diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
index 72c3ffcfad44..045e3649e410 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll
@@ -1,7 +1,8 @@
 import cpp
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 /**
  * Traces 'known algorithms' to AVCs, specifically
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
index 2566c1188a6c..299d8c886940 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll
@@ -1,9 +1,10 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import AlgToAVCFlow
 
 /**
  * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
index 7483572848eb..d76265e1c70e 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll
@@ -1,12 +1,13 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import Crypto::KeyOpAlg as KeyOpAlg
-import OpenSSLAlgorithmInstanceBase
-import PaddingAlgorithmInstance
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
-import BlockAlgorithmInstance
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import Crypto::KeyOpAlg as KeyOpAlg
+private import OpenSSLAlgorithmInstanceBase
+private import PaddingAlgorithmInstance
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+private import BlockAlgorithmInstance
 
 /**
  * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
new file mode 100644
index 000000000000..d80529dd1c63
--- /dev/null
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
@@ -0,0 +1,46 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import AlgToAVCFlow
+
+class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLEllipticCurveConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }
+
+  override Crypto::TEllipticCurveType getEllipticCurveType() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+      .getNormalizedName(), _, result)
+  }
+
+  override int getKeySize() {
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+      .getNormalizedName(), result, _)
+  }
+}
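Review bot: `getRawEllipticCurveName()` only has a result when `this` is a `Literal`, but the characteristic predicate's second disjunct also admits `this instanceof DirectAlgorithmValueConsumer` (a call, per the other value-consumer classes), so those instances end up with a key size and curve type but no raw name; either add a disjunct for the call case or derive the name from the resolved constant, e.g. `result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()`, if that is the intended raw form. Note also that for an integer NID literal `getValue().toString()` yields the number, not a curve name — confirm that is what callers of the raw name expect. The comment `// Sink is an argument to a CipherGetterCall` was carried over from the cipher instance and should read `// Sink is the input of an elliptic-curve AVC`. `getKeySize()` and `getEllipticCurveType()` have no result for curves absent from `ellipticCurveNameToKeySizeAndFamilyMapping`; a one-line QLDoc on the class saying so would save the next reader a trace.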
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
index 985e36dbdd71..6cd9faab7df4 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll
@@ -1,8 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
-import AlgToAVCFlow
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
   KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
index 77caf0bb378c..5e7e16b13dc6 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
@@ -1,5 +1,5 @@
 import cpp
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.OpenSSL.LibraryDetector
 
 predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) {
   resolveAlgorithmFromCall(e, normalizedName, algType)
@@ -67,6 +67,15 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
   }
 }
 
+class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant {
+  KnownOpenSSLEllipticCurveAlgorithmConstant() {
+    exists(string algType |
+      resolveAlgorithmFromExpr(this, _, algType) and
+      algType.toLowerCase().matches("elliptic_curve")
+    )
+  }
+}
+
 /**
  * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5()
  * This approach to fetching algorithms was used in OpenSSL 1.0.2.
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
index dc49c139cf05..b05ee9180b9b 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll
@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance {
   abstract OpenSSLAlgorithmValueConsumer getAVC();
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll
index 7a77a4c3e13e..55beb58588b3 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll
@@ -3,3 +3,4 @@ import CipherAlgorithmInstance
 import PaddingAlgorithmInstance
 import BlockAlgorithmInstance
 import HashAlgorithmInstance
+import EllipticCurveAlgorithmInstance
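Review bot: In `KnownOpenSSLEllipticCurveAlgorithmConstant` the test `algType.toLowerCase().matches("elliptic_curve")` uses a QL `matches` pattern, where `_` is a single-character wildcard, so it also accepts any string of the form `elliptic?curve`; since the intent is an exact category check, `algType.toLowerCase() = "elliptic_curve"` says so precisely (if the sibling `KnownOpenSSL*AlgorithmConstant` classes above the hunk use the same `matches` idiom, it is worth fixing them together). The class is public library API and has no QLDoc; a line such as `/** A literal or call that `resolveAlgorithmFromExpr` classifies as an elliptic-curve identifier. */` would match the documented classes around it.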
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
index 4fb4d0818697..2979f1c303fb 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll
@@ -1,9 +1,10 @@
 import cpp
-import experimental.quantum.Language
-import OpenSSLAlgorithmInstanceBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import AlgToAVCFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.Language
+private import OpenSSLAlgorithmInstanceBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import AlgToAVCFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 /**
  * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type.
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
index 8fa65860b60c..00fc4d735a5c 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll
@@ -1,9 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
index ffc9a7c3991e..f710ff613c2a 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll
@@ -1,7 +1,7 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 
 // TODO: can self referential to itself, which is also an algorithm (Known algorithm)
 /**
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll
new file mode 100644
index 000000000000..79aada45bd98
--- /dev/null
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll
@@ -0,0 +1,36 @@
+import cpp
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+
+abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { }
+
+//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name
+class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer {
+  DataFlow::Node valueArgNode;
+  DataFlow::Node resultNode;
+
+  EVPEllipticCurveAlgorithmConsumer() {
+    resultNode.asExpr() = this.(Call) and // in all cases the result is the return
+    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
+    (
+      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
+      valueArgNode.asExpr() = this.(Call).getArgument(0)
+      or
+      this.(Call).getTarget().getName() in [
+          "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid"
+        ] and
+      valueArgNode.asExpr() = this.(Call).getArgument(2)
+    )
+  }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
+    exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i)
+  }
+
+  override DataFlow::Node getResultNode() { result = resultNode }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode }
+}
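Review bot: `EVP_PKEY_CTX_set_ec_paramgen_curve_nid(EVP_PKEY_CTX *ctx, int nid)` takes the NID as its second parameter, so grouping it with `EC_KEY_new_by_curve_name_ex` (where `nid` is the third parameter, after the library context and property query) and matching `getArgument(2)` means calls to the setter are never recognised as consumers; it needs its own disjunct on `getArgument(1)`. The comment `// in all cases the result is the return` is also inaccurate for that setter, which returns an int status and configures the context passed as argument 0 — if whatever consumes `getResultNode()` follows the configured context, the result for that function should probably be `this.(Call).getArgument(0)` instead. Separately, the file uses `DataFlow::Node` but only imports `experimental.quantum.Language` and `OpenSSLAlgorithmValueConsumerBase`, whose own DataFlow import becomes `private` in this commit; unless `Language` re-exports DataFlow, add `private import semmle.code.cpp.dataflow.new.DataFlow` as `HashAlgorithmValueConsumer.qll` does.
```ql
    (
      this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and
      valueArgNode.asExpr() = this.(Call).getArgument(0)
      or
      // EC_KEY_new_by_curve_name_ex(libctx, propq, nid): nid is argument 2
      this.(Call).getTarget().getName() = "EC_KEY_new_by_curve_name_ex" and
      valueArgNode.asExpr() = this.(Call).getArgument(2)
      or
      // EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, nid): nid is argument 1
      this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_ec_paramgen_curve_nid" and
      valueArgNode.asExpr() = this.(Call).getArgument(1)
    )
```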
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
index b041b986754c..a1c0a214b9af 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
@@ -1,12 +1,9 @@
-// import EVPHashInitializer
-// import EVPHashOperation
-// import EVPHashAlgorithmSource
 import cpp
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
-import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances
+private import experimental.quantum.OpenSSL.LibraryDetector
 
 abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
index 3f6e2bd4dc89..200b08849f51 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll
@@ -1,5 +1,5 @@
-import experimental.quantum.Language
-import semmle.code.cpp.dataflow.new.DataFlow
+private import experimental.quantum.Language
+private import semmle.code.cpp.dataflow.new.DataFlow
 
 abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call {
   /**
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll
index 0638595afb88..f6ebdf5c8c45 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll
@@ -3,3 +3,4 @@ import CipherAlgorithmValueConsumer
 import DirectAlgorithmValueConsumer
 import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
+import EllipticCurveAlgorithmValueConsumer
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
index 3f7ce20d6b3a..bb33ad653817 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll
@@ -1,9 +1,9 @@
 import cpp
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.LibraryDetector
-import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
-import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
-import OpenSSLAlgorithmValueConsumerBase
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.LibraryDetector
+private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import OpenSSLAlgorithmValueConsumerBase
 
 abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll
index 3e8607ef8ecb..353a89645ec0 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll
@@ -3,8 +3,8 @@
  * Models cipher initialization for EVP cipher operations.
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
 
 module EncValToInitEncArgConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] }
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll
index 263985857374..bb884f6db530 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll
@@ -1,8 +1,8 @@
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import EVPCipherInitializer
-import OpenSSLOperationBase
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import EVPCipherInitializer
+private import OpenSSLOperationBase
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll
index 6d0013df9d58..81248d5bad10 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll
@@ -2,12 +2,12 @@
  * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis
  */
 
-import experimental.quantum.Language
-import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
-import experimental.quantum.OpenSSL.LibraryDetector
-import OpenSSLOperationBase
-import EVPHashInitializer
-import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.Language
+private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow
+private import experimental.quantum.OpenSSL.LibraryDetector
+private import OpenSSLOperationBase
+private import EVPHashInitializer
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 
 // import EVPHashConsumers
 abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
index 4798f5650a9b..f9753e92c5d2 100644
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
@@ -1,4 +1,4 @@
-import experimental.quantum.Language
+private import experimental.quantum.Language
 
 abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call {
   abstract Expr getInputArg();
diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll
index 867d6f2c9b8f..70c65ef581d6 100644
--- a/java/ql/lib/experimental/quantum/JCA.qll
+++ b/java/ql/lib/experimental/quantum/JCA.qll
@@ -1606,13 +1606,8 @@ module JCAModel {
       else result = Crypto::OtherEllipticCurveType()
     }
 
-    override string getKeySize() {
-      exists(int keySize |
-        Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), keySize,
-          _)
-      |
-        result = keySize.toString()
-      )
+    override int getKeySize() {
+      Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), result, _)
     }
 
     EllipticCurveAlgorithmValueConsumer getConsumer() { result = consumer }
diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll
index a87aee2e69c4..8e1e6247484c 100644
--- a/shared/quantum/codeql/quantum/experimental/Model.qll
+++ b/shared/quantum/codeql/quantum/experimental/Model.qll
@@ -972,7 +972,7 @@ module CryptographyBase Input> {
 
   abstract TEllipticCurveType getEllipticCurveType();
 
-  abstract string getKeySize();
+  abstract int getKeySize();
 
   /**
    * The 'parsed' curve name, e.g., "P-256" or "secp256r1"
@@ -2613,7 +2613,7 @@ module CryptographyBase Input> {
         or
         // [ONLY_KNOWN]
         key = "KeySize" and
-        value = instance.asAlg().getKeySize() and
+        value = instance.asAlg().getKeySize().toString() and
         location = this.getLocation()
         or
         // [KNOWN_OR_UNKNOWN]