[PATCH v2] git-cvsimport: add support for cvs pserver password scrambling.

[PATCH v2] git-cvsimport: add support for cvs pserver password scrambling.

[Dirk Hoerner]

Instead of a cleartext password, the CVS pserver expects a scrambled one
in the authentication request. With this patch it is possible to import
CVS repositories only accessible via pserver and user/password.

Signed-off-by: Dirk Hoerner <dirker@gmail.com>
---
 git-cvsimport.perl   |   39 ++++++++++++++++++++++++++++++++++++++-
 t/t9600-cvsimport.sh |   41 +++++++++++++++++++++++++++++++++++++++++
 2 files changed, 79 insertions(+), 1 deletions(-)

diff --git a/git-cvsimport.perl b/git-cvsimport.perl
index e439202..593832d 100755
--- a/git-cvsimport.perl
+++ b/git-cvsimport.perl
@@ -252,7 +252,8 @@ sub conn {
 				}
 			};
 		}
-		$pass="A" unless $pass;
+
+		$pass = $self->_scramble($pass);
 
 		my ($s, $rep);
 		if ($proxyhost) {
@@ -484,6 +485,42 @@ sub _fetchfile {
 	return $res;
 }
 
+sub _scramble {
+	my ($self, $pass) = @_;
+	my $scrambled = "A";
+
+	return $scrambled unless $pass;
+
+	my $pass_len = length($pass);
+	my @pass_arr = split("", $pass);
+	my $i;
+
+	# from cvs/src/scramble.c
+	my @shifts = (
+		  0,  1,  2,  3,  4,  5,  6,  7,  8,  9, 10, 11, 12, 13, 14, 15,
+		 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31,
+		114,120, 53, 79, 96,109, 72,108, 70, 64, 76, 67,116, 74, 68, 87,
+		111, 52, 75,119, 49, 34, 82, 81, 95, 65,112, 86,118,110,122,105,
+		 41, 57, 83, 43, 46,102, 40, 89, 38,103, 45, 50, 42,123, 91, 35,
+		125, 55, 54, 66,124,126, 59, 47, 92, 71,115, 78, 88,107,106, 56,
+		 36,121,117,104,101,100, 69, 73, 99, 63, 94, 93, 39, 37, 61, 48,
+		 58,113, 32, 90, 44, 98, 60, 51, 33, 97, 62, 77, 84, 80, 85,223,
+		225,216,187,166,229,189,222,188,141,249,148,200,184,136,248,190,
+		199,170,181,204,138,232,218,183,255,234,220,247,213,203,226,193,
+		174,172,228,252,217,201,131,230,197,211,145,238,161,179,160,212,
+		207,221,254,173,202,146,224,151,140,196,205,130,135,133,143,246,
+		192,159,244,239,185,168,215,144,139,165,180,157,147,186,214,176,
+		227,231,219,169,175,156,206,198,129,164,150,210,154,177,134,127,
+		182,128,158,208,162,132,167,209,149,241,153,251,237,236,171,195,
+		243,233,253,240,194,250,191,155,142,137,245,235,163,242,178,152
+	);
+
+	for ($i = 0; $i < $pass_len; $i++) {
+		$scrambled .= pack("C", $shifts[ord($pass_arr[$i])]);
+	}
+
+	return $scrambled;
+}
 
 package main;
 
diff --git a/t/t9600-cvsimport.sh b/t/t9600-cvsimport.sh
index 363345f..57c0eac 100755
--- a/t/t9600-cvsimport.sh
+++ b/t/t9600-cvsimport.sh
@@ -128,4 +128,45 @@ test_expect_success 'import from a CVS working tree' '
 
 test_expect_success 'test entire HEAD' 'test_cmp_branch_tree master'
 
+if ! type nc >/dev/null 2>&1
+then
+	say 'skipping cvsimport pserver test, nc not found'
+	test_done
+	exit
+fi
+
+cat << EOF >expected
+BEGIN AUTH REQUEST
+/cvs
+me
+AyuhedEIc?^]'%=0:q Z,b<3!a>
+END AUTH REQUEST
+EOF
+
+test_expect_success 'connect to pserver with password' '
+
+	echo "I HATE YOU" | nc -l 2401 >actual &
+	test_must_fail git cvsimport -d \
+		:pserver:me:abcdefghijklmnopqrstuvwxyz@localhost:/cvs foo \
+		>/dev/null 2>&1 &&
+	test_cmp expected actual
+'
+
+cat << EOF >expected
+BEGIN AUTH REQUEST
+/cvs
+anonymous
+A
+END AUTH REQUEST
+EOF
+
+test_expect_success 'connect to pserver without password' '
+
+	echo "I HATE YOU" | nc -l 2401 >actual &
+	test_must_fail git cvsimport -d \
+		:pserver:anonymous@localhost:/cvs foo \
+		>/dev/null 2>&1 &&
+	test_cmp expected actual
+'
+
 test_done
-- 
1.6.4

Re: [PATCH v2] git-cvsimport: add support for cvs pserver password scrambling.

[Junio C Hamano]

Dirk Hoerner <dirker@gmail.com> writes:

> Instead of a cleartext password, the CVS pserver expects a scrambled one
> in the authentication request. With this patch it is possible to import
> CVS repositories only accessible via pserver and user/password.
>
> Signed-off-by: Dirk Hoerner <dirker@gmail.com>

Thanks.

While I appreciate your effort to add a test, I'd rather not apply the
test part of your patch for two reasons:

 - It is not a test against a real cvs pserver but is a whitebox test to
   verify that the program says what the program is supposed to spit out
   to the network; and

 - It still is a network test that will fail if the TCP port is occupied
   for whatever reason when the test is run, which will make automated
   build and test cycle unreliable.

Unfortunately, I do not see an easy way to run a real cvs pserver
listening to a local unix domain socket under $TRASH_DIRECTORY, which
would solve both of the above issues.

Re: [PATCH v2] git-cvsimport: add support for cvs pserver password scrambling.

[Dirk Hörner]

Hi Junio,

On Fri, Aug 14, 2009 at 9:25 AM, Junio C Hamano<gitster@pobox.com> wrote:
> Thanks.
>
> While I appreciate your effort to add a test, I'd rather not apply the
> test part of your patch for two reasons:
>
>  - It is not a test against a real cvs pserver but is a whitebox test to
>   verify that the program says what the program is supposed to spit out
>   to the network; and
>
>  - It still is a network test that will fail if the TCP port is occupied
>   for whatever reason when the test is run, which will make automated
>   build and test cycle unreliable.
>
> Unfortunately, I do not see an easy way to run a real cvs pserver
> listening to a local unix domain socket under $TRASH_DIRECTORY, which
> would solve both of the above issues.
>

I agree with you, the tests are not the best. As Dscho stated in one
of the replies to the last version of this patch, the cvs pserver is
quite good to test with because it uses stdin/stdout for
communication. The main problem is git-cvsimport, which right now only
supports tcp sockets.

Ciao,
Dirk