Fix an issue with IV generation in SimpleSAML\Utils\Crypto::aesEncrypt().

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.
Jaime Pérez Crespo committed Mar 30, 2017
1 parent 9b300db commit 77df6a9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion lib/SimpleSAML/Utils/Crypto.php
Expand Up @@ -86,7 +86,7 @@ private static function _aesEncrypt($data, $secret)
$key = openssl_digest($secret, 'sha256');
$method = 'AES-256-CBC';
$ivSize = 16;
$iv = substr($key, 0, $ivSize);
$iv = openssl_random_pseudo_bytes($ivSize);

return $iv.openssl_encrypt($data, $method, $key, $raw, $iv);
}
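Review bot: The new `$iv = openssl_random_pseudo_bytes($ivSize);` line uses the result without checking it. On the PHP versions current at the time of this commit the function can return false on failure, and it reports through its optional second argument whether a cryptographically strong source was used, so a failed or weak call would go straight into `openssl_encrypt()` unnoticed. Suggest passing the second argument and throwing when the result is false or not strong, or switching to `random_bytes($ivSize)` where PHP 7 is available, since it throws on failure. Separately, the unchanged context line `$key = openssl_digest($secret, 'sha256');` returns a 64-character hex string because the raw-output argument is not set, and `openssl_encrypt()` silently truncates an over-long key to the 32 bytes AES-256 needs, so the key still carries only 128 bits after this change; requesting the raw digest would fix that, but it changes the key for existing ciphertexts and needs a migration decision. The returned value is also `$iv` plus CBC ciphertext with no authentication tag visible in this hunk, so it is worth confirming that callers do not rely on it for integrity.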