
Commit 7b0e83f

Porting Boost.org TLS queries
1 parent c66e5dd commit 7b0e83f


11 files changed

+961
-0
lines changed

Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>Using TLS or SSLv23 protool from the boost::asio library, but not disabling deprecated protocols or disabling minimum-recommended protocols.</p>
7+
</overview>
8+
9+
<references>
10+
<li>
11+
<a href="https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio.html">Boost.Asio documentation</a>.
12+
</li>
13+
</references>
14+
</qhelp>
15+
Lines changed: 124 additions & 0 deletions
@@ -0,0 +1,124 @@
1+
/**
2+
* @name Boost_asio TLS Settings Misconfiguration
3+
* @description Using TLS or SSLv23 protool from the boost::asio library, but not disabling deprecated protocols or disabling minimum-recommended protocols
4+
* @kind problem
5+
* @problem.severity error
6+
* @id cpp/boost/tls_settings_misconfiguration
7+
* @tags security
8+
*/
9+
10+
import cpp
11+
import semmle.code.cpp.security.boostorg.asio.protocols
12+
13+
class ExistsAnyFlowConfig extends DataFlow::Configuration {
14+
ExistsAnyFlowConfig() {
15+
this = "ExistsAnyFlowConfig"
16+
}
17+
18+
override predicate isSource(DataFlow::Node source) {
19+
any()
20+
}
21+
22+
override predicate isSink(DataFlow::Node sink) {
23+
any()
24+
}
25+
}
26+
27+
bindingset[flag]
28+
predicate isOptionSet( ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
29+
exists( BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig, Expr optionsSink |
30+
config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
31+
exists( VariableAccess contextSetOptions |
32+
testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
33+
(
34+
exists( BoostorgAsio::SslSetOptionsFunction f |
35+
f.getACallToThisFunction() = fcSetOptions |
36+
contextSetOptions = fcSetOptions.getQualifier() and
37+
forall( Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig, Expr optionArgumentSource |
38+
optionArgument = fcSetOptions.getArgument(0) and
39+
optionArgConfig.hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument)) |
40+
optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
41+
)
42+
)
43+
)
44+
)
45+
)
46+
}
47+
48+
bindingset[flag]
49+
predicate isOptionNotSet( ConstructorCall cc, int flag ) {
50+
not exists( BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig, Expr optionsSink |
51+
config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
52+
exists( VariableAccess contextSetOptions |
53+
testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
54+
(
55+
exists( FunctionCall fcSetOptions, BoostorgAsio::SslSetOptionsFunction f |
56+
f.getACallToThisFunction() = fcSetOptions |
57+
contextSetOptions = fcSetOptions.getQualifier() and
58+
forall( Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig, Expr optionArgumentSource |
59+
optionArgument = fcSetOptions.getArgument(0) and
60+
optionArgConfig.hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument)) |
61+
optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
62+
)
63+
)
64+
)
65+
)
66+
)
67+
}
68+
69+
from
70+
BoostorgAsio::SslContextCallTlsProtocolConfig configConstructor,
71+
BoostorgAsio::SslContextFlowsToSetOptionConfig config,
72+
Expr protocolSource, Expr protocolSink,
73+
ConstructorCall cc,
74+
Expr e, string msg
75+
where
76+
configConstructor.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
77+
cc.getArgument(0)= protocolSink and (
78+
(
79+
BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
80+
not exists( Expr optionsSink |
81+
config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
82+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3(), _) and
83+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
84+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
85+
isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())
86+
)
87+
) or
88+
(
89+
BoostorgAsio::isExprTlsBoostProtocol(protocolSource) and
90+
not BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
91+
not exists( Expr optionsSink |
92+
config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
93+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
94+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
95+
isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())
96+
)
97+
)
98+
) and (
99+
(
100+
BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
101+
isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3()) and
102+
e =cc and
103+
msg = "no_sslv3 has not been set"
104+
) or
105+
(
106+
isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1()) and
107+
e =cc and
108+
msg = "no_tlsv1 has not been set"
109+
) or
110+
(
111+
isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1()) and
112+
e =cc and
113+
msg = "no_tlsv1_1 has not been set"
114+
) or
115+
(
116+
isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2(), e) and
117+
msg = "no_tlsv1_2 was set"
118+
)
119+
)
120+
select cc, "Usage of $@ with protocol $@ is not configured correctly: The option $@.",
121+
cc, "boost::asio::ssl::context::context",
122+
protocolSource, protocolSource.toString(),
123+
e, msg
124+
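Review bot: The `forall` in `isOptionSet` (and its copy in `isOptionNotSet`) is vacuously true when no `BoostorgAsio::SslOptionConfig` flow reaches `fcSetOptions.getArgument(0)`, so a `set_options` call whose argument the library cannot resolve appears to be treated as setting every flag. For such a context the "no_sslv3 / no_tlsv1 / no_tlsv1_1 has not been set" alerts would be suppressed and "no_tlsv1_2 was set" would be reported; whether this occurs depends on the sources defined in the imported `protocols` library, which this section does not show. Writing `forex( Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig, Expr optionArgumentSource |` in place of `forall(` would require at least one resolved option value before a flag counts as set. Separately, the body of `isOptionNotSet` duplicates `isOptionSet` and could be reduced to `not isOptionSet(cc, flag, _)`, and `protool` in the `@description` should read `protocol`.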
Lines changed: 16 additions & 0 deletions
@@ -0,0 +1,16 @@
1+
<!DOCTYPE qhelp PUBLIC
2+
"-//Semmle//qhelp//EN"
3+
"qhelp.dtd">
4+
<qhelp>
5+
<overview>
6+
<p>Using boost::asio library but specifying a deprecated hardcoded protocol.</p>
7+
<p>Using a deprecated hardcoded protocol instead of negotiting would lock your application to a protocol that has known vulnerabilities or weaknesses.</p>
8+
</overview>
9+
10+
<references>
11+
<li>
12+
<a href="https://www.boost.org/doc/libs/1_71_0/doc/html/boost_asio.html">Boost.Asio documentation</a>.
13+
</li>
14+
</references>
15+
</qhelp>
16+
Lines changed: 33 additions & 0 deletions
@@ -0,0 +1,33 @@
1+
/**
2+
* @name boost::asio Use of deprecated hardcoded Protocol
3+
* @description Using a deprecated hard-coded protocol using the boost::asio library.
4+
* @kind problem
5+
* @problem.severity error
6+
* @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
7+
* @tags security
8+
*/
9+
10+
import cpp
11+
import semmle.code.cpp.security.boostorg.asio.protocols
12+
13+
from
14+
BoostorgAsio::SslContextCallConfig config,
15+
Expr protocolSource, Expr protocolSink, ConstructorCall cc
16+
where
17+
config.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
18+
not exists( BoostorgAsio::SslContextCallTlsProtocolConfig tlsConfig |
19+
tlsConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
20+
) and
21+
cc.getArgument(0) = protocolSink and
22+
(
23+
exists( BoostorgAsio::SslContextCallBannedProtocolConfig bannedConfig |
24+
bannedConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
25+
)
26+
)
27+
select
28+
protocolSink,
29+
"Usage of $@ specifying a deprecated hardcoded protocol $@ in function $@.",
30+
cc, "boost::asio::ssl::context::context",
31+
protocolSource, protocolSource.toString(),
32+
cc.getEnclosingFunction(), cc.getEnclosingFunction().toString()
33+
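Review bot: The last `$@` pair in the `select` uses `cc.getEnclosingFunction()`, which has no result when the constructor call is not inside a function body, for example a namespace-scope `boost::asio::ssl::context` object. As far as I can tell, a select column without a value drops the whole row, so a deprecated protocol on such a context would go unreported. If the cpp library in use provides it, `cc.getEnclosingDeclaration(), cc.getEnclosingDeclaration().toString()` would cover both functions and variables; otherwise the "in function $@" part could be dropped from the message. The `@id` here uses hyphens while the sibling query uses `cpp/boost/tls_settings_misconfiguration` with underscores; one convention for both would be easier to reference in suppression and triage configuration.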
