Merge pull request #9982 from joefarebrother/rsa-without-oaep

joefarebrother · web-flow · commit ac79866799bb · 2022-08-23T09:14:46.000+01:00
Java: Add query for RSA without OAEP
diff --git a/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll b/java/ql/lib/semmle/code/java/security/RsaWithoutOaepQuery.qll
@@ -0,0 +1,23 @@
+/** Definitions for the RSA without OAEP query */
+
+import java
+import Encryption
+import semmle.code.java.dataflow.DataFlow
+
+/** A configuration for finding RSA ciphers initialized without using OAEP padding. */
+class RsaWithoutOaepConfig extends DataFlow::Configuration {
+  RsaWithoutOaepConfig() { this = "RsaWithoutOaepConfig" }
+
+  override predicate isSource(DataFlow::Node src) {
+    exists(CompileTimeConstantExpr specExpr, string spec |
+      specExpr.getStringValue() = spec and
+      specExpr = src.asExpr() and
+      spec.matches("RSA/%") and
+      not spec.matches("%OAEP%")
+    )
+  }
+
+  override predicate isSink(DataFlow::Node sink) {
+    exists(CryptoAlgoSpec cr | sink.asExpr() = cr.getAlgoSpec())
+  }
+}
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.java
@@ -0,0 +1,7 @@
+// BAD: No padding scheme is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/NoPadding");
+...
+
+//GOOD: OAEP padding is used
+Cipher rsa = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding");
+...
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.qhelp
@@ -0,0 +1,27 @@
+<!DOCTYPE qhelp PUBLIC "-//Semmle//qhelp//EN" "qhelp.dtd">
+<qhelp>
+
+  <overview>
+    <p>Cryptographic algorithms often use padding schemes to make the plaintext less predictable. The OAEP (Optimal Asymmetric Encryption Padding) scheme should be used with RSA encryption.
+    Using an outdated padding scheme such as PKCS1, or no padding at all, can weaken the encryption by making it vulnerable to a padding oracle attack.
+    </p>
+  </overview>
+
+  <recommendation>
+    <p>Use the OAEP scheme when using RSA encryption.</p>
+  </recommendation>
+
+  <example>
+    <p>In the following example, the BAD case shows no padding being used, whereas the GOOD case shows an OAEP scheme being used.</p>
+    <sample src="RsaWithoutOaep.java" />
+  </example>
+
+  <references>
+    <li>
+      <a href="https://github.com/MobSF/owasp-mstg/blob/master/Document/0x04g-Testing-Cryptography.md#padding-oracle-attacks-due-to-weaker-padding-or-block-operation-implementations">Mobile Security Testing Guide</a>.
+    </li>
+    <li>
+      <a href="https://robertheaton.com/2013/07/29/padding-oracle-attack/">The Padding Oracle Attack</a>.
+    </li>
+  </references>
+</qhelp>
diff --git a/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql b/java/ql/src/Security/CWE/CWE-780/RsaWithoutOaep.ql
@@ -0,0 +1,20 @@
+/**
+ * @name Use of RSA algorithm without OAEP
+ * @description Using RSA encryption without OAEP padding can result in a padding oracle attack, leading to a weaker encryption.
+ * @kind path-problem
+ * @problem.severity warning
+ * @security-severity 7.5
+ * @precision high
+ * @id java/rsa-without-oaep
+ * @tags security
+ *       external/cwe/cwe-780
+ */
+
+import java
+import semmle.code.java.security.RsaWithoutOaepQuery
+import DataFlow::PathGraph
+
+from RsaWithoutOaepConfig conf, DataFlow::PathNode source, DataFlow::PathNode sink
+where conf.hasFlowPath(source, sink)
+select source, source, sink,
+  "This specification is used to initialize an RSA cipher without OAEP padding $@.", sink, "here"
diff --git a/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md b/java/ql/src/change-notes/2022-08-05-rsa-without-oaep.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.
diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.expected
diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.java
@@ -0,0 +1,17 @@
+import javax.crypto.Cipher;
+
+class RsaWithoutOaep {
+    public void test() throws Exception {
+        Cipher rsaBad = Cipher.getInstance("RSA/ECB/NoPadding"); // $hasTaintFlow
+
+        Cipher rsaGood = Cipher.getInstance("RSA/ECB/OAEPWithSHA-1AndMGF1Padding"); 
+    }
+
+    public Cipher getCipher(String spec) throws Exception {
+        return Cipher.getInstance(spec); // $hasTaintFlow
+    }
+
+    public void test2() throws Exception {
+        Cipher rsa = getCipher("RSA/ECB/NoPadding");
+    }
+}
diff --git a/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql b/java/ql/test/query-tests/security/CWE-780/RsaWithoutOaepTest.ql
@@ -0,0 +1,10 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import TestUtilities.InlineFlowTest
+import semmle.code.java.security.RsaWithoutOaepQuery
+
+class HasFlowTest extends InlineFlowTest {
+  override DataFlow::Configuration getTaintFlowConfig() { result instanceof RsaWithoutOaepConfig }
+
+  override DataFlow::Configuration getValueFlowConfig() { none() }
+}

-Original file line number
+Diff line change
@@ @@ -0,0 +1,4 @@ @@
 +---
 +category: newQuery
 +---
 +* A new query "Use of RSA algorithm without OAEP" (`java/rsa-without-oaep`) has been added. This query finds uses of RSA encryption that don't use the OAEP scheme.