diff --git a/CMakeLists.txt b/CMakeLists.txt index 9428120..024ff10 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -320,10 +320,8 @@ set(3PROXY_CORE_SOURCES src/stringtable.c ) -# MD4/MD5/BLAKE2 sources for 3proxy_crypt +# BLAKE2 source for 3proxy_crypt set(MD_SOURCES - src/libs/md4.c - src/libs/md5.c src/libs/blake2b-ref.c ) @@ -402,6 +400,10 @@ add_executable(3proxy $ ) +if(OpenSSL_FOUND) + target_sources(3proxy PRIVATE src/ssllib.c src/ssl.c) +endif() + target_include_directories(3proxy PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src ${CMAKE_CURRENT_SOURCE_DIR}/src/libs @@ -444,6 +446,9 @@ target_include_directories(3proxy_crypt PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src/libs ) target_link_libraries(3proxy_crypt PRIVATE Threads::Threads) +if(OpenSSL_FOUND) + target_link_libraries(3proxy_crypt PRIVATE OpenSSL::SSL OpenSSL::Crypto) +endif() if("${3PROXY_BINARY_PREFIX}" STREQUAL "") set_target_properties(3proxy_crypt PROPERTIES OUTPUT_NAME "mycrypt") else() @@ -527,10 +532,6 @@ foreach(PLUGIN ${DEFAULT_PLUGINS}) add_subdirectory(src/plugins/${PLUGIN}) endforeach() -if(OPENSSL_FOUND) - add_subdirectory(src/plugins/SSLPlugin) -endif() - if(PCRE2_FOUND) add_subdirectory(src/plugins/PCREPlugin) endif() @@ -541,9 +542,6 @@ endif() # Build full list of plugins to be built set(ALL_PLUGINS ${DEFAULT_PLUGINS}) -if(OPENSSL_FOUND) - list(APPEND ALL_PLUGINS SSLPlugin) -endif() if(PCRE2_FOUND) list(APPEND ALL_PLUGINS PCREPlugin) endif() diff --git a/Makefile.FreeBSD b/Makefile.FreeBSD index ce07b2f..06f9f9f 100644 --- a/Makefile.FreeBSD +++ b/Makefile.FreeBSD 
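Review bot: Nothing in these hunks defines `WITH_SSL` for the `3proxy` or `3proxy_crypt` targets or links `OpenSSL::Crypto` into `3proxy`, yet `src/auth.c`, `src/hashtables.c`, `src/3proxy_crypt.c` and `src/authradius.c` now call EVP behind that macro (authradius.c without any guard at all). Unless that is done elsewhere in CMakeLists.txt, a CMake build with OpenSSL found compiles those files in their no-SSL form while still adding `src/ssllib.c`/`src/ssl.c`, and the RADIUS object has no `md5` symbol to link against; the `target_sources` block should grow `target_compile_definitions(3proxy PRIVATE WITH_SSL)` and `target_link_libraries(3proxy PRIVATE OpenSSL::SSL OpenSSL::Crypto)`, and the 3proxy_crypt link block needs the same definition. The crypt tool only uses libcrypto (EVP and provider loading), so `OpenSSL::Crypto` alone would do there. Minor: the removed code tested `OPENSSL_FOUND` and the new code tests `OpenSSL_FOUND`; both are set after `find_package(OpenSSL)`, but one spelling throughout the file is easier to grep.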
@@ -36,7 +36,8 @@ PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false) ifeq ($(OPENSSL_CHECK), true) LIBS += -l crypto -l ssl - PLUGINS += SSLPlugin + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) endif PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) ifeq ($(PCRE_CHECK), true) diff --git a/Makefile.Linux b/Makefile.Linux index 713830a..2811045 100644 --- a/Makefile.Linux +++ b/Makefile.Linux @@ -38,7 +38,8 @@ PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false) ifeq ($(OPENSSL_CHECK), true) LIBS += -l crypto -l ssl - PLUGINS += SSLPlugin + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) endif PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) ifeq ($(PCRE_CHECK), true) diff --git a/Makefile.msvc b/Makefile.msvc index 9651bb5..1070cc6 100644 --- a/Makefile.msvc +++ b/Makefile.msvc 
@@ -8,7 +8,7 @@ BUILDDIR = ../bin/ CC = cl VERSION = $(VERSION) BUILDDATE = $(BUILDDATE) -CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "WITH_SSL" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c $(BUILDDATE) $(VERSION) +CFLAGS = /nologo /MT /W3 /Ox /GS /EHs- /GA /GF /D "MSVC" /D "WITH_WSAPOLL" /D "NDEBUG" /D "WIN32" /D "WITH_SSL" /D "_CONSOLE" /D "_MBCS" /D "_WIN32" /Fp"proxy.pch" /FD /c $(BUILDDATE) $(VERSION) COUT = /Fo LN = link LDFLAGS = /nologo /subsystem:console /incremental:no @@ -27,7 +27,8 @@ REMOVECOMMAND = del TYPECOMMAND = type COMPATLIBS = MAKEFILE = Makefile.msvc -PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin SSLPlugin PCREPlugin +PLUGINS = utf8tocp1251 WindowsAuthentication TrafficPlugin StringsPlugin FilePlugin PCREPlugin +SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) VERFILE = 3proxy.res $(VERFILE) VERSIONDEP = 3proxy.res $(VERSIONDEP) AFTERCLEAN = if exist src\*.res (del src\*.res) && if exist src\*.err (del src\*.err) diff --git a/Makefile.unix b/Makefile.unix index f386a5d..e0d679a 100644 --- a/Makefile.unix +++ b/Makefile.unix @@ -38,7 +38,8 @@ PLUGINS ?= StringsPlugin TrafficPlugin TransparentPlugin FilePlugin OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testssl.o - 2>/dev/null && $(CC) $(LDFLAGS) -otestssl testssl.o -lcrypto -lssl 2>/dev/null && rm testssl testssl.o && echo true||echo false) ifeq ($(OPENSSL_CHECK), true) LIBS += -l crypto -l ssl - PLUGINS += SSLPlugin + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) endif PCRE_CHECK = $(shell echo "\#define PCRE2_CODE_UNIT_WIDTH 8\\n\#include \\n int main(){return 0;}" | tr -d \\\\ | $(CC) -x c $(CFLAGS) -o testpcre.o - 2>/dev/null && $(CC) -o testpcre testpcre.o $(LDFLAGS) -lpcre2-8 2>/dev/null && rm testpcre testpcre.o && echo true||echo false) ifeq ($(PCRE_CHECK), true) 
diff --git a/Makefile.win b/Makefile.win index 835d4bc..c4debb1 100644 --- a/Makefile.win +++ b/Makefile.win @@ -37,7 +37,8 @@ ifndef OPENSSL_CHECK OPENSSL_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d '\\\\' | cc -x c $(CFLAGS) $(LDFLAGS) -l crypto -l ssl -o testssl - 2>/dev/null && rm testssl && echo true||echo false) ifeq ($(OPENSSL_CHECK), true) LIBS += -l crypto -l ssl - PLUGINS += SSLPlugin + CFLAGS += -DWITH_SSL + SSL_OBJS = ssllib$(OBJSUFFICS) ssl$(OBJSUFFICS) endif PAM_CHECK = $(shell echo "\#include \\n int main(){return 0;}" | tr -d '\\\\' | cc -x c $(CFLAGS) $(LDFLAGS) -l pam -o testpam - 2>/dev/null && rm testpam && echo true||echo false) ifeq ($(PAM_CHECK), true) diff --git a/src/3proxy.c b/src/3proxy.c index f24d5ab..38b566c 100644 --- a/src/3proxy.c +++ b/src/3proxy.c @@ -7,6 +7,9 @@ */ #include "proxy.h" +#ifdef WITH_SSL +void ssl_install(void); +#endif #ifndef _WIN32 #include #ifndef NOPLUGINS @@ -523,6 +526,10 @@ int WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPWSTR lpCmdLine, int _3proxy_mutex_init(&conf.threadinit); #endif +#ifdef WITH_SSL + ssl_install(); +#endif + freeconf(&conf); res = readconfig(fp); conf.version++; diff --git a/src/3proxy_crypt.c b/src/3proxy_crypt.c index a4c0eb5..7ddf28e 100644 --- a/src/3proxy_crypt.c +++ b/src/3proxy_crypt.c @@ -5,11 +5,13 @@ please read License Agreement */ +#include "blake2_compat.h" +#ifdef WITH_SSL +#include #ifndef WITHMAIN -#include "libs/md5.h" +/* MD5 needed for $1$ crypt */ +#endif #endif -#include "libs/md4.h" -#include "libs/blake2.h" #include #define MD5_SIZE 16 @@ -24,6 +26,12 @@ void tohex(unsigned char *in, unsigned char *out, int len); static unsigned char itoa64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +#if defined(WITH_SSL) +EVP_MD *md4 = NULL; +EVP_MD *md5 = NULL; +#endif + void _crypt_to64(unsigned char *s, unsigned long v, int n) { 
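Review bot: `void ssl_install(void);` is declared ad hoc here and again in `src/conf.c` (its first hunk), so the two prototypes can drift; one declaration under `#ifdef WITH_SSL` in proxy.h, which both files include, is the usual place. The function returns void, so the daemon cannot tell at startup whether the OpenSSL-side setup succeeded and carries on with whatever state the call left behind; an `int` return checked here, e.g. `if(ssl_install()) return 1;`, and again in `reload()` would let it fail closed. It is invoked once before the first `readconfig()` and again on every reload, and `src/ssl.c` is not part of this diff, so whether repeated calls are safe is not visible; a comment on the prototype stating that contract would help.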
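Review bot: `EVP_MD *md4 = NULL;` and `EVP_MD *md5 = NULL;` are mutable globals with very generic names that `src/authradius.c` now reaches through `extern`, and in the daemon build nothing in this diff assigns them — only the `WITHMAIN` `main()` fetches them — so unless `ssl_install()` (not shown) fills them in, every `EVP_DigestInit_ex(ctx, md4, NULL)` / `EVP_DigestInit_ex(ctx, md5, NULL)` in the server fails on a NULL digest. I would give them a project prefix, declare them in one header, and document who owns them, e.g. `/* fetched with EVP_MD_fetch() by the SSL setup; NULL until then; release with EVP_MD_free() */`. The `#ifndef WITHMAIN` block in the first hunk now contains only the comment `/* MD5 needed for $1$ crypt */` and can be dropped.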
@@ -34,11 +42,13 @@ _crypt_to64(unsigned char *s, unsigned long v, int n) } +#ifdef WITH_SSL unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPassword, int ctohex) { unsigned char szUnicodePass[513]; unsigned int nPasswordLen; - MD4_CTX ctx; + EVP_MD_CTX *ctx; + unsigned int len=sizeof(szUnicodePass); unsigned int i; /* @@ -53,15 +63,20 @@ unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPasswor } /* Encrypt Unicode password to a 16-byte MD4 hash */ - MD4Init(&ctx); - MD4Update(&ctx, szUnicodePass, (nPasswordLen<<1)); - MD4Final(szUnicodePass, &ctx); + ctx = EVP_MD_CTX_new(); + if(!EVP_DigestInit_ex(ctx, md4, NULL)){ + fprintf(stderr, "Failed to init MD4 digest\n"); + } + EVP_DigestUpdate(ctx, szUnicodePass, (nPasswordLen<<1)); + EVP_DigestFinal_ex(ctx, szUnicodePass, &len); + EVP_MD_CTX_free(ctx); if (ctohex){ tohex(szUnicodePass, szHash, 16); } else memcpy(szHash, szUnicodePass, 16); return szHash; } +#endif unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsigned char *passwd){ 
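Review bot: A digest failure in `ntpwdhash` is only printed, not acted on: `EVP_MD_CTX_new()` is unchecked, and when `EVP_DigestInit_ex` fails (NULL `md4`, or MD4 unavailable because OpenSSL 3 keeps it in the legacy provider) the code still calls `EVP_DigestUpdate`/`EVP_DigestFinal_ex`, which fail as well, and `szUnicodePass` — still holding the UTF-16 password — is hex-encoded or copied into `szHash` as if it were the hash. The function should release the context and return NULL on any failure, and its callers (`pwnt2hash_search` in hashtables.c and the crypt tool's `main`, both in later hunks) must check for that. `len=sizeof(szUnicodePass)` is misleading, since `EVP_DigestFinal_ex` writes `len` rather than reading it. The digest section would become:
```c
	/* Encrypt Unicode password to a 16-byte MD4 hash */
	ctx = EVP_MD_CTX_new();
	if(!ctx || !md4
	   || !EVP_DigestInit_ex(ctx, md4, NULL)
	   || !EVP_DigestUpdate(ctx, szUnicodePass, (nPasswordLen<<1))
	   || !EVP_DigestFinal_ex(ctx, szUnicodePass, &len)){
		EVP_MD_CTX_free(ctx);
		OPENSSL_cleanse(szUnicodePass, sizeof(szUnicodePass));
		return NULL;   /* callers must treat NULL as "no hash available" */
	}
	EVP_MD_CTX_free(ctx);
	/* … unchanged: tohex / memcpy into szHash, return szHash … */
```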
@@ -74,34 +89,38 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi int sl; unsigned long l; -#ifndef WITHMAIN +#if defined(WITH_SSL) if(salt[0] == '$' && salt[1] == '1' && salt[2] == '$' && (ep = (unsigned char *)strchr((char *)salt+3, '$'))) { - MD5_CTX ctx,ctx1; + EVP_MD_CTX *ctx, *ctx1; + unsigned int len; int pl, i; sp = salt +3; sl = (int)(ep - sp); magic = (unsigned char *)"$1$"; - MD5Init(&ctx); + ctx = EVP_MD_CTX_new(); + EVP_DigestInit_ex(ctx, md5, NULL); /* The password first, since that is what is most unknown */ - MD5Update(&ctx,pw,strlen((char *)pw)); + EVP_DigestUpdate(ctx,pw,strlen((char *)pw)); /* Then our magic string */ - MD5Update(&ctx,magic,strlen((char *)magic)); + EVP_DigestUpdate(ctx,magic,strlen((char *)magic)); /* Then the raw salt */ - MD5Update(&ctx,sp,sl); + EVP_DigestUpdate(ctx,sp,sl); /* Then just as many unsigned characters of the MD5(pw,salt,pw) */ - MD5Init(&ctx1); - MD5Update(&ctx1,pw,strlen((char *)pw)); - MD5Update(&ctx1,sp,sl); - MD5Update(&ctx1,pw,strlen((char *)pw)); - MD5Final(final,&ctx1); + ctx1 = EVP_MD_CTX_new(); + EVP_DigestInit_ex(ctx1, EVP_md5(), NULL); + EVP_DigestUpdate(ctx1,pw,strlen((char *)pw)); + EVP_DigestUpdate(ctx1,sp,sl); + EVP_DigestUpdate(ctx1,pw,strlen((char *)pw)); + EVP_DigestFinal_ex(ctx1,final,&len); + EVP_MD_CTX_free(ctx1); for(pl = (int)strlen((char *)pw); pl > 0; pl -= MD5_SIZE) - MD5Update(&ctx,final,pl>MD5_SIZE ? MD5_SIZE : pl); + EVP_DigestUpdate(ctx,final,pl>MD5_SIZE ? MD5_SIZE : pl); /* Don't leave anything around in vm they could use. */ memset(final,0,sizeof final); 
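Review bot: The `$1$` path mixes two digest sources — `ctx` is initialised with the fetched `md5` global while `ctx1` uses `EVP_md5()` — and checks none of the EVP return values, so with `md5` NULL (fetch failed, or never performed in the daemon) `ctx` never gets a digest, every update on it fails, `EVP_DigestFinal_ex(ctx,final,&len)` fails too, and `final` keeps whatever it held before being encoded as the result. `EVP_MD_CTX_new()` is unchecked here and in the 1000-round loop of the next hunk. I would use `md5` for both contexts and treat any failure the way the unknown-salt branch at the end of the function does, `*passwd = 0; return passwd;`, after freeing both contexts. For the changelog: this block was `#ifndef WITHMAIN` and is now `#if defined(WITH_SSL)`, so the crypt tool gains `$1$` support while a server built without OpenSSL loses it.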
@@ -109,12 +128,13 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi /* Then something really weird... */ for (i = (int)strlen((char *)pw); i ; i >>= 1) if(i&1) - MD5Update(&ctx, final, 1); + EVP_DigestUpdate(ctx, final, 1); else - MD5Update(&ctx, pw, 1); + EVP_DigestUpdate(ctx, pw, 1); - MD5Final(final,&ctx); + EVP_DigestFinal_ex(ctx,final,&len); + EVP_MD_CTX_free(ctx); /* * and now, just to make sure things don't run too fast @@ -122,23 +142,25 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi * need 30 seconds to build a 1000 entry dictionary... */ for(i=0;i<1000;i++) { - MD5Init(&ctx1); + ctx1 = EVP_MD_CTX_new(); + EVP_DigestInit_ex(ctx1, md5, NULL); if(i & 1) - MD5Update(&ctx1,pw,strlen((char *)pw)); + EVP_DigestUpdate(ctx1,pw,strlen((char *)pw)); else - MD5Update(&ctx1,final,MD5_SIZE); + EVP_DigestUpdate(ctx1,final,MD5_SIZE); if(i % 3) - MD5Update(&ctx1,sp,sl); + EVP_DigestUpdate(ctx1,sp,sl); if(i % 7) - MD5Update(&ctx1,pw,strlen((char *)pw)); + EVP_DigestUpdate(ctx1,pw,strlen((char *)pw)); if(i & 1) - MD5Update(&ctx1,final,MD5_SIZE); + EVP_DigestUpdate(ctx1,final,MD5_SIZE); else - MD5Update(&ctx1,pw,strlen((char *)pw)); - MD5Final(final,&ctx1); + EVP_DigestUpdate(ctx1,pw,strlen((char *)pw)); + EVP_DigestFinal_ex(ctx1,final,&len); + EVP_MD_CTX_free(ctx1); } @@ -151,7 +173,13 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi sp = salt +3; sl = (int)(ep - sp); magic = (unsigned char *)"$3$"; - blake2b(final, MD5_SIZE, pw, strlen((char *)pw), sp, sl); + { + blake2b_state S; + blake2b_init(&S, MD5_SIZE); + blake2b_update(&S, pw, strlen((char *)pw) + 1); + blake2b_update(&S, sp, sl); + blake2b_final(&S, final, MD5_SIZE); + } } else { *passwd = 0; 
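Review bot: The `$3$` computation changes meaning, not only implementation: the removed call `blake2b(final, MD5_SIZE, pw, strlen((char *)pw), sp, sl)` is, with the reference `blake2b(out, outlen, in, inlen, key, keylen)` signature, a keyed BLAKE2b-128 using the salt as key over the password, whereas the new sequence is an unkeyed BLAKE2b-128 over the password, its NUL terminator and then the salt. Every `$3$` hash already stored in a users or password file therefore stops verifying after this upgrade, silently, because `mycrypt` simply returns a non-matching string. If the unkeyed form is the intended way to stay on the EVP digest API, the output should carry a new salt prefix instead of reusing `$3$`, and the `+ 1` that feeds the terminator looks accidental: `blake2b_update(&S, pw, strlen((char *)pw));`. `blake2b_init` returns a status that is ignored here; with the OpenSSL-backed header a failed init leaves `S` NULL and the following `blake2b_update` dereferences it.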
@@ -180,25 +208,55 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi } #ifdef WITHMAIN - +#ifdef WITH_SSL +OSSL_LIB_CTX *library_ctx = NULL; +#include +#endif #include int main(int argc, char* argv[]){ unsigned char buf[1024]; unsigned i; if(argc < 2 || argc > 3) { fprintf(stderr, "usage: \n" +#ifdef WITH_SSL "\t%s \n" +#endif "\t%s \n" +#ifdef WITH_SSL "Performs NT crypt if no salt specified, BLAKE2 crypt with salt\n" +#else + "Performs BLAKE2 crypt with salt\n" +#endif "This software uses:\n" - " RSA Data Security, Inc. MD4 Message-Digest Algorithm\n" - " RSA Data Security, Inc. MD5 Message-Digest Algorithm\n", +#ifdef WITH_SSL + " OpenSSL EVP (MD4, MD5, BLAKE2b)\n" +#else + " BLAKE2 reference implementation\n" +#endif + , argv[0], argv[0]); return 1; } +#ifdef WITH_SSL + library_ctx = OSSL_LIB_CTX_new(); + OSSL_PROVIDER_load(library_ctx, "legacy"); + OSSL_PROVIDER_load(library_ctx, "default"); + md4 = EVP_MD_fetch(library_ctx, "MD4", NULL); + if (md4 == NULL) { + fprintf(stderr, "Error fetching MD4\n"); + } + md5 = EVP_MD_fetch(library_ctx, "MD5", NULL); + if (md5 == NULL) { + fprintf(stderr, "Error fetching MD5\n"); + } +#endif if(argc == 2) { +#ifdef WITH_SSL printf("NT:%s\n", ntpwdhash(buf, (unsigned char *)argv[1], 1)); +#else + fprintf(stderr, "NT crypt not available (compiled without OpenSSL)\n"); +#endif } else { i = (int)strlen((char *)argv[1]); diff --git a/src/Makefile.inc b/src/Makefile.inc index 272b7dd..14c982d 100644 --- a/src/Makefile.inc +++ b/src/Makefile.inc 
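Review bot: In `main()` a failed `EVP_MD_fetch` is only reported — `fprintf(stderr, "Error fetching MD4\n")` — and execution continues into `ntpwdhash`/`mycrypt` with a NULL `md4` or `md5`; `OSSL_LIB_CTX_new()` and both `OSSL_PROVIDER_load` calls are unchecked as well, and a missing legacy provider (where OpenSSL 3 keeps MD4) is the common case on systems that package it separately. The tool should stop right there, e.g. `if (md4 == NULL || md5 == NULL) return 2;`, and release what it fetched before exiting (`EVP_MD_free`, `OSSL_LIB_CTX_free`). In the `#else` usage text a single `%s` remains but `argv[0], argv[0]` are still passed; harmless in C, but the argument list should follow the format string.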
@@ -152,21 +152,21 @@ datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h 3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c $(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c -md4$(OBJSUFFICS): libs/md4.h libs/md4.c - $(CC) $(COUT)md4$(OBJSUFFICS) $(CFLAGS) libs/md4.c - -md5$(OBJSUFFICS): libs/md5.h libs/md5.c - $(CC) $(COUT)md5$(OBJSUFFICS) $(CFLAGS) libs/md5.c - blake2$(OBJSUFFICS): libs/blake2.h libs/blake2-impl.h libs/blake2b-ref.c $(CC) $(COUT)blake2$(OBJSUFFICS) $(CFLAGS) libs/blake2b-ref.c -$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): md4$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS) - $(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) md4$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) +$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS): blake2$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) base64$(OBJSUFFICS) + $(LN) $(LNOUT)$(BUILDDIR)$(CRYPT_PREFIX)crypt$(EXESUFFICS) $(LDFLAGS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) 3proxy_cryptmain$(OBJSUFFICS) $(LIBS) stringtable$(OBJSUFFICS): stringtable.c $(CC) $(COUT)stringtable$(OBJSUFFICS) $(CFLAGS) stringtable.c -$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) md4$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) 
$(COMPATLIBS) $(VERSIONDEP) - $(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE) 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) md5$(OBJSUFFICS) blake2$(OBJSUFFICS) md4$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(COMPATLIBS) $(LIBS) +ssllib$(OBJSUFFICS): ssllib.c + $(CC) $(COUT)ssllib$(OBJSUFFICS) $(CFLAGS) ssllib.c + +ssl$(OBJSUFFICS): ssl.c + $(CC) $(COUT)ssl$(OBJSUFFICS) $(CFLAGS) ssl.c + +$(BUILDDIR)3proxy$(EXESUFFICS): 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) log$(OBJSUFFICS) datatypes$(OBJSUFFICS) blake2$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(SSL_OBJS) $(COMPATLIBS) $(VERSIONDEP) + $(LN) $(LNOUT)$(BUILDDIR)3proxy$(EXESUFFICS) $(LDFLAGS) $(VERFILE) 3proxy$(OBJSUFFICS) mainfunc$(OBJSUFFICS) auth$(OBJSUFFICS) acl$(OBJSUFFICS) limiter$(OBJSUFFICS) 
redirect$(OBJSUFFICS) authradius$(OBJSUFFICS) hash$(OBJSUFFICS) hashtables$(OBJSUFFICS) resolve$(OBJSUFFICS) sql$(OBJSUFFICS) conf$(OBJSUFFICS) datatypes$(OBJSUFFICS) srvauto$(OBJSUFFICS) srvproxy$(OBJSUFFICS) srvpop3p$(OBJSUFFICS) srvsmtpp$(OBJSUFFICS) srvftppr$(OBJSUFFICS) srvsocks$(OBJSUFFICS) srvtcppm$(OBJSUFFICS) srvtlspr$(OBJSUFFICS) srvudppm$(OBJSUFFICS) sockmap$(OBJSUFFICS) sockgetchar$(OBJSUFFICS) common$(OBJSUFFICS) log$(OBJSUFFICS) 3proxy_crypt$(OBJSUFFICS) blake2$(OBJSUFFICS) base64$(OBJSUFFICS) ftp$(OBJSUFFICS) stringtable$(OBJSUFFICS) srvwebadmin$(OBJSUFFICS) srvdnspr$(OBJSUFFICS) plugins$(OBJSUFFICS) $(SSL_OBJS) $(COMPATLIBS) $(LIBS) diff --git a/src/auth.c b/src/auth.c index 0727cb3..85ea0e4 100644 --- a/src/auth.c +++ b/src/auth.c @@ -223,8 +223,10 @@ int strongauth(struct clientparam * param){ if (!param->pwtype && param->password) { if (pw_table.ihashtable && hashresolv(&pw_table, param, &dummy, NULL)) return 0; +#ifdef WITH_SSL if (pwnt_table.ihashtable && hashresolv(&pwnt_table, param, &dummy, NULL)) return 0; +#endif #ifndef NOCRYPT if (pwcr_table.ihashtable && hashresolv(&pwcr_table, param, cryptpw, NULL)) { if (!strcmp(cryptpw, (char *)mycrypt(param->password, (unsigned char *)cryptpw, buf))) diff --git a/src/authradius.c b/src/authradius.c index 2ff0c4a..fc3fdae 100644 --- a/src/authradius.c +++ b/src/authradius.c @@ -8,7 +8,7 @@ #ifndef NORADIUS #include "proxy.h" -#include "libs/md5.h" +#include #define AUTH_VECTOR_LEN 16 #define MAX_STRING_LEN 254 
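Review bot: The new object rules list only the `.c` file as prerequisite — `ssllib$(OBJSUFFICS): ssllib.c` and `ssl$(OBJSUFFICS): ssl.c` — and `3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c` was not updated although that file now includes `blake2_compat.h`, so editing the compat header (or whatever headers ssl.c and ssllib.c include, which this diff does not show) leaves stale objects in an incremental build; `3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c blake2_compat.h` is the minimal fix, and the `3proxy_crypt` and `hashtables` rules outside this hunk need the same. `blake2$(OBJSUFFICS)` is still built and linked into both binaries even when `WITH_SSL` routes `blake2_compat.h` to EVP, so the reference implementation becomes dead code in that configuration; it could be made conditional the way `SSL_OBJS` is. The crypt tool link now pulls in all of `$(LIBS)`, not just libcrypto, which is worth a comment if intended.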
@@ -183,14 +183,19 @@ char *strNcpy(char *dest, const char *src, int n) return dest; } +extern EVP_MD *md4; +extern EVP_MD *md5; + + void md5_calc(unsigned char *output, unsigned char *input, unsigned int inlen) { - MD5_CTX context; - - MD5Init(&context); - MD5Update(&context, input, inlen); - MD5Final(output, &context); + EVP_MD_CTX *ctx = EVP_MD_CTX_new(); + unsigned int len = 0; + EVP_DigestInit_ex(ctx, md5, NULL); + EVP_DigestUpdate(ctx, input, inlen); + EVP_DigestFinal_ex(ctx, output, &len); + EVP_MD_CTX_free(ctx); } diff --git a/src/blake2_compat.h b/src/blake2_compat.h new file mode 100644 index 0000000..63b5d92 --- /dev/null +++ b/src/blake2_compat.h 
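Review bot: `md5_calc` now depends unconditionally on OpenSSL and on the `md5` global, but that global is defined in `src/3proxy_crypt.c` only under `#if defined(WITH_SSL)` and the `#include` swap in the previous hunk has no guard either, so a build without OpenSSL that does not define `NORADIUS` fails at compile or link time; the Makefiles in this diff only add `-DWITH_SSL` when the OpenSSL probe succeeds. Either keep a fallback for the no-SSL case or make RADIUS auth require OpenSSL explicitly, `#if !defined(NORADIUS) && defined(WITH_SSL)`, so the failure becomes a clear build-time message rather than an undefined symbol. The three EVP return values are ignored, so with a NULL `md5` the function returns without ever writing `output`, and the RADIUS authenticator is then built from or compared against stale bytes; returning an `int` status and letting the callers (outside this hunk) drop the packet would make that a clean failure. `extern EVP_MD *md4;` is unused in this file.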
@@ -0,0 +1,76 @@
+#ifndef BLAKE2_COMPAT_H
+#define BLAKE2_COMPAT_H
+
+#if defined(WITH_SSL)
+#include
+#endif
+
+#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
+
+#include
+#include
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+#include
+#include
+#endif
+
+/*
+ * OpenSSL 1.1.0+ BLAKE2b implementation.
+ * Provides the same streaming API as libs/blake2.h but uses EVP internally.
+ *
+ * OpenSSL 3.0+: uses OSSL_DIGEST_PARAM_SIZE for proper custom output sizes.
+ * OpenSSL 1.1.x: computes full 64-byte output and truncates in blake2b_final.
+ */
+
+typedef EVP_MD_CTX *blake2b_state;
+
+static int blake2b_init(blake2b_state *S, size_t outlen) {
+ *S = EVP_MD_CTX_new();
+ if (!*S) return -1;
+
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ size_t sz = outlen;
+ OSSL_PARAM params[2];
+ params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_SIZE, &sz);
+ params[1] = OSSL_PARAM_construct_end();
+
+ if (!EVP_DigestInit_ex2(*S, EVP_blake2b512(), params)) {
+#else
+ (void)outlen;
+ if (!EVP_DigestInit_ex(*S, EVP_blake2b512(), NULL)) {
+#endif
+ EVP_MD_CTX_free(*S);
+ *S = NULL;
+ return -1;
+ }
+ return 0;
+}
+
+static int blake2b_update(blake2b_state *S, const void *in, size_t inlen) {
+ if (inlen == 0) return 0;
+ return EVP_DigestUpdate(*S, in, inlen) ? 0 : -1;
+}
+
+static int blake2b_final(blake2b_state *S, void *out, size_t outlen) {
+#if OPENSSL_VERSION_NUMBER >= 0x30000000L
+ unsigned int len = 0;
+ int ret = EVP_DigestFinal_ex(*S, out, &len) ? 0 : -1;
+#else
+ unsigned char tmp[64];
+ unsigned int len = 0;
+ int ret = EVP_DigestFinal_ex(*S, tmp, &len) ? 0 : -1;
+ if (ret == 0) memcpy(out, tmp, outlen);
+#endif
+ EVP_MD_CTX_free(*S);
+ *S = NULL;
+ return ret;
+}
+
+#else
+
+#include "libs/blake2.h"
+
+#endif
+
+#endif /* BLAKE2_COMPAT_H */
diff --git a/src/conf.c b/src/conf.c
index bad0d2e..7ff54e3 100644
--- a/src/conf.c
+++ b/src/conf.c
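Review bot: `blake2b_final` trusts that the context produces exactly `outlen` bytes: in the OpenSSL 3 branch it finalises straight into `out` and never compares the returned `len` with `outlen`, so if the provider in use does not honour `OSSL_DIGEST_PARAM_SIZE` for `EVP_blake2b512()` (worth verifying against every OpenSSL version the project supports) the full 64 bytes land in a caller buffer sized 16 (`final` in `mycrypt`) or `ht->hash_size` (hashtables.c). Finalising into a local `EVP_MAX_MD_SIZE` buffer and refusing a length mismatch closes that regardless of provider behaviour. The 1.1.x branch has a different problem that the header comment understates: the requested length is part of BLAKE2's parameter block, so the first 16 bytes of BLAKE2b-512 are not BLAKE2b-128, and a `$3$` hash produced by a 1.1.x build will not verify on a 3.x build or against the reference code (and vice versa); if cross-version compatibility matters, 1.1.x should fall through to `libs/blake2.h` instead of truncating. Also, the functions are plain `static` in a header, so translation units that use only some of them get unused-function warnings; `static inline` avoids that.
```c
static int blake2b_final(blake2b_state *S, void *out, size_t outlen) {
    unsigned char tmp[EVP_MAX_MD_SIZE];
    unsigned int len = 0;
    int ret = EVP_DigestFinal_ex(*S, tmp, &len) ? 0 : -1;
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
    /* a provider that ignored OSSL_DIGEST_PARAM_SIZE hands back 64 bytes: refuse rather than overrun out */
    if (ret == 0 && len != outlen) ret = -1;
#else
    /* truncation of BLAKE2b-512, NOT BLAKE2b-outlen; see the header comment */
    if (ret == 0 && len < outlen) ret = -1;
#endif
    if (ret == 0) memcpy(out, tmp, outlen);
    OPENSSL_cleanse(tmp, sizeof(tmp));
    EVP_MD_CTX_free(*S);
    *S = NULL;
    return ret;
}
```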
@@ -7,6 +7,9 @@ */ #include "proxy.h" +#ifdef WITH_SSL +void ssl_install(void); +#endif #ifndef _WIN32 #include #include @@ -526,9 +529,11 @@ static int h_users(int argc, unsigned char **argv){ if (arg[1] && arg[2] && arg[3] == ':') { pw[1] = (char *)(arg + 4); if (arg[1] == 'N' && arg[2] == 'T') { +#ifdef WITH_SSL if (!pwnt_table.ihashtable && inithashtable(&pwnt_table, 16, 32, 1048576)) return 3; hashadd(&pwnt_table, pw, &dummy, MAX_COUNTER_TIME); +#endif continue; } if (arg[1] == 'C' && arg[2] == 'R') { @@ -1447,6 +1452,11 @@ static int h_authcache(int argc, unsigned char **argv){ } static int h_plugin(int argc, unsigned char **argv){ +#ifdef WITH_SSL + if(argc >= 3 && !strcmp((char *)argv[2], "ssl_plugin")){ + return 0; + } +#endif #ifdef NOPLUGINS return 999; #else @@ -1875,7 +1885,9 @@ void freeconf(struct extparam *confp){ _3proxy_mutex_unlock(&connlim_mutex); destroyhashtable(&pw_table); +#ifdef WITH_SSL destroyhashtable(&pwnt_table); +#endif destroyhashtable(&pwcr_table); confp->logfunc = lognone; @@ -1946,6 +1958,9 @@ int reload (void){ int error = -2; _3proxy_mutex_lock(&config_mutex); +#ifdef WITH_SSL + ssl_install(); +#endif conf.paused++; freeconf(&conf); conf.paused++; diff --git a/src/hashtables.c b/src/hashtables.c index df8c5d9..1d2acd4 100644 --- a/src/hashtables.c +++ b/src/hashtables.c @@ -1,11 +1,13 @@ #include "proxy.h" -#include "libs/blake2.h" +#include "blake2_compat.h" static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){ - char* name = index; + blake2b_state S; - blake2b(hash, ht->hash_size, index, strlen((const char*)index), NULL, 0); + blake2b_init(&S, ht->hash_size); + blake2b_update(&S, index, strlen((const char*)index) + 1); + blake2b_final(&S, hash, ht->hash_size); } static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *hash){ 
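Review bot: In `h_users`, a `users` entry of the form `name:NT:hash` is now silently skipped (`continue;`) in a build without `WITH_SSL`, so the configuration loads cleanly but that user can never authenticate and the operator gets no diagnostic; the code right beside it returns an error code on failure (`return 3;`), and the `#ifdef` should do the same, e.g. `#else return 3; /* NT: hashes need a WITH_SSL build */`, or at minimum log the skipped line if dropping it is the intended compatibility behaviour. The `h_plugin` shortcut accepts any `plugin … ssl_plugin` line without looking at the remaining arguments; a one-line comment saying the SSL plugin is now built in and the directive is kept so old configs still load would save the next reader a search. The prototype `void ssl_install(void);` duplicates the one added to `src/3proxy.c` and belongs in proxy.h.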
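Review bot: `char_index2hash` ignores the status of `blake2b_init`, and with the OpenSSL-backed `blake2_compat.h` a failed init (allocation failure, digest unavailable) leaves `S` NULL so the following `blake2b_update` dereferences it; the reference header reports bad arguments through the same return value. The same pattern is in `user2hash_search` in the next hunk and in the `$3$` branch of `mycrypt`. I would zero the output first and bail out on failure, `memset(hash, 0, ht->hash_size); if(blake2b_init(&S, ht->hash_size) != 0) return;`, so the table gets a deterministic digest instead of uninitialised bytes or a crash. Note that the `+ 1` now feeds the terminating NUL into the hash; harmless for an in-memory table, but it is a silent change from the old `blake2b(..., strlen(index), NULL, 0)` call and deserves a comment.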
@@ -36,7 +38,11 @@ void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){ static void user2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){ struct clientparam *param = (struct clientparam *)index; - blake2b(hash, ht->hash_size, param->username, strlen((const char *)param->username), NULL, 0); + blake2b_state S; + + blake2b_init(&S, ht->hash_size); + blake2b_update(&S, param->username, strlen((const char *)param->username) + 1); + blake2b_final(&S, hash, ht->hash_size); } static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){ @@ -80,14 +86,16 @@ static void pwnt2hash_add(const struct hashtable *ht, void *index, uint8_t *hash } +#ifdef WITH_SSL static void pwnt2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){ struct clientparam *param = (struct clientparam *)index; - unsigned char pass[40]; + unsigned char pass[40]; char *pw[2] = {(char *)param->username, (char *)pass}; ntpwdhash(pass, param->password, 1); pwnt2hash_add(ht, pw, hash); } +#endif @@ -95,5 +103,7 @@ struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 12}; struct hashtable dns6_table = {char_index2hash, char_index2hash, 16, 12}; struct hashtable auth_table = {param2hash_add, param2hash_search, sizeof(struct authcache), 12}; struct hashtable pw_table = {pw2hash_add, pw2hash_search, 0, 12}; +#ifdef WITH_SSL struct hashtable pwnt_table = {pwnt2hash_add, pwnt2hash_search, 0, 12}; +#endif struct hashtable pwcr_table = {char_index2hash, user2hash_search, 64, 12}; diff --git a/src/libs/md4.c b/src/libs/md4.c deleted file mode 100644 index e09d340..0000000 --- a/src/libs/md4.c +++ /dev/null 
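Review bot: `pwnt2hash_search` and `pwnt_table` are now guarded by `WITH_SSL`, but `pwnt2hash_add` — whose definition begins above this hunk — stays compiled unconditionally, so a no-SSL build presumably gets an unused-static-function warning for it; the guard should cover all three. `ntpwdhash(pass, param->password, 1)` still ignores the return value, and since the EVP version can fail (NULL `md4`, MD4 not available) the lookup then proceeds with whatever `pass` contains; the call should be checked before `pwnt2hash_add` is reached.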
@@ -1,290 +0,0 @@ -/* - * md4c.c MD4 message-digest algorithm - * - * License to copy and use this software is granted provided that it - * is identified as the "RSA Data Security, Inc. MD4 Message-Digest - * Algorithm" in all material mentioning or referencing this software - * or this function. - * - * License is also granted to make and use derivative works provided - * that such works are identified as "derived from the RSA Data - * Security, Inc. MD4 Message-Digest Algorithm" in all material - * mentioning or referencing the derived work. - * - * RSA Data Security, Inc. makes no representations concerning either - * the merchantability of this software or the suitability of this - * software for any particular purpose. It is provided "as is" - * without express or implied warranty of any kind. - * - * These notices must be retained in any copies of any part of this - * documentation and/or software. - * - * Copyright 1990,1991,1992 RSA Data Security, Inc. - */ - - -#include "md4.h" - -/* Constants for MD4Transform routine. - */ -#define S11 3 -#define S12 7 -#define S13 11 -#define S14 19 -#define S21 3 -#define S22 5 -#define S23 9 -#define S24 13 -#define S31 3 -#define S32 9 -#define S33 11 -#define S34 15 - -static void MD4Transform PROTO_LIST ((UINT4 [4], unsigned char [64])); -static void Encode PROTO_LIST - ((unsigned char *, UINT4 *, unsigned int)); -static void Decode PROTO_LIST - ((UINT4 *, unsigned char *, unsigned int)); -static void MD4_memcpy PROTO_LIST ((POINTER, POINTER, unsigned int)); -static void MD4_memset PROTO_LIST ((POINTER, int, unsigned int)); - -static unsigned char PADDING[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -/* F, G and H are basic MD4 functions. 
- */ -#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) -#define G(x, y, z) (((x) & (y)) | ((x) & (z)) | ((y) & (z))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) - -/* ROTATE_LEFT rotates x left n bits. - */ -#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) - -/* FF, GG and HH are transformations for rounds 1, 2 and 3 */ -/* Rotation is separate from addition to prevent recomputation */ - -#define FF(a, b, c, d, x, s) { \ - (a) += F ((b), (c), (d)) + (x); \ - (a) = ROTATE_LEFT ((a), (s)); \ - } -#define GG(a, b, c, d, x, s) { \ - (a) += G ((b), (c), (d)) + (x) + (UINT4)0x5a827999; \ - (a) = ROTATE_LEFT ((a), (s)); \ - } -#define HH(a, b, c, d, x, s) { \ - (a) += H ((b), (c), (d)) + (x) + (UINT4)0x6ed9eba1; \ - (a) = ROTATE_LEFT ((a), (s)); \ - } - -void md4_calc(unsigned char *output, unsigned char *input, unsigned inlen) -{ - MD4_CTX context; - - MD4Init(&context); - MD4Update(&context, input, inlen); - MD4Final(output, &context); -} - -/* MD4 initialization. Begins an MD4 operation, writing a new context. - */ -void MD4Init ( MD4_CTX *context) -{ - context->count[0] = context->count[1] = 0; - - /* Load magic initialization constants. - */ - context->state[0] = 0x67452301; - context->state[1] = 0xefcdab89; - context->state[2] = 0x98badcfe; - context->state[3] = 0x10325476; -} - -/* MD4 block update operation. Continues an MD4 message-digest - operation, processing another message block, and updating the - context. - */ -void MD4Update (MD4_CTX *context, unsigned char *input, unsigned inputLen) -{ - unsigned int i, index, partLen; - - /* Compute number of bytes mod 64 */ - index = (unsigned int)((context->count[0] >> 3) & 0x3F); - /* Update number of bits */ - if ((context->count[0] += ((UINT4)inputLen << 3)) - < ((UINT4)inputLen << 3)) - context->count[1]++; - context->count[1] += ((UINT4)inputLen >> 29); - - partLen = 64 - index; - - /* Transform as many times as possible. 
- */ - if (inputLen >= partLen) { - MD4_memcpy - ((POINTER)&context->buffer[index], (POINTER)input, partLen); - MD4Transform (context->state, context->buffer); - - for (i = partLen; i + 63 < inputLen; i += 64) - MD4Transform (context->state, &input[i]); - - index = 0; - } - else - i = 0; - - /* Buffer remaining input */ - MD4_memcpy - ((POINTER)&context->buffer[index], (POINTER)&input[i], - inputLen-i); -} - -/* MD4 finalization. Ends an MD4 message-digest operation, writing the - the message digest and zeroizing the context. - */ -void MD4Final (unsigned char digest[16], MD4_CTX *context) -{ - unsigned char bits[8]; - unsigned int index, padLen; - - /* Save number of bits */ - Encode (bits, context->count, 8); - - /* Pad out to 56 mod 64. - */ - index = (unsigned int)((context->count[0] >> 3) & 0x3f); - padLen = (index < 56) ? (56 - index) : (120 - index); - MD4Update (context, PADDING, padLen); - - /* Append length (before padding) */ - MD4Update (context, bits, 8); - /* Store state in digest */ - Encode (digest, context->state, 16); - - /* Zeroize sensitive information. - */ - MD4_memset ((POINTER)context, 0, sizeof (*context)); -} - -/* MD4 basic transformation. Transforms state based on block. 
- */ -static void MD4Transform (UINT4 state[4], unsigned char block[64]) -{ - UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; - - Decode (x, block, 64); - - /* Round 1 */ - FF (a, b, c, d, x[ 0], S11); /* 1 */ - FF (d, a, b, c, x[ 1], S12); /* 2 */ - FF (c, d, a, b, x[ 2], S13); /* 3 */ - FF (b, c, d, a, x[ 3], S14); /* 4 */ - FF (a, b, c, d, x[ 4], S11); /* 5 */ - FF (d, a, b, c, x[ 5], S12); /* 6 */ - FF (c, d, a, b, x[ 6], S13); /* 7 */ - FF (b, c, d, a, x[ 7], S14); /* 8 */ - FF (a, b, c, d, x[ 8], S11); /* 9 */ - FF (d, a, b, c, x[ 9], S12); /* 10 */ - FF (c, d, a, b, x[10], S13); /* 11 */ - FF (b, c, d, a, x[11], S14); /* 12 */ - FF (a, b, c, d, x[12], S11); /* 13 */ - FF (d, a, b, c, x[13], S12); /* 14 */ - FF (c, d, a, b, x[14], S13); /* 15 */ - FF (b, c, d, a, x[15], S14); /* 16 */ - - /* Round 2 */ - GG (a, b, c, d, x[ 0], S21); /* 17 */ - GG (d, a, b, c, x[ 4], S22); /* 18 */ - GG (c, d, a, b, x[ 8], S23); /* 19 */ - GG (b, c, d, a, x[12], S24); /* 20 */ - GG (a, b, c, d, x[ 1], S21); /* 21 */ - GG (d, a, b, c, x[ 5], S22); /* 22 */ - GG (c, d, a, b, x[ 9], S23); /* 23 */ - GG (b, c, d, a, x[13], S24); /* 24 */ - GG (a, b, c, d, x[ 2], S21); /* 25 */ - GG (d, a, b, c, x[ 6], S22); /* 26 */ - GG (c, d, a, b, x[10], S23); /* 27 */ - GG (b, c, d, a, x[14], S24); /* 28 */ - GG (a, b, c, d, x[ 3], S21); /* 29 */ - GG (d, a, b, c, x[ 7], S22); /* 30 */ - GG (c, d, a, b, x[11], S23); /* 31 */ - GG (b, c, d, a, x[15], S24); /* 32 */ - - /* Round 3 */ - HH (a, b, c, d, x[ 0], S31); /* 33 */ - HH (d, a, b, c, x[ 8], S32); /* 34 */ - HH (c, d, a, b, x[ 4], S33); /* 35 */ - HH (b, c, d, a, x[12], S34); /* 36 */ - HH (a, b, c, d, x[ 2], S31); /* 37 */ - HH (d, a, b, c, x[10], S32); /* 38 */ - HH (c, d, a, b, x[ 6], S33); /* 39 */ - HH (b, c, d, a, x[14], S34); /* 40 */ - HH (a, b, c, d, x[ 1], S31); /* 41 */ - HH (d, a, b, c, x[ 9], S32); /* 42 */ - HH (c, d, a, b, x[ 5], S33); /* 43 */ - HH (b, c, d, a, x[13], S34); /* 44 */ - HH (a, b, c, d, x[ 
3], S31); /* 45 */ - HH (d, a, b, c, x[11], S32); /* 46 */ - HH (c, d, a, b, x[ 7], S33); /* 47 */ - HH (b, c, d, a, x[15], S34); /* 48 */ - - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - - /* Zeroize sensitive information. - */ - MD4_memset ((POINTER)x, 0, sizeof (x)); -} - -/* Encodes input (UINT4) into output (unsigned char). Assumes len is - a multiple of 4. - */ -static void Encode (unsigned char *output, UINT4 *input, unsigned len) -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) { - output[j] = (unsigned char)(input[i] & 0xff); - output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); - output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); - output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); - } -} - -/* Decodes input (unsigned char) into output (UINT4). Assumes len is - a multiple of 4. - */ -static void Decode (UINT4 *output, unsigned char *input, unsigned len) - -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) - output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | - (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); -} - -/* Note: Replace "for loop" with standard memcpy if possible. - */ -static void MD4_memcpy (POINTER output, POINTER input, unsigned len) -{ - unsigned int i; - - for (i = 0; i < len; i++) - output[i] = input[i]; -} - -/* Note: Replace "for loop" with standard memset if possible. - */ -static void MD4_memset (POINTER output, int value, unsigned len) -{ - unsigned int i; - - for (i = 0; i < len; i++) - ((char *)output)[i] = (char)value; -} diff --git a/src/libs/md4.h b/src/libs/md4.h deleted file mode 100644 index de07d79..0000000 --- a/src/libs/md4.h +++ /dev/null 
@@ -1,83 +0,0 @@ -#ifndef _LRAD_MD4_H -#define _LRAD_MD4_H - -#ifndef _LRAD_PROTO_H -#define _LRAD_PROTO_H -/* GLOBAL.H - RSAREF types and constants - */ - -/* PROTOTYPES should be set to one if and only if the compiler supports - function argument prototyping. - The following makes PROTOTYPES default to 0 if it has not already - been defined with C compiler flags. - */ -#ifndef PROTOTYPES -# if __STDC__ -# define PROTOTYPES 1 -# else -# define PROTOTYPES 0 -# endif -#endif - -/* POINTER defines a generic pointer type */ -typedef unsigned char *POINTER; -#define _POINTER_T - -/* UINT2 defines a two byte word */ -typedef unsigned short int UINT2; -#define _UINT2_T - -/* UINT4 defines a four byte word */ -typedef unsigned int UINT4; -#define _UINT4_T - -/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. - If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it - returns an empty list. - */ -#if PROTOTYPES -#define PROTO_LIST(list) list -#else -#define PROTO_LIST(list) () -#endif -#endif /* _LRAD_PROTO_H */ - -/* MD4.H - header file for MD4C.C - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All - rights reserved. - - License to copy and use this software is granted provided that it - is identified as the "RSA Data Security, Inc. MD4 Message-Digest - Algorithm" in all material mentioning or referencing this software - or this function. - - License is also granted to make and use derivative works provided - that such works are identified as "derived from the RSA Data - Security, Inc. MD4 Message-Digest Algorithm" in all material - mentioning or referencing the derived work. - - RSA Data Security, Inc. makes no representations concerning either - the merchantability of this software or the suitability of this - software for any particular purpose. It is provided "as is" - without express or implied warranty of any kind. 
- - These notices must be retained in any copies of any part of this - documentation and/or software. - */ - -/* MD4 context. */ -typedef struct { - UINT4 state[4]; /* state (ABCD) */ - UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */ - unsigned char buffer[64]; /* input buffer */ -} MD4_CTX; - -void md4_calc (unsigned char *, unsigned char *, unsigned int); -void MD4Init PROTO_LIST ((MD4_CTX *)); -void MD4Update PROTO_LIST - ((MD4_CTX *, unsigned char *, unsigned int)); -void MD4Final PROTO_LIST ((unsigned char [16], MD4_CTX *)); - -#endif /* _LRAD_MD4_H */ diff --git a/src/libs/md5.c b/src/libs/md5.c deleted file mode 100644 index 09d8559..0000000 --- a/src/libs/md5.c +++ /dev/null 
@@ -1,325 +0,0 @@ -/* MD5C.C - RSA Data Security, Inc., MD5 message-digest algorithm - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All -rights reserved. - -License to copy and use this software is granted provided that it -is identified as the "RSA Data Security, Inc. MD5 Message-Digest -Algorithm" in all material mentioning or referencing this software -or this function. - -License is also granted to make and use derivative works provided -that such works are identified as "derived from the RSA Data -Security, Inc. MD5 Message-Digest Algorithm" in all material -mentioning or referencing the derived work. - -RSA Data Security, Inc. makes no representations concerning either -the merchantability of this software or the suitability of this -software for any particular purpose. It is provided "as is" -without express or implied warranty of any kind. - -These notices must be retained in any copies of any part of this -documentation and/or software. - */ - -#include "md5.h" - -/* Constants for MD5Transform routine. 
- */ -#define S11 7 -#define S12 12 -#define S13 17 -#define S14 22 -#define S21 5 -#define S22 9 -#define S23 14 -#define S24 20 -#define S31 4 -#define S32 11 -#define S33 16 -#define S34 23 -#define S41 6 -#define S42 10 -#define S43 15 -#define S44 21 - -void librad_md5_calc(unsigned char *output, unsigned char *input, - unsigned int inputlen); -static void MD5Transform PROTO_LIST ((UINT4 [4], const unsigned char [64])); -static void Encode PROTO_LIST - ((unsigned char *, UINT4 *, unsigned int)); -static void Decode PROTO_LIST - ((UINT4 *, const unsigned char *, unsigned int)); -static void MD5_memcpy PROTO_LIST ((POINTER, CONSTPOINTER, unsigned int)); -static void MD5_memset PROTO_LIST ((POINTER, int, unsigned int)); - -static const unsigned char PADDING[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -/* F, G, H and I are basic MD5 functions. - */ -#define F(x, y, z) (((x) & (y)) | ((~x) & (z))) -#define G(x, y, z) (((x) & (z)) | ((y) & (~z))) -#define H(x, y, z) ((x) ^ (y) ^ (z)) -#define I(x, y, z) ((y) ^ ((x) | (~z))) - -/* ROTATE_LEFT rotates x left n bits. - */ -#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n)))) - -/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4. -Rotation is separate from addition to prevent recomputation. 
- */ -#define FF(a, b, c, d, x, s, ac) { \ - (a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define GG(a, b, c, d, x, s, ac) { \ - (a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define HH(a, b, c, d, x, s, ac) { \ - (a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } -#define II(a, b, c, d, x, s, ac) { \ - (a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \ - (a) = ROTATE_LEFT ((a), (s)); \ - (a) += (b); \ - } - -void librad_md5_calc(unsigned char *output, unsigned char *input, - unsigned int inlen) -{ - MD5_CTX context; - - MD5Init(&context); - MD5Update(&context, input, inlen); - MD5Final(output, &context); -} - -/* MD5 initialization. Begins an MD5 operation, writing a new context. - */ -void MD5Init (MD5_CTX *context) -{ - context->count[0] = context->count[1] = 0; - /* Load magic initialization constants. -*/ - context->state[0] = 0x67452301; - context->state[1] = 0xefcdab89; - context->state[2] = 0x98badcfe; - context->state[3] = 0x10325476; -} - -/* MD5 block update operation. Continues an MD5 message-digest - operation, processing another message block, and updating the - context. - */ -void MD5Update (MD5_CTX *context, const unsigned char *input, unsigned inputLen) -{ - unsigned int i, index, partLen; - - /* Compute number of bytes mod 64 */ - index = (unsigned int)((context->count[0] >> 3) & 0x3F); - - /* Update number of bits */ - if ((context->count[0] += ((UINT4)inputLen << 3)) - < ((UINT4)inputLen << 3)) - context->count[1]++; - context->count[1] += ((UINT4)inputLen >> 29); - - partLen = 64 - index; - - /* Transform as many times as possible. 
-*/ - if (inputLen >= partLen) { - MD5_memcpy - ((POINTER)&context->buffer[index], (CONSTPOINTER)input, partLen); - MD5Transform (context->state, context->buffer); - - for (i = partLen; i + 63 < inputLen; i += 64) - MD5Transform (context->state, &input[i]); - - index = 0; - } - else - i = 0; - - /* Buffer remaining input */ - MD5_memcpy - ((POINTER)&context->buffer[index], (CONSTPOINTER)&input[i], - inputLen-i); -} - -/* MD5 finalization. Ends an MD5 message-digest operation, writing the - the message digest and zeroizing the context. - */ -void MD5Final (unsigned char digest[16], MD5_CTX *context) -{ - unsigned char bits[8]; - unsigned int index, padLen; - - /* Save number of bits */ - Encode (bits, context->count, 8); - - /* Pad out to 56 mod 64. -*/ - index = (unsigned int)((context->count[0] >> 3) & 0x3f); - padLen = (index < 56) ? (56 - index) : (120 - index); - MD5Update (context, PADDING, padLen); - - /* Append length (before padding) */ - MD5Update (context, bits, 8); - - /* Store state in digest */ - Encode (digest, context->state, 16); - - /* Zeroize sensitive information. -*/ - MD5_memset ((POINTER)context, 0, sizeof (*context)); -} - -/* MD5 basic transformation. Transforms state based on block. 
- */ -static void MD5Transform (UINT4 state[4], const unsigned char block[64]) -{ - UINT4 a = state[0], b = state[1], c = state[2], d = state[3], x[16]; - - Decode (x, block, 64); - - /* Round 1 */ - FF (a, b, c, d, x[ 0], S11, 0xd76aa478); /* 1 */ - FF (d, a, b, c, x[ 1], S12, 0xe8c7b756); /* 2 */ - FF (c, d, a, b, x[ 2], S13, 0x242070db); /* 3 */ - FF (b, c, d, a, x[ 3], S14, 0xc1bdceee); /* 4 */ - FF (a, b, c, d, x[ 4], S11, 0xf57c0faf); /* 5 */ - FF (d, a, b, c, x[ 5], S12, 0x4787c62a); /* 6 */ - FF (c, d, a, b, x[ 6], S13, 0xa8304613); /* 7 */ - FF (b, c, d, a, x[ 7], S14, 0xfd469501); /* 8 */ - FF (a, b, c, d, x[ 8], S11, 0x698098d8); /* 9 */ - FF (d, a, b, c, x[ 9], S12, 0x8b44f7af); /* 10 */ - FF (c, d, a, b, x[10], S13, 0xffff5bb1); /* 11 */ - FF (b, c, d, a, x[11], S14, 0x895cd7be); /* 12 */ - FF (a, b, c, d, x[12], S11, 0x6b901122); /* 13 */ - FF (d, a, b, c, x[13], S12, 0xfd987193); /* 14 */ - FF (c, d, a, b, x[14], S13, 0xa679438e); /* 15 */ - FF (b, c, d, a, x[15], S14, 0x49b40821); /* 16 */ - - /* Round 2 */ - GG (a, b, c, d, x[ 1], S21, 0xf61e2562); /* 17 */ - GG (d, a, b, c, x[ 6], S22, 0xc040b340); /* 18 */ - GG (c, d, a, b, x[11], S23, 0x265e5a51); /* 19 */ - GG (b, c, d, a, x[ 0], S24, 0xe9b6c7aa); /* 20 */ - GG (a, b, c, d, x[ 5], S21, 0xd62f105d); /* 21 */ - GG (d, a, b, c, x[10], S22, 0x2441453); /* 22 */ - GG (c, d, a, b, x[15], S23, 0xd8a1e681); /* 23 */ - GG (b, c, d, a, x[ 4], S24, 0xe7d3fbc8); /* 24 */ - GG (a, b, c, d, x[ 9], S21, 0x21e1cde6); /* 25 */ - GG (d, a, b, c, x[14], S22, 0xc33707d6); /* 26 */ - GG (c, d, a, b, x[ 3], S23, 0xf4d50d87); /* 27 */ - GG (b, c, d, a, x[ 8], S24, 0x455a14ed); /* 28 */ - GG (a, b, c, d, x[13], S21, 0xa9e3e905); /* 29 */ - GG (d, a, b, c, x[ 2], S22, 0xfcefa3f8); /* 30 */ - GG (c, d, a, b, x[ 7], S23, 0x676f02d9); /* 31 */ - GG (b, c, d, a, x[12], S24, 0x8d2a4c8a); /* 32 */ - - /* Round 3 */ - HH (a, b, c, d, x[ 5], S31, 0xfffa3942); /* 33 */ - HH (d, a, b, c, x[ 8], S32, 0x8771f681); /* 34 */ - HH 
(c, d, a, b, x[11], S33, 0x6d9d6122); /* 35 */ - HH (b, c, d, a, x[14], S34, 0xfde5380c); /* 36 */ - HH (a, b, c, d, x[ 1], S31, 0xa4beea44); /* 37 */ - HH (d, a, b, c, x[ 4], S32, 0x4bdecfa9); /* 38 */ - HH (c, d, a, b, x[ 7], S33, 0xf6bb4b60); /* 39 */ - HH (b, c, d, a, x[10], S34, 0xbebfbc70); /* 40 */ - HH (a, b, c, d, x[13], S31, 0x289b7ec6); /* 41 */ - HH (d, a, b, c, x[ 0], S32, 0xeaa127fa); /* 42 */ - HH (c, d, a, b, x[ 3], S33, 0xd4ef3085); /* 43 */ - HH (b, c, d, a, x[ 6], S34, 0x4881d05); /* 44 */ - HH (a, b, c, d, x[ 9], S31, 0xd9d4d039); /* 45 */ - HH (d, a, b, c, x[12], S32, 0xe6db99e5); /* 46 */ - HH (c, d, a, b, x[15], S33, 0x1fa27cf8); /* 47 */ - HH (b, c, d, a, x[ 2], S34, 0xc4ac5665); /* 48 */ - - /* Round 4 */ - II (a, b, c, d, x[ 0], S41, 0xf4292244); /* 49 */ - II (d, a, b, c, x[ 7], S42, 0x432aff97); /* 50 */ - II (c, d, a, b, x[14], S43, 0xab9423a7); /* 51 */ - II (b, c, d, a, x[ 5], S44, 0xfc93a039); /* 52 */ - II (a, b, c, d, x[12], S41, 0x655b59c3); /* 53 */ - II (d, a, b, c, x[ 3], S42, 0x8f0ccc92); /* 54 */ - II (c, d, a, b, x[10], S43, 0xffeff47d); /* 55 */ - II (b, c, d, a, x[ 1], S44, 0x85845dd1); /* 56 */ - II (a, b, c, d, x[ 8], S41, 0x6fa87e4f); /* 57 */ - II (d, a, b, c, x[15], S42, 0xfe2ce6e0); /* 58 */ - II (c, d, a, b, x[ 6], S43, 0xa3014314); /* 59 */ - II (b, c, d, a, x[13], S44, 0x4e0811a1); /* 60 */ - II (a, b, c, d, x[ 4], S41, 0xf7537e82); /* 61 */ - II (d, a, b, c, x[11], S42, 0xbd3af235); /* 62 */ - II (c, d, a, b, x[ 2], S43, 0x2ad7d2bb); /* 63 */ - II (b, c, d, a, x[ 9], S44, 0xeb86d391); /* 64 */ - - state[0] += a; - state[1] += b; - state[2] += c; - state[3] += d; - - /* Zeroize sensitive information. -*/ - MD5_memset ((POINTER)x, 0, sizeof (x)); -} - -/* Encodes input (UINT4) into output (unsigned char). Assumes len is - a multiple of 4. 
- */ -static void Encode (unsigned char *output, UINT4 *input, unsigned len) -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) { - output[j] = (unsigned char)(input[i] & 0xff); - output[j+1] = (unsigned char)((input[i] >> 8) & 0xff); - output[j+2] = (unsigned char)((input[i] >> 16) & 0xff); - output[j+3] = (unsigned char)((input[i] >> 24) & 0xff); - } -} - -/* Decodes input (unsigned char) into output (UINT4). Assumes len is - a multiple of 4. - */ -static void Decode (UINT4 *output, const unsigned char *input, unsigned len) -{ - unsigned int i, j; - - for (i = 0, j = 0; j < len; i++, j += 4) - output[i] = ((UINT4)input[j]) | (((UINT4)input[j+1]) << 8) | - (((UINT4)input[j+2]) << 16) | (((UINT4)input[j+3]) << 24); -} - -/* Note: Replace "for loop" with standard memcpy if possible. - */ - -static void MD5_memcpy (POINTER output, CONSTPOINTER input, unsigned len) -{ - unsigned int i; - - for (i = 0; i < len; i++) - output[i] = input[i]; -} - -/* Note: Replace "for loop" with standard memset if possible. - */ -static void MD5_memset (POINTER output, int value, unsigned len) -{ - unsigned int i; - - for (i = 0; i < len; i++) - ((char *)output)[i] = (char)value; -} diff --git a/src/libs/md5.h b/src/libs/md5.h deleted file mode 100644 index 9209cde..0000000 --- a/src/libs/md5.h +++ /dev/null 
@@ -1,94 +0,0 @@ -#ifndef _LRAD_MD5_H -#define _LRAD_MD5_H - -#ifndef _LRAD_PROTO_H -#define _LRAD_PROTO_H -/* GLOBAL.H - RSAREF types and constants - */ - -/* PROTOTYPES should be set to one if and only if the compiler supports - function argument prototyping. - The following makes PROTOTYPES default to 0 if it has not already - been defined with C compiler flags. - */ -#ifndef PROTOTYPES -# if __STDC__ -# define PROTOTYPES 1 -# else -# define PROTOTYPES 0 -# endif -#endif - -/* POINTER defines a generic pointer type */ -#ifndef _POINTER_T -typedef unsigned char *POINTER; -#endif -typedef const unsigned char *CONSTPOINTER; - -/* UINT2 defines a two byte word */ -#ifndef _UINT2_T -typedef unsigned short int UINT2; -#endif - -/* UINT4 defines a four byte word */ -#ifndef _UINT4_T -typedef unsigned int UINT4; -#endif - -/* PROTO_LIST is defined depending on how PROTOTYPES is defined above. - If using PROTOTYPES, then PROTO_LIST returns the list, otherwise it - returns an empty list. - */ -#if PROTOTYPES -#define PROTO_LIST(list) list -#else -#define PROTO_LIST(list) () -#endif -#endif /* _LRAD_PROTO_H */ - -/* - * FreeRADIUS defines to ensure globally unique MD5 function names, - * so that we don't pick up vendor-specific broken MD5 libraries. - */ -#define MD5_CTX librad_MD5_CTX -#define MD5Init librad_MD5Init -#define MD5Update librad_MD5Update -#define MD5Final librad_MD5Final - -/* MD5.H - header file for MD5C.C - */ - -/* Copyright (C) 1991-2, RSA Data Security, Inc. Created 1991. All -rights reserved. - -License to copy and use this software is granted provided that it -is identified as the "RSA Data Security, Inc. MD5 Message-Digest -Algorithm" in all material mentioning or referencing this software -or this function. - -License is also granted to make and use derivative works provided -that such works are identified as "derived from the RSA Data -Security, Inc. MD5 Message-Digest Algorithm" in all material -mentioning or referencing the derived work. 
-
-RSA Data Security, Inc. makes no representations concerning either
-the merchantability of this software or the suitability of this
-software for any particular purpose. It is provided "as is"
-without express or implied warranty of any kind.
-
-These notices must be retained in any copies of any part of this
-documentation and/or software.
- */
-
-/* MD5 context. */
-typedef struct {
- UINT4 state[4]; /* state (ABCD) */
- UINT4 count[2]; /* number of bits, modulo 2^64 (lsb first) */
- unsigned char buffer[64]; /* input buffer */
-} MD5_CTX;
-
-void MD5Init PROTO_LIST ((MD5_CTX *));
-void MD5Update PROTO_LIST
- ((MD5_CTX *, const unsigned char *, unsigned int));
-void MD5Final PROTO_LIST ((unsigned char [16], MD5_CTX *));
-#endif /* _LRAD_MD5_H */
diff --git a/src/plugins/SSLPlugin/CMakeLists.txt b/src/plugins/SSLPlugin/CMakeLists.txt
deleted file mode 100644
index 30b4e13..0000000
--- a/src/plugins/SSLPlugin/CMakeLists.txt
+++ /dev/null
@@ -1,17 +0,0 @@
-# SSLPlugin - requires OpenSSL
-
-if(NOT TARGET OpenSSL::SSL)
- message(STATUS "SSLPlugin requires OpenSSL, skipping")
- return()
-endif()
-
-add_3proxy_plugin(SSLPlugin
- SOURCES
- ssl_plugin.c
- my_ssl.c
- LIBRARIES
- OpenSSL::SSL
- OpenSSL::Crypto
- COMPILE_DEFINITIONS
- WITH_SSL
-)
diff --git a/src/plugins/SSLPlugin/Makefile b/src/plugins/SSLPlugin/Makefile
deleted file mode 100644
index e7c51ad..0000000
--- a/src/plugins/SSLPlugin/Makefile
+++ /dev/null
@@ -1 +0,0 @@
-include Makefile.var
diff --git a/src/plugins/SSLPlugin/Makefile.inc b/src/plugins/SSLPlugin/Makefile.inc
deleted file mode 100644
index 1afc984..0000000
--- a/src/plugins/SSLPlugin/Makefile.inc
+++ /dev/null
@@ -1,14 +0,0 @@
-all: $(BUILDDIR)SSLPlugin$(DLSUFFICS)
-
-
-
-ssl_plugin$(OBJSUFFICS): ssl_plugin.c
- $(CC) $(DCFLAGS) $(CFLAGS) ssl_plugin.c
-
-my_ssl$(OBJSUFFICS): my_ssl.c
- $(CC) $(DCFLAGS) $(CFLAGS) my_ssl.c
-
-
-$(BUILDDIR)SSLPlugin$(DLSUFFICS): ssl_plugin$(OBJSUFFICS) my_ssl$(OBJSUFFICS)
- $(LN) $(LNOUT)../../$(BUILDDIR)SSLPlugin$(DLSUFFICS) $(LDFLAGS) $(DLFLAGS) ssl_plugin$(OBJSUFFICS) my_ssl$(OBJSUFFICS) $(LIBS)
-
\ No newline at end of file
diff --git a/src/proxy.h b/src/proxy.h
index a692a57..245f12a 100644
--- a/src/proxy.h
+++ b/src/proxy.h
@@ -15,6 +15,12 @@
 #ifndef _3PROXY_H_
 #define _3PROXY_H_
 #include "version.h"
+
+#ifndef WITH_SSL
+#ifndef NORADIUS
+#define NORADIUS
+#endif
+#endif
 #include
 #include
 #include
@@ -232,7 +238,9 @@ extern int paused;
 extern int demon;
 unsigned char * mycrypt(const unsigned char *key, const unsigned char *salt, unsigned char *buf);
+#ifdef WITH_SSL
 unsigned char * ntpwdhash (unsigned char *szHash, const unsigned char *szPassword, int tohex);
+#endif
 int de64 (const unsigned char *in, unsigned char *out, int maxlen);
 unsigned char* en64 (const unsigned char *in, unsigned char *out, int inlen);
 void tohex(unsigned char *in, unsigned char *out, int len);
diff --git a/src/plugins/SSLPlugin/ssl_plugin.c b/src/ssl.c
similarity index 96%
rename from src/plugins/SSLPlugin/ssl_plugin.c
rename to src/ssl.c
index 8d5a4ed..d2a1bd6 100644
--- a/src/plugins/SSLPlugin/ssl_plugin.c
+++ b/src/ssl.c
@@ -5,23 +5,19 @@
 */
-#include "../../structures.h"
+#include "structures.h"
 #include
 #include
 #include
 #include
 #include
-#include "../../proxy.h"
-#include "my_ssl.h"
+#include "proxy.h"
+#include "ssl.h"
 #ifndef _WIN32
 #define WINAPI
 #endif
-#ifdef __cplusplus
-extern "C" {
-#endif
-
 #ifndef isnumber
 #define isnumber(i_n_arg) ((i_n_arg>='0')&&(i_n_arg<='9'))
 #endif
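Review bot: The `#ifndef WITH_SSL` / `#define NORADIUS` block added to proxy.h silently disables RADIUS for any build without OpenSSL, and nothing in the header says why. Presumably the reason is that this commit deletes the bundled src/libs/md4.c and md5.c and now fetches those digests from OpenSSL in ssllib.c, so the RADIUS and ntpwdhash code paths have no MD4/MD5 implementation without WITH_SSL; a comment such as `/* MD4/MD5 now come from OpenSSL (ssllib.c); without WITH_SSL the RADIUS and NT-hash code has no digest and is compiled out */` above the block would record that for the next reader. The same rationale applies to the `#ifdef WITH_SSL` guards around ntpwdhash in the second proxy.h hunk and around pwnt_table in structures.h, which are otherwise unexplained. Since NORADIUS is defined rather than erroring, consider a `#warning` or a configure-time message so that losing RADIUS support is visible at build time instead of at runtime.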
@@ -62,11 +58,6 @@ static char * server_cipher_list = NULL;
 static char * client_sni = NULL;
 static int client_mode = 0;
-typedef struct _ssl_conn {
- SSL_CTX *ctx;
- SSL *ssl;
-} ssl_conn;
-
 struct SSLsock {
 SOCKET s;
@@ -92,8 +83,8 @@ static struct SSLsock *searchSSL(void* state, SOCKET s){
 #define SOSTATE ((struct SSLstate *)(param->sostate))
 static void addSSL(
- SOCKET cli_s, SSL_CONN cli_conn,
- SOCKET srv_s, SSL_CONN srv_conn,
+ SOCKET cli_s, SSL_CONN cli_conn,
+ SOCKET srv_s, SSL_CONN srv_conn,
 struct clientparam* param){
 if(!param->sostate) return;
 if (cli_s != INVALID_SOCKET){
@@ -264,7 +255,7 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 }
 if(hostname && *hostname && config->client_verify){
 X509_VERIFY_PARAM *param;
-
+
 param = SSL_get0_param(conn->ssl);
 X509_VERIFY_PARAM_set1_host(param, hostname, strlen(hostname));
 }
@@ -305,7 +296,7 @@ SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config,
 if(server_cert){
 X509 *cert;
- cert = SSL_get_peer_certificate(conn->ssl);
+ cert = SSL_get_peer_certificate(conn->ssl);
 if(!cert) {
 ssl_conn_free(conn);
 return NULL;
@@ -375,7 +366,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
 return NULL;
 }
- cert = SSL_get_peer_certificate(conn->ssl);
+ cert = SSL_get_peer_certificate(conn->ssl);
 if ( cert != NULL )
 X509_free(cert);
@@ -424,7 +415,7 @@ int domitm(struct clientparam* param){
 }
 ClientConn = ssl_handshake_to_client(param->clisock, PCONF, FakeCert, PCONF->server_key?PCONF->server_key:PCONF->CA_key, &errSSL);
-
+
 _ssl_cert_free(FakeCert);
 if ( ClientConn == NULL ) {
 param->res = 8012;
@@ -462,7 +453,7 @@ int docli(struct clientparam* param){
 X509 * getCert (const char *fname){
 BIO *f;
 X509 *CA_cert;
-
+
 f = BIO_new_file(fname, "r");
 if(!f) return NULL;
 CA_cert=PEM_read_bio_X509(f, NULL, NULL, NULL);
@@ -478,7 +469,7 @@ EVP_PKEY * getKey(const char *fname){
 if(!f) return NULL;
 key = PEM_read_bio_PrivateKey(f, NULL, NULL, NULL);
 BIO_free(f);
-
+
 return key;
 }
@@ -532,8 +523,8 @@ SSL_CTX * ssl_cli_ctx(SSL_CONFIG *config, X509 *server_cert, EVP_PKEY *server_ke
 else if(config->server_ca_store){
 SSL_CTX_load_verify_store(ctx, config->server_ca_store);
 }
-#endif
- else
+#endif
+ else
 SSL_CTX_set_default_verify_paths(ctx);
 SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|SSL_VERIFY_CLIENT_ONCE, NULL);
 }
@@ -545,7 +536,7 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 char fname[256];
 char *errSSL;
 struct ssl_config *sc;
-
+
 sc = malloc(sizeof(struct ssl_config));
 if(!sc) return NULL;
 memset(sc, 0, sizeof(struct ssl_config));
@@ -689,8 +680,8 @@ static void* ssl_filter_open(void * idata, struct srvparam * srv){
 else if(sc->client_ca_store){
 SSL_CTX_load_verify_store(sc->srv_ctx, sc->client_ca_store);
 }
-#endif
- else
+#endif
+ else
 SSL_CTX_set_default_verify_paths(sc->srv_ctx);
 SSL_CTX_set_verify(sc->srv_ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
 }
@@ -777,7 +768,7 @@ static FILTER_ACTION ssl_parent(struct clientparam * param){
 static void ssl_filter_clear(void *state){
 struct clientparam *param;
-
+
 if(!state) return;
 param = STATE->param;
 free(state);
@@ -834,13 +825,13 @@ static struct filter ssl_filter = {
 "ssl_filter",
 ssl_filter_open,
 ssl_filter_client,
- NULL,
- ssl_filter_connect,
- ssl_filter_afterauth,
- NULL, NULL,
+ NULL,
+ ssl_filter_connect,
+ ssl_filter_afterauth,
+ NULL, NULL,
 ssl_filter_predata, NULL, NULL,
- ssl_filter_clear,
+ ssl_filter_clear,
 ssl_filter_close
 };
@@ -1027,7 +1018,7 @@ static int h_client_alpn(int argc, unsigned char **argv){
 for(len = 0, i = 1; i < argc; i++){
 int l;
-
+
 l = strlen((char *)argv[i]);
 if(l >= 255) return 2;
 client_alpn_protos.protos[len++] = l;
@@ -1084,7 +1075,7 @@ int string_to_version(unsigned char *ver){
 if(!strcasecmp(versions[i].sver, (char *)ver)) return versions[i].iver;
 }
 return 0;
-}
+}
 static int h_client_min_proto_version(int argc, unsigned char **argv){
 client_min_proto_version = argc>1? string_to_version(argv[1]) : 0;
@@ -1178,21 +1169,13 @@ static struct symbol ssl_symbols[] = {
 };
-
-
-#ifdef WATCOM
-#pragma aux ssl_plugin "*" parm caller [ ] value struct float struct routine [eax] modify [eax ecx edx]
-#undef PLUGINCALL
-#define PLUGINCALL
-#endif
-
-PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
- int argc, char** argv){
-
+void ssl_install(void){
 h_nomitm(0, NULL);
 h_noserv(0, NULL);
 h_nocli(0, NULL);
- pl = pluginlink;
+ pl = &pluginlink;
 free(certcache);
 certcache = NULL;
@@ -1244,18 +1227,13 @@ PLUGINAPI int PLUGINCALL ssl_plugin (struct pluginlink * pluginlink,
 pl->symbols.next = ssl_symbols;
 }
- tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");
- if(!tcppmfunc){return 13;}
- proxyfunc = (PROXYFUNC)pl->findbyname("proxy");
+ tcppmfunc = (PROXYFUNC)pl->findbyname("tcppm");
+ if(!tcppmfunc) return;
+ proxyfunc = (PROXYFUNC)pl->findbyname("proxy");
 if(!proxyfunc)proxyfunc = tcppmfunc;
- smtppfunc = (PROXYFUNC)pl->findbyname("smtpp");
+ smtppfunc = (PROXYFUNC)pl->findbyname("smtpp");
 if(!smtppfunc)smtppfunc = tcppmfunc;
- ftpprfunc = (PROXYFUNC)pl->findbyname("ftppr");
+ ftpprfunc = (PROXYFUNC)pl->findbyname("ftppr");
 if(!ftpprfunc)ftpprfunc = tcppmfunc;
- return 0;
-
 }
-#ifdef __cplusplus
-}
-#endif
diff --git a/src/plugins/SSLPlugin/my_ssl.h b/src/ssl.h
similarity index 89%
rename from src/plugins/SSLPlugin/my_ssl.h
rename to src/ssl.h
index 3f2cc51..ff7468a 100644
--- a/src/plugins/SSLPlugin/my_ssl.h
+++ b/src/ssl.h
@@ -1,5 +1,5 @@
-#ifndef __my_ssl_h__
-#define __my_ssl_h__
+#ifndef __ssl_h__
+#define __ssl_h__
 //
 // opaque connection structure
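Review bot: `if(!tcppmfunc) return;` in ssl_install turns what used to be a reportable failure (`return 13` from ssl_plugin) into a silent one: by that point `pl->symbols.next = ssl_symbols` has already been chained in and the h_nomitm/h_noserv/h_nocli handlers have run, yet proxyfunc, smtppfunc and ftpprfunc stay unset and nothing is logged. Since the function now returns void, at least emit a diagnostic before bailing out, e.g. `if(!tcppmfunc){ fprintf(stderr, "ssl_install: tcppm service not registered\n"); return; }`, or keep an int return so the caller in 3proxy.c can refuse to start with a half-installed TLS layer. The body of ssl_install begins in the preceding hunk (`@@ -1178`), and its caller is outside this diff, so whether the missing service can actually occur at that call site cannot be judged here.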
@@ -10,6 +10,11 @@ typedef void *SSL_CONN;
 //
 typedef void *SSL_CERT;
+typedef struct _ssl_conn {
+ SSL_CTX *ctx;
+ SSL *ssl;
+} ssl_conn;
+
 struct alpn {
 unsigned char *protos;
 unsigned int protos_len;
@@ -65,7 +70,7 @@ SSL_CONN ssl_handshake_to_client(SOCKET s, SSL_CONFIG *config, X509 *server_cert
 SSL_CONN ssl_handshake_to_server(SOCKET s, char * hostname, SSL_CONFIG *config, SSL_CERT *server_cert, char **errSSL);
 //
-// SSL/TLS Read/Write
+// SSL/TLS Read/Write
 //
 int ssl_read(SSL_CONN connection, void * buf, int bufsize);
 int ssl_write(SSL_CONN connection, void * buf, int bufsize);
@@ -83,5 +88,10 @@ void _ssl_cert_free(SSL_CERT cert);
 void ssl_init(void);
 char * getSSLErr(void);
+//
+// Built-in SSL installation (called from 3proxy.c)
+//
+void ssl_install(void);
+
 extern struct sockfuncs sso;
-#endif // __my_ssl_h__
\ No newline at end of file
+#endif // __ssl_h__
diff --git a/src/plugins/SSLPlugin/my_ssl.c b/src/ssllib.c
similarity index 86%
rename from src/plugins/SSLPlugin/my_ssl.c
rename to src/ssllib.c
index f76bd52..8f08e83 100644
--- a/src/plugins/SSLPlugin/my_ssl.c
+++ b/src/ssllib.c
@@ -7,7 +7,7 @@
 #define _CRT_SECURE_NO_WARNINGS
-#include "../../structures.h"
+#include "structures.h"
 #include
 #include
 #ifndef _WIN32
@@ -20,27 +20,21 @@
 #include
 #include
 #include
+#include
-#include "../../proxy.h"
-#include "my_ssl.h"
+#include "proxy.h"
+#include "ssl.h"
-
-
-typedef struct _ssl_conn {
- SSL_CTX *ctx;
- SSL *ssl;
-} ssl_conn;
-
 _3proxy_mutex_t ssl_file_mutex;
 static char errbuf[256];
-static char hexMap[] = {
- '0', '1', '2', '3', '4', '5', '6', '7',
+static char hexMap[] = {
+ '0', '1', '2', '3', '4', '5', '6', '7',
 '8', '9', 'A', 'B', 'C', 'D', 'E', 'F'
- };
+ };
 static BIO *bio_err=NULL;
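Review bot: Moving `typedef struct _ssl_conn { SSL_CTX *ctx; SSL *ssl; } ssl_conn;` into ssl.h publishes the connection layout that the header's own comment a few lines above still describes as an "opaque connection structure", while `SSL_CONN` stays `typedef void *` and callers keep casting. Every file that includes ssl.h now also needs `SSL_CTX` and `SSL` declared before the typedef, so proxy-side includers become tied to the OpenSSL headers; whether ssl.h pulls those in itself is not visible in this hunk. If the struct is only shared between ssl.c and ssllib.c, a forward declaration `struct _ssl_conn;` in ssl.h with the definition left in ssllib.c (or a small private header) keeps the boundary; otherwise the "opaque" comment should be updated to say the layout is shared with ssl.c.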
@@ -50,25 +44,25 @@ char * getSSLErr(){
 return ERR_error_string(ERR_get_error(), errbuf);
 }
-static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length)
+static size_t bin2hex (const unsigned char* bin, size_t bin_length, char* str, size_t str_length)
 {
 char *p;
 size_t i;
-
- if ( str_length < ( (bin_length*2)+1) )
- return 0;
- p = str;
- for ( i=0; i < bin_length; ++i )
- {
- *p++ = hexMap[(*(unsigned char *)bin) >> 4];
- *p++ = hexMap[(*(unsigned char *)bin) & 0xf];
+ if ( str_length < ( (bin_length*2)+1) )
+ return 0;
+
+ p = str;
+ for ( i=0; i < bin_length; ++i )
+ {
+ *p++ = hexMap[(*(unsigned char *)bin) >> 4];
+ *p++ = hexMap[(*(unsigned char *)bin) & 0xf];
 ++bin;
- }
-
- *p = 0;
+ }
- return p - str;
+ *p = 0;
+
+ return p - str;
 }
 static int add_ext(X509 *cert, int nid, char *value)
@@ -227,11 +221,11 @@ void _ssl_cert_free(SSL_CERT cert)
 }
-
-/* This array will store all of the mutexes available to OpenSSL. */
+
+/* This array will store all of the mutexes available to OpenSSL. */
 static _3proxy_mutex_t *mutex_buf= NULL;
-
-
+
+
 static void locking_function(int mode, int n, const char * file, int line)
 {
 if (mode & CRYPTO_LOCK)
@@ -239,7 +233,7 @@ static void locking_function(int mode, int n, const char * file, int line)
 else
 _3proxy_mutex_unlock(mutex_buf + n);
 }
-
+
 static unsigned long id_function(void)
 {
 #ifdef _WIN32
@@ -248,11 +242,11 @@ static unsigned long id_function(void)
 return ((unsigned long)pthread_self());
 #endif
 }
-
+
 int thread_setup(void)
 {
 int i;
-
+
 mutex_buf = malloc(CRYPTO_num_locks( ) * sizeof(_3proxy_mutex_t));
 if (!mutex_buf)
 return 0;
@@ -262,11 +256,11 @@ int thread_setup(void)
 CRYPTO_set_locking_callback(locking_function);
 return 1;
 }
-
+
 int thread_cleanup(void)
 {
 int i;
-
+
 if (!mutex_buf)
 return 0;
 CRYPTO_set_id_callback(NULL);
@@ -284,15 +278,31 @@ int ssl_file_init = 0;
 int ssl_init_done = 0;
+OSSL_LIB_CTX *library_ctx = NULL;
+extern EVP_MD *md4;
+extern EVP_MD *md5;
+
+
 void ssl_init() {
 if(!ssl_init_done){
+ ssl_init_done = 1;
 thread_setup();
 SSLeay_add_ssl_algorithms();
 SSL_load_error_strings();
 _3proxy_mutex_init(&ssl_file_mutex);
 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
- }
+ library_ctx = OSSL_LIB_CTX_new();
+ OSSL_PROVIDER_load(library_ctx, "legacy");
+ OSSL_PROVIDER_load(library_ctx, "default");
+ md4 = EVP_MD_fetch(library_ctx, "MD4", NULL);
+ if (md4 == NULL) {
+ printf("Error fetching MD4\n");
+ }
+ md5 = EVP_MD_fetch(library_ctx, "MD5", NULL);
+ if (md5 == NULL) {
+ printf("Error fetching MD5\n");
+ }
+ }
 }
-
diff --git a/src/structures.h b/src/structures.h
index 225c1f2..602c178 100644
--- a/src/structures.h
+++ b/src/structures.h
@@ -771,7 +771,9 @@ extern struct hashtable dns_table;
 extern struct hashtable dns6_table;
 extern struct hashtable auth_table;
 extern struct hashtable pw_table;
+#ifdef WITH_SSL
 extern struct hashtable pwnt_table;
+#endif
 extern struct hashtable pwcr_table;
 extern struct hashtable udp_table;
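Review bot: The new provider and digest setup in ssl_init never checks its results: `OSSL_LIB_CTX_new()` can return NULL, both `OSSL_PROVIDER_load()` handles are discarded (NULL on failure, and never available for unloading), and a missing legacy provider only produces `printf("Error fetching MD4\n")` on stdout before execution continues with `md4`/`md5` left NULL for whatever later passes them to EVP calls (their definitions and uses are outside this diff). Those messages also bypass the `bio_err` the same block just created and omit the OpenSSL error text even though `getSSLErr()` is defined in this file. Loading "legacy" into a private `library_ctx` rather than the default context is the right shape, since it confines MD4 to the two fetches here; the rewrite below keeps that and adds the checks, and the fetched `EVP_MD` handles plus `library_ctx` still need `EVP_MD_free`/`OSSL_LIB_CTX_free` on a shutdown path (thread_cleanup would be the natural place). Note that `OSSL_LIB_CTX_new`/`EVP_MD_fetch` exist only in OpenSSL 3.0 and later while `SSLeay_add_ssl_algorithms`/`SSL_load_error_strings` are deprecated compatibility names, so this build now hard-requires OpenSSL 3; unless a version check lives elsewhere, an `#if OPENSSL_VERSION_NUMBER < 0x30000000L` `#error` at the top of ssllib.c would fail more clearly than an undefined-symbol error.
```c
void ssl_init() {
	if(!ssl_init_done){
		ssl_init_done = 1;
		/* … unchanged: thread_setup(), algorithm/error-string setup, ssl_file_mutex, bio_err … */
		library_ctx = OSSL_LIB_CTX_new();
		if (library_ctx == NULL
		    || OSSL_PROVIDER_load(library_ctx, "default") == NULL) {
			BIO_printf(bio_err, "ssl_init: OpenSSL library context unavailable: %s\n", getSSLErr());
			return;
		}
		/* MD4 is only provided by the legacy provider; it stays confined to this private context */
		if (OSSL_PROVIDER_load(library_ctx, "legacy") == NULL)
			BIO_printf(bio_err, "ssl_init: legacy provider not loaded: %s\n", getSSLErr());
		md4 = EVP_MD_fetch(library_ctx, "MD4", NULL);
		if (md4 == NULL)
			BIO_printf(bio_err, "ssl_init: MD4 unavailable: %s\n", getSSLErr());
		md5 = EVP_MD_fetch(library_ctx, "MD5", NULL);
		if (md5 == NULL)
			BIO_printf(bio_err, "ssl_init: MD5 unavailable: %s\n", getSSLErr());
	}
}
```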