hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-19 22:14:01 +02:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Adding initial openssl tests, fixing a bug in hash modeling found through tests, and updating CODEOWNERS for quantum tests

Browse Source
This commit is contained in:
REDMOND\brodes
2025-05-22 14:35:14 -04:00
parent 007683f06a
commit 41f008d4f3
20 changed files with 9028 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.expected Normal file
View File

@@ -0,0 +1,2 @@
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:179:43:179:76 | Constant |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:179:43:179:76 | Constant |

6
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_key_sources.ql Normal file
View File

@@ -0,0 +1,6 @@
import cpp
import experimental.quantum.Language
from Crypto::CipherOperationNode op, Crypto::KeyArtifactNode k
where op.getAKey() = k
select op, k, k.getSourceNode()

2
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.expected Normal file
View File

@@ -0,0 +1,2 @@
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:180:42:180:59 | Constant |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:180:42:180:59 | Constant |

6
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_nonce_sources.ql Normal file
View File

@@ -0,0 +1,6 @@
import cpp
import experimental.quantum.Language
from Crypto::CipherOperationNode op, Crypto::NonceArtifactNode n
where op.getANonce() = n
select op, n, n.getSourceNode()

8
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.expected Normal file
View File

@@ -0,0 +1,8 @@
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:23:62:23:65 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:23:68:23:71 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:40:13:40:31 | KeyOperationOutput | openssl_basic.c:31:49:31:51 | Key | openssl_basic.c:31:54:31:55 | Nonce | openssl_basic.c:23:37:23:51 | KeyOperationAlgorithm | Encrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:69:58:69:61 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:69:64:69:67 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |
| openssl_basic.c:90:11:90:29 | DecryptOperation | openssl_basic.c:81:49:81:58 | Message | openssl_basic.c:90:11:90:29 | KeyOperationOutput | openssl_basic.c:77:45:77:47 | Key | openssl_basic.c:77:50:77:51 | Nonce | openssl_basic.c:69:33:69:47 | KeyOperationAlgorithm | Decrypt |

6
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_operations.ql Normal file
View File

@@ -0,0 +1,6 @@
import cpp
import experimental.quantum.Language
from Crypto::CipherOperationNode n
select n, n.getAnInputArtifact(), n.getAnOutputArtifact(), n.getAKey(), n.getANonce(),
n.getAnAlgorithmOrGenericSource(), n.getKeyOperationSubtype()

1
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.expected Normal file
View File

@@ -0,0 +1 @@
| openssl_basic.c:40:13:40:31 | EncryptOperation | openssl_basic.c:35:54:35:62 | Message | openssl_basic.c:181:49:181:87 | Constant |

6
cpp/ql/test/experimental/library-tests/quantum/openssl/cipher_plaintext_sources.ql Normal file
View File

@@ -0,0 +1,6 @@
import cpp
import experimental.quantum.Language
from Crypto::CipherOperationNode n, Crypto::MessageArtifactNode m
where n.getAnInputArtifact() = m
select n, m, m.getSourceNode()

2
cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.expected Normal file
View File

@@ -0,0 +1,2 @@
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:120:37:120:43 | Message | openssl_basic.c:181:49:181:87 | Constant |
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:24:144:30 | Message | openssl_basic.c:181:49:181:87 | Constant |

6
cpp/ql/test/experimental/library-tests/quantum/openssl/hash_input_sources.ql Normal file
View File

@@ -0,0 +1,6 @@
import cpp
import experimental.quantum.Language
from Crypto::HashOperationNode n, Crypto::MessageArtifactNode m
where n.getInputArtifact() = m
select n, m, m.getSourceNode()

2
cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.expected Normal file
View File

@@ -0,0 +1,2 @@
| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:13:124:30 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:13:144:22 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |

5
cpp/ql/test/experimental/library-tests/quantum/openssl/hash_operations.ql Normal file
View File

@@ -0,0 +1,5 @@
import cpp
import experimental.quantum.Language
from Crypto::HashOperationNode n
select n, n.getDigest(), n.getAnAlgorithmOrGenericSource(), n.getInputArtifact()

3741
cpp/ql/test/experimental/library-tests/quantum/openssl/includes/alg_macro_stubs.h Normal file
View File

File diff suppressed because it is too large Load Diff

4986
cpp/ql/test/experimental/library-tests/quantum/openssl/includes/evp_stubs.h Normal file
View File

File diff suppressed because it is too large Load Diff

3
cpp/ql/test/experimental/library-tests/quantum/openssl/includes/rand_stubs.h Normal file
View File

@@ -0,0 +1,3 @@
int RAND_bytes(unsigned char *buf, int num);
int RAND_pseudo_bytes(unsigned char *buf, int num);

221
cpp/ql/test/experimental/library-tests/quantum/openssl/openssl_basic.c Normal file
View File

@@ -0,0 +1,221 @@
#include "includes/evp_stubs.h"
#include "includes/alg_macro_stubs.h"
#include "includes/rand_stubs.h"
size_t strlen(const char* str);
// Sample OpenSSL code that demonstrates various cryptographic operations
// that can be detected by the quantum model
// Function to perform AES-256-GCM encryption
int encrypt_aes_gcm(const unsigned char *plaintext, int plaintext_len,
const unsigned char *key, const unsigned char *iv, int iv_len,
unsigned char *ciphertext, unsigned char *tag) {
EVP_CIPHER_CTX *ctx;
int len;
int ciphertext_len;
// Create and initialize the context
if(!(ctx = EVP_CIPHER_CTX_new()))
return -1;
// Initialize the encryption operation
if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
return -1;
// Set IV length (for GCM mode)
if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
return -1;
// Initialize key and IV
if(1 != EVP_EncryptInit_ex(ctx, NULL, NULL, key, iv))
return -1;
// Provide the plaintext to be encrypted
if(1 != EVP_EncryptUpdate(ctx, ciphertext, &len, plaintext, plaintext_len))
return -1;
ciphertext_len = len;
// Finalize the encryption
if(1 != EVP_EncryptFinal_ex(ctx, ciphertext + len, &len))
return -1;
ciphertext_len += len;
// Get the tag
if(1 != EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, 16, tag))
return -1;
// Clean up
EVP_CIPHER_CTX_free(ctx);
return ciphertext_len;
}
// Function to perform AES-256-GCM decryption
int decrypt_aes_gcm(const unsigned char *ciphertext, int ciphertext_len,
const unsigned char *tag, const unsigned char *key,
const unsigned char *iv, int iv_len,
unsigned char *plaintext) {
EVP_CIPHER_CTX *ctx;
int len;
int plaintext_len;
int ret;
// Create and initialize the context
if(!(ctx = EVP_CIPHER_CTX_new()))
return -1;
// Initialize the decryption operation
if(!EVP_DecryptInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL))
return -1;
// Set IV length
if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, iv_len, NULL))
return -1;
// Initialize key and IV
if(!EVP_DecryptInit_ex(ctx, NULL, NULL, key, iv))
return -1;
// Provide the ciphertext to be decrypted
if(!EVP_DecryptUpdate(ctx, plaintext, &len, ciphertext, ciphertext_len))
return -1;
plaintext_len = len;
// Set expected tag value
if(!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, (void*)tag))
return -1;
// Finalize the decryption
ret = EVP_DecryptFinal_ex(ctx, plaintext + len, &len);
// Clean up
EVP_CIPHER_CTX_free(ctx);
if(ret > 0) {
// Success
plaintext_len += len;
return plaintext_len;
} else {
// Verification failed
return -1;
}
}
// Function to calculate SHA-256 hash
int calculate_sha256(const unsigned char *message, size_t message_len,
unsigned char *digest) {
EVP_MD_CTX *mdctx;
unsigned int digest_len;
// Create and initialize the context
if(!(mdctx = EVP_MD_CTX_new()))
return 0;
// Initialize the hash operation
if(1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL))
return 0;
// Provide the message to be hashed
if(1 != EVP_DigestUpdate(mdctx, message, message_len))
return 0;
// Finalize the hash
if(1 != EVP_DigestFinal_ex(mdctx, digest, &digest_len))
return 0;
// Clean up
EVP_MD_CTX_free(mdctx);
return 1;
}
// Function to generate random bytes
int generate_random_bytes(unsigned char *buffer, size_t length) {
return RAND_bytes(buffer, length);
}
// Function using direct EVP_Digest function (one-shot hash)
int calculate_md5_oneshot(const unsigned char *message, size_t message_len,
unsigned char *digest) {
unsigned int digest_len;
// Calculate MD5 in a single call
if(1 != EVP_Digest(message, message_len, digest, &digest_len, EVP_md5(), NULL))
return 0;
return 1;
}
// Function using HMAC
int calculate_hmac_sha256(const unsigned char *key, size_t key_len,
const unsigned char *message, size_t message_len,
unsigned char *mac) {
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
EVP_PKEY *pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, key_len);
if (!ctx || !pkey)
return 0;
if (EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey) != 1)
return 0;
if (EVP_DigestSignUpdate(ctx, message, message_len) != 1)
return 0;
size_t mac_len = 32; // SHA-256 output size
if (EVP_DigestSignFinal(ctx, mac, &mac_len) != 1)
return 0;
EVP_MD_CTX_free(ctx);
EVP_PKEY_free(pkey);
return 1;
}
// Test function
int test_main() {
// Test encryption and decryption
unsigned char *key = (unsigned char *)"01234567890123456789012345678901"; // 32 bytes
unsigned char *iv = (unsigned char *)"0123456789012345"; // 16 bytes
unsigned char *plaintext = (unsigned char *)"This is a test message for encryption";
unsigned char ciphertext[1024];
unsigned char tag[16];
unsigned char decrypted[1024];
int plaintext_len = strlen((char *)plaintext);
int ciphertext_len;
int decrypted_len;
// Test SHA-256 hash
unsigned char hash[32];
// Test random generation
unsigned char random_bytes[32];
// // Initialize OpenSSL
// ERR_load_crypto_strings();
// Encrypt data
ciphertext_len = encrypt_aes_gcm(plaintext, plaintext_len, key, iv, 16, ciphertext, tag);
// Decrypt data
decrypted_len = decrypt_aes_gcm(ciphertext, ciphertext_len, tag, key, iv, 16, decrypted);
//printf("decrypted: %s\n", decrypted);
// Calculate hash
calculate_sha256(plaintext, plaintext_len, hash);
// Generate random bytes
generate_random_bytes(random_bytes, 32);
// Calculate one-shot MD5
unsigned char md5_hash[16];
calculate_md5_oneshot(plaintext, plaintext_len, md5_hash);
// Calculate HMAC
unsigned char hmac[32];
calculate_hmac_sha256(key, 32, plaintext, plaintext_len, hmac);
return 0;
}