Check for insecure cipher modes

ECB is a known insecure cipher mode and needs to be checked for. Currently this test will only scan for pyca/cryptography's use of ECB. Future patches should check for PyCrypto and others. Change-Id: I27c30cb93e814eb3b3ce6732e94a76128b5b9e81
2015-09-04 13:50:45 -07:00 · 2015-09-04 13:50:45 -07:00 · 057e63f3ae
commit 057e63f3ae
parent 2a9061560a
3 changed files with 21 additions and 0 deletions
--- a/bandit/config/bandit.yaml
+++ b/bandit/config/bandit.yaml
@ -119,6 +119,10 @@ blacklist_calls:
                Use of insecure cipher {func}. Replace with a known secure
                cipher such as AES.
            level: HIGH
+        - cipher_modes:
+            qualnames:
+                - cryptography.hazmat.primitives.ciphers.modes.ECB
+            message: Use of insecure cipher mode {func}.
        - mktemp_q:
            qualnames: [tempfile.mktemp]
            message: Use of insecure and deprecated function (mktemp).
--- a/examples/cipher-modes.py
+++ b/examples/cipher-modes.py
@ -0,0 +1,12 @@
+from cryptography.hazmat.primitives.ciphers.modes import CBC
+from cryptography.hazmat.primitives.ciphers.modes import ECB
+
+
+# Insecure mode
+mode = ECB(iv)
+
+# Secure cipher and mode
+cipher = AES.new(key, blockalgo.MODE_CTR, iv)
+
+# Secure mode
+mode = CBC(iv)
--- a/tests/functional/test_functional.py
+++ b/tests/functional/test_functional.py
@ -97,6 +97,11 @@ class FunctionalTests(testtools.TestCase):
        expect = {'SEVERITY': {'LOW': 1, 'HIGH': 8}, 'CONFIDENCE': {'HIGH': 9}}
        self.check_example('ciphers.py', expect)

+    def test_cipher_modes(self):
+        '''Test for insecure cipher modes.'''
+        expect = {'SEVERITY': {'MEDIUM': 1}, 'CONFIDENCE': {'HIGH': 1}}
+        self.check_example('cipher-modes.py', expect)
+
    def test_eval(self):
        '''Test the `eval` example.'''
        expect = {'SEVERITY': {'MEDIUM': 3}, 'CONFIDENCE': {'HIGH': 3}}