| author | Azul <azul@leap.se> | 2012-07-26 12:08:55 +0200 | 
|---|---|---|
| committer | Azul <azul@leap.se> | 2012-07-26 12:08:55 +0200 | 
| commit | fe55f0cd2707507649d5979beae6fa3400252d56 (patch) | |
| tree | b12fc700ec096cf50954bafcd6cb8e49624996fe | |
| parent | b9510e0c035a26b6d2aa55f82278d1743f2e3e07 (diff) | |
we cache neither the verifier nor the secret in the session just in case
People might store the session in a CookieStore - which would probably be a bad idea anyway - but let's be safe rather than sorry.
| -rw-r--r-- | lib/srp/authentication.rb | 26 | 
1 files changed, 11 insertions, 15 deletions
|
diff --git a/lib/srp/authentication.rb b/lib/srp/authentication.rb
index 96f68fe..a2431d0 100644
--- a/lib/srp/authentication.rb
+++ b/lib/srp/authentication.rb
@@ -14,31 +14,27 @@ module SRP
         @b = bigrand(32).hex
         # B = g^b + k v (mod N)
         @bb = (modpow(GENERATOR, @b, PRIME_N) + multiplier * verifier) % PRIME_N
-        @verifier = verifier
       end
       def u
         calculate_u(aa, bb, PRIME_N)
       end
-      def secret
-        @s ||= calculate_secret
+      # do not cache this - it's secret and someone might store the
+      # session in a CookieStore
+      def secret(verifier)
+        base = (modpow(verifier, u, PRIME_N) * aa) % PRIME_N
+        modpow(base, @b, PRIME_N)
       end
-      def m1
-        calculate_m(aa, bb, secret)
+      def m1(verifier)
+        calculate_m(aa, bb, secret(verifier))
       end
-      def m2
-        calculate_m(aa, m1, secret)
+      def m2(m1, verifier)
+        calculate_m(aa, m1, secret(verifier))
       end
-      protected
-
-      def calculate_secret
-        base = (modpow(@verifier, u, PRIME_N) * aa) % PRIME_N
-        modpow(base, @b, PRIME_N)
-      end
     end
     def initialize_auth(aa)
@@ -46,8 +42,8 @@ module SRP
     end
     def authenticate(m, session)
-      if(m == session.m1(verifier))
-        return session.m2
+      if(m == session.m1(verifier))
+        return session.m2(m, verifier)
       end
     end
|
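Review bot: `@b` is still kept on the session object after this change, and the context comment beside it gives `B = g^b + k v (mod N)`, so anyone who can read a serialized session (the CookieStore case the commit message worries about) and also sees the public B can still work back to the verifier. Dropping `@verifier` and the cached secret therefore does not by itself make the session safe to store client-side. I would say so next to the assignment, e.g. `# @b is as sensitive as the verifier: keep this session server-side only`, or exclude the ivar from serialization. The initializer that sets `@b` starts outside this hunk, so any handling already present there is not visible.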
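Review bot: `m == session.m1(verifier)` in `authenticate` checks the client proof with an ordinary `==`, which may return as soon as the two values differ. For an authentication proof, a constant-time comparison of fixed-length digests is the safer choice, e.g. `Rack::Utils.secure_compare(m, expected)` if both sides are strings and Rack is available (the type of `m` is not visible here). `verifier` is not defined anywhere in this hunk, so the including class presumably has to supply it; a one-line comment on `authenticate` such as `# requires the includer to respond to #verifier` would make that dependency explicit.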
