Rather than passing the necessary parameters to the SRP constructor, I've made them hidden fields in the form. This way a bookmarklet will be

able to read the fields, and authentication can be done without trusting the javascript sent by the server.

I also organized urls.py

1 files changed, 16 insertions, 31 deletions

diff --git a/django/srpproject/srp/views.py b/django/srpproject/srp/views.py
index cbf1389..a55805a 100644
--- a/django/srpproject/srp/views.py
+++ b/django/srpproject/srp/views.py
@@ -15,6 +15,20 @@ def generate_salt():
     salt_chars = "./" + string.ascii_letters + string.digits
     return "".join([randomgen.choice(salt_chars) for i in range(0,16)])
 
+# In upgrades, we'll need to decrypt some AES data
+def decrypt(c, key, plen):
+    from srp import aes
+    import base64
+    moo = aes.AESModeOfOperation()
+    cypherkey = map(ord, key.decode("hex"))
+    try:
+        ciphertext = base64.b64decode(c.replace("_", "+"))
+    except TypeError:
+        return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" )
+    iv = map(ord, ciphertext[:16])
+    ciphertext= map(ord, ciphertext[16:])
+    return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen]
+
 # We want to avoid information leakage. For users that don't exist, we need salts to be consistent.
 # These "fake" salts are seeded with the username and the django secret_key. They're not as random
 # as true salts should be, but they should be indistinguishable to a hacker who isn't sure whether
@@ -32,11 +46,11 @@ def test_aes(request):
     
 def login_page(request):
     from django.shortcuts import render_to_response
-    return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()})
+    return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()})
 
 def register_page(request):
     from django.shortcuts import render_to_response
-    return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()})
+    return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()})
 
 ###
 ### User Registration
@@ -164,32 +178,3 @@ def upgrade_add_verifier(request):
     srpuser.password = ""
     srpuser.save()
     return HttpResponse("<ok/>", mimetype="text/xml")
-
-def decrypt(c, key, plen):
-    from srp import aes
-    import base64
-    moo = aes.AESModeOfOperation()
-    cypherkey = map(ord, key.decode("hex"))
-    try:
-        ciphertext = base64.b64decode(c.replace("_", "+"))
-    except TypeError:
-        return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" )
-    iv = map(ord, ciphertext[:16])
-    ciphertext= map(ord, ciphertext[16:])
-    return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen]
-
-
-def doaes(request):
-    from srp import aes
-    import base64
-    moo = aes.AESModeOfOperation()
-    cypherkey = map(ord, "6754c921b8dcbd1f8b58748cd87ac60ce857314687a65df05c470a46f438842c".decode("hex"))
-    try:
-        ciphertext = base64.b64decode(request.POST["c"].replace("_", "+"))
-    except TypeError:
-        return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" )
-    iv = map(ord, ciphertext[:16])
-    ciphertext= map(ord, ciphertext[16:])
-    # (self, cipherIn, originalsize, mode, key, size, IV):
-    plaintext = moo.decrypt(ciphertext, int(request.POST["l"]), moo.modeOfOperation["OFB"], cypherkey, len(cypherkey), iv)[:int(request.POST["l"])]
-    return HttpResponse("<P>%s</P>" % plaintext, mimetype="text/xml" )