Crypto: Update JCA PBKDF2 modeling: 1) add further inheritance structures to make the inheritance decomposition and caveats clearer, and 2) use getConsumer to establish the hash and hmac consumer. Update the Model to expect hash node types specifically for HMAC getHashALgorithmOrUnknown.

bdrodes · bdrodes · commit 704a06e1fa5d · 2025-10-02T11:45:13.000-04:00
diff --git a/java/ql/lib/experimental/quantum/JCA.qll b/java/ql/lib/experimental/quantum/JCA.qll
@@ -1265,23 +1265,39 @@ module JCAModel {
     override int getFixedDigestLength() { exists(hash_name_to_type_known(hashName, result)) }
   }
 
-  //TODO: handle PBE
-  class Pbkdf2AlgorithmStringLiteral extends KdfAlgorithmStringLiteral,
-    Crypto::Pbkdf2AlgorithmInstance, Crypto::HmacAlgorithmInstance
+  //TODO: handle PBE "with" cases
+  class Pbkdf2WithHmac_Pbkdf2AlgorithmInstance extends Crypto::Pbkdf2AlgorithmInstance,
+    KdfAlgorithmStringLiteral, // this is a parent already, but extending to have immediate access to 'getConsumer()'
+    Pbkdf2WithHmac_KeyOperationAlgorithmStringLiteral
   {
-    Pbkdf2AlgorithmStringLiteral() { super.getKdfType() instanceof Crypto::PBKDF2 }
-
-    override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() { result = this }
+    override Crypto::AlgorithmValueConsumer getHmacAlgorithmValueConsumer() {
+      result = this.getConsumer()
+    }
+  }
 
-    override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() { result = this }
+  // NOTE: must use instanceof to avoid non-monotonic recursion
+  class Pbkdf2WithHmac_HmacAlgorithmInstance extends Crypto::HmacAlgorithmInstance instanceof Pbkdf2WithHmac_KeyOperationAlgorithmStringLiteral
+  {
+    override Crypto::AlgorithmValueConsumer getHashAlgorithmValueConsumer() {
+      result = this.(KdfAlgorithmStringLiteral).getConsumer()
+    }
 
-    override int getKeySizeFixed() { none() }
+    override int getKeySizeFixed() {
+      // already defined by parent key operation algorithm, but extending an instance
+      // still requires we override this method
+      result = super.getKeySizeFixed()
+    }
 
-    override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() { none() }
+    override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
+      // already defined by parent key operation algorithm, but extending an instance
+      // still requires we override this method
+      result = super.getKeySizeConsumer()
+    }
 
     override string getRawAlgorithmName() {
-      // Note: hard coding "hmac" since that should be the only option
-      result = "Hmac"
+      // already defined by parent key operation algorithm, but extending an instance
+      // still requires we override this method
+      result = super.getRawAlgorithmName()
     }
 
     override Crypto::KeyOpAlg::AlgorithmType getAlgorithmType() {
diff --git a/shared/quantum/codeql/quantum/experimental/Model.qll b/shared/quantum/codeql/quantum/experimental/Model.qll
@@ -1633,7 +1633,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
 
     override string getInternalType() { result = "HMACAlgorithm" }
 
-    NodeBase getHashAlgorithmOrUnknown() {
+    HashAlgorithmNode getHashAlgorithmOrUnknown() {
       result.asElement() = hmacInstance.getHashAlgorithmValueConsumer().getASource()
     }
 

Original file line number	Diff line number	Diff line change
`@@ -1633,7 +1633,7 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {`
`1633`	`1633`
`1634`	`1634`	`override string getInternalType() { result = "HMACAlgorithm" }`
`1635`	`1635`
`1636`		`- NodeBase getHashAlgorithmOrUnknown() {`
	`1636`	`+ HashAlgorithmNode getHashAlgorithmOrUnknown() {`
`1637`	`1637`	`result.asElement() = hmacInstance.getHashAlgorithmValueConsumer().getASource()`
`1638`	`1638`	`}`
`1639`	`1639`