fedora 24
crypto weakness #277

Weakness Breakdown

Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

grive2-ae06eccb38b2fe250c9ddeac3e3973f80b8a0aa9/libgrive/src/util/Crypt.cc

Context:

The highlighted line of code below is the trigger point of this particular Fedora 24 crypto weakness.

 	of the License.

	This program is distributed in the hope that it will be useful,
	but WITHOUT ANY WARRANTY; without even the implied warranty of
	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
	GNU General Public License for more details.

	You should have received a copy of the GNU General Public License
	along with this program; if not, write to the Free Software
	Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
*/

#include "Crypt.hh"

#include "File.hh"
#include "Exception.hh"
#include "MemMap.hh"

#include <iomanip>

// dependent libraries
#include <gcrypt.h>
#include <boost/throw_exception.hpp>

namespace gr { namespace crypt {

// map 4MB of data at a time
const u64_t read_size = 1024 * 4096 ;

struct MD5::Impl
{
	gcry_md_hd_t hd ;
} ;

MD5::MD5() : m_impl( new Impl )
{
	::gcry_error_t err = ::gcry_md_open( &m_impl->hd, GCRY_MD_MD5, 0 ) ;
	if ( err != GPG_ERR_NO_ERROR )
	{
		BOOST_THROW_EXCEPTION( Exception()
			<< GCryptErr_( ::gcry_strerror(err) )
			<< GCryptApi_( "gcry_md_open" )
		) ;
	}
}

MD5::~MD5()
{
	::gcry_md_close( m_impl->hd ) ;
}