Expand description

An implementation of the World of Warcraft flavor of SRP6 used for authentication with the Login Server. It is only tested and verified on 1.12.1, but should work for other versions.

The implementation is intended to abstract away as much of the protocol as possible, and limits itself to the specific requirements of the World of Warcraft implementation. For example, all key sizes are limited to exactly 32 bytes since the network packet fields describing public keys are of a fixed size in the protocol and key sizes of any other sizes are not possible.

This crate does not deal with parsing the network packets necessary to obtain the required parameters. The WoWDev wiki (archive) contains a reference list of packets and the examples implement the required functionality.



The crate is split into:

  • A server module containing structs for use on the server.
  • A client module containing structs for use on the client.
  • A header_crypto module containing structs and traits for decrypting world packets.
  • An error module for errors that are shared by all modules.
  • A normalized_string module used for all modules to correctly handle strings.

A server example can be found in examples/server.rs and a client example can be found in examples/client.rs. These examples will perform the full SRP6 connection and reconnection. The server will work with a 1.12.1 client, using the username and password a and a. The client will work not with any other server since it ignores everything that is not absolutely necessary for showcasing the crate.

Running the examples

  1. Clone the repo with git clone https://github.com/gtker/wow_srp.
  2. Run the server with cargo run --example server inside the directory. This runs a simple authentication server that accepts the username “a” and the password “a”. Anything else panics.
  3. Run a real client with the realmlist set to localhost or run the client example with cargo run --example client.


Add the following to your Cargo.toml:

wow_srp = { version = "0.4.1" }

Then go to either the client module or server module for specific instructions.


Two different arbitrary precision integer libraries can be used, either:

  • num-bigint. A slow pure Rust implementation without external dependencies. This is enabled by default, and requires no opt in.

  • rug. A fast wrapper around the GMP library with external dependencies, as described in the gmp_mpfr_sys documentation. This is enabled with the fast-math feature and disabling default features. So instead of the above do this:

wow_srp = { version = "0.4.1", default-features = false, features = ["fast-math"] }

The fast-math feature leads to a 50% decrease in total time. It is highly recommended to enable this feature for production usage since it also theoretically has better security.

To see the performance difference on your setup you can run cargo bench for the default version, and cargo bench --features fast-math --no-default-features for the fast-math version.


wow_srp has a Minimum Supported Rust Version (MSRV) of 1.48.0. The MSRV may be increased in PATCH versions before wow_srp reaches 1.0.0 (MAJOR.MINOR.PATCH).

Other implementations

  • Ember is a C++ implementation for 1.12 with a clean, tested implementation of the protocol.
  • ArcEmu is a C++ implementation for 3.3.5.
  • vMangos is a C++ implementation.
  • WoWCore is a Pascal implementation that has 1.12, 2.4.3 and 3.3.5 versions.
  • Shadowburn is an Elixir implementation.


Contains all functionality related to the client part.

The various errors that can happen during the SRP6 process.

Functionality for encrypting/decrypting World Packet headers.

Functionality for keeping strings in a format the client expects.

Contains all functionality related to the server part, including the generation of values for the database.


Represents a public key for both the client and server.


Called g in RFC2945. Statically set to 7. Used for generating the public keys for both server and client, and the session key. The length in bytes is always 1 since there are no generators greater than 255.

The length in bytes for GENERATOR. Will always be 1 since there are no generators greater than 255. Constant is provided here since the CMD_AUTH_LOGON_CHALLENGE packet requires it.

Static large safe prime (N) value. The big endian version of LARGE_SAFE_PRIME_LITTLE_ENDIAN. This version should not be sent over the network and should generally not be used.

The size in bytes of the large safe prime.

Static large safe prime (N) value. The little endian version of LARGE_SAFE_PRIME_BIG_ENDIAN. This is the version that should be sent over the network in the CMD_AUTH_LOGON_CHALLENGE_Server packet.

Password verifier size in bytes.

Length of a proof in bytes.

Length in bytes for both client and server public key.

The size of the reconnect challenge data in bytes.

The salt is always 32 bytes since the client expects a 32 byte salt field in the CMD_AUTH_LOGON_CHALLENGE_Server packet and will use leading zeros in the calculation.

Size of the session key in bytes.