ruby-changes:22414
From: emboss <ko1@a...>
Date: Wed, 8 Feb 2012 09:29:38 +0900 (JST)
Subject: [ruby-changes:22414] emboss:r34463 (trunk): * ext/openssl/ossl_cipher.c: Add warning about key as IV.
emboss 2012-02-08 09:29:26 +0900 (Wed, 08 Feb 2012) New Revision: 34463 http://svn.ruby-lang.org/cgi-bin/viewvc.cgi?view=rev&revision=34463 Log: * ext/openssl/ossl_cipher.c: Add warning about key as IV. Modified files: trunk/ChangeLog trunk/ext/openssl/ossl_cipher.c Index: ChangeLog =================================================================== --- ChangeLog (revision 34462) +++ ChangeLog (revision 34463) @@ -1,3 +1,7 @@ +Wed Feb 08 09:19:00 2012 Martin Bosslet <Martin.Bosslet@g...> + + * ext/openssl/ossl_cipher.c: Add warning about key as IV. + Tue Feb 7 20:08:12 2012 Ayumu AIZAWA <ayumu.aizawa@g...> * error.c (exc_inspect): Fix typo. patch from Trent Ogren Index: ext/openssl/ossl_cipher.c =================================================================== --- ext/openssl/ossl_cipher.c (revision 34462) +++ ext/openssl/ossl_cipher.c (revision 34463) @@ -686,6 +686,12 @@ * key = cipher.random_key * iv = cipher.random_iv # also sets the generated IV on the Cipher * + * Although the key is generally a random value, too, it is a bad choice + * as an IV. There are elaborate ways how an attacker can take advantage + * of such an IV. As a general rule of thumb, exposing the key directly + * or indirectly should be avoided at all cost and exceptions only be + * made with good reason. + * * === Calling Cipher#final * * ECB (which should not be used) and CBC are both block-based modes. -- ML: ruby-changes@q... Info: http://www.atdot.net/~ko1/quickml/
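Review bot: In the ChangeLog hunk, the entry "Add warning about key as IV" can be read as a new runtime warning, while the ext/openssl/ossl_cipher.c hunk in this revision only adds lines to the documentation comment. Wording such as "Add documentation warning against using the key as IV" would make the scope clear. The new entry's date is also written "Feb 08", where the entry below it uses "Feb 7" without a leading zero.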
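Review bot: In the ext/openssl/ossl_cipher.c hunk, the added paragraph says "There are elaborate ways how an attacker can take advantage of such an IV" but never tells the reader why using the key as IV amounts to "exposing the key directly or indirectly". One concrete sentence would close that gap: an IV is normally not treated as a secret and is commonly stored or sent alongside the ciphertext, so a key reused as IV gets the same handling. The closing sentence is also hard to parse ("exceptions only be made with good reason"); "should be avoided at all costs, and exceptions should only be made with good reason" reads more clearly. It would also help to point back at the cipher.random_iv line just above as the thing to use instead.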