Crypto: Update KnownAlgoirthmConstants to make a distinction between calls that return a known algorithm and calls that operate on a known algorithm. update KnownAlgorithmConstants to correct algType for signature algorithms. Update all instances and prior uses of the old mechanic to KnownAlgorithmConstants.

Author: bdrodes

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/AlgToAVCFlow.qll

@@ -14,7 +14,9 @@ private import PaddingAlgorithmInstance
  */
 module KnownOpenSSLAlgorithmToAlgorithmValueConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
-    source.asExpr() instanceof KnownOpenSSLAlgorithmConstant
+    source.asExpr() instanceof KnownOpenSSLAlgorithmExpr and
+    // No need to flow direct operations to AVCs
+    not source.asExpr() instanceof OpenSSLDirectAlgorithmOperationCall
   }
 
   predicate isSink(DataFlow::Node sink) {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -7,14 +7,14 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgor
 private import AlgToAVCFlow
 
 /**
- * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
+ * Given a `KnownOpenSSLBlockModeAlgorithmExpr`, converts this to a block family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToBlockModeFamilyType(
-  KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
+  KnownOpenSSLBlockModeAlgorithmExpr e, Crypto::TBlockCipherModeOfOperationType type
 ) {
   exists(string name |
-    name = e.getNormalizedName() and
+    name = e.(KnownOpenSSLAlgorithmExpr).getNormalizedName() and
     (
       name.matches("CBC") and type instanceof Crypto::CBC
       or
@@ -40,7 +40,7 @@ predicate knownOpenSSLConstantToBlockModeFamilyType(
 }
 
 class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmConstant
+  Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmExpr
 {
   OpenSSLAlgorithmValueConsumer getterCall;
 
@@ -49,7 +49,7 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
     // 1) The source is a literal and flows to a getter, then we know we have an instance
     // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
     // Possibility 1:
-    this instanceof Literal and
+    this instanceof OpenSSLAlgorithmLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -60,7 +60,8 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
     )
     or
     // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+    this instanceof OpenSSLAlgorithmCall and
+    getterCall = this
   }
 
   override Crypto::TBlockCipherModeOfOperationType getModeType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -10,14 +10,14 @@ private import AlgToAVCFlow
 private import BlockAlgorithmInstance
 
 /**
- * Given a `KnownOpenSSLCipherAlgorithmConstant`, converts this to a cipher family type.
+ * Given a `KnownOpenSSLCipherAlgorithmExpr`, converts this to a cipher family type.
  * Does not bind if there is no mapping (no mapping to 'unknown' or 'other').
  */
 predicate knownOpenSSLConstantToCipherFamilyType(
-  KnownOpenSSLCipherAlgorithmConstant e, Crypto::KeyOpAlg::TAlgorithm type
+  KnownOpenSSLCipherAlgorithmExpr e, Crypto::KeyOpAlg::TAlgorithm type
 ) {
   exists(string name |
-    name = e.getNormalizedName() and
+    name = e.(KnownOpenSSLAlgorithmExpr).getNormalizedName() and
     (
       name.matches("AES%") and type = KeyOpAlg::TSymmetricCipher(KeyOpAlg::AES())
       or
@@ -65,7 +65,7 @@ predicate knownOpenSSLConstantToCipherFamilyType(
 }
 
 class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSSLCipherAlgorithmConstant
+  Crypto::KeyOperationAlgorithmInstance instanceof KnownOpenSSLCipherAlgorithmExpr
 {
   OpenSSLAlgorithmValueConsumer getterCall;
 
@@ -74,7 +74,7 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     // 1) The source is a literal and flows to a getter, then we know we have an instance
     // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
     // Possibility 1:
-    this instanceof Literal and
+    this instanceof OpenSSLAlgorithmLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -85,7 +85,8 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     )
     or
     // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+    this instanceof OpenSSLAlgorithmCall and
+    getterCall = this
   }
 
   override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
@@ -109,7 +110,7 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
   }
 
   override int getKeySizeFixed() {
-    this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result
+    this.(KnownOpenSSLCipherAlgorithmExpr).getExplicitKeySize() = result
   }
 
   override Crypto::KeyOpAlg::Algorithm getAlgorithmType() {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -7,7 +7,7 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgori
 private import AlgToAVCFlow
 
 class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmConstant
+  Crypto::EllipticCurveInstance instanceof KnownOpenSSLEllipticCurveAlgorithmExpr
 {
   OpenSSLAlgorithmValueConsumer getterCall;
 
@@ -16,7 +16,7 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith
     // 1) The source is a literal and flows to a getter, then we know we have an instance
     // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
     // Possibility 1:
-    this instanceof Literal and
+    this instanceof OpenSSLAlgorithmLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
@@ -27,7 +27,8 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith
     )
     or
     // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+    this instanceof OpenSSLAlgorithmCall and
+    getterCall = this
   }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
@@ -43,11 +44,11 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith
   }
 
   override string getParsedEllipticCurveName() {
-    result = this.(KnownOpenSSLEllipticCurveAlgorithmConstant).getNormalizedName()
+    result = this.(KnownOpenSSLAlgorithmExpr).getNormalizedName()
   }
 
   override int getKeySize() {
-    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLEllipticCurveAlgorithmConstant)
+    Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.(KnownOpenSSLAlgorithmExpr)
           .getNormalizedName(), result, _)
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -6,10 +6,10 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmI
 private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToHashFamilyType(
-  KnownOpenSSLHashAlgorithmConstant e, Crypto::THashType type
+  KnownOpenSSLHashAlgorithmExpr e, Crypto::THashType type
 ) {
   exists(string name |
-    name = e.getNormalizedName() and
+    name = e.(KnownOpenSSLAlgorithmExpr).getNormalizedName() and
     (
       name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
       or
@@ -45,7 +45,7 @@ predicate knownOpenSSLConstantToHashFamilyType(
 }
 
 class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::HashAlgorithmInstance instanceof KnownOpenSSLHashAlgorithmConstant
+  Crypto::HashAlgorithmInstance instanceof KnownOpenSSLHashAlgorithmExpr
 {
   OpenSSLAlgorithmValueConsumer getterCall;
 
@@ -54,7 +54,7 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     // 1) The source is a literal and flows to a getter, then we know we have an instance
     // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
     // Possibility 1:
-    this instanceof Literal and
+    this instanceof OpenSSLAlgorithmLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
@@ -65,7 +65,8 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     )
     or
     // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+    this instanceof OpenSSLAlgorithmCall and
+    getterCall = this
   }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
@@ -83,6 +84,6 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
   }
 
   override int getFixedDigestLength() {
-    this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result
+    this.(KnownOpenSSLHashAlgorithmExpr).getExplicitDigestLength() = result
   }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -6,10 +6,10 @@ private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmI
 private import AlgToAVCFlow
 
 predicate knownOpenSSLConstantToKeyAgreementFamilyType(
-  KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
+  KnownOpenSSLKeyAgreementAlgorithmExpr e, Crypto::TKeyAgreementType type
 ) {
   exists(string name |
-    name = e.getNormalizedName() and
+    name = e.(KnownOpenSSLAlgorithmExpr).getNormalizedName() and
     (
       name = "ECDH" and type = Crypto::ECDH()
       or
@@ -23,7 +23,7 @@ predicate knownOpenSSLConstantToKeyAgreementFamilyType(
 }
 
 class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
-  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
+  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmExpr
 {
   OpenSSLAlgorithmValueConsumer getterCall;
 
@@ -32,7 +32,7 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     // 1) The source is a literal and flows to a getter, then we know we have an instance
     // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
     // Possibility 1:
-    this instanceof Literal and
+    this instanceof OpenSSLAlgorithmLiteral and
     exists(DataFlow::Node src, DataFlow::Node sink |
       // Sink is an argument to a CipherGetterCall
       sink = getterCall.getInputNode() and
@@ -43,7 +43,9 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     )
     or
     // Possibility 2:
-    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+    this instanceof OpenSSLAlgorithmCall and
+    this instanceof DirectAlgorithmValueConsumer and
+    getterCall = this
   }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }