Skip to content

use native BigInt instead of the big-integer library#385

Open
mariuz wants to merge 17 commits intomasterfrom
native_BigInt
Open

use native BigInt instead of the big-integer library#385
mariuz wants to merge 17 commits intomasterfrom
native_BigInt

Conversation

@mariuz
Copy link
Copy Markdown
Collaborator

@mariuz mariuz commented Feb 18, 2026
edited
Loading

use native BigInt instead of the big-integer library. This removes the dependency and uses the performant modPow implementation

Changes in lib/srp.js
Removed require('big-integer').
Replaced BigInt(val, 16) with BigInt('0x' + val).
Replaced library methods (.multiply, .add, .mod, etc.) with native operators (*, +, %).
Added the modPow helper function at the end of the file.
Updated toBigInt and toBuffer helpers to handle native BigInt.

Changes in test/srp.js
Removed require('big-integer').
Updated test vectors to use native BigInt syntax (prefixed with 0x).
Replaced .equals() assertions with strict equality ===.

https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt

mariuz added 10 commits February 18, 2026 16:54
@mariuz
use native BigInt instead of the big-integer library
ab2a37e
@mariuz
Explicitly convert A, B, and private keys (a/b) to BigInt at the entr…
f51511d 
…y points (clientProof and serverSession
@mariuz
Restore robustness (preventing the crash), we need to explicitly hand…
5eee171 
…le number inputs in toBigInt.
@mariuz
Detect Float-like Strings and safe conversions
49e84e2
@mariuz
Fix serverSession: Updated to calculate x (user hash) and apply the (…
80ce22b 
…u * x) % PRIME.N reduction, ensuring it matches the logic in clientSession and the Firebird engine.
@mariuz
use fixed Server key for tests
6205497
@mariuz
Modify serverSession to accept an optional a parameter. If provided, …
1b9b3c8 
…it calculates the session secret using the reduced exponent logic
@mariuz
compare it to cpp implementation
9852962
@mariuz
serverSession must be updated to match the client's behavior by expli…
e7ca6c9 
…citly calculating x and applying the modulo reduction to the exponent
@mariuz
add debug true for srp
77c228f
@mariuz mariuz marked this pull request as draft February 18, 2026 17:36
@mariuz
modify toBigInt to only treat strings as floating-point numbers if th…
fe98c66 
…ey contain a decimal point . or if they are NOT valid hexadecimal strings.
@mariuz
Added a timeout to the SRP attachment test to prevent it from hanging…
809f0c7 
… indefinitely if authentication stalls. add math formulas to the debug logs , remove big-integer that caused the issue where big-integer objects were being converted to decimal strings and then incorrectly parsed as hex by srp.js, causing authentication failures and timeouts.
@mariuz
Copy link
Copy Markdown
Collaborator Author

mariuz commented Feb 18, 2026

The authentication failure was caused by a conflict between the big-integer library and JavaScript's native BigInt implementation, leading to data corruption in the SRP key exchange.

The Root Causes
Variable Shadowing: In lib/wire/connection.js, the line const BigInt = require('big-integer'); shadowed the global native BigInt constructor. This meant that when the code called BigInt(...), it created a big-integer library object instead of a native primitive.

Incorrect Hex Parsing: When parsing the server's public key:

javascript
public: BigInt('0x' + d.buffer.slice(...).toString('utf8'))
The big-integer library defaults to base-10 (decimal) parsing. Passing a string starting with 0x to it often results in 0 or incorrect parsing, whereas native BigInt correctly interprets the 0x prefix as hexadecimal.

Data Corruption via String Conversion: Even if the big-integer object held the correct value, passing it to lib/srp.js caused corruption. The toBigInt helper in test/srp.js converts inputs to strings:

javascript
const str = String(hex); // big-integer.toString() returns DECIMAL (base 10)
return BigInt('0x' + str); // Interprets those DECIMAL digits as HEX
Example:

Value: 16
big-integer string: "16"
test/srp.js interpretation: 0x16 (which is 22 in decimal)
This mismatch meant the client and server were using mathematically different keys, causing the proof verification to fail.

The Fix
Removing the big-integer dependency allows connection.js to use the native BigInt implementation, ensuring consistent hexadecimal parsing and compatibility with test/srp.js).

@mariuz mariuz marked this pull request as ready for review February 18, 2026 21:27
@mariuz
remove big-integer from packages.json
2fb5b71
@mariuz
While a (private key) is typically small (32 bytes) compared to N (12…
abaae84 
…8 bytes), making overflow unlikely, applying the modulo ensures consistency with the Firebird implementation and other clients.
@mariuz
enable SRP256 test , use the specified hash algorithm (SHA-256 for Sr…
eae8b8c 
…p256) when generating the session key K, instead of hardcoding sha1. This ensures compatibility with Firebird's Srp256 implementation. test/srp.js was updated to pass the algorithm to serverSession to match the client behavior during tests
@mariuz
enable SRP256 in FIREBIRD_CONF_AuthServer , also fixes test that indi…
57e74db 
…cates that the Firebird server running in the CI environment is not configured to support the Srp256 authentication plugin (it likely only supports Legacy_Auth or Srp).
Copilot AI mentioned this pull request Feb 19, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@mariuz