|
1 | | -/** |
2 | | - * Provides classes modeling cryptographic algorithms, separated into strong and weak variants. |
3 | | - * |
4 | | - * The classification into strong and weak are based on Wikipedia, OWASP and google (2017). |
5 | | - */ |
| 1 | +/** DEPRECATED: Use `semmle.python.concepts.CryptoAlgorithms` instead. */ |
6 | 2 |
|
7 | | -/** |
8 | | - * Names of cryptographic algorithms, separated into strong and weak variants. |
9 | | - * |
10 | | - * The names are normalized: upper-case, no spaces, dashes or underscores. |
11 | | - * |
12 | | - * The names are inspired by the names used in real world crypto libraries. |
13 | | - * |
14 | | - * The classification into strong and weak are based on Wikipedia, OWASP and google (2017). |
15 | | - */ |
16 | | -private module AlgorithmNames { |
17 | | - predicate isStrongHashingAlgorithm(string name) { |
18 | | - name = "DSA" or |
19 | | - name = "ED25519" or |
20 | | - name = "ES256" or |
21 | | - name = "ECDSA256" or |
22 | | - name = "ES384" or |
23 | | - name = "ECDSA384" or |
24 | | - name = "ES512" or |
25 | | - name = "ECDSA512" or |
26 | | - name = "SHA2" or |
27 | | - name = "SHA224" or |
28 | | - name = "SHA256" or |
29 | | - name = "SHA384" or |
30 | | - name = "SHA512" or |
31 | | - name = "SHA3" |
32 | | - } |
33 | | - |
34 | | - predicate isWeakHashingAlgorithm(string name) { |
35 | | - name = "HAVEL128" or |
36 | | - name = "MD2" or |
37 | | - name = "MD4" or |
38 | | - name = "MD5" or |
39 | | - name = "PANAMA" or |
40 | | - name = "RIPEMD" or |
41 | | - name = "RIPEMD128" or |
42 | | - name = "RIPEMD256" or |
43 | | - name = "RIPEMD160" or |
44 | | - name = "RIPEMD320" or |
45 | | - name = "SHA0" or |
46 | | - name = "SHA1" |
47 | | - } |
48 | | - |
49 | | - predicate isStrongEncryptionAlgorithm(string name) { |
50 | | - name = "AES" or |
51 | | - name = "AES128" or |
52 | | - name = "AES192" or |
53 | | - name = "AES256" or |
54 | | - name = "AES512" or |
55 | | - name = "RSA" or |
56 | | - name = "RABBIT" or |
57 | | - name = "BLOWFISH" |
58 | | - } |
59 | | - |
60 | | - predicate isWeakEncryptionAlgorithm(string name) { |
61 | | - name = "DES" or |
62 | | - name = "3DES" or |
63 | | - name = "TRIPLEDES" or |
64 | | - name = "TDEA" or |
65 | | - name = "TRIPLEDEA" or |
66 | | - name = "ARC2" or |
67 | | - name = "RC2" or |
68 | | - name = "ARC4" or |
69 | | - name = "RC4" or |
70 | | - name = "ARCFOUR" or |
71 | | - name = "ARC5" or |
72 | | - name = "RC5" |
73 | | - } |
74 | | - |
75 | | - predicate isStrongPasswordHashingAlgorithm(string name) { |
76 | | - name = "ARGON2" or |
77 | | - name = "PBKDF2" or |
78 | | - name = "BCRYPT" or |
79 | | - name = "SCRYPT" |
80 | | - } |
81 | | - |
82 | | - predicate isWeakPasswordHashingAlgorithm(string name) { none() } |
83 | | -} |
84 | | - |
85 | | -private import AlgorithmNames |
86 | | - |
87 | | -/** |
88 | | - * A cryptographic algorithm. |
89 | | - */ |
90 | | -private newtype TCryptographicAlgorithm = |
91 | | - MkHashingAlgorithm(string name, boolean isWeak) { |
92 | | - isStrongHashingAlgorithm(name) and isWeak = false |
93 | | - or |
94 | | - isWeakHashingAlgorithm(name) and isWeak = true |
95 | | - } or |
96 | | - MkEncryptionAlgorithm(string name, boolean isWeak) { |
97 | | - isStrongEncryptionAlgorithm(name) and isWeak = false |
98 | | - or |
99 | | - isWeakEncryptionAlgorithm(name) and isWeak = true |
100 | | - } or |
101 | | - MkPasswordHashingAlgorithm(string name, boolean isWeak) { |
102 | | - isStrongPasswordHashingAlgorithm(name) and isWeak = false |
103 | | - or |
104 | | - isWeakPasswordHashingAlgorithm(name) and isWeak = true |
105 | | - } |
106 | | - |
107 | | -/** |
108 | | - * A cryptographic algorithm. |
109 | | - */ |
110 | | -abstract class CryptographicAlgorithm extends TCryptographicAlgorithm { |
111 | | - /** Gets a textual representation of this element. */ |
112 | | - string toString() { result = getName() } |
113 | | - |
114 | | - /** |
115 | | - * Gets the normalized name of this algorithm (upper-case, no spaces, dashes or underscores). |
116 | | - */ |
117 | | - abstract string getName(); |
118 | | - |
119 | | - /** |
120 | | - * Holds if the name of this algorithm matches `name` modulo case, |
121 | | - * white space, dashes, and underscores. |
122 | | - */ |
123 | | - bindingset[name] |
124 | | - predicate matchesName(string name) { |
125 | | - name.toUpperCase().regexpReplaceAll("[-_ ]", "") = getName() |
126 | | - } |
127 | | - |
128 | | - /** |
129 | | - * Holds if this algorithm is weak. |
130 | | - */ |
131 | | - abstract predicate isWeak(); |
132 | | -} |
133 | | - |
134 | | -/** |
135 | | - * A hashing algorithm such as `MD5` or `SHA512`. |
136 | | - */ |
137 | | -class HashingAlgorithm extends MkHashingAlgorithm, CryptographicAlgorithm { |
138 | | - string name; |
139 | | - boolean isWeak; |
140 | | - |
141 | | - HashingAlgorithm() { this = MkHashingAlgorithm(name, isWeak) } |
142 | | - |
143 | | - override string getName() { result = name } |
144 | | - |
145 | | - override predicate isWeak() { isWeak = true } |
146 | | -} |
147 | | - |
148 | | -/** |
149 | | - * An encryption algorithm such as `DES` or `AES512`. |
150 | | - */ |
151 | | -class EncryptionAlgorithm extends MkEncryptionAlgorithm, CryptographicAlgorithm { |
152 | | - string name; |
153 | | - boolean isWeak; |
154 | | - |
155 | | - EncryptionAlgorithm() { this = MkEncryptionAlgorithm(name, isWeak) } |
156 | | - |
157 | | - override string getName() { result = name } |
158 | | - |
159 | | - override predicate isWeak() { isWeak = true } |
160 | | -} |
161 | | - |
162 | | -/** |
163 | | - * A password hashing algorithm such as `PBKDF2` or `SCRYPT`. |
164 | | - */ |
165 | | -class PasswordHashingAlgorithm extends MkPasswordHashingAlgorithm, CryptographicAlgorithm { |
166 | | - string name; |
167 | | - boolean isWeak; |
168 | | - |
169 | | - PasswordHashingAlgorithm() { this = MkPasswordHashingAlgorithm(name, isWeak) } |
170 | | - |
171 | | - override string getName() { result = name } |
172 | | - |
173 | | - override predicate isWeak() { isWeak = true } |
174 | | -} |
| 3 | +import semmle.python.concepts.CryptoAlgorithms |
0 commit comments