hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 11:15:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

C++: Add triple-DES to the bad algorithms list.

Browse Source
This commit is contained in:
Geoffrey White
2021-05-17 15:46:41 +01:00
parent 57354def9e
commit 930b9fe3e5
3 changed files with 13 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
cpp/ql/src/semmle/code/cpp/security/Encryption.qll
View File

@@ -10,7 +10,8 @@ import cpp
string getAnInsecureAlgorithmName() {
result =
[
"DES", "RC2", "RC4", "RC5", "ARCFOUR" // ARCFOUR is a variant of RC4
"DES", "RC2", "RC4", "RC5", "ARCFOUR", // ARCFOUR is a variant of RC4
"3DES", "DES3" // also appears separated, e.g. "TRIPLE-DES", which will be matched as "DES".
]
}
@@ -53,12 +54,7 @@ string getInsecureAlgorithmRegex() {
* insecure encyption algorithm.
*/
bindingset[name]
predicate isInsecureEncryption(string name) {
name.regexpMatch(getInsecureAlgorithmRegex()) and
// Check for evidence that an otherwise matching name may in fact not be
// related to insecure encrpytion, e.g. "Triple-DES" is not "DES".
not name.toUpperCase().regexpMatch(".*TRIPLE.*")
}
predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgorithmRegex()) }
/**
* Holds if there is additional evidence that `name` looks like it might be

4
cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
View File

@@ -10,11 +10,15 @@
| test2.cpp:239:5:239:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
| test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
| test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |

12
cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
View File

@@ -38,15 +38,15 @@ void test_macros(void *data, size_t amount, const char *str)
ENCRYPT_WITH_DES(data, amount); // BAD
ENCRYPT_WITH_RC2(data, amount); // BAD
ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm)
ENCRYPT_WITH_3DES(data, amount); // BAD
ENCRYPT_WITH_TRIPLE_DES(data, amount); // BAD
ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
DESENCRYPT(data, amount); // BAD [NOT DETECTED]
RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]
AESENCRYPT(data, amount); // GOOD (good algorithm)
DES3ENCRYPT(data, amount); // GOOD (good enough algorithm)
DES3ENCRYPT(data, amount); // BAD [NOT DETECTED]
DES_DO_ENCRYPTION(data, amount); // BAD
RUN_DES_ENCODING(data, amount); // BAD
@@ -88,13 +88,13 @@ void test_functions(void *data, size_t amount, const char *str)
encryptDES(data, amount); // BAD
encryptRC2(data, amount); // BAD
encryptAES(data, amount); // GOOD (good algorithm)
encrypt3DES(data, amount); // GOOD (good enough algorithm)
encryptTripleDES(data, amount); // GOOD (good enough algorithm)
encrypt3DES(data, amount); // BAD
encryptTripleDES(data, amount); // BAD
DESEncrypt(data, amount); // BAD
RC2Encrypt(data, amount); // BAD
AESEncrypt(data, amount); // GOOD (good algorithm)
DES3Encrypt(data, amount); // GOOD (good enough algorithm)
DES3Encrypt(data, amount); // BAD [NOT DETECTED]
DoDESEncryption(data, amount); // BAD [NOT DETECTED]
encryptDes(data, amount); // BAD [NOT DETECTED]