Compare commits

..

10 Commits
f26 ... master

Author SHA1 Message Date
Jaroslav Škarvada
8870b357ca Link with -E not to break plugins
Resolves: rhbz#1564459
2018-04-09 14:49:53 +02:00
Jaroslav Škarvada
cf1e6c7c6b Also build all DSOs with distro's LDFLAGS
Related: rhbz#1563157
2018-04-06 14:09:44 +02:00
Jaroslav Škarvada
5da2a6a5b0 Build with distro's LDFLAGS
Resolves: rhbz#1563157
2018-04-04 11:33:41 +02:00
Jaroslav Škarvada
5a9cdf3bbf Used openssl for the DES instead of the libcrypt / glibc
Resolves: rhbz#1556132
2018-03-27 17:02:14 +02:00
Igor Gnatenko
93aa42b0f6
Escape macros in %changelog
Reference: https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/thread/Y2ZUKK2B7T2IKXPMODNF6HB2O5T5TS6H/
Signed-off-by: Igor Gnatenko <ignatenkobrain@fedoraproject.org>
2018-02-09 09:05:33 +01:00
Fedora Release Engineering
b2dc3349ef - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
Signed-off-by: Fedora Release Engineering <releng@fedoraproject.org>
2018-02-09 05:42:31 +00:00
Björn Esser
ed2a4706b1
Rebuilt for switch to libxcrypt 2018-01-20 23:07:37 +01:00
Jaroslav Škarvada
ebcb6e8d2d EAP-TLS patch updated to version 0.999
Switched to openssl-1.1
2017-08-21 22:00:47 +02:00
Fedora Release Engineering
f3e51c8301 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild 2017-08-03 06:20:11 +00:00
Fedora Release Engineering
3adcba02c6 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild 2017-07-27 09:00:20 +00:00
6 changed files with 538 additions and 246 deletions

View File

@ -1,44 +1,6 @@
From 7887b3d84468e1ebfbe5adc373f0816eda2b995a Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Fri, 20 Jun 2014 10:31:43 +0200
Subject: [PATCH 27/27] pppd: EAP-TLS patch v0.997
See: http://www.nikhef.nl/~janjust/ppp/download.html
---
README.eap-tls | 280 ++++++++++
etc.ppp/eaptls-client | 10 +
etc.ppp/eaptls-server | 11 +
etc.ppp/openssl.cnf | 14 +
linux/Makefile.top | 6 +-
pppd/Makefile.linux | 12 +
pppd/auth.c | 413 ++++++++++++++-
pppd/ccp.c | 20 +-
pppd/chap-md5.c | 4 +
pppd/eap-tls.c | 1212 +++++++++++++++++++++++++++++++++++++++++++
pppd/eap-tls.h | 107 ++++
pppd/eap.c | 449 +++++++++++++++-
pppd/eap.h | 32 +-
pppd/md5.c | 4 +
pppd/md5.h | 3 +
pppd/pathnames.h | 7 +
pppd/plugins/Makefile.linux | 3 +
pppd/plugins/passprompt.c | 3 +
pppd/plugins/passwordfd.c | 4 +
pppd/pppd.8 | 33 ++
pppd/pppd.h | 9 +
21 files changed, 2629 insertions(+), 7 deletions(-)
create mode 100644 README.eap-tls
create mode 100644 etc.ppp/eaptls-client
create mode 100644 etc.ppp/eaptls-server
create mode 100644 etc.ppp/openssl.cnf
create mode 100644 pppd/eap-tls.c
create mode 100644 pppd/eap-tls.h
diff --git a/README.eap-tls b/README.eap-tls
new file mode 100644
index 0000000..037be0a
--- /dev/null
+++ b/README.eap-tls
diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
--- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls 2017-05-09 14:38:55.129084488 +0200
@@ -0,0 +1,280 @@
+EAP-TLS authentication support for PPP
+======================================
@ -320,11 +282,9 @@ index 0000000..037be0a
+ - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
+ - fix bug in initialisation code with fragmented packets.
+
diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
new file mode 100644
index 0000000..7782f0e
--- /dev/null
+++ b/etc.ppp/eaptls-client
diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client
--- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client 2017-05-09 14:38:55.129084488 +0200
@@ -0,0 +1,10 @@
+# Parameters for authentication using EAP-TLS (client)
+
@ -336,11 +296,9 @@ index 0000000..7782f0e
+# client private key file (required)
+
+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
new file mode 100644
index 0000000..fa53cbd
--- /dev/null
+++ b/etc.ppp/eaptls-server
diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server
--- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server 2017-05-09 14:38:55.137084099 +0200
@@ -0,0 +1,11 @@
+# Parameters for authentication using EAP-TLS (server)
+
@ -353,11 +311,9 @@ index 0000000..fa53cbd
+# allowed addresses (required, can be *)
+
+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
new file mode 100644
index 0000000..dd32f30
--- /dev/null
+++ b/etc.ppp/openssl.cnf
diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf
--- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf 2017-05-09 14:38:55.137084099 +0200
@@ -0,0 +1,14 @@
+openssl_conf = openssl_def
+
@ -373,11 +329,10 @@ index 0000000..dd32f30
+MODULE_PATH = /usr/lib64/libeTPkcs11.so
+init = 0
+
diff --git a/linux/Makefile.top b/linux/Makefile.top
index f42efd5..9a8945a 100644
--- a/linux/Makefile.top
+++ b/linux/Makefile.top
@@ -28,7 +28,7 @@ install-progs:
diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top
--- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top 2017-05-09 14:38:55.138084052 +0200
@@ -26,7 +26,7 @@
cd pppdump; $(MAKE) $(MFLAGS) install
install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
@ -386,7 +341,7 @@ index f42efd5..9a8945a 100644
install-devel:
cd pppd; $(MAKE) $(MFLAGS) install-devel
@@ -39,6 +39,10 @@ $(ETCDIR)/pap-secrets:
@@ -37,6 +37,10 @@
$(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
$(ETCDIR)/chap-secrets:
$(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
@ -397,11 +352,10 @@ index f42efd5..9a8945a 100644
$(BINDIR):
$(INSTALL) -d -m 755 $@
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index 943cf83..534ccc2 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -79,6 +79,9 @@ CBCP=y
diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux
--- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux 2017-05-09 14:38:55.138084052 +0200
@@ -76,6 +76,9 @@
# Use libutil
USE_LIBUTIL=y
@ -411,7 +365,7 @@ index 943cf83..534ccc2 100644
MAXOCTETS=y
INCLUDE_DIRS= -I../include
@@ -118,6 +121,15 @@ HEADERS += sha1.h
@@ -115,6 +118,15 @@
PPPDOBJS += sha1.o
endif
@ -427,10 +381,9 @@ index 943cf83..534ccc2 100644
ifdef HAS_SHADOW
CFLAGS += -DHAS_SHADOW
#LIBS += -lshadow $(LIBS)
diff --git a/pppd/auth.c b/pppd/auth.c
index 9e957fa..656ffe9 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
--- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c 2017-05-09 14:38:55.139084004 +0200
@@ -109,6 +109,9 @@
#include "upap.h"
#include "chap-new.h"
@ -441,7 +394,7 @@ index 9e957fa..656ffe9 100644
#ifdef CBCP_SUPPORT
#include "cbcp.h"
#endif
@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
@@ -183,6 +186,11 @@
/* Hook for a plugin to get the CHAP password for authenticating us */
int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
@ -453,7 +406,7 @@ index 9e957fa..656ffe9 100644
/* Hook for a plugin to say whether it is OK if the peer
refuses to authenticate. */
int (*null_auth_hook) __P((struct wordlist **paddrs,
@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */
@@ -238,6 +246,14 @@
bool explicit_user = 0; /* Set if "user" option supplied */
bool explicit_passwd = 0; /* Set if "password" option supplied */
char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
@ -468,7 +421,7 @@ index 9e957fa..656ffe9 100644
static char *uafname; /* name of most recent +ua file */
@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *));
@@ -254,6 +270,19 @@
static int have_chap_secret __P((char *, char *, int, int *));
static int have_srp_secret __P((char *client, char *server, int need_ip,
int *lacks_ipp));
@ -488,7 +441,7 @@ index 9e957fa..656ffe9 100644
static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
static int scan_authfile __P((FILE *, char *, char *, char *,
struct wordlist **, struct wordlist **,
@@ -401,6 +430,15 @@ option_t auth_options[] = {
@@ -401,6 +430,15 @@
"Set telephone number(s) which are allowed to connect",
OPT_PRIV | OPT_A2LIST },
@ -504,7 +457,7 @@ index 9e957fa..656ffe9 100644
{ NULL }
};
@@ -730,6 +768,9 @@ link_established(unit)
@@ -730,6 +768,9 @@
lcp_options *wo = &lcp_wantoptions[unit];
lcp_options *go = &lcp_gotoptions[unit];
lcp_options *ho = &lcp_hisoptions[unit];
@ -514,7 +467,7 @@ index 9e957fa..656ffe9 100644
int i;
struct protent *protp;
@@ -764,6 +805,22 @@ link_established(unit)
@@ -764,6 +805,22 @@
}
}
@ -537,7 +490,7 @@ index 9e957fa..656ffe9 100644
new_phase(PHASE_AUTHENTICATE);
auth = 0;
if (go->neg_eap) {
@@ -1277,6 +1334,15 @@ auth_check_options()
@@ -1277,6 +1334,15 @@
our_name, 1, &lacks_ip);
}
@ -553,7 +506,7 @@ index 9e957fa..656ffe9 100644
if (auth_required && !can_auth && noauth_addrs == NULL) {
if (default_auth) {
option_error(
@@ -1331,7 +1397,11 @@ auth_reset(unit)
@@ -1331,7 +1397,11 @@
passwd[0] != 0 ||
(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
(explicit_remote? remote_name: NULL), 0, NULL))) ||
@ -566,7 +519,7 @@ index 9e957fa..656ffe9 100644
hadchap = -1;
if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
@@ -1346,8 +1416,14 @@ auth_reset(unit)
@@ -1346,8 +1416,14 @@
!have_chap_secret((explicit_remote? remote_name: NULL), our_name,
1, NULL))) &&
!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
@ -582,7 +535,7 @@ index 9e957fa..656ffe9 100644
}
@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
@@ -1707,6 +1783,7 @@
}
@ -590,7 +543,7 @@ index 9e957fa..656ffe9 100644
/*
* get_secret - open the CHAP secret file and return the secret
* for authenticating the given client on the given server.
@@ -2359,3 +2436,335 @@ auth_script(script)
@@ -2359,3 +2436,335 @@
auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
}
@ -926,11 +879,10 @@ index 9e957fa..656ffe9 100644
+}
+#endif
+
diff --git a/pppd/ccp.c b/pppd/ccp.c
index 5814f35..7dead23 100644
--- a/pppd/ccp.c
+++ b/pppd/ccp.c
@@ -540,6 +540,9 @@ ccp_resetci(f)
diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
--- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c 2017-05-09 14:38:55.148083482 +0200
@@ -540,6 +540,9 @@
if (go->mppe) {
ccp_options *ao = &ccp_allowoptions[f->unit];
int auth_mschap_bits = auth_done[f->unit];
@ -940,7 +892,7 @@ index 5814f35..7dead23 100644
int numbits;
/*
@@ -567,8 +570,23 @@ ccp_resetci(f)
@@ -567,8 +570,23 @@
lcp_close(f->unit, "MPPE required but not available");
return;
}
@ -965,10 +917,9 @@ index 5814f35..7dead23 100644
lcp_close(f->unit, "MPPE required but not available");
return;
}
diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
index 77dd4ec..269b52c 100644
--- a/pppd/chap-md5.c
+++ b/pppd/chap-md5.c
diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
--- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c 2017-05-09 14:38:55.148083482 +0200
@@ -36,7 +36,11 @@
#include "chap-new.h"
#include "chap-md5.h"
@ -981,12 +932,10 @@ index 77dd4ec..269b52c 100644
#define MD5_HASH_SIZE 16
#define MD5_MIN_CHALLENGE 16
diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
new file mode 100644
index 0000000..edcb0cb
--- /dev/null
+++ b/pppd/eap-tls.c
@@ -0,0 +1,1212 @@
diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
--- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c 2017-05-11 10:43:00.345739124 +0200
@@ -0,0 +1,1308 @@
+/*
+ * eap-tls.c - EAP-TLS implementation for PPP
+ *
@ -1044,6 +993,72 @@ index 0000000..edcb0cb
+
+#ifdef MPPE
+
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
+
+/*
+ * https://wiki.openssl.org/index.php/1.1_API_Changes
+ * tries to provide some guidance but ultimately falls short.
+ */
+
+static void HMAC_CTX_free(HMAC_CTX *ctx)
+{
+ if (ctx != NULL) {
+ HMAC_CTX_cleanup(ctx);
+ OPENSSL_free(ctx);
+ }
+}
+
+static HMAC_CTX *HMAC_CTX_new(void)
+{
+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
+ if (ctx != NULL)
+ HMAC_CTX_init(ctx);
+ return ctx;
+}
+
+/*
+ * These were basically jacked directly from the OpenSSL tree
+ * without adjustments.
+ */
+
+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
+ size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->client_random);
+ if (outlen > sizeof(ssl->s3->client_random))
+ outlen = sizeof(ssl->s3->client_random);
+ memcpy(out, ssl->s3->client_random, outlen);
+ return outlen;
+}
+
+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
+ size_t outlen)
+{
+ if (outlen == 0)
+ return sizeof(ssl->s3->server_random);
+ if (outlen > sizeof(ssl->s3->server_random))
+ outlen = sizeof(ssl->s3->server_random);
+ memcpy(out, ssl->s3->server_random, outlen);
+ return outlen;
+}
+
+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
+ unsigned char *out, size_t outlen)
+{
+ if (outlen == 0)
+ return session->master_key_length;
+ if (outlen > session->master_key_length)
+ outlen = session->master_key_length;
+ memcpy(out, session->master_key, outlen);
+ return outlen;
+}
+
+/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */
+#define TLS_method TLSv1_method
+
+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
+
+/*
+ * TLS PRF from RFC 2246
+ */
@ -1052,47 +1067,47 @@ index 0000000..edcb0cb
+ const unsigned char *seed, unsigned int seed_len,
+ unsigned char *out, unsigned int out_len)
+{
+ HMAC_CTX ctx_a, ctx_out;
+ HMAC_CTX *ctx_a, *ctx_out;
+ unsigned char a[HMAC_MAX_MD_CBLOCK];
+ unsigned int size;
+
+ HMAC_CTX_init(&ctx_a);
+ HMAC_CTX_init(&ctx_out);
+ HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL);
+ HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL);
+ ctx_a = HMAC_CTX_new();
+ ctx_out = HMAC_CTX_new();
+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
+
+ size = HMAC_size(&ctx_out);
+ size = HMAC_size(ctx_out);
+
+ /* Calculate A(1) */
+ HMAC_Update(&ctx_a, seed, seed_len);
+ HMAC_Final(&ctx_a, a, NULL);
+ HMAC_Update(ctx_a, seed, seed_len);
+ HMAC_Final(ctx_a, a, NULL);
+
+ while (1) {
+ /* Calculate next part of output */
+ HMAC_Update(&ctx_out, a, size);
+ HMAC_Update(&ctx_out, seed, seed_len);
+ HMAC_Update(ctx_out, a, size);
+ HMAC_Update(ctx_out, seed, seed_len);
+
+ /* Check if last part */
+ if (out_len < size) {
+ HMAC_Final(&ctx_out, a, NULL);
+ HMAC_Final(ctx_out, a, NULL);
+ memcpy(out, a, out_len);
+ break;
+ }
+
+ /* Place digest in output buffer */
+ HMAC_Final(&ctx_out, out, NULL);
+ HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL);
+ HMAC_Final(ctx_out, out, NULL);
+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
+ out += size;
+ out_len -= size;
+
+ /* Calculate next A(i) */
+ HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL);
+ HMAC_Update(&ctx_a, a, size);
+ HMAC_Final(&ctx_a, a, NULL);
+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
+ HMAC_Update(ctx_a, a, size);
+ HMAC_Final(ctx_a, a, NULL);
+ }
+
+ HMAC_CTX_cleanup(&ctx_a);
+ HMAC_CTX_cleanup(&ctx_out);
+ HMAC_CTX_free(ctx_a);
+ HMAC_CTX_free(ctx_out);
+ memset(a, 0, sizeof(a));
+}
+
@ -1126,21 +1141,22 @@ index 0000000..edcb0cb
+ unsigned char *p = seed;
+ SSL *s = ets->ssl;
+ size_t prf_size;
+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
+ size_t master_key_length;
+
+ prf_size = strlen(prf_label);
+
+ memcpy(p, prf_label, prf_size);
+ p += prf_size;
+
+ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
+ prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE);
+ p += SSL3_RANDOM_SIZE;
+ prf_size += SSL3_RANDOM_SIZE;
+
+ memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
+ prf_size += SSL3_RANDOM_SIZE;
+ prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE);
+
+ PRF(s->session->master_key, s->session->master_key_length,
+ seed, prf_size, out, buf, sizeof(out));
+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
+ sizeof(master_key));
+ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out));
+
+ /*
+ * We now have the master send and receive keys.
@ -1308,7 +1324,7 @@ index 0000000..edcb0cb
+ SSL_library_init();
+ SSL_load_error_strings();
+
+ ctx = SSL_CTX_new(TLSv1_method());
+ ctx = SSL_CTX_new(TLS_method());
+
+ if (!ctx) {
+ error("EAP-TLS: Cannot initialize SSL CTX context");
@ -2112,18 +2128,47 @@ index 0000000..edcb0cb
+ char string[256];
+ struct eaptls_session *ets = (struct eaptls_session *)arg;
+ unsigned char code;
+ const unsigned char*msg = buf;
+ int hvers = msg[1] << 8 | msg[2];
+
+ if(write_p)
+ strcpy(string, " -> ");
+ else
+ strcpy(string, " <- ");
+
+
+ switch(content_type) {
+
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
+ case SSL3_RT_HEADER:
+ strcat(string, "SSL/TLS Header: ");
+ switch(hvers) {
+ case SSL3_VERSION:
+ strcat(string, "SSL 3.0");
+ break;
+ case TLS1_VERSION:
+ strcat(string, "TLS 1.0");
+ break;
+ case TLS1_1_VERSION:
+ strcat(string, "TLS 1.1");
+ break;
+ case TLS1_2_VERSION:
+ strcat(string, "TLS 1.2");
+ break;
+ case DTLS1_VERSION:
+ strcat(string, "DTLS 1.0");
+ break;
+ case DTLS1_2_VERSION:
+ strcat(string, "DTLS 1.2");
+ break;
+ default:
+ strcat(string, "Unknown version");
+ }
+ break;
+#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
+
+ case SSL3_RT_ALERT:
+ strcat(string, "Alert: ");
+ code = ((const unsigned char *)buf)[1];
+ code = msg[1];
+
+ if (write_p) {
+ ets->alert_sent = 1;
@ -2143,7 +2188,7 @@ index 0000000..edcb0cb
+ case SSL3_RT_HANDSHAKE:
+
+ strcat(string, "Handshake: ");
+ code = ((const unsigned char *)buf)[0];
+ code = msg[0];
+
+ switch(code) {
+ case SSL3_MT_HELLO_REQUEST:
@ -2199,11 +2244,9 @@ index 0000000..edcb0cb
+ dbglog("%s", string);
+}
+
diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
new file mode 100644
index 0000000..2d45a0b
--- /dev/null
+++ b/pppd/eap-tls.h
diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
--- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h 2017-05-09 14:38:55.150083347 +0200
@@ -0,0 +1,107 @@
+/*
+ * eap-tls.h
@ -2312,10 +2355,9 @@ index 0000000..2d45a0b
+#endif
+
+#endif
diff --git a/pppd/eap.c b/pppd/eap.c
index faced53..bfbce95 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
--- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c 2017-05-09 14:38:55.151083274 +0200
@@ -43,6 +43,11 @@
* Based on draft-ietf-pppext-eap-srp-03.txt.
*/
@ -2342,7 +2384,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP
#include <t_pwd.h>
@@ -209,6 +218,9 @@ int unit;
@@ -209,6 +218,9 @@
esp->es_server.ea_id = (u_char)(drand48() * 0x100);
esp->es_client.ea_timeout = EAP_DEFREQTIME;
esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
@ -2352,7 +2394,7 @@ index faced53..bfbce95 100644
}
/*
@@ -436,8 +448,16 @@ int status;
@@ -436,8 +448,16 @@
u_char vals[2];
struct b64state bs;
#endif /* USE_SRP */
@ -2369,7 +2411,7 @@ index faced53..bfbce95 100644
switch (esp->es_server.ea_state) {
case eapBadAuth:
return;
@@ -562,9 +582,79 @@ int status;
@@ -562,9 +582,79 @@
break;
}
#endif /* USE_SRP */
@ -2449,7 +2491,7 @@ index faced53..bfbce95 100644
case eapSRP1:
#ifdef USE_SRP
ts = (struct t_server *)esp->es_server.ea_session;
@@ -718,6 +808,30 @@ eap_state *esp;
@@ -718,6 +808,30 @@
INCPTR(esp->es_server.ea_namelen, outp);
break;
@ -2480,7 +2522,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP
case eapSRP1:
PUTCHAR(EAPT_SRP, outp);
@@ -904,11 +1018,57 @@ static void
@@ -904,11 +1018,57 @@
eap_server_timeout(arg)
void *arg;
{
@ -2538,7 +2580,7 @@ index faced53..bfbce95 100644
/* EAP ID number must not change on timeout. */
eap_send_request(esp);
}
@@ -1166,6 +1326,81 @@ u_char *str;
@@ -1166,6 +1326,81 @@
}
#endif /* USE_SRP */
@ -2620,7 +2662,7 @@ index faced53..bfbce95 100644
static void
eap_send_nak(esp, id, type)
eap_state *esp;
@@ -1320,6 +1555,11 @@ int len;
@@ -1320,6 +1555,11 @@
char rhostname[256];
MD5_CTX mdContext;
u_char hash[MD5_SIGNATURE_SIZE];
@ -2632,7 +2674,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP
struct t_client *tc;
struct t_num sval, gval, Nval, *Ap, Bval;
@@ -1456,6 +1696,90 @@ int len;
@@ -1456,6 +1696,90 @@
esp->es_client.ea_namelen);
break;
@ -2723,7 +2765,7 @@ index faced53..bfbce95 100644
#ifdef USE_SRP
case EAPT_SRP:
if (len < 1) {
@@ -1737,6 +2061,11 @@ int len;
@@ -1737,6 +2061,11 @@
u_char dig[SHA_DIGESTSIZE];
#endif /* USE_SRP */
@ -2735,7 +2777,7 @@ index faced53..bfbce95 100644
if (esp->es_server.ea_id != id) {
dbglog("EAP: discarding Response %d; expected ID %d", id,
esp->es_server.ea_id);
@@ -1776,6 +2105,60 @@ int len;
@@ -1776,6 +2105,60 @@
eap_figure_next_state(esp, 0);
break;
@ -2796,7 +2838,7 @@ index faced53..bfbce95 100644
case EAPT_NOTIFICATION:
dbglog("EAP unexpected Notification; response discarded");
break;
@@ -1807,6 +2190,13 @@ int len;
@@ -1807,6 +2190,13 @@
esp->es_server.ea_state = eapMD5Chall;
break;
@ -2810,7 +2852,7 @@ index faced53..bfbce95 100644
default:
dbglog("EAP: peer requesting unknown Type %d", vallen);
switch (esp->es_server.ea_state) {
@@ -2018,13 +2408,27 @@ u_char *inp;
@@ -2018,13 +2408,27 @@
int id;
int len;
{
@ -2839,7 +2881,7 @@ index faced53..bfbce95 100644
if (esp->es_client.ea_timeout > 0) {
UNTIMEOUT(eap_client_timeout, (void *)esp);
}
@@ -2150,6 +2554,9 @@ void *arg;
@@ -2150,6 +2554,9 @@
int code, id, len, rtype, vallen;
u_char *pstart;
u_int32_t uval;
@ -2849,7 +2891,7 @@ index faced53..bfbce95 100644
if (inlen < EAP_HEADERLEN)
return (0);
@@ -2214,6 +2621,24 @@ void *arg;
@@ -2214,6 +2621,24 @@
}
break;
@ -2874,7 +2916,7 @@ index faced53..bfbce95 100644
case EAPT_SRP:
if (len < 3)
goto truncated;
@@ -2325,6 +2750,25 @@ void *arg;
@@ -2325,6 +2750,25 @@
}
break;
@ -2900,16 +2942,15 @@ index faced53..bfbce95 100644
case EAPT_NAK:
if (len <= 0) {
printer(arg, " <missing hint>");
@@ -2426,3 +2870,4 @@ void *arg;
@@ -2426,3 +2870,4 @@
return (inp - pstart);
}
+
diff --git a/pppd/eap.h b/pppd/eap.h
index 199d184..3fa5391 100644
--- a/pppd/eap.h
+++ b/pppd/eap.h
@@ -84,6 +84,16 @@ enum eap_state_code {
diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
--- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h 2017-05-09 14:38:55.152083200 +0200
@@ -84,6 +84,16 @@
eapClosed, /* Authentication not in use */
eapListen, /* Client ready (and timer running) */
eapIdentify, /* EAP Identify sent */
@ -2926,7 +2967,7 @@ index 199d184..3fa5391 100644
eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
@@ -95,9 +105,18 @@ enum eap_state_code {
@@ -95,9 +105,18 @@
#define EAP_STATES \
"Initial", "Pending", "Closed", "Listen", "Identify", \
@ -2936,8 +2977,8 @@ index 199d184..3fa5391 100644
-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
+#ifdef USE_EAPTLS
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\
+ (esp)->es_client.ea_state != eapPending ||\
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
+ (esp)->es_client.ea_state != eapPending &&\
+ (esp)->es_client.ea_state != eapClosed)
+#else
+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
@ -2946,7 +2987,7 @@ index 199d184..3fa5391 100644
#define eap_server_active(esp) \
((esp)->es_server.ea_state >= eapIdentify && \
(esp)->es_server.ea_state <= eapMD5Chall)
@@ -112,11 +131,17 @@ struct eap_auth {
@@ -112,11 +131,17 @@
u_short ea_namelen; /* Length of our name */
u_short ea_peerlen; /* Length of peer's name */
enum eap_state_code ea_state;
@ -2964,7 +3005,7 @@ index 199d184..3fa5391 100644
};
/*
@@ -139,7 +164,12 @@ typedef struct eap_state {
@@ -139,7 +164,12 @@
* Timeouts.
*/
#define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
@ -2977,10 +3018,9 @@ index 199d184..3fa5391 100644
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
diff --git a/pppd/md5.c b/pppd/md5.c
index f1291ce..6f8f720 100644
--- a/pppd/md5.c
+++ b/pppd/md5.c
diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
--- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c 2017-05-09 14:38:55.152083200 +0200
@@ -33,6 +33,8 @@
***********************************************************************
*/
@ -2990,16 +3030,15 @@ index f1291ce..6f8f720 100644
#include <string.h>
#include "md5.h"
@@ -305,3 +307,5 @@ UINT4 *in;
@@ -305,3 +307,5 @@
** End of md5.c **
******************************** (cut) ********************************
*/
+#endif /* USE_EAPTLS */
+
diff --git a/pppd/md5.h b/pppd/md5.h
index 71e8b00..14d7121 100644
--- a/pppd/md5.h
+++ b/pppd/md5.h
diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
--- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h 2017-05-09 14:38:55.152083200 +0200
@@ -36,6 +36,7 @@
** documentation and/or software. **
***********************************************************************
@ -3008,17 +3047,16 @@ index 71e8b00..14d7121 100644
#ifndef __MD5_INCLUDE__
@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
@@ -63,3 +64,5 @@
#define __MD5_INCLUDE__
#endif /* __MD5_INCLUDE__ */
+
+#endif /* USE_EAPTLS */
diff --git a/pppd/pathnames.h b/pppd/pathnames.h
index 24e010c..6275df6 100644
--- a/pppd/pathnames.h
+++ b/pppd/pathnames.h
@@ -22,6 +22,13 @@
diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h
--- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h 2017-05-09 14:38:55.153083126 +0200
@@ -21,6 +21,13 @@
#define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
#define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
@ -3032,11 +3070,10 @@ index 24e010c..6275df6 100644
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
#define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
index b474a19..760cad4 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux
--- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux 2017-05-09 14:38:55.153083126 +0200
@@ -4,6 +4,9 @@
LDFLAGS = -shared
INSTALL = install
@ -3046,11 +3083,10 @@ index b474a19..760cad4 100644
DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
index babb6dc..6ba73ca 100644
--- a/pppd/plugins/passprompt.c
+++ b/pppd/plugins/passprompt.c
@@ -107,4 +107,7 @@ void plugin_init(void)
diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c
--- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c 2017-05-09 14:38:55.153083126 +0200
@@ -107,4 +107,7 @@
{
add_options(options);
pap_passwd_hook = promptpass;
@ -3058,11 +3094,10 @@ index babb6dc..6ba73ca 100644
+ eaptls_passwd_hook = promptpass;
+#endif
}
diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
index d718f3b..c3f9793 100644
--- a/pppd/plugins/passwordfd.c
+++ b/pppd/plugins/passwordfd.c
@@ -79,4 +79,8 @@ void plugin_init (void)
diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c
--- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c 2017-05-09 14:38:55.154083052 +0200
@@ -79,4 +79,8 @@
chap_check_hook = pwfd_check;
chap_passwd_hook = pwfd_passwd;
@ -3071,11 +3106,10 @@ index d718f3b..c3f9793 100644
+ eaptls_passwd_hook = pwfd_passwd;
+#endif
}
diff --git a/pppd/pppd.8 b/pppd/pppd.8
index 2dd6e1a..75dd6f3 100644
--- a/pppd/pppd.8
+++ b/pppd/pppd.8
@@ -248,6 +248,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
--- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8 2017-05-09 14:38:55.155082978 +0200
@@ -248,6 +248,12 @@
compression in the corresponding direction. Use \fInobsdcomp\fR or
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
.TP
@ -3088,7 +3122,7 @@ index 2dd6e1a..75dd6f3 100644
.B cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control
the flow of data on the serial port. If neither the \fIcrtscts\fR,
@@ -259,6 +265,12 @@ RTS output. Such serial ports use this mode to implement true
@@ -259,6 +265,12 @@
bi-directional flow control. The sacrifice is that this flow
control mode does not permit using DTR as a modem control line.
.TP
@ -3101,7 +3135,7 @@ index 2dd6e1a..75dd6f3 100644
.B chap\-interval \fIn
If this option is given, pppd will rechallenge the peer every \fIn\fR
seconds.
@@ -287,6 +299,18 @@ negotiation by sending its first LCP packet. The default value is
@@ -287,6 +299,18 @@
1000 (1 second). This wait period only applies if the \fBconnect\fR
or \fBpty\fR option is used.
.TP
@ -3120,7 +3154,7 @@ index 2dd6e1a..75dd6f3 100644
.B debug
Enables connection debugging facilities.
If this option is given, pppd will log the contents of all
@@ -551,6 +575,12 @@ transmitted packets be printed. On most systems, messages printed by
@@ -551,6 +575,12 @@
the kernel are logged by syslog(1) to a file as directed in the
/etc/syslog.conf configuration file.
.TP
@ -3133,7 +3167,7 @@ index 2dd6e1a..75dd6f3 100644
.B ktune
Enables pppd to alter kernel settings as appropriate. Under Linux,
pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
@@ -709,6 +739,9 @@ name to \fIname\fR.)
@@ -709,6 +739,9 @@
Disable Address/Control compression in both directions (send and
receive).
.TP
@ -3143,11 +3177,10 @@ index 2dd6e1a..75dd6f3 100644
.B noauth
Do not require the peer to authenticate itself. This option is
privileged.
diff --git a/pppd/pppd.h b/pppd/pppd.h
index 5f72f72..523f226 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
@@ -324,6 +324,11 @@ extern bool dump_options; /* print out option values */
diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
--- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200
+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h 2017-05-09 14:38:55.156082905 +0200
@@ -325,6 +325,11 @@
extern bool dryrun; /* check everything, print options, exit */
extern int child_wait; /* # seconds to wait for children at end */
@ -3159,7 +3192,7 @@ index 5f72f72..523f226 100644
#ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int maxoctets_dir; /* Direction :
@@ -738,6 +743,10 @@ extern int (*chap_check_hook) __P((void));
@@ -741,6 +746,10 @@
extern int (*chap_passwd_hook) __P((char *user, char *passwd));
extern void (*multilink_join_hook) __P((void));
@ -3170,6 +3203,3 @@ index 5f72f72..523f226 100644
/* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
extern void (*snoop_send_hook) __P((unsigned char *p, int len));
--
1.8.3.1

View File

@ -1,27 +0,0 @@
From fcb95abad72ac043f2e5f5ddcffc42b0783a3c2d Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Wed, 10 Dec 2014 12:21:31 +0100
Subject: [PATCH] Fix logical expression in eap_client_active macro
---
pppd/eap.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/pppd/eap.h b/pppd/eap.h
index 3fa5391..087baad 100644
--- a/pppd/eap.h
+++ b/pppd/eap.h
@@ -110,8 +110,8 @@ enum eap_state_code {
"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
#ifdef USE_EAPTLS
-#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\
- (esp)->es_client.ea_state != eapPending ||\
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
+ (esp)->es_client.ea_state != eapPending &&\
(esp)->es_client.ea_state != eapClosed)
#else
#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
--
1.8.3.1

View File

@ -0,0 +1,79 @@
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index 534ccc2..cf11b74 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -41,7 +41,7 @@ COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\"
# Uncomment the next 2 lines to include support for Microsoft's
# MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
CHAPMS=y
-USE_CRYPT=y
+#USE_CRYPT=y
# Don't use MSLANMAN unless you really know what you're doing.
#MSLANMAN=y
# Uncomment the next line to include support for MPPE. CHAPMS (above) must
@@ -147,7 +147,8 @@ endif
ifdef NEEDDES
ifndef USE_CRYPT
-LIBS += -ldes $(LIBS)
+CFLAGS += -I/usr/include/openssl
+LIBS += -lcrypto
else
CFLAGS += -DUSE_CRYPT=1
endif
diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
index 8b85b13..6b35375 100644
--- a/pppd/pppcrypt.c
+++ b/pppd/pppcrypt.c
@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */
des_key[7] = Get7Bits(key, 49);
#ifndef USE_CRYPT
- des_set_odd_parity((des_cblock *)des_key);
+ DES_set_odd_parity((DES_cblock *)des_key);
#endif
}
@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */
}
#else /* USE_CRYPT */
-static des_key_schedule key_schedule;
+static DES_key_schedule key_schedule;
bool
DesSetkey(key)
u_char *key;
{
- des_cblock des_key;
+ DES_cblock des_key;
MakeKey(key, des_key);
- des_set_key(&des_key, key_schedule);
+ DES_set_key(&des_key, &key_schedule);
return (1);
}
bool
-DesEncrypt(clear, key, cipher)
+DesEncrypt(clear, cipher)
u_char *clear; /* IN 8 octets */
u_char *cipher; /* OUT 8 octets */
{
- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
- key_schedule, 1);
+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
+ &key_schedule, 1);
return (1);
}
@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
u_char *cipher; /* IN 8 octets */
u_char *clear; /* OUT 8 octets */
{
- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
- key_schedule, 0);
+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
+ &key_schedule, 0);
return (1);
}

View File

@ -0,0 +1,170 @@
diff --git a/chat/Makefile.linux b/chat/Makefile.linux
index 2445637..83114f1 100644
--- a/chat/Makefile.linux
+++ b/chat/Makefile.linux
@@ -18,7 +18,7 @@ INSTALL= install
all: chat
chat: chat.o
- $(CC) -o chat chat.o
+ $(CC) $(LDFLAGS) -o chat chat.o
chat.o: chat.c
$(CC) -c $(CFLAGS) -o chat.o chat.c
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
index cf11b74..089f164 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
@@ -188,7 +188,7 @@ endif
ifdef PLUGIN
CFLAGS += -DPLUGIN
-LDFLAGS += -Wl,-E
+LDFLAGS_PLUGIN += -Wl,-E
LIBS += -ldl
endif
@@ -230,7 +230,7 @@ install: pppd
$(INSTALL) -c -m 644 pppd.8 $(MANDIR)
pppd: $(PPPDOBJS)
- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
+ $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS)
srp-entry: srp-entry.c
$(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
index 303833a..04fe876 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
@@ -1,7 +1,7 @@
#CC = gcc
COPTS = $(RPM_OPT_FLAGS)
CFLAGS = $(COPTS) -I.. -I../../include -fPIC
-LDFLAGS = -shared
+LDFLAGS_SHARED = -shared
INSTALL = install
# EAP-TLS
@@ -33,7 +33,7 @@ all: $(PLUGINS)
for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
%.so: %.c
- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
+ $(CC) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED) $(CFLAGS) $^
VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
index 4c5826f..1961e0e 100644
--- a/pppd/plugins/pppoatm/Makefile.linux
+++ b/pppd/plugins/pppoatm/Makefile.linux
@@ -1,7 +1,7 @@
#CC = gcc
COPTS = $(RPM_OPT_FLAGS)
CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC
-LDFLAGS = -shared
+LDFLAGS_SHARED = -shared
INSTALL = install
#***********************************************************************
@@ -33,7 +33,7 @@ endif
all: $(PLUGIN)
$(PLUGIN): $(PLUGIN_OBJS)
- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS)
install: all
$(INSTALL) -d -m 755 $(LIBDIR)
diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
index 9cb316d..7b23b25 100644
--- a/pppd/plugins/pppol2tp/Makefile.linux
+++ b/pppd/plugins/pppol2tp/Makefile.linux
@@ -1,7 +1,7 @@
#CC = gcc
COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK
CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC
-LDFLAGS = -shared
+LDFLAGS_SHARED = -shared
INSTALL = install
#***********************************************************************
@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so
all: $(PLUGINS)
%.so: %.o
- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS)
install: all
$(INSTALL) -d -m 755 $(LIBDIR)
diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
index 707326b..2150332 100644
--- a/pppd/plugins/radius/Makefile.linux
+++ b/pppd/plugins/radius/Makefile.linux
@@ -43,13 +43,13 @@ install: all
$(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
radius.so: radius.o libradiusclient.a
- $(CC) -o radius.so -shared radius.o libradiusclient.a
+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
radattr.so: radattr.o
- $(CC) -o radattr.so -shared radattr.o
+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o
radrealms.so: radrealms.o
- $(CC) -o radrealms.so -shared radrealms.o
+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o
CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \
clientid.o sendserver.o lock.o util.o md5.o
diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
index fa49efb..5e06b52 100644
--- a/pppd/plugins/rp-pppoe/Makefile.linux
+++ b/pppd/plugins/rp-pppoe/Makefile.linux
@@ -31,7 +31,7 @@ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
all: rp-pppoe.so pppoe-discovery
pppoe-discovery: pppoe-discovery.o debug.o common.o
- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev
+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev
pppoe-discovery.o: pppoe-discovery.c
$(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
@@ -40,7 +40,7 @@ debug.o: debug.c
$(CC) $(CFLAGS) -c -o debug.o debug.c
rp-pppoe.so: plugin.o discovery.o if.o common.o
- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
install: all
$(INSTALL) -d -m 755 $(LIBDIR)
diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
index 95c6805..33e5107 100644
--- a/pppdump/Makefile.linux
+++ b/pppdump/Makefile.linux
@@ -10,7 +10,7 @@ INSTALL= install
all: pppdump
pppdump: $(OBJS)
- $(CC) -o pppdump $(OBJS)
+ $(CC) $(LDFLAGS) -o pppdump $(OBJS)
clean:
rm -f pppdump $(OBJS) *~
diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
index c5ba3b1..eeccf83 100644
--- a/pppstats/Makefile.linux
+++ b/pppstats/Makefile.linux
@@ -26,7 +26,7 @@ install: pppstats
$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
pppstats: $(PPPSTATSRCS)
- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o pppstats pppstats.c $(LIBS)
clean:
rm -f pppstats *~ #* core

View File

@ -3,7 +3,7 @@
Summary: The Point-to-Point Protocol daemon
Name: ppp
Version: 2.4.7
Release: 11%{?dist}
Release: 21%{?dist}
License: BSD and LGPLv2+ and GPLv2+ and Public Domain
Group: System Environment/Daemons
URL: http://www.samba.org/ppp
@ -48,12 +48,16 @@ Patch0023: 0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch
Patch0026: 0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
Patch0027: 0027-pppd-EAP-TLS-patch-v0.997.patch
Patch0028: 0028-Fix-logical-expression-in-eap_client_active-macro.patch
Patch0029: 0029-pppoe-include-netinet-in.h-before-linux-in.h.patch
Patch0027: 0027-pppd-EAP-TLS-patch-v0.999.patch
Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
# rhbz#1556132
Patch0029: ppp-2.4.7-DES-openssl.patch
# https://github.com/paulusmack/ppp/pull/95
Patch0030: ppp-2.4.7-honor-ldflags.patch
BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel
BuildRequires: pkgconfig(openssl) < 1.1
BuildRequires: openssl-devel
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd, initscripts >= 9.54
Requires(pre): /usr/bin/getent
Requires(pre): /usr/sbin/groupadd
@ -81,9 +85,10 @@ tar -xJf %{SOURCE12}
%build
export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing"
export RPM_LD_FLAGS="$LDFLAGS"
%configure
make %{?_smp_mflags}
make -C ppp-watch %{?_smp_mflags}
make %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
make -C ppp-watch %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
%install
make INSTROOT=%{buildroot} install install-etcppp
@ -170,6 +175,41 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
%doc PLUGINS
%changelog
* Mon Apr 9 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-21
- Link with -E not to break plugins
Resolves: rhbz#1564459
* Fri Apr 6 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-20
- Also build all DSOs with distro's LDFLAGS
Related: rhbz#1563157
* Wed Apr 4 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-19
- Build with distro's LDFLAGS
Resolves: rhbz#1563157
* Tue Mar 27 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-18
- Used openssl for the DES instead of the libcrypt / glibc
Resolves: rhbz#1556132
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.7-17
- Escape macros in %%changelog
* Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-16
- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
* Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.7-15
- Rebuilt for switch to libxcrypt
* Mon Aug 21 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-14
- EAP-TLS patch updated to version 0.999
- Switched to openssl-1.1
* Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-13
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-12
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-11
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
@ -222,7 +262,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
- fix post installation scriptlet
* Fri Jul 12 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
- don't ship /var/lock/ppp in rpm payload and create it in %post instead
- don't ship /var/lock/ppp in rpm payload and create it in %%post instead
- fix installation of tmpfiles.d configuration
- enable hardened build
- fix bogus dates in changelog
@ -531,7 +571,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
- automatic rebuild
* Mon Jun 5 2000 Nalin Dahyabhai <nalin@redhat.com>
- move man pages to %{_mandir}
- move man pages to %%{_mandir}
* Thu Jun 1 2000 Nalin Dahyabhai <nalin@redhat.com>
- change perms using defattr