David Waite <mass@akuma.org> (mass)
Patch | r847026, r847005, r847004, r847003, r846938, r845591, r845423, r845391, r845360, r845351, r845331, r845311, r845310, r845281, r845258, r845249, r844748, r844725, r844706, r844686, r844676, r844671, r844670, r842961 |
r842961 | kfogel | 2002-08-05 21:22:22 +0000 (Mon, 05 Aug 2002)
* subversion/clients/cmdline/main.c
(svn_cl__options): Remove workaround for an issue in the APR getopt
code which caused a non-null long name to be required. This has
been fixed in APR now, so we no longer need the workaround.
Patch by: David Waite <mass@akuma.org>
r844670 | mass | 2003-01-26 22:40:05 +0000 (Sun, 26 Jan 2003)
Branch /branches/issue-650-ssl-certs/ : ssl server and client certificates.
r844671 | mass | 2003-01-26 22:59:34 +0000 (Sun, 26 Jan 2003)
* subversion/libsvn_ra_dav/session.c:
New function get_server_setting
New function get_server_setting_int
Removed function get_server_settings, moving the logic into svn_ra_dav__open
r844676 | mass | 2003-01-27 07:10:47 +0000 (Mon, 27 Jan 2003)
Added beginning of server certificate support.
* subversion/libsvn_ra_dav/session.c: added struct ssl_verify_baton_t,
for passing in the appropriate server config group, and passing out
any valid error. ssl_set_verify_callback now performs verification.
The ssl-authorities-file config option points to a CA certificate
collection. Still needs proper error reporting.
r844686 | mass | 2003-01-27 19:08:43 +0000 (Mon, 27 Jan 2003)
* subversion/libsvn_ra_dav/session.c : Cleaned up documentation of
get_server_setting and get_server_setting_int to match doxygen style.
Changed pointer declarations to match subversion style (right-aligned
asterisk)
r844706 | mass | 2003-01-28 06:28:06 +0000 (Tue, 28 Jan 2003)
Avoid re-reading the server config, and report errors via neon.
* subversion/libsvn_subr/config_file.c
(svn_config_ensure) : generate comments about SSL server options.
* subversion/libsvn_ra_dav/session.c :
(struct ssl_verify_baton_t) : removed svn_error_t member, added svn_config_t member
(ssl_set_verify_callback) : pass svn_config_t. No need now for a subpool.
r844725 | mass | 2003-01-29 20:02:14 +0000 (Wed, 29 Jan 2003)
Adjusted symbols which began with an ssl prefix, to make it clearer that they
are not part of the OpenSSL library.
* subversion/libsvn_ra_dav/session.c:
(struct svn_ssl_verify_baton_t) : Renamed from ssl_verify_baton_t.
(svn_ssl_set_verify_callback) : Renamed from ssl_set_verify_callback,
adjusted for other symbol name changes.
(svn_ra_dav__open) : Adjusted for above.
r844748 | mass | 2003-01-30 20:01:27 +0000 (Thu, 30 Jan 2003)
Renamed to indicate struct/functions are not API
* subversion/libsvn_ra_dav/session.c
(struct verify_ssl_baton_t) : Renamed from svn_ssl_verify_baton_t
(verify_ssl_callback) : Renamed from svn_ssl_set_verify_callback, adjusted
for verify_ssl_baton_t name-change
(svn_ra_dav__open) : Adjusted accordingly.
r845249 | mass | 2003-03-02 06:40:28 +0000 (Sun, 02 Mar 2003)
* issue-650-ssl-certs: remove branch with previous SSL server cert work, to be replaced soon by an auth provider mechanism
r845258 | mass | 2003-03-02 21:41:50 +0000 (Sun, 02 Mar 2003)
create new branch for ssl client and server certificate handling
r845281 | mass | 2003-03-05 06:13:12 +0000 (Wed, 05 Mar 2003)
Work towards proper SSL certificate support in the form of auth providers.
This contains most of the logic needed for server certificate validation
against a configuration, while the client providers are stubbed.
* include/svn_ra_dav.h : New file
(svn_ra_dav_get_ssl_server_file_provider,
svn_ra_dav_get_ssl_client_file_provider,
svn_ra_dav_get_ssl_client_password_file_provider) : new functions
for retrieving config file providers for ssl functionality
* include/svn_auth.h
(SVN_AUTH_CRED_CLIENT_SSL, svn_auth_cred_client_ssl_t) : New auth
credential type to trigger loading client cert files
(SVN_AUTH_CRED_CLIENT_PASS_SSL, svn_auth_cred_client_ssl_pass_t) :
New auth credential type for requesting client cert passwords
(SVN_AUTH_CRED_SERVER_SSL, svn_auth_cred_server_ssl_t) : New auth
credential type for requesting server cert validation overrides
(SVN_AUTH_PARAM_SSL_SERVER_DNAME) : New parameter for passing in
certificate fields
* libsvn_ra_dav/ra_dav.h (svn_ra_session_t) : Added parameters to hold
servers configuration and any override group for the server.
* libsvn_ra_dav/session.c
(get_server_setting) : New function to retrieve a value from the
servers config
(get_server_setting_int) : New function to retrieve a value from the
servers config as an integer
(server_ssl_file_first_credentials, server_ssl_file_provider,
svn_ra_dav_get_ssl_server_file_provider) : implement file-based
server ssl auth provider
(client_ssl_cert_file_first_credentials,
client_ssl_cert_file_provider,
svn_ra_dav_get_ssl_client_file_provider) : implement file-based
client ssl cert loader auth provider
(client_ssl_pw_file_first_credentials,
client_ssl_pw_file_provider,
svn_ra_dav_get_ssl_client_password_file_provider) : implement
file-based client ssl cert password auth provider
(ssl_set_verify_callback) : renamed to server_ssl_callback
(server_ssl_callback) : now uses auth provider
(client_ssl_keypw_callback) : New function, call auth provider
(client_ssl_callback) : same
(get_server_settings) : take a svn_config_t* rather than looking it
up internally, since the lookup is now happening outside the
function anyways.
(svn_ra_dav__open) : load list of trusted certificate authorities
based on config, plug in new callbacks
r845310 | mass | 2003-03-07 07:34:20 +0000 (Fri, 07 Mar 2003)
Correct behavior of SSL server connections; the branch now is back up
to the same point as it was in the previous branch.
* include/svn_auth.h
(SVN_AUTH_PARAM_SSL_SERVER_CERTIFICATE) : added for passing ssl
certificate struct around
(SVN_AUTH_PARAM_SSL_SERVER_FAILURES_MASKED) : added for passing
previously accepted ssl server validation failures forward to next
provider.
(SVN_AUTH_PARAM_CONFIG, SVN_AUTH_PARAM_SERVER_GROUP) : added for
passing in configuration and server group for file-based providers.
* libsvn_subr/config_file.c (svn_config_ensure) : document server ssl
options in generated config file.
* clients/cmdline/main.c (main) : add file-based ssl providers
* libsvn_ra_dav/ra_dav.h (svn_ra_session_t) : remove cfg and server_group
* libsvn_ra_dav/session.c
(server_ssl_file_first_credentials) : use config and server group
from apr_hash_t.
(svn_ra_dav__open) : store cfg and server_group in auth param hash
rather than in svn_ra_session_t structure.
r845311 | mass | 2003-03-07 08:06:55 +0000 (Fri, 07 Mar 2003)
libsvn_subr/config_file, libsvn_ra_dav/session.c, clients/cmdline/main.c : Convert tabs to spaces
r845331 | mass | 2003-03-10 06:25:12 +0000 (Mon, 10 Mar 2003)
Implemented file providers for client certs, including passphrase support
via a line in the config. So, it is now possible to authenticate using a ssl
certificate.
* include/svn_auth.h
(struct svn_auth_cred_client_ssl_t) : now providers return filenames
instead of attempting to load certificate themselves
* libsvn_ra_dav/session.c
(server_ssl_callback) : rename "ignore-ssl-unknown-ca",
"ignore-ssl-host-mismatch" and "ignore-ssl-invalid-date" to instead
have a prefix of "ssl-ignore-*"
(client_ssl_cert_file_first_credentials,
client_ssl_pw_file_first_credentials) : Implemented stub functions
(client_ssl_callback) : altered to match svn_auth_cred_client_ssl_t
* libsvn_subr/config_file.c
(svn_config_ensure) : added ssl client config options
r845351 | mass | 2003-03-11 14:17:09 +0000 (Tue, 11 Mar 2003)
Cleanup from sussman's review.
* libsvn_subr (svn_config_ensure) : Correct example for the SSL server
flags in the generated configuration
* include/svn_ra_dav.h
(svn_ra_dav_get_ssl_server_file_provider,
svn_ra_dav_get_ssl_client_file_provider) : added more-triumphant docs
(svn_ra_dav_get_ssl_pw_file_provider) : renamed from
svn_ra_dav_get_ssl_client_password_file_provider, added more-triumphant
docs
* include/svn_auth. (struct svn_auth_cred_client_ssl_t) : more explicit
docs explaining that cert_file and key_file are full paths
* clients/cmdline/main.c (main) : modified for name change above
* libsvn_ra_dav/session.c : reformat file for 80 columns
(svn_ra_dav_get_ssl_pw_file_provider) : renamed as above
r845360 | mass | 2003-03-12 04:20:49 +0000 (Wed, 12 Mar 2003)
Cleanup of comments
* include/svn_ra_dav.h
(svn_ra_dav_get_ssl_server_file_provider,
svn_ra_dav_get_ssl_client_file_provider,
svn_ra_dav_get_ssl_pw_file_provider) : rewrite doxygen comments
r845391 | mass | 2003-03-14 04:35:46 +0000 (Fri, 14 Mar 2003)
Move the auth providers from svn_ra_dav to svn_client, and update the cmdline
client to match. Also define local versions of some Neon constants to
decouple clients.
* include/svn_ra_dav.h
(svn_ra_dav_get_ssl_server_file_provider,
svn_ra_dav_get_ssl_client_file_provider,
svn_ra_dav_get_ssl_pw_file_provider) : rename to
svn_client_get_ssl_server_file_provider,
svn_client_get_ssl_client_file_provider,
and svn_client_get_ssl_pw_file_provider respectively, and move to
svn_client.h
* include/svn_auth.h
(SVN_AUTH_SSL_NOTYETVALID, SVN_AUTH_SSL_EXPIRED,
SVN_AUTH_SSL_CNMISMATCH, SVN_AUTH_SSL_UNKNOWNCA) : added local versions of
NE_SSL_NOTYETVALID, NE_SSL_EXPIRED, NE_SSL_CNMISMATCH, and
NE_SSL_UNKNOWNCA. This eliminates the dependency on neon for the
providers (except for retrieving additional data from the
auth_baton later)
* libsvn_ra_dav/session.c
(get_server_setting, get_server_setting_int): made global functions
in config, renamed to svn_config_get_server_setting and
svn_config_get_server_setting_int and moved impl to
libsvn_subr/config.c. Moved providers above into
libsvn_client/auth.c
* clients/cmdline/main.c (main) : update with new svn_client* provider names
* libsvn_client/auth.c : See above
* include/svn_client.h : See above
* include/svn_config.h : See above
* libsvn_subr/config.c : See above
r845423 | mass | 2003-03-16 06:24:47 +0000 (Sun, 16 Mar 2003)
Some cleanup, and new improved/implemented prompting providers for the
command-line client.
* include/svn_ra_dav.h : move to svn_client.h, removing file.
* include/svn_auth.h (struct svn_auth_ssl_cert_type_t) : move out from
svn_auth_cred_client_ssl_t as own type
(SVN_AUTH_PARAM_SSL_SERVER_FAILURES_MASKED): remove masked failures; sussman
commented that auth providers should not be reliant on one-another.
* libsvn_ra_dav/session.c
(svn_ra_dav_get_ssl_server_prompt_provider,
svn_ra_dav_get_ssl_client_prompt_provider,
svn_ra_dav_get_ssl_pw_prompt_provider) : move to
libsvn_client/auth.c
(server_ssl_callback) : remove masked failures; sussman commented that
auth providers should not be reliant on one-another.
(client_ssl_callback) : use neon methods to load client certificate,
based on type
* include/svn_client.h
(svn_client_get_ssl_server_prompt_provider,
svn_client_get_ssl_client_prompt_provider,
svn_client_get_ssl_pw_prompt_provider): renamed from
svn_ra_dav_get_ssl_server_prompt_provider,
svn_ra_dav_get_ssl_client_prompt_provider,
svn_ra_dav_get_ssl_pw_prompt_provider.
(svn_client_get_ssl_server_file_provider) : comment
SVN_AUTH_PARAM_SSL_SERVER_FAILURES_IN requirement.
* libsvn_client/auth.c
(svn_client_get_ssl_server_prompt_provider,
svn_client_get_ssl_client_prompt_provider,
svn_client_get_ssl_pw_prompt_provider,
server_ssl_prompt_first_cred,
client_ssl_prompt_first_cred,
client_ssl_pw_prompt_first_cred) : New functions
(struct server_ssl_prompt_provider,
struct client_ssl_prompt_provider,
struct client_ssl_pass_prompt_provider) : New structures
(client_ssl_cert_file_first_credentials) : correct handling of certain cases
where not all the parameters are specified.
(client_ssl_pw_file_first_credentials) : actually return password
(struct cred_ssl_provider_baton) : structure to hold prompt function / baton
* clients/cmdline/main.c (main) : add prompting providers above
r845591 | sussman | 2003-04-01 22:02:44 +0000 (Tue, 01 Apr 2003)
Fixes/cleanups for the certificate-handling code.
Patch by: David Waite <mass@akuma.org>
* include/svn_auth.h
(SVN_AUTH_PARAM_SSL_SERVER_DNAME,
SVN_AUTH_PARAM_SSL_SERVER_CERTIFICATE) : remove
* include/svn_client.h
(svn_client_get_ssl_server_file_provider,
svn_client_get_ssl_client_file_provider,
svn_client_get_ssl_pw_file_provider) : change void **prompt_baton
to void *prompt_baton
* libsvn_client/auth.c
(server_ssl_file_first_credentials,
client_ssl_cert_file_first_credentials,
client_ssl_pw_file_first_credentials,
client_ssl_pw_prompt_first_cred,
client_ssl_prompt_first_cred,
server_ssl_prompt_first_cred) : set iter_baton reference to NULL
(svn_client_get_ssl_server_file_provider,
svn_client_get_ssl_client_file_provider,
svn_client_get_ssl_pw_file_provider) : see above
(server_ssl_file_first_credentials,
server_ssl_prompt_first_cred) : do not return credentials if not all
failures were approved
(server_ssl_file_first_credentials) : Chris Foote's server file changes -
stringently verify ssl-ignore-unknown-ca, ssl-ignore-invalid-date, and
ssl-ignore-host-mismatch options are set to "true".
* libsvn_ra_dav/session.c
(server_ssl_callback): remove SVN_AUTH_PARAM_SSL_SERVER_CERTIFICATE
initializer, use intermediate "void *creds" to avoid aliasing warning
(client_ssl_keypw_callback, client_ssl_callback): use intermediate
"void *creds" to avoid aliasing warning
r846938 | mass | 2003-08-25 18:00:20 +0000 (Mon, 25 Aug 2003)
First stab at neon 0.24 support. It is usable for SSL with or without
client authentication, but with the following caveats:
- ssl-authorities-file only supports loading a single CA certificate
(due to neon API change)
- client certificate must be a PKCS#12 file (neon API change)
- ssl-authorities-file and client certificate are not currently freed
* subversion/libsvn_ra_dav/session.c
(client_ssl_callback): Added code for Neon 0.24 compatibility
(svn_ra_dav__open): removed dead, #if'd TLS upgrade code. Remove
#if'd persistent connection shutoff code. Added code for Neon
0.24 compatibility
r847003 | mass | 2003-08-30 07:01:14 +0000 (Sat, 30 Aug 2003)
Remove support for .PEM-formatted client certificates. Support for
client PEM certificates is removed in Neon 0.24, and support for
multiple certificate file formats is not necessary.
* subversion/include/svn_auth.h
(struct svn_auth_ssl_cert_type_t): removed unneeded structure
(struct svn_auth_cred_client_ssl_t): removed members required to
support PEM certificates (optional private key location, and
certificate format selector)
* subversion/libsvn_subr/config_file.c
(svn_config_ensure): remove unused options from generated 'servers'
config, add note that the client certificate is in PKCS12 format.
* subversion/libsvn_client/auth.c
(client_ssl_cert_file_first_credentials,
client_ssl_prompt_first_cred): remove code for choosing and
configuring PEM support
* subversion/libsvn_ra_dav/session.c
(svn_auth_first_credentials): remove code relating to PEM support
r847004 | mass | 2003-08-31 00:51:42 +0000 (Sun, 31 Aug 2003)
Remove remaining traces of ssl-client-key-file and ssl-client-cert-type.
* subversion/include/svn_config.h
(SVN_CONFIG_OPTION_SSL_CLIENT_CERT_TYPE,
SVN_CONFIG_OPTION_SSL_CLIENT_KEY_FILE): remove unused constants
* subversion/libsvn_client/auth.c
(client_ssl_prompt_first_cred): use unused variables
r847005 | mass | 2003-08-31 01:02:24 +0000 (Sun, 31 Aug 2003)
Make changes necessary for CA certificate loading which is compatible
with both neon 0.23 and 0.24.
This includes documentation and setup changes, the user-affecting one
being the format of the ssl-authorities-file option in the 'servers'
config has changed. It is now meant to be a semicolon-separated list
of individual PEM-encoded CA certificates, where before it was a
single file holding all of the PEM-encoded certificates.
* subversion/include/svn_config.h
(SVN_CONFIG_OPTION_SSL_AUTHORITIES_FILE): rename to
SSL_CONFIG_OPTION_SSL_AUTHORITY_FILES, and change the value to
"ssl-authority-files"
* subversion/libsvn_subr/config_file.c
(svn_config_ensure): update "ssl-authorities-file" to
"ssl-authority-files", document the expected format
(semicolon-delimited PEM files), and update the commented
examples to use the new name and include multiple certificates.
* subversion/libsvn_ra_dav/session.c
(svn_ra_dav__open): loop across files in ssl-authority-files config
value, loading each certificate.
r847026 | mass | 2003-09-02 22:58:04 +0000 (Tue, 02 Sep 2003)
Final cleanups for merging the neon-0.24 code to HEAD
* build/buildcheck.sh
(NEON_WANTED_REGEX): changed to accept both 0.23.x and 0.24.x
(NEON_LATEST_WORKING_VERSION): updated to 0.24.0
* subversion/libsvn_ra_dav/session.c
(client_ssl_callback): do not continue if the certificate specified failed
to load.