From d0834a9bdb3d81a5cd89a7ded548eeca3a4517bf Mon Sep 17 00:00:00 2001
From: Andrey Bondrov
Date: Sun, 14 Apr 2019 01:31:52 +0000
Subject: [PATCH 01/12] MassBuild#1671: Increase release tag
---
 ppp.spec | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ppp.spec b/ppp.spec
index 2cf0663..fb1c3c1 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -3,7 +3,7 @@
 Summary: The PPP daemon and documentation
 Name: ppp
 Version: 2.4.7
-Release: 7
+Release: 8
 License: BSD-like
 Group: System/Servers
 Url: http://www.samba.org/ppp/
From af0790cd33a471da0c54315f4151f4e523b251e9 Mon Sep 17 00:00:00 2001
From: Mikhail Novosyolov
Date: Tue, 14 May 2019 01:51:33 +0300
Subject: [PATCH 02/12] FTBFS with glibc 2.28+
---
 FEDORA-glibc-2.28.patch | 107 ++++++++++++++++++++++++++++++++++++++++
 ppp.spec | 4 +-
 2 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 FEDORA-glibc-2.28.patch
diff --git a/FEDORA-glibc-2.28.patch b/FEDORA-glibc-2.28.patch
new file mode 100644
index 0000000..f6a6570
--- /dev/null
+++ b/FEDORA-glibc-2.28.patch
@@ -0,0 +1,107 @@ +From 3c7b86229f7bd2600d74db14b1fe5b3896be3875 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= +Date: Fri, 6 Apr 2018 14:27:18 +0200 +Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875] + +It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped +libcrypt. The libxcrypt standalone package can be used instead, but +it dropped the old setkey/encrypt API which ppp uses for DES. There +is support for using openssl in pppcrypt.c, but it contains typos +preventing it from compiling and seems to be written for an ancient +openssl version. + +This updates the code to use current openssl. + +[paulus@ozlabs.org - wrote the commit description, fixed comment in + Makefile.linux.] + +Signed-off-by: Jaroslav Škarvada +Signed-off-by: Paul Mackerras +--- + pppd/Makefile.linux | 7 ++++--- + pppd/pppcrypt.c | 18 +++++++++--------- + 2 files changed, 13 insertions(+), 12 deletions(-) +--- ppp-2.4.7.orig/pppd/Makefile.linux ++++ ppp-2.4.7/pppd/Makefile.linux +@@ -35,10 +35,10 @@ endif + COPTS = -O2 -pipe -Wall -g + LIBS = -lcrypto + +-# Uncomment the next 2 lines to include support for Microsoft's ++# Uncomment the next line to include support for Microsoft's + # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. + CHAPMS=y +-USE_CRYPT=y ++#USE_CRYPT=y + # Don't use MSLANMAN unless you really know what you're doing. + #MSLANMAN=y + # Uncomment the next line to include support for MPPE. 
CHAPMS (above) must +@@ -142,7 +142,8 @@ endif + + ifdef NEEDDES + ifndef USE_CRYPT +-LIBS += -ldes $(LIBS) ++CFLAGS += -I/usr/include/openssl ++LIBS += -lcrypto + else + CFLAGS += -DUSE_CRYPT=1 + endif +--- ppp-2.4.7.orig/pppd/pppcrypt.c ++++ ppp-2.4.7/pppd/pppcrypt.c +@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key w + des_key[7] = Get7Bits(key, 49); + + #ifndef USE_CRYPT +- des_set_odd_parity((des_cblock *)des_key); ++ DES_set_odd_parity((DES_cblock *)des_key); + #endif + } + +@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ + } + + #else /* USE_CRYPT */ +-static des_key_schedule key_schedule; ++static DES_key_schedule key_schedule; + + bool + DesSetkey(key) + u_char *key; + { +- des_cblock des_key; ++ DES_cblock des_key; + MakeKey(key, des_key); +- des_set_key(&des_key, key_schedule); ++ DES_set_key(&des_key, &key_schedule); + return (1); + } + + bool +-DesEncrypt(clear, key, cipher) ++DesEncrypt(clear, cipher) + u_char *clear; /* IN 8 octets */ + u_char *cipher; /* OUT 8 octets */ + { +- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, +- key_schedule, 1); ++ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, ++ &key_schedule, 1); + return (1); + } + +@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) + u_char *cipher; /* IN 8 octets */ + u_char *clear; /* OUT 8 octets */ + { +- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear, +- key_schedule, 0); ++ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, ++ &key_schedule, 0); + return (1); + } + diff --git a/ppp.spec b/ppp.spec index fb1c3c1..0ed13ac 100644 --- a/ppp.spec +++ b/ppp.spec @@ -3,7 +3,7 @@ Summary: The PPP daemon and documentation Name: ppp Version: 2.4.7 -Release: 8 +Release: 9 License: BSD-like Group: System/Servers Url: http://www.samba.org/ppp/ 
@@ -40,6 +40,7 @@ Patch12: ppp-2.4.5-makeopt2.patch Patch13: ppp-2.4.7-nostrip.patch Patch14: ppp-2.4.7-linux48.patch Patch15: ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch +Patch16: FEDORA-glibc-2.28.patch BuildRequires: libtool BuildRequires: atm-devel BuildRequires: pcap-devel @@ -210,6 +211,7 @@ popd %patch13 -p1 -b .nostrip %patch14 -p1 -b .linux48 %patch15 -p1 +patch -p1 < %{PATCH16} tar -xJf %{SOURCE112} From 9e3365b4f47e9652fa462adb57997a1c7e72ad8a Mon Sep 17 00:00:00 2001 From: NixTux Commit Bot Date: Sat, 4 Jan 2020 06:29:45 +0300 Subject: [PATCH 03/12] bot: rpm5 -> rpm4 (1) --- ppp.spec | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ppp.spec b/ppp.spec index 0ed13ac..bd8b061 100644 --- a/ppp.spec +++ b/ppp.spec @@ -237,10 +237,10 @@ perl -pi -e "s/#HAVE_INET6/HAVE_INET6/" pppd/Makefile.linux %build perl -pi -e "s/openssl/openssl -DOPENSSL_NO_SHA1/;" openssl/crypto/sha/Makefile -%configure2_5x -%make RPM_OPT_FLAGS="%{optflags}" LIBDIR=%{_libdir} -%make -C pppd/plugins -f Makefile.linux -%make -C ppp-watch %{?_smp_mflags} +%configure +%make_build RPM_OPT_FLAGS="%{optflags}" LIBDIR=%{_libdir} +%make_build -C pppd/plugins -f Makefile.linux +%make_build -C ppp-watch %{?_smp_mflags} %install mkdir -p %{buildroot}{%{_sbindir},%{_bindir},/usr/X11R6/bin/,%{_mandir}/man8,%{_sysconfdir}/{ppp/peers,pam.d}} From 41aeafe1af4898a0e6c8fa285f2aee5ce7b9adfc Mon Sep 17 00:00:00 2001 From: NixTux Commit Bot Date: Mon, 13 Jan 2020 17:58:58 +0300 Subject: [PATCH 04/12] bot: rpm5 -> rpm4 (8) --- ppp.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ppp.spec b/ppp.spec index bd8b061..5df58f3 100644 --- a/ppp.spec +++ b/ppp.spec 
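Review bot: `patch -p1 < %{PATCH16}` in the %prep hunk applies this one patch with a bare patch(1) call while every neighbouring line goes through the `%patchN` macro, so it skips whatever fuzz and backup defaults the macro applies and a maintainer searching for `%patch16` will not find where Patch16 is used. Unless the raw invocation is needed because the patch does not apply under the macro's defaults — in which case a one-line comment above it should say so — `%patch16 -p1 -b .glibc228` keeps the section uniform with the `%patch13`/`%patch14`/`%patch15` lines just above it. The `Patch16:` declaration hunk earlier on this line needs no change.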
@@ -238,9 +238,9 @@ perl -pi -e "s/#HAVE_INET6/HAVE_INET6/" pppd/Makefile.linux perl -pi -e "s/openssl/openssl -DOPENSSL_NO_SHA1/;" openssl/crypto/sha/Makefile %configure -%make_build RPM_OPT_FLAGS="%{optflags}" LIBDIR=%{_libdir} -%make_build -C pppd/plugins -f Makefile.linux -%make_build -C ppp-watch %{?_smp_mflags} +%make RPM_OPT_FLAGS="%{optflags}" LIBDIR=%{_libdir} +%make -C pppd/plugins -f Makefile.linux +%make -C ppp-watch %{?_smp_mflags} %install mkdir -p %{buildroot}{%{_sbindir},%{_bindir},/usr/X11R6/bin/,%{_mandir}/man8,%{_sysconfdir}/{ppp/peers,pam.d}} From da7df9d30925c3f35931f37ec4d89e69814c8093 Mon Sep 17 00:00:00 2001 From: Alexander Stefanov Date: Sat, 7 Mar 2020 16:57:52 +0000 Subject: [PATCH 05/12] fix CVE-2020-8597 --- ...70b8f3db727fe798b65f3377fe6787575426.patch | 37 +++++++++++++++++++ ppp.spec | 4 ++ 2 files changed, 41 insertions(+) create mode 100644 8d7970b8f3db727fe798b65f3377fe6787575426.patch diff --git a/8d7970b8f3db727fe798b65f3377fe6787575426.patch b/8d7970b8f3db727fe798b65f3377fe6787575426.patch new file mode 100644 index 0000000..5d7c51b --- /dev/null +++ b/8d7970b8f3db727fe798b65f3377fe6787575426.patch 
@@ -0,0 +1,37 @@ +From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Mon, 3 Feb 2020 15:53:28 +1100 +Subject: [PATCH] pppd: Fix bounds check in EAP code + +Given that we have just checked vallen < len, it can never be the case +that vallen >= len + sizeof(rhostname). This fixes the check so we +actually avoid overflowing the rhostname array. + +Reported-by: Ilja Van Sprundel +Signed-off-by: Paul Mackerras +--- + pppd/eap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 94407f56..1b93db01 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1420,7 +1420,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; +@@ -1846,7 +1846,7 @@ int len; + } + + /* Not so likely to happen. */ +- if (vallen >= len + sizeof (rhostname)) { ++ if (len - vallen >= sizeof (rhostname)) { + dbglog("EAP: trimming really long peer name down"); + BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); + rhostname[sizeof (rhostname) - 1] = '\0'; diff --git a/ppp.spec b/ppp.spec index 5df58f3..5706830 100644 --- a/ppp.spec +++ b/ppp.spec @@ -41,6 +41,9 @@ Patch13: ppp-2.4.7-nostrip.patch Patch14: ppp-2.4.7-linux48.patch Patch15: ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch Patch16: FEDORA-glibc-2.28.patch +# CVE-2020-8597 +# remote code execution +Patch17: 8d7970b8f3db727fe798b65f3377fe6787575426.patch BuildRequires: libtool BuildRequires: atm-devel BuildRequires: pcap-devel @@ -211,6 +214,7 @@ popd %patch13 -p1 -b .nostrip %patch14 -p1 -b .linux48 %patch15 -p1 +%patch17 -p1 patch -p1 < %{PATCH16} tar -xJf %{SOURCE112} From d171cd598c7ace43afa24c9fc1164542363ba1f6 Mon Sep 17 00:00:00 2001 
From: Alexander Stefanov Date: Mon, 9 Mar 2020 15:05:03 +0000 Subject: [PATCH 06/12] add ppp-2.4.5-libtool-tag.patch --- ppp-2.4.5-libtool-tag.patch | 15 +++++++++++++++ ppp.spec | 2 ++ 2 files changed, 17 insertions(+) create mode 100644 ppp-2.4.5-libtool-tag.patch diff --git a/ppp-2.4.5-libtool-tag.patch b/ppp-2.4.5-libtool-tag.patch new file mode 100644 index 0000000..cd9a399 --- /dev/null +++ b/ppp-2.4.5-libtool-tag.patch @@ -0,0 +1,15 @@ +--- ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux~ 2013-02-19 13:15:32.000000000 +0100 ++++ ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux 2013-02-19 13:15:52.645439658 +0100 +@@ -17,10 +17,10 @@ $(PLUGIN): $(LTLIB) + gcc -o $@ $(OBJS:%.lo=.libs/%.o) $(LIBS) + + $(LTLIB): $(OBJS) +- libtool --mode=link gcc $(CFLAGS) -o $@ $(OBJS) $(LIBS) ++ libtool --tag=CC --mode=link gcc $(CFLAGS) -o $@ $(OBJS) $(LIBS) + + %.lo: %.c +- libtool --mode=compile gcc $(CFLAGS) -c $< ++ libtool --tag=CC --mode=compile gcc $(CFLAGS) -c $< + + clean: + rm -f *.o *.lo *.so diff --git a/ppp.spec b/ppp.spec index 5706830..6e27b02 100644 --- a/ppp.spec +++ b/ppp.spec @@ -44,6 +44,7 @@ Patch16: FEDORA-glibc-2.28.patch # CVE-2020-8597 # remote code execution Patch17: 8d7970b8f3db727fe798b65f3377fe6787575426.patch +Patch18: ppp-2.4.5-libtool-tag.patch BuildRequires: libtool BuildRequires: atm-devel BuildRequires: pcap-devel @@ -215,6 +216,7 @@ popd %patch14 -p1 -b .linux48 %patch15 -p1 %patch17 -p1 +%patch18 -p1 patch -p1 < %{PATCH16} tar -xJf %{SOURCE112} From c14476bbd9f2eae207d501b117e987c59a2e8a12 Mon Sep 17 00:00:00 2001 From: Alexander Stefanov Date: Mon, 9 Mar 2020 15:09:13 +0000 Subject: [PATCH 07/12] skip multiarch --- ppp.spec | 3 --- 1 file changed, 3 deletions(-) diff --git a/ppp.spec b/ppp.spec index 6e27b02..6626778 100644 --- a/ppp.spec +++ b/ppp.spec 
@@ -122,7 +122,6 @@ PPP over ATM plugin for %{name}. %files devel %doc README* %{_includedir}/pppd/* -%{multiarch_includedir}/pppd/pathnames.h #---------------------------------------------------------------------------- @@ -255,8 +254,6 @@ mkdir -p %{buildroot}{%{_sbindir},%{_bindir},/usr/X11R6/bin/,%{_mandir}/man8,%{_ %makeinstall INSTROOT=%{buildroot} SUBDIRS="pppoatm rp-pppoe radius pppol2tp" %makeinstall ROOT=%{buildroot} mandir=/usr/share/man -C ppp-watch install -%multiarch_includes %{buildroot}%{_includedir}/pppd/pathnames.h - # (gg) Allow stripping chmod u+w %{buildroot}%{_sbindir}/* From 222f9b110b19c9110fe3dfcad39ace8e380849d2 Mon Sep 17 00:00:00 2001 From: Alexander Stefanov Date: Thu, 7 May 2020 23:25:22 +0000 Subject: [PATCH 08/12] remove -x permission to avoid perl bloat --- ppp.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/ppp.spec b/ppp.spec index 6626778..414a1af 100644 --- a/ppp.spec +++ b/ppp.spec @@ -220,6 +220,9 @@ patch -p1 < %{PATCH16} tar -xJf %{SOURCE112} +chmod go+r scripts/* +find scripts -type f | xargs chmod a-x + # lib64 fixes perl -pi -e "s|^(LIBDIR.*)\\\$\(DESTDIR\)/lib|\1\\\$(INSTROOT)%{_libdir}|g" pppd/Makefile.linux pppd/plugins/Makefile.linux pppd/plugins/{pppoatm,radius,rp-pppoe,pppol2tp}/Makefile.linux perl -pi -e "s|(--prefix=/usr)|\1 --libdir=%{_libdir}|g" pppd/plugins/radius/Makefile.linux From 1b883672f923c21f0173c6d104e7a1ce1b0512bd Mon Sep 17 00:00:00 2001 
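Review bot: `find scripts -type f | xargs chmod a-x` in the %prep hunk of the "remove -x permission" commit splits find's output on whitespace, so any script path containing a space or quote would be mangled before it reaches chmod; `find scripts -type f -exec chmod a-x {} +` does the same work in one process without that hazard. The two chmod lines also carry no explanation of why sample scripts are being made non-executable — presumably, per the commit subject, to stop rpm's automatic dependency generator from adding interpreter requirements for executable scripts — so a comment such as `# sample scripts are shipped as documentation: drop +x so no perl dependencies are generated` would keep the next maintainer from "fixing" the permissions back.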
From: Alexander Stefanov Date: Thu, 7 Jan 2021 20:05:20 +0000 Subject: [PATCH 09/12] 2.4.9 --- .abf.yml | 4 +- ...> 0004-doc-add-configuration-samples.patch | 76 +- ...itps-use-change_resolv_conf-function.patch | 85 + ...-t-put-connect-errors-log-to-etc-ppp.patch | 45 +- ...se-SOCK_CLOEXEC-when-creating-socket.patch | 149 + ...pd-move-pppd-database-to-var-run-ppp.patch | 44 + ...ppoe-add-manpage-for-pppoe-discovery.patch | 115 + 0018-scritps-fix-ip-up.local-sample.patch | 27 + ...-pppd-put-lock-files-in-var-lock-ppp.patch | 26 + ...l-rp-pppoe-plugin-files-with-standar.patch | 20 + ...l-pppoatm-plugin-files-with-standard.patch | 26 + ...70b8f3db727fe798b65f3377fe6787575426.patch | 37 - FEDORA-glibc-2.28.patch | 107 - README.pppoatm | 5 - ifdown-ppp | 0 ifup-ppp | 18 +- ip-down | 20 - ip-up | 26 +- ipv6-up | 6 +- ppp-2.4.2-pie.patch | 36 - ppp-2.4.3-etcppp.patch | 12 - ppp-2.4.3-libatm.patch | 11 - ppp-2.4.3-pam.conf | 5 - ppp-2.4.3-pic.patch | 37 - ppp-2.4.3-pppdump-Makefile.patch | 8 - ppp-2.4.4-multipledefrt.patch | 51 - ppp-2.4.5-includes-sha1.patch | 10 - ppp-2.4.5-libtool-tag.patch | 15 - ppp-2.4.5-makeopt2.patch | 10 - ...4.7-eaptls-mppe-1.101_CVE-2018-11574.patch | 3231 ----------------- ppp-2.4.7-linux48.patch | 35 - ppp-2.4.7-make.patch | 116 - ppp-2.4.7-noexttraffic.patch | 101 - ppp-2.4.7-nostrip.patch | 86 - ...pppd-binary-using-standard-perms-755.patch | 29 + ...-don-t-want-to-accidentally-leak-fds.patch | 143 + ...hardcode-LIBDIR-but-set-it-according.patch | 99 + ppp-2.4.9-config.patch | 21 + ppp-2.4.9-configure-cflags-allow-commas.patch | 17 + ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch | 241 ++ ppp.logrotate => ppp-logrotate.conf | 0 ppp-options.patch | 8 - ppp-pam.conf | 5 + ppp-tmpfiles.conf | 4 +- ppp.spec | 267 +- 45 files changed, 1247 insertions(+), 4187 deletions(-) rename ppp-2.3.6-sample.patch => 0004-doc-add-configuration-samples.patch (85%) create mode 100644 0006-scritps-use-change_resolv_conf-function.patch rename 
ppp-2.4.4-dontwriteetc.patch => 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch (60%) create mode 100644 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch create mode 100644 0015-pppd-move-pppd-database-to-var-run-ppp.patch create mode 100644 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch create mode 100644 0018-scritps-fix-ip-up.local-sample.patch create mode 100644 0020-pppd-put-lock-files-in-var-lock-ppp.patch create mode 100644 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch create mode 100644 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch delete mode 100644 8d7970b8f3db727fe798b65f3377fe6787575426.patch delete mode 100644 FEDORA-glibc-2.28.patch delete mode 100644 README.pppoatm mode change 100755 => 100644 ifdown-ppp mode change 100755 => 100644 ifup-ppp delete mode 100644 ppp-2.4.2-pie.patch delete mode 100644 ppp-2.4.3-etcppp.patch delete mode 100644 ppp-2.4.3-libatm.patch delete mode 100644 ppp-2.4.3-pam.conf delete mode 100644 ppp-2.4.3-pic.patch delete mode 100644 ppp-2.4.3-pppdump-Makefile.patch delete mode 100644 ppp-2.4.4-multipledefrt.patch delete mode 100644 ppp-2.4.5-includes-sha1.patch delete mode 100644 ppp-2.4.5-libtool-tag.patch delete mode 100644 ppp-2.4.5-makeopt2.patch delete mode 100644 ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch delete mode 100644 ppp-2.4.7-linux48.patch delete mode 100644 ppp-2.4.7-make.patch delete mode 100644 ppp-2.4.7-noexttraffic.patch delete mode 100644 ppp-2.4.7-nostrip.patch create mode 100644 ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch create mode 100644 ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch create mode 100644 ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch create mode 100644 ppp-2.4.9-config.patch create mode 100644 ppp-2.4.9-configure-cflags-allow-commas.patch create mode 100644 ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch rename ppp.logrotate => ppp-logrotate.conf (100%) delete mode 
100644 ppp-options.patch create mode 100644 ppp-pam.conf diff --git a/.abf.yml b/.abf.yml index 27d3323..6959964 100644 --- a/.abf.yml +++ b/.abf.yml @@ -1,5 +1,3 @@ sources: - ppp-2.4.1-mppe-crypto.tar.bz2: 9652e5a21131239f6e8499d4dbc448a9eeee132f - ppp-2.4.7.tar.gz: 808b023172ea7189bc0d49935bf37a5382a1fe13 - ppp-dhcpc.tar.bz2: 8b49c9b8ccde83f69c4b0c9cae6454cdba0845ca + 2.4.9.tar.gz: 4241f65a5f8e1efb3874b9c7887d38ae4d05d112 ppp-watch.tar.xz: 74b6db205dc46fc179a2a3bc3d726ddfeb03c801 diff --git a/ppp-2.3.6-sample.patch b/0004-doc-add-configuration-samples.patch similarity index 85% rename from ppp-2.3.6-sample.patch rename to 0004-doc-add-configuration-samples.patch index 92eee6c..0cea037 100644 --- a/ppp-2.3.6-sample.patch +++ b/0004-doc-add-configuration-samples.patch @@ -1,5 +1,30 @@ ---- ppp-2.3.3/sample/auth-down.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/auth-down Tue Jan 6 17:53:27 1998 +From d7faeb88f684c8b2ae193b2c5b5b358ac757fcfa Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 11:39:09 +0200 +Subject: [PATCH 04/27] doc: add configuration samples + +--- + sample/auth-down | 17 ++++++ + sample/auth-up | 17 ++++++ + sample/ip-down | 22 ++++++++ + sample/ip-up | 23 ++++++++ + sample/options | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++ + sample/options.ttyXX | 14 +++++ + sample/pap-secrets | 28 ++++++++++ + 7 files changed, 274 insertions(+) + create mode 100644 sample/auth-down + create mode 100644 sample/auth-up + create mode 100644 sample/ip-down + create mode 100644 sample/ip-up + create mode 100644 sample/options + create mode 100644 sample/options.ttyXX + create mode 100644 sample/pap-secrets + +diff --git a/sample/auth-down b/sample/auth-down +new file mode 100644 +index 0000000..edde65d +--- /dev/null ++++ b/sample/auth-down @@ -0,0 +1,17 @@ +#!/bin/sh +# 
@@ -18,8 +43,11 @@ +echo auth-down `date +'%y/%m/%d %T'` $* >> /var/log/pppstats + +# last line ---- ppp-2.3.3/sample/auth-up.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/auth-up Tue Jan 6 17:53:27 1998 +diff --git a/sample/auth-up b/sample/auth-up +new file mode 100644 +index 0000000..54722a3 +--- /dev/null ++++ b/sample/auth-up @@ -0,0 +1,17 @@ +#!/bin/sh +# @@ -38,8 +66,11 @@ +echo auth-up `date +'%y/%m/%d %T'` $* >> /var/log/pppstats + +# last line ---- ppp-2.3.3/sample/ip-down.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/ip-down Tue Jan 6 17:53:27 1998 +diff --git a/sample/ip-down b/sample/ip-down +new file mode 100644 +index 0000000..b771fb6 +--- /dev/null ++++ b/sample/ip-down @@ -0,0 +1,22 @@ +#!/bin/sh +# @@ -63,13 +94,16 @@ +export PATH + +# last line ---- ppp-2.3.3/sample/ip-up.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/ip-up Tue Jan 6 17:53:27 1998 +diff --git a/sample/ip-up b/sample/ip-up +new file mode 100644 +index 0000000..7ce7c8d +--- /dev/null ++++ b/sample/ip-up @@ -0,0 +1,23 @@ +#!/bin/sh +# +# This script is run by the pppd after the link is established. -+# It should be used to add routes, set IP address, run the mailq ++# It should be used to add routes, set IP address, run the mailq +# etc. +# +# This script is called with the following arguments: @@ -89,8 +123,11 @@ +export PATH + +# last line ---- ppp-2.3.3/sample/options.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/options Tue Jan 6 17:53:27 1998 +diff --git a/sample/options b/sample/options +new file mode 100644 +index 0000000..8d0a3f9 +--- /dev/null ++++ b/sample/options @@ -0,0 +1,153 @@ +# /etc/ppp/options + @@ -245,8 +282,11 @@ +noipx + +# ------ ---- ppp-2.3.3/sample/options.ttyXX.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/options.ttyXX Tue Jan 6 17:53:27 1998 +diff --git a/sample/options.ttyXX b/sample/options.ttyXX +new file mode 100644 +index 0000000..d4202f5 +--- /dev/null ++++ b/sample/options.ttyXX 
@@ -0,0 +1,14 @@ +# If you need to set up multiple serial lines then copy this file to +# options. for each tty with a modem on it. @@ -262,8 +302,11 @@ +# is the IP address of your host +# +hostname-s1:hostname ---- ppp-2.3.3/sample/pap-secrets.sample Tue Jan 6 17:53:27 1998 -+++ ppp-2.3.3/sample/pap-secrets Tue Jan 6 17:53:27 1998 +diff --git a/sample/pap-secrets b/sample/pap-secrets +new file mode 100644 +index 0000000..098971b +--- /dev/null ++++ b/sample/pap-secrets @@ -0,0 +1,28 @@ +# Secrets for authentication using PAP +# client server secret IP addresses @@ -293,3 +336,6 @@ +#root hostname "*" - +#support hostname "*" - +#stats hostname "*" - +-- +1.8.3.1 + diff --git a/0006-scritps-use-change_resolv_conf-function.patch b/0006-scritps-use-change_resolv_conf-function.patch new file mode 100644 index 0000000..cbf8713 --- /dev/null +++ b/0006-scritps-use-change_resolv_conf-function.patch 
@@ -0,0 +1,85 @@ +From 01419dfb684d501b57f1c24dcfdbcf9da93ccca2 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 18:12:47 +0200 +Subject: [PATCH 06/27] scritps: use change_resolv_conf function + +Don't handle /etc/resolv.conf manually, but use a helper function from +initscripts. Also change path where we save DNS servers supplied by peer while +we are at it. + +Resolves: #132482 +--- + pppd/pppd.8 | 2 +- + scripts/ip-down.local.add | 9 +++++---- + scripts/ip-up.local.add | 17 ++++++++++------- + 3 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/pppd/pppd.8 b/pppd/pppd.8 +index e2768b1..2dd6e1a 100644 +--- a/pppd/pppd.8 ++++ b/pppd/pppd.8 +@@ -1099,7 +1099,7 @@ Ask the peer for up to 2 DNS server addresses. The addresses supplied + by the peer (if any) are passed to the /etc/ppp/ip\-up script in the + environment variables DNS1 and DNS2, and the environment variable + USEPEERDNS will be set to 1. In addition, pppd will create an +-/etc/ppp/resolv.conf file containing one or two nameserver lines with ++/var/run/ppp/resolv.conf file containing one or two nameserver lines with + the address(es) supplied by the peer. + .TP + .B user \fIname +diff --git a/scripts/ip-down.local.add b/scripts/ip-down.local.add +index b93590e..163f71e 100644 +--- a/scripts/ip-down.local.add ++++ b/scripts/ip-down.local.add +@@ -9,12 +9,13 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. 
/etc/sysconfig/network-scripts/network-functions + +-if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then +- if [ -f /etc/ppp/resolv.prev ]; then +- cp -f /etc/ppp/resolv.prev /etc/resolv.conf ++if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then ++ if [ -f /var/run/ppp/resolv.prev ]; then ++ change_resolv_conf /var/run/ppp/resolv.prev + else +- rm -f /etc/resolv.conf ++ change_resolv_conf + fi + fi + +diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add +index 8017209..26cf5f8 100644 +--- a/scripts/ip-up.local.add ++++ b/scripts/ip-up.local.add +@@ -9,16 +9,19 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. /etc/sysconfig/network-scripts/network-functions + +-if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then +- rm -f /etc/ppp/resolv.prev ++if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then ++ rm -f /var/run/ppp/resolv.prev + if [ -f /etc/resolv.conf ]; then +- cp /etc/resolv.conf /etc/ppp/resolv.prev +- grep domain /etc/ppp/resolv.prev > /etc/resolv.conf +- grep search /etc/ppp/resolv.prev >> /etc/resolv.conf +- cat /etc/ppp/resolv.conf >> /etc/resolv.conf ++ cp /etc/resolv.conf /var/run/ppp/resolv.prev ++ rscf=/var/run/ppp/resolv.new ++ grep domain /var/run/ppp/resolv.prev > $rscf ++ grep search /var/run/ppp/resolv.prev >> $rscf ++ change_resolv_conf $rscf ++ rm -f $rscf + else +- cp /etc/ppp/resolv.conf /etc ++ change_resolv_conf /var/run/ppp/resolv.conf + fi + fi + +-- +1.8.3.1 + diff --git a/ppp-2.4.4-dontwriteetc.patch b/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch similarity index 60% rename from ppp-2.4.4-dontwriteetc.patch rename to 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch index 8651e32..56ac388 100644 --- a/ppp-2.4.4-dontwriteetc.patch +++ b/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch 
@@ -1,6 +1,20 @@ ---- ppp-2.4.4/chat/chat.8.dontwriteetc 2004-11-13 07:22:49.000000000 -0500 -+++ ppp-2.4.4/chat/chat.8 2006-11-17 12:09:28.000000000 -0500 -@@ -200,7 +200,7 @@ +From b4ef433be936c90e356da7a590b032cdee219a3f Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 19:06:05 +0200 +Subject: [PATCH 11/27] build-sys: don't put connect-errors log to /etc/ppp/ + +Resolves: #118837 +--- + chat/chat.8 | 2 +- + linux/Makefile.top | 8 +++++++- + pppd/pathnames.h | 4 ++-- + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/chat/chat.8 b/chat/chat.8 +index 6d10836..78d6939 100644 +--- a/chat/chat.8 ++++ b/chat/chat.8 +@@ -200,7 +200,7 @@ The \fBSAY\fR directive allows the script to send strings to the user at the terminal via standard error. If \fBchat\fR is being run by pppd, and pppd is running as a daemon (detached from its controlling terminal), standard error will normally be redirected to the file @@ -9,18 +23,20 @@ .LP \fBSAY\fR strings must be enclosed in single or double quotes. If carriage return and line feed are needed in the string to be output, ---- ppp-2.4.4/linux/Makefile.top.dontwriteetc 2006-06-04 01:04:14.000000000 -0400 -+++ ppp-2.4.4/linux/Makefile.top 2006-11-17 12:10:06.000000000 -0500 -@@ -5,6 +5,8 @@ +diff --git a/linux/Makefile.top b/linux/Makefile.top +index f63d45e..f42efd5 100644 +--- a/linux/Makefile.top ++++ b/linux/Makefile.top +@@ -5,6 +5,8 @@ BINDIR = $(DESTDIR)/sbin INCDIR = $(DESTDIR)/include MANDIR = $(DESTDIR)/share/man ETCDIR = $(INSTROOT)@SYSCONF@/ppp -+RUNDIR = $(INSTROOT)/var/run/ppp -+LOGDIR = $(INSTROOT)/var/log/ppp ++RUNDIR = $(DESTDIR)/var/run/ppp ++LOGDIR = $(DESTDIR)/var/log/ppp # uid 0 = root INSTALL= install -@@ -16,7 +18,7 @@ +@@ -16,7 +18,7 @@ all: cd pppstats; $(MAKE) $(MFLAGS) all cd pppdump; $(MAKE) $(MFLAGS) all 
@@ -29,7 +45,7 @@ install-progs: cd chat; $(MAKE) $(MFLAGS) install -@@ -44,6 +46,10 @@ +@@ -44,6 +46,10 @@ $(MANDIR)/man8: $(INSTALL) -d -m 755 $@ $(ETCDIR): $(INSTALL) -d -m 755 $@ @@ -40,8 +56,10 @@ clean: rm -f `find . -name '*.[oas]' -print` ---- ppp-2.4.4/pppd/pathnames.h.dontwriteetc 2005-08-25 19:59:34.000000000 -0400 -+++ ppp-2.4.4/pppd/pathnames.h 2006-11-17 11:42:16.000000000 -0500 +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index a427cb8..bef3160 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h @@ -28,9 +28,9 @@ #define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up" #define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down" @@ -54,3 +72,6 @@ #define _PATH_USEROPT ".ppprc" #define _PATH_PSEUDONYM ".ppp_pseudonym" +-- +1.8.3.1 + diff --git a/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch new file mode 100644 index 0000000..1352370 --- /dev/null +++ b/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch 
@@ -0,0 +1,149 @@ +diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c +index d693350..c31bb34 100644 +--- a/pppd/plugins/pppoatm/pppoatm.c ++++ b/pppd/plugins/pppoatm/pppoatm.c +@@ -135,7 +135,7 @@ static int connect_pppoatm(void) + + if (!device_got_set) + no_device_given_pppoatm(); +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd < 0) + fatal("failed to create socket: %m"); + memset(&qos, 0, sizeof qos); +diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c +index 9643b96..1099575 100644 +--- a/pppd/plugins/pppol2tp/openl2tp.c ++++ b/pppd/plugins/pppol2tp/openl2tp.c +@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) + int result; + + if (openl2tp_fd < 0) { +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (openl2tp_fd < 0) { + error("openl2tp connection create: %m"); + return -ENOTCONN; +diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c +index a7e3400..e64a778 100644 +--- a/pppd/plugins/pppol2tp/pppol2tp.c ++++ b/pppd/plugins/pppol2tp/pppol2tp.c +@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, + struct ifreq ifr; + int fd; + +- fd = socket(AF_INET, SOCK_DGRAM, 0); ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd >= 0) { + memset (&ifr, '\0', sizeof (ifr)); + strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); +diff --git a/pppd/plugins/pppoe/if.c b/pppd/plugins/pppoe/if.c +index 91e9a57..72aba41 100644 +--- a/pppd/plugins/pppoe/if.c ++++ b/pppd/plugins/pppoe/if.c +@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + fatal("Cannot 
create raw socket -- pppoe must be run as root."); +diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c +index a8c2bb4..24bdf8f 100644 +--- a/pppd/plugins/pppoe/plugin.c ++++ b/pppd/plugins/pppoe/plugin.c +@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) + /* server equipment). */ + /* Opening this socket just before waitForPADS in the discovery() */ + /* function would be more appropriate, but it would mess-up the code */ +- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); ++ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); + if (conn->sessionSocket < 0) { + error("Failed to create PPPoE socket: %m"); + return -1; +@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) + lcp_wantoptions[0].mru = conn->mru; + + /* Update maximum MRU */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) { + error("Can't get MTU for %s: %m", conn->ifName); + goto errout; +@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) + } + + /* Open a socket */ +- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { ++ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { + r = 0; + } + +diff --git a/pppd/plugins/pppoe/pppoe-discovery.c b/pppd/plugins/pppoe/pppoe-discovery.c +index 3d3bf4e..c0d927d 100644 +--- a/pppd/plugins/pppoe/pppoe-discovery.c ++++ b/pppd/plugins/pppoe/pppoe-discovery.c +@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + fatal("Cannot create raw socket -- pppoe must be run as root."); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 00a2cf5..0690019 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -308,12 +308,12 @@ static int 
modify_flags(int fd, int clear_bits, int set_bits) + void sys_init(void) + { + /* Get an internet socket for doing socket ioctls. */ +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + fatal("Couldn't create IP socket: %m(%d)", errno); + + #ifdef INET6 +- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); ++ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock6_fd < 0) + sock6_fd = -errno; /* save errno for later */ + #endif +@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) + struct ifreq ifreq; + int ret, sock_fd; + +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + return -1; + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); +@@ -2067,7 +2067,7 @@ int ppp_available(void) + /* + * Open a socket for doing the ioctl operations. + */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) + return 0; + +diff --git a/pppd/tty.c b/pppd/tty.c +index bc96695..8e76a5d 100644 +--- a/pppd/tty.c ++++ b/pppd/tty.c +@@ -896,7 +896,7 @@ open_socket(dest) + *sep = ':'; + + /* get a socket and connect it to the other end */ +- sock = socket(PF_INET, SOCK_STREAM, 0); ++ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (sock < 0) { + error("Can't create socket: %m"); + return -1; +-- +1.8.3.1 + diff --git a/0015-pppd-move-pppd-database-to-var-run-ppp.patch b/0015-pppd-move-pppd-database-to-var-run-ppp.patch new file mode 100644 index 0000000..88b84d5 --- /dev/null +++ b/0015-pppd-move-pppd-database-to-var-run-ppp.patch 
@@ -0,0 +1,44 @@ +From f2c855462ff56be4121409c7e048cd2503fe0ccf Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Mon, 7 Apr 2014 14:26:20 +0200 +Subject: [PATCH 15/27] pppd: move pppd database to /var/run/ppp + +Resolves: #560014 +--- + pppd/pathnames.h | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index bef3160..24e010c 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -6,8 +6,9 @@ + + #ifdef HAVE_PATHS_H + #include +- ++#define _PPP_SUBDIR "ppp/" + #else /* HAVE_PATHS_H */ ++#define _PPP_SUBDIR + #ifndef _PATH_VARRUN + #define _PATH_VARRUN "/etc/ppp/" + #endif +@@ -46,13 +47,9 @@ + #endif /* IPX_CHANGE */ + + #ifdef __STDC__ +-#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN "pppd2.tdb" ++#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb" + #else /* __STDC__ */ +-#ifdef HAVE_PATHS_H +-#define _PATH_PPPDB "/var/run/pppd2.tdb" +-#else +-#define _PATH_PPPDB "/etc/ppp/pppd2.tdb" +-#endif ++#define _PATH_PPPDB _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb" + #endif /* __STDC__ */ + + #ifdef PLUGIN +-- +1.8.3.1 + diff --git a/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch b/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch new file mode 100644 index 0000000..b7f7c91 --- /dev/null +++ b/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch 
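Review bot: The new `_PATH_PPPDB` in the second hunk of the embedded pathnames.h diff resolves to `/var/run/ppp/pppd2.tdb`, but nothing in this patch creates `/var/run/ppp/`; pppd runs as root and writes the tdb there, so that directory must exist with root ownership and a non-world-writable mode before the first run, presumably arranged by the spec file or a tmpfiles entry that is not visible here. A line in the patch description such as `Requires /var/run/ppp to exist (created by the package, mode 0755 root:root)` would make that dependency explicit for the next packager. The `_PPP_SUBDIR` name follows the reserved-prefix convention the header already uses for `_PATH_VARRUN`, so it is consistent with the file even though such identifiers are technically reserved.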
@@ -0,0 +1,115 @@ +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux +index 3cd9101..9918091 100644 +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux +@@ -16,6 +16,7 @@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin ++MANDIR = $(DESTDIR)/share/man/man8 + LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(PPPDVERSION) + + PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) +@@ -46,6 +47,7 @@ install: all + $(LN_S) pppoe.so $(LIBDIR)/rp-pppoe.so + $(INSTALL) -d -m 755 $(BINDIR) + $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) ++ $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) + + clean: + rm -f *.o *.so pppoe-discovery +diff --git a/pppd/plugins/pppoe/pppoe-discovery.8 b/pppd/plugins/pppoe/pppoe-discovery.8 +new file mode 100644 +index 0000000..d0a93db +--- /dev/null ++++ b/pppd/plugins/pppoe/pppoe-discovery.8 +@@ -0,0 +1,86 @@ ++.\" pppoe-discovery.8 written by ++.\" Ben Hutchings , based on pppoe.8. ++.\" Licenced under the GPL version 2 or later. ++.TH PPPOE-DISCOVERY 8 ++.SH NAME ++pppoe\-discovery \- perform PPPoE discovery ++.SH SYNOPSIS ++.B pppoe\-discovery ++[ ++.I options ++] ++.br ++.BR pppoe\-discovery " { " \-V " | " \-h " }" ++.SH DESCRIPTION ++.LP ++\fBpppoe\-discovery\fR performs the same discovery process as ++\fBpppoe\fR, but does not initiate a session. ++It sends a PADI packet and then prints the names of access ++concentrators in each PADO packet it receives. ++.SH OPTIONS ++.TP ++.BI \-I " interface" ++.RS ++The \fB\-I\fR option specifies the Ethernet interface to use. ++Under Linux, it is typically eth0 or eth1. ++The interface should be \(lqup\(rq before you start ++\fBpppoe\-discovery\fR, but should \fInot\fR be configured to have an ++IP address. ++The default interface is eth0. 
++.RE ++.TP ++.BI \-D " file_name" ++.RS ++The \fB\-D\fR option causes every packet to be dumped to the specified ++\fIfile_name\fR. ++This is intended for debugging only. ++.RE ++.TP ++.B \-U ++.RS ++Causes \fBpppoe\-discovery\fR to use the Host-Uniq tag in its discovery ++packets. ++This lets you run multiple instances of \fBpppoe\-discovery\fR and/or ++\fBpppoe\fR without having their discovery packets interfere with one ++another. ++You must supply this option to \fIall\fR instances that you intend to ++run simultaneously. ++.RE ++.TP ++.BI \-S " service_name" ++.RS ++Specifies the desired service name. ++\fBpppoe\-discovery\fR will only accept access concentrators which can ++provide the specified service. ++In most cases, you should \fInot\fR specify this option. ++Use it only if you know that there are multiple access concentrators ++or know that you need a specific service name. ++.RE ++.TP ++.BI \-C " ac_name" ++.RS ++Specifies the desired access concentrator name. ++\fBpppoe\-discovery\fR will only accept the specified access ++concentrator. ++In most cases, you should \fInot\fR specify this option. ++Use it only if you know that there are multiple access concentrators. ++If both the \fB\-S\fR and \fB\-C\fR options are specified, they must ++\fIboth\fR match. ++.RE ++.TP ++.B \-A ++.RS ++This option is accepted for compatibility with \fBpppoe\fR, but has no ++effect. ++.RE ++.TP ++.BR \-V " | " \-h ++.RS ++Either of these options causes \fBpppoe\-discovery\fR to print its ++version number and usage information, then exit. ++.RE ++.SH AUTHORS ++\fBpppoe\-discovery\fR was written by Marco d'Itri , ++based on \fBpppoe\fR by David F. Skoll . ++.SH SEE ALSO ++pppoe(8), pppoe-sniff(8) +-- +1.8.3.1 + diff --git a/0018-scritps-fix-ip-up.local-sample.patch b/0018-scritps-fix-ip-up.local-sample.patch new file mode 100644 index 0000000..c36e0b8 --- /dev/null +++ b/0018-scritps-fix-ip-up.local-sample.patch 
@@ -0,0 +1,27 @@ +From 40960f91cdd06da387616ec838ae2599e7f01cee Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Mon, 7 Apr 2014 15:24:01 +0200 +Subject: [PATCH 18/27] scritps: fix ip-up.local sample + +Resolves: #613717 +--- + scripts/ip-up.local.add | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add +index 26cf5f8..282337c 100644 +--- a/scripts/ip-up.local.add ++++ b/scripts/ip-up.local.add +@@ -18,6 +18,9 @@ if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then + rscf=/var/run/ppp/resolv.new + grep domain /var/run/ppp/resolv.prev > $rscf + grep search /var/run/ppp/resolv.prev >> $rscf ++ if [ -f /var/run/ppp/resolv.conf ]; then ++ cat /var/run/ppp/resolv.conf >> $rscf ++ fi + change_resolv_conf $rscf + rm -f $rscf + else +-- +1.8.3.1 + diff --git a/0020-pppd-put-lock-files-in-var-lock-ppp.patch b/0020-pppd-put-lock-files-in-var-lock-ppp.patch new file mode 100644 index 0000000..93d26c5 --- /dev/null +++ b/0020-pppd-put-lock-files-in-var-lock-ppp.patch @@ -0,0 +1,26 @@ +From c5a5f795b1defcb6d168e79c4d1fc371dfc556ca Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Wed, 9 Apr 2014 09:29:50 +0200 +Subject: [PATCH 20/27] pppd: put lock files in /var/lock/ppp + +Resolves: #708260 +--- + pppd/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pppd/utils.c b/pppd/utils.c +index 6051b9a..8407492 100644 +--- a/pppd/utils.c ++++ b/pppd/utils.c +@@ -846,7 +846,7 @@ complete_read(int fd, void *buf, size_t count) + /* Procedures for locking the serial device using a lock file. */ + #ifndef LOCK_DIR + #ifdef __linux__ +-#define LOCK_DIR "/var/lock" ++#define LOCK_DIR "/var/lock/ppp" + #else + #ifdef SVR4 + #define LOCK_DIR "/var/spool/locks" +-- +1.8.3.1 + diff --git a/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch b/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch new file mode 100644 index 0000000..23b1f93 --- /dev/null 
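Review bot: The added `if [ -f /var/run/ppp/resolv.conf ]` test in the ip-up.local.add hunk is redundant, because the hunk header shows the enclosing branch already requires `-f /var/run/ppp/resolv.conf`; a bare `cat /var/run/ppp/resolv.conf >> $rscf` would express the intent without the second check. If the guard is kept on purpose, for example against the file disappearing between the two tests, a comment saying so would help, e.g. `# re-check: the file may be removed by a concurrent ip-down`. The enclosing `if` starts before this hunk and its `else` branch continues past it.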
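Review bot: Changing `LOCK_DIR` to `/var/lock/ppp` in the utils.c hunk moves pppd's serial-device lock files out of the directory other serial programs on the same host conventionally check, so if any of them still lock under `/var/lock` the two sides stop seeing each other's locks, which defeats the purpose the hunk's context comment describes ("locking the serial device using a lock file"). The new directory also has to exist and be writable by pppd before the first lock is taken, which nothing in this patch arranges; presumably the spec or a tmpfiles entry does. A short note in the patch description recording both constraints, e.g. `Needs /var/lock/ppp created by the package; programs locking in /var/lock will not see these locks`, would save the next packager from rediscovering them.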
+++ b/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch @@ -0,0 +1,20 @@ +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux +index 2df887b..6cb8397 100644 +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux +@@ -43,12 +43,12 @@ pppoe.so: plugin.o discovery.o if.o common.o + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +- $(INSTALL) -c -m 4550 pppoe.so $(LIBDIR) ++ $(INSTALL) -c -m 755 pppoe.so $(LIBDIR) + # Symlink for backward compatibility + $(LN_S) pppoe.so $(LIBDIR)/rp-pppoe.so + $(INSTALL) -d -m 755 $(BINDIR) +- $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) +- $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) ++ $(INSTALL) -c -m 755 pppoe-discovery $(BINDIR) ++ $(INSTALL) -c -m 644 pppoe-discovery.8 $(MANDIR) + + clean: + rm -f *.o *.so pppoe-discovery diff --git a/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch b/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch new file mode 100644 index 0000000..9982d92 --- /dev/null +++ b/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch @@ -0,0 +1,26 @@ +From 0fdb22ef3d3cc3b297372451d60bd6c61d047d27 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 10 Apr 2014 10:08:41 +0200 +Subject: [PATCH 24/27] build-sys: install pppoatm plugin files with standard + perms + +--- + pppd/plugins/pppoatm/Makefile.linux | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux +index 769794b..4c5826f 100644 +--- a/pppd/plugins/pppoatm/Makefile.linux ++++ b/pppd/plugins/pppoatm/Makefile.linux +@@ -37,7 +37,7 @@ $(PLUGIN): $(PLUGIN_OBJS) + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +- $(INSTALL) -c -m 4550 $(PLUGIN) $(LIBDIR) ++ $(INSTALL) -c -m 755 $(PLUGIN) $(LIBDIR) + + clean: + rm -f *.o *.so +-- +1.8.3.1 + 
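Review bot: This patch file carries no `From:`/`Subject:` header or description, unlike the neighbouring 0020 and 0024 patches, so the reason for relaxing the install modes (`4550` to `755` for `pppoe.so`, `555` to `755` for `pppoe-discovery`, `444` to `644` for the man page) is not recorded anywhere in the repository. A one-line header such as `Subject: build-sys: install rp-pppoe plugin files with standard perms`, plus a sentence noting that a setuid bit on a dlopen'ed plugin has no effect and that the old modes hid the files from non-root readers, would document the intent. The same mode change is made for pppoatm in 0024, which does carry a header.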
diff --git a/8d7970b8f3db727fe798b65f3377fe6787575426.patch b/8d7970b8f3db727fe798b65f3377fe6787575426.patch deleted file mode 100644 index 5d7c51b..0000000 --- a/8d7970b8f3db727fe798b65f3377fe6787575426.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001 -From: Paul Mackerras -Date: Mon, 3 Feb 2020 15:53:28 +1100 -Subject: [PATCH] pppd: Fix bounds check in EAP code - -Given that we have just checked vallen < len, it can never be the case -that vallen >= len + sizeof(rhostname). This fixes the check so we -actually avoid overflowing the rhostname array. - -Reported-by: Ilja Van Sprundel -Signed-off-by: Paul Mackerras ---- - pppd/eap.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/eap.c b/pppd/eap.c -index 94407f56..1b93db01 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -1420,7 +1420,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; -@@ -1846,7 +1846,7 @@ int len; - } - - /* Not so likely to happen. */ -- if (vallen >= len + sizeof (rhostname)) { -+ if (len - vallen >= sizeof (rhostname)) { - dbglog("EAP: trimming really long peer name down"); - BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1); - rhostname[sizeof (rhostname) - 1] = '\0'; diff --git a/FEDORA-glibc-2.28.patch b/FEDORA-glibc-2.28.patch deleted file mode 100644 index f6a6570..0000000 --- a/FEDORA-glibc-2.28.patch +++ /dev/null 
@@ -1,107 +0,0 @@ -From 3c7b86229f7bd2600d74db14b1fe5b3896be3875 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= -Date: Fri, 6 Apr 2018 14:27:18 +0200 -Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875] - -It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped -libcrypt. The libxcrypt standalone package can be used instead, but -it dropped the old setkey/encrypt API which ppp uses for DES. There -is support for using openssl in pppcrypt.c, but it contains typos -preventing it from compiling and seems to be written for an ancient -openssl version. - -This updates the code to use current openssl. - -[paulus@ozlabs.org - wrote the commit description, fixed comment in - Makefile.linux.] - -Signed-off-by: Jaroslav Škarvada -Signed-off-by: Paul Mackerras ---- - pppd/Makefile.linux | 7 ++++--- - pppd/pppcrypt.c | 18 +++++++++--------- - 2 files changed, 13 insertions(+), 12 deletions(-) ---- ppp-2.4.7.orig/pppd/Makefile.linux -+++ ppp-2.4.7/pppd/Makefile.linux -@@ -35,10 +35,10 @@ endif - COPTS = -O2 -pipe -Wall -g - LIBS = -lcrypto - --# Uncomment the next 2 lines to include support for Microsoft's -+# Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. - CHAPMS=y --USE_CRYPT=y -+#USE_CRYPT=y - # Don't use MSLANMAN unless you really know what you're doing. - #MSLANMAN=y - # Uncomment the next line to include support for MPPE. 
CHAPMS (above) must -@@ -142,7 +142,8 @@ endif - - ifdef NEEDDES - ifndef USE_CRYPT --LIBS += -ldes $(LIBS) -+CFLAGS += -I/usr/include/openssl -+LIBS += -lcrypto - else - CFLAGS += -DUSE_CRYPT=1 - endif ---- ppp-2.4.7.orig/pppd/pppcrypt.c -+++ ppp-2.4.7/pppd/pppcrypt.c -@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key w - des_key[7] = Get7Bits(key, 49); - - #ifndef USE_CRYPT -- des_set_odd_parity((des_cblock *)des_key); -+ DES_set_odd_parity((DES_cblock *)des_key); - #endif - } - -@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ - } - - #else /* USE_CRYPT */ --static des_key_schedule key_schedule; -+static DES_key_schedule key_schedule; - - bool - DesSetkey(key) - u_char *key; - { -- des_cblock des_key; -+ DES_cblock des_key; - MakeKey(key, des_key); -- des_set_key(&des_key, key_schedule); -+ DES_set_key(&des_key, &key_schedule); - return (1); - } - - bool --DesEncrypt(clear, key, cipher) -+DesEncrypt(clear, cipher) - u_char *clear; /* IN 8 octets */ - u_char *cipher; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, -- key_schedule, 1); -+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, -+ &key_schedule, 1); - return (1); - } - -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) - u_char *cipher; /* IN 8 octets */ - u_char *clear; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear, -- key_schedule, 0); -+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, -+ &key_schedule, 0); - return (1); - } - diff --git a/README.pppoatm b/README.pppoatm deleted file mode 100644 index a9dcbbc..0000000 --- a/README.pppoatm +++ /dev/null @@ -1,5 +0,0 @@ -Example of pppd use - - ./pppd plugin plugins/pppoatm.so 0.80 192.0.2.1:192.0.2.2 - -http://www.sfgoth.com/~mitch/linux/atm/pppoatm/ diff --git a/ifdown-ppp b/ifdown-ppp old mode 100755 new mode 100644 diff --git a/ifup-ppp b/ifup-ppp old mode 100755 new mode 100644 index 1893909..fb30639 --- a/ifup-ppp +++ b/ifup-ppp 
@@ -42,10 +42,10 @@ if [ "${2}" = "boot" -a "${ONBOOT}" = "no" ]; then fi [ -x /usr/sbin/pppd ] || { - gprintf "pppd does not exist or is not executable\n" - gprintf "ifup-ppp for %s exiting\n" ${DEVICE} + echo $"pppd does not exist or is not executable" + echo $"ifup-ppp for ${DEVICE} exiting" /usr/bin/logger -p daemon.info -t ifup-ppp \ - "pppd does not exist or is not executable for %s" ${DEVICE} + $"pppd does not exist or is not executable for ${DEVICE}" exit 1 } @@ -56,7 +56,7 @@ if [ "$TYPE" = "xDSL" ] ; then exit $? else /usr/bin/logger -p daemon.info -t ifup-ppp \ - "adsl-start does not exist or is not executable for %s" ${DEVICE} + $"adsl-start does not exist or is not executable for ${DEVICE}" exit 1 fi fi @@ -71,15 +71,15 @@ if [ ! -f ${PEERCONF} ]; then if [ -z "${WVDIALSECT}" ] ; then CHATSCRIPT=/etc/sysconfig/network-scripts/chat-${DEVNAME} [ -f ${CHATSCRIPT} ] || { - gprintf "/etc/sysconfig/network-scripts/chat-%s does not exist\n" ${DEVNAME} - gprintf "ifup-ppp for %s exiting\n" ${DEVNAME} + echo $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist" + echo $"ifup-ppp for ${DEVNAME} exiting" /usr/bin/logger -p daemon.info -t ifup-ppp \ - "/etc/sysconfig/network-scripts/chat-%s does not exist for %s" ${DEVNAME} ${DEVICE} + $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist for ${DEVICE}" exit 1 } fi /usr/bin/logger -s -p daemon.notice -t ifup-ppp \ - "Setting up a new %s config file" ${PEERCONF} + $"Setting up a new ${PEERCONF} config file" if [ -f /etc/ppp/peers/${DEVICE} ]; then cp -f /etc/ppp/peers/${DEVICE} ${PEERCONF} else @@ -139,7 +139,7 @@ else fi /usr/bin/logger -p daemon.info -t ifup-ppp \ - "pppd started for %s on %s at %s" ${DEVNAME} ${MODEMPORT} ${LINESPEED} + $"pppd started for ${DEVNAME} on ${MODEMPORT} at ${LINESPEED}" $exec pppd $opts ${MODEMPORT} ${LINESPEED} \ ipparam ${DEVNAME} linkname ${DEVNAME} call ${DEVNAME}\ diff --git a/ip-down b/ip-down index e77af59..bfb0871 100644 --- a/ip-down +++ b/ip-down 
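Review bot: The file header before this hunk changes `ifup-ppp` (and `ifdown-ppp`) from mode 100755 to 100644, so as checked in the scripts are no longer executable; they are presumably invoked directly by the network-scripts framework, so either the spec must reinstall them with the executable bit (not visible here) or the repository mode should be restored. The hunk itself only swaps `gprintf` for `echo $"..."`, which is fine, but `${DEVICE}` is now expanded inside the localized string, so the message-catalog entry must use the literal `${DEVICE}` text as its key. The same applies to the other three ifup-ppp hunks on this line.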
@@ -8,30 +8,10 @@ export PATH LOGDEVICE=$6 REALDEVICE=$1 -export PATH=/sbin:/usr/sbin:/bin:/usr/bin - -cp -f /etc/resolv.conf /etc/resolv.conf.tmp -fgrep -v "# ppp temp entry" /etc/resolv.conf.tmp > /etc/resolv.conf -chmod 0644 /etc/resolv.conf -rm -f /etc/resolv.conf.tmp - /etc/ppp/ip-down.ipv6to4 ${LOGDEVICE} [ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local "$@" -# These variables are for the use of the scripts run by run-parts -PPP_IFACE="$1" -PPP_TTY="$2" -PPP_SPEED="$3" -PPP_LOCAL="$4" -PPP_REMOTE="$5" -PPP_IPPARAM="$6" -export PPP_IFACE PPP_TTY PPP_SPEED PPP_LOCAL PPP_REMOTE PPP_IPPARAM - -if [ -d /etc/ppp/ip-down.d/ -a -x /usr/bin/run-parts ]; then - /usr/bin/run-parts /etc/ppp/ip-down.d/ -fi - /etc/sysconfig/network-scripts/ifdown-post --realdevice ${REALDEVICE} \ ifcfg-${LOGDEVICE} diff --git a/ip-up b/ip-up index bd6d3f9..e610674 100644 --- a/ip-up +++ b/ip-up @@ -1,6 +1,6 @@ #!/bin/bash # This file should not be modified -- make local changes to -# /etc/ppp/ip-up.local or put scripts in /etc/ppp/ip-up.d instead +# /etc/ppp/ip-up.local instead PATH=/sbin:/usr/sbin:/bin:/usr/bin export PATH 
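Review bot: This hunk removes the `run-parts /etc/ppp/ip-down.d/` block and the exported `PPP_*` variables, so any scripts an administrator has placed in `/etc/ppp/ip-down.d/` are silently no longer run; the ip-up hunk further down drops `/etc/ppp/ip-up.d/` in the same way. Nothing replaces that extension point, and while ip-up's header comment is updated in its first hunk to stop mentioning the `.d` directory, ip-down's lines 1–7 are not touched, so its header comment, if it mirrors ip-up's, is presumably now stale. Either keep the run-parts hooks or record the removal in the package changelog and fix the ip-down comment. Dropping the resolv.conf cleanup here is consistent with ip-up no longer appending `# ppp temp entry` lines.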
@@ -8,32 +8,10 @@ export PATH LOGDEVICE=$6 REALDEVICE=$1 -if [ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ]; then - /etc/sysconfig/network-scripts/ifup-post --realdevice ${REALDEVICE} ifcfg-${LOGDEVICE} -else - [ -n "$DNS1" ] && echo "nameserver $DNS1 # ppp temp entry" >> /etc/resolv.conf - [ -n "$DNS2" ] && echo "nameserver $DNS2 # ppp temp entry" >> /etc/resolv.conf -fi +[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post --realdevice ${REALDEVICE} ifcfg-${LOGDEVICE} /etc/ppp/ip-up.ipv6to4 ${LOGDEVICE} [ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" -# These variables are for the use of the scripts run by run-parts -PPP_IFACE="$1" -PPP_TTY="$2" -PPP_SPEED="$3" -PPP_LOCAL="$4" -PPP_REMOTE="$5" -PPP_IPPARAM="$6" -export PPP_IFACE PPP_TTY PPP_SPEED PPP_LOCAL PPP_REMOTE PPP_IPPARAM - -if [ -d /etc/ppp/ip-up.d/ -a -x /usr/bin/run-parts ]; then - /usr/bin/run-parts /etc/ppp/ip-up.d/ -fi - -if [ -x /usr/sbin/sendmail ];then - /usr/sbin/sendmail -q 2>/dev/null >/dev/null & -fi - exit 0 diff --git a/ipv6-up b/ipv6-up index 54219e4..059afec 100644 --- a/ipv6-up +++ b/ipv6-up @@ -1,4 +1,4 @@ -#!/bin/sh +#!/bin/bash # # ipv6-up # @@ -50,8 +50,8 @@ CONFIG=$LOGDEVICE [ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG source_config -# Test whether IPv6 configuration is enabled for this interface, else stop -[ "$IPV6INIT" = "yes" ] || exit 0 +# Test whether IPv6 configuration is disabled for this interface +[[ "$IPV6INIT" = [nN0]* ]] && exit 0 [ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1 . /etc/sysconfig/network-scripts/network-functions-ipv6 diff --git a/ppp-2.4.2-pie.patch b/ppp-2.4.2-pie.patch deleted file mode 100644 index 81eaa92..0000000 --- a/ppp-2.4.2-pie.patch +++ /dev/null 
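Review bot: Collapsing the `if`/`else` into a single `[ -f ... ] && ifup-post ...` line drops the `else` branch that wrote `$DNS1`/`$DNS2` into `/etc/resolv.conf`, so when no `ifcfg-${LOGDEVICE}` exists, peer-supplied DNS servers are no longer applied by ip-up at all unless `/etc/ppp/ip-up.local` handles them (the ip-up.local sample patched elsewhere in this commit reads `/var/run/ppp/resolv.conf`, but only when that file is present). If that is intended, a comment at the removed branch such as `# peer DNS is applied by ip-up.local via /var/run/ppp/resolv.conf` would record it. The `&&` form also makes ifup-post's exit status the status of that line, which matters only because nothing but `exit 0` follows.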
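Review bot: The rewritten test `[[ "$IPV6INIT" = [nN0]* ]] && exit 0` in the second ipv6-up hunk inverts the default: before, IPv6 configuration ran only when `IPV6INIT=yes`; now it runs whenever `IPV6INIT` is unset, empty, or any value not starting with `n`, `N` or `0`, so `IPV6INIT=false` or `IPV6INIT=off` no longer disable it. If opt-out is intended, the comment should state that the default is enabled, e.g. `# IPv6 is configured unless IPV6INIT explicitly starts with n/N/0`, and the accepted negative spellings should probably be widened, e.g. `[[ "$IPV6INIT" = [nN0]* || "$IPV6INIT" = [fF]* || "$IPV6INIT" = [oO][fF][fF] ]] && exit 0`. The `[[ ]]` pattern match depends on the `#!/bin/bash` shebang introduced in this file's first hunk.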
@@ -1,36 +0,0 @@ -diff -Naurp ppp-2.4.4/chat/Makefile.linux ppp-2.4.4.oden/chat/Makefile.linux ---- ppp-2.4.4/chat/Makefile.linux 2008-12-17 18:26:54.000000000 +0100 -+++ ppp-2.4.4.oden/chat/Makefile.linux 2008-12-17 18:27:10.000000000 +0100 -@@ -18,10 +18,10 @@ INSTALL= install - all: chat - - chat: chat.o -- $(CC) -o chat chat.o -+ $(CC) -pie -o chat chat.o - - chat.o: chat.c -- $(CC) -c $(CFLAGS) -o chat.o chat.c -+ $(CC) -c $(CFLAGS) -fPIC -o chat.o chat.c - - install: chat - mkdir -p $(BINDIR) $(MANDIR) -diff -Naurp ppp-2.4.4/pppd/Makefile.linux ppp-2.4.4.oden/pppd/Makefile.linux ---- ppp-2.4.4/pppd/Makefile.linux 2008-12-17 18:26:54.000000000 +0100 -+++ ppp-2.4.4.oden/pppd/Makefile.linux 2008-12-17 18:27:10.000000000 +0100 -@@ -212,7 +212,7 @@ install: pppd - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) - - pppd: $(PPPDOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) -+ $(CC) $(CFLAGS) -pie $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) - - srp-entry: srp-entry.c - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) -@@ -226,3 +226,6 @@ clean: - - depend: - $(CPP) -M $(CFLAGS) $(PPPDSRCS) >.depend -+ -+%.o: %.c -+ $(CC) -c $(CFLAGS) -fPIC -o $@ $< -\ No newline at end of file diff --git a/ppp-2.4.3-etcppp.patch b/ppp-2.4.3-etcppp.patch deleted file mode 100644 index 307cf91..0000000 --- a/ppp-2.4.3-etcppp.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -Naurp ppp-2.4.4/linux/Makefile.top ppp-2.4.4.oden/linux/Makefile.top ---- ppp-2.4.4/linux/Makefile.top 2008-12-17 18:28:06.000000000 +0100 -+++ ppp-2.4.4.oden/linux/Makefile.top 2008-12-17 18:28:20.000000000 +0100 -@@ -18,7 +18,7 @@ all: - cd pppstats; $(MAKE) $(MFLAGS) all - cd pppdump; $(MAKE) $(MFLAGS) all - --install: $(BINDIR) $(RUNDIR) $(LOGDIR) $(MANDIR)/man8 install-progs install-devel -+install: $(BINDIR) $(RUNDIR) $(LOGDIR) $(MANDIR)/man8 install-progs install-devel install-etcppp - - install-progs: - cd chat; $(MAKE) $(MFLAGS) install 
diff --git a/ppp-2.4.3-libatm.patch b/ppp-2.4.3-libatm.patch deleted file mode 100644 index 7e181b7..0000000 --- a/ppp-2.4.3-libatm.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- ppp-2.4.3/pppd/plugins/pppoatm/Makefile.linux.libatm 2005-04-22 17:38:12.966429706 +0200 -+++ ppp-2.4.3/pppd/plugins/pppoatm/Makefile.linux 2005-04-22 17:38:14.484456865 +0200 -@@ -19,7 +19,7 @@ - # or leave it unset to build the few routines we actually _use_ into - # the plugin directly. - # --#HAVE_LIBATM=yes -+HAVE_LIBATM=yes - - ifdef HAVE_LIBATM - LIBS := -latm diff --git a/ppp-2.4.3-pam.conf b/ppp-2.4.3-pam.conf deleted file mode 100644 index cdb33b0..0000000 --- a/ppp-2.4.3-pam.conf +++ /dev/null @@ -1,5 +0,0 @@ -#%PAM-1.0 -auth required pam_nologin.so -auth include system-auth -account include system-auth -session include system-auth diff --git a/ppp-2.4.3-pic.patch b/ppp-2.4.3-pic.patch deleted file mode 100644 index 7990999..0000000 --- a/ppp-2.4.3-pic.patch +++ /dev/null @@ -1,37 +0,0 @@ ---- ppp-2.4.3/pppd/plugins/dhcp/Makefile.linux.pic 2002-09-30 12:21:58.000000000 +0200 -+++ ppp-2.4.3/pppd/plugins/dhcp/Makefile.linux 2005-04-22 18:16:36.631205640 +0200 -@@ -2,20 +2,30 @@ - PLUGIN=dhcpc.so - CFLAGS=-I../.. -I../../../include -O2 - -+SRCS = dhcpc.c clientpacket.c packet.c socket.c options.c -+OBJS = $(SRCS:%.c=%.lo) -+LIBS = -shared -Wl,-soname,dhcpc.so -+LTLIB = libdhcpc.la -+ - all: $(PLUGIN) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) - $(INSTALL) -s -c -m 755 dhcpc.so $(LIBDIR) - --dhcpc.so: dhcpc.o clientpacket.o packet.o socket.o options.o -- gcc -o dhcpc.so -shared dhcpc.o clientpacket.o packet.o socket.o options.o -+$(PLUGIN): $(LTLIB) -+ gcc -o $@ $(OBJS:%.lo=.libs/%.o) $(LIBS) -+ -+$(LTLIB): $(OBJS) -+ libtool --mode=link gcc $(CFLAGS) -o $@ $(OBJS) $(LIBS) - -+%.lo: %.c -+ libtool --mode=compile gcc $(CFLAGS) -c $< - - clean: -- rm -f *.o *.so -+ rm -f *.o *.lo *.so - - distclean: -- rm -f *.o *.so -+ rm -f *.o *.lo *.so - - dist-clean: distclean 
diff --git a/ppp-2.4.3-pppdump-Makefile.patch b/ppp-2.4.3-pppdump-Makefile.patch deleted file mode 100644 index 6bdebc4..0000000 --- a/ppp-2.4.3-pppdump-Makefile.patch +++ /dev/null @@ -1,8 +0,0 @@ ---- ppp-2.4.3/pppdump/Makefile.linux.pppdump-Makefile 2005-04-22 17:16:57.197750609 +0200 -+++ ppp-2.4.3/pppdump/Makefile.linux 2005-04-22 17:18:46.636667134 +0200 -@@ -18,4 +18,4 @@ - install: - mkdir -p $(BINDIR) $(MANDIR) - $(INSTALL) -s -c pppdump $(BINDIR) -- $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) -+ $(INSTALL) -c pppdump.8 $(MANDIR) diff --git a/ppp-2.4.4-multipledefrt.patch b/ppp-2.4.4-multipledefrt.patch deleted file mode 100644 index 7d723f2..0000000 --- a/ppp-2.4.4-multipledefrt.patch +++ /dev/null 
@@ -1,51 +0,0 @@ -diff -p -up ppp-2.4.4/pppd/ipcp.c.multipledefrt ppp-2.4.4/pppd/ipcp.c ---- ppp-2.4.4/pppd/ipcp.c.multipledefrt 2005-08-26 01:59:34.000000000 +0200 -+++ ppp-2.4.4/pppd/ipcp.c 2008-06-03 10:39:15.000000000 +0200 -@@ -196,6 +196,8 @@ static option_t ipcp_option_list[] = { - { "-defaultroute", o_bool, &ipcp_allowoptions[0].default_route, - "disable defaultroute option", OPT_ALIAS | OPT_A2CLR, - &ipcp_wantoptions[0].default_route }, -+ { "multipledefaultroutes", o_bool, &ipcp_wantoptions[0].multiple_def_routes, -+ "Add default route even if one already exists", 1 }, - - { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp, - "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp }, -diff -p -up ppp-2.4.4/pppd/ipcp.h.multipledefrt ppp-2.4.4/pppd/ipcp.h ---- ppp-2.4.4/pppd/ipcp.h.multipledefrt 2002-12-05 00:03:32.000000000 +0100 -+++ ppp-2.4.4/pppd/ipcp.h 2008-06-03 10:41:46.000000000 +0200 -@@ -70,6 +70,7 @@ typedef struct ipcp_options { - bool old_addrs; /* Use old (IP-Addresses) option? */ - bool req_addr; /* Ask peer to send IP address? */ - bool default_route; /* Assign default route through interface? */ -+ bool multiple_def_routes; /* Allow multiple default routes? */ - bool proxy_arp; /* Make proxy ARP entry for peer? */ - bool neg_vj; /* Van Jacobson Compression? */ - bool old_vj; /* use old (short) form of VJ option? */ -diff -p -up ppp-2.4.4/pppd/pppd.8.multipledefrt ppp-2.4.4/pppd/pppd.8 ---- ppp-2.4.4/pppd/pppd.8.multipledefrt 2008-06-03 10:35:47.000000000 +0200 -+++ ppp-2.4.4/pppd/pppd.8 2008-06-03 10:39:59.000000000 +0200 -@@ -120,6 +120,12 @@ Add a default route to the system routin - the gateway, when IPCP negotiation is successfully completed. - This entry is removed when the PPP connection is broken. This option - is privileged if the \fInodefaultroute\fR option has been specified. -+.B multipledefaultroutes -+This option is a flag to the defaultroute option. 
If defaultroute is -+set and this flag is also set, pppd will add the new default route -+even if there is already a default route, allowing multiple default -+routes. -+.TP - .TP - .B disconnect \fIscript - Execute the command specified by \fIscript\fR, by passing it to a -diff -p -up ppp-2.4.4/pppd/sys-linux.c.multipledefrt ppp-2.4.4/pppd/sys-linux.c ---- ppp-2.4.4/pppd/sys-linux.c.multipledefrt 2008-06-03 10:35:47.000000000 +0200 -+++ ppp-2.4.4/pppd/sys-linux.c 2008-06-03 10:40:14.000000000 +0200 -@@ -1588,7 +1588,7 @@ int sifdefaultroute (int unit, u_int32_t - { - struct rtentry rt; - -- if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) { -+ if (!ipcp_wantoptions[0].multiple_def_routes && defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) { - if (rt.rt_flags & RTF_GATEWAY) - error("not replacing existing default route via %I", - SIN_ADDR(rt.rt_gateway)); diff --git a/ppp-2.4.5-includes-sha1.patch b/ppp-2.4.5-includes-sha1.patch deleted file mode 100644 index 7dfac19..0000000 --- a/ppp-2.4.5-includes-sha1.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- ppp-2.4.5.tpg/pppd/sha1.c 2009-11-16 22:26:07.000000000 +0000 -+++ ppp-2.4.5.tpg/pppd/sha1.c.tpg 2009-12-31 20:15:51.000000000 +0000 -@@ -18,6 +18,7 @@ - - #include - #include /* htonl() */ -+#include /* u_int32_t */ - #include - #include "sha1.h" - diff --git a/ppp-2.4.5-libtool-tag.patch b/ppp-2.4.5-libtool-tag.patch deleted file mode 100644 index cd9a399..0000000 --- a/ppp-2.4.5-libtool-tag.patch +++ /dev/null 
@@ -1,15 +0,0 @@ ---- ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux~ 2013-02-19 13:15:32.000000000 +0100 -+++ ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux 2013-02-19 13:15:52.645439658 +0100 -@@ -17,10 +17,10 @@ $(PLUGIN): $(LTLIB) - gcc -o $@ $(OBJS:%.lo=.libs/%.o) $(LIBS) - - $(LTLIB): $(OBJS) -- libtool --mode=link gcc $(CFLAGS) -o $@ $(OBJS) $(LIBS) -+ libtool --tag=CC --mode=link gcc $(CFLAGS) -o $@ $(OBJS) $(LIBS) - - %.lo: %.c -- libtool --mode=compile gcc $(CFLAGS) -c $< -+ libtool --tag=CC --mode=compile gcc $(CFLAGS) -c $< - - clean: - rm -f *.o *.lo *.so diff --git a/ppp-2.4.5-makeopt2.patch b/ppp-2.4.5-makeopt2.patch deleted file mode 100644 index 7ce1f7b..0000000 --- a/ppp-2.4.5-makeopt2.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux 2009-12-31 19:46:24.000000000 +0000 -+++ ppp-2.4.5/pppd/plugins/dhcp/Makefile.linux.tpg 2009-12-31 19:55:34.000000000 +0000 -@@ -1,6 +1,6 @@ - - PLUGIN=dhcpc.so --CFLAGS=-I../.. -I../../../include -O2 -+CFLAGS=-I../.. -I../../../include -Wall $(RPM_OPT_FLAGS) - - SRCS = dhcpc.c clientpacket.c packet.c socket.c options.c - OBJS = $(SRCS:%.c=%.lo) diff --git a/ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch b/ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch deleted file mode 100644 index 6f9743e..0000000 --- a/ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch +++ /dev/null 
@@ -1,3231 +0,0 @@ -Origin: https://www.nikhef.nl/~janjust/ppp/ppp-2.4.7-eaptls-mppe-1.101.patch -diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls ---- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls 2018-06-02 01:42:04.021165440 +0200 -@@ -0,0 +1,286 @@ -+EAP-TLS authentication support for PPP -+====================================== -+ -+1. Intro -+ -+ The Extensible Authentication Protocol (EAP; RFC 3748) is a -+ security protocol that can be used with PPP. It provides a means -+ to plug in multiple optional authentication methods. -+ -+ Transport Level Security (TLS; RFC 2246) provides for mutual -+ authentication, integrity-protected ciphersuite negotiation and -+ key exchange between two endpoints. It also provides for optional -+ MPPE encryption. -+ -+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, -+ allowing TLS mutual authentication to be used as a generic EAP -+ mechanism. It also provides optional encryption using the MPPE -+ protocol. -+ -+ This patch provide EAP-TLS support to pppd. -+ This authentication method can be used in both client or server -+ mode. -+ -+2. Building -+ -+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) -+ is required. Any version from 0.9.7 should work. -+ -+ Configure, compile, and install as usual. -+ -+3. Configuration -+ -+ On the client side there are two ways to configure EAP-TLS: -+ -+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters -+ -+ 2. edit the /etc/ppp/eaptls-client file. -+ Insert a line for each system with which you use EAP-TLS. 
-+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ The file containing the certificate chain for the -+ client in PEM format -+ - Server certificate file -+ If you want to specify the certificate that the -+ server is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM -+ format. -+ - Client private key file -+ The file containing the client private key in PEM format. -+ -+ -+ On the server side edit the /etc/ppp/eaptls-server file. -+ Insert a line for each system with which you use EAP-TLS. -+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ If you want to specify the certificate that the -+ client is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - Server certificate file -+ The file containing the certificate chain for the -+ server in PEM format -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM format. -+ - Client private key file -+ The file containing the server private key in PEM format. -+ - addresses -+ A list of IP addresses the client is allowed to use. -+ -+ -+ OpenSSL engine support is included starting with v0.95 of this patch. -+ Currently the only engine tested is the 'pkcs11' engine (hardware token -+ support). To use the 'pksc11' engine: -+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: -+ : -+ e.g. -+ pkcs11:123456 -+ -+ - The certificate can also be loaded from the 'pkcs11' engine using -+ a special client certificate filename in the /etc/ppp/eaptls-client file: -+ : -+ e.g. 
-+ pkcs11:123456 -+ -+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior -+ to starting 'pppd'. A sample openssl.cnf file is -+ -+ openssl_conf = openssl_def -+ -+ [ openssl_def ] -+ engines = engine_section -+ -+ [ engine_section ] -+ pkcs11 = pkcs11_section -+ -+ [ pkcs11_section ] -+ engine_id = pkcs11 -+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+ MODULE_PATH = /usr/lib64/libeTPkcs11.so -+ init = 0 -+ -+ - There are two ways to specify a password/PIN for the PKCS11 engine: -+ - inside the openssl.cnf file using -+ PIN = your-secret-pin -+ Note The keyword 'PIN' is case sensitive! -+ - Using the 'password' in the ppp options file. -+ From v0.97 of the eap-tls patch the password can also be supplied -+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c -+ for an example). -+ -+ -+4. Options -+ -+ These pppd options are available: -+ -+ ca -+ Use the CA public certificate found in in PEM format -+ cert -+ Use the client public certificate found in in PEM format -+ or in engine:engine_id format -+ key -+ Use the client private key found in in PEM format -+ or in engine:engine_id format -+ crl -+ Use the Certificate Revocation List (CRL) file in PEM format. -+ crl-dir -+ Use CRL files from directory . It contains CRL files in PEM -+ format and each file contains a CRL. The files are looked up -+ by the issuer name hash value. Use the c_rehash utility -+ to create necessary links. -+ need-peer-eap -+ If the peer doesn't ask us to authenticate or doesn't use eap -+ to authenticate us, disconnect. -+ -+ Note: -+ password-encrypted certificates can be used as of v0.94 of this -+ patch. The password for the eap-tls.key file is specified using -+ the regular -+ password .... -+ statement in the ppp options file, or by using the appropriate -+ plugin which supplies a 'eaptls_passwd_hook' routine. -+ -+5. 
Connecting -+ -+ If you're setting up a pppd server, edit the EAP-TLS configuration file -+ as written above and then run pppd with the 'auth' option to authenticate -+ the client. The EAP-TLS method will be used if the other eap methods can't -+ be used (no secrets). -+ -+ If you're setting up a client, edit the configuration file and then run -+ pppd with 'remotename' option to specify the server name. Add the -+ 'need-peer-eap' option if you want to be sure the peer ask you to -+ authenticate (and to use eap) and to disconnect if it doesn't. -+ -+6. Example -+ -+ The following example can be used to connect a Linux client with the 'pptp' -+ package to a Linux server running the 'pptpd' (PoPToP) package. The server -+ was configured with a certificate with name (CN) 'pptp-server', the client -+ was configured with a certificate with name (CN) 'pptp-client', both -+ signed by the same Certificate Authority (CA). -+ -+ Server side: -+ - /etc/pptpd.conf file: -+ option /etc/ppp/options-pptpd-eaptls -+ localip 172.16.1.1 -+ remoteip 172.16.1.10-20 -+ - /etc/ppp/options-pptpd-eaptls file: -+ name pptp-server -+ lock -+ mtu 1500 -+ mru 1450 -+ auth -+ lcp-echo-failure 3 -+ lcp-echo-interval 5 -+ nodeflate -+ nobsdcomp -+ nopredictor1 -+ nopcomp -+ noaccomp -+ -+ require-eap -+ require-mppe-128 -+ -+ crl /home/janjust/ppp/keys/crl.pem -+ -+ debug -+ logfile /tmp/pppd.log -+ -+ - /etc/ppp/eaptls-server file: -+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * -+ -+ - On the server, run -+ pptdp --conf /etc/pptpd.conf -+ -+ Client side: -+ - Run -+ pppd noauth require-eap require-mppe-128 \ -+ ipcp-accept-local ipcp-accept-remote noipdefault \ -+ cert /etc/ppp/keys/pptp-client.crt \ -+ key /etc/ppp/keys/pptp-client.key \ -+ ca /etc/ppp/keys/ca.crt \ -+ name pptp-client remotename pptp-server \ -+ debug logfile /tmp/pppd.log -+ pty "pptp pptp-server.example.com --nolaunchpppd" -+ -+ Check /var/log/messages and the files /tmp/pppd.log on 
both sides for debugging info. -+ -+7. Notes -+ -+ This is experimental code. -+ Send suggestions and comments to Jan Just Keijser -+ -+8. Changelog of ppp-<>-eaptls-mppe-* patches -+ -+v0.7 (22-Nov-2005) -+ - First version of the patch to include MPPE support -+ - ppp-2.4.3 only -+v0.9 (25-Jul-2006) -+ - Bug fixes -+ - First version for ppp-2.4.4 -+v0.91 (03-Sep-2006) -+ - Added missing #include for md5.h -+ - Last version for ppp-2.4.3 -+v0.92 (22-Apr-2008) -+ - Fix for openssl 0.9.8 issue with md5 function overload. -+v0.93 (14-Aug-2008) -+ - Make sure 'noauth' option can be used to bypass server certificate verification. -+v0.94 (15-Oct-2008) -+ - Added support for password-protected private keys by (ab)using the 'password' field. -+v0.95 (23-Dec-2009) -+ - First version with OpenSSL engine support. -+v0.96 (27-Jan-2010) -+ - Added fully functional support for OpenSSL engines (PKCS#11) -+ - First version for ppp-2.4.5 -+v0.97 (20-Apr-2010) -+ - Some bug fixes for v0.96 -+ - Added support for entering the password via a plugin. The sample plugin -+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. -+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. -+ - Added support for specifying the client CA, certificate and private key on the command-line -+ or via the ppp config file. -+v0.98 (20-Apr-2010) -+ - Fix initialisation bug when using ca/cert/key command-line options. -+ - Last version for ppp-2.4.4 -+v0.99 (05-Oct-2010) -+ - Fix coredump when using multilink option. -+v0.991 (08-Aug-2011) -+ - Fix compilation issue with openssl 1.0. -+v0.992 (01-Dec-2011) -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. -+v0.993 (24-Apr-2012) -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. -+v0.994 (11-Jun-2012) -+ - Fix compilation issue on Ubuntu 11.10. -+v0.995 (27-May-2014) -+ - Add support for a CRL file using the command-line option 'crl' -+ (prior only 'crl-dir' was supported). 
-+ - Fix segfault when pkcs11 enginename was not specified correctly. -+ - Fix segfault when client was misconfigured. -+ - Disable SSL Session Ticket support as Windows 8 does not support this. -+v0.996 (28-May-2014) -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' -+ - Add EAP-TLS-specific options to pppd.8 manual page. -+ - Updated README.eap-tls file with new options and provide an example. -+v0.997 (19-Jun-2014) -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET -+ - Fix bug in initialisation code with fragmented packets. -+v0.998 (13-Mar-2015) -+ - Added fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 -+v0.999 (11-May-2017) -+ - Added support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. -+v1.101 (1-Jun-2018) -+ - Fix vulnerabilities CVE-2018-11574. -+ -diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client ---- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client 2018-06-02 01:42:04.021165440 +0200 -@@ -0,0 +1,10 @@ -+# Parameters for authentication using EAP-TLS (client) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (required) -+# server certificate file (optional, if unused put '-') -+# CA certificate file (required) -+# client private key file (required) -+ -+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server ---- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server 2018-06-02 01:42:04.021165440 +0200 -@@ -0,0 +1,11 @@ -+# Parameters for authentication using EAP-TLS (server) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (optional, if unused put '-') -+# server certificate file (required) -+# CA certificate 
file (required) -+# server private key file (required) -+# allowed addresses (required, can be *) -+ -+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf ---- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf 2018-06-02 01:42:04.021165440 +0200 -@@ -0,0 +1,14 @@ -+openssl_conf = openssl_def -+ -+[ openssl_def ] -+engines = engine_section -+ -+[ engine_section ] -+pkcs11 = pkcs11_section -+ -+[ pkcs11_section ] -+engine_id = pkcs11 -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+MODULE_PATH = /usr/lib64/libeTPkcs11.so -+init = 0 -+ -diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top ---- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top 2018-06-02 01:42:04.021165440 +0200 -@@ -26,7 +26,7 @@ - cd pppdump; $(MAKE) $(MFLAGS) install - - install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ -- $(ETCDIR)/chap-secrets -+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client - - install-devel: - cd pppd; $(MAKE) $(MFLAGS) install-devel -@@ -37,6 +37,10 @@ - $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ - $(ETCDIR)/chap-secrets: - $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ -+$(ETCDIR)/eaptls-server: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ -+$(ETCDIR)/eaptls-client: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ - - $(BINDIR): - $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux 2018-06-02 01:42:04.021165440 +0200 -@@ -76,6 +76,9 @@ - # Use libutil - USE_LIBUTIL=y - -+# Enable EAP-TLS authentication (requires libssl and libcrypto) 
-+USE_EAPTLS=y -+ - MAXOCTETS=y - - INCLUDE_DIRS= -I../include -@@ -115,6 +118,15 @@ - PPPDOBJS += sha1.o - endif - -+# EAP-TLS -+ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include -+LIBS += -lssl -lcrypto -+PPPDSRC += eap-tls.c -+HEADERS += eap-tls.h -+PPPDOBJS += eap-tls.o -+endif -+ - ifdef HAS_SHADOW - CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) -diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c ---- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c 2018-06-02 01:42:04.022165436 +0200 -@@ -109,6 +109,9 @@ - #include "upap.h" - #include "chap-new.h" - #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif - #ifdef CBCP_SUPPORT - #include "cbcp.h" - #endif -@@ -183,6 +186,11 @@ - /* Hook for a plugin to get the CHAP password for authenticating us */ - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; - -+#ifdef USE_EAPTLS -+/* Hook for a plugin to get the EAP-TLS password for authenticating us */ -+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; -+#endif -+ - /* Hook for a plugin to say whether it is OK if the peer - refuses to authenticate. 
*/ - int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,14 @@ - bool explicit_user = 0; /* Set if "user" option supplied */ - bool explicit_passwd = 0; /* Set if "password" option supplied */ - char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ -+#ifdef USE_EAPTLS -+char *cacert_file = NULL; /* CA certificate file (pem format) */ -+char *cert_file = NULL; /* client certificate file (pem format) */ -+char *privkey_file = NULL; /* client private key file (pem format) */ -+char *crl_dir = NULL; /* directory containing CRL files */ -+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ -+bool need_peer_eap = 0; /* Require peer to authenticate us */ -+#endif - - static char *uafname; /* name of most recent +ua file */ - -@@ -254,6 +270,19 @@ - static int have_chap_secret __P((char *, char *, int, int *)); - static int have_srp_secret __P((char *client, char *server, int need_ip, - int *lacks_ipp)); -+ -+#ifdef USE_EAPTLS -+static int have_eaptls_secret_server -+__P((char *client, char *server, int need_ip, int *lacks_ipp)); -+static int have_eaptls_secret_client __P((char *client, char *server)); -+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, -+ char *cli_cert, char *serv_cert, -+ char *ca_cert, char *pk, -+ struct wordlist ** addrs, -+ struct wordlist ** opts, -+ char *filename, int flags)); -+#endif -+ - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); - static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, struct wordlist **, -@@ -401,6 +430,15 @@ - "Set telephone number(s) which are allowed to connect", - OPT_PRIV | OPT_A2LIST }, - -+#ifdef USE_EAPTLS -+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, -+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, -+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, -+ { "crl-dir", o_string, &crl_dir, "Use 
CRLs in directory" }, -+ { "crl", o_string, &crl_file, "Use specific CRL file" }, -+ { "need-peer-eap", o_bool, &need_peer_eap, -+ "Require the peer to authenticate us", 1 }, -+#endif /* USE_EAPTLS */ - { NULL } - }; - -@@ -730,6 +768,9 @@ - lcp_options *wo = &lcp_wantoptions[unit]; - lcp_options *go = &lcp_gotoptions[unit]; - lcp_options *ho = &lcp_hisoptions[unit]; -+#ifdef USE_EAPTLS -+ lcp_options *ao = &lcp_allowoptions[unit]; -+#endif - int i; - struct protent *protp; - -@@ -764,6 +805,22 @@ - } - } - -+#ifdef USE_EAPTLS -+ if (need_peer_eap && !ao->neg_eap) { -+ warn("eap required to authenticate us but no suitable secrets"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_AUTH_TOPEER_FAILED; -+ return; -+ } -+ -+ if (need_peer_eap && !ho->neg_eap) { -+ warn("peer doesn't want to authenticate us with eap"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_PEER_AUTH_FAILED; -+ return; -+ } -+#endif -+ - new_phase(PHASE_AUTHENTICATE); - auth = 0; - if (go->neg_eap) { -@@ -1277,6 +1334,15 @@ - our_name, 1, &lacks_ip); - } - -+#ifdef USE_EAPTLS -+ if (!can_auth && wo->neg_eap) { -+ can_auth = -+ have_eaptls_secret_server((explicit_remote ? remote_name : -+ NULL), our_name, 1, &lacks_ip); -+ -+ } -+#endif -+ - if (auth_required && !can_auth && noauth_addrs == NULL) { - if (default_auth) { - option_error( -@@ -1331,7 +1397,11 @@ - passwd[0] != 0 || - (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, - (explicit_remote? remote_name: NULL), 0, NULL))) || -- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); -+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) -+#ifdef USE_EAPTLS -+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) -+#endif -+ ); - - hadchap = -1; - if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1416,14 @@ - !have_chap_secret((explicit_remote? remote_name: NULL), our_name, - 1, NULL))) && - !have_srp_secret((explicit_remote? 
remote_name: NULL), our_name, 1, -- NULL)) -+ NULL) -+#ifdef USE_EAPTLS -+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), -+ our_name, 1, NULL) -+#endif -+ ) - go->neg_eap = 0; -+ - } - - -@@ -1707,6 +1783,7 @@ - } - - -+ - /* - * get_secret - open the CHAP secret file and return the secret - * for authenticating the given client on the given server. -@@ -2359,3 +2436,335 @@ - - auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); - } -+ -+ -+#ifdef USE_EAPTLS -+static int -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp) -+ char *client; -+ char *server; -+ int need_ip; -+ int *lacks_ipp; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ filename = _PATH_EAPTLSSERVFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, -+ clicertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { -+ if (lacks_ipp != 0) -+ *lacks_ipp = 1; -+ ret = -1; -+ } -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+have_eaptls_secret_client(client, server) -+ char *client; -+ char *server; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs = NULL; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ if (cacert_file && 
cert_file && privkey_file) -+ return 1; -+ -+ filename = _PATH_EAPTLSCLIFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, -+ servcertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, -+ addrs, opts, filename, flags) -+ FILE *f; -+ char *client; -+ char *server; -+ char *cli_cert; -+ char *serv_cert; -+ char *ca_cert; -+ char *pk; -+ struct wordlist **addrs; -+ struct wordlist **opts; -+ char *filename; -+ int flags; -+{ -+ int newline; -+ int got_flag, best_flag; -+ struct wordlist *ap, *addr_list, *alist, **app; -+ char word[MAXWORDLEN]; -+ -+ if (addrs != NULL) -+ *addrs = NULL; -+ if (opts != NULL) -+ *opts = NULL; -+ addr_list = NULL; -+ if (!getword(f, word, &newline, filename)) -+ return -1; /* file is empty??? */ -+ newline = 1; -+ best_flag = -1; -+ for (;;) { -+ /* -+ * Skip until we find a word at the start of a line. -+ */ -+ while (!newline && getword(f, word, &newline, filename)); -+ if (!newline) -+ break; /* got to end of file */ -+ -+ /* -+ * Got a client - check if it's a match or a wildcard. -+ */ -+ got_flag = 0; -+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { -+ newline = 0; -+ continue; -+ } -+ if (!ISWILD(word)) -+ got_flag = NONWILD_CLIENT; -+ -+ /* -+ * Now get a server and check if it matches. -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (!ISWILD(word)) { -+ if (server != NULL && strcmp(word, server) != 0) -+ continue; -+ got_flag |= NONWILD_SERVER; -+ } -+ -+ /* -+ * Got some sort of a match - see if it's better than what -+ * we have already. 
-+ */ -+ if (got_flag <= best_flag) -+ continue; -+ -+ /* -+ * Get the cli_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(cli_cert, word, MAXWORDLEN); -+ } else -+ cli_cert[0] = 0; -+ -+ /* -+ * Get serv_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(serv_cert, word, MAXWORDLEN); -+ } else -+ serv_cert[0] = 0; -+ -+ /* -+ * Get ca_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(ca_cert, word, MAXWORDLEN); -+ -+ /* -+ * Get pk -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(pk, word, MAXWORDLEN); -+ -+ -+ /* -+ * Now read address authorization info and make a wordlist. -+ */ -+ app = &alist; -+ for (;;) { -+ if (!getword(f, word, &newline, filename) || newline) -+ break; -+ ap = (struct wordlist *) -+ malloc(sizeof(struct wordlist) + strlen(word) + 1); -+ if (ap == NULL) -+ novm("authorized addresses"); -+ ap->word = (char *) (ap + 1); -+ strcpy(ap->word, word); -+ *app = ap; -+ app = &ap->next; -+ } -+ *app = NULL; -+ /* -+ * This is the best so far; remember it. 
-+ */ -+ best_flag = got_flag; -+ if (addr_list) -+ free_wordlist(addr_list); -+ addr_list = alist; -+ -+ if (!newline) -+ break; -+ } -+ -+ /* scan for a -- word indicating the start of options */ -+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) -+ if (strcmp(ap->word, "--") == 0) -+ break; -+ /* ap = start of options */ -+ if (ap != NULL) { -+ ap = ap->next; /* first option */ -+ free(*app); /* free the "--" word */ -+ *app = NULL; /* terminate addr list */ -+ } -+ if (opts != NULL) -+ *opts = ap; -+ else if (ap != NULL) -+ free_wordlist(ap); -+ if (addrs != NULL) -+ *addrs = addr_list; -+ else if (addr_list != NULL) -+ free_wordlist(addr_list); -+ -+ return best_flag; -+} -+ -+ -+int -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, am_server) -+ int unit; -+ char *client; -+ char *server; -+ char *clicertfile; -+ char *servcertfile; -+ char *cacertfile; -+ char *pkfile; -+ int am_server; -+{ -+ FILE *fp; -+ int ret; -+ char *filename = NULL; -+ struct wordlist *addrs = NULL; -+ struct wordlist *opts = NULL; -+ -+ /* in client mode the ca+cert+privkey can also be specified as options */ -+ if (!am_server && cacert_file && cert_file && privkey_file ) -+ { -+ strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); -+ strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ servcertfile[0] = '\0'; -+ } -+ else -+ { -+ filename = (am_server ? 
_PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); -+ addrs = NULL; -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) -+ { -+ error("Can't open eap-tls secret file %s: %m", filename); -+ return 0; -+ } -+ -+ check_access(fp, filename); -+ -+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, &opts, filename, 0); -+ -+ fclose(fp); -+ -+ if (ret < 0) return 0; -+ } -+ -+ if (eaptls_passwd_hook) -+ { -+ dbglog( "Calling eaptls password hook" ); -+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) -+ { -+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", -+ client, pkfile); -+ return 0; -+ } -+ } -+ if (am_server) -+ set_allowed_addrs(unit, addrs, opts); -+ else if (opts != NULL) -+ free_wordlist(opts); -+ if (addrs != NULL) -+ free_wordlist(addrs); -+ -+ return 1; -+} -+#endif -+ -diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c ---- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c 2018-06-02 01:42:04.022165436 +0200 -@@ -540,6 +540,9 @@ - if (go->mppe) { - ccp_options *ao = &ccp_allowoptions[f->unit]; - int auth_mschap_bits = auth_done[f->unit]; -+#ifdef USE_EAPTLS -+ int auth_eap_bits = auth_done[f->unit]; -+#endif - int numbits; - - /* -@@ -567,8 +570,23 @@ - lcp_close(f->unit, "MPPE required but not available"); - return; - } -+ -+#ifdef USE_EAPTLS -+ /* -+ * MPPE is also possible in combination with EAP-TLS. -+ * It is not possible to detect if we're doing EAP or EAP-TLS -+ * at this stage, hence we accept all forms of EAP. If TLS is -+ * not used then the MPPE keys will not be derived anyway. 
-+ */ -+ /* Leave only the eap auth bits set */ -+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); -+ -+ if ((numbits == 0) && (auth_eap_bits == 0)) { -+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); -+#else - if (!numbits) { -- error("MPPE required, but MS-CHAP[v2] auth not performed."); -+ error("MPPE required, but MS-CHAP[v2] auth not performed."); -+#endif - lcp_close(f->unit, "MPPE required but not available"); - return; - } -diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c ---- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c 2018-06-02 01:42:04.022165436 +0200 -@@ -36,7 +36,11 @@ - #include "chap-new.h" - #include "chap-md5.h" - #include "magic.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#else - #include "md5.h" -+#endif /* USE_EAPTLS */ - - #define MD5_HASH_SIZE 16 - #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c ---- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c 2018-06-02 01:42:16.790124406 +0200 -@@ -0,0 +1,1313 @@ -+/* -+ * eap-tls.c - EAP-TLS implementation for PPP -+ * -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. 
The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+#include "pppd.h"
-+#include "eap.h"
-+#include "eap-tls.h"
-+#include "fsm.h"
-+#include "lcp.h"
-+#include "pathnames.h"
-+
-+/* The openssl configuration file and engines can be loaded only once */
-+static CONF *ssl_config = NULL;
-+static ENGINE *cert_engine = NULL;
-+static ENGINE *pkey_engine = NULL;
-+
-+#ifdef MPPE
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+/*
-+ * https://wiki.openssl.org/index.php/1.1_API_Changes
-+ * tries to provide some guidance but ultimately falls short.
-+ */
-+
-+
-+static void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ if (ctx != NULL) {
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
-+}
-+
-+static HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+ if (ctx != NULL)
-+ HMAC_CTX_init(ctx);
-+ return ctx;
-+}
-+
-+/*
-+ * These were basically jacked directly from the OpenSSL tree
-+ * without adjustments.
-+ */
-+
-+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->client_random);
-+ if (outlen > sizeof(ssl->s3->client_random))
-+ outlen = sizeof(ssl->s3->client_random);
-+ memcpy(out, ssl->s3->client_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->server_random);
-+ if (outlen > sizeof(ssl->s3->server_random))
-+ outlen = sizeof(ssl->s3->server_random);
-+ memcpy(out, ssl->s3->server_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-+ unsigned char *out, size_t outlen)
-+{
-+ if (outlen == 0)
-+ return session->master_key_length;
-+ if (outlen > session->master_key_length)
-+ outlen = session->master_key_length;
-+ memcpy(out, session->master_key, outlen);
-+ return outlen;
-+}
-+
-+/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */
-+#define TLS_method TLSv1_method
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
-+/*
-+ * TLS PRF from RFC 2246
-+ */
-+static void P_hash(const EVP_MD *evp_md,
-+ const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned int out_len)
-+{
-+ HMAC_CTX *ctx_a, *ctx_out;
-+ unsigned char a[HMAC_MAX_MD_CBLOCK];
-+ unsigned int size;
-+
-+ ctx_a = HMAC_CTX_new();
-+ ctx_out = HMAC_CTX_new();
-+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
-+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
-+
-+ size = HMAC_size(ctx_out);
-+
-+ /* Calculate A(1) */
-+ HMAC_Update(ctx_a, seed, seed_len);
-+ HMAC_Final(ctx_a, a, NULL);
-+
-+ while (1) {
-+ /* Calculate next part of output */
-+ HMAC_Update(ctx_out, a, size);
-+ HMAC_Update(ctx_out, seed, seed_len);
-+
-+ /* Check if last part */
-+ if (out_len < size) {
-+
HMAC_Final(ctx_out, a, NULL);
-+ memcpy(out, a, out_len);
-+ break;
-+ }
-+
-+ /* Place digest in output buffer */
-+ HMAC_Final(ctx_out, out, NULL);
-+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
-+ out += size;
-+ out_len -= size;
-+
-+ /* Calculate next A(i) */
-+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
-+ HMAC_Update(ctx_a, a, size);
-+ HMAC_Final(ctx_a, a, NULL);
-+ }
-+
-+ HMAC_CTX_free(ctx_a);
-+ HMAC_CTX_free(ctx_out);
-+ memset(a, 0, sizeof(a));
-+}
-+
-+static void PRF(const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned char *buf, unsigned int out_len)
-+{
-+ unsigned int i;
-+ unsigned int len = (secret_len + 1) / 2;
-+ const unsigned char *s1 = secret;
-+ const unsigned char *s2 = secret + (secret_len - len);
-+
-+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len);
-+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
-+
-+ for (i=0; i < out_len; i++) {
-+ out[i] ^= buf[i];
-+ }
-+}
-+
-+#define EAPTLS_MPPE_KEY_LEN 32
-+
-+/*
-+ * Generate keys according to RFC 2716 and add to reply
-+ */
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
-+ int client)
-+{
-+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN];
-+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
-+ unsigned char *p = seed;
-+ SSL *s = ets->ssl;
-+ size_t prf_size;
-+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-+ size_t master_key_length;
-+
-+ prf_size = strlen(prf_label);
-+
-+ memcpy(p, prf_label, prf_size);
-+ p += prf_size;
-+
-+ prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE);
-+ p += SSL3_RANDOM_SIZE;
-+
-+ prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE);
-+
-+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
-+ sizeof(master_key));
-+ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out));
-+
-+ /*
-+ * We now have the master send and receive keys.
-+ * From these, generate the session send and receive keys.
-+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
-+ */
-+ if (client)
-+ {
-+ p = out;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ }
-+ else
-+ {
-+ p = out;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ }
-+
-+ mppe_keys_set = 1;
-+}
-+
-+#endif
-+
-+void log_ssl_errors( void )
-+{
-+ unsigned long ssl_err = ERR_get_error();
-+
-+ if (ssl_err != 0)
-+ dbglog("EAP-TLS SSL error stack:");
-+ while (ssl_err != 0) {
-+ dbglog( ERR_error_string( ssl_err, NULL ) );
-+ ssl_err = ERR_get_error();
-+ }
-+}
-+
-+
-+int password_callback (char *buf, int size, int rwflag, void *u)
-+{
-+ if (buf)
-+ {
-+ strncpy (buf, passwd, size);
-+ return strlen (buf);
-+ }
-+ return 0;
-+}
-+
-+
-+CONF *eaptls_ssl_load_config( void )
-+{
-+ CONF *config;
-+ int ret_code;
-+ long error_line = 33;
-+
-+ config = NCONF_new( NULL );
-+ dbglog( "Loading OpenSSL config file" );
-+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
-+ if (ret_code == 0)
-+ {
-+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
-+ NCONF_free( config );
-+ config = NULL;
-+ ERR_clear_error();
-+ }
-+
-+ dbglog( "Loading OpenSSL built-ins" );
-+ ENGINE_load_builtin_engines();
-+ OPENSSL_load_builtin_modules();
-+
-+ dbglog( "Loading OpenSSL configured modules" );
-+ if (CONF_modules_load( config, NULL, 0 ) <= 0 )
-+ {
-+ warn( "EAP-TLS: Error loading OpenSSL modules" );
-+ log_ssl_errors();
-+ config = NULL;
-+ }
-+
-+ return config;
-+}
-+
-+ENGINE *eaptls_ssl_load_engine( char *engine_name )
-+{
-+ ENGINE *e = NULL;
-+
-+ dbglog( "Enabling OpenSSL auto engines" );
-+ ENGINE_register_all_complete();
-+
-+ dbglog( "Loading OpenSSL '%s' engine support", engine_name );
-+ e = ENGINE_by_id(
engine_name );
-+ if (!e)
-+ {
-+ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
-+ e = ENGINE_by_id( "dynamic" );
-+ if (e)
-+ {
-+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
-+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
-+ {
-+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+ else
-+ {
-+ warn( "EAP-TLS: Cannot load dynamic engine support" );
-+ }
-+ }
-+
-+ if (e)
-+ {
-+ dbglog( "Initialising engine" );
-+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
-+ {
-+ warn( "EAP-TLS: Cannot use that engine" );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+
-+ return e;
-+}
-+
-+/*
-+ * Initialize the SSL stacks and tests if certificates, key and crl
-+ * for client or server use can be loaded.
-+ */
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+ char *certfile, char *peer_certfile, char *privkeyfile)
-+{
-+ char *cert_engine_name = NULL;
-+ char *cert_identifier = NULL;
-+ char *pkey_engine_name = NULL;
-+ char *pkey_identifier = NULL;
-+ SSL_CTX *ctx;
-+ X509_STORE *certstore;
-+ X509_LOOKUP *lookup;
-+ X509 *tmp;
-+
-+ /*
-+ * Without these can't continue
-+ */
-+ if (!cacertfile[0])
-+ {
-+ error("EAP-TLS: CA certificate missing");
-+ return NULL;
-+ }
-+
-+ if (!certfile[0])
-+ {
-+ error("EAP-TLS: User certificate missing");
-+ return NULL;
-+ }
-+
-+ if (!privkeyfile[0])
-+ {
-+ error("EAP-TLS: User private key missing");
-+ return NULL;
-+ }
-+
-+ SSL_library_init();
-+ SSL_load_error_strings();
-+
-+ ctx = SSL_CTX_new(TLS_method());
-+
-+ if (!ctx) {
-+ error("EAP-TLS: Cannot initialize SSL CTX context");
-+ goto fail;
-+ }
-+
-+ /* if the certificate filename is of the form engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the certificate filename starts with a / or .
then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
-+ {
-+ cert_identifier = index( certfile, ':' );
-+
-+ if (cert_identifier)
-+ {
-+ cert_engine_name = certfile;
-+ *cert_identifier = '\0';
-+ cert_identifier++;
-+
-+ dbglog( "Found certificate engine '%s'", cert_engine_name );
-+ dbglog( "Found certificate identifier '%s'", cert_identifier );
-+ }
-+ }
-+
-+ /* if the privatekey filename is of the form engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the privatekey filename starts with a / or . then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
-+ {
-+ pkey_identifier = index( privkeyfile, ':' );
-+
-+ if (pkey_identifier)
-+ {
-+ pkey_engine_name = privkeyfile;
-+ *pkey_identifier = '\0';
-+ pkey_identifier++;
-+
-+ dbglog( "Found privatekey engine '%s'", pkey_engine_name );
-+ dbglog( "Found privatekey identifier '%s'", pkey_identifier );
-+ }
-+ }
-+
-+ if (cert_identifier && pkey_identifier)
-+ {
-+ if (strlen( cert_identifier ) == 0)
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!"
);
-+ else
-+ {
-+ dbglog( "Substituting privatekey identifier for certificate identifier" );
-+ cert_identifier = pkey_identifier;
-+ }
-+ }
-+ else
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ {
-+ dbglog( "Substituting certificate identifier for privatekey identifier" );
-+ pkey_identifier = cert_identifier;
-+ }
-+ }
-+
-+ }
-+
-+ /* load the openssl config file only once */
-+ if (!ssl_config)
-+ {
-+ if (cert_engine_name || pkey_engine_name)
-+ ssl_config = eaptls_ssl_load_config();
-+
-+ if (ssl_config && cert_engine_name)
-+ cert_engine = eaptls_ssl_load_engine( cert_engine_name );
-+
-+ if (ssl_config && pkey_engine_name)
-+ {
-+ /* don't load the same engine twice */
-+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
-+ pkey_engine = cert_engine;
-+ else
-+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
-+ }
-+ }
-+
-+ SSL_CTX_set_default_passwd_cb (ctx, password_callback);
-+
-+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
-+ {
-+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
-+ goto fail;
-+ }
-+
-+ if (init_server)
-+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
-+
-+ if (cert_engine)
-+ {
-+ struct
-+ {
-+ const char *s_slot_cert_id;
-+ X509 *cert;
-+ } cert_info;
-+
-+ cert_info.s_slot_cert_id = cert_identifier;
-+ cert_info.cert = NULL;
-+
-+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
-+ {
-+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
-+ goto fail;
-+ }
-+
-+ if (cert_info.cert)
-+ {
-+ dbglog( "Got the certificate, adding it to SSL context" );
-+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
-+ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
-+
log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM))
-+ {
-+ error( "EAP-TLS: Cannot use public certificate %s", certfile );
-+ goto fail;
-+ }
-+ }
-+
-+ if (pkey_engine)
-+ {
-+ EVP_PKEY *pkey = NULL;
-+ PW_CB_DATA cb_data;
-+
-+ cb_data.password = passwd;
-+ cb_data.prompt_info = pkey_identifier;
-+
-+ dbglog( "Loading private key '%s' from engine", pkey_identifier );
-+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
-+ if (pkey)
-+ {
-+ dbglog( "Got the private key, adding it to SSL context" );
-+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
-+ log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
-+ {
-+ error("EAP-TLS: Cannot use private key %s", privkeyfile);
-+ goto fail;
-+ }
-+ }
-+
-+ if (SSL_CTX_check_private_key(ctx) != 1) {
-+ error("EAP-TLS: Private key %s fails security check", privkeyfile);
-+ goto fail;
-+ }
-+
-+ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
-+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
-+#ifdef SSL_OP_NO_TICKET
-+ | SSL_OP_NO_TICKET
-+#endif
-+);
-+ SSL_CTX_set_verify_depth(ctx, 5);
-+ SSL_CTX_set_verify(ctx,
-+ SSL_VERIFY_PEER |
-+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-+ &ssl_verify_callback);
-+
-+ if (crl_dir) {
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+
-+ if (!(lookup =
-+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
-+ error("EAP-TLS: Store lookup for CRL failed");
-+
-+ goto fail;
-+ }
-+
-+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+ }
-+
-+ if (crl_file) {
-+ FILE *fp = NULL;
-+ X509_CRL *crl =
NULL;
-+
-+ fp = fopen(crl_file, "r");
-+ if (!fp) {
-+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
-+ if (!crl) {
-+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+ if (!X509_STORE_add_crl(certstore, crl)) {
-+ error("EAP-TLS: Cannot add CRL to certificate store");
-+ goto fail;
-+ }
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+ }
-+
-+ /*
-+ * If a peer certificate file was specified, it must be valid, else fail
-+ */
-+ if (peer_certfile[0]) {
-+ if (!(tmp = get_X509_from_file(peer_certfile))) {
-+ error("EAP-TLS: Error loading client certificate from file %s",
-+ peer_certfile);
-+ goto fail;
-+ }
-+ X509_free(tmp);
-+ }
-+
-+ return ctx;
-+
-+fail:
-+ log_ssl_errors();
-+ SSL_CTX_free(ctx);
-+ return NULL;
-+}
-+
-+/*
-+ * Determine the maximum packet size by looking at the LCP handshake
-+ */
-+
-+int eaptls_get_mtu(int unit)
-+{
-+ int mtu, mru;
-+
-+ lcp_options *wo = &lcp_wantoptions[unit];
-+ lcp_options *go = &lcp_gotoptions[unit];
-+ lcp_options *ho = &lcp_hisoptions[unit];
-+ lcp_options *ao = &lcp_allowoptions[unit];
-+
-+ mtu = ho->neg_mru? ho->mru: PPP_MRU;
-+ mru = go->neg_mru?
MAX(wo->mru, go->mru): PPP_MRU;
-+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
-+
-+ dbglog("MTU = %d", mtu);
-+ return mtu;
-+}
-+
-+
-+/*
-+ * Init the ssl handshake (server mode)
-+ */
-+int eaptls_init_ssl_server(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_server.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_server.ea_session;
-+
-+ if (!esp->es_server.ea_peer) {
-+ error("EAP-TLS: Error: client name not set (BUG)");
-+ return 0;
-+ }
-+
-+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
-+
-+ dbglog( "getting eaptls secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
-+ esp->es_server.ea_name, clicertfile,
-+ servcertfile, cacertfile, pkfile, 1)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_server.ea_peer, esp->es_server.ea_name );
-+ return 0;
-+ }
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ if (!(ets->ssl = SSL_new(ets->ctx)))
-+ goto fail;
-+
-+ /*
-+ * Set auto-retry to avoid timeouts on BIO_read
-+ */
-+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ ets->into_ssl = BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_accept_state(ets->ssl);
-+
-+
ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the client certificate file, store it in ets->peercertfile,
-+ * so we can check it later in ssl_verify_callback()
-+ */
-+ if (clicertfile[0])
-+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+}
-+
-+/*
-+ * Init the ssl handshake (client mode)
-+ */
-+int eaptls_init_ssl_client(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_client.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_client.ea_session;
-+
-+ /*
-+ * If available, copy server name in ets; it will be used in cert
-+ * verify
-+ */
-+ if (esp->es_client.ea_peer)
-+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
-+ else
-+ ets->peer[0] = 0;
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ dbglog( "calling get_eaptls_secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
-+ ets->peer, clicertfile,
-+ servcertfile, cacertfile, pkfile, 0)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_client.ea_name, ets->peer );
-+ return 0;
-+ }
-+
-+ dbglog( "calling eaptls_init_ssl" );
-+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ ets->ssl = SSL_new(ets->ctx);
-+
-+ if (!ets->ssl)
-+ goto fail;
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ dbglog( "Initializing SSL BIOs" );
-+ ets->into_ssl = BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+
SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_connect_state(ets->ssl);
-+
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the server certificate file, store it in
-+ * ets->peercertfile, so we can check it later in
-+ * ssl_verify_callback()
-+ */
-+ if (servcertfile[0])
-+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ dbglog( "eaptls_init_ssl_client: fail" );
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+
-+}
-+
-+void eaptls_free_session(struct eaptls_session *ets)
-+{
-+ if (ets->ssl)
-+ SSL_free(ets->ssl);
-+
-+ if (ets->ctx)
-+ SSL_CTX_free(ets->ctx);
-+
-+ free(ets);
-+}
-+
-+/*
-+ * Handle a received packet, reassembling fragmented messages and
-+ * passing them to the ssl engine
-+ */
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
-+{
-+ u_char flags;
-+ u_int tlslen = 0;
-+ u_char dummy[65536];
-+
-+ if (len < 1) {
-+ warn("EAP-TLS: received no or invalid data");
-+ return 1;
-+ }
-+
-+ GETCHAR(flags, inp);
-+ len--;
-+
-+ if (flags & EAP_TLS_FLAGS_LI && len >= 4) {
-+ /*
-+ * LenghtIncluded flag set -> this is the first packet of a message
-+ */
-+
-+ /*
-+ * the first 4 octets are the length of the EAP-TLS message
-+ */
-+ GETLONG(tlslen, inp);
-+ len -= 4;
-+
-+ if (!ets->data) {
-+
-+ if (tlslen > EAP_TLS_MAX_LEN) {
-+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
-+ tlslen = EAP_TLS_MAX_LEN;
-+ }
-+
-+ /*
-+ * Allocate memory for the whole message
-+ */
-+ ets->data = malloc(tlslen);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = tlslen;
-+ }
-+ else
-+ warn("EAP-TLS: non-first
LI packet? that's odd...");
-+ }
-+ else if (!ets->data) {
-+ /*
-+ * A non fragmented message without LI flag
-+ */
-+
-+ ets->data = malloc(len);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = len;
-+ }
-+
-+ if (flags & EAP_TLS_FLAGS_MF)
-+ ets->frag = 1;
-+ else
-+ ets->frag = 0;
-+
-+ if (len < 0) {
-+ warn("EAP-TLS: received malformed data");
-+ return 1;
-+ }
-+
-+ if (len + ets->datalen > ets->tlslen) {
-+ warn("EAP-TLS: received data > TLS message length");
-+ return 1;
-+ }
-+
-+ BCOPY(inp, ets->data + ets->datalen, len);
-+ ets->datalen += len;
-+
-+ if (!ets->frag) {
-+
-+ /*
-+ * If we have the whole message, pass it to ssl
-+ */
-+
-+ if (ets->datalen != ets->tlslen) {
-+ warn("EAP-TLS: received data != TLS message length");
-+ return 1;
-+ }
-+
-+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
-+ log_ssl_errors();
-+
-+ SSL_read(ets->ssl, dummy, 65536);
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Return an eap-tls packet in outp.
-+ * A TLS message read from the ssl engine is buffered in ets->data.
-+ * At each call we control if there is buffered data and send a
-+ * packet of mtu bytes.
-+ */
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp)
-+{
-+ bool first = 0;
-+ int size;
-+ u_char fromtls[65536];
-+ int res;
-+ u_char *start;
-+
-+ start = *outp;
-+
-+ if (!ets->data) {
-+
-+ if(!ets->alert_sent)
-+ SSL_read(ets->ssl, fromtls, 65536);
-+
-+ /*
-+ * Read from ssl
-+ */
-+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
-+ fatal("No data from BIO_read");
-+
-+ ets->datalen = res;
-+
-+ ets->data = malloc(ets->datalen);
-+ BCOPY(fromtls, ets->data, ets->datalen);
-+
-+ ets->offset = 0;
-+ first = 1;
-+
-+ }
-+
-+ size = ets->datalen - ets->offset;
-+
-+ if (size > ets->mtu) {
-+ size = ets->mtu;
-+ ets->frag = 1;
-+ } else
-+ ets->frag = 0;
-+
-+ PUTCHAR(EAPT_TLS, *outp);
-+
-+ /*
-+ * Set right flags and length if necessary
-+ */
-+ if (ets->frag && first) {
-+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
-+ PUTLONG(ets->datalen, *outp);
-+ } else if (ets->frag) {
-+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
-+ } else
-+ PUTCHAR(0, *outp);
-+
-+ /*
-+ * Copy the data in outp
-+ */
-+ BCOPY(ets->data + ets->offset, *outp, size);
-+ INCPTR(size, *outp);
-+
-+ /*
-+ * Copy the packet in retransmission buffer
-+ */
-+ BCOPY(start, &ets->rtx[0], *outp - start);
-+ ets->rtx_len = *outp - start;
-+
-+ ets->offset += size;
-+
-+ if (ets->offset >= ets->datalen) {
-+
-+ /*
-+ * The whole message has been sent
-+ */
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->offset = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Get the sent packet from the retransmission buffer
-+ */
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
-+{
-+ BCOPY(ets->rtx, *outp, ets->rtx_len);
-+ INCPTR(ets->rtx_len, *outp);
-+}
-+
-+/*
-+ * Verify a certificate.
-+ * Most of the work (signatures and issuer attributes checking)
-+ * is done by ssl; we check the CN in the peer certificate
-+ * against the peer name.
-+ */
-+int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx)
-+{
-+ char subject[256];
-+ char cn_str[256];
-+ X509 *peer_cert;
-+ int err, depth;
-+ int ok = preverify_ok;
-+ SSL *ssl;
-+ struct eaptls_session *ets;
-+
-+ peer_cert = X509_STORE_CTX_get_current_cert(ctx);
-+ err = X509_STORE_CTX_get_error(ctx);
-+ depth = X509_STORE_CTX_get_error_depth(ctx);
-+
-+ dbglog("certificate verify depth: %d", depth);
-+
-+ if (auth_required && !ok) {
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ dbglog("Certificate verification error:\n depth: %d CN: %s"
-+ "\n err: %d (%s)\n", depth, cn_str, err,
-+ X509_verify_cert_error_string(err));
-+
-+ return 0;
-+ }
-+
-+ ssl = X509_STORE_CTX_get_ex_data(ctx,
-+ SSL_get_ex_data_X509_STORE_CTX_idx());
-+
-+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
-+
-+ if (ets == NULL) {
-+ error("Error: SSL_get_ex_data returned NULL");
-+ return 0;
-+ }
-+
-+ log_ssl_errors();
-+
-+ if (!depth) { /* This is the peer certificate */
-+
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ /*
-+ * If acting as client and the name of the server wasn't specified
-+ * explicitely, we can't verify the server authenticity
-+ */
-+ if (!ets->peer[0]) {
-+ warn("Peer name not specified: no check");
-+ return 1;
-+ }
-+
-+ /*
-+ * Check the CN
-+ */
-+ if (strcmp(cn_str, ets->peer)) {
-+ error
-+ ("Certificate verification error: CN (%s) != peer_name (%s)",
-+ cn_str, ets->peer);
-+ return 0;
-+ }
-+
-+ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
-+
-+ /*
-+ * If a peer certificate file was specified, here we check it
-+ */
-+ if (ets->peercertfile[0]) {
-+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
-+ != 0) {
-+ error
-+ ("Peer certificate doesn't match
stored certificate");
-+ return 0;
-+ }
-+ }
-+ }
-+
-+ return 1;
-+}
-+
-+/*
-+ * Compare a certificate with the one stored in a file
-+ */
-+int ssl_cmp_certs(char *filename, X509 * a)
-+{
-+ X509 *b;
-+ int ret;
-+
-+ if (!(b = get_X509_from_file(filename)))
-+ return 1;
-+
-+ ret = X509_cmp(a, b);
-+ X509_free(b);
-+
-+ return ret;
-+
-+}
-+
-+X509 *get_X509_from_file(char *filename)
-+{
-+ FILE *fp;
-+ X509 *ret;
-+
-+ if (!(fp = fopen(filename, "r")))
-+ return NULL;
-+
-+ ret = PEM_read_X509(fp, NULL, NULL, NULL);
-+
-+ fclose(fp);
-+
-+ return ret;
-+}
-+
-+/*
-+ * Every sent & received message this callback function is invoked,
-+ * so we know when alert messages have arrived or are sent and
-+ * we can print debug information about TLS handshake.
-+ */
-+void
-+ssl_msg_callback(int write_p, int version, int content_type,
-+ const void *buf, size_t len, SSL * ssl, void *arg)
-+{
-+ char string[256];
-+ struct eaptls_session *ets = (struct eaptls_session *)arg;
-+ unsigned char code;
-+ const unsigned char*msg = buf;
-+ int hvers = msg[1] << 8 | msg[2];
-+
-+ if(write_p)
-+ strcpy(string, " -> ");
-+ else
-+ strcpy(string, " <- ");
-+
-+ switch(content_type) {
-+
-+ case SSL3_RT_HEADER:
-+ strcat(string, "SSL/TLS Header: ");
-+ switch(hvers) {
-+ case SSL3_VERSION:
-+ strcat(string, "SSL 3.0");
-+ break;
-+ case TLS1_VERSION:
-+ strcat(string, "TLS 1.0");
-+ break;
-+ case TLS1_1_VERSION:
-+ strcat(string, "TLS 1.1");
-+ break;
-+ case TLS1_2_VERSION:
-+ strcat(string, "TLS 1.2");
-+ break;
-+ case DTLS1_VERSION:
-+ strcat(string, "DTLS 1.0");
-+ break;
-+ case DTLS1_2_VERSION:
-+ strcat(string, "DTLS 1.2");
-+ break;
-+ default:
-+ strcat(string, "Unknown version");
-+ }
-+ break;
-+
-+ case SSL3_RT_ALERT:
-+ strcat(string, "Alert: ");
-+ code = msg[1];
-+
-+ if (write_p) {
-+ ets->alert_sent = 1;
-+ ets->alert_sent_desc = code;
-+ } else {
-+ ets->alert_recv = 1;
-+ ets->alert_recv_desc = code;
-+ }
-+
-+ strcat(string, SSL_alert_desc_string_long(code));
-+ break;
-+
-+ case SSL3_RT_CHANGE_CIPHER_SPEC:
-+ strcat(string, "ChangeCipherSpec");
-+ break;
-+
-+ case SSL3_RT_HANDSHAKE:
-+
-+ strcat(string, "Handshake: ");
-+ code = msg[0];
-+
-+ switch(code) {
-+ case SSL3_MT_HELLO_REQUEST:
-+ strcat(string,"Hello Request");
-+ break;
-+ case SSL3_MT_CLIENT_HELLO:
-+ strcat(string,"Client Hello");
-+ break;
-+ case SSL3_MT_SERVER_HELLO:
-+ strcat(string,"Server Hello");
-+ break;
-+#ifdef SSL3_MT_NEWSESSION_TICKET
-+ case SSL3_MT_NEWSESSION_TICKET:
-+ strcat(string,"New Session Ticket");
-+ break;
-+#endif
-+ case SSL3_MT_CERTIFICATE:
-+ strcat(string,"Certificate");
-+ break;
-+ case SSL3_MT_SERVER_KEY_EXCHANGE:
-+ strcat(string,"Server Key Exchange");
-+ break;
-+ case SSL3_MT_CERTIFICATE_REQUEST:
-+ strcat(string,"Certificate Request");
-+ break;
-+ case SSL3_MT_SERVER_DONE:
-+ strcat(string,"Server Hello Done");
-+ break;
-+ case SSL3_MT_CERTIFICATE_VERIFY:
-+ strcat(string,"Certificate Verify");
-+ break;
-+ case SSL3_MT_CLIENT_KEY_EXCHANGE:
-+ strcat(string,"Client Key Exchange");
-+ break;
-+ case SSL3_MT_FINISHED:
-+ strcat(string,"Finished");
-+ break;
-+
-+ default:
-+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
-+ }
-+ break;
-+
-+ default:
-+ sprintf( string, "SSL message contains unknown content type: %d", content_type );
-+
-+ }
-+
-+ /* Alert messages must always be displayed */
-+ if(content_type == SSL3_RT_ALERT)
-+ error("%s", string);
-+ else
-+ dbglog("%s", string);
-+}
-+
-diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h
---- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h 2018-06-02 01:42:04.023165433 +0200
-@@ -0,0 +1,107 @@
-+/*
-+ * eap-tls.h
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#ifndef __EAP_TLS_H__
-+#define __EAP_TLS_H__
-+
-+#include "eap.h"
-+
-+#include
-+#include
-+#include
-+
-+#define EAP_TLS_FLAGS_LI 128 /* length included flag */
-+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */
-+#define EAP_TLS_FLAGS_START 32 /* start flag */
-+
-+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */
-+
-+struct eaptls_session
-+{
-+ u_char *data; /* buffered data */
-+ int datalen; /* buffered data len */
-+ int offset; /* from where to send */
-+ int tlslen; /* total length of tls data */
-+ bool frag; /* packet is fragmented */
-+ SSL_CTX *ctx;
-+ SSL *ssl; /* ssl connection */
-+ BIO *from_ssl;
-+ BIO *into_ssl;
-+ char peer[MAXWORDLEN]; /* peer name */
-+ char peercertfile[MAXWORDLEN];
-+ bool alert_sent;
-+ u_char alert_sent_desc;
-+ bool alert_recv;
-+ u_char alert_recv_desc;
-+ char rtx[65536]; /* retransmission buffer */
-+ int rtx_len;
-+ int mtu; /* unit mtu */
-+};
-+
-+typedef struct pw_cb_data
-+{
-+ const void *password;
-+ const char *prompt_info;
-+} PW_CB_DATA;
-+
-+
-+int ssl_verify_callback(int, X509_STORE_CTX *);
-+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
-+ size_t len, SSL * ssl, void *arg);
-+
-+X509 *get_X509_from_file(char *filename);
-+int ssl_cmp_certs(char *filename, X509 * a);
-+
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+ char *certfile, char *peer_certfile, char *privkeyfile);
-+int eaptls_init_ssl_server(eap_state * esp);
-+int eaptls_init_ssl_client(eap_state * esp);
-+void eaptls_free_session(struct eaptls_session *ets);
-+
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
-+
-+int get_eaptls_secret(int unit, char *client, char *server,
-+ char *clicertfile, char *servcertfile, char *cacertfile,
-+ char *pkfile, int am_server);
-+
-+#ifdef MPPE
-+#include "mppe.h" /*
MPPE_MAX_KEY_LEN */
-+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
-+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
-+extern int mppe_keys_set;
-+
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
-+
-+#endif
-+
-+#endif
-diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c
---- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c 2018-06-02 01:42:04.023165433 +0200
-@@ -43,6 +43,11 @@
- * Based on draft-ietf-pppext-eap-srp-03.txt.
- */
-
-+/*
-+ * Modification by Beniamino Galvani, Mar 2005
-+ * Implemented EAP-TLS authentication
-+ */
-+
- #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
-
- /*
-@@ -62,8 +67,12 @@
-
- #include "pppd.h"
- #include "pathnames.h"
--#include "md5.h"
- #include "eap.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#else
-+#include "md5.h"
-+#endif /* USE_EAPTLS */
-
- #ifdef USE_SRP
- #include
-@@ -209,6 +218,9 @@
- esp->es_server.ea_id = (u_char)(drand48() * 0x100);
- esp->es_client.ea_timeout = EAP_DEFREQTIME;
- esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
-+#ifdef USE_EAPTLS
-+ esp->es_client.ea_using_eaptls = 0;
-+#endif /* USE_EAPTLS */
- }
-
- /*
-@@ -436,8 +448,16 @@
- u_char vals[2];
- struct b64state bs;
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+ struct eaptls_session *ets;
-+ int secret_len;
-+ char secret[MAXWORDLEN];
-+#endif /* USE_EAPTLS */
-
- esp->es_server.ea_timeout = esp->es_savedtime;
-+#ifdef USE_EAPTLS
-+ esp->es_server.ea_prev_state = esp->es_server.ea_state;
-+#endif /* USE_EAPTLS */
- switch (esp->es_server.ea_state) {
- case eapBadAuth:
- return;
-@@ -562,9 +582,79 @@
- break;
- }
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
-+ esp->es_server.ea_name, secret, &secret_len, 1)) {
-+
-+ esp->es_server.ea_state = eapTlsStart;
-+ break;
-+ }
-+#endif /* USE_EAPTLS */
-+
- esp->es_server.ea_state = eapMD5Chall;
- break;
-
-+#ifdef USE_EAPTLS
-+ case eapTlsStart:
-+ /* Initialize ssl session */
-+ if(!eaptls_init_ssl_server(esp)) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsRecv:
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->alert_sent) {
-+ esp->es_server.ea_state = eapTlsSendAlert;
-+ break;
-+ }
-+
-+ if (status) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->frag)
-+ esp->es_server.ea_state = eapTlsSendAck;
-+ else
-+ esp->es_server.ea_state = eapTlsSend;
-+ break;
-+
-+ case eapTlsSend:
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->frag)
-+ esp->es_server.ea_state = eapTlsRecvAck;
-+ else
-+ if(SSL_is_init_finished(ets->ssl))
-+ esp->es_server.ea_state = eapTlsRecvClient;
-+ else
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsSendAck:
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsRecvAck:
-+ if (status) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+
-+ esp->es_server.ea_state = eapTlsSend;
-+ break;
-+
-+ case eapTlsSendAlert:
-+ esp->es_server.ea_state = eapTlsRecvAlertAck;
-+ break;
-+#endif /* USE_EAPTLS */
-+
- case eapSRP1:
- #ifdef USE_SRP
- ts = (struct t_server *)esp->es_server.ea_session;
-@@ -718,6 +808,30 @@
- INCPTR(esp->es_server.ea_namelen, outp);
- break;
-
-+#ifdef USE_EAPTLS
-+ case eapTlsStart:
-+ PUTCHAR(EAPT_TLS, outp);
-+ PUTCHAR(EAP_TLS_FLAGS_START, outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSend:
-+ eaptls_send(esp->es_server.ea_session, &outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSendAck:
-+ PUTCHAR(EAPT_TLS, outp);
-+ PUTCHAR(0, outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSendAlert:
-+ eaptls_send(esp->es_server.ea_session, &outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+#endif /* USE_EAPTLS
*/
-+
- #ifdef USE_SRP
- case eapSRP1:
- PUTCHAR(EAPT_SRP, outp);
-@@ -904,11 +1018,57 @@
- eap_server_timeout(arg)
- void *arg;
- {
-+#ifdef USE_EAPTLS
-+ u_char *outp;
-+ u_char *lenloc;
-+ int outlen;
-+#endif /* USE_EAPTLS */
-+
- eap_state *esp = (eap_state *) arg;
-
- if (!eap_server_active(esp))
- return;
-
-+#ifdef USE_EAPTLS
-+ switch(esp->es_server.ea_prev_state) {
-+
-+ /*
-+ * In eap-tls the state changes after a request, so we return to
-+ * previous state ...
-+ */
-+ case(eapTlsStart):
-+ case(eapTlsSendAck):
-+ esp->es_server.ea_state = esp->es_server.ea_prev_state;
-+ break;
-+
-+ /*
-+ * ... or resend the stored data
-+ */
-+ case(eapTlsSend):
-+ case(eapTlsSendAlert):
-+ outp = outpacket_buf;
-+ MAKEHEADER(outp, PPP_EAP);
-+ PUTCHAR(EAP_REQUEST, outp);
-+ PUTCHAR(esp->es_server.ea_id, outp);
-+ lenloc = outp;
-+ INCPTR(2, outp);
-+
-+ eaptls_retransmit(esp->es_server.ea_session, &outp);
-+
-+ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+ PUTSHORT(outlen, lenloc);
-+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
-+ esp->es_server.ea_requests++;
-+
-+ if (esp->es_server.ea_timeout > 0)
-+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
-+
-+ return;
-+ default:
-+ break;
-+ }
-+#endif /* USE_EAPTLS */
-+
- /* EAP ID number must not change on timeout.
*/ - eap_send_request(esp); - } -@@ -1166,6 +1326,81 @@ - } - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+/* -+ * Send an EAP-TLS response message with tls data -+ */ -+static void -+eap_tls_response(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ /* -+ If the id in the request is unchanged, we must retransmit -+ the old data -+ */ -+ if(id == esp->es_client.ea_id) -+ eaptls_retransmit(esp->es_client.ea_session, &outp); -+ else -+ eaptls_send(esp->es_client.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+ esp->es_client.ea_id = id; -+ -+} -+ -+/* -+ * Send an EAP-TLS ack -+ */ -+static void -+eap_tls_sendack(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ esp->es_client.ea_id = id; -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+} -+#endif /* USE_EAPTLS */ -+ - static void - eap_send_nak(esp, id, type) - eap_state *esp; -@@ -1320,6 +1555,11 @@ - char rhostname[256]; - MD5_CTX mdContext; - u_char hash[MD5_SIGNATURE_SIZE]; -+#ifdef USE_EAPTLS -+ u_char flags; -+ struct eaptls_session *ets = esp->es_client.ea_session; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - struct t_client *tc; - struct t_num sval, gval, Nval, *Ap, Bval; -@@ -1456,6 +1696,100 @@ - esp->es_client.ea_namelen); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ -+ switch(esp->es_client.ea_state) { -+ -+ case 
eapListen: -+ -+ if (len < 1) { -+ error("EAP: received EAP-TLS Listen packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ GETCHAR(flags, inp); -+ if(flags & EAP_TLS_FLAGS_START){ -+ -+ esp->es_client.ea_using_eaptls = 1; -+ -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; -+ -+ /* Init ssl session */ -+ if(!eaptls_init_ssl_client(esp)) { -+ dbglog("cannot init ssl"); -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ ets = esp->es_client.ea_session; -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ break; -+ } -+ -+ /* The server has sent a bad start packet. */ -+ eap_send_nak(esp, id, EAPT_TLS); -+ break; -+ -+ case eapTlsRecvAck: -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ break; -+ -+ case eapTlsRecv: -+ if (len < 1) { -+ error("EAP: discarding EAP-TLS Receive packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ eaptls_receive(ets, inp, len); -+ -+ if(ets->frag) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecv; -+ break; -+ } -+ -+ if(ets->alert_recv) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvFailure; -+ break; -+ } -+ -+ /* Check if TLS handshake is finished */ -+ if(SSL_is_init_finished(ets->ssl)){ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); -+#endif -+ eaptls_free_session(ets); -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvSuccess; -+ break; -+ } -+ -+ eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? 
eapTlsRecvAck : -+ eapTlsRecv); -+ -+ break; -+ -+ default: -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case EAPT_SRP: - if (len < 1) { -@@ -1737,6 +2071,11 @@ - u_char dig[SHA_DIGESTSIZE]; - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ u_char flags; -+#endif /* USE_EAPTLS */ -+ - if (esp->es_server.ea_id != id) { - dbglog("EAP: discarding Response %d; expected ID %d", id, - esp->es_server.ea_id); -@@ -1776,6 +2115,64 @@ - eap_figure_next_state(esp, 0); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ switch(esp->es_server.ea_state) { -+ -+ case eapTlsRecv: -+ -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ eap_figure_next_state(esp, -+ eaptls_receive(esp->es_server.ea_session, inp, len)); -+ -+ if(ets->alert_recv) { -+ eap_send_failure(esp); -+ break; -+ } -+ break; -+ -+ case eapTlsRecvAck: -+ if(len > 1) { -+ dbglog("EAP-TLS ACK with extra data"); -+ } -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsRecvClient: -+ /* Receive authentication response from client */ -+ -+ if (len > 0) { -+ GETCHAR(flags, inp); -+ -+ if(len == 1 && !flags) { /* Ack = ok */ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); -+#endif -+ eap_send_success(esp); -+ } -+ else { /* failure */ -+ warn("Server authentication failed"); -+ eap_send_failure(esp); -+ } -+ } -+ else -+ warn("Bogus EAP-TLS packet received from client"); -+ -+ eaptls_free_session(esp->es_server.ea_session); -+ -+ break; -+ -+ case eapTlsRecvAlertAck: -+ eap_send_failure(esp); -+ break; -+ -+ default: -+ eap_figure_next_state(esp, 1); -+ break; -+ } -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NOTIFICATION: - dbglog("EAP unexpected Notification; response discarded"); - break; -@@ -1807,6 +2204,13 @@ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ /* Send EAP-TLS start 
packet */ -+ case EAPT_TLS: -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+#endif /* USE_EAPTLS */ -+ - default: - dbglog("EAP: peer requesting unknown Type %d", vallen); - switch (esp->es_server.ea_state) { -@@ -2018,13 +2422,27 @@ - int id; - int len; - { -- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { -+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -+#ifdef USE_EAPTLS -+ && esp->es_client.ea_state != eapTlsRecvSuccess -+#endif /* USE_EAPTLS */ -+ ) { - dbglog("EAP unexpected success message in state %s (%d)", - eap_state_name(esp->es_client.ea_state), - esp->es_client.ea_state); - return; - } - -+#ifdef USE_EAPTLS -+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != -+ eapTlsRecvSuccess) { -+ dbglog("EAP-TLS unexpected success message in state %s (%d)", -+ eap_state_name(esp->es_client.ea_state), -+ esp->es_client.ea_state); -+ return; -+ } -+#endif /* USE_EAPTLS */ -+ - if (esp->es_client.ea_timeout > 0) { - UNTIMEOUT(eap_client_timeout, (void *)esp); - } -@@ -2150,6 +2568,9 @@ - int code, id, len, rtype, vallen; - u_char *pstart; - u_int32_t uval; -+#ifdef USE_EAPTLS -+ u_char flags; -+#endif /* USE_EAPTLS */ - - if (inlen < EAP_HEADERLEN) - return (0); -@@ -2214,6 +2635,24 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_SRP: - if (len < 3) - goto truncated; -@@ -2325,6 +2764,25 @@ - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? 
" L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NAK: - if (len <= 0) { - printer(arg, " "); -@@ -2426,3 +2884,4 @@ - - return (inp - pstart); - } -+ -diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h ---- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h 2018-06-02 01:42:04.023165433 +0200 -@@ -84,6 +84,16 @@ - eapClosed, /* Authentication not in use */ - eapListen, /* Client ready (and timer running) */ - eapIdentify, /* EAP Identify sent */ -+ eapTlsStart, /* Send EAP-TLS start packet */ -+ eapTlsRecv, /* Receive EAP-TLS tls data */ -+ eapTlsSendAck, /* Send EAP-TLS ack */ -+ eapTlsSend, /* Send EAP-TLS tls data */ -+ eapTlsRecvAck, /* Receive EAP-TLS ack */ -+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ -+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ -+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ -+ eapTlsRecvSuccess, /* Receive EAP success */ -+ eapTlsRecvFailure, /* Receive EAP failure */ - eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ - eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ - eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ -@@ -95,9 +105,18 @@ - - #define EAP_STATES \ - "Initial", "Pending", "Closed", "Listen", "Identify", \ -+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ -+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" - --#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#ifdef USE_EAPTLS -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ -+ (esp)->es_client.ea_state != eapPending &&\ -+ (esp)->es_client.ea_state != eapClosed) -+#else -+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#endif /* USE_EAPTLS */ -+ 
- #define eap_server_active(esp) \ - ((esp)->es_server.ea_state >= eapIdentify && \ - (esp)->es_server.ea_state <= eapMD5Chall) -@@ -112,11 +131,17 @@ - u_short ea_namelen; /* Length of our name */ - u_short ea_peerlen; /* Length of peer's name */ - enum eap_state_code ea_state; -+#ifdef USE_EAPTLS -+ enum eap_state_code ea_prev_state; -+#endif - u_char ea_id; /* Current id */ - u_char ea_requests; /* Number of Requests sent/received */ - u_char ea_responses; /* Number of Responses */ - u_char ea_type; /* One of EAPT_* */ - u_int32_t ea_keyflags; /* SRP shared key usage flags */ -+#ifdef USE_EAPTLS -+ bool ea_using_eaptls; -+#endif - }; - - /* -@@ -139,7 +164,12 @@ - * Timeouts. - */ - #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ -+#ifdef USE_EAPTLS -+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ -+ /* certificates can be long ... */ -+#else - #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ -+#endif /* USE_EAPTLS */ - #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ - #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ - -diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c ---- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c 2018-06-02 01:42:04.023165433 +0200 -@@ -33,6 +33,8 @@ - *********************************************************************** - */ - -+#ifndef USE_EAPTLS -+ - #include - #include "md5.h" - -@@ -305,3 +307,5 @@ - ** End of md5.c ** - ******************************** (cut) ******************************** - */ -+#endif /* USE_EAPTLS */ -+ -diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h ---- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h 2018-06-02 01:42:04.024165430 +0200 -@@ -36,6 +36,7 @@ - ** documentation and/or software. 
** - *********************************************************************** - */ -+#ifndef USE_EAPTLS - - #ifndef __MD5_INCLUDE__ - -@@ -63,3 +64,5 @@ - - #define __MD5_INCLUDE__ - #endif /* __MD5_INCLUDE__ */ -+ -+#endif /* USE_EAPTLS */ -diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h ---- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h 2018-06-02 01:42:04.024165430 +0200 -@@ -21,6 +21,13 @@ - #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" - #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" - #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" -+ -+#ifdef USE_EAPTLS -+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" -+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" -+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" -+#endif /* USE_EAPTLS */ -+ - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" - #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" - #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux ---- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux 2018-06-02 01:42:04.024165430 +0200 -@@ -4,6 +4,9 @@ - LDFLAGS = -shared - INSTALL = install - -+# EAP-TLS -+CFLAGS += -DUSE_EAPTLS=1 -+ - DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c ---- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c 2018-06-02 01:42:04.024165430 +0200 -@@ -107,4 +107,7 @@ - { - add_options(options); - pap_passwd_hook = promptpass; -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = promptpass; -+#endif - } 
-diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c ---- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c 2018-06-02 01:42:04.024165430 +0200 -@@ -79,4 +79,8 @@ - - chap_check_hook = pwfd_check; - chap_passwd_hook = pwfd_passwd; -+ -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = pwfd_passwd; -+#endif - } -diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 ---- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 2018-06-02 01:42:04.025165427 +0200 -@@ -248,6 +248,12 @@ - compression in the corresponding direction. Use \fInobsdcomp\fR or - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. - .TP -+.B ca \fIca-file -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection. -+This option is used on the client-side in conjunction with the \fBcert\fR -+and \fBkey\fR options. -+.TP - .B cdtrcts - Use a non-standard hardware flow control (i.e. DTR/CTS) to control - the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -259,6 +265,12 @@ - bi-directional flow control. The sacrifice is that this flow - control mode does not permit using DTR as a modem control line. - .TP -+.B cert \fIcertfile -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBkey\fR options. -+.TP - .B chap\-interval \fIn - If this option is given, pppd will rechallenge the peer every \fIn\fR - seconds. -@@ -287,6 +299,18 @@ - 1000 (1 second). This wait period only applies if the \fBconnect\fR - or \fBpty\fR option is used. 
- .TP -+.B crl \fIfilename -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List -+to check for the validity of the peer's certificate. This option is not -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR -+option. -+.TP -+.B crl-dir \fIdirectory -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in -+has format ($hash.r0) to check for the validity of the peer's certificate. -+This option is not mandatory for setting up an EAP-TLS connection. -+Also see the \fBcrl\fR option. -+.TP - .B debug - Enables connection debugging facilities. - If this option is given, pppd will log the contents of all -@@ -551,6 +575,12 @@ - the kernel are logged by syslog(1) to a file as directed in the - /etc/syslog.conf configuration file. - .TP -+.B key \fIkeyfile -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBcert\fR options. -+.TP - .B ktune - Enables pppd to alter kernel settings as appropriate. Under Linux, - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -709,6 +739,9 @@ - Disable Address/Control compression in both directions (send and - receive). - .TP -+.B need-peer-eap -+(EAP-TLS) Require the peer to verify our authentication credentials. -+.TP - .B noauth - Do not require the peer to authenticate itself. This option is - privileged. 
-diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h ---- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h 2018-06-02 01:42:04.025165427 +0200 -@@ -325,6 +325,11 @@ - extern bool dryrun; /* check everything, print options, exit */ - extern int child_wait; /* # seconds to wait for children at end */ - -+#ifdef USE_EAPTLS -+extern char *crl_dir; -+extern char *crl_file; -+#endif /* USE_EAPTLS */ -+ - #ifdef MAXOCTETS - extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ - extern int maxoctets_dir; /* Direction : -@@ -741,6 +746,10 @@ - extern int (*chap_passwd_hook) __P((char *user, char *passwd)); - extern void (*multilink_join_hook) __P((void)); - -+#ifdef USE_EAPTLS -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); -+#endif -+ - /* Let a plugin snoop sent and received packets. Useful for L2TP */ - extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); - extern void (*snoop_send_hook) __P((unsigned char *p, int len)); diff --git a/ppp-2.4.7-linux48.patch b/ppp-2.4.7-linux48.patch deleted file mode 100644 index 9b0920d..0000000 --- a/ppp-2.4.7-linux48.patch +++ /dev/null 
@@ -1,35 +0,0 @@ -From 33797aa193a2751da26f9af120e39c110defe4d1 Mon Sep 17 00:00:00 2001 -From: Lubomir Rintel -Date: Sat, 10 Dec 2016 19:53:56 +0100 -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h - -To fix build breakage. ---- - pppd/plugins/rp-pppoe/pppoe.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index 9ab2eee..f77f5b7 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -15,6 +15,8 @@ - - #include "config.h" - -+#include -+ - #if defined(HAVE_NETPACKET_PACKET_H) || defined(HAVE_LINUX_IF_PACKET_H) - #define _POSIX_SOURCE 1 /* For sigaction defines */ - #endif -@@ -84,8 +86,6 @@ typedef unsigned long UINT32_t; - #include - #endif - --#include -- - #ifdef HAVE_NETINET_IF_ETHER_H - #include - --- -2.9.3 - diff --git a/ppp-2.4.7-make.patch b/ppp-2.4.7-make.patch deleted file mode 100644 index e6c417a..0000000 --- a/ppp-2.4.7-make.patch +++ /dev/null 
@@ -1,116 +0,0 @@ -diff -urN ppp-2.4.7/chat/Makefile.linux ppp-2.4.7-patched/chat/Makefile.linux ---- ppp-2.4.7/chat/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/chat/Makefile.linux 2014-08-11 16:19:06.400359190 +1100 -@@ -10,7 +10,7 @@ - CDEF4= -DFNDELAY=O_NDELAY # Old name value - CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) - --COPTS= -O2 -g -pipe -+COPTS= $(RPM_OPT_FLAGS) - CFLAGS= $(COPTS) $(CDEFS) - - INSTALL= install -diff -urN ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-patched/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/Makefile.linux 2014-08-11 16:19:35.206814899 +1100 -@@ -30,10 +30,10 @@ - include .depend - endif - --# CC = gcc -+CC = gcc - # --COPTS = -O2 -pipe -Wall -g --LIBS = -+COPTS = -Wall $(RPM_OPT_FLAGS) -+LIBS = -lutil - - # Uncomment the next 2 lines to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. -@@ -61,7 +61,7 @@ - USE_TDB=y - - HAS_SHADOW=y --#USE_PAM=y -+USE_PAM=y - HAVE_INET6=y - - # Enable plugins -diff -urN ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-patched/pppd/plugins/Makefile.linux ---- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/Makefile.linux 2014-08-11 16:19:06.400359190 +1100 -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I.. -I../../include -fPIC - LDFLAGS = -shared - INSTALL = install -diff -urN ppp-2.4.7/pppd/plugins/pppoatm/Makefile.linux ppp-2.4.7-patched/pppd/plugins/pppoatm/Makefile.linux ---- ppp-2.4.7/pppd/plugins/pppoatm/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/pppoatm/Makefile.linux 2014-08-11 16:19:06.400359190 +1100 -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I../.. 
-I../../../include -fPIC - LDFLAGS = -shared - INSTALL = install -diff -urN ppp-2.4.7/pppd/plugins/pppol2tp/Makefile.linux ppp-2.4.7-patched/pppd/plugins/pppol2tp/Makefile.linux ---- ppp-2.4.7/pppd/plugins/pppol2tp/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/pppol2tp/Makefile.linux 2014-08-11 16:19:06.401359205 +1100 -@@ -1,5 +1,5 @@ - #CC = gcc --COPTS = -O2 -g -+COPTS = $(RPM_OPT_FLAGS) - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC - LDFLAGS = -shared - INSTALL = install -diff -urN ppp-2.4.7/pppd/plugins/radius/Makefile.linux ppp-2.4.7-patched/pppd/plugins/radius/Makefile.linux ---- ppp-2.4.7/pppd/plugins/radius/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/radius/Makefile.linux 2014-08-11 16:19:06.401359205 +1100 -@@ -12,7 +12,7 @@ - INSTALL = install - - PLUGIN=radius.so radattr.so radrealms.so --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON -+CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -fPIC -DRC_LOG_FACILITY=LOG_DAEMON - - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. -diff -urN ppp-2.4.7/pppd/plugins/rp-pppoe/Makefile.linux ppp-2.4.7-patched/pppd/plugins/rp-pppoe/Makefile.linux ---- ppp-2.4.7/pppd/plugins/rp-pppoe/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/rp-pppoe/Makefile.linux 2014-08-11 16:19:06.401359205 +1100 -@@ -25,7 +25,7 @@ - # Version is set ONLY IN THE MAKEFILE! Don't delete this! 
- RP_VERSION=3.8p - --COPTS=-O2 -g -+COPTS=$(RPM_OPT_FLAGS) - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' - all: rp-pppoe.so pppoe-discovery - -diff -urN ppp-2.4.7/pppdump/Makefile.linux ppp-2.4.7-patched/pppdump/Makefile.linux ---- ppp-2.4.7/pppdump/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppdump/Makefile.linux 2014-08-11 16:19:06.401359205 +1100 -@@ -2,7 +2,7 @@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 - --CFLAGS= -O -I../include/net -+CFLAGS= $(RPM_OPT_FLAGS) -I../include/net - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o - - INSTALL= install -diff -urN ppp-2.4.7/pppstats/Makefile.linux ppp-2.4.7-patched/pppstats/Makefile.linux ---- ppp-2.4.7/pppstats/Makefile.linux 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppstats/Makefile.linux 2014-08-11 16:19:06.401359205 +1100 -@@ -10,7 +10,7 @@ - PPPSTATOBJS = pppstats.o - - #CC = gcc --COPTS = -O -+COPTS = $(RPM_OPT_FLAGS) - COMPILE_FLAGS = -I../include - LIBS = - diff --git a/ppp-2.4.7-noexttraffic.patch b/ppp-2.4.7-noexttraffic.patch deleted file mode 100644 index 8d0e2bd..0000000 --- a/ppp-2.4.7-noexttraffic.patch +++ /dev/null 
@@ -1,101 +0,0 @@ -diff -urN ppp-2.4.7/pppd/auth.c ppp-2.4.7-patched/pppd/auth.c ---- ppp-2.4.7/pppd/auth.c 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/auth.c 2014-08-11 16:25:36.701647610 +1100 -@@ -243,6 +243,11 @@ - - extern char *crypt __P((const char *, const char *)); - -+#ifdef NOEXT_TRAFFIC -+/* Boolean to care for external traffic or not. Defined in options.c */ -+extern int noexttraffic; -+#endif -+ - /* Prototypes for procedures local to this file. */ - - static void network_phase __P((int)); -@@ -1189,6 +1194,14 @@ - tlim = idle_time_hook(&idle); - } else { - itime = MIN(idle.xmit_idle, idle.recv_idle); -+#ifdef NOEXT_TRAFFIC /* modified version, additional commandline-switch noext-traffic */ -+ if (!noexttraffic) -+ itime = MIN(idle.xmit_idle, idle.recv_idle); -+ else -+ itime = idle.xmit_idle; -+#else /* standard version */ -+ itime = MIN(idle.xmit_idle, idle.recv_idle); -+#endif - tlim = idle_time_limit - itime; - } - if (tlim <= 0) { -diff -urN ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-patched/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-11 16:25:19.064360401 +1100 -+++ ppp-2.4.7-patched/pppd/Makefile.linux 2014-08-11 16:25:36.702647626 +1100 -@@ -60,6 +60,8 @@ - # Linux distributions: Please leave TDB ENABLED in your builds. 
- USE_TDB=y - -+NOEXT_TRAFFIC=y -+ - HAS_SHADOW=y - USE_PAM=y - HAVE_INET6=y -@@ -97,6 +99,10 @@ - endif - endif - -+ifdef NOEXT_TRAFFIC -+CFLAGS += -DNOEXT_TRAFFIC -+endif -+ - # EAP SRP-SHA1 - ifdef USE_SRP - CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include -diff -urN ppp-2.4.7/pppd/options.c ppp-2.4.7-patched/pppd/options.c ---- ppp-2.4.7/pppd/options.c 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/options.c 2014-08-11 16:25:36.702647626 +1100 -@@ -129,6 +129,10 @@ - #endif - - -+#ifdef NOEXT_TRAFFIC -+int noexttraffic = 0; /* decide whether or not we want to care for traffic from extern */ -+#endif -+ - extern option_t auth_options[]; - extern struct stat devstat; - -@@ -325,6 +329,9 @@ - { "active-filter", o_special, setactivefilter, - "set filter for active pkts", OPT_PRIO }, - #endif -+#ifdef NOEXT_TRAFFIC -+ { "noext-traffic", o_bool, (void *)&noexttraffic, "ignore external pkts for timeout", 1 }, -+#endif - - #ifdef MAXOCTETS - { "maxoctets", o_int, &maxoctets, -diff -urN ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-patched/pppd/pppd.8 ---- ppp-2.4.7/pppd/pppd.8 2014-08-09 23:31:39.000000000 +1100 -+++ ppp-2.4.7-patched/pppd/pppd.8 2014-08-11 16:25:36.703647643 +1100 -@@ -295,6 +295,20 @@ - \fIdebug\fR. This information can be directed to a file by setting up - /etc/syslog.conf appropriately (see syslog.conf(5)). - .TP -+.B noext-traffic -+Do not count incoming traffic against the idle time set with the idle -+option. The default idle option behavior is to count both outgoing -+and incoming traffic. This can be very helpful when remote hosts -+keeping sending unwanted traffic, thereby keeping the connection up. -+ -+Note that this \fIcannot\fR prevent programs from responding to incoming -+requests and in doing so defeat the idle option. The route program -+\fIreject\fR parameter might help in that case when enough is known about -+IP address space of the site generating the unwanted requests. 
If you -+initiated contact with the site generating the requests, say with a -+web browser, then denying ingress with the "reject" parameter probably -+won't be a viable option. -+. - .B default\-asyncmap - Disable asyncmap negotiation, forcing all control characters to be - escaped for both the transmit and the receive direction. diff --git a/ppp-2.4.7-nostrip.patch b/ppp-2.4.7-nostrip.patch deleted file mode 100644 index 6d65c39..0000000 --- a/ppp-2.4.7-nostrip.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -diff -urN ppp-2.4.7/chat/Makefile.linux ppp-2.4.7-patched/chat/Makefile.linux ---- ppp-2.4.7/chat/Makefile.linux 2014-08-11 16:36:30.888408015 +1100 -+++ ppp-2.4.7-patched/chat/Makefile.linux 2014-08-11 16:36:51.996758000 +1100 -@@ -25,7 +25,7 @@ - - install: chat - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c chat $(BINDIR) -+ $(INSTALL) -c chat $(BINDIR) - $(INSTALL) -c -m 644 chat.8 $(MANDIR) - - clean: -diff -urN ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-patched/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-11 16:36:30.888408015 +1100 -+++ ppp-2.4.7-patched/pppd/Makefile.linux 2014-08-11 16:36:51.997758017 +1100 -@@ -108,7 +108,7 @@ - CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include - LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto - TARGETS += srp-entry --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -@@ -214,7 +214,7 @@ - install: pppd - mkdir -p $(BINDIR) $(MANDIR) - $(EXTRAINSTALL) -- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd -+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ - chmod o-rx,u+s $(BINDIR)/pppd; fi - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) -diff -urN ppp-2.4.7/pppd/plugins/radius/Makefile.linux ppp-2.4.7-patched/pppd/plugins/radius/Makefile.linux ---- ppp-2.4.7/pppd/plugins/radius/Makefile.linux 2014-08-11 16:36:30.877407833 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/radius/Makefile.linux 2014-08-11 16:36:51.997758017 +1100 -@@ -36,9 +36,9 @@ - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radius.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) - $(INSTALL) -c -m 444 pppd-radius.8 
$(MANDIR) - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - -diff -urN ppp-2.4.7/pppd/plugins/rp-pppoe/Makefile.linux ppp-2.4.7-patched/pppd/plugins/rp-pppoe/Makefile.linux ---- ppp-2.4.7/pppd/plugins/rp-pppoe/Makefile.linux 2014-08-11 16:36:30.877407833 +1100 -+++ ppp-2.4.7-patched/pppd/plugins/rp-pppoe/Makefile.linux 2014-08-11 16:36:51.997758017 +1100 -@@ -43,9 +43,9 @@ - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) -+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) -- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) - - clean: - rm -f *.o *.so pppoe-discovery -diff -urN ppp-2.4.7/pppdump/Makefile.linux ppp-2.4.7-patched/pppdump/Makefile.linux ---- ppp-2.4.7/pppdump/Makefile.linux 2014-08-11 16:36:30.882407916 +1100 -+++ ppp-2.4.7-patched/pppdump/Makefile.linux 2014-08-11 16:37:15.211143063 +1100 -@@ -17,5 +17,5 @@ - - install: - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c pppdump $(BINDIR) -+ $(INSTALL) -c pppdump $(BINDIR) - $(INSTALL) -c pppdump.8 $(MANDIR) -diff -urN ppp-2.4.7/pppstats/Makefile.linux ppp-2.4.7-patched/pppstats/Makefile.linux ---- ppp-2.4.7/pppstats/Makefile.linux 2014-08-11 16:36:30.877407833 +1100 -+++ ppp-2.4.7-patched/pppstats/Makefile.linux 2014-08-11 16:36:51.998758034 +1100 -@@ -22,7 +22,7 @@ - - install: pppstats - -mkdir -p $(MANDIR) -- $(INSTALL) -s -c pppstats $(BINDIR) -+ $(INSTALL) -c pppstats $(BINDIR) - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) diff --git a/ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch b/ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch new file mode 100644 index 0000000..bedb902 --- /dev/null +++ b/ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch 
@@ -0,0 +1,29 @@ +From ab8b06cdc1075abc67f77e7c3bb684e20071d614 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Thu, 10 Apr 2014 10:09:41 +0200 +Subject: [PATCH 25/27] pppd: install pppd binary using standard perms (755) + +--- + pppd/Makefile.linux | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 0e8107f..534ccc2 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -223,10 +223,10 @@ all: $(TARGETS) + install: pppd + mkdir -p $(BINDIR) $(MANDIR) + $(EXTRAINSTALL) +- $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd ++ $(INSTALL) -c -m 755 pppd $(BINDIR)/pppd + if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ + chmod o-rx,u+s $(BINDIR)/pppd; fi +- $(INSTALL) -c -m 444 pppd.8 $(MANDIR) ++ $(INSTALL) -c -m 644 pppd.8 $(MANDIR) + + pppd: $(PPPDOBJS) + $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) +-- +1.8.3.1 + diff --git a/ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch new file mode 100644 index 0000000..1b4a9cd --- /dev/null +++ b/ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch 
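Review bot: The install rule this patch edits still runs `chmod o-rx,u+s $(BINDIR)/pppd` whenever `chgrp pppusers` succeeds, so the mode of the pppd binary left in the buildroot depends on whether a `pppusers` group exists on the build host, and the ppp.spec hunk later in this series that replaces `%attr(5755,root,root) %{_sbindir}/pppd` with a bare `%{_sbindir}/pppd` then packages whatever mode resulted. If the intent is an unprivileged 755 pppd, pin it in `%files` with `%attr(0755,root,root) %{_sbindir}/pppd` (or drop the chgrp/chmod lines in this patch as well) so the build environment cannot turn it into a setuid-root binary. The `pppd:` target following the install rule lies outside the hunk.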
@@ -0,0 +1,143 @@ +From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 12:23:36 +0200 +Subject: [PATCH 12/27] pppd: we don't want to accidentally leak fds + +--- + pppd/auth.c | 20 ++++++++++---------- + pppd/options.c | 2 +- + pppd/sys-linux.c | 4 ++-- + 3 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/pppd/auth.c b/pppd/auth.c +index 4271af6..9e957fa 100644 +--- a/pppd/auth.c ++++ b/pppd/auth.c +@@ -428,7 +428,7 @@ setupapfile(argv) + free(fname); + return 0; + } +- ufile = fopen(fname, "r"); ++ ufile = fopen(fname, "re"); + if (seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); + if (ufile == NULL) { +@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) + filename = _PATH_UPAPFILE; + addrs = opts = NULL; + ret = UPAP_AUTHNAK; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open PAP password file %s: %m", filename); + +@@ -1512,7 +1512,7 @@ null_login(unit) + if (ret <= 0) { + filename = _PATH_UPAPFILE; + addrs = NULL; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) + } + + filename = _PATH_CHAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) + struct wordlist *addrs; + + filename = _PATH_SRPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == 
NULL) + return 0; + +@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server) + addrs = NULL; + secbuf[0] = 0; + +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open chap secret file %s: %m", filename); + return 0; +@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server) + filename = _PATH_SRPFILE; + addrs = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "re"); + if (fp == NULL) { + error("Can't open srp secret file %s: %m", filename); + return 0; +@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags) + */ + if (word[0] == '@' && word[1] == '/') { + strlcpy(atfile, word+1, sizeof(atfile)); +- if ((sf = fopen(atfile, "r")) == NULL) { ++ if ((sf = fopen(atfile, "re")) == NULL) { + warn("can't open indirect secret file %s", atfile); + continue; + } +diff --git a/pppd/options.c b/pppd/options.c +index 45fa742..1d754ae 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv) + option_error("unable to drop privileges to open %s: %m", filename); + return 0; + } +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + err = errno; + if (check_prot && seteuid(euid) == -1) + fatal("unable to regain privileges"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 72a7727..8a12fa0 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) + /* Default the mount location of /proc */ + strlcpy (proc_path, "/proc", sizeof(proc_path)); + proc_path_len = 5; +- fp = fopen(MOUNTED, "r"); ++ fp = fopen(MOUNTED, "re"); + if (fp != NULL) { + while ((mntent = getmntent(fp)) != NULL) { + if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0) +@@ -1472,7 +1472,7 @@ static int open_route_table (void) + close_route_table(); + + path = path_to_procfs("/net/route"); +- route_fd = fopen (path, "r"); ++ 
route_fd = fopen (path, "re"); + if (route_fd == NULL) { + error("can't open routing table %s: %m", path); + return 0; +-- +1.8.3.1 + diff --git a/ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch b/ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch new file mode 100644 index 0000000..c2c8cce --- /dev/null +++ b/ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch 
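Review bot: The `e` mode character added to every fopen() call here is a glibc extension (glibc 2.7 and later) that sets O_CLOEXEC; other libcs may reject it as an invalid mode, and for the auth.c call sites a failed fopen() means every secrets lookup fails closed. That is acceptable for a Linux-only package, but the spec in this series still declares `Requires: glibc >= 2.0.6`, which no longer reflects what the patched code needs; raise it to a glibc version that provides the `e` flag and O_CLOEXEC, and note in the patch header that the `e` flag is relied upon. Each fopen() is inside a function whose body lies outside its hunk.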
@@ -0,0 +1,99 @@ +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 6a4b897..8f29c1f 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -12,6 +12,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 + INCDIR = $(DESTDIR)/include ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null) + + TARGETS = pppd + +@@ -93,7 +94,7 @@ INCLUDE_DIRS= -I../include + + COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP -pipe + +-CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' ++CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' -DLIBDIR=\""$(LIBDIR)"\" + + ifdef CHAPMS + CFLAGS += -DCHAPMS=1 +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index 524d608..c7eadbb 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -62,7 +62,7 @@ + + #ifdef PLUGIN + #ifdef __STDC__ +-#define _PATH_PLUGIN DESTDIR "/lib/pppd/" VERSION ++#define _PATH_PLUGIN LIBDIR "/pppd/" VERSION + #else /* __STDC__ */ + #define _PATH_PLUGIN "/usr/lib/pppd" + #endif /* __STDC__ */ +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index 6403e3d..f42d18c 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -5,7 +5,7 @@ COPTS=@CFLAGS@ + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + CFLAGS = $(COPTS) -I.. 
-I../../include -fPIC + LDFLAGS_SHARED = -shared +diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux +index d3a8086..c2aff0c 100644 +--- a/pppd/plugins/pppoatm/Makefile.linux ++++ b/pppd/plugins/pppoatm/Makefile.linux +@@ -4,7 +4,7 @@ CC=$(CROSS_COMPILE)@CC@ + COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)@DESTDIR@ +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/pppoe/Makefile.linux b/pppd/plugins/pppoe/Makefile.linux +index c415ce3..d3b7392 100644 +--- a/pppd/plugins/pppoe/Makefile.linux ++++ b/pppd/plugins/pppoe/Makefile.linux +@@ -18,7 +18,7 @@ COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin +-LIBDIR = $(DESTDIR)/lib/pppd/$(PPPDVERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(PPPDVERSION) + + PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux +index 1aa1c0b..e4442f9 100644 +--- a/pppd/plugins/pppol2tp/Makefile.linux ++++ b/pppd/plugins/pppol2tp/Makefile.linux +@@ -4,7 +4,7 @@ CC=$(CROSS_COMPILE)@CC@ + COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)/@DESTDIR@ +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 489aef2..d2ef044 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ b/pppd/plugins/radius/Makefile.linux +@@ -9,7 +9,7 @@ COPTS=@CFLAGS@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + MANDIR = $(DESTDIR)/share/man/man8 +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc 
-print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + diff --git a/ppp-2.4.9-config.patch b/ppp-2.4.9-config.patch new file mode 100644 index 0000000..fc7c781 --- /dev/null +++ b/ppp-2.4.9-config.patch @@ -0,0 +1,21 @@ +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index e77373e..07df6a7 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -68,14 +68,14 @@ USE_TDB=y + #SYSTEMD=y + + HAS_SHADOW=y +-#USE_PAM=y ++USE_PAM=y + HAVE_INET6=y + + # Enable plugins + PLUGIN=y + + # Enable Microsoft proprietary Callback Control Protocol +-#CBCP=y ++CBCP=y + + # Enable EAP SRP-SHA1 authentication (requires libsrp) + #USE_SRP=y diff --git a/ppp-2.4.9-configure-cflags-allow-commas.patch b/ppp-2.4.9-configure-cflags-allow-commas.patch new file mode 100644 index 0000000..5a4ef98 --- /dev/null +++ b/ppp-2.4.9-configure-cflags-allow-commas.patch @@ -0,0 +1,17 @@ +diff --git a/configure b/configure +index f977663..c7031c2 100755 +--- a/configure ++++ b/configure +@@ -121,9 +121,9 @@ mkmkf() { + rm -f $2 + if [ -f $1 ]; then + echo " $2 <= $1" +- sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ +- -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ +- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 ++ sed -e "s|@DESTDIR@|$DESTDIR|g" -e "s|@SYSCONF@|$SYSCONF|g" \ ++ -e "s|@CROSS_COMPILE@|$CROSS_COMPILE|g" -e "s|@CC@|$CC|g" \ ++ -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2 + fi + } + diff --git a/ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch b/ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch new file mode 100644 index 0000000..84a3bdb --- /dev/null +++ b/ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch 
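Review bot: Every LIBDIR definition added by this patch shells out to a literal `gcc` to compute the multi-os directory, although the same Makefiles set `CC=$(CROSS_COMPILE)@CC@` (visible in the pppoatm and pppol2tp hunk context), so under cross-compilation or a non-gcc CC the path comes from the host compiler and plugins are installed where the configured toolchain would not place them. Use the configured compiler instead, `LIBDIR = $(DESTDIR)/lib/$(shell $(CC) -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION)`, in pppd/Makefile.linux and each plugin Makefile. In pppd/Makefile.linux the result is also baked into CFLAGS via `-DLIBDIR=\""$(LIBDIR)"\"` and consumed by `_PATH_PLUGIN` in pathnames.h, so a mismatch there silently changes where pppd looks for plugins at run time.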
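Review bot: Switching the sed delimiter from `,` to `|` only moves the problem: a value containing `|` now breaks the s-command, and `&` or a backslash in any substituted variable is still interpreted by sed in the replacement. Since the spec in this series passes `$RPM_OPT_FLAGS` straight through `--cflags`, escape the substituted values before building the expressions, e.g. run each through `sed 's/[|&\\]/\\&/g'` into a local variable ahead of the sed call, or at least add a comment above it stating that `|`, `&` and `\` are not supported in the substituted values. The `mkmkf()` function is otherwise unchanged and its opening line is visible in the hunk header.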
@@ -0,0 +1,241 @@ +From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 13:56:34 +0200 +Subject: [PATCH 13/27] everywhere: O_CLOEXEC harder + +--- + pppd/eap.c | 2 +- + pppd/main.c | 4 ++-- + pppd/options.c | 4 ++-- + pppd/sys-linux.c | 22 +++++++++++----------- + pppd/tdb.c | 4 ++-- + pppd/tty.c | 4 ++-- + pppd/utils.c | 6 +++--- + 7 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 6ea6c1f..faced53 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1226,7 +1226,7 @@ mode_t modebits; + + if ((path = name_of_pn_file()) == NULL) + return (-1); +- fd = open(path, modebits, S_IRUSR | S_IWUSR); ++ fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC); + err = errno; + free(path); + errno = err; +diff --git a/pppd/main.c b/pppd/main.c +index 6d50d1b..4880377 100644 +--- a/pppd/main.c ++++ b/pppd/main.c +@@ -420,7 +420,7 @@ main(argc, argv) + die(0); + + /* Make sure fds 0, 1, 2 are open to somewhere. 
*/ +- fd_devnull = open(_PATH_DEVNULL, O_RDWR); ++ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); + if (fd_devnull < 0) + fatal("Couldn't open %s: %m", _PATH_DEVNULL); + while (fd_devnull <= 2) { +@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait) + if (log_to_fd >= 0) + errfd = log_to_fd; + else +- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); ++ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0644); + + ++conn_running; + pid = safe_fork(in, out, errfd); +diff --git a/pppd/options.c b/pppd/options.c +index 1d754ae..8e62635 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -1544,9 +1544,9 @@ setlogfile(argv) + option_error("unable to drop permissions to open %s: %m", *argv); + return 0; + } +- fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644); + if (fd < 0 && errno == EEXIST) +- fd = open(*argv, O_WRONLY | O_APPEND); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC); + err = errno; + if (!privileged_option && seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 8a12fa0..00a2cf5 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) + goto err; + } + dbglog("using channel %d", chindex); +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd < 0) { + error("Couldn't reopen /dev/ppp: %m"); + goto err; +@@ -619,7 +619,7 @@ static int make_ppp_unit() + dbglog("in make_ppp_unit, already had /dev/ppp open?"); + close(ppp_dev_fd); + } +- ppp_dev_fd = open("/dev/ppp", O_RDWR); ++ ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (ppp_dev_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + flags = fcntl(ppp_dev_fd, F_GETFL); +@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) + if (!new_style_driver) + return -1; + +- master_fd = open("/dev/ppp", O_RDWR); 
++ master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (master_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { +@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) + if (tune_kernel) { + forw_path = path_to_procfs("/sys/net/ipv4/ip_forward"); + if (forw_path != 0) { +- int fd = open(forw_path, O_WRONLY); ++ int fd = open(forw_path, O_WRONLY | O_CLOEXEC); + if (fd >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable IP forwarding: %m"); +@@ -2030,7 +2030,7 @@ int ppp_available(void) + sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); + kernel_version = KVERSION(osmaj, osmin, ospatch); + +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd >= 0) { + new_style_driver = 1; + +@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host) + #if __GLIBC__ >= 2 + updwtmp(_PATH_WTMP, &ut); + #else +- wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY); ++ wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC); + if (wtmp >= 0) { + flock(wtmp, LOCK_EX); + +@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr, + int fd; + + path = path_to_procfs("/sys/net/ipv4/ip_dynaddr"); +- if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) { ++ if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable dynamic IP addressing: %m"); + close(fd); +@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + /* + * Try the unix98 way first. 
+ */ +- mfd = open("/dev/ptmx", O_RDWR); ++ mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC); + if (mfd >= 0) { + int ptn; + if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) { +@@ -2581,7 +2581,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) + warn("Couldn't unlock pty slave %s: %m", pty_name); + #endif +- if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) ++ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) + { + warn("Couldn't open pty slave %s: %m", pty_name); + close(mfd); +@@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + for (i = 0; i < 64; ++i) { + slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", + 'p' + i / 16, i % 16); +- mfd = open(pty_name, O_RDWR, 0); ++ mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0); + if (mfd >= 0) { + pty_name[5] = 't'; +- sfd = open(pty_name, O_RDWR | O_NOCTTY, 0); ++ sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); + if (sfd >= 0) { + fchown(sfd, uid, -1); + fchmod(sfd, S_IRUSR | S_IWUSR); +diff --git a/pppd/tdb.c b/pppd/tdb.c +index bdc5828..c7ab71c 100644 +--- a/pppd/tdb.c ++++ b/pppd/tdb.c +@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags, + goto internal; + } + +- if ((tdb->fd = open(name, open_flags, mode)) == -1) { ++ if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) { + TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", + name, strerror(errno))); + goto fail; /* errno set by open(2) */ +@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) + } + if (close(tdb->fd) != 0) + TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); +- tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0); ++ tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0); + if (tdb->fd == -1) { + TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); + goto fail; +diff --git a/pppd/tty.c b/pppd/tty.c +index d571b11..bc96695 100644 +--- a/pppd/tty.c 
++++ b/pppd/tty.c +@@ -569,7 +569,7 @@ int connect_tty() + status = EXIT_OPEN_FAILED; + goto errret; + } +- real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0); ++ real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0); + err = errno; + if (prio < OPRIO_ROOT && seteuid(0) == -1) + fatal("Unable to regain privileges"); +@@ -723,7 +723,7 @@ int connect_tty() + if (connector == NULL && modem && devnam[0] != 0) { + int i; + for (;;) { +- if ((i = open(devnam, O_RDWR)) >= 0) ++ if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0) + break; + if (errno != EINTR) { + error("Failed to reopen %s: %m", devnam); +diff --git a/pppd/utils.c b/pppd/utils.c +index 29bf970..6051b9a 100644 +--- a/pppd/utils.c ++++ b/pppd/utils.c +@@ -918,14 +918,14 @@ lock(dev) + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); + #endif + +- while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { ++ while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) { + if (errno != EEXIST) { + error("Can't create lock file %s: %m", lock_file); + break; + } + + /* Read the lock file to find out who has the device locked. */ +- fd = open(lock_file, O_RDONLY, 0); ++ fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0); + if (fd < 0) { + if (errno == ENOENT) /* This is just a timing problem. */ + continue; +@@ -1004,7 +1004,7 @@ relock(pid) + + if (lock_file[0] == 0) + return -1; +- fd = open(lock_file, O_WRONLY, 0); ++ fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0); + if (fd < 0) { + error("Couldn't reopen lock file %s: %m", lock_file); + lock_file[0] = 0; +-- +1.8.3.1 + diff --git a/ppp.logrotate b/ppp-logrotate.conf similarity index 100% rename from ppp.logrotate rename to ppp-logrotate.conf diff --git a/ppp-options.patch b/ppp-options.patch deleted file mode 100644 index 498df78..0000000 --- a/ppp-options.patch +++ /dev/null 
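Review bot: In the eap.c hunk O_CLOEXEC is OR-ed into the wrong argument: `fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC);` puts the flag into the mode_t permission argument, where it is masked off (or ignored entirely when O_CREAT is not set), so the descriptor is still inherited across exec and the flag has no effect there. It belongs in the flags argument, `fd = open(path, modebits | O_CLOEXEC, S_IRUSR | S_IWUSR);`, consistent with every other call site in this patch. The enclosing function in eap.c starts before the hunk.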
@@ -1,8 +0,0 @@ ---- ppp-2.4.0/etc.ppp/options Sat Feb 27 04:09:52 1999 -+++ ppp-2.4.0/etc.ppp/options.geoff Thu Aug 31 09:20:12 2000 -@@ -1 +1,5 @@ - lock -+noauth -+noipdefault -+usepeerdns -+ diff --git a/ppp-pam.conf b/ppp-pam.conf new file mode 100644 index 0000000..968e252 --- /dev/null +++ b/ppp-pam.conf @@ -0,0 +1,5 @@ +#%PAM-1.0 +auth include password-auth +account required pam_nologin.so +account include password-auth +session include password-auth diff --git a/ppp-tmpfiles.conf b/ppp-tmpfiles.conf index 5b1a93d..a07719c 100644 --- a/ppp-tmpfiles.conf +++ b/ppp-tmpfiles.conf @@ -1,2 +1,2 @@ -d /var/run/ppp 0755 root root - -f /var/run/ppp/resolv.conf 0644 root root - +d /run/ppp 0755 root root +d /run/lock/ppp 0755 root root diff --git a/ppp.spec b/ppp.spec index 414a1af..a962251 100644 --- a/ppp.spec +++ b/ppp.spec 
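Review bot: The new PAM stack is built entirely on `include password-auth`, so it is only correct if this distribution's pam package ships `/etc/pam.d/password-auth`; if the included file is absent, PAM is expected to fail closed and every pppd PAP/CHAP login through PAM is refused. Confirm that the target distribution provides that stack (or use the name it ships, e.g. a `system-auth` equivalent) and add a `Requires:` on the package that owns it so the dependency is explicit rather than implied. The `account required pam_nologin.so` line placed before the include is the right order for honouring /etc/nologin.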
@@ -1,50 +1,43 @@ -%bcond_without inet6 +%define _disable_ld_no_undefined %nil Summary: The PPP daemon and documentation Name: ppp -Version: 2.4.7 -Release: 9 +Version: 2.4.9 +Release: 1 License: BSD-like Group: System/Servers Url: http://www.samba.org/ppp/ -Source0: ftp://ftp.samba.org/pub/ppp/%{name}-%{version}.tar.gz -Source1: ppp-2.4.3-pam.conf -Source2: ppp-2.4.1-mppe-crypto.tar.bz2 -Source3: README.pppoatm -Source4: ppp.logrotate -Source5: ppp-dhcpc.tar.bz2 -Source6: ppp-tmpfiles.conf -Source104: ip-down -Source105: ip-down.ipv6to4 -Source106: ip-up -Source107: ip-up.ipv6to4 -Source108: ipv6-down -Source109: ipv6-up -Source110: ifup-ppp -Source111: ifdown-ppp -Source112: ppp-watch.tar.xz -Patch0: ppp-2.4.7-make.patch -Patch1: ppp-2.3.6-sample.patch -Patch2: ppp-options.patch -Patch3: ppp-2.4.3-pppdump-Makefile.patch -Patch4: ppp-2.4.7-noexttraffic.patch -# (blino) use external libatm for pppoatm plugin -Patch5: ppp-2.4.3-libatm.patch -Patch6: ppp-2.4.2-pie.patch -Patch7: ppp-2.4.4-multipledefrt.patch -Patch8: ppp-2.4.4-dontwriteetc.patch -Patch9: ppp-2.4.3-pic.patch -Patch10: ppp-2.4.3-etcppp.patch -Patch11: ppp-2.4.5-includes-sha1.patch -Patch12: ppp-2.4.5-makeopt2.patch -Patch13: ppp-2.4.7-nostrip.patch -Patch14: ppp-2.4.7-linux48.patch -Patch15: ppp-2.4.7-eaptls-mppe-1.101_CVE-2018-11574.patch -Patch16: FEDORA-glibc-2.28.patch -# CVE-2020-8597 -# remote code execution -Patch17: 8d7970b8f3db727fe798b65f3377fe6787575426.patch -Patch18: ppp-2.4.5-libtool-tag.patch +Source0: https://github.com/paulusmack/ppp/archive/%{version}.tar.gz +Source1: ppp-pam.conf +Source2: ppp-logrotate.conf +Source3: ppp-tmpfiles.conf +Source4: ip-down +Source5: ip-down.ipv6to4 +Source6: ip-up +Source7: ip-up.ipv6to4 +Source8: ipv6-down +Source9: ipv6-up +Source10: ifup-ppp +Source11: ifdown-ppp +Source12: ppp-watch.tar.xz + +Patch0002: ppp-2.4.9-config.patch +Patch0004: 0004-doc-add-configuration-samples.patch +Patch0005: 
ppp-2.4.9-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +Patch0006: 0006-scritps-use-change_resolv_conf-function.patch +Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch +Patch0012: ppp-2.4.8-pppd-we-don-t-want-to-accidentally-leak-fds.patch +Patch0013: ppp-2.4.9-everywhere-O_CLOEXEC-harder.patch +Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch +Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch +Patch0018: 0018-scritps-fix-ip-up.local-sample.patch +Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch +Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch +Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch +Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch +Patch0026: ppp-2.4.9-configure-cflags-allow-commas.patch + BuildRequires: libtool BuildRequires: atm-devel BuildRequires: pcap-devel @@ -67,11 +60,12 @@ The ppp package should be installed if your machine need to support the PPP protocol. %files -%doc FAQ PLUGINS README* scripts sample +%doc FAQ README README.cbcp README.linux README.MPPE README.MSCHAP80 README.MSCHAP81 README.pwfd README.pppoe scripts sample README.eap-tls %{_sbindir}/chat +%{_sbindir}/pppd %{_sbindir}/pppdump -%attr(5755,root,root) %{_sbindir}/pppd -%attr(0755,root,daemon) %{_sbindir}/pppstats +%{_sbindir}/pppoe-discovery +%{_sbindir}/pppstats %{_sbindir}/ppp-watch %dir %{_sysconfdir}/ppp %{_sysconfdir}/ppp/ip-up 
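Review bot: `Source0` now points at `https://github.com/paulusmack/ppp/archive/%{version}.tar.gz`, an on-the-fly GitHub archive rather than a published release artifact; such archives are not guaranteed to stay byte-identical over time, so a build that fetches it has nothing stable to verify against. Record the expected checksum of the tarball in the packaging (or reference a release asset) so the build fails instead of silently consuming a changed archive. The same hunk drops `Patch15` (CVE-2018-11574) and `Patch17` (CVE-2020-8597) together with the other 2.4.7-era patches, presumably because 2.4.9 carries those fixes upstream; the commit description should state that explicitly so the removal of CVE patches is auditable.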
@@ -80,31 +74,29 @@ the PPP protocol. %{_sysconfdir}/ppp/ip-down.ipv6to4 %{_sysconfdir}/ppp/ipv6-up %{_sysconfdir}/ppp/ipv6-down -%config %{_sysconfdir}/ppp/eaptls-client -%config %{_sysconfdir}/ppp/eaptls-server -%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp -%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp -%{_mandir}/man*/* -%exclude %{_mandir}/man8/*rad* -%dir %{_libdir}/pppd -%{_libdir}/pppd/%{version} -%exclude %{_libdir}/pppd/%{version}/pppoatm.so -%exclude %{_libdir}/pppd/%{version}/rp-pppoe.so -%exclude %{_libdir}/pppd/%{version}/rad* -%exclude %{_libdir}/pppd/%{version}/dhcpc.so -%{_tmpfilesdir}/%{name}.conf -%ghost %dir %{_var}/run/ppp -%ghost %{_var}/run/ppp/resolv.conf -%attr(700, root, root) %dir %{_var}/log/ppp -%{_var}/log/ppp/* -%attr(0600,root,daemon) %config(noreplace) %{_sysconfdir}/ppp/chap-secrets -%attr(0600,root,daemon) %config(noreplace) %{_sysconfdir}/ppp/options -%attr(0600,root,daemon) %config(noreplace) %{_sysconfdir}/ppp/pap-secrets -%attr(0600,root,daemon) %{_sysconfdir}/ppp/connect-errors -%attr(0600,root,daemon) %{_sysconfdir}/ppp/resolv.conf -%attr(755,root,daemon) %dir %{_sysconfdir}/ppp/peers +%{_mandir}/man8/chat.8* +%{_mandir}/man8/pppd.8* +%{_mandir}/man8/pppdump.8* +%{_mandir}/man8/pppd-radattr.8* +%{_mandir}/man8/pppd-radius.8* +%{_mandir}/man8/pppstats.8* +%{_mandir}/man8/pppoe-discovery.8* +%{_mandir}/man8/ppp-watch.8* +%{_libdir}/pppd +%ghost %dir %{_rundir}/ppp +%ghost %dir %{_rundir}/lock/ppp +%dir %{_sysconfdir}/logrotate.d +%attr(700, root, root) %dir %{_localstatedir}/log/ppp +%config(noreplace) %{_sysconfdir}/ppp/eaptls-client +%config(noreplace) %{_sysconfdir}/ppp/eaptls-server +%config(noreplace) %{_sysconfdir}/ppp/chap-secrets +%config(noreplace) %{_sysconfdir}/ppp/options +%config(noreplace) %{_sysconfdir}/ppp/pap-secrets %config(noreplace) %{_sysconfdir}/pam.d/ppp %config(noreplace) %{_sysconfdir}/logrotate.d/ppp +%{_tmpfilesdir}/ppp.conf +%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp 
+%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp %post %tmpfiles_create %{_tmpfilesdir}/%{name}.conf 
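Review bot: The rewritten `%files` list drops the `%attr(0600,root,daemon)` from `chap-secrets` and `pap-secrets` (and from `options`), and the new `eaptls-client`/`eaptls-server` entries carry no `%attr` either, so the mode of these files in the package is now whatever `make install-etcppp` produced in the buildroot rather than something the spec guarantees. The secrets files hold plaintext PAP/CHAP credentials; pin them, e.g. `%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ppp/chap-secrets` and the same for `pap-secrets`, so a change in the upstream install rule cannot make them readable by other users. If the former `daemon` group ownership is still needed by anything, keep that group in the `%attr` rather than dropping the attribute.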
@@ -170,125 +162,44 @@ Radius plugin for %{name}. #---------------------------------------------------------------------------- -%package dhcp -Summary: DHCP plugin for %{name} -Group: System/Servers -Requires: %{name} = %{EVRD} - -%description dhcp -DHCP plugin for %{name}. - -%files dhcp -%doc pppd/plugins/dhcp/README -%doc pppd/plugins/dhcp/AUTHORS -%doc pppd/plugins/dhcp/COPYING -%{_libdir}/pppd/%{version}/dhcpc.so - -#---------------------------------------------------------------------------- - %prep %setup -q -%patch0 -p1 -b .make -%patch1 -p1 -b .sample -%patch2 -p1 -b .options -%patch3 -p1 -b .pppdump-Makefile +%autopatch -p1 -# (gg) add noext-traffic option -%patch4 -p1 -b .noext - -%patch5 -p1 -b .libatm -%patch6 -p1 -b .pie -%patch7 -p1 -b .multipledefrt - -tar -xjf %{SOURCE2} -pushd pppd/plugins - tar -xjf %{SOURCE5} -popd - -%patch8 -p1 -b .dontwriteetc - -%patch9 -p1 -b .pic -%patch10 -p1 -b .etcppp -%patch11 -p1 -b .incsha1 -%patch12 -p1 -b .dhcp -%patch13 -p1 -b .nostrip -%patch14 -p1 -b .linux48 -%patch15 -p1 -%patch17 -p1 -%patch18 -p1 -patch -p1 < %{PATCH16} - -tar -xJf %{SOURCE112} - -chmod go+r scripts/* -find scripts -type f | xargs chmod a-x - -# lib64 fixes -perl -pi -e "s|^(LIBDIR.*)\\\$\(DESTDIR\)/lib|\1\\\$(INSTROOT)%{_libdir}|g" pppd/Makefile.linux pppd/plugins/Makefile.linux pppd/plugins/{pppoatm,radius,rp-pppoe,pppol2tp}/Makefile.linux -perl -pi -e "s|(--prefix=/usr)|\1 --libdir=%{_libdir}|g" pppd/plugins/radius/Makefile.linux -perl -pi -e "/_PATH_PLUGIN/ and s,(?:/usr/lib|DESTDIR (\")/lib),\$1%{_libdir}," pppd/pathnames.h -# enable the dhcp plugin -perl -p -i -e "s|^(PLUGINS :=)|SUBDIRS += dhcp\n\$1|g" pppd/plugins/Makefile.linux - -# fix /usr/local in scripts path -perl -pi -e "s|/usr/local/bin/pppd|%{_sbindir}/pppd|g; - s|/usr/local/bin/ssh|%{_bindir}/ssh|g; - s|/usr/local/bin/expect|%{_bindir}/expect|g" \ - scripts/ppp-on-rsh \ - scripts/ppp-on-ssh \ - scripts/secure-card - -%if %{with inet6} -perl -pi -e 
"s/#HAVE_INET6/HAVE_INET6/" pppd/Makefile.linux -%endif +tar -xJf %{SOURCE12} %build -perl -pi -e "s/openssl/openssl -DOPENSSL_NO_SHA1/;" openssl/crypto/sha/Makefile - -%configure -%make RPM_OPT_FLAGS="%{optflags}" LIBDIR=%{_libdir} -%make -C pppd/plugins -f Makefile.linux -%make -C ppp-watch %{?_smp_mflags} +%configure --cflags="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" +%make_build LDFLAGS="%{ldflags} -pie" +%make_build -C ppp-watch LDFLAGS="%{ldflags} -pie" %install -mkdir -p %{buildroot}{%{_sbindir},%{_bindir},/usr/X11R6/bin/,%{_mandir}/man8,%{_sysconfdir}/{ppp/peers,pam.d}} - -%makeinstall LIBDIR=%{buildroot}%{_libdir}/pppd/%{version}/ INSTALL=install -C pppd/plugins/dhcp -%makeinstall INSTROOT=%{buildroot} SUBDIRS="pppoatm rp-pppoe radius pppol2tp" -%makeinstall ROOT=%{buildroot} mandir=/usr/share/man -C ppp-watch install - -# (gg) Allow stripping -chmod u+w %{buildroot}%{_sbindir}/* - -chmod go+r scripts/* +make INSTROOT=%{buildroot} install install-etcppp +find scripts -type f | xargs chmod a-x +make ROOT=%{buildroot} -C ppp-watch install +# create log files dir +install -d %{buildroot}%{_localstatedir}/log/ppp +# install pam config +install -d %{buildroot}%{_sysconfdir}/pam.d install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/ppp -install -m 644 %{SOURCE3} %{_builddir}/%{name}-%{version}/ - -# (stew) fix permissions -chmod 0755 `find %{buildroot} -name "*\.so"` - -# Provide pointers for people who expect stuff in old places -touch %{buildroot}%{_var}/log/ppp/connect-errors -touch %{buildroot}%{_var}/run/ppp/resolv.conf -ln -s ../../var/log/ppp/connect-errors %{buildroot}%{_sysconfdir}/ppp/connect-errors -ln -s ../../var/run/ppp/resolv.conf %{buildroot}%{_sysconfdir}/ppp/resolv.conf - -# Logrotate script -mkdir -p %{buildroot}%{_sysconfdir}/logrotate.d -install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/logrotate.d/ppp - -# install tmpfiles conf -install -m644 -D %{SOURCE6} %{buildroot}%{_tmpfilesdir}/%{name}.conf - +# install logrotate 
script +install -d %{buildroot}%{_sysconfdir}/logrotate.d +install -m 644 -p %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/ppp +# install tmpfiles drop-in +install -d %{buildroot}%{_tmpfilesdir} +install -m 644 -p %{SOURCE3} %{buildroot}%{_tmpfilesdir}/ppp.conf # install scripts (previously owned by initscripts package) install -d %{buildroot}%{_sysconfdir}/ppp -install -p %{SOURCE104} %{buildroot}%{_sysconfdir}/ppp/ip-down -install -p %{SOURCE105} %{buildroot}%{_sysconfdir}/ppp/ip-down.ipv6to4 -install -p %{SOURCE106} %{buildroot}%{_sysconfdir}/ppp/ip-up -install -p %{SOURCE107} %{buildroot}%{_sysconfdir}/ppp/ip-up.ipv6to4 -install -p %{SOURCE108} %{buildroot}%{_sysconfdir}/ppp/ipv6-down -install -p %{SOURCE109} %{buildroot}%{_sysconfdir}/ppp/ipv6-up - +install -p %{SOURCE4} %{buildroot}%{_sysconfdir}/ppp/ip-down +install -p %{SOURCE5} %{buildroot}%{_sysconfdir}/ppp/ip-down.ipv6to4 +install -p %{SOURCE6} %{buildroot}%{_sysconfdir}/ppp/ip-up +install -p %{SOURCE7} %{buildroot}%{_sysconfdir}/ppp/ip-up.ipv6to4 +install -p %{SOURCE8} %{buildroot}%{_sysconfdir}/ppp/ipv6-down +install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/ppp/ipv6-up install -d %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ -install -p %{SOURCE110} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp -install -p %{SOURCE111} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp +install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp +install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp +# ghosts +mkdir -p %{buildroot}%{_rundir}/ppp +mkdir -p %{buildroot}%{_rundir}/lock/ppp + From b5f85a09ff17d9538a11d6d7ab07828156afd3da Mon Sep 17 00:00:00 2001 From: Victor Ryzhikh Date: Fri, 8 Jan 2021 04:32:05 +0000 Subject: [PATCH 10/12] 2.4.9 --- ppp.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ppp.spec b/ppp.spec index a962251..d9388a6 100644 --- a/ppp.spec +++ b/ppp.spec 
@@ -50,6 +50,8 @@ BuildRequires: glib2-devel
 Requires(post): systemd
 Requires: glibc >= 2.0.6
 Requires: initscripts >= 9.54
+Conflicts: %{name} < 1:2.4.9
+Obsoletes: %{name} < 1:2.4.9
 
 %description
 The ppp package contains the PPP (Point-to-Point Protocol) daemon
From b09daaa63fb817a2cc187f576216fcc922251962 Mon Sep 17 00:00:00 2001
From: Victor Ryzhikh
Date: Fri, 8 Jan 2021 04:48:25 +0000
Subject: [PATCH 11/12] 2.4.9
---
 ppp.spec | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ppp.spec b/ppp.spec
index d9388a6..d820a03 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -50,8 +50,8 @@ BuildRequires: glib2-devel
 Requires(post): systemd
 Requires: glibc >= 2.0.6
 Requires: initscripts >= 9.54
-Conflicts: %{name} < 1:2.4.9
-Obsoletes: %{name} < 1:2.4.9
+Conflicts: %{name} < 2.4.9
+Obsoletes: %{name} < 2.4.9
 
 %description
 The ppp package contains the PPP (Point-to-Point Protocol) daemon
From 9d8359f1d2ce22056799dc450facea4eab1917df Mon Sep 17 00:00:00 2001
From: Victor Ryzhikh
Date: Fri, 8 Jan 2021 04:56:20 +0000
Subject: [PATCH 12/12] 2.4.9
---
 ppp.spec | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/ppp.spec b/ppp.spec
index d820a03..fa057ce 100644
--- a/ppp.spec
+++ b/ppp.spec
@@ -52,6 +52,8 @@ Requires: glibc >= 2.0.6
 Requires: initscripts >= 9.54
 Conflicts: %{name} < 2.4.9
 Obsoletes: %{name} < 2.4.9
+Conflicts: %{name}-dhcp < 2.4.9
+Obsoletes: %{name}-dhcp < 2.4.9
 
 %description
 The ppp package contains the PPP (Point-to-Point Protocol) daemon