Final bug fixes and new sink.

This commit is contained in:
REDMOND\brodes
2022-11-08 15:40:00 -05:00
parent 59ca3b26cd
commit 68d668e719
2 changed files with 27 additions and 29 deletions


@@ -33,8 +33,22 @@ predicate vulnProviderLiteral(StringLiteral lit) {
)
}
//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
// ------------------ Default SINKS ----------------------
/**
* Argument at index 0 of call to NCryptSignHash:
* [in] NCRYPT_KEY_HANDLE hKey
*/
class NCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
int index;
string funcName;
NCryptSignHashArgumentSink() {
index = 0 and
funcName = "NCryptSignHash " and
isCallArgument(funcName, this.asExpr(), index)
}
}
/**
* Argument at index 0 of call to BCryptSignHash:
* [in] BCRYPT_KEY_HANDLE hKey,
@@ -85,30 +99,14 @@ class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
* [in] NCRYPT_KEY_HANDLE hKey,
*/
class NCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
int index;
string funcName;
int index;
string funcName;
NCryptEncryptArgumentSink() {
index = 0 and
funcName = "NCryptEncrypt" and
isCallArgument(funcName, this.asExpr(), index)
}
}
/**
* Argument at index 1 of call to NCryptEncrypt:
* _Inout_ NCRYPT_KEY_HANDLE hKey,
*/
class SslEncryptPacketArgumentSink extends BCryptOpenAlgorithmProviderSink {
int index;
string funcName;
SslEncryptPacketArgumentSink() {
index = 1 and
funcName = "SslEncryptPacket" and
isCallArgument(funcName, this.asExpr(), index)
}
NCryptEncryptArgumentSink() {
index = 0 and
funcName = "NCryptEncrypt" and
isCallArgument(funcName, this.asExpr(), index)
}
}
// ----------------- Default SOURCES -----------------------
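Review bot: The function name in the new NCryptSignHashArgumentSink constructor, `funcName = "NCryptSignHash "`, carries a trailing space, so `isCallArgument(funcName, this.asExpr(), index)` will presumably never match a call to NCryptSignHash (assuming isCallArgument compares the name exactly, as the sibling sinks with exact names suggest) and the new sink is silently dead. It should read `funcName = "NCryptSignHash" and`. A small QL unit test with a sample that calls NCryptSignHash and selects the sink would catch this class of typo for every sink in the file. The sink base class and isCallArgument are defined outside the hunk, so I cannot confirm the matching semantics from here.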


@@ -25,11 +25,11 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
exists(FunctionCall call |
node1.asExpr() = call.getArgument(0) and
exists(string name |
name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and
call.getTarget().hasGlobalName(name)
) and
node2.asDefiningArgument() = call.getArgument(1)
exists(string name | call.getTarget().hasGlobalName(name) |
name = "BCryptImportKeyPair" and node2.asDefiningArgument() = call.getArgument(3)
or
name = "BCryptGenerateKeyPair" and node2.asDefiningArgument() = call.getArgument(1)
)
)
}
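Review bot: stepImportGenerateKeyPair has no QLDoc, and since this commit corrects the output-handle index for BCryptImportKeyPair from 1 to 3, the argument positions deserve a comment so the next reader can check them against the SDK prototype instead of rediscovering the bug. I would add above `predicate stepImportGenerateKeyPair`: `/** Flow step from the algorithm handle (argument 0) of BCryptImportKeyPair / BCryptGenerateKeyPair to the key handle they write: phKey is argument 3 of BCryptImportKeyPair and argument 1 of BCryptGenerateKeyPair — verify against bcrypt.h. */`. Index 3 and index 1 look right to me for those two prototypes, but that is from memory, not from anything visible in the diff.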