add modules

java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll

@@ -15,6 +15,8 @@ abstract class InsufficientKeySizeSink extends DataFlow::Node {
   predicate hasState(DataFlow::FlowState state) { state instanceof DataFlow::FlowStateEmpty }
 }
 
+private module Asymmetric {
+  private module NonEllipticCurve {
     /** A source for an insufficient key size used in RSA, DSA, and DH algorithms. */
     private class AsymmetricNonEcSource extends InsufficientKeySizeSource {
       AsymmetricNonEcSource() {
@@ -26,49 +28,6 @@ private class AsymmetricNonEcSource extends InsufficientKeySizeSource {
       }
     }
 
-/** A source for an insufficient key size used in elliptic curve (EC) algorithms. */
-private class AsymmetricEcSource extends InsufficientKeySizeSource {
-  AsymmetricEcSource() {
-    this.asExpr().(IntegerLiteral).getIntValue() < getMinAsymEcKeySize()
-    or
-    // the below is needed for cases when the key size is embedded in the curve name
-    getEcKeySize(this.asExpr().(StringLiteral).getValue()) < getMinAsymEcKeySize()
-  }
-
-  override predicate hasState(DataFlow::FlowState state) {
-    state = getMinAsymEcKeySize().toString()
-  }
-}
-
-/** A source for an insufficient key size used in AES algorithms. */
-private class SymmetricSource extends InsufficientKeySizeSource {
-  SymmetricSource() { this.asExpr().(IntegerLiteral).getIntValue() < getMinSymKeySize() }
-
-  override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() }
-}
-
-/** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
-private int getMinAsymNonEcKeySize() { result = 2048 }
-
-/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-private int getMinAsymEcKeySize() { result = 256 }
-
-/** Returns the minimum recommended key size for AES algorithms. */
-private int getMinSymKeySize() { result = 128 }
-
-/** Returns the key size from an EC algorithm's curve name string */
-bindingset[algorithm]
-private int getEcKeySize(string algorithm) {
-  algorithm.matches("sec%") and // specification such as "secp256r1"
-  result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
-  or
-  algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
-  result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
-  or
-  (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
-  result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
-}
-
     /** A sink for an insufficient key size used in RSA, DSA, and DH algorithms. */
     private class AsymmetricNonEcSink extends InsufficientKeySizeSink {
       AsymmetricNonEcSink() {
@@ -86,6 +45,37 @@ private class AsymmetricNonEcSink extends InsufficientKeySizeSink {
       }
     }
 
+    /** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
+    private int getMinAsymNonEcKeySize() { result = 2048 }
+
+    /** An instance of an RSA, DSA, or DH algorithm specification. */
+    private class AsymmetricNonEcSpec extends ClassInstanceExpr {
+      AsymmetricNonEcSpec() {
+        this.getConstructedType() instanceof RsaKeyGenParameterSpec or
+        this.getConstructedType() instanceof DsaGenParameterSpec or
+        this.getConstructedType() instanceof DhGenParameterSpec
+      }
+
+      /** Gets the `keysize` argument of this instance. */
+      Argument getKeySizeArg() { result = this.getArgument(0) }
+    }
+  }
+
+  private module EllipticCurve {
+    /** A source for an insufficient key size used in elliptic curve (EC) algorithms. */
+    private class AsymmetricEcSource extends InsufficientKeySizeSource {
+      AsymmetricEcSource() {
+        this.asExpr().(IntegerLiteral).getIntValue() < getMinAsymEcKeySize()
+        or
+        // the below is needed for cases when the key size is embedded in the curve name
+        getEcKeySize(this.asExpr().(StringLiteral).getValue()) < getMinAsymEcKeySize()
+      }
+
+      override predicate hasState(DataFlow::FlowState state) {
+        state = getMinAsymEcKeySize().toString()
+      }
+    }
+
     /** A sink for an insufficient key size used in elliptic curve (EC) algorithms. */
     private class AsymmetricEcSink extends InsufficientKeySizeSink {
       AsymmetricEcSink() {
@@ -103,17 +93,29 @@ private class AsymmetricEcSink extends InsufficientKeySizeSink {
       }
     }
 
-/** A sink for an insufficient key size used in AES algorithms. */
-private class SymmetricSink extends InsufficientKeySizeSink {
-  SymmetricSink() {
-    exists(SymmetricInitMethodAccess ma, SymmetricKeyGenerator kg |
-      kg.getAlgoName() = "AES" and
-      DataFlow::localExprFlow(kg, ma.getQualifier()) and
-      this.asExpr() = ma.getKeySizeArg()
-    )
+    /** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
+    private int getMinAsymEcKeySize() { result = 256 }
+
+    /** Returns the key size from an EC algorithm's curve name string */
+    bindingset[algorithm]
+    private int getEcKeySize(string algorithm) {
+      algorithm.matches("sec%") and // specification such as "secp256r1"
+      result = algorithm.regexpCapture("sec[p|t](\\d+)[a-zA-Z].*", 1).toInt()
+      or
+      algorithm.matches("X9.62%") and //specification such as "X9.62 prime192v2"
+      result = algorithm.regexpCapture("X9\\.62 .*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
+      or
+      (algorithm.matches("prime%") or algorithm.matches("c2tnb%")) and //specification such as "prime192v2"
+      result = algorithm.regexpCapture(".*[a-zA-Z](\\d+)[a-zA-Z].*", 1).toInt()
     }
 
-  override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() }
+    /** An instance of an elliptic curve (EC) algorithm specification. */
+    private class AsymmetricEcSpec extends ClassInstanceExpr {
+      AsymmetricEcSpec() { this.getConstructedType() instanceof EcGenParameterSpec }
+
+      /** Gets the `keysize` argument of this instance. */
+      Argument getKeySizeArg() { result = this.getArgument(0) }
+    }
   }
 
   /**
@@ -130,20 +132,6 @@ private class AsymmetricInitMethodAccess extends MethodAccess {
     Argument getKeySizeArg() { result = this.getArgument(0) }
   }
 
-/** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
-private class SymmetricInitMethodAccess extends MethodAccess {
-  SymmetricInitMethodAccess() { this.getMethod() instanceof KeyGeneratorInitMethod }
-
-  /** Gets the `keysize` argument of this call. */
-  Argument getKeySizeArg() { result = this.getArgument(0) }
-}
-
-/** An instance of a generator that specifies an encryption algorithm. */
-abstract private class AlgoGeneratorObject extends CryptoAlgoSpec {
-  /** Returns an uppercase string representing the algorithm name specified by this generator object. */
-  string getAlgoName() { result = this.getAlgoSpec().(StringLiteral).getValue().toUpperCase() }
-}
-
   /**
    * An instance of a `java.security.KeyPairGenerator`
    * or of a `java.security.AlgorithmParameterGenerator`.
@@ -162,28 +150,48 @@ private class AsymmetricKeyGenerator extends AlgoGeneratorObject {
         ]
     }
   }
+}
+
+private module Symmetric {
+  /** A source for an insufficient key size used in AES algorithms. */
+  private class SymmetricSource extends InsufficientKeySizeSource {
+    SymmetricSource() { this.asExpr().(IntegerLiteral).getIntValue() < getMinSymKeySize() }
+
+    override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() }
+  }
+
+  /** A sink for an insufficient key size used in AES algorithms. */
+  private class SymmetricSink extends InsufficientKeySizeSink {
+    SymmetricSink() {
+      exists(SymmetricInitMethodAccess ma, SymmetricKeyGenerator kg |
+        kg.getAlgoName() = "AES" and
+        DataFlow::localExprFlow(kg, ma.getQualifier()) and
+        this.asExpr() = ma.getKeySizeArg()
+      )
+    }
+
+    override predicate hasState(DataFlow::FlowState state) { state = getMinSymKeySize().toString() }
+  }
+
+  /** Returns the minimum recommended key size for AES algorithms. */
+  private int getMinSymKeySize() { result = 128 }
+
+  /** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
+  private class SymmetricInitMethodAccess extends MethodAccess {
+    SymmetricInitMethodAccess() { this.getMethod() instanceof KeyGeneratorInitMethod }
+
+    /** Gets the `keysize` argument of this call. */
+    Argument getKeySizeArg() { result = this.getArgument(0) }
+  }
 
   /** An instance of a `javax.crypto.KeyGenerator`. */
   private class SymmetricKeyGenerator extends AlgoGeneratorObject instanceof JavaxCryptoKeyGenerator {
     override Expr getAlgoSpec() { result = JavaxCryptoKeyGenerator.super.getAlgoSpec() }
   }
-
-/** An instance of an RSA, DSA, or DH algorithm specification. */
-private class AsymmetricNonEcSpec extends ClassInstanceExpr {
-  AsymmetricNonEcSpec() {
-    this.getConstructedType() instanceof RsaKeyGenParameterSpec or
-    this.getConstructedType() instanceof DsaGenParameterSpec or
-    this.getConstructedType() instanceof DhGenParameterSpec
 }
 
-  /** Gets the `keysize` argument of this instance. */
-  Argument getKeySizeArg() { result = this.getArgument(0) }
-}
-
-/** An instance of an elliptic curve (EC) algorithm specification. */
-private class AsymmetricEcSpec extends ClassInstanceExpr {
-  AsymmetricEcSpec() { this.getConstructedType() instanceof EcGenParameterSpec }
-
-  /** Gets the `keysize` argument of this instance. */
-  Argument getKeySizeArg() { result = this.getArgument(0) }
+/** An instance of a generator that specifies an encryption algorithm. */
+abstract private class AlgoGeneratorObject extends CryptoAlgoSpec {
+  /** Returns an uppercase string representing the algorithm name specified by this generator object. */
+  string getAlgoName() { result = this.getAlgoSpec().(StringLiteral).getValue().toUpperCase() }
 }