From ed492c7d5a1837e75083c93d55d7f32005ee6caf Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Fri, 24 Oct 2025 08:16:22 -0400 Subject: [PATCH] Crypto: Fixed bug in WeakSymmetricCipher.qll, forgot to not only filter if !=AES but the algorithm must still be a SymmetriCipher algorithm. --- .../quantum/Examples/WeakSymmetricCipher.qll | 3 +- .../WeakOrUnknownSymmetricCipher/Test.java | 4 +++ .../WeakSymmetricCipher.expected | 28 +++++++++---------- 3 files changed, 20 insertions(+), 15 deletions(-) diff --git a/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll b/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll index 457d2b6cd18d..29493b24071d 100644 --- a/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll +++ b/java/ql/src/experimental/quantum/Examples/WeakSymmetricCipher.qll @@ -8,7 +8,8 @@ predicate isUnapprovedSymmetricCipher(Crypto::KeyOperationAlgorithmNode alg, str exists(KeyOpAlg::AlgorithmType algType | algType = alg.getAlgorithmType() and msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "." and - algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) + algType != KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES()) and + algType instanceof KeyOpAlg::TSymmetricCipher ) // NOTE: an org could decide to disallow very specific algorithms as well, shown below // ( diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java index 5f48f75eeb00..fde9f9a24d19 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/Test.java @@ -3,6 +3,7 @@ import javax.crypto.SecretKey; import java.security.Key; import java.security.NoSuchAlgorithmException; +import javax.crypto.SecretKeyFactory; public class Test { public static void main(String[] args) throws Exception { @@ -73,5 +74,8 @@ public static void main(String[] args) throws Exception { Cipher aesGcmCipher = Cipher.getInstance("AES/GCM/NoPadding"); aesGcmCipher.init(Cipher.ENCRYPT_MODE, aesKey); byte[] aesGcmEncrypted = aesGcmCipher.doFinal(data); + + // GOOD: not a symmetric cipher (Sanity check) + SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256"); } } \ No newline at end of file diff --git a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected index 13a316ee9b50..3ba5071e0264 100644 --- a/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected +++ b/java/ql/test/experimental/query-tests/quantum/examples/WeakOrUnknownSymmetricCipher/WeakSymmetricCipher.expected @@ -1,14 +1,14 @@ -| Test.java:12:59:12:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | -| Test.java:14:47:14:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | -| Test.java:19:62:19:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | -| Test.java:21:50:21:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | -| Test.java:26:64:26:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | -| Test.java:28:52:28:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | -| Test.java:33:59:33:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | -| Test.java:35:47:35:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | -| Test.java:40:59:40:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | -| Test.java:42:47:42:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | -| Test.java:47:60:47:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | -| Test.java:49:48:49:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | -| Test.java:54:64:54:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. | -| Test.java:56:52:56:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. | +| Test.java:13:59:13:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | +| Test.java:15:47:15:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | +| Test.java:20:62:20:69 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | +| Test.java:22:50:22:57 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: DES. | +| Test.java:27:64:27:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | +| Test.java:29:52:29:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Blowfish. | +| Test.java:34:59:34:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | +| Test.java:36:47:36:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC2. | +| Test.java:41:59:41:63 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | +| Test.java:43:47:43:51 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: RC4. | +| Test.java:48:60:48:65 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | +| Test.java:50:48:50:53 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: IDEA. | +| Test.java:55:64:55:73 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. | +| Test.java:57:52:57:61 | KeyOperationAlgorithm | Use of unapproved symmetric cipher algorithm or API: Skipjack. |