1 //! SRP client implementation.
4 //! First create SRP client struct by passing to it SRP parameters (shared
5 //! between client and server).
7 //! You can use SHA1 from SRP-6a, but it's highly recommended to use specialized
8 //! password hashing algorithm instead (e.g. PBKDF2, argon2 or scrypt).
11 //! use crate::srp::groups::G_2048;
12 //! use sha2::Sha256; // Note: You should probably use a proper password KDF
13 //! # use crate::srp::client::SrpClient;
15 //! let client = SrpClient::<Sha256>::new(&G_2048);
18 //! Next send handshake data (username and `a_pub`) to the server and receive
19 //! `salt` and `b_pub`:
22 //! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
23 //! # fn server_response()-> (Vec<u8>, Vec<u8>) { (vec![], vec![]) }
25 //! let mut a = [0u8; 64];
26 //! // rng.fill_bytes(&mut a);
27 //! let a_pub = client.compute_public_ephemeral(&a);
28 //! let (salt, b_pub) = server_response();
31 //! Process the server response and create verifier instance.
32 //! process_reply can return error in case of malicious `b_pub`.
35 //! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
36 //! # let a = [0u8; 64];
37 //! # let username = b"username";
38 //! # let password = b"password";
39 //! # let salt = b"salt";
40 //! # let b_pub = b"b_pub";
42 //! let private_key = (username, password, salt);
43 //! let verifier = client.process_reply(&a, username, password, salt, b_pub);
46 //! Finally verify the server: first generate user proof,
47 //! send it to the server and verify server proof in the reply. Note that
48 //! `verify_server` method will return error in case of incorrect server reply.
51 //! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
52 //! # let verifier = client.process_reply(b"", b"", b"", b"", b"1").unwrap();
53 //! # fn send_proof(_: &[u8]) -> Vec<u8> { vec![173, 202, 13, 26, 207, 73, 0, 46, 121, 238, 48, 170, 96, 146, 60, 49, 88, 76, 12, 184, 152, 76, 207, 220, 140, 205, 190, 189, 117, 6, 131, 63] }
55 //! let client_proof = verifier.proof();
56 //! let server_proof = send_proof(client_proof);
57 //! verifier.verify_server(&server_proof).unwrap();
60 //! `key` contains shared secret key between user and the server. You can extract shared secret
61 //! key using `key()` method.
63 //! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
64 //! # let verifier = client.process_reply(b"", b"", b"", b"", b"1").unwrap();
70 //! For user registration on the server first generate salt (e.g. 32 bytes long)
71 //! and get password verifier which depends on private key. Send username, salt
72 //! and password verifier over protected channel to protect against
73 //! Man-in-the-middle (MITM) attack for registration.
76 //! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
77 //! # let username = b"username";
78 //! # let password = b"password";
79 //! # let salt = b"salt";
80 //! # fn send_registration_data(_: &[u8], _: &[u8], _: &[u8]) {}
82 //! let pwd_verifier = client.compute_verifier(username, password, salt);
83 //! send_registration_data(username, salt, &pwd_verifier);
86 use std::marker::PhantomData;
88 use digest::{Digest, Output};
89 use num_bigint::BigUint;
90 use subtle::ConstantTimeEq;
92 use crate::types::{SrpAuthError, SrpGroup};
93 use crate::utils::{compute_k, compute_m1, compute_m2, compute_u};
95 /// SRP client state before handshake with the server.
96 pub struct SrpClient<'a, D: Digest> {
101 /// SRP client state after handshake with the server.
102 pub struct SrpClientVerifier<D: Digest> {
108 impl<'a, D: Digest> SrpClient<'a, D> {
109 /// Create new SRP client instance.
110 pub fn new(params: &'a SrpGroup) -> Self {
113 d: Default::default(),
117 pub fn compute_a_pub(&self, a: &BigUint) -> BigUint {
118 self.params.g.modpow(a, &self.params.n)
121 // H(<username> | ":" | <raw password>)
122 pub fn compute_identity_hash(username: &[u8], password: &[u8]) -> Output<D> {
123 let mut d = D::new();
130 // x = H(<salt> | H(<username> | ":" | <raw password>))
131 pub fn compute_x(identity_hash: &[u8], salt: &[u8]) -> BigUint {
132 let mut x = D::new();
134 x.update(identity_hash);
135 BigUint::from_bytes_be(&x.finalize())
138 // (B - (k * g^x)) ^ (a + (u * x)) % N
139 pub fn compute_premaster_secret(
148 let base = (k * (self.params.g.modpow(x, &self.params.n))) % &self.params.n;
149 // Because we do operation in modulo N we can get: b_pub > base. That's not good. So we add N to b_pub to make sure.
151 let base = ((&self.params.n + b_pub) - &base) % &self.params.n;
152 let exp = (u * x) + a;
153 // S = (B - kg^x) ^ (a + ux)
156 base.modpow(&exp, &self.params.n)
160 pub fn compute_v(&self, x: &BigUint) -> BigUint {
161 self.params.g.modpow(x, &self.params.n)
164 /// Get password verifier (v in RFC5054) for user registration on the server.
165 pub fn compute_verifier(&self, username: &[u8], password: &[u8], salt: &[u8]) -> Vec<u8> {
166 let identity_hash = Self::compute_identity_hash(username, password);
167 let x = Self::compute_x(identity_hash.as_slice(), salt);
168 self.compute_v(&x).to_bytes_be()
171 /// Get public ephemeral value for handshaking with the server.
173 pub fn compute_public_ephemeral(&self, a: &[u8]) -> Vec<u8> {
174 self.compute_a_pub(&BigUint::from_bytes_be(a)).to_bytes_be()
177 /// Process server reply to the handshake.
178 /// a is a random value,
179 /// username, password is supplied by the user
180 /// salt and b_pub come from the server
181 pub fn process_reply(
188 ) -> Result<SrpClientVerifier<D>, SrpAuthError> {
189 let a = BigUint::from_bytes_be(a);
190 let a_pub = self.compute_a_pub(&a);
191 let b_pub = BigUint::from_bytes_be(b_pub);
193 // Safeguard against malicious B
194 if &b_pub % &self.params.n == BigUint::default() {
195 return Err(SrpAuthError::IllegalParameter("b_pub".to_owned()));
198 let u = compute_u::<D>(&a_pub.to_bytes_be(), &b_pub.to_bytes_be());
199 let k = compute_k::<D>(self.params);
200 let identity_hash = Self::compute_identity_hash(username, password);
201 let x = Self::compute_x(identity_hash.as_slice(), salt);
203 let key = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);
205 let m1 = compute_m1::<D>(
206 &a_pub.to_bytes_be(),
207 &b_pub.to_bytes_be(),
211 let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, &key.to_bytes_be());
213 Ok(SrpClientVerifier {
216 key: key.to_bytes_be(),
221 impl<D: Digest> SrpClientVerifier<D> {
222 /// Get shared secret key without authenticating server, e.g. for using with
223 /// authenticated encryption modes. DO NOT USE this method without
224 /// some kind of secure authentication
225 pub fn key(&self) -> &[u8] {
229 /// Verification data for sending to the server.
230 pub fn proof(&self) -> &[u8] {
234 /// Verify server reply to verification data.
235 pub fn verify_server(&self, reply: &[u8]) -> Result<(), SrpAuthError> {
236 if self.m2.ct_eq(reply).unwrap_u8() != 1 {
238 Err(SrpAuthError::BadRecordMac("server".to_owned()))