/* retrieve ssl server CA failure overrides (if any) from servers config */ static svn_error_t * ssl_server_trust_file_first_credentials(void **credentials, void **iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool) { apr_uint32_t *failures = svn_hash_gets(parameters, SVN_AUTH_PARAM_SSL_SERVER_FAILURES); const svn_auth_ssl_server_cert_info_t *cert_info = svn_hash_gets(parameters, SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO); apr_hash_t *creds_hash = NULL; const char *config_dir; svn_error_t *error = SVN_NO_ERROR; *credentials = NULL; *iter_baton = NULL; /* Check if this is a permanently accepted certificate */ config_dir = svn_hash_gets(parameters, SVN_AUTH_PARAM_CONFIG_DIR); error = svn_config_read_auth_data(&creds_hash, SVN_AUTH_CRED_SSL_SERVER_TRUST, realmstring, config_dir, pool); svn_error_clear(error); if (! error && creds_hash) { svn_string_t *trusted_cert, *this_cert, *failstr; apr_uint32_t last_failures = 0; trusted_cert = svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_ASCII_CERT_KEY); this_cert = svn_string_create(cert_info->ascii_cert, pool); failstr = svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_FAILURES_KEY); if (failstr) SVN_ERR(svn_cstring_atoui(&last_failures, failstr->data)); /* If the cert is trusted and there are no new failures, we * accept it by clearing all failures. */ if (trusted_cert && svn_string_compare(this_cert, trusted_cert) && (*failures & ~last_failures) == 0) { *failures = 0; } } /* If all failures are cleared now, we return the creds */ if (! *failures) { svn_auth_cred_ssl_server_trust_t *creds = apr_pcalloc(pool, sizeof(*creds)); creds->may_save = FALSE; /* No need to save it again... */ *credentials = creds; } return SVN_NO_ERROR; }
svn_error_t * svn_auth__ssl_client_cert_pw_file_first_creds_helper (void **credentials_p, void **iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, svn_auth__password_get_t passphrase_get, const char *passtype, apr_pool_t *pool) { svn_config_t *cfg = apr_hash_get(parameters, SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS, APR_HASH_KEY_STRING); const char *server_group = apr_hash_get(parameters, SVN_AUTH_PARAM_SERVER_GROUP, APR_HASH_KEY_STRING); svn_boolean_t non_interactive = apr_hash_get(parameters, SVN_AUTH_PARAM_NON_INTERACTIVE, APR_HASH_KEY_STRING) != NULL; const char *password = svn_config_get_server_setting(cfg, server_group, SVN_CONFIG_OPTION_SSL_CLIENT_CERT_PASSWORD, NULL); if (! password) { svn_error_t *err; apr_hash_t *creds_hash = NULL; const char *config_dir = apr_hash_get(parameters, SVN_AUTH_PARAM_CONFIG_DIR, APR_HASH_KEY_STRING); /* Try to load passphrase from the auth/ cache. */ err = svn_config_read_auth_data(&creds_hash, SVN_AUTH_CRED_SSL_CLIENT_CERT_PW, realmstring, config_dir, pool); svn_error_clear(err); if (! err && creds_hash) { if (!passphrase_get(&password, creds_hash, realmstring, NULL, parameters, non_interactive, pool)) password = NULL; } } if (password) { svn_auth_cred_ssl_client_cert_pw_t *cred = apr_palloc(pool, sizeof(*cred)); cred->password = password; cred->may_save = FALSE; *credentials_p = cred; } else *credentials_p = NULL; *iter_baton = NULL; return SVN_NO_ERROR; }
/*** Helper Functions ***/ static svn_error_t * prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, simple_prompt_provider_baton_t *pb, apr_hash_t *parameters, const char *realmstring, svn_boolean_t first_time, svn_boolean_t may_save, apr_pool_t *pool) { const char *def_username = NULL, *def_password = NULL; *cred_p = NULL; /* If we're allowed to check for default usernames and passwords, do so. */ if (first_time) { def_username = apr_hash_get(parameters, SVN_AUTH_PARAM_DEFAULT_USERNAME, APR_HASH_KEY_STRING); /* No default username? Try the auth cache. */ if (! def_username) { const char *config_dir = apr_hash_get(parameters, SVN_AUTH_PARAM_CONFIG_DIR, APR_HASH_KEY_STRING); apr_hash_t *creds_hash = NULL; svn_string_t *str; svn_error_t *err; err = svn_config_read_auth_data(&creds_hash, SVN_AUTH_CRED_SIMPLE, realmstring, config_dir, pool); svn_error_clear(err); if (! err && creds_hash) { str = apr_hash_get(creds_hash, SVN_AUTH__AUTHFILE_USERNAME_KEY, APR_HASH_KEY_STRING); if (str && str->data) def_username = str->data; } } #if 0 /* Still no default username? Try the UID. */ if (! def_username) def_username = svn_user_get_name(pool); #endif def_password = apr_hash_get(parameters, SVN_AUTH_PARAM_DEFAULT_PASSWORD, APR_HASH_KEY_STRING); } /* If we have defaults, just build the cred here and return it. * * ### I do wonder why this is here instead of in a separate * ### 'defaults' provider that would run before the prompt * ### provider... Hmmm. */ if (def_username && def_password) { *cred_p = apr_palloc(pool, sizeof(**cred_p)); (*cred_p)->username = apr_pstrdup(pool, def_username); (*cred_p)->password = apr_pstrdup(pool, def_password); (*cred_p)->may_save = TRUE; } else { SVN_ERR(pb->prompt_func(cred_p, pb->prompt_baton, realmstring, def_username, may_save, pool)); } return SVN_NO_ERROR; }