Crypto: Add support to trace keys, add support to find prior key gen properties that configure downstream operations. Add key size tests

2026-04-28 02:05:14 +02:00 · 2025-06-11 13:58:56 -04:00
parent 7d479940e5
commit d3cff2dff1
5 changed files with 72 additions and 7 deletions
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/KeyFlow.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/KeyFlow.qll
@@ -0,0 +1,29 @@
+import semmle.code.cpp.dataflow.new.DataFlow
+private import Operations.OpenSSLOperations
+private import experimental.quantum.Language
+
+/**
+ * Flow from key creation to key used in a call
+ */
+module OpenSSLKeyFlowConfig implements DataFlow::ConfigSig {
+  predicate isSource(DataFlow::Node source) {
+    // NOTE/ASSUMPTION: it is assumed the operation is also an OpenSSLOperation.
+    // All operations modeled for openssl should be modeled as OpenSSLOperation.
+    exists(Crypto::KeyCreationOperationInstance keygen | keygen.getOutputKeyArtifact() = source)
+  }
+
+  predicate isSink(DataFlow::Node sink) {
+    exists(Call call | call.(Call).getAnArgument() = sink.asExpr())
+  }
+  //TODO: consideration for additional flow steps? Can a key be copied for example?
+}
+
+module OpenSSLKeyFlow = TaintTracking::Global<OpenSSLKeyFlowConfig>;
+
+Crypto::KeyCreationOperationInstance getSourceKeyCreationInstanceFromArg(Expr arg) {
+  exists(DataFlow::Node src, DataFlow::Node sink |
+    OpenSSLKeyFlow::flow(src, sink) and
+    result.getOutputKeyArtifact() = src and
+    sink.asExpr() = arg
+  )
+}
--- a/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
+++ b/cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
@@ -1,5 +1,6 @@
 private import experimental.quantum.Language
 private import experimental.quantum.OpenSSL.CtxFlow
+private import experimental.quantum.OpenSSL.KeyFlow
 private import experimental.quantum.OpenSSL.AlgorithmValueConsumers.OpenSSLAlgorithmValueConsumers
 // Importing these intializers here to ensure the are part of any model that is
 // using OpenSSLOperationBase. This futher ensures that initializers are tied to opeartions
@@ -63,13 +64,29 @@ abstract class EvpAlgorithmInitializer extends EvpInitializer {
 }

 abstract class EvpKeyInitializer extends EvpInitializer {
-  //, EvpAlgorithmInitializer {
  abstract Expr getKeyArg();
-  // /**
-  //  * Any key arg can potentially be traced to find the algorithm used to generate the key.
-  //  */
-  // override Expr getAlgorithmArg(){
-  // }
+}
+
+/**
+ * Any key initializer may initialize the algorithm and the key size through
+ * the key. Extend any instance of key initializer provide initialization
+ * of the algorithm and key size from the key.
+ */
+class EvpInitializerThroughKey extends EvpAlgorithmInitializer, EvpKeySizeInitializer instanceof EvpKeyInitializer
+{
+  //TODO: charpred that traces from creation to key arg, grab creator
+  override CtxPointerSource getContextArg() { result = EvpKeyInitializer.super.getContextArg() }
+
+  override Expr getAlgorithmArg() {
+    result =
+      getSourceKeyCreationInstanceFromArg(this.getKeyArg()).(OpenSSLOperation).getAlgorithmArg()
+  }
+
+  override Expr getKeySizeArg() {
+    result = getSourceKeyCreationInstanceFromArg(this.getKeyArg()).getKeySizeConsumer().asExpr()
+  }
+
+  Expr getKeyArg() { result = EvpKeyInitializer.super.getKeyArg() }
 }

 abstract class EvpIVInitializer extends EvpInitializer {