Crypto: Modify suggested queries per misc. side conversations on standards. Remove redundant query. Fix QL-for-QL issues.

Author: bdrodes

java/ql/src/experimental/quantum/Analysis/NonceReuse.ql

@@ -4,7 +4,7 @@
  * @id java/quantum/reused-nonce
  * @kind problem
  * @problem.severity error
- * @precision medium
+ * @precision high
  * @tags quantum
  *       experimental
  */

java/ql/src/experimental/quantum/Analysis/ReusedNonce.ql

@@ -1,5 +1,5 @@
 /**
- * @name Weak Asymetric Key Size
+ * @name Weak Asymmetric Key Size
  * @id java/quantum/weak-asymmetric-key-size
  * @description An asymmetric cipher with a short key size is in use
  * @kind problem
@@ -20,5 +20,5 @@ where
   // Can't be an elliptic curve
   not Crypto::isEllipticCurveAlgorithmName(algName)
 select op,
-  "Use of weak asymmetric key size (int bits)" + keySize.toString() + " for algorithm " +
-    algName.toString() + " at config source $@", configSrc, configSrc.toString()
+  "Use of weak asymmetric key size (" + keySize.toString() + " bits) for algorithm " +
+    algName.toString() + " at config source $@", configSrc, configSrc.toString()

java/ql/src/experimental/quantum/Analysis/WeakAsymmetric.ql

@@ -15,15 +15,17 @@ import experimental.quantum.Language
 class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode {
   WeakAESBlockModeAlgNode() {
     this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
-    (this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
-     this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
-     this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
-     this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
+    (
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
+      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
     )
   }
 }
 
 from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
-where op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
-    codeNode = op.getAnOutputArtifact()
+where
+  op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
+  codeNode = op.getAnOutputArtifact()
 select op, "Weak AES block mode instance."

java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql

@@ -1,19 +1,34 @@
 /**
  * @name Weak hashes
  * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
- * @id java/quantum/slices/weak-hashes
+ * @id java/quantum/weak-hashes
  * @kind problem
  * @problem.severity error
  * @precision high
  * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
  */
 
 import java
 import experimental.quantum.Language
 
-from Crypto::HashAlgorithmNode alg, string name, string msg
+from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg
 where
-  name = alg.getAlgorithmName() and
-  not name in ["SHA256", "SHA384", "SHA512", "SHA-256", "SHA-384", "SHA-512"] and
-  msg = "Use of unapproved hash algorithm or API " + name + "."
+  htype = alg.getHashType() and
+  (
+    htype != Crypto::SHA2() and
+    msg = "Use of unapproved hash algorithm or API " + htype.toString() + "."
+    or
+    htype = Crypto::SHA2() and
+    not exists(alg.getDigestLength()) and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size."
+    or
+    htype = Crypto::SHA2() and
+    alg.getDigestLength() < 256 and
+    msg =
+      "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +
+        alg.getDigestLength() + ")."
+  )
 select alg, msg

java/ql/src/experimental/quantum/Analysis/WeakHashing.ql

@@ -1,7 +1,7 @@
 /**
  * @name Weak known key derivation function output length
  * @description Detects key derivation operations with a known weak output length
- * @id java/quantum/weak-kdf-iteration-count
+ * @id java/quantum/weak-kdf-key-size
  * @kind problem
  * @problem.severity error
  * @precision high
@@ -17,4 +17,4 @@ where
   op.getOutputKeySize().asElement() = l and
   l.getValue().toInt() < 256
 select op, "Key derivation operation configures output key length below 256: $@", l,
-  l.getValue().toString()
+  l.getValue().toString()

java/ql/src/experimental/quantum/Analysis/WeakKDFKeySize.ql

@@ -11,14 +11,15 @@
 
 import experimental.quantum.Language
 
-class WeakRSAAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
-  WeakRSAAlgorithmNode() {
+class WeakRsaAlgorithmNode extends Crypto::KeyOperationAlgorithmNode {
+  WeakRsaAlgorithmNode() {
     this.getAlgorithmType() = Crypto::KeyOpAlg::TAsymmetricCipher(Crypto::KeyOpAlg::RSA()) and
     this.getKeySizeFixed() < 2048
   }
 }
 
 from Crypto::KeyOperationNode op, string message
-where op.getAKnownAlgorithm() instanceof WeakRSAAlgorithmNode and
-     message = "Weak RSA instance found with key length <2048"
+where
+  op.getAKnownAlgorithm() instanceof WeakRsaAlgorithmNode and
+  message = "Weak RSA instance found with key length <2048"
 select op, message

java/ql/src/experimental/quantum/Analysis/WeakRSA.ql

@@ -1,19 +1,30 @@
 /**
  * @name Weak symmetric ciphers
  * @description Finds uses of cryptographic symmetric cipher algorithms that are unapproved or otherwise weak.
- * @id java/quantum/slices/weak-ciphers
+ * @id java/quantum/weak-ciphers
  * @kind problem
  * @problem.severity error
  * @precision high
  * @tags external/cwe/cwe-327
+ *       quantum
+ *       experimental
  */
 
 import java
 import experimental.quantum.Language
+import Crypto::KeyOpAlg as KeyOpAlg
 
-from Crypto::KeyOperationAlgorithmNode alg, string name, string msg
+from Crypto::KeyOperationAlgorithmNode alg, KeyOpAlg::AlgorithmType algType, string msg
 where
-  name = alg.getAlgorithmName() and
-  name in ["DES", "TripleDES", "DoubleDES", "RC2", "RC4", "IDEA", "Blowfish"] and
-  msg = "Use of unapproved symmetric cipher algorithm or API: " + name + "."
-select alg, msg
+  algType = alg.getAlgorithmType() and
+  (
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::TRIPLE_DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::DOUBLE_DES()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC2()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::RC4()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::IDEA()) or
+    algType = KeyOpAlg::TSymmetricCipher(KeyOpAlg::BLOWFISH())
+  ) and
+  msg = "Use of unapproved symmetric cipher algorithm or API: " + algType.toString() + "."
+select alg, msg

java/ql/src/experimental/quantum/Analysis/WeakSymmetricCiphers.ql

@@ -344,7 +344,7 @@ module Types {
   /**
    * Elliptic curve algorithms
    */
-  newtype TEllipticCurveFamilyType =
+  newtype TEllipticCurveType =
     NIST() or
     SEC() or
     NUMS() or
@@ -357,7 +357,7 @@ module Types {
     ES() or
     OtherEllipticCurveType()
 
-  class EllipticCurveFamilyType extends TEllipticCurveFamilyType {
+  class EllipticCurveType extends TEllipticCurveType {
     string toString() {
       this = NIST() and result = "NIST"
       or
@@ -445,7 +445,7 @@ module Types {
    */
   bindingset[rawName]
   predicate ellipticCurveNameToKnownKeySizeAndFamilyMapping(
-    string rawName, int keySize, TEllipticCurveFamilyType curveFamily
+    string rawName, int keySize, TEllipticCurveType curveFamily
   ) {
     exists(string curveName | curveName = rawName.toUpperCase() |
       isSecCurve(curveName, keySize) and curveFamily = SEC()