subversion-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bert Huijben" <b...@qqmail.nl>
Subject RE: servers "ssl-authority-files" with svn lib
Date Fri, 22 Nov 2013 14:08:37 GMT


From: Kai-Uwe.Schieser@hydrometer.de [mailto:Kai-Uwe.Schieser@hydrometer.de]

Sent: donderdag 21 november 2013 18:15
To: stsp@elego.de
Cc: users@subversion.apache.org
Subject: Re: servers "ssl-authority-files" with svn lib

> Hi Stefan! 
> 
> Thanks for your response. 
> You are right. Code would make things much clearer ;-). Sorry for that. 
> 
> OK. So here is the constructor of my simple client. 
> 
> CODE START: 
> 
> SimpleSVNClient::SimpleSVNClient(const string& configDir) 
> { 
>         if(!aprPoolInitFlag) 
>     { 
>         apr_initialize(); 
>         apr_pool_initialize(); 
>         aprPoolInitFlag = true; 
>     } 
>     
>     m_pool = svn_pool_create(0); 
>     
>     if(0 == m_pool) 
>     { 
>         ...error handling... 
>     } 
>     
>     const char* configDir_temp = 0; 
>     m_configDir = configDir; 
>     if(configDir.length() > 0) 
>     { 
>         configDir_temp = configDir.c_str(); 
>     } 
>     
>     svn_config_ensure(configDir_temp, m_pool); 
>     
>     apr_array_header_t* providers = apr_array_make(m_pool, 8,
sizeof(svn_auth_provider_object_t *)); 
>     svn_auth_provider_object_t *provider; 
> 
>     svn_client_get_simple_provider(&provider, m_pool); 
>     *(svn_auth_provider_object_t **)apr_array_push(providers) = provider; 
> 
>     svn_client_get_username_provider(&provider, m_pool); 
>     *(svn_auth_provider_object_t **)apr_array_push(providers) = provider; 
>       
>     // add ssl providers 
>     // file first then prompt providers 
>     svn_client_get_ssl_server_trust_file_provider(&provider, m_pool); 
>     *(svn_auth_provider_object_t **)apr_array_push(providers) = provider; 
> 
>     svn_client_get_ssl_client_cert_file_provider(&provider, m_pool); 
>     *(svn_auth_provider_object_t **)apr_array_push(providers) = provider; 
> 
>     svn_client_get_ssl_client_cert_pw_file_provider(&provider, m_pool); 
>     *(svn_auth_provider_object_t **)apr_array_push(providers) = provider; 
> 
>     svn_auth_baton_t* ab; 
>     svn_auth_open(&ab, providers, m_pool); 

This looks good, but if you are programming for Windows you should also load
the Windows specific authorization providers or you will store your
passwords unencrypted.

The documentation also recommends using svn_ra_initialize(),
svn_utf_initialize2() and svn_dso_initialize(), but I don't think this will
explain your problem.
>     
>     if(0 == ab) 
>     { 
>         ...error handling... 
>     } 
>     
>     // initialize m_ctx structure 
>     svn_client_create_context(&m_ctx, m_pool); 
>     // get the config based on the configDir passed in 
>     svn_config_get_config(&m_ctx->config, configDir_temp, m_pool); 
>     // tell the auth functions where the config is 
>     svn_auth_set_parameter(ab, SVN_AUTH_PARAM_CONFIG_DIR, configDir_temp);

>     m_ctx->auth_baton = ab; 
> } 
> 
> CODE END 
> 
> 
> And here is the checkout method of the class (SVNRevision is a wrapper for
the svn_revision): 
> 
> CODE START: 
> 
> long int SimpleSVNClient::checkout(const string& url, const string&
destPath, const BMSVNRevision& revision, 
>                                     const bool recursive, const bool
ignoreExt, const SVNRevision& pegRevision) 
> { 
>     int ret; 
>     apr_pool_t* pool = svn_pool_create(0); 
>     if(0 == pool) 
>     { 
>         ...error handling... 
>     } 

I would recommend using nested pools, not only global pools. That way memory
usage is better optimized and you avoid leaking memory in a lot of cases.
>     
>     const char* int_path = svn_path_internal_style(destPath.c_str(),
pool); 

svn_path_internal_style() is deprecated and is simply broken for Windows
drive roots. Please switch to the svn_dirent_*() api.

> 
>     svn_revnum_t revnum = 0; 
>     svn_error_t* err = svn_client_checkout2(&revnum, url.c_str(),
destPath.c_str(), pegRevision.getSVNRevision(), 
>                                             revision.getSVNRevision(),
recursive, ignoreExt, m_ctx, pool); 
>     
>     ret = revnum; 
>     if(err) 
>    { 
>         ...error handling... 
>     } 
>     
>     svn_pool_destroy(pool); 
>     
>     return ret; 
> } 
> 
> CODE END 
> 
> The whole thing crashes when svn_client_checkout2 is called. 
> In between I set the login of course: 
> 
> CODE START 
> 
> void SimpleSVNClient::setLogin(const string& username, const string&
password) 
> { 
>     m_username = username; 
>     m_password = password; 
>     
>     svn_auth_baton_t* ab = m_ctx->auth_baton; 
>     svn_auth_set_parameter(ab, SVN_AUTH_PARAM_DEFAULT_USERNAME,
m_username.c_str()); 
>     svn_auth_set_parameter(ab, SVN_AUTH_PARAM_DEFAULT_PASSWORD,
m_password.c_str()); 
> } 

This is a likely cause for your problem. svn_auth_set_parameter() doesn't
copy the values you pass it (see its documentation), so it will just store a
reference to the current value stored in m_username and m_password. Once
these values are modified or freed things will break very hard. You should
duplicate the strings in the right pool or be extremely careful to keep
those values untouched until after you close all things that might reference
this auth baton.




There are quite a few bindings that may make your life much easier by hiding
these low level details for you. E.g. the high level JavaHL (Java) and
SharpSvn (.Net on Windows) code would +- simplify your code to just:

using(SvnClient client = new SvnClient())
{
    client.Authentication.DefaultCredentials = new
NetworkCredentials(.....); // Fallback if cache fails
    // client.Authentication.ForceCredentials.(...); // svn --username
--password equivalent

    long revnum;

    client.Checkout(new Uri("http://my-server/my-repos"), "C:\\wc"", out
revnum);
}

(This example is for SharpSvn; The JavaHL example would probably not be that
more code, but I'm not fluent in that)

	Bert

> 
> CODE END 
> 
> Bye, Kai 
> 
> 
> Stefan Sperling <stsp@elego.de> schrieb am 21.11.2013 13:59:49:
> 
> > Von: Stefan Sperling <stsp@elego.de> 
> > An: Kai-Uwe.Schieser@hydrometer.de 
> > Kopie: users@subversion.apache.org 
> > Datum: 21.11.2013 13:59 
> > Betreff: Re: servers "ssl-authority-files" with svn lib 
> > 
> > On Wed, Nov 20, 2013 at 06:53:48PM +0100, Kai-
> > Uwe.Schieser@hydrometer.de wrote:
> > > Please add me to the answer list, cause I am not subscribed.
> > > 
> > > 
> > > Hi there!
> > > 
> > > I am using the binary package of Subversion library version 1.7.9 in
my 
> > > software project.
> > > I have written a simple client that I use in an other software to
simply 
> > > checkout from a repository and update it to a specified revision 
> > > automatically.
> > > 
> > > Due to the certificate of  the server, that must be accepted by the 
> > > client, I set the ssl-authority-files to a local certificate file.in
the 
> > > servers file of subversion.
> > > I tested if it works right with the Tortoise svn-client and it does
the 
> > > job. The entry is something like ssl-authority-files=
> > > C:/svn.hostname.de.crt
> > > 
> > > If I try to checkout with the library the whole software crashes
without 
> > > any error messages. 
> > > 
> > > It seems the entry in the servers file ,makes my simple client
crashing. 
> > > As I mentioned the Tortoise works fine with the entry
ssl-authority-files. 
> > > 
> > > The simple client library works fine, when I accepted the certificate 
> > > permenantly in the Tortoise before I checkout with the lib.
> > > 
> > > Do I need to activate something in my library to ensure the proper
usage 
> > > of the servers file entry ssl-authority-files ?
> > > I am sure the entry is evaluated, because I get an error nmessage,
when I 
> > > enter a wrong file name.
> > > 
> > > 
> > > I hope you hava an idea. Thanks,
> > > Kai 
> > 
> > It is hard to tell where the problem could be without seeing the
> > source code of your client.
> > 
> > But here's a guess: Are you seeting up authentication providers
properly?
> > See the function svn_cmdline_create_auth_baton() in this file:
> > https://svn.apache.org/repos/asf/subversion/trunk/subversion/
> > libsvn_subr/cmdline.c
> 
> 
> ________________________________________
> Bitte überlegen Sie, ob Sie diese Nachricht wirklich ausdrucken müssen/
before printing, think about environmental responsibility.
> 
> Hydrometer GmbH, Industriestraße 13, 91522 Ansbach
> Telefon + 49 981 1806 0, Telefax +49 981 1806 615
> Sitz der Gesellschaft: Ansbach, Registergericht: Ansbach HRB 69
> Geschäftsführer: Frank Gutzeit (Sprecher), Dr.-Ing. Robert Westphal,
Thomas Gastner, Adam Mechel
> 
> Der Inhalt der vorstehenden E-Mail ist nicht rechtlich bindend. Diese
E-Mail enthält vertrauliche und/oder rechtlich geschützte Informationen.
Informieren Sie uns bitte, wenn Sie diese E-Mail fälschlicherweise erhalten
haben. Bitte löschen Sie in diesem Fall die Nachricht. Jede unerlaubte Form
der Reproduktion, Bekanntgabe, Änderung, Verteilung und/oder Publikation
dieser E-Mail ist strengstens untersagt.
> 
> The contents of the above mentioned e-mail is not legally binding. This
e-mail contains confidential and/or legally protected information. Please
inform us if you have received this e-mail by mistake and delete it in such
a case. Each unauthorized reproduction, disclosure, alteration, distribution
and/or publication of this e-mail is strictly prohibited.
> 
>


Mime
View raw message