[DISF-1700] Fix SRP missing implementation

Following the RFC2945, if A % N is zero, the server must abort the authentication.
tipee-sa · Aug 31, 2023 · 4750f07 · 4750f07
1 parent 304482d
commit 4750f07
Show file tree

Hide file tree

Showing 4 changed files with 15 additions and 4 deletions.
diff --git a/dist/session.min.js b/dist/session.min.js
diff --git a/dist/session.min.js.map b/dist/session.min.js.map
diff --git a/lib/session.js b/lib/session.js
@@ -153,12 +153,19 @@ define(['srp', 'jquery', 'otp', 'crypto-js'], function (Srp, jQuery, Otp, Crypto
          *  Valide la clef retournée par le serveur.
          */
         validateKey: function () {
-            var that = this;
+            let that = this,
+                M1 = "";
+
+            try {
+                M1 = this.srp.getM1String();
+            } catch (e) {
+                that.promise.reject();
+            }
 
             jQuery.post(
                 config.tipi_url + 'session/login',
                 {
-                    M1: this.srp.getM1String()
+                    M1: M1
                 }
             ).done(function (data) {
                 if (data.M2 && data.M2 === that.srp.getM2String()) {

diff --git a/lib/srp.js b/lib/srp.js
@@ -292,6 +292,10 @@ define(['bignum', 'crypto-js'], function (Bn, CryptoJS) {
          *  @returns {bignum} S
          */
         getS: function () {
+            if (this.getA().mod(this.N).toString() === "0") {
+                throw new Error('invalid client-supplied \'A\', A % N == 0');
+            }
+
             if (this.S === undefined) {
                 //  B - kg ** x
                 this.S = this.getB().modSub(