diff options
author | Azul <azul@riseup.net> | 2012-10-15 11:14:28 +0200 |
---|---|---|
committer | Azul <azul@riseup.net> | 2012-10-15 11:14:28 +0200 |
commit | 6feb77060140fe8026812970c4d5ea83da3cd200 (patch) | |
tree | 900cb699aaead6d43c25afd13e773671aa948f6e | |
parent | d6a78049f3356d9d645143362eca74434410bf62 (diff) | |
parent | 09a6d9eb8d0467f311bbae3d6fe2d923244edb21 (diff) |
Merge branch 'feature-jquery-remote' into develop
-rw-r--r-- | lib/SHA256.js | 1 | ||||
-rw-r--r-- | spec/RestfulSpecRunner.html | 5 | ||||
-rw-r--r-- | spec/restful/login.js | 48 | ||||
-rw-r--r-- | spec/restful/signup.js | 10 | ||||
-rw-r--r-- | spec/specHelper.js | 8 | ||||
-rw-r--r-- | src/jqueryRest.js | 78 | ||||
-rw-r--r-- | src/srp_session.js | 59 |
7 files changed, 103 insertions, 106 deletions
diff --git a/lib/SHA256.js b/lib/SHA256.js index 1a852c0..f79b07d 100644 --- a/lib/SHA256.js +++ b/lib/SHA256.js @@ -121,7 +121,6 @@ function SHA256(s){ return str; } - s = Utf8Encode(s); return binb2hex(core_sha256(str2binb(s), s.length * chrsz)); } diff --git a/spec/RestfulSpecRunner.html b/spec/RestfulSpecRunner.html index caf7147..8203970 100644 --- a/spec/RestfulSpecRunner.html +++ b/spec/RestfulSpecRunner.html @@ -12,6 +12,7 @@ <script type="text/javascript" src="lib/sinon/sinon-1.3.4.js"></script> <script type="text/javascript" src="lib/jasmine-sinon.js"></script> + <script type="text/javascript" src="lib/jquery-1.8.2.js"></script> <!-- the files we are testing... --> <script type="text/javascript" src="../lib/SHA256.js"></script> @@ -63,8 +64,8 @@ <body> <form action="." onsubmit="return register()"> <table> - <tr><td>Username:</td><td><input type="text" id="srp_username" value="user" /></td></tr> - <tr><td>Password:</td><td><input type="password" id="srp_password" value="opensesami"/></td></tr> + <tr><td>Username:</td><td><input type="text" id="srp_username" value="testuser" /></td></tr> + <tr><td>Password:</td><td><input type="password" id="srp_password" value="password"/></td></tr> <input type="hidden" id="srp_url" value=""/> <input type="hidden" id="srp_forward" value="#logged_in"/> <input type="hidden" id="srp_server" value="django"/> diff --git a/spec/restful/login.js b/spec/restful/login.js index 729f902..0f6aa4f 100644 --- a/spec/restful/login.js +++ b/spec/restful/login.js @@ -6,21 +6,28 @@ describe("Login", function() { }); describe("(INTEGRATION)", function (){ + // these need to be the same as in the spec runner: + var login = "testuser"; + var password = "password"; // a valid auth attempt for the user / password given in the spec runner: - var a = 'af141ae6'; - var B = '887005895b1f5528b4e4dfdce914f73e763b96d3c901d2f41d8b8cd26255a75'; - var salt = '5d3055e0acd3ddcfc15'; - var M = 'be6d7db2186d5f6a2c55788479b6eaf75229a7ca0d9e7dc1f886f1970a0e8065' - var M2 = '2547cf26318519090f506ab73a68995a2626b1c948e6f603ef9e1b0b78bf0f7b'; - var A, callback; + var a = 'a5cccf937ea1bf72df5cf8099442552f5664da6780a75436d5a59bc77a8a9993'; + var A = 'e67d222244564ccd2e37471f226b999a4e987f3d494c7d80e0d36169efd6c6c6d857a96924c25fc165e5e9b0212a31c30701ec376dc32e36be00bbcd6d2104789d368af984e26fc094374f90ee5746478f14cec45c7e131a3cbce15fe79e98894213dac4e63c3f73f644fe25aa8707bc58859dfd1b36972e4e34169db2622899'; + // just for the sake of having a complete set of test vars: + var b = '6aa5c88d1877af9907ccefad31083e1102a7121dc04706f681f66c8680fb7f05'; + var B = 'd56a80aaafdf9f70598b5d1184f122f326a333fafd37ab76d6f7fba4a9c4ee59545be056335150bd64f04880bc8e76949469379fe9de17cf6f36f3ee11713d05f63050486bc73c545163169999ff01b55c0ca4e90d8856a6e3d3a6ffc70b70d993a5308a37a5c2399874344e083e72b3c9afa083d312dfe9096ea9a65023f135'; + var salt = '628365a0'; + var K = 'db6ec0bdab81742315861a828323ff492721bdcd114077a4124bc425e4bf328b'; + var M = '640e51d5ac5461591c31811221261f0e0eae7c08ce43c85e9556adbd94ed8c26'; + var M2 = '49e48f8ac8c4da0e8a7374f73eeedbee2266e123d23fc1be1568523fc9c24b1e'; + var A_, callback; beforeEach(function() { this.srp = new SRP(jqueryRest()); - A = this.srp.calculateAndSetA(a); specHelper.setupFakeXHR.apply(this); + A_ = this.srp.session.calculateAndSetA(a) this.srp.success = sinon.spy(); }); @@ -28,40 +35,37 @@ describe("Login", function() { this.xhr.restore(); }); - it("works with XML responses", function(){ - this.srp.identify(); - - this.expectRequest('handshake/', 'I=user&A='+A); - this.respondXML("<r s='"+salt+"' B='"+B+"' />"); - this.expectRequest('authenticate/', 'M='+M); - this.respondXML("<M>"+M2+"</M>"); - - expect(this.srp.success).toHaveBeenCalled(); + it("starts with the right A", function(){ + expect(A_).toBe(A); + }); + + it("calculates the right key", function(){ + this.srp.session.calculations(salt, B); + expect(this.srp.session.key()).toBe(K); }); it("works with JSON responses", function(){ this.srp.identify(); - this.expectRequest('handshake/', 'I=user&A='+A); + this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST'); this.respondJSON({s: salt, B: B}); - this.expectRequest('authenticate/', 'M='+M); + this.expectRequest('sessions/'+login, 'client_auth='+M, 'PUT'); this.respondJSON({M: M2}); expect(this.srp.success).toHaveBeenCalled(); }); it("rejects B = 0", function(){ - this.srp.error_message = sinon.spy(); + this.srp.error = sinon.spy(); this.srp.identify(); - this.expectRequest('handshake/', 'I=user&A='+A); + this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST'); this.respondJSON({s: salt, B: 0}); // aborting if B=0 expect(this.requests).toEqual([]); - expect(this.srp.error_message).toHaveBeenCalled(); + expect(this.srp.error).toHaveBeenCalled(); }); }); }); - diff --git a/spec/restful/signup.js b/spec/restful/signup.js index b1ed7e8..7b66dd7 100644 --- a/spec/restful/signup.js +++ b/spec/restful/signup.js @@ -13,13 +13,17 @@ describe("Signup", function() { expect(typeof this.srp.register).toBe('function'); }); + it("calculates the right x", function(){ + expect(this.srp.session.calcX("7686acb8").toString(16)).toBe('84d6bb567ddf584b1d8c8728289644d45dbfbb02deedd05c0f64db96740f0398'); + }); + it("identifies after successful registration (INTEGRATION)", function(){ var callback = sinon.spy(); this.srp.identify = callback; - this.srp.getSalt = function() {return "5d3055e0acd3ddcfc15"}; + this.srp.session.getSalt = function() {return "4c78c3f8"}; this.srp.register(); - this.expectRequest('users', "user[login]=user&user[password_salt]=5d3055e0acd3ddcfc15&user[password_verifier]=adcd57b4a4a05c2e205b0b7b30014d9ff635d8d8db2f502f08e9b9c132800c44") - this.respondJSON({password_salt: "5d3055e0acd3ddcfc15", login: "user", ok: "true"}); + this.expectRequest('users', "user[login]=testuser&user[password_salt]=4c78c3f8&user[password_verifier]=474c26aa42d11f20544a00f7bf9711c4b5cf7aab95ed448df82b95521b96668e7480b16efce81c861870302560ddf6604c67df54f1d04b99d5bb9d0f02c6051ada5dc9d594f0d4314e12f876cfca3dcd99fc9c98c2e6a5e04298b11061fb8549a22cde0564e91514080df79bca1c38c682214d65d590f66b3719f954b078b83c", 'POST') + this.respondJSON({password_salt: "4c78c3f8", login: "testuser", ok: "true"}); expect(callback).toHaveBeenCalled(); }); diff --git a/spec/specHelper.js b/spec/specHelper.js index 21a0cb7..11327af 100644 --- a/spec/specHelper.js +++ b/spec/specHelper.js @@ -12,10 +12,14 @@ var specHelper = (function() { this.respondXML = respondXML; } - function expectRequest(url, content) { + // TODO: validate http verb + function expectRequest(url, content, verb) { expect(this.requests.length).toBe(1); expect(this.requests[0].url).toBe(url); - expect(this.requests[0].requestBody).toBe(content); + expect(decodeURI(this.requests[0].requestBody)).toBe(content); + if (verb) { + expect(this.requests[0].method).toBe(verb); + } } function respondXML(content) { diff --git a/src/jqueryRest.js b/src/jqueryRest.js index 9e7f72b..f50080b 100644 --- a/src/jqueryRest.js +++ b/src/jqueryRest.js @@ -1,50 +1,5 @@ jqueryRest = function() { - function getUrl() - { - return ""; - } - - function paths(path) - { - return path; - } - - // Perform ajax requests at the specified path, with the specified parameters - // Calling back the specified function. - function ajaxRequest(relative_path, params, callback) - { - var full_url = this.geturl() + this.paths(relative_path); - if( window.XMLHttpRequest) { - xhr = new XMLHttpRequest(); - } - else if (window.ActiveXObject){ - try { - xhr = new ActiveXObject("Microsoft.XMLHTTP"); - } catch (e){} - } - else - { - session.error_message("Ajax not supported."); - return; - } - if(xhr){ - xhr.onreadystatechange = function() { - if(xhr.readyState == 4 && xhr.status == 200) { - callback(parseResponse()); - } - }; - xhr.open("POST", full_url, true); - xhr.setRequestHeader("Content-type", "application/x-www-form-urlencoded"); - xhr.setRequestHeader("Content-length", params.length); - xhr.send(params); - } - else - { - session.error_message("Ajax failed."); - } - } - function parseResponse() { if (responseIsXML()) { return parseXML(xhr.responseXML); @@ -98,31 +53,32 @@ jqueryRest = function() { } function sendVerifier(session, callback) { - this.ajaxRequest("users", "user[login]=" + session.getI() + - "&user[password_salt]=" + session.getSalt() + - "&user[password_verifier]=" + session.getV().toString(16), callback); - } - - function handshake(I, Astr, callback) { - this.ajaxRequest("handshake/", "I="+I+"&A="+Astr, callback); + var salt = session.getSalt(); + $.post("users", { user: + { login: session.getI(), + password_salt: salt, + password_verifier: session.getV(salt).toString(16)} + }, callback); } - function authenticate(M, callback) { - this.ajaxRequest("authenticate/", "M="+M, callback); + function handshake(session, callback) { + $.post("sessions", { login: session.getI(), + A: session.getAstr()}, callback); } - function upgrade(M, callback) { - this.ajaxRequest("upgrade/authenticate/", "M="+M, callback); + function authenticate(session, success) { + $.ajax({ + url: "sessions/" + session.getI(), + type: 'PUT', + data: {client_auth: session.getM()}, + success: success + }); } return { - geturl: getUrl, - paths: paths, - ajaxRequest: ajaxRequest, register: register, register_send_verifier: sendVerifier, handshake: handshake, - authenticate: authenticate, - upgrade: upgrade + authenticate: authenticate }; }; diff --git a/src/srp_session.js b/src/srp_session.js index 93bfbe5..07c1e25 100644 --- a/src/srp_session.js +++ b/src/srp_session.js @@ -1,10 +1,10 @@ SRP.prototype.Session = function() { // Variables session will be used in the SRP protocol - var Nstr = "115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3"; + var Nstr = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3"; var N = new BigInteger(Nstr, 16); var g = new BigInteger("2"); - var k = new BigInteger("c46d46600d87fef149bd79b81119842f3c20241fda67d06ef412d8f6d9479c58", 16); + var k = new BigInteger("bf66c44a428916cad64aa7c679f3fd897ad4c375e9bbb4cbf2f5de241d618ef0", 16); var rng = new SecureRandom(); var a = new BigInteger(32, rng); @@ -66,9 +66,9 @@ SRP.prototype.Session = function() { }; // Calculates the X value and return it as a BigInteger - this.calcX = function(s) + this.calcX = function(salt) { - return new BigInteger(SHA256(s + SHA256(I + ":" + pass)), 16); + return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); }; this.getV = function(salt) @@ -85,18 +85,30 @@ SRP.prototype.Session = function() { var B = new BigInteger(ephemeral, 16); var Bstr = ephemeral; // u = H(A,B) - var u = new BigInteger(SHA256(Astr + Bstr), 16); + var u = new BigInteger(SHA256(hex2a(Astr + Bstr)), 16); // x = H(s, H(I:p)) - var x = new BigInteger(SHA256(salt + SHA256(I + ":" + pass)), 16); + var x = this.calcX(salt); //S = (B - kg^x) ^ (a + ux) var kgx = k.multiply(g.modPow(x, N)); var aux = a.add(u.multiply(x)); S = B.subtract(kgx).modPow(aux, N); - // M = H(H(N) xor H(g), H(I), s, A, B, K) - var Mstr = A.toString(16) + B.toString(16) + S.toString(16); - M = SHA256(Mstr); - M2 = SHA256(A.toString(16) + M + S.toString(16)); + K = SHA256(hex2a(S.toString(16))); + this.calcM(salt, A.toString(16), B.toString(16)); + }; + + // M = H(H(N) xor H(g), H(I), s, A, B, K) + this.calcM = function(salt, Astr, Bstr) { + var hashN = SHA256(hex2a(N.toString(16))) + var hashG = SHA256(hex2a(g.toString(16))) + var hexString = hexXor(hashN, hashG); + hexString += SHA256(I); + hexString += salt; + hexString += Astr; + hexString += Bstr; + hexString += K + M = SHA256(hex2a(hexString)); //M2 = H(A, M, K) + M2 = SHA256(hex2a(Astr + M + K)); }; this.getM = function() { @@ -112,13 +124,11 @@ SRP.prototype.Session = function() { // access the key with this function. this.key = function() { - if(K) return K; - if(authenticated) { - K = SHA256(S.toString(16)); + if(K) { return K; - } - else + } else { this.onError("User has not been authenticated."); + } }; // Encrypt plaintext using slowAES @@ -135,4 +145,23 @@ SRP.prototype.Session = function() { retstring = retstring.replace("+", "_"); return retstring; }; + + function hex2a(hex) { + var str = ''; + for (var i = 0; i < hex.length; i += 2) + str += String.fromCharCode(parseInt(hex.substr(i, 2), 16)); + return str; + } + + function hexXor(a, b) { + var str = ''; + for (var i = 0; i < a.length; i += 2) { + var xor = parseInt(a.substr(i, 2), 16) ^ parseInt(b.substr(i, 2), 16) + xor = xor.toString(16); + str += (xor.length == 1) ? ("0" + xor) : xor + } + return str; + } + + } |