[tor-bugs] #22817 [Core Tor/Tor]: SAFECOOKIE description in control spec does not have verifiable test vectors

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Jul 5 02:39:44 UTC 2017


#22817: SAFECOOKIE description in control spec does not have verifiable test
vectors
--------------------------+------------------------------------
 Reporter:  amphetamine   |          Owner:
     Type:  enhancement   |         Status:  needs_revision
 Priority:  Medium        |      Milestone:  Tor: 0.3.2.x-final
Component:  Core Tor/Tor  |        Version:
 Severity:  Normal        |     Resolution:
 Keywords:  tor-spec      |  Actual Points:
Parent ID:                |         Points:
 Reviewer:                |        Sponsor:
--------------------------+------------------------------------

Comment (by amphetamine):

 Here's a Python session transcript:
 {{{
 python
 Python 2.7.12 (default, Nov 19 2016, 06:48:10)
 [GCC 5.4.0 20160609] on linux2
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import stem.util.connection
 >>> import binascii
 >>>
 >>> expected_server_hash = "f97294895a4c9b3fe04c390f1b3bcda886e54501220726e075140ff636fe0d91"
 >>> expected_client_hash = "02b6f2e708dffb47efcddbfdc08d24d3f9f87bb416a057b4cf5e553e56125bbb"
 >>> client_nonce = "f0"
 >>> server_nonce = "65634AA3D089F94AD841DF2F35685CCD6666086CB674D5E9DE2D516BD2E7318B"
 >>> cookie = "7aab85f16613633d115be5ea6722b5e0527ae72100bfb0fd64fb5b15a8fcde4b"
 >>> CLIENT_HASH_CONSTANT = "Tor safe cookie authentication controller-to-server hash"
 >>> SERVER_HASH_CONSTANT = "Tor safe cookie authentication server-to-controller hash"
 >>>
 >>> server_hash = stem.util.connection._hmac_sha256(SERVER_HASH_CONSTANT, binascii.unhexlify(cookie + client_nonce + server_nonce)).encode('hex')
 >>> client_hash = stem.util.connection._hmac_sha256(CLIENT_HASH_CONSTANT, binascii.unhexlify(cookie + client_nonce + server_nonce)).encode('hex')
 >>>
 >>> expected_server_hash == server_hash
 True
 >>> expected_client_hash == client_hash
 True
 }}}

 There are also passing tests for a Rust implementation starting here:
 https://gitlab.com/amphetamine/puccinia/blob/master/src/authentication.rs#L218

 I used those tests to generate the above vectors used in Stem, so that
 should at least corroborate the two together.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22817#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
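
An added example, not part of the ticket comment or of Stem: the same HMAC-SHA256 computation using only the Python 3 standard library, plus the constant-time check a controller makes on the server's hash before releasing its own. The function names are assumptions chosen for this example; the HMAC keys and hex values are the ones quoted in the comment above.

```python
import binascii
import hashlib
import hmac

# HMAC keys and hex values are copied from the ticket comment above.
SERVER_HASH_CONSTANT = b"Tor safe cookie authentication server-to-controller hash"
CLIENT_HASH_CONSTANT = b"Tor safe cookie authentication controller-to-server hash"
COOKIE = "7aab85f16613633d115be5ea6722b5e0527ae72100bfb0fd64fb5b15a8fcde4b"
CLIENT_NONCE = "f0"
SERVER_NONCE = "65634AA3D089F94AD841DF2F35685CCD6666086CB674D5E9DE2D516BD2E7318B"
EXPECTED_SERVER_HASH = "f97294895a4c9b3fe04c390f1b3bcda886e54501220726e075140ff636fe0d91"
EXPECTED_CLIENT_HASH = "02b6f2e708dffb47efcddbfdc08d24d3f9f87bb416a057b4cf5e553e56125bbb"


def safecookie_hashes(cookie_hex, client_nonce_hex, server_nonce_hex):
    """Return (server_hash, client_hash) as lowercase hex strings."""
    # Decode each field on its own so an odd-length field raises here
    # instead of silently shifting a nibble into the next field.
    msg = b"".join(
        binascii.unhexlify(h)
        for h in (cookie_hex, client_nonce_hex, server_nonce_hex)
    )
    server = hmac.new(SERVER_HASH_CONSTANT, msg, hashlib.sha256).hexdigest()
    client = hmac.new(CLIENT_HASH_CONSTANT, msg, hashlib.sha256).hexdigest()
    return server, client


def client_response(cookie_hex, client_nonce_hex, server_nonce_hex, claimed_server_hash_hex):
    """Controller side: return the client hash only if the server hash verifies."""
    server, client = safecookie_hashes(cookie_hex, client_nonce_hex, server_nonce_hex)
    # Constant-time comparison; hex case is normalised first.
    if not hmac.compare_digest(server, claimed_server_hash_hex.lower()):
        raise ValueError("server hash mismatch: peer does not know the cookie")
    return client


def check_ticket_vectors():
    """Compare recomputed hashes with the expected values from the comment."""
    server, client = safecookie_hashes(COOKIE, CLIENT_NONCE, SERVER_NONCE)
    return server == EXPECTED_SERVER_HASH, client == EXPECTED_CLIENT_HASH


if __name__ == "__main__":
    print("server/client vectors match:", check_ticket_vectors())
```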

