More comments, and added sink BCryptGenerateKeyPair

2026-02-15 14:33:40 +01:00 · 2022-11-08 14:21:10 -05:00
parent f5ce07d22c
commit 24382453c3
2 changed files with 31 additions and 2 deletions
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -2,8 +2,14 @@ import cpp
 import DataFlow::PathGraph
 import semmle.code.cpp.dataflow.TaintTracking

+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sinks.
+ */
 abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }

+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sources.
+ */
 abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }

 // ------------------ Helper Predicates ----------------------
@@ -30,7 +36,8 @@ predicate vulnProviderLiteral(StringLiteral lit) {
 //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
 // ------------------ Default SINKS ----------------------
 /**
- * Argument at index 0 of call to BCryptSignHash
+ * Argument at index 0 of call to BCryptSignHash:
+ *     [in]           BCRYPT_KEY_HANDLE hKey,
 */
 class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
  int index;
@@ -44,7 +51,23 @@ class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
 }

 /**
- * Argument at index 0 of call to BCryptEncrypt
+ * Argument at index 0 of call to BCryptGenerateKeyPair:
+ *    [in, out] BCRYPT_ALG_HANDLE hAlgorithm,
+ */
+class BCryptGenerateKeyPair extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  BCryptGenerateKeyPair() {
+    index = 0 and
+    funcName = "BCryptGenerateKeyPair" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to BCryptEncrypt:
+ *     [in, out]           BCRYPT_KEY_HANDLE hKey,
 */
 class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
  int index;
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -48,10 +48,16 @@ predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node n
 class BCryptConfiguration extends DataFlow::Configuration {
  BCryptConfiguration() { this = "BCryptConfiguration" }

+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSource
+   */
  override predicate isSource(DataFlow::Node source) {
    source instanceof BCryptOpenAlgorithmProviderSource
  }

+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSink
+   */
  override predicate isSink(DataFlow::Node sink) { sink instanceof BCryptOpenAlgorithmProviderSink }

  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {