1 //! SRP server implementation
4 //! First receive user's username and public value `a_pub`, retrieve from a
5 //! database the salt and verifier for a given username. Generate `b` and public value `b_pub`.
9 //! use crate::srp::groups::G_2048;
10 //! use sha2::Sha256; // Note: You should probably use a proper password KDF
11 //! # use crate::srp::server::SrpServer;
12 //! # fn get_client_request()-> (Vec<u8>, Vec<u8>) { (vec![], vec![])}
13 //! # fn get_user(_: &[u8])-> (Vec<u8>, Vec<u8>) { (vec![], vec![])}
15 //! let server = SrpServer::<Sha256>::new(&G_2048);
16 //! let (username, a_pub) = get_client_request();
17 //! let (salt, v) = get_user(&username);
18 //! let mut b = [0u8; 64];
19 //! // rng.fill_bytes(&mut b);
20 //! let b_pub = server.compute_public_ephemeral(&b, &v);
23 //! Next send to user `b_pub` and `salt` from user record
25 //! Next process the user response:
28 //! # let server = crate::srp::server::SrpServer::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
29 //! # fn get_client_response() -> Vec<u8> { vec![1] }
30 //! # let b = [0u8; 64];
33 //! let a_pub = get_client_response();
34 //! let verifier = server.process_reply(&b, v, &a_pub).unwrap();
38 //! And finally receive user proof, verify it and send server proof in the
42 //! # let server = crate::srp::server::SrpServer::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
43 //! # let verifier = server.process_reply(b"", b"", b"1").unwrap();
44 //! # fn get_client_proof()-> Vec<u8> { vec![26, 80, 8, 243, 111, 162, 238, 171, 208, 237, 207, 46, 46, 137, 44, 213, 105, 208, 84, 224, 244, 216, 103, 145, 14, 103, 182, 56, 242, 4, 179, 57] };
45 //! # fn send_proof(_: &[u8]) { };
47 //! let client_proof = get_client_proof();
48 //! verifier.verify_client(&client_proof).unwrap();
49 //! send_proof(verifier.proof());
53 //! `key` contains shared secret key between user and the server. You can extract shared secret
54 //! key using `key()` method.
56 //! # let server = crate::srp::server::SrpServer::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
57 //! # let verifier = server.process_reply(b"", b"", b"1").unwrap();
62 use std::marker::PhantomData;
64 use digest::{Digest, Output};
65 use num_bigint::BigUint;
66 use subtle::ConstantTimeEq;
68 use crate::types::{SrpAuthError, SrpGroup};
69 use crate::utils::{compute_k, compute_m1, compute_m2, compute_u};
72 pub struct SrpServer<'a, D: Digest> {
77 /// SRP server state after handshake with the client.
78 pub struct SrpServerVerifier<D: Digest> {
84 impl<'a, D: Digest> SrpServer<'a, D> {
85 /// Create new server state.
86 pub fn new(params: &'a SrpGroup) -> Self {
89 d: Default::default(),
94 pub fn compute_b_pub(&self, b: &BigUint, k: &BigUint, v: &BigUint) -> BigUint {
95 let inter = (k * v) % &self.params.n;
96 (inter + self.params.g.modpow(b, &self.params.n)) % &self.params.n
99 // <premaster secret> = (A * v^u) ^ b % N
100 pub fn compute_premaster_secret(
108 let base = (a_pub * v.modpow(u, &self.params.n)) % &self.params.n;
109 base.modpow(b, &self.params.n)
112 /// Get public ephemeral value for sending to the client.
113 pub fn compute_public_ephemeral(&self, b: &[u8], v: &[u8]) -> Vec<u8> {
115 &BigUint::from_bytes_be(b),
116 &compute_k::<D>(self.params),
117 &BigUint::from_bytes_be(v),
122 /// Process client reply to the handshake.
123 /// b is a random value,
124 /// v is the provided during initial user registration
125 pub fn process_reply(
130 ) -> Result<SrpServerVerifier<D>, SrpAuthError> {
131 let b = BigUint::from_bytes_be(b);
132 let v = BigUint::from_bytes_be(v);
133 let a_pub = BigUint::from_bytes_be(a_pub);
135 let k = compute_k::<D>(self.params);
136 let b_pub = self.compute_b_pub(&b, &k, &v);
138 // Safeguard against malicious A
139 if &a_pub % &self.params.n == BigUint::default() {
140 return Err(SrpAuthError::IllegalParameter("a_pub".to_owned()));
143 let u = compute_u::<D>(&a_pub.to_bytes_be(), &b_pub.to_bytes_be());
145 let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
147 let m1 = compute_m1::<D>(
148 &a_pub.to_bytes_be(),
149 &b_pub.to_bytes_be(),
153 let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, &key.to_bytes_be());
155 Ok(SrpServerVerifier {
158 key: key.to_bytes_be(),
163 impl<D: Digest> SrpServerVerifier<D> {
164 /// Get shared secret between user and the server. (do not forget to verify
165 /// that keys are the same!)
166 pub fn key(&self) -> &[u8] {
170 /// Verification data for sending to the client.
171 pub fn proof(&self) -> &[u8] {
176 /// Process user proof of having the same shared secret.
177 pub fn verify_client(&self, reply: &[u8]) -> Result<(), SrpAuthError> {
178 if self.m1.ct_eq(reply).unwrap_u8() != 1 {
180 Err(SrpAuthError::BadRecordMac("client".to_owned()))