github · bdrodes · Oct 1, 2025 · Oct 1, 2025 · Oct 8, 2025 · Oct 8, 2025
@@ -40,7 +40,7 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+  override Crypto::EllipticCurveType getEllipticCurveType() {
     if
       Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
         _)

@@ -72,7 +72,7 @@ class KnownOpenSslHashConstantAlgorithmInstance extends OpenSslAlgorithmInstance
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  override Crypto::THashType getHashFamily() {
+  override Crypto::THashType getHashType() {
     knownOpenSslConstantToHashFamilyType(this, result)
     or
     not knownOpenSslConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()

@@ -110,7 +110,8 @@ module JCAModel {
   predicate signature_names(string name) {
     name.toUpperCase().splitAt("WITH", 1).matches(["RSA%", "ECDSA%", "DSA%"])
     or
-    name.toUpperCase().matches(["RSASSA-PSS", "ED25519", "ED448", "EDDSA", "ML-DSA%", "HSS/LMS"])
+    name.toUpperCase()
+        .matches(["RSASSA-PSS", "ED25519", "ED448", "EDDSA", "ML-DSA%", "HSS/LMS", "DSA"])
   }
 
   bindingset[name]
@@ -257,6 +258,8 @@ module JCAModel {
     name.toUpperCase().matches("ML-DSA%") and type = KeyOpAlg::TSignature(KeyOpAlg::DSA())
     or
     name.toUpperCase() = "HSS/LMS" and type = KeyOpAlg::TSignature(KeyOpAlg::HSS_LMS())
+    or
+    name.toUpperCase() = "DSA" and type = KeyOpAlg::TSignature(KeyOpAlg::DSA())
   }
 
   bindingset[name]
@@ -426,7 +429,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getPadding() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -859,7 +862,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = super.getValue() }
 
-    override Crypto::THashType getHashFamily() {
+    override Crypto::THashType getHashType() {
       result = hash_name_to_type_known(this.getRawHashAlgorithmName(), _)
     }
 
@@ -1019,7 +1022,8 @@ module JCAModel {
   }
 
   class KeyGenerationAlgorithmValueConsumer extends CipherAlgorithmValueConsumer,
-    KeyAgreementAlgorithmValueConsumer, EllipticCurveAlgorithmValueConsumer instanceof Expr
+    KeyAgreementAlgorithmValueConsumer, EllipticCurveAlgorithmValueConsumer,
+    SignatureAlgorithmValueConsumer instanceof Expr
   {
     KeyGeneratorGetInstanceCall instantiationCall;
 
@@ -1095,21 +1099,6 @@ module JCAModel {
     }
   }
 
-  /**
-   * An instance of `java.security.SecureRandom.nextBytes(byte[])` call.
-   * This is already generally modeled for Java in CodeQL, but
-   * we model it again as part of the crypto API model to have a cohesive model.
-   */
-  class JavaSecuritySecureRandom extends Crypto::RandomNumberGenerationInstance instanceof Call {
-    JavaSecuritySecureRandom() {
-      this.getCallee().hasQualifiedName("java.security", "SecureRandom", "nextBytes")
-    }
-
-    override Crypto::DataFlowNode getOutputNode() { result.asExpr() = this.(Call).getArgument(0) }
-
-    override string getGeneratorName() { result = this.(Call).getCallee().getName() }
-  }
-
   class KeyGeneratorGenerateCall extends Crypto::KeyGenerationOperationInstance instanceof MethodCall
   {
     Crypto::KeyArtifactType type;
@@ -1302,7 +1291,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hash_name_to_type_known(hashName, _) }
+    override Crypto::THashType getHashType() { result = hash_name_to_type_known(hashName, _) }
 
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
@@ -1770,7 +1759,7 @@ module JCAModel {
 
     override string getRawHashAlgorithmName() { result = this.(StringLiteral).getValue() }
 
-    override Crypto::THashType getHashFamily() { result = hashType }
+    override Crypto::THashType getHashType() { result = hashType }
 
     override int getFixedDigestLength() { result = digestLength }
   }
@@ -1905,7 +1894,7 @@ module JCAModel {
 
     override string getRawEllipticCurveName() { result = super.getValue() }
 
-    override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+    override Crypto::EllipticCurveType getEllipticCurveType() {
       if
         Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, _)
       then

@@ -93,8 +93,9 @@ private class GenericRemoteDataSource extends Crypto::GenericRemoteDataSource {
   override string getAdditionalDescription() { result = this.toString() }
 }
 
-private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
-  ConstantDataSource() {
+private class ConstantDataSourceLiteral extends Crypto::GenericConstantSourceInstance instanceof Literal
+{
+  ConstantDataSourceLiteral() {
     // TODO: this is an API specific workaround for JCA, as 'EC' is a constant that may be used
     // where typical algorithms are specified, but EC specifically means set up a
     // default curve container, that will later be specified explicitly (or if not a default)
@@ -112,6 +113,20 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i
   override string getAdditionalDescription() { result = this.toString() }
 }
 
+private class ConstantDataSourceArrayInitializer extends Crypto::GenericConstantSourceInstance instanceof ArrayInit
+{
+  ConstantDataSourceArrayInitializer() { this.getAnInit() instanceof Literal }
+
+  override DataFlow::Node getOutputNode() { result.asExpr() = this }
+
+  override predicate flowsTo(Crypto::FlowAwareElement other) {
+    // TODO: separate config to avoid blowing up data-flow analysis
+    GenericDataSourceFlow::flow(this.getOutputNode(), other.getInputNode())
+  }
+
+  override string getAdditionalDescription() { result = this.toString() }
+}
+
 /**
  * An instance of random number generation, modeled as the expression
  * tied to an output node (i.e., the result of the source of randomness)
@@ -215,7 +230,7 @@ module ArtifactFlowConfig implements DataFlow::ConfigSig {
 
 module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;
 
-module ArtifactFlow = DataFlow::Global<ArtifactFlowConfig>;
+module ArtifactFlow = TaintTracking::Global<ArtifactFlowConfig>;
 
 // Import library-specific modeling
 import JCA
@@ -8,7 +8,7 @@ import experimental.quantum.Language
  * NOTE: TODO: need to handle call by refernece for now. Need to re-evaluate (see notes below)
  * Such functions may be 'wrappers' for some derived value.
  */
-private module WrapperConfig implements DataFlow::ConfigSig {
+private module ArtifactGeneratingWrapperConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     source.asExpr() instanceof Call and
     // not handling references yet, I think we want to flat say references are only ok
@@ -28,25 +28,41 @@ private module WrapperConfig implements DataFlow::ConfigSig {
   predicate isSink(DataFlow::Node sink) { sink.asExpr() = any(Crypto::ArtifactNode i).asElement() }
 }
 
-module WrapperFlow = DataFlow::Global<WrapperConfig>;
+module ArtifactGeneratingWrapperFlow = TaintTracking::Global<ArtifactGeneratingWrapperConfig>;
 
 /**
  * Using a set approach to determine if reuse of an artifact exists.
  * This predicate produces a set of 'wrappers' that flow to the artifact node.
  * This set can be compared with the set to another artifact node to determine if they are the same.
  */
-private DataFlow::Node getWrapperSet(Crypto::NonceArtifactNode a) {
-  WrapperFlow::flow(result, DataFlow::exprNode(a.asElement()))
+private DataFlow::Node getGeneratingWrapperSet(Crypto::NonceArtifactNode a) {
+  ArtifactGeneratingWrapperFlow::flow(result, DataFlow::exprNode(a.asElement()))
   or
   result.asExpr() = a.getSourceElement()
 }
 
+private predicate ancestorOfArtifact(
+  Crypto::ArtifactNode a, Callable enclosingCallable, ControlFlow::Node midOrTarget
+) {
+  a.asElement().(Expr).getEnclosingCallable() = enclosingCallable and
+  (
+    midOrTarget.asExpr() = a.asElement() or
+    midOrTarget.asExpr().(Call).getCallee().calls*(a.asElement().(Expr).getEnclosingCallable())
+  )
+}
+
 /**
  * Two different artifact nodes are considered reuse if any of the following conditions are met:
  * 1. The source for artifact `a` and artifact `b` are the same and the source is a literal.
  * 2. The source for artifact `a` and artifact `b` are not the same and the source is a literal of the same value.
- * 3. For all 'wrappers' that return the source of artifact `a`, and that wrapper also exists for artifact `b`.
- * 4. For all 'wrappers' that return the source of artifact `b`, and that wrapper also exists for artifact `a`.
+ * 3. For all 'wrappers' that return the source of artifact `a`, and each wrapper also exists for artifact `b`.
+ * 4. For all 'wrappers' that return the source of artifact `b`, and each wrapper also exists for artifact `a`.
+ *
+ * The above conditions determine that the use of the IV is from the same source, but the use may
+ * be on separate code paths that do not occur sequentially. We must therefore also find a common callable ancestor
+ * for both uses, and in that ancestor, there must be control flow from the call or use of one to the call or use of the other.
+ * Note that if no shared ancestor callable exists, it means the flow is more nuanced and ignore the shared ancestor
+ * use flow.
  */
 predicate isArtifactReuse(Crypto::ArtifactNode a, Crypto::ArtifactNode b) {
   a != b and
@@ -55,12 +71,32 @@ predicate isArtifactReuse(Crypto::ArtifactNode a, Crypto::ArtifactNode b) {
     or
     a.getSourceElement().(Literal).getValue() = b.getSourceElement().(Literal).getValue()
     or
-    forex(DataFlow::Node e | e = getWrapperSet(a) |
-      exists(DataFlow::Node e2 | e2 = getWrapperSet(b) | e = e2)
+    forex(DataFlow::Node e | e = getGeneratingWrapperSet(a) |
+      exists(DataFlow::Node e2 | e2 = getGeneratingWrapperSet(b) | e = e2)
     )
     or
-    forex(DataFlow::Node e | e = getWrapperSet(b) |
-      exists(DataFlow::Node e2 | e2 = getWrapperSet(a) | e = e2)
+    forex(DataFlow::Node e | e = getGeneratingWrapperSet(b) |
+      exists(DataFlow::Node e2 | e2 = getGeneratingWrapperSet(a) | e = e2)
+    )
+  ) and
+  // If there is a common parent, there is control flow between the two uses in the parent
+  // TODO: this logic needs to be examined/revisited to ensure it is correct
+  (
+    exists(Callable commonParent |
+      ancestorOfArtifact(a, commonParent, _) and
+      ancestorOfArtifact(b, commonParent, _)
+    )
+    implies
+    exists(Callable commonParent, ControlFlow::Node aMid, ControlFlow::Node bMid |
+      ancestorOfArtifact(a, commonParent, aMid) and
+      ancestorOfArtifact(b, commonParent, bMid) and
+      a instanceof Crypto::NonceArtifactNode and
+      b instanceof Crypto::NonceArtifactNode and
+      (
+        aMid.getASuccessor*() = bMid
+        or
+        bMid.getASuccessor*() = aMid
+      )
     )
   )
 }
@@ -0,0 +1,51 @@
+/**
+ * @name Insecure nonce/iv (static value or weak random source)
+ * @id java/quantum/insecure-iv-or-nonce
+ * @description A nonce/iv is generated from a source that is not secure. This can lead to
+ *              vulnerabilities such as replay attacks or key recovery. Insecure generation
+ *              is any static nonce, or any known insecure source for a nonce/iv if
+ *              the value is used for an encryption operation (decryption operations are ignored
+ *              as the nonce/iv would be provided alongside the ciphertext).
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+from Crypto::NonceArtifactNode nonce, Crypto::NodeBase src, Crypto::NodeBase op, string msg
+where
+  nonce.getSourceNode() = src and
+  // NOTE: null nonces should be handled seaparately, often used for default values prior to initialization
+  // failure to initialize should, in practice, lead to a NullPointerException, which is a separate concern
+  // however there may be APIs where NULL uses a default nonce or action.
+  not src.asElement() instanceof NullLiteral and
+  (
+    // Case 1: Any constant nonce/iv is bad, regardless of how it is used
+    src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op = nonce and // binding op by not using it
+    msg = "Nonce or IV uses constant source $@"
+    or
+    // Case 2: The nonce has a non-random source and there is no known operation for the nonce
+    //         assume it is used for encryption
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    not exists(Crypto::CipherOperationNode o | o.getANonce() = nonce) and
+    op = nonce and // binding op, but not using it
+    msg =
+      "Nonce or IV uses insecure source $@ with no observed nonce usage (assuming could be for encryption)."
+    or
+    // Case 3: The nonce has a non-random source and is used in an encryption operation
+    not src.asElement() instanceof SecureRandomnessInstance and
+    not src.asElement() instanceof Crypto::GenericConstantSourceInstance and
+    op.(Crypto::CipherOperationNode).getANonce() = nonce and
+    (
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TEncryptMode
+      or
+      op.(Crypto::CipherOperationNode).getKeyOperationSubtype() instanceof Crypto::TWrapMode
+    ) and
+    msg = "Nonce or IV uses insecure source $@ at encryption operation $@"
+  )
+select nonce, msg, src, src.toString(), op, op.toString()
@@ -0,0 +1,25 @@
+/**
+ * @name Cipher not AES-GCM mode
+ * @id java/quantum/non-aes-gcm
+ * @description An AES cipher is in use without GCM
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import experimental.quantum.Language
+
+class NonAESGCMAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
+  NonAESGCMAlgorithmNode() {
+    this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    this.getModeOfOperation().getModeType() != Crypto::KeyOpAlg::GCM()
+  }
+}
+
+from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
+where
+  op.getAKnownAlgorithm() instanceof NonAESGCMAlgorithmNode and
+  codeNode = op.getAnOutputArtifact()
+select op, "Non-AES-GCM instance."