complete ajax flow is working - just auth fails

Also we currently generate the salt on the server - this should happen on the client but for now i stick to the srp-js workflow.

9 files changed, 57 insertions, 39 deletions

diff --git a/example/http-srp.rb b/example/http-srp.rb
index b2de7bf..e83036f 100644
--- a/example/http-srp.rb
+++ b/example/http-srp.rb
@@ -14,12 +14,17 @@ get '/signup' do
   erb :signup
 end
 
-post '/signup' do
+# TODO: Client should generate the salt!
+# Getting things to work the srp-js way first.
+post '/register/salt/' do
   Log.clear
-  Log.log(:signup, params)
-  @user = User.current
-  @user.signup!(params)
-  redirect '/'
+  @user = User.new(params.delete('I'))
+  erb :salt, :layout => false, :content_type => :xml
+end
+
+post '/register/user/' do
+  User.current.verifier = params.delete('v').to_i
+  erb :ok, :layout => false, :content_type => :xml
 end
 
 get '/login' do
diff --git a/example/models/user.rb b/example/models/user.rb
index 3ad8147..af92300 100644
--- a/example/models/user.rb
+++ b/example/models/user.rb
@@ -5,17 +5,21 @@ class User
     @current ||= User.new
   end
 
+  def self.current=(user)
+    @current = user
+  end
+
   attr_accessor :login
   attr_accessor :salt
   attr_accessor :verifier
   attr_accessor :active
   attr_accessor :srp
 
-  def signup!(params)
-    self.login = params.delete('login')
-    self.salt = params.delete('salt').to_i
-    self.verifier = params.delete('verifier').to_i
+  def initialize(login)
+    self.login = login
+    self.salt = OpenSSL::Random.random_bytes(10).unpack("H*")[0]
     self.active = false
+    User.current = self
   end
 
   def initialize_auth(params)
diff --git a/example/public/srp.js b/example/public/srp.js
index e68e220..51aba5c 100644
--- a/example/public/srp.js
+++ b/example/public/srp.js
@@ -1,5 +1,6 @@
 $(document).ready(function(){
   $('#login-btn').click(on_login);
+  $('#signup-btn').click(on_signup);
 });
 
 function on_login(event) {
@@ -7,3 +8,12 @@ function on_login(event) {
   srp.identify();
   event.preventDefault();
 }
+
+function on_signup(event) {
+  srp = new SRP();
+  srp.success = function() {
+    alert("Signed up successfully");
+  };
+  srp.register();
+  event.preventDefault();
+}
diff --git a/example/views/layout.erb b/example/views/layout.erb
index ab980c8..f4eae0a 100644
--- a/example/views/layout.erb
+++ b/example/views/layout.erb
@@ -23,6 +23,7 @@
 
     <script type="text/javascript" src="jquery.min.js"> </script>
     <script type="text/javascript" src="srp.min.js"> </script>
+    <script type="text/javascript" src="srp_register.min.js"> </script>
     <script type="text/javascript" src="srp.js"> </script>
 
   </body>
diff --git a/example/views/signup.erb b/example/views/signup.erb
index baeb007..6e1bbf3 100644
--- a/example/views/signup.erb
+++ b/example/views/signup.erb
@@ -4,18 +4,18 @@
   <legend>Signup to test secure remote passwords</legend>
   <div class="control-group">
     <label class="control-label" for="login">Login</label>
-    <input type="text" class"input-xlarge" name="login"></input>
+    <input type="text" class"input-xlarge" name="srp_username" id="srp_username"></input>
   </div>
 
   <div class="control-group">
     <label class="control-label" for="password">Password</label>
-    <input type="password" class"input-xlarge" name="password"></input>
-    <input type="hidden" class"input-xlarge" name="seed" value="624848790506324805995013"></input>
-    <input type="hidden" class"input-xlarge" name="verifier" value="100580140046706175735129154266794946404091486659235926309138114843862401271008476617107722147233360718775042845375531421388163398889326297385327521531575749857884877960888755227994771967905136828058233126017527751738166121598194480710839381273324624500340831193855479639683906360867824492692241079248646622455"></input>
+    <input type="password" class"input-xlarge" name="srp_password" id="srp_password"></input>
   </div>
 
+  <input type="hidden" id="srp_url" name="srp_url" value="/"></input>
+  <input type="hidden" id="srp_server" name="srp_server" value="django"></input>
   <div class="form-actions">
-    <button type="submit" class="btn btn-primary">Signup</button>
+    <button type="submit" class="btn btn-primary" id="signup-btn">Signup</button>
     <a href="/" class="btn">Cancel</a>
   </div>
 </form>
diff --git a/lib/srp/client.rb b/lib/srp/client.rb
index 7aa147c..9a27174 100644
--- a/lib/srp/client.rb
+++ b/lib/srp/client.rb
@@ -21,10 +21,7 @@ module SRP
       aa = modpow(GENERATOR, a, PRIME_N) # A = g^a (mod N)
       bb, u = server.initialize_auth(aa)
       client_s = calculate_client_s(x, a, bb, u)
-      puts "bb: " + bb.to_s
-      puts "aa: " + aa.to_s
-      puts "client_s: " + client_s.to_s
-      server.authenticate(aa, client_s)
+      server.authenticate(aa, calculate_m(aa,bb,client_s))
     end
 
     protected
@@ -36,7 +33,7 @@ module SRP
     def calculate_x(username, password, salt)
       shex = '%x' % [salt]
       spad = if shex.length.odd? then '0' else '' end
-      sha1_hex(spad + shex + sha1_str([username, password].join(':'))).hex
+      sha256_hex(spad + shex + sha256_str([username, password].join(':'))).hex
     end
 
     def calculate_client_s(x, a, bb, u)
diff --git a/lib/srp/server.rb b/lib/srp/server.rb
index 79d1b75..02d5d8b 100644
--- a/lib/srp/server.rb
+++ b/lib/srp/server.rb
@@ -39,12 +39,6 @@ module SRP
       sha256_hex(hashin).hex
     end
 
-    def calculate_m(aa, bb, s)
-      # todo: we might want to 0fill this like for u
-      hashin = '%x%x%x' % [aa, bb, s]
-      sha256_hex(hashin).hex
-    end
-
   end
 end
 
diff --git a/lib/srp/util.rb b/lib/srp/util.rb
index 0da1f8f..4325537 100644
--- a/lib/srp/util.rb
+++ b/lib/srp/util.rb
@@ -5,7 +5,12 @@ module SRP
   module Util
 
     # constants both sides know
-    PRIME_N = <<-EOS.split.join.hex # 1024 bits modulus (N)
+    # in this case taken from srp-js
+    PRIME_N = <<-EOS.split.join.hex
+115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3
+    EOS
+
+    BIG_PRIME_N = <<-EOS # 1024 bits modulus (N)
 eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c25657
 6d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089da
 d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
@@ -25,14 +30,6 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
       end
     end
 
-    def sha1_hex(h)
-      Digest::SHA1.hexdigest([h].pack('H*'))
-    end
-
-    def sha1_str(s)
-      Digest::SHA1.hexdigest(s)
-    end
-
     def sha256_hex(h)
       Digest::SHA2.hexdigest([h].pack('H*'))
     end
@@ -46,6 +43,13 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
     end
 
     def multiplier
+      return "c46d46600d87fef149bd79b81119842f3c20241fda67d06ef412d8f6d9479c58".hex % PRIME_N
+      @k ||= calculate_multiplier
+    end
+
+    protected
+
+    def calculate_multiplier
       n = PRIME_N
       g = GENERATOR
       nhex = '%x' % [n]
@@ -53,8 +57,15 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
       ghex = '%x' % [g]
       hashin = '0' * (nlen - nhex.length) + nhex \
         + '0' * (nlen - ghex.length) + ghex
-      sha1_hex(hashin).hex % n
+      sha256_hex(hashin).hex % n
     end
+
+    def calculate_m(aa, bb, s)
+      # todo: we might want to 0fill this like for u
+      hashin = '%x%x%x' % [aa, bb, s]
+      sha256_hex(hashin).hex
+    end
+
   end
 
 end
diff --git a/test/auth_test.rb b/test/auth_test.rb
index 0f76404..75aa9ad 100644
--- a/test/auth_test.rb
+++ b/test/auth_test.rb
@@ -10,10 +10,6 @@ class AuthTest < Test::Unit::TestCase
   end
 
   def test_successful_auth
-    print "salt: "
-    puts @client.salt
-    print "verifier: "
-    puts @client.verifier
     assert @client.authenticate(@server, @username, @password)
   end