-
Notifications
You must be signed in to change notification settings - Fork 1.7k
Quantum: Add Open Quantum Safe (OQS) provider signing model #19574
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
This PR implements initial support for signature operations in the quantum OpenSSL provider while refactoring existing modules to integrate the new functionality. Key changes include:
- Addition of comprehensive test cases for OpenSSL cryptographic operations in C.
- Integration of signature-specific operations and algorithm consumers/instances in the QL queries.
- Refactoring and unification of the base operation classes for EVP operations.
Reviewed Changes
Copilot reviewed 12 out of 12 changed files in this pull request and generated no comments.
Show a summary per file
File | Description |
---|---|
cpp/ql/test/library-tests/quantum/openssl/openssl_cipher.c | Adds test code demonstrating various OpenSSL cryptographic operations. |
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll | Imports the new signature operation support. |
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll | Updates base classes to support both cipher and signature operations. |
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll | Introduces new classes for modeling EVP signature operations. |
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll | Refactors hash operation flows to use updated base classes. |
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll | Refactors cipher operations to leverage new EVPOperation abstractions. |
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/SignatureAlgorithmValueConsumer.qll | Adds a new consumer for signature algorithms. |
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll | Provides support for signature algorithm instance modeling. |
Comments suppressed due to low confidence (1)
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPSignatureOperation.qll:13
- [nitpick] The class name 'EVP_Cipher_Initializer' is misleading in the context of signature operations. It is recommended to rename it to 'EVP_Signature_Initializer' to better reflect its purpose.
abstract class EVP_Cipher_Initializer extends EVPInitialize {
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/AlgorithmInstances/SignatureAlgorithmInstance.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll
Show resolved
Hide resolved
@@ -0,0 +1,221 @@ | |||
#include <openssl/evp.h> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Keep an eye out for the next PR (not merged as of this message), that includes the first round of tests. They are being moved under experimental. These will need to be moved to a similar location.
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll
Show resolved
Hide resolved
...lib/experimental/quantum/OpenSSL/AlgorithmValueConsumers/SignatureAlgorithmValueConsumer.qll
Show resolved
Hide resolved
/** | ||
* Gets the signature algorithm type based on the normalized algorithm name. | ||
*/ | ||
private predicate knownOpenSSLConstantToSignatureFamilyType( |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
/** | ||
* A signature algorithm instance derived from an OpenSSL constant. | ||
*/ | ||
class KnownOpenSSLSignatureConstantAlgorithmInstance extends OpenSSLAlgorithmInstance, |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
result = KeyOpAlg::TSignature(KeyOpAlg::OtherSignatureAlgorithmType()) | ||
} | ||
|
||
override OpenSSLAlgorithmValueConsumer getAVC() { result = getterCall } |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
|
||
abstract class SignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { } | ||
|
||
class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
class EVPSignatureAlgorithmValueConsumer extends OpenSSLAlgorithmValueConsumer { | ||
DataFlow::Node valueArgNode; | ||
DataFlow::Node resultNode; | ||
Function consumer; |
Check notice
Code scanning / CodeQL
Field only used in CharPred Note
Expr getIVArg() { none() } | ||
} | ||
|
||
abstract class EVPUpdate extends Call { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
private module AlgGetterToAlgConsumerFlow = DataFlow::Global<AlgGetterToAlgConsumerConfig>; | ||
|
||
|
||
abstract class EVPOperation extends Crypto::OperationInstance { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
if exists(this.getInitCall()) then result = this.getInitCall().getAlgorithmArg() | ||
else none() |
Check warning
Code scanning / CodeQL
Use of 'if' with a 'none()' branch. Warning
} | ||
|
||
abstract class EVPFinal extends EVPOperation { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
override Expr getInputArg() { result = this.getUpdateCalls().getInputArg() } | ||
} | ||
|
||
abstract class EVPOneShot extends EVPOperation { |
Check warning
Code scanning / CodeQL
Acronyms should be PascalCase/camelCase. Warning
No description provided.