Skip to content

Commit f34a625

Browse files
owen-mcowen-mc
committed
Model cryptographic operations
1 parent fac5296 commit f34a625

File tree

8 files changed

+879
-70
lines changed

8 files changed

+879
-70
lines changed

go/ql/lib/semmle/go/Concepts.qll

Lines changed: 67 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -536,4 +536,71 @@ module Cryptography {
536536
class BlockMode = SC::BlockMode;
537537

538538
class CryptographicAlgorithm = SC::CryptographicAlgorithm;
539+
540+
/** A data flow node that initializes a hash algorithm. */
541+
abstract class HashAlgorithmInit extends DataFlow::Node {
542+
/** Gets the hash algorithm being initialized. */
543+
abstract HashingAlgorithm getAlgorithm();
544+
}
545+
546+
/** A data flow node that is an application of a hash algorithm. */
547+
abstract class HashOperation extends CryptographicOperation::Range {
548+
override BlockMode getBlockMode() { none() }
549+
}
550+
551+
/** A data flow node that initializes an encryption algorithm. */
552+
abstract class EncryptionAlgorithmInit extends DataFlow::Node {
553+
/** Gets the encryption algorithm being initialized. */
554+
abstract EncryptionAlgorithm getAlgorithm();
555+
}
556+
557+
/**
558+
* A data flow node that initializes a block cipher mode of operation, and
559+
* may also propagate taint for encryption algorithms.
560+
*/
561+
abstract class BlockModeInit extends DataFlow::CallNode {
562+
/** Gets the block cipher mode of operation being initialized. */
563+
abstract BlockMode getMode();
564+
565+
/** Gets a step propagating the encryption algorithm through this call. */
566+
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
567+
}
568+
569+
/**
570+
* A data flow node that is an application of an encryption algorithm, where
571+
* the encryption algorithm and the block cipher mode of operation (if there
572+
* is one) have been initialized separately.
573+
*/
574+
abstract class EncryptionOperation extends CryptographicOperation::Range {
575+
DataFlow::Node encryptionFlowTarget;
576+
DataFlow::Node inputNode;
577+
578+
override DataFlow::Node getInitialization() {
579+
EncryptionFlow::flow(result, encryptionFlowTarget)
580+
}
581+
582+
override EncryptionAlgorithm getAlgorithm() {
583+
result = this.getInitialization().(EncryptionAlgorithmInit).getAlgorithm()
584+
}
585+
586+
override DataFlow::Node getAnInput() { result = inputNode }
587+
588+
override BlockMode getBlockMode() {
589+
result = this.getInitialization().(BlockModeInit).getMode()
590+
}
591+
}
592+
593+
/**
594+
* An `EncryptionOperation` which is a method call where the encryption
595+
* algorithm and block cipher mode of operation (if there is one) flow to the
596+
* receiver and the input is an argument.
597+
*/
598+
abstract class EncryptionMethodCall extends EncryptionOperation instanceof DataFlow::CallNode {
599+
int inputArg;
600+
601+
EncryptionMethodCall() {
602+
encryptionFlowTarget = super.getReceiver() and
603+
inputNode = super.getArgument(inputArg)
604+
}
605+
}
539606
}

0 commit comments

Comments
 (0)