MISC.CRYPTO.NOPAD : Encryption without Padding

JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

If you access the manual through the hub's Web GUI, the functionality will not be suppressed because the hub is a web server.
Alternatively, your browser may allow you to explicitly disable the security setting that suppresses functionality. See the CodeSonar FAQ for more information.

RSA encryption or decryption is carried out without Optimal Asymmetric Encryption Padding (OAEP).

Class Name

Encryption without Padding

Significance

security

Mnemonic

MISC.CRYPTO.NOPAD

Categories

CWE	CWE:325	Missing Cryptographic Step
	CWE:331	Insufficient Entropy
	CWE:780	Use of RSA Algorithm without OAEP
DISA-6r1	DISA-6r1:V-222396	The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
	DISA-6r1:V-222397	The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
	DISA-6r1:V-222589	The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
	DISA-6r1:V-222596	The application must protect the confidentiality and integrity of transmitted information.
DISA-5r3	DISA-5r3:V-69257	The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
	DISA-5r3:V-69259	The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
	DISA-5r3:V-70229	The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
	DISA-5r3:V-70245	The application must protect the confidentiality and integrity of transmitted information.
DISA-4r3	DISA-4r3:V-69257	The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
	DISA-4r3:V-69259	The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
	DISA-4r3:V-70229	The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
	DISA-4r3:V-70245	The application must protect the confidentiality and integrity of transmitted information.
DISA-3r10	DISA-3r10:V-6135	The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
	DISA-3r10:V-6136	The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
OWASP-2017	OWASP-2017:A3	Sensitive data exposure
	OWASP-2017:A6	Security misconfiguration
OWASP-2021	OWASP-2021:A2	Cryptographic failures
	OWASP-2021:A5	Security misconfiguration

Availability

Available for C and C++.

Enabling

Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file.

WARNING_FILTER += discard class="Encryption without Padding"

#include <stdlib.h>
#include <stdio.h>
#include "openssl/rsa.h"

int encrypt_and_send(unsigned char *cleartext, RSA *pubkey)
{
    int sz = RSA_size(pubkey);
    char *cyphertext = malloc(sz);
    int rv;
    if (!cyphertext) return -1;
    if (RSA_public_encrypt(sz, cleartext, cyphertext, pubkey, RSA_NO_PADDING) == -1)  /* Encryption Without Padding
                                                                                       * warning issued here */
    {
        free(cyphertext);
        return -1;
    }
    rv = send_to_server(cyphertext); 
    free(cyphertext);
    return rv;
}

CodeSonar ships with library models that allow it to recognize functions such as OpenSSL RSA_public_encrypt() and Win32 CryptEncrypt() that perform RSA encryption or decryption. If one of these functions is called with a value that leads to the operation being performed without padding in the relevant parameter position, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Encryption without Padding warnings.

The following configuration file parameters affect checks for this warning class.

MISC.CRYPTO.NOPAD : Encryption without Padding

Summary

Properties

Example

Triggers

Relevant Configuration File Parameters