merge main

Author: GrosQuildu

.github/workflows/build-ripunzip.yml

@@ -6,18 +6,18 @@ on:
       ripunzip-version:
         description: "what reference to checktout from google/runzip"
         required: false
-        default: v1.2.1
+        default: v2.0.2
       openssl-version:
         description: "what reference to checkout from openssl/openssl for Linux"
         required: false
-        default: openssl-3.3.0
+        default: openssl-3.5.0
 
 jobs:
   build:
     strategy:
       fail-fast: false
       matrix:
-        os: [ubuntu-22.04, macos-13, windows-2019]
+        os: [ubuntu-22.04, macos-13, windows-2022]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

.github/workflows/csharp-qltest.yml

@@ -36,7 +36,7 @@ jobs:
   unit-tests:
     strategy:
       matrix:
-        os: [ubuntu-latest, windows-2019]
+        os: [ubuntu-latest, windows-latest]
     runs-on: ${{ matrix.os }}
     steps:
       - uses: actions/checkout@v4

MODULE.bazel

@@ -239,24 +239,24 @@ go_deps = use_extension("@gazelle//:extensions.bzl", "go_deps")
 go_deps.from_file(go_mod = "//go/extractor:go.mod")
 use_repo(go_deps, "org_golang_x_mod", "org_golang_x_tools")
 
-lfs_files = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_files")
+lfs_archive = use_repo_rule("//misc/bazel:lfs.bzl", "lfs_archive")
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-linux",
-    srcs = ["//misc/ripunzip:ripunzip-linux"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Linux.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-windows",
-    srcs = ["//misc/ripunzip:ripunzip-windows.exe"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-Windows.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
-lfs_files(
+lfs_archive(
     name = "ripunzip-macos",
-    srcs = ["//misc/ripunzip:ripunzip-macos"],
-    executable = True,
+    src = "//misc/ripunzip:ripunzip-macOS.zip",
+    build_file = "//misc/ripunzip:BUILD.ripunzip.bazel",
 )
 
 register_toolchains(

cpp/downgrades/59cb96ca699929b63941e81905f9b8de7eed59a6/preprocdirects.ql

@@ -11,7 +11,7 @@ int getKind(int kind) {
   if kind = 14
   then result = 6 // Represent MSFT #import as #include
   else
-    if kind = 15 or kind = 6
+    if kind = 15 or kind = 16
     then result = 3 // Represent #elifdef and #elifndef as #elif
     else result = kind
 }

cpp/misc/bulk_generation_targets.json

@@ -0,0 +1,9 @@
+{
+  "strategy": "dca",
+  "language": "cpp",
+  "targets": [
+      { "name": "openssl", "with-sources": false, "with-sinks": false },
+      { "name": "sqlite", "with-sources": false, "with-sinks": false }
+  ],
+  "destination": "cpp/ql/lib/ext/generated"
+}

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/BlockAlgorithmInstance.qll

@@ -71,7 +71,11 @@ class KnownOpenSSLBlockModeConstantAlgorithmInstance extends OpenSSLAlgorithmIns
 
   // NOTE: I'm not going to attempt to parse out the mode specific part, so returning
   // the same as the raw name for now.
-  override string getRawModeAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawModeAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 }

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/CipherAlgorithmInstance.qll

@@ -102,7 +102,11 @@ class KnownOpenSSLCipherConstantAlgorithmInstance extends OpenSSLAlgorithmInstan
     // TODO or trace through getter ctx to set padding
   }
 
-  override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override int getKeySizeFixed() {
     this.(KnownOpenSSLCipherAlgorithmConstant).getExplicitKeySize() = result

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/EllipticCurveAlgorithmInstance.qll

@@ -32,7 +32,11 @@ class KnownOpenSSLEllipticCurveConstantAlgorithmInstance extends OpenSSLAlgorith
 
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
-  override string getRawEllipticCurveName() { result = this.(Literal).getValue().toString() }
+  override string getRawEllipticCurveName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override Crypto::TEllipticCurveType getEllipticCurveType() {
     Crypto::ellipticCurveNameToKeySizeAndFamilyMapping(this.getParsedEllipticCurveName(), _, result)

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/HashAlgorithmInstance.qll

@@ -76,7 +76,11 @@ class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance
     not knownOpenSSLConstantToHashFamilyType(this, _) and result = Crypto::OtherHashType()
   }
 
-  override string getRawHashAlgorithmName() { result = this.(Literal).getValue().toString() }
+  override string getRawHashAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
 
   override int getFixedDigestLength() {
     this.(KnownOpenSSLHashAlgorithmConstant).getExplicitDigestLength() = result

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/KeyAgreementAlgorithmInstance.qll

@@ -0,0 +1,63 @@
+import cpp
+private import experimental.quantum.Language
+private import KnownAlgorithmConstants
+private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
+private import experimental.quantum.OpenSSL.AlgorithmInstances.OpenSSLAlgorithmInstanceBase
+private import AlgToAVCFlow
+
+predicate knownOpenSSLConstantToKeyAgreementFamilyType(
+  KnownOpenSSLKeyAgreementAlgorithmConstant e, Crypto::TKeyAgreementType type
+) {
+  exists(string name |
+    name = e.getNormalizedName() and
+    (
+      name = "ECDH" and type = Crypto::ECDH()
+      or
+      name = "DH" and type = Crypto::DH()
+      or
+      name = "EDH" and type = Crypto::EDH()
+      or
+      name = "ESDH" and type = Crypto::EDH()
+    )
+  )
+}
+
+class KnownOpenSSLHashConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,
+  Crypto::KeyAgreementAlgorithmInstance instanceof KnownOpenSSLKeyAgreementAlgorithmConstant
+{
+  OpenSSLAlgorithmValueConsumer getterCall;
+
+  KnownOpenSSLHashConstantAlgorithmInstance() {
+    // Two possibilities:
+    // 1) The source is a literal and flows to a getter, then we know we have an instance
+    // 2) The source is a KnownOpenSSLAlgorithm is call, and we know we have an instance immediately from that
+    // Possibility 1:
+    this instanceof Literal and
+    exists(DataFlow::Node src, DataFlow::Node sink |
+      // Sink is an argument to a CipherGetterCall
+      sink = getterCall.getInputNode() and
+      // Source is `this`
+      src.asExpr() = this and
+      // This traces to a getter
+      KnownOpenSSLAlgorithmToAlgorithmValueConsumerFlow::flow(src, sink)
+    )
+    or
+    // Possibility 2:
+    this instanceof DirectAlgorithmValueConsumer and getterCall = this
+  }
+
+  override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
+
+  override Crypto::TKeyAgreementType getKeyAgreementType() {
+    knownOpenSSLConstantToKeyAgreementFamilyType(this, result)
+    or
+    not knownOpenSSLConstantToKeyAgreementFamilyType(this, _) and
+    result = Crypto::OtherKeyAgreementType()
+  }
+
+  override string getRawKeyAgreementAlgorithmName() {
+    result = this.(Literal).getValue().toString()
+    or
+    result = this.(Call).getTarget().getName()
+  }
+}