Doc or implementation error in NTor handshake
Either the docs or the implementation seem to be off for the implementation of the NTor handshake. Specifically, the docs (in Section 5.1.4) state:
verify = H(secret_input, t_verify)
and
auth = H(auth_input, t_mac)
where H(x,t) is defined as HMAC_SHA256 with message x and key t.
Looking into the source code, the implementation of these two is via the function h_tweak. In all cases, h_tweak is called with h_tweak(input, input_length, t_value). However, it then calls the underlying hmac function with the arguments reversed. This has the effect of redefining verify as H(t_verify, secret_input) and auth as H(t_mac, auth_input).
I'm not sure what the security implications of this are, but it is confusing. If there is no difference in the security of the result, it'd obviously be easier to update the docs. Otherwise, the patch to h_tweak should be obvious, but it will make handshakes with previous implementations fail.
Trac:
Username: awick