Completed tying algorithm instances to consumers. Now the model should have known literals for cipher instances, and it traces those instances to consumers (inits) and those inits are traced to cipher operations.

Author: bdrodes

cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll

@@ -52,11 +52,13 @@ predicate literalToCipherFamilyType(Literal e, Crypto::TCipherType type) {
   )
 }
 
+
 class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorithmInstance instanceof Literal
 {
+  OpenSSLAlgorithmGetterCall cipherGetterCall;
   CipherKnownAlgorithmLiteralAlgorithmInstance() {
-    exists(EVPCipherGetterCall c, DataFlow::Node src, DataFlow::Node sink |
-      sink = c.getValueArgNode() and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      sink = cipherGetterCall.getValueArgNode() and
       src.asExpr() = this and
       KnownAlgorithmLiteralToAlgorithmGetterFlow::flow(src, sink) and
       // Not just any known value, but specifically a known cipher operation
@@ -67,7 +69,9 @@ class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorit
     )
   }
 
-  Crypto::AlgorithmConsumer getConsumer() { none() } //result = consumer }
+  Crypto::AlgorithmConsumer getConsumer() { 
+    AlgGetterToAlgConsumerFlow::flow(cipherGetterCall.getResultNode(), DataFlow::exprNode(result))
+  } 
 
   override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
     none() // TODO: provider defaults

cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSLAlgorithmGetter.qll

@@ -2,6 +2,19 @@ import cpp
 import semmle.code.cpp.dataflow.new.DataFlow
 import LibraryDetector
 import OpenSSLKnownAlgorithmConstants
+import experimental.Quantum.Language
+
+module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    exists(OpenSSLAlgorithmGetterCall c | c.getResultNode() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Crypto::AlgorithmConsumer c | c.getInputNode() = sink)
+  }
+}
+
+module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;
 
 abstract class AlgorithmPassthroughCall extends Call {
   abstract DataFlow::Node getInNode();
@@ -116,14 +129,7 @@ abstract class OpenSSLAlgorithmGetterCall extends Call {
 }
 
 module KnownAlgorithmLiteralToAlgorithmGetterConfig implements DataFlow::ConfigSig {
-  predicate isSource(DataFlow::Node source) {
-    (
-      source.asExpr() instanceof Literal and
-      // 0 sources, for nid are unknown, and 0 otherwise represents a null assignment (ignore as unknown)
-      exists(source.asExpr().(Literal).getValue().toInt()) implies source.asExpr().(Literal).getValue().toInt() != 0
-      //resolveAlgorithmFromLiteral(source.asExpr(),_,_)
-    )
-  }
+  predicate isSource(DataFlow::Node source) { resolveAlgorithmFromLiteral(source.asExpr(), _, _) }
 
   predicate isSink(DataFlow::Node sink) {
     exists(OpenSSLAlgorithmGetterCall c | c.getValueArgNode() = sink)