Crypto: Alterations to OpenSSL cipher algorithms to use new fixed keysize predicate.

Author: bdrodes

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -104,11 +104,8 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
 
   override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
-  override string getKeySizeFixed() {
-    exists(int keySize |
-      this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = keySize and
-      result = keySize.toString()
-    )
+  override int getKeySizeFixed() {
+    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

java/ql/lib/experimental/quantum/JCA.qll

@@ -353,7 +353,7 @@ module JCAModel {
       else result instanceof KeyOpAlg::TUnknownKeyOperationAlgorithmType
     }
 
-    override string getKeySizeFixed() {
+    override int getKeySizeFixed() {
       none() // TODO: implement to handle variants such as AES-128
     }
 
@@ -1104,7 +1104,7 @@ module JCAModel {
       KeyGeneratorFlowAnalysisImpl::getInitFromUse(this, _, _).getKeySizeArg() = result.asExpr()
     }
 
-    override string getKeySizeFixed() { none() }
+    override int getKeySizeFixed() { none() }
   }
 
   class KeyGeneratorCipherAlgorithm extends CipherStringLiteralAlgorithmInstance {
@@ -1310,7 +1310,7 @@ module JCAModel {
       result.asExpr() = this.getKeySpecInstantiation().(PBEKeySpecInstantiation).getKeyLengthArg()
     }
 
-    override string getKeySizeFixed() { none() }
+    override int getKeySizeFixed() { none() }
 
     override string getOutputKeySizeFixed() { none() }
 

shared/quantum/codeql/quantum/experimental/Model.qll

@@ -841,7 +841,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
      * This will be automatically inferred and applied at the node level.
      * See `fixedImplicitCipherKeySize`.
      */
-    abstract string getKeySizeFixed();
+    abstract int getKeySizeFixed();
 
     /**
      * Gets a consumer for the key size in bits specified for this algorithm variant.
@@ -1044,7 +1044,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     abstract KeyArtifactType getOutputKeyType();
 
     // Defaults or fixed values
-    string getKeySizeFixed() { none() }
+    int getKeySizeFixed() { none() }
 
     // Consumer input nodes
     abstract ConsumerInputDataFlowNode getKeySizeConsumer();
@@ -1900,7 +1900,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       or
       // [ONLY_KNOWN]
       key = "DefaultKeySize" and
-      value = kdfInstance.getKeySizeFixed() and
+      value = kdfInstance.getKeySizeFixed().toString() and
       location = this.getLocation()
       or
       // [ONLY_KNOWN] - TODO: refactor for known unknowns
@@ -2259,13 +2259,10 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
     /**
      * Gets the key size variant of this algorithm in bits, e.g., 128 for "AES-128".
      */
-    string getKeySizeFixed() {
+    int getKeySizeFixed() {
       result = instance.asAlg().getKeySizeFixed()
       or
-      exists(int size |
-        KeyOpAlg::fixedImplicitCipherKeySize(instance.asAlg().getAlgorithmType(), size) and
-        result = size.toString()
-      )
+      KeyOpAlg::fixedImplicitCipherKeySize(instance.asAlg().getAlgorithmType(), result)
     }
 
     /**
@@ -2333,7 +2330,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
       // [ONLY_KNOWN]
       key = "KeySize" and
       (
-        value = this.getKeySizeFixed() and
+        value = this.getKeySizeFixed().toString() and
         location = this.getLocation()
         or
         node_as_property(this.getKeySize(), value, location)