From 874893b8f51eb452acd16516004a58e459e769b5 Mon Sep 17 00:00:00 2001
From: Rob van Son
-The password is hashed with the server side salt, and then hashed with
-a Random salt. Client and Server both perform these actions and the
-Server only grants access if restults are the same. The server side only
-stores the password hashed with the
+The password is hashed with the user name and server side salt, and then
+hashed with a Random salt. Client and Server both perform these actions
+and the Server only grants access if restults are the same. The server
+side only stores the password hashed with the user name and
server side salt. Neither the plain password, nor the hashed password is
ever exchanged. Only values hashed with the one-time salt are exchanged.
-A new password is hashed with the server side salt, and then encrypted
-(XORed)
-with the old password hashed with the salt. That value is exchanged
-and XORed with the stored old hashed(salt+password). Again, the
-stored password value is never exchanged unencrypted.
+A new password is hashed with the user name and server side salt, and
+then encrypted (XORed)
+with the old password hashed with the user name and salt. That value is
+exchanged and XORed with the stored old hashed(salt+password+username).
+Again, the stored password value is never exchanged unencrypted.
 The session authentication mechanism is based on the exchange of ticket identifiers. A ticket identifier is just a string of characters, a name
-or a random 40 character hexadecimal string. There are four types of
-tickets:
+or a random 40 character hexadecimal string. Ticket identifiers should be
+"safe" filenames (except user names). There are four types of tickets:
 For the authentication and a change of password, the (old) password
diff --git a/CGIscriptor.pl b/CGIscriptor.pl
index 5ac25d8..af7af7a 100755
--- a/CGIscriptor.pl
+++ b/CGIscriptor.pl
@@ -3050,25 +3050,29 @@ sub create_login_file #($PasswordDir, $SessionDir, $IPaddress)
     close(SALTFILE);
     # Update test account (should be removed in live system)
-    if(-s "$PasswordDir/test")
+    my @alltestusers = ("test", "testip", "testchallenge");
+    foreach my $testuser (@alltestusers)
     {
-        my $storedpassword = `bash -c 'echo -n ${SERVERSALT}test | $ENV{"SHASUMCMD"}'`;
-        chomp($storedpassword);
-        open(USERFILE, "<$PasswordDir/test") || die ";
-        close(USERFILE);
-
-        open(USERFILE, ">$PasswordDir/test") || die ">/Private/.Passwords/test: $!\n";
-        # Add Password and Salt
-        foreach my $line (@USERlines)
+        if(-s "$PasswordDir/$testuser")
         {
-            $line =~ s/^Password: (.*)$/Password: $storedpassword/ig;
-            $line =~ s/^Salt: (.*)$/Salt: $SERVERSALT/ig;
-
-            print USERFILE $line;
+            my $storedpassword = `bash -c 'echo -n ${SERVERSALT}test${testuser} | $ENV{"SHASUMCMD"}'`;
+            chomp($storedpassword);
+            open(USERFILE, "<$PasswordDir/$testuser") || die ";
+            close(USERFILE);
+
+            open(USERFILE, ">$PasswordDir/$testuser") || die ">/Private/.Passwords/$testuser: $!\n";
+            # Add Password and Salt
+            foreach my $line (@USERlines)
+            {
+                $line =~ s/^Password: (.*)$/Password: $storedpassword/ig;
+                $line =~ s/^Salt: (.*)$/Salt: $SERVERSALT/ig;
+
+                print USERFILE $line;
+            };
+            close(USERFILE);
+        };
-        close(USERFILE);
-    };
     };
diff --git a/Private/.Passwords/test b/Private/.Passwords/test
index ec4d98c..d17bdb6 100644
--- a/Private/.Passwords/test
+++ b/Private/.Passwords/test
@@ -1,7 +1,7 @@
 Type: PASSWORD
 Username: test
-Password: 009f004e6992227857fe2a3610fbecca8a797f31
-Salt: 3fd6865b6ecf749896e57d5fdd7dbf01654a6eb7
+Password: 5bb12b20f411dcc0af61f231916f07cd4ee2e7ed
+Salt: 7e7c5457863dceec056d8ad05c1bad042b76e326
 AllowedPaths: ^/Private/index.html$
 AllowedPaths: ^/Private/[^/]+.html$
 AllowedPaths: ^/Private/?$
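Review bot: The test-account hash in the new loop is still produced by shelling out through `bash -c` with `${SERVERSALT}` and `$ENV{"SHASUMCMD"}` interpolated into the command string, which ties the stored value to whatever that command prints (a plain `sha1sum`/`shasum` appends `  -` after the digest, which `chomp` does not strip) and keeps a shell in a credential-writing path for no gain. Core Digest::SHA yields the same lowercase hex digest the page-side `hex_sha1` appears to compute, so `use Digest::SHA qw(sha1_hex);` with `my $storedpassword = sha1_hex("${SERVERSALT}test${testuser}");` replaces the backticks and the chomp; if SHASUMCMD is a wrapper that already trims its output, only the shell dependency applies. The loop also rewrites all three test accounts on every call despite the "should be removed in live system" comment, so it is worth gating on an explicit debug flag rather than relying on the note. The file accesses remain bareword handles with two-arg `open`, e.g. `open(my $userfile, '<', "$PasswordDir/$testuser") or die "$PasswordDir/$testuser: $!\n";`. `create_login_file` begins before this hunk; whether it ends at the final `};` is not visible here.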
diff --git a/Private/.Passwords/testip b/Private/.Passwords/testip
index cd33836..81d4fb9 100644
--- a/Private/.Passwords/testip
+++ b/Private/.Passwords/testip
@@ -1,7 +1,7 @@
 Type: PASSWORD
 Username: testip
-Password: 009f004e6992227857fe2a3610fbecca8a797f31
-Salt: 3fd6865b6ecf749896e57d5fdd7dbf01654a6eb7
+Password: 106f7bb06f0b3da1b300e8a42b9cd420be1e59d0
+Salt: 7e7c5457863dceec056d8ad05c1bad042b76e326
 AllowedPaths: ^/Private/index.html$
 AllowedPaths: ^/Private/[^/]+.html$
 AllowedPaths: ^/Private/?$
diff --git a/Private/ChangePassword.html b/Private/ChangePassword.html
index 7876ab2..e7e7e0e 100644
--- a/Private/ChangePassword.html
+++ b/Private/ChangePassword.html
@@ -54,25 +54,49 @@ function eraseCookie(name) {
 // Combine the PASSWORD with the site SERVERSALT and hash it
 // Combine this Hash iwth the extra SERVERSALT, and hash them
 function HashPassword(extsalt) {
+    var hash = HashSessionSeed(extsalt);
+    var password = document.getElementById('PASSWORD');
+    if(password){
+        password.value = hash;
+    } else {
+        alert("NO PASSWORD IN FORM");
+        return 0;
+    };
+    return hash;
+}
+
+// REMEMBER: Set the session cookie BEFORE you hash the password!!!
+function SetSessionCookie() {
+    var seed = '';
+    var hash = HashSessionSeed(seed);
+    // Dom.storage.enabled must be set!
+    if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
+        alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
+    }
+    else sessionStorage.setItem("CGIscriptorPRIVATE", hash);
+    return hash;
+};
+
+function HashSessionSeed(sessionseed) {
     var hash1 = "";
     var hash2 = "";
     var passwordvalue = document.getElementById('PASSWORD');
-    if(passwordvalue.value == "")
-        return 0;
     var saltvalue = document.getElementById('SERVERSALT');
-    hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
-    if(extsalt != "")
-        hash2 = hex_sha1(extsalt+hash1);
+    var username = document.getElementById('USERNAME');
+    hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
+    if(sessionseed != "")
+        hash2 = hex_sha1(sessionseed+hash1);
     else
         hash2 = hash1;
-    passwordvalue.value = hash2;
     return hash2;
 }
+
 // Remember to hash the repeat too! Or else it will be send in the clear
 function HashNewPassword() {
     var hash1 = "";
     var newpassword = document.getElementById('NEWPASSWORD');
     var newpasswordrep = document.getElementById('NEWPASSWORDREP');
+    var username = document.getElementById('USERNAME');
     if(newpassword.value == "" ) {
         newpassword.value = "";
         return 0;
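Review bot: SetSessionCookie writes HashSessionSeed('') — i.e. hash1, SHA-1 over SERVERSALT, the password and the user name, which the description earlier in this patch says is exactly what the server stores and which is all a client needs to answer the random-salt challenge — into sessionStorage in the clear, where any script running on this origin (an XSS, a third-party include) can read a password-equivalent credential until the tab closes; the name also misleads, since no cookie is set. If keeping it client-side is intended, say so where it is stored, e.g. `// NOTE: password-equivalent hash; readable by any script on this origin for the life of the tab`. The feature test in the same function is ordered wrong: `!sessionStorage` throws a ReferenceError on a browser where the global is undeclared before `typeof` is ever reached, so it should read `if (typeof sessionStorage === 'undefined' || !sessionStorage) {`. Dropping the empty-password guard from HashSessionSeed further means HashPassword now submits sha1(salt + '' + username) for a blank PASSWORD field where the old code returned 0; restoring `if(passwordvalue.value == "") return 0;` inside HashSessionSeed keeps the old behaviour.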
@@ -83,7 +107,7 @@ function HashNewPassword() {
         return 0;
     };
     var saltvalue = document.getElementById('SERVERSALT');
-    hash1 = hex_sha1(saltvalue.value+newpassword.value);
+    hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
     newpassword.value = hash1;
     newpasswordrep.value = hash1;
     return hash1;
@@ -106,9 +130,11 @@ function EncryptNewPassword() {
     var login = document.getElementById('LOGINTICKET');
     var newpassword = document.getElementById('NEWPASSWORD');
     var newpasswordrep = document.getElementById('NEWPASSWORDREP');
+    var username = document.getElementById('USERNAME');
+    // This hashes the newpassword field!
     HashNewPassword();
-    hash = hex_sha1(saltvalue.value+password.value);
+    hash = hex_sha1(saltvalue.value+password.value+username.value);
     hash2 = hex_sha1(login.value+hash);
     var encrypted = XOR_hex_strings(hash2, newpassword.value);
     newpassword.value = encrypted;
@@ -548,7 +574,7 @@ function bit_rol(num, cnt)
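Review bot: In EncryptNewPassword the rewritten `hash = hex_sha1(saltvalue.value+password.value+username.value);` and the adjacent `hash2 = hex_sha1(login.value+hash);` assign identifiers that are never declared, so both become implicit globals (and throw under `'use strict'`); declare them, `var hash = hex_sha1(saltvalue.value+password.value+username.value);` and `var hash2 = hex_sha1(login.value+hash);`. The new-password hash is then XORed with hash2, a one-time pad keyed only by LOGINTICKET and the old hash1, so if the same ticket could be used for two password changes the XOR of the two new hashes would leak — worth a comment stating that a login ticket is single-use, if that is what the server enforces (not visible from this hunk). The return value of HashNewPassword (0 for an empty field) is also discarded before the XOR, so an empty NEWPASSWORD still reaches XOR_hex_strings. EncryptNewPassword starts before this hunk and ends after it.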
 The session authentication mechanism is based on the exchange of ticket identifiers. A ticket identifier is just a string of characters, a name
-or a random 40 character hexadecimal string. There are four types of
-tickets:
+or a random 40 character hexadecimal string. Ticket identifiers should be
+"safe" filenames (except user names). There are four types of tickets:
 For the authentication and a change of password, the (old) password
-- 
2.11.4.GIT