diff --git a/ppp-2.4.8-eaptls-mppe-1.201.patch b/ppp-2.4.8-eaptls-mppe-1.300.patch
similarity index 90%
rename from ppp-2.4.8-eaptls-mppe-1.201.patch
rename to ppp-2.4.8-eaptls-mppe-1.300.patch
index ca3e872..65b1434 100644
--- a/ppp-2.4.8-eaptls-mppe-1.201.patch
+++ b/ppp-2.4.8-eaptls-mppe-1.300.patch
@@ -1,7 +1,7 @@
-diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls
+diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls
 --- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls 2020-04-03 14:02:19.334905035 +0200
-@@ -0,0 +1,301 @@
++++ ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls 2020-04-07 10:09:50.565118206 +0200
+@@ -0,0 +1,307 @@
 +EAP-TLS authentication support for PPP
 +======================================
 +
@@ -296,16 +296,22 @@ diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls +v1.200 (28-Feb-2020) + - First version of patch that was used to create a github PR against the main ppp code base. + - Add client-side 'capath' option to allow a directory with trusted CA certificates. -+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or ++ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or + use the ones supplied by OpenSSL. + - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp + kernel driver does not support MPPE. +v1.201 (03-Apr-2020) + - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that + you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. -diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client ++v1.300 (03-Apr-2020) ++ - Add (experimental) TLS 1.3 support. This is based on draft-ietf-emu-eap-tls13-05 (expired) and ++ requires OpenSSL 1.1.1+ to be effective. ++ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use ++ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3') ++ +diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client --- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client 2020-04-03 14:02:19.334905035 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,10 @@ +# Parameters for authentication using EAP-TLS (client) + 
@@ -317,9 +323,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e +# client private key file (required) + +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server +diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server --- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server 2020-04-03 14:02:19.334905035 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,11 @@ +# Parameters for authentication using EAP-TLS (server) + @@ -332,9 +338,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e +# allowed addresses (required, can be *) + +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf +diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf --- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf 2020-04-03 14:02:19.334905035 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,14 @@ +openssl_conf = openssl_def + 
@@ -350,9 +356,9 @@ diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/ope +MODULE_PATH = /usr/lib64/libeTPkcs11.so +init = 0 + -diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top +diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top --- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top 2020-04-03 14:02:19.334905035 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top 2020-04-07 10:09:50.566118204 +0200 @@ -26,7 +26,7 @@ cd pppdump; $(MAKE) $(MFLAGS) install @@ -373,9 +379,9 @@ diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefi $(BINDIR): $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux +diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux --- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux 2020-04-03 14:02:19.335905034 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux 2020-04-07 10:10:01.427104384 +0200 @@ -11,16 +11,16 @@ TARGETS = pppd @@ -458,9 +464,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefi HEADERS += sha1.h PPPDOBJS += sha1.o endif -diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 +diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 --- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 2020-04-03 14:02:19.335905034 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-04-07 10:09:50.566118204 +0200 @@ -5,10 +5,10 @@ include ../Makedefs.com 
@@ -497,9 +503,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefil # Uncomment for CBCP #CFLAGS += -DCBCP_SUPPORT -diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c +diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c --- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c 2020-04-03 14:02:19.337905032 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c 2020-04-07 10:09:50.567118203 +0200 @@ -113,6 +113,9 @@ #include "upap.h" #include "chap-new.h" @@ -522,7 +528,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c /* Hook for a plugin to say whether it is OK if the peer refuses to authenticate. */ int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -241,6 +249,15 @@ +@@ -241,6 +249,16 @@ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ @@ -533,12 +539,13 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c +char *privkey_file = NULL; /* client private key file (pem format) */ +char *crl_dir = NULL; /* directory containing CRL files */ +char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ ++char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ +bool need_peer_eap = 0; /* Require peer to authenticate us */ +#endif static char *uafname; /* name of most recent +ua file */ -@@ -257,6 +274,19 @@ +@@ -257,6 +275,19 @@ static int have_chap_secret __P((char *, char *, int, int *)); static int have_srp_secret __P((char *client, char *server, int need_ip, int *lacks_ipp)); 
@@ -558,7 +565,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, struct wordlist **, -@@ -404,6 +434,16 @@ +@@ -404,6 +435,18 @@ "Set telephone number(s) which are allowed to connect", OPT_PRIV | OPT_A2LIST }, @@ -569,13 +576,15 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c + { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, + { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, + { "crl", o_string, &crl_file, "Use specific CRL file" }, ++ { "max-tls-version", o_string, &max_tls_version, ++ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, + { "need-peer-eap", o_bool, &need_peer_eap, + "Require the peer to authenticate us", 1 }, +#endif /* USE_EAPTLS */ { NULL } }; -@@ -737,6 +777,9 @@ +@@ -737,6 +780,9 @@ lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; @@ -585,7 +594,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c int i; struct protent *protp; -@@ -771,6 +814,22 @@ +@@ -771,6 +817,22 @@ } } @@ -608,7 +617,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c new_phase(PHASE_AUTHENTICATE); auth = 0; if (go->neg_eap) { -@@ -1291,6 +1350,15 @@ +@@ -1291,6 +1353,15 @@ our_name, 1, &lacks_ip); } @@ -624,7 +633,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c if (auth_required && !can_auth && noauth_addrs == NULL) { if (default_auth) { option_error( -@@ -1345,7 +1413,11 @@ +@@ -1345,7 +1416,11 @@ passwd[0] != 0 || (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL))) || 
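Review bot: The new `max-tls-version` entry is the one knob in this table that can weaken the TLS negotiation (a value of `1.0` caps the handshake at TLSv1.0 in eaptls_init_ssl), yet it carries no option flags, unlike `allow-number` just above it which is `OPT_PRIV | OPT_A2LIST`. If protocol-version policy is meant to stay with the administrator, `{ "max-tls-version", o_string, &max_tls_version, "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)", OPT_PRIV },` keeps an unprivileged ~/.ppprc or command line from downgrading it. The neighbouring EAP-TLS options (`ca`, `cert`, `key`, `crl`) are also unflagged, so this may be deliberate; a one-line comment saying so would settle it. The value is also not validated at parse time: anything other than the four listed strings is accepted here and only looked at later in eaptls_init_ssl.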
@@ -637,7 +646,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c hadchap = -1; if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1360,8 +1432,14 @@ +@@ -1360,8 +1435,14 @@ !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, NULL))) && !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, @@ -653,7 +662,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c } -@@ -1721,6 +1799,7 @@ +@@ -1721,6 +1802,7 @@ } @@ -661,7 +670,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c /* * get_secret - open the CHAP secret file and return the secret * for authenticating the given client on the given server. -@@ -2373,3 +2452,345 @@ +@@ -2373,3 +2455,345 @@ auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); } @@ -1007,9 +1016,9 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c +} +#endif + -diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c +diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c --- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c 2020-04-03 14:02:19.337905032 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c 2020-04-07 10:09:50.567118203 +0200 @@ -539,6 +539,9 @@ if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; @@ -1045,9 +1054,9 @@ diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c lcp_close(f->unit, "MPPE required but not available"); return; } -diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c +diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c --- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c 2020-04-03 14:02:19.337905032 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c 2020-04-07 10:09:50.567118203 +0200 
@@ -36,7 +36,11 @@ #include "chap-new.h" #include "chap-md5.h" @@ -1060,9 +1069,9 @@ diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c #define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c +diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c --- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c 2020-04-03 14:02:19.338905030 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c 2020-04-07 10:09:50.567118203 +0200 @@ -534,7 +534,7 @@ char *username, u_char Challenge[8]) @@ -1099,10 +1108,10 @@ diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ -diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c +diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c --- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c 2020-04-03 14:02:19.338905030 +0200 -@@ -0,0 +1,1442 @@ ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-07 10:09:50.568118202 +0200 +@@ -0,0 +1,1560 @@ +/* * eap-tls.c - EAP-TLS implementation for PPP + * + * Copyright (c) Beniamino Galvani 2005 All rights reserved. 
@@ -1154,11 +1163,32 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c +#include "lcp.h" +#include "pathnames.h" + ++typedef struct pw_cb_data ++{ ++ const void *password; ++ const char *prompt_info; ++} PW_CB_DATA; ++ +/* The openssl configuration file and engines can be loaded only once */ +static CONF *ssl_config = NULL; +static ENGINE *cert_engine = NULL; +static ENGINE *pkey_engine = NULL; + ++/* TLSv1.3 do we have a session ticket ? */ ++static int have_session_ticket = 0; ++ ++int ssl_verify_callback(int, X509_STORE_CTX *); ++void ssl_msg_callback(int write_p, int version, int ct, const void *buf, ++ size_t len, SSL * ssl, void *arg); ++int ssl_new_session_cb(SSL *s, SSL_SESSION *sess); ++ ++X509 *get_X509_from_file(char *filename); ++int ssl_cmp_certs(char *filename, X509 * a); ++ ++#ifdef MPPE ++ ++#define EAPTLS_MPPE_KEY_LEN 32 ++ +/* + * The following stuff is only needed if SSL_export_keying_material() is not available + */ 
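Review bot: `have_session_ticket` is a file-scope static, but it records per-handshake state: the visible hunks set it to 1 in ssl_new_session_cb and never clear it, whereas the matching `tls_v13` flag introduced by this same patch lives in `struct eaptls_session` and is reset to 0 in eaptls_init_ssl_server/client. A second handshake in the same pppd process (an EAP restart, or a server child handling a retry) would therefore start with the ticket already "received", and eaptls_is_init_finished could report completion before the server has accepted the client certificate, which per the comment in eaptls_init_ssl is exactly what the ticket is meant to signal. Move it beside `tls_v13` as `bool have_session_ticket; /* TLSv1.3: NewSessionTicket received after handshake */` and reach the session from the callback via `SSL_set_app_data`/`SSL_get_app_data`, or at minimum reset it wherever `ets->tls_v13 = 0` is set.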
@@ -1363,21 +1393,35 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + + -+#ifdef MPPE -+ -+#define EAPTLS_MPPE_KEY_LEN 32 -+ +/* + * Generate keys according to RFC 2716 and add to reply + */ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, -+ int client) ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client) +{ + unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; -+ size_t prf_size = strlen(prf_label); ++ const char *prf_label; ++ size_t prf_size; ++ unsigned char eap_tls13_context[] = { EAPT_TLS }; ++ unsigned char *context = NULL; ++ size_t context_len = 0; + unsigned char *p; + -+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) ++ dbglog("EAP-TLS generating MPPE keys"); ++ if (ets->tls_v13) ++ { ++ prf_label = "EXPORTER_EAP_TLS_Key_Material"; ++ context = eap_tls13_context; ++ context_len = 1; ++ } ++ else ++ { ++ prf_label = "client EAP encryption"; ++ } ++ ++ dbglog("EAP-TLS PRF label = %s", prf_label); ++ prf_size = strlen(prf_label); ++ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, ++ context, context_len, 0) != 1) + { + warn( "EAP-TLS: Failed generating keying material" ); + return; @@ -1525,13 +1569,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + X509_STORE *certstore; + X509_LOOKUP *lookup; + X509 *tmp; -+ int ret; ++ int ret; +#if defined(TLS1_2_VERSION) -+ long tls_version = TLS1_2_VERSION; ++ long tls_version = TLS1_2_VERSION; +#elif defined(TLS1_1_VERSION) -+ long tls_version = TLS1_1_VERSION; ++ long tls_version = TLS1_1_VERSION; +#else -+ long tls_version = TLS1_VERSION; ++ long tls_version = TLS1_VERSION; +#endif + + /* 
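Review bot: In the TLSv1.3 branch the Type-Code context is built (`eap_tls13_context`, length 1) and then discarded, because the final `use_context` argument to `SSL_export_keying_material` is still `0`; OpenSSL ignores `context`/`context_len` when that flag is zero, so the exported key material is not the `TLS-Exporter("EXPORTER_EAP_TLS_Key_Material", 0x0D, ...)` value the draft specifies and will not match a conforming peer. Two endpoints both running this patch derive the same (wrong) keys, which would hide the bug in testing. Pass the flag together with the context: `context, context_len, ets->tls_v13 ? 1 : 0) != 1)`. The TLSv1.2 branch is unaffected since RFC 5216 uses no context.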
@@ -1781,8 +1825,51 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c +#endif + ); + -+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); -+ SSL_CTX_set_max_proto_version(ctx, tls_version); ++ /* OpenSSL 1.1.1+ does not include RC4 ciphers by default. ++ * This causes totally obsolete WinXP clients to fail. If you really ++ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and ++ * make sure that you use an OpenSSL that supports them ++ ++ SSL_CTX_set_cipher_list(ctx, "RC4"); ++ */ ++ ++ ++ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+. ++ * During the initial handshake the server signals to the client early on ++ * that the handshake is finished, even before the client has sent its ++ * credentials to the server. The actual connection (and moment that the ++ * client sends its credentials) only starts after the arrival of the first ++ * session ticket. The 'ssl_new_session_cb' catches this ticket. ++ */ ++ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); ++ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb); ++ ++ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */ ++ if (max_tls_version) ++ { ++ if (strncmp(max_tls_version, "1.0", 3) == 0) ++ tls_version = TLS1_VERSION; ++ else if (strncmp(max_tls_version, "1.1", 3) == 0) ++ tls_version = TLS1_1_VERSION; ++ else if (strncmp(max_tls_version, "1.2", 3) == 0) ++#ifdef TLS1_2_VERSION ++ tls_version = TLS1_2_VERSION; ++#else ++ { ++ warn("TLSv1.2 not available. 
Defaulting to TLSv1.1"); ++ tls_version = TLS_1_1_VERSION; ++ } ++#endif ++ else if (strncmp(max_tls_version, "1.3", 3) == 0) ++#ifdef TLS1_3_VERSION ++ tls_version = TLS1_3_VERSION; ++#else ++ warn("TLSv1.3 not available."); ++#endif ++ } ++ ++ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); ++ SSL_CTX_set_max_proto_version(ctx, tls_version); + + SSL_CTX_set_verify_depth(ctx, 5); + SSL_CTX_set_verify(ctx, @@ -1944,6 +2031,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + + SSL_set_accept_state(ets->ssl); + ++ ets->tls_v13 = 0; ++ + ets->data = NULL; + ets->datalen = 0; + ets->alert_sent = 0; @@ -2034,6 +2123,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + + SSL_set_connect_state(ets->ssl); + ++ ets->tls_v13 = 0; ++ + ets->data = NULL; + ets->datalen = 0; + ets->alert_sent = 0; @@ -2069,6 +2160,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + free(ets); +} + ++ ++int eaptls_is_init_finished(struct eaptls_session *ets) ++{ ++ if (ets->ssl && SSL_is_init_finished(ets->ssl)) ++ { ++ if (ets->tls_v13) ++ return have_session_ticket; ++ else ++ return 1; ++ } ++ ++ return 0; ++} ++ +/* + * Handle a received packet, reassembling fragmented messages and + * passing them to the ssl engine @@ -2189,10 +2294,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + + start = *outp; + -+ if (!ets->data) { -+ ++ if (!ets->data) ++ { + if(!ets->alert_sent) -+ SSL_read(ets->ssl, fromtls, 65536); ++ { ++ res = SSL_read(ets->ssl, fromtls, 65536); ++ } + + /* + * Read from ssl @@ -2435,7 +2542,7 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + strcat(string, "TLS 1.2"); + break; + default: -+ strcat(string, "Unknown version"); ++ sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers); + } + break; + 
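Review bot: The TLSv1.2-unavailable fallback assigns `TLS_1_1_VERSION`, which is not an OpenSSL identifier (the constant used two lines earlier is `TLS1_1_VERSION`), so that branch fails to compile on precisely the build it exists for; change it to `tls_version = TLS1_1_VERSION;`. The chain also has no trailing `else`, so any other string (`1.4`, `tls1.2`, a typo) is silently ignored and the compiled-in ceiling is used; add `else warn("EAP-TLS: unknown max-tls-version '%s', using default", max_tls_version);` so an operator can see their policy did not take effect. Only the ceiling is set in this hunk and nothing here sets a minimum, so `max-tls-version 1.0` yields a TLSv1.0-only negotiation — worth stating in the option's documentation if intended. eaptls_init_ssl begins before this hunk and continues after it.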
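Review bot: The default branch changes from `strcat(string, ...)` to `sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers);`, which rewrites the whole buffer and hard-codes the prefix that the other branches rely on having been appended earlier, so the two will drift if that prefix is ever changed. `string`'s declaration is outside the hunk; if it is a fixed-size array, `snprintf(string, sizeof(string), ...)` keeps the write bounded, and keeping the append style is also possible: `char tmp[32]; snprintf(tmp, sizeof(tmp), "Unknown version (%d)", hvers); strcat(string, tmp);`.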
@@ -2459,9 +2566,9 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + break; + +#ifdef SSL3_RT_INNER_CONTENT_TYPE -+ case SSL3_RT_INNER_CONTENT_TYPE: -+ strcat(string, "InnerContentType (TLS1.3)"); -+ break; ++ case SSL3_RT_INNER_CONTENT_TYPE: ++ strcat(string, "InnerContentType (TLS1.3)"); ++ break; +#endif + + case SSL3_RT_HANDSHAKE: @@ -2484,6 +2591,16 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + strcat(string,"New Session Ticket"); + break; +#endif ++#ifdef SSL3_MT_END_OF_EARLY_DATA ++ case SSL3_MT_END_OF_EARLY_DATA: ++ strcat(string,"End of Early Data"); ++ break; ++#endif ++#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS ++ case SSL3_MT_ENCRYPTED_EXTENSIONS: ++ strcat(string,"Encryped Extensions"); ++ break; ++#endif + case SSL3_MT_CERTIFICATE: + strcat(string,"Certificate"); + break; @@ -2519,11 +2636,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + strcat(string, "TLS 1.2"); + break; +#ifdef TLS1_3_VERSION -+ case TLS1_3_VERSION: -+ strcat(string, "TLS 1.3 (not supported)"); -+ break; ++ case TLS1_3_VERSION: ++ strcat(string, "TLS 1.3 (experimental)"); ++ ets->tls_v13 = 1; ++ break; +#endif -+ + default: + strcat(string, "Unknown version"); + } 
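Review bot: The new `SSL3_MT_ENCRYPTED_EXTENSIONS` case logs `"Encryped Extensions"`; the TLS 1.3 message is named "Encrypted Extensions", so `strcat(string,"Encrypted Extensions");`. The string only reaches dbglog, but anyone grepping traces for the message name will miss it.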
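Review bot: `ets->tls_v13 = 1;` makes ssl_msg_callback — a logging hook — the place where the negotiated protocol version is decided, from the `version` field of one observed message; the authoritative value is `SSL_version(ets->ssl) == TLS1_3_VERSION`, which eaptls_is_init_finished can query itself once `SSL_is_init_finished` is true. As written, both the exporter label chosen in eaptls_gen_mppe_keys and the ticket wait depend on this debug callback staying installed unconditionally: if it is ever gated on `debug`, `tls_v13` stays 0, the TLSv1.2 label is used under TLSv1.3 and the wait is skipped. Suggest `ets->tls_v13 = (SSL_version(ets->ssl) == TLS1_3_VERSION);` at the point the handshake completes and leaving the callback read-only; how `ets` reaches this callback is not visible in the hunk.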
@@ -2545,10 +2662,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c + dbglog("%s", string); +} + -diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h ++int ++ssl_new_session_cb(SSL *s, SSL_SESSION *sess) ++{ ++ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:"); ++ have_session_ticket = 1; ++ ++ /* always return success */ ++ return 1; ++} ++ +diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h --- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h 2020-04-03 14:02:19.338905030 +0200 -@@ -0,0 +1,107 @@ ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-07 10:09:50.568118202 +0200 +@@ -0,0 +1,96 @@ +/* + * eap-tls.h + * @@ -2599,11 +2726,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h +{ + u_char *data; /* buffered data */ + int datalen; /* buffered data len */ -+ int offset; /* from where to send */ -+ int tlslen; /* total length of tls data */ -+ bool frag; /* packet is fragmented */ ++ int offset; /* from where to send */ ++ int tlslen; /* total length of tls data */ ++ bool frag; /* packet is fragmented */ ++ bool tls_v13; /* whether we've negotiated TLSv1.3 */ + SSL_CTX *ctx; -+ SSL *ssl; /* ssl connection */ ++ SSL *ssl; /* ssl connection */ + BIO *from_ssl; + BIO *into_ssl; + char peer[MAXWORDLEN]; /* peer name */ 
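Review bot: Returning 1 from an SSL_CTX_sess_set_new_cb callback tells OpenSSL that the application has taken ownership of `sess` and will call SSL_SESSION_free itself; this callback stores no pointer, so every NewSessionTicket (a TLSv1.3 server may send several per handshake) leaks an SSL_SESSION. Since the callback only needs to observe the event, let the library keep its reference: replace `/* always return success */ return 1;` with `/* 0: we hold no reference, OpenSSL frees the session */ return 0;`. The dbglog message also ends with a colon that nothing follows.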
@@ -2612,24 +2740,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h + u_char alert_sent_desc; + bool alert_recv; + u_char alert_recv_desc; -+ char rtx[65536]; /* retransmission buffer */ ++ char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */ + int rtx_len; + int mtu; /* unit mtu */ +}; + -+typedef struct pw_cb_data -+{ -+ const void *password; -+ const char *prompt_info; -+} PW_CB_DATA; -+ -+ -+int ssl_verify_callback(int, X509_STORE_CTX *); -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf, -+ size_t len, SSL * ssl, void *arg); -+ -+X509 *get_X509_from_file(char *filename); -+int ssl_cmp_certs(char *filename, X509 * a); + +SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, + char *certfile, char *peer_certfile, char *privkeyfile); @@ -2637,6 +2752,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h +int eaptls_init_ssl_client(eap_state * esp); +void eaptls_free_session(struct eaptls_session *ets); + ++int eaptls_is_init_finished(struct eaptls_session *ets); ++ +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); +int eaptls_send(struct eaptls_session *ets, u_char ** outp); +void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); 
@@ -2651,14 +2768,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h +extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; +extern int mppe_keys_set; + -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); -+ ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client); +#endif + +#endif -diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c +diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c --- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c 2020-04-03 14:02:19.339905029 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c 2020-04-07 10:09:50.569118201 +0200 @@ -43,6 +43,11 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ @@ -2738,7 +2854,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c switch (esp->es_server.ea_state) { case eapBadAuth: return; -@@ -561,9 +585,79 @@ +@@ -561,9 +585,81 @@ break; } #endif /* USE_SRP */ @@ -2794,18 +2910,20 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + if(SSL_is_init_finished(ets->ssl)) + esp->es_server.ea_state = eapTlsRecvClient; + else -+ esp->es_server.ea_state = eapTlsRecv; ++ /* JJK Add "TLS empty record" message here ??? */ ++ esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsSendAck: -+ esp->es_server.ea_state = eapTlsRecv; ++ esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsRecvAck: -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } ++ if (status) ++ { ++ esp->es_server.ea_state = eapBadAuth; ++ break; ++ } + + esp->es_server.ea_state = eapTlsSend; + break; 
@@ -2818,7 +2936,18 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; -@@ -647,10 +741,10 @@ +@@ -629,6 +725,10 @@ + } + if (esp->es_server.ea_state == eapBadAuth) + eap_send_failure(esp); ++ ++#ifdef USE_EAPTLS ++ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); ++#endif /* USE_EAPTLS */ + } + + /* +@@ -647,10 +747,10 @@ char *str; #ifdef USE_SRP struct t_server *ts; @@ -2831,7 +2960,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c #endif /* USE_SRP */ /* Handle both initial auth and restart */ -@@ -717,6 +811,30 @@ +@@ -717,6 +817,30 @@ INCPTR(esp->es_server.ea_namelen, outp); break; @@ -2862,7 +2991,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); -@@ -763,8 +881,8 @@ +@@ -763,8 +887,8 @@ PUTLONG(SRPVAL_EBIT, outp); ts = (struct t_server *)esp->es_server.ea_session; assert(ts != NULL); @@ -2873,7 +3002,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c if (pncrypt_setkey(0)) { /* Generate pseudonym */ -@@ -804,9 +922,9 @@ +@@ -804,9 +928,9 @@ /* Set length and pad out to next 20 octet boundary */ i = outp - optr - 1; *optr = i; @@ -2885,7 +3014,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c *outp++ = drand48() * 0x100; i++; } -@@ -822,14 +940,14 @@ +@@ -822,14 +946,14 @@ while (optr < outp) { SHA1Final(dig, &ctxt); cp = dig; @@ -2903,7 +3032,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c } } break; -@@ -903,11 +1021,57 @@ +@@ -903,11 +1027,57 @@ eap_server_timeout(arg) void *arg; { 
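Review bot: The server-side eapTlsSend case ships with `/* JJK Add "TLS empty record" message here ??? */`, an unresolved developer question in release code, placed between `else` and its single statement so it reads like the else body. Either resolve it or make it actionable, e.g. `/* TODO(eaptls13): check whether a commitment record is needed here before entering eapTlsRecv */`, and move it above the `if`. This path also still decides completion with `SSL_is_init_finished(ets->ssl)` while the client path in this patch switched to eaptls_is_init_finished(); if the server deliberately does not wait for a ticket (it is the side that sends them), a one-line comment saying so would spare the next reader the same question. The enclosing switch begins before this hunk.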
@@ -2961,7 +3090,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c /* EAP ID number must not change on timeout. */ eap_send_request(esp); } -@@ -1154,17 +1318,92 @@ +@@ -1154,17 +1324,90 @@ PUTCHAR(id, outp); esp->es_client.ea_id = id; msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + @@ -2987,16 +3116,16 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c +eap_state *esp; +u_char id; +{ -+ u_char *outp; -+ int outlen; ++ u_char *outp; ++ int outlen; + u_char *lenloc; + -+ outp = outpacket_buf; ++ outp = outpacket_buf; + -+ MAKEHEADER(outp, PPP_EAP); ++ MAKEHEADER(outp, PPP_EAP); + -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); ++ PUTCHAR(EAP_RESPONSE, outp); ++ PUTCHAR(id, outp); + + lenloc = outp; + INCPTR(2, outp); @@ -3016,7 +3145,6 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); + + esp->es_client.ea_id = id; -+ +} + +/* @@ -3049,14 +3177,13 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + PUTSHORT(outlen, lenloc); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ +} +#endif /* USE_EAPTLS */ + static void eap_send_nak(esp, id, type) eap_state *esp; -@@ -1251,8 +1490,8 @@ +@@ -1251,8 +1494,8 @@ { u_char val; u_char *datp, *digp; @@ -3067,7 +3194,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c int dsize, fd, olen = len; /* -@@ -1261,21 +1500,21 @@ +@@ -1261,21 +1504,21 @@ */ val = id; while (len > 0) { @@ -3093,7 +3220,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c *datp++ ^= *digp; } -@@ -1319,12 +1558,17 @@ +@@ -1319,12 +1562,17 @@ char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; @@ -3113,7 +3240,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c int fd; #endif /* USE_SRP */ -@@ -1455,6 +1699,100 @@ +@@ -1455,6 +1703,96 @@ esp->es_client.ea_namelen); break; 
@@ -3134,11 +3261,11 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + + esp->es_client.ea_using_eaptls = 1; + -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; ++ if (explicit_remote){ ++ esp->es_client.ea_peer = strdup(remote_name); ++ esp->es_client.ea_peerlen = strlen(remote_name); ++ } else ++ esp->es_client.ea_peer = NULL; + + /* Init ssl session */ + if(!eaptls_init_ssl_client(esp)) { @@ -3150,8 +3277,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + + ets = esp->es_client.ea_session; + eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + } + @@ -3161,8 +3287,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + + case eapTlsRecvAck: + eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + + case eapTlsRecv: @@ -3186,9 +3311,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + } + + /* Check if TLS handshake is finished */ -+ if(SSL_is_init_finished(ets->ssl)){ ++ if(eaptls_is_init_finished(ets)) { +#ifdef MPPE -+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); ++ eaptls_gen_mppe_keys(ets, 1); +#endif + eaptls_free_session(ets); + eap_tls_sendack(esp, id); @@ -3197,10 +3322,8 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + } + + eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ -+ break; ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); ++ break; + + default: + eap_send_nak(esp, id, EAPT_TLS); 
@@ -3270,6 +3393,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + case eapTlsRecv: + + ets = (struct eaptls_session *) esp->es_server.ea_session; ++ + eap_figure_next_state(esp, + eaptls_receive(esp->es_server.ea_session, inp, len)); + @@ -3288,13 +3412,12 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c + + case eapTlsRecvClient: + /* Receive authentication response from client */ -+ + if (len > 0) { + GETCHAR(flags, inp); + + if(len == 1 && !flags) { /* Ack = ok */ +#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); ++ eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); +#endif + eap_send_success(esp); + } @@ -3499,9 +3622,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c return (inp - pstart); } + -diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h +diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h --- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h 2020-04-07 10:09:50.569118201 +0200 @@ -84,6 +84,16 @@ eapClosed, /* Authentication not in use */ eapListen, /* Client ready (and timer running) */ @@ -3570,9 +3693,9 @@ diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ -diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h +diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h --- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h 2020-04-07 10:09:50.569118201 +0200 
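Review bot: `eaptls_gen_mppe_keys(esp->es_server.ea_session, 0)` is followed unconditionally by `eap_send_success(esp)`, but the function is void and, per its definition in this patch, only warns and returns when SSL_export_keying_material fails; the server thus reports authentication success while holding no MPPE keys, and whether the link is later closed depends on `mppe_keys_set` handling in ccp.c, outside this hunk. A failed export here means the exporter could not run (handshake not truly complete, or a TLSv1.3 flag mismatch), which is an authentication failure, not a warning. Have `eaptls_gen_mppe_keys` return an int and write `if (!eaptls_gen_mppe_keys(esp->es_server.ea_session, 0)) { eap_send_failure(esp); break; }`, or if the signature must stay, test `mppe_keys_set` before sending success. The client-side eapTlsRecv path in this patch has the same pattern.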
@@ -21,6 +21,13 @@ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" @@ -3587,9 +3710,9 @@ diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux +diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux --- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-04-07 10:09:50.569118201 +0200 @@ -4,6 +4,9 @@ LDFLAGS_SHARED = -shared INSTALL = install @@ -3600,9 +3723,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/ppp DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c +diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c --- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-04-07 10:09:50.569118201 +0200 @@ -107,4 +107,7 @@ { add_options(options); 
@@ -3611,9 +3734,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ + eaptls_passwd_hook = promptpass; +#endif } -diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c +diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c --- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-04-07 10:09:50.569118201 +0200 @@ -79,4 +79,8 @@ chap_check_hook = pwfd_check; @@ -3623,9 +3746,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ + eaptls_passwd_hook = pwfd_passwd; +#endif } -diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c +diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c --- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c 2020-04-03 14:02:19.340905028 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-04-07 10:09:50.569118201 +0200 @@ -31,6 +31,7 @@ */ @@ -3634,9 +3757,9 @@ diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c #include "pppd.h" #include "pppcrypt.h" -diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 +diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 --- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 2020-04-03 14:02:19.341905027 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 2020-04-07 10:09:50.570118199 +0200 @@ -260,6 +260,12 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. 
@@ -3705,22 +3828,23 @@ diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 .B noauth Do not require the peer to authenticate itself. This option is privileged. -diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h +diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h --- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h 2020-04-03 14:02:19.341905027 +0200 -@@ -341,6 +341,11 @@ ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h 2020-04-07 10:09:50.570118199 +0200 +@@ -341,6 +341,12 @@ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ +#ifdef USE_EAPTLS +extern char *crl_dir; +extern char *crl_file; ++extern char *max_tls_version; +#endif /* USE_EAPTLS */ + #ifdef MAXOCTETS extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern int maxoctets_dir; /* Direction : -@@ -763,6 +768,10 @@ +@@ -763,6 +769,10 @@ extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern void (*multilink_join_hook) __P((void)); @@ -3731,9 +3855,9 @@ diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h /* Let a plugin snoop sent and received packets. Useful for L2TP */ extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len)); -diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c +diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c --- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c 2020-04-03 14:02:19.341905027 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c 2020-04-07 10:09:50.570118199 +0200 @@ -101,7 +101,7 @@ /* SHA1Init - Initialize new context */ 
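Review bot: `extern char *max_tls_version;` introduces a new user-facing option as a raw string, but the only pppd.8 hunks visible in this update merely re-path the diff headers, so the option appears to go undocumented in the manual page — it should be described there next to the other EAP-TLS options. A comment on the declaration would also help, e.g. `extern char *max_tls_version; /* highest TLS version to negotiate, as given to the max-tls-version option; parsed and validated elsewhere */`. Where the string is parsed and what happens on an unrecognised value is not in this chunk, so I cannot tell whether a bad value is rejected at option-parse time or silently falls back to a default.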
@@ -3761,9 +3885,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c { u_int32_t i, j; unsigned char finalcount[8]; -diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h +diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h --- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h 2020-04-03 14:02:19.341905027 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h 2020-04-07 10:09:50.570118199 +0200 @@ -1,11 +1,5 @@ /* sha1.h */ @@ -3792,9 +3916,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h #define __SHA1_INCLUDE_ #endif /* __SHA1_INCLUDE_ */ -diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c +diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c --- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100 -+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c 2020-04-03 14:02:19.342905025 +0200 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-04-07 10:09:50.571118198 +0200 @@ -1550,6 +1550,26 @@ #endif /* defined(INET6) && defined(SOL2) */ } diff --git a/ppp.spec b/ppp.spec index 320796d..42eb0e7 100644 --- a/ppp.spec +++ b/ppp.spec @@ -2,7 +2,7 @@ Name: ppp Version: 2.4.8 -Release: 4%{?dist} +Release: 5%{?dist} Summary: The Point-to-Point Protocol daemon License: BSD and LGPLv2+ and GPLv2+ and Public Domain URL: http://www.samba.org/ppp 
@@ -46,8 +46,8 @@ Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patc
Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch
-# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.201.patch
-Patch0026: ppp-2.4.8-eaptls-mppe-1.201.patch
+# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.300.patch
+Patch0026: ppp-2.4.8-eaptls-mppe-1.300.patch
Patch0032: ppp-2.4.8-CVE-2020-8597.patch
@@ -184,6 +184,9 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp
%doc PLUGINS
%changelog
+* Tue Apr 7 2020 Jaroslav Škarvada - 2.4.8-5
+- Updated EAP-TLS patch to v1.300
+
* Mon Apr 6 2020 Jaroslav Škarvada - 2.4.8-4
- Updated EAP-TLS patch to v1.201