From 1a63affdcc7a1f6c11e2cade85305684d9cfbf5c Mon Sep 17 00:00:00 2001
From: nathan
Date: Sat, 15 Jun 2019 00:42:38 +0200
Subject: [PATCH] Prevent AES IV leak
---
 src/dorkbox/network/connection/KryoExtra.java | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/dorkbox/network/connection/KryoExtra.java b/src/dorkbox/network/connection/KryoExtra.java
index f5d87eca..ca015067 100644
--- a/src/dorkbox/network/connection/KryoExtra.java
+++ b/src/dorkbox/network/connection/KryoExtra.java
@@ -17,6 +17,7 @@ package dorkbox.network.connection;
 import java.io.IOException;
 import java.security.SecureRandom;
+import java.util.Arrays;
 import javax.crypto.Cipher;
 import javax.crypto.SecretKey;
@@ -377,6 +378,8 @@ class KryoExtra extends Kryo {
 // write out our IV
 buffer.writeBytes(iv, 0, IV_LENGTH_BYTE);
+ Arrays.fill(iv, (byte) 0); // overwrite the IV with zeros so we can't leak this value
+
 // have to copy over the orig data, because we used the temp buffer
 buffer.writeBytes(writer.getBuffer(), 0, encryptedLength);
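Review bot: The comment on the added `Arrays.fill(iv, (byte) 0);` says it keeps the IV from leaking, but the context line just above it sends the same bytes in the clear with `buffer.writeBytes(iv, 0, IV_LENGTH_BYTE)`, so the value is already public and zeroing the array adds no confidentiality. What an AES IV needs is freshness per key rather than secrecy. If `iv` is a reused field (its declaration and refill are outside this hunk), every encrypt path has to overwrite it from the `SecureRandom` before the cipher is initialised, otherwise a later call would run with an all-zero IV under the same key. I would reword the comment to `// scrub the scratch IV; it is not secret (sent above) and must be re-randomized before each encrypt`. The enclosing method starts and ends outside the hunk, so the refill could not be checked from here.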