Always generate a random IV for AES operations

Quoting @obi1kenobi: > Initialization vector reuse like this is a security concern, since it leaks > information about the encrypted data to attackers, regardless of the > encryption mode used. > Instead of relying on a fixed, randomly-generated IV, it would be better to > randomly-generate a new IV for every encryption operation. Breaks AESCipher ECB support Reported as CVE-2017-1000246 Fixes #417 Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
author: Ivan Kanakarakis <ivan.kanak@gmail.com> 2018-07-13 20:15:04 +0300
committer: Ivan Kanakarakis <ivan.kanak@gmail.com> 2018-08-02 14:44:45 +0300
commit: 7323f5c20efb59424d853c822e7a26d1aa3e84aa (patch)
tree: 7084b291c0e0b080d331d31f397fa5cbe3f7c129 /src/saml2/authn.py
parent: d5e4e1b386306fb1e4118ae7bdf52a459328a18f (diff)
download: pysaml2-7323f5c20efb59424d853c822e7a26d1aa3e84aa.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/saml2/authn.py b/src/saml2/authn.py
index 32f91247..049622e7 100644
--- a/src/saml2/authn.py
+++ b/src/saml2/authn.py
@@ -120,7 +120,7 @@ class UsernamePasswordMako(UserAuthnMethod):
         self.return_to = return_to
         self.active = {}
         self.query_param = "upm_answer"
-        self.aes = AESCipher(self.srv.symkey.encode(), srv.iv)
+        self.aes = AESCipher(self.srv.symkey.encode())
 
     def __call__(self, cookie=None, policy_url=None, logo_url=None,
                  query="", **kwargs):
author	Ivan Kanakarakis <ivan.kanak@gmail.com>	2018-07-13 20:15:04 +0300
committer	Ivan Kanakarakis <ivan.kanak@gmail.com>	2018-08-02 14:44:45 +0300
commit	7323f5c20efb59424d853c822e7a26d1aa3e84aa (patch)
tree	7084b291c0e0b080d331d31f397fa5cbe3f7c129 /src/saml2/authn.py
parent	d5e4e1b386306fb1e4118ae7bdf52a459328a18f (diff)
download	pysaml2-7323f5c20efb59424d853c822e7a26d1aa3e84aa.tar.gz