search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Layout ChangePassword page
[CGIscriptor.git] / Private / ChangePassword.html
bloba5630d5b549f1a2ad115bad5d813d4de8ac66797
1 <html>
2 <head>
3 <title>Change Password</title>
4 <SCRIPT TYPE="text/ssperl" CGI='$SERVERSALT $SESSIONTICKET $LOGINTICKET $RANDOMSALT $REMOTE_ADDR $LOGINUSERNAME $LOGINIPADDRESS $LOGINPATH'>
5 ::create_login_file("~/Private/.Passwords", "~/Private/.Sessions", $REMOTE_ADDR);
6 "";
7 </SCRIPT>
8 <SCRIPT type="text/javascript" LANGUAGE="JavaScript">
9 function createCookie(name,value,days,path) {
10 if (days) {
11 var date = new Date();
12 date.setTime(date.getTime()+(days*24*60*60*1000));
13 var expires = "; expires="+date.toGMTString();
14 }
15 else var expires = "";
16 document.cookie = name+"="+value+expires+"; path=/"+path;
17 };
18
19 function readCookie(name) {
20 var nameEQ = name + "=";
21 var ca = document.cookie.split(';');
22 for(var i=0;i < ca.length;i++) {
23 var c = ca[i];
24 while (c.charAt(0)==' ') c = c.substring(1,c.length);
25 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
26 }
27 return null;
28 };
29
30 function check_password_fields ( ) {
31 var newpassword = document.getElementById('NEWPASSWORD');
32 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
33 if(newpassword.value == "" || newpasswordrep.value == "") {
34 alert("No passwords");
35 return false;
36 };
37 if(newpassword.value == newpasswordrep.value) {
38 var submitbutton = document.getElementById('SUBMIT');
39 submitbutton.style.color = "Black";
40 return true;
41 };
42 alert("Passwords differ");
43 return false;
44 };
45
46 function eraseCookie(name) {
47 createCookie(name,"",-1);
48 };
49
50 // Combine the PASSWORD with the site SERVERSALT and hash it
51 // Combine this Hash iwth the extra SERVERSALT, and hash them
52 function HashPassword(extsalt) {
53 var hash1 = "";
54 var hash2 = "";
55 var passwordvalue = document.getElementById('PASSWORD');
56 if(passwordvalue.value == "")
57 return 0;
58 var saltvalue = document.getElementById('SERVERSALT');
59 hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
60 if(extsalt != "")
61 hash2 = hex_sha1(extsalt+hash1);
62 else
63 hash2 = hash1;
64 passwordvalue.value = hash2;
65 return hash2;
66 }
67 // Remember to hash the repeat too! Or else it will be send in the clear
68 function HashNewPassword() {
69 var hash1 = "";
70 var newpassword = document.getElementById('NEWPASSWORD');
71 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
72 if(newpassword.value == "" ) {
73 newpassword.value = "";
74 return 0;
75 };
76 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
77 newpassword.value = "";
78 newpasswordrep.value = "";
79 return 0;
80 };
81 var saltvalue = document.getElementById('SERVERSALT');
82 hash1 = hex_sha1(saltvalue.value+newpassword.value);
83 newpassword.value = hash1;
84 newpasswordrep.value = hash1;
85 return hash1;
86 };
87
88 function XOR_hex_strings(hex1, hex2) {
89 var resultHex = "";
90 for(var i=0; i < hex1.length; ++i) {
91 var d1 = parseInt(hex1.charAt(i),16);
92 var d2 = parseInt(hex2.charAt(i),16);
93 var resultD = d1^d2;
94 resultHex = resultHex+resultD.toString(16);
95 };
96 return resultHex;
97 };
98
99 function EncryptNewPassword() {
100 var password = document.getElementById('PASSWORD');
101 var saltvalue = document.getElementById('SERVERSALT');
102 var newpassword = document.getElementById('NEWPASSWORD');
103 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
104
105 HashNewPassword();
106 hash = hex_sha1(saltvalue.value+password.value);
107 var encrypted = XOR_hex_strings(hash, newpassword.value);
108 newpassword.value = encrypted;
109 newpasswordrep.value = encrypted;
110 return encrypted;
111 };
112
113 function add_cgiparam(elem, attr, param) {
114 var elems = document.getElementsByTagName(elem);
115 for (var i = 0; i < elems.length; i++)
116 {
117 var n=elems[i][attr].indexOf("?");
118 if(n<0)
119 elems[i][attr] = elems[i][attr] + "?" + param;
120 else
121 elems[i][attr] = elems[i][attr] + "&" + param;
122 };
123 };
124
125 function remove_cgiparam(elem, attr, parameter) {
126 var elems = document.getElementsByTagName(elem);
127 for (var i = 0; i < elems.length; i++)
128 {
129 var n=elems[i][attr].indexOf("&"+parameter);
130 if(n>0)
131 elems[i][attr] = elems[i][attr].replace("&"+param, "");
132 var n=elems[i][attr].indexOf(parameter);
133 if(n>0)
134 elems[i][attr] = elems[i][attr].replace(param, "");
135 };
136 };
137
138 window.onload = function() {
139 var sessionticket = readCookie("CGIscriptor");
140 if(document.location.href.indexOf("SESSIONTICKET") < 0) {
141 if(document.location.href.indexOf("?") < 0)
142 document.location.href = document.location.href+"?SESSIONTICKET="+sessionticket;
143 else
144 document.location.href = document.location.href+"&SESSIONTICKET="+sessionticket;
145 };
146 var sessionparm = document.getElementById('SESSIONTICKET');
147 if(sessionparm) sessionparm.value = sessionticket;
148 add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
149 add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
150 return true;
151 };
152
153 </SCRIPT>
154
155 <script type="text/javascript">
156 /*
157 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
158 * in FIPS 180-1
159 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
160 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
161 * Distributed under the BSD License
162 * See http://pajhome.org.uk/crypt/md5 for details.
163 */
164
165 /*
166 * Configurable variables. You may need to tweak these to be compatible with
167 * the server-side, but the defaults work in most cases.
168 */
169 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
170 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
171
172 /*
173 * These are the functions you'll usually want to call
174 * They take string arguments and return either hex or base-64 encoded strings
175 */
176 function hex_sha1(s) { return rstr2hex(rstr_sha1(str2rstr_utf8(s))); }
177 function b64_sha1(s) { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
178 function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
179 function hex_hmac_sha1(k, d)
180 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
181 function b64_hmac_sha1(k, d)
182 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
183 function any_hmac_sha1(k, d, e)
184 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
185
186 /*
187 * Perform a simple self-test to see if the VM is working
188 */
189 function sha1_vm_test()
190 {
191 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
192 }
193
194 /*
195 * Calculate the SHA1 of a raw string
196 */
197 function rstr_sha1(s)
198 {
199 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
200 }
201
202 /*
203 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
204 */
205 function rstr_hmac_sha1(key, data)
206 {
207 var bkey = rstr2binb(key);
208 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
209
210 var ipad = Array(16), opad = Array(16);
211 for(var i = 0; i < 16; i++)
212 {
213 ipad[i] = bkey[i] ^ 0x36363636;
214 opad[i] = bkey[i] ^ 0x5C5C5C5C;
215 }
216
217 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
218 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
219 }
220
221 /*
222 * Convert a raw string to a hex string
223 */
224 function rstr2hex(input)
225 {
226 try { hexcase } catch(e) { hexcase=0; }
227 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
228 var output = "";
229 var x;
230 for(var i = 0; i < input.length; i++)
231 {
232 x = input.charCodeAt(i);
233 output += hex_tab.charAt((x >>> 4) & 0x0F)
234 + hex_tab.charAt( x & 0x0F);
235 }
236 return output;
237 }
238
239 /*
240 * Convert a raw string to a base-64 string
241 */
242 function rstr2b64(input)
243 {
244 try { b64pad } catch(e) { b64pad=''; }
245 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
246 var output = "";
247 var len = input.length;
248 for(var i = 0; i < len; i += 3)
249 {
250 var triplet = (input.charCodeAt(i) << 16)
251 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
252 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
253 for(var j = 0; j < 4; j++)
254 {
255 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
256 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
257 }
258 }
259 return output;
260 }
261
262 /*
263 * Convert a raw string to an arbitrary string encoding
264 */
265 function rstr2any(input, encoding)
266 {
267 var divisor = encoding.length;
268 var remainders = Array();
269 var i, q, x, quotient;
270
271 /* Convert to an array of 16-bit big-endian values, forming the dividend */
272 var dividend = Array(Math.ceil(input.length / 2));
273 for(i = 0; i < dividend.length; i++)
274 {
275 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
276 }
277
278 /*
279 * Repeatedly perform a long division. The binary array forms the dividend,
280 * the length of the encoding is the divisor. Once computed, the quotient
281 * forms the dividend for the next step. We stop when the dividend is zero.
282 * All remainders are stored for later use.
283 */
284 while(dividend.length > 0)
285 {
286 quotient = Array();
287 x = 0;
288 for(i = 0; i < dividend.length; i++)
289 {
290 x = (x << 16) + dividend[i];
291 q = Math.floor(x / divisor);
292 x -= q * divisor;
293 if(quotient.length > 0 || q > 0)
294 quotient[quotient.length] = q;
295 }
296 remainders[remainders.length] = x;
297 dividend = quotient;
298 }
299
300 /* Convert the remainders to the output string */
301 var output = "";
302 for(i = remainders.length - 1; i >= 0; i--)
303 output += encoding.charAt(remainders[i]);
304
305 /* Append leading zero equivalents */
306 var full_length = Math.ceil(input.length * 8 /
307 (Math.log(encoding.length) / Math.log(2)))
308 for(i = output.length; i < full_length; i++)
309 output = encoding[0] + output;
310
311 return output;
312 }
313
314 /*
315 * Encode a string as utf-8.
316 * For efficiency, this assumes the input is valid utf-16.
317 */
318 function str2rstr_utf8(input)
319 {
320 var output = "";
321 var i = -1;
322 var x, y;
323
324 while(++i < input.length)
325 {
326 /* Decode utf-16 surrogate pairs */
327 x = input.charCodeAt(i);
328 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
329 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
330 {
331 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
332 i++;
333 }
334
335 /* Encode output as utf-8 */
336 if(x <= 0x7F)
337 output += String.fromCharCode(x);
338 else if(x <= 0x7FF)
339 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
340 0x80 | ( x & 0x3F));
341 else if(x <= 0xFFFF)
342 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
343 0x80 | ((x >>> 6 ) & 0x3F),
344 0x80 | ( x & 0x3F));
345 else if(x <= 0x1FFFFF)
346 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
347 0x80 | ((x >>> 12) & 0x3F),
348 0x80 | ((x >>> 6 ) & 0x3F),
349 0x80 | ( x & 0x3F));
350 }
351 return output;
352 }
353
354 /*
355 * Encode a string as utf-16
356 */
357 function str2rstr_utf16le(input)
358 {
359 var output = "";
360 for(var i = 0; i < input.length; i++)
361 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
362 (input.charCodeAt(i) >>> 8) & 0xFF);
363 return output;
364 }
365
366 function str2rstr_utf16be(input)
367 {
368 var output = "";
369 for(var i = 0; i < input.length; i++)
370 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
371 input.charCodeAt(i) & 0xFF);
372 return output;
373 }
374
375 /*
376 * Convert a raw string to an array of big-endian words
377 * Characters >255 have their high-byte silently ignored.
378 */
379 function rstr2binb(input)
380 {
381 var output = Array(input.length >> 2);
382 for(var i = 0; i < output.length; i++)
383 output[i] = 0;
384 for(var i = 0; i < input.length * 8; i += 8)
385 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
386 return output;
387 }
388
389 /*
390 * Convert an array of big-endian words to a string
391 */
392 function binb2rstr(input)
393 {
394 var output = "";
395 for(var i = 0; i < input.length * 32; i += 8)
396 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
397 return output;
398 }
399
400 /*
401 * Calculate the SHA-1 of an array of big-endian words, and a bit length
402 */
403 function binb_sha1(x, len)
404 {
405 /* append padding */
406 x[len >> 5] |= 0x80 << (24 - len % 32);
407 x[((len + 64 >> 9) << 4) + 15] = len;
408
409 var w = Array(80);
410 var a = 1732584193;
411 var b = -271733879;
412 var c = -1732584194;
413 var d = 271733878;
414 var e = -1009589776;
415
416 for(var i = 0; i < x.length; i += 16)
417 {
418 var olda = a;
419 var oldb = b;
420 var oldc = c;
421 var oldd = d;
422 var olde = e;
423
424 for(var j = 0; j < 80; j++)
425 {
426 if(j < 16) w[j] = x[i + j];
427 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
428 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
429 safe_add(safe_add(e, w[j]), sha1_kt(j)));
430 e = d;
431 d = c;
432 c = bit_rol(b, 30);
433 b = a;
434 a = t;
435 }
436
437 a = safe_add(a, olda);
438 b = safe_add(b, oldb);
439 c = safe_add(c, oldc);
440 d = safe_add(d, oldd);
441 e = safe_add(e, olde);
442 }
443 return Array(a, b, c, d, e);
444
445 }
446
447 /*
448 * Perform the appropriate triplet combination function for the current
449 * iteration
450 */
451 function sha1_ft(t, b, c, d)
452 {
453 if(t < 20) return (b & c) | ((~b) & d);
454 if(t < 40) return b ^ c ^ d;
455 if(t < 60) return (b & c) | (b & d) | (c & d);
456 return b ^ c ^ d;
457 }
458
459 /*
460 * Determine the appropriate additive constant for the current iteration
461 */
462 function sha1_kt(t)
463 {
464 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
465 (t < 60) ? -1894007588 : -899497514;
466 }
467
468 /*
469 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
470 * to work around bugs in some JS interpreters.
471 */
472 function safe_add(x, y)
473 {
474 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
475 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
476 return (msw << 16) | (lsw & 0xFFFF);
477 }
478
479 /*
480 * Bitwise rotate a 32-bit number to the left.
481 */
482 function bit_rol(num, cnt)
483 {
484 return (num << cnt) | (num >>> (32 - cnt));
485 }
486 </script>
487
488 </head>
489 <body>
490 <h1 align=CENTER>Change your password</h1>
491 <p>
492 </p>
493 <p>
494 </p>
495
496 <form method="POST" action="index.html" id="LoginForm"
497 onSubmit='if(! check_password_fields())return false;EncryptNewPassword();HashPassword("<SCRIPT TYPE="text/ssperl">
498 $RANDOMSALT</SCRIPT>");true'>
499 <div style="margin-left: 30%; margin-right: 30%; text-align: left">
500 <table>
501 <tr>
502 <td style="text-align: right">Old Password:</td>
503 <td style="text-align: left"><input type="PASSWORD" name="PASSWORD" id="PASSWORD" size="20" /></td>
504 </tr>
505 <tr>
506 <td style="text-align: right">New Password:</td>
507 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORD" id="NEWPASSWORD" size="20" />
508 </td>
509 </tr>
510 <tr>
511 <td style="text-align: right">Repeat:</td>
512 <td style="text-align: left"><input type="PASSWORD" name="NEWPASSWORDREP" id="NEWPASSWORDREP" size="20" onChange="check_password_fields();"/></td>
513 </tr>
514 <tr>
515 <td></td>
516 <td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" /></td>
517 </tr>
518 </table>
519 <input type="hidden" name="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
520 <input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
521 <input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
522 <input type="hidden" name="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
523 <input type="hidden" name="SESSIONTICKET" value="<SCRIPT TYPE="text/ssperl">$SESSIONTICKET</SCRIPT>" />
524 </div>
525 </form>
526 <p>
527 The Salt and Ticket values are all created using SHA1 on 512 Byte of output from <em>/dev/urandom</em> in HEX.
528 </p>
529 <FONT STYLE="font-size:small">
530 <p> Example Login page for CGIscriptor.pl<br />
531 Copyright &copy; 2012 R.J.J.H. van Son<br />
532 This program is free software: you can redistribute it and/or modify
533 it under the terms of the GNU General Public License as published by
534 the Free Software Foundation, either version 3 of the License, or
535 (at your option) any later version.
536 This program is distributed in the hope that it will be useful,
537 but WITHOUT ANY WARRANTY; without even the implied warranty of
538 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
539 GNU General Public License for more details.<br />
540 You should have received a copy of the GNU General Public License
541 along with this program. If not, see <a href="http://www.gnu.org/licenses/">http://www.gnu.org/licenses/</a>.</p>
542 <p> JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined in FIPS 180-1<br />
543 Copyright &copy; 2000 - 2009 Paul Johnston, Version 2.2<br />
544 Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet<br />
545 Distributed under the BSD License<br />
546 See <a href="http://pajhome.org.uk/crypt/md5">http://pajhome.org.uk/crypt/md5</a> for details.
547 </FONT>
548
549 </body>
550 </html>
A flexible HTML 4 compliant script/module for CGI-aware embeded Perl, shell-scripts, and other scripting languages, executed at the server side.