fedora 25
crypto weakness #17

4

Weakness Breakdown

Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

kdelibs4support-5.38.0/src/kssl/kopenssl.h

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness. Note that in the excerpt shown, crypt appears only as a macro that is defined before the OpenSSL headers are included and undefined again afterwards; no call to the crypt function itself is visible in this excerpt.

// IF YOU ARE USING THIS CLASS, YOU ARE MAKING A MISTAKE.

#ifndef __KOPENSSLPROXY_H
#define __KOPENSSLPROXY_H

#define KOSSL KOpenSSLProxy
class KOpenSSLProxyPrivate;

#include <ksslconfig.h>

#if KSSL_HAVE_SSL
#define crypt _openssl_crypt
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/pem.h>
#include <openssl/bio.h>
#include <openssl/rand.h>
#include <openssl/asn1.h>
#include <openssl/pkcs7.h>
#include <openssl/pkcs12.h>
#include <openssl/evp.h>
#include <openssl/stack.h>
#include <openssl/bn.h>
#undef crypt
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
#define STACK _STACK
#define OSSL_SKVALUE_RTYPE void
#define OSSL_MORECONST const
#else
#define OSSL_SKVALUE_RTYPE char
#define OSSL_MORECONST
#endif
#endif

/**
 * Dynamically load and wrap OpenSSL.
 *
 * @author George Staikos <staikos@kde.org>
 * @see KSSL
 * @short KDE OpenSSL Wrapper
 * @internal
 */
class KOpenSSLProxy
{
public:

    /**
     * Return an instance of class KOpenSSLProxy *
     * You cannot delete this object.  It is a singleton class.

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.