Crypto: Misc. cleanup and completed model refactor for Mac. Passing tests for openssl, refactor still required for JCA.

Author: bdrodes

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll

@@ -127,7 +127,6 @@ class IOType extends TIOType {
   }
 }
 
-//TODO: add more initializers as needed
 /**
  * The type of step in an `OperationStep`.
  * - `ContextCreationStep`: the creation of a context from an algorithm or key.
@@ -249,8 +248,10 @@ abstract class OperationStep extends Call {
 
   /**
    * Gets an AVC for the primary algorithm for this operation.
-   * A primary algorithm is an AVC that flows to a ctx input directly or
-   * an AVC that flows to a primary algorithm input directly.
+   * A primary algorithm is an AVC that either:
+   * 1) flows to a ctx input directly or
+   * 2) flows to a primary algorithm input directly
+   * 3) flows to a key input directly (algorithm held in a key will be considered primary)
    * See `AvcContextCreationStep` for details about resetting scenarios.
    * Gets the first OperationStep an AVC flows to. If a context input,
    * the AVC is considered primary.
@@ -259,15 +260,16 @@ abstract class OperationStep extends Call {
    */
   Crypto::AlgorithmValueConsumer getPrimaryAlgorithmValueConsumer() {
     exists(DataFlow::Node src, DataFlow::Node sink, IOType t, OperationStep avcConsumingPred |
-      (t = PrimaryAlgorithmIO() or t = ContextIO()) and
+      (t = PrimaryAlgorithmIO() or t = ContextIO() or t = KeyIO()) and
       avcConsumingPred.flowsToOperationStep(this) and
       src.asExpr() = result and
       sink = avcConsumingPred.getInput(t) and
       AvcToOperationStepFlow::flow(src, sink) and
       (
-        // Case 1: the avcConsumingPred step is a dominating initialization step
-        t = PrimaryAlgorithmIO() and
-        avcConsumingPred = this.getDominatingInitializersToStep(PrimaryAlgorithmIO())
+        // Case 1: the avcConsumingPred step is a dominating primary algorithm initialization step
+        // or dominating key initialization step
+        (t = PrimaryAlgorithmIO() or t = KeyIO()) and
+        avcConsumingPred = this.getDominatingInitializersToStep(t)
         or
         // Case 2: the pred is a context input
         t = ContextIO()
@@ -393,7 +395,9 @@ private class CtxCopyReturnCall extends CtxPassThroughCall, CtxPointerExpr {
   override DataFlow::Node getNode2() { result.asExpr() = this }
 }
 
-// TODO: is this still needed?
+// TODO: is this still needed? It appears to be (tests fail without it) but
+// I don't know why as EVP_PKEY_paramgen is an operation step and we pass through
+// operation steps already.
 /**
  * A call to `EVP_PKEY_paramgen` acts as a kind of pass through.
  * It's output pkey is eventually used in a new operation generating
@@ -420,28 +424,6 @@ private class CtxParamGenCall extends CtxPassThroughCall {
   override DataFlow::Node getNode2() { result = n2 }
 }
 
-//TODO: I am not sure CallArgToCtxRet is needed anymore
-/**
- * If the current node is an argument to a function
- * that returns a pointer type, immediately flow through.
- * NOTE: this passthrough is required if we allow
- * intermediate steps to go into variables that are not a CTX type.
- * See for example `CtxParamGenCall`.
- */
-private class CallArgToCtxRet extends CtxPassThroughCall, CtxPointerExpr {
-  DataFlow::Node n1;
-  DataFlow::Node n2;
-
-  CallArgToCtxRet() {
-    this.getAnArgument() = n1.asExpr() and
-    n2.asExpr() = this
-  }
-
-  override DataFlow::Node getNode1() { result = n1 }
-
-  override DataFlow::Node getNode2() { result = n2 }
-}
-
 /**
  * A flow configuration from any non-final `OperationStep` to any other `OperationStep`.
  */

cpp/ql/test/experimental/library-tests/quantum/node_edges.expected

@@ -34,15 +34,16 @@
 | openssl_basic.c:155:22:155:41 | KeyGeneration | Algorithm | openssl_basic.c:155:22:155:41 | KeyGeneration |
 | openssl_basic.c:155:22:155:41 | KeyGeneration | KeyInput | openssl_basic.c:155:64:155:66 | Key |
 | openssl_basic.c:155:22:155:41 | KeyGeneration | Output | openssl_basic.c:155:22:155:41 | Key |
-| openssl_basic.c:155:43:155:55 | MACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm |
+| openssl_basic.c:155:43:155:55 | HMACAlgorithm | H | openssl_basic.c:160:39:160:48 | HashAlgorithm |
 | openssl_basic.c:155:64:155:66 | Key | Source | openssl_basic.c:179:43:179:76 | Constant |
 | openssl_basic.c:160:59:160:62 | Key | Source | openssl_basic.c:155:22:155:41 | Key |
 | openssl_basic.c:163:35:163:41 | Message | Source | openssl_basic.c:181:49:181:87 | Constant |
-| openssl_basic.c:167:9:167:27 | SignOperation | Algorithm | openssl_basic.c:167:9:167:27 | SignOperation |
-| openssl_basic.c:167:9:167:27 | SignOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm |
-| openssl_basic.c:167:9:167:27 | SignOperation | Input | openssl_basic.c:163:35:163:41 | Message |
-| openssl_basic.c:167:9:167:27 | SignOperation | Key | openssl_basic.c:160:59:160:62 | Key |
-| openssl_basic.c:167:9:167:27 | SignOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Algorithm | openssl_basic.c:155:43:155:55 | HMACAlgorithm |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | HashAlgorithm | openssl_basic.c:160:39:160:48 | HashAlgorithm |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Input | openssl_basic.c:163:35:163:41 | Message |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Key | openssl_basic.c:160:59:160:62 | Key |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Nonce | openssl_basic.c:167:9:167:27 | SignatureOrMACOperation |
+| openssl_basic.c:167:9:167:27 | SignatureOrMACOperation | Output | openssl_basic.c:167:34:167:36 | SignatureOutput |
 | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Mode | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm |
 | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm | Padding | openssl_basic.c:249:51:249:72 | PaddingAlgorithm |
 | openssl_basic.c:238:9:238:25 | KeyGeneration | Algorithm | openssl_basic.c:235:51:235:55 | KeyOperationAlgorithm |
@@ -97,37 +98,67 @@
 | openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
 | openssl_signature.c:133:52:133:55 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
 | openssl_signature.c:134:38:134:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
-| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
-| openssl_signature.c:135:9:135:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
-| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
-| openssl_signature.c:135:9:135:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
-| openssl_signature.c:135:9:135:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message |
-| openssl_signature.c:135:9:135:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key |
-| openssl_signature.c:135:9:135:27 | SignOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput |
-| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
-| openssl_signature.c:142:9:142:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
-| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
-| openssl_signature.c:142:9:142:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
-| openssl_signature.c:142:9:142:27 | SignOperation | Input | openssl_signature.c:134:38:134:44 | Message |
-| openssl_signature.c:142:9:142:27 | SignOperation | Key | openssl_signature.c:133:52:133:55 | Key |
-| openssl_signature.c:142:9:142:27 | SignOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:135:9:135:27 | SignatureOrMACOperation |
+| openssl_signature.c:135:9:135:27 | SignatureOrMACOperation | Output | openssl_signature.c:135:37:135:40 | SignatureOutput |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Input | openssl_signature.c:134:38:134:44 | Message |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Key | openssl_signature.c:133:52:133:55 | Key |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:142:9:142:27 | SignatureOrMACOperation |
+| openssl_signature.c:142:9:142:27 | SignatureOrMACOperation | Output | openssl_signature.c:142:37:142:46 | SignatureOutput |
+| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
+| openssl_signature.c:165:54:165:57 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
+| openssl_signature.c:166:40:166:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:134:38:134:44 | Message |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Input | openssl_signature.c:166:40:166:46 | Message |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:133:52:133:55 | Key |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Key | openssl_signature.c:165:54:165:57 | Key |
+| openssl_signature.c:167:9:167:29 | VerifyOperation | Signature | openssl_signature.c:167:39:167:47 | SignatureInput |
+| openssl_signature.c:167:39:167:47 | SignatureInput | Source | openssl_signature.c:142:37:142:46 | SignatureOutput |
 | openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
 | openssl_signature.c:190:57:190:60 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
 | openssl_signature.c:196:38:196:44 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
-| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
-| openssl_signature.c:197:9:197:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
-| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
-| openssl_signature.c:197:9:197:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
-| openssl_signature.c:197:9:197:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message |
-| openssl_signature.c:197:9:197:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key |
-| openssl_signature.c:197:9:197:27 | SignOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput |
-| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
-| openssl_signature.c:204:9:204:27 | SignOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
-| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
-| openssl_signature.c:204:9:204:27 | SignOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
-| openssl_signature.c:204:9:204:27 | SignOperation | Input | openssl_signature.c:196:38:196:44 | Message |
-| openssl_signature.c:204:9:204:27 | SignOperation | Key | openssl_signature.c:190:57:190:60 | Key |
-| openssl_signature.c:204:9:204:27 | SignOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:197:9:197:27 | SignatureOrMACOperation |
+| openssl_signature.c:197:9:197:27 | SignatureOrMACOperation | Output | openssl_signature.c:197:37:197:40 | SignatureOutput |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Input | openssl_signature.c:196:38:196:44 | Message |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Key | openssl_signature.c:190:57:190:60 | Key |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Nonce | openssl_signature.c:204:9:204:27 | SignatureOrMACOperation |
+| openssl_signature.c:204:9:204:27 | SignatureOrMACOperation | Output | openssl_signature.c:204:37:204:46 | SignatureOutput |
+| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
+| openssl_signature.c:228:59:228:62 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
+| openssl_signature.c:234:40:234:46 | Message | Source | openssl_signature.c:602:37:602:77 | Constant |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Algorithm | openssl_signature.c:565:50:565:54 | KeyOperationAlgorithm |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:684:24:684:33 | HashAlgorithm |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | HashAlgorithm | openssl_signature.c:740:24:740:33 | HashAlgorithm |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:196:38:196:44 | Message |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Input | openssl_signature.c:234:40:234:46 | Message |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:190:57:190:60 | Key |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Key | openssl_signature.c:228:59:228:62 | Key |
+| openssl_signature.c:235:9:235:29 | VerifyOperation | Signature | openssl_signature.c:235:39:235:47 | SignatureInput |
+| openssl_signature.c:235:39:235:47 | SignatureInput | Source | openssl_signature.c:204:37:204:46 | SignatureOutput |
 | openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:548:34:548:37 | Key |
 | openssl_signature.c:260:39:260:42 | Key | Source | openssl_signature.c:578:34:578:37 | Key |
 | openssl_signature.c:263:9:263:21 | SignOperation | Algorithm | openssl_signature.c:543:35:543:46 | KeyOperationAlgorithm |