
[PATCH] Make SASL mechanism negotiation smarter

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2006-10-11 12:59:04 CEST

Hi,

This is a fix for a problem originally described here:
http://svn.haxx.se/dev/archive-2006-09/0994.shtml

Specifically, if GSSAPI is part of the list of mechanisms sent by the
server, the client will always choose it over the others (because it's
the most secure) even if it isn't really prepared to use it (e.g.
because there are no Kerberos credentials). Thus authentication will
always fail. The correct behavior would be to retry authentication
with the next best mechanism, which is what this patch does.

The patch isn't specific to GSSAPI, but AFAIK only GSSAPI exhibits the
problem that this patch is trying to fix.

[[[
If a SASL mechanism fails sufficiently early (i.e. before the client
sends the initial response), don't automatically fail the
authentication. Instead, fall back to the next best mechanism sent by
the server.

* subversion/libsvn_ra_svn/sasl_auth.c
  (try_auth): If sasl_client_start() fails with a non-fatal error message,
  delete the current mechanism from the list and try again.
]]]

-- 
Vlad



Received on Wed Oct 11 12:59:18 2006

This is an archived mail posted to the Subversion Dev mailing list.
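
The fallback described in the log message, as an added example in C; it is not the code from the patch or from Subversion. `stub_client_start()`, the result codes, the preference order and `try_auth_with_fallback()` are assumptions made for illustration, with the stub standing in for `sasl_client_start()` so the example runs without a SASL library.

```c
#include <stdio.h>
#include <string.h>

/* Constructed result codes standing in for the SASL library's. */
enum { START_OK, START_NO_CREDS, START_FATAL };

/* Find `mech` as a whole space-separated token in `list`, or NULL. */
static char *find_mech(char *list, const char *mech) {
  size_t n = strlen(mech);
  for (char *p = list; (p = strstr(p, mech)) != NULL; p += n)
    if ((p == list || p[-1] == ' ') && (p[n] == ' ' || !p[n])) return p;
  return NULL;
}
/* Delete one mechanism from the list in place. */
static void remove_mech(char *list, const char *mech) {
  char *p = find_mech(list, mech), *rest;
  if (!p) return;
  rest = p + strlen(mech);
  if (*rest == ' ') rest++;        /* drop the separator after it */
  else if (p > list) p--;          /* last token: drop the one before */
  memmove(p, rest, strlen(rest) + 1);
}

/* Hypothetical stand-in for sasl_client_start(); GSSAPI has no ticket. */
static int stub_client_start(char *mechs, const char **chosen) {
  /* Constructed client preference order, most preferred first. */
  static const char *pref[] = { "GSSAPI", "DIGEST-MD5", "CRAM-MD5", "PLAIN" };
  for (size_t i = 0; i < sizeof pref / sizeof *pref; i++)
    if (find_mech(mechs, pref[i])) {
      *chosen = pref[i];
      return i == 0 ? START_NO_CREDS : START_OK;
    }
  return START_FATAL;              /* nothing in common with the server */
}

/* Returns the mechanism that started, or NULL if none could. */
static const char *try_auth_with_fallback(const char *server_mechs) {
  char list[256];
  const char *mech = NULL;
  if (strlen(server_mechs) >= sizeof list) return NULL;
  strcpy(list, server_mechs);
  for (;;) {
    int rc = stub_client_start(list, &mech);
    if (rc != START_NO_CREDS) return rc == START_OK ? mech : NULL;
    remove_mech(list, mech);       /* non-fatal: retry with the rest */
  }
}

int main(void) {
  const char *m = try_auth_with_fallback("GSSAPI DIGEST-MD5 PLAIN");
  return puts(m ? m : "(none)") == EOF;
}
```

Matching whole tokens matters when editing the list: a substring match on `GSSAPI` would also hit a mechanism such as `X-GSSAPI` and corrupt the list passed to the next attempt.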