1 //! SRP server implementation
4 //! First receive user's username and public value `a_pub`, retrieve from a
5 //! database `UserRecord` for a given username, generate `b` (e.g. 512 bits
6 //! long) and initialize SRP server instance:
9 //! use srp::groups::G_2048;
11 //! let (username, a_pub) = conn.receive_handshake();
12 //! let user = db.retrieve_user_record(username);
13 //! let b = rng.gen_iter::<u8>().take(64).collect::<Vec<u8>>();
14 //! let server = SrpServer::<Sha256>::new(&user, &a_pub, &b, &G_2048)?;
17 //! Next send to user `b_pub` and `salt` from user record:
20 //! let b_pub = server.get_b_pub();
21 //! conn.reply_to_handshake(&user.salt, b_pub);
24 //! And finally recieve user proof, verify it and send server proof in the
28 //! let user_proof = conn.receive_proof();
29 //! let server_proof = server.verify(user_proof)?;
30 //! conn.send_proof(server_proof);
33 //! To get the shared secret use `get_key` method. As alternative to using
34 //! `verify` method it's also possible to use this key for authentificated
36 use std::marker::PhantomData;
38 use num::{BigUint, Zero};
40 use generic_array::GenericArray;
43 use types::{SrpAuthError, SrpGroup};
45 /// Data provided by users upon registration, usually stored in the database.
46 pub struct UserRecord<'a> {
47 pub username: &'a [u8],
50 pub verifier: &'a [u8],
54 pub struct SrpServer<D: Digest> {
59 key: GenericArray<u8, D::OutputSize>,
64 impl< D: Digest> SrpServer< D> {
65 /// Create new server state.
66 pub fn new(user: &UserRecord, a_pub: &[u8], b: &[u8], params: &SrpGroup)
67 -> Result<Self, SrpAuthError>
69 let a_pub = BigUint::from_bytes_be(a_pub);
70 // Safeguard against malicious A
71 if &a_pub % ¶ms.n == BigUint::zero() {
72 return Err(SrpAuthError { description: "Malicious a_pub value" })
74 let v = BigUint::from_bytes_be(user.verifier);
75 let b = BigUint::from_bytes_be(b) % ¶ms.n;
76 let k = params.compute_k::<D>();
78 let interm = (k * &v) % ¶ms.n;
79 let b_pub = (interm + ¶ms.powm(&b)) % ¶ms.n;
83 d.input(&a_pub.to_bytes_be());
84 d.input(&b_pub.to_bytes_be());
87 let d = Default::default();
90 let u = BigUint::from_bytes_be(&u);
91 let t = (&a_pub * powm(&v, &u, ¶ms.n)) % ¶ms.n;
92 let s = powm(&t, &b, ¶ms.n);
93 D::digest(&s.to_bytes_be())
95 Ok(Self { b, a_pub, b_pub, key, d})
98 /// Get private `b` value. (see `new_with_b` documentation)
99 pub fn get_b(&self) -> Vec<u8> {
103 /// Get public `b_pub` value for sending to the user.
104 pub fn get_b_pub(&self) -> Vec<u8> {
105 self.b_pub.to_bytes_be()
108 /// Get shared secret between user and the server. (do not forget to verify
109 /// that keys are the same!)
110 pub fn get_key(&self) -> GenericArray<u8, D::OutputSize> {
114 /// Process user proof of having the same shared secret and compute
115 /// server proof for sending to the user.
116 pub fn verify(&self, user_proof: &[u8])
117 -> Result<GenericArray<u8, D::OutputSize>, SrpAuthError>
120 let mut d = D::new();
121 d.input(&self.a_pub.to_bytes_be());
122 d.input(&self.b_pub.to_bytes_be());
125 if user_proof == d.result().as_slice() {
127 let mut d = D::new();
128 d.input(&self.a_pub.to_bytes_be());
133 Err(SrpAuthError { description: "Incorrect user proof" })