1 //! SRP client implementation.
4 //! First create SRP client struct by passing to it SRP parameters (shared
5 //! between client and server) and randomly generated `a`:
8 //! use srp::groups::G_2048;
11 //! let mut a = [0u8; 64];
12 //! rng.fill_bytes(&mut a);
13 //! let client = SrpClient::<Sha256>::new(&a, &G_2048);
16 //! Next send handshake data (username and `a_pub`) to the server and receive
17 //! `salt` and `b_pub`:
20 //! let a_pub = client.get_a_pub();
21 //! let (salt, b_pub) = conn.send_handshake(username, a_pub);
24 //! Compute private key using `salt` with any password hashing function.
25 //! You can use method from SRP-6a, but it's recommended to use specialized
26 //! password hashing algorithm instead (e.g. PBKDF2, argon2 or scrypt).
27 //! Next create verifier instance, note that `get_verifier` consumes client and
28 //! can return error in case of malicious `b_pub`.
31 //! let private_key = srp_private_key::<Sha256>(username, password, salt);
32 //! let verifier = client.get_verifier(&private_key, &b_pub)?;
35 //! Finally verify the server: first generate user proof,
36 //! send it to the server and verify server proof in the reply. Note that
37 //! `verify_server` method will return error in case of incorrect server reply.
40 //! let user_proof = verifier.get_proof();
41 //! let server_proof = conn.send_proof(user_proof);
42 //! let key = verifier.verify_server(server_proof)?;
45 //! `key` contains shared secret key between user and the server. Alternatively
46 //! you can directly extract shared secret key using `get_key()` method and
47 //! handle authentication through different (secure!) means (e.g. by using
48 //! authenticated cipher mode).
50 //! For user registration on the server first generate salt (e.g. 32 bytes long)
51 //! and get password verifier which depends on private key. Send useranme, salt
52 //! and password verifier over protected channel to protect against
53 //! Man-in-the-middle (MITM) attack for registration.
56 //! let pwd_verifier = client.get_password_verifier(&private_key);
57 //! conn.send_registration_data(username, salt, pwd_verifier);
59 use std::marker::PhantomData;
61 use digest::{Digest, Output};
62 use num_bigint::BigUint;
64 use crate::tools::powm;
65 use crate::types::{SrpAuthError, SrpGroup};
67 /// SRP client state before handshake with the server.
68 pub struct SrpClient<'a, D: Digest> {
77 /// SRP client state after handshake with the server.
78 pub struct SrpClientVerifier<D: Digest> {
80 server_proof: Output<D>,
84 /// Compute user private key as described in the RFC 5054. Consider using proper
85 /// password hashing algorithm instead.
86 pub fn srp_private_key<D: Digest>(username: &[u8], password: &[u8], salt: &[u8]) -> Output<D> {
96 d.update(p.as_slice());
100 impl<'a, D: Digest> SrpClient<'a, D> {
101 /// Create new SRP client instance.
102 pub fn new(a: &[u8], params: &'a SrpGroup) -> Self {
103 let a = BigUint::from_bytes_be(a);
104 let a_pub = params.powm(&a);
110 d: Default::default(),
114 /// Get password verfier for user registration on the server
115 pub fn get_password_verifier(&self, private_key: &[u8]) -> Vec<u8> {
116 let x = BigUint::from_bytes_be(private_key);
117 let v = self.params.powm(&x);
121 fn calc_key(&self, b_pub: &BigUint, x: &BigUint, u: &BigUint) -> Output<D> {
122 let n = &self.params.n;
123 let k = self.params.compute_k::<D>();
124 let interm = (k * self.params.powm(x)) % n;
125 // Because we do operation in modulo N we can get: (kv + g^b) < kv
126 let v = if *b_pub > interm {
127 (b_pub - &interm) % n
129 (n + b_pub - &interm) % n
131 // S = |B - kg^x| ^ (a + ux)
132 let s = powm(&v, &(&self.a + (u * x) % n), n);
133 D::digest(&s.to_bytes_be())
136 /// Process server reply to the handshake.
137 pub fn process_reply(
141 ) -> Result<SrpClientVerifier<D>, SrpAuthError> {
143 let mut d = D::new();
144 d.update(&self.a_pub.to_bytes_be());
146 let h = d.finalize();
147 BigUint::from_bytes_be(h.as_slice())
150 let b_pub = BigUint::from_bytes_be(b_pub);
152 // Safeguard against malicious B
153 if &b_pub % &self.params.n == BigUint::default() {
154 return Err(SrpAuthError {
155 description: "Malicious b_pub value",
159 let x = BigUint::from_bytes_be(private_key);
160 let key = self.calc_key(&b_pub, &x, &u);
163 let mut d = D::new();
164 d.update(&self.a_pub.to_bytes_be());
165 d.update(&b_pub.to_bytes_be());
172 let mut d = D::new();
173 d.update(&self.a_pub.to_bytes_be());
179 Ok(SrpClientVerifier {
186 /// Process server reply to the handshake with username and salt.
187 pub fn process_reply_with_username_and_salt(
193 ) -> Result<SrpClientVerifier<D>, SrpAuthError> {
195 let mut d = D::new();
196 d.update(&self.a_pub.to_bytes_be());
198 let h = d.finalize();
199 BigUint::from_bytes_be(h.as_slice())
202 let b_pub = BigUint::from_bytes_be(b_pub);
204 // Safeguard against malicious B
205 if &b_pub % &self.params.n == BigUint::default() {
206 return Err(SrpAuthError {
207 description: "Malicious b_pub value",
211 let x = BigUint::from_bytes_be(private_key);
212 let key = self.calc_key(&b_pub, &x, &u);
213 // M1 = H(H(N)^H(g), H(I), salt, A, B, K)
215 let mut d = D::new();
217 let h = d.finalize_reset();
218 let I: &[u8] = h.as_slice();
220 d.update(self.params.compute_hash_n_xor_hash_g::<D>());
223 d.update(&self.a_pub.to_bytes_be());
224 d.update(&b_pub.to_bytes_be());
225 d.update(&key.to_vec());
228 let x = proof.to_vec().as_slice();
232 let mut d = D::new();
233 d.update(&self.a_pub.to_bytes_be());
239 Ok(SrpClientVerifier {
246 /// Get public ephemeral value for handshaking with the server.
247 pub fn get_a_pub(&self) -> Vec<u8> {
248 self.a_pub.to_bytes_be()
252 impl<D: Digest> SrpClientVerifier<D> {
253 /// Get shared secret key without authenticating server, e.g. for using with
254 /// authenticated encryption modes. DO NOT USE this method without
255 /// some kind of secure authentication
256 pub fn get_key(self) -> Output<D> {
260 /// Verification data for sending to the server.
261 pub fn get_proof(&self) -> Output<D> {
265 /// Verify server reply to verification data. It will return shared secret
266 /// key in case of success.
267 pub fn verify_server(self, reply: &[u8]) -> Result<Output<D>, SrpAuthError> {
268 if self.server_proof.as_slice() != reply {
270 description: "Incorrect server proof",