fedora 25
crypto weakness #19

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

These keysizes are too small given today's computers.

File Name:

kdelibs4support-5.38.0/src/kssl/kopenssl.h

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness.

                           (*callback)(int, int, void *), void *cb_arg);

    /*
     * Create/destroy a certificate request
     */
    X509_REQ *X509_REQ_new();
    void X509_REQ_free(X509_REQ *a);

    /*
     * Set the public key in the REQ object
     */
    int X509_REQ_set_pubkey(X509_REQ *x, EVP_PKEY *pkey);

    /* for testing */
    int i2d_X509_REQ_fp(FILE *fp, X509_REQ *x);

    /* SMime support */
    STACK *X509_get1_email(X509 *x);
    void X509_email_free(STACK *sk);

    /* Ciphers needed for SMime */
    EVP_CIPHER *EVP_des_ede3_cbc();
    EVP_CIPHER *EVP_des_cbc();
    EVP_CIPHER *EVP_rc2_cbc();
    EVP_CIPHER *EVP_rc2_64_cbc();
    EVP_CIPHER *EVP_rc2_40_cbc();

    /* clear the current error  - use this often*/
    void ERR_clear_error();

    /* retrieve the latest error */
    unsigned long ERR_get_error();

    /* Print the errors to this stream */
    void ERR_print_errors_fp(FILE *fp);

    /* Get a pointer to the SSL session id (reference counted) */
    SSL_SESSION *SSL_get1_session(SSL *ssl);

    /* Frees a pointer to the SSL session id (reference decremented if needed) */
    void SSL_SESSION_free(SSL_SESSION *session);

    /* Set the SSL session to reuse. */
    int SSL_set_session(SSL *ssl, SSL_SESSION *session);

    /* Decode ASN.1 to SSL_SESSION */
    SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, unsigned char **pp, long length);
    /* Encode SSL_SESSION to ASN.1 */
    int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.