Skip to content

Commit b2e79e2

Browse files
RasmusWLbdrodes
RasmusWL
and
bdrodes
committed
Python/Ruby/JS Crypto: Add a few algorithms + block modes
I have tried to add a few links to support the claim that these algorithms are strong/safe. It wasn't always super easy, so in some cases I have ended up just linking to the documentation of the `cryptography` Python package. Co-authored-by: REDMOND\brodes <[email protected]>
1 parent d55e9d5 commit b2e79e2

File tree

2 files changed

+21
-2
lines changed

2 files changed

+21
-2
lines changed

python/ql/lib/semmle/python/concepts/internal/CryptoAlgorithmNames.qll

Lines changed: 13 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -14,8 +14,20 @@
1414
predicate isStrongHashingAlgorithm(string name) {
1515
name =
1616
[
17+
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#blake2
18+
// and https://www.blake2.net/
19+
"BLAKE2", "BLAKE2B", "BLAKE2S",
20+
// see https://github.com/BLAKE3-team/BLAKE3
21+
"BLAKE3",
22+
//
1723
"DSA", "ED25519", "ES256", "ECDSA256", "ES384", "ECDSA384", "ES512", "ECDSA512", "SHA2",
18-
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512"
24+
"SHA224", "SHA256", "SHA384", "SHA512", "SHA3", "SHA3224", "SHA3256", "SHA3384", "SHA3512",
25+
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#cryptography.hazmat.primitives.hashes.SHAKE128
26+
"SHAKE128", "SHAKE256",
27+
// see https://cryptography.io/en/latest/hazmat/primitives/cryptographic-hashes/#sm3
28+
"SM3",
29+
// see https://security.stackexchange.com/a/216297
30+
"WHIRLPOOL",
1931
]
2032
}
2133

python/ql/lib/semmle/python/internal/ConceptsShared.qll

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,14 @@ module Cryptography {
8181
* data of arbitrary length using a block encryption algorithm.
8282
*/
8383
class BlockMode extends string {
84-
BlockMode() { this = ["ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP"] }
84+
BlockMode() {
85+
this =
86+
[
87+
"ECB", "CBC", "GCM", "CCM", "CFB", "OFB", "CTR", "OPENPGP",
88+
"XTS", // https://csrc.nist.gov/publications/detail/sp/800-38e/final
89+
"EAX" // https://en.wikipedia.org/wiki/EAX_mode
90+
]
91+
}
8592

8693
/** Holds if this block mode is considered to be insecure. */
8794
predicate isWeak() { this = "ECB" }

0 commit comments

Comments
 (0)