diff --git a/ChangeLog b/ChangeLog index 3b7c0a0..232f449 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,4 +1,5 @@ 3.0.2: + ref1685781 - vtun3 client should parse vtun2 server encr directives (hch) rfe1744575 - cfg_file.y bugs (mf) rfe1738167 - build on c5 still fails (bc) @@ -68,7 +69,7 @@ ver 2.5: Fixes to support both Linux TUN/TAP drivers. ver 2.5b1: - Encryption fixes: improved challenge generation, padding check. + Encryption fixes: improved challenge generation (jy), padding check. Config parser fixes. Don't allow empty passwords. New config option to specify syslog logging facility. Support for new Linux TUN/TAP driver. diff --git a/Credits b/Credits new file mode 100644 index 0000000..ad9e037 --- /dev/null +++ b/Credits 
@@ -0,0 +1,142 @@ +Author of this package is Maxim Krasnyansky . + +A lot of thanks to the following people for their suggestions and +contributions: + +Gayaneh Krasnyanskaya(Max's Wife) + Initial Web site creation. And a lot of other help :))) + +Alex Korenkov + Testing, bug reports. + +Shukhrat Zakhidov + Testing, bug reports, suggestions. + +Dag Wieers + Initial RPM packager specification file. + RedHat startup script. + Several bug reports. + SOCKS support suggestions. + +Ted Rolle + Spelling fixes. + +Craig Sanders + Debian startup script. + +Catalin Ciocoiu + Reported compilation problems. + +Timur Danyarhojaev + Added client source address option. + +Andreas Kainz + RPM package improvements. + +Chris Todd + Idea of challenge based authentication. + Initial BlowFish encryption code. + Suggestions. + +Garet Krampe + A lot of great ideas. Mailing list. + Web site mirror. + +Denis Zapolsky + Testing. + +Vadim Zaliva + Solaris patches. Suggestions. + +Hurricane Floyd + Max had several vacations. + Bishop had no power or water, and was able + to experience the Third World. + :))))))))))))))))))) + +James B. MacLean + Client persist mode fix. Suggestions. + +Paul + Stress tests, bug reports, suggestions. + +Maksim Yevenkin + TAP driver for FreeBSD. + +Anthon Walters + Web site mirror. Testing. Initial FAQ. + +Ryan Defelice + OpenBSD package maintainer. Provided OpenBSD server for + development and testing + +Alexander Bergolth + Initial multiple connection handling and host lock functionalities. + Improvements and fixes of source address option. Incorrect error + handling fix. Ideas. Suggestions. + +Hubert Feyrer + NetBSD package. + +Hiroharu Tamaru + Updated FreeBSD 4.0 TUN driver support. + +Terry Donaldson + Provided Solaris 8.0 server for development and testing. + +Daniel Podlejski + TUN/TAP driver modifications for 2.3.99-pre5 kernel. + +Michael Tokarev + File descriptors and memory leaks fix. + Tons of other bug fixes and patches. Suggestions. Ideas. 
+ +Xavier + European web site mirror. + +Chris Snell + Mailing list archives. + +Robert Stone + Security enhancements. Suggestions. Ideas. + Encryption and other subsystems rework for 3.X. + +Steinar H. Gunderson + Tons of stability fixes and problem reports. + Ideas and suggestions. + +Yan Seiner + Testing. Bug reports. Suggestions. + +James Yonan + Encryption and other fixes. Suggestions. + +Greg Olszewski + Config parser and other fixes. Suggestions. + +Kevin P. Fleming + Makefile and config parser enhancement. + Other minor fixes and suggestions. + +Robert R. Wal + Added support for iproute command. + +Willems Luc + Initial SuSE packaging. Testing. + +Nickolai Zeldovich + mlockall() support to prevent VM collapse. + +Dale Fountain + Added multiple cipher support. + Added multiple cipher modes support. + Added support for different sized keys. + Re-sync ciphers when using non-ECB modes over a UDP connection. + Fixed Bug#908824 (persist=keep not re-applying routes) + +Alan Grow + Added a Listening Address/Interface (rfe936523) + Cleaned up the code around that portion of the config. + +Hans Carlos Hoffman + Inventive method for vtund3c->vtund2s encryption (rfe1685781) diff --git a/Makefile.in b/Makefile.in index a93731f..d6e4e5f 100644 --- a/Makefile.in +++ b/Makefile.in @@ -15,7 +15,7 @@ # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # -# $Id: Makefile.in,v 1.11.2.1 2007/06/29 05:26:33 mtbishop Exp $ +# $Id: Makefile.in,v 1.11.2.2 2008/01/07 22:12:57 mtbishop Exp $ # CC = @CC@ CFLAGS = @CFLAGS@ @CPPFLAGS@ 
@@ -50,7 +50,7 @@ OBJS = main.o cfg_file.tab.o cfg_file.lex.o server.o client.o lib.o \ llist.o auth.o tunnel.o lock.o netlib.o \ tun_dev.o tap_dev.o pty_dev.o pipe_dev.o \ tcp_proto.o udp_proto.o \ - linkfd.o lfd_shaper.o lfd_zlib.o lfd_lzo.o lfd_encrypt.o + linkfd.o lfd_shaper.o lfd_zlib.o lfd_lzo.o lfd_encrypt.o lfd_legacy_encrypt.o CONFIGURE_FILES = Makefile config.status config.cache config.h config.log diff --git a/auth.c b/auth.c index 7a0fc44..34c09fc 100644 --- a/auth.c +++ b/auth.c @@ -17,15 +17,12 @@ */ /* - * $Id: auth.c,v 1.9.2.1 2007/06/29 05:25:45 mtbishop Exp $ + * $Id: auth.c,v 1.9.2.2 2008/01/07 22:12:48 mtbishop Exp $ */ /* * Challenge based authentication. * Thanx to Chris Todd for the good idea. - * - * Jim Yonan, 05/24/2001 - * gen_chal rewrite to use better random number generator */ #include "config.h" @@ -180,7 +177,10 @@ char *bf2cf(struct vtun_host *host) return str; } -/* return 1 on success, otherwise 0 */ +/* return 1 on success, otherwise 0 + Example: + FLAGS: +*/ int cf2bf(char *str, struct vtun_host *host) { @@ -188,6 +188,7 @@ int cf2bf(char *str, struct vtun_host *host) int s; if( (ptr = strchr(str,'<')) ){ + vtun_syslog(LOG_DEBUG,"Remote Server sends %s.", ptr); ptr++; while(*ptr){ switch(*ptr++){ @@ -229,10 +230,19 @@ int cf2bf(char *str, struct vtun_host *host) ptr = p; break; case 'E': - if((s = strtol(ptr,&p,10)) == ERANGE || ptr == p) + /* new form is 'E10', old form is 'E', so remove the + ptr==p check */ + if((s = strtol(ptr,&p,10)) == ERANGE) { + vtun_syslog(LOG_ERR,"Garbled encryption method. Bailing out."); return 0; + } host->flags |= VTUN_ENCRYPT; - host->cipher = s; + if (0 == s) { + host->cipher = VTUN_LEGACY_ENCRYPT; + vtun_syslog(LOG_INFO,"Remote server using older encryption."); + } else { + host->cipher = s; + } ptr = p; break; case 'S': @@ -244,6 +254,9 @@ int cf2bf(char *str, struct vtun_host *host) } ptr = p; break; + case 'F': + /* reserved for Feature transmit */ + break; case '>': return 1; default: 
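Review bot: The new header comment on cf2bf announces an `Example:` / `FLAGS:` section and then leaves it empty, so it documents nothing. Either fill it with the flag-string format cf2bf parses (the `<...>` string built by bf2cf, one letter per option such as `E` followed by the cipher number, `S`, `F`, and `>` as terminator, all visible in the switch) or drop the two placeholder lines. cf2bf's body continues outside the hunk.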
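Review bot: In the 'E' case of cf2bf, `if((s = strtol(ptr,&p,10)) == ERANGE)` compares the parsed value with ERANGE instead of checking errno, so a real overflow (strtol returns LONG_MAX/LONG_MIN) is accepted while a cipher id that happens to equal the platform's ERANGE value is rejected as garbled; the rewritten line should be `errno = 0; s = strtol(ptr,&p,10); if (errno == ERANGE) {` (note `s` is an int receiving a long). With the `ptr == p` check dropped, a bare `E` or `E` followed by a non-digit parses as 0 and is mapped to VTUN_LEGACY_ENCRYPT, so the remote end alone decides whether this client falls back to the legacy Blowfish-ECB/MD5 path, and nothing here bounds `s` to a known cipher id before it is stored in host->cipher. The fallback is announced only at LOG_INFO; log it at LOG_WARNING so an unexpected downgrade is visible in normal operation, and consider letting the local configuration refuse legacy mode outright. cf2bf's body continues outside the hunk.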
diff --git a/lfd_legacy_encrypt.c b/lfd_legacy_encrypt.c
new file mode 100644
index 0000000..aac0e10
--- /dev/null
+++ b/lfd_legacy_encrypt.c
@@ -0,0 +1,154 @@
+/*
+ VTun - Virtual Tunnel over TCP/IP network.
+
+ Copyright (C) 1998-2000 Maxim Krasnyansky
+
+ VTun has been derived from VPPP package by Maxim Krasnyansky.
+
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ */
+
+/*
+ * $Id: lfd_legacy_encrypt.c,v 1.1.4.1 2008/01/07 22:12:53 mtbishop Exp $
+ * Code added wholesale temporarily from lfd_encrypt 1.2.2.8
+ */
+
+/*
+ Encryption module uses software developed by the OpenSSL Project
+ for use in the OpenSSL Toolkit. (http://www.openssl.org/)
+ Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
+ */
+
+/*
+ * This lfd_encrypt module uses MD5 to create 128 bits encryption
+ * keys and BlowFish for actual data encryption.
+ * It is based on code written by Chris Todd with
+ * several improvements and modifications.
+ */
+
+#include "config.h"
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "vtun.h"
+#include "linkfd.h"
+#include "lib.h"
+
+#ifdef HAVE_SSL
+
+#ifndef __APPLE_CC__
+/* OpenSSL includes */
+#include
+#include
+#else /* YAY - We're MAC OS */
+#include
+#include
+#endif /* __APPLE_CC__ */
+
+#define ENC_BUF_SIZE VTUN_FRAME_SIZE + 16
+#define ENC_KEY_SIZE 16
+
+BF_KEY key;
+char * enc_buf;
+
+int alloc_legacy_encrypt(struct vtun_host *host)
+{
+ if( !(enc_buf = lfd_alloc(ENC_BUF_SIZE)) ){
+ vtun_syslog(LOG_ERR,"Can't allocate buffer for legacy encryptor");
+ return -1;
+ }
+
+ BF_set_key(&key, ENC_KEY_SIZE, MD5(host->passwd,strlen(host->passwd),NULL));
+
+ vtun_syslog(LOG_INFO, "BlowFish legacy encryption initialized");
+ return 0;
+}
+
+int free_legacy_encrypt()
+{
+ lfd_free(enc_buf); enc_buf = NULL;
+ return 0;
+}
+
+int legacy_encrypt_buf(int len, char *in, char **out)
+{
+ register int pad, p;
+ register char *in_ptr = in, *out_ptr = enc_buf;
+
+ /* 8 - ( len % 8 ) */
+ pad = (~len & 0x07) + 1; p = 8 - pad;
+
+ memset(out_ptr, 0, pad);
+ *out_ptr = (char) pad;
+ memcpy(out_ptr + pad, in_ptr, p);
+ BF_ecb_encrypt(out_ptr, out_ptr, &key, BF_ENCRYPT);
+ out_ptr += 8; in_ptr += p;
+ len = len - p;
+
+ for (p=0; p < len; p += 8)
+ BF_ecb_encrypt(in_ptr + p, out_ptr + p, &key, BF_ENCRYPT);
+
+ *out = enc_buf;
+ return len + 8;
+}
+
+int legacy_decrypt_buf(int len, char *in, char **out)
+{
+ register int p;
+
+ for (p = 0; p < len; p += 8)
+ BF_ecb_encrypt(in + p, in + p, &key, BF_DECRYPT);
+
+ p = *in;
+ if (p < 1 || p > 8) {
+ vtun_syslog(LOG_INFO, "legacy_decrypt_buf: bad pad length");
+ return 0;
+ }
+
+ *out = in + p;
+
+ return len - p;
+}
+
+/*
+ * Module structure.
+ */
+struct lfd_mod lfd_legacy_encrypt = {
+ "Encryptor",
+ alloc_legacy_encrypt,
+ legacy_encrypt_buf,
+ NULL,
+ legacy_decrypt_buf,
+ NULL,
+ free_legacy_encrypt,
+ NULL,
+ NULL
+};
+
+#else /* HAVE_SSL */
+
+int no_legacy_encrypt(struct vtun_host *host)
+{
+ vtun_syslog(LOG_INFO, "Encryption is not supported");
+ return -1;
+}
+
+struct lfd_mod lfd_legacy_encrypt = {
+ "Encryptor",
+ no_legacy_encrypt, NULL, NULL, NULL, NULL, NULL, NULL, NULL
+};
+
+#endif /* HAVE_SSL */
diff --git a/linkfd.c b/linkfd.c
index 260b465..5df8bdb 100644
--- a/linkfd.c
+++ b/linkfd.c
@@ -17,7 +17,7 @@
 */
 /*
- * $Id: linkfd.c,v 1.13.2.1 2007/06/29 05:26:19 mtbishop Exp $
+ * $Id: linkfd.c,v 1.13.2.2 2008/01/07 22:12:54 mtbishop Exp $
 */
 #include "config.h"
@@ -365,8 +365,12 @@ int linkfd(struct vtun_host *host)
 lfd_add_mod(&lfd_lzo);
 if(host->flags & VTUN_ENCRYPT)
- lfd_add_mod(&lfd_encrypt);
-
+ if(host->cipher == VTUN_LEGACY_ENCRYPT) {
+ lfd_add_mod(&lfd_legacy_encrypt);
+ } else {
+ lfd_add_mod(&lfd_encrypt);
+ }
+
 if(host->flags & VTUN_SHAPE)
 lfd_add_mod(&lfd_shaper);
diff --git a/linkfd.h b/linkfd.h
index f38460c..9e54eff 100644
--- a/linkfd.h
+++ b/linkfd.h
@@ -17,7 +17,7 @@
 */
 /*
- * $Id: linkfd.h,v 1.4.2.1 2007/06/29 05:26:21 mtbishop Exp $
+ * $Id: linkfd.h,v 1.4.2.2 2008/01/07 22:12:56 mtbishop Exp $
 */
 #ifndef _LINKFD_H
@@ -87,6 +87,7 @@ struct lfd_mod {
 extern struct lfd_mod lfd_zlib;
 extern struct lfd_mod lfd_lzo;
 extern struct lfd_mod lfd_encrypt;
+extern struct lfd_mod lfd_legacy_encrypt;
 extern struct lfd_mod lfd_shaper;
 #endif
diff --git a/vtun.h b/vtun.h
index 05809ee..25aec6d 100644
--- a/vtun.h
+++ b/vtun.h
@@ -17,7 +17,7 @@
 */
 /*
- * $Id: vtun.h,v 1.12.2.1 2007/06/29 05:26:49 mtbishop Exp $
+ * $Id: vtun.h,v 1.12.2.2 2008/01/07 22:12:59 mtbishop Exp $
 */
 #ifndef _VTUN_H
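Review bot: legacy_decrypt_buf trusts the peer-supplied `len`: the `for (p = 0; p < len; p += 8)` loop decrypts a full 8-byte block even when `len` is not a multiple of 8 (reading and writing up to 7 bytes beyond the frame), and `p = *in` is read before anything checks that the frame holds at least the pad block, so a zero-length or short frame reads a byte that is not part of the frame. Add a guard before the loop, `if (len < 8 || (len & 7) != 0) { vtun_syslog(LOG_INFO, "legacy_decrypt_buf: bad frame length"); return 0; }`, mirroring the existing bad-pad path. Two smaller points: `#define ENC_BUF_SIZE VTUN_FRAME_SIZE + 16` is unparenthesized, harmless in `lfd_alloc(ENC_BUF_SIZE)` but wrong in any arithmetic context, so write `(VTUN_FRAME_SIZE + 16)`; and `BF_KEY key` and `char * enc_buf` have external linkage, so they should be `static`, because if lfd_encrypt.c defines the same names these tentative definitions will either fail to link or be silently merged into one object depending on the toolchain, now that both objects are linked in Makefile.in. Since this module is explicitly a compatibility path (Blowfish-ECB keyed from an MD5 of the password, with no integrity check), the file header comment should state that it exists only to interoperate with vtun 2 peers and that new deployments should not depend on it.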
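Review bot: In linkfd the outer `if(host->flags & VTUN_ENCRYPT)` is left without braces while its body became a braced if/else, so the `else` binds correctly only because the inner `if` is braced; brace the outer statement too, `if(host->flags & VTUN_ENCRYPT) {`, with a matching `}` after the inner else block, so a later edit cannot silently change which `if` the `else` belongs to. The selection also depends on host->cipher being exactly the VTUN_LEGACY_ENCRYPT value that cf2bf stores; a comment on the inner `if` such as `/* VTUN_LEGACY_ENCRYPT: peer is a vtun 2 server, see cf2bf() */` would tie the two sites together. linkfd's body continues outside the hunk on both sides.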
@@ -155,6 +155,8 @@ extern llist host_list; #define VTUN_ENC_AES256CFB 15 #define VTUN_ENC_AES256OFB 16 +#define VTUN_LEGACY_ENCRYPT 999 + /* Mask to drop the flags which will be supplied by the server */ #define VTUN_CLNT_MASK 0xf000