[tor-bugs] #17556 [Tor]: Doc or implementation error in NTor handshake
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Nov 9 04:45:08 UTC 2015
#17556: Doc or implementation error in NTor handshake
--------------------+--------------------------
Reporter: awick | Owner:
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
--------------------+--------------------------
Changes (by awick):
* status: closed => reopened
* resolution: not a bug =>
Comment:
Sorry, going to reopen again, because I think there is still an issue.
(As an aside, I'm finding this because I'm implementing this section of
the protocol, and I'm finding a discrepancy between how `KEY_SEED`,
`verify`, and `auth` are computed. According to the docs, they should all
be computed the same way. It is not a bug in my crypto library or in the
input; I've verified the inputs are identical between the implementations,
my HMAC_SHA256 is correct, and I verified that swapping inputs for two of
the three values makes the handshake work.)
Looking at them in more detail:
In the case of `verify` / `auth` / `h_tweak`, just as you say, the
eventual call to `crypto_hmac_sha256` turns into `crypto_hmac_sha256(out,
T->t_mac, s.auth_input)`.
However, In the case of KEY_SEED /
`crypto_expand_key_maerial_rfc5869_sha256()`, the eventual call to
`crypto_hmac_sha256` turns into `crypto_hmac_sha256(prk, s.secret_input,
T->t_key);
By the docs, these should be the same, as they are all defined as
H(something, tweak).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17556#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list