The mcrypt encryption method uses the ECB mode, which does not require an IV. The module still generates an IV and passes it to mcrypt unnecessarily. I recommend we remove it to avoid confusion. On a side note, the IV does not seem to be stored anywhere, which means the encryption would break if it was changed to some other mode that uses the IV.


Comments

Gergely Lekli created an issue.

glekli commented:

File size: 1.61 KB

Status: Needs review » Needs work

The last submitted patch, 2: remove-iv-2576957-1.patch, failed testing.

glekli commented:

File size: 1.6 KB

That patch was on top of #2576541: Enable HMAC based validation. Attaching a new one against 7.x-2.x.

glekli commented:

Status: Needs work » Needs review

rlhawk commented:

Status: Needs review » Fixed

The new Mcrypt AES (CBC Mode) encryption method, introduced in Encrypt 7.x-2.2, uses a properly-generated IV. I'm marking this issue as fixed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.
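
The two points raised in this thread (ECB takes no IV, and a CBC IV has to be kept with the ciphertext), shown as an added example that is not code from the Encrypt module. It assumes PHP's OpenSSL extension in place of mcrypt, uses a constructed key and plaintext, and the helper names `cbc_encrypt` and `cbc_decrypt` are hypothetical.

```php
<?php
// Added example (not Encrypt module code). Key and plaintext are constructed.
$key = random_bytes(16);                                   // AES-128 key
$plaintext = str_repeat('sixteen byte blk', 2) . 'tail';   // two identical 16-byte blocks + tail

// ECB takes no IV at all, so there is nothing to generate or store.
$ecbIvLen = openssl_cipher_iv_length('aes-128-ecb');
$ecb = openssl_encrypt($plaintext, 'aes-128-ecb', $key, OPENSSL_RAW_DATA);
// Without an IV, equal plaintext blocks encrypt to equal ciphertext blocks.
$ecbRepeats = substr($ecb, 0, 16) === substr($ecb, 16, 16);

// Hypothetical helper: CBC with a fresh random IV stored in front of the ciphertext.
function cbc_encrypt(string $plaintext, string $key): string
{
    $iv = random_bytes(openssl_cipher_iv_length('aes-128-cbc'));
    $ct = openssl_encrypt($plaintext, 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
    if ($ct === false) {
        throw new RuntimeException('Encryption failed');
    }
    return $iv . $ct; // The IV is not secret, but decryption needs the same one.
}

// Hypothetical helper: split the stored IV off again before decrypting.
function cbc_decrypt(string $blob, string $key)
{
    $ivLen = openssl_cipher_iv_length('aes-128-cbc');
    if (strlen($blob) < 2 * $ivLen) {
        return false; // Too short to hold an IV and one cipher block.
    }
    $iv = substr($blob, 0, $ivLen);
    return openssl_decrypt(substr($blob, $ivLen), 'aes-128-cbc', $key, OPENSSL_RAW_DATA, $iv);
}

$blob = cbc_encrypt($plaintext, $key);
$roundTrip = cbc_decrypt($blob, $key) === $plaintext;

// The failure described in the issue: the IV used to encrypt was not kept,
// so decryption runs with a different one. CBC raises no error here; only the
// first plaintext block depends on the IV, and that block comes back as garbage.
$lostIv = openssl_decrypt(substr($blob, 16), 'aes-128-cbc', $key, OPENSSL_RAW_DATA, random_bytes(16));
$firstBlockIntact = substr($lostIv, 0, 16) === substr($plaintext, 0, 16);
$restIntact = substr($lostIv, 16) === substr($plaintext, 16);

var_dump(compact('ecbIvLen', 'ecbRepeats', 'roundTrip', 'firstBlockIntact', 'restIntact'));
```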