C++: Add triple-DES to the bad algorithms list.

geoffw0 · geoffw0 · commit 930b9fe3e5e1 · 2021-05-17T15:51:17.000+01:00
diff --git a/cpp/ql/src/semmle/code/cpp/security/Encryption.qll b/cpp/ql/src/semmle/code/cpp/security/Encryption.qll
@@ -10,7 +10,8 @@ import cpp
 string getAnInsecureAlgorithmName() {
   result =
     [
-      "DES", "RC2", "RC4", "RC5", "ARCFOUR" // ARCFOUR is a variant of RC4
+      "DES", "RC2", "RC4", "RC5", "ARCFOUR", // ARCFOUR is a variant of RC4
+      "3DES", "DES3" // also appears separated, e.g. "TRIPLE-DES", which will be matched as "DES".
     ]
 }
 
@@ -53,12 +54,7 @@ string getInsecureAlgorithmRegex() {
  * insecure encyption algorithm.
  */
 bindingset[name]
-predicate isInsecureEncryption(string name) {
-  name.regexpMatch(getInsecureAlgorithmRegex()) and
-  // Check for evidence that an otherwise matching name may in fact not be
-  // related to insecure encrpytion, e.g. "Triple-DES" is not "DES".
-  not name.toUpperCase().regexpMatch(".*TRIPLE.*")
-}
+predicate isInsecureEncryption(string name) { name.regexpMatch(getInsecureAlgorithmRegex()) }
 
 /**
  * Holds if there is additional evidence that `name` looks like it might be
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected b/cpp/ql/test/query-tests/Security/CWE/CWE-327/BrokenCryptoAlgorithm.expected
@@ -10,11 +10,15 @@
 | test2.cpp:239:5:239:11 | call to encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:38:2:38:31 | ENCRYPT_WITH_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:39:2:39:31 | ENCRYPT_WITH_RC2(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:41:2:41:32 | ENCRYPT_WITH_3DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
+| test.cpp:42:2:42:38 | ENCRYPT_WITH_TRIPLE_DES(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:51:2:51:32 | DES_DO_ENCRYPTION(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:52:2:52:31 | RUN_DES_ENCODING(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:53:2:53:25 | DES_ENCODE(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:54:2:54:26 | DES_SET_KEY(data,amount) | This macro invocation specifies a broken or weak cryptographic algorithm. |
 | test.cpp:88:2:88:11 | call to encryptDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:89:2:89:11 | call to encryptRC2 | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:91:2:91:12 | call to encrypt3DES | This function call specifies a broken or weak cryptographic algorithm. |
+| test.cpp:92:2:92:17 | call to encryptTripleDES | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:101:2:101:15 | call to do_des_encrypt | This function call specifies a broken or weak cryptographic algorithm. |
 | test.cpp:102:2:102:12 | call to DES_Set_Key | This function call specifies a broken or weak cryptographic algorithm. |
diff --git a/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp b/cpp/ql/test/query-tests/Security/CWE/CWE-327/test.cpp
@@ -38,15 +38,15 @@ void test_macros(void *data, size_t amount, const char *str)
 	ENCRYPT_WITH_DES(data, amount); // BAD
 	ENCRYPT_WITH_RC2(data, amount); // BAD
 	ENCRYPT_WITH_AES(data, amount); // GOOD (good algorithm)
-	ENCRYPT_WITH_3DES(data, amount); // GOOD (good enough algorithm)
-	ENCRYPT_WITH_TRIPLE_DES(data, amount); // GOOD (good enough algorithm)
+	ENCRYPT_WITH_3DES(data, amount); // BAD
+	ENCRYPT_WITH_TRIPLE_DES(data, amount); // BAD
 	ENCRYPT_WITH_RC20(data, amount); // GOOD (if there ever is an RC20 algorithm, we have no reason to believe it's weak)
 	ENCRYPT_WITH_DES_REMOVED(data, amount); // GOOD (implementation has been deleted)
 
 	DESENCRYPT(data, amount); // BAD [NOT DETECTED]
 	RC2ENCRYPT(data, amount); // BAD [NOT DETECTED]
 	AESENCRYPT(data, amount); // GOOD (good algorithm)
-	DES3ENCRYPT(data, amount); // GOOD (good enough algorithm)
+	DES3ENCRYPT(data, amount); // BAD [NOT DETECTED]
 
 	DES_DO_ENCRYPTION(data, amount); // BAD
 	RUN_DES_ENCODING(data, amount); // BAD
@@ -88,13 +88,13 @@ void test_functions(void *data, size_t amount, const char *str)
 	encryptDES(data, amount); // BAD
 	encryptRC2(data, amount); // BAD
 	encryptAES(data, amount); // GOOD (good algorithm)
-	encrypt3DES(data, amount); // GOOD (good enough algorithm)
-	encryptTripleDES(data, amount); // GOOD (good enough algorithm)
+	encrypt3DES(data, amount); // BAD
+	encryptTripleDES(data, amount); // BAD
 
 	DESEncrypt(data, amount); // BAD
 	RC2Encrypt(data, amount); // BAD
 	AESEncrypt(data, amount); // GOOD (good algorithm)
-	DES3Encrypt(data, amount); // GOOD (good enough algorithm)
+	DES3Encrypt(data, amount); // BAD [NOT DETECTED]
 
 	DoDESEncryption(data, amount); // BAD [NOT DETECTED]
 	encryptDes(data, amount); // BAD [NOT DETECTED]
