Damon H. (TheDcoder) TheDcoder at disroot.org
Wed May 8 18:22:42 UTC 2019

Hello again,

I did my research and I was able to rewrite the code
<https://github.com/TheDcoder/torhash/tree/openssl> (branched as
openssl) using OpenSSL's libcrypto for hashing, but I was unsatisfied
due to a few reasons which I think are not worth mentioning (mainly how
libcrypto's API is designed and its dependencies).

After some more looking around for a good cryptography library, I found
LibTomCrypt which sounded just like what I was looking for... and I was
right! It is what I was looking for, it has minimal dependencies and is
cross-platform. The API is also much simpler and cleaner (IMHO) than
libcrypto. So I went ahead and rewrote the code
again to use LibTomCrypt and it worked a treat.

I have finished the proof of concept by implementing
a reasonably secure random salt with the help of LibTomCrypt's secure
prng interface which uses platform-native methods (and an ANSI C method
as a fallback) to generate random bytes.

I assume the code is production ready at the moment. Though I would be
happy to hear any input that you guys might have to offer :)

Damon H. (TheDcoder)

On 03/05/19 1:15 PM, Damon (TheDcoder) wrote:
> Hello everyone!
> I have written a very simple tool called torhash
> <https://github.com/TheDcoder/torhash> to generate hashed
> passwords/strings according to the instructions in the control spec to
> authenticate with the controller interface (TC?). I did not actually
> study the S2K algorithm since I found it hard to understand RFC 2440;
> I studied source code and bit by bit I figured out what was happening
> behind the scenes!
> The reason I did this is that I am working on another program called
> ProxAllium <https://proxallium.dtw.tools/> which acts as a graphical
> user interface for Tor. I am currently in the process of rewriting
> <https://github.com/DcodingTheWeb/ProxAllium/tree/next-gen> it in C to
> make it cross-platform (along with a few other reasons...). I hit a
> roadblock while I was implementing support for interacting with the
> controller interface: I had to make a choice between calling Tor to
> generate the hashed password or hashing the password in the program
> itself. I felt like hashing the password in the program itself was the
> right choice; I had a few other weak reasons not to call Tor for
> hashing the password, but my gut was the main motivator behind this choice.
> I created torhash (apologies about the bad name choice) as a
> proof-of-concept and to improve my general programming skills. I had
> no prior experience working with cryptography or hash functions on
> this level, so I went with the simplest library I could find for
> hashing the data. I could have gone with OpenSSL, as I believe that it
> is the de-facto cross-platform standard for cryptography and
> cryptographic hashing; I am currently looking into using it, but I am
> not yet sure if this is a good idea.
> I would be grateful if some of you can take out some time to have a
> look; I am very excited to hear your opinions and any advice that you
> may have to help me improve. The code itself is very simple and short
> (114 lines of code). Pardon any mistakes or bad code that I may have
> written; I have only begun programming relatively recently and my
> experience with low-level development (with C) is very recent.
> Thank you for reading and for the input in advance!
> Best Regards,
> Damon H. (TheDcoder)
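
As an added example (not torhash's code, nor Tor's), the scheme the thread is about: the control-port hashed password is RFC 2440 iterated-and-salted S2K over SHA-1 with an 8-octet random salt and Tor's fixed count byte 0x60 (65536 octets hashed), serialized as the `16:` string a torrc HashedControlPassword line takes. The password and fixed salt used below are constructed for illustration; the random salt comes from the OS CSPRNG, the role the post's prng interface plays.

```python
import hashlib
import hmac
import secrets
from typing import Optional

SALT_LEN = 8
S2K_INDICATOR = 0x60  # count byte Tor always emits: 16 << (6 + 6) = 65536 octets hashed


def s2k_count(indicator: int) -> int:
    """RFC 2440 3.6.1.3: decode the iterated-salted S2K count byte (EXPBIAS = 6)."""
    return (16 + (indicator & 15)) << ((indicator >> 4) + 6)


def s2k_sha1(secret: bytes, salt: bytes, indicator: int = S2K_INDICATOR) -> bytes:
    """Hash salt||secret repeatedly until exactly `count` octets have gone into SHA-1."""
    block = salt + secret
    count = s2k_count(indicator)
    h = hashlib.sha1()
    while count > 0:
        chunk = block if count >= len(block) else block[:count]  # last copy is truncated
        h.update(chunk)
        count -= len(chunk)
    return h.digest()


def hash_control_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return "16:" + HEX(salt || 0x60) + HEX(S2K digest), the HashedControlPassword value."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh random salt per hash
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 octets")
    specifier = salt + bytes([S2K_INDICATOR])
    digest = s2k_sha1(password.encode("utf-8"), salt)
    return "16:" + specifier.hex().upper() + digest.hex().upper()


def verify_control_password(password: str, hashed: str) -> bool:
    """Recompute from the salt and count byte stored in the string; compare in constant time."""
    if not hashed.startswith("16:") or len(hashed) != 3 + 2 * (SALT_LEN + 1) + 40:
        return False
    try:
        specifier = bytes.fromhex(hashed[3:3 + 2 * (SALT_LEN + 1)])
        expected = bytes.fromhex(hashed[3 + 2 * (SALT_LEN + 1):])
    except ValueError:
        return False
    actual = s2k_sha1(password.encode("utf-8"), specifier[:SALT_LEN], specifier[SALT_LEN])
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    line = hash_control_password("constructed example password")  # constructed input
    print("HashedControlPassword", line)
    print("verifies:", verify_control_password("constructed example password", line))
```

The verifier reads the count byte back from the string rather than assuming 0x60, so it also accepts hashes produced with another RFC 2440 count.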
