Win32: tweak the SSL certificate validation override to avoid hitting the wire

for URL based objects and revocation checks.

The primary purpose of this callback is to resolve SVN_AUTH_SSL_UNKNOWNCA

failures using CryptoAPI and Windows local certificate stores. To do so, we

should be fine with just using the immediately available data on the local

machine.

Doing the opposite of that appears to be troublesome, as always connecting

to remote CRL and OCSP endpoints can result in spurious errors or significant

(user-reported) network stalls caused by timeouts if the endpoints are

inaccessible or unreliable.

The new approach should also be on par with the default basic behavior of

several major browsers, for example:

https://chromium.googlesource.com/chromium/src/net/+/3d1dad1c17ae3ff59e7c35841af94b66f4bca1ba/cert/cert_verify_proc_win.cc#919

* subversion/libsvn_subr/win32_crypto.c

(windows_validate_certificate): Use the CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL

and CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY flags when preparing the

certificate chain. Ignore errors in obtaining valid revocation information

when verifying the chain, as they could be induced by the new cache-only

behavior.

On OSX, ranlib complains loudly about object files with no symbols.

To silence it, put at least one global scope symbol in every file.

* subversion/libsvn_subr/config_win.c

(svn__fake__config_win): Define when WIN32 is not defined.

* subversion/libsvn_subr/win32_crashrpt.c

(svn__fake__win32_crashrpt): Likewise.

* subversion/libsvn_subr/win32_crypto.c

(svn__fake__win32_crypto): Again.

* subversion/libsvn_subr/win32_xlate.c

(svn__fake__win32_xlate): And again.

* subversion/libsvn_subr/sqlite3wrapper.c

(svn__fake__sqlite3wrapper): Define when SVN_SQLITE_INLINE is not defined.

  1. … 4 more files in changeset.
Revert r1508225, which moved the include of svn_private_config.h before all

includes of our public headers. Public headers shouldn't depend on private

headers and all changes that required this are long reverted on trunk.

This patch excludes all conflicting cases.

* subversion/bindings/swig/perl/libsvn_swig_perl/swigutil_pl.c

* subversion/bindings/swig/python/libsvn_swig_py/swigutil_py.c

* subversion/bindings/swig/ruby/libsvn_swig_ruby/swigutil_rb.c

* subversion/libsvn_auth_gnome_keyring/gnome_keyring.c

* subversion/libsvn_client/add.c

* subversion/libsvn_client/cat.c

* subversion/libsvn_client/changelist.c

* subversion/libsvn_client/cleanup.c

* subversion/libsvn_client/commit.c

* subversion/libsvn_client/commit_util.c

* subversion/libsvn_client/copy.c

* subversion/libsvn_client/copy_foreign.c

* subversion/libsvn_client/ctx.c

* subversion/libsvn_client/delete.c

* subversion/libsvn_client/deprecated.c

* subversion/libsvn_client/diff.c

* subversion/libsvn_client/diff_local.c

* subversion/libsvn_client/diff_summarize.c

* subversion/libsvn_client/export.c

* subversion/libsvn_client/externals.c

* subversion/libsvn_client/import.c

* subversion/libsvn_client/info.c

* subversion/libsvn_client/iprops.c

* subversion/libsvn_client/list.c

* subversion/libsvn_client/locking_commands.c

* subversion/libsvn_client/log.c

* subversion/libsvn_client/merge.c

* subversion/libsvn_client/mergeinfo.c

* subversion/libsvn_client/patch.c

* subversion/libsvn_client/prop_commands.c

* subversion/libsvn_client/ra.c

* subversion/libsvn_client/repos_diff.c

* subversion/libsvn_client/resolved.c

* subversion/libsvn_client/revert.c

* subversion/libsvn_client/switch.c

* subversion/libsvn_client/update.c

* subversion/libsvn_client/util.c

* subversion/libsvn_delta/compat.c

* subversion/libsvn_delta/xdelta.c

* subversion/libsvn_diff/parse-diff.c

* subversion/libsvn_diff/util.c

* subversion/libsvn_fs/access.c

* subversion/libsvn_fs_base/bdb/changes-table.c

* subversion/libsvn_fs_base/bdb/env.c

* subversion/libsvn_fs_base/dag.c

* subversion/libsvn_fs_base/fs.c

* subversion/libsvn_fs_base/lock.c

* subversion/libsvn_fs_base/revs-txns.c

* subversion/libsvn_fs_base/tree.c

* subversion/libsvn_fs_fs/caching.c

* subversion/libsvn_fs_fs/lock.c

* subversion/libsvn_fs_fs/temp_serializer.c

* subversion/libsvn_fs_fs/tree.c

* subversion/libsvn_ra/compat.c

* subversion/libsvn_ra/deprecated.c

* subversion/libsvn_ra/ra_loader.c

* subversion/libsvn_ra_local/ra_plugin.c

* subversion/libsvn_ra_serf/blame.c

* subversion/libsvn_ra_serf/blncache.c

* subversion/libsvn_ra_serf/commit.c

* subversion/libsvn_ra_serf/getlocations.c

* subversion/libsvn_ra_serf/getlocationsegments.c

* subversion/libsvn_ra_serf/getlocks.c

* subversion/libsvn_ra_serf/inherited_props.c

* subversion/libsvn_ra_serf/log.c

* subversion/libsvn_ra_serf/merge.c

* subversion/libsvn_ra_serf/mergeinfo.c

* subversion/libsvn_ra_serf/options.c

* subversion/libsvn_ra_serf/property.c

* subversion/libsvn_ra_serf/replay.c

* subversion/libsvn_ra_serf/serf.c

* subversion/libsvn_ra_serf/update.c

* subversion/libsvn_ra_serf/util.c

* subversion/libsvn_ra_serf/xml.c

* subversion/libsvn_ra_svn/client.c

* subversion/libsvn_ra_svn/editorp.c

* subversion/libsvn_ra_svn/marshal.c

* subversion/libsvn_repos/authz.c

* subversion/libsvn_repos/commit.c

* subversion/libsvn_repos/delta.c

* subversion/libsvn_repos/deprecated.c

* subversion/libsvn_repos/fs-wrap.c

* subversion/libsvn_repos/hooks.c

* subversion/libsvn_repos/log.c

* subversion/libsvn_repos/replay.c

* subversion/libsvn_repos/reporter.c

* subversion/libsvn_repos/repos.c

* subversion/libsvn_repos/rev_hunt.c

* subversion/libsvn_subr/auth.c

* subversion/libsvn_subr/cmdline.c

* subversion/libsvn_subr/compat.c

* subversion/libsvn_subr/config.c

* subversion/libsvn_subr/config_auth.c

* subversion/libsvn_subr/deprecated.c

* subversion/libsvn_subr/dso.c

* subversion/libsvn_subr/hash.c

* subversion/libsvn_subr/io.c

* subversion/libsvn_subr/mergeinfo.c

* subversion/libsvn_subr/opt.c

* subversion/libsvn_subr/properties.c

* subversion/libsvn_subr/simple_providers.c

* subversion/libsvn_subr/sorts.c

* subversion/libsvn_subr/ssl_client_cert_providers.c

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

* subversion/libsvn_subr/ssl_server_trust_providers.c

* subversion/libsvn_subr/subst.c

* subversion/libsvn_subr/types.c

* subversion/libsvn_subr/username_providers.c

* subversion/libsvn_subr/utf.c

* subversion/libsvn_subr/win32_crypto.c

* subversion/libsvn_wc/adm_crawler.c

* subversion/libsvn_wc/adm_files.c

* subversion/libsvn_wc/conflicts.c

* subversion/libsvn_wc/copy.c

* subversion/libsvn_wc/deprecated.c

* subversion/libsvn_wc/diff_editor.c

* subversion/libsvn_wc/diff_local.c

* subversion/libsvn_wc/entries.c

* subversion/libsvn_wc/externals.c

* subversion/libsvn_wc/info.c

* subversion/libsvn_wc/lock.c

* subversion/libsvn_wc/node.c

* subversion/libsvn_wc/old-and-busted.c

* subversion/libsvn_wc/props.c

* subversion/libsvn_wc/revert.c

* subversion/libsvn_wc/status.c

* subversion/libsvn_wc/update_editor.c

* subversion/libsvn_wc/upgrade.c

* subversion/libsvn_wc/wc_db_update_move.c

* subversion/libsvn_wc/wc_db_wcroot.c

* subversion/mod_dav_svn/repos.c

* subversion/mod_dav_svn/version.c

* subversion/svn/cl-conflicts.c

* subversion/svn/commit-cmd.c

* subversion/svn/conflict-callbacks.c

* subversion/svn/diff-cmd.c

* subversion/svn/help-cmd.c

* subversion/svn/notify.c

* subversion/svn/propedit-cmd.c

* subversion/svn/propget-cmd.c

* subversion/svn/props.c

* subversion/svn/status-cmd.c

* subversion/svn/status.c

* subversion/svn/svn.c

* subversion/svn/util.c

* subversion/svnadmin/svnadmin.c

* subversion/svnlook/svnlook.c

* subversion/svnrdump/dump_editor.c

* subversion/svnrdump/svnrdump.c

* subversion/svnrdump/util.c

* subversion/svnserve/serve.c

* subversion/svnsync/svnsync.c

* subversion/svnsync/sync.c

* subversion/tests/libsvn_fs/fs-test.c

* subversion/tests/libsvn_repos/repos-test.c

* subversion/tests/libsvn_subr/hashdump-test.c

* subversion/tests/libsvn_subr/mergeinfo-test.c

* subversion/tests/libsvn_subr/subst_translate-test.c

* subversion/tests/libsvn_wc/conflict-data-test.c

* subversion/tests/libsvn_wc/op-depth-test.c

* subversion/tests/libsvn_wc/wc-test.c

* subversion/tests/svn_test_fs.c

* tools/server-side/fsfs-stats.c

Move the svn_string_private.h include back to the original location.

  1. … 162 more files in changeset.
Mark platform specific svn_auth_get_* functions as deprecated to discourage

api consumers from using them and point them towards

svn_auth_get_platform_specific_provider().

* subversion/include/svn_auth.h

(svn_auth_get_windows_simple_provider,

svn_auth_get_windows_ssl_client_cert_pw_provider,

svn_auth_get_windows_ssl_server_trust_provider,

svn_auth_get_keychain_simple_provider,

svn_auth_get_keychain_ssl_client_cert_pw_provider,

svn_auth_get_gnome_keyring_simple_provider,

svn_auth_get_gnome_keyring_ssl_client_cert_pw_provider,

svn_auth_get_kwallet_simple_provider,

svn_auth_get_kwallet_ssl_client_cert_pw_provider,

svn_auth_get_gpg_agent_simple_provider): Deprecate

* subversion/libsvn_subr/auth.h

(svn_auth__get_windows_simple_provider,

svn_auth__get_windows_ssl_client_cert_pw_provider,

svn_auth__get_windows_ssl_server_trust_provider,

svn_auth__get_keychain_simple_provider,

svn_auth__get_keychain_ssl_client_cert_pw_provider,

svn_auth__get_gnome_keyring_simple_provider,

svn_auth__get_gnome_keyring_ssl_client_cert_pw_provider,

svn_auth__get_kwallet_simple_provider,

svn_auth__get_kwallet_ssl_client_cert_pw_provider,

svn_auth__get_gpg_agent_simple_provider): Add private declarations.

* subversion/libsvn_subr/gpg_agent.c,

subversion/libsvn_subr/macos_keychain.c,

subversion/libsvn_subr/win32_crypto.c:

(svn_auth__get_*): Convert public versions to private versions.

* subversion/libsvn_subr/deprecated.c

(svn_auth_get_*): Implement public versions as wrappers of the new private

versions.

* subversion/libsvn_subr/auth.c

(svn_auth_get_platform_specific_provider): Use private versions

of the platform specific svn_auth_get_* functions in order

to avoid warnings about using deprecated functions.

  1. … 6 more files in changeset.
Extend the Windows CRYPTOAPI based ssl certificate verification to properly

handle intermediate authorities, like how web browsers handle this.

When I originally implemented the ssl server certificate verification, most

certificates were directly signed by the root authority while since then

most certificates moved to using short lived intermediate authorities.

This re-enables common cases like

$ svn info https://svn.apache.org/repos/asf/

to work directly on Windows, without an initial prompt for accepting a

certificate from an unknown authority, just like it worked a few years ago.

* subversion/include/private/svn_auth_private.h

(SVN_AUTH_CRED_SSL_SERVER_AUTHORITY): Declare new credential type.

(svn_auth__get_windows_ssl_server_authority_provider): New function.

* subversion/libsvn_ra_serf/util.c

(includes): Add svn_auth_private.h.

(ssl_server_cert): Instead of just recording authority failures call a

new (optional) provider to allow

* subversion/libsvn_subr/auth.c

(includes): Add svn_auth_private.h.

(svn_auth_get_platform_specific_provider): Allow loading new provider.

* subversion/libsvn_subr/cmdline.c

(svn_cmdline_create_auth_baton): Hook new provider in the same place as

where we hook the server certificate provider.

* subversion/libsvn_subr/win32_crypto.c

(windows_ssl_server_trust_first_credentials): Fix an old bug, where instead

of properly accepting a failure, we removed the failure where it was

originally stored. (This happened to work in serf and neon for years)

(windows_server_authority_provider): New variable.

(svn_auth__get_windows_ssl_server_authority_provider): New function.

  1. … 4 more files in changeset.
Fix the #include order such that svn_private_config.h is always

included first before any other svn header - if we also include

svn_hash.h.

* subversion/bindings/javahl/native/org_apache_subversion_javahl_ConfigImpl_Category.cpp,

subversion/bindings/swig/perl/libsvn_swig_perl/swigutil_pl.c,

subversion/bindings/swig/python/libsvn_swig_py/swigutil_py.c,

subversion/bindings/swig/ruby/libsvn_swig_ruby/swigutil_rb.c,

subversion/libsvn_auth_gnome_keyring/gnome_keyring.c,

subversion/libsvn_client/add.c,

subversion/libsvn_client/cat.c,

subversion/libsvn_client/changelist.c,

subversion/libsvn_client/cleanup.c,

subversion/libsvn_client/commit.c,

subversion/libsvn_client/commit_util.c,

subversion/libsvn_client/copy.c,

subversion/libsvn_client/copy_foreign.c,

subversion/libsvn_client/ctx.c,

subversion/libsvn_client/delete.c,

subversion/libsvn_client/deprecated.c,

subversion/libsvn_client/diff.c,

subversion/libsvn_client/diff_local.c,

subversion/libsvn_client/diff_summarize.c,

subversion/libsvn_client/export.c,

subversion/libsvn_client/externals.c,

subversion/libsvn_client/import.c,

subversion/libsvn_client/info.c,

subversion/libsvn_client/iprops.c,

subversion/libsvn_client/list.c,

subversion/libsvn_client/locking_commands.c,

subversion/libsvn_client/log.c,

subversion/libsvn_client/merge.c,

subversion/libsvn_client/mergeinfo.c,

subversion/libsvn_client/patch.c,

subversion/libsvn_client/prop_commands.c,

subversion/libsvn_client/ra.c,

subversion/libsvn_client/repos_diff.c,

subversion/libsvn_client/resolved.c,

subversion/libsvn_client/revert.c,

subversion/libsvn_client/status.c,

subversion/libsvn_client/switch.c,

subversion/libsvn_client/update.c,

subversion/libsvn_client/util.c,

subversion/libsvn_delta/compat.c,

subversion/libsvn_delta/xdelta.c,

subversion/libsvn_diff/parse-diff.c,

subversion/libsvn_diff/util.c,

subversion/libsvn_fs/access.c,

subversion/libsvn_fs_base/bdb/changes-table.c,

subversion/libsvn_fs_base/bdb/env.c,

subversion/libsvn_fs_base/dag.c,

subversion/libsvn_fs_base/fs.c,

subversion/libsvn_fs_base/lock.c,

subversion/libsvn_fs_base/revs-txns.c,

subversion/libsvn_fs_base/tree.c,

subversion/libsvn_fs_fs/caching.c,

subversion/libsvn_fs_fs/fs_fs.c,

subversion/libsvn_fs/fs-loader.c,

subversion/libsvn_fs_fs/lock.c,

subversion/libsvn_fs_fs/temp_serializer.c,

subversion/libsvn_fs_fs/tree.c,

subversion/libsvn_fs_util/fs-util.c,

subversion/libsvn_ra/compat.c,

subversion/libsvn_ra/deprecated.c,

subversion/libsvn_ra_local/ra_plugin.c,

subversion/libsvn_ra/ra_loader.c,

subversion/libsvn_ra_serf/blame.c,

subversion/libsvn_ra_serf/blncache.c,

subversion/libsvn_ra_serf/commit.c,

subversion/libsvn_ra_serf/getlocations.c,

subversion/libsvn_ra_serf/getlocationsegments.c,

subversion/libsvn_ra_serf/getlocks.c,

subversion/libsvn_ra_serf/inherited_props.c,

subversion/libsvn_ra_serf/log.c,

subversion/libsvn_ra_serf/merge.c,

subversion/libsvn_ra_serf/mergeinfo.c,

subversion/libsvn_ra_serf/options.c,

subversion/libsvn_ra_serf/property.c,

subversion/libsvn_ra_serf/replay.c,

subversion/libsvn_ra_serf/serf.c,

subversion/libsvn_ra_serf/update.c,

subversion/libsvn_ra_serf/util.c,

subversion/libsvn_ra_serf/xml.c,

subversion/libsvn_ra_svn/client.c,

subversion/libsvn_ra_svn/editorp.c,

subversion/libsvn_ra_svn/marshal.c,

subversion/libsvn_repos/authz.c,

subversion/libsvn_repos/commit.c,

subversion/libsvn_repos/delta.c,

subversion/libsvn_repos/deprecated.c,

subversion/libsvn_repos/fs-wrap.c,

subversion/libsvn_repos/hooks.c,

subversion/libsvn_repos/log.c,

subversion/libsvn_repos/replay.c,

subversion/libsvn_repos/reporter.c,

subversion/libsvn_repos/repos.c,

subversion/libsvn_repos/rev_hunt.c,

subversion/libsvn_subr/auth.c,

subversion/libsvn_subr/cmdline.c,

subversion/libsvn_subr/compat.c,

subversion/libsvn_subr/config_auth.c,

subversion/libsvn_subr/config.c,

subversion/libsvn_subr/deprecated.c,

subversion/libsvn_subr/dso.c,

subversion/libsvn_subr/hash.c,

subversion/libsvn_subr/io.c,

subversion/libsvn_subr/mergeinfo.c,

subversion/libsvn_subr/opt.c,

subversion/libsvn_subr/properties.c,

subversion/libsvn_subr/simple_providers.c,

subversion/libsvn_subr/sorts.c,

subversion/libsvn_subr/ssl_client_cert_providers.c,

subversion/libsvn_subr/ssl_client_cert_pw_providers.c,

subversion/libsvn_subr/ssl_server_trust_providers.c,

subversion/libsvn_subr/subst.c,

subversion/libsvn_subr/types.c,

subversion/libsvn_subr/username_providers.c,

subversion/libsvn_subr/utf.c,

subversion/libsvn_subr/win32_crypto.c,

subversion/libsvn_wc/adm_crawler.c,

subversion/libsvn_wc/adm_files.c,

subversion/libsvn_wc/adm_ops.c,

subversion/libsvn_wc/conflicts.c,

subversion/libsvn_wc/copy.c,

subversion/libsvn_wc/deprecated.c,

subversion/libsvn_wc/diff_editor.c,

subversion/libsvn_wc/diff_local.c,

subversion/libsvn_wc/entries.c,

subversion/libsvn_wc/externals.c,

subversion/libsvn_wc/info.c,

subversion/libsvn_wc/lock.c,

subversion/libsvn_wc/node.c,

subversion/libsvn_wc/old-and-busted.c,

subversion/libsvn_wc/props.c,

subversion/libsvn_wc/revert.c,

subversion/libsvn_wc/status.c,

subversion/libsvn_wc/translate.c,

subversion/libsvn_wc/update_editor.c,

subversion/libsvn_wc/upgrade.c,

subversion/libsvn_wc/wc_db.c,

subversion/libsvn_wc/wc_db_update_move.c,

subversion/libsvn_wc/wc_db_wcroot.c,

subversion/libsvn_wc/workqueue.c,

subversion/mod_dav_svn/activity.c,

subversion/mod_dav_svn/deadprops.c,

subversion/mod_dav_svn/lock.c,

subversion/mod_dav_svn/merge.c,

subversion/mod_dav_svn/mod_dav_svn.c,

subversion/mod_dav_svn/reports/update.c,

subversion/mod_dav_svn/repos.c,

subversion/mod_dav_svn/version.c,

subversion/svnadmin/svnadmin.c,

subversion/svnauth/svnauth.c,

subversion/svn/cl-conflicts.c,

subversion/svn/commit-cmd.c,

subversion/svn/conflict-callbacks.c,

subversion/svn/diff-cmd.c,

subversion/svn/help-cmd.c,

subversion/svnlook/svnlook.c,

subversion/svnmucc/svnmucc.c,

subversion/svn/notify.c,

subversion/svn/propedit-cmd.c,

subversion/svn/propget-cmd.c,

subversion/svn/props.c,

subversion/svnrdump/dump_editor.c,

subversion/svnrdump/svnrdump.c,

subversion/svnrdump/util.c,

subversion/svnserve/serve.c,

subversion/svn/status.c,

subversion/svn/status-cmd.c,

subversion/svn/svn.c,

subversion/svnsync/svnsync.c,

subversion/svnsync/sync.c,

subversion/svn/util.c,

subversion/tests/libsvn_fs/fs-test.c,

subversion/tests/libsvn_repos/repos-test.c,

subversion/tests/libsvn_subr/hashdump-test.c,

subversion/tests/libsvn_subr/mergeinfo-test.c,

subversion/tests/libsvn_subr/subst_translate-test.c,

subversion/tests/libsvn_wc/conflict-data-test.c,

subversion/tests/libsvn_wc/op-depth-test.c,

subversion/tests/libsvn_wc/wc-test.c,

subversion/tests/svn_test_fs.c,

tools/dev/fsfs-reorg.c,

tools/server-side/fsfs-stats.c): #include svn_private_config.h first

  1. … 180 more files in changeset.
Unbreak the windows build after r1460163.

* subversion/libsvn_subr/win32_crypto.c

(svn_hash.h): Include.

Use svn_hash_gets and svn_hash_sets.

* subversion/libsvn_subr/auth.c

* subversion/libsvn_subr/cmdline.c

* subversion/libsvn_subr/compat.c

* subversion/libsvn_subr/config.c

* subversion/libsvn_subr/config_auth.c

* subversion/libsvn_subr/deprecated.c

* subversion/libsvn_subr/dso.c

* subversion/libsvn_subr/hash.c

* subversion/libsvn_subr/io.c

* subversion/libsvn_subr/mergeinfo.c

* subversion/libsvn_subr/opt.c

* subversion/libsvn_subr/properties.c

* subversion/libsvn_subr/simple_providers.c

* subversion/libsvn_subr/ssl_client_cert_providers.c

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

* subversion/libsvn_subr/ssl_server_trust_providers.c

* subversion/libsvn_subr/subst.c

* subversion/libsvn_subr/types.c

* subversion/libsvn_subr/username_providers.c

* subversion/libsvn_subr/utf.c

* subversion/libsvn_subr/win32_crypto.c

* subversion/libsvn_subr/xml.c

  1. … 21 more files in changeset.
The GCC "pedantic" setting will flag Win32-only source files as

being empty compilation units. Work around that by adding

dummy declarations.

* subversion/libsvn_subr/win32_crashrpt.c

(): add dummy code to never have an empty translation unit

* subversion/libsvn_subr/win32_crypto.c

(): same here

* subversion/libsvn_subr/win32_xlate.c

(): and here

  1. … 2 more files in changeset.
Fix crash bug from solution for issues #4112 and #4110 in r1242759.

* subversion/libsvn_subr/win32_crypto.c

(windows_password_decrypter, windows_ssl_client_cert_pw_decrypter):

Check the "done" flag, not the pointer to the "done" flag.

Found by: steveking

Fix conversion compiler warnings.

* subversion/libsvn_subr/win32_crypto.c

(encrypt_data, decrypt_data): cast const BYTE* -> const char*

* subversion/svnserve/serve.c

(repos_path_valid): cast to size_t is fine since we test for equality

within a relatively small buffer

  1. … 1 more file in changeset.
Some logic abstraction / API isolation.

Reviewed by: pburba

* subversion/libsvn_subr/win32_crypto.c

(encrypt_data, decrypt_data): New helper functions which isolate the

actual interaction with the Win32 Crypto API, abstracted from ...

(windows_password_encrypter, windows_ssl_client_cert_pw_encrypter,

windows_password_decrypter, windows_ssl_client_cert_pw_decrypter):

... these functions, which now defer to the new helpers.

Rename and redocument some private functions whose utility has grown

beyond the scope of their original refactored usage.

* subversion/include/private/svn_auth_private.h

(svn_auth__simple_creds_cache_get): Renamed (and redocumented) from

svn_auth__simple_first_creds_helper(). Callers updated.

(svn_auth__simple_creds_cache_set): Renamed (and redocumented) from

svn_auth__simple_save_creds_helper(). Callers updated.

(svn_auth__ssl_client_cert_pw_cache_get): Renamed (and redocumented) from

svn_auth__ssl_client_cert_pw_file_first_creds_helper(). Callers updated.

(svn_auth__ssl_client_cert_pw_cache_set): Renamed (and redocumented) from

svn_auth__ssl_client_cert_pw_file_save_creds_helper(). Callers updated.

* subversion/libsvn_auth_gnome_keyring/gnome_keyring.c,

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c,

* subversion/libsvn_subr/macos_keychain.c,

* subversion/libsvn_subr/gpg_agent.c,

* subversion/libsvn_subr/win32_crypto.c,

* subversion/libsvn_subr/simple_providers.c,

* subversion/libsvn_auth_kwallet/kwallet.cpp

Track function renames.

  1. … 7 more files in changeset.
Followup to r1242759, fix the Windows build.

* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter, windows_ssl_client_cert_pw_encrypter):

Fix issues 4112, GNOME keyring --non-interactive prevents passwords on

disk, and 4110, open KDE wallet not used when --non-interactive. This

also delays any GNOME unlock prompt until the keyring is accessed so

matching the KDE behaviour.

* subversion/include/private/svn_auth_private.h

(svn_auth__password_get_t, svn_auth__simple_password_get): Add boolean

parameter, return svn_error_t.

(svn_auth__simple_password_get, svn_auth__simple_password_set,

svn_auth__ssl_client_cert_pw_get,

svn_auth__ssl_client_cert_pw_set): Adjust to match new prototype.

* subversion/libsvn_auth_gnome_keyring/gnome_keyring.c

(ensure_gnome_keyring_is_unlocked): New, code factored from

functions such as simple_gnome_keyring_first_creds.

(password_get_gnome_keyring, password_set_gnome_keyring): New

prototype, do unlocked check here.

(simple_gnome_keyring_first_creds, simple_gnome_keyring_save_creds,

ssl_client_cert_pw_gnome_keyring_first_creds,

ssl_client_cert_pw_gnome_keyring_save_creds): Don't do unlocked check.

* subversion/libsvn_auth_kwallet/kwallet.cpp

(kwallet_password_get, kwallet_password_set): Adjust to match new

prototype, allow non-interactive access if wallet is unlocked.

* subversion/libsvn_subr/simple_providers.c

(svn_auth__simple_password_get, svn_auth__simple_password_set,

svn_auth__simple_first_creds_helper,

svn_auth__simple_save_creds_helper): Adjust to match new prototype.

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

(svn_auth__ssl_client_cert_pw_get, svn_auth__ssl_client_cert_pw_set,

svn_auth__ssl_client_cert_pw_file_first_creds_helper,

svn_auth__ssl_client_cert_pw_file_save_creds_helper): Adjust to match

new prototype.

* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter, windows_password_decrypter,

windows_ssl_client_cert_pw_encrypter,

windows_ssl_client_cert_pw_decrypter): Adjust to match new prototype.

* subversion/libsvn_subr/macos_keychain.c

(keychain_password_set, keychain_password_get): Adjust to match new

prototype.

* subversion/libsvn_subr/gpg_agent.c

(password_get_gpg_agent, password_set_gpg_agent): Adjust to match new

prototype.

  1. … 7 more files in changeset.
Extract helper function in Windows certificate validation code.

* subversion/libsvn_subr/win32_crypto.c

(certcontext_from_base64): New.

(windows_validate_certificate): Use certcontext_from_base64().

Extend the (Windows only) ssl server certificate validation via cryptoapi

with a certificate revocation check. Also use a proper certificate chain

verification, before trusting the certificate as valid instead of just

parsing the certificate status ourselves.

* subversion/libsvn_subr/win32_crypto.c

(windows_validate_certificate): Add revocation check flag and verify the

certificate chain as a ssl chain instead of reading the status of the

leaf certificate ourselves.

Test out my new and fancy ASF commit privileges by changing the copyright

wording in our license headers to reflect ownership by the ASF.

* NOTICE:

Change terminology to ASF, and update a link.

* subversion/libsvn_subr/opt.c

(svn_opt__print_version_info): Note that the product as a whole is

copyrighted by the ASF, and update the project website.

* everywhere:

Change license text to reflect ASF ownership.

  1. … 891 more files in changeset.
Relicense Subversion under the Apache License, Version 2.0.

* NOTICE: New.

* LICENSE: New.

* COPYING,

subversion/LICENSE: Remove.

* subversion/libsvn_subr/opt.c

(svn_opt__print_version_info): Note that the product as a whole is

copyrighted by the SVN Corp, and that it contains contributions from

many people, as referenced in NOTICE.

* subversion/bindings/swig/python/LICENSE_FOR_PYTHON_BINDINGS:

Relicense the SVN parts under Apache 2.0.

* everywhere:

Change copyright notices in file headers to reflect the Apache 2.0 license.

  1. … 882 more files in changeset.
* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter, windows_password_decrypter,

windows_ssl_client_cert_pw_encrypter, windows_ssl_client_cert_pw_decrypter,

windows_validate_certificate): Cast the BYTE* used for windows security

blobs to char* for apr_base64_encode/apr_base64_decode to resolve a

few warnings.

Cleanup trailing whitespace:

for extsn in c h cpp java py pl rb; do

sed -i -e 's/[ \t]*$//' `find . -name "*.$extsn" | xargs grep '[ \t]$' -l`

done

This should have been done before the 1.6.x branch, so I'm going to merge

it over there, to avoid merge conflicts in the future.

  1. … 83 more files in changeset.
To complete issue #2489, implement secure client certificate passphrase

caching for Windows CryptoAPI.

* subversion/include/private/svn_auth_private.h

(svn_auth__ssl_client_cert_pw_file_save_creds_helper): Update documentation

to note that it is used by the windows cryptoapi store.

(svn_auth__ssl_client_cert_pw_get): Add passphrase getter for use by the

Windows crypto provider.

(svn_auth__ssl_client_cert_pw_set): Add passphrase setter for use by the

Windows crypto provider.

* subversion/include/svn_auth.h

(svn_auth_get_windows_ssl_client_cert_pw_provider): Add Windows Crypto api

ssl client certificate passphrase provider.

* subversion/libsvn_subr/auth.c

(svn_auth_get_platform_specific_provider): Handle requests for windows

ssl_client_cert_pw.

* subversion/libsvn_subr/cmdline.c

(svn_cmdline_create_auth_baton): Register Windows Crypto api ssl client

certificate passphrase provider in the auth baton.

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

(simple_passphrase_get): Renamed to ...

(svn_auth__ssl_client_cert_pw_get): .... and remove static to allow reuse

by the Windows Crypto api implementation.

(simple_passphrase_set): Renamed to ...

(svn_auth__ssl_client_cert_pw_set): ... and remove static to allow reuse

by the Windows Crypto api implementation.

(svn_auth__ssl_client_cert_pw_file_save_creds_helper): Mark that passphrases

saved by the Windows Crypto api are encrypted to remove the confirmation

prompt.

(ssl_client_cert_pw_file_first_credentials,

ssl_client_cert_pw_file_save_credentials): Update references to

simple_passphrase_*.

* subversion/libsvn_subr/win32_crypto.c

(windows_ssl_client_cert_pw_encrypter,

windows_ssl_client_cert_pw_decrypter,

windows_ssl_client_cert_pw_first_creds,

windows_ssl_client_cert_pw_save_creds,

windows_ssl_client_cert_pw_provider): Add ssl client certificate passphrase

provider, forwarding caching and save requests to the file provider like

the simple provider.

(svn_auth_get_windows_ssl_client_cert_pw_provider): Add registration function

for the Windows Crypto api ssl client certificate passphrase provider.

* subversion/tests/libsvn_subr/auth-test.c

(test_platform_specific_auth_providers): Test registration of the CryptoApi

provider via svn_auth_get_platform_specific_provider.

  1. … 6 more files in changeset.
Delete trailing whitespace.

Follow-up to r26317 and r27598.

* build/generator/extractor.py:

* build/generator/gen_vcnet_vcproj.py:

* build/generator/gen_win.py:

* contrib/client-side/svnmerge/svnmerge-migrate-history-remotely.py:

* subversion/bindings/ctypes-python/csvn/repos.py:

* subversion/bindings/ctypes-python/csvn/wc.py:

* subversion/bindings/ctypes-python/examples/mucc.py:

* subversion/bindings/ctypes-python/setup.py:

* subversion/bindings/ctypes-python/test/localrepos.py:

* subversion/bindings/ctypes-python/test/remoterepos.py:

* subversion/bindings/ctypes-python/test/run_all.py:

* subversion/bindings/ctypes-python/test/svntypes.py:

* subversion/bindings/ctypes-python/test/wc.py:

* subversion/bindings/javahl/src/org/tigris/subversion/javahl/Operation.java:

* subversion/include/private/svn_auth_private.h:

* subversion/include/private/svn_sqlite.h:

* subversion/include/private/svn_wc_private.h:

* subversion/include/svn_auth.h:

* subversion/include/svn_checksum.h:

* subversion/include/svn_client.h:

* subversion/include/svn_cmdline.h:

* subversion/include/svn_dirent_uri.h:

* subversion/include/svn_path.h:

* subversion/include/svn_props.h:

* subversion/libsvn_client/commit_util.c:

* subversion/libsvn_client/copy.c:

* subversion/libsvn_client/deprecated.c:

* subversion/libsvn_client/export.c:

* subversion/libsvn_client/externals.c:

* subversion/libsvn_client/info.c:

* subversion/libsvn_client/merge.c:

* subversion/libsvn_client/mergeinfo.h:

* subversion/libsvn_client/ra.c:

* subversion/libsvn_client/repos_diff.c:

* subversion/libsvn_fs_base/bdb/checksum-reps-table.c:

* subversion/libsvn_fs_base/bdb/checksum-reps-table.h:

* subversion/libsvn_fs_base/bdb/miscellaneous-table.c:

* subversion/libsvn_fs_base/bdb/reps-table.c:

* subversion/libsvn_fs_base/dag.c:

* subversion/libsvn_fs_base/dag.h:

* subversion/libsvn_fs_base/err.h:

* subversion/libsvn_fs_base/fs.c:

* subversion/libsvn_fs_base/reps-strings.c:

* subversion/libsvn_fs_base/tree.c:

* subversion/libsvn_fs_base/tree.h:

* subversion/libsvn_fs_base/util/fs_skels.c:

* subversion/libsvn_fs_fs/dag.h:

* subversion/libsvn_fs_fs/fs_fs.h:

* subversion/libsvn_fs/fs-loader.c:

* subversion/libsvn_fs/fs-loader.h:

* subversion/libsvn_fs_fs/rep-cache.c:

* subversion/libsvn_fs_fs/rep-cache.h:

* subversion/libsvn_fs_fs/tree.c:

* subversion/libsvn_ra/compat.c:

* subversion/libsvn_ra_neon/log.c:

* subversion/libsvn_ra_neon/session.c:

* subversion/libsvn_ra_serf/log.c:

* subversion/libsvn_ra_serf/update.c:

* subversion/libsvn_ra_serf/util.c:

* subversion/libsvn_ra_serf/win32_auth_sspi.c:

* subversion/libsvn_repos/hooks.c:

* subversion/libsvn_repos/log.c:

* subversion/libsvn_repos/repos.h:

* subversion/libsvn_subr/checksum.c:

* subversion/libsvn_subr/cmdline.c:

* subversion/libsvn_subr/config_file.c:

* subversion/libsvn_subr/config_win.c:

* subversion/libsvn_subr/dirent_uri.c:

* subversion/libsvn_subr/dso.c:

* subversion/libsvn_subr/io.c:

* subversion/libsvn_subr/nls.c:

* subversion/libsvn_subr/simple_providers.c:

* subversion/libsvn_subr/sqlite.c:

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c:

* subversion/libsvn_subr/stream.c:

* subversion/libsvn_subr/win32_crypto.c:

* subversion/libsvn_wc/adm_ops.c:

* subversion/libsvn_wc/diff.c:

* subversion/libsvn_wc/props.c:

* subversion/libsvn_wc/status.c:

* subversion/libsvn_wc/tree_conflicts.c:

* subversion/libsvn_wc/tree_conflicts.h:

* subversion/libsvn_wc/update_editor.c:

* subversion/libsvn_wc/wc_db.h:

* subversion/svn/cl.h:

* subversion/svndumpfilter/main.c:

* subversion/svnlook/main.c:

* subversion/svn/propedit-cmd.c:

* subversion/svn/propget-cmd.c:

* subversion/svnserve/main.c:

* subversion/svn/status-cmd.c:

* subversion/svn/tree-conflicts.c:

* subversion/svn/util.c:

* subversion/tests/cmdline/commit_tests.py:

* subversion/tests/cmdline/copy_tests.py:

* subversion/tests/cmdline/info_tests.py:

* subversion/tests/cmdline/log_tests.py:

* subversion/tests/cmdline/merge_tests.py:

* subversion/tests/cmdline/prop_tests.py:

* subversion/tests/cmdline/revert_tests.py:

* subversion/tests/cmdline/stat_tests.py:

* subversion/tests/cmdline/svntest/actions.py:

* subversion/tests/cmdline/svntest/tree.py:

* subversion/tests/cmdline/switch_tests.py:

* subversion/tests/cmdline/tree_conflict_tests.py:

* subversion/tests/cmdline/update_tests.py:

* subversion/tests/libsvn_repos/repos-test.c:

* subversion/tests/libsvn_subr/checksum-test.c:

* subversion/tests/libsvn_subr/dirent_uri-test.c:

* subversion/tests/libsvn_subr/path-test.c:

* subversion/tests/libsvn_subr/target-test.c:

* subversion/tests/libsvn_wc/tree-conflict-data-test.c:

* tools/examples/svnlook.py: Delete trailing whitespace.

  1. … 112 more files in changeset.
Pass parameters instead of configuration to implementations of

svn_auth__password_get_t / svn_auth__password_set_t.

* subversion/include/private/svn_auth_private.h

(svn_auth__password_get_t, svn_auth__password_set_t,

svn_auth__simple_password_get, svn_auth__simple_password_set): Replace

'config' argument with 'parameters'.

* subversion/libsvn_subr/simple_providers.c

(svn_auth__simple_password_get, svn_auth__simple_password_set): Replace

'config' argument with 'parameters'.

(svn_auth__simple_first_creds_helper): Update call to password_get().

(svn_auth__simple_save_creds_helper): Delete 'cfg' and update call to

password_set().

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

(simple_passphrase_get, simple_passphrase_set): Replace 'config' argument

with 'parameters'.

(svn_auth__ssl_client_cert_pw_file_first_creds_helper): Update call to

passphrase_get().

(svn_auth__ssl_client_cert_pw_file_save_creds_helper): Delete 'cfg' and

update call to passphrase_set().

* subversion/libsvn_auth_gnome_keyring/gnome_keyring.c

(gnome_keyring_password_get, gnome_keyring_password_set):

* subversion/libsvn_auth_kwallet/kwallet.cpp

(kwallet_password_get, kwallet_password_set):

* subversion/libsvn_subr/macos_keychain.c

(keychain_password_set, keychain_password_get): Replace 'config' argument

with 'parameters'.

* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter): Replace 'config' argument with 'parameters'

and update call to svn_auth__simple_password_set().

(windows_password_decrypter): Replace 'config' argument with 'parameters'

and update call to svn_auth__simple_password_get().

  1. … 6 more files in changeset.
* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter, windows_password_decrypter): Following up on

r33913, call svn_auth__simple_password_(get/set) with an extra argument.

Pass configuration to implementations of

svn_auth__password_get_t / svn_auth__password_set_t.

* subversion/include/private/svn_auth_private.h

(svn_auth__password_get_t, svn_auth__password_set_t,

svn_auth__simple_password_get, svn_auth__simple_password_set): Add 'config'

argument.

* subversion/libsvn_subr/simple_providers.c

(svn_auth__simple_password_get, svn_auth__simple_password_set): Add 'config'

argument.

(svn_auth__simple_first_creds_helper): Update call to password_get().

(svn_auth__simple_save_creds_helper): Create 'cfg' and update call to

password_set().

* subversion/libsvn_subr/ssl_client_cert_pw_providers.c

(simple_passphrase_get, simple_passphrase_set): Add 'config' argument.

(svn_auth__ssl_client_cert_pw_file_first_creds_helper): Update call to

passphrase_get().

(svn_auth__ssl_client_cert_pw_file_save_creds_helper): Create 'cfg' and

update call to passphrase_set().

* subversion/libsvn_auth_gnome_keyring/gnome_keyring.c

(gnome_keyring_password_get, gnome_keyring_password_set):

* subversion/libsvn_auth_kwallet/kwallet.cpp

(kwallet_password_get, kwallet_password_set):

* subversion/libsvn_subr/macos_keychain.c

(keychain_password_set, keychain_password_get):

* subversion/libsvn_subr/win32_crypto.c

(windows_password_encrypter, windows_password_decrypter): Add 'config'

argument.

  1. … 6 more files in changeset.
Make the Windows SSL server trust authentication provider validate and clear

the server certificate unknown CA failure when other failures are present. For

example, when a trusted certificate is installed on a different hostname.

* subversion/libsvn_subr/win32_crypto.c

(windows_validate_certificate): Extract real certificate validation from

windows_ssl_server_trust_first_credentials() to separate helper.

(windows_ssl_server_trust_first_credentials): Check certificate when

SVN_AUTH_SSL_UNKNOWNCA failure is present, despite other failures.

Return credentials only if all failures are cleared.

Following up on the RFC on the mailing lists. Start assuming Windows 2000

(WINNT 5.0) or later when compiling for Windows.

* build.conf

(libsvn_subr): Add crypt32.lib to msvc-libs to link to crypt32.dll.

* subversion/libsvn_subr/win32_crypto.c

(global): Remove include of private/svn_atomic.h and now unused

crypto_dll and crypto_dll_loaded variables.

(load_crypto_dll, get_crypto_function):

Remove unused functions.

(windows_password_encrypter, windows_password_decrypter,

windows_ssl_server_trust_first_credentials,

svn_auth_get_windows_ssl_server_trust_provider):

Call the crypto API directly, instead of via dynamically loaded function

pointers.

(windows_password_decrypter): Also free retrieved description, fixing

small memory leak.

(windows_ssl_server_trust_provider_baton_t): Remove now unused baton

definition and helper types.

(svn_auth_get_windows_ssl_server_trust_provider):

Remove windows_ssl_server_trust_provider_baton_t initialization.

  1. … 1 more file in changeset.
Load crypt32.dll once per process. Library will be unloaded on process

exit. This is the same behavior as hard linking to the library.

* subversion/libsvn_subr/win32_crypto.c

(load_crypto_dll): Initializer function for svn_atomic__init_once() to load

crypt32.dll.

(get_crypto_function): Use svn_atomic__init_once() to load crypt32.dll

once. Removed unused parameters and return function pointer directly.

(windows_password_encrypter, windows_password_decrypter): Use new

get_crypto_function() semantics.

(windows_ssl_server_trust_provider_baton_t): Remove cryptodll member.

(windows_ssl_server_trust_first_credentials): Remove obsolete check.

(windows_ssl_server_trust_cleanup): Remove.

(svn_auth_get_windows_ssl_server_trust_provider): Use new

get_crypto_function() semantics. Do not register cleanup handler for

unloading crypt32.dll.

Suggested by: rhuijben

Move Windows SSL server trust provider to win32_crypto.c.

* subversion/libsvn_subr/ssl_server_trust_providers.c

(windows_ssl_server_trust_first_credentials,

windows_ssl_server_trust_cleanup,

svn_auth_get_windows_ssl_server_trust_provider): Remove.

* subversion/libsvn_subr/win32_crypto.c

(windows_ssl_server_trust_first_credentials,

windows_ssl_server_trust_cleanup,

svn_auth_get_windows_ssl_server_trust_provider): Moved from

ssl_server_trust_providers.c

  1. … 1 more file in changeset.