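diff -uNr vtun-2.5-orig/ChangeLog vtun-2.5/ChangeLog
--- vtun-2.5-orig/ChangeLog	Mon Jan 14 23:42:42 2002
+++ vtun-2.5/ChangeLog	Sun Feb 17 23:12:57 2002
@@ -1,3 +1,9 @@
+ver 2.5arc:
+	Add sslauth option - possible to connect ssl and non-ssl
+	clients/servers.
+	If possible use /dev/random in non-ssl gen_chal for random generator
+	seed.
+
 ver 2.5:
 	New config option to keep tun device always open
 	iproute support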
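diff -uNr vtun-2.5-orig/auth.c vtun-2.5/auth.c
--- vtun-2.5-orig/auth.c	Thu Sep 6 21:43:41 2001
+++ vtun-2.5/auth.c	Mon Feb 18 00:46:52 2002
@@ -26,6 +26,10 @@
  *
  * Jim Yonan, 05/24/2001
  * gen_chal rewrite to use better random number generator
+ *
+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
+ * Add support for connectin ssl to non-ssl vtuns (sslauth option)
+ * Use /dev/random in non-ssl gen_chal (if possible)
  */
 
 #include "config.h"
@@ -58,34 +62,53 @@
 #include "lock.h"
 #include "auth.h"
 
-/* Encryption and Decryption of the challenge key */
 #ifdef HAVE_SSL
-
 #include <md5.h>
 #include <blowfish.h>
 #include <rand.h>
+#endif
+
+void nonssl_encrypt_chal(char *chal, char *pwd)
+{
+	char * xor_msk = pwd;
+	register int i, xor_len = strlen(xor_msk);
+
+	syslog(LOG_INFO,"Use nonSSL-aware challenge/response");
+	for(i=0; i < VTUN_CHAL_SIZE; i++)
+	   chal[i] ^= xor_msk[i%xor_len];
+}
+
+void inline nonssl_decrypt_chal(char *chal, char *pwd)
+{
+	nonssl_encrypt_chal(chal, pwd);
+}
 
+
+/* Encryption and Decryption of the challenge key */
+#ifdef HAVE_SSL
 void gen_chal(char *buf)
 {
 	RAND_bytes(buf, VTUN_CHAL_SIZE);
 }
 
-void encrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 {
 	register int i;
 	BF_KEY key;
 
+	syslog(LOG_INFO,"Use SSL-aware challenge/response");
 	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
 	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
 	   BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
 }
 
-void decrypt_chal(char *chal, char *pwd)
+void ssl_decrypt_chal(char *chal, char *pwd)
 {
 	register int i;
 	BF_KEY key;
 
+	syslog(LOG_INFO,"Use SSL-aware challenge/response");
 	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
 	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
@@ -94,30 +117,43 @@
 
 #else /* HAVE_SSL */
 
-void encrypt_chal(char *chal, char *pwd)
-{
-	char * xor_msk = pwd;
-	register int i, xor_len = strlen(xor_msk);
-
-	for(i=0; i < VTUN_CHAL_SIZE; i++)
-	   chal[i] ^= xor_msk[i%xor_len];
-}
-
-void inline decrypt_chal(char *chal, char *pwd)
-{
-	encrypt_chal(chal, pwd);
-}
-
 /* Generate PSEUDO random challenge key. */
 void gen_chal(char *buf)
 {
 	register int i;
-
-	srand(time(NULL));
+	unsigned int seed;
+	char *pseed;
+	int fd,cnt,len;
+
+	if((fd=open("/dev/random",O_RDONLY))!=-1) {
+		pseed=(char *)&seed;
+		len=cnt=sizeof(seed);
+		while(cnt>0) {
+			cnt=read(fd,pseed,len);
+			len=len-cnt;
+			pseed=pseed+cnt;
+		}
+	} else {
+		seed=time(NULL);
+	}
+	srand(seed);
 
 	for(i=0; i < VTUN_CHAL_SIZE; i++)
 	   buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
 }
+
+void ssl_encrypt_chal(char *chal, char *pwd)
+{
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_encrypt_chal(chal,pwd);
+}
+
+void ssl_decrypt_chal(char *chal, char *pwd)
+{
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_decrypt_chal(chal,pwd);
+}
+
 #endif /* HAVE_SSL */
 
 /*
@@ -336,7 +372,11 @@
 	if( !(h = find_host(host)) )
 	   break;
 
-	decrypt_chal(chal_res, h->passwd);
+	if (h->sslauth) {
+	   ssl_decrypt_chal(chal_res, h->passwd);
+	} else {
+	   nonssl_decrypt_chal(chal_res, h->passwd);
+	}
 
 	if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
 	   /* Auth successeful. */
@@ -388,7 +428,11 @@
 	if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
 	   stage = ST_CHAL;
 
-	   encrypt_chal(chal,host->passwd);
+	   if (host->sslauth) {
+	      ssl_encrypt_chal(chal,host->passwd);
+	   } else {
+	      nonssl_encrypt_chal(chal,host->passwd);
+	   }
 	   print_p(fd,"CHAL: %s\n", cl2cs(chal));
 
 	   continue;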
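Review bot: The `/dev/random` loop added to the non-SSL gen_chal in the third hunk never closes `fd`, so every challenge leaks a descriptor, and a `read()` error (-1) or EOF (0) ends `while(cnt>0)` with `seed` partly or wholly uninitialized after `len` and `pseed` have been moved by the non-positive count. The loop should stop on `cnt<=0`, fall back to `time(NULL)` whenever `seed` was not completely filled, and `close(fd)` afterwards; a rewrite is below (EINTR handling is left out, add it if auth.c already includes `<errno.h>`, and the hunk does not show whether `<fcntl.h>`/`<unistd.h>` are included for `open`/`read`/`O_RDONLY`). `/dev/random` may also block on a host with a depleted entropy pool, stalling the daemon for every client that authenticates, so `/dev/urandom` is the usual choice for a PRNG seed. Separately, the `ssl_encrypt_chal`/`ssl_decrypt_chal` stubs in the `#else` branch turn `sslauth yes` on a non-SSL build into a logged fallback to the XOR scheme, silently lowering the authentication strength the operator configured; refusing the handshake, or rejecting the option when the config is parsed, would be the safer behaviour.
```c
void gen_chal(char *buf)
{
	register int i;
	unsigned int seed;
	char *pseed = (char *)&seed;
	int fd, cnt, len = sizeof(seed);

	if((fd=open("/dev/random",O_RDONLY))!=-1) {
		while(len>0) {
			cnt=read(fd,pseed,len);
			if(cnt<=0)
				break;	/* error or EOF: len stays > 0 */
			len-=cnt;
			pseed+=cnt;
		}
		close(fd);
	}
	if(fd==-1 || len>0)
		seed=time(NULL);	/* weak fallback, same as before the patch */
	srand(seed);

	/* … unchanged: rand() fill of buf … */
}
```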
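diff -uNr vtun-2.5-orig/cfg_file.y vtun-2.5/cfg_file.y
--- vtun-2.5-orig/cfg_file.y	Sat Feb 16 15:49:22 2002
+++ vtun-2.5/cfg_file.y	Sat Feb 16 18:47:56 2002
@@ -73,7 +73,7 @@
 %token K_OPTIONS K_DEFAULT K_PORT K_PERSIST K_TIMEOUT
 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
-%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
+%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
 
 %token <str> K_HOST K_ERROR
@@ -253,6 +253,13 @@
 	parse_host->flags &= ~(VTUN_ZLIB | VTUN_LZO);
 	}
 	compress
+
+	| K_SSLAUTH NUM {
+		parse_host->sslauth = $2;
+
+		if(vtun.sslauth == -1)
+			vtun.sslauth = $2;
+	}
 
 	| K_ENCRYPT NUM {
 	if( $2 )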
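Review bot: `parse_host->sslauth = $2;` in the new `K_SSLAUTH NUM` rule stores the number unchecked, so `sslauth 7` is accepted and, because auth.c only tests the field for truthiness, behaves like `yes` without any diagnostic. Reporting a configuration error for values other than 0 and 1, the way the grammar handles other malformed options, would make a typo visible at startup rather than at authentication time. The trailing `if(vtun.sslauth == -1) vtun.sslauth = $2;` presumably lets the first host that sets the option fill in the global default, mirroring the persist/timeout handling; a one-line comment saying so, e.g. `/* first explicit sslauth also becomes the global default */`, would save the next reader from guessing. The enclosing grammar rule starts outside this hunk.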
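diff -uNr vtun-2.5-orig/cfg_kwords.h vtun-2.5/cfg_kwords.h
--- vtun-2.5-orig/cfg_kwords.h	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/cfg_kwords.h	Sat Feb 16 18:31:30 2002
@@ -36,6 +36,7 @@
    { "srcaddr", K_SRCADDR },
    { "addr", K_ADDR },
    { "iface", K_IFACE },
+   { "sslauth", K_SSLAUTH },
    { "persist", K_PERSIST },
    { "multi", K_MULTI },
    { "iface", K_IFACE },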
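diff -uNr vtun-2.5-orig/main.c vtun-2.5/main.c
--- vtun-2.5-orig/main.c	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/main.c	Mon Feb 18 00:31:31 2002
@@ -61,6 +61,7 @@
 	vtun.cfg_file = VTUN_CONFIG_FILE;
 	vtun.persist = -1;
 	vtun.timeout = -1;
+	vtun.sslauth = -1;
 
 	/* Dup strings because parser will try to free them */
 	vtun.ppp = strdup("/usr/sbin/pppd");
@@ -82,6 +83,11 @@
 	default_host.ka_interval = 30;
 	default_host.ka_failure = 4;
 	default_host.loc_fd = default_host.rmt_fd = -1;
+#ifdef HAVE_SSL
+	default_host.sslauth = 1;
+#else /* HAVE_SSL */
+	default_host.sslauth = 0;
+#endif /* HAVE_SSL */
 
 	/* Start logging to syslog and stderr */
 	openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
@@ -146,6 +152,16 @@
 	vtun.persist = 0;
 	if(vtun.timeout == -1)
 	   vtun.timeout = VTUN_TIMEOUT;
+	/*
+	 * Want to save behaviour from older version: stronger authentication
+	 * if compiled with --enable-ssl, weaker otherwise
+	 */
+	if(vtun.sslauth == -1)
+#ifdef HAVE_SSL
+	   vtun.sslauth = 1;
+#else /* HAVE_SSL */
+	   vtun.sslauth = 0;
+#endif /* HAVE_SSL */
 
 	switch( vtun.svr_type ){
 	case -1: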
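Review bot: The `if(vtun.sslauth == -1)` at the end of the third hunk has an unbraced body that is split across `#ifdef HAVE_SSL`/`#else`, which reads awkwardly and breaks the moment a second statement is added to either branch; the second hunk repeats the same preprocessor ladder for `default_host.sslauth`. Defining the build default once near the top of the file (an `#ifdef HAVE_SSL` block choosing `#define VTUN_SSLAUTH_DEFAULT 1` or `0` — name constructed here) and writing `default_host.sslauth = VTUN_SSLAUTH_DEFAULT;` and `if(vtun.sslauth == -1) vtun.sslauth = VTUN_SSLAUTH_DEFAULT;` keeps both sites in step and removes the split `if`. None of the hunks in this patch read `vtun.sslauth` — auth.c tests the per-host `h->sslauth`/`host->sslauth` — so unless code outside the patch consults it, the global is initialised but never used. The comment above the block would serve better by stating the effect, e.g. `/* Default per build: with SSL the Blowfish challenge (sslauth 1), otherwise the XOR challenge (sslauth 0), as in releases before 2.5arc */`.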
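diff -uNr vtun-2.5-orig/vtun.h vtun-2.5/vtun.h
--- vtun-2.5-orig/vtun.h	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/vtun.h	Sat Feb 16 18:31:30 2002
@@ -97,6 +97,9 @@
 	int rmt_fd;
 	int loc_fd;
 
+	/* SSL strong auth */
+	int sslauth;
+
 	/* Persist mode */
 	int persist;
 
@@ -170,6 +173,7 @@
 struct vtun_opts {
 	int timeout;
 	int persist;
+	int sslauth;
 
 	char *cfg_file;
 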