alpine 3.6
crypto weakness #5


Weakness Breakdown


Definition:

This weakness covers designing non-standard or untested algorithms, using algorithms that are known to be weak, or applying sound cryptographic algorithms incorrectly. Algorithms once considered safe are routinely found to be unsafe later, either because they are cryptanalytically broken or because advances in computing power make brute-force and dictionary attacks against them practical.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm: traditional DES-based crypt(3) only uses the first 8 characters of the password and a two-character salt, so it is excessively vulnerable to dictionary and brute-force attacks on today's hardware. Modern libc implementations of crypt() also accept stronger, salted schemes selected by the setting string, but that does not help here: the code below truncates the stored hash to 13 characters (the length of a DES-crypt result) before calling crypt()/crypt_r(), so only traditional DES-crypt entries can ever match. An htpasswd entry in any longer crypt format is cut short, produces a non-matching result and is effectively rejected; the only other accepted form is the {SHA} prefix, which is handled by htpasswd_check_sha1() (not shown on this page).

File Name:

uwsgi/src/uwsgi-2.0.17/plugins/router_basicauth/router_basicauth.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 crypto weakness: the candidate password (colon+1, presumably taken from the request's Authorization header) is hashed with crypt_r() on glibc, or with crypt() under a mutex on other C libraries, using the stored htpasswd entry as the setting string, and the result is compared with strcmp(). Alpine's libc is musl, which does not define __GLIBC__, so the #else branch with crypt() is the one expected to be compiled there. Because the stored entry is truncated with cpwd[13] = 0 before either call, only traditional DES-crypt hashes can match. A reviewer would also note that the final strcmp() on the hash is not a constant-time comparison.

 		char *cpwd = colon2+1;
		size_t clen = strlen(cpwd);

		// now we check which algo to use
		// {SHA} ?
		if (!uwsgi_starts_with(cpwd, clen, "{SHA}", 5)) {
			crypted = htpasswd_check_sha1(colon+1);
			if (crypted) need_free = 1;
			goto check;
		}


		if (clen < 13) break;

		if (clen > 13) cpwd[13] = 0;

#if defined(__linux__) && defined(__GLIBC__)
		struct crypt_data cd;
		cd.initialized = 0;
		// we do as nginx here
		cd.current_salt[0] = ~cpwd[0];
		crypted = crypt_r( colon+1, cpwd, &cd);
#else
		if (uwsgi.threads > 1) pthread_mutex_lock(&ur_basicauth_crypt_mutex);
		crypted = crypt( colon+1, cpwd);
		if (uwsgi.threads > 1) pthread_mutex_unlock(&ur_basicauth_crypt_mutex);
#endif
check:
		if (!crypted) continue;

		if (!strcmp( crypted, cpwd )) {
			if (!uwsgi_strncmp(auth, colon-auth, line, colon2-line)) {
				fclose(htpasswd);
				if (need_free) free(crypted);
				return colon-auth;
			}
		}

		if (need_free) free(crypted);
	}
	
	fclose(htpasswd);

	return 0;
}

static int uwsgi_routing_func_basicauth(struct wsgi_request *wsgi_req, struct uwsgi_route *ur) {

	// skip if already authenticated
	if (wsgi_req->remote_user_len > 0) { 
