fedora 25
crypto weakness #26

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or non-tested algorithms, using weak algorithms or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly later found to be unsafe, as the algorithms were broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

kdelibs4support-5.38.0/src/kssl/ksslcertificate.cpp

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness.

 #include <qtemporaryfile.h>

#include "ksslcertchain.h"
#include "ksslutils.h"

#include <klocalizedstring.h>

#include <sys/types.h>

#include <config-kdelibs4support.h> // HAVE_SYS_STAT_H

#if HAVE_SYS_STAT_H
#include <sys/stat.h>
#endif

// this hack provided by Malte Starostik to avoid glibc/openssl bug
// on some systems
#if KSSL_HAVE_SSL
#define crypt _openssl_crypt
#include <openssl/ssl.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/x509_vfy.h>
#include <openssl/pem.h>
#undef crypt
#endif

#include <kopenssl.h>
#include "ksslx509v3.h"

static const char hv[] = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'};

class KSSLCertificatePrivate
{
public:
    KSSLCertificatePrivate()
    {
        kossl = KOSSL::self();
        _lastPurpose = KSSLCertificate::None;
    }

    ~KSSLCertificatePrivate()
    {
    }

    KSSLCertificate::KSSLValidation m_stateCache;
    bool m_stateCached;
#if KSSL_HAVE_SSL
    X509 *m_cert;
#endif 

The registered trademark Linux® is used pursuant to a sublicense from the Linux Foundation, the exclusive licensee of Linus Torvalds, owner of the mark on a world­wide basis.