Hello again,

I did my research and I was able to rewrite the code <https://github.com/TheDcoder/torhash/tree/openssl> (branched as openssl) using OpenSSL's libcrypto for hashing, but I was unsatisfied due to a few reasons which I think are not worth mentioning (mainly how libcrypto's API is designed and its dependencies).

After some more looking around for a good cryptography library, I found LibTomCrypt which sounded just like what I was looking for... and I was right! It is what I was looking for, it has minimal dependencies and is cross-platform. The API is also much simpler and cleaner (IMHO) than libcrypto. So I went ahead and rewrote the code <https://github.com/TheDcoder/torhash/commit/d0bef22e4ac48b3e220ffbdd463ccae4b976d86d> again to use LibTomCrypt and it worked a treat.

I have finished the proof of concept by implementing <https://github.com/TheDcoder/torhash/commit/39f24db29a46105eb022cfe626680c803069b223> a reasonably secure random salt with the help of LibTomCrypt's secure prng interface which uses platform-native methods (and an ANSI C method as a fallback) to generate random bytes.

I assume the code is production ready at the moment. Though I would be happy to hear any input that you guys might have to offer :)

Regards,
Damon H. (TheDcoder)

On 03/05/19 1:15 PM, Damon (TheDcoder) wrote:
>
> Hello everyone!
>
> I have written a very simple tool called torhash
> <https://github.com/TheDcoder/torhash> to generate hashed
> passwords/strings according to the instructions in control spec to
> authenticate with the controller interface (TC?). I did not actually
> study the S2K algorithm since I found it hard to understand RFC 2440,
> I studied source code and bit by bit I figured out what was happening
> behind the scenes!
>
> The reason I did this is that I am working on another program called
> ProxAllium <https://proxallium.dtw.tools/> which acts as a graphical
> user interface for Tor, I am currently in the process of rewriting
> <https://github.com/DcodingTheWeb/ProxAllium/tree/next-gen> it in C to
> make it cross-platform (along with a few other reasons...). I hit a
> roadblock while I was implementing support for interacting with the
> controller interface, I had to make a choice between calling Tor to
> generate the hashed password or to hash the password in the program
> itself. I felt like hashing the password in the program itself was the
> right choice, I had a few other weak reasons to not call Tor for
> hashing the password but my gut was the main motivator behind this choice.
>
> I created torhash (apologies about the bad name choice) as a
> proof-of-concept and to improve my general programming skills, I had
> no prior experience working with cryptography or hash functions on
> this level, so I went with the simplest library I could find for
> hashing the data. I could have gone with OpenSSL, as I believe that it
> is the de-facto cross-platform standard for cryptography and
> cryptographic hashing, I am currently looking into using it, but I am
> not yet sure if this is a good idea.
>
> I would be grateful if some of you can take out some time to have a
> look, I am very excited to hear your opinions and any advice that you
> may have to help me improve, the code itself is very simple and short
> (114 lines of code). Pardon any mistakes or bad code that I may have
> written, I have only begun programming relatively recently and my
> experience with low-level development (with C) is very recent.
>
> Thank you for reading and for the input in advance!
>
>
> Best Regards,
>
> Damon H. (TheDcoder)
>
_______________________________________________
tor-dev mailing list
tor-dev@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev
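
The scheme discussed in this thread (a random salt fed into the RFC 2440 iterated and salted S2K to produce a hashed control password) is shown below as an added example in Python; it is not code from torhash or from the message's author. The function names and the parameters (8-byte salt, count byte 0x60, SHA-1, `16:` prefix, uppercase hex) are assumptions not stated in the message, taken from the RFC 2440 S2K as Tor uses it for hashed control passwords.

```python
import hashlib
import hmac
import os

# Assumed parameters (not stated in the message): 8-byte salt, coded count
# byte 0x60, SHA-1 digest, and a "16:" prefix on the uppercase hex output.
SALT_LEN = 8
INDICATOR = 0x60
EXPBIAS = 6  # exponent bias of RFC 2440's one-byte coded count


def s2k_count(indicator):
    """Decode the coded count byte into the number of bytes to hash."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + EXPBIAS)


def s2k_digest(password, salt, indicator):
    """Hash salt||password repeated until exactly s2k_count() bytes are fed."""
    block = salt + password
    full, rest = divmod(s2k_count(indicator), len(block))
    h = hashlib.sha1()
    h.update(block * full)
    h.update(block[:rest])  # final repetition is truncated to hit the count
    return h.digest()


def hash_control_password(password, salt=None):
    """Return '16:' + HEX(salt || count byte || digest)."""
    salt = os.urandom(SALT_LEN) if salt is None else salt  # OS CSPRNG
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    digest = s2k_digest(password.encode(), salt, INDICATOR)
    return "16:" + (salt + bytes([INDICATOR]) + digest).hex().upper()


def verify_control_password(password, hashed):
    """Recompute the digest from the stored salt and compare in constant time."""
    prefix, _, hexpart = hashed.partition(":")
    try:
        raw = bytes.fromhex(hexpart)
    except ValueError:
        return False
    if prefix != "16" or len(raw) != SALT_LEN + 1 + 20:
        return False
    salt, indicator, expected = raw[:SALT_LEN], raw[SALT_LEN], raw[SALT_LEN + 1:]
    actual = s2k_digest(password.encode(), salt, indicator)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    print(hash_control_password("constructed-sample-password"))
```

Because the salt is random, two runs over the same password give different strings; verification works by reading the salt and count byte back out of the stored value.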