Narrow NonConstantTimeCryptoComparison.ql to timing attack on signatures and MACs only

artem-smotrakov · artem-smotrakov · commit 8b557765b30b · 2021-08-01T09:47:06.000+02:00
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.qhelp b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.qhelp
@@ -3,16 +3,16 @@
 
 <overview>
 <p>
-When comparing results of cryptographic operations, such as MAC or digital signature,
-a constant-time algorithm should be used. In other words, the comparison time should not depend on
-the content of the input. Otherwise, attackers may be able to implement a timing attack
-if they can control input. A successful timing attack may result in leaking secrets or authentication bypass.
+A constant-time algorithm should be used for checking a MAC or a digital signature.
+In other words, the comparison time should not depend on the content of the input. 
+Otherwise, attackers may be able to implement a timing attack if they control inputs.
+A successful attack may uncover a valid MAC or signature that in turn can result in authentication bypass.
 </p>
 </overview>
 
 <recommendation>
 <p>
-Use <code>MessageDigest.isEqual()</code> method to compare results of cryptographic operations.
+Use <code>MessageDigest.isEqual()</code> method to check MACs and signatures.
 If this method is used, then the calculation time depends only on the length of input byte arrays,
 and does not depend on the contents of the arrays.
 </p>
diff --git a/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql b/java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql
@@ -1,12 +1,12 @@
 /**
- * @name Using a non-constant-time algorithm for comparing results of a cryptographic operation
- * @description When comparing results of a cryptographic operation, a constant-time algorithm should be used.
- *              Otherwise, attackers may be able to implement a timing attack if they can control input.
- *              A successful attack may result in leaking secrets or authentication bypass.
+ * @name Using a non-constant-time algorithm for comparing MAC or signature
+ * @description When checking MAC or signature, a constant-time algorithm should be used.
+ *              Otherwise, attackers may be able to implement a timing attack if they control inputs.
+ *              A successful attack may uncover a valid MAC or signature that in turn can result in authentication bypass.
  * @kind path-problem
  * @problem.severity warning
  * @precision high
- * @id java/non-constant-time-crypto-comparison
+ * @id java/non-constant-time-in-signature-check
  * @tags security
  *       external/cwe/cwe-208
  */
@@ -25,6 +25,9 @@ abstract private class ProduceCryptoCall extends MethodAccess {
 
   /** Return the result of cryptographic operation. */
   Expr output() { result = output }
+
+  /** Return a type of the result of cryptographic operation such as MAC, signature or ciphertext. */
+  abstract string getResultType();
 }
 
 /** A method call that produces a MAC. */
@@ -37,6 +40,8 @@ private class ProduceMacCall extends ProduceCryptoCall {
       getMethod().hasStringSignature("doFinal(byte[], int)") and getArgument(0) = output
     )
   }
+
+  override string getResultType() { result = "MAC" }
 }
 
 /** A method call that produces a signature. */
@@ -49,6 +54,8 @@ private class ProduceSignatureCall extends ProduceCryptoCall {
       getMethod().hasStringSignature("sign(byte[], int, int)") and getArgument(0) = output
     )
   }
+
+  override string getResultType() { result = "signature" }
 }
 
 /**
@@ -98,6 +105,8 @@ private class ProduceCiphertextCall extends ProduceCryptoCall {
       config.hasFlowTo(DataFlow3::exprNode(this.getQualifier()))
     )
   }
+
+  override string getResultType() { result = "ciphertext" }
 }
 
 /** Holds if `fromNode` to `toNode` is a dataflow step that updates a cryptographic operation. */
@@ -173,13 +182,9 @@ private class UserInputInCryptoOperationConfig extends TaintTracking2::Configura
 
 /** A source that produces result of cryptographic operation. */
 private class CryptoOperationSource extends DataFlow::Node {
-  Expr cryptoOperation;
+  ProduceCryptoCall call;
 
-  CryptoOperationSource() {
-    exists(ProduceCryptoCall call | call.output() = this.asExpr() |
-      cryptoOperation = call.getQualifier()
-    )
-  }
+  CryptoOperationSource() { call.output() = this.asExpr() }
 
   /** Holds if remote user input was used in the cryptographic operation. */
   predicate includesUserInput() {
@@ -188,9 +193,11 @@ private class CryptoOperationSource extends DataFlow::Node {
     |
       config.hasFlowPath(source, sink)
     |
-      sink.getNode().asExpr() = cryptoOperation
+      sink.getNode().asExpr() = call.getQualifier()
     )
   }
+
+  ProduceCryptoCall getCall() { result = call }
 }
 
 /** Methods that use a non-constant-time algorithm for comparing inputs. */
@@ -329,8 +336,8 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoCo
 where
   conf.hasFlowPath(source, sink) and
   (
-    source.getNode().(CryptoOperationSource).includesUserInput() or
+    source.getNode().(CryptoOperationSource).includesUserInput() and
     sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()
   )
-select sink.getNode(), source, sink,
-  "Using a non-constant-time algorithm for comparing results of a cryptographic operation."
+select sink.getNode(), source, sink, "Using a non-constant-time method for cheching a $@.", source,
+  source.getNode().(CryptoOperationSource).getCall().getResultType()
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/NonConstantTimeCryptoComparison.expected b/java/ql/test/experimental/query-tests/security/CWE-208/NonConstantTimeCryptoComparison.expected
@@ -1,50 +1,50 @@
 edges
-| NonConstantTimeCryptoComparison.java:20:28:20:44 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:21:43:21:51 | actualMac |
-| NonConstantTimeCryptoComparison.java:29:28:29:40 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:30:84:30:92 | actualMac : byte[] |
-| NonConstantTimeCryptoComparison.java:30:84:30:92 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:30:66:30:93 | castToObjectArray(...) |
-| NonConstantTimeCryptoComparison.java:37:21:37:29 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:39:43:39:51 | actualMac |
-| NonConstantTimeCryptoComparison.java:57:28:57:40 | sign(...) : byte[] | NonConstantTimeCryptoComparison.java:58:40:58:48 | signature |
-| NonConstantTimeCryptoComparison.java:68:21:68:29 | signature : byte[] | NonConstantTimeCryptoComparison.java:69:40:69:48 | signature |
-| NonConstantTimeCryptoComparison.java:87:22:87:41 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:89:45:89:47 | tag |
-| NonConstantTimeCryptoComparison.java:102:24:102:26 | tag : byte[] | NonConstantTimeCryptoComparison.java:103:40:103:42 | tag |
-| NonConstantTimeCryptoComparison.java:116:52:116:54 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:118:40:118:42 | tag : ByteBuffer |
-| NonConstantTimeCryptoComparison.java:118:40:118:42 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:118:40:118:50 | array(...) |
-| NonConstantTimeCryptoComparison.java:128:52:128:54 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:129:49:129:51 | tag |
-| NonConstantTimeCryptoComparison.java:146:22:146:46 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:147:40:147:42 | tag |
-| NonConstantTimeCryptoComparison.java:177:34:177:50 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:180:26:180:36 | computedTag |
+| NonConstantTimeCryptoComparison.java:21:32:21:48 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:23:47:23:55 | actualMac |
+| NonConstantTimeCryptoComparison.java:33:32:33:44 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:35:88:35:96 | actualMac : byte[] |
+| NonConstantTimeCryptoComparison.java:35:88:35:96 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:35:70:35:97 | castToObjectArray(...) |
+| NonConstantTimeCryptoComparison.java:46:25:46:33 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:48:47:48:55 | actualMac |
+| NonConstantTimeCryptoComparison.java:71:32:71:44 | sign(...) : byte[] | NonConstantTimeCryptoComparison.java:73:44:73:52 | signature |
+| NonConstantTimeCryptoComparison.java:85:25:85:33 | signature : byte[] | NonConstantTimeCryptoComparison.java:87:44:87:52 | signature |
+| NonConstantTimeCryptoComparison.java:111:26:111:45 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:113:49:113:51 | tag |
+| NonConstantTimeCryptoComparison.java:128:28:128:30 | tag : byte[] | NonConstantTimeCryptoComparison.java:130:44:130:46 | tag |
+| NonConstantTimeCryptoComparison.java:146:56:146:58 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:148:44:148:46 | tag : ByteBuffer |
+| NonConstantTimeCryptoComparison.java:148:44:148:46 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:148:44:148:54 | array(...) |
+| NonConstantTimeCryptoComparison.java:160:56:160:58 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:162:53:162:55 | tag |
+| NonConstantTimeCryptoComparison.java:185:26:185:50 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:187:44:187:46 | tag |
+| NonConstantTimeCryptoComparison.java:220:34:220:50 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:223:26:223:36 | computedTag |
 nodes
-| NonConstantTimeCryptoComparison.java:20:28:20:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:21:43:21:51 | actualMac | semmle.label | actualMac |
-| NonConstantTimeCryptoComparison.java:29:28:29:40 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:30:66:30:93 | castToObjectArray(...) | semmle.label | castToObjectArray(...) |
-| NonConstantTimeCryptoComparison.java:30:84:30:92 | actualMac : byte[] | semmle.label | actualMac : byte[] |
-| NonConstantTimeCryptoComparison.java:37:21:37:29 | actualMac : byte[] | semmle.label | actualMac : byte[] |
-| NonConstantTimeCryptoComparison.java:39:43:39:51 | actualMac | semmle.label | actualMac |
-| NonConstantTimeCryptoComparison.java:57:28:57:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:58:40:58:48 | signature | semmle.label | signature |
-| NonConstantTimeCryptoComparison.java:68:21:68:29 | signature : byte[] | semmle.label | signature : byte[] |
-| NonConstantTimeCryptoComparison.java:69:40:69:48 | signature | semmle.label | signature |
-| NonConstantTimeCryptoComparison.java:87:22:87:41 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:89:45:89:47 | tag | semmle.label | tag |
-| NonConstantTimeCryptoComparison.java:102:24:102:26 | tag : byte[] | semmle.label | tag : byte[] |
-| NonConstantTimeCryptoComparison.java:103:40:103:42 | tag | semmle.label | tag |
-| NonConstantTimeCryptoComparison.java:116:52:116:54 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
-| NonConstantTimeCryptoComparison.java:118:40:118:42 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
-| NonConstantTimeCryptoComparison.java:118:40:118:50 | array(...) | semmle.label | array(...) |
-| NonConstantTimeCryptoComparison.java:128:52:128:54 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
-| NonConstantTimeCryptoComparison.java:129:49:129:51 | tag | semmle.label | tag |
-| NonConstantTimeCryptoComparison.java:146:22:146:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:147:40:147:42 | tag | semmle.label | tag |
-| NonConstantTimeCryptoComparison.java:177:34:177:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
-| NonConstantTimeCryptoComparison.java:180:26:180:36 | computedTag | semmle.label | computedTag |
+| NonConstantTimeCryptoComparison.java:21:32:21:48 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:23:47:23:55 | actualMac | semmle.label | actualMac |
+| NonConstantTimeCryptoComparison.java:33:32:33:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:35:70:35:97 | castToObjectArray(...) | semmle.label | castToObjectArray(...) |
+| NonConstantTimeCryptoComparison.java:35:88:35:96 | actualMac : byte[] | semmle.label | actualMac : byte[] |
+| NonConstantTimeCryptoComparison.java:46:25:46:33 | actualMac : byte[] | semmle.label | actualMac : byte[] |
+| NonConstantTimeCryptoComparison.java:48:47:48:55 | actualMac | semmle.label | actualMac |
+| NonConstantTimeCryptoComparison.java:71:32:71:44 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:73:44:73:52 | signature | semmle.label | signature |
+| NonConstantTimeCryptoComparison.java:85:25:85:33 | signature : byte[] | semmle.label | signature : byte[] |
+| NonConstantTimeCryptoComparison.java:87:44:87:52 | signature | semmle.label | signature |
+| NonConstantTimeCryptoComparison.java:111:26:111:45 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:113:49:113:51 | tag | semmle.label | tag |
+| NonConstantTimeCryptoComparison.java:128:28:128:30 | tag : byte[] | semmle.label | tag : byte[] |
+| NonConstantTimeCryptoComparison.java:130:44:130:46 | tag | semmle.label | tag |
+| NonConstantTimeCryptoComparison.java:146:56:146:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
+| NonConstantTimeCryptoComparison.java:148:44:148:46 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
+| NonConstantTimeCryptoComparison.java:148:44:148:54 | array(...) | semmle.label | array(...) |
+| NonConstantTimeCryptoComparison.java:160:56:160:58 | tag : ByteBuffer | semmle.label | tag : ByteBuffer |
+| NonConstantTimeCryptoComparison.java:162:53:162:55 | tag | semmle.label | tag |
+| NonConstantTimeCryptoComparison.java:185:26:185:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:187:44:187:46 | tag | semmle.label | tag |
+| NonConstantTimeCryptoComparison.java:220:34:220:50 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
+| NonConstantTimeCryptoComparison.java:223:26:223:36 | computedTag | semmle.label | computedTag |
 #select
-| NonConstantTimeCryptoComparison.java:21:43:21:51 | actualMac | NonConstantTimeCryptoComparison.java:20:28:20:44 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:21:43:21:51 | actualMac | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:30:66:30:93 | castToObjectArray(...) | NonConstantTimeCryptoComparison.java:29:28:29:40 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:30:66:30:93 | castToObjectArray(...) | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:39:43:39:51 | actualMac | NonConstantTimeCryptoComparison.java:37:21:37:29 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:39:43:39:51 | actualMac | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:58:40:58:48 | signature | NonConstantTimeCryptoComparison.java:57:28:57:40 | sign(...) : byte[] | NonConstantTimeCryptoComparison.java:58:40:58:48 | signature | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:69:40:69:48 | signature | NonConstantTimeCryptoComparison.java:68:21:68:29 | signature : byte[] | NonConstantTimeCryptoComparison.java:69:40:69:48 | signature | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:89:45:89:47 | tag | NonConstantTimeCryptoComparison.java:87:22:87:41 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:89:45:89:47 | tag | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:103:40:103:42 | tag | NonConstantTimeCryptoComparison.java:102:24:102:26 | tag : byte[] | NonConstantTimeCryptoComparison.java:103:40:103:42 | tag | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:118:40:118:50 | array(...) | NonConstantTimeCryptoComparison.java:116:52:116:54 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:118:40:118:50 | array(...) | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:129:49:129:51 | tag | NonConstantTimeCryptoComparison.java:128:52:128:54 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:129:49:129:51 | tag | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
-| NonConstantTimeCryptoComparison.java:180:26:180:36 | computedTag | NonConstantTimeCryptoComparison.java:177:34:177:50 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:180:26:180:36 | computedTag | Using a non-constant-time algorithm for comparing results of a cryptographic operation. |
+| NonConstantTimeCryptoComparison.java:23:47:23:55 | actualMac | NonConstantTimeCryptoComparison.java:21:32:21:48 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:23:47:23:55 | actualMac | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:21:32:21:48 | doFinal(...) : byte[] | MAC |
+| NonConstantTimeCryptoComparison.java:35:70:35:97 | castToObjectArray(...) | NonConstantTimeCryptoComparison.java:33:32:33:44 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:35:70:35:97 | castToObjectArray(...) | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:33:32:33:44 | doFinal(...) : byte[] | MAC |
+| NonConstantTimeCryptoComparison.java:48:47:48:55 | actualMac | NonConstantTimeCryptoComparison.java:46:25:46:33 | actualMac : byte[] | NonConstantTimeCryptoComparison.java:48:47:48:55 | actualMac | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:46:25:46:33 | actualMac : byte[] | MAC |
+| NonConstantTimeCryptoComparison.java:73:44:73:52 | signature | NonConstantTimeCryptoComparison.java:71:32:71:44 | sign(...) : byte[] | NonConstantTimeCryptoComparison.java:73:44:73:52 | signature | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:71:32:71:44 | sign(...) : byte[] | signature |
+| NonConstantTimeCryptoComparison.java:87:44:87:52 | signature | NonConstantTimeCryptoComparison.java:85:25:85:33 | signature : byte[] | NonConstantTimeCryptoComparison.java:87:44:87:52 | signature | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:85:25:85:33 | signature : byte[] | signature |
+| NonConstantTimeCryptoComparison.java:113:49:113:51 | tag | NonConstantTimeCryptoComparison.java:111:26:111:45 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:113:49:113:51 | tag | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:111:26:111:45 | doFinal(...) : byte[] | ciphertext |
+| NonConstantTimeCryptoComparison.java:130:44:130:46 | tag | NonConstantTimeCryptoComparison.java:128:28:128:30 | tag : byte[] | NonConstantTimeCryptoComparison.java:130:44:130:46 | tag | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:128:28:128:30 | tag : byte[] | ciphertext |
+| NonConstantTimeCryptoComparison.java:148:44:148:54 | array(...) | NonConstantTimeCryptoComparison.java:146:56:146:58 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:148:44:148:54 | array(...) | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:146:56:146:58 | tag : ByteBuffer | ciphertext |
+| NonConstantTimeCryptoComparison.java:162:53:162:55 | tag | NonConstantTimeCryptoComparison.java:160:56:160:58 | tag : ByteBuffer | NonConstantTimeCryptoComparison.java:162:53:162:55 | tag | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:160:56:160:58 | tag : ByteBuffer | ciphertext |
+| NonConstantTimeCryptoComparison.java:187:44:187:46 | tag | NonConstantTimeCryptoComparison.java:185:26:185:50 | doFinal(...) : byte[] | NonConstantTimeCryptoComparison.java:187:44:187:46 | tag | Using a non-constant-time method for cheching a $@. | NonConstantTimeCryptoComparison.java:185:26:185:50 | doFinal(...) : byte[] | ciphertext |
diff --git a/java/ql/test/experimental/query-tests/security/CWE-208/NonConstantTimeCryptoComparison.java b/java/ql/test/experimental/query-tests/security/CWE-208/NonConstantTimeCryptoComparison.java

Original file line number	Diff line number	Diff line change
`@@ -1,12 +1,12 @@`
`1`	`1`	`/**`
`2`		`- * @name Using a non-constant-time algorithm for comparing results of a cryptographic operation`
`3`		`- * @description When comparing results of a cryptographic operation, a constant-time algorithm should be used.`
`4`		`- * Otherwise, attackers may be able to implement a timing attack if they can control input.`
`5`		`- * A successful attack may result in leaking secrets or authentication bypass.`
	`2`	`+ * @name Using a non-constant-time algorithm for comparing MAC or signature`
	`3`	`+ * @description When checking MAC or signature, a constant-time algorithm should be used.`
	`4`	`+ * Otherwise, attackers may be able to implement a timing attack if they control inputs.`
	`5`	`+ * A successful attack may uncover a valid MAC or signature that in turn can result in authentication bypass.`
`6`	`6`	`* @kind path-problem`
`7`	`7`	`* @problem.severity warning`
`8`	`8`	`* @precision high`
`9`		`- * @id java/non-constant-time-crypto-comparison`
	`9`	`+ * @id java/non-constant-time-in-signature-check`
`10`	`10`	`* @tags security`
`11`	`11`	`* external/cwe/cwe-208`
`12`	`12`	`*/`
`@@ -25,6 +25,9 @@ abstract private class ProduceCryptoCall extends MethodAccess {`
`25`	`25`
`26`	`26`	`/** Return the result of cryptographic operation. */`
`27`	`27`	`Expr output() { result = output }`
	`28`	`+`
	`29`	`+ /** Return a type of the result of cryptographic operation such as MAC, signature or ciphertext. */`
	`30`	`+ abstract string getResultType();`
`28`	`31`	`}`
`29`	`32`
`30`	`33`	`/** A method call that produces a MAC. */`
`@@ -37,6 +40,8 @@ private class ProduceMacCall extends ProduceCryptoCall {`
`37`	`40`	`getMethod().hasStringSignature("doFinal(byte[], int)") and getArgument(0) = output`
`38`	`41`	`)`
`39`	`42`	`}`
	`43`	`+`
	`44`	`+ override string getResultType() { result = "MAC" }`
`40`	`45`	`}`
`41`	`46`
`42`	`47`	`/** A method call that produces a signature. */`
`@@ -49,6 +54,8 @@ private class ProduceSignatureCall extends ProduceCryptoCall {`
`49`	`54`	`getMethod().hasStringSignature("sign(byte[], int, int)") and getArgument(0) = output`
`50`	`55`	`)`
`51`	`56`	`}`
	`57`	`+`
	`58`	`+ override string getResultType() { result = "signature" }`
`52`	`59`	`}`
`53`	`60`
`54`	`61`	`/**`
`@@ -98,6 +105,8 @@ private class ProduceCiphertextCall extends ProduceCryptoCall {`
`98`	`105`	`config.hasFlowTo(DataFlow3::exprNode(this.getQualifier()))`
`99`	`106`	`)`
`100`	`107`	`}`
	`108`	`+`
	`109`	`+ override string getResultType() { result = "ciphertext" }`
`101`	`110`	`}`
`102`	`111`
`103`	`112`	/** Holds if `fromNode` to `toNode` is a dataflow step that updates a cryptographic operation. */
`@@ -173,13 +182,9 @@ private class UserInputInCryptoOperationConfig extends TaintTracking2::Configura`
`173`	`182`
`174`	`183`	`/** A source that produces result of cryptographic operation. */`
`175`	`184`	`private class CryptoOperationSource extends DataFlow::Node {`
`176`		`- Expr cryptoOperation;`
	`185`	`+ ProduceCryptoCall call;`
`177`	`186`
`178`		`- CryptoOperationSource() {`
`179`		`- exists(ProduceCryptoCall call \| call.output() = this.asExpr() \|`
`180`		`- cryptoOperation = call.getQualifier()`
`181`		`- )`
`182`		`- }`
	`187`	`+ CryptoOperationSource() { call.output() = this.asExpr() }`
`183`	`188`
`184`	`189`	`/** Holds if remote user input was used in the cryptographic operation. */`
`185`	`190`	`predicate includesUserInput() {`
`@@ -188,9 +193,11 @@ private class CryptoOperationSource extends DataFlow::Node {`
`188`	`193`	`\|`
`189`	`194`	`config.hasFlowPath(source, sink)`
`190`	`195`	`\|`
`191`		`- sink.getNode().asExpr() = cryptoOperation`
	`196`	`+ sink.getNode().asExpr() = call.getQualifier()`
`192`	`197`	`)`
`193`	`198`	`}`
	`199`	`+`
	`200`	`+ ProduceCryptoCall getCall() { result = call }`
`194`	`201`	`}`
`195`	`202`
`196`	`203`	`/** Methods that use a non-constant-time algorithm for comparing inputs. */`
`@@ -329,8 +336,8 @@ from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoCo`
`329`	`336`	`where`
`330`	`337`	`conf.hasFlowPath(source, sink) and`
`331`	`338`	`(`
`332`		`- source.getNode().(CryptoOperationSource).includesUserInput() or`
	`339`	`+ source.getNode().(CryptoOperationSource).includesUserInput() and`
`333`	`340`	`sink.getNode().(NonConstantTimeComparisonSink).includesUserInput()`
`334`	`341`	`)`
`335`		`-select sink.getNode(), source, sink,`
`336`		`- "Using a non-constant-time algorithm for comparing results of a cryptographic operation."`
	`342`	`+select sink.getNode(), source, sink, "Using a non-constant-time method for cheching a $@.", source,`
	`343`	`+ source.getNode().(CryptoOperationSource).getCall().getResultType()`