ruby-srp 0.2.0 → 0.2.1
- data/.gitignore +2 -0
- data/Readme.md +4 -2
- data/lib/ruby-srp.rb +2 -2
- data/lib/srp/session.rb +10 -1
- data/ruby-srp.gemspec +1 -1
- data/test/client_session_test.rb +46 -0
- data/test/session_test.rb +8 -0
- metadata +4 -2
data/.gitignore
ADDED
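--- a/data/Readme.md
+++ b/data/Readme.md
@@ -1,7 +1,9 @@
-*IMPORTANT:* This is an initial test. It's verifying that the algorithm leads to the same secret on the client and server side. However it does not use crypto to send it over yet. So do not rely on it in a production environment yet.
-
 ## Ruby-SRP
 
 Secure remote password for ruby.
 
+*IMPORTANT:* This is still in early development. Versions prior to 0.2.1 are known to be insecure due to not validating the ephemeral public keys send.
+
+So far this library supports the two way authentication provided by SRP. It does not offer encryption for the traffic with the calculated shared secret yet. It should not be hard to add - but we do not need it yet.
+
 [![Build Status](https://secure.travis-ci.org/leapcode/ruby_srp.png?branch=master)](http://travis-ci.org/leapcode/ruby_srp) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/leapcode/ruby_srp)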
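--- a/data/lib/ruby-srp.rb
+++ b/data/lib/ruby-srp.rb
@@ -12,6 +12,6 @@ module SRP
 autoload :Authentication, 'srp/authentication'
 autoload :Util, 'srp/util'
 autoload :Session, 'srp/session'
-class WrongPassword < StandardError
-end
+class WrongPassword < StandardError ; end
+class InvalidEphemeral < ArgumentError ; end
 end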
data/lib/srp/session.rb
CHANGED
@@ -13,7 +13,9 @@ module SRP
|
|
13
13
|
|
14
14
|
# client -> server: I, A = g^a
|
15
15
|
def handshake(server)
|
16
|
-
|
16
|
+
bb = server.handshake(user.username, aa)
|
17
|
+
validate_ephemeral(bb)
|
18
|
+
@bb = bb
|
17
19
|
end
|
18
20
|
|
19
21
|
# client -> server: M = H(H(N) xor H(g), H(I), s, A, B, K)
|
@@ -79,6 +81,7 @@ module SRP
|
|
79
81
|
|
80
82
|
# only seed b for testing purposes.
|
81
83
|
def initialize_server(aa, ephemeral = nil)
|
84
|
+
validate_ephemeral(aa)
|
82
85
|
@aa = aa
|
83
86
|
@b = ephemeral || bigrand(32).hex
|
84
87
|
end
|
@@ -110,6 +113,12 @@ module SRP
|
|
110
113
|
modpow(base, @b)
|
111
114
|
end
|
112
115
|
|
116
|
+
def validate_ephemeral(ephemeral)
|
117
|
+
if ephemeral.hex % BIG_PRIME_N == 0
|
118
|
+
raise InvalidEphemeral.new 'insecure ephemeral value'
|
119
|
+
end
|
120
|
+
end
|
121
|
+
|
113
122
|
# SRP 6a uses
|
114
123
|
# M = H(H(N) xor H(g), H(I), s, A, B, K)
|
115
124
|
def m
|
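Review bot: `validate_ephemeral` in the third hunk only rejects values that are 0 mod N after `.hex`, so anything that is not a hex String fails with `NoMethodError` rather than `InvalidEphemeral`; in `handshake` (first hunk) that includes a `nil` return from `server.handshake`, if that API can return one for an unknown user — worth confirming, and cheap to guard with `raise InvalidEphemeral, 'missing ephemeral value' unless ephemeral.respond_to?(:hex)`. The method carries no comment on why the check exists; I would add `# RFC 5054 requires the server to abort when A mod N is 0 and the client when B mod N is 0: with A congruent to 0 the server-side secret is 0 regardless of the password.` Style-wise, `raise InvalidEphemeral, 'insecure ephemeral value'` is the idiomatic form rather than `raise InvalidEphemeral.new ...`. The method is defined as public here; if it is not meant to be part of the session API it belongs under `private`, which I cannot see from the diff.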
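--- a/data/test/client_session_test.rb
+++ b/data/test/client_session_test.rb
@@ -0,0 +1,46 @@
+require File.expand_path(File.dirname(__FILE__) + '/test_helper')
+require 'json'
+
+class ClientSessionTest < Test::Unit::TestCase
+
+class UserStub
+def username; end
+end
+
+class ServerStub
+def initialize(bb)
+@bb = bb
+end
+
+def handshake(username, aa)
+@bb
+end
+end
+
+def test_retrieval_of_bb
+bb = SRP::Util::BIG_PRIME_N + 1
+user = UserStub.new
+server = ServerStub.new(bb)
+session = SRP::Session.new(user)
+session.handshake(server)
+assert_equal bb, session.instance_variable_get("@bb")
+end
+
+def test_validation_of_bb
+user = UserStub.new
+server = ServerStub.new(SRP::Util::BIG_PRIME_N)
+assert_raises SRP::InvalidEphemeral do
+session = SRP::Session.new(user)
+session.handshake(server)
+end
+end
+
+def test_calculation_of_aa
+data = fixture(:failed_js_client)
+user = {} # stub
+session = SRP::Session.new(user)
+session.instance_variable_set("@a", data[:a].hex)
+assert_equal data[:aa], session.aa
+end
+
+end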
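Review bot: `test_validation_of_bb` covers only B equal to N exactly, and `test_client_public_key_validation` in session_test.rb has the same gap for A. The canonical bad value is 0, and other multiples such as 2N reach the same `% N == 0` branch, so each test should also assert on `ServerStub.new(0)` (respectively `SRP::Session.new(client, 0)`) and on `SRP::Util::BIG_PRIME_N * 2`. These tests hand Integers to the session while `validate_ephemeral` calls `.hex` on what it receives, which only works if the library extends Integer with `hex` — that is not visible here, so confirm it, otherwise the assertions pass on a `NoMethodError` path rather than on the validation. `ServerStub#handshake(username, aa)` ignores both parameters; naming them `_username, _aa` makes that explicit. Note that the section header on this page reads `data/ruby-srp.gemspec`, but the hunk is the new `test/client_session_test.rb` listed with +46 in the diffstat.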
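--- a/data/test/session_test.rb
+++ b/data/test/session_test.rb
@@ -5,6 +5,14 @@ class SessionTest < Test::Unit::TestCase
 
 Struct.new("Client", :username, :salt, :verifier)
 
+def test_client_public_key_validation
+aa = SRP::Util::BIG_PRIME_N
+client = {} # stub
+assert_raises SRP::InvalidEphemeral do
+session = SRP::Session.new(client, aa)
+end
+end
+
 def test_equivalance_to_py_srp
 data = fixture(:py_srp)
 client = stub_client(data)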
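Review bot: The `session =` assignment inside the `assert_raises` block of `test_client_public_key_validation` is never read, so the local only adds noise and an unused-variable warning; `SRP::Session.new(client, aa)` on its own is clearer. The bare `client = {}` stub presumably works only because `initialize_server` validates `aa` before anything touches the client (the `Session#initialize` that dispatches to it is outside the diff); if that order ever changes the test will fail for the wrong reason, so a one-line comment would help: `# a bare Hash suffices: aa is validated before the client is used`.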
metadata
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: ruby-srp
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.1
|
5
5
|
prerelease:
|
6
6
|
platform: ruby
|
7
7
|
authors:
|
@@ -9,7 +9,7 @@ authors:
|
|
9
9
|
autorequire:
|
10
10
|
bindir: bin
|
11
11
|
cert_chain: []
|
12
|
-
date: 2013-07
|
12
|
+
date: 2013-08-07 00:00:00.000000000 Z
|
13
13
|
dependencies: []
|
14
14
|
description: SRP client and server based on version 6 of the standard
|
15
15
|
email:
|
@@ -18,6 +18,7 @@ executables: []
|
|
18
18
|
extensions: []
|
19
19
|
extra_rdoc_files: []
|
20
20
|
files:
|
21
|
+
- .gitignore
|
21
22
|
- .gitmodules
|
22
23
|
- .travis.yml
|
23
24
|
- Rakefile
|
@@ -45,6 +46,7 @@ files:
|
|
45
46
|
- lib/srp/util.rb
|
46
47
|
- ruby-srp.gemspec
|
47
48
|
- test/auth_test.rb
|
49
|
+
- test/client_session_test.rb
|
48
50
|
- test/client_test.rb
|
49
51
|
- test/fixtures/failed_js_client.json
|
50
52
|
- test/fixtures/failed_js_login.json
|