Final bug fixes and new sink.

bdrodes · bdrodes · commit 68d668e71907 · 2022-11-08T15:40:00.000-05:00
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCng.qll
@@ -33,8 +33,22 @@ predicate vulnProviderLiteral(StringLiteral lit) {
   )
 }
 
-//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
 // ------------------ Default SINKS ----------------------
+/**
+ * Argument at index 0 of call to NCryptSignHash:
+ *     [in]           NCRYPT_KEY_HANDLE hKey
+ */
+class NCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+  int index;
+  string funcName;
+
+  NCryptSignHashArgumentSink() {
+    index = 0 and
+    funcName = "NCryptSignHash " and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
+}
+
 /**
  * Argument at index 0 of call to BCryptSignHash:
  *     [in]           BCRYPT_KEY_HANDLE hKey,
@@ -85,30 +99,14 @@ class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
  *     [in]           NCRYPT_KEY_HANDLE hKey,
  */
 class NCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
- int index;
- string funcName;
-
- NCryptEncryptArgumentSink() {
-   index = 0 and
-   funcName = "NCryptEncrypt" and
-   isCallArgument(funcName, this.asExpr(), index)
- }
-}
-
-
-/**
- * Argument at index 1 of call to NCryptEncrypt:
- *     _Inout_ NCRYPT_KEY_HANDLE  hKey,
- */
-class SslEncryptPacketArgumentSink extends BCryptOpenAlgorithmProviderSink {
- int index;
- string funcName;
+  int index;
+  string funcName;
 
- SslEncryptPacketArgumentSink() {
-   index = 1 and
-   funcName = "SslEncryptPacket" and
-   isCallArgument(funcName, this.asExpr(), index)
- }
+  NCryptEncryptArgumentSink() {
+    index = 0 and
+    funcName = "NCryptEncrypt" and
+    isCallArgument(funcName, this.asExpr(), index)
+  }
 }
 
 // ----------------- Default SOURCES -----------------------
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng/WindowsCngPQCVulnerableUsage.qll
@@ -25,11 +25,11 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
 predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2) {
   exists(FunctionCall call |
     node1.asExpr() = call.getArgument(0) and
-    exists(string name |
-      name in ["BCryptImportKeyPair", "BCryptGenerateKeyPair"] and
-      call.getTarget().hasGlobalName(name)
-    ) and
-    node2.asDefiningArgument() = call.getArgument(1)
+    exists(string name | call.getTarget().hasGlobalName(name) |
+      name = "BCryptImportKeyPair" and node2.asDefiningArgument() = call.getArgument(3)
+      or
+      name = "BCryptGenerateKeyPair" and node2.asDefiningArgument() = call.getArgument(1)
+    )
   )
 }
 
