From dd0fa791aa49bffe3fae5b57f92683396dbd916a Mon Sep 17 00:00:00 2001 From: Geoffrey White <40627776+geoffw0@users.noreply.github.com> Date: Thu, 5 Dec 2024 17:28:45 +0000 Subject: [PATCH] Rust: Add qhelp. --- .../CWE-327/BrokenCryptoAlgorithm.qhelp | 62 +++++++++++++++++++ .../CWE-327/BrokenCryptoAlgorithmBad.rs | 2 + .../CWE-327/BrokenCryptoAlgorithmGood.rs | 2 + 3 files changed, 66 insertions(+) create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs create mode 100644 rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp new file mode 100644 index 00000000000..f93c77e83f2 --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.qhelp @@ -0,0 +1,62 @@ + + + +

+ Using broken or weak cryptographic algorithms can leave data + vulnerable to being decrypted or forged by an attacker. +

+ +

+ Many cryptographic algorithms provided by cryptography + libraries are known to be weak, or flawed. Using such an + algorithm means that encrypted or hashed data is less + secure than it appears to be. +

+ +

+ This query alerts on any use of a weak cryptographic algorithm, that is + not a hashing algorithm. Use of broken or weak cryptographic hash + functions are handled by the + rust/weak-sensitive-data-hashing query. +

+ + + + +

+ Ensure that you use a strong, modern cryptographic + algorithm, such as AES-128 or RSA-2048. +

+ + + + +

+ The following code uses the des crate from the + RustCrypto family to encrypt some secret data. The + DES algorithm is old and considered very weak. +

+ + + +

+ Instead we should use a strong modern algorithm. In this + case we have selected the 256-bit version of the AES + algorithm. +

+ + + + + + +
  • NIST, FIPS 140 Annex a: Approved Security Functions.
    • +
  • NIST, SP 800-131A: Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths.
    • +
  • OWASP: Cryptographic Storage Cheat Sheet - Algorithms. +
    • +     + +     diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs new file mode 100644 index 00000000000..3e86462c62a --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmBad.rs @@ -0,0 +1,2 @@ +let des_cipher = cbc::Encryptor::::new(key.into(), iv.into()); // BAD: weak encryption +let encryption_result = des_cipher.encrypt_padded_mut::(data, data_len); diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs new file mode 100644 index 00000000000..6cafbc69bf7 --- /dev/null +++ b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithmGood.rs @@ -0,0 +1,2 @@ +let aes_cipher = cbc::Encryptor::::new(key.into(), iv.into()); // GOOD: strong encryption +let encryption_result = aes_cipher.encrypt_padded_mut::(data, data_len);