From cb8e9f7b3dec1963e0d985b1b2541b260a132762 Mon Sep 17 00:00:00 2001 From: Azul Date: Mon, 15 Oct 2012 12:54:24 +0200 Subject: expecting the salt to be send with key salt --- src/srp.js | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/srp.js b/src/srp.js index 972b211..b348e69 100644 --- a/src/srp.js +++ b/src/srp.js @@ -19,9 +19,14 @@ function SRP(remote, session) // B = 0 will make the algorithm always succeed // -> refuse such a server answer if(response.B === 0) { - srp.error("Server send random number 0 - this is not allowed"); - } else { - session.calculations(response.s, response.B); + srp.error("Server send random number 0 - could not login."); + } + else if(! response.salt || response.salt === 0) { + srp.error("Server failed to send salt - could not login."); + } + else + { + session.calculations(response.salt, response.B); remote.authenticate(session, confirm_authentication); } } -- cgit v1.2.3 From 5e7d79423cbc8b4cb48e2619f871bc223fd5ccdd Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 16 Oct 2012 15:20:57 +0200 Subject: added unit tests for session calculations --- src/srp_session.js | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) (limited to 'src') diff --git a/src/srp_session.js b/src/srp_session.js index 07c1e25..7554e4a 100644 --- a/src/srp_session.js +++ b/src/srp_session.js @@ -1,4 +1,4 @@ -SRP.prototype.Session = function() { +SRP.prototype.Session = function(login, password) { // Variables session will be used in the SRP protocol var Nstr = "eeaf0ab9adb38dd69c33f80afa8fc5e86072618775ff3c0b9ea2314c9c256576d674df7496ea81d3383b4813d692c6e0e0d5d8e250b98be48e495c1d6089dad15dc7d7b46154d6b6ce8ef4ad69b15d4982559b297bcf1885c529f566660e57ec68edbc3c05726cc02fd4cbf4976eaa9afd5138fe8376435b9fc61d2fc0eb06e3"; @@ -20,9 +20,9 @@ SRP.prototype.Session = function() { var M = null; var M2 = null; var authenticated = false; - var I = document.getElementById("srp_username").value; - var pass = document.getElementById("srp_password").value; - var V; + var I = login || document.getElementById("srp_username").value; + var pass = password || document.getElementById("srp_password").value; + var x, V; var salt; // *** Accessor methods *** @@ -68,7 +68,8 @@ SRP.prototype.Session = function() { // Calculates the X value and return it as a BigInteger this.calcX = function(salt) { - return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); + x = x || new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); + return x; }; this.getV = function(salt) -- cgit v1.2.3 From aeab3e93f45d2d8882d93ec20531aafd3cd9df45 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 16 Oct 2012 17:06:35 +0200 Subject: not caching x,V,salt to avoid conflicts --- src/srp_session.js | 26 ++++++++------------------ 1 file changed, 8 insertions(+), 18 deletions(-) (limited to 'src') diff --git a/src/srp_session.js b/src/srp_session.js index 7554e4a..cbb95d8 100644 --- a/src/srp_session.js +++ b/src/srp_session.js @@ -22,15 +22,12 @@ SRP.prototype.Session = function(login, password) { var authenticated = false; var I = login || document.getElementById("srp_username").value; var pass = password || document.getElementById("srp_password").value; - var x, V; - var salt; // *** Accessor methods *** // allows setting the random number A for testing - this.calculateAndSetA = function(_a) - { + this.calculateAndSetA = function(_a) { a = new BigInteger(_a, 16); A = g.modPow(a, N); Astr = A.toString(16); @@ -42,40 +39,33 @@ SRP.prototype.Session = function(login, password) { } // Returns the user's identity - this.getI = function() - { + this.getI = function() { return I; }; // some 16 byte random number this.getSalt = function() { - salt = salt || new BigInteger(64, rng).toString(16); - return salt + return new BigInteger(64, rng).toString(16); } // Returns the BigInteger, g - this.getg = function() - { + this.getg = function() { return g; }; // Returns the BigInteger, N - this.getN = function() - { + this.getN = function() { return N; }; // Calculates the X value and return it as a BigInteger - this.calcX = function(salt) - { - x = x || new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); - return x; + this.calcX = function(salt) { + return new BigInteger(SHA256(hex2a(salt + SHA256(I + ":" + pass))), 16); }; this.getV = function(salt) { - V = V || this.getg().modPow(this.calcX(salt), this.getN()); - return V; + return this.getg().modPow(this.calcX(salt), this.getN()); } // Calculate S, M, and M2 -- cgit v1.2.3 From d21474a0290edab1c765741d484335d83f50be75 Mon Sep 17 00:00:00 2001 From: Azul Date: Tue, 16 Oct 2012 17:24:12 +0200 Subject: use M2 as the key for the server auth --- src/srp.js | 2 +- src/srp_session.js | 3 ++- 2 files changed, 3 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/srp.js b/src/srp.js index b348e69..e66c2fa 100644 --- a/src/srp.js +++ b/src/srp.js @@ -35,7 +35,7 @@ function SRP(remote, session) // If an error occurs, raise it as an alert. function confirm_authentication(response) { - if (session.validate(response.M)) + if (session.validate(response.M2)) srp.success(); else srp.error("Server key does not match"); diff --git a/src/srp_session.js b/src/srp_session.js index cbb95d8..8f45a44 100644 --- a/src/srp_session.js +++ b/src/srp_session.js @@ -7,7 +7,8 @@ SRP.prototype.Session = function(login, password) { var k = new BigInteger("bf66c44a428916cad64aa7c679f3fd897ad4c375e9bbb4cbf2f5de241d618ef0", 16); var rng = new SecureRandom(); - var a = new BigInteger(32, rng); +// var a = new BigInteger(32, rng); + var a = new BigInteger("d498c3d024ec17689b5320e33fc349a3f3f91320384155b3043fa410c90eab71", 16); var A = g.modPow(a, N); while(A.mod(N) == 0) { -- cgit v1.2.3 From 5a0ceeb1ca0055719a9b8977a799362163955766 Mon Sep 17 00:00:00 2001 From: Azul Date: Wed, 17 Oct 2012 12:06:37 +0200 Subject: hand success and error messages to identify by default also cleaned up some other parts that were not needed anymore --- src/srp.js | 16 +++++----------- 1 file changed, 5 insertions(+), 11 deletions(-) (limited to 'src') diff --git a/src/srp.js b/src/srp.js index e66c2fa..c986443 100644 --- a/src/srp.js +++ b/src/srp.js @@ -9,8 +9,10 @@ function SRP(remote, session) this.session = session; // Start the login process by identifying the user - this.identify = function() + this.identify = function(success, error) { + srp.success = success; + srp.error = error; remote.handshake(session, receive_salts); // Receive login salts from the server, start calculations @@ -64,18 +66,10 @@ function SRP(remote, session) }; // This function is called when authentication is successful. - // Developers can set this to other functions in specific implementations - // and change the functionality. + // It's a dummy. Please hand the real thing to the call to identify. this.success = function() { - var forward_url = document.getElementById("srp_forward").value; - if(forward_url.charAt(0) != "#") - window.location = forward_url; - else - { - window.location = forward_url; - alert("Login successful."); - } + alert("Login successful."); }; }; -- cgit v1.2.3 From 8c1cc0f4903b1b6eabffe6681744ea02a870af7f Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Oct 2012 17:49:53 +0200 Subject: added success and error callbacks to register --- src/srp.js | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) (limited to 'src') diff --git a/src/srp.js b/src/srp.js index c986443..7060598 100644 --- a/src/srp.js +++ b/src/srp.js @@ -11,8 +11,7 @@ function SRP(remote, session) // Start the login process by identifying the user this.identify = function(success, error) { - srp.success = success; - srp.error = error; + store_callbacks(success, error); remote.handshake(session, receive_salts); // Receive login salts from the server, start calculations @@ -45,8 +44,9 @@ function SRP(remote, session) }; // Initiate the registration process - this.register = function() + this.register = function(success, error) { + store_callbacks(success, error); remote.register(session, srp.registered_user); }; @@ -71,5 +71,14 @@ function SRP(remote, session) { alert("Login successful."); }; + + function store_callbacks(success, error) { + if (typeof success == "function") { + srp.success = success; + } + if (typeof error == "function") { + srp.error = error; + } + } }; -- cgit v1.2.3 From 23350b54ec2723e1b2e333626567c9fe9d1e2644 Mon Sep 17 00:00:00 2001 From: Azul Date: Fri, 19 Oct 2012 18:01:04 +0200 Subject: don't expect create to return an ok * it returns the user * it will return errors if sth. goes wrong. --- src/srp.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'src') diff --git a/src/srp.js b/src/srp.js index 7060598..6d1e8c1 100644 --- a/src/srp.js +++ b/src/srp.js @@ -53,8 +53,10 @@ function SRP(remote, session) // The user has been registered successfully, now login this.registered_user = function(response) { - if(response.ok) - { + if(response.errors) { + srp.error(response.errors) + } + else { srp.identify(); } }; -- cgit v1.2.3