Hi Matt , first of all, thanks a lot for this awesome library. It’s been really helpful so far!
I’m currently using it to implement the iCloud SRP login flow. During integration I noticed that Apple’s implementation slightly deviates from the SRP-6a standard.
One difference is in the calculation of x, where the identity is not included. Apple appears to use: x = H(s | H(":" | P))
Since the library fortunately allows overriding the x calculation, I was able to adapt this part cleanly.
However, there is another deviation regarding the computation of M1. Apple expects g to be padded when calculating M1:
M1 = H(H(N) XOR H(PAD(g)) | H(U) | s | A | B | K)
While researching this, I found that the definition of M1 in older SRP specifications wasn't entirely clear, which led to multiple implementations that use a padded g. secure-remote-password/srp.net#19
At the moment, the library does not provide a way to influence the M1 calculation. My first thought was to introduce something like a setM1 hook (similar to the existing ones). However, the current implementation also relies on the internal helper function xorBytes, which is not accessible from the outside. Also given that this is only a very small variation in the formula, introducing a full customization hook might be maybe an overkill.
I looked for other implementations and noticed that the Python library pysrp introduced a dedicated RFC5054 compatibility mode that explicitly enables padding of g in M1:
https://github.com/cocagne/pysrp/blob/2f0211d7965290664af1537a0164dbb82a7270ff/srp/_pysrp.py#L208
Would you consider adding optional support for this kind of RFC5054-style compatibility, for example via a similar configuration flag or hook, or do you have any other ideas?
Also i completely understand if this feature request is out of scope, but since similar variants seem to exist in the wild, it might help others facing the same interoperability issues. :) Thank you!
Hi Matt , first of all, thanks a lot for this awesome library. It’s been really helpful so far!
I’m currently using it to implement the iCloud SRP login flow. During integration I noticed that Apple’s implementation slightly deviates from the SRP-6a standard.
One difference is in the calculation of
x, where the identity is not included. Apple appears to use:x = H(s | H(":" | P))Since the library fortunately allows overriding the
xcalculation, I was able to adapt this part cleanly.However, there is another deviation regarding the computation of
M1. Apple expectsgto be padded when calculatingM1:M1 = H(H(N) XOR H(PAD(g)) | H(U) | s | A | B | K)While researching this, I found that the definition of M1 in older SRP specifications wasn't entirely clear, which led to multiple implementations that use a padded g. secure-remote-password/srp.net#19
At the moment, the library does not provide a way to influence the
M1calculation. My first thought was to introduce something like asetM1hook (similar to the existing ones). However, the current implementation also relies on the internal helper function xorBytes, which is not accessible from the outside. Also given that this is only a very small variation in the formula, introducing a full customization hook might be maybe an overkill.I looked for other implementations and noticed that the Python library pysrp introduced a dedicated RFC5054 compatibility mode that explicitly enables padding of
ginM1:https://github.com/cocagne/pysrp/blob/2f0211d7965290664af1537a0164dbb82a7270ff/srp/_pysrp.py#L208
Would you consider adding optional support for this kind of RFC5054-style compatibility, for example via a similar configuration flag or hook, or do you have any other ideas?
Also i completely understand if this feature request is out of scope, but since similar variants seem to exist in the wild, it might help others facing the same interoperability issues. :) Thank you!