summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--index.js1
-rw-r--r--spec/RestfulSpecRunner.html4
-rw-r--r--spec/restful/login.js31
-rw-r--r--spec/restful/session.js39
-rw-r--r--src/srp.js46
-rw-r--r--src/srp_session.js32
6 files changed, 100 insertions, 53 deletions
diff --git a/index.js b/index.js
index 9c67ad2..3366662 100644
--- a/index.js
+++ b/index.js
@@ -1,2 +1,3 @@
//= require_tree ./lib
+//= require ./src/srp
//= require_tree ./src
diff --git a/spec/RestfulSpecRunner.html b/spec/RestfulSpecRunner.html
index 8203970..a9d708b 100644
--- a/spec/RestfulSpecRunner.html
+++ b/spec/RestfulSpecRunner.html
@@ -28,6 +28,7 @@
<script type="text/javascript" src="specHelper.js"></script>
<script type="text/javascript" src="restful/signup.js"></script>
<script type="text/javascript" src="restful/login.js"></script>
+ <script type="text/javascript" src="restful/session.js"></script>
<script type="text/javascript">
@@ -66,9 +67,6 @@
<table>
<tr><td>Username:</td><td><input type="text" id="srp_username" value="testuser" /></td></tr>
<tr><td>Password:</td><td><input type="password" id="srp_password" value="password"/></td></tr>
- <input type="hidden" id="srp_url" value=""/>
- <input type="hidden" id="srp_forward" value="#logged_in"/>
- <input type="hidden" id="srp_server" value="django"/>
</table>
<input type="submit"/>
</form>
diff --git a/spec/restful/login.js b/spec/restful/login.js
index 0f6aa4f..9c43c00 100644
--- a/spec/restful/login.js
+++ b/spec/restful/login.js
@@ -5,7 +5,7 @@ describe("Login", function() {
expect(typeof srp.identify).toBe('function');
});
- describe("(INTEGRATION)", function (){
+ describe("(Compatibility with py-srp)", function (){
// these need to be the same as in the spec runner:
var login = "testuser";
var password = "password";
@@ -19,6 +19,7 @@ describe("Login", function() {
var K = 'db6ec0bdab81742315861a828323ff492721bdcd114077a4124bc425e4bf328b';
var M = '640e51d5ac5461591c31811221261f0e0eae7c08ce43c85e9556adbd94ed8c26';
var M2 = '49e48f8ac8c4da0e8a7374f73eeedbee2266e123d23fc1be1568523fc9c24b1e';
+ var V = '6f5fb78184161f4191babaf1a700ff70e4d261054d002466d05f2ec2b45fc8807dbd7ce25dc3c882331eb8bf72a22caf2868e3438477be7ab151d3281d00aa1a9fc5cb6a725abd99e11882f77d52b56b83f95c0ba0b8fbbf4ee1fbb445c35adb5d1aaa48ba761c4a4417f6bb821fb61956c919e47740b316b960653303fe7190';
var A_, callback;
@@ -28,42 +29,48 @@ describe("Login", function() {
specHelper.setupFakeXHR.apply(this);
A_ = this.srp.session.calculateAndSetA(a)
- this.srp.success = sinon.spy();
});
afterEach(function() {
this.xhr.restore();
});
- it("starts with the right A", function(){
+ it("calculates the same A", function(){
expect(A_).toBe(A);
});
- it("calculates the right key", function(){
+ it("calculates the same verifier", function(){
+ expect(this.srp.session.getV().toString(16)).toBe(V);
+ });
+
+ it("calculates the same key", function(){
this.srp.session.calculations(salt, B);
expect(this.srp.session.key()).toBe(K);
});
it("works with JSON responses", function(){
- this.srp.identify();
+ var success = sinon.spy();
+ this.srp.identify(success);
this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST');
- this.respondJSON({s: salt, B: B});
+ this.respondJSON({salt: salt, B: B});
this.expectRequest('sessions/'+login, 'client_auth='+M, 'PUT');
- this.respondJSON({M: M2});
+ this.respondJSON({M2: M2});
- expect(this.srp.success).toHaveBeenCalled();
+ expect(success).toHaveBeenCalled();
});
it("rejects B = 0", function(){
- this.srp.error = sinon.spy();
- this.srp.identify();
+ var success = sinon.spy();
+ var error = sinon.spy();
+ this.srp.identify(success, error);
this.expectRequest('sessions', 'login=' +login+ '&A=' +A, 'POST');
- this.respondJSON({s: salt, B: 0});
+ this.respondJSON({salt: salt, B: 0});
// aborting if B=0
expect(this.requests).toEqual([]);
- expect(this.srp.error).toHaveBeenCalled();
+ expect(error).toHaveBeenCalled();
+ expect(success).not.toHaveBeenCalled();
});
});
diff --git a/spec/restful/session.js b/spec/restful/session.js
new file mode 100644
index 0000000..b7f16f0
--- /dev/null
+++ b/spec/restful/session.js
@@ -0,0 +1,39 @@
+describe("Session", function() {
+
+ // data gathered from py-srp and ruby-srp
+ var compare = {
+ username: "UC6LTQ",
+ password: "PVSQ7DCEIR0B",
+ salt: "d6ed8dba",
+ v: "c86a8c04a4f71cb10bfe3fedb74bae545b9a20e0f3e95b6334fce1cb3384a296f75d774a3829ffd63f405f13f58ffbae415fd234b08b996c11e8618c17961defcebb1d244b388b75cf36882ee97182a900ebeaf7cffa0a83eed294f3a9449a06beb88954952759d2957b80ef851f4cc4fcaa6001fee4f00c273ecdd712d48371",
+ aa: "4decb8543891f5a744b1e9b5bc375a474bfe3c5417e1db176cefcc7ba915338a14f309f8e0a4c7641bc9c9b9bd2e91c4d1beda1772c30d0350c9ba44f7c5911dfe6bb593ac2a2b30f1f6e5ec8a656cb4947c1907cf62f8d7283cbe32eb44b02158b51091ae130afa6063bb28cdea9ae159d4f222571e146f8715bfa31af09868",
+ a: "d498c3d024ec17689b5320e33fc349a3f3f91320384155b3043fa410c90eab71",
+ bb: "5f5bedd1f95b6b0d6809614f162e49753acce6979e1041f4da5bfa91e1dadd2a5470270ed102a49c5f74fd42f2b61a8a1a43218159a22b31a7cbd4670679480e56d0e4e72a22c07e07102ff063045d0c3c96085dec1cc2959453e0299890bd95af76403cec6ec5f212667a75ae6f4a8327183d72c3ee85792ca43820fbccf244",
+ m: "bc30b8781e67a657e93d0a6cf7e7847fc60f79e2b0641e9c26b3522bc8f974cc"
+ }
+
+ var session;
+
+ beforeEach(function() {
+ var srp = new SRP(jqueryRest());
+ session = new srp.Session(compare.username, compare.password);
+ });
+
+ it("has the proper username", function() {
+ expect(session.getI()).toBe(compare.username);
+ });
+
+ it("calculates the proper verifier", function() {
+ expect(session.getV(compare.salt).toString(16)).toBe(compare.v);
+ });
+
+ it("calculates the proper A", function() {
+ expect(session.calculateAndSetA(compare.a)).toBe(compare.aa);
+ });
+
+ it("calculates the proper M", function() {
+ session.calculateAndSetA(compare.a);
+ session.calculations(compare.salt, compare.bb);
+ expect(session.getM()).toBe(compare.m);
+ });
+});
diff --git a/src/srp.js b/src/srp.js
index 972b211..6d1e8c1 100644
--- a/src/srp.js
+++ b/src/srp.js
@@ -9,8 +9,9 @@ function SRP(remote, session)
this.session = session;
// Start the login process by identifying the user
- this.identify = function()
+ this.identify = function(success, error)
{
+ store_callbacks(success, error);
remote.handshake(session, receive_salts);
// Receive login salts from the server, start calculations
@@ -19,9 +20,14 @@ function SRP(remote, session)
// B = 0 will make the algorithm always succeed
// -> refuse such a server answer
if(response.B === 0) {
- srp.error("Server send random number 0 - this is not allowed");
- } else {
- session.calculations(response.s, response.B);
+ srp.error("Server send random number 0 - could not login.");
+ }
+ else if(! response.salt || response.salt === 0) {
+ srp.error("Server failed to send salt - could not login.");
+ }
+ else
+ {
+ session.calculations(response.salt, response.B);
remote.authenticate(session, confirm_authentication);
}
}
@@ -30,7 +36,7 @@ function SRP(remote, session)
// If an error occurs, raise it as an alert.
function confirm_authentication(response)
{
- if (session.validate(response.M))
+ if (session.validate(response.M2))
srp.success();
else
srp.error("Server key does not match");
@@ -38,16 +44,19 @@ function SRP(remote, session)
};
// Initiate the registration process
- this.register = function()
+ this.register = function(success, error)
{
+ store_callbacks(success, error);
remote.register(session, srp.registered_user);
};
// The user has been registered successfully, now login
this.registered_user = function(response)
{
- if(response.ok)
- {
+ if(response.errors) {
+ srp.error(response.errors)
+ }
+ else {
srp.identify();
}
};
@@ -59,18 +68,19 @@ function SRP(remote, session)
};
// This function is called when authentication is successful.
- // Developers can set this to other functions in specific implementations
- // and change the functionality.
+ // It's a dummy. Please hand the real thing to the call to identify.
this.success = function()
{
- var forward_url = document.getElementById("srp_forward").value;
- if(forward_url.charAt(0) != "#")
- window.location = forward_url;
- else
- {
- window.location = forward_url;
- alert("Login successful.");
- }
+ alert("Login successful.");
};
+
+ function store_callbacks(success, error) {
+ if (typeof success == "function") {
+ srp.success = success;
+ }
+ if (typeof error == "function") {
+ srp.error = error;
+ }
+ }
};
diff --git a/src/srp_session.js b/src/srp_session.js
index 07c1e25..8f45a44 100644
--- a/src/srp_session.js
+++ b/src/srp_session.js
@@ -1,4 +1,4 @@
-SRP.prototype.Session = function() {
+SRP.prototype.Session = function(login, password) {
// Variables session will be used in the SRP protocol
var Nstr = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3";
@@ -7,7 +7,8 @@ SRP.prototype.Session = function() {
var k = new BigInteger("bf66c44a428916cad64aa7c679f3fd897ad4c375e9bbb4cbf2f5de241d618ef0", 16);
var rng = new SecureRandom();
- var a = new BigInteger(32, rng);
+// var a = new BigInteger(32, rng);
+ var a = new BigInteger("d498c3d024ec17689b5320e33fc349a3f3f91320384155b3043fa410c90eab71", 16);
var A = g.modPow(a, N);
while(A.mod(N) == 0)
{
@@ -20,17 +21,14 @@ SRP.prototype.Session = function() {
var M = null;
var M2 = null;
var authenticated = false;
- var I = document.getElementById("srp_username").value;
- var pass = document.getElementById("srp_password").value;
- var V;
- var salt;
+ var I = login || document.getElementById("srp_username").value;
+ var pass = password || document.getElementById("srp_password").value;
// *** Accessor methods ***
// allows setting the random number A for testing
- this.calculateAndSetA = function(_a)
- {
+ this.calculateAndSetA = function(_a) {
a = new BigInteger(_a, 16);
A = g.modPow(a, N);
Astr = A.toString(16);
@@ -42,39 +40,33 @@ SRP.prototype.Session = function() {
}
// Returns the user's identity
- this.getI = function()
- {
+ this.getI = function() {
return I;
};
// some 16 byte random number
this.getSalt = function() {
- salt = salt || new BigInteger(64, rng).toString(16);
- return salt
+ return new BigInteger(64, rng).toString(16);
}
// Returns the BigInteger, g
- this.getg = function()
- {
+ this.getg = function() {
return g;
};
// Returns the BigInteger, N
- this.getN = function()
- {
+ this.getN = function() {
return N;
};
// Calculates the X value and return it as a BigInteger
- this.calcX = function(salt)
- {
+ this.calcX = function(salt) {
return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16);
};
this.getV = function(salt)
{
- V = V || this.getg().modPow(this.calcX(salt), this.getN());
- return V;
+ return this.getg().modPow(this.calcX(salt), this.getN());
}
// Calculate S, M, and M2