in the latest version of the spec the server sends the client a challenge where the hmac is keyed with the application key K concatenated with scalar_mult(a, b) whereas your code only keys the hmac with the application key.
this ticket is related to auditdrivencrypto/secret-handshake#7
(actually it is the hash of this concatenation but i'll open a separate ticket for the spec.)
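
Added example, not part of the original issue and not code from either project: an interop check that reports which of the three keyings mentioned above produced a given challenge, and accepts only the hash-of-concatenation form. Assumptions: the HMAC message is the server's ephemeral public key, the MAC is HMAC-SHA-512 truncated to 32 bytes, the hash is SHA-256, and all byte values are constructed stand-ins (no real `scalar_mult` is performed).

```python
import hashlib
import hmac

def auth(key: bytes, msg: bytes) -> bytes:
    # Assumption: HMAC-SHA-512 truncated to 32 bytes; the issue names no MAC.
    return hmac.new(key, msg, hashlib.sha512).digest()[:32]

def candidate_keys(app_key: bytes, shared: bytes) -> dict:
    """The three HMAC keyings mentioned in the issue."""
    return {
        "app-key-only": app_key,        # what the reported code does
        "concat": app_key + shared,     # K || scalar_mult(a, b)
        # Assumption: SHA-256 as "the hash"; the issue names no hash function.
        "hash-of-concat": hashlib.sha256(app_key + shared).digest(),
    }

def make_challenge(keying: str, app_key: bytes, shared: bytes, eph_pub: bytes) -> bytes:
    return auth(candidate_keys(app_key, shared)[keying], eph_pub)

def diagnose(app_key: bytes, shared: bytes, eph_pub: bytes, tag: bytes):
    """Return the name of the keying that produced `tag`, or None."""
    for name, key in candidate_keys(app_key, shared).items():
        if hmac.compare_digest(auth(key, eph_pub), tag):
            return name
    return None

def verify_spec(app_key: bytes, shared: bytes, eph_pub: bytes, tag: bytes) -> bool:
    """Accept only a challenge keyed with hash(K || scalar_mult(a, b))."""
    key = candidate_keys(app_key, shared)["hash-of-concat"]
    return hmac.compare_digest(auth(key, eph_pub), tag)

# Constructed sample values (hypothetical, for illustration only).
APP_KEY = bytes(range(32))
SHARED = hashlib.sha256(b"constructed stand-in for scalar_mult(a, b)").digest()
OTHER_SHARED = hashlib.sha256(b"constructed stand-in for another session").digest()
SERVER_EPH_PUB = hashlib.sha256(b"constructed server ephemeral public key").digest()

if __name__ == "__main__":
    for keying in candidate_keys(APP_KEY, SHARED):
        tag = make_challenge(keying, APP_KEY, SHARED, SERVER_EPH_PUB)
        print(keying, "->", diagnose(APP_KEY, SHARED, SERVER_EPH_PUB, tag),
              "| accepted:", verify_spec(APP_KEY, SHARED, SERVER_EPH_PUB, tag))
```

A challenge keyed with the application key alone is identical for every session, so a peer verifying with the hash-of-concatenation key rejects it.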