i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net

Multiple Hardcoded Secrets cve #57

Open s-b-repo opened 9 months ago

s-b-repo commented 9 months ago

private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();

private static final boolean CACHE = true;
private static final int CACHE_SIZE = 8;
private static final SecretKeySpec ZERO_KEY = new SecretKeySpec(new byte[32], "AES");

line 52

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead. [core/java/src/net/i2p/crypto/CryptixAESEngine.java]

Hardcoded Secret

} catch (NoSuchMethodError nsme) {
    // JamVM, gij
    try {
        Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
        SecretKeySpec key = new SecretKeySpec(new byte[32], "AES");

line 27

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead. [core/java/src/net/i2p/crypto/CryptoCheck.java]

private static final boolean USE_SYSTEM_AES = hasAESNI() && CryptoCheck.isUnlimited();

private static final boolean CACHE = true;
private static final int CACHE_SIZE = 8;
private static final SecretKeySpec ZERO_KEY = new SecretKeySpec(new byte[32], "AES");

line 53

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead. [core/java/src/net/i2p/crypto/CryptixAESEngine.java]

KeyFactory kf = KeyFactory.getInstance("RSA");
// private key is modulus (pubkey) + exponent
BigInteger[] nd = split(pk.getData());
// modulus, exponent
KeySpec ks = new RSAPrivateKeySpec(nd[0], nd[1]);

line 513

Hardcoded value array {...} is used as a cipher key. Generate the value with a cryptographically strong random number generator such as java.security.SecureRandom instead. [core/java/src/net/i2p/crypto/SigUtil.java]

s-b-repo commented 9 months ago

https://www.youtube.com/watch?v=i9BhLrASxtk&pp=ygUQaGFyZGNvZGVkIHNlY3JldA%3D%3D

eyedeekay commented 9 months ago

Are you talking about the array of bytes? If that's the case, these are best described as hardcoded non-secrets; these are expressly null values of these keys. Likely not a bug.
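The distinction the reply draws, as an added example that is not I2P's code and not part of the thread: the first method reproduces the flagged pattern, an all-zero 32-byte key passed to `Cipher.init` purely to learn whether the JCE policy permits 256-bit AES. No data is ever encrypted under it, so randomness buys nothing. The second method is what the analyzer's advice applies to, a key that actually protects data and therefore comes from `SecureRandom`. The class name `ZeroKeyProbe`, the method names and the zero-block sample plaintext are this example's own assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example (not I2P code). Shows a zero key used as a capability probe
 * next to a real key generated with a CSPRNG, so the two cases the analyzer
 * lumps together can be told apart.
 */
public final class ZeroKeyProbe {

    /**
     * Returns true if this JVM allows AES-256 in CBC mode.
     * The key bytes are a constant because their value is irrelevant:
     * only the key length is being tested against the crypto policy.
     */
    public static boolean isUnlimitedAES() {
        try {
            Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
            // Probe key: 32 zero bytes. Nothing is ever encrypted under it.
            SecretKeySpec probe = new SecretKeySpec(new byte[32], "AES");
            cipher.init(Cipher.ENCRYPT_MODE, probe, new IvParameterSpec(new byte[16]));
            return true;
        } catch (GeneralSecurityException gse) {
            // InvalidKeyException here means a restricted policy (key too long),
            // or the provider lacks AES/CBC altogether.
            return false;
        }
    }

    /**
     * A key that guards data: 32 bytes from java.security.SecureRandom,
     * which is the case the analyzer's recommendation is about.
     */
    public static SecretKeySpec newSessionKey() {
        byte[] k = new byte[32];
        new SecureRandom().nextBytes(k);
        return new SecretKeySpec(k, "AES");
    }

    public static void main(String[] args) throws Exception {
        System.out.println("AES-256 permitted by policy: " + isUnlimitedAES());

        // Encrypt one constructed 16-byte block under the real key only.
        SecretKeySpec session = newSessionKey();
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, session, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(new byte[16]); // constructed sample plaintext: one zero block
        System.out.println("ciphertext length: " + ct.length);
    }
}
```

Compile and run with `javac ZeroKeyProbe.java && java ZeroKeyProbe`. On a JVM that exposes `Cipher.getMaxAllowedKeyLength("AES")`, that call is the simpler check; the `init` probe with a fixed key is the fallback for runtimes where the method is missing, which is the situation the `NoSuchMethodError` branch quoted above handles. When triaging a hardcoded-key finding, the question to ask is whether any ciphertext or MAC produced under the constant key ever leaves the process; if it does not, the constant is a probe or placeholder, not a secret.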