alpine 3.7
crypto weakness #295


Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later found to be unsafe once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

mkinitfs/src/mkinitfs-3.2.0/nlplug-findfs.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.7 crypto weakness.

 	if (!rc && type) {
		if (strcmp("linux_raid_member", type) == 0) {
			start_mdadm(ev->devnode);
		} else if (strcmp("LVM2_member", type) == 0) {
			start_lvm2(ev->devnode);
		} else if (strcmp("zfs_member", type) == 0) {
			start_zpool(uuid);
		} else if (scanbootmedia) {
			rc = scandev(conf, ev->devnode, type);
		}
	}

	if (type)
		free(type);
	if (label)
		free(label);
	if (uuid)
		free(uuid);

	return rc;
}

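/*
 * Copy a device node path into a fixed-size devnode buffer.
 *
 * strncpy() on its own does not guarantee NUL termination when src is at
 * least dst_size bytes long, so the final byte is always forced to '\0';
 * an over-long path is truncated instead of leaving an unterminated string
 * that later strcmp()/strlen() callers would read past.
 *
 * dst:      destination buffer of dst_size bytes
 * dst_size: sizeof the destination buffer (0 is a no-op)
 * src:      NUL-terminated source path
 */
static void copy_devnode(char *dst, size_t dst_size, const char *src)
{
	if (dst_size == 0)
		return;
	strncpy(dst, src, dst_size - 1);
	dst[dst_size - 1] = '\0';
}

/* search for crypt.data and crypt.header.
   returns true if we are ready to start cryptsetup.

   ev:    the uevent for the device that just appeared
   crypt: cryptsetup configuration; data.devnode / header.devnode are
          filled in here once the matching device has been seen

   Note: `crypt` here is the struct cryptconf being populated, not the
   libc crypt(3) password hash; no password hashing happens in this
   function. devnode fields are treated as fixed-size char arrays, since
   sizeof() is used as their bound. */
static int search_cryptdevs(struct uevent *ev, struct cryptconf *crypt)
{
	/* data device not resolved yet and this uevent matches it */
	if (crypt->data.devnode[0] == '\0' && searchdev(ev, crypt->data.device, 0)) {
		/* an absolute path is recorded as given; otherwise the
		   matched event's device node is recorded */
		copy_devnode(crypt->data.devnode, sizeof(crypt->data.devnode),
			     crypt->data.device[0] == '/' ? crypt->data.device : ev->devnode);
		/* if we don't have header or header is found, then we are
		   ready to start crypsetup */
		return (crypt->header.device == NULL)
			|| (crypt->header.devnode[0] != '\0');
	}

	/* no detached header configured: nothing else to match */
	if (crypt->header.device == NULL)
		return 0;

	/* header device not resolved yet and this uevent matches it */
	if (crypt->header.devnode[0] == '\0' && searchdev(ev, crypt->header.device, 0)) {
		copy_devnode(crypt->header.devnode, sizeof(crypt->header.devnode),
			     crypt->header.device[0] == '/' ? crypt->header.device : ev->devnode);
		/* if we also have found data dev, then we are ready to
		   start cryptsetup */
		return crypt->data.devnode[0] != '\0';
	}
	return 0;
}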
 
