-
Notifications
You must be signed in to change notification settings - Fork 2k
Expand file tree
/
Copy pathKeyFlow.qll
More file actions
27 lines (23 loc) · 1.04 KB
/
KeyFlow.qll
File metadata and controls
27 lines (23 loc) · 1.04 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import semmle.code.cpp.dataflow.new.DataFlow
private import Operations.OpenSSLOperations
private import experimental.quantum.Language
/**
* Flow from key creation to key used in a call
*/
module OpenSslKeyFlowConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
// NOTE/ASSUMPTION: it is assumed the operation is also an OpenSslOperation.
// All operations modeled for openssl should be modeled as OpenSslOperation.
exists(Crypto::KeyCreationOperationInstance keygen | keygen.getOutputKeyArtifact() = source)
}
predicate isSink(DataFlow::Node sink) { exists(Call call | call.getAnArgument() = sink.asExpr()) }
//TODO: consideration for additional flow steps? Can a key be copied for example?
}
module OpenSslKeyFlow = TaintTracking::Global<OpenSslKeyFlowConfig>;
Crypto::KeyCreationOperationInstance getSourceKeyCreationInstanceFromArg(Expr arg) {
exists(DataFlow::Node src, DataFlow::Node sink |
OpenSslKeyFlow::flow(src, sink) and
result.getOutputKeyArtifact() = src and
sink.asExpr() = arg
)
}