author: Ivan Kanakarakis <ivan.kanak@gmail.com> 2018-07-13 20:15:04 +0300
committer: Ivan Kanakarakis <ivan.kanak@gmail.com> 2018-08-02 14:44:45 +0300
commit: 7323f5c20efb59424d853c822e7a26d1aa3e84aa
tree: 7084b291c0e0b080d331d31f397fa5cbe3f7c129 /src/saml2/server.py
parent: d5e4e1b386306fb1e4118ae7bdf52a459328a18f
Always generate a random IV for AES operations

Quoting @obi1kenobi:

> Initialization vector reuse like this is a security concern, since it leaks
> information about the encrypted data to attackers, regardless of the
> encryption mode used.
> Instead of relying on a fixed, randomly-generated IV, it would be better to
> randomly-generate a new IV for every encryption operation.

Breaks AESCipher ECB support

Reported as CVE-2017-1000246

Fixes #417

Signed-off-by: Ivan Kanakarakis <ivan.kanak@gmail.com>
Diffstat (limited to 'src/saml2/server.py')
-rw-r--r-- src/saml2/server.py 3
1 files changed, 0 insertions, 3 deletions
diff --git a/src/saml2/server.py b/src/saml2/server.py
index 0e7e0403..0a2943f2 100644
--- a/src/saml2/server.py
+++ b/src/saml2/server.py
@@ -83,12 +83,9 @@ class Server(Entity):
self.init_config(stype)
self.cache = cache
self.ticket = {}
- #
self.session_db = self.choose_session_storage()
- # Needed for
self.symkey = symkey
self.seed = rndstr()
- self.iv = os.urandom(16)
self.lock = threading.Lock()
def getvalid_certificate_str(self):
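Review bot: The removal of `self.iv = os.urandom(16)` in `Server.__init__` drops an instance attribute with no deprecation path, so any code outside this file that still reads the server's `iv` will fail with an AttributeError. Because the diff shown here is limited to src/saml2/server.py, please confirm that every former consumer of `self.iv` now generates its own IV per encryption call, and mention the attribute's removal in the release notes next to the ECB breakage the commit message already calls out. If this line was the last use of `os` in the module, drop the import as well.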