
Raise on default IV #57

Open

mweinelt wants to merge 1 commit into ricmoo:master from mweinelt:raise-on-default-iv

Conversation

@mweinelt mweinelt commented Mar 2, 2026


This disables the static default IV for CBC, CFB and OFB by raising when no IV gets passed. We make sure not to break the API contract this way, so that existing consumers who rely on the default IV get a useful exception message instead of an API break, which could be done in a future version.

In CBC mode an IV cannot be predictable or it breaks IND-CPA; this is also described as CWE-329.

In CFB and OFB mode an IV still needs to be unique, which does not really hold when it is initialized statically.

Fixes: #56



Development

Successfully merging this pull request may close these issues: Insecure (because of) default IV provided (#56)
