Quantum: Model OpenSSL EC key generation #19541


Merged
merged 3 commits into from
May 21, 2025
Changes from 2 commits
Expand Up @@ -104,11 +104,8 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan

override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }

override string getKeySizeFixed() {
exists(int keySize |
this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
result = keySize.toString()
)
override int getKeySizeFixed() {
this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
}

override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
Expand Up @@ -35,8 +35,11 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith
override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }

override Crypto::TEllipticCurveType getEllipticCurveType() {
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
.getNormalizedName(), _, result)
Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
}

override string getParsedEllipticCurveName() {
result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
}

override int getKeySize() {
@@ -0,0 +1,65 @@
private import experimental.quantum.Language
private import experimental.quantum.OpenSSL.LibraryDetector
private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in CTXFlow should be PascalCase/camelCase.
private import OpenSSLOperationBase
private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
private import semmle.code.cpp.dataflow.new.DataFlow

Check warning

Code scanning / CodeQL

Redundant import Warning

Redundant import, the module is already imported inside
experimental.quantum.Language
.

private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
exists(OpenSSLAlgorithmValueConsumer c | c.getResultNode() = source)
}

predicate isSink(DataFlow::Node sink) {
exists(ECKeyGenOperation c | c.getAlgorithmArg() = sink.asExpr())
}
}

private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;

class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance {
ECKeyGenOperation() {
this.(Call).getTarget().getName() = "EC_KEY_generate_key" and
isPossibleOpenSSLFunction(this.(Call).getTarget())
}

override Expr getOutputArg() {
result = this.(Call) // return value of call
}

Expr getAlgorithmArg() { result = this.(Call).getArgument(0) }

override Expr getInputArg() {
// there is no 'input', in the sense that no data is being manipualted by the operation.
bdrodes marked this conversation as resolved.
// There is an input of an algorithm, but that is not the intention of the operation input arg.
none()
}

override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }

override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
result = this.getOutputNode()
}

override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
DataFlow::exprNode(this.getAlgorithmArg()))
}

override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
none() // no explicit key size, inferred from algorithm
}

override int getKeySizeFixed() {
none()
// TODO: marked as none as the operation itself has no key size, it
// comes from the algorithm source, but note we could grab the
// algorithm source and get the key size (see below).
// We may need to reconsider what is the best approach here.
// result =
// this.getAnAlgorithmValueConsumer()
// .getAKnownAlgorithmSource()
// .(Crypto::EllipticCurveInstance)
// .getKeySize()
}
}
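Review bot: `getOutputArg()` binds the key output to the call itself, but `EC_KEY_generate_key` returns an `int` status (1 on success, 0 on error) and writes the generated key pair into the `EC_KEY *` passed as argument 0. With the status value modelled as the key artifact, flow from the generated key to its later uses will probably not be found, so a cryptographic inventory built on this model can under-report where the key ends up. Consider `override Expr getOutputArg() { result = this.(Call).getArgument(0) }`, and confirm that `getOutputNode()`, which is defined outside this file, yields the post-call node when the output is an argument rather than a return value. The class also has no QLDoc; a one-line doc comment stating that only the low-level `EC_KEY_generate_key` entry point is modelled would make the coverage limit explicit.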
@@ -1,3 +1,4 @@
import OpenSSLOperationBase
import EVPCipherOperation
import EVPHashOperation
import ECKeyGenOperation
6 changes: 3 additions & 3 deletions 6 java/ql/lib/experimental/quantum/JCA.qll
Expand Up @@ -353,7 +353,7 @@ module JCAModel {
else result instanceof KeyOpAlg::TUnknownKeyOperationAlgorithmType
}

override string getKeySizeFixed() {
override int getKeySizeFixed() {
none() // TODO: implement to handle variants such as AES-128
}

Expand Down Expand Up @@ -1104,7 +1104,7 @@ module JCAModel {
KeyGeneratorFlowAnalysisImpl::getInitFromUse(this, _, _).getKeySizeArg() = result.asExpr()
}

override string getKeySizeFixed() { none() }
override int getKeySizeFixed() { none() }
}

class KeyGeneratorCipherAlgorithm extends CipherStringLiteralAlgorithmInstance {
Expand Down Expand Up @@ -1310,7 +1310,7 @@ module JCAModel {
result.asExpr() = this.getKeySpecInstantiation().(PBEKeySpecInstantiation).getKeyLengthArg()
}

override string getKeySizeFixed() { none() }
override int getKeySizeFixed() { none() }

override string getOutputKeySizeFixed() { none() }

15 changes: 6 additions & 9 deletions 15 shared/quantum/codeql/quantum/experimental/Model.qll
Expand Up @@ -841,7 +841,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
* This will be automatically inferred and applied at the node level.
* See `fixedImplicitCipherKeySize`.
*/
abstract string getKeySizeFixed();
abstract int getKeySizeFixed();

/**
* Gets a consumer for the key size in bits specified for this algorithm variant.
Expand Down Expand Up @@ -1044,7 +1044,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
abstract KeyArtifactType getOutputKeyType();

// Defaults or fixed values
string getKeySizeFixed() { none() }
int getKeySizeFixed() { none() }

// Consumer input nodes
abstract ConsumerInputDataFlowNode getKeySizeConsumer();
Expand Down Expand Up @@ -1900,7 +1900,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
or
// [ONLY_KNOWN]
key = "DefaultKeySize" and
value = kdfInstance.getKeySizeFixed() and
value = kdfInstance.getKeySizeFixed().toString() and
location = this.getLocation()
or
// [ONLY_KNOWN] - TODO: refactor for known unknowns
Expand Down Expand Up @@ -2259,13 +2259,10 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
/**
* Gets the key size variant of this algorithm in bits, e.g., 128 for "AES-128".
*/
string getKeySizeFixed() {
int getKeySizeFixed() {
result = instance.asAlg().getKeySizeFixed()
or
exists(int size |
KeyOpAlg::fixedImplicitCipherKeySize(instance.asAlg().getAlgorithmType(), size) and
result = size.toString()
)
KeyOpAlg::fixedImplicitCipherKeySize(instance.asAlg().getAlgorithmType(), result)
}

/**
Expand Down Expand Up @@ -2333,7 +2330,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
// [ONLY_KNOWN]
key = "KeySize" and
(
value = this.getKeySizeFixed() and
value = this.getKeySizeFixed().toString() and
location = this.getLocation()
or
node_as_property(this.getKeySize(), value, location)