diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll index 48e9d1326fc..9af62fdfa97 100644 --- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll +++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll @@ -1,67 +1,57 @@ import cpp import WindowsCng -predicate vulnerableCngFunctionName(string name) { - name in ["BCryptSignHash", "BCryptEncrypt"] -} +predicate vulnerableCngFunctionName(string name) { name in ["BCryptSignHash", "BCryptEncrypt"] } -predicate vulnerableCngFunction(Function f) -{ - exists(string name | f.hasGlobalName(name) and vulnerableCngFunctionName(name)) +predicate vulnerableCngFunction(Function f) { + exists(string name | f.hasGlobalName(name) and vulnerableCngFunctionName(name)) } //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.) -predicate isExprKeyHandleForBCryptSignHash(Expr e){ - exists( FunctionCall call | - e = call.getArgument(0) - and - vulnerableCngFunction(call.getTarget()) - ) +predicate isExprKeyHandleForBCryptSignHash(Expr e) { + exists(FunctionCall call | + e = call.getArgument(0) and + vulnerableCngFunction(call.getTarget()) + ) } class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink { - BCryptSignHashArgumentSink() { - isExprKeyHandleForBCryptSignHash(this.asExpr()) - } + BCryptSignHashArgumentSink() { isExprKeyHandleForBCryptSignHash(this.asExpr()) } } class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource { - BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() { - this.asExpr() instanceof StringLiteral and - ( - this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] - or this.asExpr().getValue().matches("ECDH%") - or this.asExpr().getValue().matches("RSA%") - ) - } + BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() { + this.asExpr() instanceof StringLiteral and + ( + this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] or + this.asExpr().getValue().matches("ECDH%") or + this.asExpr().getValue().matches("RSA%") + ) + } } -predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) -{ - exists( FunctionCall call | - // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used - node1.asExpr() = call.getArgument(1) - and - call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider") - and - node2.asDefiningArgument() = call.getArgument(0) - ) +predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) { + exists(FunctionCall call | + // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used + node1.asExpr() = call.getArgument(1) and + call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider") and + node2.asDefiningArgument() = call.getArgument(0) + ) } -predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) -{ - exists( FunctionCall call | - node1.asExpr() = call.getArgument(0) - and - ( call.getTarget().hasGlobalName("BCryptImportKeyPair") or - call.getTarget().hasGlobalName("BCryptGenerateKeyPair")) - and - node2.asDefiningArgument() = call.getArgument(1) - ) +predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) { + exists(FunctionCall call | + node1.asExpr() = call.getArgument(0) and + ( + call.getTarget().hasGlobalName("BCryptImportKeyPair") or + call.getTarget().hasGlobalName("BCryptGenerateKeyPair") + ) and + node2.asDefiningArgument() = call.getArgument(1) + ) } predicate isWindowsCngAsymmetricKeyAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) { - stepOpenAlgorithmProvider(node1, node2) - or - stepImportGenerateKeyPair(node1, node2) -} \ No newline at end of file + stepOpenAlgorithmProvider(node1, node2) + or + stepImportGenerateKeyPair(node1, node2) +}