Skip to content

Commit 963e028

Browse files
geoffw0geoffw0
authored
Merge pull request #20238 from geoffw0/scinit
Rust: Update StreamCipherInit to use getCanonicalPath.
2 parents ea8d766 + 401315c commit 963e028

File tree

4 files changed

+40
-40
lines changed

4 files changed

+40
-40
lines changed

rust/ql/lib/codeql/rust/frameworks/rustcrypto/RustCrypto.qll

Lines changed: 14 additions & 20 deletions
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,8 @@
55
private import rust
66
private import codeql.rust.Concepts
77
private import codeql.rust.dataflow.DataFlow
8+
private import codeql.rust.internal.TypeInference
9+
private import codeql.rust.internal.Type
810

911
bindingset[algorithmName]
1012
private string simplifyAlgorithmName(string algorithmName) {
@@ -21,28 +23,20 @@ class StreamCipherInit extends Cryptography::CryptographicOperation::Range {
2123

2224
StreamCipherInit() {
2325
// a call to `cipher::KeyInit::new`, `cipher::KeyInit::new_from_slice`,
24-
// `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices` or `rc2::Rc2::new_with_eff_key_len`.
25-
exists(PathExpr p, string rawAlgorithmName |
26-
this.asExpr().getExpr().(CallExpr).getFunction() = p and
27-
p.getResolvedCrateOrigin().matches("%/RustCrypto%") and
28-
p.getPath().getText() = ["new", "new_from_slice", "new_from_slices", "new_with_eff_key_len"] and
29-
(
30-
rawAlgorithmName = p.getPath().getQualifier().getText() or
26+
// `cipher::KeyIvInit::new`, `cipher::KeyIvInit::new_from_slices`, `rc2::Rc2::new_with_eff_key_len` or similar.
27+
exists(CallExprBase ce, string rawAlgorithmName |
28+
ce = this.asExpr().getExpr() and
29+
ce.getStaticTarget().getName().getText() =
30+
["new", "new_from_slice", "new_with_eff_key_len", "new_from_slices"] and
31+
// extract the algorithm name from the type of `ce` or its receiver.
32+
exists(Type t, TypePath tp |
33+
t = inferType([ce, ce.(MethodCallExpr).getReceiver()], tp) and
3134
rawAlgorithmName =
32-
p.getPath()
33-
.getQualifier()
34-
.getSegment()
35-
.getGenericArgList()
36-
.getGenericArg(0)
37-
.(TypeArg)
38-
.getTypeRepr()
39-
.(PathTypeRepr)
40-
.getPath()
41-
.getSegment()
42-
.getIdentifier()
43-
.getText()
35+
t.(StructType).asItemNode().(Addressable).getCanonicalPath().splitAt("::")
4436
) and
45-
algorithmName = simplifyAlgorithmName(rawAlgorithmName)
37+
algorithmName = simplifyAlgorithmName(rawAlgorithmName) and
38+
// only match a known cryptographic algorithm
39+
any(Cryptography::CryptographicAlgorithm alg).matchesName(algorithmName)
4640
)
4741
}
4842

rust/ql/test/query-tests/security/CWE-327/BrokenCryptoAlgorithm.expected

Lines changed: 17 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -2,20 +2,22 @@
22
| test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:23:27:23:60 | ...::new_from_slice(...) | The cryptographic algorithm RC4 |
33
| test_cipher.rs:26:27:26:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:26:27:26:48 | ...::new(...) | The cryptographic algorithm RC4 |
44
| test_cipher.rs:29:27:29:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:29:27:29:48 | ...::new(...) | The cryptographic algorithm RC4 |
5-
| test_cipher.rs:59:23:59:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:59:23:59:42 | ...::new(...) | The cryptographic algorithm DES |
6-
| test_cipher.rs:63:23:63:47 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:63:23:63:47 | ...::new(...) | The cryptographic algorithm DES |
7-
| test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:46 | ...::new_from_slice(...) | The cryptographic algorithm DES |
8-
| test_cipher.rs:71:23:71:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:42 | ...::new(...) | The cryptographic algorithm DES |
9-
| test_cipher.rs:75:27:75:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:27:75:46 | ...::new(...) | The cryptographic algorithm DES |
10-
| test_cipher.rs:80:24:80:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:80:24:80:48 | ...::new(...) | The cryptographic algorithm 3DES |
5+
| test_cipher.rs:59:29:59:45 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:59:29:59:45 | ...::new(...) | The cryptographic algorithm DES |
6+
| test_cipher.rs:63:23:63:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:63:23:63:42 | ...::new(...) | The cryptographic algorithm DES |
7+
| test_cipher.rs:67:23:67:47 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:67:23:67:47 | ...::new(...) | The cryptographic algorithm DES |
8+
| test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:71:23:71:46 | ...::new_from_slice(...) | The cryptographic algorithm DES |
9+
| test_cipher.rs:75:23:75:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:75:23:75:42 | ...::new(...) | The cryptographic algorithm DES |
10+
| test_cipher.rs:79:27:79:46 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:79:27:79:46 | ...::new(...) | The cryptographic algorithm DES |
1111
| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm 3DES |
12+
| test_cipher.rs:84:24:84:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:84:24:84:48 | ...::new(...) | The cryptographic algorithm DES |
1213
| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm 3DES |
13-
| test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES |
14-
| test_cipher.rs:97:23:97:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:97:23:97:42 | ...::new(...) | The cryptographic algorithm RC2 |
15-
| test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:46 | ...::new_from_slice(...) | The cryptographic algorithm RC2 |
16-
| test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 |
17-
| test_cipher.rs:110:23:110:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:110:23:110:50 | ...::new(...) | The cryptographic algorithm RC5 |
18-
| test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 |
19-
| test_cipher.rs:132:23:132:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:132:23:132:76 | ...::new(...) | The cryptographic algorithm DES |
20-
| test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:138:23:138:76 | ...::new_from_slices(...) | The cryptographic algorithm DES |
21-
| test_cipher.rs:141:23:141:76 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:141:23:141:76 | ...::new(...) | The cryptographic algorithm DES |
14+
| test_cipher.rs:88:24:88:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:88:24:88:48 | ...::new(...) | The cryptographic algorithm DES |
15+
| test_cipher.rs:92:24:92:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:48 | ...::new(...) | The cryptographic algorithm 3DES |
16+
| test_cipher.rs:92:24:92:48 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:92:24:92:48 | ...::new(...) | The cryptographic algorithm DES |
17+
| test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm 3DES |
18+
| test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:96:24:96:52 | ...::new_from_slice(...) | The cryptographic algorithm DES |
19+
| test_cipher.rs:101:23:101:42 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:101:23:101:42 | ...::new(...) | The cryptographic algorithm RC2 |
20+
| test_cipher.rs:105:23:105:46 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:105:23:105:46 | ...::new_from_slice(...) | The cryptographic algorithm RC2 |
21+
| test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:109:23:109:56 | ...::new_with_eff_key_len(...) | The cryptographic algorithm RC2 |
22+
| test_cipher.rs:114:23:114:50 | ...::new(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:114:23:114:50 | ...::new(...) | The cryptographic algorithm RC5 |
23+
| test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | $@ is broken or weak, and should not be used. | test_cipher.rs:118:23:118:55 | ...::new_from_slice(...) | The cryptographic algorithm RC5 |

rust/ql/test/query-tests/security/CWE-327/CONSISTENCY/PathResolutionConsistency.expected

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,4 +4,4 @@ multipleCallTargets
44
| test_cipher.rs:29:27:29:48 | ...::new(...) |
55
| test_cipher.rs:36:30:36:59 | ...::new(...) |
66
| test_cipher.rs:39:30:39:63 | ...::new(...) |
7-
| test_cipher.rs:110:23:110:50 | ...::new(...) |
7+
| test_cipher.rs:114:23:114:50 | ...::new(...) |

rust/ql/test/query-tests/security/CWE-327/test_cipher.rs

Lines changed: 8 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -42,7 +42,7 @@ fn test_stream_cipher(
4242

4343
fn test_block_cipher(
4444
key: &[u8], key128: &[u8;16], key192: &[u8;24], key256: &[u8;32],
45-
data: &mut [u8], input: &[u8], block128: &mut [u8;16]
45+
data: &mut [u8], input: &[u8], block128: &mut [u8;16], des_key : &cipher::Key<Des>
4646
) {
4747
// aes
4848
let aes_cipher1 = Aes128::new(key128.into());
@@ -56,6 +56,10 @@ fn test_block_cipher(
5656
aes_cipher3.decrypt_block(block128.into());
5757

5858
// des (broken)
59+
let des_cipher0 : Des = Des::new(des_key); // $ Alert[rust/weak-cryptographic-algorithm]
60+
des_cipher0.encrypt_block(data.into());
61+
des_cipher0.decrypt_block(data.into());
62+
5963
let des_cipher1 = Des::new(key.into()); // $ Alert[rust/weak-cryptographic-algorithm]
6064
des_cipher1.encrypt_block(data.into());
6165
des_cipher1.decrypt_block(data.into());
@@ -129,15 +133,15 @@ fn test_cbc(
129133
_ = aes_cipher1.encrypt_padded_mut::<aes::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
130134

131135
// des (broken)
132-
let des_cipher1 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm]
136+
let des_cipher1 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
133137
_ = des_cipher1.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
134138

135139
let des_cipher2 = MyDesEncryptor::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
136140
_ = des_cipher2.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
137141

138-
let des_cipher3 = cbc::Encryptor::<des::Des>::new_from_slices(&key, &iv).unwrap(); // $ Alert[rust/weak-cryptographic-algorithm]
142+
let des_cipher3 = cbc::Encryptor::<des::Des>::new_from_slices(&key, &iv).unwrap(); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
139143
_ = des_cipher3.encrypt_padded_mut::<des::cipher::block_padding::Pkcs7>(data, data_len).unwrap();
140144

141-
let des_cipher4 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ Alert[rust/weak-cryptographic-algorithm]
145+
let des_cipher4 = cbc::Encryptor::<des::Des>::new(key.into(), iv.into()); // $ MISSING: Alert[rust/weak-cryptographic-algorithm]
142146
_ = des_cipher4.encrypt_padded_b2b_mut::<des::cipher::block_padding::Pkcs7>(input, data).unwrap();
143147
}

0 commit comments

Comments
 (0)