EAP-TLS patch updated to version 0.999

Switched to openssl-1.1
Jaroslav Škarvada 2017-08-21 22:00:47 +02:00
parent f3e51c8301
commit ebcb6e8d2d
4 changed files with 248 additions and 242 deletions


@ -1,44 +1,6 @@
From 7887b3d84468e1ebfbe5adc373f0816eda2b995a Mon Sep 17 00:00:00 2001 diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
From: Michal Sekletar <msekleta@redhat.com> --- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
Date: Fri, 20 Jun 2014 10:31:43 +0200 +++ ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls 2017-05-09 14:38:55.129084488 +0200
Subject: [PATCH 27/27] pppd: EAP-TLS patch v0.997
See: http://www.nikhef.nl/~janjust/ppp/download.html
---
README.eap-tls | 280 ++++++++++
etc.ppp/eaptls-client | 10 +
etc.ppp/eaptls-server | 11 +
etc.ppp/openssl.cnf | 14 +
linux/Makefile.top | 6 +-
pppd/Makefile.linux | 12 +
pppd/auth.c | 413 ++++++++++++++-
pppd/ccp.c | 20 +-
pppd/chap-md5.c | 4 +
pppd/eap-tls.c | 1212 +++++++++++++++++++++++++++++++++++++++++++
pppd/eap-tls.h | 107 ++++
pppd/eap.c | 449 +++++++++++++++-
pppd/eap.h | 32 +-
pppd/md5.c | 4 +
pppd/md5.h | 3 +
pppd/pathnames.h | 7 +
pppd/plugins/Makefile.linux | 3 +
pppd/plugins/passprompt.c | 3 +
pppd/plugins/passwordfd.c | 4 +
pppd/pppd.8 | 33 ++
pppd/pppd.h | 9 +
21 files changed, 2629 insertions(+), 7 deletions(-)
create mode 100644 README.eap-tls
create mode 100644 etc.ppp/eaptls-client
create mode 100644 etc.ppp/eaptls-server
create mode 100644 etc.ppp/openssl.cnf
create mode 100644 pppd/eap-tls.c
create mode 100644 pppd/eap-tls.h
diff --git a/README.eap-tls b/README.eap-tls
new file mode 100644
index 0000000..037be0a
--- /dev/null
+++ b/README.eap-tls
@@ -0,0 +1,280 @@ @@ -0,0 +1,280 @@
+EAP-TLS authentication support for PPP +EAP-TLS authentication support for PPP
+====================================== +======================================
@ -320,11 +282,9 @@ index 0000000..037be0a
+ - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET + - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
+ - fix bug in initialisation code with fragmented packets. + - fix bug in initialisation code with fragmented packets.
+ +
diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client
new file mode 100644 --- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
index 0000000..7782f0e +++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client 2017-05-09 14:38:55.129084488 +0200
--- /dev/null
+++ b/etc.ppp/eaptls-client
@@ -0,0 +1,10 @@ @@ -0,0 +1,10 @@
+# Parameters for authentication using EAP-TLS (client) +# Parameters for authentication using EAP-TLS (client)
+ +
@ -336,11 +296,9 @@ index 0000000..7782f0e
+# client private key file (required) +# client private key file (required)
+ +
+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key +#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server
new file mode 100644 --- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
index 0000000..fa53cbd +++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server 2017-05-09 14:38:55.137084099 +0200
--- /dev/null
+++ b/etc.ppp/eaptls-server
@@ -0,0 +1,11 @@ @@ -0,0 +1,11 @@
+# Parameters for authentication using EAP-TLS (server) +# Parameters for authentication using EAP-TLS (server)
+ +
@ -353,11 +311,9 @@ index 0000000..fa53cbd
+# allowed addresses (required, can be *) +# allowed addresses (required, can be *)
+ +
+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 +#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf
new file mode 100644 --- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100
index 0000000..dd32f30 +++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf 2017-05-09 14:38:55.137084099 +0200
--- /dev/null
+++ b/etc.ppp/openssl.cnf
@@ -0,0 +1,14 @@ @@ -0,0 +1,14 @@
+openssl_conf = openssl_def +openssl_conf = openssl_def
+ +
@ -373,11 +329,10 @@ index 0000000..dd32f30
+MODULE_PATH = /usr/lib64/libeTPkcs11.so +MODULE_PATH = /usr/lib64/libeTPkcs11.so
+init = 0 +init = 0
+ +
diff --git a/linux/Makefile.top b/linux/Makefile.top diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top
index f42efd5..9a8945a 100644 --- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200
--- a/linux/Makefile.top +++ ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top 2017-05-09 14:38:55.138084052 +0200
+++ b/linux/Makefile.top @@ -26,7 +26,7 @@
@@ -28,7 +28,7 @@ install-progs:
cd pppdump; $(MAKE) $(MFLAGS) install cd pppdump; $(MAKE) $(MFLAGS) install
install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
@ -386,7 +341,7 @@ index f42efd5..9a8945a 100644
install-devel: install-devel:
cd pppd; $(MAKE) $(MFLAGS) install-devel cd pppd; $(MAKE) $(MFLAGS) install-devel
@@ -39,6 +39,10 @@ $(ETCDIR)/pap-secrets: @@ -37,6 +37,10 @@
$(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
$(ETCDIR)/chap-secrets: $(ETCDIR)/chap-secrets:
$(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
@ -397,11 +352,10 @@ index f42efd5..9a8945a 100644
$(BINDIR): $(BINDIR):
$(INSTALL) -d -m 755 $@ $(INSTALL) -d -m 755 $@
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux
index 943cf83..534ccc2 100644 --- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/Makefile.linux +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux 2017-05-09 14:38:55.138084052 +0200
+++ b/pppd/Makefile.linux @@ -76,6 +76,9 @@
@@ -79,6 +79,9 @@ CBCP=y
# Use libutil # Use libutil
USE_LIBUTIL=y USE_LIBUTIL=y
@ -411,7 +365,7 @@ index 943cf83..534ccc2 100644
MAXOCTETS=y MAXOCTETS=y
INCLUDE_DIRS= -I../include INCLUDE_DIRS= -I../include
@@ -118,6 +121,15 @@ HEADERS += sha1.h @@ -115,6 +118,15 @@
PPPDOBJS += sha1.o PPPDOBJS += sha1.o
endif endif
@ -427,10 +381,9 @@ index 943cf83..534ccc2 100644
ifdef HAS_SHADOW ifdef HAS_SHADOW
CFLAGS += -DHAS_SHADOW CFLAGS += -DHAS_SHADOW
#LIBS += -lshadow $(LIBS) #LIBS += -lshadow $(LIBS)
diff --git a/pppd/auth.c b/pppd/auth.c diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
index 9e957fa..656ffe9 100644 --- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/auth.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c 2017-05-09 14:38:55.139084004 +0200
+++ b/pppd/auth.c
@@ -109,6 +109,9 @@ @@ -109,6 +109,9 @@
#include "upap.h" #include "upap.h"
#include "chap-new.h" #include "chap-new.h"
@ -441,7 +394,7 @@ index 9e957fa..656ffe9 100644
#ifdef CBCP_SUPPORT #ifdef CBCP_SUPPORT
#include "cbcp.h" #include "cbcp.h"
#endif #endif
@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL; @@ -183,6 +186,11 @@
/* Hook for a plugin to get the CHAP password for authenticating us */ /* Hook for a plugin to get the CHAP password for authenticating us */
int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
@ -453,7 +406,7 @@ index 9e957fa..656ffe9 100644
/* Hook for a plugin to say whether it is OK if the peer /* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */ refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs, int (*null_auth_hook) __P((struct wordlist **paddrs,
@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */ @@ -238,6 +246,14 @@
bool explicit_user = 0; /* Set if "user" option supplied */ bool explicit_user = 0; /* Set if "user" option supplied */
bool explicit_passwd = 0; /* Set if "password" option supplied */ bool explicit_passwd = 0; /* Set if "password" option supplied */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
@ -468,7 +421,7 @@ index 9e957fa..656ffe9 100644
static char *uafname; /* name of most recent +ua file */ static char *uafname; /* name of most recent +ua file */
@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *)); @@ -254,6 +270,19 @@
static int have_chap_secret __P((char *, char *, int, int *)); static int have_chap_secret __P((char *, char *, int, int *));
static int have_srp_secret __P((char *client, char *server, int need_ip, static int have_srp_secret __P((char *client, char *server, int need_ip,
int *lacks_ipp)); int *lacks_ipp));
@ -488,7 +441,7 @@ index 9e957fa..656ffe9 100644
static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
static int scan_authfile __P((FILE *, char *, char *, char *, static int scan_authfile __P((FILE *, char *, char *, char *,
struct wordlist **, struct wordlist **, struct wordlist **, struct wordlist **,
@@ -401,6 +430,15 @@ option_t auth_options[] = { @@ -401,6 +430,15 @@
"Set telephone number(s) which are allowed to connect", "Set telephone number(s) which are allowed to connect",
OPT_PRIV | OPT_A2LIST }, OPT_PRIV | OPT_A2LIST },
@ -504,7 +457,7 @@ index 9e957fa..656ffe9 100644
{ NULL } { NULL }
}; };
@@ -730,6 +768,9 @@ link_established(unit) @@ -730,6 +768,9 @@
lcp_options *wo = &lcp_wantoptions[unit]; lcp_options *wo = &lcp_wantoptions[unit];
lcp_options *go = &lcp_gotoptions[unit]; lcp_options *go = &lcp_gotoptions[unit];
lcp_options *ho = &lcp_hisoptions[unit]; lcp_options *ho = &lcp_hisoptions[unit];
@ -514,7 +467,7 @@ index 9e957fa..656ffe9 100644
int i; int i;
struct protent *protp; struct protent *protp;
@@ -764,6 +805,22 @@ link_established(unit) @@ -764,6 +805,22 @@
} }
} }
@ -537,7 +490,7 @@ index 9e957fa..656ffe9 100644
new_phase(PHASE_AUTHENTICATE); new_phase(PHASE_AUTHENTICATE);
auth = 0; auth = 0;
if (go->neg_eap) { if (go->neg_eap) {
@@ -1277,6 +1334,15 @@ auth_check_options() @@ -1277,6 +1334,15 @@
our_name, 1, &lacks_ip); our_name, 1, &lacks_ip);
} }
@ -553,7 +506,7 @@ index 9e957fa..656ffe9 100644
if (auth_required && !can_auth && noauth_addrs == NULL) { if (auth_required && !can_auth && noauth_addrs == NULL) {
if (default_auth) { if (default_auth) {
option_error( option_error(
@@ -1331,7 +1397,11 @@ auth_reset(unit) @@ -1331,7 +1397,11 @@
passwd[0] != 0 || passwd[0] != 0 ||
(hadchap == 1 || (hadchap == -1 && have_chap_secret(user, (hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
(explicit_remote? remote_name: NULL), 0, NULL))) || (explicit_remote? remote_name: NULL), 0, NULL))) ||
@ -566,7 +519,7 @@ index 9e957fa..656ffe9 100644
hadchap = -1; hadchap = -1;
if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
@@ -1346,8 +1416,14 @@ auth_reset(unit) @@ -1346,8 +1416,14 @@
!have_chap_secret((explicit_remote? remote_name: NULL), our_name, !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
1, NULL))) && 1, NULL))) &&
!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
@ -582,7 +535,7 @@ index 9e957fa..656ffe9 100644
} }
@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) @@ -1707,6 +1783,7 @@
} }
@ -590,7 +543,7 @@ index 9e957fa..656ffe9 100644
/* /*
* get_secret - open the CHAP secret file and return the secret * get_secret - open the CHAP secret file and return the secret
* for authenticating the given client on the given server. * for authenticating the given client on the given server.
@@ -2359,3 +2436,335 @@ auth_script(script) @@ -2359,3 +2436,335 @@
auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
} }
@ -926,11 +879,10 @@ index 9e957fa..656ffe9 100644
+} +}
+#endif +#endif
+ +
diff --git a/pppd/ccp.c b/pppd/ccp.c diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
index 5814f35..7dead23 100644 --- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/ccp.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c 2017-05-09 14:38:55.148083482 +0200
+++ b/pppd/ccp.c @@ -540,6 +540,9 @@
@@ -540,6 +540,9 @@ ccp_resetci(f)
if (go->mppe) { if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit]; ccp_options *ao = &ccp_allowoptions[f->unit];
int auth_mschap_bits = auth_done[f->unit]; int auth_mschap_bits = auth_done[f->unit];
@ -940,7 +892,7 @@ index 5814f35..7dead23 100644
int numbits; int numbits;
/* /*
@@ -567,8 +570,23 @@ ccp_resetci(f) @@ -567,8 +570,23 @@
lcp_close(f->unit, "MPPE required but not available"); lcp_close(f->unit, "MPPE required but not available");
return; return;
} }
@ -965,10 +917,9 @@ index 5814f35..7dead23 100644
lcp_close(f->unit, "MPPE required but not available"); lcp_close(f->unit, "MPPE required but not available");
return; return;
} }
diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
index 77dd4ec..269b52c 100644 --- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/chap-md5.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c 2017-05-09 14:38:55.148083482 +0200
+++ b/pppd/chap-md5.c
@@ -36,7 +36,11 @@ @@ -36,7 +36,11 @@
#include "chap-new.h" #include "chap-new.h"
#include "chap-md5.h" #include "chap-md5.h"
@ -981,12 +932,10 @@ index 77dd4ec..269b52c 100644
#define MD5_HASH_SIZE 16 #define MD5_HASH_SIZE 16
#define MD5_MIN_CHALLENGE 16 #define MD5_MIN_CHALLENGE 16
diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
new file mode 100644 --- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
index 0000000..edcb0cb +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c 2017-05-11 10:43:00.345739124 +0200
--- /dev/null @@ -0,0 +1,1308 @@
+++ b/pppd/eap-tls.c
@@ -0,0 +1,1212 @@
+/* +/*
+ * eap-tls.c - EAP-TLS implementation for PPP + * eap-tls.c - EAP-TLS implementation for PPP
+ * + *
@ -1044,6 +993,72 @@ index 0000000..edcb0cb
+ +
+#ifdef MPPE +#ifdef MPPE
+ +
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+/*
+ * https://wiki.openssl.org/index.php/1.1_API_Changes
+ * tries to provide some guidance but ultimately falls short.
+ */
+
+static void HMAC_CTX_free(HMAC_CTX *ctx)
+{
+ if (ctx != NULL) {
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static HMAC_CTX *HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+ if (ctx != NULL)
+ HMAC_CTX_init(ctx);
+ return ctx;
+}
+
+/*
+ * These were basically jacked directly from the OpenSSL tree
+ * without adjustments.
+ */
+
+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
+ size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->client_random);
+ if (outlen > sizeof(ssl->s3->client_random))
+ outlen = sizeof(ssl->s3->client_random);
+ memcpy(out, ssl->s3->client_random, outlen);
+ return outlen;
+}
+
+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
+ size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->server_random);
+ if (outlen > sizeof(ssl->s3->server_random))
+ outlen = sizeof(ssl->s3->server_random);
+ memcpy(out, ssl->s3->server_random, outlen);
+ return outlen;
+}
+
+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
+ unsigned char *out, size_t outlen)
+{
+ if (outlen == 0)
+ return session->master_key_length;
+ if (outlen > session->master_key_length)
+ outlen = session->master_key_length;
+ memcpy(out, session->master_key, outlen);
+ return outlen;
+}
+
+/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */
+#define TLS_method TLSv1_method
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+/* +/*
+ * TLS PRF from RFC 2246 + * TLS PRF from RFC 2246
+ */ + */
@ -1052,47 +1067,47 @@ index 0000000..edcb0cb
+ const unsigned char *seed, unsigned int seed_len, + const unsigned char *seed, unsigned int seed_len,
+ unsigned char *out, unsigned int out_len) + unsigned char *out, unsigned int out_len)
+{ +{
+ HMAC_CTX ctx_a, ctx_out; + HMAC_CTX *ctx_a, *ctx_out;
+ unsigned char a[HMAC_MAX_MD_CBLOCK]; + unsigned char a[HMAC_MAX_MD_CBLOCK];
+ unsigned int size; + unsigned int size;
+ +
+ HMAC_CTX_init(&ctx_a); + ctx_a = HMAC_CTX_new();
+ HMAC_CTX_init(&ctx_out); + ctx_out = HMAC_CTX_new();
+ HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); + HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
+ HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); + HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
+ +
+ size = HMAC_size(&ctx_out); + size = HMAC_size(ctx_out);
+ +
+ /* Calculate A(1) */ + /* Calculate A(1) */
+ HMAC_Update(&ctx_a, seed, seed_len); + HMAC_Update(ctx_a, seed, seed_len);
+ HMAC_Final(&ctx_a, a, NULL); + HMAC_Final(ctx_a, a, NULL);
+ +
+ while (1) { + while (1) {
+ /* Calculate next part of output */ + /* Calculate next part of output */
+ HMAC_Update(&ctx_out, a, size); + HMAC_Update(ctx_out, a, size);
+ HMAC_Update(&ctx_out, seed, seed_len); + HMAC_Update(ctx_out, seed, seed_len);
+ +
+ /* Check if last part */ + /* Check if last part */
+ if (out_len < size) { + if (out_len < size) {
+ HMAC_Final(&ctx_out, a, NULL); + HMAC_Final(ctx_out, a, NULL);
+ memcpy(out, a, out_len); + memcpy(out, a, out_len);
+ break; + break;
+ } + }
+ +
+ /* Place digest in output buffer */ + /* Place digest in output buffer */
+ HMAC_Final(&ctx_out, out, NULL); + HMAC_Final(ctx_out, out, NULL);
+ HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); + HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
+ out += size; + out += size;
+ out_len -= size; + out_len -= size;
+ +
+ /* Calculate next A(i) */ + /* Calculate next A(i) */
+ HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); + HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
+ HMAC_Update(&ctx_a, a, size); + HMAC_Update(ctx_a, a, size);
+ HMAC_Final(&ctx_a, a, NULL); + HMAC_Final(ctx_a, a, NULL);
+ } + }
+ +
+ HMAC_CTX_cleanup(&ctx_a); + HMAC_CTX_free(ctx_a);
+ HMAC_CTX_cleanup(&ctx_out); + HMAC_CTX_free(ctx_out);
+ memset(a, 0, sizeof(a)); + memset(a, 0, sizeof(a));
+} +}
+ +
@ -1126,21 +1141,22 @@ index 0000000..edcb0cb
+ unsigned char *p = seed; + unsigned char *p = seed;
+ SSL *s = ets->ssl; + SSL *s = ets->ssl;
+ size_t prf_size; + size_t prf_size;
+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
+ size_t master_key_length;
+ +
+ prf_size = strlen(prf_label); + prf_size = strlen(prf_label);
+ +
+ memcpy(p, prf_label, prf_size); + memcpy(p, prf_label, prf_size);
+ p += prf_size; + p += prf_size;
+ +
+ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); + prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE);
+ p += SSL3_RANDOM_SIZE; + p += SSL3_RANDOM_SIZE;
+ prf_size += SSL3_RANDOM_SIZE;
+ +
+ memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); + prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE);
+ prf_size += SSL3_RANDOM_SIZE;
+ +
+ PRF(s->session->master_key, s->session->master_key_length, + master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
+ seed, prf_size, out, buf, sizeof(out)); + sizeof(master_key));
+ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out));
+ +
+ /* + /*
+ * We now have the master send and receive keys. + * We now have the master send and receive keys.
@ -1308,7 +1324,7 @@ index 0000000..edcb0cb
+ SSL_library_init(); + SSL_library_init();
+ SSL_load_error_strings(); + SSL_load_error_strings();
+ +
+ ctx = SSL_CTX_new(TLSv1_method()); + ctx = SSL_CTX_new(TLS_method());
+ +
+ if (!ctx) { + if (!ctx) {
+ error("EAP-TLS: Cannot initialize SSL CTX context"); + error("EAP-TLS: Cannot initialize SSL CTX context");
@ -2112,18 +2128,47 @@ index 0000000..edcb0cb
+ char string[256]; + char string[256];
+ struct eaptls_session *ets = (struct eaptls_session *)arg; + struct eaptls_session *ets = (struct eaptls_session *)arg;
+ unsigned char code; + unsigned char code;
+ const unsigned char*msg = buf;
+ int hvers = msg[1] << 8 | msg[2];
+ +
+ if(write_p) + if(write_p)
+ strcpy(string, " -> "); + strcpy(string, " -> ");
+ else + else
+ strcpy(string, " <- "); + strcpy(string, " <- ");
+ +
+
+ switch(content_type) { + switch(content_type) {
+ +
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ case SSL3_RT_HEADER:
+ strcat(string, "SSL/TLS Header: ");
+ switch(hvers) {
+ case SSL3_VERSION:
+ strcat(string, "SSL 3.0");
+ break;
+ case TLS1_VERSION:
+ strcat(string, "TLS 1.0");
+ break;
+ case TLS1_1_VERSION:
+ strcat(string, "TLS 1.1");
+ break;
+ case TLS1_2_VERSION:
+ strcat(string, "TLS 1.2");
+ break;
+ case DTLS1_VERSION:
+ strcat(string, "DTLS 1.0");
+ break;
+ case DTLS1_2_VERSION:
+ strcat(string, "DTLS 1.2");
+ break;
+ default:
+ strcat(string, "Unknown version");
+ }
+ break;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
+ case SSL3_RT_ALERT: + case SSL3_RT_ALERT:
+ strcat(string, "Alert: "); + strcat(string, "Alert: ");
+ code = ((const unsigned char *)buf)[1]; + code = msg[1];
+ +
+ if (write_p) { + if (write_p) {
+ ets->alert_sent = 1; + ets->alert_sent = 1;
@ -2143,7 +2188,7 @@ index 0000000..edcb0cb
+ case SSL3_RT_HANDSHAKE: + case SSL3_RT_HANDSHAKE:
+ +
+ strcat(string, "Handshake: "); + strcat(string, "Handshake: ");
+ code = ((const unsigned char *)buf)[0]; + code = msg[0];
+ +
+ switch(code) { + switch(code) {
+ case SSL3_MT_HELLO_REQUEST: + case SSL3_MT_HELLO_REQUEST:
@ -2199,11 +2244,9 @@ index 0000000..edcb0cb
+ dbglog("%s", string); + dbglog("%s", string);
+} +}
+ +
diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
new file mode 100644 --- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
index 0000000..2d45a0b +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h 2017-05-09 14:38:55.150083347 +0200
--- /dev/null
+++ b/pppd/eap-tls.h
@@ -0,0 +1,107 @@ @@ -0,0 +1,107 @@
+/* +/*
+ * eap-tls.h + * eap-tls.h
@ -2312,10 +2355,9 @@ index 0000000..2d45a0b
+#endif +#endif
+ +
+#endif +#endif
diff --git a/pppd/eap.c b/pppd/eap.c diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
index faced53..bfbce95 100644 --- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/eap.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c 2017-05-09 14:38:55.151083274 +0200
+++ b/pppd/eap.c
@@ -43,6 +43,11 @@ @@ -43,6 +43,11 @@
* Based on draft-ietf-pppext-eap-srp-03.txt. * Based on draft-ietf-pppext-eap-srp-03.txt.
*/ */
@ -2342,7 +2384,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP #ifdef USE_SRP
#include <t_pwd.h> #include <t_pwd.h>
@@ -209,6 +218,9 @@ int unit; @@ -209,6 +218,9 @@
esp->es_server.ea_id = (u_char)(drand48() * 0x100); esp->es_server.ea_id = (u_char)(drand48() * 0x100);
esp->es_client.ea_timeout = EAP_DEFREQTIME; esp->es_client.ea_timeout = EAP_DEFREQTIME;
esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
@ -2352,7 +2394,7 @@ index faced53..bfbce95 100644
} }
/* /*
@@ -436,8 +448,16 @@ int status; @@ -436,8 +448,16 @@
u_char vals[2]; u_char vals[2];
struct b64state bs; struct b64state bs;
#endif /* USE_SRP */ #endif /* USE_SRP */
@ -2369,7 +2411,7 @@ index faced53..bfbce95 100644
switch (esp->es_server.ea_state) { switch (esp->es_server.ea_state) {
case eapBadAuth: case eapBadAuth:
return; return;
@@ -562,9 +582,79 @@ int status; @@ -562,9 +582,79 @@
break; break;
} }
#endif /* USE_SRP */ #endif /* USE_SRP */
@ -2449,7 +2491,7 @@ index faced53..bfbce95 100644
case eapSRP1: case eapSRP1:
#ifdef USE_SRP #ifdef USE_SRP
ts = (struct t_server *)esp->es_server.ea_session; ts = (struct t_server *)esp->es_server.ea_session;
@@ -718,6 +808,30 @@ eap_state *esp; @@ -718,6 +808,30 @@
INCPTR(esp->es_server.ea_namelen, outp); INCPTR(esp->es_server.ea_namelen, outp);
break; break;
@ -2480,7 +2522,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP #ifdef USE_SRP
case eapSRP1: case eapSRP1:
PUTCHAR(EAPT_SRP, outp); PUTCHAR(EAPT_SRP, outp);
@@ -904,11 +1018,57 @@ static void @@ -904,11 +1018,57 @@
eap_server_timeout(arg) eap_server_timeout(arg)
void *arg; void *arg;
{ {
@ -2538,7 +2580,7 @@ index faced53..bfbce95 100644
/* EAP ID number must not change on timeout. */ /* EAP ID number must not change on timeout. */
eap_send_request(esp); eap_send_request(esp);
} }
@@ -1166,6 +1326,81 @@ u_char *str; @@ -1166,6 +1326,81 @@
} }
#endif /* USE_SRP */ #endif /* USE_SRP */
@ -2620,7 +2662,7 @@ index faced53..bfbce95 100644
static void static void
eap_send_nak(esp, id, type) eap_send_nak(esp, id, type)
eap_state *esp; eap_state *esp;
@@ -1320,6 +1555,11 @@ int len; @@ -1320,6 +1555,11 @@
char rhostname[256]; char rhostname[256];
MD5_CTX mdContext; MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE]; u_char hash[MD5_SIGNATURE_SIZE];
@ -2632,7 +2674,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP #ifdef USE_SRP
struct t_client *tc; struct t_client *tc;
struct t_num sval, gval, Nval, *Ap, Bval; struct t_num sval, gval, Nval, *Ap, Bval;
@@ -1456,6 +1696,90 @@ int len; @@ -1456,6 +1696,90 @@
esp->es_client.ea_namelen); esp->es_client.ea_namelen);
break; break;
@ -2723,7 +2765,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP #ifdef USE_SRP
case EAPT_SRP: case EAPT_SRP:
if (len < 1) { if (len < 1) {
@@ -1737,6 +2061,11 @@ int len; @@ -1737,6 +2061,11 @@
u_char dig[SHA_DIGESTSIZE]; u_char dig[SHA_DIGESTSIZE];
#endif /* USE_SRP */ #endif /* USE_SRP */
@ -2735,7 +2777,7 @@ index faced53..bfbce95 100644
if (esp->es_server.ea_id != id) { if (esp->es_server.ea_id != id) {
dbglog("EAP: discarding Response %d; expected ID %d", id, dbglog("EAP: discarding Response %d; expected ID %d", id,
esp->es_server.ea_id); esp->es_server.ea_id);
@@ -1776,6 +2105,60 @@ int len; @@ -1776,6 +2105,60 @@
eap_figure_next_state(esp, 0); eap_figure_next_state(esp, 0);
break; break;
@ -2796,7 +2838,7 @@ index faced53..bfbce95 100644
case EAPT_NOTIFICATION: case EAPT_NOTIFICATION:
dbglog("EAP unexpected Notification; response discarded"); dbglog("EAP unexpected Notification; response discarded");
break; break;
@@ -1807,6 +2190,13 @@ int len; @@ -1807,6 +2190,13 @@
esp->es_server.ea_state = eapMD5Chall; esp->es_server.ea_state = eapMD5Chall;
break; break;
@ -2810,7 +2852,7 @@ index faced53..bfbce95 100644
default: default:
dbglog("EAP: peer requesting unknown Type %d", vallen); dbglog("EAP: peer requesting unknown Type %d", vallen);
switch (esp->es_server.ea_state) { switch (esp->es_server.ea_state) {
@@ -2018,13 +2408,27 @@ u_char *inp; @@ -2018,13 +2408,27 @@
int id; int id;
int len; int len;
{ {
@ -2839,7 +2881,7 @@ index faced53..bfbce95 100644
if (esp->es_client.ea_timeout > 0) { if (esp->es_client.ea_timeout > 0) {
UNTIMEOUT(eap_client_timeout, (void *)esp); UNTIMEOUT(eap_client_timeout, (void *)esp);
} }
@@ -2150,6 +2554,9 @@ void *arg; @@ -2150,6 +2554,9 @@
int code, id, len, rtype, vallen; int code, id, len, rtype, vallen;
u_char *pstart; u_char *pstart;
u_int32_t uval; u_int32_t uval;
@ -2849,7 +2891,7 @@ index faced53..bfbce95 100644
if (inlen < EAP_HEADERLEN) if (inlen < EAP_HEADERLEN)
return (0); return (0);
@@ -2214,6 +2621,24 @@ void *arg; @@ -2214,6 +2621,24 @@
} }
break; break;
@ -2874,7 +2916,7 @@ index faced53..bfbce95 100644
case EAPT_SRP: case EAPT_SRP:
if (len < 3) if (len < 3)
goto truncated; goto truncated;
@@ -2325,6 +2750,25 @@ void *arg; @@ -2325,6 +2750,25 @@
} }
break; break;
@ -2900,16 +2942,15 @@ index faced53..bfbce95 100644
case EAPT_NAK: case EAPT_NAK:
if (len <= 0) { if (len <= 0) {
printer(arg, " <missing hint>"); printer(arg, " <missing hint>");
@@ -2426,3 +2870,4 @@ void *arg; @@ -2426,3 +2870,4 @@
return (inp - pstart); return (inp - pstart);
} }
+ +
diff --git a/pppd/eap.h b/pppd/eap.h diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
index 199d184..3fa5391 100644 --- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/eap.h +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h 2017-05-09 14:38:55.152083200 +0200
+++ b/pppd/eap.h @@ -84,6 +84,16 @@
@@ -84,6 +84,16 @@ enum eap_state_code {
eapClosed, /* Authentication not in use */ eapClosed, /* Authentication not in use */
eapListen, /* Client ready (and timer running) */ eapListen, /* Client ready (and timer running) */
eapIdentify, /* EAP Identify sent */ eapIdentify, /* EAP Identify sent */
@ -2926,7 +2967,7 @@ index 199d184..3fa5391 100644
eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
@@ -95,9 +105,18 @@ enum eap_state_code { @@ -95,9 +105,18 @@
#define EAP_STATES \ #define EAP_STATES \
"Initial", "Pending", "Closed", "Listen", "Identify", \ "Initial", "Pending", "Closed", "Listen", "Identify", \
@ -2936,8 +2977,8 @@ index 199d184..3fa5391 100644
-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
+#ifdef USE_EAPTLS +#ifdef USE_EAPTLS
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\ +#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
+ (esp)->es_client.ea_state != eapPending ||\ + (esp)->es_client.ea_state != eapPending &&\
+ (esp)->es_client.ea_state != eapClosed) + (esp)->es_client.ea_state != eapClosed)
+#else +#else
+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) +#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
@ -2946,7 +2987,7 @@ index 199d184..3fa5391 100644
#define eap_server_active(esp) \ #define eap_server_active(esp) \
((esp)->es_server.ea_state >= eapIdentify && \ ((esp)->es_server.ea_state >= eapIdentify && \
(esp)->es_server.ea_state <= eapMD5Chall) (esp)->es_server.ea_state <= eapMD5Chall)
@@ -112,11 +131,17 @@ struct eap_auth { @@ -112,11 +131,17 @@
u_short ea_namelen; /* Length of our name */ u_short ea_namelen; /* Length of our name */
u_short ea_peerlen; /* Length of peer's name */ u_short ea_peerlen; /* Length of peer's name */
enum eap_state_code ea_state; enum eap_state_code ea_state;
@ -2964,7 +3005,7 @@ index 199d184..3fa5391 100644
}; };
/* /*
@@ -139,7 +164,12 @@ typedef struct eap_state { @@ -139,7 +164,12 @@
* Timeouts. * Timeouts.
*/ */
#define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
@ -2977,10 +3018,9 @@ index 199d184..3fa5391 100644
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */ #define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
diff --git a/pppd/md5.c b/pppd/md5.c diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
index f1291ce..6f8f720 100644 --- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/md5.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c 2017-05-09 14:38:55.152083200 +0200
+++ b/pppd/md5.c
@@ -33,6 +33,8 @@ @@ -33,6 +33,8 @@
*********************************************************************** ***********************************************************************
*/ */
@ -2990,16 +3030,15 @@ index f1291ce..6f8f720 100644
#include <string.h> #include <string.h>
#include "md5.h" #include "md5.h"
@@ -305,3 +307,5 @@ UINT4 *in; @@ -305,3 +307,5 @@
** End of md5.c ** ** End of md5.c **
******************************** (cut) ******************************** ******************************** (cut) ********************************
*/ */
+#endif /* USE_EAPTLS */ +#endif /* USE_EAPTLS */
+ +
diff --git a/pppd/md5.h b/pppd/md5.h diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
index 71e8b00..14d7121 100644 --- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/md5.h +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h 2017-05-09 14:38:55.152083200 +0200
+++ b/pppd/md5.h
@@ -36,6 +36,7 @@ @@ -36,6 +36,7 @@
** documentation and/or software. ** ** documentation and/or software. **
*********************************************************************** ***********************************************************************
@ -3008,17 +3047,16 @@ index 71e8b00..14d7121 100644
#ifndef __MD5_INCLUDE__ #ifndef __MD5_INCLUDE__
@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext); @@ -63,3 +64,5 @@
#define __MD5_INCLUDE__ #define __MD5_INCLUDE__
#endif /* __MD5_INCLUDE__ */ #endif /* __MD5_INCLUDE__ */
+ +
+#endif /* USE_EAPTLS */ +#endif /* USE_EAPTLS */
diff --git a/pppd/pathnames.h b/pppd/pathnames.h diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h
index 24e010c..6275df6 100644 --- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/pathnames.h +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h 2017-05-09 14:38:55.153083126 +0200
+++ b/pppd/pathnames.h @@ -21,6 +21,13 @@
@@ -22,6 +22,13 @@
#define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
#define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
@ -3032,11 +3070,10 @@ index 24e010c..6275df6 100644
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
#define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux
index b474a19..760cad4 100644 --- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/plugins/Makefile.linux +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux 2017-05-09 14:38:55.153083126 +0200
+++ b/pppd/plugins/Makefile.linux @@ -4,6 +4,9 @@
@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
LDFLAGS = -shared LDFLAGS = -shared
INSTALL = install INSTALL = install
@ -3046,11 +3083,10 @@ index b474a19..760cad4 100644
DESTDIR = $(INSTROOT)@DESTDIR@ DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8 MANDIR = $(DESTDIR)/share/man/man8
diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c
index babb6dc..6ba73ca 100644 --- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/plugins/passprompt.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c 2017-05-09 14:38:55.153083126 +0200
+++ b/pppd/plugins/passprompt.c @@ -107,4 +107,7 @@
@@ -107,4 +107,7 @@ void plugin_init(void)
{ {
add_options(options); add_options(options);
pap_passwd_hook = promptpass; pap_passwd_hook = promptpass;
@ -3058,11 +3094,10 @@ index babb6dc..6ba73ca 100644
+ eaptls_passwd_hook = promptpass; + eaptls_passwd_hook = promptpass;
+#endif +#endif
} }
diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c
index d718f3b..c3f9793 100644 --- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/plugins/passwordfd.c +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c 2017-05-09 14:38:55.154083052 +0200
+++ b/pppd/plugins/passwordfd.c @@ -79,4 +79,8 @@
@@ -79,4 +79,8 @@ void plugin_init (void)
chap_check_hook = pwfd_check; chap_check_hook = pwfd_check;
chap_passwd_hook = pwfd_passwd; chap_passwd_hook = pwfd_passwd;
@ -3071,11 +3106,10 @@ index d718f3b..c3f9793 100644
+ eaptls_passwd_hook = pwfd_passwd; + eaptls_passwd_hook = pwfd_passwd;
+#endif +#endif
} }
diff --git a/pppd/pppd.8 b/pppd/pppd.8 diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
index 2dd6e1a..75dd6f3 100644 --- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/pppd.8 +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8 2017-05-09 14:38:55.155082978 +0200
+++ b/pppd/pppd.8 @@ -248,6 +248,12 @@
@@ -248,6 +248,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
compression in the corresponding direction. Use \fInobsdcomp\fR or compression in the corresponding direction. Use \fInobsdcomp\fR or
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely. \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
.TP .TP
@ -3088,7 +3122,7 @@ index 2dd6e1a..75dd6f3 100644
.B cdtrcts .B cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control Use a non-standard hardware flow control (i.e. DTR/CTS) to control
the flow of data on the serial port. If neither the \fIcrtscts\fR, the flow of data on the serial port. If neither the \fIcrtscts\fR,
@@ -259,6 +265,12 @@ RTS output. Such serial ports use this mode to implement true @@ -259,6 +265,12 @@
bi-directional flow control. The sacrifice is that this flow bi-directional flow control. The sacrifice is that this flow
control mode does not permit using DTR as a modem control line. control mode does not permit using DTR as a modem control line.
.TP .TP
@ -3101,7 +3135,7 @@ index 2dd6e1a..75dd6f3 100644
.B chap\-interval \fIn .B chap\-interval \fIn
If this option is given, pppd will rechallenge the peer every \fIn\fR If this option is given, pppd will rechallenge the peer every \fIn\fR
seconds. seconds.
@@ -287,6 +299,18 @@ negotiation by sending its first LCP packet. The default value is @@ -287,6 +299,18 @@
1000 (1 second). This wait period only applies if the \fBconnect\fR 1000 (1 second). This wait period only applies if the \fBconnect\fR
or \fBpty\fR option is used. or \fBpty\fR option is used.
.TP .TP
@ -3120,7 +3154,7 @@ index 2dd6e1a..75dd6f3 100644
.B debug .B debug
Enables connection debugging facilities. Enables connection debugging facilities.
If this option is given, pppd will log the contents of all If this option is given, pppd will log the contents of all
@@ -551,6 +575,12 @@ transmitted packets be printed. On most systems, messages printed by @@ -551,6 +575,12 @@
the kernel are logged by syslog(1) to a file as directed in the the kernel are logged by syslog(1) to a file as directed in the
/etc/syslog.conf configuration file. /etc/syslog.conf configuration file.
.TP .TP
@ -3133,7 +3167,7 @@ index 2dd6e1a..75dd6f3 100644
.B ktune .B ktune
Enables pppd to alter kernel settings as appropriate. Under Linux, Enables pppd to alter kernel settings as appropriate. Under Linux,
pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
@@ -709,6 +739,9 @@ name to \fIname\fR.) @@ -709,6 +739,9 @@
Disable Address/Control compression in both directions (send and Disable Address/Control compression in both directions (send and
receive). receive).
.TP .TP
@ -3143,11 +3177,10 @@ index 2dd6e1a..75dd6f3 100644
.B noauth .B noauth
Do not require the peer to authenticate itself. This option is Do not require the peer to authenticate itself. This option is
privileged. privileged.
diff --git a/pppd/pppd.h b/pppd/pppd.h diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
index 5f72f72..523f226 100644 --- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200
--- a/pppd/pppd.h +++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h 2017-05-09 14:38:55.156082905 +0200
+++ b/pppd/pppd.h @@ -325,6 +325,11 @@
@@ -324,6 +324,11 @@ extern bool dump_options; /* print out option values */
extern bool dryrun; /* check everything, print options, exit */ extern bool dryrun; /* check everything, print options, exit */
extern int child_wait; /* # seconds to wait for children at end */ extern int child_wait; /* # seconds to wait for children at end */
@ -3159,7 +3192,7 @@ index 5f72f72..523f226 100644
#ifdef MAXOCTETS #ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int maxoctets_dir; /* Direction : extern int maxoctets_dir; /* Direction :
@@ -738,6 +743,10 @@ extern int (*chap_check_hook) __P((void)); @@ -741,6 +746,10 @@
extern int (*chap_passwd_hook) __P((char *user, char *passwd)); extern int (*chap_passwd_hook) __P((char *user, char *passwd));
extern void (*multilink_join_hook) __P((void)); extern void (*multilink_join_hook) __P((void));
@ -3170,6 +3203,3 @@ index 5f72f72..523f226 100644
/* Let a plugin snoop sent and received packets. Useful for L2TP */ /* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
extern void (*snoop_send_hook) __P((unsigned char *p, int len)); extern void (*snoop_send_hook) __P((unsigned char *p, int len));
--
1.8.3.1


@ -1,27 +0,0 @@
From fcb95abad72ac043f2e5f5ddcffc42b0783a3c2d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 10 Dec 2014 12:21:31 +0100
Subject: [PATCH] Fix logical expression in eap_client_active macro
---
pppd/eap.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pppd/eap.h b/pppd/eap.h
index 3fa5391..087baad 100644
--- a/pppd/eap.h
+++ b/pppd/eap.h
@@ -110,8 +110,8 @@ enum eap_state_code {
"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
#ifdef USE_EAPTLS
-#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\
- (esp)->es_client.ea_state != eapPending ||\
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
+ (esp)->es_client.ea_state != eapPending &&\
(esp)->es_client.ea_state != eapClosed)
#else
#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
--
1.8.3.1


@ -3,7 +3,7 @@
Summary: The Point-to-Point Protocol daemon Summary: The Point-to-Point Protocol daemon
Name: ppp Name: ppp
Version: 2.4.7 Version: 2.4.7
Release: 13%{?dist} Release: 14%{?dist}
License: BSD and LGPLv2+ and GPLv2+ and Public Domain License: BSD and LGPLv2+ and GPLv2+ and Public Domain
Group: System Environment/Daemons Group: System Environment/Daemons
URL: http://www.samba.org/ppp URL: http://www.samba.org/ppp
@ -48,12 +48,11 @@ Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch
Patch0026: 0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch Patch0026: 0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
Patch0027: 0027-pppd-EAP-TLS-patch-v0.997.patch Patch0027: 0027-pppd-EAP-TLS-patch-v0.999.patch
Patch0028: 0028-Fix-logical-expression-in-eap_client_active-macro.patch Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
Patch0029: 0029-pppoe-include-netinet-in.h-before-linux-in.h.patch
BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel
BuildRequires: pkgconfig(openssl) < 1.1 BuildRequires: openssl-devel
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd, initscripts >= 9.54 Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd, initscripts >= 9.54
Requires(pre): /usr/bin/getent Requires(pre): /usr/bin/getent
Requires(pre): /usr/sbin/groupadd Requires(pre): /usr/sbin/groupadd
@ -170,6 +169,10 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
%doc PLUGINS %doc PLUGINS
%changelog %changelog
* Mon Aug 21 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-14
- EAP-TLS patch updated to version 0.999
- Switched to openssl-1.1
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-13 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
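Review bot: Dropping `Patch0028: 0028-Fix-logical-expression-in-eap_client_active-macro.patch` from the patch list removes a correctness fix, and nothing in the v0.999 patch visible on this page shows that the new patch carries it. That patch changed `||` to `&&` in the `USE_EAPTLS` definition of `eap_client_active`; with `||` the macro is true for every state, so the EAP-TLS client side is treated as active even in eapInitial, eapPending or eapClosed. Please confirm the macro in the new `pppd/eap.h` before dropping the fix, or keep it as a follow-up patch applied after 0027. The new `BuildRequires: openssl-devel` also replaces the former `< 1.1` bound with no bound at all; if the 0.999 patch depends on the OpenSSL 1.1 API, a minimum version on that line would make the intent explicit.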