Add option trust_server_cert

2012-02-01 18:19:25 +00:00
parent f62e22ba6b
commit c35e92e076
14 changed files with 1336 additions and 1144 deletions
--- a/src/mount_davfs.c
+++ b/src/mount_davfs.c
@ -1043,6 +1043,33 @@ parse_config(dav_args *args)
                  args->trust_ca_cert);
    }

+    if (args->trust_server_cert) {
+        char *f = NULL;
+        expand_home(&args->trust_server_cert, args);
+        if (*args->trust_server_cert == '/') {
+            args->server_cert = ne_ssl_cert_read(args->trust_server_cert);
+        } else {
+            if (!args->privileged) {
+                f = xasprintf("%s/.%s/%s/%s", args->home, PACKAGE,
+                              DAV_CERTS_DIR, args->trust_server_cert);
+                args->server_cert = ne_ssl_cert_read(f);
+            }
+            if (!args->server_cert) {
+                if (f) free(f);
+                f = xasprintf("%s/%s/%s", DAV_SYS_CONF_DIR, DAV_CERTS_DIR,
+                              args->trust_server_cert);
+                args->server_cert = ne_ssl_cert_read(f);
+            }
+            if (args->server_cert) {
+                free(args->trust_server_cert);
+                args->trust_server_cert = f;
+            }
+        }
+        if (!args->server_cert)
+            error(EXIT_FAILURE, 0, _("can't read server certificate %s"),
+                  args->trust_server_cert);
+    }
+
    if (args->secrets)
        expand_home(&args->secrets, args);
    if (!args->privileged && !args->secrets)
@ -1430,6 +1457,10 @@ delete_args(dav_args *args)
        free(args->trust_ca_cert);
    if (args->ca_cert)
        free(args->ca_cert);
+    if (args->trust_server_cert)
+        free(args->trust_server_cert);
+    if (args->server_cert)
+        free(args->server_cert);
    if (args->secrets)
        free(args->secrets);
    if (args->username) {
@ -2116,6 +2147,10 @@ read_config(dav_args *args, const char * filename, int system)
                if (args->trust_ca_cert)
                    free(args->trust_ca_cert);
                args->trust_ca_cert = xstrdup(parmv[1]);
+            } else if (strcmp(parmv[0], "trust_server_cert") == 0) {
+                if (args->trust_server_cert)
+                    free(args->trust_server_cert);
+                args->trust_server_cert = xstrdup(parmv[1]);
            } else if (!system && strcmp(parmv[0], "secrets") == 0) {
                if (args->secrets)
                    free(args->secrets);
--- a/src/mount_davfs.h
+++ b/src/mount_davfs.h
@ -67,6 +67,8 @@ typedef struct {
    char *path;               /* Command line */
    char *trust_ca_cert;      /* User config file, system config file */
    ne_ssl_certificate *ca_cert;
+    char *trust_server_cert;  /* User config file, system config file */
+    ne_ssl_certificate *server_cert;
    char *secrets;            /* User config file */
    char *username;           /* User secrets file, system secrets file */
    char *cl_username;        /* Command line */
--- a/src/webdav.c
+++ b/src/webdav.c
@ -179,6 +179,9 @@ static char *password;
 static char *p_username;
 static char *p_password;

+/* If this is not NULL the server must present exactly this certificate. */
+static ne_ssl_certificate *server_cert;
+
 /* Whether to send expect 100-continue header in PUT requests. */
 static int use_expect100;

@ -321,7 +324,7 @@ update_cookie(ne_request *req, void *userdata, const ne_status *status);
 /*==================*/

 void
-dav_init_webdav(const dav_args *args)
+dav_init_webdav(dav_args *args)
 {
    if (args->neon_debug & ~NE_DBG_HTTPPLAIN)
        syslog(LOG_MAKEPRI(LOG_DAEMON, LOG_DEBUG), "Initializing webdav");
@ -408,11 +411,16 @@ dav_init_webdav(const dav_args *args)
    if (strcmp(args->scheme, "https") == 0) {
        if (!ne_has_support(NE_FEATURE_SSL))
            error(EXIT_FAILURE, 0, _("neon library does not support TLS/SSL"));
-        ne_ssl_set_verify(session, ssl_verify, NULL);
-        ne_ssl_trust_default_ca(session);

-        if (args->ca_cert)
-            ne_ssl_trust_cert(session, args->ca_cert);
+        ne_ssl_set_verify(session, ssl_verify, NULL);
+        if (args->server_cert) {
+            server_cert = args->server_cert;
+            args->server_cert = NULL;
+        } else {
+            ne_ssl_trust_default_ca(session);
+            if (args->ca_cert)
+                ne_ssl_trust_cert(session, args->ca_cert);
+        }

        if (args->clicert) {
            uid_t orig = geteuid();
@ -1937,6 +1945,14 @@ quota_result(void *userdata, const ne_uri *uri, const ne_prop_result_set *set)
 static int
 ssl_verify(void *userdata, int failures, const ne_ssl_certificate *cert)
 {
+    if (server_cert) {
+        if (ne_ssl_cert_cmp(cert, server_cert) == 0)
+            return 0;
+        if (have_terminal)
+            error(0, 0, _("the server certificate is not trusted"));
+        return -1;
+    }
+
    char *issuer = ne_ssl_readable_dname(ne_ssl_cert_issuer(cert));
    char *subject = ne_ssl_readable_dname(ne_ssl_cert_subject(cert));
    char *digest = xcalloc(1, NE_SSL_DIGESTLEN);
--- a/src/webdav.h
+++ b/src/webdav.h
@ -55,7 +55,7 @@ struct dav_props {
   If an error occurs, the program is terminated.
   paramters: if not self explaining, please see mount_davfs.h, struct args. */
 void
-dav_init_webdav(const dav_args* args);
+dav_init_webdav(dav_args* args);


 /* Does an OPTIONS request to check the server capabilities. In case of