aboutsummaryrefslogtreecommitdiffstats
path: root/lib/crypto
diff options
context:
space:
mode:
authorPaul Guyot <[email protected]>2014-05-15 16:29:34 +0200
committerPaul Guyot <[email protected]>2014-05-15 16:38:12 +0200
commiteee8d83ad1766b038b16102eb2006eaa7c21b4e5 (patch)
treec8f7734ed17a3f1dab16be45c8b2215be60e897a /lib/crypto
parent5ade234d37600ea80dbb309f431c615937ea253d (diff)
downloadotp-eee8d83ad1766b038b16102eb2006eaa7c21b4e5.tar.gz
otp-eee8d83ad1766b038b16102eb2006eaa7c21b4e5.tar.bz2
otp-eee8d83ad1766b038b16102eb2006eaa7c21b4e5.zip
Fix bug in SRP implementation
SRP didn't work with smaller primes as user secret was improperly computed. Formula is: (B - (k * g^x)) ^ (a + (u * x)) % N Previously, the code computed a + (u * x) % N instead of a + (u * x). a typically is a 256 bits random number (RFC 5054 says it should be at least 256 bits), u and x are SHA1 signatures (160 bits). So a + (u * x) can differ from a + (u * x) % N for N primes smaller than 320 bits.
Diffstat (limited to 'lib/crypto')
-rw-r--r--lib/crypto/c_src/crypto.c4
-rw-r--r--lib/crypto/test/crypto_SUITE.erl28
2 files changed, 29 insertions, 3 deletions
diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 3020cadc56..a2868850d7 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -2892,8 +2892,8 @@ static ERL_NIF_TERM srp_user_secret_nif(ErlNifEnv* env, int argc, const ERL_NIF_
/* a + (u * x) */
bn_exp2 = BN_new();
- BN_mod_mul(bn_result, bn_u, bn_exponent, bn_prime, bn_ctx);
- BN_mod_add(bn_exp2, bn_a, bn_result, bn_prime, bn_ctx);
+ BN_mul(bn_result, bn_u, bn_exponent, bn_ctx);
+ BN_add(bn_exp2, bn_a, bn_result);
/* (B - (k * g^x)) ^ (a + (u * x)) % N */
BN_mod_exp(bn_result, bn_base, bn_exp2, bn_prime, bn_ctx);
diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
index 479c947029..03aa3964a5 100644
--- a/lib/crypto/test/crypto_SUITE.erl
+++ b/lib/crypto/test/crypto_SUITE.erl
@@ -690,7 +690,7 @@ group_config(ecdsa = Type, Config) ->
SignVerify = [{Type, sha, Public, Private, Msg}],
[{sign_verify, SignVerify} | Config];
group_config(srp, Config) ->
- GenerateCompute = [srp3(), srp6(), srp6a()],
+ GenerateCompute = [srp3(), srp6(), srp6a(), srp6a_smaller_prime()],
[{generate_compute, GenerateCompute} | Config];
group_config(ecdh, Config) ->
Compute = ecdh(),
@@ -1496,6 +1496,32 @@ srp6() ->
ClientPublic = crypto:mod_pow(Generator, ClientPrivate, Prime),
srp(ClientPrivate, Generator, Prime, Version, Verifier, ServerPublic, ServerPrivate, UserPassHash, Scrambler, SessionKey).
+
+srp6a_smaller_prime() ->
+ Username = <<"alice">>,
+ Password = <<"password123">>,
+ Salt = <<"mystrongsalt">>,
+ Prime = hexstr2bin("894B645E89E1535BBDAD5B8B290650530801B18EBFBF5E8FAB3C82872A3E9BB7"),
+ Generator = <<7>>,
+ Version = '6a',
+ Scrambler = hexstr2bin("18DE4A002AD05EF464B19AE2B6929F9B1319C7AA"),
+ Verifier = hexstr2bin("867401D5DE10964768184EAF246B322760C847604075FA66A4423907"
+ "8428BCA5"),
+ ClientPrivate = hexstr2bin("C49F832EE8D67ECF9E7F2785EB0622D8B3FE2344C00F96E1AEF4103C"
+ "A44D51F9"),
+ ServerPrivate = hexstr2bin("6C78CCEAAEC15E69068A87795B2A20ED7B45CFC5A254EBE2F17F144A"
+ "4D99DB18"),
+ ClientPublic = hexstr2bin("2452A57166BBBF690DB77539BAF9C57CD1ED99D5AA15ED925AD9B5C3"
+ "64BBEDFF"),
+ ServerPublic = hexstr2bin("2C0464DE84B91E4963A3546CAC0EFE55F31F49208C3F0AD7EE55F444"
+ "8F38BA7F"),
+
+ SessionKey = hexstr2bin("65581B2302580BD26F522A5A421CF969B9CCBCE4051196B034A2A9D22065D848"),
+ UserPassHash = crypto:hash(sha, [Salt, crypto:hash(sha, [Username, <<$:>>, Password])]),
+ Verifier = crypto:mod_pow(Generator, UserPassHash, Prime),
+ ClientPublic = crypto:mod_pow(Generator, ClientPrivate, Prime),
+ srp(ClientPrivate, Generator, Prime, Version, Verifier, ServerPublic, ServerPrivate, UserPassHash, Scrambler, SessionKey).
+
srp6a() ->
Username = <<"alice">>,
Password = <<"password123">>,