search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Implemented challenge. Not all example HTML files ready
[CGIscriptor.git] / Private / index.html
blobfd7cd463fe0d3154ea1c48e114996d561ba69786
1 <html>
2 <head>
3 <title>
4 Private data
5 </title>
6 <script type="text/javascript">
7 function createCookie(name,value,days,path) {
8 if (days) {
9 var date = new Date();
10 date.setTime(date.getTime()+(days*24*60*60*1000));
11 var expires = "; expires="+date.toGMTString();
12 }
13 else var expires = "";
14 var match = document.cookie.match('/('+name+'\=[^\;]*\);/');
15 if(match)
16 document.cookie = document.cookie.replace(match[1], name+"="+value);
17 else
18 document.cookie = name+"="+value+expires+"; path=/"+path;
19 };
20
21
22 function readCookie(name) {
23 var nameEQ = name + "=";
24 var ca = document.cookie.split(';');
25 for(var i=0;i < ca.length;i++) {
26 var c = ca[i];
27 while (c.charAt(0)==' ') c = c.substring(1,c.length);
28 if (c.indexOf(nameEQ) == 0) return c.substring(nameEQ.length,c.length);
29 }
30 return null;
31 };
32
33 function eraseCookie(name) {
34 createCookie(name,"",-1);
35 };
36
37 // Combine the PASSWORD with the site SERVERSALT and hash it
38 // Combine this Hash iwth the extra SERVERSALT, and hash them
39 function HashPassword(extsalt) {
40 var hash = HashSessionSeed(extsalt);
41 var password = document.getElementById('PASSWORD');
42 if(password){
43 password.value = hash;
44 } else {
45 alert("NO PASSWORD IN FORM");
46 return 0;
47 };
48 return hash;
49 }
50
51 // REMEMBER: Set the session cookie BEFORE you hash the password!!!
52 function SetSessionCookie() {
53 var seed = '<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>';
54 var hash = HashSessionSeed(seed);
55 // Dom.storage.enabled must be set!
56 if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
57 alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
58 }
59 else sessionStorage.setItem("CGIscriptorPRIVATE", hash);
60 return hash;
61 };
62
63 function HashSessionSeed(sessionseed) {
64 var hash1 = "";
65 var hash2 = "";
66 var passwordvalue = document.getElementById('PASSWORD');
67 var saltvalue = document.getElementById('SERVERSALT');
68 var username = document.getElementById('USERNAME');
69 hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
70 if(sessionseed != "")
71 hash2 = hex_sha1(sessionseed+hash1);
72 else
73 hash2 = hash1;
74 return hash2;
75 }
76
77 // Remember to hash the repeat too! Or else it will be send in the clear
78 function HashNewPassword() {
79 var hash1 = "";
80 var newpassword = document.getElementById('NEWPASSWORD');
81 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
82 var username = document.getElementById('USERNAME');
83 if(newpassword.value == "" ) {
84 newpassword.value = "";
85 return 0;
86 };
87 if(newpasswordrep && (newpasswordrep.value == ""|| newpassword.value != newpasswordrep.value)) {
88 newpassword.value = "";
89 newpasswordrep.value = "";
90 return 0;
91 };
92 var saltvalue = document.getElementById('SERVERSALT');
93 hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
94 newpassword.value = hash1;
95 newpasswordrep.value = hash1;
96 return hash1;
97 };
98
99 function XOR_hex_strings(hex1, hex2) {
100 var resultHex = "";
101 for(var i=0; i < hex1.length; ++i) {
102 var d1 = parseInt(hex1.charAt(i),16);
103 var d2 = parseInt(hex2.charAt(i),16);
104 var resultD = d1^d2;
105 resultHex = resultHex+resultD.toString(16);
106 };
107 return resultHex;
108 };
109
110 function EncryptNewPassword() {
111 var password = document.getElementById('PASSWORD');
112 var saltvalue = document.getElementById('SERVERSALT');
113 var login = document.getElementById('LOGINTICKET');
114 var newpassword = document.getElementById('NEWPASSWORD');
115 var newpasswordrep = document.getElementById('NEWPASSWORDREP');
116 var username = document.getElementById('USERNAME');
117
118 // This hashes the newpassword field!
119 HashNewPassword();
120 hash = hex_sha1(saltvalue.value+password.value+username.value);
121 hash2 = hex_sha1(login.value+hash);
122 var encrypted = XOR_hex_strings(hash2, newpassword.value);
123 newpassword.value = encrypted;
124 newpasswordrep.value = encrypted;
125 return encrypted;
126 };
127
128 function add_cgiparam(elem, attr, param) {
129 var elems = document.getElementsByTagName(elem);
130 for (var i = 0; i < elems.length; i++)
131 {
132 var n=elems[i][attr].indexOf("?");
133 if(n<0)
134 elems[i][attr] = elems[i][attr] + "?" + param;
135 else
136 elems[i][attr] = elems[i][attr] + "&" + param;
137 };
138 };
139
140 function setSessionParameters() {
141 var sessionset = readCookie("CGIscriptorSESSION");
142 if(!sessionset.match(/[\S]/))return false;
143
144 var sessionticket = "";
145 sessionticket = sessionStorage.getItem("CGIscriptorPRIVATE");
146 createCookie("CGIscriptorSESSION",sessionticket, 1, "Private");
147
148 // Without cookies, use this
149 // var sessionparm = document.getElementById('SESSIONTICKET');
150 // if(sessionparm) sessionparm.value = sessionticket;
151 // add_cgiparam('a', 'href', "SESSIONTICKET="+sessionticket);
152 // add_cgiparam('form', 'action', "SESSIONTICKET="+sessionticket);
153 return true;
154 };
155 function setChallengeParameters() {
156 var sessionset = readCookie("CGIscriptorCHALLENGE");
157 if(!(sessionset && sessionset.match(/[\S]/)))return false;
158
159 var sessionticket = "";
160 var sessionkey = sessionStorage.getItem("CGIscriptorPRIVATE");
161 sessionticket = hex_sha1(sessionset+sessionkey);
162 createCookie("CGIscriptorCHALLENGE",sessionticket, 1, "Private");
163
164 // Without cookies, use this
165 // var sessionparm = document.getElementById('CHALLENGETICKET');
166 // if(sessionparm) sessionparm.value = sessionticket;
167
168 // add_cgiparam('a', 'href', "CHALLENGETICKET="+sessionticket);
169 // add_cgiparam('form', 'action', "CHALLENGETICKET="+sessionticket);
170 return true;
171 };
172
173 window.onload = function() {
174 var challengeSet = setChallengeParameters();
175 if(! challengeSet)
176 setSessionParameters();
177 return true;
178 };
179
180 </script>
181
182 <script type="text/javascript">
183 /*
184 * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
185 * in FIPS 180-1
186 * Version 2.2 Copyright Paul Johnston 2000 - 2009.
187 * Other contributors: Greg Holt, Andrew Kepert, Ydnar, Lostinet
188 * Distributed under the BSD License
189 * See http://pajhome.org.uk/crypt/md5 for details.
190 */
191
192 /*
193 * Configurable variables. You may need to tweak these to be compatible with
194 * the server-side, but the defaults work in most cases.
195 */
196 var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
197 var b64pad = ""; /* base-64 pad character. "=" for strict RFC compliance */
198
199 /*
200 * These are the functions you'll usually want to call
201 * They take string arguments and return either hex or base-64 encoded strings
202 */
203 function hex_sha1(s) { return rstr2hex(rstr_sha1(str2rstr_utf8(s))); }
204 function b64_sha1(s) { return rstr2b64(rstr_sha1(str2rstr_utf8(s))); }
205 function any_sha1(s, e) { return rstr2any(rstr_sha1(str2rstr_utf8(s)), e); }
206 function hex_hmac_sha1(k, d)
207 { return rstr2hex(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
208 function b64_hmac_sha1(k, d)
209 { return rstr2b64(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d))); }
210 function any_hmac_sha1(k, d, e)
211 { return rstr2any(rstr_hmac_sha1(str2rstr_utf8(k), str2rstr_utf8(d)), e); }
212
213 /*
214 * Perform a simple self-test to see if the VM is working
215 */
216 function sha1_vm_test()
217 {
218 return hex_sha1("abc").toLowerCase() == "a9993e364706816aba3e25717850c26c9cd0d89d";
219 }
220
221 /*
222 * Calculate the SHA1 of a raw string
223 */
224 function rstr_sha1(s)
225 {
226 return binb2rstr(binb_sha1(rstr2binb(s), s.length * 8));
227 }
228
229 /*
230 * Calculate the HMAC-SHA1 of a key and some data (raw strings)
231 */
232 function rstr_hmac_sha1(key, data)
233 {
234 var bkey = rstr2binb(key);
235 if(bkey.length > 16) bkey = binb_sha1(bkey, key.length * 8);
236
237 var ipad = Array(16), opad = Array(16);
238 for(var i = 0; i < 16; i++)
239 {
240 ipad[i] = bkey[i] ^ 0x36363636;
241 opad[i] = bkey[i] ^ 0x5C5C5C5C;
242 }
243
244 var hash = binb_sha1(ipad.concat(rstr2binb(data)), 512 + data.length * 8);
245 return binb2rstr(binb_sha1(opad.concat(hash), 512 + 160));
246 }
247
248 /*
249 * Convert a raw string to a hex string
250 */
251 function rstr2hex(input)
252 {
253 try { hexcase } catch(e) { hexcase=0; }
254 var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
255 var output = "";
256 var x;
257 for(var i = 0; i < input.length; i++)
258 {
259 x = input.charCodeAt(i);
260 output += hex_tab.charAt((x >>> 4) & 0x0F)
261 + hex_tab.charAt( x & 0x0F);
262 }
263 return output;
264 }
265
266 /*
267 * Convert a raw string to a base-64 string
268 */
269 function rstr2b64(input)
270 {
271 try { b64pad } catch(e) { b64pad=''; }
272 var tab = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
273 var output = "";
274 var len = input.length;
275 for(var i = 0; i < len; i += 3)
276 {
277 var triplet = (input.charCodeAt(i) << 16)
278 | (i + 1 < len ? input.charCodeAt(i+1) << 8 : 0)
279 | (i + 2 < len ? input.charCodeAt(i+2) : 0);
280 for(var j = 0; j < 4; j++)
281 {
282 if(i * 8 + j * 6 > input.length * 8) output += b64pad;
283 else output += tab.charAt((triplet >>> 6*(3-j)) & 0x3F);
284 }
285 }
286 return output;
287 }
288
289 /*
290 * Convert a raw string to an arbitrary string encoding
291 */
292 function rstr2any(input, encoding)
293 {
294 var divisor = encoding.length;
295 var remainders = Array();
296 var i, q, x, quotient;
297
298 /* Convert to an array of 16-bit big-endian values, forming the dividend */
299 var dividend = Array(Math.ceil(input.length / 2));
300 for(i = 0; i < dividend.length; i++)
301 {
302 dividend[i] = (input.charCodeAt(i * 2) << 8) | input.charCodeAt(i * 2 + 1);
303 }
304
305 /*
306 * Repeatedly perform a long division. The binary array forms the dividend,
307 * the length of the encoding is the divisor. Once computed, the quotient
308 * forms the dividend for the next step. We stop when the dividend is zero.
309 * All remainders are stored for later use.
310 */
311 while(dividend.length > 0)
312 {
313 quotient = Array();
314 x = 0;
315 for(i = 0; i < dividend.length; i++)
316 {
317 x = (x << 16) + dividend[i];
318 q = Math.floor(x / divisor);
319 x -= q * divisor;
320 if(quotient.length > 0 || q > 0)
321 quotient[quotient.length] = q;
322 }
323 remainders[remainders.length] = x;
324 dividend = quotient;
325 }
326
327 /* Convert the remainders to the output string */
328 var output = "";
329 for(i = remainders.length - 1; i >= 0; i--)
330 output += encoding.charAt(remainders[i]);
331
332 /* Append leading zero equivalents */
333 var full_length = Math.ceil(input.length * 8 /
334 (Math.log(encoding.length) / Math.log(2)))
335 for(i = output.length; i < full_length; i++)
336 output = encoding[0] + output;
337
338 return output;
339 }
340
341 /*
342 * Encode a string as utf-8.
343 * For efficiency, this assumes the input is valid utf-16.
344 */
345 function str2rstr_utf8(input)
346 {
347 var output = "";
348 var i = -1;
349 var x, y;
350
351 while(++i < input.length)
352 {
353 /* Decode utf-16 surrogate pairs */
354 x = input.charCodeAt(i);
355 y = i + 1 < input.length ? input.charCodeAt(i + 1) : 0;
356 if(0xD800 <= x && x <= 0xDBFF && 0xDC00 <= y && y <= 0xDFFF)
357 {
358 x = 0x10000 + ((x & 0x03FF) << 10) + (y & 0x03FF);
359 i++;
360 }
361
362 /* Encode output as utf-8 */
363 if(x <= 0x7F)
364 output += String.fromCharCode(x);
365 else if(x <= 0x7FF)
366 output += String.fromCharCode(0xC0 | ((x >>> 6 ) & 0x1F),
367 0x80 | ( x & 0x3F));
368 else if(x <= 0xFFFF)
369 output += String.fromCharCode(0xE0 | ((x >>> 12) & 0x0F),
370 0x80 | ((x >>> 6 ) & 0x3F),
371 0x80 | ( x & 0x3F));
372 else if(x <= 0x1FFFFF)
373 output += String.fromCharCode(0xF0 | ((x >>> 18) & 0x07),
374 0x80 | ((x >>> 12) & 0x3F),
375 0x80 | ((x >>> 6 ) & 0x3F),
376 0x80 | ( x & 0x3F));
377 }
378 return output;
379 }
380
381 /*
382 * Encode a string as utf-16
383 */
384 function str2rstr_utf16le(input)
385 {
386 var output = "";
387 for(var i = 0; i < input.length; i++)
388 output += String.fromCharCode( input.charCodeAt(i) & 0xFF,
389 (input.charCodeAt(i) >>> 8) & 0xFF);
390 return output;
391 }
392
393 function str2rstr_utf16be(input)
394 {
395 var output = "";
396 for(var i = 0; i < input.length; i++)
397 output += String.fromCharCode((input.charCodeAt(i) >>> 8) & 0xFF,
398 input.charCodeAt(i) & 0xFF);
399 return output;
400 }
401
402 /*
403 * Convert a raw string to an array of big-endian words
404 * Characters >255 have their high-byte silently ignored.
405 */
406 function rstr2binb(input)
407 {
408 var output = Array(input.length >> 2);
409 for(var i = 0; i < output.length; i++)
410 output[i] = 0;
411 for(var i = 0; i < input.length * 8; i += 8)
412 output[i>>5] |= (input.charCodeAt(i / 8) & 0xFF) << (24 - i % 32);
413 return output;
414 }
415
416 /*
417 * Convert an array of big-endian words to a string
418 */
419 function binb2rstr(input)
420 {
421 var output = "";
422 for(var i = 0; i < input.length * 32; i += 8)
423 output += String.fromCharCode((input[i>>5] >>> (24 - i % 32)) & 0xFF);
424 return output;
425 }
426
427 /*
428 * Calculate the SHA-1 of an array of big-endian words, and a bit length
429 */
430 function binb_sha1(x, len)
431 {
432 /* append padding */
433 x[len >> 5] |= 0x80 << (24 - len % 32);
434 x[((len + 64 >> 9) << 4) + 15] = len;
435
436 var w = Array(80);
437 var a = 1732584193;
438 var b = -271733879;
439 var c = -1732584194;
440 var d = 271733878;
441 var e = -1009589776;
442
443 for(var i = 0; i < x.length; i += 16)
444 {
445 var olda = a;
446 var oldb = b;
447 var oldc = c;
448 var oldd = d;
449 var olde = e;
450
451 for(var j = 0; j < 80; j++)
452 {
453 if(j < 16) w[j] = x[i + j];
454 else w[j] = bit_rol(w[j-3] ^ w[j-8] ^ w[j-14] ^ w[j-16], 1);
455 var t = safe_add(safe_add(bit_rol(a, 5), sha1_ft(j, b, c, d)),
456 safe_add(safe_add(e, w[j]), sha1_kt(j)));
457 e = d;
458 d = c;
459 c = bit_rol(b, 30);
460 b = a;
461 a = t;
462 }
463
464 a = safe_add(a, olda);
465 b = safe_add(b, oldb);
466 c = safe_add(c, oldc);
467 d = safe_add(d, oldd);
468 e = safe_add(e, olde);
469 }
470 return Array(a, b, c, d, e);
471
472 }
473
474 /*
475 * Perform the appropriate triplet combination function for the current
476 * iteration
477 */
478 function sha1_ft(t, b, c, d)
479 {
480 if(t < 20) return (b & c) | ((~b) & d);
481 if(t < 40) return b ^ c ^ d;
482 if(t < 60) return (b & c) | (b & d) | (c & d);
483 return b ^ c ^ d;
484 }
485
486 /*
487 * Determine the appropriate additive constant for the current iteration
488 */
489 function sha1_kt(t)
490 {
491 return (t < 20) ? 1518500249 : (t < 40) ? 1859775393 :
492 (t < 60) ? -1894007588 : -899497514;
493 }
494
495 /*
496 * Add integers, wrapping at 2^32. This uses 16-bit operations internally
497 * to work around bugs in some JS interpreters.
498 */
499 function safe_add(x, y)
500 {
501 var lsw = (x & 0xFFFF) + (y & 0xFFFF);
502 var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
503 return (msw << 16) | (lsw & 0xFFFF);
504 }
505
506 /*
507 * Bitwise rotate a 32-bit number to the left.
508 */
509 function bit_rol(num, cnt)
510 {
511 return (num << cnt) | (num >>> (32 - cnt));
512 }
513 </script>
514 </head>
515 <body>
516 <p ALIGN=RIGHT><a href="?LOGOUT">Logout</a></p>
517 <p ALIGN=RIGHT><a href="ChangePassword.html">Change Password</a></p>
518 <h1 align=CENTER>Private data: You are now logged in as <em><script type="text/ssperl" CGI='$LOGINUSERNAME=""'>$LOGINUSERNAME</script></em></h1>
519 <p align=CENTER>Logged in from <script type="text/ssperl" CGI='$LOGINIPADDRESS="" $LOGINPATH="" $SESSIONTYPE'>
520 "$LOGINIPADDRESS $LOGINPATH <br />Session type: $SESSIONTYPE"
521 </script></p>
522 <p align=CENTER><a href="manual.html">Go to manual</a></p>
523
524 <A NAME="SESSIONTICKETS"><H2 ALIGN="CENTER">SERVER SIDE SESSIONS AND ACCESS CONTROL (LOGIN)</H2></A>
525 <p>
526 An infrastructure for user acount authorization and file access control
527 is available. Each request is matched against a list of URL path patterns.
528 If the request matches, a Session Ticket is required to access the URL.
529 This Session Ticket should be present as a CGI parameter or Cookie:
530 </p>
531 <p>
532 CGI: SESSIONTICKET=&lt;value&gt;<br />
533 Cookie: CGIscriptorSESSION=&lt;value&gt;</p>
534 <p>
535 The example implementation stores Session Tickets as files in a local
536 directory. To create Session Tickets, a Login request must be given
537 with a LOGIN=&lt;value&gt; CGI parameter, a user name and a (doubly hashed)
538 password. The user name and (singly hashed) password are stored in a
539 PASSWORD ticket with the same name as the user account (name cleaned up
540 for security).
541 </p>
542
543 </body>
544 </html>
A flexible HTML 4 compliant script/module for CGI-aware embeded Perl, shell-scripts, and other scripting languages, executed at the server side.