From 20bf14939fbd75e3ee0206c2bf14737e2c7ac2c2 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 28 Jun 2012 19:43:40 +0200 Subject: adopted srp algo to srp-js way of doing things. all large integers are now send as hex strings. Using sha256_str all over the place. This finally gives me successful logins. Needs a log of cleanup never the less. --- example/http-srp.rb | 2 +- example/models/user.rb | 10 +++++----- example/public/srp-source | 1 + example/public/srp_register.min.js | 1 + example/views/authenticate.erb | 2 +- example/views/handshake.erb | 2 +- example/views/index.erb | 10 +++++----- example/views/layout.erb | 12 ++++++++++-- example/views/ok.erb | 2 ++ example/views/salt.erb | 2 ++ example/views/xml.erb | 2 ++ lib/srp/client.rb | 10 +++++++--- lib/srp/server.rb | 19 ++++++++++++------- lib/srp/util.rb | 2 +- test/auth_test.rb | 2 +- 15 files changed, 52 insertions(+), 27 deletions(-) create mode 120000 example/public/srp-source create mode 100644 example/public/srp_register.min.js create mode 100644 example/views/ok.erb create mode 100644 example/views/salt.erb create mode 100644 example/views/xml.erb diff --git a/example/http-srp.rb b/example/http-srp.rb index e83036f..ef43844 100644 --- a/example/http-srp.rb +++ b/example/http-srp.rb @@ -23,7 +23,7 @@ post '/register/salt/' do end post '/register/user/' do - User.current.verifier = params.delete('v').to_i + User.current.verifier = params.delete('v').hex erb :ok, :layout => false, :content_type => :xml end diff --git a/example/models/user.rb b/example/models/user.rb index af92300..d374d36 100644 --- a/example/models/user.rb +++ b/example/models/user.rb @@ -1,8 +1,7 @@ class User def self.current - # p "getting #{@current ? @current.login : 'nil'}" - @current ||= User.new + @current end def self.current=(user) @@ -17,19 +16,20 @@ class User def initialize(login) self.login = login - self.salt = OpenSSL::Random.random_bytes(10).unpack("H*")[0] + self.salt = "5d3055e0acd3ddcfc15".hex + # OpenSSL::Random.random_bytes(10).unpack("H*")[0] self.active = false User.current = self end def initialize_auth(params) self.srp = SRP::Server.new(self.salt, self.verifier) - bb, u = self.srp.initialize_auth(params.delete('A').to_i) + bb, u = self.srp.initialize_auth(params.delete('A').hex) return {:B => bb, :u => u} end def authenticate(params) - if m2 = self.srp.authenticate(params.delete('aa').to_i, params.delete('M').to_i) + if m2 = self.srp.authenticate(params.delete('M').hex) self.active = true return {:M2 => m2} else diff --git a/example/public/srp-source b/example/public/srp-source new file mode 120000 index 0000000..2b47f38 --- /dev/null +++ b/example/public/srp-source @@ -0,0 +1 @@ +/oldvar/src/srp-js/javascript/ \ No newline at end of file diff --git a/example/public/srp_register.min.js b/example/public/srp_register.min.js new file mode 100644 index 0000000..6c5a1d5 --- /dev/null +++ b/example/public/srp_register.min.js @@ -0,0 +1 @@ +eval(function(p,a,c,k,e,d){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('9 g(){3 1;b.a.e=9(){1=5;3 w=5.p()+5.o("e/f/");3 c="I="+5.K();5.n(w,c,5.u)};b.a.u=9(){3 2=1.k();8(2.j==4&&2.i==h){8(2.7.6("f").d>0){3 s=1.t(2.7.6("f")[0]);3 x=1.J(s);3 v=1.H().G(x,1.F());1.q(v.E(D))}C 8(2.7.6("r").d>0){1.B(1.t(2.7.6("r")[0]))}}};b.a.q=9(v){3 c="v="+v;3 m=1.p()+1.o("e/A/");1.n(m,c,1.l)};b.a.l=9(){3 2=1.k();8(2.j==4&&2.i==h){8(2.7.6("z").d>0){1.y()}}}};g();',47,47,'|that|xhr|var||this|getElementsByTagName|responseXML|if|function|prototype|SRP|params|length|register|salt|SRP_REGISTER|200|status|readyState|getxhr|register_user|auth_url|ajaxRequest|paths|geturl|register_send_verifier|error||innerxml|register_receive_salt||handshake_url||identify|ok|user|error_message|else|16|toString|getN|modPow|getg||calcX|getI'.split('|'),0,{})) diff --git a/example/views/authenticate.erb b/example/views/authenticate.erb index 7d6e39f..a6bf80d 100644 --- a/example/views/authenticate.erb +++ b/example/views/authenticate.erb @@ -1,6 +1,6 @@ <% if @auth[:M2] %> - <%=@auth[:M2]%> + <%="%x" % [@auth[:M2]]%> <% end %> <% if @auth[:error] %> <%=@auth[:error]%> diff --git a/example/views/handshake.erb b/example/views/handshake.erb index 66fac73..49eca91 100644 --- a/example/views/handshake.erb +++ b/example/views/handshake.erb @@ -1,2 +1,2 @@ - +<%= %Q() % [@user.salt, @auth[:B]] %> diff --git a/example/views/index.erb b/example/views/index.erb index 48d9f71..24d2501 100644 --- a/example/views/index.erb +++ b/example/views/index.erb @@ -21,12 +21,12 @@
- <% if @user.login %> + <% if @user %>

You are signed up as <%= @user.login %>.

<% end %>
- <% if @user.active %> + <% if @user && @user.active %>

You are logged in.

<% end %>
@@ -35,13 +35,13 @@
- <%= button_link(:signup, :primary => !@user.login) %> + <%= button_link(:signup, :primary => !@user) %>
- <%= button_link(:login, :primary => @user.login && !@user.active) %> + <%= button_link(:login, :primary => @user && !@user.active) %>
- <%= button_link(:verify, :primary => @user.active) %> + <%= button_link(:verify, :primary => @user && @user.active) %>
diff --git a/example/views/layout.erb b/example/views/layout.erb index f4eae0a..fc0eaf1 100644 --- a/example/views/layout.erb +++ b/example/views/layout.erb @@ -22,8 +22,16 @@ <%= yield %> - - + + + + + + + + + diff --git a/example/views/ok.erb b/example/views/ok.erb new file mode 100644 index 0000000..b0d4f93 --- /dev/null +++ b/example/views/ok.erb @@ -0,0 +1,2 @@ + + diff --git a/example/views/salt.erb b/example/views/salt.erb new file mode 100644 index 0000000..5b34b93 --- /dev/null +++ b/example/views/salt.erb @@ -0,0 +1,2 @@ + +<%="%x" % @user.salt %> diff --git a/example/views/xml.erb b/example/views/xml.erb new file mode 100644 index 0000000..0e2dcc2 --- /dev/null +++ b/example/views/xml.erb @@ -0,0 +1,2 @@ + +<%= yield %> diff --git a/lib/srp/client.rb b/lib/srp/client.rb index 9a27174..24d0c70 100644 --- a/lib/srp/client.rb +++ b/lib/srp/client.rb @@ -10,7 +10,8 @@ module SRP def initialize(username, password) @username = username @password = password - @salt = bigrand(10).hex + @salt = "5d3055e0acd3ddcfc15".hex # bigrand(10).hex + puts "salt = %i" %@salt @multiplier = multiplier # let's cache it calculate_verifier end @@ -27,13 +28,16 @@ module SRP protected def calculate_verifier x = calculate_x(@username, @password, @salt) + puts "x = %i" % x @verifier = modpow(GENERATOR, x, PRIME_N) + puts "verifier = %i" % @verifier + @verifier end def calculate_x(username, password, salt) shex = '%x' % [salt] - spad = if shex.length.odd? then '0' else '' end - sha256_hex(spad + shex + sha256_str([username, password].join(':'))).hex + spad = "" # if shex.length.odd? then '0' else '' end + sha256_str(spad + shex + sha256_str([username, password].join(':'))).hex end def calculate_client_s(x, a, bb, u) diff --git a/lib/srp/server.rb b/lib/srp/server.rb index 02d5d8b..cf213c9 100644 --- a/lib/srp/server.rb +++ b/lib/srp/server.rb @@ -11,19 +11,23 @@ module SRP end def initialize_auth(aa) + @aa = aa @b = bigrand(32).hex # B = g^b + k v (mod N) @bb = (modpow(GENERATOR, @b, PRIME_N) + multiplier * @verifier) % PRIME_N - u = calculate_u(aa, @bb, PRIME_N) + u = calculate_u(@aa, @bb, PRIME_N) return @bb, u end - def authenticate(aa, m) - u = calculate_u(aa, @bb, PRIME_N) - base = (modpow(@verifier, u, PRIME_N) * aa) % PRIME_N + def authenticate(m) + u = calculate_u(@aa, @bb, PRIME_N) + base = (modpow(@verifier, u, PRIME_N) * @aa) % PRIME_N server_s = modpow(base, @b, PRIME_N) - if(m == calculate_m(aa, @bb, server_s)) - return calculate_m(aa, m, server_s) + if(m == calculate_m(@aa, @bb, server_s)) + puts "A = %x" % [@aa] + puts "M = %x" % [m] + puts "s = %x" % [server_s] + return calculate_m(@aa, m, server_s) end end @@ -34,9 +38,10 @@ module SRP nlen = 2 * ((('%x' % [n]).length * 4 + 7) >> 3) aahex = '%x' % [aa] bbhex = '%x' % [bb] + return sha256_str("%x%x" % [aa, bb]).hex hashin = '0' * (nlen - aahex.length) + aahex \ + '0' * (nlen - bbhex.length) + bbhex - sha256_hex(hashin).hex + sha256_str(hashin).hex end end diff --git a/lib/srp/util.rb b/lib/srp/util.rb index 4325537..efbecaa 100644 --- a/lib/srp/util.rb +++ b/lib/srp/util.rb @@ -63,7 +63,7 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 def calculate_m(aa, bb, s) # todo: we might want to 0fill this like for u hashin = '%x%x%x' % [aa, bb, s] - sha256_hex(hashin).hex + sha256_str(hashin).hex end end diff --git a/test/auth_test.rb b/test/auth_test.rb index 75aa9ad..f93445f 100644 --- a/test/auth_test.rb +++ b/test/auth_test.rb @@ -4,7 +4,7 @@ class AuthTest < Test::Unit::TestCase def setup @username = 'user' - @password = 'opensasemi' + @password = 'opensesami' @client = SRP::Client.new(@username, @password) @server = SRP::Server.new(@client.salt, @client.verifier) end -- cgit v1.2.3