hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity

Crypto: Refactor casing and documentation

Browse Source
This commit is contained in:
Nicolas Will
2025-06-25 15:23:33 +02:00
parent 8ee03e48ca
commit 710e08088f
4 changed files with 139 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
java/ql/lib/experimental/quantum/JCA.qll
View File

@@ -205,7 +205,7 @@ module JCAModel {
}
bindingset[name]
predicate mac_name_to_mac_type_known(Crypto::TMACType type, string name) {
predicate mac_name_to_mac_type_known(Crypto::TMacType type, string name) {
type = Crypto::THMAC() and
name.toUpperCase().matches("HMAC%")
}
@@ -373,12 +373,12 @@ module JCAModel {
oaep_padding_string_components(any(CipherStringLiteral s).getPadding(), hash, mfg)
}
class OAEPPaddingHashAlgorithmInstance extends OAEPPaddingAlgorithmInstance,
class OaepPaddingHashAlgorithmInstance extends OaepPaddingAlgorithmInstance,
Crypto::HashAlgorithmInstance instanceof CipherStringLiteral
{
string hashName;
OAEPPaddingHashAlgorithmInstance() {
OaepPaddingHashAlgorithmInstance() {
oaep_padding_string_components(super.getPadding(), hashName, _)
}
@@ -389,12 +389,12 @@ module JCAModel {
override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
}
class OAEPPaddingAlgorithmInstance extends Crypto::OAEPPaddingAlgorithmInstance,
class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
CipherStringLiteralPaddingAlgorithmInstance
{
override Crypto::HashAlgorithmInstance getOAEPEncodingHashAlgorithm() { result = this }
override Crypto::HashAlgorithmInstance getOaepEncodingHashAlgorithm() { result = this }
override Crypto::HashAlgorithmInstance getMGF1HashAlgorithm() { none() } // TODO
override Crypto::HashAlgorithmInstance getMgf1HashAlgorithm() { none() } // TODO
}
/**
@@ -1156,9 +1156,7 @@ module JCAModel {
}
module KeySpecInstantiationToGenerateSecretFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) {
exists(KeySpecInstantiation call | src.asExpr() = call)
}
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof KeySpecInstantiation }
predicate isSink(DataFlow::Node sink) {
exists(SecretKeyFactoryGenerateSecretCall call | sink.asExpr() = call.getKeySpecArg())
@@ -1207,29 +1205,29 @@ module JCAModel {
predicate isIntermediate() { none() }
}
class KDFAlgorithmStringLiteral extends Crypto::KeyDerivationAlgorithmInstance instanceof StringLiteral
class KdfAlgorithmStringLiteral extends Crypto::KeyDerivationAlgorithmInstance instanceof StringLiteral
{
SecretKeyFactoryKDFAlgorithmValueConsumer consumer;
KDFAlgorithmStringLiteral() {
KdfAlgorithmStringLiteral() {
kdf_names(this.getValue()) and
KDFAlgorithmStringToGetInstanceFlow::flow(DataFlow::exprNode(this), consumer.getInputNode())
}
override string getRawKDFAlgorithmName() { result = super.getValue() }
override string getRawKdfAlgorithmName() { result = super.getValue() }
override Crypto::TKeyDerivationType getKDFType() {
override Crypto::TKeyDerivationType getKdfType() {
result = kdf_name_to_kdf_type(super.getValue(), _)
}
SecretKeyFactoryKDFAlgorithmValueConsumer getConsumer() { result = consumer }
}
class PBKDF2AlgorithmStringLiteral extends KDFAlgorithmStringLiteral,
Crypto::PBKDF2AlgorithmInstance, Crypto::HMACAlgorithmInstance, Crypto::HashAlgorithmInstance,
class Pbkdf2AlgorithmStringLiteral extends KdfAlgorithmStringLiteral,
Crypto::Pbkdf2AlgorithmInstance, Crypto::HmacAlgorithmInstance, Crypto::HashAlgorithmInstance,
Crypto::AlgorithmValueConsumer
{
PBKDF2AlgorithmStringLiteral() { super.getKDFType() instanceof Crypto::PBKDF2 }
Pbkdf2AlgorithmStringLiteral() { super.getKdfType() instanceof Crypto::PBKDF2 }
override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
@@ -1244,16 +1242,16 @@ module JCAModel {
}
override string getRawMacAlgorithmName() {
result = super.getRawKDFAlgorithmName().splitAt("PBKDF2With", 1)
result = super.getRawKdfAlgorithmName().splitAt("PBKDF2With", 1)
}
override string getRawHashAlgorithmName() {
result = super.getRawKDFAlgorithmName().splitAt("WithHmac", 1)
result = super.getRawKdfAlgorithmName().splitAt("WithHmac", 1)
}
override Crypto::TMACType getMacType() { result instanceof Crypto::THMAC }
override Crypto::TMacType getMacType() { result instanceof Crypto::THMAC }
override Crypto::AlgorithmValueConsumer getHMACAlgorithmValueConsumer() { result = this }
override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() { result = this }
override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { result = this }
}
@@ -1267,7 +1265,7 @@ module JCAModel {
override Crypto::ConsumerInputDataFlowNode getInputNode() { result.asExpr() = this }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
exists(KDFAlgorithmStringLiteral l | l.getConsumer() = this and result = l)
exists(KdfAlgorithmStringLiteral l | l.getConsumer() = this and result = l)
}
SecretKeyFactoryGetInstanceCall getInstantiation() { result = call }
@@ -1442,105 +1440,105 @@ module JCAModel {
* MACs
*/
module MACKnownAlgorithmToConsumerConfig implements DataFlow::ConfigSig {
module MacKnownAlgorithmToConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { mac_names(src.asExpr().(StringLiteral).getValue()) }
predicate isSink(DataFlow::Node sink) {
exists(MACGetInstanceCall call | sink.asExpr() = call.getAlgorithmArg())
exists(MacGetInstanceCall call | sink.asExpr() = call.getAlgorithmArg())
}
}
module MACKnownAlgorithmToConsumerFlow = DataFlow::Global<MACKnownAlgorithmToConsumerConfig>;
module MacKnownAlgorithmToConsumerFlow = DataFlow::Global<MacKnownAlgorithmToConsumerConfig>;
module MACGetInstanceToMACOperationFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof MACGetInstanceCall }
module MacGetInstanceToMacOperationFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node src) { src.asExpr() instanceof MacGetInstanceCall }
predicate isSink(DataFlow::Node sink) {
exists(MACOperationCall call | sink.asExpr() = call.(MethodCall).getQualifier()) or
exists(MACInitCall call | sink.asExpr() = call.(MethodCall).getQualifier())
exists(MacOperationCall call | sink.asExpr() = call.(MethodCall).getQualifier()) or
exists(MacInitCall call | sink.asExpr() = call.(MethodCall).getQualifier())
}
}
module MACGetInstanceToMACOperationFlow =
DataFlow::Global<MACGetInstanceToMACOperationFlowConfig>;
module MacGetInstanceToMacOperationFlow =
DataFlow::Global<MacGetInstanceToMacOperationFlowConfig>;
module MACInitCallToMACOperationFlowConfig implements DataFlow::ConfigSig {
module MacInitCallToMacOperationFlowConfig implements DataFlow::ConfigSig {
// TODO: use flow state with one config
predicate isSource(DataFlow::Node src) {
exists(MACInitCall init | src.asExpr() = init.getQualifier())
exists(MacInitCall init | src.asExpr() = init.getQualifier())
}
predicate isSink(DataFlow::Node sink) {
exists(MACOperationCall call | sink.asExpr() = call.(MethodCall).getQualifier())
exists(MacOperationCall call | sink.asExpr() = call.(MethodCall).getQualifier())
}
}
module MACInitCallToMACOperationFlow = DataFlow::Global<MACInitCallToMACOperationFlowConfig>;
module MacInitCallToMacOperationFlow = DataFlow::Global<MacInitCallToMacOperationFlowConfig>;
class KnownMACAlgorithm extends Crypto::MACAlgorithmInstance instanceof StringLiteral {
MACGetInstanceAlgorithmValueConsumer consumer;
class KnownMacAlgorithm extends Crypto::MacAlgorithmInstance instanceof StringLiteral {
MacGetInstanceAlgorithmValueConsumer consumer;
KnownMACAlgorithm() {
KnownMacAlgorithm() {
mac_names(this.getValue()) and
MACKnownAlgorithmToConsumerFlow::flow(DataFlow::exprNode(this), consumer.getInputNode())
MacKnownAlgorithmToConsumerFlow::flow(DataFlow::exprNode(this), consumer.getInputNode())
}
MACGetInstanceAlgorithmValueConsumer getConsumer() { result = consumer }
MacGetInstanceAlgorithmValueConsumer getConsumer() { result = consumer }
override string getRawMacAlgorithmName() { result = super.getValue() }
override Crypto::TMACType getMacType() {
override Crypto::TMacType getMacType() {
if mac_name_to_mac_type_known(_, super.getValue())
then mac_name_to_mac_type_known(result, super.getValue())
else result instanceof Crypto::TOtherMACType
}
}
class MACGetInstanceCall extends MethodCall {
MACGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") }
class MacGetInstanceCall extends MethodCall {
MacGetInstanceCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "getInstance") }
Expr getAlgorithmArg() { result = this.getArgument(0) }
MACOperationCall getOperation() {
MACGetInstanceToMACOperationFlow::flow(DataFlow::exprNode(this),
MacOperationCall getOperation() {
MacGetInstanceToMacOperationFlow::flow(DataFlow::exprNode(this),
DataFlow::exprNode(result.(MethodCall).getQualifier()))
}
MACInitCall getInitCall() {
MACGetInstanceToMACOperationFlow::flow(DataFlow::exprNode(this),
MacInitCall getInitCall() {
MacGetInstanceToMacOperationFlow::flow(DataFlow::exprNode(this),
DataFlow::exprNode(result.getQualifier()))
}
}
class MACInitCall extends MethodCall {
MACInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") }
class MacInitCall extends MethodCall {
MacInitCall() { this.getCallee().hasQualifiedName("javax.crypto", "Mac", "init") }
Expr getKeyArg() {
result = this.getArgument(0) and this.getMethod().getParameterType(0).hasName("Key")
}
MACOperationCall getOperation() {
MACInitCallToMACOperationFlow::flow(DataFlow::exprNode(this.getQualifier()),
MacOperationCall getOperation() {
MacInitCallToMacOperationFlow::flow(DataFlow::exprNode(this.getQualifier()),
DataFlow::exprNode(result.(MethodCall).getQualifier()))
}
}
class MACGetInstanceAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
MACGetInstanceCall call;
class MacGetInstanceAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
MacGetInstanceCall call;
MACGetInstanceAlgorithmValueConsumer() { this = call.getAlgorithmArg() }
MacGetInstanceAlgorithmValueConsumer() { this = call.getAlgorithmArg() }
override Crypto::ConsumerInputDataFlowNode getInputNode() { result.asExpr() = this }
override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
exists(KnownMACAlgorithm l | l.getConsumer() = this and result = l)
exists(KnownMacAlgorithm l | l.getConsumer() = this and result = l)
}
}
class MACOperationCall extends Crypto::MACOperationInstance instanceof MethodCall {
class MacOperationCall extends Crypto::MacOperationInstance instanceof MethodCall {
Expr output;
MACOperationCall() {
MacOperationCall() {
super.getMethod().getDeclaringType().hasQualifiedName("javax.crypto", "Mac") and
(
super.getMethod().hasStringSignature(["doFinal()", "doFinal(byte[])"]) and this = output
@@ -1551,13 +1549,13 @@ module JCAModel {
}
override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
exists(MACGetInstanceCall instantiation |
exists(MacGetInstanceCall instantiation |
instantiation.getOperation() = this and result = instantiation.getAlgorithmArg()
)
}
override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
exists(MACGetInstanceCall instantiation, MACInitCall initCall |
exists(MacGetInstanceCall instantiation, MacInitCall initCall |
instantiation.getOperation() = this and
initCall.getOperation() = this and
instantiation.getInitCall() = initCall and