alpine 3.9
crypto weakness #1

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later found to be unsafe once they have been broken.

Warning code(s):

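The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment. This message describes the traditional DES-based crypt scheme. Modern crypt() implementations generally choose the scheme from the prefix of the stored hash (for example `$6$` for SHA-512), so the effective strength depends on how the entry in the password database was hashed, and the finding should be confirmed against the system's password-hash configuration.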

File Name:

doas/src/OpenDoas-6.0/doas.c

Context:

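The trigger point of this particular Alpine 3.9 crypto weakness is the call to crypt() in the `strcmp(crypt(response, pass), pass)` comparison in the code below (the original highlighting is not preserved here). When reviewing this excerpt, note also that crypt() can return NULL on failure and its result is passed straight to strcmp(), and that `response` is checked for NULL only when errno is ENOTTY.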

 		if (nflag)
			errx(1, "Authorization required");

		pass = pw->pw_passwd;
		if (pass[0] == 'x' && pass[1] == '\0') {
			struct spwd *sp;
			if (!(sp = getspnam(myname)))
				errx(1, "Authorization failed");
			pass = sp->sp_pwdp;
		}

		char *challenge, *response, rbuf[1024], cbuf[128], host[HOST_NAME_MAX + 1];
		if (gethostname(host, sizeof(host)))
			snprintf(host, sizeof(host), "?");
		snprintf(cbuf, sizeof(cbuf),
				"\rdoas (%.32s@%.32s) password: ", myname, host);
		challenge = cbuf;

		response = readpassphrase(challenge, rbuf, sizeof(rbuf), RPP_REQUIRE_TTY);
		if (response == NULL && errno == ENOTTY) {
			syslog(LOG_AUTHPRIV | LOG_NOTICE,
			    "tty required for %s", myname);
			errx(1, "a tty is required");
		}
		if (strcmp(crypt(response, pass), pass) != 0) {
			syslog(LOG_AUTHPRIV | LOG_NOTICE, "failed auth for %s", myname);
			errc(1, EPERM, NULL);
		}
		explicit_bzero(rbuf, sizeof(rbuf));
	}
#else
	if (!(rule->options & NOPASS))
		errx(1, "Authorization required");
#endif /* HAVE_BSD_AUTH_H */

	if (pledge("stdio rpath getpw exec id", NULL) == -1)
		err(1, "pledge");

	pw = getpwuid(target);
	if (!pw)
		errx(1, "no passwd entry for target");

#ifdef HAVE_BSD_AUTH_H
	if (setusercontext(NULL, pw, target, LOGIN_SETGROUP |
	    LOGIN_SETPRIORITY | LOGIN_SETRESOURCES | LOGIN_SETUMASK |
	    LOGIN_SETUSER) != 0)
		errx(1, "failed to set user context for target");
#else
	if (setresgid(pw->pw_gid, pw->pw_gid, pw->pw_gid) != 0)
		errx(1, "setresgid"); 
