hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 08:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Reused nonce query updates and test updates to address false positives.

Browse Source
This commit is contained in:
REDMOND\brodes
2025-10-10 12:25:31 -04:00
parent fba80870a6
commit 758759a304
4 changed files with 115 additions and 17 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/NonceReuse.expected
View File

@@ -1,4 +1,4 @@
| Test.java:40:47:40:52 | Nonce | Reuse with nonce $@ | Test.java:49:47:49:52 | Nonce | Nonce |
| Test.java:49:47:49:52 | Nonce | Reuse with nonce $@ | Test.java:40:47:40:52 | Nonce | Nonce |
| Test.java:76:48:76:54 | Nonce | Reuse with nonce $@ | Test.java:82:49:82:55 | Nonce | Nonce |
| Test.java:82:49:82:55 | Nonce | Reuse with nonce $@ | Test.java:76:48:76:54 | Nonce | Nonce |
| Test.java:19:38:19:40 | RandomNumberGeneration | Nonce source is reused, see $@ and $@ | Test.java:40:47:40:52 | Nonce | Nonce | Test.java:49:47:49:52 | Nonce | Nonce |
| Test.java:19:38:19:40 | RandomNumberGeneration | Nonce source is reused, see $@ and $@ | Test.java:49:47:49:52 | Nonce | Nonce | Test.java:40:47:40:52 | Nonce | Nonce |
| Test.java:19:38:19:40 | RandomNumberGeneration | Nonce source is reused, see $@ and $@ | Test.java:76:48:76:54 | Nonce | Nonce | Test.java:82:49:82:55 | Nonce | Nonce |
| Test.java:19:38:19:40 | RandomNumberGeneration | Nonce source is reused, see $@ and $@ | Test.java:82:49:82:55 | Nonce | Nonce | Test.java:76:48:76:54 | Nonce | Nonce |

28
java/ql/test/experimental/query-tests/quantum/examples/NonceReuse/Test.java
View File

@@ -83,6 +83,34 @@ public class Test {
byte[] ciphertext2 = cipher2.doFinal("Simple Test Data".getBytes());
}
public void falsePositive1() throws Exception {
byte[] iv = null;
new SecureRandom().nextBytes(iv);
IvParameterSpec ivSpec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKey key = generateAESKey();
if (iv != null) {
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // GOOD
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
} else if(iv.length > 0) {
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // GOOD
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
}
}
public void falsePositive2() throws Exception {
byte[] iv = null;
new SecureRandom().nextBytes(iv);
IvParameterSpec ivSpec = new IvParameterSpec(iv);
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
SecretKey key = generateAESKey();
cipher.init(Cipher.ENCRYPT_MODE, key, ivSpec); // GOOD
byte[] ciphertext = cipher.doFinal("Simple Test Data".getBytes());
cipher.init(Cipher.DECRYPT_MODE, key, ivSpec); // GOOD
byte[] decryptedData = cipher.doFinal(ciphertext);
}
public static void main(String[] args) {
try {
funcA2();