Summary: CVS 1.12.12 GSSAPI hang
Project: Concurrent Versions System
Submitted by: None
Submitted on: Mon 12.09.2005 at 02:13
Category: None
Severity: 3 - Normal
Item Group: None
Status: None
Privacy: Public
Assigned to: None
Open/Closed: Open
Release:
Fixed Release: None
Fixed Feature Release: None
_______________________________________________________
Details:
gserver_authenticate_connection() uses "obsolete" fread()/fwrite().
It must use buf_read_data()/buf_output() instead.
_______________________________________________________
Reply to this item at:
<http://savannah.nongnu.org/bugs/?func=detailitem&item_id=14506>
_______________________________________________
Message sent via/by Savannah
http://savannah.nongnu.org/
Status: None => Postponed
_______________________________________________________
Follow-up Comment #1:
I can't easily test GSSAPI here. This would be much easier if you could
supply a tested patch.
Thanks,
Probably #14504 correct not complete
:gsx-csp:lse.users 07:53:48 cvs-1.12.12.hostname$ cvs -d
:gserver:gsx-csp:/var/cvsroot co mybuild
cvs [checkout aborted]: error from server gsx-csp: cvs [pserver aborted]:
can't get canonical hostname for `(null)': Name or service not known
I attach two workaround patches for 1.12.12:
#14504 - cvs-1.12.12-hostname.patch
#14506 - cvs-1.12.12-fread.patch
I don't understand. Do you need to use buf_read_data()/buf_output() in
gssapi-client.c:connect_to_gserver()?
_______________________________________________________
Additional Item Attachment:
File name: cvs-1.12.12-fread.patch Size:3 KB
Workaround #14506
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=2944>
File name: cvs-1.12.12-hostname.patch Size:0 KB
Workaround #14504
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=2945>
Sorry, I was mistaken and tested the current version before your commit. I
will try it later (I need some time to connect the GSSAPI cvs server machine to
`:ext:ano...@savannah.nongnu.org:/cvsroot/cvs').
Status: Postponed => Need Info
_______________________________________________________
Follow-up Comment #4:
Aside from some nitpicks, your changes to gserver_authenticate_connection
look good. Could you include a ChangeLog entry?
From the same patch file, why did you replace a call to send() with a call to
writev()? Are you having problems with send? I'd rather not change the call
without some other reason or benefit since I don't have a feel for how
portable writev() is and I know send() already works on many platforms.
I think your hostname patch is unnecessary after my recent change to fix
[bug #14504]
(http://savannah.nongnu.org/cgi-bin/viewcvs/cvs/ccvs/src/main.c.diff?r1=1.253&r2=1.254).
Thanks,
I ran first tests of the current version with `cvs-1.12.12.1-fread.patch' - it
works fine.
But I don't understand the do-loop at gssapi-client.c:104. I don't know how
to cause two or more iterations of it. It does not seem very good.
P.S.
Strictly speaking, two send() calls may cause a delay (double acknowledgment)
in TCP communication if the Nagle algorithm is disabled. In any case, I removed
the use of writev() from the patch, because the Nagle algorithm is commonly used.
Sorry for my best English.
_______________________________________________________
Additional Item Attachment:
File name: cvs-1.12.12.1-fread.patch Size:3 KB
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=2950>
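Added example, not part of the thread and not CVS code: a C sketch of the two I/O questions discussed above, sending a token and its length header with one writev() instead of two send() calls, and reading it back with unbuffered read() calls that loop over short reads. The 2-byte big-endian length framing, the function names (send_token, read_full, recv_token, demo_roundtrip), the constructed token and the socketpair standing in for the client/server connection are all assumptions of this sketch.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Assumed framing: 2-byte big-endian length, then the token bytes.
   One writev() hands both to the kernel; the loop resumes a partial write. */
static int send_token(int fd, const void *tok, uint16_t len)
{
    uint16_t be = htons(len);
    struct iovec iov[2] = { { &be, sizeof be }, { (void *)tok, len } };
    for (int i = 0; i < 2; ) {
        ssize_t n = writev(fd, &iov[i], 2 - i);
        if (n < 0) { if (errno == EINTR) continue; return -1; }
        while (i < 2 && (size_t)n >= iov[i].iov_len) n -= (ssize_t)iov[i++].iov_len;
        if (i < 2) { iov[i].iov_base = (char *)iov[i].iov_base + n; iov[i].iov_len -= (size_t)n; }
    }
    return 0;
}

/* Read exactly len bytes; a short read() is normal on a stream socket. */
static int read_full(int fd, void *buf, size_t len)
{
    for (char *p = buf; len > 0; ) {
        ssize_t n = read(fd, p, len);
        if (n < 0 && errno == EINTR) continue;
        if (n <= 0) return -1;            /* EOF or error mid-frame */
        p += n; len -= (size_t)n;
    }
    return 0;
}

/* Returns the token length, or -1 on EOF, error, or a length above cap. */
static int recv_token(int fd, void *buf, size_t cap)
{
    uint16_t be;
    if (read_full(fd, &be, sizeof be) < 0 || ntohs(be) > cap) return -1;
    return read_full(fd, buf, ntohs(be)) < 0 ? -1 : (int)ntohs(be);
}

/* Round trip of a constructed token over a socketpair (stand-in connection). */
int demo_roundtrip(char *out, size_t cap)
{
    int sv[2], n = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (send_token(sv[0], "constructed-gss-token", 21) == 0) n = recv_token(sv[1], out, cap);
    close(sv[0]); close(sv[1]);
    return n;
}
```

The length check in recv_token rejects a peer-supplied length larger than the caller's buffer before any token bytes are copied.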
Yes, you may include my ID (Serguei E. Leontiev <l...@CryptoPro.ru>) in the
ChangeLog.
I improved the main loop of connect_to_gserver ().
But gserver_authenticate_connection() doesn't have a loop.
For a GSS-API implementation by Kerberos this is good. If GSS-API uses something
other than Kerberos, then the server detects the error "GSSAPI authentication
failed: %s".
For connections with encryption (-x) or authentication (-a) see also bug
#14601.
_______________________________________________________
Additional Item Attachment:
File name: cvs-1.12.12.1-gssapi.patch Size:10 KB
patch to improve GSS-API (SuSE 9.3 & RHEL4 - OK)
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=2973>
Unfortunately Solaris doesn't have the krb5 library and krb5 functions.
I changed the "Kerberos specific code" to a more common case.
P.S.
Solaris 8/9 have a default GSS-API mechanism - diffie_hellman_640_0.
Maybe this fact needs to be added to the documentation?
_______________________________________________________
Additional Item Attachment:
File name: cvs-1.12.12.1-gssapi-solaris.patch Size:17 KB
patch to improve GSS-API (SuSE 9.3, RHEL4 & Solaris 9 - OK)
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=2975>
Hi Derek,
I submitted a new version of the patch to bugzilla. The main goal of this
version is to add simple-to-use regression tests for `gserver'.
1. I added the test `gserver' to sanity.sh. This test creates a "Kerberos 5
sand-box EXAMPLE.COM" and doesn't need Kerberos 5 infrastructure. Maybe you
will be able to start this test on your personal computer;
2. Compile gserver/client for Solaris 9/10;
3. Repair detected bugs.
TODO:
This patch is not ideal, but an ideal solution needs improvements to other
parts of CVS.
This needs discussion:
a. The regression test needs a local user `client'. Because gserver
authentication starts without a root definition,
gserver_authenticate_connection() can't use CVSROOT/passwd for user mapping.
Maybe add a command line option to point to CVSROOT/passwd?
b. Maybe add documentation for gserver? I could add the information, but
language :(.
c. The Windows ports don't have gserver. Do you need SSPI added to CVS? This is
medium work - 6-12 weeks.
d. The Root command works without any protection. Maybe start
encryption/integrity checking immediately after authentication with options
`-x' and `-a'?
For additional information see the patches for the ChangeLog files.
Sorry for my best English.
_______________________________________________________
Additional Item Attachment:
File name: gssapi-et-all-051002.patch Size:50 KB
Patch for bug#14506, bug#14601, bug#14641, bug#14687
<http://savannah.nongnu.org/bugs/download.php?item_id=14506&item_file_id=3017>
This is still broken (at least under Solaris) in today's HEAD. The minimal
changes required to fix it are the replacement of fread/fwrite. Can we please
get these changes merged in? It's been over 3 years... I can generate a
minimal diff if that will help (although real GSSAPI support without the krb5
kludges would be a good thing...)