You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
118 lines
2.8 KiB
118 lines
2.8 KiB
package srp |
|
|
|
import ( |
|
"crypto/sha256" |
|
"crypto/sha512" |
|
"math/big" |
|
|
|
"github.com/go-faster/errors" |
|
"golang.org/x/crypto/pbkdf2" |
|
) |
|
|
|
// Hash computes user password hash using parameters from server. |
|
// |
|
// See https://core.telegram.org/api/srp#checking-the-password-with-srp. |
|
func (s SRP) Hash(password, srpB, random []byte, i Input) (Answer, error) { |
|
p := s.bigFromBytes(i.P) |
|
if err := checkInput(i.G, p); err != nil { |
|
return Answer{}, errors.Wrap(err, "validate algo") |
|
} |
|
|
|
g := big.NewInt(int64(i.G)) |
|
// It is safe to use FillBytes directly because we know that 64-bit G always smaller than |
|
// 256-bit destination array. |
|
var gBytes [256]byte |
|
g.FillBytes(gBytes[:]) |
|
|
|
// random 2048-bit number a |
|
a := s.bigFromBytes(random) |
|
|
|
// `g_a = pow(g, a) mod p` |
|
ga, ok := s.pad256FromBig(s.bigExp(g, a, p)) |
|
if !ok { |
|
return Answer{}, errors.New("g_a is too big") |
|
} |
|
|
|
// `g_b = srp_B` |
|
gb := s.pad256(srpB) |
|
|
|
// `u = H(g_a | g_b)` |
|
u := s.bigFromBytes(s.hash(ga[:], gb[:])) |
|
|
|
// `x = PH2(password, salt1, salt2)` |
|
// `v = pow(g, x) mod p` |
|
x, v := s.computeXV(password, i.Salt1, i.Salt2, g, p) |
|
|
|
// `k = (k * v) mod p` |
|
k := s.bigFromBytes(s.hash(i.P, gBytes[:])) |
|
|
|
// `k_v = (k * v) % p` |
|
kv := k.Mul(k, v).Mod(k, p) |
|
|
|
// `t = (g_b - k_v) % p` |
|
t := s.bigFromBytes(srpB) |
|
if t.Sub(t, kv).Cmp(big.NewInt(0)) == -1 { |
|
t.Add(t, p) |
|
} |
|
|
|
// `s_a = pow(t, a + u * x) mod p` |
|
sa, ok := s.pad256FromBig(s.bigExp(t, u.Mul(u, x).Add(u, a), p)) |
|
if !ok { |
|
return Answer{}, errors.New("s_a is too big") |
|
} |
|
|
|
// `k_a = H(s_a)` |
|
ka := sha256.Sum256(sa[:]) |
|
|
|
// `M1 = H(H(p) xor H(g) | H2(salt1) | H2(salt2) | g_a | g_b | k_a)` |
|
xorHpHg := xor32(sha256.Sum256(i.P), sha256.Sum256(gBytes[:])) |
|
M1 := s.hash( |
|
xorHpHg[:], |
|
s.hash(i.Salt1), |
|
s.hash(i.Salt2), |
|
ga[:], |
|
gb[:], |
|
ka[:], |
|
) |
|
|
|
return Answer{ |
|
A: ga[:], |
|
M1: M1, |
|
}, nil |
|
} |
|
|
|
// The main hashing function H is sha256: |
|
// |
|
// H(data) := sha256(data) |
|
func (s SRP) hash(data ...[]byte) []byte { |
|
h := sha256.New() |
|
for i := range data { |
|
h.Write(data[i]) |
|
} |
|
return h.Sum(nil) |
|
} |
|
|
|
// The salting hashing function SH is defined as follows: |
|
// |
|
// SH(data, salt) := H(salt | data | salt) |
|
func (s SRP) saltHash(data, salt []byte) []byte { |
|
return s.hash(salt, data, salt) |
|
} |
|
|
|
// The primary password hashing function is defined as follows: |
|
// |
|
// PH1(password, salt1, salt2) := SH(SH(password, salt1), salt2) |
|
func (s SRP) primary(password, salt1, salt2 []byte) []byte { |
|
return s.saltHash(s.saltHash(password, salt1), salt2) |
|
} |
|
|
|
// The secondary password hashing function is defined as follows: |
|
// |
|
// PH2(password, salt1, salt2) := SH(pbkdf2(sha512, PH1(password, salt1, salt2), salt1, 100000), salt2) |
|
func (s SRP) secondary(password, salt1, salt2 []byte) []byte { |
|
return s.saltHash(s.pbkdf2(s.primary(password, salt1, salt2), salt1, 100000), salt2) |
|
} |
|
|
|
func (s SRP) pbkdf2(ph1, salt1 []byte, n int) []byte { |
|
return pbkdf2.Key(ph1, salt1, n, 64, sha512.New) |
|
}
|
|
|