[PATCH] Apply this svn patch

From: Blair Zajac <blair_at_orcaware.com>
Date: 2002-02-23 00:57:40 CET

Could somebody apply this patch? It's a slightly modified version of
the neon 0.19.2 patch. This one adds a to do comment regarding how SSL
certificates should be handled from the discussion held this week.

Best,
Blair

-- 
Blair Zajac <blair@orcaware.com>
Web and OS performance plots - http://www.orcaware.com/orca/

2002-02-22  Blair Zajac  <blair@orcaware.com>
	Fix issue #625.
	* CHANGES: Update to use neon 0.19.2.
	* INSTALL (Contents): Update to use neon 0.19.2.
	* build/buildcheck.sh (NEON_WANTED): Check for neon 0.19.2
	* subversion/libsvn_ra_dav/session.c (svn_ra_dav__open): Upgrade
	to neon 0.19.2 which removed the ne_session_server() function and
	replaced it with ne_session_create() which takes the URI scheme,
	hostname and port.  Replace a call to removed ne_set_secure() to
	ne_supports_ssl().
	(ssl_set_verify_callback): New function.
	* packages/rpm/README: Update to use neon 0.19.2.
	* packages/rpm/subversion.spec: Update to use neon 0.19.2.
Index: ./subversion/libsvn_ra_dav/session.c
===================================================================
--- ./subversion/libsvn_ra_dav/session.c
+++ ./subversion/libsvn_ra_dav/session.c	Fri Feb 22 15:31:29 2002
@@ -83,6 +83,37 @@
 }
 
 
+/* A neon-session callback to validate the SSL certificate when the CA
+   is unknown or there are other SSL certificate problems. */
+static int ssl_set_verify_callback(void *userdata, int failures,
+                                   const ne_ssl_certificate *cert)
+{
+  /* XXX Right now this accepts any SSL server certificates.
+     Subversion should perform checks of the SSL certificates and keep
+     any information related to the certificates in $HOME/.subversion
+     and not in the .svn directories so that the same information can
+     be used for multiple working copies.
+
+     Upon connecting to an SSL svn server, this is was subversion
+     should do:
+
+     1) Check if a copy of the SSL certificate exists for the given
+     svn server hostname in $HOME/.subversion.  If it is there, then
+     just continue processing the svn request.  Otherwise, print all
+     the information about the svn server's SSL certificate and ask if
+     the user wants to:
+     a) Cancel the request.
+     b) Continue this request but do the store the SSL certificate so
+        that the next request will require the same revalidation.
+     c) Accept the SSL certificate forever.  Store a copy of the
+        certificate in $HOME/.subversion.
+
+     Also, when checking the certificate, warn if the certificate is
+     not properly signed by a CA.
+   */
+  return 0;
+}
+
 /* ### need an ne_session_dup to avoid the second gethostbyname
  * call and make this halfway sane. */
 
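Review bot: `ssl_set_verify_callback` ends in an unconditional `return 0;` and never reads `failures` or `cert`, so, as its own XXX comment says, any server certificate is accepted and an https:// session gives no assurance about which server it reached. Until the certificate store in $HOME/.subversion described in the comment exists, consider returning non-zero so that a certificate which fails verification still fails the connection, or at least reporting the `failures` value to the user before continuing. Two wording slips in the TODO change its meaning: "this is was subversion should do" should read "this is what", and option b) "but do the store the SSL certificate" should read "but do not store". The function name also reads like a setter; something like `ssl_verify_callback` would describe it better.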
@@ -99,6 +130,7 @@
   ne_session *sess, *sess2;
   struct uri uri = { 0 };
   svn_ra_session_t *ras;
+  int is_ssl_session;
 
   /* Sanity check the URI */
   if (uri_parse(repository, &uri, NULL) 
@@ -116,45 +148,27 @@
                             "network socket initialization failed");
   }
 
-  /* Create two neon session objects, and set their properties... */
-  sess = ne_session_create();
-  sess2 = ne_session_create();
-
 #if 0
   /* #### enable this block for debugging output on stderr. */
   ne_debug_init(stderr, NE_DBG_HTTP|NE_DBG_HTTPBODY);
 #endif
 
-#if 0
-  /* Turn off persistent connections. */
-  ne_set_persist(sess, 0);
-  ne_set_persist(sess2, 0);
-#endif
-
-  /* make sure we will eventually destroy the session */
-  apr_pool_cleanup_register(pool, sess, cleanup_session, apr_pool_cleanup_null);
-  apr_pool_cleanup_register(pool, sess2, cleanup_session, apr_pool_cleanup_null);
-
-  ne_set_useragent(sess, "SVN/" SVN_VERSION);
-  ne_set_useragent(sess2, "SVN/" SVN_VERSION);
-
   /* we want to know if the repository is actually somewhere else */
   /* ### not yet: http_redirect_register(sess, ... ); */
 
-  if (strcasecmp(uri.scheme, "https") == 0)
+  is_ssl_session = (strcasecmp(uri.scheme, "https") == 0);
+  if (is_ssl_session)
     {
       if (uri.port == -1)
         {
           uri.port = 443;
         }
-      if (ne_set_secure(sess, 1))
+      if (ne_supports_ssl() == 0)
         {
           uri_free(&uri);
           return svn_error_create(SVN_ERR_RA_SOCK_INIT, 0, NULL, pool,
                                   "SSL is not supported");
         }
-
-      ne_set_secure(sess2, 1);
     }
 #if 0
   else
@@ -170,16 +184,32 @@
       uri.port = 80;
     }
 
-  if (ne_session_server(sess, uri.host, uri.port))
+  /* Create two neon session objects, and set their properties... */
+  sess = ne_session_create(uri.scheme, uri.host, uri.port);
+  sess2 = ne_session_create(uri.scheme, uri.host, uri.port);
+
+  /* For SSL connections, when the CA certificate is not known for the
+     server certificate or the server cert has other verification
+     problems, neon will fail the connection unless we add a callback
+     to tell it to ignore the problem.  */
+  if (is_ssl_session)
     {
-      svn_error_t *err =
-        svn_error_createf(SVN_ERR_RA_HOSTNAME_LOOKUP, 0, NULL, pool,
-                          "Hostname not found: %s", uri.host);
-      uri_free(&uri);
-      return err;
+      ne_ssl_set_verify(sess, ssl_set_verify_callback, NULL);
+      ne_ssl_set_verify(sess2, ssl_set_verify_callback, NULL);
     }
 
-  ne_session_server(sess2, uri.host, uri.port);
+#if 0
+  /* Turn off persistent connections. */
+  ne_set_persist(sess, 0);
+  ne_set_persist(sess2, 0);
+#endif
+
+  /* make sure we will eventually destroy the session */
+  apr_pool_cleanup_register(pool, sess, cleanup_session, apr_pool_cleanup_null);
+  apr_pool_cleanup_register(pool, sess2, cleanup_session, apr_pool_cleanup_null);
+
+  ne_set_useragent(sess, "SVN/" SVN_VERSION);
+  ne_set_useragent(sess2, "SVN/" SVN_VERSION);
 
   /* clean up trailing slashes from the URL */
   len = strlen(uri.path);
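Review bot: the removed `if (ne_session_server(sess, uri.host, uri.port))` branch returned SVN_ERR_RA_HOSTNAME_LOOKUP ("Hostname not found: %s") and freed `uri`, but the new code uses the results of both `ne_session_create()` calls unchecked and no replacement for that error is visible here, so please say where a bad hostname is now reported. Also, `is_ssl_session` is computed with `strcasecmp`, yet `uri.scheme` is passed to `ne_session_create()` exactly as the user typed it; if neon compares the scheme case-sensitively, a URL written as "HTTPS://..." would get the verify callback registered without an SSL session, so passing a normalized scheme would be safer. Finally, the new comment says neon fails the connection by default on verification problems; registering the accept-everything callback on both sessions turns that into fail-open, which the log message should state explicitly.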
Index: ./build/buildcheck.sh
===================================================================
--- ./build/buildcheck.sh
+++ ./build/buildcheck.sh	Tue Feb 19 15:21:40 2002
@@ -53,7 +53,7 @@
 #--------------------------------------------------------------------------
 # check for the correct version of Neon
 #
-NEON_WANTED=0.18.5
+NEON_WANTED=0.19.2
 if test -d ./neon; then
   NEON_VERSION="`./ac-helpers/get-neon-ver.sh neon`"
   if test "$NEON_WANTED" != "$NEON_VERSION"; then
Index: ./INSTALL
===================================================================
--- ./INSTALL
+++ ./.svn/tmp/INSTALL.60556.00001.tmp	Fri Feb 22 15:55:28 2002
@@ -132,7 +132,7 @@
       Build.
 
 
-      5.  Neon library 0.18.5
+      5.  Neon library 0.19.2
 
       The Neon library allows a Subversion client to interact with remote
       repositories over the Internet. Although in theory you could have
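Review bot: the `+++` header for this file names `./.svn/tmp/INSTALL.60556.00001.tmp`, a working-copy temporary file, rather than `./INSTALL` as the other files in this patch do. Regenerating the INSTALL part of the diff so that both header lines name `./INSTALL` removes any ambiguity about which file gets patched.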
@@ -144,10 +144,10 @@
       want Subversion to build it. The source code is included with the
       latest Subversion tarball, and it can also be obtained from:
 
-          http://www.webdav.org/neon/neon-0.18.5.tar.gz
+          http://www.webdav.org/neon/neon-0.19.2.tar.gz
 
       Unpack the archive using tar/gunzip and rename the resulting
-      directory from "./neon-0.18.5/" to "./neon/".
+      directory from "./neon-0.19.2/" to "./neon/".
 
       Without source code, a previously compiled library can be picked up
       from the standard locations. If you want to specify a nonstandard
@@ -362,7 +362,7 @@
           apache*.i386.rpm (Version 2.0.32 or greater)
           db*.i386.rpm     (Version 4.0.14 or greater)
           expat            (Comes with RedHat)
-          neon             (Version 0.18.5 or greater)
+          neon             (Version 0.19.2 or greater)
 
       After downloading, install it (as root user):
 
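Review bot: the changed line keeps "or greater" (`neon (Version 0.19.2 or greater)`), while build/buildcheck.sh in this same patch rejects any tree where `"$NEON_WANTED" != "$NEON_VERSION"` and packages/rpm/README says `neon = 0.19.2`. Since session.c now depends on the 0.19.2 API, suggest stating the exact version here as well so the three places agree.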
@@ -537,7 +537,7 @@
       supported at this time.
 
       To build the client components, you'll need a copy of neon
-      0.18.5.  See section I.5 for details on where to get one and what
+      0.19.2.  See section I.5 for details on where to get one and what
       to do with it when you get it.
 
       [NOTE: The neon library supports secure connections with OpenSSL
Index: ./CHANGES
===================================================================
--- ./CHANGES
+++ ./CHANGES	Tue Feb 19 15:21:16 2002
@@ -1,3 +1,6 @@
+Version 0.10
+ * build system evolution
+     - upgrade to neon 0.19.2
 
 Version 0.9 (released 15 Feb 2002, revision 1302)
 
Index: ./packages/rpm/subversion.spec
===================================================================
--- ./packages/rpm/subversion.spec
+++ ./packages/rpm/subversion.spec	Fri Feb 22 15:55:05 2002
@@ -1,5 +1,5 @@
 %define apache_version 2.0.32-0.4
-%define neon_version 0.18.5
+%define neon_version 0.19.2
 %define apr_date 2002.02.15
 Summary: A Concurrent Versioning system similar to but better than CVS.
 Name: subversion
@@ -60,6 +60,9 @@
 the Apache directories and configuration.
 
 %changelog
+* Fri Feb 22 2002 Blair Zajac <blair@orcaware.com> 0.10.0-1364
+- Updated to neon-0.19.2.
+
 * Mon Feb 11 2002 David Summers <david@summersoft.fay.ar.us> 0.8.0-1250
 - Back to using apr and apr-util separately from apache.
 
Index: ./packages/rpm/README
===================================================================
--- ./packages/rpm/README
+++ ./packages/rpm/README	Tue Feb 19 15:22:02 2002
@@ -15,7 +15,7 @@
 
        db >= 4.0.14
        expat (comes with RedHat)
-       neon = 0.18.5
+       neon = 0.19.2
        apache >= 2.0.32 (for subversion-server)
 
     B. To compile:
@@ -25,7 +25,7 @@
        apache-devel >= 2.0.32
        expat-devel
        libtool >= 1.4.2
-       neon = 0.18.5
+       neon = 0.19.2
        python >= 1.5.2 (2.0 or greater to run check programs)
 
     The non-standard packages apache-2.0.32, db, and neon, can be found at:
Received on Sat Oct 21 14:37:09 2006

This is an archived mail posted to the Subversion Dev mailing list.