- rediff patches

[packages/vtun.git] / vtun-sslauth.patch

diff -urNp -x '*.orig' vtun-3.0.4.org/auth.c vtun-3.0.4/auth.c
--- vtun-3.0.4.org/auth.c       2016-10-01 23:29:28.000000000 +0200
+++ vtun-3.0.4/auth.c   2021-10-03 20:19:55.633327588 +0200
@@ -23,6 +23,10 @@
 /*
  * Challenge based authentication. 
  * Thanx to Chris Todd<christ@insynq.com> for the good idea.
+ *
+ * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
+ *     Add support for connectin ssl to non-ssl vtuns (sslauth option)
+ *     Use /dev/random in non-ssl gen_chal  (if possible)
  */ 
 
 #include "config.h"
@@ -55,34 +59,57 @@
 #include "lock.h"
 #include "auth.h"
 
-/* Encryption and Decryption of the challenge key */
 #ifdef HAVE_SSL
 
 #include <openssl/md5.h>
 #include <openssl/blowfish.h>
 #include <openssl/rand.h>
 
-static void gen_chal(char *buf)
+#endif /* HAVE_SSL */
+
+/* Okay, start the "blue-wire" non-ssl auth patch stuff */
+void nonssl_encrypt_chal(char *chal, char *pwd)
+{
+   char *xor_msk = pwd;
+   register int i, xor_len = strlen(xor_msk);
+
+   syslog(LOG_INFO, "Use nonSSL-aware challenge/response");
+   for(i=0; i < VTUN_CHAL_SIZE; i++)
+      chal[i] ^= xor_msk[i%xor_len];
+}
+
+inline void nonssl_decrypt_chal(char *chal, char *pwd)
+{
+   nonssl_encrypt_chal(chal, pwd);
+}
+/* Mostly ended here, other than a couple replaced #ifdefs */
+
+/* Encryption and Decryption of the challenge-key */
+#ifdef HAVE_SSL
+
+void gen_chal(char *buf)
 {
    RAND_bytes(buf, VTUN_CHAL_SIZE);
 }
 
-static void encrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO, "Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
       BF_ecb_encrypt(chal + i,  chal + i, &key, BF_ENCRYPT);
 }
 
-static void decrypt_chal(char *chal, char *pwd)
+void ssl_decrypt_chal(char *chal, char *pwd)
 { 
    register int i;
    BF_KEY key;
 
+   syslog(LOG_INFO, "Use SSL-aware challenge/response");
    BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
 
    for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
@@ -91,30 +118,43 @@ static void decrypt_chal(char *chal, cha
 
 #else /* HAVE_SSL */
 
-static void encrypt_chal(char *chal, char *pwd)
+/* Generate PSEUDO random challenge key. */
+void gen_chal(char *buf)
 { 
-   char * xor_msk = pwd;
-   register int i, xor_len = strlen(xor_msk);
+   register int i;
+   unsigned int seed;
+   char *pseed;
+   int fd,cnt,len;
+
+   if((fd=open("/dev/random",O_RDONLY))!=-1) {
+      pseed=(char *)&seed;
+      len=cnt=sizeof(seed);
+      while(cnt>0) {
+         cnt=read(fd,pseed,len);
+         len=len-cnt;
+         pseed=pseed+cnt;
+      }
+   } else {
+      seed=time(NULL);
+   }
+   srand(seed);
 
    for(i=0; i < VTUN_CHAL_SIZE; i++)
-      chal[i] ^= xor_msk[i%xor_len];
+      buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
 }
 
-static void inline decrypt_chal(char *chal, char *pwd)
+void ssl_encrypt_chal(char *chal, char *pwd)
 { 
-   encrypt_chal(chal, pwd);
+       syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+       nonssl_encrypt_chal(chal,pwd);
 }
 
-/* Generate PSEUDO random challenge key. */
-static void gen_chal(char *buf)
+void ssl_decrypt_chal(char *chal, char *pwd)
 {
-   register int i;
- 
-   srand(time(NULL));
-
-   for(i=0; i < VTUN_CHAL_SIZE; i++)
-      buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
+       syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
+       nonssl_decrypt_chal(chal,pwd);
 }
+
 #endif /* HAVE_SSL */
 
 /* 
@@ -123,7 +163,7 @@ static void gen_chal(char *buf)
  * C - compression, S - speed for shaper and so on.
  */ 
 
-static char *bf2cf(struct vtun_host *host)
+char *bf2cf(struct vtun_host *host)
 {
      static char str[20], *ptr = str;
 
@@ -187,7 +227,7 @@ static char *bf2cf(struct vtun_host *hos
    FLAGS: <TuE1>
 */
 
-static int cf2bf(char *str, struct vtun_host *host)
+int cf2bf(char *str, struct vtun_host *host)
 {
      char *ptr, *p;
      int s;
@@ -277,7 +317,7 @@ static int cf2bf(char *str, struct vtun_
  * string format:  <char_data> 
  */ 
 
-static char *cl2cs(char *chal)
+char *cl2cs(char *chal)
 {
      static char str[VTUN_CHAL_SIZE*2+3], *chr="abcdefghijklmnop";
      register char *ptr = str;
@@ -295,7 +335,7 @@ static char *cl2cs(char *chal)
      return str;
 }
 
-static int cs2cl(char *str, char *chal)
+int cs2cl(char *str, char *chal)
 {
      register char *ptr = str;
      register int i;
@@ -358,7 +398,11 @@ struct vtun_host * auth_server(int fd)
                   if( !(h = find_host(host)) )
                      break;
 
-                  decrypt_chal(chal_res, h->passwd);                   
+                  if (h->sslauth) {
+                     ssl_decrypt_chal(chal_res, h->passwd);            
+                  } else {
+                     nonssl_decrypt_chal(chal_res, h->passwd);                 
+                  }
        
                   if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
                      /* Auth successeful. */
@@ -410,7 +454,11 @@ int auth_client(int fd, struct vtun_host
                   if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
                      stage = ST_CHAL;
                                        
-                     encrypt_chal(chal,host->passwd);
+                     if (host->sslauth) {
+                        ssl_encrypt_chal(chal,host->passwd);
+                     } else {
+                        nonssl_encrypt_chal(chal,host->passwd);
+                     }
                      print_p(fd,"CHAL: %s\n", cl2cs(chal));
 
                      continue;
diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_file.y vtun-3.0.4/cfg_file.y
--- vtun-3.0.4.org/cfg_file.y   2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/cfg_file.y       2021-10-03 20:19:55.633327588 +0200
@@ -74,7 +74,7 @@ int yyerror(char *s);
 %token K_OPTIONS K_DEFAULT K_PORT K_BINDADDR K_PERSIST K_TIMEOUT
 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE 
 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
-%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
+%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
 
 %token <str> K_HOST K_ERROR
@@ -285,6 +285,13 @@ host_option: '\n'
                        }
                        compress
 
+  | K_SSLAUTH NUM      { 
+                         parse_host->sslauth = $2;
+
+                         if(vtun.sslauth == -1) 
+                            vtun.sslauth = $2;         
+                       }
+
   | K_ENCRYPT NUM      {  
                          if( $2 ){
                             parse_host->flags |= VTUN_ENCRYPT;
diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_kwords.h vtun-3.0.4/cfg_kwords.h
--- vtun-3.0.4.org/cfg_kwords.h 2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/cfg_kwords.h     2021-10-03 20:19:55.633327588 +0200
@@ -37,6 +37,7 @@ struct kword cfg_keyword[] = {
    { "addr",    K_ADDR }, 
    { "iface",           K_IFACE }, 
    { "bindaddr", K_BINDADDR },
+   { "sslauth",         K_SSLAUTH }, 
    { "persist",         K_PERSIST }, 
    { "multi",   K_MULTI }, 
    { "iface",    K_IFACE }, 
diff -urNp -x '*.orig' vtun-3.0.4.org/main.c vtun-3.0.4/main.c
--- vtun-3.0.4.org/main.c       2016-10-01 23:37:39.000000000 +0200
+++ vtun-3.0.4/main.c   2021-10-03 20:19:55.633327588 +0200
@@ -79,6 +79,7 @@ int main(int argc, char *argv[], char *e
      vtun.cfg_file = VTUN_CONFIG_FILE;
      vtun.persist = -1;
      vtun.timeout = -1;
+     vtun.sslauth = -1;
        
      /* Dup strings because parser will try to free them */
      vtun.ppp   = strdup("/usr/sbin/pppd");
@@ -101,6 +102,11 @@ int main(int argc, char *argv[], char *e
      default_host.ka_interval = 30;
      default_host.ka_maxfail  = 4;
      default_host.loc_fd = default_host.rmt_fd = -1;
+#ifdef HAVE_SSL
+     default_host.sslauth = 1;
+#else  /* HAVE_SSL */
+     default_host.sslauth = 0;
+#endif /* HAVE_SSL */
 
      /* Start logging to syslog and stderr */
      openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
@@ -181,6 +187,16 @@ int main(int argc, char *argv[], char *e
        vtun.persist = 0;
      if(vtun.timeout == -1)
        vtun.timeout = VTUN_TIMEOUT;
+    /* 
+     * Want to save behaviour from older version: stronger authentication
+     * if compiled with --enable-ssl, weaker otherwise
+     */
+     if(vtun.sslauth == -1)
+#ifdef HAVE_SSL
+       vtun.sslauth = 1;
+#else  /* HAVE_SSL */
+       vtun.sslauth = 0;
+#endif /* HAVE_SSL */
 
      switch( vtun.svr_type ){
        case -1:
diff -urNp -x '*.orig' vtun-3.0.4.org/vtun.h vtun-3.0.4/vtun.h
--- vtun-3.0.4.org/vtun.h       2016-10-01 23:27:51.000000000 +0200
+++ vtun-3.0.4/vtun.h   2021-10-03 20:19:55.633327588 +0200
@@ -100,6 +100,9 @@ struct vtun_host {
    int  rmt_fd;
    int  loc_fd;
 
+   /* SSL strong auth */
+   int  sslauth;
+
    /* Persist mode */
    int  persist;
 
@@ -205,6 +208,7 @@ extern llist host_list;
 struct vtun_opts {
    int  timeout;
    int  persist;
+   int  sslauth;
 
    char *cfg_file;