AsyncHttpClient / async-http-client

Asynchronous Http and WebSocket Client library for Java

Insecure cipher and hash function usage #1784

Closed xingweitian closed 1 year ago

xingweitian commented 3 years ago

Hi there, we found that the following places use insecure cipher and hash functions:

/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/util/MessageDigestUtils.java:23: error: [algorithm.not.allowed] Algorithm: MD5 is not allowed by the current rules
      return MessageDigest.getInstance("MD5");
                                       ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/util/MessageDigestUtils.java:31: error: [algorithm.not.allowed] Algorithm: SHA1 is not allowed by the current rules
      return MessageDigest.getInstance("SHA1");
                                       ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:505: error: [algorithm.not.allowed] Algorithm: MD5 is not allowed by the current rules
            final MessageDigest md5 = MessageDigest.getInstance("MD5");
                                                                ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:1464: error: [algorithm.not.allowed] Algorithm: MD5 is not allowed by the current rules
                md5 = MessageDigest.getInstance("MD5");
                                                ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:446: error: [algorithm.not.allowed] Algorithm: DES/ECB/NOPADDING is not allowed by the current rules
                    Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
                                                    ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:449: error: [algorithm.not.allowed] Algorithm: DES/ECB/NOPADDING is not allowed by the current rules
                    des = Cipher.getInstance("DES/ECB/NoPadding");
                                             ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:473: error: [algorithm.not.allowed] Algorithm: RC4 is not allowed by the current rules
            final Cipher rc4 = Cipher.getInstance("RC4");
                                                  ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:538: error: [algorithm.not.allowed] Algorithm: DES/ECB/NOPADDING is not allowed by the current rules
            final Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
                                                  ^
/home/xwt/IdeaProjects/async-http-client-latest/client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:626: error: [algorithm.not.allowed] Algorithm: DES/ECB/NOPADDING is not allowed by the current rules
            final Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
                                                  ^

hyperxpro commented 1 year ago

This is fine and safe as per the spec of NTLM.
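
Added example (not part of the thread and not the project's code): a triage script for checker output in the format shown in the report, which accepts a flagged algorithm only when both the file and the algorithm are on a scoped allow-list and sends everything else to review. The allow-list policy, the shortened paths and the sample findings (including the `NtlmEngine.java:900` SHA1 line) are assumptions constructed for illustration.

```python
import re

# Constructed sample in the checker's output format (paths shortened, not the reporter's).
SAMPLE = """\
client/src/main/java/org/asynchttpclient/util/MessageDigestUtils.java:31: error: [algorithm.not.allowed] Algorithm: SHA1 is not allowed by the current rules
      return MessageDigest.getInstance("SHA1");
                                       ^
client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:446: error: [algorithm.not.allowed] Algorithm: DES/ECB/NOPADDING is not allowed by the current rules
                    Cipher des = Cipher.getInstance("DES/ECB/NoPadding");
                                                    ^
client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:473: error: [algorithm.not.allowed] Algorithm: RC4 is not allowed by the current rules
            final Cipher rc4 = Cipher.getInstance("RC4");
                                                  ^
client/src/main/java/org/asynchttpclient/ntlm/NtlmEngine.java:900: error: [algorithm.not.allowed] Algorithm: SHA1 is not allowed by the current rules
            sha1 = MessageDigest.getInstance("SHA1");
                                             ^
"""

# Only the header line of each finding matches; source and caret lines do not.
FINDING = re.compile(
    r"^(\S+\.java):(\d+): error: \[algorithm\.not\.allowed\] "
    r"Algorithm: (.+?) is not allowed", re.MULTILINE)

# Assumed policy (not the project's): legacy algorithms are accepted only in the
# NTLM engine, and only the ones the report shows it using.
ACCEPTED = {
    "org/asynchttpclient/ntlm/NtlmEngine.java": {"MD5", "RC4", "DES/ECB/NOPADDING"},
}

def parse(report):
    """Return (path, line, algorithm) for every finding in the report."""
    return [(m[1], int(m[2]), m[3].upper()) for m in FINDING.finditer(report)]

def triage(report, accepted=ACCEPTED):
    """Split findings into accepted (path and algorithm both allow-listed) and review."""
    out = {"accepted": [], "review": []}
    for path, line, alg in parse(report):
        ok = any(path.endswith(sfx) and alg in algs for sfx, algs in accepted.items())
        out["accepted" if ok else "review"].append((path.rsplit("/", 1)[-1], line, alg))
    return out

if __name__ == "__main__":
    for bucket, items in triage(SAMPLE).items():
        for name, line, alg in items:
            print(f"{bucket:8} {name}:{line} {alg}")
```

Keying the allow-list on path suffix plus algorithm means a new use of the same algorithm in another file, or a different weak algorithm in the allow-listed file, still surfaces for review.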