diff --git a/java/ql/src/experimental/quantum/Analysis/UnknownHash.ql b/java/ql/src/experimental/quantum/Analysis/UnknownHash.ql new file mode 100644 index 00000000000..d9dce7a7aba --- /dev/null +++ b/java/ql/src/experimental/quantum/Analysis/UnknownHash.ql @@ -0,0 +1,17 @@ +/** + * @name Unknown hashes + * @description Finds uses of cryptographic hashing algorithms of unknown type. + * @id java/quantum/unknown-hash + * @kind problem + * @problem.severity error + * @precision high + * @tags quantum + * experimental + */ + +import java +import experimental.quantum.Language + +from Crypto::HashAlgorithmNode alg +where not exists(alg.getHashType()) +select alg, "Use of unknown hash algorithm or API." diff --git a/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql b/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql index fee89507176..189f58eebad 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql @@ -13,19 +13,21 @@ import java import experimental.quantum.Language class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode { + Crypto::ModeOfOperationAlgorithmNode mode; + WeakAESBlockModeAlgNode() { this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and + mode = super.getModeOfOperation() and ( - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or - this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR() + mode.getModeType() = Crypto::KeyOpAlg::ECB() or + mode.getModeType() = Crypto::KeyOpAlg::CFB() or + mode.getModeType() = Crypto::KeyOpAlg::OFB() or + mode.getModeType() = Crypto::KeyOpAlg::CTR() ) } + + Crypto::ModeOfOperationAlgorithmNode getMode() { result = mode } } -from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode -where - op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and - codeNode = op.getAnOutputArtifact() -select op, "Weak AES block mode instance." +from WeakAESBlockModeAlgNode alg +select alg, "Weak AES block mode instance $@.", alg.getMode(), alg.getMode().toString() diff --git a/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql b/java/ql/src/experimental/quantum/Analysis/WeakHash.ql similarity index 80% rename from java/ql/src/experimental/quantum/Analysis/WeakHashing.ql rename to java/ql/src/experimental/quantum/Analysis/WeakHash.ql index 39bd8c6e463..737643a8f9f 100644 --- a/java/ql/src/experimental/quantum/Analysis/WeakHashing.ql +++ b/java/ql/src/experimental/quantum/Analysis/WeakHash.ql @@ -1,7 +1,7 @@ /** * @name Weak hashes * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak. - * @id java/quantum/weak-hashes + * @id java/quantum/weak-hash * @kind problem * @problem.severity error * @precision high @@ -17,15 +17,15 @@ from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg where htype = alg.getHashType() and ( - htype != Crypto::SHA2() and + (htype != Crypto::SHA2() and htype != Crypto::SHA2()) and msg = "Use of unapproved hash algorithm or API " + htype.toString() + "." or - htype = Crypto::SHA2() and + (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and not exists(alg.getDigestLength()) and msg = "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size." or - htype = Crypto::SHA2() and + (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and alg.getDigestLength() < 256 and msg = "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +