diff --git a/cpp/ql/lib/experimental/quantum/Language.qll b/cpp/ql/lib/experimental/quantum/Language.qll index ab3ce039cc5c..75ed05ef6fa2 100644 --- a/cpp/ql/lib/experimental/quantum/Language.qll +++ b/cpp/ql/lib/experimental/quantum/Language.qll @@ -94,7 +94,10 @@ private class ConstantDataSource extends Crypto::GenericConstantSourceInstance i // where typical algorithms are specified, but EC specifically means set up a // default curve container, that will later be specified explicitly (or if not a default) // curve is used. - this.getValue() != "EC" + this.getValue() != "EC" and + // Exclude all 0's as algorithms. Currently we know of no algorithm defined as 0, and + // the typical case is 0 is assigned to represent null. + this.getValue().toInt() != 0 } override DataFlow::Node getOutputNode() { result.asExpr() = this } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll index 045e3649e410..c2df3989f811 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll @@ -3,6 +3,7 @@ private import experimental.quantum.Language private import semmle.code.cpp.dataflow.new.DataFlow private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers +private import PaddingAlgorithmInstance /** * Traces 'known algorithms' to AVCs, specifically 
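Review bot: The added conjunct `this.getValue().toInt() != 0` only holds when `toInt()` has a result, so any constant whose value is not an integer string — for instance the algorithm-name literals that the preceding `!= "EC"` check is written for — no longer satisfies the characteristic predicate, because QL's `!=` does not hold when either operand is undefined. To exclude only a literal zero while keeping non-numeric values, write `not this.getValue().toInt() = 0`. I infer from the `"EC"` comparison that string-valued constants reach this class; if `getValue()` is always numeric here the point is moot. The enclosing ConstantDataSource body starts before the hunk.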
@@ -19,6 +20,9 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow:: predicate isSink(DataFlow::Node sink) { exists(OpenSSLAlgorithmValueConsumer c | c.getInputNode() = sink and + // exclude padding algorithm consumers, since + // these consumers take in different constant values + // not in the typical "known algorithm" set not c instanceof PaddingAlgorithmValueConsumer ) } @@ -43,9 +47,7 @@ module KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow = DataFlow::Global; module RSAPaddingAlgorithmToPaddingAlgorithmValueConsumerConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { - source.asExpr() instanceof KnownOpenSSLAlgorithmConstant - } + predicate isSource(DataFlow::Node source) { source.asExpr() instanceof OpenSSLPaddingLiteral } predicate isSink(DataFlow::Node sink) { exists(PaddingAlgorithmValueConsumer c | c.getInputNode() = sink) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll index 299d8c886940..1bc7d12e9847 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll @@ -8,7 +8,7 @@ private import AlgToAVCFlow /** * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type. - * Does not bind if there is know mapping (no mapping to 'unknown' or 'other'). + * Does not bind if there is no mapping (no mapping to 'unknown' or 'other'). */ predicate knownOpenSSLConstantToBlockModeFamilyType( KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll index 0e41b50300c8..a6415df31c6f 100644 
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll @@ -11,7 +11,7 @@ private import BlockAlgorithmInstance /** * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type. - * Does not bind if there is know mapping (no mapping to 'unknown' or 'other'). + * Does not bind if there is no mapping (no mapping to 'unknown' or 'other'). */ predicate knownOpenSSLConstantToCipherFamilyType( KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll index 5e7e16b13dc6..0491aba51799 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KnownAlgorithmConstants.qll @@ -1,5 +1,4 @@ import cpp -private import experimental.quantum.OpenSSL.LibraryDetector predicate resolveAlgorithmFromExpr(Expr e, string normalizedName, string algType) { resolveAlgorithmFromCall(e, normalizedName, algType) @@ -20,7 +19,7 @@ class KnownOpenSSLCipherAlgorithmConstant extends KnownOpenSSLAlgorithmConstant KnownOpenSSLCipherAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("%encryption") + algType.matches("%ENCRYPTION") } int getExplicitKeySize() { @@ -37,7 +36,7 @@ class KnownOpenSSLPaddingAlgorithmConstant extends KnownOpenSSLAlgorithmConstant KnownOpenSSLPaddingAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("%padding") + algType.matches("%PADDING") } } 
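Review bot: `algType.matches("%ENCRYPTION")` is now case-sensitive where the removed `toLowerCase().matches("%encryption")` was not, and the same change is made for PADDING, BLOCK_MODE, HASH and ELLIPTIC_CURVE in the following hunks of KnownAlgorithmConstants.qll. The producer of `algType` (the third argument of `resolveAlgorithmFromCall`) is not in this diff, so I cannot confirm that every value it yields is upper-case; any mixed-case value would silently stop being classified rather than fail loudly. If `algType` is meant to be an upper-case tag, a QLDoc line on `resolveAlgorithmFromExpr` such as `algType is an upper-case category tag, e.g. "ENCRYPTION" or "HASH".` would make that invariant visible. The KnownOpenSSLCipherAlgorithmConstant class body begins before the hunk.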
@@ -46,7 +45,7 @@ class KnownOpenSSLBlockModeAlgorithmConstant extends KnownOpenSSLAlgorithmConsta KnownOpenSSLBlockModeAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("%block_mode") + algType.matches("%BLOCK_MODE") } } @@ -55,7 +54,7 @@ class KnownOpenSSLHashAlgorithmConstant extends KnownOpenSSLAlgorithmConstant { KnownOpenSSLHashAlgorithmConstant() { resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("%hash") + algType.matches("%HASH") } int getExplicitDigestLength() { @@ -71,7 +70,7 @@ class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmCo KnownOpenSSLEllipticCurveAlgorithmConstant() { exists(string algType | resolveAlgorithmFromExpr(this, _, algType) and - algType.toLowerCase().matches("elliptic_curve") + algType.matches("ELLIPTIC_CURVE") ) } } @@ -89,7 +88,6 @@ class KnownOpenSSLEllipticCurveAlgorithmConstant extends KnownOpenSSLAlgorithmCo * alias = "dss1" and target = "dsaWithSHA1" */ predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) { - isPossibleOpenSSLFunction(c.getTarget()) and exists(string name, string parsedTargetName | parsedTargetName = c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll index 2979f1c303fb..8db2dc3ab4b7 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/PaddingAlgorithmInstance.qll 
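Review bot: Dropping `isPossibleOpenSSLFunction(c.getTarget())` from `resolveAlgorithmFromCall` means any call whose target name fits the OpenSSL naming patterns is modelled as an OpenSSL algorithm lookup regardless of which library actually defines it; the same gate is removed in CipherAlgorithmValueConsumer, EllipticCurveAlgorithmValueConsumer, PKeyAlgorithmValueConsumer, PaddingAlgorithmValueConsumer and ECKeyGenOperation in later hunks. Names like `EVP_*` are distinctive, but wrappers or shims in a codebase that reuse them will now be attributed to OpenSSL, so findings from these models become name-based rather than library-based. The commit message is not visible here; if the gate was found too restrictive, a QLDoc sentence on `resolveAlgorithmFromCall` such as `Matching is by function name only; the callee is not checked to resolve to an OpenSSL definition.` would record the decision. The predicate body continues past the hunk.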
@@ -6,9 +6,26 @@ private import AlgToAVCFlow private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase +/** + * A class to define padding specific integer values. + * from rsa.h in openssl: + * # define RSA_PKCS1_PADDING 1 + * # define RSA_NO_PADDING 3 + * # define RSA_PKCS1_OAEP_PADDING 4 + * # define RSA_X931_PADDING 5 + * # define RSA_PKCS1_PSS_PADDING 6 + * # define RSA_PKCS1_WITH_TLS_PADDING 7 + * # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 + */ +class OpenSSLPaddingLiteral extends Literal { + // TODO: we can be more specific about where the literal is in a larger expression + // to avoid literals that are clealy not representing an algorithm, e.g., array indices. + OpenSSLPaddingLiteral() { this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] } +} + /** * Given a `KnownOpenSSLPaddingAlgorithmConstant`, converts this to a padding family type. - * Does not bind if there is know mapping (no mapping to 'unknown' or 'other'). + * Does not bind if there is no mapping (no mapping to 'unknown' or 'other'). */ predicate knownOpenSSLConstantToPaddingFamilyType( KnownOpenSSLPaddingAlgorithmConstant e, Crypto::TPaddingType type 
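Review bot: `OpenSSLPaddingLiteral` accepts `0` although none of the `RSA_*_PADDING` defines listed in its own QLDoc is `0`, and the Language.qll hunk in this same commit excludes `0` from constant sources on the grounds that it usually represents null; as written, any `0` literal that flows to a padding consumer becomes a padding instance whose `getKnownPaddingType` has no result, i.e. it is reported as `OtherPadding`. If `0` is kept deliberately, say so in the QLDoc, e.g. `0 is included so that an unset padding argument is still reported as OtherPadding.`; otherwise drop it from the list. The TODO also has a typo, `clealy` for `clearly`, and the QLDoc's first line would read better as `A literal whose value is one of the RSA padding mode values from OpenSSL's rsa.h.`.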
@@ -60,19 +77,8 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta this instanceof KnownOpenSSLPaddingAlgorithmConstant and isPaddingSpecificConsumer = false or - // Possibility 3: - // from rsa.h in openssl: - // # define RSA_PKCS1_PADDING 1 - // # define RSA_NO_PADDING 3 - // # define RSA_PKCS1_OAEP_PADDING 4 - // # define RSA_X931_PADDING 5 - // /* EVP_PKEY_ only */ - // # define RSA_PKCS1_PSS_PADDING 6 - // # define RSA_PKCS1_WITH_TLS_PADDING 7 - // /* internal RSA_ only */ - // # define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 - this instanceof Literal and - this.getValue().toInt() in [0, 1, 3, 4, 5, 6, 7, 8] and + // Possibility 3: padding-specific literal + this instanceof OpenSSLPaddingLiteral and exists(DataFlow::Node src, DataFlow::Node sink | // Sink is an argument to a CipherGetterCall sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and 
@@ -88,24 +94,24 @@ class KnownOpenSSLPaddingConstantAlgorithmInstance extends OpenSSLAlgorithmInsta override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall } + Crypto::TPaddingType getKnownPaddingType() { + this.(Literal).getValue().toInt() in [1, 7, 8] and result = Crypto::PKCS1_v1_5() + or + this.(Literal).getValue().toInt() = 3 and result = Crypto::NoPadding() + or + this.(Literal).getValue().toInt() = 4 and result = Crypto::OAEP() + or + this.(Literal).getValue().toInt() = 5 and result = Crypto::ANSI_X9_23() + or + this.(Literal).getValue().toInt() = 6 and result = Crypto::PSS() + } + override Crypto::TPaddingType getPaddingType() { isPaddingSpecificConsumer = true and ( - if this.(Literal).getValue().toInt() in [1, 7, 8] - then result = Crypto::PKCS1_v1_5() - else - if this.(Literal).getValue().toInt() = 3 - then result = Crypto::NoPadding() - else - if this.(Literal).getValue().toInt() = 4 - then result = Crypto::OAEP() - else - if this.(Literal).getValue().toInt() = 5 - then result = Crypto::ANSI_X9_23() - else - if this.(Literal).getValue().toInt() = 6 - then result = Crypto::PSS() - else result = Crypto::OtherPadding() + result = this.getKnownPaddingType() + or + not exists(this.getKnownPaddingType()) and result = Crypto::OtherPadding() ) or isPaddingSpecificConsumer = false and diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll index 00fc4d735a5c..8aa5d946baee 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/CipherAlgorithmValueConsumer.qll 
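Review bot: `getKnownPaddingType` is a new non-private member predicate with no QLDoc, and the `5` disjunct deserves a comment: the OpenSSL value it matches is `RSA_X931_PADDING`, i.e. ANSI X9.31 (an RSA signature encoding), which is a different scheme from ANSI X9.23 (a block-cipher padding rule), so `Crypto::ANSI_X9_23()` is an approximation to the nearest type in the model. Suggested QLDoc: `Gets the padding type for a literal with a known OpenSSL RSA_*_PADDING value. Has no result for values (such as 0) that are not a known padding mode.`, plus an inline `// RSA_X931_PADDING (ANSI X9.31); modelled as the closest available type` on the `5` disjunct. The class body starts before the hunk.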
@@ -1,6 +1,5 @@ import cpp private import experimental.quantum.Language -private import experimental.quantum.OpenSSL.LibraryDetector private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase private import OpenSSLAlgorithmValueConsumerBase @@ -14,7 +13,6 @@ class EVPCipherAlgorithmValueConsumer extends CipherAlgorithmValueConsumer { EVPCipherAlgorithmValueConsumer() { resultNode.asExpr() = this and - isPossibleOpenSSLFunction(this.(Call).getTarget()) and ( this.(Call).getTarget().getName() in [ "EVP_get_cipherbyname", "EVP_get_cipherbyobj", "EVP_get_cipherbynid" diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll index 79aada45bd98..4bff4cb05db2 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/EllipticCurveAlgorithmValueConsumer.qll @@ -1,6 +1,5 @@ import cpp private import experimental.quantum.Language -private import experimental.quantum.OpenSSL.LibraryDetector private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances @@ -14,7 +13,6 @@ class EVPEllipticCurveAlgorithmConsumer extends EllipticCurveValueConsumer { EVPEllipticCurveAlgorithmConsumer() { resultNode.asExpr() = this.(Call) and // in all cases the result is the return - isPossibleOpenSSLFunction(this.(Call).getTarget()) and ( this.(Call).getTarget().getName() in ["EVP_EC_gen", "EC_KEY_new_by_curve_name"] and valueArgNode.asExpr() = this.(Call).getArgument(0) 
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll index 200b08849f51..b0cdee1f8f5d 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumerBase.qll @@ -1,5 +1,4 @@ private import experimental.quantum.Language -private import semmle.code.cpp.dataflow.new.DataFlow abstract class OpenSSLAlgorithmValueConsumer extends Crypto::AlgorithmValueConsumer instanceof Call { /** diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll index 8da40884a3af..0d40ceeb68af 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll @@ -1,6 +1,5 @@ import cpp private import experimental.quantum.Language -private import experimental.quantum.OpenSSL.LibraryDetector private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumerBase private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances @@ -13,7 +12,6 @@ class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer { EVPPKeyAlgorithmConsumer() { resultNode.asExpr() = this.(Call) and // in all cases the result is the return - isPossibleOpenSSLFunction(this.(Call).getTarget()) and ( // NOTE: some of these consumers are themselves key gen operations, // in these cases, the operation will be created separately for the same function. 
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll index bb33ad653817..c60918519c80 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PaddingAlgorithmValueConsumer.qll @@ -1,6 +1,5 @@ import cpp private import experimental.quantum.Language -private import experimental.quantum.OpenSSL.LibraryDetector private import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase private import OpenSSLAlgorithmValueConsumerBase @@ -16,11 +15,8 @@ class EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer extends PaddingAlgorit EVP_PKEY_CTX_set_rsa_padding_AlgorithmValueConsumer() { resultNode.asExpr() = this and - isPossibleOpenSSLFunction(this.(Call).getTarget()) and - ( - this.(Call).getTarget().getName() in ["EVP_PKEY_CTX_set_rsa_padding"] and - valueArgNode.asExpr() = this.(Call).getArgument(1) - ) + this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_padding" and + valueArgNode.asExpr() = this.(Call).getArgument(1) } override DataFlow::Node getResultNode() { result = resultNode } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll index 88e4a1c378b0..cbce19fb5dfe 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll 
@@ -20,79 +20,107 @@ import semmle.code.cpp.dataflow.new.DataFlow -class CTXType extends Type { - CTXType() { - // TODO: should we limit this to an openssl path? - this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st") - } +/** + * An openSSL CTX type, which is type for which the stripped underlying type + * matches the pattern 'evp_%ctx_%st'. + * This includes types like: + * - EVP_CIPHER_CTX + * - EVP_MD_CTX + * - EVP_PKEY_CTX + */ +private class CtxType extends Type { + CtxType() { this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st") } } -class CTXPointerExpr extends Expr { - CTXPointerExpr() { - this.getType() instanceof CTXType and +/** + * A pointer to a CtxType + */ +private class CtxPointerExpr extends Expr { + CtxPointerExpr() { + this.getType() instanceof CtxType and this.getType() instanceof PointerType } } -class CTXPointerArgument extends CTXPointerExpr { - CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) } +/** + * A call argument of type CtxPointerExpr. + */ +private class CtxPointerArgument extends CtxPointerExpr { + CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) } Call getCall() { result.getAnArgument() = this } } -class CTXClearCall extends Call { - CTXClearCall() { +/** + * A call whose target contains 'free' or 'reset' and has an argument of type + * CtxPointerArgument. + */ +private class CtxClearCall extends Call { + CtxClearCall() { this.getTarget().getName().toLowerCase().matches(["%free%", "%reset%"]) and - this.getAnArgument() instanceof CTXPointerArgument + this.getAnArgument() instanceof CtxPointerArgument } } -class CTXCopyOutArgCall extends Call { - CTXCopyOutArgCall() { - this.getTarget().getName().toLowerCase().matches(["%copy%"]) and - this.getAnArgument() instanceof CTXPointerArgument +/** + * A call whose target contains 'copy' and has an argument of type + * CtxPointerArgument. 
+ */ +private class CtxCopyOutArgCall extends Call { + CtxCopyOutArgCall() { + this.getTarget().getName().toLowerCase().matches("%copy%") and + this.getAnArgument() instanceof CtxPointerArgument } } -class CTXCopyReturnCall extends Call { - CTXCopyReturnCall() { - this.getTarget().getName().toLowerCase().matches(["%dup%"]) and - this.getAnArgument() instanceof CTXPointerArgument and - this instanceof CTXPointerExpr +/** + * A call whose target contains 'dup' and has an argument of type + * CtxPointerArgument. + */ +private class CtxCopyReturnCall extends Call, CtxPointerExpr { + CtxCopyReturnCall() { + this.getTarget().getName().toLowerCase().matches("%dup%") and + this.getAnArgument() instanceof CtxPointerArgument } } -module OpenSSLCTXArgumentFlowConfig implements DataFlow::ConfigSig { - predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CTXPointerArgument } +/** + * Flow from any CtxPointerArgument to any other CtxPointerArgument + */ +module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig { + predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument } - predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CTXPointerArgument } + predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument } predicate isBarrier(DataFlow::Node node) { - exists(CTXClearCall c | c.getAnArgument() = node.asExpr()) + exists(CtxClearCall c | c.getAnArgument() = node.asExpr()) } predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) { - exists(CTXCopyOutArgCall c | + exists(CtxCopyOutArgCall c | c.getAnArgument() = node1.asExpr() and c.getAnArgument() = node2.asExpr() and node1.asExpr() != node2.asExpr() and - node2.asExpr().getType() instanceof CTXType + node2.asExpr().getType() instanceof CtxType ) or - exists(CTXCopyReturnCall c | + exists(CtxCopyReturnCall c | c.getAnArgument() = node1.asExpr() and c = node2.asExpr() and node1.asExpr() != node2.asExpr() and - 
node2.asExpr().getType() instanceof CTXType + node2.asExpr().getType() instanceof CtxType ) } } -module OpenSSLCTXArgumentFlow = DataFlow::Global; +module OpenSSLCtxArgumentFlow = DataFlow::Global; -predicate ctxArgFlowsToCtxArg(CTXPointerArgument source, CTXPointerArgument sink) { +/** + * Holds if there is a context flow from the source to the sink. + */ +predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) { exists(DataFlow::Node a, DataFlow::Node b | - OpenSSLCTXArgumentFlow::flow(a, b) and + OpenSSLCtxArgumentFlow::flow(a, b) and a.asExpr() = source and b.asExpr() = sink ) diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll index a232ffa6f3a7..68fdfb731241 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/OpenSSL.qll @@ -1,10 +1,6 @@ -import cpp -import semmle.code.cpp.dataflow.new.DataFlow - module OpenSSLModel { - import experimental.quantum.Language - import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstances - import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers - import experimental.quantum.OpenSSL.Operations.OpenSSLOperations - import experimental.quantum.OpenSSL.Random + import AlgorithmInstances.OpenSSLAlgorithmInstances + import AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers + import Operations.OpenSSLOperations + import Random } diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll index 9dc723bb5d11..4f07ecc0f9e3 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll 
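Review bot: The rewrite of `CtxType` drops the `TODO: should we limit this to an openssl path?` without resolving it, so the type match is still purely by the `evp_%ctx_%st` name pattern and a reader of the new QLDoc would not know that. The same applies to `CtxClearCall`, which acts as a flow barrier for any call whose name contains `free` or `reset` and takes a ctx pointer; a project helper named, say, `reset_stats(ctx)` would end ctx flow and hide the operation that follows it. Keep the caveat in the new QLDoc, e.g. `Matched by name only; not restricted to OpenSSL headers.` on `CtxType`, and add `Name-based heuristic: any call matching '%free%' or '%reset%' that takes a ctx pointer is treated as clearing it.` on `CtxClearCall`. The hunk covers the whole flow module of CtxFlow.qll.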
@@ -1,5 +1,4 @@ private import experimental.quantum.Language -private import experimental.quantum.OpenSSL.LibraryDetector private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow private import OpenSSLOperationBase private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers @@ -18,10 +17,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig { private module AlgGetterToAlgConsumerFlow = DataFlow::Global; class ECKeyGenOperation extends OpenSSLOperation, Crypto::KeyGenerationOperationInstance { - ECKeyGenOperation() { - this.(Call).getTarget().getName() = "EC_KEY_generate_key" and - isPossibleOpenSSLFunction(this.(Call).getTarget()) - } + ECKeyGenOperation() { this.(Call).getTarget().getName() = "EC_KEY_generate_key" } override Expr getOutputArg() { result = this.(Call) // return value of call diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll index 81248d5bad10..43d10545357e 100644 --- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll +++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll @@ -4,7 +4,6 @@ private import experimental.quantum.Language private import experimental.quantum.OpenSSL.CtxFlow as CTXFlow -private import experimental.quantum.OpenSSL.LibraryDetector private import OpenSSLOperationBase private import EVPHashInitializer private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers @@ -42,10 +41,7 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global