imap-send: explicitly verify the peer certificate

Message ID	pull.1886.git.1742819282360.gitgitgadget@gmail.com (mailing list archive)
State	Accepted
Commit	fa8cd29676ca78e83f4218c73033c262d5eeba01
Headers	show Received: from mail-wr1-f45.google.com (mail-wr1-f45.google.com [209.85.221.45]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 021C32C80 for <git@vger.kernel.org>; Mon, 24 Mar 2025 12:28:05 +0000 (UTC) Message-Id: <pull.1886.git.1742819282360.gitgitgadget@gmail.com> Date: Mon, 24 Mar 2025 12:28:02 +0000 Subject: [PATCH] imap-send: explicitly verify the peer certificate Fcc: Sent Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk MIME-Version: 1.0 To: git@vger.kernel.org Cc: Johannes Schindelin <johannes.schindelin@gmx.de>, Johannes Schindelin <johannes.schindelin@gmx.de> From: Johannes Schindelin <johannes.schindelin@gmx.de>
Series	imap-send: explicitly verify the peer certificate \| expand imap-send: explicitly verify the peer certificate

Message ID

pull.1886.git.1742819282360.gitgitgadget@gmail.com (mailing list archive)

State

Accepted

Commit

fa8cd29676ca78e83f4218c73033c262d5eeba01

Headers

Message-Id: <pull.1886.git.1742819282360.gitgitgadget@gmail.com>
Date: Mon, 24 Mar 2025 12:28:02 +0000
Subject: [PATCH] imap-send: explicitly verify the peer certificate
Fcc: Sent
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
MIME-Version: 1.0
To: git@vger.kernel.org
Cc: Johannes Schindelin <johannes.schindelin@gmx.de>,
    Johannes Schindelin <johannes.schindelin@gmx.de>
From: Johannes Schindelin <johannes.schindelin@gmx.de>

Series

imap-send: explicitly verify the peer certificate | expand

Commit Message

Johannes Schindelin March 24, 2025, 12:28 p.m. UTC

From: Johannes Schindelin <johannes.schindelin@gmx.de>

It is a bug to obtain the peer certificate without verifying it.

Having said that, from my reading of
https://www.openssl.org/docs/man1.1.1/man3/SSL_set_verify.html, it would
appear that Git is saved by the fact that it calls
`SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL)` already early on.

In other words, that `SSL_VERIFY_PEER` combined with the `NULL`
parameter (i.e. no overridden callback) would _already_ verify the peer
certificate.  The fact that we later call `SSL_get_peer_certificate()`
is mistaken by CodeQL to mean that that peer certificate still needs to
be verified, but that had already happened at that point.

Nevertheless, it is better to verify the peer certificate explicitly
than to rely on some side effect that is really hard to reason about
(and that took me more than one business day to analyze fully). It also
makes it easier for static analyzers to validate the correctness of the
code.

Signed-off-by: Johannes Schindelin <johannes.schindelin@gmx.de>
---
    imap-send: explicitly verify the peer certificate

Published-As: https://github.com/gitgitgadget/git/releases/tag/pr-1886%2Fdscho%2Fimap-send-verify-peer-certificate-v1
Fetch-It-Via: git fetch https://github.com/gitgitgadget/git pr-1886/dscho/imap-send-verify-peer-certificate-v1
Pull-Request: https://github.com/gitgitgadget/git/pull/1886

 imap-send.c | 2 ++
 1 file changed, 2 insertions(+)


base-commit: 683c54c999c301c2cd6f715c411407c413b1d84e

diff --git a/imap-send.c b/imap-send.c
index 6c8f84e836b..27dc033c7f8 100644
--- a/imap-send.c
+++ b/imap-send.c
@@ -324,6 +324,8 @@  static int ssl_socket_connect(struct imap_socket *sock,
 		cert = SSL_get_peer_certificate(sock->ssl);
 		if (!cert)
 			return error("unable to get peer certificate.");
+		if (SSL_get_verify_result(sock->ssl) != X509_V_OK)
+			return error("unable to verify peer certificate");
 		if (verify_hostname(cert, cfg->host) < 0)
 			return -1;
 	}

imap-send: explicitly verify the peer certificate

Commit Message

Patch