Resolving hash and cipher types for openssl not using literals but KnownOpenSSLAlgorithmConstant.

bdrodes · bdrodes · commit ae574f7cf2b6 · 2025-03-11T13:35:02.000-04:00
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll
@@ -9,9 +9,9 @@ import OpenSSLAlgorithmGetter
  * If the literal does not represent any known cipher algorithm,
  * this predicate will not hold (i.e., it will not bind an unknown to an unknown cipher type)
  */
-predicate literalToCipherFamilyType(Literal e, Crypto::TCipherType type) {
-  exists(string name, string algType | algType.toLowerCase().matches("%encryption") |
-    resolveAlgorithmFromLiteral(e, name, algType) and
+predicate knownOpenSSLConstantToCipherFamilyType(KnownOpenSSLAlgorithmConstant e, Crypto::TCipherType type) {
+  exists(string name | e.getAlgType().toLowerCase().matches("%encryption") |
+    name = e.getNormalizedName() and
     (
       name.matches("AES%") and type instanceof Crypto::AES
       or
@@ -97,5 +97,9 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends Crypto::CipherAlgorith
 
   override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
-  override Crypto::TCipherType getCipherFamily() { literalToCipherFamilyType(this, result) }
-}
+  override Crypto::TCipherType getCipherFamily() { 
+    knownOpenSSLConstantToCipherFamilyType(this, result) 
+    or
+    not knownOpenSSLConstantToCipherFamilyType(this, _) and result = Crypto::OtherCipherType()
+  }
+}
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPHashAlgorithmSource.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/EVPHashAlgorithmSource.qll
@@ -2,9 +2,9 @@ import cpp
 import experimental.Quantum.Language
 import OpenSSLAlgorithmGetter
 
-predicate literalToHashFamilyType(Literal e, Crypto::THashType type) {
-  exists(string name, string algType | algType.toLowerCase().matches("hash") |
-    resolveAlgorithmFromLiteral(e, name, algType) and
+predicate knownOpenSSLConstantToHashFamilyType(KnownOpenSSLAlgorithmConstant e, Crypto::THashType type) {
+  exists(string name | e.getAlgType().toLowerCase().matches("hash") |
+    name = e.getNormalizedName() and
     (
       name.matches("BLAKE2B") and type instanceof Crypto::BLAKE2B
       or
@@ -70,7 +70,10 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends Crypto::HashAlgorithmIns
     AlgGetterToAlgConsumerFlow::flow(getterCall.getResultNode(), DataFlow::exprNode(result))
   }
 
-  override Crypto::THashType getHashFamily() { literalToHashFamilyType(this, result) }
+  override Crypto::THashType getHashFamily() { 
+    knownOpenSSLConstantToHashFamilyType(this, result) or
+    not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
+  }
 
   override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
