v0.2.0

13 files changed, 170 insertions, 89 deletions

diff --git a/src/client.rs b/src/client.rs
index ee19e88..87990a6 100644
--- a/src/client.rs
+++ b/src/client.rs
@@ -2,12 +2,14 @@
 //! 
 //! # Usage
 //! First create SRP client struct by passing to it SRP parameters (shared
-//! between client and server) and RNG instance (OS RNG is recommended):
+//! between client and server) and randomly generated `a`:
 //! 
 //! ```ignore
-//! let srp_params = SrpParams{n, g, k};
-//! let mut rng = rand::os::OsRng::new().unwrap();
-//! let client = SrpClient::<Sha256>::new(&srp_params, &mut rng);
+//! use srp::groups::G_2048;
+//! use sha2::Sha256;
+//!
+//! let a = rng.gen_iter::<u8>().take(64).collect::<Vec<u8>>();
+//! let client = SrpClient::<Sha256>::new(&a, &srp_params);
 //! ```
 //! 
 //! Next send handshake data (username and `a_pub`) to the server and receive
@@ -25,7 +27,7 @@
 //! can return error in case of malicious `b_pub`.
 //! 
 //! ```ignore
-//! let private_key = srp6a_private_key::<Sha256>(username, password, salt);
+//! let private_key = srp_private_key::<Sha256>(username, password, salt);
 //! let verifier = client.get_verifier(&private_key, &b_pub)?;
 //! ```
 //!
@@ -53,19 +55,20 @@
 //! let pwd_verifier = SrpClient::<Sha256>::register(&private_key, &srp_params);
 //! conn.send_registration_data(username, salt, pwd_verifier);
 //! ```
+
+//let buf = rng.gen_iter::<u8>().take(l).collect::<Vec<u8>>();
 use std::marker::PhantomData;
 
-use rand::Rng;
 use num::{BigUint, Zero};
 use digest::Digest;
 use generic_array::GenericArray;
 
 use tools::powm;
-use types::{SrpAuthError, SrpParams};
+use types::{SrpAuthError, SrpGroup};
 
 /// SRP client state before handshake with the server.
 pub struct SrpClient<'a, D: Digest> {
-    params: &'a SrpParams,
+    params: &'a SrpGroup,
 
     a: BigUint,
     a_pub: BigUint,
@@ -80,11 +83,10 @@ pub struct SrpClientVerifier<D: Digest> {
     key: GenericArray<u8, D::OutputSize>,
 }
 
-/// Compute user private key as described in the SRP6a. Consider using proper
+/// Compute user private key as described in the RFC 5054. Consider using proper
 /// password hashing algorithm instead.
-pub fn srp6a_private_key<D: Digest>(username: &[u8], password: &[u8],
-        salt: &[u8]
-    ) -> GenericArray<u8, D::OutputSize>
+pub fn srp_private_key<D: Digest>(username: &[u8], password: &[u8], salt: &[u8])
+    -> GenericArray<u8, D::OutputSize>
 {
     let p = {
         let mut d = D::new();
@@ -101,10 +103,8 @@ pub fn srp6a_private_key<D: Digest>(username: &[u8], password: &[u8],
 
 impl<'a, D: Digest> SrpClient<'a, D> {
     /// Create new SRP client instance.
-    pub fn new<R: Rng>(params: &'a SrpParams, rng: &mut R) -> Self {
-        let l = params.n.bits()/8; 
-        let buf = rng.gen_iter::<u8>().take(l).collect::<Vec<u8>>();
-        let a = BigUint::from_bytes_le(&buf);
+    pub fn new(a: &[u8], params: &'a SrpGroup) -> Self {
+        let a = BigUint::from_bytes_be(a);
         let a_pub = params.powm(&a);
 
         Self { params, a, a_pub, d: Default::default() }
@@ -112,16 +112,17 @@ impl<'a, D: Digest> SrpClient<'a, D> {
 
     /// Get password verfier for user registration on the server
     pub fn get_password_verifier(&self, private_key: &[u8]) -> Vec<u8> {
-        let x = BigUint::from_bytes_le(&private_key);
+        let x = BigUint::from_bytes_be(&private_key);
         let v = self.params.powm(&x);
-        v.to_bytes_le()
+        v.to_bytes_be()
     }
 
     fn calc_key(&self, b_pub: &BigUint, x: &BigUint, u: &BigUint)
         -> GenericArray<u8, D::OutputSize>
     {
         let n = &self.params.n;
-        let interm = (&self.params.k * self.params.powm(x)) % n;
+        let k = self.params.compute_k::<D>();
+        let interm = (k * self.params.powm(x)) % n;
         // Because we do operation in modulo N we can get: (kv + g^b) < kv
         let v = if b_pub > &interm {
             (b_pub - &interm) % n
@@ -130,7 +131,7 @@ impl<'a, D: Digest> SrpClient<'a, D> {
         };
         // S = |B - kg^x| ^ (a + ux)
         let s = powm(&v, &(&self.a + (u*x) % n ), n);
-        D::digest(&s.to_bytes_le())
+        D::digest(&s.to_bytes_be())
     }
 
     /// Process server reply to the handshake.
@@ -139,25 +140,25 @@ impl<'a, D: Digest> SrpClient<'a, D> {
     {
         let u = {
             let mut d = D::new();
-            d.input(&self.a_pub.to_bytes_le());
+            d.input(&self.a_pub.to_bytes_be());
             d.input(b_pub);
-            BigUint::from_bytes_le(&d.result())
+            BigUint::from_bytes_be(&d.result())
         };
 
-        let b_pub = BigUint::from_bytes_le(b_pub);
+        let b_pub = BigUint::from_bytes_be(b_pub);
 
         // Safeguard against malicious B
         if &b_pub % &self.params.n == BigUint::zero() {
             return Err(SrpAuthError{ description: "Malicious b_pub value" })
         }
 
-        let x = BigUint::from_bytes_le(&private_key);
+        let x = BigUint::from_bytes_be(&private_key);
         let key = self.calc_key(&b_pub, &x, &u);
         // M1 = H(A, B, K)
         let proof = {
             let mut d = D::new();
-            d.input(&self.a_pub.to_bytes_le());
-            d.input(&b_pub.to_bytes_le());
+            d.input(&self.a_pub.to_bytes_be());
+            d.input(&b_pub.to_bytes_be());
             d.input(&key);
             d.result()
         };
@@ -165,7 +166,7 @@ impl<'a, D: Digest> SrpClient<'a, D> {
         // M2 = H(A, M1, K)
         let server_proof = {
             let mut d = D::new();
-            d.input(&self.a_pub.to_bytes_le());
+            d.input(&self.a_pub.to_bytes_be());
             d.input(&proof);
             d.input(&key);
             d.result()
@@ -180,7 +181,7 @@ impl<'a, D: Digest> SrpClient<'a, D> {
 
     /// Get public ephemeral value for handshaking with the server.
     pub fn get_a_pub(&self) -> Vec<u8> {
-        self.a_pub.to_bytes_le()
+        self.a_pub.to_bytes_be()
     }
 }
 
diff --git a/src/groups.rs b/src/groups.rs
new file mode 100644
index 0000000..246134e
--- /dev/null
+++ b/src/groups.rs
@@ -0,0 +1,56 @@
+//! Groups from [RFC 5054](https://tools.ietf.org/html/rfc5054)
+//! 
+//! It is strongly recommended to use them instead of custom generated
+//! groups. Additionally it is not recommended to use `G_1024` and `G_1536`,
+//! they are provided only for compatability with the legacy software.
+use types::SrpGroup;
+use num::BigUint;
+
+lazy_static! {
+    pub static ref G_1024: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/1024.bin")),
+        g: BigUint::from_bytes_be(&[2]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_1536: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/1536.bin")),
+        g: BigUint::from_bytes_be(&[2]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_2048: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/2048.bin")),
+        g: BigUint::from_bytes_be(&[2]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_3072: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/3072.bin")),
+        g: BigUint::from_bytes_be(&[5]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_4096: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/4096.bin")),
+        g: BigUint::from_bytes_be(&[5]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_6144: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/6144.bin")),
+        g: BigUint::from_bytes_be(&[5]),
+    };
+}
+
+lazy_static! {
+    pub static ref G_8192: SrpGroup = SrpGroup {
+        n: BigUint::from_bytes_be(include_bytes!("groups/8192.bin")),
+        g: BigUint::from_bytes_be(&[19]),
+    };
+}
diff --git a/src/groups/1024.bin b/src/groups/1024.bin
new file mode 100644
index 0000000..7ce0aa3
--- /dev/null
+++ b/src/groups/1024.bin
@@ -0,0 +1,3 @@
+�
+����֜3�
+����`ra�u�<��1L�%ev�t�t���8;H֒������P���I\`���]�״aTֶΎ��i�]I�U�){���)�ffW�h��<rl�/����n���Q8��vC[��/���
\ No newline at end of file
diff --git a/src/groups/1536.bin b/src/groups/1536.bin
new file mode 100644
index 0000000..c3a5972
--- /dev/null
+++ b/src/groups/1536.bin
@@ -0,0 +1 @@
+��<��9'z��*��{�ۥ���L���aK�M_O_Un'��QƩK�`z)X�;���C��U��"����|�g�Ё4�ȹy��`�㺶=GT���ű�vN?KSݝ���>+���n�
�94�'�/�=$�Ćew.C}l��BsJ�̷��|&J㩾��/鸵).Z�^�G��碌$B���I�#M�v���5��
\ No newline at end of file
diff --git a/src/groups/2048.bin b/src/groups/2048.bin
new file mode 100644
index 0000000..23207c6
--- /dev/null
+++ b/src/groups/2048.bin
@@ -0,0 +1,2 @@
+�k�A2J���f�^�X/�r�e���1��=�`P�s)˴��큓�uwg�=�#�K1
�H���P�9i��g��`��:�f�����)��/��U�y��^�
t
+���tsY�A��>�(Dkw;ʗ�:#��v� zCld��ҹ�F[�2��wHTE#�$��}^�z'u���,���/�xa`'��z毇Ns�S)��{��*V���Âq�5��������؟z�5�#mR_Tu�e�r�֎���J�s
\ No newline at end of file
diff --git a/src/groups/3072.bin b/src/groups/3072.bin
new file mode 100644
index 0000000..7e1a84d
--- /dev/null
+++ b/src/groups/3072.bin
diff --git a/src/groups/4096.bin b/src/groups/4096.bin
new file mode 100644
index 0000000..82463c0
--- /dev/null
+++ b/src/groups/4096.bin
diff --git a/src/groups/6144.bin b/src/groups/6144.bin
new file mode 100644
index 0000000..83a559a
--- /dev/null
+++ b/src/groups/6144.bin
diff --git a/src/groups/8192.bin b/src/groups/8192.bin
new file mode 100644
index 0000000..b1f32ac
--- /dev/null
+++ b/src/groups/8192.bin
diff --git a/src/k_sha1_1024.bin b/src/k_sha1_1024.bin
new file mode 100644
index 0000000..4408438
--- /dev/null
+++ b/src/k_sha1_1024.bin
@@ -0,0 +1 @@
+uV�Z�,���f\>��o
\ No newline at end of file
diff --git a/src/lib.rs b/src/lib.rs
index 20c0432..df11ae9 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1,12 +1,13 @@
 //! [Secure Remote Password][1] (SRP) protocol implementation.
 //! 
-//! This implementation uses little-endian serialization of big integers and is
-//! generic over hash functions using `Digest` trait, so you will need to choose
-//! a hash function, e.g. `Sha256` from `sha2` crate. Additionally this crate
-//! allows to use a specialized password hashing algorithms for private key
-//! computation instead of method described in the SRP literature.
+//! This implementation is generic over hash functions using
+//! [`Digest`](https://docs.rs/digest) trait, so you will need to choose a hash
+//! function, e.g. `Sha256` from [`sha2`](https://crates.io/crates/sha2) crate.
+//! Additionally this crate allows to use a specialized password hashing
+//! algorithm for private key computation instead of method described in the
+//! SRP literature.
 //! 
-//! Currently compatability with over implementations was not tested.
+//! Compatability with over implementations was not yet tested.
 //! 
 //! # Usage
 //! Add `srp` dependecy to your `Cargo.toml`:
@@ -28,10 +29,12 @@
 //! # Algorithm description
 //! Here we briefly describe implemented algroithm. For additionall information
 //! refer to SRP literature. All arithmetic is done modulo `N`, where `N` is a 
-//! large safe prime (`N = 2q+1`, where `q` is prime).
+//! large safe prime (`N = 2q+1`, where `q` is prime). Additionally `g` MUST be
+//! a generator modulo `N`. It's STRONGLY recommended to use SRP parameters
+//! provided by this crate in the [`groups`](groups/index.html) module.
 //! 
-//! Client |       | Server
-//! -------|-------|--------
+//!        Client           |               |      Server
+//! ------------------------|---------------|------------------------
 //!                         |    — `I` —>   | (lookup `s`, `v`)
 //! `x = PH(P, s)`          | <— `s`, `v` — | 
 //! `a_pub = g^a`           |  — `a_pub` —> | `b_pub = k*v + g^b`
@@ -47,30 +50,30 @@
 //! - `I` — user identity (username)
 //! - `P` — user password
 //! - `H` — one-way hash function
-//! - `HP` — password hashing algroithm, in the SRP described as
-//! `H(s || I || P)` or `H(s || P)`
+//! - `PH` — password hashing algroithm, in the RFC 5054 described as
+//! `H(s || H(I || ":" || P))`
 //! - `^` — (modular) exponentiation
 //! - `x` — user private key
 //! - `s` — salt generated by user and stored on the server
 //! - `v` — password verifier equal to `g^x` and stored on the server
-//! - `a`, `b` — secret ephemeral values
+//! - `a`, `b` — secret ephemeral values (at least 256 bits in length)
 //! - `A`, `B` — Public ephemeral values
 //! - `u` — scrambling parameter
-//! - `g` — a generator modulo `N`
 //! - `k` — multiplier parameter (`k = H(N || g)` in SRP-6a)
 //!
 //! [1]: https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol
+//! [2]: https://tools.ietf.org/html/rfc5054
 extern crate num;
 extern crate digest;
 extern crate generic_array;
-extern crate rand;
+#[macro_use]
+extern crate lazy_static;
+
+#[cfg(test)]
+extern crate sha_1;
 
 mod tools;
 pub mod client;
 pub mod server;
 pub mod types;
-
-/// 1024 bit prime number which can be used as `n` in the `SrpParams`.
-///
-/// For conversion to `BigUint` use `BigUint::from_bytes_le(SRP_PRIME)`.
-pub const PRIME: &'static [u8] = include_bytes!("prime.bin");
+pub mod groups;
diff --git a/src/server.rs b/src/server.rs
index e82ebf6..137d6b3 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -2,13 +2,16 @@
 //!
 //! # Usage
 //! First receive user's username and public value `a_pub`, retrieve from a
-//! database `UserRecord` for a given username and initialize SRP server state:
+//! database `UserRecord` for a given username, generate `b` (e.g. 512 bits
+//! long) and initialize SRP server instance:
 //! 
 //! ```ignore
-//! let mut rng = rand::os::OsRng::new().unwrap();
+//! use srp::groups::G_2048;
+//!
 //! let (username, a_pub) = conn.receive_handshake();
 //! let user = db.retrieve_user_record(username);
-//! let server = SrpServer::<Sha256>::new(&user, &a_pub, &srp_params, &mut rng)?;
+//! let b = rng.gen_iter::<u8>().take(64).collect::<Vec<u8>>();
+//! let server = SrpServer::<Sha256>::new(&user, &a_pub, &b, &G_2048)?;
 //! ```
 //! 
 //! Next send to user `b_pub` and `salt` from user record:
@@ -18,7 +21,8 @@
 //! conn.reply_to_handshake(&user.salt, b_pub);
 //! ```
 //! 
-//! And finally recieve user proof, verify it and send server proof as reply:
+//! And finally recieve user proof, verify it and send server proof in the
+//! reply:
 //! 
 //! ```ignore
 //! let user_proof = conn.receive_proof();
@@ -31,13 +35,12 @@
 //! encryption.
 use std::marker::PhantomData;
 
-use rand::Rng;
 use num::{BigUint, Zero};
 use digest::Digest;
 use generic_array::GenericArray;
 
 use tools::powm;
-use types::{SrpAuthError, SrpParams};
+use types::{SrpAuthError, SrpGroup};
 
 /// Data provided by users upon registration, usually stored in the database.
 pub struct UserRecord<'a> {
@@ -59,61 +62,47 @@ pub struct SrpServer<D: Digest> {
 }
 
 impl< D: Digest> SrpServer< D> {
-    /// Create new server state with randomly generated `b`.
-    pub fn new<R: Rng>(user: &UserRecord, a_pub: &[u8], params: &SrpParams,
-            rng: &mut R)
-        -> Result<Self, SrpAuthError>
-    {
-        let l = params.n.bits()/8; 
-        let b = rng.gen_iter::<u8>().take(l).collect::<Vec<u8>>();
-        Self::new_with_b(user, a_pub, &b, params)
-    }
-
-    /// Create new server state with given `b`.
-    ///
-    /// Usefull if it's not convenient to keep `SrpServer` state between
-    /// handshake and verification steps. (e.g. when working over HTTP and
-    /// storing `b` in a database)
-    pub fn new_with_b(user: &UserRecord, a_pub: &[u8], b: &[u8],
-                params: &SrpParams)
+    /// Create new server state.
+    pub fn new(user: &UserRecord, a_pub: &[u8], b: &[u8], params: &SrpGroup)
         -> Result<Self, SrpAuthError>
     {
-        let a_pub = BigUint::from_bytes_le(a_pub);
+        let a_pub = BigUint::from_bytes_be(a_pub);
         // Safeguard against malicious A
         if &a_pub % &params.n == BigUint::zero() {
             return Err(SrpAuthError { description: "Malicious a_pub value" })
         }
-        let v = BigUint::from_bytes_le(user.verifier);
-        let b = BigUint::from_bytes_le(b)  % &params.n;
+        let v = BigUint::from_bytes_be(user.verifier);
+        let b = BigUint::from_bytes_be(b)  % &params.n;
+        let k = params.compute_k::<D>();
         // kv + g^b
-        let interm = (&params.k * &v) % &params.n;
+        let interm = (k * &v) % &params.n;
         let b_pub = (interm + &params.powm(&b)) % &params.n;
         // H(A || B)
         let u = {
             let mut d = D::new();
-            d.input(&a_pub.to_bytes_le());
-            d.input(&b_pub.to_bytes_le());
+            d.input(&a_pub.to_bytes_be());
+            d.input(&b_pub.to_bytes_be());
             d.result()
         };
         let d = Default::default();
         //(Av^u) ^ b
         let key = {
-            let u =  BigUint::from_bytes_le(&u);
+            let u =  BigUint::from_bytes_be(&u);
             let t = (&a_pub * powm(&v, &u, &params.n)) % &params.n;
             let s = powm(&t, &b, &params.n);
-            D::digest(&s.to_bytes_le())
+            D::digest(&s.to_bytes_be())
         };
         Ok(Self { b, a_pub, b_pub, key, d})
     }
 
     /// Get private `b` value. (see `new_with_b` documentation)
     pub fn get_b(&self) -> Vec<u8> {
-        self.b.to_bytes_le()
+        self.b.to_bytes_be()
     }
 
     /// Get public `b_pub` value for sending to the user.
     pub fn get_b_pub(&self) -> Vec<u8> {
-        self.b_pub.to_bytes_le()
+        self.b_pub.to_bytes_be()
     }
 
     /// Get shared secret between user and the server. (do not forget to verify
@@ -129,14 +118,14 @@ impl< D: Digest> SrpServer< D> {
     {
         // M = H(A, B, K)
         let mut d = D::new();
-        d.input(&self.a_pub.to_bytes_le());
-        d.input(&self.b_pub.to_bytes_le());
+        d.input(&self.a_pub.to_bytes_be());
+        d.input(&self.b_pub.to_bytes_be());
         d.input(&self.key);
 
         if user_proof == d.result().as_slice() {
             // H(A, M, K)
             let mut d = D::new();
-            d.input(&self.a_pub.to_bytes_le());
+            d.input(&self.a_pub.to_bytes_be());
             d.input(user_proof);
             d.input(&self.key);
             Ok(d.result())
diff --git a/src/types.rs b/src/types.rs
index aa8a0dc..810132c 100644
--- a/src/types.rs
+++ b/src/types.rs
@@ -2,6 +2,7 @@
 use std::{fmt, error};
 use num::BigUint;
 use tools::powm;
+use digest::Digest;
 
 /// SRP authentification error.
 #[derive(Debug, Copy, Clone, Eq, PartialEq)]
@@ -21,19 +22,43 @@ impl error::Error for SrpAuthError {
     }
 }
 
-/// Parameters of SRP shared between client and server.
+/// Group used for SRP computations
 #[derive(Debug, Clone, Eq, PartialEq)]
-pub struct SrpParams {
+pub struct SrpGroup {
     /// A large safe prime (N = 2q+1, where q is prime)
     pub n: BigUint,
-    /// A generator modulo N (e.g. 2)
+    /// A generator modulo N
     pub g: BigUint,
-    /// Multiplier parameter (k = H(N, g) in SRP-6a, k = 3 for legacy SRP-6)
-    pub k: BigUint,
 }
 
-impl SrpParams {
+impl SrpGroup {
     pub(crate) fn powm(&self, v: &BigUint) -> BigUint {
         powm(&self.g, v, &self.n)
     }
+
+    /// Compute `k` with given hash function and return SRP parameters
+    pub(crate) fn compute_k<D: Digest>(&self) -> BigUint {
+        let n = self.n.to_bytes_be();
+        let g_bytes = self.g.to_bytes_be();
+        let mut buf = vec![0u8; n.len()];
+        let l = n.len() - g_bytes.len();
+        buf[l..].copy_from_slice(&g_bytes);
+
+        let mut d = D::new();
+        d.input(&n);
+        d.input(&buf);
+        BigUint::from_bytes_be(&d.result())
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use ::groups::G_1024;
+    use sha_1::Sha1;
+
+    #[test]
+    fn test_k_1024_sha1() {
+        let k = G_1024.compute_k::<Sha1>().to_bytes_be();
+        assert_eq!(&k, include_bytes!("k_sha1_1024.bin"));
+    }
 }