====== PHP RFC: Hash Functions Empty Key Warning ======
  * Version: 0.0
  * Date: 2016-04-20
  * Author: Sammy Kaye Powers, me@sammyk.me
  * Status: Under Discussion
  * First Published at: https://wiki.php.net/rfc/hash-functions-empty-key-warning

===== Introduction =====
In order to increase security of the hashing functions, this RFC proposes raising a warning when the key is empty for hash_hmac(), hash_hmac_file() & mhash().

===== Proposal =====
It's not uncommon to accidentally hash data with an empty or [[http://www.cryptofails.com/post/70059595978/myself-using-the-same-key-to-encrypt-everything|non-string]] key. Doing this [[http://www.hpenterprisesecurity.com/vulncat/en/vulncat/java/key_management_empty_hmac_key.html|has security implications]] that currently happen quietly in the background since [[https://3v4l.org/AF998|PHP has no issue hashing data with an empty key]]. To bring the security issue to the attention of the user, a warning should be raised if the key is empty.

Ideally this would throw a fatal error, but as [[https://twitter.com/ezimuel/status/721006534847832064|Enrico Zimuel pointed out]], it's not technically an error.

===== Proposed PHP Version(s) =====
PHP 7.1

===== Proposed Voting Choices =====
This project requires a 2/3 majority to pass.

===== Patches and Tests =====
[[https://github.com/php/php-src/compare/master...SammyK:hash-hmac-warning?expand=1|The patch is very light weight]] - most of it is just the tests.