Doc or implementation error in NTor handshake
Either the docs or the implementation seem to be off for the implementation of the NTor handshake. Specifically, the docs (in Section 5.1.4) state:
`verify = H(secret_input, t_verify)`
and
`auth = H(auth_input, t_mac)`
where `H(x,t)` is defined as `HMAC_SHA256` with message `x` and key `t`.
Looking into the source code, the implementation of these two is via the function `h_tweak`. In all cases, `h_tweak` is called with `h_tweak(input, input_length, t_value)`. However, it then calls the underlying hmac function with the arguments reversed. This has the effect of redefining `verify` as `H(t_verify, secret_input)` and `auth` as `H(t_mac, auth_input)`.
I'm not sure what the security implications of this are, but it is confusing. If there is no difference in the security of the result, it'd obviously be easier to update the docs. Otherwise, the patch to `h_tweak` should be obvious, but it will make handshakes with previous implementations fail.
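To make the two readings concrete, here is an added example (not Tor's code) that computes `verify` and `auth` with `H(x,t)` as the spec defines it (key `t`, message `x`) and with the key and message swapped, then shows that a peer using one ordering cannot authenticate a peer using the other. The `secret_input` and the rest of `auth_input` are constructed placeholder bytes, not real curve25519 outputs; the tweak constants follow tor-spec.txt section 5.1.4.

```python
import hashlib
import hmac

# Tweak constants from tor-spec.txt 5.1.4 (ntor handshake).
PROTOID = b"ntor-curve25519-sha256-1"
T_VERIFY = PROTOID + b":verify"
T_MAC = PROTOID + b":mac"


def h_spec(x: bytes, t: bytes) -> bytes:
    """H(x, t) as documented: HMAC-SHA256 with message x and key t."""
    return hmac.new(t, x, hashlib.sha256).digest()


def h_swapped(x: bytes, t: bytes) -> bytes:
    """The reversed reading of h_tweak described in the ticket: key x, message t."""
    return hmac.new(x, t, hashlib.sha256).digest()


def compute_auth(h, secret_input: bytes, auth_rest: bytes) -> bytes:
    """verify = H(secret_input, t_verify); auth = H(verify | auth_rest, t_mac)."""
    verify = h(secret_input, T_VERIFY)
    return h(verify + auth_rest, T_MAC)


def auth_matches(client_h, server_h, secret_input: bytes, auth_rest: bytes) -> bool:
    """True only if both sides derive the same auth tag (constant-time compare)."""
    client_auth = compute_auth(client_h, secret_input, auth_rest)
    server_auth = compute_auth(server_h, secret_input, auth_rest)
    return hmac.compare_digest(client_auth, server_auth)


# Constructed sample inputs standing in for EXP(Y,x)|EXP(B,x)|ID|B|X|Y|PROTOID
# and for ID|B|Y|X|PROTOID|"Server"; real handshakes derive these from keys.
SECRET_INPUT = hashlib.sha256(b"constructed secret_input").digest() * 2 + PROTOID
AUTH_REST = hashlib.sha256(b"constructed ID|B|Y|X").digest() + PROTOID + b"Server"

if __name__ == "__main__":
    print("same ordering agrees:", auth_matches(h_spec, h_spec, SECRET_INPUT, AUTH_REST))
    print("mixed ordering agrees:", auth_matches(h_spec, h_swapped, SECRET_INPUT, AUTH_REST))
```

Whichever ordering is declared correct, the check shows why a fix to one side must be matched by the other: mixed orderings produce different `auth` values, so the client rejects the server's reply.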
**Trac**:
**Username**: awick