aucpace_conflux/

server.rs

use crate::Database;
use crate::constants::MIN_SSID_LEN;
use crate::utils::{
    H0, compute_authenticator_messages, compute_first_session_key, compute_session_key,
    compute_ssid, generate_keypair, generate_nonce, generate_server_keypair,
};
use crate::{Error, Result};
use core::marker::PhantomData;
use curve25519_dalek::traits::IsIdentity;
use curve25519_dalek::{
    digest::consts::U64,
    digest::{Digest, Output},
    ristretto::RistrettoPoint,
    scalar::Scalar,
};
use password_hash::{ParamsString, SaltString};
use rand_core::{TryCryptoRng, TryRngCore};
use subtle::ConstantTimeEq;

#[cfg(feature = "partial_augmentation")]
use crate::database::PartialAugDatabase;

#[cfg(feature = "strong_aucpace")]
use crate::database::StrongDatabase;

#[cfg(feature = "serde")]
use crate::utils::{serde_paramsstring, serde_saltstring};

#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};

/// A non-copy wrapper around u64
#[derive(Clone)]
struct ServerSecret(u64);

impl ServerSecret {
    fn new<CSPRNG: TryRngCore + TryCryptoRng>(rng: &mut CSPRNG) -> Result<Self> {
        Ok(Self(rng.try_next_u64().map_err(|_| Error::Rng)?))
    }
}

/// Implementation of the server side of the `AuCPace` protocol
pub struct AuCPaceServer<D, CSPRNG, const K1: usize>
where
    D: Digest + Default,
    CSPRNG: TryRngCore + TryCryptoRng,
{
    /// The CSPRNG used to generate random values where needed
    rng: CSPRNG,

    /// the secret used to obscure when a password lookup failed
    secret: ServerSecret,

    d: PhantomData<D>,
}

impl<D, CSPRNG, const K1: usize> AuCPaceServer<D, CSPRNG, K1>
where
    D: Digest<OutputSize = U64> + Default,
    CSPRNG: TryRngCore + TryCryptoRng,
{
    /// Create a new server
    pub fn new(mut rng: CSPRNG) -> Result<Self> {
        let secret = ServerSecret::new(&mut rng)?;
        Ok(Self {
            rng,
            secret,
            d: PhantomData,
        })
    }

    /// Create a new server in the SSID agreement phase
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerSsidEstablish), [`message`](ServerMessage::Nonce))
    /// - [`next_step`](AuCPaceServerSsidEstablish): the server in the SSID establishment stage
    /// - [`message`](ServerMessage::Nonce): the message to send to the server
    ///
    pub fn begin(
        &mut self,
    ) -> Result<(
        AuCPaceServerSsidEstablish<D, K1>,
        ServerMessage<'static, K1>,
    )> {
        let next_step = AuCPaceServerSsidEstablish::new(self.secret.clone(), &mut self.rng)?;
        let message = ServerMessage::Nonce(next_step.nonce);
        Ok((next_step, message))
    }

    /// Create a new server in the Augmentation layer phase, provided an SSID
    ///
    /// # Argument:
    /// `ssid`: Some data to be hashed and act as the sub-session ID
    ///
    /// # Return:
    /// - Ok([`next_step`](AuCPaceServerAugLayer)): the server in the SSID establishment stage
    /// - Err([`Error::InsecureSsid`](Error::InsecureSsid)): the SSID provided was not long enough to be secure
    ///
    pub fn begin_prestablished_ssid<S>(&mut self, ssid: S) -> Result<AuCPaceServerAugLayer<D, K1>>
    where
        S: AsRef<[u8]>,
    {
        // if the SSID isn't long enough return an error
        if ssid.as_ref().len() < MIN_SSID_LEN {
            return Err(Error::InsecureSsid);
        }

        // hash the SSID and begin the next step
        let mut hasher: D = H0();
        hasher.update(ssid);
        let ssid_hash = hasher.finalize();
        let next_step = AuCPaceServerAugLayer::new(self.secret.clone(), ssid_hash);
        Ok(next_step)
    }

    /// Generate a new long-term keypair
    ///
    /// This is inteded to be used when registering a user when using partial augmentation.
    /// As well as on all password changes.
    ///
    /// # Return:
    /// (`private_key`, `public_key`):
    /// - `private_key`: the private key
    /// - `public_key`: the public key
    ///
    #[cfg(feature = "partial_augmentation")]
    pub fn generate_long_term_keypair(&mut self) -> Result<(Scalar, RistrettoPoint)> {
        generate_server_keypair::<D, _>(&mut self.rng)
    }
}

/// Server in the SSID agreement phase
#[derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct AuCPaceServerSsidEstablish<D, const K1: usize>
where
    D: Digest<OutputSize = U64> + Default,
{
    #[zeroize(skip)]
    secret: ServerSecret,
    nonce: [u8; K1],
    _d: PhantomData<D>,
}

impl<D, const K1: usize> AuCPaceServerSsidEstablish<D, K1>
where
    D: Digest<OutputSize = U64> + Default,
{
    fn new<CSPRNG>(secret: ServerSecret, rng: &mut CSPRNG) -> Result<Self>
    where
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        Ok(Self {
            secret,
            nonce: generate_nonce(rng)?,
            _d: PhantomData,
        })
    }

    /// Consume the client's nonce - `t` and progress to the augmentation layer
    ///
    /// # arguments:
    /// - `client_nonce` - the nonce received from the server
    ///
    /// # return:
    /// [`next_step`](AuCPaceServerAugLayer): the server in the augmentation layer
    ///
    #[must_use]
    pub fn agree_ssid(self, client_nonce: [u8; K1]) -> AuCPaceServerAugLayer<D, K1> {
        let ssid = compute_ssid::<D, K1>(self.nonce, client_nonce);
        AuCPaceServerAugLayer::new(self.secret.clone(), ssid)
    }
}

/// Server in the Augmentation layer phase
#[derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct AuCPaceServerAugLayer<D, const K1: usize>
where
    D: Digest<OutputSize = U64> + Default,
{
    #[zeroize(skip)]
    secret: ServerSecret,
    #[zeroize(skip)]
    ssid: Output<D>,
}

impl<D, const K1: usize> AuCPaceServerAugLayer<D, K1>
where
    D: Digest<OutputSize = U64> + Default,
{
    const fn new(secret: ServerSecret, ssid: Output<D>) -> Self {
        Self { secret, ssid }
    }

    /// Accept the user's username and generate the `ClientInfo` for the response.
    /// Moves the protocol into the `CPace` substep phase
    ///
    /// # Arguments:
    /// - `username`: the client's username
    /// - `database`: the password verifier database to retrieve the client's information from
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerCPaceSubstep), [`message`](ServerMessage::AugmentationInfo))
    /// - [`next_step`](AuCPaceServerCPaceSubstep): the server in the `CPace` substep stage
    /// - [`message`](ServerMessage::AugmentationInfo): the message to send to the client
    ///
    pub fn generate_client_info<U, DB, CSPRNG>(
        self,
        username: U,
        database: &DB,
        mut rng: CSPRNG,
    ) -> Result<(
        AuCPaceServerCPaceSubstep<D, CSPRNG, K1>,
        ServerMessage<'static, K1>,
    )>
    where
        U: AsRef<[u8]>,
        DB: Database<PasswordVerifier = RistrettoPoint>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let (x, x_pub) = generate_server_keypair::<D, _>(&mut rng)?;

        // generate the prs and client message
        let (prs, message) = self.generate_prs(username.as_ref(), database, &mut rng, x, x_pub)?;
        let next_step = AuCPaceServerCPaceSubstep::new(self.ssid, prs, rng);

        Ok((next_step, message))
    }

    /// Accept the user's username and generate the `ClientInfo` for the response.
    /// Moves the protocol into the `CPace` substep phase
    ///
    /// This method performs the "partial augmentation" variant of the protocol.
    /// This means that instead of generating `x` and `x_pub` as ephemeral keys, a long term keypair is
    /// retrieved from the database instead. This comes with decreased security in the case of
    /// server compromise but significantly decreases the amount of computation the server has to
    /// do. The reference paper goes into more detail on the tradeoffs and why you might choose to
    /// use this method.
    ///
    /// # Arguments:
    /// - `username`: the client's username
    /// - `database`: the password verifier database to retrieve the client's information from
    ///    This is a `PartialAugDatabase` so we can lookup the server's long term keypair.
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerCPaceSubstep), [`message`](ServerMessage::AugmentationInfo))
    /// - [`next_step`](AuCPaceServerCPaceSubstep): the server in the `CPace` substep stage
    /// - [`message`](ServerMessage::AugmentationInfo): the message to send to the client
    ///
    #[cfg(feature = "partial_augmentation")]
    pub fn generate_client_info_partial_aug<U, DB, CSPRNG>(
        self,
        username: U,
        database: &DB,
        mut rng: CSPRNG,
    ) -> Result<(
        AuCPaceServerCPaceSubstep<D, CSPRNG, K1>,
        ServerMessage<'static, K1>,
    )>
    where
        U: AsRef<[u8]>,
        DB: Database<PasswordVerifier = RistrettoPoint>
            + PartialAugDatabase<PrivateKey = Scalar, PublicKey = RistrettoPoint>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let user = username.as_ref();
        let (prs, message) = if let Some((x, x_pub)) = database.lookup_long_term_keypair(user) {
            // generate the prs and client message
            self.generate_prs(user, database, &mut rng, x, x_pub)?
        } else {
            // if the user does not have a keypair stored then we generate a random point on the
            // curve to be the public key, and handle the failed lookup as normal
            let x_pub = {
                let mut seed = [0u8; 32];
                rng.try_fill_bytes(&mut seed).map_err(|_| Error::Rng)?;
                let mut hasher: D = crate::utils::H1();
                hasher.update(&seed);
                RistrettoPoint::from_hash(hasher)
            };
            self.lookup_failed(user, x_pub, &mut rng)?
        };
        let next_step = AuCPaceServerCPaceSubstep::new(self.ssid, prs, rng);

        Ok((next_step, message))
    }

    /// Accept the user's username, and blinded point U and generate the `ClientInfo` for the response.
    /// Moves the protocol into the `CPace` substep phase
    ///
    /// This method performs the Strong variant of the protocol.
    /// This means that the information is blinded in transit so that it is impossible to do any
    /// precomputation to attack the user's password before the actual verifier database is compromised.
    ///
    /// # Arguments:
    /// - `username`: the client's username
    /// - `blinded`: the client's blinded point `U`
    /// - `database`: the password verifier database to retrieve the client's information from
    ///    This is a `PartialAugDatabase` so we can lookup the server's long term keypair.
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerCPaceSubstep), [`message`](ServerMessage::AugmentationInfo))
    /// - [`next_step`](AuCPaceServerCPaceSubstep): the server in the `CPace` substep stage
    /// - [`message`](ServerMessage::AugmentationInfo): the message to send to the client
    ///
    #[cfg(feature = "strong_aucpace")]
    pub fn generate_client_info_strong<U, DB, CSPRNG>(
        self,
        username: U,
        blinded: RistrettoPoint,
        database: &DB,
        mut rng: CSPRNG,
    ) -> Result<(
        AuCPaceServerCPaceSubstep<D, CSPRNG, K1>,
        ServerMessage<'static, K1>,
    )>
    where
        U: AsRef<[u8]>,
        DB: StrongDatabase<PasswordVerifier = RistrettoPoint, Exponent = Scalar>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let (x, x_pub) = generate_server_keypair::<D, _>(&mut rng)?;

        // generate the prs and client message
        let (prs, message) =
            self.generate_prs_strong(username.as_ref(), blinded, database, &mut rng, x, x_pub)?;
        let next_step = AuCPaceServerCPaceSubstep::new(self.ssid, prs, rng);

        Ok((next_step, message))
    }

    /// Accept the user's username, and blinded point U and generate the `ClientInfo` for the response.
    /// Moves the protocol into the `CPace` substep phase
    ///
    /// This method performs the Strong + Partially augmented variant of the protocol.
    /// This means that the information is blinded in transit so that it is impossible to do any
    /// precomputation to attack the user's password before the actual verifier database is compromised.
    /// And that the server looks up the user's long term keypair in the database instead of generating it.
    ///
    /// # Arguments:
    /// - `username`: the client's username
    /// - `blinded`: the client's blinded point `U`
    /// - `database`: the password verifier database to retrieve the client's information from
    ///    This is a `PartialAugDatabase` so we can lookup the server's long term keypair.
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerCPaceSubstep), [`message`](ServerMessage::AugmentationInfo))
    /// - [`next_step`](AuCPaceServerCPaceSubstep): the server in the `CPace` substep stage
    /// - [`message`](ServerMessage::AugmentationInfo): the message to send to the client
    ///
    #[cfg(all(feature = "strong_aucpace", feature = "partial_augmentation"))]
    pub fn generate_client_info_partial_strong<U, DB, CSPRNG>(
        self,
        username: U,
        blinded: RistrettoPoint,
        database: &DB,
        mut rng: CSPRNG,
    ) -> Result<(
        AuCPaceServerCPaceSubstep<D, CSPRNG, K1>,
        ServerMessage<'static, K1>,
    )>
    where
        U: AsRef<[u8]>,
        DB: StrongDatabase<PasswordVerifier = RistrettoPoint, Exponent = Scalar>
            + PartialAugDatabase<PrivateKey = Scalar, PublicKey = RistrettoPoint>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let user = username.as_ref();
        let (prs, message) = if let Some((x, x_pub)) = database.lookup_long_term_keypair(user) {
            // generate the prs and client message
            self.generate_prs_strong(user, blinded, database, &mut rng, x, x_pub)?
        } else {
            // if the user does not have a keypair stored then we generate a random point on the
            // curve to be the public key, and handle the failed lookup as normal
            let x_pub = {
                let mut seed = [0u8; 32];
                rng.try_fill_bytes(&mut seed).map_err(|_| Error::Rng)?;
                let mut hasher: D = crate::utils::H1();
                hasher.update(&seed);
                RistrettoPoint::from_hash(hasher)
            };
            self.lookup_failed_strong(user, blinded, x_pub, &mut rng)?
        };
        let next_step = AuCPaceServerCPaceSubstep::new(self.ssid, prs, rng);

        Ok((next_step, message))
    }

    /// Generate the Password Related String (PRS) and the message to be sent to the user.
    fn generate_prs<DB, CSPRNG>(
        &self,
        username: &[u8],
        database: &DB,
        rng: &mut CSPRNG,
        x: Scalar,
        x_pub: RistrettoPoint,
    ) -> Result<([u8; 32], ServerMessage<'static, K1>)>
    where
        DB: Database<PasswordVerifier = RistrettoPoint>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        if let Some((w, salt, sigma)) = database.lookup_verifier(username.as_ref()) {
            let cofactor = Scalar::ONE;
            let prs = (w * x * cofactor).compress().to_bytes();
            let message = ServerMessage::AugmentationInfo {
                // this will have to be provided by the trait in future
                group: "ristretto255",
                x_pub,
                salt,
                pbkdf_params: sigma,
            };
            Ok((prs, message))
        } else {
            // handle the failure case
            self.lookup_failed(username, x_pub, rng)
        }
    }

    /// Generate the Password Related String (PRS) and the message to be sent to the user.
    /// This variant uses a strong database
    #[cfg(feature = "strong_aucpace")]
    fn generate_prs_strong<DB, CSPRNG>(
        &self,
        username: &[u8],
        blinded: RistrettoPoint,
        database: &DB,
        rng: &mut CSPRNG,
        x: Scalar,
        x_pub: RistrettoPoint,
    ) -> Result<([u8; 32], ServerMessage<'static, K1>)>
    where
        DB: StrongDatabase<PasswordVerifier = RistrettoPoint, Exponent = Scalar>,
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        if let Some((w, q, sigma)) = database.lookup_verifier_strong(username.as_ref()) {
            let cofactor = Scalar::ONE;
            let prs = (w * (x * cofactor)).compress().to_bytes();
            let uq = blinded * (q * cofactor);
            if uq.is_identity() {
                return Err(Error::IllegalPointError);
            }
            let message = ServerMessage::StrongAugmentationInfo {
                // this will have to be provided by the trait in future
                group: "ristretto255",
                x_pub,
                blinded_salt: uq,
                pbkdf_params: sigma,
            };
            Ok((prs, message))
        } else {
            // handle the failure case
            self.lookup_failed_strong(username, blinded, x_pub, rng)
        }
    }

    /// Generate the message for if the lookup failed
    fn lookup_failed<CSPRNG>(
        &self,
        username: &[u8],
        x_pub: RistrettoPoint,
        rng: &mut CSPRNG,
    ) -> Result<([u8; 32], ServerMessage<'static, K1>)>
    where
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let prs = {
            let mut tmp = [0u8; 32];
            rng.try_fill_bytes(&mut tmp).map_err(|_| Error::Rng)?;
            tmp
        };

        // generate the salt from the hash of the server secret and the user's name
        let mut hasher: D = Default::default();
        hasher.update(self.secret.0.to_le_bytes());
        hasher.update(username);
        let hash = hasher.finalize();
        let hash_bytes: &[u8] = hash.as_ref();

        // It is okay to expect here because SaltString has a buffer of 64 bytes by requirement
        // from the PHC spec. 48 bytes of data when encoded as base64 transform to 64 bytes.
        // This gives us the most entropy possible from the hash in the SaltString.
        let salt = SaltString::encode_b64(&hash_bytes[..48]).map_err(Error::PasswordHashing)?;

        let message = ServerMessage::AugmentationInfo {
            group: "ristretto255",
            x_pub,
            salt,
            pbkdf_params: ParamsString::default(),
        };

        Ok((prs, message))
    }

    /// Generate the message for if the lookup failed
    #[cfg(feature = "strong_aucpace")]
    fn lookup_failed_strong<CSPRNG>(
        &self,
        username: &[u8],
        blinded: RistrettoPoint,
        x_pub: RistrettoPoint,
        rng: &mut CSPRNG,
    ) -> Result<([u8; 32], ServerMessage<'static, K1>)>
    where
        CSPRNG: TryRngCore + TryCryptoRng,
    {
        let prs = {
            let mut tmp = [0u8; 32];
            rng.try_fill_bytes(&mut tmp).map_err(|_| Error::Rng)?;
            tmp
        };

        // generate q from the hash of the username and the server secret
        let mut hasher: D = Default::default();
        hasher.update(self.secret.0.to_le_bytes());
        hasher.update(username);
        let cofactor = Scalar::ONE;
        let q = Scalar::from_hash(hasher);
        let fake_blinded_salt = blinded * (q * cofactor);

        // check uq isn't the neutral element
        if fake_blinded_salt.is_identity() {
            return Err(Error::IllegalPointError);
        }

        let message = ServerMessage::StrongAugmentationInfo {
            group: "ristretto255",
            x_pub,
            blinded_salt: fake_blinded_salt,
            pbkdf_params: ParamsString::default(),
        };

        Ok((prs, message))
    }
}

/// Server in the `CPace` substep phase
#[derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct AuCPaceServerCPaceSubstep<D, CSPRNG, const K1: usize>
where
    D: Digest<OutputSize = U64> + Default,
    CSPRNG: TryRngCore + TryCryptoRng,
{
    #[zeroize(skip)]
    ssid: Output<D>,
    prs: [u8; 32],
    #[zeroize(skip)]
    rng: CSPRNG,
}

impl<D, CSPRNG, const K1: usize> AuCPaceServerCPaceSubstep<D, CSPRNG, K1>
where
    D: Digest<OutputSize = U64> + Default,
    CSPRNG: TryRngCore + TryCryptoRng,
{
    const fn new(ssid: Output<D>, prs: [u8; 32], rng: CSPRNG) -> Self {
        Self { ssid, prs, rng }
    }

    /// Generate a public key
    /// moving the protocol onto the second half of the `CPace` substep - Receive Server Pubkey
    ///
    /// # Arguments:
    /// - `channel_identifier` - `CI` from the protocol definition, in the context of TCP/IP this
    ///     is usually some combination of the server and client's IP address and TCP port numbers.
    ///     It's purpose is to prevent relay attacks.
    /// - `rng` - the CSPRNG used when generating the public/private keypair
    ///
    /// # Return:
    /// ([`next_step`](AuCPaceServerRecvClientKey), [`message`](ServerMessage::PublicKey))
    /// - [`next_step`](AuCPaceServerRecvClientKey): the server waiting for the client's public key
    /// - [`message`](ServerMessage::PublicKey): the message to send to the client
    ///
    pub fn generate_public_key<CI: AsRef<[u8]>>(
        mut self,
        channel_identifier: CI,
    ) -> Result<(
        AuCPaceServerRecvClientKey<D, K1>,
        ServerMessage<'static, K1>,
    )> {
        let (priv_key, pub_key) = generate_keypair::<D, CSPRNG, CI>(
            &mut self.rng,
            self.ssid,
            self.prs,
            channel_identifier,
        )?;

        let next_step = AuCPaceServerRecvClientKey::new(self.ssid, priv_key);
        let message = ServerMessage::PublicKey(pub_key);

        Ok((next_step, message))
    }
}

/// Server in the `CPace` substep phase
#[derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct AuCPaceServerRecvClientKey<D, const K1: usize>
where
    D: Digest<OutputSize = U64> + Default,
{
    #[zeroize(skip)]
    ssid: Output<D>,
    priv_key: Scalar,
}

impl<D, const K1: usize> AuCPaceServerRecvClientKey<D, K1>
where
    D: Digest<OutputSize = U64> + Default,
{
    const fn new(ssid: Output<D>, priv_key: Scalar) -> Self {
        Self { ssid, priv_key }
    }

    /// Receive the client's public key
    /// This completes the `CPace` substep and moves the client on to explicit mutual authentication.
    ///
    /// # Arguments:
    /// - `client_pubkey` - the client's public key
    ///
    /// # Return:
    /// [`next_step`](AuCPaceServerExpMutAuth): the server in the Explicit Mutual Authentication phase
    ///
    pub fn receive_client_pubkey(
        self,
        client_pubkey: RistrettoPoint,
    ) -> Result<AuCPaceServerExpMutAuth<D, K1>> {
        // check for the neutral point
        if client_pubkey.is_identity() {
            return Err(Error::IllegalPointError);
        }

        let sk1 = compute_first_session_key::<D>(self.ssid, self.priv_key, client_pubkey);
        Ok(AuCPaceServerExpMutAuth::new(self.ssid, sk1))
    }

    /// Allow exiting the protocol early in the case of implicit authentication
    /// Note: this should only be used in special circumstances and the
    ///       explicit mutual authentication stage should be used in all other cases
    ///
    /// # Arguments:
    /// - `client_pubkey` - the client's public key
    ///
    /// # Return:
    /// `sk`: the session key reached by the `AuCPace` protocol
    ///
    pub fn implicit_auth(
        self,
        client_pubkey: RistrettoPoint,
    ) -> Result<secret_utils::wrappers::SecretKey> {
        // check for the neutral point
        if client_pubkey.is_identity() {
            return Err(Error::IllegalPointError);
        }

        let sk1 = compute_first_session_key::<D>(self.ssid, self.priv_key, client_pubkey);
        Ok(secret_utils::wrappers::SecretKey::from(
            compute_session_key::<D>(self.ssid, sk1).as_slice().to_vec(),
        ))
    }
}

/// Server in the Explicity Mutual Authenticaton phase
#[derive(zeroize::Zeroize, zeroize::ZeroizeOnDrop)]
pub struct AuCPaceServerExpMutAuth<D, const K1: usize>
where
    D: Digest<OutputSize = U64> + Default,
{
    #[zeroize(skip)]
    ssid: Output<D>,
    #[zeroize(skip)]
    sk1: Output<D>,
}

impl<D, const K1: usize> AuCPaceServerExpMutAuth<D, K1>
where
    D: Digest<OutputSize = U64> + Default,
{
    const fn new(ssid: Output<D>, sk1: Output<D>) -> Self {
        Self { ssid, sk1 }
    }

    /// Receive the server's authenticator.
    /// This completes the protocol and returns the derived key.
    ///
    /// # Arguments:
    /// - `server_authenticator` - the server's authenticator
    ///
    /// # Return:
    /// either:
    /// - Ok((`sk`, `message`)):
    ///     - `sk` - the session key reached by the `AuCPace` protocol
    ///     - [`message`](ServerMessage::Authenticator) - the message to send to the client
    /// - Err([`Error::MutualAuthFail`](Error::MutualAuthFail)): an error if the authenticator we computed doesn't match
    ///     the client's authenticator, compared in constant time.
    ///
    pub fn receive_client_authenticator(
        self,
        client_authenticator: [u8; 64],
    ) -> Result<(
        secret_utils::wrappers::SecretKey,
        ServerMessage<'static, K1>,
    )> {
        let (ta, tb) = compute_authenticator_messages::<D>(self.ssid, self.sk1);
        if tb.ct_eq(&client_authenticator).into() {
            let sk = compute_session_key::<D>(self.ssid, self.sk1);
            let ta_arr = ta
                .as_slice()
                .try_into()
                .map_err(|_| Error::HashSizeInvalid)?;
            let message = ServerMessage::Authenticator(ta_arr);
            Ok((
                secret_utils::wrappers::SecretKey::from(sk.as_slice().to_vec()),
                message,
            ))
        } else {
            Err(Error::MutualAuthFail)
        }
    }
}

/// An enum representing the different messages the server can send to the client
#[derive(Debug)]
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
pub enum ServerMessage<'a, const K1: usize> {
    /// SSID establishment message - the server's nonce: `s`
    Nonce(#[cfg_attr(feature = "serde", serde(with = "serde_byte_array"))] [u8; K1]),

    /// Information required for the AuCPace Augmentation layer sub-step
    AugmentationInfo {
        /// J from the protocol definition
        group: &'a str,

        /// X from the protocol definition
        x_pub: RistrettoPoint,

        /// the salt used with the PBKDF
        #[cfg_attr(feature = "serde", serde(with = "serde_saltstring"))]
        salt: SaltString,

        /// the parameters for the PBKDF used - sigma from the protocol definition
        #[cfg_attr(feature = "serde", serde(with = "serde_paramsstring"))]
        pbkdf_params: ParamsString,
    },

    /// Information required for the AuCPace Augmentation layer sub-step
    #[cfg(feature = "strong_aucpace")]
    StrongAugmentationInfo {
        /// J from the protocol definition
        group: &'a str,

        /// X from the protocol definition
        x_pub: RistrettoPoint,

        /// the blinded salt used with the PBKDF
        blinded_salt: RistrettoPoint,

        /// the parameters for the PBKDF used - sigma from the protocol definition
        #[cfg_attr(feature = "serde", serde(with = "serde_paramsstring"))]
        pbkdf_params: ParamsString,
    },

    /// `CPace` substep message - the server's public key: `Ya`
    PublicKey(RistrettoPoint),

    /// Explicit Mutual Authentication - the server's authenticator: `Ta`
    Authenticator(#[cfg_attr(feature = "serde", serde(with = "serde_byte_array"))] [u8; 64]),
}

#[cfg(test)]
mod tests {
    #[allow(unused)]
    use super::*;
    #[allow(unused)]
    use curve25519_dalek::constants::RISTRETTO_BASEPOINT_POINT;

    #[test]
    #[cfg(all(feature = "sha2", feature = "getrandom"))]
    fn test_server_doesnt_accept_insecure_ssid() {
        use crate::Server;
        use rand::rngs::OsRng;
        let mut server = Server::new(OsRng).expect("failed to initialize server RNG");
        let res = server.begin_prestablished_ssid("bad ssid");
        assert!(matches!(res, Err(Error::InsecureSsid)));
    }

    #[test]
    #[cfg(feature = "sha2")]
    fn test_server_doesnt_accept_invalid_pubkey() {
        use crate::utils::H0;
        use curve25519_dalek::traits::Identity;
        let ssid = H0::<sha2::Sha512>().finalize();
        let aug_server: AuCPaceServerRecvClientKey<sha2::Sha512, 16> =
            AuCPaceServerRecvClientKey::new(ssid, Scalar::from(420u32));
        let res = aug_server.receive_client_pubkey(RistrettoPoint::identity());

        if let Err(e) = res {
            assert_eq!(e, Error::IllegalPointError);
        } else {
            panic!("Client accepted illegal point.");
        }
    }

    #[test]
    #[cfg(feature = "sha2")]
    fn test_server_doesnt_accept_invalid_pubkey_implicit_auth() {
        use crate::utils::H0;
        use curve25519_dalek::traits::Identity;
        let ssid = H0::<sha2::Sha512>().finalize();
        let aug_server: AuCPaceServerRecvClientKey<sha2::Sha512, 16> =
            AuCPaceServerRecvClientKey::new(ssid, Scalar::from(420u32));
        let res = aug_server.implicit_auth(RistrettoPoint::identity());

        if let Err(e) = res {
            assert_eq!(e, Error::IllegalPointError);
        } else {
            panic!("Client accepted illegal point.");
        }
    }

    #[cfg(all(feature = "sha2", feature = "strong_aucpace"))]
    struct FakeDatabase();

    #[cfg(all(feature = "sha2", feature = "strong_aucpace"))]
    impl StrongDatabase for FakeDatabase {
        type PasswordVerifier = RistrettoPoint;
        type Exponent = Scalar;

        fn lookup_verifier_strong(
            &self,
            _username: &[u8],
        ) -> Option<(Self::PasswordVerifier, Self::Exponent, ParamsString)> {
            Some((
                RISTRETTO_BASEPOINT_POINT,
                Scalar::ZERO,
                ParamsString::default(),
            ))
        }

        fn store_verifier_strong(
            &mut self,
            _username: &[u8],
            _uad: Option<&[u8]>,
            _verifier: Self::PasswordVerifier,
            _secret_exponent: Self::Exponent,
            _params: ParamsString,
        ) {
            unimplemented!()
        }
    }

    #[cfg(all(feature = "sha2", feature = "strong_aucpace"))]
    impl PartialAugDatabase for FakeDatabase {
        type PrivateKey = Scalar;
        type PublicKey = RistrettoPoint;

        fn lookup_long_term_keypair(
            &self,
            _username: &[u8],
        ) -> Option<(Self::PrivateKey, Self::PublicKey)> {
            Some((Scalar::ZERO, RISTRETTO_BASEPOINT_POINT))
        }

        fn store_long_term_keypair(
            &mut self,
            _username: &[u8],
            _priv_key: Self::PrivateKey,
            _pub_key: Self::PublicKey,
        ) -> Result<()> {
            unimplemented!()
        }
    }

    #[test]
    #[cfg(all(feature = "sha2", feature = "getrandom", feature = "strong_aucpace"))]
    fn test_server_doesnt_accept_invalid_uq() {
        use crate::utils::H0;
        use curve25519_dalek::traits::Identity;
        use rand::rngs::OsRng;

        let ssid = H0::<sha2::Sha512>().finalize();
        let aug_server: AuCPaceServerAugLayer<sha2::Sha512, 16> =
            AuCPaceServerAugLayer::new(ServerSecret(25519), ssid);
        let res = aug_server.generate_client_info_strong(
            b"bobbyyyy",
            RistrettoPoint::identity(),
            &FakeDatabase(),
            OsRng,
        );

        if let Err(e) = res {
            assert_eq!(e, Error::IllegalPointError);
        } else {
            panic!("Client accepted illegal point.");
        }
    }

    #[test]
    #[cfg(all(feature = "sha2", feature = "getrandom", feature = "strong_aucpace"))]
    fn test_server_doesnt_accept_invalid_uq_partial() {
        use crate::utils::H0;
        use curve25519_dalek::traits::Identity;
        use rand::rngs::OsRng;

        let ssid = H0::<sha2::Sha512>().finalize();
        let aug_server: AuCPaceServerAugLayer<sha2::Sha512, 16> =
            AuCPaceServerAugLayer::new(ServerSecret(25519), ssid);
        let res = aug_server.generate_client_info_partial_strong(
            b"bobbyyyy",
            RistrettoPoint::identity(),
            &FakeDatabase(),
            OsRng,
        );

        if let Err(e) = res {
            assert_eq!(e, Error::IllegalPointError);
        } else {
            panic!("Client accepted illegal point.");
        }
    }

    #[test]
    #[cfg(all(feature = "sha2", feature = "getrandom"))]
    fn test_server_lookup_failed_returns_ok() {
        use crate::utils::H0;
        use rand::rngs::OsRng;

        // Fake DB that always returns None for lookup_verifier to force lookup_failed path
        struct NoneDb;
        impl Database for NoneDb {
            type PasswordVerifier = RistrettoPoint;

            fn lookup_verifier(
                &self,
                _username: &[u8],
            ) -> Option<(Self::PasswordVerifier, SaltString, ParamsString)> {
                None
            }

            fn store_verifier(
                &mut self,
                _username: &[u8],
                _salt: SaltString,
                _uad: Option<&[u8]>,
                _verifier: Self::PasswordVerifier,
                _params: ParamsString,
            ) {
                unimplemented!()
            }
        }

        let ssid = H0::<sha2::Sha512>().finalize();
        let aug_server: AuCPaceServerAugLayer<sha2::Sha512, 16> =
            AuCPaceServerAugLayer::new(ServerSecret(25519), ssid);

        // This should take the lookup_failed path and not panic; it should return Ok
        let res = aug_server.generate_client_info(b"missing-user", &NoneDb, OsRng);

        assert!(res.is_ok());
        if let Ok((_next_step, ServerMessage::AugmentationInfo { .. })) = res {
            // ok
        } else {
            panic!("Expected AugmentationInfo on lookup_failed path");
        }
    }
}