Add EC-SRP5 authentication (RouterOS >= 6.43)

Client: auto-detects 03 response and performs EC-SRP5 handshake
Server: --ecsrp5 flag enables Curve25519 Weierstrass EC-SRP5 auth
  btest -s -a admin -p password --ecsrp5

Protocol: [len][payload] framing (no 0x06 handler, unlike Winbox)
Crypto: Curve25519 in Weierstrass form, SHA256, SRP key exchange

Based on MarginResearch/mikrotik_authentication (Apache 2.0).
Verified against MikroTik RouterOS 7.x via MITM protocol analysis.

34 tests (10 unit, 6 EC-SRP5 integration, 8 base integration, 10 doc-tests).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Siavash Sameni
2026-03-31 16:56:38 +04:00
parent 8fe4e72bb3
commit 58274da859
15 changed files with 1303 additions and 38 deletions


@@ -1,6 +1,7 @@
mod auth;
mod bandwidth;
mod client;
mod ecsrp5;
mod protocol;
mod server;
@@ -56,6 +57,10 @@ struct Cli {
#[arg(short = 'p', long = "authpass")]
auth_pass: Option<String>,
/// Use EC-SRP5 authentication (RouterOS >= 6.43 compatible)
#[arg(long = "ecsrp5")]
ecsrp5: bool,
/// NAT mode - send probe packet to open firewall
#[arg(short = 'n', long = "nat")]
nat: bool,
@@ -85,7 +90,7 @@ async fn main() -> anyhow::Result<()> {
if cli.server {
// Server mode
tracing::info!("Starting btest server on port {}", cli.port);
server::run_server(cli.port, cli.auth_user, cli.auth_pass).await?;
server::run_server(cli.port, cli.auth_user, cli.auth_pass, cli.ecsrp5).await?;
} else if let Some(host) = cli.client {
// Client mode - must specify at least one direction
if !cli.transmit && !cli.receive {
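Review bot: The `ecsrp5` flag added to `Cli` can be given without credentials, so `run_server(cli.port, cli.auth_user, cli.auth_pass, cli.ecsrp5)` may be called with `ecsrp5 == true` while `auth_pass` (and presumably `auth_user`) is `None`. How `run_server` handles that is not visible in this section; if it falls back to running without authentication, an operator who passed `--ecsrp5` would be running an open server without noticing. Letting clap reject the combination makes it fail closed, e.g. `#[arg(long = "ecsrp5", requires = "auth_pass")]`, with the same constraint for the user option. The doc comment could also state that the flag only applies in server mode, since the commit description says the client auto-detects the method: `/// Server only: use EC-SRP5 authentication (RouterOS >= 6.43 compatible)`. Both `Cli` and `main` continue outside the hunks shown.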