From 384cf4b233a41f0ad693a7cf86bf4ab056e45b61 Mon Sep 17 00:00:00 2001
From: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
Date: Mon, 18 Nov 2019 14:48:10 +0000
Subject: [PATCH] CPP: Recommendation and example for UseOfDeprecatedHardcodedProtocol.qhelp.
---
 .../Protocols/UseOfDeprecatedHardcodedProtocol.qhelp | 11 +++++++++++
 .../Protocols/UseOfDeprecatedHardcodedProtocolBad.cpp | 7 +++++++
 .../UseOfDeprecatedHardcodedProtocolGood.cpp | 7 +++++++
 3 files changed, 25 insertions(+)
 create mode 100644 cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolBad.cpp
 create mode 100644 cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolGood.cpp
diff --git a/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qhelp b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qhelp
index 9be64e760b9..99b40ccb433 100644
--- a/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qhelp
+++ b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocol.qhelp
@@ -7,6 +7,17 @@

Using a deprecated hardcoded protocol instead of negotiating would lock your application to a protocol that has known vulnerabilities or weaknesses.

+ +

Only use modern protocols such as TLS 1.2 or TLS 1.3.

+
+ + +

In the following example, the sslv2 protocol is specified. This protocol is out-of-date and its use is not recommended.

+ +

In the corrected example, the tlsv13 protocol is used instead.

+ +
+
  • Boost.Asio documentation.
diff --git a/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolBad.cpp b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolBad.cpp
new file mode 100644
index 00000000000..bab5f543448
--- /dev/null
+++ b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolBad.cpp
@@ -0,0 +1,7 @@
+
+void useProtocol_bad()
+{
+ boost::asio::ssl::context ctx_sslv2(boost::asio::ssl::context::sslv2); // BAD: outdated protocol
+
+ // ...
+}
diff --git a/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolGood.cpp b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolGood.cpp
new file mode 100644
index 00000000000..6214e87eaff
--- /dev/null
+++ b/cpp/ql/src/Likely Bugs/Protocols/UseOfDeprecatedHardcodedProtocolGood.cpp
@@ -0,0 +1,7 @@
+
+void useProtocol_bad()
+{
+ boost::asio::ssl::context cxt_tlsv13(boost::asio::ssl::context::tlsv13);
+
+ // ...
+}
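Review bot: The corrected example in UseOfDeprecatedHardcodedProtocolGood.cpp still defines `useProtocol_bad()`, which contradicts the qhelp text calling it the corrected example and makes the Good and Bad snippets differ only in the constructor argument; rename it to `void useProtocol_good()`. The local is spelled `cxt_tlsv13` where the Bad example uses `ctx_sslv2`, so `ctx_tlsv13` would keep the two readable side by side, and mirroring the Bad file's trailing comment with `// GOOD: modern protocol` makes the contrast explicit to readers of the qhelp. Since the rule is about hardcoding a protocol "instead of negotiating", it may also be worth a sentence in the qhelp noting that `boost::asio::ssl::context::tlsv13` is itself a pinned version (and, I believe, only present in more recent Boost releases), whereas `context::tls` combined with `set_options` and the `no_sslv2`, `no_sslv3`, `no_tlsv1` and `no_tlsv1_1` flags negotiates while still excluding the weak versions.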