diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
index ba400e9ed4c..72a4d7df8a9 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -33,8 +33,22 @@ predicate vulnProviderLiteral(StringLiteral lit) {
   )
 }
 
-//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
 // ------------------ Default SINKS ----------------------
+/**
+ * Argument at index 0 of call to NCryptSignHash:
+ * [in] NCRYPT_KEY_HANDLE hKey
+ */
+class NCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  NCryptSignHashArgumentSink() {
+    index = 0 and
+    funcName = "NCryptSignHash " and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
 /**
  * Argument at index 0 of call to BCryptSignHash:
  * [in] BCRYPT_KEY_HANDLE hKey,
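Review bot: The name literal in the new NCryptSignHashArgumentSink characteristic predicate carries a trailing space, `funcName = "NCryptSignHash " and`, which is not the name of any CNG function; assuming isCallArgument matches the call target's name exactly (its definition is outside this hunk), this sink can never hold and NCryptSignHash key handles will silently go undetected. Change the line to `funcName = "NCryptSignHash" and`, matching the spelling used for the other sinks in this file. Since the commit also drops the TODO about verifying NCrypt parameters, a quick check that a call to NCryptSignHash in the test corpus actually reaches this sink would guard against the same slip recurring.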
@@ -85,30 +99,14 @@ class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
  * [in] NCRYPT_KEY_HANDLE hKey,
  */
 class NCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
-    int index;
-    string funcName;
+  int index;
+  string funcName;
 
-    NCryptEncryptArgumentSink() {
-        index = 0 and
-        funcName = "NCryptEncrypt" and
-        isCallArgument(funcName, this.asExpr(), index)
-    }
-}
-
-
-/**
- * Argument at index 1 of call to NCryptEncrypt:
- * _Inout_ NCRYPT_KEY_HANDLE hKey,
- */
-class SslEncryptPacketArgumentSink extends BCryptOpenAlgorithmProviderSink {
-    int index;
-    string funcName;
-
-    SslEncryptPacketArgumentSink() {
-        index = 1 and
-        funcName = "SslEncryptPacket" and
-        isCallArgument(funcName, this.asExpr(), index)
-    }
+  NCryptEncryptArgumentSink() {
+    index = 0 and
+    funcName = "NCryptEncrypt" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
 }
 
 // ----------------- Default SOURCES -----------------------
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
index 436ef57926a..d37fdff66c9 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -25,11 +25,11 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
 
 predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
   exists(FunctionCall call |
     node1.asExpr() = call.getArgument(0) and
-    exists(string name |
-      name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and
-      call.getTarget().hasGlobalName(name)
-    ) and
-    node2.asDefiningArgument() = call.getArgument(1)
+    exists(string name | call.getTarget().hasGlobalName(name) |
+      name = "BCryptImportKeyPair" and node2.asDefiningArgument() = call.getArgument(3)
+      or
+      name = "BCryptGenerateKeyPair" and node2.asDefiningArgument() = call.getArgument(1)
+    )
   )
 }
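Review bot: The argument positions 3 and 1 in stepImportGenerateKeyPair are bare numbers with nothing in the hunk saying which parameter they select, so a reader has to look up the two CNG signatures to confirm the fix is right. A comment on each disjunct would make the mapping reviewable, e.g. `// BCryptImportKeyPair(hAlgorithm, hImportKey, pszBlobType, phKey, ...): phKey is argument 3` and `// BCryptGenerateKeyPair(hAlgorithm, phKey, dwLength, dwFlags): phKey is argument 1`. The predicate also has no QLDoc; a one-line comment above the signature stating that it holds when node2 is the output key handle (phKey) of a BCryptImportKeyPair or BCryptGenerateKeyPair call whose algorithm-handle argument is node1 would document the step, and the same wording could note that the old code's shared index 1 was wrong for BCryptImportKeyPair so nobody reverts it.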