Hi Everyone,

Re: https://cwe.mitre.org/data/definitions/295.html . The code in Example 2:

    <QUOTE>
    The following OpenSSL code obtains a certificate and verifies it.

    cert = SSL_get_peer_certificate(ssl);
    if (cert && (SSL_get_verify_result(ssl)==X509_V_OK)) {
        // do secret things
    }
    </QUOTE>

The sharp edge is here (and used throughout the examples):

    cert = SSL_get_peer_certificate(ssl);

I think it would be a good idea to point out for readers that
SSL_get_peer_certificate(...) can return NULL _if_ Anonymous
Diffie-Hellman (or Anonymous ECDH) is used. That's because a server
does not send a certificate (even if one is available) when ADH is
used. And clearly state ADH should not be used in cipher suites
because it is equivalent to sending a certificate but not validating
that certificate.

I prefer something like this to make a missing certificate an explicit error:

    cert = SSL_get_peer_certificate(ssl);
    if (cert == NULL) {
        /* No certificate. ADH? Reject the connection. */
        return error;
    }
    if (SSL_get_verify_result(ssl) != X509_V_OK) {
        /* Validation failed. Release the certificate before bailing out. */
        X509_free(cert);
        return error;
    }
    /* Do secret things */

    /* Decrement the reference count. */
    X509_free(cert);

Jeff
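
An added example (not part of the original post or of the CWE entry) supporting the recommendation above to keep ADH out of the configured cipher suites: it scans `openssl ciphers -v` output, the same text `SSL_CIPHER_description()` produces, for suites with `Au=None`. The function names and the sample listing are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample in the format printed by `openssl ciphers -v`. */
static const char SAMPLE_LISTING[] =
    "ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD\n"
    "ADH-AES256-GCM-SHA384 TLSv1.2 Kx=DH Au=None Enc=AESGCM(256) Mac=AEAD\n"
    "AECDH-AES256-SHA TLSv1 Kx=ECDH Au=None Enc=AES(256) Mac=SHA1\n"
    "TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD\n";

/* 1 if the line has Au=None as a whole field: no server certificate is sent. */
static int suite_is_anonymous(const char *line, size_t len)
{
    size_t i = 0;
    while (i < len) {
        size_t flen = strcspn(line + i, " \t\r\n");  /* one field */
        if (flen == 7 && memcmp(line + i, "Au=None", 7) == 0)
            return 1;
        i += flen + 1;
    }
    return 0;
}

/* Counts anonymous suites; writes the names that fit into out, space-separated. */
int audit_cipher_listing(const char *listing, char *out, size_t out_sz)
{
    int hits = 0;
    size_t used = 0;
    const char *p = listing;
    if (out_sz > 0) out[0] = '\0';
    while (*p != '\0') {
        size_t len = strcspn(p, "\n");
        if (suite_is_anonymous(p, len)) {
            size_t nlen = strcspn(p, " \t\n");  /* first field is the suite name */
            hits++;
            if (used + nlen + 2 <= out_sz)      /* separator + name + NUL must fit */
                used += (size_t)snprintf(out + used, out_sz - used, "%s%.*s",
                                         used ? " " : "", (int)nlen, p);
        }
        p += len + (p[len] == '\n');
    }
    return hits;
}

int main(void)
{
    char names[256];
    int n = audit_cipher_listing(SAMPLE_LISTING, names, sizeof names);
    printf("%d anonymous suite(s): %s\n", n, names);
    return n != 0;  /* non-zero exit when any anonymous suite is enabled */
}
```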
