Detect Invalid Initialization Vector Size. #26
Comments
Thanks for the heads up. I'll incorporate the enhanced error checking.
You're welcome! The change you made near line 643 of StreamCryptor.swift is not correct. It should be: iv.utf8.count
Thanks for the catch. Unfortunately, I’ve got a nasty habit of making that particular mistake. Thanks again for catching it.
Happens to us all! Actually this made me aware of the fact that we're relying on some possibly undocumented behavior in how
Since this code is based on IDZSwiftCommonCrypto it has inherited some of that library's flaws. While the library currently pays quite a bit of attention to keys, it has no error checking on IV size.
If a user supplies too small an IV, some uninitialized bytes will be used by CommonCrypto. This is not a security risk; it just leads to incorrect results and difficult-to-track-down bugs.
We're adding additional error checking to try to catch these problems before they occur.
You may want to take a look at iosdevzone/IDZSwiftCommonCrypto#79 to see the changes we're making!
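The check this issue asks for, as an added example that is not part of the original thread and is not IDZSwiftCommonCrypto's own code: the IV length is measured in bytes (hence utf8.count for a string IV) and compared with the cipher's block size before anything reaches CommonCrypto. The type and function names are hypothetical, the sample IVs are constructed, and rejecting every IV that is not exactly one block long is an assumption of this example.

```swift
import Foundation

// Hypothetical names throughout; this is not the IDZSwiftCommonCrypto API.
enum BlockCipher {
    case aes, des, tripleDES, cast, rc2, blowfish

    // Block sizes in bytes, matching CommonCrypto's kCCBlockSize* constants.
    var blockSize: Int {
        switch self {
        case .aes: return 16
        case .des, .tripleDES, .cast, .rc2, .blowfish: return 8
        }
    }
}

enum IVError: Error {
    case wrongSize(expected: Int, actual: Int)
}

/// Returns the IV bytes only if there is exactly one block of them
/// (assumption of this example: longer IVs are rejected as well as shorter ones).
func validatedIV(_ iv: [UInt8], for cipher: BlockCipher) throws -> [UInt8] {
    guard iv.count == cipher.blockSize else {
        throw IVError.wrongSize(expected: cipher.blockSize, actual: iv.count)
    }
    return iv
}

/// String overload: the length that matters is the UTF-8 byte count,
/// which differs from the Character count for non-ASCII text.
func validatedIV(_ iv: String, for cipher: BlockCipher) throws -> [UInt8] {
    return try validatedIV(Array(iv.utf8), for: cipher)
}

// Constructed sample inputs.
let samples: [(String, BlockCipher)] = [
    ("0123456789abcdef", .aes),                    // 16 characters, 16 bytes
    ("short", .aes),                               // 5 bytes: too small
    (String(repeating: "\u{E9}", count: 16), .aes) // 16 characters, 32 bytes
]

for (text, cipher) in samples {
    do {
        let bytes = try validatedIV(text, for: cipher)
        print("accepted: \(text.count) characters, \(bytes.count) bytes")
    } catch IVError.wrongSize(let expected, let actual) {
        print("rejected: \(text.count) characters, \(actual) bytes, block size is \(expected)")
    } catch {
        print("unexpected error: \(error)")
    }
}
```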