/**
* @name Weak known key derivation function output length
* @description Detects key derivation operations with a known weak output length
* @id java/quantum/examples/weak-kdf-key-size
* @kind path-problem
* @problem.severity error
* @tags quantum
* experimental
*/
import java
import experimental.quantum.Language
module KeySizeConfig implements DataFlow::ConfigSig {
  /**
   * Sources: the output node of any generic source instance or of any
   * artifact instance modeled by the quantum crypto library.
   */
  predicate isSource(DataFlow::Node source) {
    exists(Crypto::GenericSourceInstance generic | source = generic.getOutputNode())
    or
    exists(Crypto::ArtifactInstance artifact | source = artifact.getOutputNode())
  }

  /**
   * Sinks: the input node of the key-size consumer of a key derivation
   * operation, i.e. the value that ends up as the KDF's requested output length.
   */
  predicate isSink(DataFlow::Node sink) {
    sink =
      any(Crypto::KeyDerivationOperationInstance kdf)
          .getKeySizeConsumer()
          .getConsumer()
          .getInputNode()
  }

  /**
   * No flow continues out of the input node of a modeled flow-aware element.
   * NOTE(review): presumably so that a modeled element is crossed only via the
   * library's own steps rather than generic taint propagation — confirm.
   */
  predicate isBarrierOut(DataFlow::Node node) {
    exists(Crypto::FlowAwareElement element | node = element.getInputNode())
  }

  /** No flow arrives at the output node of a modeled flow-aware element. */
  predicate isBarrierIn(DataFlow::Node node) {
    exists(Crypto::FlowAwareElement element | node = element.getOutputNode())
  }

  /**
   * Extra taint steps: the library's `AdditionalFlowInputStep` outputs, plus
   * `String.getBytes()` (qualifier to call result).
   */
  predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
    node2 = node1.(AdditionalFlowInputStep).getOutput()
    or
    isGetBytesStep(node1, node2)
  }

  /**
   * Holds if `node2` is a `java.lang.String.getBytes` call whose qualifier
   * is `node1`.
   */
  private predicate isGetBytesStep(DataFlow::Node node1, DataFlow::Node node2) {
    exists(MethodCall call |
      call.getMethod().hasQualifiedName("java.lang", "String", "getBytes") and
      call.getQualifier() = node1.asExpr() and
      call = node2.asExpr()
    )
  }
}
/** Global taint tracking from key-size sources to KDF key-size consumers, as configured by `KeySizeConfig`. */
module KeySizeFlow = TaintTracking::Global<KeySizeConfig>;
import KeySizeFlow::PathGraph
// Report each key derivation operation whose output key size is a literal
// below 256 that reaches the operation's key-size consumer via `KeySizeFlow`.
// The result is a path from the size literal to the consumer input.
//
// NOTE(review): the literal is compared as-is; whether the consuming API reads
// it as bits or bytes is not checked here — confirm against the modeled APIs.
// `toInt()` has no result for non-integer literals, so those never match.
from
  Crypto::KeyDerivationOperationNode op, Literal sizeLit, KeySizeFlow::PathNode srcNode,
  KeySizeFlow::PathNode sinkNode
where
  KeySizeFlow::flowPath(srcNode, sinkNode) and
  srcNode.getNode().asExpr() = sizeLit and
  op.getOutputKeySize().asElement() = sizeLit and
  sizeLit.getValue().toInt() < 256 and
  op.getKeySizeConsumer().getConsumer().getInputNode() = sinkNode.getNode()
select sinkNode, srcNode, sinkNode,
  "Key derivation operation configures output key length below 256: $@", sizeLit,
  sizeLit.getValue().toString()