hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Fix for non-monotonic recursion in JCA

Browse Source
This commit is contained in:
REDMOND\brodes
2025-10-01 14:36:26 -04:00
parent 92dac0341c
commit d49efefefa
1 changed files with 65 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
java/ql/lib/experimental/quantum/JCA.qll
View File

@@ -119,15 +119,15 @@ module JCAModel {
bindingset[name] bindingset[name]
Crypto::HashType hash_name_to_type_known(string name, int digestLength) { Crypto::HashType hash_name_to_type_known(string name, int digestLength) {
name = "SHA-1" and result instanceof Crypto::SHA1 and digestLength = 160 name in ["SHA-1", "SHA1"] and result instanceof Crypto::SHA1 and digestLength = 160
or or
name = ["SHA-256", "SHA-384", "SHA-512"] and name in ["SHA-256", "SHA-384", "SHA-512", "SHA256", "SHA384", "SHA512"] and
result instanceof Crypto::SHA2 and result instanceof Crypto::SHA2 and
digestLength = name.splitAt("-", 1).toInt() digestLength = name.replaceAll("-", "").splitAt("SHA", 1).toInt()
or or
name = ["SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512"] and name in ["SHA3-224", "SHA3-256", "SHA3-384", "SHA3-512", "SHA3256", "SHA3384", "SHA3512"] and
result instanceof Crypto::SHA3 and result instanceof Crypto::SHA3 and
digestLength = name.splitAt("-", 1).toInt() digestLength = name.replaceAll("-", "").splitAt("SHA3", 1).toInt()
or or
( (
name.matches("BLAKE2b%") and name.matches("BLAKE2b%") and
@@ -1222,37 +1222,73 @@ module JCAModel {
SecretKeyFactoryKDFAlgorithmValueConsumer getConsumer() { result = consumer } SecretKeyFactoryKDFAlgorithmValueConsumer getConsumer() { result = consumer }
} }
class PBKDF2WithHmac_KeyOperationAlgorithmStringLiteral extends Crypto::KeyOperationAlgorithmInstance instanceof KdfAlgorithmStringLiteral
{
PBKDF2WithHmac_KeyOperationAlgorithmStringLiteral() {
this.(StringLiteral).getValue().toUpperCase().matches(["PBKDF2WithHmac%"].toUpperCase())
}
override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() {
result = KeyOpAlg::TMac(KeyOpAlg::HMAC())
}
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
// TODO: trace to any key size initializer?
none()
}
override int getKeySizeFixed() {
// TODO: are there known fixed key sizes to consider?
none()
}
override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() { none() }
override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
override string getRawAlgorithmName() {
// Note: hardcoding "hmac" since that should be the only option
result = "Hmac"
}
}
class PBKDF2WithHmac_HashAlgorithmStringLiteral extends Crypto::HashAlgorithmInstance instanceof PBKDF2WithHmac_KeyOperationAlgorithmStringLiteral
{
string hashName;
PBKDF2WithHmac_HashAlgorithmStringLiteral() {
hashName = this.(StringLiteral).getValue().splitAt("WithHmac", 1)
}
override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
}
//TODO: handle PBE
class Pbkdf2AlgorithmStringLiteral extends KdfAlgorithmStringLiteral, class Pbkdf2AlgorithmStringLiteral extends KdfAlgorithmStringLiteral,
Crypto::Pbkdf2AlgorithmInstance, Crypto::HmacAlgorithmInstance, Crypto::HashAlgorithmInstance, Crypto::Pbkdf2AlgorithmInstance, Crypto::HmacAlgorithmInstance
Crypto::AlgorithmValueConsumer
{ {
Pbkdf2AlgorithmStringLiteral() { super.getKdfType() instanceof Crypto::PBKDF2 } Pbkdf2AlgorithmStringLiteral() { super.getKdfType() instanceof Crypto::PBKDF2 }
override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
override Crypto::THashType getHashFamily() {
result = hash_name_to_type_known(this.getRawHashAlgorithmName(), _)
}
override int getFixedDigestLength() {
exists(hash_name_to_type_known(this.getRawHashAlgorithmName(), result))
}
override string getRawMacAlgorithmName() {
result = super.getRawKdfAlgorithmName().splitAt("PBKDF2With", 1)
}
override string getRawHashAlgorithmName() {
result = super.getRawKdfAlgorithmName().splitAt("WithHmac", 1)
}
override Crypto::MacType getMacType() { result = Crypto::HMAC() }
override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() { result = this } override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() { result = this }
override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { result = this } override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { result = this }
override int getKeySizeFixed() { none() }
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { none() }
override string getRawAlgorithmName() {
// Note: hard coding "hmac" since that should be the only option
result = "Hmac"
}
override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() {
result = KeyOpAlg::TMac(KeyOpAlg::HMAC())
}
} }
class SecretKeyFactoryKDFAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Expr class SecretKeyFactoryKDFAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Expr