CodeQL queries 1.25
Skip to end of metadata
Go to start of metadata

Name: boost::asio Use of deprecated hardcoded Protocol

Description: Using a deprecated hard-coded protocol using the boost::asio library.

ID: cpp/boost/use-of-deprecated-hardcoded-security-protocol

Kind: problem

Severity: error

Query: UseOfDeprecatedHardcodedProtocol.ql
 * @name boost::asio Use of deprecated hardcoded Protocol
 * @description Using a deprecated hard-coded protocol using the boost::asio library.
 * @kind problem
 * @problem.severity error
 * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
 * @tags security

import cpp

  BoostorgAsio::SslContextCallConfig config, Expr protocolSource, Expr protocolSink,
  ConstructorCall cc
  config.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
  not exists(BoostorgAsio::SslContextCallTlsProtocolConfig tlsConfig |
    tlsConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
  ) and
  cc.getArgument(0) = protocolSink and
  exists(BoostorgAsio::SslContextCallBannedProtocolConfig bannedConfig |
    bannedConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
select protocolSink, "Usage of $@ specifying a deprecated hardcoded protocol $@ in function $@.",
  cc, "boost::asio::ssl::context::context", protocolSource, protocolSource.toString(),
  cc.getEnclosingFunction(), cc.getEnclosingFunction().toString()

Using boost::asio library but specifying a deprecated hardcoded protocol.


Only use modern protocols such as TLS 1.2 or TLS 1.3.


In the following example, the sslv2 protocol is specified. This protocol is out of date and its use is not recommended.

void useProtocol_bad()
	boost::asio::ssl::context ctx_sslv2(boost::asio::ssl::context::sslv2); // BAD: outdated protocol

	// ...

In the corrected example, the tlsv13 protocol is used instead.

void useProtocol_good()
	boost::asio::ssl::context cxt_tlsv13(boost::asio::ssl::context::tlsv13);

	// ...