Update crypto.createCipher() to crypto.createCipheriv()

README.md

@@ -14,6 +14,7 @@ It uses the [node-mysql](https://github.com/felixge/node-mysql) module already i
 * `cleanup`: a boolean specifying whether to enable the cleanup events. note that if this is disabled, cleanup will not take place at all and should be done externally.  Sessions with an expiration time of `0` will always be ignored and should also be cleaned up externally.
 * `secret`: key that will be used to encrypt session data.  If this option is not provided then data will be stored in plain text
 * `algorithm`: the algorithm that should be used to encrypt session data.  Defaults to `'aes-256-ctr'`
+* `ivlength`: the length in bytes of the initialization vector (IV) required for the selected algorithm that should be used to encrypt session data.  Defaults to `16`; refer to `crypto.createCipheriv(...)` documentation for more information
 
 
 ## Examples

lib/connect-mysql.js

@@ -17,15 +17,15 @@ function isNumber(obj) {
 }
 
 
-function encryptData(plaintext, secret, algo) {
+function encryptData(plaintext, secret, algo, ivlength) {
   var hmac = digest(secret, plaintext);
 
   var obj = {
     hmac: hmac,
     pt: plaintext
   };
 
-  var ct = encrypt(secret, JSON.stringify(obj), algo);
+  var ct = encrypt(secret, JSON.stringify(obj), algo, ivlength);
 
   return ct;
 }
@@ -53,12 +53,14 @@ function digest(key, obj) {
 }
 
 
-function encrypt(key, pt, algo) {
+function encrypt(key, pt, algo, ivlength) {
   algo = algo || 'aes-256-ctr';
+  ivlength = ivlength || 16;
   pt = (Buffer.isBuffer(pt)) ? pt : new Buffer(pt);
 
-  var cipher = crypto.createCipher(algo, key);
-  var ct = [];
+  var iv = crypto.randomBytes(ivlength);
+  var cipher = crypto.createCipheriv(algo, key, iv);
+  var ct = [iv.toString('hex'), ':'];
 
   ct.push(cipher.update(pt, 'buffer', 'hex'));
   ct.push(cipher.final('hex'));
@@ -68,11 +70,14 @@ function encrypt(key, pt, algo) {
 
 
 function decrypt(key, ct, algo) {
+  var i = ct.indexOf(':');
+  var iv = new Buffer(ct.substring(0,i), 'hex');
+
   algo = algo || 'aes-256-ctr';
-  var cipher = crypto.createDecipher(algo, key);
+  var cipher = crypto.createDecipheriv(algo, key, iv);
   var pt = [];
 
-  pt.push(cipher.update(ct, 'hex', 'utf8'));
+  pt.push(cipher.update(ct.substring(i+1), 'hex', 'utf8'));
   pt.push(cipher.final('utf8'));
 
   return pt.join('');
@@ -103,6 +108,8 @@ module.exports = function(connect) {
 
       if (options.hasOwnProperty('algorithm'))
         this.algorithm = options.algorithm || 'aes-256-ctr';
+      if (options.hasOwnProperty('ivlength'))
+        this.ivlength = options.ivlength || 16;
     }
 
     if (options.hasOwnProperty('pool')) {
@@ -296,7 +303,7 @@ module.exports = function(connect) {
               var session = result[0].session;
 
               if (secret) {
-                session = decryptData(session, secret, this.algo);
+                session = decryptData(session, secret, this.algo, this.ivlength);
               }
 
               session = JSON.parse(session);
@@ -321,7 +328,7 @@ module.exports = function(connect) {
     session = JSON.stringify(session);
 
     if (this.secret) {
-      session = encryptData(session, this.secret, this.algorithm);
+      session = encryptData(session, this.secret, this.algorithm, this.ivlength);
     }
 
     this.query(function(connection, done) {