Move CryptoAlgorithms::AlgorithmsName into a separate internal/CryptoAlgorithmNames.qll

2026-04-30 11:15:13 +02:00 · 2021-12-21 11:10:35 +00:00
parent f16d77615d
commit a2104de8a0
8 changed files with 225 additions and 226 deletions
--- a/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
+++ b/python/ql/lib/semmle/python/concepts/CryptoAlgorithms.qll
@@ -4,81 +4,7 @@
 * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
 */

-/**
- * Names of cryptographic algorithms, separated into strong and weak variants.
- *
- * The names are normalized: upper-case, no spaces, dashes or underscores.
- *
- * The names are inspired by the names used in real world crypto libraries.
- *
- * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
- */
-module AlgorithmNames {
-  /**
-   * Holds if `name` corresponds to a strong hashing algorithm.
-   */
-  predicate isStrongHashingAlgorithm(string name) {
-    name =
-      [
-        "DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
-        "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
-      ]
-  }
-
-  /**
-   * Holds if `name` corresponds to a weak hashing algorithm.
-   */
-  predicate isWeakHashingAlgorithm(string name) {
-    name =
-      [
-        "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256", "RIPEMD160",
-        "RIPEMD320", "SHA0", "SHA1"
-      ]
-  }
-
-  /**
-   * Holds if `name` corresponds to a strong encryption algorithm.
-   */
-  predicate isStrongEncryptionAlgorithm(string name) {
-    name =
-      [
-        "AES", "AES128", "AES192", "AES256", "AES512", "AES-128", "AES-192", "AES-256", "AES-512",
-        "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5", "CAMELLIA", "CAMELLIA128",
-        "CAMELLIA192", "CAMELLIA256", "CAMELLIA-128", "CAMELLIA-192", "CAMELLIA-256", "CHACHA",
-        "GOST", "GOST89", "IDEA", "RABBIT", "RSA", "SEED", "SM4"
-      ]
-  }
-
-  /**
-   * Holds if `name` corresponds to a weak encryption algorithm.
-   */
-  predicate isWeakEncryptionAlgorithm(string name) {
-    name =
-      [
-        "DES", "3DES", "DES3", "TRIPLEDES", "DESX", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4",
-        "RC4", "ARCFOUR", "ARC5", "RC5"
-      ]
-  }
-
-  /**
-   * Holds if `name` corresponds to a strong password hashing algorithm.
-   */
-  predicate isStrongPasswordHashingAlgorithm(string name) {
-    name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"]
-  }
-
-  /**
-   * Holds if `name` corresponds to a weak password hashing algorithm.
-   */
-  predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" }
-
-  /**
-   * Holds if `name` corresponds to a weak block cipher mode of operation.
-   */
-  predicate isWeakBlockMode(string name) { name = "ECB" }
-}
-
-private import AlgorithmNames
+private import internal.CryptoAlgorithmNames

 /**
 * A cryptographic algorithm.
--- a/python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll
+++ b/python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll
@@ -0,0 +1,72 @@
+/**
+ * Names of cryptographic algorithms, separated into strong and weak variants.
+ *
+ * The names are normalized: upper-case, no spaces, dashes or underscores.
+ *
+ * The names are inspired by the names used in real world crypto libraries.
+ *
+ * The classification into strong and weak are based on Wikipedia, OWASP and google (2017).
+ */
+
+/**
+ * Holds if `name` corresponds to a strong hashing algorithm.
+ */
+predicate isStrongHashingAlgorithm(string name) {
+  name =
+    [
+      "DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
+      "SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a weak hashing algorithm.
+ */
+predicate isWeakHashingAlgorithm(string name) {
+  name =
+    [
+      "HAVEL128", "MD2", "MD4", "MD5", "PANAMA", "RIPEMD", "RIPEMD128", "RIPEMD256", "RIPEMD160",
+      "RIPEMD320", "SHA0", "SHA1"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a strong encryption algorithm.
+ */
+predicate isStrongEncryptionAlgorithm(string name) {
+  name =
+    [
+      "AES", "AES128", "AES192", "AES256", "AES512", "AES-128", "AES-192", "AES-256", "AES-512",
+      "ARIA", "BLOWFISH", "BF", "ECIES", "CAST", "CAST5", "CAMELLIA", "CAMELLIA128", "CAMELLIA192",
+      "CAMELLIA256", "CAMELLIA-128", "CAMELLIA-192", "CAMELLIA-256", "CHACHA", "GOST", "GOST89",
+      "IDEA", "RABBIT", "RSA", "SEED", "SM4"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a weak encryption algorithm.
+ */
+predicate isWeakEncryptionAlgorithm(string name) {
+  name =
+    [
+      "DES", "3DES", "DES3", "TRIPLEDES", "DESX", "TDEA", "TRIPLEDEA", "ARC2", "RC2", "ARC4", "RC4",
+      "ARCFOUR", "ARC5", "RC5"
+    ]
+}
+
+/**
+ * Holds if `name` corresponds to a strong password hashing algorithm.
+ */
+predicate isStrongPasswordHashingAlgorithm(string name) {
+  name = ["ARGON2", "PBKDF2", "BCRYPT", "SCRYPT"]
+}
+
+/**
+ * Holds if `name` corresponds to a weak password hashing algorithm.
+ */
+predicate isWeakPasswordHashingAlgorithm(string name) { name = "EVPKDF" }
+
+/**
+ * Holds if `name` corresponds to a weak block cipher mode of operation.
+ */
+predicate isWeakBlockMode(string name) { name = "ECB" }