Uploaded image for project: 'SonarPython'
  1. SonarPython
  2. SONARPY-828

Rule S3329: Cipher Block Chaining IV's should be random and unique

    XMLWordPrintable

    Details

    • Type: New Feature
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.3
    • Component/s: Rules
    • Labels:

      Description

      This rule raises issues if the IV for CBC mode is hard-coded when encrypting data.

      PyCryptodome

      For PyCryptodome the IV has to be checked in the following method calls (the second argument has to be AES.MODE_CBC):

      • Crypto.Cipher.AES.new(..., AES.MODE_CBC, iv)
      • Crypto.Cipher.ARC2.new(..., AES.MODE_CBC, iv)
      • Crypto.Cipher.Blowfish.new(..., AES.MODE_CBC, iv)
      • Crypto.Cipher.CAST.new(..., AES.MODE_CBC, iv)
      • Crypto.Cipher.DES.new(..., AES.MODE_CBC, iv)
      • Crypto.Cipher.DES3.new(..., AES.MODE_CBC, iv)

      This functions return an object. An issue should only be raised if encrypt() is called on the object. The new() line should be raised as secondary location, since the IV is set there.

      cryptography

      For cryptography the IV has to be checked in the following method calls:

      • cryptography.hazmat.primitives.ciphers.modes.CBC(iv)

      This function is used as second parameter in the constructor of cryptography.hazmat.primitives.ciphers.Cipher. An issue should only be raised if encryptor() is called on the object. The CBC() line should be raised as secondary location, since the IV is set there.

      Code samples: https://github.com/SonarSource/security-expected-issues/tree/S3329_python/python/rules/vulnerabilities/RSPEC-3329

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              guillaume.dequenne Guillaume Dequenne
              Reporter:
              hendrik.buchwald Hendrik Buchwald
              Votes:
              0 Vote for this issue
              Watchers:
              2 Start watching this issue

                Dates

                Due:
                Created:
                Updated:
                Resolved: