As far as I can tell from the code, what is defined as:
key = compute_premaster_secret(...)
does not include the given hash invocation step. While RFC 5054 is unclearly worded (see comment below), SRP-6 is clear that M1 should not include K = H(S) and thus this description of the protocol is incorrect. As far as I can tell, nobody else uses this computation of M1 (with K = H(S) as a parameter) and thus it should be dropped from the tabular and comment descriptions.
Edit to add: regardless of which spec is deemed correct or supported or implemented (SPR-6 or RFC 2945) -- it is clear that M1 = H(A, B, H(S)) is not aligning with either of those two, and also (I believe) wasn't implemented in the code.
As far as I can tell from the code, what is defined as:
does not include the given hash invocation step. While RFC 5054 is unclearly worded (see comment below), SRP-6 is clear that
M1should not includeK = H(S)and thus this description of the protocol is incorrect. As far as I can tell, nobody else uses this computation ofM1(withK = H(S)as a parameter) and thus it should be dropped from the tabular and comment descriptions.See also: https://github.com/bcgit/bc-csharp/issues/506#issuecomment-1932665252
Edit to add: regardless of which spec is deemed correct or supported or implemented (SPR-6 or RFC 2945) -- it is clear that
M1 = H(A, B, H(S))is not aligning with either of those two, and also (I believe) wasn't implemented in the code.