Add EC-SRP5 authentication (RouterOS >= 6.43)

Client: auto-detects 03 response and performs EC-SRP5 handshake Server: --ecsrp5 flag enables Curve25519 Weierstrass EC-SRP5 auth btest -s -a admin -p password --ecsrp5 Protocol: [len][payload] framing (no 0x06 handler, unlike Winbox) Crypto: Curve25519 in Weierstrass form, SHA256, SRP key exchange Based on MarginResearch/mikrotik_authentication (Apache 2.0). Verified against MikroTik RouterOS 7.x via MITM protocol analysis. 34 tests (10 unit, 6 EC-SRP5 integration, 8 base integration, 10 doc-tests). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 16:56:38 +04:00
parent 8fe4e72bb3
commit 58274da859
15 changed files with 1303 additions and 38 deletions
--- a/src/client.rs
+++ b/src/client.rs
@@ -37,29 +37,45 @@ pub async fn run_client(
    send_command(&mut stream, &cmd).await?;

    let resp = recv_response(&mut stream).await?;
-    match (auth_user.as_deref(), auth_pass.as_deref()) {
-        (Some(user), Some(pass)) => {
-            auth::client_authenticate(&mut stream, resp, user, pass).await?;
-        }
-        _ => {
-            if resp == AUTH_REQUIRED {
+    if resp == AUTH_OK {
+        // No auth required
+    } else if resp == AUTH_REQUIRED {
+        // MD5 auth
+        match (auth_user.as_deref(), auth_pass.as_deref()) {
+            (Some(user), Some(pass)) => {
+                auth::client_authenticate(&mut stream, resp, user, pass).await?;
+            }
+            _ => {
                return Err(BtestError::Protocol(
-                    "Server requires authentication but no credentials provided".into(),
+                    "Server requires authentication but no credentials provided (-a/-p)".into(),
                ));
            }
-            if resp == [0x03, 0x00, 0x00, 0x00] {
+        }
+    } else if resp == [0x03, 0x00, 0x00, 0x00] {
+        // EC-SRP5 auth (RouterOS >= 6.43)
+        match (auth_user.as_deref(), auth_pass.as_deref()) {
+            (Some(user), Some(pass)) => {
+                crate::ecsrp5::client_authenticate(&mut stream, user, pass).await?;
+                // After EC-SRP5, server sends AUTH_OK
+                let post_auth = recv_response(&mut stream).await?;
+                if post_auth != AUTH_OK {
+                    return Err(BtestError::Protocol(format!(
+                        "Unexpected post-EC-SRP5 response: {:02x?}",
+                        post_auth
+                    )));
+                }
+            }
+            _ => {
                return Err(BtestError::Protocol(
-                    "Server requires EC-SRP5 authentication (RouterOS >= 6.43) which is not yet supported. \
-                     Try disabling authentication on the MikroTik btest server, or provide -a/-p credentials".into(),
+                    "Server requires EC-SRP5 authentication. Provide credentials with -a/-p".into(),
                ));
            }
-            if resp != AUTH_OK {
-                return Err(BtestError::Protocol(format!(
-                    "Unexpected server response: {:02x?}",
-                    resp
-                )));
-            }
        }
+    } else {
+        return Err(BtestError::Protocol(format!(
+            "Unexpected server response: {:02x?}",
+            resp
+        )));
    }

    tracing::info!(