Crypto: Model OpenSSL intermediate digest operations #19521
Merged
nicolaswill merged 3 commits into github:main from May 19, 2025
…eling final and update digest separately).
…nd EVP_Final_Call used for ciphers to explicitly say "Cipher", e.g., EVP_Cipher_Update_Call. This is also consistent with the new analogous digest operations.
Pull Request Overview
This PR enhances the OpenSSL quantum library by adding intermediate modeling for EVP digest update/final calls and improving the algorithm-value flow in hash operations.
- Override `getAnAlgorithmValueConsumer` in `EVP_Hash_Operation` to propagate the algorithm from the init call.
- Introduce `EVP_Digest_Update_Call` and `EVP_Digest_Final_Call` classes for intermediate digest calls.
- Rename intermediate cipher call classes in `EVPCipherOperation.qll` to `EVP_Cipher_Update_Call` and `EVP_Cipher_Final_Call` for naming consistency.
Reviewed Changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll | Added algorithm-value override and new digest intermediate call classes. |
| cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPCipherOperation.qll | Renamed intermediate cipher call classes to include Cipher prefix. |
Comments suppressed due to low confidence (2)
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll:31
- [nitpick] Remove the large commented-out code blocks and TODO comments (lines 31-101) or move them to issue trackers/documentation to improve readability.
// // override Crypto::AlgorithmValueConsumer getAnAlgorithmValueConsumer() {
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll:103
- Introduce unit tests for the new `EVP_Digest_Update_Call` and `EVP_Digest_Final_Call` classes to verify their data‐flow modeling.
class EVP_Digest_Update_Call extends Call {
| // } | ||
| // } | ||
|
|
||
| // NOTE: not modeled as hash operations, these are intermediate calls |
[nitpick] Add a concise doc comment above the EVP_Digest_Update_Call and EVP_Digest_Final_Call classes to explain their intended data‐flow role.
Suggested change
| // NOTE: not modeled as hash operations, these are intermediate calls | |
| /** | |
| * Represents an intermediate call to `EVP_DigestUpdate`, which processes | |
| * additional input data for a digest operation. This class models the | |
| * data flow of the input and context arguments used in the update step. | |
| */ |
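Review bot: the suggested doc comment replaces the NOTE line but describes only `EVP_DigestUpdate`, so the statement that these calls are intermediate and not modeled as hash operations is lost, and `EVP_Digest_Final_Call` is left without a comment. Keep the NOTE's point inside the doc comment and add a matching comment above `EVP_Digest_Final_Call`.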
…s for the OpenSSL.qll model.
nicolaswill approved these changes May 19, 2025
Adds digest modeling for 'update' and 'final' calls in openssl.