bring in changes from cryptsweeper

Author: Lordfirespeed

python/ql/lib/experimental/cryptography/CryptoAlgorithmNames.qll

@@ -104,7 +104,9 @@ predicate isSymmetricEncryptionAlgorithm(string name) {
 predicate isKeyDerivationAlgorithm(string name) {
   name =
     [
-      "ARGON2", "ARGON2D", "ARGON2I", "ARGON2ID", "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC",
+      // 'ARGON2' should only be used in cases where the specific variant in use cannot be discerned reliably
+      "ARGON2", "ARGON2D", "ARGON2I", "ARGON2ID",
+      "CONCATKDF", "CONCATKDFHASH", "CONCATKDFHMAC",
       "KBKDFCMAC", "BCRYPT", "HKDF", "HKDFEXPAND", "KBKDF", "KBKDFHMAC", "PBKDF1", "PBKDF2",
       "PBKDF2HMAC", "PKCS5", "SCRYPT", "X963KDF", "EVPKDF"
     ]

python/ql/lib/experimental/cryptography/CryptoArtifact.qll

@@ -20,7 +20,7 @@ abstract class CryptographicArtifact extends DataFlow::Node { }
 abstract class SymmetricCipher extends CryptographicArtifact {
   abstract SymmetricEncryptionAlgorithm getEncryptionAlgorithm();
 
-  abstract BlockMode getBlockMode();
+  abstract BlockModeInstance getBlockMode();
 
   final predicate hasBlockMode() { exists(this.getBlockMode()) }
 }
@@ -55,9 +55,14 @@ abstract class CryptographicOperation extends CryptographicArtifact, API::CallNo
     not this.hasAlgorithm()
   }
 
+  /** Gets the data flow node where the cryptographic algorithm used in this operation is configured. */
+  abstract DataFlow::Node getInitialisation();
   // TODO: this might have to be parameterized by a configuration source for
   //       situations where an operation is passed an algorithm
+  /** Gets the algorithm used, if it matches a known `CryptographicAlgorithm`. */
   abstract CryptographicAlgorithm getAlgorithm();
+  /** Gets an input the algorithm is used on, for example the plain text input to be encrypted. */
+  abstract DataFlow::Node getAnInput();
 }
 
 /** A key generation operation for asymmetric keys */
@@ -129,10 +134,11 @@ abstract class KeyDerivationAlgorithm extends CryptographicAlgorithm {
 }
 
 abstract class KeyDerivationOperation extends CryptographicOperation {
-  DataFlow::Node getIterationSizeSrc() { none() }
-
+  DataFlow::Node getSaltConfigSink() { none() }
   DataFlow::Node getSaltConfigSrc() { none() }
 
+  DataFlow::Node getIterationSizeSrc() { none() }
+
   DataFlow::Node getHashConfigSrc() { none() }
 
   DataFlow::Node getLanesConfigSrc() { none() }
@@ -175,6 +181,8 @@ abstract class EncryptionAlgorithm extends CryptographicAlgorithm {
   //       class does not have this common predicate.
 }
 
+abstract class EncryptionOperation extends CryptographicOperation { }
+
 /**
  * Algorithms directly or indirectly related to asymmetric encryption,
  * e.g., RSA, DSA, but also RSA padding algorithms
@@ -200,6 +208,8 @@ abstract class SymmetricEncryptionAlgorithm extends EncryptionAlgorithm {
   // TODO: add a stream cipher predicate?
 }
 
+abstract class SymmetricEncryptionOperation extends EncryptionOperation { }
+
 // Used only to categorize all padding into a single object,
 // DO_NOT add predicates here. Only for categorization purposes.
 abstract class PaddingAlgorithm extends CryptographicAlgorithm { }
@@ -230,7 +240,7 @@ abstract class EllipticCurveAlgorithm extends AsymmetricAlgorithm {
   final int getCurveBitSize() { isEllipticCurveAlgorithm(this.getCurveName(), result) }
 }
 
-abstract class BlockMode extends CryptographicAlgorithm {
+abstract class BlockModeInstance extends CryptographicAlgorithm {
   final string getBlockModeName() {
     if exists(string n | n = this.getName() and isCipherBlockModeAlgorithm(n))
     then isCipherBlockModeAlgorithm(result) and result = this.getName()
@@ -240,21 +250,38 @@ abstract class BlockMode extends CryptographicAlgorithm {
   /**
    * Gets the source of the IV configuration.
    */
-  abstract DataFlow::Node getIVorNonce();
+  abstract DataFlow::Node getIVOrNonceSrc();
+
+  /**
+   * Gets the sink of the IV configuration.
+   */
+  abstract DataFlow::Node getIVOrNonceSink();
 
-  final predicate hasIVorNonce() { exists(this.getIVorNonce()) }
+  final predicate hasIVorNonce() { exists(this.getIVOrNonceSrc()) }
 }
 
 abstract class KeyWrapOperation extends CryptographicOperation { }
 
 abstract class AuthenticatedEncryptionAlgorithm extends SymmetricEncryptionAlgorithm {
-  final string getAuthticatedEncryptionName() {
+  final string getAuthenticatedEncryptionName() {
     if exists(string n | n = this.getName() and isSymmetricEncryptionAlgorithm(n))
     then isSymmetricEncryptionAlgorithm(result) and result = this.getName()
     else result = unknownAlgorithm()
   }
 }
 
+abstract class AuthenticatedEncryptionOperation extends SymmetricEncryptionOperation {
+  /**
+   * Gets the source of the IV configuration.
+   */
+  abstract DataFlow::Node getIVOrNonceSrc();
+
+  /**
+   * Gets the sink of the IV configuration.
+   */
+  abstract DataFlow::Node getIVOrNonceSink();
+}
+
 abstract class KeyExchangeAlgorithm extends AsymmetricAlgorithm {
   final string getKeyExchangeName() {
     if exists(string n | n = this.getName() and isKeyExchangeAlgorithm(n))