From 20e646de3f7de6ea15c20808416cb5d275251467 Mon Sep 17 00:00:00 2001 From: wbaumann Date: Sat, 7 Nov 2009 17:52:38 +0000 Subject: [PATCH] don't accept suspicious certificates if !have_terminal --- ChangeLog | 4 ++++ THANKS | 1 + configure.ac | 2 +- po/cs.po | 34 +++++++++++++++++----------------- po/davfs2.pot | 34 +++++++++++++++++----------------- po/de.po | 34 +++++++++++++++++----------------- src/webdav.c | 19 ++++++++++--------- 7 files changed, 67 insertions(+), 61 deletions(-) diff --git a/ChangeLog b/ChangeLog index bfc8ec0..3fb871f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,6 +1,10 @@ ChangeLog for davfs2 -------------------- +2009-11-03 Werner Baumann (werner.baumann@onlinehome.de) + * webdav.c, ssl_verify: + Don't accept suspidious certificates if !have_terminal. + 2009-10-18 Werner Baumann (werner.baumann@onlinehome.de) * mount_davfs.c, webdav.c: Don't ask the user for unverified certificates diff --git a/THANKS b/THANKS index 756fb14..1af324e 100644 --- a/THANKS +++ b/THANKS @@ -49,6 +49,7 @@ monstruooo Muthu Kumar Scott Lamb Andreas Lauser +Holger Librenz Reddy T. Mahesh Juergen P. Messerer Arkadiusz Miskiewicz diff --git a/configure.ac b/configure.ac index 1b67db9..5b96c14 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ AC_PREREQ(2.59) -AC_INIT(davfs2, 1.4.3, http://savannah.nongnu.org/projects/davfs2) +AC_INIT(davfs2, 1.4.4-pre1, http://savannah.nongnu.org/projects/davfs2) AC_CONFIG_SRCDIR([src/cache.c]) AC_CONFIG_AUX_DIR([config]) AM_INIT_AUTOMAKE diff --git a/po/cs.po b/po/cs.po index f96bd6f..4d3f1ea 100644 --- a/po/cs.po +++ b/po/cs.po @@ -7,7 +7,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?" "func=additem&group=davfs2\n" -"POT-Creation-Date: 2009-10-18 18:17+0200\n" +"POT-Creation-Date: 2009-11-01 20:01+0100\n" "PO-Revision-Date: 2007-05-03 19:50+0200\n" "Last-Translator: Vítězslav Kotrla \n" "Language-Team: \n" @@ -776,51 +776,51 @@ msgstr "%i nemůže otevřít soubor vyrovnávací paměti" msgid "%i error writing to cache file" msgstr "%i chyba při zápisu do souboru vyrovnávací paměti" -#: src/webdav.c:1923 src/webdav.c:1926 +#: src/webdav.c:1922 src/webdav.c:1925 msgid "error processing server certificate" msgstr "chyba při zpracování certifikátu serveru" -#: src/webdav.c:1933 src/webdav.c:1969 +#: src/webdav.c:1936 src/webdav.c:1970 msgid "the server certificate is not yet valid" msgstr "certifikát serveru zatím není platný" -#: src/webdav.c:1935 src/webdav.c:1972 +#: src/webdav.c:1938 src/webdav.c:1973 msgid "the server certificate has expired" msgstr "platnost certifikátu serveru vypršela" -#: src/webdav.c:1937 src/webdav.c:1975 +#: src/webdav.c:1940 src/webdav.c:1976 msgid "the server certificate does not match the server name" msgstr "certifikát serveru nedopovídá jménu serveru" -#: src/webdav.c:1939 src/webdav.c:1978 +#: src/webdav.c:1942 src/webdav.c:1979 msgid "the server certificate is not trusted" msgstr "certifikát serveru je nedůvěryhodný" -#: src/webdav.c:1941 src/webdav.c:1981 +#: src/webdav.c:1944 src/webdav.c:1982 msgid "unknown certificate error" msgstr "neznámá chyba certifikátu" -#: src/webdav.c:1942 +#: src/webdav.c:1945 #, c-format msgid " issuer: %s" msgstr " vydavatel: %s" -#: src/webdav.c:1944 +#: src/webdav.c:1947 #, c-format msgid " subject: %s" msgstr " subjekt: %s" -#: src/webdav.c:1946 +#: src/webdav.c:1949 #, c-format msgid " identity: %s" msgstr " identita: %s" -#: src/webdav.c:1948 +#: src/webdav.c:1951 #, c-format msgid " fingerprint: %s" msgstr " otisk: %s" -#: src/webdav.c:1951 +#: src/webdav.c:1953 #, c-format msgid "" "You only should accept this certificate, if you can\n" @@ -831,27 +831,27 @@ msgstr "" "ověřit jeho otisk! Server může být podvržen nebo může\n" "dojít k útoku s prostředníkem (man-in-the-middle attack).\n" -#: src/webdav.c:1954 +#: src/webdav.c:1956 #, c-format msgid "Accept certificate for this session? [y,N] " msgstr "Přijmout certifikát pro toto sezení? [y,N] " -#: src/webdav.c:1982 +#: src/webdav.c:1983 #, c-format msgid " issuer: %s" msgstr " vydavatel: %s" -#: src/webdav.c:1983 +#: src/webdav.c:1984 #, c-format msgid " subject: %s" msgstr " subjekt: %s" -#: src/webdav.c:1984 +#: src/webdav.c:1985 #, c-format msgid " identity: %s" msgstr " identita: %s" -#: src/webdav.c:1987 +#: src/webdav.c:1988 msgid " accepted by user" msgstr " přijat uživatelem" diff --git a/po/davfs2.pot b/po/davfs2.pot index c9c5f89..249f71f 100644 --- a/po/davfs2.pot +++ b/po/davfs2.pot @@ -9,7 +9,7 @@ msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?" "func=additem&group=davfs2\n" -"POT-Creation-Date: 2009-10-18 18:17+0200\n" +"POT-Creation-Date: 2009-11-01 20:01+0100\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" @@ -697,51 +697,51 @@ msgstr "" msgid "%i error writing to cache file" msgstr "" -#: src/webdav.c:1923 src/webdav.c:1926 +#: src/webdav.c:1922 src/webdav.c:1925 msgid "error processing server certificate" msgstr "" -#: src/webdav.c:1933 src/webdav.c:1969 +#: src/webdav.c:1936 src/webdav.c:1970 msgid "the server certificate is not yet valid" msgstr "" -#: src/webdav.c:1935 src/webdav.c:1972 +#: src/webdav.c:1938 src/webdav.c:1973 msgid "the server certificate has expired" msgstr "" -#: src/webdav.c:1937 src/webdav.c:1975 +#: src/webdav.c:1940 src/webdav.c:1976 msgid "the server certificate does not match the server name" msgstr "" -#: src/webdav.c:1939 src/webdav.c:1978 +#: src/webdav.c:1942 src/webdav.c:1979 msgid "the server certificate is not trusted" msgstr "" -#: src/webdav.c:1941 src/webdav.c:1981 +#: src/webdav.c:1944 src/webdav.c:1982 msgid "unknown certificate error" msgstr "" -#: src/webdav.c:1942 +#: src/webdav.c:1945 #, c-format msgid " issuer: %s" msgstr "" -#: src/webdav.c:1944 +#: src/webdav.c:1947 #, c-format msgid " subject: %s" msgstr "" -#: src/webdav.c:1946 +#: src/webdav.c:1949 #, c-format msgid " identity: %s" msgstr "" -#: src/webdav.c:1948 +#: src/webdav.c:1951 #, c-format msgid " fingerprint: %s" msgstr "" -#: src/webdav.c:1951 +#: src/webdav.c:1953 #, c-format msgid "" "You only should accept this certificate, if you can\n" @@ -749,26 +749,26 @@ msgid "" "or there might be a man-in-the-middle-attack.\n" msgstr "" -#: src/webdav.c:1954 +#: src/webdav.c:1956 #, c-format msgid "Accept certificate for this session? [y,N] " msgstr "" -#: src/webdav.c:1982 +#: src/webdav.c:1983 #, c-format msgid " issuer: %s" msgstr "" -#: src/webdav.c:1983 +#: src/webdav.c:1984 #, c-format msgid " subject: %s" msgstr "" -#: src/webdav.c:1984 +#: src/webdav.c:1985 #, c-format msgid " identity: %s" msgstr "" -#: src/webdav.c:1987 +#: src/webdav.c:1988 msgid " accepted by user" msgstr "" diff --git a/po/de.po b/po/de.po index 89fd630..b3ea048 100644 --- a/po/de.po +++ b/po/de.po @@ -8,7 +8,7 @@ msgstr "" "Project-Id-Version: davfs2 1.3.3\n" "Report-Msgid-Bugs-To: http://savannah.nongnu.org/support/?" "func=additem&group=davfs2\n" -"POT-Creation-Date: 2009-10-18 18:17+0200\n" +"POT-Creation-Date: 2009-11-01 20:01+0100\n" "PO-Revision-Date: 2009-01-02 12:26+0100\n" "Last-Translator: Werner Baumann \n" "Language-Team: \n" @@ -783,51 +783,51 @@ msgstr "%i kann die Cache-Datei nicht öffnen" msgid "%i error writing to cache file" msgstr "%i Fehler beim Schreiben der Cache-Datei" -#: src/webdav.c:1923 src/webdav.c:1926 +#: src/webdav.c:1922 src/webdav.c:1925 msgid "error processing server certificate" msgstr "Fehler beim Analysieren des Server-Zertifikats" -#: src/webdav.c:1933 src/webdav.c:1969 +#: src/webdav.c:1936 src/webdav.c:1970 msgid "the server certificate is not yet valid" msgstr "das Server-Zertifikat ist noch nicht gültig" -#: src/webdav.c:1935 src/webdav.c:1972 +#: src/webdav.c:1938 src/webdav.c:1973 msgid "the server certificate has expired" msgstr "das Server-Zertifikat ist nicht mehr gültig" -#: src/webdav.c:1937 src/webdav.c:1975 +#: src/webdav.c:1940 src/webdav.c:1976 msgid "the server certificate does not match the server name" msgstr "das Server-Zertifikat passt nicht zum Namen des Servers" -#: src/webdav.c:1939 src/webdav.c:1978 +#: src/webdav.c:1942 src/webdav.c:1979 msgid "the server certificate is not trusted" msgstr "wir trauen dem Zertifikat nicht" -#: src/webdav.c:1941 src/webdav.c:1981 +#: src/webdav.c:1944 src/webdav.c:1982 msgid "unknown certificate error" msgstr "Fehler beim Analysieren des Server-Zertifikats" -#: src/webdav.c:1942 +#: src/webdav.c:1945 #, c-format msgid " issuer: %s" msgstr " Aussteller: %s" -#: src/webdav.c:1944 +#: src/webdav.c:1947 #, c-format msgid " subject: %s" msgstr " Inhaber: %s" -#: src/webdav.c:1946 +#: src/webdav.c:1949 #, c-format msgid " identity: %s" msgstr " Name: %s" -#: src/webdav.c:1948 +#: src/webdav.c:1951 #, c-format msgid " fingerprint: %s" msgstr " Fingerabdruck: %s" -#: src/webdav.c:1951 +#: src/webdav.c:1953 #, c-format msgid "" "You only should accept this certificate, if you can\n" @@ -838,26 +838,26 @@ msgstr "" "dass der Fingerabdruck stimmt. Der Server könnte gefälscht sein oder\n" "ein Angreifer könnte sich in die Verbindung zum Server eingeschaltet haben.\n" -#: src/webdav.c:1954 +#: src/webdav.c:1956 #, c-format msgid "Accept certificate for this session? [y,N] " msgstr "Ich akzeptiere das Zertifikat für diese Sitzung [j,N]: " -#: src/webdav.c:1982 +#: src/webdav.c:1983 #, c-format msgid " issuer: %s" msgstr " Aussteller des Zertifikats: %s" -#: src/webdav.c:1983 +#: src/webdav.c:1984 #, c-format msgid " subject: %s" msgstr " Inhaber des Zertifikats: %s" -#: src/webdav.c:1984 +#: src/webdav.c:1985 #, c-format msgid " identity: %s" msgstr " Name: %s" -#: src/webdav.c:1987 +#: src/webdav.c:1988 msgid " accepted by user" msgstr " durch den Benutzer akzeptiert" diff --git a/src/webdav.c b/src/webdav.c index deb6577..8a6b86c 100644 --- a/src/webdav.c +++ b/src/webdav.c @@ -1917,7 +1917,6 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert) char *issuer = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert)); char *subject = ne_ssl_readable_dname(ne_ssl_cert_subject(cert)); char *digest = ne_calloc(NE_SSL_DIGESTLEN); - int ret = 0; if (!issuer || !subject || ne_ssl_cert_digest(cert, digest) != 0) { if (have_terminal) { error(0, 0, _("error processing server certificate")); @@ -1925,9 +1924,13 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert) syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR), _("error processing server certificate")); } - ret = -1; + if (issuer) free(issuer); + if (subject) free(subject); + if (digest) free(digest); + return -1; } + int ret = -1; if (have_terminal) { if (failures & NE_SSL_NOTYETVALID) error(0, 0, _("the server certificate is not yet valid")); @@ -1947,7 +1950,6 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert) printf("\n"); printf(_(" fingerprint: %s"), digest); printf("\n"); - if (!ret) { printf(_("You only should accept this certificate, if you can\n" "verify the fingerprint! The server might be faked\n" "or there might be a man-in-the-middle-attack.\n")); @@ -1958,10 +1960,9 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert) len = getline(&s, &n, stdin); if (len < 0) abort(); - if (rpmatch(s) < 1) - ret = -1; + if (rpmatch(s) > 0) + ret = 0; free(s); - } } if (failures & NE_SSL_NOTYETVALID) @@ -1987,9 +1988,9 @@ ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert) syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_ERR), _(" accepted by user")); } - free(issuer); - free(subject); - free(digest); + if (issuer) free(issuer); + if (subject) free(subject); + if (digest) free(digest); return ret; }