Crypto: Updating insecure iv/nonce to consider if an operation is known for it, and if so do not alert on non-secure random if it is tied to decryption

bdrodes · bdrodes · commit f524de4afc2a · 2025-10-08T16:27:18.000-04:00
diff --git a/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql b/java/ql/src/experimental/quantum/Analysis/InsecureIVorNonceSource.ql
@@ -2,7 +2,10 @@
  * @name Insecure nonce/iv (static value or weak random source)
  * @id java/quantum/insecure-iv-or-nonce
  * @description A nonce/iv is generated from a source that is not secure. This can lead to
- *              vulnerabilities such as replay attacks or key recovery.
+ *              vulnerabilities such as replay attacks or key recovery. Insecure generation
+ *              is any static nonce, or any known insecure source for a nonce/iv if
+ *              the value is used for an encryption operation (decryption operations are ignored
+ *              as the nonce/iv would be provided alongside the ciphertext).
  * @kind problem
  * @problem.severity error
  * @precision high
@@ -12,8 +15,33 @@
 
 import experimental.quantum.Language
 
-from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src, Crypto::NodeBase op, string msg
 where
   nonce.getSourceNode() = src and
-  not src.asElement() instanceof SecureRandomnessInstance
-select nonce, "Nonce or IV uses insecure or constant source $@", src, src.toString()
+  (
+    // Case 1: Any constant nonce/iv is bad, regardless of how it is used
+    src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op = nonce and // binding op by not using it
+    msg = "Nonce or IV uses constant source $@"
+    or
+    // Case 2: The nonce has a non-random source and there is no known operation for the nonce
+    //         assume it is used for encryption
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and // binding op, but not using it
+    msg =
+      "Nonce or IV uses insecure source $@ with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Case 3: The nonce has a non-random source and is used in an encryption operation
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Nonce or IV uses insecure source $@ at encryption operation $@"
+  )
+select nonce, msg, src, src.toString(), op, op.toString()
diff --git a/java/ql/test/experimental/query-tests/quantum/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected b/java/ql/test/experimental/query-tests/quantum/InsecureOrUnknownNonceSource/InsecureIVorNonceSource.expected
@@ -1,7 +1,7 @@
-| InsecureIVorNonceSource.java:20:51:20:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:14:21:14:81 | Constant | Constant |
-| InsecureIVorNonceSource.java:49:51:49:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:42:21:42:21 | Constant | Constant |
-| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:57:13:57:62 | Constant | Constant |
-| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:58:13:58:63 | Constant | Constant |
-| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:73:13:73:73 | Constant | Constant |
-| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:74:13:74:74 | Constant | Constant |
-| InsecureIVorNonceSource.java:206:51:206:56 | Nonce | Nonce or IV uses insecure or constant source $@ | InsecureIVorNonceSource.java:194:26:194:30 | RandomNumberGeneration | RandomNumberGeneration |
+| InsecureIVorNonceSource.java:20:51:20:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:14:21:14:81 | Constant | Constant | InsecureIVorNonceSource.java:20:51:20:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:49:51:49:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:42:21:42:21 | Constant | Constant | InsecureIVorNonceSource.java:49:51:49:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:57:13:57:62 | Constant | Constant | InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:58:13:58:63 | Constant | Constant | InsecureIVorNonceSource.java:65:51:65:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:73:13:73:73 | Constant | Constant | InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce or IV uses constant source $@ | InsecureIVorNonceSource.java:74:13:74:74 | Constant | Constant | InsecureIVorNonceSource.java:81:51:81:56 | Nonce | Nonce |
+| InsecureIVorNonceSource.java:206:51:206:56 | Nonce | Nonce or IV uses insecure source $@ at encryption operation $@ | InsecureIVorNonceSource.java:194:26:194:30 | RandomNumberGeneration | RandomNumberGeneration | InsecureIVorNonceSource.java:208:16:208:31 | EncryptOperation | EncryptOperation |
