C++: Add test cases involving strings and comparisons.

Author: geoffw0

cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected

@@ -13,6 +13,10 @@
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:304:5:304:19 | call to doDesEncryption | call to doDesEncryption |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:305:9:305:23 | call to doDesEncryption | call to doDesEncryption |
 | test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:321:2:321:57 | ALGO_DES | invocation of macro ALGO_DES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:336:24:336:42 | ENCRYPTION_DES_NAME | invocation of macro ENCRYPTION_DES_NAME |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:358:24:358:43 | call to getEncryptionNameDES | call to getEncryptionNameDES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:373:10:373:29 | call to getEncryptionNameDES | call to getEncryptionNameDES |
+| test2.cpp:49:4:49:24 | call to my_des_implementation | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test2.cpp:383:42:383:49 | ALGO_DES | invocation of macro ALGO_DES |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | invocation of macro ENCRYPT_WITH_DES |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | invocation of macro ENCRYPT_WITH_RC2 |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This file makes use of a broken or weak cryptographic algorithm (specified by $@). | test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | invocation of macro ENCRYPT_WITH_3DES |

cpp/ql/test/query-tests/Security/CWE/CWE-327/test2.cpp

@@ -323,3 +323,69 @@ void test_assert(int algo, algorithmInfo *algoInfo)
 	// ...
 }
 
+// --- string comparisons ---
+
+int strcmp(const char *s1, const char *s2);
+void abort(void);
+
+#define ENCRYPTION_DES_NAME "DES"
+#define ENCRYPTION_AES_NAME "AES"
+
+void test_string_comparisons1(const char *algo_name)
+{
+	if (strcmp(algo_name, ENCRYPTION_DES_NAME) == 0) // GOOD [FALSE POSITIVE]
+	{
+		abort();
+	}
+	if (strcmp(algo_name, ENCRYPTION_AES_NAME) == 0) // GOOD
+	{
+		// ...
+	}
+}
+
+const char *getEncryptionNameDES()
+{
+	return "DES";
+}
+
+const char *getEncryptionNameAES()
+{
+	return "AES";
+}
+
+void test_string_comparisons2(const char *algo_name)
+{
+	if (strcmp(algo_name, getEncryptionNameDES()) == 0) // GOOD [FALSE POSITIVE]
+	{
+		abort();
+	}
+	if (strcmp(algo_name, getEncryptionNameAES()) == 0) // GOOD
+	{
+		// ...
+	}
+}
+
+const char *getEncryptionName(int algo)
+{
+	switch (algo)
+	{
+	case ALGO_DES:
+		return getEncryptionNameDES(); // GOOD [FALSE POSITIVE]
+	case ALGO_AES:
+		return getEncryptionNameAES(); // GOOD
+	default:
+		abort();
+	}
+}
+
+void test_string_comparisons3(const char *algo_name)
+{
+	if (strcmp(algo_name, getEncryptionName(ALGO_DES)) == 0) // GOOD [FALSE POSITIVE]
+	{
+		abort();
+	}
+	if (strcmp(algo_name, getEncryptionName(ALGO_AES)) == 0) // GOOD
+	{
+		// ...
+	}
+}