fedora 24
crypto weakness #297


Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are frequently found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

freeradius-client-1.1.7/src/local.c

Context:

The trigger point of this particular Fedora 24 crypto weakness is the crypt() call in the code below (the line highlighted in the original report).

 #endif

	if ((pw = getpwnam(username)) == NULL) {
		endpwent();
		rc_log(LOG_NOTICE, "authentication FAILED, type local, username %s", username);
		printf(SC_LOCAL_FAILED);
		return NULL;
	}
	endpwent();

#ifdef SHADOW_PASSWORD
	if((spw = getspnam(pw->pw_name)) == NULL) {
		endspent();
		rc_log(LOG_NOTICE, "authentication FAILED, type local, username %s", username);
		printf(SC_LOCAL_FAILED);
		return NULL;
	}
	else
	{
		pw->pw_passwd = spw->sp_pwdp;
	}
	endspent();
#endif /* SHADOW_PASSWORD */

	xpasswd = crypt(passwd, pw->pw_passwd);	/* line flagged by the scanner: call to crypt() */

	if (*pw->pw_passwd == '\0' || !xpasswd || strcmp(xpasswd, pw->pw_passwd)) {
		rc_log(LOG_NOTICE, "authentication FAILED, type local, username %s", username);
		printf(SC_LOCAL_FAILED);
		return NULL;
	}

	rc_log(LOG_NOTICE, "authentication OK, type local, username %s", username);
	printf(SC_LOCAL_OK);

	return local_login;
}

void
local_login(rc_handle *rh, char const *username)
{
	char *login_local = rc_conf_str(rh, "login_local");

	/* login should spot this... but who knows what old /bin/logins
	 * may be still around
	 */
	if (*username == '-') {
		rc_log(LOG_WARNING, "username can't start with a dash");
		exit(ERROR_RC);
	} 
