1From 034c7eea63a155582109233d2fc1de8e14121908 Mon Sep 17 00:00:00 2001
2From: Martin Weinelt <hexa@darmstadt.ccc.de>
3Date: Mon, 2 Mar 2026 12:55:44 +0100
4Subject: [PATCH] Raise on default IV
5
6This disables the static default IV for CBC, CFB and OFB by raising when
7no IV gets passed. We make sure not to break the API contract this way,
8so that existing consumers who rely on the default IV get a useful
9exception message instead of an API break, which could be done in a
10future version.
11
12In CBC mode an IV cannot be predictable or it breaks IND-CPA, this is
13also described as CWE-329.
14
15In CFB and OFB mode an IV still requires to be unique, which does not
16really hold when initializing it statically.
17---
18 pyaes/aes.py | 6 +++---
19 1 file changed, 3 insertions(+), 3 deletions(-)
20
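--- a/pyaes/aes.py
+++ b/pyaes/aes.py
@@ -376,7 +376,7 @@ class AESModeOfOperationCBC(AESBlockModeOfOperation):
 
 def __init__(self, key, iv = None):
 if iv is None:
- self._last_cipherblock = [ 0 ] * 16
+ raise ValueError("Missing IV parameter. This is a security problem, see https://github.com/ricmoo/pyaes/issues/56.")
 elif len(iv) != 16:
 raise ValueError('initialization vector must be 16 bytes')
 else:
@@ -423,7 +423,7 @@ def __init__(self, key, iv, segment_size = 1):
 if segment_size == 0: segment_size = 1
 
 if iv is None:
- self._shift_register = [ 0 ] * 16
+ raise ValueError("Missing IV parameter. This is a security problem, see https://github.com/ricmoo/pyaes/issues/56.")
 elif len(iv) != 16:
 raise ValueError('initialization vector must be 16 bytes')
 else:
@@ -495,7 +495,7 @@ class AESModeOfOperationOFB(AESStreamModeOfOperation):
 
 def __init__(self, key, iv = None):
 if iv is None:
- self._last_precipherblock = [ 0 ] * 16
+ raise ValueError("Missing IV parameter. This is a security problem, see https://github.com/ricmoo/pyaes/issues/56.")
 elif len(iv) != 16:
 raise ValueError('initialization vector must be 16 bytes')
 else: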
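Review bot: The new `raise` in the three `if iv is None:` branches (the CBC, CFB and OFB `__init__`) rejects only a missing IV, so a caller who silences the exception by passing a constant 16-byte value keeps the weakness the commit message describes, and nothing in the visible lines tells them otherwise. I would add a comment above each check, or extend the message, along the lines of `# iv must be 16 fresh random bytes per message (e.g. os.urandom(16)); a fixed or reused IV is as weak as the old default`. The identical message string is repeated three times and would read better as one module-level constant. Whether the CTR mode's default counter has the same static-start problem is not visible in this patch and is worth checking. Each `__init__` continues past the `else:` outside the hunks.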