
Rule S5547: Cipher algorithms should be robust

    Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: C, C++
    • Labels:
      None

      Description

      The goal of this rule is to detect the use of weak cipher algorithms.
      It covers the Botan, Crypto++ and OpenSSL libraries.

      S5547 is a new rule replacing S2278
      Old ticket (won't fix now): https://jira.sonarsource.com/browse/CPP-2022

      Botan

      Detection logic
      Look for the following functions:

      • Botan::BlockCipher::create
      • Botan::BlockCipher::create_or_throw
      • Botan::StreamCipher::create
      • Botan::StreamCipher::create_or_throw
      • Botan::Cipher_Mode::create
      • Botan::Cipher_Mode::create_or_throw
      • Botan::get_cipher_mode

      When one of these functions is called, raise an issue if its first parameter (a string) starts with one of:

      • Blowfish
      • DES
      • 3DES
      • DESX
      • CAST-128
      • GOST-28147-89
      • IDEA
      • KASUMI
      • MISTY1
      • XTEA

      Code examples
      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/wip/rules/vulnerabilities/RSPEC-5547/botan/examples.cpp

      Crypto++

      Detection logic

      Raise an issue when one of the following namespaces or classes is used:

      • CryptoPP::ARC4
      • CryptoPP::MARC4
      • CryptoPP::Weak{0-9}* (Weak1, Weak2, etc.)
      • CryptoPP::BlowfishEncryption
      • CryptoPP::BlowfishDecryption
      • CryptoPP::GOST
      • CryptoPP::GOSTEncryption
      • CryptoPP::GOSTDecryption
      • CryptoPP::IDEA
      • CryptoPP::IDEAEncryption
      • CryptoPP::IDEADecryption
      • CryptoPP::TEA
      • CryptoPP::TEAEncryption
      • CryptoPP::TEADecryption
      • CryptoPP::BTEA
      • CryptoPP::XTEA
      • CryptoPP::DES
      • CryptoPP::DESEncryption
      • CryptoPP::DESDecryption
      • CryptoPP::DES_EDE2
      • CryptoPP::DES_EDE2_Encryption
      • CryptoPP::DES_EDE2_Decryption
      • CryptoPP::DES_EDE3
      • CryptoPP::DES_EDE3_Encryption
      • CryptoPP::DES_EDE3_Decryption
      • CryptoPP::DES_XEX3
      • CryptoPP::DES_XEX3_Encryption
      • CryptoPP::DES_XEX3_Decryption
      • CryptoPP::RC2
      • CryptoPP::RC2Encryption
      • CryptoPP::RC2Decryption

      Code examples
      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/wip/rules/vulnerabilities/RSPEC-5547/crypto++/examples.cpp

      OpenSSL

      Detection logic
      Look for the following functions:

      • EVP_bf
      • EVP_cast5
      • EVP_des
      • EVP_idea
      • EVP_rc4
      • EVP_rc2

      Raise an issue when one of them is called.

      Code examples
      https://github.com/SonarSource/security-expected-issues/tree/master/cc%2B%2B/wip/rules/vulnerabilities/RSPEC-5547/openssl/examples.cpp
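      A small prototype of the three detection rules above, run over a constructed C++ fragment. This is an added example, not SonarSource's checker or the linked example files; the regexes and the scan() helper are assumptions, the Crypto++ Weak{0-9}* entry is read as the regex Weak[0-9]*, and the OpenSSL names are treated as prefixes (so EVP_des covers EVP_des_ede3_cbc()).

```python
import re
# Botan factories whose first (string) argument names the primitive, as listed in the spec.
BOTAN_FACTORY = (r"Botan::(?:BlockCipher|StreamCipher|Cipher_Mode)::create(?:_or_throw)?"
                 r"|Botan::get_cipher_mode")
BOTAN_CALL = re.compile(rf'({BOTAN_FACTORY})\s*\(\s*"([^"]*)"')
BOTAN_WEAK_PREFIXES = ("Blowfish", "DES", "3DES", "DESX", "CAST-128",
                       "GOST-28147-89", "IDEA", "KASUMI", "MISTY1", "XTEA")

# Crypto++ classes/namespaces from the spec; Weak{0-9}* becomes Weak[0-9]* (assumption).
# Longer alternatives come first so "TEA" cannot swallow "TEAEncryption".
CRYPTOPP_WEAK = re.compile(
    r"\bCryptoPP::(ARC4|MARC4|Weak[0-9]*|Blowfish(?:En|De)cryption"
    r"|GOST(?:En|De)cryption|GOST|IDEA(?:En|De)cryption|IDEA"
    r"|TEA(?:En|De)cryption|TEA|BTEA|XTEA"
    r"|DES_(?:EDE2|EDE3|XEX3)(?:_(?:En|De)cryption)?|DES(?:En|De)cryption|DES"
    r"|RC2(?:En|De)cryption|RC2)\b")

# OpenSSL: the spec names are treated as prefixes (assumption), so EVP_des matches EVP_des_ede3_cbc().
OPENSSL_WEAK = re.compile(r"\b(EVP_(?:bf|cast5|des|idea|rc4|rc2)\w*)\s*\(")


def scan(source: str) -> list[tuple[int, str, str]]:
    """Return (line, library, offending name) for every weak-cipher use found."""
    issues = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in BOTAN_CALL.finditer(line):
            if m.group(2).startswith(BOTAN_WEAK_PREFIXES):
                issues.append((lineno, "botan", m.group(2)))
        for m in CRYPTOPP_WEAK.finditer(line):
            issues.append((lineno, "crypto++", "CryptoPP::" + m.group(1)))
        for m in OPENSSL_WEAK.finditer(line):
            issues.append((lineno, "openssl", m.group(1)))
    return issues


# Constructed C++ fragment mixing weak and robust calls (not from the ticket's example files).
SAMPLE_SOURCE = """\
auto m1 = Botan::Cipher_Mode::create("DES/CBC/PKCS7", Botan::ENCRYPTION);  // weak
auto m2 = Botan::Cipher_Mode::create("AES-256/GCM", Botan::ENCRYPTION);    // robust
auto bc = Botan::BlockCipher::create_or_throw("Blowfish");                 // weak
CryptoPP::CBC_Mode<CryptoPP::DES_EDE3>::Encryption e3;                     // weak
CryptoPP::Weak::ARC4 rc4;                                                  // weak
CryptoPP::GCM<CryptoPP::AES>::Encryption gcm;                              // robust
EVP_EncryptInit_ex(ctx, EVP_des_ede3_cbc(), NULL, key, iv);                // weak
EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, key, iv);                 // robust
"""

if __name__ == "__main__":
    for lineno, lib, name in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: [{lib}] weak cipher: {name}")
```

      Only the five lines marked weak are reported; the AES calls in all three libraries pass, which is the behaviour the rule's allow/deny split intends.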

      People

      • Assignee: Unassigned
      • Reporter: Eric Therond (eric.therond)