Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 5c474f6

Browse files
artem-smotrakovartem-smotrakov
committed
Better comments and descriptions
1 parent f245dc3 commit 5c474f6

2 files changed

Lines changed: 17 additions & 24 deletions

File tree

java/ql/src/experimental/Security/CWE/CWE-208/NotConstantTimeCryptoComparison.qhelp

Lines changed: 4 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -21,12 +21,12 @@ and does not depend on the contents of the arrays.
2121
<example>
2222
<p>
2323
The following example uses <code>Arrays.equals()</code> method for comparing MAC.
24-
This method implements a not-constant time algorithm:
24+
This method implements a non-constant time algorithm:
2525
</p>
2626
<sample src="UnsafeMacComparison.java" />
2727

2828
<p>
29-
The next example example uses a safe not-constant time algorithm for comparing MAC:
29+
The next example uses a safe constant time algorithm for comparing MAC:
3030
</p>
3131
<sample src="SafeMacComparison.java" />
3232

@@ -35,19 +35,11 @@ The next example example uses a safe not-constant time algorithm for comparing M
3535
<references>
3636
<li>
3737
Wikipedia:
38-
<a href="https://en.wikipedia.org/wiki/Timing_attack">Timint attack</a>.
39-
</li>
40-
li>
41-
Common Weakness Enumeration:
42-
<a href="https://cwe.mitre.org/data/definitions/208.html">CWE-208: Observable Timing Discrepancy</a>.
43-
</li>
44-
<li>
45-
Common Weakness Enumeration:
46-
<a href="https://cwe.mitre.org/data/definitions/385.html">CWE-385: Covert Timing Channel</a>.
38+
<a href="https://en.wikipedia.org/wiki/Timing_attack">Timing attack</a>.
4739
</li>
4840
<li>
4941
Java API Specification:
50-
<a href="https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html#isEqual-byte:A-byte:A-">MessageDigest.isEqual() method</a>
42+
<a href="https://docs.oracle.com/en/java/javase/11/docs/api/java.base/java/security/MessageDigest.html#isEqual(byte[],byte[])">MessageDigest.isEqual() method</a>
5143
</li>
5244
</references>
5345
</qhelp>

java/ql/src/experimental/Security/CWE/CWE-208/NotConstantTimeCryptoComparison.ql

Lines changed: 13 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,14 @@
11
/**
2-
* @name Using a not-constant time algorithm for comparison results of a cryptographic operation
2+
* @name Using a non-constant time algorithm for comparing results of a cryptographic operation
33
* @description When comparing results of a cryptographic operation, a constant time algorithm should be used.
44
* Otherwise, an attacker may be able to implement a timing attack.
55
* A successful attack may result in leaking secrets or authentication bypass.
66
* @kind path-problem
77
* @problem.severity error
88
* @precision high
9-
* @id java/not-constant-time-crypto-comparison
9+
* @id java/non-constant-time-crypto-comparison
1010
* @tags security
11+
* external/cwe/cwe-385
1112
* external/cwe/cwe-208
1213
*/
1314

@@ -16,11 +17,11 @@ import semmle.code.java.dataflow.TaintTracking
1617
import DataFlow::PathGraph
1718

1819
/**
19-
* A method that returns a result of a cryptographic operation
20+
* A method that returns the result of a cryptographic operation
2021
* such as encryption, decryption, signing, etc.
2122
*/
22-
private class ReturnCryptoOperatinoResultMethod extends Method {
23-
ReturnCryptoOperatinoResultMethod() {
23+
private class ReturnCryptoOperationResultMethod extends Method {
24+
ReturnCryptoOperationResultMethod() {
2425
getDeclaringType().hasQualifiedName("javax.crypto", ["Mac", "Cipher"]) and
2526
hasName("doFinal")
2627
or
@@ -30,14 +31,14 @@ private class ReturnCryptoOperatinoResultMethod extends Method {
3031
}
3132

3233
/**
33-
* A configuration that tracks data flows from cryptographic operations
34-
* to methods that compare data using a not-constant time algorithm.
34+
* A configuration that tracks data flow from cryptographic operations
35+
* to methods that compare data using a non-constant time algorithm.
3536
*/
36-
private class NotConstantTimeCryptoComparisonConfig extends TaintTracking::Configuration {
37-
NotConstantTimeCryptoComparisonConfig() { this = "NotConstantTimeCryptoComparisonConfig" }
37+
private class NonConstantTimeCryptoComparisonConfig extends TaintTracking::Configuration {
38+
NonConstantTimeCryptoComparisonConfig() { this = "NonConstantTimeCryptoComparisonConfig" }
3839

3940
override predicate isSource(DataFlow::Node source) {
40-
exists(MethodAccess ma | ma.getMethod() instanceof ReturnCryptoOperatinoResultMethod |
41+
exists(MethodAccess ma | ma.getMethod() instanceof ReturnCryptoOperationResultMethod |
4142
ma = source.asExpr()
4243
)
4344
}
@@ -59,7 +60,7 @@ private class NotConstantTimeCryptoComparisonConfig extends TaintTracking::Confi
5960
}
6061
}
6162

62-
from DataFlow::PathNode source, DataFlow::PathNode sink, NotConstantTimeCryptoComparisonConfig conf
63+
from DataFlow::PathNode source, DataFlow::PathNode sink, NonConstantTimeCryptoComparisonConfig conf
6364
where conf.hasFlowPath(source, sink)
6465
select sink.getNode(), source, sink,
65-
"Using a not-constant time algorithm for comparison results of a cryptographic operation."
66+
"Using a non-constant time algorithm for comparing results of a cryptographic operation."

0 commit comments

Comments
 (0)