Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit 505d880

Browse files
bdrodesbdrodes
committed
Crypto: Add key input support for the graph for key generation operations.
1 parent c54e68c commit 505d880

5 files changed

Lines changed: 35 additions & 9 deletions

File tree

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/KeyGenOperation.qll

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -177,6 +177,10 @@ class KeyGenOperationInstance extends Crypto::KeyGenerationOperationInstance ins
177177
super.getOutputStepFlowingToStep(KeyIO()).getOutput(KeyIO()) = result
178178
}
179179

180+
override predicate hasKeyValueConsumer() {
181+
exists(OperationStep s | s.flowsToOperationStep(this) and s.setsValue(KeyIO()))
182+
}
183+
180184
override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
181185
super.getDominatingInitializersToStep(KeySizeIO()).getInput(KeySizeIO()) = result
182186
}
@@ -194,7 +198,7 @@ class KeyGenOperationInstance extends Crypto::KeyGenerationOperationInstance ins
194198
// .getKeySize()
195199
}
196200

197-
override Crypto::ConsumerInputDataFlowNode getRawKeyValueConsumer() {
201+
override Crypto::ConsumerInputDataFlowNode getKeyValueConsumer() {
198202
super.getDominatingInitializersToStep(KeyIO()).getInput(KeyIO()) = result
199203
}
200204
}

cpp/ql/test/experimental/library-tests/quantum/node_edges.expected

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -32,8 +32,10 @@
3232
| openssl_basic.c:144:46:144:51 | Digest | Source | openssl_basic.c:144:46:144:51 | Digest |
3333
| openssl_basic.c:155:22:155:41 | Key | Algorithm | openssl_basic.c:155:22:155:41 | Key |
3434
| openssl_basic.c:155:22:155:41 | KeyGeneration | Algorithm | openssl_basic.c:155:22:155:41 | KeyGeneration |
35+
| openssl_basic.c:155:22:155:41 | KeyGeneration | KeyInput | openssl_basic.c:155:64:155:66 | Key |
3536
| openssl_basic.c:155:22:155:41 | KeyGeneration | Output | openssl_basic.c:155:22:155:41 | Key |
3637
| openssl_basic.c:155:43:155:55 | MACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm |
38+
| openssl_basic.c:155:64:155:66 | Key | Source | openssl_basic.c:179:43:179:76 | Constant |
3739
| openssl_basic.c:160:59:160:62 | Key | Source | openssl_basic.c:155:22:155:41 | Key |
3840
| openssl_basic.c:163:35:163:41 | Message | Source | openssl_basic.c:181:49:181:87 | Constant |
3941
| openssl_basic.c:167:9:167:27 | SignOperation | Algorithm | openssl_basic.c:167:9:167:27 | SignOperation |
@@ -154,7 +156,9 @@
154156
| openssl_signature.c:548:9:548:23 | KeyGeneration | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
155157
| openssl_signature.c:548:9:548:23 | KeyGeneration | Output | openssl_signature.c:548:34:548:37 | Key |
156158
| openssl_signature.c:548:34:548:37 | Key | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
159+
| openssl_signature.c:575:32:575:37 | Key | Source | openssl_signature.c:575:32:575:37 | Key |
157160
| openssl_signature.c:578:9:578:23 | KeyGeneration | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
161+
| openssl_signature.c:578:9:578:23 | KeyGeneration | KeyInput | openssl_signature.c:575:32:575:37 | Key |
158162
| openssl_signature.c:578:9:578:23 | KeyGeneration | Output | openssl_signature.c:578:34:578:37 | Key |
159163
| openssl_signature.c:578:34:578:37 | Key | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
160164
| openssl_signature.c:702:60:702:71 | KeyOperationAlgorithm | Padding | openssl_signature.c:702:60:702:71 | KeyOperationAlgorithm |

cpp/ql/test/experimental/library-tests/quantum/node_properties.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -23,6 +23,7 @@
2323
| openssl_basic.c:155:22:155:41 | Key | KeyType | Asymmetric | openssl_basic.c:155:22:155:41 | openssl_basic.c:155:22:155:41 |
2424
| openssl_basic.c:155:43:155:55 | MACAlgorithm | Name | HMAC | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
2525
| openssl_basic.c:155:43:155:55 | MACAlgorithm | RawName | 855 | openssl_basic.c:155:43:155:55 | openssl_basic.c:155:43:155:55 |
26+
| openssl_basic.c:155:64:155:66 | Key | KeyType | Unknown | openssl_basic.c:155:64:155:66 | openssl_basic.c:155:64:155:66 |
2627
| openssl_basic.c:160:39:160:48 | HashAlgorithm | DigestSize | 256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
2728
| openssl_basic.c:160:39:160:48 | HashAlgorithm | Name | SHA2 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
2829
| openssl_basic.c:160:39:160:48 | HashAlgorithm | RawName | EVP_sha256 | openssl_basic.c:160:39:160:48 | openssl_basic.c:160:39:160:48 |
@@ -65,6 +66,7 @@
6566
| openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | Name | DSA | openssl_signature.c:565:50:565:54 | openssl_signature.c:565:50:565:54 |
6667
| openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm | RawName | dsa | openssl_signature.c:565:50:565:54 | openssl_signature.c:565:50:565:54 |
6768
| openssl_signature.c:569:55:569:58 | Constant | Description | 2048 | openssl_signature.c:569:55:569:58 | openssl_signature.c:569:55:569:58 |
69+
| openssl_signature.c:575:32:575:37 | Key | KeyType | Unknown | openssl_signature.c:575:32:575:37 | openssl_signature.c:575:32:575:37 |
6870
| openssl_signature.c:578:34:578:37 | Key | KeyType | Asymmetric | openssl_signature.c:578:34:578:37 | openssl_signature.c:578:34:578:37 |
6971
| openssl_signature.c:602:37:602:77 | Constant | Description | Test message for OpenSSL signature APIs | openssl_signature.c:602:37:602:77 | openssl_signature.c:602:37:602:77 |
7072
| openssl_signature.c:684:24:684:33 | HashAlgorithm | DigestSize | 256 | openssl_signature.c:684:24:684:33 | openssl_signature.c:684:24:684:33 |

cpp/ql/test/experimental/library-tests/quantum/nodes.expected

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -25,6 +25,7 @@
2525
| openssl_basic.c:155:22:155:41 | Key |
2626
| openssl_basic.c:155:22:155:41 | KeyGeneration |
2727
| openssl_basic.c:155:43:155:55 | MACAlgorithm |
28+
| openssl_basic.c:155:64:155:66 | Key |
2829
| openssl_basic.c:160:39:160:48 | HashAlgorithm |
2930
| openssl_basic.c:160:59:160:62 | Key |
3031
| openssl_basic.c:163:35:163:41 | Message |
@@ -86,6 +87,7 @@
8687
| openssl_signature.c:548:34:548:37 | Key |
8788
| openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
8889
| openssl_signature.c:569:55:569:58 | Constant |
90+
| openssl_signature.c:575:32:575:37 | Key |
8991
| openssl_signature.c:578:9:578:23 | KeyGeneration |
9092
| openssl_signature.c:578:34:578:37 | Key |
9193
| openssl_signature.c:602:37:602:77 | Constant |

shared/quantum/codeql/quantum/experimental/Model.qll

Lines changed: 22 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -295,6 +295,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
295295
(
296296
exists(KeyCreationOperationInstance op | input = op.getKeySizeConsumer())
297297
or
298+
exists(KeyGenerationOperationInstance op | input = op.getKeyValueConsumer())
299+
or
298300
exists(KeyDerivationOperationInstance op |
299301
input = op.getIterationCountConsumer() or
300302
input = op.getOutputKeySizeConsumer()
@@ -539,6 +541,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
539541
(
540542
exists(KeyOperationInstance op | inputNode = op.getKeyConsumer())
541543
or
544+
exists(KeyGenerationOperationInstance op | inputNode = op.getKeyValueConsumer())
545+
or
542546
exists(MacOperationInstance op | inputNode = op.getKeyConsumer())
543547
or
544548
exists(KeyAgreementSecretGenerationOperationInstance op |
@@ -959,10 +963,18 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
959963
final override string getKeyCreationTypeDescription() { result = "KeyGeneration" }
960964

961965
/**
962-
* Gets a consumer of a raw value that is used to generate the key.
963-
* Not all key generation operations require a raw value.
966+
* Gets the consumer of a key for this key generaiton operation.
967+
* This occurs when a key generation operaiton is based on a raw key value
968+
* or it generates another key or key context from a previously generated key.
964969
*/
965-
abstract ConsumerInputDataFlowNode getRawKeyValueConsumer();
970+
abstract ConsumerInputDataFlowNode getKeyValueConsumer();
971+
972+
/**
973+
* Holds if the key generation operation has a key consumer
974+
* i.e., an input that is explicitly used for the key value.
975+
* This value should correspond to the value returned by `getKeyValueConsumer()`.
976+
*/
977+
abstract predicate hasKeyValueConsumer();
966978
}
967979

968980
abstract class KeyLoadOperationInstance extends KeyCreationOperationInstance {
@@ -1708,10 +1720,8 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
17081720
node instanceof KeyCreationCandidateAlgorithmNode
17091721
}
17101722

1711-
NodeBase getARawValueSource() {
1712-
result = keyGenInstance.getRawKeyValueConsumer().getConsumer().getAGenericSourceNode()
1713-
or
1714-
result = keyGenInstance.getRawKeyValueConsumer().getConsumer().getAKnownSourceNode()
1723+
KeyArtifactNode getKeyArtifact() {
1724+
result.asElement() = keyGenInstance.getKeyValueConsumer().getConsumer()
17151725
}
17161726

17171727
override NodeBase getChild(string key) {
@@ -1720,7 +1730,11 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
17201730
// [ALWAYS_KNOWN]
17211731
key = "Output" and
17221732
result = this.getOutputKeyArtifact()
1723-
//TODO: how do I output the raw key if known? If not known, it may not require/have a raw value consumer, don't output
1733+
or
1734+
// [KnOWN_OR_UNKNOWN] only if a raw key is a known input
1735+
key = "KeyInput" and
1736+
keyGenInstance.hasKeyValueConsumer() and
1737+
result = this.getKeyArtifact()
17241738
}
17251739
}
17261740

0 commit comments

Comments
 (0)