From: HimbeerserverDE <himbeerserverde@gmail.com>
Date: Fri, 17 Feb 2023 21:17:02 +0000 (+0100)
Subject: rfc compliant client proof
X-Git-Url: https://git.lizzy.rs/?a=commitdiff_plain;h=ef7861180220c64aef79fbdda44b02e584445813;p=PAKEs.git

rfc compliant client proof
---

diff --git a/srp/src/client.rs b/srp/src/client.rs
index ee8fd8d..263e5f3 100644
--- a/srp/src/client.rs
+++ b/srp/src/client.rs
@@ -203,6 +203,7 @@ impl<'a, D: Digest> SrpClient<'a, D> {
         let key = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);
 
         let m1 = compute_m1::<D>(
+            self.params,
             &a_pub.to_bytes_be(),
             &b_pub.to_bytes_be(),
             &key.to_bytes_be(),
diff --git a/srp/src/server.rs b/srp/src/server.rs
index 0ecc17c..b7d3eff 100644
--- a/srp/src/server.rs
+++ b/srp/src/server.rs
@@ -145,6 +145,7 @@ impl<'a, D: Digest> SrpServer<'a, D> {
         let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
 
         let m1 = compute_m1::<D>(
+            self.params,
             &a_pub.to_bytes_be(),
             &b_pub.to_bytes_be(),
             &key.to_bytes_be(),
diff --git a/srp/src/utils.rs b/srp/src/utils.rs
index a9372bd..6eeb3a3 100644
--- a/srp/src/utils.rs
+++ b/srp/src/utils.rs
@@ -25,10 +25,25 @@ pub fn compute_k<D: Digest>(params: &SrpGroup) -> BigUint {
     BigUint::from_bytes_be(d.finalize().as_slice())
 }
 
-// M1 = H(A, B, K) this doesn't follow the spec but apparently no one does for M1
-// M1 should equal =  H(H(N) XOR H(g) | H(U) | s | A | B | K) according to the spec
-pub fn compute_m1<D: Digest>(a_pub: &[u8], b_pub: &[u8], key: &[u8]) -> Output<D> {
+// M1 = H(H(N) XOR H(g) | H(U) | s | A | B | K)
+pub fn compute_m1<D: Digest>(
+    params: &SrpGroup,
+    a_pub: &[u8],
+    b_pub: &[u8],
+    key: &[u8],
+) -> Output<D> {
+    let mut d_n = D::new();
+    d_n.update(params.n.to_bytes_be());
+    let h_n = d_n.finalize();
+
+    let mut d_g = D::new();
+    d_g.update(params.g.to_bytes_be());
+    let h_g = d_g.finalize();
+
+    let ng_xor: Vec<u8> = h_n.iter().zip(h_g.iter()).map(|(n, g)| n ^ g).collect();
+
     let mut d = D::new();
+    d.update(ng_xor);
     d.update(a_pub);
     d.update(b_pub);
     d.update(key);