srp: DRY out monty_form (#243)

tarcieri · web-flow · commit 73c8245af146 · 2026-01-12T22:30:22.000-07:00
Perhaps the upstream behavior should be changed to match
diff --git a/srp/src/client.rs b/srp/src/client.rs
@@ -7,7 +7,10 @@ use subtle::ConstantTimeEq;
 use crate::{
     Group,
     errors::AuthError,
-    utils::{compute_hash, compute_k, compute_m1, compute_m1_rfc5054, compute_m2, compute_u},
+    utils::{
+        compute_hash, compute_k, compute_m1_legacy, compute_m1_rfc5054, compute_m2, compute_u,
+        monty_form,
+    },
 };
 
 /// SRP client implementation.
@@ -179,8 +182,8 @@ impl<G: Group, D: Digest> Client<G, D> {
         a: &BoxedUint,
         u: &BoxedUint,
     ) -> BoxedUint {
-        let b_pub = self.monty_form(b_pub);
-        let k = self.monty_form(k);
+        let b_pub = monty_form(b_pub, self.g.params());
+        let k = monty_form(k, self.g.params());
 
         // B - kg^x
         let base = b_pub - k * self.g.pow(x);
@@ -292,7 +295,7 @@ impl<G: Group, D: Digest> Client<G, D> {
             .to_be_bytes_trimmed_vartime()
             .to_vec();
 
-        let m1 = compute_m1::<D>(&a_pub_bytes, b_pub_bytes, &key);
+        let m1 = compute_m1_legacy::<D>(&a_pub_bytes, b_pub_bytes, &key);
         let m2 = compute_m2::<D>(&a_pub_bytes, &m1, &key);
         Ok(LegacyClientVerifier { m1, m2, key })
     }
@@ -302,12 +305,6 @@ impl<G: Group, D: Digest> Client<G, D> {
         if self.username_in_x { username } else { &[] }
     }
 
-    /// Convert an integer into the Montgomery domain, returning a [`BoxedMontyForm`] modulo `N`.
-    fn monty_form(&self, x: &BoxedUint) -> BoxedMontyForm {
-        let precision = self.n().bits_precision();
-        BoxedMontyForm::new(x.resize(precision), self.g.params())
-    }
-
     /// Get the modulus `N`.
     fn n(&self) -> &Odd<BoxedUint> {
         self.g.params().modulus()
diff --git a/srp/src/server.rs b/srp/src/server.rs
@@ -7,7 +7,10 @@ use subtle::ConstantTimeEq;
 use crate::{
     Group,
     errors::AuthError,
-    utils::{compute_hash, compute_k, compute_m1, compute_m1_rfc5054, compute_m2, compute_u},
+    utils::{
+        compute_hash, compute_k, compute_m1_legacy, compute_m1_rfc5054, compute_m2, compute_u,
+        monty_form,
+    },
 };
 
 /// SRP server implementation.
@@ -105,8 +108,8 @@ impl<G: Group, D: Digest> Server<G, D> {
     /// Compute the server's public ephemeral: `k*v + g^b % N`.
     #[must_use]
     pub fn compute_b_pub(&self, b: &BoxedUint, k: &BoxedUint, v: &BoxedUint) -> BoxedUint {
-        let k = self.monty_form(k);
-        let v = self.monty_form(v);
+        let k = monty_form(k, self.g.params());
+        let v = monty_form(v, self.g.params());
         (k * v + self.g.pow(b)).retrieve()
     }
 
@@ -119,8 +122,8 @@ impl<G: Group, D: Digest> Server<G, D> {
         u: &BoxedUint,
         b: &BoxedUint,
     ) -> BoxedUint {
-        let a_pub = self.monty_form(a_pub);
-        let v = self.monty_form(v);
+        let a_pub = monty_form(a_pub, self.g.params());
+        let v = monty_form(v, self.g.params());
 
         // (A * v^u)
         (a_pub * v.pow(u)).pow(b).retrieve()
@@ -223,7 +226,7 @@ impl<G: Group, D: Digest> Server<G, D> {
 
         let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
 
-        let m1 = compute_m1::<D>(
+        let m1 = compute_m1_legacy::<D>(
             a_pub_bytes,
             &b_pub_bytes,
             &key.to_be_bytes_trimmed_vartime(),
@@ -238,12 +241,6 @@ impl<G: Group, D: Digest> Server<G, D> {
         })
     }
 
-    /// Convert an integer into the Montgomery domain, returning a [`BoxedMontyForm`] modulo `N`.
-    fn monty_form(&self, x: &BoxedUint) -> BoxedMontyForm {
-        let precision = self.n().bits_precision();
-        BoxedMontyForm::new(x.resize(precision), self.g.params())
-    }
-
     /// Get the modulus `N`.
     fn n(&self) -> &Odd<BoxedUint> {
         self.g.params().modulus()
diff --git a/srp/src/utils.rs b/srp/src/utils.rs
@@ -1,8 +1,11 @@
 use alloc::vec::Vec;
-use crypto_bigint::{BoxedUint, modular::BoxedMontyForm};
+use crypto_bigint::{
+    BoxedUint, Resize,
+    modular::{BoxedMontyForm, BoxedMontyParams},
+};
 use digest::{Digest, Output};
 
-// u = H(PAD(A) | PAD(B))
+/// `u = H(PAD(A) | PAD(B))`
 #[must_use]
 pub fn compute_u<D: Digest>(a_pub: &[u8], b_pub: &[u8]) -> BoxedUint {
     let mut u = D::new();
@@ -11,7 +14,7 @@ pub fn compute_u<D: Digest>(a_pub: &[u8], b_pub: &[u8]) -> BoxedUint {
     BoxedUint::from_be_slice_vartime(&u.finalize())
 }
 
-// k = H(N | PAD(g))
+/// `k = H(N | PAD(g))`
 #[must_use]
 pub fn compute_k<D: Digest>(g: &BoxedMontyForm) -> BoxedUint {
     let n = g.params().modulus().to_be_bytes();
@@ -26,7 +29,7 @@ pub fn compute_k<D: Digest>(g: &BoxedMontyForm) -> BoxedUint {
     BoxedUint::from_be_slice_vartime(d.finalize().as_slice())
 }
 
-// H(N) XOR H(PAD(g))
+/// `H(N) XOR H(PAD(g))`
 #[must_use]
 pub fn compute_hash_n_xor_hash_g<D: Digest>(g: &BoxedMontyForm) -> Vec<u8> {
     let n = g.params().modulus().to_be_bytes();
@@ -44,24 +47,14 @@ pub fn compute_hash_n_xor_hash_g<D: Digest>(g: &BoxedMontyForm) -> Vec<u8> {
         .collect()
 }
 
-// M1 = H(A, B, K) this doesn't follow the spec but apparently no one does for M1
-#[must_use]
-pub fn compute_m1<D: Digest>(a_pub: &[u8], b_pub: &[u8], key: &[u8]) -> Output<D> {
-    let mut d = D::new();
-    d.update(a_pub);
-    d.update(b_pub);
-    d.update(key);
-    d.finalize()
-}
-
 #[must_use]
 pub fn compute_hash<D: Digest>(data: &[u8]) -> Output<D> {
     let mut d = D::new();
     d.update(data);
     d.finalize()
 }
 
-// M1 = H(H(N) XOR H(g) | H(U) | s | A | B | K) following RFC5054
+/// `M1 = H(H(N) XOR H(g) | H(U) | s | A | B | K)` following RFC5054
 #[must_use]
 pub fn compute_m1_rfc5054<D: Digest>(
     g: &BoxedMontyForm,
@@ -81,7 +74,17 @@ pub fn compute_m1_rfc5054<D: Digest>(
     d.finalize()
 }
 
-// M2 = H(A, M1, K)
+/// `M1 = H(A, B, K)`
+#[must_use]
+pub fn compute_m1_legacy<D: Digest>(a_pub: &[u8], b_pub: &[u8], key: &[u8]) -> Output<D> {
+    let mut d = D::new();
+    d.update(a_pub);
+    d.update(b_pub);
+    d.update(key);
+    d.finalize()
+}
+
+/// `M2 = H(A, M1, K)`
 #[must_use]
 pub fn compute_m2<D: Digest>(a_pub: &[u8], m1: &Output<D>, key: &[u8]) -> Output<D> {
     let mut d = D::new();
@@ -90,3 +93,10 @@ pub fn compute_m2<D: Digest>(a_pub: &[u8], m1: &Output<D>, key: &[u8]) -> Output
     d.update(key);
     d.finalize()
 }
+
+/// Convert the given value into Montgomery form, resizing it in the process.
+/// Convert an integer into the Montgomery domain, returning a [`BoxedMontyForm`] modulo `N`.
+pub(crate) fn monty_form(x: &BoxedUint, n: &BoxedMontyParams) -> BoxedMontyForm {
+    let precision = n.modulus().bits_precision();
+    BoxedMontyForm::new(x.resize(precision), n)
+}
