let key = self.compute_premaster_secret(&b_pub, &k, &x, &a, &u);
let m1 = compute_m1::<D>(
+ self.params,
&a_pub.to_bytes_be(),
&b_pub.to_bytes_be(),
&key.to_bytes_be(),
let key = self.compute_premaster_secret(&a_pub, &v, &u, &b);
let m1 = compute_m1::<D>(
+ self.params,
&a_pub.to_bytes_be(),
&b_pub.to_bytes_be(),
&key.to_bytes_be(),
BigUint::from_bytes_be(d.finalize().as_slice())
}
-// M1 = H(A, B, K) this doesn't follow the spec but apparently no one does for M1
-// M1 should equal = H(H(N) XOR H(g) | H(U) | s | A | B | K) according to the spec
-pub fn compute_m1<D: Digest>(a_pub: &[u8], b_pub: &[u8], key: &[u8]) -> Output<D> {
+// M1 = H(H(N) XOR H(g) | H(U) | s | A | B | K)
+pub fn compute_m1<D: Digest>(
+ params: &SrpGroup,
+ a_pub: &[u8],
+ b_pub: &[u8],
+ key: &[u8],
+) -> Output<D> {
+ let mut d_n = D::new();
+ d_n.update(params.n.to_bytes_be());
+ let h_n = d_n.finalize();
+
+ let mut d_g = D::new();
+ d_g.update(params.g.to_bytes_be());
+ let h_g = d_g.finalize();
+
+ let ng_xor: Vec<u8> = h_n.iter().zip(h_g.iter()).map(|(n, g)| n ^ g).collect();
+
let mut d = D::new();
+ d.update(ng_xor);
d.update(a_pub);
d.update(b_pub);
d.update(key);
projects / PAKEs.git / commitdiff