More re-org

2026-02-15 14:33:40 +01:00 · 2022-11-08 12:49:57 -05:00
parent da8a7f36d1
commit b242b4bba6
3 changed files with 49 additions and 48 deletions
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -2,6 +2,32 @@ import cpp
 import DataFlow::PathGraph
 import semmle.code.cpp.dataflow.TaintTracking

-abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node {}
-abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node {}
+abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }

+abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }
+
+predicate isCallArgument(string funcGlobalName, Expr arg, int index) {
+  exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
+}
+
+//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
+// ------------------ SINKS ----------------------
+class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
+}
+
+class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
+}
+
+// ----------------- SOURCES -----------------------
+class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
+  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
+    this.asExpr() instanceof StringLiteral and
+    (
+      this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] or
+      this.asExpr().getValue().matches("ECDH%") or
+      this.asExpr().getValue().matches("RSA%")
+    )
+  }
+}
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
@@ -16,25 +16,8 @@ import DataFlow::PathGraph
 import WindowsCng
 import WindowsCngPQCVulnerableUsage

-// CNG-specific DataFlow configuration
-class BCryptConfiguration extends DataFlow::Configuration {
-	BCryptConfiguration() {
-		this = "BCryptConfiguration"
-	}
-	override predicate isSource(DataFlow::Node source) {
-        source instanceof BCryptOpenAlgorithmProviderSource
-	}
- 
-	override predicate isSink(DataFlow::Node sink) { 
-        sink instanceof BCryptOpenAlgorithmProviderSink 
-    }
-
-    override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-        isWindowsCngAdditionalTaintStep( node1, node2)
-    }
-}

 from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "PQC vulnerable algorithm $@ in use has been detected.",
-    source.getNode().asExpr(), source.getNode().asExpr().toString()
+  source.getNode().asExpr(), source.getNode().asExpr().toString()
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -1,33 +1,6 @@
 import cpp
 import WindowsCng

-//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
-
-
-predicate isCallArgument(string funcGlobalName, Expr arg, int index){
-    exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
-}
-
-class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
-  BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
-}
-
-class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
-    BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
-  }
-  
-
-class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
-  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
-    this.asExpr() instanceof StringLiteral and
-    (
-      this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] or
-      this.asExpr().getValue().matches("ECDH%") or
-      this.asExpr().getValue().matches("RSA%")
-    )
-  }
-}
-
 predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) {
  exists(FunctionCall call |
    // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
@@ -40,7 +13,10 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
 predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
  exists(FunctionCall call |
    node1.asExpr() = call.getArgument(0) and
-    exists(string name | name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and call.getTarget().hasGlobalName(name)) and
+    exists(string name |
+      name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and
+      call.getTarget().hasGlobalName(name)
+    ) and
    node2.asDefiningArgument() = call.getArgument(1)
  )
 }
@@ -50,3 +26,19 @@ predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node n
  or
  stepImportGenerateKeyPair(node1, node2)
 }
+
+
+// CNG-specific DataFlow configuration
+class BCryptConfiguration extends DataFlow::Configuration {
+  BCryptConfiguration() { this = "BCryptConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof BCryptOpenAlgorithmProviderSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof BCryptOpenAlgorithmProviderSink }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isWindowsCngAdditionalTaintStep(node1, node2)
+  }
+}