Article delegate-en/3965 of [1-5169] on the server localhost:119
[Reference:<_A3962@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: parameter encryption with -Fenc (Re: Delegate - encrypted .cdh config on win xp)
05 May 2008 12:16:49 GMT "Killian, Jan" <ppahqbdyi-5bnwhwbfselr.ml@ml.delegate.org>


Hi Yutaka,

Thanks for your kind and detailed explanation of the credhy/enc/imp
concepts.

I tried the first 2 methods with 9.8.1 and 9.7.7-fix1, but they do not
work for me on XP SP2.

0. Unencrypted:

    * edited dg.cnf to contain:
        MYAUTH=**USERDOMAIN**\\**USERNAME**:**PASSWORD**:http-proxy

    * executed:
        "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.cnf

    => everything worked OK


1. Credhy:

    * generated random config password:
        1a1dd8f59d8d585ca91bffd8f9db50b7

    * encrypted config file:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy
1a1dd8f59d8d585ca91bffd8f9db50b7  <  dg.cnf  >  dg.cdh
        KEY =
62201621622B273AB65F44C8597779D45461D4267A8E119BA7576FA82102728ACDFC
        CRC32 = 0xB1004B5D 2969586525

    * stored config password in dgauth:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fauth -a
config:1a1dd8f59d8d585ca91bffd8f9db50b7 -dgauth@admin
        **** Specify the key of encryption for 'dgauth'
        **** CRYPT=pass:temppwd
        +OK added the auth.
        PATH:
d:\tmp\.dg/adm/authorizer/-dgauth@admin/e42d0b5c151e782b46c5374afb07528f
        AUTH: dgauth://config@-dgauth@admin:8787
        PASS: a900f83595ab4c61e25be86188fe355f
0B0A6EC74A42BFF7FDAD3304C5BD0DFF205F6D8F61425A1DF90D109ADE77958867768790
44D11B862EEB61FA7E5749EXPIRE: 1B

    * started delegate:
        * "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.cdh
        **** Specify the key of encryption for 'dgauth'
        **** CRYPT=pass:temppwd
        "d:\tmp\.dg/act/pid/**PORT**": kill(2572,SIGTERM) = -1 (0) **
ERROR **
        Config: WindowsNT; FileSize-Bits=64/64,32/32,32;
sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread;
stty=none; fmem=953/0/2047M; MSC=1400
        DeleGate/9.7.7-fix1 (November 14, 2007)

    => browser connection to proxy timed out:

        05/05 13:55:47.36 [2104] 0+0: ... gethostname(**HOSTNAME**)
        05/05 13:55:47.36 [2104] 0+0: configuring default RESOLV ...
        05/05 13:55:47.36 [2104] 0+0: ... gethostname()='**HOSTNAME**'
        05/05 13:55:47.36 [2104] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
        05/05 13:55:47.42 [2104] 0+0: ... DNS: **MY_IP** ->
**HOSTNAME**.**MY_DOMAIN**
        05/05 13:55:47.42 [2104] 0+0: ... DNS available
        05/05 13:55:47.42 [2104] 0+0: ... NIS not available (no default
domain)
        05/05 13:55:47.42 [2104] 0+0: ... export RES_ORDER=CFD
        05/05 13:55:47.42 [2104] 0+0: export RESOLV=cache,file,dns (set
by default)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 13:55:47.43 [2104] 0+0: --INITIALIZATION
START-08050513+0100: 9.7.7-fix1 on WindowsNT--
        05/05 13:55:47.43 [2104] 0+0: EXECDIR=d:\app\delegate
        05/05 13:55:47.43 [2104] 0+0: BINSHELL=/bin/sh
        05/05 13:55:47.43 [2104] 0+0: MAXIMA=delegated:64 for small
mem=945M
        (WIN) 55:47.434 [2104] #### send_file (2104,1)[1876,7] ->
2104[1864,0] (0,Err=87)
        (WIN) 55:47.434 [2104] #### file to be sent fd=1 -> 0 8380000
137887744
        05/05 13:55:47.51 [2104] 0+0: #### KEY CRYPT=master DUMPED
4B0D8D8C TO
d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
        05/05 13:55:47.51 [2104] 0+0: #### start a service...
        05/05 13:55:47.53 [2104] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 13:55:47.53 [2104] 0+0: server_open(delegate,:**PORT**)
BOUND
        05/05 13:55:52.65 [3512] 0+0: ## RES_ORDER=CFD
        05/05 13:55:52.67 [3512] 0+0: ... gethostname(**HOSTNAME**)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 13:55:52.68 [3512] 0+0: --INITIALIZATION
START-08050513+0100: 9.7.7-fix1 on WindowsNT--
        05/05 13:55:52.68 [3512] 0+0: EXECDIR=d:\app\delegate
        05/05 13:55:52.68 [3512] 0+0: BINSHELL=/bin/sh
        05/05 13:55:52.68 [3512] 0+0: MAXIMA=delegated:64 for small
mem=946M
        05/05 13:55:52.70 [3512] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 13:55:52.75 [3512] 0+0: server_open(delegate,:**PORT**)
BOUND
        05/05 13:55:52.75 [3512] 0+0: DGROOT=d:\tmp\.dg^M
        05/05 13:55:52.75 [3512] 0+0: <DeleGate/9.7.7-fix1> [3512]
-P**PORT** READY^M
        05/05 13:55:52.75 [3512] 0+0: PORT= **PORT**/10 (38,148)
        05/05 13:55:52.75 [3512] 0+0: OWNER=nobody => OWNER=?/?(?/?)
        05/05 13:55:52.76 [3512] 0+0: REMITTABLE =
http,https/{80,443},gopher,ftp,wais
        05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 0 dglibdgzlib1.dll
        05/05 13:55:52.78 [3512] 0+0: --- [d:\app\delegate\dgzlib1.dll]
        05/05 13:55:52.78 [3512] 0+0: --- [dgzlib1] 10000000
d:\app\delegate\dgzlib1.dll
        05/05 13:55:52.78 [3512] 0+0: ---- [dgzlib1] loaded 15 syms,
unknown=0+0, already=0
        05/05 13:55:52.78 [3512] 0+0: +++ loaded Zlib
1.2.3.f-DeleGate-v2
        05/05 13:55:52.78 [3512] 0+0: #### gzip/gunzip = dynamically
linked
        05/05 13:55:52.78 [3512] 0+0: ADMIN=**USERNAME**
protocol=http(specialist)
        05/05 13:55:52.78 [3512] 0+0: WORKDIR=d:\tmp\.dg/work/**PORT**
        05/05 13:55:52.79 [3512] 0+0: MOUNT[0]X[2] /-/builtin/icons/* =
default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[1]X[3] /-/* =
forbidden,from=!.RELIABLE,default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[2]X[0] /-* = default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[3]X[1] /=* = default
        05/05 13:55:52.79 [3512] 0+0: MOUNT[4]=[4] /favicon.ico
builtin:icons/ysato/default.ico
default,direction=fo,onerror=404,expires=15m
        05/05 13:55:52.79 [3512] 0+0: #### stack size limit = FFFFFFFF
(-1)
        05/05 13:55:52.79 [3512] 0+0: Stay open PIDFILE for accept()
lock[fd=14]
        05/05 13:55:52.79 [3512] 0+0:
StickyReport[15,16]127.0.0.1:1823><127.0.0.1:1824 8192/64512 8192/65536
        05/05 13:55:52.79 [3512] 0+0: env[49]
LIBPATH=.;C:\WINDOWS\system32;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/
etc
        05/05 13:55:52.79 [3512] 0+0: arg[1]
LIBPATH=.;D:\Tmp\.dg;d:\tmp\.dg/lib;d:\app\delegate;d:\tmp\.dg/etc
        05/05 13:55:52.79 [3512] 0+0: arg[2] RESOLV=cache,file,dns
        05/05 13:55:52.79 [3512] 0+0: arg[3] SERVER=http
        05/05 13:55:52.79 [3512] 0+0: arg[4]
PROXY=**PARENT_PROXY**:**PARENT_PROXY_PORT**
        05/05 13:55:52.79 [3512] 0+0: arg[5] DGROOT=d:\tmp\.dg
        05/05 13:55:52.79 [3512] 0+0: arg[6] ADMIN=**USERNAME**
        05/05 13:55:52.79 [3512] 0+0: arg[7] CACHE=no
        05/05 13:55:52.79 [3512] 0+0: arg[8] RES_WAIT=0
        05/05 13:55:52.79 [3512] 0+0: arg[9] PERMIT=*:*:-/22
        05/05 13:55:52.82 [3512] 0+0: Encrypted with the CRYPT
MasterKey: 350->351 ${ETCDIR}/params/${PORT}.cdh
        05/05 13:55:52.82 [3512] 0+0: DELEGATE_Modified[1]: 481ef5c8
1209988552
        05/05 13:55:52.82 [3512] 0+0: --INITIALIZATION
DONE-08050513+0100: 9.7.7-fix1 on WindowsNT--
        (WIN) 55:58.184 [3512] spawn() = 380 [2584], children(alive=1/1)
0.047s
        05/05 13:55:58.18 [3512] 1+0: spawn() = 380 [2584],
children(alive=1/1) 0.047s
        05/05 13:56:28.48 [3580] 0+0: PORT> -P**PORT**
        05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)
        (WIN) 56:28.481 [3580] kill(3512,15) = -1, failed
GetExitCodeProcess()
        05/05 13:56:28.48 [3580] 0+0: Kill(3512,15)=-1, errno=0
        (WIN) 56:28.496 [3580] [672] svc DO_FINALIZE 0 0
        (WIN) 56:28.668 [3512] [2276] svc Terminate...
        05/05 13:56:28.67 [3512] 1+0: TERMINATE...
        05/05 13:56:28.68 [3512] 1+0: #### KEY CRYPT=master DUMPED
4B0D8D8C TO
d:\tmp\.dg/adm/authorizer/31b73f7af387eceac89f05ba7df52d25/save/-dgauth
        05/05 13:56:28.68 [3512] 1+0: Kill(380,15)
        05/05 13:56:28.68 [3512] 1+0: StickyKill(15): 1/1 killed
        05/05 13:56:28.68 [3512] 1+0: unlinked
d:\tmp\.dg/work/**PORT**/3512
        05/05 13:56:28.68 [3512] 1+0: removed d:\tmp\.dg/work/**PORT**/
        (WIN) 56:28.684 [3512] wait3(N) = 380 [2584] 0,
children(alive=0/1) 0.00s
        05/05 13:56:28.68 [3512] 1+0: wait3(N) = 380 [2584] 0,
children(alive=0/1) 0.00s
        05/05 13:56:28.70 [3512] 1+0: TERMINATED.
        05/05 13:56:28.70 [3512] 1+0: AcceptByMain: break on TERMINATE.
        05/05 13:56:28.70 [3512] 1+0: main loop break on TERMINATE.
        05/05 13:56:28.70 [3512] 1+0: _main() done
        05/05 13:56:28.70 [3512] 1+0: SetStatus: STOPPED
        (WIN) 56:28.700 [3512] [1980] svc SetStatus: STOPPED
        05/05 13:56:28.70 [3512] 1+0: SetStatus: STOP
        (WIN) 56:28.700 [3512] [2276] svc SetStatus: STOP
        (WIN) 56:28.700 [3512] [1980] svc ExitThread() from
ServiceStart()
        (WIN) 56:28.700 [3512] [2276] svc start_service() done (1,1,0)
        (WIN) 56:28.700 [3512] [2276] svc DO_INITIALIZE -> DO_FINALIZE
        (WIN) 56:28.700 [3512] [2276] svc DO_FINALIZE 0 0


    * With 9.8.1 I also noticed that the browser request made delegate
spawn another dg.exe process, which was not later killed with -Fkill.
With 9.7.7-fix1 I cannot reproduce it any more.



2. Enc:

    * encrypted config file:
        "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fenc -ktemppwd <
dg.cnf  >  dg.enc

    * started delegate:
        "d:\app\delegate\dg.exe" -P**PORT** -r -vt  -- SERVER=http
PROXY="**PARENT_PROXY**:**PARENT_PROXY_PORT**" DGROOT="d:\tmp\.dg"
ADMIN="**USERNAME**" CACHE=no RES_WAIT=0 PERMIT=*:*:-/22
+=d:\tmp\.dg\dg.enc
        **** PASSWD=ext:::temppwd
        Config: WindowsNT; FileSize-Bits=64/64,32/32,32;
sockbuf=0000/0000X; sockpair=8192/64512,2016++; thread=Winthread;
stty=none; fmem=954/0/2047M; MSC=1400
        DeleGate/9.7.7-fix1 (November 14, 2007)


    => browser immediately reported that it cannot connect to proxy:

        05/05 14:05:53.06 [2692] 0+0: ... gethostname(**HOSTNAME**)
        05/05 14:05:53.06 [2692] 0+0: configuring default RESOLV ...
        05/05 14:05:53.06 [2692] 0+0: ... gethostname()='**HOSTNAME**'
        05/05 14:05:53.06 [2692] 0+0: ... SYS: **HOSTNAME** -> **MY_IP**
        05/05 14:05:53.13 [2692] 0+0: ... DNS: **MY_IP** ->
**HOSTNAME**.**MY_DOMAIN**
        05/05 14:05:53.13 [2692] 0+0: ... DNS available
        05/05 14:05:53.13 [2692] 0+0: ... NIS not available (no default
domain)
        05/05 14:05:53.13 [2692] 0+0: ... export RES_ORDER=CFD
        05/05 14:05:53.13 [2692] 0+0: export RESOLV=cache,file,dns (set
by default)
 
SRCSIGN=9.7.7-fix1:20071114171500+0900:2e734f2b9afeeb83:Author@DeleGate..
ORG:InIqseLisMa5s/g8g4TxnCZqRxPujG6ho6PMayMdxITXCowDzJC6CqkGe2DJSCCpaaMZ
wzVIPinIp0Y/9UMecCDEtCNaMe6Jrx6ZvT8KwUdLhaj5OJxu9kyuaiT4em/iPlfQPmVrpvRU
yT26/4uYWkbp+6i+onxQ8zk9yb0jpAE=
        BLDSIGN=9.7.7-fix1:20071114171724+0900:2e734f2b9afeeb83::-
        05/05 14:05:53.13 [2692] 0+0: --INITIALIZATION
START-08050514+0100: 9.7.7-fix1 on WindowsNT--
        05/05 14:05:53.13 [2692] 0+0: EXECDIR=d:\app\delegate
        05/05 14:05:53.13 [2692] 0+0: BINSHELL=/bin/sh
        05/05 14:05:53.13 [2692] 0+0: MAXIMA=delegated:64 for small
mem=955M
        (WIN) 05:53.141 [2692] #### send_file (2692,1)[1880,7] ->
2692[1896,0] (0,Err=87)
        (WIN) 05:53.141 [2692] #### file to be sent fd=1 -> 0 A840000
176422912
        05/05 14:05:53.22 [2692] 0+0: CRC ERROR 0 FFFFFFB0
        05/05 14:05:53.22 [2692] 0+0: #### KEY PASSWD=ext DUMPED
61E46143 TO
/var/tmp/authorizer/6ca8a167c094fa1d8952965a912a2c63/save/-dgauth
        05/05 14:05:53.22 [2692] 0+0: #### start a service...
        05/05 14:05:53.23 [2692] 0+0:
server_open(delegate,:**PORT**,listen=20)
        05/05 14:05:53.23 [2692] 0+0: server_open(delegate,:**PORT**)
BOUND


Could you kindly look at it and see whether I'm doing anything wrong?

Thanks,
Jan 

-----Original Message-----
From: Yutaka Sato [mailto:feedback@delegate.org] 
Sent: Thursday, April 24, 2008 10:34 AM
To: feedback@delegate.org
Cc: Killian, Jan
Subject: parameter encryption with -Fenc (Re: Delegate - encrypted .cdh
config on win xp)

Jan,

In message <_A3961@delegate-en.ML_> on 04/24/08(16:23:34) I wrote:
 | |Then I encrypt the config:
 | |> "d:\app\delegate\dg.exe" DGROOT="d:\tmp\.dg" -Fcredhy testpwd  <
dg.conf  >  dg.cdh
...
 | |**** Specify the key of encryption for 'dgauth'
 | |**** CRYPT=pass:testpwd
 |
 |Here you need to specify the "MasterKey" for the repository of
passwords
 |into which your "testpwd", the passphrase for encryption of
configuration
 |parameters, is stored.  And your passphrase needs to have been stored
 |into
 |the repository as follows, encrypted with a specified MasterKey:
 |
 | > dg.exe DGROOT=d:/tmp/.dg -Fauth -a config:testpwd -dgauth@admin
 | **** Specify the key of encryption for 'dgauth'
 | **** CRYPT=pass:MasterKey
 |
 |See <URL:http://www.delegate.org/delegate/Manual.htm?EncryptedConf>
for
 |more details.

I should have said that the encryption of configuration parameters by
"-Fcredhy" (introduced at DeleGate/9.0.1) was a very tentative one
without the ability to verify the integrity of the decrypted data (with a
CRC or MD5 or so).  Thus it generates broken data if the key given for
decryption is not the one used at encryption, as shown in your case.

I added another way of encryption at DeleGate/9.4.0 by "-Fenc" which is
simpler (without a password repository) and safer (with an integrity check).
You can use it as follows:

 a) to see the usage

  > d.exe -Fenc
  Usage: -Fenc [-kKey] [infile] [-o outfile] [-a arg1 arg2 ...]

 b) generate an encrypted parameter

  > dg.exe -Fenc -ktestpwd -a MYAUTH=user:pass ADMIN=foo@bar
 
+=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:

  (this "+=enc:ext::...:" is an encrypted representation of
"MYAUTH=user:pass ADMIN=foo@bar" with the encryption key "testpwd")

 c) use the encrypted parameter

  > dg.exe -v -P9999
+=enc:ext::1bt.fMObaW4Mc0Y34Bp5tEPLoMY6pkvjB4RYCymttSPWd5vp6ghqieamCg==:
SERVER=http ...
  **** PASSWD=ext:::testpwd

A few more tips:

 1) encryption
  > dg.exe -Fenc -ktestpwd < conf > conf.enc

 2) decryption
  > dg.exe -Fdec -ktestpwd < conf.enc > conf

 3a) substitution (asking for the password interactively)
  > dg.exe +=conf.enc
  **** PASSWD=ext:::testpwd

 3b) substitution giving the password
  > dg.exe +=conf.enc PASSWD=ext:::testpwd

 3c) substitution without an external file for configuration
  > dg.exe +=enc:ext::1bt. ............. :"

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller
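
The difference the two messages above turn on, a passphrase-encrypted parameter block that either fails silently under the wrong key (the -Fcredhy behaviour) or rejects it (the CRC check behind -Fenc's "CRC ERROR"), can be shown with a small stand-alone script. This is an added example written for this archive page; it is not DeleGate's code and does not reproduce DeleGate's cipher. Only the outer "enc:ext::<base64>:" wrapper shape is taken from the thread. The inner layout (salt | mode byte | ciphertext | optional tag), the PBKDF2 key derivation, the HMAC-SHA256 counter keystream and the sample parameter string are this example's own assumptions.

```python
"""Passphrase-encrypted parameter tokens with three integrity choices:
   none  - wrong key silently yields garbage (the -Fcredhy failure mode)
   crc32 - a CRC inside the ciphertext detects a wrong key (as -Fenc's check does)
   hmac  - encrypt-then-MAC, the construction a current design would use
Stdlib only. The cipher and token layout are this example's own, not DeleGate's."""
import base64
import hashlib
import hmac
import os
import zlib

KDF_ITERS = 100_000          # assumption: PBKDF2 work factor chosen for this example
SALT_LEN = 16
TAG_LEN = 32
MODES = {b"N": "none", b"C": "crc32", b"H": "hmac"}
PREFIX = "enc:ext::"         # wrapper shape seen in the -Fenc output on this page


class IntegrityError(ValueError):
    """Raised when the decrypted parameters fail their integrity check."""


def _derive_keys(passphrase, salt):
    """Separate encryption and MAC keys from one passphrase (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, KDF_ITERS, dklen=64)
    return km[:32], km[32:]


def _keystream(key, salt, length):
    """Counter-mode keystream from HMAC-SHA256; a stdlib stand-in for a real stream cipher."""
    out, block = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, salt + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def seal_params(params, passphrase, mode="hmac", salt=None):
    """Encrypt a parameter string; returns an 'enc:ext::<base64>:' token."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    enc_key, mac_key = _derive_keys(passphrase, salt)
    plain = params.encode("utf-8")
    if mode == "crc32":
        plain += zlib.crc32(plain).to_bytes(4, "big")   # CRC travels inside the ciphertext
    mode_byte = {v: k for k, v in MODES.items()}[mode]
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(enc_key, salt, len(plain))))
    body = salt + mode_byte + cipher
    if mode == "hmac":
        body += hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC
    return PREFIX + base64.b64encode(body).decode("ascii") + ":"


def open_params(token, passphrase):
    """Decrypt a token. Raises IntegrityError on a wrong key in crc32/hmac mode;
    in 'none' mode a wrong key just returns garbage bytes."""
    if not (token.startswith(PREFIX) and token.endswith(":")):
        raise ValueError("not an enc:ext:: token")
    body = base64.b64decode(token[len(PREFIX):-1])
    salt, mode_byte, rest = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + 1], body[SALT_LEN + 1:]
    mode = MODES[mode_byte]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    if mode == "hmac":
        cipher, tag = rest[:-TAG_LEN], rest[-TAG_LEN:]
        expected = hmac.new(mac_key, salt + mode_byte + cipher, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise IntegrityError("HMAC mismatch: wrong passphrase or modified token")
    else:
        cipher = rest
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(enc_key, salt, len(cipher))))
    if mode == "crc32":
        data, crc = plain[:-4], int.from_bytes(plain[-4:], "big")
        if zlib.crc32(data) != crc:
            raise IntegrityError("CRC ERROR: wrong passphrase or corrupted token")
        plain = data
    return plain


def demo(params="MYAUTH=user:pass ADMIN=foo@bar", good="testpwd", bad="wrongpwd"):
    """Seal the constructed sample parameters in each mode and report what a
    wrong passphrase produces: 'garbage' or 'rejected'."""
    results = {}
    for mode in ("none", "crc32", "hmac"):
        token = seal_params(params, good, mode)
        assert open_params(token, good) == params.encode("utf-8")
        try:
            out = open_params(token, bad)
            results[mode] = "garbage" if out != params.encode("utf-8") else "unchanged"
        except IntegrityError:
            results[mode] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Running demo() shows 'none' handing back unreadable bytes with no error, exactly the "broken data" a wrong -Fcredhy key produces, while 'crc32' and 'hmac' refuse the token. The CRC mode mirrors what the -Fenc check gives an operator (a wrong key or a corrupted file is reported instead of loaded), but a CRC only detects accidental damage; where a stored config might be altered rather than merely mistyped, the HMAC mode is the one to use.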

