JavaScript is not currently enabled, but is required for full CodeSonar manual search and browse functionality.

If you are viewing this file in your hub's Web GUI, enable JavaScript in your browser: you will also need it for GUI functionality.

If you opened this file directly from disk, your browser may be directly suppressing JavaScript functionality: certain browsers perform this suppression on local files (but not files delivered by web servers) for security reasons.

CodeSonar® 9.2p0 CONFIDENTIAL CodeSecure Inc
C and C++
Binaries

MISC.CRYPTO.NOPAD : Encryption without Padding

Summary

RSA encryption or decryption is carried out without Optimal Asymmetric Encryption Padding (OAEP).

Properties

Class Name Encryption without Padding
Significance security
Mnemonic MISC.CRYPTO.NOPAD
Categories
MisraC++2023 MisraC++2023:0.3.2 A function call shall not violate the function's preconditions
CWE CWE:325 Missing Cryptographic Step
  CWE:331 Insufficient Entropy
  CWE:780 Use of RSA Algorithm without OAEP
DISA-6r1 DISA-6r1:V-222396 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-6r1:V-222397 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-6r1:V-222589 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-6r1:V-222596 The application must protect the confidentiality and integrity of transmitted information.
DISA-5r3 DISA-5r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-5r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-5r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-5r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.
DISA-4r3 DISA-4r3:V-69257 The application must implement DoD-approved encryption to protect the confidentiality of remote access sessions.
  DISA-4r3:V-69259 The application must implement cryptographic mechanisms to protect the integrity of remote access sessions.
  DISA-4r3:V-70229 The application must use appropriate cryptography in order to protect stored DoD information when required by the information owner or DoD policy.
  DISA-4r3:V-70245 The application must protect the confidentiality and integrity of transmitted information.
DISA-3r10 DISA-3r10:V-6135 The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.
  DISA-3r10:V-6136 The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.
OWASP-2017 OWASP-2017:A3 Sensitive data exposure
  OWASP-2017:A6 Security misconfiguration
OWASP-2021 OWASP-2021:A2 Cryptographic failures
  OWASP-2021:A5 Security misconfiguration
OWASP-2025 OWASP-2025:A04 Cryptographic Failures
Availability Available for C and C++.
Enabling Checks for this warning class are enabled by default. To disable them, add the following WARNING_FILTER rule to the project configuration file. 
WARNING_FILTER += discard class="Encryption without Padding"

Example 

#include <stdlib.h>
#include <stdio.h>
#include "openssl/rsa.h"
int send_to_server(unsigned  char *);
int encrypt_and_send(unsigned char *cleartext, RSA *pubkey)
{
    int sz = RSA_size(pubkey);
    unsigned char *cyphertext = malloc(sz);
    int rv;
    if (!cyphertext) return -1;
    if (RSA_public_encrypt(sz, cleartext, cyphertext, pubkey, RSA_NO_PADDING) == -1)  /* Encryption Without Padding
                                                                                       * warning issued here */
    {
        free(cyphertext);
        return -1;
    }
    rv = send_to_server(cyphertext); 
    free(cyphertext);
    return rv;
}

Triggers

CodeSonar ships with library models that allow it to recognize functions such as OpenSSL RSA_public_encrypt() and Win32 CryptEncrypt() that perform RSA encryption or decryption. If one of these functions is called with a value that leads to the operation being performed without padding in the relevant parameter position, a warning will be issued.

If you have created a custom library model for some function f() in terms of one of these existing models, calls to f() will also be capable of triggering Encryption without Padding warnings.

Relevant Configuration File Parameters

The following configuration file parameters affect checks for this warning class.

 

To report problems with this documentation, please visit https://support.codesecure.com/.