moved crypto classes/methods to folder under lib

Author: chanel-y

powershell/ql/lib/semmle/code/powershell/security/cryptography/Concepts.qll

@@ -0,0 +1,4 @@
+import CryptoAlgorithmNames
+import CryptoArtifact
+
+import CryptographyModule

powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptoAlgorithmNames.qll

@@ -0,0 +1,27 @@
+predicate isHashingAlgorithm(string name) {
+  name = [
+      "blake2", "blake2b", "blake2s", "sha2", "sha224", "sha256", "sha384", "sha512", "sha512224",
+      "sha512256", "sha3", "sha3224", "sha3256", "sha3384", "sha3512", "shake128", "shake256",
+      "sm3", "whirlpool", "poly1305", "havel128", "md2", "md4", "md5", "panama", "ripemd",
+      "ripemd128", "ripemd256", "ripemd160", "ripemd320", "sha0", "sha1", "sha", "mgf1", "mgf1sha1",
+      "mdc2", "siphash"
+    ]
+}
+
+predicate isSymmetricAlgorithm(string name) {
+  name = [
+      "aes", "aes128", "aes192", "aes256", "aria", "blowfish", "bf", "ecies", "cast", "cast5",
+      "camellia", "camellia128", "camellia192", "camellia256", "chacha", "chacha20",
+      "chacha20poly1305", "gost", "gostr34102001", "gostr341094", "gostr341194", "gost2814789",
+      "gostr341194", "gost2814789", "gost28147", "gostr341094", "gost89", "gost94", "gost34102012",
+      "gost34112012", "idea", "rabbit", "seed", "sm4", "des", "desx", "3des", "tdes", "2des",
+      "des3", "tripledes", "tdea", "tripledea", "arc2", "rc2", "arc4", "rc4", "arcfour", "arc5",
+      "rc5", "magma", "kuznyechik"
+    ]
+}
+
+predicate isCipherBlockModeAlgorithm(string name) {
+  name = ["cbc", "gcm", "ccm", "cfb", "ofb", "cfb8", "ctr", "openpgp", "xts", "eax", "siv", "ecb"]
+}
+
+string unknownAlgorithm() { result = "UNKNOWN" }

powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptoArtifact.qll

@@ -0,0 +1,38 @@
+import powershell
+import CryptoAlgorithmNames
+import semmle.code.powershell.dataflow.DataFlow
+
+/*
+ * A cryptographic artifact is a DataFlow::Node associated with some
+ * operation, algorithm, or any other aspect of cryptography.
+ */
+
+abstract class CryptographicArtifact extends DataFlow::Node { }
+
+abstract class CryptographicAlgorithm extends CryptographicArtifact {
+  abstract string getName();
+}
+
+abstract class HashAlgorithm extends CryptographicAlgorithm {
+  final string getHashName() {
+    if exists(string n | n = this.getName() and isHashingAlgorithm(n))
+    then isHashingAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class SymmetricAlgorithm extends CryptographicAlgorithm {
+  final string getSymmetricAlgorithmName() {
+    if exists(string n | n = this.getName() and isSymmetricAlgorithm(n))
+    then isSymmetricAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}
+
+abstract class BlockMode extends CryptographicAlgorithm {
+  final string getBlockModeName() {
+    if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
+    then isCipherBlockModeAlgorithm(result) and result = this.getName()
+    else result = unknownAlgorithm()
+  }
+}

powershell/ql/lib/semmle/code/powershell/security/cryptography/CryptographyModule.qll

@@ -0,0 +1,198 @@
+import powershell
+import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.ApiGraphs
+
+import CryptoArtifact
+
+class CryptoAlgorithmObjectCreation extends DataFlow::ObjectCreationNode {
+    string objectName; 
+    CryptoAlgorithmObjectCreation(){
+        objectName = this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString().toLowerCase()
+    }
+    string getObjectName() {
+      result = objectName
+    }
+}
+
+class CryptoAlgorithmCreateCall extends DataFlow::CallNode {
+  string objectName; 
+    CryptoAlgorithmCreateCall() {
+      this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember(objectName).getMember("create").asCall()  
+  }
+
+  string getObjectName() {
+    result = objectName
+  }
+}
+
+class CryptoAlgorithmCreateArgCall extends DataFlow::CallNode {
+  string objectName; 
+    CryptoAlgorithmCreateArgCall() {
+    (
+        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember(_).getMember("create").asCall() or
+        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("create").asCall() 
+    ) and 
+      objectName = this.getAnArgument().asExpr().getValue().asString().toLowerCase()
+  }
+
+  string getObjectName() {
+    result = objectName
+  }
+}
+
+
+class CryptoAlgorithmCreateFromNameCall extends DataFlow::CallNode {
+  string objectName; 
+    CryptoAlgorithmCreateFromNameCall() {
+      this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("cryptoconfig").getMember("createfromname").asCall() and
+      objectName = this.getAnArgument().asExpr().getValue().asString().toLowerCase()
+  }
+
+  string getObjectName() {
+    result = objectName
+  }
+}
+
+class HashAlgorithmObjectCreation extends HashAlgorithm, CryptoAlgorithmObjectCreation {
+  string algName; 
+    HashAlgorithmObjectCreation() {
+    (
+        this.getObjectName() = "system.security.cryptography." + algName or
+        this.getObjectName() = "system.security.cryptography." + algName + "cryptoserviceprovider"
+    )
+    and
+      isHashingAlgorithm(algName) 
+  }
+
+  override string getName() {
+    result = algName
+  }
+}
+
+class HashAlgorithmCreateCall extends HashAlgorithm, CryptoAlgorithmCreateCall {
+  string algName; 
+    HashAlgorithmCreateCall() {
+        isHashingAlgorithm(this.getObjectName()) and 
+        (
+        this.getObjectName() = algName or 
+        this.getObjectName() = "system.security.cryptography." + algName 
+        )
+  }
+  override string getName() {
+    result = algName
+  }
+}
+
+class HashAlgorithmCreateFromNameCall extends HashAlgorithm, CryptoAlgorithmCreateFromNameCall {
+  string algName; 
+    HashAlgorithmCreateFromNameCall() {
+      (
+        this.getObjectName() = algName or 
+        this.getObjectName() = "system.security.cryptography." + algName 
+      ) and
+      isHashingAlgorithm(algName) 
+  }
+
+  override string getName() {
+    result = algName
+  }
+}
+
+class SymmetricAlgorithmObjectCreation extends SymmetricAlgorithm, CryptoAlgorithmObjectCreation {
+  string algName; 
+    SymmetricAlgorithmObjectCreation() {
+    (
+        this.getObjectName() = "system.security.cryptography." + algName or
+        this.getObjectName() = "system.security.cryptography." + algName + "cryptoserviceprovider" or 
+        this.getObjectName() = "system.security.cryptography.symmetricalgorithm." + algName
+    )
+    and
+      isSymmetricAlgorithm(algName) 
+  }
+
+  override string getName() {
+    result = algName
+  }
+}
+
+class SymmetricAlgorithmCreateCall extends SymmetricAlgorithm, CryptoAlgorithmCreateCall {
+  string algName; 
+    SymmetricAlgorithmCreateCall() {
+        isSymmetricAlgorithm(this.getObjectName()) and 
+        (
+            this.getObjectName() = algName or 
+            this.getObjectName() = "system.security.cryptography." + algName or 
+            this.getObjectName() = "system.security.cryptography.symmetricalgorithm." + algName 
+        )
+  }
+  override string getName() {
+    result = algName
+  }
+}
+
+class SymmetricAlgorithmCreateArgCall extends SymmetricAlgorithm, CryptoAlgorithmCreateArgCall {
+  string algName; 
+    SymmetricAlgorithmCreateArgCall() {
+        
+        (
+            algName = this.getObjectName() and
+            isSymmetricAlgorithm(algName) 
+        ) or 
+        (
+            this.getObjectName() = "system.security.cryptography." + algName and
+            isSymmetricAlgorithm(algName)
+        )
+  }
+  override string getName() {
+    result = algName
+  }
+}
+
+class SymmetricAlgorithmCreateFromNameCall extends SymmetricAlgorithm, CryptoAlgorithmCreateFromNameCall {
+  string algName; 
+    SymmetricAlgorithmCreateFromNameCall() {
+      (
+        this.getObjectName() = algName or 
+        this.getObjectName() = "system.security.cryptography." + algName or
+        this.getObjectName() = "system.security.cryptography.symmetricalgorithm." + algName 
+      ) and
+      isSymmetricAlgorithm(algName) 
+  }
+
+  override string getName() {
+    result = algName
+  }
+}
+
+class CipherBlockStringConstExpr extends BlockMode {
+    string modeName; 
+  CipherBlockStringConstExpr() {
+    exists(StringConstExpr s | 
+        s = this.asExpr().getExpr() and
+        modeName = s.getValueString().toLowerCase() and
+        isCipherBlockModeAlgorithm(modeName)
+    )
+  }
+  override string getName() {
+    result = modeName
+  }
+}
+
+class CipherBlockModeEnum extends BlockMode {
+    string modeName; 
+  CipherBlockModeEnum() {
+    exists(API::Node node | 
+        node =
+        API::getTopLevelMember("system")
+            .getMember("security")
+            .getMember("cryptography")
+            .getMember("ciphermode")
+            .getMember(modeName) and
+        this = node.asSource() and
+        isCipherBlockModeAlgorithm(modeName)
+    )
+  }
+  override string getName() {
+    result = modeName
+  }
+}

powershell/ql/src/queries/security/cwe-327/ApprovedCipherMode.ql

@@ -15,14 +15,9 @@ import powershell
 import semmle.code.powershell.dataflow.DataFlow
 import semmle.code.powershell.dataflow.TaintTracking
 import semmle.code.powershell.ApiGraphs
+import semmle.code.powershell.security.cryptography.Concepts
 import WeakEncryptionFlow::PathGraph
 
-class AesCreation extends ObjectCreation {
-  AesCreation() {
-    this.getAnArgument().getValue().stringMatches("System.Security.Cryptography.AesManaged")
-  }
-}
-
 class AesModeProperty extends MemberExpr {
   AesModeProperty() {
     exists(DataFlow::ObjectCreationNode aesObjectCreation, DataFlow::Node aesObjectAccess |
@@ -38,27 +33,11 @@ class AesModeProperty extends MemberExpr {
   }
 }
 
-class WeakAesMode extends DataFlow::Node {
-  WeakAesMode() {
-    exists(API::Node node, string modeValue |
-      node =
-        API::getTopLevelMember("system")
-            .getMember("security")
-            .getMember("cryptography")
-            .getMember("ciphermode")
-            .getMember(modeValue) and
-      modeValue = ["ecb", "ofb", "cfb", "ctr", "obc"] and
-      this = node.asSource()
-    ) or 
-    exists(StringConstExpr s | 
-      s.getValueString().toLowerCase() = ["ecb", "ofb", "cfb", "ctr", "obc"] and 
-      this.asExpr().getExpr() = s
-    )
-  }
-}
-
 module Config implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source instanceof WeakAesMode }
+  predicate isSource(DataFlow::Node source) { 
+    source instanceof BlockMode and 
+    not source.(BlockMode).getBlockModeName() = ["cbc","cts","xts"]
+  }
 
   predicate isSink(DataFlow::Node sink) {
     sink.(DataFlow::PostUpdateNode).getPreUpdateNode().asExpr().getExpr() =

powershell/ql/src/queries/security/cwe-327/WeakHashes.ql

@@ -14,50 +14,9 @@
 import powershell
 import semmle.code.powershell.ApiGraphs
 import semmle.code.powershell.dataflow.DataFlow
+import semmle.code.powershell.security.cryptography.Concepts
 
-class WeakHashAlgorithmObjectCreation extends DataFlow::ObjectCreationNode {
-  WeakHashAlgorithmObjectCreation() {
-    this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.MD5" or 
-    this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.MD5CryptoServiceProvider" or 
-    this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.SHA1" or
-    this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.SHA1CryptoServiceProvider" or
-    this.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.SHA1Managed"
-  }
-}
-
-class WeakHashAlgorithmCreateCall extends DataFlow::CallNode {
-    WeakHashAlgorithmCreateCall() {
-        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("md5").getMember("create").asCall() or
-        this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("sha1").getMember("create").asCall() 
-  }
-}
-
-class ComputeHashSink extends DataFlow::Node {
-    ComputeHashSink() {
-      exists(DataFlow::ObjectCreationNode ocn, DataFlow::CallNode cn | 
-        (
-            ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.SHA1Managed" or 
-            ocn.getExprNode().getExpr().(CallExpr).getAnArgument().getValue().asString() = "System.Security.Cryptography.SHA1CryptoServiceProvider"
-        ) and
-        cn.getQualifier().getALocalSource() = ocn and 
-        cn.getLowerCaseName() = "computehash" and
-        cn.getAnArgument() = this
-      )
-    }
-}
-
-class CreateFromNameSink extends DataFlow::CallNode {
-  CreateFromNameSink(){
-      this = API::getTopLevelMember("system").getMember("security").getMember("cryptography").getMember("cryptoconfig").getMember("createfromname").asCall() and 
-      this.getAnArgument().asExpr().getValue().asString() = "System.Security.Cryptography.MD5" or
-      this.getAnArgument().asExpr().getValue().asString() = "MD5" 
-        
-  }
-}
-
-from DataFlow::Node sink 
-where sink instanceof ComputeHashSink or 
-sink instanceof WeakHashAlgorithmObjectCreation or 
-sink instanceof WeakHashAlgorithmCreateCall or 
-sink instanceof CreateFromNameSink
-select sink, "Use of weak cryptographic hash algorithm."
+from HashAlgorithm hashAlg
+where
+  not hashAlg.getHashName() = ["sha256", "sha384", "sha512"]
+select hashAlg, "Use of weak cryptographic hash algorithm: " + hashAlg.getHashName() + "."