Crypto: Add support to trace keys, add support to find prior key gen properties that configure downstream operations. Add key size tests

2026-04-27 01:35:13 +02:00 · 2025-06-11 13:58:56 -04:00
parent 7d479940e5
commit d3cff2dff1
5 changed files with 72 additions and 7 deletions
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/KeyFlow.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/KeyFlow.qll
@@ -0,0 +1,29 @@
+import semmle.code.cpp.dataflow.new.DataFlow
+private import Operations.OpenSSLOperations
+private import experimental.quantum.Language
+
+/**
+ * Flow from key creation to key used in a call
+ */
+module OpenSSLKeyFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // NOTE/ASSUMPTION: it is assumed the operation is also an OpenSSLOperation.
+    // All operations modeled for openssl should be modeled as OpenSSLOperation.
+    exists(Crypto::KeyCreationOperationInstance keygen | keygen.getOutputKeyArtifact() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Call call | call.(Call).getAnArgument() = sink.asExpr())
+  }
+  //TODO: consideration for additional flow steps? Can a key be copied for example?
+}
+
+module OpenSSLKeyFlow = TaintTracking::Global<OpenSSLKeyFlowConfig>;
+
+Crypto::KeyCreationOperationInstance getSourceKeyCreationInstanceFromArg(Expr arg) {
+  exists(DataFlow::Node src, DataFlow::Node sink |
+    OpenSSLKeyFlow::flow(src, sink) and
+    result.getOutputKeyArtifact() = src and
+    sink.asExpr() = arg
+  )
+}
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
@@ -1,5 +1,6 @@
 private import experimental.quantum.Language
 private import experimental.quantum.OpenSSL.CtxFlow
+private import experimental.quantum.OpenSSL.KeyFlow
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 // Importing these intializers here to ensure the are part of any model that is
 // using OpenSSLOperationBase. This futher ensures that initializers are tied to opeartions
@@ -63,13 +64,29 @@ abstract class EvpAlgorithmInitializer extends EvpInitializer {
 }

 abstract class EvpKeyInitializer extends EvpInitializer {
-  //, EvpAlgorithmInitializer {
  abstract Expr getKeyArg();
-  // /**
-  //  * Any key arg can potentially be traced to find the algorithm used to generate the key.
-  //  */
-  // override Expr getAlgorithmArg(){
-  // }
+}
+
+/**
+ * Any key initializer may initialize the algorithm and the key size through
+ * the key. Extend any instance of key initializer provide initialization
+ * of the algorithm and key size from the key.
+ */
+class EvpInitializerThroughKey extends EvpAlgorithmInitializer, EvpKeySizeInitializer instanceof EvpKeyInitializer
+{
+  //TODO: charpred that traces from creation to key arg, grab creator
+  override CtxPointerSource getContextArg() { result = EvpKeyInitializer.super.getContextArg() }
+
+  override Expr getAlgorithmArg() {
+    result =
+      getSourceKeyCreationInstanceFromArg(this.getKeyArg()).(OpenSSLOperation).getAlgorithmArg()
+  }
+
+  override Expr getKeySizeArg() {
+    result = getSourceKeyCreationInstanceFromArg(this.getKeyArg()).getKeySizeConsumer().asExpr()
+  }
+
+  Expr getKeyArg() { result = EvpKeyInitializer.super.getKeyArg() }
 }

 abstract class EvpIVInitializer extends EvpInitializer {
--- a/cpp/ql/test/experimental/library-tests/quantum/key_creation_key_size.expected
+++ b/cpp/ql/test/experimental/library-tests/quantum/key_creation_key_size.expected
@@ -0,0 +1,3 @@
+| openssl_pkey.c:55:9:55:23 | KeyGeneration | openssl_pkey.c:54:47:54:50 | Constant | openssl_pkey.c:54:47:54:50 | 2048 |
+| openssl_signature.c:548:9:548:23 | KeyGeneration | openssl_signature.c:547:51:547:54 | Constant | openssl_signature.c:547:51:547:54 | 2048 |
+| openssl_signature.c:578:9:578:23 | KeyGeneration | openssl_signature.c:569:55:569:58 | Constant | openssl_signature.c:569:55:569:58 | 2048 |
--- a/cpp/ql/test/experimental/library-tests/quantum/key_creation_key_size.ql
+++ b/cpp/ql/test/experimental/library-tests/quantum/key_creation_key_size.ql
@@ -0,0 +1,6 @@
+import cpp
+import experimental.quantum.Language
+
+from Crypto::KeyCreationOperationNode n, Crypto::NodeBase src
+where n.getAKeySizeSource() = src
+select n, src, src.asElement()
--- a/shared/quantum/codeql/quantum/experimental/Model.qll
+++ b/shared/quantum/codeql/quantum/experimental/Model.qll
@@ -1051,7 +1051,11 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {
    digestLength = 512 // TODO: verify
  }

-  abstract private class KeyCreationOperationInstance extends OperationInstance {
+  /**
+   * Users should not extend this class directly, but instead use
+   * `KeyCreationOperationInstance` or `KeyDerivationOperationInstance`.
+   */
+  abstract class KeyCreationOperationInstance extends OperationInstance {
    abstract string getKeyCreationTypeDescription();

    /**
@@ -1732,6 +1736,12 @@ module CryptographyBase<LocationSig Location, InputSig<Location> Input> {

    override string getInternalType() { result = instance.getKeyCreationTypeDescription() }

+    NodeBase getAKeySizeSource() {
+      result = instance.getKeySizeConsumer().getConsumer().getAGenericSourceNode()
+      or
+      result = instance.getKeySizeConsumer().getConsumer().getAKnownSourceNode()
+    }
+
    /**
     * Gets the key artifact produced by this operation.
     */