JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr… #12825

Merged

smiddy007
Contributor

The Forge module in CryptoLibraries.qll now correctly classifies SHA-512/224, SHA-512/256, and SHA-512/384 hashes used in message digests as NonKeyCiphers.

The purpose was to match the following code in InsufficientPasswordHash.ql:

    var hasher = forge.md.sha512.sha256.create();
    var hashed = hasher.update(password); // BAD

However, SHA512224, SHA512256, and SHA512384 are not included in the CryptoAlgorithmNames.qll file. Something else may need to be updated so that the algorithm reflected in the message digest is the truncated hash, instead of just SHA512.
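
Added example, not code from this pull request or the CodeQL repository: why a truncated SHA-512 digest of a password is still the pattern the snippet above marks as BAD, next to a salted, memory-hard alternative. It uses Node's built-in `crypto` module instead of Forge so it runs without dependencies; the function names, the scrypt parameters and the sample password are assumptions made for the illustration.

```javascript
const crypto = require('crypto');

// scrypt cost parameters (assumed values for this example; tune per deployment).
const SCRYPT_PARAMS = { N: 16384, r: 8, p: 1 };

// Weak pattern: one pass of SHA-512/256 over the password. Truncating the
// output does not add a salt or a work factor, so equal passwords always
// produce equal digests and each guess costs an attacker one hash call.
function fastTruncatedHash(password) {
  return crypto.createHash('sha512-256').update(password, 'utf8').digest('hex');
}

// Hardened pattern: per-password random salt plus a memory-hard KDF.
// The salt is stored alongside the derived key as "salt:key" in hex.
function hashPassword(password) {
  const salt = crypto.randomBytes(16);
  const key = crypto.scryptSync(password, salt, 32, SCRYPT_PARAMS);
  return `${salt.toString('hex')}:${key.toString('hex')}`;
}

// Re-derive the key with the stored salt and compare in constant time.
function verifyPassword(password, stored) {
  const [saltHex, keyHex] = stored.split(':');
  const expected = Buffer.from(keyHex, 'hex');
  const actual = crypto.scryptSync(
    password, Buffer.from(saltHex, 'hex'), expected.length, SCRYPT_PARAMS);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample input, not taken from the pull request.
const samplePassword = 'correct horse battery staple';

console.log('SHA-512/256 twice :', fastTruncatedHash(samplePassword),
  fastTruncatedHash(samplePassword));
console.log('scrypt twice      :', hashPassword(samplePassword),
  hashPassword(samplePassword));
```
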

@smiddy007 smiddy007 requested a review from a team as a code owner April 14, 2023 03:24
@github-actions github-actions bot added the JS label Apr 14, 2023
@owen-mc owen-mc changed the title Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr… JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr… Apr 14, 2023
Contributor

@asgerf asgerf left a comment

Looks good! 👍

Contributor

@asgerf asgerf left a comment

Actually, there seem to be some issues with the change note. Otherwise looks good.

@erik-krogh
Contributor

There is also a format issue in CryptoLibraries.qll.

You can run the auto-formatter either in VSCode (ctrl+shift+p: format document),
or with the command-line: codeql query format -i <path-to-CryptoLibraries.qll>.

@smiddy007 smiddy007 requested a review from asgerf April 19, 2023 17:52
@asgerf asgerf merged commit 67afbee into github:main May 2, 2023
@asgerf
Contributor

asgerf commented May 2, 2023

Thanks for the contribution @smiddy007! Sorry it took this long to get it merged

@smiddy007 smiddy007 deleted the JS-Allow-Truncated-Hash-Forge-NonKeyCipher branch May 2, 2023 18:04