Hardcoded static IV and AAD with the reused key in aes-gcm
Labels: Crypto Issue, Security Issue
niebardzo opened this issue · 0 comments
niebardzo commented
The IV and AAD are hardcoded in the following file:
https://github.com/zmartzone/liboauth2/blob/master/src/cache.c
Lines 363-368
This creates a static nonce, and since AES-GCM is a stream cipher, this can lead to known cryptographic issues because the same key is being reused. Once fixed, we would need to request a CVE so that users of this library who rely on the encryption can patch.
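The failure mode the report describes, as an added example that is not part of the issue or of liboauth2's code: AES-GCM encrypts with CTR mode, so two messages sealed under the same key and nonce are XORed with the same keystream, and an attacker who knows one plaintext recovers the other from the two ciphertexts alone, without the key. The AAD does not help here, since it only enters the tag, not the keystream. The key, IV, AAD and cache entries below are constructed for the demonstration; the function names are mine. The same block then shows the fix, a fresh random nonce per message, and checks that the recovery no longer works.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Constructed demo values standing in for a hardcoded key/IV/AAD. Not the
// project's real constants.
var (
	demoKey   = bytes.Repeat([]byte{0x42}, 32) // AES-256 key reused for every entry
	staticIV  = []byte("fixed-iv-123")         // 12-byte nonce reused for every entry
	staticAAD = []byte("fixed-aad")
)

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// xorBytes XORs a and b up to the shorter length.
func xorBytes(a, b []byte) []byte {
	n := len(a)
	if len(b) < n {
		n = len(b)
	}
	out := make([]byte, n)
	for i := 0; i < n; i++ {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// RecoverFromNonceReuse models an attacker holding two GCM ciphertexts made under
// the same key and nonce, plus the first plaintext. Both ciphertexts are XORed with
// the same CTR keystream, so ct1 XOR ct2 == pt1 XOR pt2 and pt2 follows without the
// key. Only the overlapping prefix is recoverable; the 16-byte tags are ignored.
func RecoverFromNonceReuse(ct1, ct2, knownPt1 []byte) []byte {
	n := len(knownPt1)
	if len(ct2)-16 < n {
		n = len(ct2) - 16
	}
	return xorBytes(xorBytes(ct1[:n], ct2[:n]), knownPt1[:n])
}

// StaticNonceLeak seals two cache entries with the hardcoded IV and AAD and returns
// what the attacker recovers of the second (unknown) entry.
func StaticNonceLeak() string {
	pt1 := []byte("user=alice;role=user;exp=1700000000") // attacker's own entry, known
	pt2 := []byte("user=bob;role=admin")                 // target entry, unknown
	gcm := newGCM(demoKey)
	ct1 := gcm.Seal(nil, staticIV, pt1, staticAAD)
	ct2 := gcm.Seal(nil, staticIV, pt2, staticAAD)
	return string(RecoverFromNonceReuse(ct1, ct2, pt1))
}

// FreshNonceLeak repeats the experiment with a fresh random nonce per message (the
// fix) and reports whether the same attack still yields the target plaintext. With
// distinct nonces the keystreams differ, so it fails except with negligible probability.
func FreshNonceLeak() bool {
	pt1 := []byte("user=alice;role=user;exp=1700000000")
	pt2 := []byte("user=bob;role=admin")
	gcm := newGCM(demoKey)
	n1 := make([]byte, gcm.NonceSize())
	n2 := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(n1); err != nil {
		panic(err)
	}
	if _, err := rand.Read(n2); err != nil {
		panic(err)
	}
	ct1 := gcm.Seal(nil, n1, pt1, staticAAD)
	ct2 := gcm.Seal(nil, n2, pt2, staticAAD)
	return bytes.Equal(RecoverFromNonceReuse(ct1, ct2, pt1), pt2)
}

func main() {
	fmt.Printf("static IV: attacker recovers %q\n", StaticNonceLeak())
	fmt.Printf("fresh IV:  attacker recovers the target? %v\n", FreshNonceLeak())
}
```

Two practical notes on the fix. The per-message nonce must be stored next to the ciphertext (it is not secret), and with random 96-bit nonces the number of messages per key should stay well below 2^32 because of the birthday bound; a counter-based nonce or a key rotation scheme avoids that limit. Confidentiality loss is not the only consequence of nonce reuse in GCM: with two tagged messages under one key/nonce pair the GHASH authentication key can also be recovered, which allows forging tags for that key, so integrity of the cache is lost as well, not just secrecy.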