From 24065d78f50b2fba32d63da58fa67407b22e6451 Mon Sep 17 00:00:00 2001 From: ausiv4 Date: Wed, 12 Aug 2009 23:30:24 +0000 Subject: Rather than passing the necessary parameters to the SRP constructor, I've made them hidden fields in the form. This way a bookmarklet will be able to read the fields, and authentication can be done without trusting the javascript sent by the server. I also organized urls.py --- django/srpproject/srp/views.py | 47 ++++++++++++++---------------------------- 1 file changed, 16 insertions(+), 31 deletions(-) (limited to 'django/srpproject/srp') diff --git a/django/srpproject/srp/views.py b/django/srpproject/srp/views.py index cbf1389..a55805a 100644 --- a/django/srpproject/srp/views.py +++ b/django/srpproject/srp/views.py @@ -15,6 +15,20 @@ def generate_salt(): salt_chars = "./" + string.ascii_letters + string.digits return "".join([randomgen.choice(salt_chars) for i in range(0,16)]) +# In upgrades, we'll need to decrypt some AES data +def decrypt(c, key, plen): + from srp import aes + import base64 + moo = aes.AESModeOfOperation() + cypherkey = map(ord, key.decode("hex")) + try: + ciphertext = base64.b64decode(c.replace("_", "+")) + except TypeError: + return HttpResponse("%s" % request.POST["c"], mimetype="text/xml" ) + iv = map(ord, ciphertext[:16]) + ciphertext= map(ord, ciphertext[16:]) + return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen] + # We want to avoid information leakage. For users that don't exist, we need salts to be consistent. # These "fake" salts are seeded with the username and the django secret_key. They're not as random # as true salts should be, but they should be indistinguishable to a hacker who isn't sure whether @@ -32,11 +46,11 @@ def test_aes(request): def login_page(request): from django.shortcuts import render_to_response - return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()}) + return render_to_response('login.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()}) def register_page(request): from django.shortcuts import render_to_response - return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host()}) + return render_to_response('register.html',{'static_files': "http://%s/srp-test/javascript" % request.get_host(), 'srp_url': "http://%s/srp/" % request.get_host()}) ### ### User Registration @@ -164,32 +178,3 @@ def upgrade_add_verifier(request): srpuser.password = "" srpuser.save() return HttpResponse("", mimetype="text/xml") - -def decrypt(c, key, plen): - from srp import aes - import base64 - moo = aes.AESModeOfOperation() - cypherkey = map(ord, key.decode("hex")) - try: - ciphertext = base64.b64decode(c.replace("_", "+")) - except TypeError: - return HttpResponse("%s" % request.POST["c"], mimetype="text/xml" ) - iv = map(ord, ciphertext[:16]) - ciphertext= map(ord, ciphertext[16:]) - return moo.decrypt(ciphertext, 0, moo.modeOfOperation["CFB"], cypherkey, len(cypherkey), iv)[:plen] - - -def doaes(request): - from srp import aes - import base64 - moo = aes.AESModeOfOperation() - cypherkey = map(ord, "6754c921b8dcbd1f8b58748cd87ac60ce857314687a65df05c470a46f438842c".decode("hex")) - try: - ciphertext = base64.b64decode(request.POST["c"].replace("_", "+")) - except TypeError: - return HttpResponse("%s" % request.POST["c"], mimetype="text/xml" ) - iv = map(ord, ciphertext[:16]) - ciphertext= map(ord, ciphertext[16:]) - # (self, cipherIn, originalsize, mode, key, size, IV): - plaintext = moo.decrypt(ciphertext, int(request.POST["l"]), moo.modeOfOperation["OFB"], cypherkey, len(cypherkey), iv)[:int(request.POST["l"])] - return HttpResponse("

%s

" % plaintext, mimetype="text/xml" ) -- cgit v1.2.3