feat: add predicates relating to lanes, memory_cost KDF parameters

Lordfirespeed · Lordfirespeed · commit fac677dafa32 · 2026-01-28T12:22:00.000Z
diff --git a/python/ql/lib/experimental/cryptography/CryptoArtifact.qll b/python/ql/lib/experimental/cryptography/CryptoArtifact.qll
@@ -135,6 +135,10 @@ abstract class KeyDerivationOperation extends CryptographicOperation {
 
   DataFlow::Node getHashConfigSrc() { none() }
 
+  DataFlow::Node getLanesConfigSrc() { none() }
+
+  DataFlow::Node getMemoryCostConfigSrc() { none() }
+
   // TODO: get encryption algorithm for CBC-based KDF?
   DataFlow::Node getDerivedKeySizeSrc() { none() }
 
@@ -147,6 +151,10 @@ abstract class KeyDerivationOperation extends CryptographicOperation {
 
   abstract predicate requiresHash();
 
+  abstract predicate requiresLanes();
+
+  abstract predicate requiresMemoryCost();
+
   //abstract predicate requiresKeySize(); // Going to assume all requires a size
   abstract predicate requiresMode();
 }
diff --git a/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll b/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll
@@ -116,6 +116,10 @@ module KDF {
 
     override predicate requiresIteration() { this.getAlgorithm().getKDFName() in ["PBKDF2HMAC", "ARGON2"] }
 
+    override predicate requiresLanes() { this.getAlgorithm().getKDFName() in ["ARGON2"] }
+
+    override predicate requiresMemoryCost() { this.getAlgorithm().getKDFName() in ["ARGON2"] }
+
     override DataFlow::Node getIterationSizeSrc() {
       this.requiresIteration() and
       if this.getAlgorithm().getKDFName() = "ARGON2"
@@ -144,6 +148,18 @@ module KDF {
       result = Utils::getUltimateSrcFromApiNode(this.getParameter(0, "algorithm"))
     }
 
+    override DataFlow::Node getLanesConfigSrc() {
+      this.requiresLanes() and 
+      // ASSUMPTION: ONLY EVER in keyword parameter
+      result = Utils::getUltimateSrcFromApiNode(this.getKeywordParameter("lanes"))
+    }
+
+    override DataFlow::Node getMemoryCostConfigSrc() {
+      this.requiresMemoryCost() and
+      // ASSUMPTION: ONLY EVER in keyword parameter
+      result = Utils::getUltimateSrcFromApiNode(this.getKeywordParameter("memory_cost"))
+    }
+
     // TODO: get encryption algorithm for CBC-based KDF?
     override DataFlow::Node getDerivedKeySizeSrc() {
       if this.getAlgorithm().getKDFName() = "ARGON2"
diff --git a/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll b/python/ql/lib/experimental/cryptography/modules/stdlib/HashlibModule.qll
@@ -197,6 +197,10 @@ module KDF {
     override predicate requiresSalt() { any() }
 
     override predicate requiresIteration() { any() }
+
+    override predicate requiresLanes() { none() }
+
+    override predicate requiresMemoryCost() { none() }
   }
 
   // TODO: better modeling of scrypt
@@ -233,5 +237,9 @@ module KDF {
     override predicate requiresSalt() { any() }
 
     override predicate requiresIteration() { none() }
+
+    override predicate requiresLanes() { none() }
+
+    override predicate requiresMemoryCost() { none() }
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -197,6 +197,10 @@ module KDF {`
`197`	`197`	`override predicate requiresSalt() { any() }`
`198`	`198`
`199`	`199`	`override predicate requiresIteration() { any() }`
	`200`	`+`
	`201`	`+ override predicate requiresLanes() { none() }`
	`202`	`+`
	`203`	`+ override predicate requiresMemoryCost() { none() }`
`200`	`204`	`}`
`201`	`205`
`202`	`206`	`// TODO: better modeling of scrypt`
`@@ -233,5 +237,9 @@ module KDF {`
`233`	`237`	`override predicate requiresSalt() { any() }`
`234`	`238`
`235`	`239`	`override predicate requiresIteration() { none() }`
	`240`	`+`
	`241`	`+ override predicate requiresLanes() { none() }`
	`242`	`+`
	`243`	`+ override predicate requiresMemoryCost() { none() }`
`236`	`244`	`}`
`237`	`245`	`}`