Fossil

Check-in [41ba6ea7db]
Login

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Security enhancement: Do not store the passwords for remote URLs directly, but instead store the sha1_shared_secret() encoding of those passwords. It is the SHA1 encoding that gets transmitted to the server anyhow, so we might as well just store that. The SHA1 encoding cannot be used to log in. The password is still protected using obscure() even though it is now a SHA1 hash.
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA3-256: 41ba6ea7db6ce2ce159709ce9b95dee44f9f5f03a13f2f741f5a6ebc96c5f034
User & Date: drh 2022-12-30 20:54:10
References
2023-02-18
15:14 Wiki page "To Do List" ... (artifact: 38abf0c395 user: drh)
Context
2022-12-30
21:12
Improved comment on the db_obscure() routine. No functional code changes. ... (check-in: aa1a0b31e2 user: drh tags: trunk)
20:54
Security enhancement: Do not store the passwords for remote URLs directly, but instead store the sha1_shared_secret() encoding of those passwords. It is the SHA1 encoding that gets transmitted to the server anyhow, so we might as well just store that. The SHA1 encoding cannot be used to log in. The password is still protected using obscure() even though it is now a SHA1 hash. ... (check-in: 41ba6ea7db user: drh tags: trunk)
16:32
Show the parent-project-* CONFIG entries (if they exist) with the "fossil remote config-data" command. When parsing a URL, if the URL comes from the CONFIG table, remember the CONFIG table entry that supplied the password. ... (check-in: 6d0083adce user: drh tags: trunk)
Changes
Hide Diffs Unified Diffs Ignore Whitespace Patch

Changes to src/db.c.

1393
1394
1395
1396
1397
1398
1399





1400
1401
1402
1403
1404
1405
1406
1407
  int nIn = sqlite3_value_bytes(argv[0]);
  char *zOut, *zTemp;
  if( 0==zIn ) return;
  if( 0==(zOut = sqlite3_malloc64( nIn * 2 + 3 )) ){
    sqlite3_result_error_nomem(context);
    return;
  }





  strcpy(zOut, zTemp = obscure((char*)zIn));
  fossil_free(zTemp);
  sqlite3_result_text(context, zOut, strlen(zOut), sqlite3_free);
}

/*
** Return True if zName is a protected (a.k.a. "sensitive") setting.
*/







>
>
>
>
>
|







1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
  int nIn = sqlite3_value_bytes(argv[0]);
  char *zOut, *zTemp;
  if( 0==zIn ) return;
  if( 0==(zOut = sqlite3_malloc64( nIn * 2 + 3 )) ){
    sqlite3_result_error_nomem(context);
    return;
  }
  if( sqlite3_user_data(context)==0 ){
    zTemp = obscure((char*)zIn);
  }else{
    zTemp = unobscure((char*)zIn);
  }
  strcpy(zOut, zTemp);
  fossil_free(zTemp);
  sqlite3_result_text(context, zOut, strlen(zOut), sqlite3_free);
}

/*
** Return True if zName is a protected (a.k.a. "sensitive") setting.
*/

Changes to src/http.c.

88
89
90
91
92
93
94
95

96






97
98







99








100
101
102
103
104
105
106
    zPw = 0;
  }else{
    /* Password failure while doing a sync from the command-line interface */
    url_prompt_for_password();
    zPw = g.url.passwd;
  }

  /* The login card wants the SHA1 hash of the password, so convert the

  ** password to its SHA1 hash if it isn't already a SHA1 hash.






  */
  /* fossil_print("\nzPw=[%s]\n", zPw); // TESTING ONLY */







  if( zPw && zPw[0] ) zPw = sha1_shared_secret(zPw, zLogin, 0);









  blob_append(&pw, zPw, -1);
  sha1sum_blob(&pw, &sig);
  blob_appendf(pLogin, "login %F %b %b\n", zLogin, &nonce, &sig);
  blob_reset(&pw);
  blob_reset(&sig);
  blob_reset(&nonce);







|
>
|
>
>
>
>
>
>

<
>
>
>
>
>
>
>
|
>
>
>
>
>
>
>
>







88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104

105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
    zPw = 0;
  }else{
    /* Password failure while doing a sync from the command-line interface */
    url_prompt_for_password();
    zPw = g.url.passwd;
  }

  /* The login card wants the SHA1 hash of the password (as computed by
  ** sha1_shared_secret()), not the original password.  So convert the
  ** password to its SHA1 encoding if it isn't already a SHA1 hash.
  **
  ** We assume that a hexadecimal string of exactly 40 characters is a
  ** SHA1 hash, not an original password.  If a user has a password which
  ** just happens to be a 40-character hex string, then this routine won't
  ** be able to distinguish it from a hash, the translation will not be
  ** performed, and the sync won't work.  
  */

  if( zPw && zPw[0] && (strlen(zPw)!=40 || !validate16(zPw,40)) ){
    const char *zProjectCode = 0;
    if( g.url.flags & URL_USE_PARENT ){
      zProjectCode = db_get("parent-project-code", 0);
    }else{
      zProjectCode = db_get("project-code", 0);
    }
    zPw = sha1_shared_secret(zPw, zLogin, zProjectCode);
    if( g.url.pwConfig!=0 ){
      char *x = obscure(zPw);
      db_set(g.url.pwConfig/*works-like:"x"*/, x, 0);
      fossil_free(x);
    }
    fossil_free(g.url.passwd);
    g.url.passwd = fossil_strdup(zPw);
  }

  blob_append(&pw, zPw, -1);
  sha1sum_blob(&pw, &sig);
  blob_appendf(pLogin, "login %F %b %b\n", zLogin, &nonce, &sig);
  blob_reset(&pw);
  blob_reset(&sig);
  blob_reset(&nonce);

Changes to src/sqlcmd.c.

244
245
246
247
248
249
250


251
252
253
254
255
256
257
  db_protect_only(PROTECT_NONE);
  sqlite3_set_authorizer(db, db_top_authorizer, db);
  if( local_bSqlCmdTest ){
    sqlite3_create_function(db, "db_protect", 1, SQLITE_UTF8, 0,
                            sqlcmd_db_protect, 0, 0);
    sqlite3_create_function(db, "db_protect_pop", 0, SQLITE_UTF8, 0,
                            sqlcmd_db_protect_pop, 0, 0);


  }
  return SQLITE_OK;
}

/*
** atexit() handler that cleans up global state modified by this module.
*/







>
>







244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
  db_protect_only(PROTECT_NONE);
  sqlite3_set_authorizer(db, db_top_authorizer, db);
  if( local_bSqlCmdTest ){
    sqlite3_create_function(db, "db_protect", 1, SQLITE_UTF8, 0,
                            sqlcmd_db_protect, 0, 0);
    sqlite3_create_function(db, "db_protect_pop", 0, SQLITE_UTF8, 0,
                            sqlcmd_db_protect_pop, 0, 0);
    sqlite3_create_function(db, "shared_secret", 2, SQLITE_UTF8, 0,
                            sha1_shared_secret_sql_function, 0, 0);
  }
  return SQLITE_OK;
}

/*
** atexit() handler that cleans up global state modified by this module.
*/

Changes to src/sync.c.

558
559
560
561
562
563
564

565

566
567
568
569
570
571
572
**
**     Make REF the new default URL, replacing the prior default.
**     REF may be a URL or a NAME from a prior "add".
*/
void remote_url_cmd(void){
  char *zUrl, *zArg;
  int nArg;

  db_find_and_open_repository(0, 0);


  /* We should be done with options.. */
  verify_all_options();

  /* 2021-10-25: A note about data structures.
  **
  ** The remote URLs are stored in the CONFIG table.  The URL is stored







>

>







558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
**
**     Make REF the new default URL, replacing the prior default.
**     REF may be a URL or a NAME from a prior "add".
*/
void remote_url_cmd(void){
  char *zUrl, *zArg;
  int nArg;
  int showPw;
  db_find_and_open_repository(0, 0);
  showPw = find_option("show-passwords",0,0)!=0;

  /* We should be done with options.. */
  verify_all_options();

  /* 2021-10-25: A note about data structures.
  **
  ** The remote URLs are stored in the CONFIG table.  The URL is stored
758
759
760
761
762
763
764
765
766
767
768
769
770


771
772
773
774
775
776
777
778
779
780


781
782
783
784
785
786

787
788
789
790
791
792
793
    db_multi_exec("DELETE FROM config WHERE name glob 'sync-pw:*'");
    db_multi_exec("DELETE FROM config WHERE name = 'last-sync-pw'");
    db_protect_pop();
    db_commit_transaction();
    return;
  }
  if( strncmp(zArg, "config-data", nArg)==0 ){
    /* Undocumented command:  "fossil remote config-data"
    **
    ** Show the CONFIG table entries that relate to remembering remote URLs
    */
    Stmt q;
    int n;


    n = db_int(13,
       "SELECT max(length(name))"
       "  FROM config"
       " WHERE name GLOB 'sync-*:*'"
          " OR name GLOB 'last-sync-*'"
          " OR name GLOB 'parent-project-*'"
    );
    db_prepare(&q,
       "SELECT name,"
       "       CASE WHEN name LIKE '%%sync-pw%%' OR name='parent-project-pw'"


                  " THEN printf('%%.*c',length(value),'*') ELSE value END"
       "  FROM config"
       " WHERE name GLOB 'sync-*:*'"
          " OR name GLOB 'last-sync-*'"
          " OR name GLOB 'parent-project-*'"
       " ORDER BY name LIKE '%%sync-pw%%' OR name='parent-project-pw', name"

    );
    while( db_step(&q)==SQLITE_ROW ){
      fossil_print("%-*s  %s\n",
        n, db_column_text(&q,0),
        db_column_text(&q,1)
      );
    }







|





>
>








|
|
>
>
|
|
|
|
|
|
>







760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
    db_multi_exec("DELETE FROM config WHERE name glob 'sync-pw:*'");
    db_multi_exec("DELETE FROM config WHERE name = 'last-sync-pw'");
    db_protect_pop();
    db_commit_transaction();
    return;
  }
  if( strncmp(zArg, "config-data", nArg)==0 ){
    /* Undocumented command:  "fossil remote config-data [-show-passwords]"
    **
    ** Show the CONFIG table entries that relate to remembering remote URLs
    */
    Stmt q;
    int n;
    sqlite3_create_function(g.db, "unobscure", 1, SQLITE_UTF8, &g.db,
                            db_obscure, 0, 0);
    n = db_int(13,
       "SELECT max(length(name))"
       "  FROM config"
       " WHERE name GLOB 'sync-*:*'"
          " OR name GLOB 'last-sync-*'"
          " OR name GLOB 'parent-project-*'"
    );
    db_prepare(&q,
      "SELECT name,"
      "  CASE WHEN name NOT LIKE '%%sync-pw%%' AND name<>'parent-project-pw'"
      "       THEN value"
      "       WHEN %d THEN unobscure(value)"
      "       ELSE printf('%%.*c',length(value)/2-1,'*') END"
      "  FROM config"
      " WHERE name GLOB 'sync-*:*'"
         " OR name GLOB 'last-sync-*'"
         " OR name GLOB 'parent-project-*'"
      " ORDER BY name LIKE '%%sync-pw%%' OR name='parent-project-pw', name",
      showPw
    );
    while( db_step(&q)==SQLITE_ROW ){
      fossil_print("%-*s  %s\n",
        n, db_column_text(&q,0),
        db_column_text(&q,1)
      );
    }

Changes to src/xfer.c.

796
797
798
799
800
801
802
803


804
805
806
807
808
809
810
** Check the signature on an application/x-fossil payload received by
** the HTTP server.  The signature is a line of the following form:
**
**        login LOGIN NONCE SIGNATURE
**
** The NONCE is the SHA1 hash of the remainder of the input.
** SIGNATURE is the SHA1 checksum of the NONCE concatenated
** with the users password.


**
** The parameters to this routine are ephemeral blobs holding the
** LOGIN, NONCE and SIGNATURE.
**
** This routine attempts to locate the user and verify the signature.
** If everything checks out, the USER.CAP column for the USER table
** is consulted to set privileges in the global g variable.







|
>
>







796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
** Check the signature on an application/x-fossil payload received by
** the HTTP server.  The signature is a line of the following form:
**
**        login LOGIN NONCE SIGNATURE
**
** The NONCE is the SHA1 hash of the remainder of the input.
** SIGNATURE is the SHA1 checksum of the NONCE concatenated
** with the sha1_shared_secret() encoding of the users password.
**
**   SIGNATURE = sha1_sum( NONCE + sha1_shared_secret(PASSWORD) );
**
** The parameters to this routine are ephemeral blobs holding the
** LOGIN, NONCE and SIGNATURE.
**
** This routine attempts to locate the user and verify the signature.
** If everything checks out, the USER.CAP column for the USER table
** is consulted to set privileges in the global g variable.