Quantum: Add base classes for OpenSSL EVP methods #19607

GrosQuildu · 2025-05-28T12:37:47Z

Changes OpenSSLOperation and adds base classes for OpenSSL's EVP API. Mostly a refactor to make existing code nicer.
The PR fixes some tests too.
Made on top of #19564

Copilot

Pull Request Overview

This PR adds foundational QL modeling for OpenSSL operations under the experimental quantum API and introduces corresponding library-tests for both hash and cipher operations.

Introduces base and specialized QL classes for EVP crypto operations (hash, cipher, keygen, etc.)
Adds new .ql queries under library-tests/quantum/openssl and their expected result files
Updates CODEOWNERS to include deeper experimental paths and imports EVPSignatureOperation

Reviewed Changes

Copilot reviewed 25 out of 25 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
cpp/ql/test/experimental/library-tests/quantum/openssl/*.ql	New test queries for hash, cipher, key, and nonce sources
cpp/ql/test/experimental/library-tests/quantum/openssl/*.expected	Expected output for the new test queries
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll	Imported `EVPSignatureOperation` into main operations
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll	Added context flow, algorithm consumer, and base methods
cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVP*.qll	Refactored individual EVP operation classes
cpp/ql/lib/experimental/quantum/OpenSSL/CtxFlow.qll	Extended context type matching for CTX flow
CODEOWNERS	Broadened experimental/quantum path pattern

Comments suppressed due to low confidence (3)

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperations.qll:5

You’ve added EVPSignatureOperation to the main operations import but there are no corresponding tests for signature flows. Consider adding library-tests for signature init, update, and final calls to ensure full coverage.

import EVPSignatureOperation

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/OpenSSLOperationBase.qll:111

[nitpick] The newly added abstract method getOutputArg lacks a doc comment. Adding a brief description will help maintainers understand its contract and intended use.

abstract Expr getOutputArg();

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/ECKeyGenOperation.qll:15

In getOutputKeyArtifact you’re using result.asExpr() whereas most other output artifacts use asDefiningArgument(). Verify that this correctly models the artifact’s definition point in the dataflow.

result.asExpr() = this.(Call).getArgument(0)

Copilot · 2025-05-28T12:40:35Z

cpp/ql/lib/experimental/quantum/OpenSSL/Operations/EVPHashOperation.qll


-  override Crypto::ConsumerInputDataFlowNode getInputConsumer() { result = this.getInputNode() }
+  override Crypto::ArtifactOutputDataFlowNode getOutputArtifact() {


[nitpick] There’s repeated boilerplate in many EVP* classes for overriding getOutputArtifact and getInputConsumer just to call the super implementation. Consider moving those common overrides into a shared intermediate base to reduce duplication.

Copilot · 2025-05-28T12:40:35Z

CODEOWNERS

@@ -16,7 +16,7 @@
 /java/ql/test-kotlin2/ @github/codeql-kotlin

 # Experimental CodeQL cryptography
-**/experimental/quantum/ @github/ps-codeql
+**/experimental/**/quantum/ @github/ps-codeql


[nitpick] The new glob **/experimental/**/quantum/ may match more paths than intended. If you only want the QL modules under a specific directory, consider narrowing the pattern to avoid unintended CODEOWNERS assignments.

Suggested change

**/experimental/**/quantum/ @github/ps-codeql

/experimental/cryptography/quantum/ @github/ps-codeql