From 77df6a932d46daa35e364925eb73a175010dc904 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaime=20Pe=CC=81rez=20Crespo?= <jaime.perez@uninett.no>
Date: Thu, 30 Mar 2017 10:51:00 +0200
Subject: [PATCH] Fix an issue with IV generation in SimpleSAML\Utils\Crypto::aesEncrypt().

IVs must be random and one-time (never reused). Additionally, by deriving it from the key, the key length was effectively reduced to 128 bits.
---
 lib/SimpleSAML/Utils/Crypto.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/SimpleSAML/Utils/Crypto.php b/lib/SimpleSAML/Utils/Crypto.php
index d8a3356d1..22335b323 100644
--- a/lib/SimpleSAML/Utils/Crypto.php
+++ b/lib/SimpleSAML/Utils/Crypto.php
@@ -86,7 +86,7 @@ class Crypto
         $key = openssl_digest($secret, 'sha256');
         $method = 'AES-256-CBC';
         $ivSize = 16;
-        $iv = substr($key, 0, $ivSize);
+        $iv = openssl_random_pseudo_bytes($ivSize);
         return $iv.openssl_encrypt($data, $method, $key, $raw, $iv);
     }
--
GitLab
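Review bot: The new `$iv` line never checks whether `openssl_random_pseudo_bytes()` actually produced cryptographically strong bytes; that function reports weakness only through its by-reference second argument and can return `false` on older PHP/OpenSSL builds, so a weak or `false` IV would be silently prepended to the ciphertext on the next line. If the project's minimum PHP is 7.0 or later, `$iv = random_bytes($ivSize);` throws on failure instead; otherwise request the flag and fail closed, e.g. `$iv = openssl_random_pseudo_bytes($ivSize, $strong); if ($iv === false || !$strong) { throw new \Exception('Unable to generate a secure IV'); }`. A related point on the context line `$key = openssl_digest($secret, 'sha256')`: with the default non-raw output this is a 64-character hex string, and AES-256-CBC consumes only its first 32 bytes, i.e. 32 hex digits or roughly 128 bits of entropy, which is the same reduction the commit message describes for the IV; passing `true` as the third argument gives the raw 32-byte digest, although changing it would break decryption of data already encrypted this way, so it needs a migration note. Since CBC output carries no integrity check, callers presumably need an HMAC over `$iv` and the ciphertext (encrypt-then-MAC) or the result is malleable; the rest of aesEncrypt() and its decrypt counterpart lie outside this hunk, so that may already be handled elsewhere.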