I've been reading about Stanford's Secure Remote Password protocol, and it looks ideal for the sort of environment in which iPhone apps run. Unfortunately, I haven't been able to find a good Objective-C implementation of the protocol. Nor, as far as I can tell, do the crypto libraries in the SDK implement it.
Does anyone know of such an implementation?
Failing that, what's my best bet going to be, do you think? I could try to build OpenSSL into my app, but that feels like a really big thing to add for this one little piece. I could try to translate the JavaScript or Java implementations into Objective-C, but that violates the #1 rule of crypto (use a known, tested implementation).
Couple of follow-up items: first, it should probably be obvious from context, but I'm going to need something that is compatible with closed-source commercial usage (the JavaScript implementation I linked to, I later noticed, is AGPL).
Also, assuming I do end up going with OpenSSL, I'm having real trouble finding an example of using it to do SRP. Their site claims the code is in there, but I can't find any evidence of it, either in the OpenSSL documentation or by grepping the source code (v 0.9.8k). (Or am I seriously misreading things, and I still have to apply one of their patches to the OpenSSL source?)
EDIT:
What I could really use at this point is ready-to-use code, a fairly complete recipe, or some kind of example of using SRP in OpenSSL. I'm pretty sure I could cobble something together from scratch with the protocol docs, but I'm really trying to avoid reinventing the wheel, if I can help it.