Updated EAP-TLS patch to v1.300

Jaroslav Škarvada 2020-04-07 10:23:05 +02:00
parent ad5e2374cc
commit e4e647d22e
2 changed files with 284 additions and 157 deletions


@ -1,7 +1,7 @@
diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls
diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls
--- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls 2020-04-03 14:02:19.334905035 +0200
@@ -0,0 +1,301 @@
+++ ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls 2020-04-07 10:09:50.565118206 +0200
@@ -0,0 +1,307 @@
+EAP-TLS authentication support for PPP
+======================================
+
@ -296,16 +296,22 @@ diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls
+v1.200 (28-Feb-2020)
+ - First version of patch that was used to create a github PR against the main ppp code base.
+ - Add client-side 'capath' option to allow a directory with trusted CA certificates.
+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or
+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or
+ use the ones supplied by OpenSSL.
+ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp
+ kernel driver does not support MPPE.
+v1.201 (03-Apr-2020)
+ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that
+ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation.
diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client
+v1.300 (03-Apr-2020)
+ - Add (experimental) TLS 1.3 support. This is based on draft-ietf-emu-eap-tls13-05 (expired) and
+ requires OpenSSL 1.1.1+ to be effective.
+ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use
+ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3')
+
diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client
--- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client 2020-04-03 14:02:19.334905035 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,10 @@
+# Parameters for authentication using EAP-TLS (client)
+
@ -317,9 +323,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e
+# client private key file (required)
+
+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server
diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server
--- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server 2020-04-03 14:02:19.334905035 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,11 @@
+# Parameters for authentication using EAP-TLS (server)
+
@ -332,9 +338,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e
+# allowed addresses (required, can be *)
+
+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf
diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf
--- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf 2020-04-03 14:02:19.334905035 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,14 @@
+openssl_conf = openssl_def
+
@ -350,9 +356,9 @@ diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/ope
+MODULE_PATH = /usr/lib64/libeTPkcs11.so
+init = 0
+
diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top
diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top
--- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top 2020-04-03 14:02:19.334905035 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top 2020-04-07 10:09:50.566118204 +0200
@@ -26,7 +26,7 @@
cd pppdump; $(MAKE) $(MFLAGS) install
@ -373,9 +379,9 @@ diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefi
$(BINDIR):
$(INSTALL) -d -m 755 $@
diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux
diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux
--- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux 2020-04-03 14:02:19.335905034 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux 2020-04-07 10:10:01.427104384 +0200
@@ -11,16 +11,16 @@
TARGETS = pppd
@ -458,9 +464,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefi
HEADERS += sha1.h
PPPDOBJS += sha1.o
endif
diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2
diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2
--- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 2020-04-03 14:02:19.335905034 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-04-07 10:09:50.566118204 +0200
@@ -5,10 +5,10 @@
include ../Makedefs.com
@ -497,9 +503,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefil
# Uncomment for CBCP
#CFLAGS += -DCBCP_SUPPORT
diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c
--- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c 2020-04-03 14:02:19.337905032 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c 2020-04-07 10:09:50.567118203 +0200
@@ -113,6 +113,9 @@
#include "upap.h"
#include "chap-new.h"
@ -522,7 +528,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
/* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs,
@@ -241,6 +249,15 @@
@@ -241,6 +249,16 @@
bool explicit_user = 0; /* Set if "user" option supplied */
bool explicit_passwd = 0; /* Set if "password" option supplied */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
@ -533,12 +539,13 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+char *privkey_file = NULL; /* client private key file (pem format) */
+char *crl_dir = NULL; /* directory containing CRL files */
+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */
+char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */
+bool need_peer_eap = 0; /* Require peer to authenticate us */
+#endif
static char *uafname; /* name of most recent +ua file */
@@ -257,6 +274,19 @@
@@ -257,6 +275,19 @@
static int have_chap_secret __P((char *, char *, int, int *));
static int have_srp_secret __P((char *client, char *server, int need_ip,
int *lacks_ipp));
@ -558,7 +565,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
static int scan_authfile __P((FILE *, char *, char *, char *,
struct wordlist **, struct wordlist **,
@@ -404,6 +434,16 @@
@@ -404,6 +435,18 @@
"Set telephone number(s) which are allowed to connect",
OPT_PRIV | OPT_A2LIST },
@ -569,13 +576,15 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
+ { "crl", o_string, &crl_file, "Use specific CRL file" },
+ { "max-tls-version", o_string, &max_tls_version,
+ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" },
+ { "need-peer-eap", o_bool, &need_peer_eap,
+ "Require the peer to authenticate us", 1 },
+#endif /* USE_EAPTLS */
{ NULL }
};
@@ -737,6 +777,9 @@
@@ -737,6 +780,9 @@
lcp_options *wo = &lcp_wantoptions[unit];
lcp_options *go = &lcp_gotoptions[unit];
lcp_options *ho = &lcp_hisoptions[unit];
@ -585,7 +594,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
int i;
struct protent *protp;
@@ -771,6 +814,22 @@
@@ -771,6 +817,22 @@
}
}
@ -608,7 +617,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
new_phase(PHASE_AUTHENTICATE);
auth = 0;
if (go->neg_eap) {
@@ -1291,6 +1350,15 @@
@@ -1291,6 +1353,15 @@
our_name, 1, &lacks_ip);
}
@ -624,7 +633,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
if (auth_required && !can_auth && noauth_addrs == NULL) {
if (default_auth) {
option_error(
@@ -1345,7 +1413,11 @@
@@ -1345,7 +1416,11 @@
passwd[0] != 0 ||
(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
(explicit_remote? remote_name: NULL), 0, NULL))) ||
@ -637,7 +646,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
hadchap = -1;
if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
@@ -1360,8 +1432,14 @@
@@ -1360,8 +1435,14 @@
!have_chap_secret((explicit_remote? remote_name: NULL), our_name,
1, NULL))) &&
!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
@ -653,7 +662,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
}
@@ -1721,6 +1799,7 @@
@@ -1721,6 +1802,7 @@
}
@ -661,7 +670,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
/*
* get_secret - open the CHAP secret file and return the secret
* for authenticating the given client on the given server.
@@ -2373,3 +2452,345 @@
@@ -2373,3 +2455,345 @@
auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
}
@ -1007,9 +1016,9 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+}
+#endif
+
diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c
diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c
--- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c 2020-04-03 14:02:19.337905032 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c 2020-04-07 10:09:50.567118203 +0200
@@ -539,6 +539,9 @@
if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit];
@ -1045,9 +1054,9 @@ diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c
lcp_close(f->unit, "MPPE required but not available");
return;
}
diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c
diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c
--- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c 2020-04-03 14:02:19.337905032 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c 2020-04-07 10:09:50.567118203 +0200
@@ -36,7 +36,11 @@
#include "chap-new.h"
#include "chap-md5.h"
@ -1060,9 +1069,9 @@ diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c
#define MD5_HASH_SIZE 16
#define MD5_MIN_CHALLENGE 16
diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c
diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c
--- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c 2020-04-03 14:02:19.338905030 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c 2020-04-07 10:09:50.567118203 +0200
@@ -534,7 +534,7 @@
char *username, u_char Challenge[8])
@ -1099,10 +1108,10 @@ diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c
u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c
--- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c 2020-04-03 14:02:19.338905030 +0200
@@ -0,0 +1,1442 @@
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-07 10:09:50.568118202 +0200
@@ -0,0 +1,1560 @@
+/* * eap-tls.c - EAP-TLS implementation for PPP
+ *
+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
@ -1154,11 +1163,32 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#include "lcp.h"
+#include "pathnames.h"
+
+typedef struct pw_cb_data
+{
+ const void *password;
+ const char *prompt_info;
+} PW_CB_DATA;
+
+/* The openssl configuration file and engines can be loaded only once */
+static CONF *ssl_config = NULL;
+static ENGINE *cert_engine = NULL;
+static ENGINE *pkey_engine = NULL;
+
+/* TLSv1.3 do we have a session ticket ? */
+static int have_session_ticket = 0;
+
+int ssl_verify_callback(int, X509_STORE_CTX *);
+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
+ size_t len, SSL * ssl, void *arg);
+int ssl_new_session_cb(SSL *s, SSL_SESSION *sess);
+
+X509 *get_X509_from_file(char *filename);
+int ssl_cmp_certs(char *filename, X509 * a);
+
+#ifdef MPPE
+
+#define EAPTLS_MPPE_KEY_LEN 32
+
+/*
+ * The following stuff is only needed if SSL_export_keying_material() is not available
+ */
@ -1363,21 +1393,35 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+
+#ifdef MPPE
+
+#define EAPTLS_MPPE_KEY_LEN 32
+
+/*
+ * Generate keys according to RFC 2716 and add to reply
+ */
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
+ int client)
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client)
+{
+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN];
+ size_t prf_size = strlen(prf_label);
+ const char *prf_label;
+ size_t prf_size;
+ unsigned char eap_tls13_context[] = { EAPT_TLS };
+ unsigned char *context = NULL;
+ size_t context_len = 0;
+ unsigned char *p;
+
+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1)
+ dbglog("EAP-TLS generating MPPE keys");
+ if (ets->tls_v13)
+ {
+ prf_label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = 1;
+ }
+ else
+ {
+ prf_label = "client EAP encryption";
+ }
+
+ dbglog("EAP-TLS PRF label = %s", prf_label);
+ prf_size = strlen(prf_label);
+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size,
+ context, context_len, 0) != 1)
+ {
+ warn( "EAP-TLS: Failed generating keying material" );
+ return;
@ -1525,13 +1569,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ X509_STORE *certstore;
+ X509_LOOKUP *lookup;
+ X509 *tmp;
+ int ret;
+ int ret;
+#if defined(TLS1_2_VERSION)
+ long tls_version = TLS1_2_VERSION;
+ long tls_version = TLS1_2_VERSION;
+#elif defined(TLS1_1_VERSION)
+ long tls_version = TLS1_1_VERSION;
+ long tls_version = TLS1_1_VERSION;
+#else
+ long tls_version = TLS1_VERSION;
+ long tls_version = TLS1_VERSION;
+#endif
+
+ /*
@ -1781,8 +1825,51 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#endif
+ );
+
+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version);
+ SSL_CTX_set_max_proto_version(ctx, tls_version);
+ /* OpenSSL 1.1.1+ does not include RC4 ciphers by default.
+ * This causes totally obsolete WinXP clients to fail. If you really
+ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and
+ * make sure that you use an OpenSSL that supports them
+
+ SSL_CTX_set_cipher_list(ctx, "RC4");
+ */
+
+
+ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+.
+ * During the initial handshake the server signals to the client early on
+ * that the handshake is finished, even before the client has sent its
+ * credentials to the server. The actual connection (and moment that the
+ * client sends its credentials) only starts after the arrival of the first
+ * session ticket. The 'ssl_new_session_cb' catches this ticket.
+ */
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
+ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);
+
+ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */
+ if (max_tls_version)
+ {
+ if (strncmp(max_tls_version, "1.0", 3) == 0)
+ tls_version = TLS1_VERSION;
+ else if (strncmp(max_tls_version, "1.1", 3) == 0)
+ tls_version = TLS1_1_VERSION;
+ else if (strncmp(max_tls_version, "1.2", 3) == 0)
+#ifdef TLS1_2_VERSION
+ tls_version = TLS1_2_VERSION;
+#else
+ {
+ warn("TLSv1.2 not available. Defaulting to TLSv1.1");
+ tls_version = TLS_1_1_VERSION;
+ }
+#endif
+ else if (strncmp(max_tls_version, "1.3", 3) == 0)
+#ifdef TLS1_3_VERSION
+ tls_version = TLS1_3_VERSION;
+#else
+ warn("TLSv1.3 not available.");
+#endif
+ }
+
+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version);
+ SSL_CTX_set_max_proto_version(ctx, tls_version);
+
+ SSL_CTX_set_verify_depth(ctx, 5);
+ SSL_CTX_set_verify(ctx,
@ -1944,6 +2031,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+
+ SSL_set_accept_state(ets->ssl);
+
+ ets->tls_v13 = 0;
+
+ ets->data = NULL;
+ ets->datalen = 0;
+ ets->alert_sent = 0;
@ -2034,6 +2123,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+
+ SSL_set_connect_state(ets->ssl);
+
+ ets->tls_v13 = 0;
+
+ ets->data = NULL;
+ ets->datalen = 0;
+ ets->alert_sent = 0;
@ -2069,6 +2160,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ free(ets);
+}
+
+
+int eaptls_is_init_finished(struct eaptls_session *ets)
+{
+ if (ets->ssl && SSL_is_init_finished(ets->ssl))
+ {
+ if (ets->tls_v13)
+ return have_session_ticket;
+ else
+ return 1;
+ }
+
+ return 0;
+}
+
+/*
+ * Handle a received packet, reassembling fragmented messages and
+ * passing them to the ssl engine
@ -2189,10 +2294,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+
+ start = *outp;
+
+ if (!ets->data) {
+
+ if (!ets->data)
+ {
+ if(!ets->alert_sent)
+ SSL_read(ets->ssl, fromtls, 65536);
+ {
+ res = SSL_read(ets->ssl, fromtls, 65536);
+ }
+
+ /*
+ * Read from ssl
@ -2435,7 +2542,7 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string, "TLS 1.2");
+ break;
+ default:
+ strcat(string, "Unknown version");
+ sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers);
+ }
+ break;
+
@ -2459,9 +2566,9 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ break;
+
+#ifdef SSL3_RT_INNER_CONTENT_TYPE
+ case SSL3_RT_INNER_CONTENT_TYPE:
+ strcat(string, "InnerContentType (TLS1.3)");
+ break;
+ case SSL3_RT_INNER_CONTENT_TYPE:
+ strcat(string, "InnerContentType (TLS1.3)");
+ break;
+#endif
+
+ case SSL3_RT_HANDSHAKE:
@ -2484,6 +2591,16 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string,"New Session Ticket");
+ break;
+#endif
+#ifdef SSL3_MT_END_OF_EARLY_DATA
+ case SSL3_MT_END_OF_EARLY_DATA:
+ strcat(string,"End of Early Data");
+ break;
+#endif
+#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
+ case SSL3_MT_ENCRYPTED_EXTENSIONS:
+ strcat(string,"Encryped Extensions");
+ break;
+#endif
+ case SSL3_MT_CERTIFICATE:
+ strcat(string,"Certificate");
+ break;
@ -2519,11 +2636,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string, "TLS 1.2");
+ break;
+#ifdef TLS1_3_VERSION
+ case TLS1_3_VERSION:
+ strcat(string, "TLS 1.3 (not supported)");
+ break;
+ case TLS1_3_VERSION:
+ strcat(string, "TLS 1.3 (experimental)");
+ ets->tls_v13 = 1;
+ break;
+#endif
+
+ default:
+ strcat(string, "Unknown version");
+ }
@ -2545,10 +2662,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ dbglog("%s", string);
+}
+
diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+int
+ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
+{
+ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
+ have_session_ticket = 1;
+
+ /* always return success */
+ return 1;
+}
+
diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h
--- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h 2020-04-03 14:02:19.338905030 +0200
@@ -0,0 +1,107 @@
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-07 10:09:50.568118202 +0200
@@ -0,0 +1,96 @@
+/*
+ * eap-tls.h
+ *
@ -2599,11 +2726,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+{
+ u_char *data; /* buffered data */
+ int datalen; /* buffered data len */
+ int offset; /* from where to send */
+ int tlslen; /* total length of tls data */
+ bool frag; /* packet is fragmented */
+ int offset; /* from where to send */
+ int tlslen; /* total length of tls data */
+ bool frag; /* packet is fragmented */
+ bool tls_v13; /* whether we've negotiated TLSv1.3 */
+ SSL_CTX *ctx;
+ SSL *ssl; /* ssl connection */
+ SSL *ssl; /* ssl connection */
+ BIO *from_ssl;
+ BIO *into_ssl;
+ char peer[MAXWORDLEN]; /* peer name */
@ -2612,24 +2740,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+ u_char alert_sent_desc;
+ bool alert_recv;
+ u_char alert_recv_desc;
+ char rtx[65536]; /* retransmission buffer */
+ char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */
+ int rtx_len;
+ int mtu; /* unit mtu */
+};
+
+typedef struct pw_cb_data
+{
+ const void *password;
+ const char *prompt_info;
+} PW_CB_DATA;
+
+
+int ssl_verify_callback(int, X509_STORE_CTX *);
+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
+ size_t len, SSL * ssl, void *arg);
+
+X509 *get_X509_from_file(char *filename);
+int ssl_cmp_certs(char *filename, X509 * a);
+
+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
+ char *certfile, char *peer_certfile, char *privkeyfile);
@ -2637,6 +2752,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+int eaptls_init_ssl_client(eap_state * esp);
+void eaptls_free_session(struct eaptls_session *ets);
+
+int eaptls_is_init_finished(struct eaptls_session *ets);
+
+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
@ -2651,14 +2768,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
+extern int mppe_keys_set;
+
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
+
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client);
+#endif
+
+#endif
diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c
--- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c 2020-04-03 14:02:19.339905029 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c 2020-04-07 10:09:50.569118201 +0200
@@ -43,6 +43,11 @@
* Based on draft-ietf-pppext-eap-srp-03.txt.
*/
@ -2738,7 +2854,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
switch (esp->es_server.ea_state) {
case eapBadAuth:
return;
@@ -561,9 +585,79 @@
@@ -561,9 +585,81 @@
break;
}
#endif /* USE_SRP */
@ -2794,18 +2910,20 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ if(SSL_is_init_finished(ets->ssl))
+ esp->es_server.ea_state = eapTlsRecvClient;
+ else
+ esp->es_server.ea_state = eapTlsRecv;
+ /* JJK Add "TLS empty record" message here ??? */
+ esp->es_server.ea_state = eapTlsRecv;
+ break;
+
+ case eapTlsSendAck:
+ esp->es_server.ea_state = eapTlsRecv;
+ esp->es_server.ea_state = eapTlsRecv;
+ break;
+
+ case eapTlsRecvAck:
+ if (status) {
+ esp->es_server.ea_state = eapBadAuth;
+ break;
+ }
+ if (status)
+ {
+ esp->es_server.ea_state = eapBadAuth;
+ break;
+ }
+
+ esp->es_server.ea_state = eapTlsSend;
+ break;
@ -2818,7 +2936,18 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
case eapSRP1:
#ifdef USE_SRP
ts = (struct t_server *)esp->es_server.ea_session;
@@ -647,10 +741,10 @@
@@ -629,6 +725,10 @@
}
if (esp->es_server.ea_state == eapBadAuth)
eap_send_failure(esp);
+
+#ifdef USE_EAPTLS
+ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state));
+#endif /* USE_EAPTLS */
}
/*
@@ -647,10 +747,10 @@
char *str;
#ifdef USE_SRP
struct t_server *ts;
@ -2831,7 +2960,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
#endif /* USE_SRP */
/* Handle both initial auth and restart */
@@ -717,6 +811,30 @@
@@ -717,6 +817,30 @@
INCPTR(esp->es_server.ea_namelen, outp);
break;
@ -2862,7 +2991,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
#ifdef USE_SRP
case eapSRP1:
PUTCHAR(EAPT_SRP, outp);
@@ -763,8 +881,8 @@
@@ -763,8 +887,8 @@
PUTLONG(SRPVAL_EBIT, outp);
ts = (struct t_server *)esp->es_server.ea_session;
assert(ts != NULL);
@ -2873,7 +3002,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
if (pncrypt_setkey(0)) {
/* Generate pseudonym */
@@ -804,9 +922,9 @@
@@ -804,9 +928,9 @@
/* Set length and pad out to next 20 octet boundary */
i = outp - optr - 1;
*optr = i;
@ -2885,7 +3014,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
*outp++ = drand48() * 0x100;
i++;
}
@@ -822,14 +940,14 @@
@@ -822,14 +946,14 @@
while (optr < outp) {
SHA1Final(dig, &ctxt);
cp = dig;
@ -2903,7 +3032,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
}
}
break;
@@ -903,11 +1021,57 @@
@@ -903,11 +1027,57 @@
eap_server_timeout(arg)
void *arg;
{
@ -2961,7 +3090,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
/* EAP ID number must not change on timeout. */
eap_send_request(esp);
}
@@ -1154,17 +1318,92 @@
@@ -1154,17 +1324,90 @@
PUTCHAR(id, outp);
esp->es_client.ea_id = id;
msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) +
@ -2987,16 +3116,16 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+eap_state *esp;
+u_char id;
+{
+ u_char *outp;
+ int outlen;
+ u_char *outp;
+ int outlen;
+ u_char *lenloc;
+
+ outp = outpacket_buf;
+ outp = outpacket_buf;
+
+ MAKEHEADER(outp, PPP_EAP);
+ MAKEHEADER(outp, PPP_EAP);
+
+ PUTCHAR(EAP_RESPONSE, outp);
+ PUTCHAR(id, outp);
+ PUTCHAR(EAP_RESPONSE, outp);
+ PUTCHAR(id, outp);
+
+ lenloc = outp;
+ INCPTR(2, outp);
@ -3016,7 +3145,6 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
+
+ esp->es_client.ea_id = id;
+
+}
+
+/*
@ -3049,14 +3177,13 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ PUTSHORT(outlen, lenloc);
+
+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
+
+}
+#endif /* USE_EAPTLS */
+
static void
eap_send_nak(esp, id, type)
eap_state *esp;
@@ -1251,8 +1490,8 @@
@@ -1251,8 +1494,8 @@
{
u_char val;
u_char *datp, *digp;
@ -3067,7 +3194,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
int dsize, fd, olen = len;
/*
@@ -1261,21 +1500,21 @@
@@ -1261,21 +1504,21 @@
*/
val = id;
while (len > 0) {
@ -3093,7 +3220,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
*datp++ ^= *digp;
}
@@ -1319,12 +1558,17 @@
@@ -1319,12 +1562,17 @@
char rhostname[256];
MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE];
@ -3113,7 +3240,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
int fd;
#endif /* USE_SRP */
@@ -1455,6 +1699,100 @@
@@ -1455,6 +1703,96 @@
esp->es_client.ea_namelen);
break;
@ -3134,11 +3261,11 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+
+ esp->es_client.ea_using_eaptls = 1;
+
+ if (explicit_remote){
+ esp->es_client.ea_peer = strdup(remote_name);
+ esp->es_client.ea_peerlen = strlen(remote_name);
+ } else
+ esp->es_client.ea_peer = NULL;
+ if (explicit_remote){
+ esp->es_client.ea_peer = strdup(remote_name);
+ esp->es_client.ea_peerlen = strlen(remote_name);
+ } else
+ esp->es_client.ea_peer = NULL;
+
+ /* Init ssl session */
+ if(!eaptls_init_ssl_client(esp)) {
@ -3150,8 +3277,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+
+ ets = esp->es_client.ea_session;
+ eap_tls_response(esp, id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
+ eapTlsRecv);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ break;
+ }
+
@ -3161,8 +3287,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+
+ case eapTlsRecvAck:
+ eap_tls_response(esp, id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
+ eapTlsRecv);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ break;
+
+ case eapTlsRecv:
@ -3186,9 +3311,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ }
+
+ /* Check if TLS handshake is finished */
+ if(SSL_is_init_finished(ets->ssl)){
+ if(eaptls_is_init_finished(ets)) {
+#ifdef MPPE
+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
+ eaptls_gen_mppe_keys(ets, 1);
+#endif
+ eaptls_free_session(ets);
+ eap_tls_sendack(esp, id);
@ -3197,10 +3322,8 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ }
+
+ eap_tls_response(esp,id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
+ eapTlsRecv);
+
+ break;
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ break;
+
+ default:
+ eap_send_nak(esp, id, EAPT_TLS);
@ -3270,6 +3393,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ case eapTlsRecv:
+
+ ets = (struct eaptls_session *) esp->es_server.ea_session;
+
+ eap_figure_next_state(esp,
+ eaptls_receive(esp->es_server.ea_session, inp, len));
+
@ -3288,13 +3412,12 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+
+ case eapTlsRecvClient:
+ /* Receive authentication response from client */
+
+ if (len > 0) {
+ GETCHAR(flags, inp);
+
+ if(len == 1 && !flags) { /* Ack = ok */
+#ifdef MPPE
+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
+ eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 );
+#endif
+ eap_send_success(esp);
+ }
@ -3499,9 +3622,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
return (inp - pstart);
}
+
diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h
diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h
--- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h 2020-04-07 10:09:50.569118201 +0200
@@ -84,6 +84,16 @@
eapClosed, /* Authentication not in use */
eapListen, /* Client ready (and timer running) */
@ -3570,9 +3693,9 @@ diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h
diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h
--- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h 2020-04-07 10:09:50.569118201 +0200
@@ -21,6 +21,13 @@
#define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
@ -3587,9 +3710,9 @@ diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
#define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux
diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux
--- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-04-07 10:09:50.569118201 +0200
@@ -4,6 +4,9 @@
LDFLAGS_SHARED = -shared
INSTALL = install
@ -3600,9 +3723,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/ppp
DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c
diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c
--- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-04-07 10:09:50.569118201 +0200
@@ -107,4 +107,7 @@
{
add_options(options);
@ -3611,9 +3734,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/
+ eaptls_passwd_hook = promptpass;
+#endif
}
diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c
diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c
--- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-04-07 10:09:50.569118201 +0200
@@ -79,4 +79,8 @@
chap_check_hook = pwfd_check;
@ -3623,9 +3746,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/
+ eaptls_passwd_hook = pwfd_passwd;
+#endif
}
diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c
diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c
--- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c 2020-04-03 14:02:19.340905028 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-04-07 10:09:50.569118201 +0200
@@ -31,6 +31,7 @@
*/
@ -3634,9 +3757,9 @@ diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c
#include "pppd.h"
#include "pppcrypt.h"
diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8
diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8
--- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 2020-04-03 14:02:19.341905027 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 2020-04-07 10:09:50.570118199 +0200
@@ -260,6 +260,12 @@
compression in the corresponding direction. Use \fInobsdcomp\fR or
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
@ -3705,22 +3828,23 @@ diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8
.B noauth
Do not require the peer to authenticate itself. This option is
privileged.
diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h
diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h
--- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h 2020-04-03 14:02:19.341905027 +0200
@@ -341,6 +341,11 @@
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h 2020-04-07 10:09:50.570118199 +0200
@@ -341,6 +341,12 @@
extern bool dryrun; /* check everything, print options, exit */
extern int child_wait; /* # seconds to wait for children at end */
+#ifdef USE_EAPTLS
+extern char *crl_dir;
+extern char *crl_file;
+extern char *max_tls_version;
+#endif /* USE_EAPTLS */
+
#ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int maxoctets_dir; /* Direction :
@@ -763,6 +768,10 @@
@@ -763,6 +769,10 @@
extern int (*chap_passwd_hook) __P((char *user, char *passwd));
extern void (*multilink_join_hook) __P((void));
@ -3731,9 +3855,9 @@ diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h
/* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
extern void (*snoop_send_hook) __P((unsigned char *p, int len));
diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c
diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c
--- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c 2020-04-03 14:02:19.341905027 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c 2020-04-07 10:09:50.570118199 +0200
@@ -101,7 +101,7 @@
/* SHA1Init - Initialize new context */
@ -3761,9 +3885,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c
{
u_int32_t i, j;
unsigned char finalcount[8];
diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h
diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h
--- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h 2020-04-03 14:02:19.341905027 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h 2020-04-07 10:09:50.570118199 +0200
@@ -1,11 +1,5 @@
/* sha1.h */
@ -3792,9 +3916,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h
#define __SHA1_INCLUDE_
#endif /* __SHA1_INCLUDE_ */
diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c
diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c
--- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c 2020-04-03 14:02:19.342905025 +0200
+++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-04-07 10:09:50.571118198 +0200
@@ -1550,6 +1550,26 @@
#endif /* defined(INET6) && defined(SOL2) */
}


@ -2,7 +2,7 @@
Name: ppp
Version: 2.4.8
Release: 4%{?dist}
Release: 5%{?dist}
Summary: The Point-to-Point Protocol daemon
License: BSD and LGPLv2+ and GPLv2+ and Public Domain
URL: http://www.samba.org/ppp
@ -46,8 +46,8 @@ Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patc
Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch
# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.201.patch
Patch0026: ppp-2.4.8-eaptls-mppe-1.201.patch
# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.300.patch
Patch0026: ppp-2.4.8-eaptls-mppe-1.300.patch
Patch0032: ppp-2.4.8-CVE-2020-8597.patch
@ -184,6 +184,9 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp
%doc PLUGINS
%changelog
* Tue Apr 7 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.8-5
- Updated EAP-TLS patch to v1.300
* Mon Apr 6 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.8-4
- Updated EAP-TLS patch to v1.201