From 85c9bdba5541ca83d6a064e54869c8950a03910f Mon Sep 17 00:00:00 2001 From: Kabir Oberai Date: Mon, 4 Nov 2024 21:14:48 -0500 Subject: [PATCH 1/2] Fix handling of s2k_fo --- Xcodes/AppleAPI/Sources/AppleAPI/Client.swift | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift b/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift index 0826472d..ef43d131 100644 --- a/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift +++ b/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift @@ -54,7 +54,7 @@ public class Client { let iterations = srpInit.iteration do { - guard let encryptedPassword = self.pbkdf2(password: password, saltData: decodedSalt, keyByteCount: 32, prf: CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds: iterations) else { + guard let encryptedPassword = self.pbkdf2(password: password, saltData: decodedSalt, keyByteCount: 32, prf: CCPseudoRandomAlgorithm(kCCPRFHmacAlgSHA256), rounds: iterations, protocol: srpInit.protocol) else { return Fail(error: AuthenticationError.srpInvalidPublicKey) .eraseToAnyPublisher() } @@ -308,9 +308,13 @@ public class Client { return Data(hash) } - private func pbkdf2(password: String, saltData: Data, keyByteCount: Int, prf: CCPseudoRandomAlgorithm, rounds: Int) -> Data? { + private func pbkdf2(password: String, saltData: Data, keyByteCount: Int, prf: CCPseudoRandomAlgorithm, rounds: Int, protocol srpProtocol: SRPProtocol) -> Data? { guard let passwordData = password.data(using: .utf8) else { return nil } - let hashedPasswordData = sha256(data: passwordData) + let hashedPasswordDataRaw = sha256(data: passwordData) + let hashedPasswordData = switch srpProtocol { + case .s2k: hashedPasswordDataRaw + case .s2k_fo: Data(hashedPasswordDataRaw.hexEncodedString().lowercased().utf8) + } var derivedKeyData = Data(repeating: 0, count: keyByteCount) let derivedCount = derivedKeyData.count @@ -584,6 +588,7 @@ public struct ServerSRPInitResponse: Decodable { let salt: String let b: String let c: String + let `protocol`: SRPProtocol } From 8654756d67280a4db34072af4a8facd26f5b6864 Mon Sep 17 00:00:00 2001 From: Kabir Oberai Date: Mon, 4 Nov 2024 21:21:12 -0500 Subject: [PATCH 2/2] comment --- Xcodes/AppleAPI/Sources/AppleAPI/Client.swift | 1 + 1 file changed, 1 insertion(+) diff --git a/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift b/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift index ef43d131..1e8e4735 100644 --- a/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift +++ b/Xcodes/AppleAPI/Sources/AppleAPI/Client.swift @@ -313,6 +313,7 @@ public class Client { let hashedPasswordDataRaw = sha256(data: passwordData) let hashedPasswordData = switch srpProtocol { case .s2k: hashedPasswordDataRaw + // the legacy s2k_fo protocol requires hex-encoding the digest before performing PBKDF2. case .s2k_fo: Data(hashedPasswordDataRaw.hexEncodedString().lowercased().utf8) }