Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals.

2026-05-05 05:35:13 +02:00 · 2025-10-08 12:47:58 -04:00
parent bd34b6ce02
commit 83ff70bcd8
5 changed files with 241 additions and 5 deletions
--- a/java/ql/lib/experimental/quantum/Language.qll
+++ b/java/ql/lib/experimental/quantum/Language.qll
@@ -93,8 +93,9 @@ private class GenericRemoteDataSource extends Crypto::GenericRemoteDataSource {
  override string getAdditionalDescription() { result = this.toString() }
 }

-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() {
+private class ConstantDataSourceLiteral extends Crypto::GenericConstantSourceInstance instanceof Literal
+{
+  ConstantDataSourceLiteral() {
    // TODO: this is an API specific workaround for JCA, as 'EC' is a constant that may be used
    // where typical algorithms are specified, but EC specifically means set up a
    // default curve container, that will later be specified explicitly (or if not a default)
@@ -112,6 +113,20 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i
  override string getAdditionalDescription() { result = this.toString() }
 }

+private class ConstantDataSourceArrayInitializer extends Crypto::GenericConstantSourceInstance instanceof ArrayInit
+{
+  ConstantDataSourceArrayInitializer() { exists(Literal l | this.getAnInit() = l) }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 /**
 * An instance of random number generation, modeled as the expression
 * tied to an output node (i.e., the result of the source of randomness)