svn_auth_private.h revision 289180
1/** 2 * @copyright 3 * ==================================================================== 4 * Licensed to the Apache Software Foundation (ASF) under one 5 * or more contributor license agreements. See the NOTICE file 6 * distributed with this work for additional information 7 * regarding copyright ownership. The ASF licenses this file 8 * to you under the Apache License, Version 2.0 (the 9 * "License"); you may not use this file except in compliance 10 * with the License. You may obtain a copy of the License at 11 * 12 * http://www.apache.org/licenses/LICENSE-2.0 13 * 14 * Unless required by applicable law or agreed to in writing, 15 * software distributed under the License is distributed on an 16 * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY 17 * KIND, either express or implied. See the License for the 18 * specific language governing permissions and limitations 19 * under the License. 20 * ==================================================================== 21 * @endcopyright 22 * 23 * @file svn_auth_private.h 24 * @brief Subversion's authentication system - Internal routines 25 */ 26 27#ifndef SVN_AUTH_PRIVATE_H 28#define SVN_AUTH_PRIVATE_H 29 30#include <apr_pools.h> 31#include <apr_hash.h> 32 33#include "svn_types.h" 34#include "svn_error.h" 35 36#ifdef __cplusplus 37extern "C" { 38#endif /* __cplusplus */ 39 40/** SSL server authority verification credential type. 41 * 42 * The followin auth parameters are available to the providers: 43 * 44 * - @c SVN_AUTH_PARAM_SSL_SERVER_FAILURES (@c apr_uint32_t*) 45 * - @c SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO 46 * (@c svn_auth_ssl_server_cert_info_t*) 47 * 48 * The following optional auth parameters are relevant to the providers: 49 * 50 * - @c SVN_AUTH_PARAM_NO_AUTH_CACHE (@c void*) 51 * 52 * @since New in 1.9. 53 */ 54#define SVN_AUTH_CRED_SSL_SERVER_AUTHORITY "svn.ssl.server.authority" 55 56 57 58/* If you add a password type for a provider which stores 59 * passwords on disk in encrypted form, remember to update 60 * svn_auth__simple_save_creds_helper. Otherwise it will be 61 * assumed that your provider stores passwords in plaintext. */ 62#define SVN_AUTH__SIMPLE_PASSWORD_TYPE "simple" 63#define SVN_AUTH__WINCRYPT_PASSWORD_TYPE "wincrypt" 64#define SVN_AUTH__KEYCHAIN_PASSWORD_TYPE "keychain" 65#define SVN_AUTH__KWALLET_PASSWORD_TYPE "kwallet" 66#define SVN_AUTH__GNOME_KEYRING_PASSWORD_TYPE "gnome-keyring" 67#define SVN_AUTH__GPG_AGENT_PASSWORD_TYPE "gpg-agent" 68 69/* A function that stores in *PASSWORD (potentially after decrypting it) 70 the user's password. It might be obtained directly from CREDS, or 71 from an external store, using REALMSTRING and USERNAME as keys. 72 (The behavior is undefined if REALMSTRING or USERNAME are NULL.) 73 If NON_INTERACTIVE is set, the user must not be involved in the 74 retrieval process. Set *DONE to TRUE if a password was stored 75 in *PASSWORD, to FALSE otherwise. POOL is used for any necessary 76 allocation. */ 77typedef svn_error_t * (*svn_auth__password_get_t) 78 (svn_boolean_t *done, 79 const char **password, 80 apr_hash_t *creds, 81 const char *realmstring, 82 const char *username, 83 apr_hash_t *parameters, 84 svn_boolean_t non_interactive, 85 apr_pool_t *pool); 86 87/* A function that stores PASSWORD (or some encrypted version thereof) 88 either directly in CREDS, or externally using REALMSTRING and USERNAME 89 as keys into the external store. If NON_INTERACTIVE is set, the user 90 must not be involved in the storage process. Set *DONE to TRUE if the 91 password was store, to FALSE otherwise. POOL is used for any necessary 92 allocation. */ 93typedef svn_error_t * (*svn_auth__password_set_t) 94 (svn_boolean_t *done, 95 apr_hash_t *creds, 96 const char *realmstring, 97 const char *username, 98 const char *password, 99 apr_hash_t *parameters, 100 svn_boolean_t non_interactive, 101 apr_pool_t *pool); 102 103/* Use PARAMETERS and REALMSTRING to set *CREDENTIALS to a set of 104 pre-cached authentication credentials pulled from the simple 105 credential cache store identified by PASSTYPE. PASSWORD_GET is 106 used to obtain the password value. Allocate *CREDENTIALS from 107 POOL. 108 109 NOTE: This function is a common implementation of code used by 110 several of the simple credential providers (the default disk cache 111 mechanism, Windows CryptoAPI, GNOME Keyring, etc.), typically in 112 their "first_creds" implementation. */ 113svn_error_t * 114svn_auth__simple_creds_cache_get(void **credentials, 115 void **iter_baton, 116 void *provider_baton, 117 apr_hash_t *parameters, 118 const char *realmstring, 119 svn_auth__password_get_t password_get, 120 const char *passtype, 121 apr_pool_t *pool); 122 123/* Use PARAMETERS and REALMSTRING to save CREDENTIALS in the simple 124 credential cache store identified by PASSTYPE. PASSWORD_SET is 125 used to do the actual storage. Use POOL for necessary allocations. 126 Set *SAVED according to whether or not the credentials were 127 successfully stored. 128 129 NOTE: This function is a common implementation of code used by 130 several of the simple credential providers (the default disk cache 131 mechanism, Windows CryptoAPI, GNOME Keyring, etc.) typically in 132 their "save_creds" implementation. */ 133svn_error_t * 134svn_auth__simple_creds_cache_set(svn_boolean_t *saved, 135 void *credentials, 136 void *provider_baton, 137 apr_hash_t *parameters, 138 const char *realmstring, 139 svn_auth__password_set_t password_set, 140 const char *passtype, 141 apr_pool_t *pool); 142 143/* Implementation of svn_auth__password_get_t that retrieves 144 the plaintext password from CREDS when USERNAME matches the stored 145 credentials. */ 146svn_error_t * 147svn_auth__simple_password_get(svn_boolean_t *done, 148 const char **password, 149 apr_hash_t *creds, 150 const char *realmstring, 151 const char *username, 152 apr_hash_t *parameters, 153 svn_boolean_t non_interactive, 154 apr_pool_t *pool); 155 156/* Implementation of svn_auth__password_set_t that stores 157 the plaintext password in CREDS. */ 158svn_error_t * 159svn_auth__simple_password_set(svn_boolean_t *done, 160 apr_hash_t *creds, 161 const char *realmstring, 162 const char *username, 163 const char *password, 164 apr_hash_t *parameters, 165 svn_boolean_t non_interactive, 166 apr_pool_t *pool); 167 168 169/* Use PARAMETERS and REALMSTRING to set *CREDENTIALS to a set of 170 pre-cached authentication credentials pulled from the SSL client 171 certificate passphrase credential cache store identified by 172 PASSTYPE. PASSPHRASE_GET is used to obtain the passphrase value. 173 Allocate *CREDENTIALS from POOL. 174 175 NOTE: This function is a common implementation of code used by 176 several of the ssl client passphrase credential providers (the 177 default disk cache mechanism, Windows CryptoAPI, GNOME Keyring, 178 etc.), typically in their "first_creds" implementation. */ 179svn_error_t * 180svn_auth__ssl_client_cert_pw_cache_get(void **credentials, 181 void **iter_baton, 182 void *provider_baton, 183 apr_hash_t *parameters, 184 const char *realmstring, 185 svn_auth__password_get_t passphrase_get, 186 const char *passtype, 187 apr_pool_t *pool); 188 189/* Use PARAMETERS and REALMSTRING to save CREDENTIALS in the SSL 190 client certificate passphrase credential cache store identified by 191 PASSTYPE. PASSPHRASE_SET is used to do the actual storage. Use 192 POOL for necessary allocations. Set *SAVED according to whether or 193 not the credentials were successfully stored. 194 195 NOTE: This function is a common implementation of code used by 196 several of the simple credential providers (the default disk cache 197 mechanism, Windows CryptoAPI, GNOME Keyring, etc.) typically in 198 their "save_creds" implementation. */ 199svn_error_t * 200svn_auth__ssl_client_cert_pw_cache_set(svn_boolean_t *saved, 201 void *credentials, 202 void *provider_baton, 203 apr_hash_t *parameters, 204 const char *realmstring, 205 svn_auth__password_set_t passphrase_set, 206 const char *passtype, 207 apr_pool_t *pool); 208 209/* This implements the svn_auth__password_get_t interface. 210 Set **PASSPHRASE to the plaintext passphrase retrieved from CREDS; 211 ignore other parameters. */ 212svn_error_t * 213svn_auth__ssl_client_cert_pw_get(svn_boolean_t *done, 214 const char **passphrase, 215 apr_hash_t *creds, 216 const char *realmstring, 217 const char *username, 218 apr_hash_t *parameters, 219 svn_boolean_t non_interactive, 220 apr_pool_t *pool); 221 222/* This implements the svn_auth__password_set_t interface. 223 Store PASSPHRASE in CREDS; ignore other parameters. */ 224svn_error_t * 225svn_auth__ssl_client_cert_pw_set(svn_boolean_t *done, 226 apr_hash_t *creds, 227 const char *realmstring, 228 const char *username, 229 const char *passphrase, 230 apr_hash_t *parameters, 231 svn_boolean_t non_interactive, 232 apr_pool_t *pool); 233 234/* Apply the specified configuration for connecting with SERVER_NAME 235 to the auth baton */ 236svn_error_t * 237svn_auth__make_session_auth(svn_auth_baton_t **session_auth_baton, 238 const svn_auth_baton_t *auth_baton, 239 apr_hash_t *config, 240 const char *server_name, 241 apr_pool_t *result_pool, 242 apr_pool_t *scratch_pool); 243 244#if (defined(WIN32) && !defined(__MINGW32__)) || defined(DOXYGEN) 245/** 246 * Set @a *provider to an authentication provider that implements 247 * ssl authority verification via the Windows CryptoApi. 248 * 249 * This provider automatically validates authority certificates with 250 * the CryptoApi, like Internet Explorer and the Windows network API do. 251 * This allows the rollout of root certificates via Windows Domain 252 * policies, instead of Subversion specific configuration. 253 * 254 * @note This function is only available on Windows. 255 */ 256void 257svn_auth__get_windows_ssl_server_authority_provider( 258 svn_auth_provider_object_t **provider, 259 apr_pool_t *pool); 260#endif 261 262 263#ifdef __cplusplus 264} 265#endif /* __cplusplus */ 266 267#endif /* SVN_AUTH_PRIVATE_H */ 268