Merge branch 'feature-jquery-remote' into develop

7 files changed, 103 insertions, 106 deletions

diff --git a/lib/SHA256.js b/lib/SHA256.js
index 1a852c0..f79b07d 100644
--- a/lib/SHA256.js
+++ b/lib/SHA256.js
@@ -121,7 +121,6 @@ function SHA256(s){
 		return str;
 	}
  
-	s = Utf8Encode(s);
 	return binb2hex(core_sha256(str2binb(s), s.length * chrsz));
  
 }
diff --git a/spec/RestfulSpecRunner.html b/spec/RestfulSpecRunner.html
index caf7147..8203970 100644
--- a/spec/RestfulSpecRunner.html
+++ b/spec/RestfulSpecRunner.html
@@ -12,6 +12,7 @@
 
   <script type="text/javascript" src="lib/sinon/sinon-1.3.4.js"></script>
   <script type="text/javascript" src="lib/jasmine-sinon.js"></script>
+  <script type="text/javascript" src="lib/jquery-1.8.2.js"></script>
 
   <!-- the files we are testing... -->
   <script type="text/javascript" src="../lib/SHA256.js"></script>
@@ -63,8 +64,8 @@
 <body>
     <form action="." onsubmit="return register()">
     <table>
-    <tr><td>Username:</td><td><input type="text" id="srp_username" value="user" /></td></tr>
-    <tr><td>Password:</td><td><input type="password" id="srp_password" value="opensesami"/></td></tr>
+    <tr><td>Username:</td><td><input type="text" id="srp_username" value="testuser" /></td></tr>
+    <tr><td>Password:</td><td><input type="password" id="srp_password" value="password"/></td></tr>
     <input type="hidden" id="srp_url" value=""/>
     <input type="hidden" id="srp_forward" value="#logged_in"/>
     <input type="hidden" id="srp_server" value="django"/>
diff --git a/spec/restful/login.js b/spec/restful/login.js
index 729f902..0f6aa4f 100644
--- a/spec/restful/login.js
+++ b/spec/restful/login.js
@@ -6,21 +6,28 @@ describe("Login", function() {
   });
 
   describe("(INTEGRATION)", function (){
+    // these need to be the same as in the spec runner:
+    var login = "testuser";
+    var password = "password";
     // a valid auth attempt for the user / password given in the spec runner:
-    var a = 'af141ae6';
-    var B = '887005895b1f5528b4e4dfdce914f73e763b96d3c901d2f41d8b8cd26255a75';
-    var salt = '5d3055e0acd3ddcfc15';
-    var M = 'be6d7db2186d5f6a2c55788479b6eaf75229a7ca0d9e7dc1f886f1970a0e8065'
-    var M2 = '2547cf26318519090f506ab73a68995a2626b1c948e6f603ef9e1b0b78bf0f7b';
-    var A, callback;
+    var a = 'a5cccf937ea1bf72df5cf8099442552f5664da6780a75436d5a59bc77a8a9993';
+    var A = 'e67d222244564ccd2e37471f226b999a4e987f3d494c7d80e0d36169efd6c6c6d857a96924c25fc165e5e9b0212a31c30701ec376dc32e36be00bbcd6d2104789d368af984e26fc094374f90ee5746478f14cec45c7e131a3cbce15fe79e98894213dac4e63c3f73f644fe25aa8707bc58859dfd1b36972e4e34169db2622899';
+    // just for the sake of having a complete set of test vars:
+    var b = '6aa5c88d1877af9907ccefad31083e1102a7121dc04706f681f66c8680fb7f05'; 
+    var B = 'd56a80aaafdf9f70598b5d1184f122f326a333fafd37ab76d6f7fba4a9c4ee59545be056335150bd64f04880bc8e76949469379fe9de17cf6f36f3ee11713d05f63050486bc73c545163169999ff01b55c0ca4e90d8856a6e3d3a6ffc70b70d993a5308a37a5c2399874344e083e72b3c9afa083d312dfe9096ea9a65023f135';
+    var salt = '628365a0';
+    var K = 'db6ec0bdab81742315861a828323ff492721bdcd114077a4124bc425e4bf328b';
+    var M = '640e51d5ac5461591c31811221261f0e0eae7c08ce43c85e9556adbd94ed8c26';
+    var M2 = '49e48f8ac8c4da0e8a7374f73eeedbee2266e123d23fc1be1568523fc9c24b1e';
+    var A_, callback;
 
 
     beforeEach(function() {
       this.srp = new SRP(jqueryRest());
-      A = this.srp.calculateAndSetA(a);
 
       specHelper.setupFakeXHR.apply(this);
 
+      A_ = this.srp.session.calculateAndSetA(a)
       this.srp.success = sinon.spy();
     });
 
@@ -28,40 +35,37 @@ describe("Login", function() {
       this.xhr.restore();
     });
 
-    it("works with XML responses", function(){
-      this.srp.identify();
-      
-      this.expectRequest('handshake/', 'I=user&A='+A);
-      this.respondXML("<r s='"+salt+"' B='"+B+"' />");
-      this.expectRequest('authenticate/', 'M='+M);
-      this.respondXML("<M>"+M2+"</M>");
-      
-      expect(this.srp.success).toHaveBeenCalled();
+    it("starts with the right A", function(){
+      expect(A_).toBe(A);
+    });
+
+    it("calculates the right key", function(){
+      this.srp.session.calculations(salt, B);
+      expect(this.srp.session.key()).toBe(K);
     });
 
     it("works with JSON responses", function(){
       this.srp.identify();
 
-      this.expectRequest('handshake/', 'I=user&A='+A);
+      this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST');
       this.respondJSON({s: salt, B: B});
-      this.expectRequest('authenticate/', 'M='+M);
+      this.expectRequest('sessions/'+login, 'client_auth='+M, 'PUT');
       this.respondJSON({M: M2});
 
       expect(this.srp.success).toHaveBeenCalled();
     });
     
     it("rejects B = 0", function(){
-      this.srp.error_message = sinon.spy();
+      this.srp.error = sinon.spy();
       this.srp.identify();
 
-      this.expectRequest('handshake/', 'I=user&A='+A);
+      this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST');
       this.respondJSON({s: salt, B: 0});
       // aborting if B=0
       expect(this.requests).toEqual([]);
-      expect(this.srp.error_message).toHaveBeenCalled();
+      expect(this.srp.error).toHaveBeenCalled();
     });
   });
 
 
 });
-
diff --git a/spec/restful/signup.js b/spec/restful/signup.js
index b1ed7e8..7b66dd7 100644
--- a/spec/restful/signup.js
+++ b/spec/restful/signup.js
@@ -13,13 +13,17 @@ describe("Signup", function() {
     expect(typeof this.srp.register).toBe('function');
   });
 
+  it("calculates the right x", function(){
+    expect(this.srp.session.calcX("7686acb8").toString(16)).toBe('84d6bb567ddf584b1d8c8728289644d45dbfbb02deedd05c0f64db96740f0398');
+  });
+
   it("identifies after successful registration (INTEGRATION)", function(){
     var callback = sinon.spy();
     this.srp.identify = callback;
-    this.srp.getSalt = function() {return "5d3055e0acd3ddcfc15"};
+    this.srp.session.getSalt = function() {return "4c78c3f8"};
     this.srp.register();
-    this.expectRequest('users', "user[login]=user&user[password_salt]=5d3055e0acd3ddcfc15&user[password_verifier]=adcd57b4a4a05c2e205b0b7b30014d9ff635d8d8db2f502f08e9b9c132800c44")
-    this.respondJSON({password_salt: "5d3055e0acd3ddcfc15", login: "user", ok: "true"});
+    this.expectRequest('users', "user[login]=testuser&user[password_salt]=4c78c3f8&user[password_verifier]=474c26aa42d11f20544a00f7bf9711c4b5cf7aab95ed448df82b95521b96668e7480b16efce81c861870302560ddf6604c67df54f1d04b99d5bb9d0f02c6051ada5dc9d594f0d4314e12f876cfca3dcd99fc9c98c2e6a5e04298b11061fb8549a22cde0564e91514080df79bca1c38c682214d65d590f66b3719f954b078b83c", 'POST')
+    this.respondJSON({password_salt: "4c78c3f8", login: "testuser", ok: "true"});
     expect(callback).toHaveBeenCalled();
   });
 
diff --git a/spec/specHelper.js b/spec/specHelper.js
index 21a0cb7..11327af 100644
--- a/spec/specHelper.js
+++ b/spec/specHelper.js
@@ -12,10 +12,14 @@ var specHelper = (function() {
     this.respondXML = respondXML;
   }
 
-  function expectRequest(url, content) {
+  // TODO: validate http verb
+  function expectRequest(url, content, verb) {
     expect(this.requests.length).toBe(1);
     expect(this.requests[0].url).toBe(url);
-    expect(this.requests[0].requestBody).toBe(content);
+    expect(decodeURI(this.requests[0].requestBody)).toBe(content);
+    if (verb) {
+      expect(this.requests[0].method).toBe(verb);
+    }
   }
 
   function respondXML(content) {
diff --git a/src/jqueryRest.js b/src/jqueryRest.js
index 9e7f72b..f50080b 100644
--- a/src/jqueryRest.js
+++ b/src/jqueryRest.js
@@ -1,50 +1,5 @@
 jqueryRest = function() {
 
-  function getUrl()
-  {
-    return "";
-  }
-
-  function paths(path)
-  {
-    return path;
-  }
-
-  // Perform ajax requests at the specified path, with the specified parameters
-  // Calling back the specified function.
-  function ajaxRequest(relative_path, params, callback)
-  {
-    var full_url = this.geturl() + this.paths(relative_path);
-    if( window.XMLHttpRequest) {
-      xhr = new XMLHttpRequest();
-    }
-    else if (window.ActiveXObject){
-      try {
-        xhr = new ActiveXObject("Microsoft.XMLHTTP");
-      } catch (e){}
-    }
-    else
-    {
-      session.error_message("Ajax not supported.");
-      return;
-    }
-    if(xhr){
-      xhr.onreadystatechange = function() {
-        if(xhr.readyState == 4 && xhr.status == 200) {
-          callback(parseResponse());
-        }
-      };
-      xhr.open("POST", full_url, true);
-      xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
-      xhr.setRequestHeader("Content-length", params.length);
-      xhr.send(params);
-    }
-    else
-    {
-      session.error_message("Ajax failed.");
-    }        
-  }
-
   function parseResponse() {
     if (responseIsXML()) {
       return parseXML(xhr.responseXML);
@@ -98,31 +53,32 @@ jqueryRest = function() {
   }
 
   function sendVerifier(session, callback) {
-    this.ajaxRequest("users", "user[login]=" + session.getI() +
-      "&user[password_salt]=" + session.getSalt() +
-      "&user[password_verifier]=" + session.getV().toString(16), callback);
-  }
-
-  function handshake(I, Astr, callback) {
-    this.ajaxRequest("handshake/", "I="+I+"&A="+Astr, callback);
+    var salt = session.getSalt();
+    $.post("users", { user:
+      { login: session.getI(),
+        password_salt: salt,
+        password_verifier: session.getV(salt).toString(16)}
+    }, callback);
   }
 
-  function authenticate(M, callback) {
-    this.ajaxRequest("authenticate/", "M="+M, callback);
+  function handshake(session, callback) {
+    $.post("sessions", { login: session.getI(),
+      A: session.getAstr()}, callback);
   }
 
-  function upgrade(M, callback) {
-    this.ajaxRequest("upgrade/authenticate/", "M="+M, callback);
+  function authenticate(session, success) {
+    $.ajax({
+      url: "sessions/" + session.getI(),
+      type: 'PUT',
+      data: {client_auth: session.getM()},
+      success: success
+    });
   }
 
   return {
-    geturl: getUrl,
-    paths: paths,
-    ajaxRequest: ajaxRequest,
     register: register,
     register_send_verifier: sendVerifier,
     handshake: handshake,
-    authenticate: authenticate,
-    upgrade: upgrade
+    authenticate: authenticate
   };
 };
diff --git a/src/srp_session.js b/src/srp_session.js
index 93bfbe5..07c1e25 100644
--- a/src/srp_session.js
+++ b/src/srp_session.js
@@ -1,10 +1,10 @@
 SRP.prototype.Session = function() {
   
   // Variables session will be used in the SRP protocol
-  var Nstr = "115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3";
+  var Nstr = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3";
   var N = new BigInteger(Nstr, 16);
   var g = new BigInteger("2");
-  var k = new BigInteger("c46d46600d87fef149bd79b81119842f3c20241fda67d06ef412d8f6d9479c58", 16);
+  var k = new BigInteger("bf66c44a428916cad64aa7c679f3fd897ad4c375e9bbb4cbf2f5de241d618ef0", 16);
 
   var rng = new SecureRandom();
   var a = new BigInteger(32, rng);
@@ -66,9 +66,9 @@ SRP.prototype.Session = function() {
   };
 
   // Calculates the X value and return it as a BigInteger
-  this.calcX = function(s)
+  this.calcX = function(salt)
   {
-    return new BigInteger(SHA256(s + SHA256(I + ":" + pass)), 16);
+    return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16);
   };
 
   this.getV = function(salt)
@@ -85,18 +85,30 @@ SRP.prototype.Session = function() {
     var B = new BigInteger(ephemeral, 16); 
     var Bstr = ephemeral;
     // u = H(A,B)
-    var u = new BigInteger(SHA256(Astr + Bstr), 16); 
+    var u = new BigInteger(SHA256(hex2a(Astr + Bstr)), 16); 
     // x = H(s, H(I:p))
-    var x = new BigInteger(SHA256(salt + SHA256(I + ":" + pass)), 16);
+    var x = this.calcX(salt);
     //S = (B - kg^x) ^ (a + ux)
     var kgx = k.multiply(g.modPow(x, N));  
     var aux = a.add(u.multiply(x)); 
     S = B.subtract(kgx).modPow(aux, N); 
-    // M = H(H(N) xor H(g), H(I), s, A, B, K)
-    var Mstr = A.toString(16) + B.toString(16) + S.toString(16); 
-    M = SHA256(Mstr);
-    M2 = SHA256(A.toString(16) + M + S.toString(16)); 
+    K = SHA256(hex2a(S.toString(16)));
+    this.calcM(salt, A.toString(16), B.toString(16));
+  };
+
+  // M = H(H(N) xor H(g), H(I), s, A, B, K)
+  this.calcM = function(salt, Astr, Bstr) {
+    var hashN = SHA256(hex2a(N.toString(16)))
+    var hashG = SHA256(hex2a(g.toString(16)))
+    var hexString = hexXor(hashN, hashG);
+    hexString += SHA256(I);
+    hexString += salt;
+    hexString += Astr;
+    hexString += Bstr;
+    hexString += K
+    M = SHA256(hex2a(hexString));
     //M2 = H(A, M, K)
+    M2 = SHA256(hex2a(Astr + M + K));
   };
 
   this.getM = function() {
@@ -112,13 +124,11 @@ SRP.prototype.Session = function() {
   // access the key with this function.
   this.key = function()
   {
-    if(K) return K;
-    if(authenticated) {
-      K = SHA256(S.toString(16));
+    if(K) {
       return K;
-    }
-    else
+    } else {
       this.onError("User has not been authenticated.");
+    }
   };
 
   // Encrypt plaintext using slowAES
@@ -135,4 +145,23 @@ SRP.prototype.Session = function() {
       retstring = retstring.replace("+", "_");
     return retstring;
   };
+
+  function hex2a(hex) {
+    var str = '';
+    for (var i = 0; i < hex.length; i += 2)
+      str += String.fromCharCode(parseInt(hex.substr(i, 2), 16));
+    return str;
+  }
+
+  function hexXor(a, b) {
+    var str = '';
+    for (var i = 0; i < a.length; i += 2) {
+      var xor = parseInt(a.substr(i, 2), 16) ^ parseInt(b.substr(i, 2), 16)
+      xor = xor.toString(16);
+      str += (xor.length == 1) ? ("0" + xor) : xor
+    }
+    return str;
+  }
+
+
 }