Suggested query changes.

bdrodes · bdrodes · commit 96116c2d2d38 · 2022-11-08T10:59:13.000-05:00
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng.ql b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WinCng.ql
@@ -14,7 +14,7 @@
 import cpp
 import DataFlow::PathGraph
 import WindowsCng
-import WindowsCngPQVAsymmetricKeyUsage
+import WindowsCngPQCVAsymmetricKeyUsage
 
 // CNG-specific DataFlow configuration
 class BCryptConfiguration extends TaintTracking::Configuration {
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQCVAsymmetricKeyUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQCVAsymmetricKeyUsage.qll
@@ -0,0 +1,57 @@
+import cpp
+import WindowsCng
+//TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
+predicate isExprKeyHandleForBCryptSignHash(Expr e){
+    exists( FunctionCall call |
+        e = call.getArgument(0)
+         and
+         call.getTarget().hasGlobalName("BCryptSignHash")
+    )
+}
+
+class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
+    BCryptSignHashArgumentSink() {
+    isExprKeyHandleForBCryptSignHash(this.asExpr())
+  }
+}
+
+class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
+    BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource() {
+        this.asExpr() instanceof StringLiteral and
+        (
+            this.asExpr().getValue() in ["DH", "DSA", "ECDSA", "ECDH"]
+            or this.asExpr().getValue().matches("ECDH%")
+            or this.asExpr().getValue().matches("RSA%")
+        )
+    }
+}
+
+predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
+{
+    exists( FunctionCall call |
+        // BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
+        node1.asExpr() = call.getArgument(1)
+         and
+         call.getTarget().hasGlobalName("BCryptOpenAlgorithmProvider")
+        and
+        node2.asDefiningArgument() = call.getArgument(0)
+    )
+}
+
+predicate stepImportGenerateKeyPair(DataFlow::Node node1, DataFlow::Node node2)
+{
+    exists( FunctionCall call |
+        node1.asExpr() = call.getArgument(0)
+        and
+        ( call.getTarget().hasGlobalName("BCryptImportKeyPair") or 
+        call.getTarget().hasGlobalName("BCryptGenerateKeyPair"))
+        and
+        node2.asDefiningArgument() = call.getArgument(1)
+    )
+}
+
+predicate isWindowsCngAsymmetricKeyAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node node2) {
+    stepOpenAlgorithmProvider(node1, node2) 
+    or 
+    stepImportGenerateKeyPair(node1, node2)
+}
diff --git a/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQVAsymmetricKeyUsage.qll b/cpp/ql/src/experimental/campaigns/nccoe-pqc-migration/QuantumVulnerableDiscovery/WindowsCngPQVAsymmetricKeyUsage.qll
