quantum-c#: refactor AVCs for hashes and signatures.

fcasal · fcasal · commit e344505283f5 · 2025-06-25T12:35:08.000+01:00
diff --git a/csharp/ql/lib/experimental/quantum/dotnet/AlgorithmInstances.qll b/csharp/ql/lib/experimental/quantum/dotnet/AlgorithmInstances.qll
@@ -27,33 +27,9 @@ abstract class SigningAlgorithmInstance extends Crypto::KeyOperationAlgorithmIns
 
   override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { none() }
 
-
   override int getKeySizeFixed() { none() }
 }
 
-class EcdsaAlgorithmInstance extends SigningAlgorithmInstance instanceof SigningCreateCall {
-  EcdsaAlgorithmInstance() { this instanceof ECDsaCreateCall }
-
-  EcdsaAlgorithmValueConsumer getConsumer() { result = super.getQualifier() }
-
-  override string getRawAlgorithmName() { result = "ECDsa" }
-
-  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
-    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::ECDSA())
-  }
-}
-
-class RsaAlgorithmInstance extends SigningAlgorithmInstance {
-  RsaAlgorithmInstance() { this = any(RSACreateCall c).getQualifier() }
-
-  override string getRawAlgorithmName() { result = "RSA" }
-
-  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
-    // TODO there is no RSA TSignature type, so we use OtherSignatureAlgorithmType
-    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::OtherSignatureAlgorithmType())
-  }
-}
-
 class HashAlgorithmNameInstance extends Crypto::HashAlgorithmInstance instanceof HashAlgorithmName {
   HashAlgorithmNameConsumer consumer;
 
diff --git a/csharp/ql/lib/experimental/quantum/dotnet/AlgorithmValueConsumers.qll b/csharp/ql/lib/experimental/quantum/dotnet/AlgorithmValueConsumers.qll
@@ -4,18 +4,6 @@ private import AlgorithmInstances
 private import OperationInstances
 private import Cryptography
 
-class EcdsaAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer {
-  ECDsaCreateCall call;
-
-  EcdsaAlgorithmValueConsumer() { this = call.getAlgorithmArg() }
-
-  override Crypto::ConsumerInputDataFlowNode getInputNode() { result.asExpr() = this }
-
-  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
-    exists(EcdsaAlgorithmInstance l | l.getConsumer() = this and result = l)
-  }
-}
-
 class HashAlgorithmNameConsumer extends Crypto::AlgorithmValueConsumer {
   HashAlgorithmNameUser call;
 
diff --git a/csharp/ql/lib/experimental/quantum/dotnet/Cryptography.qll b/csharp/ql/lib/experimental/quantum/dotnet/Cryptography.qll
@@ -37,7 +37,7 @@ class HashAlgorithmType extends CryptographyType {
 // This class models Create calls for the ECDsa and RSA classes in .NET.
 class CryptographyCreateCall extends MethodCall {
   CryptographyCreateCall() {
-    this.getTarget().getName() = "Create" and
+    this.getTarget().hasName("Create") and
     this.getQualifier().getType() instanceof CryptographyType
   }
 
@@ -58,27 +58,35 @@ class CryptographyCreateCall extends MethodCall {
   }
 }
 
-class ECDsaCreateCall extends CryptographyCreateCall {
-  ECDsaCreateCall() { this.getQualifier().getType().hasName("ECDsa") }
+class EcdsaType extends CryptographyType {
+  EcdsaType() { this.hasName("ECDsa") }
+}
+
+class RsaType extends CryptographyType {
+  RsaType() { this.hasName("RSA") }
+}
+
+class EcdsaCreateCall extends CryptographyCreateCall {
+  EcdsaCreateCall() { this.getQualifier().getType().hasName("ECDsa") }
 }
 
 // This class is used to model the `ECDsa.Create(ECParameters)` call
-class ECDsaCreateCallWithParameters extends ECDsaCreateCall {
+class ECDsaCreateCallWithParameters extends EcdsaCreateCall {
   ECDsaCreateCallWithParameters() { this.getArgument(0).getType() instanceof ECParameters }
 }
 
-class ECDsaCreateCallWithECCurve extends ECDsaCreateCall {
+class ECDsaCreateCallWithECCurve extends EcdsaCreateCall {
   ECDsaCreateCallWithECCurve() { this.getArgument(0).getType() instanceof ECCurve }
 }
 
-class RSACreateCall extends CryptographyCreateCall {
-  RSACreateCall() { this.getQualifier().getType().hasName("RSA") }
+class RsaCreateCall extends CryptographyCreateCall {
+  RsaCreateCall() { this.getQualifier().getType().hasName("RSA") }
 }
 
 class SigningCreateCall extends CryptographyCreateCall {
   SigningCreateCall() {
-    this instanceof ECDsaCreateCall or
-    this instanceof RSACreateCall
+    this instanceof EcdsaCreateCall or
+    this instanceof RsaCreateCall
   }
 }
 
@@ -95,10 +103,9 @@ class HashAlgorithmCreateCall extends Crypto::AlgorithmValueConsumer instanceof
   override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
 }
 
-class HashAlgorithmQualifier extends Crypto::HashAlgorithmInstance instanceof Expr {
-  HashAlgorithmQualifier() {
-    this = any(HashAlgorithmCreateCall c).(CryptographyCreateCall).getQualifier()
-  }
+class HashAlgorithmQualifier extends Crypto::AlgorithmValueConsumer, Crypto::HashAlgorithmInstance instanceof Expr
+{
+  HashAlgorithmQualifier() { this = any(HashUse c).getQualifier() }
 
   override Crypto::THashType getHashFamily() {
     result = getHashFamily(this.getRawHashAlgorithmName())
@@ -109,6 +116,10 @@ class HashAlgorithmQualifier extends Crypto::HashAlgorithmInstance instanceof Ex
   override int getFixedDigestLength() {
     hashAlgorithmToFamily(this.getRawHashAlgorithmName(), _, result)
   }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
 }
 
 class NamedCurvePropertyAccess extends PropertyAccess {
@@ -264,6 +275,37 @@ class HashUse extends Crypto::AlgorithmValueConsumer instanceof MethodCall {
   override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = super.getQualifier() }
 
   override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
+
+  Expr getQualifier() { result = super.getQualifier() }
+}
+
+abstract class SignerQualifier extends Crypto::AlgorithmValueConsumer, SigningAlgorithmInstance instanceof Expr
+{
+  SignerQualifier() { this = any(SignerUse s).getQualifier() }
+
+  override Crypto::AlgorithmInstance getAKnownAlgorithmSource() { result = this }
+
+  override Crypto::ConsumerInputDataFlowNode getInputNode() { none() }
+}
+
+class EcdsaSignerQualifier extends SignerQualifier instanceof Expr {
+  EcdsaSignerQualifier() { super.getType() instanceof EcdsaType }
+
+  override string getRawAlgorithmName() { result = "ECDsa" }
+
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
+    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::ECDSA())
+  }
+}
+
+class RsaSignerQualifier extends SignerQualifier instanceof Expr {
+  RsaSignerQualifier() { super.getType() instanceof RsaType }
+
+  override string getRawAlgorithmName() { result = "RSA" }
+
+  override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {
+    result = Crypto::KeyOpAlg::TSignature(Crypto::KeyOpAlg::OtherSignatureAlgorithmType())
+  }
 }
 
 class SignerUse extends MethodCall {
diff --git a/csharp/ql/lib/experimental/quantum/dotnet/FlowAnalysis.qll b/csharp/ql/lib/experimental/quantum/dotnet/FlowAnalysis.qll
@@ -54,20 +54,6 @@ module CreationToUseFlow<CreationCallSig Creation, UseCallSig Use> {
   }
 }
 
-/**
- * Flow from a known ECDsa property access to a `ECDsa.Create(sink)` call.
- */
-module SigningNamedCurveToSignatureCreateFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node src) { src.asExpr() instanceof NamedCurvePropertyAccess }
-
-  predicate isSink(DataFlow::Node sink) {
-    exists(EcdsaAlgorithmValueConsumer consumer | sink = consumer.getInputNode())
-  }
-}
-
-module SigningNamedCurveToSignatureCreateFlow =
-  DataFlow::Global<SigningNamedCurveToSignatureCreateFlowConfig>;
-
 module HashAlgorithmNameToUseConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node src) { src.asExpr() instanceof HashAlgorithmName }
 
diff --git a/csharp/ql/lib/experimental/quantum/dotnet/OperationInstances.qll b/csharp/ql/lib/experimental/quantum/dotnet/OperationInstances.qll
@@ -5,10 +5,9 @@ private import AlgorithmValueConsumers
 private import FlowAnalysis
 private import Cryptography
 
-class ECDsaORRSASigningOperationInstance extends Crypto::SignatureOperationInstance instanceof SignerUse
-{
+class SigningOperationInstance extends Crypto::SignatureOperationInstance instanceof SignerUse {
   override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    result = SigningCreateToUseFlow::getCreationFromUse(this, _, _).getAlgorithmArg()
+    result = super.getQualifier()
   }
 
   override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
@@ -52,9 +51,7 @@ class HashOperationInstance extends Crypto::HashOperationInstance instanceof Has
   }
 
   override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    if exists(HashCreateToUseFlow::getCreationFromUse(this, _, _))
-    then result = HashCreateToUseFlow::getCreationFromUse(this, _, _)
-    else result = this
+    result = super.getQualifier()
   }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -5,10 +5,9 @@ private import AlgorithmValueConsumers`
`5`	`5`	`private import FlowAnalysis`
`6`	`6`	`private import Cryptography`
`7`	`7`
`8`		`-class ECDsaORRSASigningOperationInstance extends Crypto::SignatureOperationInstance instanceof SignerUse`
`9`		`-{`
	`8`	`+class SigningOperationInstance extends Crypto::SignatureOperationInstance instanceof SignerUse {`
`10`	`9`	`override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {`
`11`		`- result = SigningCreateToUseFlow::getCreationFromUse(this, _, _).getAlgorithmArg()`
	`10`	`+ result = super.getQualifier()`
`12`	`11`	`}`
`13`	`12`
`14`	`13`	`override Crypto::KeyOperationSubtype getKeyOperationSubtype() {`
`@@ -52,9 +51,7 @@ class HashOperationInstance extends Crypto::HashOperationInstance instanceof Has`
`52`	`51`	`}`
`53`	`52`
`54`	`53`	`override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {`
`55`		`- if exists(HashCreateToUseFlow::getCreationFromUse(this, _, _))`
`56`		`- then result = HashCreateToUseFlow::getCreationFromUse(this, _, _)`
`57`		`- else result = this`
	`54`	`+ result = super.getQualifier()`
`58`	`55`	`}`
`59`	`56`	`}`
`60`	`57`