Adding KDF iteration count inventory filters.

Author: bdrodes

java/ql/src/experimental/Quantum/InventoryFilters/KnownWeakKDFIterationCount.ql

@@ -0,0 +1,15 @@
+/**
+ * @name Detects known weak KDf iteration counts (less than 100k and the count is statically known)
+ * @id java/crypto_inventory_filters/known_weak_kdf_iteration_count
+ * @kind problem
+ */
+
+import java
+import experimental.Quantum.Language
+
+from Crypto::KeyDerivationOperationNode op, Literal l
+where
+  op.getIterationCount().asElement() = l and
+  l.getValue().toInt() < 100000
+select op, "Key derivation operation configures iteration count below 100k: $@", l,
+  l.getValue().toString()

java/ql/src/experimental/Quantum/InventoryFilters/UnknownKDFIterationCount.ql

@@ -0,0 +1,19 @@
+/**
+ * @name Detects unknown KDf iteration counts
+ * @id java/crypto_inventory_filters/unknown_kdf_iteration_count
+ * @kind problem
+ */
+
+import java
+import experimental.Quantum.Language
+
+from Crypto::KeyDerivationOperationNode op, Element e, string msg
+where
+  e = op.getIterationCount().asElement() and
+  not e instanceof Literal and
+  msg = "Key derivation operation with unknown iteration: $@"
+  or
+  not exists(op.getIterationCount()) and
+  e = op.asElement() and
+  msg = "Key derivation operation with no iteration configuration."
+select op, msg, e, e.toString()