Merge pull request #14289 from microsoft/jb1/16-cryptography-models-libraries-and-queries-migration

16 cryptography models libraries and queries migration

python/ql/lib/experimental/cryptography/Concepts.qll

@@ -0,0 +1,6 @@
+import experimental.cryptography.CryptoArtifact
+import experimental.cryptography.CryptoAlgorithmNames
+import semmle.python.ApiGraphs
+import experimental.cryptography.modules.stdlib.HashlibModule as HashLibModule
+import experimental.cryptography.modules.stdlib.HmacModule as HMacModule
+import experimental.cryptography.modules.CryptographyModule as CryptographyModule

python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -0,0 +1,228 @@
+/**
+ * Names of known cryptographic algorithms.
+ * The names are standardized into upper-case, no spaces, dashes or underscores.
+ */
+
+/**
+ * Returns a string to represent generally unknown algorithms.
+ * Predicate is to be used to get a consistent string representation
+ * for unknown algorithms.
+ */
+string unknownAlgorithm() { result = "UNKNOWN" }
+
+string getHashType() { result = "HASH" }
+
+string getSymmetricEncryptionType() { result = "SYMMETRIC_ENCRYPTION" }
+
+string getAsymmetricEncryptionType() { result = "ASYMMETRIC_ENCRYPTION" }
+
+string getKeyDerivationType() { result = "KEY_DERIVATION" }
+
+string getCipherBlockModeType() { result = "BLOCK_MODE" }
+
+string getSymmetricPaddingType() { result = "SYMMETRIC_PADDING" }
+
+string getAsymmetricPaddingType() { result = "ASYMMETRIC_PADDING" }
+
+string getEllipticCurveType() { result = "ELLIPTIC_CURVE" }
+
+string getSignatureType() { result = "SIGNATURE" }
+
+string getKeyExchangeType() { result = "KEY_EXCHANGE" }
+
+predicate isKnownType(string algType) {
+  algType in [
+      getHashType(), getSymmetricEncryptionType(), getAsymmetricEncryptionType(),
+      getKeyDerivationType(), getCipherBlockModeType(), getSymmetricPaddingType(),
+      getAsymmetricPaddingType(), getEllipticCurveType(), getSignatureType(), getKeyExchangeType()
+    ]
+}
+
+predicate isKnownAlgorithm(string name) { isKnownAlgorithm(name, _) }
+
+predicate isKnownAlgorithm(string name, string algType) {
+  isHashingAlgorithm(name) and algType = "HASH"
+  or
+  isEncryptionAlgorithm(name, algType) and
+  algType in ["SYMMETRIC_ENCRYPTION", "ASYMMETRIC_ENCRYPTION"]
+  or
+  isKeyDerivationAlgorithm(name) and algType = "KEY_DERIVATION"
+  or
+  isCipherBlockModeAlgorithm(name) and algType = "BLOCK_MODE"
+  or
+  isPaddingAlgorithm(name, algType) and algType in ["SYMMETRIC_PADDING", "ASYMMETRIC_PADDING"]
+  or
+  isEllipticCurveAlgorithm(name) and algType = "ELLIPTIC_CURVE"
+  or
+  isSignatureAlgorithm(name) and algType = "SIGNATURE"
+  or
+  isKeyExchangeAlgorithm(name) and algType = "KEY_EXCHANGE"
+}
+
+/**
+ * Holds if `name` is a known hashing algorithm in the model/library.
+ */
+predicate isHashingAlgorithm(string name) {
+  name =
+    [
+      "BLAKE2", "BLAKE2B", "BLAKE2S", "SHA2", "SHA224", "SHA256", "SHA384", "SHA512", "SHA512224",
+      "SHA512256", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512", "SHAKE128", "SHAKE256",
+      "SM3", "WHIRLPOOL", "POLY1305", "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD",
+      "RIPEMD128", "RIPEMD256", "RIPEMD160", "RIPEMD320", "SHA0", "SHA1", "SHA", "MGF1", "MGF1SHA1",
+      "MDC2", "SIPHASH"
+    ]
+}
+
+predicate isEncryptionAlgorithm(string name, string algType) {
+  isAsymmetricEncryptionAlgorithm(name) and algType = "ASYMMETRIC_ENCRYPTION"
+  or
+  isSymmetricEncryptionAlgorithm(name) and algType = "SYMMETRIC_ENCRYPTION"
+}
+
+predicate isEncryptionAlgorithm(string name) { isEncryptionAlgorithm(name, _) }
+
+/**
+ * Holds if `name` corresponds to a known symmetric encryption algorithm.
+ */
+predicate isSymmetricEncryptionAlgorithm(string name) {
+  // NOTE: AES is meant to caputure all possible key lengths
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5",
+      "CAMELLIA", "CAMELLIA128", "CAMELLIA192", "CAMELLIA256", "CHACHA", "CHACHA20",
+      "CHACHA20POLY1305", "GOST", "GOSTR34102001", "GOSTR341094", "GOSTR341194", "GOST2814789",
+      "GOSTR341194", "GOST2814789", "GOST28147", "GOSTR341094", "GOST89", "GOST94", "GOST34102012",
+      "GOST34112012", "IDEA", "RABBIT", "SEED", "SM4", "DES", "DESX", "3DES", "TDES", "2DES",
+      "DES3", "TRIPLEDES", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4", "ARCFOUR", "ARC5",
+      "RC5", "MAGMA", "KUZNYECHIK"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known key derivation algorithm.
+ */
+predicate isKeyDerivationAlgorithm(string name) {
+  name =
+    [
+      "ARGON2", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC", "KBKDFCMAC", "BCRYPT", "HKDF",
+      "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2", "PBKDF2HMAC", "PKCS5", "SCRYPT",
+      "X963KDF", "EVPKDF"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a known cipher block mode
+ */
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["CBC", "GCM", "CCM", "CFB", "OFB", "CFB8", "CTR", "OPENPGP", "XTS", "EAX", "SIV", "ECB"]
+}
+
+/**
+ * Holds if `name` corresponds to a known padding algorithm
+ */
+predicate isPaddingAlgorithm(string name, string algType) {
+  isSymmetricPaddingAlgorithm(name) and algType = "SYMMETRIC_PADDING"
+  or
+  isAsymmetricPaddingAlgorithm(name) and algType = "ASYMMETRIC_PADDING"
+}
+
+/**
+ * holds if `name` corresponds to a known symmetric padding algorithm
+ */
+predicate isSymmetricPaddingAlgorithm(string name) { name = ["PKCS7", "ANSIX923"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric padding algorithm
+ */
+predicate isAsymmetricPaddingAlgorithm(string name) { name = ["OAEP", "PKCS1V15", "PSS", "KEM"] }
+
+predicate isBrainpoolCurve(string curveName, int keySize) {
+  // ALL BRAINPOOL CURVES
+  keySize in [160, 192, 224, 256, 320, 384, 512] and
+  (
+    curveName = "BRAINPOOLP" + keySize.toString() + "R1"
+    or
+    curveName = "BRAINPOOLP" + keySize.toString() + "T1"
+  )
+}
+
+predicate isSecCurve(string curveName, int keySize) {
+  // ALL SEC CURVES
+  keySize in [112, 113, 128, 131, 160, 163, 192, 193, 224, 233, 239, 256, 283, 384, 409, 521, 571] and
+  exists(string suff | suff in ["R1", "R2", "K1"] |
+    curveName = "SECT" + keySize.toString() + suff or
+    curveName = "SECP" + keySize.toString() + suff
+  )
+}
+
+predicate isC2Curve(string curveName, int keySize) {
+  // ALL C2 CURVES
+  keySize in [163, 176, 191, 208, 239, 272, 304, 359, 368, 431] and
+  exists(string pre, string suff |
+    pre in ["PNB", "ONB", "TNB"] and suff in ["V1", "V2", "V3", "V4", "V5", "W1", "R1"]
+  |
+    curveName = "C2" + pre + keySize.toString() + suff
+  )
+}
+
+predicate isPrimeCurve(string curveName, int keySize) {
+  // ALL PRIME CURVES
+  keySize in [192, 239, 256] and
+  exists(string suff | suff in ["V1", "V2", "V3"] | curveName = "PRIME" + keySize.toString() + suff)
+}
+
+predicate isEllipticCurveAlgorithm(string curveName) { isEllipticCurveAlgorithm(curveName, _) }
+
+/**
+ * Holds if `name` corresponds to a known elliptic curve.
+ */
+predicate isEllipticCurveAlgorithm(string curveName, int keySize) {
+  isSecCurve(curveName, keySize)
+  or
+  isBrainpoolCurve(curveName, keySize)
+  or
+  isC2Curve(curveName, keySize)
+  or
+  isPrimeCurve(curveName, keySize)
+  or
+  curveName = "ES256" and keySize = 256
+  or
+  curveName = "CURVE25519" and keySize = 255
+  or
+  curveName = "X25519" and keySize = 255
+  or
+  curveName = "ED25519" and keySize = 255
+  or
+  curveName = "CURVE448" and keySize = 448 // TODO: need to check the key size
+  or
+  curveName = "ED448" and keySize = 448
+  or
+  curveName = "X448" and keySize = 448
+  or
+  curveName = "NUMSP256T1" and keySize = 256
+  or
+  curveName = "NUMSP384T1" and keySize = 384
+  or
+  curveName = "NUMSP512T1" and keySize = 512
+}
+
+/**
+ * Holds if `name` corresponds to a known signature algorithm.
+ */
+predicate isSignatureAlgorithm(string name) {
+  name =
+    [
+      "DSA", "ECDSA", "EDDSA", "ES256", "ES256K", "ES384", "ES512", "ED25519", "ED448", "ECDSA256",
+      "ECDSA384", "ECDSA512"
+    ]
+}
+
+/**
+ * Holds if `name` is a key exchange algorithm.
+ */
+predicate isKeyExchangeAlgorithm(string name) { name = ["ECDH", "DIFFIEHELLMAN", "X25519", "X448"] }
+
+/**
+ * Holds if `name` corresponds to a known asymmetric encryption.
+ */
+predicate isAsymmetricEncryptionAlgorithm(string name) { name = ["RSA"] }

python/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -0,0 +1,264 @@
+import python
+private import semmle.python.ApiGraphs
+private import experimental.cryptography.CryptoAlgorithmNames
+private import experimental.cryptography.utils.Utils as Utils
+
+/*
+ * A cryptographic artifact is a DataFlow::Node associated with some
+ * operation, algorithm, or any other aspect of cryptography.
+ */
+
+abstract class CryptographicArtifact extends DataFlow::Node { }
+
+/**
+ * Associates a symmetric encryption algorithm with a block mode.
+ * The DataFlow::Node representing this association should be the
+ * point where the algorithm and block mode are combined.
+ * This may be at the call to encryption or in the construction
+ * of an object prior to encryption.
+ */
+abstract class SymmetricCipher extends CryptographicArtifact {
+  abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
+
+  abstract BlockMode getBlockMode();
+
+  final predicate hasBlockMode() { exists(this.getBlockMode()) }
+}
+
+/**
+ * A cryptographic operation is a method call that invokes a cryptographic
+ * algorithm (encrypt/decrypt) or a function in support of a cryptographic algorithm
+ * (key generation).
+ *
+ * Since operations are related to or in support of algorithms, operations must
+ * provide a reference to their associated algorithm. Often operataions themselves
+ * encapsulate algorithms, so operations can also extend CryptographicAlgorithm
+ * and refer to themselves as the target algorithm.
+ */
+abstract class CryptographicOperation extends CryptographicArtifact, API::CallNode {
+  bindingset[paramName, ind]
+  final DataFlow::Node getParameterSource(int ind, string paramName) {
+    result = Utils::getUltimateSrcFromApiNode(this.(API::CallNode).getParameter(ind, paramName))
+  }
+
+  final string getAlgorithmName() {
+    if exists(this.getAlgorithm().getName())
+    then result = this.getAlgorithm().getName()
+    else result = unknownAlgorithm()
+  }
+
+  final predicate hasAlgorithm() { exists(this.getAlgorithm()) }
+
+  final predicate isUnknownAlgorithm() {
+    this.getAlgorithmName() = unknownAlgorithm()
+    or
+    not this.hasAlgorithm()
+  }
+
+  // TODO: this might have to be parameterized by a configuration source for
+  //       situations where an operation is passed an algorithm
+  abstract CryptographicAlgorithm getAlgorithm();
+}
+
+/** A key generation operation for asymmetric keys */
+abstract class KeyGen extends CryptographicOperation {
+  int getAKeySizeInBits() { result = this.getKeySizeInBits(_) }
+
+  final predicate hasKeySize(DataFlow::Node configSrc) { exists(this.getKeySizeInBits(configSrc)) }
+
+  final predicate hasKeySize() { exists(this.getAKeySizeInBits()) }
+
+  abstract DataFlow::Node getKeyConfigSrc();
+
+  abstract int getKeySizeInBits(DataFlow::Node configSrc);
+}
+
+abstract class AsymmetricKeyGen extends KeyGen { }
+
+abstract class SymmetricKeyGen extends KeyGen { }
+
+/**
+ * A cryptographic algorithm is a `CryptographicArtifact`
+ * representing a cryptographic algorithm (see `CryptoAlgorithmNames.qll`).
+ * Cryptographic algorithms can be functions referencing common crypto algorithms (e.g., hashlib.md5)
+ * or strings that are used in cryptographic operation configurations (e.g., hashlib.new("md5")).
+ * Cryptogrpahic algorithms may also be operations that wrap or abstract one or
+ * more algorithms (e.g., cyrptography.fernet.Fernet and AES, CBC and PKCS7).
+ *
+ * In principle, this class should model the location where an algorithm enters the program, not
+ * necessarily where it is used.
+ */
+abstract class CryptographicAlgorithm extends CryptographicArtifact {
+  abstract string getName();
+
+  // TODO: handle case where name isn't known, not just unknown?
+  /**
+   * Normalizes a raw name into a normalized name as found in `CryptoAlgorithmNames.qll`.
+   * Subclassess should override for more api-specific normalization.
+   * By deafult, converts a raw name to upper-case with no hyphen, underscore, hash, or space.
+   */
+  bindingset[s]
+  string normalizeName(string s) {
+    exists(string normStr | normStr = s.toUpperCase().regexpReplaceAll("[-_ ]", "") |
+      result = normStr and isKnownAlgorithm(result)
+      or
+      result = unknownAlgorithm() and not isKnownAlgorithm(normStr)
+    )
+  }
+}
+
+// class UnknownAlgorithm extends DataFlow::Node instanceof CryptographicAlgorithm{
+//   UnknownAlgorithm(){
+//     super.getName() = unknownAlgorithm()
+//   }
+// }
+abstract class HashAlgorithm extends CryptographicAlgorithm {
+  final string getHashName() {
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then isHashingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
+  final string getKDFName() {
+    if exists(string n | n = this.getName() and isKeyDerivationAlgorithm(n))
+    then isKeyDerivationAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyDerivationOperation extends CryptographicOperation {
+  DataFlow::Node getIterationSizeSrc() { none() }
+
+  DataFlow::Node getSaltConfigSrc() { none() }
+
+  DataFlow::Node getHashConfigSrc() { none() }
+
+  // TODO: get encryption algorithm for CBC-based KDF?
+  DataFlow::Node getDerivedKeySizeSrc() { none() }
+
+  DataFlow::Node getModeSrc() { none() }
+
+  // TODO: add more to cover all the parameters of most KDF operations? Perhaps subclass for each type?
+  abstract predicate requiresIteration();
+
+  abstract predicate requiresSalt();
+
+  abstract predicate requiresHash();
+
+  //abstract predicate requiresKeySize(); // Going to assume all requires a size
+  abstract predicate requiresMode();
+}
+
+/**
+ * A parent class to represent any algorithm for which
+ * asymmetric cryptography is involved.
+ * Intended to be distinct from AsymmetricEncryptionAlgorithm
+ * which is intended only for asymmetric algorithms that specifically encrypt.
+ */
+abstract class AsymmetricAlgorithm extends CryptographicAlgorithm { }
+
+abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
+  final predicate isAsymmetric() { this instanceof AsymmetricEncryptionAlgorithm }
+
+  final predicate isSymmetric() { not this.isAsymmetric() }
+  // NOTE: DO_NOT add getEncryptionName here, we rely on the fact the parent
+  //       class does not have this common predicate.
+}
+
+/**
+ * Algorithms directly or indirectly related to asymmetric encryption,
+ * e.g., RSA, DSA, but also RSA padding algorithms
+ */
+abstract class AsymmetricEncryptionAlgorithm extends AsymmetricAlgorithm, EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isAsymmetricEncryptionAlgorithm(n))
+    then isAsymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+/**
+ * Algorithms directly or indirectly related to symmetric encryption,
+ * e.g., AES, DES, but also block modes and padding
+ */
+abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
+  final string getEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+  // TODO: add a stream cipher predicate?
+}
+
+// Used only to categorize all padding into a single object,
+// DO_NOT add predicates here. Only for categorization purposes.
+abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
+
+abstract class SymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isSymmetricPaddingAlgorithm(n))
+    then isSymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class AsymmetricPadding extends PaddingAlgorithm {
+  final string getPaddingName() {
+    if exists(string n | n = this.getName() and isAsymmetricPaddingAlgorithm(n))
+    then isAsymmetricPaddingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
+  final string getCurveName() {
+    if exists(string n | n = this.getName() and isEllipticCurveAlgorithm(n))
+    then isEllipticCurveAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
+}
+
+abstract class BlockMode extends CryptographicAlgorithm {
+  final string getBlockModeName() {
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then isCipherBlockModeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+
+  /**
+   * Gets the source of the IV configuration.
+   */
+  abstract DataFlow::Node getIVorNonce();
+
+  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+}
+
+abstract class KeyWrapOperation extends CryptographicOperation { }
+
+abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
+  final string getAuthticatedEncryptionName() {
+    if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
+    then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
+  final string getKeyExchangeName() {
+    if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))
+    then isKeyExchangeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class SigningAlgorithm extends AsymmetricAlgorithm {
+  final string getSigningName() {
+    if exists(string n | n = this.getName() and isSignatureAlgorithm(n))
+    then isSignatureAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}

python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll

@@ -0,0 +1,237 @@
+import python
+import semmle.python.ApiGraphs
+import experimental.cryptography.CryptoArtifact
+private import experimental.cryptography.utils.Utils as Utils
+private import experimental.cryptography.CryptoAlgorithmNames
+
+/**
+ * `hashlib` is a ptyhon standard library module for hashing algorithms.
+ *    https://docs.python.org/3/library/hashlib.html
+ * This is an abstract class to reference all hashlib artifacts.
+ */
+// -----------------------------------------------
+// Hash Artifacts
+// -----------------------------------------------
+module Hashes {
+  /**
+   * Represents a hash algorithm used by `hashlib.new`, where the hash algorithm is a string in the first argument.
+   */
+  class HashlibNewHashAlgorithm extends HashAlgorithm {
+    HashlibNewHashAlgorithm() {
+      this =
+        Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib")
+              .getMember("new")
+              .getACall()
+              .getParameter(0, "name"))
+    }
+
+    override string getName() {
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN
+      not this.asExpr() instanceof StrConst and result = unknownAlgorithm()
+    }
+  }
+
+  /**
+   * Identifies hashlib.pbdkf2_hmac calls, identifying the hash algorithm used
+   * in the hmac (matching kdf is handled separately by `HashlibPbkdf2HMACArtifact`).
+   *
+   *   https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
+   */
+  class HashlibPbkdf2HMACHashAlgorithm extends HashAlgorithm {
+    HashlibPbkdf2HMACHashAlgorithm() {
+      this =
+        Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib")
+              .getMember("pbkdf2_hmac")
+              .getACall()
+              .getParameter(0, "hash_name"))
+    }
+
+    override string getName() {
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      // if not a known/static string, assume from an outside source and the algorithm is UNKNOWN
+      not this.asExpr() instanceof StrConst and result = unknownAlgorithm()
+    }
+  }
+
+  /**
+   *  Gets a call to `hashlib.file_digest` where the hash algorithm is the first argument in `digest`
+   * `nameSrc` is the source of the first argument.
+   *
+   *    https://docs.python.org/3/library/hashlib.html#hashlib.file_digest
+   *
+   *  NOTE: the digest argument can be, in addition to a string,
+   *  a callable that returns a hash object or a hash constructor.
+   *  These cases are not considered here since they would be detected separately.
+   *  Specifically, other non-string cases are themselves considered sources for alerts, e.g.,
+   *  references to hashlib.sha512 is found by `HashlibMemberAlgorithm`.
+   *  The only exception is if the source is not a string constant or HashlibMemberAlgorithm.
+   *  In these cases, the algorithm is considered 'UNKNOWN'.
+   */
+  class HashlibFileDigestAlgorithm extends HashAlgorithm {
+    HashlibFileDigestAlgorithm() {
+      this =
+        Utils::getUltimateSrcFromApiNode(API::moduleImport("hashlib")
+              .getMember("file_digest")
+              .getACall()
+              .getParameter(1, "digest")) and
+      // Ignore sources that are hash constructors, allow `HashlibMemberAlgorithm` to detect these
+      this != hashlibMemberHashAlgorithm(_) and
+      // Ignore sources that are HMAC objects, to be handled by HmacModule
+      this != API::moduleImport("hmac").getMember("new").getACall() and
+      this != API::moduleImport("hmac").getMember("HMAC").getACall()
+    }
+
+    override string getName() {
+      // Name is a string constant or consider the name unknown
+      // NOTE: we are excluding hmac.new and hmac.HMAC constructor calls so we are expecting
+      //      a string or an outside configuration only
+      result = super.normalizeName(this.asExpr().(StrConst).getText())
+      or
+      not this.asExpr() instanceof StrConst and
+      result = unknownAlgorithm()
+    }
+  }
+
+  /**
+   * Gets a member access of hashlib that is an algorithm invocation.
+   * `hashName` is the name of the hash algorithm.
+   *
+   * Note: oringally a variant of this predicate was in codeql/github/main
+   *       to a predicate to avoid a bad join order.
+   */
+  // Copying use of nomagic from similar predicate in codeql/main
+  pragma[nomagic]
+  DataFlow::Node hashlibMemberHashAlgorithm(string hashName) {
+    result = API::moduleImport("hashlib").getMember(hashName).asSource() and
+    // Don't matches known non-hash members
+    not hashName in [
+        "new", "pbkdf2_hmac", "algorithms_available", "algorithms_guaranteed", "file_digest"
+      ] and
+    // Don't match things like __file__
+    not hashName.regexpMatch("_.*")
+  }
+
+  /**
+   *  Identifies hashing algorithm members (i.e., functions) of the `hashlib` module,
+   *  e.g., `hashlib.sha512`.
+   */
+  class HashlibMemberAlgorithm extends HashAlgorithm {
+    HashlibMemberAlgorithm() { this = hashlibMemberHashAlgorithm(_) }
+
+    override string getName() {
+      exists(string rawName |
+        result = super.normalizeName(rawName) and this = hashlibMemberHashAlgorithm(rawName)
+      )
+    }
+  }
+}
+
+// -----------------------------------------------
+// Key Derivation Functions
+// -----------------------------------------------
+module KDF {
+  // NOTE: Only finds the params of `pbkdf2_hmac` that are non-optional
+  //       dk_len is optional, i.e., can be None, and if addressed in this predicate
+  //       would result in an unsatisfiable predicate.
+  predicate hashlibPBDKF2HMACKDFRequiredParams(
+    HashlibPbkdf2HMACOperation kdf, API::Node hashParam, API::Node saltParam,
+    API::Node iterationParam
+  ) {
+    kdf.getParameter(0, "hash_name") = hashParam and
+    kdf.getParameter(2, "salt") = saltParam and
+    kdf.getParameter(3, "iterations") = iterationParam
+  }
+
+  predicate hashlibPBDKF2HMACKDFOptionalParams(HashlibPbkdf2HMACOperation kdf, API::Node keylenParam) {
+    kdf.getParameter(4, "dklen") = keylenParam
+  }
+
+  /**
+   * Identifies kery derivation function hashlib.pbdkf2_hmac accesses.
+   *   https://docs.python.org/3/library/hashlib.html#hashlib.pbkdf2_hmac
+   */
+  class HashlibPbkdf2HMACOperation extends KeyDerivationAlgorithm, KeyDerivationOperation {
+    HashlibPbkdf2HMACOperation() {
+      this = API::moduleImport("hashlib").getMember("pbkdf2_hmac").getACall()
+    }
+
+    override string getName() { result = super.normalizeName("pbkdf2_hmac") }
+
+    override DataFlow::Node getIterationSizeSrc() {
+      exists(API::Node it | hashlibPBDKF2HMACKDFRequiredParams(this, _, _, it) |
+        result = Utils::getUltimateSrcFromApiNode(it)
+      )
+    }
+
+    override DataFlow::Node getSaltConfigSrc() {
+      exists(API::Node s | hashlibPBDKF2HMACKDFRequiredParams(this, _, s, _) |
+        result = Utils::getUltimateSrcFromApiNode(s)
+      )
+    }
+
+    override DataFlow::Node getHashConfigSrc() {
+      exists(API::Node h | hashlibPBDKF2HMACKDFRequiredParams(this, h, _, _) |
+        result = Utils::getUltimateSrcFromApiNode(h)
+      )
+    }
+
+    override DataFlow::Node getDerivedKeySizeSrc() {
+      exists(API::Node dk | hashlibPBDKF2HMACKDFOptionalParams(this, dk) |
+        result = Utils::getUltimateSrcFromApiNode(dk)
+      )
+    }
+
+    // TODO: if DK is none, then the length is based on the hash type, if hash length not known, must call this unknown
+    //    The issue is the src is what we model not the size
+    //    For now, we are not modeling this and are relying on the fact that the accepted hashes are of accepted length.
+    //    I.e., any query looking at length will ignore cases where it is unknown
+    override KeyDerivationAlgorithm getAlgorithm() { result = this }
+
+    override predicate requiresHash() { any() }
+
+    override predicate requiresMode() { none() }
+
+    override predicate requiresSalt() { any() }
+
+    override predicate requiresIteration() { any() }
+  }
+
+  // TODO: better modeling of scrypt
+  /**
+   * Identifies key derivation fucntion hashlib.scrypt accesses.
+   */
+  class HashlibScryptAlgorithm extends KeyDerivationAlgorithm, KeyDerivationOperation {
+    HashlibScryptAlgorithm() { this = API::moduleImport("hashlib").getMember("scrypt").getACall() }
+
+    override string getName() { result = super.normalizeName("scrypt") }
+
+    override DataFlow::Node getIterationSizeSrc() { none() }
+
+    override DataFlow::Node getSaltConfigSrc() {
+      // TODO: need to address getting salt from params, unsure how this works in CodeQL
+      // since the signature is defined as hashlib.scrypt(password, *, salt, n, r, p, maxmem=0, dklen=64)
+      // What position is 'salt' then such that we can reliably extract it?
+      none()
+    }
+
+    override DataFlow::Node getHashConfigSrc() { none() }
+
+    override DataFlow::Node getDerivedKeySizeSrc() {
+      //TODO: see comment for getSaltConfigSrc above
+      none()
+    }
+
+    override KeyDerivationAlgorithm getAlgorithm() { result = this }
+
+    override predicate requiresHash() { none() }
+
+    override predicate requiresMode() { none() }
+
+    override predicate requiresSalt() { any() }
+
+    override predicate requiresIteration() { none() }
+  }
+}

python/ql/lib/experimental/cryptography/modules/stdlib/HmacModule.qll

@@ -0,0 +1,71 @@
+import python
+import semmle.python.ApiGraphs
+import experimental.cryptography.CryptoArtifact
+private import experimental.cryptography.utils.Utils as Utils
+private import experimental.cryptography.CryptoAlgorithmNames
+private import experimental.cryptography.modules.stdlib.HashlibModule as HashlibModule
+
+/**
+ * `hmac` is a ptyhon standard library module for key-based hashing algorithms.
+ *    https://docs.python.org/3/library/hmac.html
+ */
+// -----------------------------------------------
+// Hash Artifacts
+// -----------------------------------------------
+module Hashes {
+  class GenericHmacHashCall extends API::CallNode {
+    GenericHmacHashCall() {
+      this = API::moduleImport("hmac").getMember("new").getACall() or
+      this = API::moduleImport("hmac").getMember("HMAC").getACall() or
+      this = API::moduleImport("hmac").getMember("digest").getACall()
+    }
+  }
+
+  DataFlow::Node getDigestModParamSrc(GenericHmacHashCall call) {
+    result = Utils::getUltimateSrcFromApiNode(call.(API::CallNode).getParameter(2, "digestmod"))
+  }
+
+  /**
+   * This class captures the common behavior for all HMAC operations:
+   *    hmac.HMAC     https://docs.python.org/3/library/hmac.html#hmac.HMAC
+   *    hmac.new      https://docs.python.org/3/library/hmac.html#hmac.new
+   *    hmac.digest   https://docs.python.org/3/library/hmac.html#hmac.digest
+   * These operations commonly set the algorithm as a string in the third argument (`digestmod`)
+   * of the operation itself.
+   *
+   * NOTE: `digestmod` is the digest name, digest constructor or module for the HMAC object to use, however
+   *    this class only identifies string names. The other forms are found by CryptopgraphicArtifacts,
+   *    modeled in `HmacHMACConsArtifact` and `Hashlib.qll`, specifically through hashlib.new and
+   *    direct member accesses (e.g., hashlib.md5).
+   *
+   * Where no `digestmod` exists, the algorithm is assumed to be `md5` per the docs found here:
+   *  https://docs.python.org/3/library/hmac.html#hmac.new
+   *
+   * Where `digestmod` exists but is not a string and not a hashlib algorithm, it is assumed
+   * to be `UNKNOWN`. Note this includes cases wheere the digest is provided as a `A module supporting PEP 247.`
+   * Such modules are currently not modeled.
+   */
+  class HmacGenericAlgorithm extends HashAlgorithm {
+    HmacGenericAlgorithm() {
+      exists(GenericHmacHashCall c |
+        if not exists(getDigestModParamSrc(c)) then this = c else this = getDigestModParamSrc(c)
+      ) and
+      // Ignore case where the algorithm is a hashlib algorithm, rely on `HashlibMemberAlgorithm` to catch these cases
+      not this instanceof HashlibModule::Hashes::HashlibMemberAlgorithm
+      // NOTE: the docs say the digest can be `A module supporting PEP 247.`, however, this is not modeled, and will be considered UNKNOWN
+    }
+
+    override string getName() {
+      // when the this is a generic hmac call
+      // it means the algorithm parameter was not identified, assume the default case of 'md5' (per the docs)
+      if this instanceof GenericHmacHashCall
+      then result = super.normalizeName("MD5")
+      else (
+        // Else get the string name, if its a string constant, or UNKNOWN if otherwise
+        result = super.normalizeName(this.asExpr().(StrConst).getText())
+        or
+        not this.asExpr() instanceof StrConst and result = unknownAlgorithm()
+      )
+    }
+  }
+}

python/ql/lib/experimental/cryptography/utils/CallCfgNodeWithTarget.qll

@@ -0,0 +1,12 @@
+/**
+ * Patches all DataFlow::CallCfgNode adding a getTarget predicate to a new
+ * subclass of CallCfgNode
+ */
+
+import python
+private import semmle.python.dataflow.new.internal.TypeTrackerSpecific
+private import semmle.python.ApiGraphs
+
+class CallCfgNodeWithTarget extends DataFlow::Node instanceof DataFlow::CallCfgNode {
+  DataFlow::Node getTarget() { returnStep(result, this) }
+}

python/ql/lib/experimental/cryptography/utils/Utils.qll

@@ -0,0 +1,21 @@
+import python
+private import semmle.python.ApiGraphs
+private import experimental.cryptography.utils.CallCfgNodeWithTarget
+
+/**
+ * Gets an ultimate local source (not a source in a library)
+ */
+DataFlow::Node getUltimateSrcFromApiNode(API::Node n) {
+  result = n.getAValueReachingSink() and
+  (
+    // the result is a call to a library only
+    result instanceof CallCfgNodeWithTarget and
+    not result.(CallCfgNodeWithTarget).getTarget().asExpr().getEnclosingModule().inSource()
+    or
+    // the result is not a call, and not a function signataure or parameter
+    not result instanceof CallCfgNodeWithTarget and
+    not result instanceof DataFlow::ParameterNode and
+    not result.asExpr() instanceof FunctionExpr and
+    result.asExpr().getEnclosingModule().inSource()
+  )
+}

python/ql/src/experimental/cryptography/example_alerts/UnknownAsymmetricKeyGen.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Unknown key generation key size
+ * @description
+ * @id py/unknown-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-326
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node configSrc, string algName
+where
+  not op.hasKeySize(configSrc) and
+  configSrc = op.getKeyConfigSrc() and
+  algName = op.getAlgorithm().getName()
+select op,
+  "Non-statically verifiable key size used for key generation for algorithm " + algName.toString() +
+    " at config source $@", configSrc, configSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricKeyGen.ql

@@ -0,0 +1,23 @@
+/**
+ * @name Weak key generation key size (< 2048 bits)
+ * @description
+ * @id py/weak-asymmetric-key-gen-size
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-326
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node configSrc, int keySize, string algName
+where
+  keySize = op.getKeySizeInBits(configSrc) and
+  keySize < 2048 and
+  algName = op.getAlgorithm().getName() and
+  // Can't be an elliptic curve
+  not isEllipticCurveAlgorithm(algName, _)
+select op,
+  "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " +
+    algName.toString() + " at config source $@", configSrc, configSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakAsymmetricPadding.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Weak or unknown asymmetric padding
+ * @description
+ * @id py/weak-asymmetric-padding
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricPadding pad, string name
+where
+  name = pad.getPaddingName() and
+  not name = ["OAEP", "KEM", "PSS"]
+select pad, "Use of unapproved, weak, or unknown asymmetric padding algorithm or API: " + name

python/ql/src/experimental/cryptography/example_alerts/WeakBlockMode.ql

@@ -0,0 +1,48 @@
+/**
+ * @name Weak block mode
+ * @description Finds uses of symmetric encryption block modes that are weak, obsolete, or otherwise unaccepted.
+ * @id py/weak-block-mode
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from CryptographicArtifact op, string msg
+where
+  // False positive hack, some projects are directly including all of cryptography,
+  // filter any match that is in cryptography/hazmat
+  // Specifically happening for ECB being used in keywrap operations internally to the cryptography keywrap/unwrap API
+  not op.asExpr()
+      .getLocation()
+      .getFile()
+      .getAbsolutePath()
+      .toString()
+      .matches("%cryptography/hazmat/%") and
+  (
+    op instanceof BlockMode and
+    // ECB is only allowed for KeyWrapOperations, i.e., only alert on ECB is not a KeyWrapOperation
+    (op.(BlockMode).getBlockModeName() = "ECB" implies not op instanceof KeyWrapOperation) and
+    exists(string name | name = op.(BlockMode).getBlockModeName() |
+      // Only CBC, CTS, XTS modes are allowed.
+      //  https://liquid.microsoft.com/Web/Object/Read/MS.Security/Requirements/Microsoft.Security.Cryptography.10002
+      not name = ["CBC", "CTS", "XTS"] and
+      if name = unknownAlgorithm()
+      then msg = "Use of unrecognized block mode algorithm."
+      else
+        if name in ["GCM", "CCM"]
+        then
+          msg =
+            "Use of block mode algorithm " + name +
+              " requires special crypto board approval/review."
+        else msg = "Use of unapproved block mode algorithm or API " + name + "."
+    )
+    or
+    op instanceof SymmetricCipher and
+    not op.(SymmetricCipher).hasBlockMode() and
+    msg = "Cipher has unspecified block mode algorithm."
+  )
+select op, msg

python/ql/src/experimental/cryptography/example_alerts/WeakBlockModeIVorNonce.ql

@@ -0,0 +1,37 @@
+/**
+ * @name Weak block mode IV or nonce
+ * @description Finds initialization vectors or nonces used by block modes that are weak, obsolete, or otherwise unaccepted.
+ *              Looks for IVs or nonces that are not generated by a cryptographically secure random number generator
+ *
+ *            NOTE: for simplicity, if an IV or nonce is not known or not form os.urandom it is flagged.
+ *                  More specific considerations, such as correct use of nonces are currently not handled.
+ *                  In particular, GCM requires the use of a nonce. Using urandom is possible but may still be configured
+ *                  incorrectly. We currently assume that GCM is flagged as a block mode regardless through a separate
+ *                  query, and such uses will need to be reivewed by the crypto board.
+ *
+ *                  Additionally, some functions, which infer a mode and IV may be flagged by this query.
+ *                  For now, we will rely on users suppressing these cases rather than filtering them out.
+ *                  The exception is Fernet, which is explicitly ignored since it's implementation uses os.urandom.
+ * @id py/weak-block-mode-iv-or-nonce
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode op, string msg, DataFlow::Node conf
+where
+  not op instanceof CryptographyModule::Encryption::SymmetricEncryption::Fernet::CryptographyFernet and
+  (
+    not op.hasIVorNonce() or
+    not API::moduleImport("os").getMember("urandom").getACall() = op.getIVorNonce()
+  ) and
+  (
+    if not op.hasIVorNonce()
+    then conf = op and msg = "Block mode is missing IV/Nonce initialization."
+    else conf = op.getIVorNonce()
+  ) and
+  msg = "Block mode is not using an accepted IV/Nonce initialization: $@"
+select op, msg, conf, conf.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakEllipticCurve.ql

@@ -0,0 +1,32 @@
+/**
+ * @name Weak elliptic curve
+ * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak.
+ * @id py/weak-elliptic-curve
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from EllipticCurveAlgorithm op, string msg, string name
+where
+  (
+    name = op.getCurveName() and
+    name = unknownAlgorithm() and
+    msg = "Use of unrecognized curve algorithm."
+    or
+    name != unknownAlgorithm() and
+    name = op.getCurveName() and
+    not name =
+      [
+        "SECP256R1", "PRIME256V1", //P-256
+        "SECP384R1", //P-384
+        "SECP521R1", //P-521
+        "ED25519", "X25519"
+      ] and
+    msg = "Use of weak curve algorithm " + name + "."
+  )
+select op, msg

python/ql/src/experimental/cryptography/example_alerts/WeakHashes.ql

@@ -0,0 +1,21 @@
+/**
+ * @name Weak hashes
+ * @description Finds uses of cryptography algorithms that are unapproved or otherwise weak.
+ * @id py/weak-hashes
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from HashAlgorithm op, string name, string msg
+where
+  name = op.getHashName() and
+  not name = ["SHA256", "SHA384", "SHA512"] and
+  if name = unknownAlgorithm()
+  then msg = "Use of unrecognized hash algorithm."
+  else msg = "Use of unapproved hash algorithm or API " + name + "."
+select op, msg

python/ql/src/experimental/cryptography/example_alerts/WeakKDFAlgorithm.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Weak KDF algorithm.
+ * @description Approved KDF algorithms must one of the following
+ *  ["PBKDF2" , "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "CONCATKDF", "CONCATKDFHASH"]
+ * @assumption The value being used to derive a key (either a key or a password) is correct for the algorithm (i.e., a key is used for KBKDF and a password for PBKDF).
+ * @kind problem
+ * @id py/weak-kdf-algorithm
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from KeyDerivationAlgorithm op
+where
+  not op.getKDFName() =
+    [
+      "PBKDF2", "PBKDF2HMAC", "KBKDF", "KBKDFHMAC", "KBKDFCMAC", "CONCATKDF", "CONCATKDFHASH",
+      "CONCATKDFHMAC"
+    ]
+select op, "Use of unapproved, weak, or unknown key derivation algorithm or API."

python/ql/src/experimental/cryptography/example_alerts/WeakKDFIteration.ql

@@ -0,0 +1,31 @@
+/**
+ * @name Use iteration count at least 100k to prevent brute force attacks
+ * @description When deriving cryptographic keys from user-provided inputs such as password,
+ * use sufficient iteration count (at least 100k).
+ *
+ * This query will alert if the iteration count is less than 10000 (i.e., a constant <100000 is observed)
+ * or if the source for the iteration count is not known statically.
+ * @kind problem
+ * @id py/kdf-low-iteration-count
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, string msg, DataFlow::Node iterConfSrc
+where
+  op.requiresIteration() and
+  iterConfSrc = op.getIterationSizeSrc() and
+  (
+    exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) and
+    iterConfSrc.asExpr().(IntegerLiteral).getValue() < 10000 and
+    msg = "Iteration count is too low. "
+    or
+    not exists(iterConfSrc.asExpr().(IntegerLiteral).getValue()) and
+    msg = "Iteration count is not a statically verifiable size. "
+  )
+select op, msg + "Iteration count must be a minimum of 10000. Iteration Config: $@",
+  iterConfSrc.asExpr(), iterConfSrc.asExpr().toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFKeyLength.ql

@@ -0,0 +1,32 @@
+/**
+ * @name Small KDF derived key length.
+ * @description KDF derived keys should be a minimum of 128 bits (16 bytes).
+ * @assumption If the key length is not explicitly provided (e.g., it is None or otherwise not specified) assumes the length is derived from the hash length.
+ * @kind problem
+ * @id py/kdf-small-key-size
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, string msg, DataFlow::Node derivedKeySizeSrc
+where
+  // NOTE/ASSUMPTION: if the key size is not specified or explicitly None, it is common that the size is derived from the hash used.
+  //       The only acceptable hashes are currently "SHA256", "SHA384", "SHA512", which are all large enough.
+  //       We will currently rely on other acceptable hash queries therefore to determine if the size is
+  //       is sufficient where the key is not specified.
+  derivedKeySizeSrc = op.getDerivedKeySizeSrc() and
+  not derivedKeySizeSrc.asExpr() instanceof None and
+  (
+    exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) and
+    derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue() < 16 and
+    msg = "Derived key size is too small. "
+    or
+    not exists(derivedKeySizeSrc.asExpr().(IntegerLiteral).getValue()) and
+    msg = "Derived key size is not a statically verifiable size. "
+  )
+select op, msg + "Derived key size must be a minimum of 16 (bytes). Derived Key Size Config: $@",
+  derivedKeySizeSrc.asExpr(), derivedKeySizeSrc.asExpr().toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFMode.ql

@@ -0,0 +1,28 @@
+/**
+ * @name Weak KDF Modee
+ * @description KDF mode, if specified, must be CounterMode
+ * @kind problem
+ * @id py/kdf-weak-mode
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, DataFlow::Node modeConfSrc
+where
+  op.requiresMode() and
+  modeConfSrc = op.getModeSrc() and
+  not modeConfSrc =
+    API::moduleImport("cryptography")
+        .getMember("hazmat")
+        .getMember("primitives")
+        .getMember("kdf")
+        .getMember("kbkdf")
+        .getMember("Mode")
+        .getMember("CounterMode")
+        .asSource()
+select op, "Key derivation mode is not set to CounterMode. Mode Config: $@", modeConfSrc,
+  modeConfSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltGen.ql

@@ -0,0 +1,20 @@
+/**
+ * @name Weak KDF salt generation.
+ * @description KDF salts must be generated by an approved random number generator (os.urandom)
+ * @kind problem
+ * @id py/kdf-weak-salt-gen
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, DataFlow::Node saltSrc
+where
+  op.requiresSalt() and
+  not API::moduleImport("os").getMember("urandom").getACall() = saltSrc and
+  saltSrc = op.getSaltConfigSrc()
+select op, "Salt configuration is not from an accepted random source: $@. Must be os.urandom",
+  saltSrc, saltSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakKDFSaltSize.ql

@@ -0,0 +1,32 @@
+/**
+ * @name Small KDF salt length.
+ * @description KDF salts should be a minimum of 128 bits (16 bytes).
+ *
+ * This alerts if a constant traces to to a salt length sink less than 128-bits or
+ * if the value that traces to a salt length sink is not known statically.
+ * @kind problem
+ * @id py/kdf-small-salt-size
+ * @problem.severity error
+ * @precision high
+ */
+
+import python
+import experimental.cryptography.Concepts
+private import experimental.cryptography.utils.Utils as Utils
+
+from KeyDerivationOperation op, DataFlow::Node randConfSrc, API::CallNode call, string msg
+where
+  op.requiresSalt() and
+  API::moduleImport("os").getMember("urandom").getACall() = call and
+  call = op.getSaltConfigSrc() and
+  randConfSrc = Utils::getUltimateSrcFromApiNode(call.getParameter(0, "size")) and
+  (
+    not exists(randConfSrc.asExpr().(IntegerLiteral).getValue()) and
+    msg = "Salt config is not a statically verifiable size. "
+    or
+    randConfSrc.asExpr().(IntegerLiteral).getValue() < 16 and
+    msg = "Salt config is insufficiently large. "
+  )
+select op,
+  msg + "Salt size must be a minimum of 16 (bytes). os.urandom Config: $@, Size Config: $@", call,
+  call.toString(), randConfSrc, randConfSrc.toString()

python/ql/src/experimental/cryptography/example_alerts/WeakSymmetricEncryption.ql

@@ -0,0 +1,24 @@
+/**
+ * @name Weak symmetric encryption algorithm
+ * @description Finds uses of symmetric cryptography algorithms that are weak, obsolete, or otherwise unaccepted.
+ *
+ *              The key lengths allowed are 128, 192, and 256 bits. These are all the key lengths supported by AES, so any
+ *              application of AES is considered acceptable.
+ * @id py/weak-symmetric-encryption
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags external/cwe/cwe-327
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SymmetricEncryptionAlgorithm op, string name, string msg
+where
+  name = op.getEncryptionName() and
+  not name = ["AES", "AES128", "AES192", "AES256"] and
+  if name = unknownAlgorithm()
+  then msg = "Use of unrecognized symmetric encryption algorithm."
+  else msg = "Use of unapproved symmetric encryption algorithm or API " + name + "."
+select op, msg

python/ql/src/experimental/cryptography/inventory/new_models/AllAsymmetricAlgorithms.ql

@@ -0,0 +1,15 @@
+/**
+ * @name All Asymmetric Algorithms
+ * @description Finds all potential usage of asymmeric keys (RSA & ECC) using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-asymmetric-algorithms
+ * @problem.severity error
+ * @preci cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/new_models/AllCryptoAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name All Cryptographic Algorithms
+ * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-cryptographic-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from CryptographicAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricEncryptionAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Asymmetric Encryption Algorithms
+ * @description Finds all potential usage of asymmeric keys for encryption or key exchange using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/all-asymmetric-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getEncryptionName()

python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricKeyGenOperation.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Known asymmetric key source generation
+ * @description Finds all known potential sources for asymmetric key generation while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/asymmetric-key-generation
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricKeyGen op, DataFlow::Node confSrc
+where op.getKeyConfigSrc() = confSrc
+select op,
+  "Asymmetric key generation for algorithm " + op.getAlgorithm().getName() +
+    " with key config source $@", confSrc, confSrc.toString()

python/ql/src/experimental/cryptography/inventory/new_models/AsymmetricPaddingAlgorithms.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Asymmetric Padding Schemes
+ * @description Finds all potential usage of padding schemes used with asymmeric algorithms.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/asymmetric-padding-schemes
+ * @problem.severity error
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AsymmetricPadding alg
+select alg, "Use of algorithm " + alg.getPaddingName()

python/ql/src/experimental/cryptography/inventory/new_models/AuthenticatedEncryptionAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Authenticated Encryption Algorithms
+ * @description Finds all potential usage of authenticated encryption schemes using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/authenticated-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from AuthenticatedEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getAuthticatedEncryptionName()

python/ql/src/experimental/cryptography/inventory/new_models/BlockModeAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Block cipher mode of operation
+ * @description Finds all potential block cipher modes of operations using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/block-cipher-mode
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+select alg, "Use of algorithm " + alg.getBlockModeName()

python/ql/src/experimental/cryptography/inventory/new_models/BlockModeKnownIVsOrNonces.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Initialization Vector (IV) or nonces
+ * @description Finds all potential sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/iv-sources
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+select alg.getIVorNonce().asExpr(), "Block mode IV/Nonce source"

python/ql/src/experimental/cryptography/inventory/new_models/BlockModeUnknownIVsOrNonces.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Unknown Initialization Vector (IV) or nonces
+ * @description Finds all potentially unknown sources for initialization vectors (IV) or nonce used in block ciphers while using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/unkown-iv-sources
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from BlockMode alg
+where not alg.hasIVorNonce()
+select alg, "Block mode with unknown IV or Nonce configuration"

python/ql/src/experimental/cryptography/inventory/new_models/EllipticCurveAlgorithms.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Elliptic Curve Algorithms
+ * @description Finds all potential usage of elliptic curve algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/elliptic-curve-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from EllipticCurveAlgorithm alg
+select alg,
+  "Use of algorithm " + alg.getCurveName() + " with key size (in bits) " +
+    alg.getCurveBitSize().toString()

python/ql/src/experimental/cryptography/inventory/new_models/HashingAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Hash Algorithms
+ * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/hash-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from HashAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/new_models/KeyDerivationAlgorithms.ql

@@ -0,0 +1,18 @@
+/**
+ * @name Key Derivation Algorithms
+ * @description Finds all potential usage of key derivation using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/key-derivation
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from KeyDerivationOperation op
+// TODO: pull out all configuration from the operation?
+select op,
+  "Use of key derivation algorithm " + op.getAlgorithm().(KeyDerivationAlgorithm).getKDFName()

python/ql/src/experimental/cryptography/inventory/new_models/KeyExchangeAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Key Exchange Algorithms
+ * @description Finds all potential usage of key exchange using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/key-exchange
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from KeyExchangeAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/new_models/SigningAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Signing Algorithms
+ * @description Finds all potential usage of signing algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/signing-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SigningAlgorithm alg
+select alg, "Use of algorithm " + alg.getName()

python/ql/src/experimental/cryptography/inventory/new_models/SymmetricEncryptionAlgorithms.ql

@@ -0,0 +1,16 @@
+/**
+ * @name Symmetric Encryption Algorithms
+ * @description Finds all potential usage of symmetric encryption algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/symmetric-encryption-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SymmetricEncryptionAlgorithm alg
+select alg, "Use of algorithm " + alg.getEncryptionName()

python/ql/src/experimental/cryptography/inventory/new_models/SymmetricPaddingAlgorithms.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Symmetric Padding Schemes
+ * @description Finds all potential usage of padding schemes used with symmeric algorithms.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/symmetric-padding-schemes
+ * @problem.severity error
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import experimental.cryptography.Concepts
+
+from SymmetricPadding alg
+select alg, "Use of algorithm " + alg.getPaddingName()

python/ql/src/experimental/cryptography/inventory/old_models/AllCryptoAlgorithms.ql

@@ -0,0 +1,20 @@
+/**
+ * @name All Cryptographic Algorithms
+ * @description Finds all potential usage of cryptographic algorithms usage using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/classic-model/all-cryptographic-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import semmle.python.Concepts
+
+from Cryptography::CryptographicOperation operation, string algName
+where
+  algName = operation.getAlgorithm().getName()
+  or
+  algName = operation.getBlockMode()
+select operation, "Use of algorithm " + algName

python/ql/src/experimental/cryptography/inventory/old_models/BlockModeAlgorithms.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Block cipher mode of operation
+ * @description Finds all potential block cipher modes of operations using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/classic-model/block-cipher-mode
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import semmle.python.Concepts
+
+from Cryptography::CryptographicOperation operation, string algName
+where algName = operation.getBlockMode()
+select operation, "Use of algorithm " + algName

python/ql/src/experimental/cryptography/inventory/old_models/HashingAlgorithms.ql

@@ -0,0 +1,22 @@
+/**
+ * @name Hash Algorithms
+ * @description Finds all potential usage of cryptographic hash algorithms using the supported libraries.
+ * @kind problem
+ * @id py/quantum-readiness/cbom/classic-model/hash-algorithms
+ * @problem.severity error
+ * @precision high
+ * @tags cbom
+ *       cryptography
+ */
+
+import python
+import semmle.python.Concepts
+
+from Cryptography::CryptographicOperation operation, Cryptography::CryptographicAlgorithm algorithm
+where
+  algorithm = operation.getAlgorithm() and
+  (
+    algorithm instanceof Cryptography::HashingAlgorithm or
+    algorithm instanceof Cryptography::PasswordHashingAlgorithm
+  )
+select operation, "Use of algorithm " + operation.getAlgorithm().getName()