From 8d359f4d8e27bf5992508bc11486a482d270d6f8 Mon Sep 17 00:00:00 2001 From: ausiv4 Date: Fri, 24 Jul 2009 13:58:33 +0000 Subject: Fixing previous mistake --- proper-random/django/srpproject/__init__.py | 0 proper-random/django/srpproject/manage.py | 11 -- proper-random/django/srpproject/settings.py | 80 ----------- proper-random/django/srpproject/srp/__init__.py | 0 proper-random/django/srpproject/srp/models.py | 12 -- proper-random/django/srpproject/srp/views.py | 183 ------------------------ proper-random/django/srpproject/urls.py | 24 ---- 7 files changed, 310 deletions(-) delete mode 100644 proper-random/django/srpproject/__init__.py delete mode 100644 proper-random/django/srpproject/manage.py delete mode 100644 proper-random/django/srpproject/settings.py delete mode 100644 proper-random/django/srpproject/srp/__init__.py delete mode 100644 proper-random/django/srpproject/srp/models.py delete mode 100644 proper-random/django/srpproject/srp/views.py delete mode 100644 proper-random/django/srpproject/urls.py (limited to 'proper-random/django/srpproject') diff --git a/proper-random/django/srpproject/__init__.py b/proper-random/django/srpproject/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/proper-random/django/srpproject/manage.py b/proper-random/django/srpproject/manage.py deleted file mode 100644 index 5e78ea9..0000000 --- a/proper-random/django/srpproject/manage.py +++ /dev/null @@ -1,11 +0,0 @@ -#!/usr/bin/env python -from django.core.management import execute_manager -try: - import settings # Assumed to be in the same directory. -except ImportError: - import sys - sys.stderr.write("Error: Can't find the file 'settings.py' in the directory containing %r. It appears you've customized things.\nYou'll have to run django-admin.py, passing it your settings module.\n(If the file settings.py does indeed exist, it's causing an ImportError somehow.)\n" % __file__) - sys.exit(1) - -if __name__ == "__main__": - execute_manager(settings) diff --git a/proper-random/django/srpproject/settings.py b/proper-random/django/srpproject/settings.py deleted file mode 100644 index 804c81d..0000000 --- a/proper-random/django/srpproject/settings.py +++ /dev/null @@ -1,80 +0,0 @@ -# Django settings for srpproject project. - -DEBUG = True -TEMPLATE_DEBUG = DEBUG - -ADMINS = ( - # ('Your Name', 'your_email@domain.com'), -) - -MANAGERS = ADMINS - -DATABASE_ENGINE = 'mysql' # 'postgresql_psycopg2', 'postgresql', 'mysql', 'sqlite3' or 'ado_mssql'. -DATABASE_NAME = 'srp' # Or path to database file if using sqlite3. -DATABASE_USER = 'USER' # Not used with sqlite3. -DATABASE_PASSWORD = 'SECRET_PASSWORD' # Not used with sqlite3. -DATABASE_HOST = '' # Set to empty string for localhost. Not used with sqlite3. -DATABASE_PORT = '' # Set to empty string for default. Not used with sqlite3. - -# Local time zone for this installation. Choices can be found here: -# http://en.wikipedia.org/wiki/List_of_tz_zones_by_name -# although not all choices may be available on all operating systems. -# If running in a Windows environment this must be set to the same as your -# system time zone. -TIME_ZONE = 'America/Chicago' - -# Language code for this installation. All choices can be found here: -# http://www.i18nguy.com/unicode/language-identifiers.html -LANGUAGE_CODE = 'en-us' - -SITE_ID = 1 - -# If you set this to False, Django will make some optimizations so as not -# to load the internationalization machinery. -USE_I18N = True - -# Absolute path to the directory that holds media. -# Example: "/home/media/media.lawrence.com/" -MEDIA_ROOT = '' - -# URL that handles the media served from MEDIA_ROOT. Make sure to use a -# trailing slash if there is a path component (optional in other cases). -# Examples: "http://media.lawrence.com", "http://example.com/media/" -MEDIA_URL = '' - -# URL prefix for admin media -- CSS, JavaScript and images. Make sure to use a -# trailing slash. -# Examples: "http://foo.com/media/", "/media/". -ADMIN_MEDIA_PREFIX = '/media/' - -# Make this unique, and don't share it with anybody. -SECRET_KEY = 'zr3&lo)n@c%i^2*f3qlax#oembv@yl0%_d@p&gs1w^edqosy^+' - -# List of callables that know how to import templates from various sources. -TEMPLATE_LOADERS = ( - 'django.template.loaders.filesystem.load_template_source', - 'django.template.loaders.app_directories.load_template_source', -# 'django.template.loaders.eggs.load_template_source', -) - -MIDDLEWARE_CLASSES = ( - 'django.middleware.common.CommonMiddleware', - 'django.contrib.sessions.middleware.SessionMiddleware', - 'django.contrib.auth.middleware.AuthenticationMiddleware', -) - -ROOT_URLCONF = 'srpproject.urls' - -TEMPLATE_DIRS = ( - # Put strings here, like "/home/html/django_templates" or "C:/www/django/templates". - # Always use forward slashes, even on Windows. - # Don't forget to use absolute paths, not relative paths. -) - -INSTALLED_APPS = ( - 'django.contrib.auth', - 'django.contrib.contenttypes', - 'django.contrib.sessions', - 'django.contrib.sites', - 'srpproject.srp' -) diff --git a/proper-random/django/srpproject/srp/__init__.py b/proper-random/django/srpproject/srp/__init__.py deleted file mode 100644 index e69de29..0000000 diff --git a/proper-random/django/srpproject/srp/models.py b/proper-random/django/srpproject/srp/models.py deleted file mode 100644 index 62d4c3e..0000000 --- a/proper-random/django/srpproject/srp/models.py +++ /dev/null @@ -1,12 +0,0 @@ -from django.db import models -from django.contrib import auth -# Create your models here. - -class User(models.Model): - salt = models.CharField(max_length=16) - name = models.CharField(max_length=20, unique=True) - verifier = models.CharField(max_length=65, null=True) - - def delete(self): - auth.models.objects.filter(username=self.name).delete() - super(User, self).delete() diff --git a/proper-random/django/srpproject/srp/views.py b/proper-random/django/srpproject/srp/views.py deleted file mode 100644 index 9d2563b..0000000 --- a/proper-random/django/srpproject/srp/views.py +++ /dev/null @@ -1,183 +0,0 @@ -# Create your views here. - -from django.http import HttpResponse - -from srp import models - -### -### General methods -### - -# We need randomly generated salts. This is about 100 bits of entropy. -def generate_salt(): - import string, random - randomgen = random.SystemRandom() - salt_chars = "!@#$%^&*(),./?`~;:" + string.ascii_letters + string.digits - return "".join([randomgen.choice(salt_chars) for i in range(0,16)]) - -# We want to avoid information leakage. For users that don't exist, we need salts to be consistent. -# These "fake" salts are seeded with the username and the django secret_key. They're not as random -# as true salts should be, but they should be indistinguishable to a hacker who isn't sure whether -# or not an account exists. -def generate_fake_salt(I): - import string, random, settings, hashlib - random.seed("%s:%s" % (I, settings.SECRET_KEY)) - salt_chars = "!@#$%^&*(),./?`~;:" + string.ascii_letters + string.digits - salt = "".join([random.choice(salt_chars) for i in range(0,16)]) - return salt, int(hashlib.sha256("%s:%s" % (salt, settings.SECRET_KEY)).hexdigest(), 16) - -def login_page(request): - return HttpResponse(""" - - - - - - - - - - -
- Username:
- Password:
- -
- -""" % (request.get_host(), request.get_host(), request.get_host(),request.get_host(), request.get_host(), request.get_host())) - -def register_page(request): - return HttpResponse(""" - - - - - - - - - - -
- Username:
- Password:
- Password:
- -
- -""" % (request.get_host(), request.get_host(), request.get_host(),request.get_host(), request.get_host(), request.get_host())) - -### -### User Registration -### - -# Step 1. A client submits a username. If the username is available, we generate a salt, store it, and return it. -# Otherwise, we return an error. -def register_salt(request): - if models.User.objects.filter(name=request.POST["I"]).count() > 0: - return HttpResponse("Username already in use", mimetype="text/xml") - request.session["srp_name"] = request.POST["I"] - request.session["srp_salt"] = generate_salt() - return HttpResponse("%s" % request.session["srp_salt"], mimetype="text/xml") - -# Step 2. The client creates the password verifier and sends it to the server, along with a username. -def register_user(request): - from django.contrib import auth - models.User(salt=request.session["srp_salt"], name=request.session["srp_name"], verifier=request.POST["v"]).save() - auth.models.User.objects.create_user(request.session["srp_name"],'', str(request.POST["v"])) - del request.session["srp_salt"] - del request.session["srp_name"] - return HttpResponse("", mimetype="text/xml"); - -# Step 3: The client initiates the login process. - -### -### User Login -### - -# Step 1: The user sends an identifier and public ephemeral key, A -# The server responds with the salt and public ephemeral key, B -def handshake(request): - import random, hashlib - randomgen = random.SystemRandom() - request.session["srp_I"] = request.POST["I"] - A = int(request.POST["A"], 16) - request.session["srp_A"] = request.POST["A"] - g = 2 - N = 125617018995153554710546479714086468244499594888726646874671447258204721048803 - k = 88846390364205216646376352624313659232912717719075174937149043299744712465496 - if A % N == 0: - return HttpResponse("Invalid ephemeral key.", mimetype="text/xml") - else: - try: - user = models.User.objects.get(name=request.session["srp_I"]) - salt = user.salt - v = int(user.verifier, 16) - # We don't want to leak that the username doesn't exist. Make up a fake salt and verifier. - except models.User.DoesNotExist: - salt, x = generate_fake_salt(request.POST["I"]) - v = pow(g, x, N) - - request.session["srp_v"] = hex(v)[2:-1] - - # Ensure that B%N != 0 - while True: - b = randomgen.getrandbits(32) - B = k*v + pow(g,b,N) - u = int(hashlib.sha256("%s%s" % (hex(A)[2:-1],hex(B)[2:-1])).hexdigest(), 16) - if B % N != 0 and u % N != 0: break - - response = "" % (salt, hex(B)[2:-1]) - # Ideally, we could return this response and then calculate M concurrently with the user - # Unfortunately, django isn't designed to do computations after responding. - # Maybe someone will find a way. - S = pow(A*pow(v,u,N), b, N) - request.session["srp_S"] = hex(S)[2:-1] - Mstr = "%s%s%s" % (hex(A)[2:-1],hex(B)[2:-1],hex(S)[2:-1]) - response = "" % (salt, hex(B)[2:-1]) - request.session["srp_M"] = hashlib.sha256(Mstr).hexdigest() - return HttpResponse(response, mimetype="text/xml") - -# Step 2: The client sends its proof of S. The server confirms, and sends its proof of S. -def verify(request): - import hashlib - from django.contrib import auth - if request.POST["M"] == request.session["srp_M"]: - # H(A, M, K) - user = auth.authenticate(username=request.session["srp_I"], password=str(request.session["srp_v"])) - if user != None: - response = "%s" % hashlib.sha256("%s%s%s" % (request.session["srp_A"], request.session["srp_M"], request.session["srp_S"])).hexdigest() - auth.login(request, user) - else: - response = "Authentication failed. This is likely a server problem." - else: - response = "Invalid username or password." - try: - del request.session["srp_I"] - del request.session["srp_v"] - del request.session["srp_M"] - del request.session["srp_S"] - del request.session["srp_A"] - except KeyError: - pass - return HttpResponse(response, mimetype="text/xml") diff --git a/proper-random/django/srpproject/urls.py b/proper-random/django/srpproject/urls.py deleted file mode 100644 index a2da712..0000000 --- a/proper-random/django/srpproject/urls.py +++ /dev/null @@ -1,24 +0,0 @@ -from django.conf.urls.defaults import * - -# Uncomment the next two lines to enable the admin: -# from django.contrib import admin -# admin.autodiscover() -from srpproject.srp import views - -urlpatterns = patterns('', - # Example: - # (r'^srpproject/', include('srpproject.foo.urls')), - - # Uncomment the admin/doc line below and add 'django.contrib.admindocs' - # to INSTALLED_APPS to enable admin documentation: - # (r'^admin/doc/', include('django.contrib.admindocs.urls')), - - # Uncomment the next line to enable the admin: - # (r'^admin/(.*)', admin.site.root), - (r'^srp/register/salt/$', views.register_salt), - (r'^srp/register/user/$', views.register_user), - (r'^srp/handshake/$', views.handshake), - (r'^srp/authenticate/$', views.verify), - (r'^srp/login/$', views.login_page), - (r'^srp/register/$', views.register_page), -) -- cgit v1.2.3