Open
Describe the bug
Reported by CodeQL for Poco 1.15 (pre-release).
EVP_des_ede3_cbc is broken
https://github.com/pocoproject/poco/security/code-scanning/751
```cpp
if (privateKeyPassphrase.empty())
	rc = PEM_write_bio_RSAPrivateKey(bio, _pRSA, 0, 0, 0, 0, 0);
else
	rc = PEM_write_bio_RSAPrivateKey(bio, _pRSA, EVP_des_ede3_cbc(),
		reinterpret_cast<unsigned char*>(const_cast<char*>(privateKeyPassphrase.c_str())),
		static_cast<int>(privateKeyPassphrase.length()), 0, 0);
if (!rc) throw Poco::FileException("Failed to write private key to file", privateKeyFile);
```

CodeQL annotation on the `else` branch: This file makes use of a broken or weak cryptographic algorithm (specified by ).
Tool: CodeQL
Rule ID: cpp/weak-cryptographic-algorithm

Description
Using broken or weak cryptographic algorithms can leave data vulnerable to being decrypted.
Many cryptographic algorithms provided by cryptography libraries are known to be weak, or flawed. Using such an algorithm means that an attacker may be able to easily decrypt the encrypted data.
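As an added example (not Poco's code and not part of the CodeQL report), a dependency-free check for key files that the flagged branch has already written: `PEM_write_bio_RSAPrivateKey` with a cipher records the cipher name in the traditional PEM `DEK-Info:` header, so existing keys encrypted with DES-EDE3-CBC can be found and re-encrypted with a stronger cipher such as AES-256-CBC. The PEM headers below are constructed samples with the key bodies omitted; the set of names treated as weak is this example's choice.

```cpp
#include <sstream>
#include <string>

// Result of inspecting the headers of one traditional (PKCS#1) PEM private key.
struct PemCipherInfo {
    bool encrypted = false;  // "Proc-Type: 4,ENCRYPTED" present
    std::string cipher;      // name before the comma in "DEK-Info:", e.g. "DES-EDE3-CBC"
    bool weak = false;       // encrypted with a cipher this check treats as weak
};
// Cipher names the legacy PEM format can carry that should be treated as weak;
// the flagged EVP_des_ede3_cbc() call writes "DES-EDE3-CBC".
static bool isWeakPemCipher(const std::string& name)
{
    return name == "DES-CBC" || name == "DES-EDE3-CBC" || name.compare(0, 4, "RC2-") == 0;
}

// Scan the PEM headers. PEM_write_bio_RSAPrivateKey with a cipher emits the
// Proc-Type and DEK-Info headers shown in the samples; an unencrypted key has neither.
PemCipherInfo inspectPemPrivateKey(const std::string& pem)
{
    PemCipherInfo info;
    std::istringstream in(pem);
    std::string line;
    while (std::getline(in, line))
    {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.compare(0, 10, "Proc-Type:") == 0 && line.find("ENCRYPTED") != std::string::npos)
            info.encrypted = true;
        else if (line.compare(0, 9, "DEK-Info:") == 0)
        {
            std::string rest = line.substr(9);
            auto start = rest.find_first_not_of(' ');
            if (start == std::string::npos) continue;  // malformed header: no cipher name
            auto comma = rest.find(',', start);
            info.cipher = rest.substr(start, comma == std::string::npos ? comma : comma - start);
        }
    }
    info.weak = info.encrypted && isWeakPemCipher(info.cipher);
    return info;
}

// Constructed sample headers (bodies omitted, not real keys): the first is what the
// flagged EVP_des_ede3_cbc() path produces, the second an AES-256-CBC encrypted key.
const std::string kSample3DesPem =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\n...\n-----END RSA PRIVATE KEY-----\n";
const std::string kSampleAesPem =
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF\n\n...\n-----END RSA PRIVATE KEY-----\n";
```

Running `inspectPemPrivateKey` over each key file in a deployment lists the ones still carrying the DES-EDE3-CBC header after the source fix ships.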