﻿// JavaScript implementation of challenge-response login on Xcas

var xcasSecurity = (function() {
    // wrap the login/logout functions, including the hashing algorithm, in their own namespace

    /*
    * A JavaScript implementation of the Secure Hash Algorithm, SHA-1, as defined
    * in FIPS PUB 180-1
    * Copyright (C) Paul Johnston 2000 - 2002.
    * See http://pajhome.org.uk/site/legal.html for details.
    */

    /*
    * Convert a 32-bit number to a hex string with ms-byte first
    */

    var hex_chr = "0123456789abcdef";
    function hex(num) {
        // walk the nibbles from bit 28 down to bit 0; a negative int32 is
        // rendered as its two's-complement bits (e.g. -1 -> "ffffffff")
        var digits = "";
        for (var shift = 28; shift >= 0; shift -= 4) {
            digits += hex_chr.charAt((num >> shift) & 0x0F);
        }
        return digits;
    }

    /*
    * Lay a string out as SHA-1 input: an array of big-endian 32-bit words,
    * 16 per 512-bit block, with the 0x80 terminator bit and the message
    * length in bits (low 32 bits only) appended as FIPS 180-1 prescribes.
    *
    * NOTE(review): each UTF-16 code unit is OR-ed straight into its byte slot,
    * so only code units 0..255 map cleanly to one byte; anything above 0xFF
    * spills into the neighbouring byte and the digest then matches SHA-1 over
    * no standard byte encoding. A server hashing UTF-8 will not accept such
    * (non-Latin-1) passwords -- confirm which encoding the server uses.
    */
    function str2blks_SHA1(str) {
        var len = str.length;
        var nwords = (((len + 8) >> 6) + 1) * 16;   // whole blocks incl. padding
        var blks = [];
        for (var k = 0; k < nwords; k++) blks.push(0);

        var pos = 0;
        while (pos < len) {
            blks[pos >> 2] |= str.charCodeAt(pos) << (24 - (pos % 4) * 8);
            pos++;
        }
        // single 1-bit terminator directly after the message ...
        blks[pos >> 2] |= 0x80 << (24 - (pos % 4) * 8);
        // ... and the bit length in the last word of the last block
        blks[nwords - 1] = len * 8;
        return blks;
    }

    /*
    * 32-bit wrapping addition. The operands are split into 16-bit halves so
    * no intermediate leaves the exact-integer range -- a historical workaround
    * for buggy interpreters, kept for fidelity with the original.
    */
    function safe_add(x, y) {
        var low = (x & 0xFFFF) + (y & 0xFFFF);
        var carry = low >> 16;
        var high = (x >> 16) + (y >> 16) + carry;
        return (high << 16) | (low & 0xFFFF);
    }

    /*
    * Rotate a 32-bit value left by cnt bits (callers use 1, 5 and 30).
    */
    function rol(num, cnt) {
        var wrapped = num >>> (32 - cnt);   // bits pushed out at the top re-enter at the bottom
        return (num << cnt) | wrapped;
    }

    /*
    * Round function f_t of FIPS 180-1: Ch for rounds 0-19, Parity for 20-39,
    * Maj for 40-59 and Parity again for 60-79.
    */
    function ft(t, b, c, d) {
        var ch = (b & c) | ((~b) & d);
        var parity = b ^ c ^ d;
        var maj = (b & c) | (b & d) | (c & d);
        return t < 20 ? ch : t < 40 ? parity : t < 60 ? maj : parity;
    }

    /*
    * Round constant K_t of FIPS 180-1 for round t, as a signed int32
    * (0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xCA62C1D6).
    */
    function kt(t) {
        if (t < 20) return 1518500249;
        if (t < 40) return 1859775393;
        if (t < 60) return -1894007588;
        return -899497514;
    }

    /*
    * SHA-1 of a string, returned as 40 lowercase hex characters. Input is
    * consumed one code unit per byte (see str2blks_SHA1 for the caveat).
    *
    * NOTE(review): SHA-1 is no longer considered collision resistant. That does
    * not by itself break the challenge-response use below, but an unkeyed hash
    * of password||challenge is not an HMAC and gives no resistance to offline
    * guessing by anyone who observes both values.
    */
    function calcSHA1(str) {
        var blocks = str2blks_SHA1(str);
        var w = new Array(80);

        // initial hash value H0..H4 as signed int32 (0x67452301, 0xEFCDAB89,
        // 0x98BADCFE, 0x10325476, 0xC3D2E1F0)
        var h0 = 1732584193;
        var h1 = -271733879;
        var h2 = -1732584194;
        var h3 = 271733878;
        var h4 = -1009589776;

        for (var off = 0; off < blocks.length; off += 16) {
            // expand the 16 message words of this block into the 80-word schedule
            var t;
            for (t = 0; t < 16; t++) w[t] = blocks[off + t];
            for (t = 16; t < 80; t++)
                w[t] = rol(w[t - 3] ^ w[t - 8] ^ w[t - 14] ^ w[t - 16], 1);

            var a = h0;
            var b = h1;
            var c = h2;
            var d = h3;
            var e = h4;
            for (t = 0; t < 80; t++) {
                var temp = safe_add(safe_add(rol(a, 5), ft(t, b, c, d)),
                                    safe_add(safe_add(e, w[t]), kt(t)));
                e = d;
                d = c;
                c = rol(b, 30);
                b = a;
                a = temp;
            }

            // fold this block's result into the running hash
            h0 = safe_add(h0, a);
            h1 = safe_add(h1, b);
            h2 = safe_add(h2, c);
            h3 = safe_add(h3, d);
            h4 = safe_add(h4, e);
        }
        return hex(h0) + hex(h1) + hex(h2) + hex(h3) + hex(h4);
    }

    // internal helpers. NOTE(review): they are assigned to `this`, which for a
    // plain (non-strict) function call is the global object, so sendRequest,
    // getChallenge and sendResponse become globals rather than private
    // closures; the bare-name calls below resolve through that global.
    
    // prefix for every service URL; empty means relative to the current page.
    // Set through the public setSiteRootUrl.
    var siteRootUrl = "";
    
    this.sendRequest = function(url) {
        // Issue a *synchronous* GET to `url` and hand back the finished request
        // object (callers inspect .status / .responseXML). Synchronous XHR
        // blocks the page until the server answers.
        // Failures in constructing, opening or sending the request are
        // reported through throwError with the offending URL appended.
        // NOTE(review): throwError and errorMessages are used as bare names
        // here but are only defined as properties of the object returned at
        // the bottom of this module; unless the host page defines globals of
        // the same name, this catch block raises a ReferenceError instead of
        // the intended RequestFailed message.

        // Prefer the MSXML ActiveX control (legacy IE) and fall back to the
        // native XMLHttpRequest when ActiveXObject is unavailable or refuses.
        function createRequest() {
            try {
                return new ActiveXObject("Msxml2.XMLHTTP");
            } catch (ignored) {
                return new XMLHttpRequest(); // Mozilla
            }
        }

        var request = null;
        try {
            request = createRequest();
            request.open("GET", url, false);
            // defeat caching so every challenge/login call reaches the server
            request.setRequestHeader("Pragma", "no-cache");
            request.setRequestHeader("Cache-Control", "no-cache");
            request.send(null);
            return request;
        }
        catch (err) {
            throwError(errorMessages["requestFailed"] + " (" + url + ")\n\n" + err.toString(), request);
        }
    };

    this.getChallenge = function(userName) {
        // Ask the server for a login challenge for `userName` and return it as
        // a string: the text content of the XML response's root element.
        // The login id is URL-encoded so it cannot alter the query string.
        // Both 200 and the access-denied status are treated as success
        // (presumably the service hands out the challenge with an access-denied
        // status to a not-yet-authenticated caller -- TODO confirm); any other
        // status, or a body that is not parseable XML, goes to throwError.
        // NOTE(review): throwError/errorMessages are not defined in this
        // closure (only on the returned public object), so that path raises a
        // ReferenceError unless the page defines same-named globals.
        var url = siteRootUrl + "Services/Security.asmx/InitializeLogin?loginid=" + encodeURIComponent(userName);
        var reply = sendRequest(url);

        var statusOk = (reply.status == HTTP_STATUS_OK) || (reply.status == HTTP_STATUS_ACCESS_DENIED);
        if (!statusOk)
            throwError(errorMessages["getChallengeFailed"], reply);

        var doc = reply.responseXML;
        if (!doc)
            throwError(errorMessages["getChallengeFailed"], reply);

        // browsers expose the root element's text in different ways
        var root = doc.documentElement;
        if (typeof root.textContent != 'undefined')
            return root.textContent;                                    // Moz & Opera
        if (typeof doc.text != 'undefined')
            return doc.text;                                            // IE (& Opera, but there it has additional whitespace)
        return new XMLSerializer().serializeToString(root.firstChild);  // Safari
    };

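    this.sendResponse = function(response) {
        // Submit the computed challenge response. Returns the completed request
        // on success, null when the server refuses the credentials (access-denied
        // status, or a body other than "true"), and throws via throwError on
        // any other failure.
        //
        // `response` is URL-encoded, as getChallenge already does for the login
        // id, so a value with reserved characters cannot break or extend the
        // query string. The hex digest produced by login() is unaffected, but
        // this function is also reachable directly.
        // NOTE(review): the password-derived digest travels as a GET query
        // parameter, so it lands in browser history and server/proxy access
        // logs; a POST body would keep it out of those.
        // NOTE(review): throwError/errorMessages are not defined in this
        // closure (only on the returned public object), so the failure paths
        // below raise a ReferenceError unless the page defines same-named globals.
        var url = siteRootUrl + "Services/Security.asmx/Login?response=" + encodeURIComponent(response);
        var httpRequest = sendRequest(url);

        if (httpRequest.status == HTTP_STATUS_ACCESS_DENIED)
            return null;

        var doc = httpRequest.responseXML;
        if (!doc)
            throwError(errorMessages["sendResponseFailed"], httpRequest);

        // extract the root element's text the same way getChallenge does
        var result = null;
        if (typeof (doc.documentElement.textContent) != 'undefined')
            result = doc.documentElement.textContent; // Moz & Opera
        else if (typeof (doc.text) != 'undefined')
            result = doc.text; // IE (& Opera, but there it has additional whitespace)
        else {
            var serializer = new XMLSerializer();
            result = serializer.serializeToString(doc.documentElement.firstChild); // Safari
        }
        // the service answers a bare boolean; anything but "true" is a refusal
        if (result != "true")
            return null;

        if (httpRequest.status == HTTP_STATUS_OK)
            return httpRequest;

        throwError(errorMessages["sendResponseFailed"], httpRequest);
    };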

    // public methods
    return {
        // Set the prefix prepended to every service URL.
        setSiteRootUrl: function(url) { siteRootUrl = url; },

        // Identifiers used as the leading text of thrown error strings.
        errorMessages: {
            requestFailed: "RequestFailed",
            getChallengeFailed: "GetChallengeFailed",
            sendResponseFailed: "SendResponseFailed"
        },

        // Challenge-response login: fetch a challenge for loginId, then send
        // SHA1(password + challenge). Returns whatever sendResponse returns
        // (the request on success, null on refusal).
        //
        // NOTE(review), security: this is an unkeyed SHA-1 over
        // password||challenge -- not an HMAC and not a salted password hash.
        // Anyone who observes the challenge and the response (the response is
        // sent in a GET query string) can guess the password offline, so the
        // scheme adds no confidentiality unless the transport is encrypted; it
        // also obliges the server to keep the password in a form it can hash
        // the same way. Replay resistance rests entirely on the server issuing
        // unpredictable, single-use challenges. Code units above U+00FF are
        // not hashed as any standard byte encoding by this SHA-1 (see
        // str2blks_SHA1), so such passwords may never verify.
        login: function(loginId, password) {
            var challenge = getChallenge(loginId);
            var digest = calcSHA1(password + challenge);
            return sendResponse(digest);
        },

        // Touch the WhoAmI service and discard the reply (presumably to keep
        // the server-side session alive -- TODO confirm).
        rememberLogin: function() {
            sendRequest(siteRootUrl + "Services/CurrentUser.asmx/WhoAmI");
        },

        // Call the Logout service and return the completed request.
        logout: function() {
            return sendRequest(siteRootUrl + "Services/Security.asmx/Logout");
        },

        // Throw `msg` as a plain string, with " (status statusText)" appended
        // when a request object is supplied. Note that a string, not an Error,
        // is thrown, so callers get no stack trace.
        throwError: function(msg, request) {
            var text = "" + msg;
            if (request) {
                text += " (" + request.status + " " + request.statusText + ")";
            }
            throw text;
        }
    }
})();

