CWE Rule 295
Description
The product does not validate, or incorrectly validates, a certificate
Polyspace Implementation
The rule checker checks for these issues:
Validity of certificate not checked
Unsafe certificate accepted
Examples
This issue occurs when any of these conditions is true:
The returned value of
SSL_get_peer_certificate()orSSL_get_verify_result()is immediately discarded.Only one of
SSL_get_verify_result()andSSL_get_peer_certificate()is called.
Unless certificates are checked for validity, the code can accept revoked or invalid certificates, which allows the program to communicate with malicious hosts.
Before using a certificate, verify its validity:
Store the return value of
SSL_get_peer_certificate()and check for valid hostname.After calling
SSL_get_peer_certificate(), callSSL_get_verify_result().
In this example, the returned value of
SSL_get_peer_certificate() is immediately discarded.
Polyspace® reports a violation of this
rule.
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
void check_certificate_noncompliant2(SSL *ssl) {
X509 *cert;
long foo;
SSL_get_peer_certificate(ssl); //Noncompliant
foo = SSL_get_verify_result(ssl);
if(X509_V_OK == foo) {
// do secret things
}
}To fix this violation, verify the hostname:
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_compliant2(SSL *ssl) {
X509 *cert;
long foo;
cert = SSL_get_peer_certificate(ssl); //Compliant
foo = SSL_get_verify_result(ssl);
if(cert && X509_V_OK == foo) {
// Verify hostname
if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
// do secret things
} else {
// Handle hostname verification failure
}
}
}This issue occurs when the code compares the return value of
SSL_get_verify_result() against a value other than
X509_V_OK
This issue allows the program to accept self-signed certificates. Because the identity of the host is not proved by a trusted third-party, it is possible that a malicious entity is spoofing the host using self-signed certificates. Not verifying the safety of the certificate makes the code vulnerable to such attacks.
Check that the return value of SSL_get_verify_result() is
X509_V_OK. Avoid accepting other return values.
This example accepts a value of SSL verification other than
X509_V_OK. Polyspace reports a
violation.
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_noncompliant2(SSL *ssl) {
X509 *cert;
long foo;
cert = SSL_get_peer_certificate(ssl);
int result = SSL_get_verify_result(ssl);
if(cert && (X509_V_OK == result) || (X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN == result)) { //Noncompliant
// Verify hostname
if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
// do secret things
} else {
// Handle hostname verification failure
}
}
}To fix this issue, avoid accepting any value other than
X509_V_OK as the returned value of
SSL_get_verify_result().
#include <stdio.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/x509v3.h>
extern const char* hostname;
void check_certificate_compliant(SSL *ssl) {
X509 *cert;
long foo;
cert = SSL_get_peer_certificate(ssl);
int result = SSL_get_verify_result(ssl);
if(cert && (X509_V_OK == result) ) { //Compliant
// Verify hostname
if (X509_check_host(cert, hostname, 0, 0, NULL) == 1) {
// do secret things
} else {
// Handle hostname verification failure
}
}
}Check Information
| Category: Authentication Errors |
PQL Name: std.cwe_native.R295 |
Version History
Introduced in R2026a
See Also
External Websites
MATLAB Command
You clicked a link that corresponds to this MATLAB command:
Run the command by entering it in the MATLAB Command Window. Web browsers do not support MATLAB commands.
Select a Web Site
Choose a web site to get translated content where available and see local events and offers. Based on your location, we recommend that you select: .
You can also select a web site from the following list
How to Get Best Site Performance
Select the China site (in Chinese or English) for best site performance. Other MathWorks country sites are not optimized for visits from your location.
Americas
- América Latina (Español)
- Canada (English)
- United States (English)
Europe
- Belgium (English)
- Denmark (English)
- Deutschland (Deutsch)
- España (Español)
- Finland (English)
- France (Français)
- Ireland (English)
- Italia (Italiano)
- Luxembourg (English)
- Netherlands (English)
- Norway (English)
- Österreich (Deutsch)
- Portugal (English)
- Sweden (English)
- Switzerland
- United Kingdom (English)