Adding an instantiation of the additional flow step class to automatically apply to generic dataflow. Flow step passthrough comes from the algorithm to getter flow passthroughs.

bdrodes · bdrodes · commit c83cb533ce4d · 2025-03-10T15:56:01.000-04:00
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSL.qll
@@ -8,6 +8,8 @@ module OpenSSLModel {
   import experimental.Quantum.OpenSSL.EVPCipherAlgorithmSource
   import experimental.Quantum.OpenSSL.EVPHashAlgorithmSource
   import experimental.Quantum.OpenSSL.Random
+  // Imports the additional algorithm flow step for OpenSSL
+  import experimental.Quantum.OpenSSL.OpenSSLAlgorithmGetter
 
 
 //   // TODO: trace CTX from init variants to the context arg of EVP update calls
diff --git a/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSLAlgorithmGetter.qll b/cpp/ql/lib/experimental/Quantum/OpenSSL/OpenSSLAlgorithmGetter.qll
@@ -4,6 +4,14 @@ import LibraryDetector
 import OpenSSLKnownAlgorithmConstants
 import experimental.Quantum.Language
 
+class OpenSSLAlgorithmAdditionalFlowStep extends AdditionalFlowInputStep {
+  OpenSSLAlgorithmAdditionalFlowStep() { exists(AlgorithmPassthroughCall c | c.getInNode() = this) }
+
+  override DataFlow::Node getOutput() {
+    exists(AlgorithmPassthroughCall c | c.getInNode() = this and c.getOutNode() = result)
+  }
+}
+
 module AlgGetterToAlgConsumerConfig implements DataFlow::ConfigSig {
   predicate isSource(DataFlow::Node source) {
     exists(OpenSSLAlgorithmGetterCall c | c.getResultNode() = source)
