From e55ff681bcc5a6c479530d1411a3da75912d78e5 Mon Sep 17 00:00:00 2001 From: Azul Date: Thu, 28 Jun 2012 16:13:13 +0200 Subject: complete ajax flow is working - just auth fails Also we currently generate the salt on the server - this should happen on the client but for now i stick to the srp-js workflow. --- example/http-srp.rb | 15 ++++++++++----- example/models/user.rb | 12 ++++++++---- example/public/srp.js | 10 ++++++++++ example/views/layout.erb | 1 + example/views/signup.erb | 10 +++++----- lib/srp/client.rb | 7 ++----- lib/srp/server.rb | 6 ------ lib/srp/util.rb | 31 +++++++++++++++++++++---------- test/auth_test.rb | 4 ---- 9 files changed, 57 insertions(+), 39 deletions(-) diff --git a/example/http-srp.rb b/example/http-srp.rb index b2de7bf..e83036f 100644 --- a/example/http-srp.rb +++ b/example/http-srp.rb @@ -14,12 +14,17 @@ get '/signup' do erb :signup end -post '/signup' do +# TODO: Client should generate the salt! +# Getting things to work the srp-js way first. +post '/register/salt/' do Log.clear - Log.log(:signup, params) - @user = User.current - @user.signup!(params) - redirect '/' + @user = User.new(params.delete('I')) + erb :salt, :layout => false, :content_type => :xml +end + +post '/register/user/' do + User.current.verifier = params.delete('v').to_i + erb :ok, :layout => false, :content_type => :xml end get '/login' do diff --git a/example/models/user.rb b/example/models/user.rb index 3ad8147..af92300 100644 --- a/example/models/user.rb +++ b/example/models/user.rb 
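Review bot: `post '/register/user/'` stores the verifier on `User.current`, a single process-wide object, so nothing ties this request to the client that fetched the salt from `/register/salt/`; any later POST to the route replaces the stored verifier, and a second registration in between redirects it to a different login. Keeping the pending login in the Sinatra session and looking the user up from it would bind the two steps together. `params.delete('v').to_i` parses decimal and stops at the first non-digit, so if srp-js submits `v` hex-encoded (not visible here, to be confirmed) the stored value is truncated or 0; `params.delete('v').to_s.hex` would match the hex handling used in lib/srp. A missing `I` or `v` currently passes through as nil and 0, so both routes should reject an empty login and a zero verifier before storing anything.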
@@ -5,17 +5,21 @@ class User @current ||= User.new end + def self.current=(user) + @current = user + end + attr_accessor :login attr_accessor :salt attr_accessor :verifier attr_accessor :active attr_accessor :srp - def signup!(params) - self.login = params.delete('login') - self.salt = params.delete('salt').to_i - self.verifier = params.delete('verifier').to_i + def initialize(login) + self.login = login + self.salt = OpenSSL::Random.random_bytes(10).unpack("H*")[0] self.active = false + User.current = self end def initialize_auth(params) diff --git a/example/public/srp.js b/example/public/srp.js index e68e220..51aba5c 100644 --- a/example/public/srp.js +++ b/example/public/srp.js @@ -1,5 +1,6 @@ $(document).ready(function(){ $('#login-btn').click(on_login); + $('#signup-btn').click(on_signup); }); function on_login(event) { @@ -7,3 +8,12 @@ function on_login(event) { srp.identify(); event.preventDefault(); } + +function on_signup(event) { + srp = new SRP(); + srp.success = function() { + alert("Signed up successfully"); + }; + srp.register(); + event.preventDefault(); +} diff --git a/example/views/layout.erb b/example/views/layout.erb index ab980c8..f4eae0a 100644 --- a/example/views/layout.erb +++ b/example/views/layout.erb @@ -23,6 +23,7 @@ + diff --git a/example/views/signup.erb b/example/views/signup.erb index baeb007..6e1bbf3 100644 --- a/example/views/signup.erb +++ b/example/views/signup.erb @@ -4,18 +4,18 @@ Signup to test secure remote passwords
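Review bot: `initialize` now requires `login`, but `self.current` in the context lines still falls back to `@current ||= User.new`, which raises ArgumentError whenever no user has registered yet, for instance when `/register/user/` is requested first. Either give the parameter a default, `def initialize(login = nil)`, or let `self.current` return nil and have the routes handle the missing user. The salt is now a hex String (`unpack("H*")[0]`) where `signup!` stored an Integer; if this value is later handed to `calculate_x`, its `'%x' % [salt]` expects an Integer, so convert with `.hex` at one agreed point. Assigning `User.current = self` inside the constructor means that merely building a User replaces the global current user, which deserves a comment such as `# NOTE: side effect - replaces the process-wide current user`. The class body continues outside the hunk.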
- +
- - - +
+ +
- + Cancel
diff --git a/lib/srp/client.rb b/lib/srp/client.rb index 7aa147c..9a27174 100644 --- a/lib/srp/client.rb +++ b/lib/srp/client.rb @@ -21,10 +21,7 @@ module SRP aa = modpow(GENERATOR, a, PRIME_N) # A = g^a (mod N) bb, u = server.initialize_auth(aa) client_s = calculate_client_s(x, a, bb, u) - puts "bb: " + bb.to_s - puts "aa: " + aa.to_s - puts "client_s: " + client_s.to_s - server.authenticate(aa, client_s) + server.authenticate(aa, calculate_m(aa,bb,client_s)) end protected @@ -36,7 +33,7 @@ module SRP def calculate_x(username, password, salt) shex = '%x' % [salt] spad = if shex.length.odd? then '0' else '' end - sha1_hex(spad + shex + sha1_str([username, password].join(':'))).hex + sha256_hex(spad + shex + sha256_str([username, password].join(':'))).hex end def calculate_client_s(x, a, bb, u) diff --git a/lib/srp/server.rb b/lib/srp/server.rb index 79d1b75..02d5d8b 100644 --- a/lib/srp/server.rb +++ b/lib/srp/server.rb @@ -39,12 +39,6 @@ module SRP sha256_hex(hashin).hex end - def calculate_m(aa, bb, s) - # todo: we might want to 0fill this like for u - hashin = '%x%x%x' % [aa, bb, s] - sha256_hex(hashin).hex - end - end end diff --git a/lib/srp/util.rb b/lib/srp/util.rb index 0da1f8f..4325537 100644 --- a/lib/srp/util.rb +++ b/lib/srp/util.rb @@ -5,7 +5,12 @@ module SRP module Util # constants both sides know - PRIME_N = <<-EOS.split.join.hex # 1024 bits modulus (N) + # in this case taken from srp-js + PRIME_N = <<-EOS.split.join.hex +115b8b692e0e045692cf280b436735c77a5a9e8a9e7ed56c965f87db5b2a2ece3 + EOS + + BIG_PRIME_N = <<-EOS # 1024 bits modulus (N) eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c25657 6d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089da d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 
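Review bot: `authenticate` passes the server-supplied `bb` and `u` straight into `calculate_client_s` without any sanity check; SRP-6a requires the client to abort when `B mod N` is 0 or `u` is 0, since those degenerate values void the protocol's guarantees. A guard directly after `server.initialize_auth(aa)`, such as `return false if (bb % PRIME_N).zero? || u.zero?`, covers the client, and the matching `A mod N` check belongs in the server's `initialize_auth` (not visible in this diff). The method starts above the hunk, so how `a` and `x` are derived is not shown. In the second hunk the switch to `sha256_hex`/`sha256_str` in `calculate_x` changes every derived x, so verifiers created with the SHA-1 variant stop matching; a one-line comment saying so would help anyone with stored test data.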
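Review bot: `PRIME_N` in lib/srp/util.rb is now a 65-hex-digit (about 257-bit) modulus taken from srp-js, and the 1024-bit group survives only as `BIG_PRIME_N`, which lost its `.split.join.hex` and is therefore a raw String that nothing in the diff uses. A modulus of this size is far below what is considered safe for a discrete-log based protocol, so it should be marked as interop-only, e.g. `# FIXME: ~256-bit group, srp-js compatibility only; not for real credentials`, and the default returned to a large group (RFC 5054 defines 1024-bit and larger ones) once the JS side supports it. If `BIG_PRIME_N` is meant to stay usable, keep the conversion: `BIG_PRIME_N = <<-EOS.split.join.hex`. The heredoc continues past the end of the hunk.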
@@ -25,14 +30,6 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 end end - def sha1_hex(h) - Digest::SHA1.hexdigest([h].pack('H*')) - end - - def sha1_str(s) - Digest::SHA1.hexdigest(s) - end - def sha256_hex(h) Digest::SHA2.hexdigest([h].pack('H*')) end @@ -46,6 +43,13 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 end def multiplier + return "c46d46600d87fef149bd79b81119842f3c20241fda67d06ef412d8f6d9479c58".hex % PRIME_N + @k ||= calculate_multiplier + end + + protected + + def calculate_multiplier n = PRIME_N g = GENERATOR nhex = '%x' % [n] @@ -53,8 +57,15 @@ d15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e5 ghex = '%x' % [g] hashin = '0' * (nlen - nhex.length) + nhex \ + '0' * (nlen - ghex.length) + ghex - sha1_hex(hashin).hex % n + sha256_hex(hashin).hex % n end + + def calculate_m(aa, bb, s) + # todo: we might want to 0fill this like for u + hashin = '%x%x%x' % [aa, bb, s] + sha256_hex(hashin).hex + end + end end diff --git a/test/auth_test.rb b/test/auth_test.rb index 0f76404..75aa9ad 100644 --- a/test/auth_test.rb +++ b/test/auth_test.rb @@ -10,10 +10,6 @@ class AuthTest < Test::Unit::TestCase end def test_successful_auth - print "salt: " - puts @client.salt - print "verifier: " - puts @client.verifier assert @client.authenticate(@server, @username, @password) end -- cgit v1.2.3
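Review bot: the unconditional `return` of a hard-coded hex constant at the top of `multiplier` makes `@k ||= calculate_multiplier` unreachable, so the new helper is dead code and k is a magic number with no stated origin. If the constant is the k that srp-js uses for its modulus (presumably, to be confirmed), say so in a comment and keep a single path, e.g. `@k ||= SRPJS_MULTIPLIER % PRIME_N` with the constant defined next to `PRIME_N` (`SRPJS_MULTIPLIER` is a placeholder name); otherwise a later change of `PRIME_N` leaves both sides with a k that silently no longer equals H(N, g). The bare `protected` applies to everything defined after it in the module, including `calculate_m`, which is worth stating since `SRP::Client#authenticate` now relies on it.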
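Review bot: `calculate_m` builds `hashin` with `'%x%x%x' % [aa, bb, s]` and hands it to `sha256_hex`, which runs `[h].pack('H*')`; when the concatenation has an odd number of hex digits, `pack` pads the last nibble rather than the first, so the bytes hashed are not the intended numbers. `calculate_x` already guards against this with `spad`, and `calculate_multiplier` left-pads to `nlen`; zero-filling each of `aa`, `bb` and `s` to a fixed even width, as sketched below, also removes the ambiguity of joining three variable-length values with no separator. Whatever padding is chosen has to match what srp-js hashes for M, which this diff does not show, so treat the width as something to confirm against the JS side.

```ruby
def calculate_m(aa, bb, s)
  # Left-pad every value to the hex width of N (rounded up to an even
  # number of digits) so the digest input has one unambiguous layout.
  # NOTE(review): must agree with the encoding srp-js uses for M - confirm.
  width = ('%x' % [PRIME_N]).length
  width += 1 if width.odd?
  hashin = [aa, bb, s].map { |v| ('%x' % [v]).rjust(width, '0') }.join
  sha256_hex(hashin).hex
end
```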