Fossil SCM

Remove lots of debug output. Replace a couple of mprintf() with fossil_strdup() and a couple free() with fossil_free(). Milestone: libfossil has successfully logged in to this version of fossil.

stephan 2025-07-22 17:52 xfer-login-card

Commit 1078a123c1c2ddbd98875d04af278476414d50dda7024ecd59f8974f76f8f24c

Parent 2250a684cc1f5c6…

4 files changed -1 -5 +2 -2 +1 -31

~ src/cgi.c ~ src/http.c ~ src/sha1.c ~ src/xfer.c

M src/cgi.c

-1

		--- src/cgi.c
		+++ src/cgi.c
		@@ -2224,11 +2224,10 @@
2224	2224	rangeEnd = x2+1;
2225	2225	}
2226	2226	}else if( fossil_strcmp(zFieldName, "x-fossil-xfer-login:")==0 ){
2227	2227	g.syncInfo.zLoginCard = fossil_strdup(zVal);
2228	2228	g.syncInfo.bLoginCardHeader = 1;
2229		- /fprintf(stderr, "X-Fossil-Xfer-Login: %s\n", g.syncInfo.zLoginCard);/
2230	2229	}
2231	2230	}
2232	2231	cgi_setenv("REQUEST_SCHEME",zScheme);
2233	2232	cgi_init();
2234	2233	cgi_trace(0);
2235	2234

	--- src/cgi.c
	+++ src/cgi.c
	@@ -2224,11 +2224,10 @@
2224	rangeEnd = x2+1;
2225	}
2226	}else if( fossil_strcmp(zFieldName, "x-fossil-xfer-login:")==0 ){
2227	g.syncInfo.zLoginCard = fossil_strdup(zVal);
2228	g.syncInfo.bLoginCardHeader = 1;
2229	/fprintf(stderr, "X-Fossil-Xfer-Login: %s\n", g.syncInfo.zLoginCard);/
2230	}
2231	}
2232	cgi_setenv("REQUEST_SCHEME",zScheme);
2233	cgi_init();
2234	cgi_trace(0);
2235

	--- src/cgi.c
	+++ src/cgi.c
	@@ -2224,11 +2224,10 @@
2224	rangeEnd = x2+1;
2225	}
2226	}else if( fossil_strcmp(zFieldName, "x-fossil-xfer-login:")==0 ){
2227	g.syncInfo.zLoginCard = fossil_strdup(zVal);
2228	g.syncInfo.bLoginCardHeader = 1;

2229	}
2230	}
2231	cgi_setenv("REQUEST_SCHEME",zScheme);
2232	cgi_init();
2233	cgi_trace(0);
2234

M src/http.c

-5

		--- src/http.c
		+++ src/http.c
		@@ -472,15 +472,10 @@
472	472	blob_zero(&login);
473	473	if( blob_size(pSend)==0 ){
474	474	blob_zero(&payload);
475	475	}else{
476	476	if( mHttpFlags & HTTP_USE_LOGIN ) http_build_login_card(pSend, &login);
477		-#if 0
478		- fprintf(stderr, "# g.syncInfo.bLoginCardHeader=%d login card=%s\n",
479		- g.syncInfo.bLoginCardHeader,
480		- blob_size(&login) ? blob_str(&login) : "<empty>");
481		-#endif
482	477	if( g.syncInfo.bLoginCardHeader ) {
483	478	/* Send the login card as an HTTP header. */
484	479	if( g.fHttpTrace \|\| (mHttpFlags & HTTP_NOCOMPRESS)!=0 ){
485	480	#if 1
486	481	/blob_append(&payload, blob_buffer(pSend), blob_size(pSend));/
487	482

	--- src/http.c
	+++ src/http.c
	@@ -472,15 +472,10 @@
472	blob_zero(&login);
473	if( blob_size(pSend)==0 ){
474	blob_zero(&payload);
475	}else{
476	if( mHttpFlags & HTTP_USE_LOGIN ) http_build_login_card(pSend, &login);
477	#if 0
478	fprintf(stderr, "# g.syncInfo.bLoginCardHeader=%d login card=%s\n",
479	g.syncInfo.bLoginCardHeader,
480	blob_size(&login) ? blob_str(&login) : "<empty>");
481	#endif
482	if( g.syncInfo.bLoginCardHeader ) {
483	/* Send the login card as an HTTP header. */
484	if( g.fHttpTrace \|\| (mHttpFlags & HTTP_NOCOMPRESS)!=0 ){
485	#if 1
486	/blob_append(&payload, blob_buffer(pSend), blob_size(pSend));/
487

	--- src/http.c
	+++ src/http.c
	@@ -472,15 +472,10 @@
472	blob_zero(&login);
473	if( blob_size(pSend)==0 ){
474	blob_zero(&payload);
475	}else{
476	if( mHttpFlags & HTTP_USE_LOGIN ) http_build_login_card(pSend, &login);





477	if( g.syncInfo.bLoginCardHeader ) {
478	/* Send the login card as an HTTP header. */
479	if( g.fHttpTrace \|\| (mHttpFlags & HTTP_NOCOMPRESS)!=0 ){
480	#if 1
481	/blob_append(&payload, blob_buffer(pSend), blob_size(pSend));/
482

M src/sha1.c

+2 -2

		--- src/sha1.c
		+++ src/sha1.c
		@@ -459,11 +459,11 @@
459	459
460	460	/* On the first xfer request of a clone, the project-code is not yet
461	461	** known. Use the cleartext password, since that is all we have.
462	462	*/
463	463	if( zProjectId==0 ){
464		- return mprintf("%s", zPw);
	464	+ return fossil_strdup(zPw);
465	465	}
466	466	}
467	467	zProjCode = zProjectId;
468	468	}
469	469	SHA1Update(&ctx, (unsigned char*)zProjCode, strlen(zProjCode));
		@@ -471,11 +471,11 @@
471	471	SHA1Update(&ctx, (unsigned char*)zLogin, strlen(zLogin));
472	472	SHA1Update(&ctx, (unsigned char*)"/", 1);
473	473	SHA1Update(&ctx, (unsigned const char*)zPw, strlen(zPw));
474	474	SHA1Final(zResult, &ctx);
475	475	DigestToBase16(zResult, zDigest);
476		- return mprintf("%s", zDigest);
	476	+ return fossil_strdup(zDigest);
477	477	}
478	478
479	479	/*
480	480	** Implement the shared_secret() SQL function. shared_secret() takes two or
481	481	** three arguments; the third argument is optional.
482	482

	--- src/sha1.c
	+++ src/sha1.c
	@@ -459,11 +459,11 @@
459
460	/* On the first xfer request of a clone, the project-code is not yet
461	** known. Use the cleartext password, since that is all we have.
462	*/
463	if( zProjectId==0 ){
464	return mprintf("%s", zPw);
465	}
466	}
467	zProjCode = zProjectId;
468	}
469	SHA1Update(&ctx, (unsigned char*)zProjCode, strlen(zProjCode));
	@@ -471,11 +471,11 @@
471	SHA1Update(&ctx, (unsigned char*)zLogin, strlen(zLogin));
472	SHA1Update(&ctx, (unsigned char*)"/", 1);
473	SHA1Update(&ctx, (unsigned const char*)zPw, strlen(zPw));
474	SHA1Final(zResult, &ctx);
475	DigestToBase16(zResult, zDigest);
476	return mprintf("%s", zDigest);
477	}
478
479	/*
480	** Implement the shared_secret() SQL function. shared_secret() takes two or
481	** three arguments; the third argument is optional.
482

	--- src/sha1.c
	+++ src/sha1.c
	@@ -459,11 +459,11 @@
459
460	/* On the first xfer request of a clone, the project-code is not yet
461	** known. Use the cleartext password, since that is all we have.
462	*/
463	if( zProjectId==0 ){
464	return fossil_strdup(zPw);
465	}
466	}
467	zProjCode = zProjectId;
468	}
469	SHA1Update(&ctx, (unsigned char*)zProjCode, strlen(zProjCode));
	@@ -471,11 +471,11 @@
471	SHA1Update(&ctx, (unsigned char*)zLogin, strlen(zLogin));
472	SHA1Update(&ctx, (unsigned char*)"/", 1);
473	SHA1Update(&ctx, (unsigned const char*)zPw, strlen(zPw));
474	SHA1Final(zResult, &ctx);
475	DigestToBase16(zResult, zDigest);
476	return fossil_strdup(zDigest);
477	}
478
479	/*
480	** Implement the shared_secret() SQL function. shared_secret() takes two or
481	** three arguments; the third argument is optional.
482

M src/xfer.c

+1 -31

		--- src/xfer.c
		+++ src/xfer.c
		@@ -790,15 +790,10 @@
790	790	static int check_tail_hash(Blob pHash, Blob pMsg){
791	791	Blob tail;
792	792	int rc;
793	793	blob_tail(pMsg, &tail);
794	794	rc = hname_verify_hash(&tail, blob_buffer(pHash), blob_size(pHash));
795		-#if 0
796		- fprintf(stderr, "check tail=%d hash=[%.s]\ntail=<<%.s>>\n", rc,
797		- blob_size(pHash), blob_str(pHash),
798		- blob_size(&tail), blob_str(&tail));
799		-#endif
800	795	blob_reset(&tail);
801	796	return rc==HNAME_ERROR;
802	797	}
803	798
804	799	/*
		@@ -859,19 +854,10 @@
859	854	blob_copy(&combined, pNonce);
860	855	blob_append(&combined, blob_buffer(&pw), szPw);
861	856	sha1sum_blob(&combined, &hash);
862	857	assert( blob_size(&hash)==40 );
863	858	rc = blob_constant_time_cmp(&hash, pSig);
864		-#if 0
865		- fprintf(stderr,
866		- "check login rc=%d nonce=[%.s] pSig=[%.s] .hash=[%.*s]\n",
867		- rc,
868		- blob_size(pNonce), blob_str(pNonce),
869		- blob_size(pSig), blob_str(pSig),
870		- blob_size(&hash), blob_str(&hash));
871		-
872		-#endif
873	859	blob_reset(&hash);
874	860	blob_reset(&combined);
875	861	if( rc!=0 && szPw!=40 ){
876	862	/* If this server stores cleartext passwords and the password did not
877	863	** match, then perhaps the client is sending SHA1 passwords. Try
		@@ -880,13 +866,13 @@
880	866	const char *zPw = db_column_text(&q, 0);
881	867	char *zSecret = sha1_shared_secret(zPw, blob_str(pLogin), 0);
882	868	blob_zero(&combined);
883	869	blob_copy(&combined, pNonce);
884	870	blob_append(&combined, zSecret, -1);
885		- free(zSecret);
886	871	sha1sum_blob(&combined, &hash);
887	872	rc = blob_constant_time_cmp(&hash, pSig);
	873	+ fossil_free(zSecret);
888	874	blob_reset(&hash);
889	875	blob_reset(&combined);
890	876	}
891	877	if( rc==0 ){
892	878	const char *zCap;
		@@ -1336,16 +1322,10 @@
1336	1322	/* Login card received via HTTP header X-Fossil-Xfer-Login */
1337	1323	blob_zero(&xfer.line);
1338	1324	blob_append(&xfer.line, g.syncInfo.zLoginCard, -1);
1339	1325	xfer.nToken = blob_tokenize(&xfer.line, xfer.aToken,
1340	1326	count(xfer.aToken));
1341		-#if 0
1342		- fprintf(stderr,"%s:%d: g.syncInfo.zLoginCard=[%s]\nnToken=%d tok[0]=%s line=%s\n",
1343		- __FILE__, __LINE__, g.syncInfo.zLoginCard,
1344		- xfer.nToken, xfer.nToken ? blob_str(&xfer.aToken[0]) : "<NULL>",
1345		- blob_str(&xfer.line));
1346		-#endif
1347	1327	fossil_free( g.syncInfo.zLoginCard );
1348	1328	g.syncInfo.zLoginCard = 0;
1349	1329	if( xfer.nToken==4
1350	1330	&& blob_eq(&xfer.aToken[0], "login") ){
1351	1331	goto handle_login_card;
		@@ -1603,28 +1583,18 @@
1603	1583	cgi_reset_content();
1604	1584	@ error multiple\slogin\cards
1605	1585	nErr++;
1606	1586	break;
1607	1587	}else{
1608		-#if 0
1609		- fprintf(stderr, "# handle_login_card: aToken[2]=[%.*s]\n",
1610		- blob_size(&xfer.aToken[2]),
1611		- blob_str(&xfer.aToken[2]));
1612		-#endif
1613	1588	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1614	1589	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1615	1590	){
1616	1591	cgi_reset_content();
1617	1592	@ error login\sfailed
1618	1593	nErr++;
1619	1594	break;
1620	1595	}
1621		-#if 0
1622		- fprintf(stderr, "# logged in as [%.*s]\n",
1623		- blob_size(&xfer.aToken[1]),
1624		- blob_str(&xfer.aToken[1]));
1625		-#endif
1626	1596	}
1627	1597	}else
1628	1598
1629	1599	/* reqconfig NAME
1630	1600	**
1631	1601

	--- src/xfer.c
	+++ src/xfer.c
	@@ -790,15 +790,10 @@
790	static int check_tail_hash(Blob pHash, Blob pMsg){
791	Blob tail;
792	int rc;
793	blob_tail(pMsg, &tail);
794	rc = hname_verify_hash(&tail, blob_buffer(pHash), blob_size(pHash));
795	#if 0
796	fprintf(stderr, "check tail=%d hash=[%.s]\ntail=<<%.s>>\n", rc,
797	blob_size(pHash), blob_str(pHash),
798	blob_size(&tail), blob_str(&tail));
799	#endif
800	blob_reset(&tail);
801	return rc==HNAME_ERROR;
802	}
803
804	/*
	@@ -859,19 +854,10 @@
859	blob_copy(&combined, pNonce);
860	blob_append(&combined, blob_buffer(&pw), szPw);
861	sha1sum_blob(&combined, &hash);
862	assert( blob_size(&hash)==40 );
863	rc = blob_constant_time_cmp(&hash, pSig);
864	#if 0
865	fprintf(stderr,
866	"check login rc=%d nonce=[%.s] pSig=[%.s] .hash=[%.*s]\n",
867	rc,
868	blob_size(pNonce), blob_str(pNonce),
869	blob_size(pSig), blob_str(pSig),
870	blob_size(&hash), blob_str(&hash));
871
872	#endif
873	blob_reset(&hash);
874	blob_reset(&combined);
875	if( rc!=0 && szPw!=40 ){
876	/* If this server stores cleartext passwords and the password did not
877	** match, then perhaps the client is sending SHA1 passwords. Try
	@@ -880,13 +866,13 @@
880	const char *zPw = db_column_text(&q, 0);
881	char *zSecret = sha1_shared_secret(zPw, blob_str(pLogin), 0);
882	blob_zero(&combined);
883	blob_copy(&combined, pNonce);
884	blob_append(&combined, zSecret, -1);
885	free(zSecret);
886	sha1sum_blob(&combined, &hash);
887	rc = blob_constant_time_cmp(&hash, pSig);

888	blob_reset(&hash);
889	blob_reset(&combined);
890	}
891	if( rc==0 ){
892	const char *zCap;
	@@ -1336,16 +1322,10 @@
1336	/* Login card received via HTTP header X-Fossil-Xfer-Login */
1337	blob_zero(&xfer.line);
1338	blob_append(&xfer.line, g.syncInfo.zLoginCard, -1);
1339	xfer.nToken = blob_tokenize(&xfer.line, xfer.aToken,
1340	count(xfer.aToken));
1341	#if 0
1342	fprintf(stderr,"%s:%d: g.syncInfo.zLoginCard=[%s]\nnToken=%d tok[0]=%s line=%s\n",
1343	__FILE__, __LINE__, g.syncInfo.zLoginCard,
1344	xfer.nToken, xfer.nToken ? blob_str(&xfer.aToken[0]) : "<NULL>",
1345	blob_str(&xfer.line));
1346	#endif
1347	fossil_free( g.syncInfo.zLoginCard );
1348	g.syncInfo.zLoginCard = 0;
1349	if( xfer.nToken==4
1350	&& blob_eq(&xfer.aToken[0], "login") ){
1351	goto handle_login_card;
	@@ -1603,28 +1583,18 @@
1603	cgi_reset_content();
1604	@ error multiple\slogin\cards
1605	nErr++;
1606	break;
1607	}else{
1608	#if 0
1609	fprintf(stderr, "# handle_login_card: aToken[2]=[%.*s]\n",
1610	blob_size(&xfer.aToken[2]),
1611	blob_str(&xfer.aToken[2]));
1612	#endif
1613	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1614	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1615	){
1616	cgi_reset_content();
1617	@ error login\sfailed
1618	nErr++;
1619	break;
1620	}
1621	#if 0
1622	fprintf(stderr, "# logged in as [%.*s]\n",
1623	blob_size(&xfer.aToken[1]),
1624	blob_str(&xfer.aToken[1]));
1625	#endif
1626	}
1627	}else
1628
1629	/* reqconfig NAME
1630	**
1631

	--- src/xfer.c
	+++ src/xfer.c
	@@ -790,15 +790,10 @@
790	static int check_tail_hash(Blob pHash, Blob pMsg){
791	Blob tail;
792	int rc;
793	blob_tail(pMsg, &tail);
794	rc = hname_verify_hash(&tail, blob_buffer(pHash), blob_size(pHash));





795	blob_reset(&tail);
796	return rc==HNAME_ERROR;
797	}
798
799	/*
	@@ -859,19 +854,10 @@
854	blob_copy(&combined, pNonce);
855	blob_append(&combined, blob_buffer(&pw), szPw);
856	sha1sum_blob(&combined, &hash);
857	assert( blob_size(&hash)==40 );
858	rc = blob_constant_time_cmp(&hash, pSig);









859	blob_reset(&hash);
860	blob_reset(&combined);
861	if( rc!=0 && szPw!=40 ){
862	/* If this server stores cleartext passwords and the password did not
863	** match, then perhaps the client is sending SHA1 passwords. Try
	@@ -880,13 +866,13 @@
866	const char *zPw = db_column_text(&q, 0);
867	char *zSecret = sha1_shared_secret(zPw, blob_str(pLogin), 0);
868	blob_zero(&combined);
869	blob_copy(&combined, pNonce);
870	blob_append(&combined, zSecret, -1);

871	sha1sum_blob(&combined, &hash);
872	rc = blob_constant_time_cmp(&hash, pSig);
873	fossil_free(zSecret);
874	blob_reset(&hash);
875	blob_reset(&combined);
876	}
877	if( rc==0 ){
878	const char *zCap;
	@@ -1336,16 +1322,10 @@
1322	/* Login card received via HTTP header X-Fossil-Xfer-Login */
1323	blob_zero(&xfer.line);
1324	blob_append(&xfer.line, g.syncInfo.zLoginCard, -1);
1325	xfer.nToken = blob_tokenize(&xfer.line, xfer.aToken,
1326	count(xfer.aToken));






1327	fossil_free( g.syncInfo.zLoginCard );
1328	g.syncInfo.zLoginCard = 0;
1329	if( xfer.nToken==4
1330	&& blob_eq(&xfer.aToken[0], "login") ){
1331	goto handle_login_card;
	@@ -1603,28 +1583,18 @@
1583	cgi_reset_content();
1584	@ error multiple\slogin\cards
1585	nErr++;
1586	break;
1587	}else{





1588	if( check_tail_hash(&xfer.aToken[2], xfer.pIn)
1589	\|\| check_login(&xfer.aToken[1], &xfer.aToken[2], &xfer.aToken[3])
1590	){
1591	cgi_reset_content();
1592	@ error login\sfailed
1593	nErr++;
1594	break;
1595	}





1596	}
1597	}else
1598
1599	/* reqconfig NAME
1600	**
1601

Fossil SCM

Keyboard Shortcuts