Skip to content

Quantum: Add OpenSSL PKEY algorithm value consumers. #19547

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
May 21, 2025
Merged

Quantum: Add OpenSSL PKEY algorithm value consumers. #19547

merged 2 commits into from
May 21, 2025

Conversation

bdrodes
Copy link
Contributor

@bdrodes bdrodes commented May 20, 2025

Value consumer modeling for PKEY alg consumers in openssl.

@bdrodes
Crypto: Adding alg value consumers for EVP PKEY for openssl. As part …
6ffb049 
…of the additional modeling, updated the generic dataflow source to match JCA with how "EC" is handled as a consumed algorithm for PKEY.
@Copilot Copilot AI review requested due to automatic review settings May 20, 2025 18:19
@bdrodes bdrodes requested a review from a team as a code owner May 20, 2025 18:19
@github-actions github-actions bot added the C++ label May 20, 2025
Copilot
Copilot AI reviewed May 20, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

Adds modeling of PKEY algorithm value consumers for OpenSSL in CodeQL, enabling data-flow analysis for EVP_PKEY_* operations.

  • Introduces a new PKeyAlgorithmValueConsumer subclass (EVPPKeyAlgorithmConsumer) to capture algorithm arguments for various EVP_PKEY functions.
  • Registers the new consumer in OpenSSLAlgorithmValueConsumers.qll.
  • Updates Language.qll to use the new taint-tracking API (TaintTracking) and adds a ConstantDataSource for literals.

Reviewed Changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll New consumer class capturing algorithm arguments for EVP_PKEY calls
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/OpenSSLAlgorithmValueConsumers.qll Imports the new PKey algorithm value consumer
cpp/ql/lib/experimental/quantum/Language.qll Switches to TaintTracking API and adds ConstantDataSource
Comments suppressed due to low confidence (2)

cpp/ql/lib/experimental/quantum/Language.qll:110

  • The DataFlow::ConfigSig interface is referenced but DataFlow is no longer imported; add back import semmle.code.cpp.dataflow.new.DataFlow or update this to use TaintTracking.
module ArtifactUniversalFlowConfig implements DataFlow::ConfigSig {

cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll:10

  • No unit tests have been added for this new consumer; consider adding tests that cover each EVP_PKEY_* function case to validate correct data-flow modeling.
class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {

github-advanced-security[bot]
github-advanced-security bot found potential problems May 20, 2025
View reviewed changes
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/PKeyAlgorithmValueConsumer.qll

abstract class PKeyValueConsumer extends OpenSSLAlgorithmValueConsumer { }

class EVPPKeyAlgorithmConsumer extends PKeyValueConsumer {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPPKeyAlgorithmConsumer should be PascalCase/camelCase.
@nicolaswill nicolaswill changed the title Crypto: openssl PKEY algorithm value consumers. Quantum: Add OpenSSL PKEY algorithm value consumers. May 21, 2025
nicolaswill
nicolaswill reviewed May 21, 2025
View reviewed changes
cpp/ql/lib/experimental/quantum/Language.qll
@@ -86,6 +86,27 @@ module GenericDataSourceFlowConfig implements DataFlow::ConfigSig {
}
}

module GenericDataSourceFlow = TaintTracking::Global<GenericDataSourceFlowConfig>;

private class ConstantDataSource extends Crypto::GenericConstantSourceInstance instanceof Literal {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you test this with MRVA or DCA before merging? I worry the performance impact will be severe from this.

@nicolaswill nicolaswill self-requested a review May 21, 2025 16:59
@nicolaswill nicolaswill merged commit 9637aec into github:main May 21, 2025
13 checks passed
@nicolaswill nicolaswill deleted the openssl_pkey_alg_value_consumers branch May 21, 2025 17:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@nicolaswill nicolaswill nicolaswill approved these changes

Assignees
No one assigned
Labels
C++
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@bdrodes @nicolaswill