challenge response code with sha512 instead of sha256
Posted: Sun Sep 03, 2006 4:55 pm
I see that the Challenge/response tutorial now supports sha256, including the javascript version.
Is there a way to replace this with the PHP built-in sha512 version?
I think I already managed to change some code but do not know where to start to replace the javascript ...
The javascript code in the form goes like this ... should I replace it with something from PHP or ajax?!?
Thanks for your support!
Code:
(login.php)
Original: $expected_response = SHA256::hash($response_string);
New: $expected_response = hash('sha512', $response_string);
Original: if(SHA256::hash($_POST['userpass']) == $user['password'])
New: if(hash('sha512',($_POST['userpass'])) == $user['password'])
and
(index.php)
Original: $challenge = SHA256::hash(uniqid(mt_rand(), true));
New: $challenge = hash('sha512', (uniqid(mt_rand(), true)));
Code:
<script language="javascript" src="sha256.js" type="text/javascript"></script>
<!--
Include a javascript function to manipulate our form data, i.e. to generate a Response string, delete
userpass and challenge prior to allowing submission. Rem: we don't want to send a plain text password!
-->
<script language="javascript" type="text/javascript">
<!--
function doChallengeResponse() {
    // Response = hash(lowercased username : hash(password) : challenge)
    var str = document.login_form.username.value.toLowerCase() + ":" +
        sha256_digest(document.login_form.userpass.value) + ":" +
        document.login_form.challenge.value;
    // Blank the fields that must not be sent
    document.login_form.userpass.value = "";
    document.login_form.challenge.value = "";
    document.login_form.response.value = sha256_digest(str);
    return false;
}
// -->
</script>
</head>
<body>
<h3>Challenge Response Login Form</h3>
<br />
<br />
<!--
Our form has 4 fields - but only 2 are submitted. The doChallengeResponse() javascript function
will generate a Response and set it as the value of 'response'. The same function will also unset
the value of the 'userpass' field, and 'challenge' field which we DO NOT want sent!
The javascript function is called when the user submits the form - see the onsubmit tag...
-->
<form method="post" action="login.php" name="login_form" id="login_form" onsubmit="doChallengeResponse()">
Username: <input type="text" name="username" id="username" value="" size="16" />
<br />
Password: <input type="password" name="userpass" id="userpass" value="" size="16" />
<br /><br />
<input type="reset" name="u_reset" id="u_reset" value="Reset" /> <input type="submit" name="u_submit" id="u_submit" value="Login" />
<!--
Insert the Challenge value from the server with a small PHP echo()
-->
<input type="hidden" name="challenge" id="challenge" value="<?php echo($challenge); ?>" />
<!--
Our 'response' field will be filled by the javascript function once the Response string is generated
-->
<input type="hidden" name="response" id="response" value="" />
</form>
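The same exchange with SHA-512 on both sides, as an added example that is not part of the original post or the tutorial's code. It uses Node's built-in `crypto` module so both the browser-side and login.php-side computations run in one file; the function names, the sample account and the assumption that `$response_string` is built the same way as in the form are illustrative.

```javascript
// Added example (not the tutorial's code): SHA-512 challenge/response, both sides.
const crypto = require('crypto');

// Lowercase hex SHA-512, the same format PHP's hash('sha512', $s) returns.
function sha512Hex(s) {
  return crypto.createHash('sha512').update(s, 'utf8').digest('hex');
}

// index.php side: issue a challenge and remember it in the session.
// Swapped-in technique: CSPRNG bytes instead of uniqid(mt_rand(), true).
function issueChallenge(session) {
  session.challenge = sha512Hex(crypto.randomBytes(32).toString('hex'));
  return session.challenge;
}

// Browser side: what doChallengeResponse() builds, with sha512 in place of sha256_digest.
function clientResponse(username, password, challenge) {
  return sha512Hex(username.toLowerCase() + ':' + sha512Hex(password) + ':' + challenge);
}

// login.php side. Assumption: $response_string is built the same way as in the form,
// and user.password holds sha512(password) as in the changed login.php line.
function verifyResponse(session, user, response) {
  const challenge = session.challenge;
  session.challenge = null;            // single use: a captured response cannot be replayed
  if (!challenge) return false;
  const expected = sha512Hex(user.name.toLowerCase() + ':' + user.password + ':' + challenge);
  const a = Buffer.from(expected, 'hex');
  const b = Buffer.from(String(response), 'hex');
  return a.length === b.length && crypto.timingSafeEqual(a, b);  // constant-time compare
}

// Constructed sample account and one login round trip.
function demo() {
  const user = { name: 'alice', password: sha512Hex('correct horse') };
  const session = {};
  const good = clientResponse('Alice', 'correct horse', issueChallenge(session));
  const ok = verifyResponse(session, user, good);
  const replay = verifyResponse(session, user, good);        // challenge already consumed
  const bad = verifyResponse(session, user,
    clientResponse('alice', 'wrong', issueChallenge(session)));
  return { ok, replay, bad, digestLength: good.length };
}

console.log(demo());
```

SHA-512 hex digests are 128 characters where SHA-256 gave 64, so the stored password column and any length checks on the challenge or response fields need to allow for that.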