From 874893b8f51eb452acd16516004a58e459e769b5 Mon Sep 17 00:00:00 2001
From: Rob van Son <R.J.J.H.vanSon@gmail.com>
Date: Wed, 6 Jun 2012 11:58:10 +0200
Subject: [PATCH] Updated documentation

---
 CGIscriptor.html            | 28 ++++++++++++++--------------
 CGIscriptor.pl              | 36 ++++++++++++++++++++----------------
 Private/.Passwords/test     |  4 ++--
 Private/.Passwords/testip   |  4 ++--
 Private/ChangePassword.html | 44 +++++++++++++++++++++++++++++++++++---------
 Private/Login.html          |  3 ++-
 Private/manual.html         | 26 +++++++++++++-------------
 7 files changed, 88 insertions(+), 57 deletions(-)

diff --git a/CGIscriptor.html b/CGIscriptor.html
index 90d14da..d2bfad1 100644
--- a/CGIscriptor.html
+++ b/CGIscriptor.html
@@ -1555,10 +1555,10 @@ for security).
 The example session model implements 3 functions:
 <ol>
 <li>Login<br />
-The password is hashed with the server side salt, and then hashed with
-a Random salt. Client and Server both perform these actions and the
-Server only grants access if restults are the same. The server side only 
-stores the password hashed with the
+The password is hashed with the user name and server side salt, and then 
+hashed with a Random salt. Client and Server both perform these actions 
+and the Server only grants access if restults are the same. The server 
+side only stores the password hashed with the user name and
 server side salt. Neither the plain password, nor the hashed password is
 ever exchanged. Only values hashed with the one-time salt are exchanged.
 </li>
@@ -1573,11 +1573,11 @@ one-time Session Ticket from a value derived from the password and
 a random string.
 </li>
 <li>Password Change<br />
-A new password is hashed with the server side salt, and then encrypted
-(XORed)
-with the old password hashed with the salt. That value is exchanged 
-and XORed with the stored old hashed(salt+password). Again, the
-stored password value is never exchanged unencrypted.
+A new password is hashed with the user name and server side salt, and 
+then encrypted (XORed)
+with the old password hashed with the user name and salt. That value is 
+exchanged and XORed with the stored old hashed(salt+password+username). 
+Again, the stored password value is never exchanged unencrypted.
 </li>
 </ol>
 </p>
@@ -1585,8 +1585,8 @@ stored password value is never exchanged unencrypted.
 <p>
 The session authentication mechanism is based on the exchange of ticket
 identifiers. A ticket identifier is just a string of characters, a name 
-or a random 40 character hexadecimal string. There are four types of 
-tickets:
+or a random 40 character hexadecimal string. Ticket identifiers should be
+"safe" filenames (except user names). There are four types of tickets:
 <ul>
 <li>PASSWORD: User account descriptors, including a user name and password</li>
 <li>LOGIN: Temporary anonymous tickets used during login</li>
@@ -1634,9 +1634,9 @@ Humans tend to reuse passwords. A compromise of a site running
 CGIscriptor.pl could therefore lead to a compromise of user accounts at 
 other sites. Therefore, plain text passwords are never stored, used, or 
 even exchanged. Instead, a server site SALT value is "encrypted" with 
-the plain password, actually, both are hashed with a one-way secure hash 
-function (SHA1) into a single string. Whenever the word "password" is 
-used, this hash sum is meant.
+the plain password and user name, actually, all are concatenated and hashed 
+with a one-way secure hash function (SHA1) into a single string. 
+Whenever the word "password" is used, this hash sum is meant.
 </p>
 <p>
 For the authentication and a change of password, the (old) password 
diff --git a/CGIscriptor.pl b/CGIscriptor.pl
index 5ac25d8..af7af7a 100755
--- a/CGIscriptor.pl
+++ b/CGIscriptor.pl
@@ -3050,25 +3050,29 @@ sub create_login_file	#($PasswordDir, $SessionDir, $IPaddress)
 		close(SALTFILE);
 		
 		# Update test account (should be removed in live system)
-		if(-s "$PasswordDir/test")
+		my @alltestusers = ("test", "testip", "testchallenge");
+		foreach my $testuser (@alltestusers)
 		{
-			my $storedpassword = `bash -c 'echo -n ${SERVERSALT}test | $ENV{"SHASUMCMD"}'`;
-			chomp($storedpassword);
-			open(USERFILE, "<$PasswordDir/test") || die "</Private/.Passwords/test: $!\n";
-			@USERlines = <USERFILE>;
-			close(USERFILE);
-			
-			open(USERFILE, ">$PasswordDir/test") || die ">/Private/.Passwords/test: $!\n";
-			# Add Password and Salt
-			foreach my $line (@USERlines)
+			if(-s "$PasswordDir/$testuser")
 			{
-				$line =~ s/^Password: (.*)$/Password: $storedpassword/ig;
-				$line =~ s/^Salt: (.*)$/Salt: $SERVERSALT/ig;
-	
-				print USERFILE $line;
+				my $storedpassword = `bash -c 'echo -n ${SERVERSALT}test${testuser} | $ENV{"SHASUMCMD"}'`;
+				chomp($storedpassword);
+				open(USERFILE, "<$PasswordDir/$testuser") || die "</Private/.Passwords/$testuser: $!\n";
+				@USERlines = <USERFILE>;
+				close(USERFILE);
+				
+				open(USERFILE, ">$PasswordDir/$testuser") || die ">/Private/.Passwords/$testuser: $!\n";
+				# Add Password and Salt
+				foreach my $line (@USERlines)
+				{
+					$line =~ s/^Password: (.*)$/Password: $storedpassword/ig;
+					$line =~ s/^Salt: (.*)$/Salt: $SERVERSALT/ig;
+		
+					print USERFILE $line;
+				};
+				close(USERFILE);
+				
 			};
-			close(USERFILE);
-			
 		};
 	};
 	
diff --git a/Private/.Passwords/test b/Private/.Passwords/test
index ec4d98c..d17bdb6 100644
--- a/Private/.Passwords/test
+++ b/Private/.Passwords/test
@@ -1,7 +1,7 @@
 Type: PASSWORD
 Username: test
-Password: 009f004e6992227857fe2a3610fbecca8a797f31
-Salt: 3fd6865b6ecf749896e57d5fdd7dbf01654a6eb7
+Password: 5bb12b20f411dcc0af61f231916f07cd4ee2e7ed
+Salt: 7e7c5457863dceec056d8ad05c1bad042b76e326
 AllowedPaths: ^/Private/index.html$
 AllowedPaths: ^/Private/[^/]+.html$
 AllowedPaths: ^/Private/?$
diff --git a/Private/.Passwords/testip b/Private/.Passwords/testip
index cd33836..81d4fb9 100644
--- a/Private/.Passwords/testip
+++ b/Private/.Passwords/testip
@@ -1,7 +1,7 @@
 Type: PASSWORD
 Username: testip
-Password: 009f004e6992227857fe2a3610fbecca8a797f31
-Salt: 3fd6865b6ecf749896e57d5fdd7dbf01654a6eb7
+Password: 106f7bb06f0b3da1b300e8a42b9cd420be1e59d0
+Salt: 7e7c5457863dceec056d8ad05c1bad042b76e326
 AllowedPaths: ^/Private/index.html$
 AllowedPaths: ^/Private/[^/]+.html$
 AllowedPaths: ^/Private/?$
diff --git a/Private/ChangePassword.html b/Private/ChangePassword.html
index 7876ab2..e7e7e0e 100644
--- a/Private/ChangePassword.html
+++ b/Private/ChangePassword.html
@@ -54,25 +54,49 @@ function eraseCookie(name) {
 // Combine the PASSWORD with the site SERVERSALT and hash it
 // Combine this Hash iwth the extra SERVERSALT, and hash them
 function HashPassword(extsalt) {
+	var hash = HashSessionSeed(extsalt);
+	var password = document.getElementById('PASSWORD');
+	if(password){
+		password.value = hash;
+	} else {
+		alert("NO PASSWORD IN FORM");
+		return 0;
+	};
+	return hash;
+}
+
+// REMEMBER: Set the session cookie BEFORE you hash the password!!!
+function SetSessionCookie() {
+	var seed = '<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>';
+	var hash = HashSessionSeed(seed);
+	// Dom.storage.enabled must be set!
+	if (!sessionStorage || typeof(sessionStorage) == 'undefined' ) {
+		alert('Your browser does not support HTML5 sessionStorage. Set Dom.storage.enabled or try upgrading.');
+	} 
+	else sessionStorage.setItem("CGIscriptorPRIVATE", hash);
+	return hash;
+};
+
+function HashSessionSeed(sessionseed) {
 	var hash1 = "";
 	var hash2 = "";
 	var passwordvalue = document.getElementById('PASSWORD');
-	if(passwordvalue.value == "")
-		return 0;
 	var saltvalue = document.getElementById('SERVERSALT');
- 	hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
- 	if(extsalt != "")
-		hash2 = hex_sha1(extsalt+hash1);
+	var username = document.getElementById('USERNAME');
+ 	hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
+ 	if(sessionseed != "")
+		hash2 = hex_sha1(sessionseed+hash1);
 	else
 		hash2 = hash1;
- 	passwordvalue.value = hash2;
 	return hash2;
 }
+
 // Remember to hash the repeat too! Or else it will be send in the clear
 function HashNewPassword() {
 	var hash1 = "";
 	var newpassword = document.getElementById('NEWPASSWORD');
 	var newpasswordrep = document.getElementById('NEWPASSWORDREP');
+	var username = document.getElementById('USERNAME');
 	if(newpassword.value == "" ) {
 		newpassword.value = "";
 		return 0;
@@ -83,7 +107,7 @@ function HashNewPassword() {
 		return 0;
 	};
 	var saltvalue = document.getElementById('SERVERSALT');
- 	hash1 = hex_sha1(saltvalue.value+newpassword.value);
+ 	hash1 = hex_sha1(saltvalue.value+newpassword.value+username.value);
  	newpassword.value = hash1;
 	newpasswordrep.value = hash1;
 	return hash1;
@@ -106,9 +130,11 @@ function EncryptNewPassword() {
 	var login = document.getElementById('LOGINTICKET');
 	var newpassword = document.getElementById('NEWPASSWORD');
 	var newpasswordrep = document.getElementById('NEWPASSWORDREP');
+	var username = document.getElementById('USERNAME');
 	
+	// This hashes the newpassword field!
 	HashNewPassword();
-	hash = hex_sha1(saltvalue.value+password.value);
+	hash = hex_sha1(saltvalue.value+password.value+username.value);
 	hash2 = hex_sha1(login.value+hash);
 	var encrypted = XOR_hex_strings(hash2, newpassword.value);
  	newpassword.value = encrypted;
@@ -548,7 +574,7 @@ function bit_rol(num, cnt)
 		<td style="text-align: left"><input type="submit" id="SUBMIT" value="Change" style="color: Gray" /></td>
 	</tr>
 </table>
-  <input type="hidden" name="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
+  <input type="hidden" name="USERNAME" id="USERNAME" size="20" value=<SCRIPT type="text/ssperl">$LOGINUSERNAME</SCRIPT> />
   <input type="hidden" name="SERVERSALT" id="SERVERSALT" value="<SCRIPT TYPE="text/ssperl">$SERVERSALT</SCRIPT>" />
   <input type="hidden" name="RANDOMSALT" id="RANDOMSALT" value="<SCRIPT TYPE="text/ssperl">$RANDOMSALT</SCRIPT>" />
   <input type="hidden" name="LOGINTICKET" id="LOGINTICKET" value="<SCRIPT TYPE="text/ssperl">$LOGINTICKET</SCRIPT>" />
diff --git a/Private/Login.html b/Private/Login.html
index 56db805..a9e0ba9 100644
--- a/Private/Login.html
+++ b/Private/Login.html
@@ -60,7 +60,8 @@ function HashSessionSeed(sessionseed) {
 	var hash2 = "";
 	var passwordvalue = document.getElementById('PASSWORD');
 	var saltvalue = document.getElementById('SALT');
- 	hash1 = hex_sha1(saltvalue.value+passwordvalue.value);
+	var username = document.getElementById('USERNAME');
+ 	hash1 = hex_sha1(saltvalue.value+passwordvalue.value+username.value);
  	if(sessionseed != "")
 		hash2 = hex_sha1(sessionseed+hash1);
 	else
diff --git a/Private/manual.html b/Private/manual.html
index 846b959..ee3e4f3 100644
--- a/Private/manual.html
+++ b/Private/manual.html
@@ -122,10 +122,10 @@ for security).
 The example session model implements 3 functions:
 <ol>
 <li>Login<br />
-The password is hashed with the server side salt, and then hashed with
-a Random salt. Client and Server both perform these actions and the
+The password is hashed with the user name and server side salt, and then 
+hashed with a Random salt. Client and Server both perform these actions and the
 Server only grants access if restults are the same. The server side only 
-stores the password hashed with the
+stores the password hashed with the user name and
 server side salt. Neither the plain password, nor the hashed password is
 ever exchanged. Only values hashed with the one-time salt are exchanged.
 </li>
@@ -140,11 +140,11 @@ one-time Session Ticket from a value derived from the password and
 a random string.
 </li>
 <li>Password Change<br />
-A new password is hashed with the server side salt, and then encrypted
-(XORed)
-with the old password hashed with the salt. That value is exchanged 
-and XORed with the stored old hashed(salt+password). Again, the
-stored password value is never exchanged unencrypted.
+A new password is hashed with the user name and server side salt, and 
+then encrypted (XORed)
+with the old password hashed with the user name and salt. That value is 
+exchanged and XORed with the stored old hashed(salt+password+username). 
+Again, the stored password value is never exchanged unencrypted.
 </li>
 </ol>
 </p>
@@ -152,8 +152,8 @@ stored password value is never exchanged unencrypted.
 <p>
 The session authentication mechanism is based on the exchange of ticket
 identifiers. A ticket identifier is just a string of characters, a name 
-or a random 40 character hexadecimal string. There are four types of 
-tickets:
+or a random 40 character hexadecimal string. Ticket identifiers should be
+"safe" filenames (except user names). There are four types of tickets:
 <ul>
 <li>PASSWORD: User account descriptors, including a user name and password</li>
 <li>LOGIN: Temporary anonymous tickets used during login</li>
@@ -201,9 +201,9 @@ Humans tend to reuse passwords. A compromise of a site running
 CGIscriptor.pl could therefore lead to a compromise of user accounts at 
 other sites. Therefore, plain text passwords are never stored, used, or 
 even exchanged. Instead, a server site SALT value is "encrypted" with 
-the plain password, actually, both are hashed with a one-way secure hash 
-function (SHA1) into a single string. Whenever the word "password" is 
-used, this hash sum is meant.
+the plain password and user name, actually, all are concatenated and hashed 
+with a one-way secure hash function (SHA1) into a single string. 
+Whenever the word "password" is used, this hash sum is meant.
 </p>
 <p>
 For the authentication and a change of password, the (old) password 
-- 
2.11.4.GIT