diff --git a/cpp/ql/lib/experimental/Quantum/Language.qll b/cpp/ql/lib/experimental/Quantum/Language.qll index c9398c9e324..8f400858f07 100644 --- a/cpp/ql/lib/experimental/Quantum/Language.qll +++ b/cpp/ql/lib/experimental/Quantum/Language.qll @@ -1,4 +1,4 @@ -private import Base +private import codeql.cryptography.Model private import cpp as Lang module CryptoInput implements InputSig { diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL.qll index 18feda6c8c6..bf38e5c0ab5 100644 --- a/cpp/ql/lib/experimental/Quantum/OpenSSL.qll +++ b/cpp/ql/lib/experimental/Quantum/OpenSSL.qll @@ -77,6 +77,8 @@ module OpenSSLModel { HKDF() { algorithmStringToKDFFetchArgFlow("HKDF", origin, this) } + override string getRawAlgorithmName() { result = origin.getValue() } + override Crypto::HashAlgorithm getHashAlgorithm() { none() } override Crypto::LocatableElement getOrigin(string name) { @@ -89,6 +91,8 @@ module OpenSSLModel { PKCS12KDF() { algorithmStringToKDFFetchArgFlow("PKCS12KDF", origin, this) } + override string getRawAlgorithmName() { result = origin.getValue() } + override Crypto::HashAlgorithm getHashAlgorithm() { none() } override Crypto::NodeBase getOrigin(string name) { diff --git a/cpp/ql/lib/qlpack.yml b/cpp/ql/lib/qlpack.yml index 6ffc77714d4..489de9f6cef 100644 --- a/cpp/ql/lib/qlpack.yml +++ b/cpp/ql/lib/qlpack.yml @@ -6,6 +6,7 @@ extractor: cpp library: true upgrades: upgrades dependencies: + codeql/cryptography: ${workspace} codeql/dataflow: ${workspace} codeql/mad: ${workspace} codeql/rangeanalysis: ${workspace} diff --git a/cpp/ql/src/experimental/Quantum/cbom.sh b/misc/scripts/cryptography/cbom.sh similarity index 79% rename from cpp/ql/src/experimental/Quantum/cbom.sh rename to misc/scripts/cryptography/cbom.sh index df1c58b1efb..9cbef951bbf 100755 --- a/cpp/ql/src/experimental/Quantum/cbom.sh +++ b/misc/scripts/cryptography/cbom.sh @@ -2,7 +2,7 @@ CODEQL_PATH="/Users/nicolaswill/Library/Application Support/Code/User/globalStorage/github.vscode-codeql/distribution5/codeql/codeql" DATABASE_PATH="/Users/nicolaswill/openssl_codeql/openssl/openssl_db" -QUERY_FILE="CBOMGraph.ql" +QUERY_FILE="/Users/nicolaswill/pqc/codeql/cpp/ql/src/experimental/Quantum/CBOMGraph.ql" OUTPUT_DIR="graph_output" python3 generate_cbom.py -c "$CODEQL_PATH" -d "$DATABASE_PATH" -q "$QUERY_FILE" -o "$OUTPUT_DIR" diff --git a/cpp/ql/src/experimental/Quantum/generate_cbom.py b/misc/scripts/cryptography/generate_cbom.py similarity index 100% rename from cpp/ql/src/experimental/Quantum/generate_cbom.py rename to misc/scripts/cryptography/generate_cbom.py diff --git a/cpp/ql/lib/experimental/Quantum/Base.qll b/shared/cryptography/codeql/cryptography/Model.qll similarity index 93% rename from cpp/ql/lib/experimental/Quantum/Base.qll rename to shared/cryptography/codeql/cryptography/Model.qll index 68b3bc08cf7..eba25db60d2 100644 --- a/cpp/ql/lib/experimental/Quantum/Base.qll +++ b/shared/cryptography/codeql/cryptography/Model.qll @@ -94,7 +94,7 @@ module CryptographyBase Input> { */ abstract string getAlgorithmName(); - /** + /** * Gets the raw name of this algorithm from source (no parsing or formatting) */ abstract string getRawAlgorithmName(); @@ -151,7 +151,6 @@ module CryptographyBase Input> { abstract THashType getHashType(); override string getAlgorithmName() { this.hashTypeToNameMapping(this.getHashType(), result) } - } /** @@ -199,26 +198,23 @@ module CryptographyBase Input> { } newtype TEllipticCurveFamilyType = - // We're saying by this that all of these have an identical interface / properties / edges - NIST() or - SEC() or - NUMS() or - PRIME() or - BRAINPOOL() or - CURVE25519() or - CURVE448() or - C2() or - SM2() or - ES() or - OtherEllipticCurveFamilyType() - + // We're saying by this that all of these have an identical interface / properties / edges + NIST() or + SEC() or + NUMS() or + PRIME() or + BRAINPOOL() or + CURVE25519() or + CURVE448() or + C2() or + SM2() or + ES() or + OtherEllipticCurveFamilyType() /** * Elliptic curve algorithm */ abstract class EllipticCurve extends Algorithm { - - abstract string getKeySize(Location location); abstract TEllipticCurveFamilyType getCurveFamilyType(); @@ -235,18 +231,18 @@ module CryptographyBase Input> { // other properties, like field type are possible, but not modeled until considered necessary } - override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase()} + override string getAlgorithmName() { result = this.getRawAlgorithmName().toUpperCase() } /** * Mandating that for Elliptic Curves specifically, users are responsible - * for providing as the 'raw' name, the official name of the algorithm. - * Casing doesn't matter, we will enforce further naming restrictions on - * `getAlgorithmName` by default. + * for providing as the 'raw' name, the official name of the algorithm. + * Casing doesn't matter, we will enforce further naming restrictions on + * `getAlgorithmName` by default. * Rationale: elliptic curve names can have a lot of variation in their components * (e.g., "secp256r1" vs "P-256"), trying to produce generalized set of properties - * is possible to capture all cases, but such modeling is likely not necessary. - * if all properties need to be captured, we can reassess how names are generated. + * is possible to capture all cases, but such modeling is likely not necessary. + * if all properties need to be captured, we can reassess how names are generated. */ - override abstract string getRawAlgorithmName(); + abstract override string getRawAlgorithmName(); } } diff --git a/shared/cryptography/qlpack.yml b/shared/cryptography/qlpack.yml new file mode 100644 index 00000000000..768c64a0704 --- /dev/null +++ b/shared/cryptography/qlpack.yml @@ -0,0 +1,7 @@ +name: codeql/cryptography +version: 0.0.0-dev +groups: shared +library: true +dependencies: + codeql/util: ${workspace} +warnOnImplicitThis: true \ No newline at end of file