From: HimbeerserverDE <himbeerserverde@gmail.com>
Date: Fri, 17 Feb 2023 21:38:24 +0000 (+0100)
Subject: exclude password from hash used in client proof
X-Git-Url: https://git.lizzy.rs/?a=commitdiff_plain;h=eff5cdc41f1d542c2a3d6b7be6f99de29376f5cb;p=PAKEs.git

exclude password from hash used in client proof
---

diff --git a/srp/src/client.rs b/srp/src/client.rs
index eed1153..845c6f8 100644
--- a/srp/src/client.rs
+++ b/srp/src/client.rs
@@ -200,11 +200,15 @@ impl<'a, D: Digest> SrpClient<'a, D> {
         let identity_hash = Self::compute_identity_hash(username, password);
         let x = Self::compute_x(identity_hash.as_slice(), salt);
 
+        let mut d = D::new();
+        d.update(username);
+        let username_hash = d.finalize();
+
         let key = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);
 
         let m1 = compute_m1::<D>(
             self.params,
-            identity_hash.as_slice(),
+            username_hash.as_slice(),
             &a_pub.to_bytes_be(),
             &b_pub.to_bytes_be(),
             &key.to_bytes_be(),
diff --git a/srp/src/server.rs b/srp/src/server.rs
index e1eb331..08c0475 100644
--- a/srp/src/server.rs
+++ b/srp/src/server.rs
@@ -145,13 +145,13 @@ impl<'a, D: Digest> SrpServer<'a, D> {
 
         let mut d = D::new();
         d.update(username);
-        let identity_hash = d.finalize();
+        let username_hash = d.finalize();
 
         let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
 
         let m1 = compute_m1::<D>(
             self.params,
-            identity_hash.as_slice(),
+            username_hash.as_slice(),
             &a_pub.to_bytes_be(),
             &b_pub.to_bytes_be(),
             &key.to_bytes_be(),