#22817: SAFECOOKIE description in control spec does not have verifiable test vectors --------------------------+------------------------------------ Reporter: amphetamine | Owner: Type: enhancement | Status: needs_revision Priority: Medium | Milestone: Tor: 0.3.2.x-final Component: Core Tor/Tor | Version: Severity: Normal | Resolution: Keywords: tor-spec | Actual Points: Parent ID: | Points: Reviewer: | Sponsor: --------------------------+------------------------------------
Comment (by amphetamine): Here's a Python session transcript: {{{ python Python 2.7.12 (default, Nov 19 2016, 06:48:10) [GCC 5.4.0 20160609] on linux2 Type "help", "copyright", "credits" or "license" for more information. >>> import stem.util.connection >>> import binascii >>> >>> expected_server_hash = "f97294895a4c9b3fe04c390f1b3bcda886e54501220726e075140ff636fe0d91" >>> expected_client_hash = "02b6f2e708dffb47efcddbfdc08d24d3f9f87bb416a057b4cf5e553e56125bbb" >>> client_nonce = "f0" >>> server_nonce = "65634AA3D089F94AD841DF2F35685CCD6666086CB674D5E9DE2D516BD2E7318B" >>> cookie = "7aab85f16613633d115be5ea6722b5e0527ae72100bfb0fd64fb5b15a8fcde4b" >>> CLIENT_HASH_CONSTANT = "Tor safe cookie authentication controller-to- server hash" >>> SERVER_HASH_CONSTANT = "Tor safe cookie authentication server-to- controller hash" >>> >>> server_hash = stem.util.connection._hmac_sha256(SERVER_HASH_CONSTANT, binascii.unhexlify(cookie + client_nonce + server_nonce)).encode('hex') >>> client_hash = stem.util.connection._hmac_sha256(CLIENT_HASH_CONSTANT, binascii.unhexlify(cookie + client_nonce + server_nonce)).encode('hex') >>> >>> expected_server_hash == server_hash True >>> expected_client_hash == client_hash True }}} There are also passing tests for a Rust implementation starting here: https://gitlab.com/amphetamine/puccinia/blob/master/src/authentication.rs#L218 I used those tests to generate the above vectors used in Stem, so that should at least corroborate the two together. -- Ticket URL: <https://trac.torproject.org/projects/tor/ticket/22817#comment:4> Tor Bug Tracker & Wiki <https://trac.torproject.org/> The Tor Project: anonymity online _______________________________________________ tor-bugs mailing list tor-bugs@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-bugs