hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4255 from fatenhealy/IncreaseInsufficientKeySizeValue

Browse Source 
Increase insufficient key size value from 1024 to 2048
This commit is contained in:
Tamás Vajk
2020-09-22 23:06:12 +02:00
committed by GitHub
parent 475519c9ee a89d13a5ee
commit 5ab5e75b85
6 changed files with 18 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
change-notes/1.26/analysis-csharp.md
View File

@@ -12,7 +12,7 @@ The following changes in version 1.26 affect C# analysis in all applications.
| **Query** | **Expected impact** | **Change** | | **Query** | **Expected impact** | **Change** |
|------------------------------|------------------------|-----------------------------------| |------------------------------|------------------------|-----------------------------------|
| Weak encryption: Insufficient key size (`cs/insufficient-key-size`) | More results | The required key size has been increased from 1024 to 2048. |
## Removal of old queries ## Removal of old queries

8
csharp/ql/src/Security Features/InsufficientKeySize.cs
View File

@@ -11,7 +11,7 @@ namespace InsufficientKeySize
{ {
try try
{ {
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(512); // BAD RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(1024); // BAD
rsa.ImportParameters(key); rsa.ImportParameters(key);
return rsa.Encrypt(plaintext, true); return rsa.Encrypt(plaintext, true);
} }
@@ -27,7 +27,7 @@ namespace InsufficientKeySize
try try
{ {
RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); // BAD RSACryptoServiceProvider rsa = new RSACryptoServiceProvider(); // BAD
rsa = new RSACryptoServiceProvider(1024); // GOOD rsa = new RSACryptoServiceProvider(2048); // GOOD
rsa.ImportParameters(key); rsa.ImportParameters(key);
return rsa.Encrypt(plaintext, true); return rsa.Encrypt(plaintext, true);
} }
@@ -58,7 +58,7 @@ namespace InsufficientKeySize
try try
{ {
DSACryptoServiceProvider dsa = new DSACryptoServiceProvider(); // BAD DSACryptoServiceProvider dsa = new DSACryptoServiceProvider(); // BAD
dsa = new DSACryptoServiceProvider(1024); // GOOD dsa = new DSACryptoServiceProvider(2048); // GOOD
dsa.ImportParameters(key); dsa.ImportParameters(key);
return dsa.SignData(plaintext); return dsa.SignData(plaintext);
} }
@@ -121,7 +121,7 @@ namespace InsufficientKeySize
try try
{ {
// Create a new instance of DSACryptoServiceProvider. // Create a new instance of DSACryptoServiceProvider.
using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(1024)) // GOOD using (DSACryptoServiceProvider DSA = new DSACryptoServiceProvider(2048)) // GOOD
{ {
// Import the key information. // Import the key information.
DSA.ImportParameters(DSAKeyInfo); DSA.ImportParameters(DSAKeyInfo);

2
csharp/ql/src/Security Features/InsufficientKeySize.qhelp
View File

@@ -8,7 +8,7 @@ are vulnerable to brute force attack when too small a key size is used.</p>
</overview> </overview>
<recommendation> <recommendation>
<p>The key should be at least 1024-bit long when using RSA encryption, and 128-bit long when using <p>The key should be at least 2048-bit long when using RSA encryption, and 128-bit long when using
symmetric encryption.</p> symmetric encryption.</p>
</recommendation> </recommendation>

8
csharp/ql/src/Security Features/InsufficientKeySize.ql
View File

@@ -29,8 +29,8 @@ predicate incorrectUseOfDSA(ObjectCreation e, string msg) {
.getTarget() .getTarget()
.getDeclaringType() .getDeclaringType()
.hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and .hasQualifiedName("System.Security.Cryptography", "DSACryptoServiceProvider") and
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 1024) and exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
msg = "Key size should be at least 1024 bits for DSA encryption." msg = "Key size should be at least 2048 bits for DSA encryption."
} }
predicate incorrectUseOfRSA(ObjectCreation e, string msg) { predicate incorrectUseOfRSA(ObjectCreation e, string msg) {
@@ -38,8 +38,8 @@ predicate incorrectUseOfRSA(ObjectCreation e, string msg) {
.getTarget() .getTarget()
.getDeclaringType() .getDeclaringType()
.hasQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and .hasQualifiedName("System.Security.Cryptography", "RSACryptoServiceProvider") and
exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 1024) and exists(Expr i | e.getArgument(0) = i and i.getValue().toInt() < 2048) and
msg = "Key size should be at least 1024 bits for RSA encryption." msg = "Key size should be at least 2048 bits for RSA encryption."
} }
from Expr e, string msg from Expr e, string msg

12
csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.cs
View File

@@ -13,18 +13,18 @@ public class InsufficientKeySize
// GOOD: Key size is greater than 128 // GOOD: Key size is greater than 128
new RC2CryptoServiceProvider().EffectiveKeySize = 256; new RC2CryptoServiceProvider().EffectiveKeySize = 256;
// BAD: Key size is less than 1024. // BAD: Key size is less than 2048.
DSACryptoServiceProvider dsaBad = new DSACryptoServiceProvider(512); DSACryptoServiceProvider dsaBad = new DSACryptoServiceProvider(512);
// GOOD: Key size defaults to 1024. // GOOD: Key size defaults to 2048.
DSACryptoServiceProvider dsaGood1 = new DSACryptoServiceProvider(); DSACryptoServiceProvider dsaGood1 = new DSACryptoServiceProvider();
// GOOD: Key size is greater than 1024. // GOOD: Key size is greater than 2048.
DSACryptoServiceProvider dsaGood2 = new DSACryptoServiceProvider(2048); DSACryptoServiceProvider dsaGood2 = new DSACryptoServiceProvider(2048);
// BAD: Key size is less than 1024. // BAD: Key size is less than 2048.
RSACryptoServiceProvider rsaBad = new RSACryptoServiceProvider(512); RSACryptoServiceProvider rsaBad = new RSACryptoServiceProvider(512);
// GOOD: Key size defaults to 1024. // GOOD: Key size defaults to 2048.
RSACryptoServiceProvider rsaGood1 = new RSACryptoServiceProvider(); RSACryptoServiceProvider rsaGood1 = new RSACryptoServiceProvider();
// GOOD: Key size is greater than 1024. // GOOD: Key size is greater than 2048.
RSACryptoServiceProvider rsaGood2 = new RSACryptoServiceProvider(2048); RSACryptoServiceProvider rsaGood2 = new RSACryptoServiceProvider(2048);
} }
} }

4
csharp/ql/test/query-tests/Security Features/CWE-327/InsufficientKeySize/InsufficientKeySize.expected
View File

@@ -1,3 +1,3 @@
| InsufficientKeySize.cs:10:9:10:60 | ... = ... | Key size should be at least 128 bits for RC2 encryption. | | InsufficientKeySize.cs:10:9:10:60 | ... = ... | Key size should be at least 128 bits for RC2 encryption. |
| InsufficientKeySize.cs:17:43:17:75 | object creation of type DSACryptoServiceProvider | Key size should be at least 1024 bits for DSA encryption. | | InsufficientKeySize.cs:17:43:17:75 | object creation of type DSACryptoServiceProvider | Key size should be at least 2048 bits for DSA encryption. |
| InsufficientKeySize.cs:24:43:24:75 | object creation of type RSACryptoServiceProvider | Key size should be at least 1024 bits for RSA encryption. | | InsufficientKeySize.cs:24:43:24:75 | object creation of type RSACryptoServiceProvider | Key size should be at least 2048 bits for RSA encryption. |