codeql/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll at 5334e907170ec18ef4b2a538dea4dbf55d8d3a47 · nicolaswill/codeql · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
import cpp
import experimental.quantum.Language
import OpenSSLAlgorithmInstanceBase
import experimental.quantum.OpenSSL.AlgorithmInstances.KnownAlgorithmConstants
import experimental.quantum.OpenSSL.AlgorithmValueConsumers.DirectAlgorithmValueConsumer
import AlgToAVCFlow

/**
 * Given a `KnownOpenSSLBlockModeAlgorithmConstant`, converts this to a block family type.
 * Does not bind if there is know mapping (no mapping to 'unknown' or 'other').
 */
predicate knownOpenSSLConstantToBlockModeFamilyType(
  KnownOpenSSLBlockModeAlgorithmConstant e, Crypto::TBlockCipherModeOfOperationType type
) {
  exists(string name |
    name = e.getNormalizedName() and
    (
      name.matches("CBC") and type instanceof Crypto::CBC
      or
      name.matches("CFB%") and type instanceof Crypto::CFB
      or
      name.matches("CTR") and type instanceof Crypto::CTR
      or
      name.matches("GCM") and type instanceof Crypto::GCM
      or
      name.matches("OFB") and type instanceof Crypto::OFB
      or
      name.matches("XTS") and type instanceof Crypto::XTS
      or
      name.matches("CCM") and type instanceof Crypto::CCM
      or
      name.matches("GCM") and type instanceof Crypto::GCM
      or
      name.matches("CCM") and type instanceof Crypto::CCM
      or
      name.matches("ECB") and type instanceof Crypto::ECB
    )
  )
}

class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
  Crypto::ModeOfOperationAlgorithmInstance instanceof KnownOpenSSLBlockModeAlgorithmConstant
{
  OpenSSLAlgorithmValueConsumer getterCall;

  KnownOpenSSLBlockModeConstantAlgorithmInstance() {
    // Two possibilities:
    // 1) The source is a literal and flows to a getter, then we know we have an instance
    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
    // Possibility 1:
    this instanceof Literal and
    exists(DataFlow::Node src, DataFlow::Node sink |
      // Sink is an argument to a CipherGetterCall
      sink = getterCall.(OpenSSLAlgorithmValueConsumer).getInputNode() and
      // Source is `this`
      src.asExpr() = this and
      // This traces to a getter
      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
    )
    or
    // Possibility 2:
    this instanceof DirectAlgorithmValueConsumer and getterCall = this
  }

  override Crypto::TBlockCipherModeOfOperationType getModeType() {
    knownOpenSSLConstantToBlockModeFamilyType(this, result)
    or
    not knownOpenSSLConstantToBlockModeFamilyType(this, _) and result = Crypto::OtherMode()
  }

  // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
  // the same as the raw name for now.
  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }

  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
}