Fedora 25
crypto weakness #27

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

kdelibs4support-5.38.0/src/kssl/ksslutils.h

Context:

The highlighted line of code below is the trigger point of this particular Fedora 25 crypto weakness.

 * Copyright (C) 2000-2003 George Staikos <staikos@kde.org>
 *
 * This library is free software; you can redistribute it and/or
 * modify it under the terms of the GNU Library General Public
 * License as published by the Free Software Foundation; either
 * version 2 of the License, or (at your option) any later version.
 *
 * This library is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * Library General Public License for more details.
 *
 * You should have received a copy of the GNU Library General Public License
 * along with this library; see the file COPYING.LIB.  If not, write to
 * the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
 * Boston, MA 02110-1301, USA.
 */
#ifndef _INCLUDE_KSSLUTILS_H
#define _INCLUDE_KSSLUTILS_H

#include <kdelibs4support_export.h>
#include <ksslconfig.h>

#if KSSL_HAVE_SSL
#define crypt _openssl_crypt
#include <openssl/x509.h>
#undef crypt
#endif
class QString;
class QDateTime;

#if KSSL_HAVE_SSL
// This functionality is missing in OpenSSL
/**
 *  Convert an ASN1 UTCTIME value to a string.  Uses KLocale settings.
 *
 *  @param tm the OpenSSL ASN1_UTCTIME pointer
 *
 *  @return the date formatted in a QString
 *  @see ASN1_UTCTIME_QDateTime
 */
QString ASN1_UTCTIME_QString(ASN1_UTCTIME *tm);

/**
 *  Convert an ASN1 UTCTIME value to a QDateTime.  Uses KLocale settings.
 *
 *  @param tm the OpenSSL ASN1_UTCTIME pointer
 *  @param isGmt set to 1 if the date is set to GMT
 *
 *  @return the date formatted in a QDateTime 
