Name: boost::asio Use of deprecated hardcoded Protocol

Description:

Use of a deprecated, hard-coded SSL/TLS protocol version with the boost::asio library.

ID: cpp/boost/use-of-deprecated-hardcoded-security-protocol

Kind: problem

Severity: error

/**
 * @name boost::asio Use of deprecated hardcoded Protocol
 * @description Use of a deprecated, hard-coded SSL/TLS protocol version with the boost::asio library.
 * @kind problem
 * @problem.severity error
 * @id cpp/boost/use-of-deprecated-hardcoded-security-protocol
 * @tags security
 */

import cpp
import semmle.code.cpp.security.boostorg.asio.protocols

from
  BoostorgAsio::SslContextCallConfig config, Expr protocolSource, Expr protocolSink,
  ConstructorCall cc
where
  // A protocol method value flows into the first argument of a
  // boost::asio::ssl::context constructor call ...
  config.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
  // ... the value is not one of the accepted TLS methods ...
  not exists(BoostorgAsio::SslContextCallTlsProtocolConfig tlsConfig |
    tlsConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
  ) and
  cc.getArgument(0) = protocolSink and
  // ... and it is one of the banned (deprecated) methods.
  exists(BoostorgAsio::SslContextCallBannedProtocolConfig bannedConfig |
    bannedConfig.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink))
  )
select protocolSink, "Usage of $@ specifying a deprecated hardcoded protocol $@ in function $@.",
  cc, "boost::asio::ssl::context::context", protocolSource, protocolSource.toString(),
  cc.getEnclosingFunction(), cc.getEnclosingFunction().toString()

The boost::asio library is used with a deprecated, hard-coded protocol: a legacy SSL/TLS method value is passed directly to the boost::asio::ssl::context constructor. Legacy protocol versions (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) are deprecated and have known weaknesses, and hard-coding one of them prevents the peers from negotiating a secure version.

Recommendation

Only use modern protocols such as TLS 1.2 or TLS 1.3. With boost::asio this means constructing the boost::asio::ssl::context with tlsv12 or tlsv13 (or their _client and _server variants), or with the generic tls method together with set_options to disable the legacy versions (no_sslv2, no_sslv3, no_tlsv1, no_tlsv1_1) so that the peers negotiate the highest version both support.

Example

In the following example, the sslv2 protocol is specified. This protocol is out of date and its use is not recommended; OpenSSL 1.1.0 and later have removed SSLv2 support entirely, so on modern builds this context cannot even be constructed.

#include <boost/asio/ssl.hpp>

void useProtocol_bad()
{
	// The protocol version is hard-coded to SSLv2, a deprecated method.
	boost::asio::ssl::context ctx_sslv2(boost::asio::ssl::context::sslv2); // BAD: outdated protocol

	// ...
}

In the corrected example, the tlsv13 method (TLS 1.3) is used instead.

#include <boost/asio/ssl.hpp>

void useProtocol_good()
{
	// TLS 1.3 is a current protocol version.
	boost::asio::ssl::context ctx_tlsv13(boost::asio::ssl::context::tlsv13); // GOOD: modern protocol

	// ...
}