authorMichael Olbrich <m.olbrich@pengutronix.de>2019-09-25 16:52:41 +0200
committerMichael Olbrich <m.olbrich@pengutronix.de>2019-09-28 14:17:45 +0200
commitd859b8c420a2dfc8d2b7f32ba544b3baf77e3b1e (patch)
tree340836b48c231e2e8eb3fe818a738c4b75bcb6b7 /patches
parent110deecea312fadc287d0d6984d8c5a19d12cce6 (diff)
ppp: reimport latest patches from Debian
This adds several upstream patches that were added to the Debian patch stack. One of the new patches replaces the local crypto functions with calls to openssl. This means that openssl is always needed. Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
Diffstat (limited to 'patches')
-rw-r--r--patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch48
-rw-r--r--patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch29
-rw-r--r--patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch30
-rw-r--r--patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch33
-rw-r--r--patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch36
-rw-r--r--patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch30
-rw-r--r--patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch30
-rw-r--r--patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch33
-rw-r--r--patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch24
-rw-r--r--patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch24
-rw-r--r--patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch33
-rw-r--r--patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch (renamed from patches/ppp-2.4.7/0020-allow-use-of-arbitrary-interface-names.patch)46
-rw-r--r--patches/ppp-2.4.7/0012-scripts_redialer.patch162
-rw-r--r--patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch25
-rw-r--r--patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch52
-rw-r--r--patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch49
-rw-r--r--patches/ppp-2.4.7/0016-adaptive_echos.patch (renamed from patches/ppp-2.4.7/0001-adaptive_echos.patch)9
-rw-r--r--patches/ppp-2.4.7/0017-Makefiles-cleanup.patch (renamed from patches/ppp-2.4.7/0002-Makefiles-cleanup.patch)13
-rw-r--r--patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch (renamed from patches/ppp-2.4.7/0003-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch)10
-rw-r--r--patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch (renamed from patches/ppp-2.4.7/0004-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch)10
-rw-r--r--patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch (renamed from patches/ppp-2.4.7/0005-support-building-pppdump-with-the-system-zlib.patch)7
-rw-r--r--patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch (renamed from patches/ppp-2.4.7/0006-disable-unneeded-code-in-the-pppoatm-plugin.patch)10
-rw-r--r--patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch (renamed from patches/ppp-2.4.7/0007-cosmetic-cleanup-of-the-pppoatm-plugin.patch)9
-rw-r--r--patches/ppp-2.4.7/0022-scripts-README.patch30
-rw-r--r--patches/ppp-2.4.7/0023-no_crypt_hack.patch61
-rw-r--r--patches/ppp-2.4.7/0023-pppoe_noads.patch (renamed from patches/ppp-2.4.7/0008-pppoe_noads.patch)11
-rw-r--r--patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch (renamed from patches/ppp-2.4.7/0009-make-_PATH_CONNERRS-world-readable.patch)13
-rw-r--r--patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch (renamed from patches/ppp-2.4.7/0010-Correct-unkown-unknown-typo.patch)11
-rw-r--r--patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch (renamed from patches/ppp-2.4.7/0011-pppoe-custom-host-uniq-tag.patch)22
-rw-r--r--patches/ppp-2.4.7/0026-secure-card-interpreter-fix.patch26
-rw-r--r--patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch (renamed from patches/ppp-2.4.7/0013-Add-replacedefaultroute-option.patch)25
-rw-r--r--patches/ppp-2.4.7/0028-Add-a-SONAME-to-the-pppd-binary.patch38
-rw-r--r--patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch (renamed from patches/ppp-2.4.7/0014-ppp-2.3.11-oedod.patch)13
-rw-r--r--patches/ppp-2.4.7/0029-Fix-FTBFS-in-rp-pppoe.patch36
-rw-r--r--patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch (renamed from patches/ppp-2.4.7/0015-add-support-for-the-Framed-MTU-Radius-attribute.patch)20
-rw-r--r--patches/ppp-2.4.7/0030-018_ip-up_option.patch (renamed from patches/ppp-2.4.7/0016-ip-up_option.patch)25
-rw-r--r--patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch (renamed from patches/ppp-2.4.7/0017-ppp-2.4.2-stripMSdomain.patch)7
-rw-r--r--patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch (renamed from patches/ppp-2.4.7/0018-export-CALL_FILE-to-the-link-scripts.patch)15
-rw-r--r--patches/ppp-2.4.7/0033-ipv6-accept-remote.patch (renamed from patches/ppp-2.4.7/0019-ipv6-accept-remote.patch)9
-rw-r--r--patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch (renamed from patches/ppp-2.4.7/0021-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch)9
-rw-r--r--patches/ppp-2.4.7/0035-resolv.conf_no_log.patch (renamed from patches/ppp-2.4.7/0024-resolv.conf_no_log.patch)7
-rw-r--r--patches/ppp-2.4.7/0036-Debian-specific-changes.patch (renamed from patches/ppp-2.4.7/0025-Debian-specific-changes.patch)11
-rw-r--r--patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch (renamed from patches/ppp-2.4.7/0027-Fix-buffer-overflow-in-rc_mksid.patch)22
-rw-r--r--patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch3383
-rw-r--r--patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch1246
-rw-r--r--patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch (renamed from patches/ppp-2.4.7/0030-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch)10
-rw-r--r--patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch36
-rw-r--r--patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch8
-rw-r--r--patches/ppp-2.4.7/series72
49 files changed, 5401 insertions, 517 deletions
diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
new file mode 100644
index 000000000..c6a76ce65
--- /dev/null
+++ b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
@@ -0,0 +1,48 @@
+From: Martin von Gagern <Martin.vGagern@gmx.net>
+Date: Sat, 9 Aug 2014 22:44:45 -0400
+Subject: [PATCH] abort on errors in subdir builds
+
+The current recursive loops do not check the exit status of make
+in subdirs which leads to `make` passing even when a subdir failed
+to compile or install.
+
+URL: https://bugs.gentoo.org/334727
+Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net>
+Signed-off-by: Mike Frysinger <vapier@gentoo.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/plugins/Makefile.linux | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index ab8cf50d9472..8a90e393a057 100644
+--- a/pppd/plugins/Makefile.linux
++++ b/pppd/plugins/Makefile.linux
+@@ -27,7 +27,7 @@ include .depend
+ endif
+
+ all: $(PLUGINS)
+- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
++ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
+
+ %.so: %.c
+ $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
+@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
+ install: $(PLUGINS)
+ $(INSTALL) -d $(LIBDIR)
+ $(INSTALL) $? $(LIBDIR)
+- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done
++ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done
+
+ clean:
+ rm -f *.o *.so *.a
+- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done
++ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
+
+ depend:
+ $(CPP) -M $(CFLAGS) *.c >.depend
+- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done
++ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done
diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
new file mode 100644
index 000000000..dc24c228e
--- /dev/null
+++ b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
@@ -0,0 +1,29 @@
+From: radaiming <radaiming@gmail.com>
+Date: Sat, 13 Dec 2014 14:42:34 +0800
+Subject: [PATCH] scripts: Avoid killing wrong pppd
+
+ poff could kill other pppd processes when there are many pppd
+ running on different serial port.
+
+ Signed-off-by: Ming Dai <radaiming@gmail.com>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ scripts/poff | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/poff b/scripts/poff
+index 3f55a7f40010..5b45d98a2b6a 100644
+--- a/scripts/poff
++++ b/scripts/poff
+@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then
+ fi
+
+ # There is an argument, so kill the pppd started on that provider.
+-PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'`
++PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'`
+ if test -n "$PID" ; then
+ $KILL -$SIG $PID || {
+ echo "$0: $KILL failed. None ${DONE}."
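Review bot: The added `grep -w "$1"` still treats the provider name as a basic regular expression (as does the `$1` already interpolated into the first pattern), so a name containing `.` or `*` can match other pppd command lines, and a name beginning with `-` is parsed as a grep option. Use `grep -w -- "$1"` at minimum, or `grep -Fw -- "$1"` for a literal whole-word match. Note that `$KILL -$SIG $PID` on the following lines receives every matched PID at once, so one false match still kills an unrelated pppd; this change narrows that risk rather than removing it. The rest of the poff script lies outside the hunk.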
diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
new file mode 100644
index 000000000..2bd23b921
--- /dev/null
+++ b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
@@ -0,0 +1,30 @@
+From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
+Date: Fri, 19 Dec 2014 17:52:58 -0700
+Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal
+
+print_string() displays characters as \\%.03o but without first
+casting it from "char" to "unsigned char" so it gets sign-extended
+to an int. This causes output like \37777777630 instead of \230.
+
+Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/utils.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/utils.c b/pppd/utils.c
+index 29bf970905d5..3ac1b60926d2 100644
+--- a/pppd/utils.c
++++ b/pppd/utils.c
+@@ -625,7 +625,7 @@ print_string(p, len, printer, arg)
+ printer(arg, "\\t");
+ break;
+ default:
+- printer(arg, "\\%.3o", c);
++ printer(arg, "\\%.3o", (unsigned char) c);
+ }
+ }
+ }
diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
new file mode 100644
index 000000000..6d4bd5c10
--- /dev/null
+++ b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
@@ -0,0 +1,33 @@
+From: Simon Farnsworth <simon@farnz.org.uk>
+Date: Sun, 1 Mar 2015 11:49:06 +0000
+Subject: [PATCH] Suppress false error message on PPPoE disconnect
+
+Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered
+disconnect will result in EALREADY when pppd tries to clear the session ID.
+
+Simply ignore the error if, and only if, the error is EALREADY
+
+[1] https://patchwork.ozlabs.org/patch/444717/
+
+Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/plugins/rp-pppoe/plugin.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
+index a8c2bb4f4a6a..da50cdf2b9d3 100644
+--- a/pppd/plugins/rp-pppoe/plugin.c
++++ b/pppd/plugins/rp-pppoe/plugin.c
+@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void)
+ memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ);
+ memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN);
+ if (connect(conn->sessionSocket, (struct sockaddr *) &sp,
+- sizeof(struct sockaddr_pppox)) < 0)
++ sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
+ error("Failed to disconnect PPPoE socket: %d %m", errno);
+ close(conn->sessionSocket);
+ /* don't send PADT?? */
diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
new file mode 100644
index 000000000..28efdfc71
--- /dev/null
+++ b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
@@ -0,0 +1,36 @@
+From: Simon Farnsworth <simon@farnz.org.uk>
+Date: Sun, 1 Mar 2015 11:53:58 +0000
+Subject: [PATCH] Send PADT on PPPoE disconnect
+
+Once we've terminated the PPP session, there is no chance of a PPP layer
+disconnect. Some PPPoE relays don't detect the PPP session going down, and
+depend on a long timeout or a PPPoE PADT to terminate the session.
+
+Send a PADT on disconnect to work around these buggy relays.
+
+Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/plugins/rp-pppoe/plugin.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
+index da50cdf2b9d3..c89be94250bc 100644
+--- a/pppd/plugins/rp-pppoe/plugin.c
++++ b/pppd/plugins/rp-pppoe/plugin.c
+@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void)
+ sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
+ error("Failed to disconnect PPPoE socket: %d %m", errno);
+ close(conn->sessionSocket);
+- /* don't send PADT?? */
+- if (conn->discoverySocket >= 0)
++ if (conn->discoverySocket >= 0) {
++ sendPADT(conn, NULL);
+ close(conn->discoverySocket);
++ }
+ }
+
+ static void
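Review bot: `sendPADT(conn, NULL)` is now called whenever the discovery socket is open, including on a teardown where the PPPoE session was never established; unless sendPADT itself refuses to send when conn->session is zero (not visible in this hunk), that emits a PADT carrying session ID 0, which is meaningless to the access concentrator. Guarding the call, `if (conn->session) sendPADT(conn, NULL);`, makes the intent explicit regardless of what the helper does. The start of PPPOEDisconnectDevice is outside the hunk.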
diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
new file mode 100644
index 000000000..7d98127c2
--- /dev/null
+++ b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
@@ -0,0 +1,30 @@
+From: Paul Mackerras <paulus@samba.org>
+Date: Fri, 14 Aug 2015 17:56:26 +1000
+Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name
+
+This fixes an if condition to prevent a possible 1-byte overrun
+on ipxcp_hisoptions[0].name.
+
+Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com>
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/ipxcp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c
+index 7b2343e15537..aaff10f76200 100644
+--- a/pppd/ipxcp.c
++++ b/pppd/ipxcp.c
+@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree)
+ case IPX_ROUTER_NAME:
+ if (cilen >= CILEN_NAME) {
+ int name_size = cilen - CILEN_NAME;
+- if (name_size > sizeof (ho->name))
++ if (name_size >= sizeof (ho->name))
+ name_size = sizeof (ho->name) - 1;
+ memset (ho->name, 0, sizeof (ho->name));
+ memcpy (ho->name, p, name_size);
diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
new file mode 100644
index 000000000..475edae24
--- /dev/null
+++ b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
@@ -0,0 +1,30 @@
+From: Sylvain Rochet <gradator@gradator.net>
+Date: Wed, 25 Mar 2015 00:25:18 +0100
+Subject: [PATCH] pppd: Fix ccp_options.mppe type
+
+This corrects the type of ccp_options.mppe; it is actually a bitfield of
+MPPE_OPT_* and not a boolean.
+
+Signed-off-by: Sylvain Rochet <gradator@gradator.net>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/ccp.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/ccp.h b/pppd/ccp.h
+index 6f4a2fee0a2c..76446db007c0 100644
+--- a/pppd/ccp.h
++++ b/pppd/ccp.h
+@@ -37,7 +37,7 @@ typedef struct ccp_options {
+ bool predictor_2; /* do Predictor-2? */
+ bool deflate_correct; /* use correct code for deflate? */
+ bool deflate_draft; /* use draft RFC code for deflate? */
+- bool mppe; /* do MPPE? */
++ u_char mppe; /* MPPE bitfield */
+ u_short bsd_bits; /* # bits/code for BSD Compress */
+ u_short deflate_size; /* lg(window size) for Deflate */
+ short method; /* code for chosen compression method */
diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
new file mode 100644
index 000000000..d73b4de32
--- /dev/null
+++ b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
@@ -0,0 +1,33 @@
+From: Sylvain Rochet <gradator@gradator.net>
+Date: Tue, 24 Mar 2015 21:21:40 +0100
+Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct
+ and deflate_draft are enabled
+
+This fixes a bug where ccp_cilen() will return 4 bytes less than
+necessary for the addci buffer if both deflate_correct and
+deflate_draft are enabled.
+
+Signed-off-by: Sylvain Rochet <gradator@gradator.net>
+Signed-off-by: Paul Mackerras <paulus@samba.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/ccp.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/pppd/ccp.c b/pppd/ccp.c
+index 5814f358eb44..7d7922afcfc0 100644
+--- a/pppd/ccp.c
++++ b/pppd/ccp.c
+@@ -676,7 +676,8 @@ ccp_cilen(f)
+ ccp_options *go = &ccp_gotoptions[f->unit];
+
+ return (go->bsd_compress? CILEN_BSD_COMPRESS: 0)
+- + (go->deflate? CILEN_DEFLATE: 0)
++ + (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0)
++ + (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0)
+ + (go->predictor_1? CILEN_PREDICTOR_1: 0)
+ + (go->predictor_2? CILEN_PREDICTOR_2: 0)
+ + (go->mppe? CILEN_MPPE: 0);
diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
new file mode 100644
index 000000000..39af8cf33
--- /dev/null
+++ b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
@@ -0,0 +1,24 @@
+From: YASUOKA Masahiko <yasuoka@yasuoka.net>
+Date: Wed, 16 Mar 2016 13:39:19 +0900
+Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya.
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/fsm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/fsm.c b/pppd/fsm.c
+index c200cc3a8438..e9bd34f0e8f4 100644
+--- a/pppd/fsm.c
++++ b/pppd/fsm.c
+@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len)
+ f->nakloops = 0;
+
+ } else {
+- /* we sent CONFACK or CONFREJ */
++ /* we sent CONFNAK or CONFREJ */
+ if (f->state != ACKRCVD)
+ f->state = REQSENT;
+ if( code == CONFNAK )
diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
new file mode 100644
index 000000000..c9d56cdbb
--- /dev/null
+++ b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
@@ -0,0 +1,24 @@
+From: Dmitry Deshevoy <mityada@gmail.com>
+Date: Thu, 31 Mar 2016 23:39:32 +0400
+Subject: [PATCH] plog: count only relevant lines from syslog
+
+Closes paulusmack/ppp#42
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ scripts/plog | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/scripts/plog b/scripts/plog
+index 84d2c7340cc6..7cb53346413d 100644
+--- a/scripts/plog
++++ b/scripts/plog
+@@ -3,5 +3,5 @@
+ if [ -s /var/log/ppp.log ]; then
+ exec tail "$@" /var/log/ppp.log
+ else
+- exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\['
++ exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@"
+ fi
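Review bot: `exec` now sits on the left side of a pipeline, where it only replaces the subshell running grep; the script itself stays alive to wait for tail, unlike the `ppp.log` branch above where exec really replaces the process. Either drop it, `grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@"`, or move the exec to the final stage so both branches behave alike. The reordering itself is correct: filtering before tail makes the requested line count apply to matching lines only.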
diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
new file mode 100644
index 000000000..ed313eeaa
--- /dev/null
+++ b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
@@ -0,0 +1,33 @@
+From: Stefan Nickl <Stefan.Nickl@gmail.com>
+Date: Wed, 10 Aug 2016 21:32:21 +0200
+Subject: [PATCH] Change include from sys/errno.h to errno.h
+
+According to POSIX, the canonical location for errno.h is on the top level.
+
+Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/sys-linux.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
+index e5e9baf8821f..908aa4f22297 100644
+--- a/pppd/sys-linux.c
++++ b/pppd/sys-linux.c
+@@ -73,12 +73,12 @@
+ #include <sys/types.h>
+ #include <sys/socket.h>
+ #include <sys/time.h>
+-#include <sys/errno.h>
+ #include <sys/file.h>
+ #include <sys/stat.h>
+ #include <sys/utsname.h>
+ #include <sys/sysmacros.h>
+
++#include <errno.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <syslog.h>
diff --git a/patches/ppp-2.4.7/0020-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
index 3fb234038..26d56de1d 100644
--- a/patches/ppp-2.4.7/0020-allow-use-of-arbitrary-interface-names.patch
+++ b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
@@ -1,22 +1,26 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:25:19 +0200
-Subject: [PATCH] allow use of arbitrary interface names
+From: Paul Mackerras <paulus@samba.org>
+Date: Tue, 23 Aug 2016 16:10:21 +1000
+Subject: [PATCH] pppd: allow use of arbitrary interface names
This is a modified version of a patch from openSUSE that enables PPP interfaces
to be called arbitrary names, rather than simply pppX where X is the unit
number.
The modifications from the stock openSUSE patch are:
-- refresh patch on top of 018_ip-up_option.diff
+ refresh patch on top of 018_ip up_option.diff
- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
- clarify the pppd.8 manpage additions
- patch pppstats/pppstats.c to query renamed interfaces without complaint
-Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-ifname.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a
+Origin: SUSE
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
-Last-Update: 2014-01-12
+Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/main.c | 16 ++++++----------
pppd/options.c | 5 +++++
@@ -27,7 +31,7 @@ Last-Update: 2014-01-12
6 files changed, 50 insertions(+), 17 deletions(-)
diff --git a/pppd/main.c b/pppd/main.c
-index 59aad6f3854f..3871aa2b3a5e 100644
+index 6d50d1bac1d9..f1986ed68d0b 100644
--- a/pppd/main.c
+++ b/pppd/main.c
@@ -124,7 +124,7 @@
@@ -53,7 +57,7 @@ index 59aad6f3854f..3871aa2b3a5e 100644
int
main(argc, argv)
int argc;
-@@ -740,8 +733,11 @@ void
+@@ -737,8 +730,11 @@ void
set_ifunit(iskey)
int iskey;
{
@@ -68,18 +72,18 @@ index 59aad6f3854f..3871aa2b3a5e 100644
if (iskey) {
create_pidfile(getpid()); /* write pid to file */
diff --git a/pppd/options.c b/pppd/options.c
-index 2de65f9aa8d5..340797386dd6 100644
+index f66b7657bc31..91da515ac533 100644
--- a/pppd/options.c
+++ b/pppd/options.c
-@@ -116,6 +116,7 @@ int connect_delay = 1000; /* wait this many ms after connect script */
+@@ -114,6 +114,7 @@ char linkname[MAXPATHLEN]; /* logical name for link */
+ bool tune_kernel; /* may alter kernel settings */
+ int connect_delay = 1000; /* wait this many ms after connect script */
int req_unit = -1; /* requested interface unit */
- char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
- char path_ipdown[MAXPATHLEN];/* pathname of ip-down script */
+char req_ifname[MAXIFNAMELEN]; /* requested interface name */
bool multilink = 0; /* Enable multilink operation */
char *bundle_name = NULL; /* bundle name for multilink */
bool dump_options; /* print out option values */
-@@ -285,6 +286,10 @@ option_t general_options[] = {
+@@ -283,6 +284,10 @@ option_t general_options[] = {
"PPP interface unit number to use if possible",
OPT_PRIO | OPT_LLIMIT, 0, 0 },
@@ -91,10 +95,10 @@ index 2de65f9aa8d5..340797386dd6 100644
"Print out option values after parsing all options", 1 },
{ "dryrun", o_bool, &dryrun,
diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index f226392c0280..65bbe721f761 100644
+index e2768b135273..64659cf867b2 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
-@@ -1093,7 +1093,13 @@ under Linux and FreeBSD 2.2.8 and later.
+@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later.
.TP
.B unit \fInum
Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
@@ -110,7 +114,7 @@ index f226392c0280..65bbe721f761 100644
.B unset \fIname
Remove a variable from the environment variable for scripts that are
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 2be649adf582..b11670586244 100644
+index 247fa153739b..1a1bf0b99582 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
@@ -80,6 +80,16 @@
@@ -130,19 +134,19 @@ index 2be649adf582..b11670586244 100644
/*
* Option descriptor structure.
-@@ -320,6 +330,7 @@ extern int max_data_rate; /* max bytes/sec through charshunt */
+@@ -318,6 +328,7 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */
+ extern int connect_delay; /* Time to delay after connect script */
+ extern int max_data_rate; /* max bytes/sec through charshunt */
extern int req_unit; /* interface unit number to use */
- extern char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
- extern char path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */
+extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */
extern bool multilink; /* enable multilink operation */
extern bool noendpoint; /* don't send or accept endpt. discrim. */
extern char *bundle_name; /* bundle name for multilink */
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 86cde57664af..878f83bdfe3b 100644
+index 908aa4f22297..9b2f293024ac 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
-@@ -650,6 +650,21 @@ static int make_ppp_unit()
+@@ -641,6 +641,21 @@ static int make_ppp_unit()
}
if (x < 0)
error("Couldn't create new ppp unit: %m");
diff --git a/patches/ppp-2.4.7/0012-scripts_redialer.patch b/patches/ppp-2.4.7/0012-scripts_redialer.patch
deleted file mode 100644
index 19b963bae..000000000
--- a/patches/ppp-2.4.7/0012-scripts_redialer.patch
+++ /dev/null
@@ -1,162 +0,0 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:14:10 +0200
-Subject: [PATCH] scripts_redialer
-
----
- scripts/redialer | 133 ++++++++++++++++++++++---------------------------------
- 1 file changed, 53 insertions(+), 80 deletions(-)
-
-diff --git a/scripts/redialer b/scripts/redialer
-index 5bbde4e9da4e..c0b748ad0e53 100755
---- a/scripts/redialer
-+++ b/scripts/redialer
-@@ -1,96 +1,69 @@
- #!/bin/sh
--###################################################################
- #
--# These parameters control the attack dialing sequence.
-+# A chatscript that will attempt to dial multiple numbers in sequence, until
-+# you get connected.
- #
--# Maximum number of attempts to reach the telephone number(s)
--MAX_ATTEMPTS=10
--
--# Delay between each of the attempts. This is a parameter to sleep
--# so use "15s" for 15 seconds, "1m" for 1 minute, etc.
--SLEEP_DELAY=15s
--
--###################################################################
-+# To use: edit /etc/peers/provider, and change the connect line to read:
-+# connect "/usr/local/bin/redialer"
- #
--# This is a list of telephone numbers. Add new numbers if you wish
--# and see the function 'callall' below for the dial process.
--PHONE1=555-1212
--PHONE2=411
-+# See below for configuration.
-
--###################################################################
-+# This is a list of chatscripts to use to get connected, and (optional)
-+# telephone numbers to call for each of those chatscripts.
- #
--# If you use the ppp-on script, then these are passed to this routine
--# automatically. There is no need to define them here. If not, then
--# you will need to set the values.
--#
--ACCOUNT=my_account_name
--PASSWORD=my_password
-+# Note that in the chatscripts, you may use #NUMBER#, this will be replaced
-+# with the number it is calling. You might want to use this to only have one
-+# chatscript that is used for all numbers, or you might need multiple
-+# chatscripts.
-
--###################################################################
--#
--# Function to initialize the modem and ensure that it is in command
--# state. This may not be needed, but it doesn't hurt.
--#
--function initialize
--{
-- chat -v TIMEOUT 3 '' AT 'OK-+++\c-OK'
-- return
--}
-+PHONE1=123456789
-+CHAT1=/etc/chatscripts/provider
-
--###################################################################
--#
--# Script to dial a telephone
--#
--function callnumber
--{
--chat -v \
-- ABORT '\nBUSY\r' \
-- ABORT '\nNO ANSWER\r' \
-- ABORT '\nRINGING\r\n\r\nRINGING\r' \
-- '' ATDT$1 \
-- CONNECT '' \
-- ogin:--ogin: $ACCOUNT \
-- assword: $PASSWORD
--#
--# If the connection was successful then end the whole script with a
--# success.
--#
-- if [ "$?" = "0" ]; then
-- exit 0
-- fi
-+PHONE2=912345678
-+CHAT2=/etc/chatscripts/provider
-
-- return
--}
-+PHONE3=891234567
-+CHAT3=/etc/chatscripts/provider
-
--###################################################################
--#
--# Script to dial any telephone number
--#
--function callall
--{
--# echo "dialing attempt number: $1" >/dev/console
-- callnumber $PHONE1
--# callnumber $PHONE2
--}
-+PHONE4=789123456
-+CHAT4=/etc/chatscripts/provider
-
--###################################################################
--#
--# Initialize the modem to ensure that it is in the command state
--#
--initialize
--if [ ! "$?" = "0" ]; then
-- exit 1
--fi
-+PHONE5=001234567
-+CHAT5=/etc/chatscripts/provider
-
-+# How long to sleep between retries:
- #
--# Dial telephone numbers until one answers
--#
-+# Note that this is a parameter to sleep so use "15s" for 15 seconds,
-+# "1m" for 1 minute, etc
-+SLEEP_DELAY=1s
-+
-+# The code below does the dialing.
-+
- attempt=0
- while : ; do
-- attempt=`expr $attempt + 1`
-- callall $attempt
-- if [ "$attempt" = "$MAX_ATTEMPTS" ]; then
-- exit 1
-- fi
-- sleep "$SLEEP_DELAY"
-+ attempt=`expr $attempt + 1`
-+ NUMBER=`eval echo '$PHONE'$attempt`
-+ CHAT=`eval echo '$CHAT'$attempt`
-+ if [ ! "$CHAT" ]; then
-+ attempt=0
-+ else
-+ logger "Dialing attempt number: $attempt"
-+ sed s/#NUMBER#/$NUMBER/ $CHAT >/etc/chatscripts/tmpchat
-+ /usr/sbin/chat -v -f /etc/chatscripts/tmpchat
-+ rm -f /etc/chatscripts/tmpchat
-+ case $? in
-+ 0) logger Connection established ; exit 0;;
-+ 1) logger chat: exit 1, see manpage for details. ; exit 1;;
-+ 2) logger chat: exit 2, see manpage for details. ; exit 2;;
-+ 3) logger chat: exit 3, see manpage for details. ;;
-+ 4) logger Line busy. ;;
-+ 5) logger No Carrier. ;;
-+ 6) logger A call is coming. Exiting! ; exit 1;;
-+ 7) logger No dialtone. ;;
-+ 8) logger An error occured. Exiting! ; exit 1;;
-+ *) logger chat: exit $?, see manpage for details. ;;
-+ esac
-+ logger "Waiting $SLEEP_DELAY seconds before next try."
-+ sleep $SLEEP_DELAY
-+ fi
- done
diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
new file mode 100644
index 000000000..2199e7f7d
--- /dev/null
+++ b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
@@ -0,0 +1,25 @@
+From: George Burgess IV <george@gbiv.net>
+Date: Fri, 9 Sep 2016 17:36:54 -0700
+Subject: [PATCH] pppd: Remove unused declaration of ttyname.
+
+Signed-off-by: George Burgess IV <george@gbiv.net>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/main.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/pppd/main.c b/pppd/main.c
+index f1986ed68d0b..76b67d2485b7 100644
+--- a/pppd/main.c
++++ b/pppd/main.c
+@@ -257,7 +257,6 @@ static void cleanup_db __P((void));
+ static void handle_events __P((void));
+ void print_link_stats __P((void));
+
+-extern char *ttyname __P((int));
+ extern char *getlogin __P((void));
+ int main __P((int, char *[]));
+
diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
new file mode 100644
index 000000000..39fc3d4f6
--- /dev/null
+++ b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
@@ -0,0 +1,52 @@
+From: Stefan Nickl <Stefan.Nickl@gmail.com>
+Date: Wed, 10 Aug 2016 16:52:12 +0200
+Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery
+
+The pppoe-discovery program calls error() from the CHECK_ROOM macro
+defined in pppoe.h. Since pppoe-discovery is a standalone program not
+linked with the rest of pppd, the only way this could build is by
+linking to glibc's proprietary error(3) function instead of the function
+of the same name (but with different arguments) defined in pppd/utils.c.
+
+So with glibc this builds, but will probably crash when the assertion is
+triggered. As the assertion is unlikely to fail, nobody has noticed.
+
+The build however fails with musl libc or uClibc since they don't
+provide the doppelganger.
+
+Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
+index 3d3bf4eecc81..55037dffb023 100644
+--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
++++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
+@@ -9,6 +9,7 @@
+ *
+ */
+
++#include <stdarg.h>
+ #include <stdio.h>
+ #include <stdlib.h>
+ #include <unistd.h>
+@@ -55,6 +56,14 @@ void die(int status)
+ exit(status);
+ }
+
++void error(char *fmt, ...)
++{
++ va_list pvar;
++ va_start(pvar, fmt);
++ vfprintf(stderr, fmt, pvar);
++ va_end(pvar);
++}
++
+ /* Initialize frame types to RFC 2516 values. Some broken peers apparently
+ use different frame types... sigh... */
+
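Review bot: The new `error()` added to pppoe-discovery.c forwards `fmt` straight to vfprintf() without a format attribute, so the compiler cannot check the arguments callers pass through CHECK_ROOM; give the definition `__attribute__((format(printf, 1, 2)))` so mismatched format strings are diagnosed at build time. The patch description notes that pppd's own error() in utils.c takes different arguments, and whether that version appends a newline or flushes is not visible here — if it does, messages from this replacement lose their line break unless every fmt already ends in `\n`, which is worth confirming against the CHECK_ROOM callers. On glibc this definition also conflicts with the `void error(int, int, const char *, ...)` prototype from `<error.h>` should that header ever be included, so a comment above the function such as `/* Local stand-in for pppd's error(); not glibc's error(3) — keep <error.h> out of this file. */` would save the next maintainer a confusing build failure.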
diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
new file mode 100644
index 000000000..b24e5ef58
--- /dev/null
+++ b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
@@ -0,0 +1,49 @@
+From: Lubomir Rintel <lkundrak@v3.sk>
+Date: Mon, 9 Jan 2017 13:34:23 +0000
+Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
+
+This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
+included before <linux/in.h> otherwise the earlier, unaware of the latter,
+tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
+alone anymore, since it pulls the headers in the wrong order, so we better
+include <netinet/in.h> early.
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/plugins/rp-pppoe/pppoe.h | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
+index 9ab2eee3914c..c4aaa6e68856 100644
+--- a/pppd/plugins/rp-pppoe/pppoe.h
++++ b/pppd/plugins/rp-pppoe/pppoe.h
+@@ -47,6 +47,10 @@
+ #include <sys/socket.h>
+ #endif
+
++/* This has to be included before Linux 4.8's linux/in.h
++ * gets dragged in. */
++#include <netinet/in.h>
++
+ /* Ugly header files on some Linux boxes... */
+ #if defined(HAVE_LINUX_IF_H)
+ #include <linux/if.h>
+@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t;
+ #include <linux/if_ether.h>
+ #endif
+
+-#include <netinet/in.h>
+-
+ #ifdef HAVE_NETINET_IF_ETHER_H
+ #include <sys/types.h>
+
+@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t;
+ #endif
+
+
+-
+ /* Ethernet frame types according to RFC 2516 */
+ #define ETH_PPPOE_DISCOVERY 0x8863
+ #define ETH_PPPOE_SESSION 0x8864
diff --git a/patches/ppp-2.4.7/0001-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch
index 63b67d87e..c0f222824 100644
--- a/patches/ppp-2.4.7/0001-adaptive_echos.patch
+++ b/patches/ppp-2.4.7/0016-adaptive_echos.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Thu, 1 Jun 2017 16:18:34 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] adaptive_echos
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/lcp.c | 19 +++++++++++++++++++
pppd/pppd.8 | 5 +++++
@@ -52,7 +55,7 @@ index 8ed2778bfb67..c97a64b7774f 100644
* Make and send the echo request frame.
*/
diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index e2768b135273..b7fd0bdaab52 100644
+index 64659cf867b2..ec8bfd5c0617 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the
diff --git a/patches/ppp-2.4.7/0002-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
index 94871e177..ff9096f70 100644
--- a/patches/ppp-2.4.7/0002-Makefiles-cleanup.patch
+++ b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
@@ -1,11 +1,16 @@
-From: Marco d'Itri <md@linux.it>
-Date: Thu, 1 Jun 2017 16:19:36 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] Makefiles cleanup
Factor-out $COPTS and $LDOPTS to allow distributions to easily override
them. Properly use $LDFLAGS when linking and $CFLAGS when compiling.
Do not strip the installed binaries: this should be done by the
packaging system if required.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
chat/Makefile.linux | 5 +++--
pppd/Makefile.linux | 7 ++++---
@@ -84,7 +89,7 @@ index a74c914fd3ac..16b3ee879791 100644
srp-entry: srp-entry.c
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index ab8cf50d9472..732cc8b411d2 100644
+index 8a90e393a057..0f9d37d2953b 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
@@ -1,7 +1,7 @@
@@ -97,7 +102,7 @@ index ab8cf50d9472..732cc8b411d2 100644
DESTDIR = $(INSTROOT)@DESTDIR@
@@ -30,7 +30,7 @@ all: $(PLUGINS)
- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
%.so: %.c
- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
diff --git a/patches/ppp-2.4.7/0003-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
index 4c598ea63..41669d12a 100644
--- a/patches/ppp-2.4.7/0003-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
+++ b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
@@ -1,5 +1,5 @@
From: Simon Peter <dn.tlp@gmx.net>
-Date: Fri, 2 Jun 2017 11:03:30 +0200
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist
When using the kernel PPPoE driver, pppd never
@@ -14,12 +14,18 @@ the always instantly returning select() on the unclosed fds.
The problem also occurs with the upstream version, but does not occur
when a pty/tty device is used for the ppp connection.
+
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/sys-linux.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index e5e9baf8821f..f92174854207 100644
+index 9b2f293024ac..6d29dc8e8594 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd)
diff --git a/patches/ppp-2.4.7/0004-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
index cc65303ad..f785c75d8 100644
--- a/patches/ppp-2.4.7/0004-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
+++ b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
@@ -1,5 +1,5 @@
From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
-Date: Fri, 2 Jun 2017 11:08:21 +0200
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment
Package: ppp
@@ -24,15 +24,19 @@ call has now been removed which is why I'm seeing this problem.
[...]
--
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/main.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/pppd/main.c b/pppd/main.c
-index 6d50d1bac1d9..439fedced8ff 100644
+index 76b67d2485b7..8e31365f0c58 100644
--- a/pppd/main.c
+++ b/pppd/main.c
-@@ -770,8 +770,7 @@ detach()
+@@ -765,8 +765,7 @@ detach()
/* update pid files if they have been written already */
if (pidfilename[0])
create_pidfile(pid);
diff --git a/patches/ppp-2.4.7/0005-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
index ef5ef1e6d..ef8265d43 100644
--- a/patches/ppp-2.4.7/0005-support-building-pppdump-with-the-system-zlib.patch
+++ b/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:09:30 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] support building pppdump with the system zlib
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/patches/ppp-2.4.7/0006-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
index 55e262592..2fb9c5573 100644
--- a/patches/ppp-2.4.7/0006-disable-unneeded-code-in-the-pppoatm-plugin.patch
+++ b/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
@@ -1,5 +1,5 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:10:13 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] disable unneeded code in the pppoatm plugin
This patch halves the size of the PPPoA plugin by disabling features
@@ -10,6 +10,12 @@ It is especially useful for install images and embedded systems.
A next step could be removing text2qos.c, text2atm.c, misc.c and ans.c
and encourage users interested in the complete features to link the
plugin with the real libatm. I really doubt anybody cares, anyway.
+
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/pppoatm/Makefile.linux | 4 ++++
pppd/plugins/pppoatm/pppoatm.c | 4 ++++
diff --git a/patches/ppp-2.4.7/0007-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
index 551bb2dbb..ee22c74b6 100644
--- a/patches/ppp-2.4.7/0007-cosmetic-cleanup-of-the-pppoatm-plugin.patch
+++ b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
@@ -1,8 +1,13 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:10:33 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] cosmetic cleanup of the pppoatm plugin
Removed some debugging messages and generally cleaned up the source.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++----------
1 file changed, 13 insertions(+), 10 deletions(-)
diff --git a/patches/ppp-2.4.7/0022-scripts-README.patch b/patches/ppp-2.4.7/0022-scripts-README.patch
deleted file mode 100644
index f786cc81d..000000000
--- a/patches/ppp-2.4.7/0022-scripts-README.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:26:37 +0200
-Subject: [PATCH] scripts README
-
----
- scripts/README | 14 ++++++++++++++
- 1 file changed, 14 insertions(+)
-
-diff --git a/scripts/README b/scripts/README
-index 00e032ca6ad4..439c900d657a 100644
---- a/scripts/README
-+++ b/scripts/README
-@@ -141,3 +141,17 @@ option. In addition, all ASCII control characters [0x00 to 0x1f], plus 0xff,
- are escaped. This may need to be modified depending on the ssh (or
- pseudo-tty) implementation which may differ across platforms, for further
- optimizations.
-+
-+------------------------------------------------------------------------
-+
-+12. pon, poff and ip-up
-+
-+These are modified version of the pon/poff/ip-up scripts contributed by Yann
-+Dirson <dirson@debian.org>. They allow you to call "pon quick" respectively
-+"pon quick my-isp" to just call the provider for running you ip-up scripts in
-+/etc/ppp/ip-up.d. This can be useful to check for incoming/flush outgoing
-+mail, without the necessary delay before hangup introduced by diald or such.
-+
-+These scripts break the possibility to connect to multiple ISPs at once, so
-+they are included only here.
-+
diff --git a/patches/ppp-2.4.7/0023-no_crypt_hack.patch b/patches/ppp-2.4.7/0023-no_crypt_hack.patch
deleted file mode 100644
index 5e8d51bbf..000000000
--- a/patches/ppp-2.4.7/0023-no_crypt_hack.patch
+++ /dev/null
@@ -1,61 +0,0 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:27:15 +0200
-Subject: [PATCH] no_crypt_hack
-
-The udeb package does not have crypt(3). This patch makes
-authentication always fail, since it is not needed anyway for dialout.
----
- pppd/Makefile.linux | 4 ++++
- pppd/auth.c | 2 ++
- pppd/session.c | 2 ++
- 3 files changed, 8 insertions(+)
-
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 16b3ee879791..a8694fccd85e 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -121,10 +121,14 @@ CFLAGS += -DHAS_SHADOW
- #LIBS += -lshadow $(LIBS)
- endif
-
-+ifdef NO_CRYPT_HACK
-+CFLAGS += -DNO_CRYPT_HACK
-+else
- ifneq ($(wildcard /usr/include/crypt.h),)
- CFLAGS += -DHAVE_CRYPT_H=1
- LIBS += -lcrypt
- endif
-+endif
-
- ifdef USE_LIBUTIL
- CFLAGS += -DHAVE_LOGWTMP=1
-diff --git a/pppd/auth.c b/pppd/auth.c
-index 4271af687102..931c6b45043b 100644
---- a/pppd/auth.c
-+++ b/pppd/auth.c
-@@ -1442,8 +1442,10 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg)
- if (secret[0] != 0 && !login_secret) {
- /* password given in pap-secrets - must match */
- if (cryptpap || strcmp(passwd, secret) != 0) {
-+#ifndef NO_CRYPT_HACK
- char *cbuf = crypt(passwd, secret);
- if (!cbuf || strcmp(cbuf, secret) != 0)
-+#endif
- ret = UPAP_AUTHNAK;
- }
- }
-diff --git a/pppd/session.c b/pppd/session.c
-index 56385dd63874..977139665218 100644
---- a/pppd/session.c
-+++ b/pppd/session.c
-@@ -351,8 +351,10 @@ session_start(flags, user, passwd, ttyName, msg)
- */
- if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2)
- return SESSION_FAILED;
-+#ifndef NO_CRYPT_HACK
- cbuf = crypt(passwd, pw->pw_passwd);
- if (!cbuf || strcmp(cbuf, pw->pw_passwd) != 0)
-+#endif
- return SESSION_FAILED;
- }
-
diff --git a/patches/ppp-2.4.7/0008-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch
index 7274b2de4..b4712de17 100644
--- a/patches/ppp-2.4.7/0008-pppoe_noads.patch
+++ b/patches/ppp-2.4.7/0023-pppoe_noads.patch
@@ -1,16 +1,19 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:11:22 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] pppoe_noads
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/rp-pppoe/plugin.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index a8c2bb4f4a6a..c4c85b462afd 100644
+index c89be94250bc..7804b184f0cb 100644
--- a/pppd/plugins/rp-pppoe/plugin.c
+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -376,9 +376,6 @@ plugin_init(void)
+@@ -377,9 +377,6 @@ plugin_init(void)
}
add_options(Options);
diff --git a/patches/ppp-2.4.7/0009-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
index 2c6b0a7e2..557b16901 100644
--- a/patches/ppp-2.4.7/0009-make-_PATH_CONNERRS-world-readable.patch
+++ b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
@@ -1,17 +1,22 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:12:17 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] make _PATH_CONNERRS world readable
There is nothing security-sensitive there.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pppd/main.c b/pppd/main.c
-index 439fedced8ff..23d21d427df7 100644
+index 8e31365f0c58..ed544315c1df 100644
--- a/pppd/main.c
+++ b/pppd/main.c
-@@ -1678,7 +1678,7 @@ device_script(program, in, out, dont_wait)
+@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait)
if (log_to_fd >= 0)
errfd = log_to_fd;
else
diff --git a/patches/ppp-2.4.7/0010-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
index 450b05e9d..febfaf869 100644
--- a/patches/ppp-2.4.7/0010-Correct-unkown-unknown-typo.patch
+++ b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
@@ -1,7 +1,14 @@
-From: Chris Boot <bootc@debian.org>
-Date: Fri, 2 Jun 2017 11:12:56 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] Correct unkown => unknown typo
+Author: Chris Boot <bootc@debian.org>
+Last-Update: 2013-09-09
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/radius/config.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/patches/ppp-2.4.7/0011-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
index 9b4e4a796..5cf266d10 100644
--- a/patches/ppp-2.4.7/0011-pppoe-custom-host-uniq-tag.patch
+++ b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
@@ -9,6 +9,10 @@ so it must be set to a proper value to connect.
Signed-off-by: Matteo Croce <matteo@openwrt.org>
Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/rp-pppoe/common.c | 14 ++++-----
pppd/plugins/rp-pppoe/discovery.c | 51 +++++++++++++--------------------
@@ -132,7 +136,7 @@ index 04877cb8295f..5db8d0defc37 100644
/* Add our maximum MTU/MRU */
diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index c4c85b462afd..1a7e1e1b4e53 100644
+index 7804b184f0cb..12778d0d9991 100644
--- a/pppd/plugins/rp-pppoe/plugin.c
+++ b/pppd/plugins/rp-pppoe/plugin.c
@@ -68,6 +68,7 @@ static char *existingSession = NULL;
@@ -171,10 +175,10 @@ index c4c85b462afd..1a7e1e1b4e53 100644
conn->serviceName = pppd_pppoe_service;
strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam));
diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 3d3bf4eecc81..f4f527128c2f 100644
+index 55037dffb023..ff4c487ffaa9 100644
--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -347,7 +347,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
+@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
/* If we're not using the Host-Unique tag, then accept the packet */
@@ -183,7 +187,7 @@ index 3d3bf4eecc81..f4f527128c2f 100644
parsePacket(packet, parseForHostUniq, &forMe);
return forMe;
-@@ -473,16 +473,12 @@ sendPADI(PPPoEConnection *conn)
+@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn)
cursor += namelen + TAG_HDR_SIZE;
/* If we're using Host-Uniq, copy it over */
@@ -206,7 +210,7 @@ index 3d3bf4eecc81..f4f527128c2f 100644
}
packet.length = htons(plen);
-@@ -644,7 +640,7 @@ int main(int argc, char *argv[])
+@@ -653,7 +649,7 @@ int main(int argc, char *argv[])
memset(conn, 0, sizeof(PPPoEConnection));
@@ -215,7 +219,7 @@ index 3d3bf4eecc81..f4f527128c2f 100644
switch(opt) {
case 'S':
conn->serviceName = xstrdup(optarg);
-@@ -653,7 +649,23 @@ int main(int argc, char *argv[])
+@@ -662,7 +658,23 @@ int main(int argc, char *argv[])
conn->acName = xstrdup(optarg);
break;
case 'U':
@@ -241,7 +245,7 @@ index 3d3bf4eecc81..f4f527128c2f 100644
case 'D':
conn->debugFile = fopen(optarg, "w");
diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 9ab2eee3914c..86d2b1e47a25 100644
+index c4aaa6e68856..08026f577028 100644
--- a/pppd/plugins/rp-pppoe/pppoe.h
+++ b/pppd/plugins/rp-pppoe/pppoe.h
@@ -21,6 +21,8 @@
@@ -253,7 +257,7 @@ index 9ab2eee3914c..86d2b1e47a25 100644
/* How do we access raw Ethernet devices? */
#undef USE_LINUX_PACKET
-@@ -235,7 +237,7 @@ typedef struct PPPoEConnectionStruct {
+@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct {
char *serviceName; /* Desired service name, if any */
char *acName; /* Desired AC name, if any */
int synchronous; /* Use synchronous PPP */
@@ -262,7 +266,7 @@ index 9ab2eee3914c..86d2b1e47a25 100644
int printACNames; /* Just print AC names */
FILE *debugFile; /* Debug file for dumping packets */
int numPADOs; /* Number of PADO packets received */
-@@ -291,6 +293,33 @@ void pppoe_printpkt(PPPoEPacket *packet,
+@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet,
void (*printer)(void *, char *, ...), void *arg);
void pppoe_log_packet(const char *prefix, PPPoEPacket *packet);
diff --git a/patches/ppp-2.4.7/0026-secure-card-interpreter-fix.patch b/patches/ppp-2.4.7/0026-secure-card-interpreter-fix.patch
deleted file mode 100644
index fb54a5e9d..000000000
--- a/patches/ppp-2.4.7/0026-secure-card-interpreter-fix.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:29:20 +0200
-Subject: [PATCH] secure-card-interpreter-fix
-
-This fixes the lintian warning:
-I: ppp: example-wrong-path-for-interpreter
- usr/share/doc/ppp/examples/scripts/secure-card
- (#!/usr/local/bin/expect != /usr/bin/expect)
-
-Author: Chris Boot <bootc@debian.org>
-Forwarded: not-needed
-Last-Update: 2013-09-09
----
- scripts/secure-card | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/secure-card b/scripts/secure-card
-index 0002365e4edb..ae3ae50c14f4 100755
---- a/scripts/secure-card
-+++ b/scripts/secure-card
-@@ -1,4 +1,4 @@
--#!/usr/local/bin/expect -f
-+#!/usr/bin/expect -f
- #
- # This script was written by Jim Isaacson <jcisaac@crl.com>. It is
- # designed to work as a script to use the SecureCARD(tm) device. This
diff --git a/patches/ppp-2.4.7/0013-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
index 376b3453a..19f931b12 100644
--- a/patches/ppp-2.4.7/0013-Add-replacedefaultroute-option.patch
+++ b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
@@ -1,5 +1,5 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:15:32 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] Add replacedefaultroute option
Adds an option to pppd to control whether to replace existing default routes
@@ -13,6 +13,11 @@ Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefro
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Last-Update: 2014-01-26
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/ipcp.c | 45 +++++++++++++++++++++++++++----
pppd/ipcp.h | 1 +
@@ -150,7 +155,7 @@ index 6cf14c990578..7ecfa79d8668 100644
bool neg_vj; /* Van Jacobson Compression? */
bool old_vj; /* use old (short) form of VJ option? */
diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index b7fd0bdaab52..67181083808b 100644
+index ec8bfd5c0617..481aa8be672b 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed.
@@ -180,10 +185,10 @@ index b7fd0bdaab52..67181083808b 100644
.TP
.B nodeflate
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 247fa153739b..8ade4d817092 100644
+index 1a1bf0b99582..7495df657fe9 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
-@@ -665,7 +665,11 @@ int sif6addr __P((int, eui64_t, eui64_t));
+@@ -676,7 +676,11 @@ int sif6addr __P((int, eui64_t, eui64_t));
int cif6addr __P((int, eui64_t, eui64_t));
/* Remove an IPv6 address from i/f */
#endif
@@ -196,7 +201,7 @@ index 247fa153739b..8ade4d817092 100644
int cifdefaultroute __P((int, u_int32_t, u_int32_t));
/* Delete default route through i/f */
diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index f92174854207..86cde57664af 100644
+index 6d29dc8e8594..3f0bbc33c605 100644
--- a/pppd/sys-linux.c
+++ b/pppd/sys-linux.c
@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */
@@ -208,7 +213,7 @@ index f92174854207..86cde57664af 100644
static u_int32_t proxy_arp_addr; /* Addr for proxy arp entry added */
static char proxy_arp_dev[16]; /* Device for proxy arp entry */
static u_int32_t our_old_addr; /* for detecting address changes */
-@@ -1552,6 +1554,9 @@ static int read_route_table(struct rtentry *rt)
+@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt)
p = NULL;
}
@@ -218,7 +223,7 @@ index f92174854207..86cde57664af 100644
SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16);
SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16);
SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16);
-@@ -1621,22 +1626,53 @@ int have_route_to(u_int32_t addr)
+@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr)
/********************************************************************
*
* sifdefaultroute - assign a default route through the address given.
@@ -287,7 +292,7 @@ index f92174854207..86cde57664af 100644
memset (&rt, 0, sizeof (rt));
SET_SA_FAMILY (rt.rt_dst, AF_INET);
-@@ -1653,6 +1689,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
+@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
error("default route ioctl(SIOCADDRT): %m");
return 0;
}
@@ -300,7 +305,7 @@ index f92174854207..86cde57664af 100644
have_default_route = 1;
return 1;
-@@ -1688,6 +1730,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
+@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
return 0;
}
}
diff --git a/patches/ppp-2.4.7/0028-Add-a-SONAME-to-the-pppd-binary.patch b/patches/ppp-2.4.7/0028-Add-a-SONAME-to-the-pppd-binary.patch
deleted file mode 100644
index df533456a..000000000
--- a/patches/ppp-2.4.7/0028-Add-a-SONAME-to-the-pppd-binary.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Chris Boot <bootc@debian.org>
-Date: Fri, 2 Jun 2017 11:31:35 +0200
-Subject: [PATCH] Add a SONAME to the pppd binary
-
- This hack inserts a SONAME into the pppd binary, which allows us to
- run dpkg-gensymbols/dh_makeshlibs over the resulting binary. This is
- useful so that we can use Debian's standard build infrastructure to
- help track the ppp binary's ABI, which is used by plugins.
-
-Forwarded: not-needed
-Last-Update: 2015-12-05
----
- pppd/Makefile.linux | 5 ++++-
- 1 file changed, 4 insertions(+), 1 deletion(-)
-
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index a90cbdcf8bb1..f1b2c90bb510 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -206,6 +206,8 @@ endif
-
- INSTALL= install
-
-+VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' patchlevel.h)
-+
- all: $(TARGETS)
-
- install: pppd
-@@ -217,7 +219,8 @@ install: pppd
- $(INSTALL) -c -m 444 pppd.8 $(MANDIR)
-
- pppd: $(PPPDOBJS)
-- $(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
-+ $(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) \
-+ -Wl,-soname,pppd.so.$(VERSION)
-
- srp-entry: srp-entry.c
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
diff --git a/patches/ppp-2.4.7/0014-ppp-2.3.11-oedod.patch b/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
index ed160e882..8151c3be2 100644
--- a/patches/ppp-2.4.7/0014-ppp-2.3.11-oedod.patch
+++ b/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:16:31 +0200
-Subject: [PATCH] ppp-2.3.11-oedod
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
+Subject: [PATCH] ppp-2.3.11-oedod.dif
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
pppd/ipcp.c | 2 +-
@@ -177,10 +180,10 @@ index 356ff84ead41..c1602f41c206 100644
} else {
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 8ade4d817092..2121bc0aa588 100644
+index 7495df657fe9..e65106d4c126 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
-@@ -583,7 +583,7 @@ void demand_conf __P((void)); /* config interface(s) for demand-dial */
+@@ -594,7 +594,7 @@ void demand_conf __P((void)); /* config interface(s) for demand-dial */
void demand_block __P((void)); /* set all NPs to queue up packets */
void demand_unblock __P((void)); /* set all NPs to pass packets */
void demand_discard __P((void)); /* set all NPs to discard packets */
diff --git a/patches/ppp-2.4.7/0029-Fix-FTBFS-in-rp-pppoe.patch b/patches/ppp-2.4.7/0029-Fix-FTBFS-in-rp-pppoe.patch
deleted file mode 100644
index 9a9d34760..000000000
--- a/patches/ppp-2.4.7/0029-Fix-FTBFS-in-rp-pppoe.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Chris Boot <bootc@debian.org>
-Date: Fri, 2 Jun 2017 11:32:22 +0200
-Subject: [PATCH] Fix FTBFS in rp-pppoe
-
- Include netinet/in.h earlier to avoid a conflict with linux/in.h. See Bug
- #824442 (on src:glibc) for information related to this.
-
-Bug-Debian: https://bugs.debian.org/824442
-Forwarded: no
-Last-Update: 2016-11-11
----
- pppd/plugins/rp-pppoe/pppoe.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 86d2b1e47a25..fee9ab62ee21 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -49,6 +49,8 @@
- #include <sys/socket.h>
- #endif
-
-+#include <netinet/in.h>
-+
- /* Ugly header files on some Linux boxes... */
- #if defined(HAVE_LINUX_IF_H)
- #include <linux/if.h>
-@@ -86,8 +88,6 @@ typedef unsigned long UINT32_t;
- #include <linux/if_ether.h>
- #endif
-
--#include <netinet/in.h>
--
- #ifdef HAVE_NETINET_IF_ETHER_H
- #include <sys/types.h>
-
diff --git a/patches/ppp-2.4.7/0015-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
index 273d7e25a..3cd1b78e7 100644
--- a/patches/ppp-2.4.7/0015-add-support-for-the-Framed-MTU-Radius-attribute.patch
+++ b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
@@ -1,11 +1,27 @@
-From: Alexander Klepikov <klepikov_a@up.ua>
-Date: Fri, 2 Jun 2017 11:21:27 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] add support for the Framed-MTU Radius attribute
http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532
+From: klepikov_a@up.ua
+To: ppp-bugs@ppp.samba.org
+Subject: Radius plugin does not set MTU on ppp interface
+Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT)
+
+Full_Name: Alexander Klepikov
+Version: 2.4.3
+OS: rhl 7.3 (2.4.20-28.7bigmem)
+Submission from: (NULL) (213.130.21.73)
+
+
This patch allows radius plugin to deal with Framed-MTU Radius attribute and to
set MTU on interface.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/radius/radius.c | 3 +++
1 file changed, 3 insertions(+)
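Review bot: The rewritten header replaces the original `From: Alexander Klepikov <klepikov_a@up.ua>` line with the importer's, so the only attribution left is the `Full_Name:` field of the quoted bug report, and unlike the rc_mksid and EAP-TLS patches in this same commit there is no `Author:` trailer to take its place. These patch files are the supply-chain record of what ptxdist applies on top of ppp 2.4.7, so I would keep provenance explicit with `Author: Alexander Klepikov <klepikov_a@up.ua>` and `Origin: http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532` above the `Imported from` line. The same From: rewrite happens to the other reimported Debian patches below (ip-up_option, stripMSdomain, CALL_FILE, ipv6-accept-remote, resolv.conf_no_log, Debian-specific changes), where Marco d'Itri's attribution is dropped without a replacement trailer.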
diff --git a/patches/ppp-2.4.7/0016-ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch
index 93ef02c5b..06cb2e5bb 100644
--- a/patches/ppp-2.4.7/0016-ip-up_option.patch
+++ b/patches/ppp-2.4.7/0030-018_ip-up_option.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:22:08 +0200
-Subject: [PATCH] ip-up_option
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
+Subject: [PATCH] 018_ip up_option
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/ipcp.c | 8 ++++----
pppd/main.c | 3 +++
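Review bot: The new Subject line `018_ip up_option` has lost the hyphen of the Debian patch name `018_ip-up_option` that the file name in the diff header still carries, which looks like format-patch subject mangling rather than an intended title; I would restore it as `Subject: [PATCH] 018_ip-up_option` or, better, describe the change (`add ip-up/ip-down script path options`, which is what the path_ipup/path_ipdown additions later in this file do). The header also drops the `From: Marco d'Itri <md@linux.it>` attribution with nothing replacing it, so an `Author: Marco d'Itri <md@linux.it>` trailer next to the `Imported from` line would preserve who wrote it.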
@@ -48,10 +51,10 @@ index dceca807542a..d6e0e2a699fe 100644
break;
}
diff --git a/pppd/main.c b/pppd/main.c
-index 23d21d427df7..59aad6f3854f 100644
+index ed544315c1df..9164a1eb0f95 100644
--- a/pppd/main.c
+++ b/pppd/main.c
-@@ -316,6 +316,9 @@ main(argc, argv)
+@@ -308,6 +308,9 @@ main(argc, argv)
struct protent *protp;
char numbuf[16];
@@ -62,7 +65,7 @@ index 23d21d427df7..59aad6f3854f 100644
new_phase(PHASE_INITIALIZE);
diff --git a/pppd/options.c b/pppd/options.c
-index f66b7657bc31..dc2d7329a93d 100644
+index 91da515ac533..a8f3aa4590a3 100644
--- a/pppd/options.c
+++ b/pppd/options.c
@@ -114,6 +114,8 @@ char linkname[MAXPATHLEN]; /* logical name for link */
@@ -71,10 +74,10 @@ index f66b7657bc31..dc2d7329a93d 100644
int req_unit = -1; /* requested interface unit */
+char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
+char path_ipdown[MAXPATHLEN];/* pathname of ip-down script */
+ char req_ifname[MAXIFNAMELEN]; /* requested interface name */
bool multilink = 0; /* Enable multilink operation */
char *bundle_name = NULL; /* bundle name for multilink */
- bool dump_options; /* print out option values */
-@@ -299,6 +301,13 @@ option_t general_options[] = {
+@@ -304,6 +306,13 @@ option_t general_options[] = {
"Unset user environment variable",
OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint },
@@ -89,15 +92,15 @@ index f66b7657bc31..dc2d7329a93d 100644
{ "multilink", o_bool, &multilink,
"Enable multilink operation", OPT_PRIO | 1 },
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 2121bc0aa588..2be649adf582 100644
+index e65106d4c126..b11670586244 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
-@@ -318,6 +318,8 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */
+@@ -328,6 +328,8 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */
extern int connect_delay; /* Time to delay after connect script */
extern int max_data_rate; /* max bytes/sec through charshunt */
extern int req_unit; /* interface unit number to use */
+extern char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
+extern char path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */
+ extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */
extern bool multilink; /* enable multilink operation */
extern bool noendpoint; /* don't send or accept endpt. discrim. */
- extern char *bundle_name; /* bundle name for multilink */
diff --git a/patches/ppp-2.4.7/0017-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
index 5ac426e19..32629026c 100644
--- a/patches/ppp-2.4.7/0017-ppp-2.4.2-stripMSdomain.patch
+++ b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:22:53 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:49 +0200
Subject: [PATCH] ppp-2.4.2-stripMSdomain
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/chap-new.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/patches/ppp-2.4.7/0018-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
index 6bce58107..6a2e17088 100644
--- a/patches/ppp-2.4.7/0018-export-CALL_FILE-to-the-link-scripts.patch
+++ b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
@@ -1,17 +1,20 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:23:29 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] export $CALL_FILE to the link scripts
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/options.c | 1 +
pppd/pppd.8 | 3 +++
2 files changed, 4 insertions(+)
diff --git a/pppd/options.c b/pppd/options.c
-index dc2d7329a93d..2de65f9aa8d5 100644
+index a8f3aa4590a3..340797386dd6 100644
--- a/pppd/options.c
+++ b/pppd/options.c
-@@ -1477,6 +1477,7 @@ callfile(argv)
+@@ -1482,6 +1482,7 @@ callfile(argv)
if ((fname = (char *) malloc(l)) == NULL)
novm("call file name");
slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg);
@@ -20,10 +23,10 @@ index dc2d7329a93d..2de65f9aa8d5 100644
ok = options_from_file(fname, 1, 1, 1);
diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 67181083808b..f6c9e909254c 100644
+index 481aa8be672b..848ca8a16b77 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
-@@ -1656,6 +1656,9 @@ the connection.
+@@ -1662,6 +1662,9 @@ the connection.
.B LINKNAME
The logical name of the link, set with the \fIlinkname\fR option.
.TP
diff --git a/patches/ppp-2.4.7/0019-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
index e83406d3b..01376cf14 100644
--- a/patches/ppp-2.4.7/0019-ipv6-accept-remote.patch
+++ b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:24:22 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] ipv6-accept-remote
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/ipv6cp.c | 5 ++++-
pppd/ipv6cp.h | 3 ++-
@@ -53,7 +56,7 @@ index 2f4c06ddc189..1617707ebbde 100644
int opt_remote; /* histoken set by option */
int use_ip; /* use IP as interface identifier */
diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index f6c9e909254c..f226392c0280 100644
+index 848ca8a16b77..65bbe721f761 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6
diff --git a/patches/ppp-2.4.7/0021-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
index 31edc06cb..2a8a029df 100644
--- a/patches/ppp-2.4.7/0021-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
+++ b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
@@ -1,5 +1,5 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:25:56 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id()
This fixes the following compile-time warning when building with
@@ -19,6 +19,11 @@ Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatf
Forwarded: no
Reviewed-by: Chris Boot <bootc@debian.org>
Last-Update: 2014-01-12
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/radius/clientid.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/patches/ppp-2.4.7/0024-resolv.conf_no_log.patch b/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
index ebdcc2d12..aea6b2082 100644
--- a/patches/ppp-2.4.7/0024-resolv.conf_no_log.patch
+++ b/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:27:40 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] resolv.conf_no_log
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/ipcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/patches/ppp-2.4.7/0025-Debian-specific-changes.patch b/patches/ppp-2.4.7/0036-Debian-specific-changes.patch
index fcbba6357..9576af118 100644
--- a/patches/ppp-2.4.7/0025-Debian-specific-changes.patch
+++ b/patches/ppp-2.4.7/0036-Debian-specific-changes.patch
@@ -1,7 +1,10 @@
-From: Marco d'Itri <md@linux.it>
-Date: Fri, 2 Jun 2017 11:28:30 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] Debian-specific changes.
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/Makefile.linux | 6 ++----
pppd/pathnames.h | 2 +-
@@ -10,7 +13,7 @@ Subject: [PATCH] Debian-specific changes.
4 files changed, 6 insertions(+), 8 deletions(-)
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index a8694fccd85e..a90cbdcf8bb1 100644
+index 16b3ee879791..5549145e5791 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -61,14 +61,14 @@ HAVE_MULTILINK=y
@@ -30,7 +33,7 @@ index a8694fccd85e..a90cbdcf8bb1 100644
# Enable EAP SRP-SHA1 authentication (requires libsrp)
#USE_SRP=y
-@@ -182,11 +182,9 @@ LIBS += -ldl
+@@ -178,11 +178,9 @@ LIBS += -ldl
endif
ifdef FILTER
diff --git a/patches/ppp-2.4.7/0027-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
index 29a6ea1d6..e21f129ad 100644
--- a/patches/ppp-2.4.7/0027-Fix-buffer-overflow-in-rc_mksid.patch
+++ b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
@@ -1,16 +1,22 @@
-From: Emanuele Rocca <ema@debian.org>
-Date: Fri, 2 Jun 2017 11:30:48 +0200
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
Subject: [PATCH] Fix buffer overflow in rc_mksid()
-rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
+ .
+ If the process id is bigger than 65535 (FFFF), its hex representation will be
+ longer than 4 characters, resulting in a buffer overflow.
+ .
+ The bug can be exploited to cause a remote DoS.
+ .
+Author: Emanuele Rocca <ema@debian.org>
+Bug-Debian: https://bugs.debian.org/782450
+Last-Update: <2015-04-14>
-If the process id is bigger than 65535 (FFFF), its hex representation will be
-longer than 4 characters, resulting in a buffer overflow.
-The bug can be exploited to cause a remote DoS.
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-Bug-Debian: https://bugs.debian.org/782450
-Last-Update: <2015-04-14>
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/radius/util.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
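Review bot: The header of this security fix still carries no CVE reference, only `Bug-Debian: https://bugs.debian.org/782450` and a date; the text describes a remotely triggerable overflow in the radius plugin's rc_mksid(), and that Debian bug appears to be the one published as CVE-2015-3310, so if that is confirmed a `CVE: CVE-2015-3310` trailer (or a mention in the Subject) would let ptxdist users and vulnerability scanners match this patch against advisories. The angle brackets in `Last-Update: <2015-04-14>` are a leftover placeholder and should become plain `Last-Update: 2015-04-14`, matching the other headers in this set (e.g. `Last-Update: 2014-01-12`). The change to pppd/plugins/radius/util.c itself is not part of this hunk, so the fix body cannot be checked here.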
diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
new file mode 100644
index 000000000..bd462d4f8
--- /dev/null
+++ b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
@@ -0,0 +1,3383 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
+Subject: [PATCH] EAP-TLS authentication support for PPP
+
+Origin: https://www.nikhef.nl/~janjust/ppp/download.html
+Bug-Debian: https://bugs.debian.org/602503
+Bug-Ubuntu: https://launchpad.net/bugs/643417
+Forwarded: not-needed
+Author: Jan Just Keijser <janjust@nikhef.nl>
+Last-Update: 2018-11-04
+
+This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following
+changes:
+
+ - Patch refreshed to remove fuzz.
+ - Trailing spaces removed.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ README.eap-tls | 291 +++++++++
+ etc.ppp/eaptls-client | 10 +
+ etc.ppp/eaptls-server | 11 +
+ etc.ppp/openssl.cnf | 14 +
+ linux/Makefile.top | 6 +-
+ pppd/Makefile.linux | 12 +
+ pppd/auth.c | 413 ++++++++++++-
+ pppd/ccp.c | 20 +-
+ pppd/chap-md5.c | 4 +
+ pppd/eap-tls.c | 1383 +++++++++++++++++++++++++++++++++++++++++++
+ pppd/eap-tls.h | 107 ++++
+ pppd/eap.c | 463 ++++++++++++++-
+ pppd/eap.h | 32 +-
+ pppd/md5.c | 4 +
+ pppd/md5.h | 3 +
+ pppd/pathnames.h | 7 +
+ pppd/plugins/Makefile.linux | 3 +
+ pppd/plugins/passprompt.c | 3 +
+ pppd/plugins/passwordfd.c | 4 +
+ pppd/pppd.8 | 33 ++
+ pppd/pppd.h | 9 +
+ 21 files changed, 2825 insertions(+), 7 deletions(-)
+ create mode 100644 README.eap-tls
+ create mode 100644 etc.ppp/eaptls-client
+ create mode 100644 etc.ppp/eaptls-server
+ create mode 100644 etc.ppp/openssl.cnf
+ create mode 100644 pppd/eap-tls.c
+ create mode 100644 pppd/eap-tls.h
+
+diff --git a/README.eap-tls b/README.eap-tls
+new file mode 100644
+index 000000000000..107e84db5e81
+--- /dev/null
++++ b/README.eap-tls
+@@ -0,0 +1,291 @@
++EAP-TLS authentication support for PPP
++======================================
++
++1. Intro
++
++ The Extensible Authentication Protocol (EAP; RFC 3748) is a
++ security protocol that can be used with PPP. It provides a means
++ to plug in multiple optional authentication methods.
++
++ Transport Level Security (TLS; RFC 5216) provides for mutual
++ authentication, integrity-protected ciphersuite negotiation and
++ key exchange between two endpoints. It also provides for optional
++ MPPE encryption.
++
++ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
++ allowing TLS mutual authentication to be used as a generic EAP
++ mechanism. It also provides optional encryption using the MPPE
++ protocol.
++
++ This patch provide EAP-TLS support to pppd.
++ This authentication method can be used in both client or server
++ mode.
++
++2. Building
++
++ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
++ is required. Any version from 0.9.7 should work.
++
++ Configure, compile, and install as usual.
++
++3. Configuration
++
++ On the client side there are two ways to configure EAP-TLS:
++
++ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
++
++ 2. edit the /etc/ppp/eaptls-client file.
++ Insert a line for each system with which you use EAP-TLS.
++ The line is composed of this fields separated by tab:
++
++ - Client name
++ The name used by the client for authentication, can be *
++ - Server name
++ The name of the server, can be *
++ - Client certificate file
++ The file containing the certificate chain for the
++ client in PEM format
++ - Server certificate file
++ If you want to specify the certificate that the
++ server is allowed to use, put the certificate file name.
++ Else put a dash '-'.
++ - CA certificate file
++ The file containing the trusted CA certificates in PEM
++ format.
++ - Client private key file
++ The file containing the client private key in PEM format.
++
++
++ On the server side edit the /etc/ppp/eaptls-server file.
++ Insert a line for each system with which you use EAP-TLS.
++ The line is composed of this fields separated by tab:
++
++ - Client name
++ The name used by the client for authentication, can be *
++ - Server name
++ The name of the server, can be *
++ - Client certificate file
++ If you want to specify the certificate that the
++ client is allowed to use, put the certificate file name.
++ Else put a dash '-'.
++ - Server certificate file
++ The file containing the certificate chain for the
++ server in PEM format
++ - CA certificate file
++ The file containing the trusted CA certificates in PEM format.
++ - Client private key file
++ The file containing the server private key in PEM format.
++ - addresses
++ A list of IP addresses the client is allowed to use.
++
++
++ OpenSSL engine support is included starting with v0.95 of this patch.
++ Currently the only engine tested is the 'pkcs11' engine (hardware token
++ support). To use the 'pksc11' engine:
++ - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
++ <engine>:<identifier>
++ e.g.
++ pkcs11:123456
++
++ - The certificate can also be loaded from the 'pkcs11' engine using
++ a special client certificate filename in the /etc/ppp/eaptls-client file:
++ <engine>:<identifier>
++ e.g.
++ pkcs11:123456
++
++ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
++ to starting 'pppd'. A sample openssl.cnf file is
++
++ openssl_conf = openssl_def
++
++ [ openssl_def ]
++ engines = engine_section
++
++ [ engine_section ]
++ pkcs11 = pkcs11_section
++
++ [ pkcs11_section ]
++ engine_id = pkcs11
++ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
++ MODULE_PATH = /usr/lib64/libeTPkcs11.so
++ init = 0
++
++ - There are two ways to specify a password/PIN for the PKCS11 engine:
++ - inside the openssl.cnf file using
++ PIN = your-secret-pin
++ Note The keyword 'PIN' is case sensitive!
++ - Using the 'password' in the ppp options file.
++ From v0.97 of the eap-tls patch the password can also be supplied
++ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
++ for an example).
++
++
++4. Options
++
++ These pppd options are available:
++
++ ca <ca-file>
++ Use the CA public certificate found in <ca-file> in PEM format
++ cert <cert-file>
++ Use the client public certificate found in <cert-file> in PEM format
++ or in engine:engine_id format
++ key <key-file>
++ Use the client private key found in <key-file> in PEM format
++ or in engine:engine_id format
++ crl <crl-file>
++ Use the Certificate Revocation List (CRL) file <crl-file> in PEM format.
++ crl-dir <dir>
++ Use CRL files from directory <dir>. It contains CRL files in PEM
++ format and each file contains a CRL. The files are looked up
++ by the issuer name hash value. Use the c_rehash utility
++ to create necessary links.
++ need-peer-eap
++ If the peer doesn't ask us to authenticate or doesn't use eap
++ to authenticate us, disconnect.
++
++ Note:
++ password-encrypted certificates can be used as of v0.94 of this
++ patch. The password for the eap-tls.key file is specified using
++ the regular
++ password ....
++ statement in the ppp options file, or by using the appropriate
++ plugin which supplies a 'eaptls_passwd_hook' routine.
++
++5. Connecting
++
++ If you're setting up a pppd server, edit the EAP-TLS configuration file
++ as written above and then run pppd with the 'auth' option to authenticate
++ the client. The EAP-TLS method will be used if the other eap methods can't
++ be used (no secrets).
++
++ If you're setting up a client, edit the configuration file and then run
++ pppd with 'remotename' option to specify the server name. Add the
++ 'need-peer-eap' option if you want to be sure the peer ask you to
++ authenticate (and to use eap) and to disconnect if it doesn't.
++
++6. Example
++
++ The following example can be used to connect a Linux client with the 'pptp'
++ package to a Linux server running the 'pptpd' (PoPToP) package. The server
++ was configured with a certificate with name (CN) 'pptp-server', the client
++ was configured with a certificate with name (CN) 'pptp-client', both
++ signed by the same Certificate Authority (CA).
++
++ Server side:
++ - /etc/pptpd.conf file:
++ option /etc/ppp/options-pptpd-eaptls
++ localip 172.16.1.1
++ remoteip 172.16.1.10-20
++ - /etc/ppp/options-pptpd-eaptls file:
++ name pptp-server
++ lock
++ mtu 1500
++ mru 1450
++ auth
++ lcp-echo-failure 3
++ lcp-echo-interval 5
++ nodeflate
++ nobsdcomp
++ nopredictor1
++ nopcomp
++ noaccomp
++
++ require-eap
++ require-mppe-128
++
++ crl /home/janjust/ppp/keys/crl.pem
++
++ debug
++ logfile /tmp/pppd.log
++
++ - /etc/ppp/eaptls-server file:
++ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key *
++
++ - On the server, run
++ pptdp --conf /etc/pptpd.conf
++
++ Client side:
++ - Run
++ pppd noauth require-eap require-mppe-128 \
++ ipcp-accept-local ipcp-accept-remote noipdefault \
++ cert /etc/ppp/keys/pptp-client.crt \
++ key /etc/ppp/keys/pptp-client.key \
++ ca /etc/ppp/keys/ca.crt \
++ name pptp-client remotename pptp-server \
++ debug logfile /tmp/pppd.log
++ pty "pptp pptp-server.example.com --nolaunchpppd"
++
++ Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info.
++
++7. Notes
++
++ This is experimental code.
++ Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>
++
++8. Changelog of ppp-<>-eaptls-mppe-* patches
++
++v0.7 (22-Nov-2005)
++ - First version of the patch to include MPPE support
++ - ppp-2.4.3 only
++v0.9 (25-Jul-2006)
++ - Bug fixes
++ - First version for ppp-2.4.4
++v0.91 (03-Sep-2006)
++ - Added missing #include for md5.h
++ - Last version for ppp-2.4.3
++v0.92 (22-Apr-2008)
++ - Fix for openssl 0.9.8 issue with md5 function overload.
++v0.93 (14-Aug-2008)
++ - Make sure 'noauth' option can be used to bypass server certificate verification.
++v0.94 (15-Oct-2008)
++ - Added support for password-protected private keys by (ab)using the 'password' field.
++v0.95 (23-Dec-2009)
++ - First version with OpenSSL engine support.
++v0.96 (27-Jan-2010)
++ - Added fully functional support for OpenSSL engines (PKCS#11)
++ - First version for ppp-2.4.5
++v0.97 (20-Apr-2010)
++ - Some bug fixes for v0.96
++ - Added support for entering the password via a plugin. The sample plugin
++ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support.
++ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work.
++ - Added support for specifying the client CA, certificate and private key on the command-line
++ or via the ppp config file.
++v0.98 (20-Apr-2010)
++ - Fix initialisation bug when using ca/cert/key command-line options.
++ - Last version for ppp-2.4.4
++v0.99 (05-Oct-2010)
++ - Fix coredump when using multilink option.
++v0.991 (08-Aug-2011)
++ - Fix compilation issue with openssl 1.0.
++v0.992 (01-Dec-2011)
++ - Fix compilation issue with eaptls_check_hook and passwordfd plugin.
++v0.993 (24-Apr-2012)
++ - Fix compilation issue when EAP_TLS=n in pppd/Makefile.
++v0.994 (11-Jun-2012)
++ - Fix compilation issue on Ubuntu 11.10.
++v0.995 (27-May-2014)
++ - Add support for a CRL file using the command-line option 'crl'
++ (prior only 'crl-dir' was supported).
++ - Fix segfault when pkcs11 enginename was not specified correctly.
++ - Fix segfault when client was misconfigured.
++ - Disable SSL Session Ticket support as Windows 8 does not support this.
++v0.996 (28-May-2014)
++ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4'
++ - Add EAP-TLS-specific options to pppd.8 manual page.
++ - Updated README.eap-tls file with new options and provide an example.
++v0.997 (19-Jun-2014)
++ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
++ - Fix bug in initialisation code with fragmented packets.
++v0.998 (13-Mar-2015)
++ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620
++v0.999 (11-May-2017)
++ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x.
++v1.101 (1-Jun-2018)
++ - Fix vulnerabilities CVE-2018-11574.
++v1.102 (2-Nov-2018)
++ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2.
++ This works both when compiling against OpenSSL 1.0.1+ and 1.1+.
++ - Print warning when certificate is either not yet valid or has expired.
++ - Perform better peer certificate checks.
++ - Allow certificate chain files to be used.
+diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
+new file mode 100644
+index 000000000000..7782f0e2a065
+--- /dev/null
++++ b/etc.ppp/eaptls-client
+@@ -0,0 +1,10 @@
++# Parameters for authentication using EAP-TLS (client)
++
++# client name (can be *)
++# server name (can be *)
++# client certificate file (required)
++# server certificate file (optional, if unused put '-')
++# CA certificate file (required)
++# client private key file (required)
++
++#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
+diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
+new file mode 100644
+index 000000000000..fa53cbd197cf
+--- /dev/null
++++ b/etc.ppp/eaptls-server
+@@ -0,0 +1,11 @@
++# Parameters for authentication using EAP-TLS (server)
++
++# client name (can be *)
++# server name (can be *)
++# client certificate file (optional, if unused put '-')
++# server certificate file (required)
++# CA certificate file (required)
++# server private key file (required)
++# allowed addresses (required, can be *)
++
++#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
+diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
+new file mode 100644
+index 000000000000..dd32f305d680
+--- /dev/null
++++ b/etc.ppp/openssl.cnf
+@@ -0,0 +1,14 @@
++openssl_conf = openssl_def
++
++[ openssl_def ]
++engines = engine_section
++
++[ engine_section ]
++pkcs11 = pkcs11_section
++
++[ pkcs11_section ]
++engine_id = pkcs11
++dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
++MODULE_PATH = /usr/lib64/libeTPkcs11.so
++init = 0
++
+diff --git a/linux/Makefile.top b/linux/Makefile.top
+index f63d45e58a78..894f8f32c9e4 100644
+--- a/linux/Makefile.top
++++ b/linux/Makefile.top
+@@ -26,7 +26,7 @@ install-progs:
+ cd pppdump; $(MAKE) $(MFLAGS) install
+
+ install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
+- $(ETCDIR)/chap-secrets
++ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client
+
+ install-devel:
+ cd pppd; $(MAKE) $(MFLAGS) install-devel
+@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets:
+ $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
+ $(ETCDIR)/chap-secrets:
+ $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
++$(ETCDIR)/eaptls-server:
++ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@
++$(ETCDIR)/eaptls-client:
++ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@
+
+ $(BINDIR):
+ $(INSTALL) -d -m 755 $@
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 5549145e5791..4a11d5fea748 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -76,6 +76,9 @@ CBCP=y
+ # Use libutil
+ USE_LIBUTIL=y
+
++# Enable EAP-TLS authentication (requires libssl and libcrypto)
++USE_EAPTLS=y
++
+ MAXOCTETS=y
+
+ INCLUDE_DIRS= -I../include
+@@ -116,6 +119,15 @@ HEADERS += sha1.h
+ PPPDOBJS += sha1.o
+ endif
+
++# EAP-TLS
++ifdef USE_EAPTLS
++CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
++LIBS += -lssl -lcrypto
++PPPDSRC += eap-tls.c
++HEADERS += eap-tls.h
++PPPDOBJS += eap-tls.o
++endif
++
+ ifdef HAS_SHADOW
+ CFLAGS += -DHAS_SHADOW
+ #LIBS += -lshadow $(LIBS)
+diff --git a/pppd/auth.c b/pppd/auth.c
+index 4271af687102..45065c58bfcc 100644
+--- a/pppd/auth.c
++++ b/pppd/auth.c
+@@ -109,6 +109,9 @@
+ #include "upap.h"
+ #include "chap-new.h"
+ #include "eap.h"
++#ifdef USE_EAPTLS
++#include "eap-tls.h"
++#endif
+ #ifdef CBCP_SUPPORT
+ #include "cbcp.h"
+ #endif
+@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
+ /* Hook for a plugin to get the CHAP password for authenticating us */
+ int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
+
++#ifdef USE_EAPTLS
++/* Hook for a plugin to get the EAP-TLS password for authenticating us */
++int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL;
++#endif
++
+ /* Hook for a plugin to say whether it is OK if the peer
+ refuses to authenticate. */
+ int (*null_auth_hook) __P((struct wordlist **paddrs,
+@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */
+ bool explicit_user = 0; /* Set if "user" option supplied */
+ bool explicit_passwd = 0; /* Set if "password" option supplied */
+ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
++#ifdef USE_EAPTLS
++char *cacert_file = NULL; /* CA certificate file (pem format) */
++char *cert_file = NULL; /* client certificate file (pem format) */
++char *privkey_file = NULL; /* client private key file (pem format) */
++char *crl_dir = NULL; /* directory containing CRL files */
++char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */
++bool need_peer_eap = 0; /* Require peer to authenticate us */
++#endif
+
+ static char *uafname; /* name of most recent +ua file */
+
+@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *));
+ static int have_chap_secret __P((char *, char *, int, int *));
+ static int have_srp_secret __P((char *client, char *server, int need_ip,
+ int *lacks_ipp));
++
++#ifdef USE_EAPTLS
++static int have_eaptls_secret_server
++__P((char *client, char *server, int need_ip, int *lacks_ipp));
++static int have_eaptls_secret_client __P((char *client, char *server));
++static int scan_authfile_eaptls __P((FILE * f, char *client, char *server,
++ char *cli_cert, char *serv_cert,
++ char *ca_cert, char *pk,
++ struct wordlist ** addrs,
++ struct wordlist ** opts,
++ char *filename, int flags));
++#endif
++
+ static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
+ static int scan_authfile __P((FILE *, char *, char *, char *,
+ struct wordlist **, struct wordlist **,
+@@ -401,6 +430,15 @@ option_t auth_options[] = {
+ "Set telephone number(s) which are allowed to connect",
+ OPT_PRIV | OPT_A2LIST },
+
++#ifdef USE_EAPTLS
++ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" },
++ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" },
++ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
++ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
++ { "crl", o_string, &crl_file, "Use specific CRL file" },
++ { "need-peer-eap", o_bool, &need_peer_eap,
++ "Require the peer to authenticate us", 1 },
++#endif /* USE_EAPTLS */
+ { NULL }
+ };
+
+@@ -730,6 +768,9 @@ link_established(unit)
+ lcp_options *wo = &lcp_wantoptions[unit];
+ lcp_options *go = &lcp_gotoptions[unit];
+ lcp_options *ho = &lcp_hisoptions[unit];
++#ifdef USE_EAPTLS
++ lcp_options *ao = &lcp_allowoptions[unit];
++#endif
+ int i;
+ struct protent *protp;
+
+@@ -764,6 +805,22 @@ link_established(unit)
+ }
+ }
+
++#ifdef USE_EAPTLS
++ if (need_peer_eap && !ao->neg_eap) {
++ warn("eap required to authenticate us but no suitable secrets");
++ lcp_close(unit, "couldn't negotiate eap");
++ status = EXIT_AUTH_TOPEER_FAILED;
++ return;
++ }
++
++ if (need_peer_eap && !ho->neg_eap) {
++ warn("peer doesn't want to authenticate us with eap");
++ lcp_close(unit, "couldn't negotiate eap");
++ status = EXIT_PEER_AUTH_FAILED;
++ return;
++ }
++#endif
++
+ new_phase(PHASE_AUTHENTICATE);
+ auth = 0;
+ if (go->neg_eap) {
+@@ -1277,6 +1334,15 @@ auth_check_options()
+ our_name, 1, &lacks_ip);
+ }
+
++#ifdef USE_EAPTLS
++ if (!can_auth && wo->neg_eap) {
++ can_auth =
++ have_eaptls_secret_server((explicit_remote ? remote_name :
++ NULL), our_name, 1, &lacks_ip);
++
++ }
++#endif
++
+ if (auth_required && !can_auth && noauth_addrs == NULL) {
+ if (default_auth) {
+ option_error(
+@@ -1331,7 +1397,11 @@ auth_reset(unit)
+ passwd[0] != 0 ||
+ (hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
+ (explicit_remote? remote_name: NULL), 0, NULL))) ||
+- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL));
++ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
++#ifdef USE_EAPTLS
++ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
++#endif
++ );
+
+ hadchap = -1;
+ if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
+@@ -1346,8 +1416,14 @@ auth_reset(unit)
+ !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
+ 1, NULL))) &&
+ !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
+- NULL))
++ NULL)
++#ifdef USE_EAPTLS
++ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
++ our_name, 1, NULL)
++#endif
++ )
+ go->neg_eap = 0;
++
+ }
+
+
+@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
+ }
+
+
++
+ /*
+ * get_secret - open the CHAP secret file and return the secret
+ * for authenticating the given client on the given server.
+@@ -2359,3 +2436,335 @@ auth_script(script)
+
+ auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
+ }
++
++
++#ifdef USE_EAPTLS
++static int
++have_eaptls_secret_server(client, server, need_ip, lacks_ipp)
++ char *client;
++ char *server;
++ int need_ip;
++ int *lacks_ipp;
++{
++ FILE *f;
++ int ret;
++ char *filename;
++ struct wordlist *addrs;
++ char servcertfile[MAXWORDLEN];
++ char clicertfile[MAXWORDLEN];
++ char cacertfile[MAXWORDLEN];
++ char pkfile[MAXWORDLEN];
++
++ filename = _PATH_EAPTLSSERVFILE;
++ f = fopen(filename, "r");
++ if (f == NULL)
++ return 0;
++
++ if (client != NULL && client[0] == 0)
++ client = NULL;
++ else if (server != NULL && server[0] == 0)
++ server = NULL;
++
++ ret =
++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
++ cacertfile, pkfile, &addrs, NULL, filename,
++ 0);
++
++ fclose(f);
++
++/*
++ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile,
++ clicertfile, pkfile))
++ ret = -1;
++*/
++
++ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) {
++ if (lacks_ipp != 0)
++ *lacks_ipp = 1;
++ ret = -1;
++ }
++ if (addrs != 0)
++ free_wordlist(addrs);
++
++ return ret >= 0;
++}
++
++
++static int
++have_eaptls_secret_client(client, server)
++ char *client;
++ char *server;
++{
++ FILE *f;
++ int ret;
++ char *filename;
++ struct wordlist *addrs = NULL;
++ char servcertfile[MAXWORDLEN];
++ char clicertfile[MAXWORDLEN];
++ char cacertfile[MAXWORDLEN];
++ char pkfile[MAXWORDLEN];
++
++ if (client != NULL && client[0] == 0)
++ client = NULL;
++ else if (server != NULL && server[0] == 0)
++ server = NULL;
++
++ if (cacert_file && cert_file && privkey_file)
++ return 1;
++
++ filename = _PATH_EAPTLSCLIFILE;
++ f = fopen(filename, "r");
++ if (f == NULL)
++ return 0;
++
++ ret =
++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
++ cacertfile, pkfile, &addrs, NULL, filename,
++ 0);
++ fclose(f);
++
++/*
++ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile,
++ servcertfile, pkfile))
++ ret = -1;
++*/
++
++ if (addrs != 0)
++ free_wordlist(addrs);
++
++ return ret >= 0;
++}
++
++
++static int
++scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk,
++ addrs, opts, filename, flags)
++ FILE *f;
++ char *client;
++ char *server;
++ char *cli_cert;
++ char *serv_cert;
++ char *ca_cert;
++ char *pk;
++ struct wordlist **addrs;
++ struct wordlist **opts;
++ char *filename;
++ int flags;
++{
++ int newline;
++ int got_flag, best_flag;
++ struct wordlist *ap, *addr_list, *alist, **app;
++ char word[MAXWORDLEN];
++
++ if (addrs != NULL)
++ *addrs = NULL;
++ if (opts != NULL)
++ *opts = NULL;
++ addr_list = NULL;
++ if (!getword(f, word, &newline, filename))
++ return -1; /* file is empty??? */
++ newline = 1;
++ best_flag = -1;
++ for (;;) {
++ /*
++ * Skip until we find a word at the start of a line.
++ */
++ while (!newline && getword(f, word, &newline, filename));
++ if (!newline)
++ break; /* got to end of file */
++
++ /*
++ * Got a client - check if it's a match or a wildcard.
++ */
++ got_flag = 0;
++ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) {
++ newline = 0;
++ continue;
++ }
++ if (!ISWILD(word))
++ got_flag = NONWILD_CLIENT;
++
++ /*
++ * Now get a server and check if it matches.
++ */
++ if (!getword(f, word, &newline, filename))
++ break;
++ if (newline)
++ continue;
++ if (!ISWILD(word)) {
++ if (server != NULL && strcmp(word, server) != 0)
++ continue;
++ got_flag |= NONWILD_SERVER;
++ }
++
++ /*
++ * Got some sort of a match - see if it's better than what
++ * we have already.
++ */
++ if (got_flag <= best_flag)
++ continue;
++
++ /*
++ * Get the cli_cert
++ */
++ if (!getword(f, word, &newline, filename))
++ break;
++ if (newline)
++ continue;
++ if (strcmp(word, "-") != 0) {
++ strlcpy(cli_cert, word, MAXWORDLEN);
++ } else
++ cli_cert[0] = 0;
++
++ /*
++ * Get serv_cert
++ */
++ if (!getword(f, word, &newline, filename))
++ break;
++ if (newline)
++ continue;
++ if (strcmp(word, "-") != 0) {
++ strlcpy(serv_cert, word, MAXWORDLEN);
++ } else
++ serv_cert[0] = 0;
++
++ /*
++ * Get ca_cert
++ */
++ if (!getword(f, word, &newline, filename))
++ break;
++ if (newline)
++ continue;
++ strlcpy(ca_cert, word, MAXWORDLEN);
++
++ /*
++ * Get pk
++ */
++ if (!getword(f, word, &newline, filename))
++ break;
++ if (newline)
++ continue;
++ strlcpy(pk, word, MAXWORDLEN);
++
++
++ /*
++ * Now read address authorization info and make a wordlist.
++ */
++ app = &alist;
++ for (;;) {
++ if (!getword(f, word, &newline, filename) || newline)
++ break;
++ ap = (struct wordlist *)
++ malloc(sizeof(struct wordlist) + strlen(word) + 1);
++ if (ap == NULL)
++ novm("authorized addresses");
++ ap->word = (char *) (ap + 1);
++ strcpy(ap->word, word);
++ *app = ap;
++ app = &ap->next;
++ }
++ *app = NULL;
++ /*
++ * This is the best so far; remember it.
++ */
++ best_flag = got_flag;
++ if (addr_list)
++ free_wordlist(addr_list);
++ addr_list = alist;
++
++ if (!newline)
++ break;
++ }
++
++ /* scan for a -- word indicating the start of options */
++ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next)
++ if (strcmp(ap->word, "--") == 0)
++ break;
++ /* ap = start of options */
++ if (ap != NULL) {
++ ap = ap->next; /* first option */
++ free(*app); /* free the "--" word */
++ *app = NULL; /* terminate addr list */
++ }
++ if (opts != NULL)
++ *opts = ap;
++ else if (ap != NULL)
++ free_wordlist(ap);
++ if (addrs != NULL)
++ *addrs = addr_list;
++ else if (addr_list != NULL)
++ free_wordlist(addr_list);
++
++ return best_flag;
++}
++
++
++int
++get_eaptls_secret(unit, client, server, clicertfile, servcertfile,
++ cacertfile, pkfile, am_server)
++ int unit;
++ char *client;
++ char *server;
++ char *clicertfile;
++ char *servcertfile;
++ char *cacertfile;
++ char *pkfile;
++ int am_server;
++{
++ FILE *fp;
++ int ret;
++ char *filename = NULL;
++ struct wordlist *addrs = NULL;
++ struct wordlist *opts = NULL;
++
++ /* in client mode the ca+cert+privkey can also be specified as options */
++ if (!am_server && cacert_file && cert_file && privkey_file )
++ {
++ strlcpy( clicertfile, cert_file, MAXWORDLEN );
++ strlcpy( cacertfile, cacert_file, MAXWORDLEN );
++ strlcpy( pkfile, privkey_file, MAXWORDLEN );
++ servcertfile[0] = '\0';
++ }
++ else
++ {
++ filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);
++ addrs = NULL;
++
++ fp = fopen(filename, "r");
++ if (fp == NULL)
++ {
++ error("Can't open eap-tls secret file %s: %m", filename);
++ return 0;
++ }
++
++ check_access(fp, filename);
++
++ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile,
++ cacertfile, pkfile, &addrs, &opts, filename, 0);
++
++ fclose(fp);
++
++ if (ret < 0) return 0;
++ }
++
++ if (eaptls_passwd_hook)
++ {
++ dbglog( "Calling eaptls password hook" );
++ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0)
++ {
++ error("Unable to obtain EAP-TLS password for %s (%s) from plugin",
++ client, pkfile);
++ return 0;
++ }
++ }
++ if (am_server)
++ set_allowed_addrs(unit, addrs, opts);
++ else if (opts != NULL)
++ free_wordlist(opts);
++ if (addrs != NULL)
++ free_wordlist(addrs);
++
++ return 1;
++}
++#endif
++
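Review bot: scan_authfile_eaptls parses a positional record (client, server, client-cert, server-cert, ca-cert, private-key, then address words and an optional `--` options list) but carries no header comment, while the existing get_secret comment just above this hunk documents its format; a comment such as `/* Scan an EAP-TLS secrets file for the best client/server match. Each record is: client server client-cert server-cert ca-cert private-key [addr ...] [-- opt ...]; "-" leaves a cert field empty. Returns the NONWILD_* match flags, or -1 if nothing matched. */` would define the file format where it is actually parsed. The commented-out eaptls_init_ssl blocks in have_eaptls_secret_server and have_eaptls_secret_client are dead code; either remove them or replace each with a one-line comment saying that certificate and key paths are only validated later, when eaptls_init_ssl is called from the eap-tls side. In get_eaptls_secret, `ret` is never set on the options branch and `filename = NULL` is only ever overwritten, both of which read as leftovers and could be tightened. Note that have_eaptls_secret_server and have_eaptls_secret_client, like have_chap_secret, only normalise an empty server name when the client name was non-empty (the `else if`), which is easy to misread without a comment.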
+diff --git a/pppd/ccp.c b/pppd/ccp.c
+index 7d7922afcfc0..0a93b15aeef3 100644
+--- a/pppd/ccp.c
++++ b/pppd/ccp.c
+@@ -540,6 +540,9 @@ ccp_resetci(f)
+ if (go->mppe) {
+ ccp_options *ao = &ccp_allowoptions[f->unit];
+ int auth_mschap_bits = auth_done[f->unit];
++#ifdef USE_EAPTLS
++ int auth_eap_bits = auth_done[f->unit];
++#endif
+ int numbits;
+
+ /*
+@@ -567,8 +570,23 @@ ccp_resetci(f)
+ lcp_close(f->unit, "MPPE required but not available");
+ return;
+ }
++
++#ifdef USE_EAPTLS
++ /*
++ * MPPE is also possible in combination with EAP-TLS.
++ * It is not possible to detect if we're doing EAP or EAP-TLS
++ * at this stage, hence we accept all forms of EAP. If TLS is
++ * not used then the MPPE keys will not be derived anyway.
++ */
++ /* Leave only the eap auth bits set */
++ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );
++
++ if ((numbits == 0) && (auth_eap_bits == 0)) {
++ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
++#else
+ if (!numbits) {
+- error("MPPE required, but MS-CHAP[v2] auth not performed.");
++ error("MPPE required, but MS-CHAP[v2] auth not performed.");
++#endif
+ lcp_close(f->unit, "MPPE required but not available");
+ return;
+ }
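Review bot: The USE_EAPTLS branch changes what "MPPE required" means at this point: any EAP method that set EAP_WITHPEER or EAP_PEER now passes the check, so a link authenticated with a non-TLS EAP method is no longer closed here even though, as the new comment itself says, no MPPE keys will have been derived for it. Whether such a link is still refused then rests on a later keys-available check in ccp_resetci (which continues outside this hunk); presumably that is the mppe_keys_set check, and if so the comment should say so, e.g. `/* non-TLS EAP is rejected by the mppe_keys_set check below */`, because otherwise the relaxed condition reads as allowing MPPE-required links without keys. The new message is also ungrammatical; `error("MPPE required, but neither MS-CHAP[v2] nor EAP-TLS auth was performed.");` is clearer. The re-indented error() line in the #else branch is a whitespace-only change.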
+diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
+index 77dd4ecc7059..269b52cb2041 100644
+--- a/pppd/chap-md5.c
++++ b/pppd/chap-md5.c
+@@ -36,7 +36,11 @@
+ #include "chap-new.h"
+ #include "chap-md5.h"
+ #include "magic.h"
++#ifdef USE_EAPTLS
++#include "eap-tls.h"
++#else
+ #include "md5.h"
++#endif /* USE_EAPTLS */
+
+ #define MD5_HASH_SIZE 16
+ #define MD5_MIN_CHALLENGE 16
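Review bot: Nothing in this hunk says which MD5 implementation chap-md5.c uses once USE_EAPTLS is defined; the include swap makes the MD5_* calls resolve through eap-tls.h, and per the commit description that is presumably OpenSSL's API replacing the bundled md5.h. A one-line comment would save the next reader a grep: `/* With EAP-TLS, eap-tls.h supplies the MD5 API (OpenSSL); the bundled md5.h is only used otherwise */`. Since the two headers must expose an identical MD5_Init/Update/Final surface for this to build, that expectation is worth stating next to the #ifdef.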
+diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
+new file mode 100644
+index 000000000000..df4bc1b996c9
+--- /dev/null
++++ b/pppd/eap-tls.c
+@@ -0,0 +1,1383 @@
++/* * eap-tls.c - EAP-TLS implementation for PPP
++ *
++ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. The name(s) of the authors of this software must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission.
++ *
++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ *
++ */
++
++#include <string.h>
++#include <unistd.h>
++#include <sys/types.h>
++#include <sys/stat.h>
++#include <fcntl.h>
++
++#include <openssl/conf.h>
++#include <openssl/engine.h>
++#include <openssl/hmac.h>
++#include <openssl/err.h>
++#include <openssl/x509v3.h>
++
++#include "pppd.h"
++#include "eap.h"
++#include "eap-tls.h"
++#include "fsm.h"
++#include "lcp.h"
++#include "pathnames.h"
++
++/* The openssl configuration file and engines can be loaded only once */
++static CONF *ssl_config = NULL;
++static ENGINE *cert_engine = NULL;
++static ENGINE *pkey_engine = NULL;
++
++#ifdef MPPE
++
++#define EAPTLS_MPPE_KEY_LEN 32
++
++/*
++ * The following stuff is only needed if SSL_export_keying_material() is not available
++ */
++
++#if OPENSSL_VERSION_NUMBER < 0x10001000L
++
++/*
++ * https://wiki.openssl.org/index.php/1.1_API_Changes
++ * tries to provide some guidance but ultimately falls short.
++ *
++ */
++
++static void HMAC_CTX_free(HMAC_CTX *ctx)
++{
++ if (ctx != NULL) {
++ HMAC_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
++}
++
++static HMAC_CTX *HMAC_CTX_new(void)
++{
++ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
++ if (ctx != NULL)
++ HMAC_CTX_init(ctx);
++ return ctx;
++}
++
++static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
++ size_t outlen)
++{
++ if (outlen == 0)
++ return sizeof(ssl->s3->client_random);
++ if (outlen > sizeof(ssl->s3->client_random))
++ outlen = sizeof(ssl->s3->client_random);
++ memcpy(out, ssl->s3->client_random, outlen);
++ return outlen;
++}
++
++static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
++ size_t outlen)
++{
++ if (outlen == 0)
++ return sizeof(ssl->s3->server_random);
++ if (outlen > sizeof(ssl->s3->server_random))
++ outlen = sizeof(ssl->s3->server_random);
++ memcpy(out, ssl->s3->server_random, outlen);
++ return outlen;
++}
++
++static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
++ unsigned char *out, size_t outlen)
++{
++ if (outlen == 0)
++ return session->master_key_length;
++ if (outlen > session->master_key_length)
++ outlen = session->master_key_length;
++ memcpy(out, session->master_key, outlen);
++ return outlen;
++}
++
++
++/*
++ * TLS PRF from RFC 2246
++ */
++static void P_hash(const EVP_MD *evp_md,
++ const unsigned char *secret, unsigned int secret_len,
++ const unsigned char *seed, unsigned int seed_len,
++ unsigned char *out, unsigned int out_len)
++{
++ HMAC_CTX *ctx_a, *ctx_out;
++ unsigned char a[HMAC_MAX_MD_CBLOCK];
++ unsigned int size;
++
++ ctx_a = HMAC_CTX_new();
++ ctx_out = HMAC_CTX_new();
++ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
++ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
++
++ size = HMAC_size(ctx_out);
++
++ /* Calculate A(1) */
++ HMAC_Update(ctx_a, seed, seed_len);
++ HMAC_Final(ctx_a, a, NULL);
++
++ while (1) {
++ /* Calculate next part of output */
++ HMAC_Update(ctx_out, a, size);
++ HMAC_Update(ctx_out, seed, seed_len);
++
++ /* Check if last part */
++ if (out_len < size) {
++ HMAC_Final(ctx_out, a, NULL);
++ memcpy(out, a, out_len);
++ break;
++ }
++
++ /* Place digest in output buffer */
++ HMAC_Final(ctx_out, out, NULL);
++ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
++ out += size;
++ out_len -= size;
++
++ /* Calculate next A(i) */
++ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
++ HMAC_Update(ctx_a, a, size);
++ HMAC_Final(ctx_a, a, NULL);
++ }
++
++ HMAC_CTX_free(ctx_a);
++ HMAC_CTX_free(ctx_out);
++ memset(a, 0, sizeof(a));
++}
++
++static void PRF(const unsigned char *secret, unsigned int secret_len,
++ const unsigned char *seed, unsigned int seed_len,
++ unsigned char *out, unsigned char *buf, unsigned int out_len)
++{
++ unsigned int i;
++ unsigned int len = (secret_len + 1) / 2;
++ const unsigned char *s1 = secret;
++ const unsigned char *s2 = secret + (secret_len - len);
++
++ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len);
++ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
++
++ for (i=0; i < out_len; i++) {
++ out[i] ^= buf[i];
++ }
++}
++
++static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
++ const char *label, size_t llen,
++ const unsigned char *p, size_t plen,
++ int use_context)
++{
++ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
++ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN];
++ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
++ size_t master_key_length;
++ unsigned char *pp;
++
++ pp = seed;
++
++ memcpy(pp, label, llen);
++ pp += llen;
++
++ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE);
++ pp += SSL3_RANDOM_SIZE;
++
++ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE);
++
++ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
++ sizeof(master_key));
++ PRF(master_key, master_key_length, seed, llen, out, buf, olen);
++
++ return 1;
++}
++
++#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */
++
++
++/*
++ * OpenSSL 1.1+ introduced a generic TLS_method()
++ * For older releases we substitute the appropriate method
++ */
++
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++#define TLS_method SSLv23_method
++
++#define SSL3_RT_HEADER 0x100
++
++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
++
++
++/*
++ * Generate keys according to RFC 2716 and add to reply
++ */
++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
++ int client)
++{
++ unsigned char out[4*EAPTLS_MPPE_KEY_LEN];
++ size_t prf_size = strlen(prf_label);
++ unsigned char *p;
++
++ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1)
++ {
++ warn( "EAP-TLS: Failed generating keying material" );
++ return;
++ }
++
++ /*
++ * We now have the master send and receive keys.
++ * From these, generate the session send and receive keys.
++ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
++ */
++ if (client)
++ {
++ p = out;
++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
++ p += EAPTLS_MPPE_KEY_LEN;
++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
++ }
++ else
++ {
++ p = out;
++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
++ p += EAPTLS_MPPE_KEY_LEN;
++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
++ }
++
++ mppe_keys_set = 1;
++}
++
++#endif
++
++void log_ssl_errors( void )
++{
++ unsigned long ssl_err = ERR_get_error();
++
++ if (ssl_err != 0)
++ dbglog("EAP-TLS SSL error stack:");
++ while (ssl_err != 0) {
++ dbglog( ERR_error_string( ssl_err, NULL ) );
++ ssl_err = ERR_get_error();
++ }
++}
++
++
++int password_callback (char *buf, int size, int rwflag, void *u)
++{
++ if (buf)
++ {
++ strncpy (buf, passwd, size);
++ return strlen (buf);
++ }
++ return 0;
++}
++
++
++CONF *eaptls_ssl_load_config( void )
++{
++ CONF *config;
++ int ret_code;
++ long error_line = 33;
++
++ config = NCONF_new( NULL );
++ dbglog( "Loading OpenSSL config file" );
++ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
++ if (ret_code == 0)
++ {
++ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
++ NCONF_free( config );
++ config = NULL;
++ ERR_clear_error();
++ }
++
++ dbglog( "Loading OpenSSL built-ins" );
++ ENGINE_load_builtin_engines();
++ OPENSSL_load_builtin_modules();
++
++ dbglog( "Loading OpenSSL configured modules" );
++ if (CONF_modules_load( config, NULL, 0 ) <= 0 )
++ {
++ warn( "EAP-TLS: Error loading OpenSSL modules" );
++ log_ssl_errors();
++ config = NULL;
++ }
++
++ return config;
++}
++
++ENGINE *eaptls_ssl_load_engine( char *engine_name )
++{
++ ENGINE *e = NULL;
++
++ dbglog( "Enabling OpenSSL auto engines" );
++ ENGINE_register_all_complete();
++
++ dbglog( "Loading OpenSSL '%s' engine support", engine_name );
++ e = ENGINE_by_id( engine_name );
++ if (!e)
++ {
++ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
++ e = ENGINE_by_id( "dynamic" );
++ if (e)
++ {
++ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
++ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
++ {
++ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
++ log_ssl_errors();
++ ENGINE_free(e);
++ e = NULL;
++ }
++ }
++ else
++ {
++ warn( "EAP-TLS: Cannot load dynamic engine support" );
++ }
++ }
++
++ if (e)
++ {
++ dbglog( "Initialising engine" );
++ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
++ {
++ warn( "EAP-TLS: Cannot use that engine" );
++ log_ssl_errors();
++ ENGINE_free(e);
++ e = NULL;
++ }
++ }
++
++ return e;
++}
++
++/*
++ * Initialize the SSL stacks and tests if certificates, key and crl
++ * for client or server use can be loaded.
++ */
++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
++ char *certfile, char *peer_certfile, char *privkeyfile)
++{
++ char *cert_engine_name = NULL;
++ char *cert_identifier = NULL;
++ char *pkey_engine_name = NULL;
++ char *pkey_identifier = NULL;
++ SSL_CTX *ctx;
++ SSL *ssl;
++ X509_STORE *certstore;
++ X509_LOOKUP *lookup;
++ X509 *tmp;
++ int ret;
++
++ /*
++ * Without these can't continue
++ */
++ if (!cacertfile[0])
++ {
++ error("EAP-TLS: CA certificate missing");
++ return NULL;
++ }
++
++ if (!certfile[0])
++ {
++ error("EAP-TLS: User certificate missing");
++ return NULL;
++ }
++
++ if (!privkeyfile[0])
++ {
++ error("EAP-TLS: User private key missing");
++ return NULL;
++ }
++
++ SSL_library_init();
++ SSL_load_error_strings();
++
++ ctx = SSL_CTX_new(TLS_method());
++
++ if (!ctx) {
++ error("EAP-TLS: Cannot initialize SSL CTX context");
++ goto fail;
++ }
++
++ /* if the certificate filename is of the form engine:id. e.g.
++ pkcs11:12345
++ then we try to load and use this engine.
++ If the certificate filename starts with a / or . then we
++ ALWAYS assume it is a file and not an engine/pkcs11 identifier
++ */
++ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
++ {
++ cert_identifier = index( certfile, ':' );
++
++ if (cert_identifier)
++ {
++ cert_engine_name = certfile;
++ *cert_identifier = '\0';
++ cert_identifier++;
++
++ dbglog( "Found certificate engine '%s'", cert_engine_name );
++ dbglog( "Found certificate identifier '%s'", cert_identifier );
++ }
++ }
++
++ /* if the privatekey filename is of the form engine:id. e.g.
++ pkcs11:12345
++ then we try to load and use this engine.
++ If the privatekey filename starts with a / or . then we
++ ALWAYS assume it is a file and not an engine/pkcs11 identifier
++ */
++ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
++ {
++ pkey_identifier = index( privkeyfile, ':' );
++
++ if (pkey_identifier)
++ {
++ pkey_engine_name = privkeyfile;
++ *pkey_identifier = '\0';
++ pkey_identifier++;
++
++ dbglog( "Found privatekey engine '%s'", pkey_engine_name );
++ dbglog( "Found privatekey identifier '%s'", pkey_identifier );
++ }
++ }
++
++ if (cert_identifier && pkey_identifier)
++ {
++ if (strlen( cert_identifier ) == 0)
++ {
++ if (strlen( pkey_identifier ) == 0)
++ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
++ else
++ {
++ dbglog( "Substituting privatekey identifier for certificate identifier" );
++ cert_identifier = pkey_identifier;
++ }
++ }
++ else
++ {
++ if (strlen( pkey_identifier ) == 0)
++ {
++ dbglog( "Substituting certificate identifier for privatekey identifier" );
++ pkey_identifier = cert_identifier;
++ }
++ }
++
++ }
++
++ /* load the openssl config file only once */
++ if (!ssl_config)
++ {
++ if (cert_engine_name || pkey_engine_name)
++ ssl_config = eaptls_ssl_load_config();
++
++ if (ssl_config && cert_engine_name)
++ cert_engine = eaptls_ssl_load_engine( cert_engine_name );
++
++ if (ssl_config && pkey_engine_name)
++ {
++ /* don't load the same engine twice */
++ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
++ pkey_engine = cert_engine;
++ else
++ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
++ }
++ }
++
++ SSL_CTX_set_default_passwd_cb (ctx, password_callback);
++
++ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
++ {
++ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
++ goto fail;
++ }
++
++ if (init_server)
++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
++
++ if (cert_engine)
++ {
++ struct
++ {
++ const char *s_slot_cert_id;
++ X509 *cert;
++ } cert_info;
++
++ cert_info.s_slot_cert_id = cert_identifier;
++ cert_info.cert = NULL;
++
++ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
++ {
++ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
++ goto fail;
++ }
++
++ if (cert_info.cert)
++ {
++ dbglog( "Got the certificate, adding it to SSL context" );
++ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
++ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
++ {
++ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
++ goto fail;
++ }
++ }
++ else
++ {
++ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
++ log_ssl_errors();
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
++ {
++ error( "EAP-TLS: Cannot use public certificate %s", certfile );
++ goto fail;
++ }
++ }
++
++
++ /*
++ * Check the Before and After dates of the certificate
++ */
++ ssl = SSL_new(ctx);
++ tmp = SSL_get_certificate(ssl);
++
++ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL);
++ if (ret == 0)
++ {
++ warn( "EAP-TLS: Failed to read certificate notBefore field.");
++ }
++ if (ret > 0)
++ {
++ warn( "EAP-TLS: Your certificate is not yet valid!");
++ }
++
++ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL);
++ if (ret == 0)
++ {
++ warn( "EAP-TLS: Failed to read certificate notAfter field.");
++ }
++ if (ret < 0)
++ {
++ warn( "EAP-TLS: Your certificate has expired!");
++ }
++ SSL_free(ssl);
++
++ if (pkey_engine)
++ {
++ EVP_PKEY *pkey = NULL;
++ PW_CB_DATA cb_data;
++
++ cb_data.password = passwd;
++ cb_data.prompt_info = pkey_identifier;
++
++ dbglog( "Loading private key '%s' from engine", pkey_identifier );
++ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
++ if (pkey)
++ {
++ dbglog( "Got the private key, adding it to SSL context" );
++ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
++ {
++ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
++ goto fail;
++ }
++ }
++ else
++ {
++ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
++ log_ssl_errors();
++ }
++ }
++ else
++ {
++ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
++ {
++ error("EAP-TLS: Cannot use private key %s", privkeyfile);
++ goto fail;
++ }
++ }
++
++ if (SSL_CTX_check_private_key(ctx) != 1) {
++ error("EAP-TLS: Private key %s fails security check", privkeyfile);
++ goto fail;
++ }
++
++ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
++#ifdef SSL_OP_NO_TICKET
++ | SSL_OP_NO_TICKET
++#endif
++ );
++
++ SSL_CTX_set_verify_depth(ctx, 5);
++ SSL_CTX_set_verify(ctx,
++ SSL_VERIFY_PEER |
++ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
++ &ssl_verify_callback);
++
++ if (crl_dir) {
++ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
++ error("EAP-TLS: Failed to get certificate store");
++ goto fail;
++ }
++
++ if (!(lookup =
++ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
++ error("EAP-TLS: Store lookup for CRL failed");
++
++ goto fail;
++ }
++
++ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
++ }
++
++ if (crl_file) {
++ FILE *fp = NULL;
++ X509_CRL *crl = NULL;
++
++ fp = fopen(crl_file, "r");
++ if (!fp) {
++ error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
++ goto fail;
++ }
++
++ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
++ if (!crl) {
++ error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
++ goto fail;
++ }
++
++ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
++ error("EAP-TLS: Failed to get certificate store");
++ goto fail;
++ }
++ if (!X509_STORE_add_crl(certstore, crl)) {
++ error("EAP-TLS: Cannot add CRL to certificate store");
++ goto fail;
++ }
++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
++
++ }
++
++ /*
++ * If a peer certificate file was specified, it must be valid, else fail
++ */
++ if (peer_certfile[0]) {
++ if (!(tmp = get_X509_from_file(peer_certfile))) {
++ error("EAP-TLS: Error loading client certificate from file %s",
++ peer_certfile);
++ goto fail;
++ }
++ X509_free(tmp);
++ }
++
++ return ctx;
++
++fail:
++ log_ssl_errors();
++ SSL_CTX_free(ctx);
++ return NULL;
++}
++
++/*
++ * Determine the maximum packet size by looking at the LCP handshake
++ */
++
++int eaptls_get_mtu(int unit)
++{
++ int mtu, mru;
++
++ lcp_options *wo = &lcp_wantoptions[unit];
++ lcp_options *go = &lcp_gotoptions[unit];
++ lcp_options *ho = &lcp_hisoptions[unit];
++ lcp_options *ao = &lcp_allowoptions[unit];
++
++ mtu = ho->neg_mru? ho->mru: PPP_MRU;
++ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
++ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
++
++ dbglog("MTU = %d", mtu);
++ return mtu;
++}
++
++
++/*
++ * Init the ssl handshake (server mode)
++ */
++int eaptls_init_ssl_server(eap_state * esp)
++{
++ struct eaptls_session *ets;
++ char servcertfile[MAXWORDLEN];
++ char clicertfile[MAXWORDLEN];
++ char cacertfile[MAXWORDLEN];
++ char pkfile[MAXWORDLEN];
++ /*
++ * Allocate new eaptls session
++ */
++ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
++ if (!esp->es_server.ea_session)
++ fatal("Allocation error");
++ ets = esp->es_server.ea_session;
++
++ if (!esp->es_server.ea_peer) {
++ error("EAP-TLS: Error: client name not set (BUG)");
++ return 0;
++ }
++
++ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
++
++ dbglog( "getting eaptls secret" );
++ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
++ esp->es_server.ea_name, clicertfile,
++ servcertfile, cacertfile, pkfile, 1)) {
++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
++ esp->es_server.ea_peer, esp->es_server.ea_name );
++ return 0;
++ }
++
++ ets->mtu = eaptls_get_mtu(esp->es_unit);
++
++ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
++ if (!ets->ctx)
++ goto fail;
++
++ if (!(ets->ssl = SSL_new(ets->ctx)))
++ goto fail;
++
++ /*
++ * Set auto-retry to avoid timeouts on BIO_read
++ */
++ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
++
++ /*
++ * Initialize the BIOs we use to read/write to ssl engine
++ */
++ ets->into_ssl = BIO_new(BIO_s_mem());
++ ets->from_ssl = BIO_new(BIO_s_mem());
++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
++
++ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
++ SSL_set_msg_callback_arg(ets->ssl, ets);
++
++ /*
++ * Attach the session struct to the connection, so we can later
++ * retrieve it when doing certificate verification
++ */
++ SSL_set_ex_data(ets->ssl, 0, ets);
++
++ SSL_set_accept_state(ets->ssl);
++
++ ets->data = NULL;
++ ets->datalen = 0;
++ ets->alert_sent = 0;
++ ets->alert_recv = 0;
++
++ /*
++ * If we specified the client certificate file, store it in ets->peercertfile,
++ * so we can check it later in ssl_verify_callback()
++ */
++ if (clicertfile[0])
++ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
++ else
++ ets->peercertfile[0] = 0;
++
++ return 1;
++
++fail:
++ SSL_CTX_free(ets->ctx);
++ return 0;
++}
++
++/*
++ * Init the ssl handshake (client mode)
++ */
++int eaptls_init_ssl_client(eap_state * esp)
++{
++ struct eaptls_session *ets;
++ char servcertfile[MAXWORDLEN];
++ char clicertfile[MAXWORDLEN];
++ char cacertfile[MAXWORDLEN];
++ char pkfile[MAXWORDLEN];
++
++ /*
++ * Allocate new eaptls session
++ */
++ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
++ if (!esp->es_client.ea_session)
++ fatal("Allocation error");
++ ets = esp->es_client.ea_session;
++
++ /*
++ * If available, copy server name in ets; it will be used in cert
++ * verify
++ */
++ if (esp->es_client.ea_peer)
++ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
++ else
++ ets->peer[0] = 0;
++
++ ets->mtu = eaptls_get_mtu(esp->es_unit);
++
++ dbglog( "calling get_eaptls_secret" );
++ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
++ ets->peer, clicertfile,
++ servcertfile, cacertfile, pkfile, 0)) {
++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
++ esp->es_client.ea_name, ets->peer );
++ return 0;
++ }
++
++ dbglog( "calling eaptls_init_ssl" );
++ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
++ if (!ets->ctx)
++ goto fail;
++
++ ets->ssl = SSL_new(ets->ctx);
++
++ if (!ets->ssl)
++ goto fail;
++
++ /*
++ * Initialize the BIOs we use to read/write to ssl engine
++ */
++ dbglog( "Initializing SSL BIOs" );
++ ets->into_ssl = BIO_new(BIO_s_mem());
++ ets->from_ssl = BIO_new(BIO_s_mem());
++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
++
++ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
++ SSL_set_msg_callback_arg(ets->ssl, ets);
++
++ /*
++ * Attach the session struct to the connection, so we can later
++ * retrieve it when doing certificate verification
++ */
++ SSL_set_ex_data(ets->ssl, 0, ets);
++
++ SSL_set_connect_state(ets->ssl);
++
++ ets->data = NULL;
++ ets->datalen = 0;
++ ets->alert_sent = 0;
++ ets->alert_recv = 0;
++
++ /*
++ * If we specified the server certificate file, store it in
++ * ets->peercertfile, so we can check it later in
++ * ssl_verify_callback()
++ */
++ if (servcertfile[0])
++ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
++ else
++ ets->peercertfile[0] = 0;
++
++ return 1;
++
++fail:
++ dbglog( "eaptls_init_ssl_client: fail" );
++ SSL_CTX_free(ets->ctx);
++ return 0;
++
++}
++
++void eaptls_free_session(struct eaptls_session *ets)
++{
++ if (ets->ssl)
++ SSL_free(ets->ssl);
++
++ if (ets->ctx)
++ SSL_CTX_free(ets->ctx);
++
++ free(ets);
++}
++
++/*
++ * Handle a received packet, reassembling fragmented messages and
++ * passing them to the ssl engine
++ */
++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
++{
++ u_char flags;
++ u_int tlslen = 0;
++ u_char dummy[65536];
++
++ if (len < 1) {
++ warn("EAP-TLS: received no or invalid data");
++ return 1;
++ }
++
++ GETCHAR(flags, inp);
++ len--;
++
++ if (flags & EAP_TLS_FLAGS_LI && len > 4) {
++ /*
++ * LenghtIncluded flag set -> this is the first packet of a message
++ */
++
++ /*
++ * the first 4 octets are the length of the EAP-TLS message
++ */
++ GETLONG(tlslen, inp);
++ len -= 4;
++
++ if (!ets->data) {
++
++ if (tlslen > EAP_TLS_MAX_LEN) {
++ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
++ tlslen = EAP_TLS_MAX_LEN;
++ }
++
++ /*
++ * Allocate memory for the whole message
++ */
++ ets->data = malloc(tlslen);
++ if (!ets->data)
++ fatal("EAP-TLS: allocation error\n");
++
++ ets->datalen = 0;
++ ets->tlslen = tlslen;
++ }
++ else
++ warn("EAP-TLS: non-first LI packet? that's odd...");
++ }
++ else if (!ets->data) {
++ /*
++ * A non fragmented message without LI flag
++ */
++
++ ets->data = malloc(len);
++ if (!ets->data)
++ fatal("EAP-TLS: allocation error\n");
++
++ ets->datalen = 0;
++ ets->tlslen = len;
++ }
++
++ if (flags & EAP_TLS_FLAGS_MF)
++ ets->frag = 1;
++ else
++ ets->frag = 0;
++
++ if (len < 0) {
++ warn("EAP-TLS: received malformed data");
++ return 1;
++ }
++
++ if (len + ets->datalen > ets->tlslen) {
++ warn("EAP-TLS: received data > TLS message length");
++ return 1;
++ }
++
++ BCOPY(inp, ets->data + ets->datalen, len);
++ ets->datalen += len;
++
++ if (!ets->frag) {
++
++ /*
++ * If we have the whole message, pass it to ssl
++ */
++
++ if (ets->datalen != ets->tlslen) {
++ warn("EAP-TLS: received data != TLS message length");
++ return 1;
++ }
++
++ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
++ log_ssl_errors();
++
++ SSL_read(ets->ssl, dummy, 65536);
++
++ free(ets->data);
++ ets->data = NULL;
++ ets->datalen = 0;
++ }
++
++ return 0;
++}
++
++/*
++ * Return an eap-tls packet in outp.
++ * A TLS message read from the ssl engine is buffered in ets->data.
++ * At each call we control if there is buffered data and send a
++ * packet of mtu bytes.
++ */
++int eaptls_send(struct eaptls_session *ets, u_char ** outp)
++{
++ bool first = 0;
++ int size;
++ u_char fromtls[65536];
++ int res;
++ u_char *start;
++
++ start = *outp;
++
++ if (!ets->data) {
++
++ if(!ets->alert_sent)
++ SSL_read(ets->ssl, fromtls, 65536);
++
++ /*
++ * Read from ssl
++ */
++ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
++ {
++ warn("EAP-TLS send: No data from BIO_read");
++ return 1;
++ }
++
++ ets->datalen = res;
++
++ ets->data = malloc(ets->datalen);
++ BCOPY(fromtls, ets->data, ets->datalen);
++
++ ets->offset = 0;
++ first = 1;
++
++ }
++
++ size = ets->datalen - ets->offset;
++
++ if (size > ets->mtu) {
++ size = ets->mtu;
++ ets->frag = 1;
++ } else
++ ets->frag = 0;
++
++ PUTCHAR(EAPT_TLS, *outp);
++
++ /*
++ * Set right flags and length if necessary
++ */
++ if (ets->frag && first) {
++ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
++ PUTLONG(ets->datalen, *outp);
++ } else if (ets->frag) {
++ PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
++ } else
++ PUTCHAR(0, *outp);
++
++ /*
++ * Copy the data in outp
++ */
++ BCOPY(ets->data + ets->offset, *outp, size);
++ INCPTR(size, *outp);
++
++ /*
++ * Copy the packet in retransmission buffer
++ */
++ BCOPY(start, &ets->rtx[0], *outp - start);
++ ets->rtx_len = *outp - start;
++
++ ets->offset += size;
++
++ if (ets->offset >= ets->datalen) {
++
++ /*
++ * The whole message has been sent
++ */
++
++ free(ets->data);
++ ets->data = NULL;
++ ets->datalen = 0;
++ ets->offset = 0;
++ }
++
++ return 0;
++}
++
++/*
++ * Get the sent packet from the retransmission buffer
++ */
++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
++{
++ BCOPY(ets->rtx, *outp, ets->rtx_len);
++ INCPTR(ets->rtx_len, *outp);
++}
++
++/*
++ * Verify a certificate.
++ * Most of the work (signatures and issuer attributes checking)
++ * is done by ssl; we check the CN in the peer certificate
++ * against the peer name.
++ */
++int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
++{
++ char subject[256];
++ char cn_str[256];
++ X509 *peer_cert;
++ int err, depth;
++ SSL *ssl;
++ struct eaptls_session *ets;
++
++ peer_cert = X509_STORE_CTX_get_current_cert(ctx);
++ err = X509_STORE_CTX_get_error(ctx);
++ depth = X509_STORE_CTX_get_error_depth(ctx);
++
++ dbglog("certificate verify depth: %d", depth);
++
++ if (auth_required && !ok) {
++ X509_NAME_oneline(X509_get_subject_name(peer_cert),
++ subject, 256);
++
++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
++ NID_commonName, cn_str, 256);
++
++ dbglog("Certificate verification error:\n depth: %d CN: %s"
++ "\n err: %d (%s)\n", depth, cn_str, err,
++ X509_verify_cert_error_string(err));
++
++ return 0;
++ }
++
++ ssl = X509_STORE_CTX_get_ex_data(ctx,
++ SSL_get_ex_data_X509_STORE_CTX_idx());
++
++ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
++
++ if (ets == NULL) {
++ error("Error: SSL_get_ex_data returned NULL");
++ return 0;
++ }
++
++ log_ssl_errors();
++
++ if (!depth) { /* This is the peer certificate */
++
++ X509_NAME_oneline(X509_get_subject_name(peer_cert),
++ subject, 256);
++
++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
++ NID_commonName, cn_str, 256);
++
++ /*
++ * If acting as client and the name of the server wasn't specified
++ * explicitely, we can't verify the server authenticity
++ */
++ if (!ets->peer[0]) {
++ warn("Peer name not specified: no check");
++ return ok;
++ }
++
++ /*
++ * Check the CN
++ */
++ if (strcmp(cn_str, ets->peer)) {
++ error
++ ("Certificate verification error: CN (%s) != peer_name (%s)",
++ cn_str, ets->peer);
++ return 0;
++ }
++
++ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
++
++ /*
++ * If a peer certificate file was specified, here we check it
++ */
++ if (ets->peercertfile[0]) {
++ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
++ != 0) {
++ error
++ ("Peer certificate doesn't match stored certificate");
++ return 0;
++ }
++ }
++ }
++
++ return ok;
++}
++
++/*
++ * Compare a certificate with the one stored in a file
++ */
++int ssl_cmp_certs(char *filename, X509 * a)
++{
++ X509 *b;
++ int ret;
++
++ if (!(b = get_X509_from_file(filename)))
++ return 1;
++
++ ret = X509_cmp(a, b);
++ X509_free(b);
++
++ return ret;
++
++}
++
++X509 *get_X509_from_file(char *filename)
++{
++ FILE *fp;
++ X509 *ret;
++
++ if (!(fp = fopen(filename, "r")))
++ return NULL;
++
++ ret = PEM_read_X509(fp, NULL, NULL, NULL);
++
++ fclose(fp);
++
++ return ret;
++}
++
++/*
++ * Every sent & received message this callback function is invoked,
++ * so we know when alert messages have arrived or are sent and
++ * we can print debug information about TLS handshake.
++ */
++void
++ssl_msg_callback(int write_p, int version, int content_type,
++ const void *buf, size_t len, SSL * ssl, void *arg)
++{
++ char string[256];
++ struct eaptls_session *ets = (struct eaptls_session *)arg;
++ unsigned char code;
++ const unsigned char*msg = buf;
++ int hvers = msg[1] << 8 | msg[2];
++
++ if(write_p)
++ strcpy(string, " -> ");
++ else
++ strcpy(string, " <- ");
++
++ switch(content_type) {
++
++ case SSL3_RT_HEADER:
++ strcat(string, "SSL/TLS Header: ");
++ switch(hvers) {
++ case SSL3_VERSION:
++ strcat(string, "SSL 3.0");
++ break;
++ case TLS1_VERSION:
++ strcat(string, "TLS 1.0");
++ break;
++ case TLS1_1_VERSION:
++ strcat(string, "TLS 1.1");
++ break;
++ case TLS1_2_VERSION:
++ strcat(string, "TLS 1.2");
++ break;
++ default:
++ strcat(string, "Unknown version");
++ }
++ break;
++
++ case SSL3_RT_ALERT:
++ strcat(string, "Alert: ");
++ code = msg[1];
++
++ if (write_p) {
++ ets->alert_sent = 1;
++ ets->alert_sent_desc = code;
++ } else {
++ ets->alert_recv = 1;
++ ets->alert_recv_desc = code;
++ }
++
++ strcat(string, SSL_alert_desc_string_long(code));
++ break;
++
++ case SSL3_RT_CHANGE_CIPHER_SPEC:
++ strcat(string, "ChangeCipherSpec");
++ break;
++
++ case SSL3_RT_HANDSHAKE:
++
++ strcat(string, "Handshake: ");
++ code = msg[0];
++
++ switch(code) {
++ case SSL3_MT_HELLO_REQUEST:
++ strcat(string,"Hello Request");
++ break;
++ case SSL3_MT_CLIENT_HELLO:
++ strcat(string,"Client Hello");
++ break;
++ case SSL3_MT_SERVER_HELLO:
++ strcat(string,"Server Hello");
++ break;
++#ifdef SSL3_MT_NEWSESSION_TICKET
++ case SSL3_MT_NEWSESSION_TICKET:
++ strcat(string,"New Session Ticket");
++ break;
++#endif
++ case SSL3_MT_CERTIFICATE:
++ strcat(string,"Certificate");
++ break;
++ case SSL3_MT_SERVER_KEY_EXCHANGE:
++ strcat(string,"Server Key Exchange");
++ break;
++ case SSL3_MT_CERTIFICATE_REQUEST:
++ strcat(string,"Certificate Request");
++ break;
++ case SSL3_MT_SERVER_DONE:
++ strcat(string,"Server Hello Done");
++ break;
++ case SSL3_MT_CERTIFICATE_VERIFY:
++ strcat(string,"Certificate Verify");
++ break;
++ case SSL3_MT_CLIENT_KEY_EXCHANGE:
++ strcat(string,"Client Key Exchange");
++ break;
++ case SSL3_MT_FINISHED:
++ strcat(string,"Finished: ");
++ hvers = SSL_version(ssl);
++ switch(hvers) {
++ case SSL3_VERSION:
++ strcat(string, "SSL 3.0");
++ break;
++ case TLS1_VERSION:
++ strcat(string, "TLS 1.0");
++ break;
++ case TLS1_1_VERSION:
++ strcat(string, "TLS 1.1");
++ break;
++ case TLS1_2_VERSION:
++ strcat(string, "TLS 1.2");
++ break;
++ default:
++ strcat(string, "Unknown version");
++ }
++ break;
++ default:
++ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
++ }
++ break;
++
++ default:
++ sprintf( string, "SSL message contains unknown content type: %d", content_type );
++
++ }
++
++ /* Alert messages must always be displayed */
++ if(content_type == SSL3_RT_ALERT)
++ error("%s", string);
++ else
++ dbglog("%s", string);
++}
++
+diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
+new file mode 100644
+index 000000000000..2d45a0b83a0c
+--- /dev/null
++++ b/pppd/eap-tls.h
+@@ -0,0 +1,107 @@
++/*
++ * eap-tls.h
++ *
++ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ *
++ * 1. Redistributions of source code must retain the above copyright
++ * notice, this list of conditions and the following disclaimer.
++ *
++ * 2. Redistributions in binary form must reproduce the above copyright
++ * notice, this list of conditions and the following disclaimer in
++ * the documentation and/or other materials provided with the
++ * distribution.
++ *
++ * 3. The name(s) of the authors of this software must not be used to
++ * endorse or promote products derived from this software without
++ * prior written permission.
++ *
++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
++ *
++ */
++
++#ifndef __EAP_TLS_H__
++#define __EAP_TLS_H__
++
++#include "eap.h"
++
++#include <openssl/ssl.h>
++#include <openssl/bio.h>
++#include <openssl/md5.h>
++
++#define EAP_TLS_FLAGS_LI 128 /* length included flag */
++#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */
++#define EAP_TLS_FLAGS_START 32 /* start flag */
++
++#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */
++
++struct eaptls_session
++{
++ u_char *data; /* buffered data */
++ int datalen; /* buffered data len */
++ int offset; /* from where to send */
++ int tlslen; /* total length of tls data */
++ bool frag; /* packet is fragmented */
++ SSL_CTX *ctx;
++ SSL *ssl; /* ssl connection */
++ BIO *from_ssl;
++ BIO *into_ssl;
++ char peer[MAXWORDLEN]; /* peer name */
++ char peercertfile[MAXWORDLEN];
++ bool alert_sent;
++ u_char alert_sent_desc;
++ bool alert_recv;
++ u_char alert_recv_desc;
++ char rtx[65536]; /* retransmission buffer */
++ int rtx_len;
++ int mtu; /* unit mtu */
++};
++
++typedef struct pw_cb_data
++{
++ const void *password;
++ const char *prompt_info;
++} PW_CB_DATA;
++
++
++int ssl_verify_callback(int, X509_STORE_CTX *);
++void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
++ size_t len, SSL * ssl, void *arg);
++
++X509 *get_X509_from_file(char *filename);
++int ssl_cmp_certs(char *filename, X509 * a);
++
++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
++ char *certfile, char *peer_certfile, char *privkeyfile);
++int eaptls_init_ssl_server(eap_state * esp);
++int eaptls_init_ssl_client(eap_state * esp);
++void eaptls_free_session(struct eaptls_session *ets);
++
++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
++int eaptls_send(struct eaptls_session *ets, u_char ** outp);
++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
++
++int get_eaptls_secret(int unit, char *client, char *server,
++ char *clicertfile, char *servcertfile, char *cacertfile,
++ char *pkfile, int am_server);
++
++#ifdef MPPE
++#include "mppe.h" /* MPPE_MAX_KEY_LEN */
++extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
++extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
++extern int mppe_keys_set;
++
++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
++
++#endif
++
++#endif
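Review bot: struct eaptls_session documents its fields but not its initialization contract, and the two halves of the patch disagree on it: eaptls_free_session tests ets->ssl and ets->ctx for NULL, while eaptls_init_ssl_client allocates the struct with a plain malloc, so on its fail path (eaptls_init_ssl returning NULL, or SSL_new failing) es_client.ea_session keeps pointing at a struct whose ssl field is indeterminate. I'd put `/* Must be zero-initialised (calloc): eaptls_free_session() relies on NULL ssl/ctx */` above the struct and switch the allocation to calloc. The peer and peercertfile fields are filled with strncpy(..., MAXWORDLEN), which leaves no terminator when the source is MAXWORDLEN bytes or longer, yet peer is later handed to strcmp and to an error format; forcing `ets->peer[MAXWORDLEN - 1] = 0;` after the copy (or sizing the arrays MAXWORDLEN + 1) closes that. The ssl_msg_callback declaration also deserves a note on the minimum length of buf, because its definition computes hvers from msg[1] and msg[2] before dispatching on content_type, and OpenSSL delivers alert records to this callback as 2 bytes and ChangeCipherSpec as 1.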
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 6ea6c1f8bff6..032407c3dbb2 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -43,6 +43,11 @@
+ * Based on draft-ietf-pppext-eap-srp-03.txt.
+ */
+
++/*
++ * Modification by Beniamino Galvani, Mar 2005
++ * Implemented EAP-TLS authentication
++ */
++
+ #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
+
+ /*
+@@ -62,8 +67,12 @@
+
+ #include "pppd.h"
+ #include "pathnames.h"
+-#include "md5.h"
+ #include "eap.h"
++#ifdef USE_EAPTLS
++#include "eap-tls.h"
++#else
++#include "md5.h"
++#endif /* USE_EAPTLS */
+
+ #ifdef USE_SRP
+ #include <t_pwd.h>
+@@ -209,6 +218,9 @@ int unit;
+ esp->es_server.ea_id = (u_char)(drand48() * 0x100);
+ esp->es_client.ea_timeout = EAP_DEFREQTIME;
+ esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
++#ifdef USE_EAPTLS
++ esp->es_client.ea_using_eaptls = 0;
++#endif /* USE_EAPTLS */
+ }
+
+ /*
+@@ -436,8 +448,16 @@ int status;
+ u_char vals[2];
+ struct b64state bs;
+ #endif /* USE_SRP */
++#ifdef USE_EAPTLS
++ struct eaptls_session *ets;
++ int secret_len;
++ char secret[MAXWORDLEN];
++#endif /* USE_EAPTLS */
+
+ esp->es_server.ea_timeout = esp->es_savedtime;
++#ifdef USE_EAPTLS
++ esp->es_server.ea_prev_state = esp->es_server.ea_state;
++#endif /* USE_EAPTLS */
+ switch (esp->es_server.ea_state) {
+ case eapBadAuth:
+ return;
+@@ -562,9 +582,79 @@ int status;
+ break;
+ }
+ #endif /* USE_SRP */
++#ifdef USE_EAPTLS
++ if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
++ esp->es_server.ea_name, secret, &secret_len, 1)) {
++
++ esp->es_server.ea_state = eapTlsStart;
++ break;
++ }
++#endif /* USE_EAPTLS */
++
+ esp->es_server.ea_state = eapMD5Chall;
+ break;
+
++#ifdef USE_EAPTLS
++ case eapTlsStart:
++ /* Initialize ssl session */
++ if(!eaptls_init_ssl_server(esp)) {
++ esp->es_server.ea_state = eapBadAuth;
++ break;
++ }
++
++ esp->es_server.ea_state = eapTlsRecv;
++ break;
++
++ case eapTlsRecv:
++ ets = (struct eaptls_session *) esp->es_server.ea_session;
++
++ if(ets->alert_sent) {
++ esp->es_server.ea_state = eapTlsSendAlert;
++ break;
++ }
++
++ if (status) {
++ esp->es_server.ea_state = eapBadAuth;
++ break;
++ }
++ ets = (struct eaptls_session *) esp->es_server.ea_session;
++
++ if(ets->frag)
++ esp->es_server.ea_state = eapTlsSendAck;
++ else
++ esp->es_server.ea_state = eapTlsSend;
++ break;
++
++ case eapTlsSend:
++ ets = (struct eaptls_session *) esp->es_server.ea_session;
++
++ if(ets->frag)
++ esp->es_server.ea_state = eapTlsRecvAck;
++ else
++ if(SSL_is_init_finished(ets->ssl))
++ esp->es_server.ea_state = eapTlsRecvClient;
++ else
++ esp->es_server.ea_state = eapTlsRecv;
++ break;
++
++ case eapTlsSendAck:
++ esp->es_server.ea_state = eapTlsRecv;
++ break;
++
++ case eapTlsRecvAck:
++ if (status) {
++ esp->es_server.ea_state = eapBadAuth;
++ break;
++ }
++
++ esp->es_server.ea_state = eapTlsSend;
++ break;
++
++ case eapTlsSendAlert:
++ esp->es_server.ea_state = eapTlsRecvAlertAck;
++ break;
++#endif /* USE_EAPTLS */
++
+ case eapSRP1:
+ #ifdef USE_SRP
+ ts = (struct t_server *)esp->es_server.ea_session;
+@@ -718,6 +808,30 @@ eap_state *esp;
+ INCPTR(esp->es_server.ea_namelen, outp);
+ break;
+
++#ifdef USE_EAPTLS
++ case eapTlsStart:
++ PUTCHAR(EAPT_TLS, outp);
++ PUTCHAR(EAP_TLS_FLAGS_START, outp);
++ eap_figure_next_state(esp, 0);
++ break;
++
++ case eapTlsSend:
++ eaptls_send(esp->es_server.ea_session, &outp);
++ eap_figure_next_state(esp, 0);
++ break;
++
++ case eapTlsSendAck:
++ PUTCHAR(EAPT_TLS, outp);
++ PUTCHAR(0, outp);
++ eap_figure_next_state(esp, 0);
++ break;
++
++ case eapTlsSendAlert:
++ eaptls_send(esp->es_server.ea_session, &outp);
++ eap_figure_next_state(esp, 0);
++ break;
++#endif /* USE_EAPTLS */
++
+ #ifdef USE_SRP
+ case eapSRP1:
+ PUTCHAR(EAPT_SRP, outp);
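Review bot: The return value of eaptls_send is discarded in both the eapTlsSend and eapTlsSendAlert cases; when BIO_read yields nothing it returns 1 having written no payload at all, so a request carrying only the EAP header goes out, the retransmission buffer still holds the previous packet, and eap_figure_next_state(esp, 0) advances the state regardless. Something like `if (eaptls_send(esp->es_server.ea_session, &outp)) { esp->es_server.ea_state = eapBadAuth; break; }` keeps the state machine honest; eap_tls_response later in this patch discards the same return value and wants the same treatment. The enclosing eap_send_request starts and ends outside this hunk.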
+@@ -904,11 +1018,57 @@ static void
+ eap_server_timeout(arg)
+ void *arg;
+ {
++#ifdef USE_EAPTLS
++ u_char *outp;
++ u_char *lenloc;
++ int outlen;
++#endif /* USE_EAPTLS */
++
+ eap_state *esp = (eap_state *) arg;
+
+ if (!eap_server_active(esp))
+ return;
+
++#ifdef USE_EAPTLS
++ switch(esp->es_server.ea_prev_state) {
++
++ /*
++ * In eap-tls the state changes after a request, so we return to
++ * previous state ...
++ */
++ case(eapTlsStart):
++ case(eapTlsSendAck):
++ esp->es_server.ea_state = esp->es_server.ea_prev_state;
++ break;
++
++ /*
++ * ... or resend the stored data
++ */
++ case(eapTlsSend):
++ case(eapTlsSendAlert):
++ outp = outpacket_buf;
++ MAKEHEADER(outp, PPP_EAP);
++ PUTCHAR(EAP_REQUEST, outp);
++ PUTCHAR(esp->es_server.ea_id, outp);
++ lenloc = outp;
++ INCPTR(2, outp);
++
++ eaptls_retransmit(esp->es_server.ea_session, &outp);
++
++ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
++ PUTSHORT(outlen, lenloc);
++ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
++ esp->es_server.ea_requests++;
++
++ if (esp->es_server.ea_timeout > 0)
++ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
++
++ return;
++ default:
++ break;
++ }
++#endif /* USE_EAPTLS */
++
+ /* EAP ID number must not change on timeout. */
+ eap_send_request(esp);
+ }
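Review bot: The eapTlsSend/eapTlsSendAlert retransmit path increments es_server.ea_requests and re-arms the timer, then returns before reaching the eap_send_request call at the bottom, so whatever cap on ea_requests that call enforces (not visible from here) is bypassed for TLS retransmits and a peer that stops answering is retransmitted for as long as the link stays up. A guard at the top of that case, `if (esp->es_server.ea_requests >= esp->es_server.ea_maxrequests) break;`, lets the existing path and its limit handling take over. Raising EAP_DEFTRANSMITS to 30 in eap.h only helps if the limit is actually applied on this path.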
+@@ -1166,6 +1326,81 @@ u_char *str;
+ }
+ #endif /* USE_SRP */
+
++#ifdef USE_EAPTLS
++/*
++ * Send an EAP-TLS response message with tls data
++ */
++static void
++eap_tls_response(esp, id)
++eap_state *esp;
++u_char id;
++{
++ u_char *outp;
++ int outlen;
++ u_char *lenloc;
++
++ outp = outpacket_buf;
++
++ MAKEHEADER(outp, PPP_EAP);
++
++ PUTCHAR(EAP_RESPONSE, outp);
++ PUTCHAR(id, outp);
++
++ lenloc = outp;
++ INCPTR(2, outp);
++
++ /*
++ If the id in the request is unchanged, we must retransmit
++ the old data
++ */
++ if(id == esp->es_client.ea_id)
++ eaptls_retransmit(esp->es_client.ea_session, &outp);
++ else
++ eaptls_send(esp->es_client.ea_session, &outp);
++
++ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
++ PUTSHORT(outlen, lenloc);
++
++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
++
++ esp->es_client.ea_id = id;
++
++}
++
++/*
++ * Send an EAP-TLS ack
++ */
++static void
++eap_tls_sendack(esp, id)
++eap_state *esp;
++u_char id;
++{
++ u_char *outp;
++ int outlen;
++ u_char *lenloc;
++
++ outp = outpacket_buf;
++
++ MAKEHEADER(outp, PPP_EAP);
++
++ PUTCHAR(EAP_RESPONSE, outp);
++ PUTCHAR(id, outp);
++ esp->es_client.ea_id = id;
++
++ lenloc = outp;
++ INCPTR(2, outp);
++
++ PUTCHAR(EAPT_TLS, outp);
++ PUTCHAR(0, outp);
++
++ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
++ PUTSHORT(outlen, lenloc);
++
++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
++
++}
++#endif /* USE_EAPTLS */
++
+ static void
+ eap_send_nak(esp, id, type)
+ eap_state *esp;
+@@ -1320,6 +1555,11 @@ int len;
+ char rhostname[256];
+ MD5_CTX mdContext;
+ u_char hash[MD5_SIGNATURE_SIZE];
++#ifdef USE_EAPTLS
++ u_char flags;
++ struct eaptls_session *ets = esp->es_client.ea_session;
++#endif /* USE_EAPTLS */
++
+ #ifdef USE_SRP
+ struct t_client *tc;
+ struct t_num sval, gval, Nval, *Ap, Bval;
+@@ -1456,6 +1696,100 @@ int len;
+ esp->es_client.ea_namelen);
+ break;
+
++#ifdef USE_EAPTLS
++ case EAPT_TLS:
++
++ switch(esp->es_client.ea_state) {
++
++ case eapListen:
++
++ if (len < 1) {
++ error("EAP: received EAP-TLS Listen packet with no data");
++ /* Bogus request; wait for something real. */
++ return;
++ }
++ GETCHAR(flags, inp);
++ if(flags & EAP_TLS_FLAGS_START){
++
++ esp->es_client.ea_using_eaptls = 1;
++
++ if (explicit_remote){
++ esp->es_client.ea_peer = strdup(remote_name);
++ esp->es_client.ea_peerlen = strlen(remote_name);
++ } else
++ esp->es_client.ea_peer = NULL;
++
++ /* Init ssl session */
++ if(!eaptls_init_ssl_client(esp)) {
++ dbglog("cannot init ssl");
++ eap_send_nak(esp, id, EAPT_TLS);
++ esp->es_client.ea_using_eaptls = 0;
++ break;
++ }
++
++ ets = esp->es_client.ea_session;
++ eap_tls_response(esp, id);
++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
++ eapTlsRecv);
++ break;
++ }
++
++ /* The server has sent a bad start packet. */
++ eap_send_nak(esp, id, EAPT_TLS);
++ break;
++
++ case eapTlsRecvAck:
++ eap_tls_response(esp, id);
++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
++ eapTlsRecv);
++ break;
++
++ case eapTlsRecv:
++ if (len < 1) {
++ error("EAP: discarding EAP-TLS Receive packet with no data");
++ /* Bogus request; wait for something real. */
++ return;
++ }
++ eaptls_receive(ets, inp, len);
++
++ if(ets->frag) {
++ eap_tls_sendack(esp, id);
++ esp->es_client.ea_state = eapTlsRecv;
++ break;
++ }
++
++ if(ets->alert_recv) {
++ eap_tls_sendack(esp, id);
++ esp->es_client.ea_state = eapTlsRecvFailure;
++ break;
++ }
++
++ /* Check if TLS handshake is finished */
++ if(SSL_is_init_finished(ets->ssl)){
++#ifdef MPPE
++ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
++#endif
++ eaptls_free_session(ets);
++ eap_tls_sendack(esp, id);
++ esp->es_client.ea_state = eapTlsRecvSuccess;
++ break;
++ }
++
++ eap_tls_response(esp,id);
++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
++ eapTlsRecv);
++
++ break;
++
++ default:
++ eap_send_nak(esp, id, EAPT_TLS);
++ esp->es_client.ea_using_eaptls = 0;
++ break;
++ }
++
++ break;
++#endif /* USE_EAPTLS */
++
+ #ifdef USE_SRP
+ case EAPT_SRP:
+ if (len < 1) {
+@@ -1737,6 +2071,11 @@ int len;
+ u_char dig[SHA_DIGESTSIZE];
+ #endif /* USE_SRP */
+
++#ifdef USE_EAPTLS
++ struct eaptls_session *ets;
++ u_char flags;
++#endif /* USE_EAPTLS */
++
+ if (esp->es_server.ea_id != id) {
+ dbglog("EAP: discarding Response %d; expected ID %d", id,
+ esp->es_server.ea_id);
+@@ -1776,6 +2115,64 @@ int len;
+ eap_figure_next_state(esp, 0);
+ break;
+
++#ifdef USE_EAPTLS
++ case EAPT_TLS:
++ switch(esp->es_server.ea_state) {
++
++ case eapTlsRecv:
++
++ ets = (struct eaptls_session *) esp->es_server.ea_session;
++ eap_figure_next_state(esp,
++ eaptls_receive(esp->es_server.ea_session, inp, len));
++
++ if(ets->alert_recv) {
++ eap_send_failure(esp);
++ break;
++ }
++ break;
++
++ case eapTlsRecvAck:
++ if(len > 1) {
++ dbglog("EAP-TLS ACK with extra data");
++ }
++ eap_figure_next_state(esp, 0);
++ break;
++
++ case eapTlsRecvClient:
++ /* Receive authentication response from client */
++
++ if (len > 0) {
++ GETCHAR(flags, inp);
++
++ if(len == 1 && !flags) { /* Ack = ok */
++#ifdef MPPE
++ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
++#endif
++ eap_send_success(esp);
++ }
++ else { /* failure */
++ warn("Server authentication failed");
++ eap_send_failure(esp);
++ }
++ }
++ else
++ warn("Bogus EAP-TLS packet received from client");
++
++ eaptls_free_session(esp->es_server.ea_session);
++
++ break;
++
++ case eapTlsRecvAlertAck:
++ eap_send_failure(esp);
++ break;
++
++ default:
++ eap_figure_next_state(esp, 1);
++ break;
++ }
++ break;
++#endif /* USE_EAPTLS */
++
+ case EAPT_NOTIFICATION:
+ dbglog("EAP unexpected Notification; response discarded");
+ break;
+@@ -1807,6 +2204,13 @@ int len;
+ esp->es_server.ea_state = eapMD5Chall;
+ break;
+
++#ifdef USE_EAPTLS
++ /* Send EAP-TLS start packet */
++ case EAPT_TLS:
++ esp->es_server.ea_state = eapTlsStart;
++ break;
++#endif /* USE_EAPTLS */
++
+ default:
+ dbglog("EAP: peer requesting unknown Type %d", vallen);
+ switch (esp->es_server.ea_state) {
+@@ -2018,13 +2422,27 @@ u_char *inp;
+ int id;
+ int len;
+ {
+- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
++ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
++#ifdef USE_EAPTLS
++ && esp->es_client.ea_state != eapTlsRecvSuccess
++#endif /* USE_EAPTLS */
++ ) {
+ dbglog("EAP unexpected success message in state %s (%d)",
+ eap_state_name(esp->es_client.ea_state),
+ esp->es_client.ea_state);
+ return;
+ }
+
++#ifdef USE_EAPTLS
++ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
++ eapTlsRecvSuccess) {
++ dbglog("EAP-TLS unexpected success message in state %s (%d)",
++ eap_state_name(esp->es_client.ea_state),
++ esp->es_client.ea_state);
++ return;
++ }
++#endif /* USE_EAPTLS */
++
+ if (esp->es_client.ea_timeout > 0) {
+ UNTIMEOUT(eap_client_timeout, (void *)esp);
+ }
+@@ -2150,6 +2568,9 @@ void *arg;
+ int code, id, len, rtype, vallen;
+ u_char *pstart;
+ u_int32_t uval;
++#ifdef USE_EAPTLS
++ u_char flags;
++#endif /* USE_EAPTLS */
+
+ if (inlen < EAP_HEADERLEN)
+ return (0);
+@@ -2214,6 +2635,24 @@ void *arg;
+ }
+ break;
+
++#ifdef USE_EAPTLS
++ case EAPT_TLS:
++ if (len < 1)
++ break;
++ GETCHAR(flags, inp);
++ len--;
++
++ if(flags == 0 && len == 0){
++ printer(arg, " Ack");
++ break;
++ }
++
++ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
++ break;
++#endif /* USE_EAPTLS */
++
+ case EAPT_SRP:
+ if (len < 3)
+ goto truncated;
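Review bot: The EAPT_TLS flag printer is duplicated verbatim in this hunk and in the response-printing hunk that follows (`@@ -2325,6 +2764,25 @@`); a small static helper taking printer, arg and flags would keep the two in step and give one place to fix the output, where the START flag prints `"- "` with a trailing space while LI and MF print `" -"` and `"-"`, so the flag column comes out uneven. The `if (len < 1) break;` also differs from the `goto truncated` used by the EAPT_SRP case right after it, so a short packet is silently printed as if complete. eap_printpkt begins and ends outside these hunks.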
+@@ -2325,6 +2764,25 @@ void *arg;
+ }
+ break;
+
++#ifdef USE_EAPTLS
++ case EAPT_TLS:
++ if (len < 1)
++ break;
++ GETCHAR(flags, inp);
++ len--;
++
++ if(flags == 0 && len == 0){
++ printer(arg, " Ack");
++ break;
++ }
++
++ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
++
++ break;
++#endif /* USE_EAPTLS */
++
+ case EAPT_NAK:
+ if (len <= 0) {
+ printer(arg, " <missing hint>");
+@@ -2426,3 +2884,4 @@ void *arg;
+
+ return (inp - pstart);
+ }
++
+diff --git a/pppd/eap.h b/pppd/eap.h
+index 199d1849b826..087baad83eed 100644
+--- a/pppd/eap.h
++++ b/pppd/eap.h
+@@ -84,6 +84,16 @@ enum eap_state_code {
+ eapClosed, /* Authentication not in use */
+ eapListen, /* Client ready (and timer running) */
+ eapIdentify, /* EAP Identify sent */
++ eapTlsStart, /* Send EAP-TLS start packet */
++ eapTlsRecv, /* Receive EAP-TLS tls data */
++ eapTlsSendAck, /* Send EAP-TLS ack */
++ eapTlsSend, /* Send EAP-TLS tls data */
++ eapTlsRecvAck, /* Receive EAP-TLS ack */
++ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/
++ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/
++ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */
++ eapTlsRecvSuccess, /* Receive EAP success */
++ eapTlsRecvFailure, /* Receive EAP failure */
+ eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
+ eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
+ eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
+@@ -95,9 +105,18 @@ enum eap_state_code {
+
+ #define EAP_STATES \
+ "Initial", "Pending", "Closed", "Listen", "Identify", \
++ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
++ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
+ "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
+
+-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
++#ifdef USE_EAPTLS
++#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
++ (esp)->es_client.ea_state != eapPending &&\
++ (esp)->es_client.ea_state != eapClosed)
++#else
++#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
++#endif /* USE_EAPTLS */
++
+ #define eap_server_active(esp) \
+ ((esp)->es_server.ea_state >= eapIdentify && \
+ (esp)->es_server.ea_state <= eapMD5Chall)
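Review bot: The USE_EAPTLS definition of eap_client_active widens the predicate for every caller, not only for the TLS states: any state other than eapInitial, eapPending and eapClosed now counts as active, eapBadAuth included, so the guard in eap_success (the hunk at `@@ -2018,13 +2422,27 @@`) that previously admitted a Success only in eapListen or eapOpen now admits it after a failed authentication as well, and the follow-up check there covers only ea_using_eaptls sessions. Listing the states that really are active is safer and self-documenting: `#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen || \` / `((esp)->es_client.ea_state >= eapTlsStart && \` / `(esp)->es_client.ea_state <= eapTlsRecvFailure))`. That relies on the TLS states being contiguous in enum eap_state_code, which a comment next to the enum should pin down, the way eap_server_active already depends on eapIdentify..eapMD5Chall being contiguous.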
+@@ -112,11 +131,17 @@ struct eap_auth {
+ u_short ea_namelen; /* Length of our name */
+ u_short ea_peerlen; /* Length of peer's name */
+ enum eap_state_code ea_state;
++#ifdef USE_EAPTLS
++ enum eap_state_code ea_prev_state;
++#endif
+ u_char ea_id; /* Current id */
+ u_char ea_requests; /* Number of Requests sent/received */
+ u_char ea_responses; /* Number of Responses */
+ u_char ea_type; /* One of EAPT_* */
+ u_int32_t ea_keyflags; /* SRP shared key usage flags */
++#ifdef USE_EAPTLS
++ bool ea_using_eaptls;
++#endif
+ };
+
+ /*
+@@ -139,7 +164,12 @@ typedef struct eap_state {
+ * Timeouts.
+ */
+ #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
++#ifdef USE_EAPTLS
++#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
++ /* certificates can be long ... */
++#else
+ #define EAP_DEFTRANSMITS 10 /* max # times to transmit */
++#endif /* USE_EAPTLS */
+ #define EAP_DEFREQTIME 20 /* Time to wait for peer request */
+ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
+
+diff --git a/pppd/md5.c b/pppd/md5.c
+index f1291ce1bd72..6f8f7207c592 100644
+--- a/pppd/md5.c
++++ b/pppd/md5.c
+@@ -33,6 +33,8 @@
+ ***********************************************************************
+ */
+
++#ifndef USE_EAPTLS
++
+ #include <string.h>
+ #include "md5.h"
+
+@@ -305,3 +307,5 @@ UINT4 *in;
+ ** End of md5.c **
+ ******************************** (cut) ********************************
+ */
++#endif /* USE_EAPTLS */
++
+diff --git a/pppd/md5.h b/pppd/md5.h
+index 71e8b00e2dde..14d712171c5e 100644
+--- a/pppd/md5.h
++++ b/pppd/md5.h
+@@ -36,6 +36,7 @@
+ ** documentation and/or software. **
+ ***********************************************************************
+ */
++#ifndef USE_EAPTLS
+
+ #ifndef __MD5_INCLUDE__
+
+@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
+
+ #define __MD5_INCLUDE__
+ #endif /* __MD5_INCLUDE__ */
++
++#endif /* USE_EAPTLS */
+diff --git a/pppd/pathnames.h b/pppd/pathnames.h
+index 46972601fc92..72c2f5b191ee 100644
+--- a/pppd/pathnames.h
++++ b/pppd/pathnames.h
+@@ -21,6 +21,13 @@
+ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
+ #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
+ #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
++
++#ifdef USE_EAPTLS
++#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client"
++#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server"
++#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf"
++#endif /* USE_EAPTLS */
++
+ #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
+ #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
+ #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
+index 0f9d37d2953b..bc29968d44c9 100644
+--- a/pppd/plugins/Makefile.linux
++++ b/pppd/plugins/Makefile.linux
+@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
+ LDFLAGS = $(LDOPTS)
+ INSTALL = install
+
++# EAP-TLS
++CFLAGS += -DUSE_EAPTLS=1
++
+ DESTDIR = $(INSTROOT)@DESTDIR@
+ BINDIR = $(DESTDIR)/sbin
+ MANDIR = $(DESTDIR)/share/man/man8
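Review bot: `CFLAGS += -DUSE_EAPTLS=1` is added here unconditionally, while pppd/Makefile.linux only defines it under `ifdef USE_EAPTLS` (visible as context in the 0039 hunk further down), so the two Makefiles can disagree. If pppd is built without EAP-TLS, passprompt.c and passwordfd.c still compile their `eaptls_passwd_hook = ...` assignments against a pppd that presumably does not export that symbol, and the plugins would likely fail to load at runtime. Guard the define the same way as the main Makefile, `ifdef USE_EAPTLS` / `CFLAGS += -DUSE_EAPTLS=1` / `endif`, and pass USE_EAPTLS down from the top-level build so both sides see the same setting.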
+diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
+index babb6dc31bab..6ba73cae2795 100644
+--- a/pppd/plugins/passprompt.c
++++ b/pppd/plugins/passprompt.c
+@@ -107,4 +107,7 @@ void plugin_init(void)
+ {
+ add_options(options);
+ pap_passwd_hook = promptpass;
++#ifdef USE_EAPTLS
++ eaptls_passwd_hook = promptpass;
++#endif
+ }
+diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
+index d718f3bdf81d..c3f9793e41a0 100644
+--- a/pppd/plugins/passwordfd.c
++++ b/pppd/plugins/passwordfd.c
+@@ -79,4 +79,8 @@ void plugin_init (void)
+
+ chap_check_hook = pwfd_check;
+ chap_passwd_hook = pwfd_passwd;
++
++#ifdef USE_EAPTLS
++ eaptls_passwd_hook = pwfd_passwd;
++#endif
+ }
+diff --git a/pppd/pppd.8 b/pppd/pppd.8
+index 65bbe721f761..8afa2d1186e2 100644
+--- a/pppd/pppd.8
++++ b/pppd/pppd.8
+@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
+ compression in the corresponding direction. Use \fInobsdcomp\fR or
+ \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
+ .TP
++.B ca \fIca-file
++(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
++(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
++This option is used on the client-side in conjunction with the \fBcert\fR
++and \fBkey\fR options.
++.TP
+ .B cdtrcts
+ Use a non-standard hardware flow control (i.e. DTR/CTS) to control
+ the flow of data on the serial port. If neither the \fIcrtscts\fR,
+@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true
+ bi-directional flow control. The sacrifice is that this flow
+ control mode does not permit using DTR as a modem control line.
+ .TP
++.B cert \fIcertfile
++(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM
++format), needed for setting up an EAP-TLS connection. This option is
++used on the client-side in conjunction with the \fBca\fR and
++\fBkey\fR options.
++.TP
+ .B chap\-interval \fIn
+ If this option is given, pppd will rechallenge the peer every \fIn\fR
+ seconds.
+@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet. The default value is
+ 1000 (1 second). This wait period only applies if the \fBconnect\fR
+ or \fBpty\fR option is used.
+ .TP
++.B crl \fIfilename
++(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
++to check for the validity of the peer's certificate. This option is not
++mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
++option.
++.TP
++.B crl-dir \fIdirectory
++(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
++has format ($hash.r0) to check for the validity of the peer's certificate.
++This option is not mandatory for setting up an EAP-TLS connection.
++Also see the \fBcrl\fR option.
++.TP
+ .B debug
+ Enables connection debugging facilities.
+ If this option is given, pppd will log the contents of all
+@@ -561,6 +585,12 @@ transmitted packets be printed. On most systems, messages printed by
+ the kernel are logged by syslog(1) to a file as directed in the
+ /etc/syslog.conf configuration file.
+ .TP
++.B key \fIkeyfile
++(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM
++format), needed for setting up an EAP-TLS connection. This option is
++used on the client-side in conjunction with the \fBca\fR and
++\fBcert\fR options.
++.TP
+ .B ktune
+ Enables pppd to alter kernel settings as appropriate. Under Linux,
+ pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
+@@ -724,6 +754,9 @@ name to \fIname\fR.)
+ Disable Address/Control compression in both directions (send and
+ receive).
+ .TP
++.B need-peer-eap
++(EAP-TLS) Require the peer to verify our authentication credentials.
++.TP
+ .B noauth
+ Do not require the peer to authenticate itself. This option is
+ privileged.
+diff --git a/pppd/pppd.h b/pppd/pppd.h
+index 567d702181ca..195cbe3c6ffb 100644
+--- a/pppd/pppd.h
++++ b/pppd/pppd.h
+@@ -338,6 +338,11 @@ extern bool dump_options; /* print out option values */
+ extern bool dryrun; /* check everything, print options, exit */
+ extern int child_wait; /* # seconds to wait for children at end */
+
++#ifdef USE_EAPTLS
++extern char *crl_dir;
++extern char *crl_file;
++#endif /* USE_EAPTLS */
++
+ #ifdef MAXOCTETS
+ extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
+ extern int maxoctets_dir; /* Direction :
+@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void));
+ extern int (*chap_passwd_hook) __P((char *user, char *passwd));
+ extern void (*multilink_join_hook) __P((void));
+
++#ifdef USE_EAPTLS
++extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
++#endif
++
+ /* Let a plugin snoop sent and received packets. Useful for L2TP */
+ extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
+ extern void (*snoop_send_hook) __P((unsigned char *p, int len));
diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
new file mode 100644
index 000000000..a08af544a
--- /dev/null
+++ b/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
@@ -0,0 +1,1246 @@
+From: Michael Olbrich <m.olbrich@pengutronix.de>
+Date: Sat, 28 Sep 2019 08:11:50 +0200
+Subject: [PATCH] Replace vendored hash functions with libcrypto
+
+Bug-Debian: https://bugs.debian.org/826625
+Forwarded: no
+Author: Chris Boot <bootc@debian.org>
+Last-Update: 2017-12-17
+
+This patch switches ppp's use of the embedded implementations of MD4, MD5 and
+SHA1 for those found in OpenSSL's libcrypto. This is inspired by the patch to
+switch to the libmd versions of these functions, but using libcrypto is
+preferable both due to the patch being slightly less invasive and also because
+of our use of the EAP-TLS patch which requires OpenSSL.
+
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+---
+ pppd/Makefile.linux | 25 ++--
+ pppd/chap-md5.c | 2 +-
+ pppd/chap_ms.c | 40 ++----
+ pppd/eap.c | 2 +-
+ pppd/md4.c | 299 -----------------------------------------
+ pppd/md4.h | 64 ---------
+ pppd/md5.c | 311 -------------------------------------------
+ pppd/md5.h | 68 ----------
+ pppd/plugins/radius/md5.c | 2 +-
+ pppd/plugins/radius/radius.c | 2 +-
+ pppd/plugins/winbind.c | 2 +-
+ pppd/sha1.c | 170 -----------------------
+ pppd/sha1.h | 31 -----
+ 13 files changed, 28 insertions(+), 990 deletions(-)
+ delete mode 100644 pppd/md4.c
+ delete mode 100644 pppd/md4.h
+ delete mode 100644 pppd/md5.c
+ delete mode 100644 pppd/md5.h
+ delete mode 100644 pppd/sha1.c
+ delete mode 100644 pppd/sha1.h
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 4a11d5fea748..58a634ce8c3b 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include
+
+ TARGETS = pppd
+
+-PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c md5.c ccp.c \
+- ecp.c ipxcp.c auth.c options.c sys-linux.c md4.c chap_ms.c \
++PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c ccp.c \
++ ecp.c ipxcp.c auth.c options.c sys-linux.c chap_ms.c \
+ demand.c utils.c tty.c eap.c chap-md5.c session.c
+
+ HEADERS = ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h \
+- ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h \
++ ipxcp.h lcp.h magic.h patchlevel.h pathnames.h pppd.h \
+ upap.h eap.h
+
+ MANPAGES = pppd.8
+-PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o \
++PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o ccp.o \
+ ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \
+ eap.o chap-md5.o session.o
+
+@@ -33,7 +33,7 @@ endif
+ # CC = gcc
+ #
+ COPTS = -O2 -pipe -Wall -g
+-LIBS =
++LIBS = -lcrypto
+
+ # Uncomment the next 2 lines to include support for Microsoft's
+ # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
+@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS)
+ ifdef CHAPMS
+ CFLAGS += -DCHAPMS=1
+ NEEDDES=y
+-PPPDOBJS += md4.o chap_ms.o
+-HEADERS += md4.h chap_ms.h
++PPPDOBJS += chap_ms.o
++HEADERS += chap_ms.h
+ ifdef MSLANMAN
+ CFLAGS += -DMSLANMAN=1
+ endif
+@@ -104,25 +104,18 @@ endif
+ # EAP SRP-SHA1
+ ifdef USE_SRP
+ CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
+-LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto
++LIBS += -lsrp -L/usr/local/ssl/lib
+ TARGETS += srp-entry
+ EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
+ MANPAGES += srp-entry.8
+ EXTRACLEAN += srp-entry.o
+ NEEDDES=y
+-else
+-# OpenSSL has an integrated version of SHA-1, and its implementation
+-# is incompatible with this local SHA-1 implementation. We must use
+-# one or the other, not both.
+-PPPDSRCS += sha1.c
+-HEADERS += sha1.h
+-PPPDOBJS += sha1.o
+ endif
+
+ # EAP-TLS
+ ifdef USE_EAPTLS
+ CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
+-LIBS += -lssl -lcrypto
++LIBS += -lssl
+ PPPDSRC += eap-tls.c
+ HEADERS += eap-tls.h
+ PPPDOBJS += eap-tls.o
+diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
+index 269b52cb2041..7f7967a56842 100644
+--- a/pppd/chap-md5.c
++++ b/pppd/chap-md5.c
+@@ -39,7 +39,7 @@
+ #ifdef USE_EAPTLS
+ #include "eap-tls.h"
+ #else
+-#include "md5.h"
++#include <openssl/md5.h>
+ #endif /* USE_EAPTLS */
+
+ #define MD5_HASH_SIZE 16
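Review bot: With the vendored md5.h removed, the `#ifdef USE_EAPTLS` around the include now only swaps `<openssl/md5.h>` for `"eap-tls.h"`, which leaves chap-md5.c relying on eap-tls.h transitively providing the OpenSSL MD5 declarations. Since both branches end up using libcrypto's MD5 anyway, include `<openssl/md5.h>` unconditionally and keep the `#ifdef USE_EAPTLS` block only for `#include "eap-tls.h"` if this file actually needs symbols from it. The eap.c hunk below has the same pattern and would benefit from the same treatment. This is a build-robustness point, not a behavioural one.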
+diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
+index c2bd00f9c6f7..19edb85d27a8 100644
+--- a/pppd/chap_ms.c
++++ b/pppd/chap_ms.c
+@@ -89,8 +89,8 @@
+ #include "pppd.h"
+ #include "chap-new.h"
+ #include "chap_ms.h"
+-#include "md4.h"
+-#include "sha1.h"
++#include <openssl/md4.h>
++#include <openssl/sha.h>
+ #include "pppcrypt.h"
+ #include "magic.h"
+
+@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
+ char *username, u_char Challenge[8])
+
+ {
+- SHA1_CTX sha1Context;
+- u_char sha1Hash[SHA1_SIGNATURE_SIZE];
++ SHA_CTX sha1Context;
++ u_char sha1Hash[SHA_DIGEST_LENGTH];
+ char *user;
+
+ /* remove domain from "domain\username" */
+@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
+ static void
+ NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE])
+ {
+-#ifdef __NetBSD__
+- /* NetBSD uses the libc md4 routines which take bytes instead of bits */
+- int mdlen = secret_len;
+-#else
+- int mdlen = secret_len * 8;
+-#endif
+ MD4_CTX md4Context;
+
+- MD4Init(&md4Context);
+- /* MD4Update can take at most 64 bytes at a time */
+- while (mdlen > 512) {
+- MD4Update(&md4Context, secret, 512);
+- secret += 64;
+- mdlen -= 512;
+- }
+- MD4Update(&md4Context, secret, mdlen);
+- MD4Final(hash, &md4Context);
++ MD4_Init(&md4Context);
++ MD4_Update(&md4Context, secret, secret_len);
++ MD4_Final(hash, &md4Context);
+
+ }
+
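Review bot: The return values of `MD4_Init`, `MD4_Update` and `MD4_Final` are ignored in NTPasswordHash; unlike the void vendored routines they replace, the OpenSSL versions return 0 on failure, and in that case `hash` is left uninitialized yet still appears to feed the challenge responses and MPPE key derivation in the hunks below. MD4 is a legacy algorithm that OpenSSL can be built without (`OPENSSL_NO_MD4`) and that newer OpenSSL releases move to the legacy provider, so a failing call here is not purely theoretical. Check all three calls and fail closed, e.g. `if (!MD4_Init(&md4Context) || !MD4_Update(&md4Context, secret, secret_len) || !MD4_Final(hash, &md4Context))` followed by pppd's fatal error path; since NTPasswordHash returns void, its callers (outside this hunk) have no other way to learn that the hash is invalid.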
+@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+ 0x6E };
+
+ int i;
+- SHA1_CTX sha1Context;
+- u_char Digest[SHA1_SIGNATURE_SIZE];
++ SHA_CTX sha1Context;
++ u_char Digest[SHA_DIGEST_LENGTH];
+ u_char Challenge[8];
+
+ SHA1_Init(&sha1Context);
+@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain
+ void
+ mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE])
+ {
+- SHA1_CTX sha1Context;
+- u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
++ SHA_CTX sha1Context;
++ u_char Digest[SHA_DIGEST_LENGTH]; /* >= MPPE_MAX_KEY_LEN */
+
+ SHA1_Init(&sha1Context);
+ SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
+@@ -769,9 +757,9 @@ void
+ mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+ u_char NTResponse[24], int IsServer)
+ {
+- SHA1_CTX sha1Context;
+- u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
+- u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */
++ SHA_CTX sha1Context;
++ u_char MasterKey[SHA_DIGEST_LENGTH]; /* >= MPPE_MAX_KEY_LEN */
++ u_char Digest[SHA_DIGEST_LENGTH]; /* >= MPPE_MAX_KEY_LEN */
+
+ u_char SHApad1[40] =
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 032407c3dbb2..35d111015ff3 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -71,7 +71,7 @@
+ #ifdef USE_EAPTLS
+ #include "eap-tls.h"
+ #else
+-#include "md5.h"
++#include <openssl/md5.h>
+ #endif /* USE_EAPTLS */
+
+ #ifdef USE_SRP
+diff --git a/pppd/md4.c b/pppd/md4.c
+deleted file mode 100644
+index d943e8885f2d..000000000000
+--- a/pppd/md4.c
++++ /dev/null
+@@ -1,299 +0,0 @@
+-/*
+-** ********************************************************************
+-** md4.c -- Implementation of MD4 Message Digest Algorithm **
+-** Updated: 2/16/90 by Ronald L. Rivest **
+-** (C) 1990 RSA Data Security, Inc. **
+-** ********************************************************************
+-*/
+-
+-/*
+-** To use MD4:
+-** -- Include md4.h in your program
+-** -- Declare an MDstruct MD to hold the state of the digest
+-** computation.
+-** -- Initialize MD using MDbegin(&MD)
+-** -- For each full block (64 bytes) X you wish to process, call
+-** MD4Update(&MD,X,512)
+-** (512 is the number of bits in a full block.)
+-** -- For the last block (less than 64 bytes) you wish to process,
+-** MD4Update(&MD,X,n)
+-** where n is the number of bits in the partial block. A partial
+-** block terminates the computation, so every MD computation
+-** should terminate by processing a partial block, even if it
+-** has n = 0.
+-** -- The message digest is available in MD.buffer[0] ...
+-** MD.buffer[3]. (Least-significant byte of each word
+-** should be output first.)
+-** -- You can print out the digest using MDprint(&MD)
+-*/
+-
+-/* Implementation notes:
+-** This implementation assumes that ints are 32-bit quantities.
+-*/
+-
+-#define TRUE 1
+-#define FALSE 0
+-
+-/* Compile-time includes
+-*/
+-#include <stdio.h>
+-#include "md4.h"
+-#include "pppd.h"
+-
+-/* Compile-time declarations of MD4 "magic constants".
+-*/
+-#define I0 0x67452301 /* Initial values for MD buffer */
+-#define I1 0xefcdab89
+-#define I2 0x98badcfe
+-#define I3 0x10325476
+-#define C2 013240474631 /* round 2 constant = sqrt(2) in octal */
+-#define C3 015666365641 /* round 3 constant = sqrt(3) in octal */
+-/* C2 and C3 are from Knuth, The Art of Programming, Volume 2
+-** (Seminumerical Algorithms), Second Edition (1981), Addison-Wesley.
+-** Table 2, page 660.
+-*/
+-
+-#define fs1 3 /* round 1 shift amounts */
+-#define fs2 7
+-#define fs3 11
+-#define fs4 19
+-#define gs1 3 /* round 2 shift amounts */
+-#define gs2 5
+-#define gs3 9
+-#define gs4 13
+-#define hs1 3 /* round 3 shift amounts */
+-#define hs2 9
+-#define hs3 11
+-#define hs4 15
+-
+-/* Compile-time macro declarations for MD4.
+-** Note: The "rot" operator uses the variable "tmp".
+-** It assumes tmp is declared as unsigned int, so that the >>
+-** operator will shift in zeros rather than extending the sign bit.
+-*/
+-#define f(X,Y,Z) ((X&Y) | ((~X)&Z))
+-#define g(X,Y,Z) ((X&Y) | (X&Z) | (Y&Z))
+-#define h(X,Y,Z) (X^Y^Z)
+-#define rot(X,S) (tmp=X,(tmp<<S) | (tmp>>(32-S)))
+-#define ff(A,B,C,D,i,s) A = rot((A + f(B,C,D) + X[i]),s)
+-#define gg(A,B,C,D,i,s) A = rot((A + g(B,C,D) + X[i] + C2),s)
+-#define hh(A,B,C,D,i,s) A = rot((A + h(B,C,D) + X[i] + C3),s)
+-
+-/* MD4print(MDp)
+-** Print message digest buffer MDp as 32 hexadecimal digits.
+-** Order is from low-order byte of buffer[0] to high-order byte of
+-** buffer[3].
+-** Each byte is printed with high-order hexadecimal digit first.
+-** This is a user-callable routine.
+-*/
+-void
+-MD4Print(MDp)
+-MD4_CTX *MDp;
+-{
+- int i,j;
+- for (i=0;i<4;i++)
+- for (j=0;j<32;j=j+8)
+- printf("%02x",(MDp->buffer[i]>>j) & 0xFF);
+-}
+-
+-/* MD4Init(MDp)
+-** Initialize message digest buffer MDp.
+-** This is a user-callable routine.
+-*/
+-void
+-MD4Init(MDp)
+-MD4_CTX *MDp;
+-{
+- int i;
+- MDp->buffer[0] = I0;
+- MDp->buffer[1] = I1;
+- MDp->buffer[2] = I2;
+- MDp->buffer[3] = I3;
+- for (i=0;i<8;i++) MDp->count[i] = 0;
+- MDp->done = 0;
+-}
+-
+-/* MDblock(MDp,X)
+-** Update message digest buffer MDp->buffer using 16-word data block X.
+-** Assumes all 16 words of X are full of data.
+-** Does not update MDp->count.
+-** This routine is not user-callable.
+-*/
+-static void
+-MDblock(MDp,Xb)
+-MD4_CTX *MDp;
+-unsigned char *Xb;
+-{
+- register unsigned int tmp, A, B, C, D;
+- unsigned int X[16];
+- int i;
+-
+- for (i = 0; i < 16; ++i) {
+- X[i] = Xb[0] + (Xb[1] << 8) + (Xb[2] << 16) + (Xb[3] << 24);
+- Xb += 4;
+- }
+-
+- A = MDp->buffer[0];
+- B = MDp->buffer[1];
+- C = MDp->buffer[2];
+- D = MDp->buffer[3];
+- /* Update the message digest buffer */
+- ff(A , B , C , D , 0 , fs1); /* Round 1 */
+- ff(D , A , B , C , 1 , fs2);
+- ff(C , D , A , B , 2 , fs3);
+- ff(B , C , D , A , 3 , fs4);
+- ff(A , B , C , D , 4 , fs1);
+- ff(D , A , B , C , 5 , fs2);
+- ff(C , D , A , B , 6 , fs3);
+- ff(B , C , D , A , 7 , fs4);
+- ff(A , B , C , D , 8 , fs1);
+- ff(D , A , B , C , 9 , fs2);
+- ff(C , D , A , B , 10 , fs3);
+- ff(B , C , D , A , 11 , fs4);
+- ff(A , B , C , D , 12 , fs1);
+- ff(D , A , B , C , 13 , fs2);
+- ff(C , D , A , B , 14 , fs3);
+- ff(B , C , D , A , 15 , fs4);
+- gg(A , B , C , D , 0 , gs1); /* Round 2 */
+- gg(D , A , B , C , 4 , gs2);
+- gg(C , D , A , B , 8 , gs3);
+- gg(B , C , D , A , 12 , gs4);
+- gg(A , B , C , D , 1 , gs1);
+- gg(D , A , B , C , 5 , gs2);
+- gg(C , D , A , B , 9 , gs3);
+- gg(B , C , D , A , 13 , gs4);
+- gg(A , B , C , D , 2 , gs1);
+- gg(D , A , B , C , 6 , gs2);
+- gg(C , D , A , B , 10 , gs3);
+- gg(B , C , D , A , 14 , gs4);
+- gg(A , B , C , D , 3 , gs1);
+- gg(D , A , B , C , 7 , gs2);
+- gg(C , D , A , B , 11 , gs3);
+- gg(B , C , D , A , 15 , gs4);
+- hh(A , B , C , D , 0 , hs1); /* Round 3 */
+- hh(D , A , B , C , 8 , hs2);
+- hh(C , D , A , B , 4 , hs3);
+- hh(B , C , D , A , 12 , hs4);
+- hh(A , B , C , D , 2 , hs1);
+- hh(D , A , B , C , 10 , hs2);
+- hh(C , D , A , B , 6 , hs3);
+- hh(B , C , D , A , 14 , hs4);
+- hh(A , B , C , D , 1 , hs1);
+- hh(D , A , B , C , 9 , hs2);
+- hh(C , D , A , B , 5 , hs3);
+- hh(B , C , D , A , 13 , hs4);
+- hh(A , B , C , D , 3 , hs1);
+- hh(D , A , B , C , 11 , hs2);
+- hh(C , D , A , B , 7 , hs3);
+- hh(B , C , D , A , 15 , hs4);
+- MDp->buffer[0] += A;
+- MDp->buffer[1] += B;
+- MDp->buffer[2] += C;
+- MDp->buffer[3] += D;
+-}
+-
+-/* MD4Update(MDp,X,count)
+-** Input: X -- a pointer to an array of unsigned characters.
+-** count -- the number of bits of X to use.
+-** (if not a multiple of 8, uses high bits of last byte.)
+-** Update MDp using the number of bits of X given by count.
+-** This is the basic input routine for an MD4 user.
+-** The routine completes the MD computation when count < 512, so
+-** every MD computation should end with one call to MD4Update with a
+-** count less than 512. A call with count 0 will be ignored if the
+-** MD has already been terminated (done != 0), so an extra call with
+-** count 0 can be given as a "courtesy close" to force termination
+-** if desired.
+-*/
+-void
+-MD4Update(MDp,X,count)
+-MD4_CTX *MDp;
+-unsigned char *X;
+-unsigned int count;
+-{
+- unsigned int i, tmp, bit, byte, mask;
+- unsigned char XX[64];
+- unsigned char *p;
+-
+- /* return with no error if this is a courtesy close with count
+- ** zero and MDp->done is true.
+- */
+- if (count == 0 && MDp->done) return;
+- /* check to see if MD is already done and report error */
+- if (MDp->done)
+- { printf("\nError: MD4Update MD already done."); return; }
+-
+- /* Add count to MDp->count */
+- tmp = count;
+- p = MDp->count;
+- while (tmp)
+- { tmp += *p;
+- *p++ = tmp;
+- tmp = tmp >> 8;
+- }
+-
+- /* Process data */
+- if (count == 512)
+- { /* Full block of data to handle */
+- MDblock(MDp,X);
+- }
+- else if (count > 512) /* Check for count too large */
+- {
+- printf("\nError: MD4Update called with illegal count value %d.",
+- count);
+- return;
+- }
+- else /* partial block -- must be last block so finish up */
+- {
+- /* Find out how many bytes and residual bits there are */
+- byte = count >> 3;
+- bit = count & 7;
+- /* Copy X into XX since we need to modify it */
+- if (count)
+- for (i=0;i<=byte;i++) XX[i] = X[i];
+- for (i=byte+1;i<64;i++) XX[i] = 0;
+- /* Add padding '1' bit and low-order zeros in last byte */
+- mask = 1 << (7 - bit);
+- XX[byte] = (XX[byte] | mask) & ~( mask - 1);
+- /* If room for bit count, finish up with this block */
+- if (byte <= 55)
+- {
+- for (i=0;i<8;i++) XX[56+i] = MDp->count[i];
+- MDblock(MDp,XX);
+- }
+- else /* need to do two blocks to finish up */
+- {
+- MDblock(MDp,XX);
+- for (i=0;i<56;i++) XX[i] = 0;
+- for (i=0;i<8;i++) XX[56+i] = MDp->count[i];
+- MDblock(MDp,XX);
+- }
+- /* Set flag saying we're done with MD computation */
+- MDp->done = 1;
+- }
+-}
+-
+-/*
+-** Finish up MD4 computation and return message digest.
+-*/
+-void
+-MD4Final(buf, MD)
+-unsigned char *buf;
+-MD4_CTX *MD;
+-{
+- int i, j;
+- unsigned int w;
+-
+- MD4Update(MD, NULL, 0);
+- for (i = 0; i < 4; ++i) {
+- w = MD->buffer[i];
+- for (j = 0; j < 4; ++j) {
+- *buf++ = w;
+- w >>= 8;
+- }
+- }
+-}
+-
+-/*
+-** End of md4.c
+-****************************(cut)***********************************/
+diff --git a/pppd/md4.h b/pppd/md4.h
+deleted file mode 100644
+index 80e8f9a2acca..000000000000
+--- a/pppd/md4.h
++++ /dev/null
+@@ -1,64 +0,0 @@
+-
+-/*
+-** ********************************************************************
+-** md4.h -- Header file for implementation of **
+-** MD4 Message Digest Algorithm **
+-** Updated: 2/13/90 by Ronald L. Rivest **
+-** (C) 1990 RSA Data Security, Inc. **
+-** ********************************************************************
+-*/
+-
+-#ifndef __P
+-# if defined(__STDC__) || defined(__GNUC__)
+-# define __P(x) x
+-# else
+-# define __P(x) ()
+-# endif
+-#endif
+-
+-
+-/* MDstruct is the data structure for a message digest computation.
+-*/
+-typedef struct {
+- unsigned int buffer[4]; /* Holds 4-word result of MD computation */
+- unsigned char count[8]; /* Number of bits processed so far */
+- unsigned int done; /* Nonzero means MD computation finished */
+-} MD4_CTX;
+-
+-/* MD4Init(MD4_CTX *)
+-** Initialize the MD4_CTX prepatory to doing a message digest
+-** computation.
+-*/
+-extern void MD4Init __P((MD4_CTX *MD));
+-
+-/* MD4Update(MD,X,count)
+-** Input: X -- a pointer to an array of unsigned characters.
+-** count -- the number of bits of X to use (an unsigned int).
+-** Updates MD using the first "count" bits of X.
+-** The array pointed to by X is not modified.
+-** If count is not a multiple of 8, MD4Update uses high bits of
+-** last byte.
+-** This is the basic input routine for a user.
+-** The routine terminates the MD computation when count < 512, so
+-** every MD computation should end with one call to MD4Update with a
+-** count less than 512. Zero is OK for a count.
+-*/
+-extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count));
+-
+-/* MD4Print(MD)
+-** Prints message digest buffer MD as 32 hexadecimal digits.
+-** Order is from low-order byte of buffer[0] to high-order byte
+-** of buffer[3].
+-** Each byte is printed with high-order hexadecimal digit first.
+-*/
+-extern void MD4Print __P((MD4_CTX *));
+-
+-/* MD4Final(buf, MD)
+-** Returns message digest from MD and terminates the message
+-** digest computation.
+-*/
+-extern void MD4Final __P((unsigned char *, MD4_CTX *));
+-
+-/*
+-** End of md4.h
+-****************************(cut)***********************************/
+diff --git a/pppd/md5.c b/pppd/md5.c
+deleted file mode 100644
+index 6f8f7207c592..000000000000
+--- a/pppd/md5.c
++++ /dev/null
+@@ -1,311 +0,0 @@
+-
+-
+-/*
+- ***********************************************************************
+- ** md5.c -- the source code for MD5 routines **
+- ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
+- ** Created: 2/17/90 RLR **
+- ** Revised: 1/91 SRD,AJ,BSK,JT Reference C ver., 7/10 constant corr. **
+- ***********************************************************************
+- */
+-
+-/*
+- ***********************************************************************
+- ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+- ** **
+- ** License to copy and use this software is granted provided that **
+- ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
+- ** Digest Algorithm" in all material mentioning or referencing this **
+- ** software or this function. **
+- ** **
+- ** License is also granted to make and use derivative works **
+- ** provided that such works are identified as "derived from the RSA **
+- ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
+- ** material mentioning or referencing the derived work. **
+- ** **
+- ** RSA Data Security, Inc. makes no representations concerning **
+- ** either the merchantability of this software or the suitability **
+- ** of this software for any particular purpose. It is provided "as **
+- ** is" without express or implied warranty of any kind. **
+- ** **
+- ** These notices must be retained in any copies of any part of this **
+- ** documentation and/or software. **
+- ***********************************************************************
+- */
+-
+-#ifndef USE_EAPTLS
+-
+-#include <string.h>
+-#include "md5.h"
+-
+-/*
+- ***********************************************************************
+- ** Message-digest routines: **
+- ** To form the message digest for a message M **
+- ** (1) Initialize a context buffer mdContext using MD5_Init **
+- ** (2) Call MD5_Update on mdContext and M **
+- ** (3) Call MD5_Final on mdContext **
+- ** The message digest is now in mdContext->digest[0...15] **
+- ***********************************************************************
+- */
+-
+-/* forward declaration */
+-static void Transform (UINT4 *buf, UINT4 *in);
+-
+-static unsigned char PADDING[64] = {
+- 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+-};
+-
+-/* F, G, H and I are basic MD5 functions */
+-#define F(x, y, z) (((x) & (y)) | ((~x) & (z)))
+-#define G(x, y, z) (((x) & (z)) | ((y) & (~z)))
+-#define H(x, y, z) ((x) ^ (y) ^ (z))
+-#define I(x, y, z) ((y) ^ ((x) | (~z)))
+-
+-/* ROTATE_LEFT rotates x left n bits */
+-#define ROTATE_LEFT(x, n) (((x) << (n)) | ((x) >> (32-(n))))
+-
+-/* FF, GG, HH, and II transformations for rounds 1, 2, 3, and 4 */
+-/* Rotation is separate from addition to prevent recomputation */
+-#define FF(a, b, c, d, x, s, ac) \
+- {(a) += F ((b), (c), (d)) + (x) + (UINT4)(ac); \
+- (a) = ROTATE_LEFT ((a), (s)); \
+- (a) += (b); \
+- }
+-#define GG(a, b, c, d, x, s, ac) \
+- {(a) += G ((b), (c), (d)) + (x) + (UINT4)(ac); \
+- (a) = ROTATE_LEFT ((a), (s)); \
+- (a) += (b); \
+- }
+-#define HH(a, b, c, d, x, s, ac) \
+- {(a) += H ((b), (c), (d)) + (x) + (UINT4)(ac); \
+- (a) = ROTATE_LEFT ((a), (s)); \
+- (a) += (b); \
+- }
+-#define II(a, b, c, d, x, s, ac) \
+- {(a) += I ((b), (c), (d)) + (x) + (UINT4)(ac); \
+- (a) = ROTATE_LEFT ((a), (s)); \
+- (a) += (b); \
+- }
+-
+-#ifdef __STDC__
+-#define UL(x) x##U
+-#else
+-#define UL(x) x
+-#endif
+-
+-/* The routine MD5_Init initializes the message-digest context
+- mdContext. All fields are set to zero.
+- */
+-void MD5_Init (mdContext)
+-MD5_CTX *mdContext;
+-{
+- mdContext->i[0] = mdContext->i[1] = (UINT4)0;
+-
+- /* Load magic initialization constants.
+- */
+- mdContext->buf[0] = (UINT4)0x67452301;
+- mdContext->buf[1] = (UINT4)0xefcdab89;
+- mdContext->buf[2] = (UINT4)0x98badcfe;
+- mdContext->buf[3] = (UINT4)0x10325476;
+-}
+-
+-/* The routine MD5Update updates the message-digest context to
+- account for the presence of each of the characters inBuf[0..inLen-1]
+- in the message whose digest is being computed.
+- */
+-void MD5_Update (mdContext, inBuf, inLen)
+-MD5_CTX *mdContext;
+-unsigned char *inBuf;
+-unsigned int inLen;
+-{
+- UINT4 in[16];
+- int mdi;
+- unsigned int i, ii;
+-
+- /* compute number of bytes mod 64 */
+- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+-
+- /* update number of bits */
+- if ((mdContext->i[0] + ((UINT4)inLen << 3)) < mdContext->i[0])
+- mdContext->i[1]++;
+- mdContext->i[0] += ((UINT4)inLen << 3);
+- mdContext->i[1] += ((UINT4)inLen >> 29);
+-
+- while (inLen--) {
+- /* add new character to buffer, increment mdi */
+- mdContext->in[mdi++] = *inBuf++;
+-
+- /* transform if necessary */
+- if (mdi == 0x40) {
+- for (i = 0, ii = 0; i < 16; i++, ii += 4)
+- in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+- (((UINT4)mdContext->in[ii+2]) << 16) |
+- (((UINT4)mdContext->in[ii+1]) << 8) |
+- ((UINT4)mdContext->in[ii]);
+- Transform (mdContext->buf, in);
+- mdi = 0;
+- }
+- }
+-}
+-
+-/* The routine MD5Final terminates the message-digest computation and
+- ends with the desired message digest in mdContext->digest[0...15].
+- */
+-void MD5_Final (hash, mdContext)
+-unsigned char hash[];
+-MD5_CTX *mdContext;
+-{
+- UINT4 in[16];
+- int mdi;
+- unsigned int i, ii;
+- unsigned int padLen;
+-
+- /* save number of bits */
+- in[14] = mdContext->i[0];
+- in[15] = mdContext->i[1];
+-
+- /* compute number of bytes mod 64 */
+- mdi = (int)((mdContext->i[0] >> 3) & 0x3F);
+-
+- /* pad out to 56 mod 64 */
+- padLen = (mdi < 56) ? (56 - mdi) : (120 - mdi);
+- MD5_Update (mdContext, PADDING, padLen);
+-
+- /* append length in bits and transform */
+- for (i = 0, ii = 0; i < 14; i++, ii += 4)
+- in[i] = (((UINT4)mdContext->in[ii+3]) << 24) |
+- (((UINT4)mdContext->in[ii+2]) << 16) |
+- (((UINT4)mdContext->in[ii+1]) << 8) |
+- ((UINT4)mdContext->in[ii]);
+- Transform (mdContext->buf, in);
+-
+- /* store buffer in digest */
+- for (i = 0, ii = 0; i < 4; i++, ii += 4) {
+- mdContext->digest[ii] = (unsigned char)(mdContext->buf[i] & 0xFF);
+- mdContext->digest[ii+1] =
+- (unsigned char)((mdContext->buf[i] >> 8) & 0xFF);
+- mdContext->digest[ii+2] =
+- (unsigned char)((mdContext->buf[i] >> 16) & 0xFF);
+- mdContext->digest[ii+3] =
+- (unsigned char)((mdContext->buf[i] >> 24) & 0xFF);
+- }
+- memcpy(hash, mdContext->digest, 16);
+-}
+-
+-/* Basic MD5 step. Transforms buf based on in.
+- */
+-static void Transform (buf, in)
+-UINT4 *buf;
+-UINT4 *in;
+-{
+- UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
+-
+- /* Round 1 */
+-#define S11 7
+-#define S12 12
+-#define S13 17
+-#define S14 22
+- FF ( a, b, c, d, in[ 0], S11, UL(3614090360)); /* 1 */
+- FF ( d, a, b, c, in[ 1], S12, UL(3905402710)); /* 2 */
+- FF ( c, d, a, b, in[ 2], S13, UL( 606105819)); /* 3 */
+- FF ( b, c, d, a, in[ 3], S14, UL(3250441966)); /* 4 */
+- FF ( a, b, c, d, in[ 4], S11, UL(4118548399)); /* 5 */
+- FF ( d, a, b, c, in[ 5], S12, UL(1200080426)); /* 6 */
+- FF ( c, d, a, b, in[ 6], S13, UL(2821735955)); /* 7 */
+- FF ( b, c, d, a, in[ 7], S14, UL(4249261313)); /* 8 */
+- FF ( a, b, c, d, in[ 8], S11, UL(1770035416)); /* 9 */
+- FF ( d, a, b, c, in[ 9], S12, UL(2336552879)); /* 10 */
+- FF ( c, d, a, b, in[10], S13, UL(4294925233)); /* 11 */
+- FF ( b, c, d, a, in[11], S14, UL(2304563134)); /* 12 */
+- FF ( a, b, c, d, in[12], S11, UL(1804603682)); /* 13 */
+- FF ( d, a, b, c, in[13], S12, UL(4254626195)); /* 14 */
+- FF ( c, d, a, b, in[14], S13, UL(2792965006)); /* 15 */
+- FF ( b, c, d, a, in[15], S14, UL(1236535329)); /* 16 */
+-
+- /* Round 2 */
+-#define S21 5
+-#define S22 9
+-#define S23 14
+-#define S24 20
+- GG ( a, b, c, d, in[ 1], S21, UL(4129170786)); /* 17 */
+- GG ( d, a, b, c, in[ 6], S22, UL(3225465664)); /* 18 */
+- GG ( c, d, a, b, in[11], S23, UL( 643717713)); /* 19 */
+- GG ( b, c, d, a, in[ 0], S24, UL(3921069994)); /* 20 */
+- GG ( a, b, c, d, in[ 5], S21, UL(3593408605)); /* 21 */
+- GG ( d, a, b, c, in[10], S22, UL( 38016083)); /* 22 */
+- GG ( c, d, a, b, in[15], S23, UL(3634488961)); /* 23 */
+- GG ( b, c, d, a, in[ 4], S24, UL(3889429448)); /* 24 */
+- GG ( a, b, c, d, in[ 9], S21, UL( 568446438)); /* 25 */
+- GG ( d, a, b, c, in[14], S22, UL(3275163606)); /* 26 */
+- GG ( c, d, a, b, in[ 3], S23, UL(4107603335)); /* 27 */
+- GG ( b, c, d, a, in[ 8], S24, UL(1163531501)); /* 28 */
+- GG ( a, b, c, d, in[13], S21, UL(2850285829)); /* 29 */
+- GG ( d, a, b, c, in[ 2], S22, UL(4243563512)); /* 30 */
+- GG ( c, d, a, b, in[ 7], S23, UL(1735328473)); /* 31 */
+- GG ( b, c, d, a, in[12], S24, UL(2368359562)); /* 32 */
+-
+- /* Round 3 */
+-#define S31 4
+-#define S32 11
+-#define S33 16
+-#define S34 23
+- HH ( a, b, c, d, in[ 5], S31, UL(4294588738)); /* 33 */
+- HH ( d, a, b, c, in[ 8], S32, UL(2272392833)); /* 34 */
+- HH ( c, d, a, b, in[11], S33, UL(1839030562)); /* 35 */
+- HH ( b, c, d, a, in[14], S34, UL(4259657740)); /* 36 */
+- HH ( a, b, c, d, in[ 1], S31, UL(2763975236)); /* 37 */
+- HH ( d, a, b, c, in[ 4], S32, UL(1272893353)); /* 38 */
+- HH ( c, d, a, b, in[ 7], S33, UL(4139469664)); /* 39 */
+- HH ( b, c, d, a, in[10], S34, UL(3200236656)); /* 40 */
+- HH ( a, b, c, d, in[13], S31, UL( 681279174)); /* 41 */
+- HH ( d, a, b, c, in[ 0], S32, UL(3936430074)); /* 42 */
+- HH ( c, d, a, b, in[ 3], S33, UL(3572445317)); /* 43 */
+- HH ( b, c, d, a, in[ 6], S34, UL( 76029189)); /* 44 */
+- HH ( a, b, c, d, in[ 9], S31, UL(3654602809)); /* 45 */
+- HH ( d, a, b, c, in[12], S32, UL(3873151461)); /* 46 */
+- HH ( c, d, a, b, in[15], S33, UL( 530742520)); /* 47 */
+- HH ( b, c, d, a, in[ 2], S34, UL(3299628645)); /* 48 */
+-
+- /* Round 4 */
+-#define S41 6
+-#define S42 10
+-#define S43 15
+-#define S44 21
+- II ( a, b, c, d, in[ 0], S41, UL(4096336452)); /* 49 */
+- II ( d, a, b, c, in[ 7], S42, UL(1126891415)); /* 50 */
+- II ( c, d, a, b, in[14], S43, UL(2878612391)); /* 51 */
+- II ( b, c, d, a, in[ 5], S44, UL(4237533241)); /* 52 */
+- II ( a, b, c, d, in[12], S41, UL(1700485571)); /* 53 */
+- II ( d, a, b, c, in[ 3], S42, UL(2399980690)); /* 54 */
+- II ( c, d, a, b, in[10], S43, UL(4293915773)); /* 55 */
+- II ( b, c, d, a, in[ 1], S44, UL(2240044497)); /* 56 */
+- II ( a, b, c, d, in[ 8], S41, UL(1873313359)); /* 57 */
+- II ( d, a, b, c, in[15], S42, UL(4264355552)); /* 58 */
+- II ( c, d, a, b, in[ 6], S43, UL(2734768916)); /* 59 */
+- II ( b, c, d, a, in[13], S44, UL(1309151649)); /* 60 */
+- II ( a, b, c, d, in[ 4], S41, UL(4149444226)); /* 61 */
+- II ( d, a, b, c, in[11], S42, UL(3174756917)); /* 62 */
+- II ( c, d, a, b, in[ 2], S43, UL( 718787259)); /* 63 */
+- II ( b, c, d, a, in[ 9], S44, UL(3951481745)); /* 64 */
+-
+- buf[0] += a;
+- buf[1] += b;
+- buf[2] += c;
+- buf[3] += d;
+-}
+-
+-/*
+- ***********************************************************************
+- ** End of md5.c **
+- ******************************** (cut) ********************************
+- */
+-#endif /* USE_EAPTLS */
+-
+diff --git a/pppd/md5.h b/pppd/md5.h
+deleted file mode 100644
+index 14d712171c5e..000000000000
+--- a/pppd/md5.h
++++ /dev/null
+@@ -1,68 +0,0 @@
+-/*
+- ***********************************************************************
+- ** md5.h -- header file for implementation of MD5 **
+- ** RSA Data Security, Inc. MD5 Message-Digest Algorithm **
+- ** Created: 2/17/90 RLR **
+- ** Revised: 12/27/90 SRD,AJ,BSK,JT Reference C version **
+- ** Revised (for MD5): RLR 4/27/91 **
+- ** -- G modified to have y&~z instead of y&z **
+- ** -- FF, GG, HH modified to add in last register done **
+- ** -- Access pattern: round 2 works mod 5, round 3 works mod 3 **
+- ** -- distinct additive constant for each step **
+- ** -- round 4 added, working mod 7 **
+- ***********************************************************************
+- */
+-
+-/*
+- ***********************************************************************
+- ** Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. **
+- ** **
+- ** License to copy and use this software is granted provided that **
+- ** it is identified as the "RSA Data Security, Inc. MD5 Message- **
+- ** Digest Algorithm" in all material mentioning or referencing this **
+- ** software or this function. **
+- ** **
+- ** License is also granted to make and use derivative works **
+- ** provided that such works are identified as "derived from the RSA **
+- ** Data Security, Inc. MD5 Message-Digest Algorithm" in all **
+- ** material mentioning or referencing the derived work. **
+- ** **
+- ** RSA Data Security, Inc. makes no representations concerning **
+- ** either the merchantability of this software or the suitability **
+- ** of this software for any particular purpose. It is provided "as **
+- ** is" without express or implied warranty of any kind. **
+- ** **
+- ** These notices must be retained in any copies of any part of this **
+- ** documentation and/or software. **
+- ***********************************************************************
+- */
+-#ifndef USE_EAPTLS
+-
+-#ifndef __MD5_INCLUDE__
+-
+-/* typedef a 32-bit type */
+-#ifdef _LP64
+-typedef unsigned int UINT4;
+-typedef int INT4;
+-#else
+-typedef unsigned long UINT4;
+-typedef long INT4;
+-#endif
+-#define _UINT4_T
+-
+-/* Data structure for MD5 (Message-Digest) computation */
+-typedef struct {
+- UINT4 i[2]; /* number of _bits_ handled mod 2^64 */
+- UINT4 buf[4]; /* scratch buffer */
+- unsigned char in[64]; /* input buffer */
+- unsigned char digest[16]; /* actual digest after MD5Final call */
+-} MD5_CTX;
+-
+-void MD5_Init (MD5_CTX *mdContext);
+-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen);
+-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
+-
+-#define __MD5_INCLUDE__
+-#endif /* __MD5_INCLUDE__ */
+-
+-#endif /* USE_EAPTLS */
+diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c
+index 8af03aa3713e..90d9b025d211 100644
+--- a/pppd/plugins/radius/md5.c
++++ b/pppd/plugins/radius/md5.c
+@@ -1,7 +1,7 @@
+ /*
+ * $Id: md5.c,v 1.1 2004/11/14 07:26:26 paulus Exp $
+ */
+-#include "md5.h"
++#include <openssl/md5.h>
+
+ void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen)
+ {
+diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
+index 06e00590b635..60282d9b2b9c 100644
+--- a/pppd/plugins/radius/radius.c
++++ b/pppd/plugins/radius/radius.c
+@@ -31,7 +31,7 @@ static char const RCSID[] =
+ #ifdef CHAPMS
+ #include "chap_ms.h"
+ #ifdef MPPE
+-#include "md5.h"
++#include <openssl/md5.h>
+ #endif
+ #endif
+ #include "radiusclient.h"
+diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c
+index bb05acd87dce..5f87a317b677 100644
+--- a/pppd/plugins/winbind.c
++++ b/pppd/plugins/winbind.c
+@@ -38,7 +38,7 @@
+ #include "chap-new.h"
+ #include "chap_ms.h"
+ #ifdef MPPE
+-#include "md5.h"
++#include <openssl/md5.h>
+ #endif
+ #include "fsm.h"
+ #include "ipcp.h"
+diff --git a/pppd/sha1.c b/pppd/sha1.c
+deleted file mode 100644
+index f4f975cf516f..000000000000
+--- a/pppd/sha1.c
++++ /dev/null
+@@ -1,170 +0,0 @@
+-/*
+- * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c
+- *
+- * SHA-1 in C
+- * By Steve Reid <steve@edmweb.com>
+- * 100% Public Domain
+- *
+- * Test Vectors (from FIPS PUB 180-1)
+- * "abc"
+- * A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
+- * "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
+- * 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
+- * A million repetitions of "a"
+- * 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
+- */
+-
+-/* #define SHA1HANDSOFF * Copies data before messing with it. */
+-
+-#include <string.h>
+-#include <netinet/in.h> /* htonl() */
+-#include <net/ppp_defs.h>
+-#include "sha1.h"
+-
+-static void
+-SHA1_Transform(u_int32_t[5], const unsigned char[64]);
+-
+-#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
+-
+-/* blk0() and blk() perform the initial expand. */
+-/* I got the idea of expanding during the round function from SSLeay */
+-#define blk0(i) (block->l[i] = htonl(block->l[i]))
+-#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
+- ^block->l[(i+2)&15]^block->l[i&15],1))
+-
+-/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
+-#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
+-#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
+-#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
+-#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
+-#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
+-
+-
+-/* Hash a single 512-bit block. This is the core of the algorithm. */
+-
+-static void
+-SHA1_Transform(u_int32_t state[5], const unsigned char buffer[64])
+-{
+- u_int32_t a, b, c, d, e;
+- typedef union {
+- unsigned char c[64];
+- u_int32_t l[16];
+- } CHAR64LONG16;
+- CHAR64LONG16 *block;
+-
+-#ifdef SHA1HANDSOFF
+- static unsigned char workspace[64];
+- block = (CHAR64LONG16 *) workspace;
+- memcpy(block, buffer, 64);
+-#else
+- block = (CHAR64LONG16 *) buffer;
+-#endif
+- /* Copy context->state[] to working vars */
+- a = state[0];
+- b = state[1];
+- c = state[2];
+- d = state[3];
+- e = state[4];
+- /* 4 rounds of 20 operations each. Loop unrolled. */
+- R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
+- R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
+- R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
+- R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
+- R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
+- R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
+- R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
+- R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
+- R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
+- R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
+- R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
+- R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
+- R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
+- R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
+- R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
+- R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
+- R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
+- R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
+- R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
+- R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
+- /* Add the working vars back into context.state[] */
+- state[0] += a;
+- state[1] += b;
+- state[2] += c;
+- state[3] += d;
+- state[4] += e;
+- /* Wipe variables */
+- a = b = c = d = e = 0;
+-}
+-
+-
+-/* SHA1Init - Initialize new context */
+-
+-void
+-SHA1_Init(SHA1_CTX *context)
+-{
+- /* SHA1 initialization constants */
+- context->state[0] = 0x67452301;
+- context->state[1] = 0xEFCDAB89;
+- context->state[2] = 0x98BADCFE;
+- context->state[3] = 0x10325476;
+- context->state[4] = 0xC3D2E1F0;
+- context->count[0] = context->count[1] = 0;
+-}
+-
+-
+-/* Run your data through this. */
+-
+-void
+-SHA1_Update(SHA1_CTX *context, const unsigned char *data, unsigned int len)
+-{
+- unsigned int i, j;
+-
+- j = (context->count[0] >> 3) & 63;
+- if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
+- context->count[1] += (len >> 29);
+- i = 64 - j;
+- while (len >= i) {
+- memcpy(&context->buffer[j], data, i);
+- SHA1_Transform(context->state, context->buffer);
+- data += i;
+- len -= i;
+- i = 64;
+- j = 0;
+- }
+-
+- memcpy(&context->buffer[j], data, len);
+-}
+-
+-
+-/* Add padding and return the message digest. */
+-
+-void
+-SHA1_Final(unsigned char digest[20], SHA1_CTX *context)
+-{
+- u_int32_t i, j;
+- unsigned char finalcount[8];
+-
+- for (i = 0; i < 8; i++) {
+- finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
+- >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
+- }
+- SHA1_Update(context, (unsigned char *) "\200", 1);
+- while ((context->count[0] & 504) != 448) {
+- SHA1_Update(context, (unsigned char *) "\0", 1);
+- }
+- SHA1_Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
+- for (i = 0; i < 20; i++) {
+- digest[i] = (unsigned char)
+- ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
+- }
+- /* Wipe variables */
+- i = j = 0;
+- memset(context->buffer, 0, 64);
+- memset(context->state, 0, 20);
+- memset(context->count, 0, 8);
+- memset(&finalcount, 0, 8);
+-#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */
+- SHA1Transform(context->state, context->buffer);
+-#endif
+-}
+-
+diff --git a/pppd/sha1.h b/pppd/sha1.h
+deleted file mode 100644
+index 83f64df25843..000000000000
+--- a/pppd/sha1.h
++++ /dev/null
+@@ -1,31 +0,0 @@
+-/* sha1.h */
+-
+-/* If OpenSSL is in use, then use that version of SHA-1 */
+-#ifdef OPENSSL
+-#include <t_sha.h>
+-#define __SHA1_INCLUDE_
+-#endif
+-
+-#ifndef __SHA1_INCLUDE_
+-
+-#ifndef SHA1_SIGNATURE_SIZE
+-#ifdef SHA_DIGESTSIZE
+-#define SHA1_SIGNATURE_SIZE SHA_DIGESTSIZE
+-#else
+-#define SHA1_SIGNATURE_SIZE 20
+-#endif
+-#endif
+-
+-typedef struct {
+- u_int32_t state[5];
+- u_int32_t count[2];
+- unsigned char buffer[64];
+-} SHA1_CTX;
+-
+-extern void SHA1_Init(SHA1_CTX *);
+-extern void SHA1_Update(SHA1_CTX *, const unsigned char *, unsigned int);
+-extern void SHA1_Final(unsigned char[SHA1_SIGNATURE_SIZE], SHA1_CTX *);
+-
+-#define __SHA1_INCLUDE_
+-#endif /* __SHA1_INCLUDE_ */
+-
diff --git a/patches/ppp-2.4.7/0030-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
index 213b7deb0..bf83278a9 100644
--- a/patches/ppp-2.4.7/0030-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
+++ b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
@@ -21,18 +21,22 @@ This updates the code to use current openssl.
Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
+
+Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+
+Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/Makefile.linux | 7 ++++---
pppd/pppcrypt.c | 18 +++++++++---------
2 files changed, 13 insertions(+), 12 deletions(-)
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index f1b2c90bb510..4d536f84c7ba 100644
+index 58a634ce8c3b..cb9d4f9dcf22 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -35,10 +35,10 @@ endif
COPTS = -O2 -pipe -Wall -g
- LIBS =
+ LIBS = -lcrypto
-# Uncomment the next 2 lines to include support for Microsoft's
+# Uncomment the next line to include support for Microsoft's
@@ -43,7 +47,7 @@ index f1b2c90bb510..4d536f84c7ba 100644
# Don't use MSLANMAN unless you really know what you're doing.
#MSLANMAN=y
# Uncomment the next line to include support for MPPE. CHAPMS (above) must
-@@ -137,7 +137,8 @@ endif
+@@ -138,7 +138,8 @@ endif
ifdef NEEDDES
ifndef USE_CRYPT
diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
index d5924f373..c205b15ed 100644
--- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
+++ b/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
@@ -6,42 +6,52 @@ The pppd Makefile is not SYSROOT aware. This patch replaces all
occurrences of absolute paths by their corresponding SYSROOT relative
ones.
Skip the 'wildcard' check completely. Libcrypt is always needed anyways.
+Drop search paths in /usr/local and /usr/kerberos. Those are not needed and
+don't exist anyways.
Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
- pppd/Makefile.linux | 8 +++-----
- 1 file changed, 3 insertions(+), 5 deletions(-)
+ pppd/Makefile.linux | 10 ++++------
+ 1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 4d536f84c7ba..30eb12f9d11d 100644
+index cb9d4f9dcf22..ea0a7f02766b 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
-@@ -100,8 +100,8 @@ endif
+@@ -103,8 +103,8 @@ endif
# EAP SRP-SHA1
ifdef USE_SRP
-CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
--LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto
-+CFLAGS += -DUSE_SRP -DOPENSSL -I$(SYSROOT)/usr/local/ssl/include
-+LIBS += -lsrp -L$(SYSROOT)/usr/local/ssl/lib -lcrypto
+-LIBS += -lsrp -L/usr/local/ssl/lib
++CFLAGS += -DUSE_SRP -DOPENSSL
++LIBS += -lsrp
TARGETS += srp-entry
EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
MANPAGES += srp-entry.8
-@@ -124,11 +124,9 @@ endif
- ifdef NO_CRYPT_HACK
- CFLAGS += -DNO_CRYPT_HACK
- else
+@@ -114,7 +114,7 @@ endif
+
+ # EAP-TLS
+ ifdef USE_EAPTLS
+-CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
++CFLAGS += -DUSE_EAPTLS=1
+ LIBS += -lssl
+ PPPDSRC += eap-tls.c
+ HEADERS += eap-tls.h
+@@ -126,10 +126,8 @@ CFLAGS += -DHAS_SHADOW
+ #LIBS += -lshadow $(LIBS)
+ endif
+
-ifneq ($(wildcard /usr/include/crypt.h),)
CFLAGS += -DHAVE_CRYPT_H=1
LIBS += -lcrypt
- endif
-endif
ifdef USE_LIBUTIL
CFLAGS += -DHAVE_LOGWTMP=1
-@@ -137,7 +135,7 @@ endif
+@@ -138,7 +136,7 @@ endif
ifdef NEEDDES
ifndef USE_CRYPT
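Review bot: With the explicit `-I$(SYSROOT)/usr/local/ssl/include` / `-L$(SYSROOT)/usr/local/ssl/lib` gone from the USE_SRP branch and `-I/usr/kerberos/include` gone from USE_EAPTLS, OpenSSL headers and libcrypto are now resolved only through the toolchain's default sysroot paths, so the ptxdist ppp rule must select openssl unconditionally and order it before ppp in the build. That rule is outside this diffstat (limited to patches/), so please confirm it was updated in the same series; the base `LIBS = -lcrypto` introduced by the 0039 patch makes the link fail otherwise. The header's "Libcrypt is always needed anyways" still refers to `-lcrypt` for `crypt()`, which is separate from libcrypto; a one-line note in the patch description distinguishing the two would save the next reader the confusion, e.g. `libcrypt (crypt()) is still linked unconditionally; libcrypto comes from the Debian 0039 patch.`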
diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
index 0747d58b6..f57361a4c 100644
--- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
+++ b/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
@@ -32,13 +32,13 @@ index 6a55e0f08be4..3886564fa495 100755
Linux)
makext="linux";
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 732cc8b411d2..193d884b898b 100644
+index bc29968d44c9..e010ad215981 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
-@@ -44,5 +44,5 @@ clean:
- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done
+@@ -47,5 +47,5 @@ clean:
+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
depend:
- $(CPP) -M $(CFLAGS) *.c >.depend
+ $(CC) -M $(CFLAGS) *.c >.depend
- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done
+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done
diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series
index 84cc56bc0..6aeaf1984 100644
--- a/patches/ppp-2.4.7/series
+++ b/patches/ppp-2.4.7/series
@@ -1,36 +1,46 @@
# generated by git-ptx-patches
#tag:base --start-number 1
-0001-adaptive_echos.patch
-0002-Makefiles-cleanup.patch
-0003-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
-0004-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
-0005-support-building-pppdump-with-the-system-zlib.patch
-0006-disable-unneeded-code-in-the-pppoatm-plugin.patch
-0007-cosmetic-cleanup-of-the-pppoatm-plugin.patch
-0008-pppoe_noads.patch
-0009-make-_PATH_CONNERRS-world-readable.patch
-0010-Correct-unkown-unknown-typo.patch
-0011-pppoe-custom-host-uniq-tag.patch
-0012-scripts_redialer.patch
-0013-Add-replacedefaultroute-option.patch
-0014-ppp-2.3.11-oedod.patch
-0015-add-support-for-the-Framed-MTU-Radius-attribute.patch
-0016-ip-up_option.patch
-0017-ppp-2.4.2-stripMSdomain.patch
-0018-export-CALL_FILE-to-the-link-scripts.patch
-0019-ipv6-accept-remote.patch
-0020-allow-use-of-arbitrary-interface-names.patch
-0021-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
-0022-scripts-README.patch
-0023-no_crypt_hack.patch
-0024-resolv.conf_no_log.patch
-0025-Debian-specific-changes.patch
-0026-secure-card-interpreter-fix.patch
-0027-Fix-buffer-overflow-in-rc_mksid.patch
-0028-Add-a-SONAME-to-the-pppd-binary.patch
-0029-Fix-FTBFS-in-rp-pppoe.patch
-0030-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
+0001-abort-on-errors-in-subdir-builds.patch
+0002-scripts-Avoid-killing-wrong-pppd.patch
+0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
+0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
+0005-Send-PADT-on-PPPoE-disconnect.patch
+0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
+0007-pppd-Fix-ccp_options.mppe-type.patch
+0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
+0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
+0010-plog-count-only-relevant-lines-from-syslog.patch
+0011-Change-include-from-sys-errno.h-to-errno.h.patch
+0012-pppd-allow-use-of-arbitrary-interface-names.patch
+0013-pppd-Remove-unused-declaration-of-ttyname.patch
+0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
+0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
+0016-adaptive_echos.patch
+0017-Makefiles-cleanup.patch
+0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
+0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
+0020-support-building-pppdump-with-the-system-zlib.patch
+0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
+0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
+0023-pppoe_noads.patch
+0024-make-_PATH_CONNERRS-world-readable.patch
+0025-Correct-unkown-unknown-typo.patch
+0026-pppoe-custom-host-uniq-tag.patch
+0027-Add-replacedefaultroute-option.patch
+0028-ppp-2.3.11-oedod.dif.patch
+0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
+0030-018_ip-up_option.patch
+0031-ppp-2.4.2-stripMSdomain.patch
+0032-export-CALL_FILE-to-the-link-scripts.patch
+0033-ipv6-accept-remote.patch
+0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
+0035-resolv.conf_no_log.patch
+0036-Debian-specific-changes.patch
+0037-Fix-buffer-overflow-in-rc_mksid.patch
+0038-EAP-TLS-authentication-support-for-PPP.patch
+0039-Replace-vendored-hash-functions-with-libcrypto.patch
+0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
#tag:ptx --start-number 100
0100-pppd-make-makefile-sysroot-aware.patch
0101-pppd-make-the-self-made-configure-cross-aware.patch
-# 96f4a97d9fbe6803172eb6dd4b24afd2 - git-ptx-patches magic
+# b0e349fd34b2aac1a9ba4ffb38f43be0 - git-ptx-patches magic
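Review bot: Six patches from the old series have no counterpart in the new one — `0012-scripts_redialer`, `0022-scripts-README`, `0023-no_crypt_hack`, `0026-secure-card-interpreter-fix`, `0028-Add-a-SONAME-to-the-pppd-binary` and `0029-Fix-FTBFS-in-rp-pppoe` — while the commit message only speaks of patches being added. Presumably Debian dropped them from its stack, and the 0100 sysroot patch in this commit is consistently updated to no longer expect the `NO_CRYPT_HACK` block, but the removals should be stated explicitly so the dropped changes can be checked against ptxdist's own ppp rule and menu. The two buffer-overflow fixes (`0034-...rc_map` and `0037-...rc_mksid`) are retained, which is worth noting as well. I'd add one sentence to the commit message such as `Dropped patches no longer in Debian: scripts_redialer, scripts-README, no_crypt_hack, secure-card-interpreter-fix, Add-a-SONAME, Fix-FTBFS-in-rp-pppoe.`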