spip
/
spip
32
14
Fork 13
Code Issues 430 Pull Requests 7 Projects Releases Wiki Activity
Browse Source

report de [15196] [15197] [15198]

svn/root/tags/spip-3.0.0-alpha1
Cerdic 13 years ago
parent
0735cd977a
commit
a7e8e9a954
9 changed files with 547 additions and 34 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      .gitattributes
  2. 5
      ecrire/action/editer_auteur.php
  3. 414
      ecrire/auth/sha256.inc.php
  4. 55
      ecrire/auth/spip.php
  5. 6
      ecrire/inc/securiser_action.php
  6. 24
      prive/javascript/login.js
  7. 62
      prive/javascript/sha256.js
  8. 2
      squelettes-dist/formulaires/inscription.php
  9. 11
      squelettes-dist/formulaires/mot_de_passe.php

2
.gitattributes vendored
Unescape View File

@ -56,6 +56,7 @@ ecrire/action/tester.php -text
ecrire/action/tester_taille.php -text
ecrire/action/tourner.php -text
ecrire/action/virtualiser.php -text
ecrire/auth/sha256.inc.php -text
ecrire/balise/formulaire_.php -text
ecrire/balise/index.php -text
ecrire/balise/logo_.php -text
@ -726,6 +727,7 @@ prive/javascript/jquery.js -text
prive/javascript/login.js -text
prive/javascript/multilang.js -text
prive/javascript/pause.js -text
prive/javascript/sha256.js -text
prive/minipres.css -text
prive/modeles/application.html -text
prive/modeles/audio.html -text

5
ecrire/action/editer_auteur.php
Unescape View File

@ -107,9 +107,10 @@ function auteurs_set($id_auteur, $set = null) {
// Modification de statut, changement de rubrique ?
$c = array();
foreach (array(
'statut', 'new_login','new_pass','webmestre','restreintes','id_parent'
'statut', 'new_login','new_pass','login','pass','webmestre','restreintes','id_parent'
) as $champ)
$c[preg_replace(',^new_,','',$champ)] = _request($champ,$set);
if (_request($champ,$set))
$c[preg_replace(',^new_,','',$champ)] = _request($champ,$set);
$err .= instituer_auteur($id_auteur, $c);

414
ecrire/auth/sha256.inc.php
Unescape View File

@ -0,0 +1,414 @@
<?php
/*
* Transparent SHA-256 Implementation for PHP 4 and PHP 5
*
* Author: Perry McGee (pmcgee@nanolink.ca)
* Website: http://www.nanolink.ca/pub/sha256
*
* Copyright (C) 2006,2007,2008,2009 Nanolink Solutions
*
* Created: Feb 11, 2006
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
* or see <http://www.gnu.org/licenses/>.
*
* Include:
*
* require_once("[path/]sha256.inc.php");
*
* Usage Options:
*
* 1) $shaStr = hash('sha256', $string_to_hash);
*
* 2) $shaStr = sha256($string_to_hash[, bool ignore_php5_hash = false]);
*
* 3) $obj = new nanoSha2([bool $upper_case_output = false]);
* $shaStr = $obj->hash($string_to_hash[, bool $ignore_php5_hash = false]);
*
* Reference: http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html
*
* 2007-12-13: Cleaned up for initial public release
* 2008-05-10: Moved all helper functions into a class. API access unchanged.
* 2009-06-23: Created abstraction of hash() routine
* 2009-07-23: Added detection of 32 vs 64bit platform, and patches.
* Ability to define "_NANO_SHA2_UPPER" to yeild upper case hashes.
* 2009-08-01: Added ability to attempt to use mhash() prior to running pure
* php code.
*
* NOTE: Some sporadic versions of PHP do not handle integer overflows the
* same as the majority of builds. If you get hash results of:
* 7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff7fffffff
*
* If you do not have permissions to change PHP versions (if you did
* you'd probably upgrade to PHP 5 anyway) it is advised you install a
* module that will allow you to use their hashing routines, examples are:
* - mhash module : http://ca3.php.net/mhash
* - Suhosin : http://www.hardened-php.net/suhosin/
*
* If you install the Suhosin module, this script will transparently
* use their routine and define the PHP routine as _nano_sha256().
*
* If the mhash module is present, and $ignore_php5_hash = false the
* script will attempt to use the output from mhash prior to running
* the PHP code.
*/
if (!class_exists('nanoSha2'))
{
class nanoSha2
{
// php 4 - 5 compatable class properties
var $toUpper;
var $platform;
// Php 4 - 6 compatable constructor
function nanoSha2($toUpper = false) {
// Determine if the caller wants upper case or not.
$this->toUpper = is_bool($toUpper)
? $toUpper
: ((defined('_NANO_SHA2_UPPER')) ? true : false);
// Deteremine if the system is 32 or 64 bit.
$tmpInt = (int)4294967295;
$this->platform = ($tmpInt > 0) ? 64 : 32;
}
// Do the SHA-256 Padding routine (make input a multiple of 512 bits)
function char_pad($str)
{
$tmpStr = $str;
$l = strlen($tmpStr)*8; // # of bits from input string
$tmpStr .= "\x80"; // append the "1" bit followed by 7 0's
$k = (512 - (($l + 8 + 64) % 512)) / 8; // # of 0 bytes to append
$k += 4; // PHP Strings will never exceed (2^31)-1, 1st 32bits of
// the 64-bit value representing $l can be all 0's
for ($x = 0; $x < $k; $x++) {
$tmpStr .= "\0";
}
// append the 32-bits representing # of bits from input string ($l)
$tmpStr .= chr((($l>>24) & 0xFF));
$tmpStr .= chr((($l>>16) & 0xFF));
$tmpStr .= chr((($l>>8) & 0xFF));
$tmpStr .= chr(($l & 0xFF));
return $tmpStr;
}
// Here are the bitwise and functions as defined in FIPS180-2 Standard
function addmod2n($x, $y, $n = 4294967296) // Z = (X + Y) mod 2^32
{
$mask = 0x80000000;
if ($x < 0) {
$x &= 0x7FFFFFFF;
$x = (float)$x + $mask;
}
if ($y < 0) {
$y &= 0x7FFFFFFF;
$y = (float)$y + $mask;
}
$r = $x + $y;
if ($r >= $n) {
while ($r >= $n) {
$r -= $n;
}
}
return (int)$r;
}
// Logical bitwise right shift (PHP default is arithmetic shift)
function SHR($x, $n) // x >> n
{
if ($n >= 32) { // impose some limits to keep it 32-bit
return (int)0;
}
if ($n <= 0) {
return (int)$x;
}
$mask = 0x40000000;
if ($x < 0) {
$x &= 0x7FFFFFFF;
$mask = $mask >> ($n-1);
return ($x >> $n) | $mask;
}
return (int)$x >> (int)$n;
}
function ROTR($x, $n) { return (int)(($this->SHR($x, $n) | ($x << (32-$n)) & 0xFFFFFFFF)); }
function Ch($x, $y, $z) { return ($x & $y) ^ ((~$x) & $z); }
function Maj($x, $y, $z) { return ($x & $y) ^ ($x & $z) ^ ($y & $z); }
function Sigma0($x) { return (int) ($this->ROTR($x, 2)^$this->ROTR($x, 13)^$this->ROTR($x, 22)); }
function Sigma1($x) { return (int) ($this->ROTR($x, 6)^$this->ROTR($x, 11)^$this->ROTR($x, 25)); }
function sigma_0($x) { return (int) ($this->ROTR($x, 7)^$this->ROTR($x, 18)^$this->SHR($x, 3)); }
function sigma_1($x) { return (int) ($this->ROTR($x, 17)^$this->ROTR($x, 19)^$this->SHR($x, 10)); }
/*
* Custom functions to provide PHP support
*/
// split a byte-string into integer array values
function int_split($input)
{
$l = strlen($input);
if ($l <= 0) {
return (int)0;
}
if (($l % 4) != 0) { // invalid input
return false;
}
for ($i = 0; $i < $l; $i += 4)
{
$int_build = (ord($input[$i]) << 24);
$int_build += (ord($input[$i+1]) << 16);
$int_build += (ord($input[$i+2]) << 8);
$int_build += (ord($input[$i+3]));
$result[] = $int_build;
}
return $result;
}
/**
* Process and return the hash.
*
* @param $str Input string to hash
* @param $ig_func Option param to ignore checking for php > 5.1.2
* @return string Hexadecimal representation of the message digest
*/
function hash($str, $ig_func = false)
{
unset($binStr); // binary representation of input string
unset($hexStr); // 256-bit message digest in readable hex format
// check for php's internal sha256 function, ignore if ig_func==true
if ($ig_func == false) {
if (version_compare(PHP_VERSION,'5.1.2','>=')) {
return hash("sha256", $str, false);
} else if (function_exists('mhash') && defined('MHASH_SHA256')) {
return base64_encode(bin2hex(mhash(MHASH_SHA256, $str)));
}
}
/*
* SHA-256 Constants
* Sequence of sixty-four constant 32-bit words representing the
* first thirty-two bits of the fractional parts of the cube roots
* of the first sixtyfour prime numbers.
*/
$K = array((int)0x428a2f98, (int)0x71374491, (int)0xb5c0fbcf,
(int)0xe9b5dba5, (int)0x3956c25b, (int)0x59f111f1,
(int)0x923f82a4, (int)0xab1c5ed5, (int)0xd807aa98,
(int)0x12835b01, (int)0x243185be, (int)0x550c7dc3,
(int)0x72be5d74, (int)0x80deb1fe, (int)0x9bdc06a7,
(int)0xc19bf174, (int)0xe49b69c1, (int)0xefbe4786,
(int)0x0fc19dc6, (int)0x240ca1cc, (int)0x2de92c6f,
(int)0x4a7484aa, (int)0x5cb0a9dc, (int)0x76f988da,
(int)0x983e5152, (int)0xa831c66d, (int)0xb00327c8,
(int)0xbf597fc7, (int)0xc6e00bf3, (int)0xd5a79147,
(int)0x06ca6351, (int)0x14292967, (int)0x27b70a85,
(int)0x2e1b2138, (int)0x4d2c6dfc, (int)0x53380d13,
(int)0x650a7354, (int)0x766a0abb, (int)0x81c2c92e,
(int)0x92722c85, (int)0xa2bfe8a1, (int)0xa81a664b,
(int)0xc24b8b70, (int)0xc76c51a3, (int)0xd192e819,
(int)0xd6990624, (int)0xf40e3585, (int)0x106aa070,
(int)0x19a4c116, (int)0x1e376c08, (int)0x2748774c,
(int)0x34b0bcb5, (int)0x391c0cb3, (int)0x4ed8aa4a,
(int)0x5b9cca4f, (int)0x682e6ff3, (int)0x748f82ee,
(int)0x78a5636f, (int)0x84c87814, (int)0x8cc70208,
(int)0x90befffa, (int)0xa4506ceb, (int)0xbef9a3f7,
(int)0xc67178f2);
// Pre-processing: Padding the string
$binStr = $this->char_pad($str);
// Parsing the Padded Message (Break into N 512-bit blocks)
$M = str_split($binStr, 64);
// Set the initial hash values
$h[0] = (int)0x6a09e667;
$h[1] = (int)0xbb67ae85;
$h[2] = (int)0x3c6ef372;
$h[3] = (int)0xa54ff53a;
$h[4] = (int)0x510e527f;
$h[5] = (int)0x9b05688c;
$h[6] = (int)0x1f83d9ab;
$h[7] = (int)0x5be0cd19;
// loop through message blocks and compute hash. ( For i=1 to N : )
$N = count($M);
for ($i = 0; $i < $N; $i++)
{
// Break input block into 16 32bit words (message schedule prep)
$MI = $this->int_split($M[$i]);
// Initialize working variables
$_a = (int)$h[0];
$_b = (int)$h[1];
$_c = (int)$h[2];
$_d = (int)$h[3];
$_e = (int)$h[4];
$_f = (int)$h[5];
$_g = (int)$h[6];
$_h = (int)$h[7];
unset($_s0);
unset($_s1);
unset($_T1);
unset($_T2);
$W = array();
// Compute the hash and update
for ($t = 0; $t < 16; $t++)
{
// Prepare the first 16 message schedule values as we loop
$W[$t] = $MI[$t];
// Compute hash
$_T1 = $this->addmod2n($this->addmod2n($this->addmod2n($this->addmod2n($_h, $this->Sigma1($_e)), $this->Ch($_e, $_f, $_g)), $K[$t]), $W[$t]);
$_T2 = $this->addmod2n($this->Sigma0($_a), $this->Maj($_a, $_b, $_c));
// Update working variables
$_h = $_g; $_g = $_f; $_f = $_e; $_e = $this->addmod2n($_d, $_T1);
$_d = $_c; $_c = $_b; $_b = $_a; $_a = $this->addmod2n($_T1, $_T2);
}
for (; $t < 64; $t++)
{
// Continue building the message schedule as we loop
$_s0 = $W[($t+1)&0x0F];
$_s0 = $this->sigma_0($_s0);
$_s1 = $W[($t+14)&0x0F];
$_s1 = $this->sigma_1($_s1);
$W[$t&0xF] = $this->addmod2n($this->addmod2n($this->addmod2n($W[$t&0xF], $_s0), $_s1), $W[($t+9)&0x0F]);
// Compute hash
$_T1 = $this->addmod2n($this->addmod2n($this->addmod2n($this->addmod2n($_h, $this->Sigma1($_e)), $this->Ch($_e, $_f, $_g)), $K[$t]), $W[$t&0xF]);
$_T2 = $this->addmod2n($this->Sigma0($_a), $this->Maj($_a, $_b, $_c));
// Update working variables
$_h = $_g; $_g = $_f; $_f = $_e; $_e = $this->addmod2n($_d, $_T1);
$_d = $_c; $_c = $_b; $_b = $_a; $_a = $this->addmod2n($_T1, $_T2);
}
$h[0] = $this->addmod2n($h[0], $_a);
$h[1] = $this->addmod2n($h[1], $_b);
$h[2] = $this->addmod2n($h[2], $_c);
$h[3] = $this->addmod2n($h[3], $_d);
$h[4] = $this->addmod2n($h[4], $_e);
$h[5] = $this->addmod2n($h[5], $_f);
$h[6] = $this->addmod2n($h[6], $_g);
$h[7] = $this->addmod2n($h[7], $_h);
}
// Convert the 32-bit words into human readable hexadecimal format.
$hexStr = sprintf("%08x%08x%08x%08x%08x%08x%08x%08x", $h[0], $h[1], $h[2], $h[3], $h[4], $h[5], $h[6], $h[7]);
return ($this->toUpper) ? strtoupper($hexStr) : $hexStr;
}
}
}
if (!function_exists('str_split'))
{
/**
* Splits a string into an array of strings with specified length.
* Compatability with older verions of PHP
*/
function str_split($string, $split_length = 1)
{
$sign = ($split_length < 0) ? -1 : 1;
$strlen = strlen($string);
$split_length = abs($split_length);
if (($split_length == 0) || ($strlen == 0)) {
$result = false;
} elseif ($split_length >= $strlen) {
$result[] = $string;
} else {
$length = $split_length;
for ($i = 0; $i < $strlen; $i++)
{
$i = (($sign < 0) ? $i + $length : $i);
$result[] = substr($string, $sign*$i, $length);
$i--;
$i = (($sign < 0) ? $i : $i + $length);
$length = (($i + $split_length) > $strlen)
? ($strlen - ($i + 1))
: $split_length;
}
}
return $result;
}
}
/**
* Main routine called from an application using this include.
*
* General usage:
* require_once('sha256.inc.php');
* $hashstr = sha256('abc');
*
* Note:
* PHP Strings are limitd to (2^31)-1, so it is not worth it to
* check for input strings > 2^64 as the FIPS180-2 defines.
*/
// 2009-07-23: Added check for function as the Suhosin plugin adds this routine.
if (!function_exists('sha256')) {
function sha256($str, $ig_func = false) {
$obj = new nanoSha2((defined('_NANO_SHA2_UPPER')) ? true : false);
return $obj->hash($str, $ig_func);
}
} else {
function _nano_sha256($str, $ig_func = false) {
$obj = new nanoSha2((defined('_NANO_SHA2_UPPER')) ? true : false);
return $obj->hash($str, $ig_func);
}
}
// support to give php4 the hash() routine which abstracts this code.
if (!function_exists('hash'))
{
function hash($algo, $data)
{
if (empty($algo) || !is_string($algo) || !is_string($data)) {
return false;
}
if (function_exists($algo)) {
return $algo($data);
}
}
}
?>

55
ecrire/auth/spip.php
Unescape View File

@ -19,9 +19,19 @@ function auth_spip_dist ($login, $pass, $serveur='') {
$login = auth_spip_retrouver_login($login);
$md5pass = $md5next = "";
if (preg_match(",^\{([0-9a-f]{32});([0-9a-f]{32})\}$,i",$pass,$regs)){
$md5pass = $regs[1];
$md5next = $regs[2];
$shapass = $shanext = "";
if (preg_match(",^\{([0-9a-f]{64});([0-9a-f]{64})\}$,i",$pass,$regs)){
$shapass = $regs[1];
$shanext = $regs[2];
$pass="";
}
// compat avec une base mixte md5/sha256 : le js a envoye les 2 hash
elseif (preg_match(",^\{([0-9a-f]{64});([0-9a-f]{64});([0-9a-f]{32});([0-9a-f]{32})\}$,i",$pass,$regs)){
$shapass = $regs[1];
$shanext = $regs[2];
$md5pass = $regs[3];
$md5next = $regs[4];
$pass="";
}
// si envoi non crypte, crypter maintenant
@ -29,22 +39,31 @@ function auth_spip_dist ($login, $pass, $serveur='') {
$row = sql_fetsel("alea_actuel, alea_futur", "spip_auteurs", "login=" . sql_quote($login),'','','','',$serveur);
if ($row) {
//var_dump('pas la !');
include_spip('auth/sha256.inc');
$shapass = sha256($row['alea_actuel'] . $pass);
$shanext = sha256($row['alea_futur'] . $pass);
$md5pass = md5($row['alea_actuel'] . $pass);
$md5next = md5($row['alea_futur'] . $pass);
}
}
// login inexistant ou mot de passe vide
if (!$md5pass) return array();
if (!$shapass AND !$md5pass) return array();
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($shapass) . " AND statut<>'5poubelle'",'','','','',$serveur);
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($md5pass) . " AND statut<>'5poubelle'",'','','','',$serveur);
// compat avec les anciennes bases en md5
if (!$row AND $md5pass)
$row = sql_fetsel("*", "spip_auteurs", "login=" . sql_quote($login) . " AND pass=" . sql_quote($md5pass) . " AND statut<>'5poubelle'",'','','','',$serveur);
// login/mot de passe incorrect
if (!$row) return array();
// fait tourner le codage du pass dans la base
if ($md5next) {
if ($shanext) {
include_spip('inc/acces'); // pour creer_uniqid
@sql_update('spip_auteurs', array('alea_actuel' => 'alea_futur', 'pass' => sql_quote($md5next), 'alea_futur' => sql_quote(creer_uniqid())), "id_auteur=" . $row['id_auteur'],'',$serveur);
@sql_update('spip_auteurs', array('alea_actuel' => 'alea_futur', 'pass' => sql_quote($shanext), 'alea_futur' => sql_quote(creer_uniqid())), "id_auteur=" . $row['id_auteur'],'',$serveur);
// En profiter pour verifier la securite de tmp/
verifier_htaccess(_DIR_TMP);
}
@ -52,9 +71,15 @@ function auth_spip_dist ($login, $pass, $serveur='') {
}
function auth_spip_formulaire_login($flux){
// faut il encore envoyer md5 ?
// on regarde si il reste des pass md5 en base pour des auteurs en statut pas poubelle
// les hash md5 ont une longueur 32, les sha 64
$compat_md5 = sql_countsel("spip_auteurs", "length(pass)=32 AND statut<>'poubelle'");
// javascript qui gere la securite du login en evitant de faire circuler le pass en clair
$flux['data'].=
'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'md5.js"></script>'
($compat_md5?'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'md5.js"></script>':'')
. '<script type="text/javascript" src="'._DIR_JAVASCRIPT.'sha256.js"></script>'
.'<script type="text/javascript" src="'._DIR_JAVASCRIPT.'login.js"></script>'
.'<script type="text/javascript">/*<![CDATA[*/'
."var alea_actuel='".$flux['args']['contexte']['_alea_actuel']."';"
@ -63,6 +88,7 @@ function auth_spip_formulaire_login($flux){
."var page_auteur = '".generer_url_public('informer_auteur')."';"
."var informe_auteur_en_cours = false;"
."var attente_informe = 0;"
."var compat_md5 = ".($compat_md5?"true;":"false;")
."(function($){
$('#password')
.after(\"<em id='pass_securise'><img src='"._DIR_IMG_PACK."securise.gif' width='16' height='16' alt='<:login_securise:>' title='<:login_securise:>' \/><\/em>\");
@ -89,7 +115,7 @@ function auth_spip_autoriser_modifier_login($serveur=''){
/**
* Verification de la validite d'un login pour le mode d'auth concerne
*
*
* @param string $new_login
* @param int $id_auteur
* si auteur existant deja
@ -218,7 +244,7 @@ function auth_spip_verifier_pass($login, $new_pass, $id_auteur=0, $serveur=''){
// login et mot de passe
if (strlen($new_pass) < 6)
return _T('info_passe_trop_court');
return '';
}
@ -232,10 +258,11 @@ function auth_spip_modifier_pass($login, $new_pass, $id_auteur, $serveur=''){
$c = array();
include_spip('inc/acces');
include_spip('auth/sha256.inc');
$htpass = generer_htpass($new_pass);
$alea_actuel = creer_uniqid();
$alea_futur = creer_uniqid();
$pass = md5($alea_actuel.$new_pass);
$pass = sha256($alea_actuel.$new_pass);
$c['pass'] = $pass;
$c['htpass'] = $htpass;
$c['alea_actuel'] = $alea_actuel;
@ -249,12 +276,12 @@ function auth_spip_modifier_pass($login, $new_pass, $id_auteur, $serveur=''){
/**
* Synchroniser les fichiers htpasswd
*
*
* @param int $id_auteur
* @param array $champs
* @param array $options
* all=>true permet de demander la regeneration complete des acces apres operation en base (import, upgrade)
* @return void
* @return void
*/
function auth_spip_synchroniser_distant($id_auteur, $champs, $options = array(), $serveur=''){
// ne rien faire pour une base distante : on ne sait pas regenerer les htaccess

6
ecrire/inc/securiser_action.php
Unescape View File

@ -110,7 +110,8 @@ function _action_auteur($action, $id_auteur, $pass, $alea) {
exit;
}
}
return md5($action.$id_auteur.$pass.@$GLOBALS['meta'][$alea]);
include_spip('auth/sha256.inc');
return sha256($action.$id_auteur.$pass.@$GLOBALS['meta'][$alea]);
}
// http://doc.spip.org/@calculer_action_auteur
@ -154,7 +155,8 @@ function secret_du_site() {
// http://doc.spip.org/@calculer_cle_action
function calculer_cle_action($action) {
return md5($action . secret_du_site());
include_spip('auth/sha256.inc');
return sha256($action . secret_du_site());
}
// http://doc.spip.org/@verifier_cle_action

24
prive/javascript/login.js
Unescape View File

@ -24,13 +24,23 @@ function informe_auteur(c){
affiche_login_secure();
}
function calcule_md5_pass(pass){
if (alea_actuel && !pass.match(/^\{([0-9a-f]{32});([0-9a-f]{32})\}$/i)) {
function calcule_hash_pass(pass){
if ((alea_actuel || alea_futur)
&& !pass.match(/^\{([0-9a-f]{32});([0-9a-f]{32})\}$/i)
&& !pass.match(/^\{([0-9a-f]{64});([0-9a-f]{64});([0-9a-f]{32});([0-9a-f]{32})\}$/i)
&& sha256_self_test() // verifions que le hash sha est operationnel
) {
var hash = "";
hash = hex_sha256(alea_actuel + pass);
var md5p = calcMD5(alea_actuel + pass);
var md5n = calcMD5(alea_futur + pass);
hash = hash+';'+hex_sha256(alea_futur + pass);
// envoyer aussi le md5 si demande (compatibilite)
if (window.calcMD5){
hash = hash+';'+calcMD5(alea_actuel + pass);
hash = hash+';'+calcMD5(alea_futur + pass);
}
jQuery('input[name=password]').attr('value','{'+md5p+';'+md5n+'}');
jQuery('input[name=password]').attr('value','{'+hash+'}');
}
}
@ -60,8 +70,8 @@ function login_submit(){
}
// Si on a l'alea, on peut lancer le submit apres avoir hashe le pass
if (alea_actuel) {
calcule_md5_pass(pass);
if (alea_actuel || alea_futur) {
calcule_hash_pass(pass);
}
// si on arrive pas a avoir une reponse, vider le pass pour forcer un passage en 2 fois
else if(informe_auteur_en_cours)

62
prive/javascript/sha256.js
Unescape View File

@ -0,0 +1,62 @@
/* A JavaScript implementation of the Secure Hash Algorithm, SHA-256
* Version 0.3 Copyright Angel Marin 2003-2004 - http://anmar.eu.org/
* Distributed under the BSD License
* Some bits taken from Paul Johnston's SHA-1 implementation
*/
var chrsz = 8; /* bits per input character. 8 - ASCII; 16 - Unicode */
function safe_add (x, y) {
var lsw = (x & 0xFFFF) + (y & 0xFFFF);
var msw = (x >> 16) + (y >> 16) + (lsw >> 16);
return (msw << 16) | (lsw & 0xFFFF);
}
function S (X, n) {return ( X >>> n ) | (X << (32 - n));}
function R (X, n) {return ( X >>> n );}
function Ch(x, y, z) {return ((x & y) ^ ((~x) & z));}
function Maj(x, y, z) {return ((x & y) ^ (x & z) ^ (y & z));}
function Sigma0256(x) {return (S(x, 2) ^ S(x, 13) ^ S(x, 22));}
function Sigma1256(x) {return (S(x, 6) ^ S(x, 11) ^ S(x, 25));}
function Gamma0256(x) {return (S(x, 7) ^ S(x, 18) ^ R(x, 3));}
function Gamma1256(x) {return (S(x, 17) ^ S(x, 19) ^ R(x, 10));}
function core_sha256 (m, l) {
var K = new Array(0x428A2F98,0x71374491,0xB5C0FBCF,0xE9B5DBA5,0x3956C25B,0x59F111F1,0x923F82A4,0xAB1C5ED5,0xD807AA98,0x12835B01,0x243185BE,0x550C7DC3,0x72BE5D74,0x80DEB1FE,0x9BDC06A7,0xC19BF174,0xE49B69C1,0xEFBE4786,0xFC19DC6,0x240CA1CC,0x2DE92C6F,0x4A7484AA,0x5CB0A9DC,0x76F988DA,0x983E5152,0xA831C66D,0xB00327C8,0xBF597FC7,0xC6E00BF3,0xD5A79147,0x6CA6351,0x14292967,0x27B70A85,0x2E1B2138,0x4D2C6DFC,0x53380D13,0x650A7354,0x766A0ABB,0x81C2C92E,0x92722C85,0xA2BFE8A1,0xA81A664B,0xC24B8B70,0xC76C51A3,0xD192E819,0xD6990624,0xF40E3585,0x106AA070,0x19A4C116,0x1E376C08,0x2748774C,0x34B0BCB5,0x391C0CB3,0x4ED8AA4A,0x5B9CCA4F,0x682E6FF3,0x748F82EE,0x78A5636F,0x84C87814,0x8CC70208,0x90BEFFFA,0xA4506CEB,0xBEF9A3F7,0xC67178F2);
var HASH = new Array(0x6A09E667, 0xBB67AE85, 0x3C6EF372, 0xA54FF53A, 0x510E527F, 0x9B05688C, 0x1F83D9AB, 0x5BE0CD19);
var W = new Array(64);
var a, b, c, d, e, f, g, h, i, j;
var T1, T2;
/* append padding */
m[l >> 5] |= 0x80 << (24 - l % 32);
m[((l + 64 >> 9) << 4) + 15] = l;
for ( var i = 0; i<m.length; i+=16 ) {
a = HASH[0]; b = HASH[1]; c = HASH[2]; d = HASH[3]; e = HASH[4]; f = HASH[5]; g = HASH[6]; h = HASH[7];
for ( var j = 0; j<64; j++) {
if (j < 16) W[j] = m[j + i];
else W[j] = safe_add(safe_add(safe_add(Gamma1256(W[j - 2]), W[j - 7]), Gamma0256(W[j - 15])), W[j - 16]);
T1 = safe_add(safe_add(safe_add(safe_add(h, Sigma1256(e)), Ch(e, f, g)), K[j]), W[j]);
T2 = safe_add(Sigma0256(a), Maj(a, b, c));
h = g; g = f; f = e; e = safe_add(d, T1); d = c; c = b; b = a; a = safe_add(T1, T2);
}
HASH[0] = safe_add(a, HASH[0]); HASH[1] = safe_add(b, HASH[1]); HASH[2] = safe_add(c, HASH[2]); HASH[3] = safe_add(d, HASH[3]); HASH[4] = safe_add(e, HASH[4]); HASH[5] = safe_add(f, HASH[5]); HASH[6] = safe_add(g, HASH[6]); HASH[7] = safe_add(h, HASH[7]);
}
return HASH;
}
function str2binb (str) {
var bin = Array();
var mask = (1 << chrsz) - 1;
for(var i = 0; i < str.length * chrsz; i += chrsz)
bin[i>>5] |= (str.charCodeAt(i / chrsz) & mask) << (24 - i%32);
return bin;
}
function binb2hex (binarray) {
var hexcase = 0; /* hex output format. 0 - lowercase; 1 - uppercase */
var hex_tab = hexcase ? "0123456789ABCDEF" : "0123456789abcdef";
var str = "";
for (var i = 0; i < binarray.length * 4; i++) {
str += hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8+4)) & 0xF) + hex_tab.charAt((binarray[i>>2] >> ((3 - i%4)*8 )) & 0xF);
}
return str;
}
function hex_sha256(s){return binb2hex(core_sha256(str2binb(s),s.length * chrsz));}
/* test if the JS-interpreter is working properly */
function sha256_self_test(){
return hex_sha256("message digest") == "f7846f55cf23e14eebeab5b4e1550cad5b509e3348fbc4efa3a1413d393cb650";
}

2
squelettes-dist/formulaires/inscription.php vendored
Unescape View File

@ -214,10 +214,8 @@ function test_login($nom, $mail) {
function creer_pass_pour_auteur($id_auteur) {
include_spip('inc/acces');
$pass = creer_pass_aleatoire(8, $id_auteur);
include_spip('action/editer_auteur');
instituer_auteur($id_auteur, array('pass'=>$pass));
return $pass;
}

11
squelettes-dist/formulaires/mot_de_passe.php vendored
Unescape View File

@ -75,18 +75,15 @@ function formulaires_mot_de_passe_traiter_dist($id_auteur=null){
}
elseif ($p=_request('p')) {
$p = preg_replace(',[^0-9a-f.],i','',$p);
$row = sql_fetsel('id_auteur,login','spip_auteurs',array('cookie_oubli='.sql_quote($p),"statut<>'5poubelle'","pass<>''"));
$row = sql_fetsel('id_auteur,login,source','spip_auteurs',array('cookie_oubli='.sql_quote($p),"statut<>'5poubelle'","pass<>''"));
}
if ($row
&& ($id_auteur = $row['id_auteur'])
&& ($oubli = _request('oubli'))) {
include_spip('inc/acces');
$mdpass = md5($oubli);
$htpass = generer_htpass($oubli);
include_spip('base/abstract_sql');
sql_updateq('spip_auteurs', array('htpass' =>$htpass, 'pass'=>$mdpass, 'alea_actuel'=>'', 'cookie_oubli'=>''), "id_auteur=" . intval($id_auteur));
include_spip('action/editer_auteur');
instituer_auteur($id_auteur, array('pass'=>$oubli));
$login = $row['login'];
$message = "<b>" . _T('pass_nouveau_enregistre') . "</b>".
"<p>" . _T('pass_rappel_login', array('login' => $login));

Write Preview
Loading…
Cancel
Save