[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

[PATCH] Add support for SASL security layers to ra_svn

From: Vlad Georgescu <vgeorgescu_at_gmail.com>
Date: 2006-11-22 14:14:42 CET

Hi,

Some SASL mechanisms (e.g. DIGEST-MD5, GSSAPI, etc.) support security
layers (i.e. encryption). This patch adds support for such layers,
using the new svn_ra_svn__stream_t interface introduced in r22238. The
presence and level of encryption are negotiated during the
authentication exchange. On the server side, two new svnserve.conf
options (min-encryption and max-encryption) can be used in this
negotiation. For example, setting both to 0 would disable encryption,
setting min-encryption to 128 would require at least 128-bit
encryption etc.

[[[
Add support for SASL security layers to ra_svn.

* subversion/libsvn_ra_svn/ra_svn.h
 (svn_ra_svn_conn_st): New member 'encrypted'.

* subvesion/libsvn_ra_svn/marshal.c
 (svn_ra_svn_create_conn): Initialize conn->encrypted.

* subversion/libsvn_ra_svn/sasl_auth.c
 (sasl_baton_t): New typedef.
 (sasl_read_cb, sasl_write_cb, sasl_timeout_cb, sasl_pending_cb): Implement
  the svn_ra_svn__stream_t interface.
 (svn_ra_svn__enable_sasl_encryption): New function. Wraps the existing
  stream with a SASL encrypted stream.
 (svn_ra_svn__do_auth): Make sure sasl_ctx has the same lifetime as the
  connection. Call svn_ra_svn__enable_sasl_encryption.

* subversion/include/private/ra_svn_sasl.h
 (svn_ra_svn__enable_sasl_encryption): New declaration.

* subversion/include/svn_config.h
 (SVN_CONFIG_OPTION_MIN_SSF, SVN_CONFIG_OPTION_MAX_SSF): New options for
  svnserve.conf.

* subversion/libsvn_repos/repos.c
 (create_conf): Add the new options to the default svnserve.conf.

* subversion/svnserve/sasl_auth.c
 (sasl_auth_request): Make sure sasl_ctx has the same lifetime as the
  connection. Read the new svnserve.conf options. Call
  svn_ra_svn__enable_sasl_encryption after the authentication exchange.
]]]

-- 
Vlad


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@subversion.tigris.org
For additional commands, e-mail: dev-help@subversion.tigris.org

Received on Wed Nov 22 14:15:10 2006

This is an archived mail posted to the Subversion Dev mailing list.