key sizes basic support

github · GrosQuildu · May 22, 2025 · May 23, 2025 · May 28, 2025 · May 29, 2025
commit a70cd60b37551552c8eac7a3f69a21b8e79c08ea
@@ -82,7 +82,12 @@ class KnownOpenSSLSignatureAlgorithmConstant extends KnownOpenSSLAlgorithmConsta
 predicate resolveAlgorithmFromCall(Call c, string normalized, string algType) {
   exists(string name, string parsedTargetName |
     parsedTargetName =
-      c.getTarget().getName().replaceAll("EVP_", "").toLowerCase().replaceAll("_", "-") and
+      c.getTarget()
+          .getName()
+          .replaceAll("EVP_", "")
+          .replaceAll("_gen", "")
+          .toLowerCase()
+          .replaceAll("_", "-") and
     name = resolveAlgorithmAlias(parsedTargetName) and
     knownOpenSSLAlgorithmLiteral(name, _, normalized, algType)
   )

@@ -69,7 +69,8 @@ class KnownOpenSSLSignatureConstantAlgorithmInstance extends OpenSSLAlgorithmIns
   override string getRawAlgorithmName() { result = this.(Literal).getValue().toString() }
 
   override int getKeySizeFixed() {
-    // this.(KnownOpenSSLSignatureAlgorithmConstant).getExplicitKeySize() = result
+    // TODO: use ellipticCurveNameToKeySizeAndFamilyMapping or KnownOpenSSLEllipticCurveConstantAlgorithmInstance
+    // TODO: maybe add getExplicitKeySize to KnownOpenSSLSignatureAlgorithmConstant and use it here
     none()
   }
 
@@ -83,11 +84,20 @@ class KnownOpenSSLSignatureConstantAlgorithmInstance extends OpenSSLAlgorithmIns
   override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }
 
   override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
-    // TODO: trace to any key size initializer, symmetric and asymmetric
+    // TODO: trace to any key size initializer
+    // probably PKeyAlgorithmValueConsumer and SignatureAlgorithmValueConsumer
     none()
   }
 
+  /**
+   * No mode for signatures.
+   */
   override predicate shouldHaveModeOfOperation() { none() }
 
-  override predicate shouldHavePaddingScheme() { none() }
+  /**
+   * Padding only for RSA.
+   */
+  override predicate shouldHavePaddingScheme() {
+    this.getAlgorithmType() instanceof KeyOpAlg::TAsymmetricCipher
+  }
 }
@@ -15,18 +15,51 @@ class EVPKeyGenInitialize extends EVPInitialize {
   override Expr getAlgorithmArg() { result = getAlgorithmFromCtx(this.getContextArg()) }
 }
 
-class EVPKeyGenOperation extends EVPOperation, Crypto::KeyGenerationOperationInstance {
+/**
+ * All calls that can be tracked via ctx.
+ * For example calls used to set parameters like a key size.
+ */
+class EVPKeyGenUpdate extends EVPUpdate {
+  EVPKeyGenUpdate() {
+    this.(Call).getTarget().getName() in [
+        "EVP_PKEY_CTX_set_rsa_keygen_bits",
+        // TODO: "EVP_PKEY_CTX_set_params"
+      ]
+  }
+
+  /**
+   * No input in our meaning.
+   */
+  override Expr getInputArg() { none() }
+
+  /**
+   * No output in our meaning.
+   */
+  override Expr getOutputArg() { none() }
+
+  Expr getKeySizeArg() {
+    this.(Call).getTarget().getName() = "EVP_PKEY_CTX_set_rsa_keygen_bits" and
+    result = this.(Call).getArgument(1)
+  }
+}
+
+class EVPKeyGenOperation extends EVPFinal, Crypto::KeyGenerationOperationInstance {
   EVPKeyGenOperation() {
     this.(Call).getTarget().getName() in [
-        "EVP_PKEY_generate", "EVP_PKEY_keygen", "EVP_PKEY_Q_keygen", "EVP_PKEY_paramgen"
-        // TODO: "EVP_PKEY_paramgen"
+        "EVP_PKEY_generate", "EVP_PKEY_keygen", "EVP_PKEY_Q_keygen", "EVP_PKEY_paramgen",
+        "EVP_RSA_gen"
+        // TODO: "EVP_PKEY_paramgen" may need special handling
+        // TODO: RSA_generate_key, RSA_generate_key_ex, etc
       ]
   }
 
   override Expr getAlgorithmArg() {
     if this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen"
     then result = this.(Call).getArgument(0)
-    else result = EVPOperation.super.getAlgorithmArg()
+    else
+      if this.(Call).getTarget().getName() = "EVP_RSA_gen"
+      then result = this
+      else result = EVPFinal.super.getAlgorithmArg()
   }
 
   override Crypto::KeyArtifactType getOutputKeyType() { result = Crypto::TAsymmetricKeyType() }
@@ -36,11 +69,16 @@ class EVPKeyGenOperation extends EVPOperation, Crypto::KeyGenerationOperationIns
   override Expr getOutputArg() { result = this.(Call).getArgument(1) }
 
   override Crypto::ArtifactOutputDataFlowNode getOutputKeyArtifact() {
-    result = EVPOperation.super.getOutputKeyArtifact()
+    result = EVPFinal.super.getOutputKeyArtifact()
   }
 
   override Crypto::ConsumerInputDataFlowNode getKeySizeConsumer() {
-    none() // TODO
+    if this.(Call).getTarget().getName() = "EVP_PKEY_Q_keygen"
+    then result = DataFlow::exprNode(this.(Call).getArgument(3)) // TODO: may be wrong for EC keys
+    else
+      if this.(Call).getTarget().getName() = "EVP_RSA_gen"
+      then result = DataFlow::exprNode(this.(Call).getArgument(0))
+      else result = DataFlow::exprNode(this.getUpdateCalls().(EVPKeyGenUpdate).getKeySizeArg())
   }
 
   override int getKeySizeFixed() {

@@ -20,7 +20,7 @@ abstract class OpenSSLOperation extends Crypto::OperationInstance instanceof Ope
 
   /**
    * Algorithm is either an argument and we track it to AlgorithmValueConsumer
-   * or we have the AlgorithmValueConsumer already and just return it.
+   * or we have the AlgorithmValueConsumer already tracked down and just return it.
    */
   override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
     AlgGetterToAlgConsumerFlow::flow(result.(OpenSSLAlgorithmValueConsumer).getResultNode(),