Re: [tor-bugs] #17556 [Tor]: Doc or implementation error in NTor handshake
#17556: Doc or implementation error in NTor handshake
--------------------+--------------------------
Reporter: awick | Owner:
Type: defect | Status: reopened
Priority: Medium | Milestone:
Component: Tor | Version:
Severity: Normal | Resolution:
Keywords: | Actual Points:
Parent ID: | Points:
Sponsor: |
--------------------+--------------------------
Changes (by awick):
* status: closed => reopened
* resolution: not a bug =>
Comment:
Sorry, going to reopen again, because I think there is still an issue.
(As an aside, I'm finding this because I'm implementing this section of
the protocol, and I'm finding a discrepancy between how `KEY_SEED`,
`verify`, and `auth` are computed. According to the docs, they should all
be computed the same way. It is not a bug in my crypto library or in the
input; I've verified the inputs are identical between the implementations,
my HMAC_SHA256 is correct, and I verified that swapping inputs for two of
the three values makes the handshake work.)
Looking at them in more detail:
In the case of `verify` / `auth` / `h_tweak`, just as you say, the
eventual call to `crypto_hmac_sha256` turns into `crypto_hmac_sha256(out,
T->t_mac, s.auth_input)`.
However, in the case of `KEY_SEED` /
`crypto_expand_key_material_rfc5869_sha256()`, the eventual call to
`crypto_hmac_sha256` turns into `crypto_hmac_sha256(prk, s.secret_input,
T->t_key);`
By the docs, these should be the same, as they are all defined as
H(something, tweak).
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17556#comment:2>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
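
Added example, not part of the ticket comment and not Tor's code: an interop self-check that computes each value with both HMAC-SHA256 argument orders and reports which one reproduces a peer's output, which is how a mismatch like the one described above can be isolated. The function names are hypothetical, the tweak strings are the ones tor-spec defines for ntor, the inputs are constructed, and the simulated peer simply follows the two call orders as the comment reports them.

```python
import hashlib
import hmac

# Tweak strings as tor-spec defines them for ntor (not quoted in the comment).
PROTOID = b"ntor-curve25519-sha256-1"
T_MAC = PROTOID + b":mac"
T_KEY = PROTOID + b":key_extract"
T_VERIFY = PROTOID + b":verify"

def h_tweak_keyed(x: bytes, t: bytes) -> bytes:
    """H(x, t) as HMAC-SHA256 keyed with the tweak t over message x."""
    return hmac.new(t, x, hashlib.sha256).digest()

def h_input_keyed(x: bytes, t: bytes) -> bytes:
    """The swapped order: keyed with x, tweak t as the message."""
    return hmac.new(x, t, hashlib.sha256).digest()

def classify(observed: bytes, x: bytes, t: bytes) -> str:
    """Name the argument order that reproduces a peer's value."""
    if hmac.compare_digest(observed, h_tweak_keyed(x, t)):
        return "tweak-as-key"
    if hmac.compare_digest(observed, h_input_keyed(x, t)):
        return "input-as-key"
    return "no-match"

# Constructed stand-ins, not real handshake material.
SECRET_INPUT = bytes(range(64)) + PROTOID
AUTH_INPUT = bytes(range(64, 128)) + PROTOID + b"Server"

def simulated_peer() -> dict:
    """Values computed with the orders the comment reports, as (value, x, t)."""
    return {
        "verify": (h_tweak_keyed(SECRET_INPUT, T_VERIFY), SECRET_INPUT, T_VERIFY),
        "auth": (h_tweak_keyed(AUTH_INPUT, T_MAC), AUTH_INPUT, T_MAC),
        "KEY_SEED": (h_input_keyed(SECRET_INPUT, T_KEY), SECRET_INPUT, T_KEY),
    }

def diagnose(peer: dict) -> dict:
    """Map each value name to the argument order that matches it."""
    return {name: classify(v, x, t) for name, (v, x, t) in peer.items()}

if __name__ == "__main__":
    for name, order in diagnose(simulated_peer()).items():
        print(f"{name:8s} {order}")
```
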