C++: Add openssl low-level API

2026-05-02 20:25:13 +02:00 · 2022-02-14 14:47:55 -05:00
parent dbe4770c7d
commit 0e50c4b186
1 changed files with 22 additions and 16 deletions
--- a/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
+++ b/cpp/ql/src/Security/CWE/CWE-326/InsufficientKeySize.ql
@@ -14,37 +14,43 @@ import cpp
 import semmle.code.cpp.ir.dataflow.DataFlow
 import semmle.code.cpp.ir.IR

-int getMinimumKeyStrength(string func) {
-  func = "EVP_PKEY_CTX_set_dsa_paramgen_bits" and result = 2048
-  or
-  func = "EVP_PKEY_CTX_set_dh_paramgen_prime_len" and result = 2048
-  or
-  func = "EVP_PKEY_CTX_set_rsa_keygen_bits" and result = 2048
+// Holds if `func` is the name of an encryption function that accepts a key size as parameter `paramIndex`
+int getMinimumKeyStrength(string func, int paramIndex) {
+  func =
+    [
+      "EVP_PKEY_CTX_set_dsa_paramgen_bits", "DSA_generate_parameters_ex",
+      "EVP_PKEY_CTX_set_rsa_keygen_bits", "RSA_generate_key_ex", "RSA_generate_key_fips",
+      "EVP_PKEY_CTX_set_dh_paramgen_prime_len", "DH_generate_parameters_ex"
+    ] and
+  paramIndex = 1 and
+  result = 2048
 }

 class KeyStrengthFlow extends DataFlow::Configuration {
-  KeyStrengthFlow() {
-    this = "KeyStrengthFlow"
-  }
+  KeyStrengthFlow() { this = "KeyStrengthFlow" }

  override predicate isSource(DataFlow::Node node) {
    node.asInstruction() instanceof IntegerConstantInstruction
  }

  override predicate isSink(DataFlow::Node node) {
-    exists(FunctionCall fc, string name|
-      node.asExpr() = fc.getArgument(1) and
+    exists(FunctionCall fc, string name, int param |
+      node.asExpr() = fc.getArgument(param) and
      fc.getTarget().hasGlobalName(name) and
-      exists(getMinimumKeyStrength(name))
+      exists(getMinimumKeyStrength(name, param))
    )
  }
 }

-from DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc, string name, int bits
+from
+  DataFlow::PathNode source, DataFlow::PathNode sink, KeyStrengthFlow conf, FunctionCall fc,
+  string name, int bits
 where
  conf.hasFlowPath(source, sink) and
  sink.getNode().asExpr() = fc.getArgument(1) and
  fc.getTarget().hasGlobalName(name) and
-  bits = getMinimumKeyStrength(name) and
-  source.getNode().asInstruction().(ConstantValueInstruction).getValue().toInt() <  bits
-select fc, source, sink, "The key size $@ is insufficient for security", source, source.toString()
+  bits = getMinimumKeyStrength(name, _) and
+  source.getNode().asInstruction().(ConstantValueInstruction).getValue().toInt() < bits
+select fc, source, sink,
+  "The key size $@ is less than the recommended key size of " + bits.toString() + " bits.", source,
+  source.toString()