alpine 3.7
crypto weakness #286

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

mkinitfs/src/mkinitfs-3.2.0/nlplug-findfs.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 crypto weakness.

 
	r = crypt_load(cd, CRYPT_LUKS1, params);
	if (r < 0) {
		warnx("crypt_load(%s)", data_devnode);
		goto free_out;
	}

	r = crypt_set_data_device(cd, data_devnode);
	if (r < 0) {
		warnx("crypt_set_data_device(%s)", data_devnode);
		goto free_out;
	}

	while (passwd_tries > 0) {
		char pass[1024];

		printf("Enter passphrase for %s: ", c->crypt.data.devnode);
		fflush(stdout);

		if (read_pass(pass, sizeof(pass)) < 0)
			goto free_out;
		passwd_tries--;

		pthread_mutex_lock(&c->crypt.mutex);
		r = crypt_activate_by_passphrase(cd, c->crypt.data.name,
						 CRYPT_ANY_SLOT,
						 pass, strlen(pass),
						 c->crypt.flags);
		pthread_mutex_unlock(&c->crypt.mutex);
		memset(pass, 0, sizeof(pass)); /* wipe pass after use */

		if (r >= 0)
			goto free_out;
		printf("No key available with this passphrase.\n");
	}
	printf("Mounting %s failed, amount of tries exhausted.\n", c->crypt.data.devnode);

free_out:
	crypt_free(cd);
notify_out:
	c->cryptsetup_running = 0;
	notify_main(c);
	return NULL;
}

static void start_thread(struct ueventconf *conf, void *(*thread_main)(void *))
{
	pthread_t tid;
	pthread_attr_t attr;
 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.