alpine 3.6
crypto weakness #53

4

Weakness Breakdown


Definition:

This weakness involves creating non-standard or untested algorithms, using weak algorithms, or applying cryptographic algorithms incorrectly. Algorithms that were once considered safe are often later found to be unsafe once they have been broken.

Warning code(s):

The crypt functions use a poor one-way hashing algorithm; since they only accept passwords of 8 characters or fewer and only a two-byte salt, they are excessively vulnerable to dictionary attacks given today's faster computing equipment.

File Name:

syslinux/src/syslinux-6.04-pre1/core/lwip/src/netif/ppp/auth.c

Context:

The highlighted line of code below is the trigger point of this particular Alpine 3.6 crypto weakness.

 /*
  * Authentication policy flags and the peer's name.
  * NOTE(review): the `#endif UNUSED` that follows this group suggests these
  * definitions are compiled out; the matching #if is outside this excerpt, so
  * confirm whether anything still references them.
  */
bool refuse_pap = 0;          /* Don't wanna auth. ourselves with PAP */
bool refuse_chap = 0;         /* Don't wanna auth. ourselves with CHAP */
bool usehostname = 0;         /* Use hostname for our_name */
bool auth_required = 0;       /* Always require authentication from peer */
bool allow_any_ip = 0;        /* Allow peer to use any IP address */
bool explicit_remote = 0;     /* User specified explicit remote name */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */

#endif /* UNUSED */

/*
 * Bits in auth_pending[].
 * Presumably WITHPEER marks an exchange in which we authenticate ourselves to
 * the peer and PEER one in which the peer authenticates to us (inferred from
 * the names; verify against the code that sets and clears auth_pending[]).
 * Kept as #defines rather than an enum in case they are tested in preprocessor
 * conditionals elsewhere in the file.
 */
#define PAP_WITHPEER    1
#define PAP_PEER        2
#define CHAP_WITHPEER   4
#define CHAP_PEER       8

/* @todo, move this somewhere */
/*
 * Used for storing a sequence of words.  Usually malloced.
 * `word[1]` is the pre-C99 "struct hack": the allocator of a node is expected
 * to request extra bytes so the NUL-terminated string extends past the declared
 * element.  NOTE(review): a C99 flexible array member (`char word[];`) would
 * express this intent, but it changes sizeof(struct wordlist) and so every
 * allocation site (none visible here) would need re-checking first.
 */
struct wordlist {
  struct wordlist *next;  /* next word, or NULL at the end of the list */
  char        word[1];    /* start of the string; real length is set by the allocator */
};


/*
 * Hand-written prototype for crypt(3) rather than an include of the platform
 * header that declares it.
 * NOTE(review): this is the API flagged by the crypto-weakness finding for this
 * file.  Used with the traditional two-character salt, crypt() yields the
 * DES-based hash that only considers the first 8 characters of the password,
 * which is cheap to brute-force with current hardware.  Any password
 * verification routed through it (the callers are outside this excerpt) should
 * be migrated to a modern, salted, iterated password-hashing scheme, and the
 * hash comparison should be constant-time.
 */
extern char *crypt (const char *, const char *);

/*
 * Prototypes for procedures local to this file.
 * All are `static`, so they are not part of the module's public interface.
 * Only the signatures are visible here; purposes below are inferred from the
 * names and should be confirmed against the definitions.
 */

static void network_phase (int);                 /* unit number, presumably */
static void check_idle (void *);                 /* timer callback signature */
static void connect_time_expired (void *);       /* timer callback signature */
#if 0
/* plogin is compiled out by this #if 0; keep in sync if it is ever re-enabled. */
static int  plogin (char *, char *, char **, int *);
#endif
static void plogout (void);
static int  null_login (int);
static int  get_pap_passwd (int, char *, char *);  /* NOTE(review): char* outputs with no length parameter — check the callee bounds its writes */
static int  have_pap_secret (void);
static int  have_chap_secret (char *, char *, u32_t);
static int  ip_addr_check (u32_t, struct wordlist *);

#if 0 /* PAP_SUPPORT || CHAP_SUPPORT */
/*
 * These prototypes sit inside the `#if 0 /* PAP_SUPPORT || CHAP_SUPPORT */`
 * block opened just above, so they are currently compiled out; the matching
 * #endif is beyond this excerpt.  The secrets-file scanner and the address
 * allow-list helpers live here.
 */
static int  scan_authfile (FILE *, char *, char *, char *,
             struct wordlist **, struct wordlist **,
             char *);
static void free_wordlist (struct wordlist *);   /* releases a list built by scan_authfile, presumably */
static void auth_script (char *);
static void auth_script_done (void *);
static void set_allowed_addrs (int unit, struct wordlist *addrs);
static int  some_ip_ok (struct wordlist *); 
