
Commit ec79bfa

authored
Merge pull request #2249 from geoffw0/tlsperf
CPP: TlsSettingsMisconfiguration.ql performance and cleanup
2 parents f2a9876 + 983a970 commit ec79bfa

3 files changed

Lines changed: 93 additions & 52 deletions


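--- a/cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.ql
+++ b/cpp/ql/src/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.ql
@@ -13,76 +13,52 @@ import semmle.code.cpp.security.boostorg.asio.protocols
 class ExistsAnyFlowConfig extends DataFlow::Configuration {
 ExistsAnyFlowConfig() { this = "ExistsAnyFlowConfig" }
 
-override predicate isSource(DataFlow::Node source) { any() }
+override predicate isSource(DataFlow::Node source) {
+exists(BoostorgAsio::SslContextClass c | c.getAContructorCall() = source.asExpr())
+}
 
-override predicate isSink(DataFlow::Node sink) { any() }
+override predicate isSink(DataFlow::Node sink) {
+exists(BoostorgAsio::SslSetOptionsFunction f, FunctionCall fcSetOptions |
+f.getACallToThisFunction() = fcSetOptions and
+fcSetOptions.getQualifier() = sink.asExpr()
+)
+}
 }
 
 bindingset[flag]
 predicate isOptionSet(ConstructorCall cc, int flag, FunctionCall fcSetOptions) {
-exists(
-BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig,
-Expr optionsSink
-|
-config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
-exists(VariableAccess contextSetOptions |
-testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
-exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
-contextSetOptions = fcSetOptions.getQualifier() and
-forall(
-Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
-Expr optionArgumentSource
-|
-optionArgument = fcSetOptions.getArgument(0) and
-optionArgConfig
-.hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
-|
-optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
-)
+exists(ExistsAnyFlowConfig anyFlowConfig, VariableAccess contextSetOptions |
+anyFlowConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
+exists(BoostorgAsio::SslSetOptionsFunction f | f.getACallToThisFunction() = fcSetOptions |
+contextSetOptions = fcSetOptions.getQualifier() and
+forall(
+Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
+Expr optionArgumentSource
+|
+optionArgument = fcSetOptions.getArgument(0) and
+optionArgConfig
+.hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
+|
+optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
 )
 )
 )
 }
 
 bindingset[flag]
 predicate isOptionNotSet(ConstructorCall cc, int flag) {
-not exists(
-BoostorgAsio::SslContextFlowsToSetOptionConfig config, ExistsAnyFlowConfig testConfig,
-Expr optionsSink
-|
-config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
-exists(VariableAccess contextSetOptions |
-testConfig.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(contextSetOptions)) and
-exists(FunctionCall fcSetOptions, BoostorgAsio::SslSetOptionsFunction f |
-f.getACallToThisFunction() = fcSetOptions
-|
-contextSetOptions = fcSetOptions.getQualifier() and
-forall(
-Expr optionArgument, BoostorgAsio::SslOptionConfig optionArgConfig,
-Expr optionArgumentSource
-|
-optionArgument = fcSetOptions.getArgument(0) and
-optionArgConfig
-.hasFlow(DataFlow::exprNode(optionArgumentSource), DataFlow::exprNode(optionArgument))
-|
-optionArgument.getValue().toInt().bitShiftRight(16).bitAnd(flag) = flag
-)
-)
-)
-)
+not exists(FunctionCall fcSetOptions | isOptionSet(cc, flag, fcSetOptions))
 }
 
 from
-BoostorgAsio::SslContextCallTlsProtocolConfig configConstructor,
-BoostorgAsio::SslContextFlowsToSetOptionConfig config, Expr protocolSource, Expr protocolSink,
-ConstructorCall cc, Expr e, string msg
+BoostorgAsio::SslContextCallTlsProtocolConfig configConstructor, Expr protocolSource,
+Expr protocolSink, ConstructorCall cc, Expr e, string msg
 where
 configConstructor.hasFlow(DataFlow::exprNode(protocolSource), DataFlow::exprNode(protocolSink)) and
 cc.getArgument(0) = protocolSink and
 (
 BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
-not exists(Expr optionsSink |
-config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
+not (
 isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoSsl3(), _) and
 isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
 isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
@@ -91,8 +67,7 @@ where
 or
 BoostorgAsio::isExprTlsBoostProtocol(protocolSource) and
 not BoostorgAsio::isExprSslV23BoostProtocol(protocolSource) and
-not exists(Expr optionsSink |
-config.hasFlow(DataFlow::exprNode(cc), DataFlow::exprNode(optionsSink)) and
+not (
 isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1(), _) and
 isOptionSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_1(), _) and
 isOptionNotSet(cc, BoostorgAsio::getShiftedSslOptionsNoTls1_2())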
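Review bot: The `forall` in `isOptionSet` tests `optionArgument.getValue()`, the expression at the `set_options` call, which has a constant value only when the flags are written inline; when they arrive through a variable the check fails, which is probably what test2.cpp records as FALSE POSITIVE in `good2` and `bad2`. The same `forall` holds vacuously when no `SslOptionConfig` flow reaches `fcSetOptions.getArgument(0)`, so such a call would count as setting every flag and the query would report nothing for a context that still allows SSLv3, TLS 1.0 or TLS 1.1. `SslOptionConfig` is defined outside this page, so both readings need confirming against it; if its sources are the constant flag expressions, reading `optionArgumentSource.getValue()` and requiring at least one such flow with `exists(...)` would address both. Separately, `ExistsAnyFlowConfig` now matches only flow from a context constructor call to a `set_options` qualifier, so a QLDoc line such as `/** Flow from an ssl::context constructor call to the qualifier of a set_options call. */` would keep the name from misleading.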

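--- a/cpp/ql/test/query-tests/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.expected
+++ b/cpp/ql/test/query-tests/Likely Bugs/Protocols/boostorg/TlsSettingsMisconfiguration.expected
@@ -1,3 +1,14 @@
+| test2.cpp:15:32:15:33 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:15:32:15:33 | call to context | boost::asio::ssl::context::context | test2.cpp:14:40:14:72 | sslv23 | sslv23 | test2.cpp:15:32:15:33 | call to context | no_sslv3 has not been set |
+| test2.cpp:23:32:23:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:23:32:23:65 | call to context | boost::asio::ssl::context::context | test2.cpp:23:32:23:64 | sslv23 | sslv23 | test2.cpp:23:32:23:65 | call to context | no_sslv3 has not been set |
+| test2.cpp:23:32:23:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:23:32:23:65 | call to context | boost::asio::ssl::context::context | test2.cpp:23:32:23:64 | sslv23 | sslv23 | test2.cpp:23:32:23:65 | call to context | no_tlsv1 has not been set |
+| test2.cpp:23:32:23:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:23:32:23:65 | call to context | boost::asio::ssl::context::context | test2.cpp:23:32:23:64 | sslv23 | sslv23 | test2.cpp:23:32:23:65 | call to context | no_tlsv1_1 has not been set |
+| test2.cpp:31:32:31:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:31:32:31:65 | call to context | boost::asio::ssl::context::context | test2.cpp:31:32:31:64 | sslv23 | sslv23 | test2.cpp:31:32:31:65 | call to context | no_sslv3 has not been set |
+| test2.cpp:31:32:31:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:31:32:31:65 | call to context | boost::asio::ssl::context::context | test2.cpp:31:32:31:64 | sslv23 | sslv23 | test2.cpp:31:32:31:65 | call to context | no_tlsv1 has not been set |
+| test2.cpp:31:32:31:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:31:32:31:65 | call to context | boost::asio::ssl::context::context | test2.cpp:31:32:31:64 | sslv23 | sslv23 | test2.cpp:31:32:31:65 | call to context | no_tlsv1_1 has not been set |
+| test2.cpp:45:35:45:98 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:45:35:45:98 | call to context | boost::asio::ssl::context::context | test2.cpp:45:65:45:97 | sslv23 | sslv23 | test2.cpp:45:35:45:98 | call to context | no_sslv3 has not been set |
+| test2.cpp:52:32:52:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:52:32:52:65 | call to context | boost::asio::ssl::context::context | test2.cpp:52:32:52:64 | sslv23 | sslv23 | test2.cpp:52:32:52:65 | call to context | no_sslv3 has not been set |
+| test2.cpp:52:32:52:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:52:32:52:65 | call to context | boost::asio::ssl::context::context | test2.cpp:52:32:52:64 | sslv23 | sslv23 | test2.cpp:52:32:52:65 | call to context | no_tlsv1 has not been set |
+| test2.cpp:52:32:52:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test2.cpp:52:32:52:65 | call to context | boost::asio::ssl::context::context | test2.cpp:52:32:52:64 | sslv23 | sslv23 | test2.cpp:52:32:52:65 | call to context | no_tlsv1_1 has not been set |
 | test.cpp:25:32:25:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test.cpp:25:32:25:65 | call to context | boost::asio::ssl::context::context | test.cpp:25:32:25:64 | sslv23 | sslv23 | test.cpp:25:32:25:65 | call to context | no_sslv3 has not been set |
 | test.cpp:31:32:31:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test.cpp:31:32:31:65 | call to context | boost::asio::ssl::context::context | test.cpp:31:32:31:64 | sslv23 | sslv23 | test.cpp:31:32:31:65 | call to context | no_sslv3 has not been set |
 | test.cpp:31:32:31:65 | call to context | Usage of $@ with protocol $@ is not configured correctly: The option $@. | test.cpp:31:32:31:65 | call to context | boost::asio::ssl::context::context | test.cpp:31:32:31:64 | sslv23 | sslv23 | test.cpp:31:32:31:65 | call to context | no_tlsv1 has not been set |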
Lines changed: 55 additions & 0 deletions
@@ -0,0 +1,55 @@
1+
#include "asio/boost_simulation.hpp"
2+
3+
void good1()
4+
{
5+
// GOOD
6+
boost::asio::ssl::context::method m = boost::asio::ssl::context::sslv23;
7+
boost::asio::ssl::context ctx(m);
8+
ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1 | boost::asio::ssl::context::no_sslv3);
9+
}
10+
11+
void bad1()
12+
{
13+
// BAD: missing disable SSLv3
14+
boost::asio::ssl::context::method m = boost::asio::ssl::context::sslv23;
15+
boost::asio::ssl::context ctx(m);
16+
ctx.set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1);
17+
}
18+
19+
void good2()
20+
{
21+
// GOOD [FALSE POSITIVE x 3]
22+
boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1 | boost::asio::ssl::context::no_sslv3;
23+
boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23);
24+
ctx.set_options(opts);
25+
}
26+
27+
void bad2()
28+
{
29+
// BAD: missing disable SSLv3 [WITH FALSE POSITIVE x 2]
30+
boost::asio::ssl::context::options opts = boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1;
31+
boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23);
32+
ctx.set_options(opts);
33+
}
34+
35+
void good3()
36+
{
37+
// GOOD
38+
boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23);
39+
ctx->set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1 | boost::asio::ssl::context::no_sslv3);
40+
}
41+
42+
void bad3()
43+
{
44+
// BAD: missing disable SSLv3
45+
boost::asio::ssl::context *ctx = new boost::asio::ssl::context(boost::asio::ssl::context::sslv23);
46+
ctx->set_options(boost::asio::ssl::context::no_tlsv1 | boost::asio::ssl::context::no_tlsv1_1);
47+
}
48+
49+
void bad4()
50+
{
51+
// BAD: missing disable SSLv3
52+
boost::asio::ssl::context ctx(boost::asio::ssl::context::sslv23);
53+
}
54+
55+
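Review bot: The comment on `bad4` says only SSLv3 is left enabled, but the function never calls `set_options`, and the `.expected` file lists three results for line 52 (`no_sslv3`, `no_tlsv1`, `no_tlsv1_1`). I would write `// BAD: set_options is never called, so SSLv3, TLS 1.0 and TLS 1.1 all stay enabled`. The bracketed notes on `good2` and `bad2` would also be easier to act on if they named the apparent cause, for example `// GOOD [FALSE POSITIVE x 3: flags passed through a variable]`.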
