split rsa/dsa/dh

Jami Cogswell · jcogs33 · commit 1f4bd009934d · 2022-12-01T11:56:44.000-05:00
diff --git a/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll b/java/ql/lib/semmle/code/java/security/InsufficientKeySize.qll
@@ -20,41 +20,121 @@ abstract class InsufficientKeySizeSink extends DataFlow::Node {
 private module Asymmetric {
   /** Provides models for non-elliptic-curve asymmetric cryptography. */
   private module NonEllipticCurve {
-    /** A source for an insufficient key size used in RSA, DSA, and DH algorithms. */
-    private class Source extends InsufficientKeySizeSource {
-      Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
+    private module Rsa {
+      /** A source for an insufficient key size used in an RSA algorithm. */
+      private class Source extends InsufficientKeySizeSource {
+        Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
 
-      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
+      }
+
+      /** A sink for an insufficient key size used in an RSA algorithm. */
+      private class Sink extends InsufficientKeySizeSink {
+        Sink() {
+          exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
+            kpg.getAlgoName() = "RSA" and
+            DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
+            this.asExpr() = kpgInit.getKeySizeArg()
+          )
+          or
+          exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+        }
+
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
+      }
+
+      /** Returns the minimum recommended key size for an RSA algorithm. */
+      private int getMinKeySize() { result = minSecureKeySizeRsa() }
+
+      /** An instance of an RSA algorithm specification. */
+      private class Spec extends ClassInstanceExpr {
+        Spec() { this.getConstructedType() instanceof RsaKeyGenParameterSpec }
+
+        /** Gets the `keysize` argument of this instance. */
+        Argument getKeySizeArg() { result = this.getArgument(0) }
+      }
     }
 
-    /** A sink for an insufficient key size used in RSA, DSA, and DH algorithms. */
-    private class Sink extends InsufficientKeySizeSink {
-      Sink() {
-        exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
-          kpg.getAlgoName().matches(["RSA", "DSA", "DH"]) and
-          DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
-          this.asExpr() = kpgInit.getKeySizeArg()
-        )
-        or
-        exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+    private module Dsa {
+      /** A source for an insufficient key size used a DSA algorithm. */
+      private class Source extends InsufficientKeySizeSource {
+        Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
+
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
       }
 
-      override predicate hasState(DataFlow::FlowState state) { state = getMinKeySize().toString() }
+      /** A sink for an insufficient key size used in a DSA algorithm. */
+      private class Sink extends InsufficientKeySizeSink {
+        Sink() {
+          exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
+            kpg.getAlgoName() = "DSA" and
+            DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
+            this.asExpr() = kpgInit.getKeySizeArg()
+          )
+          or
+          exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+        }
+
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
+      }
+
+      /** Returns the minimum recommended key size for a DSA algorithm. */
+      private int getMinKeySize() { result = minSecureKeySizeDsa() }
+
+      /** An instance of a DSA algorithm specification. */
+      private class Spec extends ClassInstanceExpr {
+        Spec() { this.getConstructedType() instanceof DsaGenParameterSpec }
+
+        /** Gets the `keysize` argument of this instance. */
+        Argument getKeySizeArg() { result = this.getArgument(0) }
+      }
     }
 
-    /** Returns the minimum recommended key size for RSA, DSA, and DH algorithms. */
-    private int getMinKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
+    private module Dh {
+      /** A source for an insufficient key size used in a DH algorithm. */
+      private class Source extends InsufficientKeySizeSource {
+        Source() { this.asExpr().(IntegerLiteral).getIntValue() < getMinKeySize() }
 
-    /** An instance of an RSA, DSA, or DH algorithm specification. */
-    private class Spec extends ClassInstanceExpr {
-      Spec() {
-        this.getConstructedType() instanceof RsaKeyGenParameterSpec or
-        this.getConstructedType() instanceof DsaGenParameterSpec or
-        this.getConstructedType() instanceof DhGenParameterSpec
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
       }
 
-      /** Gets the `keysize` argument of this instance. */
-      Argument getKeySizeArg() { result = this.getArgument(0) }
+      /** A sink for an insufficient key size used in a DH algorithm. */
+      private class Sink extends InsufficientKeySizeSink {
+        Sink() {
+          exists(KeyPairGenInit kpgInit, KeyPairGen kpg |
+            kpg.getAlgoName() = "DH" and
+            DataFlow::localExprFlow(kpg, kpgInit.getQualifier()) and
+            this.asExpr() = kpgInit.getKeySizeArg()
+          )
+          or
+          exists(Spec spec | this.asExpr() = spec.getKeySizeArg())
+        }
+
+        override predicate hasState(DataFlow::FlowState state) {
+          state = getMinKeySize().toString()
+        }
+      }
+
+      /** Returns the minimum recommended key size for a DH algorithm. */
+      private int getMinKeySize() { result = minSecureKeySizeDh() }
+
+      /** An instance of an RSA, DSA, or DH algorithm specification. */
+      private class Spec extends ClassInstanceExpr {
+        Spec() { this.getConstructedType() instanceof DhGenParameterSpec }
+
+        /** Gets the `keysize` argument of this instance. */
+        Argument getKeySizeArg() { result = this.getArgument(0) }
+      }
     }
   }
 
@@ -88,7 +168,7 @@ private module Asymmetric {
     }
 
     /** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-    private int getMinKeySize() { result = minSecureKeySizeAsymmetricEc() }
+    private int getMinKeySize() { result = minSecureKeySizeEcc() }
 
     /** Returns the key size from an EC algorithm's curve name string */
     bindingset[algorithm]
@@ -169,7 +249,7 @@ private module Symmetric {
   }
 
   /** Returns the minimum recommended key size for AES algorithms. */
-  private int getMinKeySize() { result = minSecureKeySizeSymmetric() }
+  private int getMinKeySize() { result = minSecureKeySizeAes() }
 
   /** A call to the `init` method declared in `javax.crypto.KeyGenerator`. */
   private class KeyGenInit extends MethodAccess {
diff --git a/java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll b/java/ql/lib/semmle/code/java/security/internal/EncryptionKeySizes.qll
@@ -5,11 +5,17 @@
  * Such that we can share this logic across our CodeQL analysis of different languages.
  */
 
-/** Returns the minimum recommended key size for asymmetric algorithms (RSA, DSA, and DH). */
-int minSecureKeySizeAsymmetricNonEc() { result = 2048 }
+/** Returns the minimum recommended key size for RSA. */
+int minSecureKeySizeRsa() { result = 2048 }
 
-/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-int minSecureKeySizeAsymmetricEc() { result = 256 }
+/** Returns the minimum recommended key size for DSA. */
+int minSecureKeySizeDsa() { result = 2048 }
 
-/** Returns the minimum recommended key size for symmetric algorithmms (AES). */
-int minSecureKeySizeSymmetric() { result = 128 }
+/** Returns the minimum recommended key size for DH. */
+int minSecureKeySizeDh() { result = 2048 }
+
+/** Returns the minimum recommended key size for elliptic curve cryptography. */
+int minSecureKeySizeEcc() { result = 256 }
+
+/** Returns the minimum recommended key size for AES. */
+int minSecureKeySizeAes() { result = 128 }
diff --git a/python/ql/lib/semmle/python/Concepts.qll b/python/ql/lib/semmle/python/Concepts.qll
@@ -1142,21 +1142,21 @@ module Cryptography {
       abstract class RsaRange extends Range {
         final override string getName() { result = "RSA" }
 
-        final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
+        final override int minimumSecureKeySize() { result = minSecureKeySizeRsa() }
       }
 
       /** A data-flow node that generates a new DSA key-pair. */
       abstract class DsaRange extends Range {
         final override string getName() { result = "DSA" }
 
-        final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }
+        final override int minimumSecureKeySize() { result = minSecureKeySizeDsa() }
       }
 
       /** A data-flow node that generates a new ECC key-pair. */
       abstract class EccRange extends Range {
         final override string getName() { result = "ECC" }
 
-        final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricEc() }
+        final override int minimumSecureKeySize() { result = minSecureKeySizeEcc() }
       }
     }
   }
diff --git a/python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll b/python/ql/lib/semmle/python/security/internal/EncryptionKeySizes.qll
@@ -5,11 +5,17 @@
  * Such that we can share this logic across our CodeQL analysis of different languages.
  */
 
-/** Returns the minimum recommended key size for asymmetric algorithms (RSA, DSA, and DH). */
-int minSecureKeySizeAsymmetricNonEc() { result = 2048 }
+/** Returns the minimum recommended key size for RSA. */
+int minSecureKeySizeRsa() { result = 2048 }
 
-/** Returns the minimum recommended key size for elliptic curve (EC) algorithms. */
-int minSecureKeySizeAsymmetricEc() { result = 256 }
+/** Returns the minimum recommended key size for DSA. */
+int minSecureKeySizeDsa() { result = 2048 }
 
-/** Returns the minimum recommended key size for symmetric algorithmms (AES). */
-int minSecureKeySizeSymmetric() { result = 128 }
+/** Returns the minimum recommended key size for DH. */
+int minSecureKeySizeDh() { result = 2048 }
+
+/** Returns the minimum recommended key size for elliptic curve cryptography. */
+int minSecureKeySizeEcc() { result = 256 }
+
+/** Returns the minimum recommended key size for AES. */
+int minSecureKeySizeAes() { result = 128 }

Original file line number	Diff line number	Diff line change
`@@ -1142,21 +1142,21 @@ module Cryptography {`
`1142`	`1142`	`abstract class RsaRange extends Range {`
`1143`	`1143`	`final override string getName() { result = "RSA" }`
`1144`	`1144`
`1145`		`- final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }`
	`1145`	`+ final override int minimumSecureKeySize() { result = minSecureKeySizeRsa() }`
`1146`	`1146`	`}`
`1147`	`1147`
`1148`	`1148`	`/** A data-flow node that generates a new DSA key-pair. */`
`1149`	`1149`	`abstract class DsaRange extends Range {`
`1150`	`1150`	`final override string getName() { result = "DSA" }`
`1151`	`1151`
`1152`		`- final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricNonEc() }`
	`1152`	`+ final override int minimumSecureKeySize() { result = minSecureKeySizeDsa() }`
`1153`	`1153`	`}`
`1154`	`1154`
`1155`	`1155`	`/** A data-flow node that generates a new ECC key-pair. */`
`1156`	`1156`	`abstract class EccRange extends Range {`
`1157`	`1157`	`final override string getName() { result = "ECC" }`
`1158`	`1158`
`1159`		`- final override int minimumSecureKeySize() { result = minSecureKeySizeAsymmetricEc() }`
	`1159`	`+ final override int minimumSecureKeySize() { result = minSecureKeySizeEcc() }`
`1160`	`1160`	`}`
`1161`	`1161`	`}`
`1162`	`1162`	`}`