ddspringle / framework-one-secure-auth

An example fw/1 application with secure single and two-factor (2FA) authentication and session management functions
Apache License 2.0

Wrong IV length: must be 16 bytes long #10

Status: Closed (myleslee closed 6 years ago)

myleslee commented 6 years ago

This error is displayed after the registration form is submitted.

Environment: Lucee 5.2.7+63 (CommandBox) + MySQL 5.7

StackTrace

lucee.runtime.exp.NativeException: Wrong IV length: must be 16 bytes long
    at com.sun.crypto.provider.CipherCore.init(CipherCore.java:516)
    at com.sun.crypto.provider.AESCipher.engineInit(AESCipher.java:339)
    at javax.crypto.Cipher.implInit(Cipher.java:806)
    at javax.crypto.Cipher.chooseProvider(Cipher.java:864)
    at javax.crypto.Cipher.init(Cipher.java:1396)
    at javax.crypto.Cipher.init(Cipher.java:1327)
    at lucee.runtime.crypt.Cryptor._crypt(Cryptor.java:132)
    at lucee.runtime.crypt.Cryptor.crypt(Cryptor.java:63)
    at lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:155)
    at lucee.runtime.crypt.Cryptor.encrypt(Cryptor.java:170)
    at lucee.runtime.functions.other.Encrypt.invoke(Encrypt.java:68)
    at lucee.runtime.functions.other.Encrypt.call(Encrypt.java:50)
    at model.services.securityservice_cfc$cf.udfCall1(/model/services/SecurityService.cfc:135)
    at model.services.securityservice_cfc$cf.udfCall(/model/services/SecurityService.cfc)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:357)
    at lucee.runtime.type.UDFImpl.call(UDFImpl.java:226)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:687)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:567)
    at lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756)
    at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718)
    at home.controllers.main_cfc$cf.udfCall(/home/controllers/main.cfc:134)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:357)
    at lucee.runtime.type.UDFImpl.callWithNamedValues(UDFImpl.java:212)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:689)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:567)
    at lucee.runtime.ComponentImpl.callWithNamedValues(ComponentImpl.java:2005)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithNamedValues(VariableUtilImpl.java:869)
    at lucee.runtime.functions.dynamicEvaluation.Invoke.call(Invoke.java:50)
    at framework.one_cfc$cf.udfCalla(/framework/one.cfc:1629)
    at framework.one_cfc$cf.udfCall(/framework/one.cfc)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:357)
    at lucee.runtime.type.UDFImpl.call(UDFImpl.java:226)
    at lucee.runtime.type.scope.UndefinedImpl.call(UndefinedImpl.java:771)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756)
    at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718)
    at framework.one_cfc$cf.udfCall6(/framework/one.cfc:890)
    at framework.one_cfc$cf.udfCall(/framework/one.cfc)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:357)
    at lucee.runtime.type.UDFImpl.call(UDFImpl.java:226)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:687)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:567)
    at lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988)
    at lucee.runtime.util.VariableUtilImpl.callFunctionWithoutNamedValues(VariableUtilImpl.java:756)
    at lucee.runtime.PageContextImpl.getFunction(PageContextImpl.java:1718)
    at application_cfc$cf.udfCall(/Application.cfc:298)
    at lucee.runtime.type.UDFImpl.implementation(UDFImpl.java:107)
    at lucee.runtime.type.UDFImpl._call(UDFImpl.java:357)
    at lucee.runtime.type.UDFImpl.call(UDFImpl.java:226)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:687)
    at lucee.runtime.ComponentImpl._call(ComponentImpl.java:567)
    at lucee.runtime.ComponentImpl.call(ComponentImpl.java:1988)
    at lucee.runtime.listener.ModernAppListener.call(ModernAppListener.java:424)
    at lucee.runtime.listener.ModernAppListener._onRequest(ModernAppListener.java:223)
    at lucee.runtime.listener.MixedAppListener.onRequest(MixedAppListener.java:43)
    at lucee.runtime.PageContextImpl.execute(PageContextImpl.java:2464)
    at lucee.runtime.PageContextImpl._execute(PageContextImpl.java:2454)
    at lucee.runtime.PageContextImpl.executeCFML(PageContextImpl.java:2427)
    at lucee.runtime.engine.Request.exe(Request.java:44)
    at lucee.runtime.engine.CFMLEngineImpl._service(CFMLEngineImpl.java:1091)
    at lucee.runtime.engine.CFMLEngineImpl.serviceCFML(CFMLEngineImpl.java:1039)
    at lucee.loader.engine.CFMLEngineWrapper.serviceCFML(CFMLEngineWrapper.java:102)
    at lucee.loader.servlet.CFMLServlet.service(CFMLServlet.java:51)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:790)
    at io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129)
    at org.cfmlprojects.regexpathinfofilter.RegexPathInfoFilter.doFilter(RegexPathInfoFilter.java:47)
    at io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:61)
    at io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131)
    at io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84)
    at io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62)
    at io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:64)
    at io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36)
    at io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:132)
    at io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46)
    at io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64)
    at io.undertow.security.handlers.AuthenticationMechanismsHandler.handleRequest(AuthenticationMechanismsHandler.java:60)
    at io.undertow.servlet.handlers.security.CachedAuthenticatedSessionHandler.handleRequest(CachedAuthenticatedSessionHandler.java:77)
    at io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:292)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$100(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:138)
    at io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135)
    at io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48)
    at io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43)
    at io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:272)
    at io.undertow.servlet.handlers.ServletInitialHandler.access$000(ServletInitialHandler.java:81)
    at io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:104)
    at io.undertow.server.Connectors.executeRootHandler(Connectors.java:336)
    at io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:830)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
Caused by: java.security.InvalidAlgorithmParameterException: Wrong IV length: must be 16 bytes long
    ... 101 more

application.securityService

[Screenshot, 2018-07-23 at 21:13:57]

As shown above, the encryptionIV1 is 12 bytes long (B0O9PAmQSxo=). If I append four equality signs to it to make it 16 bytes long (B0O9PAmQSxo=====), then dataEnc() will pass. But I doubt it's feasible to hard-code a number of 16 here.

[Screenshot, 2018-07-23 at 21:14:18]

Any insights will be appreciated. :)

ddspringle commented 6 years ago

Sorry about the issue... I was trying to fix something in ACF a couple commits back and didn't think it through and created a bug.

In the meantime, you can use this version of the SecurityService.cfc with the code you have. This is the version prior to the implementation of initialization vectors (what's currently broken) and should work for you temporarily.

I'll work on a fix for this and get it rolled out in the next day or two. Once the fix is in you'll have to create a new keyring to get the appropriate length IVs.

ddspringle commented 6 years ago

Sorry for the overly long delay in getting a fix in for this issue. Been slammed at work on a big project with a tight deadline. Finally got the time to get it figured out and resolved.
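
Added example, not part of the issue thread or the project's code: a stand-alone Java check of the IV-length rule behind the exception in the trace, run against the two IV strings quoted in the issue and against a freshly generated one. It assumes AES in CBC mode with PKCS5 padding and a throwaway random key, since the page does not show the project's cipher settings; the class and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical class name; illustrates the check, not the project's SecurityService.cfc.
public class IvLengthCheck {
    static final int AES_BLOCK_BYTES = 16; // AES block size, and the IV size CBC requires

    // Returns "accepted" if the JCE cipher takes this IV, else the provider's error message.
    static String tryInit(byte[] key, byte[] iv) {
        try {
            // Assumption: AES/CBC/PKCS5Padding; the page does not show the real settings.
            Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
            cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
            return "accepted";
        } catch (GeneralSecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    // Generate an IV of exactly one block from a CSPRNG and encode it for storage.
    static String newIvBase64(SecureRandom rng) {
        byte[] iv = new byte[AES_BLOCK_BYTES];
        rng.nextBytes(iv);
        return Base64.getEncoder().encodeToString(iv);
    }

    static void report(String label, byte[] key, byte[] iv) {
        System.out.printf("%-26s %2d bytes -> %s%n", label, iv.length, tryInit(key, iv));
    }

    public static void main(String[] args) {
        SecureRandom rng = new SecureRandom();
        byte[] key = new byte[16]; // throwaway 128-bit demo key
        rng.nextBytes(key);

        String reported = "B0O9PAmQSxo=";   // IV value quoted in the issue
        String padded = "B0O9PAmQSxo====="; // the workaround tried in the issue
        String fresh = newIvBase64(rng);    // regenerated IV

        report("reported, base64-decoded", key, Base64.getDecoder().decode(reported));
        report("reported, raw characters", key, reported.getBytes(StandardCharsets.US_ASCII));
        report("padded, raw characters", key, padded.getBytes(StandardCharsets.US_ASCII));
        report("fresh, base64-decoded", key, Base64.getDecoder().decode(fresh));
    }
}
```

The `=`-padded string only reaches the required length when its characters themselves are used as the IV bytes, and four of those bytes are then fixed. A regenerated IV decodes to a full block of random bytes.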