Skip to content

Commit f245dc3

Browse files
Removed hashes from NotConstantTimeCryptoComparison.ql
1 parent 8a69b7b commit f245dc3

File tree

8 files changed

+25
-44
lines changed

8 files changed

+25
-44
lines changed

java/ql/src/experimental/Security/CWE/CWE-208/NotConstantTimeCryptoComparison.qhelp

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -3,7 +3,7 @@
33

44
<overview>
55
<p>
6-
When comparing results of cryptographic operations, such as MAC or cryptographic hash,
6+
When comparing results of cryptographic operations, such as MAC or digital signature,
77
a constant time algorithm should be used. In other words, the comparison time should not depend on
88
the content of the input. Otherwise, an attacker may be able to implement a timing attack.
99
A successful timing attack may result in leaking secrets or authentication bypass.
@@ -20,15 +20,15 @@ and does not depend on the contents of the arrays.
2020

2121
<example>
2222
<p>
23-
The following example uses <code>Arrays.equals()</code> method for comparing cryptographic hashes.
23+
The following example uses <code>Arrays.equals()</code> method for comparing MAC.
2424
This method implements a not-constant time algorithm:
2525
</p>
26-
<sample src="UnsafeCryptoHashComparison.java" />
26+
<sample src="UnsafeMacComparison.java" />
2727

2828
<p>
29-
The next example example uses a safe not-constant time algorithm for comparing cryptographic hashes:
29+
The next example example uses a safe not-constant time algorithm for comparing MAC:
3030
</p>
31-
<sample src="SafeCryptoHashComparison.java" />
31+
<sample src="SafeMacComparison.java" />
3232

3333
</example>
3434

java/ql/src/experimental/Security/CWE/CWE-208/NotConstantTimeCryptoComparison.ql

Lines changed: 0 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -26,9 +26,6 @@ private class ReturnCryptoOperatinoResultMethod extends Method {
2626
or
2727
getDeclaringType().hasQualifiedName("java.security", "Signature") and
2828
hasName("sign")
29-
or
30-
getDeclaringType().hasQualifiedName("java.security", "MessageDigest") and
31-
hasName("digest")
3229
}
3330
}
3431

java/ql/src/experimental/Security/CWE/CWE-208/SafeCryptoHashComparison.java

Lines changed: 0 additions & 5 deletions
This file was deleted.
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception {
2+
Mac mac = Mac.getInstance("HmacSHA256");
3+
mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
4+
byte[] actual = mac.doFinal(data);
5+
return MessageDigest.isEqual(expected, actual);
6+
}

java/ql/src/experimental/Security/CWE/CWE-208/UnsafeCryptoHashComparison.java

Lines changed: 0 additions & 5 deletions
This file was deleted.
Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,6 @@
1+
public boolean check(byte[] expected, byte[] data, SecretKey key) throws Exception {
2+
Mac mac = Mac.getInstance("HmacSHA256");
3+
mac.init(new SecretKeySpec(key.getEncoded(), "HmacSHA256"));
4+
byte[] actual = mac.doFinal(data);
5+
return Arrays.equals(expected, actual);
6+
}
Lines changed: 8 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,15 @@
11
edges
22
| NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac |
3-
| NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | NotConstantTimeCryptoComparison.java:29:16:29:21 | actual |
4-
| NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:45:40:45:48 | signature |
5-
| NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:62:40:62:42 | tag |
3+
| NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:31:40:31:48 | signature |
4+
| NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:48:40:48:42 | tag |
65
nodes
76
| NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
87
| NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | semmle.label | actualMac |
9-
| NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | semmle.label | digest(...) : byte[] |
10-
| NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | semmle.label | actual |
11-
| NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
12-
| NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | semmle.label | signature |
13-
| NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
14-
| NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | semmle.label | tag |
8+
| NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | semmle.label | sign(...) : byte[] |
9+
| NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | semmle.label | signature |
10+
| NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | semmle.label | doFinal(...) : byte[] |
11+
| NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | semmle.label | tag |
1512
#select
1613
| NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | NotConstantTimeCryptoComparison.java:14:28:14:44 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:15:43:15:51 | actualMac | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
17-
| NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | NotConstantTimeCryptoComparison.java:28:36:28:50 | digest(...) : byte[] | NotConstantTimeCryptoComparison.java:29:16:29:21 | actual | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
18-
| NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | NotConstantTimeCryptoComparison.java:44:28:44:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:45:40:45:48 | signature | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
19-
| NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | NotConstantTimeCryptoComparison.java:61:22:61:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:62:40:62:42 | tag | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
14+
| NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | NotConstantTimeCryptoComparison.java:30:28:30:40 | sign(...) : byte[] | NotConstantTimeCryptoComparison.java:31:40:31:48 | signature | Using a not-constant time algorithm for comparison results of a cryptographic operation. |
15+
| NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | NotConstantTimeCryptoComparison.java:47:22:47:46 | doFinal(...) : byte[] | NotConstantTimeCryptoComparison.java:48:40:48:42 | tag | Using a not-constant time algorithm for comparison results of a cryptographic operation. |

java/ql/test/experimental/query-tests/security/CWE-208/NotConstantTimeCryptoComparison.java

Lines changed: 0 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -22,20 +22,6 @@ public boolean saferMacCheck(byte[] expectedMac, byte[] data) throws Exception {
2222
return MessageDigest.isEqual(expectedMac, actualMac);
2323
}
2424

25-
// BAD: compare hashes using a not-constant time method
26-
public boolean unsafeCheckMessageDigest(String expectedHash, byte[] data) throws Exception {
27-
MessageDigest md = MessageDigest.getInstance("SHA-256");
28-
String actual = new String(md.digest(data));
29-
return actual.equals(expectedHash);
30-
}
31-
32-
// GOOD: compare hashes using a constant time method
33-
public boolean saferCheckMessageDigest(byte[] expected, byte[] data) throws Exception {
34-
MessageDigest md = MessageDigest.getInstance("SHA-256");
35-
byte[] actual = md.digest(data);
36-
return MessageDigest.isEqual(expected, actual);
37-
}
38-
3925
// BAD: compare signatures using a not-constant time method
4026
public boolean unsafeCheckSignatures(byte[] expected, byte[] data, PrivateKey key) throws Exception {
4127
Signature engine = Signature.getInstance("SHA256withRSA");

0 commit comments

Comments
 (0)