alpine 3.6
crypto weakness #3


Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are commonly found to be unsafe later, once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

libtorrent/src/libtorrent-0.13.6/src/utils/rc4.h

Context:

The code excerpt below contains the trigger point of this particular Alpine 3.6 crypto weakness: the scanner's warning is keyed on the function name `crypt`, which here is the name of the RC4 class's crypt() methods rather than the libc password-hashing function the warning text describes. The file itself is a thin wrapper around RC4, a stream cipher that is itself no longer considered secure.

  // Excerpt of class RC4 from libtorrent's rc4.h. The class selects one of three
  // backends at compile time: Cyrus SASL's rc4_*, OpenSSL's RC4_*, or a no-op stub
  // that silently leaves the data unchanged when neither backend is available.
  RC4()                                                               { }

#ifdef USE_CYRUS_RC4
  RC4(const unsigned char key[], int len)                             { rc4_init(&m_key, key, len); }

  void crypt(const void* indata, void* outdata, unsigned int length)  { rc4_encrypt(&m_key, (const char*)indata, (char*)outdata, length); }
  void crypt(void* data, unsigned int length)                         { rc4_encrypt(&m_key, (const char*)data, (char*)data, length); }

private:
  rc4_context_t m_key;

#else
#ifdef USE_OPENSSL
  RC4(const unsigned char key[], int len)                             { RC4_set_key(&m_key, len, key); }

  void crypt(const void* indata, void* outdata, unsigned int length)  { ::RC4(&m_key, length, (const unsigned char*)indata, (unsigned char*)outdata); }
  void crypt(void* data, unsigned int length)                         { ::RC4(&m_key, length, (unsigned char*)data, (unsigned char*)data); }

private:
  RC4_KEY m_key;

#else
  // Stub backend: no encryption is performed at all.
  RC4(const unsigned char key[], int len) { }

  void crypt(const void* indata, void* outdata, unsigned int length) { }
  void crypt(void* data, unsigned int length) {}
#endif
#endif
};

};

#endif
