Activate CodeQL Github action

Author: Martyrshot

.github/workflows/codeql.yml

@@ -21,33 +21,74 @@ jobs:
         language: [ 'cpp' ]
 
     steps:
+    - name: Setup directories
+      run: |
+        mkdir $HOME/OQS-bind
+        mkdir $HOME/local_deps
+        mkdir $HOME/local_deps/oqs
+        mkdir $HOME/local_deps/ossl
+
     - name: Checkout repository
       uses: actions/checkout@v3
+      with:
+        path: ${{ runner.workspace }}/OQS-bind
 
     - name: Install build dependencies
       uses: awalsh128/cache-apt-pkgs-action@latest
       with:
-        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply
+        packages: liburcu-dev libuv1-dev libssl-dev libnghttp2-dev libxml2-dev liblmdb-dev libjson-c-dev pkg-config autoconf automake autotools-dev libtool-bin libjemalloc-dev libedit-dev libcap-dev libidn2-dev libkrb5-dev libmaxminddb-dev zlib1g-dev python3-ply astyle cmake gcc ninja-build python3-pytest python3-pytest-xdist unzip xsltproc doxygen graphviz python3-yaml valgrind
+
         version: 1.0
+    - name: Install liboqs
+      run: |
+        git clone https://github.com/open-quantum-safe/liboqs.git
+        cd liboqs
+        mkdir build
+        cd build
+        cmake -GNinja .. -DCMAKE_INSTALL_PREFIX=$liboqs_DIR && ninja && ninja run_tests && ninja install
+      env:
+        liboqs_DIR: ${{ runner.workspace }}/local_deps/oqs
+    - name: Install Openssl3.2.0-alpha2
+      run: |
+        git clone --branch openssl-3.2.0-alpha2 https://github.com/openssl/openssl.git
+        cd openssl
+        ./Configure --prefix=$OPENSSL_ROOT_DIR --openssldir=$OPENSSL_ROOT_DIR no-docs -lm && make && make $NPROC install LIBDIR=lib
+      env:
+        OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
+
+    - name: Install OQS-provider
+      run: |
+        git clone https://github.com/open-quantum-safe/oqs-provider.git
+        cd oqs-provider
+        cmake -S . -B _build && cmake --build _build && ctest --test-dir _build && cmake --install _build
+      env:
+        OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
+        liboqs_DIR: ${{ runner.workspace }}/local_deps/oqs
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
       uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
 
-    - name: Autobuild
-      uses: github/codeql-action/autobuild@v2
+    #- name: Autobuild
+      #uses: github/codeql-action/autobuild@v2
+      #env:
+      #  OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
 
     #   If the Autobuild fails above, remove it and uncomment the following three lines.
     #   modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance.
-
-    # - run: |
-    #   echo "Run, Build Application using script"
-    #   ./location_of_script_within_repo/buildscript.sh
+    - name: Build bind9
+      run: |
+        cd ${{ runner.workspace }}/OQS-bind
+        autoreconf -fi
+        ./configure CFLAGS="-Wl,--no-as-needed" LIBS="-ldl" --with-openssl=$OPENSSL_ROOT_DIR
+        make -j $NPROC
+      env:
+        OPENSSL_ROOT_DIR: ${{ runner.workspace }}/local_deps/ossl
 
     - name: Perform CodeQL Analysis
       uses: github/codeql-action/analyze@v2

bin/dnssec/dnssec-keygen.c

@@ -828,7 +828,6 @@ keygen(keygen_ctx_t *ctx, isc_mem_t *mctx, int argc, char **argv) {
 				}
 			}
 			dst_key_free(&key);
-
 		}
 	} while (conflict);
 
@@ -885,7 +884,8 @@ main(int argc, char **argv) {
 	int ch;
 	bool set_fips_mode = false;
 #if OPENSSL_VERSION_NUMBER >= 0x30200000L && OPENSSL_API_LEVEL >= 30200
-	OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL, *default_provider = NULL;
+	OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL,
+		      *default_provider = NULL;
 #endif
 
 	keygen_ctx_t ctx = {

bin/dnssec/dnssec-signzone.c

@@ -106,11 +106,13 @@ static int nsec_datatype = dns_rdatatype_nsec;
 		     "dns_dbiterator_current()")
 
 #define IS_NSEC3  (nsec_datatype == dns_rdatatype_nsec3)
-#define OPTOUT(x) (((x)&DNS_NSEC3FLAG_OPTOUT) != 0)
+#define OPTOUT(x) (((x) & DNS_NSEC3FLAG_OPTOUT) != 0)
 
 #define REVOKE(x) ((dst_key_flags(x) & DNS_KEYFLAG_REVOKE) != 0)
 
-#define BUFSIZE	  8192 // OQS increased from 2049 to 8192 to account for SPHINCS+ 128S signatures.
+#define BUFSIZE \
+	8192 // OQS increased from 2049 to 8192 to account for SPHINCS+ 128S
+	     // signatures.
 #define MAXDSKEYS 8
 
 #define SIGNER_EVENTCLASS  ISC_EVENTCLASS(0x4453)
@@ -3372,7 +3374,8 @@ main(int argc, char *argv[]) {
 	bool nonsecify = false;
 	bool set_fips_mode = false;
 #if OPENSSL_VERSION_NUMBER >= 0x30200000L && OPENSSL_API_LEVEL >= 30200
-	OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL, *default_provider = NULL;
+	OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL,
+		      *default_provider = NULL;
 #endif
 
 	atomic_init(&shuttingdown, false);

bin/named/main.c

@@ -154,7 +154,8 @@ static bool disable6 = false;
 static bool disable4 = false;
 
 #if OPENSSL_VERSION_NUMBER >= 0x30200000L && OPENSSL_API_LEVEL >= 30200
-static OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL, *default_provider = NULL;
+static OSSL_PROVIDER *fips = NULL, *base = NULL, *oqs = NULL,
+		     *default_provider = NULL;
 #endif
 
 void
@@ -1562,7 +1563,8 @@ main(int argc, char *argv[]) {
 		ERR_clear_error();
 		named_main_earlyfatal("Failed to load default provider");
 	}
-#endif /* if OPENSSL_VERSION_NUMER >= 0x30200000L && OPENSSL_API_LEVEL >= 30200 */
+#endif /* if OPENSSL_VERSION_NUMER >= 0x30200000L && OPENSSL_API_LEVEL >= \
+	  30200 */
 #ifdef ENABLE_AFL
 	if (named_g_fuzz_type != isc_fuzz_none) {
 		named_fuzz_setup();

configure.ac

@@ -697,12 +697,17 @@ AM_CONDITIONAL([USE_ISC_RWLOCK], [test "$enable_pthread_rwlock" != "yes"])
 CRYPTO=OpenSSL
 
 #
-# OpenSSL/LibreSSL is mandatory
+# OpenSSL is mandatory
 #
-PKG_CHECK_MODULES([OPENSSL], [libssl libcrypto], [PKG_CHECK_VERSION([OPENSSL_VERSION], [openssl])],
-		  [AX_CHECK_OPENSSL([:], [AC_MSG_FAILURE([OpenSSL/LibreSSL not found])])])
+AX_CHECK_OPENSSL([:], [AC_MSG_FAILURE([OpenSSL not found])])
 
 AX_SAVE_FLAGS([openssl])
+CFLAGS="$OPENSSL_CFLAGS $CFLAGS"
+LIBS="$OPENSSL_LIBS $LIBS"
+AC_MSG_NOTICE(["OPENSSL_CFLAGS=${OPENSSL_CFLAGS}"])
+AC_MSG_NOTICE(["OPENSSL_LIBS=${OPENSSL_LIBS}"])
+AC_MSG_NOTICE(["OPENSSL_LDFLAGS=${OPENSSL_LDFLAGS}"])
+AC_MSG_NOTICE(["OPENSSL_VERSION=${OPENSSL_VERSION}"])
 
 CFLAGS="$OPENSSL_CFLAGS $CFLAGS"
 LIBS="$OPENSSL_LIBS $LIBS"
@@ -718,7 +723,7 @@ AC_COMPILE_IFELSE(
     [AC_MSG_FAILURE([not found])])
 
 #
-# Check for functions added in OpenSSL or LibreSSL
+# Check for functions added in OpenSSL
 #
 
 AC_CHECK_FUNCS([BIO_read_ex BIO_write_ex])

lib/dns/adb.c

@@ -457,8 +457,8 @@ enum {
  * These are currently used on simple unsigned ints, so they are
  * not really associated with any particular type.
  */
-#define WANT_INET(x)  (((x)&DNS_ADBFIND_INET) != 0)
-#define WANT_INET6(x) (((x)&DNS_ADBFIND_INET6) != 0)
+#define WANT_INET(x)  (((x) & DNS_ADBFIND_INET) != 0)
+#define WANT_INET6(x) (((x) & DNS_ADBFIND_INET6) != 0)
 
 #define EXPIRE_OK(exp, now) ((exp == INT_MAX) || (exp < now))
 
@@ -469,7 +469,7 @@ enum {
  */
 #define STARTATZONE_MATCHES(nf, o)                  \
 	(((nf)->flags & DNS_ADBFIND_STARTATZONE) == \
-	 ((o)&DNS_ADBFIND_STARTATZONE))
+	 ((o) & DNS_ADBFIND_STARTATZONE))
 
 #define ENTER_LEVEL  ISC_LOG_DEBUG(50)
 #define CLEAN_LEVEL  ISC_LOG_DEBUG(100)

lib/dns/dnssec.c

@@ -1155,7 +1155,7 @@ dns_dnssec_verifymessage(isc_buffer_t *source, dns_message_t *msg,
 	dns_rdata_toregion(&rdata, &r);
 	r.length -= sig.siglen;
 	RETERR(dst_context_adddata(ctx, &r));
-	
+
 	/*
 	 * If this is a response, digest the query.
 	 */

lib/dns/dst_api.c

@@ -231,7 +231,7 @@ dst_lib_init(isc_mem_t *mctx, const char *engine) {
 	RETERR(dst__openssloqs_init(&dst_t_func[DST_ALG_FALCON512]));
 	RETERR(dst__openssloqs_init(&dst_t_func[DST_ALG_DILITHIUM2]));
 	RETERR(dst__openssloqs_init(&dst_t_func[DST_ALG_SPHINCSSHA256128S]));
-	
+
 	dst_initialized = true;
 	return (ISC_R_SUCCESS);
 

lib/dns/dst_parse.c

@@ -70,60 +70,63 @@ struct parse_map {
 	const char *tag;
 };
 
-static struct parse_map map[] = { { TAG_RSA_MODULUS, "Modulus:" },
-				  { TAG_RSA_PUBLICEXPONENT, "PublicExponent:" },
-				  { TAG_RSA_PRIVATEEXPONENT, "PrivateExponent"
-							     ":" },
-				  { TAG_RSA_PRIME1, "Prime1:" },
-				  { TAG_RSA_PRIME2, "Prime2:" },
-				  { TAG_RSA_EXPONENT1, "Exponent1:" },
-				  { TAG_RSA_EXPONENT2, "Exponent2:" },
-				  { TAG_RSA_COEFFICIENT, "Coefficient:" },
-				  { TAG_RSA_ENGINE, "Engine:" },
-				  { TAG_RSA_LABEL, "Label:" },
-
-				  { TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
-				  { TAG_ECDSA_ENGINE, "Engine:" },
-				  { TAG_ECDSA_LABEL, "Label:" },
-
-				  { TAG_EDDSA_PRIVATEKEY, "PrivateKey:" },
-				  { TAG_EDDSA_ENGINE, "Engine:" },
-				  { TAG_EDDSA_LABEL, "Label:" },
-
-				  { TAG_HMACMD5_KEY, "Key:" },
-				  { TAG_HMACMD5_BITS, "Bits:" },
-
-				  { TAG_HMACSHA1_KEY, "Key:" },
-				  { TAG_HMACSHA1_BITS, "Bits:" },
-
-				  { TAG_HMACSHA224_KEY, "Key:" },
-				  { TAG_HMACSHA224_BITS, "Bits:" },
-
-				  { TAG_HMACSHA256_KEY, "Key:" },
-				  { TAG_HMACSHA256_BITS, "Bits:" },
-
-				  { TAG_HMACSHA384_KEY, "Key:" },
-				  { TAG_HMACSHA384_BITS, "Bits:" },
-
-				  { TAG_HMACSHA512_KEY, "Key:" },
-				  { TAG_HMACSHA512_BITS, "Bits:" },
-
-				  { TAG_FALCON512_PRIVATEKEY, "PrivateKey:" },
-				  { TAG_FALCON512_PUBLICKEY, "PublicKey:" },
-				  { TAG_FALCON512_ENGINE, "Engine:" }, // Probably won't use for now
-				  { TAG_FALCON512_LABEL, "Label:" }, // Probably won't use for now
-				  
-				  { TAG_DILITHIUM2_PRIVATEKEY, "PrivateKey:" },
-				  { TAG_DILITHIUM2_PUBLICKEY, "PublicKey:" },
-				  { TAG_DILITHIUM2_ENGINE, "Engine:" }, // Probably won't use for now
-				  { TAG_DILITHIUM2_LABEL, "Label:" }, // Probably won't use for now
-				  
-				  { TAG_SPHINCSSHA256128S_PRIVATEKEY, "PrivateKey:" },
-				  { TAG_SPHINCSSHA256128S_PUBLICKEY, "PublicKey:" },
-				  { TAG_SPHINCSSHA256128S_ENGINE, "Engine:" }, // Probably won't use for now
-				  { TAG_SPHINCSSHA256128S_LABEL, "Label:" }, // Probably won't use for now
-				  
-				  { 0, NULL } };
+static struct parse_map map[] = {
+	{ TAG_RSA_MODULUS, "Modulus:" },
+	{ TAG_RSA_PUBLICEXPONENT, "PublicExponent:" },
+	{ TAG_RSA_PRIVATEEXPONENT, "PrivateExponent"
+				   ":" },
+	{ TAG_RSA_PRIME1, "Prime1:" },
+	{ TAG_RSA_PRIME2, "Prime2:" },
+	{ TAG_RSA_EXPONENT1, "Exponent1:" },
+	{ TAG_RSA_EXPONENT2, "Exponent2:" },
+	{ TAG_RSA_COEFFICIENT, "Coefficient:" },
+	{ TAG_RSA_ENGINE, "Engine:" },
+	{ TAG_RSA_LABEL, "Label:" },
+
+	{ TAG_ECDSA_PRIVATEKEY, "PrivateKey:" },
+	{ TAG_ECDSA_ENGINE, "Engine:" },
+	{ TAG_ECDSA_LABEL, "Label:" },
+
+	{ TAG_EDDSA_PRIVATEKEY, "PrivateKey:" },
+	{ TAG_EDDSA_ENGINE, "Engine:" },
+	{ TAG_EDDSA_LABEL, "Label:" },
+
+	{ TAG_HMACMD5_KEY, "Key:" },
+	{ TAG_HMACMD5_BITS, "Bits:" },
+
+	{ TAG_HMACSHA1_KEY, "Key:" },
+	{ TAG_HMACSHA1_BITS, "Bits:" },
+
+	{ TAG_HMACSHA224_KEY, "Key:" },
+	{ TAG_HMACSHA224_BITS, "Bits:" },
+
+	{ TAG_HMACSHA256_KEY, "Key:" },
+	{ TAG_HMACSHA256_BITS, "Bits:" },
+
+	{ TAG_HMACSHA384_KEY, "Key:" },
+	{ TAG_HMACSHA384_BITS, "Bits:" },
+
+	{ TAG_HMACSHA512_KEY, "Key:" },
+	{ TAG_HMACSHA512_BITS, "Bits:" },
+
+	{ TAG_FALCON512_PRIVATEKEY, "PrivateKey:" },
+	{ TAG_FALCON512_PUBLICKEY, "PublicKey:" },
+	{ TAG_FALCON512_ENGINE, "Engine:" }, // Probably won't use for now
+	{ TAG_FALCON512_LABEL, "Label:" },   // Probably won't use for now
+
+	{ TAG_DILITHIUM2_PRIVATEKEY, "PrivateKey:" },
+	{ TAG_DILITHIUM2_PUBLICKEY, "PublicKey:" },
+	{ TAG_DILITHIUM2_ENGINE, "Engine:" }, // Probably won't use for now
+	{ TAG_DILITHIUM2_LABEL, "Label:" },   // Probably won't use for now
+
+	{ TAG_SPHINCSSHA256128S_PRIVATEKEY, "PrivateKey:" },
+	{ TAG_SPHINCSSHA256128S_PUBLICKEY, "PublicKey:" },
+	{ TAG_SPHINCSSHA256128S_ENGINE, "Engine:" }, // Probably won't use for
+						     // now
+	{ TAG_SPHINCSSHA256128S_LABEL, "Label:" }, // Probably won't use for now
+
+	{ 0, NULL }
+};
 
 static int
 find_value(const char *s, const unsigned int alg) {
@@ -341,10 +344,10 @@ check_hmac_sha(const dst_private_t *priv, unsigned int ntags,
 // we only need to use one of the algorithms tags. This is define is
 // to make the code below easier to read.
 
-#define TAG_OQS_LABEL TAG_FALCON512_LABEL
-#define TAG_OQS_ENGINE TAG_FALCON512_ENGINE
+#define TAG_OQS_LABEL	   TAG_FALCON512_LABEL
+#define TAG_OQS_ENGINE	   TAG_FALCON512_ENGINE
 #define TAG_OQS_PRIVATEKEY TAG_FALCON512_PRIVATEKEY
-#define TAG_OQS_PUBLICKEY TAG_FALCON512_PUBLICKEY
+#define TAG_OQS_PUBLICKEY  TAG_FALCON512_PUBLICKEY
 
 static int
 check_oqs(const dst_private_t *priv, const unsigned int alg, bool external) {
@@ -376,8 +379,8 @@ check_oqs(const dst_private_t *priv, const unsigned int alg, bool external) {
 	if (have[TAG_OQS_ENGINE & mask]) {
 		ok = have[TAG_OQS_LABEL & mask];
 	} else {
-		ok = have[TAG_OQS_PRIVATEKEY & mask]
-			&& have[TAG_OQS_PUBLICKEY & mask];
+		ok = have[TAG_OQS_PRIVATEKEY & mask] &&
+		     have[TAG_OQS_PUBLICKEY & mask];
 	}
 	return (ok ? 0 : -1);
 }