From b242b4bba6420ebd80d6dedc191a18d42131ae22 Mon Sep 17 00:00:00 2001
From: "REDMOND\\brodes" <brodes@microsoft.com>
Date: Tue, 8 Nov 2022 12:49:57 -0500
Subject: [PATCH] More re-org

---
 .../WinCng/WindowsCng.qll                     | 30 +++++++++++-
 .../WinCng/WindowsCngPQCVulnerableUsage.ql    | 19 +-------
 .../WinCng/WindowsCngPQCVulnerableUsage.qll   | 48 ++++++++-----------
 3 files changed, 49 insertions(+), 48 deletions(-)

diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
index 92f54b7ed0e..44900790b63 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -2,6 +2,32 @@ import cpp
 import DataFlow::PathGraph
 import semmle.code.cpp.dataflow.TaintTracking
 
-abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node {}
-abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node {}
+abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }
 
+abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }
+
+predicate isCallArgument(string funcGlobalName, Expr arg, int index) {
+  exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
+}
+
+//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
+// ------------------ SINKS ----------------------
+class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
+}
+
+class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
+}
+
+// ----------------- SOURCES -----------------------
+class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
+  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
+    this.asExpr() instanceof StringLiteral and
+    (
+      this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] or
+      this.asExpr().getValue().matches("ECDH%") or
+      this.asExpr().getValue().matches("RSA%")
+    )
+  }
+}
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
index b77ad05ced0..ca1fd22e5f1 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.ql
@@ -16,25 +16,8 @@ import DataFlow::PathGraph
 import WindowsCng
 import WindowsCngPQCVulnerableUsage
 
-// CNG-specific DataFlow configuration
-class BCryptConfiguration extends DataFlow::Configuration {
-	BCryptConfiguration() {
-		this = "BCryptConfiguration"
-	}
-	override predicate isSource(DataFlow::Node source) {
-        source instanceof BCryptOpenAlgorithmProviderSource
-	}
- 
-	override predicate isSink(DataFlow::Node sink) { 
-        sink instanceof BCryptOpenAlgorithmProviderSink 
-    }
-
-    override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
-        isWindowsCngAdditionalTaintStep( node1, node2)
-    }
-}
 
 from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
 where config.hasFlowPath(source, sink)
 select sink.getNode(), source, sink, "PQC vulnerable algorithm $@ in use has been detected.",
-    source.getNode().asExpr(), source.getNode().asExpr().toString()
\ No newline at end of file
+  source.getNode().asExpr(), source.getNode().asExpr().toString()
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
index 412941a48e5..0accc61f8db 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -1,33 +1,6 @@
 import cpp
 import WindowsCng
 
-//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
-
-
-predicate isCallArgument(string funcGlobalName, Expr arg, int index){
-    exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
-}
-
-class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
-  BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
-}
-
-class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
-    BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
-  }
-  
-
-class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
-  BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
-    this.asExpr() instanceof StringLiteral and
-    (
-      this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"] or
-      this.asExpr().getValue().matches("ECDH%") or
-      this.asExpr().getValue().matches("RSA%")
-    )
-  }
-}
-
 predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2) {
   exists(FunctionCall call |
     // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
@@ -40,7 +13,10 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
 predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
   exists(FunctionCall call |
     node1.asExpr() = call.getArgument(0) and
-    exists(string name | name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and call.getTarget().hasGlobalName(name)) and
+    exists(string name |
+      name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and
+      call.getTarget().hasGlobalName(name)
+    ) and
     node2.asDefiningArgument() = call.getArgument(1)
   )
 }
@@ -50,3 +26,19 @@ predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node n
   or
   stepImportGenerateKeyPair(node1, node2)
 }
+
+
+// CNG-specific DataFlow configuration
+class BCryptConfiguration extends DataFlow::Configuration {
+  BCryptConfiguration() { this = "BCryptConfiguration" }
+
+  override predicate isSource(DataFlow::Node source) {
+    source instanceof BCryptOpenAlgorithmProviderSource
+  }
+
+  override predicate isSink(DataFlow::Node sink) { sink instanceof BCryptOpenAlgorithmProviderSink }
+
+  override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
+    isWindowsCngAdditionalTaintStep(node1, node2)
+  }
+}