The mcrypt encryption method uses the ECB mode, which does not require an IV. The module still generates an IV and passes it to mcrypt unnecessarily. I recommend we remove it to avoid confusion. On a side note, the IV does not seem to be stored anywhere, which means the encryption would break if it was changed to some other mode that uses the IV.
Comment | File | Size | Author |
---|---|---|---|
#4 | remove-iv-2576957-4.patch | 1.6 KB | glekli |
#2 | remove-iv-2576957-1.patch | 1.61 KB | glekli |
Comments
Comment #2
glekli commented

Comment #4
glekli commented
That patch was on top of #2576541: Enable HMAC based validation. Attaching a new one against 7.x-2.x.

Comment #5
glekli commented

Comment #6
rlhawk
The new Mcrypt AES (CBC Mode) encryption method, introduced in Encrypt 7.x-2.2, uses a properly-generated IV. I'm marking this issue as fixed.
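
The point raised in the issue summary (ECB ignores the IV, and an IV-using mode breaks if the IV is not stored), shown as an added example that is not the Encrypt module's code. It assumes PHP's `openssl_*` functions as a stand-in for the `mcrypt_*` calls, and the helper names `cbc_encrypt`/`cbc_decrypt`, the key and the plaintext are constructed for illustration.

```php
<?php
// Added example: openssl_* stands in for mcrypt_*; all values are constructed.
const CIPHER_ECB = 'aes-256-ecb';
const CIPHER_CBC = 'aes-256-cbc';

// Encrypt in CBC mode and prepend the random IV so decryption can recover it.
function cbc_encrypt(string $plaintext, string $key): string {
  $iv = random_bytes(openssl_cipher_iv_length(CIPHER_CBC));
  $ct = openssl_encrypt($plaintext, CIPHER_CBC, $key, OPENSSL_RAW_DATA, $iv);
  if ($ct === false) {
    throw new RuntimeException('Encryption failed');
  }
  return $iv . $ct;
}

// Split the stored IV from the ciphertext, then decrypt.
function cbc_decrypt(string $blob, string $key): string {
  $iv_len = openssl_cipher_iv_length(CIPHER_CBC);
  if (strlen($blob) <= $iv_len) {
    throw new InvalidArgumentException('Ciphertext too short to contain an IV');
  }
  $iv = substr($blob, 0, $iv_len);
  $ct = substr($blob, $iv_len);
  $pt = openssl_decrypt($ct, CIPHER_CBC, $key, OPENSSL_RAW_DATA, $iv);
  if ($pt === false) {
    throw new RuntimeException('Decryption failed');
  }
  return $pt;
}

$key = random_bytes(32);
$plaintext = str_repeat('A', 32); // two identical 16-byte blocks

// ECB takes no IV: identical plaintext blocks yield identical ciphertext blocks.
$ecb = openssl_encrypt($plaintext, CIPHER_ECB, $key, OPENSSL_RAW_DATA);
var_dump(substr($ecb, 0, 16) === substr($ecb, 16, 16));

// CBC with the IV stored next to the ciphertext: the round trip succeeds.
$blob = cbc_encrypt($plaintext, $key);
var_dump(cbc_decrypt($blob, $key) === $plaintext);

// CBC with the IV thrown away: decrypting under a different IV corrupts
// the first block, so the original plaintext is not recovered.
$iv_len = openssl_cipher_iv_length(CIPHER_CBC);
$lost = openssl_decrypt(substr($blob, $iv_len), CIPHER_CBC, $key,
  OPENSSL_RAW_DATA, random_bytes($iv_len));
var_dump($lost === $plaintext);
```

The example covers only IV handling; ciphertext authentication, such as the HMAC validation referenced in comment #4, is a separate concern.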