On Fri, Oct 21, 2016 at 07:41:18PM +0800, yuan lixin wrote: > but in the interface "svn_auth_ssl_server_trust_prompt_func_t", > the actual parameter is "failures", not "*failures". so it can not change > the svn's failures in linux, then can not ignore certificate. > could you look at my code for a solution. > > Thank you > --woodsp
libsvn_subr gets 'failures' from the 'parameters' hash: https://svn.apache.org/repos/asf/subversion/trunk/subversion/libsvn_subr/ssl_server_trust_providers.c /* retrieve ssl server CA failure overrides (if any) from servers config */ static svn_error_t * ssl_server_trust_file_first_credentials(void **credentials, void **iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool) { apr_uint32_t *failures = svn_hash_gets(parameters, SVN_AUTH_PARAM_SSL_SERVER_FAILURES); const svn_auth_ssl_server_cert_info_t *cert_info = svn_hash_gets(parameters, SVN_AUTH_PARAM_SSL_SERVER_CERT_INFO); apr_hash_t *creds_hash = NULL; const char *config_dir; svn_error_t *error = SVN_NO_ERROR; *credentials = NULL; *iter_baton = NULL; /* Check if this is a permanently accepted certificate */ config_dir = svn_hash_gets(parameters, SVN_AUTH_PARAM_CONFIG_DIR); error = svn_config_read_auth_data(&creds_hash, SVN_AUTH_CRED_SSL_SERVER_TRUST, realmstring, config_dir, pool); svn_error_clear(error); if (! error && creds_hash) { svn_string_t *trusted_cert, *this_cert, *failstr; apr_uint32_t last_failures = 0; trusted_cert = svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_ASCII_CERT_KEY); this_cert = svn_string_create(cert_info->ascii_cert, pool); failstr = svn_hash_gets(creds_hash, SVN_CONFIG_AUTHN_FAILURES_KEY); if (failstr) SVN_ERR(svn_cstring_atoui(&last_failures, failstr->data)); /* If the cert is trusted and there are no new failures, we * accept it by clearing all failures. */ if (trusted_cert && svn_string_compare(this_cert, trusted_cert) && (*failures & ~last_failures) == 0) { *failures = 0; } } /* If all failures are cleared now, we return the creds */ if (! *failures) { svn_auth_cred_ssl_server_trust_t *creds = apr_pcalloc(pool, sizeof(*creds)); creds->may_save = FALSE; /* No need to save it again... */ *credentials = creds; } return SVN_NO_ERROR; } [...] static const svn_auth_provider_t ssl_server_trust_file_provider = { SVN_AUTH_CRED_SSL_SERVER_TRUST, ssl_server_trust_file_first_credentials, NULL, ssl_server_trust_file_save_credentials, }; So I believe you can create an svn_auth_provider_t with your own implementation of ssl_server_trust_file_first_credentials: static svn_error_t * my_own_server_trust_file_first_credentials(void **credentials, void **iter_baton, void *provider_baton, apr_hash_t *parameters, const char *realmstring, apr_pool_t *pool) { apr_uint32_t *failures = svn_hash_gets(parameters, SVN_AUTH_PARAM_SSL_SERVER_FAILURES); svn_auth_cred_ssl_server_trust_t *creds = apr_pcalloc(pool, sizeof(*creds)); creds->may_save = FALSE; *credentials = creds; *failures = 0; return SVN_NO_ERROR; } And create your own provider: static const svn_auth_provider_t my_own_server_trust_file_provider = { SVN_AUTH_CRED_SSL_SERVER_TRUST, my_own_server_trust_file_first_credentials, NULL, NULL, }; And somehow register this provider when svn_auth_open() is called. I don't know if my idea will really work, but I have no idea what else you could try.
