From e7535b3effb2f812f4c278d889a879441eb424cc Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:09:33 -0400 Subject: [PATCH 1/7] Crypto: Updating JCA to use new key size predicate returning int for elliptic curve. --- java/ql/lib/experimental/quantum/JCA.qll | 9 ++------- shared/quantum/codeql/quantum/experimental/Model.qll | 4 ++-- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll index 867d6f2c9b8f..70c65ef581d6 100644 --- a/java/ql/lib/experimental/quantum/JCA.qll +++ b/java/ql/lib/experimental/quantum/JCA.qll @@ -1606,13 +1606,8 @@ module JCAModel { else result = Crypto::OtherEllipticCurveType() } - override string getKeySize() { - exists(int keySize | - Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), keySize, - _) - | - result = keySize.toString() - ) + override int getKeySize() { + Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), result, _) } EllipticCurveAlgorithmValueConsumer getConsumer() { result = consumer } diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll index a87aee2e69c4..8e1e6247484c 100644 --- a/shared/quantum/codeql/quantum/experimental/Model.qll +++ b/shared/quantum/codeql/quantum/experimental/Model.qll @@ -972,7 +972,7 @@ module CryptographyBase Input> { abstract TEllipticCurveType getEllipticCurveType(); - abstract string getKeySize(); + abstract int getKeySize(); /** * The 'parsed' curve name, e.g., "P-256" or "secp256r1" @@ -2613,7 +2613,7 @@ module CryptographyBase Input> { or // [ONLY_KNOWN] key = "KeySize" and - value = instance.asAlg().getKeySize() and + value = instance.asAlg().getKeySize().toString() and location = this.getLocation() or // [KNOWN_OR_UNKNOWN] From bbbdf89e46828a72c69d16efffba2c6e233dd41f Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:10:11 -0400 Subject: [PATCH 2/7] Crypto: OpenSSL ellipitic curve algorithm instances and consumers. --- .../EllipticCurveAlgorithmInstance.qll | 45 +++++++++++++++++++ .../KnownAlgorithmConstants.qll | 9 ++++ .../OpenSSLAlgorithmInstances.qll | 1 + .../EllipticCurveAlgorithmValueConsumer.qll | 35 +++++++++++++++ .../OpenSSLAlgorithmValueConsumers.qll | 1 + 5 files changed, 91 insertions(+) create mode 100644 cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll create mode 100644 cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll new file mode 100644 index 000000000000..802bf8e0168b --- /dev/null +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll @@ -0,0 +1,45 @@ +import cpp +import experimental.quantum.Language +import KnownAlgorithmConstants +import OpenSSLAlgorithmInstanceBase +import AlgToAVCFlow + +//ellipticCurveNameToKeySizeAndFamilyMapping(name, size, family) +class KnownOpenSSLEllitpicCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, + Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant +{ + OpenSSLAlgorithmValueConsumer getterCall; + + KnownOpenSSLEllitpicCurveConstantAlgorithmInstance() { + // Two possibilities: + // 1) The source is a literal and flows to a getter, then we know we have an instance + // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that + // Possibility 1: + this instanceof Literal and + exists(DataFlow::Node src, DataFlow::Node sink | + // Sink is an argument to a CipherGetterCall + sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and + // Source is `this` + src.asExpr() = this and + // This traces to a getter + KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink) + ) + or + // Possibility 2: + this instanceof DirectAlgorithmValueConsumer and getterCall = this + } + + override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall } + + override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() } + + override Crypto::TEllipticCurveType getEllipticCurveType() { + Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant) + .getNormalizedName(), _, result) + } + + override int getKeySize() { + Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant) + .getNormalizedName(), result, _) + } +} diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll index 77caf0bb378c..2d59f8b98c7a 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll @@ -67,6 +67,15 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { } } +class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { + string algType; + + KnownOpenSSLEllipticCurveAlgorithmConstant() { + resolveAlgorithmFromExpr(this, _, algType) and + algType.toLowerCase().matches("elliptic_curve") + } +} + /** * Resolves a call to a 'direct algorithm getter', e.g., EVP_MD5() * This approach to fetching algorithms was used in OpenSSL 1.0.2. diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll index 7a77a4c3e13e..55beb58588b3 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll @@ -3,3 +3,4 @@ import CipherAlgorithmInstance import PaddingAlgorithmInstance import BlockAlgorithmInstance import HashAlgorithmInstance +import EllipticCurveAlgorithmInstance diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll new file mode 100644 index 000000000000..79cddd7613d5 --- /dev/null +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll @@ -0,0 +1,35 @@ +import cpp +import experimental.quantum.Language +import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances + +abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { } + +//https://docs.openssl.org/3.0/man3/EC_KEY_new/#name +class EVPEllipticCurveALgorithmConsumer extends EllipticCurveValueConsumer { + DataFlow::Node valueArgNode; + DataFlow::Node resultNode; + + EVPEllipticCurveALgorithmConsumer() { + resultNode.asExpr() = this.(Call) and // in all cases the result is the return + isPossibleOpenSSLFunction(this.(Call).getTarget()) and + ( + this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and + valueArgNode.asExpr() = this.(Call).getArgument(0) + or + this.(Call).getTarget().getName() in [ + "EC_KEY_new_by_curve_name_ex", "EVP_PKEY_CTX_set_ec_paramgen_curve_nid" + ] and + valueArgNode.asExpr() = this.(Call).getArgument(2) + ) + } + + override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { + exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i) + } + + override DataFlow::Node getResultNode() { result = resultNode } + + override Crypto::ConsumerInputDataFlowNode getInputNode() { result = valueArgNode } +} diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll index 0638595afb88..f6ebdf5c8c45 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll @@ -3,3 +3,4 @@ import CipherAlgorithmValueConsumer import DirectAlgorithmValueConsumer import PaddingAlgorithmValueConsumer import HashAlgorithmValueConsumer +import EllipticCurveAlgorithmValueConsumer From d05d38f00c7f2b97741400f1d06c7461c65e18a1 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:48:15 -0400 Subject: [PATCH 3/7] Crypto: Removing unused class field. --- .../AlgorithmInstances/KnownAlgorithmConstants.qll | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll index 2d59f8b98c7a..c4c537a34abc 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll @@ -68,11 +68,11 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { } class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { - string algType; - KnownOpenSSLEllipticCurveAlgorithmConstant() { - resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("elliptic_curve") + exists(string algType | + resolveAlgorithmFromExpr(this, _, algType) and + algType.toLowerCase().matches("elliptic_curve") + ) } } From 3e54e4d6b6bb6892775134aa599144dc76e858b4 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:49:29 -0400 Subject: [PATCH 4/7] Crypto: Fixing typo. --- .../EllipticCurveAlgorithmValueConsumer.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll index 79cddd7613d5..aa08d4ea50e9 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll @@ -7,11 +7,11 @@ import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { } //https://docs.openssl.org/3.0/man3/EC_KEY_new/#name -class EVPEllipticCurveALgorithmConsumer extends EllipticCurveValueConsumer { +class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer { DataFlow::Node valueArgNode; DataFlow::Node resultNode; - EVPEllipticCurveALgorithmConsumer() { + EVPEllipticCurveAlgorithmConsumer() { resultNode.asExpr() = this.(Call) and // in all cases the result is the return isPossibleOpenSSLFunction(this.(Call).getTarget()) and ( From e5641eff234d4911a4b6db3b130850298243fc72 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:50:41 -0400 Subject: [PATCH 5/7] Crypto: Typo fix --- .../AlgorithmInstances/EllipticCurveAlgorithmInstance.qll | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll index 802bf8e0168b..2da079b23e41 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll @@ -5,12 +5,12 @@ import OpenSSLAlgorithmInstanceBase import AlgToAVCFlow //ellipticCurveNameToKeySizeAndFamilyMapping(name, size, family) -class KnownOpenSSLEllitpicCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, +class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant { OpenSSLAlgorithmValueConsumer getterCall; - KnownOpenSSLEllitpicCurveConstantAlgorithmInstance() { + KnownOpenSSLEllipticCurveConstantAlgorithmInstance() { // Two possibilities: // 1) The source is a literal and flows to a getter, then we know we have an instance // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that From 03a6e134ba4020bce6c14393e6ab60349c149e33 Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 13:51:42 -0400 Subject: [PATCH 6/7] Crypto: Removed dead comment. --- .../AlgorithmInstances/EllipticCurveAlgorithmInstance.qll | 1 - 1 file changed, 1 deletion(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll index 2da079b23e41..c5eac8afc897 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll @@ -4,7 +4,6 @@ import KnownAlgorithmConstants import OpenSSLAlgorithmInstanceBase import AlgToAVCFlow -//ellipticCurveNameToKeySizeAndFamilyMapping(name, size, family) class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant { From 4309499c363bebe9cc9f47b7c57e9f97846f153b Mon Sep 17 00:00:00 2001 From: "REDMOND\\brodes" Date: Mon, 19 May 2025 15:44:15 -0400 Subject: [PATCH 7/7] Switching to private imports. --- .../OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll | 7 ++++--- .../BlockAlgorithmInstance.qll | 11 ++++++----- .../CipherAlgorithmInstance.qll | 17 +++++++++-------- .../EllipticCurveAlgorithmInstance.qll | 12 +++++++----- .../HashAlgorithmInstance.qll | 9 +++++---- .../KnownAlgorithmConstants.qll | 2 +- .../OpenSSLAlgorithmInstanceBase.qll | 4 ++-- .../PaddingAlgorithmInstance.qll | 11 ++++++----- .../CipherAlgorithmValueConsumer.qll | 10 +++++----- .../DirectAlgorithmValueConsumer.qll | 6 +++--- .../EllipticCurveAlgorithmValueConsumer.qll | 9 +++++---- .../HashAlgorithmValueConsumer.qll | 13 +++++-------- .../OpenSSLAlgorithmValueConsumerBase.qll | 4 ++-- .../PaddingAlgorithmValueConsumer.qll | 10 +++++----- .../OpenSSL/Operations/EVPCipherInitializer.qll | 4 ++-- .../OpenSSL/Operations/EVPCipherOperation.qll | 10 +++++----- .../OpenSSL/Operations/EVPHashOperation.qll | 12 ++++++------ .../OpenSSL/Operations/OpenSSLOperationBase.qll | 2 +- 18 files changed, 79 insertions(+), 74 deletions(-) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll index 72c3ffcfad44..045e3649e410 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll @@ -1,7 +1,8 @@ import cpp -import semmle.code.cpp.dataflow.new.DataFlow -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import experimental.quantum.Language +private import semmle.code.cpp.dataflow.new.DataFlow +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers /** * Traces 'known algorithms' to AVCs, specifically diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll index 2566c1188a6c..299d8c886940 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll @@ -1,9 +1,10 @@ import cpp -import experimental.quantum.Language -import OpenSSLAlgorithmInstanceBase -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer -import AlgToAVCFlow +private import experimental.quantum.Language +private import OpenSSLAlgorithmInstanceBase +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import AlgToAVCFlow /** * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type. diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll index 7483572848eb..d76265e1c70e 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll @@ -1,12 +1,13 @@ import cpp -import experimental.quantum.Language -import KnownAlgorithmConstants -import Crypto::KeyOpAlg as KeyOpAlg -import OpenSSLAlgorithmInstanceBase -import PaddingAlgorithmInstance -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers -import AlgToAVCFlow -import BlockAlgorithmInstance +private import experimental.quantum.Language +private import KnownAlgorithmConstants +private import Crypto::KeyOpAlg as KeyOpAlg +private import OpenSSLAlgorithmInstanceBase +private import PaddingAlgorithmInstance +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import AlgToAVCFlow +private import BlockAlgorithmInstance /** * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type. diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll index c5eac8afc897..d80529dd1c63 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll @@ -1,8 +1,10 @@ import cpp -import experimental.quantum.Language -import KnownAlgorithmConstants -import OpenSSLAlgorithmInstanceBase -import AlgToAVCFlow +private import experimental.quantum.Language +private import KnownAlgorithmConstants +private import OpenSSLAlgorithmInstanceBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import AlgToAVCFlow class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant @@ -17,7 +19,7 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith this instanceof Literal and exists(DataFlow::Node src, DataFlow::Node sink | // Sink is an argument to a CipherGetterCall - sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and + sink = getterCall.getInputNode() and // Source is `this` src.asExpr() = this and // This traces to a getter diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll index 985e36dbdd71..6cd9faab7df4 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll @@ -1,8 +1,9 @@ import cpp -import experimental.quantum.Language -import KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers -import AlgToAVCFlow +private import experimental.quantum.Language +private import KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase +private import AlgToAVCFlow predicate knownOpenSSLConstantToHashFamilyType( KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll index c4c537a34abc..5e7e16b13dc6 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll @@ -1,5 +1,5 @@ import cpp -import experimental.quantum.OpenSSL.LibraryDetector +private import experimental.quantum.OpenSSL.LibraryDetector predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) { resolveAlgorithmFromCall(e, normalizedName, algType) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll index dc49c139cf05..b05ee9180b9b 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstanceBase.qll @@ -1,5 +1,5 @@ -import experimental.quantum.Language -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase abstract class OpenSSLAlgorithmInstance extends Crypto::AlgorithmInstance { abstract OpenSSLAlgorithmValueConsumer getAVC(); diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll index 4fb4d0818697..2979f1c303fb 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll @@ -1,9 +1,10 @@ import cpp -import experimental.quantum.Language -import OpenSSLAlgorithmInstanceBase -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import AlgToAVCFlow -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import experimental.quantum.Language +private import OpenSSLAlgorithmInstanceBase +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import AlgToAVCFlow +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase /** * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type. diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll index 8fa65860b60c..00fc4d735a5c 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll @@ -1,9 +1,9 @@ import cpp -import experimental.quantum.Language -import experimental.quantum.OpenSSL.LibraryDetector -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase -import OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.LibraryDetector +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase +private import OpenSSLAlgorithmValueConsumerBase abstract class CipherAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll index ffc9a7c3991e..f710ff613c2a 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/DirectAlgorithmValueConsumer.qll @@ -1,7 +1,7 @@ import cpp -import experimental.quantum.Language -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase // TODO: can self referential to itself, which is also an algorithm (Known algorithm) /** diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll index aa08d4ea50e9..79aada45bd98 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll @@ -1,8 +1,9 @@ import cpp -import experimental.quantum.Language -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase -import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.LibraryDetector +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll index b041b986754c..a1c0a214b9af 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll @@ -1,12 +1,9 @@ -// import EVPHashInitializer -// import EVPHashOperation -// import EVPHashAlgorithmSource import cpp -import experimental.quantum.Language -import semmle.code.cpp.dataflow.new.DataFlow -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase -import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances -import experimental.quantum.OpenSSL.LibraryDetector +private import experimental.quantum.Language +private import semmle.code.cpp.dataflow.new.DataFlow +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances +private import experimental.quantum.OpenSSL.LibraryDetector abstract class HashAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll index 3f6e2bd4dc89..200b08849f51 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll @@ -1,5 +1,5 @@ -import experimental.quantum.Language -import semmle.code.cpp.dataflow.new.DataFlow +private import experimental.quantum.Language +private import semmle.code.cpp.dataflow.new.DataFlow abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call { /** diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll index 3f7ce20d6b3a..bb33ad653817 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll @@ -1,9 +1,9 @@ import cpp -import experimental.quantum.Language -import experimental.quantum.OpenSSL.LibraryDetector -import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants -import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase -import OpenSSLAlgorithmValueConsumerBase +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.LibraryDetector +private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants +private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase +private import OpenSSLAlgorithmValueConsumerBase abstract class PaddingAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll index 3e8607ef8ecb..353a89645ec0 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherInitializer.qll @@ -3,8 +3,8 @@ * Models cipher initialization for EVP cipher operations. */ -import experimental.quantum.Language -import experimental.quantum.OpenSSL.CtxFlow as CTXFlow +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow module EncValToInitEncArgConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { source.asExpr().getValue().toInt() in [0, 1] } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll index f22bcae69275..736da3ca2078 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll @@ -1,8 +1,8 @@ -import experimental.quantum.Language -import experimental.quantum.OpenSSL.CtxFlow as CTXFlow -import EVPCipherInitializer -import OpenSSLOperationBase -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow +private import EVPCipherInitializer +private import OpenSSLOperationBase +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig { predicate isSource(DataFlow::Node source) { diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll index a187b62a7bdd..94de9e1cb427 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll @@ -2,12 +2,12 @@ * https://docs.openssl.org/3.0/man3/EVP_DigestInit/#synopsis */ -import experimental.quantum.Language -import experimental.quantum.OpenSSL.CtxFlow as CTXFlow -import experimental.quantum.OpenSSL.LibraryDetector -import OpenSSLOperationBase -import EVPHashInitializer -import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import experimental.quantum.Language +private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow +private import experimental.quantum.OpenSSL.LibraryDetector +private import OpenSSLOperationBase +private import EVPHashInitializer +private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers // import EVPHashConsumers abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance { diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll index 4798f5650a9b..f9753e92c5d2 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll @@ -1,4 +1,4 @@ -import experimental.quantum.Language +private import experimental.quantum.Language abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Call { abstract Expr getInputArg();