Completed tying algorithm instances to consumers. Now the model should have known literals for cipher instances, and it traces those instances to consumers (inits) and those inits are traced to cipher operations.

2026-04-25 16:55:19 +02:00 · 2025-03-05 15:48:08 -05:00
parent de3ff45cba
commit 6083df2b7f
2 changed files with 21 additions and 11 deletions
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll
@@ -52,11 +52,13 @@ predicate literalToCipherFamilyType(Literal e, Crypto::TCipherType type) {
  )
 }

+
 class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorithmInstance instanceof Literal
 {
+  OpenSSLAlgorithmGetterCall cipherGetterCall;
  CipherKnownAlgorithmLiteralAlgorithmInstance() {
-    exists(EVPCipherGetterCall c, DataFlow::Node src, DataFlow::Node sink |
-      sink = c.getValueArgNode() and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      sink = cipherGetterCall.getValueArgNode() and
      src.asExpr() = this and
      KnownAlgorithmLiteralToAlgorithmGetterFlow::flow(src, sink) and
      // Not just any known value, but specifically a known cipher operation
@@ -67,7 +69,9 @@ class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorit
    )
  }

-  Crypto::AlgorithmConsumer getConsumer() { none() } //result = consumer }
+  Crypto::AlgorithmConsumer getConsumer() { 
+    AlgGetterToAlgConsumerFlow::flow(cipherGetterCall.getResultNode(), DataFlow::exprNode(result))
+  } 

  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
    none() // TODO: provider defaults
--- a/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSLAlgorithmGetter.qll
+++ b/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSLAlgorithmGetter.qll
@@ -2,6 +2,19 @@ import cpp
 import semmle.code.cpp.dataflow.new.DataFlow
 import LibraryDetector
 import OpenSSLKnownAlgorithmConstants
+import experimental.Quantum.Language
+
+module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmGetterCall c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Crypto::AlgorithmConsumer c | c.getInputNode() = sink)
+  }
+}
+
+module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;

 abstract class AlgorithmPassthroughCall extends Call {
  abstract DataFlow::Node getInNode();
@@ -116,14 +129,7 @@ abstract class OpenSSLAlgorithmGetterCall extends Call {
 }

 module KnownAlgorithmLiteralToAlgorithmGetterConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    (
-      source.asExpr() instanceof Literal and
-      // 0 sources, for nid are unknown, and 0 otherwise represents a null assignment (ignore as unknown)
-      exists(source.asExpr().(Literal).getValue().toInt()) implies source.asExpr().(Literal).getValue().toInt() != 0
-      //resolveAlgorithmFromLiteral(source.asExpr(),_,_)
-    )
-  }
+  predicate isSource(DataFlow::Node source) { resolveAlgorithmFromLiteral(source.asExpr(), _, _) }

  predicate isSink(DataFlow::Node sink) {
    exists(OpenSSLAlgorithmGetterCall c | c.getValueArgNode() = sink)