srp: compute K = H(S) correctly.
According to [the specification] section _The SRP protocol_, `K` (which corresponds
to the session key) is computed as follows:

```
K = H(S)
```

where `H` is the digest algorithm, and `S` is the common exponential value.

In the [current implementation], `K` is equal to `S`, which does not follow
the SRP protocol specification.

This commit fixes this issue by computing the right value for `K`.

[the specification]: http://srp.stanford.edu/ndss.html#SECTION00032200000000000000
[current implementation]: https://github.com/RustCrypto/PAKEs/blob/8e46d6bfa24d44e6671616d730e978157b2b23e3/srp/src/client.rs#L211
zadlg authored and redoz committed Jun 25, 2024
1 parent f112625 commit f90ee7e
Showing 2 changed files with 14 additions and 18 deletions.
16 changes: 7 additions & 9 deletions srp/src/client.rs
Expand Up @@ -50,7 +50,7 @@
//! ```rust
//! # let client = crate::srp::client::SrpClient::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
//! # let verifier = client.process_reply(b"", b"", b"", b"", b"1").unwrap();
//! # fn send_proof(_: &[u8]) -> Vec<u8> { vec![173, 202, 13, 26, 207, 73, 0, 46, 121, 238, 48, 170, 96, 146, 60, 49, 88, 76, 12, 184, 152, 76, 207, 220, 140, 205, 190, 189, 117, 6, 131, 63] }
//! # fn send_proof(_: &[u8]) -> Vec<u8> { vec![221, 102, 210, 152, 16, 177, 213, 105, 198, 179, 106, 50, 197, 133, 139, 189, 121, 42, 129, 79, 131, 65, 19, 84, 233, 155, 225, 45, 184, 243, 37, 135]}
//!
//! let client_proof = verifier.proof();
//! let server_proof = send_proof(client_proof);
Expand Down Expand Up @@ -235,20 +235,18 @@ impl<'a, D: Digest> SrpClient<'a, D> {
let identity_hash = Self::compute_identity_hash(username, password);
let x = Self::compute_x(identity_hash.as_slice(), salt);

let key = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);
let s = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);

let m1 = compute_m1::<D>(
&a_pub.to_bytes_be(),
&b_pub.to_bytes_be(),
&key.to_bytes_be(),
);
let key = D::digest(s.to_bytes_be());

let m1 = compute_m1::<D>(&a_pub.to_bytes_be(), &b_pub.to_bytes_be(), key.as_slice());

let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, &key.to_bytes_be());
let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, key.as_slice());

Ok(SrpClientVerifier {
m1,
m2,
key: key.to_bytes_be(),
key: key.to_vec(),
})
}

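Review bot: The new `let key = D::digest(s.to_bytes_be());` hashes whatever byte length `to_bytes_be()` yields, which for a big-integer type is presumably the minimal big-endian encoding with leading zeros dropped, so `K` now depends on an encoding choice the cited specification does not fix; a peer that pads `S` to the length of `N` before hashing derives a different `K` and its proof check fails. Because this changes the value returned by `key()` and every proof for existing users, the doc comment on the `key` field (outside this hunk) and the changelog should state that the key is now `K = H(S)` over the unpadded big-endian bytes of `S`, and I would record the choice inline: `// K = H(S); S is encoded big-endian without padding, the same encoding compute_u uses for A and B`. The premaster secret `s` is now a separate local that is dropped without being cleared once hashed; if the crate already offers a zeroize feature, clearing it here is worth considering. The same change appears in srp/src/server.rs, and `process_reply` begins outside the hunk in both files.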
16 changes: 7 additions & 9 deletions srp/src/server.rs
Expand Up @@ -41,7 +41,7 @@
//! ```rust
//! # let server = crate::srp::server::SrpServer::<sha2::Sha256>::new(&crate::srp::groups::G_2048);
//! # let verifier = server.process_reply(b"", b"", b"1").unwrap();
//! # fn get_client_proof()-> Vec<u8> { vec![26, 80, 8, 243, 111, 162, 238, 171, 208, 237, 207, 46, 46, 137, 44, 213, 105, 208, 84, 224, 244, 216, 103, 145, 14, 103, 182, 56, 242, 4, 179, 57] };
//! # fn get_client_proof()-> Vec<u8> { vec![23, 114, 237, 254, 188, 79, 108, 224, 243, 235, 111, 117, 125, 247, 69, 205, 106, 176, 176, 80, 240, 125, 25, 227, 117, 155, 148, 139, 217, 121, 74, 208] };
//! # fn send_proof(_: &[u8]) { };
//!
//! let client_proof = get_client_proof();
Expand Down Expand Up @@ -174,20 +174,18 @@ impl<'a, D: Digest> SrpServer<'a, D> {

let u = compute_u::<D>(&a_pub.to_bytes_be(), &b_pub.to_bytes_be());

let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
let s = self.compute_premaster_secret(&a_pub, &v, &u, &b);

let m1 = compute_m1::<D>(
&a_pub.to_bytes_be(),
&b_pub.to_bytes_be(),
&key.to_bytes_be(),
);
let key = D::digest(s.to_bytes_be());

let m1 = compute_m1::<D>(&a_pub.to_bytes_be(), &b_pub.to_bytes_be(), key.as_slice());

let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, &key.to_bytes_be());
let m2 = compute_m2::<D>(&a_pub.to_bytes_be(), &m1, key.as_slice());

Ok(SrpServerVerifier {
m1,
m2,
key: key.to_bytes_be(),
key: key.to_vec(),
})
}

