microsoft · PavelBansky · Aug 26, 2019 · Aug 26, 2019
diff --git a/rules/default/security/TLS/tests/DS112835.test b/rules/default/security/TLS/tests/DS112835.test
@@ -0,0 +1,21 @@
+line: 1 expect DS112835,DS144436,DS440000
+line: 2
+line: 3 expect DS112835,DS144436,DS440000
+line: 4 expect DS112835,DS112835,DS144436,DS440000
+line: 5 expect DS112835,DS112835,DS440000
+line: 6 expect DS112835,DS112835,DS440000
+line: 8 expect DS112835,DS440000
+line: 9 expect DS112835,DS440000
+line: 10
+====
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.SystemDefault;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls11;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls13;
+
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls11;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.Tls12;
+System.Net.ServicePointManager.SecurityProtocol = SecurityProtocolTypeExtensions.SystemDefault;
+
diff --git a/rules/default/security/TLS/tests/DS112836.test b/rules/default/security/TLS/tests/DS112836.test
@@ -0,0 +1,25 @@
+line: 3 expect DS112836,DS440000,DS440000,DS440000
+line: 4 expect DS112836,DS440000,DS440000,DS440000
+line: 5 expect DS112836,DS440000,DS440000
+line: 6 expect DS112836,DS440000,DS440000
+line: 7 expect DS112836,DS440000,DS440000,DS440000
+line: 8 expect DS112836,DS440000,DS440000,DS440000
+line: 9 expect DS112836,DS440000,DS440000,DS440000
+line: 10 expect DS112836,DS112836,DS440000,DS440000,DS440000
+line: 11 expect DS112836,DS112836,DS440000,DS440000,DS440000
+line: 12 expect DS112836,DS112836,DS440000,DS440000,DS440000
+====
+NetTcpBinding b = new NetTcpBinding();  
+b.Security.Mode = SecurityMode.Transport;  
+b.Security.Transport.SslProtocols = SslProtocolsExtensions.Tls11;
+b.Security.Transport.SslProtocols = SslProtocolsExtensions.Tls12;
+b.Security.Transport.SslProtocols = SslProtocols.Default ;
+b.Security.Transport.SslProtocols = SslProtocols.None;
+b.Security.Transport.SslProtocols = SslProtocols.Ssl2 ;
+b.Security.Transport.SslProtocols = SslProtocols.Ssl3;
+b.Security.Transport.SslProtocols = SslProtocols.Tls;
+b.Security.Transport.SslProtocols = SslProtocols.Tls11;
+b.Security.Transport.SslProtocols = SslProtocols.Tls12;
+b.Security.Transport.SslProtocols = SslProtocols.Tls13;
+
+
diff --git a/rules/default/security/TLS/tests/DS112837.test b/rules/default/security/TLS/tests/DS112837.test
@@ -0,0 +1,8 @@
+line: 1 expect DS112837
+line: 2 expect DS112837
+====
+private const string DisableCachingName = @"TestSwitch.LocalAppContext.DisableCaching";
+private const string DontEnableSchUseStrongCryptoName = @"Switch.System.Net.DontEnableSchUseStrongCrypto";
+AppContext.SetSwitch(DisableCachingName, true);
+AppContext.SetSwitch(DontEnableSchUseStrongCryptoName, true)
+
diff --git a/rules/default/security/TLS/tests/DS112838.test b/rules/default/security/TLS/tests/DS112838.test
@@ -0,0 +1,12 @@
+line: 2
+line: 3
+line: 4 expect DS112838,DS440000
+line: 5 expect DS112838,DS440000
+====
+<xml>
+  <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSchUseStrongCrypto=true"/>
+  <AppContextSwitchOverrides value="Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocols=true"/>
+  <AppContextSwitchOverrides value="Switch.System.Net.DontEnableSystemDefaultTlsVersions=true"/>
+  <AppContextSwitchOverrides value="Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions=true"/>
+</xml>
+
diff --git a/rules/default/security/TLS/tests/DS112839.test b/rules/default/security/TLS/tests/DS112839.test
@@ -0,0 +1,15 @@
+line: 1 expect DS112839,DS440000
+line: 2 expect DS112839,DS112839,DS440000
+line: 3
+line: 4 expect DS112839,DS440000
+line: 5 expect DS112839,DS112839,DS440000
+line: 6
+====
+SslStream.AuthenticateAsClient()
+SslStream.AuthenticateAsClientAsync()
+BeginAuthenticateAsClient()
+SslStream.AuthenticateAsServer()
+SslStream.AuthenticateAsServerAsync()
+BeginAuthenticateAsServer()
+
+
diff --git a/rules/default/security/TLS/tls_appconfig.json b/rules/default/security/TLS/tls_appconfig.json
@@ -0,0 +1,51 @@
+[
+    {
+        "name": "Possibly hardcoded TLS protocol",
+        "id": "DS112838",
+        "description": "Possibly hardcoded TLS protocol",
+        "recommendation": "Review for security purposes",
+        "applies_to": [
+            ".config"
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "manual-review",
+        "_comment": "",
+        "rule_info": "DS112838.md",
+        "patterns": [
+            {
+                "pattern": "Switch.System.Net.DontEnableSchUseStrongCrypto",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "Switch.System.ServiceModel.DisableUsingServicePointManagerSecurityProtocol",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "Switch.System.Net.DontEnableSystemDefaultTlsVersions",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "Switch.System.ServiceModel.DontEnableSystemDefaultTlsVersions",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            }
+        ]
+    }
+]
diff --git a/rules/default/security/TLS/tls_appcontext.json b/rules/default/security/TLS/tls_appcontext.json
@@ -0,0 +1,37 @@
+[
+    {
+        "name": "Possibly hardcoded TLS protocol",
+        "id": "DS112837",
+        "description": "Possibly hardcoded TLS protocol",
+        "recommendation": "Review for security purposes",
+        "applies_to": [
+            "csharp",
+            "powershell",
+            "vb"
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "manual-review",
+        "_comment": "",
+        "rule_info": "DS112837.md",
+        "patterns": [
+            {
+                "pattern": "TestSwitch.LocalAppContext.DisableCaching",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "Switch.System.Net.DontEnableSchUseStrongCrypto",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            }
+        ]
+    }
+]
diff --git a/rules/default/security/TLS/tls_functioncall.json b/rules/default/security/TLS/tls_functioncall.json
@@ -0,0 +1,69 @@
+[
+    {
+        "name": "Possibly hardcoded TLS protocol",
+        "id": "DS112839",
+        "description": "Possibly hardcoded TLS protocol",
+        "recommendation": "Review for security purposes",
+        "applies_to": [
+            "csharp",
+            "powershell",
+            "vb"
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "manual-review",
+        "_comment": "",
+        "rule_info": "DS112839.md",
+        "patterns": [
+            {
+                "pattern": "SslStream.AuthenticateAsClient",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "SslStream.AuthenticateAsClientAsync",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "BeginAuthenticateAsClient",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "SslStream.AuthenticateAsServer",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "SslStream.AuthenticateAsServerAsync",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "BeginAuthenticateAsServer",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            }
+        ]
+    }
+]
diff --git a/rules/default/security/TLS/tls_generic.json b/rules/default/security/TLS/tls_generic.json
@@ -0,0 +1,99 @@
+[
+    {
+        "name": "Generic: Do not hardcode SSL/TLS versions within an application.",
+        "id": "DS440000",
+        "description": "SSL/TLS version usage should be based on an OS or external configuration.",
+        "recommendation": "",
+        "applies_to": [
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "important",
+        "_comment": "",
+        "rule_info": "DS440000.md",
+        "patterns": [
+            {
+                "pattern": "(SSL|D?TLS)v?[123_\\.]*",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "modifiers" : ["i"],
+                "_comment": "Generic reference to a SSL/TLS version"
+            }
+        ]
+    },    
+    {
+        "name": "OpenSSL: Do not hardcode SSL/TLS versions within an application.",
+        "id": "DS440010",
+        "description": "SSL/TLS version usage should be based on an OS or external configuration.",
+        "recommendation": "",
+        "applies_to": [
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "important",
+        "_comment": "Applies to all languages since many just wrap OpenSSL constructs.",
+        "rule_info": "DS440000.md",
+        "patterns": [
+            {
+                "pattern": "SSLv2?3_method|D?TLSv1_([123]_)?(client_|server_)?method",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL functions that implement specific protocol versions"
+            },
+            {
+                "pattern": "DTLSv1_listen|SSL_stateless",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL functions that implicitly call specific protocol versions"
+            },
+            {
+                "pattern": "SSL_(CTX_)?set_(min|max)_proto_version",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "SSL_EXT_TLS_ONLY|SSL_EXT_DTLS_ONLY|SSL_EXT_TLS_IMPLEMENTATION_ONLY|SSL_EXT_SSL3_ALLOWED|SSL_EXT_TLS1_2_AND_BELOW_ONLY|SSL_EXT|TLS1_3_ONLY|SSL_EXT_TLS1_2_SERVER_HELLO|SSL_EXT_TLS1_3_SERVER_HELLO",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL extension / options"
+            },
+            {
+                "pattern": "SSL_OP_(NO_(SSLv3|TLSv1|TLSv1_1|TLSv1_2|TLSv1_3|DTLSv1|DTLSv1_2))",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL extension / options"
+            },
+            {
+                "pattern": "SSL_OP_[A-Z0-9_]+",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL extension / options"
+            },
+            {
+                "pattern": "(AES|DH|DHE|ADH|CAMELLIA|EDH|EXP|DES|IDEA|RC4|NULL|GOST|EXP|ECDH|ECDHE|AECDH|PSK)[A-Z0-9\\-]+-?(SHA|MD|GOST)[A-Z0-9\\-]*",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": "OpenSSL cipher suite"
+            }
+        ]
+    }
+]
diff --git a/rules/default/security/TLS/tls_python.json b/rules/default/security/TLS/tls_python.json
@@ -0,0 +1,37 @@
+[
+    {
+        "name": "Python- Do not hardcode TLS protocol versions.",
+        "id": "DS440070",
+        "description": "Python- Do not hardcode TLS protocol versions.",
+        "recommendation": "",
+        "applies_to": [
+            "python"
+        ],
+        "tags": [
+            "Cryptography.Protocol.TLS.Hardcoded"
+        ],
+        "severity": "important",
+        "_comment": "",
+        "rule_info": "DS440000.md",
+        "patterns": [
+            {
+                "pattern": "PROTOCOL_(SSL|TLS)v[123_]+(_CLIENT|SERVER)?",
+                "type": "regex",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            },
+            {
+                "pattern": "ssl_version",
+                "type": "string",
+                "scopes": [
+                    "code"
+                ],
+                "_comment": ""
+            }
+        ],
+        "fix_its": [
+        ]
+    }
+]