Author: philip
Date: Thu Jan 26 18:31:40 2012
New Revision: 1236343
URL: http://svn.apache.org/viewvc?rev=1236343&view=rev
Log:
Clear errno before calling SASL functions, check errno if SASL init fails.
* subversion/libsvn_ra_svn/cyrus_auth.c
(clear_sasl_errno): New macro.
(get_sasl_errno_msg, get_sasl_error): Move earlier in file.
(sasl_init_cb): Use the errno functions.
(new_sasl_ctx, try_auth, sasl_read_cb, sasl_write_cb,
svn_ra_svn__enable_sasl_encryption): Clear errno.
Modified:
subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c
Modified: subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c
URL:
http://svn.apache.org/viewvc/subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c?rev=1236343&r1=1236342&r2=1236343&view=diff
==============================================================================
--- subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c (original)
+++ subversion/trunk/subversion/libsvn_ra_svn/cyrus_auth.c Thu Jan 26 18:31:40
2012
@@ -186,12 +186,64 @@ svn_ra_svn__sasl_common_init(apr_pool_t
return SVN_NO_ERROR;
}
+/* We are going to look at errno when we get SASL_FAIL but we don't
+ know for sure whether SASL always sets errno. Clearing errno
+ before calling SASL functions helps in cases where SASL does
+ nothing to set errno. */
+#ifdef apr_set_os_error
+#define clear_sasl_errno() apr_set_os_error(APR_SUCCESS)
+#else
+#define clear_sasl_errno() (void)0
+#endif
+
+/* Sometimes SASL returns SASL_FAIL as RESULT and sets errno.
+ * SASL_FAIL translates to "generic error" which is quite unhelpful.
+ * Try to append a more informative error message based on errno so
+ * should be called before doing anything that may change errno. */
+static const char *
+get_sasl_errno_msg(int result, apr_pool_t *result_pool)
+{
+#ifdef apr_get_os_error
+ char buf[1024];
+
+ if (result == SASL_FAIL && apr_get_os_error() != 0)
+ return apr_psprintf(result_pool, ": %s",
+ svn_strerror(apr_get_os_error(), buf, sizeof(buf)));
+#endif
+ return "";
+}
+
+/* Wrap an error message from SASL with a prefix that allows users
+ * to tell that the error message came from SASL. Queries errno and
+ * so should be called before doing anything that may change errno. */
+static const char *
+get_sasl_error(sasl_conn_t *sasl_ctx, int result, apr_pool_t *result_pool)
+{
+ const char *sasl_errno_msg = get_sasl_errno_msg(result, result_pool);
+
+ return apr_psprintf(result_pool,
+ _("SASL authentication error: %s%s"),
+ sasl_errdetail(sasl_ctx), sasl_errno_msg);
+}
+
static svn_error_t *sasl_init_cb(void *baton, apr_pool_t *pool)
{
+ int result;
+
SVN_ERR(svn_ra_svn__sasl_common_init(pool));
- if (sasl_client_init(NULL) != SASL_OK)
- return svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
- _("Could not initialize the SASL library"));
+ clear_sasl_errno();
+ result = sasl_client_init(NULL);
+ if (result != SASL_OK)
+ {
+ const char *sasl_errno_msg = get_sasl_errno_msg(result, pool);
+
+ return svn_error_createf
+ (SVN_ERR_RA_NOT_AUTHORIZED, NULL,
+ _("Could not initialized the SASL library: %s%s"),
+ sasl_errstring(result, NULL, NULL),
+ sasl_errno_msg);
+ }
+
return SVN_NO_ERROR;
}
@@ -338,34 +390,6 @@ get_password_cb(sasl_conn_t *conn, void
return SASL_FAIL;
}
-/* Sometimes SASL returns SASL_FAIL as RESULT and sets errno.
- * SASL_FAIL translates to "generic error" which is quite unhelpful.
- * Try to append a more informative error message based on errno so
- * should be called before doing anything that may change errno. */
-static const char *
-get_sasl_errno_msg(int result, apr_pool_t *result_pool)
-{
- char buf[1024];
-
- if (result == SASL_FAIL && apr_get_os_error() != 0)
- return apr_psprintf(result_pool, ": %s",
- svn_strerror(apr_get_os_error(), buf, sizeof(buf)));
- return "";
-}
-
-/* Wrap an error message from SASL with a prefix that allows users
- * to tell that the error message came from SASL. Queries errno and
- * so should be called before doing anything that may change errno. */
-static const char *
-get_sasl_error(sasl_conn_t *sasl_ctx, int result, apr_pool_t *result_pool)
-{
- const char *sasl_errno_msg = get_sasl_errno_msg(result, result_pool);
-
- return apr_psprintf(result_pool,
- _("SASL authentication error: %s%s"),
- sasl_errdetail(sasl_ctx), sasl_errno_msg);
-}
-
/* Create a new SASL context. */
static svn_error_t *new_sasl_ctx(sasl_conn_t **sasl_ctx,
svn_boolean_t is_tunneled,
@@ -378,6 +402,7 @@ static svn_error_t *new_sasl_ctx(sasl_co
sasl_security_properties_t secprops;
int result;
+ clear_sasl_errno();
result = sasl_client_new(SVN_RA_SVN_SASL_NAME,
hostname, local_addrport, remote_addrport,
callbacks, SASL_SUCCESS_DATA,
@@ -401,6 +426,7 @@ static svn_error_t *new_sasl_ctx(sasl_co
otherwise it will ignore EXTERNAL. The third parameter
should be the username, but since SASL doesn't seem
to use it on the client side, any non-empty string will do. */
+ clear_sasl_errno();
result = sasl_setprop(*sasl_ctx,
SASL_AUTH_EXTERNAL, " ");
if (result != SASL_OK)
@@ -433,6 +459,7 @@ static svn_error_t *try_auth(svn_ra_svn_
do
{
again = FALSE;
+ clear_sasl_errno();
result = sasl_client_start(sasl_ctx,
mechstring,
&client_interact,
@@ -503,6 +530,7 @@ static svn_error_t *try_auth(svn_ra_svn_
if (strcmp(mech, "CRAM-MD5") != 0)
in = svn_base64_decode_string(in, pool);
+ clear_sasl_errno();
result = sasl_client_step(sasl_ctx,
in->data,
in->len,
@@ -591,6 +619,7 @@ static svn_error_t *sasl_read_cb(void *b
*len = 0;
return SVN_NO_ERROR;
}
+ clear_sasl_errno();
result = sasl_decode(sasl_baton->ctx, buffer, len2,
&sasl_baton->read_buf,
&sasl_baton->read_len);
@@ -632,6 +661,7 @@ sasl_write_cb(void *baton, const char *b
{
/* Make sure we don't write too much. */
*len = (*len > sasl_baton->maxsize) ? sasl_baton->maxsize : *len;
+ clear_sasl_errno();
result = sasl_encode(sasl_baton->ctx, buffer, *len,
&sasl_baton->write_buf,
&sasl_baton->write_len);
@@ -692,6 +722,7 @@ svn_error_t *svn_ra_svn__enable_sasl_enc
int result;
/* Get the strength of the security layer. */
+ clear_sasl_errno();
result = sasl_getprop(sasl_ctx, SASL_SSF, (void*) &ssfp);
if (result != SASL_OK)
return svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
@@ -711,6 +742,7 @@ svn_error_t *svn_ra_svn__enable_sasl_enc
sasl_baton->scratch_pool = conn->pool;
/* Find out the maximum input size for sasl_encode. */
+ clear_sasl_errno();
result = sasl_getprop(sasl_ctx, SASL_MAXOUTBUF, &maxsize);
if (result != SASL_OK)
return svn_error_create(SVN_ERR_RA_NOT_AUTHORIZED, NULL,
@@ -721,6 +753,7 @@ svn_error_t *svn_ra_svn__enable_sasl_enc
we need to decrypt it. */
if (conn->read_end > conn->read_ptr)
{
+ clear_sasl_errno();
result = sasl_decode(sasl_ctx, conn->read_ptr,
conn->read_end - conn->read_ptr,
&sasl_baton->read_buf,
