From ff557a287f552a918e9410d3517dca63ab450d05 Mon Sep 17 00:00:00 2001
From: Jami Cogswell
Date: Tue, 18 Oct 2022 23:08:54 -0400
Subject: [PATCH] add min key size predicates
---
.../java/security/InsufficientKeySize.qll | 40 +++++++++++++------
1 file changed, 28 insertions(+), 12 deletions(-)
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
index be12385f5cf..8dfd2987eb0 100644
--- a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
+++ b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -18,32 +18,45 @@ abstract class InsufficientKeySizeSink extends DataFlow::Node { // *********************************** SOURCES *********************************** /** A source for an insufficient key size used in RSA, DSA, and DH algorithms. */ private class AsymmetricNonEcSource extends InsufficientKeySizeSource { - AsymmetricNonEcSource() { getNodeIntValue(this) < 2048 } + AsymmetricNonEcSource() { getNodeIntValue(this) < getMinAsymNonEcKeySize() } - override predicate hasState(DataFlow::FlowState state) { state = "2048" } + override predicate hasState(DataFlow::FlowState state) { + state = getMinAsymNonEcKeySize().toString() + } } /** A source for an insufficient key size used in elliptic curve (EC) algorithms. */ private class AsymmetricEcSource extends InsufficientKeySizeSource { AsymmetricEcSource() { - getNodeIntValue(this) < 256 + getNodeIntValue(this) < getMinAsymEcKeySize() or // the below is needed for cases when the key size is embedded in the curve name - getEcKeySize(this.asExpr().(StringLiteral).getValue()) < 256 + getEcKeySize(this.asExpr().(StringLiteral).getValue()) < getMinAsymEcKeySize() } - override predicate hasState(DataFlow::FlowState state) { state = "256" } + override predicate hasState(DataFlow::FlowState state) { + state = getMinAsymEcKeySize().toString() + } } /** A source for an insufficient key size used in AES algorithms. */ private class SymmetricSource extends InsufficientKeySizeSource { - SymmetricSource() { getNodeIntValue(this) < 128 } + SymmetricSource() { getNodeIntValue(this) < getMinSymKeySize() } - override predicate hasState(DataFlow::FlowState state) { state = "128" } + override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() } } // ************************** SOURCES HELPER PREDICATES ************************** -/** Returns the integer value of a given Node. */ +/** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. 
*/ +private int getMinAsymNonEcKeySize() { result = 2048 } + +/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */ +private int getMinAsymEcKeySize() { result = 256 } + +/** Returns the minimum recommended key size for AES algorithms. */ +private int getMinSymKeySize() { result = 128 } + +/** Returns the integer value of a given DataFlow::Node. */ private int getNodeIntValue(DataFlow::Node node) { result = node.asExpr().(IntegerLiteral).getIntValue() } @@ -74,7 +87,9 @@ private class AsymmetricNonEcSink extends InsufficientKeySizeSink { exists(AsymmetricNonEcSpec spec | this.asExpr() = spec.getKeySizeArg()) } - override predicate hasState(DataFlow::FlowState state) { state = "2048" } + override predicate hasState(DataFlow::FlowState state) { + state = getMinAsymNonEcKeySize().toString() + } } /** A sink for an insufficient key size used in elliptic curve (EC) algorithms. */ @@ -89,13 +104,14 @@ private class AsymmetricEcSink extends InsufficientKeySizeSink { exists(AsymmetricEcSpec s | this.asExpr() = s.getKeySizeArg()) } - override predicate hasState(DataFlow::FlowState state) { state = "256" } + override predicate hasState(DataFlow::FlowState state) { + state = getMinAsymEcKeySize().toString() + } } /** A sink for an insufficient key size used in AES algorithms. */ private class SymmetricSink extends InsufficientKeySizeSink { SymmetricSink() { - //hasKeySizeInInitMethod(this, "symmetric") exists(SymmetricInitMethodAccess ma, SymmetricKeyGenerator kg | kg.getAlgoName() = "AES" and DataFlow::localExprFlow(kg, ma.getQualifier()) and @@ -103,7 +119,7 @@ private class SymmetricSink extends InsufficientKeySizeSink { ) } - override predicate hasState(DataFlow::FlowState state) { state = "128" } + override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() } } // ********************** SINKS HELPER CLASSES & PREDICATES **********************
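Review bot: The QLDoc on the three new threshold predicates in the first hunk (`getMinAsymNonEcKeySize`, `getMinAsymEcKeySize`, `getMinSymKeySize`) states neither the unit nor the second role the value now plays. The source constructors compare with `<`, so a key of exactly the minimum size is accepted, and `hasState` in this hunk and in the sink hunks at -74, -89 and -103 uses the value's string form as the flow state that pairs a source with its sink. I would spell that out, e.g. `/** Gets the minimum recommended key size, in bits, for RSA, DSA, and DH algorithms; smaller sizes are flagged, and the value's string form is the flow state shared by the matching source and sink. */`, and likewise for the EC and AES predicates. CodeQL's QLDoc convention for predicates with a result is the "Gets ..." form rather than "Returns ...", which also applies to the reworded `getNodeIntValue` comment. Naming the guidance that the 2048/256/128 figures are taken from would let a maintainer tell when they are due for revision.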