[sasl] SCRAM: PBKDF2 algorithm description wrong?!?

[Tobias Markmann <tmarkmann at googlemail.com>]

Hi,

http://tools.ietf.org/html/draft-ietf-sasl-scram-10 describes the Hi function this way:

Hi(str, salt, i):

U0 := HMAC(str, salt + INT(1))
U1 := HMAC(str, U0)
U2 := HMAC(str, U1)
...
Ui-1 := HMAC(str, Ui-2)
Ui := HMAC(str, Ui-1)

Hi := U0 XOR U1 XOR U2 XOR ... XOR Ui

If I interpret this correctly for i = 1 you have to calculate U0 and U1 and XOR those values.

However this isn't compatible to existing implementations. For i = 1 you seem to have to return only U0.

This is how I implemented it in Lua:

local function Hi(hmac, str, salt, i)

local Ust = hmac(str, salt.."\0\0\0\1");

local res = Ust;

for n=1,i-1 do

Und = hmac(str, Ust)

res = binaryXOR(res, Und)

Ust = Und

end

return res

end

See the i-1 as upper end of the loop!

So my question: Did I interpret the pseudo code wrong or is the pseudo code wrong? Would it be problematic to include a couple of test vectors, like those Simon published (http://josefsson.org/sasl-gs2/draft-josefsson-pbkdf2-test-vectors.txt) in the RFC?

Cheers,

Tobias Markmann