fix description of MAC calculation (#1590)

changelogs/client_server/newsfragments/1590.clarification

@@ -0,0 +1 @@
+Fix description of MAC calculation in SAS verification.

content/client-server-api/modules/end_to_end_encryption.md

@@ -776,7 +776,7 @@ The method used to calculate these MACs depends upon the value of the
 message. All current implementations should use the `hkdf-hmac-sha256.v2` method which is
 defined as follows:
 
-The MAC used is HMAC as defined in [RFC
+1. An HMAC key is generated using HKDF, as defined in [RFC
    5869](https://tools.ietf.org/html/rfc5869), using SHA-256 as the hash
    function. The shared secret is supplied as the input keying material. No salt
    is used, and in the info parameter is the concatenation of:
@@ -790,6 +790,10 @@ is used, and in the info parameter is the concatenation of:
    -   The Key ID of the key being MAC-ed, or the string `KEY_IDS` if the
        item being MAC-ed is the list of key IDs.
 
+2. A MAC is then generated using HMAC as defined in [RFC
+   2104](https://tools.ietf.org/html/rfc2104) with the key generated above and
+   using SHA-256 as the hash function.
+
    If a key is being MACed, the MAC is performed on the public key as encoded
    according to the [key algorithm](#key-algorithms).  For example, for `ed25519`
    keys, it is the unpadded base64-encoded key.
@@ -801,7 +805,7 @@ form `{algorithm}:{keyId}`. For example, the key list could look like:
    reconstruct the list from the names in the `mac` property of the
    `m.key.verification.mac` message and ensure that no keys were added or removed.
 
-The MAC values are base64-encoded and sent in a
+3. The MAC values are base64-encoded and sent in a
    [`m.key.verification.mac`](#mkeyverificationmac) message.
 
 {{% boxes/note %}}