Rust: Add placeholder query and tests for 'cipher' module.

geoffw0 · geoffw0 · commit bdb2f3d091d6 · 2024-12-05T13:38:57.000Z
diff --git a/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql b/rust/ql/src/queries/security/CWE-327/BrokenCryptoAlgorithm.ql
@@ -0,0 +1,17 @@
+/**
+ * @name Use of a broken or weak cryptographic algorithm
+ * @description Using broken or weak cryptographic algorithms can compromise security.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id rust/weak-cryptographic-algorithm
+ * @tags security
+ *       external/cwe/cwe-327
+ */
+
+import rust
+
+from int i
+where none()
+select i
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected
diff --git a/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref b/rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.qlref
@@ -0,0 +1,2 @@
+query: queries/security/CWE-327/BrokenCryptoAlgorithm.ql
+postprocess: utils/InlineExpectationsTestQuery.ql
diff --git a/rust/ql/test/query-tests/security/CWE-327/options.yml b/rust/ql/test/query-tests/security/CWE-327/options.yml
@@ -0,0 +1,9 @@
+qltest_cargo_check: true
+qltest_dependencies:
+    - cipher = { version = "0.4.4" }
+    - rc4 = { version = "0.1.0" }
+    - rabbit = { version = "0.4.1" }
+    - aes = { version = "0.8.4" }
+    - des = { version = "0.8.1" }
+    - rc2 = { version = "0.8.1" }
+    - rc5 = { version = "0.0.1" }
diff --git a/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs b/rust/ql/test/query-tests/security/CWE-327/test_cipher.rs
@@ -0,0 +1,117 @@
+
+use cipher::{consts::*, StreamCipher, KeyInit, KeyIvInit, BlockEncrypt, BlockDecrypt, BlockEncryptMut, BlockDecryptMut};
+use rc4::{Rc4};
+use rabbit::{Rabbit, RabbitKeyOnly};
+use aes::{Aes128, Aes192Enc, Aes256Dec};
+use des::{Des, TdesEde2, TdesEde3, TdesEee2, TdesEee3};
+use rc2::{Rc2};
+use rc5::{RC5_16_16_8, RC5_32_16_16};
+
+// --- tests ---
+
+fn test_stream_cipher(
+    key128: &[u8;16], iv128: &[u8;16], plaintext: &str
+) {
+    let mut data = plaintext.as_bytes().to_vec();
+
+    // rc4 (broken)
+    let rc4_key = rc4::Key::<U16>::from_slice(key128);
+
+    let mut rc4_cipher1 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc4_cipher1.apply_keystream(&mut data);
+
+    let mut rc4_cipher2 = Rc4::<U16>::new_from_slice(key128).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc4_cipher2.apply_keystream(&mut data);
+
+    let mut rc4_cipher3 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    let _ = rc4_cipher3.try_apply_keystream(&mut data);
+
+    let mut rc4_cipher4 = Rc4::<_>::new(rc4_key); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    let _ = rc4_cipher4.apply_keystream_b2b(plaintext.as_bytes(), &mut data);
+
+    // rabbit
+    let rabbit_key = rabbit::Key::from_slice(key128);
+    let rabbit_iv = rabbit::Iv::from_slice(iv128);
+
+    let mut rabbit_cipher1 = RabbitKeyOnly::new(rabbit_key);
+    rabbit_cipher1.apply_keystream(&mut data);
+
+    let mut rabbit_cipher2 = Rabbit::new(rabbit_key, rabbit_iv);
+    rabbit_cipher2.apply_keystream(&mut data);
+}
+
+fn test_block_cipher(
+    key: &[u8], key128: &[u8;16], key192: &[u8;24], key256: &[u8;32],
+    data: &mut [u8], input: &[u8], block128: &mut [u8;16]
+) {
+    // aes
+    let aes_cipher1 = Aes128::new(key128.into());
+    aes_cipher1.encrypt_block(block128.into());
+    aes_cipher1.decrypt_block(block128.into());
+
+    let aes_cipher2 = Aes192Enc::new_from_slice(key192).unwrap();
+    aes_cipher2.encrypt_block(block128.into());
+
+    let aes_cipher3 = Aes256Dec::new(key256.into());
+    aes_cipher3.decrypt_block(block128.into());
+
+    // des (broken)
+    let des_cipher1 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    des_cipher1.encrypt_block(data.into());
+    des_cipher1.decrypt_block(data.into());
+
+    let des_cipher2 = des::Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    des_cipher2.encrypt_block(data.into());
+    des_cipher2.decrypt_block(data.into());
+
+    let des_cipher3 = Des::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    des_cipher3.encrypt_block(data.into());
+    des_cipher3.decrypt_block(data.into());
+
+    let des_cipher4 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    des_cipher4.encrypt_block_b2b(input.into(), data.into());
+    des_cipher4.decrypt_block_b2b(input.into(), data.into());
+
+    let mut des_cipher5 = Des::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    des_cipher5.encrypt_block_mut(data.into());
+    des_cipher5.decrypt_block_mut(data.into());
+
+    // triple des (broken)
+    let tdes_cipher1 = TdesEde2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    tdes_cipher1.encrypt_block(data.into());
+    tdes_cipher1.decrypt_block(data.into());
+
+    let tdes_cipher2 = TdesEde3::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    tdes_cipher2.encrypt_block(data.into());
+    tdes_cipher2.decrypt_block(data.into());
+
+    let tdes_cipher3 = TdesEee2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    tdes_cipher3.encrypt_block(data.into());
+    tdes_cipher3.decrypt_block(data.into());
+
+    let tdes_cipher4 = TdesEee3::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    tdes_cipher4.encrypt_block(data.into());
+    tdes_cipher4.decrypt_block(data.into());
+
+    // rc2 (broken)
+    let rc2_cipher1 = Rc2::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc2_cipher1.encrypt_block(data.into());
+    rc2_cipher1.decrypt_block(data.into());
+
+    let rc2_cipher2 = Rc2::new_from_slice(key).expect("fail"); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc2_cipher2.encrypt_block(data.into());
+    rc2_cipher2.decrypt_block(data.into());
+
+    let rc2_cipher3 = Rc2::new_with_eff_key_len(key, 64); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc2_cipher3.encrypt_block(data.into());
+    rc2_cipher3.decrypt_block(data.into());
+
+    // rc5 (broken)
+    let rc5_cipher1 = RC5_16_16_8::new(key.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc5_cipher1.encrypt_block(data.into());
+    rc5_cipher1.decrypt_block(data.into());
+
+    let rc5_cipher2 = RC5_32_16_16::new_from_slice(key).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
+    rc5_cipher2.encrypt_block(data.into());
+    rc5_cipher2.decrypt_block(data.into());
+}

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+query: queries/security/CWE-327/BrokenCryptoAlgorithm.ql`
	`2`	`+postprocess: utils/InlineExpectationsTestQuery.ql`