hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #20690 from bdrodes/weak_symmetric_cipher_bug

Browse Source 
Crypto: Fix bug in weak symmetric cipher query
This commit is contained in:
Nicolas Will
2025-10-24 22:38:07 +02:00
committed by GitHub
parent e7bd435bee ed492c7d5a
commit d4787520fd
3 changed files with 20 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll
View File

@@ -8,7 +8,8 @@ predicate isUnapprovedSymmetricCipher(Crypto::KeyOperationAlgorithmNode alg, str
exists(KeyOpAlg::AlgorithmType algType | exists(KeyOpAlg::AlgorithmType algType |
algType = alg.getAlgorithmType() and algType = alg.getAlgorithmType() and
msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "." and msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "." and
algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) and
algType instanceof KeyOpAlg::TSymmetricCipher
) )
// NOTE: an org could decide to disallow very specific algorithms as well, shown below // NOTE: an org could decide to disallow very specific algorithms as well, shown below
// ( // (

4
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java
View File

@@ -3,6 +3,7 @@ import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey; import javax.crypto.SecretKey;
import java.security.Key; import java.security.Key;
import java.security.NoSuchAlgorithmException; import java.security.NoSuchAlgorithmException;
import javax.crypto.SecretKeyFactory;
public class Test { public class Test {
public static void main(String[] args) throws Exception { public static void main(String[] args) throws Exception {
@@ -73,5 +74,8 @@ public class Test {
Cipher aesGcmCipher = Cipher.getInstance("AES/GCM/NoPadding"); Cipher aesGcmCipher = Cipher.getInstance("AES/GCM/NoPadding");
aesGcmCipher.init(Cipher.ENCRYPT_MODE, aesKey); aesGcmCipher.init(Cipher.ENCRYPT_MODE, aesKey);
byte[] aesGcmEncrypted = aesGcmCipher.doFinal(data); byte[] aesGcmEncrypted = aesGcmCipher.doFinal(data);
// GOOD: not a symmetric cipher (Sanity check)
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
} }
} }

28
java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected
View File

@@ -1,14 +1,14 @@
| Test.java:12:59:12:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | | Test.java:13:59:13:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
| Test.java:14:47:14:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | | Test.java:15:47:15:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
| Test.java:19:62:19:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | | Test.java:20:62:20:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
| Test.java:21:50:21:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | | Test.java:22:50:22:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
| Test.java:26:64:26:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | | Test.java:27:64:27:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
| Test.java:28:52:28:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | | Test.java:29:52:29:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
| Test.java:33:59:33:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | | Test.java:34:59:34:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
| Test.java:35:47:35:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | | Test.java:36:47:36:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
| Test.java:40:59:40:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | | Test.java:41:59:41:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
| Test.java:42:47:42:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | | Test.java:43:47:43:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
| Test.java:47:60:47:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | | Test.java:48:60:48:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
| Test.java:49:48:49:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | | Test.java:50:48:50:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
| Test.java:54:64:54:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. | | Test.java:55:64:55:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |
| Test.java:56:52:56:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. | | Test.java:57:52:57:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |