You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@subversion.apache.org by st...@apache.org on 2014/10/08 17:14:14 UTC
svn commit: r1630135 - /subversion/trunk/subversion/svnrdump/svnrdump.c
Author: stsp
Date: Wed Oct 8 15:14:13 2014
New Revision: 1630135
URL: http://svn.apache.org/r1630135
Log:
In svnrdump, deprecate the --trust-server-cert option and add the following
new options exposing all SSL failure modes the underlying API can handle:
--trust-unknown-ca : with --non-interactive, accept SSL server
certificates from unknown certificate authorities
--trust-cn-mismatch : with --non-interactive, accept SSL server
certificates even if the server hostname does not
match the certificate's common name attribute
--trust-expired : with --non-interactive, accept expired SSL server
certificates
--trust-not-yet-valid : with --non-interactive, accept SSL server
certificates from the future
--trust-other-failure : with --non-interactive, accept SSL server
certificates with failures other than the above
* subversion/svnrdump/svnrdump.c
(svn_svnrdump__longopt_t, svn_svnrdump__longopt_t): Add
opt_trust_server_cert_unknown_ca, opt_trust_server_cert_cn_mismatch,
opt_trust_server_cert_expired, opt_trust_server_cert_not_yet_valid,
and opt_trust_server_cert_other_failure.
(svnrdump__options): Add and document the new options.
(init_client_context): Accept new parameters corresponding to the new
options and use svn_cmdline_create_auth_baton2().
(sub_main): Handle new options.
Modified:
subversion/trunk/subversion/svnrdump/svnrdump.c
Modified: subversion/trunk/subversion/svnrdump/svnrdump.c
URL: http://svn.apache.org/viewvc/subversion/trunk/subversion/svnrdump/svnrdump.c?rev=1630135&r1=1630134&r2=1630135&view=diff
==============================================================================
--- subversion/trunk/subversion/svnrdump/svnrdump.c (original)
+++ subversion/trunk/subversion/svnrdump/svnrdump.c Wed Oct 8 15:14:13 2014
@@ -84,6 +84,11 @@ enum svn_svnrdump__longopt_t
opt_force_interactive,
opt_incremental,
opt_trust_server_cert,
+ opt_trust_server_cert_unknown_ca,
+ opt_trust_server_cert_cn_mismatch,
+ opt_trust_server_cert_expired,
+ opt_trust_server_cert_not_yet_valid,
+ opt_trust_server_cert_other_failure,
opt_version
};
@@ -93,6 +98,11 @@ enum svn_svnrdump__longopt_t
opt_auth_password, \
opt_auth_nocache, \
opt_trust_server_cert, \
+ opt_trust_server_cert_unknown_ca, \
+ opt_trust_server_cert_cn_mismatch, \
+ opt_trust_server_cert_expired, \
+ opt_trust_server_cert_not_yet_valid, \
+ opt_trust_server_cert_other_failure, \
opt_non_interactive, \
opt_force_interactive
@@ -154,11 +164,29 @@ static const apr_getopt_option_t svnrdum
" "
" servers:global:http-library=serf")},
{"trust-server-cert", opt_trust_server_cert, 0,
- N_("accept SSL server certificates from unknown\n"
+ N_("deprecated; same as --trust-unknown-ca")},
+ {"trust-unknown-ca", opt_trust_server_cert_unknown_ca, 0,
+ N_("with --non-interactive, accept SSL server\n"
" "
- "certificate authorities without prompting (but only\n"
+ "certificates from unknown certificate authorities")},
+ {"trust-cn-mismatch", opt_trust_server_cert_cn_mismatch, 0,
+ N_("with --non-interactive, accept SSL server\n"
" "
- "with '--non-interactive')") },
+ "certificates even if the server hostname does not\n"
+ " "
+ "match the certificate's common name attribute")},
+ {"trust-expired", opt_trust_server_cert_expired, 0,
+ N_("with --non-interactive, accept expired SSL server\n"
+ " "
+ "certificates")},
+ {"trust-not-yet-valid", opt_trust_server_cert_not_yet_valid, 0,
+ N_("with --non-interactive, accept SSL server\n"
+ " "
+ "certificates from the future")},
+ {"trust-other-failure", opt_trust_server_cert_other_failure, 0,
+ N_("with --non-interactive, accept SSL server\n"
+ " "
+ "certificates with failures other than the above")},
{0, 0, 0, 0}
};
@@ -352,7 +380,11 @@ init_client_context(svn_client_ctx_t **c
const char *config_dir,
const char *repos_url,
svn_boolean_t no_auth_cache,
- svn_boolean_t trust_server_cert,
+ svn_boolean_t trust_unknown_ca,
+ svn_boolean_t trust_cn_mismatch,
+ svn_boolean_t trust_expired,
+ svn_boolean_t trust_not_yet_valid,
+ svn_boolean_t trust_other_failure,
apr_array_header_t *config_options,
apr_pool_t *pool)
{
@@ -416,11 +448,14 @@ init_client_context(svn_client_ctx_t **c
ctx->cancel_func = check_cancel;
/* Default authentication providers for non-interactive use */
- SVN_ERR(svn_cmdline_create_auth_baton(&(ctx->auth_baton), non_interactive,
- username, password, config_dir,
- no_auth_cache, trust_server_cert,
- cfg_config, ctx->cancel_func,
- ctx->cancel_baton, pool));
+ SVN_ERR(svn_cmdline_create_auth_baton2(&(ctx->auth_baton), non_interactive,
+ username, password, config_dir,
+ no_auth_cache, trust_unknown_ca,
+ trust_cn_mismatch, trust_expired,
+ trust_not_yet_valid,
+ trust_other_failure,
+ cfg_config, ctx->cancel_func,
+ ctx->cancel_baton, pool));
*ctx_p = ctx;
return SVN_NO_ERROR;
}
@@ -837,7 +872,11 @@ sub_main(int *exit_code, int argc, const
const char *username = NULL;
const char *password = NULL;
svn_boolean_t no_auth_cache = FALSE;
- svn_boolean_t trust_server_cert = FALSE;
+ svn_boolean_t trust_unknown_ca = FALSE;
+ svn_boolean_t trust_cn_mismatch = FALSE;
+ svn_boolean_t trust_expired = FALSE;
+ svn_boolean_t trust_not_yet_valid = FALSE;
+ svn_boolean_t trust_other_failure = FALSE;
svn_boolean_t non_interactive = FALSE;
svn_boolean_t force_interactive = FALSE;
apr_array_header_t *config_options = NULL;
@@ -959,8 +998,21 @@ sub_main(int *exit_code, int argc, const
SVN_ERR(svn_utf_cstring_to_utf8(&opt_arg, opt_arg, pool));
svn_hash_sets(opt_baton->skip_revprops, opt_arg, opt_arg);
break;
- case opt_trust_server_cert:
- trust_server_cert = TRUE;
+ case opt_trust_server_cert: /* backward compat */
+ case opt_trust_server_cert_unknown_ca:
+ trust_unknown_ca = TRUE;
+ break;
+ case opt_trust_server_cert_cn_mismatch:
+ trust_cn_mismatch = TRUE;
+ break;
+ case opt_trust_server_cert_expired:
+ trust_expired = TRUE;
+ break;
+ case opt_trust_server_cert_not_yet_valid:
+ trust_not_yet_valid = TRUE;
+ break;
+ case opt_trust_server_cert_other_failure:
+ trust_other_failure = TRUE;
break;
case opt_config_option:
if (!config_options)
@@ -1076,12 +1128,29 @@ sub_main(int *exit_code, int argc, const
return SVN_NO_ERROR;
}
- /* --trust-server-cert can only be used with --non-interactive */
- if (trust_server_cert && !non_interactive)
+ /* --trust-* can only be used with --non-interactive */
+ if (!non_interactive)
{
+ if (trust_unknown_ca)
return svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
- _("--trust-server-cert requires "
+ _("--trust-unknown-ca requires "
"--non-interactive"));
+ if (trust_cn_mismatch)
+ return svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
+ _("--trust-cn-mismatch requires "
+ "--non-interactive"));
+ if (trust_expired)
+ return svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
+ _("--trust-expired requires "
+ "--non-interactive"));
+ if (trust_not_yet_valid)
+ return svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
+ _("--trust-not-yet-valid requires "
+ "--non-interactive"));
+ if (trust_other_failure)
+ return svn_error_create(SVN_ERR_CL_ARG_PARSING_ERROR, NULL,
+ _("--trust-other-failure requires "
+ "--non-interactive"));
}
/* Expect one more non-option argument: the repository URL. */
@@ -1128,7 +1197,11 @@ sub_main(int *exit_code, int argc, const
config_dir,
opt_baton->url,
no_auth_cache,
- trust_server_cert,
+ trust_unknown_ca,
+ trust_cn_mismatch,
+ trust_expired,
+ trust_not_yet_valid,
+ trust_other_failure,
config_options,
pool));