1
1
import cpp
2
2
import WindowsCng
3
3
4
- //TODO: Verify NCrypt calls (parameters) & find all other APIs that should be included (i.e. decrypt, etc.)
5
-
6
-
7
- predicate isCallArgument ( string funcGlobalName , Expr arg , int index ) {
8
- exists ( Call c | c .getArgument ( index ) = arg and c .getTarget ( ) .hasGlobalName ( funcGlobalName ) )
9
- }
10
-
11
- class BCryptSignHashArgumentSink extends BCryptOpenAlgorithmProviderSink {
12
- BCryptSignHashArgumentSink ( ) { isCallArgument ( "BCryptSignHash" , this .asExpr ( ) , 0 ) }
13
- }
14
-
15
- class BCryptEncryptArgumentSink extends BCryptOpenAlgorithmProviderSink {
16
- BCryptEncryptArgumentSink ( ) { isCallArgument ( "BCryptEncrypt" , this .asExpr ( ) , 0 ) }
17
- }
18
-
19
-
20
- class BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource extends BCryptOpenAlgorithmProviderSource {
21
- BCryptOpenAlgorithmProviderPqcVulnerableAlgorithmsSource ( ) {
22
- this .asExpr ( ) instanceof StringLiteral and
23
- (
24
- this .asExpr ( ) .getValue ( ) in [ "DH" , "DSA" , "ECDSA" , "ECDH" ] or
25
- this .asExpr ( ) .getValue ( ) .matches ( "ECDH%" ) or
26
- this .asExpr ( ) .getValue ( ) .matches ( "RSA%" )
27
- )
28
- }
29
- }
30
-
31
4
predicate stepOpenAlgorithmProvider ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
32
5
exists ( FunctionCall call |
33
6
// BCryptOpenAlgorithmProvider 2nd argument specifies the algorithm to be used
@@ -40,7 +13,10 @@ predicate stepOpenAlgorithmProvider(DataFlow::Node node1, DataFlow::Node node2)
40
13
predicate stepImportGenerateKeyPair ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
41
14
exists ( FunctionCall call |
42
15
node1 .asExpr ( ) = call .getArgument ( 0 ) and
43
- exists ( string name | name in [ "BCryptImportKeyPair" , "BCryptGenerateKeyPair" ] and call .getTarget ( ) .hasGlobalName ( name ) ) and
16
+ exists ( string name |
17
+ name in [ "BCryptImportKeyPair" , "BCryptGenerateKeyPair" ] and
18
+ call .getTarget ( ) .hasGlobalName ( name )
19
+ ) and
44
20
node2 .asDefiningArgument ( ) = call .getArgument ( 1 )
45
21
)
46
22
}
@@ -50,3 +26,19 @@ predicate isWindowsCngAdditionalTaintStep(DataFlow::Node node1, DataFlow::Node n
50
26
or
51
27
stepImportGenerateKeyPair ( node1 , node2 )
52
28
}
29
+
30
+
31
+ // CNG-specific DataFlow configuration
32
+ class BCryptConfiguration extends DataFlow:: Configuration {
33
+ BCryptConfiguration ( ) { this = "BCryptConfiguration" }
34
+
35
+ override predicate isSource ( DataFlow:: Node source ) {
36
+ source instanceof BCryptOpenAlgorithmProviderSource
37
+ }
38
+
39
+ override predicate isSink ( DataFlow:: Node sink ) { sink instanceof BCryptOpenAlgorithmProviderSink }
40
+
41
+ override predicate isAdditionalFlowStep ( DataFlow:: Node node1 , DataFlow:: Node node2 ) {
42
+ isWindowsCngAdditionalTaintStep ( node1 , node2 )
43
+ }
44
+ }
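Review bot: The new `BCryptConfiguration` class is introduced with a `//` line comment, which QLDoc tooling does not pick up; a `/** ... */` block on the class would document the contract for query authors, e.g. `/** Taint-tracking configuration from a BCrypt algorithm-name source to a CNG sink, extended with the CNG-specific additional flow steps. */`, with a one-line QLDoc on each overridden predicate. The `isSource` and `isSink` overrides depend on `BCryptOpenAlgorithmProviderSource` and `BCryptOpenAlgorithmProviderSink`, neither of which this file defines after the deletions earlier in the diff — presumably they now come from the newly imported `WindowsCng` module, but that cannot be confirmed from this hunk. The removed TODO about verifying NCrypt calls is not visibly resolved by this change, so whether the sink set still covers only the BCrypt entry points should be checked against the definition of `BCryptOpenAlgorithmProviderSink` wherever it now lives. The `isWindowsCngAdditionalTaintStep` predicate that this configuration delegates to begins outside the visible hunk.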