rspec/rules/S6432/python/how-to-fix-it/pycryptodome.adoc

== How to fix it in Cryptodome

=== Code examples

The example uses a hardcoded IV as a nonce, which causes AES-CCM to be insecure. To fix it, a nonce is randomly generated instead.

==== Noncompliant code example

[source,python,diff-id=101,diff-type=noncompliant]
----
from Crypto.Cipher import AES

def encrypt(key, plaintext):
    nonce   = '7cVgr5cbdCZV'.encode('utf-8')
    cipher = AES.new(key, AES.MODE_CCM, nonce)

    cipher.encrypt(plaintext)  # Noncompliant
----

==== Compliant solution

[source,python,diff-id=101,diff-type=compliant]
----
from Crypto.Cipher import AES

def encrypt(key, plaintext):
    cipher  = AES.new(key, AES.MODE_CCM)

    cipher.encrypt_and_digest(plaintext)
----

include::../../common/how-does-this-work.adoc[]
Modify rule S6432: update to LaYC format (APPSEC-974) (#2972) ## Review A dedicated reviewer checked the rule description successfully for: - [ ] logical errors and incorrect information - [ ] information gaps and missing content - [ ] text style and tone - [ ] PR summary and labels follow [the guidelines](https://github.com/SonarSource/rspec/#to-modify-an-existing-rule) 2023-08-31 15:05:45 +02:00			`== How to fix it in Cryptodome`

			`=== Code examples`

			`The example uses a hardcoded IV as a nonce, which causes AES-CCM to be insecure. To fix it, a nonce is randomly generated instead.`

			`==== Noncompliant code example`

			`[source,python,diff-id=101,diff-type=noncompliant]`
			`----`
			`from Crypto.Cipher import AES`

			`def encrypt(key, plaintext):`
			`nonce = '7cVgr5cbdCZV'.encode('utf-8')`
			`cipher = AES.new(key, AES.MODE_CCM, nonce)`

			`cipher.encrypt(plaintext) # Noncompliant`
			`----`

			`==== Compliant solution`

			`[source,python,diff-id=101,diff-type=compliant]`
			`----`
			`from Crypto.Cipher import AES`

			`def encrypt(key, plaintext):`
			`cipher = AES.new(key, AES.MODE_CCM)`

			`cipher.encrypt_and_digest(plaintext)`
			`----`

			`include::../../common/how-does-this-work.adoc[]`