Crypto: Adding initial hash tests, and updating how hash alg consumers are tied to the operation to address a bug in the design, propagated the analgous change to ciphers.

bdrodes · bdrodes · commit c09b42a2e724 · 2025-05-22T16:11:46.000-04:00
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll
@@ -10,7 +10,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Cipher_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+    exists(EVP_Cipher_Operation c | c.getAlgorithmArg() = sink.asExpr())
   }
 }
 
@@ -32,6 +32,8 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu
 abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
+  Expr getAlgorithmArg() { this.getInitCall().getAlgorithmArg() = result }
+
   override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 
   override Crypto::KeyOperationSubtype getKeyOperationSubtype() {
diff --git a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll
@@ -12,6 +12,8 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgor
 abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {
   Expr getContextArg() { result = this.(Call).getArgument(0) }
 
+  Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }
+
   EVP_Hash_Initializer getInitCall() {
     CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())
   }
@@ -23,7 +25,7 @@ abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperatio
    */
   override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
     AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))
+      DataFlow::exprNode(this.getAlgorithmArg()))
   }
 }
 
@@ -33,7 +35,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   }
 
   predicate isSink(DataFlow::Node sink) {
-    exists(EVP_Hash_Operation c | c.getInitCall().getAlgorithmArg() = sink.asExpr())
+    exists(EVP_Hash_Operation c | c.getAlgorithmArg() = sink.asExpr())
   }
 }
 
@@ -64,6 +66,8 @@ class EVP_Q_Digest_Operation extends EVP_Hash_Operation {
     // simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest
     this = result
   }
+
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }
 }
 
 class EVP_Digest_Operation extends EVP_Hash_Operation {
@@ -72,17 +76,14 @@ class EVP_Digest_Operation extends EVP_Hash_Operation {
   // There is no context argument for this function
   override Expr getContextArg() { none() }
 
-  override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
-    AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),
-      DataFlow::exprNode(this.(Call).getArgument(4)))
-  }
-
   override EVP_Hash_Initializer getInitCall() {
     // This variant of digest does not use an init
     // and even if it were used, the init would be ignored/undefined
     none()
   }
 
+  override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }
+
   override Expr getOutputArg() { result = this.(Call).getArgument(2) }
 
   override Expr getInputArg() { result = this.(Call).getArgument(0) }
diff --git a/cpp/ql/test/library-tests/quantum/openssl/hash_input_sources.expected b/cpp/ql/test/library-tests/quantum/openssl/hash_input_sources.expected
@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:120:37:120:43 | Message | openssl_basic.c:181:49:181:87 | Constant |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:24:144:30 | Message | openssl_basic.c:181:49:181:87 | Constant |
diff --git a/cpp/ql/test/library-tests/quantum/openssl/hash_input_sources.ql b/cpp/ql/test/library-tests/quantum/openssl/hash_input_sources.ql
@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n, Crypto::MessageArtifactNode m
+where n.getInputArtifact() = m
+select n, m, m.getSourceNode()
diff --git a/cpp/ql/test/library-tests/quantum/openssl/hash_operations.expected b/cpp/ql/test/library-tests/quantum/openssl/hash_operations.expected
@@ -0,0 +1,2 @@
+| openssl_basic.c:124:13:124:30 | HashOperation | openssl_basic.c:124:13:124:30 | Digest | openssl_basic.c:116:38:116:47 | HashAlgorithm | openssl_basic.c:120:37:120:43 | Message |
+| openssl_basic.c:144:13:144:22 | HashOperation | openssl_basic.c:144:13:144:22 | Digest | openssl_basic.c:144:67:144:73 | HashAlgorithm | openssl_basic.c:144:24:144:30 | Message |
diff --git a/cpp/ql/test/library-tests/quantum/openssl/hash_operations.ql b/cpp/ql/test/library-tests/quantum/openssl/hash_operations.ql
@@ -0,0 +1,5 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::HashOperationNode n
+select n, n.getDigest(), n.getAnAlgorithmOrGenericSource(), n.getInputArtifact()

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {`
`10`	`10`	`}`
`11`	`11`
`12`	`12`	`predicate isSink(DataFlow::Node sink) {`
`13`		`- exists(EVP_Cipher_Operation c \| c.getInitCall().getAlgorithmArg() = sink.asExpr())`
	`13`	`+ exists(EVP_Cipher_Operation c \| c.getAlgorithmArg() = sink.asExpr())`
`14`	`14`	`}`
`15`	`15`	`}`
`16`	`16`
`@@ -32,6 +32,8 @@ private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsu`
`32`	`32`	`abstract class EVP_Cipher_Operation extends OpenSSLOperation, Crypto::KeyOperationInstance {`
`33`	`33`	`Expr getContextArg() { result = this.(Call).getArgument(0) }`
`34`	`34`
	`35`	`+ Expr getAlgorithmArg() { this.getInitCall().getAlgorithmArg() = result }`
	`36`	`+`
`35`	`37`	`override Expr getOutputArg() { result = this.(Call).getArgument(1) }`
`36`	`38`
`37`	`39`	`override Crypto::KeyOperationSubtype getKeyOperationSubtype() {`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,8 @@ private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgor`
`12`	`12`	`abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperationInstance {`
`13`	`13`	`Expr getContextArg() { result = this.(Call).getArgument(0) }`
`14`	`14`
	`15`	`+ Expr getAlgorithmArg() { result = this.getInitCall().getAlgorithmArg() }`
	`16`	`+`
`15`	`17`	`EVP_Hash_Initializer getInitCall() {`
`16`	`18`	`CTXFlow::ctxArgFlowsToCtxArg(result.getContextArg(), this.getContextArg())`
`17`	`19`	`}`
`@@ -23,7 +25,7 @@ abstract class EVP_Hash_Operation extends OpenSSLOperation, Crypto::HashOperatio`
`23`	`25`	`*/`
`24`	`26`	`override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {`
`25`	`27`	`AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),`
`26`		`- DataFlow::exprNode(this.getInitCall().getAlgorithmArg()))`
	`28`	`+ DataFlow::exprNode(this.getAlgorithmArg()))`
`27`	`29`	`}`
`28`	`30`	`}`
`29`	`31`
`@@ -33,7 +35,7 @@ private module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {`
`33`	`35`	`}`
`34`	`36`
`35`	`37`	`predicate isSink(DataFlow::Node sink) {`
`36`		`- exists(EVP_Hash_Operation c \| c.getInitCall().getAlgorithmArg() = sink.asExpr())`
	`38`	`+ exists(EVP_Hash_Operation c \| c.getAlgorithmArg() = sink.asExpr())`
`37`	`39`	`}`
`38`	`40`	`}`
`39`	`41`
`@@ -64,6 +66,8 @@ class EVP_Q_Digest_Operation extends EVP_Hash_Operation {`
`64`	`66`	`// simply return 'this', see modeled hash algorithm consuers for EVP_Q_Digest`
`65`	`67`	`this = result`
`66`	`68`	`}`
	`69`	`+`
	`70`	`+ override Expr getAlgorithmArg() { result = this.(Call).getArgument(1) }`
`67`	`71`	`}`
`68`	`72`
`69`	`73`	`class EVP_Digest_Operation extends EVP_Hash_Operation {`
`@@ -72,17 +76,14 @@ class EVP_Digest_Operation extends EVP_Hash_Operation {`
`72`	`76`	`// There is no context argument for this function`
`73`	`77`	`override Expr getContextArg() { none() }`
`74`	`78`
`75`		`- override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {`
`76`		`- AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),`
`77`		`- DataFlow::exprNode(this.(Call).getArgument(4)))`
`78`		`- }`
`79`		`-`
`80`	`79`	`override EVP_Hash_Initializer getInitCall() {`
`81`	`80`	`// This variant of digest does not use an init`
`82`	`81`	`// and even if it were used, the init would be ignored/undefined`
`83`	`82`	`none()`
`84`	`83`	`}`
`85`	`84`
	`85`	`+ override Expr getAlgorithmArg() { result = this.(Call).getArgument(4) }`
	`86`	`+`
`86`	`87`	`override Expr getOutputArg() { result = this.(Call).getArgument(2) }`
`87`	`88`
`88`	`89`	`override Expr getInputArg() { result = this.(Call).getArgument(0) }`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,2 @@`
	`1`	`+\| openssl_basic.c:124:13:124:30 \| HashOperation \| openssl_basic.c:120:37:120:43 \| Message \| openssl_basic.c:181:49:181:87 \| Constant \|`
	`2`	`+\| openssl_basic.c:144:13:144:22 \| HashOperation \| openssl_basic.c:144:24:144:30 \| Message \| openssl_basic.c:181:49:181:87 \| Constant \|`