Verifier generator bug

Issue #10 resolved
Vladimir Dzhuvinov created an issue

Reported by Daniel N, email:

Hi,

I have tested the Nimbus SRP lib and I found a bug in the "public BigInteger generateVerifier(final BigInteger salt, final String userID, final String password)" method in SRP6VerifierGenerator.java

The type conversion of the salt from BigInteger to byte[] is not removing the sign bit, which causes the verifier v to be calculated wrongly.

The code below solves the problem; I have tested it against the SRP Test Vectors in RFC 5054:

    public BigInteger generateVerifier(final BigInteger salt, final String userID, final String password) {

        byte[] userIDBytes = null;

        if (userID != null)
            userIDBytes = userID.getBytes(Charset.forName("UTF-8"));

        // BigInteger.toByteArray() prepends a 0x00 sign byte when the top bit
        // of the magnitude is set; drop it so the salt is hashed as unsigned bytes.
        byte[] salt_arr = salt.toByteArray();
        if (salt_arr[0] == 0) {
            byte[] tmp = new byte[salt_arr.length - 1];
            System.arraycopy(salt_arr, 1, tmp, 0, tmp.length);
            salt_arr = tmp;
        }

        return generateVerifier(salt_arr, userIDBytes, password.getBytes(Charset.forName("UTF-8")));
    }

BR Daniel
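An added example (not Daniel's code and not the Nimbus library's) that shows why the sign byte matters: it computes x = H(s | H(I ":" P)) as RFC 5054 defines it, once with the raw output of BigInteger.toByteArray() and once with the sign byte stripped, using the salt, identity and password from the RFC 5054 Appendix B test vector. The class name, helper names and the choice of SHA-1 are assumptions of this example.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Arrays;

public class SaltSignByteDemo {

    // Strip the leading 0x00 that BigInteger.toByteArray() adds when the
    // magnitude's top bit is set, so the salt hashes as an unsigned value.
    // The length > 1 guard keeps BigInteger.ZERO as a single 0x00 byte
    // instead of an empty array.
    static byte[] toUnsignedBytes(BigInteger n) {
        byte[] signed = n.toByteArray();
        if (signed.length > 1 && signed[0] == 0) {
            return Arrays.copyOfRange(signed, 1, signed.length);
        }
        return signed;
    }

    // x = H(s | H(I | ":" | P)) with H = SHA-1, as defined in RFC 5054.
    static BigInteger computeX(byte[] salt, String userID, String password) throws Exception {
        MessageDigest sha1 = MessageDigest.getInstance("SHA-1");
        byte[] inner = sha1.digest((userID + ":" + password).getBytes(StandardCharsets.UTF_8));
        sha1.reset();
        sha1.update(salt);
        sha1.update(inner);
        return new BigInteger(1, sha1.digest());
    }

    public static void main(String[] args) throws Exception {
        // Salt, identity and password from the RFC 5054 Appendix B test vector.
        // The first salt byte is 0xBE, so toByteArray() yields 17 bytes, not 16.
        BigInteger salt = new BigInteger("BEB25379D1A8581EB5A727673A2441EE", 16);
        String userID = "alice";
        String password = "password123";

        byte[] signedSalt = salt.toByteArray();      // 0x00 followed by the 16 salt bytes
        byte[] unsignedSalt = toUnsignedBytes(salt); // the 16 salt bytes the vector intends

        System.out.println("toByteArray() length: " + signedSalt.length);
        System.out.println("unsigned length:      " + unsignedSalt.length);

        BigInteger xSigned = computeX(signedSalt, userID, password);
        BigInteger xUnsigned = computeX(unsignedSalt, userID, password);
        System.out.println("x (sign byte kept):     " + xSigned.toString(16));
        System.out.println("x (sign byte stripped): " + xUnsigned.toString(16));
        System.out.println("values differ: " + !xSigned.equals(xUnsigned));
    }
}
```

Only the stripped variant can match the x listed in RFC 5054 Appendix B. Note that a BigInteger also cannot preserve genuine leading 0x00 bytes of a fixed-length salt, so carrying the salt as byte[] end to end avoids both problems.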
