Many hyperlinks are disabled.
Use anonymous login
to enable hyperlinks.
Overview
Comment: | Security enhancement: Do not store the passwords for remote URLs directly, but instead store the sha1_shared_secret() encoding of those passwords. It is the SHA1 encoding that gets transmitted to the server anyhow, so we might as well just store that. The SHA1 encoding cannot be used to log in. The password is still protected using obscure() even though it is now a SHA1 hash. |
---|---|
Downloads: | Tarball | ZIP archive | SQL archive |
Timelines: | family | ancestors | descendants | both | trunk |
Files: | files | file ages | folders |
SHA3-256: |
41ba6ea7db6ce2ce159709ce9b95dee4 |
User & Date: | drh 2022-12-30 20:54:10 |
References
2023-02-18
| ||
15:14 | • Wiki page "To Do List" ... (artifact: 38abf0c395 user: drh) | |
Context
2022-12-30
| ||
21:12 | Improved comment on the db_obscure() routine. No functional code changes. ... (check-in: aa1a0b31e2 user: drh tags: trunk) | |
20:54 | Security enhancement: Do not store the passwords for remote URLs directly, but instead store the sha1_shared_secret() encoding of those passwords. It is the SHA1 encoding that gets transmitted to the server anyhow, so we might as well just store that. The SHA1 encoding cannot be used to log in. The password is still protected using obscure() even though it is now a SHA1 hash. ... (check-in: 41ba6ea7db user: drh tags: trunk) | |
16:32 | Show the parent-project-* CONFIG entries (if they exist) with the "fossil remote config-data" command. When parsing a URL, if the URL comes from the CONFIG table, remember the CONFIG table entry that supplied the password. ... (check-in: 6d0083adce user: drh tags: trunk) | |
Changes
Changes to src/db.c.
︙ | ︙ | |||
1393 1394 1395 1396 1397 1398 1399 | int nIn = sqlite3_value_bytes(argv[0]); char *zOut, *zTemp; if( 0==zIn ) return; if( 0==(zOut = sqlite3_malloc64( nIn * 2 + 3 )) ){ sqlite3_result_error_nomem(context); return; } | > > > > > | | 1393 1394 1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 1405 1406 1407 1408 1409 1410 1411 1412 | int nIn = sqlite3_value_bytes(argv[0]); char *zOut, *zTemp; if( 0==zIn ) return; if( 0==(zOut = sqlite3_malloc64( nIn * 2 + 3 )) ){ sqlite3_result_error_nomem(context); return; } if( sqlite3_user_data(context)==0 ){ zTemp = obscure((char*)zIn); }else{ zTemp = unobscure((char*)zIn); } strcpy(zOut, zTemp); fossil_free(zTemp); sqlite3_result_text(context, zOut, strlen(zOut), sqlite3_free); } /* ** Return True if zName is a protected (a.k.a. "sensitive") setting. */ |
︙ | ︙ |
Changes to src/http.c.
︙ | ︙ | |||
88 89 90 91 92 93 94 | zPw = 0; }else{ /* Password failure while doing a sync from the command-line interface */ url_prompt_for_password(); zPw = g.url.passwd; } | | > | > > > > > > < > > > > > > > | > > > > > > > > | 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 | zPw = 0; }else{ /* Password failure while doing a sync from the command-line interface */ url_prompt_for_password(); zPw = g.url.passwd; } /* The login card wants the SHA1 hash of the password (as computed by ** sha1_shared_secret()), not the original password. So convert the ** password to its SHA1 encoding if it isn't already a SHA1 hash. ** ** We assume that a hexadecimal string of exactly 40 characters is a ** SHA1 hash, not an original password. If a user has a password which ** just happens to be a 40-character hex string, then this routine won't ** be able to distinguish it from a hash, the translation will not be ** performed, and the sync won't work. */ if( zPw && zPw[0] && (strlen(zPw)!=40 || !validate16(zPw,40)) ){ const char *zProjectCode = 0; if( g.url.flags & URL_USE_PARENT ){ zProjectCode = db_get("parent-project-code", 0); }else{ zProjectCode = db_get("project-code", 0); } zPw = sha1_shared_secret(zPw, zLogin, zProjectCode); if( g.url.pwConfig!=0 ){ char *x = obscure(zPw); db_set(g.url.pwConfig/*works-like:"x"*/, x, 0); fossil_free(x); } fossil_free(g.url.passwd); g.url.passwd = fossil_strdup(zPw); } blob_append(&pw, zPw, -1); sha1sum_blob(&pw, &sig); blob_appendf(pLogin, "login %F %b %b\n", zLogin, &nonce, &sig); blob_reset(&pw); blob_reset(&sig); blob_reset(&nonce); |
︙ | ︙ |
Changes to src/sqlcmd.c.
︙ | ︙ | |||
244 245 246 247 248 249 250 251 252 253 254 255 256 257 | db_protect_only(PROTECT_NONE); sqlite3_set_authorizer(db, db_top_authorizer, db); if( local_bSqlCmdTest ){ sqlite3_create_function(db, "db_protect", 1, SQLITE_UTF8, 0, sqlcmd_db_protect, 0, 0); sqlite3_create_function(db, "db_protect_pop", 0, SQLITE_UTF8, 0, sqlcmd_db_protect_pop, 0, 0); } return SQLITE_OK; } /* ** atexit() handler that cleans up global state modified by this module. */ | > > | 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 | db_protect_only(PROTECT_NONE); sqlite3_set_authorizer(db, db_top_authorizer, db); if( local_bSqlCmdTest ){ sqlite3_create_function(db, "db_protect", 1, SQLITE_UTF8, 0, sqlcmd_db_protect, 0, 0); sqlite3_create_function(db, "db_protect_pop", 0, SQLITE_UTF8, 0, sqlcmd_db_protect_pop, 0, 0); sqlite3_create_function(db, "shared_secret", 2, SQLITE_UTF8, 0, sha1_shared_secret_sql_function, 0, 0); } return SQLITE_OK; } /* ** atexit() handler that cleans up global state modified by this module. */ |
︙ | ︙ |
Changes to src/sync.c.
︙ | ︙ | |||
558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 | ** ** Make REF the new default URL, replacing the prior default. ** REF may be a URL or a NAME from a prior "add". */ void remote_url_cmd(void){ char *zUrl, *zArg; int nArg; db_find_and_open_repository(0, 0); /* We should be done with options.. */ verify_all_options(); /* 2021-10-25: A note about data structures. ** ** The remote URLs are stored in the CONFIG table. The URL is stored | > > | 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 | ** ** Make REF the new default URL, replacing the prior default. ** REF may be a URL or a NAME from a prior "add". */ void remote_url_cmd(void){ char *zUrl, *zArg; int nArg; int showPw; db_find_and_open_repository(0, 0); showPw = find_option("show-passwords",0,0)!=0; /* We should be done with options.. */ verify_all_options(); /* 2021-10-25: A note about data structures. ** ** The remote URLs are stored in the CONFIG table. The URL is stored |
︙ | ︙ | |||
758 759 760 761 762 763 764 | db_multi_exec("DELETE FROM config WHERE name glob 'sync-pw:*'"); db_multi_exec("DELETE FROM config WHERE name = 'last-sync-pw'"); db_protect_pop(); db_commit_transaction(); return; } if( strncmp(zArg, "config-data", nArg)==0 ){ | | > > | | > > | | | | | | > | 760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 779 780 781 782 783 784 785 786 787 788 789 790 791 792 793 794 795 796 797 798 799 800 | db_multi_exec("DELETE FROM config WHERE name glob 'sync-pw:*'"); db_multi_exec("DELETE FROM config WHERE name = 'last-sync-pw'"); db_protect_pop(); db_commit_transaction(); return; } if( strncmp(zArg, "config-data", nArg)==0 ){ /* Undocumented command: "fossil remote config-data [-show-passwords]" ** ** Show the CONFIG table entries that relate to remembering remote URLs */ Stmt q; int n; sqlite3_create_function(g.db, "unobscure", 1, SQLITE_UTF8, &g.db, db_obscure, 0, 0); n = db_int(13, "SELECT max(length(name))" " FROM config" " WHERE name GLOB 'sync-*:*'" " OR name GLOB 'last-sync-*'" " OR name GLOB 'parent-project-*'" ); db_prepare(&q, "SELECT name," " CASE WHEN name NOT LIKE '%%sync-pw%%' AND name<>'parent-project-pw'" " THEN value" " WHEN %d THEN unobscure(value)" " ELSE printf('%%.*c',length(value)/2-1,'*') END" " FROM config" " WHERE name GLOB 'sync-*:*'" " OR name GLOB 'last-sync-*'" " OR name GLOB 'parent-project-*'" " ORDER BY name LIKE '%%sync-pw%%' OR name='parent-project-pw', name", showPw ); while( db_step(&q)==SQLITE_ROW ){ fossil_print("%-*s %s\n", n, db_column_text(&q,0), db_column_text(&q,1) ); } |
︙ | ︙ |
Changes to src/xfer.c.
︙ | ︙ | |||
796 797 798 799 800 801 802 | ** Check the signature on an application/x-fossil payload received by ** the HTTP server. The signature is a line of the following form: ** ** login LOGIN NONCE SIGNATURE ** ** The NONCE is the SHA1 hash of the remainder of the input. ** SIGNATURE is the SHA1 checksum of the NONCE concatenated | | > > | 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 | ** Check the signature on an application/x-fossil payload received by ** the HTTP server. The signature is a line of the following form: ** ** login LOGIN NONCE SIGNATURE ** ** The NONCE is the SHA1 hash of the remainder of the input. ** SIGNATURE is the SHA1 checksum of the NONCE concatenated ** with the sha1_shared_secret() encoding of the users password. ** ** SIGNATURE = sha1_sum( NONCE + sha1_shared_secret(PASSWORD) ); ** ** The parameters to this routine are ephemeral blobs holding the ** LOGIN, NONCE and SIGNATURE. ** ** This routine attempts to locate the user and verify the signature. ** If everything checks out, the USER.CAP column for the USER table ** is consulted to set privileges in the global g variable. |
︙ | ︙ |