Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals.

bdrodes · bdrodes · commit 83ff70bcd868 · 2025-10-08T12:47:58.000-04:00
diff --git a/java/ql/lib/experimental/quantum/Language.qll b/java/ql/lib/experimental/quantum/Language.qll
@@ -93,8 +93,9 @@ private class GenericRemoteDataSource extends Crypto::GenericRemoteDataSource {
   override string getAdditionalDescription() { result = this.toString() }
 }
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() {
+private class ConstantDataSourceLiteral extends Crypto::GenericConstantSourceInstance instanceof Literal
+{
+  ConstantDataSourceLiteral() {
     // TODO: this is an API specific workaround for JCA, as 'EC' is a constant that may be used
     // where typical algorithms are specified, but EC specifically means set up a
     // default curve container, that will later be specified explicitly (or if not a default)
@@ -112,6 +113,20 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i
   override string getAdditionalDescription() { result = this.toString() }
 }
 
+private class ConstantDataSourceArrayInitializer extends Crypto::GenericConstantSourceInstance instanceof ArrayInit
+{
+  ConstantDataSourceArrayInitializer() { exists(Literal l | this.getAnInit() = l) }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 /**
  * An instance of random number generation, modeled as the expression
  * tied to an output node (i.e., the result of the source of randomness)
diff --git a/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql b/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql
@@ -1,7 +1,7 @@
 /**
- * @name Insecure nonce (static value or weak random source)
+ * @name Insecure nonce/iv (static value or weak random source)
  * @id java/quantum/insecure-iv-or-nonce
- * @description A nonce is generated from a source that is not secure. This can lead to
+ * @description A nonce/iv is generated from a source that is not secure. This can lead to
  *              vulnerabilities such as replay attacks or key recovery.
  * @kind problem
  * @problem.severity error
@@ -16,4 +16,4 @@ from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
 where
   nonce.getSourceNode() = src and
   not src.asElement() instanceof SecureRandomnessInstance
-select nonce, "Nonce or IV uses insecure nonce source $@", src, src.toString()
+select nonce, "Nonce or IV uses insecure or constant source $@", src, src.toString()
diff --git a/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.expected b/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.expected
@@ -0,0 +1,7 @@
+| InsecureIVorNonceSource.java:20:51:20:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:14:21:14:81 | Constant | Constant |
+| InsecureIVorNonceSource.java:49:51:49:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:42:21:42:21 | Constant | Constant |
+| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:57:13:57:62 | Constant | Constant |
+| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:58:13:58:63 | Constant | Constant |
+| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:73:13:73:73 | Constant | Constant |
+| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:74:13:74:74 | Constant | Constant |
+| InsecureIVorNonceSource.java:206:51:206:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:194:26:194:30 | RandomNumberGeneration | RandomNumberGeneration |
diff --git a/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.java b/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.java
@@ -0,0 +1,210 @@
+import javax.crypto.Cipher;
+import javax.crypto.spec.GCMParameterSpec;
+import javax.crypto.spec.IvParameterSpec;
+import javax.crypto.spec.SecretKeySpec;
+import java.util.Random;
+
+import java.security.SecureRandom;
+import java.util.Arrays;
+
+public class InsecureIVorNonceSource {
+
+    // BAD: AES-GCM with static IV from a byte array
+    public byte[] encryptWithStaticIvByteArrayWithInitializer(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 }; // $Source
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // BAD: AES-GCM with static IV from zero-initialized byte array
+    public byte[] encryptWithZeroStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = new byte[16]; // $Source
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-initialization]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // BAD: AES-CBC with static IV from 1-initialized byte array
+    public byte[] encryptWithStaticIvByteArray(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = new byte[16]; // $Source
+        for (byte i = 0; i < iv.length; i++) {
+            iv[i] = 1;
+        }
+
+        IvParameterSpec ivSpec = new IvParameterSpec(iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // BAD: AES-GCM with static IV from a multidimensional byte array
+    public byte[] encryptWithOneOfStaticIvs01(byte[] key, byte[] plaintext) throws Exception {
+        byte[][] staticIvs = new byte[][] {
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
+            { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
+        }; // $Source
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // BAD: AES-GCM with static IV from a multidimensional byte array
+    public byte[] encryptWithOneOfStaticIvs02(byte[] key, byte[] plaintext) throws Exception {
+        byte[][] staticIvs = new byte[][] {
+            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 5 },
+            new byte[] { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 0, 1, 2, 3, 4, 42 }
+        }; // $Source
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, staticIvs[1]);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/insecure-iv-or-nonce]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // BAD: AES-GCM with static IV from a zero-initialized multidimensional byte array
+    public byte[] encryptWithOneOfStaticZeroIvs(byte[] key, byte[] plaintext) throws Exception {
+        byte[][] ivs = new byte[][] {
+            new byte[8], // $Source
+            new byte[16] // $Source
+        };
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, ivs[1]);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); // $Alert[java/quantum/unknown-iv-or-nonce-initialization]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // GOOD: AES-GCM with a random IV
+    public byte[] encryptWithRandomIv(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = new byte[16];
+
+        SecureRandom random = SecureRandom.getInstanceStrong();
+        random.nextBytes(iv);
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // GOOD: AES-GCM with a random IV
+    public byte[] encryptWithRandomIvByteByByte(byte[] key, byte[] plaintext) throws Exception {
+        SecureRandom random = SecureRandom.getInstanceStrong();
+        byte[] iv = new byte[16];
+        for (int i = 0; i < iv.length; i++) {
+            iv[i] = (byte) random.nextInt();
+        }
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // GOOD: AES-GCM with a random IV
+    public byte[] encryptWithRandomIvWithSystemArrayCopy(byte[] key, byte[] plaintext) throws Exception {
+        byte[] randomBytes = new byte[16];
+        SecureRandom.getInstanceStrong().nextBytes(randomBytes);
+
+        byte[] iv = new byte[16];
+        System.arraycopy(randomBytes, 0, iv, 0, 16);
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    // GOOD: AES-GCM with a random IV
+    public byte[] encryptWithRandomIvWithArraysCopy(byte[] key, byte[] plaintext) throws Exception {
+        byte[] randomBytes = new byte[16];
+        SecureRandom.getInstanceStrong().nextBytes(randomBytes);
+
+        byte[] iv = new byte[16];
+        iv = Arrays.copyOf(randomBytes, 16);
+
+        GCMParameterSpec ivSpec = new GCMParameterSpec(128, iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/GCM/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    public byte[] generate(int size) throws Exception { 
+        if (size == 0) { 
+            return new byte[0];
+        }
+        byte[] randomBytes = new byte[size];
+        SecureRandom.getInstanceStrong().nextBytes(randomBytes);
+        return randomBytes;
+    }
+
+    // GOOD: AES-CBC with a random IV
+    public byte[] encryptWithGeneratedIvByteArray(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = generate(16);
+
+        IvParameterSpec ivSpec = new IvParameterSpec(iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); 
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+
+    public byte[] generateInsecureRandomBytes(int numBytes) {
+        Random random = new Random();
+        byte[] bytes = new byte[numBytes];
+        random.nextBytes(bytes); // $Source
+        return bytes;
+    }
+
+    // BAD: AES-CBC with an insecure random IV
+    public byte[] encryptWithGeneratedIvByteArrayInsecure(byte[] key, byte[] plaintext) throws Exception {
+        byte[] iv = generateInsecureRandomBytes(16);
+
+        IvParameterSpec ivSpec = new IvParameterSpec(iv);
+        SecretKeySpec keySpec = new SecretKeySpec(key, "AES");
+
+        Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING");
+        cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);  // $Alert[java/quantum/insecure-iv-or-nonce]]
+        cipher.update(plaintext);
+        return cipher.doFinal();
+    }
+}
diff --git a/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.qlref b/java/ql/test/experimental/query-tests/quantum/InsecureNonceSource/InsecureIVorNonceSource.qlref
@@ -0,0 +1,4 @@
+query: experimental/quantum/Analysis/InsecureIVorNonceSource.ql
+postprocess:
+  - utils/test/PrettyPrintModels.ql
+  - utils/test/InlineExpectationsTestQuery.ql
