author | ausiv4 <ausiv4@eb105b4a-77de-11de-a249-6bf219df57d5> | 2009-08-12 23:30:24 +0000 |
---|---|---|
committer | ausiv4 <ausiv4@eb105b4a-77de-11de-a249-6bf219df57d5> | 2009-08-12 23:30:24 +0000 |
commit | 24065d78f50b2fba32d63da58fa67407b22e6451 (patch) | |
tree | 299803318ef74ca224ebf0f612dcd8b401cb2374 /django | |
parent | 124ef39cb84dec12d21a36e98039e6a5042e7317 (diff) |
Rather than passing the necessary parameters to the SRP constructor, I've made them hidden fields in the form. This way a bookmarklet will be
able to read the fields, and authentication can be done without trusting the javascript sent by the server.
I also organized urls.py
Diffstat (limited to 'django')
-rw-r--r-- | django/srpproject/srp/views.py | 47 | ||||
-rw-r--r-- | django/srpproject/templates/login.html | 14 | ||||
-rw-r--r-- | django/srpproject/templates/register.html | 8 | ||||
-rw-r--r-- | django/srpproject/urls.py | 13 |
4 files changed, 34 insertions, 48 deletions
diff --git a/django/srpproject/srp/views.py b/django/srpproject/srp/views.py index cbf1389..a55805a 100644 --- a/django/srpproject/srp/views.py +++ b/django/srpproject/srp/views.py @@ -15,6 +15,20 @@ def generate_salt(): salt_chars = "./" + string.ascii_letters + string.digits return "".join([randomgen.choice(salt_chars) for i in range(0,16)]) +# In upgrades, we'll need to decrypt some AES data +def decrypt(c, key, plen): + from srp import aes + import base64 + moo = aes.AESModeOfOperation() + cypherkey = map(ord, key.decode("hex")) + try: + ciphertext = base64.b64decode(c.replace("_", "+")) + except TypeError: + return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" ) + iv = map(ord, ciphertext[:16]) + ciphertext= map(ord, ciphertext[16:]) + return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen] + # We want to avoid information leakage. For users that don't exist, we need salts to be consistent. # These "fake" salts are seeded with the username and the django secret_key. They're not as random # as true salts should be, but they should be indistinguishable to a hacker who isn't sure whether @@ -32,11 +46,11 @@ def test_aes(request): def login_page(request): from django.shortcuts import render_to_response - return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()}) + return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()}) def register_page(request): from django.shortcuts import render_to_response - return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()}) + return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()}) ### ### User Registration 
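Review bot: The `except TypeError` branch of the newly placed `decrypt` helper references `request`, which is not a parameter of this function, so a malformed base64 input raises `NameError` instead of producing the intended response; the helper also returns an `HttpResponse` on that path while its callers expect plaintext. Since that branch also interpolates the raw `c` value into an XML body without escaping, the cleaner fix is to let the helper report failure and have the calling view build the response: `except TypeError: raise ValueError("malformed ciphertext")`. The CFB mode and the `[:plen]` truncation are carried over unchanged from the copy removed further down, so this note does not re-review the cipher call itself.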
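Review bot: Both rewritten `render_to_response` calls build `srp_url` from `request.get_host()` with a hard-coded `http://` scheme, so the page directs the SRP client to a plain-HTTP endpoint even when the page itself was served over HTTPS, and the value is only as trustworthy as whatever `get_host()` reports for that request. Django already provides the right primitive; `'srp_url': request.build_absolute_uri('/srp/')` keeps scheme and host consistent with the request that rendered the page, and the same applies to the pre-existing `static_files` value. The `/srp/` prefix is also hard-coded in urls.py in this commit, so a single settings-level value could serve both places.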
@@ -164,32 +178,3 @@ def upgrade_add_verifier(request):
 srpuser.password = ""
 srpuser.save()
 return HttpResponse("<ok/>", mimetype="text/xml")
-
-def decrypt(c, key, plen):
- from srp import aes
- import base64
- moo = aes.AESModeOfOperation()
- cypherkey = map(ord, key.decode("hex"))
- try:
- ciphertext = base64.b64decode(c.replace("_", "+"))
- except TypeError:
- return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" )
- iv = map(ord, ciphertext[:16])
- ciphertext= map(ord, ciphertext[16:])
- return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen]
-
-
-def doaes(request):
- from srp import aes
- import base64
- moo = aes.AESModeOfOperation()
- cypherkey = map(ord, "6754c921b8dcbd1f8b58748cd87ac60ce857314687a65df05c470a46f438842c".decode("hex"))
- try:
- ciphertext = base64.b64decode(request.POST["c"].replace("_", "+"))
- except TypeError:
- return HttpResponse("<error>%s</error>" % request.POST["c"], mimetype="text/xml" )
- iv = map(ord, ciphertext[:16])
- ciphertext= map(ord, ciphertext[16:])
- # (self, cipherIn, originalsize, mode, key, size, IV):
- plaintext = moo.decrypt(ciphertext, int(request.POST["l"]), moo.modeOfOperation["OFB"], cypherkey, len(cypherkey), iv)[:int(request.POST["l"])]
- return HttpResponse("<P>%s</P>" % plaintext, mimetype="text/xml" )
diff --git a/django/srpproject/templates/login.html b/django/srpproject/templates/login.html
index 9de4268..edaf4dc 100644
--- a/django/srpproject/templates/login.html
+++ b/django/srpproject/templates/login.html
@@ -13,24 +13,20 @@ <script type="text/javascript"> function login() { - var username = document.getElementById("srp_username").value; - var password = document.getElementById("srp_password").value; - var url = window.location.protocol+"//"+window.location.host+"/srp/"; - srp = new SRP(username, password, "django", url); - srp.success = function() - { - alert("We win"); - }; + srp = new SRP(); srp.identify(); return false; } </script> </head> <body> - <form action="." onsubmit="return login()"> + <form action="{{ srp_url }}/noJs/" onsubmit="return login()"> <table> <tr><td>Username:</td><td><input type="text" id="srp_username" /></td></tr> <tr><td>Password:</td><td><input type="password" id="srp_password" /></td></tr> + <input type="hidden" id="srp_url" value="{{ srp_url }}"/> + <input type="hidden" id="srp_forward" value="#"/> + <input type="hidden" id="srp_server" value="django"/> </table> <input type="submit"/> </form> diff --git a/django/srpproject/templates/register.html b/django/srpproject/templates/register.html index 102daed..6e6d44a 100644 --- a/django/srpproject/templates/register.html +++ b/django/srpproject/templates/register.html @@ -19,10 +19,7 @@ alert("Password cannot be blank"); else { - var username = document.getElementById("srp_username").value; - var password = document.getElementById("srp_password").value; - var url = window.location.protocol+"//"+window.location.host+"/srp/"; - srp = new SRP(username, password, "django", url); + srp = new SRP(); srp.success = function() { alert("We win"); 
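Review bot: The non-JavaScript fallback introduced by `<form action="{{ srp_url }}/noJs/" onsubmit="return login()">` cannot work as written: the username and password inputs carry only `id` attributes and no `name`, so a browser submitting the form sends no fields at all, and with no `method="post"` anything that were submitted would travel in the query string and end up in server and proxy logs. If the fallback is meant to be used, add `method="post"` and `name` attributes to both inputs; otherwise keep `action="."`. Note also that `srp_url` already ends in `/` (see the views.py hunk), so this action resolves to `.../srp//noJs/`, whereas register.html concatenates `{{ srp_url }}login/` without the extra slash, and the urls.py hunk in this commit adds no `noJs` pattern.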
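Review bot: `srp = new SRP();` assigns to an undeclared identifier, which creates an implicit global on `window`, here and in the login.html hunk above; `var srp = new SRP();` keeps the object local to the submit handler. If the `success` callback or a bookmarklet is intended to reach the object later, declare it once at script scope so that dependency is visible rather than accidental. The enclosing function starts and ends outside this hunk.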
@@ -39,6 +36,9 @@ <tr><td>Username:</td><td><input type="text" id="srp_username" /></td></tr> <tr><td>Password:</td><td><input type="password" id="srp_password" /></td></tr> <tr><td>Confirm:</td><td><input type="password" id="confirm_password" /></td></tr> + <input type="hidden" id="srp_url" value="{{ srp_url }}"/> + <input type="hidden" id="srp_forward" value="{{ srp_url }}login/"/> + <input type="hidden" id="srp_server" value="django"/> </table> <input type="submit"/> </form> diff --git a/django/srpproject/urls.py b/django/srpproject/urls.py index 07f446f..43a609d 100644 --- a/django/srpproject/urls.py +++ b/django/srpproject/urls.py @@ -15,14 +15,19 @@ urlpatterns = patterns('', # Uncomment the next line to enable the admin: # (r'^admin/(.*)', admin.site.root), + + # Login and regiser pages. These are mainly for testing. + (r'^srp/register/$', views.register_page), + (r'^srp/login/$', views.login_page), + (r'^srp/register/salt/$', views.register_salt), (r'^srp/register/user/$', views.register_user), + + # (r'^srp/handshake/$', views.handshake), (r'^srp/authenticate/$', views.verify), - (r'^srp/login/$', views.login_page), - (r'^srp/register/$', views.register_page), + + # Only include these if you are upgrading an existing installation to SRP (r'^srp/upgrade/authenticate/$', views.upgrade_auth), (r'^srp/upgrade/verifier/$', views.upgrade_add_verifier), - (r'^srp/aes/$', views.test_aes), - (r'^srp/aes/post/$', views.doaes), ) |
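Review bot: The new comment has a typo, `# Login and regiser pages.`; it should read `# Login and register pages. These are mainly for testing.`. The login.html hunk in this commit points its form at `{{ srp_url }}/noJs/`, but no `srp/noJs/` pattern is added here, so the no-JavaScript fallback will 404 unless that route exists elsewhere. Dropping the `srp/aes/` and `srp/aes/post/` routes while `test_aes` still exists in views.py (its `def` line appears as hunk context there) leaves an unreachable view behind; consider deleting it alongside `doaes`.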