Hi,
Some SASL mechanisms (e.g. DIGEST-MD5, GSSAPI, etc.) support security
layers (i.e. encryption). This patch adds support for such layers,
using the new svn_ra_svn__stream_t interface introduced in r22238. The
presence and level of encryption are negotiated during the
authentication exchange. On the server side, two new svnserve.conf
options (min-encryption and max-encryption) can be used in this
negotiation. For example, setting both to 0 would disable encryption,
setting min-encryption to 128 would require at least 128-bit
encryption etc.
[[[
Add support for SASL security layers to ra_svn.

* subversion/libsvn_ra_svn/ra_svn.h
  (svn_ra_svn_conn_st): New member 'encrypted'.

* subversion/libsvn_ra_svn/marshal.c
  (svn_ra_svn_create_conn): Initialize conn->encrypted.

* subversion/libsvn_ra_svn/sasl_auth.c
  (sasl_baton_t): New typedef.
  (sasl_read_cb, sasl_write_cb, sasl_timeout_cb, sasl_pending_cb): Implement
   the svn_ra_svn__stream_t interface.
  (svn_ra_svn__enable_sasl_encryption): New function. Wraps the existing
   stream with a SASL encrypted stream.
  (svn_ra_svn__do_auth): Make sure sasl_ctx has the same lifetime as the
   connection. Call svn_ra_svn__enable_sasl_encryption.

* subversion/include/private/ra_svn_sasl.h
  (svn_ra_svn__enable_sasl_encryption): New declaration.

* subversion/include/svn_config.h
  (SVN_CONFIG_OPTION_MIN_SSF, SVN_CONFIG_OPTION_MAX_SSF): New options for
   svnserve.conf.

* subversion/libsvn_repos/repos.c
  (create_conf): Add the new options to the default svnserve.conf.

* subversion/svnserve/sasl_auth.c
  (sasl_auth_request): Make sure sasl_ctx has the same lifetime as the
   connection. Read the new svnserve.conf options. Call
   svn_ra_svn__enable_sasl_encryption after the authentication exchange.
]]]
--
Vlad
Received on Wed Nov 22 14:15:10 2006
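
The effect of the min-encryption and max-encryption limits described in the message above, as an added example that is not part of the original post or of the Subversion patch: a simplified C model of how a minimum and maximum security strength factor (SSF) on each side decide which mechanisms stay usable and what strength results. The type names, function names and the mechanism table are assumptions made for illustration; real per-mechanism SSF values depend on the SASL library in use.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model, not Subversion or SASL library code.
   SSF 0 means no security layer; N means roughly N-bit encryption. */
typedef struct { const char *name; unsigned max_ssf; } mech_t;
typedef struct { unsigned min_ssf, max_ssf; } ssf_range_t;

/* Constructed sample table (assumed values, for illustration only). */
static const mech_t sample_mechs[] = {
  { "ANONYMOUS", 0 }, { "CRAM-MD5", 0 }, { "GSSAPI", 56 }, { "DIGEST-MD5", 128 },
};
#define N_SAMPLE (sizeof(sample_mechs) / sizeof(sample_mechs[0]))

static unsigned umin(unsigned a, unsigned b) { return a < b ? a : b; }
static unsigned umax(unsigned a, unsigned b) { return a > b ? a : b; }

/* SSF a mechanism would yield under both peers' limits, or -1 if the
   mechanism cannot reach the stricter of the two minimums. */
int negotiate_ssf(const mech_t *m, ssf_range_t server, ssf_range_t client)
{
  unsigned lo = umax(server.min_ssf, client.min_ssf);
  unsigned hi = umin(m->max_ssf, umin(server.max_ssf, client.max_ssf));
  return hi < lo ? -1 : (int)hi;
}

/* Number of mechanisms in the table that remain usable. */
size_t usable_mechs(const mech_t *mechs, size_t n,
                    ssf_range_t server, ssf_range_t client)
{
  size_t i, count = 0;
  for (i = 0; i < n; i++)
    if (negotiate_ssf(&mechs[i], server, client) >= 0)
      count++;
  return count;
}

int main(void)
{
  ssf_range_t client = { 0, 256 };
  ssf_range_t strict = { 128, 256 };  /* min-encryption = 128 */
  size_t i;
  for (i = 0; i < N_SAMPLE; i++)
    printf("%-10s -> %d\n", sample_mechs[i].name,
           negotiate_ssf(&sample_mechs[i], strict, client));
  return 0;
}
```

In this model a non-zero minimum removes every mechanism that offers no security layer, so a server that sets a minimum should confirm that at least one mechanism it offers can reach it.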