@@ -8,6 +8,10 @@ import go
88import semmle.go.dataflow.FunctionInputsAndOutputs
99import semmle.go.concepts.HTTP
1010import semmle.go.concepts.GeneratedFile
11+ private import codeql.concepts.ConceptsShared
12+ private import semmle.go.dataflow.internal.DataFlowImplSpecific
13+
14+ private module ConceptsShared = ConceptsMake< Location , GoDataFlow > ;
1115
1216/**
1317 * A data-flow node that executes an operating system command,
@@ -505,3 +509,98 @@ module UnmarshalingFunction {
505509 abstract string getFormat ( ) ;
506510 }
507511}
512+
513+ /**
514+ * Provides models for cryptographic things.
515+ */
516+ module Cryptography {
517+ private import ConceptsShared:: Cryptography as SC
518+
519+ /**
520+ * A data-flow node that is an application of a cryptographic algorithm. For example,
521+ * encryption, decryption, signature-validation.
522+ *
523+ * Extend this class to refine existing API models. If you want to model new APIs,
524+ * extend `CryptographicOperation::Range` instead.
525+ */
526+ class CryptographicOperation extends SC:: CryptographicOperation { }
527+
528+ class EncryptionAlgorithm = SC:: EncryptionAlgorithm ;
529+
530+ class HashingAlgorithm = SC:: HashingAlgorithm ;
531+
532+ class PasswordHashingAlgorithm = SC:: PasswordHashingAlgorithm ;
533+
534+ module CryptographicOperation = SC:: CryptographicOperation;
535+
536+ class BlockMode = SC:: BlockMode ;
537+
538+ class CryptographicAlgorithm = SC:: CryptographicAlgorithm ;
539+
540+ /** A data flow node that initializes a hash algorithm. */
541+ abstract class HashAlgorithmInit extends DataFlow:: Node {
542+ /** Gets the hash algorithm being initialized. */
543+ abstract HashingAlgorithm getAlgorithm ( ) ;
544+ }
545+
546+ /** A data flow node that is an application of a hash algorithm. */
547+ abstract class HashOperation extends CryptographicOperation:: Range {
548+ override BlockMode getBlockMode ( ) { none ( ) }
549+ }
550+
551+ /** A data flow node that initializes an encryption algorithm. */
552+ abstract class EncryptionAlgorithmInit extends DataFlow:: Node {
553+ /** Gets the encryption algorithm being initialized. */
554+ abstract EncryptionAlgorithm getAlgorithm ( ) ;
555+ }
556+
557+ /**
558+ * A data flow node that initializes a block cipher mode of operation, and
559+ * may also propagate taint for encryption algorithms.
560+ */
561+ abstract class BlockModeInit extends DataFlow:: CallNode {
562+ /** Gets the block cipher mode of operation being initialized. */
563+ abstract BlockMode getMode ( ) ;
564+
565+ /** Gets a step propagating the encryption algorithm through this call. */
566+ abstract predicate step ( DataFlow:: Node node1 , DataFlow:: Node node2 ) ;
567+ }
568+
569+ /**
570+ * A data flow node that is an application of an encryption algorithm, where
571+ * the encryption algorithm and the block cipher mode of operation (if there
572+ * is one) have been initialized separately.
573+ */
574+ abstract class EncryptionOperation extends CryptographicOperation:: Range {
575+ DataFlow:: Node encryptionFlowTarget ;
576+ DataFlow:: Node inputNode ;
577+
578+ override DataFlow:: Node getInitialization ( ) {
579+ EncryptionFlow:: flow ( result , encryptionFlowTarget )
580+ }
581+
582+ override EncryptionAlgorithm getAlgorithm ( ) {
583+ result = this .getInitialization ( ) .( EncryptionAlgorithmInit ) .getAlgorithm ( )
584+ }
585+
586+ override DataFlow:: Node getAnInput ( ) { result = inputNode }
587+
588+ override BlockMode getBlockMode ( ) {
589+ result = this .getInitialization ( ) .( BlockModeInit ) .getMode ( )
590+ }
591+ }
592+
593+ /**
594+ * An `EncryptionOperation` which is a method call where the encryption
595+ * algorithm and block cipher mode of operation (if there is one) flow to the
596+ * receiver and the input is an argument.
597+ */
598+ abstract class EncryptionMethodCall extends EncryptionOperation instanceof DataFlow:: CallNode {
599+ int inputArg ;
600+
601+ EncryptionMethodCall ( ) {
602+ encryptionFlowTarget = super .getReceiver ( ) and
603+ inputNode = super .getArgument ( inputArg )
604+ }
605+ }
606+ }
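Review bot: The public aliases `EncryptionAlgorithm`, `HashingAlgorithm`, `PasswordHashingAlgorithm`, `CryptographicOperation`, `BlockMode` and `CryptographicAlgorithm` (new lines 528–538) carry no QLDoc, while every other class in the new `Cryptography` module is documented; a one-liner per alias such as `/** An encryption algorithm; see `SC::EncryptionAlgorithm`. */` keeps the module consistent with the documentation style used for `HashAlgorithmInit` and the others. The module comment `Provides models for cryptographic things.` is vaguer than the contents warrant; `Provides classes for modeling cryptographic algorithms, block cipher modes, and the operations that apply them.` describes what is actually here. `EncryptionOperation.getInitialization` (new line 578) relies on `EncryptionFlow::flow`, which is not defined anywhere in this hunk; if it is a data-flow module declared elsewhere in the file, a comment on `getInitialization` naming it and stating its expected relationship to `BlockModeInit.step` (presumably an additional flow step, going by the QLDoc on `BlockModeInit`) would make the coupling visible to anyone extending these classes. The fields `encryptionFlowTarget` and `inputNode` on `EncryptionOperation` are also undocumented; `/** The node the algorithm and block-mode initializations must flow to. */` and `/** The node holding the data being encrypted. */` would tell modelers what a subclass's characteristic predicate has to bind.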