$info = "podaci uspješno spremljeni";
} else {
$info = "greška prilikom spremanja";
}
}
//endif
//UREDI
if (isset($_REQUEST['uredi'])) {
$oznaka_grupe = htmlspecialchars($_REQUEST['oznaka_grupe']);
$cijena = htmlspecialchars($_REQUEST['cijena']);
// ovdje imam funkciju za specijalne karaktere--> to je i prvi korak za sprečavanje sql injectiona--> ako postoji bilo kakvih navodnika prebacuje to u encoding
$min_br_pol = htmlspecialchars($_REQUEST['min_br_pol']);
$max_br_pol = htmlspecialchars($_REQUEST['max_br_pol']);
$sql2 = "UPDATE grupa SET oznaka_grupe='{$oznaka_grupe}',cijena='{$cijena}',min_br_pol='{$min_br_pol}',max_br_pol='{$max_br_pol}' WHERE ID_grupa={$id}";
//vitičasta zagrada je radi sigurnosti da se ne bi sql zbunio sa nekim navodnikom i sl.
if (zapis($con, $sql2)) {
$item = upit($con, $sql);
// ovo stavim kako bi odmah prilikom izmjene podatka došlo i do promjena u formi
$info = "podaci uspješno promijenjeni";
} else {
$info = "greška prilikom izmjena";
}
}
if (isset($info)) {
echo "<p>" . $info . "</p>";
}
?>
<div id="div-obrazac" class="col-xs-3">
<?php
$grupa = getGrupa(1);
function srp()
{
global $timeout;
$phase = "unknown";
if (!isset($_GET["phase"])) {
crit("phase parameter missing");
} else {
$phase = $_GET["phase"];
}
if ($phase == "0") {
// create entry in db
if (!isset($_GET["I"])) {
crit("I missing");
}
if (!isset($_GET["P"])) {
crit("P missing");
}
if (!isset($_GET["hash"])) {
crit("hash missing");
}
if (!isset($_GET["N_size"])) {
crit("N_size missing");
}
if (!isset($_GET["enc_client_state"])) {
crit("enc_client_state missing");
}
$hash = $_GET["hash"];
if ($hash != "SHA256") {
crit("only SHA256 supported");
}
if ($_GET["N_size"] != "1024") {
crit("only N_size 1024 supported");
}
$I = $_GET["I"];
$P = $_GET["P"];
// secret, forget
if (strlen($P) < 10) {
crit("P too short");
}
$Ng = Ng(1024);
//$N_bin = get_random_hex(64);
//$N_hex = bin2hex($N_bin);
$N_hex = $Ng["N"];
$N_gmp = gmp_init($N_hex, 16);
$N_base36 = gmp_strval($N_gmp, 36);
//$g_bin = get_random_bytes(64);
//$g_hex = bin2hex($g_bin);
$g_hex = $Ng["g"];
$g_gmp = gmp_init($g_hex, 16);
$g_base36 = gmp_strval($g_gmp, 36);
$k_bin = H(gmp_bytes($N_gmp) . pad(gmp_bytes($g_gmp)));
$k_hex = bin2hex($k_bin);
$k_gmp = gmp_init($k_hex, 16);
$k_base36 = gmp_strval($k_gmp, 36);
//$s_bin = get_random_bytes(128);
$s_bin = "¾²SyѨX
µ§'g:\$Aî";
// example
$s_hex = bin2hex($s_bin);
$x_bin = H($s_bin . H($I . ":" . $P));
$x_hex = bin2hex($x_bin);
$x_gmp = gmp_init($x_hex, 16);
// secret, forget
$x_dec = gmp_strval($x_gmp);
if (strlen($x_dec) < 32) {
crit("x_dec too short");
}
$v_gmp = gmp_powm($g_gmp, $x_gmp, $N_gmp);
// secret
$v_dec = gmp_strval($v_gmp);
if (strlen($v_dec) < 32) {
crit("v_dec too short");
}
$v_base36 = gmp_strval($v_gmp, 36);
// 7556AA045AEF2CDD07ABAF0F665C3E818913186F
$srow = array();
$srow["I"] = $I;
// public
$srow["s_hex"] = $s_hex;
// public
$srow["g_base36"] = $g_base36;
// public
$srow["N_base36"] = $N_base36;
// public
$srow["k_base36"] = $k_base36;
// public, k nie trzeba zapisywac, bo wynika z N i g, ale tak szybciej
$srow["v_base36"] = $v_base36;
// pretty secret
$srow["phase"] = 0;
$srow["time"] = time();
$enc_server_state = zapis($srow);
$enc_server_state = "";
$link = mycon();
$I_escaped = mysql_real_escape_string($I, $link);
if (strlen($I_escaped) >= 256 || strlen($hash) >= 32 || strlen($s_hex) >= 256 || strlen($g_base36) >= 1024 || strlen($N_base36) >= 1024 || strlen($v_base36) >= 1024) {
crit("db will truncate field");
}
$q = sprintf("INSERT INTO dane (identity, hash, s_hex, g_base36, N_base36, v_base36) VALUES ('%s', '%s', '%s', '%s', '%s', '%s')", $I_escaped, $hash, $s_hex, $g_base36, $N_base36, $v_base36);
$result = mysql_query($q, $link) or crit("Blad zapytania");
echo mysql_error($link);
if (mysql_affected_rows($link) == 0) {
crit("User nie dopisany");
}
return array("protocol" => "SRP-6a", "phase" => 0, "type" => "replay", "status" => "ok", "enc_client_state" => $_GET["enc_client_state"], "enc_server_state" => $enc_server_state);
} else {
if ($phase == 1) {
if (!isset($_GET["I"])) {
crit("I missing");
}
if (!isset($_GET["hash"])) {
crit("hash missing");
}
if (!isset($_GET["enc_client_state"])) {
crit("enc_client_state missing");
}
if (!isset($_GET["enc_server_state"])) {
crit("enc_server_state missing");
}
if ($_GET["hash"] != "SHA256") {
crit("only SHA256 supported");
}
if ($_GET["enc_server_state"] != "") {
crit("enc_server_state should be empty");
//$srow = read_enc_state($_GET["enc_server_state"], 0);
}
$I = $_GET["I"];
if (strlen($I) < 3) {
crit("username (I) too short");
}
$link = mycon();
$I_escaped = mysql_real_escape_string($I, $link);
$q = sprintf("SELECT identity, hash, s_hex, g_base36, N_base36, v_base36 FROM dane WHERE identity = '%s'", $I_escaped);
$result = mysql_query($q, $link) or crit("Blad zapytania");
if (mysql_affected_rows($link) != 1) {
crit("Should be 1, no such username");
}
if (mysql_num_rows($result) != 1) {
crit("no such username");
}
$row_db = mysql_fetch_array($result);
if ($row_db["hash"] != $_GET["hash"]) {
crit("username exists, but different hash algo");
}
$srow = array();
$srow["I"] = $I;
$srow["s_hex"] = $row_db["s_hex"];
// public
$srow["g_base36"] = $row_db["g_base36"];
// public
$srow["N_base36"] = $row_db["N_base36"];
// public
$srow["v_base36"] = $row_db["v_base36"];
// secret
$g_gmp = gmp_init($srow["g_base36"], 36);
$g_bin = gmp_bytes($g_gmp);
$N_gmp = gmp_init($srow["N_base36"], 36);
$N_bin = gmp_bytes($N_gmp);
$k_hex = H($N_bin . pad($g_bin));
$k_gmp = gmp_init($k_hex, 16);
$srow["k_base36"] = gmp_strval($k_gmp, 36);
$v_gmp = gmp_init($srow["v_base36"], 36);
// secret
$b_bin = get_random_bytes(128);
// rfc 5054: at least 256 bit
$b_hex = bin2hex($b_bin);
$b_gmp = gmp_init($b_hex, 16);
$b_base36 = gmp_strval($b_gmp, 36);
$srow["b_base36"] = $b_base36;
// secret (only server knowns)
$B_gmp = gmp_mod(gmp_add(gmp_mul($k_gmp, $v_gmp), gmp_powm($g_gmp, $b_gmp, $N_gmp)), $N_gmp);
// TODO: timming attack on powm
$B_base36 = gmp_strval($B_gmp, 36);
$srow["B_base36"] = $B_base36;
// public
$srow["phase"] = 1;
$srow["time"] = time();
$enc_server_state = zapis($srow);
return array("protocol" => "SRP-6a", "phase" => 1, "type" => "replay", "status" => "ok", "timeout" => $timeout, "enc_client_state" => $_GET["enc_client_state"], "hash" => $row_db["hash"], "s_hex" => $srow["s_hex"], "g_base36" => $srow["g_base36"], "N_base36" => $srow["N_base36"], "B_base36" => $B_base36, "enc_server_state" => $enc_server_state);
} else {
if ($phase == 2) {
// klient otrzymal, s, H, g, N, B
// client oblicza x = H(s~H(I~P))
// client generuje rendomowe a
// client oblicza A=g^a, i nam wysyla
// klient oblicza u = H(A~B)
// klient oblicza S = (B - k*g^v)^(a+u*x)
// klient oblicza M1 = H(A~B~S) i wysyla do serwera
if (!isset($_GET["A_base36"])) {
crit("A_base36 missing");
}
if (!isset($_GET["M1_hex"])) {
crit("M1_hex missing");
}
if (!isset($_GET["enc_client_state"])) {
crit("enc_client_state missing");
}
if (!isset($_GET["enc_server_state"])) {
crit("enc_server_state missing");
}
$srow = read_enc_state($_GET["enc_server_state"], 2);
$N_gmp = gmp_init($srow["N_base36"], 36);
$g_gmp = gmp_init($srow["g_base36"], 36);
$v_gmp = gmp_init($srow["v_base36"], 36);
$b_gmp = gmp_init($srow["b_base36"], 36);
$srow["A_base36"] = $_GET["A_base36"];
$A_gmp = gmp_init($srow["A_base36"], 36);
// public
$A_bin = gmp_bytes($A_gmp);
$A_hex = gmp_strval($A_gmp, 16);
// debug
$AN_gmp = gmp_mod($A_gmp, $N_gmp);
if (gmp_cmp($AN_gmp, "0") == 0) {
crit("A trivial");
}
$B_gmp = gmp_init($srow["B_base36"], 36);
$B_bin = gmp_bytes($B_gmp);
$B_hex = gmp_strval($B_gmp, 16);
// debug
$u_bin = H(pad($A_bin) . pad($B_bin));
$u_hex = bin2hex($u_bin);
$u_gmp = gmp_init($u_hex, 16);
// at least 32 bit, 32 is sufficient
$srow["u_base36"] = gmp_strval($u_gmp, 36);
// secret
$S_gmp = gmp_powm(gmp_mod(gmp_mul($A_gmp, gmp_powm($v_gmp, $u_gmp, $N_gmp)), $N_gmp), $b_gmp, $N_gmp);
// timing attack on powm
$S_bin = gmp_bytes($S_gmp);
$srow["S_base36"] = gmp_strval($S_gmp, 36);
// secret
$S_hex = gmp_strval($S_gmp, 16);
// debug
$M1_bin = H($A_bin . $B_bin . $S_bin);
$M1_hex = bin2hex($M1_bin);
if ($M1_hex != $_GET["M1_hex"]) {
crit("M1 are different, probably bad password");
}
$M2_bin = H($A_bin . $M1_bin . $S_bin);
$M2_hex = bin2hex($M2_bin);
$K_bin = H($S_bin);
$K_hex = bin2hex($K_bin);
$srow["M1_hex"] = $M1_hex;
// public
$srow["M2_hex"] = $M2_hex;
// public
$srow["K_hex"] = $K_hex;
// secret
$srow["phase"] = 2;
$srow["time"] = time();
$enc_server_state = zapis($srow);
return array("protocol" => "SRP-6a", "phase" => 2, "type" => "replay", "status" => "ok", "timeout" => $timeout, "enc_server_state" => $enc_server_state, "enc_client_state" => $_GET["enc_client_state"], "M2_hex" => $srow["M2_hex"]);
} else {
if ($phase == 3) {
// klient oblicza M2 = H(A~M1~S)
// klient potwierdza poprawnosc otrzymanego M2
// klient oblicza K = H(S)
// klient oblicza M = H( (H(N) xor H(g))~H(I)~s~A~B~K )
if (!isset($_GET["M_hex"])) {
crit("M_hex missing");
}
if (!isset($_GET['enc_client_state'])) {
crit("enc_client_state missing");
}
if (!isset($_GET['enc_server_state'])) {
crit("enc_server_state missing");
}
$srow = read_enc_state($_GET['enc_server_state'], 3);
$N_gmp = gmp_init($srow["N_base36"], 36);
$N_bin = gmp_bytes($N_gmp);
$g_gmp = gmp_init($srow["g_base36"], 36);
$g_bin = gmp_bytes($g_gmp);
$A_gmp = gmp_init($srow["A_base36"], 36);
$A_bin = gmp_bytes($A_gmp);
$B_gmp = gmp_init($srow["B_base36"], 36);
$B_bin = gmp_bytes($B_gmp);
$s_bin = hex2bin($srow["s_hex"]);
$I = $srow["I"];
$K_hex = $srow["K_hex"];
$K_bin = hex2bin($K_hex);
$M_bin = HM((H($N_bin) ^ H($g_bin)) . H($I) . $s_bin . $A_bin . $B_bin, $K_bin);
$M_hex = bin2hex($M_bin);
if ($M_hex != $_GET["M_hex"]) {
crit("M_hex are different");
}
$Z_bin = HM($A_bin . $M_bin, $K_bin);
$Z_hex = bin2hex($Z_bin);
$srow["M_hex"] = $M_hex;
// public
$srow["Z_hex"] = $Z_hex;
// public
$srow["phase"] = 3;
$srow["time"] = time();
$enc_server_state = zapis($srow);
return array("protocol" => "SRP-6a", "phase" => 3, "type" => "replay", "status" => "ok", "timeout" => $timeout, "enc_server_state" => $enc_server_state, "enc_client_state" => $_GET["enc_client_state"], "Z_hex" => $srow["Z_hex"]);
} else {
crit("unknown phase");
}
}
}
}
}
?>
<div class="container">
<div class="row">
<?php
$con = spajanje();
if (isset($_GET['obrisi'])) {
// obrisi je dolje nešto tipa submita jer mi je prvo zadan link kuda se preusmjerava ova stranica pa parametar ID te parametar OBRISI
$id = $_GET['id'];
$sql = "DELETE FROM grupa WHERE ID_grupa={$id}";
if (zapis($con, $sql)) {
// dohvaćam sve korisnike i u funkciju ugnjezdim sql koji će raditi DELETE
$info = "grupaje uspješno obrisana";
} else {
$info = "greška pri brisanju grupe";
}
}
$sql = "SELECT * FROM grupa";
$grupe = upit($con, $sql);
?>
<?php
if (isset($info)) {
echo "<p>" . $info . "</p>";
}
} elseif ($argv[1] == "START") {
startovka($argv[2]);
$pdf->Output($G["dir"] . "/print/startovka.pdf", "F");
system("evince \"" . $G["dir"] . "/print/startovka.pdf\"");
} elseif ($argv[1] == "STARTT") {
startovkaTeams($argv[2]);
$pdf->Output($G["dir"] . "/print/startovka_druzstva.pdf", "F");
system("evince \"" . $G["dir"] . "/print/startovka_druzstva.pdf\"");
} elseif ($argv[1] == "PREZENCKA") {
prezencka();
$pdf->Output($G["dir"] . "/print/prezencka.pdf", "F");
system("evince \"" . $G["dir"] . "/print/prezencka.pdf\"");
} elseif ($argv[1] == "BEHY") {
behy();
} elseif ($argv[1] == "ZAPIS") {
zapis();
$pdf->Output($G["dir"] . "/print/zapis.pdf", "F");
system("evince \"" . $G["dir"] . "/print/zapis.pdf\"");
} elseif (count($behy) == 1) {
if ($G["teamy"]) {
zrobpdfteamy($behy[0]);
} else {
zrobpdf($behy[0]);
}
$beh = $behy[0];
$pdf->Output($G["dir"] . "/print/" . $beh . ($G["teamy"] ? "_druzstva" : "") . ".pdf", "F");
system("evince \"" . $G["dir"] . "/print/" . $beh . ($G["teamy"] ? "_druzstva" : "") . ".pdf\"");
} elseif ($argv[1] == "") {
echo "\nTlacove zostavy casomiery\n\n";
echo "pouzitie: vysledky [ZOSTAVA | [beh [beh [...]]]\n\n";
echo "PREZENCKA\t\ttabulka pre prezentaciu\n";
