i2p / i2p.i2p

I2P is an anonymizing network, offering a simple layer that identity-sensitive applications can use to securely communicate. All data is wrapped with several layers of encryption, and the network is both distributed and dynamic, with no trusted parties.
https://geti2p.net
1.93k stars 303 forks

Multiple Use of Password Hash With Insufficient Computational Effort: CVE #62

Open s-b-repo opened 9 months ago

s-b-repo commented 9 months ago

The SHA-1 hash (used in java.security.MessageDigest.getInstance) is insecure. Consider changing it to a secure hash algorithm.

```java
boolean useBitzi = true;
    if (SystemVersion.isApache() ||            // Harmony
        SystemVersion.isGNU()) {               // JamVM or gij
        try {
            MessageDigest.getInstance("SHA-1");
```

core/java/src/net/i2p/crypto/SHA1.java#L128

```java
 */
public static MessageDigest getInstance() {
    if (!_useBitzi) {
        try {
            return MessageDigest.getInstance("SHA-1");
```

core/java/src/com/nettgryppa/security/HashCash.java#L65

```java
    throw new IllegalArgumentException("Resource may not contain a colon.");

HashCash result = new HashCash();

MessageDigest md = MessageDigest.getInstance("SHA1");
```

core/java/src/com/nettgryppa/security/HashCash.java#L179

```java
 *  @return 16 bytes, or null on error
 */
public static byte[] md5Sum(byte[] data) {
    try {
        MessageDigest md = MessageDigest.getInstance("MD5");
```

core/java/src/net/i2p/util/PasswordManager.java#L229

The MD5 hash (used in java.security.MessageDigest.getInstance) is insecure. Consider changing it to a secure hash algorithm.

```java
    // for backwards compatability.  next time we have a backwards
    // incompatible change, we should update this by removing ", 32"
    // SEE NOTES ABOVE
    try {
        MessageDigest md = MessageDigest.getInstance("MD5");
```

router/java/src/net/i2p/router/transport/udp/SSUHMACGenerator.java#L108

```java
    s.append(ipInt);
    s.append('+');
    s.append(inetSalt);
    MessageDigest md;
    md = MessageDigest.getInstance("SHA1");
```

apps/imagegen/identicon/core/src/main/java/com/docuverse/identicon/IdenticonUtil.java#L95