hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 13:45:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Removed unsafeMacCheckWithArraysDeepEquals() test

Browse Source
This commit is contained in:
Fosstars
2021-08-01 10:12:38 +02:00
parent 0fc487fb04
commit 44e52517ad
2 changed files with 37 additions and 63 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.expected
View File

@@ -1,50 +1,44 @@
edges
| Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac |
| Test.java:33:32:33:44 | doFinal(...) : byte[] | Test.java:35:88:35:96 | actualMac : byte[] |
| Test.java:35:88:35:96 | actualMac : byte[] | Test.java:35:70:35:97 | castToObjectArray(...) |
| Test.java:46:25:46:33 | actualMac : byte[] | Test.java:48:47:48:55 | actualMac |
| Test.java:71:32:71:44 | sign(...) : byte[] | Test.java:73:44:73:52 | signature |
| Test.java:85:25:85:33 | signature : byte[] | Test.java:87:44:87:52 | signature |
| Test.java:111:26:111:45 | doFinal(...) : byte[] | Test.java:113:49:113:51 | tag |
| Test.java:128:28:128:30 | tag : byte[] | Test.java:130:44:130:46 | tag |
| Test.java:146:56:146:58 | tag : ByteBuffer | Test.java:148:44:148:46 | tag : ByteBuffer |
| Test.java:148:44:148:46 | tag : ByteBuffer | Test.java:148:44:148:54 | array(...) |
| Test.java:160:56:160:58 | tag : ByteBuffer | Test.java:162:53:162:55 | tag |
| Test.java:186:26:186:50 | doFinal(...) : byte[] | Test.java:188:44:188:46 | tag |
| Test.java:221:34:221:50 | doFinal(...) : byte[] | Test.java:224:26:224:36 | computedTag |
| Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac |
| Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature |
| Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature |
| Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag |
| Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag |
| Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:46 | tag : ByteBuffer |
| Test.java:136:44:136:46 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) |
| Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag |
| Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag |
| Test.java:201:34:201:50 | doFinal(...) : byte[] | Test.java:204:26:204:36 | computedTag |
nodes
| Test.java:21:32:21:48 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:23:47:23:55 | actualMac | semmle.label | actualMac |
| Test.java:33:32:33:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:35:70:35:97 | castToObjectArray(...) | semmle.label | castToObjectArray(...) |
| Test.java:35:88:35:96 | actualMac : byte[] | semmle.label | actualMac : byte[] |
| Test.java:46:25:46:33 | actualMac : byte[] | semmle.label | actualMac : byte[] |
| Test.java:48:47:48:55 | actualMac | semmle.label | actualMac |
| Test.java:71:32:71:44 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| Test.java:73:44:73:52 | signature | semmle.label | signature |
| Test.java:85:25:85:33 | signature : byte[] | semmle.label | signature : byte[] |
| Test.java:87:44:87:52 | signature | semmle.label | signature |
| Test.java:111:26:111:45 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:113:49:113:51 | tag | semmle.label | tag |
| Test.java:128:28:128:30 | tag : byte[] | semmle.label | tag : byte[] |
| Test.java:130:44:130:46 | tag | semmle.label | tag |
| Test.java:146:56:146:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:148:44:148:46 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:148:44:148:54 | array(...) | semmle.label | array(...) |
| Test.java:160:56:160:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:162:53:162:55 | tag | semmle.label | tag |
| Test.java:186:26:186:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:188:44:188:46 | tag | semmle.label | tag |
| Test.java:221:34:221:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:224:26:224:36 | computedTag | semmle.label | computedTag |
| Test.java:34:25:34:33 | actualMac : byte[] | semmle.label | actualMac : byte[] |
| Test.java:36:47:36:55 | actualMac | semmle.label | actualMac |
| Test.java:59:32:59:44 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| Test.java:61:44:61:52 | signature | semmle.label | signature |
| Test.java:73:25:73:33 | signature : byte[] | semmle.label | signature : byte[] |
| Test.java:75:44:75:52 | signature | semmle.label | signature |
| Test.java:99:26:99:45 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:101:49:101:51 | tag | semmle.label | tag |
| Test.java:116:28:116:30 | tag : byte[] | semmle.label | tag : byte[] |
| Test.java:118:44:118:46 | tag | semmle.label | tag |
| Test.java:134:56:134:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:136:44:136:46 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:136:44:136:54 | array(...) | semmle.label | array(...) |
| Test.java:148:56:148:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
| Test.java:150:53:150:55 | tag | semmle.label | tag |
| Test.java:174:26:174:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:176:44:176:46 | tag | semmle.label | tag |
| Test.java:201:34:201:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| Test.java:204:26:204:36 | computedTag | semmle.label | computedTag |
#select
| Test.java:23:47:23:55 | actualMac | Test.java:21:32:21:48 | doFinal(...) : byte[] | Test.java:23:47:23:55 | actualMac | Timing attack against $@ validation. | Test.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
| Test.java:35:70:35:97 | castToObjectArray(...) | Test.java:33:32:33:44 | doFinal(...) : byte[] | Test.java:35:70:35:97 | castToObjectArray(...) | Timing attack against $@ validation. | Test.java:33:32:33:44 | doFinal(...) : byte[] | MAC |
| Test.java:48:47:48:55 | actualMac | Test.java:46:25:46:33 | actualMac : byte[] | Test.java:48:47:48:55 | actualMac | Timing attack against $@ validation. | Test.java:46:25:46:33 | actualMac : byte[] | MAC |
| Test.java:73:44:73:52 | signature | Test.java:71:32:71:44 | sign(...) : byte[] | Test.java:73:44:73:52 | signature | Timing attack against $@ validation. | Test.java:71:32:71:44 | sign(...) : byte[] | signature |
| Test.java:87:44:87:52 | signature | Test.java:85:25:85:33 | signature : byte[] | Test.java:87:44:87:52 | signature | Timing attack against $@ validation. | Test.java:85:25:85:33 | signature : byte[] | signature |
| Test.java:113:49:113:51 | tag | Test.java:111:26:111:45 | doFinal(...) : byte[] | Test.java:113:49:113:51 | tag | Timing attack against $@ validation. | Test.java:111:26:111:45 | doFinal(...) : byte[] | ciphertext |
| Test.java:130:44:130:46 | tag | Test.java:128:28:128:30 | tag : byte[] | Test.java:130:44:130:46 | tag | Timing attack against $@ validation. | Test.java:128:28:128:30 | tag : byte[] | ciphertext |
| Test.java:148:44:148:54 | array(...) | Test.java:146:56:146:58 | tag : ByteBuffer | Test.java:148:44:148:54 | array(...) | Timing attack against $@ validation. | Test.java:146:56:146:58 | tag : ByteBuffer | ciphertext |
| Test.java:162:53:162:55 | tag | Test.java:160:56:160:58 | tag : ByteBuffer | Test.java:162:53:162:55 | tag | Timing attack against $@ validation. | Test.java:160:56:160:58 | tag : ByteBuffer | ciphertext |
| Test.java:188:44:188:46 | tag | Test.java:186:26:186:50 | doFinal(...) : byte[] | Test.java:188:44:188:46 | tag | Timing attack against $@ validation. | Test.java:186:26:186:50 | doFinal(...) : byte[] | ciphertext |
| Test.java:36:47:36:55 | actualMac | Test.java:34:25:34:33 | actualMac : byte[] | Test.java:36:47:36:55 | actualMac | Timing attack against $@ validation. | Test.java:34:25:34:33 | actualMac : byte[] | MAC |
| Test.java:61:44:61:52 | signature | Test.java:59:32:59:44 | sign(...) : byte[] | Test.java:61:44:61:52 | signature | Timing attack against $@ validation. | Test.java:59:32:59:44 | sign(...) : byte[] | signature |
| Test.java:75:44:75:52 | signature | Test.java:73:25:73:33 | signature : byte[] | Test.java:75:44:75:52 | signature | Timing attack against $@ validation. | Test.java:73:25:73:33 | signature : byte[] | signature |
| Test.java:101:49:101:51 | tag | Test.java:99:26:99:45 | doFinal(...) : byte[] | Test.java:101:49:101:51 | tag | Timing attack against $@ validation. | Test.java:99:26:99:45 | doFinal(...) : byte[] | ciphertext |
| Test.java:118:44:118:46 | tag | Test.java:116:28:116:30 | tag : byte[] | Test.java:118:44:118:46 | tag | Timing attack against $@ validation. | Test.java:116:28:116:30 | tag : byte[] | ciphertext |
| Test.java:136:44:136:54 | array(...) | Test.java:134:56:134:58 | tag : ByteBuffer | Test.java:136:44:136:54 | array(...) | Timing attack against $@ validation. | Test.java:134:56:134:58 | tag : ByteBuffer | ciphertext |
| Test.java:150:53:150:55 | tag | Test.java:148:56:148:58 | tag : ByteBuffer | Test.java:150:53:150:55 | tag | Timing attack against $@ validation. | Test.java:148:56:148:58 | tag : ByteBuffer | ciphertext |
| Test.java:176:44:176:46 | tag | Test.java:174:26:174:50 | doFinal(...) : byte[] | Test.java:176:44:176:46 | tag | Timing attack against $@ validation. | Test.java:174:26:174:50 | doFinal(...) : byte[] | ciphertext |

20
java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstSignagure/Test.java
View File

@@ -24,18 +24,6 @@ public class Test {
}
}
// BAD: compare MACs using a non-constant-time method
public boolean unsafeMacCheckWithArraysDeepEquals(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
Mac mac = Mac.getInstance("HmacSHA256");
byte[] data = socket.getInputStream().readAllBytes();
mac.update(data);
byte[] actualMac = mac.doFinal();
byte[] expectedMac = is.readNBytes(32);
return Arrays.deepEquals(castToObjectArray(expectedMac), castToObjectArray(actualMac));
}
}
// BAD: compare MACs using a non-constant-time method
public boolean unsafeMacCheckWithDoFinalWithOutputArray(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {
@@ -200,14 +188,6 @@ public class Test {
}
}
private static Object[] castToObjectArray(byte[] array) {
Object[] result = new Object[array.length];
for (int i = 0; i < array.length; i++) {
result[i] = array[i];
}
return result;
}
// BAD: compare MAC using a non-constant-time loop
public boolean unsafeMacCheckWithLoop(Socket socket) throws Exception {
try (InputStream is = socket.getInputStream()) {