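--- a/auth.c
+++ b/auth.c
@@ -23,6 +23,10 @@
 /*
  * Challenge based authentication.
  * Thanx to Chris Todd<christ@insynq.com> for the good idea.
+ *
+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
+ * Add support for connectin ssl to non-ssl vtuns (sslauth option)
+ * Use /dev/random in non-ssl gen_chal (if possible)
  */
 
 #include "config.h"
@@ -55,34 +59,57 @@
 #include "lock.h"
 #include "auth.h"
 
-/* Encryption and Decryption of the challenge key */
 #ifdef HAVE_SSL
 
 #include <openssl/md5.h>
 #include <openssl/blowfish.h>
 #include <openssl/rand.h>
 
-static void gen_chal(char *buf)
+#endif /* HAVE_SSL */
+
+/* Okay, start the "blue-wire" non-ssl auth patch stuff */
+void nonssl_encrypt_chal(char *chal, char *pwd)
+{
+    char *xor_msk = pwd;
+    register int i, xor_len = strlen(xor_msk);
+
+    syslog(LOG_INFO, "Use nonSSL-aware challenge/response");
+    for(i=0; i < VTUN_CHAL_SIZE; i++)
+        chal[i] ^= xor_msk[i%xor_len];
+}
+
+inline void nonssl_decrypt_chal(char *chal, char *pwd)
+{
+    nonssl_encrypt_chal(chal, pwd);
+}
+/* Mostly ended here, other than a couple replaced #ifdefs */
+
+/* Encryption and Decryption of the challenge-key */
+#ifdef HAVE_SSL
+
+void gen_chal(char *buf)
 {
     RAND_bytes(buf, VTUN_CHAL_SIZE);
 }
 
-static void encrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 {
     register int i;
     BF_KEY key;
 
+    syslog(LOG_INFO, "Use SSL-aware challenge/response");
     BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
     for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
         BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
 }
 
-static void decrypt_chal(char *chal, char *pwd)
+void ssl_decrypt_chal(char *chal, char *pwd)
 {
     register int i;
     BF_KEY key;
 
+    syslog(LOG_INFO, "Use SSL-aware challenge/response");
     BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
     for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
@@ -91,30 +118,43 @@ static void decrypt_chal(char *chal, cha
 
 #else /* HAVE_SSL */
 
-static void encrypt_chal(char *chal, char *pwd)
+/* Generate PSEUDO random challenge key. */
+void gen_chal(char *buf)
 {
-    char * xor_msk = pwd;
-    register int i, xor_len = strlen(xor_msk);
+    register int i;
+    unsigned int seed;
+    char *pseed;
+    int fd,cnt,len;
+
+    if((fd=open("/dev/random",O_RDONLY))!=-1) {
+        pseed=(char *)&seed;
+        len=cnt=sizeof(seed);
+        while(cnt>0) {
+            cnt=read(fd,pseed,len);
+            len=len-cnt;
+            pseed=pseed+cnt;
+        }
+    } else {
+        seed=time(NULL);
+    }
+    srand(seed);
 
     for(i=0; i < VTUN_CHAL_SIZE; i++)
-        chal[i] ^= xor_msk[i%xor_len];
+        buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
 }
 
-static void inline decrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 {
-    encrypt_chal(chal, pwd);
+    syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+    nonssl_encrypt_chal(chal,pwd);
 }
 
-/* Generate PSEUDO random challenge key. */
-static void gen_chal(char *buf)
+void ssl_decrypt_chal(char *chal, char *pwd)
 {
-    register int i;
-
-    srand(time(NULL));
-
-    for(i=0; i < VTUN_CHAL_SIZE; i++)
-        buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
+    syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+    nonssl_decrypt_chal(chal,pwd);
 }
+
 #endif /* HAVE_SSL */
 
 /*
@@ -123,7 +163,7 @@ static void gen_chal(char *buf)
  * C - compression, S - speed for shaper and so on.
  */
 
-static char *bf2cf(struct vtun_host *host)
+char *bf2cf(struct vtun_host *host)
 {
     static char str[20], *ptr = str;
 
@@ -187,7 +227,7 @@ static char *bf2cf(struct vtun_host *hos
     FLAGS: <TuE1>
  */
 
-static int cf2bf(char *str, struct vtun_host *host)
+int cf2bf(char *str, struct vtun_host *host)
 {
     char *ptr, *p;
     int s;
@@ -277,7 +317,7 @@ static int cf2bf(char *str, struct vtun_
  * string format: <char_data>
  */
 
-static char *cl2cs(char *chal)
+char *cl2cs(char *chal)
 {
     static char str[VTUN_CHAL_SIZE*2+3], *chr="abcdefghijklmnop";
     register char *ptr = str;
@@ -295,7 +335,7 @@ static char *cl2cs(char *chal)
     return str;
 }
 
-static int cs2cl(char *str, char *chal)
+int cs2cl(char *str, char *chal)
 {
     register char *ptr = str;
     register int i;
@@ -358,7 +398,11 @@ struct vtun_host * auth_server(int fd)
          if( !(h = find_host(host)) )
             break;
 
-         decrypt_chal(chal_res, h->passwd);
+         if (h->sslauth) {
+            ssl_decrypt_chal(chal_res, h->passwd);
+         } else {
+            nonssl_decrypt_chal(chal_res, h->passwd);
+         }
 
          if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
             /* Auth successeful. */
@@ -410,7 +454,11 @@ int auth_client(int fd, struct vtun_host
       if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
          stage = ST_CHAL;
 
-         encrypt_chal(chal,host->passwd);
+         if (host->sslauth) {
+            ssl_encrypt_chal(chal,host->passwd);
+         } else {
+            nonssl_encrypt_chal(chal,host->passwd);
+         }
          print_p(fd,"CHAL: %s\n", cl2cs(chal));
 
          continue;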
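Review bot: The non-SSL gen_chal in the third hunk never closes the /dev/random descriptor, so every challenge leaks an fd, and its read loop is wrong on error: a `read()` returning -1 ends the loop with `len` grown and `pseed` moved backwards, leaving part of `seed` uninitialised before it goes into `srand()`. Even when the read succeeds only four bytes come from the kernel and `rand()` expands them, so a challenge can take at most 2^32 values whatever entropy the device holds, and an observed response can be replayed once a challenge repeats; /dev/random can also block on older kernels, which is unwelcome in an accept path. I would read all VTUN_CHAL_SIZE bytes directly from /dev/urandom with a proper short-read loop, close the descriptor, and keep the time-seeded rand() only as a logged last resort, as below. The same hunk's `ssl_*_chal` stubs silently route an `sslauth yes` host to the XOR scheme after a LOG_ERR; a server that cannot honour the configured method should refuse the peer rather than downgrade it.

```c
/* Fill buf with VTUN_CHAL_SIZE random bytes straight from the kernel RNG;
 * the clock-seeded rand() is only a logged last resort. */
void gen_chal(char *buf)
{
    register int i;
    int fd, got = 0;

    if ((fd = open("/dev/urandom", O_RDONLY)) != -1) {
        while (got < VTUN_CHAL_SIZE) {
            int n = read(fd, buf + got, VTUN_CHAL_SIZE - got);
            if (n <= 0)
                break;          /* error or EOF: fall back below */
            got += n;
        }
        close(fd);
        if (got == VTUN_CHAL_SIZE)
            return;
    }

    syslog(LOG_WARNING, "gen_chal: kernel RNG unavailable, using time-seeded rand()");
    srand(time(NULL));
    for (i = 0; i < VTUN_CHAL_SIZE; i++)
        buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
}
/* … unchanged: ssl_encrypt_chal / ssl_decrypt_chal fallback stubs … */
```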
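--- a/cfg_file.y
+++ b/cfg_file.y
@@ -74,7 +74,7 @@ int yyerror(char *s);
 %token K_OPTIONS K_DEFAULT K_PORT K_BINDADDR K_PERSIST K_TIMEOUT
 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
-%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
+%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
 
 %token <str> K_HOST K_ERROR
@@ -285,6 +285,13 @@ host_option: '\n'
                 }
           compress
 
+        | K_SSLAUTH NUM {
+                parse_host->sslauth = $2;
+
+                if(vtun.sslauth == -1)
+                    vtun.sslauth = $2;
+          }
+
         | K_ENCRYPT NUM {
                 if( $2 ){
                    parse_host->flags |= VTUN_ENCRYPT;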
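Review bot: The `K_SSLAUTH NUM` action in the second hunk stores the value without any note on what `sslauth 0` costs: in the auth.c part of this patch the non-SSL response is the challenge XORed with the password repeated, so anyone who observes both halves of the exchange recovers the password bytes outright, and that belongs in a comment right where the option is introduced, e.g. `/* sslauth 0: XOR-with-password response for non-SSL peers; the password is recoverable by anyone watching the exchange, so prefer 1 wherever both ends have SSL */`. The action also copies `$2` into `vtun.sslauth` only when that global is still -1, so the global ends up holding whichever host block is parsed first, an order-dependent value that nothing in the hunks shown ever reads; either document the intended precedence or drop the assignment. The `host_option` rule continues outside the hunk.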
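--- a/cfg_kwords.h
+++ b/cfg_kwords.h
@@ -37,6 +37,7 @@ struct kword cfg_keyword[] = {
    { "addr", K_ADDR },
    { "iface", K_IFACE },
    { "bindaddr", K_BINDADDR },
+   { "sslauth", K_SSLAUTH },
    { "persist", K_PERSIST },
    { "multi", K_MULTI },
    { "iface", K_IFACE },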
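--- a/main.c
+++ b/main.c
@@ -79,6 +79,7 @@ int main(int argc, char *argv[], char *e
    vtun.cfg_file = VTUN_CONFIG_FILE;
    vtun.persist = -1;
    vtun.timeout = -1;
+   vtun.sslauth = -1;
 
    /* Dup strings because parser will try to free them */
    vtun.ppp = strdup("/usr/sbin/pppd");
@@ -101,6 +102,11 @@ int main(int argc, char *argv[], char *e
    default_host.ka_interval = 30;
    default_host.ka_maxfail = 4;
    default_host.loc_fd = default_host.rmt_fd = -1;
+#ifdef HAVE_SSL
+   default_host.sslauth = 1;
+#else /* HAVE_SSL */
+   default_host.sslauth = 0;
+#endif /* HAVE_SSL */
 
    /* Start logging to syslog and stderr */
    openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
@@ -181,6 +187,16 @@ int main(int argc, char *argv[], char *e
       vtun.persist = 0;
    if(vtun.timeout == -1)
       vtun.timeout = VTUN_TIMEOUT;
+   /*
+    * Want to save behaviour from older version: stronger authentication
+    * if compiled with --enable-ssl, weaker otherwise
+    */
+   if(vtun.sslauth == -1)
+#ifdef HAVE_SSL
+      vtun.sslauth = 1;
+#else /* HAVE_SSL */
+      vtun.sslauth = 0;
+#endif /* HAVE_SSL */
 
    switch( vtun.svr_type ){
       case -1: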
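Review bot: The brace-less `if(vtun.sslauth == -1)` in the third hunk has its one statement chosen by `#ifdef HAVE_SSL`/`#else`, which compiles but is fragile: a second line added to either arm silently escapes the condition. Wrap it as `if(vtun.sslauth == -1) {` … `}` around the preprocessor block, or compute the default once (`int ssl_default = 1;` / `0` under the `#ifdef`) and assign it in a single plain statement. The same compile-time default is written to `default_host.sslauth` in the second hunk and to `vtun.sslauth` here, and within this patch the global is only ever written, so the two copies can drift with no consumer to notice; if nothing reads `vtun.sslauth` the third hunk can go. The comment's "stronger/weaker" would be clearer as `/* HAVE_SSL: Blowfish/MD5 challenge-response; otherwise XOR-with-password (see auth.c) */`.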
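--- a/vtun.h
+++ b/vtun.h
@@ -100,6 +100,9 @@ struct vtun_host {
    int rmt_fd;
    int loc_fd;
 
+   /* SSL strong auth */
+   int sslauth;
+
    /* Persist mode */
    int persist;
 
@@ -205,6 +208,7 @@ extern llist host_list;
 struct vtun_opts {
    int timeout;
    int persist;
+   int sslauth;
 
    char *cfg_file;
 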
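Review bot: The comment `/* SSL strong auth */` on the new `struct vtun_host` field says neither what its values mean nor that the server applies it per host from its own config; from auth.c in this patch the flag selects `ssl_*_chal` (Blowfish keyed by MD5 of the password) when non-zero and `nonssl_*_chal` (XOR with the password) when zero, so I would write `/* Challenge method: 1 = Blowfish/MD5 (needs HAVE_SSL), 0 = XOR with password — weak, password recoverable on the wire; set identically on both peers */`. The `sslauth` added to `struct vtun_opts` in the second hunk carries no comment at all and, as far as this patch shows, has no reader; give it a one-line purpose or drop it. Both structs continue outside the hunks.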