alpine 3.8
crypto weakness #1

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are frequently found to be unsafe later, once they have been broken or once hardware has caught up with them.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

apg/src/apg-2.2.3/apg.c

Context:

The trigger point of this particular Alpine 3.8 crypto weakness is the crypt(p, salt) call inside crypt_passstring() in the code below. The salt produced by gen_rand_pass() consists only of letters and digits and carries no "$id$" prefix, so crypt() in the common libc implementations (glibc/libxcrypt and musl) selects the traditional DES-based scheme, which uses only the first two salt characters and truncates the password to 8 bytes. The call is compiled in only when APG_USE_CRYPT is defined and is reached through the -y (print crypted passwords) option; the generated passwords themselves are unaffected, only the crypted form printed alongside them is weak.

 printf ("-l              spell generated password\n");
 printf ("-t              print pronunciation for generated pronounceable password\n");
#ifdef APG_USE_CRYPT
 printf ("-y              print crypted passwords\n");
#endif /* APG_USE_CRYPT */
 printf ("-q              quiet mode (do not print warnings)\n");
 printf ("-h              print this help screen\n");
 printf ("-v              print version information\n");
}

#ifdef APG_USE_CRYPT
/*
** crypt_passstring() - produce crypted password.
** INPUT:
**   const char * - password string
** OUTPUT:
**   char * - crypted password 
** NOTES:
**   none.
*/
char * crypt_passstring (const char *p)
{
 char salt[10];
 gen_rand_pass (salt, 10, 10, S_SL|S_CL|S_NB);
 return (crypt(p, salt));
}
#endif /* APG_USE_CRYPT */
#endif /* CLISERV */

/*
** checkopt() - check options.
** INPUT:
**   char * - options string.
** OUTPUT:
**   none.
** NOTES:
**   option should contain only numeral symbols.
*/
void
checkopt(char *opt)
{
 int i;

 for(i=0; i < strlen(opt);i++)
  if(opt[i] != '0' && opt[i] != '1' && opt[i] != '2' && opt[i] != '3' &&
     opt[i] != '4' && opt[i] != '5' && opt[i] != '6' && opt[i] != '7' &&
     opt[i] != '8' && opt[i] != '9')
      err_app_fatal ("checkopt", "wrong option format");
}
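The practical checks behind this finding, as an added example that is not apg's or Alpine's code: classify what a given salt string makes crypt(3) do (a salt without a "$id$" prefix selects DES crypt on glibc/libxcrypt and musl), show the 8-byte password and 2-character salt window that DES crypt actually consumes, audit a shadow-style file for weak schemes, and build a "$6$" salt that would select SHA-512 crypt instead. The scheme table and the weak/ok verdicts are this example's own audit policy, the sample shadow lines are constructed (the hash bodies are filler, not real digests), and APG_STYLE_SALT mimics the 10-character alphanumeric salt gen_rand_pass() produces above.

```python
# Added example (not apg's or Alpine's code): audit salt strings handed to
# crypt(3) and build a salt that selects SHA-512 crypt instead of DES crypt.
import secrets
import string

# itoa64 alphabet used by the DES, MD5 and SHA-crypt salt formats.
CRYPT_ALPHABET = "./" + string.digits + string.ascii_uppercase + string.ascii_lowercase

# Scheme ids that glibc/libxcrypt and musl dispatch on from the "$id$" prefix.
# The verdicts are this example's own audit policy, not a library constant.
SCHEMES = {
    "1": ("md5crypt", "weak"),
    "2a": ("bcrypt", "ok"), "2b": ("bcrypt", "ok"), "2y": ("bcrypt", "ok"),
    "5": ("sha256crypt", "ok"),
    "6": ("sha512crypt", "ok"),
    "7": ("scrypt", "ok"),
    "y": ("yescrypt", "ok"),
}

# SHA-crypt rounds limits from the SHA-crypt specification.
SHA_ROUNDS_MIN, SHA_ROUNDS_MAX = 1000, 999_999_999


def classify_salt(salt):
    """Return (scheme, verdict) for a salt or hash string passed to crypt(3).

    A string with no "$id$" prefix selects traditional DES crypt: only the
    first two characters act as salt and the password is cut to 8 bytes.
    """
    if not salt.startswith("$"):
        return ("des", "weak")
    parts = salt.split("$")          # ["", id, ...]
    ident = parts[1] if len(parts) > 1 else ""
    return SCHEMES.get(ident, ("unknown", "weak"))


def des_effective_input(password, salt):
    """What DES crypt actually consumes: 8 password bytes and 2 salt chars."""
    return (password.encode()[:8], salt[:2])


def make_sha512_salt(rounds=None):
    """Build a "$6$[rounds=N$]<16 chars>" salt from a CSPRNG.

    Passing this string to crypt(3) selects SHA-512 crypt on glibc/libxcrypt
    and musl, which removes the 8-byte password and 2-char salt limits.
    """
    body = "".join(secrets.choice(CRYPT_ALPHABET) for _ in range(16))
    if rounds is None:
        return "$6$" + body
    if not SHA_ROUNDS_MIN <= rounds <= SHA_ROUNDS_MAX:
        raise ValueError("rounds must be within [%d, %d]" % (SHA_ROUNDS_MIN, SHA_ROUNDS_MAX))
    return "$6$rounds=%d$%s" % (rounds, body)


def audit_shadow(lines):
    """Return [(user, scheme)] for every shadow-style line using a weak scheme.

    Locked or empty password fields ("", "!", "*", "!...") hold no hash and
    are skipped.
    """
    weak = []
    for line in lines:
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, field = fields[0], fields[1]
        if field in ("", "*") or field.startswith("!"):
            continue
        scheme, verdict = classify_salt(field)
        if verdict == "weak":
            weak.append((user, scheme))
    return weak


# Constructed sample data: an apg-style 10-character alphanumeric salt and a
# shadow-like file with one DES entry, one md5crypt entry, one SHA-512 entry
# and one locked account. Hash bodies are filler, not real digests.
APG_STYLE_SALT = "aB3dEf9hJk"
SAMPLE_SHADOW = [
    "legacy:aBx9pQ3rLm1vZ:18000:0:99999:7:::",
    "old:$1$Tg4kd9Qe$z0LkIrP3d9bFq2sOhP7Ja1:18000:0:99999:7:::",
    "fresh:$6$rounds=100000$QeGh0z3rTkP8sY2m$" + "A" * 86 + ":18000:0:99999:7:::",
    "svc:!:18000:0:99999:7:::",
]

if __name__ == "__main__":
    print("apg-style salt selects:", classify_salt(APG_STYLE_SALT))
    print("DES crypt sees:", des_effective_input("correct horse battery", APG_STYLE_SALT))
    print("weak accounts:", audit_shadow(SAMPLE_SHADOW))
    print("replacement salt:", make_sha512_salt(rounds=100000))
```

The corresponding change on the C side (a suggestion, not a patch from the apg project) is to prefix the generated characters with "$6$" before handing them to crypt() and to check the return value for NULL, since crypt() fails rather than silently downgrading when a scheme is unavailable.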
 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a worldwide basis.