alpine 3.8
crypto weakness #4

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

linux-pam/src/Linux-PAM-1.3.0/modules/pam_unix/passverify.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.8 crypto weakness.

 	if (on(UNIX_BLOWFISH_PASS, ctrl)) {
		char entropy[17];
		crypt_make_salt(entropy, sizeof(entropy) - 1);
		sp = crypt_gensalt_r (algoid, rounds,
				      entropy, sizeof(entropy),
				      salt, sizeof(salt));
	} else {
#endif
		sp = stpcpy(salt, algoid);
		if (on(UNIX_ALGO_ROUNDS, ctrl)) {
			sp += snprintf(sp, sizeof(salt) - (16 + 1 + (sp - salt)), "rounds=%u$ ", rounds);
		}
		crypt_make_salt(sp, 16);
#ifdef HAVE_CRYPT_GENSALT_R
	}
#endif
#ifdef HAVE_CRYPT_R
	sp = NULL;
	cdata = malloc(sizeof(*cdata));
	if (cdata != NULL) {
		cdata->initialized = 0;
		sp = crypt_r(password, salt, cdata);
	}
#else
	sp = crypt(password, salt);
#endif
	if (!sp || strncmp(algoid, sp, strlen(algoid)) != 0) {
		/* libxcrypt/libc doesn't know the algorithm, use MD5 */
		pam_syslog(pamh, LOG_ERR,
			   "Algo %s not supported by the crypto backend, "
			   "falling back to MD5\n",
			   on(UNIX_BLOWFISH_PASS, ctrl) ? "blowfish" :
			   on(UNIX_SHA256_PASS, ctrl) ? "sha256" :
			   on(UNIX_SHA512_PASS, ctrl) ? "sha512" : algoid);
		if(sp) {
		   memset(sp, '\0', strlen(sp));
		}
#ifdef HAVE_CRYPT_R
		free(cdata);
#endif
		return crypt_md5_wrapper(password);
	}
	sp = x_strdup(sp);
#ifdef HAVE_CRYPT_R
	free(cdata);
#endif
	return sp;
}

#ifdef WITH_SELINUX 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.