In the Python version, key.py has two nested state machines: the outer one accepts two events (got_code and got_pake) and ensures that the inner one always receives the got_code event first. This was a quick hack to fix a bug, in which I didn't make the inner state machine tolerant of getting the PAKE message first (this can happen if you're using input_code, and you wait long enough between typing the nameplate and typing the rest of the words: the peer's PAKE message can arrive any time after you commit to the nameplate, but we don't know the code locally until you finish typing the words).
On the other hand, if you use set_code or generate_code, then you'll know the code long before you learn the peer's PAKE message. And you need to actually generate+send the PAKE message as soon as you can: if both sides wait until they've heard from their peer before sending anything, then no progress can be made.
The key.rs machine currently defers sending both messages until both have arrived, so it only works if run against a different implementation which starts sending the PAKE earlier.
In the Python version, key.py has two nested state machines: the outer one accepts two events (
got_codeandgot_pake) and ensures that the inner one always receives thegot_codeevent first. This was a quick hack to fix a bug, in which I didn't make the inner state machine tolerant of getting the PAKE message first (this can happen if you're usinginput_code, and you wait long enough between typing the nameplate and typing the rest of the words: the peer's PAKE message can arrive any time after you commit to the nameplate, but we don't know the code locally until you finish typing the words).On the other hand, if you use
set_codeorgenerate_code, then you'll know the code long before you learn the peer's PAKE message. And you need to actually generate+send the PAKE message as soon as you can: if both sides wait until they've heard from their peer before sending anything, then no progress can be made.The key.rs machine currently defers sending both messages until both have arrived, so it only works if run against a different implementation which starts sending the PAKE earlier.