Skip to content

Commit bd0efbe

Browse files
committed
Crypto: Overhaul of EVP final/init/update to now use a more general 'OperationStep' mechanic.
1 parent 9a064de commit bd0efbe

18 files changed

+2013
-1122
lines changed

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/MACAlgorithmInstance.qll

Lines changed: 7 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -56,11 +56,13 @@ class KnownOpenSslHMacConstantAlgorithmInstance extends Crypto::HMACAlgorithmIns
5656
// and we can simply grab that model's AVC
5757
exists(OpenSslAlgorithmInstance inst | inst.getAvc() = result and inst = this)
5858
else
59-
// ASSUMPTION: If no explicit algorithm is given, then it is assumed to be configured by
60-
// a signature operation
61-
exists(Crypto::SignatureOperationInstance s |
62-
s.getHashAlgorithmValueConsumer() = result and
63-
s.getAnAlgorithmValueConsumer() = this.getAvc()
59+
// ASSUMPTION: If no explicit algorithm is given, then find
60+
// where the current AVC traces to a HashAlgorithmIO consuming operation step.
61+
// TODO: need to consider getting reset values, tracing down to the first set for now
62+
exists(OperationStep s, AvcContextCreationStep avc |
63+
avc = this.getAvc() and
64+
avc.flowsToOperationStep(s) and
65+
s.getAlgorithmValueConsumerForInput(HashAlgorithmIO()) = result
6466
)
6567
}
6668
}

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

Lines changed: 0 additions & 221 deletions
This file was deleted.
Lines changed: 69 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,69 @@
1+
/**
2+
* In OpenSSL, flow between 'context' parameters is often used to
3+
* store state/config of how an operation will eventually be performed.
4+
* Tracing algorithms and configurations to operations therefore
5+
* requires tracing context parameters for many OpenSSL apis.
6+
*
7+
* This library provides a dataflow analysis to track context parameters
8+
* between any two functions accepting openssl context parameters.
9+
* The dataflow takes into consideration flowing through duplication and copy calls
10+
* as well as flow through flow killers (free/reset calls).
11+
*
12+
* TODO: we may need to revisit 'free' as a dataflow killer, depending on how
13+
* we want to model use after frees.
14+
*
15+
* This library also provides classes to represent context Types and relevant
16+
* arguments/expressions.
17+
*/
18+
19+
import semmle.code.cpp.dataflow.new.DataFlow
20+
21+
/**
22+
* An openSSL CTX type, which is type for which the stripped underlying type
23+
* matches the pattern 'evp_%ctx_%st'.
24+
* This includes types like:
25+
* - EVP_CIPHER_CTX
26+
* - EVP_MD_CTX
27+
* - EVP_PKEY_CTX
28+
*/
29+
class CtxType extends Type {
30+
CtxType() {
31+
// It is possible for users to use the underlying type of the CTX variables
32+
// these have a name matching 'evp_%ctx_%st
33+
this.getUnspecifiedType().stripType().getName().matches("evp_%ctx_%st")
34+
or
35+
// In principal the above check should be sufficient, but in case of build mode none issues
36+
// i.e., if a typedef cannot be resolved,
37+
// or issues with properly stubbing test cases, we also explicitly check for the wrapping type defs
38+
// i.e., patterns matching 'EVP_%_CTX'
39+
exists(Type base | base = this or base = this.(DerivedType).getBaseType() |
40+
base.getName().matches("EVP_%_CTX")
41+
)
42+
}
43+
}
44+
45+
/**
46+
* A pointer to a CtxType
47+
*/
48+
class CtxPointerExpr extends Expr {
49+
CtxPointerExpr() {
50+
this.getType() instanceof CtxType and
51+
this.getType() instanceof PointerType
52+
}
53+
}
54+
55+
/**
56+
* A call argument of type CtxPointerExpr.
57+
*/
58+
class CtxPointerArgument extends CtxPointerExpr {
59+
CtxPointerArgument() { exists(Call c | c.getAnArgument() = this) }
60+
61+
Call getCall() { result.getAnArgument() = this }
62+
}
63+
64+
/**
65+
* A call returning a CtxPointerExpr.
66+
*/
67+
private class CtxPointerReturn extends CtxPointerExpr instanceof Call {
68+
Call getCall() { result = this }
69+
}

0 commit comments

Comments
 (0)