Python: cryptography module upgrades #11678
Conversation
… adding 'isKnown' support to get the universe of possible options. Finally added an unknown algorithm stub, so if no match is found, we can consistently have a string representing unknown.
…te, and to have a fail safe 'unknown' option. If a block mode is unknown, the isWeak predicate will not stipulate the algorithm is weak by default. An isKnown predicate is added to determine if the algorithm is known.
… finding block modes that aren't known. This avoids cases where the library is updated and we don't recognize new modes as being weak or strong, instead they would've been ignored entirely.
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| class Hashlibpbkdf2HMAC extends Cryptography::CryptographicOperation::Range, API::CallNode { | ||
| string hashName; | ||
|
|
||
| Hashlibpbkdf2HMAC() { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase.
| private API::CallNode hashlibpbkdf2HMACCall(string algorithmName) | ||
| { | ||
| algorithmName = | ||
| result.getParameter(0, "hash_name").getAValueReachingSink().asExpr().(StrConst).getText() and |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase.
| override Cryptography::BlockMode getBlockModeRaw() { | ||
| // `modeName` is of the form "MODE_<BlockMode>" | ||
| exists(string modeName | | ||
| if resolveModeName(modeName) |
Check warning
Code scanning / CodeQL
Using implicit `this`
| */ | ||
| predicate isWeakCipherBlockModeAlgorithm(string name) | ||
| { | ||
| name = ["ECB"] |
Check warning
Code scanning / CodeQL
Singleton set literal
RasmusWL
changed the title
|
as discussed offline, I'll take a look at how much of this we can easily accept, and how much might need further consideration. |
…d should be caught through name normalization. Added EAX block mode.
…s. Updated stdlib framework to include hmac hashing library.
| class HMACDirectHash extends Cryptography::CryptographicOperation::Range, API::CallNode { | ||
| string hashName; | ||
|
|
||
| HMACDirectHash() { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase.
| class HMACUpdateCall extends Cryptography::CryptographicOperation::Range, API::CallNode { | ||
| string hashName; | ||
|
|
||
| HMACUpdateCall() { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase.
| private API::CallNode baseHMACOperation(string algorithmName) { | ||
| ( | ||
| result = API::moduleImport("hmac").getMember("new").getACall() or | ||
| result = API::moduleImport("hmac").getMember("digest").getACall() or |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase.
Updates to python crypto API support. Additional algorithms added, support for 'unknown' algorithms and block modes added, and support added for the cryptography module pbkdf2_hmac.