1 diff -urNp -x '*.orig' vtun-3.0.4.org/auth.c vtun-3.0.4/auth.c
2 --- vtun-3.0.4.org/auth.c 2016-10-01 23:29:28.000000000 +0200
3 +++ vtun-3.0.4/auth.c 2021-10-03 20:19:55.633327588 +0200
6 * Challenge based authentication.
7 * Thanx to Chris Todd<christ@insynq.com> for the good idea.
9 + * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
10 + * Add support for connectin ssl to non-ssl vtuns (sslauth option)
11 + * Use /dev/random in non-ssl gen_chal (if possible)
19 -/* Encryption and Decryption of the challenge key */
22 #include <openssl/md5.h>
23 #include <openssl/blowfish.h>
24 #include <openssl/rand.h>
26 -static void gen_chal(char *buf)
27 +#endif /* HAVE_SSL */
29 +/* Okay, start the "blue-wire" non-ssl auth patch stuff */
30 +void nonssl_encrypt_chal(char *chal, char *pwd)
32 + char *xor_msk = pwd;
33 + register int i, xor_len = strlen(xor_msk);
35 + syslog(LOG_INFO, "Use nonSSL-aware challenge/response");
36 + for(i=0; i < VTUN_CHAL_SIZE; i++)
37 + chal[i] ^= xor_msk[i%xor_len];
40 +inline void nonssl_decrypt_chal(char *chal, char *pwd)
42 + nonssl_encrypt_chal(chal, pwd);
44 +/* Mostly ended here, other than a couple replaced #ifdefs */
46 +/* Encryption and Decryption of the challenge-key */
49 +void gen_chal(char *buf)
51 RAND_bytes(buf, VTUN_CHAL_SIZE);
54 -static void encrypt_chal(char *chal, char *pwd)
55 +void ssl_encrypt_chal(char *chal, char *pwd)
60 + syslog(LOG_INFO, "Use SSL-aware challenge/response");
61 BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
63 for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
64 BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
67 -static void decrypt_chal(char *chal, char *pwd)
68 +void ssl_decrypt_chal(char *chal, char *pwd)
73 + syslog(LOG_INFO, "Use SSL-aware challenge/response");
74 BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
76 for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
77 @@ -91,30 +118,43 @@ static void decrypt_chal(char *chal, cha
81 -static void encrypt_chal(char *chal, char *pwd)
82 +/* Generate PSEUDO random challenge key. */
83 +void gen_chal(char *buf)
85 - char * xor_msk = pwd;
86 - register int i, xor_len = strlen(xor_msk);
92 + if((fd=open("/dev/random",O_RDONLY))!=-1) {
93 + pseed=(char *)&seed;
94 + len=cnt=sizeof(seed);
96 + cnt=read(fd,pseed,len);
105 for(i=0; i < VTUN_CHAL_SIZE; i++)
106 - chal[i] ^= xor_msk[i%xor_len];
107 + buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
110 -static void inline decrypt_chal(char *chal, char *pwd)
111 +void ssl_encrypt_chal(char *chal, char *pwd)
113 - encrypt_chal(chal, pwd);
114 + syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
115 + nonssl_encrypt_chal(chal,pwd);
118 -/* Generate PSEUDO random challenge key. */
119 -static void gen_chal(char *buf)
120 +void ssl_decrypt_chal(char *chal, char *pwd)
126 - for(i=0; i < VTUN_CHAL_SIZE; i++)
127 - buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
128 + syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
129 + nonssl_decrypt_chal(chal,pwd);
132 #endif /* HAVE_SSL */
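Review bot: In the non-SSL build the `ssl_encrypt_chal` and `ssl_decrypt_chal` stubs at the end of this hunk log at LOG_ERR and then call `nonssl_encrypt_chal`/`nonssl_decrypt_chal` anyway, so a host explicitly configured with `sslauth yes` is authenticated with the XOR-with-password scheme; both functions return void and neither auth_server nor auth_client checks a result, so the downgrade is invisible to the caller. The same build condition is already evaluated in the main.c hunk where `vtun.sslauth == -1` is resolved, so rejecting an explicit `sslauth yes` there when HAVE_SSL is undefined (or giving these two functions an int return that the callers check) would fail closed instead of falling back silently. In the non-SSL `gen_chal` the seed is read from /dev/random but the challenge bytes still come from `buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);`, so a challenge carries at most `sizeof(seed)` bytes of unpredictability, and the `cnt` returned by `read(fd,pseed,len)` is not visibly compared with `len` or checked for -1; the lines between that read and the loop are missing from this listing, so that may be handled there. A comment above gen_chal such as `/* rand() is seeded from /dev/random when available; the challenge itself is PRNG output, not raw entropy */` would make the limitation explicit for whoever revisits it.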
135 @@ -123,7 +163,7 @@ static void gen_chal(char *buf)
136 * C - compression, S - speed for shaper and so on.
139 -static char *bf2cf(struct vtun_host *host)
140 +char *bf2cf(struct vtun_host *host)
142 static char str[20], *ptr = str;
144 @@ -187,7 +227,7 @@ static char *bf2cf(struct vtun_host *hos
148 -static int cf2bf(char *str, struct vtun_host *host)
149 +int cf2bf(char *str, struct vtun_host *host)
153 @@ -277,7 +317,7 @@ static int cf2bf(char *str, struct vtun_
154 * string format: <char_data>
157 -static char *cl2cs(char *chal)
158 +char *cl2cs(char *chal)
160 static char str[VTUN_CHAL_SIZE*2+3], *chr="abcdefghijklmnop";
161 register char *ptr = str;
162 @@ -295,7 +335,7 @@ static char *cl2cs(char *chal)
166 -static int cs2cl(char *str, char *chal)
167 +int cs2cl(char *str, char *chal)
169 register char *ptr = str;
171 @@ -358,7 +398,11 @@ struct vtun_host * auth_server(int fd)
172 if( !(h = find_host(host)) )
175 - decrypt_chal(chal_res, h->passwd);
177 + ssl_decrypt_chal(chal_res, h->passwd);
179 + nonssl_decrypt_chal(chal_res, h->passwd);
182 if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
183 /* Auth successeful. */
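Review bot: `nonssl_decrypt_chal(chal_res, h->passwd)` reaches `i % strlen(pwd)` in the callee (defined in the first auth.c hunk), so a host entry with an empty `passwd` makes the server hit a modulo by zero here, and a NULL `passwd` would fault inside `strlen`; a guard before the call (`if( !h->passwd || !*h->passwd )` followed by auth_server's existing failure path) avoids an attacker-triggerable crash on a misconfigured host entry, since auth_server starts and ends outside this hunk and its failure exit is not visible here. The lines that choose between `ssl_decrypt_chal` and `nonssl_decrypt_chal` are not in the listing, so it is unclear whether the server branches on `h->sslauth` as auth_client does or on `HAVE_SSL`; the former lets the per-host setting decide and matches the client-side hunk. Independently of the empty-password case, the non-SSL scheme masks the challenge by XOR with the password itself, so its strength rests entirely on the authentication exchange being protected elsewhere; that is pre-existing behaviour, but this commit now makes it selectable in SSL-enabled builds, which deserves a sentence where the `sslauth` option is documented.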
184 @@ -410,7 +454,11 @@ int auth_client(int fd, struct vtun_host
185 if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
188 - encrypt_chal(chal,host->passwd);
189 + if (host->sslauth) {
190 + ssl_encrypt_chal(chal,host->passwd);
192 + nonssl_encrypt_chal(chal,host->passwd);
194 print_p(fd,"CHAL: %s\n", cl2cs(chal));
197 diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_file.y vtun-3.0.4/cfg_file.y
198 --- vtun-3.0.4.org/cfg_file.y 2016-10-01 23:27:51.000000000 +0200
199 +++ vtun-3.0.4/cfg_file.y 2021-10-03 20:19:55.633327588 +0200
200 @@ -74,7 +74,7 @@ int yyerror(char *s);
201 %token K_OPTIONS K_DEFAULT K_PORT K_BINDADDR K_PERSIST K_TIMEOUT
202 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
203 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
204 -%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
205 +%token K_TYPE K_PROT K_NAT_HACK K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
206 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
208 %token <str> K_HOST K_ERROR
209 @@ -285,6 +285,13 @@ host_option: '\n'
214 + parse_host->sslauth = $2;
216 + if(vtun.sslauth == -1)
222 parse_host->flags |= VTUN_ENCRYPT;
223 diff -urNp -x '*.orig' vtun-3.0.4.org/cfg_kwords.h vtun-3.0.4/cfg_kwords.h
224 --- vtun-3.0.4.org/cfg_kwords.h 2016-10-01 23:27:51.000000000 +0200
225 +++ vtun-3.0.4/cfg_kwords.h 2021-10-03 20:19:55.633327588 +0200
226 @@ -37,6 +37,7 @@ struct kword cfg_keyword[] = {
228 { "iface", K_IFACE },
229 { "bindaddr", K_BINDADDR },
230 + { "sslauth", K_SSLAUTH },
231 { "persist", K_PERSIST },
232 { "multi", K_MULTI },
233 { "iface", K_IFACE },
234 diff -urNp -x '*.orig' vtun-3.0.4.org/main.c vtun-3.0.4/main.c
235 --- vtun-3.0.4.org/main.c 2016-10-01 23:37:39.000000000 +0200
236 +++ vtun-3.0.4/main.c 2021-10-03 20:19:55.633327588 +0200
237 @@ -79,6 +79,7 @@ int main(int argc, char *argv[], char *e
238 vtun.cfg_file = VTUN_CONFIG_FILE;
243 /* Dup strings because parser will try to free them */
244 vtun.ppp = strdup("/usr/sbin/pppd");
245 @@ -101,6 +102,11 @@ int main(int argc, char *argv[], char *e
246 default_host.ka_interval = 30;
247 default_host.ka_maxfail = 4;
248 default_host.loc_fd = default_host.rmt_fd = -1;
250 + default_host.sslauth = 1;
251 +#else /* HAVE_SSL */
252 + default_host.sslauth = 0;
253 +#endif /* HAVE_SSL */
255 /* Start logging to syslog and stderr */
256 openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
257 @@ -181,6 +187,16 @@ int main(int argc, char *argv[], char *e
259 if(vtun.timeout == -1)
260 vtun.timeout = VTUN_TIMEOUT;
262 + * Want to save behaviour from older version: stronger authentication
263 + * if compiled with --enable-ssl, weaker otherwise
265 + if(vtun.sslauth == -1)
268 +#else /* HAVE_SSL */
270 +#endif /* HAVE_SSL */
272 switch( vtun.svr_type ){
274 diff -urNp -x '*.orig' vtun-3.0.4.org/vtun.h vtun-3.0.4/vtun.h
275 --- vtun-3.0.4.org/vtun.h 2016-10-01 23:27:51.000000000 +0200
276 +++ vtun-3.0.4/vtun.h 2021-10-03 20:19:55.633327588 +0200
277 @@ -100,6 +100,9 @@ struct vtun_host {
281 + /* SSL strong auth */
287 @@ -205,6 +208,7 @@ extern llist host_list;