Compatibility instructions with 'secure-remote-password' npm package

Question

Compatibility instructions with 'secure-remote-password' npm package

nin-o opened this issue 5 years ago · comments

nin-o commented 5 years ago

Thanks for the hard work on this library.

I noticed this line from the README file:

Based on and is compatible with secure-remote-password npm package by Linus Unnebäck.

We could update the README to explain how to do this (or maybe just having this issue is enough for people to find).

The answer is to do the following:

new SrpServer(new SrpParameters { PaddedLength = 0 })

Alexey Yakovlev · Answer 1 · Wed Dec 04 2019 04:57:53 GMT+0800 (China Standard Time)

Hi @nin-o,

thanks for getting in touch!

The library should be 100% compatible with no tweaks once this PR is merged:

LinusU/secure-remote-password#13

Unfortunately, @LinusU still hasn't merged it yet for some reason. I ended up using git repository URL from this pull request instead of the official npm package in my Javascript projects, so that project.json looks like this:

{
  "name": "whatever",
  "version": "1.2.3",
  "dependencies": {
    "secure-remote-password": "https://github.com/LinusU/secure-remote-password.git#73e5f732b6ca0cdbdc19da1a0c5f48cdbad2cbf0"
  }
}

Please let me know if it works for you.

nin-o · Answer 2 · Thu Dec 05 2019 23:28:18 GMT+0800 (China Standard Time)

Thanks for the quick reply!

Yes we could use the URL to the pull request while we wait for it to be merged.

Do you recommend against setting the padding to 0?

Alexey Yakovlev · Answer 3 · Fri Dec 06 2019 03:24:31 GMT+0800 (China Standard Time)

As far as I remember, padding should be used according to the RFC document.
Most of the other compatible SRP libraries like srptools add this padding, too.
See the related discussion for details.

Daniel Brauer · Answer 4 · Fri Sep 10 2021 12:21:05 GMT+0800 (China Standard Time)

As someone who just spent several hours debugging a client incompatibility, I definitely interpreted “is compatible with” to mean “with default settings”.

I understand that the node version needs updating, but I think it would be worth mentioning the required parameter now. Even once the Node version is gets an update, it would be useful to point out that you need to specify zero padding to work with previous versions.

Alexey Yakovlev · Answer 5 · Sun Sep 12 2021 06:22:22 GMT+0800 (China Standard Time)

Hi @danielbrauer, terribly sorry for the inconvenience.
If you would suggest a correction to the readme, I'd be happy to merge a pull request.

I don't recommend disabling the padding to mimic the wrong behavior of the current version
of the npm package as suggested by the topic starter. The preferable workaround is mentioned above.

Daniel Brauer · Answer 6 · Sun Sep 12 2021 20:18:37 GMT+0800 (China Standard Time)

Hi @yallie, I appreciate the response! SRP just proved difficult to debug the other day because of the random components, and that I couldn't convince VS Mac to show me what was happening in the compiled library. I'm still in far better shape than I would be if you hadn't made this solution. 😄

I'll gladly submit a PR. I understand that updating the npm library is preferable, but do you think it's worth mentioning disabling the padding in the case where the developer does not control the server? With the appropriate caveats, of course.

Alexey Yakovlev · Answer 7 · Sun Sep 12 2021 20:41:30 GMT+0800 (China Standard Time)

do you think it's worth mentioning disabling the padding in the case where the developer does not control the server? With the appropriate caveats, of course.

Yes, you're right, it never occurred to me that sometimes it can be the only option.