diff options
author | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2018-07-13 20:15:04 +0300 |
---|---|---|
committer | Ivan Kanakarakis <ivan.kanak@gmail.com> | 2018-08-02 14:44:45 +0300 |
commit | 7323f5c20efb59424d853c822e7a26d1aa3e84aa (patch) | |
tree | 7084b291c0e0b080d331d31f397fa5cbe3f7c129 /src/saml2/authn.py | |
parent | d5e4e1b386306fb1e4118ae7bdf52a459328a18f (diff) | |
download | pysaml2-7323f5c20efb59424d853c822e7a26d1aa3e84aa.tar.gz |
Always generate a random IV for AES operations
Quoting @obi1kenobi:
> Initialization vector reuse like this is a security concern, since it leaks
> information about the encrypted data to attackers, regardless of the
> encryption mode used.
> Instead of relying on a fixed, randomly-generated IV, it would be better to
> randomly-generate a new IV for every encryption operation.
Breaks AESCipher ECB support
Reported as CVE-2017-1000246
Fixes #417
Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Diffstat (limited to 'src/saml2/authn.py')
-rw-r--r-- | src/saml2/authn.py | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/saml2/authn.py b/src/saml2/authn.py index 32f91247..049622e7 100644 --- a/src/saml2/authn.py +++ b/src/saml2/authn.py @@ -120,7 +120,7 @@ class UsernamePasswordMako(UserAuthnMethod): self.return_to = return_to self.active = {} self.query_param = "upm_answer" - self.aes = AESCipher(self.srv.symkey.encode(), srv.iv) + self.aes = AESCipher(self.srv.symkey.encode()) def __call__(self, cookie=None, policy_url=None, logo_url=None, query="", **kwargs): |