Misc updates for OpenSSL modeling to trace algorithm literals to known alg getters, and converting the literal to a TCipherType.

Author: bdrodes

cpp/ql/lib/experimental/Quantum/Language.qll

@@ -49,19 +49,19 @@ module GenericDataSourceUniversalFlowConfig implements DataFlow::ConfigSig {
 
 
 
-// TODO: I think this will be inefficient, no?
-class ConstantDataSource extends Crypto::GenericConstantOrAllocationSource instanceof Literal {
-  override DataFlow::Node getOutputNode() { 
-    result.asExpr() = this 
-  }
+// // TODO: I think this will be inefficient, no?
+// class ConstantDataSource extends Crypto::GenericConstantOrAllocationSource instanceof Literal {
+//   override DataFlow::Node getOutputNode() { 
+//     result.asExpr() = this 
+//   }
 
-  override predicate flowsTo(Crypto::FlowAwareElement other) {
-    // TODO: separate config to avoid blowing up data-flow analysis
-    GenericDataSourceUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
-  }
+//   override predicate flowsTo(Crypto::FlowAwareElement other) {
+//     // TODO: separate config to avoid blowing up data-flow analysis
+//     GenericDataSourceUniversalFlow::flow(this.getOutputNode(), other.getInputNode())
+//   }
 
-  override string getAdditionalDescription() { result = this.toString() }
-}
+//   override string getAdditionalDescription() { result = this.toString() }
+// }
 
 /**
  * Definitions of various generic data sources

cpp/ql/lib/experimental/Quantum/OpenSSL/CtxFlow.qll

@@ -8,17 +8,14 @@ class CTXType extends Type {
 }
 
 class CTXPointerExpr extends Expr {
-    CTXPointerExpr() {
-        this.getType() instanceof CTXType and
-        this.getType() instanceof PointerType
+  CTXPointerExpr() {
+    this.getType() instanceof CTXType and
+    this.getType() instanceof PointerType
   }
 }
 
 class CTXPointerArgument extends CTXPointerExpr {
-  CTXPointerArgument() {
-    
-    exists(Call c | c.getAnArgument() = this)
-  }
+  CTXPointerArgument() { exists(Call c | c.getAnArgument() = this) }
 
   Call getCall() { result.getAnArgument() = this }
 }
@@ -31,14 +28,14 @@ class CTXClearCall extends Call {
 }
 
 class CTXCopyOutArgCall extends Call {
-    CTXCopyOutArgCall() {
+  CTXCopyOutArgCall() {
     this.getTarget().getName().toLowerCase().matches(["%copy%"]) and
     this.getAnArgument() instanceof CTXPointerArgument
   }
 }
 
 class CTXCopyReturnCall extends Call {
-    CTXCopyReturnCall() {
+  CTXCopyReturnCall() {
     this.getTarget().getName().toLowerCase().matches(["%dup%"]) and
     this.getAnArgument() instanceof CTXPointerArgument and
     this instanceof CTXPointerExpr

cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherAlgorithmSource.qll

@@ -0,0 +1,148 @@
+import cpp
+import experimental.Quantum.Language
+import EVPCipherConsumers
+import OpenSSLAlgorithmGetter
+
+predicate literalToCipherFamilyType(Literal e, Crypto::TCipherType type) {
+  exists(string name, string algType | algType.toLowerCase().matches("%encryption") |
+    resolveAlgorithmFromLiteral(e, name, algType) and
+    (
+      name.matches("AES%") and type instanceof Crypto::AES
+      or
+      name.matches("ARIA") and type instanceof Crypto::ARIA
+      or
+      name.matches("BLOWFISH") and type instanceof Crypto::BLOWFISH
+      or
+      name.matches("BF") and type instanceof Crypto::BLOWFISH
+      or
+      name.matches("CAMELLIA%") and type instanceof Crypto::CAMELLIA
+      or
+      name.matches("CHACHA20") and type instanceof Crypto::CHACHA20
+      or
+      name.matches("CAST5") and type instanceof Crypto::CAST5
+      or
+      name.matches("2DES") and type instanceof Crypto::DOUBLEDES
+      or
+      name.matches(["3DES", "TRIPLEDES"]) and type instanceof Crypto::TRIPLEDES
+      or
+      name.matches("DES") and type instanceof Crypto::DES
+      or
+      name.matches("DESX") and type instanceof Crypto::DESX
+      or
+      name.matches("GOST%") and type instanceof Crypto::GOST
+      or
+      name.matches("IDEA") and type instanceof Crypto::IDEA
+      or
+      name.matches("KUZNYECHIK") and type instanceof Crypto::KUZNYECHIK
+      or
+      name.matches("MAGMA") and type instanceof Crypto::MAGMA
+      or
+      name.matches("RC2") and type instanceof Crypto::RC2
+      or
+      name.matches("RC4") and type instanceof Crypto::RC4
+      or
+      name.matches("RC5") and type instanceof Crypto::RC5
+      or
+      name.matches("RSA") and type instanceof Crypto::RSA
+      or
+      name.matches("SEED") and type instanceof Crypto::SEED
+      or
+      name.matches("SM4") and type instanceof Crypto::SM4
+    )
+  )
+}
+
+class CipherKnownAlgorithmLiteralAlgorithmInstance extends Crypto::CipherAlgorithmInstance instanceof Literal
+{
+  CipherKnownAlgorithmLiteralAlgorithmInstance() {
+    exists(EVPCipherGetterCall c, DataFlow::Node src, DataFlow::Node sink |
+      sink = c.getValueArgNode() and
+      src.asExpr() = this and
+      KnownAlgorithmLiteralToAlgorithmGetterFlow::flow(src, sink) and
+      // Not just any known value, but specifically a known cipher operation
+      exists(string algType |
+        resolveAlgorithmFromLiteral(src.asExpr(), _, algType) and
+        algType.toLowerCase().matches("%encryption")
+      )
+    )
+  }
+
+  Crypto::AlgorithmConsumer getConsumer() { none() } //result = consumer }
+
+  override Crypto::ModeOfOperationAlgorithmInstance getModeOfOperationAlgorithm() {
+    none() // TODO: provider defaults
+  }
+
+  override Crypto::PaddingAlgorithmInstance getPaddingAlgorithm() { none() }
+
+  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
+
+  override Crypto::TCipherType getCipherFamily() { literalToCipherFamilyType(this, result) }
+}
+//     override Crypto::TCipherType getCipherFamily() {
+//       if this.cipherNameMappingKnown(_, super.getAlgorithmName())
+//       then this.cipherNameMappingKnown(result, super.getAlgorithmName())
+//       else result instanceof Crypto::OtherCipherType
+//     }
+//     bindingset[name]
+//     private predicate cipherNameMappingKnown(Crypto::TCipherType type, string name) {
+//       name = "AES" and
+//       type instanceof Crypto::AES
+//       or
+//       name = "DES" and
+//       type instanceof Crypto::DES
+//       or
+//       name = "TripleDES" and
+//       type instanceof Crypto::TripleDES
+//       or
+//       name = "IDEA" and
+//       type instanceof Crypto::IDEA
+//       or
+//       name = "CAST5" and
+//       type instanceof Crypto::CAST5
+//       or
+//       name = "ChaCha20" and
+//       type instanceof Crypto::ChaCha20
+//       or
+//       name = "RC4" and
+//       type instanceof Crypto::RC4
+//       or
+//       name = "RC5" and
+//       type instanceof Crypto::RC5
+//       or
+//       name = "RSA" and
+//       type instanceof Crypto::RSA
+//     }
+//     private predicate modeToNameMappingKnown(Crypto::TBlockCipherModeOperationType type, string name) {
+//       type instanceof Crypto::ECB and name = "ECB"
+//       or
+//       type instanceof Crypto::CBC and name = "CBC"
+//       or
+//       type instanceof Crypto::GCM and name = "GCM"
+//       or
+//       type instanceof Crypto::CTR and name = "CTR"
+//       or
+//       type instanceof Crypto::XTS and name = "XTS"
+//       or
+//       type instanceof Crypto::CCM and name = "CCM"
+//       or
+//       type instanceof Crypto::SIV and name = "SIV"
+//       or
+//       type instanceof Crypto::OCB and name = "OCB"
+//     }
+//     override Crypto::TBlockCipherModeOperationType getModeType() {
+//       if this.modeToNameMappingKnown(_, super.getMode())
+//       then this.modeToNameMappingKnown(result, super.getMode())
+//       else result instanceof Crypto::OtherMode
+//     }
+//     override string getRawModeAlgorithmName() { result = super.getMode() }
+//     override string getRawPaddingAlgorithmName() { result = super.getPadding() }
+//     bindingset[name]
+//     private predicate paddingToNameMappingKnown(Crypto::TPaddingType type, string name) {
+//       type instanceof Crypto::NoPadding and name = "NOPADDING"
+//       or
+//       type instanceof Crypto::PKCS7 and name = ["PKCS5Padding", "PKCS7Padding"] // TODO: misnomer in the JCA?
+//       or
+//       type instanceof Crypto::OAEP and name.matches("OAEP%") // TODO: handle OAEPWith%
+//     }
+//   }

cpp/ql/lib/experimental/Quantum/OpenSSL/EVPCipherConsumers.qll

@@ -1,14 +1,14 @@
 import EVPCipherInitializer
 import EVPCipherOperation
-import AlgorithmSource
+import EVPCipherAlgorithmSource
 
 
 class EVP_Cipher_Initializer_Algorithm_Consumer extends Crypto::AlgorithmConsumer instanceof EVPCipherInitializerAlgorithmArgument
 { 
     override DataFlow::Node getInputNode() { result.asExpr() = this }
 
     override Crypto::AlgorithmElement getAKnownAlgorithmSource() {
-        result.(CipherLiteralAlgorithmInstance).getConsumer() = this
+        result.(CipherKnownAlgorithmLiteralAlgorithmInstance).getConsumer() = this
       }
 }
 // //TODO: need a key consumer

cpp/ql/lib/experimental/Quantum/OpenSSL/LibraryDetector.qll

@@ -0,0 +1,10 @@
+import cpp
+
+predicate isPossibleOpenSSLFunction(Function f) {
+    isPossibleOpenSSLLocation(f.getADeclarationLocation())
+  }
+
+predicate isPossibleOpenSSLLocation(Location l){
+    l.toString().toLowerCase().matches("%openssl%")
+}
+