don't include mode-of-operation into the algorithm names

2026-04-30 11:15:13 +02:00 · 2021-11-03 14:54:50 +01:00
parent 5975e19f53
commit 523c15cd72
3 changed files with 14 additions and 28 deletions
--- a/javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll
+++ b/javascript/ql/lib/semmle/javascript/security/CryptoAlgorithms.qll
@@ -31,22 +31,14 @@ private module AlgorithmNames {
  }

  predicate isStrongEncryptionAlgorithm(string name) {
-    name = [appendMode("AES"), "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
-  }
-
-  /**
-   * Gets the name with a mode of operation added as a suffix.
-   */
-  bindingset[name]
-  private string appendMode(string name) {
-    result = name + ["", "CBC", "ECB", "CFB", "OFB", "CTR", "GCM"]
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
  }

  predicate isWeakEncryptionAlgorithm(string name) {
    name =
      [
-        appendMode("DES"), appendMode("3DES"), "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2",
-        "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5"
+        "DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
+        "ARC5", "RC5"
      ]
  }

@@ -93,11 +85,12 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {

  /**
   * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
+   * white space, dashes, underscores, and anything after a dash in the name.
   */
  bindingset[name]
  predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+    name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1).regexpReplaceAll("[-_ ]", "") =
+      getName()
  }

  /**
--- a/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
+++ b/javascript/ql/test/query-tests/Security/CWE-326/InsufficientKeySize.expected
@@ -4,8 +4,8 @@
 | tst.js:14:14:14:60 | CryptoJ ... e: 2 }) | Creation of an symmetric PBKDF2 key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:15:14:15:60 | CryptoJ ... e: 2 }) | Creation of an symmetric EVPKDF key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:19:12:19:57 | forge.r ... rd, 64) | Creation of an symmetric RC2 key uses 64 bits, which is below 128 and considered breakable. |
-| tst.js:26:12:26:53 | forge.c ... , key2) | Creation of an symmetric AESCBC key uses 64 bits, which is below 128 and considered breakable. |
-| tst.js:30:12:30:56 | forge.c ... , key3) | Creation of an symmetric 3DESCBC key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:26:12:26:53 | forge.c ... , key2) | Creation of an symmetric AES key uses 64 bits, which is below 128 and considered breakable. |
+| tst.js:30:12:30:56 | forge.c ... , key3) | Creation of an symmetric 3DES key uses 64 bits, which is below 128 and considered breakable. |
 | tst.js:35:13:35:43 | crypto. ... an(512) | Creation of an asymmetric key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:39:13:39:33 | new Nod ... : 512}) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
 | tst.js:43:1:43:31 | key.gen ...  65537) | Creation of an asymmetric RSA key uses 512 bits, which is below 2048 and considered breakable. |
--- a/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
+++ b/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
@@ -31,22 +31,14 @@ private module AlgorithmNames {
  }

  predicate isStrongEncryptionAlgorithm(string name) {
-    name = [appendMode("AES"), "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
-  }
-
-  /**
-   * Gets the name with a mode of operation added as a suffix.
-   */
-  bindingset[name]
-  private string appendMode(string name) {
-    result = name + ["", "CBC", "ECB", "CFB", "OFB", "CTR", "GCM"]
+    name = ["AES", "AES128", "AES192", "AES256", "AES512", "RSA", "RABBIT", "BLOWFISH"]
  }

  predicate isWeakEncryptionAlgorithm(string name) {
    name =
      [
-        appendMode("DES"), appendMode("3DES"), "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2",
-        "ARC4", "RC4", "ARCFOUR", "ARC5", "RC5"
+        "DES", "3DES", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR",
+        "ARC5", "RC5"
      ]
  }

@@ -93,11 +85,12 @@ abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {

  /**
   * Holds if the name of this algorithm matches `name` modulo case,
-   * white space, dashes, and underscores.
+   * white space, dashes, underscores, and anything after a dash in the name.
   */
  bindingset[name]
  predicate matchesName(string name) {
-    name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName()
+    name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1).regexpReplaceAll("[-_ ]", "") =
+      getName()
  }

  /**