More comments, and added sink BCryptGenerateKeyPair

bdrodes · bdrodes · commit 24382453c3aa · 2022-11-08T14:21:10.000-05:00
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -2,8 +2,14 @@ import cpp
 import DataFlow::PathGraph
 import semmle.code.cpp.dataflow.TaintTracking
 
+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sinks.
+ */
 abstract class BCryptOpenAlgorithmProviderSink extends DataFlow::Node { }
 
+/**
+ * Base abstract class to be extended to allow indirect extensions of vulnerable sources.
+ */
 abstract class BCryptOpenAlgorithmProviderSource extends DataFlow::Node { }
 
 // ------------------ Helper Predicates ----------------------
@@ -30,7 +36,8 @@ predicate vulnProviderLiteral(StringLiteral lit) {
 //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
 // ------------------ Default SINKS ----------------------
 /**
- * Argument at index 0 of call to BCryptSignHash
+ * Argument at index 0 of call to BCryptSignHash:
+ *     [in]           BCRYPT_KEY_HANDLE hKey,
  */
 class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
   int index;
@@ -44,7 +51,23 @@ class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
 }
 
 /**
- * Argument at index 0 of call to BCryptEncrypt
+ * Argument at index 0 of call to BCryptGenerateKeyPair:
+ *    [in, out] BCRYPT_ALG_HANDLE hAlgorithm,
+ */
+class BCryptGenerateKeyPair extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  BCryptGenerateKeyPair() {
+    index = 0 and
+    funcName = "BCryptGenerateKeyPair" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
+/**
+ * Argument at index 0 of call to BCryptEncrypt:
+ *     [in, out]           BCRYPT_KEY_HANDLE hKey,
  */
 class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
   int index;
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -48,10 +48,16 @@ predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node n
 class BCryptConfiguration extends DataFlow::Configuration {
   BCryptConfiguration() { this = "BCryptConfiguration" }
 
+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSource
+   */
   override predicate isSource(DataFlow::Node source) {
     source instanceof BCryptOpenAlgorithmProviderSource
   }
 
+  /**
+   * Uses indirect extensions of BCryptOpenAlgorithmProviderSink
+   */
   override predicate isSink(DataFlow::Node sink) { sink instanceof BCryptOpenAlgorithmProviderSink }
 
   override predicate isAdditionalFlowStep(DataFlow::Node node1, DataFlow::Node node2) {
