CodeQL documentation

Certificate not checked

ID: cpp/certificate-not-checked
Kind: problem
Security severity: 7.5
Severity: error
Precision: medium
Tags:
   - security
   - external/cwe/cwe-295
Query suites:
   - cpp-security-extended.qls
   - cpp-security-and-quality.qls


After fetching an SSL certificate, always check the result of certificate verification.

Recommendation

Always check the result of SSL certificate verification. A certificate that has been revoked may indicate that data is coming from an attacker, whereas a certificate that has expired or was self-signed may indicate an increased likelihood that the data is malicious.

Example

In this example, the SSL_get_peer_certificate function is used to get the certificate of a peer. However, it is unsafe to use that information without checking whether the certificate is valid.

// ...

X509 *cert = SSL_get_peer_certificate(ssl); // BAD (SSL_get_verify_result is never called)

// ...

In the corrected example, we use SSL_get_verify_result to check that certificate verification was successful.

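// ...

X509 *cert = SSL_get_peer_certificate(ssl); // GOOD
if (cert)
{
	// X509_V_OK means certificate verification succeeded
	long result = SSL_get_verify_result(ssl);
	if (result == X509_V_OK)
	{
		// ...
	}
	X509_free(cert); // SSL_get_peer_certificate returns a reference the caller must release
}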
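
As an added example (not part of the CodeQL documentation or the query itself), the following Python sketch is a rough triage heuristic for the pattern above: it lists C functions that call SSL_get_peer_certificate but never call SSL_get_verify_result. The names SAMPLE_C, function_bodies and unchecked_peer_cert are hypothetical, the sample source is constructed, and the text matching does no data-flow analysis.

```python
import re

# Constructed sample C source (not taken from any real project).
SAMPLE_C = r'''
int bad_client(SSL *ssl) {
    X509 *cert = SSL_get_peer_certificate(ssl);
    if (cert) { use_peer(cert); X509_free(cert); }
    return 0;
}

int good_client(SSL *ssl) {
    X509 *cert = SSL_get_peer_certificate(ssl);
    if (cert && SSL_get_verify_result(ssl) == X509_V_OK) { use_peer(cert); }
    if (cert) X509_free(cert);
    return 0;
}

/* SSL_get_peer_certificate(ssl) mentioned only in a comment */
int unrelated(void) { return 1; }
'''

COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*', re.S)
FUNC_HEAD = re.compile(r'\b([A-Za-z_]\w*)\s*\([^;{}()]*\)\s*\{')

def function_bodies(src):
    """Yield (name, body) for each top-level brace-delimited function."""
    pos = 0
    while (m := FUNC_HEAD.search(src, pos)):
        depth, i = 1, m.end()
        while i < len(src) and depth:          # walk to the matching '}'
            depth += {'{': 1, '}': -1}.get(src[i], 0)
            i += 1
        yield m.group(1), src[m.end():i]
        pos = i                                # skip nested blocks in the body

def unchecked_peer_cert(src):
    """Names of functions that fetch the peer certificate but never call
    SSL_get_verify_result (heuristic: braces in string literals confuse it)."""
    src = COMMENTS.sub(' ', src)               # ignore mentions in comments
    return [name for name, body in function_bodies(src)
            if 'SSL_get_peer_certificate' in body
            and 'SSL_get_verify_result' not in body]

if __name__ == '__main__':
    print(unchecked_peer_cert(SAMPLE_C))
```

A hit is only a candidate for review: the verification result may be checked in a helper function, which this heuristic cannot see.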

References

  • Common Weakness Enumeration: CWE-295.
