summaryrefslogtreecommitdiff
path: root/django/srpproject/srp/views.py
diff options
context:
space:
mode:
Diffstat (limited to 'django/srpproject/srp/views.py')
-rw-r--r--django/srpproject/srp/views.py34
1 files changed, 16 insertions, 18 deletions
diff --git a/django/srpproject/srp/views.py b/django/srpproject/srp/views.py
index 4200e8c..ffc5679 100644
--- a/django/srpproject/srp/views.py
+++ b/django/srpproject/srp/views.py
@@ -41,7 +41,7 @@ def register_page(request):
# Step 1. A client submits a username. If the username is available, we generate a salt, store it, and return it.
# Otherwise, we return an error.
def register_salt(request):
- if models.User.objects.filter(name=request.POST["I"]).count() > 0:
+ if models.SRPUser.objects.filter(username=request.POST["I"]).count() > 0:
return HttpResponse("<error>Username already in use</error>", mimetype="text/xml")
request.session["srp_name"] = request.POST["I"]
request.session["srp_salt"] = generate_salt()
@@ -50,8 +50,8 @@ def register_salt(request):
# Step 2. The client creates the password verifier and sends it to the server, along with a username.
def register_user(request):
from django.contrib import auth
- models.User(salt=request.session["srp_salt"], name=request.session["srp_name"], verifier=request.POST["v"]).save()
- auth.models.User.objects.create_user(request.session["srp_name"],'', str(request.POST["v"]))
+ models.SRPUser(salt=request.session["srp_salt"], username=request.session["srp_name"], verifier=request.POST["v"]).save()
+ # auth.models.SRPUser.objects.create_user(request.session["srp_name"],'', str(request.POST["v"]))
del request.session["srp_salt"]
del request.session["srp_name"]
return HttpResponse("<ok/>", mimetype="text/xml");
@@ -77,15 +77,13 @@ def handshake(request):
return HttpResponse("<error>Invalid ephemeral key.</error>", mimetype="text/xml")
else:
try:
- user = models.User.objects.get(name=request.session["srp_I"])
+ user = models.SRPUser.objects.get(username=request.session["srp_I"])
salt = user.salt
v = int(user.verifier, 16)
# We don't want to leak that the username doesn't exist. Make up a fake salt and verifier.
- except models.User.DoesNotExist:
+ except models.SRPUser.DoesNotExist:
salt, x = generate_fake_salt(request.POST["I"])
v = pow(g, x, N)
-
- request.session["srp_v"] = hex(v)[2:-1]
# Ensure that B%N != 0
while True:
@@ -108,21 +106,21 @@ def handshake(request):
# Step 2: The client sends its proof of S. The server confirms, and sends its proof of S.
def verify(request):
import hashlib
- from django.contrib import auth
- if request.POST["M"] == request.session["srp_M"]:
- # H(A, M, K)
- user = auth.authenticate(username=request.session["srp_I"], password=str(request.session["srp_v"]))
- if user != None:
+ from django.contrib.auth import login, authenticate
+ # H(A, M, K)
+ try:
+ user = authenticate(username=request.session["srp_I"], M=(request.POST["M"], request.session["srp_M"]))
+ if user:
response = "<M>%s</M>" % hashlib.sha256("%s%s%s" % (request.session["srp_A"], request.session["srp_M"], request.session["srp_S"])).hexdigest()
- auth.login(request, user)
+ login(request, user)
else:
- # This should only happen when authentication is successful with SRP, but the user isn't in the auth table.
- response = "<error>Authentication failed. This is likely a server problem.</error>"
- else:
- response = "<error>Invalid username or password.</error>"
+ response = "<error>Invalid username or password.</error>"
+ except models.SRPUser.DoesNotExist:
+ # This should only happen when authentication is successful with SRP, but the user isn't in the auth table.
+ response = "<error>Authentication failed. This is likely a server problem.</error>"
+
try:
del request.session["srp_I"]
- del request.session["srp_v"]
del request.session["srp_M"]
del request.session["srp_S"]
del request.session["srp_A"]