[packages/vtun.git] / vtun-sslauth.patch

diff -uNr vtun-2.5-orig/ChangeLog vtun-2.5/ChangeLog
--- vtun-2.5-orig/ChangeLog	Mon Jan 14 23:42:42 2002
+++ vtun-2.5/ChangeLog	Sun Feb 17 23:12:57 2002
@@ -1,3 +1,9 @@
+ver 2.5arc:
+	 Add sslauth option - possible to connect ssl and non-ssl
+	 clients/servers.
+	 If possible use /dev/random in non-ssl gen_chal for random generator
+	 seed.
+
 ver 2.5:
 	 New config option to keep tun device always open
 	 iproute support
diff -uNr vtun-2.5-orig/auth.c vtun-2.5/auth.c
--- vtun-2.5-orig/auth.c	Thu Sep  6 21:43:41 2001
+++ vtun-2.5/auth.c	Mon Feb 18 00:46:52 2002
@@ -26,6 +26,10 @@
  *
  * Jim Yonan, 05/24/2001
  * 	gen_chal rewrite to use better random number generator 
+ *
+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
+ * 	Add support for connectin ssl to non-ssl vtuns (sslauth option)
+ * 	Use /dev/random in non-ssl gen_chal  (if possible)
  */ 
 
 #include "config.h"
@@ -58,34 +62,53 @@
 #include "lock.h"
 #include "auth.h"
 
-/* Encryption and Decryption of the challenge key */
 #ifdef HAVE_SSL
-
 #include <md5.h>
 #include <blowfish.h>
 #include <rand.h>
+#endif
+
+void nonssl_encrypt_chal(char *chal, char *pwd)
+{ 
+   char * xor_msk = pwd;
+   register int i, xor_len = strlen(xor_msk);
+
+   syslog(LOG_INFO,"Use nonSSL-aware challenge/response");
+   for(i=0; i < VTUN_CHAL_SIZE; i++)
+      chal[i] ^= xor_msk[i%xor_len];
+}
+
+void inline nonssl_decrypt_chal(char *chal, char *pwd)
+{ 
+   nonssl_encrypt_chal(chal, pwd);
+}
 
+
+/* Encryption and Decryption of the challenge key */
+#ifdef HAVE_SSL
 void gen_chal(char *buf)
 {
    RAND_bytes(buf, VTUN_CHAL_SIZE);
 }
 
-void encrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO,"Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
       BF_ecb_encrypt(chal + i,  chal + i, &key, BF_ENCRYPT);
 }
 
-void decrypt_chal(char *chal, char *pwd)
+void ssl_decrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO,"Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
@@ -94,30 +117,43 @@
 
 #else /* HAVE_SSL */
 
-void encrypt_chal(char *chal, char *pwd)
-{ 
-   char * xor_msk = pwd;
-   register int i, xor_len = strlen(xor_msk);
-
-   for(i=0; i < VTUN_CHAL_SIZE; i++)
-      chal[i] ^= xor_msk[i%xor_len];
-}
-
-void inline decrypt_chal(char *chal, char *pwd)
-{ 
-   encrypt_chal(chal, pwd);
-}
-
 /* Generate PSEUDO random challenge key. */
 void gen_chal(char *buf)
 {
    register int i;
- 
-   srand(time(NULL));
+   unsigned int seed;
+   char *pseed;
+   int fd,cnt,len;
+
+   if((fd=open("/dev/random",O_RDONLY))!=-1) {
+      pseed=(char *)&seed;
+      len=cnt=sizeof(seed);
+      while(cnt>0) {
+         cnt=read(fd,pseed,len);
+         len=len-cnt;
+         pseed=pseed+cnt;
+      }
+   } else {
+      seed=time(NULL);
+   }
+   srand(seed);
 
    for(i=0; i < VTUN_CHAL_SIZE; i++)
       buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
 }
+
+void ssl_encrypt_chal(char *chal, char *pwd)
+{
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_encrypt_chal(chal,pwd);
+}
+
+void ssl_decrypt_chal(char *chal, char *pwd)
+{
+	syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+	nonssl_decrypt_chal(chal,pwd);
+}
+
 #endif /* HAVE_SSL */
 
 /* 
@@ -336,7 +372,11 @@
 		   if( !(h = find_host(host)) )
 		      break;
 
-		   decrypt_chal(chal_res, h->passwd);   		
+		   if (h->sslauth) {
+		      ssl_decrypt_chal(chal_res, h->passwd);   		
+		   } else {
+		      nonssl_decrypt_chal(chal_res, h->passwd);   		
+		   }
 	
 		   if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
 		      /* Auth successeful. */
@@ -388,7 +428,11 @@
 		   if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
 		      stage = ST_CHAL;
 					
-		      encrypt_chal(chal,host->passwd);
+		      if (host->sslauth) {
+		         ssl_encrypt_chal(chal,host->passwd);
+		      } else {
+		         nonssl_encrypt_chal(chal,host->passwd);
+		      }
 		      print_p(fd,"CHAL: %s\n", cl2cs(chal));
 
 		      continue;
diff -uNr vtun-2.5-orig/cfg_file.y vtun-2.5/cfg_file.y
--- vtun-2.5-orig/cfg_file.y	Sat Feb 16 15:49:22 2002
+++ vtun-2.5/cfg_file.y	Sat Feb 16 18:47:56 2002
@@ -73,7 +73,7 @@
 %token K_OPTIONS K_DEFAULT K_PORT K_PERSIST K_TIMEOUT
 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE 
 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
-%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
+%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
 
 %token <str> K_HOST K_ERROR
@@ -253,6 +253,13 @@
 			  parse_host->flags &= ~(VTUN_ZLIB | VTUN_LZO); 
 			}
 			compress
+
+  | K_SSLAUTH NUM 	{ 
+	      		  parse_host->sslauth = $2;
+
+			  if(vtun.sslauth == -1) 
+			     vtun.sslauth = $2; 	
+			}
 
   | K_ENCRYPT NUM 	{  
 			  if( $2 )
diff -uNr vtun-2.5-orig/cfg_kwords.h vtun-2.5/cfg_kwords.h
--- vtun-2.5-orig/cfg_kwords.h	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/cfg_kwords.h	Sat Feb 16 18:31:30 2002
@@ -36,6 +36,7 @@
    { "srcaddr",  K_SRCADDR }, 
    { "addr",  	 K_ADDR }, 
    { "iface",  	 K_IFACE }, 
+   { "sslauth",	 K_SSLAUTH }, 
    { "persist",	 K_PERSIST }, 
    { "multi",	 K_MULTI }, 
    { "iface",    K_IFACE }, 
diff -uNr vtun-2.5-orig/main.c vtun-2.5/main.c
--- vtun-2.5-orig/main.c	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/main.c	Mon Feb 18 00:31:31 2002
@@ -61,6 +61,7 @@
      vtun.cfg_file = VTUN_CONFIG_FILE;
      vtun.persist = -1;
      vtun.timeout = -1;
+     vtun.sslauth = -1;
 	
      /* Dup strings because parser will try to free them */
      vtun.ppp   = strdup("/usr/sbin/pppd");
@@ -82,6 +83,11 @@
      default_host.ka_interval = 30;
      default_host.ka_failure  = 4;
      default_host.loc_fd = default_host.rmt_fd = -1;
+#ifdef HAVE_SSL
+     default_host.sslauth = 1;
+#else	/* HAVE_SSL */
+     default_host.sslauth = 0;
+#endif	/* HAVE_SSL */
 
      /* Start logging to syslog and stderr */
      openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
@@ -146,6 +152,16 @@
 	vtun.persist = 0;
      if(vtun.timeout == -1)
 	vtun.timeout = VTUN_TIMEOUT;
+    /* 
+     * Want to save behaviour from older version: stronger authentication
+     * if compiled with --enable-ssl, weaker otherwise
+     */
+     if(vtun.sslauth == -1)
+#ifdef HAVE_SSL
+	vtun.sslauth = 1;
+#else	/* HAVE_SSL */
+	vtun.sslauth = 0;
+#endif	/* HAVE_SSL */
 
      switch( vtun.svr_type ){
 	case -1:
diff -uNr vtun-2.5-orig/vtun.h vtun-2.5/vtun.h
--- vtun-2.5-orig/vtun.h	Sat Dec 29 18:01:01 2001
+++ vtun-2.5/vtun.h	Sat Feb 16 18:31:30 2002
@@ -97,6 +97,9 @@
    int  rmt_fd;
    int  loc_fd;
 
+   /* SSL strong auth */
+   int  sslauth;
+
    /* Persist mode */
    int  persist;
 
@@ -170,6 +173,7 @@
 struct vtun_opts {
    int  timeout;
    int  persist;
+   int  sslauth;
 
    char *cfg_file;
Commit	Line	Data
6acf7f8d	1	diff -uNr vtun-2.5-orig/ChangeLog vtun-2.5/ChangeLog
	2	--- vtun-2.5-orig/ChangeLog Mon Jan 14 23:42:42 2002
	3	+++ vtun-2.5/ChangeLog Sun Feb 17 23:12:57 2002
	4	@@ -1,3 +1,9 @@
	5	+ver 2.5arc:
	6	+ Add sslauth option - possible to connect ssl and non-ssl
	7	+ clients/servers.
	8	+ If possible use /dev/random in non-ssl gen_chal for random generator
	9	+ seed.
	10	+
	11	ver 2.5:
	12	New config option to keep tun device always open
	13	iproute support
	14	diff -uNr vtun-2.5-orig/auth.c vtun-2.5/auth.c
8c9e995e	15	--- vtun-2.5-orig/auth.c Thu Sep 6 21:43:41 2001
6acf7f8d	16	+++ vtun-2.5/auth.c Mon Feb 18 00:46:52 2002
6acf7f8d	17	@@ -26,6 +26,10 @@
8c9e995e	18	*
	19	* Jim Yonan, 05/24/2001
	20	* gen_chal rewrite to use better random number generator
	21	+ *
6acf7f8d	22	+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
8c9e995e	23	+ * Add support for connectin ssl to non-ssl vtuns (sslauth option)
6acf7f8d	24	+ * Use /dev/random in non-ssl gen_chal (if possible)
8c9e995e	25	*/
	26
	27	#include "config.h"
6acf7f8d	28	@@ -58,34 +62,53 @@
	29	#include "lock.h"
	30	#include "auth.h"
	31
	32	-/* Encryption and Decryption of the challenge key */
	33	#ifdef HAVE_SSL
	34	-
	35	#include <md5.h>
	36	#include <blowfish.h>
	37	#include <rand.h>
	38	+#endif
	39	+
	40	+void nonssl_encrypt_chal(char chal, char pwd)
	41	+{
	42	+ char * xor_msk = pwd;
	43	+ register int i, xor_len = strlen(xor_msk);
	44	+
	45	+ syslog(LOG_INFO,"Use nonSSL-aware challenge/response");
	46	+ for(i=0; i < VTUN_CHAL_SIZE; i++)
	47	+ chal[i] ^= xor_msk[i%xor_len];
	48	+}
	49	+
	50	+void inline nonssl_decrypt_chal(char chal, char pwd)
	51	+{
	52	+ nonssl_encrypt_chal(chal, pwd);
	53	+}
	54
	55	+
	56	+/* Encryption and Decryption of the challenge key */
	57	+#ifdef HAVE_SSL
	58	void gen_chal(char *buf)
	59	{
8c9e995e	60	RAND_bytes(buf, VTUN_CHAL_SIZE);
	61	}
	62
	63	-void encrypt_chal(char chal, char pwd)
	64	+void ssl_encrypt_chal(char chal, char pwd)
	65	{
	66	register int i;
	67	BF_KEY key;
6acf7f8d	68
	69	+ syslog(LOG_INFO,"Use SSL-aware challenge/response");
	70	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
	71
	72	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
8c9e995e	73	BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
	74	}
	75
	76	-void decrypt_chal(char chal, char pwd)
	77	+void ssl_decrypt_chal(char chal, char pwd)
	78	{
	79	register int i;
	80	BF_KEY key;
6acf7f8d	81
	82	+ syslog(LOG_INFO,"Use SSL-aware challenge/response");
	83	BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
	84
	85	for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
	86	@@ -94,30 +117,43 @@
8c9e995e	87
	88	#else /* HAVE_SSL */
	89
	90	-void encrypt_chal(char chal, char pwd)
	91	-{
	92	- char * xor_msk = pwd;
	93	- register int i, xor_len = strlen(xor_msk);
	94	-
	95	- for(i=0; i < VTUN_CHAL_SIZE; i++)
	96	- chal[i] ^= xor_msk[i%xor_len];
	97	-}
	98	-
	99	-void inline decrypt_chal(char chal, char pwd)
	100	-{
	101	- encrypt_chal(chal, pwd);
	102	-}
	103	-
	104	/* Generate PSEUDO random challenge key. */
	105	void gen_chal(char *buf)
	106	{
6acf7f8d	107	register int i;
	108	-
	109	- srand(time(NULL));
	110	+ unsigned int seed;
	111	+ char *pseed;
	112	+ int fd,cnt,len;
	113	+
	114	+ if((fd=open("/dev/random",O_RDONLY))!=-1) {
	115	+ pseed=(char *)&seed;
	116	+ len=cnt=sizeof(seed);
	117	+ while(cnt>0) {
	118	+ cnt=read(fd,pseed,len);
	119	+ len=len-cnt;
	120	+ pseed=pseed+cnt;
	121	+ }
	122	+ } else {
	123	+ seed=time(NULL);
	124	+ }
	125	+ srand(seed);
	126
8c9e995e	127	for(i=0; i < VTUN_CHAL_SIZE; i++)
	128	buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
	129	}
	130	+
	131	+void ssl_encrypt_chal(char chal, char pwd)
	132	+{
6acf7f8d	133	+ syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
6acf7f8d	134	+ nonssl_encrypt_chal(chal,pwd);
8c9e995e	135	+}
	136	+
	137	+void ssl_decrypt_chal(char chal, char pwd)
	138	+{
6acf7f8d	139	+ syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
6acf7f8d	140	+ nonssl_decrypt_chal(chal,pwd);
8c9e995e	141	+}
	142	+
	143	#endif /* HAVE_SSL */
	144
8c9e995e	145	/*
6acf7f8d	146	@@ -336,7 +372,11 @@
8c9e995e	147	if( !(h = find_host(host)) )
	148	break;
	149
	150	- decrypt_chal(chal_res, h->passwd);
	151	+ if (h->sslauth) {
	152	+ ssl_decrypt_chal(chal_res, h->passwd);
	153	+ } else {
	154	+ nonssl_decrypt_chal(chal_res, h->passwd);
	155	+ }
	156
	157	if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
	158	/* Auth successeful. */
6acf7f8d	159	@@ -388,7 +428,11 @@
8c9e995e	160	if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
	161	stage = ST_CHAL;
	162
	163	- encrypt_chal(chal,host->passwd);
	164	+ if (host->sslauth) {
	165	+ ssl_encrypt_chal(chal,host->passwd);
	166	+ } else {
	167	+ nonssl_encrypt_chal(chal,host->passwd);
	168	+ }
	169	print_p(fd,"CHAL: %s\n", cl2cs(chal));
	170
	171	continue;
6acf7f8d	172	diff -uNr vtun-2.5-orig/cfg_file.y vtun-2.5/cfg_file.y
8c9e995e	173	--- vtun-2.5-orig/cfg_file.y Sat Feb 16 15:49:22 2002
	174	+++ vtun-2.5/cfg_file.y Sat Feb 16 18:47:56 2002
	175	@@ -73,7 +73,7 @@
	176	%token K_OPTIONS K_DEFAULT K_PORT K_PERSIST K_TIMEOUT
	177	%token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
	178	%token K_MULTI K_SRCADDR K_IFACE K_ADDR
	179	-%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
	180	+%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
	181	%token K_UP K_DOWN K_SYSLOG K_IPROUTE
	182
	183	%token <str> K_HOST K_ERROR
	184	@@ -253,6 +253,13 @@
	185	parse_host->flags &= ~(VTUN_ZLIB \| VTUN_LZO);
	186	}
	187	compress
	188	+
	189	+ \| K_SSLAUTH NUM {
	190	+ parse_host->sslauth = $2;
	191	+
	192	+ if(vtun.sslauth == -1)
	193	+ vtun.sslauth = $2;
	194	+ }
	195
	196	\| K_ENCRYPT NUM {
	197	if( $2 )
6acf7f8d	198	diff -uNr vtun-2.5-orig/cfg_kwords.h vtun-2.5/cfg_kwords.h
8c9e995e	199	--- vtun-2.5-orig/cfg_kwords.h Sat Dec 29 18:01:01 2001
	200	+++ vtun-2.5/cfg_kwords.h Sat Feb 16 18:31:30 2002
	201	@@ -36,6 +36,7 @@
	202	{ "srcaddr", K_SRCADDR },
	203	{ "addr", K_ADDR },
	204	{ "iface", K_IFACE },
	205	+ { "sslauth", K_SSLAUTH },
	206	{ "persist", K_PERSIST },
	207	{ "multi", K_MULTI },
	208	{ "iface", K_IFACE },
6acf7f8d	209	diff -uNr vtun-2.5-orig/main.c vtun-2.5/main.c
	210	--- vtun-2.5-orig/main.c Sat Dec 29 18:01:01 2001
	211	+++ vtun-2.5/main.c Mon Feb 18 00:31:31 2002
	212	@@ -61,6 +61,7 @@
	213	vtun.cfg_file = VTUN_CONFIG_FILE;
	214	vtun.persist = -1;
	215	vtun.timeout = -1;
	216	+ vtun.sslauth = -1;
	217
	218	/* Dup strings because parser will try to free them */
	219	vtun.ppp = strdup("/usr/sbin/pppd");
	220	@@ -82,6 +83,11 @@
	221	default_host.ka_interval = 30;
	222	default_host.ka_failure = 4;
	223	default_host.loc_fd = default_host.rmt_fd = -1;
	224	+#ifdef HAVE_SSL
	225	+ default_host.sslauth = 1;
	226	+#else /* HAVE_SSL */
	227	+ default_host.sslauth = 0;
	228	+#endif /* HAVE_SSL */
	229
	230	/* Start logging to syslog and stderr */
	231	openlog("vtund", LOG_PID \| LOG_NDELAY \| LOG_PERROR, LOG_DAEMON);
	232	@@ -146,6 +152,16 @@
	233	vtun.persist = 0;
	234	if(vtun.timeout == -1)
	235	vtun.timeout = VTUN_TIMEOUT;
	236	+ /*
	237	+ * Want to save behaviour from older version: stronger authentication
	238	+ * if compiled with --enable-ssl, weaker otherwise
	239	+ */
	240	+ if(vtun.sslauth == -1)
	241	+#ifdef HAVE_SSL
	242	+ vtun.sslauth = 1;
	243	+#else /* HAVE_SSL */
	244	+ vtun.sslauth = 0;
	245	+#endif /* HAVE_SSL */
	246
	247	switch( vtun.svr_type ){
	248	case -1:
	249	diff -uNr vtun-2.5-orig/vtun.h vtun-2.5/vtun.h
8c9e995e	250	--- vtun-2.5-orig/vtun.h Sat Dec 29 18:01:01 2001
	251	+++ vtun-2.5/vtun.h Sat Feb 16 18:31:30 2002
	252	@@ -97,6 +97,9 @@
	253	int rmt_fd;
	254	int loc_fd;
	255
	256	+ /* SSL strong auth */
	257	+ int sslauth;
	258	+
	259	/* Persist mode */
	260	int persist;
	261
	262	@@ -170,6 +173,7 @@
	263	struct vtun_opts {
	264	int timeout;
	265	int persist;
	266	+ int sslauth;
	267
	268	char *cfg_file;
	269