Crypto: Refactor type name mapping and fix QL-for-QL alerts

Author: nicolaswill

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -5,36 +5,37 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
 private import AlgToAVCFlow
+private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * Given a `KnownOpenSslBlockModeAlgorithmExpr`, converts this to a block family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToBlockModeFamilyType(
-  KnownOpenSslBlockModeAlgorithmExpr e, Crypto::TBlockCipherModeOfOperationType type
+  KnownOpenSslBlockModeAlgorithmExpr e, KeyOpAlg::ModeOfOperationType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name = "CBC" and type instanceof Crypto::CBC
+      name = "CBC" and type instanceof KeyOpAlg::CBC
       or
-      name = "CFB%" and type instanceof Crypto::CFB
+      name = "CFB%" and type instanceof KeyOpAlg::CFB
       or
-      name = "CTR" and type instanceof Crypto::CTR
+      name = "CTR" and type instanceof KeyOpAlg::CTR
       or
-      name = "GCM" and type instanceof Crypto::GCM
+      name = "GCM" and type instanceof KeyOpAlg::GCM
       or
-      name = "OFB" and type instanceof Crypto::OFB
+      name = "OFB" and type instanceof KeyOpAlg::OFB
       or
-      name = "XTS" and type instanceof Crypto::XTS
+      name = "XTS" and type instanceof KeyOpAlg::XTS
       or
-      name = "CCM" and type instanceof Crypto::CCM
+      name = "CCM" and type instanceof KeyOpAlg::CCM
       or
-      name = "GCM" and type instanceof Crypto::GCM
+      name = "GCM" and type instanceof KeyOpAlg::GCM
       or
-      name = "CCM" and type instanceof Crypto::CCM
+      name = "CCM" and type instanceof KeyOpAlg::CCM
       or
-      name = "ECB" and type instanceof Crypto::ECB
+      name = "ECB" and type instanceof KeyOpAlg::ECB
     )
   )
 }
@@ -64,10 +65,10 @@ class KnownOpenSslBlockModeConstantAlgorithmInstance extends OpenSslAlgorithmIns
     getterCall = this
   }
 
-  override Crypto::TBlockCipherModeOfOperationType getModeType() {
+  override KeyOpAlg::ModeOfOperationType getModeType() {
     knownOpenSslConstantToBlockModeFamilyType(this, result)
     or
-    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
+    not knownOpenSslConstantToBlockModeFamilyType(this, _) and result = KeyOpAlg::OtherMode()
   }
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -113,7 +113,7 @@ class KnownOpenSslCipherConstantAlgorithmInstance extends OpenSslAlgorithmInstan
     this.(KnownOpenSslCipherAlgorithmExpr).getExplicitKeySize() = result
   }
 
-  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
+  override KeyOpAlg::AlgorithmType getAlgorithmType() {
     knownOpenSslConstantToCipherFamilyType(this, result)
     or
     not knownOpenSslConstantToCipherFamilyType(this, _) and

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -39,16 +39,22 @@ class KnownOpenSslEllipticCurveConstantAlgorithmInstance extends OpenSslAlgorith
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::TEllipticCurveType getEllipticCurveType() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)
+  override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+    if
+      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
+        _)
+    then
+      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _,
+        result)
+    else result = Crypto::OtherEllipticCurveType()
   }
 
   override string getParsedEllipticCurveName() {
     result = this.(KnownOpenSslAlgorithmExpr).getNormalizedName()
   }
 
   override int getKeySize() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
+    Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.(KnownOpenSslAlgorithmExpr)
           .getNormalizedName(), result, _)
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll

@@ -39,10 +39,10 @@ class KnownOpenSslMacConstantAlgorithmInstance extends OpenSslAlgorithmInstance,
     result = this.(Call).getTarget().getName()
   }
 
-  override Crypto::TMacType getMacType() {
-    this instanceof KnownOpenSslHMacAlgorithmExpr and result instanceof Crypto::THMAC
+  override Crypto::MacType getMacType() {
+    this instanceof KnownOpenSslHMacAlgorithmExpr and result = Crypto::HMAC()
     or
-    this instanceof KnownOpenSslCMacAlgorithmExpr and result instanceof Crypto::TCMAC
+    this instanceof KnownOpenSslCMacAlgorithmExpr and result = Crypto::CMAC()
   }
 }
 

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll

@@ -5,6 +5,7 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmCon
 private import AlgToAVCFlow
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase
+private import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
 /**
  * A class to define padding specific integer values.
@@ -28,18 +29,18 @@ class OpenSslPaddingLiteral extends Literal {
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSslConstantToPaddingFamilyType(
-  KnownOpenSslPaddingAlgorithmExpr e, Crypto::TPaddingType type
+  KnownOpenSslPaddingAlgorithmExpr e, KeyOpAlg::PaddingSchemeType type
 ) {
   exists(string name |
     name = e.(KnownOpenSslAlgorithmExpr).getNormalizedName() and
     (
-      name = "OAEP" and type = Crypto::OAEP()
+      name = "OAEP" and type = KeyOpAlg::OAEP()
       or
-      name = "PSS" and type = Crypto::PSS()
+      name = "PSS" and type = KeyOpAlg::PSS()
       or
-      name = "PKCS7" and type = Crypto::PKCS7()
+      name = "PKCS7" and type = KeyOpAlg::PKCS7()
       or
-      name = "PKCS1V15" and type = Crypto::PKCS1_v1_5()
+      name = "PKCS1V15" and type = KeyOpAlg::PKCS1_v1_5()
     )
   )
 }
@@ -98,24 +99,24 @@ class KnownOpenSslPaddingConstantAlgorithmInstance extends OpenSslAlgorithmInsta
 
   override OpenSslAlgorithmValueConsumer getAvc() { result = getterCall }
 
-  Crypto::TPaddingType getKnownPaddingType() {
-    this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5()
+  KeyOpAlg::PaddingSchemeType getKnownPaddingType() {
+    this.(Literal).getValue().toInt() in [1, 7, 8] and result = KeyOpAlg::PKCS1_v1_5()
     or
-    this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding()
+    this.(Literal).getValue().toInt() = 3 and result = KeyOpAlg::NoPadding()
     or
-    this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP()
+    this.(Literal).getValue().toInt() = 4 and result = KeyOpAlg::OAEP()
     or
-    this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23()
+    this.(Literal).getValue().toInt() = 5 and result = KeyOpAlg::ANSI_X9_23()
     or
-    this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS()
+    this.(Literal).getValue().toInt() = 6 and result = KeyOpAlg::PSS()
   }
 
-  override Crypto::TPaddingType getPaddingType() {
+  override KeyOpAlg::PaddingSchemeType getPaddingType() {
     isPaddingSpecificConsumer = true and
     (
       result = this.getKnownPaddingType()
       or
-      not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding()
+      not exists(this.getKnownPaddingType()) and result = KeyOpAlg::OtherPadding()
     )
     or
     isPaddingSpecificConsumer = false and
@@ -165,7 +166,7 @@ class OaepPaddingAlgorithmInstance extends Crypto::OaepPaddingAlgorithmInstance,
   KnownOpenSslPaddingConstantAlgorithmInstance
 {
   OaepPaddingAlgorithmInstance() {
-    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = Crypto::OAEP()
+    this.(Crypto::PaddingAlgorithmInstance).getPaddingType() = KeyOpAlg::OAEP()
   }
 
   override Crypto::HashAlgorithmInstance getOaepEncodingHashAlgorithm() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll

@@ -73,7 +73,7 @@ class KnownOpenSslSignatureConstantAlgorithmInstance extends OpenSslAlgorithmIns
     none()
   }
 
-  override KeyOpAlg::Algorithm getAlgorithmType() {
+  override KeyOpAlg::AlgorithmType getAlgorithmType() {
     knownOpenSslConstantToSignatureFamilyType(this, result)
     or
     not knownOpenSslConstantToSignatureFamilyType(this, _) and

java/ql/lib/experimental/quantum/JCA.qll

@@ -5,7 +5,7 @@ import semmle.code.java.controlflow.Dominance
 
 module JCAModel {
   import Language
-  import Crypto::KeyOpAlg as KeyOpAlg
+  import codeql.quantum.experimental.Standardization::Types::KeyOpAlg as KeyOpAlg
 
   abstract class CipherAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer { }
 
@@ -115,7 +115,7 @@ module JCAModel {
   }
 
   bindingset[name]
-  Crypto::THashType hash_name_to_type_known(string name, int digestLength) {
+  Crypto::HashType hash_name_to_type_known(string name, int digestLength) {
     name = "SHA-1" and result instanceof Crypto::SHA1 and digestLength = 160
     or
     name = ["SHA-256", "SHA-384", "SHA-512"] and
@@ -152,24 +152,22 @@ module JCAModel {
   }
 
   bindingset[name]
-  private predicate mode_name_to_type_known(
-    Crypto::TBlockCipherModeOfOperationType type, string name
-  ) {
-    type = Crypto::ECB() and name = "ECB"
+  private predicate mode_name_to_type_known(KeyOpAlg::ModeOfOperationType type, string name) {
+    type = KeyOpAlg::ECB() and name = "ECB"
     or
-    type = Crypto::CBC() and name = "CBC"
+    type = KeyOpAlg::CBC() and name = "CBC"
     or
-    type = Crypto::GCM() and name = "GCM"
+    type = KeyOpAlg::GCM() and name = "GCM"
     or
-    type = Crypto::CTR() and name = "CTR"
+    type = KeyOpAlg::CTR() and name = "CTR"
     or
-    type = Crypto::XTS() and name = "XTS"
+    type = KeyOpAlg::XTS() and name = "XTS"
     or
-    type = Crypto::CCM() and name = "CCM"
+    type = KeyOpAlg::CCM() and name = "CCM"
     or
-    type = Crypto::SIV() and name = "SIV"
+    type = KeyOpAlg::SIV() and name = "SIV"
     or
-    type = Crypto::OCB() and name = "OCB"
+    type = KeyOpAlg::OCB() and name = "OCB"
   }
 
   bindingset[name]
@@ -206,7 +204,7 @@ module JCAModel {
 
   bindingset[name]
   predicate mac_name_to_mac_type_known(Crypto::TMacType type, string name) {
-    type = Crypto::THMAC() and
+    type = Crypto::HMAC() and
     name.toUpperCase().matches("HMAC%")
   }
 
@@ -298,18 +296,18 @@ module JCAModel {
     override string getRawPaddingAlgorithmName() { result = super.getPadding() }
 
     bindingset[name]
-    private predicate paddingToNameMappingKnown(Crypto::TPaddingType type, string name) {
-      type instanceof Crypto::NoPadding and name = "NOPADDING"
+    private predicate paddingToNameMappingKnown(KeyOpAlg::PaddingSchemeType type, string name) {
+      type instanceof KeyOpAlg::NoPadding and name = "NOPADDING"
       or
-      type instanceof Crypto::PKCS7 and name = ["PKCS5Padding", "PKCS7Padding"] // TODO: misnomer in the JCA?
+      type instanceof KeyOpAlg::PKCS7 and name = ["PKCS5Padding", "PKCS7Padding"] // TODO: misnomer in the JCA?
       or
-      type instanceof Crypto::OAEP and name.matches("OAEP%") // TODO: handle OAEPWith%
+      type instanceof KeyOpAlg::OAEP and name.matches("OAEP%") // TODO: handle OAEPWith%
     }
 
-    override Crypto::TPaddingType getPaddingType() {
+    override KeyOpAlg::PaddingSchemeType getPaddingType() {
       if this.paddingToNameMappingKnown(_, super.getPadding())
       then this.paddingToNameMappingKnown(result, super.getPadding())
-      else result instanceof Crypto::OtherPadding
+      else result instanceof KeyOpAlg::OtherPadding
     }
   }
 
@@ -320,10 +318,10 @@ module JCAModel {
 
     override string getRawModeAlgorithmName() { result = super.getMode() }
 
-    override Crypto::TBlockCipherModeOfOperationType getModeType() {
+    override KeyOpAlg::ModeOfOperationType getModeType() {
       if mode_name_to_type_known(_, super.getMode())
       then mode_name_to_type_known(result, super.getMode())
-      else result instanceof Crypto::OtherMode
+      else result instanceof KeyOpAlg::OtherMode
     }
   }
 
@@ -347,7 +345,7 @@ module JCAModel {
 
     override string getRawAlgorithmName() { result = super.getValue() }
 
-    override KeyOpAlg::Algorithm getAlgorithmType() {
+    override KeyOpAlg::AlgorithmType getAlgorithmType() {
       if cipher_name_to_type_known(_, super.getAlgorithmName())
       then cipher_name_to_type_known(result, super.getAlgorithmName())
       else result instanceof KeyOpAlg::TUnknownKeyOperationAlgorithmType
@@ -1249,7 +1247,7 @@ module JCAModel {
       result = super.getRawKdfAlgorithmName().splitAt("WithHmac", 1)
     }
 
-    override Crypto::TMacType getMacType() { result instanceof Crypto::THMAC }
+    override Crypto::MacType getMacType() { result = Crypto::HMAC() }
 
     override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() { result = this }
 
@@ -1487,10 +1485,10 @@ module JCAModel {
 
     override string getRawMacAlgorithmName() { result = super.getValue() }
 
-    override Crypto::TMacType getMacType() {
+    override Crypto::MacType getMacType() {
       if mac_name_to_mac_type_known(_, super.getValue())
       then mac_name_to_mac_type_known(result, super.getValue())
-      else result instanceof Crypto::TOtherMACType
+      else result = Crypto::OtherMacType()
     }
   }
 
@@ -1597,15 +1595,18 @@ module JCAModel {
 
     override string getRawEllipticCurveName() { result = super.getValue() }
 
-    override Crypto::TEllipticCurveType getEllipticCurveType() {
-      if Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, _)
+    override Crypto::EllipticCurveFamilyType getEllipticCurveFamilyType() {
+      if
+        Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, _)
       then
-        Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _, result)
+        Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), _,
+          result)
       else result = Crypto::OtherEllipticCurveType()
     }
 
     override int getKeySize() {
-      Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getRawEllipticCurveName(), result, _)
+      Crypto::ellipticCurveNameToKnownKeySizeAndFamilyMapping(this.getRawEllipticCurveName(),
+        result, _)
     }
 
     EllipticCurveAlgorithmValueConsumer getConsumer() { result = consumer }