rpms/ppp
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Updated EAP-TLS patch to v1.300

Browse Source
This commit is contained in:
Jaroslav Škarvada 2020-04-07 10:23:05 +02:00
parent ad5e2374cc
commit e4e647d22e
2 changed files with 284 additions and 157 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

432
ppp-2.4.8-eaptls-mppe-1.201.patch → ppp-2.4.8-eaptls-mppe-1.300.patch
View File

@ -1,7 +1,7 @@
diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls
--- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls 2020-04-03 14:02:19.334905035 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls 2020-04-07 10:09:50.565118206 +0200
@@ -0,0 +1,301 @@ @@ -0,0 +1,307 @@
+EAP-TLS authentication support for PPP +EAP-TLS authentication support for PPP
+====================================== +======================================
+ +
@ -296,16 +296,22 @@ diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls
+v1.200 (28-Feb-2020) +v1.200 (28-Feb-2020)
+ - First version of patch that was used to create a github PR against the main ppp code base. + - First version of patch that was used to create a github PR against the main ppp code base.
+ - Add client-side 'capath' option to allow a directory with trusted CA certificates. + - Add client-side 'capath' option to allow a directory with trusted CA certificates.
+ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or + - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or
+ use the ones supplied by OpenSSL. + use the ones supplied by OpenSSL.
+ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp + - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp
+ kernel driver does not support MPPE. + kernel driver does not support MPPE.
+v1.201 (03-Apr-2020) +v1.201 (03-Apr-2020)
+ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that + - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that
+ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. + you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation.
diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client +v1.300 (03-Apr-2020)
+ - Add (experimental) TLS 1.3 support. This is based on draft-ietf-emu-eap-tls13-05 (expired) and
+ requires OpenSSL 1.1.1+ to be effective.
+ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use
+ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3')
+
diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client
--- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client 2020-04-03 14:02:19.334905035 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,10 @@ @@ -0,0 +1,10 @@
+# Parameters for authentication using EAP-TLS (client) +# Parameters for authentication using EAP-TLS (client)
+ +
@ -317,9 +323,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e
+# client private key file (required) +# client private key file (required)
+ +
+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server
--- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server 2020-04-03 14:02:19.334905035 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,11 @@ @@ -0,0 +1,11 @@
+# Parameters for authentication using EAP-TLS (server) +# Parameters for authentication using EAP-TLS (server)
+ +
@ -332,9 +338,9 @@ diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/e
+# allowed addresses (required, can be *) +# allowed addresses (required, can be *)
+ +
+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf
--- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf 2020-04-03 14:02:19.334905035 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-04-07 10:09:50.566118204 +0200
@@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
+openssl_conf = openssl_def +openssl_conf = openssl_def
+ +
@ -350,9 +356,9 @@ diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/ope
+MODULE_PATH = /usr/lib64/libeTPkcs11.so +MODULE_PATH = /usr/lib64/libeTPkcs11.so
+init = 0 +init = 0
+ +
diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top
--- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top 2020-04-03 14:02:19.334905035 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top 2020-04-07 10:09:50.566118204 +0200
@@ -26,7 +26,7 @@ @@ -26,7 +26,7 @@
cd pppdump; $(MAKE) $(MFLAGS) install cd pppdump; $(MAKE) $(MFLAGS) install
@ -373,9 +379,9 @@ diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefi
$(BINDIR): $(BINDIR):
$(INSTALL) -d -m 755 $@ $(INSTALL) -d -m 755 $@
diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux
--- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux 2020-04-03 14:02:19.335905034 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux 2020-04-07 10:10:01.427104384 +0200
@@ -11,16 +11,16 @@ @@ -11,16 +11,16 @@
TARGETS = pppd TARGETS = pppd
@ -458,9 +464,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefi
HEADERS += sha1.h HEADERS += sha1.h
PPPDOBJS += sha1.o PPPDOBJS += sha1.o
endif endif
diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2
--- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 2020-04-03 14:02:19.335905034 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-04-07 10:09:50.566118204 +0200
@@ -5,10 +5,10 @@ @@ -5,10 +5,10 @@
include ../Makedefs.com include ../Makedefs.com
@ -497,9 +503,9 @@ diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefil
# Uncomment for CBCP # Uncomment for CBCP
#CFLAGS += -DCBCP_SUPPORT #CFLAGS += -DCBCP_SUPPORT
diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c
--- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c 2020-04-03 14:02:19.337905032 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c 2020-04-07 10:09:50.567118203 +0200
@@ -113,6 +113,9 @@ @@ -113,6 +113,9 @@
#include "upap.h" #include "upap.h"
#include "chap-new.h" #include "chap-new.h"
@ -522,7 +528,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
/* Hook for a plugin to say whether it is OK if the peer /* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */ refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs, int (*null_auth_hook) __P((struct wordlist **paddrs,
@@ -241,6 +249,15 @@ @@ -241,6 +249,16 @@
bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_user = 0; /* Set if "user" option supplied */
bool explicit_passwd = 0; /* Set if "password" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
@ -533,12 +539,13 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+char *privkey_file = NULL; /* client private key file (pem format) */ +char *privkey_file = NULL; /* client private key file (pem format) */
+char *crl_dir = NULL; /* directory containing CRL files */ +char *crl_dir = NULL; /* directory containing CRL files */
+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ +char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */
+char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */
+bool need_peer_eap = 0; /* Require peer to authenticate us */ +bool need_peer_eap = 0; /* Require peer to authenticate us */
+#endif +#endif
static char *uafname; /* name of most recent +ua file */ static char *uafname; /* name of most recent +ua file */
@@ -257,6 +274,19 @@ @@ -257,6 +275,19 @@
static int have_chap_secret __P((char *, char *, int, int *)); static int have_chap_secret __P((char *, char *, int, int *));
static int have_srp_secret __P((char *client, char *server, int need_ip, static int have_srp_secret __P((char *client, char *server, int need_ip,
int *lacks_ipp)); int *lacks_ipp));
@ -558,7 +565,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
static int scan_authfile __P((FILE *, char *, char *, char *, static int scan_authfile __P((FILE *, char *, char *, char *,
struct wordlist **, struct wordlist **, struct wordlist **, struct wordlist **,
@@ -404,6 +434,16 @@ @@ -404,6 +435,18 @@
"Set telephone number(s) which are allowed to connect", "Set telephone number(s) which are allowed to connect",
OPT_PRIV | OPT_A2LIST }, OPT_PRIV | OPT_A2LIST },
@ -569,13 +576,15 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, + { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, + { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
+ { "crl", o_string, &crl_file, "Use specific CRL file" }, + { "crl", o_string, &crl_file, "Use specific CRL file" },
+ { "max-tls-version", o_string, &max_tls_version,
+ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" },
+ { "need-peer-eap", o_bool, &need_peer_eap, + { "need-peer-eap", o_bool, &need_peer_eap,
+ "Require the peer to authenticate us", 1 }, + "Require the peer to authenticate us", 1 },
+#endif /* USE_EAPTLS */ +#endif /* USE_EAPTLS */
{ NULL } { NULL }
}; };
@@ -737,6 +777,9 @@ @@ -737,6 +780,9 @@
lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *wo = &lcp_wantoptions[unit];
lcp_options *go = &lcp_gotoptions[unit]; lcp_options *go = &lcp_gotoptions[unit];
lcp_options *ho = &lcp_hisoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit];
@ -585,7 +594,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
int i; int i;
struct protent *protp; struct protent *protp;
@@ -771,6 +814,22 @@ @@ -771,6 +817,22 @@
} }
} }
@ -608,7 +617,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
new_phase(PHASE_AUTHENTICATE); new_phase(PHASE_AUTHENTICATE);
auth = 0; auth = 0;
if (go->neg_eap) { if (go->neg_eap) {
@@ -1291,6 +1350,15 @@ @@ -1291,6 +1353,15 @@
our_name, 1, &lacks_ip); our_name, 1, &lacks_ip);
} }
@ -624,7 +633,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
if (auth_required && !can_auth && noauth_addrs == NULL) { if (auth_required && !can_auth && noauth_addrs == NULL) {
if (default_auth) { if (default_auth) {
option_error( option_error(
@@ -1345,7 +1413,11 @@ @@ -1345,7 +1416,11 @@
passwd[0] != 0 || passwd[0] != 0 ||
(hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
(explicit_remote? remote_name: NULL), 0, NULL))) || (explicit_remote? remote_name: NULL), 0, NULL))) ||
@ -637,7 +646,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
hadchap = -1; hadchap = -1;
if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
@@ -1360,8 +1432,14 @@ @@ -1360,8 +1435,14 @@
!have_chap_secret((explicit_remote? remote_name: NULL), our_name, !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
1, NULL))) && 1, NULL))) &&
!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
@ -653,7 +662,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
} }
@@ -1721,6 +1799,7 @@ @@ -1721,6 +1802,7 @@
} }
@ -661,7 +670,7 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
/* /*
* get_secret - open the CHAP secret file and return the secret * get_secret - open the CHAP secret file and return the secret
* for authenticating the given client on the given server. * for authenticating the given client on the given server.
@@ -2373,3 +2452,345 @@ @@ -2373,3 +2455,345 @@
auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
} }
@ -1007,9 +1016,9 @@ diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c
+} +}
+#endif +#endif
+ +
diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c
--- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c 2020-04-03 14:02:19.337905032 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c 2020-04-07 10:09:50.567118203 +0200
@@ -539,6 +539,9 @@ @@ -539,6 +539,9 @@
if (go->mppe) { if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit]; ccp_options *ao = &ccp_allowoptions[f->unit];
@ -1045,9 +1054,9 @@ diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c
lcp_close(f->unit, "MPPE required but not available"); lcp_close(f->unit, "MPPE required but not available");
return; return;
} }
diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c
--- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c 2020-04-03 14:02:19.337905032 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c 2020-04-07 10:09:50.567118203 +0200
@@ -36,7 +36,11 @@ @@ -36,7 +36,11 @@
#include "chap-new.h" #include "chap-new.h"
#include "chap-md5.h" #include "chap-md5.h"
@ -1060,9 +1069,9 @@ diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c
#define MD5_HASH_SIZE 16 #define MD5_HASH_SIZE 16
#define MD5_MIN_CHALLENGE 16 #define MD5_MIN_CHALLENGE 16
diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c
--- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c 2020-04-03 14:02:19.338905030 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c 2020-04-07 10:09:50.567118203 +0200
@@ -534,7 +534,7 @@ @@ -534,7 +534,7 @@
char *username, u_char Challenge[8]) char *username, u_char Challenge[8])
@ -1099,10 +1108,10 @@ diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c
u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c
--- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c 2020-04-03 14:02:19.338905030 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-07 10:09:50.568118202 +0200
@@ -0,0 +1,1442 @@ @@ -0,0 +1,1560 @@
+/* * eap-tls.c - EAP-TLS implementation for PPP +/* * eap-tls.c - EAP-TLS implementation for PPP
+ * + *
+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. + * Copyright (c) Beniamino Galvani 2005 All rights reserved.
@ -1154,11 +1163,32 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#include "lcp.h" +#include "lcp.h"
+#include "pathnames.h" +#include "pathnames.h"
+ +
+typedef struct pw_cb_data
+{
+ const void *password;
+ const char *prompt_info;
+} PW_CB_DATA;
+
+/* The openssl configuration file and engines can be loaded only once */ +/* The openssl configuration file and engines can be loaded only once */
+static CONF *ssl_config = NULL; +static CONF *ssl_config = NULL;
+static ENGINE *cert_engine = NULL; +static ENGINE *cert_engine = NULL;
+static ENGINE *pkey_engine = NULL; +static ENGINE *pkey_engine = NULL;
+ +
+/* TLSv1.3 do we have a session ticket ? */
+static int have_session_ticket = 0;
+
+int ssl_verify_callback(int, X509_STORE_CTX *);
+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
+ size_t len, SSL * ssl, void *arg);
+int ssl_new_session_cb(SSL *s, SSL_SESSION *sess);
+
+X509 *get_X509_from_file(char *filename);
+int ssl_cmp_certs(char *filename, X509 * a);
+
+#ifdef MPPE
+
+#define EAPTLS_MPPE_KEY_LEN 32
+
+/* +/*
+ * The following stuff is only needed if SSL_export_keying_material() is not available + * The following stuff is only needed if SSL_export_keying_material() is not available
+ */ + */
@ -1363,21 +1393,35 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+ +
+ +
+#ifdef MPPE
+
+#define EAPTLS_MPPE_KEY_LEN 32
+
+/* +/*
+ * Generate keys according to RFC 2716 and add to reply + * Generate keys according to RFC 2716 and add to reply
+ */ + */
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, +void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client)
+ int client)
+{ +{
+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; + unsigned char out[4*EAPTLS_MPPE_KEY_LEN];
+ size_t prf_size = strlen(prf_label); + const char *prf_label;
+ size_t prf_size;
+ unsigned char eap_tls13_context[] = { EAPT_TLS };
+ unsigned char *context = NULL;
+ size_t context_len = 0;
+ unsigned char *p; + unsigned char *p;
+ +
+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) + dbglog("EAP-TLS generating MPPE keys");
+ if (ets->tls_v13)
+ {
+ prf_label = "EXPORTER_EAP_TLS_Key_Material";
+ context = eap_tls13_context;
+ context_len = 1;
+ }
+ else
+ {
+ prf_label = "client EAP encryption";
+ }
+
+ dbglog("EAP-TLS PRF label = %s", prf_label);
+ prf_size = strlen(prf_label);
+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size,
+ context, context_len, 0) != 1)
+ { + {
+ warn( "EAP-TLS: Failed generating keying material" ); + warn( "EAP-TLS: Failed generating keying material" );
+ return; + return;
@ -1525,13 +1569,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ X509_STORE *certstore; + X509_STORE *certstore;
+ X509_LOOKUP *lookup; + X509_LOOKUP *lookup;
+ X509 *tmp; + X509 *tmp;
+ int ret; + int ret;
+#if defined(TLS1_2_VERSION) +#if defined(TLS1_2_VERSION)
+ long tls_version = TLS1_2_VERSION; + long tls_version = TLS1_2_VERSION;
+#elif defined(TLS1_1_VERSION) +#elif defined(TLS1_1_VERSION)
+ long tls_version = TLS1_1_VERSION; + long tls_version = TLS1_1_VERSION;
+#else +#else
+ long tls_version = TLS1_VERSION; + long tls_version = TLS1_VERSION;
+#endif +#endif
+ +
+ /* + /*
@ -1781,8 +1825,51 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+#endif +#endif
+ ); + );
+ +
+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); + /* OpenSSL 1.1.1+ does not include RC4 ciphers by default.
+ SSL_CTX_set_max_proto_version(ctx, tls_version); + * This causes totally obsolete WinXP clients to fail. If you really
+ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and
+ * make sure that you use an OpenSSL that supports them
+
+ SSL_CTX_set_cipher_list(ctx, "RC4");
+ */
+
+
+ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+.
+ * During the initial handshake the server signals to the client early on
+ * that the handshake is finished, even before the client has sent its
+ * credentials to the server. The actual connection (and moment that the
+ * client sends its credentials) only starts after the arrival of the first
+ * session ticket. The 'ssl_new_session_cb' catches this ticket.
+ */
+ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE);
+ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb);
+
+ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */
+ if (max_tls_version)
+ {
+ if (strncmp(max_tls_version, "1.0", 3) == 0)
+ tls_version = TLS1_VERSION;
+ else if (strncmp(max_tls_version, "1.1", 3) == 0)
+ tls_version = TLS1_1_VERSION;
+ else if (strncmp(max_tls_version, "1.2", 3) == 0)
+#ifdef TLS1_2_VERSION
+ tls_version = TLS1_2_VERSION;
+#else
+ {
+ warn("TLSv1.2 not available. Defaulting to TLSv1.1");
+ tls_version = TLS_1_1_VERSION;
+ }
+#endif
+ else if (strncmp(max_tls_version, "1.3", 3) == 0)
+#ifdef TLS1_3_VERSION
+ tls_version = TLS1_3_VERSION;
+#else
+ warn("TLSv1.3 not available.");
+#endif
+ }
+
+ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version);
+ SSL_CTX_set_max_proto_version(ctx, tls_version);
+ +
+ SSL_CTX_set_verify_depth(ctx, 5); + SSL_CTX_set_verify_depth(ctx, 5);
+ SSL_CTX_set_verify(ctx, + SSL_CTX_set_verify(ctx,
@ -1944,6 +2031,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ +
+ SSL_set_accept_state(ets->ssl); + SSL_set_accept_state(ets->ssl);
+ +
+ ets->tls_v13 = 0;
+
+ ets->data = NULL; + ets->data = NULL;
+ ets->datalen = 0; + ets->datalen = 0;
+ ets->alert_sent = 0; + ets->alert_sent = 0;
@ -2034,6 +2123,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ +
+ SSL_set_connect_state(ets->ssl); + SSL_set_connect_state(ets->ssl);
+ +
+ ets->tls_v13 = 0;
+
+ ets->data = NULL; + ets->data = NULL;
+ ets->datalen = 0; + ets->datalen = 0;
+ ets->alert_sent = 0; + ets->alert_sent = 0;
@ -2069,6 +2160,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ free(ets); + free(ets);
+} +}
+ +
+
+int eaptls_is_init_finished(struct eaptls_session *ets)
+{
+ if (ets->ssl && SSL_is_init_finished(ets->ssl))
+ {
+ if (ets->tls_v13)
+ return have_session_ticket;
+ else
+ return 1;
+ }
+
+ return 0;
+}
+
+/* +/*
+ * Handle a received packet, reassembling fragmented messages and + * Handle a received packet, reassembling fragmented messages and
+ * passing them to the ssl engine + * passing them to the ssl engine
@ -2189,10 +2294,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ +
+ start = *outp; + start = *outp;
+ +
+ if (!ets->data) { + if (!ets->data)
+ + {
+ if(!ets->alert_sent) + if(!ets->alert_sent)
+ SSL_read(ets->ssl, fromtls, 65536); + {
+ res = SSL_read(ets->ssl, fromtls, 65536);
+ }
+ +
+ /* + /*
+ * Read from ssl + * Read from ssl
@ -2435,7 +2542,7 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string, "TLS 1.2"); + strcat(string, "TLS 1.2");
+ break; + break;
+ default: + default:
+ strcat(string, "Unknown version"); + sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers);
+ } + }
+ break; + break;
+ +
@ -2459,9 +2566,9 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ break; + break;
+ +
+#ifdef SSL3_RT_INNER_CONTENT_TYPE +#ifdef SSL3_RT_INNER_CONTENT_TYPE
+ case SSL3_RT_INNER_CONTENT_TYPE: + case SSL3_RT_INNER_CONTENT_TYPE:
+ strcat(string, "InnerContentType (TLS1.3)"); + strcat(string, "InnerContentType (TLS1.3)");
+ break; + break;
+#endif +#endif
+ +
+ case SSL3_RT_HANDSHAKE: + case SSL3_RT_HANDSHAKE:
@ -2484,6 +2591,16 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string,"New Session Ticket"); + strcat(string,"New Session Ticket");
+ break; + break;
+#endif +#endif
+#ifdef SSL3_MT_END_OF_EARLY_DATA
+ case SSL3_MT_END_OF_EARLY_DATA:
+ strcat(string,"End of Early Data");
+ break;
+#endif
+#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS
+ case SSL3_MT_ENCRYPTED_EXTENSIONS:
+ strcat(string,"Encryped Extensions");
+ break;
+#endif
+ case SSL3_MT_CERTIFICATE: + case SSL3_MT_CERTIFICATE:
+ strcat(string,"Certificate"); + strcat(string,"Certificate");
+ break; + break;
@ -2519,11 +2636,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ strcat(string, "TLS 1.2"); + strcat(string, "TLS 1.2");
+ break; + break;
+#ifdef TLS1_3_VERSION +#ifdef TLS1_3_VERSION
+ case TLS1_3_VERSION: + case TLS1_3_VERSION:
+ strcat(string, "TLS 1.3 (not supported)"); + strcat(string, "TLS 1.3 (experimental)");
+ break; + ets->tls_v13 = 1;
+ break;
+#endif +#endif
+
+ default: + default:
+ strcat(string, "Unknown version"); + strcat(string, "Unknown version");
+ } + }
@ -2545,10 +2662,20 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c
+ dbglog("%s", string); + dbglog("%s", string);
+} +}
+ +
diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h +int
+ssl_new_session_cb(SSL *s, SSL_SESSION *sess)
+{
+ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:");
+ have_session_ticket = 1;
+
+ /* always return success */
+ return 1;
+}
+
diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h
--- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 --- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h 2020-04-03 14:02:19.338905030 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-07 10:09:50.568118202 +0200
@@ -0,0 +1,107 @@ @@ -0,0 +1,96 @@
+/* +/*
+ * eap-tls.h + * eap-tls.h
+ * + *
@ -2599,11 +2726,12 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+{ +{
+ u_char *data; /* buffered data */ + u_char *data; /* buffered data */
+ int datalen; /* buffered data len */ + int datalen; /* buffered data len */
+ int offset; /* from where to send */ + int offset; /* from where to send */
+ int tlslen; /* total length of tls data */ + int tlslen; /* total length of tls data */
+ bool frag; /* packet is fragmented */ + bool frag; /* packet is fragmented */
+ bool tls_v13; /* whether we've negotiated TLSv1.3 */
+ SSL_CTX *ctx; + SSL_CTX *ctx;
+ SSL *ssl; /* ssl connection */ + SSL *ssl; /* ssl connection */
+ BIO *from_ssl; + BIO *from_ssl;
+ BIO *into_ssl; + BIO *into_ssl;
+ char peer[MAXWORDLEN]; /* peer name */ + char peer[MAXWORDLEN]; /* peer name */
@ -2612,24 +2740,11 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+ u_char alert_sent_desc; + u_char alert_sent_desc;
+ bool alert_recv; + bool alert_recv;
+ u_char alert_recv_desc; + u_char alert_recv_desc;
+ char rtx[65536]; /* retransmission buffer */ + char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */
+ int rtx_len; + int rtx_len;
+ int mtu; /* unit mtu */ + int mtu; /* unit mtu */
+}; +};
+ +
+typedef struct pw_cb_data
+{
+ const void *password;
+ const char *prompt_info;
+} PW_CB_DATA;
+
+
+int ssl_verify_callback(int, X509_STORE_CTX *);
+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
+ size_t len, SSL * ssl, void *arg);
+
+X509 *get_X509_from_file(char *filename);
+int ssl_cmp_certs(char *filename, X509 * a);
+ +
+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, +SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath,
+ char *certfile, char *peer_certfile, char *privkeyfile); + char *certfile, char *peer_certfile, char *privkeyfile);
@ -2637,6 +2752,8 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+int eaptls_init_ssl_client(eap_state * esp); +int eaptls_init_ssl_client(eap_state * esp);
+void eaptls_free_session(struct eaptls_session *ets); +void eaptls_free_session(struct eaptls_session *ets);
+ +
+int eaptls_is_init_finished(struct eaptls_session *ets);
+
+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
+int eaptls_send(struct eaptls_session *ets, u_char ** outp); +int eaptls_send(struct eaptls_session *ets, u_char ** outp);
+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); +void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
@ -2651,14 +2768,13 @@ diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h
+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; +extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
+extern int mppe_keys_set; +extern int mppe_keys_set;
+ +
+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); +void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client);
+
+#endif +#endif
+ +
+#endif +#endif
diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c
--- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c 2020-04-03 14:02:19.339905029 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c 2020-04-07 10:09:50.569118201 +0200
@@ -43,6 +43,11 @@ @@ -43,6 +43,11 @@
* Based on draft-ietf-pppext-eap-srp-03.txt. * Based on draft-ietf-pppext-eap-srp-03.txt.
*/ */
@ -2738,7 +2854,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
switch (esp->es_server.ea_state) { switch (esp->es_server.ea_state) {
case eapBadAuth: case eapBadAuth:
return; return;
@@ -561,9 +585,79 @@ @@ -561,9 +585,81 @@
break; break;
} }
#endif /* USE_SRP */ #endif /* USE_SRP */
@ -2794,18 +2910,20 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ if(SSL_is_init_finished(ets->ssl)) + if(SSL_is_init_finished(ets->ssl))
+ esp->es_server.ea_state = eapTlsRecvClient; + esp->es_server.ea_state = eapTlsRecvClient;
+ else + else
+ esp->es_server.ea_state = eapTlsRecv; + /* JJK Add "TLS empty record" message here ??? */
+ esp->es_server.ea_state = eapTlsRecv;
+ break; + break;
+ +
+ case eapTlsSendAck: + case eapTlsSendAck:
+ esp->es_server.ea_state = eapTlsRecv; + esp->es_server.ea_state = eapTlsRecv;
+ break; + break;
+ +
+ case eapTlsRecvAck: + case eapTlsRecvAck:
+ if (status) { + if (status)
+ esp->es_server.ea_state = eapBadAuth; + {
+ break; + esp->es_server.ea_state = eapBadAuth;
+ } + break;
+ }
+ +
+ esp->es_server.ea_state = eapTlsSend; + esp->es_server.ea_state = eapTlsSend;
+ break; + break;
@ -2818,7 +2936,18 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
case eapSRP1: case eapSRP1:
#ifdef USE_SRP #ifdef USE_SRP
ts = (struct t_server *)esp->es_server.ea_session; ts = (struct t_server *)esp->es_server.ea_session;
@@ -647,10 +741,10 @@ @@ -629,6 +725,10 @@
}
if (esp->es_server.ea_state == eapBadAuth)
eap_send_failure(esp);
+
+#ifdef USE_EAPTLS
+ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state));
+#endif /* USE_EAPTLS */
}
/*
@@ -647,10 +747,10 @@
char *str; char *str;
#ifdef USE_SRP #ifdef USE_SRP
struct t_server *ts; struct t_server *ts;
@ -2831,7 +2960,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
#endif /* USE_SRP */ #endif /* USE_SRP */
/* Handle both initial auth and restart */ /* Handle both initial auth and restart */
@@ -717,6 +811,30 @@ @@ -717,6 +817,30 @@
INCPTR(esp->es_server.ea_namelen, outp); INCPTR(esp->es_server.ea_namelen, outp);
break; break;
@ -2862,7 +2991,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
#ifdef USE_SRP #ifdef USE_SRP
case eapSRP1: case eapSRP1:
PUTCHAR(EAPT_SRP, outp); PUTCHAR(EAPT_SRP, outp);
@@ -763,8 +881,8 @@ @@ -763,8 +887,8 @@
PUTLONG(SRPVAL_EBIT, outp); PUTLONG(SRPVAL_EBIT, outp);
ts = (struct t_server *)esp->es_server.ea_session; ts = (struct t_server *)esp->es_server.ea_session;
assert(ts != NULL); assert(ts != NULL);
@ -2873,7 +3002,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
if (pncrypt_setkey(0)) { if (pncrypt_setkey(0)) {
/* Generate pseudonym */ /* Generate pseudonym */
@@ -804,9 +922,9 @@ @@ -804,9 +928,9 @@
/* Set length and pad out to next 20 octet boundary */ /* Set length and pad out to next 20 octet boundary */
i = outp - optr - 1; i = outp - optr - 1;
*optr = i; *optr = i;
@ -2885,7 +3014,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
*outp++ = drand48() * 0x100; *outp++ = drand48() * 0x100;
i++; i++;
} }
@@ -822,14 +940,14 @@ @@ -822,14 +946,14 @@
while (optr < outp) { while (optr < outp) {
SHA1Final(dig, &ctxt); SHA1Final(dig, &ctxt);
cp = dig; cp = dig;
@ -2903,7 +3032,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
} }
} }
break; break;
@@ -903,11 +1021,57 @@ @@ -903,11 +1027,57 @@
eap_server_timeout(arg) eap_server_timeout(arg)
void *arg; void *arg;
{ {
@ -2961,7 +3090,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
/* EAP ID number must not change on timeout. */ /* EAP ID number must not change on timeout. */
eap_send_request(esp); eap_send_request(esp);
} }
@@ -1154,17 +1318,92 @@ @@ -1154,17 +1324,90 @@
PUTCHAR(id, outp); PUTCHAR(id, outp);
esp->es_client.ea_id = id; esp->es_client.ea_id = id;
msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) +
@ -2987,16 +3116,16 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+eap_state *esp; +eap_state *esp;
+u_char id; +u_char id;
+{ +{
+ u_char *outp; + u_char *outp;
+ int outlen; + int outlen;
+ u_char *lenloc; + u_char *lenloc;
+ +
+ outp = outpacket_buf; + outp = outpacket_buf;
+ +
+ MAKEHEADER(outp, PPP_EAP); + MAKEHEADER(outp, PPP_EAP);
+ +
+ PUTCHAR(EAP_RESPONSE, outp); + PUTCHAR(EAP_RESPONSE, outp);
+ PUTCHAR(id, outp); + PUTCHAR(id, outp);
+ +
+ lenloc = outp; + lenloc = outp;
+ INCPTR(2, outp); + INCPTR(2, outp);
@ -3016,7 +3145,6 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
+ +
+ esp->es_client.ea_id = id; + esp->es_client.ea_id = id;
+
+} +}
+ +
+/* +/*
@ -3049,14 +3177,13 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ PUTSHORT(outlen, lenloc); + PUTSHORT(outlen, lenloc);
+ +
+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
+
+} +}
+#endif /* USE_EAPTLS */ +#endif /* USE_EAPTLS */
+ +
static void static void
eap_send_nak(esp, id, type) eap_send_nak(esp, id, type)
eap_state *esp; eap_state *esp;
@@ -1251,8 +1490,8 @@ @@ -1251,8 +1494,8 @@
{ {
u_char val; u_char val;
u_char *datp, *digp; u_char *datp, *digp;
@ -3067,7 +3194,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
int dsize, fd, olen = len; int dsize, fd, olen = len;
/* /*
@@ -1261,21 +1500,21 @@ @@ -1261,21 +1504,21 @@
*/ */
val = id; val = id;
while (len > 0) { while (len > 0) {
@ -3093,7 +3220,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
*datp++ ^= *digp; *datp++ ^= *digp;
} }
@@ -1319,12 +1558,17 @@ @@ -1319,12 +1562,17 @@
char rhostname[256]; char rhostname[256];
MD5_CTX mdContext; MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE]; u_char hash[MD5_SIGNATURE_SIZE];
@ -3113,7 +3240,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
int fd; int fd;
#endif /* USE_SRP */ #endif /* USE_SRP */
@@ -1455,6 +1699,100 @@ @@ -1455,6 +1703,96 @@
esp->es_client.ea_namelen); esp->es_client.ea_namelen);
break; break;
@ -3134,11 +3261,11 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ +
+ esp->es_client.ea_using_eaptls = 1; + esp->es_client.ea_using_eaptls = 1;
+ +
+ if (explicit_remote){ + if (explicit_remote){
+ esp->es_client.ea_peer = strdup(remote_name); + esp->es_client.ea_peer = strdup(remote_name);
+ esp->es_client.ea_peerlen = strlen(remote_name); + esp->es_client.ea_peerlen = strlen(remote_name);
+ } else + } else
+ esp->es_client.ea_peer = NULL; + esp->es_client.ea_peer = NULL;
+ +
+ /* Init ssl session */ + /* Init ssl session */
+ if(!eaptls_init_ssl_client(esp)) { + if(!eaptls_init_ssl_client(esp)) {
@ -3150,8 +3277,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ +
+ ets = esp->es_client.ea_session; + ets = esp->es_client.ea_session;
+ eap_tls_response(esp, id); + eap_tls_response(esp, id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ eapTlsRecv);
+ break; + break;
+ } + }
+ +
@ -3161,8 +3287,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ +
+ case eapTlsRecvAck: + case eapTlsRecvAck:
+ eap_tls_response(esp, id); + eap_tls_response(esp, id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ eapTlsRecv);
+ break; + break;
+ +
+ case eapTlsRecv: + case eapTlsRecv:
@ -3186,9 +3311,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ } + }
+ +
+ /* Check if TLS handshake is finished */ + /* Check if TLS handshake is finished */
+ if(SSL_is_init_finished(ets->ssl)){ + if(eaptls_is_init_finished(ets)) {
+#ifdef MPPE +#ifdef MPPE
+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); + eaptls_gen_mppe_keys(ets, 1);
+#endif +#endif
+ eaptls_free_session(ets); + eaptls_free_session(ets);
+ eap_tls_sendack(esp, id); + eap_tls_sendack(esp, id);
@ -3197,10 +3322,8 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ } + }
+ +
+ eap_tls_response(esp,id); + eap_tls_response(esp,id);
+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : + esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv);
+ eapTlsRecv); + break;
+
+ break;
+ +
+ default: + default:
+ eap_send_nak(esp, id, EAPT_TLS); + eap_send_nak(esp, id, EAPT_TLS);
@ -3270,6 +3393,7 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ case eapTlsRecv: + case eapTlsRecv:
+ +
+ ets = (struct eaptls_session *) esp->es_server.ea_session; + ets = (struct eaptls_session *) esp->es_server.ea_session;
+
+ eap_figure_next_state(esp, + eap_figure_next_state(esp,
+ eaptls_receive(esp->es_server.ea_session, inp, len)); + eaptls_receive(esp->es_server.ea_session, inp, len));
+ +
@ -3288,13 +3412,12 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
+ +
+ case eapTlsRecvClient: + case eapTlsRecvClient:
+ /* Receive authentication response from client */ + /* Receive authentication response from client */
+
+ if (len > 0) { + if (len > 0) {
+ GETCHAR(flags, inp); + GETCHAR(flags, inp);
+ +
+ if(len == 1 && !flags) { /* Ack = ok */ + if(len == 1 && !flags) { /* Ack = ok */
+#ifdef MPPE +#ifdef MPPE
+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); + eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 );
+#endif +#endif
+ eap_send_success(esp); + eap_send_success(esp);
+ } + }
@ -3499,9 +3622,9 @@ diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c
return (inp - pstart); return (inp - pstart);
} }
+ +
diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h
--- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h 2020-04-07 10:09:50.569118201 +0200
@@ -84,6 +84,16 @@ @@ -84,6 +84,16 @@
eapClosed, /* Authentication not in use */ eapClosed, /* Authentication not in use */
eapListen, /* Client ready (and timer running) */ eapListen, /* Client ready (and timer running) */
@ -3570,9 +3693,9 @@ diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h
--- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h 2020-04-07 10:09:50.569118201 +0200
@@ -21,6 +21,13 @@ @@ -21,6 +21,13 @@
#define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
@ -3587,9 +3710,9 @@ diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
#define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux
--- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-04-07 10:09:50.569118201 +0200
@@ -4,6 +4,9 @@ @@ -4,6 +4,9 @@
LDFLAGS_SHARED = -shared LDFLAGS_SHARED = -shared
INSTALL = install INSTALL = install
@ -3600,9 +3723,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/ppp
DESTDIR = $(INSTROOT)@DESTDIR@ DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8 MANDIR = $(DESTDIR)/share/man/man8
diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c
--- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-04-07 10:09:50.569118201 +0200
@@ -107,4 +107,7 @@ @@ -107,4 +107,7 @@
{ {
add_options(options); add_options(options);
@ -3611,9 +3734,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/
+ eaptls_passwd_hook = promptpass; + eaptls_passwd_hook = promptpass;
+#endif +#endif
} }
diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c
--- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-04-07 10:09:50.569118201 +0200
@@ -79,4 +79,8 @@ @@ -79,4 +79,8 @@
chap_check_hook = pwfd_check; chap_check_hook = pwfd_check;
@ -3623,9 +3746,9 @@ diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/
+ eaptls_passwd_hook = pwfd_passwd; + eaptls_passwd_hook = pwfd_passwd;
+#endif +#endif
} }
diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c
--- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c 2020-04-03 14:02:19.340905028 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-04-07 10:09:50.569118201 +0200
@@ -31,6 +31,7 @@ @@ -31,6 +31,7 @@
*/ */
@ -3634,9 +3757,9 @@ diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c
#include "pppd.h" #include "pppd.h"
#include "pppcrypt.h" #include "pppcrypt.h"
diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8
--- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 2020-04-03 14:02:19.341905027 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 2020-04-07 10:09:50.570118199 +0200
@@ -260,6 +260,12 @@ @@ -260,6 +260,12 @@
compression in the corresponding direction. Use \fInobsdcomp\fR or compression in the corresponding direction. Use \fInobsdcomp\fR or
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely. \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
@ -3705,22 +3828,23 @@ diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8
.B noauth .B noauth
Do not require the peer to authenticate itself. This option is Do not require the peer to authenticate itself. This option is
privileged. privileged.
diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h
--- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h 2020-04-03 14:02:19.341905027 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h 2020-04-07 10:09:50.570118199 +0200
@@ -341,6 +341,11 @@ @@ -341,6 +341,12 @@
extern bool dryrun; /* check everything, print options, exit */ extern bool dryrun; /* check everything, print options, exit */
extern int child_wait; /* # seconds to wait for children at end */ extern int child_wait; /* # seconds to wait for children at end */
+#ifdef USE_EAPTLS +#ifdef USE_EAPTLS
+extern char *crl_dir; +extern char *crl_dir;
+extern char *crl_file; +extern char *crl_file;
+extern char *max_tls_version;
+#endif /* USE_EAPTLS */ +#endif /* USE_EAPTLS */
+ +
#ifdef MAXOCTETS #ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int maxoctets_dir; /* Direction : extern int maxoctets_dir; /* Direction :
@@ -763,6 +768,10 @@ @@ -763,6 +769,10 @@
extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern int (*chap_passwd_hook) __P((char *user, char *passwd));
extern void (*multilink_join_hook) __P((void)); extern void (*multilink_join_hook) __P((void));
@ -3731,9 +3855,9 @@ diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h
/* Let a plugin snoop sent and received packets. Useful for L2TP */ /* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
extern void (*snoop_send_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len));
diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c
--- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c 2020-04-03 14:02:19.341905027 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c 2020-04-07 10:09:50.570118199 +0200
@@ -101,7 +101,7 @@ @@ -101,7 +101,7 @@
/* SHA1Init - Initialize new context */ /* SHA1Init - Initialize new context */
@ -3761,9 +3885,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c
{ {
u_int32_t i, j; u_int32_t i, j;
unsigned char finalcount[8]; unsigned char finalcount[8];
diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h
--- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h 2020-04-03 14:02:19.341905027 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h 2020-04-07 10:09:50.570118199 +0200
@@ -1,11 +1,5 @@ @@ -1,11 +1,5 @@
/* sha1.h */ /* sha1.h */
@ -3792,9 +3916,9 @@ diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h
#define __SHA1_INCLUDE_ #define __SHA1_INCLUDE_
#endif /* __SHA1_INCLUDE_ */ #endif /* __SHA1_INCLUDE_ */
diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c
--- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100 --- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100
+++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c 2020-04-03 14:02:19.342905025 +0200 +++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-04-07 10:09:50.571118198 +0200
@@ -1550,6 +1550,26 @@ @@ -1550,6 +1550,26 @@
#endif /* defined(INET6) && defined(SOL2) */ #endif /* defined(INET6) && defined(SOL2) */
} }

9
ppp.spec
View File

@ -2,7 +2,7 @@
Name: ppp Name: ppp
Version: 2.4.8 Version: 2.4.8
Release: 4%{?dist} Release: 5%{?dist}
Summary: The Point-to-Point Protocol daemon Summary: The Point-to-Point Protocol daemon
License: BSD and LGPLv2+ and GPLv2+ and Public Domain License: BSD and LGPLv2+ and GPLv2+ and Public Domain
URL: http://www.samba.org/ppp URL: http://www.samba.org/ppp
@ -46,8 +46,8 @@ Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patc
Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch
# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.201.patch # https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.300.patch
Patch0026: ppp-2.4.8-eaptls-mppe-1.201.patch Patch0026: ppp-2.4.8-eaptls-mppe-1.300.patch
Patch0032: ppp-2.4.8-CVE-2020-8597.patch Patch0032: ppp-2.4.8-CVE-2020-8597.patch
@ -184,6 +184,9 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp
%doc PLUGINS %doc PLUGINS
%changelog %changelog
* Tue Apr 7 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.8-5
- Updated EAP-TLS patch to v1.300
* Mon Apr 6 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.8-4 * Mon Apr 6 2020 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.8-4
- Updated EAP-TLS patch to v1.201 - Updated EAP-TLS patch to v1.201