Fix TODOs for openssl queries, add additional support for BN_CTX* models and querying for unbalanced BN_CTX usage

Author: ex0dus-0x

cpp/lib/trailofbits/crypto/openssl/bn.qll

@@ -4,7 +4,8 @@ import trailofbits.crypto.common
 // BIGNUM *BN_new(void);
 class BN_new extends CustomAllocator {
   BN_new() {
-    this.getQualifiedName() = "BN_new" and (
+    this.getQualifiedName() = "BN_new" and
+    (
       dealloc instanceof BN_free or
       dealloc instanceof BN_clear_free
     )
@@ -14,7 +15,8 @@ class BN_new extends CustomAllocator {
 // BIGNUM *BN_secure_new(void);
 class BN_secure_new extends CustomAllocator {
   BN_secure_new() {
-    this.getQualifiedName() = "BN_secure_new" and (
+    this.getQualifiedName() = "BN_secure_new" and
+    (
       dealloc instanceof BN_free or
       dealloc instanceof BN_clear_free
     )
@@ -23,24 +25,16 @@ class BN_secure_new extends CustomAllocator {
 
 // void BN_free(BIGNUM *a);
 class BN_free extends CustomDeallocator {
-  BN_free() {
-    this.getQualifiedName() = "BN_free"
-  }
+  BN_free() { this.getQualifiedName() = "BN_free" }
 
-  override int getPointer() {
-    result = 0
-  }
+  override int getPointer() { result = 0 }
 }
 
 // void BN_clear_free(BIGNUM *a);
 class BN_clear_free extends CustomDeallocator {
-  BN_clear_free() {
-    this.getQualifiedName() = "BN_clear_free"
-  }
+  BN_clear_free() { this.getQualifiedName() = "BN_clear_free" }
 
-  override int getPointer() {
-    result = 0
-  }
+  override int getPointer() { result = 0 }
 }
 
 // void BN_clear(BIGNUM *a);
@@ -50,18 +44,92 @@ class BN_clear extends FunctionCall {
   Expr getBignum() { result = this.getArgument(0) }
 }
 
-//  int BN_rand(BIGNUM *rnd, int bits, int top, int bottom);
+//  int BN_rand(BIGNUM *rnd, int bits, int top, int bottom); (and variants)
+/// Reference: https://docs.openssl.org/master/man3/BN_rand/#synopsis
 class BN_rand extends FunctionCall {
-  BN_rand() { this.getTarget().getName() = "BN_rand" }
-
-  Expr getBignum() {
-    result = this.getArgument(0)
+  BN_rand() {
+    this.getTarget().getName().matches("BN\\_rand%") or
+    this.getTarget().getName().matches("BN\\_priv\\_rand%") or
+    this.getTarget().getName().matches("BN\\_pseudo\\_rand%")
   }
+
+  Expr getBignum() { result = this.getArgument(0) }
 }
 
 class BIGNUM extends FunctionCall {
-  BIGNUM () {
+  BIGNUM() {
     this.getTarget() instanceof BN_new or
     this.getTarget() instanceof BN_secure_new
   }
 }
+
+// BN_CTX *BN_CTX_new(void);
+class BN_CTX_new extends CustomAllocator {
+  BN_CTX_new() {
+    this.getName() = "BN_CTX_new" and
+    dealloc instanceof BN_CTX_free
+  }
+}
+
+// BN_CTX *BN_CTX_secure_new(void);
+class BN_CTX_secure_new extends CustomAllocator {
+  BN_CTX_secure_new() {
+    this.getName() = "BN_CTX_secure_new" and
+    dealloc instanceof BN_CTX_free
+  }
+}
+
+// void BN_CTX_free(BN_CTX *c);
+class BN_CTX_free extends CustomDeallocator {
+  BN_CTX_free() { this.getName() = "BN_CTX_free" }
+
+  override int getPointer() { result = 0 }
+}
+
+// void BN_CTX_start(BN_CTX *ctx);
+class BN_CTX_start extends Expr {
+  BN_CTX_start() {
+    exists(FunctionCall fc |
+      fc = this and
+      fc.getTarget().getName() = "BN_CTX_start"
+    )
+  }
+
+  Expr getContext() { result = this.(FunctionCall).getArgument(0) }
+}
+
+// void BN_CTX_end(BN_CTX *ctx);
+class BN_CTX_end extends Expr {
+  BN_CTX_end() {
+    exists(FunctionCall fc |
+      fc = this and
+      fc.getTarget().getName() = "BN_CTX_end"
+    )
+  }
+
+  Expr getContext() { result = this.(FunctionCall).getArgument(0) }
+}
+
+// BIGNUM *BN_CTX_get(BN_CTX *ctx);
+class BN_CTX_get extends Expr {
+  BN_CTX_get() {
+    exists(FunctionCall fc |
+      fc = this and
+      fc.getTarget().getName() = "BN_CTX_get"
+    )
+  }
+
+  Expr getContext() { result = this.(FunctionCall).getArgument(0) }
+}
+
+class BN_CTX extends Expr {
+  BN_CTX() {
+    exists(FunctionCall fc |
+      fc = this and
+      (
+        fc.getTarget() instanceof BN_CTX_new or
+        fc.getTarget() instanceof BN_CTX_secure_new
+      )
+    )
+  }
+}

cpp/src/crypto/BnCtxFreeBeforeEnd.ql

@@ -0,0 +1,55 @@
+/**
+ * @name BN_CTX_free called before BN_CTX_end
+ * @id tob/cpp/bn-ctx-free-before-end
+ * @description Detects BN_CTX_free called before BN_CTX_end, which violates the required lifecycle
+ * @kind path-problem
+ * @tags correctness crypto
+ * @problem.severity error
+ * @precision high
+ * @group cryptography
+ */
+
+import cpp
+import trailofbits.crypto.libraries
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.controlflow.ControlFlowGraph
+import DataFlow::PathGraph
+
+/**
+ * Tracks BN_CTX from BN_CTX_start to BN_CTX_free without going through BN_CTX_end
+ */
+module BnCtxFreeBeforeEndConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(BN_CTX_start start |
+      source.asExpr() = start.getContext()
+    )
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(CustomDeallocatorCall free |
+      free.getTarget() instanceof BN_CTX_free and
+      sink.asExpr() = free.getPointer()
+    )
+  }
+
+  predicate isBarrier(DataFlow::Node node) {
+    // If the context flows through BN_CTX_end, it's properly handled
+    exists(BN_CTX_end end |
+      node.asExpr() = end.getContext()
+    )
+  }
+}
+
+module BnCtxFreeBeforeEndFlow = DataFlow::Global<BnCtxFreeBeforeEndConfig>;
+
+from BnCtxFreeBeforeEndFlow::PathNode source, BnCtxFreeBeforeEndFlow::PathNode sink,
+     BN_CTX_start start, CustomDeallocatorCall free
+where
+  BnCtxFreeBeforeEndFlow::flowPath(source, sink) and
+  source.getNode().asExpr() = start.getContext() and
+  sink.getNode().asExpr() = free.getPointer() and
+  free.getTarget() instanceof BN_CTX_free
+select free, source, sink,
+  "BN_CTX_free called at line " + free.getLocation().getStartLine().toString() +
+  " before BN_CTX_end after BN_CTX_start at line " +
+  start.getLocation().getStartLine().toString()

cpp/src/crypto/MissingBnCtxEnd.ql

@@ -0,0 +1,29 @@
+/**
+ * @name Missing BN_CTX_end after BN_CTX_start
+ * @id tob/cpp/missing-bn-ctx-end
+ * @description Detects BN_CTX_start calls without corresponding BN_CTX_end calls
+ * @kind problem
+ * @tags correctness crypto
+ * @problem.severity warning
+ * @precision medium
+ * @group cryptography
+ */
+
+import cpp
+import trailofbits.crypto.libraries
+import semmle.code.cpp.dataflow.new.DataFlow
+import semmle.code.cpp.controlflow.Guards
+
+predicate hasMatchingEnd(BN_CTX_start start) {
+  exists(BN_CTX_end end, Function f |
+    start.getEnclosingFunction() = f and
+    end.getEnclosingFunction() = f and
+    DataFlow::localFlow(DataFlow::exprNode(start.getContext()),
+                        DataFlow::exprNode(end.getContext()))
+  )
+}
+
+from BN_CTX_start start
+where not hasMatchingEnd(start)
+select start.getLocation(),
+  "BN_CTX_start called without corresponding BN_CTX_end"

cpp/src/crypto/MissingZeroization.ql

@@ -13,14 +13,15 @@ import cpp
 import trailofbits.crypto.libraries
 import semmle.code.cpp.dataflow.new.DataFlow
 
-// TODO: Handle `BN_clear_free` as well.
 predicate isCleared(Expr bignum) {
   exists(BN_clear clear |
     DataFlow::localFlow(DataFlow::exprNode(bignum), DataFlow::exprNode(clear.getArgument(0)))
+  ) or
+  exists(BN_clear_free clear_free |
+    DataFlow::localFlow(DataFlow::exprNode(bignum), DataFlow::exprNode(clear_free.getArgument(0)))
   )
 }
 
-// TODO: Add support for remaining OpenSSL PRNG functions.
 predicate isRandom(Expr bignum) {
   exists(BN_rand rand |
     DataFlow::localFlow(DataFlow::exprNode(bignum), DataFlow::exprNode(rand.getArgument(0)))
@@ -29,4 +30,5 @@ predicate isRandom(Expr bignum) {
 
 from BIGNUM bignum
 where isRandom(bignum) and not isCleared(bignum)
-select bignum.getLocation(), "Bignum is initialized with random data but is not zeroized before it goes out of scope"
+select bignum.getLocation(),
+  "Bignum is initialized with random data but is not zeroized before it goes out of scope"