mirror of
https://github.com/github/codeql.git
synced 2026-01-15 23:44:47 +01:00
102 lines
2.8 KiB
Plaintext
102 lines
2.8 KiB
Plaintext
/**
|
|
* Provides classes modeling cryptographic algorithms, separated into strong and weak variants.
|
|
*
|
|
* The classification into strong and weak are based on Wikipedia, OWASP and Google (2021).
|
|
*/
|
|
|
|
private import internal.CryptoAlgorithmNames
|
|
|
|
/**
|
|
* A cryptographic algorithm.
|
|
*/
|
|
private newtype TCryptographicAlgorithm =
|
|
MkHashingAlgorithm(string name, boolean isWeak) {
|
|
isStrongHashingAlgorithm(name) and isWeak = false
|
|
or
|
|
isWeakHashingAlgorithm(name) and isWeak = true
|
|
} or
|
|
MkEncryptionAlgorithm(string name, boolean isWeak) {
|
|
isStrongEncryptionAlgorithm(name) and isWeak = false
|
|
or
|
|
isWeakEncryptionAlgorithm(name) and isWeak = true
|
|
} or
|
|
MkPasswordHashingAlgorithm(string name, boolean isWeak) {
|
|
isStrongPasswordHashingAlgorithm(name) and isWeak = false
|
|
or
|
|
isWeakPasswordHashingAlgorithm(name) and isWeak = true
|
|
}
|
|
|
|
/**
|
|
* A cryptographic algorithm.
|
|
*/
|
|
abstract class CryptographicAlgorithm extends TCryptographicAlgorithm {
|
|
/** Gets a textual representation of this element. */
|
|
string toString() { result = getName() }
|
|
|
|
/**
|
|
* Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores).
|
|
*/
|
|
abstract string getName();
|
|
|
|
/**
|
|
* Holds if the name of this algorithm matches `name` modulo case,
|
|
* white space, dashes, underscores, and anything after a dash in the name
|
|
* (to ignore modes of operation, such as CBC or ECB).
|
|
*/
|
|
bindingset[name]
|
|
predicate matchesName(string name) {
|
|
[name.toUpperCase(), name.toUpperCase().regexpCapture("^(\\w+)(?:-.*)?$", 1)]
|
|
.regexpReplaceAll("[-_ ]", "") = getName()
|
|
}
|
|
|
|
/**
|
|
* Holds if this algorithm is weak.
|
|
*/
|
|
abstract predicate isWeak();
|
|
}
|
|
|
|
/**
|
|
* A hashing algorithm such as `MD5` or `SHA512`.
|
|
*/
|
|
class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm {
|
|
string name;
|
|
boolean isWeak;
|
|
|
|
HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) }
|
|
|
|
override string getName() { result = name }
|
|
|
|
override predicate isWeak() { isWeak = true }
|
|
}
|
|
|
|
/**
|
|
* An encryption algorithm such as `DES` or `AES512`.
|
|
*/
|
|
class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm {
|
|
string name;
|
|
boolean isWeak;
|
|
|
|
EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) }
|
|
|
|
override string getName() { result = name }
|
|
|
|
override predicate isWeak() { isWeak = true }
|
|
|
|
/** Holds if this algorithm is a stream cipher. */
|
|
predicate isStreamCipher() { isStreamCipher(name) }
|
|
}
|
|
|
|
/**
|
|
* A password hashing algorithm such as `PBKDF2` or `SCRYPT`.
|
|
*/
|
|
class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm {
|
|
string name;
|
|
boolean isWeak;
|
|
|
|
PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) }
|
|
|
|
override string getName() { result = name }
|
|
|
|
override predicate isWeak() { isWeak = true }
|
|
}
|