From 8c638fcaffcef843f5638e9f1e353198eca0aeb1 Mon Sep 17 00:00:00 2001 From: Vladimir Dubrovin <3proxy@3proxy.ru> Date: Fri, 8 May 2026 16:45:44 +0300 Subject: [PATCH] Revert usage of OpenSSL blake2 implementation --- CMakeLists.txt | 8 ++----- src/3proxy_crypt.c | 56 ++++++--------------------------------------- src/Makefile.inc | 6 ++--- src/auth.c | 10 ++++---- src/blake2_compat.h | 27 ---------------------- src/conf.c | 10 ++++---- src/hashtables.c | 50 ++++++++++++++++++++++------------------ 7 files changed, 52 insertions(+), 115 deletions(-) delete mode 100644 src/blake2_compat.h diff --git a/CMakeLists.txt b/CMakeLists.txt index ef0b8df..3677933 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -414,9 +414,7 @@ add_executable(3proxy $ $ ) -if(NOT OpenSSL_FOUND) - target_sources(3proxy PRIVATE ${MD_SOURCES}) -endif() +target_sources(3proxy PRIVATE ${MD_SOURCES}) if(OpenSSL_FOUND) target_sources(3proxy PRIVATE src/ssllib.c src/ssl.c) @@ -523,9 +521,7 @@ add_executable(3proxy_crypt src/3proxy_crypt.c $ ) -if(NOT OpenSSL_FOUND) - target_sources(3proxy_crypt PRIVATE ${MD_SOURCES}) -endif() +target_sources(3proxy_crypt PRIVATE ${MD_SOURCES}) target_compile_definitions(3proxy_crypt PRIVATE WITHMAIN) target_include_directories(3proxy_crypt PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/src diff --git a/src/3proxy_crypt.c b/src/3proxy_crypt.c index 9587583..1bcab05 100644 --- a/src/3proxy_crypt.c +++ b/src/3proxy_crypt.c @@ -5,7 +5,7 @@ please read License Agreement */ -#include "blake2_compat.h" +#include "libs/blake2.h" #ifdef WITH_SSL #include #if OPENSSL_VERSION_NUMBER >= 0x30000000L 
@@ -33,50 +33,6 @@ EVP_MD *md4_hash = NULL; EVP_MD *md5_hash = NULL; #endif -#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L -int blake2b_init_3p(blake2b_state *S, size_t outlen) { - *S = EVP_MD_CTX_new(); - if (!*S) return -1; - (void)outlen; - if (!EVP_DigestInit_ex(*S, EVP_blake2b512(), NULL)) { - EVP_MD_CTX_free(*S); - *S = NULL; - return -1; - } - return 0; -} - -int blake2b_update_3p(blake2b_state *S, const void *in, size_t inlen) { - if (inlen == 0) return 0; - return EVP_DigestUpdate(*S, in, inlen) ? 0 : -1; -} - -int blake2b_final_3p(blake2b_state *S, void *out, size_t outlen) { - unsigned char tmp[64]; - unsigned int len = 0; - int ret = EVP_DigestFinal_ex(*S, tmp, &len) ? 0 : -1; - memset(out, 0, outlen); - if (ret == 0) memcpy(out, tmp, outlen); - EVP_MD_CTX_free(*S); - *S = NULL; - return ret; -} -#else -int blake2b_final_3p(blake2b_state *S, void *out, size_t outlen) { - int res; - - if(outlen < 64){ - unsigned char tmp[64]; - res = blake2b_final(S, tmp, 64); - memcpy(out, tmp, outlen > 64? 64 : outlen); - return res; - } - res = blake2b_final(S, out, 64); - if(outlen > 64) memset(out + 64, 0, outlen - 64); - return res; -} -#endif /* WITH_SSL && OPENSSL >= 1.1 */ - void _crypt_to64(unsigned char *s, unsigned long v, int n) { @@ -234,13 +190,15 @@ unsigned char * mycrypt(const unsigned char *pw, const unsigned char *salt, unsi magic = (unsigned char *)"$3$"; { blake2b_state S; - if(blake2b_init_3p(&S, MD5_SIZE) != 0 || - blake2b_update_3p(&S, pw, strlen((char *)pw) + 1) != 0 || - blake2b_update_3p(&S, sp, sl) != 0 || - blake2b_final_3p(&S, final, MD5_SIZE) != 0) { + unsigned char _b2tmp[64]; + if(blake2b_init(&S, 64) != 0 || + blake2b_update(&S, pw, strlen((char *)pw) + 1) != 0 || + blake2b_update(&S, sp, sl) != 0 || + blake2b_final(&S, _b2tmp, 64) != 0) { *passwd = 0; return NULL; } + memcpy(final, _b2tmp, MD5_SIZE); } } else { diff --git a/src/Makefile.inc b/src/Makefile.inc index 8ffcf40..f949826 100644 --- a/src/Makefile.inc 
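Review bot: The `memcpy(final, _b2tmp, MD5_SIZE)` added in the mycrypt hunk (`@@ -234,13 +190,15 @@`) truncates a 64-byte BLAKE2b digest, but nothing says that this truncation is part of the stored `$3$` format. BLAKE2b mixes the requested digest length into its parameter block, so a later "simplification" to `blake2b_init(&S, MD5_SIZE)` would produce different bytes and existing password entries would stop verifying. A comment above the block would protect that, for example `/* $3$: first MD5_SIZE bytes of BLAKE2b-512 over pw (with its NUL) followed by the sl bytes at sp; do not shorten the init length */`. `_b2tmp` also leaves the full password-derived digest on the stack after return, so wiping it with whatever secure-clear primitive the project already has is worth considering. mycrypt begins and ends outside this hunk.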
+++ b/src/Makefile.inc @@ -128,7 +128,7 @@ redirect$(OBJSUFFICS): redirect.c proxy.h structures.h hash$(OBJSUFFICS): hash.c proxy.h structures.h $(CC) $(COUT)hash$(OBJSUFFICS) $(CFLAGS) hash.c -hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h blake2_compat.h +hashtables$(OBJSUFFICS): hashtables.c proxy.h structures.h libs/blake2.h $(CC) $(COUT)hashtables$(OBJSUFFICS) $(CFLAGS) hashtables.c resolve$(OBJSUFFICS): resolve.c proxy.h structures.h @@ -146,10 +146,10 @@ log$(OBJSUFFICS): log.c proxy.h structures.h datatypes$(OBJSUFFICS): datatypes.c proxy.h structures.h $(CC) $(COUT)datatypes$(OBJSUFFICS) $(CFLAGS) datatypes.c -3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c blake2_compat.h +3proxy_crypt$(OBJSUFFICS): 3proxy_crypt.c libs/blake2.h $(CC) $(COUT)3proxy_crypt$(OBJSUFFICS) $(CFLAGS) 3proxy_crypt.c -3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c blake2_compat.h +3proxy_cryptmain$(OBJSUFFICS): 3proxy_crypt.c libs/blake2.h $(CC) $(COUT)3proxy_cryptmain$(OBJSUFFICS) $(CFLAGS) $(DEFINEOPTION)WITHMAIN 3proxy_crypt.c blake2$(OBJSUFFICS): libs/blake2b-ref.c diff --git a/src/auth.c b/src/auth.c index be26861..837fdab 100644 --- a/src/auth.c +++ b/src/auth.c @@ -7,7 +7,7 @@ */ #include "proxy.h" -#include "blake2_compat.h" +#include "libs/blake2.h" void initbandlims(struct clientparam *param); @@ -231,12 +231,14 @@ int strongauth(struct clientparam * param){ if(!strncmp(pass + 1, (char *)param->password, pwl_table.recsize - 1)) return 0; } else { blake2b_state S; + unsigned char _b2tmp[64]; unsigned hashsz; hashsz = pwl_table.recsize - 1 < 64 ? pwl_table.recsize - 1 : 64; memset(buf, 0, pwl_table.recsize - 1); - blake2b_init_3p(&S, hashsz); - blake2b_update_3p(&S, param->password, pwlen + 1); - blake2b_final_3p(&S, buf, hashsz); + blake2b_init(&S, 64); + blake2b_update(&S, param->password, pwlen + 1); + blake2b_final(&S, _b2tmp, 64); + memcpy(buf, _b2tmp, hashsz); if(!memcmp(pass + 1, buf, pwl_table.recsize - 1)) return 0; } return 6; 
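Review bot: The three BLAKE2b calls added in strongauth (`@@ -231,12 +231,14 @@`) ignore their return values, unlike the mycrypt hunk in src/3proxy_crypt.c, which checks every one. If any call fails, `_b2tmp` is uninitialized when it is copied into `buf` and compared with the stored hash, so the authentication decision would rest on leftover stack contents. Folding the calls into one condition, e.g. `if(blake2b_init(&S, 64) || blake2b_update(&S, param->password, pwlen + 1) || blake2b_final(&S, _b2tmp, 64)) return 6;`, turns a hashing failure into a rejection (assuming 6 is the mismatch code, as the `return 6;` below suggests). The same unchecked sequence appears in h_users in src/conf.c, where a failure would store stack garbage as the credential, and in char_index2hash, param2hash_add and udpparam2hash in src/hashtables.c. strongauth's body continues outside the hunk.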
diff --git a/src/blake2_compat.h b/src/blake2_compat.h deleted file mode 100644 index 62f5564..0000000 --- a/src/blake2_compat.h +++ /dev/null @@ -1,27 +0,0 @@ -#ifndef BLAKE2_COMPAT_H -#define BLAKE2_COMPAT_H - -#if defined(WITH_SSL) -#include -#endif - -#if defined(WITH_SSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L - -#include - -typedef EVP_MD_CTX *blake2b_state; - -int blake2b_init_3p(blake2b_state *S, size_t outlen); -int blake2b_update_3p(blake2b_state *S, const void *in, size_t inlen); - -#else - -#include "libs/blake2.h" - -#define blake2b_init_3p(A,b) blake2b_init(A,64) -#define blake2b_update_3p blake2b_update - -#endif -int blake2b_final_3p(blake2b_state *S, void *out, size_t outlen); - -#endif /* BLAKE2_COMPAT_H */ diff --git a/src/conf.c b/src/conf.c index 359d202..845b35a 100644 --- a/src/conf.c +++ b/src/conf.c @@ -7,7 +7,7 @@ */ #include "proxy.h" -#include "blake2_compat.h" +#include "libs/blake2.h" #ifdef WITH_SSL void ssl_install(void); #endif @@ -559,11 +559,13 @@ static int h_users(int argc, unsigned char **argv){ if((unsigned)l >= pwl_table.recsize) { if(*pass != CL) continue; blake2b_state S; + unsigned char _b2tmp[64]; unsigned hashsz; hashsz = pwl_table.recsize - 1 < 64 ? pwl_table.recsize - 1 : 64; - blake2b_init_3p(&S, hashsz); - blake2b_update_3p(&S, pw[1], l + 1); - blake2b_final_3p(&S, (uint8_t *)(pass + 1), hashsz); + blake2b_init(&S, 64); + blake2b_update(&S, pw[1], l + 1); + blake2b_final(&S, _b2tmp, 64); + memcpy((uint8_t *)(pass + 1), _b2tmp, hashsz); } else { memcpy(pass + 1, pw[1], l); } diff --git a/src/hashtables.c b/src/hashtables.c index 2b77cdf..5bcb1f3 100644 --- a/src/hashtables.c +++ b/src/hashtables.c @@ -1,5 +1,5 @@ #include "proxy.h" -#include "blake2_compat.h" +#include "libs/blake2.h" static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *hash){ 
@@ -10,9 +10,11 @@ static void char_index2hash(const struct hashtable *ht, void *index, uint8_t *ha memset(hash, 0, ht->hash_size); if(len <= ht->hash_size) memcpy(hash, index, len); else { - blake2b_init_3p(&S, ht->hash_size); - blake2b_update_3p(&S, index, strlen((const char*)index) + 1); - blake2b_final_3p(&S, hash, ht->hash_size); + unsigned char _b2tmp[64]; + blake2b_init(&S, 64); + blake2b_update(&S, index, strlen((const char*)index) + 1); + blake2b_final(&S, _b2tmp, 64); + memcpy(hash, _b2tmp, ht->hash_size); } } 
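Review bot: `memcpy(hash, _b2tmp, ht->hash_size)` in char_index2hash reads past the 64-byte `_b2tmp` whenever `ht->hash_size` exceeds 64, and nothing in the hunk bounds it. The removed `blake2b_final_3p` fallback handled that case by zero-filling the tail, and the auth.c and conf.c hunks clamp through `hashsz`, so only the hashtables.c copies are unbounded; the same line is in param2hash_add and udpparam2hash. Whether any table is configured with a hash size above 64 is not visible here, but a single file-local helper that clamps the copy would remove that dependency and replace the three repeated sequences. char_index2hash starts before this hunk.

```c
/* Finish a BLAKE2b-512 state and write the first outlen digest bytes to out;
   anything past 64 bytes, and the whole buffer on failure, is zeroed. */
static int blake2b_final_trunc(blake2b_state *S, uint8_t *out, size_t outlen){
	unsigned char full[64];
	size_t n = outlen < sizeof(full) ? outlen : sizeof(full);
	int res = blake2b_final(S, full, sizeof(full));

	memset(out, 0, outlen);
	if(res == 0) memcpy(out, full, n);
	return res;
}

/* ... unchanged: blake2b_init / blake2b_update calls in char_index2hash ... */
	blake2b_final_trunc(&S, hash, ht->hash_size);
```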
@@ -49,18 +51,20 @@ static void param2hash_add(const struct hashtable *ht, void *index, uint8_t *has if((type & 2048)){ memcpy(hash + offset, SAPORT(¶m->srv->intsa), p2len); offset += 2; } } else { - blake2b_init_3p(&S, ht->hash_size); - if((type & 2) && param->username)blake2b_update_3p(&S, param->username, ulen); - if((type & 4) && param->password)blake2b_update_3p(&S, param->password, plen); - if((type & 1) && !(type & 8))blake2b_update_3p(&S, SAADDR(¶m->sincr), a1len); - if((type & 16))blake2b_update_3p(&S, ¶m->srv->acl, acllen); - if((type & 64))blake2b_update_3p(&S, SAADDR(¶m->req), a2len); - if((type & 128))blake2b_update_3p(&S, SAPORT(¶m->req), 2); - if((type & 256) && param->hostname)blake2b_update_3p(&S, param->hostname, hlen); - if((type & 512))blake2b_update_3p(&S, ¶m->operation, sizeof(param->operation)); - if((type & 1024))blake2b_update_3p(&S, SAADDR(¶m->srv->intsa), a3len); - if((type & 2048))blake2b_update_3p(&S, SAPORT(¶m->srv->intsa), 2); - blake2b_final_3p(&S, hash, ht->hash_size); + unsigned char _b2tmp[64]; + blake2b_init(&S, 64); + if((type & 2) && param->username)blake2b_update(&S, param->username, ulen); + if((type & 4) && param->password)blake2b_update(&S, param->password, plen); + if((type & 1) && !(type & 8))blake2b_update(&S, SAADDR(¶m->sincr), a1len); + if((type & 16))blake2b_update(&S, ¶m->srv->acl, acllen); + if((type & 64))blake2b_update(&S, SAADDR(¶m->req), a2len); + if((type & 128))blake2b_update(&S, SAPORT(¶m->req), 2); + if((type & 256) && param->hostname)blake2b_update(&S, param->hostname, hlen); + if((type & 512))blake2b_update(&S, ¶m->operation, sizeof(param->operation)); + if((type & 1024))blake2b_update(&S, SAADDR(¶m->srv->intsa), a3len); + if((type & 2048))blake2b_update(&S, SAPORT(¶m->srv->intsa), 2); + blake2b_final(&S, _b2tmp, 64); + memcpy(hash, _b2tmp, ht->hash_size); } memcpy(param->hash, hash, ht->hash_size); } 
@@ -74,12 +78,14 @@ void param2hash_search(const struct hashtable *ht, void *index, uint8_t *hash){ static void udpparam2hash(const struct hashtable *ht, void *index, uint8_t *hash){ struct clientparam *param = (struct clientparam *)index; blake2b_state S; - blake2b_init_3p(&S, ht->hash_size); - blake2b_update_3p(&S, SAADDR(¶m->srv->intsa), SAADDRLEN(¶m->srv->intsa)); - blake2b_update_3p(&S, SAPORT(¶m->srv->intsa), 2); - blake2b_update_3p(&S, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr)); - blake2b_update_3p(&S, SAPORT(¶m->sincr), 2); - blake2b_final_3p(&S, hash, ht->hash_size); + unsigned char _b2tmp[64]; + blake2b_init(&S, 64); + blake2b_update(&S, SAADDR(¶m->srv->intsa), SAADDRLEN(¶m->srv->intsa)); + blake2b_update(&S, SAPORT(¶m->srv->intsa), 2); + blake2b_update(&S, SAADDR(¶m->sincr), SAADDRLEN(¶m->sincr)); + blake2b_update(&S, SAPORT(¶m->sincr), 2); + blake2b_final(&S, _b2tmp, 64); + memcpy(hash, _b2tmp, ht->hash_size); } struct hashtable dns_table = {char_index2hash, char_index2hash, 4, 32};