CWE Rule 295

Improper Certificate Validation

Since R2026a

expand all in page

Description

The product does not validate, or incorrectly validates, a certificate

Polyspace Implementation

The rule checker checks for these issues:

  • Validity of certificate not checked

  • Unsafe certificate accepted

Examples

expand all

Issue

This issue occurs when any of these conditions is true:

  • The returned value of SSL_get_peer_certificate() or SSL_get_verify_result() is immediately discarded.

  • Only one of SSL_get_verify_result() and SSL_get_peer_certificate() is called.

Risk

Unless certificates are checked for validity, the code can accept revoked or invalid certificates, which allows the program to communicate with malicious hosts.

Fix

Before using a certificate, verify its validity:

  • Store the return value of SSL_get_peer_certificate() and check for valid hostname.

  • After calling SSL_get_peer_certificate(), call SSL_get_verify_result().

Example

In this example, the returned value of SSL_get_peer_certificate() is immediately discarded. Polyspace® reports a violation of this rule.


#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
void check_certificate_noncompliant2(SSL *ssl) {
	X509 *cert;
	long foo;
	SSL_get_peer_certificate(ssl); //Noncompliant
	foo = SSL_get_verify_result(ssl); 
	if(X509_V_OK == foo) {  
		// do secret things
	}
}

Correction

To fix this violation, verify the hostname:

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_compliant2(SSL *ssl) {
	X509 *cert;
	long foo;
	cert = SSL_get_peer_certificate(ssl); //Compliant
	foo = SSL_get_verify_result(ssl); 
	if(cert && X509_V_OK == foo) {  
		// Verify hostname
            if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
                // do secret things
            } else {
                // Handle hostname verification failure
            }
	}
}

Issue

This issue occurs when the code compares the return value of SSL_get_verify_result() against a value other than X509_V_OK

Risk

This issue allows the program to accept self-signed certificates. Because the identity of the host is not proved by a trusted third-party, it is possible that a malicious entity is spoofing the host using self-signed certificates. Not verifying the safety of the certificate makes the code vulnerable to such attacks.

Fix

Check that the return value of SSL_get_verify_result() is X509_V_OK. Avoid accepting other return values.

Example

This example accepts a value of SSL verification other than X509_V_OK. Polyspace reports a violation.

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_noncompliant2(SSL *ssl) {
	X509 *cert;
	long foo;
	cert = SSL_get_peer_certificate(ssl); 
	int result = SSL_get_verify_result(ssl); 
	if(cert && (X509_V_OK == result) || (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == result)) {  //Noncompliant
		// Verify hostname
            if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
                // do secret things
            } else {
                // Handle hostname verification failure
            }
	}
}

Correction

To fix this issue, avoid accepting any value other than X509_V_OK as the returned value of SSL_get_verify_result().

#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_compliant(SSL *ssl) {
	X509 *cert;
	long foo;
	cert = SSL_get_peer_certificate(ssl); 
	int result = SSL_get_verify_result(ssl); 
	if(cert && (X509_V_OK == result) ) {  //Compliant
		// Verify hostname
            if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
                // do secret things
            } else {
                // Handle hostname verification failure
            }
	}
}

Check Information

Category: Authentication Errors
PQL Name: std.cwe_native.R295

Version History

Introduced in R2026a

See Also

Topics

External Websites