Google Git
Sign in
apache / ofbiz-framework / 4e0ed1e6df0b8121d37144573c04bca4a5986c95
commit4e0ed1e6df0b8121d37144573c04bca4a5986c95[log] [tgz]
authorJacques Le Roux <jacques.le.roux@les7arts.com>Fri Jul 23 08:45:51 2021 +0200
committerJacques Le Roux <jacques.le.roux@les7arts.com>Fri Jul 23 09:30:25 2021 +0200
tree9f1502971149a7cc20d8aff83121f09df12ccba0
parentc5a1a91fbd6fab79d47c353cc19befff850191a2 [diff]
Fixed: Static initialization vectors for encryption (OFBIZ-12281)

(after discussing this on security@ofbiz.apache.org, it was decided to open a
Jira issue for that)

I've noticed that OFBiz Framework sometimes uses static initialization vectors
(IV) while creating a cipher:

https://s.apache.org/vhlbj
https://s.apache.org/nyndk

IVs should be unique and ideally unpredictable to avoid producing the same
ciphertexts for the same plaintexts.

The issues can be fixed with something like the following:

byte[] rawIV = new byte[8];
SecureRandom random = new SecureRandom();
random.nextBytes(rawIV).
IvParameterSpec iv = new IvParameterSpec(rawIV);

jleroux: this prepends the IV in order to decrypt the plaintexts. It's similar
to what has been done for the DesCrypt class. But contrary to the DesCrypt class
I did not test.

Thanks: Artem Smotrakov
2 files changed
tree: 9f1502971149a7cc20d8aff83121f09df12ccba0
  1. .github/
  2. applications/
  3. config/
  4. docs/
  5. framework/
  6. gradle/
  7. lib/
  8. runtime/
  9. themes/
  10. .asf.yaml
  11. .gitattributes
  12. .gitignore
  13. .hgignore
  14. .sonarcloud.properties
  15. .xmlcatalog.xml
  16. APACHE2_HEADER
  17. build.gradle
  18. CHANGELOG.adoc
  19. common.gradle
  20. CONTRIBUTING.adoc
  21. gradle.properties
  22. gradlew
  23. gradlew.bat
  24. init-gradle-wrapper.bat
  25. INSTALL
  26. LICENSE
  27. NOTICE
  28. OPTIONAL_LIBRARIES
  29. README.adoc
  30. settings.gradle
  31. VERSION