make signature tests work for algorithms

github · GrosQuildu · May 22, 2025 · May 23, 2025 · May 28, 2025 · May 29, 2025
commit 02fb52c3796c9927a5e44f37bc4c7552aad41b02
@@ -2829,6 +2829,8 @@ predicate knownOpenSSLAlgorithmLiteral(string name, int nid, string normalized,
   or
   name = "rsaencryption" and nid = 6 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
+  name = "rsaencryption" and nid = 6 and normalized = "RSA" and algType = "SIGNATURE"
+  or
   name = "rsaes-oaep" and nid = 919 and normalized = "RSA" and algType = "ASYMMETRIC_ENCRYPTION"
   or
   name = "rsaes-oaep" and nid = 919 and normalized = "OAEP" and algType = "ASYMMETRIC_PADDING"

@@ -5,3 +5,4 @@ import PaddingAlgorithmValueConsumer
 import HashAlgorithmValueConsumer
 import EllipticCurveAlgorithmValueConsumer
 import PKeyAlgorithmValueConsumer
+import SignatureAlgorithmValueConsumer
@@ -7,18 +7,18 @@ private import experimental.quantum.OpenSSL.LibraryDetector
 
 abstract class SignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }
 
-class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
+class EVPSignatureAlgorithmValueConsumer extends SignatureAlgorithmValueConsumer {
   DataFlow::Node valueArgNode;
   DataFlow::Node resultNode;
 
   EVPSignatureAlgorithmValueConsumer() {
     resultNode.asExpr() = this and
-    isPossibleOpenSSLFunction(this.(Call).getTarget()) and
     (
       // EVP_SIGNATURE
       this.(Call).getTarget().getName() = "EVP_SIGNATURE_fetch" and
       valueArgNode.asExpr() = this.(Call).getArgument(1)
-      // EVP_PKEY_get1_DSA, DSA_SIG_new, EVP_RSA_gen
+      // EVP_PKEY_get1_DSA, EVP_PKEY_get1_RSA
+      // DSA_SIG_new, DSA_SIG_get0, RSA_sign ?
     )
   }
 

@@ -129,11 +129,12 @@ abstract class EVP_Signature_Operation extends EVPOperation, Crypto::SignatureOp
     none()
   }
 
+  /**
+   * Keys provided in the initialization call or in a context are found by this method.
+   * Keys in explicit arguments are found by overriden methods in extending classes.
+   */
   override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
-    // TODO: move to EVPOperation similarly to getAlgorithmArg
-    if exists(this.getInitCall().getKeyArg())
-    then result = DataFlow::exprNode(this.getInitCall().getKeyArg())
-    else none()
+    result = DataFlow::exprNode(this.getInitCall().getKeyArg())
   }
 
   override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {
@@ -174,7 +175,7 @@ class EVP_Signature_Final_Call extends EVPFinal, EVP_Signature_Operation {
   override Crypto::ConsumerInputDataFlowNode getKeyConsumer() {
     if this.(Call).getTarget().getName() in ["EVP_SignFinal", "EVP_SignFinal_ex"]
     then result = DataFlow::exprNode(this.(Call).getArgument(3))
-    else none()
+    else result = EVP_Signature_Operation.super.getKeyConsumer()
   }
 
   /**

@@ -1,6 +1,3 @@
-# define RSA_PKCS1_PSS_PADDING           6
-# define NID_sha256                      672
-
 # define EVP_PKEY_NONE   NID_undef
 # define EVP_PKEY_RSA    NID_rsaEncryption
 # define EVP_PKEY_RSA2   NID_rsa
@@ -3743,5 +3740,6 @@
 #define LN_undef "undefined"
 #define SN_undef "UNDEF"
 
+#define EVP_MAX_MD_SIZE 64
 #define RSA_PKCS1_PSS_PADDING 6
-# define EVP_MAX_MD_SIZE 64
+#define NID_sha256 672
@@ -28,15 +28,13 @@
 # define         EVP_CTRL_CCM_SET_IV_FIXED       EVP_CTRL_AEAD_SET_IV_FIXED
 # define         EVP_CTRL_CCM_SET_L              0x14
 # define         EVP_CTRL_CCM_SET_MSGLEN         0x15
-# define         EVP_MAX_MD_SIZE                 64
 
 typedef unsigned long size_t;
 
 typedef unsigned char uint8_t;
 typedef unsigned int uint32_t;
 typedef unsigned long long uint64_t;
 
-// Forward declarations for opaque structs
 struct rsa_st;
 struct dsa_st;
 struct dh_st;
@@ -5056,18 +5054,6 @@ int EVP_VerifyUpdate(EVP_MD_CTX * ctx, const void * data, size_t dsize) {
     return 0;
 }
 
-int printf(const char*, ...) {
-    return NULL;
-}
-
-int strlen(const char *s) {
-    return NULL;
-}
-
-void* memset(void *s, int c, size_t n) {
-    return NULL;
-}
-
 int RSA_size(const RSA * rsa) {
     return 0;
 }
@@ -5126,8 +5112,7 @@ BIGNUM * BN_bin2bn(const unsigned char * s, int len, BIGNUM * ret) {
     return NULL;
 }
 
-void OpenSSL_add_all_algorithms(void) ;
-
-void ERR_load_crypto_strings(void) ;
+void OpenSSL_add_all_algorithms(void);
+void ERR_load_crypto_strings(void);
 
 #endif /* OSSL_EVP_H */
@@ -0,0 +1,12 @@
+#ifndef STD_STUBS_H
+#define STD_STUBS_H
+
+unsigned long strlen(const char *s) {
+    return 0;
+}
+
+void* memset(void *s, int c, unsigned long n) {
+    return 0;
+}
+
+#endif /* STD_STUBS_H */
@@ -1,8 +1,17 @@
-#include "includes/evp_stubs.h"
-#include "includes/alg_macro_stubs.h"
-#include "includes/rand_stubs.h"
-
-size_t strlen(const char* str);
+#ifdef USE_REAL_HEADERS
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/sha.h>
+#include <openssl/err.h>
+#include <stdio.h>
+#include <string.h>
+#else
+#include "./includes/evp_stubs.h"
+#include "./includes/alg_macro_stubs.h"
+#include "./includes/rand_stubs.h"
+#include "./includes/std_stubs.h"
+#endif
 
 // Sample OpenSSL code that demonstrates various cryptographic operations
 // that can be detected by the quantum model
@@ -218,4 +227,4 @@ int test_main() {
     calculate_hmac_sha256(key, 32, plaintext, plaintext_len, hmac);
 
     return 0;
-} 
+} 
@@ -1,13 +1,16 @@
-#ifndef USE_REAL_HEADERS
-#include "../includes/evp_stubs.h"
-#include "../includes/alg_macro_stubs.h"
-#include "../includes/rand_stubs.h"
-#else
+#ifdef USE_REAL_HEADERS
 #include <openssl/evp.h>
-#include <openssl/err.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
-#include <openssl/pem.h>
+#include <openssl/sha.h>
+#include <openssl/err.h>
+#include <stdio.h>
+#include <string.h>
+#else
+#include "../includes/evp_stubs.h"
+#include "../includes/alg_macro_stubs.h"
+#include "../includes/rand_stubs.h"
+#include "../includes/std_stubs.h"
 #endif
 
 /* =============================================================================
@@ -76,6 +79,9 @@ int sign_using_evp_sign(const unsigned char *message, size_t message_len,
         EVP_SignUpdate(md_ctx, message, message_len) != 1) {
         goto cleanup;
     }
+
+    // more updates
+    EVP_SignUpdate(md_ctx, message+1, message_len-1);
 
     *signature = allocate_signature_buffer(signature_len, pkey);
     if (!*signature) goto cleanup;
@@ -106,6 +112,7 @@ int verify_using_evp_verify(const unsigned char *message, size_t message_len,
     if (!(md_ctx = EVP_MD_CTX_new()) ||
         EVP_VerifyInit(md_ctx, md) != 1 ||
         EVP_VerifyUpdate(md_ctx, message, message_len) != 1 ||
+        EVP_VerifyUpdate(md_ctx, message+1, message_len-1) != 1 ||
         EVP_VerifyFinal(md_ctx, signature, (unsigned int)signature_len, pkey) != 1) {
         goto cleanup;
     }

@@ -0,0 +1,4 @@
+| openssl_signature.c:332:37:332:48 | RSA-SHA256 | RSA | openssl_signature.c:332:11:332:29 | call to EVP_SIGNATURE_fetch |
+| openssl_signature.c:368:37:368:48 | RSA-SHA256 | RSA | openssl_signature.c:368:11:368:29 | call to EVP_SIGNATURE_fetch |
+| openssl_signature.c:552:35:552:46 | 6 | RSA | openssl_signature.c:552:15:552:33 | call to EVP_PKEY_CTX_new_id |
+| openssl_signature.c:574:50:574:54 | DSA | DSA | openssl_signature.c:574:17:574:42 | call to EVP_PKEY_CTX_new_from_name |
@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+import experimental.quantum.OpenSSL.AlgorithmInstances.SignatureAlgorithmInstance
+
+from KnownOpenSSLSignatureConstantAlgorithmInstance algoInstance
+select algoInstance, algoInstance.getAlgorithmType(), algoInstance.getAVC()