[PATCH 0/3] cvsserver: correctly validate pserver passwords

[PATCH 0/3] cvsserver: correctly validate pserver passwords

[Carlo Marcelo Arenas Belón]

The first patch should be applied by any user of git-cvsserver, and
hashes for all pserver accounts updated; because the code originally
was using the username instead of the password to validate accounts,
and it might had even worked if the first 2 characters of the password
where the same (ex: cvsuser/cvspassword).

The second one allows for successfully running t9400 in OpenBSD and
will protect the code further from the possible use of an undef
variable, and shows that support for better password hashes than DES
is possible.

Carlo Marcelo Arenas Belón (3):
  git-cvsserver: use crypt correctly to compare password hashes
  git-cvsserver: protect against NULL in crypt(3)
  Documentation: cleanup git-cvsserver

 Documentation/git-cvsserver.txt | 27 +++++++++++++--------------
 git-cvsserver.perl              |  7 ++++---
 t/t9400-git-cvsserver-server.sh |  9 ++++++++-
 3 files changed, 25 insertions(+), 18 deletions(-)

-- 
2.33.0.481.g26d3bed244

[PATCH 1/3] git-cvsserver: use crypt correctly to compare password hashes

[Carlo Marcelo Arenas Belón]

c057bad370 (git-cvsserver: use a password file cvsserver pserver,
2010-05-15) adds a way for `git cvsserver` to provide authenticated
pserver accounts without having clear text passwords, but uses the
username instead of the password to the call for crypt(3).

Correct that, and make sure the documentation correctly indicates how
to obtain hashed passwords that could be used to populate this
configuration, as well as correcting the hash that was used for the
tests.

This change will require that any user of this feature updates the
hashes in their configuration, but has the advantage of using a more
similar format than cvs uses, probably also easying any migration.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 Documentation/git-cvsserver.txt | 10 ++++------
 git-cvsserver.perl              |  2 +-
 t/t9400-git-cvsserver-server.sh |  4 +++-
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index f2e4a47ebe..4d13367c77 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -118,13 +118,11 @@ for example:
    myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
 ------
 You can use the 'htpasswd' facility that comes with Apache to make these
-files, but Apache's MD5 crypt method differs from the one used by most C
-library's crypt() function, so don't use the -m option.
+files, but only with the -d option (or -B if your system suports it).
 
-Alternatively you can produce the password with perl's crypt() operator:
------
-   perl -e 'my ($user, $pass) = @ARGV; printf "%s:%s\n", $user, crypt($user, $pass)' $USER password
------
+Preferably use the system specific utility that manages password hash
+creation in your platform (e.g. mkpasswd in Linux, encrypt in OpenBSD or
+pwhash in NetBSD) and paste it in the right location.
 
 Then provide your password via the pserver method, for example:
 ------
diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index ed035f32c2..4c93b5d099 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -222,7 +222,7 @@
         open my $passwd, "<", $authdb or die $!;
         while (<$passwd>) {
             if (m{^\Q$user\E:(.*)}) {
-                if (crypt($user, descramble($password)) eq $1) {
+                if (crypt(descramble($password), $1) eq $1) {
                     $auth_ok = 1;
                 }
             };
diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh
index 2d29d486ee..59b40359c7 100755
--- a/t/t9400-git-cvsserver-server.sh
+++ b/t/t9400-git-cvsserver-server.sh
@@ -36,6 +36,8 @@ CVSWORK="$PWD/cvswork"
 CVS_SERVER=git-cvsserver
 export CVSROOT CVS_SERVER
 
+PWDHASH='lac2ItudM3.KM'
+
 rm -rf "$CVSWORK" "$SERVERDIR"
 test_expect_success 'setup' '
   git config push.default matching &&
@@ -54,7 +56,7 @@ test_expect_success 'setup' '
   GIT_DIR="$SERVERDIR" git config --bool gitcvs.enabled true &&
   GIT_DIR="$SERVERDIR" git config gitcvs.logfile "$SERVERDIR/gitcvs.log" &&
   GIT_DIR="$SERVERDIR" git config gitcvs.authdb "$SERVERDIR/auth.db" &&
-  echo cvsuser:cvGVEarMLnhlA > "$SERVERDIR/auth.db"
+  echo "cvsuser:$PWDHASH" >"$SERVERDIR/auth.db"
 '
 
 # note that cvs doesn't accept absolute pathnames
-- 
2.33.0.481.g26d3bed244

[PATCH 2/3] git-cvsserver: protect against NULL in crypt(3)

[Carlo Marcelo Arenas Belón]

Some versions of crypt(3) will return NULL when passed an unsupported
hash type (ex: OpenBSD with DES), so check for undef instead of using
it directly.

Also use this to probe the system and select a better hash function in
the tests, so it can pass successfully.

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 git-cvsserver.perl              | 7 ++++---
 t/t9400-git-cvsserver-server.sh | 7 ++++++-
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/git-cvsserver.perl b/git-cvsserver.perl
index 4c93b5d099..8e7c34a235 100755
--- a/git-cvsserver.perl
+++ b/git-cvsserver.perl
@@ -222,10 +222,11 @@
         open my $passwd, "<", $authdb or die $!;
         while (<$passwd>) {
             if (m{^\Q$user\E:(.*)}) {
-                if (crypt(descramble($password), $1) eq $1) {
-                    $auth_ok = 1;
+                my $hash = crypt(descramble($password), $1);
+                if (defined $hash) {
+                    $auth_ok = 1 if $hash eq $1;
                 }
-            };
+            }
         }
         close $passwd;
 
diff --git a/t/t9400-git-cvsserver-server.sh b/t/t9400-git-cvsserver-server.sh
index 59b40359c7..17f988edd2 100755
--- a/t/t9400-git-cvsserver-server.sh
+++ b/t/t9400-git-cvsserver-server.sh
@@ -36,7 +36,12 @@ CVSWORK="$PWD/cvswork"
 CVS_SERVER=git-cvsserver
 export CVSROOT CVS_SERVER
 
-PWDHASH='lac2ItudM3.KM'
+if perl -e 'exit(1) if not defined crypt("", "cv")'
+then
+	PWDHASH='lac2ItudM3.KM'
+else
+	PWDHASH='$2b$10$t8fGvE/a9eLmfOLzsZme2uOa2QtoMYwIxq9wZA6aBKtF1Yb7FJIzi'
+fi
 
 rm -rf "$CVSWORK" "$SERVERDIR"
 test_expect_success 'setup' '
-- 
2.33.0.481.g26d3bed244

[PATCH 3/3] Documentation: cleanup git-cvsserver

[Carlo Marcelo Arenas Belón]

Fix a few typos and alignment issues, and while at it update the
example hashes to show most of the ones available in recent crypt(3).

Signed-off-by: Carlo Marcelo Arenas Belón <carenas@gmail.com>
---
 Documentation/git-cvsserver.txt | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/Documentation/git-cvsserver.txt b/Documentation/git-cvsserver.txt
index 4d13367c77..4dc57ed254 100644
--- a/Documentation/git-cvsserver.txt
+++ b/Documentation/git-cvsserver.txt
@@ -99,7 +99,7 @@ looks like
 
 ------
 
-Only anonymous access is provided by pserve by default. To commit you
+Only anonymous access is provided by pserver by default. To commit you
 will have to create pserver accounts, simply add a gitcvs.authdb
 setting in the config file of the repositories you want the cvsserver
 to allow writes to, for example:
@@ -114,8 +114,9 @@ The format of these files is username followed by the encrypted password,
 for example:
 
 ------
-   myuser:$1Oyx5r9mdGZ2
-   myuser:$1$BA)@$vbnMJMDym7tA32AamXrm./
+   myuser:sqkNi8zPf01HI
+   myuser:$1$9K7FzU28$VfF6EoPYCJEYcVQwATgOP/
+   myuser:$5$.NqmNH1vwfzGpV8B$znZIcumu1tNLATgV2l6e1/mY8RzhUDHMOaVOeL1cxV3
 ------
 You can use the 'htpasswd' facility that comes with Apache to make these
 files, but only with the -d option (or -B if your system suports it).
@@ -126,7 +127,7 @@ pwhash in NetBSD) and paste it in the right location.
 
 Then provide your password via the pserver method, for example:
 ------
-   cvs -d:pserver:someuser:somepassword <at> server/path/repo.git co <HEAD_name>
+   cvs -d:pserver:someuser:somepassword@server:/path/repo.git co <HEAD_name>
 ------
 No special setup is needed for SSH access, other than having Git tools
 in the PATH. If you have clients that do not accept the CVS_SERVER
@@ -136,7 +137,7 @@ Note: Newer CVS versions (>= 1.12.11) also support specifying
 CVS_SERVER directly in CVSROOT like
 
 ------
-cvs -d ":ext;CVS_SERVER=git cvsserver:user@server/path/repo.git" co <HEAD_name>
+   cvs -d ":ext;CVS_SERVER=git cvsserver:user@server/path/repo.git" co <HEAD_name>
 ------
 This has the advantage that it will be saved in your 'CVS/Root' files and
 you don't need to worry about always setting the correct environment
@@ -184,8 +185,8 @@ allowing access over SSH.
 +
 --
 ------
-     export CVSROOT=:ext:user@server:/var/git/project.git
-     export CVS_SERVER="git cvsserver"
+   export CVSROOT=:ext:user@server:/var/git/project.git
+   export CVS_SERVER="git cvsserver"
 ------
 --
 4. For SSH clients that will make commits, make sure their server-side
@@ -201,7 +202,7 @@ allowing access over SSH.
    `project-master` directory:
 +
 ------
-     cvs co -d project-master master
+   cvs co -d project-master master
 ------
 
 [[dbbackend]]
-- 
2.33.0.481.g26d3bed244

Re: [PATCH 2/3] git-cvsserver: protect against NULL in crypt(3)

[Junio C Hamano]

Carlo Marcelo Arenas Belón  <carenas@gmail.com> writes:

> -                if (crypt(descramble($password), $1) eq $1) {
> -                    $auth_ok = 1;
> +                my $hash = crypt(descramble($password), $1);
> +                if (defined $hash) {
> +                    $auth_ok = 1 if $hash eq $1;
>                  }

It is not wrong per-se to separate the two checks into two separate
parts of the conditional, but because we check for definedness only
because comparison of it with $1 makes sense only when it is
defined, writing it either like this, 

		if (defined $hash and $hash eq $1) {
			$auth_ok = 1;
		}

or even like this,

		$auth_ok = (defined $hash and $hash eq $1);

may be easier to read, no?

Re: [PATCH 2/3] git-cvsserver: protect against NULL in crypt(3)

[Carlo Arenas]

On Thu, Sep 16, 2021 at 3:11 PM Junio C Hamano <gitster@pobox.com> wrote:
>
> Carlo Marcelo Arenas Belón  <carenas@gmail.com> writes:
>
> > -                if (crypt(descramble($password), $1) eq $1) {
> > -                    $auth_ok = 1;
> > +                my $hash = crypt(descramble($password), $1);
> > +                if (defined $hash) {
> > +                    $auth_ok = 1 if $hash eq $1;
> >                  }
>
> It is not wrong per-se to separate the two checks into two separate
> parts of the conditional, but because we check for definedness only
> because comparison of it with $1 makes sense only when it is
> defined, writing it either like this,
>
>                 if (defined $hash and $hash eq $1) {
>                         $auth_ok = 1;
>                 }
>
> or even like this,
>
>                 $auth_ok = (defined $hash and $hash eq $1);
>
> may be easier to read, no?

yes, let's go with the earlier; I was trying to mimic the original
code, but agree on a second read that it looks confusing.
assuming there are no more comments, would you want a reroll?

Carlo

Re: [PATCH 2/3] git-cvsserver: protect against NULL in crypt(3)

[Junio C Hamano]

Carlo Arenas <carenas@gmail.com> writes:

>> It is not wrong per-se to separate the two checks into two separate
>> parts of the conditional, but because we check for definedness only
>> because comparison of it with $1 makes sense only when it is
>> defined, writing it either like this,
>>
>>                 if (defined $hash and $hash eq $1) {
>>                         $auth_ok = 1;
>>                 }
>>
>> or even like this,
>>
>>                 $auth_ok = (defined $hash and $hash eq $1);
>>
>> may be easier to read, no?
>
> yes, let's go with the earlier; I was trying to mimic the original
> code, but agree on a second read that it looks confusing.
> assuming there are no more comments, would you want a reroll?

If there are no more comments, I certainly can tweak it myself, but
I'd rather not have to keep an eye to see if the thread gets any
comment myself to begin with, as it will not scale as the process
when there are multiple contributors and only one maintainer.

So, I'll make a local tweak myself and mark the topic as "On hold",
to let you ping me after waiting for a while to see if the thread
gets other comments that require a reroll.

Thanks.