diff --git a/0027-pppd-EAP-TLS-patch-v0.997.patch b/0027-pppd-EAP-TLS-patch-v0.999.patch similarity index 89% rename from 0027-pppd-EAP-TLS-patch-v0.997.patch rename to 0027-pppd-EAP-TLS-patch-v0.999.patch index 79ef893..2f71a8e 100644 --- a/0027-pppd-EAP-TLS-patch-v0.997.patch +++ b/0027-pppd-EAP-TLS-patch-v0.999.patch @@ -1,44 +1,6 @@ -From 7887b3d84468e1ebfbe5adc373f0816eda2b995a Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Fri, 20 Jun 2014 10:31:43 +0200 -Subject: [PATCH 27/27] pppd: EAP-TLS patch v0.997 - -See: http://www.nikhef.nl/~janjust/ppp/download.html ---- - README.eap-tls | 280 ++++++++++ - etc.ppp/eaptls-client | 10 + - etc.ppp/eaptls-server | 11 + - etc.ppp/openssl.cnf | 14 + - linux/Makefile.top | 6 +- - pppd/Makefile.linux | 12 + - pppd/auth.c | 413 ++++++++++++++- - pppd/ccp.c | 20 +- - pppd/chap-md5.c | 4 + - pppd/eap-tls.c | 1212 +++++++++++++++++++++++++++++++++++++++++++ - pppd/eap-tls.h | 107 ++++ - pppd/eap.c | 449 +++++++++++++++- - pppd/eap.h | 32 +- - pppd/md5.c | 4 + - pppd/md5.h | 3 + - pppd/pathnames.h | 7 + - pppd/plugins/Makefile.linux | 3 + - pppd/plugins/passprompt.c | 3 + - pppd/plugins/passwordfd.c | 4 + - pppd/pppd.8 | 33 ++ - pppd/pppd.h | 9 + - 21 files changed, 2629 insertions(+), 7 deletions(-) - create mode 100644 README.eap-tls - create mode 100644 etc.ppp/eaptls-client - create mode 100644 etc.ppp/eaptls-server - create mode 100644 etc.ppp/openssl.cnf - create mode 100644 pppd/eap-tls.c - create mode 100644 pppd/eap-tls.h - -diff --git a/README.eap-tls b/README.eap-tls -new file mode 100644 -index 0000000..037be0a ---- /dev/null -+++ b/README.eap-tls +diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls +--- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls 2017-05-09 14:38:55.129084488 +0200 @@ -0,0 +1,280 @@ +EAP-TLS authentication support for PPP +====================================== 
@@ -320,11 +282,9 @@ index 0000000..037be0a + - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET + - fix bug in initialisation code with fragmented packets. + -diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client -new file mode 100644 -index 0000000..7782f0e ---- /dev/null -+++ b/etc.ppp/eaptls-client +diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client +--- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client 2017-05-09 14:38:55.129084488 +0200 @@ -0,0 +1,10 @@ +# Parameters for authentication using EAP-TLS (client) + @@ -336,11 +296,9 @@ index 0000000..7782f0e +# client private key file (required) + +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server -new file mode 100644 -index 0000000..fa53cbd ---- /dev/null -+++ b/etc.ppp/eaptls-server +diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server +--- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server 2017-05-09 14:38:55.137084099 +0200 @@ -0,0 +1,11 @@ +# Parameters for authentication using EAP-TLS (server) + @@ -353,11 +311,9 @@ index 0000000..fa53cbd +# allowed addresses (required, can be *) + +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf -new file mode 100644 -index 0000000..dd32f30 ---- /dev/null -+++ b/etc.ppp/openssl.cnf +diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf +--- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf 2017-05-09 14:38:55.137084099 +0200 @@ -0,0 +1,14 @@ +openssl_conf = openssl_def + 
@@ -373,11 +329,10 @@ index 0000000..dd32f30 +MODULE_PATH = /usr/lib64/libeTPkcs11.so +init = 0 + -diff --git a/linux/Makefile.top b/linux/Makefile.top -index f42efd5..9a8945a 100644 ---- a/linux/Makefile.top -+++ b/linux/Makefile.top -@@ -28,7 +28,7 @@ install-progs: +diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top +--- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top 2017-05-09 14:38:55.138084052 +0200 +@@ -26,7 +26,7 @@ cd pppdump; $(MAKE) $(MFLAGS) install install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ @@ -386,7 +341,7 @@ index f42efd5..9a8945a 100644 install-devel: cd pppd; $(MAKE) $(MFLAGS) install-devel -@@ -39,6 +39,10 @@ $(ETCDIR)/pap-secrets: +@@ -37,6 +37,10 @@ $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ $(ETCDIR)/chap-secrets: $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ @@ -397,11 +352,10 @@ index f42efd5..9a8945a 100644 $(BINDIR): $(INSTALL) -d -m 755 $@ -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 943cf83..534ccc2 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -79,6 +79,9 @@ CBCP=y +diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux +--- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux 2017-05-09 14:38:55.138084052 +0200 +@@ -76,6 +76,9 @@ # Use libutil USE_LIBUTIL=y @@ -411,7 +365,7 @@ index 943cf83..534ccc2 100644 MAXOCTETS=y INCLUDE_DIRS= -I../include -@@ -118,6 +121,15 @@ HEADERS += sha1.h +@@ -115,6 +118,15 @@ PPPDOBJS += sha1.o endif 
@@ -427,10 +381,9 @@ index 943cf83..534ccc2 100644 ifdef HAS_SHADOW CFLAGS += -DHAS_SHADOW #LIBS += -lshadow $(LIBS) -diff --git a/pppd/auth.c b/pppd/auth.c -index 9e957fa..656ffe9 100644 ---- a/pppd/auth.c -+++ b/pppd/auth.c +diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c +--- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c 2017-05-09 14:38:55.139084004 +0200 @@ -109,6 +109,9 @@ #include "upap.h" #include "chap-new.h" @@ -441,7 +394,7 @@ index 9e957fa..656ffe9 100644 #ifdef CBCP_SUPPORT #include "cbcp.h" #endif -@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL; +@@ -183,6 +186,11 @@ /* Hook for a plugin to get the CHAP password for authenticating us */ int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; @@ -453,7 +406,7 @@ index 9e957fa..656ffe9 100644 /* Hook for a plugin to say whether it is OK if the peer refuses to authenticate. */ int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */ +@@ -238,6 +246,14 @@ bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ @@ -468,7 +421,7 @@ index 9e957fa..656ffe9 100644 static char *uafname; /* name of most recent +ua file */ -@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *)); +@@ -254,6 +270,19 @@ static int have_chap_secret __P((char *, char *, int, int *)); static int have_srp_secret __P((char *client, char *server, int need_ip, int *lacks_ipp)); 
@@ -488,7 +441,7 @@ index 9e957fa..656ffe9 100644 static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int scan_authfile __P((FILE *, char *, char *, char *, struct wordlist **, struct wordlist **, -@@ -401,6 +430,15 @@ option_t auth_options[] = { +@@ -401,6 +430,15 @@ "Set telephone number(s) which are allowed to connect", OPT_PRIV | OPT_A2LIST }, @@ -504,7 +457,7 @@ index 9e957fa..656ffe9 100644 { NULL } }; -@@ -730,6 +768,9 @@ link_established(unit) +@@ -730,6 +768,9 @@ lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *go = &lcp_gotoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit]; @@ -514,7 +467,7 @@ index 9e957fa..656ffe9 100644 int i; struct protent *protp; -@@ -764,6 +805,22 @@ link_established(unit) +@@ -764,6 +805,22 @@ } } @@ -537,7 +490,7 @@ index 9e957fa..656ffe9 100644 new_phase(PHASE_AUTHENTICATE); auth = 0; if (go->neg_eap) { -@@ -1277,6 +1334,15 @@ auth_check_options() +@@ -1277,6 +1334,15 @@ our_name, 1, &lacks_ip); } @@ -553,7 +506,7 @@ index 9e957fa..656ffe9 100644 if (auth_required && !can_auth && noauth_addrs == NULL) { if (default_auth) { option_error( -@@ -1331,7 +1397,11 @@ auth_reset(unit) +@@ -1331,7 +1397,11 @@ passwd[0] != 0 || (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (explicit_remote? remote_name: NULL), 0, NULL))) || @@ -566,7 +519,7 @@ index 9e957fa..656ffe9 100644 hadchap = -1; if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1416,14 @@ auth_reset(unit) +@@ -1346,8 +1416,14 @@ !have_chap_secret((explicit_remote? remote_name: NULL), our_name, 1, NULL))) && !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, @@ -582,7 +535,7 @@ index 9e957fa..656ffe9 100644 } -@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) +@@ -1707,6 +1783,7 @@ } 
@@ -590,7 +543,7 @@ index 9e957fa..656ffe9 100644 /* * get_secret - open the CHAP secret file and return the secret * for authenticating the given client on the given server. -@@ -2359,3 +2436,335 @@ auth_script(script) +@@ -2359,3 +2436,335 @@ auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); } @@ -926,11 +879,10 @@ index 9e957fa..656ffe9 100644 +} +#endif + -diff --git a/pppd/ccp.c b/pppd/ccp.c -index 5814f35..7dead23 100644 ---- a/pppd/ccp.c -+++ b/pppd/ccp.c -@@ -540,6 +540,9 @@ ccp_resetci(f) +diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c +--- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c 2017-05-09 14:38:55.148083482 +0200 +@@ -540,6 +540,9 @@ if (go->mppe) { ccp_options *ao = &ccp_allowoptions[f->unit]; int auth_mschap_bits = auth_done[f->unit]; @@ -940,7 +892,7 @@ index 5814f35..7dead23 100644 int numbits; /* -@@ -567,8 +570,23 @@ ccp_resetci(f) +@@ -567,8 +570,23 @@ lcp_close(f->unit, "MPPE required but not available"); return; } @@ -965,10 +917,9 @@ index 5814f35..7dead23 100644 lcp_close(f->unit, "MPPE required but not available"); return; } -diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c -index 77dd4ec..269b52c 100644 ---- a/pppd/chap-md5.c -+++ b/pppd/chap-md5.c +diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c +--- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c 2017-05-09 14:38:55.148083482 +0200 @@ -36,7 +36,11 @@ #include "chap-new.h" #include "chap-md5.h" 
@@ -981,12 +932,10 @@ index 77dd4ec..269b52c 100644 #define MD5_HASH_SIZE 16 #define MD5_MIN_CHALLENGE 16 -diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c -new file mode 100644 -index 0000000..edcb0cb ---- /dev/null -+++ b/pppd/eap-tls.c -@@ -0,0 +1,1212 @@ +diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c +--- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c 2017-05-11 10:43:00.345739124 +0200 +@@ -0,0 +1,1308 @@ +/* + * eap-tls.c - EAP-TLS implementation for PPP + * 
@@ -1044,6 +993,72 @@ index 0000000..edcb0cb
 +
 +#ifdef MPPE
 +
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
++
++/*
++ * https://wiki.openssl.org/index.php/1.1_API_Changes
++ * tries to provide some guidance but ultimately falls short.
++ */
++
++static void HMAC_CTX_free(HMAC_CTX *ctx)
++{
++ if (ctx != NULL) {
++ HMAC_CTX_cleanup(ctx);
++ OPENSSL_free(ctx);
++ }
++}
++
++static HMAC_CTX *HMAC_CTX_new(void)
++{
++ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
++ if (ctx != NULL)
++ HMAC_CTX_init(ctx);
++ return ctx;
++}
++
++/*
++ * These were basically jacked directly from the OpenSSL tree
++ * without adjustments.
++ */
++
++static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
++ size_t outlen)
++{
++ if (outlen == 0)
++ return sizeof(ssl->s3->client_random);
++ if (outlen > sizeof(ssl->s3->client_random))
++ outlen = sizeof(ssl->s3->client_random);
++ memcpy(out, ssl->s3->client_random, outlen);
++ return outlen;
++}
++
++static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
++ size_t outlen)
++{
++ if (outlen == 0)
++ return sizeof(ssl->s3->server_random);
++ if (outlen > sizeof(ssl->s3->server_random))
++ outlen = sizeof(ssl->s3->server_random);
++ memcpy(out, ssl->s3->server_random, outlen);
++ return outlen;
++}
++
++static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
++ unsigned char *out, size_t outlen)
++{
++ if (outlen == 0)
++ return session->master_key_length;
++ if (outlen > session->master_key_length)
++ outlen = session->master_key_length;
++ memcpy(out, session->master_key, outlen);
++ return outlen;
++}
++
++/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */
++#define TLS_method TLSv1_method
++
++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
++
 +/*
 + * TLS PRF from RFC 2246
 + */
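Review bot: The comment above `#define TLS_method TLSv1_method` presents the macro as silencing a deprecation warning, but the two methods are not interchangeable: `TLSv1_method()` negotiates TLS 1.0 only, whereas `TLS_method()` on OpenSSL 1.1 negotiates the highest version both peers support. The practical effect is that the protocol ceiling of an EAP-TLS session now depends on which OpenSSL the package was built against, and the comment should say so, e.g. `/* OpenSSL 1.0.x has no TLS_method(); mapping it to TLSv1_method() pins 1.0.x builds to TLS 1.0 only, while 1.1 builds negotiate up to TLS 1.2 */`. The three `SSL_get_*_random`/`SSL_SESSION_get_master_key` shims are upstream copies as their comment states, so the `size_t` versus `master_key_length` comparison in the last one matches upstream and needs no change here.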
@@ -1052,47 +1067,47 @@ index 0000000..edcb0cb
 + const unsigned char *seed, unsigned int seed_len,
 + unsigned char *out, unsigned int out_len)
 +{
-+ HMAC_CTX ctx_a, ctx_out;
++ HMAC_CTX *ctx_a, *ctx_out;
 + unsigned char a[HMAC_MAX_MD_CBLOCK];
 + unsigned int size;
 +
-+ HMAC_CTX_init(&ctx_a);
-+ HMAC_CTX_init(&ctx_out);
-+ HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL);
-+ HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL);
++ ctx_a = HMAC_CTX_new();
++ ctx_out = HMAC_CTX_new();
++ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
++ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
 +
-+ size = HMAC_size(&ctx_out);
++ size = HMAC_size(ctx_out);
 +
 + /* Calculate A(1) */
-+ HMAC_Update(&ctx_a, seed, seed_len);
-+ HMAC_Final(&ctx_a, a, NULL);
++ HMAC_Update(ctx_a, seed, seed_len);
++ HMAC_Final(ctx_a, a, NULL);
 +
 + while (1) {
 + /* Calculate next part of output */
-+ HMAC_Update(&ctx_out, a, size);
-+ HMAC_Update(&ctx_out, seed, seed_len);
++ HMAC_Update(ctx_out, a, size);
++ HMAC_Update(ctx_out, seed, seed_len);
 +
 + /* Check if last part */
 + if (out_len < size) {
-+ HMAC_Final(&ctx_out, a, NULL);
++ HMAC_Final(ctx_out, a, NULL);
 + memcpy(out, a, out_len);
 + break;
 + }
 +
 + /* Place digest in output buffer */
-+ HMAC_Final(&ctx_out, out, NULL);
-+ HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL);
++ HMAC_Final(ctx_out, out, NULL);
++ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
 + out += size;
 + out_len -= size;
 +
 + /* Calculate next A(i) */
-+ HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL);
-+ HMAC_Update(&ctx_a, a, size);
-+ HMAC_Final(&ctx_a, a, NULL);
++ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
++ HMAC_Update(ctx_a, a, size);
++ HMAC_Final(ctx_a, a, NULL);
 + }
 +
-+ HMAC_CTX_cleanup(&ctx_a);
-+ HMAC_CTX_cleanup(&ctx_out);
++ HMAC_CTX_free(ctx_a);
++ HMAC_CTX_free(ctx_out);
 + memset(a, 0, sizeof(a));
 +}
 +
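Review bot: Neither `HMAC_CTX_new()` result is checked before `HMAC_Init_ex(ctx_a, ...)`; both OpenSSL 1.1's function and the compat shim added by this patch return NULL when `OPENSSL_malloc` fails, and the following line then dereferences it. Because `PRF` is void and its output feeds key derivation, the simplest safe handling is to stop on allocation failure: `if (ctx_a == NULL || ctx_out == NULL) { HMAC_CTX_free(ctx_a); HMAC_CTX_free(ctx_out); fatal("EAP-TLS: HMAC_CTX_new failed"); }` (both free functions accept NULL). The `HMAC_Init_ex`/`HMAC_Update`/`HMAC_Final` return values are likewise ignored; on 1.1 they report failure as 0, which would leave `out` partly unwritten with no indication to the caller. The parameter list of `PRF` begins outside the hunk.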
@@ -1126,21 +1141,22 @@ index 0000000..edcb0cb
 + unsigned char *p = seed;
 + SSL *s = ets->ssl;
 + size_t prf_size;
++ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
++ size_t master_key_length;
 +
 + prf_size = strlen(prf_label);
 +
 + memcpy(p, prf_label, prf_size);
 + p += prf_size;
 +
-+ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
++ prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE);
 + p += SSL3_RANDOM_SIZE;
-+ prf_size += SSL3_RANDOM_SIZE;
 +
-+ memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
-+ prf_size += SSL3_RANDOM_SIZE;
++ prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE);
 +
-+ PRF(s->session->master_key, s->session->master_key_length,
-+ seed, prf_size, out, buf, sizeof(out));
++ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
++ sizeof(master_key));
++ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out));
 +
 + /*
 + * We now have the master send and receive keys.
@@ -1308,7 +1324,7 @@ index 0000000..edcb0cb
 + SSL_library_init();
 + SSL_load_error_strings();
 +
-+ ctx = SSL_CTX_new(TLSv1_method());
++ ctx = SSL_CTX_new(TLS_method());
 +
 + if (!ctx) {
 + error("EAP-TLS: Cannot initialize SSL CTX context");
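Review bot: The TLS master secret is now copied into the stack buffer `master_key` and left there after `PRF(...)` returns; `PRF` wipes its own `a` buffer with `memset`, so this copy deserves the same treatment, `memset(master_key, 0, sizeof(master_key));` (or `OPENSSL_cleanse(master_key, sizeof(master_key));`, which the compiler cannot elide) directly after the `PRF` call. If this function can run before the handshake has produced a session, `SSL_get_session(s)` may return NULL and the accessor would dereference it; presumably the caller only invokes it after the handshake completes, which a one-line comment at the `master_key_length =` line should state. The enclosing function's head and the code consuming `out`/`buf` lie outside the hunk.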
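Review bot: `SSL_CTX_new(TLS_method())` makes the negotiable protocol range depend on the OpenSSL the package is built against: on 1.0.x the compat macro maps it back to `TLSv1_method()` (TLS 1.0 only), while on 1.1 it negotiates from TLS 1.0 up to the highest version the peer offers. Nothing in the hunk sets a floor on the 1.1 path, so an explicit `SSL_CTX_set_min_proto_version(ctx, TLS1_VERSION);` under the same `OPENSSL_VERSION_NUMBER >= 0x10100000L` guard, placed after the `if (!ctx)` check, would document and pin the accepted range. The option setup that follows the NULL check is outside the hunk and may already handle this; if so, a comment at the `SSL_CTX_new` line pointing there would suffice.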
@@ -2112,18 +2128,47 @@ index 0000000..edcb0cb
 + char string[256];
 + struct eaptls_session *ets = (struct eaptls_session *)arg;
 + unsigned char code;
++ const unsigned char*msg = buf;
++ int hvers = msg[1] << 8 | msg[2];
 +
 + if(write_p)
 + strcpy(string, " -> ");
 + else
 + strcpy(string, " <- ");
 +
-+
 + switch(content_type) {
 +
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++ case SSL3_RT_HEADER:
++ strcat(string, "SSL/TLS Header: ");
++ switch(hvers) {
++ case SSL3_VERSION:
++ strcat(string, "SSL 3.0");
++ break;
++ case TLS1_VERSION:
++ strcat(string, "TLS 1.0");
++ break;
++ case TLS1_1_VERSION:
++ strcat(string, "TLS 1.1");
++ break;
++ case TLS1_2_VERSION:
++ strcat(string, "TLS 1.2");
++ break;
++ case DTLS1_VERSION:
++ strcat(string, "DTLS 1.0");
++ break;
++ case DTLS1_2_VERSION:
++ strcat(string, "DTLS 1.2");
++ break;
++ default:
++ strcat(string, "Unknown version");
++ }
++ break;
++#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
++
 + case SSL3_RT_ALERT:
 + strcat(string, "Alert: ");
-+ code = ((const unsigned char *)buf)[1];
++ code = msg[1];
 +
 + if (write_p) {
 + ets->alert_sent = 1;
@@ -2143,7 +2188,7 @@ index 0000000..edcb0cb
 + case SSL3_RT_HANDSHAKE:
 +
 + strcat(string, "Handshake: ");
-+ code = ((const unsigned char *)buf)[0];
++ code = msg[0];
 +
 + switch(code) {
 + case SSL3_MT_HELLO_REQUEST:
@@ -2199,11 +2244,9 @@ index 0000000..edcb0cb
 + dbglog("%s", string);
 +}
 +
-diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
-new file mode 100644
-index 0000000..2d45a0b
---- /dev/null
-+++ b/pppd/eap-tls.h
+diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
+--- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h 2017-05-09 14:38:55.150083347 +0200
 @@ -0,0 +1,107 @@
 +/*
 + * eap-tls.h
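Review bot: `int hvers = msg[1] << 8 | msg[2];` is evaluated for every message the callback sees, not only record headers; for an `SSL3_RT_ALERT` message the buffer holds two bytes (level and description), so `msg[2]` reads one byte past the end of `buf`. The value is only consumed in the `SSL3_RT_HEADER` case, so declare `int hvers = 0;` at the top and compute it inside that case behind a length check, `hvers = (len >= 3) ? (msg[1] << 8 | msg[2]) : 0;`. The function head is outside the hunk; OpenSSL's message callback passes the buffer length as its fifth argument, presumably named `len` here — confirm before relying on it. As a point of style, `const unsigned char*msg` would match the rest of the file as `const unsigned char *msg`.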
@@ -2312,10 +2355,9 @@ index 0000000..2d45a0b +#endif + +#endif -diff --git a/pppd/eap.c b/pppd/eap.c -index faced53..bfbce95 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c +diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c +--- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c 2017-05-09 14:38:55.151083274 +0200 @@ -43,6 +43,11 @@ * Based on draft-ietf-pppext-eap-srp-03.txt. */ @@ -2342,7 +2384,7 @@ index faced53..bfbce95 100644 #ifdef USE_SRP #include -@@ -209,6 +218,9 @@ int unit; +@@ -209,6 +218,9 @@ esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; @@ -2352,7 +2394,7 @@ index faced53..bfbce95 100644 } /* -@@ -436,8 +448,16 @@ int status; +@@ -436,8 +448,16 @@ u_char vals[2]; struct b64state bs; #endif /* USE_SRP */ @@ -2369,7 +2411,7 @@ index faced53..bfbce95 100644 switch (esp->es_server.ea_state) { case eapBadAuth: return; -@@ -562,9 +582,79 @@ int status; +@@ -562,9 +582,79 @@ break; } #endif /* USE_SRP */ @@ -2449,7 +2491,7 @@ index faced53..bfbce95 100644 case eapSRP1: #ifdef USE_SRP ts = (struct t_server *)esp->es_server.ea_session; -@@ -718,6 +808,30 @@ eap_state *esp; +@@ -718,6 +808,30 @@ INCPTR(esp->es_server.ea_namelen, outp); break; @@ -2480,7 +2522,7 @@ index faced53..bfbce95 100644 #ifdef USE_SRP case eapSRP1: PUTCHAR(EAPT_SRP, outp); -@@ -904,11 +1018,57 @@ static void +@@ -904,11 +1018,57 @@ eap_server_timeout(arg) void *arg; { @@ -2538,7 +2580,7 @@ index faced53..bfbce95 100644 /* EAP ID number must not change on timeout. */ eap_send_request(esp); } -@@ -1166,6 +1326,81 @@ u_char *str; +@@ -1166,6 +1326,81 @@ } #endif /* USE_SRP */ @@ -2620,7 +2662,7 @@ index faced53..bfbce95 100644 static void eap_send_nak(esp, id, type) eap_state *esp; -@@ -1320,6 +1555,11 @@ int len; +@@ -1320,6 +1555,11 @@ char rhostname[256]; MD5_CTX mdContext; u_char hash[MD5_SIGNATURE_SIZE]; 
@@ -2632,7 +2674,7 @@ index faced53..bfbce95 100644 #ifdef USE_SRP struct t_client *tc; struct t_num sval, gval, Nval, *Ap, Bval; -@@ -1456,6 +1696,90 @@ int len; +@@ -1456,6 +1696,90 @@ esp->es_client.ea_namelen); break; @@ -2723,7 +2765,7 @@ index faced53..bfbce95 100644 #ifdef USE_SRP case EAPT_SRP: if (len < 1) { -@@ -1737,6 +2061,11 @@ int len; +@@ -1737,6 +2061,11 @@ u_char dig[SHA_DIGESTSIZE]; #endif /* USE_SRP */ @@ -2735,7 +2777,7 @@ index faced53..bfbce95 100644 if (esp->es_server.ea_id != id) { dbglog("EAP: discarding Response %d; expected ID %d", id, esp->es_server.ea_id); -@@ -1776,6 +2105,60 @@ int len; +@@ -1776,6 +2105,60 @@ eap_figure_next_state(esp, 0); break; @@ -2796,7 +2838,7 @@ index faced53..bfbce95 100644 case EAPT_NOTIFICATION: dbglog("EAP unexpected Notification; response discarded"); break; -@@ -1807,6 +2190,13 @@ int len; +@@ -1807,6 +2190,13 @@ esp->es_server.ea_state = eapMD5Chall; break; @@ -2810,7 +2852,7 @@ index faced53..bfbce95 100644 default: dbglog("EAP: peer requesting unknown Type %d", vallen); switch (esp->es_server.ea_state) { -@@ -2018,13 +2408,27 @@ u_char *inp; +@@ -2018,13 +2408,27 @@ int id; int len; { @@ -2839,7 +2881,7 @@ index faced53..bfbce95 100644 if (esp->es_client.ea_timeout > 0) { UNTIMEOUT(eap_client_timeout, (void *)esp); } -@@ -2150,6 +2554,9 @@ void *arg; +@@ -2150,6 +2554,9 @@ int code, id, len, rtype, vallen; u_char *pstart; u_int32_t uval; @@ -2849,7 +2891,7 @@ index faced53..bfbce95 100644 if (inlen < EAP_HEADERLEN) return (0); -@@ -2214,6 +2621,24 @@ void *arg; +@@ -2214,6 +2621,24 @@ } break; @@ -2874,7 +2916,7 @@ index faced53..bfbce95 100644 case EAPT_SRP: if (len < 3) goto truncated; -@@ -2325,6 +2750,25 @@ void *arg; +@@ -2325,6 +2750,25 @@ } break; 
@@ -2900,16 +2942,15 @@ index faced53..bfbce95 100644 case EAPT_NAK: if (len <= 0) { printer(arg, " "); -@@ -2426,3 +2870,4 @@ void *arg; +@@ -2426,3 +2870,4 @@ return (inp - pstart); } + -diff --git a/pppd/eap.h b/pppd/eap.h -index 199d184..3fa5391 100644 ---- a/pppd/eap.h -+++ b/pppd/eap.h -@@ -84,6 +84,16 @@ enum eap_state_code { +diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h +--- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h 2017-05-09 14:38:55.152083200 +0200 +@@ -84,6 +84,16 @@ eapClosed, /* Authentication not in use */ eapListen, /* Client ready (and timer running) */ eapIdentify, /* EAP Identify sent */ @@ -2926,7 +2967,7 @@ index 199d184..3fa5391 100644 eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ -@@ -95,9 +105,18 @@ enum eap_state_code { +@@ -95,9 +105,18 @@ #define EAP_STATES \ "Initial", "Pending", "Closed", "Listen", "Identify", \ @@ -2936,8 +2977,8 @@ index 199d184..3fa5391 100644 -#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) +#ifdef USE_EAPTLS -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\ -+ (esp)->es_client.ea_state != eapPending ||\ ++#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ ++ (esp)->es_client.ea_state != eapPending &&\ + (esp)->es_client.ea_state != eapClosed) +#else +#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) @@ -2946,7 +2987,7 @@ index 199d184..3fa5391 100644 #define eap_server_active(esp) \ ((esp)->es_server.ea_state >= eapIdentify && \ (esp)->es_server.ea_state <= eapMD5Chall) -@@ -112,11 +131,17 @@ struct eap_auth { +@@ -112,11 +131,17 @@ u_short ea_namelen; /* Length of our name */ u_short ea_peerlen; /* Length of peer's name */ enum eap_state_code ea_state; 
@@ -2964,7 +3005,7 @@ index 199d184..3fa5391 100644 }; /* -@@ -139,7 +164,12 @@ typedef struct eap_state { +@@ -139,7 +164,12 @@ * Timeouts. */ #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ @@ -2977,10 +3018,9 @@ index 199d184..3fa5391 100644 #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ -diff --git a/pppd/md5.c b/pppd/md5.c -index f1291ce..6f8f720 100644 ---- a/pppd/md5.c -+++ b/pppd/md5.c +diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c +--- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c 2017-05-09 14:38:55.152083200 +0200 @@ -33,6 +33,8 @@ *********************************************************************** */ @@ -2990,16 +3030,15 @@ index f1291ce..6f8f720 100644 #include #include "md5.h" -@@ -305,3 +307,5 @@ UINT4 *in; +@@ -305,3 +307,5 @@ ** End of md5.c ** ******************************** (cut) ******************************** */ +#endif /* USE_EAPTLS */ + -diff --git a/pppd/md5.h b/pppd/md5.h -index 71e8b00..14d7121 100644 ---- a/pppd/md5.h -+++ b/pppd/md5.h +diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h +--- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h 2017-05-09 14:38:55.152083200 +0200 @@ -36,6 +36,7 @@ ** documentation and/or software. ** *********************************************************************** 
@@ -3008,17 +3047,16 @@ index 71e8b00..14d7121 100644 #ifndef __MD5_INCLUDE__ -@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext); +@@ -63,3 +64,5 @@ #define __MD5_INCLUDE__ #endif /* __MD5_INCLUDE__ */ + +#endif /* USE_EAPTLS */ -diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index 24e010c..6275df6 100644 ---- a/pppd/pathnames.h -+++ b/pppd/pathnames.h -@@ -22,6 +22,13 @@ +diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h +--- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h 2017-05-09 14:38:55.153083126 +0200 +@@ -21,6 +21,13 @@ #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" @@ -3032,11 +3070,10 @@ index 24e010c..6275df6 100644 #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index b474a19..760cad4 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC +diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux +--- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux 2017-05-09 14:38:55.153083126 +0200 +@@ -4,6 +4,9 @@ LDFLAGS = -shared INSTALL = install 
@@ -3046,11 +3083,10 @@ index b474a19..760cad4 100644 DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 -diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c -index babb6dc..6ba73ca 100644 ---- a/pppd/plugins/passprompt.c -+++ b/pppd/plugins/passprompt.c -@@ -107,4 +107,7 @@ void plugin_init(void) +diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c +--- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c 2017-05-09 14:38:55.153083126 +0200 +@@ -107,4 +107,7 @@ { add_options(options); pap_passwd_hook = promptpass; @@ -3058,11 +3094,10 @@ index babb6dc..6ba73ca 100644 + eaptls_passwd_hook = promptpass; +#endif } -diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c -index d718f3b..c3f9793 100644 ---- a/pppd/plugins/passwordfd.c -+++ b/pppd/plugins/passwordfd.c -@@ -79,4 +79,8 @@ void plugin_init (void) +diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c +--- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c 2017-05-09 14:38:55.154083052 +0200 +@@ -79,4 +79,8 @@ chap_check_hook = pwfd_check; chap_passwd_hook = pwfd_passwd; 
@@ -3071,11 +3106,10 @@ index d718f3b..c3f9793 100644 + eaptls_passwd_hook = pwfd_passwd; +#endif } -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index 2dd6e1a..75dd6f3 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -248,6 +248,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables +diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8 +--- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8 2017-05-09 14:38:55.155082978 +0200 +@@ -248,6 +248,12 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. .TP @@ -3088,7 +3122,7 @@ index 2dd6e1a..75dd6f3 100644 .B cdtrcts Use a non-standard hardware flow control (i.e. DTR/CTS) to control the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -259,6 +265,12 @@ RTS output. Such serial ports use this mode to implement true +@@ -259,6 +265,12 @@ bi-directional flow control. The sacrifice is that this flow control mode does not permit using DTR as a modem control line. .TP @@ -3101,7 +3135,7 @@ index 2dd6e1a..75dd6f3 100644 .B chap\-interval \fIn If this option is given, pppd will rechallenge the peer every \fIn\fR seconds. -@@ -287,6 +299,18 @@ negotiation by sending its first LCP packet. The default value is +@@ -287,6 +299,18 @@ 1000 (1 second). This wait period only applies if the \fBconnect\fR or \fBpty\fR option is used. .TP @@ -3120,7 +3154,7 @@ index 2dd6e1a..75dd6f3 100644 .B debug Enables connection debugging facilities. If this option is given, pppd will log the contents of all -@@ -551,6 +575,12 @@ transmitted packets be printed. On most systems, messages printed by +@@ -551,6 +575,12 @@ the kernel are logged by syslog(1) to a file as directed in the /etc/syslog.conf configuration file. .TP 
@@ -3133,7 +3167,7 @@ index 2dd6e1a..75dd6f3 100644 .B ktune Enables pppd to alter kernel settings as appropriate. Under Linux, pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -709,6 +739,9 @@ name to \fIname\fR.) +@@ -709,6 +739,9 @@ Disable Address/Control compression in both directions (send and receive). .TP @@ -3143,11 +3177,10 @@ index 2dd6e1a..75dd6f3 100644 .B noauth Do not require the peer to authenticate itself. This option is privileged. -diff --git a/pppd/pppd.h b/pppd/pppd.h -index 5f72f72..523f226 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -324,6 +324,11 @@ extern bool dump_options; /* print out option values */ +diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h +--- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h 2017-05-09 14:38:55.156082905 +0200 +@@ -325,6 +325,11 @@ extern bool dryrun; /* check everything, print options, exit */ extern int child_wait; /* # seconds to wait for children at end */ @@ -3159,7 +3192,7 @@ index 5f72f72..523f226 100644 #ifdef MAXOCTETS extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern int maxoctets_dir; /* Direction : -@@ -738,6 +743,10 @@ extern int (*chap_check_hook) __P((void)); +@@ -741,6 +746,10 @@ extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern void (*multilink_join_hook) __P((void)); @@ -3170,6 +3203,3 @@ index 5f72f72..523f226 100644 /* Let a plugin snoop sent and received packets. Useful for L2TP */ extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len)); --- -1.8.3.1 - diff --git a/0028-Fix-logical-expression-in-eap_client_active-macro.patch b/0028-Fix-logical-expression-in-eap_client_active-macro.patch deleted file mode 100644 index fe99133..0000000 --- a/0028-Fix-logical-expression-in-eap_client_active-macro.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From fcb95abad72ac043f2e5f5ddcffc42b0783a3c2d Mon Sep 17 00:00:00 2001 -From: Michal Sekletar -Date: Wed, 10 Dec 2014 12:21:31 +0100 -Subject: [PATCH] Fix logical expression in eap_client_active macro - ---- - pppd/eap.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/pppd/eap.h b/pppd/eap.h -index 3fa5391..087baad 100644 ---- a/pppd/eap.h -+++ b/pppd/eap.h -@@ -110,8 +110,8 @@ enum eap_state_code { - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" - - #ifdef USE_EAPTLS --#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\ -- (esp)->es_client.ea_state != eapPending ||\ -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ -+ (esp)->es_client.ea_state != eapPending &&\ - (esp)->es_client.ea_state != eapClosed) - #else - #define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) --- -1.8.3.1 - diff --git a/0029-pppoe-include-netinet-in.h-before-linux-in.h.patch b/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch similarity index 100% rename from 0029-pppoe-include-netinet-in.h-before-linux-in.h.patch rename to 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch diff --git a/ppp.spec b/ppp.spec index 1d8e135..e0ad6da 100644 --- a/ppp.spec +++ b/ppp.spec @@ -3,7 +3,7 @@ Summary: The Point-to-Point Protocol daemon Name: ppp Version: 2.4.7 -Release: 13%{?dist} +Release: 14%{?dist} License: BSD and LGPLv2+ and GPLv2+ and Public Domain Group: System Environment/Daemons URL: http://www.samba.org/ppp 
@@ -48,12 +48,11 @@ Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch Patch0026: 0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch -Patch0027: 0027-pppd-EAP-TLS-patch-v0.997.patch -Patch0028: 0028-Fix-logical-expression-in-eap_client_active-macro.patch -Patch0029: 0029-pppoe-include-netinet-in.h-before-linux-in.h.patch +Patch0027: 0027-pppd-EAP-TLS-patch-v0.999.patch +Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel -BuildRequires: pkgconfig(openssl) < 1.1 +BuildRequires: openssl-devel Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd, initscripts >= 9.54 Requires(pre): /usr/bin/getent Requires(pre): /usr/sbin/groupadd @@ -170,6 +169,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo %doc PLUGINS %changelog +* Mon Aug 21 2017 Jaroslav Škarvada - 2.4.7-14 +- EAP-TLS patch updated to version 0.999 +- Switched to openssl-1.1 + * Thu Aug 03 2017 Fedora Release Engineering - 2.4.7-13 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild