From 07fe2d8976db0ec267bd57ded90778f0d7695478 Mon Sep 17 00:00:00 2001
From: Azul
Date: Mon, 2 Jul 2012 17:50:33 +0200
Subject: reject server response with error message if B=0

---
 javascript/spec/login.js | 13 ++++++++++++-
 javascript/srp.js | 5 +++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/javascript/spec/login.js b/javascript/spec/login.js
index 55cfa16..ea86584 100644
--- a/javascript/spec/login.js
+++ b/javascript/spec/login.js
@@ -5,7 +5,7 @@ describe("Login", function() {
 expect(typeof srp.identify).toBe('function');
 });
 
- describe("Successfull Login (INTEGRATION)", function (){
+ describe("(INTEGRATION)", function (){
 // a valid auth attempt for the user / password given in the spec runner:
 var a = 'af141ae6';
 var B = '887005895b1f5528b4e4dfdce914f73e763b96d3c901d2f41d8b8cd26255a75';
@@ -51,6 +51,17 @@ describe("Login", function() {
 expect(this.srp.success).toHaveBeenCalled();
 expect(window.location.hash).toBe("#logged_in")
 });
+
+ it("rejects B = 0", function(){
+ this.srp.error_message = sinon.spy();
+ this.srp.identify();
+
+ this.expectRequest('handshake/', 'I=user&A='+A);
+ this.respondJSON({s: salt, B: 0});
+ // aborting if B=0
+ expect(this.requests).toEqual([]);
+ expect(this.srp.error_message).toHaveBeenCalled();
+ });
 });
 
 
diff --git a/javascript/srp.js b/javascript/srp.js
index b84786e..b04a350 100644
--- a/javascript/srp.js
+++ b/javascript/srp.js
@@ -185,6 +185,11 @@ function SRP()
 if(response.error) {
 that.error_message(response.error);
 }
+ // B = 0 will make the algorithm always succeed - refuse such a server
+ // answer
+ else if(response.B == 0) {
+ that.error_message("Server send random number 0 - this is not allowed");
+ }
 // If there is no algorithm specified, calculate M given s, B, and P
 else if(!response.a) {
 
-- 
cgit v1.2.3
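Review bot: The new `rejects B = 0` spec stubs the handshake with a numeric `B: 0`, but the server's real answer is a hex string, as the `var B = '8870…'` fixture a few lines above this hunk shows; the production guard only catches the string form through loose `==` coercion, and this test never exercises that path. Change the stub to `this.respondJSON({s: salt, B: '0'});` so the test matches what the wire actually carries. It would also be worth a second case that answers with the group modulus N in hex — a value congruent to 0 mod N — since that is the condition the SRP client is required to abort on, and a plain zero comparison will not catch it. `salt` and `A` are defined in the enclosing describe block, which starts before this hunk.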
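Review bot: `response.B == 0` in the new guard rejects only a literal zero (plus, through loose equality, `''`, `'00'` or `false`), whereas the SRP requirement (RFC 5054 §2.5.4) is that the client abort when B mod N is zero — a server that returns N, or any multiple of N, in hex still reaches the key computation. Parse B with the same bignum routine the rest of this file uses for the SRP arithmetic (not visible in this hunk), reduce it modulo N, and abort when the result is zero; that also subsumes the `'0'` case and removes the need for `==`. A missing `B` is not caught either (`undefined == 0` is false) and falls through to the next branch; whether that is handled further down cannot be told from this hunk. The user-facing message has a typo and should read `"Server sent random number 0 - this is not allowed"`. The response handler containing this `if`/`else if` chain starts and ends outside the hunk.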