bugfix - zero padded salts do not break login anymore
authorAzul <azul@riseup.net>
Fri, 5 Oct 2012 14:34:07 +0000 (16:34 +0200)
committerAzul <azul@riseup.net>
Fri, 5 Oct 2012 14:34:07 +0000 (16:34 +0200)
lib/srp/util.rb
test/session_test.rb

index 1e4beac..3bed1d3 100644 (file)
@@ -41,7 +41,7 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5
 
     #  Hashes the hex args
     def sha256_hex(*args)
-      h = args.join('')
+      h = args.map{|a| a.length.odd? ? "0#{a}" : a }.join('')
       sha256_str([h].pack('H*'))
     end
 
index f41b34b..9d1b92f 100644 (file)
@@ -24,5 +24,20 @@ class SessionTest < Test::Unit::TestCase
     assert_equal m2, session.authenticate(m)
   end
 
-
+  def test_zero_padded_salt
+    @username = "RLNFB7"
+    password = "NRH9NRT958BO"
+    @salt = "0401b02e".hex
+    @verifier = "943c7bf983b9afd0e08ba7d9c9da68cbf8bc88f05d564f002bd669130bb66ceb2b5aafa5c4a9cac09f42a17f7079b67a964365022283cc249446a165ca9e02855d188ca193bf0b4703d0d83254623e3e91576ba1f3b353981836226f3e9c36b7592a6a0daa608018273e7d3a3cb8615eee3606af9eec4a83e1947c8717f9415e".hex
+    aa = "ea40a95b4ccf1934767e9098f0f5639f5b83321eb77137f3c7b50bb90323651ebbe14b08956e471d4b96ae12c96814fbc56bfe408afd4cffca17d53dc30653a2e9e0e57f5b97e8736a5a90470708a32f63e6417651303e331d6c3bf3d229379dd746fb9f47220ee52b6da008ce88710de27c058841d56644d58e98e1c8795371".hex
+    b = "78e12fc099be1409e0fce3bf84484d89d58710bcc3d8a0e05227fb291be3fb28".hex
+    bb = "d8d50a862b7e8a897f8b0554c4a474e8aa152bd08f23436773fbb977e81cbf5e8262937ffb7ad6b72e3aa7f72deec947cdb286ab466e490d7c544bf443331ad12657c8f9bb2aabf508b73ea1ed29d03a060f5f2a70baef858bdb79c5c878844c058fe10c2cc746b0fb701e98d8d6405ab7d0b65bb4f87cf8e47b25ae4ee6e53b".hex
+    m = "d5cbec7254ce66f421ceddbfe8a0a8991b5be2aa9c25d868f073f4459dfc358b".hex
+    client = SRP::Client.new(@username, password, @salt)
+    assert_equal @verifier.to_s(16), client.verifier.to_s(16)
+    session = SRP::Session.new(self, aa)
+    session.send(:initialize_server, aa, b) # seeding b to compare to py_srp
+    assert_equal bb.to_s(16), session.bb.to_s(16)
+    assert session.authenticate(m)
+  end
 end