search

open-quantum-safe / liboqs

C library for prototyping and experimenting with quantum-resistant cryptography
https://openquantumsafe.org/
Other
1.92k stars 466 forks source link

Add CodeQL query to enforce OpenSSL return code handling #1867

Open SWilson4 opened 4 months ago

SWilson4 commented 4 months ago

To prevent issues similar to #1862.

@trailofbits used the following query to detect #1862:

import  cpp

from  FunctionCall  call, Function f 
where
  f = call.getTarget()  and 
  // function name starts with EVP 
  f.getName().matches(  "EVP%"  )  and 
  // and the function does not return a pointer or void 
  not  f.getType() instanceof PointerType  and 
  not  f.getType() instanceof VoidType  and 
  // and the function is not guarded by the OQS_OPENSSL_GUARD macro 
  not  exists(MacroAccess m | 
    m.getLocation().subsumes(call.getLocation())  and 
    m.getMacroName() =  "OQS_OPENSSL_GUARD" 
  )
select call