3

I'm trying to write a little Python GUI to make interaction with Tor control easier on Windows, to make using hidden services easier. I'd like to be able to use a password to authenticate, but tor.exe --hash-password mypassword didn't print out anything, and I'd like to be able to hash the password in Python anyway.

I looked in main.c and found the function do_hash_password but I don't know which included file to look at to see how all the other functions are used.

3uc1id

6 Answers

3

https://gitweb.torproject.org/torspec.git/tree/control-spec.txt#n3007

If the 'HashedControlPassword' option is set, it must contain the salted
hash of a secret password.  The salted hash is computed according to the
S2K algorithm in RFC 2440 (OpenPGP), and prefixed with the s2k specifier.
This is then encoded in hexadecimal, prefixed by the indicator sequence
"16:".

the code https://gitweb.torproject.org/tor.git/tree/src/common/crypto_s2k.c?id=7a489a638911012069981702065b952a5809d249#n172

user13569
3

Here's a quick text explanation on how the password hash generator in Tor works:

  1. Obtain 8 random bytes from the system as Salt
  2. Append the bytes of the user specified password to the salt
  3. Repeat this sequence until the length is 65536 (0x10000) bytes. If repeating the sequence doesn't exactly end up at this number, cut off any excess bytes.
  4. Hash the sequence using SHA1
  5. Your hashed control password will be "16:" + Hex(Salt) + "60" + Hex(Sha1) where + is string concatenation and Hex() is "convert bytes to uppercase hexadecimal"

Testing

To test your implementation, use the password "TestPassword12345678" and the Salt 0x72,0x84,0x07,0x51,0xE1,0xEC,0xE7,0x7D

The resulting hash should be 16:72840751E1ECE77D603D8463393DA85D67E7A9746DA4B3533DC7A37178

Notes

This takes a big shortcut. Namely, the repetition count from step 3 is in reality dynamic.

The formula in use by Tor is count = (16 + (c & 15)) << ((c >> 4) + EXPBIAS);

EXPBIAS is defined as 6 and c is defined as 0x60 (this is the number we insert between the salt and hash in step 5).

Because these numbers are currently constant, the result of the formula is always the same. However, if you make a function that checks the user password against the hash, you don't want to use a constant 0x60 but use the value that is actually in use in the password hash.

AyrA
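
The steps and the count formula from the answer above, written out in Python as an added example (not part of the original answers, and not Tor's or Stem's own code). The function names and the UTF-8 encoding of the password are assumptions; `check_password` reads the count byte from the stored hash instead of assuming 0x60, as the Notes recommend.

```python
import binascii
import hashlib
import hmac
import os

EXPBIAS = 6          # constant from the formula quoted in the answer
DEFAULT_C = 0x60     # count byte the answer says is currently used


def s2k_count(c):
    """Decode the one-byte coded count into the number of bytes to hash."""
    return (16 + (c & 15)) << ((c >> 4) + EXPBIAS)


def s2k_digest(password, salt, c):
    """SHA-1 over (salt + password), repeated and cut to s2k_count(c) bytes."""
    block = salt + password.encode("utf-8")  # assumption: UTF-8 password bytes
    h = hashlib.sha1()
    full, rest = divmod(s2k_count(c), len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rest])                   # drop the excess bytes (step 3)
    return h.digest()


def hash_password(password, salt=None, c=DEFAULT_C):
    """Return "16:" + Hex(salt) + Hex(c) + Hex(sha1), uppercase."""
    salt = os.urandom(8) if salt is None else salt
    if len(salt) != 8:
        raise ValueError("salt must be 8 bytes")
    body = salt + bytes([c]) + s2k_digest(password, salt, c)
    return "16:" + binascii.hexlify(body).decode("ascii").upper()


def check_password(password, hashed):
    """Verify a password using the salt and count byte stored in the hash."""
    prefix, _, hexpart = hashed.partition(":")
    try:
        raw = binascii.unhexlify(hexpart)
    except (binascii.Error, ValueError):
        return False
    if prefix != "16" or len(raw) != 8 + 1 + 20:
        return False
    salt, c, digest = raw[:8], raw[8], raw[9:]
    # Constant-time comparison so the check does not leak matching prefixes.
    return hmac.compare_digest(s2k_digest(password, salt, c), digest)
```

Calling `hash_password` with the password and salt from the Testing section lets you compare the output against the hash given there.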
2

If you're using Windows PowerShell then try this

tor --hash-password YourPasswordhere | out-file -filepath \path\to\somewhere\filename.txt

Victor
1

Seems like on the day you asked this question, the tor --hash-password command had a bug, and now it's fixed. You can use it to hash your password.

For the Windows users, you can use the following command to hash your password:

.\tor.exe --hash-password "mypassword" | echo 

The | echo is for printing the output of the command.

0

Just a simple Windows command line to generate the HashedControlPassword:

C:/path_to_tor/tor.exe --hash-password mypassword > tor-password.txt

or

cd C:/path_to_tor
tor.exe --hash-password mypassword > tor-password.txt

0

First off, if --hash-password doesn't work please file a bug on the bug tracker.

You can check out Stem's integration tests to see how to calculate a password hash using Python.

Sebastian