/**
* @name boost::asio TLS settings misconfiguration
 * @description Constructing a boost::asio::ssl::context with the TLS or SSLv23 protocol without disabling the deprecated SSLv3/TLS 1.0/TLS 1.1 protocols, or while disabling the minimum recommended protocol, TLS 1.2.
* @kind problem
* @problem.severity error
* @precision medium
* @security-severity 7.5
* @id cpp/boost/tls-settings-misconfiguration
* @tags security
* external/cwe/cwe-326
*/
import cpp
import semmle.code.cpp.security.boostorg.asio.protocols
/**
 * Holds if `source` is the expression of `cc`, a call to a constructor of
 * `boost::asio::ssl::context` (as modelled by `BoostorgAsio::SslContextClass`).
 */
predicate isSourceImpl(DataFlow::Node source, ConstructorCall cc) {
  cc = source.asExpr() and
  // `getAContructorCall` is spelled this way in the library; keep it as is.
  cc = any(BoostorgAsio::SslContextClass ctxClass).getAContructorCall()
}
/**
 * Holds if `sink` is the qualifier, as an indirect expression, of `fcSetOptions`,
 * a call to a `BoostorgAsio::SslSetOptionsFunction` (the context's `set_options`).
 */
predicate isSinkImpl(DataFlow::Node sink, FunctionCall fcSetOptions) {
  fcSetOptions = any(BoostorgAsio::SslSetOptionsFunction setOptions).getACallToThisFunction() and
  sink.asIndirectExpr() = fcSetOptions.getQualifier()
}
/**
 * Data-flow configuration from the construction of an `ssl::context` (source)
 * to the qualifier of a `set_options` call (sink). Which constructor call or
 * which `set_options` call is involved does not matter here, only that some
 * flow exists; `isOptionSet` re-derives the concrete endpoints afterwards.
 */
module ExistsAnyFlowConfig implements DataFlow::ConfigSig {
  predicate isSource(DataFlow::Node source) {
    exists(ConstructorCall ctorCall | isSourceImpl(source, ctorCall))
  }

  predicate isSink(DataFlow::Node sink) {
    exists(FunctionCall setOptionsCall | isSinkImpl(sink, setOptionsCall))
  }
}
/** Global data flow for `ExistsAnyFlowConfig`; `ExistsAnyFlow::flow(source, sink)` is consulted by `isOptionSet`. */
module ExistsAnyFlow = DataFlow::Global<ExistsAnyFlowConfig>;
/**
 * Holds if `fcSetOptions` is a `set_options` call on a context constructed by
 * `cc`, and the constant value of its option argument, shifted right by 16,
 * contains every bit of `flag`.
 *
 * `flag` must therefore be one of the pre-shifted constants
 * (`BoostorgAsio::getShiftedSslOptions*`); `bindingset[flag]` makes the
 * caller supply it.
 *
 * A flag is considered set by a context if any single `set_options` call sets
 * it (callers pass `_` for `fcSetOptions` when only existence matters); this
 * treats options as accumulating across calls — NOTE(review): confirm that
 * matches `set_options` semantics.
 */
bindingset[flag]
predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
  exists(
    VariableAccess contextSetOptions, BoostorgAsio::SslSetOptionsFunction f, DataFlow::Node source,
    DataFlow::Node sink
  |
    isSourceImpl(source, cc) and
    isSinkImpl(sink, fcSetOptions) and
    // the constructed context reaches the qualifier of this `set_options` call
    ExistsAnyFlow::flow(source, sink) and
    f.getACallToThisFunction() = fcSetOptions and
    // NOTE(review): binding the qualifier to a `VariableAccess` means a
    // `set_options` call whose qualifier is anything else (e.g. the result of
    // a function call) never counts as setting the flag, so the context is
    // then reported as "not set" — verify this restriction is intended.
    contextSetOptions = fcSetOptions.getQualifier() and
    // argument 0 of a call is unique, so this `forex` means "the option
    // argument exists, is reached by `SslOptionFlow`, and has the bits set"
    forex(Expr optionArgument |
      optionArgument = fcSetOptions.getArgument(0) and
      BoostorgAsio::SslOptionFlow::flowTo(DataFlow::exprNode(optionArgument))
    |
      // NOTE(review): `getValue().toInt()` has no result when the argument is
      // not a compile-time constant, or when the folded constant does not fit
      // a 32-bit QL `int` (e.g. a combination that includes
      // `default_workarounds`, depending on the OpenSSL version); in both
      // cases the flag is treated as NOT set. Confirm against how
      // `SslOptionFlow` presents such arguments.
      optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
    )
  )
}
/**
 * Holds if no `set_options` call on the context constructed by `cc` sets
 * `flag` (see `isOptionSet` for the encoding of `flag`).
 */
bindingset[flag]
predicate isOptionNotSet(ConstructorCall cc, int flag) {
  not exists(FunctionCall setOptionsCall | isOptionSet(cc, flag, setOptionsCall))
}
// Report every `ssl::context` constructed with the TLS or SSLv23 protocol
// whose option flags leave a deprecated protocol enabled or disable TLS 1.2.
// One row is produced per offending option, so a single context may yield
// several alerts.
from Expr protocolSource, Expr protocolSink, ConstructorCall cc, Expr e, string msg
where
  // `cc` is a context constructor whose protocol argument derives from
  // `protocolSource`
  BoostorgAsio::SslContextCallTlsProtocolFlow::flow(DataFlow::exprNode(protocolSource),
    DataFlow::exprNode(protocolSink)) and
  cc.getArgument(0) = protocolSink and
  // (1) the context is misconfigured as a whole ...
  (
    // SSLv23 protocol: `no_sslv3`, `no_tlsv1` and `no_tlsv1_1` must all be set
    // and `no_tlsv1_2` must not be.
    BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
    not (
      isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3(), _) and
      isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
      isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
      isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())
    )
    or
    // TLS protocol (excluding SSLv23, which `isExprTlsBoostProtocol`
    // presumably also covers): `no_tlsv1` and `no_tlsv1_1` must be set and
    // `no_tlsv1_2` must not be. `no_sslv3` is not required for this protocol.
    BoostorgAsio::isExprTlsBoostProtocol(protocolSource) and
    not BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
    not (
      isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
      isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
      isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())
    )
  ) and
  // (2) ... and this is the specific option at fault. For a missing option
  // `e` is the constructor call itself; for `no_tlsv1_2` it is the
  // `set_options` call that set it.
  (
    BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
    isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3()) and
    e = cc and
    msg = "no_sslv3 has not been set"
    or
    isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1()) and
    e = cc and
    msg = "no_tlsv1 has not been set"
    or
    isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1()) and
    e = cc and
    msg = "no_tlsv1_1 has not been set"
    or
    isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2(), e) and
    msg = "no_tlsv1_2 was set"
  )
select cc,
  "This usage of 'boost::asio::ssl::context::context' with protocol $@ is not configured correctly: The option $@.",
  protocolSource, protocolSource.toString(), e, msg