Posted to dev@subversion.apache.org by Stefan Sperling <st...@elego.de> on 2010/09/02 16:54:11 UTC

Re: sasl mechanisms order

On Sun, Aug 22, 2010 at 01:08:52PM +0200, Stefan Sperling wrote:
> On Sun, Aug 22, 2010 at 12:56:23PM +0200, Stefan Sperling wrote:
> > On Sun, Aug 22, 2010 at 12:17:41PM +0700, Victor Sudakov wrote:
> > > Colleagues, I understand that you are expecting a patch. I am sorry, I
> > > am a systems administrator and not a programmer, my code writing
> > > ability does not go beyond scripting. 
> > 
> > Can you try this patch and let me know if it works?
> 
> Please try this one instead, it's slightly cleaner (no functional change).
> Thanks.

Ping. Did you find time to test this?
Should we file an issue so we don't forget about this?

> 
> Index: subversion/libsvn_subr/config_file.c
> ===================================================================
> --- subversion/libsvn_subr/config_file.c	(revision 981459)
> +++ subversion/libsvn_subr/config_file.c	(working copy)
> @@ -759,6 +759,11 @@ svn_config_ensure(const char *config_dir, apr_pool
>                                                                               NL
>          "###                              may be cached to disk."            NL
>          "###   username                   Specifies the default username."   NL
> +        "###   preferred-sasl-mechanism   Specifies which SASL mechanism"    NL
> +        "###                              among the ones offered by the "    NL
> +        "###                              server should be tried first."     NL
> +        "###                              See the SASL documentation for"    NL
> +        "###                              a list of mechanisms available."   NL
>          "###"                                                                NL
>          "### Set store-passwords to 'no' to avoid storing passwords in the"  NL
>          "### auth/ area of your config directory.  It defaults to 'yes',"    NL
> Index: subversion/libsvn_ra_svn/client.c
> ===================================================================
> --- subversion/libsvn_ra_svn/client.c	(revision 981459)
> +++ subversion/libsvn_ra_svn/client.c	(working copy)
> @@ -715,6 +715,7 @@ static svn_error_t *ra_svn_open(svn_ra_session_t *
>       reparent with a server that doesn't support reparenting. */
>    SVN_ERR(open_session(&sess, url, &uri, tunnel_argv,
>                         callbacks, callback_baton, sess_pool));
> +  sess->config = config;
>    session->priv = sess;
>  
>    return SVN_NO_ERROR;
> Index: subversion/libsvn_ra_svn/ra_svn.h
> ===================================================================
> --- subversion/libsvn_ra_svn/ra_svn.h	(revision 981459)
> +++ subversion/libsvn_ra_svn/ra_svn.h	(working copy)
> @@ -97,6 +97,7 @@ struct svn_ra_svn__session_baton_t {
>    void *callbacks_baton;
>    apr_off_t bytes_read, bytes_written; /* apr_off_t's because that's what
>                                            the callback interface uses */
> +  apr_hash_t *config;
>  };
>  
>  /* Set a callback for blocked writes on conn.  This handler may
> Index: subversion/libsvn_ra_svn/cyrus_auth.c
> ===================================================================
> --- subversion/libsvn_ra_svn/cyrus_auth.c	(revision 981459)
> +++ subversion/libsvn_ra_svn/cyrus_auth.c	(working copy)
> @@ -27,6 +27,7 @@
>  #include <apr_thread_mutex.h>
>  #include <apr_version.h>
>  
> +#include "svn_config.h"
>  #include "svn_types.h"
>  #include "svn_string.h"
>  #include "svn_error.h"
> @@ -720,6 +721,67 @@ svn_error_t *svn_ra_svn__get_addresses(const char
>    return SVN_NO_ERROR;
>  }
>  
> +
> +/* Return one or more SASL mechanisms from MECHLIST.
> + * SESS is the session baton.
> + * If a preferred SASL mechanism has been defined in the configuration,
> + * prefer it if it occurs within MECHLIST. Else, fall back to EXTERNAL,
> + * then ANONYMOUS, then let SASL decide.
> + * Potentially allocate the returned list of mechanisms in RESULT_POOL.
> + * Use SCRATCH_POOL for temporary allocations. */
> +static const char *
> +get_sasl_mechanisms(svn_ra_svn__session_baton_t *sess,
> +                    const apr_array_header_t *mechlist,
> +                    apr_pool_t *result_pool,
> +                    apr_pool_t *scratch_pool)
> +{
> +  const char *mechstring = "";
> +  svn_config_t *cfg;
> +
> +  cfg = sess->config ? apr_hash_get(sess->config, SVN_CONFIG_CATEGORY_SERVERS,
> +                                    APR_HASH_KEY_STRING) : NULL;
> +  if (cfg)
> +    {
> +      const char *server_group;
> +      const char *preferred_mech;
> +
> +      server_group = svn_config_find_group(cfg, sess->host,
> +                                           SVN_CONFIG_SECTION_GROUPS,
> +                                           scratch_pool);
> +      if (server_group)
> +        svn_config_get(cfg, &preferred_mech, server_group,
> +                       SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM, NULL);
> +      else
> +        preferred_mech = NULL;
> +
> +      if (preferred_mech && svn_ra_svn__find_mech(mechlist, preferred_mech))
> +        return preferred_mech;
> +    }
> +
> +  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
> +    return "EXTERNAL";
> +  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
> +    return "ANONYMOUS";
> +  else
> +    {
> +      int i;
> +
> +      /* Create a string containing the list of mechanisms,
> +       * separated by spaces. */
> +      for (i = 0; i < mechlist->nelts; i++)
> +        {
> +          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i,
> +                                                  svn_ra_svn_item_t);
> +          mechstring = apr_pstrcat(result_pool,
> +                                   mechstring,
> +                                   i == 0 ? "" : " ",
> +                                   elt->u.word, NULL);
> +        }
> +    }
> +
> +  return mechstring;
> +}
> +
>  svn_error_t *
>  svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_baton_t *sess,
>                            apr_array_header_t *mechlist,
> @@ -742,24 +804,7 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
>                                          sess->conn, pool));
>      }
>  
> -  /* Prefer EXTERNAL, then ANONYMOUS, then let SASL decide. */
> -  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
> -    mechstring = "EXTERNAL";
> -  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
> -    mechstring = "ANONYMOUS";
> -  else
> -    {
> -      /* Create a string containing the list of mechanisms, separated by spaces. */
> -      for (i = 0; i < mechlist->nelts; i++)
> -        {
> -          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i, svn_ra_svn_item_t);
> -          mechstring = apr_pstrcat(pool,
> -                                   mechstring,
> -                                   i == 0 ? "" : " ",
> -                                   elt->u.word, NULL);
> -        }
> -    }
> -
> +  mechstring = get_sasl_mechanisms(sess, mechlist, pool, pool);
>    realmstring = apr_psprintf(pool, "%s %s", sess->realm_prefix, realm);
>  
>    /* Initialize the credential baton. */
> Index: subversion/include/svn_config.h
> ===================================================================
> --- subversion/include/svn_config.h	(revision 981459)
> +++ subversion/include/svn_config.h	(working copy)
> @@ -81,6 +81,7 @@ typedef struct svn_config_t svn_config_t;
>  #define SVN_CONFIG_OPTION_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT \
>                                            "store-ssl-client-cert-pp-plaintext"
>  #define SVN_CONFIG_OPTION_USERNAME                  "username"
> +#define SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM  "preferred-sasl-mechanism"
>  
>  #define SVN_CONFIG_CATEGORY_CONFIG          "config"
>  #define SVN_CONFIG_SECTION_AUTH                 "auth"

Re: sasl mechanisms order

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Stefan Sperling wrote:
> > This time it has compiled, but does not work.
> > 
> > "svn list svn://admin/test/" works OK (IMHO because the ANONYMOUS
> > mechanism is sufficient for that) but "svn co svn://admin/test/"
> > dumps core immediately.
> 
> 
> I hope I have found the problem. Does the patch below work better?

I have placed 

[auth]
preferred-sasl-mechanism = GSSAPI

into ~/.subversion/config
but the patched svn client does not even try GSSAPI, though I have a
valid tgt and svnserve does advertise GSSAPI. The patched svn uses
DIGEST-MD5 at once.

The patch seems to have totally broken GSSAPI. What kind of additional
debug can I provide?

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: sasl mechanisms order

Posted by Stefan Sperling <st...@elego.de>.
On Tue, Sep 07, 2010 at 02:33:28PM +0700, Victor Sudakov wrote:
> This time it has compiled, but does not work.
> 
> "svn list svn://admin/test/" works OK (IMHO because the ANONYMOUS
> mechanism is sufficient for that) but "svn co svn://admin/test/"
> dumps core immediately.

Hi Victor,

I hope I have found the problem. Does the patch below work better?

Thanks,
Stefan

Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c	(revision 997080)
+++ subversion/libsvn_subr/config_file.c	(working copy)
@@ -759,6 +759,11 @@ svn_config_ensure(const char *config_dir, apr_pool
                                                                              NL
         "###                              may be cached to disk."            NL
         "###   username                   Specifies the default username."   NL
+        "###   preferred-sasl-mechanism   Specifies which SASL mechanism"    NL
+        "###                              among the ones offered by the "    NL
+        "###                              server should be tried first."     NL
+        "###                              See the SASL documentation for"    NL
+        "###                              a list of mechanisms available."   NL
         "###"                                                                NL
         "### Set store-passwords to 'no' to avoid storing passwords in the"  NL
         "### auth/ area of your config directory.  It defaults to 'yes',"    NL
Index: subversion/libsvn_ra_svn/cyrus_auth.c
===================================================================
--- subversion/libsvn_ra_svn/cyrus_auth.c	(revision 997080)
+++ subversion/libsvn_ra_svn/cyrus_auth.c	(working copy)
@@ -27,6 +27,7 @@
 #include <apr_thread_mutex.h>
 #include <apr_version.h>
 
+#include "svn_config.h"
 #include "svn_types.h"
 #include "svn_string.h"
 #include "svn_error.h"
@@ -720,6 +721,67 @@ svn_error_t *svn_ra_svn__get_addresses(const char
   return SVN_NO_ERROR;
 }
 
+
+/* Return one or more SASL mechanisms from MECHLIST.
+ * SESS is the session baton.
+ * If a preferred SASL mechanism has been defined in the configuration,
+ * prefer it if it occurs within MECHLIST. Else, fall back to EXTERNAL,
+ * then ANONYMOUS, then let SASL decide.
+ * Potentially allocate the returned list of mechanisms in RESULT_POOL.
+ * Use SCRATCH_POOL for temporary allocations. */
+static const char *
+get_sasl_mechanisms(svn_ra_svn__session_baton_t *sess,
+                    apr_array_header_t *mechlist,
+                    apr_pool_t *result_pool,
+                    apr_pool_t *scratch_pool)
+{
+  const char *mechstring = "";
+  svn_config_t *cfg;
+
+  cfg = sess->config ? apr_hash_get(sess->config, SVN_CONFIG_CATEGORY_SERVERS,
+                                    APR_HASH_KEY_STRING) : NULL;
+  if (cfg)
+    {
+      const char *server_group;
+      const char *preferred_mech;
+
+      server_group = svn_config_find_group(cfg, sess->hostname,
+                                           SVN_CONFIG_SECTION_GROUPS,
+                                           scratch_pool);
+      if (server_group)
+        svn_config_get(cfg, &preferred_mech, server_group,
+                       SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM, NULL);
+      else
+        preferred_mech = NULL;
+
+      if (preferred_mech && svn_ra_svn__find_mech(mechlist, preferred_mech))
+        return preferred_mech;
+    }
+
+  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
+    return "EXTERNAL";
+  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
+    return "ANONYMOUS";
+  else
+    {
+      int i;
+
+      /* Create a string containing the list of mechanisms,
+       * separated by spaces. */
+      for (i = 0; i < mechlist->nelts; i++)
+        {
+          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i,
+                                                  svn_ra_svn_item_t);
+          mechstring = apr_pstrcat(result_pool,
+                                   mechstring,
+                                   i == 0 ? "" : " ",
+                                   elt->u.word, NULL);
+        }
+    }
+
+  return mechstring;
+}
+
 svn_error_t *
 svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_baton_t *sess,
                           apr_array_header_t *mechlist,
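Review bot: The preferred mechanism is looked up only in a server group that matches the host, so a value set in the `[global]` section of the servers file is never read: when svn_config_find_group() returns nothing, the `else` branch sets `preferred_mech = NULL`. As far as I know, other per-server options are resolved from `[global]` first and then overridden by the matching group, and users will expect the same here. Reading the global value first and passing it as the default for the group lookup closes the gap, as sketched below. The quoted earlier version of this function in the thread has the same lookup.
```c
      /* ... unchanged: svn_config_find_group() call ... */
      svn_config_get(cfg, &preferred_mech, SVN_CONFIG_SECTION_GLOBAL,
                     SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM, NULL);
      if (server_group)
        svn_config_get(cfg, &preferred_mech, server_group,
                       SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM,
                       preferred_mech);
      /* ... unchanged: svn_ra_svn__find_mech() check and fallbacks ... */
```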
@@ -734,7 +796,6 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
      array terminator). */
   sasl_callback_t callbacks[3];
   cred_baton_t cred_baton;
-  int i;
 
   if (!sess->is_tunneled)
     {
@@ -742,24 +803,7 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
                                         sess->conn, pool));
     }
 
-  /* Prefer EXTERNAL, then ANONYMOUS, then let SASL decide. */
-  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
-    mechstring = "EXTERNAL";
-  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
-    mechstring = "ANONYMOUS";
-  else
-    {
-      /* Create a string containing the list of mechanisms, separated by spaces. */
-      for (i = 0; i < mechlist->nelts; i++)
-        {
-          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i, svn_ra_svn_item_t);
-          mechstring = apr_pstrcat(pool,
-                                   mechstring,
-                                   i == 0 ? "" : " ",
-                                   elt->u.word, NULL);
-        }
-    }
-
+  mechstring = get_sasl_mechanisms(sess, mechlist, pool, pool);
   realmstring = apr_psprintf(pool, "%s %s", sess->realm_prefix, realm);
 
   /* Initialize the credential baton. */
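Review bot: Nothing at this call site tells the user when the configured mechanism was not the one used. get_sasl_mechanisms returns the preferred name only if the server's list contains it, and otherwise falls back to EXTERNAL, ANONYMOUS or the whole offered list, so a client configured for one mechanism can authenticate with a different one without any indication. Because the offered list is supplied by the remote end, the option should be described as a preference rather than an enforcement, for example by adding `It is only a preference; other offered mechanisms are used if the server does not list it.` to the help text in config_file.c. If enforcement is wanted, this is where an explicit error path would go instead of the fallback. svn_ra_svn__do_cyrus_auth continues outside the hunk.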
Index: subversion/libsvn_ra_svn/client.c
===================================================================
--- subversion/libsvn_ra_svn/client.c	(revision 997080)
+++ subversion/libsvn_ra_svn/client.c	(working copy)
@@ -542,14 +542,16 @@ static svn_error_t *parse_url(const char *url, apr
 }
 
 /* Open a session to URL, returning it in *SESS_P, allocating it in POOL.
-   URI is a parsed version of URL.  CALLBACKS and CALLBACKS_BATON
-   are provided by the caller of ra_svn_open. If tunnel_argv is non-null,
-   it points to a program argument list to use when invoking the tunnel agent.
+   URI is a parsed version of URL. CONFIG is the client configuration.
+   CALLBACKS and CALLBACKS_BATON are provided by the caller of ra_svn_open.
+   If tunnel_argv is non-null, it points to a program argument list to use
+   when invoking the tunnel agent.
 */
 static svn_error_t *open_session(svn_ra_svn__session_baton_t **sess_p,
                                  const char *url,
                                  const apr_uri_t *uri,
                                  const char **tunnel_argv,
+                                 apr_hash_t *config,
                                  const svn_ra_callbacks2_t *callbacks,
                                  void *callbacks_baton,
                                  apr_pool_t *pool)
@@ -573,6 +575,7 @@ static svn_error_t *open_session(svn_ra_svn__sessi
   sess->callbacks = callbacks;
   sess->callbacks_baton = callbacks_baton;
   sess->bytes_read = sess->bytes_written = 0;
+  sess->config = config;
 
   if (tunnel_argv)
     SVN_ERR(make_tunnel(tunnel_argv, &conn, pool));
@@ -713,7 +716,7 @@ static svn_error_t *ra_svn_open(svn_ra_session_t *
 
   /* We open the session in a subpool so we can get rid of it if we
      reparent with a server that doesn't support reparenting. */
-  SVN_ERR(open_session(&sess, url, &uri, tunnel_argv,
+  SVN_ERR(open_session(&sess, url, &uri, tunnel_argv, config,
                        callbacks, callback_baton, sess_pool));
   session->priv = sess;
 
@@ -749,7 +752,7 @@ static svn_error_t *ra_svn_reparent(svn_ra_session
   sess_pool = svn_pool_create(ra_session->pool);
   err = parse_url(url, &uri, sess_pool);
   if (! err)
-    err = open_session(&new_sess, url, &uri, sess->tunnel_argv,
+    err = open_session(&new_sess, url, &uri, sess->tunnel_argv, sess->config,
                        sess->callbacks, sess->callbacks_baton, sess_pool);
   /* We destroy the new session pool on error, since it is allocated in
      the main session pool. */
Index: subversion/libsvn_ra_svn/ra_svn.h
===================================================================
--- subversion/libsvn_ra_svn/ra_svn.h	(revision 997080)
+++ subversion/libsvn_ra_svn/ra_svn.h	(working copy)
@@ -97,6 +97,7 @@ struct svn_ra_svn__session_baton_t {
   void *callbacks_baton;
   apr_off_t bytes_read, bytes_written; /* apr_off_t's because that's what
                                           the callback interface uses */
+  apr_hash_t *config;
 };
 
 /* Set a callback for blocked writes on conn.  This handler may
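Review bot: The new `config` member has no comment, and the invariant it depends on is easy to break. The gdb trace elsewhere in this thread shows svn_ra_svn__do_cyrus_auth being reached from handle_auth_request inside open_session, with apr_hash_get handed `ht=0x20232323`, which is consistent with the field being read before it was assigned. I would document it as `/* Client configuration hash passed to ra_svn_open(); may be NULL. Must be set before any authentication exchange. Not owned by the session. */` (the ownership part is inferred from the plain pointer store in open_session). The struct starts outside the hunk.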
Index: subversion/include/svn_config.h
===================================================================
--- subversion/include/svn_config.h	(revision 997080)
+++ subversion/include/svn_config.h	(working copy)
@@ -81,6 +81,7 @@ typedef struct svn_config_t svn_config_t;
 #define SVN_CONFIG_OPTION_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT \
                                           "store-ssl-client-cert-pp-plaintext"
 #define SVN_CONFIG_OPTION_USERNAME                  "username"
+#define SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM  "preferred-sasl-mechanism"
 
 #define SVN_CONFIG_CATEGORY_CONFIG          "config"
 #define SVN_CONFIG_SECTION_AUTH                 "auth"

Re: sasl mechanisms order

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Stefan Sperling wrote:
> > > > > > Colleagues, I understand that you are expecting a patch. I am sorry, I
> > > > > > am a systems administrator and not a programmer, my code writing
> > > > > > ability does not go beyond scripting. 
> > > > > 
> > > > > Can you try this patch and let me know if it works?
> > > > 
> > > > Please try this one instead, it's slightly cleaner (no functional change).
> > > > Thanks.
> > > 
> > > Ping. Did you find time to test this?
> > > Should we file an issue so we don't forget about this?
> > 
> > Sorry for the delay, I have been on vacation. Does not compile with
> > your patch. 
> 
> Ooops, sorry about that.
> I just noticed that my svn builds didn't use SASL at all, so it compiled
> for me because the code was disabled :-/
> 
> The updated diff below compiles fine for me, with SASL enabled.

This time it has compiled, but does not work.

"svn list svn://admin/test/" works OK (IMHO because the ANONYMOUS
mechanism is sufficient for that) but "svn co svn://admin/test/"
dumps core immediately.

According to gdb:


GNU gdb 6.1.1 [FreeBSD]
Copyright 2004 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-marcel-freebsd"...
Core was generated by `svn'.
Program terminated with signal 11, Segmentation fault.
Reading symbols from /usr/local/lib/libsvn_client-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_client-1.so.0
Reading symbols from /usr/local/lib/libsvn_wc-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_wc-1.so.0
Reading symbols from /usr/local/lib/libsvn_ra-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_ra-1.so.0
Reading symbols from /usr/local/lib/libsvn_diff-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_diff-1.so.0
Reading symbols from /usr/local/lib/libsvn_ra_local-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_ra_local-1.so.0
Reading symbols from /usr/local/lib/libsvn_repos-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_repos-1.so.0
Reading symbols from /usr/local/lib/libsvn_fs-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_fs-1.so.0
Reading symbols from /usr/local/lib/libsvn_fs_fs-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_fs_fs-1.so.0
Reading symbols from /usr/local/lib/libsvn_fs_util-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_fs_util-1.so.0
Reading symbols from /usr/local/lib/libsvn_ra_svn-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_ra_svn-1.so.0
Reading symbols from /usr/local/lib/libsasl2.so.2...done.
Loaded symbols for /usr/local/lib/libsasl2.so.2
Reading symbols from /usr/local/lib/libsvn_ra_neon-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_ra_neon-1.so.0
Reading symbols from /usr/local/lib/libsvn_delta-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_delta-1.so.0
Reading symbols from /usr/local/lib/libsvn_subr-1.so.0...done.
Loaded symbols for /usr/local/lib/libsvn_subr-1.so.0
Reading symbols from /usr/local/lib/libsqlite3.so.8...done.
Loaded symbols for /usr/local/lib/libsqlite3.so.8
Reading symbols from /usr/local/lib/libaprutil-1.so.3...done.
Loaded symbols for /usr/local/lib/libaprutil-1.so.3
Reading symbols from /usr/local/lib/libgdbm.so.3...done.
Loaded symbols for /usr/local/lib/libgdbm.so.3
Reading symbols from /usr/local/lib/libiconv.so.3...done.
Loaded symbols for /usr/local/lib/libiconv.so.3
Reading symbols from /usr/local/lib/libapr-1.so.4...done.
Loaded symbols for /usr/local/lib/libapr-1.so.4
Reading symbols from /usr/local/lib/libneon.so.27...done.
Loaded symbols for /usr/local/lib/libneon.so.27
Reading symbols from /usr/lib/libssl.so.6...done.
Loaded symbols for /usr/lib/libssl.so.6
Reading symbols from /lib/libz.so.5...done.
Loaded symbols for /lib/libz.so.5
Reading symbols from /usr/lib/libgssapi.so.10...done.
Loaded symbols for /usr/lib/libgssapi.so.10
Reading symbols from /usr/lib/libheimntlm.so.10...done.
Loaded symbols for /usr/lib/libheimntlm.so.10
Reading symbols from /usr/lib/libkrb5.so.10...done.
Loaded symbols for /usr/lib/libkrb5.so.10
Reading symbols from /usr/lib/libhx509.so.10...done.
Loaded symbols for /usr/lib/libhx509.so.10
Reading symbols from /usr/lib/libcom_err.so.5...done.
Loaded symbols for /usr/lib/libcom_err.so.5
Reading symbols from /lib/libcrypto.so.6...done.
Loaded symbols for /lib/libcrypto.so.6
Reading symbols from /usr/lib/libasn1.so.10...done.
Loaded symbols for /usr/lib/libasn1.so.10
Reading symbols from /usr/lib/libroken.so.10...done.
Loaded symbols for /usr/lib/libroken.so.10
Reading symbols from /lib/libcrypt.so.5...done.
Loaded symbols for /lib/libcrypt.so.5
Reading symbols from /usr/local/lib/libexpat.so.6...done.
Loaded symbols for /usr/local/lib/libexpat.so.6
Reading symbols from /lib/libthr.so.3...done.
Loaded symbols for /lib/libthr.so.3
Reading symbols from /lib/libc.so.7...done.
Loaded symbols for /lib/libc.so.7
Reading symbols from /usr/local/lib/sasl2/libsasldb.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libsasldb.so.2
Reading symbols from /usr/local/lib/sasl2/libcrammd5.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libcrammd5.so.2
Reading symbols from /usr/local/lib/sasl2/libdigestmd5.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libdigestmd5.so.2
Reading symbols from /usr/local/lib/sasl2/libotp.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libotp.so.2
Reading symbols from /usr/lib/libopie.so.6...done.
Loaded symbols for /usr/lib/libopie.so.6
Reading symbols from /lib/libmd.so.5...done.
Loaded symbols for /lib/libmd.so.5
Reading symbols from /usr/local/lib/sasl2/libgssapiv2.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libgssapiv2.so.2
Reading symbols from /usr/local/lib/sasl2/libplain.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libplain.so.2
Reading symbols from /usr/local/lib/sasl2/libanonymous.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libanonymous.so.2
Reading symbols from /usr/local/lib/sasl2/liblogin.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/liblogin.so.2
Reading symbols from /usr/local/lib/sasl2/libntlm.so.2...done.
Loaded symbols for /usr/local/lib/sasl2/libntlm.so.2
Reading symbols from /libexec/ld-elf.so.1...done.
Loaded symbols for /libexec/ld-elf.so.1
#0  find_entry (ht=0x20232323, key=0x281affb1, klen=-1, val=0x0)
    at tables/apr_hash.c:260
260	    hash = ht->hash_func(key, &klen);
[New Thread 28901140 (LWP 100069)]
(gdb) 
(gdb) where
#0  find_entry (ht=0x20232323, key=0x281affb1, klen=-1, val=0x0)
    at tables/apr_hash.c:260
#1  0x283c1e1b in apr_hash_get (ht=0x20232323, key=0x281affb1, klen=-1)
    at tables/apr_hash.c:330
#2  0x281a881b in svn_ra_svn__do_cyrus_auth (sess=0x28959078, 
    mechlist=0x2895b9a8, realm=0x2895bae0 "SIBPTUS.TOMSK.RU", pool=0x28959018)
    at subversion/libsvn_ra_svn/cyrus_auth.c:741
#3  0x281a28a7 in handle_auth_request (sess=0x28959078, pool=0x28959018)
    at subversion/libsvn_ra_svn/client.c:237
#4  0x281a7162 in open_session (sess_p=0xbfbfe728, 
    url=0x28957070 "svn://admin/test", uri=Variable "uri" is not available.
)
    at subversion/libsvn_ra_svn/client.c:627
#5  0x281a7648 in ra_svn_open (session=0x289550b8, 
    url=0x28957070 "svn://admin/test", callbacks=0x28955058, 
    callback_baton=0x28955080, config=0x28940890, pool=0x28955018)
    at subversion/libsvn_ra_svn/client.c:716
#6  0x281397ae in svn_ra_open3 (session_p=0xbfbfe8b8, 
    repos_URL=0x28957070 "svn://admin/test", uuid=0x0, callbacks=0x28955058, 
    callback_baton=0x28955080, config=0x28940890, pool=0x28955018)
    at subversion/libsvn_ra/ra_loader.c:480
#7  0x280e7aac in svn_client__open_ra_session_internal (
    ra_session=0xbfbfe8b8, base_url=0x28957070 "svn://admin/test", 
    base_dir=0x0, base_access=0x0, commit_items=0x0, use_admin=0, 
    read_only_wc=0, ctx=0x28940840, pool=0x28955018)
    at subversion/libsvn_client/ra.c:295
#8  0x280e816f in svn_client__ra_session_from_path (ra_session_p=0xbfbfe938, 
    rev_p=0xbfbfe934, url_p=0xbfbfe930, 
    path_or_url=0x28957070 "svn://admin/test", base_access=0x0, 
    peg_revision_p=0xbfbfe9dc, revision=0xbfbfe9e8, ctx=0x28940840, 
    pool=0x28955018) at subversion/libsvn_client/ra.c:445
#9  0x280c01e7 in svn_client__checkout_internal (result_rev=0x0, 
    url=0x28957070 "svn://admin/test", path=0x2894ac08 "test", 
    peg_revision=0xbfbfe9dc, revision=0xbfbfe9e8, ra_cache=0x0, 
    depth=svn_depth_unknown, ignore_externals=0, allow_unver_obstructions=0, 
    timestamp_sleep=0x0, ctx=0x28940840, pool=0x28957018)
    at subversion/libsvn_client/checkout.c:109
#10 0x280cb4fc in svn_client_checkout3 (result_rev=0x0, 
    URL=0x28957058 "svn://admin/test", path=0x2894ac08 "test", 
    peg_revision=0xbfbfe9dc, revision=0xbfbfe9e8, depth=svn_depth_unknown, 
    ignore_externals=0, allow_unver_obstructions=0, ctx=0x28940840, 
    pool=0x28957018) at subversion/libsvn_client/deprecated.c:1453
#11 0x0804d378 in svn_cl__checkout (os=0x289401c0, baton=0xbfbfec08, 
    pool=0x28940018) at subversion/svn/checkout-cmd.c:160
#12 0x08054720 in main (argc=Cannot access memory at address 0xffffffff
) at subversion/svn/main.c:2119
(gdb) 
#0  find_entry (ht=0x20232323, key=0x281affb1, klen=-1, val=0x0)
    at tables/apr_hash.c:260
#1  0x283c1e1b in apr_hash_get (ht=0x20232323, key=0x281affb1, klen=-1)
    at tables/apr_hash.c:330
#2  0x281a881b in svn_ra_svn__do_cyrus_auth (sess=0x28959078, 
    mechlist=0x2895b9a8, realm=0x2895bae0 "SIBPTUS.TOMSK.RU", pool=0x28959018)
    at subversion/libsvn_ra_svn/cyrus_auth.c:741
#3  0x281a28a7 in handle_auth_request (sess=0x28959078, pool=0x28959018)
    at subversion/libsvn_ra_svn/client.c:237
#4  0x281a7162 in open_session (sess_p=0xbfbfe728, 
    url=0x28957070 "svn://admin/test", uri=Variable "uri" is not available.
)
    at subversion/libsvn_ra_svn/client.c:627
#5  0x281a7648 in ra_svn_open (session=0x289550b8, 
    url=0x28957070 "svn://admin/test", callbacks=0x28955058, 
    callback_baton=0x28955080, config=0x28940890, pool=0x28955018)
    at subversion/libsvn_ra_svn/client.c:716
#6  0x281397ae in svn_ra_open3 (session_p=0xbfbfe8b8, 
    repos_URL=0x28957070 "svn://admin/test", uuid=0x0, callbacks=0x28955058, 
    callback_baton=0x28955080, config=0x28940890, pool=0x28955018)
    at subversion/libsvn_ra/ra_loader.c:480
#7  0x280e7aac in svn_client__open_ra_session_internal (
    ra_session=0xbfbfe8b8, base_url=0x28957070 "svn://admin/test", 
    base_dir=0x0, base_access=0x0, commit_items=0x0, use_admin=0, 
    read_only_wc=0, ctx=0x28940840, pool=0x28955018)
    at subversion/libsvn_client/ra.c:295
#8  0x280e816f in svn_client__ra_session_from_path (ra_session_p=0xbfbfe938, 
    rev_p=0xbfbfe934, url_p=0xbfbfe930, 
    path_or_url=0x28957070 "svn://admin/test", base_access=0x0, 
    peg_revision_p=0xbfbfe9dc, revision=0xbfbfe9e8, ctx=0x28940840, 
    pool=0x28955018) at subversion/libsvn_client/ra.c:445
#9  0x280c01e7 in svn_client__checkout_internal (result_rev=0x0, 
    url=0x28957070 "svn://admin/test", path=0x2894ac08 "test", 
    peg_revision=0xbfbfe9dc, revision=0xbfbfe9e8, ra_cache=0x0, 
    depth=svn_depth_unknown, ignore_externals=0, allow_unver_obstructions=0, 
    timestamp_sleep=0x0, ctx=0x28940840, pool=0x28957018)
    at subversion/libsvn_client/checkout.c:109
#10 0x280cb4fc in svn_client_checkout3 (result_rev=0x0, 
    URL=0x28957058 "svn://admin/test", path=0x2894ac08 "test", 
    peg_revision=0xbfbfe9dc, revision=0xbfbfe9e8, depth=svn_depth_unknown, 
    ignore_externals=0, allow_unver_obstructions=0, ctx=0x28940840, 
    pool=0x28957018) at subversion/libsvn_client/deprecated.c:1453
#11 0x0804d378 in svn_cl__checkout (os=0x289401c0, baton=0xbfbfec08, 
    pool=0x28940018) at subversion/svn/checkout-cmd.c:160
#12 0x08054720 in main (argc=Cannot access memory at address 0xffffffff
) at subversion/svn/main.c:2119
(gdb) quit

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru

Re: sasl mechanisms order

Posted by Stefan Sperling <st...@elego.de>.
On Mon, Sep 06, 2010 at 01:59:22PM +0700, Victor Sudakov wrote:
> Stefan Sperling wrote:
> > > > > Colleagues, I understand that you are expecting a patch. I am sorry, I
> > > > > am a systems administrator and not a programmer, my code writing
> > > > > ability does not go beyond scripting. 
> > > > 
> > > > Can you try this patch and let me know if it works?
> > > 
> > > Please try this one instead, it's slightly cleaner (no functional change).
> > > Thanks.
> > 
> > Ping. Did you find time to test this?
> > Should we file an issue so we don't forget about this?
> 
> Sorry for the delay, I have been on vacation. Does not compile with
> your patch. 

Ooops, sorry about that.
I just noticed that my svn builds didn't use SASL at all, so it compiled
for me because the code was disabled :-/

The updated diff below compiles fine for me, with SASL enabled.

Stefan


Index: subversion/libsvn_subr/config_file.c
===================================================================
--- subversion/libsvn_subr/config_file.c	(revision 993034)
+++ subversion/libsvn_subr/config_file.c	(working copy)
@@ -759,6 +759,11 @@ svn_config_ensure(const char *config_dir, apr_pool
                                                                              NL
         "###                              may be cached to disk."            NL
         "###   username                   Specifies the default username."   NL
+        "###   preferred-sasl-mechanism   Specifies which SASL mechanism"    NL
+        "###                              among the ones offered by the "    NL
+        "###                              server should be tried first."     NL
+        "###                              See the SASL documentation for"    NL
+        "###                              a list of mechanisms available."   NL
         "###"                                                                NL
         "### Set store-passwords to 'no' to avoid storing passwords in the"  NL
         "### auth/ area of your config directory.  It defaults to 'yes',"    NL
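Review bot: The added help text does not say what happens when the server does not offer the preferred mechanism, so a reader could take the option for a restriction. As get_sasl_mechanisms() in the cyrus_auth.c part of this patch is written, the client then falls back to EXTERNAL, ANONYMOUS or the full offered list, so the setting only changes the order and does not keep a weaker mechanism from being negotiated. I would add two lines such as `"###                              If the server does not offer it, the"` and `"###                              other offered mechanisms are used."`, and drop the trailing blank inside `"... offered by the "`. svn_config_ensure's body starts and ends outside the hunk.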
Index: subversion/libsvn_ra_svn/cyrus_auth.c
===================================================================
--- subversion/libsvn_ra_svn/cyrus_auth.c	(revision 993034)
+++ subversion/libsvn_ra_svn/cyrus_auth.c	(working copy)
@@ -27,6 +27,7 @@
 #include <apr_thread_mutex.h>
 #include <apr_version.h>
 
+#include "svn_config.h"
 #include "svn_types.h"
 #include "svn_string.h"
 #include "svn_error.h"
@@ -720,6 +721,67 @@ svn_error_t *svn_ra_svn__get_addresses(const char
   return SVN_NO_ERROR;
 }
 
+
+/* Return one or more SASL mechanisms from MECHLIST.
+ * SESS is the session baton.
+ * If a preferred SASL mechanism has been defined in the configuration,
+ * prefer it if it occurs within MECHLIST. Else, fall back to EXTERNAL,
+ * then ANONYMOUS, then let SASL decide.
+ * Potentially allocate the returned list of mechanisms in RESULT_POOL.
+ * Use SCRATCH_POOL for temporary allocations. */
+static const char *
+get_sasl_mechanisms(svn_ra_svn__session_baton_t *sess,
+                    apr_array_header_t *mechlist,
+                    apr_pool_t *result_pool,
+                    apr_pool_t *scratch_pool)
+{
+  const char *mechstring = "";
+  svn_config_t *cfg;
+
+  cfg = sess->config ? apr_hash_get(sess->config, SVN_CONFIG_CATEGORY_SERVERS,
+                                    APR_HASH_KEY_STRING) : NULL;
+  if (cfg)
+    {
+      const char *server_group;
+      const char *preferred_mech;
+
+      server_group = svn_config_find_group(cfg, sess->hostname,
+                                           SVN_CONFIG_SECTION_GROUPS,
+                                           scratch_pool);
+      if (server_group)
+        svn_config_get(cfg, &preferred_mech, server_group,
+                       SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM, NULL);
+      else
+        preferred_mech = NULL;
+
+      if (preferred_mech && svn_ra_svn__find_mech(mechlist, preferred_mech))
+        return preferred_mech;
+    }
+
+  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
+    return "EXTERNAL";
+  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
+    return "ANONYMOUS";
+  else
+    {
+      int i;
+
+      /* Create a string containing the list of mechanisms,
+       * separated by spaces. */
+      for (i = 0; i < mechlist->nelts; i++)
+        {
+          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i,
+                                                  svn_ra_svn_item_t);
+          mechstring = apr_pstrcat(result_pool,
+                                   mechstring,
+                                   i == 0 ? "" : " ",
+                                   elt->u.word, NULL);
+        }
+    }
+
+  return mechstring;
+}
+
 svn_error_t *
 svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_baton_t *sess,
                           apr_array_header_t *mechlist,
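Review bot: A `preferred-sasl-mechanism` set in the `[global]` section is never read, because in get_sasl_mechanisms() the lookup runs only when svn_config_find_group() returns a matching server group and `preferred_mech` is set to NULL otherwise. Replacing the if/else with `preferred_mech = svn_config_get_server_setting(cfg, server_group, SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM, NULL);` covers both cases, since that helper reads the global section first and then lets the group override it. The doc comment should also say that a returned preferred mechanism points into the configuration object, not into RESULT_POOL, so it is valid only as long as `sess->config` is.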
@@ -734,7 +796,6 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
      array terminator). */
   sasl_callback_t callbacks[3];
   cred_baton_t cred_baton;
-  int i;
 
   if (!sess->is_tunneled)
     {
@@ -742,24 +803,7 @@ svn_ra_svn__do_cyrus_auth(svn_ra_svn__session_bato
                                         sess->conn, pool));
     }
 
-  /* Prefer EXTERNAL, then ANONYMOUS, then let SASL decide. */
-  if (svn_ra_svn__find_mech(mechlist, "EXTERNAL"))
-    mechstring = "EXTERNAL";
-  else if (svn_ra_svn__find_mech(mechlist, "ANONYMOUS"))
-    mechstring = "ANONYMOUS";
-  else
-    {
-      /* Create a string containing the list of mechanisms, separated by spaces. */
-      for (i = 0; i < mechlist->nelts; i++)
-        {
-          svn_ra_svn_item_t *elt = &APR_ARRAY_IDX(mechlist, i, svn_ra_svn_item_t);
-          mechstring = apr_pstrcat(pool,
-                                   mechstring,
-                                   i == 0 ? "" : " ",
-                                   elt->u.word, NULL);
-        }
-    }
-
+  mechstring = get_sasl_mechanisms(sess, mechlist, pool, pool);
   realmstring = apr_psprintf(pool, "%s %s", sess->realm_prefix, realm);
 
   /* Initialize the credential baton. */
Index: subversion/libsvn_ra_svn/client.c
===================================================================
--- subversion/libsvn_ra_svn/client.c	(revision 993034)
+++ subversion/libsvn_ra_svn/client.c	(working copy)
@@ -715,6 +715,7 @@ static svn_error_t *ra_svn_open(svn_ra_session_t *
      reparent with a server that doesn't support reparenting. */
   SVN_ERR(open_session(&sess, url, &uri, tunnel_argv,
                        callbacks, callback_baton, sess_pool));
+  sess->config = config;
   session->priv = sess;
 
   return SVN_NO_ERROR;
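Review bot: `sess->config` is assigned only after open_session() has returned, so any code that runs inside open_session() sees the field unset. If the initial authentication exchange happens there (open_session's body is outside this hunk), get_sasl_mechanisms() reads `sess->config` before it holds a value, and unless the baton is zero-filled on allocation that is an uninitialised pointer handed to apr_hash_get(). I would pass `config` into open_session() and set `sess->config = config;` right where the baton is created, before any network exchange. ra_svn_open's body starts outside the hunk.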
Index: subversion/libsvn_ra_svn/ra_svn.h
===================================================================
--- subversion/libsvn_ra_svn/ra_svn.h	(revision 993034)
+++ subversion/libsvn_ra_svn/ra_svn.h	(working copy)
@@ -97,6 +97,7 @@ struct svn_ra_svn__session_baton_t {
   void *callbacks_baton;
   apr_off_t bytes_read, bytes_written; /* apr_off_t's because that's what
                                           the callback interface uses */
+  apr_hash_t *config;
 };
 
 /* Set a callback for blocked writes on conn.  This handler may
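Review bot: The new `config` member has no comment, and nothing tells a reader that it is a borrowed pointer which may be NULL. Going by the other parts of this patch it maps category names to `svn_config_t *`, is stored without a copy and is tested for NULL before use, so I would declare it as `apr_hash_t *config; /* Client configuration (category name -> svn_config_t *); not copied, may be NULL. */`. The struct's definition starts outside the hunk.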
Index: subversion/include/svn_config.h
===================================================================
--- subversion/include/svn_config.h	(revision 993034)
+++ subversion/include/svn_config.h	(working copy)
@@ -81,6 +81,7 @@ typedef struct svn_config_t svn_config_t;
 #define SVN_CONFIG_OPTION_STORE_SSL_CLIENT_CERT_PP_PLAINTEXT \
                                           "store-ssl-client-cert-pp-plaintext"
 #define SVN_CONFIG_OPTION_USERNAME                  "username"
+#define SVN_CONFIG_OPTION_PREFERRED_SASL_MECHANISM  "preferred-sasl-mechanism"
 
 #define SVN_CONFIG_CATEGORY_CONFIG          "config"
 #define SVN_CONFIG_SECTION_AUTH                 "auth"

Re: sasl mechanisms order

Posted by Victor Sudakov <su...@sibptus.tomsk.ru>.
Stefan Sperling wrote:
> > > > Colleagues, I understand that you are expecting a patch. I am sorry, I
> > > > am a systems administrator and not a programmer, my code writing
> > > > ability does not go beyond scripting. 
> > > 
> > > Can you try this patch and let me know if it works?
> > 
> > Please try this one instead, it's slightly cleaner (no functional change).
> > Thanks.
> 
> Ping. Did you find time to test this?
> Should we file an issue so we don't forget about this?

Sorry for the delay, I have been on vacation. Does not compile with
your patch. 

On a FreeBSD 6.4 system I have the following error:

===>  Building for subversion-1.6.12_1
/usr/local/bin/libtool --tag=CC --silent --mode=compile cc  -O2 -fno-strict-aliasing -pipe  -g -O2     -I./subversion/include -I./subversion  -I/usr/local/include/apr-1   -I/usr/local/include/apr-1 -I/usr/local/include    -I/usr/local/include/neon   -I/usr/local/include   -I/usr/local/include -o subversion/libsvn_ra_svn/cyrus_auth.lo -c subversion/libsvn_ra_svn/cyrus_auth.c
subversion/libsvn_ra_svn/cyrus_auth.c: In function `get_sasl_mechanisms':
subversion/libsvn_ra_svn/cyrus_auth.c:748: error: structure has no member named `host'
subversion/libsvn_ra_svn/cyrus_auth.c:757: warning: passing arg 1 of `svn_ra_svn__find_mech' discards qualifiers from pointer target type
subversion/libsvn_ra_svn/cyrus_auth.c:761: warning: passing arg 1 of `svn_ra_svn__find_mech' discards qualifiers from pointer target type
subversion/libsvn_ra_svn/cyrus_auth.c:763: warning: passing arg 1 of `svn_ra_svn__find_mech' discards qualifiers from pointer target type
*** Error code 1
1 error
*** Error code 1

Stop in /usr/ports/devel/subversion.
*** Error code 1

Stop in /usr/ports/devel/subversion.

On a FreeBSD 8.0 system I have the following error:
===>  Building for subversion-1.6.12_1
/usr/local/bin/libtool --tag=CC --silent --mode=compile cc  -O2 -pipe -fno-strict-aliasing     -I./subversion/include -I./subversion  -I/usr/local/include/apr-1   -I/usr/local/include/apr-1 -I/usr/local/include    -I/usr/local/include/neon -I/usr/local/include   -I/usr/local/include -o subversion/libsvn_ra_svn/cyrus_auth.lo -c subversion/libsvn_ra_svn/cyrus_auth.c
subversion/libsvn_ra_svn/cyrus_auth.c: In function 'get_sasl_mechanisms':
subversion/libsvn_ra_svn/cyrus_auth.c:748: error: 'svn_ra_svn__session_baton_t' has no member named 'host'
subversion/libsvn_ra_svn/cyrus_auth.c:757: warning: passing argument 1 of 'svn_ra_svn__find_mech' discards qualifiers from pointer target type
subversion/libsvn_ra_svn/cyrus_auth.c:761: warning: passing argument 1 of 'svn_ra_svn__find_mech' discards qualifiers from pointer target type
subversion/libsvn_ra_svn/cyrus_auth.c:763: warning: passing argument 1 of 'svn_ra_svn__find_mech' discards qualifiers from pointer target type
*** Error code 1
1 error
*** Error code 1

Stop in /usr/ports/devel/subversion.
*** Error code 1

Stop in /usr/ports/devel/subversion.


It does compile without the patch though. 

-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru