Skip to content
Permalink
Browse files

Fix an issue with IV generation in SimpleSAML\Utils\Crypto::aesEncryp…

…t().

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.
  • Loading branch information...
jaimeperez committed Mar 30, 2017
1 parent 9b300db commit 77df6a932d46daa35e364925eb73a175010dc904
Showing with 1 addition and 1 deletion.
  1. +1 −1 lib/SimpleSAML/Utils/Crypto.php
@@ -86,7 +86,7 @@ private static function _aesEncrypt($data, $secret)
$key = openssl_digest($secret, 'sha256');
$method = 'AES-256-CBC';
$ivSize = 16;
$iv = substr($key, 0, $ivSize);
$iv = openssl_random_pseudo_bytes($ivSize);
return $iv.openssl_encrypt($data, $method, $key, $raw, $iv);
}

0 comments on commit 77df6a9

Please sign in to comment.
You can’t perform that action at this time.