Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

2 uses of risky/ broken cryptograhic alogrithm CVE #58

Open
s-b-repo opened this issue Oct 17, 2023 · 3 comments
Open

2 uses of risky/ broken cryptograhic alogrithm CVE #58

s-b-repo opened this issue Oct 17, 2023 · 3 comments

Comments

@s-b-repo
Copy link

line #22
// a NoSuchAlgorithmException
} catch (NoSuchMethodError nsme) {
// JamVM, gij
try {
Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");

The CBC mode used in javax.crypto.Cipher.getInstance does not provide integrity. Consided using Galois/Counter Mode.
[‎core/java/src/net/i2p/crypto/CryptoCheck.java]

line 272
private Cipher acquire() {
Cipher rv = _ciphers.poll();
if (rv == null) {
try {
rv = Cipher.getInstance("AES/CBC/NoPadding");

The CBC mode used in javax.crypto.Cipher.getInstance does not provide integrity. Consided using Galois/Counter Mode.
[‎core/java/src/net/i2p/crypto/CryptixAESEngine.java]
@eyedeekay
Copy link
Contributor

Worth a look. Can you please identify the tool you've been using? I need to see what it's actually looking for.

@s-b-repo
Copy link
Author

snyk make a fork

@s-b-repo
Copy link
Author

Worth a look. Can you please identify the tool you've been using? I need to see what it's actually looking for.

it uses code analysis

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@eyedeekay @s-b-repo