diff --git a/java/ql/src/experimental/quantum/Analysis/NonceReuse.ql b/java/ql/src/experimental/quantum/Analysis/NonceReuse.ql deleted file mode 100644 index f185e48d6b2..00000000000 --- a/java/ql/src/experimental/quantum/Analysis/NonceReuse.ql +++ /dev/null @@ -1,17 +0,0 @@ -/** - * @name Reuse of cryptographic nonce - * @description Reuse of nonce in cryptographic operations can lead to vulnerabilities. - * @id java/quantum/reused-nonce - * @kind problem - * @problem.severity error - * @precision medium - * @tags quantum - * experimental - */ - -import java -import ArtifactReuse - -from Crypto::NonceArtifactNode nonce1, Crypto::NonceArtifactNode nonce2 -where isArtifactReuse(nonce1, nonce2) -select nonce1, "Reuse with nonce $@", nonce2, nonce2.toString() \ No newline at end of file diff --git a/java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql b/java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql index ed2872bb67e..c90dbbf5746 100644 --- a/java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql +++ b/java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql @@ -4,7 +4,7 @@ * @id java/quantum/reused-nonce * @kind problem * @problem.severity error - * @precision medium + * @precision high * @tags quantum * experimental */ diff --git a/java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql b/java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql index 9ae4ea9130e..57a40bf7621 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql @@ -1,5 +1,5 @@ /** - * @name Weak Asymetric Key Size + * @name Weak Asymmetric Key Size * @id java/quantum/weak-asymmetric-key-size * @description An asymmetric cipher with a short key size is in use * @kind problem @@ -20,5 +20,5 @@ where // Can't be an elliptic curve not Crypto::isEllipticCurveAlgorithmName(algName) select op, - "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " + - algName.toString() + " at config source $@", configSrc, configSrc.toString() \ No newline at end of file + "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " + + algName.toString() + " at config source $@", configSrc, configSrc.toString() diff --git a/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql b/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql index 3a2d9765915..fee89507176 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql @@ -15,15 +15,17 @@ import experimental.quantum.Language class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode { WeakAESBlockModeAlgNode() { this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and - (this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR() + ( + this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or + this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or + this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or + this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR() ) } } from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode -where op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and - codeNode = op.getAnOutputArtifact() +where + op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and + codeNode = op.getAnOutputArtifact() select op, "Weak AES block mode instance." diff --git a/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql b/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql index 74a3a19d472..39bd8c6e463 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql @@ -1,19 +1,34 @@ /** * @name Weak hashes * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak. - * @id java/quantum/slices/weak-hashes + * @id java/quantum/weak-hashes * @kind problem * @problem.severity error * @precision high * @tags external/cwe/cwe-327 + * quantum + * experimental */ import java import experimental.quantum.Language -from Crypto::HashAlgorithmNode alg, string name, string msg +from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg where - name = alg.getAlgorithmName() and - not name in ["SHA256", "SHA384", "SHA512", "SHA-256", "SHA-384", "SHA-512"] and - msg = "Use of unapproved hash algorithm or API " + name + "." + htype = alg.getHashType() and + ( + htype != Crypto::SHA2() and + msg = "Use of unapproved hash algorithm or API " + htype.toString() + "." + or + htype = Crypto::SHA2() and + not exists(alg.getDigestLength()) and + msg = + "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size." + or + htype = Crypto::SHA2() and + alg.getDigestLength() < 256 and + msg = + "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" + + alg.getDigestLength() + ")." + ) select alg, msg diff --git a/java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql b/java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql index 789d7952997..1bae9ebef4f 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql @@ -1,7 +1,7 @@ /** * @name Weak known key derivation function output length * @description Detects key derivation operations with a known weak output length - * @id java/quantum/weak-kdf-iteration-count + * @id java/quantum/weak-kdf-key-size * @kind problem * @problem.severity error * @precision high @@ -17,4 +17,4 @@ where op.getOutputKeySize().asElement() = l and l.getValue().toInt() < 256 select op, "Key derivation operation configures output key length below 256: $@", l, - l.getValue().toString() \ No newline at end of file + l.getValue().toString() diff --git a/java/ql/src/experimental/quantum/Analysis/WeakRSA.ql b/java/ql/src/experimental/quantum/Analysis/WeakRSA.ql index 5ed405fe3d9..f365b4d7e75 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakRSA.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakRSA.ql @@ -11,14 +11,15 @@ import experimental.quantum.Language -class WeakRSAAlgorithmNode extends Crypto::KeyOperationAlgorithmNode { - WeakRSAAlgorithmNode() { +class WeakRsaAlgorithmNode extends Crypto::KeyOperationAlgorithmNode { + WeakRsaAlgorithmNode() { this.getAlgorithmType() = Crypto::KeyOpAlg::TAsymmetricCipher(Crypto::KeyOpAlg::RSA()) and this.getKeySizeFixed() < 2048 } } from Crypto::KeyOperationNode op, string message -where op.getAKnownAlgorithm() instanceof WeakRSAAlgorithmNode and - message = "Weak RSA instance found with key length <2048" +where + op.getAKnownAlgorithm() instanceof WeakRsaAlgorithmNode and + message = "Weak RSA instance found with key length <2048" select op, message diff --git a/java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql b/java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql index 8d938e7dd1b..00e59ebe484 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql @@ -1,19 +1,30 @@ /** * @name Weak symmetric ciphers * @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak. - * @id java/quantum/slices/weak-ciphers + * @id java/quantum/weak-ciphers * @kind problem * @problem.severity error * @precision high * @tags external/cwe/cwe-327 + * quantum + * experimental */ import java import experimental.quantum.Language +import Crypto::KeyOpAlg as KeyOpAlg -from Crypto::KeyOperationAlgorithmNode alg, string name, string msg +from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType, string msg where - name = alg.getAlgorithmName() and - name in ["DES", "TripleDES", "DoubleDES", "RC2", "RC4", "IDEA", "Blowfish"] and - msg = "Use of unapproved symmetric cipher algorithm or API: " + name + "." -select alg, msg \ No newline at end of file + algType = alg.getAlgorithmType() and + ( + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA()) or + algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH()) + ) and + msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "." +select alg, msg diff --git a/shared/quantum/codeql/quantum/experimental/Standardization.qll b/shared/quantum/codeql/quantum/experimental/Standardization.qll index c713865f9ac..aac9e30c3b6 100644 --- a/shared/quantum/codeql/quantum/experimental/Standardization.qll +++ b/shared/quantum/codeql/quantum/experimental/Standardization.qll @@ -344,7 +344,7 @@ module Types { /** * Elliptic curve algorithms */ - newtype TEllipticCurveFamilyType = + newtype TEllipticCurveType = NIST() or SEC() or NUMS() or @@ -357,7 +357,7 @@ module Types { ES() or OtherEllipticCurveType() - class EllipticCurveFamilyType extends TEllipticCurveFamilyType { + class EllipticCurveType extends TEllipticCurveType { string toString() { this = NIST() and result = "NIST" or @@ -445,7 +445,7 @@ module Types { */ bindingset[rawName] predicate ellipticCurveNameToKnownKeySizeAndFamilyMapping( - string rawName, int keySize, TEllipticCurveFamilyType curveFamily + string rawName, int keySize, TEllipticCurveType curveFamily ) { exists(string curveName | curveName = rawName.toUpperCase() | isSecCurve(curveName, keySize) and curveFamily = SEC()