See branch safecookie of https://gitweb.torproject.org/rransom/torspec.git for a revised ‘safe cookie authentication’ protocol
The spec still doesn't look reader friendly but guess we won't be expecting too many clients to implement this. One other note is that keywords like 'must' should be capitalized similar to other parts of the spec.
This needs testing and a backport, and a few Trac tickets.
We could save some work by writing a handler for this in stem. Currently when you run...
git clone git://git.torproject.org/stem.git ./stem/run_tests.py --integ --target RUN_ALL --tor /path/to/your/tor
You'll exercise all of the connection and authentication use cases within around a minute, including... * no control port or socket * control port * control socket * no auth * password auth * cookie auth * multiple auth methods
This will confirm that you aren't inadvertently breaking something else. Then if we add the safe cookie handshake and integ test it'll be easier for you to test this change as it's developed (test runs with a single target take around eight seconds). I'd be happy to help if you can get just about any python snippet correctly authenticating to your feature.
Cheers! -Damian