[tor-commits] [stem/master] Move private hmac helpers into stem.connection

atagar at torproject.org atagar at torproject.org
Sun May 26 19:15:41 UTC 2019 

commit d529c3e2a089fc397959b0bee7c012c31f878aa1
Author: Damian Johnson <atagar at torproject.org>
Date:   Sun May 26 11:44:53 2019 -0700

    Move private hmac helpers into stem.connection
    
    In taking a peek at one of our new stylistic warnings [1] I realized that
    stem.connection is using private methods of stem.util.connection that aren't
    used anywhere else. Clearly they belong with their sole user.
    
    [1] /home/atagar/Desktop/stem/stem/util/connection.py
        line 766  - W504 line break after binary operator    | _hmac_sha256(CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE, x) ==
---
 stem/connection.py      | 26 +++++++++++++++++++++++---
 stem/util/connection.py | 32 --------------------------------
 2 files changed, 23 insertions(+), 35 deletions(-)

diff --git a/stem/connection.py b/stem/connection.py
index 8a64c887..90997fb9 100644
--- a/stem/connection.py
+++ b/stem/connection.py
@@ -129,6 +129,8 @@ fine-grained control over the authentication process. For instance...
 
 import binascii
 import getpass
+import hashlib
+import hmac
 import os
 
 import stem.control
@@ -147,6 +149,8 @@ AuthMethod = stem.util.enum.Enum('NONE', 'PASSWORD', 'COOKIE', 'SAFECOOKIE', 'UN
 CLIENT_HASH_CONSTANT = b'Tor safe cookie authentication controller-to-server hash'
 SERVER_HASH_CONSTANT = b'Tor safe cookie authentication server-to-controller hash'
 
+CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE = os.urandom(32)
+
 MISSING_PASSWORD_BUG_MSG = """
 BUG: You provided a password but despite this stem reported that it was
 missing. This shouldn't happen - please let us know about it!
@@ -941,15 +945,18 @@ def authenticate_safecookie(controller, cookie_path, suppress_ctl_errors = True)
     else:
       raise AuthChallengeFailed('Unable to parse AUTHCHALLENGE response: %s' % exc, cookie_path)
 
-  expected_server_hash = stem.util.connection._hmac_sha256(
+  expected_server_hash = _hmac_sha256(
     SERVER_HASH_CONSTANT,
     cookie_data + client_nonce + authchallenge_response.server_nonce)
 
-  if not stem.util.connection._cryptovariables_equal(authchallenge_response.server_hash, expected_server_hash):
+  authchallenge_hmac = _hmac_sha256(CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE, authchallenge_response.server_hash)
+  expected_hmac = _hmac_sha256(CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE, expected_server_hash)
+
+  if authchallenge_hmac != expected_hmac:
     raise AuthSecurityFailure('Tor provided the wrong server nonce', cookie_path)
 
   try:
-    client_hash = stem.util.connection._hmac_sha256(
+    client_hash = _hmac_sha256(
       CLIENT_HASH_CONSTANT,
       cookie_data + client_nonce + authchallenge_response.server_nonce)
 
@@ -1100,6 +1107,19 @@ def _read_cookie(cookie_path, is_safecookie):
     raise UnreadableCookieFile(exc_msg, cookie_path, is_safecookie)
 
 
+def _hmac_sha256(key, msg):
+  """
+  Generates a sha256 digest using the given key and message.
+
+  :param str key: starting key for the hash
+  :param str msg: message to be hashed
+
+  :returns: sha256 digest of msg as bytes, hashed using the given key
+  """
+
+  return hmac.new(key, msg, hashlib.sha256).digest()
+
+
 class AuthenticationFailure(Exception):
   """
   Base error for authentication failures.
diff --git a/stem/util/connection.py b/stem/util/connection.py
index 2ddecd74..c23d74e7 100644
--- a/stem/util/connection.py
+++ b/stem/util/connection.py
@@ -55,8 +55,6 @@ Connection and networking based utility functions.
 """
 
 import collections
-import hashlib
-import hmac
 import os
 import platform
 import re
@@ -89,8 +87,6 @@ Resolver = enum.Enum(
 FULL_IPv4_MASK = '255.255.255.255'
 FULL_IPv6_MASK = 'FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF'
 
-CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE = os.urandom(32)
-
 PORT_USES = None  # port number => description
 
 RESOLVER_COMMAND = {
@@ -739,34 +735,6 @@ def _address_to_binary(address):
     raise ValueError("'%s' is neither an IPv4 or IPv6 address" % address)
 
 
-def _hmac_sha256(key, msg):
-  """
-  Generates a sha256 digest using the given key and message.
-
-  :param str key: starting key for the hash
-  :param str msg: message to be hashed
-
-  :returns: sha256 digest of msg as bytes, hashed using the given key
-  """
-
-  return hmac.new(key, msg, hashlib.sha256).digest()
-
-
-def _cryptovariables_equal(x, y):
-  """
-  Compares two strings for equality securely.
-
-  :param str x: string to be compared.
-  :param str y: the other string to be compared.
-
-  :returns: **True** if both strings are equal, **False** otherwise.
-  """
-
-  return (
-    _hmac_sha256(CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE, x) ==
-    _hmac_sha256(CRYPTOVARIABLE_EQUALITY_COMPARISON_NONCE, y))
-
-
 # TODO: drop with stem 2.x
 # We renamed our methods to drop a redundant 'get_*' prefix, so alias the old
 # names for backward compatability.

More information about the tor-commits mailing list