diff --git a/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch b/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch deleted file mode 100644 index 9b0920d3bce06e9b2b1659590fd6fcda74b1f9e7..0000000000000000000000000000000000000000 --- a/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 33797aa193a2751da26f9af120e39c110defe4d1 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Sat, 10 Dec 2016 19:53:56 +0100 -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h - -To fix build breakage. ---- - pppd/plugins/rp-pppoe/pppoe.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index 9ab2eee..f77f5b7 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -15,6 +15,8 @@ - - #include "config.h" - -+#include -+ - #if defined(HAVE_NETPACKET_PACKET_H) || defined(HAVE_LINUX_IF_PACKET_H) - #define _POSIX_SOURCE 1 /* For sigaction defines */ - #endif -@@ -84,8 +86,6 @@ typedef unsigned long UINT32_t; - #include - #endif - --#include -- - #ifdef HAVE_NETINET_IF_ETHER_H - #include - --- -2.9.3 - diff --git a/ppp-2.4.7-DES-openssl.patch b/ppp-2.4.7-DES-openssl.patch deleted file mode 100644 index ad3b2687aa5868613d3f27604ad77a954da763e4..0000000000000000000000000000000000000000 --- a/ppp-2.4.7-DES-openssl.patch +++ /dev/null 
@@ -1,79 +0,0 @@ -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 534ccc2..cf11b74 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -41,7 +41,7 @@ COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - # Uncomment the next 2 lines to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. - CHAPMS=y --USE_CRYPT=y -+#USE_CRYPT=y - # Don't use MSLANMAN unless you really know what you're doing. - #MSLANMAN=y - # Uncomment the next line to include support for MPPE. CHAPMS (above) must -@@ -147,7 +147,8 @@ endif - - ifdef NEEDDES - ifndef USE_CRYPT --LIBS += -ldes $(LIBS) -+CFLAGS += -I/usr/include/openssl -+LIBS += -lcrypto - else - CFLAGS += -DUSE_CRYPT=1 - endif -diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c -index 8b85b13..6b35375 100644 ---- a/pppd/pppcrypt.c -+++ b/pppd/pppcrypt.c -@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */ - des_key[7] = Get7Bits(key, 49); - - #ifndef USE_CRYPT -- des_set_odd_parity((des_cblock *)des_key); -+ DES_set_odd_parity((DES_cblock *)des_key); - #endif - } - -@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ - } - - #else /* USE_CRYPT */ --static des_key_schedule key_schedule; -+static DES_key_schedule key_schedule; - - bool - DesSetkey(key) - u_char *key; - { -- des_cblock des_key; -+ DES_cblock des_key; - MakeKey(key, des_key); -- des_set_key(&des_key, key_schedule); -+ DES_set_key(&des_key, &key_schedule); - return (1); - } - - bool --DesEncrypt(clear, key, cipher) -+DesEncrypt(clear, cipher) - u_char *clear; /* IN 8 octets */ - u_char *cipher; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, -- key_schedule, 1); -+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, -+ &key_schedule, 1); - return (1); - } - -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) - u_char *cipher; /* IN 8 octets */ - u_char *clear; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock 
*)cipher, (des_cblock *)clear, -- key_schedule, 0); -+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, -+ &key_schedule, 0); - return (1); - } - diff --git a/ppp-2.4.7-honor-ldflags.patch b/ppp-2.4.7-honor-ldflags.patch deleted file mode 100644 index 2c3e20dbf21a02416fa22e4fa30f88e6e4e88652..0000000000000000000000000000000000000000 --- a/ppp-2.4.7-honor-ldflags.patch +++ /dev/null 
@@ -1,170 +0,0 @@ -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 2445637..83114f1 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -18,7 +18,7 @@ INSTALL= install - all: chat - - chat: chat.o -- $(CC) -o chat chat.o -+ $(CC) $(LDFLAGS) -o chat chat.o - - chat.o: chat.c - $(CC) -c $(CFLAGS) -o chat.o chat.c -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index cf11b74..089f164 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -188,7 +188,7 @@ endif - - ifdef PLUGIN - CFLAGS += -DPLUGIN --LDFLAGS += -Wl,-E -+LDFLAGS_PLUGIN += -Wl,-E - LIBS += -ldl - endif - -@@ -230,7 +230,7 @@ install: pppd - $(INSTALL) -c -m 644 pppd.8 $(MANDIR) - - pppd: $(PPPDOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) - - srp-entry: srp-entry.c - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 303833a..04fe876 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I.. -I../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - # EAP-TLS -@@ -33,7 +33,7 @@ all: $(PLUGINS) - for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done - - %.so: %.c -- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ -+ $(CC) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED) $(CFLAGS) $^ - - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) - -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 4c5826f..1961e0e 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I../.. 
-I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - #*********************************************************************** -@@ -33,7 +33,7 @@ endif - all: $(PLUGIN) - - $(PLUGIN): $(PLUGIN_OBJS) -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index 9cb316d..7b23b25 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS_SHARED = -shared - INSTALL = install - - #*********************************************************************** -@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so - all: $(PLUGINS) - - %.so: %.o -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 707326b..2150332 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -43,13 +43,13 @@ install: all - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - - radius.so: radius.o libradiusclient.a -- $(CC) -o radius.so -shared radius.o libradiusclient.a -+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a - - radattr.so: radattr.o -- $(CC) -o radattr.so -shared radattr.o -+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o - - radrealms.so: radrealms.o -- $(CC) -o radrealms.so -shared radrealms.o -+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o - - CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \ - clientid.o sendserver.o lock.o util.o md5.o -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux 
b/pppd/plugins/rp-pppoe/Makefile.linux -index fa49efb..5e06b52 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -31,7 +31,7 @@ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - - pppoe-discovery: pppoe-discovery.o debug.o common.o -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev -+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev - - pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c -@@ -40,7 +40,7 @@ debug.o: debug.c - $(CC) $(CFLAGS) -c -o debug.o debug.c - - rp-pppoe.so: plugin.o discovery.o if.o common.o -- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o -+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index 95c6805..33e5107 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -10,7 +10,7 @@ INSTALL= install - all: pppdump - - pppdump: $(OBJS) -- $(CC) -o pppdump $(OBJS) -+ $(CC) $(LDFLAGS) -o pppdump $(OBJS) - - clean: - rm -f pppdump $(OBJS) *~ -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index c5ba3b1..eeccf83 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -26,7 +26,7 @@ install: pppstats - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) -- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) -+ $(CC) $(CFLAGS) $(LDFLAGS) -o pppstats pppstats.c $(LIBS) - - clean: - rm -f pppstats *~ #* core diff --git a/ppp-2.4.7.tar.gz b/ppp-2.4.7.tar.gz deleted file mode 100644 index 7e931c97cefdb5c48e7d23c9be374d77ffe569b4..0000000000000000000000000000000000000000 Binary files a/ppp-2.4.7.tar.gz and /dev/null differ 
diff --git a/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch b/ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch similarity index 96% rename from 0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch rename to ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch index 83402712d36d63df91617e7200bd891fcd010936..fd53ac71f634a877e8a51fb3544802a403beb537 100644 --- a/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch +++ b/ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch @@ -16,7 +16,7 @@ index 4339566..9a635b8 100644 -COPTS = -O2 -g +COPTS = $(RPM_OPT_FLAGS) CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS = -shared + LDFLAGS_SHARED = -shared INSTALL = install -- 1.8.3.1 diff --git a/0022-build-sys-compile-pppol2tp-with-multilink-support.patch b/ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch similarity index 96% rename from 0022-build-sys-compile-pppol2tp-with-multilink-support.patch rename to ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch index 945933e9e1ff7cb046c2c02326e9eaecfcdcf6ca..d8013085d439a93d320e290257f9b5e29d9ac55a 100644 --- a/0022-build-sys-compile-pppol2tp-with-multilink-support.patch +++ b/ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch @@ -17,7 +17,7 @@ index 9a635b8..9cb316d 100644 -COPTS = $(RPM_OPT_FLAGS) +COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS = -shared + LDFLAGS_SHARED = -shared INSTALL = install -- 1.8.3.1 
diff --git a/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch b/ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch similarity index 98% rename from 0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch rename to ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch index 48190ed374e5450ade4363b8642d283952159513..2d6bdd6add78ddc1928aad12e94e05f85f8b5eb5 100644 --- a/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +++ b/ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch @@ -33,7 +33,7 @@ index 63872eb..8ed56c1 100644 -COPTS = -Wall $(RPM_OPT_FLAGS) +COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" - # Uncomment the next 2 lines to include support for Microsoft's + # Uncomment the next line to include support for Microsoft's # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. diff --git a/pppd/pathnames.h b/pppd/pathnames.h index a33f046..a427cb8 100644 diff --git a/0002-build-sys-enable-PAM-support.patch b/ppp-2.4.8-build-sys-enable-PAM-support.patch similarity index 91% rename from 0002-build-sys-enable-PAM-support.patch rename to ppp-2.4.8-build-sys-enable-PAM-support.patch index 2f1c53b4f135ab807d034a8b76c0cb82a1ceb889..0df20baa64e3e57c9cfea28a680f7e5d22d4317a 100644 --- a/0002-build-sys-enable-PAM-support.patch +++ b/ppp-2.4.8-build-sys-enable-PAM-support.patch @@ -11,8 +11,8 @@ diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux index 1d9ea78..5a44d30 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux -@@ -61,7 +61,7 @@ HAVE_MULTILINK=y - USE_TDB=y +@@ -66,7 +66,7 @@ HAVE_MULTILINK=y + #SYSTEMD=y HAS_SHADOW=y -#USE_PAM=y 
diff --git a/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch b/ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch similarity index 97% rename from 0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch rename to ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch index 87da38b79b41edcddd50f78d56cae529cb0349fc..dc0c5df117112a237ff608c68880d5600afb8ff5 100644 --- a/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch +++ b/ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch @@ -40,7 +40,7 @@ index 5a44d30..63872eb 100644 -LIBS = +COPTS = -Wall $(RPM_OPT_FLAGS) - # Uncomment the next 2 lines to include support for Microsoft's + # Uncomment the next line to include support for Microsoft's # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux index 0a7ec7b..e09a369 100644 @@ -51,7 +51,7 @@ index 0a7ec7b..e09a369 100644 -COPTS = -O2 -g +COPTS = $(RPM_OPT_FLAGS) CFLAGS = $(COPTS) -I.. -I../../include -fPIC - LDFLAGS = -shared + LDFLAGS_SHARED = -shared INSTALL = install diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux index 20f62e6..5a81447 100644 @@ -62,7 +62,7 @@ index 20f62e6..5a81447 100644 -COPTS = -O2 -g +COPTS = $(RPM_OPT_FLAGS) CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC - LDFLAGS = -shared + LDFLAGS_SHARED = -shared INSTALL = install diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux index 24ed3e5..45b3b8d 100644 diff --git a/ppp-2.4.7-eaptls-mppe-1.101.patch b/ppp-2.4.8-eaptls-mppe-1.300.patch similarity index 69% rename from ppp-2.4.7-eaptls-mppe-1.101.patch rename to ppp-2.4.8-eaptls-mppe-1.300.patch index 127fcf84f30ca38723f9b254e2cee2fcf76616de..65b14347faee6186a01ca33fd82f4496bea2ccc6 100644 --- a/ppp-2.4.7-eaptls-mppe-1.101.patch +++ b/ppp-2.4.8-eaptls-mppe-1.300.patch 
@@ -1,7 +1,7 @@ -diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls ---- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls 2018-06-02 01:42:04.021165440 +0200 -@@ -0,0 +1,286 @@ +diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls +--- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/README.eap-tls 2020-04-07 10:09:50.565118206 +0200 +@@ -0,0 +1,307 @@ +EAP-TLS authentication support for PPP +====================================== + @@ -11,7 +11,7 @@ diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls + security protocol that can be used with PPP. It provides a means + to plug in multiple optional authentication methods. + -+ Transport Level Security (TLS; RFC 2246) provides for mutual ++ Transport Level Security (TLS; RFC 5216) provides for mutual + authentication, integrity-protected ciphersuite negotiation and + key exchange between two endpoints. It also provides for optional + MPPE encryption. 
@@ -282,15 +282,36 @@ diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls + - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET + - Fix bug in initialisation code with fragmented packets. +v0.998 (13-Mar-2015) -+ - Added fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 ++ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 +v0.999 (11-May-2017) -+ - Added support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. ++ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. +v1.101 (1-Jun-2018) + - Fix vulnerabilities CVE-2018-11574. -+ -diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client ---- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client 2018-06-02 01:42:04.021165440 +0200 ++v1.102 (2-Nov-2018) ++ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2. ++ This works both when compiling against OpenSSL 1.0.1+ and 1.1+. ++ - Print warning when certificate is either not yet valid or has expired. ++ - Perform better peer certificate checks. ++ - Allow certificate chain files to be used. ++v1.200 (28-Feb-2020) ++ - First version of patch that was used to create a github PR against the main ppp code base. ++ - Add client-side 'capath' option to allow a directory with trusted CA certificates. ++ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or ++ use the ones supplied by OpenSSL. ++ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp ++ kernel driver does not support MPPE. ++v1.201 (03-Apr-2020) ++ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that ++ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. 
++v1.300 (03-Apr-2020) ++ - Add (experimental) TLS 1.3 support. This is based on draft-ietf-emu-eap-tls13-05 (expired) and ++ requires OpenSSL 1.1.1+ to be effective. ++ - Add new option 'max-tls-version' to specify the highest version of the TLS protocol to use ++ (defaults to TLS1.2 for now - so to use TLS1.3 you need to explicitly add 'max-tls-version 1.3') ++ +diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client +--- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-client 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,10 @@ +# Parameters for authentication using EAP-TLS (client) + @@ -302,9 +323,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/ +# client private key file (required) + +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server ---- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server 2018-06-02 01:42:04.021165440 +0200 +diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server +--- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/eaptls-server 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,11 @@ +# Parameters for authentication using EAP-TLS (server) + 
@@ -317,9 +338,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/ +# allowed addresses (required, can be *) + +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf ---- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf 2018-06-02 01:42:04.021165440 +0200 +diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf +--- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/etc.ppp/openssl.cnf 2020-04-07 10:09:50.566118204 +0200 @@ -0,0 +1,14 @@ +openssl_conf = openssl_def + @@ -335,9 +356,9 @@ diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/op +MODULE_PATH = /usr/lib64/libeTPkcs11.so +init = 0 + -diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top ---- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top 2018-06-02 01:42:04.021165440 +0200 +diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top +--- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/linux/Makefile.top 2020-04-07 10:09:50.566118204 +0200 @@ -26,7 +26,7 @@ cd pppdump; $(MAKE) $(MFLAGS) install 
@@ -358,39 +379,134 @@ diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.101b/linux/Makef $(BINDIR): $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux 2018-06-02 01:42:04.021165440 +0200 -@@ -76,6 +76,9 @@ +diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux +--- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.linux 2020-04-07 10:10:01.427104384 +0200 +@@ -11,16 +11,16 @@ + + TARGETS = pppd + +-PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c md5.c ccp.c \ +- ecp.c ipxcp.c auth.c options.c sys-linux.c md4.c chap_ms.c \ ++PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c ccp.c \ ++ ecp.c ipxcp.c auth.c options.c sys-linux.c chap_ms.c \ + demand.c utils.c tty.c eap.c chap-md5.c session.c + + HEADERS = ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h \ +- ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h \ ++ ipxcp.h lcp.h magic.h patchlevel.h pathnames.h pppd.h \ + upap.h eap.h + + MANPAGES = pppd.8 +-PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o \ ++PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o ccp.o \ + ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ + eap.o chap-md5.o session.o + +@@ -81,6 +81,13 @@ # Use libutil USE_LIBUTIL=y -+# Enable EAP-TLS authentication (requires libssl and libcrypto) ++# Enable EAP-TLS authentication (requires MPPE support, libssl and libcrypto) +USE_EAPTLS=y ++ ++# Either use the internal {md5,sha1} routines or use the openssl versions ++USE_OPENSSL_MD5=y ++USE_OPENSSL_SHA1=y + MAXOCTETS=y INCLUDE_DIRS= -I../include -@@ -115,6 +118,15 @@ - PPPDOBJS += sha1.o +@@ -92,8 +99,9 @@ + ifdef CHAPMS + CFLAGS += -DCHAPMS=1 + NEEDDES=y +-PPPDOBJS += 
md4.o chap_ms.o ++PPPDSRC += md4.c chap_ms.c + HEADERS += md4.h chap_ms.h ++PPPDOBJS += md4.o chap_ms.o + ifdef MSLANMAN + CFLAGS += -DMSLANMAN=1 endif - +@@ -111,11 +119,31 @@ + MANPAGES += srp-entry.8 + EXTRACLEAN += srp-entry.o + NEEDDES=y ++endif ++ +# EAP-TLS +ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include ++CFLAGS += -DUSE_EAPTLS=1 +LIBS += -lssl -lcrypto +PPPDSRC += eap-tls.c +HEADERS += eap-tls.h +PPPDOBJS += eap-tls.o +endif + - ifdef HAS_SHADOW - CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) -diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c ---- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c 2018-06-02 01:42:04.022165436 +0200 -@@ -109,6 +109,9 @@ ++ifdef USE_OPENSSL_MD5 ++CFLAGS += -DUSE_OPENSSL_MD5=1 ++LIBS += -lcrypto ++else ++PPPDSRC += md5.c ++HEADERS += md5.h ++PPPDOBJS += md5.o ++endif ++ ++ifdef USE_OPENSSL_SHA1 ++CFLAGS += -DUSE_OPENSSL_SHA1=1 ++LIBS += -lcrypto + else +-# OpenSSL has an integrated version of SHA-1, and its implementation +-# is incompatible with this local SHA-1 implementation. We must use +-# one or the other, not both. 
+-PPPDSRCS += sha1.c ++PPPDSRC += sha1.c + HEADERS += sha1.h + PPPDOBJS += sha1.o + endif +diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 +--- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/Makefile.sol2 2020-04-07 10:09:50.566118204 +0200 +@@ -5,10 +5,10 @@ + + include ../Makedefs.com + +-CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="@DESTDIR@"' ++CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="/usr/local"' + LIBS = -lsocket -lnsl + +-OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o md5.o \ ++OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o \ + tty.o ccp.o ecp.o auth.o options.o demand.o utils.o sys-solaris.o \ + chap-md5.o session.o + +@@ -37,7 +37,21 @@ + + # Uncomment to enable MS-CHAP + CFLAGS += -DUSE_CRYPT -DCHAPMS -DMSLANMAN -DHAVE_CRYPT_H +-OBJS += chap_ms.o pppcrypt.o md4.o sha1.o ++OBJS += chap_ms.o pppcrypt.o md4.o ++ ++# Uncomment to enable MPPE (in both CHAP and EAP-TLS) ++CFLAGS += -DMPPE ++ ++# Uncomment to use the OpenSSL {md5,sha1} routines ++#CFLAGS += -DUSE_OPENSSL_MD5 -DUSE_OPENSSL_SHA1 ++#LIBS += -lcrypto ++# else ++OBJS += md5.o sha1.o ++ ++# Uncomment to enable EAP-TLS ++CFLAGS += -DUSE_EAPTLS ++LIBS += -lcrypto -lssl ++OBJS += eap-tls.o + + # Uncomment for CBCP + #CFLAGS += -DCBCP_SUPPORT +diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c +--- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/auth.c 2020-04-07 10:09:50.567118203 +0200 +@@ -113,6 +113,9 @@ #include "upap.h" #include "chap-new.h" #include "eap.h" @@ -400,7 +516,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c #ifdef CBCP_SUPPORT #include "cbcp.h" #endif -@@ -183,6 +186,11 @@ +@@ -186,6 +189,11 @@ /* Hook for a plugin to get the CHAP password for authenticating us */ int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; 
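Review bot: The sources appended for the MS-CHAP, EAP-TLS, MD5 and SHA-1 paths go to `PPPDSRC`, but the variable this Makefile defines and uses is `PPPDSRCS` (see the `PPPDSRCS = main.c …` line at the top of the hunk), so `md4.c chap_ms.c`, `eap-tls.c`, `md5.c` and `sha1.c` never reach the source list; the `PPPDSRC += sha1.c` line even replaces a previously correct `PPPDSRCS += sha1.c`. Linking still works because the objects are added to `PPPDOBJS`, but anything derived from `PPPDSRCS` (presumably a depend or tags target) silently misses these files, so the four lines should read `PPPDSRCS += …`. In the Makefile.sol2 part of the same hunk, replacing `'-DDESTDIR="@DESTDIR@"'` with `'-DDESTDIR="/usr/local"'` drops the install-prefix substitution and hard-codes the path, which looks unintended for a packaging patch. `LIBS += -lcrypto` is also appended up to three times; harmless, but a single conditional append would be cleaner.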
@@ -412,22 +528,24 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c /* Hook for a plugin to say whether it is OK if the peer refuses to authenticate. */ int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,14 @@ +@@ -241,6 +249,16 @@ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ +#ifdef USE_EAPTLS +char *cacert_file = NULL; /* CA certificate file (pem format) */ ++char *ca_path = NULL; /* directory with CA certificates */ +char *cert_file = NULL; /* client certificate file (pem format) */ +char *privkey_file = NULL; /* client private key file (pem format) */ +char *crl_dir = NULL; /* directory containing CRL files */ +char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ ++char *max_tls_version = NULL; /* Maximum TLS protocol version (default=1.2) */ +bool need_peer_eap = 0; /* Require peer to authenticate us */ +#endif static char *uafname; /* name of most recent +ua file */ -@@ -254,6 +270,19 @@ +@@ -257,6 +275,19 @@ static int have_chap_secret __P((char *, char *, int, int *)); static int have_srp_secret __P((char *client, char *server, int need_ip, int *lacks_ipp)); 
@@ -447,23 +565,26 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, struct wordlist **, -@@ -401,6 +430,15 @@ +@@ -404,6 +435,18 @@ "Set telephone number(s) which are allowed to connect", OPT_PRIV | OPT_A2LIST }, +#ifdef USE_EAPTLS + { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, ++ { "capath", o_string, &ca_path, "EAP-TLS CA certificate directory" }, + { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, + { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, + { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, + { "crl", o_string, &crl_file, "Use specific CRL file" }, ++ { "max-tls-version", o_string, &max_tls_version, ++ "Maximum TLS version (1.0/1.1/1.2 (default)/1.3)" }, + { "need-peer-eap", o_bool, &need_peer_eap, + "Require the peer to authenticate us", 1 }, +#endif /* USE_EAPTLS */ { NULL } }; -@@ -730,6 +768,9 @@ +@@ -737,6 +780,9 @@ lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; @@ -473,7 +594,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c int i; struct protent *protp; -@@ -764,6 +805,22 @@ +@@ -771,6 +817,22 @@ } } @@ -496,7 +617,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c new_phase(PHASE_AUTHENTICATE); auth = 0; if (go->neg_eap) { -@@ -1277,6 +1334,15 @@ +@@ -1291,6 +1353,15 @@ our_name, 1, &lacks_ip); } 
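Review bot: The new EAP-TLS options (`ca`, `capath`, `cert`, `key`, `crl-dir`, `crl`, `max-tls-version`, `need-peer-eap`) are registered as plain `o_string`/`o_bool` entries without `OPT_PRIV`, unlike the privileged telephone-number option directly above them in the table. Where pppd is installed set-uid root, an unprivileged caller can presumably then point `key`, `ca`, `capath` or `crl-dir` at any path the root process can read and pick the trust anchors for its own session; if that is not intended, consider `OPT_PRIV` on the path-valued entries, or add a comment stating why unprivileged use is acceptable. `max-tls-version` is accepted here as a free-form string, so its validation has to happen where the value is consumed (outside this hunk); the help text could also say what an unrecognised value does.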
@@ -512,7 +633,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c if (auth_required && !can_auth && noauth_addrs == NULL) { if (default_auth) { option_error( -@@ -1331,7 +1397,11 @@ +@@ -1345,7 +1416,11 @@ passwd[0] != 0 || (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL))) || @@ -525,7 +646,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c hadchap = -1; if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1416,14 @@ +@@ -1360,8 +1435,14 @@ !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, NULL))) && !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, @@ -541,7 +662,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c } -@@ -1707,6 +1783,7 @@ +@@ -1721,6 +1802,7 @@ } @@ -549,7 +670,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c /* * get_secret - open the CHAP secret file and return the secret * for authenticating the given client on the given server. -@@ -2359,3 +2436,335 @@ +@@ -2373,3 +2455,345 @@ auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); } @@ -626,7 +747,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c + else if (server != NULL && server[0] == 0) + server = NULL; + -+ if (cacert_file && cert_file && privkey_file) ++ if ((cacert_file || ca_path) && cert_file && privkey_file) + return 1; + + filename = _PATH_EAPTLSCLIFILE; @@ -818,13 +939,14 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c + +int +get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, am_server) ++ cacertfile, capath, pkfile, am_server) + int unit; + char *client; + char *server; + char *clicertfile; + char *servcertfile; + char *cacertfile; ++ char *capath; + char *pkfile; + int am_server; +{ 
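Review bot: `get_eaptls_secret` gains a `capath` parameter in the middle of its argument list, but the definition is old-style (K&R), so a caller compiled without an updated prototype in scope passes the old eight arguments with no diagnostic and every argument after `cacertfile` shifts by one. The prototype (presumably in a header not shown in this diff) and every caller must be updated in the same patch; only this definition is visible here. A one-line comment above the definition naming the new output, e.g. `/* capath: out, MAXWORDLEN bytes, directory of trusted CA certificates */`, would help because the parameter order is otherwise documented only by position. The function body continues in the next hunk.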
@@ -834,13 +956,22 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c + struct wordlist *addrs = NULL; + struct wordlist *opts = NULL; + -+ /* in client mode the ca+cert+privkey can also be specified as options */ -+ if (!am_server && cacert_file && cert_file && privkey_file ) ++ /* maybe overkill, but it eases debugging */ ++ bzero(clicertfile, MAXWORDLEN); ++ bzero(servcertfile, MAXWORDLEN); ++ bzero(cacertfile, MAXWORDLEN); ++ bzero(capath, MAXWORDLEN); ++ bzero(pkfile, MAXWORDLEN); ++ ++ /* the ca+cert+privkey can also be specified as options */ ++ if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) + { + strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); ++ if (cacert_file) ++ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); ++ if (ca_path) ++ strlcpy( capath, ca_path, MAXWORDLEN ); + strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ servcertfile[0] = '\0'; + } + else + { @@ -885,10 +1016,10 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c +} +#endif + -diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c ---- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c 2018-06-02 01:42:04.022165436 +0200 -@@ -540,6 +540,9 @@ +diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c +--- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/ccp.c 2020-04-07 10:09:50.567118203 +0200 +@@ -539,6 +539,9 @@ if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; int auth_mschap_bits = auth_done[f->unit]; @@ -898,7 +1029,7 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c int numbits; /* -@@ -567,8 +570,23 @@ +@@ -566,8 +569,23 @@ lcp_close(f->unit, "MPPE required but not available"); return; } 
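Review bot: The added `bzero(…, MAXWORDLEN)` calls on `clicertfile`, `servcertfile`, `cacertfile`, `capath` and `pkfile` turn an implicit assumption into a hard contract — every caller must now pass buffers of at least `MAXWORDLEN` bytes for all five outputs, including the new `capath`, or the zeroing writes past the end; nothing in the hunk establishes those sizes, so the requirement belongs in the function's header comment (the function starts in the previous hunk and its body continues after this one). The comment `/* maybe overkill, but it eases debugging */` undersells what the zeroing does: it also guarantees each output is a terminated string when a branch does not fill it, which is what the removed `servcertfile[0] = '\0';` used to do for one of them, so say that instead. `bzero` is a legacy BSD interface marked obsolescent by POSIX; `memset(buf, 0, MAXWORDLEN)` is the portable form, which matters since the changelog says this code is now also built on Solaris.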
@@ -923,29 +1054,68 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c lcp_close(f->unit, "MPPE required but not available"); return; } -diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c ---- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c 2018-06-02 01:42:04.022165436 +0200 +diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c +--- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap-md5.c 2020-04-07 10:09:50.567118203 +0200 
@@ -36,7 +36,11 @@ #include "chap-new.h" #include "chap-md5.h" #include "magic.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" ++#ifdef USE_OPENSSL_MD5 ++#include "openssl/md5.h" +#else #include "md5.h" -+#endif /* USE_EAPTLS */ ++#endif /* USE_OPENSSL_MD5 */ #define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c ---- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c 2018-06-02 01:42:16.790124406 +0200 -@@ -0,0 +1,1313 @@ -+/* -+ * eap-tls.c - EAP-TLS implementation for PPP +diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c +--- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/chap_ms.c 2020-04-07 10:09:50.567118203 +0200 +@@ -534,7 +534,7 @@ + char *username, u_char Challenge[8]) + + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char sha1Hash[SHA1_SIGNATURE_SIZE]; + char *user; + +@@ -670,7 +670,7 @@ + 0x6E }; + + int i; +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char Digest[SHA1_SIGNATURE_SIZE]; + u_char Challenge[8]; + +@@ -724,7 +724,7 @@ + void + mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + + SHA1_Init(&sha1Context); +@@ -768,7 +768,7 @@ + mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], + u_char NTResponse[24], int IsServer) + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + +diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c +--- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.c 2020-04-07 10:09:50.568118202 +0200 +@@ -0,0 +1,1560 @@ ++/* * 
eap-tls.c - EAP-TLS implementation for PPP + * + * Copyright (c) Beniamino Galvani 2005 All rights reserved. ++ * Jan Just Keijser 2006-2019 All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions @@ -974,6 +1144,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + */ + +#include ++#include +#include +#include +#include @@ -992,21 +1163,44 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c +#include "lcp.h" +#include "pathnames.h" + ++typedef struct pw_cb_data ++{ ++ const void *password; ++ const char *prompt_info; ++} PW_CB_DATA; ++ +/* The openssl configuration file and engines can be loaded only once */ +static CONF *ssl_config = NULL; +static ENGINE *cert_engine = NULL; +static ENGINE *pkey_engine = NULL; + ++/* TLSv1.3 do we have a session ticket ? */ ++static int have_session_ticket = 0; ++ ++int ssl_verify_callback(int, X509_STORE_CTX *); ++void ssl_msg_callback(int write_p, int version, int ct, const void *buf, ++ size_t len, SSL * ssl, void *arg); ++int ssl_new_session_cb(SSL *s, SSL_SESSION *sess); ++ ++X509 *get_X509_from_file(char *filename); ++int ssl_cmp_certs(char *filename, X509 * a); ++ +#ifdef MPPE + -+#if OPENSSL_VERSION_NUMBER < 0x10100000L ++#define EAPTLS_MPPE_KEY_LEN 32 ++ ++/* ++ * The following stuff is only needed if SSL_export_keying_material() is not available ++ */ ++ ++#if OPENSSL_VERSION_NUMBER < 0x10001000L + +/* + * https://wiki.openssl.org/index.php/1.1_API_Changes + * tries to provide some guidance but ultimately falls short. ++ * + */ + -+ +static void HMAC_CTX_free(HMAC_CTX *ctx) +{ + if (ctx != NULL) { 
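Review bot: `static int have_session_ticket = 0;` is a single file-scope flag that ssl_new_session_cb sets to 1 and that, as far as the visible hunks show, is never cleared; once one TLSv1.3 ticket has arrived, eaptls_is_init_finished (hunk `@@ -1803,6 +2160,20 @@`) will report any later handshake as finished before its own ticket is seen. Reset it where a session is (re)created, e.g. `have_session_ticket = 0;` next to the new `ets->tls_v13 = 0;` in eaptls_init_ssl_client and eaptls_init_ssl_server, or move the flag into struct eaptls_session beside tls_v13 so it is per-session. If a reset exists in a part of the patch not shown here, this can be ignored.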
@@ -1023,11 +1217,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + return ctx; +} + -+/* -+ * These were basically jacked directly from the OpenSSL tree -+ * without adjustments. -+ */ -+ +static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, + size_t outlen) +{ @@ -1061,10 +1250,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + return outlen; +} + -+/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */ -+#define TLS_method TLSv1_method -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + +/* + * TLS PRF from RFC 2246 @@ -1122,8 +1307,8 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + const unsigned char *seed, unsigned int seed_len, + unsigned char *out, unsigned char *buf, unsigned int out_len) +{ -+ unsigned int i; -+ unsigned int len = (secret_len + 1) / 2; ++ unsigned int i; ++ unsigned int len = (secret_len + 1) / 2; + const unsigned char *s1 = secret; + const unsigned char *s2 = secret + (secret_len - len); + 
@@ -1135,66 +1320,143 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } +} + -+#define EAPTLS_MPPE_KEY_LEN 32 ++static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, ++ const char *label, size_t llen, ++ const unsigned char *p, size_t plen, ++ int use_context) ++{ ++ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; ++ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN]; ++ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; ++ size_t master_key_length; ++ unsigned char *pp; ++ ++ pp = seed; ++ ++ memcpy(pp, label, llen); ++ pp += llen; ++ ++ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE); ++ pp += SSL3_RANDOM_SIZE; ++ ++ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE); ++ ++ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, ++ sizeof(master_key)); ++ PRF(master_key, master_key_length, seed, llen, out, buf, olen); ++ ++ return 1; ++} ++ ++#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */ ++ + +/* -+ * Generate keys according to RFC 2716 and add to reply ++ * OpenSSL 1.1+ introduced a generic TLS_method() ++ * For older releases we substitute the appropriate method + */ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, -+ int client) ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++#define TLS_method SSLv23_method ++ ++#define SSL3_RT_HEADER 0x100 ++ ++#ifndef SSL_CTX_set_max_proto_version ++/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ ++static inline int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) +{ -+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN]; -+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; -+ unsigned char *p = seed; -+ SSL *s = ets->ssl; -+ size_t prf_size; -+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; -+ size_t master_key_length; ++ long sslopt = 0; ++ ++ if (tls_ver_max < TLS1_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1; ++ } ++#ifdef SSL_OP_NO_TLSv1_1 ++ if 
(tls_ver_max < TLS1_1_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1_1; ++ } ++#endif ++#ifdef SSL_OP_NO_TLSv1_2 ++ if (tls_ver_max < TLS1_2_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1_2; ++ } ++#endif ++ SSL_CTX_set_options(ctx, sslopt); + -+ prf_size = strlen(prf_label); ++ return 1; ++} ++#endif /* SSL_CTX_set_max_proto_version */ + -+ memcpy(p, prf_label, prf_size); -+ p += prf_size; ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + -+ prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE); -+ p += SSL3_RANDOM_SIZE; + -+ prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE); ++/* ++ * Generate keys according to RFC 2716 and add to reply ++ */ ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client) ++{ ++ unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; ++ const char *prf_label; ++ size_t prf_size; ++ unsigned char eap_tls13_context[] = { EAPT_TLS }; ++ unsigned char *context = NULL; ++ size_t context_len = 0; ++ unsigned char *p; ++ ++ dbglog("EAP-TLS generating MPPE keys"); ++ if (ets->tls_v13) ++ { ++ prf_label = "EXPORTER_EAP_TLS_Key_Material"; ++ context = eap_tls13_context; ++ context_len = 1; ++ } ++ else ++ { ++ prf_label = "client EAP encryption"; ++ } + -+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, -+ sizeof(master_key)); -+ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out)); ++ dbglog("EAP-TLS PRF label = %s", prf_label); ++ prf_size = strlen(prf_label); ++ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, ++ context, context_len, 0) != 1) ++ { ++ warn( "EAP-TLS: Failed generating keying material" ); ++ return; ++ } + -+ /* -+ * We now have the master send and receive keys. -+ * From these, generate the session send and receive keys. -+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) -+ */ -+ if (client) -+ { ++ /* ++ * We now have the master send and receive keys. ++ * From these, generate the session send and receive keys. 
++ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) ++ */ ++ if (client) ++ { + p = out; + BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); + p += EAPTLS_MPPE_KEY_LEN; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); -+ } -+ else -+ { -+ p = out; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); ++ } ++ else ++ { ++ p = out; ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); + p += EAPTLS_MPPE_KEY_LEN; + BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); -+ } ++ } + -+ mppe_keys_set = 1; ++ mppe_keys_set = 1; +} + -+#endif ++#endif /* MPPE */ + +void log_ssl_errors( void ) +{ + unsigned long ssl_err = ERR_get_error(); + -+ if (ssl_err != 0) ++ if (ssl_err != 0) + dbglog("EAP-TLS SSL error stack:"); + while (ssl_err != 0) { + dbglog( ERR_error_string( ssl_err, NULL ) ); 
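Review bot: The SSL_export_keying_material() fallback copies `label` into `seed[64 + 2*SSL3_RANDOM_SIZE]` and hands `olen` to PRF() together with a fixed `buf[4*EAPTLS_MPPE_KEY_LEN]`, but neither `llen` nor `olen` is checked against those sizes; the one caller in this hunk fits, yet the shim carries the real function's name and signature and would silently overrun the stack if reused with a longer label or output. A guard at the top, `if (llen > 64 || olen > sizeof(buf)) return 0;`, makes it fail the same way the caller already handles. Separately, eaptls_gen_mppe_keys leaves the exported key material in `out` after copying it into mppe_send_key/mppe_recv_key; `OPENSSL_cleanse(out, sizeof(out));` before returning would match the usual handling of MPPE key material.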
@@ -1216,34 +1478,34 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + +CONF *eaptls_ssl_load_config( void ) +{ -+ CONF *config; -+ int ret_code; -+ long error_line = 33; ++ CONF *config; ++ int ret_code; ++ long error_line = 33; + -+ config = NCONF_new( NULL ); ++ config = NCONF_new( NULL ); + dbglog( "Loading OpenSSL config file" ); -+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); -+ if (ret_code == 0) -+ { -+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); -+ NCONF_free( config ); -+ config = NULL; -+ ERR_clear_error(); -+ } ++ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); ++ if (ret_code == 0) ++ { ++ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); ++ NCONF_free( config ); ++ config = NULL; ++ ERR_clear_error(); ++ } + + dbglog( "Loading OpenSSL built-ins" ); -+ ENGINE_load_builtin_engines(); -+ OPENSSL_load_builtin_modules(); ++ ENGINE_load_builtin_engines(); ++ OPENSSL_load_builtin_modules(); + + dbglog( "Loading OpenSSL configured modules" ); -+ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) -+ { -+ warn( "EAP-TLS: Error loading OpenSSL modules" ); ++ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) ++ { ++ warn( "EAP-TLS: Error loading OpenSSL modules" ); + log_ssl_errors(); -+ config = NULL; -+ } ++ config = NULL; ++ } + -+ return config; ++ return config; +} + +ENGINE *eaptls_ssl_load_engine( char *engine_name ) @@ -1255,7 +1517,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + dbglog( "Loading OpenSSL '%s' engine support", engine_name ); + e = ENGINE_by_id( engine_name ); -+ if (!e) ++ if (!e) + { + dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); + e = ENGINE_by_id( "dynamic" ); 
@@ -1276,7 +1538,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + } + -+ if (e) ++ if (e) + { + dbglog( "Initialising engine" ); + if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) @@ -1288,14 +1550,14 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + } + -+ return e; ++ return e; +} + +/* + * Initialize the SSL stacks and tests if certificates, key and crl + * for client or server use can be loaded. + */ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, + char *certfile, char *peer_certfile, char *privkeyfile) +{ + char *cert_engine_name = NULL; @@ -1303,30 +1565,39 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + char *pkey_engine_name = NULL; + char *pkey_identifier = NULL; + SSL_CTX *ctx; ++ SSL *ssl; + X509_STORE *certstore; + X509_LOOKUP *lookup; + X509 *tmp; ++ int ret; ++#if defined(TLS1_2_VERSION) ++ long tls_version = TLS1_2_VERSION; ++#elif defined(TLS1_1_VERSION) ++ long tls_version = TLS1_1_VERSION; ++#else ++ long tls_version = TLS1_VERSION; ++#endif + + /* + * Without these can't continue + */ -+ if (!cacertfile[0]) -+ { -+ error("EAP-TLS: CA certificate missing"); ++ if (!(cacertfile[0] || capath[0])) ++ { ++ error("EAP-TLS: CA certificate file or path missing"); + return NULL; -+ } ++ } + + if (!certfile[0]) -+ { -+ error("EAP-TLS: User certificate missing"); ++ { ++ error("EAP-TLS: Certificate missing"); + return NULL; -+ } ++ } + + if (!privkeyfile[0]) -+ { -+ error("EAP-TLS: User private key missing"); ++ { ++ error("EAP-TLS: Private key missing"); + return NULL; -+ } ++ } + + SSL_library_init(); + SSL_load_error_strings(); 
@@ -1422,15 +1693,20 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + } + -+ SSL_CTX_set_default_passwd_cb (ctx, password_callback); ++ SSL_CTX_set_default_passwd_cb (ctx, password_callback); + -+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) ++ if (strlen(cacertfile) == 0) cacertfile = NULL; ++ if (strlen(capath) == 0) capath = NULL; ++ ++ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, capath)) + { -+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); ++ error("EAP-TLS: Cannot load verify locations"); ++ if (cacertfile) dbglog("CA certificate file = [%s]", cacertfile); ++ if (capath) dbglog("CA certificate path = [%s]", capath); + goto fail; + } + -+ if (init_server) ++ if (init_server) + SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); + + if (cert_engine) @@ -1468,13 +1744,41 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + else + { -+ if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) ++ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile)) + { + error( "EAP-TLS: Cannot use public certificate %s", certfile ); + goto fail; + } + } + ++ ++ /* ++ * Check the Before and After dates of the certificate ++ */ ++ ssl = SSL_new(ctx); ++ tmp = SSL_get_certificate(ssl); ++ ++ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL); ++ if (ret == 0) ++ { ++ warn( "EAP-TLS: Failed to read certificate notBefore field."); ++ } ++ if (ret > 0) ++ { ++ warn( "EAP-TLS: Your certificate is not yet valid!"); ++ } ++ ++ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL); ++ if (ret == 0) ++ { ++ warn( "EAP-TLS: Failed to read certificate notAfter field."); ++ } ++ if (ret < 0) ++ { ++ warn( "EAP-TLS: Your certificate has expired!"); ++ } ++ SSL_free(ssl); ++ + if (pkey_engine) + { + EVP_PKEY *pkey = NULL; 
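Review bot: `cacertfile` is set to NULL when it is empty, but two lines later the server path still calls `SSL_load_client_CA_file(cacertfile)`; with only `capath` configured, which the new checks at the top of eaptls_init_ssl now permit, that passes NULL as a file name to a function that opens the file by name. Guard it, `if (init_server && cacertfile)`, and decide what the capath-only server case should advertise (skip the list, or build it from the directory); the result of SSL_load_client_CA_file is also worth checking before it goes to SSL_CTX_set_client_CA_list, since a NULL list means no CA names are sent to clients. eaptls_init_ssl continues outside this hunk.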
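Review bot: The new notBefore/notAfter check does not test the return values of `SSL_new(ctx)` or `SSL_get_certificate(ssl)` before `tmp` reaches X509_get_notBefore; both can return NULL, so an allocation failure would turn a warning-only check into a crash. A guard such as `if (ssl && (tmp = SSL_get_certificate(ssl)) != NULL) { ... }` keeps the check purely advisory, and the two 'Failed to read' branches should call log_ssl_errors() so the cause is visible. eaptls_init_ssl begins and ends outside this hunk.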
@@ -1517,9 +1821,56 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */ + SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 +#ifdef SSL_OP_NO_TICKET -+ | SSL_OP_NO_TICKET ++ | SSL_OP_NO_TICKET ++#endif ++ ); ++ ++ /* OpenSSL 1.1.1+ does not include RC4 ciphers by default. ++ * This causes totally obsolete WinXP clients to fail. If you really ++ * need ppp+EAP-TLS+openssl 1.1.1+WinXP then enable RC4 cipers and ++ * make sure that you use an OpenSSL that supports them ++ ++ SSL_CTX_set_cipher_list(ctx, "RC4"); ++ */ ++ ++ ++ /* Set up a SSL Session cache with a callback. This is needed for TLSv1.3+. ++ * During the initial handshake the server signals to the client early on ++ * that the handshake is finished, even before the client has sent its ++ * credentials to the server. The actual connection (and moment that the ++ * client sends its credentials) only starts after the arrival of the first ++ * session ticket. The 'ssl_new_session_cb' catches this ticket. ++ */ ++ SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT | SSL_SESS_CACHE_NO_INTERNAL_STORE); ++ SSL_CTX_sess_set_new_cb(ctx, ssl_new_session_cb); ++ ++ /* As EAP-TLS+TLSv1.3 is highly experimental we offer the user a chance to override */ ++ if (max_tls_version) ++ { ++ if (strncmp(max_tls_version, "1.0", 3) == 0) ++ tls_version = TLS1_VERSION; ++ else if (strncmp(max_tls_version, "1.1", 3) == 0) ++ tls_version = TLS1_1_VERSION; ++ else if (strncmp(max_tls_version, "1.2", 3) == 0) ++#ifdef TLS1_2_VERSION ++ tls_version = TLS1_2_VERSION; ++#else ++ { ++ warn("TLSv1.2 not available. 
Defaulting to TLSv1.1"); ++ tls_version = TLS_1_1_VERSION; ++ } +#endif -+); ++ else if (strncmp(max_tls_version, "1.3", 3) == 0) ++#ifdef TLS1_3_VERSION ++ tls_version = TLS1_3_VERSION; ++#else ++ warn("TLSv1.3 not available."); ++#endif ++ } ++ ++ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); ++ SSL_CTX_set_max_proto_version(ctx, tls_version); ++ + SSL_CTX_set_verify_depth(ctx, 5); + SSL_CTX_set_verify(ctx, + SSL_VERIFY_PEER | @@ -1543,33 +1894,33 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); + } + -+ if (crl_file) { -+ FILE *fp = NULL; -+ X509_CRL *crl = NULL; ++ if (crl_file) { ++ FILE *fp = NULL; ++ X509_CRL *crl = NULL; + -+ fp = fopen(crl_file, "r"); -+ if (!fp) { -+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); -+ goto fail; -+ } ++ fp = fopen(crl_file, "r"); ++ if (!fp) { ++ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); ++ goto fail; ++ } + -+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); -+ if (!crl) { -+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file); -+ goto fail; -+ } ++ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); ++ if (!crl) { ++ error("EAP-TLS: Cannot read CRL file '%s'", crl_file); ++ goto fail; ++ } + + if (!(certstore = SSL_CTX_get_cert_store(ctx))) { + error("EAP-TLS: Failed to get certificate store"); + goto fail; + } -+ if (!X509_STORE_add_crl(certstore, crl)) { -+ error("EAP-TLS: Cannot add CRL to certificate store"); -+ goto fail; -+ } ++ if (!X509_STORE_add_crl(certstore, crl)) { ++ error("EAP-TLS: Cannot add CRL to certificate store"); ++ goto fail; ++ } + X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); + -+ } ++ } + + /* + * If a peer certificate file was specified, it must be valid, else fail 
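Review bot: In the `#else` branch under `strncmp(max_tls_version, "1.2", 3)`, `tls_version = TLS_1_1_VERSION;` uses an identifier that the rest of this hunk spells `TLS1_1_VERSION`; on an OpenSSL without TLS1_2_VERSION, the only build in which that branch is compiled, this is an undeclared identifier and a build failure. Change it to `tls_version = TLS1_1_VERSION;`. Note also that only a maximum version is set; the context still admits TLSv1.0 through the `SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3` options alone, so if that floor is deliberate a comment saying so would help, and otherwise a matching minimum (SSL_CTX_set_min_proto_version on OpenSSL 1.1+, or the SSL_OP_NO_TLSv1 bits the shim above already knows about) belongs here.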
@@ -1606,10 +1957,10 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + mtu = ho->neg_mru? ho->mru: PPP_MRU; + mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; -+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; ++ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; + + dbglog("MTU = %d", mtu); -+ return mtu; ++ return mtu; +} + + @@ -1622,6 +1973,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + char servcertfile[MAXWORDLEN]; + char clicertfile[MAXWORDLEN]; + char cacertfile[MAXWORDLEN]; ++ char capath[MAXWORDLEN]; + char pkfile[MAXWORDLEN]; + /* + * Allocate new eaptls session @@ -1641,7 +1993,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + dbglog( "getting eaptls secret" ); + if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, + esp->es_server.ea_name, clicertfile, -+ servcertfile, cacertfile, pkfile, 1)) { ++ servcertfile, cacertfile, capath, pkfile, 1)) { + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", + esp->es_server.ea_peer, esp->es_server.ea_name ); + return 0; @@ -1649,7 +2001,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + ets->mtu = eaptls_get_mtu(esp->es_unit); + -+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); ++ ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile); + if (!ets->ctx) + goto fail; + @@ -1679,6 +2031,8 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + SSL_set_accept_state(ets->ssl); + ++ ets->tls_v13 = 0; ++ + ets->data = NULL; + ets->datalen = 0; + ets->alert_sent = 0; @@ -1709,6 +2063,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + char servcertfile[MAXWORDLEN]; + char clicertfile[MAXWORDLEN]; + char cacertfile[MAXWORDLEN]; ++ char capath[MAXWORDLEN]; + char pkfile[MAXWORDLEN]; + + /* 
@@ -1733,14 +2088,14 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + dbglog( "calling get_eaptls_secret" ); + if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, + ets->peer, clicertfile, -+ servcertfile, cacertfile, pkfile, 0)) { ++ servcertfile, cacertfile, capath, pkfile, 0)) { + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", + esp->es_client.ea_name, ets->peer ); + return 0; + } + + dbglog( "calling eaptls_init_ssl" ); -+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); ++ ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile); + if (!ets->ctx) + goto fail; + @@ -1768,6 +2123,8 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + SSL_set_connect_state(ets->ssl); + ++ ets->tls_v13 = 0; ++ + ets->data = NULL; + ets->datalen = 0; + ets->alert_sent = 0; @@ -1803,6 +2160,20 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + free(ets); +} + ++ ++int eaptls_is_init_finished(struct eaptls_session *ets) ++{ ++ if (ets->ssl && SSL_is_init_finished(ets->ssl)) ++ { ++ if (ets->tls_v13) ++ return have_session_ticket; ++ else ++ return 1; ++ } ++ ++ return 0; ++} ++ +/* + * Handle a received packet, reassembling fragmented messages and + * passing them to the ssl engine @@ -1821,7 +2192,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + GETCHAR(flags, inp); + len--; + -+ if (flags & EAP_TLS_FLAGS_LI && len >= 4) { ++ if (flags & EAP_TLS_FLAGS_LI && len > 4) { + /* + * LenghtIncluded flag set -> this is the first packet of a message + */ 
@@ -1923,16 +2294,21 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + start = *outp; + -+ if (!ets->data) { -+ ++ if (!ets->data) ++ { + if(!ets->alert_sent) -+ SSL_read(ets->ssl, fromtls, 65536); ++ { ++ res = SSL_read(ets->ssl, fromtls, 65536); ++ } + + /* + * Read from ssl + */ + if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) -+ fatal("No data from BIO_read"); ++ { ++ warn("EAP-TLS send: No data from BIO_read"); ++ return 1; ++ } + + ets->datalen = res; + @@ -1945,7 +2321,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + + size = ets->datalen - ets->offset; -+ ++ + if (size > ets->mtu) { + size = ets->mtu; + ets->frag = 1; @@ -2009,13 +2385,12 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + * is done by ssl; we check the CN in the peer certificate + * against the peer name. + */ -+int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) ++int ssl_verify_callback(int ok, X509_STORE_CTX * ctx) +{ + char subject[256]; + char cn_str[256]; + X509 *peer_cert; + int err, depth; -+ int ok = preverify_ok; + SSL *ssl; + struct eaptls_session *ets; + @@ -2025,7 +2400,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + + dbglog("certificate verify depth: %d", depth); + -+ if (auth_required && !ok) { ++ if (auth_required && !ok) { + X509_NAME_oneline(X509_get_subject_name(peer_cert), + subject, 256); + @@ -2065,7 +2440,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + */ + if (!ets->peer[0]) { + warn("Peer name not specified: no check"); -+ return 1; ++ return ok; + } + + /* @@ -2093,7 +2468,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + } + } + -+ return 1; ++ return ok; +} + +/* 
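Review bot: The new error path only treats `BIO_read(...) == -1` as failure, but BIO_read returns 0 when no data is available and -2 when the operation is unsupported, so those cases fall through with `ets->datalen = res` set to 0 or -2 and then used as a length. Test `res <= 0` instead: `if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) <= 0)`. The value now assigned from `SSL_read` just above is overwritten without being examined; if the call is only there to drive the handshake, a comment saying so (or `(void)SSL_read(...)`) would make that intent clear. eaptls_send begins and ends outside this hunk.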
@@ -2142,7 +2517,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + struct eaptls_session *ets = (struct eaptls_session *)arg; + unsigned char code; + const unsigned char*msg = buf; -+ int hvers = msg[1] << 8 | msg[2]; ++ int hvers = msg[1] << 8 | msg[2]; + + if(write_p) + strcpy(string, " -> "); @@ -2166,14 +2541,8 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + case TLS1_2_VERSION: + strcat(string, "TLS 1.2"); + break; -+ case DTLS1_VERSION: -+ strcat(string, "DTLS 1.0"); -+ break; -+ case DTLS1_2_VERSION: -+ strcat(string, "DTLS 1.2"); -+ break; + default: -+ strcat(string, "Unknown version"); ++ sprintf(string, "SSL/TLS Header: Unknown version (%d)", hvers); + } + break; + @@ -2196,6 +2565,12 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + strcat(string, "ChangeCipherSpec"); + break; + ++#ifdef SSL3_RT_INNER_CONTENT_TYPE ++ case SSL3_RT_INNER_CONTENT_TYPE: ++ strcat(string, "InnerContentType (TLS1.3)"); ++ break; ++#endif ++ + case SSL3_RT_HANDSHAKE: + + strcat(string, "Handshake: "); @@ -2216,6 +2591,16 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + strcat(string,"New Session Ticket"); + break; +#endif ++#ifdef SSL3_MT_END_OF_EARLY_DATA ++ case SSL3_MT_END_OF_EARLY_DATA: ++ strcat(string,"End of Early Data"); ++ break; ++#endif ++#ifdef SSL3_MT_ENCRYPTED_EXTENSIONS ++ case SSL3_MT_ENCRYPTED_EXTENSIONS: ++ strcat(string,"Encryped Extensions"); ++ break; ++#endif + case SSL3_MT_CERTIFICATE: + strcat(string,"Certificate"); + break; 
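Review bot: The new default case writes into `string` with an unbounded `sprintf`, on top of the `strcpy`/`strcat` chain that builds the rest of the message with no length tracking; `string` is declared outside this hunk, so its size is not visible here. If it is a fixed array, `snprintf(string, sizeof(string), "SSL/TLS Header: Unknown version (%d)", hvers);` bounds at least this write, and the same applies to the `sprintf` in the Handshake default case of hunk `@@ -2235,9 +2620,31 @@`. ssl_msg_callback begins outside this hunk.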
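Review bot: The new log text `"Encryped Extensions"` in the SSL3_MT_ENCRYPTED_EXTENSIONS case is misspelled; it does not affect behaviour, but it is the string people will grep for in debug output. Change it to `strcat(string,"Encrypted Extensions");`.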
@@ -2235,9 +2620,31 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + strcat(string,"Client Key Exchange"); + break; + case SSL3_MT_FINISHED: -+ strcat(string,"Finished"); ++ strcat(string,"Finished: "); ++ hvers = SSL_version(ssl); ++ switch(hvers) { ++ case SSL3_VERSION: ++ strcat(string, "SSL 3.0"); ++ break; ++ case TLS1_VERSION: ++ strcat(string, "TLS 1.0"); ++ break; ++ case TLS1_1_VERSION: ++ strcat(string, "TLS 1.1"); ++ break; ++ case TLS1_2_VERSION: ++ strcat(string, "TLS 1.2"); ++ break; ++#ifdef TLS1_3_VERSION ++ case TLS1_3_VERSION: ++ strcat(string, "TLS 1.3 (experimental)"); ++ ets->tls_v13 = 1; ++ break; ++#endif ++ default: ++ strcat(string, "Unknown version"); ++ } + break; -+ + default: + sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); + } @@ -2255,14 +2662,25 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c + dbglog("%s", string); +} + -diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h ---- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h 2018-06-02 01:42:04.023165433 +0200 -@@ -0,0 +1,107 @@ ++int ++ssl_new_session_cb(SSL *s, SSL_SESSION *sess) ++{ ++ dbglog("EAP-TLS: Post-Handshake New Session Ticket arrived:"); ++ have_session_ticket = 1; ++ ++ /* always return success */ ++ return 1; ++} ++ +diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h +--- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap-tls.h 2020-04-07 10:09:50.568118202 +0200 +@@ -0,0 +1,96 @@ +/* + * eap-tls.h + * + * Copyright (c) Beniamino Galvani 2005 All rights reserved. ++ * Jan Just Keijser 2006-2019 All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions 
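Review bot: `ets->tls_v13 = 1;` is set from inside ssl_msg_callback, a debug message callback, so the session's protocol-version state depends on that callback being installed and on the Finished message passing through it; the key-export label and eaptls_is_init_finished both hang on that flag. Deriving it where it is consumed is more robust, e.g. `#ifdef TLS1_3_VERSION if (SSL_version(ets->ssl) == TLS1_3_VERSION) ets->tls_v13 = 1; #endif` at the start of eaptls_is_init_finished and eaptls_gen_mppe_keys, leaving the callback to log only. The "(experimental)" label is fine for the log line but should not be the place the state is decided.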
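Review bot: ssl_new_session_cb returns 1, which under OpenSSL's new-session callback contract means the application keeps the reference to `sess` and must release it with SSL_SESSION_free; nothing here stores or frees the session, so each ticket leaks one SSL_SESSION. Since the callback only records the arrival, return 0 and say why: `/* we keep no reference to the session, let OpenSSL drop it */ return 0;`. The existing `/* always return success */` comment should go with it, because the return value signals ownership, not success.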
@@ -2297,7 +2715,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h + +#include +#include -+#include + +#define EAP_TLS_FLAGS_LI 128 /* length included flag */ +#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ @@ -2309,11 +2726,12 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h +{ + u_char *data; /* buffered data */ + int datalen; /* buffered data len */ -+ int offset; /* from where to send */ -+ int tlslen; /* total length of tls data */ -+ bool frag; /* packet is fragmented */ ++ int offset; /* from where to send */ ++ int tlslen; /* total length of tls data */ ++ bool frag; /* packet is fragmented */ ++ bool tls_v13; /* whether we've negotiated TLSv1.3 */ + SSL_CTX *ctx; -+ SSL *ssl; /* ssl connection */ ++ SSL *ssl; /* ssl connection */ + BIO *from_ssl; + BIO *into_ssl; + char peer[MAXWORDLEN]; /* peer name */ 
@@ -2322,38 +2740,27 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h + u_char alert_sent_desc; + bool alert_recv; + u_char alert_recv_desc; -+ char rtx[65536]; /* retransmission buffer */ ++ char rtx[EAP_TLS_MAX_LEN]; /* retransmission buffer */ + int rtx_len; + int mtu; /* unit mtu */ +}; + -+typedef struct pw_cb_data -+{ -+ const void *password; -+ const char *prompt_info; -+} PW_CB_DATA; -+ -+ -+int ssl_verify_callback(int, X509_STORE_CTX *); -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf, -+ size_t len, SSL * ssl, void *arg); -+ -+X509 *get_X509_from_file(char *filename); -+int ssl_cmp_certs(char *filename, X509 * a); + -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, + char *certfile, char *peer_certfile, char *privkeyfile); +int eaptls_init_ssl_server(eap_state * esp); +int eaptls_init_ssl_client(eap_state * esp); +void eaptls_free_session(struct eaptls_session *ets); + ++int eaptls_is_init_finished(struct eaptls_session *ets); ++ +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); +int eaptls_send(struct eaptls_session *ets, u_char ** outp); +void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); + +int get_eaptls_secret(int unit, char *client, char *server, + char *clicertfile, char *servcertfile, char *cacertfile, -+ char *pkfile, int am_server); ++ char *capath, char *pkfile, int am_server); + +#ifdef MPPE +#include "mppe.h" /* MPPE_MAX_KEY_LEN */ 
@@ -2361,14 +2768,13 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h +extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; +extern int mppe_keys_set; + -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); -+ ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, int client); +#endif + +#endif -diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c ---- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c 2018-06-02 01:42:04.023165433 +0200 +diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c +--- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.c 2020-04-07 10:09:50.569118201 +0200 @@ -43,6 +43,11 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ @@ -2387,15 +2793,30 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c #include "pathnames.h" -#include "md5.h" #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" ++#ifdef USE_OPENSSL_MD5 ++#include "openssl/md5.h" +#else +#include "md5.h" -+#endif /* USE_EAPTLS */ ++#endif /* USE_OPENSSL_MD5 */ #ifdef USE_SRP #include -@@ -209,6 +218,9 @@ +@@ -72,8 +81,12 @@ + #include "pppcrypt.h" + #endif /* USE_SRP */ + +-#ifndef SHA_DIGESTSIZE +-#define SHA_DIGESTSIZE 20 ++#ifdef USE_EAPTLS ++#include "eap-tls.h" ++#endif /* USE_EAPTLS */ ++ ++#ifndef SHA_DIGEST_LENGTH ++#define SHA_DIGEST_LENGTH 20 + #endif + + +@@ -208,6 +221,9 @@ esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; 
@@ -2405,7 +2826,18 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c } /* -@@ -436,8 +448,16 @@ +@@ -316,8 +332,8 @@ + { + struct tm *tp; + char tbuf[9]; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + time_t reftime; + + if (pn_secret == NULL) +@@ -435,8 +451,16 @@ u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ @@ -2422,7 +2854,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c switch (esp->es_server.ea_state) { case eapBadAuth: return; -@@ -562,9 +582,79 @@ +@@ -561,9 +585,81 @@ break; } #endif /* USE_SRP */ @@ -2478,18 +2910,20 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + if(SSL_is_init_finished(ets->ssl)) + esp->es_server.ea_state = eapTlsRecvClient; + else -+ esp->es_server.ea_state = eapTlsRecv; ++ /* JJK Add "TLS empty record" message here ??? */ ++ esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsSendAck: -+ esp->es_server.ea_state = eapTlsRecv; ++ esp->es_server.ea_state = eapTlsRecv; + break; + + case eapTlsRecvAck: -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } ++ if (status) ++ { ++ esp->es_server.ea_state = eapBadAuth; ++ break; ++ } + + esp->es_server.ea_state = eapTlsSend; + break; 
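Review bot: In the eapTlsRecv case of the server state machine the new code still calls `SSL_is_init_finished(ets->ssl)` directly, while the same patch adds `int eaptls_is_init_finished(struct eaptls_session *ets);` to eap-tls.h and switches the client path to it; using the helper here as well, `if (eaptls_is_init_finished(ets))`, keeps the handshake-complete decision in one place. The added `/* JJK Add "TLS empty record" message here ??? */` comment sits between an unbraced `else` and its statement, which is easy to misread as the else body; brace the else and turn the comment into a plain `/* TODO: ... */` or drop it. The enclosing switch in eap_figure_next_state starts and ends outside this hunk.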
@@ -2502,7 +2936,31 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; -@@ -718,6 +808,30 @@ +@@ -629,6 +725,10 @@ + } + if (esp->es_server.ea_state == eapBadAuth) + eap_send_failure(esp); ++ ++#ifdef USE_EAPTLS ++ dbglog("EAP id=0x%2x '%s' -> '%s'", esp->es_server.ea_id, eap_state_name(esp->es_server.ea_prev_state), eap_state_name(esp->es_server.ea_state)); ++#endif /* USE_EAPTLS */ + } + + /* +@@ -647,10 +747,10 @@ + char *str; + #ifdef USE_SRP + struct t_server *ts; +- u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp; ++ u_char clear[8], cipher[8], dig[SHA_DIGEST_LENGTH], *optr, *cp; + int i, j; + struct b64state b64; +- SHA1_CTX ctxt; ++ SHA_CTX ctxt; + #endif /* USE_SRP */ + + /* Handle both initial auth and restart */ +@@ -717,6 +817,30 @@ INCPTR(esp->es_server.ea_namelen, outp); break; 
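Review bot: The added `dbglog("EAP id=0x%2x '%s' -> '%s'", ...)` uses `%2x`, which space-pads rather than zero-pads, so an id below 0x10 prints as `0x a`; `0x%02x` is almost certainly what was intended. `ea_id` is stored as a `u_char` elsewhere in this series, so it promotes to int cleanly and only the width flag needs changing: `dbglog("EAP id=0x%02x '%s' -> '%s'", esp->es_server.ea_id, ...)`. If eap_state_name() can be given a state outside its table (ea_prev_state is new here), confirm it returns a printable string rather than NULL.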
@@ -2533,7 +2991,48 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); -@@ -904,11 +1018,57 @@ +@@ -763,8 +887,8 @@ + PUTLONG(SRPVAL_EBIT, outp); + ts = (struct t_server *)esp->es_server.ea_session; + assert(ts != NULL); +- BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE); +- INCPTR(SHA_DIGESTSIZE, outp); ++ BCOPY(t_serverresponse(ts), outp, SHA_DIGEST_LENGTH); ++ INCPTR(SHA_DIGEST_LENGTH, outp); + + if (pncrypt_setkey(0)) { + /* Generate pseudonym */ +@@ -804,9 +928,9 @@ + /* Set length and pad out to next 20 octet boundary */ + i = outp - optr - 1; + *optr = i; +- i %= SHA_DIGESTSIZE; ++ i %= SHA_DIGEST_LENGTH; + if (i != 0) { +- while (i < SHA_DIGESTSIZE) { ++ while (i < SHA_DIGEST_LENGTH) { + *outp++ = drand48() * 0x100; + i++; + } +@@ -822,14 +946,14 @@ + while (optr < outp) { + SHA1Final(dig, &ctxt); + cp = dig; +- while (cp < dig + SHA_DIGESTSIZE) ++ while (cp < dig + SHA_DIGEST_LENGTH) + *optr++ ^= *cp++; + SHA1Init(&ctxt); + SHA1Update(&ctxt, &esp->es_server.ea_id, 1); + SHA1Update(&ctxt, esp->es_server.ea_skey, + SESSION_KEY_LEN); +- SHA1Update(&ctxt, optr - SHA_DIGESTSIZE, +- SHA_DIGESTSIZE); ++ SHA1Update(&ctxt, optr - SHA_DIGEST_LENGTH, ++ SHA_DIGEST_LENGTH); + } + } + break; +@@ -903,11 +1027,57 @@ eap_server_timeout(arg) void *arg; { 
@@ -2591,7 +3090,20 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c /* EAP ID number must not change on timeout. */ eap_send_request(esp); } -@@ -1166,6 +1326,81 @@ +@@ -1154,17 +1324,90 @@ + PUTCHAR(id, outp); + esp->es_client.ea_id = id; + msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + +- SHA_DIGESTSIZE; ++ SHA_DIGEST_LENGTH; + PUTSHORT(msglen, outp); + PUTCHAR(EAPT_SRP, outp); + PUTCHAR(EAPSRP_CVALIDATOR, outp); + PUTLONG(flags, outp); +- BCOPY(str, outp, SHA_DIGESTSIZE); ++ BCOPY(str, outp, SHA_DIGEST_LENGTH); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen); } #endif /* USE_SRP */ @@ -2604,16 +3116,16 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c +eap_state *esp; +u_char id; +{ -+ u_char *outp; -+ int outlen; ++ u_char *outp; ++ int outlen; + u_char *lenloc; + -+ outp = outpacket_buf; ++ outp = outpacket_buf; + -+ MAKEHEADER(outp, PPP_EAP); ++ MAKEHEADER(outp, PPP_EAP); + -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); ++ PUTCHAR(EAP_RESPONSE, outp); ++ PUTCHAR(id, outp); + + lenloc = outp; + INCPTR(2, outp); @@ -2633,7 +3145,6 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); + + esp->es_client.ea_id = id; -+ +} + +/* 
@@ -2666,14 +3177,50 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + PUTSHORT(outlen, lenloc); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ +} +#endif /* USE_EAPTLS */ + static void eap_send_nak(esp, id, type) eap_state *esp; -@@ -1320,6 +1555,11 @@ +@@ -1251,8 +1494,8 @@ + { + u_char val; + u_char *datp, *digp; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + int dsize, fd, olen = len; + + /* +@@ -1261,21 +1504,21 @@ + */ + val = id; + while (len > 0) { +- if ((dsize = len % SHA_DIGESTSIZE) == 0) +- dsize = SHA_DIGESTSIZE; ++ if ((dsize = len % SHA_DIGEST_LENGTH) == 0) ++ dsize = SHA_DIGEST_LENGTH; + len -= dsize; + datp = inp + len; + SHA1Init(&ctxt); + SHA1Update(&ctxt, &val, 1); + SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN); + if (len > 0) { +- SHA1Update(&ctxt, datp, SHA_DIGESTSIZE); ++ SHA1Update(&ctxt, datp, SHA_DIGEST_LENGTH); + } else { + SHA1Update(&ctxt, esp->es_client.ea_name, + esp->es_client.ea_namelen); + } + SHA1Final(dig, &ctxt); +- for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++) ++ for (digp = dig; digp < dig + SHA_DIGEST_LENGTH; digp++) + *datp++ ^= *digp; + } + +@@ -1319,12 +1562,17 @@ char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; @@ -2685,7 +3232,15 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c #ifdef USE_SRP struct t_client *tc; struct t_num sval, gval, Nval, *Ap, Bval; -@@ -1456,6 +1696,100 @@ + u_char vals[2]; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + int fd; + #endif /* USE_SRP */ + +@@ -1455,6 +1703,96 @@ esp->es_client.ea_namelen); break; 
@@ -2706,11 +3261,11 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + + esp->es_client.ea_using_eaptls = 1; + -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; ++ if (explicit_remote){ ++ esp->es_client.ea_peer = strdup(remote_name); ++ esp->es_client.ea_peerlen = strlen(remote_name); ++ } else ++ esp->es_client.ea_peer = NULL; + + /* Init ssl session */ + if(!eaptls_init_ssl_client(esp)) { @@ -2722,8 +3277,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + + ets = esp->es_client.ea_session; + eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + } + @@ -2733,8 +3287,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + + case eapTlsRecvAck: + eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); + break; + + case eapTlsRecv: @@ -2758,9 +3311,9 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + } + + /* Check if TLS handshake is finished */ -+ if(SSL_is_init_finished(ets->ssl)){ ++ if(eaptls_is_init_finished(ets)) { +#ifdef MPPE -+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); ++ eaptls_gen_mppe_keys(ets, 1); +#endif + eaptls_free_session(ets); + eap_tls_sendack(esp, id); @@ -2769,10 +3322,8 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + } + + eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ -+ break; ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : eapTlsRecv); ++ break; + + default: + eap_send_nak(esp, id, EAPT_TLS); 
@@ -2786,8 +3337,41 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c #ifdef USE_SRP case EAPT_SRP: if (len < 1) { -@@ -1737,6 +2071,11 @@ - u_char dig[SHA_DIGESTSIZE]; +@@ -1639,7 +1977,7 @@ + esp->es_client.ea_id, id); + } + } else { +- len -= sizeof (u_int32_t) + SHA_DIGESTSIZE; ++ len -= sizeof (u_int32_t) + SHA_DIGEST_LENGTH; + if (len < 0 || t_clientverify(tc, inp + + sizeof (u_int32_t)) != 0) { + error("EAP: SRP server verification " +@@ -1649,7 +1987,7 @@ + GETLONG(esp->es_client.ea_keyflags, inp); + /* Save pseudonym if user wants it. */ + if (len > 0 && esp->es_usepseudo) { +- INCPTR(SHA_DIGESTSIZE, inp); ++ INCPTR(SHA_DIGEST_LENGTH, inp); + write_pseudonym(esp, inp, len, id); + } + } +@@ -1676,7 +2014,7 @@ + esp->es_client.ea_namelen); + SHA1Final(dig, &ctxt); + eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig, +- SHA_DIGESTSIZE); ++ SHA_DIGEST_LENGTH); + break; + + default: +@@ -1732,10 +2070,15 @@ + #ifdef USE_SRP + struct t_server *ts; + struct t_num A; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ eHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; #endif /* USE_SRP */ +#ifdef USE_EAPTLS @@ -2798,7 +3382,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c if (esp->es_server.ea_id != id) { dbglog("EAP: discarding Response %d; expected ID %d", id, esp->es_server.ea_id); -@@ -1776,6 +2115,64 @@ +@@ -1775,6 +2118,64 @@ eap_figure_next_state(esp, 0); break; @@ -2809,6 +3393,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + case eapTlsRecv: + + ets = (struct eaptls_session *) esp->es_server.ea_session; ++ + eap_figure_next_state(esp, + eaptls_receive(esp->es_server.ea_session, inp, len)); + 
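Review bot: The new declaration `eHA_CTX ctxt;` in the USE_SRP block at the top of the server Response handler (the function that logs "EAP: discarding Response") looks like a typo for `SHA_CTX ctxt;` — no `eHA_CTX` type is defined anywhere in this patch, and every other `SHA1_CTX` rename in the series becomes `SHA_CTX`. It goes unnoticed only because the line is inside `#ifdef USE_SRP`, which the default Linux build leaves undefined, so an SRP-enabled build would fail to compile eap.c. Unless this is an artifact of how the page was rendered, the line should read `SHA_CTX ctxt;`. The function's body continues outside this hunk.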
@@ -2827,13 +3412,12 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c + + case eapTlsRecvClient: + /* Receive authentication response from client */ -+ + if (len > 0) { + GETCHAR(flags, inp); + + if(len == 1 && !flags) { /* Ack = ok */ +#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); ++ eaptls_gen_mppe_keys( esp->es_server.ea_session, 0 ); +#endif + eap_send_success(esp); + } @@ -2863,7 +3447,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); break; -@@ -1807,6 +2204,13 @@ +@@ -1806,6 +2207,13 @@ esp->es_server.ea_state = eapMD5Chall; break; @@ -2877,7 +3461,37 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c default: dbglog("EAP: peer requesting unknown Type %d", vallen); switch (esp->es_server.ea_state) { -@@ -2018,13 +2422,27 @@ +@@ -1923,9 +2331,9 @@ + eap_figure_next_state(esp, 1); + break; + } +- if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) { ++ if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH) { + error("EAP: M1 length %d < %d", len, +- sizeof (u_int32_t) + SHA_DIGESTSIZE); ++ sizeof (u_int32_t) + SHA_DIGEST_LENGTH); + eap_figure_next_state(esp, 1); + break; + } +@@ -1962,7 +2370,7 @@ + info("EAP: unexpected SRP Subtype 4 Response"); + return; + } +- if (len != SHA_DIGESTSIZE) { ++ if (len != SHA_DIGEST_LENGTH) { + error("EAP: bad Lightweight rechallenge " + "response"); + return; +@@ -1976,7 +2384,7 @@ + SHA1Update(&ctxt, esp->es_server.ea_peer, + esp->es_server.ea_peerlen); + SHA1Final(dig, &ctxt); +- if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { ++ if (BCMP(dig, inp, SHA_DIGEST_LENGTH) != 0) { + error("EAP: failed Lightweight rechallenge"); + eap_send_failure(esp); + break; +@@ -2017,13 +2425,27 @@ int id; int len; { 
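Review bot: The rewritten `error("EAP: M1 length %d < %d", len, sizeof (u_int32_t) + SHA_DIGEST_LENGTH);` still passes a `size_t` sum to a `%d` conversion, which is undefined behaviour in C and trips -Wformat; since the line is already being touched for the macro rename, cast it, `(int)(sizeof (u_int32_t) + SHA_DIGEST_LENGTH)`. The preceding `if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH)` compares the signed `len` against an unsigned size, so a negative `len` would pass the check; that is pre-existing, but a `len < 0 ||` guard on the same line would close it. The enclosing SRP subtype switch starts and ends outside this hunk.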
@@ -2906,7 +3520,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); } -@@ -2150,6 +2568,9 @@ +@@ -2149,6 +2571,9 @@ int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; @@ -2916,7 +3530,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c if (inlen < EAP_HEADERLEN) return (0); -@@ -2214,6 +2635,24 @@ +@@ -2213,6 +2638,24 @@ } break; @@ -2941,7 +3555,21 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c case EAPT_SRP: if (len < 3) goto truncated; -@@ -2325,6 +2764,25 @@ +@@ -2280,10 +2723,10 @@ + if (uval != 0) { + printer(arg, " f<%X>", uval); + } +- if ((vallen = len) > SHA_DIGESTSIZE) +- vallen = SHA_DIGESTSIZE; ++ if ((vallen = len) > SHA_DIGEST_LENGTH) ++ vallen = SHA_DIGEST_LENGTH; + printer(arg, " ", len, inp, +- len < SHA_DIGESTSIZE ? "?" : ""); ++ len < SHA_DIGEST_LENGTH ? "?" : ""); + INCPTR(vallen, inp); + len -= vallen; + if (len > 0) { +@@ -2324,6 +2767,25 @@ } break; 
@@ -2967,14 +3595,36 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c case EAPT_NAK: if (len <= 0) { printer(arg, " "); -@@ -2426,3 +2884,4 @@ +@@ -2387,7 +2849,7 @@ + printer(arg, " f<%X>", uval); + } + printer(arg, " ", len, inp, +- len == SHA_DIGESTSIZE ? "" : "?"); ++ len == SHA_DIGEST_LENGTH ? "" : "?"); + INCPTR(len, inp); + len = 0; + break; +@@ -2397,9 +2859,9 @@ + + case EAPSRP_LWRECHALLENGE: + printer(arg, " ", len, inp, +- len == SHA_DIGESTSIZE ? "" : "?"); +- if ((vallen = len) > SHA_DIGESTSIZE) +- vallen = SHA_DIGESTSIZE; ++ len == SHA_DIGEST_LENGTH ? "" : "?"); ++ if ((vallen = len) > SHA_DIGEST_LENGTH) ++ vallen = SHA_DIGEST_LENGTH; + INCPTR(vallen, inp); + len -= vallen; + break; +@@ -2425,3 +2887,4 @@ return (inp - pstart); } + -diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h ---- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h 2018-06-02 01:42:04.023165433 +0200 +diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h +--- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/eap.h 2020-04-07 10:09:50.569118201 +0200 @@ -84,6 +84,16 @@ eapClosed, /* Authentication not in use */ eapListen, /* Client ready (and timer running) */ 
@@ -3043,44 +3693,9 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ -diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c ---- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c 2018-06-02 01:42:04.023165433 +0200 -@@ -33,6 +33,8 @@ - *********************************************************************** - */ - -+#ifndef USE_EAPTLS -+ - #include - #include "md5.h" - -@@ -305,3 +307,5 @@ - ** End of md5.c ** - ******************************** (cut) ******************************** - */ -+#endif /* USE_EAPTLS */ -+ -diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h ---- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h 2018-06-02 01:42:04.024165430 +0200 -@@ -36,6 +36,7 @@ - ** documentation and/or software. ** - *********************************************************************** - */ -+#ifndef USE_EAPTLS - - #ifndef __MD5_INCLUDE__ - -@@ -63,3 +64,5 @@ - - #define __MD5_INCLUDE__ - #endif /* __MD5_INCLUDE__ */ -+ -+#endif /* USE_EAPTLS */ -diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h ---- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h 2018-06-02 01:42:04.024165430 +0200 +diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h +--- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pathnames.h 2020-04-07 10:09:50.569118201 +0200 @@ -21,6 +21,13 @@ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" 
@@ -3095,11 +3710,11 @@ diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathname #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux ---- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux 2018-06-02 01:42:04.024165430 +0200 +diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux +--- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/Makefile.linux 2020-04-07 10:09:50.569118201 +0200 @@ -4,6 +4,9 @@ - LDFLAGS = -shared + LDFLAGS_SHARED = -shared INSTALL = install +# EAP-TLS @@ -3108,9 +3723,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pp DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c ---- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c 2018-06-02 01:42:04.024165430 +0200 +diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c +--- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passprompt.c 2020-04-07 10:09:50.569118201 +0200 @@ -107,4 +107,7 @@ { add_options(options); 
@@ -3119,9 +3734,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.101b/pppd + eaptls_passwd_hook = promptpass; +#endif } -diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c ---- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c 2018-06-02 01:42:04.024165430 +0200 +diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c +--- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/plugins/passwordfd.c 2020-04-07 10:09:50.569118201 +0200 @@ -79,4 +79,8 @@ chap_check_hook = pwfd_check; @@ -3131,10 +3746,21 @@ diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.101b/pppd + eaptls_passwd_hook = pwfd_passwd; +#endif } -diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 ---- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 2018-06-02 01:42:04.025165427 +0200 -@@ -248,6 +248,12 @@ +diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c +--- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppcrypt.c 2020-04-07 10:09:50.569118201 +0200 +@@ -31,6 +31,7 @@ + */ + + #include ++#include + #include "pppd.h" + #include "pppcrypt.h" + +diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 +--- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.8 2020-04-07 10:09:50.570118199 +0200 +@@ -260,6 +260,12 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. .TP 
@@ -3147,7 +3773,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 .B cdtrcts Use a non-standard hardware flow control (i.e. DTR/CTS) to control the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -259,6 +265,12 @@ +@@ -271,6 +277,12 @@ bi-directional flow control. The sacrifice is that this flow control mode does not permit using DTR as a modem control line. .TP @@ -3160,7 +3786,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 .B chap\-interval \fIn If this option is given, pppd will rechallenge the peer every \fIn\fR seconds. -@@ -287,6 +299,18 @@ +@@ -299,6 +311,18 @@ 1000 (1 second). This wait period only applies if the \fBconnect\fR or \fBpty\fR option is used. .TP @@ -3179,7 +3805,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 .B debug Enables connection debugging facilities. If this option is given, pppd will log the contents of all -@@ -551,6 +575,12 @@ +@@ -563,6 +587,12 @@ the kernel are logged by syslog(1) to a file as directed in the /etc/syslog.conf configuration file. .TP @@ -3192,7 +3818,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 .B ktune Enables pppd to alter kernel settings as appropriate. Under Linux, pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -709,6 +739,9 @@ +@@ -721,6 +751,9 @@ Disable Address/Control compression in both directions (send and receive). .TP 
@@ -3202,22 +3828,23 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 .B noauth Do not require the peer to authenticate itself. This option is privileged. -diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h ---- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h 2018-06-02 01:42:04.025165427 +0200 -@@ -325,6 +325,11 @@ +diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h +--- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/pppd.h 2020-04-07 10:09:50.570118199 +0200 +@@ -341,6 +341,12 @@ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ +#ifdef USE_EAPTLS +extern char *crl_dir; +extern char *crl_file; ++extern char *max_tls_version; +#endif /* USE_EAPTLS */ + #ifdef MAXOCTETS extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern int maxoctets_dir; /* Direction : -@@ -741,6 +746,10 @@ +@@ -763,6 +769,10 @@ extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern void (*multilink_join_hook) __P((void)); 
@@ -3228,3 +3855,94 @@ diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h /* Let a plugin snoop sent and received packets. Useful for L2TP */ extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len)); +diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c +--- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.c 2020-04-07 10:09:50.570118199 +0200 +@@ -101,7 +101,7 @@ + /* SHA1Init - Initialize new context */ + + void +-SHA1_Init(SHA1_CTX *context) ++SHA1_Init(SHA_CTX *context) + { + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; +@@ -116,7 +116,7 @@ + /* Run your data through this. */ + + void +-SHA1_Update(SHA1_CTX *context, const unsigned char *data, unsigned int len) ++SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len) + { + unsigned int i, j; + +@@ -140,7 +140,7 @@ + /* Add padding and return the message digest. 
*/ + + void +-SHA1_Final(unsigned char digest[20], SHA1_CTX *context) ++SHA1_Final(unsigned char *digest, SHA_CTX *context) + { + u_int32_t i, j; + unsigned char finalcount[8]; +diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h +--- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sha1.h 2020-04-07 10:09:50.570118199 +0200 +@@ -1,11 +1,5 @@ + /* sha1.h */ + +-/* If OpenSSL is in use, then use that version of SHA-1 */ +-#ifdef OPENSSL +-#include +-#define __SHA1_INCLUDE_ +-#endif +- + #ifndef __SHA1_INCLUDE_ + + #ifndef SHA1_SIGNATURE_SIZE +@@ -20,11 +14,11 @@ + u_int32_t state[5]; + u_int32_t count[2]; + unsigned char buffer[64]; +-} SHA1_CTX; ++} SHA_CTX; + +-extern void SHA1_Init(SHA1_CTX *); +-extern void SHA1_Update(SHA1_CTX *, const unsigned char *, unsigned int); +-extern void SHA1_Final(unsigned char[SHA1_SIGNATURE_SIZE], SHA1_CTX *); ++extern void SHA1_Init(SHA_CTX *context); ++extern void SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len); ++extern void SHA1_Final(unsigned char *data, SHA_CTX *context); + + #define __SHA1_INCLUDE_ + #endif /* __SHA1_INCLUDE_ */ +diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c +--- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.300/pppd/sys-solaris.c 2020-04-07 10:09:50.571118198 +0200 +@@ -1550,6 +1550,26 @@ + #endif /* defined(INET6) && defined(SOL2) */ + } + ++ ++ ++/* ++ * netif_get_mtu - get the MTU on the PPP network interface. ++ */ ++int ++netif_get_mtu(int unit) ++{ ++ struct ifreq ifr; ++ ++ memset (&ifr, '\0', sizeof (ifr)); ++ strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); ++ ++ if (ioctl(ipfd, SIOCGIFMTU, (caddr_t) &ifr) < 0) { ++ error("ioctl(SIOCGIFMTU): %m (line %d)", __LINE__); ++ return 0; ++ } ++ return ifr.ifr_mtu; ++} ++ + /* + * tty_send_config - configure the transmit characteristics of + * the ppp interface. 
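Review bot: sha1.h now names the local digest struct `SHA_CTX` and gives `SHA1_Init`/`SHA1_Update`/`SHA1_Final` OpenSSL-shaped prototypes while dropping the old `#ifdef OPENSSL` switch that deferred to `<openssl/sha.h>`; the local struct (state[5], count[2], buffer[64]) does not match OpenSSL's layout, so any translation unit that sees both sha1.h and an OpenSSL header — eap.c built with USE_SRP and USE_EAPTLS, if eap-tls.h pulls in `<openssl/ssl.h>` — would hit a conflicting typedef, and the identical function names risk colliding with libcrypto's exports at link time. Either keep the OPENSSL switch or give the local type and functions distinct names. Separately, the new `netif_get_mtu()` in sys-solaris.c returns 0 after a failed SIOCGIFMTU, so callers that size TLS fragments from it must treat 0 as "unknown" rather than as a usable MTU; a header comment such as `/* Returns the interface MTU, or 0 if it cannot be read. */` would make that contract explicit.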
diff --git a/0013-everywhere-O_CLOEXEC-harder.patch b/ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch similarity index 99% rename from 0013-everywhere-O_CLOEXEC-harder.patch rename to ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch index d720c362dd1131365be51bd7b58bd1011ab30ab6..87613af74c6fddea453a8d2d37e3bd92c5343fb5 100644 --- a/0013-everywhere-O_CLOEXEC-harder.patch +++ b/ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch @@ -146,9 +146,9 @@ index 8a12fa0..00a2cf5 100644 #endif - if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) + if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) + { warn("Couldn't open pty slave %s: %m", pty_name); - } - } + close(mfd); @@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) for (i = 0; i < 64; ++i) { slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", diff --git a/0025-pppd-install-pppd-binary-using-standard-perms-755.patch b/ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch similarity index 91% rename from 0025-pppd-install-pppd-binary-using-standard-perms-755.patch rename to ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch index 428d71ac9d31c5fba258f1319b055d82d5259fc8..bedb90242a0fb83e773ff873e4214d56e1b6350f 100644 --- a/0025-pppd-install-pppd-binary-using-standard-perms-755.patch +++ b/ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch @@ -23,7 +23,7 @@ index 0e8107f..534ccc2 100644 + $(INSTALL) -c -m 644 pppd.8 $(MANDIR) pppd: $(PPPDOBJS) - $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) + $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) -- 1.8.3.1 diff --git a/0009-pppd-introduce-ipv6-accept-remote.patch b/ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch similarity index 89% rename from 0009-pppd-introduce-ipv6-accept-remote.patch rename to ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch index af0f0152476136816cbce861db54f514896e39fe..eddef5b445f53b10d49ac447c21114c4400c6167 100644 
--- a/0009-pppd-introduce-ipv6-accept-remote.patch +++ b/ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch @@ -19,8 +19,8 @@ index caa2b26..5a56c95 100644 + { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote, + "Accept peer's interface identifier for itself", 1 }, - { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip, - "Use (default) IPv4 address as interface identifier", 1 }, + { "defaultroute6", o_bool, &ipv6cp_wantoptions[0].default_route, + "Add default IPv6 route", OPT_ENABLE|1, &ipv6cp_allowoptions[0].default_route }, @@ -437,6 +439,7 @@ ipv6cp_init(unit) memset(ao, 0, sizeof(*ao)); @@ -43,9 +43,9 @@ index cc4568d..8c7552e 100644 --- a/pppd/ipv6cp.h +++ b/pppd/ipv6cp.h @@ -150,7 +150,8 @@ - typedef struct ipv6cp_options { int neg_ifaceid; /* Negotiate interface identifier? */ int req_ifaceid; /* Ask peer to send interface identifier? */ + int default_route; /* Assign default route through interface? */ - int accept_local; /* accept peer's value for iface id? */ + int accept_local; /* accept peer's value for our iface id? */ + int accept_remote; /* accept peer's value for his iface id? */ diff --git a/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch similarity index 98% rename from 0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch rename to ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch index cf25dba3f9039b7d7d05edff79e9a952d2f64bcb..1b4a9cd3394f548701378f97fe9cedbd608c39c4 100644 --- a/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch +++ b/ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch @@ -14,7 +14,7 @@ index 4271af6..9e957fa 100644 --- a/pppd/auth.c +++ b/pppd/auth.c @@ -428,7 +428,7 @@ setupapfile(argv) - option_error("unable to reset uid before opening %s: %m", fname); + free(fname); return 0; } - ufile = fopen(fname, "r"); 
diff --git a/0019-sys-linux-rework-get_first_ethernet.patch b/ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch similarity index 97% rename from 0019-sys-linux-rework-get_first_ethernet.patch rename to ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch index 9a8c3dd61bafc87804993ad10461f32e00c3f389..780e068f06f560eade73c500ff057f202362343b 100644 --- a/0019-sys-linux-rework-get_first_ethernet.patch +++ b/ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch @@ -68,12 +68,12 @@ index 9918091..b949716 100644 all: rp-pppoe.so pppoe-discovery -pppoe-discovery: pppoe-discovery.o debug.o -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o +- $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o +pppoe-discovery: pppoe-discovery.o debug.o common.o -+ $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev ++ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c + $(CC) $(CFLAGS) -I../../.. -c -o pppoe-discovery.o pppoe-discovery.c diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c index c0d927d..2bd910f 100644 --- a/pppd/plugins/rp-pppoe/pppoe-discovery.c @@ -111,7 +111,7 @@ index c0d927d..2bd910f 100644 conn->discoverySocket = -1; conn->sessionSocket = -1; @@ -722,3 +734,104 @@ void usage(void) - fprintf(stderr, "Usage: pppoe-discovery [options]\n"); + " -h -- Print usage information.\n"); fprintf(stderr, "\nVersion " RP_VERSION "\n"); } + diff --git a/ppp-2.4.8.tar.gz b/ppp-2.4.8.tar.gz new file mode 100644 index 0000000000000000000000000000000000000000..a95164edb4f9a3262800e030cecdeb515943c8cc Binary files /dev/null and b/ppp-2.4.8.tar.gz differ diff --git a/ppp.spec b/ppp.spec index 8005c994f261e3cafce1ca86efa424891b4df069..72552e670faedf9873510af401332d3a09204356 100644 --- a/ppp.spec +++ b/ppp.spec 
@@ -1,6 +1,6 @@
 Name: ppp
-Version: 2.4.7
-Release: 29
+Version: 2.4.8
+Release: 1
 Summary: The Point-to-Point Protocol
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
@@ -30,34 +30,31 @@ Obsoletes: network-scripts-ppp
 # Patch0001-Patch0028 are from Fedora29
 Patch0001: 0001-build-sys-use-gcc-as-our-compiler-of-choice.patch
-Patch0002: 0002-build-sys-enable-PAM-support.patch
-Patch0003: 0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
+Patch0002: ppp-2.4.8-build-sys-enable-PAM-support.patch
+Patch0003: ppp-2.4.8-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
 Patch0004: 0004-doc-add-configuration-samples.patch
-Patch0005: 0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch
+Patch0005: ppp-2.4.8-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch
 Patch0006: 0006-scritps-use-change_resolv_conf-function.patch
 Patch0007: 0007-build-sys-don-t-strip-binaries-during-installation.patch
 Patch0008: 0008-build-sys-use-prefix-usr-instead-of-usr-local.patch
-Patch0009: 0009-pppd-introduce-ipv6-accept-remote.patch
+Patch0009: ppp-2.4.8-pppd-introduce-ipv6-accept-remote.patch
 Patch0010: 0010-build-sys-enable-CBCP.patch
 Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch
-Patch0012: 0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch
-Patch0013: 0013-everywhere-O_CLOEXEC-harder.patch
+Patch0012: ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch
+Patch0013: ppp-2.4.8-everywhere-O_CLOEXEC-harder.patch
 Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
 Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch
 Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch
 Patch0018: 0018-scritps-fix-ip-up.local-sample.patch
-Patch0019: 0019-sys-linux-rework-get_first_ethernet.patch
+Patch0019: ppp-2.4.8-sys-linux-rework-get_first_ethernet.patch
 Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch
-Patch0021: 0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch
-Patch0022: 0022-build-sys-compile-pppol2tp-with-multilink-support.patch
+Patch0021: ppp-2.4.8-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch
+Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patch
 Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
 Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
-Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch
-Patch0026: ppp-2.4.7-eaptls-mppe-1.101.patch
-Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
+Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch
+Patch0026: ppp-2.4.8-eaptls-mppe-1.300.patch
-Patch0029: ppp-2.4.7-DES-openssl.patch
-Patch0030: ppp-2.4.7-honor-ldflags.patch
 Patch6000: ppp-CVE-2015-3310.patch
 Patch6001: ppp-CVE-2020-8597.patch
@@ -78,7 +75,8 @@ building plugins for the %{name}.
 %package_help
 %prep
-%autosetup -n %{name}-%{version} -p1
+%setup -qn %{name}-%{version}
+%autopatch -p1
 tar -xvJf %{SOURCE1}
 mkdir ppp
 mkdir network-scripts
@@ -94,8 +92,8 @@ cp %{SOURCE9} network-scripts
 %build
 export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" RPM_LD_FLAGS="$LDFLAGS"
 %configure
-make %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
-make -C ppp-watch %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
+%{make_build} LDFLAGS="%{?build_ldflags}"
+%{make_build} -C ppp-watch LDFLAGS="%{?build_ldflags}"
 %install
 make install INSTROOT=$RPM_BUILD_ROOT install-etcppp
@@ -119,6 +117,10 @@ install -m 644 %{SOURCE10} %{buildroot}%{_sysconfdir}/pam.d/ppp
 install -m 644 -p %{SOURCE11} %{buildroot}%{_sysconfdir}/logrotate.d/ppp
 install -m 644 -p %{SOURCE12} %{buildroot}%{_prefix}/lib/tmpfiles.d/ppp.conf
+#ghosts
+mkdir -p %{buildroot}%{_rundir}/ppp
+mkdir -p %{buildroot}%{_rundir}/lock/ppp
+
 %pre
 /usr/bin/getent group dip >/dev/null 2>&1 || /usr/sbin/groupadd -r -g 40 dip >/dev/null 2>&1 || :
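Review bot: Patch6000 (ppp-CVE-2015-3310.patch) and Patch6001 (ppp-CVE-2020-8597.patch) are carried over to 2.4.8 unchanged while every other 2.4.7-era patch in this hunk is either rebased or dropped; it is worth checking whether either fix is already part of upstream 2.4.8, because with the new `%autopatch -p1` a patch that no longer applies fails the build instead of being skipped, and one that still applies on top of an upstream fix needs a look. Dropping Patch0030 (ppp-2.4.7-honor-ldflags.patch) assumes the 2.4.8 makefiles pass LDFLAGS on every link, yet the only `$(LDFLAGS)` addition visible in this commit is the pppoe-discovery link in the renamed get_first_ethernet patch; confirm `%{?build_ldflags}` (still passed in %build) reaches pppd, chat and the plugins, for instance by checking the built binaries with `readelf -d` / `readelf -l` for the RELRO and BIND_NOW markers those flags are meant to set, or keep the patch. The context line `# Patch0001-Patch0028 are from Fedora29` is now stale (Patch0028 is gone and most entries are renamed ppp-2.4.8-*), so it should say which ones were rebased locally.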
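Review bot: The new `mkdir -p %{buildroot}%{_rundir}/ppp` and `mkdir -p %{buildroot}%{_rundir}/lock/ppp` lines in the %install hunk create the ghost directories with whatever mode the build umask yields, and the matching `%ghost %dir %{_rundir}/ppp` / `%ghost %dir %{_rundir}/lock/ppp` entries in the `@@ -136,11 +138,11 @@` %files hunk carry no `%attr`, so the owner and mode rpm records for these runtime directories are never pinned in the spec. The neighbouring `%attr(700, root, root) %dir %{_localstatedir}/log/ppp` shows the file's own convention; pinning both ghost entries the same way, e.g. `%ghost %attr(755, root, root) %dir %{_rundir}/ppp` if that is what the installed tmpfiles.d ppp.conf (SOURCE12) creates at boot, keeps the package database and the directory recreated at boot in agreement and makes a later tightening of the lock directory a visible diff.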
@@ -136,11 +138,11 @@ install -m 644 -p %{SOURCE12} %{buildroot}%{_prefix}/lib/tmpfiles.d/ppp.conf
 %config(noreplace) %{_sysconfdir}/pam.d/ppp
 %config(noreplace) %{_sysconfdir}/logrotate.d/ppp
 %{_prefix}/lib/tmpfiles.d/*.conf
-%{_libdir}/pppd/2.4.7/*.so
+%{_libdir}/pppd/2.4.8/*.so
 %{_sbindir}/chat
 %{_sbindir}/ppp*
-%ghost %dir /run/ppp
-%ghost %dir /run/lock/ppp
+%ghost %dir %{_rundir}/ppp
+%ghost %dir %{_rundir}/lock/ppp
 %attr(700, root, root) %dir %{_localstatedir}/log/ppp
 %files devel
@@ -152,6 +154,12 @@ install -m 644 -p %{SOURCE12} %{buildroot}%{_prefix}/lib/tmpfiles.d/ppp.conf
 %{_mandir}/man8/*.8.gz
 %changelog
+* Tue Jun 30 2020 yuboyun - 2.4.8-1
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC:update ppp version from 2.4.7 to 2.4.8
+
 * Tue Mar 17 2020 chenzhen - 2.4.7-29
 - Type:cves
 - ID:CVE-2020-8597
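Review bot: `%{_libdir}/pppd/2.4.8/*.so` hard-codes the version the `Version:` tag already carries, so every bump has to edit this line as well (this one did); `%{_libdir}/pppd/%{version}/*.so` tracks the tag automatically and still fails the build at the unpackaged-files check if the plugin directory ever stops matching. The changelog hunk below runs past the end of this view.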