diff options
| author | ausiv4 <ausiv4@eb105b4a-77de-11de-a249-6bf219df57d5> | 2009-08-12 17:01:23 +0000 |
|---|---|---|
| committer | ausiv4 <ausiv4@eb105b4a-77de-11de-a249-6bf219df57d5> | 2009-08-12 17:01:23 +0000 |
| commit | 124ef39cb84dec12d21a36e98039e6a5042e7317 (patch) | |
| tree | 91a0b28d2bf6b3b952d8b575a752d45193ca2d8b /django/srpproject/srp/views.py | |
| parent | 900dc01238f0c0f6830d487d93f9176e711104fe (diff) | |
When upgrading the user from a non-srp account to an SRP account, the client must send the server the password. I wasn't happy about doing this
in plaintext, so I've incorporated slowAES on both the client and the server to encrypt the password before it is sent, using the key generated
in the first SRP transaction.
Diffstat (limited to 'django/srpproject/srp/views.py')
| -rw-r--r-- | django/srpproject/srp/views.py | 36 |
1 files changed, 35 insertions, 1 deletions
diff --git a/django/srpproject/srp/views.py b/django/srpproject/srp/views.py index 8529fa9..cbf1389 100644 --- a/django/srpproject/srp/views.py +++ b/django/srpproject/srp/views.py @@ -25,6 +25,10 @@ def generate_fake_salt(I): salt_chars = "./" + string.ascii_letters + string.digits salt = "".join([random.choice(salt_chars) for i in range(0,16)]) return salt, int(hashlib.sha256("%s:%s" % (salt, settings.SECRET_KEY)).hexdigest(), 16) + +def test_aes(request): + from django.shortcuts import render_to_response + return render_to_response('aes.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()}) def login_page(request): from django.shortcuts import render_to_response @@ -150,7 +154,8 @@ def upgrade_add_verifier(request): from django.contrib.auth.models import User import hashlib salt = generate_salt() - x = int(hashlib.sha256(salt + hashlib.sha256("%s:%s" % (request.session["srp_I"], request.POST["p"])).hexdigest()).hexdigest(), 16) + key = hashlib.sha256(request.session["srp_S"]).hexdigest() + x = int(hashlib.sha256(salt + hashlib.sha256("%s:%s" % (request.session["srp_I"], decrypt(request.POST["p"], key, int(request.POST["l"])))).hexdigest()).hexdigest(), 16) user = User.objects.get(username=request.session["srp_I"]) srpuser = SRPUser() srpuser.__dict__.update(user.__dict__) @@ -159,3 +164,32 @@ def upgrade_add_verifier(request): srpuser.password = "" srpuser.save() return HttpResponse("<ok/>", mimetype="text/xml") + +def decrypt(c, key, plen): + from srp import aes + import base64 + moo = aes.AESModeOfOperation() + cypherkey = map(ord, key.decode("hex")) + try: + ciphertext = base64.b64decode(c.replace("_", "+")) + except TypeError: + return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" ) + iv = map(ord, ciphertext[:16]) + ciphertext= map(ord, ciphertext[16:]) + return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen] + + +def doaes(request): + from srp import aes + import base64 + moo = aes.AESModeOfOperation() + cypherkey = map(ord, "6754c921b8dcbd1f8b58748cd87ac60ce857314687a65df05c470a46f438842c".decode("hex")) + try: + ciphertext = base64.b64decode(request.POST["c"].replace("_", "+")) + except TypeError: + return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" ) + iv = map(ord, ciphertext[:16]) + ciphertext= map(ord, ciphertext[16:]) + # (self, cipherIn, originalsize, mode, key, size, IV): + plaintext = moo.decrypt(ciphertext, int(request.POST["l"]), moo.modeOfOperation["OFB"], cypherkey, len(cypherkey), iv)[:int(request.POST["l"])] + return HttpResponse("<P>%s</P>" % plaintext, mimetype="text/xml" ) |