Crypto: Misc. cleanup and completed model refactor for Mac. Passing tests for openssl, refactor still required for JCA.

REDMOND\brodes
2025-07-01 10:37:09 -04:00
parent 8b64a72fe1
commit d32e09ac37
5 changed files with 137 additions and 92 deletions


@@ -127,7 +127,6 @@ class IOType extends TIOType {
}
}
//TODO: add more initializers as needed
/**
* The type of step in an `OperationStep`.
* - `ContextCreationStep`: the creation of a context from an algorithm or key.
@@ -249,8 +248,10 @@ abstract class OperationStep extends Call {
/**
* Gets an AVC for the primary algorithm for this operation.
* A primary algorithm is an AVC that flows to a ctx input directly or
* an AVC that flows to a primary algorithm input directly.
* A primary algorithm is an AVC that either:
* 1) flows to a ctx input directly or
* 2) flows to a primary algorithm input directly
* 3) flows to a key input directly (algorithm held in a key will be considered primary)
* See `AvcContextCreationStep` for details about resetting scenarios.
* Gets the first OperationStep an AVC flows to. If a context input,
* the AVC is considered primary.
@@ -259,15 +260,16 @@ abstract class OperationStep extends Call {
*/
Crypto::AlgorithmValueConsumer getPrimaryAlgorithmValueConsumer() {
exists(DataFlow::Node src, DataFlow::Node sink, IOType t, OperationStep avcConsumingPred |
(t = PrimaryAlgorithmIO() or t = ContextIO()) and
(t = PrimaryAlgorithmIO() or t = ContextIO() or t = KeyIO()) and
avcConsumingPred.flowsToOperationStep(this) and
src.asExpr() = result and
sink = avcConsumingPred.getInput(t) and
AvcToOperationStepFlow::flow(src, sink) and
(
// Case 1: the avcConsumingPred step is a dominating initialization step
t = PrimaryAlgorithmIO() and
avcConsumingPred = this.getDominatingInitializersToStep(PrimaryAlgorithmIO())
// Case 1: the avcConsumingPred step is a dominating primary algorithm initialization step
// or dominating key initialization step
(t = PrimaryAlgorithmIO() or t = KeyIO()) and
avcConsumingPred = this.getDominatingInitializersToStep(t)
or
// Case 2: the pred is a context input
t = ContextIO()
@@ -393,7 +395,9 @@ private class CtxCopyReturnCall extends CtxPassThroughCall, CtxPointerExpr {
override DataFlow::Node getNode2() { result.asExpr() = this }
}
// TODO: is this still needed?
// TODO: is this still needed? It appears to be (tests fail without it) but
// I don't know why as EVP_PKEY_paramgen is an operation step and we pass through
// operation steps already.
/**
* A call to `EVP_PKEY_paramgen` acts as a kind of pass through.
* It's output pkey is eventually used in a new operation generating
@@ -420,28 +424,6 @@ private class CtxParamGenCall extends CtxPassThroughCall {
override DataFlow::Node getNode2() { result = n2 }
}
//TODO: I am not sure CallArgToCtxRet is needed anymore
/**
* If the current node is an argument to a function
* that returns a pointer type, immediately flow through.
* NOTE: this passthrough is required if we allow
* intermediate steps to go into variables that are not a CTX type.
* See for example `CtxParamGenCall`.
*/
private class CallArgToCtxRet extends CtxPassThroughCall, CtxPointerExpr {
DataFlow::Node n1;
DataFlow::Node n2;
CallArgToCtxRet() {
this.getAnArgument() = n1.asExpr() and
n2.asExpr() = this
}
override DataFlow::Node getNode1() { result = n1 }
override DataFlow::Node getNode2() { result = n2 }
}
/**
* A flow configuration from any non-final `OperationStep` to any other `OperationStep`.
*/
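Review bot: In `getPrimaryAlgorithmValueConsumer` (third hunk), Case 1 now accepts `t = KeyIO()` on equal footing with `t = PrimaryAlgorithmIO()`, so an operation with both a dominating algorithm initializer and a dominating key initializer appears to yield an AVC from each, with no stated precedence. If that is intended, the doc comment should say so, e.g. `* NOTE: if both a primary algorithm input and a key input dominate, AVCs from both are returned.` If it is not, the key branch likely wants a guard such as `not exists(this.getDominatingInitializersToStep(PrimaryAlgorithmIO()))`. The predicate body continues past the end of the hunk, so this is worth checking against the remaining cases.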


@@ -34,15 +34,16 @@
| openssl_basic.c:155:22:155:41 | KeyGeneration | Algorithm | openssl_basic.c:155:22:155:41 | KeyGeneration |
| openssl_basic.c:155:22:155:41 | KeyGeneration | KeyInput | openssl_basic.c:155:64:155:66 | Key |
| openssl_basic.c:155:22:155:41 | KeyGeneration | Output | openssl_basic.c:155:22:155:41 | Key |
| openssl_basic.c:155:43:155:55 | MACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm |
| openssl_basic.c:155:43:155:55 | HMACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm |
| openssl_basic.c:155:64:155:66 | Key | Source | openssl_basic.c:179:43:179:76 | Constant |
| openssl_basic.c:160:59:160:62 | Key | Source | openssl_basic.c:155:22:155:41 | Key |
| openssl_basic.c:163:35:163:41 | Message | Source | openssl_basic.c:181:49:181:87 | Constant |
| openssl_basic.c:167:9:167:27 | SignOperation | Algorithm | openssl_basic.c:167:9:167:27 | SignOperation |
| openssl_basic.c:167:9:167:27 | SignOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm |
| openssl_basic.c:167:9:167:27 | SignOperation | Input | openssl_basic.c:163:35:163:41 | Message |
| openssl_basic.c:167:9:167:27 | SignOperation | Key | openssl_basic.c:160:59:160:62 | Key |
| openssl_basic.c:167:9:167:27 | SignOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Algorithm | openssl_basic.c:155:43:155:55 | HMACAlgorithm |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Input | openssl_basic.c:163:35:163:41 | Message |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Key | openssl_basic.c:160:59:160:62 | Key |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Nonce | openssl_basic.c:167:9:167:27 | SignatureOrMACOperation |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput |
| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Mode | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm |
| openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Padding | openssl_basic.c:249:51:249:72 | PaddingAlgorithm |
| openssl_basic.c:238:9:238:25 | KeyGeneration | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm |
@@ -97,37 +98,67 @@
| openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
| openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
| openssl_signature.c:134:38:134:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:135:9:135:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:135:9:135:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:135:9:135:27 | SignOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput |
| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:142:9:142:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:142:9:142:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:142:9:142:27 | SignOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:135:9:135:27 | SignatureOrMACOperation |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:142:9:142:27 | SignatureOrMACOperation |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput |
| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
| openssl_signature.c:166:40:166:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:166:40:166:46 | Message |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:165:54:165:57 | Key |
| openssl_signature.c:167:9:167:29 | VerifyOperation | Signature | openssl_signature.c:167:39:167:47 | SignatureInput |
| openssl_signature.c:167:39:167:47 | SignatureInput | Source | openssl_signature.c:142:37:142:46 | SignatureOutput |
| openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
| openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
| openssl_signature.c:196:38:196:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:197:9:197:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:197:9:197:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:197:9:197:27 | SignOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput |
| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:204:9:204:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:204:9:204:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:204:9:204:27 | SignOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:197:9:197:27 | SignatureOrMACOperation |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:204:9:204:27 | SignatureOrMACOperation |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput |
| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
| openssl_signature.c:234:40:234:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:234:40:234:46 | Message |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:228:59:228:62 | Key |
| openssl_signature.c:235:9:235:29 | VerifyOperation | Signature | openssl_signature.c:235:39:235:47 | SignatureInput |
| openssl_signature.c:235:39:235:47 | SignatureInput | Source | openssl_signature.c:204:37:204:46 | SignatureOutput |
| openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
| openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
| openssl_signature.c:263:9:263:21 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |


@@ -21,14 +21,15 @@
| openssl_basic.c:144:67:144:73 | HashAlgorithm | Name | MD5 | openssl_basic.c:144:67:144:73 | openssl_basic.c:144:67:144:73 |
| openssl_basic.c:144:67:144:73 | HashAlgorithm | RawName | EVP_md5 | openssl_basic.c:144:67:144:73 | openssl_basic.c:144:67:144:73 |
| openssl_basic.c:155:22:155:41 | Key | KeyType | Asymmetric | openssl_basic.c:155:22:155:41 | openssl_basic.c:155:22:155:41 |
| openssl_basic.c:155:43:155:55 | MACAlgorithm | Name | HMAC | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
| openssl_basic.c:155:43:155:55 | MACAlgorithm | RawName | 855 | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
| openssl_basic.c:155:43:155:55 | HMACAlgorithm | Name | HMAC | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
| openssl_basic.c:155:43:155:55 | HMACAlgorithm | RawName | 855 | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
| openssl_basic.c:155:64:155:66 | Key | KeyType | Unknown | openssl_basic.c:155:64:155:66 | openssl_basic.c:155:64:155:66 |
| openssl_basic.c:160:39:160:48 | HashAlgorithm | DigestSize | 256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
| openssl_basic.c:160:39:160:48 | HashAlgorithm | Name | SHA2 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
| openssl_basic.c:160:39:160:48 | HashAlgorithm | RawName | EVP_sha256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
| openssl_basic.c:160:59:160:62 | Key | KeyType | Unknown | openssl_basic.c:160:59:160:62 | openssl_basic.c:160:59:160:62 |
| openssl_basic.c:167:9:167:27 | SignOperation | KeyOperationSubtype | Sign | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_basic.c:167:9:167:27 | openssl_basic.c:167:9:167:27 |
| openssl_basic.c:179:43:179:76 | Constant | Description | 01234567890123456789012345678901 | openssl_basic.c:179:43:179:76 | openssl_basic.c:179:43:179:76 |
| openssl_basic.c:180:42:180:59 | Constant | Description | 0123456789012345 | openssl_basic.c:180:42:180:59 | openssl_basic.c:180:42:180:59 |
| openssl_basic.c:181:49:181:87 | Constant | Description | This is a test message for encryption | openssl_basic.c:181:49:181:87 | openssl_basic.c:181:49:181:87 |
@@ -61,11 +62,19 @@
| openssl_signature.c:80:9:80:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:80:9:80:21 | openssl_signature.c:80:9:80:21 |
| openssl_signature.c:80:53:80:56 | Key | KeyType | Unknown | openssl_signature.c:80:53:80:56 | openssl_signature.c:80:53:80:56 |
| openssl_signature.c:133:52:133:55 | Key | KeyType | Unknown | openssl_signature.c:133:52:133:55 | openssl_signature.c:133:52:133:55 |
| openssl_signature.c:135:9:135:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 |
| openssl_signature.c:142:9:142:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:135:9:135:27 | openssl_signature.c:135:9:135:27 |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:142:9:142:27 | openssl_signature.c:142:9:142:27 |
| openssl_signature.c:165:54:165:57 | Key | KeyType | Unknown | openssl_signature.c:165:54:165:57 | openssl_signature.c:165:54:165:57 |
| openssl_signature.c:167:9:167:29 | VerifyOperation | KeyOperationSubtype | Verify | openssl_signature.c:167:9:167:29 | openssl_signature.c:167:9:167:29 |
| openssl_signature.c:190:57:190:60 | Key | KeyType | Unknown | openssl_signature.c:190:57:190:60 | openssl_signature.c:190:57:190:60 |
| openssl_signature.c:197:9:197:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 |
| openssl_signature.c:204:9:204:27 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:197:9:197:27 | openssl_signature.c:197:9:197:27 |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | KeyOperationSubtype | Mac | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | KeyOperationSubtype | Sign | openssl_signature.c:204:9:204:27 | openssl_signature.c:204:9:204:27 |
| openssl_signature.c:228:59:228:62 | Key | KeyType | Unknown | openssl_signature.c:228:59:228:62 | openssl_signature.c:228:59:228:62 |
| openssl_signature.c:235:9:235:29 | VerifyOperation | KeyOperationSubtype | Verify | openssl_signature.c:235:9:235:29 | openssl_signature.c:235:9:235:29 |
| openssl_signature.c:260:39:260:42 | Key | KeyType | Unknown | openssl_signature.c:260:39:260:42 | openssl_signature.c:260:39:260:42 |
| openssl_signature.c:263:9:263:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:263:9:263:21 | openssl_signature.c:263:9:263:21 |
| openssl_signature.c:270:9:270:21 | SignOperation | KeyOperationSubtype | Sign | openssl_signature.c:270:9:270:21 | openssl_signature.c:270:9:270:21 |


@@ -24,12 +24,12 @@
| openssl_basic.c:144:67:144:73 | HashAlgorithm |
| openssl_basic.c:155:22:155:41 | Key |
| openssl_basic.c:155:22:155:41 | KeyGeneration |
| openssl_basic.c:155:43:155:55 | MACAlgorithm |
| openssl_basic.c:155:43:155:55 | HMACAlgorithm |
| openssl_basic.c:155:64:155:66 | Key |
| openssl_basic.c:160:39:160:48 | HashAlgorithm |
| openssl_basic.c:160:59:160:62 | Key |
| openssl_basic.c:163:35:163:41 | Message |
| openssl_basic.c:167:9:167:27 | SignOperation |
| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation |
| openssl_basic.c:167:34:167:36 | SignatureOutput |
| openssl_basic.c:179:43:179:76 | Constant |
| openssl_basic.c:180:42:180:59 | Constant |
@@ -69,16 +69,24 @@
| openssl_signature.c:80:53:80:56 | Key |
| openssl_signature.c:133:52:133:55 | Key |
| openssl_signature.c:134:38:134:44 | Message |
| openssl_signature.c:135:9:135:27 | SignOperation |
| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation |
| openssl_signature.c:135:37:135:40 | SignatureOutput |
| openssl_signature.c:142:9:142:27 | SignOperation |
| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation |
| openssl_signature.c:142:37:142:46 | SignatureOutput |
| openssl_signature.c:165:54:165:57 | Key |
| openssl_signature.c:166:40:166:46 | Message |
| openssl_signature.c:167:9:167:29 | VerifyOperation |
| openssl_signature.c:167:39:167:47 | SignatureInput |
| openssl_signature.c:190:57:190:60 | Key |
| openssl_signature.c:196:38:196:44 | Message |
| openssl_signature.c:197:9:197:27 | SignOperation |
| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation |
| openssl_signature.c:197:37:197:40 | SignatureOutput |
| openssl_signature.c:204:9:204:27 | SignOperation |
| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation |
| openssl_signature.c:204:37:204:46 | SignatureOutput |
| openssl_signature.c:228:59:228:62 | Key |
| openssl_signature.c:234:40:234:46 | Message |
| openssl_signature.c:235:9:235:29 | VerifyOperation |
| openssl_signature.c:235:39:235:47 | SignatureInput |
| openssl_signature.c:260:39:260:42 | Key |
| openssl_signature.c:263:9:263:21 | SignOperation |
| openssl_signature.c:263:33:263:36 | SignatureOutput |


@@ -1612,12 +1612,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
final class MacOperationNode extends SignatureOrMacOperationNode {
MacOperationNode() {
this.getKeyOperationSubtype() = TMacMode() and
// Consider any operation a mac operation only if all algorithms going to the sink
// are MAC or unknown. This addresses the issue where an API allows for reuse of
// MAC operations for signatures.
forex(KeyOperationAlgorithmNode n | n = this.getAnAlgorithmOrGenericSource() |
n.getAlgorithmType() = KeyOpAlg::TMac(_)
)
// If the type type could be a mac, then we will not consider it a mac operation exclusively.
not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode())
}
final override string getInternalType() { result = "MACOperation" }
@@ -1628,7 +1624,6 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
result.asElement() = instance.getInputConsumer().getConsumer()
}
//KeyArtifactNode getAKey() { result.asElement() = instance.getKeyConsumer().getConsumer() }
override NodeBase getChild(string edgeName) {
result = super.getChild(edgeName)
or
@@ -1638,11 +1633,21 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
}
}
final class HmacAlgorithmNode extends KeyAgreementAlgorithmNode {
abstract class MacAlgorithmNode extends KeyOperationAlgorithmNode {
MacAlgorithmNode() {
instance.(KeyOperationAlgorithmInstance).getAlgorithmType() = KeyOpAlg::TMac(_)
}
override string getInternalType() { result = "MACAlgorithm" }
}
final class HmacAlgorithmNode extends MacAlgorithmNode {
HmacAlgorithmInstance hmacInstance;
HmacAlgorithmNode() { hmacInstance = instance.asAlg() }
override string getInternalType() { result = "HMACAlgorithm" }
NodeBase getHashAlgorithmOrUnknown() {
result.asElement() = hmacInstance.getHashAlgorithmValueConsumer().getASource()
}
@@ -1658,6 +1663,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
}
}
// TODO: CMAC model
class KeyAgreementOperationNode extends OperationNode, TKeyAgreementOperation {
KeyAgreementSecretGenerationOperationInstance instance;
@@ -2008,6 +2014,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
}
class SignatureOrMacOperationNode extends KeyOperationNode {
override SignatureOrMacOperationInstance instance;
SignatureOrMacOperationNode() {
this.getKeyOperationSubtype() = TSignMode()
or
@@ -2017,6 +2025,18 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
}
override string getInternalType() { result = "SignatureOrMACOperation" }
HashAlgorithmNode getHashAlgorithm() {
result = instance.getHashAlgorithmValueConsumer().getAKnownSourceNode()
}
override NodeBase getChild(string key) {
result = super.getChild(key)
or
// [KNOWN_OR_UNKNOWN]
key = "HashAlgorithm" and
(if exists(this.getHashAlgorithm()) then result = this.getHashAlgorithm() else result = this)
}
}
class SignatureOperationNode extends SignatureOrMacOperationNode {
@@ -2029,9 +2049,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
or
this.getKeyOperationSubtype() = TVerifyMode() and nodeName = "VerifyOperation"
) and
not exists(KeyOperationAlgorithmNode n |
n = this.getAnAlgorithmOrGenericSource() and n.getAlgorithmType() = KeyOpAlg::TMac(_)
)
// If the type could be a mac, then we will not consider it a signature operation exclusively.
not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode())
}
override string getInternalType() { result = nodeName }
@@ -2040,10 +2059,6 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
result.asElement() = instance.getSignatureConsumer().getConsumer()
}
HashAlgorithmNode getHashAlgorithm() {
result = instance.getHashAlgorithmValueConsumer().getAKnownSourceNode()
}
override NodeBase getChild(string key) {
result = super.getChild(key)
or
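Review bot: The new `MacOperationNode()` characteristic predicate (first hunk of this file) is unsatisfiable: it requires `this.getKeyOperationSubtype() = TMacMode()` and then `not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t = TMacMode())`, so the class has no members and any query that relies on `MacOperationNode` silently reports nothing. The negated clause looks copied from `SignatureOperationNode`; presumably it should exclude operations that could also be sign or verify, e.g. `not exists(KeyOperationSubtype t | t = this.getKeyOperationSubtype() and t != TMacMode())`. The comment above it should change to match, `// If the subtype could also be sign or verify, do not consider it a MAC operation exclusively.`, which also removes the "type type" typo.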