C and C++ Binaries

MISC.CRYPTO.NOPAD : パディング無しの暗号化

要旨

RSA の暗号化もしくは復号化が Optimal Asymmetric Encryption Padding(OAEP)無しで実行されています。

プロパティ

クラス名 Encryption without Padding
日本語クラス名 パディング無しの暗号化
クラス分類 セキュリティ (security)
ニーモニック MISC.CRYPTO.NOPAD
カテゴリー
CWE CWE:325 Missing Cryptographic Step
  CWE:331 Insufficient Entropy
  CWE:780 Use of RSA Algorithm without OAEP
DISA-6r1 DISA-6r1:V-222396 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-6r1:V-222397 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-6r1:V-222589 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-6r1:V-222596 The application must protect the confidentiality and integrity of transmitted information.
DISA-5r3 DISA-5r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-5r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-5r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-5r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.
DISA-4r3 DISA-4r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-4r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-4r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-4r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.
DISA-3r10 DISA-3r10:V-6135 The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
  DISA-3r10:V-6136 The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
OWASP-2017 OWASP-2017:A3 Sensitive data exposure
  OWASP-2017:A6 Security misconfiguration
OWASP-2021 OWASP-2021:A2 Cryptographic failures
  OWASP-2021:A5 Security misconfiguration
対応言語 C および C++ で利用可能です。
有効/無効設定 このワーニングクラスのチェックはデフォルトで有効になっています。チェックを無効にするにはプロジェクト設定ファイル (configuration file)に以下の WARNING_FILTER ルールを追加してください。 
WARNING_FILTER += discard class="Encryption without Padding"


#include <stdlib.h>
#include <stdio.h>
#include "openssl/rsa.h"

int encrypt_and_send(unsigned char *cleartext, RSA *pubkey)
{
    int sz = RSA_size(pubkey);
    char *cyphertext = malloc(sz);
    int rv;
    if (!cyphertext) return -1;
    if (RSA_public_encrypt(sz, cleartext, cyphertext, pubkey, RSA_NO_PADDING) == -1)  /* Encryption Without Padding
                                                                                       * warning issued here */
    {
        free(cyphertext);
        return -1;
    }
    rv = send_to_server(cyphertext); 
    free(cyphertext);
    return rv;
}

ワーニングを引き起こす関数

CodeSonar ships with library models that allow it to functions such as OpenSSL RSA_public_encrypt() and Win32 CryptEncrypt() that perform RSA encryption or decryption. If one of these functions is called with a value that leads to the operation being performed without padding in the relevant parameter position, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Encryption without Padding warnings.

関連のある設定ファイルパラメータ

設定ファイルの以下のパラメータがこのワーニングクラスのチェックに影響します。