On 04/12/2020 16:03, Dimitry Sibiryakov wrote:
04.12.2020 16:20, Mark Rotteveel wrote:
After closer inspection, I found the issue. The SHA-1 hash of DAVIDS is 00AD377F8297F04FD83DFDBF48AABF316850862F. Seeing that leading zero, I guessed that might be part of the problem. After stripping the leading zero from the user hash in Jaybird, the authentication succeeds.

The roundtrip from hash bytes to BigInteger back to bytes as hash input (in RemotePassword::clientProof (srp.cpp) and makeProof (srp.h)), probably strips any leading zero byte(s).

So the question now is whether it is a bug in the Firebird Srp implementation or the Jaybird one. I would say the former.
Does the same problem exist with Firebird SRP and SHA-256? This uses a different codebase to SHA-1, so it would be interesting to know whether the problem is specific to SHA-1. It also begs the question: if you are serious about SRP security then why are you still using SHA-1?

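The failure mode discussed in this thread, as an added illustration (this is not Firebird's srp.cpp/srp.h code nor Jaybird's code): a digest that happens to start with a 0x00 byte is converted to a big integer and back. A minimal-width encoding (what Java's BigInteger.toByteArray or a shortest-form conversion produces) drops the leading zero, so the bytes fed into the proof hash are one byte shorter than the original digest and the proof no longer matches. The hash value is the one quoted above; the `proof` layout (hash over user hash concatenated with some other material) is an assumption made only for the demonstration, not the SRP proof formula.

```python
import hashlib

# User hash quoted in the thread: 20 bytes, first byte is 0x00.
USER_HASH_HEX = "00AD377F8297F04FD83DFDBF48AABF316850862F"


def minimal_bytes(value: int) -> bytes:
    """Shortest big-endian encoding of a non-negative integer.

    This mirrors what a BigInteger-style round trip does: leading zero
    bytes of the original byte string cannot be represented in the
    integer, so they are gone when it is converted back.
    """
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")


def fixed_bytes(value: int, length: int) -> bytes:
    """Big-endian encoding left-padded to a fixed width (keeps leading zeros)."""
    return value.to_bytes(length, "big")


def roundtrip_minimal(digest: bytes) -> bytes:
    """bytes -> int -> bytes using the shortest encoding (lossy for leading 0x00)."""
    return minimal_bytes(int.from_bytes(digest, "big"))


def roundtrip_fixed(digest: bytes) -> bytes:
    """bytes -> int -> bytes padded back to the digest length (lossless)."""
    return fixed_bytes(int.from_bytes(digest, "big"), len(digest))


def leading_zero_bytes(digest: bytes) -> int:
    """Number of leading 0x00 bytes, i.e. how many bytes a minimal round trip drops."""
    return len(digest) - len(digest.lstrip(b"\x00"))


def proof(user_hash: bytes, other: bytes) -> str:
    """Hypothetical proof: SHA-1 over the user hash followed by other material.

    Only the input bytes matter for this demonstration; the real SRP
    client proof hashes more values, but the same concatenation step is
    where a dropped byte changes the result.
    """
    return hashlib.sha1(user_hash + other).hexdigest()


if __name__ == "__main__":
    digest = bytes.fromhex(USER_HASH_HEX)
    other = b"constructed-other-proof-input"  # constructed, stands in for salt/keys
    print("leading zero bytes:", leading_zero_bytes(digest))
    print("minimal round trip:", roundtrip_minimal(digest).hex().upper(), len(roundtrip_minimal(digest)))
    print("fixed   round trip:", roundtrip_fixed(digest).hex().upper(), len(roundtrip_fixed(digest)))
    print("proof (minimal):", proof(roundtrip_minimal(digest), other))
    print("proof (fixed):  ", proof(roundtrip_fixed(digest), other))
```

Both sides of the exchange compute the same integer, so the bug is invisible whenever the digest does not start with 0x00 (about 255 of every 256 users) and only shows up for the unlucky ones, which is why it looks like a per-user authentication failure. The defensive fix is on whichever side converts back to bytes: always pad to the digest length (here `roundtrip_fixed`) rather than taking the shortest encoding.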

Firebird-Devel mailing list, web interface at 
https://lists.sourceforge.net/lists/listinfo/firebird-devel
