[packages/vtun.git] / vtun-sslauth.patch

diff -urNp -x '*.orig' vtun-3.0.4.org/auth.c vtun-3.0.4/auth.c
--- vtun-3.0.4.org/auth.c	2016-10-01 23:29:28.000000000 +0200
+++ vtun-3.0.4/auth.c	2021-10-03 20:19:55.633327588 +0200
@@ -23,6 +23,10 @@
 /*
  * Challenge based authentication. 
  * Thanx to Chris Todd<christ@insynq.com> for the good idea.
+ *
+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
+ * 	Add support for connectin ssl to non-ssl vtuns (sslauth option)
+ * 	Use /dev/random in non-ssl gen_chal  (if possible)
  */ 
 
 #include "config.h"
@@ -55,34 +59,57 @@
 #include "lock.h"
 #include "auth.h"
 
-/* Encryption and Decryption of the challenge key */
 #ifdef HAVE_SSL
 
 #include <openssl/md5.h>
 #include <openssl/blowfish.h>
 #include <openssl/rand.h>
 
-static void gen_chal(char *buf)
+#endif /* HAVE_SSL */
+
+/* Okay, start the "blue-wire" non-ssl auth patch stuff */
+void nonssl_encrypt_chal(char *chal, char *pwd)
+{
+   char *xor_msk = pwd;
+   register int i, xor_len = strlen(xor_msk);
+
+   syslog(LOG_INFO, "Use nonSSL-aware challenge/response");
+   for(i=0; i < VTUN_CHAL_SIZE; i++)
+      chal[i] ^= xor_msk[i%xor_len];
+}
+
+inline void nonssl_decrypt_chal(char *chal, char *pwd)
+{
+   nonssl_encrypt_chal(chal, pwd);
+}
+/* Mostly ended here, other than a couple replaced #ifdefs */
+
+/* Encryption and Decryption of the challenge-key */
+#ifdef HAVE_SSL
+
+void gen_chal(char *buf)
 {
    RAND_bytes(buf, VTUN_CHAL_SIZE);
 }
 
-static void encrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO, "Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
       BF_ecb_encrypt(chal + i,  chal + i, &key, BF_ENCRYPT);
 }
 
-static void decrypt_chal(char *chal, char *pwd)
+void ssl_decrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO, "Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
@@ -91,30 +118,43 @@ static void decrypt_chal(char *chal, cha
 
 #else /* HAVE_SSL */
 
-static void encrypt_chal(char *chal, char *pwd)
+/* Generate PSEUDO random challenge key. */
+void gen_chal(char *buf)
 { 
-   char * xor_msk = pwd;
-   register int i, xor_len = strlen(xor_msk);
+   register int i;
+   unsigned int seed;
+   char *pseed;
+   int fd,cnt,len;
+
+   if((fd=open("/dev/random",O_RDONLY))!=-1) {
+      pseed=(char *)&seed;
+      len=cnt=sizeof(seed);
+      while(cnt>0) {
+         cnt=read(fd,pseed,len);
+         len=len-cnt;
+         pseed=pseed+cnt;
+      }
+   } else {
+      seed=time(NULL);
+   }
+   srand(seed);
 
    for(i=0; i < VTUN_CHAL_SIZE; i++)
-      chal[i] ^= xor_msk[i%xor_len];
+      buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
 }
 
-static void inline decrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 { 
-   encrypt_chal(chal, pwd);
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_encrypt_chal(chal,pwd);
 }
 
-/* Generate PSEUDO random challenge key. */
-static void gen_chal(char *buf)
+void ssl_decrypt_chal(char *chal, char *pwd)
 {
-   register int i;
- 
-   srand(time(NULL));
-
-   for(i=0; i < VTUN_CHAL_SIZE; i++)
-      buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_decrypt_chal(chal,pwd);
 }
+
 #endif /* HAVE_SSL */
 
 /* 
@@ -123,7 +163,7 @@ static void gen_chal(char *buf)
  * C - compression, S - speed for shaper and so on.
  */ 
 
-static char *bf2cf(struct vtun_host *host)
+char *bf2cf(struct vtun_host *host)
 {
      static char str[20], *ptr = str;
 
@@ -187,7 +227,7 @@ static char *bf2cf(struct vtun_host *hos
    FLAGS: <TuE1>
 */
 
-static int cf2bf(char *str, struct vtun_host *host)
+int cf2bf(char *str, struct vtun_host *host)
 {
      char *ptr, *p;
      int s;
@@ -277,7 +317,7 @@ static int cf2bf(char *str, struct vtun_
  * string format:  <char_data> 
  */ 
 
-static char *cl2cs(char *chal)
+char *cl2cs(char *chal)
 {
      static char str[VTUN_CHAL_SIZE*2+3], *chr="abcdefghijklmnop";
      register char *ptr = str;
@@ -295,7 +335,7 @@ static char *cl2cs(char *chal)
      return str;
 }
 
-static int cs2cl(char *str, char *chal)
+int cs2cl(char *str, char *chal)
 {
      register char *ptr = str;
      register int i;
@@ -358,7 +398,11 @@ struct vtun_host * auth_server(int fd)
 		   if( !(h = find_host(host)) )
 		      break;
 
-		   decrypt_chal(chal_res, h->passwd);   		
+		   if (h->sslauth) {
+		      ssl_decrypt_chal(chal_res, h->passwd);   		
+		   } else {
+		      nonssl_decrypt_chal(chal_res, h->passwd);   		
+		   }
 	
 		   if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
 		      /* Auth successeful. */
@@ -410,7 +454,11 @@ int auth_client(int fd, struct vtun_host
 		   if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
 		      stage = ST_CHAL;
 					
-		      encrypt_chal(chal,host->passwd);
+		      if (host->sslauth) {
+		         ssl_encrypt_chal(chal,host->passwd);
+		      } else {
+		         nonssl_encrypt_chal(chal,host->passwd);
+		      }
 		      print_p(fd,"CHAL: %s\n", cl2cs(chal));
 
 		      continue;
diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_file.y vtun-3.0.4/cfg_file.y
--- vtun-3.0.4.org/cfg_file.y	2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/cfg_file.y	2021-10-03 20:19:55.633327588 +0200
@@ -74,7 +74,7 @@ int yyerror(char *s);
 %token K_OPTIONS K_DEFAULT K_PORT K_BINDADDR K_PERSIST K_TIMEOUT
 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE 
 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
-%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
+%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
 
 %token <str> K_HOST K_ERROR
@@ -285,6 +285,13 @@ host_option: '\n'
 			}
 			compress
 
+  | K_SSLAUTH NUM 	{ 
+	      		  parse_host->sslauth = $2;
+
+			  if(vtun.sslauth == -1) 
+			     vtun.sslauth = $2; 	
+			}
+
   | K_ENCRYPT NUM 	{  
 			  if( $2 ){
 			     parse_host->flags |= VTUN_ENCRYPT;
diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_kwords.h vtun-3.0.4/cfg_kwords.h
--- vtun-3.0.4.org/cfg_kwords.h	2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/cfg_kwords.h	2021-10-03 20:19:55.633327588 +0200
@@ -37,6 +37,7 @@ struct kword cfg_keyword[] = {
    { "addr",  	 K_ADDR }, 
    { "iface",  	 K_IFACE }, 
    { "bindaddr", K_BINDADDR },
+   { "sslauth",	 K_SSLAUTH }, 
    { "persist",	 K_PERSIST }, 
    { "multi",	 K_MULTI }, 
    { "iface",    K_IFACE }, 
diff -urNp -x '*.orig' vtun-3.0.4.org/main.c vtun-3.0.4/main.c
--- vtun-3.0.4.org/main.c	2016-10-01 23:37:39.000000000 +0200
+++ vtun-3.0.4/main.c	2021-10-03 20:19:55.633327588 +0200
@@ -79,6 +79,7 @@ int main(int argc, char *argv[], char *e
      vtun.cfg_file = VTUN_CONFIG_FILE;
      vtun.persist = -1;
      vtun.timeout = -1;
+     vtun.sslauth = -1;
 	
      /* Dup strings because parser will try to free them */
      vtun.ppp   = strdup("/usr/sbin/pppd");
@@ -101,6 +102,11 @@ int main(int argc, char *argv[], char *e
      default_host.ka_interval = 30;
      default_host.ka_maxfail  = 4;
      default_host.loc_fd = default_host.rmt_fd = -1;
+#ifdef HAVE_SSL
+     default_host.sslauth = 1;
+#else	/* HAVE_SSL */
+     default_host.sslauth = 0;
+#endif	/* HAVE_SSL */
 
      /* Start logging to syslog and stderr */
      openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
@@ -181,6 +187,16 @@ int main(int argc, char *argv[], char *e
 	vtun.persist = 0;
      if(vtun.timeout == -1)
 	vtun.timeout = VTUN_TIMEOUT;
+    /* 
+     * Want to save behaviour from older version: stronger authentication
+     * if compiled with --enable-ssl, weaker otherwise
+     */
+     if(vtun.sslauth == -1)
+#ifdef HAVE_SSL
+	vtun.sslauth = 1;
+#else	/* HAVE_SSL */
+	vtun.sslauth = 0;
+#endif	/* HAVE_SSL */
 
      switch( vtun.svr_type ){
 	case -1:
diff -urNp -x '*.orig' vtun-3.0.4.org/vtun.h vtun-3.0.4/vtun.h
--- vtun-3.0.4.org/vtun.h	2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/vtun.h	2021-10-03 20:19:55.633327588 +0200
@@ -100,6 +100,9 @@ struct vtun_host {
    int  rmt_fd;
    int  loc_fd;
 
+   /* SSL strong auth */
+   int  sslauth;
+
    /* Persist mode */
    int  persist;
 
@@ -205,6 +208,7 @@ extern llist host_list;
 struct vtun_opts {
    int  timeout;
    int  persist;
+   int  sslauth;
 
    char *cfg_file;
Commit	Line	Data
fd77cfe7 JR	1	diff -urNp -x '*.orig' vtun-3.0.4.org/auth.c vtun-3.0.4/auth.c
	2	--- vtun-3.0.4.org/auth.c 2016-10-01 23:29:28.000000000 +0200
	3	+++ vtun-3.0.4/auth.c 2021-10-03 20:19:55.633327588 +0200
89f3a989	4	@@ -23,6 +23,10 @@
	5	/*
	6	* Challenge based authentication.
	7	* Thanx to Chris Todd<christ@insynq.com> for the good idea.
8c9e995e	8	+ *
6acf7f8d	9	+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
8c9e995e	10	+ * Add support for connectin ssl to non-ssl vtuns (sslauth option)
6acf7f8d	11	+ * Use /dev/random in non-ssl gen_chal (if possible)
8c9e995e	12	*/
	13
	14	#include "config.h"
89f3a989	15	@@ -55,34 +59,57 @@
6acf7f8d	16	#include "lock.h"
	17	#include "auth.h"
	18
	19	-/* Encryption and Decryption of the challenge key */
	20	#ifdef HAVE_SSL
89f3a989	21
	22	#include <openssl/md5.h>
	23	#include <openssl/blowfish.h>
	24	#include <openssl/rand.h>
	25
b0608415	26	-static void gen_chal(char *buf)
89f3a989	27	+#endif /* HAVE_SSL */
6acf7f8d	28	+
89f3a989	29	+/* Okay, start the "blue-wire" non-ssl auth patch stuff */
6acf7f8d	30	+void nonssl_encrypt_chal(char chal, char pwd)
89f3a989	31	+{
89f3a989	32	+ char *xor_msk = pwd;
6acf7f8d	33	+ register int i, xor_len = strlen(xor_msk);
6acf7f8d	34	+
89f3a989	35	+ syslog(LOG_INFO, "Use nonSSL-aware challenge/response");
6acf7f8d	36	+ for(i=0; i < VTUN_CHAL_SIZE; i++)
	37	+ chal[i] ^= xor_msk[i%xor_len];
	38	+}
	39	+
89f3a989	40	+inline void nonssl_decrypt_chal(char chal, char pwd)
89f3a989	41	+{
6acf7f8d	42	+ nonssl_encrypt_chal(chal, pwd);
6acf7f8d	43	+}
89f3a989	44	+/* Mostly ended here, other than a couple replaced #ifdefs */
6acf7f8d	45	+
89f3a989	46	+/* Encryption and Decryption of the challenge-key */
6acf7f8d	47	+#ifdef HAVE_SSL
89f3a989	48	+
b0608415	49	+void gen_chal(char *buf)
6acf7f8d	50	{
8c9e995e	51	RAND_bytes(buf, VTUN_CHAL_SIZE);
	52	}
	53
b0608415	54	-static void encrypt_chal(char chal, char pwd)
8c9e995e	55	+void ssl_encrypt_chal(char chal, char pwd)
	56	{
	57	register int i;
	58	BF_KEY key;
6acf7f8d	59
89f3a989	60	+ syslog(LOG_INFO, "Use SSL-aware challenge/response");
6acf7f8d	61	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
	62
	63	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
8c9e995e	64	BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
	65	}
	66
b0608415	67	-static void decrypt_chal(char chal, char pwd)
8c9e995e	68	+void ssl_decrypt_chal(char chal, char pwd)
	69	{
	70	register int i;
	71	BF_KEY key;
6acf7f8d	72
89f3a989	73	+ syslog(LOG_INFO, "Use SSL-aware challenge/response");
6acf7f8d	74	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
	75
	76	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
fd77cfe7	77	@@ -91,30 +118,43 @@ static void decrypt_chal(char *chal, cha
8c9e995e	78
	79	#else /* HAVE_SSL */
	80
b0608415 AG	81	-static void encrypt_chal(char chal, char pwd)
	82	+/* Generate PSEUDO random challenge key. */
	83	+void gen_chal(char *buf)
	84	{
8c9e995e	85	- char * xor_msk = pwd;
8c9e995e	86	- register int i, xor_len = strlen(xor_msk);
b0608415	87	+ register int i;
6acf7f8d	88	+ unsigned int seed;
	89	+ char *pseed;
	90	+ int fd,cnt,len;
	91	+
	92	+ if((fd=open("/dev/random",O_RDONLY))!=-1) {
	93	+ pseed=(char *)&seed;
	94	+ len=cnt=sizeof(seed);
	95	+ while(cnt>0) {
	96	+ cnt=read(fd,pseed,len);
	97	+ len=len-cnt;
	98	+ pseed=pseed+cnt;
	99	+ }
	100	+ } else {
	101	+ seed=time(NULL);
	102	+ }
	103	+ srand(seed);
	104
8c9e995e	105	for(i=0; i < VTUN_CHAL_SIZE; i++)
b0608415 AG	106	- chal[i] ^= xor_msk[i%xor_len];
b0608415 AG	107	+ buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
8c9e995e	108	}
b0608415 AG	109
b0608415 AG	110	-static void inline decrypt_chal(char chal, char pwd)
8c9e995e	111	+void ssl_encrypt_chal(char chal, char pwd)
b0608415 AG	112	{
b0608415 AG	113	- encrypt_chal(chal, pwd);
6acf7f8d	114	+ syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
6acf7f8d	115	+ nonssl_encrypt_chal(chal,pwd);
b0608415 AG	116	}
	117
	118	-/* Generate PSEUDO random challenge key. */
	119	-static void gen_chal(char *buf)
8c9e995e	120	+void ssl_decrypt_chal(char chal, char pwd)
b0608415 AG	121	{
	122	- register int i;
	123	-
	124	- srand(time(NULL));
	125	-
	126	- for(i=0; i < VTUN_CHAL_SIZE; i++)
	127	- buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
6acf7f8d	128	+ syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
6acf7f8d	129	+ nonssl_decrypt_chal(chal,pwd);
b0608415	130	}
8c9e995e	131	+
	132	#endif /* HAVE_SSL */
	133
8c9e995e	134	/*
fd77cfe7	135	@@ -123,7 +163,7 @@ static void gen_chal(char *buf)
b0608415 AG	136	* C - compression, S - speed for shaper and so on.
	137	*/
	138
	139	-static char bf2cf(struct vtun_host host)
	140	+char bf2cf(struct vtun_host host)
	141	{
	142	static char str[20], *ptr = str;
	143
fd77cfe7	144	@@ -187,7 +227,7 @@ static char bf2cf(struct vtun_host hos
b0608415 AG	145	FLAGS: <TuE1>
	146	*/
	147
	148	-static int cf2bf(char str, struct vtun_host host)
	149	+int cf2bf(char str, struct vtun_host host)
	150	{
	151	char ptr, p;
	152	int s;
fd77cfe7	153	@@ -277,7 +317,7 @@ static int cf2bf(char *str, struct vtun_
b0608415 AG	154	* string format: <char_data>
	155	*/
	156
	157	-static char cl2cs(char chal)
	158	+char cl2cs(char chal)
	159	{
	160	static char str[VTUN_CHAL_SIZE2+3], chr="abcdefghijklmnop";
	161	register char *ptr = str;
fd77cfe7	162	@@ -295,7 +335,7 @@ static char cl2cs(char chal)
b0608415 AG	163	return str;
	164	}
	165
	166	-static int cs2cl(char str, char chal)
	167	+int cs2cl(char str, char chal)
	168	{
	169	register char *ptr = str;
	170	register int i;
fd77cfe7	171	@@ -358,7 +398,11 @@ struct vtun_host * auth_server(int fd)
8c9e995e	172	if( !(h = find_host(host)) )
	173	break;
	174
	175	- decrypt_chal(chal_res, h->passwd);
	176	+ if (h->sslauth) {
	177	+ ssl_decrypt_chal(chal_res, h->passwd);
	178	+ } else {
	179	+ nonssl_decrypt_chal(chal_res, h->passwd);
	180	+ }
	181
	182	if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
	183	/* Auth successeful. */
fd77cfe7	184	@@ -410,7 +454,11 @@ int auth_client(int fd, struct vtun_host
8c9e995e	185	if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
	186	stage = ST_CHAL;
	187
	188	- encrypt_chal(chal,host->passwd);
	189	+ if (host->sslauth) {
	190	+ ssl_encrypt_chal(chal,host->passwd);
	191	+ } else {
	192	+ nonssl_encrypt_chal(chal,host->passwd);
	193	+ }
	194	print_p(fd,"CHAL: %s\n", cl2cs(chal));
	195
	196	continue;
fd77cfe7 JR	197	diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_file.y vtun-3.0.4/cfg_file.y
	198	--- vtun-3.0.4.org/cfg_file.y 2016-10-01 23:27:51.000000000 +0200
	199	+++ vtun-3.0.4/cfg_file.y 2021-10-03 20:19:55.633327588 +0200
	200	@@ -74,7 +74,7 @@ int yyerror(char *s);
89f3a989	201	%token K_OPTIONS K_DEFAULT K_PORT K_BINDADDR K_PERSIST K_TIMEOUT
8c9e995e	202	%token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
8c9e995e	203	%token K_MULTI K_SRCADDR K_IFACE K_ADDR
0128b96b JR	204	-%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
0128b96b JR	205	+%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
8c9e995e	206	%token K_UP K_DOWN K_SYSLOG K_IPROUTE
	207
	208	%token <str> K_HOST K_ERROR
fd77cfe7	209	@@ -285,6 +285,13 @@ host_option: '\n'
8c9e995e	210	}
8c9e995e	211	compress
89f3a989	212
8c9e995e	213	+ \| K_SSLAUTH NUM {
	214	+ parse_host->sslauth = $2;
	215	+
	216	+ if(vtun.sslauth == -1)
	217	+ vtun.sslauth = $2;
	218	+ }
89f3a989	219	+
8c9e995e	220	\| K_ENCRYPT NUM {
89f3a989	221	if( $2 ){
89f3a989	222	parse_host->flags \|= VTUN_ENCRYPT;
fd77cfe7 JR	223	diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_kwords.h vtun-3.0.4/cfg_kwords.h
	224	--- vtun-3.0.4.org/cfg_kwords.h 2016-10-01 23:27:51.000000000 +0200
	225	+++ vtun-3.0.4/cfg_kwords.h 2021-10-03 20:19:55.633327588 +0200
	226	@@ -37,6 +37,7 @@ struct kword cfg_keyword[] = {
8c9e995e	227	{ "addr", K_ADDR },
8c9e995e	228	{ "iface", K_IFACE },
89f3a989	229	{ "bindaddr", K_BINDADDR },
8c9e995e	230	+ { "sslauth", K_SSLAUTH },
	231	{ "persist", K_PERSIST },
	232	{ "multi", K_MULTI },
	233	{ "iface", K_IFACE },
fd77cfe7 JR	234	diff -urNp -x '*.orig' vtun-3.0.4.org/main.c vtun-3.0.4/main.c
	235	--- vtun-3.0.4.org/main.c 2016-10-01 23:37:39.000000000 +0200
	236	+++ vtun-3.0.4/main.c 2021-10-03 20:19:55.633327588 +0200
	237	@@ -79,6 +79,7 @@ int main(int argc, char argv[], char e
6acf7f8d	238	vtun.cfg_file = VTUN_CONFIG_FILE;
	239	vtun.persist = -1;
	240	vtun.timeout = -1;
	241	+ vtun.sslauth = -1;
	242
	243	/* Dup strings because parser will try to free them */
	244	vtun.ppp = strdup("/usr/sbin/pppd");
fd77cfe7	245	@@ -101,6 +102,11 @@ int main(int argc, char argv[], char e
6acf7f8d	246	default_host.ka_interval = 30;
fd77cfe7	247	default_host.ka_maxfail = 4;
6acf7f8d	248	default_host.loc_fd = default_host.rmt_fd = -1;
	249	+#ifdef HAVE_SSL
	250	+ default_host.sslauth = 1;
	251	+#else /* HAVE_SSL */
	252	+ default_host.sslauth = 0;
	253	+#endif /* HAVE_SSL */
	254
	255	/* Start logging to syslog and stderr */
	256	openlog("vtund", LOG_PID \| LOG_NDELAY \| LOG_PERROR, LOG_DAEMON);
fd77cfe7	257	@@ -181,6 +187,16 @@ int main(int argc, char argv[], char e
6acf7f8d	258	vtun.persist = 0;
	259	if(vtun.timeout == -1)
	260	vtun.timeout = VTUN_TIMEOUT;
	261	+ /*
	262	+ * Want to save behaviour from older version: stronger authentication
	263	+ * if compiled with --enable-ssl, weaker otherwise
	264	+ */
	265	+ if(vtun.sslauth == -1)
	266	+#ifdef HAVE_SSL
	267	+ vtun.sslauth = 1;
	268	+#else /* HAVE_SSL */
	269	+ vtun.sslauth = 0;
	270	+#endif /* HAVE_SSL */
	271
	272	switch( vtun.svr_type ){
	273	case -1:
fd77cfe7 JR	274	diff -urNp -x '*.orig' vtun-3.0.4.org/vtun.h vtun-3.0.4/vtun.h
	275	--- vtun-3.0.4.org/vtun.h 2016-10-01 23:27:51.000000000 +0200
	276	+++ vtun-3.0.4/vtun.h 2021-10-03 20:19:55.633327588 +0200
	277	@@ -100,6 +100,9 @@ struct vtun_host {
8c9e995e	278	int rmt_fd;
	279	int loc_fd;
	280
	281	+ /* SSL strong auth */
	282	+ int sslauth;
	283	+
	284	/* Persist mode */
	285	int persist;
	286
fd77cfe7	287	@@ -205,6 +208,7 @@ extern llist host_list;
8c9e995e	288	struct vtun_opts {
	289	int timeout;
	290	int persist;
	291	+ int sslauth;
	292
	293	char *cfg_file;
	294