Quantum: Add Open Quantum Safe (OQS) provider signing model #19574
Conversation
There was a problem hiding this comment.
Pull Request Overview
This PR implements initial support for signature operations in the quantum OpenSSL provider while refactoring existing modules to integrate the new functionality. Key changes include:
- Addition of comprehensive test cases for OpenSSL cryptographic operations in C.
- Integration of signature-specific operations and algorithm consumers/instances in the QL queries.
- Refactoring and unification of the base operation classes for EVP operations.
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
| cpp/ql/test/library-tests/quantum/openssl/openssl_cipher.c | Adds test code demonstrating various OpenSSL cryptographic operations. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll | Imports the new signature operation support. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll | Updates base classes to support both cipher and signature operations. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll | Introduces new classes for modeling EVP signature operations. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll | Refactors hash operation flows to use updated base classes. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll | Refactors cipher operations to leverage new EVPOperation abstractions. |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/SignatureAlgorithmValueConsumer.qll | Adds a new consumer for signature algorithms. |
| cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll | Provides support for signature algorithm instance modeling. |
Comments suppressed due to low confidence (1)
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll:13
- [nitpick] The class name 'EVP_Cipher_Initializer' is misleading in the context of signature operations. It is recommended to rename it to 'EVP_Signature_Initializer' to better reflect its purpose.
abstract class EVP_Cipher_Initializer extends EVPInitialize {
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll
Show resolved
Hide resolved
| @@ -0,0 +1,221 @@ | |||
| #include <openssl/evp.h> | |||
There was a problem hiding this comment.
Keep an eye out for the next PR (not merged as of this message), that includes the first round of tests. They are being moved under experimental. These will need to be moved to a similar location.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
...lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/SignatureAlgorithmValueConsumer.qll
Show resolved
Hide resolved
nicolaswill
changed the title
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| /** | ||
| * Gets the signature algorithm type based on the normalized algorithm name. | ||
| */ | ||
| private predicate knownOpenSSLConstantToSignatureFamilyType( |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| /** | ||
| * A signature algorithm instance derived from an OpenSSL constant. | ||
| */ | ||
| class KnownOpenSSLSignatureConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| result = KeyOpAlg::TSignature(KeyOpAlg::OtherSignatureAlgorithmType()) | ||
| } | ||
|
|
||
| override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall } |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
|
|
||
| abstract class SignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { } | ||
|
|
||
| class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { | ||
| DataFlow::Node valueArgNode; | ||
| DataFlow::Node resultNode; | ||
| Function consumer; |
Check notice
Code scanning / CodeQL
Field only used in CharPred Note
| Expr getIVArg() { none() } | ||
| } | ||
|
|
||
| abstract class EVPUpdate extends Call { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>; | ||
|
|
||
|
|
||
| abstract class EVPOperation extends Crypto::OperationInstance { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| if exists(this.getInitCall()) then result = this.getInitCall().getAlgorithmArg() | ||
| else none() |
Check warning
Code scanning / CodeQL
Use of 'if' with a 'none()' branch. Warning
| } | ||
|
|
||
| abstract class EVPFinal extends EVPOperation { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
| override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() } | ||
| } | ||
|
|
||
| abstract class EVPOneShot extends EVPOperation { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
No description provided.