ishangsf/rspec
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
rspec/rules/S6432/csharp/how-to-fix-it/dotnet.adoc

37 lines
925 B
Plaintext
Raw Normal View History

Modify rule S6432: update to LaYC format (APPSEC-974) (#2972) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule)
2023-08-31 15:05:45 +02:00
== How to fix it in .NET
=== Code examples
The example uses a hardcoded IV as a nonce, which causes AES-CCM to be insecure. To fix it, a nonce is randomly generated instead.
==== Noncompliant code example
[source,csharp,diff-id=101,diff-type=noncompliant]
----
public void encrypt(byte[] key, byte[] ptxt, byte[] ciphertext, byte[] tag)
{
var nonce = Encoding.UTF8.GetBytes("7cVgr5cbdCZV");
using var cipher = new AesGcm(key);
cipher.Encrypt(nonce, plaintext, ciphertext, tag); // Noncompliant
}
----
==== Compliant solution
[source,csharp,diff-id=101,diff-type=compliant]
----
public void encrypt(byte[] key, byte[] ptxt, byte[] ciphertext, byte[] tag)
{
var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];
RandomNumberGenerator.Fill(nonce);
using var cipher = new AesGcm(key);
cipher.Encrypt(nonce, plaintext, ciphertext, tag);
}
----
include::../../common/how-does-this-work.adoc[]
Reference in New Issue Copy Permalink