Implement proof generation as per RFC2945.

srp/src/client.rs

@@ -146,6 +146,8 @@ impl<'a, D: Digest> SrpClient<'a, D> {
     /// Process server reply to the handshake.
     pub fn process_reply(
         self,
+        username: &[u8],
+        salt: &[u8],
         private_key: &[u8],
         b_pub: &[u8],
     ) -> Result<SrpClientVerifier<D>, SrpAuthError> {
@@ -167,9 +169,29 @@ impl<'a, D: Digest> SrpClient<'a, D> {
 
         let x = BigUint::from_bytes_be(private_key);
         let key = self.calc_key(&b_pub, &x, &u);
-        // M1 = H(A, B, K)
+        // M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
         let proof = {
+            let hn = {
+                let n = &self.params.n;
+                let mut d = D::new();
+                d.input(n.to_bytes_be());
+                BigUint::from_bytes_be(&d.result())
+            };
+            let hg = {
+                let g = &self.params.g;
+                let mut d = D::new();
+                d.input(g.to_bytes_be());
+                BigUint::from_bytes_be(&d.result())
+            };
+            let hu = {
+                let mut d = D::new();
+                d.input(username);
+                d.result()
+            };
             let mut d = D::new();
+            d.input((hn ^ hg).to_bytes_be());
+            d.input(hu);
+            d.input(salt);
             d.input(&self.a_pub.to_bytes_be());
             d.input(&b_pub.to_bytes_be());
             d.input(&key);

srp/src/server.rs

@@ -52,23 +52,26 @@ pub struct UserRecord<'a> {
 }
 
 /// SRP server state
-pub struct SrpServer<D: Digest> {
+pub struct SrpServer<'a, D: Digest> {
+    user: &'a UserRecord<'a>,
     b: BigUint,
     a_pub: BigUint,
     b_pub: BigUint,
 
     key: GenericArray<u8, D::OutputSize>,
 
     d: PhantomData<D>,
+
+    params: &'a SrpGroup,
 }
 
-impl<D: Digest> SrpServer<D> {
+impl<'a, D: Digest> SrpServer<'a, D> {
     /// Create new server state.
     pub fn new(
-        user: &UserRecord<'_>,
+        user: &'a UserRecord,
         a_pub: &[u8],
         b: &[u8],
-        params: &SrpGroup,
+        params: &'a SrpGroup,
     ) -> Result<Self, SrpAuthError> {
         let a_pub = BigUint::from_bytes_be(a_pub);
         // Safeguard against malicious A
@@ -99,11 +102,13 @@ impl<D: Digest> SrpServer<D> {
             D::digest(&s.to_bytes_be())
         };
         Ok(Self {
+            user,
             b,
             a_pub,
             b_pub,
             key,
             d,
+            params,
         })
     }
 
@@ -129,13 +134,36 @@ impl<D: Digest> SrpServer<D> {
         &self,
         user_proof: &[u8],
     ) -> Result<GenericArray<u8, D::OutputSize>, SrpAuthError> {
-        // M = H(A, B, K)
-        let mut d = D::new();
-        d.input(&self.a_pub.to_bytes_be());
-        d.input(&self.b_pub.to_bytes_be());
-        d.input(&self.key);
+        // M = H(H(N) XOR H(g) | H(U) | s | A | B | K)
+        let proof = {
+            let hn = {
+                let n = &self.params.n;
+                let mut d = D::new();
+                d.input(n.to_bytes_be());
+                BigUint::from_bytes_be(&d.result())
+            };
+            let hg = {
+                let g = &self.params.g;
+                let mut d = D::new();
+                d.input(g.to_bytes_be());
+                BigUint::from_bytes_be(&d.result())
+            };
+            let hu = {
+                let mut d = D::new();
+                d.input(self.user.username);
+                d.result()
+            };
+            let mut d = D::new();
+            d.input((hn ^ hg).to_bytes_be());
+            d.input(hu);
+            d.input(self.user.salt);
+            d.input(&self.a_pub.to_bytes_be());
+            d.input(&self.b_pub.to_bytes_be());
+            d.input(&self.key);
+            d.result()
+        };
 
-        if user_proof == d.result().as_slice() {
+        if user_proof == proof.as_slice() {
             // H(A, M, K)
             let mut d = D::new();
             d.input(&self.a_pub.to_bytes_be());

srp/tests/mod.rs

@@ -37,7 +37,9 @@ fn auth_test(reg_pwd: &[u8], auth_pwd: &[u8]) {
 
     // Client processes handshake reply
     let auth_priv_key = srp_private_key::<Sha256>(username, auth_pwd, salt);
-    let client2 = client.process_reply(&auth_priv_key, &b_pub).unwrap();
+    let client2 = client
+        .process_reply(user.username, user.salt, &auth_priv_key, &b_pub)
+        .unwrap();
     let proof = client2.get_proof();
 
     // Server processes verification data