Review

Detector:

Findbugs

Target:

project '

commons-httpclient

' version

4.2.1

Tags:

Potential Misuse

Anomaly identified by the detector. Please review whether this anomaly corresponds to a misuse.

Finding:	finding-2
In File:	org/apache/http/impl/auth/NTLMEngineImpl.java
In Method:	getNTLM2SessionResponse(String, byte[], byte[])
Code with Finding:	class NTLMEngineImpl { /** * Calculates the NTLM2 Session Response for the given challenge, using the * specified password and client challenge. * * @param password * The user's password. * @param challenge * The Type 2 challenge from the server. * @param clientChallenge * The random 8-byte client challenge. * * @return The NTLM2 Session Response. This is placed in the NTLM response * field of the Type 3 message; the LM response field contains the * client challenge, null-padded to 24 bytes. */ static byte[] getNTLM2SessionResponse(String password, byte[] challenge, byte[] clientChallenge) throws NTLMEngineException { try { byte[] ntlmHash = ntlmHash(password); // Look up MD5 algorithm (was necessary on jdk 1.4.2) // This used to be needed, but java 1.5.0_07 includes the MD5 // algorithm (finally) // Class x = Class.forName("gnu.crypto.hash.MD5"); // Method updateMethod = x.getMethod("update",new // Class[]{byte[].class}); // Method digestMethod = x.getMethod("digest",new Class[0]); // Object mdInstance = x.newInstance(); // updateMethod.invoke(mdInstance,new Object[]{challenge}); // updateMethod.invoke(mdInstance,new Object[]{clientChallenge}); // byte[] digest = (byte[])digestMethod.invoke(mdInstance,new // Object[0]); MessageDigest md5 = MessageDigest.getInstance("MD5"); md5.update(challenge); md5.update(clientChallenge); byte[] digest = md5.digest(); byte[] sessionHash = new byte[8]; System.arraycopy(digest, 0, sessionHash, 0, 8); return lmResponse(ntlmHash, sessionHash); } catch (Exception e) { if (e instanceof NTLMEngineException) throw (NTLMEngineException) e; throw new NTLMEngineException(e.getMessage(), e); } } }

Metadata

Hit	Rank	Desc	Type	Violations
Yes	2	SECMD5: MD5 is not a recommended cryptographic hash function	WEAK_MESSAGE_DIGEST_MD5

Reviewer Name:	anna
Comment:	The MD5 hash is used for a challenge which is a vulnerability.