search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Updated documentation
[CGIscriptor.git] / Private / ChangePassword.html
blobe7e7e0eede0f6f10f8faa1b1e52c6acf1d5928c7
1 <html>
2 <head>
3 <title>Change Password</title>
4 <SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
5 ::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
6 "";
7 </SCRIPT>
8 <SCRIPT type="text/javascript" LANGUAGE="JavaScript">
9 function createCookie(name,value,days,path) {
10 if (days) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*24*60*60*1000));
13 var expires = "; expires="+date.toGMTString();
14 }
15 else var expires = "";
16 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
17 if(match)
18 document.cookie = document.cookie.replace(match[1], name+"="+value);
19 else
20 document.cookie = name+"="+value+expires+"; path=/"+path;
21 };
22
23 function readCookie(name) {
24 var nameEQ = name + "=";
25 var ca = document.cookie.split(';');
26 for(var i=0;i < ca.length;i++) {
27 var c = ca[i];
28 while (c.charAt(0)==' ') c = c.substring(1,c.length);
29 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
30 }
31 return null;
32 };
33
34 function check_password_fields ( ) {
35 var newpassword = document.getElementById('NEWPASSWORD');
36 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
37 if(newpassword.value == "" || newpasswordrep.value == "") {
38 alert("No passwords");
39 return false;
40 };
41 if(newpassword.value == newpasswordrep.value) {
42 var submitbutton = document.getElementById('SUBMIT');
43 submitbutton.style.color = "Black";
44 return true;
45 };
46 alert("Passwords differ");
47 return false;
48 };
49
50 function eraseCookie(name) {
51 createCookie(name,"",-1);
52 };
53
54 // Combine the PASSWORD with the site SERVERSALT and hash it
55 // Combine this Hash iwth the extra SERVERSALT, and hash them
56 function HashPassword(extsalt) {
57 var hash = HashSessionSeed(extsalt);
58 var password = document.getElementById('PASSWORD');
59 if(password){
60 password.value = hash;
61 } else {
62 alert("NO PASSWORD IN FORM");
63 return 0;
64 };
65 return hash;
66 }
67
68 // REMEMBER: Set the session cookie BEFORE you hash the password!!!
69 function SetSessionCookie() {
70 var seed = '<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>';
71 var hash = HashSessionSeed(seed);
72 // Dom.storage.enabled must be set!
73 if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
74 alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
75 }
76 else sessionStorage.setItem("CGIscriptorPRIVATE", hash);
77 return hash;
78 };
79
80 function HashSessionSeed(sessionseed) {
81 var hash1 = "";
82 var hash2 = "";
83 var passwordvalue = document.getElementById('PASSWORD');
84 var saltvalue = document.getElementById('SERVERSALT');
85 var username = document.getElementById('USERNAME');
86 hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
87 if(sessionseed != "")
88 hash2 = hex_sha1(sessionseed+hash1);
89 else
90 hash2 = hash1;
91 return hash2;
92 }
93
94 // Remember to hash the repeat too! Or else it will be send in the clear
95 function HashNewPassword() {
96 var hash1 = "";
97 var newpassword = document.getElementById('NEWPASSWORD');
98 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
99 var username = document.getElementById('USERNAME');
100 if(newpassword.value == "" ) {
101 newpassword.value = "";
102 return 0;
103 };
104 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
105 newpassword.value = "";
106 newpasswordrep.value = "";
107 return 0;
108 };
109 var saltvalue = document.getElementById('SERVERSALT');
110 hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
111 newpassword.value = hash1;
112 newpasswordrep.value = hash1;
113 return hash1;
114 };
115
116 function XOR_hex_strings(hex1, hex2) {
117 var resultHex = "";
118 for(var i=0; i < hex1.length; ++i) {
119 var d1 = parseInt(hex1.charAt(i),16);
120 var d2 = parseInt(hex2.charAt(i),16);
121 var resultD = d1^d2;
122 resultHex = resultHex+resultD.toString(16);
123 };
124 return resultHex;
125 };
126
127 function EncryptNewPassword() {
128 var password = document.getElementById('PASSWORD');
129 var saltvalue = document.getElementById('SERVERSALT');
130 var login = document.getElementById('LOGINTICKET');
131 var newpassword = document.getElementById('NEWPASSWORD');
132 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
133 var username = document.getElementById('USERNAME');
134
135 // This hashes the newpassword field!
136 HashNewPassword();
137 hash = hex_sha1(saltvalue.value+password.value+username.value);
138 hash2 = hex_sha1(login.value+hash);
139 var encrypted = XOR_hex_strings(hash2, newpassword.value);
140 newpassword.value = encrypted;
141 newpasswordrep.value = encrypted;
142 return encrypted;
143 };
144
145 function add_cgiparam(elem, attr, param) {
146 var elems = document.getElementsByTagName(elem);
147 for (var i = 0; i < elems.length; i++)
148 {
149 var n=elems[i][attr].indexOf("?");
150 if(n<0)
151 elems[i][attr] = elems[i][attr] + "?" + param;
152 else
153 elems[i][attr] = elems[i][attr] + "&" + param;
154 };
155 };
156
157 function remove_cgiparam(elem, attr, parameter) {
158 var elems = document.getElementsByTagName(elem);
159 for (var i = 0; i < elems.length; i++)
160 {
161 var n=elems[i][attr].indexOf("&"+parameter);
162 if(n>0)
163 elems[i][attr] = elems[i][attr].replace("&"+param, "");
164 var n=elems[i][attr].indexOf(parameter);
165 if(n>0)
166 elems[i][attr] = elems[i][attr].replace(param, "");
167 };
168 };
169
170 function setSessionParameters() {
171 var sessionset = readCookie("CGIscriptorSESSION");
172 if(!sessionset.match(/[\S]/))return false;
173
174 var sessionticket = "";
175 sessionticket = sessionStorage.getItem("CGIscriptorPRIVATE");
176 createCookie("CGIscriptorSESSION",sessionticket, 1, "/Private");
177
178 // Without cookies, use this
179 // var sessionparm = document.getElementById('SESSIONTICKET');
180 // if(sessionparm) sessionparm.value = sessionticket;
181 // add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
182 // add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
183 return true;
184 };
185 function setChallengeParameters() {
186 var sessionset = readCookie("CGIscriptorCHALLENGE");
187 if(!(sessionset && sessionset.match(/[\S]/)))return false;
188
189 var sessionticket = "";
190 sessionticket = sessionStorage.getItem("CGIscriptorPRIVATE");
191 createCookie("CGIscriptorCHALLENGE",sessionticket, 1, "Private");
192
193 // Without cookies, use this
194 // var sessionparm = document.getElementById('CHALLENGETICKET');
195 // if(sessionparm) sessionparm.value = sessionticket;
196 // add_cgiparam('a', 'href', "CHALLENGETICKET="+sessionticket);
197 // add_cgiparam('form', 'action', "CHALLENGETICKET="+sessionticket);
198 return true;
199 };
200
201 window.onload = function() {
202 var challengeSet = setChallengeParameters();
203 if(! challengeSet)
204 setSessionParameters();
205 return true;
206 };
207
208
209 </SCRIPT>
210
211 <script type="text/javascript">
212 /*
213 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
214 * in FIPS 180-1
215 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
216 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
217 * Distributed under the BSD License
218 * See http://pajhome.org.uk/crypt/md5 for details.
219 */
220
221 /*
222 * Configurable variables. You may need to tweak these to be compatible with
223 * the server-side, but the defaults work in most cases.
224 */
225 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
226 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
227
228 /*
229 * These are the functions you'll usually want to call
230 * They take string arguments and return either hex or base-64 encoded strings
231 */
232 function hex_sha1(s) { return rstr2hex(rstr_sha1(str2rstr_utf8(s))); }
233 function b64_sha1(s) { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
234 function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
235 function hex_hmac_sha1(k, d)
236 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
237 function b64_hmac_sha1(k, d)
238 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
239 function any_hmac_sha1(k, d, e)
240 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
241
242 /*
243 * Perform a simple self-test to see if the VM is working
244 */
245 function sha1_vm_test()
246 {
247 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
248 }
249
250 /*
251 * Calculate the SHA1 of a raw string
252 */
253 function rstr_sha1(s)
254 {
255 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
256 }
257
258 /*
259 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
260 */
261 function rstr_hmac_sha1(key, data)
262 {
263 var bkey = rstr2binb(key);
264 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
265
266 var ipad = Array(16), opad = Array(16);
267 for(var i = 0; i < 16; i++)
268 {
269 ipad[i] = bkey[i] ^ 0x36363636;
270 opad[i] = bkey[i] ^ 0x5C5C5C5C;
271 }
272
273 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
274 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
275 }
276
277 /*
278 * Convert a raw string to a hex string
279 */
280 function rstr2hex(input)
281 {
282 try { hexcase } catch(e) { hexcase=0; }
283 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
284 var output = "";
285 var x;
286 for(var i = 0; i < input.length; i++)
287 {
288 x = input.charCodeAt(i);
289 output += hex_tab.charAt((x >>> 4) & 0x0F)
290 + hex_tab.charAt( x & 0x0F);
291 }
292 return output;
293 }
294
295 /*
296 * Convert a raw string to a base-64 string
297 */
298 function rstr2b64(input)
299 {
300 try { b64pad } catch(e) { b64pad=''; }
301 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
302 var output = "";
303 var len = input.length;
304 for(var i = 0; i < len; i += 3)
305 {
306 var triplet = (input.charCodeAt(i) << 16)
307 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
308 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
309 for(var j = 0; j < 4; j++)
310 {
311 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
312 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
313 }
314 }
315 return output;
316 }
317
318 /*
319 * Convert a raw string to an arbitrary string encoding
320 */
321 function rstr2any(input, encoding)
322 {
323 var divisor = encoding.length;
324 var remainders = Array();
325 var i, q, x, quotient;
326
327 /* Convert to an array of 16-bit big-endian values, forming the dividend */
328 var dividend = Array(Math.ceil(input.length / 2));
329 for(i = 0; i < dividend.length; i++)
330 {
331 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
332 }
333
334 /*
335 * Repeatedly perform a long division. The binary array forms the dividend,
336 * the length of the encoding is the divisor. Once computed, the quotient
337 * forms the dividend for the next step. We stop when the dividend is zero.
338 * All remainders are stored for later use.
339 */
340 while(dividend.length > 0)
341 {
342 quotient = Array();
343 x = 0;
344 for(i = 0; i < dividend.length; i++)
345 {
346 x = (x << 16) + dividend[i];
347 q = Math.floor(x / divisor);
348 x -= q * divisor;
349 if(quotient.length > 0 || q > 0)
350 quotient[quotient.length] = q;
351 }
352 remainders[remainders.length] = x;
353 dividend = quotient;
354 }
355
356 /* Convert the remainders to the output string */
357 var output = "";
358 for(i = remainders.length - 1; i >= 0; i--)
359 output += encoding.charAt(remainders[i]);
360
361 /* Append leading zero equivalents */
362 var full_length = Math.ceil(input.length * 8 /
363 (Math.log(encoding.length) / Math.log(2)))
364 for(i = output.length; i < full_length; i++)
365 output = encoding[0] + output;
366
367 return output;
368 }
369
370 /*
371 * Encode a string as utf-8.
372 * For efficiency, this assumes the input is valid utf-16.
373 */
374 function str2rstr_utf8(input)
375 {
376 var output = "";
377 var i = -1;
378 var x, y;
379
380 while(++i < input.length)
381 {
382 /* Decode utf-16 surrogate pairs */
383 x = input.charCodeAt(i);
384 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
385 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
386 {
387 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
388 i++;
389 }
390
391 /* Encode output as utf-8 */
392 if(x <= 0x7F)
393 output += String.fromCharCode(x);
394 else if(x <= 0x7FF)
395 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
396 0x80 | ( x & 0x3F));
397 else if(x <= 0xFFFF)
398 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
399 0x80 | ((x >>> 6 ) & 0x3F),
400 0x80 | ( x & 0x3F));
401 else if(x <= 0x1FFFFF)
402 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
403 0x80 | ((x >>> 12) & 0x3F),
404 0x80 | ((x >>> 6 ) & 0x3F),
405 0x80 | ( x & 0x3F));
406 }
407 return output;
408 }
409
410 /*
411 * Encode a string as utf-16
412 */
413 function str2rstr_utf16le(input)
414 {
415 var output = "";
416 for(var i = 0; i < input.length; i++)
417 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
418 (input.charCodeAt(i) >>> 8) & 0xFF);
419 return output;
420 }
421
422 function str2rstr_utf16be(input)
423 {
424 var output = "";
425 for(var i = 0; i < input.length; i++)
426 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
427 input.charCodeAt(i) & 0xFF);
428 return output;
429 }
430
431 /*
432 * Convert a raw string to an array of big-endian words
433 * Characters >255 have their high-byte silently ignored.
434 */
435 function rstr2binb(input)
436 {
437 var output = Array(input.length >> 2);
438 for(var i = 0; i < output.length; i++)
439 output[i] = 0;
440 for(var i = 0; i < input.length * 8; i += 8)
441 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
442 return output;
443 }
444
445 /*
446 * Convert an array of big-endian words to a string
447 */
448 function binb2rstr(input)
449 {
450 var output = "";
451 for(var i = 0; i < input.length * 32; i += 8)
452 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
453 return output;
454 }
455
456 /*
457 * Calculate the SHA-1 of an array of big-endian words, and a bit length
458 */
459 function binb_sha1(x, len)
460 {
461 /* append padding */
462 x[len >> 5] |= 0x80 << (24 - len % 32);
463 x[((len + 64 >> 9) << 4) + 15] = len;
464
465 var w = Array(80);
466 var a = 1732584193;
467 var b = -271733879;
468 var c = -1732584194;
469 var d = 271733878;
470 var e = -1009589776;
471
472 for(var i = 0; i < x.length; i += 16)
473 {
474 var olda = a;
475 var oldb = b;
476 var oldc = c;
477 var oldd = d;
478 var olde = e;
479
480 for(var j = 0; j < 80; j++)
481 {
482 if(j < 16) w[j] = x[i + j];
483 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
484 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
485 safe_add(safe_add(e, w[j]), sha1_kt(j)));
486 e = d;
487 d = c;
488 c = bit_rol(b, 30);
489 b = a;
490 a = t;
491 }
492
493 a = safe_add(a, olda);
494 b = safe_add(b, oldb);
495 c = safe_add(c, oldc);
496 d = safe_add(d, oldd);
497 e = safe_add(e, olde);
498 }
499 return Array(a, b, c, d, e);
500
501 }
502
503 /*
504 * Perform the appropriate triplet combination function for the current
505 * iteration
506 */
507 function sha1_ft(t, b, c, d)
508 {
509 if(t < 20) return (b & c) | ((~b) & d);
510 if(t < 40) return b ^ c ^ d;
511 if(t < 60) return (b & c) | (b & d) | (c & d);
512 return b ^ c ^ d;
513 }
514
515 /*
516 * Determine the appropriate additive constant for the current iteration
517 */
518 function sha1_kt(t)
519 {
520 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
521 (t < 60) ? -1894007588 : -899497514;
522 }
523
524 /*
525 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
526 * to work around bugs in some JS interpreters.
527 */
528 function safe_add(x, y)
529 {
530 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
531 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
532 return (msw << 16) | (lsw & 0xFFFF);
533 }
534
535 /*
536 * Bitwise rotate a 32-bit number to the left.
537 */
538 function bit_rol(num, cnt)
539 {
540 return (num << cnt) | (num >>> (32 - cnt));
541 }
542 </script>
543
544 </head>
545 <body>
546 <p ALIGN=RIGHT><a href="index.html?LOGOUT">Logout</a></p>
547 <p ALIGN=RIGHT><a href="index.html">Home page</a></p>
548 <h1 align=CENTER>Change your password</h1>
549 <p>
550 </p>
551 <p>
552 </p>
553
554 <form method="POST" action="index.html" id="LoginForm"
555 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword("<SCRIPT TYPE="text/ssperl">
556 $RANDOMSALT</SCRIPT>");true'>
557 <div style="margin-left: 30%; margin-right: 30%; text-align: left">
558 <table>
559 <tr>
560 <td style="text-align: right">Old Password:</td>
561 <td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="20" /></td>
562 </tr>
563 <tr>
564 <td style="text-align: right">New Password:</td>
565 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="20" />
566 </td>
567 </tr>
568 <tr>
569 <td style="text-align: right">Repeat:</td>
570 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="20" onChange="check_password_fields();"/></td>
571 </tr>
572 <tr>
573 <td></td>
574 <td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" /></td>
575 </tr>
576 </table>
577 <input type="hidden" name="USERNAME" id="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
578 <input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
579 <input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
580 <input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
581 <input type="hidden" name="SESSIONTICKET" id="SESSIONTICKET"value="" />
582 <input type="hidden" name="CHALLENGETICKET" id="CHALLENGETICKET" value="" />
583 </div>
584 </form>
585 <p>
586 The Salt and Ticket values are all created using SHA1 on 512 Byte of output from <em>/dev/urandom</em> in HEX.
587 </p>
588 <FONT STYLE="font-size:small">
589 <p> Example Login page for CGIscriptor.pl<br />
590 Copyright &copy; 2012 R.J.J.H. van Son<br />
591 This program is free software: you can redistribute it and/or modify
592 it under the terms of the GNU General Public License as published by
593 the Free Software Foundation, either version 3 of the License, or
594 (at your option) any later version.
595 This program is distributed in the hope that it will be useful,
596 but WITHOUT ANY WARRANTY; without even the implied warranty of
597 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
598 GNU General Public License for more details.<br />
599 You should have received a copy of the GNU General Public License
600 along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.</p>
601 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1<br />
602 Copyright &copy; 2000 - 2009 Paul Johnston, Version 2.2<br />
603 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet<br />
604 Distributed under the BSD License<br />
605 See <a href="http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5</a> for details.
606 </FONT>
607
608 </body>
609 </html>
A flexible HTML 4 compliant script/module for CGI-aware embeded Perl, shell-scripts, and other scripting languages, executed at the server side.