Use random_bytes instead of self-rolled random function #38018
Conversation
|
Thanks for opening this pull request! The maintainers of this repository would appreciate it if you would create a changelog item based on your changes. |
|
CI Fail. The issue is that the random values are outside of the UTF8 range and thus can't be written to the database. This is probably the reason why the weak "random-text" method was used to generate the IV. Or maybe the code predates random_bytes. The correct implementation would be to use base64Encode before writing the cipher-material to disk or in to the database. |
|
How about this? $iv = \random_bytes($this->ivLength);
$this->cipher->setIV($iv);
$iv = \bin2hex($iv);
...
return $ciphertext.'|'.$iv.'|'.$hmac;And when one needs the iv again it's just: $iv = \hex2bin($iv);
$this->cipher-setIV($iv); |
|
@C0rby That's the correct way of doing it. You can encode the output to ASCII hexadecimal before storing the data, or base64ing it. Your choice. |
IljaN
force-pushed
the
use-better-random-source
branch
from
2d1912b to
816bc5b
Compare
|
@DeepDiver1975 V1 is already tested here: core/tests/lib/Security/CryptoTest.php Line 49 in 816bc5b |
|
Kudos, SonarCloud Quality Gate passed!
|
Description
Replace Secure::generate with random_bytes to strengthen the IV.
This creates a new format for the ecrypted-string with a v2| prefix. The modified encryption
code encrypts the session on disk
Related Issue
Motivation and Context
How Has This Been Tested?
Screenshots (if appropriate):
Types of changes
Checklist: