
Commit 48dc280

committed
Crypto: Fix issue with OAEP padding edges regressing.
1 parent 5d29240 commit 48dc280


2 files changed

+15
-11
lines changed


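--- a/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/HashAlgorithmValueConsumer.qll
@@ -13,7 +13,7 @@ class Evp_Q_Digest_Algorithm_Consumer extends HashAlgorithmValueConsumer {
 Evp_Q_Digest_Algorithm_Consumer() { this.(Call).getTarget().getName() = "EVP_Q_digest" }
 
 override Crypto::ConsumerInputDataFlowNode getInputNode() {
-result.asExpr() = this.(Call).getArgument(1)
+result.asIndirectExpr() = this.(Call).getArgument(1)
 }
 
 override Crypto::AlgorithmInstance getAKnownAlgorithmSource() {
@@ -42,7 +42,7 @@ class EvpPkeySetCtxALgorithmConsumer extends HashAlgorithmValueConsumer {
 "EVP_PKEY_CTX_set_rsa_mgf1_md_name", "EVP_PKEY_CTX_set_rsa_oaep_md_name",
 "EVP_PKEY_CTX_set_dsa_paramgen_md_props"
 ] and
-valueArgNode.asExpr() = this.(Call).getArgument(1)
+valueArgNode.asIndirectExpr() = this.(Call).getArgument(1)
 }
 
 override DataFlow::Node getResultNode() { none() }
@@ -69,13 +69,13 @@ class EvpDigestAlgorithmValueConsumer extends HashAlgorithmValueConsumer {
 this.(Call).getTarget().getName() in [
 "EVP_get_digestbyname", "EVP_get_digestbynid", "EVP_get_digestbyobj"
 ] and
-valueArgNode.asExpr() = this.(Call).getArgument(0)
+valueArgNode.asIndirectExpr() = this.(Call).getArgument(0)
 or
 this.(Call).getTarget().getName() = "EVP_MD_fetch" and
-valueArgNode.asExpr() = this.(Call).getArgument(1)
+valueArgNode.asIndirectExpr() = this.(Call).getArgument(1)
 or
 this.(Call).getTarget().getName() = "EVP_DigestSignInit_ex" and
-valueArgNode.asExpr() = this.(Call).getArgument(2)
+valueArgNode.asIndirectExpr() = this.(Call).getArgument(2)
 )
 }
 
@@ -93,6 +93,7 @@ class RsaSignOrVerifyHashAlgorithmValueConsumer extends HashAlgorithmValueConsum
 
 RsaSignOrVerifyHashAlgorithmValueConsumer() {
 this.(Call).getTarget().getName() in ["RSA_sign", "RSA_verify"] and
+// arg 0 is an int, use asExpr
 valueArgNode.asExpr() = this.(Call).getArgument(0)
 }
 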
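Review bot: In `EvpDigestAlgorithmValueConsumer` (new line 72) argument 0 is now matched with `asIndirectExpr()` for all three of `EVP_get_digestbyname`, `EVP_get_digestbynid` and `EVP_get_digestbyobj`, but the NID variant takes an integer identifier rather than a pointer. By the reasoning this commit records at `RSA_sign` (`// arg 0 is an int, use asExpr`), an int argument has no indirection node, so NID-based digest lookups would presumably lose their input node and drop out of the hash-algorithm inventory without any error. Consider giving it its own disjunct, `this.(Call).getTarget().getName() = "EVP_get_digestbynid" and valueArgNode.asExpr() = this.(Call).getArgument(0)`, and confirm the argument type against the OpenSSL declarations the tests use. The enclosing characteristic predicate starts outside the hunk.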

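--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPPKeyCtxInitializer.qll
@@ -106,14 +106,14 @@ class EvpCtxSetHashInitializer extends OperationStep {
 override DataFlow::Node getInput(IOType type) {
 result.asIndirectExpr() = this.getArgument(0) and type = ContextIO()
 or
-result.asExpr() = this.getArgument(1) and
+result.asIndirectExpr() = this.getArgument(1) and
 type = HashAlgorithmIO() and
 isOaep = false and
 isMgf1 = false
 or
-result.asExpr() = this.getArgument(1) and type = HashAlgorithmOaepIO() and isOaep = true
+result.asIndirectExpr() = this.getArgument(1) and type = HashAlgorithmOaepIO() and isOaep = true
 or
-result.asExpr() = this.getArgument(1) and type = HashAlgorithmMgf1IO() and isMgf1 = true
+result.asIndirectExpr() = this.getArgument(1) and type = HashAlgorithmMgf1IO() and isMgf1 = true
 }
 
 override DataFlow::Node getOutput(IOType type) {
@@ -157,7 +157,7 @@ class EvpCtxSetMacKeyInitializer extends OperationStep {
 result.asExpr() = this.getArgument(2) and type = KeySizeIO()
 or
 // the raw key that is configured into the output key
-result.asExpr() = this.getArgument(1) and type = KeyIO()
+result.asIndirectExpr() = this.getArgument(1) and type = KeyIO()
 }
 
 override DataFlow::Node getOutput(IOType type) {
@@ -175,6 +175,7 @@ class EvpCtxSetPaddingInitializer extends OperationStep {
 override DataFlow::Node getInput(IOType type) {
 result.asIndirectExpr() = this.getArgument(0) and type = ContextIO()
 or
+// The algorithm is an int: use asExpr
 result.asExpr() = this.getArgument(1) and type = PaddingAlgorithmIO()
 }
 
@@ -211,11 +212,13 @@ class EvpCtxSetSaltLengthInitializer extends OperationStep {
 class EvpPkeyGet1RsaOrDsa extends OperationStep {
 EvpPkeyGet1RsaOrDsa() { this.getTarget().getName() = ["EVP_PKEY_get1_RSA", "EVP_PKEY_get1_DSA"] }
 
-override DataFlow::Node getOutput(IOType type) { result.asExpr() = this and type = KeyIO() }
+override DataFlow::Node getOutput(IOType type) {
+result.asIndirectExpr() = this and type = KeyIO()
+}
 
 override DataFlow::Node getInput(IOType type) {
 // Key being loaded or created from another location
-result.asExpr() = this.getArgument(0) and type = KeyIO()
+result.asIndirectExpr() = this.getArgument(0) and type = KeyIO()
 }
 
 /**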
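Review bot: The switch to `asIndirectExpr()` on `getArgument(1)` in `EvpCtxSetHashInitializer.getInput` (new lines 109–116) appears to work only while the consumer side in HashAlgorithmValueConsumer.qll picks the same node kind for the same argument, and nothing in this file records that coupling. If the two drift apart again, the OAEP and MGF1 hash edges would presumably disappear silently, which surfaces as missing results rather than as a failure. A comment above the first changed branch such as `// pointer argument: use asIndirectExpr, matching the hash algorithm value consumer for these calls` would document it, in the style of the `// The algorithm is an int: use asExpr` comment added at new line 178. Both changed files are library code, so a test case that pins the OAEP and MGF1 hash inputs would be worth adding alongside.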
