diff options
Diffstat (limited to 'src/client.rs')
| -rw-r--r-- | src/client.rs | 212 |
1 files changed, 0 insertions, 212 deletions
diff --git a/src/client.rs b/src/client.rs deleted file mode 100644 index 4348f4f..0000000 --- a/src/client.rs +++ /dev/null @@ -1,212 +0,0 @@ -//! SRP client implementation. -//! -//! # Usage -//! First create SRP client struct by passing to it SRP parameters (shared -//! between client and server) and randomly generated `a`: -//! -//! ```ignore -//! use srp::groups::G_2048; -//! use sha2::Sha256; -//! -//! let a = rng.gen_iter::<u8>().take(64).collect::<Vec<u8>>(); -//! let client = SrpClient::<Sha256>::new(&a, &G_2048); -//! ``` -//! -//! Next send handshake data (username and `a_pub`) to the server and receive -//! `salt` and `b_pub`: -//! -//! ```ignore -//! let a_pub = client.get_a_pub(); -//! let (salt, b_pub) = conn.send_handshake(username, a_pub); -//! ``` -//! -//! Compute private key using `salt` with any password hashing function. -//! You can use method from SRP-6a, but it's recommended to use specialized -//! password hashing algorithm instead (e.g. PBKDF2, argon2 or scrypt). -//! Next create verifier instance, note that `get_verifier` consumes client and -//! can return error in case of malicious `b_pub`. -//! -//! ```ignore -//! let private_key = srp_private_key::<Sha256>(username, password, salt); -//! let verifier = client.get_verifier(&private_key, &b_pub)?; -//! ``` -//! -//! Finally verify the server: first generate user proof, -//! send it to the server and verify server proof in the reply. Note that -//! `verify_server` method will return error in case of incorrect server reply. -//! -//! ```ignore -//! let user_proof = verifier.get_proof(); -//! let server_proof = conn.send_proof(user_proof); -//! let key = verifier.verify_server(server_proof)?; -//! ``` -//! -//! `key` contains shared secret key between user and the server. Alternatively -//! you can directly extract shared secret key using `get_key()` method and -//! handle authentification through different (secure!) means (e.g. by using -//! authentificated cipher mode). -//! -//! For user registration on the server first generate salt (e.g. 32 bytes long) -//! and get password verifier which depends on private key. Send useranme, salt -//! and password verifier over protected channel to protect against MitM for -//! registration. -//! -//! ```ignore -//! let pwd_verifier = client.get_password_verifier(&private_key); -//! conn.send_registration_data(username, salt, pwd_verifier); -//! ``` - -//let buf = rng.gen_iter::<u8>().take(l).collect::<Vec<u8>>(); -use std::marker::PhantomData; - -use num::{BigUint, Zero}; -use digest::Digest; -use generic_array::GenericArray; - -use tools::powm; -use types::{SrpAuthError, SrpGroup}; - -/// SRP client state before handshake with the server. -pub struct SrpClient<'a, D: Digest> { - params: &'a SrpGroup, - - a: BigUint, - a_pub: BigUint, - - d: PhantomData<D> -} - -/// SRP client state after handshake with the server. -pub struct SrpClientVerifier<D: Digest> { - proof: GenericArray<u8, D::OutputSize>, - server_proof: GenericArray<u8, D::OutputSize>, - key: GenericArray<u8, D::OutputSize>, -} - -/// Compute user private key as described in the RFC 5054. Consider using proper -/// password hashing algorithm instead. -pub fn srp_private_key<D: Digest>(username: &[u8], password: &[u8], salt: &[u8]) - -> GenericArray<u8, D::OutputSize> -{ - let p = { - let mut d = D::new(); - d.input(username); - d.input(b":"); - d.input(password); - d.result() - }; - let mut d = D::new(); - d.input(salt); - d.input(&p); - d.result() -} - -impl<'a, D: Digest> SrpClient<'a, D> { - /// Create new SRP client instance. - pub fn new(a: &[u8], params: &'a SrpGroup) -> Self { - let a = BigUint::from_bytes_be(a); - let a_pub = params.powm(&a); - - Self { params, a, a_pub, d: Default::default() } - } - - /// Get password verfier for user registration on the server - pub fn get_password_verifier(&self, private_key: &[u8]) -> Vec<u8> { - let x = BigUint::from_bytes_be(&private_key); - let v = self.params.powm(&x); - v.to_bytes_be() - } - - fn calc_key(&self, b_pub: &BigUint, x: &BigUint, u: &BigUint) - -> GenericArray<u8, D::OutputSize> - { - let n = &self.params.n; - let k = self.params.compute_k::<D>(); - let interm = (k * self.params.powm(x)) % n; - // Because we do operation in modulo N we can get: (kv + g^b) < kv - let v = if b_pub > &interm { - (b_pub - &interm) % n - } else { - (n + b_pub - &interm) % n - }; - // S = |B - kg^x| ^ (a + ux) - let s = powm(&v, &(&self.a + (u*x) % n ), n); - D::digest(&s.to_bytes_be()) - } - - /// Process server reply to the handshake. - pub fn process_reply(self, private_key: &[u8], b_pub: &[u8]) - -> Result<SrpClientVerifier<D>, SrpAuthError> - { - let u = { - let mut d = D::new(); - d.input(&self.a_pub.to_bytes_be()); - d.input(b_pub); - BigUint::from_bytes_be(&d.result()) - }; - - let b_pub = BigUint::from_bytes_be(b_pub); - - // Safeguard against malicious B - if &b_pub % &self.params.n == BigUint::zero() { - return Err(SrpAuthError{ description: "Malicious b_pub value" }) - } - - let x = BigUint::from_bytes_be(&private_key); - let key = self.calc_key(&b_pub, &x, &u); - // M1 = H(A, B, K) - let proof = { - let mut d = D::new(); - d.input(&self.a_pub.to_bytes_be()); - d.input(&b_pub.to_bytes_be()); - d.input(&key); - d.result() - }; - - // M2 = H(A, M1, K) - let server_proof = { - let mut d = D::new(); - d.input(&self.a_pub.to_bytes_be()); - d.input(&proof); - d.input(&key); - d.result() - }; - - Ok(SrpClientVerifier { - proof: proof, - server_proof: server_proof, - key: key, - }) - } - - /// Get public ephemeral value for handshaking with the server. - pub fn get_a_pub(&self) -> Vec<u8> { - self.a_pub.to_bytes_be() - } -} - -impl<D: Digest> SrpClientVerifier<D> { - /// Get shared secret key without authenticating server, e.g. for using with - /// authenticated encryption modes. DO NOT USE this method without - /// some kind of secure authentification. - pub fn get_key(self) -> GenericArray<u8, D::OutputSize> { - self.key - } - - /// Verification data for sending to the server. - pub fn get_proof(&self) -> GenericArray<u8, D::OutputSize> { - self.proof.clone() - } - - /// Verify server reply to verification data. It will return shared secret - /// key in case of success. - pub fn verify_server(self, reply: &[u8]) - -> Result<GenericArray<u8, D::OutputSize>, SrpAuthError> - { - if self.server_proof.as_slice() != reply { - Err(SrpAuthError{ description: "Incorrect server proof" }) - } else { - Ok(self.key) - } - } -} |