Skip to content

Commit d478752

Browse files
nicolaswillnicolaswill
authored
Merge pull request #20690 from bdrodes/weak_symmetric_cipher_bug
Crypto: Fix bug in weak symmetric cipher query
2 parents e7bd435 + ed492c7 commit d478752

File tree

3 files changed

+20
-15
lines changed

3 files changed

+20
-15
lines changed

java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,8 @@ predicate isUnapprovedSymmetricCipher(Crypto::KeyOperationAlgorithmNode alg, str
88
exists(KeyOpAlg::AlgorithmType algType |
99
algType = alg.getAlgorithmType() and
1010
msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "." and
11-
algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
11+
algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) and
12+
algType instanceof KeyOpAlg::TSymmetricCipher
1213
)
1314
// NOTE: an org could decide to disallow very specific algorithms as well, shown below
1415
// (

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
import javax.crypto.SecretKey;
44
import java.security.Key;
55
import java.security.NoSuchAlgorithmException;
6+
import javax.crypto.SecretKeyFactory;
67

78
public class Test {
89
public static void main(String[] args) throws Exception {
@@ -73,5 +74,8 @@ public static void main(String[] args) throws Exception {
7374
Cipher aesGcmCipher = Cipher.getInstance("AES/GCM/NoPadding");
7475
aesGcmCipher.init(Cipher.ENCRYPT_MODE, aesKey);
7576
byte[] aesGcmEncrypted = aesGcmCipher.doFinal(data);
77+
78+
// GOOD: not a symmetric cipher (Sanity check)
79+
SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
7680
}
7781
}

java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected

Lines changed: 14 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -1,14 +1,14 @@
1-
| Test.java:12:59:12:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
2-
| Test.java:14:47:14:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
3-
| Test.java:19:62:19:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
4-
| Test.java:21:50:21:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
5-
| Test.java:26:64:26:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
6-
| Test.java:28:52:28:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
7-
| Test.java:33:59:33:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
8-
| Test.java:35:47:35:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
9-
| Test.java:40:59:40:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
10-
| Test.java:42:47:42:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
11-
| Test.java:47:60:47:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
12-
| Test.java:49:48:49:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
13-
| Test.java:54:64:54:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |
14-
| Test.java:56:52:56:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |
1+
| Test.java:13:59:13:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
2+
| Test.java:15:47:15:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
3+
| Test.java:20:62:20:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
4+
| Test.java:22:50:22:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. |
5+
| Test.java:27:64:27:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
6+
| Test.java:29:52:29:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. |
7+
| Test.java:34:59:34:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
8+
| Test.java:36:47:36:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. |
9+
| Test.java:41:59:41:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
10+
| Test.java:43:47:43:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. |
11+
| Test.java:48:60:48:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
12+
| Test.java:50:48:50:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. |
13+
| Test.java:55:64:55:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |
14+
| Test.java:57:52:57:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |

0 commit comments

Comments
 (0)