Skip to content

Commit 7be7743

Browse files
owen-mcowen-mc
committed
Model cryptographic operations
1 parent 3389322 commit 7be7743

File tree

8 files changed

+854
-71
lines changed

8 files changed

+854
-71
lines changed

go/ql/lib/semmle/go/Concepts.qll

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -536,4 +536,67 @@ module Cryptography {
536536
class BlockMode = SC::BlockMode;
537537

538538
class CryptographicAlgorithm = SC::CryptographicAlgorithm;
539+
540+
/** A data flow node that initializes a hash algorithm. */
541+
abstract class HashInit extends DataFlow::Node {
542+
abstract HashingAlgorithm getAlgorithm();
543+
}
544+
545+
/** A data flow node that is an application of a hash algorithm. */
546+
abstract class HashOperation extends CryptographicOperation::Range {
547+
override BlockMode getBlockMode() { none() }
548+
}
549+
550+
/** A data flow node that initializes an encryption algorithm. */
551+
abstract class EncryptionInit extends DataFlow::Node {
552+
abstract EncryptionAlgorithm getAlgorithm();
553+
}
554+
555+
/**
556+
* A data flow node that initializes a block cipher mode of operation, and
557+
* may also propagate taint for encryption algorithms.
558+
*/
559+
abstract class BlockModeInit extends DataFlow::CallNode {
560+
abstract BlockMode getMode();
561+
562+
abstract predicate step(DataFlow::Node node1, DataFlow::Node node2);
563+
}
564+
565+
/**
566+
* A data flow node that is an application of an encryption algorithm, where
567+
* the encryption algorithm and the block cipher mode of operation (if there
568+
* is one) have been initialized separately.
569+
*/
570+
abstract class EncryptionOperation extends CryptographicOperation::Range {
571+
DataFlow::Node encryptionFlowTarget;
572+
DataFlow::Node inputNode;
573+
574+
override DataFlow::Node getInitialization() {
575+
EncryptionFlow::flow(result, encryptionFlowTarget)
576+
}
577+
578+
override EncryptionAlgorithm getAlgorithm() {
579+
result = this.getInitialization().(EncryptionInit).getAlgorithm()
580+
}
581+
582+
override DataFlow::Node getAnInput() { result = inputNode }
583+
584+
override BlockMode getBlockMode() {
585+
result = this.getInitialization().(BlockModeInit).getMode()
586+
}
587+
}
588+
589+
/**
590+
* An `EncryptionOperation` which is a method call where the encryption
591+
* algorithm and block cipher mode of operation (if there is one) flow to the
592+
* receiver and the input is an argument.
593+
*/
594+
abstract class EncryptionMethodCall extends EncryptionOperation instanceof DataFlow::CallNode {
595+
int inputArg;
596+
597+
EncryptionMethodCall() {
598+
encryptionFlowTarget = super.getReceiver() and
599+
inputNode = super.getArgument(inputArg)
600+
}
601+
}
539602
}

0 commit comments

Comments
 (0)