[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

Re: [PATCH] SSL layer for svnserve

From: Sigfred Håversen <bsdlist_at_mumak.com>
Date: 2004-10-19 14:12:34 CEST

On Tuesday 19 October 2004 11.54, Joe Orton wrote:
> On Mon, Oct 18, 2004 at 08:03:48PM +0200, Sigfred Håversen wrote:
> > I've added a SSL layer to svnserve, and I would like to have some
> > comments on the patch. Instructions how to run "make check" with
> > self-signed certificate, is below.
> Bits of this code do look like they have been copied from neon e.g.
> asn1time_to_string, but you have stripped the copyright notices.
> joe

I thought I was I giving due credit as to whose approach/code I used.

Here is the code from ne_openssl.c :

/* Format an ASN1 time to a string. 'buf' must be at least of size
static void asn1time_to_string(ASN1_TIME *tm, char *buf)
    BIO *bio;

    strncpy(buf, _("[invalid date]"), NE_SSL_VDATELEN-1);

    bio = BIO_new(BIO_s_mem());
    if (bio) {
        if (ASN1_TIME_print(bio, tm))
            BIO_read(bio, buf, NE_SSL_VDATELEN-1);

Here is the corresponding from my patch :

+/* Format an ASN1 time to a string.
+ * Adapted from Neon library.
+ */
+static svn_boolean_t asn1time_to_string(ASN1_TIME *tm, char *buffer,
+ apr_size_t len)
+ int num_read;
+ svn_boolean_t OK = FALSE;
+ BIO *bio = BIO_new(BIO_s_mem());
+ if (bio)
+ {
+ if (ASN1_TIME_print(bio, tm) && len > 1)
+ {
+ num_read = BIO_read(bio, buffer, len-1);
+ if (num_read > 1)
+ {
+ buffer[num_read] = '\0';
+ OK = TRUE;
+ }
+ else
+ }
+ BIO_free(bio);
+ }
+ return OK;

So, from Neon's asn1time_to_string() I saw that I could use a BIO_s_mem to
actually convert the time to ascii format. The code uses Neon's approach, but with
error handling added. Actually, using a BIO to convert ASN1_TIME to a string is
commonly used, as a bit of Googling shows :


In this I thought I gave due credit to Neon. Do you still think
this is not the case?

You will also note other similarities with Neon in fill_server_cert_info().
But how can it not be when using SSL functions to get dates, or
fill out the other fields in svn_auth_ssl_server_cert_info_t *cert_info ?
Even using a switch statement after
"verify_result = SSL_get_verify_result(sess->conn->ssl);" are common,
and in this I again choosed to test for the same values as in Neon, for
compatability reasons.

Now, for the non-trivial parts, I use the Postfix TLS patch by Lutz Jaenicke
(http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/) as a model of
how to work with BIO pairs. As it is, he uses a free license :

This software is free. You can do with it whatever you want. I would however
kindly ask you to acknowledge the use of this package, if you are going use it
in your software, which you might be going to distribute. I would also like to
receive a note if you are a satisfied user :-)"

I did send an e-mail :-) And acknowledge it this way, even though
I've mostly rewritten it.

+ * Adapted from network_biopair_interop() in postfixtls patch by Lutz Jaenicke
+ * at http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/
+ */


To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org
Received on Tue Oct 19 14:12:58 2004

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.