diff --git a/cpp/ql/src/experimental/crypto/example_alerts/UnknownAsymmetricKeyGen.ql b/cpp/ql/src/experimental/crypto/example_alerts/UnknownAsymmetricKeyGen.ql
new file mode 100644
index 00000000000..96575067bc6
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/UnknownAsymmetricKeyGen.ql
@@ -0,0 +1,21 @@
+/**
+ * @name Unknown key generation key size
+ * @description
+ * @id cpp/unknown-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-326
+ */
+import cpp
+
+import experimental.crypto.Concepts
+
+from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg
+where
+ alg = op.getAlgorithm() and
+ not alg instanceof EllipticCurveAlgorithm and
+ not exists(op.getKeySizeInBits(alg))
+select op, "Use of unknown asymmetric key size for algorithm $@", alg, alg.getName().toString()
+
diff --git a/cpp/ql/src/experimental/crypto/example_alerts/WeakAsymmetricKeyGen.ql b/cpp/ql/src/experimental/crypto/example_alerts/WeakAsymmetricKeyGen.ql
new file mode 100644
index 00000000000..584519c6bd1
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/WeakAsymmetricKeyGen.ql
@@ -0,0 +1,22 @@
+/**
+ * @name Weak asymmetric key generation key size (< 2048 bits)
+ * @description
+ * @id cpp/weak-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-326
+ */
+import cpp
+
+import experimental.crypto.Concepts
+
+from AsymmetricKeyGeneration op, AsymmetricAlgorithm alg, Expr configSrc, int size
+where
+ alg = op.getAlgorithm() and
+ not alg instanceof EllipticCurveAlgorithm and
+ configSrc = op.getKeyConfigurationSource(alg) and
+ size = configSrc.getValue().toInt() and
+ size < 2048
+select op, "Use of weak asymmetric key size (in bits) " + size + " configured at $@ for algorithm $@", configSrc, configSrc.toString(), alg, alg.getName().toString()
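Review bot: The `@description` tag in the query metadata is left empty, here and in WeakAsymmetricKeyGen.ql, so the alert reaches the person triaging it with no explanation of what was found. Something like ` * @description Finds asymmetric key generation where the key size could not be determined, so its strength cannot be checked.` would do for this file. `@precision high` also looks optimistic here: `not exists(op.getKeySizeInBits(alg))` fires whenever the size is not resolved, which presumably includes sizes that are adequate but only known at run time, so `@precision medium` may be the more honest setting.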
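Review bot: A key size that is not a constant produces no result in WeakAsymmetricKeyGen.ql, because `size = configSrc.getValue().toInt()` only binds when the configuration source has a constant value. Whether UnknownAsymmetricKeyGen.ql then reports that operation depends on `getKeySizeInBits`, which is defined outside this diff, so the two queries may leave a gap between them. It is worth stating the division of labour in a comment above the `where` clause, e.g. `// Only constant key sizes are checked here; unresolved sizes are left to cpp/unknown-asymmetric-key-gen-size.`, after confirming that claim against the Concepts library.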
diff --git a/cpp/ql/src/experimental/crypto/example_alerts/WeakBlockMode.ql b/cpp/ql/src/experimental/crypto/example_alerts/WeakBlockMode.ql
new file mode 100644
index 00000000000..5bb52e6b230
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/WeakBlockMode.ql
@@ -0,0 +1,32 @@
+/**
+* @name Weak block mode
+* @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted.
+* @id cpp/weak-block-mode
+* @kind problem
+* @problem.severity error
+* @precision high
+* @tags security
+* external/cwe/cwe-327
+*/
+import cpp
+import experimental.crypto.Concepts
+
+from BlockModeAlgorithm alg, string name, string msg, Expr confSink
+where
+exists(string tmpMsg |
+ (
+ (name = alg.getBlockModeName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized block mode algorithm.")
+ or
+ (
+ name != unknownAlgorithm() and
+ name = alg.getBlockModeName() and
+ not name = ["CBC","CTS","XTS"] and
+ tmpMsg = "Use of weak block mode algorithm " + name + "."
+ )
+ )
+ and
+ if alg.hasConfigurationSink() and alg.configurationSink() != alg
+ then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
+ else (confSink = alg and msg = tmpMsg)
+)
+select alg, msg, confSink, confSink.toString()
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/crypto/example_alerts/WeakEllipticCurve.ql b/cpp/ql/src/experimental/crypto/example_alerts/WeakEllipticCurve.ql
new file mode 100644
index 00000000000..6548e928405
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/WeakEllipticCurve.ql
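Review bot: The allowlist `not name = ["CBC","CTS","XTS"]` in WeakBlockMode.ql has no authenticated mode on it, so if the Concepts library recognises names such as GCM or CCM (not visible in this diff), those uses are reported as "Use of weak block mode algorithm". That would steer code away from AEAD modes and toward unauthenticated CBC. If the omission is a deliberate policy, say so in a comment next to the list; otherwise extend it, e.g. `not name = ["CBC","CTS","XTS","GCM","CCM"] and`, using whatever spellings `getBlockModeName()` actually returns.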
@@ -0,0 +1,38 @@
+/**
+ * @name Weak elliptic curve
+ * @description Finds uses of weak, unknown, or otherwise unaccepted elliptic curve algorithms.
+ * @id cpp/weak-elliptic-curve
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-327
+ */
+import cpp
+import experimental.crypto.Concepts
+
+from EllipticCurveAlgorithm alg, string name, string msg, Expr confSink
+where
+exists(string tmpMsg |
+ (
+ (name = alg.getCurveName() and name = unknownAlgorithm() and tmpMsg = "Use of unrecognized curve algorithm.")
+ or
+ (
+ name != unknownAlgorithm() and
+ name = alg.getCurveName() and
+ not name = ["SECP256R1", "PRIME256V1",//P-256
+ "SECP384R1", //P-384
+ "SECP521R1", //P-521
+ "NUMSP256T1",
+ "NUMSP384T1",
+ "NUMSP512T1",
+ "ED25519", "X25519"] and
+ tmpMsg = "Use of weak curve algorithm " + name + "."
+ )
+ )
+ and
+ if alg.hasConfigurationSink() and alg.configurationSink() != alg
+ then (confSink = alg.configurationSink() and msg = tmpMsg + " Algorithm used at sink: $@.")
+ else (confSink = alg and msg = tmpMsg)
+)
+select alg, msg, confSink, confSink.toString()
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/crypto/example_alerts/WeakEncryption.ql b/cpp/ql/src/experimental/crypto/example_alerts/WeakEncryption.ql
new file mode 100644
index 00000000000..f81fd3bfd41
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/WeakEncryption.ql
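Review bot: The curve allowlist in WeakEllipticCurve.ql is compared by exact string, and it carries two spellings for P-256 (`"SECP256R1"`, `"PRIME256V1"`) but only one for every other curve. Unless `getCurveName()` folds aliases and case into a single name (its definition is outside this diff), an approved curve that reaches the query under another spelling would be reported as weak. A comment above the list would settle it, e.g. `// Names are the normalised values returned by getCurveName(); add aliases here if the library does not fold them.`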
@@ -0,0 +1,35 @@
+/**
+ * @name Weak cryptography
+ * @description Finds explicit uses of symmetric encryption algorithms that are weak, unknown, or otherwise unaccepted.
+ * @kind problem
+ * @id cpp/weak-crypto/banned-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-327
+ */
+
+import cpp
+import experimental.crypto.Concepts
+
+
+from SymmetricEncryptionAlgorithm alg, Expr confSink, string msg
+where
+exists (string resMsg |
+ (
+ if alg.getEncryptionName() = unknownAlgorithm()
+ then (
+ alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm: " + alg.(Literal).getValueText().toString() + "."
+ or
+ not alg instanceof Literal and resMsg = "Use of unrecognized symmetric encryption algorithm."
+ )
+ else (not alg.getEncryptionName().matches("AES%") and resMsg = "Use of banned symmetric encryption algorithm: " + alg.getEncryptionName() + ".")
+ )
+ and
+ (
+ if alg.hasConfigurationSink() and alg.configurationSink() != alg
+ then (confSink = alg.configurationSink() and msg = resMsg + " Algorithm used at sink: $@.")
+ else (confSink = alg and msg = resMsg)
+ )
+)
+select alg, msg, confSink, confSink.toString()
diff --git a/cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql b/cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql
new file mode 100644
index 00000000000..041696cb80c
--- /dev/null
+++ b/cpp/ql/src/experimental/crypto/example_alerts/WeakHashes.ql
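Review bot: `@name Weak cryptography` in WeakEncryption.ql is also the `@name` of WeakHashes.ql, so alerts from the two queries will appear under the same title and can only be told apart by `@id`. Give each its own name, e.g. ` * @name Banned symmetric encryption algorithm` here and ` * @name Banned hash algorithm` in WeakHashes.ql. Separately, `matches("AES%")` accepts any name that merely starts with AES; an exact list of the names `getEncryptionName()` can return would make the approved set explicit.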
@@ -0,0 +1,36 @@
+/**
+ * @name Weak cryptography
+ * @description Finds explicit uses of cryptographic hash algorithms that are weak and obsolete.
+ * @kind problem
+ * @id cpp/weak-crypto/banned-hash-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags security
+ * external/cwe/cwe-327
+ */
+
+import cpp
+import semmle.code.cpp.dataflow.DataFlow as ASTDataFlow
+import experimental.crypto.Concepts
+
+from HashAlgorithm alg, Expr confSink, string msg
+where
+exists(string name, string msgTmp | name = alg.getHashName() |
+ not name = ["SHA256", "SHA384", "SHA512"] and
+ (
+ if name = unknownAlgorithm()
+ then
+ (
+ not alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm."
+ or
+ alg instanceof Literal and msgTmp = "Use of unrecognized hash algorithm: " + alg.(Literal).getValueText().toString() + "."
+
+ )
+ else msgTmp = "Use of banned hash algorithm " + name + "."
+ )
+ and
+ if alg.hasConfigurationSink() and alg.configurationSink() != alg
+ then (confSink = alg.configurationSink() and msg = msgTmp + " Algorithm used at sink: $@.")
+ else (confSink = alg and msg = msgTmp)
+ )
+select alg, msg, confSink, confSink.toString()
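Review bot: The `@description` in WeakHashes.ql says the query finds hash algorithms that are "weak and obsolete", but the `where` clause reports everything not in `["SHA256", "SHA384", "SHA512"]`, including unrecognized names. Any modern hash that the library models but the list omits would therefore be reported as banned. The description should state the actual rule, e.g. ` * @description Finds uses of hash algorithms other than the approved SHA256, SHA384 and SHA512, including algorithms that are not recognized.` The `ASTDataFlow` import is not referenced anywhere in this hunk and can probably be dropped.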