Skip to content

Quantum: Add Open Quantum Safe (OQS) provider signing model #19574

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 3 commits into from

Conversation

GrosQuildu
Copy link

No description provided.

@Copilot Copilot AI review requested due to automatic review settings May 23, 2025 16:14
@GrosQuildu GrosQuildu requested review from a team as code owners May 23, 2025 16:14
@github-actions github-actions bot added the C++ label May 23, 2025
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements initial support for signature operations in the quantum OpenSSL provider while refactoring existing modules to integrate the new functionality. Key changes include:

  • Addition of comprehensive test cases for OpenSSL cryptographic operations in C.
  • Integration of signature-specific operations and algorithm consumers/instances in the QL queries.
  • Refactoring and unification of the base operation classes for EVP operations.

Reviewed Changes

Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.

Show a summary per file
File Description
cpp/ql/test/library-tests/quantum/openssl/openssl_cipher.c Adds test code demonstrating various OpenSSL cryptographic operations.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll Imports the new signature operation support.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll Updates base classes to support both cipher and signature operations.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll Introduces new classes for modeling EVP signature operations.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll Refactors hash operation flows to use updated base classes.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll Refactors cipher operations to leverage new EVPOperation abstractions.
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/SignatureAlgorithmValueConsumer.qll Adds a new consumer for signature algorithms.
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll Provides support for signature algorithm instance modeling.
Comments suppressed due to low confidence (1)

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll:13

  • [nitpick] The class name 'EVP_Cipher_Initializer' is misleading in the context of signature operations. It is recommended to rename it to 'EVP_Signature_Initializer' to better reflect its purpose.
abstract class EVP_Cipher_Initializer extends EVPInitialize {

@@ -0,0 +1,221 @@
#include <openssl/evp.h>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Keep an eye out for the next PR (not merged as of this message), that includes the first round of tests. They are being moved under experimental. These will need to be moved to a similar location.

@nicolaswill nicolaswill self-requested a review May 27, 2025 23:13
@nicolaswill nicolaswill changed the title Signature work for OQS provider Quantum: Add Open Quantum Safe (OQS) provider signing model May 27, 2025
/**
* Gets the signature algorithm type based on the normalized algorithm name.
*/
private predicate knownOpenSSLConstantToSignatureFamilyType(

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in knownOpenSSLConstantToSignatureFamilyType should be PascalCase/camelCase.
/**
* A signature algorithm instance derived from an OpenSSL constant.
*/
class KnownOpenSSLSignatureConstantAlgorithmInstance extends OpenSSLAlgorithmInstance,

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in KnownOpenSSLSignatureConstantAlgorithmInstance should be PascalCase/camelCase.
result = KeyOpAlg::TSignature(KeyOpAlg::OtherSignatureAlgorithmType())
}

override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall }

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in getAVC should be PascalCase/camelCase.

abstract class SignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { }

class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPSignatureAlgorithmValueConsumer should be PascalCase/camelCase.
class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer {
DataFlow::Node valueArgNode;
DataFlow::Node resultNode;
Function consumer;

Check notice

Code scanning / CodeQL

Field only used in CharPred Note

Field is only used in CharPred.
Expr getIVArg() { none() }
}

abstract class EVPUpdate extends Call {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPUpdate should be PascalCase/camelCase.
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>;


abstract class EVPOperation extends Crypto::OperationInstance {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPOperation should be PascalCase/camelCase.
Comment on lines +68 to +69
if exists(this.getInitCall()) then result = this.getInitCall().getAlgorithmArg()
else none()

Check warning

Code scanning / CodeQL

Use of 'if' with a 'none()' branch. Warning

Use a conjunction instead.
}

abstract class EVPFinal extends EVPOperation {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPFinal should be PascalCase/camelCase.
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() }
}

abstract class EVPOneShot extends EVPOperation {

Check warning

Code scanning / CodeQL

Acronyms should be PascalCase/camelCase. Warning

Acronyms in EVPOneShot should be PascalCase/camelCase.
@GrosQuildu GrosQuildu closed this May 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants