From ad5e2374ccee99e11b6c942e635d775615a5093e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= Date: Mon, 6 Apr 2020 18:33:17 +0200 Subject: [PATCH] Updated EAP-TLS patch to v1.201 --- ...patch => ppp-2.4.8-eaptls-mppe-1.201.patch | 863 ++++++++++++++---- ppp.spec | 8 +- 2 files changed, 697 insertions(+), 174 deletions(-) rename ppp-2.4.8-eaptls-mppe-1.102.patch => ppp-2.4.8-eaptls-mppe-1.201.patch (78%) diff --git a/ppp-2.4.8-eaptls-mppe-1.102.patch b/ppp-2.4.8-eaptls-mppe-1.201.patch similarity index 78% rename from ppp-2.4.8-eaptls-mppe-1.102.patch rename to ppp-2.4.8-eaptls-mppe-1.201.patch index c594eba..ca3e872 100644 --- a/ppp-2.4.8-eaptls-mppe-1.102.patch +++ b/ppp-2.4.8-eaptls-mppe-1.201.patch @@ -1,7 +1,7 @@ -diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.102/README.eap-tls ---- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/README.eap-tls 2018-11-02 17:14:08.101636586 +0100 -@@ -0,0 +1,291 @@ +diff -Naur ppp-2.4.8/README.eap-tls ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls +--- ppp-2.4.8/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/README.eap-tls 2020-04-03 14:02:19.334905035 +0200 +@@ -0,0 +1,301 @@ +EAP-TLS authentication support for PPP +====================================== + 
@@ -293,9 +293,19 @@ diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.102/README.eap-tls + - Print warning when certificate is either not yet valid or has expired. + - Perform better peer certificate checks. + - Allow certificate chain files to be used. -diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/eaptls-client ---- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/eaptls-client 2018-10-30 16:47:59.527263750 +0100 ++v1.200 (28-Feb-2020) ++ - First version of patch that was used to create a github PR against the main ppp code base. ++ - Add client-side 'capath' option to allow a directory with trusted CA certificates. ++ - Add compile-time Makefile option to have pppd use either the internal MD5+SHA1 functions or ++ use the ones supplied by OpenSSL. ++ - Code now also builds on Solaris (x86 tested) but has not been tested yet, as the Solaris ppp ++ kernel driver does not support MPPE. ++v1.201 (03-Apr-2020) ++ - Force use of TLSv1.2 even if TLSv1.3 is available (with OpenSSL 1.1.1+). This ensures that ++ you can compile and link against OpenSSL 1.1.1+ without breaking the TLS negotiation. +diff -Naur ppp-2.4.8/etc.ppp/eaptls-client ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client +--- ppp-2.4.8/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-client 2020-04-03 14:02:19.334905035 +0200 @@ -0,0 +1,10 @@ +# Parameters for authentication using EAP-TLS (client) + 
@@ -307,9 +317,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/e +# client private key file (required) + +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/eaptls-server ---- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/eaptls-server 2018-10-30 16:47:59.527263750 +0100 +diff -Naur ppp-2.4.8/etc.ppp/eaptls-server ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server +--- ppp-2.4.8/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/eaptls-server 2020-04-03 14:02:19.334905035 +0200 @@ -0,0 +1,11 @@ +# Parameters for authentication using EAP-TLS (server) + @@ -322,9 +332,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/e +# allowed addresses (required, can be *) + +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/openssl.cnf ---- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/openssl.cnf 2018-10-30 16:47:59.527263750 +0100 +diff -Naur ppp-2.4.8/etc.ppp/openssl.cnf ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf +--- ppp-2.4.8/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/etc.ppp/openssl.cnf 2020-04-03 14:02:19.334905035 +0200 @@ -0,0 +1,14 @@ +openssl_conf = openssl_def + 
@@ -340,9 +350,9 @@ diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.102/etc.ppp/ope +MODULE_PATH = /usr/lib64/libeTPkcs11.so +init = 0 + -diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.102/linux/Makefile.top ---- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/linux/Makefile.top 2018-10-30 16:47:59.528263707 +0100 +diff -Naur ppp-2.4.8/linux/Makefile.top ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top +--- ppp-2.4.8/linux/Makefile.top 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/linux/Makefile.top 2020-04-03 14:02:19.334905035 +0200 @@ -26,7 +26,7 @@ cd pppdump; $(MAKE) $(MFLAGS) install 
@@ -363,39 +373,134 @@ diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.102/linux/Makefi $(BINDIR): $(INSTALL) -d -m 755 $@ -diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.102/pppd/Makefile.linux ---- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/Makefile.linux 2018-10-30 16:47:59.528263707 +0100 -@@ -76,6 +76,9 @@ +diff -Naur ppp-2.4.8/pppd/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux +--- ppp-2.4.8/pppd/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.linux 2020-04-03 14:02:19.335905034 +0200 +@@ -11,16 +11,16 @@ + + TARGETS = pppd + +-PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c md5.c ccp.c \ +- ecp.c ipxcp.c auth.c options.c sys-linux.c md4.c chap_ms.c \ ++PPPDSRCS = main.c magic.c fsm.c lcp.c ipcp.c upap.c chap-new.c ccp.c \ ++ ecp.c ipxcp.c auth.c options.c sys-linux.c chap_ms.c \ + demand.c utils.c tty.c eap.c chap-md5.c session.c + + HEADERS = ccp.h session.h chap-new.h ecp.h fsm.h ipcp.h \ +- ipxcp.h lcp.h magic.h md5.h patchlevel.h pathnames.h pppd.h \ ++ ipxcp.h lcp.h magic.h patchlevel.h pathnames.h pppd.h \ + upap.h eap.h + + MANPAGES = pppd.8 +-PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o md5.o ccp.o \ ++PPPDOBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o ccp.o \ + ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ + eap.o chap-md5.o session.o + +@@ -81,6 +81,13 @@ # Use libutil USE_LIBUTIL=y -+# Enable EAP-TLS authentication (requires libssl and libcrypto) ++# Enable EAP-TLS authentication (requires MPPE support, libssl and libcrypto) +USE_EAPTLS=y ++ ++# Either use the internal {md5,sha1} routines or use the openssl versions ++USE_OPENSSL_MD5=y ++USE_OPENSSL_SHA1=y + MAXOCTETS=y INCLUDE_DIRS= -I../include -@@ -115,6 +118,15 @@ - PPPDOBJS += sha1.o +@@ -92,8 +99,9 @@ + ifdef CHAPMS + CFLAGS += -DCHAPMS=1 + NEEDDES=y +-PPPDOBJS += 
md4.o chap_ms.o ++PPPDSRC += md4.c chap_ms.c + HEADERS += md4.h chap_ms.h ++PPPDOBJS += md4.o chap_ms.o + ifdef MSLANMAN + CFLAGS += -DMSLANMAN=1 endif - +@@ -111,11 +119,31 @@ + MANPAGES += srp-entry.8 + EXTRACLEAN += srp-entry.o + NEEDDES=y ++endif ++ +# EAP-TLS +ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include ++CFLAGS += -DUSE_EAPTLS=1 +LIBS += -lssl -lcrypto +PPPDSRC += eap-tls.c +HEADERS += eap-tls.h +PPPDOBJS += eap-tls.o +endif + - ifdef HAS_SHADOW - CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) -diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c ---- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c 2018-10-30 16:47:59.530263608 +0100 -@@ -109,6 +109,9 @@ ++ifdef USE_OPENSSL_MD5 ++CFLAGS += -DUSE_OPENSSL_MD5=1 ++LIBS += -lcrypto ++else ++PPPDSRC += md5.c ++HEADERS += md5.h ++PPPDOBJS += md5.o ++endif ++ ++ifdef USE_OPENSSL_SHA1 ++CFLAGS += -DUSE_OPENSSL_SHA1=1 ++LIBS += -lcrypto + else +-# OpenSSL has an integrated version of SHA-1, and its implementation +-# is incompatible with this local SHA-1 implementation. We must use +-# one or the other, not both. 
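Review bot: The source-list lines added in this hunk and in `@@ -111,11 +119,31 @@` append to `PPPDSRC`, but the variable defined at the top of Makefile.linux (visible in the `@@ -11,16 +11,16 @@` hunk) is `PPPDSRCS`, so `md4.c chap_ms.c`, `md5.c` and `sha1.c` no longer reach it; the `sha1.c` line even rewrites upstream's correct `PPPDSRCS += sha1.c` to the unused name. If `PPPDSRCS` feeds the `depend` target as it does upstream (that target is outside this view), those files silently lose dependency tracking rather than failing the build. Change them to `PPPDSRCS += md4.c chap_ms.c`, `PPPDSRCS += md5.c` and `PPPDSRCS += sha1.c`, and fix the pre-existing `PPPDSRC += eap-tls.c` in the same pass.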
+-PPPDSRCS += sha1.c ++PPPDSRC += sha1.c + HEADERS += sha1.h + PPPDOBJS += sha1.o + endif +diff -Naur ppp-2.4.8/pppd/Makefile.sol2 ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 +--- ppp-2.4.8/pppd/Makefile.sol2 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/Makefile.sol2 2020-04-03 14:02:19.335905034 +0200 +@@ -5,10 +5,10 @@ + + include ../Makedefs.com + +-CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="@DESTDIR@"' ++CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="/usr/local"' + LIBS = -lsocket -lnsl + +-OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o md5.o \ ++OBJS = main.o magic.o fsm.o lcp.o ipcp.o upap.o chap-new.o eap.o \ + tty.o ccp.o ecp.o auth.o options.o demand.o utils.o sys-solaris.o \ + chap-md5.o session.o + +@@ -37,7 +37,21 @@ + + # Uncomment to enable MS-CHAP + CFLAGS += -DUSE_CRYPT -DCHAPMS -DMSLANMAN -DHAVE_CRYPT_H +-OBJS += chap_ms.o pppcrypt.o md4.o sha1.o ++OBJS += chap_ms.o pppcrypt.o md4.o ++ ++# Uncomment to enable MPPE (in both CHAP and EAP-TLS) ++CFLAGS += -DMPPE ++ ++# Uncomment to use the OpenSSL {md5,sha1} routines ++#CFLAGS += -DUSE_OPENSSL_MD5 -DUSE_OPENSSL_SHA1 ++#LIBS += -lcrypto ++# else ++OBJS += md5.o sha1.o ++ ++# Uncomment to enable EAP-TLS ++CFLAGS += -DUSE_EAPTLS ++LIBS += -lcrypto -lssl ++OBJS += eap-tls.o + + # Uncomment for CBCP + #CFLAGS += -DCBCP_SUPPORT +diff -Naur ppp-2.4.8/pppd/auth.c ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c +--- ppp-2.4.8/pppd/auth.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/auth.c 2020-04-03 14:02:19.337905032 +0200 +@@ -113,6 +113,9 @@ #include "upap.h" #include "chap-new.h" #include "eap.h" @@ -405,7 +510,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c #ifdef CBCP_SUPPORT #include "cbcp.h" #endif -@@ -183,6 +186,11 @@ +@@ -186,6 +189,11 @@ /* Hook for a plugin to get the CHAP password for authenticating us */ int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; 
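Review bot: Replacing `'-DDESTDIR="@DESTDIR@"'` with a hardcoded `"/usr/local"` in the Makefile.sol2 CFLAGS line (hunk `@@ -5,10 +5,10 @@`) has nothing to do with EAP-TLS and looks like a local build workaround that slipped into the patch; `@DESTDIR@` is presumably substituted by the configure step (outside this view), so the change pins the Solaris install prefix and diverges from the Linux build. Keep the upstream line `CFLAGS = -I../include -DSVR4 -DSOL2 $(COPTS) '-DDESTDIR="@DESTDIR@"'` and, if a default is really needed, provide it through the substitution rather than in the makefile.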
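Review bot: The new Makefile.sol2 block (hunk `@@ -37,7 +37,21 @@`) is headed "Uncomment to enable MPPE" and "Uncomment to enable EAP-TLS", yet `CFLAGS += -DMPPE`, `CFLAGS += -DUSE_EAPTLS`, `LIBS += -lcrypto -lssl` and `OBJS += eap-tls.o` are all already active, so the comments contradict the lines they describe; the README hunk in this same commit says the Solaris ppp kernel driver does not support MPPE and the code is untested there, which argues for shipping these commented out like the `USE_OPENSSL_*` lines. The `# else` after the commented OpenSSL block is only a comment, so `OBJS += md5.o sha1.o` stays unconditional and anyone who enables the OpenSSL routines would likely link both SHA-1/MD5 implementations at once. Suggest shipping `#CFLAGS += -DMPPE` and `#CFLAGS += -DUSE_EAPTLS` (with the matching `LIBS`/`OBJS` lines commented), and rewording the comment to say which lines to swap.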
@@ -417,12 +522,13 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c /* Hook for a plugin to say whether it is OK if the peer refuses to authenticate. */ int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,14 @@ +@@ -241,6 +249,15 @@ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ +#ifdef USE_EAPTLS +char *cacert_file = NULL; /* CA certificate file (pem format) */ ++char *ca_path = NULL; /* directory with CA certificates */ +char *cert_file = NULL; /* client certificate file (pem format) */ +char *privkey_file = NULL; /* client private key file (pem format) */ +char *crl_dir = NULL; /* directory containing CRL files */ @@ -432,7 +538,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c static char *uafname; /* name of most recent +ua file */ -@@ -254,6 +270,19 @@ +@@ -257,6 +274,19 @@ static int have_chap_secret __P((char *, char *, int, int *)); static int have_srp_secret __P((char *client, char *server, int need_ip, int *lacks_ipp)); @@ -452,12 +558,13 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, struct wordlist **, -@@ -401,6 +430,15 @@ +@@ -404,6 +434,16 @@ "Set telephone number(s) which are allowed to connect", OPT_PRIV | OPT_A2LIST }, +#ifdef USE_EAPTLS + { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, ++ { "capath", o_string, &ca_path, "EAP-TLS CA certificate directory" }, + { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, + { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, + { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, 
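Review bot: The new `capath` option's help text ("EAP-TLS CA certificate directory", hunk `@@ -401,6 +430,15 @@`) does not say that the directory must use OpenSSL's hashed-filename layout; the value ends up in `SSL_CTX_load_verify_locations(ctx, cacertfile, capath)` later in this patch, which looks certificates up by subject-name hash, so a directory of plainly named PEM files is effectively ignored and peer verification then fails unless `ca` also names a usable file. Suggest `{ "capath", o_string, &ca_path, "EAP-TLS CA certificate directory (hashed, see openssl rehash)" }` and a matching sentence in the README and man page. The enclosing options table begins outside this hunk.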
@@ -468,7 +575,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c { NULL } }; -@@ -730,6 +768,9 @@ +@@ -737,6 +777,9 @@ lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; @@ -478,7 +585,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c int i; struct protent *protp; -@@ -764,6 +805,22 @@ +@@ -771,6 +814,22 @@ } } @@ -501,7 +608,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c new_phase(PHASE_AUTHENTICATE); auth = 0; if (go->neg_eap) { -@@ -1277,6 +1334,15 @@ +@@ -1291,6 +1350,15 @@ our_name, 1, &lacks_ip); } @@ -517,7 +624,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c if (auth_required && !can_auth && noauth_addrs == NULL) { if (default_auth) { option_error( -@@ -1331,7 +1397,11 @@ +@@ -1345,7 +1413,11 @@ passwd[0] != 0 || (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL))) || @@ -530,7 +637,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c hadchap = -1; if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1416,14 @@ +@@ -1360,8 +1432,14 @@ !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, NULL))) && !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, @@ -546,7 +653,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c } -@@ -1707,6 +1783,7 @@ +@@ -1721,6 +1799,7 @@ } @@ -554,7 +661,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c /* * get_secret - open the CHAP secret file and return the secret * for authenticating the given client on the given server. -@@ -2359,3 +2436,335 @@ +@@ -2373,3 +2452,345 @@ auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); } 
@@ -631,7 +738,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c + else if (server != NULL && server[0] == 0) + server = NULL; + -+ if (cacert_file && cert_file && privkey_file) ++ if ((cacert_file || ca_path) && cert_file && privkey_file) + return 1; + + filename = _PATH_EAPTLSCLIFILE; @@ -823,13 +930,14 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c + +int +get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, am_server) ++ cacertfile, capath, pkfile, am_server) + int unit; + char *client; + char *server; + char *clicertfile; + char *servcertfile; + char *cacertfile; ++ char *capath; + char *pkfile; + int am_server; +{ @@ -839,13 +947,22 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c + struct wordlist *addrs = NULL; + struct wordlist *opts = NULL; + -+ /* in client mode the ca+cert+privkey can also be specified as options */ -+ if (!am_server && cacert_file && cert_file && privkey_file ) ++ /* maybe overkill, but it eases debugging */ ++ bzero(clicertfile, MAXWORDLEN); ++ bzero(servcertfile, MAXWORDLEN); ++ bzero(cacertfile, MAXWORDLEN); ++ bzero(capath, MAXWORDLEN); ++ bzero(pkfile, MAXWORDLEN); ++ ++ /* the ca+cert+privkey can also be specified as options */ ++ if (!am_server && (cacert_file || ca_path) && cert_file && privkey_file ) + { + strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); ++ if (cacert_file) ++ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); ++ if (ca_path) ++ strlcpy( capath, ca_path, MAXWORDLEN ); + strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ servcertfile[0] = '\0'; + } + else + { 
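Review bot: The `bzero(..., MAXWORDLEN)` calls added at the top of `get_eaptls_secret` (hunk `@@ -839,13 +947,22 @@`) turn the five `char *` output parameters into a hard requirement that every caller passes a buffer of at least `MAXWORDLEN` bytes; the two callers visible in eap-tls.c do, but neither the prototype in eap-tls.h nor the function comment says so, and a smaller buffer would be an out-of-bounds write. Replace `/* maybe overkill, but it eases debugging */` with `/* all five output buffers must be at least MAXWORDLEN bytes; cleared so an absent entry yields "" */` and repeat the size contract on the prototype. `memset(p, 0, MAXWORDLEN)` would also be preferable to `bzero`, which POSIX.1-2008 removed. The function's body continues outside the hunk.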
@@ -890,10 +1007,10 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.102/pppd/auth.c +} +#endif + -diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.102/pppd/ccp.c ---- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/ccp.c 2018-10-30 16:47:59.531263554 +0100 -@@ -540,6 +540,9 @@ +diff -Naur ppp-2.4.8/pppd/ccp.c ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c +--- ppp-2.4.8/pppd/ccp.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/ccp.c 2020-04-03 14:02:19.337905032 +0200 +@@ -539,6 +539,9 @@ if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; int auth_mschap_bits = auth_done[f->unit]; @@ -903,7 +1020,7 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.102/pppd/ccp.c int numbits; /* -@@ -567,8 +570,23 @@ +@@ -566,8 +569,23 @@ lcp_close(f->unit, "MPPE required but not available"); return; } @@ -928,28 +1045,68 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.102/pppd/ccp.c lcp_close(f->unit, "MPPE required but not available"); return; } -diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.102/pppd/chap-md5.c ---- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/chap-md5.c 2018-10-30 16:47:59.532263499 +0100 +diff -Naur ppp-2.4.8/pppd/chap-md5.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c +--- ppp-2.4.8/pppd/chap-md5.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap-md5.c 2020-04-03 14:02:19.337905032 +0200 
@@ -36,7 +36,11 @@ #include "chap-new.h" #include "chap-md5.h" #include "magic.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" ++#ifdef USE_OPENSSL_MD5 ++#include "openssl/md5.h" +#else #include "md5.h" -+#endif /* USE_EAPTLS */ ++#endif /* USE_OPENSSL_MD5 */ #define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 -diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c ---- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c 2018-11-02 16:53:05.996742547 +0100 -@@ -0,0 +1,1383 @@ +diff -Naur ppp-2.4.8/pppd/chap_ms.c ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c +--- ppp-2.4.8/pppd/chap_ms.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/chap_ms.c 2020-04-03 14:02:19.338905030 +0200 +@@ -534,7 +534,7 @@ + char *username, u_char Challenge[8]) + + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char sha1Hash[SHA1_SIGNATURE_SIZE]; + char *user; + +@@ -670,7 +670,7 @@ + 0x6E }; + + int i; +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char Digest[SHA1_SIGNATURE_SIZE]; + u_char Challenge[8]; + +@@ -724,7 +724,7 @@ + void + mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + + SHA1_Init(&sha1Context); +@@ -768,7 +768,7 @@ + mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], + u_char NTResponse[24], int IsServer) + { +- SHA1_CTX sha1Context; ++ SHA_CTX sha1Context; + u_char MasterKey[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + u_char Digest[SHA1_SIGNATURE_SIZE]; /* >= MPPE_MAX_KEY_LEN */ + +diff -Naur ppp-2.4.8/pppd/eap-tls.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c +--- ppp-2.4.8/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.c 2020-04-03 14:02:19.338905030 +0200 +@@ -0,0 +1,1442 @@ +/* * eap-tls.c - EAP-TLS implementation for PPP + * + * Copyright 
(c) Beniamino Galvani 2005 All rights reserved. ++ * Jan Just Keijser 2006-2019 All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions @@ -978,6 +1135,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + */ + +#include ++#include +#include +#include +#include @@ -1001,10 +1159,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c +static ENGINE *cert_engine = NULL; +static ENGINE *pkey_engine = NULL; + -+#ifdef MPPE -+ -+#define EAPTLS_MPPE_KEY_LEN 32 -+ +/* + * The following stuff is only needed if SSL_export_keying_material() is not available + */ @@ -1178,9 +1332,41 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + +#define SSL3_RT_HEADER 0x100 + ++#ifndef SSL_CTX_set_max_proto_version ++/** Mimics SSL_CTX_set_max_proto_version for OpenSSL < 1.1 */ ++static inline int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, long tls_ver_max) ++{ ++ long sslopt = 0; ++ ++ if (tls_ver_max < TLS1_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1; ++ } ++#ifdef SSL_OP_NO_TLSv1_1 ++ if (tls_ver_max < TLS1_1_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1_1; ++ } ++#endif ++#ifdef SSL_OP_NO_TLSv1_2 ++ if (tls_ver_max < TLS1_2_VERSION) ++ { ++ sslopt |= SSL_OP_NO_TLSv1_2; ++ } ++#endif ++ SSL_CTX_set_options(ctx, sslopt); ++ ++ return 1; ++} ++#endif /* SSL_CTX_set_max_proto_version */ ++ +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ + + ++#ifdef MPPE ++ ++#define EAPTLS_MPPE_KEY_LEN 32 ++ +/* + * Generate keys according to RFC 2716 and add to reply + */ @@ -1220,7 +1406,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + mppe_keys_set = 1; +} + -+#endif ++#endif /* MPPE */ + +void log_ssl_errors( void ) +{ 
@@ -1327,7 +1513,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + * Initialize the SSL stacks and tests if certificates, key and crl + * for client or server use can be loaded. + */ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, + char *certfile, char *peer_certfile, char *privkeyfile) +{ + char *cert_engine_name = NULL; @@ -1340,25 +1526,32 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + X509_LOOKUP *lookup; + X509 *tmp; + int ret; ++#if defined(TLS1_2_VERSION) ++ long tls_version = TLS1_2_VERSION; ++#elif defined(TLS1_1_VERSION) ++ long tls_version = TLS1_1_VERSION; ++#else ++ long tls_version = TLS1_VERSION; ++#endif + + /* + * Without these can't continue + */ -+ if (!cacertfile[0]) ++ if (!(cacertfile[0] || capath[0])) + { -+ error("EAP-TLS: CA certificate missing"); ++ error("EAP-TLS: CA certificate file or path missing"); + return NULL; + } + + if (!certfile[0]) + { -+ error("EAP-TLS: User certificate missing"); ++ error("EAP-TLS: Certificate missing"); + return NULL; + } + + if (!privkeyfile[0]) + { -+ error("EAP-TLS: User private key missing"); ++ error("EAP-TLS: Private key missing"); + return NULL; + } + @@ -1458,9 +1651,14 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + + SSL_CTX_set_default_passwd_cb (ctx, password_callback); + -+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) ++ if (strlen(cacertfile) == 0) cacertfile = NULL; ++ if (strlen(capath) == 0) capath = NULL; ++ ++ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, capath)) + { -+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); ++ error("EAP-TLS: Cannot load verify locations"); ++ if (cacertfile) dbglog("CA certificate file = [%s]", cacertfile); ++ if (capath) dbglog("CA certificate path = [%s]", capath); + goto fail; + } + 
@@ -1583,6 +1781,9 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c +#endif + ); + ++ dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version); ++ SSL_CTX_set_max_proto_version(ctx, tls_version); ++ + SSL_CTX_set_verify_depth(ctx, 5); + SSL_CTX_set_verify(ctx, + SSL_VERIFY_PEER | @@ -1685,6 +1886,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + char servcertfile[MAXWORDLEN]; + char clicertfile[MAXWORDLEN]; + char cacertfile[MAXWORDLEN]; ++ char capath[MAXWORDLEN]; + char pkfile[MAXWORDLEN]; + /* + * Allocate new eaptls session @@ -1704,7 +1906,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + dbglog( "getting eaptls secret" ); + if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, + esp->es_server.ea_name, clicertfile, -+ servcertfile, cacertfile, pkfile, 1)) { ++ servcertfile, cacertfile, capath, pkfile, 1)) { + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", + esp->es_server.ea_peer, esp->es_server.ea_name ); + return 0; @@ -1712,7 +1914,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + + ets->mtu = eaptls_get_mtu(esp->es_unit); + -+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); ++ ets->ctx = eaptls_init_ssl(1, cacertfile, capath, servcertfile, clicertfile, pkfile); + if (!ets->ctx) + goto fail; + @@ -1772,6 +1974,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + char servcertfile[MAXWORDLEN]; + char clicertfile[MAXWORDLEN]; + char cacertfile[MAXWORDLEN]; ++ char capath[MAXWORDLEN]; + char pkfile[MAXWORDLEN]; + + /* 
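Review bot: `dbglog("EAP-TLS: Setting max protocol version to 0x%X", tls_version)` passes a `long` where `%X` expects `unsigned int`, which is undefined behaviour and a `-Wformat` warning on LP64; use `0x%lX`. The return value of `SSL_CTX_set_max_proto_version` is also dropped, although the real OpenSSL 1.1.0+ call returns 0 on failure, so a context left at the library default would go unnoticed; `if (!SSL_CTX_set_max_proto_version(ctx, tls_version)) { log_ssl_errors(); goto fail; }` matches the error handling the rest of `eaptls_init_ssl` uses. Capping at TLS 1.2 is a deliberate security-relevant choice — the README entry for v1.201 says it is needed to keep the negotiation working with OpenSSL 1.1.1+, the debug label added later in this patch calls TLS 1.3 "not supported", and the RFC 2716-style key derivation in `eaptls_gen_mppe_keys` is what the MPPE keys come from — so a comment such as `/* TLS 1.3 is not supported by this implementation (key export and handshake flow differ); stay on 1.2 */` belongs next to the call, not only in the README. Only the upper bound is set here; whether SSLv3/TLS 1.0 are excluded depends on the `SSL_CTX_set_options` call just above, which is outside this hunk, as is the rest of `eaptls_init_ssl`.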
@@ -1796,14 +1999,14 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + dbglog( "calling get_eaptls_secret" ); + if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, + ets->peer, clicertfile, -+ servcertfile, cacertfile, pkfile, 0)) { ++ servcertfile, cacertfile, capath, pkfile, 0)) { + error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", + esp->es_client.ea_name, ets->peer ); + return 0; + } + + dbglog( "calling eaptls_init_ssl" ); -+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); ++ ets->ctx = eaptls_init_ssl(0, cacertfile, capath, clicertfile, servcertfile, pkfile); + if (!ets->ctx) + goto fail; + @@ -2255,6 +2458,12 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + strcat(string, "ChangeCipherSpec"); + break; + ++#ifdef SSL3_RT_INNER_CONTENT_TYPE ++ case SSL3_RT_INNER_CONTENT_TYPE: ++ strcat(string, "InnerContentType (TLS1.3)"); ++ break; ++#endif ++ + case SSL3_RT_HANDSHAKE: + + strcat(string, "Handshake: "); @@ -2309,6 +2518,12 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + case TLS1_2_VERSION: + strcat(string, "TLS 1.2"); + break; ++#ifdef TLS1_3_VERSION ++ case TLS1_3_VERSION: ++ strcat(string, "TLS 1.3 (not supported)"); ++ break; ++#endif ++ + default: + strcat(string, "Unknown version"); + } @@ -2330,14 +2545,15 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.c + dbglog("%s", string); +} + -diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h ---- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h 2018-10-30 16:47:59.534263383 +0100 +diff -Naur ppp-2.4.8/pppd/eap-tls.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h +--- ppp-2.4.8/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap-tls.h 2020-04-03 14:02:19.338905030 +0200 
@@ -0,0 +1,107 @@ +/* + * eap-tls.h + * + * Copyright (c) Beniamino Galvani 2005 All rights reserved. ++ * Jan Just Keijser 2006-2019 All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions @@ -2372,7 +2588,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h + +#include +#include -+#include + +#define EAP_TLS_FLAGS_LI 128 /* length included flag */ +#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ @@ -2416,7 +2631,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h +X509 *get_X509_from_file(char *filename); +int ssl_cmp_certs(char *filename, X509 * a); + -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, char *capath, + char *certfile, char *peer_certfile, char *privkeyfile); +int eaptls_init_ssl_server(eap_state * esp); +int eaptls_init_ssl_client(eap_state * esp); @@ -2428,7 +2643,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h + +int get_eaptls_secret(int unit, char *client, char *server, + char *clicertfile, char *servcertfile, char *cacertfile, -+ char *pkfile, int am_server); ++ char *capath, char *pkfile, int am_server); + +#ifdef MPPE +#include "mppe.h" /* MPPE_MAX_KEY_LEN */ @@ -2441,9 +2656,9 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap-tls.h +#endif + +#endif -diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c ---- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c 2018-10-30 16:47:59.537263209 +0100 +diff -Naur ppp-2.4.8/pppd/eap.c ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c +--- ppp-2.4.8/pppd/eap.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.c 2020-04-03 14:02:19.339905029 +0200 
@@ -43,6 +43,11 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ @@ -2462,15 +2677,30 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c #include "pathnames.h" -#include "md5.h" #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" ++#ifdef USE_OPENSSL_MD5 ++#include "openssl/md5.h" +#else +#include "md5.h" -+#endif /* USE_EAPTLS */ ++#endif /* USE_OPENSSL_MD5 */ #ifdef USE_SRP #include -@@ -209,6 +218,9 @@ +@@ -72,8 +81,12 @@ + #include "pppcrypt.h" + #endif /* USE_SRP */ + +-#ifndef SHA_DIGESTSIZE +-#define SHA_DIGESTSIZE 20 ++#ifdef USE_EAPTLS ++#include "eap-tls.h" ++#endif /* USE_EAPTLS */ ++ ++#ifndef SHA_DIGEST_LENGTH ++#define SHA_DIGEST_LENGTH 20 + #endif + + +@@ -208,6 +221,9 @@ esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; @@ -2480,7 +2710,18 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c } /* -@@ -436,8 +448,16 @@ +@@ -316,8 +332,8 @@ + { + struct tm *tp; + char tbuf[9]; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + time_t reftime; + + if (pn_secret == NULL) +@@ -435,8 +451,16 @@ u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ @@ -2497,7 +2738,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c switch (esp->es_server.ea_state) { case eapBadAuth: return; -@@ -562,9 +582,79 @@ +@@ -561,9 +585,79 @@ break; } #endif /* USE_SRP */ 
@@ -2577,7 +2818,20 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; -@@ -718,6 +808,30 @@ +@@ -647,10 +741,10 @@ + char *str; + #ifdef USE_SRP + struct t_server *ts; +- u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp; ++ u_char clear[8], cipher[8], dig[SHA_DIGEST_LENGTH], *optr, *cp; + int i, j; + struct b64state b64; +- SHA1_CTX ctxt; ++ SHA_CTX ctxt; + #endif /* USE_SRP */ + + /* Handle both initial auth and restart */ +@@ -717,6 +811,30 @@ INCPTR(esp->es_server.ea_namelen, outp); break; @@ -2608,7 +2862,48 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); -@@ -904,11 +1018,57 @@ +@@ -763,8 +881,8 @@ + PUTLONG(SRPVAL_EBIT, outp); + ts = (struct t_server *)esp->es_server.ea_session; + assert(ts != NULL); +- BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE); +- INCPTR(SHA_DIGESTSIZE, outp); ++ BCOPY(t_serverresponse(ts), outp, SHA_DIGEST_LENGTH); ++ INCPTR(SHA_DIGEST_LENGTH, outp); + + if (pncrypt_setkey(0)) { + /* Generate pseudonym */ +@@ -804,9 +922,9 @@ + /* Set length and pad out to next 20 octet boundary */ + i = outp - optr - 1; + *optr = i; +- i %= SHA_DIGESTSIZE; ++ i %= SHA_DIGEST_LENGTH; + if (i != 0) { +- while (i < SHA_DIGESTSIZE) { ++ while (i < SHA_DIGEST_LENGTH) { + *outp++ = drand48() * 0x100; + i++; + } +@@ -822,14 +940,14 @@ + while (optr < outp) { + SHA1Final(dig, &ctxt); + cp = dig; +- while (cp < dig + SHA_DIGESTSIZE) ++ while (cp < dig + SHA_DIGEST_LENGTH) + *optr++ ^= *cp++; + SHA1Init(&ctxt); + SHA1Update(&ctxt, &esp->es_server.ea_id, 1); + SHA1Update(&ctxt, esp->es_server.ea_skey, + SESSION_KEY_LEN); +- SHA1Update(&ctxt, optr - SHA_DIGESTSIZE, +- SHA_DIGESTSIZE); ++ SHA1Update(&ctxt, optr - SHA_DIGEST_LENGTH, ++ SHA_DIGEST_LENGTH); + } + } + break; +@@ -903,11 +1021,57 @@ eap_server_timeout(arg) void *arg; { 
@@ -2666,7 +2961,20 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c /* EAP ID number must not change on timeout. */ eap_send_request(esp); } -@@ -1166,6 +1326,81 @@ +@@ -1154,17 +1318,92 @@ + PUTCHAR(id, outp); + esp->es_client.ea_id = id; + msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) + +- SHA_DIGESTSIZE; ++ SHA_DIGEST_LENGTH; + PUTSHORT(msglen, outp); + PUTCHAR(EAPT_SRP, outp); + PUTCHAR(EAPSRP_CVALIDATOR, outp); + PUTLONG(flags, outp); +- BCOPY(str, outp, SHA_DIGESTSIZE); ++ BCOPY(str, outp, SHA_DIGEST_LENGTH); + + output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen); } #endif /* USE_SRP */ @@ -2748,7 +3056,44 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c static void eap_send_nak(esp, id, type) eap_state *esp; -@@ -1320,6 +1555,11 @@ +@@ -1251,8 +1490,8 @@ + { + u_char val; + u_char *datp, *digp; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + int dsize, fd, olen = len; + + /* +@@ -1261,21 +1500,21 @@ + */ + val = id; + while (len > 0) { +- if ((dsize = len % SHA_DIGESTSIZE) == 0) +- dsize = SHA_DIGESTSIZE; ++ if ((dsize = len % SHA_DIGEST_LENGTH) == 0) ++ dsize = SHA_DIGEST_LENGTH; + len -= dsize; + datp = inp + len; + SHA1Init(&ctxt); + SHA1Update(&ctxt, &val, 1); + SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN); + if (len > 0) { +- SHA1Update(&ctxt, datp, SHA_DIGESTSIZE); ++ SHA1Update(&ctxt, datp, SHA_DIGEST_LENGTH); + } else { + SHA1Update(&ctxt, esp->es_client.ea_name, + esp->es_client.ea_namelen); + } + SHA1Final(dig, &ctxt); +- for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++) ++ for (digp = dig; digp < dig + SHA_DIGEST_LENGTH; digp++) + *datp++ ^= *digp; + } + +@@ -1319,12 +1558,17 @@ char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; 
@@ -2760,7 +3105,15 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c #ifdef USE_SRP struct t_client *tc; struct t_num sval, gval, Nval, *Ap, Bval; -@@ -1456,6 +1696,100 @@ + u_char vals[2]; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ SHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; + int fd; + #endif /* USE_SRP */ + +@@ -1455,6 +1699,100 @@ esp->es_client.ea_namelen); break; @@ -2861,8 +3214,41 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c #ifdef USE_SRP case EAPT_SRP: if (len < 1) { -@@ -1737,6 +2071,11 @@ - u_char dig[SHA_DIGESTSIZE]; +@@ -1639,7 +1977,7 @@ + esp->es_client.ea_id, id); + } + } else { +- len -= sizeof (u_int32_t) + SHA_DIGESTSIZE; ++ len -= sizeof (u_int32_t) + SHA_DIGEST_LENGTH; + if (len < 0 || t_clientverify(tc, inp + + sizeof (u_int32_t)) != 0) { + error("EAP: SRP server verification " +@@ -1649,7 +1987,7 @@ + GETLONG(esp->es_client.ea_keyflags, inp); + /* Save pseudonym if user wants it. */ + if (len > 0 && esp->es_usepseudo) { +- INCPTR(SHA_DIGESTSIZE, inp); ++ INCPTR(SHA_DIGEST_LENGTH, inp); + write_pseudonym(esp, inp, len, id); + } + } +@@ -1676,7 +2014,7 @@ + esp->es_client.ea_namelen); + SHA1Final(dig, &ctxt); + eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig, +- SHA_DIGESTSIZE); ++ SHA_DIGEST_LENGTH); + break; + + default: +@@ -1732,10 +2070,15 @@ + #ifdef USE_SRP + struct t_server *ts; + struct t_num A; +- SHA1_CTX ctxt; +- u_char dig[SHA_DIGESTSIZE]; ++ eHA_CTX ctxt; ++ u_char dig[SHA_DIGEST_LENGTH]; #endif /* USE_SRP */ +#ifdef USE_EAPTLS @@ -2873,7 +3259,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c if (esp->es_server.ea_id != id) { dbglog("EAP: discarding Response %d; expected ID %d", id, esp->es_server.ea_id); -@@ -1776,6 +2115,64 @@ +@@ -1775,6 +2118,64 @@ eap_figure_next_state(esp, 0); break; 
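Review bot: The added declaration `eHA_CTX ctxt;` in the inner `@@ -1732,10 +2070,15 @@` hunk of eap.c looks like a typo for `SHA_CTX ctxt;` — every other converted declaration in this patch (eap.c lines 316, 647, 1251, 1319 and sha1.h) uses `SHA_CTX`. It sits inside `#ifdef USE_SRP`, so a build without SRP will not notice it, but an SRP-enabled build fails to compile at this line. Unless the letter is an artifact of how the patch was captured, the line should read `SHA_CTX ctxt;`. The enclosing function starts and ends outside the hunk.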
@@ -2938,7 +3324,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); break; -@@ -1807,6 +2204,13 @@ +@@ -1806,6 +2207,13 @@ esp->es_server.ea_state = eapMD5Chall; break; @@ -2952,7 +3338,37 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c default: dbglog("EAP: peer requesting unknown Type %d", vallen); switch (esp->es_server.ea_state) { -@@ -2018,13 +2422,27 @@ +@@ -1923,9 +2331,9 @@ + eap_figure_next_state(esp, 1); + break; + } +- if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) { ++ if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH) { + error("EAP: M1 length %d < %d", len, +- sizeof (u_int32_t) + SHA_DIGESTSIZE); ++ sizeof (u_int32_t) + SHA_DIGEST_LENGTH); + eap_figure_next_state(esp, 1); + break; + } +@@ -1962,7 +2370,7 @@ + info("EAP: unexpected SRP Subtype 4 Response"); + return; + } +- if (len != SHA_DIGESTSIZE) { ++ if (len != SHA_DIGEST_LENGTH) { + error("EAP: bad Lightweight rechallenge " + "response"); + return; +@@ -1976,7 +2384,7 @@ + SHA1Update(&ctxt, esp->es_server.ea_peer, + esp->es_server.ea_peerlen); + SHA1Final(dig, &ctxt); +- if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) { ++ if (BCMP(dig, inp, SHA_DIGEST_LENGTH) != 0) { + error("EAP: failed Lightweight rechallenge"); + eap_send_failure(esp); + break; +@@ -2017,13 +2425,27 @@ int id; int len; { @@ -2981,7 +3397,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); } -@@ -2150,6 +2568,9 @@ +@@ -2149,6 +2571,9 @@ int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; @@ -2991,7 +3407,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c if (inlen < EAP_HEADERLEN) return (0); -@@ -2214,6 +2635,24 @@ +@@ -2213,6 +2638,24 @@ } break; 
@@ -3016,7 +3432,21 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c case EAPT_SRP: if (len < 3) goto truncated; -@@ -2325,6 +2764,25 @@ +@@ -2280,10 +2723,10 @@ + if (uval != 0) { + printer(arg, " f<%X>", uval); + } +- if ((vallen = len) > SHA_DIGESTSIZE) +- vallen = SHA_DIGESTSIZE; ++ if ((vallen = len) > SHA_DIGEST_LENGTH) ++ vallen = SHA_DIGEST_LENGTH; + printer(arg, " ", len, inp, +- len < SHA_DIGESTSIZE ? "?" : ""); ++ len < SHA_DIGEST_LENGTH ? "?" : ""); + INCPTR(vallen, inp); + len -= vallen; + if (len > 0) { +@@ -2324,6 +2767,25 @@ } break; @@ -3042,14 +3472,36 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.c case EAPT_NAK: if (len <= 0) { printer(arg, " "); -@@ -2426,3 +2884,4 @@ +@@ -2387,7 +2849,7 @@ + printer(arg, " f<%X>", uval); + } + printer(arg, " ", len, inp, +- len == SHA_DIGESTSIZE ? "" : "?"); ++ len == SHA_DIGEST_LENGTH ? "" : "?"); + INCPTR(len, inp); + len = 0; + break; +@@ -2397,9 +2859,9 @@ + + case EAPSRP_LWRECHALLENGE: + printer(arg, " ", len, inp, +- len == SHA_DIGESTSIZE ? "" : "?"); +- if ((vallen = len) > SHA_DIGESTSIZE) +- vallen = SHA_DIGESTSIZE; ++ len == SHA_DIGEST_LENGTH ? "" : "?"); ++ if ((vallen = len) > SHA_DIGEST_LENGTH) ++ vallen = SHA_DIGEST_LENGTH; + INCPTR(vallen, inp); + len -= vallen; + break; +@@ -2425,3 +2887,4 @@ return (inp - pstart); } + -diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.h ---- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.h 2018-10-30 16:47:59.537263209 +0100 +diff -Naur ppp-2.4.8/pppd/eap.h ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h +--- ppp-2.4.8/pppd/eap.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/eap.h 2020-04-03 14:02:19.340905028 +0200 @@ -84,6 +84,16 @@ eapClosed, /* Authentication not in use */ eapListen, /* Client ready (and timer running) */ 
@@ -3118,44 +3570,9 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.102/pppd/eap.h #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ -diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-1.102/pppd/md5.c ---- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/md5.c 2018-10-30 16:47:59.538263156 +0100 -@@ -33,6 +33,8 @@ - *********************************************************************** - */ - -+#ifndef USE_EAPTLS -+ - #include - #include "md5.h" - -@@ -305,3 +307,5 @@ - ** End of md5.c ** - ******************************** (cut) ******************************** - */ -+#endif /* USE_EAPTLS */ -+ -diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-1.102/pppd/md5.h ---- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/md5.h 2018-10-30 16:47:59.538263156 +0100 -@@ -36,6 +36,7 @@ - ** documentation and/or software. ** - *********************************************************************** - */ -+#ifndef USE_EAPTLS - - #ifndef __MD5_INCLUDE__ - -@@ -63,3 +64,5 @@ - - #define __MD5_INCLUDE__ - #endif /* __MD5_INCLUDE__ */ -+ -+#endif /* USE_EAPTLS */ -diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.102/pppd/pathnames.h ---- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/pathnames.h 2018-10-30 16:47:59.539263095 +0100 +diff -Naur ppp-2.4.8/pppd/pathnames.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h +--- ppp-2.4.8/pppd/pathnames.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pathnames.h 2020-04-03 14:02:19.340905028 +0200 @@ -21,6 +21,13 @@ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" 
@@ -3170,9 +3587,9 @@ diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.102/pppd/pathnames #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/Makefile.linux ---- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/Makefile.linux 2018-10-30 16:47:59.539263095 +0100 +diff -Naur ppp-2.4.8/pppd/plugins/Makefile.linux ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux +--- ppp-2.4.8/pppd/plugins/Makefile.linux 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/Makefile.linux 2020-04-03 14:02:19.340905028 +0200 @@ -4,6 +4,9 @@ LDFLAGS_SHARED = -shared INSTALL = install @@ -3183,9 +3600,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.102/ppp DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 -diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/passprompt.c ---- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/passprompt.c 2018-10-30 16:47:59.540263023 +0100 +diff -Naur ppp-2.4.8/pppd/plugins/passprompt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c +--- ppp-2.4.8/pppd/plugins/passprompt.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passprompt.c 2020-04-03 14:02:19.340905028 +0200 @@ -107,4 +107,7 @@ { add_options(options); 
@@ -3194,9 +3611,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.102/pppd/ + eaptls_passwd_hook = promptpass; +#endif } -diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/passwordfd.c ---- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/plugins/passwordfd.c 2018-10-30 16:47:59.540263023 +0100 +diff -Naur ppp-2.4.8/pppd/plugins/passwordfd.c ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c +--- ppp-2.4.8/pppd/plugins/passwordfd.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/plugins/passwordfd.c 2020-04-03 14:02:19.340905028 +0200 @@ -79,4 +79,8 @@ chap_check_hook = pwfd_check; @@ -3206,10 +3623,21 @@ diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.102/pppd/ + eaptls_passwd_hook = pwfd_passwd; +#endif } -diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 ---- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 2018-10-30 16:47:59.542262870 +0100 -@@ -248,6 +248,12 @@ +diff -Naur ppp-2.4.8/pppd/pppcrypt.c ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c +--- ppp-2.4.8/pppd/pppcrypt.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppcrypt.c 2020-04-03 14:02:19.340905028 +0200 +@@ -31,6 +31,7 @@ + */ + + #include ++#include + #include "pppd.h" + #include "pppcrypt.h" + +diff -Naur ppp-2.4.8/pppd/pppd.8 ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 +--- ppp-2.4.8/pppd/pppd.8 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.8 2020-04-03 14:02:19.341905027 +0200 +@@ -260,6 +260,12 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. .TP 
@@ -3222,7 +3650,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 .B cdtrcts Use a non-standard hardware flow control (i.e. DTR/CTS) to control the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -259,6 +265,12 @@ +@@ -271,6 +277,12 @@ bi-directional flow control. The sacrifice is that this flow control mode does not permit using DTR as a modem control line. .TP @@ -3235,7 +3663,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 .B chap\-interval \fIn If this option is given, pppd will rechallenge the peer every \fIn\fR seconds. -@@ -287,6 +299,18 @@ +@@ -299,6 +311,18 @@ 1000 (1 second). This wait period only applies if the \fBconnect\fR or \fBpty\fR option is used. .TP @@ -3254,7 +3682,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 .B debug Enables connection debugging facilities. If this option is given, pppd will log the contents of all -@@ -551,6 +575,12 @@ +@@ -563,6 +587,12 @@ the kernel are logged by syslog(1) to a file as directed in the /etc/syslog.conf configuration file. .TP @@ -3267,7 +3695,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 .B ktune Enables pppd to alter kernel settings as appropriate. Under Linux, pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -709,6 +739,9 @@ +@@ -721,6 +751,9 @@ Disable Address/Control compression in both directions (send and receive). .TP 
@@ -3277,10 +3705,10 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.8 .B noauth Do not require the peer to authenticate itself. This option is privileged. -diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.h ---- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 -+++ ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.h 2018-10-30 16:47:59.542262870 +0100 -@@ -325,6 +325,11 @@ +diff -Naur ppp-2.4.8/pppd/pppd.h ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h +--- ppp-2.4.8/pppd/pppd.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/pppd.h 2020-04-03 14:02:19.341905027 +0200 +@@ -341,6 +341,11 @@ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ @@ -3292,7 +3720,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.h #ifdef MAXOCTETS extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern int maxoctets_dir; /* Direction : -@@ -741,6 +746,10 @@ +@@ -763,6 +768,10 @@ extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern void (*multilink_join_hook) __P((void)); 
@@ -3303,3 +3731,94 @@ diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.102/pppd/pppd.h /* Let a plugin snoop sent and received packets. Useful for L2TP */ extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len)); +diff -Naur ppp-2.4.8/pppd/sha1.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c +--- ppp-2.4.8/pppd/sha1.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.c 2020-04-03 14:02:19.341905027 +0200 +@@ -101,7 +101,7 @@ + /* SHA1Init - Initialize new context */ + + void +-SHA1_Init(SHA1_CTX *context) ++SHA1_Init(SHA_CTX *context) + { + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; +@@ -116,7 +116,7 @@ + /* Run your data through this. */ + + void +-SHA1_Update(SHA1_CTX *context, const unsigned char *data, unsigned int len) ++SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len) + { + unsigned int i, j; + +@@ -140,7 +140,7 @@ + /* Add padding and return the message digest. 
*/ + + void +-SHA1_Final(unsigned char digest[20], SHA1_CTX *context) ++SHA1_Final(unsigned char *digest, SHA_CTX *context) + { + u_int32_t i, j; + unsigned char finalcount[8]; +diff -Naur ppp-2.4.8/pppd/sha1.h ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h +--- ppp-2.4.8/pppd/sha1.h 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sha1.h 2020-04-03 14:02:19.341905027 +0200 +@@ -1,11 +1,5 @@ + /* sha1.h */ + +-/* If OpenSSL is in use, then use that version of SHA-1 */ +-#ifdef OPENSSL +-#include +-#define __SHA1_INCLUDE_ +-#endif +- + #ifndef __SHA1_INCLUDE_ + + #ifndef SHA1_SIGNATURE_SIZE +@@ -20,11 +14,11 @@ + u_int32_t state[5]; + u_int32_t count[2]; + unsigned char buffer[64]; +-} SHA1_CTX; ++} SHA_CTX; + +-extern void SHA1_Init(SHA1_CTX *); +-extern void SHA1_Update(SHA1_CTX *, const unsigned char *, unsigned int); +-extern void SHA1_Final(unsigned char[SHA1_SIGNATURE_SIZE], SHA1_CTX *); ++extern void SHA1_Init(SHA_CTX *context); ++extern void SHA1_Update(SHA_CTX *context, const unsigned char *data, size_t len); ++extern void SHA1_Final(unsigned char *data, SHA_CTX *context); + + #define __SHA1_INCLUDE_ + #endif /* __SHA1_INCLUDE_ */ +diff -Naur ppp-2.4.8/pppd/sys-solaris.c ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c +--- ppp-2.4.8/pppd/sys-solaris.c 2019-12-31 02:31:26.000000000 +0100 ++++ ppp-2.4.8-eaptls-mppe-1.201/pppd/sys-solaris.c 2020-04-03 14:02:19.342905025 +0200 +@@ -1550,6 +1550,26 @@ + #endif /* defined(INET6) && defined(SOL2) */ + } + ++ ++ ++/* ++ * netif_get_mtu - get the MTU on the PPP network interface. ++ */ ++int ++netif_get_mtu(int unit) ++{ ++ struct ifreq ifr; ++ ++ memset (&ifr, '\0', sizeof (ifr)); ++ strlcpy(ifr.ifr_name, ifname, sizeof (ifr.ifr_name)); ++ ++ if (ioctl(ipfd, SIOCGIFMTU, (caddr_t) &ifr) < 0) { ++ error("ioctl(SIOCGIFMTU): %m (line %d)", __LINE__); ++ return 0; ++ } ++ return ifr.ifr_mtu; ++} ++ + /* + * tty_send_config - configure the transmit characteristics of + * the ppp interface. 
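Review bot: The sha1.h hunk renames the internal context type to `SHA_CTX` and at the same time drops the `#ifdef OPENSSL` block that used to switch to `<openssl/sha.h>`, so this header now unconditionally defines a struct named `SHA_CTX` (state/count/buffer) whose layout differs from OpenSSL's `SHA_CTX`, while the new `SHA1_Init`/`SHA1_Update`/`SHA1_Final` prototypes are made to match OpenSSL's signatures. Whether any translation unit ends up seeing both headers is not visible here, but eap.c now includes eap-tls.h under `USE_EAPTLS` and OpenSSL headers commonly pull in `<openssl/sha.h>`; if that happens the result is a conflicting typedef and prototype set, which is a hard compile error rather than a silent mismatch, but the build flag that is supposed to pick one implementation should enforce it. I'd restore the removed three-line guard keyed on whichever Makefile flag selects the OpenSSL implementation (`USE_OPENSSL_MD5` is the one visible in eap.c; confirm the SHA-1 selection uses the same flag) so that only one definition of `SHA_CTX` is ever visible, and add a comment above the typedef such as `/* Layout-incompatible with OpenSSL's SHA_CTX: a unit must see either this header or <openssl/sha.h>, never both. */`. In the same outer hunk, the Solaris `netif_get_mtu` returns 0 on ioctl failure; a one-line comment on the declaration, `/* returns 0 if the MTU could not be read */`, would tell callers that 0 must be treated as an error value.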
diff --git a/ppp.spec b/ppp.spec index 9c8f483..320796d 100644 --- a/ppp.spec +++ b/ppp.spec @@ -2,7 +2,7 @@ Name: ppp Version: 2.4.8 -Release: 3%{?dist} +Release: 4%{?dist} Summary: The Point-to-Point Protocol daemon License: BSD and LGPLv2+ and GPLv2+ and Public Domain URL: http://www.samba.org/ppp @@ -46,7 +46,8 @@ Patch0022: ppp-2.4.8-build-sys-compile-pppol2tp-with-multilink-support.patc Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch Patch0025: ppp-2.4.8-pppd-install-pppd-binary-using-standard-perms-755.patch -Patch0026: ppp-2.4.8-eaptls-mppe-1.102.patch +# https://www.nikhef.nl/~janjust/ppp/ppp-2.4.8-eaptls-mppe-1.201.patch +Patch0026: ppp-2.4.8-eaptls-mppe-1.201.patch Patch0032: ppp-2.4.8-CVE-2020-8597.patch @@ -183,6 +184,9 @@ mkdir -p %{buildroot}%{_rundir}/lock/ppp %doc PLUGINS %changelog +* Mon Apr 6 2020 Jaroslav Škarvada - 2.4.8-4 +- Updated EAP-TLS patch to v1.201 + * Fri Feb 28 2020 Tom Stellard - 2.4.8-3 - Use make_build macro - https://docs.fedoraproject.org/en-US/packaging-guidelines/#_parallel_make