Fix client ephemeral key entropy: architectural consistency and validation

Simon Massey · Simon Massey · commit 4aeaea2366e0 · 2025-08-05T16:03:06.000+01:00
This commit resolves a critical architectural inconsistency between client and server ephemeral key generation that resulted in reduced entropy for client keys. Problem: - Client used function pattern: this.N = function() { return new BigInteger(...) } - Server used property pattern: this.N = new BigInteger(...) - randomA(N) was incorrectly passed the constructor function instead of BigInteger - Result: client generated ~252 bits entropy vs server's 2048 bits Solution: - Unified architecture: both client and server now use property pattern - Updated all this.N() calls to this.N property access (7 locations) - Updated all this.g() calls to this.g property access (4 locations) - Fixed randomA() to use this.N internally without parameter - Added input validation to prevent functions in crypto operations - Enhanced build process with JSHint linting Testing: - Client now generates correct 2048-bit ephemeral keys (512 hex chars) - Server maintains 2048-bit generation (consistent behavior) - All existing tests pass with architectural fix - Added entropy validation test to prevent regression Technical Details: - Fixes issue #28: Client ephemeral key generation uses 252 bits instead of 2048 bits - Implements architectural consistency plan from issue #29 - Maintains backward compatibility for all public APIs - No breaking changes to existing functionality
diff --git a/.jshintrc b/.jshintrc
@@ -0,0 +1,41 @@
+{
+  "esversion": 11,
+  "browser": true,
+  "node": true,
+  "strict": false,
+  "undef": false,
+  "unused": false,
+  "predef": [
+    "BigInteger",
+    "randomStrings",
+    "SHA256",
+    "globalThis",
+    "module",
+    "exports",
+    "require",
+    "console",
+    "CryptoJS",
+    "random16byteHex",
+    "define",
+    "self"
+  ],
+  "maxerr": 200,
+  "evil": true,
+  "expr": true,
+  "funcscope": false,
+  "iterator": false,
+  "lastsemic": true,
+  "laxbreak": false,
+  "laxcomma": false,
+  "loopfunc": false,
+  "multistr": false,
+  "onecase": false,
+  "proto": false,
+  "regexdash": false,
+  "scripturl": false,
+  "smarttabs": false,
+  "shadow": true,
+  "sub": false,
+  "supernew": false,
+  "validthis": false
+}
diff --git a/browser.js b/browser.js
@@ -161,20 +161,16 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 	};
 
 	// public helper
-	/* jshint ignore:start */
 	SRP6JavascriptClientSession.prototype.fromHex = function(s) {
 		"use strict";
 		return new BigInteger(""+s, 16); // jdk1.7 rhino requires string concat
 	};
-	/* jshint ignore:end */
 
 	// public helper to hide BigInteger from the linter
-	/* jshint ignore:start */
 	SRP6JavascriptClientSession.prototype.BigInteger = function(string, radix) {
 		"use strict";
 		return new BigInteger(""+string, radix); // jdk1.7 rhino requires string concat
 	};
-	/* jshint ignore:end */
 
 
 	// public getter of the current workflow state. 
@@ -224,9 +220,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		"use strict";
 		var s = null;
 		
-		/* jshint ignore:start */
 		s = randomStrings.hex(32); // 16 bytes
-		/* jshint ignore:end */
 
 		// if you invoke without passing the string parameter the '+' operator uses 'undefined' so no nullpointer risk here
 		var ss = this.H((new Date())+':'+opionalServerSalt+':'+s);
@@ -299,7 +293,6 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		//console.log("SRP6JavascriptClientSession.prototype.computeU");
 		this.check(Astr, "Astr");
 		this.check(Bstr, "Bstr");
-		/* jshint ignore:start */
 		var output = this.H(Astr+Bstr);
 		//console.log("js raw u:"+output);
 		var u = new BigInteger(""+output,16);
@@ -308,16 +301,13 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		throw new Error("SRP6Exception bad shared public value 'u' as u==0");
 		}
 		return u;
-		/* jshint ignore:end */
 	};
 
 	SRP6JavascriptClientSession.prototype.random16byteHex = function() {
 		"use strict";
 
 		var r1 = null;
-		/* jshint ignore:start */
 		r1 = random16byteHex.random();
-		/* jshint ignore:end */
 		return r1;
 	};
 
@@ -413,9 +403,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 
 		var ZERO = null;
 		
-		/* jshint ignore:start */
 		ZERO = BigInteger.ZERO;
-		/* jshint ignore:end */
 		
 		if (this.B.mod(this.N()).equals(ZERO)) {
 			throw new Error("SRP6Exception bad server public value 'B' as B == 0 (mod N)");
diff --git a/client-exports.js b/client-exports.js
@@ -119,7 +119,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 			
 			//console.log("js hash:"+hash)
 			//console.log("js x before modN "+this.fromHex(hash));
-			this.x = this.fromHex(hash).mod(this.N());
+			this.x = this.fromHex(hash).mod(this.N);
 			return this.x;
 		};
 
@@ -149,32 +149,34 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 			this.check(B, "B");
 
 			var exp = u.multiply(x).add(a);
-			var tmp = this.g().modPow(x, this.N()).multiply(k);
-			return B.subtract(tmp).modPow(exp, this.N());
+			var tmp = this.g.modPow(x, this.N).multiply(k);
+			return B.subtract(tmp).modPow(exp, this.N);
 		};
 	}
 
 	// public helper
 	SRP6JavascriptClientSession.prototype.toHex = function(n) {
 		"use strict";
+		if (n === null || n === undefined || typeof n.toString !== 'function') {
+			throw new Error("Invalid parameter for hex conversion: " + typeof n);
+		}
 		return n.toString(16);
 	};
 
 	// public helper
-	/* jshint ignore:start */
 	SRP6JavascriptClientSession.prototype.fromHex = function(s) {
 		"use strict";
+		if (s === null || s === undefined || typeof s !== 'string') {
+			throw new Error("Invalid hex string for BigInteger conversion: " + typeof s);
+		}
 		return new BigInteger(""+s, 16); // jdk1.7 rhino requires string concat
 	};
-	/* jshint ignore:end */
 
 	// public helper to hide BigInteger from the linter
-	/* jshint ignore:start */
 	SRP6JavascriptClientSession.prototype.BigInteger = function(string, radix) {
 		"use strict";
 		return new BigInteger(""+string, radix); // jdk1.7 rhino requires string concat
 	};
-	/* jshint ignore:end */
 
 
 	// public getter of the current workflow state. 
@@ -224,9 +226,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		"use strict";
 		var s = null;
 		
-		/* jshint ignore:start */
 		s = randomStrings.hex(32); // 16 bytes
-		/* jshint ignore:end */
 
 		// if you invoke without passing the string parameter the '+' operator uses 'undefined' so no nullpointer risk here
 		var ss = this.H((new Date())+':'+opionalServerSalt+':'+s);
@@ -249,7 +249,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		// no need to check the parameters as generateX will do this
 		var x = this.generateX(salt, identity, password);
 		//console.log("js x: "+this.toHex(x));
-		this.v = this.g().modPow(x, this.N());
+		this.v = this.g.modPow(x, this.N);
 		//console.log("js v: "+this.toHex(this.v));
 		return this.toHex(this.v);
 	};
@@ -299,7 +299,6 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		//console.log("SRP6JavascriptClientSession.prototype.computeU");
 		this.check(Astr, "Astr");
 		this.check(Bstr, "Bstr");
-		/* jshint ignore:start */
 		var output = this.H(Astr+Bstr);
 		//console.log("js raw u:"+output);
 		var u = new BigInteger(""+output,16);
@@ -308,16 +307,13 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 		throw new Error("SRP6Exception bad shared public value 'u' as u==0");
 		}
 		return u;
-		/* jshint ignore:end */
 	};
 
 	SRP6JavascriptClientSession.prototype.random16byteHex = function() {
 		"use strict";
 
 		var r1 = null;
-		/* jshint ignore:start */
 		r1 = random16byteHex.random();
-		/* jshint ignore:end */
 		return r1;
 	};
 
@@ -330,13 +326,14 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 	 * to the generated random number.
 	 * @param N The safe prime.
 	*/
-	SRP6JavascriptClientSession.prototype.randomA = function(N) {
+	SRP6JavascriptClientSession.prototype.randomA = function() {
 		"use strict";
 
-		//console.log("N:"+N);
+		//console.log("N:"+this.N);
+
 
 		// our ideal number of random  bits to use for `a` as long as its bigger than 256 bits
-		var hexLength = this.toHex(N).length;
+		var hexLength = this.toHex(this.N).length;
 
 		var ZERO = this.BigInteger("0", 10);
 		var ONE = this.BigInteger("1", 10);
@@ -366,7 +363,7 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 			// this protected against a buggy browser random number generated generating a constant value
 			// we mod(N) to wrap to the range [0,N) then loop if we get 0 to give [1,N)
 			// mod(N) is broken due to buggy library code so we workaround with modPow(1,N)
-			r = (oneTimeBi.add(rBi)).modPow(ONE, N);
+			r = (oneTimeBi.add(rBi)).modPow(ONE, this.N);
 		}
 
 		//console.log("r:"+r);
@@ -413,11 +410,9 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 
 		var ZERO = null;
 		
-		/* jshint ignore:start */
 		ZERO = BigInteger.ZERO;
-		/* jshint ignore:end */
 		
-		if (this.B.mod(this.N()).equals(ZERO)) {
+		if (this.B.mod(this.N).equals(ZERO)) {
 			throw new Error("SRP6Exception bad server public value 'B' as B == 0 (mod N)");
 		}
 		
@@ -432,11 +427,11 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 
 		//console.log("N:"+this.toHex(this.N).toString(16));
 
-		this.a = this.randomA(this.N);
+		this.a = this.randomA();
 
 		//console.log("a:" + this.toHex(this.a));
 
-		this.A = this.g().modPow(this.a, this.N());
+		this.A = this.g.modPow(this.a, this.N);
 		//console.log("A:" + this.toHex(this.A));
 		this.check(this.A, "A");
 		
@@ -531,13 +526,9 @@ function srpClientFactory (N_base10, g_base10, k_base16) {
 
     SRP6JavascriptClientSessionSHA256.prototype = new SRP6JavascriptClientSession();
 
-    SRP6JavascriptClientSessionSHA256.prototype.N = function() {
-        return new BigInteger(N_base10, 10);
-    }
+    SRP6JavascriptClientSessionSHA256.prototype.N = new BigInteger(N_base10, 10);
 
-    SRP6JavascriptClientSessionSHA256.prototype.g = function() {
-        return new BigInteger(g_base10, 10);
-    }
+    SRP6JavascriptClientSessionSHA256.prototype.g = new BigInteger(g_base10, 10);
 
     SRP6JavascriptClientSessionSHA256.prototype.H = function (x) {
             return SHA256(x).toString().toLowerCase();
diff --git a/package.json b/package.json
@@ -15,7 +15,8 @@
     "test:e2e:headed": "HEADED=true npm run test:e2e",
     "test:e2e:debug": "DEBUG=true HEADED=true npm run test:e2e",
     "test:e2e:slow": "SLOW=true npm run test:e2e",
-    "build": "npm run build-es && npm run build-server",
+    "build": "npm run build-es && npm run build-server && npm run lint",
+    "lint": "npx jshint client.mjs server.mjs browser.js",
     "build-legacy": "mkdir -p dist && npm run build-es && rollup -c rollup.config.js",
     "test:umd": "npm run build-legacy && npm run build-server && mocha e2e/tests/umd.e2e.test.js --timeout 10000",
     "test:umd:headed": "HEADED=true npm run test:umd",
@@ -54,6 +55,7 @@
     "express": "^5.1.0",
     "jasmine-node": "^1.14.5",
     "jsonfn": "^0.31.0",
+    "jshint": "^2.13.6",
     "mocha": "^11.7.1",
     "puppeteer": "^24.15.0",
     "rollup": "^4.46.2",
diff --git a/server-exports.js b/server-exports.js
@@ -82,7 +82,7 @@ function srpServerFactory (N_base10, g_base10, k_base16) {
       //return {I: this.I, v: this.toHex(this.v), s: this.toHex(this.salt), b: this.toHex(this.b)};
       this.I = obj.I;
       this.v = this.fromHex(obj.v);
-      this.salt = this.fromHex(obj.salt);
+      this.salt = this.fromHex(obj.s);  // Note: stored as 's', not 'salt'
       this.b = this.fromHex(obj.b);
       this.B = this.g.modPow(this.b, this.N).add(this.v.multiply(this.k)).mod(this.N);
       this.state = this.STEP_1;
@@ -92,24 +92,26 @@ function srpServerFactory (N_base10, g_base10, k_base16) {
   // public helper
   SRP6JavascriptServerSession.prototype.toHex = function(n) {
     "use strict";
+    if (n === null || n === undefined || typeof n.toString !== 'function') {
+      throw new Error("Invalid parameter for hex conversion: " + typeof n);
+    }
     return n.toString(16);
   };
 
   // public helper
-  /* jshint ignore:start */
   SRP6JavascriptServerSession.prototype.fromHex = function(s) {
     "use strict";
+    if (s === null || s === undefined || typeof s !== 'string') {
+      throw new Error("Invalid hex string for BigInteger conversion: " + typeof s);
+    }
     return new BigInteger(""+s, 16); // jdk1.7 rhino requires string concat
   };
-  /* jshint ignore:end */
 
   // public helper to hide BigInteger from the linter
-  /* jshint ignore:start */
   SRP6JavascriptServerSession.prototype.BigInteger = function(string, radix) {
     "use strict";
     return new BigInteger(""+string, radix); // jdk1.7 rhino requires string concat
   };
-  /* jshint ignore:end */
 
 
   // public getter of the current workflow state. 
@@ -209,7 +211,6 @@ function srpServerFactory (N_base10, g_base10, k_base16) {
     //console.log("SRP6JavascriptServerSession.prototype.computeU");
     this.check(Astr, "Astr");
     this.check(Bstr, "Bstr");
-    /* jshint ignore:start */
     var output = this.H(Astr+Bstr);
     //console.log("js raw u:"+output);
     var u = new BigInteger(""+output,16);
@@ -218,16 +219,13 @@ function srpServerFactory (N_base10, g_base10, k_base16) {
       throw new Error("SRP6Exception bad shared public value 'u' as u==0");
     }
     return u;
-    /* jshint ignore:end */
   };
 
   SRP6JavascriptServerSession.prototype.random16byteHex = function() {
       "use strict";
 
       var r1 = null;
-      /* jshint ignore:start */
       r1 = random16byteHex.random();
-      /* jshint ignore:end */
       return r1;
   };
 
@@ -242,6 +240,7 @@ function srpServerFactory (N_base10, g_base10, k_base16) {
   SRP6JavascriptServerSession.prototype.randomB = function() {
       "use strict";
 
+
       // our ideal number of random  bits to use for `a` as long as its bigger than 256 bits
       var hexLength = this.toHex(this.N).length;
 
diff --git a/test/testrunner-esm.js b/test/testrunner-esm.js
