diff --git a/nmap-update/nmap-update.c b/nmap-update/nmap-update.c index d3606c343..1380f0e76 100644 --- a/nmap-update/nmap-update.c +++ b/nmap-update/nmap-update.c @@ -880,13 +880,12 @@ static svn_error_t *checkout_svn(const char *url, const char *path) APR_HASH_KEY_STRING); svn_config_set_bool(cfg, SVN_CONFIG_SECTION_GLOBAL, SVN_CONFIG_OPTION_SSL_TRUST_DEFAULT_CA, TRUE); - nmap_update_svn_cmdline_create_auth_baton(&ctx->auth_baton, + nmap_update_svn_cmdline_setup_auth_baton(&ctx->auth_baton, FALSE, /* non_interactive */ options.username, /* username */ options.password, /* password */ NULL, /* config_dir */ FALSE, /* no_auth_cache */ - FALSE, cfg, /* cfg */ NULL, /* cancel_func */ NULL, /* cancel_baton */ diff --git a/nmap-update/svn_auth.c b/nmap-update/svn_auth.c index 4d674a89b..b61905df1 100644 --- a/nmap-update/svn_auth.c +++ b/nmap-update/svn_auth.c @@ -1,6 +1,6 @@ /* The functions in this file have been copied from - subversion-1.6.17/subversion/libsvn_subr/cmdline.c - subversion-1.6.17/subversion/libsvn_subr/simple_providers.c + subversion-1.5.x/subversion/libsvn_subr/cmdline.c + subversion-1.5.x/subversion/libsvn_subr/simple_providers.c The point of copying these functions is to disable automatic username guessing based on UID, and always prompt for a username unless it is already defined in the auth cache or in a configuration file. libsvn_cmdline doesn't 
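Review bot: The `svn_error_t *` returned by `nmap_update_svn_cmdline_setup_auth_baton` appears to be discarded at this call in `checkout_svn`, because the statement starts directly after `svn_config_set_bool(...)` with no assignment or `SVN_ERR` wrapper. The callee runs its `svn_config_get_bool` lookups after `svn_auth_open`, so a failure there returns early with the baton already opened and the `SVN_AUTH_PARAM_DONT_STORE_PASSWORDS` / `SVN_AUTH_PARAM_NO_AUTH_CACHE` parameters never applied, and the error object is leaked. Since `checkout_svn` itself returns `svn_error_t *`, wrapping the call as `SVN_ERR(nmap_update_svn_cmdline_setup_auth_baton(&ctx->auth_baton, ...));` would propagate it. The closing arguments of the call lie outside the hunk, so confirm nothing there already handles the result.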
@@ -9,12 +9,10 @@ minimum amount of code to disable username guessing. These changes have been made (set off with #if 0): - * Made trust_server_cert always false in svn_cmdline_create_auth_baton. (This - is only to avoid having to also copy in ssl_trust_unknown_server_cert.) * Disabled username guessing in prompt_for_simple_creds. * Made svn_auth_get_simple_prompt_provider have static scope. * Put an "nmap_update_" prefix on svn_auth_get_simple_prompt_provider and - svn_cmdline_create_auth_baton. */ + svn_cmdline_setup_auth_baton. */ /* * ==================================================================== @@ -52,11 +50,24 @@ #include #endif -/* The keys that will be stored on disk. These serve the same role as - similar constants in other providers. */ -#define AUTHN_USERNAME_KEY "username" -#define AUTHN_PASSWORD_KEY "password" -#define AUTHN_PASSTYPE_KEY "passtype" + +/*-----------------------------------------------------------------------*/ +/* File provider */ +/*-----------------------------------------------------------------------*/ + +/* The keys that will be stored on disk */ +#define SVN_AUTH__AUTHFILE_USERNAME_KEY "username" +#define SVN_AUTH__AUTHFILE_PASSWORD_KEY "password" +#define SVN_AUTH__AUTHFILE_PASSTYPE_KEY "passtype" + +#define SVN_AUTH__SIMPLE_PASSWORD_TYPE "simple" +#define SVN_AUTH__WINCRYPT_PASSWORD_TYPE "wincrypt" +#define SVN_AUTH__KEYCHAIN_PASSWORD_TYPE "keychain" + + +/*-----------------------------------------------------------------------*/ +/* Prompt provider */ +/*-----------------------------------------------------------------------*/ /* Baton type for username/password prompting. */ typedef struct @@ -76,6 +87,7 @@ typedef struct int retries; } simple_prompt_iter_baton_t; + /*** Helper Functions ***/ static svn_error_t * prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, 
@@ -86,8 +98,7 @@ prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, svn_boolean_t may_save, apr_pool_t *pool) { - const char *default_username = NULL; - const char *default_password = NULL; + const char *def_username = NULL, *def_password = NULL; *cred_p = NULL; @@ -95,12 +106,12 @@ prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, so. */ if (first_time) { - default_username = apr_hash_get(parameters, - SVN_AUTH_PARAM_DEFAULT_USERNAME, - APR_HASH_KEY_STRING); + def_username = apr_hash_get(parameters, + SVN_AUTH_PARAM_DEFAULT_USERNAME, + APR_HASH_KEY_STRING); /* No default username? Try the auth cache. */ - if (! default_username) + if (! def_username) { const char *config_dir = apr_hash_get(parameters, SVN_AUTH_PARAM_CONFIG_DIR, 
@@ -114,37 +125,23 @@ prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, svn_error_clear(err); if (! err && creds_hash) { - str = apr_hash_get(creds_hash, AUTHN_USERNAME_KEY, + str = apr_hash_get(creds_hash, + SVN_AUTH__AUTHFILE_USERNAME_KEY, APR_HASH_KEY_STRING); if (str && str->data) - default_username = str->data; + def_username = str->data; } } - /* Still no default username? Try the 'servers' file. */ - if (! default_username) - { - svn_config_t *cfg = apr_hash_get(parameters, - SVN_AUTH_PARAM_CONFIG_CATEGORY_SERVERS, - APR_HASH_KEY_STRING); - const char *server_group = apr_hash_get(parameters, - SVN_AUTH_PARAM_SERVER_GROUP, - APR_HASH_KEY_STRING); - default_username = - svn_config_get_server_setting(cfg, server_group, - SVN_CONFIG_OPTION_USERNAME, - NULL); - } - #if 0 /* Still no default username? Try the UID. */ - if (! default_username) - default_username = svn_user_get_name(pool); + if (! def_username) + def_username = svn_user_get_name(pool); #endif - default_password = apr_hash_get(parameters, - SVN_AUTH_PARAM_DEFAULT_PASSWORD, - APR_HASH_KEY_STRING); + def_password = apr_hash_get(parameters, + SVN_AUTH_PARAM_DEFAULT_PASSWORD, + APR_HASH_KEY_STRING); } /* If we have defaults, just build the cred here and return it. @@ -153,17 +150,17 @@ prompt_for_simple_creds(svn_auth_cred_simple_t **cred_p, * ### 'defaults' provider that would run before the prompt * ### provider... Hmmm. */ - if (default_username && default_password) + if (def_username && def_password) { *cred_p = apr_palloc(pool, sizeof(**cred_p)); - (*cred_p)->username = apr_pstrdup(pool, default_username); - (*cred_p)->password = apr_pstrdup(pool, default_password); + (*cred_p)->username = apr_pstrdup(pool, def_username); + (*cred_p)->password = apr_pstrdup(pool, def_password); (*cred_p)->may_save = TRUE; } else { SVN_ERR(pb->prompt_func(cred_p, pb->prompt_baton, realmstring, - default_username, may_save, pool)); + def_username, may_save, pool)); } return SVN_NO_ERROR; 
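Review bot: With the 'servers' file fallback removed from `prompt_for_simple_creds`, the only username sources left in this function are `SVN_AUTH_PARAM_DEFAULT_USERNAME` and the auth cache. The header comment at the top of svn_auth.c still says no prompt is issued when the username is "defined in the auth cache or in a configuration file". Either update that header, or add a comment where the block was removed, e.g. `/* The 'servers' file is not consulted for a default username (1.5.x behaviour). */`. Whether another provider still reads the config-file username is not visible here, so the wording should be checked against the provider list. The function body starts before this hunk and continues after it.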
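Review bot: In the defaults branch of the `@@ -153,17 +150,17 @@` hunk the credential is marked `(*cred_p)->may_save = TRUE;` regardless of the `may_save` argument that `prompt_for_simple_creds` receives. A password taken from `SVN_AUTH_PARAM_DEFAULT_PASSWORD` is therefore flagged as cacheable even when the caller passed FALSE. Using `(*cred_p)->may_save = may_save;` would make this branch honour the same policy as the prompt branch below it. Whether the flag alone leads to a write to disk depends on the providers' save path, which is not visible in this diff, so treat the impact as unconfirmed. The function starts outside this hunk.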
@@ -213,7 +210,7 @@ simple_prompt_next_creds(void **credentials_p, SVN_AUTH_PARAM_NO_AUTH_CACHE, APR_HASH_KEY_STRING); - if ((pb->retry_limit >= 0) && (ib->retries >= pb->retry_limit)) + if (ib->retries >= pb->retry_limit) { /* give up, go on to next provider. */ *credentials_p = NULL; @@ -221,9 +218,11 @@ simple_prompt_next_creds(void **credentials_p, } ib->retries++; - return prompt_for_simple_creds((svn_auth_cred_simple_t **) credentials_p, - pb, parameters, realmstring, FALSE, - ! no_auth_cache, pool); + SVN_ERR(prompt_for_simple_creds((svn_auth_cred_simple_t **) credentials_p, + pb, parameters, realmstring, FALSE, + ! no_auth_cache, pool)); + + return SVN_NO_ERROR; } 
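Review bot: Dropping the `pb->retry_limit >= 0` guard changes what a negative `retry_limit` means. The old test skipped the limit for negative values, whereas the new `if (ib->retries >= pb->retry_limit)` is already true on the first call (assuming `retry_limit` is a signed int like `retries`) and gives up immediately. The prompt providers registered in this file pass 2, so nothing visible breaks, but the contract should be written down with a comment above the test such as `/* retry_limit must be >= 0; a negative value disables re-prompting. */`, or the guard should stay. `simple_prompt_next_creds` begins before this hunk.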
@@ -257,88 +256,63 @@ nmap_update_svn_auth_get_simple_prompt_provider } svn_error_t * -nmap_update_svn_cmdline_create_auth_baton(svn_auth_baton_t **ab, - svn_boolean_t non_interactive, - const char *auth_username, - const char *auth_password, - const char *config_dir, - svn_boolean_t no_auth_cache, - svn_boolean_t trust_server_cert, - svn_config_t *cfg, - svn_cancel_func_t cancel_func, - void *cancel_baton, - apr_pool_t *pool) +nmap_update_svn_cmdline_setup_auth_baton(svn_auth_baton_t **ab, + svn_boolean_t non_interactive, + const char *auth_username, + const char *auth_password, + const char *config_dir, + svn_boolean_t no_auth_cache, + svn_config_t *cfg, + svn_cancel_func_t cancel_func, + void *cancel_baton, + apr_pool_t *pool) { svn_boolean_t store_password_val = TRUE; - svn_boolean_t store_auth_creds_val = TRUE; svn_auth_provider_object_t *provider; - svn_cmdline_prompt_baton2_t *pb = NULL; /* The whole list of registered providers */ - apr_array_header_t *providers; - - /* Populate the registered providers with the platform-specific providers */ - SVN_ERR(svn_auth_get_platform_specific_client_providers - (&providers, cfg, pool)); - - /* If we have a cancellation function, cram it and the stuff it - needs into the prompt baton. */ - if (cancel_func) - { - pb = apr_palloc(pool, sizeof(*pb)); - pb->cancel_func = cancel_func; - pb->cancel_baton = cancel_baton; - pb->config_dir = config_dir; - } - - if (non_interactive == FALSE) - { - /* This provider doesn't prompt the user in order to get creds; - it prompts the user regarding the caching of creds. */ - svn_auth_get_simple_provider2(&provider, - svn_cmdline_auth_plaintext_prompt, - pb, pool); - } - else - { - svn_auth_get_simple_provider2(&provider, NULL, NULL, pool); - } + apr_array_header_t *providers + = apr_array_make(pool, 12, sizeof(svn_auth_provider_object_t *)); + /* The main disk-caching auth providers, for both + 'username/password' creds and 'username' creds. 
*/ +#if defined(WIN32) && !defined(__MINGW32__) + svn_auth_get_windows_simple_provider(&provider, pool); + APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; +#endif +#ifdef SVN_HAVE_KEYCHAIN_SERVICES + svn_auth_get_keychain_simple_provider(&provider, pool); + APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; +#endif + svn_auth_get_simple_provider(&provider, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; svn_auth_get_username_provider(&provider, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; /* The server-cert, client-cert, and client-cert-password providers. */ - SVN_ERR(svn_auth_get_platform_specific_provider(&provider, - "windows", - "ssl_server_trust", - pool)); - - if (provider) - APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; - +#if defined(WIN32) && !defined(__MINGW32__) + svn_auth_get_windows_ssl_server_trust_provider(&provider, pool); + APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; +#endif svn_auth_get_ssl_server_trust_file_provider(&provider, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; svn_auth_get_ssl_client_cert_file_provider(&provider, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; - - if (non_interactive == FALSE) - { - /* This provider doesn't prompt the user in order to get creds; - it prompts the user regarding the caching of creds. 
*/ - svn_auth_get_ssl_client_cert_pw_file_provider2 - (&provider, svn_cmdline_auth_plaintext_passphrase_prompt, - pb, pool); - } - else - { - svn_auth_get_ssl_client_cert_pw_file_provider2(&provider, NULL, NULL, - pool); - } + svn_auth_get_ssl_client_cert_pw_file_provider(&provider, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; if (non_interactive == FALSE) { + svn_cmdline_prompt_baton_t *pb = NULL; + + if (cancel_func) + { + pb = apr_palloc(pool, sizeof(*pb)); + + pb->cancel_func = cancel_func; + pb->cancel_baton = cancel_baton; + } + /* Two basic prompt providers: username/password, and just username. */ nmap_update_svn_auth_get_simple_prompt_provider(&provider, svn_cmdline_auth_simple_prompt, @@ -366,15 +340,6 @@ nmap_update_svn_cmdline_create_auth_baton(svn_auth_baton_t **ab, (&provider, svn_cmdline_auth_ssl_client_cert_pw_prompt, pb, 2, pool); APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; } -#if 0 - else if (trust_server_cert) - { - /* Remember, only register this provider if non_interactive. */ - svn_auth_get_ssl_server_trust_prompt_provider - (&provider, ssl_trust_unknown_server_cert, NULL, pool); - APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider; - } -#endif /* Build an authentication baton to give to libsvn_client. */ svn_auth_open(ab, providers, pool); 
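Review bot: Switching to `svn_auth_get_simple_provider(&provider, pool)` and `svn_auth_get_ssl_client_cert_pw_file_provider(&provider, pool)` in the `@@ -257,88 +256,63 @@` hunk removes the `svn_cmdline_auth_plaintext_prompt` and `svn_cmdline_auth_plaintext_passphrase_prompt` callbacks. The deleted comment described these as prompting the user "regarding the caching of creds", so the disk-caching providers now store credentials without that confirmation. The `checkout_svn` call site passes FALSE for `no_auth_cache`, which means a password supplied through `options.password` or typed at the prompt can be cached, presumably unencrypted on platforms without the Windows or Keychain providers (confirm against the 1.5.x file provider). If only the username needs to be remembered, set `svn_auth_set_parameter(*ab, SVN_AUTH_PARAM_DONT_STORE_PASSWORDS, "");` unconditionally after `svn_auth_open`; otherwise add a comment at the provider registration stating that password caching without confirmation is intended.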
@@ -396,34 +361,24 @@ nmap_update_svn_cmdline_create_auth_baton(svn_auth_baton_t **ab, svn_auth_set_parameter(*ab, SVN_AUTH_PARAM_CONFIG_DIR, config_dir); - /* Determine whether storing passwords in any form is allowed. - * This is the deprecated location for this option, the new - * location is SVN_CONFIG_CATEGORY_SERVERS. The RA layer may - * override the value we set here. */ SVN_ERR(svn_config_get_bool(cfg, &store_password_val, SVN_CONFIG_SECTION_AUTH, SVN_CONFIG_OPTION_STORE_PASSWORDS, - SVN_CONFIG_DEFAULT_OPTION_STORE_PASSWORDS)); + TRUE)); if (! store_password_val) svn_auth_set_parameter(*ab, SVN_AUTH_PARAM_DONT_STORE_PASSWORDS, ""); - /* Determine whether we are allowed to write to the auth/ area. - * This is the deprecated location for this option, the new - * location is SVN_CONFIG_CATEGORY_SERVERS. The RA layer may - * override the value we set here. */ - SVN_ERR(svn_config_get_bool(cfg, &store_auth_creds_val, + /* There are two different ways the user can disable disk caching + of credentials: either via --no-auth-cache, or in the config + file ('store-auth-creds = no'). */ + SVN_ERR(svn_config_get_bool(cfg, &store_password_val, SVN_CONFIG_SECTION_AUTH, SVN_CONFIG_OPTION_STORE_AUTH_CREDS, - SVN_CONFIG_DEFAULT_OPTION_STORE_AUTH_CREDS)); + TRUE)); - if (no_auth_cache || ! store_auth_creds_val) + if (no_auth_cache || ! store_password_val) svn_auth_set_parameter(*ab, SVN_AUTH_PARAM_NO_AUTH_CACHE, ""); -#ifdef SVN_HAVE_GNOME_KEYRING - svn_auth_set_parameter(*ab, SVN_AUTH_PARAM_GNOME_KEYRING_UNLOCK_PROMPT_FUNC, - &svn_cmdline__auth_gnome_keyring_unlock_prompt); -#endif /* SVN_HAVE_GNOME_KEYRING */ - return SVN_NO_ERROR; }
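Review bot: `store_password_val` now receives both the `SVN_CONFIG_OPTION_STORE_PASSWORDS` and the `SVN_CONFIG_OPTION_STORE_AUTH_CREDS` settings. This is correct only because the `if (! store_password_val)` test runs before the second `svn_config_get_bool` overwrites the variable, and the name no longer describes what `if (no_auth_cache || ! store_password_val)` checks. Keeping the separate `svn_boolean_t store_auth_creds_val = TRUE;` (its declaration is removed in the earlier hunk of this function) and testing `if (no_auth_cache || ! store_auth_creds_val)` keeps the two policies from being conflated by a later reordering. The literal `TRUE` defaults leave both kinds of caching enabled unless the config disables them, and the removed comment on the store-passwords lookup is not replaced; a short comment such as `/* Default: passwords are stored unless 'store-passwords = no'. */` would restore that.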