Merge branch 'nic/crypto-test' into knewbury01/JCA-sample

2025-12-26 13:46:31 +01:00 · 2025-02-10 11:48:15 -05:00
parent 6005437001 7a96f5682e
commit 9c8ade7ddd
7 changed files with 34 additions and 26 deletions
--- a/cpp/ql/lib/experimental/Quantum/Language.qll
+++ b/cpp/ql/lib/experimental/Quantum/Language.qll
@@ -1,4 +1,4 @@
-private import Base
+private import codeql.cryptography.Model
 private import cpp as Lang

 module CryptoInput implements InputSig<Lang::Location> {
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL.qll
@@ -77,6 +77,8 @@ module OpenSSLModel {

    HKDF() { algorithmStringToKDFFetchArgFlow("HKDF", origin, this) }

+    override string getRawAlgorithmName() { result = origin.getValue() }
+
    override Crypto::HashAlgorithm getHashAlgorithm() { none() }

    override Crypto::LocatableElement getOrigin(string name) {
@@ -89,6 +91,8 @@ module OpenSSLModel {

    PKCS12KDF() { algorithmStringToKDFFetchArgFlow("PKCS12KDF", origin, this) }

+    override string getRawAlgorithmName() { result = origin.getValue() }
+
    override Crypto::HashAlgorithm getHashAlgorithm() { none() }

    override Crypto::NodeBase getOrigin(string name) {
--- a/cpp/ql/lib/qlpack.yml
+++ b/cpp/ql/lib/qlpack.yml
@@ -6,6 +6,7 @@ extractor: cpp
 library: true
 upgrades: upgrades
 dependencies:
+  codeql/cryptography: ${workspace}
  codeql/dataflow: ${workspace}
  codeql/mad: ${workspace}
  codeql/rangeanalysis: ${workspace}
--- a/cpp/ql/src/experimental/Quantum/cbom.sh
+++ b/cpp/ql/src/experimental/Quantum/cbom.sh
@@ -2,7 +2,7 @@

 CODEQL_PATH="/Users/nicolaswill/Library/Application Support/Code/User/globalStorage/github.vscode-codeql/distribution5/codeql/codeql"
 DATABASE_PATH="/Users/nicolaswill/openssl_codeql/openssl/openssl_db"
-QUERY_FILE="CBOMGraph.ql"
+QUERY_FILE="/Users/nicolaswill/pqc/codeql/cpp/ql/src/experimental/Quantum/CBOMGraph.ql"
 OUTPUT_DIR="graph_output"

 python3 generate_cbom.py -c "$CODEQL_PATH" -d "$DATABASE_PATH" -q "$QUERY_FILE" -o "$OUTPUT_DIR"
--- a/cpp/ql/src/experimental/Quantum/generate_cbom.py
+++ b/cpp/ql/src/experimental/Quantum/generate_cbom.py
--- a/shared/cryptography/codeql/cryptography/Model.qll
+++ b/shared/cryptography/codeql/cryptography/Model.qll
@@ -94,7 +94,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     */
    abstract string getAlgorithmName();

-     /**
+    /**
     * Gets the raw name of this algorithm from source (no parsing or formatting)
     */
    abstract string getRawAlgorithmName();
@@ -151,7 +151,6 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
    abstract THashType getHashType();

    override string getAlgorithmName() { this.hashTypeToNameMapping(this.getHashType(), result) }
-
  }

  /**
@@ -199,26 +198,23 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
  }

  newtype TEllipticCurveFamilyType =
-  // We're saying by this that all of these have an identical interface / properties / edges
-  NIST() or
-  SEC() or
-  NUMS() or
-  PRIME() or
-  BRAINPOOL() or
-  CURVE25519() or
-  CURVE448() or
-  C2() or
-  SM2() or
-  ES() or
-  OtherEllipticCurveFamilyType()
-
+    // We're saying by this that all of these have an identical interface / properties / edges
+    NIST() or
+    SEC() or
+    NUMS() or
+    PRIME() or
+    BRAINPOOL() or
+    CURVE25519() or
+    CURVE448() or
+    C2() or
+    SM2() or
+    ES() or
+    OtherEllipticCurveFamilyType()

  /**
   * Elliptic curve algorithm
   */
  abstract class EllipticCurve extends Algorithm {
-
-
    abstract string getKeySize(Location location);

    abstract TEllipticCurveFamilyType getCurveFamilyType();
@@ -235,18 +231,18 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      // other properties, like field type are possible, but not modeled until considered necessary
    }

-    override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase()}
+    override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase() }

    /**
     * Mandating that for Elliptic Curves specifically, users are responsible
-     * for providing as the 'raw' name, the official name of the algorithm. 
-     * Casing doesn't matter, we will enforce further naming restrictions on 
-     * `getAlgorithmName` by default. 
+     * for providing as the 'raw' name, the official name of the algorithm.
+     * Casing doesn't matter, we will enforce further naming restrictions on
+     * `getAlgorithmName` by default.
     * Rationale: elliptic curve names can have a lot of variation in their components
     * (e.g., "secp256r1" vs "P-256"), trying to produce generalized set of properties
-     * is possible to capture all cases, but such modeling is likely not necessary. 
-     * if all properties need to be captured, we can reassess how names are generated. 
+     * is possible to capture all cases, but such modeling is likely not necessary.
+     * if all properties need to be captured, we can reassess how names are generated.
     */
-    override abstract string getRawAlgorithmName();
+    abstract override string getRawAlgorithmName();
  }
 }
--- a/shared/cryptography/qlpack.yml
+++ b/shared/cryptography/qlpack.yml
@@ -0,0 +1,7 @@
+name: codeql/cryptography
+version: 0.0.0-dev
+groups: shared
+library: true
+dependencies:
+  codeql/util: ${workspace}
+warnOnImplicitThis: true