6 changed files with 246 additions and 538 deletions
--- a/0027-pppd-EAP-TLS-patch-v0.997.patch
+++ b/0027-pppd-EAP-TLS-patch-v0.997.patch
@ -1,6 +1,44 @@
-diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
+From 7887b3d84468e1ebfbe5adc373f0816eda2b995a Mon Sep 17 00:00:00 2001
--- ppp-2.4.7/README.eap-tls	1970-01-01 01:00:00.000000000 +0100
+From: Michal Sekletar <msekleta@redhat.com>
-+++ ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls	2017-05-09 14:38:55.129084488 +0200
+Date: Fri, 20 Jun 2014 10:31:43 +0200
 Subject: [PATCH 27/27] pppd: EAP-TLS patch v0.997
 See: http://www.nikhef.nl/~janjust/ppp/download.html
 ---
 README.eap-tls              |  280 ++++++++++
 etc.ppp/eaptls-client       |   10 +
 etc.ppp/eaptls-server       |   11 +
 etc.ppp/openssl.cnf         |   14 +
 linux/Makefile.top          |    6 +-
 pppd/Makefile.linux         |   12 +
 pppd/auth.c                 |  413 ++++++++++++++-
 pppd/ccp.c                  |   20 +-
 pppd/chap-md5.c             |    4 +
 pppd/eap-tls.c              | 1212 +++++++++++++++++++++++++++++++++++++++++++
 pppd/eap-tls.h              |  107 ++++
 pppd/eap.c                  |  449 +++++++++++++++-
 pppd/eap.h                  |   32 +-
 pppd/md5.c                  |    4 +
 pppd/md5.h                  |    3 +
 pppd/pathnames.h            |    7 +
 pppd/plugins/Makefile.linux |    3 +
 pppd/plugins/passprompt.c   |    3 +
 pppd/plugins/passwordfd.c   |    4 +
 pppd/pppd.8                 |   33 ++
 pppd/pppd.h                 |    9 +
 21 files changed, 2629 insertions(+), 7 deletions(-)
 create mode 100644 README.eap-tls
 create mode 100644 etc.ppp/eaptls-client
 create mode 100644 etc.ppp/eaptls-server
 create mode 100644 etc.ppp/openssl.cnf
 create mode 100644 pppd/eap-tls.c
 create mode 100644 pppd/eap-tls.h
 diff --git a/README.eap-tls b/README.eap-tls
 new file mode 100644
 index 0000000..037be0a
 --- /dev/null
 +++ b/README.eap-tls
@@ -0,0 +1,280 @@
 +EAP-TLS authentication support for PPP
 +======================================
@ -282,9 +320,11 @@ diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-0.999/README.eap-tls
 + - change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
 + - fix bug in initialisation code with fragmented packets.
 +
-diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client
+diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
--- ppp-2.4.7/etc.ppp/eaptls-client	1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-client	2017-05-09 14:38:55.129084488 +0200
+index 0000000..7782f0e
 --- /dev/null
 +++ b/etc.ppp/eaptls-client
@@ -0,0 +1,10 @@
 +# Parameters for authentication using EAP-TLS (client)
 +
@ -296,9 +336,11 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/e
 +# client private key file (required)
 +
 +#client	server	/root/cert/client.crt	-	/root/cert/ca.crt	/root/cert/client.key
-diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server
+diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
--- ppp-2.4.7/etc.ppp/eaptls-server	1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/eaptls-server	2017-05-09 14:38:55.137084099 +0200
+index 0000000..fa53cbd
 --- /dev/null
 +++ b/etc.ppp/eaptls-server
@@ -0,0 +1,11 @@
 +# Parameters for authentication using EAP-TLS (server)
 +
@ -311,9 +353,11 @@ diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/e
 +# allowed addresses (required, can be *)
 +
 +#client	server	-	/root/cert/server.crt	/root/cert/ca.crt	/root/cert/server.key	192.168.1.0/24
-diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf
+diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
--- ppp-2.4.7/etc.ppp/openssl.cnf	1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/openssl.cnf	2017-05-09 14:38:55.137084099 +0200
+index 0000000..dd32f30
 --- /dev/null
 +++ b/etc.ppp/openssl.cnf
@@ -0,0 +1,14 @@
 +openssl_conf = openssl_def
 +
@ -329,10 +373,11 @@ diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-0.999/etc.ppp/ope
 +MODULE_PATH = /usr/lib64/libeTPkcs11.so
 +init = 0
 +
-diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top
+diff --git a/linux/Makefile.top b/linux/Makefile.top
--- ppp-2.4.7/linux/Makefile.top	2014-08-09 14:31:39.000000000 +0200
+index f42efd5..9a8945a 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/linux/Makefile.top	2017-05-09 14:38:55.138084052 +0200
+--- a/linux/Makefile.top
-@@ -26,7 +26,7 @@
+++ b/linux/Makefile.top
@@ -28,7 +28,7 @@ install-progs:
 	cd pppdump; $(MAKE) $(MFLAGS) install
 install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
@ -341,7 +386,7 @@ diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefi
 install-devel:
 	cd pppd; $(MAKE) $(MFLAGS) install-devel
-@@ -37,6 +37,10 @@
+@@ -39,6 +39,10 @@ $(ETCDIR)/pap-secrets:
 	$(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
 $(ETCDIR)/chap-secrets:
 	$(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
@ -352,10 +397,11 @@ diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-0.999/linux/Makefi
 $(BINDIR):
 	$(INSTALL) -d -m 755 $@
-diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
--- ppp-2.4.7/pppd/Makefile.linux	2014-08-09 14:31:39.000000000 +0200
+index 943cf83..534ccc2 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefile.linux	2017-05-09 14:38:55.138084052 +0200
+--- a/pppd/Makefile.linux
-@@ -76,6 +76,9 @@
+++ b/pppd/Makefile.linux
@@ -79,6 +79,9 @@ CBCP=y
 # Use libutil
 USE_LIBUTIL=y
@ -365,7 +411,7 @@ diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefi
 MAXOCTETS=y
 INCLUDE_DIRS= -I../include
-@@ -115,6 +118,15 @@
+@@ -118,6 +121,15 @@ HEADERS += sha1.h
 PPPDOBJS += sha1.o
 endif
@ -381,9 +427,10 @@ diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/Makefi
 ifdef HAS_SHADOW
 CFLAGS   += -DHAS_SHADOW
 #LIBS     += -lshadow $(LIBS)
-diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
+diff --git a/pppd/auth.c b/pppd/auth.c
--- ppp-2.4.7/pppd/auth.c	2014-08-09 14:31:39.000000000 +0200
+index 9e957fa..656ffe9 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c	2017-05-09 14:38:55.139084004 +0200
+--- a/pppd/auth.c
 +++ b/pppd/auth.c
@@ -109,6 +109,9 @@
 #include "upap.h"
 #include "chap-new.h"
@ -394,7 +441,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 #ifdef CBCP_SUPPORT
 #include "cbcp.h"
 #endif
-@@ -183,6 +186,11 @@
+@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
 /* Hook for a plugin to get the CHAP password for authenticating us */
 int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
@ -406,7 +453,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 /* Hook for a plugin to say whether it is OK if the peer
    refuses to authenticate. */
 int (*null_auth_hook) __P((struct wordlist **paddrs,
-@@ -238,6 +246,14 @@
+@@ -238,6 +246,14 @@ bool explicit_remote = 0;	/* User specified explicit remote name */
 bool explicit_user = 0;		/* Set if "user" option supplied */
 bool explicit_passwd = 0;	/* Set if "password" option supplied */
 char remote_name[MAXNAMELEN];	/* Peer's name for authentication */
@ -421,7 +468,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 static char *uafname;		/* name of most recent +ua file */
-@@ -254,6 +270,19 @@
+@@ -254,6 +270,19 @@ static int  have_pap_secret __P((int *));
 static int  have_chap_secret __P((char *, char *, int, int *));
 static int  have_srp_secret __P((char *client, char *server, int need_ip,
     int *lacks_ipp));
@ -441,7 +488,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 static int  ip_addr_check __P((u_int32_t, struct permitted_ip *));
 static int  scan_authfile __P((FILE *, char *, char *, char *,
 			       struct wordlist **, struct wordlist **,
-@@ -401,6 +430,15 @@
+@@ -401,6 +430,15 @@ option_t auth_options[] = {
       "Set telephone number(s) which are allowed to connect",
       OPT_PRIV | OPT_A2LIST },
@ -457,7 +504,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
     { NULL }
 };
-@@ -730,6 +768,9 @@
+@@ -730,6 +768,9 @@ link_established(unit)
     lcp_options *wo = &lcp_wantoptions[unit];
     lcp_options *go = &lcp_gotoptions[unit];
     lcp_options *ho = &lcp_hisoptions[unit];
@ -467,7 +514,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
     int i;
     struct protent *protp;
-@@ -764,6 +805,22 @@
+@@ -764,6 +805,22 @@ link_established(unit)
 	}
     }
@ -490,7 +537,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
     new_phase(PHASE_AUTHENTICATE);
     auth = 0;
     if (go->neg_eap) {
-@@ -1277,6 +1334,15 @@
+@@ -1277,6 +1334,15 @@ auth_check_options()
 				    our_name, 1, &lacks_ip);
     }
@ -506,7 +553,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
     if (auth_required && !can_auth && noauth_addrs == NULL) {
 	if (default_auth) {
 	    option_error(
-@@ -1331,7 +1397,11 @@
+@@ -1331,7 +1397,11 @@ auth_reset(unit)
 	passwd[0] != 0 ||
 	(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
 	    (explicit_remote? remote_name: NULL), 0, NULL))) ||
@ -519,7 +566,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
     hadchap = -1;
     if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
-@@ -1346,8 +1416,14 @@
+@@ -1346,8 +1416,14 @@ auth_reset(unit)
 	    !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
 		1, NULL))) &&
 	!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
@ -535,7 +582,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 }
-@@ -1707,6 +1783,7 @@
+@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
 }
@ -543,7 +590,7 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 /*
  * get_secret - open the CHAP secret file and return the secret
  * for authenticating the given client on the given server.
-@@ -2359,3 +2436,335 @@
+@@ -2359,3 +2436,335 @@ auth_script(script)
     auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
 }
@ -879,10 +926,11 @@ diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-0.999/pppd/auth.c
 +}
 +#endif
 +
-diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
+diff --git a/pppd/ccp.c b/pppd/ccp.c
--- ppp-2.4.7/pppd/ccp.c	2014-08-09 14:31:39.000000000 +0200
+index 5814f35..7dead23 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c	2017-05-09 14:38:55.148083482 +0200
+--- a/pppd/ccp.c
-@@ -540,6 +540,9 @@
+++ b/pppd/ccp.c
@@ -540,6 +540,9 @@ ccp_resetci(f)
     if (go->mppe) {
 	ccp_options *ao = &ccp_allowoptions[f->unit];
 	int auth_mschap_bits = auth_done[f->unit];
@ -892,7 +940,7 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
 	int numbits;
 	/*
-@@ -567,8 +570,23 @@
+@@ -567,8 +570,23 @@ ccp_resetci(f)
 	    lcp_close(f->unit, "MPPE required but not available");
 	    return;
 	}
@ -917,9 +965,10 @@ diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-0.999/pppd/ccp.c
 	    lcp_close(f->unit, "MPPE required but not available");
 	    return;
 	}
-diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
+diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
--- ppp-2.4.7/pppd/chap-md5.c	2014-08-09 14:31:39.000000000 +0200
+index 77dd4ec..269b52c 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c	2017-05-09 14:38:55.148083482 +0200
+--- a/pppd/chap-md5.c
 +++ b/pppd/chap-md5.c
@@ -36,7 +36,11 @@
 #include "chap-new.h"
 #include "chap-md5.h"
@ -932,10 +981,12 @@ diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/chap-md5.c
 #define MD5_HASH_SIZE		16
 #define MD5_MIN_CHALLENGE	16
-diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
+diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
--- ppp-2.4.7/pppd/eap-tls.c	1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c	2017-05-11 10:43:00.345739124 +0200
+index 0000000..edcb0cb
-@@ -0,0 +1,1308 @@
+--- /dev/null
 +++ b/pppd/eap-tls.c
@@ -0,0 +1,1212 @@
 +/*
 + * eap-tls.c - EAP-TLS implementation for PPP
 + *
@ -993,72 +1044,6 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +
 +#ifdef MPPE
 +
 +#if OPENSSL_VERSION_NUMBER < 0x10100000L
 +
 +/*
 + * https://wiki.openssl.org/index.php/1.1_API_Changes
 + * tries to provide some guidance but ultimately falls short.
 + */
 +
 +static void HMAC_CTX_free(HMAC_CTX *ctx)
 +{
 +	if (ctx != NULL) {
 +		HMAC_CTX_cleanup(ctx);
 +		OPENSSL_free(ctx);
 +	}
 +}
 +
 +static HMAC_CTX *HMAC_CTX_new(void)
 +{
 +	HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
 +	if (ctx != NULL)
 +		HMAC_CTX_init(ctx);
 +	return ctx;
 +}
 +
 +/*
 + * These were basically jacked directly from the OpenSSL tree
 + * without adjustments.
 + */
 +
 +static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
 +				    size_t outlen)
 +{
 +	if (outlen == 0)
 +		return sizeof(ssl->s3->client_random);
 +	if (outlen > sizeof(ssl->s3->client_random))
 +		outlen = sizeof(ssl->s3->client_random);
 +	memcpy(out, ssl->s3->client_random, outlen);
 +	return outlen;
 +}
 +
 +static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
 +				    size_t outlen)
 +{
 +	if (outlen == 0)
 +		return sizeof(ssl->s3->server_random);
 +	if (outlen > sizeof(ssl->s3->server_random))
 +		outlen = sizeof(ssl->s3->server_random);
 +	memcpy(out, ssl->s3->server_random, outlen);
 +	return outlen;
 +}
 +
 +static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
 +				         unsigned char *out, size_t outlen)
 +{
 +	if (outlen == 0)
 +		return session->master_key_length;
 +	if (outlen > session->master_key_length)
 +		outlen = session->master_key_length;
 +	memcpy(out, session->master_key, outlen);
 +	return outlen;
 +}
 +
 +/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */
 +#define TLS_method           TLSv1_method
 +
 +#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
 +
 +/*
 + * TLS PRF from RFC 2246
 + */
@ -1067,47 +1052,47 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +		   const unsigned char *seed,   unsigned int seed_len,
 +		   unsigned char *out, unsigned int out_len)
 +{
-+	HMAC_CTX *ctx_a, *ctx_out;
+	HMAC_CTX ctx_a, ctx_out;
 +	unsigned char a[HMAC_MAX_MD_CBLOCK];
 +	unsigned int size;
 +
-+	ctx_a = HMAC_CTX_new();
+	HMAC_CTX_init(&ctx_a);
-+	ctx_out = HMAC_CTX_new();
+	HMAC_CTX_init(&ctx_out);
-+	HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
+	HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL);
-+	HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
+	HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL);
 +
-+	size = HMAC_size(ctx_out);
+	size = HMAC_size(&ctx_out);
 +
 +	/* Calculate A(1) */
-+	HMAC_Update(ctx_a, seed, seed_len);
+	HMAC_Update(&ctx_a, seed, seed_len);
-+	HMAC_Final(ctx_a, a, NULL);
+	HMAC_Final(&ctx_a, a, NULL);
 +
 +	while (1) {
 +		/* Calculate next part of output */
-+		HMAC_Update(ctx_out, a, size);
+		HMAC_Update(&ctx_out, a, size);
-+		HMAC_Update(ctx_out, seed, seed_len);
+		HMAC_Update(&ctx_out, seed, seed_len);
 +
 +		/* Check if last part */
 +		if (out_len < size) {
-+			HMAC_Final(ctx_out, a, NULL);
+			HMAC_Final(&ctx_out, a, NULL);
 +			memcpy(out, a, out_len);
 +			break;
 +		}
 +
 +		/* Place digest in output buffer */
-+		HMAC_Final(ctx_out, out, NULL);
+		HMAC_Final(&ctx_out, out, NULL);
-+		HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
+		HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL);
 +		out += size;
 +		out_len -= size;
 +
 +		/* Calculate next A(i) */
-+		HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
+		HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL);
-+		HMAC_Update(ctx_a, a, size);
+		HMAC_Update(&ctx_a, a, size);
-+		HMAC_Final(ctx_a, a, NULL);
+		HMAC_Final(&ctx_a, a, NULL);
 +	}
 +
-+	HMAC_CTX_free(ctx_a);
+	HMAC_CTX_cleanup(&ctx_a);
-+	HMAC_CTX_free(ctx_out);
+	HMAC_CTX_cleanup(&ctx_out);
 +	memset(a, 0, sizeof(a));
 +}
 +
@ -1141,22 +1126,21 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +    unsigned char *p = seed;
 +	SSL			  *s = ets->ssl;
 +    size_t prf_size;
 +    unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
 +    size_t master_key_length;
 +
 +    prf_size = strlen(prf_label);
 +
 +    memcpy(p, prf_label, prf_size);
 +    p += prf_size;
 +
-+    prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE);
+    memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE);
 +    p += SSL3_RANDOM_SIZE;
 +    prf_size += SSL3_RANDOM_SIZE;
 +
-+    prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE);
+    memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE);
 +    prf_size += SSL3_RANDOM_SIZE;
 +
-+    master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
+    PRF(s->session->master_key, s->session->master_key_length,
-+						   sizeof(master_key));
+        seed, prf_size, out, buf, sizeof(out));
 +    PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out));
 +
 +    /* 
 +     * We now have the master send and receive keys.
@ -1324,7 +1308,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +	SSL_library_init();
 +	SSL_load_error_strings();
 +
-+	ctx = SSL_CTX_new(TLS_method());
+	ctx = SSL_CTX_new(TLSv1_method());
 +
 +	if (!ctx) {
 +		error("EAP-TLS: Cannot initialize SSL CTX context");
@ -2128,47 +2112,18 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +	char string[256];
 +	struct eaptls_session *ets = (struct eaptls_session *)arg;
 +	unsigned char code;
 +	const unsigned char*msg = buf;
 +    int hvers = msg[1] << 8 | msg[2];
 +
 +	if(write_p)
 +		strcpy(string, " -> ");
 +	else
 +		strcpy(string, " <- ");
 +
 +	
 +	switch(content_type) {
 +
 +#if OPENSSL_VERSION_NUMBER >= 0x10100000L
 +	case SSL3_RT_HEADER:
 +		strcat(string, "SSL/TLS Header: ");
 +		switch(hvers) {
 +		case SSL3_VERSION:
 +				strcat(string, "SSL 3.0");
 +				break;
 +		case TLS1_VERSION:
 +				strcat(string, "TLS 1.0");
 +				break;
 +		case TLS1_1_VERSION:
 +				strcat(string, "TLS 1.1");
 +				break;
 +		case TLS1_2_VERSION:
 +				strcat(string, "TLS 1.2");
 +				break;
 +		case DTLS1_VERSION:
 +				strcat(string, "DTLS 1.0");
 +				break;
 +		case DTLS1_2_VERSION:
 +				strcat(string, "DTLS 1.2");
 +				break;
 +		default:
 +			strcat(string, "Unknown version");
 +		}
 +		break;
 +#endif /* OPENSSL_VERSION_NUMBER >= 0x10100000L */
 +
 +	case SSL3_RT_ALERT:	
 +		strcat(string, "Alert: ");	
-+		code = msg[1];
+		code = ((const unsigned char *)buf)[1];
 +
 +		if (write_p) {
 +			ets->alert_sent = 1;
@ -2188,7 +2143,7 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +	case SSL3_RT_HANDSHAKE:
 +
 +		strcat(string, "Handshake: ");
-+		code = msg[0];
+		code = ((const unsigned char *)buf)[0];
 +
 +		switch(code) {
 +			case SSL3_MT_HELLO_REQUEST:
@ -2244,9 +2199,11 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.c
 +		dbglog("%s", string);
 +}
 +
-diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
+diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
--- ppp-2.4.7/pppd/eap-tls.h	1970-01-01 01:00:00.000000000 +0100
+new file mode 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h	2017-05-09 14:38:55.150083347 +0200
+index 0000000..2d45a0b
 --- /dev/null
 +++ b/pppd/eap-tls.h
@@ -0,0 +1,107 @@
 +/*
 + * eap-tls.h
@ -2355,9 +2312,10 @@ diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap-tls.h
 +#endif
 +
 +#endif
-diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
+diff --git a/pppd/eap.c b/pppd/eap.c
--- ppp-2.4.7/pppd/eap.c	2014-08-09 14:31:39.000000000 +0200
+index faced53..bfbce95 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c	2017-05-09 14:38:55.151083274 +0200
+--- a/pppd/eap.c
 +++ b/pppd/eap.c
@@ -43,6 +43,11 @@
  * Based on draft-ietf-pppext-eap-srp-03.txt.
  */
@ -2384,7 +2342,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 #include <t_pwd.h>
-@@ -209,6 +218,9 @@
+@@ -209,6 +218,9 @@ int unit;
 	esp->es_server.ea_id = (u_char)(drand48() * 0x100);
 	esp->es_client.ea_timeout = EAP_DEFREQTIME;
 	esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
@ -2394,7 +2352,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 }
 /*
-@@ -436,8 +448,16 @@
+@@ -436,8 +448,16 @@ int status;
 	u_char vals[2];
 	struct b64state bs;
 #endif /* USE_SRP */
@ -2411,7 +2369,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	switch (esp->es_server.ea_state) {
 	case eapBadAuth:
 		return;
-@@ -562,9 +582,79 @@
+@@ -562,9 +582,79 @@ int status;
 			break;
 		}
 #endif /* USE_SRP */
@ -2491,7 +2449,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	case eapSRP1:
 #ifdef USE_SRP
 		ts = (struct t_server *)esp->es_server.ea_session;
-@@ -718,6 +808,30 @@
+@@ -718,6 +808,30 @@ eap_state *esp;
 		INCPTR(esp->es_server.ea_namelen, outp);
 		break;
@ -2522,7 +2480,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 	case eapSRP1:
 		PUTCHAR(EAPT_SRP, outp);
-@@ -904,11 +1018,57 @@
+@@ -904,11 +1018,57 @@ static void
 eap_server_timeout(arg)
 void *arg;
 {
@ -2580,7 +2538,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	/* EAP ID number must not change on timeout. */
 	eap_send_request(esp);
 }
-@@ -1166,6 +1326,81 @@
+@@ -1166,6 +1326,81 @@ u_char *str;
 }
 #endif /* USE_SRP */
@ -2662,7 +2620,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 static void
 eap_send_nak(esp, id, type)
 eap_state *esp;
-@@ -1320,6 +1555,11 @@
+@@ -1320,6 +1555,11 @@ int len;
 	char rhostname[256];
 	MD5_CTX mdContext;
 	u_char hash[MD5_SIGNATURE_SIZE];
@ -2674,7 +2632,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 	struct t_client *tc;
 	struct t_num sval, gval, Nval, *Ap, Bval;
-@@ -1456,6 +1696,90 @@
+@@ -1456,6 +1696,90 @@ int len;
 		    esp->es_client.ea_namelen);
 		break;
@ -2765,7 +2723,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 #ifdef USE_SRP
 	case EAPT_SRP:
 		if (len < 1) {
-@@ -1737,6 +2061,11 @@
+@@ -1737,6 +2061,11 @@ int len;
 	u_char dig[SHA_DIGESTSIZE];
 #endif /* USE_SRP */
@ -2777,7 +2735,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	if (esp->es_server.ea_id != id) {
 		dbglog("EAP: discarding Response %d; expected ID %d", id,
 		    esp->es_server.ea_id);
-@@ -1776,6 +2105,60 @@
+@@ -1776,6 +2105,60 @@ int len;
 		eap_figure_next_state(esp, 0);
 		break;
@ -2838,7 +2796,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	case EAPT_NOTIFICATION:
 		dbglog("EAP unexpected Notification; response discarded");
 		break;
-@@ -1807,6 +2190,13 @@
+@@ -1807,6 +2190,13 @@ int len;
 			esp->es_server.ea_state = eapMD5Chall;
 			break;
@ -2852,7 +2810,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		default:
 			dbglog("EAP: peer requesting unknown Type %d", vallen);
 			switch (esp->es_server.ea_state) {
-@@ -2018,13 +2408,27 @@
+@@ -2018,13 +2408,27 @@ u_char *inp;
 int id;
 int len;
 {
@ -2881,7 +2839,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	if (esp->es_client.ea_timeout > 0) {
 		UNTIMEOUT(eap_client_timeout, (void *)esp);
 	}
-@@ -2150,6 +2554,9 @@
+@@ -2150,6 +2554,9 @@ void *arg;
 	int code, id, len, rtype, vallen;
 	u_char *pstart;
 	u_int32_t uval;
@ -2891,7 +2849,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 	if (inlen < EAP_HEADERLEN)
 		return (0);
-@@ -2214,6 +2621,24 @@
+@@ -2214,6 +2621,24 @@ void *arg;
 			}
 			break;
@ -2916,7 +2874,7 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		case EAPT_SRP:
 			if (len < 3)
 				goto truncated;
-@@ -2325,6 +2750,25 @@
+@@ -2325,6 +2750,25 @@ void *arg;
 			}
 			break;
@ -2942,15 +2900,16 @@ diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.c
 		case EAPT_NAK:
 			if (len <= 0) {
 				printer(arg, " <missing hint>");
-@@ -2426,3 +2870,4 @@
+@@ -2426,3 +2870,4 @@ void *arg;
 	return (inp - pstart);
 }
 +
-diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
+diff --git a/pppd/eap.h b/pppd/eap.h
--- ppp-2.4.7/pppd/eap.h	2014-08-09 14:31:39.000000000 +0200
+index 199d184..3fa5391 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h	2017-05-09 14:38:55.152083200 +0200
+--- a/pppd/eap.h
-@@ -84,6 +84,16 @@
+++ b/pppd/eap.h
@@ -84,6 +84,16 @@ enum eap_state_code {
 	eapClosed,	/* Authentication not in use */
 	eapListen,	/* Client ready (and timer running) */
 	eapIdentify,	/* EAP Identify sent */
@ -2967,7 +2926,7 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 	eapSRP1,	/* Sent EAP SRP-SHA1 Subtype 1 */
 	eapSRP2,	/* Sent EAP SRP-SHA1 Subtype 2 */
 	eapSRP3,	/* Sent EAP SRP-SHA1 Subtype 3 */
-@@ -95,9 +105,18 @@
+@@ -95,9 +105,18 @@ enum eap_state_code {
 #define	EAP_STATES	\
 	"Initial", "Pending", "Closed", "Listen", "Identify", \
@ -2977,8 +2936,8 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 -#define	eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
 +#ifdef USE_EAPTLS
-+#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial &&\
+#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial ||\
-+				 (esp)->es_client.ea_state != eapPending &&\
+				 (esp)->es_client.ea_state != eapPending ||\
 +				 (esp)->es_client.ea_state != eapClosed)
 +#else
 +#define eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
@ -2987,7 +2946,7 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 #define	eap_server_active(esp)	\
 	((esp)->es_server.ea_state >= eapIdentify && \
 	 (esp)->es_server.ea_state <= eapMD5Chall)
-@@ -112,11 +131,17 @@
+@@ -112,11 +131,17 @@ struct eap_auth {
 	u_short ea_namelen;	/* Length of our name */
 	u_short ea_peerlen;	/* Length of peer's name */
 	enum eap_state_code ea_state;
@ -3005,7 +2964,7 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 };
 /*
-@@ -139,7 +164,12 @@
+@@ -139,7 +164,12 @@ typedef struct eap_state {
  * Timeouts.
  */
 #define	EAP_DEFTIMEOUT		3	/* Timeout (seconds) for rexmit */
@ -3018,9 +2977,10 @@ diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-0.999/pppd/eap.h
 #define	EAP_DEFREQTIME		20	/* Time to wait for peer request */
 #define	EAP_DEFALLOWREQ		20	/* max # times to accept requests */
-diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
+diff --git a/pppd/md5.c b/pppd/md5.c
--- ppp-2.4.7/pppd/md5.c	2014-08-09 14:31:39.000000000 +0200
+index f1291ce..6f8f720 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c	2017-05-09 14:38:55.152083200 +0200
+--- a/pppd/md5.c
 +++ b/pppd/md5.c
@@ -33,6 +33,8 @@
  ***********************************************************************
  */
@ -3030,15 +2990,16 @@ diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.c
 #include <string.h>
 #include "md5.h"
-@@ -305,3 +307,5 @@
+@@ -305,3 +307,5 @@ UINT4 *in;
  ** End of md5.c                                                      **
  ******************************** (cut) ********************************
  */
 +#endif /* USE_EAPTLS */
 +
-diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
+diff --git a/pppd/md5.h b/pppd/md5.h
--- ppp-2.4.7/pppd/md5.h	2014-08-09 14:31:39.000000000 +0200
+index 71e8b00..14d7121 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h	2017-05-09 14:38:55.152083200 +0200
+--- a/pppd/md5.h
 +++ b/pppd/md5.h
@@ -36,6 +36,7 @@
  ** documentation and/or software.                                    **
  ***********************************************************************
@ -3047,16 +3008,17 @@ diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-0.999/pppd/md5.h
 #ifndef __MD5_INCLUDE__
-@@ -63,3 +64,5 @@
+@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
 #define __MD5_INCLUDE__
 #endif /* __MD5_INCLUDE__ */
 +
 +#endif /* USE_EAPTLS */
-diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h
+diff --git a/pppd/pathnames.h b/pppd/pathnames.h
--- ppp-2.4.7/pppd/pathnames.h	2014-08-09 14:31:39.000000000 +0200
+index 24e010c..6275df6 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames.h	2017-05-09 14:38:55.153083126 +0200
+--- a/pppd/pathnames.h
-@@ -21,6 +21,13 @@
+++ b/pppd/pathnames.h
@@ -22,6 +22,13 @@
 #define _PATH_UPAPFILE 	 _ROOT_PATH "/etc/ppp/pap-secrets"
 #define _PATH_CHAPFILE 	 _ROOT_PATH "/etc/ppp/chap-secrets"
 #define _PATH_SRPFILE 	 _ROOT_PATH "/etc/ppp/srp-secrets"
@ -3070,10 +3032,11 @@ diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pathnames
 #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
 #define _PATH_IPUP	 _ROOT_PATH "/etc/ppp/ip-up"
 #define _PATH_IPDOWN	 _ROOT_PATH "/etc/ppp/ip-down"
-diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux
+diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
--- ppp-2.4.7/pppd/plugins/Makefile.linux	2014-08-09 14:31:39.000000000 +0200
+index b474a19..760cad4 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/Makefile.linux	2017-05-09 14:38:55.153083126 +0200
+--- a/pppd/plugins/Makefile.linux
-@@ -4,6 +4,9 @@
+++ b/pppd/plugins/Makefile.linux
@@ -4,6 +4,9 @@ CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
 LDFLAGS	= -shared
 INSTALL	= install
@ -3083,10 +3046,11 @@ diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-0.999/ppp
 DESTDIR = $(INSTROOT)@DESTDIR@
 BINDIR = $(DESTDIR)/sbin
 MANDIR = $(DESTDIR)/share/man/man8
-diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c
+diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
--- ppp-2.4.7/pppd/plugins/passprompt.c	2014-08-09 14:31:39.000000000 +0200
+index babb6dc..6ba73ca 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passprompt.c	2017-05-09 14:38:55.153083126 +0200
+--- a/pppd/plugins/passprompt.c
-@@ -107,4 +107,7 @@
+++ b/pppd/plugins/passprompt.c
@@ -107,4 +107,7 @@ void plugin_init(void)
 {
     add_options(options);
     pap_passwd_hook = promptpass;
@ -3094,10 +3058,11 @@ diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-0.999/pppd/
 +    eaptls_passwd_hook = promptpass;
 +#endif
 }
-diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c
+diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
--- ppp-2.4.7/pppd/plugins/passwordfd.c	2014-08-09 14:31:39.000000000 +0200
+index d718f3b..c3f9793 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/plugins/passwordfd.c	2017-05-09 14:38:55.154083052 +0200
+--- a/pppd/plugins/passwordfd.c
-@@ -79,4 +79,8 @@
+++ b/pppd/plugins/passwordfd.c
@@ -79,4 +79,8 @@ void plugin_init (void)
     chap_check_hook = pwfd_check;
     chap_passwd_hook = pwfd_passwd;
@ -3106,10 +3071,11 @@ diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-0.999/pppd/
 +    eaptls_passwd_hook = pwfd_passwd;
 +#endif
 }
-diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
+diff --git a/pppd/pppd.8 b/pppd/pppd.8
--- ppp-2.4.7/pppd/pppd.8	2014-08-09 14:31:39.000000000 +0200
+index 2dd6e1a..75dd6f3 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8	2017-05-09 14:38:55.155082978 +0200
+--- a/pppd/pppd.8
-@@ -248,6 +248,12 @@
+++ b/pppd/pppd.8
@@ -248,6 +248,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
 compression in the corresponding direction.  Use \fInobsdcomp\fR or
 \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
 .TP
@ -3122,7 +3088,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B cdtrcts
 Use a non-standard hardware flow control (i.e. DTR/CTS) to control
 the flow of data on the serial port.  If neither the \fIcrtscts\fR,
-@@ -259,6 +265,12 @@
+@@ -259,6 +265,12 @@ RTS output. Such serial ports use this mode to implement true
 bi-directional flow control. The sacrifice is that this flow
 control mode does not permit using DTR as a modem control line.
 .TP
@ -3135,7 +3101,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B chap\-interval \fIn
 If this option is given, pppd will rechallenge the peer every \fIn\fR
 seconds.
-@@ -287,6 +299,18 @@
+@@ -287,6 +299,18 @@ negotiation by sending its first LCP packet.  The default value is
 1000 (1 second).  This wait period only applies if the \fBconnect\fR
 or \fBpty\fR option is used.
 .TP
@ -3154,7 +3120,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B debug
 Enables connection debugging facilities.
 If this option is given, pppd will log the contents of all
-@@ -551,6 +575,12 @@
+@@ -551,6 +575,12 @@ transmitted packets be printed.  On most systems, messages printed by
 the kernel are logged by syslog(1) to a file as directed in the
 /etc/syslog.conf configuration file.
 .TP
@ -3167,7 +3133,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B ktune
 Enables pppd to alter kernel settings as appropriate.  Under Linux,
 pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
-@@ -709,6 +739,9 @@
+@@ -709,6 +739,9 @@ name to \fIname\fR.)
 Disable Address/Control compression in both directions (send and
 receive).
 .TP
@ -3177,10 +3143,11 @@ diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.8
 .B noauth
 Do not require the peer to authenticate itself.  This option is
 privileged.
-diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
+diff --git a/pppd/pppd.h b/pppd/pppd.h
--- ppp-2.4.7/pppd/pppd.h	2014-08-09 14:31:39.000000000 +0200
+index 5f72f72..523f226 100644
-+++ ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h	2017-05-09 14:38:55.156082905 +0200
+--- a/pppd/pppd.h
-@@ -325,6 +325,11 @@
+++ b/pppd/pppd.h
@@ -324,6 +324,11 @@ extern bool	dump_options;	/* print out option values */
 extern bool	dryrun;		/* check everything, print options, exit */
 extern int	child_wait;	/* # seconds to wait for children at end */
@ -3192,7 +3159,7 @@ diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
 #ifdef MAXOCTETS
 extern unsigned int maxoctets;	     /* Maximum octetes per session (in bytes) */
 extern int       maxoctets_dir;      /* Direction :
-@@ -741,6 +746,10 @@
+@@ -738,6 +743,10 @@ extern int (*chap_check_hook) __P((void));
 extern int (*chap_passwd_hook) __P((char *user, char *passwd));
 extern void (*multilink_join_hook) __P((void));
@ -3203,3 +3170,6 @@ diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-0.999/pppd/pppd.h
 /* Let a plugin snoop sent and received packets.  Useful for L2TP */
 extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
 extern void (*snoop_send_hook) __P((unsigned char *p, int len));
 -- 
 1.8.3.1
--- a/0028-Fix-logical-expression-in-eap_client_active-macro.patch
+++ b/0028-Fix-logical-expression-in-eap_client_active-macro.patch
@ -0,0 +1,27 @@
 From fcb95abad72ac043f2e5f5ddcffc42b0783a3c2d Mon Sep 17 00:00:00 2001
 From: Michal Sekletar <msekleta@redhat.com>
 Date: Wed, 10 Dec 2014 12:21:31 +0100
 Subject: [PATCH] Fix logical expression in eap_client_active macro
 ---
 pppd/eap.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
 diff --git a/pppd/eap.h b/pppd/eap.h
 index 3fa5391..087baad 100644
 --- a/pppd/eap.h
 +++ b/pppd/eap.h
@@ -110,8 +110,8 @@ enum eap_state_code {
 	"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
 #ifdef USE_EAPTLS
 -#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial ||\
 -				 (esp)->es_client.ea_state != eapPending ||\
 +#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial &&\
 +				 (esp)->es_client.ea_state != eapPending &&\
 				 (esp)->es_client.ea_state != eapClosed)
 #else
 #define eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
 -- 
 1.8.3.1
--- a/0029-pppoe-include-netinet-in.h-before-linux-in.h.patch
+++ b/0029-pppoe-include-netinet-in.h-before-linux-in.h.patch
--- a/ppp-2.4.7-DES-openssl.patch
+++ b/ppp-2.4.7-DES-openssl.patch
@ -1,79 +0,0 @@
 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
 index 534ccc2..cf11b74 100644
 --- a/pppd/Makefile.linux
 +++ b/pppd/Makefile.linux
@@ -41,7 +41,7 @@ COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\"
 # Uncomment the next 2 lines to include support for Microsoft's
 # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
 CHAPMS=y
 -USE_CRYPT=y
 +#USE_CRYPT=y
 # Don't use MSLANMAN unless you really know what you're doing.
 #MSLANMAN=y
 # Uncomment the next line to include support for MPPE.  CHAPMS (above) must
@@ -147,7 +147,8 @@ endif
 ifdef NEEDDES
 ifndef USE_CRYPT
 -LIBS     += -ldes $(LIBS)
 +CFLAGS   += -I/usr/include/openssl
 +LIBS     += -lcrypto
 else
 CFLAGS   += -DUSE_CRYPT=1
 endif
 diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
 index 8b85b13..6b35375 100644
 --- a/pppd/pppcrypt.c
 +++ b/pppd/pppcrypt.c
@@ -64,7 +64,7 @@ u_char *des_key;	/* OUT 64 bit DES key with parity bits added */
 	des_key[7] = Get7Bits(key, 49);
 #ifndef USE_CRYPT
 -	des_set_odd_parity((des_cblock *)des_key);
 +	DES_set_odd_parity((DES_cblock *)des_key);
 #endif
 }
@@ -158,25 +158,25 @@ u_char *clear;	/* OUT 8 octets */
 }
 #else /* USE_CRYPT */
 -static des_key_schedule	key_schedule;
 +static DES_key_schedule	key_schedule;
 bool
 DesSetkey(key)
 u_char *key;
 {
 -	des_cblock des_key;
 +	DES_cblock des_key;
 	MakeKey(key, des_key);
 -	des_set_key(&des_key, key_schedule);
 +	DES_set_key(&des_key, &key_schedule);
 	return (1);
 }
 bool
 -DesEncrypt(clear, key, cipher)
 +DesEncrypt(clear, cipher)
 u_char *clear;	/* IN  8 octets */
 u_char *cipher;	/* OUT 8 octets */
 {
 -	des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
 -	    key_schedule, 1);
 +	DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
 +	    &key_schedule, 1);
 	return (1);
 }
@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
 u_char *cipher;	/* IN  8 octets */
 u_char *clear;	/* OUT 8 octets */
 {
 -	des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
 -	    key_schedule, 0);
 +	DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
 +	    &key_schedule, 0);
 	return (1);
 }
--- a/ppp-2.4.7-honor-ldflags.patch
+++ b/ppp-2.4.7-honor-ldflags.patch
@ -1,170 +0,0 @@
 diff --git a/chat/Makefile.linux b/chat/Makefile.linux
 index 2445637..83114f1 100644
 --- a/chat/Makefile.linux
 +++ b/chat/Makefile.linux
@@ -18,7 +18,7 @@ INSTALL= install
 all:	chat
 chat:	chat.o
 -	$(CC) -o chat chat.o
 +	$(CC) $(LDFLAGS) -o chat chat.o
 chat.o:	chat.c
 	$(CC) -c $(CFLAGS) -o chat.o chat.c
 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
 index cf11b74..089f164 100644
 --- a/pppd/Makefile.linux
 +++ b/pppd/Makefile.linux
@@ -188,7 +188,7 @@ endif
 ifdef PLUGIN
 CFLAGS	+= -DPLUGIN
 -LDFLAGS	+= -Wl,-E
 +LDFLAGS_PLUGIN	+= -Wl,-E
 LIBS	+= -ldl
 endif
@@ -230,7 +230,7 @@ install: pppd
 	$(INSTALL) -c -m 644 pppd.8 $(MANDIR)
 pppd: $(PPPDOBJS)
 -	$(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
 +	$(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS)
 srp-entry:	srp-entry.c
 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
 diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
 index 303833a..04fe876 100644
 --- a/pppd/plugins/Makefile.linux
 +++ b/pppd/plugins/Makefile.linux
@@ -1,7 +1,7 @@
 #CC	= gcc
 COPTS	= $(RPM_OPT_FLAGS)
 CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
 -LDFLAGS	= -shared
 +LDFLAGS_SHARED	= -shared
 INSTALL	= install
 # EAP-TLS
@@ -33,7 +33,7 @@ all:	$(PLUGINS)
 	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
 %.so: %.c
 -	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
 +	$(CC) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED) $(CFLAGS) $^
 VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
 diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
 index 4c5826f..1961e0e 100644
 --- a/pppd/plugins/pppoatm/Makefile.linux
 +++ b/pppd/plugins/pppoatm/Makefile.linux
@@ -1,7 +1,7 @@
 #CC	= gcc
 COPTS	= $(RPM_OPT_FLAGS)
 CFLAGS	= $(COPTS) -I../.. -I../../../include -fPIC
 -LDFLAGS	= -shared
 +LDFLAGS_SHARED	= -shared
 INSTALL	= install
 #***********************************************************************
@@ -33,7 +33,7 @@ endif
 all: $(PLUGIN)
 $(PLUGIN): $(PLUGIN_OBJS)
 -	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
 +	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS)
 install: all
 	$(INSTALL) -d -m 755 $(LIBDIR)
 diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
 index 9cb316d..7b23b25 100644
 --- a/pppd/plugins/pppol2tp/Makefile.linux
 +++ b/pppd/plugins/pppol2tp/Makefile.linux
@@ -1,7 +1,7 @@
 #CC	= gcc
 COPTS	= $(RPM_OPT_FLAGS) -DHAVE_MULTILINK
 CFLAGS	= $(COPTS) -I. -I../.. -I../../../include -fPIC
 -LDFLAGS	= -shared
 +LDFLAGS_SHARED	= -shared
 INSTALL	= install
 #***********************************************************************
@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so
 all: $(PLUGINS)
 %.so: %.o
 -	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
 +	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS)
 install: all
 	$(INSTALL) -d -m 755 $(LIBDIR)
 diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
 index 707326b..2150332 100644
 --- a/pppd/plugins/radius/Makefile.linux
 +++ b/pppd/plugins/radius/Makefile.linux
@@ -43,13 +43,13 @@ install: all
 	$(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
 radius.so: radius.o libradiusclient.a
 -	$(CC) -o radius.so -shared radius.o libradiusclient.a
 +	$(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
 radattr.so: radattr.o
 -	$(CC) -o radattr.so -shared radattr.o
 +	$(CC) $(LDFLAGS) -o radattr.so -shared radattr.o
 radrealms.so: radrealms.o
 -	$(CC) -o radrealms.so -shared radrealms.o
 +	$(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o
 CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \
 	clientid.o sendserver.o lock.o util.o md5.o
 diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
 index fa49efb..5e06b52 100644
 --- a/pppd/plugins/rp-pppoe/Makefile.linux
 +++ b/pppd/plugins/rp-pppoe/Makefile.linux
@@ -31,7 +31,7 @@ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
 all: rp-pppoe.so pppoe-discovery
 pppoe-discovery: pppoe-discovery.o debug.o common.o
 -	$(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev
 +	$(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev
 pppoe-discovery.o: pppoe-discovery.c
 	$(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
@@ -40,7 +40,7 @@ debug.o: debug.c
 	$(CC) $(CFLAGS) -c -o debug.o debug.c
 rp-pppoe.so: plugin.o discovery.o if.o common.o
 -	$(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
 +	$(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
 install: all
 	$(INSTALL) -d -m 755 $(LIBDIR)
 diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
 index 95c6805..33e5107 100644
 --- a/pppdump/Makefile.linux
 +++ b/pppdump/Makefile.linux
@@ -10,7 +10,7 @@ INSTALL= install
 all:	pppdump
 pppdump: $(OBJS)
 -	$(CC) -o pppdump $(OBJS)
 +	$(CC) $(LDFLAGS) -o pppdump $(OBJS)
 clean:
 	rm -f pppdump $(OBJS) *~
 diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
 index c5ba3b1..eeccf83 100644
 --- a/pppstats/Makefile.linux
 +++ b/pppstats/Makefile.linux
@@ -26,7 +26,7 @@ install: pppstats
 	$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
 pppstats: $(PPPSTATSRCS)
 -	$(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
 +	$(CC) $(CFLAGS) $(LDFLAGS) -o pppstats pppstats.c $(LIBS)
 clean:
 	rm -f pppstats *~ #* core
--- a/ppp.spec
+++ b/ppp.spec
@ -3,7 +3,7 @@
 Summary: The Point-to-Point Protocol daemon
 Name: ppp
 Version: 2.4.7
-Release: 21%{?dist}
+Release: 11%{?dist}
 License: BSD and LGPLv2+ and GPLv2+ and Public Domain
 Group: System Environment/Daemons
 URL: http://www.samba.org/ppp
@ -48,16 +48,12 @@ Patch0023:      0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
 Patch0024:      0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
 Patch0025:      0025-pppd-install-pppd-binary-using-standard-perms-755.patch
 Patch0026:      0026-Revert-pppd-rebase-EAP-TLS-patch-v0.994.patch
-Patch0027:      0027-pppd-EAP-TLS-patch-v0.999.patch
+Patch0027:      0027-pppd-EAP-TLS-patch-v0.997.patch
-Patch0028:      0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
+Patch0028:      0028-Fix-logical-expression-in-eap_client_active-macro.patch
-
+Patch0029:      0029-pppoe-include-netinet-in.h-before-linux-in.h.patch
 # rhbz#1556132
 Patch0029:      ppp-2.4.7-DES-openssl.patch
 # https://github.com/paulusmack/ppp/pull/95
 Patch0030:      ppp-2.4.7-honor-ldflags.patch
 BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel
-BuildRequires: openssl-devel
+BuildRequires: pkgconfig(openssl) < 1.1
 Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd, initscripts >= 9.54
 Requires(pre): /usr/bin/getent
 Requires(pre): /usr/sbin/groupadd
@ -85,10 +81,9 @@ tar -xJf %{SOURCE12}
 %build
 export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing"
 export RPM_LD_FLAGS="$LDFLAGS"
 %configure
-make %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
+make %{?_smp_mflags}
-make -C ppp-watch %{?_smp_mflags} LDFLAGS="%{?build_ldflags}"
+make -C ppp-watch %{?_smp_mflags}
 %install
 make INSTROOT=%{buildroot} install install-etcppp
@ -175,41 +170,6 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
 %doc PLUGINS
 %changelog
 * Mon Apr  9 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-21
 - Link with -E not to break plugins
  Resolves: rhbz#1564459
 * Fri Apr  6 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-20
 - Also build all DSOs with distro's LDFLAGS
  Related: rhbz#1563157
 * Wed Apr  4 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-19
 - Build with distro's LDFLAGS
  Resolves: rhbz#1563157
 * Tue Mar 27 2018 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-18
 - Used openssl for the DES instead of the libcrypt / glibc
  Resolves: rhbz#1556132
 * Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 2.4.7-17
 - Escape macros in %%changelog
 * Fri Feb 09 2018 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-16
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild
 * Sat Jan 20 2018 Björn Esser <besser82@fedoraproject.org> - 2.4.7-15
 - Rebuilt for switch to libxcrypt
 * Mon Aug 21 2017 Jaroslav Škarvada <jskarvad@redhat.com> - 2.4.7-14
 - EAP-TLS patch updated to version 0.999
 - Switched to openssl-1.1
 * Thu Aug 03 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-13
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild
 * Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-12
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
 * Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 2.4.7-11
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
@ -262,7 +222,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
 - fix post installation scriptlet
 * Fri Jul 12 2013 Michal Sekletar <msekleta@redhat.com> - 2.4.5-32
- don't ship /var/lock/ppp in rpm payload and create it in %%post instead
+- don't ship /var/lock/ppp in rpm payload and create it in %post instead
 - fix installation of tmpfiles.d configuration
 - enable hardened build
 - fix bogus dates in changelog
@ -571,7 +531,7 @@ install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdo
 - automatic rebuild
 * Mon Jun  5 2000 Nalin Dahyabhai <nalin@redhat.com>
- move man pages to %%{_mandir}
+- move man pages to %{_mandir}
 * Thu Jun  1 2000 Nalin Dahyabhai <nalin@redhat.com>
 - change perms using defattr