[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] SASL support ready for review and testing

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2006-07-10 15:42:27 CEST

Hey folks,

I finally have something for you to play with. Before I get into
details, here are a few things you should know:
1. To implement security layers (i.e. encryption) I used the
svn_ra_svn_stream_t implementation from the svnserve-ssl branch.
2. I haven't tested this patch with GSSAPI or KERBEROS_V4. If you have
a working Kerberos setup, you are encouraged to try this out.
3. No win32 support yet.

To test this:

- Install Cyrus SASL version 2.0.0 or later

- Put this in your svnserve.conf:
  [sasl]
  use-sasl = true
  min-enc-strength = 0
  max-enc-strenght = 256

  min-enc-strength and max-enc-strength are the minimum and maximum encryption
strengths that you want SASL to provide. 0 means no encryption, 1
means integriy-checking only, and values greater than 1 correspond to
the key length, in bits. Both options default to 0 at the moment.

- Put this in your /usr/lib/sasl2/Subversion.conf :
  pwcheck_method: auxprop
  mech_list: ANONYMOUS CRAM-MD5 DIGEST-MD5 .. etc

  Cyrus SASL also supports another password-checking method via a
standalone daemon, saslauthd. It only works with plaintext passwords
though, so until we have SSL support for ra_svn, it doesn't make much
sense to use it.

  There are many more options that you can specify. See the SASL docs
for details.

- Add users to the password database:
  # saslpasswd2 -c user -u realm -a Subversion

  Replace realm with the realm specified in svnserve.conf.

- Make sure the user who owns svnserve has read access to the password
database (usually /etc/sasldb2). If you are going to use OTP you also
need write access.

[[[
Fix issue #1144: Add full SASL authentication support to ra_svn.

* configure.in:
  Define SVN_HAVE_SASL.

* subversion/include/svn_config.h
  (SVN_CONFIG_SECTION_SASL): New section.
  (SVN_CONFIG_OPTION_USE_SASL,
   SVN_CONFIG_OPTION_MIN_ENC_STRENGTH,
   SVN_CONFIG_OPTION_MAX_ENC_STRENGTH): New options.

* subversion/libsvn_repos/repos.c
  (create_conf): Change default contents of svnserve.conf
  to document the new options.

* subversion/libsvn_ra_svn/client.c
  (ra_svn_session_baton_t): Moved to ra_svn.h and renamed to
  svn_ra_svn__session_baton_t. Changed all occurrences to reflect this.
  (find_mech, read_success): Moved to simple_auth.c.
  (do_auth): Moved to trivial_auth.c and renamed to svn_ra_svn__handle_auth.
  (auth_response): Renamed to svn_ra_svn__auth_response.
  (svn_ra_svn__init): Call svn_ra_svn__sasl_init.
  (make_tunnel). Don't set conn->proc. It doesn't exist anymore.

* subversion/libsvn_ra_svn/ra_svn_sasl.h: New file.

* subversion/libsvn_ra_svn/sasl_auth.c: New file.

* subversion/libsvn_ra_svn/simple_auth.c: New file. Contains
  functions taken from client.c.

* subversion/libsvn_ra_svn/streams.c: New file (copied from the
svnserve-ssl branch).
  (sock_read_cb): Instead of always setting the timeout on sock to 0
after the read,
  set it to the value before the read.

* subversion/libsvn_ra_svn/marshal.c: See r19264, r19283 and r19368.

* subversion/libsvn_ra_svn/ra_svn.h
  (pending_fn_t, timeout_fn_t, svn_ra_svn_stream_t): New typedefs.
  (svn_ra_svn_conn_st): Added new member: is_encrypted.
  Removed "in_file", "out_file", and "proc" members
  in favor of "in_stream" and "out_stream".
  (svn_ra_svn__session_baton_t): New typedef. Copied from client.c.
  (svn_ra_svn__stream_pair_from_sock,
   svn_ra_svn__stream_pair_from_files,
   svn_ra_svn__stream_create,
   svn_ra_svn__stream_write
   svn_ra_svn__stream_read,
   svn_ra_svn__stream_timeout,
   svn_ra_svn__stream_pending,
   svn_ra_svn__handle_auth,
   svn_ra_svn__auth_response,
   svn_ra_svn__sasl_init): New declarations.

* subversion/svnserve/sasl_auth.c: New file

* subversion/svnserve/serve.c
  (server_baton_t): Added new member: use_sasl. Moved to server.h.
  (authn_type, access_type): Moved to server.h.
  (get_access): This function is now public.
  (auth_request): Renamed to simple_auth_request.
  (auth_request): New function. Calls simple_auth_request or
  sasl_auth_request.
  (must_have_access): Also use the value of b->use_sasl to determine
  whether or not an authentication request should be performed.
  (find_repos): Read the value of SVN_CONFIG_OPTION_USE_SASL. Put it
in b->use_sasl.

* subversion/svnserve/main.c
  (main): Call sasl_init().

* subversion/svnserve/server.h
  (server_baton_t): New typedef. Copied from serve.c.
  (authn_type, access_type): New enums. Copied from serve.c.
  (sasl_init, sasl_auth_request): New declarations.
]]]

-- 
Vlad


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Mon Jul 10 15:44:23 2006

This is an archived mail posted to the Subversion Dev mailing list.