Matt Rossiter | 17 Mar 2006 21:21

razor-whitelist never works

Hi All,

I have a mail server running FreeBSD 6.0 with SpamAssassin 3.1.0, MIMEDefang 2.54, razor-agents-2.77.

I did ‘razor-admin -d -create -home=/etc/razor’
‘razor-admin -register -home=/etc/razor’

Created razor-whitelist in the /etc/razor directory and made sure razor-agent.conf was correct.

-----------------------
#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.77
# Fri Mar 17 11:22:09 2006
# Created with all default values
#
# see razor-agent.conf(5) man page
#

debuglevel             = 3
identity               = identity
ignorelist             = 0
listfile_catalogue     = servers.catalogue.lst
listfile_discovery     = servers.discovery.lst
listfile_nomination    = servers.nomination.lst
logfile                = razor-agent.log
logic_method           = 4
min_cf                 = ac
razordiscovery         = discovery.spamnet.com
rediscovery_wait       = 172800
report_headers         = 1
turn_off_discovery     = 0
use_engines            = 4,8
whitelist              = /etc/razor/razor-whitelist
--------------------------

My razor-whitelist has a few small entries.  But they are still getting caught.  Everything else works great.

‘From someone <at> some-domain.com

Does anyone have some suggestions for me to try?

Thanks

Matt

Sampei02 | 10 Mar 2006 00:42

can RAZOR use server proxy ?

I installed Razor-agents on my mail server (Fedora Core 4), which is in my internal network; I'm using a Squid proxy server to go to the Internet, in fact it's the only server on the public network.
How can I specify to the Razor components to use my proxy server (with a specified port) to discover Razor servers?
Now Razor tries to connect directly to 66.151.150.12 (port 2703)... but the only channel to go out is by using the proxy server!?
 
Matt Kettler | 25 Mar 2006 18:18

Re: can RAZOR use server proxy ?

Sampei02 wrote:
> I installed Razor-agents into my mail server (Fedora Core 4) which is in
> my internal network; I'm using Squid proxy server to go to internet
> in fact it's the only server on public network
> How can I specify to Razor components to use my proxy server (with
> specified port) to discover Razor servers ?

You can't. Squid is a HTTP/FTP proxy, but razor doesn't use either of those
protocols to communicate with the razor servers.

Squid can proxy HTTP requests, FTP requests, Gopher requests. However it cannot
proxy arbitrary Internet traffic such as IRC, SSH, Telnet, SMTP, etc. That's
what a Socks5 proxy is for.

Squid is essentially intended to be a file-transfer caching system. It does so
by acting as a proxy for protocols that transfer files. Socks5 on the other
hand, isn't a cache, it's just a proxy, and it can proxy any TCP/IP request the
client may have.

However, these days, very few people use socks5 proxies. They use stateful
firewalls with overloaded-NAT (aka PAT) instead. It works in a similar fashion,
but is transparent to the client.

> Now Razor tries directly to connect  to 66.151.150.12 (2703 port)....
> but the only channel to go out is by using proxy server !?

If you have a real proxy, such as a SOCKS5 proxy, you might be able to get razor
to use that. However, right now there don't seem to be any options to do so.

You might be able to use a tool like "socksify" from the Dante proxy package to
launch your razor tools inside a socks-capable wrapper.

You might also be able to just re-compile Razor2 with the appropriate socks
library linked in (ie: -lsocks).

-------------------------------------------------------
This SF.Net email is sponsored by xPML, a groundbreaking scripting language
that extends applications into web and mobile media. Attend the live webcast
and join the prime developer group breaking into this new coding territory!
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=110944&bid=241720&dat=121642
Sampei02 | 10 Mar 2006 16:19

Re: can RAZOR use server proxy ?

On my "proxy server" is only installed Squid to cache http traffic and no proxy protocols.
I didn't understand this:
Can I use the "socksify" tool to redirect Razor requests to go out to the public network if I have no socks5 application in my squid "proxy" ?
Must I install a socks server into my squid ?

If I used plug-gw (FWTK) can I redirect Razor requests on port 2703 to port 2703 of another machine which is on the external network ?
REQUEST : client, port 2703 -> "proxy" , port 2703
 
_______________________________________________
Razor-users mailing list
Razor-users <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/razor-users
Jörg Zieren | 26 Mar 2006 19:24

Authentication in Core.pm

Hi,

this is a somewhat technical question as to how Razor handles passwords 
specified on the command line, e.g. "-pass=secret". In authenticate (in 
Core.pm) it says:

     my ($iv1, $iv2) = xor_key($options->{pass});
     my ($my_digest) = hmac_sha1($resp{achal}, $iv1, $iv2);

     %qr = ( a => 'auth', aresp => $my_digest );
     $queries[0] = makesis(%qr);

I'm trying to do this in Java, but since I'm not a Perl programmer I don't 
quite understand the above code. I did find out that passwords sent to 
(and generated by) Razor are 64 chars long, which I assume is some 
encoding of a possibly shorter string, e.g. "secret". Is $options->{pass} 
this shorter string, or is it already encoded? I think it's the shorter 
string, because the encoding seems to happen by xor_key and hmac_sha1. But 
how, exactly (in natural language)? What is $resp{achal}?

Thanx for any help!

-Jörg

(Just to avoid a misunderstanding: I'm not implementing "JRazor" from 
scratch, but using code from the Spamato project, www.spamato.net, which 
however seems to lack this specific functionality.)

-- 
Jörg Zieren           http://www.zieren.de            +49 170 7516134
For a list of common abbreviations, see http://www.zieren.de/abk.html
Please do not communicate my address to *any* website/service/company!

Matt Kettler | 26 Mar 2006 19:43

Re: Authentication in Core.pm

Jörg Zieren wrote:
> Hi,
> 
> this is a somewhat technical question as to how Razor handles passwords
> specified on the command line, e.g. "-pass=secret". In authenticate (in
> Core.pm) it says:
> 
>     my ($iv1, $iv2) = xor_key($options->{pass});
>     my ($my_digest) = hmac_sha1($resp{achal}, $iv1, $iv2);
> 
>     %qr = ( a => 'auth', aresp => $my_digest );
>     $queries[0] = makesis(%qr);
> 
> I'm trying to do this in Java, but since I'm not a Perl programmer I
> don't quite understand the above code. I did find out that passwords
> sent to (and generated by) Razor are 64 chars long, which I assume is
> some encoding of a possibly shorter string, e.g. "secret". 

Erm, the string sent to the server, based on the above, is the output of
hmac-sha1. Hmac-sha1 is a VERY standard cryptographic message authentication
code (MAC). It's so standard it's RFC-speced.

HMAC is specified by this RFC:
 http://www.faqs.org/rfcs/rfc2104.html

As is SHA1
http://www.faqs.org/rfcs/rfc3174.html

hmac-sha1 will always generate a 160-bit MAC, no matter what the inputs are.

> Is $options->{pass} this shorter string, or is it already encoded? I think
> it's the shorter string, because the encoding seems to happen by xor_key
> and hmac_sha1. But how, exactly (in natural language)? What is
> $resp{achal}?
> 

That would appear to be a challenge string issued by the server. It's probably
contained in a response from some earlier part of the conversation with the server.

What they appear to be doing is using your password as a key to hmac-sha1, and
generating the MAC for the challenge string sent by the server.

This is more-or-less a SHA1 version of CRAM-MD5

http://en.wikipedia.org/wiki/CRAM-MD5

Matt Kettler | 26 Mar 2006 19:51

Re: can RAZOR use server proxy ?

Sampei02 wrote:
> On my "proxy server" is only installed Squid to cache http traffic and
> no proxy protocols.
> I didn't understand this:
> Can I use the "socksify" tool to redirect Razor requests to go out to
> public network if I have no socks5 application in my squid "proxy" ?

Since my previous message wasn't clear:

You cannot use squid to act as a proxy for razor.

Squid is not a general purpose proxy, it is a http proxy.
Razor is not a http client, therefore it cannot use squid.

> must I install socks server into my squid ?

No, you could use a more standard method of allowing a NAT translation at your
firewall, and not proxy at all.

Jörg Zieren | 26 Mar 2006 22:55

Re: Authentication in Core.pm

Jörg Zieren wrote:
> I'm trying to do this in Java, but since I'm not a Perl programmer I 
> don't quite understand the above code. I did find out that passwords 
> sent to (and generated by) Razor are 64 chars long, which I assume is 
> some encoding of a possibly shorter string, e.g. "secret". Is 
> $options->{pass} this shorter string, or is it already encoded? I think 
> it's the shorter string, because the encoding seems to happen by xor_key 
> and hmac_sha1. But how, exactly (in natural language)? What is 
> $resp{achal}?

Maybe I wasn't quite clear here. My question was this: I specify a 
password of, say, 10 chars. This, however, is "processed" to yield a 
"longer" string (and I guess this is where I wasn't too specific from a 
cryptographic point of view :-). As I found out by now, that's done by 
xor_key, which returns two strings of 64 chars length. After that we have 
strings of a fixed length of 64 chars, which are then processed together 
with the challenge.

The Spamato equivalent of xor_key works a little differently, and that's 
what confused me. But I think I'm enlightened now ;-)

-Jörg

-- 
Jörg Zieren           http://www.zieren.de            +49 170 7516134
For a list of common abbreviations, see http://www.zieren.de/abk.html
Please do not communicate my address to *any* website/service/company!

Matt Kettler | 26 Mar 2006 23:12

Re: Authentication in Core.pm

Jörg Zieren wrote:
> Jörg Zieren wrote:
>> I'm trying to do this in Java, but since I'm not a Perl programmer I
>> don't quite understand the above code. I did find out that passwords
>> sent to (and generated by) Razor are 64 chars long, which I assume is
>> some encoding of a possibly shorter string, e.g. "secret". Is
>> $options->{pass} this shorter string, or is it already encoded? I
>> think it's the shorter string, because the encoding seems to happen by
>> xor_key and hmac_sha1. But how, exactly (in natural language)? What is
>> $resp{achal}?
> 
> Maybe I wasn't quite clear here. My question was this: I specify a
> password of, say, 10 chars. This, however, is "processed" to yield a
> "longer" string (and I guess this is where I wasn't too specific from a
> cryptographic point of view :-). 

Yes.. It is processed to be longer.. In fact, it is always processed into a
160-bit HMAC-SHA1 result. That 160 bit result is always 20 characters long, no
matter how big or small the password. However, on the wire, it might be larger
still if they base64 or ascii-hex encode it.

> As I found out by now, that's done by
> xor_key, which returns two strings of 64 chars length. 

Yes, those are the ipad and opad in the HMAC documentation.

> After that we have strings of a fixed length of 64 chars, which are then
> processed together with the challenge.

Yes, which is HMAC-SHA1.

Please, read my previous message on this subject. It's got all the materials you
need.
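
The construction discussed in this thread, as an added Python example that is not part of any post and is not Razor's or Spamato's code: a password is expanded into the two 64-byte ipad/opad keys of RFC 2104, and the server's challenge is MACed with them. Assumptions: plain RFC 2104 key padding (how Razor's own xor_key encodes the password is not shown on this page), a constructed challenge value, hex encoding of the response, and the helper names client_response and server_verify.

```python
import hashlib
import hmac

BLOCK = 64  # SHA-1 block size in bytes; length of each padded key


def xor_key(password: bytes):
    """Expand a password into the 64-byte ipad and opad keys of RFC 2104.

    Assumption: plain RFC 2104 padding; Razor's own xor_key may encode
    the password differently before XORing.
    """
    # A key longer than one block is hashed first, then zero-padded.
    key = hashlib.sha1(password).digest() if len(password) > BLOCK else password
    key = key.ljust(BLOCK, b"\x00")
    return bytes(b ^ 0x36 for b in key), bytes(b ^ 0x5C for b in key)


def hmac_sha1(challenge: bytes, ipad: bytes, opad: bytes) -> bytes:
    """SHA1(opad || SHA1(ipad || challenge)): 20 bytes for any input."""
    inner = hashlib.sha1(ipad + challenge).digest()
    return hashlib.sha1(opad + inner).digest()


def client_response(password: bytes, challenge: bytes) -> str:
    """What the client sends back: the MAC of the challenge, hex-encoded."""
    ipad, opad = xor_key(password)
    return hmac_sha1(challenge, ipad, opad).hex()


def server_verify(password: bytes, challenge: bytes, response_hex: str) -> bool:
    """Recompute the MAC with the stored secret and compare in constant time."""
    try:
        received = bytes.fromhex(response_hex)
    except ValueError:  # not valid hex: reject instead of raising
        return False
    expected = hmac.new(password, challenge, hashlib.sha1).digest()
    return hmac.compare_digest(expected, received)


if __name__ == "__main__":
    challenge = b"constructed-challenge-0001"  # constructed sample, not from Razor
    resp = client_response(b"secret", challenge)
    print(len(xor_key(b"secret")[0]), "byte keys,", len(resp), "hex chars:", resp)
    print("accepted:", server_verify(b"secret", challenge, resp))
    print("wrong password:", server_verify(b"guess", challenge, resp))
```

The password itself never crosses the wire, only a MAC bound to one challenge, so the server has to issue a fresh, unpredictable challenge per session for a captured response to be useless on replay.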

Vipul Ved Prakash | 27 Mar 2006 22:26

RE: can RAZOR use server proxy ?

razor agents support SOCKS, so you should be able to use a SOCKS server to proxy. 
 
cheers,
vipul

