don't accept suspicious certificates if !have_terminal

ChangeLog

@@ -1,6 +1,10 @@
 ChangeLog for davfs2
 --------------------
 
+2009-11-03 Werner Baumann (werner.baumann@onlinehome.de)
+    * webdav.c, ssl_verify:
+      Don't accept suspidious certificates if !have_terminal.
+
 2009-10-18 Werner Baumann (werner.baumann@onlinehome.de)
     * mount_davfs.c, webdav.c:
       Don't ask the user for unverified certificates

THANKS

@@ -49,6 +49,7 @@ monstruooo <monstruooo@users.sourceforge.net>
 Muthu Kumar <kmkumar@users.sourceforge.net>
 Scott Lamb <slamb@users.sourceforge.net>
 Andreas Lauser <andlaus@users.sourceforge.net>
+Holger Librenz <me@holger-librenz.de>
 Reddy T. Mahesh <tmahesh@users.sourceforge.net>
 Juergen P. Messerer <messi@users.sourceforge.net>
 Arkadiusz Miskiewicz <arekm@users.sourceforge.net>

configure.ac

@@ -21,7 +21,7 @@
 
 
 AC_PREREQ(2.59)
-AC_INIT(davfs2, 1.4.3, http://savannah.nongnu.org/projects/davfs2)
+AC_INIT(davfs2, 1.4.4-pre1, http://savannah.nongnu.org/projects/davfs2)
 AC_CONFIG_SRCDIR([src/cache.c])
 AC_CONFIG_AUX_DIR([config])
 AM_INIT_AUTOMAKE

po/cs.po

@@ -7,7 +7,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?"
 "func=additem&group=davfs2\n"
-"POT-Creation-Date: 2009-10-18 18:17+0200\n"
+"POT-Creation-Date: 2009-11-01 20:01+0100\n"
 "PO-Revision-Date: 2007-05-03 19:50+0200\n"
 "Last-Translator: Vítězslav Kotrla <vitko@post.cz>\n"
 "Language-Team:  <cs@li.org>\n"
@@ -776,51 +776,51 @@ msgstr "%i nemůže otevřít soubor vyrovnávací paměti"
 msgid "%i error writing to cache file"
 msgstr "%i chyba při zápisu do souboru vyrovnávací paměti"
 
-#: src/webdav.c:1923 src/webdav.c:1926
+#: src/webdav.c:1922 src/webdav.c:1925
 msgid "error processing server certificate"
 msgstr "chyba při zpracování certifikátu serveru"
 
-#: src/webdav.c:1933 src/webdav.c:1969
+#: src/webdav.c:1936 src/webdav.c:1970
 msgid "the server certificate is not yet valid"
 msgstr "certifikát serveru zatím není platný"
 
-#: src/webdav.c:1935 src/webdav.c:1972
+#: src/webdav.c:1938 src/webdav.c:1973
 msgid "the server certificate has expired"
 msgstr "platnost certifikátu serveru vypršela"
 
-#: src/webdav.c:1937 src/webdav.c:1975
+#: src/webdav.c:1940 src/webdav.c:1976
 msgid "the server certificate does not match the server name"
 msgstr "certifikát serveru nedopovídá jménu serveru"
 
-#: src/webdav.c:1939 src/webdav.c:1978
+#: src/webdav.c:1942 src/webdav.c:1979
 msgid "the server certificate is not trusted"
 msgstr "certifikát serveru je nedůvěryhodný"
 
-#: src/webdav.c:1941 src/webdav.c:1981
+#: src/webdav.c:1944 src/webdav.c:1982
 msgid "unknown certificate error"
 msgstr "neznámá chyba certifikátu"
 
-#: src/webdav.c:1942
+#: src/webdav.c:1945
 #, c-format
 msgid "  issuer:      %s"
 msgstr "  vydavatel:      %s"
 
-#: src/webdav.c:1944
+#: src/webdav.c:1947
 #, c-format
 msgid "  subject:     %s"
 msgstr "  subjekt:     %s"
 
-#: src/webdav.c:1946
+#: src/webdav.c:1949
 #, c-format
 msgid "  identity:    %s"
 msgstr "  identita:    %s"
 
-#: src/webdav.c:1948
+#: src/webdav.c:1951
 #, c-format
 msgid "  fingerprint: %s"
 msgstr "  otisk: %s"
 
-#: src/webdav.c:1951
+#: src/webdav.c:1953
 #, c-format
 msgid ""
 "You only should accept this certificate, if you can\n"
@@ -831,27 +831,27 @@ msgstr ""
 "ověřit jeho otisk! Server může být podvržen nebo může\n"
 "dojít k útoku s prostředníkem (man-in-the-middle attack).\n"
 
-#: src/webdav.c:1954
+#: src/webdav.c:1956
 #, c-format
 msgid "Accept certificate for this session? [y,N] "
 msgstr "Přijmout certifikát pro toto sezení? [y,N] "
 
-#: src/webdav.c:1982
+#: src/webdav.c:1983
 #, c-format
 msgid "  issuer: %s"
 msgstr "  vydavatel: %s"
 
-#: src/webdav.c:1983
+#: src/webdav.c:1984
 #, c-format
 msgid "  subject: %s"
 msgstr "  subjekt: %s"
 
-#: src/webdav.c:1984
+#: src/webdav.c:1985
 #, c-format
 msgid "  identity: %s"
 msgstr "  identita: %s"
 
-#: src/webdav.c:1987
+#: src/webdav.c:1988
 msgid "  accepted by user"
 msgstr "  přijat uživatelem"
 

po/davfs2.pot

@@ -9,7 +9,7 @@ msgstr ""
 "Project-Id-Version: PACKAGE VERSION\n"
 "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?"
 "func=additem&group=davfs2\n"
-"POT-Creation-Date: 2009-10-18 18:17+0200\n"
+"POT-Creation-Date: 2009-11-01 20:01+0100\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <LL@li.org>\n"
@@ -697,51 +697,51 @@ msgstr ""
 msgid "%i error writing to cache file"
 msgstr ""
 
-#: src/webdav.c:1923 src/webdav.c:1926
+#: src/webdav.c:1922 src/webdav.c:1925
 msgid "error processing server certificate"
 msgstr ""
 
-#: src/webdav.c:1933 src/webdav.c:1969
+#: src/webdav.c:1936 src/webdav.c:1970
 msgid "the server certificate is not yet valid"
 msgstr ""
 
-#: src/webdav.c:1935 src/webdav.c:1972
+#: src/webdav.c:1938 src/webdav.c:1973
 msgid "the server certificate has expired"
 msgstr ""
 
-#: src/webdav.c:1937 src/webdav.c:1975
+#: src/webdav.c:1940 src/webdav.c:1976
 msgid "the server certificate does not match the server name"
 msgstr ""
 
-#: src/webdav.c:1939 src/webdav.c:1978
+#: src/webdav.c:1942 src/webdav.c:1979
 msgid "the server certificate is not trusted"
 msgstr ""
 
-#: src/webdav.c:1941 src/webdav.c:1981
+#: src/webdav.c:1944 src/webdav.c:1982
 msgid "unknown certificate error"
 msgstr ""
 
-#: src/webdav.c:1942
+#: src/webdav.c:1945
 #, c-format
 msgid "  issuer:      %s"
 msgstr ""
 
-#: src/webdav.c:1944
+#: src/webdav.c:1947
 #, c-format
 msgid "  subject:     %s"
 msgstr ""
 
-#: src/webdav.c:1946
+#: src/webdav.c:1949
 #, c-format
 msgid "  identity:    %s"
 msgstr ""
 
-#: src/webdav.c:1948
+#: src/webdav.c:1951
 #, c-format
 msgid "  fingerprint: %s"
 msgstr ""
 
-#: src/webdav.c:1951
+#: src/webdav.c:1953
 #, c-format
 msgid ""
 "You only should accept this certificate, if you can\n"
@@ -749,26 +749,26 @@ msgid ""
 "or there might be a man-in-the-middle-attack.\n"
 msgstr ""
 
-#: src/webdav.c:1954
+#: src/webdav.c:1956
 #, c-format
 msgid "Accept certificate for this session? [y,N] "
 msgstr ""
 
-#: src/webdav.c:1982
+#: src/webdav.c:1983
 #, c-format
 msgid "  issuer: %s"
 msgstr ""
 
-#: src/webdav.c:1983
+#: src/webdav.c:1984
 #, c-format
 msgid "  subject: %s"
 msgstr ""
 
-#: src/webdav.c:1984
+#: src/webdav.c:1985
 #, c-format
 msgid "  identity: %s"
 msgstr ""
 
-#: src/webdav.c:1987
+#: src/webdav.c:1988
 msgid "  accepted by user"
 msgstr ""

po/de.po

@@ -8,7 +8,7 @@ msgstr ""
 "Project-Id-Version: davfs2 1.3.3\n"
 "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?"
 "func=additem&group=davfs2\n"
-"POT-Creation-Date: 2009-10-18 18:17+0200\n"
+"POT-Creation-Date: 2009-11-01 20:01+0100\n"
 "PO-Revision-Date: 2009-01-02 12:26+0100\n"
 "Last-Translator: Werner Baumann <werner.baumann@onlinehome.de>\n"
 "Language-Team: \n"
@@ -783,51 +783,51 @@ msgstr "%i kann die Cache-Datei nicht öffnen"
 msgid "%i error writing to cache file"
 msgstr "%i Fehler beim Schreiben der Cache-Datei"
 
-#: src/webdav.c:1923 src/webdav.c:1926
+#: src/webdav.c:1922 src/webdav.c:1925
 msgid "error processing server certificate"
 msgstr "Fehler beim Analysieren des Server-Zertifikats"
 
-#: src/webdav.c:1933 src/webdav.c:1969
+#: src/webdav.c:1936 src/webdav.c:1970
 msgid "the server certificate is not yet valid"
 msgstr "das Server-Zertifikat ist noch nicht gültig"
 
-#: src/webdav.c:1935 src/webdav.c:1972
+#: src/webdav.c:1938 src/webdav.c:1973
 msgid "the server certificate has expired"
 msgstr "das Server-Zertifikat ist nicht mehr gültig"
 
-#: src/webdav.c:1937 src/webdav.c:1975
+#: src/webdav.c:1940 src/webdav.c:1976
 msgid "the server certificate does not match the server name"
 msgstr "das Server-Zertifikat passt nicht zum Namen des Servers"
 
-#: src/webdav.c:1939 src/webdav.c:1978
+#: src/webdav.c:1942 src/webdav.c:1979
 msgid "the server certificate is not trusted"
 msgstr "wir trauen dem Zertifikat nicht"
 
-#: src/webdav.c:1941 src/webdav.c:1981
+#: src/webdav.c:1944 src/webdav.c:1982
 msgid "unknown certificate error"
 msgstr "Fehler beim Analysieren des Server-Zertifikats"
 
-#: src/webdav.c:1942
+#: src/webdav.c:1945
 #, c-format
 msgid "  issuer:      %s"
 msgstr "  Aussteller:    %s"
 
-#: src/webdav.c:1944
+#: src/webdav.c:1947
 #, c-format
 msgid "  subject:     %s"
 msgstr "  Inhaber:       %s"
 
-#: src/webdav.c:1946
+#: src/webdav.c:1949
 #, c-format
 msgid "  identity:    %s"
 msgstr "  Name:          %s"
 
-#: src/webdav.c:1948
+#: src/webdav.c:1951
 #, c-format
 msgid "  fingerprint: %s"
 msgstr "  Fingerabdruck: %s"
 
-#: src/webdav.c:1951
+#: src/webdav.c:1953
 #, c-format
 msgid ""
 "You only should accept this certificate, if you can\n"
@@ -838,26 +838,26 @@ msgstr ""
 "dass der Fingerabdruck stimmt. Der Server könnte gefälscht sein oder\n"
 "ein Angreifer könnte sich in die Verbindung zum Server eingeschaltet haben.\n"
 
-#: src/webdav.c:1954
+#: src/webdav.c:1956
 #, c-format
 msgid "Accept certificate for this session? [y,N] "
 msgstr "Ich akzeptiere das Zertifikat für diese Sitzung [j,N]: "
 
-#: src/webdav.c:1982
+#: src/webdav.c:1983
 #, c-format
 msgid "  issuer: %s"
 msgstr "  Aussteller des Zertifikats: %s"
 
-#: src/webdav.c:1983
+#: src/webdav.c:1984
 #, c-format
 msgid "  subject: %s"
 msgstr "  Inhaber des Zertifikats: %s"
 
-#: src/webdav.c:1984
+#: src/webdav.c:1985
 #, c-format
 msgid "  identity: %s"
 msgstr "  Name: %s"
 
-#: src/webdav.c:1987
+#: src/webdav.c:1988
 msgid "  accepted by user"
 msgstr "  durch den Benutzer akzeptiert"

src/webdav.c

@@ -1917,7 +1917,6 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
     char *issuer = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert));
     char *subject = ne_ssl_readable_dname(ne_ssl_cert_subject(cert));
     char *digest = ne_calloc(NE_SSL_DIGESTLEN);
-    int ret = 0;
     if (!issuer || !subject || ne_ssl_cert_digest(cert, digest) != 0) {
         if (have_terminal) {
             error(0, 0, _("error processing server certificate"));
@@ -1925,9 +1924,13 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
             syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR),
                    _("error processing server certificate"));
         }
-        ret = -1;
+        if (issuer) free(issuer);
+        if (subject) free(subject);
+        if (digest) free(digest);
+        return -1;
     }
 
+    int ret = -1;
     if (have_terminal) {
         if (failures & NE_SSL_NOTYETVALID)
             error(0, 0, _("the server certificate is not yet valid"));
@@ -1947,7 +1950,6 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
         printf("\n");
         printf(_("  fingerprint: %s"), digest);
         printf("\n");
-        if (!ret) {
             printf(_("You only should accept this certificate, if you can\n"
                      "verify the fingerprint! The server might be faked\n"
                      "or there might be a man-in-the-middle-attack.\n"));
@@ -1958,10 +1960,9 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
             len = getline(&s, &n, stdin);
             if (len < 0)
                 abort();
-            if (rpmatch(s) < 1)
-                ret = -1;
+            if (rpmatch(s) > 0)
+                ret = 0;
             free(s);
-        }
     } 
 
     if (failures & NE_SSL_NOTYETVALID)
@@ -1987,9 +1988,9 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
         syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR), _("  accepted by user"));
     }
 
-    free(issuer);
-    free(subject);
-    free(digest);
+    if (issuer) free(issuer);
+    if (subject) free(subject);
+    if (digest) free(digest);
     return ret;
 }