diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index 749d9d2db082b0e7bdf60f6f5ed12218ea29bfa9..f0b723d4f234daeaa8617459c9c4591e160fdb1d 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -49,6 +49,7 @@ class Crypto
 
         // authenticate the ciphertext
         if (self::secureCompare(hash_hmac('sha256', $iv.$msg, substr($key, 64, 64), true), $hmac)) {
+            /** @var string|false $plaintext */
             $plaintext = openssl_decrypt(
                 $msg,
                 'AES-256-CBC',
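Review bot: The `false` return that the new `@var string|false $plaintext` annotation declares for `openssl_decrypt()` needs a strict check before the value is used, and none is visible here because the hunk ends inside the call's argument list. The annotation only informs static analysis and does nothing at runtime. If the code after the call does not already do so, the guard should be `if ($plaintext !== false) {`, since an empty string is a valid plaintext and a truthiness test would report it as a decryption failure. The enclosing method starts and ends outside the hunk, so this is something to confirm rather than a defect shown on these lines.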
diff --git a/lib/SimpleSAML/Utils/HTTP.php b/lib/SimpleSAML/Utils/HTTP.php
index 96cfc62ecc5146a83a5bafdeb4fdc877272e65dd..5367f654d14ca093500f9975fe826b0583f4ab04 100644
--- a/lib/SimpleSAML/Utils/HTTP.php
+++ b/lib/SimpleSAML/Utils/HTTP.php
@@ -756,6 +756,7 @@ class HTTP
     {
         $cfg = \SimpleSAML_Configuration::getInstance();
         $baseDir = $cfg->getBaseDir();
+        /** @var string|false $cur_path */
         $cur_path = realpath($_SERVER['SCRIPT_FILENAME']);
         // make sure we got a string from realpath()
         $cur_path = is_string($cur_path) ? $cur_path : '';