Use of weak or non-cryptographic hash algorithm in security context

ID

c.cryptography.insecure_hash

Severity

low

Resource

Cryptography

Language

C / C++

Description

Use of weak or non-cryptographic hash algorithm '$FUNC' in security-sensitive function '$FN_NAME'. MD2, MD4, MD5, SHA-1, and non-cryptographic checksums (CRC32, Adler32, xxHash) should not be used for security purposes. Use SHA-256, SHA-384, SHA-512, SHA-3, or BLAKE2 instead.

Rationale

A hash used for a security purpose (password storage, integrity checks, signatures, token or key derivation) has to be collision-resistant and preimage-resistant. None of the algorithms this rule flags is:

MD4 and MD5 have practical collision attacks. MD5 collisions can be produced in seconds on commodity hardware, and chosen-prefix collisions (two attacker-chosen inputs with the same digest) have been used in the real world, most notably by the Flame malware (2012) to forge a Microsoft code-signing certificate. MD2 is obsolete and also cryptanalytically broken.

SHA-1 collisions were demonstrated in 2017 (SHAttered) and chosen-prefix collisions in 2020 ("SHA-1 is a Shambles"). Browsers and certificate authorities no longer accept SHA-1 signatures.

CRC32, Adler32 and xxHash are not cryptographic hash functions at all. They are built for speed, error detection and hash-table distribution; no preimage or collision resistance is claimed for them. CRC32 in particular is linear over GF(2), so an attacker who can change the data can append four chosen bytes and make any message produce any checksum. They provide no integrity against deliberate tampering.

Replacing MD5 with SHA-256 in the example below fixes the algorithm weakness but not the design weakness: an unsalted, fast digest lets an attacker test billions of password guesses per second on a GPU and reuse precomputed tables across users. Passwords need a salted, deliberately slow key derivation function (see Remediation).

The finding names the enclosing function because the same call outside a security-sensitive context (de-duplication, cache keys, detecting accidental transmission errors) is not a vulnerability.
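The CRC32 claim above is easy to demonstrate. The following is an added worked example, not code from the rule's documentation or from any project: it appends four bytes to an attacker-modified message so that zlib's CRC-32 of the tampered message equals the CRC-32 of the original. Python is used here (and in the later example) because only the standard library is needed; the technique is independent of the C code the detector scans. The message contents are constructed for the example.

```python
"""CRC-32 gives no integrity against an adversary: for any message and any
target checksum, four appended bytes are enough to hit the target exactly.
Added example; messages below are constructed, not taken from any system."""
import zlib

_POLY = 0xEDB88320  # reflected CRC-32 (IEEE 802.3) polynomial, as used by zlib


def _make_table():
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ _POLY if c & 1 else c >> 1
        table.append(c)
    return table


_TABLE = _make_table()
# The high bytes of the 256 table entries are all distinct (the map from
# byte to high byte is an invertible GF(2)-linear map), so a high byte
# identifies the table index that produced it. That is what makes the
# backward walk in forge_crc32_suffix possible.
_INDEX_BY_HIGH_BYTE = {entry >> 24: i for i, entry in enumerate(_TABLE)}
assert len(_INDEX_BY_HIGH_BYTE) == 256


def crc32(data: bytes) -> int:
    """Standard zlib CRC-32, exposed so callers can check results."""
    return zlib.crc32(data) & 0xFFFFFFFF


def forge_crc32_suffix(data: bytes, target: int) -> bytes:
    """Return four bytes s such that crc32(data + s) == target."""
    state = zlib.crc32(data) ^ 0xFFFFFFFF   # undo zlib's final XOR: raw register
    wanted = (target & 0xFFFFFFFF) ^ 0xFFFFFFFF

    # Each byte step is new = TABLE[idx] ^ (old >> 8), so the high byte of
    # `new` comes only from TABLE[idx]. Walking backwards from the wanted
    # register therefore recovers the four table indices, last step first,
    # and they do not depend on the starting register at all.
    indices = []
    reg = wanted
    for _ in range(4):
        idx = _INDEX_BY_HIGH_BYTE[reg >> 24]
        indices.append(idx)
        reg = ((reg ^ _TABLE[idx]) << 8) & 0xFFFFFFFF
    indices.reverse()

    # Walk forwards from the real register, choosing each byte so that the
    # table index at that step is the one recovered above.
    suffix = bytearray()
    for idx in indices:
        suffix.append(idx ^ (state & 0xFF))
        state = _TABLE[idx] ^ (state >> 8)
    return bytes(suffix)


def tamper_keeping_crc(original: bytes, modified: bytes) -> bytes:
    """Replace a CRC-32 'protected' message with a different one whose
    checksum is unchanged, so a CRC-based integrity check still passes."""
    return modified + forge_crc32_suffix(modified, crc32(original))


if __name__ == "__main__":
    original = b"transfer amount=100 to=alice"          # constructed sample
    forged = tamper_keeping_crc(original, b"transfer amount=999 to=mallory")
    print(forged, hex(crc32(original)), hex(crc32(forged)))
```

The same construction works for any appended position in the stream, not only the end, because the register state after the suffix is fully determined; a MAC or signature is the only way to make "the checksum still matches" mean anything against an attacker.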

The following code illustrates a vulnerable pattern detected by this rule:

#include <string.h>
#include <openssl/md5.h>   /* MD5(): libcrypto, deprecated since OpenSSL 3.0 */

/* out must have room for MD5_DIGEST_LENGTH (16) bytes */
void generate_password_hash(const char *password, unsigned char *out) {
    // VULNERABLE: Use of weak or non-cryptographic hash algorithm in security context
    MD5((const unsigned char *)password, strlen(password), out);
}

Remediation

Pick the primitive that matches the job; swapping in a stronger digest is not always the whole fix.

Data integrity where no attacker can alter the data (for example a download verified against a digest published over a separately trusted channel): SHA-256, SHA-512, SHA-3 or BLAKE2. With OpenSSL use the EVP interface (EVP_Digest, or EVP_DigestInit_ex / EVP_DigestUpdate / EVP_DigestFinal_ex with EVP_sha256()) rather than the deprecated one-shot MD5() and SHA1() helpers.

Integrity against an active attacker (messages, cookies, signed URLs, manifests the attacker can rewrite): a keyed MAC such as HMAC-SHA256 (OpenSSL HMAC(), or the EVP_MAC API in 3.0), or a digital signature. An unkeyed hash, however strong, can simply be recomputed by whoever modifies the data.

Passwords: never a bare digest, not even SHA-256. Use a salted, deliberately slow password hashing function: Argon2id (libsodium crypto_pwhash), scrypt (OpenSSL EVP_PBE_scrypt), bcrypt, or PBKDF2-HMAC-SHA256 (OpenSSL PKCS5_PBKDF2_HMAC) with a per-user random salt and a high iteration count. Compare stored and computed values with a constant-time function such as CRYPTO_memcmp, not memcmp or strcmp.

Non-security uses (checksums for accidental corruption, hash-table keys, content-addressed caches with no adversary) may keep CRC32 or xxHash; move that code out of the security-sensitive function and document why it is out of scope.

Migration note: HMAC-MD5 and HMAC-SHA1 are not broken by the known collision attacks, but they are deprecated in most standards. Schedule their replacement, and give priority to any use of MD5 or SHA-1 in signatures, certificates or password storage.
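The following is an added hardened counterpart to the MD5 example, not the rule's or any project's code, written in Python so it runs with only the standard library hashlib and hmac modules. The C equivalents with OpenSSL are EVP_Digest for the SHA-256 digest, HMAC() for the MAC and PKCS5_PBKDF2_HMAC for the password hash. The iteration count, salt length and stored-record format are assumptions made for this example.

```python
"""Hardened replacements for the flagged MD5 password hash, grouped by purpose:
an integrity digest, a keyed MAC, and a salted slow password hash.
Added example; parameters and record format are assumptions, not page content."""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000   # assumed default; OWASP 2023 guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16               # assumed salt length
DK_LEN = 32                   # derived key length in bytes
SCHEME = "pbkdf2_sha256"      # assumed record tag


def unsalted_md5_hex(password: str) -> str:
    """The flagged pattern, kept only for contrast: every user with the same
    password gets the same record, so one precomputed table cracks them all."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def sha256_hex(data: bytes) -> str:
    """Integrity digest for data an attacker cannot alter (e.g. a download
    checked against a digest published over a trusted channel)."""
    return hashlib.sha256(data).hexdigest()


def hmac_sha256(key: bytes, data: bytes) -> bytes:
    """Integrity and authenticity against an active attacker: a bare digest
    can be recomputed by whoever changes the data; a keyed MAC cannot."""
    return hmac.new(key, data, hashlib.sha256).digest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, deliberately slow password hash. The record is self-describing
    so the iteration count can be raised later without breaking old records."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, DK_LEN)
    return "{}${}${}${}".format(SCHEME, iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count from the record and compare
    in constant time. Malformed or foreign records verify as False."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
    except ValueError:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record),
          verify_password("Tr0ub4dor&3", record))
    print(unsalted_md5_hex("hunter2") == unsalted_md5_hex("hunter2"))  # same for every user
```

Two design points carry over to the C version: the record must store the salt and the cost parameter next to the hash so that verification is self-contained and the cost can grow, and the comparison must be constant-time (CRYPTO_memcmp in OpenSSL) so that a byte-by-byte early exit does not leak how much of the hash matched.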

Configuration

This detector does not need any configuration.