C/C++ Cryptographic Scanning
Scan C and C++ codebases for cryptographic usage — detect OpenSSL, BoringSSL, libsodium, and wolfSSL function calls and deprecated algorithms.
Overview
QCecuring’s CBOM scanner analyzes C and C++ source code to discover cryptographic operations across the most common native crypto libraries — OpenSSL, BoringSSL, libsodium, wolfSSL, and mbedTLS. The scanner identifies function calls, algorithm constants, key size parameters, and deprecated patterns that feed into your Cryptographic Bill of Materials.
Key capabilities
- Detect OpenSSL API calls: EVP_EncryptInit_ex(), EVP_DigestInit(), SSL_CTX_set_cipher_list(), RSA_generate_key_ex().
- Scan BoringSSL usage patterns and identify algorithm selection in TLS configurations.
- Identify libsodium function calls for encryption, signing, hashing, and key exchange.
- Detect wolfSSL and mbedTLS configurations for embedded and IoT applications.
- Flag deprecated functions: MD5(), SHA1(), DES_ecb_encrypt(), RC4(), BF_encrypt().
- Analyze CMakeLists.txt, Makefile, conanfile.txt, and vcpkg.json for crypto library dependencies.
- Detect hardcoded keys, IVs, and algorithm constants in source and header files.
Typical use cases
- Security teams auditing C/C++ applications, firmware, and system software for deprecated crypto.
- IoT and embedded teams scanning device firmware for weak algorithms before deployment.
- Organizations preparing C/C++ codebases for PQC migration by inventorying current algorithm usage.
- Compliance programs requiring cryptographic inventory across native code applications.
Detected patterns
| Library | What’s Scanned |
|---|---|
| OpenSSL | EVP_* functions, SSL_CTX_* configuration, RSA_*/EC_* key operations, cipher list strings |
| BoringSSL | Same EVP API patterns, TLS configuration, certificate operations |
| libsodium | crypto_secretbox_*, crypto_sign_*, crypto_box_*, crypto_hash_* |
| wolfSSL | wolfSSL_CTX_* configuration, cipher suite selection, certificate loading |
| mbedTLS | mbedtls_ssl_* configuration, mbedtls_pk_* key operations, cipher selection |
| Windows CNG | BCryptOpenAlgorithmProvider(), NCryptOpenKey(), algorithm identifiers |
| Preprocessor | #define constants for algorithm selection, key sizes, cipher modes |
High-level integration flow
- QCecuring scans C/C++ repositories via Git integration or local filesystem access.
- Pattern-based and AST-aware analysis identifies crypto function calls and algorithm constants.
- Build system files are parsed for crypto library dependencies and linked libraries.
- Discovered crypto usage is normalized into CycloneDX CBOM format with algorithm details.
- Results feed into the centralized CBOM inventory with PQC readiness scoring per finding.
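As an added illustration (not QCecuring's code), the following Python sketch shows the kind of pattern-based pass described in the capabilities and integration flow above: it recognises the deprecated OpenSSL calls and hardcoded key buffers from the list in a constructed C snippet and normalises the findings into a CycloneDX-style CBOM. The CBOM field names approximate CycloneDX 1.6 and are an assumption, not the product's actual output format.

```python
import re
# Constructed sample C source (not from a real project): two deprecated OpenSSL
# calls, one modern EVP call and a hardcoded key buffer, as a scanner would see them.
SAMPLE_C = r'''#include <openssl/md5.h>
#include <openssl/evp.h>
static const unsigned char KEY[16] = "0123456789abcdef";
void legacy(unsigned char *in, size_t n, unsigned char *out, DES_key_schedule *ks) {
    MD5(in, n, out);                                   /* deprecated digest */
    DES_ecb_encrypt((const_DES_cblock *)in, (DES_cblock *)out, ks, DES_ENCRYPT);
}
void modern(EVP_MD_CTX *ctx) { EVP_DigestInit_ex(ctx, EVP_sha256(), NULL); }
'''
# Function name -> (algorithm, CBOM primitive, deprecated?) for the patterns listed above.
KNOWN_CALLS = {
    "MD5": ("MD5", "hash", True), "SHA1": ("SHA-1", "hash", True),
    "DES_ecb_encrypt": ("DES-ECB", "block-cipher", True), "RC4": ("RC4", "stream-cipher", True),
    "BF_encrypt": ("Blowfish", "block-cipher", True),
    "EVP_DigestInit_ex": ("EVP digest", "hash", False), "EVP_EncryptInit_ex": ("EVP cipher", "block-cipher", False),
}
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
HARDCODED_RE = re.compile(r"\bchar\s+(\w*(?:KEY|IV)\w*)\s*\[\s*(\d+)\s*\]\s*=")  # e.g. "unsigned char KEY[16] ="

def scan_c_source(src, path="sample.c"):
    """Return one finding per recognised crypto call or hardcoded key/IV literal."""
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        code = re.sub(r"/\*.*?\*/|//.*", "", line)         # ignore comments on this line
        for name in CALL_RE.findall(code):
            if name in KNOWN_CALLS:
                alg, prim, dep = KNOWN_CALLS[name]
                findings.append({"file": path, "line": lineno, "kind": "call", "name": name,
                                 "algorithm": alg, "primitive": prim, "deprecated": dep})
        m = HARDCODED_RE.search(code)
        if m:                                              # key material baked into the binary
            findings.append({"file": path, "line": lineno, "kind": "hardcoded-key",
                             "name": m.group(1), "key_bits": int(m.group(2)) * 8, "deprecated": False})
    return findings

def to_cbom(findings):
    """Normalise findings into a CycloneDX 1.6-style CBOM (assumed shape, not the product's exact output)."""
    comps = []
    for f in findings:
        if f["kind"] == "call":
            props = {"assetType": "algorithm", "algorithmProperties": {
                     "primitive": f["primitive"], "deprecated": f["deprecated"]}}
        else:
            props = {"assetType": "related-crypto-material", "relatedCryptoMaterialProperties": {
                     "type": "secret-key", "size": f["key_bits"]}}
        comps.append({"type": "cryptographic-asset", "name": f.get("algorithm", f["name"]), "cryptoProperties": props,
                      "evidence": {"occurrences": [{"location": f["file"], "line": f["line"]}]}})
    return {"bomFormat": "CycloneDX", "specVersion": "1.6", "components": comps}
```

A real scanner would additionally resolve macros and typedefs (the AST-aware step) so that wrapped or renamed calls are not missed by the name match alone.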