Browse Source

report de [15196] [15197] [15198]

svn/root/tags/spip-3.0.0-alpha1
Cerdic 13 years ago
parent
commit
a7e8e9a954
  1. 2
      .gitattributes
  2. 5
      ecrire/action/editer_auteur.php
  3. 414
      ecrire/auth/sha256.inc.php
  4. 55
      ecrire/auth/spip.php
  5. 6
      ecrire/inc/securiser_action.php
  6. 24
      prive/javascript/login.js
  7. 62
      prive/javascript/sha256.js
  8. 2
      squelettes-dist/formulaires/inscription.php
  9. 11
      squelettes-dist/formulaires/mot_de_passe.php

2
.gitattributes vendored

@ -56,6 +56,7 @@ ecrire/action/tester.php -text
ecrire/action/tester_taille.php -text
ecrire/action/tourner.php -text
ecrire/action/virtualiser.php -text
ecrire/auth/sha256.inc.php -text
ecrire/balise/formulaire_.php -text
ecrire/balise/index.php -text
ecrire/balise/logo_.php -text
@ -726,6 +727,7 @@ prive/javascript/jquery.js -text
prive/javascript/login.js -text
prive/javascript/multilang.js -text
prive/javascript/pause.js -text
prive/javascript/sha256.js -text
prive/minipres.css -text
prive/modeles/application.html -text
prive/modeles/audio.html -text

5
ecrire/action/editer_auteur.php

@ -107,9 +107,10 @@ function auteurs_set($id_auteur, $set = null) {
// Modification de statut, changement de rubrique ?
$c = array();
foreach (array(
'statut', 'new_login','new_pass','webmestre','restreintes','id_parent'
'statut', 'new_login','new_pass','login','pass','webmestre','restreintes','id_parent'
) as $champ)
$c[preg_replace(',^new_,','',$champ)] = _request($champ,$set);
if (_request($champ,$set))
$c[preg_replace(',^new_,','',$champ)] = _request($champ,$set);
$err .= instituer_auteur($id_auteur, $c);

414
ecrire/auth/sha256.inc.php

@ -0,0 +1,414 @@
<?php
/*
* Transparent SHA-256 Implementation for PHP 4 and PHP 5
*
* Author: Perry McGee (pmcgee@nanolink.ca)
* Website: http://www.nanolink.ca/pub/sha256
*
* Copyright (C) 2006,2007,2008,2009 Nanolink Solutions
*
* Created: Feb 11, 2006
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
* or see <http://www.gnu.org/licenses/>.
*
* Include:
*
* require_once("[path/]sha256.inc.php");
*
* Usage Options:
*
* 1) $shaStr = hash('sha256', $string_to_hash);
*
* 2) $shaStr = sha256($string_to_hash[, bool ignore_php5_hash = false]);
*
* 3) $obj = new nanoSha2([bool $upper_case_output = false]);
* $shaStr = $obj->hash($string_to_hash[, bool $ignore_php5_hash = false]);
*
* Reference: http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
*
* 2007-12-13: Cleaned up for initial public release
* 2008-05-10: Moved all helper functions into a class. API access unchanged.
* 2009-06-23: Created abstraction of hash() routine
* 2009-07-23: Added detection of 32 vs 64bit platform, and patches.
* Ability to define "_NANO_SHA2_UPPER" to yeild upper case hashes.
* 2009-08-01: Added ability to attempt to use mhash() prior to running pure
* php code.
*
* NOTE: Some sporadic versions of PHP do not handle integer overflows the
* same as the majority of builds. If you get hash results of:
* 7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff
*
* If you do not have permissions to change PHP versions (if you did
* you'd probably upgrade to PHP 5 anyway) it is advised you install a
* module that will allow you to use their hashing routines, examples are:
* - mhash module : http://ca3.php.net/mhash
* - Suhosin : http://www.hardened-php.net/suhosin/
*
* If you install the Suhosin module, this script will transparently
* use their routine and define the PHP routine as _nano_sha256().
*
* If the mhash module is present, and $ignore_php5_hash = false the
* script will attempt to use the output from mhash prior to running
* the PHP code.
*/
if (!class_exists('nanoSha2'))
{
class nanoSha2
{
// php 4 - 5 compatable class properties
var $toUpper;
var $platform;
// Php 4 - 6 compatable constructor
function nanoSha2($toUpper = false) {
// Determine if the caller wants upper case or not.
$this->toUpper = is_bool($toUpper)
? $toUpper
: ((defined('_NANO_SHA2_UPPER')) ? true : false);
// Deteremine if the system is 32 or 64 bit.
$tmpInt = (int)4294967295;
$this->platform = ($tmpInt > 0) ? 64 : 32;
}
// Do the SHA-256 Padding routine (make input a multiple of 512 bits)
function char_pad($str)
{
$tmpStr = $str;
$l = strlen($tmpStr)*8; // # of bits from input string
$tmpStr .= "\x80"; // append the "1" bit followed by 7 0's
$k = (512 - (($l + 8 + 64) % 512)) / 8; // # of 0 bytes to append
$k += 4; // PHP Strings will never exceed (2^31)-1, 1st 32bits of
// the 64-bit value representing $l can be all 0's
for ($x = 0; $x < $k; $x++) {
$tmpStr .= "\0";
}
// append the 32-bits representing # of bits from input string ($l)
$tmpStr .= chr((($l>>24) & 0xFF));
$tmpStr .= chr((($l>>16) & 0xFF));
$tmpStr .= chr((($l>>8) & 0xFF));
$tmpStr .= chr(($l & 0xFF));
return $tmpStr;
}
// Here are the bitwise and functions as defined in FIPS180-2 Standard
function addmod2n($x, $y, $n = 4294967296) // Z = (X + Y) mod 2^32
{
$mask = 0x80000000;
if ($x < 0) {
$x &= 0x7FFFFFFF;
$x = (float)$x + $mask;
}
if ($y < 0) {
$y &= 0x7FFFFFFF;
$y = (float)$y + $mask;
}
$r = $x + $y;
if ($r >= $n) {
while ($r >= $n) {
$r -= $n;
}
}
return (int)$r;
}
// Logical bitwise right shift (PHP default is arithmetic shift)
function SHR($x, $n) // x >> n
{
if ($n >= 32) { // impose some limits to keep it 32-bit
return (int)0;
}
if ($n <= 0) {
return (int)$x;
}
$mask = 0x40000000;
if ($x < 0) {
$x &= 0x7FFFFFFF;
$mask = $mask >> ($n-1);
return ($x >> $n) | $mask;
}
return (int)$x >> (int)$n;
}
function ROTR($x, $n) { return (int)(($this->SHR($x, $n) | ($x << (32-$n)) & 0xFFFFFFFF)); }
function Ch($x, $y, $z) { return ($x & $y) ^ ((~$x) & $z); }
function Maj($x, $y, $z) { return ($x & $y) ^ ($x & $z) ^ ($y & $z); }
function Sigma0($x) { return (int) ($this->ROTR($x, 2)^$this->ROTR($x, 13)^$this->ROTR($x, 22)); }
function Sigma1($x) { return (int) ($this->ROTR($x, 6)^$this->ROTR($x, 11)^$this->ROTR($x, 25)); }
function sigma_0($x) { return (int) ($this->ROTR($x, 7)^$this->ROTR($x, 18)^$this->SHR($x, 3)); }
function sigma_1($x) { return (int) ($this->ROTR($x, 17)^$this->ROTR($x, 19)^$this->SHR($x, 10)); }
/*
* Custom functions to provide PHP support
*/
// split a byte-string into integer array values
function int_split($input)
{
$l = strlen($input);
if ($l <= 0) {
return (int)0;
}
if (($l % 4) != 0) { // invalid input
return false;
}
for ($i = 0; $i < $l; $i += 4)
{
$int_build = (ord($input[$i]) << 24);
$int_build += (ord($input[$i+1]) << 16);
$int_build += (ord($input[$i+2]) << 8);
$int_build += (ord($input[$i+3]));
$result[] = $int_build;
}
return $result;
}
/**
* Process and return the hash.
*
* @param $str Input string to hash
* @param $ig_func Option param to ignore checking for php > 5.1.2
* @return string Hexadecimal representation of the message digest
*/
function hash($str, $ig_func = false)
{
unset($binStr); // binary representation of input string
unset($hexStr); // 256-bit message digest in readable hex format
// check for php's internal sha256 function, ignore if ig_func==true
if ($ig_func == false) {
if (version_compare(PHP_VERSION,'5.1.2','>=')) {
return hash("sha256", $str, false);
} else if (function_exists('mhash') && defined('MHASH_SHA256')) {
return base64_encode(bin2hex(mhash(MHASH_SHA256, $str)));
}
}
/*
* SHA-256 Constants
* Sequence of sixty-four constant 32-bit words representing the
* first thirty-two bits of the fractional parts of the cube roots
* of the first sixtyfour prime numbers.
*/
$K = array((int)0x428a2f98, (int)0x71374491, (int)0xb5c0fbcf,
(int)0xe9b5dba5, (int)0x3956c25b, (int)0x59f111f1,
(int)0x923f82a4, (int)0xab1c5ed5, (int)0xd807aa98,
(int)0x12835b01, (int)0x243185be, (int)0x550c7dc3,
(int)0x72be5d74, (int)0x80deb1fe, (int)0x9bdc06a7,
(int)0xc19bf174, (int)0xe49b69c1, (int)0xefbe4786,
(int)0x0fc19dc6, (int)0x240ca1cc, (int)0x2de92c6f,
(int)0x4a7484aa, (int)0x5cb0a9dc, (int)0x76f988da,
(int)0x983e5152, (int)0xa831c66d, (int)0xb00327c8,
(int)0xbf597fc7, (int)0xc6e00bf3, (int)0xd5a79147,
(int)0x06ca6351, (int)0x14292967, (int)0x27b70a85,
(int)0x2e1b2138, (int)0x4d2c6dfc, (int)0x53380d13,
(int)0x650a7354, (int)0x766a0abb, (int)0x81c2c92e,
(int)0x92722c85, (int)0xa2bfe8a1, (int)0xa81a664b,
(int)0xc24b8b70, (int)0xc76c51a3, (int)0xd192e819,
(int)0xd6990624, (int)0xf40e3585, (int)0x106aa070,
(int)0x19a4c116, (int)0x1e376c08, (int)0x2748774c,
(int)0x34b0bcb5, (int)0x391c0cb3, (int)0x4ed8aa4a,
(int)0x5b9cca4f, (int)0x682e6ff3, (int)0x748f82ee,
(int)0x78a5636f, (int)0x84c87814, (int)0x8cc70208,
(int)0x90befffa, (int)0xa4506ceb, (int)0xbef9a3f7,
(int)0xc67178f2);
// Pre-processing: Padding the string
$binStr = $this->char_pad($str);
// Parsing the Padded Message (Break into N 512-bit blocks)
$M = str_split($binStr, 64);
// Set the initial hash values
$h[0] = (int)0x6a09e667;
$h[1] = (int)0xbb67ae85;
$h[2] = (int)0x3c6ef372;
$h[3] = (int)0xa54ff53a;
$h[4] = (int)0x510e527f;
$h[5] = (int)0x9b05688c;
$h[6] = (int)0x1f83d9ab;
$h[7] = (int)0x5be0cd19;
// loop through message blocks and compute hash. ( For i=1 to N : )
$N = count($M);
for ($i = 0; $i < $N; $i++)
{
// Break input block into 16 32bit words (message schedule prep)
$MI = $this->int_split($M[$i]);
// Initialize working variables
$_a = (int)$h[0];
$_b = (int)$h[1];
$_c = (int)$h[2];
$_d = (int)$h[3];
$_e = (int)$h[4];
$_f = (int)$h[5];
$_g = (int)$h[6];
$_h = (int)$h[7];
unset($_s0);
unset($_s1);
unset($_T1);
unset($_T2);
$W = array();
// Compute the hash and update
for ($t = 0; $t < 16; $t++)
{
// Prepare the first 16 message schedule values as we loop
$W[$t] = $MI[$t];
// Compute hash
$_T1 = $this->addmod2n($this->addmod2n($this->addmod2n($this->addmod2n($_h, $this->Sigma1($_e)), $this->Ch($_e, $_f, $_g)), $K[$t]), $W[$t]);
$_T2 = $this->addmod2n($this->Sigma0($_a), $this->Maj($_a, $_b, $_c));
// Update working variables
$_h = $_g; $_g = $_f; $_f = $_e; $_e = $this->addmod2n($_d, $_T1);
$_d = $_c; $_c = $_b; $_b = $_a; $_a = $this->addmod2n($_T1, $_T2);
}
for (; $t < 64; $t++)
{
// Continue building the message schedule as we loop
$_s0 = $W[($t+1)&0x0F];
$_s0 = $this->sigma_0($_s0);
$_s1 = $W[($t+14)&0x0F];
$_s1 = $this->sigma_1($_s1);
$W[$t&0xF] = $this->addmod2n($this->addmod2n($this->addmod2n($W[$t&0xF], $_s0), $_s1), $W[($t+9)&0x0F]);
// Compute hash
$_T1 = $this->addmod2n($this->addmod2n($this->addmod2n($this->addmod2n($_h, $this->Sigma1($_e)), $this->Ch($_e, $_f, $_g)), $K[$t]), $W[$t&0xF]);
$_T2 = $this->addmod2n($this->Sigma0($_a), $this->Maj($_a, $_b, $_c));
// Update working variables
$_h = $_g; $_g = $_f; $_f = $_e; $_e = $this->addmod2n($_d, $_T1);
$_d = $_c; $_c = $_b; $_b = $_a; $_a = $this->addmod2n($_T1, $_T2);
}
$h[0] = $this->addmod2n($h[0], $_a);
$h[1] = $this->addmod2n($h[1], $_b);
$h[2] = $this->addmod2n($h[2], $_c);
$h[3] = $this->addmod2n($h[3], $_d);
$h[4] = $this->addmod2n($h[4], $_e);
$h[5] = $this->addmod2n($h[5], $_f);
$h[6] = $this->addmod2n($h[6], $_g);
$h[7] = $this->addmod2n($h[7], $_h);
}
// Convert the 32-bit words into human readable hexadecimal format.
$hexStr = sprintf("%08x%08x%08x%08x%08x%08x%08x%08x", $h[0], $h[1], $h[2], $h[3], $h[4], $h[5], $h[6], $h[7]);
return ($this->toUpper) ? strtoupper($hexStr) : $hexStr;
}
}
}
if (!function_exists('str_split'))
{
/**
* Splits a string into an array of strings with specified length.
* Compatability with older verions of PHP
*/
function str_split($string, $split_length = 1)
{
$sign = ($split_length < 0) ? -1 : 1;
$strlen = strlen($string);
$split_length = abs($split_length);
if (($split_length == 0) || ($strlen == 0)) {
$result = false;
} elseif ($split_length >= $strlen) {
$result[] = $string;
} else {
$length = $split_length;
for ($i = 0; $i < $strlen; $i++)
{
$i = (($sign < 0) ? $i + $length : $i);
$result[] = substr($string, $sign*$i, $length);
$i--;
$i = (($sign < 0) ? $i : $i + $length);
$length = (($i + $split_length) > $strlen)
? ($strlen - ($i + 1))
: $split_length;
}
}
return $result;
}
}
/**
* Main routine called from an application using this include.
*
* General usage:
* require_once('sha256.inc.php');
* $hashstr = sha256('abc');
*
* Note:
* PHP Strings are limitd to (2^31)-1, so it is not worth it to
* check for input strings > 2^64 as the FIPS180-2 defines.
*/
// 2009-07-23: Added check for function as the Suhosin plugin adds this routine.
if (!function_exists('sha256')) {
function sha256($str, $ig_func = false) {
$obj = new nanoSha2((defined('_NANO_SHA2_UPPER')) ? true : false);
return $obj->hash($str, $ig_func);
}
} else {
function _nano_sha256($str, $ig_func = false) {
$obj = new nanoSha2((defined('_NANO_SHA2_UPPER')) ? true : false);
return $obj->hash($str, $ig_func);
}
}
// support to give php4 the hash() routine which abstracts this code.
if (!function_exists('hash'))
{
function hash($algo, $data)
{
if (empty($algo) || !is_string($algo) || !is_string($data)) {
return false;
}
if (function_exists($algo)) {
return $algo($data);
}
}
}
?>

55
ecrire/auth/spip.php

@ -19,9 +19,19 @@ function auth_spip_dist ($login, $pass, $serveur='') {
$login = auth_spip_retrouver_login($login);
$md5pass = $md5next = "";
if (preg_match(",^\{([0-9a-f]{32});([0-9a-f]{32})\}$,i",$pass,$regs)){
$md5pass = $regs[1];
$md5next = $regs[2];
$shapass = $shanext = "";
if (preg_match(",^\{([0-9a-f]{64});([0-9a-f]{64})\}$,i",$pass,$regs)){
$shapass = $regs[1];
$shanext = $regs[2];
$pass="";
}
// compat avec une base mixte md5/sha256 : le js a envoye les 2 hash
elseif (preg_match(",^\{([0-9a-f]{64});([0-9a-f]{64});([0-9a-f]{32});([0-9a-f]{32})\}$,i",$pass,$regs)){
$shapass = $regs[1];
$shanext = $regs[2];
$md5pass = $regs[3];
$md5next = $regs[4];
$pass="";
}
// si envoi non crypte, crypter maintenant
@ -29,22 +39,31 @@ function auth_spip_dist ($login, $pass, $serveur='') {
$row = sql_fetsel("alea_actuel, alea_futur", "spip_auteurs", "login=" . sql_quote($login),'','','','',$serveur);
if ($row) {
//var_dump('pas la !');
include_spip('auth/sha256.inc');
$shapass = sha256($row['alea_actuel'] . $pass);
$shanext = sha256($row['alea_futur'] . $pass);
$md5pass = md5($row['alea_actuel'] . $pass);
$md5next = md5($row['alea_futur'] . $pass);
}
}
// login inexistant ou mot de passe vide
if (!$md5pass) return array();
if (!$shapass AND !$md5pass) return array();
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($shapass) . " AND statut<>'5poubelle'",'','','','',$serveur);
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($md5pass) . " AND statut<>'5poubelle'",'','','','',$serveur);
// compat avec les anciennes bases en md5
if (!$row AND $md5pass)
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($md5pass) . " AND statut<>'5poubelle'",'','','','',$serveur);
// login/mot de passe incorrect
if (!$row) return array();
// fait tourner le codage du pass dans la base
if ($md5next) {
if ($shanext) {
include_spip('inc/acces'); // pour creer_uniqid
@sql_update('spip_auteurs', array('alea_actuel' => 'alea_futur', 'pass' => sql_quote($md5next), 'alea_futur' => sql_quote(creer_uniqid())), "id_auteur=" . $row['id_auteur'],'',$serveur);
@sql_update('spip_auteurs', array('alea_actuel' => 'alea_futur', 'pass' => sql_quote($shanext), 'alea_futur' => sql_quote(creer_uniqid())), "id_auteur=" . $row['id_auteur'],'',$serveur);
// En profiter pour verifier la securite de tmp/
verifier_htaccess(_DIR_TMP);
}
@ -52,9 +71,15 @@ function auth_spip_dist ($login, $pass, $serveur='') {
}
function auth_spip_formulaire_login($flux){
// faut il encore envoyer md5 ?
// on regarde si il reste des pass md5 en base pour des auteurs en statut pas poubelle
// les hash md5 ont une longueur 32, les sha 64
$compat_md5 = sql_countsel("spip_auteurs", "length(pass)=32 AND statut<>'poubelle'");
// javascript qui gere la securite du login en evitant de faire circuler le pass en clair
$flux['data'].=
'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'md5.js"></script>'
($compat_md5?'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'md5.js"></script>':'')
. '<script type="text/javascript" src="'._DIR_JAVASCRIPT.'sha256.js"></script>'
.'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'login.js"></script>'
.'<script type="text/javascript">/*<![CDATA[*/'
."var alea_actuel='".$flux['args']['contexte']['_alea_actuel']."';"
@ -63,6 +88,7 @@ function auth_spip_formulaire_login($flux){
."var page_auteur = '".generer_url_public('informer_auteur')."';"
."var informe_auteur_en_cours = false;"
."var attente_informe = 0;"
."var compat_md5 = ".($compat_md5?"true;":"false;")
."(function($){
$('#password')
.after(\"<em id='pass_securise'><img src='"._DIR_IMG_PACK."securise.gif' width='16' height='16' alt='<:login_securise:>' title='<:login_securise:>' \/><\/em>\");
@ -89,7 +115,7 @@ function auth_spip_autoriser_modifier_login($serveur=''){
/**
* Verification de la validite d'un login pour le mode d'auth concerne
*
*
* @param string $new_login
* @param int $id_auteur
* si auteur existant deja
@ -218,7 +244,7 @@ function auth_spip_verifier_pass($login, $new_pass, $id_auteur=0, $serveur=''){
// login et mot de passe
if (strlen($new_pass) < 6)
return _T('info_passe_trop_court');
return '';
}
@ -232,10 +258,11 @@ function auth_spip_modifier_pass($login, $new_pass, $id_auteur, $serveur=''){
$c = array();
include_spip('inc/acces');
include_spip('auth/sha256.inc');
$htpass = generer_htpass($new_pass);
$alea_actuel = creer_uniqid();
$alea_futur = creer_uniqid();
$pass = md5($alea_actuel.$new_pass);
$pass = sha256($alea_actuel.$new_pass);
$c['pass'] = $pass;
$c['htpass'] = $htpass;
$c['alea_actuel'] = $alea_actuel;
@ -249,12 +276,12 @@ function auth_spip_modifier_pass($login, $new_pass, $id_auteur, $serveur=''){
/**
* Synchroniser les fichiers htpasswd
*
*
* @param int $id_auteur
* @param array $champs
* @param array $options
* all=>true permet de demander la regeneration complete des acces apres operation en base (import, upgrade)
* @return void
* @return void
*/
function auth_spip_synchroniser_distant($id_auteur, $champs, $options = array(), $serveur=''){
// ne rien faire pour une base distante : on ne sait pas regenerer les htaccess

6
ecrire/inc/securiser_action.php

@ -110,7 +110,8 @@ function _action_auteur($action, $id_auteur, $pass, $alea) {
exit;
}
}
return md5($action.$id_auteur.$pass.@$GLOBALS['meta'][$alea]);
include_spip('auth/sha256.inc');
return sha256($action.$id_auteur.$pass.@$GLOBALS['meta'][$alea]);
}
// http://doc.spip.org/@calculer_action_auteur
@ -154,7 +155,8 @@ function secret_du_site() {
// http://doc.spip.org/@calculer_cle_action
function calculer_cle_action($action) {
return md5($action . secret_du_site());
include_spip('auth/sha256.inc');
return sha256($action . secret_du_site());
}
// http://doc.spip.org/@verifier_cle_action

24
prive/javascript/login.js

@ -24,13 +24,23 @@ function informe_auteur(c){
affiche_login_secure();
}
function calcule_md5_pass(pass){
if (alea_actuel && !pass.match(/^\{([0-9a-f]{32});([0-9a-f]{32})\}$/i)) {
function calcule_hash_pass(pass){
if ((alea_actuel || alea_futur)
&& !pass.match(/^\{([0-9a-f]{32});([0-9a-f]{32})\}$/i)
&& !pass.match(/^\{([0-9a-f]{64});([0-9a-f]{64});([0-9a-f]{32});([0-9a-f]{32})\}$/i)
&& sha256_self_test() // verifions que le hash sha est operationnel
) {
var hash = "";
hash = hex_sha256(alea_actuel + pass);
var md5p = calcMD5(alea_actuel + pass);
var md5n = calcMD5(alea_futur + pass);
hash = hash+';'+hex_sha256(alea_futur + pass);
// envoyer aussi le md5 si demande (compatibilite)
if (window.calcMD5){
hash = hash+';'+calcMD5(alea_actuel + pass);
hash = hash+';'+calcMD5(alea_futur + pass);
}
jQuery('input[name=password]').attr('value','{'+md5p+';'+md5n+'}');
jQuery('input[name=password]').attr('value','{'+hash+'}');
}
}
@ -60,8 +70,8 @@ function login_submit(){
}
// Si on a l'alea, on peut lancer le submit apres avoir hashe le pass
if (alea_actuel) {
calcule_md5_pass(pass);
if (alea_actuel || alea_futur) {
calcule_hash_pass(pass);
}
// si on arrive pas a avoir une reponse, vider le pass pour forcer un passage en 2 fois
else if(informe_auteur_en_cours)

62
prive/javascript/sha256.js

@ -0,0 +1,62 @@
/* A JavaScript implementation of the Secure Hash Algorithm, SHA-256
* Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
* Distributed under the BSD License
* Some bits taken from Paul Johnston's SHA-1 implementation
*/
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
function safe_add (x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
function S (X, n) {return ( X >>> n ) | (X << (32 - n));}
function R (X, n) {return ( X >>> n );}
function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));}
function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));}
function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));}
function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));}
function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));}
function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));}
function core_sha256 (m, l) {
var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2);
var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
var W = new Array(64);
var a, b, c, d, e, f, g, h, i, j;
var T1, T2;
/* append padding */
m[l >> 5] |= 0x80 << (24 - l % 32);
m[((l + 64 >> 9) << 4) + 15] = l;
for ( var i = 0; i<m.length; i+=16 ) {
a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7];
for ( var j = 0; j<64; j++) {
if (j < 16) W[j] = m[j + i];
else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
T2 = safe_add(Sigma0256(a), Maj(a, b, c));
h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2);
}
HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]);
}
return HASH;
}
function str2binb (str) {
var bin = Array();
var mask = (1 << chrsz) - 1;
for(var i = 0; i < str.length * chrsz; i += chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
return bin;
}
function binb2hex (binarray) {
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
var str = "";
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
}
return str;
}
function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));}
/* test if the JS-interpreter is working properly */
function sha256_self_test(){
return hex_sha256("message digest") == "f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650";
}

2
squelettes-dist/formulaires/inscription.php vendored

@ -214,10 +214,8 @@ function test_login($nom, $mail) {
function creer_pass_pour_auteur($id_auteur) {
include_spip('inc/acces');
$pass = creer_pass_aleatoire(8, $id_auteur);
include_spip('action/editer_auteur');
instituer_auteur($id_auteur, array('pass'=>$pass));
return $pass;
}

11
squelettes-dist/formulaires/mot_de_passe.php vendored

@ -75,18 +75,15 @@ function formulaires_mot_de_passe_traiter_dist($id_auteur=null){
}
elseif ($p=_request('p')) {
$p = preg_replace(',[^0-9a-f.],i','',$p);
$row = sql_fetsel('id_auteur,login','spip_auteurs',array('cookie_oubli='.sql_quote($p),"statut<>'5poubelle'","pass<>''"));
$row = sql_fetsel('id_auteur,login,source','spip_auteurs',array('cookie_oubli='.sql_quote($p),"statut<>'5poubelle'","pass<>''"));
}
if ($row
&& ($id_auteur = $row['id_auteur'])
&& ($oubli = _request('oubli'))) {
include_spip('inc/acces');
$mdpass = md5($oubli);
$htpass = generer_htpass($oubli);
include_spip('base/abstract_sql');
sql_updateq('spip_auteurs', array('htpass' =>$htpass, 'pass'=>$mdpass, 'alea_actuel'=>'', 'cookie_oubli'=>''), "id_auteur=" . intval($id_auteur));
include_spip('action/editer_auteur');
instituer_auteur($id_auteur, array('pass'=>$oubli));
$login = $row['login'];
$message = "<b>" . _T('pass_nouveau_enregistre') . "</b>".
"<p>" . _T('pass_rappel_login', array('login' => $login));

Loading…
Cancel
Save