On Tue, Apr 30, 2013 at 9:39 AM, Frank Young pfcodes@gmail.com wrote:
The digest of relay cells are running digests [ SHA_final() is never called ], so the digest of each cell is dependent on the previously computed digest destined for that node particular node. Hashing is seeded with values determine by the OR which responded with CREATED or REALY EXTENDED cell. I have noticed that, the payload of RELAY_COMMAND_RENDEZVOUS unlike CREATED OR RELAY EXTENDED cells made no provisions for the seeding bytes. This can be referenced in section 1.10 of https://gitweb.torproject.org/torspec.git?a=blob_plain;hb=HEAD;f=rend-spec.t...
Looks like a bug in the spec. In reality, the algorithm for extracting the keys from g^xy and for using the relay crypto is the same as it is for keys produced through the regular "TAP" handshake. I've opened ticket https://trac.torproject.org/projects/tor/ticket/8809 to get the spec fixed.
thanks,