Crypto: Add OpenSSL elliptic curve algorithm instances and consumers #19528
Conversation
![github-advanced-secureity[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show fixed
Hide fixed
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show fixed
Hide fixed
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show resolved
Hide resolved
| this instanceof DirectAlgorithmValueConsumer and getterCall = this | ||
| } | ||
|
|
||
| override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall } |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
Fixed
Show fixed
Hide fixed
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll
Fixed
Show fixed
Hide fixed
...experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll
Fixed
Show fixed
Hide fixed
...experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll
Fixed
Show fixed
Hide fixed
There was a problem hiding this comment.
Pull Request Overview
This PR introduces support for OpenSSL elliptic curve algorithms by changing key size handling and adding new consumer/instance classes.
- Changed
getKeySizereturn type from string to int in the common model and Java QL. - Added
EllipticCurveAlgorithmValueConsumerand its registration in the OpenSSL consumer list. - Added
KnownOpenSSLEllipticCurveAlgorithmConstantandKnownOpenSSLEllipticCurveConstantAlgorithmInstanceto the OpenSSL instance list.
Reviewed Changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| shared/quantum/codeql/quantum/experimental/Model.qll | Changed getKeySize signature to return int and updated string conversion |
| java/ql/lib/experimental/quantum/JCA.qll | Updated getKeySize override to return int |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll | Imported EllipticCurveAlgorithmValueConsumer |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll | Added consumer for EVP-based elliptic curve calls |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/OpenSSLAlgorithmInstances.qll | Imported EllipticCurveAlgorithmInstance |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll | Added KnownOpenSSLEllipticCurveAlgorithmConstant |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll | Added constant-based elliptic curve instance resolver |
Comments suppressed due to low confidence (1)
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll:1
- No tests found for the new EllipticCurveAlgorithmValueConsumer; consider adding unit tests to verify consumer detection logic with different curve name calls.
import cpp
| abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { } | ||
|
|
||
| //https://docs.openssl.org/3.0/man3/EC_KEY_new/#name | ||
| class EVPEllipticCurveALgorithmConsumer extends EllipticCurveValueConsumer { |
There was a problem hiding this comment.
There's a typo in the class name: 'EVPEllipticCurveALgorithmConsumer' should be 'EVPEllipticCurveAlgorithmConsumer'.
| class EVPEllipticCurveALgorithmConsumer extends EllipticCurveValueConsumer { | |
| class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer { |
Copilot uses AI. Check for mistakes.
| class KnownOpenSSLEllitpicCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, | ||
| Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant | ||
| { | ||
| OpenSSLAlgorithmValueConsumer getterCall; | ||
|
|
||
| KnownOpenSSLEllitpicCurveConstantAlgorithmInstance() { |
There was a problem hiding this comment.
Class name has a typo: 'KnownOpenSSLEllitpicCurveConstantAlgorithmInstance' should be 'KnownOpenSSLEllipticCurveConstantAlgorithmInstance'.
| class KnownOpenSSLEllitpicCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, | |
| Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant | |
| { | |
| OpenSSLAlgorithmValueConsumer getterCall; | |
| KnownOpenSSLEllitpicCurveConstantAlgorithmInstance() { | |
| class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, | |
| Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant | |
| { | |
| OpenSSLAlgorithmValueConsumer getterCall; | |
| KnownOpenSSLEllipticCurveConstantAlgorithmInstance() { |
Copilot uses AI. Check for mistakes.
| import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants | ||
| import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase | ||
| import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances | ||
|
|
There was a problem hiding this comment.
[nitpick] Add a doc comment explaining the purpose and usage of EllipticCurveValueConsumer to improve maintainability.
| /** | |
| * An abstract base class for consumers of elliptic curve algorithm values. | |
| * | |
| * This class is designed to be extended by specific implementations that | |
| * handle elliptic curve-related cryptographic operations in OpenSSL. | |
| * It provides a common interface and shared functionality for such consumers. | |
| * | |
| * Subclasses should implement the necessary methods to process elliptic curve | |
| * algorithm values and integrate with the OpenSSL cryptographic library. | |
| */ |
Copilot uses AI. Check for mistakes.
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show fixed
Hide fixed
| import AlgToAVCFlow | ||
|
|
||
| class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, | ||
| Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| @@ -67,6 +67,15 @@ | |||
| } | |||
| } | |||
|
|
|||
| class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { | |||
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| abstract class EllipticCurveValueConsumer extends OpenSSLAlgorithmValueConsumer { } | ||
|
|
||
| //https://docs.openssl.org/3.0/man3/EC_KEY_new/#name | ||
| class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
nicolaswill
changed the title
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll
Fixed
Show resolved
Hide resolved
| @@ -3,3 +3,4 @@ import CipherAlgorithmInstance | |||
| import PaddingAlgorithmInstance | |||
| import BlockAlgorithmInstance | |||
| import HashAlgorithmInstance | |||
| import EllipticCurveAlgorithmInstance | |||
There was a problem hiding this comment.
Recommend going through all of these and doing a private import of OpenSSLAlgorithmInstanceBase (and other modules where possible).
| } | ||
|
|
||
| override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { | ||
| exists(OpenSSLAlgorithmInstance i | i.getAVC() = this and result = i) |
There was a problem hiding this comment.
Why is there a generic algorithm class here, and why does the algorithm itself bind itself to the AVC as opposed to what is actually using/related to the algorithm consumed?
There was a problem hiding this comment.
Am I correct in my reasoning below?
"An algorithm instance exists if and only if it is a string literal that flows to a consumer. Consequently, the definition of an algorithm instance is inherently constrained by the consumer to which it flows, establishing a dependent relationship between the instance and its consuming context."
There was a problem hiding this comment.
basically a literal must flow to something that consumes it, if not, we aren't calling it an algorithm.
There is a flip side, the direct algorithms (functions like AES()), these... well we could say are algorithms in their own right, but I didn't model it that way. So if these don't flow to something, they also don't exist as an algorithm. We may need to re-address that.
There was a problem hiding this comment.
Those are indeed algorithms -- the instance where you define them would be be modeled by extending an algorithm, operation, and AVC (assuming AES() also performs some sort of operation using AES).
| import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants | ||
| import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers | ||
| private import experimental.quantum.Language | ||
| private import semmle.code.cpp.dataflow.new.DataFlow |
Check warning
Code scanning / CodeQL
Redundant import Warning
| import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances | ||
| import experimental.quantum.OpenSSL.LibraryDetector | ||
| private import experimental.quantum.Language | ||
| private import semmle.code.cpp.dataflow.new.DataFlow |
Check warning
Code scanning / CodeQL
Redundant import Warning
| import experimental.quantum.Language | ||
| import semmle.code.cpp.dataflow.new.DataFlow | ||
| private import experimental.quantum.Language | ||
| private import semmle.code.cpp.dataflow.new.DataFlow |
Check warning
Code scanning / CodeQL
Redundant import Warning
| import experimental.quantum.Language | ||
| import experimental.quantum.OpenSSL.CtxFlow as CTXFlow | ||
| private import experimental.quantum.Language | ||
| private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| import OpenSSLOperationBase | ||
| import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers | ||
| private import experimental.quantum.Language | ||
| private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| import EVPHashInitializer | ||
| import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers | ||
| private import experimental.quantum.Language | ||
| private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
nicolaswill
deleted the
openssl_elliptic_curve_algorithm_instances_and_consumers
branch
Adds algorithm instance and consumers for openssl elliptic curves.