Commit 7c8177d

committed
Crypto: Added missing ArtifactPassthrough.qll (forgot to add to merged in branch). Acronym casing fix.
1 parent 73b3398 commit 7c8177d

2 files changed

+109
-2
lines changed

Lines changed: 107 additions & 0 deletions
@@ -0,0 +1,107 @@
1+
private import experimental.quantum.Language
2+
3+
/**
4+
* A call to `BN_bn2bin`.
5+
* Commonly used to extract partial bytes from a signature,
6+
* e.g., a signature from DSA_do_sign, passed to DSA_do_verify
7+
* - int BN_bn2bin(const BIGNUM *a, unsigned char *to);
8+
*/
9+
class BnBn2BinCalStep extends AdditionalFlowInputStep {
10+
Call call;
11+
12+
BnBn2BinCalStep() {
13+
call.getTarget().getName() = "BN_bn2bin" and
14+
call.getArgument(0) = this.asIndirectExpr()
15+
}
16+
17+
override DataFlow::Node getOutput() { result.asDefiningArgument() = call.getArgument(1) }
18+
}
19+
20+
/**
21+
* A call to `BN_bin2bn`.
22+
* Commonly used to convert to a signature for DSA_do_verify
23+
* - BIGNUM *BN_bin2bn(const unsigned char *s, int len, BIGNUM *ret);
24+
*/
25+
class BnBin2BnCallStep extends AdditionalFlowInputStep {
26+
Call call;
27+
28+
BnBin2BnCallStep() {
29+
call.getTarget().getName() = "BN_bin2bn" and
30+
call.getArgument(0) = this.asIndirectExpr()
31+
}
32+
33+
override DataFlow::Node getOutput() { result.asDefiningArgument() = call.getArgument(2) }
34+
}
35+
36+
/**
37+
* A call to `RSA_set0_key` or `DSA_SIG_set0`.
38+
* Often used in combination with BN_bin2bn, to construct a signature.
39+
*/
40+
class RsaSet0KeyCallStep extends AdditionalFlowInputStep {
41+
Call call;
42+
43+
RsaSet0KeyCallStep() {
44+
(call.getTarget().getName() = "RSA_set0_key" or call.getTarget().getName() = "DSA_SIG_set0") and
45+
this.asIndirectExpr() in [call.getArgument(1), call.getArgument(2), call.getArgument(3)]
46+
}
47+
48+
override DataFlow::Node getOutput() { result.asDefiningArgument() = call.getArgument(0) }
49+
}
50+
51+
/**
52+
* A call to `d2i_DSA_SIG`. This is a pass through of a signature of one form to another.
53+
* - DSA_SIG *d2i_DSA_SIG(DSA_SIG **sig, const unsigned char **pp, long length);
54+
*/
55+
class D2iDsaSigCallStep extends AdditionalFlowInputStep {
56+
Call call;
57+
58+
D2iDsaSigCallStep() {
59+
call.getTarget().getName() = "d2i_DSA_SIG" and
60+
this.asIndirectExpr() = call.getArgument(1)
61+
}
62+
63+
override DataFlow::Node getOutput() {
64+
// If arg 0 specified, the same pointer is returned, if not specified
65+
// a new allocation is returned.
66+
result.asDefiningArgument() = call.getArgument(0) or
67+
result.asIndirectExpr() = call
68+
}
69+
}
70+
71+
/**
72+
* A call to `DSA_SIG_get0`.
73+
* Converts a DSA_Sig into its components, which are commonly used with BN_bn2Bin to
74+
* construct a char* signature.
75+
* - void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
76+
*/
77+
class DsaSigGet0CallStep extends AdditionalFlowInputStep {
78+
Call call;
79+
80+
DsaSigGet0CallStep() {
81+
call.getTarget().getName() = "DSA_SIG_get0" and
82+
this.asIndirectExpr() = call.getArgument(0)
83+
}
84+
85+
override DataFlow::Node getOutput() {
86+
result.asDefiningArgument() = call.getArgument(1)
87+
or
88+
result.asDefiningArgument() = call.getArgument(2)
89+
}
90+
}
91+
92+
/**
93+
* A call to `EVP_PKEY_get1_RSA` or `EVP_PKEY_get1_DSA`
94+
* - RSA *EVP_PKEY_get1_RSA(EVP_PKEY *pkey);
95+
* - DSA *EVP_PKEY_get1_DSA(EVP_PKEY *pkey);
96+
* A key input is converted into a key output, a key is not generated.
97+
*/
98+
class EvpPkeyGet1RsaOrDsa extends AdditionalFlowInputStep {
99+
Call c;
100+
101+
EvpPkeyGet1RsaOrDsa() {
102+
c.getTarget().getName() = ["EVP_PKEY_get1_RSA", "EVP_PKEY_get1_DSA"] and
103+
this.asIndirectExpr() = c.getArgument(0)
104+
}
105+
106+
override DataFlow::Node getOutput() { result.asIndirectExpr() = c }
107+
}
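Review bot: `BnBin2BnCallStep.getOutput()` models only the `ret` argument (`call.getArgument(2)`), so the step is lost when `BN_bin2bn` is called with a NULL `ret` and the newly allocated BIGNUM is delivered through the return value, which OpenSSL documents as a supported form. `D2iDsaSigCallStep` in this same file already covers both the out-argument and the return value, and the same shape would fit here: `result.asDefiningArgument() = call.getArgument(2) or result.asIndirectExpr() = call`. Without it, signature or key material converted through the return value would presumably never reach the `DSA_SIG_set0`/`RSA_set0_key` steps, so the model would miss those flows without any warning. Separately, `BnBn2BinCalStep` looks like a typo for `BnBn2BinCallStep`, and the doc comment on `DsaSigGet0CallStep` spells the function `BN_bn2Bin` instead of `BN_bn2bin`.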

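--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/SignatureOperation.qll
@@ -533,8 +533,8 @@ class RsaSignorVerify extends SignatureFinalOperation {
 /**
 * A call to `DSA_do_sign` or `DSA_do_verify`
 */
-class DSADoSignOrVerify extends SignatureFinalOperation {
-DSADoSignOrVerify() { this.getTarget().getName() in ["DSA_do_sign", "DSA_do_verify"] }
+class DsaDoSignOrVerify extends SignatureFinalOperation {
+DsaDoSignOrVerify() { this.getTarget().getName() in ["DSA_do_sign", "DSA_do_verify"] }
 
 override DataFlow::Node getInput(IOType type) {
 result.asIndirectExpr() = this.getArgument(0) and type = PlaintextIO()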
