2007-06-29 08:25:45 +03:00
|
|
|
/*
|
|
|
|
|
VTun - Virtual Tunnel over TCP/IP network.
|
|
|
|
|
|
2008-01-08 00:35:18 +02:00
|
|
|
Copyright (C) 1998-2008 Maxim Krasnyansky <max_mk@yahoo.com>
|
2007-06-29 08:25:45 +03:00
|
|
|
|
|
|
|
|
VTun has been derived from VPPP package by Maxim Krasnyansky.
|
|
|
|
|
|
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
|
|
|
it under the terms of the GNU General Public License as published by
|
|
|
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
|
|
|
(at your option) any later version.
|
|
|
|
|
|
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
GNU General Public License for more details.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
2013-07-07 22:54:20 +03:00
|
|
|
* $Id: auth.c,v 1.9.2.5 2013/07/07 19:54:20 mtbishop Exp $
|
2007-06-29 08:25:45 +03:00
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Challenge based authentication.
|
|
|
|
|
* Thanx to Chris Todd<christ@insynq.com> for the good idea.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "config.h"
|
|
|
|
|
|
2015-10-08 20:17:30 +03:00
|
|
|
#include <assert.h>
|
2007-06-29 08:25:45 +03:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <string.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <unistd.h>
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <errno.h>
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <signal.h>
|
|
|
|
|
#include <syslog.h>
|
|
|
|
|
#include <time.h>
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_NETINET_IN_H
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_NETINET_TCP_H
|
|
|
|
|
#include <netinet/tcp.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef HAVE_ARPA_INET_H
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#include "vtun.h"
|
|
|
|
|
#include "lib.h"
|
|
|
|
|
#include "lock.h"
|
|
|
|
|
#include "auth.h"
|
|
|
|
|
|
|
|
|
|
/* Encryption and Decryption of the challenge key */
|
2015-10-08 20:17:30 +03:00
|
|
|
#include <sodium.h>
|
2007-06-29 08:25:45 +03:00
|
|
|
|
2015-10-08 20:17:30 +03:00
|
|
|
static int derive_key(struct vtun_host *host)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
2015-10-08 20:17:30 +03:00
|
|
|
unsigned char salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
|
|
|
|
|
int ret = -1;
|
|
|
|
|
|
|
|
|
|
if (host->key != NULL) {
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if ((host->key = sodium_malloc(HOST_KEYBYTES)) == NULL) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
memset(salt, 0xd1, sizeof salt);
|
|
|
|
|
if (crypto_pwhash_scryptsalsa208sha256
|
|
|
|
|
(host->key, HOST_KEYBYTES, host->passwd, strlen(host->passwd), salt,
|
|
|
|
|
crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE,
|
|
|
|
|
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) == 0) {
|
|
|
|
|
ret = 0;
|
|
|
|
|
}
|
|
|
|
|
sodium_memzero(host->passwd, strlen(host->passwd));
|
|
|
|
|
free(host->passwd);
|
|
|
|
|
host->passwd = NULL;
|
|
|
|
|
vtun_syslog(LOG_DEBUG,"Key ready for host %s.", host->host);
|
|
|
|
|
|
|
|
|
|
return ret;
|
2007-06-29 08:25:45 +03:00
|
|
|
}
|
|
|
|
|
|
2015-10-08 20:17:30 +03:00
|
|
|
static void gen_chal(char *chal)
|
|
|
|
|
{
|
|
|
|
|
randombytes_buf((unsigned char *) chal, VTUN_CHAL_SIZE);
|
2007-06-29 08:25:45 +03:00
|
|
|
}
|
|
|
|
|
|
2015-10-08 20:17:30 +03:00
|
|
|
static void auth_chal(char *chal, const struct vtun_host *host)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
2015-10-08 20:17:30 +03:00
|
|
|
crypto_generichash(chal, VTUN_CHAL_SIZE, chal, VTUN_CHAL_SIZE,
|
|
|
|
|
host->key, HOST_KEYBYTES);
|
2007-06-29 08:25:45 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Functions to convert binary flags to character string.
|
|
|
|
|
* string format: <CS64>
|
|
|
|
|
* C - compression, S - speed for shaper and so on.
|
|
|
|
|
*/
|
|
|
|
|
|
2013-07-07 22:54:20 +03:00
|
|
|
static char *bf2cf(struct vtun_host *host)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
|
|
|
|
static char str[20], *ptr = str;
|
|
|
|
|
|
|
|
|
|
*(ptr++) = '<';
|
|
|
|
|
|
|
|
|
|
switch( host->flags & VTUN_PROT_MASK ){
|
|
|
|
|
case VTUN_TCP:
|
|
|
|
|
*(ptr++) = 'T';
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VTUN_UDP:
|
|
|
|
|
*(ptr++) = 'U';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
switch( host->flags & VTUN_TYPE_MASK ){
|
|
|
|
|
case VTUN_TTY:
|
|
|
|
|
*(ptr++) = 't';
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VTUN_PIPE:
|
|
|
|
|
*(ptr++) = 'p';
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VTUN_ETHER:
|
|
|
|
|
*(ptr++) = 'e';
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case VTUN_TUN:
|
|
|
|
|
*(ptr++) = 'u';
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if( (host->flags & VTUN_SHAPE) /* && host->spd_in */)
|
|
|
|
|
ptr += sprintf(ptr,"S%d",host->spd_in);
|
|
|
|
|
|
|
|
|
|
if( host->flags & VTUN_ZLIB )
|
|
|
|
|
ptr += sprintf(ptr,"C%d", host->zlevel);
|
|
|
|
|
|
|
|
|
|
if( host->flags & VTUN_LZO )
|
|
|
|
|
ptr += sprintf(ptr,"L%d", host->zlevel);
|
|
|
|
|
|
|
|
|
|
if( host->flags & VTUN_KEEP_ALIVE )
|
|
|
|
|
*(ptr++) = 'K';
|
|
|
|
|
|
2009-04-24 12:15:33 +03:00
|
|
|
if( host->flags & VTUN_ENCRYPT ) {
|
2015-10-08 13:38:13 +03:00
|
|
|
ptr += sprintf(ptr,"E%d", host->cipher);
|
2009-04-24 12:15:33 +03:00
|
|
|
}
|
2007-06-29 08:25:45 +03:00
|
|
|
|
|
|
|
|
strcat(ptr,">");
|
|
|
|
|
|
|
|
|
|
return str;
|
|
|
|
|
}
|
|
|
|
|
|
2008-01-08 00:12:48 +02:00
|
|
|
/* return 1 on success, otherwise 0
|
|
|
|
|
Example:
|
|
|
|
|
FLAGS: <TuE1>
|
|
|
|
|
*/
|
2007-06-29 08:25:45 +03:00
|
|
|
|
2013-07-07 22:54:20 +03:00
|
|
|
static int cf2bf(char *str, struct vtun_host *host)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
|
|
|
|
char *ptr, *p;
|
|
|
|
|
int s;
|
|
|
|
|
|
|
|
|
|
if( (ptr = strchr(str,'<')) ){
|
2008-01-08 00:12:48 +02:00
|
|
|
vtun_syslog(LOG_DEBUG,"Remote Server sends %s.", ptr);
|
2007-06-29 08:25:45 +03:00
|
|
|
ptr++;
|
|
|
|
|
while(*ptr){
|
|
|
|
|
switch(*ptr++){
|
|
|
|
|
case 't':
|
|
|
|
|
host->flags |= VTUN_TTY;
|
|
|
|
|
break;
|
|
|
|
|
case 'p':
|
|
|
|
|
host->flags |= VTUN_PIPE;
|
|
|
|
|
break;
|
|
|
|
|
case 'e':
|
|
|
|
|
host->flags |= VTUN_ETHER;
|
|
|
|
|
break;
|
|
|
|
|
case 'u':
|
|
|
|
|
host->flags |= VTUN_TUN;
|
|
|
|
|
break;
|
|
|
|
|
case 'U':
|
|
|
|
|
host->flags &= ~VTUN_PROT_MASK;
|
|
|
|
|
host->flags |= VTUN_UDP;
|
|
|
|
|
break;
|
|
|
|
|
case 'T':
|
|
|
|
|
host->flags &= ~VTUN_PROT_MASK;
|
|
|
|
|
host->flags |= VTUN_TCP;
|
|
|
|
|
break;
|
|
|
|
|
case 'K':
|
|
|
|
|
host->flags |= VTUN_KEEP_ALIVE;
|
|
|
|
|
break;
|
|
|
|
|
case 'C':
|
|
|
|
|
if((s = strtol(ptr,&p,10)) == ERANGE || ptr == p)
|
|
|
|
|
return 0;
|
|
|
|
|
host->flags |= VTUN_ZLIB;
|
|
|
|
|
host->zlevel = s;
|
|
|
|
|
ptr = p;
|
|
|
|
|
break;
|
|
|
|
|
case 'L':
|
|
|
|
|
if((s = strtol(ptr,&p,10)) == ERANGE || ptr == p)
|
|
|
|
|
return 0;
|
|
|
|
|
host->flags |= VTUN_LZO;
|
|
|
|
|
host->zlevel = s;
|
|
|
|
|
ptr = p;
|
|
|
|
|
break;
|
|
|
|
|
case 'E':
|
2008-01-08 00:12:48 +02:00
|
|
|
/* new form is 'E10', old form is 'E', so remove the
|
|
|
|
|
ptr==p check */
|
|
|
|
|
if((s = strtol(ptr,&p,10)) == ERANGE) {
|
|
|
|
|
vtun_syslog(LOG_ERR,"Garbled encryption method. Bailing out.");
|
2007-06-29 08:25:45 +03:00
|
|
|
return 0;
|
2008-01-08 00:12:48 +02:00
|
|
|
}
|
2007-06-29 08:25:45 +03:00
|
|
|
host->flags |= VTUN_ENCRYPT;
|
2015-10-08 13:38:13 +03:00
|
|
|
host->cipher = s;
|
2007-06-29 08:25:45 +03:00
|
|
|
ptr = p;
|
|
|
|
|
break;
|
|
|
|
|
case 'S':
|
|
|
|
|
if((s = strtol(ptr,&p,10)) == ERANGE || ptr == p)
|
|
|
|
|
return 0;
|
|
|
|
|
if( s ){
|
|
|
|
|
host->flags |= VTUN_SHAPE;
|
|
|
|
|
host->spd_out = s;
|
|
|
|
|
}
|
|
|
|
|
ptr = p;
|
|
|
|
|
break;
|
2008-01-08 00:12:48 +02:00
|
|
|
case 'F':
|
|
|
|
|
/* reserved for Feature transmit */
|
|
|
|
|
break;
|
2007-06-29 08:25:45 +03:00
|
|
|
case '>':
|
|
|
|
|
return 1;
|
|
|
|
|
default:
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Functions to convert binary key data to character string.
|
|
|
|
|
* string format: <char_data>
|
|
|
|
|
*/
|
|
|
|
|
|
2013-07-07 22:54:20 +03:00
|
|
|
static char *cl2cs(char *chal)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
|
|
|
|
static char str[VTUN_CHAL_SIZE*2+3], *chr="abcdefghijklmnop";
|
|
|
|
|
register char *ptr = str;
|
|
|
|
|
register int i;
|
|
|
|
|
|
|
|
|
|
*(ptr++) = '<';
|
|
|
|
|
for(i=0; i<VTUN_CHAL_SIZE; i++){
|
|
|
|
|
*(ptr++) = chr[ ((chal[i] & 0xf0) >> 4) ];
|
|
|
|
|
*(ptr++) = chr[ (chal[i] & 0x0f) ];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
*(ptr++) = '>';
|
|
|
|
|
*ptr = '\0';
|
|
|
|
|
|
|
|
|
|
return str;
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-07 22:54:20 +03:00
|
|
|
static int cs2cl(char *str, char *chal)
|
2007-06-29 08:25:45 +03:00
|
|
|
{
|
|
|
|
|
register char *ptr = str;
|
|
|
|
|
register int i;
|
|
|
|
|
|
|
|
|
|
if( !(ptr = strchr(str,'<')) )
|
|
|
|
|
return 0;
|
|
|
|
|
ptr++;
|
|
|
|
|
if( !strtok(ptr,">") || strlen(ptr) != VTUN_CHAL_SIZE*2 )
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
for(i=0; i<VTUN_CHAL_SIZE && *ptr; i++, ptr+=2) {
|
|
|
|
|
chal[i] = (*ptr - 'a') << 4;
|
|
|
|
|
chal[i] |= *(ptr+1) - 'a';
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Authentication (Server side) */
|
|
|
|
|
struct vtun_host * auth_server(int fd)
|
|
|
|
|
{
|
|
|
|
|
char chal_req[VTUN_CHAL_SIZE], chal_res[VTUN_CHAL_SIZE];
|
|
|
|
|
char buf[VTUN_MESG_SIZE], *str1, *str2;
|
|
|
|
|
struct vtun_host *h = NULL;
|
|
|
|
|
char *host = NULL;
|
|
|
|
|
int stage;
|
|
|
|
|
|
|
|
|
|
set_title("authentication");
|
|
|
|
|
|
|
|
|
|
print_p(fd,"VTUN server ver %s\n",VTUN_VER);
|
|
|
|
|
|
|
|
|
|
stage = ST_HOST;
|
|
|
|
|
|
|
|
|
|
while( readn_t(fd, buf, VTUN_MESG_SIZE, vtun.timeout) > 0 ){
|
|
|
|
|
buf[sizeof(buf)-1]='\0';
|
|
|
|
|
strtok(buf,"\r\n");
|
|
|
|
|
|
|
|
|
|
if( !(str1=strtok(buf," :")) )
|
|
|
|
|
break;
|
|
|
|
|
if( !(str2=strtok(NULL," :")) )
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
switch( stage ){
|
|
|
|
|
case ST_HOST:
|
|
|
|
|
if( !strcmp(str1,"HOST") ){
|
|
|
|
|
host = strdup(str2);
|
|
|
|
|
|
|
|
|
|
gen_chal(chal_req);
|
|
|
|
|
print_p(fd,"OK CHAL: %s\n", cl2cs(chal_req));
|
|
|
|
|
|
|
|
|
|
stage = ST_CHAL;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case ST_CHAL:
|
|
|
|
|
if( !strcmp(str1,"CHAL") ){
|
|
|
|
|
if( !cs2cl(str2,chal_res) )
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
if( !(h = find_host(host)) )
|
|
|
|
|
break;
|
2015-10-08 20:17:30 +03:00
|
|
|
derive_key(h);
|
|
|
|
|
auth_chal(chal_req, h);
|
2007-06-29 08:25:45 +03:00
|
|
|
|
2015-10-08 20:17:30 +03:00
|
|
|
if( !sodium_memcmp(chal_req, chal_res, VTUN_CHAL_SIZE) ){
|
2007-06-29 08:25:45 +03:00
|
|
|
/* Auth successeful. */
|
|
|
|
|
|
|
|
|
|
/* Lock host */
|
|
|
|
|
if( lock_host(h) < 0 ){
|
|
|
|
|
/* Multiple connections are denied */
|
|
|
|
|
h = NULL;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
print_p(fd,"OK FLAGS: %s\n", bf2cf(h));
|
|
|
|
|
} else
|
|
|
|
|
h = NULL;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if( host )
|
|
|
|
|
free(host);
|
|
|
|
|
|
|
|
|
|
if( !h )
|
|
|
|
|
print_p(fd,"ERR\n");
|
|
|
|
|
|
|
|
|
|
return h;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Authentication (Client side) */
|
|
|
|
|
int auth_client(int fd, struct vtun_host *host)
|
|
|
|
|
{
|
|
|
|
|
char buf[VTUN_MESG_SIZE], chal[VTUN_CHAL_SIZE];
|
|
|
|
|
int stage, success=0 ;
|
|
|
|
|
|
|
|
|
|
stage = ST_INIT;
|
|
|
|
|
|
|
|
|
|
while( readn_t(fd, buf, VTUN_MESG_SIZE, vtun.timeout) > 0 ){
|
|
|
|
|
buf[sizeof(buf)-1]='\0';
|
|
|
|
|
switch( stage ){
|
|
|
|
|
case ST_INIT:
|
|
|
|
|
if( !strncmp(buf,"VTUN",4) ){
|
|
|
|
|
stage = ST_HOST;
|
|
|
|
|
print_p(fd,"HOST: %s\n",host->host);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ST_HOST:
|
|
|
|
|
if( !strncmp(buf,"OK",2) && cs2cl(buf,chal)){
|
|
|
|
|
stage = ST_CHAL;
|
2015-10-08 20:17:30 +03:00
|
|
|
derive_key(host);
|
|
|
|
|
auth_chal(chal, host);
|
2007-06-29 08:25:45 +03:00
|
|
|
print_p(fd,"CHAL: %s\n", cl2cs(chal));
|
|
|
|
|
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case ST_CHAL:
|
|
|
|
|
if( !strncmp(buf,"OK",2) && cf2bf(buf,host) )
|
|
|
|
|
success = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return success;
|
|
|
|
|
}
|
