1 diff -uNr vtun-2.5-orig/ChangeLog vtun-2.5/ChangeLog
2 --- vtun-2.5-orig/ChangeLog Mon Jan 14 23:42:42 2002
3 +++ vtun-2.5/ChangeLog Sun Feb 17 23:12:57 2002
6 + Add sslauth option - possible to connect ssl and non-ssl
8 + If possible use /dev/random in non-ssl gen_chal for random generator
12 New config option to keep tun device always open
14 diff -uNr vtun-2.5-orig/auth.c vtun-2.5/auth.c
15 --- vtun-2.5-orig/auth.c Thu Sep 6 21:43:41 2001
16 +++ vtun-2.5/auth.c Mon Feb 18 00:46:52 2002
19 * Jim Yonan, 05/24/2001
20 * gen_chal rewrite to use better random number generator
22 + * Artur R. Czechowski <arturcz@hell.pl>, 02/17/2002
23 + * Add support for connectin ssl to non-ssl vtuns (sslauth option)
24 + * Use /dev/random in non-ssl gen_chal (if possible)
32 -/* Encryption and Decryption of the challenge key */
40 +void nonssl_encrypt_chal(char *chal, char *pwd)
42 + char * xor_msk = pwd;
43 + register int i, xor_len = strlen(xor_msk);
45 + syslog(LOG_INFO,"Use nonSSL-aware challenge/response");
46 + for(i=0; i < VTUN_CHAL_SIZE; i++)
47 + chal[i] ^= xor_msk[i%xor_len];
50 +void inline nonssl_decrypt_chal(char *chal, char *pwd)
52 + nonssl_encrypt_chal(chal, pwd);
56 +/* Encryption and Decryption of the challenge key */
58 void gen_chal(char *buf)
60 RAND_bytes(buf, VTUN_CHAL_SIZE);
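Review bot: `nonssl_encrypt_chal` uses `xor_len` as a divisor in `chal[i] ^= xor_msk[i%xor_len]`, so an empty password (`strlen(pwd) == 0`) is a modulo by zero; the expression is carried over from the removed `encrypt_chal`, but the function is now also reachable from SSL builds through `sslauth no`, so it should guard the case before the loop, e.g. `if (xor_len == 0) { syslog(LOG_ERR, "empty password in challenge"); return; }`. Whether the parser already rejects an empty or missing `passwd` is not visible here, so the guard may be redundant in practice. The function bodies in this hunk are shown only in excerpt, so neighbouring lines may already differ from what is visible.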
63 -void encrypt_chal(char *chal, char *pwd)
64 +void ssl_encrypt_chal(char *chal, char *pwd)
69 + syslog(LOG_INFO,"Use SSL-aware challenge/response");
70 BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
72 for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
73 BF_ecb_encrypt(chal + i, chal + i, &key, BF_ENCRYPT);
76 -void decrypt_chal(char *chal, char *pwd)
77 +void ssl_decrypt_chal(char *chal, char *pwd)
82 + syslog(LOG_INFO,"Use SSL-aware challenge/response");
83 BF_set_key(&key, 16, MD5(pwd,strlen(pwd),NULL));
85 for(i=0; i < VTUN_CHAL_SIZE; i += 8 )
90 -void encrypt_chal(char *chal, char *pwd)
92 - char * xor_msk = pwd;
93 - register int i, xor_len = strlen(xor_msk);
95 - for(i=0; i < VTUN_CHAL_SIZE; i++)
96 - chal[i] ^= xor_msk[i%xor_len];
99 -void inline decrypt_chal(char *chal, char *pwd)
101 - encrypt_chal(chal, pwd);
104 /* Generate PSEUDO random challenge key. */
105 void gen_chal(char *buf)
114 + if((fd=open("/dev/random",O_RDONLY))!=-1) {
115 + pseed=(char *)&seed;
116 + len=cnt=sizeof(seed);
118 + cnt=read(fd,pseed,len);
127 for(i=0; i < VTUN_CHAL_SIZE; i++)
128 buf[i] = (unsigned int)(255.0 * rand()/RAND_MAX);
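Review bot: The non-SSL `gen_chal` reads only `sizeof(seed)` bytes from `/dev/random` (lines 114-118) and then expands them through `rand()`, so the whole `VTUN_CHAL_SIZE` challenge carries at most `sizeof(seed)` bytes of entropy, and `/dev/random` can block the daemon when the kernel pool is low. Since the device is already being opened, it is simpler and stronger to fill `buf` directly from it (`/dev/urandom` does not block and is adequate for a challenge nonce), keeping the seed-and-`rand()` path only as the fallback when the open or read fails. The `read()` result is stored in `cnt` at line 118, but its handling and the `close(fd)` fall outside the lines shown, so confirm that short reads and the descriptor are dealt with there.
```c
void gen_chal(char *buf)
{
    int fd, i;
    size_t got = 0;

    /* Fill the whole challenge from the kernel RNG when available; urandom does not block. */
    if ((fd = open("/dev/urandom", O_RDONLY)) != -1) {
        while (got < VTUN_CHAL_SIZE) {
            ssize_t r = read(fd, buf + got, VTUN_CHAL_SIZE - got);
            if (r <= 0)
                break;
            got += (size_t)r;
        }
        close(fd);
        if (got == VTUN_CHAL_SIZE)
            return;
    }
    /* … unchanged: seed rand() and fill buf[i] from rand() as the fallback … */
```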
131 +void ssl_encrypt_chal(char *chal, char *pwd)
133 + syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
134 + nonssl_encrypt_chal(chal,pwd);
137 +void ssl_decrypt_chal(char *chal, char *pwd)
139 + syslog(LOG_ERR,"Cannot use `sslauth yes' without SSL support - fallback to `sslauth no'");
140 + nonssl_decrypt_chal(chal,pwd);
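Review bot: In the non-SSL build the `ssl_encrypt_chal`/`ssl_decrypt_chal` stubs downgrade `sslauth yes` to the XOR scheme after a LOG_ERR message, so a host explicitly configured for the stronger check authenticates with the weaker one on every handshake, and the message repeats per connection. A configuration that asks for a feature the binary lacks is better rejected once: refuse `sslauth yes` in the parser (the `parse_host->sslauth = $2;` assignment in cfg_file.y) when HAVE_SSL is not defined, or have `auth_server`/`auth_client` treat the case as a failed authentication instead of calling the stubs. If the fallback is kept deliberately so one config file can serve both builds, say so above the stubs, e.g. `/* Non-SSL build: sslauth yes is honoured as sslauth no; both peers must agree. */`.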
143 #endif /* HAVE_SSL */
147 if( !(h = find_host(host)) )
150 - decrypt_chal(chal_res, h->passwd);
152 + ssl_decrypt_chal(chal_res, h->passwd);
154 + nonssl_decrypt_chal(chal_res, h->passwd);
157 if( !memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
158 /* Auth successeful. */
160 if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
163 - encrypt_chal(chal,host->passwd);
164 + if (host->sslauth) {
165 + ssl_encrypt_chal(chal,host->passwd);
167 + nonssl_encrypt_chal(chal,host->passwd);
169 print_p(fd,"CHAL: %s\n", cl2cs(chal));
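Review bot: Each peer picks the challenge scheme from its own `sslauth` flag (`host->sslauth` on the client at lines 164-167, and what appears to be the matching test on the server before lines 152-154) and nothing is negotiated on the wire, so a mismatch simply fails the `memcmp` at line 157 with only the LOG_INFO "Use ... challenge/response" lines as a hint. The option's documentation should state that `sslauth` must match on both ends, and that `sslauth no` on an SSL-capable build weakens the exchange, since the XOR challenge/response protects the password far less against an observer of the handshake than the Blowfish variant the comment in main.c calls the "stronger authentication". Logging at `LOG_WARNING` rather than `LOG_INFO` when the non-SSL path is taken in an SSL build would make that downgrade visible in logs. The server-side condition between lines 150 and 152 is not shown, so the `h->sslauth` test is inferred.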
172 diff -uNr vtun-2.5-orig/cfg_file.y vtun-2.5/cfg_file.y
173 --- vtun-2.5-orig/cfg_file.y Sat Feb 16 15:49:22 2002
174 +++ vtun-2.5/cfg_file.y Sat Feb 16 18:47:56 2002
176 %token K_OPTIONS K_DEFAULT K_PORT K_PERSIST K_TIMEOUT
177 %token K_PASSWD K_PROG K_PPP K_SPEED K_IFCFG K_FWALL K_ROUTE K_DEVICE
178 %token K_MULTI K_SRCADDR K_IFACE K_ADDR
179 -%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT
180 +%token K_TYPE K_PROT K_COMPRESS K_ENCRYPT K_KALIVE K_STAT K_SSLAUTH
181 %token K_UP K_DOWN K_SYSLOG K_IPROUTE
183 %token <str> K_HOST K_ERROR
185 parse_host->flags &= ~(VTUN_ZLIB | VTUN_LZO);
190 + parse_host->sslauth = $2;
192 + if(vtun.sslauth == -1)
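Review bot: `parse_host->sslauth = $2;` at line 190 stores the token value unchecked; if the rule's second symbol is a numeric literal rather than a yes/no keyword, any nonzero value is later treated as `sslauth yes` by the `if (host->sslauth)` tests in auth.c. Normalising it, `parse_host->sslauth = ($2 != 0);`, or restricting the grammar to the boolean keywords keeps the flag to 0/1. The rule's left-hand side and the type of `$2` are outside the lines shown, so this is inferred from the assignment alone.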
198 diff -uNr vtun-2.5-orig/cfg_kwords.h vtun-2.5/cfg_kwords.h
199 --- vtun-2.5-orig/cfg_kwords.h Sat Dec 29 18:01:01 2001
200 +++ vtun-2.5/cfg_kwords.h Sat Feb 16 18:31:30 2002
202 { "srcaddr", K_SRCADDR },
204 { "iface", K_IFACE },
205 + { "sslauth", K_SSLAUTH },
206 { "persist", K_PERSIST },
207 { "multi", K_MULTI },
208 { "iface", K_IFACE },
209 diff -uNr vtun-2.5-orig/main.c vtun-2.5/main.c
210 --- vtun-2.5-orig/main.c Sat Dec 29 18:01:01 2001
211 +++ vtun-2.5/main.c Mon Feb 18 00:31:31 2002
213 vtun.cfg_file = VTUN_CONFIG_FILE;
218 /* Dup strings because parser will try to free them */
219 vtun.ppp = strdup("/usr/sbin/pppd");
221 default_host.ka_interval = 30;
222 default_host.ka_failure = 4;
223 default_host.loc_fd = default_host.rmt_fd = -1;
225 + default_host.sslauth = 1;
226 +#else /* HAVE_SSL */
227 + default_host.sslauth = 0;
228 +#endif /* HAVE_SSL */
230 /* Start logging to syslog and stderr */
231 openlog("vtund", LOG_PID | LOG_NDELAY | LOG_PERROR, LOG_DAEMON);
234 if(vtun.timeout == -1)
235 vtun.timeout = VTUN_TIMEOUT;
237 + * Want to save behaviour from older version: stronger authentication
238 + * if compiled with --enable-ssl, weaker otherwise
240 + if(vtun.sslauth == -1)
243 +#else /* HAVE_SSL */
245 +#endif /* HAVE_SSL */
247 switch( vtun.svr_type ){
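Review bot: The SSL-dependent default for `sslauth` is written twice in main.c, once into `default_host.sslauth` (lines 225-228) and again into `vtun.sslauth` under the `== -1` check (lines 240-245), each with its own `#ifdef HAVE_SSL` pair. Folding both into one constant in vtun.h, e.g. `#define VTUN_SSLAUTH_DEFAULT 1` under `#ifdef HAVE_SSL` and `0` otherwise (name constructed here), leaves a single `#ifdef` and keeps the two defaults from drifting. The relation between `vtun.sslauth` and the per-host flag (cfg_file.y line 192 also tests `vtun.sslauth == -1`) is only partly visible in this patch, so verify the order in which the two are applied.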
249 diff -uNr vtun-2.5-orig/vtun.h vtun-2.5/vtun.h
250 --- vtun-2.5-orig/vtun.h Sat Dec 29 18:01:01 2001
251 +++ vtun-2.5/vtun.h Sat Feb 16 18:31:30 2002
256 + /* SSL strong auth */