Crypto: Update CtxFlow to flow from any "source ctx" which is any ctx that is an argument or a return.

Author: bdrodes

cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll

@@ -63,6 +63,15 @@ private class CtxPointerArgument extends CtxPointerExpr {
   Call getCall() { result.getAnArgument() = this }
 }
 
+/**
+ * A call returning a CtxPointerExpr.
+ */
+private class CtxPointerReturn extends CtxPointerExpr {
+  CtxPointerReturn() { exists(Call c | c = this) }
+
+  Call getCall() { result = this.(Call) }
+}
+
 /**
  * A call whose target contains 'free' or 'reset' and has an argument of type
  * CtxPointerArgument.
@@ -97,10 +106,26 @@ private class CtxCopyReturnCall extends Call, CtxPointerExpr {
 }
 
 /**
- * Flow from any CtxPointerArgument to any other CtxPointerArgument
+ * A source Ctx of interest is any argument or return of type CtxPointerExpr.
+ */
+private class CtxPointerSource extends CtxPointerExpr {
+  CtxPointerSource() {
+    this instanceof CtxPointerReturn or
+    this instanceof CtxPointerArgument
+  }
+
+  DataFlow::Node asNode() {
+    result.asExpr() = this
+    or
+    result.asDefiningArgument() = this
+  }
+}
+
+/**
+ * Flow from any CtxPointerSource to any CtxPointerArgument.
  */
-module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) { source.asExpr() instanceof CtxPointerArgument }
+module OpenSSLCtxSourceToArgumentFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) { exists(CtxPointerSource s | s.asNode() = source) }
 
   predicate isSink(DataFlow::Node sink) { sink.asExpr() instanceof CtxPointerArgument }
 
@@ -125,15 +150,15 @@ module OpenSSLCtxArgumentFlowConfig implements DataFlow::ConfigSig {
   }
 }
 
-module OpenSSLCtxArgumentFlow = DataFlow::Global<OpenSSLCtxArgumentFlowConfig>;
+module OpenSSLCtxSourceToArgumentFlow = DataFlow::Global<OpenSSLCtxSourceToArgumentFlowConfig>;
 
 /**
  * Holds if there is a context flow from the source to the sink.
  */
-predicate ctxArgFlowsToCtxArg(CtxPointerArgument source, CtxPointerArgument sink) {
+predicate ctxArgOrRetFlowsToCtxArg(CtxPointerSource source, CtxPointerArgument sink) {
   exists(DataFlow::Node a, DataFlow::Node b |
-    OpenSSLCtxArgumentFlow::flow(a, b) and
-    a.asExpr() = source and
+    OpenSSLCtxSourceToArgumentFlow::flow(a, b) and
+    a = source.asNode() and
     b.asExpr() = sink
   )
 }

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -122,7 +122,7 @@ abstract class EVPOperation extends OpenSSLOperation {
    * Finds the initialization call, may be none.
    */
   EVPInitialize getInitCall() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+    CTXFlow::ctxArgOrRetFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
 
   Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
@@ -138,14 +138,15 @@ abstract class EVPOperation extends OpenSSLOperation {
 }
 
 /**
- * The final calls of the EVP API.
+ * An EVP final call,
+ * which is typicall usesed in an update/final pattern.
  */
 abstract class EVPFinal extends EVPOperation {
   /**
    * All update calls that were executed before this final call.
    */
   EVPUpdate getUpdateCalls() {
-    CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
+    CTXFlow::ctxArgOrRetFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
 
   /**