From 8fb79ebb3bc7f7122e78b6aca819e93377617e1a Mon Sep 17 00:00:00 2001
From: YYTVicky <61596169+YYTVicky@users.noreply.github.com>
Date: Thu, 5 Mar 2020 23:45:34 -0500
Subject: [PATCH] Update CryptoFunctions.java

---
 .../drill/exec/expr/fn/impl/CryptoFunctions.java | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/exec/java-exec/src/main/java/org/apache/drill/exec/expr/fn/impl/CryptoFunctions.java b/exec/java-exec/src/main/java/org/apache/drill/exec/expr/fn/impl/CryptoFunctions.java
index 68c47532a..1578cc9ad 100644
--- a/exec/java-exec/src/main/java/org/apache/drill/exec/expr/fn/impl/CryptoFunctions.java
+++ b/exec/java-exec/src/main/java/org/apache/drill/exec/expr/fn/impl/CryptoFunctions.java
@@ -297,7 +297,8 @@ public void setup() {
 keyByteArray = sha.digest(keyByteArray);
 keyByteArray = java.util.Arrays.copyOf(keyByteArray, 16);
 javax.crypto.spec.SecretKeySpec secretKey = new javax.crypto.spec.SecretKeySpec(keyByteArray, "AES");
-
+
+ /** AES/ECB/PKCS5Padding is not secure, recommend AES/CFB/PKCS5Padding */
 cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
 cipher.init(Cipher.ENCRYPT_MODE, secretKey);
 } catch (Exception e) {
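Review bot: The added `/** ... */` line above `Cipher.getInstance("AES/ECB/PKCS5Padding")` is a Javadoc comment inside a method body and only records that ECB is weak without changing it or stating why it stays; a `//` comment naming the constraint is more useful, e.g. `// TODO: ECB leaks plaintext block patterns and has no integrity check; moving to an authenticated mode such as AES/GCM/NoPadding with a random IV must change the encrypt and decrypt setup() methods together and breaks already-stored ciphertext.` The recommended replacement, AES/CFB/PKCS5Padding, is not a good target: CFB is a stream mode that needs no padding, still needs a per-message IV that this code neither produces nor carries, and gives no authentication. The same comment is added in the decrypt hunk below, where the same wording applies. setup()'s opening and the enclosing class are outside this hunk.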
@@ -350,15 +351,18 @@ public static class AESDecryptFunction implements DrillSimpleFunc { @Override public void setup() { + /**For secure concern, key should be randomly generated*/ String key = org.apache.drill.exec.expr.fn.impl.StringFunctionHelpers.toStringFromUTF8(rawKey.start, rawKey.end, rawKey.buffer); try { byte[] keyByteArray = key.getBytes("UTF-8"); + + /**SHA-1 is not secure, recommend SHA-512*/ java.security.MessageDigest sha = java.security.MessageDigest.getInstance("SHA-1"); keyByteArray = sha.digest(keyByteArray); keyByteArray = java.util.Arrays.copyOf(keyByteArray, 16); javax.crypto.spec.SecretKeySpec secretKey = new javax.crypto.spec.SecretKeySpec(keyByteArray, "AES"); - + /** AES/ECB/PKCS5Padding is not secure, recommend AES/CFB/PKCS5Padding */ cipher = Cipher.getInstance("AES/ECB/PKCS5Padding"); cipher.init(Cipher.DECRYPT_MODE, secretKey); } catch (Exception e) { @@ -385,4 +389,4 @@ public void eval() { } -} \ No newline at end of file +}
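Review bot: The comment `/**For secure concern, key should be randomly generated*/` added above the `String key = ...` line is misleading, because the key is the caller's function argument decoded from rawKey on that very line, so setup() cannot generate it; the weakness in the lines below is that the key is derived by one unsalted SHA-1 pass truncated to 16 bytes. The SHA-512 recommendation on the next added comment would not fix that by itself and, like any change to the derivation or to the ECB transformation, alters the derived key, so it has to be applied in both the encrypt and decrypt setup() methods together and invalidates existing ciphertext. Suggest replacing both with `//` comments, e.g. `// The key is caller-supplied and stretched by a single unsalted SHA-1 digest truncated to 16 bytes, a weak derivation; any change here must be mirrored in the encrypt function and breaks decryption of existing data.` Javadoc-style `/** */` comments do not belong inside method bodies. The `catch (Exception e)` handler and the rest of setup() continue outside the hunk.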