feat: support getDerivedKeySizeSrc for argon2 variants

Lordfirespeed · Lordfirespeed · commit 19ed6bb1987e · 2026-01-28T12:43:11.000Z
diff --git a/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll b/python/ql/lib/experimental/cryptography/modules/CryptographyModule.qll
@@ -146,7 +146,9 @@ module KDF {
 
     // TODO: get encryption algorithm for CBC-based KDF?
     override DataFlow::Node getDerivedKeySizeSrc() {
-      if this.getAlgorithm().getKDFName() in ["KBKDFHMAC", "KBKDFCMAC"]
+      if this.getAlgorithm().getKDFName() = "ARGON2"
+      then result = Utils::getUltimateSrcFromApiNode(this.getKeywordParameter("length"))
+      else if this.getAlgorithm().getKDFName() in ["KBKDFHMAC", "KBKDFCMAC"]
       then result = Utils::getUltimateSrcFromApiNode(this.getParameter(2, "length"))
       else result = Utils::getUltimateSrcFromApiNode(this.getParameter(1, "length"))
     }
