alpine 3.7
crypto weakness #278

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

DES only supports a 56-bit keysize, which is too small given today's computers.

File Name:

qca/src/qca-2.1.3/plugins/qca-ossl/qca-ossl.cpp

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 crypto weakness.

 		BIO *bi = BIO_new(BIO_s_mem());
		BIO_write(bi, in.data(), in.size());
		EVP_PKEY *pkey = PEM_read_bio_PUBKEY(bi, NULL, passphrase_cb, NULL);
		BIO_free(bi);

		if(!pkey)
			return ErrorDecode;

		k = pkeyToBase(pkey, false);
		if(k)
			return ConvertGood;
		else
			return ErrorDecode;
	}

	virtual SecureArray privateToDER(const SecureArray &passphrase, PBEAlgorithm pbe) const
	{
		//if(pbe == PBEDefault)
		//	pbe = PBES2_TripleDES_SHA1;

		const EVP_CIPHER *cipher = 0;
		if(pbe == PBES2_TripleDES_SHA1)
			cipher = EVP_des_ede3_cbc();
		else if(pbe == PBES2_DES_SHA1)
			cipher = EVP_des_cbc();

		if(!cipher)
			return SecureArray();

		EVP_PKEY *pkey = get_pkey();

		// OpenSSL does not have DH import/export support
		if(pkey->type == EVP_PKEY_DH)
			return SecureArray();

		BIO *bo = BIO_new(BIO_s_mem());
		if(!passphrase.isEmpty())
			i2d_PKCS8PrivateKey_bio(bo, pkey, cipher, NULL, 0, NULL, (void *)passphrase.data());
		else
			i2d_PKCS8PrivateKey_bio(bo, pkey, NULL, NULL, 0, NULL, NULL);
		SecureArray buf = bio2buf(bo);
		return buf;
	}

	virtual QString privateToPEM(const SecureArray &passphrase, PBEAlgorithm pbe) const
	{
		//if(pbe == PBEDefault)
		//	pbe = PBES2_TripleDES_SHA1;

		const EVP_CIPHER *cipher = 0; 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.