Crypto: Minor fixes to WeakBlockModes, WeakHash to consider SHA3 ok, Added unknown hash.

Author: bdrodes

java/ql/src/experimental/quantum/Analysis/UnknownHash.ql

@@ -0,0 +1,17 @@
+/**
+ * @name Unknown hashes
+ * @description Finds uses of cryptographic hashing algorithms of unknown type.
+ * @id java/quantum/unknown-hash
+ * @kind problem
+ * @problem.severity error
+ * @precision high
+ * @tags quantum
+ *       experimental
+ */
+
+import java
+import experimental.quantum.Language
+
+from Crypto::HashAlgorithmNode alg
+where not exists(alg.getHashType())
+select alg, "Use of unknown hash algorithm or API."

java/ql/src/experimental/quantum/Analysis/WeakBlockModes.ql

@@ -13,19 +13,21 @@ import java
 import experimental.quantum.Language
 
 class WeakAESBlockModeAlgNode extends Crypto::KeyOperationAlgorithmNode {
+  Crypto::ModeOfOperationAlgorithmNode mode;
+
   WeakAESBlockModeAlgNode() {
     this.getAlgorithmType() = Crypto::KeyOpAlg::TSymmetricCipher(Crypto::KeyOpAlg::AES()) and
+    mode = super.getModeOfOperation() and
     (
-      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::ECB() or
-      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CFB() or
-      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::OFB() or
-      this.getModeOfOperation().getModeType() = Crypto::KeyOpAlg::CTR()
+      mode.getModeType() = Crypto::KeyOpAlg::ECB() or
+      mode.getModeType() = Crypto::KeyOpAlg::CFB() or
+      mode.getModeType() = Crypto::KeyOpAlg::OFB() or
+      mode.getModeType() = Crypto::KeyOpAlg::CTR()
     )
   }
+
+  Crypto::ModeOfOperationAlgorithmNode getMode() { result = mode }
 }
 
-from Crypto::KeyOperationNode op, Crypto::KeyOperationOutputNode codeNode
-where
-  op.getAKnownAlgorithm() instanceof WeakAESBlockModeAlgNode and
-  codeNode = op.getAnOutputArtifact()
-select op, "Weak AES block mode instance."
+from WeakAESBlockModeAlgNode alg
+select alg, "Weak AES block mode instance $@.", alg.getMode(), alg.getMode().toString()

…rimental/quantum/Analysis/WeakHashing.ql …xperimental/quantum/Analysis/WeakHash.qljava/ql/src/experimental/quantum/Analysis/WeakHashing.ql renamed to java/ql/src/experimental/quantum/Analysis/WeakHash.ql java/ql/src/experimental/quantum/Analysis/WeakHashing.ql renamed to java/ql/src/experimental/quantum/Analysis/WeakHash.ql

@@ -1,7 +1,7 @@
 /**
  * @name Weak hashes
  * @description Finds uses of cryptographic hashing algorithms that are unapproved or otherwise weak.
- * @id java/quantum/weak-hashes
+ * @id java/quantum/weak-hash
  * @kind problem
  * @problem.severity error
  * @precision high
@@ -17,15 +17,15 @@ from Crypto::HashAlgorithmNode alg, Crypto::HashType htype, string msg
 where
   htype = alg.getHashType() and
   (
-    htype != Crypto::SHA2() and
+    (htype != Crypto::SHA2() and htype != Crypto::SHA2()) and
     msg = "Use of unapproved hash algorithm or API " + htype.toString() + "."
     or
-    htype = Crypto::SHA2() and
+    (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and
     not exists(alg.getDigestLength()) and
     msg =
       "Use of approved hash algorithm or API type " + htype.toString() + " but unknown digest size."
     or
-    htype = Crypto::SHA2() and
+    (htype = Crypto::SHA2() or htype = Crypto::SHA3()) and
     alg.getDigestLength() < 256 and
     msg =
       "Use of approved hash algorithm or API type " + htype.toString() + " but weak digest size (" +