Completed tying algorithm instances to consumers. The model should now have known literals for cipher instances; it traces those instances to consumers (inits), and those inits are traced to cipher operations.
@@ -52,11 +52,13 @@ predicate literalToCipherFamilyType(Literal e, Crypto::TCipherType type) {
|
||||
)
|
||||
}
|
||||
|
||||
|
||||
class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorithmInstance instanceof Literal
|
||||
{
|
||||
OpenSSLAlgorithmGetterCall cipherGetterCall;
|
||||
CipherKnownAlgorithmLiteralAlgorithmInstance() {
|
||||
exists(EVPCipherGetterCall c, DataFlow::Node src, DataFlow::Node sink |
|
||||
sink = c.getValueArgNode() and
|
||||
exists(DataFlow::Node src, DataFlow::Node sink |
|
||||
sink = cipherGetterCall.getValueArgNode() and
|
||||
src.asExpr() = this and
|
||||
KnownAlgorithmLiteralToAlgorithmGetterFlow::flow(src, sink) and
|
||||
// Not just any known value, but specifically a known cipher operation
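Review bot: The new field `cipherGetterCall` is bound only inside the characteristic predicate and nothing says what it represents; a one-line QLDoc would spare the next reader from re-deriving it from the flow call, e.g. `/** The OpenSSL getter call whose value argument receives this literal via KnownAlgorithmLiteralToAlgorithmGetterFlow. */`. The field is typed as the general `OpenSSLAlgorithmGetterCall` rather than the cipher-specific `EVPCipherGetterCall` the removed `exists` used, so the restriction to cipher getters now rests entirely on the check that the trailing comment introduces; if that check only constrains the literal, a literal that flows into a non-cipher getter may still be admitted as a cipher instance. The characteristic predicate's body continues past the end of the hunk.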
|
||||
@@ -67,7 +69,9 @@ class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorit
|
||||
)
|
||||
}
|
||||
|
||||
Crypto::AlgorithmConsumer getConsumer() { none() } //result = consumer }
|
||||
Crypto::AlgorithmConsumer getConsumer() {
|
||||
AlgGetterToAlgConsumerFlow::flow(cipherGetterCall.getResultNode(), DataFlow::exprNode(result))
|
||||
}
|
||||
|
||||
override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
|
||||
none() // TODO: provider defaults
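Review bot: The new `getConsumer()` looks the consumer up with `DataFlow::exprNode(result)`, but the sink of `AlgGetterToAlgConsumerConfig` in the second file of this commit is `c.getInputNode()`; unless a consumer's input node is exactly its own expression node, the flow predicate can never pair the two and `getConsumer()` is as empty as the `none()` it replaces. The form consistent with the config is `AlgGetterToAlgConsumerFlow::flow(cipherGetterCall.getResultNode(), result.getInputNode())`. Unlike `getModeOfOperationAlgorithm()` two lines below, the predicate also carries no `override`: if `Crypto::CipherAlgorithmInstance` or a supertype declares `getConsumer()`, QL rejects the redeclaration, and if none does, the result is not reachable through the abstract type that the rest of the model works with.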
|
||||
|
||||
@@ -2,6 +2,19 @@ import cpp
|
||||
import semmle.code.cpp.dataflow.new.DataFlow
|
||||
import LibraryDetector
|
||||
import OpenSSLKnownAlgorithmConstants
|
||||
import experimental.Quantum.Language
|
||||
|
||||
module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
exists(OpenSSLAlgorithmGetterCall c | c.getResultNode() = source)
|
||||
}
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(Crypto::AlgorithmConsumer c | c.getInputNode() = sink)
|
||||
}
|
||||
}
|
||||
|
||||
module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
|
||||
|
||||
abstract class AlgorithmPassthroughCall extends Call {
|
||||
abstract DataFlow::Node getInNode();
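Review bot: `AlgGetterToAlgConsumerConfig` and `AlgGetterToAlgConsumerFlow` are new public modules with no QLDoc, and they form one link of a chain (literal to getter, getter to consumer) that a reader has to reconstruct across this file; suggest a comment on the config such as `/** Tracks the result of an OpenSSLAlgorithmGetterCall to the input node of a Crypto::AlgorithmConsumer. */` and on the flow module `/** Global data flow from OpenSSL algorithm getter results to algorithm consumers. */`. The source is every getter result and the sink every consumer input, with no barrier or additional step, so one getter result reaching several consumers yields a consumer for each; if that fan-out is intended, the doc is the place to say so.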
|
||||
@@ -116,14 +129,7 @@ abstract class OpenSSLAlgorithmGetterCall extends Call {
|
||||
}
|
||||
|
||||
module KnownAlgorithmLiteralToAlgorithmGetterConfig implements DataFlow::ConfigSig {
|
||||
predicate isSource(DataFlow::Node source) {
|
||||
(
|
||||
source.asExpr() instanceof Literal and
|
||||
// 0 sources, for nid are unknown, and 0 otherwise represents a null assignment (ignore as unknown)
|
||||
exists(source.asExpr().(Literal).getValue().toInt()) implies source.asExpr().(Literal).getValue().toInt() != 0
|
||||
//resolveAlgorithmFromLiteral(source.asExpr(),_,_)
|
||||
)
|
||||
}
|
||||
predicate isSource(DataFlow::Node source) { resolveAlgorithmFromLiteral(source.asExpr(), _, _) }
|
||||
|
||||
predicate isSink(DataFlow::Node sink) {
|
||||
exists(OpenSSLAlgorithmGetterCall c | c.getValueArgNode() = sink)
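Review bot: The replacement `isSource` drops the explanation that a literal value of 0 is excluded because an nid of 0 is unknown and 0 otherwise reads as a null assignment; whether that exclusion still holds now depends on `resolveAlgorithmFromLiteral`, defined outside this hunk, never resolving 0. If it can, the new source set is wider than the old one rather than narrower. Suggest keeping the rationale next to the new line, `// Only literals that resolve to a known algorithm; 0 (unknown nid / null assignment) is expected not to resolve`, or re-adding the `!= 0` guard if the helper does not guarantee it. The `isSink` predicate that opens at the end of the hunk closes outside it.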
|
||||
|
||||