• CodeQL query help documentation »
• CodeQL query help for C and C++ »

Certificate result conflation

ID: cpp/certificate-result-conflation Kind: problem Security severity: 7.5 Severity: error Precision: medium Tags: - security - external/cwe/cwe-295 Query suites: - cpp-security-extended.qls - cpp-security-and-quality.qls 

Click to see the query in the CodeQL repository

When checking the result of SSL certificate verification, accepting any error code may allow an attacker to impersonate someone who is trusted.

Recommendation

When checking an SSL certificate with SSL_get_verify_result, only X509_V_OK is a success code. If there is any other result the certificate should not be accepted.

Example

In this example the error code X509_V_ERR_CERT_HAS_EXPIRED is treated the same as an OK result. An expired certificate should not be accepted as it is more likely to be compromised than a valid certificate.

// ...if(cert=SSL_get_peer_certificate(ssl)){result=SSL_get_verify_result(ssl);if((result==X509_V_OK)||(result==X509_V_ERR_CERT_HAS_EXPIRED))// BAD (conflates OK and a non-OK codes){do_ok();}else{do_error();}}

In the corrected example, only a result of X509_V_OK is accepted.

// ...if(cert=SSL_get_peer_certificate(ssl)){result=SSL_get_verify_result(ssl);if(result==X509_V_OK)// GOOD{do_ok();}else{do_error();}}

References

• Common Weakness Enumeration: CWE-295.

• © GitHub, Inc.
• Terms
• Privacy