tweb-i2p/src/lib/crypto/srp.ts

import CryptoWorker from "../crypto/cryptoworker";
import {str2bigInt, isZero,
  bigInt2str, powMod, int2bigInt, mult, mod, sub, bitSize, negative, add, greater} from '../../vendor/leemon';

import {logger, LogTypes} from '../logger';
import { AccountPassword, PasswordKdfAlgo } from "../../layer";
import { bufferConcats, bytesToHex, bytesFromHex, bufferConcat, bytesXor } from "../../helpers/bytes";
//import { MOUNT_CLASS_TO } from "../../config/debug";

const log = logger('SRP', LogTypes.Error);

//MOUNT_CLASS_TO && Object.assign(MOUNT_CLASS_TO, {str2bigInt, bigInt2str, int2bigInt});

export async function makePasswordHash(password: string, client_salt: Uint8Array, server_salt: Uint8Array): Promise<number[]> {
  // ! look into crypto_methods.test.ts
  let buffer: any = await CryptoWorker.sha256Hash(bufferConcats(client_salt, new TextEncoder().encode(password), client_salt));
  //log('encoded 1', bytesToHex(new Uint8Array(buffer)));

  buffer = bufferConcats(server_salt, buffer, server_salt);

  buffer = await CryptoWorker.sha256Hash(buffer);
  //log('encoded 2', buffer, bytesToHex(new Uint8Array(buffer)));

  let hash = await CryptoWorker.pbkdf2(new Uint8Array(buffer), client_salt, 100000);
  //log('encoded 3', hash, bytesToHex(new Uint8Array(hash)));

  hash = bufferConcats(server_salt, hash, server_salt);

  buffer = await CryptoWorker.sha256Hash(hash);
  //log('got password hash:', buffer, bytesToHex(new Uint8Array(buffer)));

  return buffer;
}

export async function computeSRP(password: string, state: AccountPassword, isNew: boolean) {
  const algo = (isNew ? state.new_algo : state.current_algo) as PasswordKdfAlgo.passwordKdfAlgoSHA256SHA256PBKDF2HMACSHA512iter100000SHA256ModPow;
  //console.log('computeSRP:', password, state, isNew, algo);

  const p = str2bigInt(bytesToHex(algo.p), 16);
  const B = str2bigInt(bytesToHex(state.srp_B), 16);
  const g = int2bigInt(algo.g, 32, 256);

  //log('p', bigInt2str(p, 16));
  //log('B', bigInt2str(B, 16));

  /* if(B.compareTo(BigInteger.ZERO) < 0) {
    console.error('srp_B < 0')
  }

  if(B.compareTo(p) <= 0) {
    console.error('srp_B <= p');
  } */

  /* let check_prime_and_good = (bytes: any, g: number) => {
    let good_prime = 'c71caeb9c6b1c9048e6c522f70f13f73980d40238e3e21c14934d037563d930f48198a0aa7c14058229493d22530f4dbfa336f6e0ac925139543aed44cce7c3720fd51f69458705ac68cd4fe6b6b13abdc9746512969328454f18faf8c595f642477fe96bb2a941d5bcd1d4ac8cc49880708fa9b378e3c4f3a9060bee67cf9a4a4a695811051907e162753b56b0f6b410dba74d8a84b2a14b3144e0ef1284754fd17ed950d5965b4b9dd46582db1178d169c6bc465b0d6ff9ca3928fef5b9ae4e418fc15e83ebea0f87fa9ff5eed70050ded2849f47bf959d956850ce929851f0d8115f635b105ee2e4e15d04b2454bf6f4fadf034b10403119cd8e3b92fcc5b';
    
    if(bytesToHex(bytes) === good_prime && [3, 4, 5, 7].indexOf(g) !== -1) {
      return true;
    }

    // TO-DO check_prime_and_good_check
  }; */

  //check_prime_and_good(algo.p, g);

  const pw_hash = await makePasswordHash(password, new Uint8Array(algo.salt1), new Uint8Array(algo.salt2));
  const x = str2bigInt(bytesToHex(new Uint8Array(pw_hash)), 16);

  //log('computed pw_hash:', pw_hash, x, bytesToHex(new Uint8Array(pw_hash)));

  const padArray = function(arr: any[], len: number, fill = 0) {
    return new Uint8Array(Array(len).fill(fill).concat(arr).slice(-len));
  };

  const pForHash = padArray(bytesFromHex(bigInt2str(p, 16)), 256);
  const gForHash = padArray(bytesFromHex(bigInt2str(g, 16)), 256); // like uint8array
  const b_for_hash = padArray(bytesFromHex(bigInt2str(B, 16)), 256);

  /* log(bytesToHex(pForHash));
  log(bytesToHex(gForHash));
  log(bytesToHex(b_for_hash)); */

  const v = powMod(g, x, p);

  const flipper = (arr: Uint8Array | number[]) => {
    const out = new Uint8Array(arr.length);
    for(let i = 0; i < arr.length; i += 4) {
      out[i] = arr[i + 3];
      out[i + 1] = arr[i + 2];
      out[i + 2] = arr[i + 1];
      out[i + 3] = arr[i];
    }
  
    return out;
  };

  // * https://core.telegram.org/api/srp#setting-a-new-2fa-password
  if(isNew) {
    const bytes = bytesFromHex(bigInt2str(v, 16));
    return padArray(/* (isBigEndian ? bytes.reverse() : bytes) */bytes, 256);
  }

  //log('g_x', bigInt2str(g_x, 16));

  let k: any = await CryptoWorker.sha256Hash(bufferConcat(pForHash, gForHash));
  k = str2bigInt(bytesToHex(new Uint8Array(k)), 16);

  //log('k', bigInt2str(k, 16));

  // kg_x = (k * g_x) % p
  const k_v = mod(mult(k, v), p);

  // good

  //log('kg_x', bigInt2str(kg_x, 16));

  const is_good_mod_exp_first = (modexp: any, prime: any) => {
    const diff = sub(prime, modexp);
    const min_diff_bits_count = 2048 - 64;
    const max_mod_exp_size = 256;
    if(negative(diff) ||
      bitSize(diff) < min_diff_bits_count || 
      bitSize(modexp) < min_diff_bits_count || 
      Math.floor((bitSize(modexp) + 7) / 8) > max_mod_exp_size)
        return false;
    return true;
  };

  const generate_and_check_random = async() => {
    while(true) {
      const a = str2bigInt(bytesToHex(flipper(state.secure_random)), 16);
      //const a = str2bigInt('9153faef8f2bb6da91f6e5bc96bc00860a530a572a0f45aac0842b4602d711f8bda8d59fb53705e4ae3e31a3c4f0681955425f224297b8e9efd898fec22046debb7ba8a0bcf2be1ada7b100424ea318fdcef6ccfe6d7ab7d978c0eb76a807d4ab200eb767a22de0d828bc53f42c5a35c2df6e6ceeef9a3487aae8e9ef2271f2f6742e83b8211161fb1a0e037491ab2c2c73ad63c8bd1d739de1b523fe8d461270cedcf240de8da75f31be4933576532955041dc5770c18d3e75d0b357df9da4a5c8726d4fced87d15752400883dc57fa1937ac17608c5446c4774dcd123676d683ce3a1ab9f7e020ca52faafc99969822717c8e07ea383d5fb1a007ba0d170cb', 16);

      //console.log('ITERATION');

      //log('g a p', bigInt2str(g, 16), bigInt2str(a, 16), bigInt2str(p, 16));

      const A = powMod(g, a, p);
      //log('A MODPOW', bigInt2str(A, 16));
      if(is_good_mod_exp_first(A, p)) {
        const a_for_hash = bytesFromHex(bigInt2str(A, 16));

        const s: any = await CryptoWorker.sha256Hash(
          bufferConcat(new Uint8Array(a_for_hash), new Uint8Array(b_for_hash)));
        const u = str2bigInt(bytesToHex(new Uint8Array(s)), 16);
        if(!isZero(u) && !negative(u))
          return {a, a_for_hash, u};
      } 
    }
  }
    

  let {a, a_for_hash, u} = await generate_and_check_random();

  /* log('a', bigInt2str(a, 16));
  log('a_for_hash', bytesToHex(a_for_hash));
  log('u', bigInt2str(u, 16)); */

  // g_b = (B - kg_x) % p
  /* log('B - kg_x', bigInt2str(sub(B, kg_x), 16));
  log('subtract', bigInt2str(B, 16), bigInt2str(kg_x, 16));
  log('B - kg_x', bigInt2str(sub(B, kg_x), 16)); */

  let g_b;
  if(!greater(B, k_v)) {
    //log('negative');
    g_b = add(B, p);
  } else g_b = B;
  g_b = mod(sub(g_b, k_v), p);
  /* let g_b = sub(B, kg_x);
  if(negative(g_b)) g_b = add(g_b, p); */
  
  //log('g_b', bigInt2str(g_b, 16));

  /* if(!is_good_mod_exp_first(g_b, p))
    throw new Error('bad g_b'); */

  let ux = mult(u, x);
  //log('u and x multiply', bigInt2str(u, 16), bigInt2str(x, 16), bigInt2str(ux, 16));
  let a_ux = add(a, ux);
  let S = powMod(g_b, a_ux, p);

  let K = await CryptoWorker.sha256Hash(padArray(bytesFromHex(bigInt2str(S, 16)), 256));

  //log('K', bytesToHex(K), new Uint32Array(new Uint8Array(K).buffer));

  let h1 = await CryptoWorker.sha256Hash(pForHash);
  let h2 = await CryptoWorker.sha256Hash(gForHash);
  h1 = bytesXor(new Uint8Array(h1), new Uint8Array(h2));

  let buff = bufferConcats(h1, 
    await CryptoWorker.sha256Hash(algo.salt1),
    await CryptoWorker.sha256Hash(algo.salt2),
    a_for_hash,
    b_for_hash,
    K
  );

  let M1: any = await CryptoWorker.sha256Hash(buff);

  let out = {
    _: 'inputCheckPasswordSRP', 
    srp_id: state.srp_id, 
    A: new Uint8Array(a_for_hash), 
    M1: new Uint8Array(M1) 
  };


  //log('out', bytesToHex(out.A), bytesToHex(out.M1));
  return out;
  
  /* console.log(gForHash, pForHash, bForHash); */
}