On 02/13/14 04:52, Hajime Nakagami wrote:
> Thanks Marius and others.
>
> I'm trying to implement the SRP protocol in pure Python.
> But something is wrong in my Python code, I know.
>
> I have found that RemotePassword::getUserHash() returns a different value from
> getUserHash() in srp.py.
> https://github.com/nakagami/pyfirebirdsql/blob/master/firebirdsql/srp.py#L143
>
> For example ...
>
> [Modified source:firebird/src/auth/SecureRemotePassword/srp.cpp]
> BigInteger RemotePassword::getUserHash(const char* account, const char* salt, const char* password)
> {
>     hash.reset();
>     hash.process(account);
>     hash.process(":");
>     hash.process(password);
>     UCharBuffer hash1;
>     hash.getHash(hash1);
>     dumpIt("getUserHash() account", account);
>     dumpIt("getUserHash() salt", salt);
>     dumpIt("getUserHash() password", password);
>     dumpIt("getUserHash() hash1", hash1);
>
>     hash.reset();
>     hash.process(salt);
>     hash.process(hash1);
>     UCharBuffer hash2;
>     hash.getHash(hash2);
>     dumpIt("getUserHash() hash2", hash2);
>     BigInteger rc;
>     hash.getInt(rc);
>     dumpIt("getUserHash() rc", rc);
>
>     return rc;
> }
>
> [Result]
> getUserHash() account: 'SYSDBA'
> getUserHash() salt:
> '2E268803000000079A478A700000002D1A6979000000026E1601C000000054F'
> getUserHash() password: 'masterkey'
> getUserHash() hash1
> e3 95 79 9c 56 52 aa a4 53 62 73 a2 0a a7 40 e2 46 83 5c c4
> getUserHash() hash2
> 98 0c 1c 90 a1 be 65 5f 31 09 3f 56 a9 ef 5c e7 c0 4b 26 2f
> getUserHash() rc: '4DD084A42814499F781537C24753291235DE797C'
>
>
> I think rc seems to be
> 980c1c90a1be655f31093f56a9ef5ce7c04b262f(868036694467267200852895567621828944633719891503L)
> But it is '4DD084A42814499F781537C24753291235DE797C' (equal to
> 0x4DD084A42814499F781537C24753291235DE797C ?)
>
> I don't realize how to convert from hash2 to rc.
> Please let me know the algorithm.
>
You should not call Sha1::getSomething() more than once - it's a
destructive operation.
Look here. The mentioned fragment of code is:

    BigInteger rc;
    hash.getInt(rc);
    dumpIt("getUserHash::rc", rc);
    hash.getInt(rc);
    dumpIt("getUserHash::rc", rc);

Output:

    getUserHash::rc: '980C1C90A1BE655F31093F56A9EF5CE7C04B262F'
    getUserHash::rc: '4DD084A42814499F781537C24753291235DE797C'

It's not hard to make it callable many times, but I see no actual need.
A.
------------------------------------------------------------------------------
Firebird-Devel mailing list, web interface at
https://lists.sourceforge.net/lists/listinfo/firebird-devel
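
Added example, not part of the original messages and not code from Firebird or pyfirebirdsql: a Python 3 rendering of the getUserHash() steps quoted above, in which each digest is finalized once and rc is derived from the stored hash2 bytes, so extra debug dumps cannot change the result. It assumes the salt is hashed as the ASCII text shown in the dump; the function names are illustrative.

```python
import hashlib

# Values as printed in the dump quoted in the thread above.
ACCOUNT = b"SYSDBA"
PASSWORD = b"masterkey"
# Assumption: the salt is hashed as the ASCII text shown in the dump,
# as hash.process(const char*) in the quoted C++ suggests.
SALT = b"2E268803000000079A478A700000002D1A6979000000026E1601C000000054F"


def sha1(*parts):
    """SHA-1 over the concatenation of parts; finalized exactly once."""
    h = hashlib.sha1()
    for part in parts:
        h.update(part)
    return h.digest()


def get_user_hash(account, salt, password):
    """Follow the quoted getUserHash() step by step, keeping each digest."""
    hash1 = sha1(account, b":", password)
    hash2 = sha1(salt, hash1)
    # rc is derived from the stored bytes, so dumping hash2 first cannot
    # change it (big-endian, most significant byte first).
    rc = int.from_bytes(hash2, "big")
    return {"hash1": hash1, "hash2": hash2, "rc": rc}


def read_twice(data):
    """hashlib's digest() does not consume the state: two reads agree."""
    h = hashlib.sha1(data)
    return h.digest(), h.digest()


def dump_bytes(b):
    return " ".join(f"{x:02x}" for x in b)


def dump_int(n):
    return f"{n:X}"


if __name__ == "__main__":
    r = get_user_hash(ACCOUNT, SALT, PASSWORD)
    print("hash1", dump_bytes(r["hash1"]))
    print("hash2", dump_bytes(r["hash2"]))
    print("rc   ", dump_int(r["rc"]))
```

Run as a script, it prints the three values in the same layout as the dump in the thread, for side-by-side comparison with the server's output.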