From 0c47ac079400510bf3761b9d2aa899875b33313d Mon Sep 17 00:00:00 2001 From: DistroBaker Date: Tue, 5 Jan 2021 21:57:18 +0000 Subject: [PATCH] Merged update from upstream sources This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/ppp.git#23f594e00896a75b4cf3690aa4a32e0d11917cf7 --- .gitignore | 1 + ...ys-use-gcc-as-our-compiler-of-choice.patch | 25 - ...t-strip-binaries-during-installation.patch | 111 - ...-use-prefix-usr-instead-of-usr-local.patch | 89 - 0010-build-sys-enable-CBCP.patch | 26 - ...se-SOCK_CLOEXEC-when-creating-socket.patch | 47 +- ...ppoe-add-manpage-for-pppoe-discovery.patch | 23 +- ...l-rp-pppoe-plugin-files-with-standar.patch | 30 +- ppp-2.4.8-CVE-2020-8597.patch | 37 - ...e-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch | 23 - ...pile-pppol2tp-with-multilink-support.patch | 24 - ppp-2.4.8-build-sys-enable-PAM-support.patch | 25 - ...e-compiler-flags-handed-to-us-by-rpm.patch | 121 - ppp-2.4.8-eaptls-mppe-1.300.patch | 3948 ----------------- ppp-2.4.8-man-fix.patch | 46 - ....8-pppd-introduce-ipv6-accept-remote.patch | 57 - ...-sys-linux-rework-get_first_ethernet.patch | 383 -- ppp-2.4.8-ws-2019-workaround.patch | 27 - ...hardcode-LIBDIR-but-set-it-according.patch | 121 +- ppp-2.4.9-config.patch | 21 + ppp-2.4.9-configure-cflags-allow-commas.patch | 17 + ...pp-2.4.9-everywhere-O_CLOEXEC-harder.patch | 4 +- ppp.spec | 64 +- sources | 2 +- 24 files changed, 143 insertions(+), 5129 deletions(-) delete mode 100644 0001-build-sys-use-gcc-as-our-compiler-of-choice.patch delete mode 100644 0007-build-sys-don-t-strip-binaries-during-installation.patch delete mode 100644 0008-build-sys-use-prefix-usr-instead-of-usr-local.patch delete mode 100644 0010-build-sys-enable-CBCP.patch delete mode 100644 ppp-2.4.8-CVE-2020-8597.patch delete mode 100644 ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch delete mode 100644 ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch delete mode 100644 ppp-2.4.8-build-sys-enable-PAM-support.patch delete mode 100644 ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch delete mode 100644 ppp-2.4.8-eaptls-mppe-1.300.patch delete mode 100644 ppp-2.4.8-man-fix.patch delete mode 100644 ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch delete mode 100644 ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch delete mode 100644 ppp-2.4.8-ws-2019-workaround.patch rename ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch => ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch (56%) create mode 100644 ppp-2.4.9-config.patch create mode 100644 ppp-2.4.9-configure-cflags-allow-commas.patch rename ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch => ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch (99%) diff --git a/.gitignore b/.gitignore index 94b2a80..3a9dd7f 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ ppp-2.4.5.tar.gz /ppp-watch.tar.xz /ppp-2.4.7.tar.gz /ppp-2.4.8.tar.gz +/ppp-2.4.9.tar.gz diff --git a/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch b/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch deleted file mode 100644 index b8a76ca..0000000 --- a/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 486e36d184cbaee7e34bb582ea6fdf3bfa9ca531 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:23:42 +0200 -Subject: [PATCH 01/27] build-sys: use gcc as our compiler of choice - ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index a74c914..1d9ea78 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -30,7 +30,7 @@ ifeq (.depend,$(wildcard .depend)) - include .depend - endif - --# CC = gcc -+CC = gcc - # - COPTS = -O2 -pipe -Wall -g - LIBS = --- -1.8.3.1 - diff --git a/0007-build-sys-don-t-strip-binaries-during-installation.patch b/0007-build-sys-don-t-strip-binaries-during-installation.patch deleted file mode 100644 index 9f542a6..0000000 --- a/0007-build-sys-don-t-strip-binaries-during-installation.patch +++ /dev/null @@ -1,111 +0,0 @@ -From b9fb631a493c5f1b490c8e9645eb6ebab4b25cc8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:37:00 +0200 -Subject: [PATCH 07/27] build-sys: don't strip binaries during installation - -We don't want that when building rpms. rpmbuild does final stripping of binaries -for us and generetes debuginfo rpm. ---- - chat/Makefile.linux | 2 +- - pppd/Makefile.linux | 4 ++-- - pppd/plugins/radius/Makefile.linux | 6 +++--- - pppd/plugins/rp-pppoe/Makefile.linux | 4 ++-- - pppdump/Makefile.linux | 2 +- - pppstats/Makefile.linux | 2 +- - 6 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 848cd8d..2445637 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -25,7 +25,7 @@ chat.o: chat.c - - install: chat - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c chat $(BINDIR) -+ $(INSTALL) -c chat $(BINDIR) - $(INSTALL) -c -m 644 chat.8 $(MANDIR) - - clean: -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 8ed56c1..4f27100 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -102,7 +102,7 @@ ifdef USE_SRP - CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include - LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto - TARGETS += srp-entry --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -@@ -208,7 +208,7 @@ all: $(TARGETS) - install: pppd - mkdir -p $(BINDIR) $(MANDIR) - $(EXTRAINSTALL) -- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd -+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ - chmod o-rx,u+s $(BINDIR)/pppd; fi - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 179d0b7..707326b 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -36,9 +36,9 @@ all: $(PLUGIN) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radius.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) - $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR) - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 1305ed8..3cd9101 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -43,9 +43,9 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) -+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) -- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) - - clean: - rm -f *.o *.so pppoe-discovery -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index d0a5032..95c6805 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -17,5 +17,5 @@ clean: - - install: - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c pppdump $(BINDIR) -+ $(INSTALL) -c pppdump $(BINDIR) - $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index 42aba73..c5ba3b1 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -22,7 +22,7 @@ all: pppstats - - install: pppstats - -mkdir -p $(MANDIR) -- $(INSTALL) -s -c pppstats $(BINDIR) -+ $(INSTALL) -c pppstats $(BINDIR) - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) --- -1.8.3.1 - diff --git a/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch b/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch deleted file mode 100644 index e82c957..0000000 --- a/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch +++ /dev/null @@ -1,89 +0,0 @@ -From 343728d5de6e44bd67923503e62eefaad50760a4 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:47:01 +0200 -Subject: [PATCH 08/27] build-sys: use prefix /usr instead of /usr/local - ---- - configure | 2 +- - pppd/Makefile.linux | 4 ++-- - scripts/ppp-on-rsh | 2 +- - scripts/ppp-on-ssh | 4 ++-- - scripts/secure-card | 2 +- - 5 files changed, 7 insertions(+), 7 deletions(-) - -diff --git a/configure b/configure -index 6a55e0f..db54d77 100755 ---- a/configure -+++ b/configure -@@ -2,7 +2,7 @@ - # $Id: configure,v 1.38 2008/06/15 07:08:49 paulus Exp $ - - # Where to install stuff by default --DESTDIR=/usr/local -+DESTDIR=/usr - SYSCONF=/etc - - # if [ -d /NextApps ]; then -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 4f27100..95c2598 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -99,8 +99,8 @@ endif - - # EAP SRP-SHA1 - ifdef USE_SRP --CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include --LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto -+CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/include/openssl -+LIBS += -lsrp -L/usr/lib -lcrypto - TARGETS += srp-entry - EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 -diff --git a/scripts/ppp-on-rsh b/scripts/ppp-on-rsh -index 30a50db..a80616a 100755 ---- a/scripts/ppp-on-rsh -+++ b/scripts/ppp-on-rsh -@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost - # For this example, we assume that pppd on both local and remote - # machines reside in the same place, /usr/local/bin/pppd - # --PPPD_LOC=/usr/local/bin/pppd -+PPPD_LOC=/usr/sbin/pppd - - # - # The location of local options file (where rsh client is running). -diff --git a/scripts/ppp-on-ssh b/scripts/ppp-on-ssh -index 0e41aca..c27e80a 100755 ---- a/scripts/ppp-on-ssh -+++ b/scripts/ppp-on-ssh -@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost - # For this example, we assume that pppd on both local and remote - # machines reside in the same place, /usr/local/bin/pppd - # --PPPD_LOC=/usr/local/bin/pppd -+PPPD_LOC=/usr/sbin/pppd - - # - # The location of local options file (where ssh client is running). -@@ -52,7 +52,7 @@ PPPD_REM_OPT=/etc/ppp/options-ssh-rem - # - # The location of ssh client on the local machine - # --SSH_LOC=/usr/local/bin/ssh -+SSH_LOC=/usr/bin/ssh - - export PPPD_LOC PPPD_LOC_OPT PPPD_REM_OPT PPPD_RHOST SSH_LOC - -diff --git a/scripts/secure-card b/scripts/secure-card -index 0002365..ae3ae50 100755 ---- a/scripts/secure-card -+++ b/scripts/secure-card -@@ -1,4 +1,4 @@ --#!/usr/local/bin/expect -f -+#!/usr/bin/expect -f - # - # This script was written by Jim Isaacson . It is - # designed to work as a script to use the SecureCARD(tm) device. This --- -1.8.3.1 - diff --git a/0010-build-sys-enable-CBCP.patch b/0010-build-sys-enable-CBCP.patch deleted file mode 100644 index 87c3b72..0000000 --- a/0010-build-sys-enable-CBCP.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 8015a0ef23a874f288d5e77ffafe1d7f4281725d Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 18:59:24 +0200 -Subject: [PATCH 10/27] build-sys: enable CBCP - -Resolves: #199278 ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 95c2598..65700fa 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -68,7 +68,7 @@ HAVE_INET6=y - PLUGIN=y - - # Enable Microsoft proprietary Callback Control Protocol --#CBCP=y -+CBCP=y - - # Enable EAP SRP-SHA1 authentication (requires libsrp) - #USE_SRP=y --- -1.8.3.1 - diff --git a/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch index 08d67f7..1352370 100644 --- a/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +++ b/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch @@ -1,19 +1,3 @@ -From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 14:21:41 +0200 -Subject: [PATCH 14/27] everywhere: use SOCK_CLOEXEC when creating socket - ---- - pppd/plugins/pppoatm/pppoatm.c | 2 +- - pppd/plugins/pppol2tp/openl2tp.c | 2 +- - pppd/plugins/pppol2tp/pppol2tp.c | 2 +- - pppd/plugins/rp-pppoe/if.c | 2 +- - pppd/plugins/rp-pppoe/plugin.c | 6 +++--- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +- - pppd/sys-linux.c | 10 +++++----- - pppd/tty.c | 2 +- - 8 files changed, 14 insertions(+), 14 deletions(-) - diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c index d693350..c31bb34 100644 --- a/pppd/plugins/pppoatm/pppoatm.c @@ -53,10 +37,10 @@ index a7e3400..e64a778 100644 if (fd >= 0) { memset (&ifr, '\0', sizeof (ifr)); strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); -diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c +diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c index 91e9a57..72aba41 100644 ---- a/pppd/plugins/rp-pppoe/if.c -+++ b/pppd/plugins/rp-pppoe/if.c +--- a/pppd/plugins/pppoe/if.c ++++ b/pppd/plugins/pppoe/if.c @@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) stype = SOCK_PACKET; #endif @@ -66,10 +50,10 @@ index 91e9a57..72aba41 100644 /* Give a more helpful message for the common error case */ if (errno == EPERM) { fatal("Cannot create raw socket -- pppoe must be run as root."); -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c +diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c index a8c2bb4..24bdf8f 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c +--- a/pppd/plugins/pppoe/plugin.c ++++ b/pppd/plugins/pppoe/plugin.c @@ -137,7 +137,7 @@ PPPOEConnectDevice(void) /* server equipment). */ /* Opening this socket just before waitForPADS in the discovery() */ @@ -97,10 +81,10 @@ index a8c2bb4..24bdf8f 100644 r = 0; } -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c +diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c index 3d3bf4e..c0d927d 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c +--- a/pppd/plugins/pppoe/pppoe-discovery.c ++++ b/pppd/plugins/pppoe/pppoe-discovery.c @@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) stype = SOCK_PACKET; #endif @@ -109,7 +93,7 @@ index 3d3bf4e..c0d927d 100644 + if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { /* Give a more helpful message for the common error case */ if (errno == EPERM) { - rp_fatal("Cannot create raw socket -- pppoe must be run as root."); + fatal("Cannot create raw socket -- pppoe must be run as root."); diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c index 00a2cf5..0690019 100644 --- a/pppd/sys-linux.c @@ -136,7 +120,7 @@ index 00a2cf5..0690019 100644 - sock_fd = socket(AF_INET, SOCK_DGRAM, 0); + sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); if (sock_fd < 0) - return 0; + return -1; memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); @@ -2067,7 +2067,7 @@ int ppp_available(void) /* @@ -147,15 +131,6 @@ index 00a2cf5..0690019 100644 if (s < 0) return 0; -@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64) - int skfd; - const unsigned char *ptr; - -- skfd = socket(PF_INET6, SOCK_DGRAM, 0); -+ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if(skfd == -1) - { - warn("could not open IPv6 socket"); diff --git a/pppd/tty.c b/pppd/tty.c index bc96695..8e76a5d 100644 --- a/pppd/tty.c diff --git a/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch b/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch index a13fe79..b7f7c91 100644 --- a/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch +++ b/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch @@ -1,18 +1,7 @@ -From a30efa2cc99a5b6ab220de04cbcc7db38888a17a Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Mon, 7 Apr 2014 14:29:45 +0200 -Subject: [PATCH 16/27] rp-pppoe: add manpage for pppoe-discovery - ---- - pppd/plugins/rp-pppoe/Makefile.linux | 2 + - pppd/plugins/rp-pppoe/pppoe-discovery.8 | 86 +++++++++++++++++++++++++++++++++ - 2 files changed, 88 insertions(+) - create mode 100644 pppd/plugins/rp-pppoe/pppoe-discovery.8 - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux index 3cd9101..9918091 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux @@ -16,6 +16,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ @@ -22,18 +11,18 @@ index 3cd9101..9918091 100644 PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) @@ -46,6 +47,7 @@ install: all - $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) + $(LN_S) pppoe.so $(LIBDIR)/rp-pppoe.so $(INSTALL) -d -m 755 $(BINDIR) $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) + $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) clean: rm -f *.o *.so pppoe-discovery -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.8 b/pppd/plugins/rp-pppoe/pppoe-discovery.8 +diff --git a/pppd/plugins/pppoe/pppoe-discovery.8 b/pppd/plugins/pppoe/pppoe-discovery.8 new file mode 100644 index 0000000..d0a93db --- /dev/null -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.8 ++++ b/pppd/plugins/pppoe/pppoe-discovery.8 @@ -0,0 +1,86 @@ +.\" pppoe-discovery.8 written by +.\" Ben Hutchings , based on pppoe.8. diff --git a/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch b/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch index 7a18e07..23b1f93 100644 --- a/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch +++ b/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch @@ -1,24 +1,15 @@ -From 769521a3798fd554ddc7333cb1255cd1b40790e8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Thu, 10 Apr 2014 10:00:55 +0200 -Subject: [PATCH 23/27] build-sys: install rp-pppoe plugin files with standard - perms - -This is needed to properly generate debuginfo package. ---- - pppd/plugins/rp-pppoe/Makefile.linux | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index b949716..fa49efb 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -44,10 +44,10 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux +index 2df887b..6cb8397 100644 +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux +@@ -43,12 +43,12 @@ pppoe.so: plugin.o discovery.o if.o common.o install: all $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) -+ $(INSTALL) -c -m 755 rp-pppoe.so $(LIBDIR) +- $(INSTALL) -c -m 4550 pppoe.so $(LIBDIR) ++ $(INSTALL) -c -m 755 pppoe.so $(LIBDIR) + # Symlink for backward compatibility + $(LN_S) pppoe.so $(LIBDIR)/rp-pppoe.so $(INSTALL) -d -m 755 $(BINDIR) - $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) - $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) @@ -27,6 +18,3 @@ index b949716..fa49efb 100644 clean: rm -f *.o *.so pppoe-discovery --- -1.8.3.1 - diff --git a/ppp-2.4.8-CVE-2020-8597.patch b/ppp-2.4.8-CVE-2020-8597.patch deleted file mode 100644 index 5d7c51b..0000000 --- a/ppp-2.4.8-CVE-2020-8597.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 -From: Paul Mackerras -Date: Mon, 3 Feb 2020 15:53:28 +1100 -Subject: [PATCH] pppd: Fix bounds check in EAP code - -Given that we have just checked vallen < len, it can never be the case -that vallen >= len + sizeof(rhostname). This fixes the check so we -actually avoid overflowing the rhostname array. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Paul Mackerras ---- - pppd/eap.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/eap.c b/pppd/eap.c -index 94407f56..1b93db01 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -1420,7 +1420,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; -@@ -1846,7 +1846,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; diff --git a/ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch b/ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch deleted file mode 100644 index fd53ac7..0000000 --- a/ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch +++ /dev/null @@ -1,23 +0,0 @@ -From d69eb9a8aa284014dd7dd282813989eda9d84d74 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:56:09 +0200 -Subject: [PATCH 21/27] build-sys: compile pppol2tp plugin with RPM_OPT_FLAGS - ---- - pppd/plugins/pppol2tp/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 4339566..9a635b8 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS_SHARED = -shared - INSTALL = install --- -1.8.3.1 - diff --git a/ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch b/ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch deleted file mode 100644 index d801308..0000000 --- a/ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch +++ /dev/null @@ -1,24 +0,0 @@ -From a0060c5d48ef742bff4fe9ba9c276a5c21795ce8 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:58:38 +0200 -Subject: [PATCH 22/27] build-sys: compile pppol2tp with multilink support - -Resolves: #817013 ---- - pppd/plugins/pppol2tp/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 9a635b8..9cb316d 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = $(RPM_OPT_FLAGS) -+COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS_SHARED = -shared - INSTALL = install --- -1.8.3.1 - diff --git a/ppp-2.4.8-build-sys-enable-PAM-support.patch b/ppp-2.4.8-build-sys-enable-PAM-support.patch deleted file mode 100644 index 355410c..0000000 --- a/ppp-2.4.8-build-sys-enable-PAM-support.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 0d71a32b73b71c9793d0b304320858062faf00d1 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:25:43 +0200 -Subject: [PATCH 02/27] build-sys: enable PAM support - ---- - pppd/Makefile.linux | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 1d9ea78..5a44d30 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -61,7 +61,7 @@ HAVE_MULTILINK=y - #SYSTEMD=y - - HAS_SHADOW=y --#USE_PAM=y -+USE_PAM=y - HAVE_INET6=y - - # Enable plugins --- -1.8.3.1 - diff --git a/ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch b/ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch deleted file mode 100644 index dc0c5df..0000000 --- a/ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch +++ /dev/null @@ -1,121 +0,0 @@ -From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 11:29:39 +0200 -Subject: [PATCH 03/27] build-sys: utilize compiler flags handed to us by - rpmbuild - ---- - chat/Makefile.linux | 2 +- - pppd/Makefile.linux | 3 +-- - pppd/plugins/Makefile.linux | 2 +- - pppd/plugins/pppoatm/Makefile.linux | 2 +- - pppd/plugins/radius/Makefile.linux | 2 +- - pppd/plugins/rp-pppoe/Makefile.linux | 2 +- - pppdump/Makefile.linux | 2 +- - pppstats/Makefile.linux | 2 +- - 8 files changed, 8 insertions(+), 9 deletions(-) - -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 1065ac5..848cd8d 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function - CDEF4= -DFNDELAY=O_NDELAY # Old name value - CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) - --COPTS= -O2 -g -pipe -+COPTS= $(RPM_OPT_FLAGS) - CFLAGS= $(COPTS) $(CDEFS) - - INSTALL= install -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 5a44d30..63872eb 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -32,8 +32,7 @@ endif - - CC = gcc - # --COPTS = -O2 -pipe -Wall -g --LIBS = -+COPTS = -Wall $(RPM_OPT_FLAGS) - - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 0a7ec7b..e09a369 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I.. -I../../include -fPIC - LDFLAGS_SHARED = -shared - INSTALL = install -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 20f62e6..5a81447 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC - LDFLAGS_SHARED = -shared - INSTALL = install -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 24ed3e5..45b3b8d 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) - INSTALL = install - - PLUGIN=radius.so radattr.so radrealms.so --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON -+CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON - - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 5d7a271..352991a 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -25,7 +25,7 @@ INSTALL = install - # Version is set ONLY IN THE MAKEFILE! Don't delete this! - RP_VERSION=3.8p - --COPTS=-O2 -g -+COPTS=$(RPM_OPT_FLAGS) - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index ac028f6..d0a5032 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 - --CFLAGS= -O -I../include/net -+CFLAGS= $(RPM_OPT_FLAGS) -I../include/net - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o - - INSTALL= install -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index cca6f0f..42aba73 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c - PPPSTATOBJS = pppstats.o - - #CC = gcc --COPTS = -O -+COPTS = $(RPM_OPT_FLAGS) - COMPILE_FLAGS = -I../include - LIBS = - --- -1.8.3.1 - diff --git a/ppp-2.4.8-eaptls-mppe-1.300.patch b/ppp-2.4.8-eaptls-mppe-1.300.patch deleted file mode 100644 index 65b1434..0000000 --- a/ppp-2.4.8-eaptls-mppe-1.300.patch +++ /dev/null @@ -1,3948 +0,0 @@ -diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls ---- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls 2020-04-07 10:09:50.565118206 +0200 -@@ -0,0 +1,307 @@ -+EAP-TLS authentication support for PPP -+====================================== -+ -+1. Intro -+ -+ The Extensible Authentication Protocol (EAP; RFC 3748) is a -+ security protocol that can be used with PPP. It provides a means -+ to plug in multiple optional authentication methods. -+ -+ Transport Level Security (TLS; RFC 5216) provides for mutual -+ authentication, integrity-protected ciphersuite negotiation and -+ key exchange between two endpoints. It also provides for optional -+ MPPE encryption. -+ -+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, -+ allowing TLS mutual authentication to be used as a generic EAP -+ mechanism. It also provides optional encryption using the MPPE -+ protocol. -+ -+ This patch provide EAP-TLS support to pppd. -+ This authentication method can be used in both client or server -+ mode. -+ -+2. Building -+ -+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) -+ is required. Any version from 0.9.7 should work. -+ -+ Configure, compile, and install as usual. -+ -+3. Configuration -+ -+ On the client side there are two ways to configure EAP-TLS: -+ -+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters -+ -+ 2. edit the /etc/ppp/eaptls-client file. -+ Insert a line for each system with which you use EAP-TLS. -+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ The file containing the certificate chain for the -+ client in PEM format -+ - Server certificate file -+ If you want to specify the certificate that the -+ server is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM -+ format. -+ - Client private key file -+ The file containing the client private key in PEM format. -+ -+ -+ On the server side edit the /etc/ppp/eaptls-server file. -+ Insert a line for each system with which you use EAP-TLS. -+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ If you want to specify the certificate that the -+ client is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - Server certificate file -+ The file containing the certificate chain for the -+ server in PEM format -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM format. -+ - Client private key file -+ The file containing the server private key in PEM format. -+ - addresses -+ A list of IP addresses the client is allowed to use. -+ -+ -+ OpenSSL engine support is included starting with v0.95 of this patch. -+ Currently the only engine tested is the 'pkcs11' engine (hardware token -+ support). To use the 'pksc11' engine: -+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: -+ : -+ e.g. -+ pkcs11:123456 -+ -+ - The certificate can also be loaded from the 'pkcs11' engine using -+ a special client certificate filename in the /etc/ppp/eaptls-client file: -+ : -+ e.g. -+ pkcs11:123456 -+ -+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior -+ to starting 'pppd'. A sample openssl.cnf file is -+ -+ openssl_conf = openssl_def -+ -+ [ openssl_def ] -+ engines = engine_section -+ -+ [ engine_section ] -+ pkcs11 = pkcs11_section -+ -+ [ pkcs11_section ] -+ engine_id = pkcs11 -+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+ MODULE_PATH = /usr/lib64/libeTPkcs11.so -+ init = 0 -+ -+ - There are two ways to specify a password/PIN for the PKCS11 engine: -+ - inside the openssl.cnf file using -+ PIN = your-secret-pin -+ Note The keyword 'PIN' is case sensitive! -+ - Using the 'password' in the ppp options file. -+ From v0.97 of the eap-tls patch the password can also be supplied -+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c -+ for an example). -+ -+ -+4. Options -+ -+ These pppd options are available: -+ -+ ca -+ Use the CA public certificate found in in PEM format -+ cert -+ Use the client public certificate found in in PEM format -+ or in engine:engine_id format -+ key -+ Use the client private key found in in PEM format -+ or in engine:engine_id format -+ crl -+ Use the Certificate Revocation List (CRL) file in PEM format. -+ crl-dir -+ Use CRL files from directory . It contains CRL files in PEM -+ format and each file contains a CRL. The files are looked up -+ by the issuer name hash value. Use the c_rehash utility -+ to create necessary links. -+ need-peer-eap -+ If the peer doesn't ask us to authenticate or doesn't use eap -+ to authenticate us, disconnect. -+ -+ Note: -+ password-encrypted certificates can be used as of v0.94 of this -+ patch. The password for the eap-tls.key file is specified using -+ the regular -+ password .... -+ statement in the ppp options file, or by using the appropriate -+ plugin which supplies a 'eaptls_passwd_hook' routine. -+ -+5. Connecting -+ -+ If you're setting up a pppd server, edit the EAP-TLS configuration file -+ as written above and then run pppd with the 'auth' option to authenticate -+ the client. The EAP-TLS method will be used if the other eap methods can't -+ be used (no secrets). -+ -+ If you're setting up a client, edit the configuration file and then run -+ pppd with 'remotename' option to specify the server name. Add the -+ 'need-peer-eap' option if you want to be sure the peer ask you to -+ authenticate (and to use eap) and to disconnect if it doesn't. -+ -+6. Example -+ -+ The following example can be used to connect a Linux client with the 'pptp' -+ package to a Linux server running the 'pptpd' (PoPToP) package. The server -+ was configured with a certificate with name (CN) 'pptp-server', the client -+ was configured with a certificate with name (CN) 'pptp-client', both -+ signed by the same Certificate Authority (CA). -+ -+ Server side: -+ - /etc/pptpd.conf file: -+ option /etc/ppp/options-pptpd-eaptls -+ localip 172.16.1.1 -+ remoteip 172.16.1.10-20 -+ - /etc/ppp/options-pptpd-eaptls file: -+ name pptp-server -+ lock -+ mtu 1500 -+ mru 1450 -+ auth -+ lcp-echo-failure 3 -+ lcp-echo-interval 5 -+ nodeflate -+ nobsdcomp -+ nopredictor1 -+ nopcomp -+ noaccomp -+ -+ require-eap -+ require-mppe-128 -+ -+ crl /home/janjust/ppp/keys/crl.pem -+ -+ debug -+ logfile /tmp/pppd.log -+ -+ - /etc/ppp/eaptls-server file: -+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * -+ -+ - On the server, run -+ pptdp --conf /etc/pptpd.conf -+ -+ Client side: -+ - Run -+ pppd noauth require-eap require-mppe-128 \ -+ ipcp-accept-local ipcp-accept-remote noipdefault \ -+ cert /etc/ppp/keys/pptp-client.crt \ -+ key /etc/ppp/keys/pptp-client.key \ -+ ca /etc/ppp/keys/ca.crt \ -+ name pptp-client remotename pptp-server \ -+ debug logfile /tmp/pppd.log -+ pty "pptp pptp-server.example.com --nolaunchpppd" -+ -+ Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info. -+ -+7. Notes -+ -+ This is experimental code. -+ Send suggestions and comments to Jan Just Keijser -+ -+8. Changelog of ppp-<>-eaptls-mppe-* patches -+ -+v0.7 (22-Nov-2005) -+ - First version of the patch to include MPPE support -+ - ppp-2.4.3 only -+v0.9 (25-Jul-2006) -+ - Bug fixes -+ - First version for ppp-2.4.4 -+v0.91 (03-Sep-2006) -+ - Added missing #include for md5.h -+ - Last version for ppp-2.4.3 -+v0.92 (22-Apr-2008) -+ - Fix for openssl 0.9.8 issue with md5 function overload. -+v0.93 (14-Aug-2008) -+ - Make sure 'noauth' option can be used to bypass server certificate verification. -+v0.94 (15-Oct-2008) -+ - Added support for password-protected private keys by (ab)using the 'password' field. -+v0.95 (23-Dec-2009) -+ - First version with OpenSSL engine support. -+v0.96 (27-Jan-2010) -+ - Added fully functional support for OpenSSL engines (PKCS#11) -+ - First version for ppp-2.4.5 -+v0.97 (20-Apr-2010) -+ - Some bug fixes for v0.96 -+ - Added support for entering the password via a plugin. The sample plugin -+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. -+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. -+ - Added support for specifying the client CA, certificate and private key on the command-line -+ or via the ppp config file. -+v0.98 (20-Apr-2010) -+ - Fix initialisation bug when using ca/cert/key command-line options. -+ - Last version for ppp-2.4.4 -+v0.99 (05-Oct-2010) -+ - Fix coredump when using multilink option. -+v0.991 (08-Aug-2011) -+ - Fix compilation issue with openssl 1.0. -+v0.992 (01-Dec-2011) -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. -+v0.993 (24-Apr-2012) -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. -+v0.994 (11-Jun-2012) -+ - Fix compilation issue on Ubuntu 11.10. -+v0.995 (27-May-2014) -+ - Add support for a CRL file using the command-line option 'crl' -+ (prior only 'crl-dir' was supported). -+ - Fix segfault when pkcs11 enginename was not specified correctly. -+ - Fix segfault when client was misconfigured. -+ - Disable SSL Session Ticket support as Windows 8 does not support this. -+v0.996 (28-May-2014) -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' -+ - Add EAP-TLS-specific options to pppd.8 manual page. -+ - Updated README.eap-tls file with new options and provide an example. -+v0.997 (19-Jun-2014) -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET -+ - Fix bug in initialisation code with fragmented packets. -+v0.998 (13-Mar-2015) -+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 -+v0.999 (11-May-2017) -+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. -+v1.101 (1-Jun-2018) -+ - Fix vulnerabilities CVE-2018-11574. -+v1.102 (2-Nov-2018) -+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2. -+ This works both when compiling against OpenSSL 1.0.1+ and 1.1+. -+ - Print warning when certificate is either not yet valid or has expired. -+ - Perform better peer certificate checks. -+ - Allow certificate chain files to be used. -+v1.200 (28-Feb-2020) -+ - First version of patch that was used to create a github PR against the main ppp code base. -+ - Add client-side 'capath' option to allow a directory with trusted CA certificates. -+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or -+ use the ones supplied by OpenSSL. -+ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp -+ kernel driver does not support MPPE. -+v1.201 (03-Apr-2020) -+ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that -+ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. -+v1.300 (03-Apr-2020) -+ - Add (experimental) TLS 1.3 support. This is based on draft-ietf-emu-eap-tls13-05 (expired) and -+ requires OpenSSL 1.1.1+ to be effective. -+ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use -+ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3') -+ -diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client ---- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-04-07 10:09:50.566118204 +0200 -@@ -0,0 +1,10 @@ -+# Parameters for authentication using EAP-TLS (client) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (required) -+# server certificate file (optional, if unused put '-') -+# CA certificate file (required) -+# client private key file (required) -+ -+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server ---- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-04-07 10:09:50.566118204 +0200 -@@ -0,0 +1,11 @@ -+# Parameters for authentication using EAP-TLS (server) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (optional, if unused put '-') -+# server certificate file (required) -+# CA certificate file (required) -+# server private key file (required) -+# allowed addresses (required, can be *) -+ -+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf ---- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-04-07 10:09:50.566118204 +0200 -@@ -0,0 +1,14 @@ -+openssl_conf = openssl_def -+ -+[ openssl_def ] -+engines = engine_section -+ -+[ engine_section ] -+pkcs11 = pkcs11_section -+ -+[ pkcs11_section ] -+engine_id = pkcs11 -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+MODULE_PATH = /usr/lib64/libeTPkcs11.so -+init = 0 -+ -diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top ---- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top 2020-04-07 10:09:50.566118204 +0200 -@@ -26,7 +26,7 @@ - cd pppdump; $(MAKE) $(MFLAGS) install - - install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ -- $(ETCDIR)/chap-secrets -+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client - - install-devel: - cd pppd; $(MAKE) $(MFLAGS) install-devel -@@ -37,6 +37,10 @@ - $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ - $(ETCDIR)/chap-secrets: - $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ -+$(ETCDIR)/eaptls-server: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ -+$(ETCDIR)/eaptls-client: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ - - $(BINDIR): - $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux ---- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux 2020-04-07 10:10:01.427104384 +0200 -@@ -11,16 +11,16 @@ - - TARGETS = pppd - --PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c md5.c ccp.c \ -- ecp.c ipxcp.c auth.c options.c sys-linux.c md4.c chap_ms.c \ -+PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c ccp.c \ -+ ecp.c ipxcp.c auth.c options.c sys-linux.c chap_ms.c \ - demand.c utils.c tty.c eap.c chap-md5.c session.c - - HEADERS = ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h \ -- ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h \ -+ ipxcp.h lcp.h magic.h patchlevel.h pathnames.h pppd.h \ - upap.h eap.h - - MANPAGES = pppd.8 --PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o \ -+PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o ccp.o \ - ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ - eap.o chap-md5.o session.o - -@@ -81,6 +81,13 @@ - # Use libutil - USE_LIBUTIL=y - -+# Enable EAP-TLS authentication (requires MPPE support, libssl and libcrypto) -+USE_EAPTLS=y -+ -+# Either use the internal {md5,sha1} routines or use the openssl versions -+USE_OPENSSL_MD5=y -+USE_OPENSSL_SHA1=y -+ - MAXOCTETS=y - - INCLUDE_DIRS= -I../include -@@ -92,8 +99,9 @@ - ifdef CHAPMS - CFLAGS += -DCHAPMS=1 - NEEDDES=y --PPPDOBJS += md4.o chap_ms.o -+PPPDSRC += md4.c chap_ms.c - HEADERS += md4.h chap_ms.h -+PPPDOBJS += md4.o chap_ms.o - ifdef MSLANMAN - CFLAGS += -DMSLANMAN=1 - endif -@@ -111,11 +119,31 @@ - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -+endif -+ -+# EAP-TLS -+ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -+LIBS += -lssl -lcrypto -+PPPDSRC += eap-tls.c -+HEADERS += eap-tls.h -+PPPDOBJS += eap-tls.o -+endif -+ -+ifdef USE_OPENSSL_MD5 -+CFLAGS += -DUSE_OPENSSL_MD5=1 -+LIBS += -lcrypto -+else -+PPPDSRC += md5.c -+HEADERS += md5.h -+PPPDOBJS += md5.o -+endif -+ -+ifdef USE_OPENSSL_SHA1 -+CFLAGS += -DUSE_OPENSSL_SHA1=1 -+LIBS += -lcrypto - else --# OpenSSL has an integrated version of SHA-1, and its implementation --# is incompatible with this local SHA-1 implementation. We must use --# one or the other, not both. --PPPDSRCS += sha1.c -+PPPDSRC += sha1.c - HEADERS += sha1.h - PPPDOBJS += sha1.o - endif -diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 ---- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-04-07 10:09:50.566118204 +0200 -@@ -5,10 +5,10 @@ - - include ../Makedefs.com - --CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="@DESTDIR@"' -+CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="/usr/local"' - LIBS = -lsocket -lnsl - --OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o md5.o \ -+OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o \ - tty.o ccp.o ecp.o auth.o options.o demand.o utils.o sys-solaris.o \ - chap-md5.o session.o - -@@ -37,7 +37,21 @@ - - # Uncomment to enable MS-CHAP - CFLAGS += -DUSE_CRYPT -DCHAPMS -DMSLANMAN -DHAVE_CRYPT_H --OBJS += chap_ms.o pppcrypt.o md4.o sha1.o -+OBJS += chap_ms.o pppcrypt.o md4.o -+ -+# Uncomment to enable MPPE (in both CHAP and EAP-TLS) -+CFLAGS += -DMPPE -+ -+# Uncomment to use the OpenSSL {md5,sha1} routines -+#CFLAGS += -DUSE_OPENSSL_MD5 -DUSE_OPENSSL_SHA1 -+#LIBS += -lcrypto -+# else -+OBJS += md5.o sha1.o -+ -+# Uncomment to enable EAP-TLS -+CFLAGS += -DUSE_EAPTLS -+LIBS += -lcrypto -lssl -+OBJS += eap-tls.o - - # Uncomment for CBCP - #CFLAGS += -DCBCP_SUPPORT -diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c ---- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c 2020-04-07 10:09:50.567118203 +0200 -@@ -113,6 +113,9 @@ - #include "upap.h" - #include "chap-new.h" - #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif - #ifdef CBCP_SUPPORT - #include "cbcp.h" - #endif -@@ -186,6 +189,11 @@ - /* Hook for a plugin to get the CHAP password for authenticating us */ - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; - -+#ifdef USE_EAPTLS -+/* Hook for a plugin to get the EAP-TLS password for authenticating us */ -+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; -+#endif -+ - /* Hook for a plugin to say whether it is OK if the peer - refuses to authenticate. */ - int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -241,6 +249,16 @@ - bool explicit_user = 0; /* Set if "user" option supplied */ - bool explicit_passwd = 0; /* Set if "password" option supplied */ - char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ -+#ifdef USE_EAPTLS -+char *cacert_file = NULL; /* CA certificate file (pem format) */ -+char *ca_path = NULL; /* directory with CA certificates */ -+char *cert_file = NULL; /* client certificate file (pem format) */ -+char *privkey_file = NULL; /* client private key file (pem format) */ -+char *crl_dir = NULL; /* directory containing CRL files */ -+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ -+char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ -+bool need_peer_eap = 0; /* Require peer to authenticate us */ -+#endif - - static char *uafname; /* name of most recent +ua file */ - -@@ -257,6 +275,19 @@ - static int have_chap_secret __P((char *, char *, int, int *)); - static int have_srp_secret __P((char *client, char *server, int need_ip, - int *lacks_ipp)); -+ -+#ifdef USE_EAPTLS -+static int have_eaptls_secret_server -+__P((char *client, char *server, int need_ip, int *lacks_ipp)); -+static int have_eaptls_secret_client __P((char *client, char *server)); -+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, -+ char *cli_cert, char *serv_cert, -+ char *ca_cert, char *pk, -+ struct wordlist ** addrs, -+ struct wordlist ** opts, -+ char *filename, int flags)); -+#endif -+ - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); - static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, struct wordlist **, -@@ -404,6 +435,18 @@ - "Set telephone number(s) which are allowed to connect", - OPT_PRIV | OPT_A2LIST }, - -+#ifdef USE_EAPTLS -+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, -+ { "capath", o_string, &ca_path, "EAP-TLS CA certificate directory" }, -+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, -+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, -+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, -+ { "crl", o_string, &crl_file, "Use specific CRL file" }, -+ { "max-tls-version", o_string, &max_tls_version, -+ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, -+ { "need-peer-eap", o_bool, &need_peer_eap, -+ "Require the peer to authenticate us", 1 }, -+#endif /* USE_EAPTLS */ - { NULL } - }; - -@@ -737,6 +780,9 @@ - lcp_options *wo = &lcp_wantoptions[unit]; - lcp_options *go = &lcp_gotoptions[unit]; - lcp_options *ho = &lcp_hisoptions[unit]; -+#ifdef USE_EAPTLS -+ lcp_options *ao = &lcp_allowoptions[unit]; -+#endif - int i; - struct protent *protp; - -@@ -771,6 +817,22 @@ - } - } - -+#ifdef USE_EAPTLS -+ if (need_peer_eap && !ao->neg_eap) { -+ warn("eap required to authenticate us but no suitable secrets"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_AUTH_TOPEER_FAILED; -+ return; -+ } -+ -+ if (need_peer_eap && !ho->neg_eap) { -+ warn("peer doesn't want to authenticate us with eap"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_PEER_AUTH_FAILED; -+ return; -+ } -+#endif -+ - new_phase(PHASE_AUTHENTICATE); - auth = 0; - if (go->neg_eap) { -@@ -1291,6 +1353,15 @@ - our_name, 1, &lacks_ip); - } - -+#ifdef USE_EAPTLS -+ if (!can_auth && wo->neg_eap) { -+ can_auth = -+ have_eaptls_secret_server((explicit_remote ? remote_name : -+ NULL), our_name, 1, &lacks_ip); -+ -+ } -+#endif -+ - if (auth_required && !can_auth && noauth_addrs == NULL) { - if (default_auth) { - option_error( -@@ -1345,7 +1416,11 @@ - passwd[0] != 0 || - (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, - (explicit_remote? remote_name: NULL), 0, NULL))) || -- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); -+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) -+#ifdef USE_EAPTLS -+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) -+#endif -+ ); - - hadchap = -1; - if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1360,8 +1435,14 @@ - !have_chap_secret((explicit_remote? remote_name: NULL), our_name, - 1, NULL))) && - !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, -- NULL)) -+ NULL) -+#ifdef USE_EAPTLS -+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), -+ our_name, 1, NULL) -+#endif -+ ) - go->neg_eap = 0; -+ - } - - -@@ -1721,6 +1802,7 @@ - } - - -+ - /* - * get_secret - open the CHAP secret file and return the secret - * for authenticating the given client on the given server. -@@ -2373,3 +2455,345 @@ - - auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); - } -+ -+ -+#ifdef USE_EAPTLS -+static int -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp) -+ char *client; -+ char *server; -+ int need_ip; -+ int *lacks_ipp; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ filename = _PATH_EAPTLSSERVFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, -+ clicertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { -+ if (lacks_ipp != 0) -+ *lacks_ipp = 1; -+ ret = -1; -+ } -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+have_eaptls_secret_client(client, server) -+ char *client; -+ char *server; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs = NULL; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ if ((cacert_file || ca_path) && cert_file && privkey_file) -+ return 1; -+ -+ filename = _PATH_EAPTLSCLIFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, -+ servcertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, -+ addrs, opts, filename, flags) -+ FILE *f; -+ char *client; -+ char *server; -+ char *cli_cert; -+ char *serv_cert; -+ char *ca_cert; -+ char *pk; -+ struct wordlist **addrs; -+ struct wordlist **opts; -+ char *filename; -+ int flags; -+{ -+ int newline; -+ int got_flag, best_flag; -+ struct wordlist *ap, *addr_list, *alist, **app; -+ char word[MAXWORDLEN]; -+ -+ if (addrs != NULL) -+ *addrs = NULL; -+ if (opts != NULL) -+ *opts = NULL; -+ addr_list = NULL; -+ if (!getword(f, word, &newline, filename)) -+ return -1; /* file is empty??? */ -+ newline = 1; -+ best_flag = -1; -+ for (;;) { -+ /* -+ * Skip until we find a word at the start of a line. -+ */ -+ while (!newline && getword(f, word, &newline, filename)); -+ if (!newline) -+ break; /* got to end of file */ -+ -+ /* -+ * Got a client - check if it's a match or a wildcard. -+ */ -+ got_flag = 0; -+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { -+ newline = 0; -+ continue; -+ } -+ if (!ISWILD(word)) -+ got_flag = NONWILD_CLIENT; -+ -+ /* -+ * Now get a server and check if it matches. -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (!ISWILD(word)) { -+ if (server != NULL && strcmp(word, server) != 0) -+ continue; -+ got_flag |= NONWILD_SERVER; -+ } -+ -+ /* -+ * Got some sort of a match - see if it's better than what -+ * we have already. -+ */ -+ if (got_flag <= best_flag) -+ continue; -+ -+ /* -+ * Get the cli_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(cli_cert, word, MAXWORDLEN); -+ } else -+ cli_cert[0] = 0; -+ -+ /* -+ * Get serv_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(serv_cert, word, MAXWORDLEN); -+ } else -+ serv_cert[0] = 0; -+ -+ /* -+ * Get ca_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(ca_cert, word, MAXWORDLEN); -+ -+ /* -+ * Get pk -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(pk, word, MAXWORDLEN); -+ -+ -+ /* -+ * Now read address authorization info and make a wordlist. -+ */ -+ app = &alist; -+ for (;;) { -+ if (!getword(f, word, &newline, filename) || newline) -+ break; -+ ap = (struct wordlist *) -+ malloc(sizeof(struct wordlist) + strlen(word) + 1); -+ if (ap == NULL) -+ novm("authorized addresses"); -+ ap->word = (char *) (ap + 1); -+ strcpy(ap->word, word); -+ *app = ap; -+ app = &ap->next; -+ } -+ *app = NULL; -+ /* -+ * This is the best so far; remember it. -+ */ -+ best_flag = got_flag; -+ if (addr_list) -+ free_wordlist(addr_list); -+ addr_list = alist; -+ -+ if (!newline) -+ break; -+ } -+ -+ /* scan for a -- word indicating the start of options */ -+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) -+ if (strcmp(ap->word, "--") == 0) -+ break; -+ /* ap = start of options */ -+ if (ap != NULL) { -+ ap = ap->next; /* first option */ -+ free(*app); /* free the "--" word */ -+ *app = NULL; /* terminate addr list */ -+ } -+ if (opts != NULL) -+ *opts = ap; -+ else if (ap != NULL) -+ free_wordlist(ap); -+ if (addrs != NULL) -+ *addrs = addr_list; -+ else if (addr_list != NULL) -+ free_wordlist(addr_list); -+ -+ return best_flag; -+} -+ -+ -+int -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, capath, pkfile, am_server) -+ int unit; -+ char *client; -+ char *server; -+ char *clicertfile; -+ char *servcertfile; -+ char *cacertfile; -+ char *capath; -+ char *pkfile; -+ int am_server; -+{ -+ FILE *fp; -+ int ret; -+ char *filename = NULL; -+ struct wordlist *addrs = NULL; -+ struct wordlist *opts = NULL; -+ -+ /* maybe overkill, but it eases debugging */ -+ bzero(clicertfile, MAXWORDLEN); -+ bzero(servcertfile, MAXWORDLEN); -+ bzero(cacertfile, MAXWORDLEN); -+ bzero(capath, MAXWORDLEN); -+ bzero(pkfile, MAXWORDLEN); -+ -+ /* the ca+cert+privkey can also be specified as options */ -+ if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) -+ { -+ strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ if (cacert_file) -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); -+ if (ca_path) -+ strlcpy( capath, ca_path, MAXWORDLEN ); -+ strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ } -+ else -+ { -+ filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); -+ addrs = NULL; -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) -+ { -+ error("Can't open eap-tls secret file %s: %m", filename); -+ return 0; -+ } -+ -+ check_access(fp, filename); -+ -+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, &opts, filename, 0); -+ -+ fclose(fp); -+ -+ if (ret < 0) return 0; -+ } -+ -+ if (eaptls_passwd_hook) -+ { -+ dbglog( "Calling eaptls password hook" ); -+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) -+ { -+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", -+ client, pkfile); -+ return 0; -+ } -+ } -+ if (am_server) -+ set_allowed_addrs(unit, addrs, opts); -+ else if (opts != NULL) -+ free_wordlist(opts); -+ if (addrs != NULL) -+ free_wordlist(addrs); -+ -+ return 1; -+} -+#endif -+ -diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c ---- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c 2020-04-07 10:09:50.567118203 +0200 -@@ -539,6 +539,9 @@ - if (go->mppe) { - ccp_options *ao = &ccp_allowoptions[f->unit]; - int auth_mschap_bits = auth_done[f->unit]; -+#ifdef USE_EAPTLS -+ int auth_eap_bits = auth_done[f->unit]; -+#endif - int numbits; - - /* -@@ -566,8 +569,23 @@ - lcp_close(f->unit, "MPPE required but not available"); - return; - } -+ -+#ifdef USE_EAPTLS -+ /* -+ * MPPE is also possible in combination with EAP-TLS. -+ * It is not possible to detect if we're doing EAP or EAP-TLS -+ * at this stage, hence we accept all forms of EAP. If TLS is -+ * not used then the MPPE keys will not be derived anyway. -+ */ -+ /* Leave only the eap auth bits set */ -+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); -+ -+ if ((numbits == 0) && (auth_eap_bits == 0)) { -+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); -+#else - if (!numbits) { -- error("MPPE required, but MS-CHAP[v2] auth not performed."); -+ error("MPPE required, but MS-CHAP[v2] auth not performed."); -+#endif - lcp_close(f->unit, "MPPE required but not available"); - return; - } -diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c ---- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c 2020-04-07 10:09:50.567118203 +0200 -@@ -36,7 +36,11 @@ - #include "chap-new.h" - #include "chap-md5.h" - #include "magic.h" -+#ifdef USE_OPENSSL_MD5 -+#include "openssl/md5.h" -+#else - #include "md5.h" -+#endif /* USE_OPENSSL_MD5 */ - - #define MD5_HASH_SIZE 16 - #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c ---- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c 2020-04-07 10:09:50.567118203 +0200 -@@ -534,7 +534,7 @@ - char *username, u_char Challenge[8]) - - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char sha1Hash[SHA1_SIGNATURE_SIZE]; - char *user; - -@@ -670,7 +670,7 @@ - 0x6E }; - - int i; -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char Digest[SHA1_SIGNATURE_SIZE]; - u_char Challenge[8]; - -@@ -724,7 +724,7 @@ - void - mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ - - SHA1_Init(&sha1Context); -@@ -768,7 +768,7 @@ - mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], - u_char NTResponse[24], int IsServer) - { -- SHA1_CTX sha1Context; -+ SHA_CTX sha1Context; - u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ - u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ - -diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c ---- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-07 10:09:50.568118202 +0200 -@@ -0,0 +1,1560 @@ -+/* * eap-tls.c - EAP-TLS implementation for PPP -+ * -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. -+ * Jan Just Keijser 2006-2019 All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. The name(s) of the authors of this software must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. -+ * -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+#include -+ -+#include "pppd.h" -+#include "eap.h" -+#include "eap-tls.h" -+#include "fsm.h" -+#include "lcp.h" -+#include "pathnames.h" -+ -+typedef struct pw_cb_data -+{ -+ const void *password; -+ const char *prompt_info; -+} PW_CB_DATA; -+ -+/* The openssl configuration file and engines can be loaded only once */ -+static CONF *ssl_config = NULL; -+static ENGINE *cert_engine = NULL; -+static ENGINE *pkey_engine = NULL; -+ -+/* TLSv1.3 do we have a session ticket ? */ -+static int have_session_ticket = 0; -+ -+int ssl_verify_callback(int, X509_STORE_CTX *); -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf, -+ size_t len, SSL * ssl, void *arg); -+int ssl_new_session_cb(SSL *s, SSL_SESSION *sess); -+ -+X509 *get_X509_from_file(char *filename); -+int ssl_cmp_certs(char *filename, X509 * a); -+ -+#ifdef MPPE -+ -+#define EAPTLS_MPPE_KEY_LEN 32 -+ -+/* -+ * The following stuff is only needed if SSL_export_keying_material() is not available -+ */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10001000L -+ -+/* -+ * https://wiki.openssl.org/index.php/1.1_API_Changes -+ * tries to provide some guidance but ultimately falls short. -+ * -+ */ -+ -+static void HMAC_CTX_free(HMAC_CTX *ctx) -+{ -+ if (ctx != NULL) { -+ HMAC_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+ } -+} -+ -+static HMAC_CTX *HMAC_CTX_new(void) -+{ -+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); -+ if (ctx != NULL) -+ HMAC_CTX_init(ctx); -+ return ctx; -+} -+ -+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, -+ size_t outlen) -+{ -+ if (outlen == 0) -+ return sizeof(ssl->s3->client_random); -+ if (outlen > sizeof(ssl->s3->client_random)) -+ outlen = sizeof(ssl->s3->client_random); -+ memcpy(out, ssl->s3->client_random, outlen); -+ return outlen; -+} -+ -+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, -+ size_t outlen) -+{ -+ if (outlen == 0) -+ return sizeof(ssl->s3->server_random); -+ if (outlen > sizeof(ssl->s3->server_random)) -+ outlen = sizeof(ssl->s3->server_random); -+ memcpy(out, ssl->s3->server_random, outlen); -+ return outlen; -+} -+ -+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, -+ unsigned char *out, size_t outlen) -+{ -+ if (outlen == 0) -+ return session->master_key_length; -+ if (outlen > session->master_key_length) -+ outlen = session->master_key_length; -+ memcpy(out, session->master_key, outlen); -+ return outlen; -+} -+ -+ -+/* -+ * TLS PRF from RFC 2246 -+ */ -+static void P_hash(const EVP_MD *evp_md, -+ const unsigned char *secret, unsigned int secret_len, -+ const unsigned char *seed, unsigned int seed_len, -+ unsigned char *out, unsigned int out_len) -+{ -+ HMAC_CTX *ctx_a, *ctx_out; -+ unsigned char a[HMAC_MAX_MD_CBLOCK]; -+ unsigned int size; -+ -+ ctx_a = HMAC_CTX_new(); -+ ctx_out = HMAC_CTX_new(); -+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); -+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); -+ -+ size = HMAC_size(ctx_out); -+ -+ /* Calculate A(1) */ -+ HMAC_Update(ctx_a, seed, seed_len); -+ HMAC_Final(ctx_a, a, NULL); -+ -+ while (1) { -+ /* Calculate next part of output */ -+ HMAC_Update(ctx_out, a, size); -+ HMAC_Update(ctx_out, seed, seed_len); -+ -+ /* Check if last part */ -+ if (out_len < size) { -+ HMAC_Final(ctx_out, a, NULL); -+ memcpy(out, a, out_len); -+ break; -+ } -+ -+ /* Place digest in output buffer */ -+ HMAC_Final(ctx_out, out, NULL); -+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); -+ out += size; -+ out_len -= size; -+ -+ /* Calculate next A(i) */ -+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); -+ HMAC_Update(ctx_a, a, size); -+ HMAC_Final(ctx_a, a, NULL); -+ } -+ -+ HMAC_CTX_free(ctx_a); -+ HMAC_CTX_free(ctx_out); -+ memset(a, 0, sizeof(a)); -+} -+ -+static void PRF(const unsigned char *secret, unsigned int secret_len, -+ const unsigned char *seed, unsigned int seed_len, -+ unsigned char *out, unsigned char *buf, unsigned int out_len) -+{ -+ unsigned int i; -+ unsigned int len = (secret_len + 1) / 2; -+ const unsigned char *s1 = secret; -+ const unsigned char *s2 = secret + (secret_len - len); -+ -+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); -+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); -+ -+ for (i=0; i < out_len; i++) { -+ out[i] ^= buf[i]; -+ } -+} -+ -+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, -+ const char *label, size_t llen, -+ const unsigned char *p, size_t plen, -+ int use_context) -+{ -+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; -+ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN]; -+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; -+ size_t master_key_length; -+ unsigned char *pp; -+ -+ pp = seed; -+ -+ memcpy(pp, label, llen); -+ pp += llen; -+ -+ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE); -+ pp += SSL3_RANDOM_SIZE; -+ -+ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE); -+ -+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, -+ sizeof(master_key)); -+ PRF(master_key, master_key_length, seed, llen, out, buf, olen); -+ -+ return 1; -+} -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */ -+ -+ -+/* -+ * OpenSSL 1.1+ introduced a generic TLS_method() -+ * For older releases we substitute the appropriate method -+ */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#define TLS_method SSLv23_method -+ -+#define SSL3_RT_HEADER 0x100 -+ -+#ifndef SSL_CTX_set_max_proto_version -+/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ -+static inline int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) -+{ -+ long sslopt = 0; -+ -+ if (tls_ver_max < TLS1_VERSION) -+ { -+ sslopt |= SSL_OP_NO_TLSv1; -+ } -+#ifdef SSL_OP_NO_TLSv1_1 -+ if (tls_ver_max < TLS1_1_VERSION) -+ { -+ sslopt |= SSL_OP_NO_TLSv1_1; -+ } -+#endif -+#ifdef SSL_OP_NO_TLSv1_2 -+ if (tls_ver_max < TLS1_2_VERSION) -+ { -+ sslopt |= SSL_OP_NO_TLSv1_2; -+ } -+#endif -+ SSL_CTX_set_options(ctx, sslopt); -+ -+ return 1; -+} -+#endif /* SSL_CTX_set_max_proto_version */ -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ -+ -+/* -+ * Generate keys according to RFC 2716 and add to reply -+ */ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client) -+{ -+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; -+ const char *prf_label; -+ size_t prf_size; -+ unsigned char eap_tls13_context[] = { EAPT_TLS }; -+ unsigned char *context = NULL; -+ size_t context_len = 0; -+ unsigned char *p; -+ -+ dbglog("EAP-TLS generating MPPE keys"); -+ if (ets->tls_v13) -+ { -+ prf_label = "EXPORTER_EAP_TLS_Key_Material"; -+ context = eap_tls13_context; -+ context_len = 1; -+ } -+ else -+ { -+ prf_label = "client EAP encryption"; -+ } -+ -+ dbglog("EAP-TLS PRF label = %s", prf_label); -+ prf_size = strlen(prf_label); -+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, -+ context, context_len, 0) != 1) -+ { -+ warn( "EAP-TLS: Failed generating keying material" ); -+ return; -+ } -+ -+ /* -+ * We now have the master send and receive keys. -+ * From these, generate the session send and receive keys. -+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) -+ */ -+ if (client) -+ { -+ p = out; -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); -+ p += EAPTLS_MPPE_KEY_LEN; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); -+ } -+ else -+ { -+ p = out; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); -+ p += EAPTLS_MPPE_KEY_LEN; -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); -+ } -+ -+ mppe_keys_set = 1; -+} -+ -+#endif /* MPPE */ -+ -+void log_ssl_errors( void ) -+{ -+ unsigned long ssl_err = ERR_get_error(); -+ -+ if (ssl_err != 0) -+ dbglog("EAP-TLS SSL error stack:"); -+ while (ssl_err != 0) { -+ dbglog( ERR_error_string( ssl_err, NULL ) ); -+ ssl_err = ERR_get_error(); -+ } -+} -+ -+ -+int password_callback (char *buf, int size, int rwflag, void *u) -+{ -+ if (buf) -+ { -+ strncpy (buf, passwd, size); -+ return strlen (buf); -+ } -+ return 0; -+} -+ -+ -+CONF *eaptls_ssl_load_config( void ) -+{ -+ CONF *config; -+ int ret_code; -+ long error_line = 33; -+ -+ config = NCONF_new( NULL ); -+ dbglog( "Loading OpenSSL config file" ); -+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); -+ if (ret_code == 0) -+ { -+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); -+ NCONF_free( config ); -+ config = NULL; -+ ERR_clear_error(); -+ } -+ -+ dbglog( "Loading OpenSSL built-ins" ); -+ ENGINE_load_builtin_engines(); -+ OPENSSL_load_builtin_modules(); -+ -+ dbglog( "Loading OpenSSL configured modules" ); -+ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) -+ { -+ warn( "EAP-TLS: Error loading OpenSSL modules" ); -+ log_ssl_errors(); -+ config = NULL; -+ } -+ -+ return config; -+} -+ -+ENGINE *eaptls_ssl_load_engine( char *engine_name ) -+{ -+ ENGINE *e = NULL; -+ -+ dbglog( "Enabling OpenSSL auto engines" ); -+ ENGINE_register_all_complete(); -+ -+ dbglog( "Loading OpenSSL '%s' engine support", engine_name ); -+ e = ENGINE_by_id( engine_name ); -+ if (!e) -+ { -+ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); -+ e = ENGINE_by_id( "dynamic" ); -+ if (e) -+ { -+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) -+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) -+ { -+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); -+ log_ssl_errors(); -+ ENGINE_free(e); -+ e = NULL; -+ } -+ } -+ else -+ { -+ warn( "EAP-TLS: Cannot load dynamic engine support" ); -+ } -+ } -+ -+ if (e) -+ { -+ dbglog( "Initialising engine" ); -+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) -+ { -+ warn( "EAP-TLS: Cannot use that engine" ); -+ log_ssl_errors(); -+ ENGINE_free(e); -+ e = NULL; -+ } -+ } -+ -+ return e; -+} -+ -+/* -+ * Initialize the SSL stacks and tests if certificates, key and crl -+ * for client or server use can be loaded. -+ */ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, -+ char *certfile, char *peer_certfile, char *privkeyfile) -+{ -+ char *cert_engine_name = NULL; -+ char *cert_identifier = NULL; -+ char *pkey_engine_name = NULL; -+ char *pkey_identifier = NULL; -+ SSL_CTX *ctx; -+ SSL *ssl; -+ X509_STORE *certstore; -+ X509_LOOKUP *lookup; -+ X509 *tmp; -+ int ret; -+#if defined(TLS1_2_VERSION) -+ long tls_version = TLS1_2_VERSION; -+#elif defined(TLS1_1_VERSION) -+ long tls_version = TLS1_1_VERSION; -+#else -+ long tls_version = TLS1_VERSION; -+#endif -+ -+ /* -+ * Without these can't continue -+ */ -+ if (!(cacertfile[0] || capath[0])) -+ { -+ error("EAP-TLS: CA certificate file or path missing"); -+ return NULL; -+ } -+ -+ if (!certfile[0]) -+ { -+ error("EAP-TLS: Certificate missing"); -+ return NULL; -+ } -+ -+ if (!privkeyfile[0]) -+ { -+ error("EAP-TLS: Private key missing"); -+ return NULL; -+ } -+ -+ SSL_library_init(); -+ SSL_load_error_strings(); -+ -+ ctx = SSL_CTX_new(TLS_method()); -+ -+ if (!ctx) { -+ error("EAP-TLS: Cannot initialize SSL CTX context"); -+ goto fail; -+ } -+ -+ /* if the certificate filename is of the form engine:id. e.g. -+ pkcs11:12345 -+ then we try to load and use this engine. -+ If the certificate filename starts with a / or . then we -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier -+ */ -+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) -+ { -+ cert_identifier = index( certfile, ':' ); -+ -+ if (cert_identifier) -+ { -+ cert_engine_name = certfile; -+ *cert_identifier = '\0'; -+ cert_identifier++; -+ -+ dbglog( "Found certificate engine '%s'", cert_engine_name ); -+ dbglog( "Found certificate identifier '%s'", cert_identifier ); -+ } -+ } -+ -+ /* if the privatekey filename is of the form engine:id. e.g. -+ pkcs11:12345 -+ then we try to load and use this engine. -+ If the privatekey filename starts with a / or . then we -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier -+ */ -+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) -+ { -+ pkey_identifier = index( privkeyfile, ':' ); -+ -+ if (pkey_identifier) -+ { -+ pkey_engine_name = privkeyfile; -+ *pkey_identifier = '\0'; -+ pkey_identifier++; -+ -+ dbglog( "Found privatekey engine '%s'", pkey_engine_name ); -+ dbglog( "Found privatekey identifier '%s'", pkey_identifier ); -+ } -+ } -+ -+ if (cert_identifier && pkey_identifier) -+ { -+ if (strlen( cert_identifier ) == 0) -+ { -+ if (strlen( pkey_identifier ) == 0) -+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); -+ else -+ { -+ dbglog( "Substituting privatekey identifier for certificate identifier" ); -+ cert_identifier = pkey_identifier; -+ } -+ } -+ else -+ { -+ if (strlen( pkey_identifier ) == 0) -+ { -+ dbglog( "Substituting certificate identifier for privatekey identifier" ); -+ pkey_identifier = cert_identifier; -+ } -+ } -+ -+ } -+ -+ /* load the openssl config file only once */ -+ if (!ssl_config) -+ { -+ if (cert_engine_name || pkey_engine_name) -+ ssl_config = eaptls_ssl_load_config(); -+ -+ if (ssl_config && cert_engine_name) -+ cert_engine = eaptls_ssl_load_engine( cert_engine_name ); -+ -+ if (ssl_config && pkey_engine_name) -+ { -+ /* don't load the same engine twice */ -+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 ) -+ pkey_engine = cert_engine; -+ else -+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); -+ } -+ } -+ -+ SSL_CTX_set_default_passwd_cb (ctx, password_callback); -+ -+ if (strlen(cacertfile) == 0) cacertfile = NULL; -+ if (strlen(capath) == 0) capath = NULL; -+ -+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, capath)) -+ { -+ error("EAP-TLS: Cannot load verify locations"); -+ if (cacertfile) dbglog("CA certificate file = [%s]", cacertfile); -+ if (capath) dbglog("CA certificate path = [%s]", capath); -+ goto fail; -+ } -+ -+ if (init_server) -+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); -+ -+ if (cert_engine) -+ { -+ struct -+ { -+ const char *s_slot_cert_id; -+ X509 *cert; -+ } cert_info; -+ -+ cert_info.s_slot_cert_id = cert_identifier; -+ cert_info.cert = NULL; -+ -+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) -+ { -+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); -+ goto fail; -+ } -+ -+ if (cert_info.cert) -+ { -+ dbglog( "Got the certificate, adding it to SSL context" ); -+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); -+ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) -+ { -+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); -+ goto fail; -+ } -+ } -+ else -+ { -+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); -+ log_ssl_errors(); -+ } -+ } -+ else -+ { -+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile)) -+ { -+ error( "EAP-TLS: Cannot use public certificate %s", certfile ); -+ goto fail; -+ } -+ } -+ -+ -+ /* -+ * Check the Before and After dates of the certificate -+ */ -+ ssl = SSL_new(ctx); -+ tmp = SSL_get_certificate(ssl); -+ -+ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL); -+ if (ret == 0) -+ { -+ warn( "EAP-TLS: Failed to read certificate notBefore field."); -+ } -+ if (ret > 0) -+ { -+ warn( "EAP-TLS: Your certificate is not yet valid!"); -+ } -+ -+ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL); -+ if (ret == 0) -+ { -+ warn( "EAP-TLS: Failed to read certificate notAfter field."); -+ } -+ if (ret < 0) -+ { -+ warn( "EAP-TLS: Your certificate has expired!"); -+ } -+ SSL_free(ssl); -+ -+ if (pkey_engine) -+ { -+ EVP_PKEY *pkey = NULL; -+ PW_CB_DATA cb_data; -+ -+ cb_data.password = passwd; -+ cb_data.prompt_info = pkey_identifier; -+ -+ dbglog( "Loading private key '%s' from engine", pkey_identifier ); -+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); -+ if (pkey) -+ { -+ dbglog( "Got the private key, adding it to SSL context" ); -+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) -+ { -+ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); -+ goto fail; -+ } -+ } -+ else -+ { -+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); -+ log_ssl_errors(); -+ } -+ } -+ else -+ { -+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) -+ { -+ error("EAP-TLS: Cannot use private key %s", privkeyfile); -+ goto fail; -+ } -+ } -+ -+ if (SSL_CTX_check_private_key(ctx) != 1) { -+ error("EAP-TLS: Private key %s fails security check", privkeyfile); -+ goto fail; -+ } -+ -+ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */ -+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 -+#ifdef SSL_OP_NO_TICKET -+ | SSL_OP_NO_TICKET -+#endif -+ ); -+ -+ /* OpenSSL 1.1.1+ does not include RC4 ciphers by default. -+ * This causes totally obsolete WinXP clients to fail. If you really -+ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and -+ * make sure that you use an OpenSSL that supports them -+ -+ SSL_CTX_set_cipher_list(ctx, "RC4"); -+ */ -+ -+ -+ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+. -+ * During the initial handshake the server signals to the client early on -+ * that the handshake is finished, even before the client has sent its -+ * credentials to the server. The actual connection (and moment that the -+ * client sends its credentials) only starts after the arrival of the first -+ * session ticket. The 'ssl_new_session_cb' catches this ticket. -+ */ -+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); -+ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb); -+ -+ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */ -+ if (max_tls_version) -+ { -+ if (strncmp(max_tls_version, "1.0", 3) == 0) -+ tls_version = TLS1_VERSION; -+ else if (strncmp(max_tls_version, "1.1", 3) == 0) -+ tls_version = TLS1_1_VERSION; -+ else if (strncmp(max_tls_version, "1.2", 3) == 0) -+#ifdef TLS1_2_VERSION -+ tls_version = TLS1_2_VERSION; -+#else -+ { -+ warn("TLSv1.2 not available. Defaulting to TLSv1.1"); -+ tls_version = TLS_1_1_VERSION; -+ } -+#endif -+ else if (strncmp(max_tls_version, "1.3", 3) == 0) -+#ifdef TLS1_3_VERSION -+ tls_version = TLS1_3_VERSION; -+#else -+ warn("TLSv1.3 not available."); -+#endif -+ } -+ -+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); -+ SSL_CTX_set_max_proto_version(ctx, tls_version); -+ -+ SSL_CTX_set_verify_depth(ctx, 5); -+ SSL_CTX_set_verify(ctx, -+ SSL_VERIFY_PEER | -+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, -+ &ssl_verify_callback); -+ -+ if (crl_dir) { -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { -+ error("EAP-TLS: Failed to get certificate store"); -+ goto fail; -+ } -+ -+ if (!(lookup = -+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { -+ error("EAP-TLS: Store lookup for CRL failed"); -+ -+ goto fail; -+ } -+ -+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); -+ } -+ -+ if (crl_file) { -+ FILE *fp = NULL; -+ X509_CRL *crl = NULL; -+ -+ fp = fopen(crl_file, "r"); -+ if (!fp) { -+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); -+ goto fail; -+ } -+ -+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); -+ if (!crl) { -+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file); -+ goto fail; -+ } -+ -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { -+ error("EAP-TLS: Failed to get certificate store"); -+ goto fail; -+ } -+ if (!X509_STORE_add_crl(certstore, crl)) { -+ error("EAP-TLS: Cannot add CRL to certificate store"); -+ goto fail; -+ } -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); -+ -+ } -+ -+ /* -+ * If a peer certificate file was specified, it must be valid, else fail -+ */ -+ if (peer_certfile[0]) { -+ if (!(tmp = get_X509_from_file(peer_certfile))) { -+ error("EAP-TLS: Error loading client certificate from file %s", -+ peer_certfile); -+ goto fail; -+ } -+ X509_free(tmp); -+ } -+ -+ return ctx; -+ -+fail: -+ log_ssl_errors(); -+ SSL_CTX_free(ctx); -+ return NULL; -+} -+ -+/* -+ * Determine the maximum packet size by looking at the LCP handshake -+ */ -+ -+int eaptls_get_mtu(int unit) -+{ -+ int mtu, mru; -+ -+ lcp_options *wo = &lcp_wantoptions[unit]; -+ lcp_options *go = &lcp_gotoptions[unit]; -+ lcp_options *ho = &lcp_hisoptions[unit]; -+ lcp_options *ao = &lcp_allowoptions[unit]; -+ -+ mtu = ho->neg_mru? ho->mru: PPP_MRU; -+ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; -+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; -+ -+ dbglog("MTU = %d", mtu); -+ return mtu; -+} -+ -+ -+/* -+ * Init the ssl handshake (server mode) -+ */ -+int eaptls_init_ssl_server(eap_state * esp) -+{ -+ struct eaptls_session *ets; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char capath[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ /* -+ * Allocate new eaptls session -+ */ -+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); -+ if (!esp->es_server.ea_session) -+ fatal("Allocation error"); -+ ets = esp->es_server.ea_session; -+ -+ if (!esp->es_server.ea_peer) { -+ error("EAP-TLS: Error: client name not set (BUG)"); -+ return 0; -+ } -+ -+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); -+ -+ dbglog( "getting eaptls secret" ); -+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, -+ esp->es_server.ea_name, clicertfile, -+ servcertfile, cacertfile, capath, pkfile, 1)) { -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", -+ esp->es_server.ea_peer, esp->es_server.ea_name ); -+ return 0; -+ } -+ -+ ets->mtu = eaptls_get_mtu(esp->es_unit); -+ -+ ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile); -+ if (!ets->ctx) -+ goto fail; -+ -+ if (!(ets->ssl = SSL_new(ets->ctx))) -+ goto fail; -+ -+ /* -+ * Set auto-retry to avoid timeouts on BIO_read -+ */ -+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); -+ -+ /* -+ * Initialize the BIOs we use to read/write to ssl engine -+ */ -+ ets->into_ssl = BIO_new(BIO_s_mem()); -+ ets->from_ssl = BIO_new(BIO_s_mem()); -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); -+ -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); -+ SSL_set_msg_callback_arg(ets->ssl, ets); -+ -+ /* -+ * Attach the session struct to the connection, so we can later -+ * retrieve it when doing certificate verification -+ */ -+ SSL_set_ex_data(ets->ssl, 0, ets); -+ -+ SSL_set_accept_state(ets->ssl); -+ -+ ets->tls_v13 = 0; -+ -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->alert_sent = 0; -+ ets->alert_recv = 0; -+ -+ /* -+ * If we specified the client certificate file, store it in ets->peercertfile, -+ * so we can check it later in ssl_verify_callback() -+ */ -+ if (clicertfile[0]) -+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); -+ else -+ ets->peercertfile[0] = 0; -+ -+ return 1; -+ -+fail: -+ SSL_CTX_free(ets->ctx); -+ return 0; -+} -+ -+/* -+ * Init the ssl handshake (client mode) -+ */ -+int eaptls_init_ssl_client(eap_state * esp) -+{ -+ struct eaptls_session *ets; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char capath[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ /* -+ * Allocate new eaptls session -+ */ -+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); -+ if (!esp->es_client.ea_session) -+ fatal("Allocation error"); -+ ets = esp->es_client.ea_session; -+ -+ /* -+ * If available, copy server name in ets; it will be used in cert -+ * verify -+ */ -+ if (esp->es_client.ea_peer) -+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); -+ else -+ ets->peer[0] = 0; -+ -+ ets->mtu = eaptls_get_mtu(esp->es_unit); -+ -+ dbglog( "calling get_eaptls_secret" ); -+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, -+ ets->peer, clicertfile, -+ servcertfile, cacertfile, capath, pkfile, 0)) { -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", -+ esp->es_client.ea_name, ets->peer ); -+ return 0; -+ } -+ -+ dbglog( "calling eaptls_init_ssl" ); -+ ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile); -+ if (!ets->ctx) -+ goto fail; -+ -+ ets->ssl = SSL_new(ets->ctx); -+ -+ if (!ets->ssl) -+ goto fail; -+ -+ /* -+ * Initialize the BIOs we use to read/write to ssl engine -+ */ -+ dbglog( "Initializing SSL BIOs" ); -+ ets->into_ssl = BIO_new(BIO_s_mem()); -+ ets->from_ssl = BIO_new(BIO_s_mem()); -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); -+ -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); -+ SSL_set_msg_callback_arg(ets->ssl, ets); -+ -+ /* -+ * Attach the session struct to the connection, so we can later -+ * retrieve it when doing certificate verification -+ */ -+ SSL_set_ex_data(ets->ssl, 0, ets); -+ -+ SSL_set_connect_state(ets->ssl); -+ -+ ets->tls_v13 = 0; -+ -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->alert_sent = 0; -+ ets->alert_recv = 0; -+ -+ /* -+ * If we specified the server certificate file, store it in -+ * ets->peercertfile, so we can check it later in -+ * ssl_verify_callback() -+ */ -+ if (servcertfile[0]) -+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); -+ else -+ ets->peercertfile[0] = 0; -+ -+ return 1; -+ -+fail: -+ dbglog( "eaptls_init_ssl_client: fail" ); -+ SSL_CTX_free(ets->ctx); -+ return 0; -+ -+} -+ -+void eaptls_free_session(struct eaptls_session *ets) -+{ -+ if (ets->ssl) -+ SSL_free(ets->ssl); -+ -+ if (ets->ctx) -+ SSL_CTX_free(ets->ctx); -+ -+ free(ets); -+} -+ -+ -+int eaptls_is_init_finished(struct eaptls_session *ets) -+{ -+ if (ets->ssl && SSL_is_init_finished(ets->ssl)) -+ { -+ if (ets->tls_v13) -+ return have_session_ticket; -+ else -+ return 1; -+ } -+ -+ return 0; -+} -+ -+/* -+ * Handle a received packet, reassembling fragmented messages and -+ * passing them to the ssl engine -+ */ -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) -+{ -+ u_char flags; -+ u_int tlslen = 0; -+ u_char dummy[65536]; -+ -+ if (len < 1) { -+ warn("EAP-TLS: received no or invalid data"); -+ return 1; -+ } -+ -+ GETCHAR(flags, inp); -+ len--; -+ -+ if (flags & EAP_TLS_FLAGS_LI && len > 4) { -+ /* -+ * LenghtIncluded flag set -> this is the first packet of a message -+ */ -+ -+ /* -+ * the first 4 octets are the length of the EAP-TLS message -+ */ -+ GETLONG(tlslen, inp); -+ len -= 4; -+ -+ if (!ets->data) { -+ -+ if (tlslen > EAP_TLS_MAX_LEN) { -+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN); -+ tlslen = EAP_TLS_MAX_LEN; -+ } -+ -+ /* -+ * Allocate memory for the whole message -+ */ -+ ets->data = malloc(tlslen); -+ if (!ets->data) -+ fatal("EAP-TLS: allocation error\n"); -+ -+ ets->datalen = 0; -+ ets->tlslen = tlslen; -+ } -+ else -+ warn("EAP-TLS: non-first LI packet? that's odd..."); -+ } -+ else if (!ets->data) { -+ /* -+ * A non fragmented message without LI flag -+ */ -+ -+ ets->data = malloc(len); -+ if (!ets->data) -+ fatal("EAP-TLS: allocation error\n"); -+ -+ ets->datalen = 0; -+ ets->tlslen = len; -+ } -+ -+ if (flags & EAP_TLS_FLAGS_MF) -+ ets->frag = 1; -+ else -+ ets->frag = 0; -+ -+ if (len < 0) { -+ warn("EAP-TLS: received malformed data"); -+ return 1; -+ } -+ -+ if (len + ets->datalen > ets->tlslen) { -+ warn("EAP-TLS: received data > TLS message length"); -+ return 1; -+ } -+ -+ BCOPY(inp, ets->data + ets->datalen, len); -+ ets->datalen += len; -+ -+ if (!ets->frag) { -+ -+ /* -+ * If we have the whole message, pass it to ssl -+ */ -+ -+ if (ets->datalen != ets->tlslen) { -+ warn("EAP-TLS: received data != TLS message length"); -+ return 1; -+ } -+ -+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) -+ log_ssl_errors(); -+ -+ SSL_read(ets->ssl, dummy, 65536); -+ -+ free(ets->data); -+ ets->data = NULL; -+ ets->datalen = 0; -+ } -+ -+ return 0; -+} -+ -+/* -+ * Return an eap-tls packet in outp. -+ * A TLS message read from the ssl engine is buffered in ets->data. -+ * At each call we control if there is buffered data and send a -+ * packet of mtu bytes. -+ */ -+int eaptls_send(struct eaptls_session *ets, u_char ** outp) -+{ -+ bool first = 0; -+ int size; -+ u_char fromtls[65536]; -+ int res; -+ u_char *start; -+ -+ start = *outp; -+ -+ if (!ets->data) -+ { -+ if(!ets->alert_sent) -+ { -+ res = SSL_read(ets->ssl, fromtls, 65536); -+ } -+ -+ /* -+ * Read from ssl -+ */ -+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) -+ { -+ warn("EAP-TLS send: No data from BIO_read"); -+ return 1; -+ } -+ -+ ets->datalen = res; -+ -+ ets->data = malloc(ets->datalen); -+ BCOPY(fromtls, ets->data, ets->datalen); -+ -+ ets->offset = 0; -+ first = 1; -+ -+ } -+ -+ size = ets->datalen - ets->offset; -+ -+ if (size > ets->mtu) { -+ size = ets->mtu; -+ ets->frag = 1; -+ } else -+ ets->frag = 0; -+ -+ PUTCHAR(EAPT_TLS, *outp); -+ -+ /* -+ * Set right flags and length if necessary -+ */ -+ if (ets->frag && first) { -+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); -+ PUTLONG(ets->datalen, *outp); -+ } else if (ets->frag) { -+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp); -+ } else -+ PUTCHAR(0, *outp); -+ -+ /* -+ * Copy the data in outp -+ */ -+ BCOPY(ets->data + ets->offset, *outp, size); -+ INCPTR(size, *outp); -+ -+ /* -+ * Copy the packet in retransmission buffer -+ */ -+ BCOPY(start, &ets->rtx[0], *outp - start); -+ ets->rtx_len = *outp - start; -+ -+ ets->offset += size; -+ -+ if (ets->offset >= ets->datalen) { -+ -+ /* -+ * The whole message has been sent -+ */ -+ -+ free(ets->data); -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->offset = 0; -+ } -+ -+ return 0; -+} -+ -+/* -+ * Get the sent packet from the retransmission buffer -+ */ -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) -+{ -+ BCOPY(ets->rtx, *outp, ets->rtx_len); -+ INCPTR(ets->rtx_len, *outp); -+} -+ -+/* -+ * Verify a certificate. -+ * Most of the work (signatures and issuer attributes checking) -+ * is done by ssl; we check the CN in the peer certificate -+ * against the peer name. -+ */ -+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx) -+{ -+ char subject[256]; -+ char cn_str[256]; -+ X509 *peer_cert; -+ int err, depth; -+ SSL *ssl; -+ struct eaptls_session *ets; -+ -+ peer_cert = X509_STORE_CTX_get_current_cert(ctx); -+ err = X509_STORE_CTX_get_error(ctx); -+ depth = X509_STORE_CTX_get_error_depth(ctx); -+ -+ dbglog("certificate verify depth: %d", depth); -+ -+ if (auth_required && !ok) { -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), -+ subject, 256); -+ -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), -+ NID_commonName, cn_str, 256); -+ -+ dbglog("Certificate verification error:\n depth: %d CN: %s" -+ "\n err: %d (%s)\n", depth, cn_str, err, -+ X509_verify_cert_error_string(err)); -+ -+ return 0; -+ } -+ -+ ssl = X509_STORE_CTX_get_ex_data(ctx, -+ SSL_get_ex_data_X509_STORE_CTX_idx()); -+ -+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); -+ -+ if (ets == NULL) { -+ error("Error: SSL_get_ex_data returned NULL"); -+ return 0; -+ } -+ -+ log_ssl_errors(); -+ -+ if (!depth) { /* This is the peer certificate */ -+ -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), -+ subject, 256); -+ -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), -+ NID_commonName, cn_str, 256); -+ -+ /* -+ * If acting as client and the name of the server wasn't specified -+ * explicitely, we can't verify the server authenticity -+ */ -+ if (!ets->peer[0]) { -+ warn("Peer name not specified: no check"); -+ return ok; -+ } -+ -+ /* -+ * Check the CN -+ */ -+ if (strcmp(cn_str, ets->peer)) { -+ error -+ ("Certificate verification error: CN (%s) != peer_name (%s)", -+ cn_str, ets->peer); -+ return 0; -+ } -+ -+ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); -+ -+ /* -+ * If a peer certificate file was specified, here we check it -+ */ -+ if (ets->peercertfile[0]) { -+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) -+ != 0) { -+ error -+ ("Peer certificate doesn't match stored certificate"); -+ return 0; -+ } -+ } -+ } -+ -+ return ok; -+} -+ -+/* -+ * Compare a certificate with the one stored in a file -+ */ -+int ssl_cmp_certs(char *filename, X509 * a) -+{ -+ X509 *b; -+ int ret; -+ -+ if (!(b = get_X509_from_file(filename))) -+ return 1; -+ -+ ret = X509_cmp(a, b); -+ X509_free(b); -+ -+ return ret; -+ -+} -+ -+X509 *get_X509_from_file(char *filename) -+{ -+ FILE *fp; -+ X509 *ret; -+ -+ if (!(fp = fopen(filename, "r"))) -+ return NULL; -+ -+ ret = PEM_read_X509(fp, NULL, NULL, NULL); -+ -+ fclose(fp); -+ -+ return ret; -+} -+ -+/* -+ * Every sent & received message this callback function is invoked, -+ * so we know when alert messages have arrived or are sent and -+ * we can print debug information about TLS handshake. -+ */ -+void -+ssl_msg_callback(int write_p, int version, int content_type, -+ const void *buf, size_t len, SSL * ssl, void *arg) -+{ -+ char string[256]; -+ struct eaptls_session *ets = (struct eaptls_session *)arg; -+ unsigned char code; -+ const unsigned char*msg = buf; -+ int hvers = msg[1] << 8 | msg[2]; -+ -+ if(write_p) -+ strcpy(string, " -> "); -+ else -+ strcpy(string, " <- "); -+ -+ switch(content_type) { -+ -+ case SSL3_RT_HEADER: -+ strcat(string, "SSL/TLS Header: "); -+ switch(hvers) { -+ case SSL3_VERSION: -+ strcat(string, "SSL 3.0"); -+ break; -+ case TLS1_VERSION: -+ strcat(string, "TLS 1.0"); -+ break; -+ case TLS1_1_VERSION: -+ strcat(string, "TLS 1.1"); -+ break; -+ case TLS1_2_VERSION: -+ strcat(string, "TLS 1.2"); -+ break; -+ default: -+ sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers); -+ } -+ break; -+ -+ case SSL3_RT_ALERT: -+ strcat(string, "Alert: "); -+ code = msg[1]; -+ -+ if (write_p) { -+ ets->alert_sent = 1; -+ ets->alert_sent_desc = code; -+ } else { -+ ets->alert_recv = 1; -+ ets->alert_recv_desc = code; -+ } -+ -+ strcat(string, SSL_alert_desc_string_long(code)); -+ break; -+ -+ case SSL3_RT_CHANGE_CIPHER_SPEC: -+ strcat(string, "ChangeCipherSpec"); -+ break; -+ -+#ifdef SSL3_RT_INNER_CONTENT_TYPE -+ case SSL3_RT_INNER_CONTENT_TYPE: -+ strcat(string, "InnerContentType (TLS1.3)"); -+ break; -+#endif -+ -+ case SSL3_RT_HANDSHAKE: -+ -+ strcat(string, "Handshake: "); -+ code = msg[0]; -+ -+ switch(code) { -+ case SSL3_MT_HELLO_REQUEST: -+ strcat(string,"Hello Request"); -+ break; -+ case SSL3_MT_CLIENT_HELLO: -+ strcat(string,"Client Hello"); -+ break; -+ case SSL3_MT_SERVER_HELLO: -+ strcat(string,"Server Hello"); -+ break; -+#ifdef SSL3_MT_NEWSESSION_TICKET -+ case SSL3_MT_NEWSESSION_TICKET: -+ strcat(string,"New Session Ticket"); -+ break; -+#endif -+#ifdef SSL3_MT_END_OF_EARLY_DATA -+ case SSL3_MT_END_OF_EARLY_DATA: -+ strcat(string,"End of Early Data"); -+ break; -+#endif -+#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS -+ case SSL3_MT_ENCRYPTED_EXTENSIONS: -+ strcat(string,"Encryped Extensions"); -+ break; -+#endif -+ case SSL3_MT_CERTIFICATE: -+ strcat(string,"Certificate"); -+ break; -+ case SSL3_MT_SERVER_KEY_EXCHANGE: -+ strcat(string,"Server Key Exchange"); -+ break; -+ case SSL3_MT_CERTIFICATE_REQUEST: -+ strcat(string,"Certificate Request"); -+ break; -+ case SSL3_MT_SERVER_DONE: -+ strcat(string,"Server Hello Done"); -+ break; -+ case SSL3_MT_CERTIFICATE_VERIFY: -+ strcat(string,"Certificate Verify"); -+ break; -+ case SSL3_MT_CLIENT_KEY_EXCHANGE: -+ strcat(string,"Client Key Exchange"); -+ break; -+ case SSL3_MT_FINISHED: -+ strcat(string,"Finished: "); -+ hvers = SSL_version(ssl); -+ switch(hvers) { -+ case SSL3_VERSION: -+ strcat(string, "SSL 3.0"); -+ break; -+ case TLS1_VERSION: -+ strcat(string, "TLS 1.0"); -+ break; -+ case TLS1_1_VERSION: -+ strcat(string, "TLS 1.1"); -+ break; -+ case TLS1_2_VERSION: -+ strcat(string, "TLS 1.2"); -+ break; -+#ifdef TLS1_3_VERSION -+ case TLS1_3_VERSION: -+ strcat(string, "TLS 1.3 (experimental)"); -+ ets->tls_v13 = 1; -+ break; -+#endif -+ default: -+ strcat(string, "Unknown version"); -+ } -+ break; -+ default: -+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); -+ } -+ break; -+ -+ default: -+ sprintf( string, "SSL message contains unknown content type: %d", content_type ); -+ -+ } -+ -+ /* Alert messages must always be displayed */ -+ if(content_type == SSL3_RT_ALERT) -+ error("%s", string); -+ else -+ dbglog("%s", string); -+} -+ -+int -+ssl_new_session_cb(SSL *s, SSL_SESSION *sess) -+{ -+ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:"); -+ have_session_ticket = 1; -+ -+ /* always return success */ -+ return 1; -+} -+ -diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h ---- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-07 10:09:50.568118202 +0200 -@@ -0,0 +1,96 @@ -+/* -+ * eap-tls.h -+ * -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. -+ * Jan Just Keijser 2006-2019 All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. The name(s) of the authors of this software must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. -+ * -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ */ -+ -+#ifndef __EAP_TLS_H__ -+#define __EAP_TLS_H__ -+ -+#include "eap.h" -+ -+#include -+#include -+ -+#define EAP_TLS_FLAGS_LI 128 /* length included flag */ -+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ -+#define EAP_TLS_FLAGS_START 32 /* start flag */ -+ -+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ -+ -+struct eaptls_session -+{ -+ u_char *data; /* buffered data */ -+ int datalen; /* buffered data len */ -+ int offset; /* from where to send */ -+ int tlslen; /* total length of tls data */ -+ bool frag; /* packet is fragmented */ -+ bool tls_v13; /* whether we've negotiated TLSv1.3 */ -+ SSL_CTX *ctx; -+ SSL *ssl; /* ssl connection */ -+ BIO *from_ssl; -+ BIO *into_ssl; -+ char peer[MAXWORDLEN]; /* peer name */ -+ char peercertfile[MAXWORDLEN]; -+ bool alert_sent; -+ u_char alert_sent_desc; -+ bool alert_recv; -+ u_char alert_recv_desc; -+ char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */ -+ int rtx_len; -+ int mtu; /* unit mtu */ -+}; -+ -+ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, -+ char *certfile, char *peer_certfile, char *privkeyfile); -+int eaptls_init_ssl_server(eap_state * esp); -+int eaptls_init_ssl_client(eap_state * esp); -+void eaptls_free_session(struct eaptls_session *ets); -+ -+int eaptls_is_init_finished(struct eaptls_session *ets); -+ -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); -+int eaptls_send(struct eaptls_session *ets, u_char ** outp); -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); -+ -+int get_eaptls_secret(int unit, char *client, char *server, -+ char *clicertfile, char *servcertfile, char *cacertfile, -+ char *capath, char *pkfile, int am_server); -+ -+#ifdef MPPE -+#include "mppe.h" /* MPPE_MAX_KEY_LEN */ -+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; -+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; -+extern int mppe_keys_set; -+ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client); -+#endif -+ -+#endif -diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c ---- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c 2020-04-07 10:09:50.569118201 +0200 -@@ -43,6 +43,11 @@ - * Based on draft-ietf-pppext-eap-srp-03.txt. - */ - -+/* -+ * Modification by Beniamino Galvani, Mar 2005 -+ * Implemented EAP-TLS authentication -+ */ -+ - #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" - - /* -@@ -62,8 +67,12 @@ - - #include "pppd.h" - #include "pathnames.h" --#include "md5.h" - #include "eap.h" -+#ifdef USE_OPENSSL_MD5 -+#include "openssl/md5.h" -+#else -+#include "md5.h" -+#endif /* USE_OPENSSL_MD5 */ - - #ifdef USE_SRP - #include -@@ -72,8 +81,12 @@ - #include "pppcrypt.h" - #endif /* USE_SRP */ - --#ifndef SHA_DIGESTSIZE --#define SHA_DIGESTSIZE 20 -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif /* USE_EAPTLS */ -+ -+#ifndef SHA_DIGEST_LENGTH -+#define SHA_DIGEST_LENGTH 20 - #endif - - -@@ -208,6 +221,9 @@ - esp->es_server.ea_id = (u_char)(drand48() * 0x100); - esp->es_client.ea_timeout = EAP_DEFREQTIME; - esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -+#ifdef USE_EAPTLS -+ esp->es_client.ea_using_eaptls = 0; -+#endif /* USE_EAPTLS */ - } - - /* -@@ -316,8 +332,8 @@ - { - struct tm *tp; - char tbuf[9]; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - time_t reftime; - - if (pn_secret == NULL) -@@ -435,8 +451,16 @@ - u_char vals[2]; - struct b64state bs; - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ int secret_len; -+ char secret[MAXWORDLEN]; -+#endif /* USE_EAPTLS */ - - esp->es_server.ea_timeout = esp->es_savedtime; -+#ifdef USE_EAPTLS -+ esp->es_server.ea_prev_state = esp->es_server.ea_state; -+#endif /* USE_EAPTLS */ - switch (esp->es_server.ea_state) { - case eapBadAuth: - return; -@@ -561,9 +585,81 @@ - break; - } - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, -+ esp->es_server.ea_name, secret, &secret_len, 1)) { -+ -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ case eapTlsStart: -+ /* Initialize ssl session */ -+ if(!eaptls_init_ssl_server(esp)) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecv: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->alert_sent) { -+ esp->es_server.ea_state = eapTlsSendAlert; -+ break; -+ } -+ -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsSendAck; -+ else -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSend: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsRecvAck; -+ else -+ if(SSL_is_init_finished(ets->ssl)) -+ esp->es_server.ea_state = eapTlsRecvClient; -+ else -+ /* JJK Add "TLS empty record" message here ??? */ -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsSendAck: -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecvAck: -+ if (status) -+ { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSendAlert: -+ esp->es_server.ea_state = eapTlsRecvAlertAck; -+ break; -+#endif /* USE_EAPTLS */ -+ - case eapSRP1: - #ifdef USE_SRP - ts = (struct t_server *)esp->es_server.ea_session; -@@ -629,6 +725,10 @@ - } - if (esp->es_server.ea_state == eapBadAuth) - eap_send_failure(esp); -+ -+#ifdef USE_EAPTLS -+ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); -+#endif /* USE_EAPTLS */ - } - - /* -@@ -647,10 +747,10 @@ - char *str; - #ifdef USE_SRP - struct t_server *ts; -- u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp; -+ u_char clear[8], cipher[8], dig[SHA_DIGEST_LENGTH], *optr, *cp; - int i, j; - struct b64state b64; -- SHA1_CTX ctxt; -+ SHA_CTX ctxt; - #endif /* USE_SRP */ - - /* Handle both initial auth and restart */ -@@ -717,6 +817,30 @@ - INCPTR(esp->es_server.ea_namelen, outp); - break; - -+#ifdef USE_EAPTLS -+ case eapTlsStart: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(EAP_TLS_FLAGS_START, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSend: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAck: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAlert: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case eapSRP1: - PUTCHAR(EAPT_SRP, outp); -@@ -763,8 +887,8 @@ - PUTLONG(SRPVAL_EBIT, outp); - ts = (struct t_server *)esp->es_server.ea_session; - assert(ts != NULL); -- BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE); -- INCPTR(SHA_DIGESTSIZE, outp); -+ BCOPY(t_serverresponse(ts), outp, SHA_DIGEST_LENGTH); -+ INCPTR(SHA_DIGEST_LENGTH, outp); - - if (pncrypt_setkey(0)) { - /* Generate pseudonym */ -@@ -804,9 +928,9 @@ - /* Set length and pad out to next 20 octet boundary */ - i = outp - optr - 1; - *optr = i; -- i %= SHA_DIGESTSIZE; -+ i %= SHA_DIGEST_LENGTH; - if (i != 0) { -- while (i < SHA_DIGESTSIZE) { -+ while (i < SHA_DIGEST_LENGTH) { - *outp++ = drand48() * 0x100; - i++; - } -@@ -822,14 +946,14 @@ - while (optr < outp) { - SHA1Final(dig, &ctxt); - cp = dig; -- while (cp < dig + SHA_DIGESTSIZE) -+ while (cp < dig + SHA_DIGEST_LENGTH) - *optr++ ^= *cp++; - SHA1Init(&ctxt); - SHA1Update(&ctxt, &esp->es_server.ea_id, 1); - SHA1Update(&ctxt, esp->es_server.ea_skey, - SESSION_KEY_LEN); -- SHA1Update(&ctxt, optr - SHA_DIGESTSIZE, -- SHA_DIGESTSIZE); -+ SHA1Update(&ctxt, optr - SHA_DIGEST_LENGTH, -+ SHA_DIGEST_LENGTH); - } - } - break; -@@ -903,11 +1027,57 @@ - eap_server_timeout(arg) - void *arg; - { -+#ifdef USE_EAPTLS -+ u_char *outp; -+ u_char *lenloc; -+ int outlen; -+#endif /* USE_EAPTLS */ -+ - eap_state *esp = (eap_state *) arg; - - if (!eap_server_active(esp)) - return; - -+#ifdef USE_EAPTLS -+ switch(esp->es_server.ea_prev_state) { -+ -+ /* -+ * In eap-tls the state changes after a request, so we return to -+ * previous state ... -+ */ -+ case(eapTlsStart): -+ case(eapTlsSendAck): -+ esp->es_server.ea_state = esp->es_server.ea_prev_state; -+ break; -+ -+ /* -+ * ... or resend the stored data -+ */ -+ case(eapTlsSend): -+ case(eapTlsSendAlert): -+ outp = outpacket_buf; -+ MAKEHEADER(outp, PPP_EAP); -+ PUTCHAR(EAP_REQUEST, outp); -+ PUTCHAR(esp->es_server.ea_id, outp); -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ eaptls_retransmit(esp->es_server.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); -+ esp->es_server.ea_requests++; -+ -+ if (esp->es_server.ea_timeout > 0) -+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); -+ -+ return; -+ default: -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - /* EAP ID number must not change on timeout. */ - eap_send_request(esp); - } -@@ -1154,17 +1324,90 @@ - PUTCHAR(id, outp); - esp->es_client.ea_id = id; - msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + -- SHA_DIGESTSIZE; -+ SHA_DIGEST_LENGTH; - PUTSHORT(msglen, outp); - PUTCHAR(EAPT_SRP, outp); - PUTCHAR(EAPSRP_CVALIDATOR, outp); - PUTLONG(flags, outp); -- BCOPY(str, outp, SHA_DIGESTSIZE); -+ BCOPY(str, outp, SHA_DIGEST_LENGTH); - - output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen); - } - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+/* -+ * Send an EAP-TLS response message with tls data -+ */ -+static void -+eap_tls_response(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ /* -+ If the id in the request is unchanged, we must retransmit -+ the old data -+ */ -+ if(id == esp->es_client.ea_id) -+ eaptls_retransmit(esp->es_client.ea_session, &outp); -+ else -+ eaptls_send(esp->es_client.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+ esp->es_client.ea_id = id; -+} -+ -+/* -+ * Send an EAP-TLS ack -+ */ -+static void -+eap_tls_sendack(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ esp->es_client.ea_id = id; -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+} -+#endif /* USE_EAPTLS */ -+ - static void - eap_send_nak(esp, id, type) - eap_state *esp; -@@ -1251,8 +1494,8 @@ - { - u_char val; - u_char *datp, *digp; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - int dsize, fd, olen = len; - - /* -@@ -1261,21 +1504,21 @@ - */ - val = id; - while (len > 0) { -- if ((dsize = len % SHA_DIGESTSIZE) == 0) -- dsize = SHA_DIGESTSIZE; -+ if ((dsize = len % SHA_DIGEST_LENGTH) == 0) -+ dsize = SHA_DIGEST_LENGTH; - len -= dsize; - datp = inp + len; - SHA1Init(&ctxt); - SHA1Update(&ctxt, &val, 1); - SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN); - if (len > 0) { -- SHA1Update(&ctxt, datp, SHA_DIGESTSIZE); -+ SHA1Update(&ctxt, datp, SHA_DIGEST_LENGTH); - } else { - SHA1Update(&ctxt, esp->es_client.ea_name, - esp->es_client.ea_namelen); - } - SHA1Final(dig, &ctxt); -- for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++) -+ for (digp = dig; digp < dig + SHA_DIGEST_LENGTH; digp++) - *datp++ ^= *digp; - } - -@@ -1319,12 +1562,17 @@ - char rhostname[256]; - MD5_CTX mdContext; - u_char hash[MD5_SIGNATURE_SIZE]; -+#ifdef USE_EAPTLS -+ u_char flags; -+ struct eaptls_session *ets = esp->es_client.ea_session; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - struct t_client *tc; - struct t_num sval, gval, Nval, *Ap, Bval; - u_char vals[2]; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ SHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - int fd; - #endif /* USE_SRP */ - -@@ -1455,6 +1703,96 @@ - esp->es_client.ea_namelen); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ -+ switch(esp->es_client.ea_state) { -+ -+ case eapListen: -+ -+ if (len < 1) { -+ error("EAP: received EAP-TLS Listen packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ GETCHAR(flags, inp); -+ if(flags & EAP_TLS_FLAGS_START){ -+ -+ esp->es_client.ea_using_eaptls = 1; -+ -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; -+ -+ /* Init ssl session */ -+ if(!eaptls_init_ssl_client(esp)) { -+ dbglog("cannot init ssl"); -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ ets = esp->es_client.ea_session; -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); -+ break; -+ } -+ -+ /* The server has sent a bad start packet. */ -+ eap_send_nak(esp, id, EAPT_TLS); -+ break; -+ -+ case eapTlsRecvAck: -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); -+ break; -+ -+ case eapTlsRecv: -+ if (len < 1) { -+ error("EAP: discarding EAP-TLS Receive packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ eaptls_receive(ets, inp, len); -+ -+ if(ets->frag) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecv; -+ break; -+ } -+ -+ if(ets->alert_recv) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvFailure; -+ break; -+ } -+ -+ /* Check if TLS handshake is finished */ -+ if(eaptls_is_init_finished(ets)) { -+#ifdef MPPE -+ eaptls_gen_mppe_keys(ets, 1); -+#endif -+ eaptls_free_session(ets); -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvSuccess; -+ break; -+ } -+ -+ eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); -+ break; -+ -+ default: -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case EAPT_SRP: - if (len < 1) { -@@ -1639,7 +1977,7 @@ - esp->es_client.ea_id, id); - } - } else { -- len -= sizeof (u_int32_t) + SHA_DIGESTSIZE; -+ len -= sizeof (u_int32_t) + SHA_DIGEST_LENGTH; - if (len < 0 || t_clientverify(tc, inp + - sizeof (u_int32_t)) != 0) { - error("EAP: SRP server verification " -@@ -1649,7 +1987,7 @@ - GETLONG(esp->es_client.ea_keyflags, inp); - /* Save pseudonym if user wants it. */ - if (len > 0 && esp->es_usepseudo) { -- INCPTR(SHA_DIGESTSIZE, inp); -+ INCPTR(SHA_DIGEST_LENGTH, inp); - write_pseudonym(esp, inp, len, id); - } - } -@@ -1676,7 +2014,7 @@ - esp->es_client.ea_namelen); - SHA1Final(dig, &ctxt); - eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig, -- SHA_DIGESTSIZE); -+ SHA_DIGEST_LENGTH); - break; - - default: -@@ -1732,10 +2070,15 @@ - #ifdef USE_SRP - struct t_server *ts; - struct t_num A; -- SHA1_CTX ctxt; -- u_char dig[SHA_DIGESTSIZE]; -+ eHA_CTX ctxt; -+ u_char dig[SHA_DIGEST_LENGTH]; - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ u_char flags; -+#endif /* USE_EAPTLS */ -+ - if (esp->es_server.ea_id != id) { - dbglog("EAP: discarding Response %d; expected ID %d", id, - esp->es_server.ea_id); -@@ -1775,6 +2118,64 @@ - eap_figure_next_state(esp, 0); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ switch(esp->es_server.ea_state) { -+ -+ case eapTlsRecv: -+ -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ eap_figure_next_state(esp, -+ eaptls_receive(esp->es_server.ea_session, inp, len)); -+ -+ if(ets->alert_recv) { -+ eap_send_failure(esp); -+ break; -+ } -+ break; -+ -+ case eapTlsRecvAck: -+ if(len > 1) { -+ dbglog("EAP-TLS ACK with extra data"); -+ } -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsRecvClient: -+ /* Receive authentication response from client */ -+ if (len > 0) { -+ GETCHAR(flags, inp); -+ -+ if(len == 1 && !flags) { /* Ack = ok */ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); -+#endif -+ eap_send_success(esp); -+ } -+ else { /* failure */ -+ warn("Server authentication failed"); -+ eap_send_failure(esp); -+ } -+ } -+ else -+ warn("Bogus EAP-TLS packet received from client"); -+ -+ eaptls_free_session(esp->es_server.ea_session); -+ -+ break; -+ -+ case eapTlsRecvAlertAck: -+ eap_send_failure(esp); -+ break; -+ -+ default: -+ eap_figure_next_state(esp, 1); -+ break; -+ } -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NOTIFICATION: - dbglog("EAP unexpected Notification; response discarded"); - break; -@@ -1806,6 +2207,13 @@ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ /* Send EAP-TLS start packet */ -+ case EAPT_TLS: -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+#endif /* USE_EAPTLS */ -+ - default: - dbglog("EAP: peer requesting unknown Type %d", vallen); - switch (esp->es_server.ea_state) { -@@ -1923,9 +2331,9 @@ - eap_figure_next_state(esp, 1); - break; - } -- if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) { -+ if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH) { - error("EAP: M1 length %d < %d", len, -- sizeof (u_int32_t) + SHA_DIGESTSIZE); -+ sizeof (u_int32_t) + SHA_DIGEST_LENGTH); - eap_figure_next_state(esp, 1); - break; - } -@@ -1962,7 +2370,7 @@ - info("EAP: unexpected SRP Subtype 4 Response"); - return; - } -- if (len != SHA_DIGESTSIZE) { -+ if (len != SHA_DIGEST_LENGTH) { - error("EAP: bad Lightweight rechallenge " - "response"); - return; -@@ -1976,7 +2384,7 @@ - SHA1Update(&ctxt, esp->es_server.ea_peer, - esp->es_server.ea_peerlen); - SHA1Final(dig, &ctxt); -- if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { -+ if (BCMP(dig, inp, SHA_DIGEST_LENGTH) != 0) { - error("EAP: failed Lightweight rechallenge"); - eap_send_failure(esp); - break; -@@ -2017,13 +2425,27 @@ - int id; - int len; - { -- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { -+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -+#ifdef USE_EAPTLS -+ && esp->es_client.ea_state != eapTlsRecvSuccess -+#endif /* USE_EAPTLS */ -+ ) { - dbglog("EAP unexpected success message in state %s (%d)", - eap_state_name(esp->es_client.ea_state), - esp->es_client.ea_state); - return; - } - -+#ifdef USE_EAPTLS -+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != -+ eapTlsRecvSuccess) { -+ dbglog("EAP-TLS unexpected success message in state %s (%d)", -+ eap_state_name(esp->es_client.ea_state), -+ esp->es_client.ea_state); -+ return; -+ } -+#endif /* USE_EAPTLS */ -+ - if (esp->es_client.ea_timeout > 0) { - UNTIMEOUT(eap_client_timeout, (void *)esp); - } -@@ -2149,6 +2571,9 @@ - int code, id, len, rtype, vallen; - u_char *pstart; - u_int32_t uval; -+#ifdef USE_EAPTLS -+ u_char flags; -+#endif /* USE_EAPTLS */ - - if (inlen < EAP_HEADERLEN) - return (0); -@@ -2213,6 +2638,24 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_SRP: - if (len < 3) - goto truncated; -@@ -2280,10 +2723,10 @@ - if (uval != 0) { - printer(arg, " f<%X>", uval); - } -- if ((vallen = len) > SHA_DIGESTSIZE) -- vallen = SHA_DIGESTSIZE; -+ if ((vallen = len) > SHA_DIGEST_LENGTH) -+ vallen = SHA_DIGEST_LENGTH; - printer(arg, " ", len, inp, -- len < SHA_DIGESTSIZE ? "?" : ""); -+ len < SHA_DIGEST_LENGTH ? "?" : ""); - INCPTR(vallen, inp); - len -= vallen; - if (len > 0) { -@@ -2324,6 +2767,25 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NAK: - if (len <= 0) { - printer(arg, " "); -@@ -2387,7 +2849,7 @@ - printer(arg, " f<%X>", uval); - } - printer(arg, " ", len, inp, -- len == SHA_DIGESTSIZE ? "" : "?"); -+ len == SHA_DIGEST_LENGTH ? "" : "?"); - INCPTR(len, inp); - len = 0; - break; -@@ -2397,9 +2859,9 @@ - - case EAPSRP_LWRECHALLENGE: - printer(arg, " ", len, inp, -- len == SHA_DIGESTSIZE ? "" : "?"); -- if ((vallen = len) > SHA_DIGESTSIZE) -- vallen = SHA_DIGESTSIZE; -+ len == SHA_DIGEST_LENGTH ? "" : "?"); -+ if ((vallen = len) > SHA_DIGEST_LENGTH) -+ vallen = SHA_DIGEST_LENGTH; - INCPTR(vallen, inp); - len -= vallen; - break; -@@ -2425,3 +2887,4 @@ - - return (inp - pstart); - } -+ -diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h ---- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h 2020-04-07 10:09:50.569118201 +0200 -@@ -84,6 +84,16 @@ - eapClosed, /* Authentication not in use */ - eapListen, /* Client ready (and timer running) */ - eapIdentify, /* EAP Identify sent */ -+ eapTlsStart, /* Send EAP-TLS start packet */ -+ eapTlsRecv, /* Receive EAP-TLS tls data */ -+ eapTlsSendAck, /* Send EAP-TLS ack */ -+ eapTlsSend, /* Send EAP-TLS tls data */ -+ eapTlsRecvAck, /* Receive EAP-TLS ack */ -+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ -+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ -+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ -+ eapTlsRecvSuccess, /* Receive EAP success */ -+ eapTlsRecvFailure, /* Receive EAP failure */ - eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ - eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ - eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ -@@ -95,9 +105,18 @@ - - #define EAP_STATES \ - "Initial", "Pending", "Closed", "Listen", "Identify", \ -+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ -+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" - --#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#ifdef USE_EAPTLS -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ -+ (esp)->es_client.ea_state != eapPending &&\ -+ (esp)->es_client.ea_state != eapClosed) -+#else -+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#endif /* USE_EAPTLS */ -+ - #define eap_server_active(esp) \ - ((esp)->es_server.ea_state >= eapIdentify && \ - (esp)->es_server.ea_state <= eapMD5Chall) -@@ -112,11 +131,17 @@ - u_short ea_namelen; /* Length of our name */ - u_short ea_peerlen; /* Length of peer's name */ - enum eap_state_code ea_state; -+#ifdef USE_EAPTLS -+ enum eap_state_code ea_prev_state; -+#endif - u_char ea_id; /* Current id */ - u_char ea_requests; /* Number of Requests sent/received */ - u_char ea_responses; /* Number of Responses */ - u_char ea_type; /* One of EAPT_* */ - u_int32_t ea_keyflags; /* SRP shared key usage flags */ -+#ifdef USE_EAPTLS -+ bool ea_using_eaptls; -+#endif - }; - - /* -@@ -139,7 +164,12 @@ - * Timeouts. - */ - #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ -+#ifdef USE_EAPTLS -+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ -+ /* certificates can be long ... */ -+#else - #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ -+#endif /* USE_EAPTLS */ - #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ - #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ - -diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h ---- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h 2020-04-07 10:09:50.569118201 +0200 -@@ -21,6 +21,13 @@ - #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" - #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" - #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" -+ -+#ifdef USE_EAPTLS -+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" -+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" -+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" -+#endif /* USE_EAPTLS */ -+ - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" - #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" - #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux ---- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-04-07 10:09:50.569118201 +0200 -@@ -4,6 +4,9 @@ - LDFLAGS_SHARED = -shared - INSTALL = install - -+# EAP-TLS -+CFLAGS += -DUSE_EAPTLS=1 -+ - DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c ---- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-04-07 10:09:50.569118201 +0200 -@@ -107,4 +107,7 @@ - { - add_options(options); - pap_passwd_hook = promptpass; -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = promptpass; -+#endif - } -diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c ---- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-04-07 10:09:50.569118201 +0200 -@@ -79,4 +79,8 @@ - - chap_check_hook = pwfd_check; - chap_passwd_hook = pwfd_passwd; -+ -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = pwfd_passwd; -+#endif - } -diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c ---- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-04-07 10:09:50.569118201 +0200 -@@ -31,6 +31,7 @@ - */ - - #include -+#include - #include "pppd.h" - #include "pppcrypt.h" - -diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 ---- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 2020-04-07 10:09:50.570118199 +0200 -@@ -260,6 +260,12 @@ - compression in the corresponding direction. Use \fInobsdcomp\fR or - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. - .TP -+.B ca \fIca-file -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection. -+This option is used on the client-side in conjunction with the \fBcert\fR -+and \fBkey\fR options. -+.TP - .B cdtrcts - Use a non-standard hardware flow control (i.e. DTR/CTS) to control - the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -271,6 +277,12 @@ - bi-directional flow control. The sacrifice is that this flow - control mode does not permit using DTR as a modem control line. - .TP -+.B cert \fIcertfile -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBkey\fR options. -+.TP - .B chap\-interval \fIn - If this option is given, pppd will rechallenge the peer every \fIn\fR - seconds. -@@ -299,6 +311,18 @@ - 1000 (1 second). This wait period only applies if the \fBconnect\fR - or \fBpty\fR option is used. - .TP -+.B crl \fIfilename -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List -+to check for the validity of the peer's certificate. This option is not -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR -+option. -+.TP -+.B crl-dir \fIdirectory -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in -+has format ($hash.r0) to check for the validity of the peer's certificate. -+This option is not mandatory for setting up an EAP-TLS connection. -+Also see the \fBcrl\fR option. -+.TP - .B debug - Enables connection debugging facilities. - If this option is given, pppd will log the contents of all -@@ -563,6 +587,12 @@ - the kernel are logged by syslog(1) to a file as directed in the - /etc/syslog.conf configuration file. - .TP -+.B key \fIkeyfile -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBcert\fR options. -+.TP - .B ktune - Enables pppd to alter kernel settings as appropriate. Under Linux, - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -721,6 +751,9 @@ - Disable Address/Control compression in both directions (send and - receive). - .TP -+.B need-peer-eap -+(EAP-TLS) Require the peer to verify our authentication credentials. -+.TP - .B noauth - Do not require the peer to authenticate itself. This option is - privileged. -diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h ---- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h 2020-04-07 10:09:50.570118199 +0200 -@@ -341,6 +341,12 @@ - extern bool dryrun; /* check everything, print options, exit */ - extern int child_wait; /* # seconds to wait for children at end */ - -+#ifdef USE_EAPTLS -+extern char *crl_dir; -+extern char *crl_file; -+extern char *max_tls_version; -+#endif /* USE_EAPTLS */ -+ - #ifdef MAXOCTETS - extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ - extern int maxoctets_dir; /* Direction : -@@ -763,6 +769,10 @@ - extern int (*chap_passwd_hook) __P((char *user, char *passwd)); - extern void (*multilink_join_hook) __P((void)); - -+#ifdef USE_EAPTLS -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); -+#endif -+ - /* Let a plugin snoop sent and received packets. Useful for L2TP */ - extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); - extern void (*snoop_send_hook) __P((unsigned char *p, int len)); -diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c ---- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c 2020-04-07 10:09:50.570118199 +0200 -@@ -101,7 +101,7 @@ - /* SHA1Init - Initialize new context */ - - void --SHA1_Init(SHA1_CTX *context) -+SHA1_Init(SHA_CTX *context) - { - /* SHA1 initialization constants */ - context->state[0] = 0x67452301; -@@ -116,7 +116,7 @@ - /* Run your data through this. */ - - void --SHA1_Update(SHA1_CTX *context, const unsigned char *data, unsigned int len) -+SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len) - { - unsigned int i, j; - -@@ -140,7 +140,7 @@ - /* Add padding and return the message digest. */ - - void --SHA1_Final(unsigned char digest[20], SHA1_CTX *context) -+SHA1_Final(unsigned char *digest, SHA_CTX *context) - { - u_int32_t i, j; - unsigned char finalcount[8]; -diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h ---- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h 2020-04-07 10:09:50.570118199 +0200 -@@ -1,11 +1,5 @@ - /* sha1.h */ - --/* If OpenSSL is in use, then use that version of SHA-1 */ --#ifdef OPENSSL --#include --#define __SHA1_INCLUDE_ --#endif -- - #ifndef __SHA1_INCLUDE_ - - #ifndef SHA1_SIGNATURE_SIZE -@@ -20,11 +14,11 @@ - u_int32_t state[5]; - u_int32_t count[2]; - unsigned char buffer[64]; --} SHA1_CTX; -+} SHA_CTX; - --extern void SHA1_Init(SHA1_CTX *); --extern void SHA1_Update(SHA1_CTX *, const unsigned char *, unsigned int); --extern void SHA1_Final(unsigned char[SHA1_SIGNATURE_SIZE], SHA1_CTX *); -+extern void SHA1_Init(SHA_CTX *context); -+extern void SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len); -+extern void SHA1_Final(unsigned char *data, SHA_CTX *context); - - #define __SHA1_INCLUDE_ - #endif /* __SHA1_INCLUDE_ */ -diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c ---- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-04-07 10:09:50.571118198 +0200 -@@ -1550,6 +1550,26 @@ - #endif /* defined(INET6) && defined(SOL2) */ - } - -+ -+ -+/* -+ * netif_get_mtu - get the MTU on the PPP network interface. -+ */ -+int -+netif_get_mtu(int unit) -+{ -+ struct ifreq ifr; -+ -+ memset (&ifr, '\0', sizeof (ifr)); -+ strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); -+ -+ if (ioctl(ipfd, SIOCGIFMTU, (caddr_t) &ifr) < 0) { -+ error("ioctl(SIOCGIFMTU): %m (line %d)", __LINE__); -+ return 0; -+ } -+ return ifr.ifr_mtu; -+} -+ - /* - * tty_send_config - configure the transmit characteristics of - * the ppp interface. diff --git a/ppp-2.4.8-man-fix.patch b/ppp-2.4.8-man-fix.patch deleted file mode 100644 index 4ecf1f5..0000000 --- a/ppp-2.4.8-man-fix.patch +++ /dev/null @@ -1,46 +0,0 @@ -diff --git a/pppdump/pppdump.8 b/pppdump/pppdump.8 -index 4072e68..1116b85 100644 ---- a/pppdump/pppdump.8 -+++ b/pppdump/pppdump.8 -@@ -13,6 +13,8 @@ pppdump \- convert PPP record file to readable format - ]] [ - .B \-r - ] [ -+.B \-a -+] [ - .B \-m \fImru - ] [ - .I file \fR... -@@ -54,6 +56,9 @@ Reverses the direction indicators, so that `sent' is printed for - bytes or packets received, and `rcvd' is printed for bytes or packets - sent. - .TP -+.B \-a -+Prints absolute times. -+.TP - .B \-m \fImru - Use \fImru\fR as the MRU (maximum receive unit) for both directions of - the link when checking for over-length PPP packets (with the \fB\-p\fR -diff --git a/pppstats/pppstats.8 b/pppstats/pppstats.8 -index 4ac101e..cabf4d7 100644 ---- a/pppstats/pppstats.8 -+++ b/pppstats/pppstats.8 -@@ -7,6 +7,8 @@ pppstats \- print PPP statistics - [ - .B \-a - ] [ -+.B \-d -+] [ - .B \-v - ] [ - .B \-r -@@ -41,6 +43,9 @@ reports show statistics for the time since the link was initiated. - Without this option, the second and subsequent reports show statistics - for the time since the last report. - .TP -+.B \-d -+Show data rate (kB/s) instead of bytes. -+.TP - .B \-c \fIcount - Repeat the display - .I count diff --git a/ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch b/ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch deleted file mode 100644 index eddef5b..0000000 --- a/ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch +++ /dev/null @@ -1,57 +0,0 @@ -From abef895f9d144f05a83045136b77277352dc450f Mon Sep 17 00:00:00 2001 -From: David Woodhouse -Date: Fri, 4 Apr 2014 18:53:33 +0200 -Subject: [PATCH 09/27] pppd: introduce ipv6-accept-remote - ---- - pppd/ipv6cp.c | 5 ++++- - pppd/ipv6cp.h | 3 ++- - 2 files changed, 6 insertions(+), 2 deletions(-) - -diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c -index caa2b26..5a56c95 100644 ---- a/pppd/ipv6cp.c -+++ b/pppd/ipv6cp.c -@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = { - - { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local, - "Accept peer's interface identifier for us", 1 }, -+ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote, -+ "Accept peer's interface identifier for itself", 1 }, - - { "defaultroute6", o_bool, &ipv6cp_wantoptions[0].default_route, - "Add default IPv6 route", OPT_ENABLE|1, &ipv6cp_allowoptions[0].default_route }, -@@ -437,6 +439,7 @@ ipv6cp_init(unit) - memset(ao, 0, sizeof(*ao)); - - wo->accept_local = 1; -+ wo->accept_remote = 1; - wo->neg_ifaceid = 1; - ao->neg_ifaceid = 1; - -@@ -962,7 +965,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree) - orc = CONFREJ; /* Reject CI */ - break; - } -- if (!eui64_iszero(wo->hisid) && -+ if (!eui64_iszero(wo->hisid) && !wo->accept_remote && - !eui64_equals(ifaceid, wo->hisid) && - eui64_iszero(go->hisid)) { - -diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h -index cc4568d..8c7552e 100644 ---- a/pppd/ipv6cp.h -+++ b/pppd/ipv6cp.h -@@ -150,7 +150,8 @@ - int neg_ifaceid; /* Negotiate interface identifier? */ - int req_ifaceid; /* Ask peer to send interface identifier? */ - int default_route; /* Assign default route through interface? */ -- int accept_local; /* accept peer's value for iface id? */ -+ int accept_local; /* accept peer's value for our iface id? */ -+ int accept_remote; /* accept peer's value for his iface id? */ - int opt_local; /* ourtoken set by option */ - int opt_remote; /* histoken set by option */ - int use_ip; /* use IP as interface identifier */ --- -1.8.3.1 - diff --git a/ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch b/ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch deleted file mode 100644 index 780e068..0000000 --- a/ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch +++ /dev/null @@ -1,383 +0,0 @@ -From 6edc865bd02ab591b9121d4a5f6dc3cdbe5af809 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 9 Apr 2014 09:18:24 +0200 -Subject: [PATCH 19/27] sys-linux: rework get_first_ethernet() - -We can't assume that host has ethernet NIC named "eth0". Rather than guessing we -better ask udev. We iterate over symlinks symlinks in /sys/class/net and -for each device we determine if it is ethernet device and additionally we query -udev database for sub-type of the device. If we find PCI or USB device which has -ethernet datalink type and appropriate sub-type we return its name. If we don't -succeed in determining more information about device we will return "good -enough" device which in turn is first device with ethernet datalink type. - -Note that we now have two copies of get_first_ethernet() in the source code. This -is bad and should be fixed in the future. - -This commit replaces ppp-2.4.5-eth.patch. - -Resolves: #682381 ---- - pppd/Makefile.linux | 3 + - pppd/multilink.c | 4 +- - pppd/plugins/rp-pppoe/Makefile.linux | 4 +- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 117 +++++++++++++++++++++++++++++++- - pppd/pppd.h | 2 +- - pppd/sys-linux.c | 115 +++++++++++++++++++++++++++++-- - 6 files changed, 232 insertions(+), 13 deletions(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 53df4d2..0e8107f 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -32,6 +32,9 @@ include .depend - endif - - CC = gcc -+ -+LIBS = -ludev -+ - # - COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - -diff --git a/pppd/multilink.c b/pppd/multilink.c -index 135cab0..2f0ed50 100644 ---- a/pppd/multilink.c -+++ b/pppd/multilink.c -@@ -436,12 +436,12 @@ static int - get_default_epdisc(ep) - struct epdisc *ep; - { -- char *p; -+ char *p = NULL; - struct hostent *hp; - u_int32_t addr; - - /* First try for an ethernet MAC address */ -- p = get_first_ethernet(); -+ get_first_ethernet(&p); - if (p != 0 && get_if_hwaddr(ep->value, p) >= 0) { - ep->class = EPD_MAC; - ep->length = 6; -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 9918091..b949716 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -30,8 +30,8 @@ COPTS=$(RPM_OPT_FLAGS) - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - --pppoe-discovery: pppoe-discovery.o debug.o -- $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -+pppoe-discovery: pppoe-discovery.o debug.o common.o -+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev - - pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -I../../.. -c -o pppoe-discovery.o pppoe-discovery.c -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index c0d927d..2bd910f 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -47,8 +47,13 @@ - #include - #endif - -+#include -+#include -+#include -+ - char *xstrdup(const char *s); - void usage(void); -+int get_first_ethernet(char **_r); - - void die(int status) - { -@@ -681,8 +686,15 @@ int main(int argc, char *argv[]) - } - - /* default interface name */ -- if (!conn->ifName) -- conn->ifName = strdup("eth0"); -+ if (!conn->ifName) { -+ char *eth_dev; -+ if (get_first_ethernet(ð_dev) < 0) { -+ fprintf(stderr, "No ethernet device on the host.\n"); -+ exit(1); -+ } -+ conn->ifName = eth_dev; -+ } -+ - - conn->discoverySocket = -1; - conn->sessionSocket = -1; -@@ -722,3 +734,104 @@ void usage(void) - " -h -- Print usage information.\n"); - fprintf(stderr, "\nVersion " RP_VERSION "\n"); - } -+ -+/* -+ * get_first_ethernet - return the name of the first ethernet-style -+ * interface on this system. -+ */ -+int -+get_first_ethernet(char **_r) -+{ -+ int r = 0; -+ DIR *d = NULL; -+ struct dirent *entry = NULL; -+ struct udev *udev = NULL; -+ struct udev_device *dev = NULL; -+ char *eth_dev = NULL; -+ -+ d = opendir("/sys/class/net"); -+ if (!d) { -+ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); -+ r = -errno; -+ goto fail; -+ } -+ -+ udev = udev_new(); -+ if (!udev) { -+ fprintf(stderr, "Failed to talk to systemd-udevd\n"); -+ r = -EIO; -+ goto fail; -+ } -+ -+ while ((entry = readdir(d)) != NULL) { -+ char syspath[PATH_MAX] = {}; -+ const char *type = NULL; -+ -+ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) -+ continue; -+ -+ sprintf(syspath, "/sys/class/net/%s", entry->d_name); -+ -+ dev = udev_device_new_from_syspath(udev, syspath); -+ if (!dev) -+ continue; -+ -+ type = udev_device_get_sysattr_value(dev, "type"); -+ if (strcmp(type, "1") == 0) { -+ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; -+ -+ pci_dev_subclass = udev_device_get_property_value(dev, -+ "ID_PCI_SUBCLASS_FROM_DATABASE"); -+ usb_dev_subclass = udev_device_get_property_value(dev, -+ "ID_USB_SUBCLASS_FROM_DATABASE"); -+ -+ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || -+ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || -+ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { -+ char *d = NULL; -+ -+ d = strdup(entry->d_name); -+ if (!d) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ -+ free(eth_dev); -+ eth_dev = d; -+ break; -+ } else if (!eth_dev) { -+ eth_dev = strdup(entry->d_name); -+ if (!eth_dev) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ } -+ } -+ -+ udev_device_unref(dev); -+ dev = NULL; -+ } -+ -+ if (dev) -+ udev_device_unref(dev); -+ udev_unref(udev); -+ closedir(d); -+ -+ *_r = eth_dev; -+ -+ return 0; -+ -+fail: -+ if (dev) -+ udev_device_unref(dev); -+ -+ if (udev) -+ udev_unref(udev); -+ -+ if (d) -+ closedir(d); -+ -+ free(eth_dev); -+ -+ return r; -+} -diff --git a/pppd/pppd.h b/pppd/pppd.h -index de271c1..aaddba1 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -691,7 +691,7 @@ int sipxfaddr __P((int, unsigned long, unsigned char *)); - int cipxfaddr __P((int)); - #endif - int get_if_hwaddr __P((u_char *addr, char *name)); --char *get_first_ethernet __P((void)); -+int get_first_ethernet __P((char **_r)); - - /* Procedures exported from options.c */ - int setipaddr __P((char *, char **, int)); /* Set local/remote ip addresses */ -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 0690019..ec09c50 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -92,6 +92,9 @@ - #include - #include - #include -+#include -+ -+#include - - /* This is in netdevice.h. However, this compile will fail miserably if - you attempt to include netdevice.h because it has so many references -@@ -1873,10 +1876,101 @@ get_if_hwaddr(u_char *addr, char *name) - * get_first_ethernet - return the name of the first ethernet-style - * interface on this system. - */ --char * --get_first_ethernet() --{ -- return "eth0"; -+int -+get_first_ethernet(char **_r) -+{ -+ int r = 0; -+ DIR *d = NULL; -+ struct dirent *entry = NULL; -+ struct udev *udev = NULL; -+ struct udev_device *dev = NULL; -+ char *eth_dev = NULL; -+ -+ d = opendir("/sys/class/net"); -+ if (!d) { -+ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); -+ r = -errno; -+ goto fail; -+ } -+ -+ udev = udev_new(); -+ if (!udev) { -+ fprintf(stderr, "Failed to talk to systemd-udevd\n"); -+ r = -EIO; -+ goto fail; -+ } -+ -+ while ((entry = readdir(d)) != NULL) { -+ char syspath[PATH_MAX] = {}; -+ const char *type = NULL; -+ -+ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) -+ continue; -+ -+ sprintf(syspath, "/sys/class/net/%s", entry->d_name); -+ -+ dev = udev_device_new_from_syspath(udev, syspath); -+ if (!dev) -+ continue; -+ -+ type = udev_device_get_sysattr_value(dev, "type"); -+ if (strcmp(type, "1") == 0) { -+ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; -+ -+ pci_dev_subclass = udev_device_get_property_value(dev, -+ "ID_PCI_SUBCLASS_FROM_DATABASE"); -+ usb_dev_subclass = udev_device_get_property_value(dev, -+ "ID_USB_SUBCLASS_FROM_DATABASE"); -+ -+ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || -+ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || -+ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { -+ char *d = NULL; -+ -+ d = strdup(entry->d_name); -+ if (!d) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ -+ free(eth_dev); -+ eth_dev = d; -+ break; -+ } else if (!eth_dev) { -+ eth_dev = strdup(entry->d_name); -+ if (!eth_dev) { -+ r = -ENOMEM; -+ goto fail; -+ } -+ } -+ } -+ -+ udev_device_unref(dev); -+ dev = NULL; -+ } -+ -+ if (dev) -+ udev_device_unref(dev); -+ udev_unref(udev); -+ closedir(d); -+ -+ *_r = eth_dev; -+ -+ return 0; -+ -+fail: -+ if (dev) -+ udev_device_unref(dev); -+ -+ if (udev) -+ udev_unref(udev); -+ -+ if (d) -+ closedir(d); -+ -+ free(eth_dev); -+ -+ return r; - } - - /******************************************************************** -@@ -2859,6 +2953,7 @@ ether_to_eui64(eui64_t *p_eui64) - struct ifreq ifr; - int skfd; - const unsigned char *ptr; -+ char *eth_dev = NULL; - - skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); - if(skfd == -1) -@@ -2867,11 +2962,19 @@ ether_to_eui64(eui64_t *p_eui64) - return 0; - } - -- strcpy(ifr.ifr_name, "eth0"); -+ if (get_first_ethernet(ð_dev) < 0) -+ { -+ warn("no ethernet device present on the host"); -+ return 0; -+ } -+ -+ strcpy(ifr.ifr_name, eth_dev); -+ free(eth_dev); -+ - if(ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0) - { - close(skfd); -- warn("could not obtain hardware address for eth0"); -+ warn("could not obtain hardware address for %s", ifr.ifr_name); - return 0; - } - close(skfd); --- -1.8.3.1 - diff --git a/ppp-2.4.8-ws-2019-workaround.patch b/ppp-2.4.8-ws-2019-workaround.patch deleted file mode 100644 index 837a206..0000000 --- a/ppp-2.4.8-ws-2019-workaround.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 3cd95baf3f1de1d5a9bc89be0f4c3215ceb5aefe Mon Sep 17 00:00:00 2001 -From: yannayl -Date: Sun, 12 Jul 2020 12:12:08 +0300 -Subject: [PATCH] Accept Malformed Windows Success Message - -Windows Server 2019 skip a space when sending a success message. -This commit accepts such a malformed message and continues normally. - -Signed-off-by: Yannay Linveh -Signed-off-by: yannayl ---- - pppd/chap_ms.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c -index 1de50428..ffb6bd13 100644 ---- a/pppd/chap_ms.c -+++ b/pppd/chap_ms.c -@@ -423,6 +423,8 @@ chapms2_check_success(int id, unsigned char *msg, int len) - len -= MS_AUTH_RESPONSE_LENGTH; - if ((len >= 3) && !strncmp((char *)msg, " M=", 3)) { - msg += 3; /* Eat the delimiter */ -+ } else if ((len >= 2) && !strncmp((char *)msg, "M=", 2)) { -+ msg += 2; /* Eat the delimiter */ - } else if (len) { - /* Packet has extra text which does not begin " M=" */ - error("MS-CHAPv2 Success packet is badly formed."); diff --git a/ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch b/ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch similarity index 56% rename from ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch rename to ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch index 2d6bdd6..c2c8cce 100644 --- a/ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +++ b/ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch @@ -1,24 +1,8 @@ -From 69711944745af0078da77e108d30f89fd7e06108 Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 4 Apr 2014 12:01:33 +0200 -Subject: [PATCH 05/27] build-sys: don't hardcode LIBDIR, but set it according - to the target platform - ---- - pppd/Makefile.linux | 3 ++- - pppd/pathnames.h | 2 +- - pppd/plugins/Makefile.linux | 2 +- - pppd/plugins/pppoatm/Makefile.linux | 2 +- - pppd/plugins/pppol2tp/Makefile.linux | 4 ++-- - pppd/plugins/radius/Makefile.linux | 2 +- - pppd/plugins/rp-pppoe/Makefile.linux | 2 +- - 7 files changed, 9 insertions(+), 8 deletions(-) - diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 63872eb..8ed56c1 100644 +index 6a4b897..8f29c1f 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux -@@ -8,6 +8,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ +@@ -12,6 +12,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 INCDIR = $(DESTDIR)/include @@ -26,20 +10,20 @@ index 63872eb..8ed56c1 100644 TARGETS = pppd -@@ -32,7 +33,7 @@ endif +@@ -93,7 +94,7 @@ INCLUDE_DIRS= -I../include - CC = gcc - # --COPTS = -Wall $(RPM_OPT_FLAGS) -+COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" + COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP -pipe - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. +-CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' ++CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' -DLIBDIR=\""$(LIBDIR)"\" + + ifdef CHAPMS + CFLAGS += -DCHAPMS=1 diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index a33f046..a427cb8 100644 +index 524d608..c7eadbb 100644 --- a/pppd/pathnames.h +++ b/pppd/pathnames.h -@@ -57,7 +57,7 @@ +@@ -62,7 +62,7 @@ #ifdef PLUGIN #ifdef __STDC__ @@ -49,24 +33,24 @@ index a33f046..a427cb8 100644 #define _PATH_PLUGIN "/usr/lib/pppd" #endif /* __STDC__ */ diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index e09a369..b474a19 100644 +index 6403e3d..f42d18c 100644 --- a/pppd/plugins/Makefile.linux +++ b/pppd/plugins/Makefile.linux -@@ -7,7 +7,7 @@ INSTALL = install +@@ -5,7 +5,7 @@ COPTS=@CFLAGS@ DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 -LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) -+LIBDIR = $(DESTDIR)/lib/$(shell $(CC) -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) - SUBDIRS := rp-pppoe pppoatm pppol2tp - # Uncomment the next line to include the radius authentication plugin + CFLAGS = $(COPTS) -I.. -I../../include -fPIC + LDFLAGS_SHARED = -shared diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 5a81447..769794b 100644 +index d3a8086..c2aff0c 100644 --- a/pppd/plugins/pppoatm/Makefile.linux +++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -7,7 +7,7 @@ INSTALL = install - #*********************************************************************** +@@ -4,7 +4,7 @@ CC=$(CROSS_COMPILE)@CC@ + COPTS=@CFLAGS@ DESTDIR = $(INSTROOT)@DESTDIR@ -LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) @@ -74,39 +58,11 @@ index 5a81447..769794b 100644 VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index ea3538e..4339566 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -6,8 +6,8 @@ INSTALL = install - - #*********************************************************************** - --DESTDIR = @DESTDIR@ --LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) -+DESTDIR = $(INSTROOT)@DESTDIR@ -+LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) - - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) - -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 45b3b8d..179d0b7 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -5,7 +5,7 @@ - - DESTDIR = $(INSTROOT)@DESTDIR@ - MANDIR = $(DESTDIR)/share/man/man8 --LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) -+LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) - - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) - -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 352991a..1305ed8 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -16,7 +16,7 @@ +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux +index c415ce3..d3b7392 100644 +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux +@@ -18,7 +18,7 @@ COPTS=@CFLAGS@ DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin @@ -115,6 +71,29 @@ index 352991a..1305ed8 100644 PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) --- -1.8.3.1 - +diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux +index 1aa1c0b..e4442f9 100644 +--- a/pppd/plugins/pppol2tp/Makefile.linux ++++ b/pppd/plugins/pppol2tp/Makefile.linux +@@ -4,7 +4,7 @@ CC=$(CROSS_COMPILE)@CC@ + COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)/@DESTDIR@ +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 489aef2..d2ef044 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ b/pppd/plugins/radius/Makefile.linux +@@ -9,7 +9,7 @@ COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + MANDIR = $(DESTDIR)/share/man/man8 +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + diff --git a/ppp-2.4.9-config.patch b/ppp-2.4.9-config.patch new file mode 100644 index 0000000..fc7c781 --- /dev/null +++ b/ppp-2.4.9-config.patch @@ -0,0 +1,21 @@ +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index e77373e..07df6a7 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -68,14 +68,14 @@ USE_TDB=y + #SYSTEMD=y + + HAS_SHADOW=y +-#USE_PAM=y ++USE_PAM=y + HAVE_INET6=y + + # Enable plugins + PLUGIN=y + + # Enable Microsoft proprietary Callback Control Protocol +-#CBCP=y ++CBCP=y + + # Enable EAP SRP-SHA1 authentication (requires libsrp) + #USE_SRP=y diff --git a/ppp-2.4.9-configure-cflags-allow-commas.patch b/ppp-2.4.9-configure-cflags-allow-commas.patch new file mode 100644 index 0000000..5a4ef98 --- /dev/null +++ b/ppp-2.4.9-configure-cflags-allow-commas.patch @@ -0,0 +1,17 @@ +diff --git a/configure b/configure +index f977663..c7031c2 100755 +--- a/configure ++++ b/configure +@@ -121,9 +121,9 @@ mkmkf() { + rm -f $2 + if [ -f $1 ]; then + echo " $2 <= $1" +- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ +- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ +- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 ++ sed -e "s|@DESTDIR@|$DESTDIR|g" -e "s|@SYSCONF@|$SYSCONF|g" \ ++ -e "s|@CROSS_COMPILE@|$CROSS_COMPILE|g" -e "s|@CC@|$CC|g" \ ++ -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2 + fi + } + diff --git a/ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch b/ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch similarity index 99% rename from ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch rename to ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch index 87613af..84a3bdb 100644 --- a/ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch +++ b/ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch @@ -43,8 +43,8 @@ index 6d50d1b..4880377 100644 if (log_to_fd >= 0) errfd = log_to_fd; else -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600); +- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); ++ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644); ++conn_running; pid = safe_fork(in, out, errfd); diff --git a/ppp.spec b/ppp.spec index 537625c..b2c7658 100644 --- a/ppp.spec +++ b/ppp.spec @@ -1,8 +1,8 @@ %global _hardened_build 1 Name: ppp -Version: 2.4.8 -Release: 8%{?dist} +Version: 2.4.9 +Release: 1%{?dist} Summary: The Point-to-Point Protocol daemon License: BSD and LGPLv2+ and GPLv2+ and Public Domain URL: http://www.samba.org/ppp @@ -22,38 +22,22 @@ Source11: ifdown-ppp Source12: ppp-watch.tar.xz # Fedora-specific -Patch0001: 0001-build-sys-use-gcc-as-our-compiler-of-choice.patch -Patch0002: ppp-2.4.8-build-sys-enable-PAM-support.patch -Patch0003: ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch -Patch0004: 0004-doc-add-configuration-samples.patch -Patch0005: ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch -Patch0006: 0006-scritps-use-change_resolv_conf-function.patch -Patch0007: 0007-build-sys-don-t-strip-binaries-during-installation.patch -Patch0008: 0008-build-sys-use-prefix-usr-instead-of-usr-local.patch -Patch0009: ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch -Patch0010: 0010-build-sys-enable-CBCP.patch -Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch -Patch0012: ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch -Patch0013: ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch -Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch -Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch -Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch -Patch0018: 0018-scritps-fix-ip-up.local-sample.patch -Patch0019: ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch -Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch -Patch0021: ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch -Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch -Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch -Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch -Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch -# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.300.patch -Patch0026: ppp-2.4.8-eaptls-mppe-1.300.patch - -Patch0032: ppp-2.4.8-CVE-2020-8597.patch -# rhbz#1612918, https://github.com/paulusmack/ppp/pull/149 -Patch0033: ppp-2.4.8-man-fix.patch -# rhbz#1867047, https://github.com/paulusmack/ppp/commit/3cd95baf3f1de1d5a9bc89be0f4c3215ceb5aefe.patch -Patch0034: ppp-2.4.8-ws-2019-workaround.patch +Patch0002: ppp-2.4.9-config.patch +Patch0004: 0004-doc-add-configuration-samples.patch +Patch0005: ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +Patch0006: 0006-scritps-use-change_resolv_conf-function.patch +Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch +Patch0012: ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch +Patch0013: ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch +Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch +Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch +Patch0018: 0018-scritps-fix-ip-up.local-sample.patch +Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch +Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch +Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch +Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch +Patch0026: ppp-2.4.9-configure-cflags-allow-commas.patch BuildRequires: gcc BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel @@ -93,11 +77,9 @@ This package contains the header files for building plugins for ppp. tar -xJf %{SOURCE12} %build -export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" -export RPM_LD_FLAGS="$LDFLAGS" -%configure -%{make_build} LDFLAGS="%{?build_ldflags}" -%{make_build} -C ppp-watch LDFLAGS="%{?build_ldflags}" +%configure --cflags="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" +%{make_build} LDFLAGS="%{?build_ldflags} -pie" +%{make_build} -C ppp-watch LDFLAGS="%{?build_ldflags} -pie" %install make INSTROOT=%{buildroot} install install-etcppp @@ -188,6 +170,10 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp %doc PLUGINS %changelog +* Tue Jan 5 2021 Jaroslav Škarvada - 2.4.9-1 +- New version + Resolves: rhbz#1912617 + * Mon Aug 10 2020 Jaroslav Škarvada - 2.4.8-8 - Added workaround for Windows Server 2019 Resolves: rhbz#1867047 diff --git a/sources b/sources index f30d28e..db4f244 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ SHA512 (ppp-watch.tar.xz) = aee10735facf918b9a1e33408c9f19d8240c2cd265837da87ac9f58e097eece6bbe1abcaf426e2f10369d1368f6e9e68d2e07d005a19857f17d6318708ec438a -SHA512 (ppp-2.4.8.tar.gz) = a99b3b6c7bd80cd133bda4e29d33c793a76f3b67e1f8db774547e88932ce29564fad390a4f51d3fe30a75e006499b95000b042ae0f64cd360548426f8091a478 +SHA512 (ppp-2.4.9.tar.gz) = c309f8f69f534c05547cd2f66dade0e0f198ea4c2928a7e899e660280786b3e965437a67b8c5bb81c59d0fa1818b4eb7b701d2dce015a420d380422d2bca4e1a