diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WinCng.ql b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WinCng.ql
deleted file mode 100644
index 7f19a74aa70..00000000000
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WinCng.ql
+++ /dev/null
@@ -1,39 +0,0 @@
-/**
- * @id cpp/nist-pqc/pqc-vulnerable-algorithms-cng
- * @name Usage of PQC vulnerable algorithms
- * @description Usage of PQC vulnerable algorithms.
- * @microsoft.severity important
- * @kind path-problem
- * @problem.severity warning
- * @precision high
- * @tags security
- * pqc
- * nist
- */
-
-import cpp
-import DataFlow::PathGraph
-import WindowsCng
-import WindowsCngPQCVulnerableUsage
-
-// CNG-specific DataFlow configuration
-class BCryptConfiguration extends TaintTracking::Configuration {
- BCryptConfiguration() {
- this = "BCryptConfiguration"
- }
- override predicate isSource(DataFlow::Node source) {
- source instanceof BCryptOpenAlgorithmProviderSource
- }
-
- override predicate isSink(DataFlow::Node sink) {
- sink instanceof BCryptOpenAlgorithmProviderSink
- }
-
- override predicate isAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
- isWindowsCngAsymmetricKeyAdditionalTaintStep( node1, node2)
- }
-}
-
-from BCryptConfiguration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "PQC vulnerable algorithm in use has been detected."
\ No newline at end of file
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
index 17139faabe6..fbac511039b 100644
--- a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
+++ b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -1,30 +1,28 @@
 import cpp
 import WindowsCng
-predicate vulnerableCngFunctionName(string name) { name in ["BCryptSignHash", "BCryptEncrypt"] }
-
 predicate keyGenAndImportFunctionName(string name) { name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] }
-predicate vulnerableCngFunction(Function f) {
- exists(string name | f.hasGlobalName(name) and vulnerableCngFunctionName(name))
-}
-
 predicate keyGenAndImportFunction(Function f){
 exists(string name | f.hasGlobalName(name) and keyGenAndImportFunctionName(name))
 }
 //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
-predicate isExprKeyHandleForBCryptSignHash(Expr e) {
- exists(FunctionCall call |
- e = call.getArgument(0) and
- vulnerableCngFunction(call.getTarget())
- )
+
+
+predicate isCallArgument(string funcGlobalName, Expr arg, int index){
+ exists(Call c | c.getArgument(index) = arg and c.getTarget().hasGlobalName(funcGlobalName))
 }
 class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
- BCryptSignHashArgumentSink() { isExprKeyHandleForBCryptSignHash(this.asExpr()) }
+ BCryptSignHashArgumentSink() { isCallArgument("BCryptSignHash", this.asExpr(), 0) }
 }
class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
+ BCryptEncryptArgumentSink() { isCallArgument("BCryptEncrypt", this.asExpr(), 0) }
+ }
+
+
 class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
 BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
 this.asExpr() instanceof StringLiteral and