Updated EAP-TLS patch to v1.101

Resolves: CVE-2018-11574
2018-06-11 23:59:15 +02:00 · 2018-06-11 23:59:15 +02:00 · ad8f16ddb2
parent 8870b357ca
commit ad8f16ddb2
4 changed files with 130 additions and 6194 deletions
--- a/0017-pppd-rebase-EAP-TLS-patch-v0.994.patch
+++ b/0017-pppd-rebase-EAP-TLS-patch-v0.994.patch
--- a/0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
+++ b/0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
--- a/0027-pppd-EAP-TLS-patch-v0.999.patch
+++ b/0027-pppd-EAP-TLS-patch-v0.999.patch
@ -1,7 +1,7 @@
-diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
+diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls
 --- ppp-2.4.7/README.eap-tls	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls	2017-05-09 14:38:55.129084488 +0200
-@@ -0,0 +1,280 @@
+++ ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls	2018-06-02 01:42:04.021165440 +0200
+@@ -0,0 +1,286 @@
 +EAP-TLS authentication support for PPP
 +======================================
 +
@ -277,14 +277,20 @@ diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
 +v0.996   (28-May-2014)
 + - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4'
 + - Add EAP-TLS-specific options to pppd.8 manual page.
-+ - Updated README.eap-tls file with new option and provide an example.
+ - Updated README.eap-tls file with new options and provide an example.
 +v0.997   (19-Jun-2014)
-+ - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
-+ - fix bug in initialisation code with fragmented packets.
+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
+ - Fix bug in initialisation code with fragmented packets.
+v0.998   (13-Mar-2015)
+ - Added fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620
+v0.999   (11-May-2017)
+ - Added support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x.
+v1.101 (1-Jun-2018)
+ - Fix vulnerabilities CVE-2018-11574.
 +
-diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client
+diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client
 --- ppp-2.4.7/etc.ppp/eaptls-client	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client	2017-05-09 14:38:55.129084488 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client	2018-06-02 01:42:04.021165440 +0200
@@ -0,0 +1,10 @@
 +# Parameters for authentication using EAP-TLS (client)
 +
@ -296,9 +302,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/e
 +# client private key file (required)
 +
 +#client	server	/root/cert/client.crt	-	/root/cert/ca.crt	/root/cert/client.key
-diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server
+diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server
 --- ppp-2.4.7/etc.ppp/eaptls-server	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server	2017-05-09 14:38:55.137084099 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server	2018-06-02 01:42:04.021165440 +0200
@@ -0,0 +1,11 @@
 +# Parameters for authentication using EAP-TLS (server)
 +
@ -311,9 +317,9 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/e
 +# allowed addresses (required, can be *)
 +
 +#client	server	-	/root/cert/server.crt	/root/cert/ca.crt	/root/cert/server.key	192.168.1.0/24
-diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf
+diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf
 --- ppp-2.4.7/etc.ppp/openssl.cnf	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf	2017-05-09 14:38:55.137084099 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf	2018-06-02 01:42:04.021165440 +0200
@@ -0,0 +1,14 @@
 +openssl_conf = openssl_def
 +
@ -329,9 +335,9 @@ diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/ope
 +MODULE_PATH = /usr/lib64/libeTPkcs11.so
 +init = 0
 +
-diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top
+diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top
 --- ppp-2.4.7/linux/Makefile.top	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top	2017-05-09 14:38:55.138084052 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top	2018-06-02 01:42:04.021165440 +0200
@@ -26,7 +26,7 @@
 	cd pppdump; $(MAKE) $(MFLAGS) install
 
@ -352,9 +358,9 @@ diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefi
 
 $(BINDIR):
 	$(INSTALL) -d -m 755 $@
-diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux
+diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux
 --- ppp-2.4.7/pppd/Makefile.linux	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux	2017-05-09 14:38:55.138084052 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux	2018-06-02 01:42:04.021165440 +0200
@@ -76,6 +76,9 @@
 # Use libutil
 USE_LIBUTIL=y
@ -381,9 +387,9 @@ diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefi
 ifdef HAS_SHADOW
 CFLAGS   += -DHAS_SHADOW
 #LIBS     += -lshadow $(LIBS)
-diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
+diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c
 --- ppp-2.4.7/pppd/auth.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c	2017-05-09 14:38:55.139084004 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c	2018-06-02 01:42:04.022165436 +0200
@@ -109,6 +109,9 @@
 #include "upap.h"
 #include "chap-new.h"
@ -879,9 +885,9 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 +}
 +#endif
 +
-diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
+diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c
 --- ppp-2.4.7/pppd/ccp.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c	2017-05-09 14:38:55.148083482 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c	2018-06-02 01:42:04.022165436 +0200
@@ -540,6 +540,9 @@
     if (go->mppe) {
 	ccp_options *ao = &ccp_allowoptions[f->unit];
@ -917,9 +923,9 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
 	    lcp_close(f->unit, "MPPE required but not available");
 	    return;
 	}
-diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
+diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c
 --- ppp-2.4.7/pppd/chap-md5.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c	2017-05-09 14:38:55.148083482 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c	2018-06-02 01:42:04.022165436 +0200
@@ -36,7 +36,11 @@
 #include "chap-new.h"
 #include "chap-md5.h"
@ -932,10 +938,10 @@ diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
 
 #define MD5_HASH_SIZE		16
 #define MD5_MIN_CHALLENGE	16
-diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
+diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c
 --- ppp-2.4.7/pppd/eap-tls.c	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c	2017-05-11 10:43:00.345739124 +0200
-@@ -0,0 +1,1308 @@
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c	2018-06-02 01:42:16.790124406 +0200
+@@ -0,0 +1,1313 @@
 +/*
 + * eap-tls.c - EAP-TLS implementation for PPP
 + *
@ -1000,6 +1006,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 + * tries to provide some guidance but ultimately falls short.
 + */
 +
+
 +static void HMAC_CTX_free(HMAC_CTX *ctx)
 +{
 +	if (ctx != NULL) {
@ -1803,46 +1810,47 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
 +{
 +	u_char flags;
-+	u_int tlslen;
+	u_int tlslen = 0;
 +	u_char dummy[65536];
 +
+	if (len < 1) {
+		warn("EAP-TLS: received no or invalid data");
+		return 1;
+	}
+		
 +	GETCHAR(flags, inp);
 +	len--;
 +
-+    if (flags & EAP_TLS_FLAGS_LI && !ets->data) {
-+ 
+    if (flags & EAP_TLS_FLAGS_LI && len >= 4) {
 +		/*
-+		 * This is the first packet of a message
+		 * LenghtIncluded flag set -> this is the first packet of a message
 +		*/
-+ 
+
+		/*
+		 * the first 4 octets are the length of the EAP-TLS message
+		 */
 +		GETLONG(tlslen, inp);
 +		len -= 4;
 +
-+		if (tlslen > EAP_TLS_MAX_LEN) {
-+			error("Error: tls message length > %d, truncated",
-+				EAP_TLS_MAX_LEN);
-+			tlslen = EAP_TLS_MAX_LEN;
+		if (!ets->data) {
+
+			if (tlslen > EAP_TLS_MAX_LEN) {
+				error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
+				tlslen = EAP_TLS_MAX_LEN;
+			}
+
+			/*
+			 * Allocate memory for the whole message
+			*/
+			ets->data = malloc(tlslen);
+			if (!ets->data)
+				fatal("EAP-TLS: allocation error\n");
+
+			ets->datalen = 0;
+			ets->tlslen = tlslen;
 +		}
-+
-+		/*
-+		 * Allocate memory for the whole message
-+		*/
-+		ets->data = malloc(tlslen);
-+		if (!ets->data)
-+			fatal("EAP TLS: allocation error\n");
-+
-+		ets->datalen = 0;
-+		ets->tlslen = tlslen;
-+
-+	}
-+	else if (flags & EAP_TLS_FLAGS_LI && ets->data) {
-+		/*
-+		 * Non first with LI (strange...)
-+		*/
-+ 
-+		GETLONG(tlslen, inp);
-+		len -= 4;
-+ 
+		else
+			warn("EAP-TLS: non-first LI packet? that's odd...");
 +	}
 +	else if (!ets->data) {
 +		/*
@ -1851,7 +1859,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 + 
 +		ets->data = malloc(len);
 +		if (!ets->data)
-+			fatal("EAP TLS: allocation error\n");
+			fatal("EAP-TLS: allocation error\n");
 + 
 +		ets->datalen = 0;
 +		ets->tlslen = len;
@ -1862,8 +1870,13 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +	else
 +		ets->frag = 0;
 +
+	if (len < 0) {
+		warn("EAP-TLS: received malformed data");
+		return 1;
+	}
+
 +	if (len + ets->datalen > ets->tlslen) {
-+		warn("EAP TLS: received data > TLS message length");
+		warn("EAP-TLS: received data > TLS message length");
 +		return 1;
 +	}
 +
@ -1877,7 +1890,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +		 */
 +
 +		if (ets->datalen != ets->tlslen) {
-+			warn("EAP TLS: received data != TLS message length");
+			warn("EAP-TLS: received data != TLS message length");
 +			return 1;
 +		}
 +
@ -2138,7 +2151,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +
 +	switch(content_type) {
 +
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 +	case SSL3_RT_HEADER:
 +		strcat(string, "SSL/TLS Header: ");
 +		switch(hvers) {
@ -2164,7 +2176,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +			strcat(string, "Unknown version");
 +		}
 +		break;
-+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 +
 +	case SSL3_RT_ALERT:	
 +		strcat(string, "Alert: ");	
@ -2244,9 +2255,9 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +		dbglog("%s", string);
 +}
 +
-diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
+diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h
 --- ppp-2.4.7/pppd/eap-tls.h	1970-01-01 01:00:00.000000000 +0100
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h	2017-05-09 14:38:55.150083347 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h	2018-06-02 01:42:04.023165433 +0200
@@ -0,0 +1,107 @@
 +/*
 + * eap-tls.h
@ -2355,9 +2366,9 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
 +#endif
 +
 +#endif
-diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
+diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c
 --- ppp-2.4.7/pppd/eap.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c	2017-05-09 14:38:55.151083274 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c	2018-06-02 01:42:04.023165433 +0200
@@ -43,6 +43,11 @@
  * Based on draft-ietf-pppext-eap-srp-03.txt.
  */
@ -2674,7 +2685,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 	struct t_client *tc;
 	struct t_num sval, gval, Nval, *Ap, Bval;
-@@ -1456,6 +1696,90 @@
+@@ -1456,6 +1696,100 @@
 		    esp->es_client.ea_namelen);
 		break;
 
@ -2685,6 +2696,11 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 +
 +		case eapListen:
 +
+			if (len < 1) {
+				error("EAP: received EAP-TLS Listen packet with no data");
+				/* Bogus request; wait for something real. */
+				return;
+			}
 +			GETCHAR(flags, inp);
 +			if(flags & EAP_TLS_FLAGS_START){
 +
@ -2722,6 +2738,11 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 +			break;
 +
 +		case eapTlsRecv:
+			if (len < 1) {
+				error("EAP: discarding EAP-TLS Receive packet with no data");
+				/* Bogus request; wait for something real. */
+				return;
+			}
 +			eaptls_receive(ets, inp, len);
 +
 +			if(ets->frag) {
@ -2765,7 +2786,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 	case EAPT_SRP:
 		if (len < 1) {
-@@ -1737,6 +2061,11 @@
+@@ -1737,6 +2071,11 @@
 	u_char dig[SHA_DIGESTSIZE];
 #endif /* USE_SRP */
 
@ -2777,7 +2798,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	if (esp->es_server.ea_id != id) {
 		dbglog("EAP: discarding Response %d; expected ID %d", id,
 		    esp->es_server.ea_id);
-@@ -1776,6 +2105,60 @@
+@@ -1776,6 +2115,64 @@
 		eap_figure_next_state(esp, 0);
 		break;
 
@ -2786,6 +2807,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 +		switch(esp->es_server.ea_state) {
 +
 +		case eapTlsRecv:
+	
 +			ets = (struct eaptls_session *) esp->es_server.ea_session;
 +			eap_figure_next_state(esp, 
 +				eaptls_receive(esp->es_server.ea_session, inp, len));
@ -2806,19 +2828,22 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 +		case eapTlsRecvClient:
 +			/* Receive authentication response from client */
 +
-+			GETCHAR(flags, inp);
+			if (len > 0) {
+				GETCHAR(flags, inp);
 +
-+			if(len == 1 && !flags) {	/* Ack = ok */
+				if(len == 1 && !flags) {	/* Ack = ok */
 +#ifdef MPPE
-+ 				eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
+ 					eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
 +#endif
-+				eap_send_success(esp);
-+			}
-+			else {			/* failure */
-+				eaptls_receive(esp->es_server.ea_session, inp, len);
-+				warn("Server authentication failed");
-+				eap_send_failure(esp);
+					eap_send_success(esp);
+				}
+				else {			/* failure */
+					warn("Server authentication failed");
+					eap_send_failure(esp);
+				}
 +			}
+			else
+				warn("Bogus EAP-TLS packet received from client");
 +
 +			eaptls_free_session(esp->es_server.ea_session);
 +
@ -2838,7 +2863,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	case EAPT_NOTIFICATION:
 		dbglog("EAP unexpected Notification; response discarded");
 		break;
-@@ -1807,6 +2190,13 @@
+@@ -1807,6 +2204,13 @@
 			esp->es_server.ea_state = eapMD5Chall;
 			break;
 
@ -2852,7 +2877,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		default:
 			dbglog("EAP: peer requesting unknown Type %d", vallen);
 			switch (esp->es_server.ea_state) {
-@@ -2018,13 +2408,27 @@
+@@ -2018,13 +2422,27 @@
 int id;
 int len;
 {
@ -2881,7 +2906,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	if (esp->es_client.ea_timeout > 0) {
 		UNTIMEOUT(eap_client_timeout, (void *)esp);
 	}
-@@ -2150,6 +2554,9 @@
+@@ -2150,6 +2568,9 @@
 	int code, id, len, rtype, vallen;
 	u_char *pstart;
 	u_int32_t uval;
@ -2891,7 +2916,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 
 	if (inlen < EAP_HEADERLEN)
 		return (0);
-@@ -2214,6 +2621,24 @@
+@@ -2214,6 +2635,24 @@
 			}
 			break;
 
@ -2916,7 +2941,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		case EAPT_SRP:
 			if (len < 3)
 				goto truncated;
-@@ -2325,6 +2750,25 @@
+@@ -2325,6 +2764,25 @@
 			}
 			break;
 
@ -2942,14 +2967,14 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		case EAPT_NAK:
 			if (len <= 0) {
 				printer(arg, " <missing hint>");
-@@ -2426,3 +2870,4 @@
+@@ -2426,3 +2884,4 @@
 
 	return (inp - pstart);
 }
 +
-diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
+diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h
 --- ppp-2.4.7/pppd/eap.h	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h	2017-05-09 14:38:55.152083200 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h	2018-06-02 01:42:04.023165433 +0200
@@ -84,6 +84,16 @@
 	eapClosed,	/* Authentication not in use */
 	eapListen,	/* Client ready (and timer running) */
@ -3018,9 +3043,9 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 #define	EAP_DEFREQTIME		20	/* Time to wait for peer request */
 #define	EAP_DEFALLOWREQ		20	/* max # times to accept requests */
 
-diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
+diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c
 --- ppp-2.4.7/pppd/md5.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c	2017-05-09 14:38:55.152083200 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c	2018-06-02 01:42:04.023165433 +0200
@@ -33,6 +33,8 @@
  ***********************************************************************
  */
@ -3036,9 +3061,9 @@ diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
  */
 +#endif /* USE_EAPTLS */
 +
-diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
+diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h
 --- ppp-2.4.7/pppd/md5.h	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h	2017-05-09 14:38:55.152083200 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h	2018-06-02 01:42:04.024165430 +0200
@@ -36,6 +36,7 @@
  ** documentation and/or software.                                    **
  ***********************************************************************
@ -3053,9 +3078,9 @@ diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
 #endif /* __MD5_INCLUDE__ */
 +
 +#endif /* USE_EAPTLS */
-diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h
+diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h
 --- ppp-2.4.7/pppd/pathnames.h	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h	2017-05-09 14:38:55.153083126 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h	2018-06-02 01:42:04.024165430 +0200
@@ -21,6 +21,13 @@
 #define _PATH_UPAPFILE 	 _ROOT_PATH "/etc/ppp/pap-secrets"
 #define _PATH_CHAPFILE 	 _ROOT_PATH "/etc/ppp/chap-secrets"
@ -3070,9 +3095,9 @@ diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames
 #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
 #define _PATH_IPUP	 _ROOT_PATH "/etc/ppp/ip-up"
 #define _PATH_IPDOWN	 _ROOT_PATH "/etc/ppp/ip-down"
-diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux
+diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux
 --- ppp-2.4.7/pppd/plugins/Makefile.linux	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux	2017-05-09 14:38:55.153083126 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux	2018-06-02 01:42:04.024165430 +0200
@@ -4,6 +4,9 @@
 LDFLAGS	= -shared
 INSTALL	= install
@ -3083,9 +3108,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/ppp
 DESTDIR = $(INSTROOT)@DESTDIR@
 BINDIR = $(DESTDIR)/sbin
 MANDIR = $(DESTDIR)/share/man/man8
-diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c
+diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c
 --- ppp-2.4.7/pppd/plugins/passprompt.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c	2017-05-09 14:38:55.153083126 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c	2018-06-02 01:42:04.024165430 +0200
@@ -107,4 +107,7 @@
 {
     add_options(options);
@ -3094,9 +3119,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/
 +    eaptls_passwd_hook = promptpass;
 +#endif
 }
-diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c
+diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c
 --- ppp-2.4.7/pppd/plugins/passwordfd.c	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c	2017-05-09 14:38:55.154083052 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c	2018-06-02 01:42:04.024165430 +0200
@@ -79,4 +79,8 @@
 
     chap_check_hook = pwfd_check;
@ -3106,9 +3131,9 @@ diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/
 +    eaptls_passwd_hook = pwfd_passwd;
 +#endif
 }
-diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
+diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8
 --- ppp-2.4.7/pppd/pppd.8	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8	2017-05-09 14:38:55.155082978 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8	2018-06-02 01:42:04.025165427 +0200
@@ -248,6 +248,12 @@
 compression in the corresponding direction.  Use \fInobsdcomp\fR or
 \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
@ -3177,9 +3202,9 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B noauth
 Do not require the peer to authenticate itself.  This option is
 privileged.
-diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
+diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h
 --- ppp-2.4.7/pppd/pppd.h	2014-08-09 14:31:39.000000000 +0200
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h	2017-05-09 14:38:55.156082905 +0200
+++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h	2018-06-02 01:42:04.025165427 +0200
@@ -325,6 +325,11 @@
 extern bool	dryrun;		/* check everything, print options, exit */
 extern int	child_wait;	/* # seconds to wait for children at end */
--- a/ppp.spec
+++ b/ppp.spec
@ -3,7 +3,7 @@
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.7
-Release: 21%{?dist}
+Release: 22%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@ -38,7 +38,6 @@ Patch0013:      0013-everywhere-O_CLOEXEC-harder.patch
 Patch0014:      0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch
 Patch0015:      0015-pppd-move-pppd-database-to-var-run-ppp.patch
 Patch0016:      0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch
-Patch0017:      0017-pppd-rebase-EAP-TLS-patch-v0.994.patch
 Patch0018:      0018-scritps-fix-ip-up.local-sample.patch
 Patch0019:      0019-sys-linux-rework-get_first_ethernet.patch
 Patch0020:      0020-pppd-put-lock-files-in-var-lock-ppp.patch
@ -47,8 +46,7 @@ Patch0022:      0022-build-sys-compile-pppol2tp-with-multilink-support.patch
 Patch0023:      0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
 Patch0024:      0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
 Patch0025:      0025-pppd-install-pppd-binary-using-standard-perms-755.patch
-Patch0026:      0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
-Patch0027:      0027-pppd-EAP-TLS-patch-v0.999.patch
+Patch0026:      ppp-2.4.7-eaptls-mppe-1.101.patch
 Patch0028:      0028-pppoe-include-netinet-in.h-before-linux-in.h.patch

 # rhbz#1556132
@ -175,6 +173,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
 %doc PLUGINS

 %changelog
+* Tue Jun  5 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-22
+- Updated EAP-TLS patch to v1.101
+  Resolves: CVE-2018-11574
+
 * Mon Apr  9 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-21
 - Link with -E not to break plugins
  Resolves: rhbz#1564459