From aab6051dbdc0cef47c203a95d471bd0417f013fa Mon Sep 17 00:00:00 2001 From: Kazuki Yamaguchi Date: Mon, 3 Oct 2016 15:03:55 +0900 Subject: cipher: fix documentation regarding default IV Remove a sentence "If not explicitly set, the OpenSSL default of an all-zeroes ("\\0") IV is used." It actually works so, but not guranteed by the OpenSSL API. At least I didn't find any formal documentation saying so. --- ext/openssl/ossl_cipher.c | 13 ++++--------- 1 file changed, 4 insertions(+), 9 deletions(-) (limited to 'ext/openssl/ossl_cipher.c') diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c index 0ad75592..e2ec0bf8 100644 --- a/ext/openssl/ossl_cipher.c +++ b/ext/openssl/ossl_cipher.c @@ -502,9 +502,6 @@ ossl_cipher_set_key(VALUE self, VALUE key) * Cipher#random_iv to create a secure random IV. * * Only call this method after calling Cipher#encrypt or Cipher#decrypt. - * - * If not explicitly set, the OpenSSL default of an all-zeroes ("\\0") IV is - * used. */ static VALUE ossl_cipher_set_iv(VALUE self, VALUE iv) @@ -939,12 +936,10 @@ Init_ossl_cipher(void) * you absolutely need it * * Because of this, you will end up with a mode that explicitly requires - * an IV in any case. Note that for backwards compatibility reasons, - * setting an IV is not explicitly mandated by the Cipher API. If not - * set, OpenSSL itself defaults to an all-zeroes IV ("\\0", not the - * character). Although the IV can be seen as public information, i.e. - * it may be transmitted in public once generated, it should still stay - * unpredictable to prevent certain kinds of attacks. Therefore, ideally + * an IV in any case. Although the IV can be seen as public information, + * i.e. it may be transmitted in public once generated, it should still + * stay unpredictable to prevent certain kinds of attacks. Therefore, + * ideally * * Always create a secure random IV for every encryption of your * Cipher -- cgit v1.2.3