Posted to dev@subversion.apache.org by Mark Phippard <ma...@gmail.com> on 2008/04/23 14:42:53 UTC

SASL on Windows

I have been playing around with SASL on Windows to test our CollabNet
Subversion packaging for 1.5.  It was a bit of an adventure.

The first issue I found was that I needed an svn.conf that looked like this:

pwcheck_method: auxprop
auxprop_plugin: sasldb
mech_list: ANONYMOUS CRAM-MD5
sasldb_path: C:\svn_repository\sasldb

The key was that last line.  Our current sasl.txt does not mention
that.  From what I can tell, unlike on Linux, on Windows there is no
default path for this file.

The biggest problem however, was that I could not get my client to
connect at all if DIGEST-MD5 was listed in the mech_list.  This is a
1.5 client that has libsasl linked to it.  Any ideas what I could look
at for this?

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: SASL on Windows

Posted by Stefan Küng <to...@gmail.com>.
Mark Phippard wrote:

>>  How did you check the TSVN SASL dlls? I checked my build script, and
>> OpenSSL is linked in (or at least it should be).
> 
> I was using the Dependency Walker tool and did not see it using
> OpenSSL.  I am on an old build of TSVN.  Probably Alpha2 or Beta1.

Since TSVN links statically to OpenSSL, you won't see anything in the 
dependency walker. OpenSSL recommends linking statically for security 
reasons, so that's what TSVN does (it also prevents issues (dll hell) 
because of virus scanners and firewalls that install an incompatible 
version of openssl.dll into the system32 directory).

>>  Do you have an svnserve configured and open for test access? Would be great
>> if I could use it to test TSVN on it :)
> 
> If I can get it working with the command line, I will try to get
> something available.

That would be great.

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net


Re: SASL on Windows

Posted by Mark Phippard <ma...@gmail.com>.
On Wed, Apr 23, 2008 at 11:39 AM, Stefan Küng <to...@gmail.com> wrote:
> Mark Phippard wrote:
>
>
> > I did not have any problem loading the DLL's.  We used the registry
> > setting for that.  Granted, I understand your point.  If TortoiseSVN
> > did the same, then there would be a problem.
> >
>
>  Since there are more svn clients (and other clients using SASL) out there
> than just svn.exe and TSVN, there *will* be problems.

I know and agree.  I was just pointing out that this was not the
problem I was having now.

> > The path to the database used by the SASLDB plugin is different.  It
> > assumes a default path for this database on Linux.  AFAICT, it does
> > not do the same on Windows so you have to set the path in the svn.conf
> > file.
> >
> > I was wondering if DIGEST-MD5 was not working because it is not linked
> > to OpenSSL?  I noticed that the DLL you created was not either, but
> > the SVN docs imply this plugin supports encryption, and I recall the
> > SASL docs saying it uses OpenSSL.  So I wonder if the problem is that
> > we do not have this DLL built using OpenSSL?
> >
>
>  How did you check the TSVN SASL dlls? I checked my build script, and
> OpenSSL is linked in (or at least it should be).

I was using the Dependency Walker tool and did not see it using
OpenSSL.  I am on an old build of TSVN.  Probably Alpha2 or Beta1.

>  Do you have an svnserve configured and open for test access? Would be great
> if I could use it to test TSVN on it :)

If I can get it working with the command line, I will try to get
something available.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/



Re: SASL on Windows

Posted by Stefan Küng <to...@gmail.com>.
Mark Phippard wrote:

> I did not have any problem loading the DLL's.  We used the registry
> setting for that.  Granted, I understand your point.  If TortoiseSVN
> did the same, then there would be a problem.

Since there are more svn clients (and other clients using SASL) out 
there than just svn.exe and TSVN, there *will* be problems.

> The path to the database used by the SASLDB plugin is different.  It
> assumes a default path for this database on Linux.  AFAICT, it does
> not do the same on Windows so you have to set the path in the svn.conf
> file.
> 
> I was wondering if DIGEST-MD5 was not working because it is not linked
> to OpenSSL?  I noticed that the DLL you created was not either, but
> the SVN docs imply this plugin supports encryption, and I recall the
> SASL docs saying it uses OpenSSL.  So I wonder if the problem is that
> we do not have this DLL built using OpenSSL?

How did you check the TSVN SASL dlls? I checked my build script, and 
OpenSSL is linked in (or at least it should be).

Do you have an svnserve configured and open for test access? Would be 
great if I could use it to test TSVN on it :)

Stefan

-- 
        ___
   oo  // \\      "De Chelonian Mobile"
  (_,\/ \_/ \     TortoiseSVN
    \ \_/_\_/>    The coolest Interface to (Sub)Version Control
    /_/   \_\     http://tortoisesvn.net


Re: DIGEST-MD5 not working with svnserve/SASL

Posted by David Glasser <gl...@davidglasser.net>.
On Thu, May 1, 2008 at 12:31 PM, David Glasser <gl...@davidglasser.net> wrote:
> On Thu, May 1, 2008 at 12:06 PM, Mark Phippard <ma...@gmail.com> wrote:
>  > On Thu, May 1, 2008 at 2:54 PM, Eric Gillespie <ep...@pretzelnet.org> wrote:
>  >  > "Mark Phippard" <ma...@gmail.com> writes:
>  >  >
>  >  >
>  >  > > >  May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)
>  >  >  >
>  >  >  > How did you get that?  The new trunk logging?
>  >  >
>  >  >  No, Cyrus sasl uses syslog on linux, so you'll find that even
>  >  >  without the new logging.
>  >
>  >  OK, thanks.  I see it on OSX too, with same error message you saw:
>  >
>  >  May  1 15:04:50 : encoded packet size too big (809115648 > 4096)
>  >
>  >
>  >  >  > I am not sure why CRAM-MD5 does not have the same problem.  Possibly
>  >  >  > because it winds up using pre-SASL code or something?
>  >  >
>  >  >  No, since we use SASL to hook into our custom user database, we
>  >  >  are certain that we're not bypassing SASL.
>  >
>  >  Well I meant after the authentication maybe DIGEST and CRAM are
>  >  different.  For example, the docs seemed to imply the encryption only
>  >  kicks in for DIGEST.
>
>  You are correct that this is the difference.  The client was sending
>  an empty string response (encoded as "0: ") when the SASL conversation
>  should have been finished.  This confused the server, which assumed
>  everything coming next was encoded specially (encrypted?).
>
>  See r30896; tell me if it fixes things for you (and doesn't break
>  other auth versions, etc).

That broke CRAM-MD5.  r30905 should make everything happy.

--dave


-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/


Re: DIGEST-MD5 not working with svnserve/SASL

Posted by David Glasser <gl...@davidglasser.net>.
On Thu, May 1, 2008 at 12:06 PM, Mark Phippard <ma...@gmail.com> wrote:
> On Thu, May 1, 2008 at 2:54 PM, Eric Gillespie <ep...@pretzelnet.org> wrote:
>  > "Mark Phippard" <ma...@gmail.com> writes:
>  >
>  >
>  > > >  May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)
>  >  >
>  >  > How did you get that?  The new trunk logging?
>  >
>  >  No, Cyrus sasl uses syslog on linux, so you'll find that even
>  >  without the new logging.
>
>  OK, thanks.  I see it on OSX too, with same error message you saw:
>
>  May  1 15:04:50 : encoded packet size too big (809115648 > 4096)
>
>
>  >  > I am not sure why CRAM-MD5 does not have the same problem.  Possibly
>  >  > because it winds up using pre-SASL code or something?
>  >
>  >  No, since we use SASL to hook into our custom user database, we
>  >  are certain that we're not bypassing SASL.
>
>  Well I meant after the authentication maybe DIGEST and CRAM are
>  different.  For example, the docs seemed to imply the encryption only
>  kicks in for DIGEST.

You are correct that this is the difference.  The client was sending
an empty string response (encoded as "0: ") when the SASL conversation
should have been finished.  This confused the server, which assumed
everything coming next was encoded specially (encrypted?).

See r30896; tell me if it fixes things for you (and doesn't break
other auth versions, etc).

--dave

-- 
David Glasser | glasser@davidglasser.net | http://www.davidglasser.net/
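
An added example, not part of the thread or of Subversion's code: read back as the four-octet, network-byte-order length prefix that a SASL security layer puts in front of each protected buffer (RFC 4422), the rejected length in the quoted log line is the ASCII text "0: " followed by a zero octet, which matches the stray empty-string response described above. The function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Log line quoted in the thread (Cyrus SASL via syslog). */
static const char *SAMPLE_LINE =
    "May  1 10:50:06 svnfe-test svnserve[1696]: "
    "encoded packet size too big (809115648 > 4096)";

/* Extract the rejected length and the limit; returns 1 on success. */
int parse_too_big(const char *line, uint32_t *len, uint32_t *limit)
{
    static const char marker[] = "encoded packet size too big (";
    const char *p = strstr(line, marker);
    unsigned long a, b;
    if (p == NULL || sscanf(p + sizeof marker - 1, "%lu > %lu", &a, &b) != 2)
        return 0;
    if (a > UINT32_MAX || b > UINT32_MAX)
        return 0;
    *len = (uint32_t)a;
    *limit = (uint32_t)b;
    return 1;
}

/* Undo the network-byte-order read and render the four wire octets:
 * printable ASCII as-is, anything else as \xNN. buf needs 17 bytes.
 * Returns how many of the four octets are printable ASCII. */
int render_length_octets(uint32_t len, char *buf, size_t buflen)
{
    int printable = 0;
    size_t used = 0;
    buf[0] = '\0';
    for (int shift = 24; shift >= 0 && used + 5 <= buflen; shift -= 8) {
        unsigned char o = (unsigned char)(len >> shift);
        int ok = (o >= 0x20 && o <= 0x7e);
        if (ok)
            used += (size_t)snprintf(buf + used, buflen - used, "%c", o);
        else
            used += (size_t)snprintf(buf + used, buflen - used, "\\x%02x", (unsigned)o);
        printable += ok;
    }
    return printable;
}

int main(void)
{
    uint32_t len, limit;
    char text[17];
    if (!parse_too_big(SAMPLE_LINE, &len, &limit))
        return 1;
    int n = render_length_octets(len, text, sizeof text);
    printf("%u > %u: octets \"%s\", %d of 4 printable\n",
           (unsigned)len, (unsigned)limit, text, n);
    return 0;
}
```

When most of the four octets are printable, the "length" is almost certainly plaintext protocol data that reached the security-layer decoder, not a corrupted length variable.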


Re: DIGEST-MD5 not working with svnserve/SASL

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, May 1, 2008 at 2:54 PM, Eric Gillespie <ep...@pretzelnet.org> wrote:
> "Mark Phippard" <ma...@gmail.com> writes:
>
>
> > >  May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)
>  >
>  > How did you get that?  The new trunk logging?
>
>  No, Cyrus sasl uses syslog on linux, so you'll find that even
>  without the new logging.

OK, thanks.  I see it on OSX too, with same error message you saw:

May  1 15:04:50 : encoded packet size too big (809115648 > 4096)

>  > I am not sure why CRAM-MD5 does not have the same problem.  Possibly
>  > because it winds up using pre-SASL code or something?
>
>  No, since we use SASL to hook into our custom user database, we
>  are certain that we're not bypassing SASL.

Well I meant after the authentication maybe DIGEST and CRAM are
different.  For example, the docs seemed to imply the encryption only
kicks in for DIGEST.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


Re: DIGEST-MD5 not working with svnserve/SASL

Posted by Eric Gillespie <ep...@pretzelnet.org>.
"Mark Phippard" <ma...@gmail.com> writes:

> >  May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)
> 
> How did you get that?  The new trunk logging?

No, Cyrus sasl uses syslog on linux, so you'll find that even
without the new logging.

> I have been struggling with this all day.  I see the same behavior on
> Linux, OSX and Windows.  It seems like it does the authentication
> because you can give invalid credentials and get proper error
> messages.  So it seems like the problem happens after it
> authenticates.

That's interesting.  David is looking at this in gdb now; perhaps
that will help him.

> I am not sure why CRAM-MD5 does not have the same problem.  Possibly
> because it winds up using pre-SASL code or something?

No, since we use SASL to hook into our custom user database, we
are certain that we're not bypassing SASL.

-- 
Eric Gillespie <*> epg@pretzelnet.org


Re: DIGEST-MD5 not working with svnserve/SASL

Posted by Mark Phippard <ma...@gmail.com>.
On Thu, May 1, 2008 at 2:06 PM, Eric Gillespie <ep...@pretzelnet.org> wrote:
> [retitling the thread; not Windows-specific]
>
>  "Mark Phippard" <ma...@gmail.com> writes:
>
>  > I was wondering if DIGEST-MD5 was not working because it is not linked
>  > to OpenSSL?  I noticed that the DLL you created was not either, but
>  > the SVN docs imply this plugin supports encryption, and I recall the
>  > SASL docs saying it uses OpenSSL.  So I wonder if the problem is that
>  > we do not have this DLL built using OpenSSL?
>
>  I don't think that's it, as I can now confirm that DIGEST-MD5
>  does not work with Linux client/server, either.  We find this in
>  the log file:
>
>  May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)

How did you get that?  The new trunk logging?

>  That looks to me like an uninitialized or otherwise corrupted len
>  variable, or perhaps a char * with the wrong value, pointing to a
>  block of memory that has a null byte after 809115648 bytes ;->.
>
>  I don't know if it's related, but I made a change to
>  ra_svn/cyrus_auth.c in r29241, to fix a gssapi issue.  It's
>  possible I broke something.  It's also possible that more such
>  changes are needed.

I have been struggling with this all day.  I see the same behavior on
Linux, OSX and Windows.  It seems like it does the authentication
because you can give invalid credentials and get proper error
messages.  So it seems like the problem happens after it
authenticates.

I am not sure why CRAM-MD5 does not have the same problem.  Possibly
because it winds up using pre-SASL code or something?

I've been trying to get a wire trace, unsuccessfully, all day.

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


DIGEST-MD5 not working with svnserve/SASL

Posted by Eric Gillespie <ep...@pretzelnet.org>.
[retitling the thread; not Windows-specific]

"Mark Phippard" <ma...@gmail.com> writes:

> I was wondering if DIGEST-MD5 was not working because it is not linked
> to OpenSSL?  I noticed that the DLL you created was not either, but
> the SVN docs imply this plugin supports encryption, and I recall the
> SASL docs saying it uses OpenSSL.  So I wonder if the problem is that
> we do not have this DLL built using OpenSSL?

I don't think that's it, as I can now confirm that DIGEST-MD5
does not work with Linux client/server, either.  We find this in
the log file:

May  1 10:50:06 svnfe-test svnserve[1696]: encoded packet size too big (809115648 > 4096)

That looks to me like an uninitialized or otherwise corrupted len
variable, or perhaps a char * with the wrong value, pointing to a
block of memory that has a null byte after 809115648 bytes ;->.

I don't know if it's related, but I made a change to
ra_svn/cyrus_auth.c in r29241, to fix a gssapi issue.  It's
possible I broke something.  It's also possible that more such
changes are needed.

--  
Eric Gillespie <*> epg@pretzelnet.org


Re: SASL on Windows

Posted by Mark Phippard <ma...@gmail.com>.
On Wed, Apr 23, 2008 at 11:29 AM, steveking <to...@gmail.com> wrote:
> Mark Phippard wrote:
>
> > I have been playing around with SASL on Windows to test our CollabNet
> > Subversion packaging for 1.5.  It was a bit of an adventure.
> >
> > The first issue I found was that I needed an svn.conf that looked like this:
> >
> > pwcheck_method: auxprop
> > auxprop_plugin: sasldb
> > mech_list: ANONYMOUS CRAM-MD5
> > sasldb_path: C:\svn_repository\sasldb
> >
> > The key was that last line.  Our current sasl.txt does not mention
> > that.  From what I can tell, unlike on Linux, on Windows there is no
> > default path for this file.
> >
>
>  Well, there is. But I guess that Subversion does not install the SASL dlls
> there but in the svn directory.
>  And of course, as I repeatedly warned (not just for SASL but for apr-iconv
> too) this is a disaster waiting to happen. That's why I call
>
>  sasl_set_path(SASL_PATH_TYPE_PLUGIN, path_to_install_dir);
>
>  in TortoiseSVN to avoid having SASL use dlls which are not built and tested
> for TSVN.
>
>  I would recommend that the svn.exe client would do the same (at least on
> Windows).

I did not have any problem loading the DLL's.  We used the registry
setting for that.  Granted, I understand your point.  If TortoiseSVN
did the same, then there would be a problem.

The path to the database used by the SASLDB plugin is different.  It
assumes a default path for this database on Linux.  AFAICT, it does
not do the same on Windows so you have to set the path in the svn.conf
file.

I was wondering if DIGEST-MD5 was not working because it is not linked
to OpenSSL?  I noticed that the DLL you created was not either, but
the SVN docs imply this plugin supports encryption, and I recall the
SASL docs saying it uses OpenSSL.  So I wonder if the problem is that
we do not have this DLL built using OpenSSL?

-- 
Thanks

Mark Phippard
http://markphip.blogspot.com/


Re: SASL on Windows

Posted by steveking <to...@gmail.com>.
Mark Phippard wrote:
> I have been playing around with SASL on Windows to test our CollabNet
> Subversion packaging for 1.5.  It was a bit of an adventure.
> 
> The first issue I found was that I needed an svn.conf that looked like this:
> 
> pwcheck_method: auxprop
> auxprop_plugin: sasldb
> mech_list: ANONYMOUS CRAM-MD5
> sasldb_path: C:\svn_repository\sasldb
> 
> The key was that last line.  Our current sasl.txt does not mention
> that.  From what I can tell, unlike on Linux, on Windows there is no
> default path for this file.

Well, there is. But I guess that Subversion does not install the SASL 
dlls there but in the svn directory.
And of course, as I repeatedly warned (not just for SASL but for 
apr-iconv too) this is a disaster waiting to happen. That's why I call

sasl_set_path(SASL_PATH_TYPE_PLUGIN, path_to_install_dir);

in TortoiseSVN to avoid having SASL use dlls which are not built and 
tested for TSVN.

I would recommend that the svn.exe client would do the same (at least on 
Windows).

Stefan

