Posted to dev@subversion.apache.org by Paul Burba <pt...@gmail.com> on 2008/09/03 14:58:41 UTC

Re: svn commit: r32860 - in trunk/subversion: include libsvn_subr

On Tue, Sep 2, 2008 at 3:12 PM,  <jw...@tigris.org> wrote:
> Author: jwhitlock
> Date: Tue Sep  2 12:12:54 2008
> New Revision: 32860
>
> Log:
> Support storing SSL client certificate passphrases in OSX Keychain.
>
> * subversion/libsvn_subr/cmdline.c (svn_cmdline_set_up_auth_baton): Add OSX
>   Keychain SSL client certificate passphrase provider to the providers array.
>
> * subversion/libsvn_subr/macos_keychain.c (keychain_password_set,
>   keychain_password_get): Added NULL check for username.
>  (keychain_ssl_client_cert_pw_first_creds,
>   keychain_ssl_client_cert_pw_save_creds,
>   svn_auth_get_keychain_ssl_client_cert_pw_provider): New functions.
>  (keychain_ssl_client_cert_pw_provider): New object.
>
> * subversion/libsvn_subr/ssl_client_cert_pw_providers.c
>  (svn_auth__ssl_client_cert_pw_file_save_creds_helper): Add OSX Keychain SSL
>   client certificate passphrase provider to the list of providers which
>   store passphrases encrypted.
>
> * subversion/include/svn_auth.h
>  (svn_auth_get_keychain_ssl_client_cert_pw_provider): New function.
>
> Approved by: arfrever
>             stylesen
>
> Modified:
>   trunk/subversion/include/svn_auth.h
>   trunk/subversion/libsvn_subr/cmdline.c
>   trunk/subversion/libsvn_subr/macos_keychain.c
>   trunk/subversion/libsvn_subr/ssl_client_cert_pw_providers.c
>
> Modified: trunk/subversion/include/svn_auth.h
> URL: http://svn.collab.net/viewvc/svn/trunk/subversion/include/svn_auth.h?pathrev=32860&r1=32859&r2=32860
> ==============================================================================
> --- trunk/subversion/include/svn_auth.h Tue Sep  2 11:03:49 2008        (r32859)
> +++ trunk/subversion/include/svn_auth.h Tue Sep  2 12:12:54 2008        (r32860)
> @@ -825,6 +825,23 @@ svn_auth_get_windows_simple_provider(svn
>  void
>  svn_auth_get_keychain_simple_provider(svn_auth_provider_object_t **provider,
>                                       apr_pool_t *pool);
> +
> +/**
> + * Create and return @a *provider, an authentication provider of type @c
> + * svn_auth_cred_ssl_client_cert_pw_t that gets/sets information from the
> + * user's ~/.subversion configuration directory.  Allocate @a *provider in
> + * @a pool.
> + *
> + * This is like svn_client_get_ssl_client_cert_pw_file_provider(), except
> + * that the password is stored in the Mac OS KeyChain.
> + *
> + * @since New in 1.6
> + * @note This function is only available on Mac OS 10.2 and higher.
> + */
> +void
> +svn_auth_get_keychain_ssl_client_cert_pw_provider
> +  (svn_auth_provider_object_t **provider,
> +   apr_pool_t *pool);
>  #endif /* DARWIN || DOXYGEN */
>
>
>
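
Review bot: the doc comment for svn_auth_get_keychain_ssl_client_cert_pw_provider says the provider "gets/sets information from the user's ~/.subversion configuration directory" and only a few lines later that the password is stored in the Keychain; state up front which data lives in the configuration directory and that the passphrase itself goes to the Keychain. The comment also points at svn_client_get_ssl_client_cert_pw_file_provider() while every declaration visible in this hunk uses the svn_auth_get_ prefix, so check that reference, and "KeyChain" is spelled "Keychain" in the log message. As the replies below report, this declaration also reaches the generated libsvn_subr.def on Windows despite the DARWIN || DOXYGEN guard, so it needs the same special-casing in build/generator/extractor.py that the other Darwin-only provider has.
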
> Modified: trunk/subversion/libsvn_subr/cmdline.c
> URL: http://svn.collab.net/viewvc/svn/trunk/subversion/libsvn_subr/cmdline.c?pathrev=32860&r1=32859&r2=32860
> ==============================================================================
> --- trunk/subversion/libsvn_subr/cmdline.c      Tue Sep  2 11:03:49 2008        (r32859)
> +++ trunk/subversion/libsvn_subr/cmdline.c      Tue Sep  2 12:12:54 2008        (r32860)
> @@ -510,6 +510,9 @@ svn_cmdline_set_up_auth_baton(svn_auth_b
>  #ifdef SVN_HAVE_KEYCHAIN_SERVICES
>           svn_auth_get_keychain_simple_provider(&provider, pool);
>           APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
> +
> +          svn_auth_get_keychain_ssl_client_cert_pw_provider(&provider, pool);
> +          APR_ARRAY_PUSH(providers, svn_auth_provider_object_t *) = provider;
>  #endif
>           continue;
>         }
>
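
Review bot: the added call in svn_cmdline_set_up_auth_baton is compiled under #ifdef SVN_HAVE_KEYCHAIN_SERVICES, while the prototype added to svn_auth.h in this commit is guarded by DARWIN || DOXYGEN. If the two conditions can ever differ, the call is compiled without a declaration in scope; use one guard for both, or add a comment saying why they always agree. A short comment that this branch now registers two providers (simple and SSL client certificate passphrase) would also help the next reader.
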
> Modified: trunk/subversion/libsvn_subr/macos_keychain.c
> URL: http://svn.collab.net/viewvc/svn/trunk/subversion/libsvn_subr/macos_keychain.c?pathrev=32860&r1=32859&r2=32860
> ==============================================================================
> --- trunk/subversion/libsvn_subr/macos_keychain.c       Tue Sep  2 11:03:49 2008        (r32859)
> +++ trunk/subversion/libsvn_subr/macos_keychain.c       Tue Sep  2 12:12:54 2008        (r32860)
> @@ -75,13 +75,17 @@ keychain_password_set(apr_hash_t *creds,
>     SecKeychainSetUserInteractionAllowed(FALSE);
>
>   status = SecKeychainFindGenericPassword(NULL, strlen(realmstring),
> -                                          realmstring, strlen(username),
> +                                          realmstring, username == NULL
> +                                            ? 0
> +                                            : strlen(username),
>                                           username, 0, NULL, &item);
>   if (status)
>     {
>       if (status == errSecItemNotFound)
>         status = SecKeychainAddGenericPassword(NULL, strlen(realmstring),
> -                                               realmstring, strlen(username),
> +                                               realmstring, username == NULL
> +                                                 ? 0
> +                                                 : strlen(username),
>                                                username, strlen(password),
>                                                password, NULL);
>     }
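
Review bot: in keychain_password_set the expression `username == NULL ? 0 : strlen(username)` is repeated for the Find and the Add call, and the NULL pointer itself is still passed as the account name; compute the length once into a local variable above the first call and use it in both. strlen(realmstring) and strlen(password) remain unguarded in the same calls, so either document that those two arguments must be non-NULL or check them as well.
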
> @@ -117,7 +121,9 @@ keychain_password_get(const char **passw
>     SecKeychainSetUserInteractionAllowed(FALSE);
>
>   status = SecKeychainFindGenericPassword(NULL, strlen(realmstring),
> -                                          realmstring, strlen(username),
> +                                          realmstring, username == NULL
> +                                            ? 0
> +                                            : strlen(username),
>                                           username, &length, &data, NULL);
>
>   if (non_interactive)
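
Review bot: keychain_password_get now accepts a NULL username, but nothing in the visible lines documents that, and with a zero-length account the lookup is identified by realmstring alone. Add that to the function's comment, including which callers pass NULL, so the behaviour for the simple-password path is not relaxed later by accident. The length ternary is the third copy of the one in keychain_password_set and could share a small static helper.
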
> @@ -175,6 +181,52 @@ static const svn_auth_provider_t keychai
>   keychain_simple_save_creds
>  };
>
> +/* Get cached encrypted credentials from the ssl client cert password
> +   provider's cache. */
> +static svn_error_t *
> +keychain_ssl_client_cert_pw_first_creds(void **credentials,
> +                                        void **iter_baton,
> +                                        void *provider_baton,
> +                                        apr_hash_t *parameters,
> +                                        const char *realmstring,
> +                                        apr_pool_t *pool)
> +{
> +  return svn_auth__ssl_client_cert_pw_file_first_creds_helper
> +           (credentials,
> +            iter_baton, provider_baton,
> +            parameters, realmstring,
> +            keychain_password_get,
> +            SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
> +            pool);
> +}
> +
> +/* Save encrypted credentials to the ssl client cert password provider's
> +   cache. */
> +static svn_error_t *
> +keychain_ssl_client_cert_pw_save_creds(svn_boolean_t *saved,
> +                                       void *credentials,
> +                                       void *provider_baton,
> +                                       apr_hash_t *parameters,
> +                                       const char *realmstring,
> +                                       apr_pool_t *pool)
> +{
> +  return svn_auth__ssl_client_cert_pw_file_save_creds_helper
> +           (saved, credentials,
> +            provider_baton, parameters,
> +            realmstring,
> +            keychain_password_set,
> +            SVN_AUTH__KEYCHAIN_PASSWORD_TYPE,
> +            pool);
> +}
> +
> +static const svn_auth_provider_t keychain_ssl_client_cert_pw_provider = {
> +  SVN_AUTH_CRED_SSL_CLIENT_CERT_PW,
> +  keychain_ssl_client_cert_pw_first_creds,
> +  NULL,
> +  keychain_ssl_client_cert_pw_save_creds
> +};
> +
> +
>  /* Public API */
>  void
>  svn_auth_get_keychain_simple_provider(svn_auth_provider_object_t **provider,
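
Review bot: the comments on keychain_ssl_client_cert_pw_first_creds and keychain_ssl_client_cert_pw_save_creds speak of "cached encrypted credentials" and "the provider's cache" without saying that the passphrase is read from and written to the Keychain through keychain_password_get and keychain_password_set; say so, since that is the only thing distinguishing these wrappers from the file helpers they call. The NULL third member of keychain_ssl_client_cert_pw_provider also deserves a one-line comment naming the slot it leaves empty.
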
> @@ -186,4 +238,14 @@ svn_auth_get_keychain_simple_provider(sv
>   *provider = po;
>  }
>
> +void
> +svn_auth_get_keychain_ssl_client_cert_pw_provider
> +  (svn_auth_provider_object_t **provider,
> +   apr_pool_t *pool)
> +{
> +  svn_auth_provider_object_t *po = apr_pcalloc(pool, sizeof(*po));
> +
> +  po->vtable = &keychain_ssl_client_cert_pw_provider;
> +  *provider = po;
> +}
>  #endif /* SVN_HAVE_KEYCHAIN_SERVICES */
>
> Modified: trunk/subversion/libsvn_subr/ssl_client_cert_pw_providers.c
> URL: http://svn.collab.net/viewvc/svn/trunk/subversion/libsvn_subr/ssl_client_cert_pw_providers.c?pathrev=32860&r1=32859&r2=32860
> ==============================================================================
> --- trunk/subversion/libsvn_subr/ssl_client_cert_pw_providers.c Tue Sep  2 11:03:49 2008        (r32859)
> +++ trunk/subversion/libsvn_subr/ssl_client_cert_pw_providers.c Tue Sep  2 12:12:54 2008        (r32860)
> @@ -207,7 +207,8 @@ svn_auth__ssl_client_cert_pw_file_save_c
>          ahead and store it to disk. Else determine whether saving
>          in plaintext is OK. */
>       if (strcmp(passtype, SVN_AUTH__KWALLET_PASSWORD_TYPE) == 0
> -          || strcmp(passtype, SVN_AUTH__GNOME_KEYRING_PASSWORD_TYPE) == 0)
> +          || strcmp(passtype, SVN_AUTH__GNOME_KEYRING_PASSWORD_TYPE) == 0
> +          || strcmp(passtype, SVN_AUTH__KEYCHAIN_PASSWORD_TYPE) == 0)
>         {
>           may_save_passphrase = TRUE;
>         }
>
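
Review bot: the condition in svn_auth__ssl_client_cert_pw_file_save_creds_helper is now a three-way strcmp chain, and any store missing from it falls into the "determine whether saving in plaintext is OK" branch. That fails safe, but every new encrypted store has to remember to extend this line; move the list of encrypted password types into one helper or table so the decision is made in a single place. If the comment above the condition enumerates the covered stores, add the Keychain there too.
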
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: svn-unsubscribe@subversion.tigris.org
> For additional commands, e-mail: svn-help@subversion.tigris.org

Hi Jeremy,

Do you have a Windows build environment available?  This commit breaks
the build on Windows -- the win32-xp VS2005 buildbot is down right now
so you won't have noticed.  I'm not sure why this breaks the build
exactly since everything you added is blocked in defined(DARWIN) ||
defined(DOXYGEN) or #ifdef SVN_HAVE_KEYCHAIN_SERVICES.

Somehow svn_auth_get_keychain_ssl_client_cert_pw_provider is ending up
in the libsvn_subr.def (module definition file) when doing a clean
build.  Not sure why this is (hand editing the file to remove it fixes
the build).  I can try to look into this more later, but just wanted
to give you a heads up.

Paul

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Re: svn commit: r32860 - in trunk/subversion: include libsvn_subr

Posted by Jeremy Whitlock <jc...@gmail.com>.
>> Do you have a Windows build environment available?  This commit breaks
>> the build on Windows -- the win32-xp VS2005 buildbot is down right now
>> so you won't have noticed.  I'm not sure why this breaks the build
>> exactly since everything you added is blocked in defined(DARWIN) ||
>> defined(DOXYGEN) or #ifdef SVN_HAVE_KEYCHAIN_SERVICES.
>>
>> Somehow svn_auth_get_keychain_ssl_client_cert_pw_provider is ending up
>> in the libsvn_subr.def (module definition file) when doing a clean
>> build.  Not sure why this is (hand editing the file to remove it fixes
>> the build).  I can try to look into this more later, but just wanted
>> to give you a heads up.
>
> It looks like the other Darwin-specific define is special-cased in
> build/generator/extractor.py
> as not being available on Windows.
>
>
> The .def format has been deprecated for a long time (it was the recommended method until Windows '95 arrived).
>
> Many other projects (including APR) have moved to using a specific define in their headers that is #defined to __declspec(dllexport) when compiling for a DLL on Windows.
>
> Implementing a similar change in Subversion would allow removing the .def generator support from the Python generator.
>

Looks like Bert beat me to explaining this but who should "fix" this?

-- 
Take care,

Jeremy Whitlock
http://www.thoughtspark.org


RE: svn commit: r32860 - in trunk/subversion: include libsvn_subr

Posted by Bert Huijben <be...@qqmail.nl>.
> -----Original Message-----
> From: Paul Burba [mailto:ptburba@gmail.com]
> Sent: woensdag 3 september 2008 16:59
> To: dev@subversion.tigris.org; jwhitlock@tigris.org
> Cc: svn@subversion.tigris.org
> Subject: Re: svn commit: r32860 - in trunk/subversion: include
> libsvn_subr
> 
> Hi Jeremy,
> 
> Do you have a Windows build environment available?  This commit breaks
> the build on Windows -- the win32-xp VS2005 buildbot is down right now
> so you won't have noticed.  I'm not sure why this breaks the build
> exactly since everything you added is blocked in defined(DARWIN) ||
> defined(DOXYGEN) or #ifdef SVN_HAVE_KEYCHAIN_SERVICES.
> 
> Somehow svn_auth_get_keychain_ssl_client_cert_pw_provider is ending up
> in the libsvn_subr.def (module definition file) when doing a clean
> build.  Not sure why this is (hand editing the file to remove it fixes
> the build).  I can try to look into this more later, but just wanted
> to give you a heads up.

It looks like the other Darwin-specific define is special-cased in
build/generator/extractor.py
as not being available on Windows.


The .def format has been deprecated for a long time (it was the recommended method until Windows '95 arrived).

Many other projects (including APR) have moved to using a specific define in their headers that is #defined to __declspec(dllexport) when compiling for a DLL on Windows.

Implementing a similar change in Subversion would allow removing the .def generator support from the Python generator.

	Bert

> Paul

