search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Reorganizing login sessions
[CGIscriptor.git] / Private / ChangePassword.html
blob765edf1235cd09efaba7c79f9611e78d47f40eeb
1 <html>
2 <head>
3 <title>Change Password</title>
4 <SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
5 ::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
6 "";
7 </SCRIPT>
8 <SCRIPT type="text/javascript" LANGUAGE="JavaScript">
9 function createCookie(name,value,days,path) {
10 if (days) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*24*60*60*1000));
13 var expires = "; expires="+date.toGMTString();
14 }
15 else var expires = "";
16 document.cookie = name+"="+value+expires+"; path=/"+path;
17 };
18
19 function readCookie(name) {
20 var nameEQ = name + "=";
21 var ca = document.cookie.split(';');
22 for(var i=0;i < ca.length;i++) {
23 var c = ca[i];
24 while (c.charAt(0)==' ') c = c.substring(1,c.length);
25 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
26 }
27 return null;
28 };
29
30 function check_password_fields ( ) {
31 var newpassword = document.getElementById('NEWPASSWORD');
32 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
33 if(newpassword.value == "" || newpasswordrep.value == "") {
34 alert("No passwords");
35 return false;
36 };
37 if(newpassword.value == newpasswordrep.value) {
38 var submitbutton = document.getElementById('SUBMIT');
39 submitbutton.style.color = "Black";
40 return true;
41 };
42 alert("Passwords differ");
43 return false;
44 };
45
46 function eraseCookie(name) {
47 createCookie(name,"",-1);
48 };
49
50 // Combine the PASSWORD with the site SERVERSALT and hash it
51 // Combine this Hash iwth the extra SERVERSALT, and hash them
52 function HashPassword(extsalt) {
53 var hash1 = "";
54 var hash2 = "";
55 var passwordvalue = document.getElementById('PASSWORD');
56 if(passwordvalue.value == "")
57 return 0;
58 var saltvalue = document.getElementById('SERVERSALT');
59 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
60 if(extsalt != "")
61 hash2 = hex_sha1(extsalt+hash1);
62 else
63 hash2 = hash1;
64 passwordvalue.value = hash2;
65 return hash2;
66 }
67 // Remember to hash the repeat too! Or else it will be send in the clear
68 function HashNewPassword() {
69 var hash1 = "";
70 var newpassword = document.getElementById('NEWPASSWORD');
71 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
72 if(newpassword.value == "" ) {
73 newpassword.value = "";
74 return 0;
75 };
76 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
77 newpassword.value = "";
78 newpasswordrep.value = "";
79 return 0;
80 };
81 var saltvalue = document.getElementById('SERVERSALT');
82 hash1 = hex_sha1(saltvalue.value+newpassword.value);
83 newpassword.value = hash1;
84 newpasswordrep.value = hash1;
85 return hash1;
86 };
87
88 function XOR_hex_strings(hex1, hex2) {
89 var resultHex = "";
90 for(var i=0; i < hex1.length; ++i) {
91 var d1 = parseInt(hex1.charAt(i),16);
92 var d2 = parseInt(hex2.charAt(i),16);
93 var resultD = d1^d2;
94 resultHex = resultHex+resultD.toString(16);
95 };
96 return resultHex;
97 };
98
99 function EncryptNewPassword() {
100 var password = document.getElementById('PASSWORD');
101 var saltvalue = document.getElementById('SERVERSALT');
102 var login = document.getElementById('LOGINTICKET');
103 var newpassword = document.getElementById('NEWPASSWORD');
104 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
105
106 HashNewPassword();
107 hash = hex_sha1(saltvalue.value+password.value);
108 hash2 = hex_sha1(login.value+hash);
109 var encrypted = XOR_hex_strings(hash2, newpassword.value);
110 newpassword.value = encrypted;
111 newpasswordrep.value = encrypted;
112 return encrypted;
113 };
114
115 function add_cgiparam(elem, attr, param) {
116 var elems = document.getElementsByTagName(elem);
117 for (var i = 0; i < elems.length; i++)
118 {
119 var n=elems[i][attr].indexOf("?");
120 if(n<0)
121 elems[i][attr] = elems[i][attr] + "?" + param;
122 else
123 elems[i][attr] = elems[i][attr] + "&" + param;
124 };
125 };
126
127 function remove_cgiparam(elem, attr, parameter) {
128 var elems = document.getElementsByTagName(elem);
129 for (var i = 0; i < elems.length; i++)
130 {
131 var n=elems[i][attr].indexOf("&"+parameter);
132 if(n>0)
133 elems[i][attr] = elems[i][attr].replace("&"+param, "");
134 var n=elems[i][attr].indexOf(parameter);
135 if(n>0)
136 elems[i][attr] = elems[i][attr].replace(param, "");
137 };
138 };
139
140 window.onload = function() {
141 var sessionticket = readCookie("CGIscriptor");
142 var sessionparm = document.getElementById('SESSIONTICKET');
143 if(sessionparm) sessionparm.value = sessionticket;
144 add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
145 add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
146 return true;
147 };
148
149 </SCRIPT>
150
151 <script type="text/javascript">
152 /*
153 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
154 * in FIPS 180-1
155 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
156 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
157 * Distributed under the BSD License
158 * See http://pajhome.org.uk/crypt/md5 for details.
159 */
160
161 /*
162 * Configurable variables. You may need to tweak these to be compatible with
163 * the server-side, but the defaults work in most cases.
164 */
165 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
166 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
167
168 /*
169 * These are the functions you'll usually want to call
170 * They take string arguments and return either hex or base-64 encoded strings
171 */
172 function hex_sha1(s) { return rstr2hex(rstr_sha1(str2rstr_utf8(s))); }
173 function b64_sha1(s) { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
174 function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
175 function hex_hmac_sha1(k, d)
176 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
177 function b64_hmac_sha1(k, d)
178 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
179 function any_hmac_sha1(k, d, e)
180 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
181
182 /*
183 * Perform a simple self-test to see if the VM is working
184 */
185 function sha1_vm_test()
186 {
187 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
188 }
189
190 /*
191 * Calculate the SHA1 of a raw string
192 */
193 function rstr_sha1(s)
194 {
195 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
196 }
197
198 /*
199 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
200 */
201 function rstr_hmac_sha1(key, data)
202 {
203 var bkey = rstr2binb(key);
204 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
205
206 var ipad = Array(16), opad = Array(16);
207 for(var i = 0; i < 16; i++)
208 {
209 ipad[i] = bkey[i] ^ 0x36363636;
210 opad[i] = bkey[i] ^ 0x5C5C5C5C;
211 }
212
213 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
214 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
215 }
216
217 /*
218 * Convert a raw string to a hex string
219 */
220 function rstr2hex(input)
221 {
222 try { hexcase } catch(e) { hexcase=0; }
223 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
224 var output = "";
225 var x;
226 for(var i = 0; i < input.length; i++)
227 {
228 x = input.charCodeAt(i);
229 output += hex_tab.charAt((x >>> 4) & 0x0F)
230 + hex_tab.charAt( x & 0x0F);
231 }
232 return output;
233 }
234
235 /*
236 * Convert a raw string to a base-64 string
237 */
238 function rstr2b64(input)
239 {
240 try { b64pad } catch(e) { b64pad=''; }
241 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
242 var output = "";
243 var len = input.length;
244 for(var i = 0; i < len; i += 3)
245 {
246 var triplet = (input.charCodeAt(i) << 16)
247 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
248 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
249 for(var j = 0; j < 4; j++)
250 {
251 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
252 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
253 }
254 }
255 return output;
256 }
257
258 /*
259 * Convert a raw string to an arbitrary string encoding
260 */
261 function rstr2any(input, encoding)
262 {
263 var divisor = encoding.length;
264 var remainders = Array();
265 var i, q, x, quotient;
266
267 /* Convert to an array of 16-bit big-endian values, forming the dividend */
268 var dividend = Array(Math.ceil(input.length / 2));
269 for(i = 0; i < dividend.length; i++)
270 {
271 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
272 }
273
274 /*
275 * Repeatedly perform a long division. The binary array forms the dividend,
276 * the length of the encoding is the divisor. Once computed, the quotient
277 * forms the dividend for the next step. We stop when the dividend is zero.
278 * All remainders are stored for later use.
279 */
280 while(dividend.length > 0)
281 {
282 quotient = Array();
283 x = 0;
284 for(i = 0; i < dividend.length; i++)
285 {
286 x = (x << 16) + dividend[i];
287 q = Math.floor(x / divisor);
288 x -= q * divisor;
289 if(quotient.length > 0 || q > 0)
290 quotient[quotient.length] = q;
291 }
292 remainders[remainders.length] = x;
293 dividend = quotient;
294 }
295
296 /* Convert the remainders to the output string */
297 var output = "";
298 for(i = remainders.length - 1; i >= 0; i--)
299 output += encoding.charAt(remainders[i]);
300
301 /* Append leading zero equivalents */
302 var full_length = Math.ceil(input.length * 8 /
303 (Math.log(encoding.length) / Math.log(2)))
304 for(i = output.length; i < full_length; i++)
305 output = encoding[0] + output;
306
307 return output;
308 }
309
310 /*
311 * Encode a string as utf-8.
312 * For efficiency, this assumes the input is valid utf-16.
313 */
314 function str2rstr_utf8(input)
315 {
316 var output = "";
317 var i = -1;
318 var x, y;
319
320 while(++i < input.length)
321 {
322 /* Decode utf-16 surrogate pairs */
323 x = input.charCodeAt(i);
324 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
325 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
326 {
327 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
328 i++;
329 }
330
331 /* Encode output as utf-8 */
332 if(x <= 0x7F)
333 output += String.fromCharCode(x);
334 else if(x <= 0x7FF)
335 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
336 0x80 | ( x & 0x3F));
337 else if(x <= 0xFFFF)
338 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
339 0x80 | ((x >>> 6 ) & 0x3F),
340 0x80 | ( x & 0x3F));
341 else if(x <= 0x1FFFFF)
342 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
343 0x80 | ((x >>> 12) & 0x3F),
344 0x80 | ((x >>> 6 ) & 0x3F),
345 0x80 | ( x & 0x3F));
346 }
347 return output;
348 }
349
350 /*
351 * Encode a string as utf-16
352 */
353 function str2rstr_utf16le(input)
354 {
355 var output = "";
356 for(var i = 0; i < input.length; i++)
357 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
358 (input.charCodeAt(i) >>> 8) & 0xFF);
359 return output;
360 }
361
362 function str2rstr_utf16be(input)
363 {
364 var output = "";
365 for(var i = 0; i < input.length; i++)
366 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
367 input.charCodeAt(i) & 0xFF);
368 return output;
369 }
370
371 /*
372 * Convert a raw string to an array of big-endian words
373 * Characters >255 have their high-byte silently ignored.
374 */
375 function rstr2binb(input)
376 {
377 var output = Array(input.length >> 2);
378 for(var i = 0; i < output.length; i++)
379 output[i] = 0;
380 for(var i = 0; i < input.length * 8; i += 8)
381 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
382 return output;
383 }
384
385 /*
386 * Convert an array of big-endian words to a string
387 */
388 function binb2rstr(input)
389 {
390 var output = "";
391 for(var i = 0; i < input.length * 32; i += 8)
392 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
393 return output;
394 }
395
396 /*
397 * Calculate the SHA-1 of an array of big-endian words, and a bit length
398 */
399 function binb_sha1(x, len)
400 {
401 /* append padding */
402 x[len >> 5] |= 0x80 << (24 - len % 32);
403 x[((len + 64 >> 9) << 4) + 15] = len;
404
405 var w = Array(80);
406 var a = 1732584193;
407 var b = -271733879;
408 var c = -1732584194;
409 var d = 271733878;
410 var e = -1009589776;
411
412 for(var i = 0; i < x.length; i += 16)
413 {
414 var olda = a;
415 var oldb = b;
416 var oldc = c;
417 var oldd = d;
418 var olde = e;
419
420 for(var j = 0; j < 80; j++)
421 {
422 if(j < 16) w[j] = x[i + j];
423 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
424 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
425 safe_add(safe_add(e, w[j]), sha1_kt(j)));
426 e = d;
427 d = c;
428 c = bit_rol(b, 30);
429 b = a;
430 a = t;
431 }
432
433 a = safe_add(a, olda);
434 b = safe_add(b, oldb);
435 c = safe_add(c, oldc);
436 d = safe_add(d, oldd);
437 e = safe_add(e, olde);
438 }
439 return Array(a, b, c, d, e);
440
441 }
442
443 /*
444 * Perform the appropriate triplet combination function for the current
445 * iteration
446 */
447 function sha1_ft(t, b, c, d)
448 {
449 if(t < 20) return (b & c) | ((~b) & d);
450 if(t < 40) return b ^ c ^ d;
451 if(t < 60) return (b & c) | (b & d) | (c & d);
452 return b ^ c ^ d;
453 }
454
455 /*
456 * Determine the appropriate additive constant for the current iteration
457 */
458 function sha1_kt(t)
459 {
460 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
461 (t < 60) ? -1894007588 : -899497514;
462 }
463
464 /*
465 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
466 * to work around bugs in some JS interpreters.
467 */
468 function safe_add(x, y)
469 {
470 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
471 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
472 return (msw << 16) | (lsw & 0xFFFF);
473 }
474
475 /*
476 * Bitwise rotate a 32-bit number to the left.
477 */
478 function bit_rol(num, cnt)
479 {
480 return (num << cnt) | (num >>> (32 - cnt));
481 }
482 </script>
483
484 </head>
485 <body>
486 <h1 align=CENTER>Change your password</h1>
487 <p>
488 </p>
489 <p>
490 </p>
491
492 <form method="POST" action="index.html" id="LoginForm"
493 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword("<SCRIPT TYPE="text/ssperl">
494 $RANDOMSALT</SCRIPT>");true'>
495 <div style="margin-left: 30%; margin-right: 30%; text-align: left">
496 <table>
497 <tr>
498 <td style="text-align: right">Old Password:</td>
499 <td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="20" /></td>
500 </tr>
501 <tr>
502 <td style="text-align: right">New Password:</td>
503 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="20" />
504 </td>
505 </tr>
506 <tr>
507 <td style="text-align: right">Repeat:</td>
508 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="20" onChange="check_password_fields();"/></td>
509 </tr>
510 <tr>
511 <td></td>
512 <td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" /></td>
513 </tr>
514 </table>
515 <input type="hidden" name="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
516 <input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
517 <input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
518 <input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
519 <input type="hidden" name="SESSIONTICKET" value="" />
520 </div>
521 </form>
522 <p>
523 The Salt and Ticket values are all created using SHA1 on 512 Byte of output from <em>/dev/urandom</em> in HEX.
524 </p>
525 <FONT STYLE="font-size:small">
526 <p> Example Login page for CGIscriptor.pl<br />
527 Copyright &copy; 2012 R.J.J.H. van Son<br />
528 This program is free software: you can redistribute it and/or modify
529 it under the terms of the GNU General Public License as published by
530 the Free Software Foundation, either version 3 of the License, or
531 (at your option) any later version.
532 This program is distributed in the hope that it will be useful,
533 but WITHOUT ANY WARRANTY; without even the implied warranty of
534 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
535 GNU General Public License for more details.<br />
536 You should have received a copy of the GNU General Public License
537 along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.</p>
538 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1<br />
539 Copyright &copy; 2000 - 2009 Paul Johnston, Version 2.2<br />
540 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet<br />
541 Distributed under the BSD License<br />
542 See <a href="http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5</a> for details.
543 </FONT>
544
545 </body>
546 </html>
A flexible HTML 4 compliant script/module for CGI-aware embeded Perl, shell-scripts, and other scripting languages, executed at the server side.