten Bodewes. I've corrected (terrible) examples of mcrypt_encrypt before and indicated that mcrypt was insecure and unmaintained. I'm the #1 user for the cryptography tags at StackOverflow and a mod at the cryptography site of StackExchange.
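The construction the report asks for, written here as an added example (it is not code from the manual, from the user-contributed notes, or from the reporter): encrypt-then-MAC with AES-256-CBC where the HMAC-SHA256 tag covers IV || ciphertext, so a modified IV is rejected before decryption, and with two independent random 32-byte keys rather than a password. The function names `encryptThenMac` and `verifyThenDecrypt` are my own.

```php
<?php
// Added example: AES-256-CBC with an HMAC-SHA256 tag over IV || ciphertext.
// Keys are random byte strings, not passwords (assumed key management).
declare(strict_types=1);

const CIPHER = 'aes-256-cbc';
const TAG_LEN = 32; // HMAC-SHA256 output length in bytes

function encryptThenMac(string $plaintext, string $encKey, string $macKey): string
{
    $iv = random_bytes(openssl_cipher_iv_length(CIPHER));
    $ct = openssl_encrypt($plaintext, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // The MAC input is IV || ciphertext: the IV is authenticated too.
    $tag = hash_hmac('sha256', $iv . $ct, $macKey, true);
    return $iv . $ct . $tag;
}

function verifyThenDecrypt(string $blob, string $encKey, string $macKey): ?string
{
    $ivLen = openssl_cipher_iv_length(CIPHER);
    if (strlen($blob) < $ivLen + TAG_LEN) {
        return null;
    }
    $tag = substr($blob, -TAG_LEN);
    $ivAndCt = substr($blob, 0, -TAG_LEN);
    // Constant-time comparison; reject before the cipher ever sees the data.
    if (!hash_equals(hash_hmac('sha256', $ivAndCt, $macKey, true), $tag)) {
        return null;
    }
    $iv = substr($ivAndCt, 0, $ivLen);
    $ct = substr($ivAndCt, $ivLen);
    $pt = openssl_decrypt($ct, CIPHER, $encKey, OPENSSL_RAW_DATA, $iv);
    return $pt === false ? null : $pt;
}

// Constructed demo: separate keys for encryption and authentication.
$encKey = random_bytes(32);
$macKey = random_bytes(32);
$message = 'the first block must not be silently changeable';
$blob = encryptThenMac($message, $encKey, $macKey);
echo verifyThenDecrypt($blob, $encKey, $macKey) === $message ? "round trip ok\n" : "round trip FAILED\n";

// Flip one bit of the IV: because the IV is under the MAC, this is rejected.
$tampered = $blob;
$tampered[0] = chr(ord($tampered[0]) ^ 0x01);
echo verifyThenDecrypt($tampered, $encKey, $macKey) === null ? "IV tampering detected\n" : "IV tampering NOT detected\n";
```

Had the tag been computed over the ciphertext alone, the second check would decrypt successfully with a corrupted first plaintext block, which is exactly the flaw the report describes.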