Mozilla shared secret proof

adam-fowler · adam-fowler · commit 7b37f4d290bd · 2024-10-30T00:07:10.000Z
diff --git a/Sources/SRP/client.swift b/Sources/SRP/client.swift
@@ -39,11 +39,11 @@ public struct SRPClient<H: HashFunction> {
     
     /// return shared secret given the username, password, B value and salt from the server
     /// - Parameters:
-    ///   - username: user identifier
-    ///   - password: password
-    ///   - salt: salt
-    ///   - clientKeys: client public/private keys
-    ///   - serverPublicKey: server public key
+    ///   - username: user identifier (I)
+    ///   - password: password (p)
+    ///   - salt: salt (s)
+    ///   - clientKeys: client public/private keys (A,a)
+    ///   - serverPublicKey: server public key (B)
     /// - Throws: `nullServerKey`
     /// - Returns: shared secret
     public func calculateSharedSecret(username: String, password: String, salt: [UInt8], clientKeys: SRPKeyPair, serverPublicKey: SRPKey) throws -> SRPKey {
@@ -54,10 +54,10 @@ public struct SRPClient<H: HashFunction> {
     
     /// return shared secret given a binary password, B value and salt from the server
     /// - Parameters:
-    ///   - password: password
-    ///   - salt: salt
-    ///   - clientKeys: client public/private keys
-    ///   - serverPublicKey: server public key
+    ///   - password: password (p)
+    ///   - salt: salt (s)
+    ///   - clientKeys: client public/private keys (A,a)
+    ///   - serverPublicKey: server public key (B)
     /// - Throws: `nullServerKey`
     /// - Returns: shared secret
     public func calculateSharedSecret(password: [UInt8], salt: [UInt8], clientKeys: SRPKeyPair, serverPublicKey: SRPKey) throws -> SRPKey {
@@ -66,40 +66,56 @@ public struct SRPClient<H: HashFunction> {
         return SRPKey(sharedSecret)
     }
     
-    /// calculate proof of shared secret to send to server
+    /// calculate proof of shared secret to send to server.
+    /// 
+    /// There doesn't seem to be any agreement on the simple version of the client/server proof. 
+    /// Some versions use K (H(S)) instead of S, some pad all values regardless of whether their
+    /// source is a hash or a big num. This is a simple version of the client proof as used by
+    /// the mozilla srp library https://github.com/mozilla/node-srp
+    /// 
     /// - Parameters:
-    ///   - clientPublicKey: client public key
-    ///   - serverPublicKey: server public key
-    ///   - sharedSecret: shared secret
+    ///   - clientPublicKey: client public key (A)
+    ///   - serverPublicKey: server public key (B)
+    ///   - sharedSecret: shared secret (S)
     /// - Returns: The client verification code which should be passed to the server
-    public func calculateSimpleClientProof(clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) -> [UInt8] {
+    public func calculateMozillaClientProof(clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) -> [UInt8] {
         // get verification code
-        return SRP<H>.calculateSimpleClientProof(clientPublicKey: clientPublicKey, serverPublicKey: serverPublicKey, sharedSecret: sharedSecret, padding: configuration.sizeN)
+        return SRP<H>.calculateMozillaClientProof(clientPublicKey: clientPublicKey, serverPublicKey: serverPublicKey, sharedSecret: sharedSecret, padding: configuration.sizeN)
     }
     
-    /// If the server returns that the client verification code was valiid it will also return a server verification code that the client can use to verify the server is correct
-    ///
+    /// If the server returns that the client verification code was valid it will also return 
+    /// a server verification code that the client can use to verify the server is correct
+    /// 
+    /// There doesn't seem to be any agreement on the simple version of the client/server proof. 
+    /// Some versions use K (H(S)) instead of S, some pad all values regardless of whether their
+    /// source is a hash or a big num. This is a simple version of the server proof as used by
+    /// the mozilla srp library https://github.com/mozilla/node-srp
+    /// 
     /// - Parameters:
-    ///   - code: Verification code returned by server
-    ///   - state: Authentication state
+    ///   - serverProof: Proof returned by server (M2)
+    ///   - clientProof: Proof created by client (M1)
+    ///   - clientKeys: client public key (A,a)
+    ///   - sharedSecret: shared secret (S)
     /// - Throws: `requiresVerificationKey`, `invalidServerCode`
-    public func verifySimpleServerProof(serverProof: [UInt8], clientProof: [UInt8], clientKeys: SRPKeyPair, sharedSecret: SRPKey) throws {
+    public func verifyMozillaServerProof(serverProof: [UInt8], clientProof: [UInt8], clientKeys: SRPKeyPair, sharedSecret: SRPKey) throws {
         // get out version of server proof
-        let HAMS = SRP<H>.calculateSimpleServerVerification(clientPublicKey: clientKeys.public, clientProof: clientProof, sharedSecret: sharedSecret, padding: configuration.sizeN)
+        let hashSharedSecret = [UInt8](H.hash(data: sharedSecret.bytes(padding: configuration.sizeN)))
+        let HAMK = SRP<H>.calculateMozillaServerVerification(clientPublicKey: clientKeys.public, clientProof: clientProof, hashSharedSecret: hashSharedSecret, padding: configuration.sizeN)
         // is it the same
-        guard serverProof == HAMS else { throw SRPClientError.invalidServerCode }
+        guard serverProof == HAMK else { throw SRPClientError.invalidServerCode }
     }
 
     /// calculate proof of shared secret to send to server
+    /// 
+    /// This is the client proof detailed in https://www.rfc-editor.org/rfc/rfc2945
     /// - Parameters:
-    ///   - username: username
-    ///   - salt: The salt value associated with the user returned by the server
-    ///   - clientPublicKey: client public key
-    ///   - serverPublicKey: server public key
-    ///   - sharedSecret: shared secret
+    ///   - username: username (I)
+    ///   - salt: The salt value associated with the user returned by the server (s)
+    ///   - clientPublicKey: client public key (A)
+    ///   - serverPublicKey: server public key (B)
+    ///   - sharedSecret: shared secret (S)
     /// - Returns: The client verification code which should be passed to the server
     public func calculateClientProof(username: String, salt: [UInt8], clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) -> [UInt8] {
-
         let hashSharedSecret = [UInt8](H.hash(data: sharedSecret.bytes(padding: configuration.sizeN)))
 
         // get verification code
@@ -110,24 +126,26 @@ public struct SRPClient<H: HashFunction> {
     /// verification code that the client can use to verify the server is correct. This is the calculation 
     /// to verify it is correct
     ///
+    /// This is the server proof detailed in https://www.rfc-editor.org/rfc/rfc2945
     /// - Parameters:
-    ///   - clientPublicKey: Client public key
-    ///   - clientProof: Client proof
-    ///   - sharedSecret: Shared secret
+    ///   - clientPublicKey: Client public key (A)
+    ///   - clientProof: Client proof (M1)
+    ///   - sharedSecret: Shared secret (M2)
     public func calculateServerProof(clientPublicKey: SRPKey, clientProof: [UInt8], sharedSecret: SRPKey) -> [UInt8] {
         let hashSharedSecret = [UInt8](H.hash(data: sharedSecret.bytes(padding: configuration.sizeN)))
-        // get out version of server proof
+        // get our version of server proof
         return SRP<H>.calculateServerVerification(clientPublicKey: clientPublicKey, clientProof: clientProof, hashSharedSecret: hashSharedSecret, padding: configuration.sizeN)
     }
     
     /// If the server returns that the client verification code was valid it will also return a server 
     /// verification code that the client can use to verify the server is correct
     ///
+    /// This is the client/server proof detailed in https://www.rfc-editor.org/rfc/rfc2945
     /// - Parameters:
-    ///   - clientProof: Server proof
-    ///   - clientProof: Client proof
-    ///   - clientKeys: Client keys
-    ///   - sharedSecret: Shared secret
+    ///   - clientProof: Server proof (M2)
+    ///   - clientProof: Client proof (M1)
+    ///   - clientKeys: Client keys (A,a)
+    ///   - sharedSecret: Shared secret (S)
     /// - Throws: `requiresVerificationKey`, `invalidServerCode`
     public func verifyServerProof(serverProof: [UInt8], clientProof: [UInt8], clientKeys: SRPKeyPair, sharedSecret: SRPKey) throws {
         // get our version of server proof
@@ -141,8 +159,8 @@ public struct SRPClient<H: HashFunction> {
     /// server never knows your password so can never leak it.
     ///
     /// - Parameters:
-    ///   - username: username
-    ///   - password: user password
+    ///   - username: username (I)
+    ///   - password: user password (p)
     /// - Returns: tuple containing salt and password verifier
     public func generateSaltAndVerifier(username: String, password: String) -> (salt: [UInt8], verifier: SRPKey) {
         let salt = [UInt8].random(count: 16)
diff --git a/Sources/SRP/server.swift b/Sources/SRP/server.swift
@@ -47,9 +47,9 @@ public struct SRPServer<H: HashFunction> {
 
     /// calculate the shared secret
     /// - Parameters:
-    ///   - clientPublicKey: public key received from client
-    ///   - serverKeys: server key pair
-    ///   - verifier: password verifier
+    ///   - clientPublicKey: public key received from client (A)
+    ///   - serverKeys: server key pair (B,b)
+    ///   - verifier: password verifier (v)
     /// - Returns: shared secret
     public func calculateSharedSecret(clientPublicKey: SRPKey, serverKeys: SRPKeyPair, verifier: SRPKey) throws -> SRPKey {
         guard clientPublicKey.number % configuration.N != BigNum(0) else { throw SRPServerError.nullClientKey }
@@ -63,35 +63,44 @@ public struct SRPServer<H: HashFunction> {
         return SRPKey(S)
     }
 
-    /// verify proof that client has shared secret and return a server verification proof. If verification fails a `invalidClientCode` error is thrown
+    /// verify proof that client has shared secret and return a server verification proof. If verification 
+    /// fails a `invalidClientCode` error is thrown
+    /// 
+    /// There doesn't seem to be any agreement on the simple version of the client/server proof. 
+    /// Some versions use K (H(S)) instead of S, some pad all values regardless of whether their
+    /// source is a hash or a big num. This is a simple version of the client/server proof as used by
+    /// the mozilla srp library https://github.com/mozilla/node-srp
     ///
     /// - Parameters:
-    ///   - proof: Client proof
-    ///   - clientPublicKey: Client public key
-    ///   - serverPublicKey: Server public key
-    ///   - sharedSecret: Shared secret
+    ///   - proof: Client proof (M1)
+    ///   - clientPublicKey: Client public key (A)
+    ///   - serverPublicKey: Server public key (B)
+    ///   - sharedSecret: Shared secret (S)
     /// - Throws: invalidClientCode
     /// - Returns: The server verification code
-    public func verifySimpleClientProof(proof: [UInt8], clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) throws -> [UInt8] {
-        let clientProof = SRP<H>.calculateSimpleClientProof(
+    public func verifyMozillaClientProof(proof: [UInt8], clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) throws -> [UInt8] {
+        let clientProof = SRP<H>.calculateMozillaClientProof(
             clientPublicKey: clientPublicKey,
             serverPublicKey: serverPublicKey,
             sharedSecret: sharedSecret, 
             padding: configuration.sizeN
         )
         guard clientProof == proof else { throw SRPServerError.invalidClientProof }
-        return SRP<H>.calculateSimpleServerVerification(clientPublicKey: clientPublicKey, clientProof: clientProof, sharedSecret: sharedSecret, padding: configuration.sizeN)
+        let hashSharedSecret = [UInt8](H.hash(data: sharedSecret.bytes(padding: configuration.sizeN)))
+        return SRP<H>.calculateMozillaServerVerification(clientPublicKey: clientPublicKey, clientProof: clientProof, hashSharedSecret: hashSharedSecret, padding: configuration.sizeN)
     }
 
-    /// verify proof that client has shared secret and return a server verification proof. If verification fails a `invalidClientCode` error is thrown
+    /// verify proof that client has shared secret and return a server verification proof. If verification 
+    /// fails a `invalidClientCode` error is thrown
     ///
+    /// This is the client/server proof detailed in https://www.rfc-editor.org/rfc/rfc2945
     /// - Parameters:
-    ///   - code: verification code sent by user
-    ///   - username: username
-    ///   - salt: salt stored with user
-    ///   - clientPublicKey: Client public key
-    ///   - serverPublicKey: Server public key
-    ///   - sharedSecret: Shared secret
+    ///   - code: verification code sent by user (M1)
+    ///   - username: username (I)
+    ///   - salt: salt stored with user (s)
+    ///   - clientPublicKey: Client public key (A)
+    ///   - serverPublicKey: Server public key (B)
+    ///   - sharedSecret: Shared secret (S)
     /// - Throws: invalidClientCode
     /// - Returns: The server verification code
     public func verifyClientProof(proof: [UInt8], username: String, salt: [UInt8], clientPublicKey: SRPKey, serverPublicKey: SRPKey, sharedSecret: SRPKey) throws -> [UInt8] {
diff --git a/Sources/SRP/srp.swift b/Sources/SRP/srp.swift
@@ -9,8 +9,8 @@ public struct SRP<H: HashFunction> {
         BigNum(bytes: [UInt8].init(H.hash(data: clientPublicKey + serverPublicKey)))
     }
     
-    /// Calculate a simpler client verification code H(A | B | S)
-    static func calculateSimpleClientProof(
+    /// Calculate client verification code H(A | B | S) as used by Mozilla
+    static func calculateMozillaClientProof(
         clientPublicKey: SRPKey,
         serverPublicKey: SRPKey,
         sharedSecret: SRPKey,
@@ -20,14 +20,14 @@ public struct SRP<H: HashFunction> {
         return [UInt8](HABK)
     }
     
-    /// Calculate a simpler client verification code H(A | M1 | S)
-    static func calculateSimpleServerVerification(
+    /// Calculate a server verification code H(A | M1 | K) as used by Mozilla
+    static func calculateMozillaServerVerification(
         clientPublicKey: SRPKey,
         clientProof: [UInt8],
-        sharedSecret: SRPKey,
+        hashSharedSecret: [UInt8],
         padding: Int
     ) -> [UInt8] {
-        let HABK = H.hash(data: clientPublicKey.bytes(padding: padding) + clientProof.pad(to: padding) + sharedSecret.bytes(padding: padding))
+        let HABK = H.hash(data: clientPublicKey.bytes(padding: padding) + clientProof + hashSharedSecret)
         return [UInt8](HABK)
     }
 
diff --git a/Tests/SRPTests/SRPTests.swift b/Tests/SRPTests/SRPTests.swift
@@ -65,6 +65,35 @@ final class SRPTests: XCTestCase {
         }
     }
 
+    func testMozillaVerifySRP<H: HashFunction>(configuration: SRPConfiguration<H>) {
+        let username = "adamfowler"
+        let password = "testpassword"
+        let client = SRPClient<H>(configuration: configuration)
+        let server = SRPServer<H>(configuration: configuration)
+
+        let (salt, verifier) = client.generateSaltAndVerifier(username: username, password: password)
+
+        do {
+            // client initiates authentication
+            let clientKeys = client.generateKeys()
+            // provides the server with an A value and username from which it gets the password verifier.
+            // server initiates authentication
+            let serverKeys = server.generateKeys(verifier: verifier)
+            // server passes back B value and a salt which was attached to the user
+            // client calculates verification code from username, password, current authenticator state, B and salt
+            let clientSharedSecret = try client.calculateSharedSecret(username: username, password: password, salt: salt, clientKeys: clientKeys, serverPublicKey: serverKeys.public)
+            let clientProof = client.calculateMozillaClientProof(clientPublicKey: clientKeys.public, serverPublicKey: serverKeys.public, sharedSecret: clientSharedSecret)
+            // client passes proof key to server
+            // server validates the key and then returns a server validation key
+            let serverSharedSecret = try server.calculateSharedSecret(clientPublicKey: clientKeys.public, serverKeys: serverKeys, verifier: verifier)
+            let serverProof = try server.verifyMozillaClientProof(proof: clientProof, clientPublicKey: clientKeys.public, serverPublicKey: serverKeys.public, sharedSecret: serverSharedSecret)
+            // client verifies server validation key
+            try client.verifyMozillaServerProof(serverProof: serverProof, clientProof: clientProof, clientKeys: clientKeys, sharedSecret: clientSharedSecret)
+        } catch {
+            XCTFail("\(error)")
+        }
+    }
+
     func testVerifySRP() {
         testVerifySRP(configuration: SRPConfiguration<SHA256>(.N1024))
         testVerifySRP(configuration: SRPConfiguration<SHA256>(.N1536))
@@ -79,6 +108,16 @@ final class SRPTests: XCTestCase {
         testVerifySRP(configuration: SRPConfiguration<SHA384>(N: BigNum(37), g: BigNum(3)))
     }
 
+    func testVerifyMozillaSRP() {
+        testMozillaVerifySRP(configuration: SRPConfiguration<SHA256>(.N1024))
+        testMozillaVerifySRP(configuration: SRPConfiguration<SHA256>(.N1536))
+        testMozillaVerifySRP(configuration: SRPConfiguration<SHA256>(.N2048))
+        testMozillaVerifySRP(configuration: SRPConfiguration<SHA256>(.N3072))
+        testMozillaVerifySRP(configuration: SRPConfiguration<Insecure.SHA1>(.N4096))
+        testMozillaVerifySRP(configuration: SRPConfiguration<Insecure.SHA1>(.N6144))
+        testMozillaVerifySRP(configuration: SRPConfiguration<Insecure.SHA1>(.N8192))
+    }
+
     func testClientSessionProof() {
         // Cannot find the source for these test vectors so can't verify correctness
         let configuration = SRPConfiguration<Insecure.SHA1>(.N1024)
@@ -173,7 +212,7 @@ final class SRPTests: XCTestCase {
 
         XCTAssertEqual(sharedSecret.hex, "92aaf0f527906aa5e8601f5d707907a03137e1b601e04b5a1deb02a981f4be037b39829a27dba50f1b27545ff2e28729c2b79dcbdd32c9d6b20d340affab91a626a8075806c26fe39df91d0ad979f9b2ee8aad1bc783e7097407b63bfe58d9118b9b0b2a7c5c4cdebaf8e9a460f4bf6247b0da34b760a59fac891757ddedcaf08eed823b090586c63009b2d740cc9f5397be89a2c32cdcfe6d6251ce11e44e6ecbdd9b6d93f30e90896d2527564c7eb9ff70aa91acc0bac1740a11cd184ffb989554ab58117c2196b353d70c356160100ef5f4c28d19f6e59ea2508e8e8aac6001497c27f362edbafb25e0f045bfdf9fb02db9c908f10340a639fe84c31b27")
 
-        let clientProof = client.calculateSimpleClientProof(clientPublicKey: SRPKey(A), serverPublicKey: SRPKey(B), sharedSecret: SRPKey(sharedSecret))
+        let clientProof = client.calculateMozillaClientProof(clientPublicKey: SRPKey(A), serverPublicKey: SRPKey(B), sharedSecret: SRPKey(sharedSecret))
 
         XCTAssertEqual(clientProof.hexdigest(), "27949ec1e0f1625633436865edb037e23eb6bf5cb91873f2a2729373c2039008")
     }
