Removed hashes from NotConstantTimeCryptoComparison.ql

This commit is contained in:
Artem Smotrakov
2021-06-14 08:57:10 +02:00
committed by Fosstars
parent 8a69b7b3ac
commit f245dc3ac8
8 changed files with 25 additions and 44 deletions


@@ -1,19 +1,15 @@
edges
| NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac |
| NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | NotConstantTimeCryptoComparison.java:29:16:29:21 | actual |
| NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:45:40:45:48 | signature |
| NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:62:40:62:42 | tag |
| NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:31:40:31:48 | signature |
| NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:48:40:48:42 | tag |
nodes
| NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | semmle.label | actualMac |
| NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | semmle.label | digest(...) : byte[] |
| NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | semmle.label | actual |
| NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | semmle.label | signature |
| NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | semmle.label | tag |
| NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
| NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | semmle.label | signature |
| NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
| NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | semmle.label | tag |
#select
| NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
| NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
| NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
| NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
| NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
| NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | Using a not-constant time algorithm for comparison results of a cryptographic operation. |


@@ -22,20 +22,6 @@ public class NotConstantTimeCryptoComparison {
return MessageDigest.isEqual(expectedMac, actualMac);
}
// BAD: compare hashes using a not-constant time method
public boolean unsafeCheckMessageDigest(String expectedHash, byte[] data) throws Exception {
MessageDigest md = MessageDigest.getInstance("SHA-256");
String actual = new String(md.digest(data));
return actual.equals(expectedHash);
}
// GOOD: compare hashes using a constant time method
public boolean saferCheckMessageDigest(byte[] expected, byte[] data) throws Exception {
MessageDigest md = MessageDigest.getInstance("SHA-256");
byte[] actual = md.digest(data);
return MessageDigest.isEqual(expected, actual);
}
// BAD: compare signatures using a not-constant time method
public boolean unsafeCheckSignatures(byte[] expected, byte[] data, PrivateKey key) throws Exception {
Signature engine = Signature.getInstance("SHA256withRSA");