commit 30de404fb559071168dcc48b0cd9918fbd5a60de
Author: CentOS Sources
Date: Thu Feb 27 10:00:00 2020 -0500
import ppp-2.4.7-26.el8_1
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..fdcb974
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1,2 @@
+SOURCES/ppp-2.4.7.tar.gz
+SOURCES/ppp-watch.tar.xz
diff --git a/.ppp.metadata b/.ppp.metadata
new file mode 100644
index 0000000..5193a2a
--- /dev/null
+++ b/.ppp.metadata
@@ -0,0 +1,2 @@
+808b023172ea7189bc0d49935bf37a5382a1fe13 SOURCES/ppp-2.4.7.tar.gz
+74b6db205dc46fc179a2a3bc3d726ddfeb03c801 SOURCES/ppp-watch.tar.xz
diff --git a/SOURCES/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch b/SOURCES/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch
new file mode 100644
index 0000000..b8a76ca
--- /dev/null
+++ b/SOURCES/0001-build-sys-use-gcc-as-our-compiler-of-choice.patch
@@ -0,0 +1,25 @@
+From 486e36d184cbaee7e34bb582ea6fdf3bfa9ca531 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Fri, 4 Apr 2014 11:23:42 +0200
+Subject: [PATCH 01/27] build-sys: use gcc as our compiler of choice
+
+---
+ pppd/Makefile.linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index a74c914..1d9ea78 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -30,7 +30,7 @@ ifeq (.depend,$(wildcard .depend))
+ include .depend
+ endif
+
+-# CC = gcc
++CC = gcc
+ #
+ COPTS = -O2 -pipe -Wall -g
+ LIBS =
+--
+1.8.3.1
+
diff --git a/SOURCES/0002-build-sys-enable-PAM-support.patch b/SOURCES/0002-build-sys-enable-PAM-support.patch
new file mode 100644
index 0000000..2f1c53b
--- /dev/null
+++ b/SOURCES/0002-build-sys-enable-PAM-support.patch
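Review bot: The two digests added in .ppp.metadata are 40 hex characters, which is SHA-1 length, and they are the only integrity reference this commit records for `SOURCES/ppp-2.4.7.tar.gz` and `SOURCES/ppp-watch.tar.xz`, both of which .gitignore keeps out of the repository. SHA-1 no longer resists deliberate collisions, so the binding between this commit and the tarball contents is weaker than the rest of the git history suggests. If the lookaside tooling allows it I would record a SHA-256 digest alongside, or check the tarballs against an upstream-published checksum or signature at import time where one exists.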
@@ -0,0 +1,25 @@
+From 0d71a32b73b71c9793d0b304320858062faf00d1 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Fri, 4 Apr 2014 11:25:43 +0200
+Subject: [PATCH 02/27] build-sys: enable PAM support
+
+---
+ pppd/Makefile.linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 1d9ea78..5a44d30 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -61,7 +61,7 @@ HAVE_MULTILINK=y
+ USE_TDB=y
+
+ HAS_SHADOW=y
+-#USE_PAM=y
++USE_PAM=y
+ HAVE_INET6=y
+
+ # Enable plugins
+--
+1.8.3.1
+
diff --git a/SOURCES/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch b/SOURCES/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
new file mode 100644
index 0000000..87da38b
--- /dev/null
+++ b/SOURCES/0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch
@@ -0,0 +1,121 @@ +From d729b06f0ac7a5ebd3648ef60bef0499b59bf82d Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 11:29:39 +0200 +Subject: [PATCH 03/27] build-sys: utilize compiler flags handed to us by + rpmbuild + +--- + chat/Makefile.linux | 2 +- + pppd/Makefile.linux | 3 +-- + pppd/plugins/Makefile.linux | 2 +- + pppd/plugins/pppoatm/Makefile.linux | 2 +- + pppd/plugins/radius/Makefile.linux | 2 +- + pppd/plugins/rp-pppoe/Makefile.linux | 2 +- + pppdump/Makefile.linux | 2 +- + pppstats/Makefile.linux | 2 +- + 8 files changed, 8 insertions(+), 9 deletions(-) + +diff --git a/chat/Makefile.linux b/chat/Makefile.linux +index 1065ac5..848cd8d 100644 +--- a/chat/Makefile.linux ++++ b/chat/Makefile.linux +@@ -10,7 +10,7 @@ CDEF3= -UNO_SLEEP # Use the usleep function + CDEF4= -DFNDELAY=O_NDELAY # Old name value + CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) + +-COPTS= -O2 -g -pipe ++COPTS= $(RPM_OPT_FLAGS) + CFLAGS= $(COPTS) $(CDEFS) + + INSTALL= install +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 5a44d30..63872eb 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -32,8 +32,7 @@ endif + + CC = gcc + # +-COPTS = -O2 -pipe -Wall -g +-LIBS = ++COPTS = -Wall $(RPM_OPT_FLAGS) + + # Uncomment the next 2 lines to include support for Microsoft's + # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index 0a7ec7b..e09a369 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -1,5 +1,5 @@ + #CC = gcc +-COPTS = -O2 -g ++COPTS = $(RPM_OPT_FLAGS) + CFLAGS = $(COPTS) -I.. 
-I../../include -fPIC + LDFLAGS = -shared + INSTALL = install +diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux +index 20f62e6..5a81447 100644 +--- a/pppd/plugins/pppoatm/Makefile.linux ++++ b/pppd/plugins/pppoatm/Makefile.linux +@@ -1,5 +1,5 @@ + #CC = gcc +-COPTS = -O2 -g ++COPTS = $(RPM_OPT_FLAGS) + CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC + LDFLAGS = -shared + INSTALL = install +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 24ed3e5..45b3b8d 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ b/pppd/plugins/radius/Makefile.linux +@@ -12,7 +12,7 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + INSTALL = install + + PLUGIN=radius.so radattr.so radrealms.so +-CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON ++CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -DRC_LOG_FACILITY=LOG_DAEMON + + # Uncomment the next line to include support for Microsoft's + # MS-CHAP authentication protocol. +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 5d7a271..352991a 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -25,7 +25,7 @@ INSTALL = install + # Version is set ONLY IN THE MAKEFILE! Don't delete this! 
+ RP_VERSION=3.8p + +-COPTS=-O2 -g ++COPTS=$(RPM_OPT_FLAGS) + CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' + all: rp-pppoe.so pppoe-discovery + +diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux +index ac028f6..d0a5032 100644 +--- a/pppdump/Makefile.linux ++++ b/pppdump/Makefile.linux +@@ -2,7 +2,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 + +-CFLAGS= -O -I../include/net ++CFLAGS= $(RPM_OPT_FLAGS) -I../include/net + OBJS = pppdump.o bsd-comp.o deflate.o zlib.o + + INSTALL= install +diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux +index cca6f0f..42aba73 100644 +--- a/pppstats/Makefile.linux ++++ b/pppstats/Makefile.linux +@@ -10,7 +10,7 @@ PPPSTATSRCS = pppstats.c + PPPSTATOBJS = pppstats.o + + #CC = gcc +-COPTS = -O ++COPTS = $(RPM_OPT_FLAGS) + COMPILE_FLAGS = -I../include + LIBS = + +-- +1.8.3.1 + diff --git a/SOURCES/0004-doc-add-configuration-samples.patch b/SOURCES/0004-doc-add-configuration-samples.patch new file mode 100644 index 0000000..0cea037 --- /dev/null +++ b/SOURCES/0004-doc-add-configuration-samples.patch 
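Review bot: The radius plugin's `CFLAGS` loses `-fPIC` in this change (`-O2 -fPIC` becomes `$(RPM_OPT_FLAGS)`), while pppd/plugins/Makefile.linux and pppoatm keep it after `$(COPTS)`. radius.so, radattr.so and radrealms.so are shared objects, so unless the flags rpmbuild hands in happen to include it, the link can fail or produce text relocations; I would keep it explicit with `CFLAGS=-I. -I../.. -I../../../include $(RPM_OPT_FLAGS) -fPIC -DRC_LOG_FACILITY=LOG_DAEMON`. Every `COPTS` in this patch also expands to nothing when `RPM_OPT_FLAGS` is unset, so a build outside rpmbuild silently gets neither optimisation nor the distribution's hardening flags; a default such as `RPM_OPT_FLAGS ?= -O2 -g` at the top of each Makefile would avoid that.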
@@ -0,0 +1,341 @@ +From d7faeb88f684c8b2ae193b2c5b5b358ac757fcfa Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 11:39:09 +0200 +Subject: [PATCH 04/27] doc: add configuration samples + +--- + sample/auth-down | 17 ++++++ + sample/auth-up | 17 ++++++ + sample/ip-down | 22 ++++++++ + sample/ip-up | 23 ++++++++ + sample/options | 153 +++++++++++++++++++++++++++++++++++++++++++++++++++ + sample/options.ttyXX | 14 +++++ + sample/pap-secrets | 28 ++++++++++ + 7 files changed, 274 insertions(+) + create mode 100644 sample/auth-down + create mode 100644 sample/auth-up + create mode 100644 sample/ip-down + create mode 100644 sample/ip-up + create mode 100644 sample/options + create mode 100644 sample/options.ttyXX + create mode 100644 sample/pap-secrets + +diff --git a/sample/auth-down b/sample/auth-down +new file mode 100644 +index 0000000..edde65d +--- /dev/null ++++ b/sample/auth-down +@@ -0,0 +1,17 @@ ++#!/bin/sh ++# ++# A program or script which is executed after the remote system ++# successfully authenticates itself. It is executed with the parameters ++# ++# ++ ++# ++# The environment is cleared before executing this script ++# so the path must be reset ++# ++PATH=/usr/sbin:/sbin:/usr/bin:/bin ++export PATH ++ ++echo auth-down `date +'%y/%m/%d %T'` $* >> /var/log/pppstats ++ ++# last line +diff --git a/sample/auth-up b/sample/auth-up +new file mode 100644 +index 0000000..54722a3 +--- /dev/null ++++ b/sample/auth-up +@@ -0,0 +1,17 @@ ++#!/bin/sh ++# ++# A program or script which is executed after the remote system ++# successfully authenticates itself. 
It is executed with the parameters ++# ++# ++ ++# ++# The environment is cleared before executing this script ++# so the path must be reset ++# ++PATH=/usr/sbin:/sbin:/usr/bin:/bin ++export PATH ++ ++echo auth-up `date +'%y/%m/%d %T'` $* >> /var/log/pppstats ++ ++# last line +diff --git a/sample/ip-down b/sample/ip-down +new file mode 100644 +index 0000000..b771fb6 +--- /dev/null ++++ b/sample/ip-down +@@ -0,0 +1,22 @@ ++#!/bin/sh ++# ++# This script is run by the pppd _after_ the link is brought down. ++# It should be used to delete routes, unset IP addresses etc. ++# ++# This script is called with the following arguments: ++# Arg Name Example ++# $1 Interface name ppp0 ++# $2 The tty ttyS1 ++# $3 The link speed 38400 ++# $4 Local IP number 12.34.56.78 ++# $5 Peer IP number 12.34.56.99 ++# ++ ++# ++# The environment is cleared before executing this script ++# so the path must be reset ++# ++PATH=/usr/sbin:/sbin:/usr/bin:/bin ++export PATH ++ ++# last line +diff --git a/sample/ip-up b/sample/ip-up +new file mode 100644 +index 0000000..7ce7c8d +--- /dev/null ++++ b/sample/ip-up +@@ -0,0 +1,23 @@ ++#!/bin/sh ++# ++# This script is run by the pppd after the link is established. ++# It should be used to add routes, set IP address, run the mailq ++# etc. ++# ++# This script is called with the following arguments: ++# Arg Name Example ++# $1 Interface name ppp0 ++# $2 The tty ttyS1 ++# $3 The link speed 38400 ++# $4 Local IP number 12.34.56.78 ++# $5 Peer IP number 12.34.56.99 ++# ++ ++# ++# The environment is cleared before executing this script ++# so the path must be reset ++# ++PATH=/usr/sbin:/sbin:/usr/bin:/bin ++export PATH ++ ++# last line +diff --git a/sample/options b/sample/options +new file mode 100644 +index 0000000..8d0a3f9 +--- /dev/null ++++ b/sample/options +@@ -0,0 +1,153 @@ ++# /etc/ppp/options ++ ++# The name of this server. Often, the FQDN is used here. 
++#name ++ ++# Enforce the use of the hostname as the name of the local system for ++# authentication purposes (overrides the name option). ++usehostname ++ ++# If no local IP address is given, pppd will use the first IP address ++# that belongs to the local hostname. If "noipdefault" is given, this ++# is disabled and the peer will have to supply an IP address. ++noipdefault ++ ++# With this option, pppd will accept the peer's idea of our local IP ++# address, even if the local IP address was specified in an option. ++#ipcp-accept-local ++ ++# With this option, pppd will accept the peer's idea of its (remote) IP ++# address, even if the remote IP address was specified in an option. ++#ipcp-accept-remote ++ ++# Specify which DNS Servers the incoming Win95 or WinNT Connection should use ++# Two Servers can be remotely configured ++#ms-dns 192.168.1.1 ++#ms-dns 192.168.1.2 ++ ++# Specify which WINS Servers the incoming connection Win95 or WinNT should use ++#wins-addr 192.168.1.50 ++#wins-addr 192.168.1.51 ++ ++# enable this on a server that already has a permanent default route ++#nodefaultroute ++ ++# Run the executable or shell command specified after pppd has terminated ++# the link. This script could, for example, issue commands to the modem ++# to cause it to hang up if hardware modem control signals were not ++# available. ++# If mgetty is running, it will reset the modem anyway. So there is no need ++# to do it here. ++#disconnect "chat -- \d+++\d\c OK ath0 OK" ++ ++# Increase debugging level (same as -d). The debug output is written ++# to syslog LOG_LOCAL2. ++debug ++ ++# Enable debugging code in the kernel-level PPP driver. The argument n ++# is a number which is the sum of the following values: 1 to enable ++# general debug messages, 2 to request that the contents of received ++# packets be printed, and 4 to request that the contents of transmitted ++# packets be printed. 
++#kdebug n ++ ++# Require the peer to authenticate itself before allowing network ++# packets to be sent or received. ++# Please do not disable this setting. It is expected to be standard in ++# future releases of pppd. Use the call option (see manpage) to disable ++# authentication for specific peers. ++#auth ++ ++# authentication can either be pap or chap. As most people only want to ++# use pap, you can also disable chap: ++#require-pap ++#refuse-chap ++ ++# Use hardware flow control (i.e. RTS/CTS) to control the flow of data ++# on the serial port. ++crtscts ++ ++# Specifies that pppd should use a UUCP-style lock on the serial device ++# to ensure exclusive access to the device. ++lock ++ ++# Use the modem control lines. ++modem ++ ++# async character map -- 32-bit hex; each bit is a character ++# that needs to be escaped for pppd to receive it. 0x00000001 ++# represents '\x01', and 0x80000000 represents '\x1f'. ++# To allow pppd to work over a rlogin/telnet connection, ou should escape ++# XON (^Q), XOFF (^S) and ^]: (The peer should use "escape ff".) ++#asyncmap 200a0000 ++asyncmap 0 ++ ++# Specifies that certain characters should be escaped on transmission ++# (regardless of whether the peer requests them to be escaped with its ++# async control character map). The characters to be escaped are ++# specified as a list of hex numbers separated by commas. Note that ++# almost any character can be specified for the escape option, unlike ++# the asyncmap option which only allows control characters to be ++# specified. The characters which may not be escaped are those with hex ++# values 0x20 - 0x3f or 0x5e. ++#escape 11,13,ff ++ ++# Set the MRU [Maximum Receive Unit] value to for negotiation. pppd ++# will ask the peer to send packets of no more than bytes. The ++# minimum MRU value is 128. The default MRU value is 1500. A value of ++# 296 is recommended for slow links (40 bytes for TCP/IP header + 256 ++# bytes of data). 
++#mru 542 ++ ++# Set the MTU [Maximum Transmit Unit] value to . Unless the peer ++# requests a smaller value via MRU negotiation, pppd will request that ++# the kernel networking code send data packets of no more than n bytes ++# through the PPP network interface. ++#mtu ++ ++# Set the interface netmask to , a 32 bit netmask in "decimal dot" ++# notation (e.g. 255.255.255.0). ++#netmask 255.255.255.0 ++ ++# Don't fork to become a background process (otherwise pppd will do so ++# if a serial device is specified). ++nodetach ++ ++# Set the assumed name of the remote system for authentication purposes ++# to . ++#remotename ++ ++# Add an entry to this system's ARP [Address Resolution Protocol] ++# table with the IP address of the peer and the Ethernet address of this ++# system. {proxyarp,noproxyarp} ++proxyarp ++ ++# Use the system password database for authenticating the peer using ++# PAP. Note: mgetty already provides this option. If this is specified ++# then dialin from users using a script under Linux to fire up ppp wont work. ++#login ++ ++# If this option is given, pppd will send an LCP echo-request frame to ++# the peer every n seconds. Under Linux, the echo-request is sent when ++# no packets have been received from the peer for n seconds. Normally ++# the peer should respond to the echo-request by sending an echo-reply. ++# This option can be used with the lcp-echo-failure option to detect ++# that the peer is no longer connected. ++lcp-echo-interval 30 ++ ++# If this option is given, pppd will presume the peer to be dead if n ++# LCP echo-requests are sent without receiving a valid LCP echo-reply. ++# If this happens, pppd will terminate the connection. Use of this ++# option requires a non-zero value for the lcp-echo-interval parameter. ++# This option can be used to enable pppd to terminate after the physical ++# connection has been broken (e.g., the modem has hung up) in ++# situations where no hardware modem control lines are available. 
++lcp-echo-failure 4 ++ ++# Specifies that pppd should disconnect if the link is idle for n seconds. ++idle 600 ++ ++# Disable the IPXCP and IPX protocols. ++noipx ++ ++# ------ +diff --git a/sample/options.ttyXX b/sample/options.ttyXX +new file mode 100644 +index 0000000..d4202f5 +--- /dev/null ++++ b/sample/options.ttyXX +@@ -0,0 +1,14 @@ ++# If you need to set up multiple serial lines then copy this file to ++# options. for each tty with a modem on it. ++# ++# The options.tty file will assign an IP address to each PPP connection ++# as it comes up. They must all be distinct! ++# ++# Example: ++# options.ttyS1 for com2 under DOS. ++# ++# Edit the following line so that the first IP address ++# mentioned is the ip address of the serial port while the second ++# is the IP address of your host ++# ++hostname-s1:hostname +diff --git a/sample/pap-secrets b/sample/pap-secrets +new file mode 100644 +index 0000000..098971b +--- /dev/null ++++ b/sample/pap-secrets +@@ -0,0 +1,28 @@ ++# Secrets for authentication using PAP ++# client server secret IP addresses ++ ++# OUTBOUND CONNECTIONS ++# Here you should add your userid password to connect to your providers via ++# pap. The * means that the password is to be used for ANY host you connect ++# to. Thus you do not have to worry about the foreign machine name. Just ++# replace password with your password. ++# If you have different providers with different passwords then you better ++# remove the following line. ++#hostname * password ++ ++# INBOUND CONNECTIONS ++#client hostname 192.168.1.1 ++ ++# If you add "auth login -chap +pap" to /etc/mgetty+sendfax/login.config, ++# all users in /etc/passwd can use their password for pap-authentication. ++# ++# Every regular user can use PPP and has to use passwords from /etc/passwd ++#* hostname "" ++# UserIDs that cannot use PPP at all. Check your /etc/passwd and add any ++# other accounts that should not be able to use pppd! Replace hostname ++# with your local hostname. 
++#guest hostname "*" - ++#master hostname "*" - ++#root hostname "*" - ++#support hostname "*" - ++#stats hostname "*" - +-- +1.8.3.1 + diff --git a/SOURCES/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch b/SOURCES/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch new file mode 100644 index 0000000..48190ed --- /dev/null +++ b/SOURCES/0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch 
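Review bot: sample/options ships `#auth` commented out directly beneath the comment "Please do not disable this setting", so a site that copies the sample to /etc/ppp/options gets no peer-authentication requirement from this file; I would ship the line as `auth` and leave opting out to per-peer `call` files, as the comment itself advises. The same file enables `debug` and `proxyarp` by default, and each deserves a short comment saying it should be reviewed before production use. In sample/auth-up and sample/auth-down the arguments are logged with an unquoted `$*`, which the shell word-splits and glob-expands; if any argument can be influenced by the peer (presumably the peer name can, though the parameter list in the header comment is empty on this page), `"$*"` keeps it literal in /var/log/pppstats. The header comment of sample/auth-down also repeats the auth-up wording ("after the remote system successfully authenticates itself") and should describe the teardown case instead.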
@@ -0,0 +1,120 @@ +From 69711944745af0078da77e108d30f89fd7e06108 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 12:01:33 +0200 +Subject: [PATCH 05/27] build-sys: don't hardcode LIBDIR, but set it according + to the target platform + +--- + pppd/Makefile.linux | 3 ++- + pppd/pathnames.h | 2 +- + pppd/plugins/Makefile.linux | 2 +- + pppd/plugins/pppoatm/Makefile.linux | 2 +- + pppd/plugins/pppol2tp/Makefile.linux | 4 ++-- + pppd/plugins/radius/Makefile.linux | 2 +- + pppd/plugins/rp-pppoe/Makefile.linux | 2 +- + 7 files changed, 9 insertions(+), 8 deletions(-) + +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 63872eb..8ed56c1 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -8,6 +8,7 @@ DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 + INCDIR = $(DESTDIR)/include ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null) + + TARGETS = pppd + +@@ -32,7 +33,7 @@ endif + + CC = gcc + # +-COPTS = -Wall $(RPM_OPT_FLAGS) ++COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" + + # Uncomment the next 2 lines to include support for Microsoft's + # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. 
+diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index a33f046..a427cb8 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -57,7 +57,7 @@ + + #ifdef PLUGIN + #ifdef __STDC__ +-#define _PATH_PLUGIN DESTDIR "/lib/pppd/" VERSION ++#define _PATH_PLUGIN LIBDIR "/pppd/" VERSION + #else /* __STDC__ */ + #define _PATH_PLUGIN "/usr/lib/pppd" + #endif /* __STDC__ */ +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index e09a369..b474a19 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -7,7 +7,7 @@ INSTALL = install + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell $(CC) -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + SUBDIRS := rp-pppoe pppoatm pppol2tp + # Uncomment the next line to include the radius authentication plugin +diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux +index 5a81447..769794b 100644 +--- a/pppd/plugins/pppoatm/Makefile.linux ++++ b/pppd/plugins/pppoatm/Makefile.linux +@@ -7,7 +7,7 @@ INSTALL = install + #*********************************************************************** + + DESTDIR = $(INSTROOT)@DESTDIR@ +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux +index ea3538e..4339566 100644 +--- a/pppd/plugins/pppol2tp/Makefile.linux ++++ b/pppd/plugins/pppol2tp/Makefile.linux +@@ -6,8 +6,8 @@ INSTALL = install + + #*********************************************************************** + +-DESTDIR = @DESTDIR@ +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++DESTDIR = $(INSTROOT)@DESTDIR@ ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> 
/dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 45b3b8d..179d0b7 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ b/pppd/plugins/radius/Makefile.linux +@@ -5,7 +5,7 @@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + MANDIR = $(DESTDIR)/share/man/man8 +-LIBDIR = $(DESTDIR)/lib/pppd/$(VERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(VERSION) + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 352991a..1305ed8 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -16,7 +16,7 @@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin +-LIBDIR = $(DESTDIR)/lib/pppd/$(PPPDVERSION) ++LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(PPPDVERSION) + + PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) + +-- +1.8.3.1 + diff --git a/SOURCES/0006-scritps-use-change_resolv_conf-function.patch b/SOURCES/0006-scritps-use-change_resolv_conf-function.patch new file mode 100644 index 0000000..cbf8713 --- /dev/null +++ b/SOURCES/0006-scritps-use-change_resolv_conf-function.patch 
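Review bot: The new `-DLIBDIR=\""$(LIBDIR)"\"` in pppd/Makefile.linux bakes all of `$(LIBDIR)` into `_PATH_PLUGIN`, and `LIBDIR` is derived from `DESTDIR = $(INSTROOT)@DESTDIR@`, so a compile run with `INSTROOT` set would leave pppd searching for plugins under the staging root. That directory is where a daemon that may be installed setuid loads shared objects from, so I would build the compiled-in path from `@DESTDIR@` only, in a separate variable, and keep `LIBDIR` for installation. Five of the six Makefiles also hard-code `gcc` in `$(shell gcc -print-multi-os-directory 2> /dev/null)` while pppd/plugins/Makefile.linux uses `$(CC)`. Because stderr is discarded, a failing call silently collapses the path to `$(DESTDIR)/lib//pppd/...`, which can make the install location and the compiled-in path disagree; using `$(CC)` throughout and not hiding the error would be safer.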
@@ -0,0 +1,85 @@ +From 01419dfb684d501b57f1c24dcfdbcf9da93ccca2 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 18:12:47 +0200 +Subject: [PATCH 06/27] scritps: use change_resolv_conf function + +Don't handle /etc/resolv.conf manually, but use a helper function from +initscripts. Also change path where we save DNS servers supplied by peer while +we are at it. + +Resolves: #132482 +--- + pppd/pppd.8 | 2 +- + scripts/ip-down.local.add | 9 +++++---- + scripts/ip-up.local.add | 17 ++++++++++------- + 3 files changed, 16 insertions(+), 12 deletions(-) + +diff --git a/pppd/pppd.8 b/pppd/pppd.8 +index e2768b1..2dd6e1a 100644 +--- a/pppd/pppd.8 ++++ b/pppd/pppd.8 +@@ -1099,7 +1099,7 @@ Ask the peer for up to 2 DNS server addresses. The addresses supplied + by the peer (if any) are passed to the /etc/ppp/ip\-up script in the + environment variables DNS1 and DNS2, and the environment variable + USEPEERDNS will be set to 1. In addition, pppd will create an +-/etc/ppp/resolv.conf file containing one or two nameserver lines with ++/var/run/ppp/resolv.conf file containing one or two nameserver lines with + the address(es) supplied by the peer. + .TP + .B user \fIname +diff --git a/scripts/ip-down.local.add b/scripts/ip-down.local.add +index b93590e..163f71e 100644 +--- a/scripts/ip-down.local.add ++++ b/scripts/ip-down.local.add +@@ -9,12 +9,13 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. 
/etc/sysconfig/network-scripts/network-functions + +-if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then +- if [ -f /etc/ppp/resolv.prev ]; then +- cp -f /etc/ppp/resolv.prev /etc/resolv.conf ++if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then ++ if [ -f /var/run/ppp/resolv.prev ]; then ++ change_resolv_conf /var/run/ppp/resolv.prev + else +- rm -f /etc/resolv.conf ++ change_resolv_conf + fi + fi + +diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add +index 8017209..26cf5f8 100644 +--- a/scripts/ip-up.local.add ++++ b/scripts/ip-up.local.add +@@ -9,16 +9,19 @@ + # + # Nick Walker (nickwalker@email.com) + # ++. /etc/sysconfig/network-scripts/network-functions + +-if [ -n "$USEPEERDNS" -a -f /etc/ppp/resolv.conf ]; then +- rm -f /etc/ppp/resolv.prev ++if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then ++ rm -f /var/run/ppp/resolv.prev + if [ -f /etc/resolv.conf ]; then +- cp /etc/resolv.conf /etc/ppp/resolv.prev +- grep domain /etc/ppp/resolv.prev > /etc/resolv.conf +- grep search /etc/ppp/resolv.prev >> /etc/resolv.conf +- cat /etc/ppp/resolv.conf >> /etc/resolv.conf ++ cp /etc/resolv.conf /var/run/ppp/resolv.prev ++ rscf=/var/run/ppp/resolv.new ++ grep domain /var/run/ppp/resolv.prev > $rscf ++ grep search /var/run/ppp/resolv.prev >> $rscf ++ change_resolv_conf $rscf ++ rm -f $rscf + else +- cp /etc/ppp/resolv.conf /etc ++ change_resolv_conf /var/run/ppp/resolv.conf + fi + fi + +-- +1.8.3.1 + diff --git a/SOURCES/0007-build-sys-don-t-strip-binaries-during-installation.patch b/SOURCES/0007-build-sys-don-t-strip-binaries-during-installation.patch new file mode 100644 index 0000000..9f542a6 --- /dev/null +++ b/SOURCES/0007-build-sys-don-t-strip-binaries-during-installation.patch 
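Review bot: In scripts/ip-up.local.add the rewritten branch fills `$rscf` only with the `domain` and `search` lines of the previous resolv.conf; the old `cat /etc/ppp/resolv.conf >> /etc/resolv.conf` step has no replacement, so the peer's nameserver lines never reach `change_resolv_conf` when /etc/resolv.conf already exists. Adding `cat /var/run/ppp/resolv.conf >> $rscf` before `change_resolv_conf $rscf` would restore that, unless a later patch in the series already does. `/var/run/ppp/resolv.new` is a fixed name written with `>`, which is safe only while /var/run/ppp is writable by root alone; nothing in this patch creates the directory or checks its mode, so that is worth confirming in the packaging. Both scripts also source /etc/sysconfig/network-scripts/network-functions unconditionally, so a missing file leaves `change_resolv_conf` undefined and the DNS update fails without a clear message.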
@@ -0,0 +1,111 @@ +From b9fb631a493c5f1b490c8e9645eb6ebab4b25cc8 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 18:37:00 +0200 +Subject: [PATCH 07/27] build-sys: don't strip binaries during installation + +We don't want that when building rpms. rpmbuild does final stripping of binaries +for us and generetes debuginfo rpm. +--- + chat/Makefile.linux | 2 +- + pppd/Makefile.linux | 4 ++-- + pppd/plugins/radius/Makefile.linux | 6 +++--- + pppd/plugins/rp-pppoe/Makefile.linux | 4 ++-- + pppdump/Makefile.linux | 2 +- + pppstats/Makefile.linux | 2 +- + 6 files changed, 10 insertions(+), 10 deletions(-) + +diff --git a/chat/Makefile.linux b/chat/Makefile.linux +index 848cd8d..2445637 100644 +--- a/chat/Makefile.linux ++++ b/chat/Makefile.linux +@@ -25,7 +25,7 @@ chat.o: chat.c + + install: chat + mkdir -p $(BINDIR) $(MANDIR) +- $(INSTALL) -s -c chat $(BINDIR) ++ $(INSTALL) -c chat $(BINDIR) + $(INSTALL) -c -m 644 chat.8 $(MANDIR) + + clean: +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 8ed56c1..4f27100 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -102,7 +102,7 @@ ifdef USE_SRP + CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include + LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto + TARGETS += srp-entry +-EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry ++EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry + MANPAGES += srp-entry.8 + EXTRACLEAN += srp-entry.o + NEEDDES=y +@@ -208,7 +208,7 @@ all: $(TARGETS) + install: pppd + mkdir -p $(BINDIR) $(MANDIR) + $(EXTRAINSTALL) +- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd ++ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd + if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ + chmod o-rx,u+s $(BINDIR)/pppd; fi + $(INSTALL) -c -m 444 pppd.8 $(MANDIR) +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 179d0b7..707326b 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ 
b/pppd/plugins/radius/Makefile.linux +@@ -36,9 +36,9 @@ all: $(PLUGIN) + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) +- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) +- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) ++ $(INSTALL) -c -m 755 radius.so $(LIBDIR) ++ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) ++ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) + $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR) + $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) + +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 1305ed8..3cd9101 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -43,9 +43,9 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) ++ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) + $(INSTALL) -d -m 755 $(BINDIR) +- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) ++ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) + + clean: + rm -f *.o *.so pppoe-discovery +diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux +index d0a5032..95c6805 100644 +--- a/pppdump/Makefile.linux ++++ b/pppdump/Makefile.linux +@@ -17,5 +17,5 @@ clean: + + install: + mkdir -p $(BINDIR) $(MANDIR) +- $(INSTALL) -s -c pppdump $(BINDIR) ++ $(INSTALL) -c pppdump $(BINDIR) + $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) +diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux +index 42aba73..c5ba3b1 100644 +--- a/pppstats/Makefile.linux ++++ b/pppstats/Makefile.linux +@@ -22,7 +22,7 @@ all: pppstats + + install: pppstats + -mkdir -p $(MANDIR) +- $(INSTALL) -s -c pppstats $(BINDIR) ++ $(INSTALL) -c pppstats $(BINDIR) + $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) + + pppstats: $(PPPSTATSRCS) +-- +1.8.3.1 + 
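Review bot: The rp-pppoe install line keeps `-m 4550` on `rp-pppoe.so`, so a plugin that pppd loads with dlopen() is installed with the setuid bit set. The bit has no effect on a shared object and only adds an entry to every setuid-file audit, and the radius plugins touched by this same patch are installed `-m 755`. Since the line is being edited anyway, `$(INSTALL) -c -m 755 rp-pppoe.so $(LIBDIR)` would bring it in line with them.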
diff --git a/SOURCES/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch b/SOURCES/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch
new file mode 100644
index 0000000..e82c957
--- /dev/null
+++ b/SOURCES/0008-build-sys-use-prefix-usr-instead-of-usr-local.patch
@@ -0,0 +1,89 @@ +From 343728d5de6e44bd67923503e62eefaad50760a4 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 18:47:01 +0200 +Subject: [PATCH 08/27] build-sys: use prefix /usr instead of /usr/local + +--- + configure | 2 +- + pppd/Makefile.linux | 4 ++-- + scripts/ppp-on-rsh | 2 +- + scripts/ppp-on-ssh | 4 ++-- + scripts/secure-card | 2 +- + 5 files changed, 7 insertions(+), 7 deletions(-) + +diff --git a/configure b/configure +index 6a55e0f..db54d77 100755 +--- a/configure ++++ b/configure +@@ -2,7 +2,7 @@ + # $Id: configure,v 1.38 2008/06/15 07:08:49 paulus Exp $ + + # Where to install stuff by default +-DESTDIR=/usr/local ++DESTDIR=/usr + SYSCONF=/etc + + # if [ -d /NextApps ]; then +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 4f27100..95c2598 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -99,8 +99,8 @@ endif + + # EAP SRP-SHA1 + ifdef USE_SRP +-CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include +-LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto ++CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/include/openssl ++LIBS += -lsrp -L/usr/lib -lcrypto + TARGETS += srp-entry + EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry + MANPAGES += srp-entry.8 +diff --git a/scripts/ppp-on-rsh b/scripts/ppp-on-rsh +index 30a50db..a80616a 100755 +--- a/scripts/ppp-on-rsh ++++ b/scripts/ppp-on-rsh +@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost + # For this example, we assume that pppd on both local and remote + # machines reside in the same place, /usr/local/bin/pppd + # +-PPPD_LOC=/usr/local/bin/pppd ++PPPD_LOC=/usr/sbin/pppd + + # + # The location of local options file (where rsh client is running). 
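Review bot: The comment directly above `PPPD_LOC` in scripts/ppp-on-rsh still says that pppd lives in `/usr/local/bin/pppd` on both machines, while the assignment below it now reads `/usr/sbin/pppd`. The ppp-on-ssh hunk carries the same stale comment. Changing the comment line to `# machines reside in the same place, /usr/sbin/pppd` in both scripts keeps the samples self-consistent, which matters because the same path is also assumed for the remote host.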
+diff --git a/scripts/ppp-on-ssh b/scripts/ppp-on-ssh +index 0e41aca..c27e80a 100755 +--- a/scripts/ppp-on-ssh ++++ b/scripts/ppp-on-ssh +@@ -26,7 +26,7 @@ PPPD_RHOST=myremotehost + # For this example, we assume that pppd on both local and remote + # machines reside in the same place, /usr/local/bin/pppd + # +-PPPD_LOC=/usr/local/bin/pppd ++PPPD_LOC=/usr/sbin/pppd + + # + # The location of local options file (where ssh client is running). +@@ -52,7 +52,7 @@ PPPD_REM_OPT=/etc/ppp/options-ssh-rem + # + # The location of ssh client on the local machine + # +-SSH_LOC=/usr/local/bin/ssh ++SSH_LOC=/usr/bin/ssh + + export PPPD_LOC PPPD_LOC_OPT PPPD_REM_OPT PPPD_RHOST SSH_LOC + +diff --git a/scripts/secure-card b/scripts/secure-card +index 0002365..ae3ae50 100755 +--- a/scripts/secure-card ++++ b/scripts/secure-card +@@ -1,4 +1,4 @@ +-#!/usr/local/bin/expect -f ++#!/usr/bin/expect -f + # + # This script was written by Jim Isaacson . It is + # designed to work as a script to use the SecureCARD(tm) device. This +-- +1.8.3.1 + diff --git a/SOURCES/0009-pppd-introduce-ipv6-accept-remote.patch b/SOURCES/0009-pppd-introduce-ipv6-accept-remote.patch new file mode 100644 index 0000000..af0f015 --- /dev/null +++ b/SOURCES/0009-pppd-introduce-ipv6-accept-remote.patch 
@@ -0,0 +1,57 @@ +From abef895f9d144f05a83045136b77277352dc450f Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Fri, 4 Apr 2014 18:53:33 +0200 +Subject: [PATCH 09/27] pppd: introduce ipv6-accept-remote + +--- + pppd/ipv6cp.c | 5 ++++- + pppd/ipv6cp.h | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c +index caa2b26..5a56c95 100644 +--- a/pppd/ipv6cp.c ++++ b/pppd/ipv6cp.c +@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = { + + { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local, + "Accept peer's interface identifier for us", 1 }, ++ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote, ++ "Accept peer's interface identifier for itself", 1 }, + + { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip, + "Use (default) IPv4 address as interface identifier", 1 }, +@@ -437,6 +439,7 @@ ipv6cp_init(unit) + memset(ao, 0, sizeof(*ao)); + + wo->accept_local = 1; ++ wo->accept_remote = 1; + wo->neg_ifaceid = 1; + ao->neg_ifaceid = 1; + +@@ -962,7 +965,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree) + orc = CONFREJ; /* Reject CI */ + break; + } +- if (!eui64_iszero(wo->hisid) && ++ if (!eui64_iszero(wo->hisid) && !wo->accept_remote && + !eui64_equals(ifaceid, wo->hisid) && + eui64_iszero(go->hisid)) { + +diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h +index cc4568d..8c7552e 100644 +--- a/pppd/ipv6cp.h ++++ b/pppd/ipv6cp.h +@@ -150,7 +150,8 @@ + typedef struct ipv6cp_options { + int neg_ifaceid; /* Negotiate interface identifier? */ + int req_ifaceid; /* Ask peer to send interface identifier? */ +- int accept_local; /* accept peer's value for iface id? */ ++ int accept_local; /* accept peer's value for our iface id? */ ++ int accept_remote; /* accept peer's value for his iface id? */ + int opt_local; /* ourtoken set by option */ + int opt_remote; /* histoken set by option */ + int use_ip; /* use IP as interface identifier */ +-- +1.8.3.1 + 
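Review bot: In `ipv6cp_reqci` the added `!wo->accept_remote` term disables the branch taken when the peer's interface identifier differs from a locally configured `wo->hisid`, and `ipv6cp_init` now sets `wo->accept_remote = 1` unconditionally, so as far as these hunks show that branch is off by default. The new `ipv6cp-accept-remote` entry is an `o_bool` with value 1 that writes `ipv6cp_allowoptions[0].accept_remote`, not the `wo` field the condition reads, so it does not look like it can turn the check back on. If a configured remote identifier is meant to be enforced unless the administrator opts out, the default should stay 0 (`wo->accept_remote = 0;`) and the option should set the field that `ipv6cp_reqci` consults. Both functions continue outside the hunks, so this needs confirming against the full file.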
diff --git a/SOURCES/0010-build-sys-enable-CBCP.patch b/SOURCES/0010-build-sys-enable-CBCP.patch new file mode 100644 index 0000000..87c3b72 --- /dev/null +++ b/SOURCES/0010-build-sys-enable-CBCP.patch @@ -0,0 +1,26 @@ +From 8015a0ef23a874f288d5e77ffafe1d7f4281725d Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 18:59:24 +0200 +Subject: [PATCH 10/27] build-sys: enable CBCP + +Resolves: #199278 +--- + pppd/Makefile.linux | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 95c2598..65700fa 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -68,7 +68,7 @@ HAVE_INET6=y + PLUGIN=y + + # Enable Microsoft proprietary Callback Control Protocol +-#CBCP=y ++CBCP=y + + # Enable EAP SRP-SHA1 authentication (requires libsrp) + #USE_SRP=y +-- +1.8.3.1 + diff --git a/SOURCES/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch b/SOURCES/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch new file mode 100644 index 0000000..56ac388 --- /dev/null +++ b/SOURCES/0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch 
@@ -0,0 +1,77 @@ +From b4ef433be936c90e356da7a590b032cdee219a3f Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Fri, 4 Apr 2014 19:06:05 +0200 +Subject: [PATCH 11/27] build-sys: don't put connect-errors log to /etc/ppp/ + +Resolves: #118837 +--- + chat/chat.8 | 2 +- + linux/Makefile.top | 8 +++++++- + pppd/pathnames.h | 4 ++-- + 3 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/chat/chat.8 b/chat/chat.8 +index 6d10836..78d6939 100644 +--- a/chat/chat.8 ++++ b/chat/chat.8 +@@ -200,7 +200,7 @@ The \fBSAY\fR directive allows the script to send strings to the user + at the terminal via standard error. If \fBchat\fR is being run by + pppd, and pppd is running as a daemon (detached from its controlling + terminal), standard error will normally be redirected to the file +-/etc/ppp/connect\-errors. ++/var/log/ppp/connect\-errors. + .LP + \fBSAY\fR strings must be enclosed in single or double quotes. If + carriage return and line feed are needed in the string to be output, +diff --git a/linux/Makefile.top b/linux/Makefile.top +index f63d45e..f42efd5 100644 +--- a/linux/Makefile.top ++++ b/linux/Makefile.top +@@ -5,6 +5,8 @@ BINDIR = $(DESTDIR)/sbin + INCDIR = $(DESTDIR)/include + MANDIR = $(DESTDIR)/share/man + ETCDIR = $(INSTROOT)@SYSCONF@/ppp ++RUNDIR = $(DESTDIR)/var/run/ppp ++LOGDIR = $(DESTDIR)/var/log/ppp + + # uid 0 = root + INSTALL= install +@@ -16,7 +18,7 @@ all: + cd pppstats; $(MAKE) $(MFLAGS) all + cd pppdump; $(MAKE) $(MFLAGS) all + +-install: $(BINDIR) $(MANDIR)/man8 install-progs install-devel ++install: $(BINDIR) $(RUNDIR) $(LOGDIR) $(MANDIR)/man8 install-progs install-devel + + install-progs: + cd chat; $(MAKE) $(MFLAGS) install +@@ -44,6 +46,10 @@ $(MANDIR)/man8: + $(INSTALL) -d -m 755 $@ + $(ETCDIR): + $(INSTALL) -d -m 755 $@ ++$(RUNDIR): ++ $(INSTALL) -d -m 755 $@ ++$(LOGDIR): ++ $(INSTALL) -d -m 755 $@ + + clean: + rm -f `find . 
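Review bot: `RUNDIR` and `LOGDIR` in linux/Makefile.top are built from `$(DESTDIR)`, which is the install prefix in this file (`BINDIR = $(DESTDIR)/sbin`), so `make install` would create `var/run/ppp` and `var/log/ppp` under the prefix. The pathnames.h hunk of this patch compiles in `/var/log/ppp` and `/var/run/ppp` instead. `ETCDIR` already shows the pattern for paths outside the prefix, so `RUNDIR = $(INSTROOT)/var/run/ppp` and `LOGDIR = $(INSTROOT)/var/log/ppp` look like what was intended. If the directories are missing at run time, the open of `_PATH_CONNERRS` presumably fails and the connect script's error output is lost, so it is worth confirming that packaging creates them with the intended owner and mode.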
-name '*.[oas]' -print` +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index a427cb8..bef3160 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -28,9 +28,9 @@ + #define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up" + #define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down" + #define _PATH_TTYOPT _ROOT_PATH "/etc/ppp/options." +-#define _PATH_CONNERRS _ROOT_PATH "/etc/ppp/connect-errors" ++#define _PATH_CONNERRS _ROOT_PATH "/var/log/ppp/connect-errors" + #define _PATH_PEERFILES _ROOT_PATH "/etc/ppp/peers/" +-#define _PATH_RESOLV _ROOT_PATH "/etc/ppp/resolv.conf" ++#define _PATH_RESOLV _ROOT_PATH "/var/run/ppp/resolv.conf" + + #define _PATH_USEROPT ".ppprc" + #define _PATH_PSEUDONYM ".ppp_pseudonym" +-- +1.8.3.1 + diff --git a/SOURCES/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch b/SOURCES/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch new file mode 100644 index 0000000..cf25dba --- /dev/null +++ b/SOURCES/0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch 
@@ -0,0 +1,143 @@ +From 82cd789df0f022eb6f3d28646e7a61d1d0715805 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 12:23:36 +0200 +Subject: [PATCH 12/27] pppd: we don't want to accidentally leak fds + +--- + pppd/auth.c | 20 ++++++++++---------- + pppd/options.c | 2 +- + pppd/sys-linux.c | 4 ++-- + 3 files changed, 13 insertions(+), 13 deletions(-) + +diff --git a/pppd/auth.c b/pppd/auth.c +index 4271af6..9e957fa 100644 +--- a/pppd/auth.c ++++ b/pppd/auth.c +@@ -428,7 +428,7 @@ setupapfile(argv) + option_error("unable to reset uid before opening %s: %m", fname); + return 0; + } +- ufile = fopen(fname, "r"); ++ ufile = fopen(fname, "re"); + if (seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); + if (ufile == NULL) { +@@ -1413,7 +1413,7 @@ check_passwd(unit, auser, userlen, apasswd, passwdlen, msg) + filename = _PATH_UPAPFILE; + addrs = opts = NULL; + ret = UPAP_AUTHNAK; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open PAP password file %s: %m", filename); + +@@ -1512,7 +1512,7 @@ null_login(unit) + if (ret <= 0) { + filename = _PATH_UPAPFILE; + addrs = NULL; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1559,7 +1559,7 @@ get_pap_passwd(passwd) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + check_access(f, filename); +@@ -1597,7 +1597,7 @@ have_pap_secret(lacks_ipp) + } + + filename = _PATH_UPAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1642,7 +1642,7 @@ have_chap_secret(client, server, need_ip, lacks_ipp) + } + + filename = _PATH_CHAPFILE; +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1684,7 +1684,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) + struct wordlist *addrs; + + filename = _PATH_SRPFILE; +- f = 
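Review bot: The `e` mode character passed to `fopen()` in `setupapfile`, and in every other hunk of this patch, is a C-library extension rather than ISO C. On a libc that does not implement it the secrets files may be opened without close-on-exec, and nothing in the build would signal that. auth.c and options.c are not platform-specific by name the way sys-linux.c is, so a short comment at the first use would record the assumption, for example `/* "e" = close-on-exec (libc extension): keep secrets fds out of exec'd scripts */`. `setupapfile` continues outside the hunk.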
fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) + return 0; + +@@ -1740,7 +1740,7 @@ get_secret(unit, client, server, secret, secret_len, am_server) + addrs = NULL; + secbuf[0] = 0; + +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + if (f == NULL) { + error("Can't open chap secret file %s: %m", filename); + return 0; +@@ -1797,7 +1797,7 @@ get_srp_secret(unit, client, server, secret, am_server) + filename = _PATH_SRPFILE; + addrs = NULL; + +- fp = fopen(filename, "r"); ++ fp = fopen(filename, "re"); + if (fp == NULL) { + error("Can't open srp secret file %s: %m", filename); + return 0; +@@ -2203,7 +2203,7 @@ scan_authfile(f, client, server, secret, addrs, opts, filename, flags) + */ + if (word[0] == '@' && word[1] == '/') { + strlcpy(atfile, word+1, sizeof(atfile)); +- if ((sf = fopen(atfile, "r")) == NULL) { ++ if ((sf = fopen(atfile, "re")) == NULL) { + warn("can't open indirect secret file %s", atfile); + continue; + } +diff --git a/pppd/options.c b/pppd/options.c +index 45fa742..1d754ae 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -427,7 +427,7 @@ options_from_file(filename, must_exist, check_prot, priv) + option_error("unable to drop privileges to open %s: %m", filename); + return 0; + } +- f = fopen(filename, "r"); ++ f = fopen(filename, "re"); + err = errno; + if (check_prot && seteuid(euid) == -1) + fatal("unable to regain privileges"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 72a7727..8a12fa0 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -1412,7 +1412,7 @@ static char *path_to_procfs(const char *tail) + /* Default the mount location of /proc */ + strlcpy (proc_path, "/proc", sizeof(proc_path)); + proc_path_len = 5; +- fp = fopen(MOUNTED, "r"); ++ fp = fopen(MOUNTED, "re"); + if (fp != NULL) { + while ((mntent = getmntent(fp)) != NULL) { + if (strcmp(mntent->mnt_type, MNTTYPE_IGNORE) == 0) +@@ -1472,7 +1472,7 @@ static int open_route_table (void) + close_route_table(); + + path = 
path_to_procfs("/net/route"); +- route_fd = fopen (path, "r"); ++ route_fd = fopen (path, "re"); + if (route_fd == NULL) { + error("can't open routing table %s: %m", path); + return 0; +-- +1.8.3.1 + diff --git a/SOURCES/0013-everywhere-O_CLOEXEC-harder.patch b/SOURCES/0013-everywhere-O_CLOEXEC-harder.patch new file mode 100644 index 0000000..d720c36 --- /dev/null +++ b/SOURCES/0013-everywhere-O_CLOEXEC-harder.patch 
@@ -0,0 +1,241 @@ +From 302c1b736cb656c7885a0cba270fd953a672d8a8 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 13:56:34 +0200 +Subject: [PATCH 13/27] everywhere: O_CLOEXEC harder + +--- + pppd/eap.c | 2 +- + pppd/main.c | 4 ++-- + pppd/options.c | 4 ++-- + pppd/sys-linux.c | 22 +++++++++++----------- + pppd/tdb.c | 4 ++-- + pppd/tty.c | 4 ++-- + pppd/utils.c | 6 +++--- + 7 files changed, 23 insertions(+), 23 deletions(-) + +diff --git a/pppd/eap.c b/pppd/eap.c +index 6ea6c1f..faced53 100644 +--- a/pppd/eap.c ++++ b/pppd/eap.c +@@ -1226,7 +1226,7 @@ mode_t modebits; + + if ((path = name_of_pn_file()) == NULL) + return (-1); +- fd = open(path, modebits, S_IRUSR | S_IWUSR); ++ fd = open(path, modebits, S_IRUSR | S_IWUSR | O_CLOEXEC); + err = errno; + free(path); + errno = err; +diff --git a/pppd/main.c b/pppd/main.c +index 6d50d1b..4880377 100644 +--- a/pppd/main.c ++++ b/pppd/main.c +@@ -420,7 +420,7 @@ main(argc, argv) + die(0); + + /* Make sure fds 0, 1, 2 are open to somewhere. 
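Review bot: In the pppd/eap.c hunk `O_CLOEXEC` is OR-ed into the third argument of `open()`, which is the creation mode, so the descriptor is not opened close-on-exec and the permission argument carries a stray flag bit. Judging by its position in the call, `modebits` holds the open flags, so the line should read `fd = open(path, modebits | O_CLOEXEC, S_IRUSR | S_IWUSR);`. The enclosing function starts and ends outside the hunk.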
*/ +- fd_devnull = open(_PATH_DEVNULL, O_RDWR); ++ fd_devnull = open(_PATH_DEVNULL, O_RDWR | O_CLOEXEC); + if (fd_devnull < 0) + fatal("Couldn't open %s: %m", _PATH_DEVNULL); + while (fd_devnull <= 2) { +@@ -1679,7 +1679,7 @@ device_script(program, in, out, dont_wait) + if (log_to_fd >= 0) + errfd = log_to_fd; + else +- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); ++ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT | O_CLOEXEC, 0600); + + ++conn_running; + pid = safe_fork(in, out, errfd); +diff --git a/pppd/options.c b/pppd/options.c +index 1d754ae..8e62635 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -1544,9 +1544,9 @@ setlogfile(argv) + option_error("unable to drop permissions to open %s: %m", *argv); + return 0; + } +- fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL, 0644); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CREAT | O_EXCL | O_CLOEXEC, 0644); + if (fd < 0 && errno == EEXIST) +- fd = open(*argv, O_WRONLY | O_APPEND); ++ fd = open(*argv, O_WRONLY | O_APPEND | O_CLOEXEC); + err = errno; + if (!privileged_option && seteuid(euid) == -1) + fatal("unable to regain privileges: %m"); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 8a12fa0..00a2cf5 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -459,7 +459,7 @@ int generic_establish_ppp (int fd) + goto err; + } + dbglog("using channel %d", chindex); +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd < 0) { + error("Couldn't reopen /dev/ppp: %m"); + goto err; +@@ -619,7 +619,7 @@ static int make_ppp_unit() + dbglog("in make_ppp_unit, already had /dev/ppp open?"); + close(ppp_dev_fd); + } +- ppp_dev_fd = open("/dev/ppp", O_RDWR); ++ ppp_dev_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (ppp_dev_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + flags = fcntl(ppp_dev_fd, F_GETFL); +@@ -693,7 +693,7 @@ int bundle_attach(int ifnum) + if (!new_style_driver) + return -1; + +- master_fd = open("/dev/ppp", O_RDWR); 
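Review bot: In `main()` the descriptor opened on `_PATH_DEVNULL` is the one used to make sure fds 0, 1 and 2 are open, and with `O_CLOEXEC` on it any of those three that turns out to be this very descriptor would be closed again in an exec'd child. The loop body is outside the hunk; if it fills the low descriptors with `dup()`, the copies do not inherit the flag, so the descriptor finally kept in `fd_devnull` would not be close-on-exec on that path either. If close-on-exec is wanted for it, opening without the flag and adding `fcntl(fd_devnull, F_SETFD, FD_CLOEXEC);` after the loop gives the same result on both paths.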
++ master_fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (master_fd < 0) + fatal("Couldn't open /dev/ppp: %m"); + if (ioctl(master_fd, PPPIOCATTACH, &ifnum) < 0) { +@@ -1715,7 +1715,7 @@ int sifproxyarp (int unit, u_int32_t his_adr) + if (tune_kernel) { + forw_path = path_to_procfs("/sys/net/ipv4/ip_forward"); + if (forw_path != 0) { +- int fd = open(forw_path, O_WRONLY); ++ int fd = open(forw_path, O_WRONLY | O_CLOEXEC); + if (fd >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable IP forwarding: %m"); +@@ -2030,7 +2030,7 @@ int ppp_available(void) + sscanf(utsname.release, "%d.%d.%d", &osmaj, &osmin, &ospatch); + kernel_version = KVERSION(osmaj, osmin, ospatch); + +- fd = open("/dev/ppp", O_RDWR); ++ fd = open("/dev/ppp", O_RDWR | O_CLOEXEC); + if (fd >= 0) { + new_style_driver = 1; + +@@ -2208,7 +2208,7 @@ void logwtmp (const char *line, const char *name, const char *host) + #if __GLIBC__ >= 2 + updwtmp(_PATH_WTMP, &ut); + #else +- wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY); ++ wtmp = open(_PATH_WTMP, O_APPEND|O_WRONLY|O_CLOEXEC); + if (wtmp >= 0) { + flock(wtmp, LOCK_EX); + +@@ -2394,7 +2394,7 @@ int sifaddr (int unit, u_int32_t our_adr, u_int32_t his_adr, + int fd; + + path = path_to_procfs("/sys/net/ipv4/ip_dynaddr"); +- if (path != 0 && (fd = open(path, O_WRONLY)) >= 0) { ++ if (path != 0 && (fd = open(path, O_WRONLY | O_CLOEXEC)) >= 0) { + if (write(fd, "1", 1) != 1) + error("Couldn't enable dynamic IP addressing: %m"); + close(fd); +@@ -2570,7 +2570,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + /* + * Try the unix98 way first. 
+ */ +- mfd = open("/dev/ptmx", O_RDWR); ++ mfd = open("/dev/ptmx", O_RDWR | O_CLOEXEC); + if (mfd >= 0) { + int ptn; + if (ioctl(mfd, TIOCGPTN, &ptn) >= 0) { +@@ -2581,7 +2581,7 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + if (ioctl(mfd, TIOCSPTLCK, &ptn) < 0) + warn("Couldn't unlock pty slave %s: %m", pty_name); + #endif +- if ((sfd = open(pty_name, O_RDWR | O_NOCTTY)) < 0) ++ if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) + warn("Couldn't open pty slave %s: %m", pty_name); + } + } +@@ -2592,10 +2592,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + for (i = 0; i < 64; ++i) { + slprintf(pty_name, sizeof(pty_name), "/dev/pty%c%x", + 'p' + i / 16, i % 16); +- mfd = open(pty_name, O_RDWR, 0); ++ mfd = open(pty_name, O_RDWR | O_CLOEXEC, 0); + if (mfd >= 0) { + pty_name[5] = 't'; +- sfd = open(pty_name, O_RDWR | O_NOCTTY, 0); ++ sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC, 0); + if (sfd >= 0) { + fchown(sfd, uid, -1); + fchmod(sfd, S_IRUSR | S_IWUSR); +diff --git a/pppd/tdb.c b/pppd/tdb.c +index bdc5828..c7ab71c 100644 +--- a/pppd/tdb.c ++++ b/pppd/tdb.c +@@ -1724,7 +1724,7 @@ TDB_CONTEXT *tdb_open_ex(const char *name, int hash_size, int tdb_flags, + goto internal; + } + +- if ((tdb->fd = open(name, open_flags, mode)) == -1) { ++ if ((tdb->fd = open(name, open_flags | O_CLOEXEC, mode)) == -1) { + TDB_LOG((tdb, 5, "tdb_open_ex: could not open file %s: %s\n", + name, strerror(errno))); + goto fail; /* errno set by open(2) */ +@@ -1967,7 +1967,7 @@ int tdb_reopen(TDB_CONTEXT *tdb) + } + if (close(tdb->fd) != 0) + TDB_LOG((tdb, 0, "tdb_reopen: WARNING closing tdb->fd failed!\n")); +- tdb->fd = open(tdb->name, tdb->open_flags & ~(O_CREAT|O_TRUNC), 0); ++ tdb->fd = open(tdb->name, (tdb->open_flags & ~(O_CREAT|O_TRUNC)) | O_CLOEXEC, 0); + if (tdb->fd == -1) { + TDB_LOG((tdb, 0, "tdb_reopen: open failed (%s)\n", strerror(errno))); + goto fail; +diff --git a/pppd/tty.c b/pppd/tty.c +index d571b11..bc96695 100644 +--- a/pppd/tty.c ++++ 
b/pppd/tty.c +@@ -569,7 +569,7 @@ int connect_tty() + status = EXIT_OPEN_FAILED; + goto errret; + } +- real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR, 0); ++ real_ttyfd = open(devnam, O_NONBLOCK | O_RDWR | O_CLOEXEC, 0); + err = errno; + if (prio < OPRIO_ROOT && seteuid(0) == -1) + fatal("Unable to regain privileges"); +@@ -723,7 +723,7 @@ int connect_tty() + if (connector == NULL && modem && devnam[0] != 0) { + int i; + for (;;) { +- if ((i = open(devnam, O_RDWR)) >= 0) ++ if ((i = open(devnam, O_RDWR | O_CLOEXEC)) >= 0) + break; + if (errno != EINTR) { + error("Failed to reopen %s: %m", devnam); +diff --git a/pppd/utils.c b/pppd/utils.c +index 29bf970..6051b9a 100644 +--- a/pppd/utils.c ++++ b/pppd/utils.c +@@ -918,14 +918,14 @@ lock(dev) + slprintf(lock_file, sizeof(lock_file), "%s/LCK..%s", LOCK_DIR, dev); + #endif + +- while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR, 0644)) < 0) { ++ while ((fd = open(lock_file, O_EXCL | O_CREAT | O_RDWR | O_CLOEXEC, 0644)) < 0) { + if (errno != EEXIST) { + error("Can't create lock file %s: %m", lock_file); + break; + } + + /* Read the lock file to find out who has the device locked. */ +- fd = open(lock_file, O_RDONLY, 0); ++ fd = open(lock_file, O_RDONLY | O_CLOEXEC, 0); + if (fd < 0) { + if (errno == ENOENT) /* This is just a timing problem. */ + continue; +@@ -1004,7 +1004,7 @@ relock(pid) + + if (lock_file[0] == 0) + return -1; +- fd = open(lock_file, O_WRONLY, 0); ++ fd = open(lock_file, O_WRONLY | O_CLOEXEC, 0); + if (fd < 0) { + error("Couldn't reopen lock file %s: %m", lock_file); + lock_file[0] = 0; +-- +1.8.3.1 + diff --git a/SOURCES/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch b/SOURCES/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch new file mode 100644 index 0000000..08d67f7 --- /dev/null +++ b/SOURCES/0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch 
@@ -0,0 +1,174 @@ +From 2a97ab28ee00586e5f06b3ef3a0e43ea0c7c6499 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 14:21:41 +0200 +Subject: [PATCH 14/27] everywhere: use SOCK_CLOEXEC when creating socket + +--- + pppd/plugins/pppoatm/pppoatm.c | 2 +- + pppd/plugins/pppol2tp/openl2tp.c | 2 +- + pppd/plugins/pppol2tp/pppol2tp.c | 2 +- + pppd/plugins/rp-pppoe/if.c | 2 +- + pppd/plugins/rp-pppoe/plugin.c | 6 +++--- + pppd/plugins/rp-pppoe/pppoe-discovery.c | 2 +- + pppd/sys-linux.c | 10 +++++----- + pppd/tty.c | 2 +- + 8 files changed, 14 insertions(+), 14 deletions(-) + +diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c +index d693350..c31bb34 100644 +--- a/pppd/plugins/pppoatm/pppoatm.c ++++ b/pppd/plugins/pppoatm/pppoatm.c +@@ -135,7 +135,7 @@ static int connect_pppoatm(void) + + if (!device_got_set) + no_device_given_pppoatm(); +- fd = socket(AF_ATMPVC, SOCK_DGRAM, 0); ++ fd = socket(AF_ATMPVC, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd < 0) + fatal("failed to create socket: %m"); + memset(&qos, 0, sizeof qos); +diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c +index 9643b96..1099575 100644 +--- a/pppd/plugins/pppol2tp/openl2tp.c ++++ b/pppd/plugins/pppol2tp/openl2tp.c +@@ -83,7 +83,7 @@ static int openl2tp_client_create(void) + int result; + + if (openl2tp_fd < 0) { +- openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM, 0); ++ openl2tp_fd = socket(PF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (openl2tp_fd < 0) { + error("openl2tp connection create: %m"); + return -ENOTCONN; +diff --git a/pppd/plugins/pppol2tp/pppol2tp.c b/pppd/plugins/pppol2tp/pppol2tp.c +index a7e3400..e64a778 100644 +--- a/pppd/plugins/pppol2tp/pppol2tp.c ++++ b/pppd/plugins/pppol2tp/pppol2tp.c +@@ -208,7 +208,7 @@ static void send_config_pppol2tp(int mtu, + struct ifreq ifr; + int fd; + +- fd = socket(AF_INET, SOCK_DGRAM, 0); ++ fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (fd >= 0) { + memset (&ifr, '\0', sizeof 
(ifr)); + strlcpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); +diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c +index 91e9a57..72aba41 100644 +--- a/pppd/plugins/rp-pppoe/if.c ++++ b/pppd/plugins/rp-pppoe/if.c +@@ -116,7 +116,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + fatal("Cannot create raw socket -- pppoe must be run as root."); +diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c +index a8c2bb4..24bdf8f 100644 +--- a/pppd/plugins/rp-pppoe/plugin.c ++++ b/pppd/plugins/rp-pppoe/plugin.c +@@ -137,7 +137,7 @@ PPPOEConnectDevice(void) + /* server equipment). */ + /* Opening this socket just before waitForPADS in the discovery() */ + /* function would be more appropriate, but it would mess-up the code */ +- conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM, PX_PROTO_OE); ++ conn->sessionSocket = socket(AF_PPPOX, SOCK_STREAM | SOCK_CLOEXEC, PX_PROTO_OE); + if (conn->sessionSocket < 0) { + error("Failed to create PPPoE socket: %m"); + return -1; +@@ -148,7 +148,7 @@ PPPOEConnectDevice(void) + lcp_wantoptions[0].mru = conn->mru; + + /* Update maximum MRU */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) { + error("Can't get MTU for %s: %m", conn->ifName); + goto errout; +@@ -320,7 +320,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) + } + + /* Open a socket */ +- if ((fd = socket(PF_PACKET, SOCK_RAW, 0)) < 0) { ++ if ((fd = socket(PF_PACKET, SOCK_RAW | SOCK_CLOEXEC, 0)) < 0) { + r = 0; + } + +diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c +index 3d3bf4e..c0d927d 100644 +--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c ++++ 
b/pppd/plugins/rp-pppoe/pppoe-discovery.c +@@ -121,7 +121,7 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + stype = SOCK_PACKET; + #endif + +- if ((fd = socket(domain, stype, htons(type))) < 0) { ++ if ((fd = socket(domain, stype | SOCK_CLOEXEC, htons(type))) < 0) { + /* Give a more helpful message for the common error case */ + if (errno == EPERM) { + rp_fatal("Cannot create raw socket -- pppoe must be run as root."); +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 00a2cf5..0690019 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -308,12 +308,12 @@ static int modify_flags(int fd, int clear_bits, int set_bits) + void sys_init(void) + { + /* Get an internet socket for doing socket ioctls. */ +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + fatal("Couldn't create IP socket: %m(%d)", errno); + + #ifdef INET6 +- sock6_fd = socket(AF_INET6, SOCK_DGRAM, 0); ++ sock6_fd = socket(AF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock6_fd < 0) + sock6_fd = -errno; /* save errno for later */ + #endif +@@ -1857,7 +1857,7 @@ get_if_hwaddr(u_char *addr, char *name) + struct ifreq ifreq; + int ret, sock_fd; + +- sock_fd = socket(AF_INET, SOCK_DGRAM, 0); ++ sock_fd = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (sock_fd < 0) + return 0; + memset(&ifreq.ifr_hwaddr, 0, sizeof(struct sockaddr)); +@@ -2067,7 +2067,7 @@ int ppp_available(void) + /* + * Open a socket for doing the ioctl operations. 
+ */ +- s = socket(AF_INET, SOCK_DGRAM, 0); ++ s = socket(AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if (s < 0) + return 0; + +@@ -2860,7 +2860,7 @@ ether_to_eui64(eui64_t *p_eui64) + int skfd; + const unsigned char *ptr; + +- skfd = socket(PF_INET6, SOCK_DGRAM, 0); ++ skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if(skfd == -1) + { + warn("could not open IPv6 socket"); +diff --git a/pppd/tty.c b/pppd/tty.c +index bc96695..8e76a5d 100644 +--- a/pppd/tty.c ++++ b/pppd/tty.c +@@ -896,7 +896,7 @@ open_socket(dest) + *sep = ':'; + + /* get a socket and connect it to the other end */ +- sock = socket(PF_INET, SOCK_STREAM, 0); ++ sock = socket(PF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0); + if (sock < 0) { + error("Can't create socket: %m"); + return -1; +-- +1.8.3.1 + diff --git a/SOURCES/0015-pppd-move-pppd-database-to-var-run-ppp.patch b/SOURCES/0015-pppd-move-pppd-database-to-var-run-ppp.patch new file mode 100644 index 0000000..88b84d5 --- /dev/null +++ b/SOURCES/0015-pppd-move-pppd-database-to-var-run-ppp.patch 
@@ -0,0 +1,44 @@ +From f2c855462ff56be4121409c7e048cd2503fe0ccf Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Mon, 7 Apr 2014 14:26:20 +0200 +Subject: [PATCH 15/27] pppd: move pppd database to /var/run/ppp + +Resolves: #560014 +--- + pppd/pathnames.h | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +diff --git a/pppd/pathnames.h b/pppd/pathnames.h +index bef3160..24e010c 100644 +--- a/pppd/pathnames.h ++++ b/pppd/pathnames.h +@@ -6,8 +6,9 @@ + + #ifdef HAVE_PATHS_H + #include +- ++#define _PPP_SUBDIR "ppp/" + #else /* HAVE_PATHS_H */ ++#define _PPP_SUBDIR + #ifndef _PATH_VARRUN + #define _PATH_VARRUN "/etc/ppp/" + #endif +@@ -46,13 +47,9 @@ + #endif /* IPX_CHANGE */ + + #ifdef __STDC__ +-#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN "pppd2.tdb" ++#define _PATH_PPPDB _ROOT_PATH _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb" + #else /* __STDC__ */ +-#ifdef HAVE_PATHS_H +-#define _PATH_PPPDB "/var/run/pppd2.tdb" +-#else +-#define _PATH_PPPDB "/etc/ppp/pppd2.tdb" +-#endif ++#define _PATH_PPPDB _PATH_VARRUN _PPP_SUBDIR "pppd2.tdb" + #endif /* __STDC__ */ + + #ifdef PLUGIN +-- +1.8.3.1 + diff --git a/SOURCES/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch b/SOURCES/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch new file mode 100644 index 0000000..a13fe79 --- /dev/null +++ b/SOURCES/0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch 
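Review bot: After this change both `_PATH_PPPDB` definitions in pppd/pathnames.h rely on adjacent string-literal concatenation and differ only in the leading `_ROOT_PATH`, whereas the removed non-`__STDC__` branch used single literals. If pre-ANSI compilers no longer matter, the `#ifdef __STDC__` split can be dropped in favour of one definition; if they do, the new `#else` line would not build there. The empty `#define _PPP_SUBDIR` would also benefit from a comment such as `/* no ppp/ subdirectory when <paths.h> is not used */`.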
@@ -0,0 +1,126 @@ +From a30efa2cc99a5b6ab220de04cbcc7db38888a17a Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Mon, 7 Apr 2014 14:29:45 +0200 +Subject: [PATCH 16/27] rp-pppoe: add manpage for pppoe-discovery + +--- + pppd/plugins/rp-pppoe/Makefile.linux | 2 + + pppd/plugins/rp-pppoe/pppoe-discovery.8 | 86 +++++++++++++++++++++++++++++++++ + 2 files changed, 88 insertions(+) + create mode 100644 pppd/plugins/rp-pppoe/pppoe-discovery.8 + +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 3cd9101..9918091 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -16,6 +16,7 @@ + + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin ++MANDIR = $(DESTDIR)/share/man/man8 + LIBDIR = $(DESTDIR)/lib/$(shell gcc -print-multi-os-directory 2> /dev/null)/pppd/$(PPPDVERSION) + + PPPDVERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) +@@ -46,6 +47,7 @@ install: all + $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) + $(INSTALL) -d -m 755 $(BINDIR) + $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) ++ $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR) + + clean: + rm -f *.o *.so pppoe-discovery +diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.8 b/pppd/plugins/rp-pppoe/pppoe-discovery.8 +new file mode 100644 +index 0000000..d0a93db +--- /dev/null ++++ b/pppd/plugins/rp-pppoe/pppoe-discovery.8 +@@ -0,0 +1,86 @@ ++.\" pppoe-discovery.8 written by ++.\" Ben Hutchings , based on pppoe.8. ++.\" Licenced under the GPL version 2 or later. ++.TH PPPOE-DISCOVERY 8 ++.SH NAME ++pppoe\-discovery \- perform PPPoE discovery ++.SH SYNOPSIS ++.B pppoe\-discovery ++[ ++.I options ++] ++.br ++.BR pppoe\-discovery " { " \-V " | " \-h " }" ++.SH DESCRIPTION ++.LP ++\fBpppoe\-discovery\fR performs the same discovery process as ++\fBpppoe\fR, but does not initiate a session. ++It sends a PADI packet and then prints the names of access ++concentrators in each PADO packet it receives. 
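Review bot: The `install` recipe in pppd/plugins/rp-pppoe/Makefile.linux creates `$(LIBDIR)` and `$(BINDIR)` with `$(INSTALL) -d` before copying into them, but the added man-page line copies into `$(MANDIR)` without creating it. When that directory does not exist, `install -c file dest` writes a regular file named after the last path component instead, so running this Makefile's `install` on its own depends on something else having created the directory. Adding `$(INSTALL) -d -m 755 $(MANDIR)` before the copy makes the recipe self-contained.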
++.SH OPTIONS ++.TP ++.BI \-I " interface" ++.RS ++The \fB\-I\fR option specifies the Ethernet interface to use. ++Under Linux, it is typically eth0 or eth1. ++The interface should be \(lqup\(rq before you start ++\fBpppoe\-discovery\fR, but should \fInot\fR be configured to have an ++IP address. ++The default interface is eth0. ++.RE ++.TP ++.BI \-D " file_name" ++.RS ++The \fB\-D\fR option causes every packet to be dumped to the specified ++\fIfile_name\fR. ++This is intended for debugging only. ++.RE ++.TP ++.B \-U ++.RS ++Causes \fBpppoe\-discovery\fR to use the Host-Uniq tag in its discovery ++packets. ++This lets you run multiple instances of \fBpppoe\-discovery\fR and/or ++\fBpppoe\fR without having their discovery packets interfere with one ++another. ++You must supply this option to \fIall\fR instances that you intend to ++run simultaneously. ++.RE ++.TP ++.BI \-S " service_name" ++.RS ++Specifies the desired service name. ++\fBpppoe\-discovery\fR will only accept access concentrators which can ++provide the specified service. ++In most cases, you should \fInot\fR specify this option. ++Use it only if you know that there are multiple access concentrators ++or know that you need a specific service name. ++.RE ++.TP ++.BI \-C " ac_name" ++.RS ++Specifies the desired access concentrator name. ++\fBpppoe\-discovery\fR will only accept the specified access ++concentrator. ++In most cases, you should \fInot\fR specify this option. ++Use it only if you know that there are multiple access concentrators. ++If both the \fB\-S\fR and \fB\-C\fR options are specified, they must ++\fIboth\fR match. ++.RE ++.TP ++.B \-A ++.RS ++This option is accepted for compatibility with \fBpppoe\fR, but has no ++effect. ++.RE ++.TP ++.BR \-V " | " \-h ++.RS ++Either of these options causes \fBpppoe\-discovery\fR to print its ++version number and usage information, then exit. ++.RE ++.SH AUTHORS ++\fBpppoe\-discovery\fR was written by Marco d'Itri , ++based on \fBpppoe\fR by David F. 
Skoll . ++.SH SEE ALSO ++pppoe(8), pppoe-sniff(8) +-- +1.8.3.1 + diff --git a/SOURCES/0018-scritps-fix-ip-up.local-sample.patch b/SOURCES/0018-scritps-fix-ip-up.local-sample.patch new file mode 100644 index 0000000..c36e0b8 --- /dev/null +++ b/SOURCES/0018-scritps-fix-ip-up.local-sample.patch @@ -0,0 +1,27 @@ +From 40960f91cdd06da387616ec838ae2599e7f01cee Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Mon, 7 Apr 2014 15:24:01 +0200 +Subject: [PATCH 18/27] scritps: fix ip-up.local sample + +Resolves: #613717 +--- + scripts/ip-up.local.add | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/scripts/ip-up.local.add b/scripts/ip-up.local.add +index 26cf5f8..282337c 100644 +--- a/scripts/ip-up.local.add ++++ b/scripts/ip-up.local.add +@@ -18,6 +18,9 @@ if [ -n "$USEPEERDNS" -a -f /var/run/ppp/resolv.conf ]; then + rscf=/var/run/ppp/resolv.new + grep domain /var/run/ppp/resolv.prev > $rscf + grep search /var/run/ppp/resolv.prev >> $rscf ++ if [ -f /var/run/ppp/resolv.conf ]; then ++ cat /var/run/ppp/resolv.conf >> $rscf ++ fi + change_resolv_conf $rscf + rm -f $rscf + else +-- +1.8.3.1 + diff --git a/SOURCES/0019-sys-linux-rework-get_first_ethernet.patch b/SOURCES/0019-sys-linux-rework-get_first_ethernet.patch new file mode 100644 index 0000000..9a8c3dd --- /dev/null +++ b/SOURCES/0019-sys-linux-rework-get_first_ethernet.patch 
@@ -0,0 +1,383 @@ +From 6edc865bd02ab591b9121d4a5f6dc3cdbe5af809 Mon Sep 17 00:00:00 2001 +From: Michal Sekletar +Date: Wed, 9 Apr 2014 09:18:24 +0200 +Subject: [PATCH 19/27] sys-linux: rework get_first_ethernet() + +We can't assume that host has ethernet NIC named "eth0". Rather than guessing we +better ask udev. We iterate over symlinks symlinks in /sys/class/net and +for each device we determine if it is ethernet device and additionally we query +udev database for sub-type of the device. If we find PCI or USB device which has +ethernet datalink type and appropriate sub-type we return its name. If we don't +succeed in determining more information about device we will return "good +enough" device which in turn is first device with ethernet datalink type. + +Note that we now have two copies of get_first_ethernet() in the source code. This +is bad and should be fixed in the future. + +This commit replaces ppp-2.4.5-eth.patch. + +Resolves: #682381 +--- + pppd/Makefile.linux | 3 + + pppd/multilink.c | 4 +- + pppd/plugins/rp-pppoe/Makefile.linux | 4 +- + pppd/plugins/rp-pppoe/pppoe-discovery.c | 117 +++++++++++++++++++++++++++++++- + pppd/pppd.h | 2 +- + pppd/sys-linux.c | 115 +++++++++++++++++++++++++++++-- + 6 files changed, 232 insertions(+), 13 deletions(-) + +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index 53df4d2..0e8107f 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -32,6 +32,9 @@ include .depend + endif + + CC = gcc ++ ++LIBS = -ludev ++ + # + COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\" + +diff --git a/pppd/multilink.c b/pppd/multilink.c +index 135cab0..2f0ed50 100644 +--- a/pppd/multilink.c ++++ b/pppd/multilink.c +@@ -436,12 +436,12 @@ static int + get_default_epdisc(ep) + struct epdisc *ep; + { +- char *p; ++ char *p = NULL; + struct hostent *hp; + u_int32_t addr; + + /* First try for an ethernet MAC address */ +- p = get_first_ethernet(); ++ get_first_ethernet(&p); + if (p != 0 && get_if_hwaddr(ep->value, p) >= 
0) { + ep->class = EPD_MAC; + ep->length = 6; +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 9918091..b949716 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -30,8 +30,8 @@ COPTS=$(RPM_OPT_FLAGS) + CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' + all: rp-pppoe.so pppoe-discovery + +-pppoe-discovery: pppoe-discovery.o debug.o +- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o ++pppoe-discovery: pppoe-discovery.o debug.o common.o ++ $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev + + pppoe-discovery.o: pppoe-discovery.c + $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c +diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c +index c0d927d..2bd910f 100644 +--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c ++++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c +@@ -47,8 +47,13 @@ + #include + #endif + ++#include ++#include ++#include ++ + char *xstrdup(const char *s); + void usage(void); ++int get_first_ethernet(char **_r); + + void die(int status) + { +@@ -681,8 +686,15 @@ int main(int argc, char *argv[]) + } + + /* default interface name */ +- if (!conn->ifName) +- conn->ifName = strdup("eth0"); ++ if (!conn->ifName) { ++ char *eth_dev; ++ if (get_first_ethernet(ð_dev) < 0) { ++ fprintf(stderr, "No ethernet device on the host.\n"); ++ exit(1); ++ } ++ conn->ifName = eth_dev; ++ } ++ + + conn->discoverySocket = -1; + conn->sessionSocket = -1; +@@ -722,3 +734,104 @@ void usage(void) + fprintf(stderr, "Usage: pppoe-discovery [options]\n"); + fprintf(stderr, "\nVersion " RP_VERSION "\n"); + } ++ ++/* ++ * get_first_ethernet - return the name of the first ethernet-style ++ * interface on this system. 
++ */ ++int ++get_first_ethernet(char **_r) ++{ ++ int r = 0; ++ DIR *d = NULL; ++ struct dirent *entry = NULL; ++ struct udev *udev = NULL; ++ struct udev_device *dev = NULL; ++ char *eth_dev = NULL; ++ ++ d = opendir("/sys/class/net"); ++ if (!d) { ++ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); ++ r = -errno; ++ goto fail; ++ } ++ ++ udev = udev_new(); ++ if (!udev) { ++ fprintf(stderr, "Failed to talk to systemd-udevd\n"); ++ r = -EIO; ++ goto fail; ++ } ++ ++ while ((entry = readdir(d)) != NULL) { ++ char syspath[PATH_MAX] = {}; ++ const char *type = NULL; ++ ++ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) ++ continue; ++ ++ sprintf(syspath, "/sys/class/net/%s", entry->d_name); ++ ++ dev = udev_device_new_from_syspath(udev, syspath); ++ if (!dev) ++ continue; ++ ++ type = udev_device_get_sysattr_value(dev, "type"); ++ if (strcmp(type, "1") == 0) { ++ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; ++ ++ pci_dev_subclass = udev_device_get_property_value(dev, ++ "ID_PCI_SUBCLASS_FROM_DATABASE"); ++ usb_dev_subclass = udev_device_get_property_value(dev, ++ "ID_USB_SUBCLASS_FROM_DATABASE"); ++ ++ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || ++ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || ++ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { ++ char *d = NULL; ++ ++ d = strdup(entry->d_name); ++ if (!d) { ++ r = -ENOMEM; ++ goto fail; ++ } ++ ++ free(eth_dev); ++ eth_dev = d; ++ break; ++ } else if (!eth_dev) { ++ eth_dev = strdup(entry->d_name); ++ if (!eth_dev) { ++ r = -ENOMEM; ++ goto fail; ++ } ++ } ++ } ++ ++ udev_device_unref(dev); ++ dev = NULL; ++ } ++ ++ if (dev) ++ udev_device_unref(dev); ++ udev_unref(udev); ++ closedir(d); ++ ++ *_r = eth_dev; ++ ++ return 0; ++ ++fail: ++ if (dev) ++ udev_device_unref(dev); ++ ++ if (udev) ++ udev_unref(udev); ++ ++ if (d) ++ closedir(d); ++ ++ free(eth_dev); ++ ++ return r; ++} 
+diff --git a/pppd/pppd.h b/pppd/pppd.h +index de271c1..aaddba1 100644 +--- a/pppd/pppd.h ++++ b/pppd/pppd.h +@@ -691,7 +691,7 @@ int sipxfaddr __P((int, unsigned long, unsigned char *)); + int cipxfaddr __P((int)); + #endif + int get_if_hwaddr __P((u_char *addr, char *name)); +-char *get_first_ethernet __P((void)); ++int get_first_ethernet __P((char **_r)); + + /* Procedures exported from options.c */ + int setipaddr __P((char *, char **, int)); /* Set local/remote ip addresses */ +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 0690019..ec09c50 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -92,6 +92,9 @@ + #include + #include + #include ++#include ++ ++#include + + /* This is in netdevice.h. However, this compile will fail miserably if + you attempt to include netdevice.h because it has so many references +@@ -1873,10 +1876,101 @@ get_if_hwaddr(u_char *addr, char *name) + * get_first_ethernet - return the name of the first ethernet-style + * interface on this system. 
+ */ +-char * +-get_first_ethernet() +-{ +- return "eth0"; ++int ++get_first_ethernet(char **_r) ++{ ++ int r = 0; ++ DIR *d = NULL; ++ struct dirent *entry = NULL; ++ struct udev *udev = NULL; ++ struct udev_device *dev = NULL; ++ char *eth_dev = NULL; ++ ++ d = opendir("/sys/class/net"); ++ if (!d) { ++ fprintf(stderr, "Failed to open dir /sys/class/net : %m\n"); ++ r = -errno; ++ goto fail; ++ } ++ ++ udev = udev_new(); ++ if (!udev) { ++ fprintf(stderr, "Failed to talk to systemd-udevd\n"); ++ r = -EIO; ++ goto fail; ++ } ++ ++ while ((entry = readdir(d)) != NULL) { ++ char syspath[PATH_MAX] = {}; ++ const char *type = NULL; ++ ++ if ((strcmp(entry->d_name, ".") == 0) || (strcmp(entry->d_name, "..") == 0)) ++ continue; ++ ++ sprintf(syspath, "/sys/class/net/%s", entry->d_name); ++ ++ dev = udev_device_new_from_syspath(udev, syspath); ++ if (!dev) ++ continue; ++ ++ type = udev_device_get_sysattr_value(dev, "type"); ++ if (strcmp(type, "1") == 0) { ++ const char *pci_dev_subclass = NULL, *usb_dev_subclass = NULL; ++ ++ pci_dev_subclass = udev_device_get_property_value(dev, ++ "ID_PCI_SUBCLASS_FROM_DATABASE"); ++ usb_dev_subclass = udev_device_get_property_value(dev, ++ "ID_USB_SUBCLASS_FROM_DATABASE"); ++ ++ if ((pci_dev_subclass && strcmp(pci_dev_subclass, "Ethernet controller") == 0) || ++ (usb_dev_subclass && (strcmp(usb_dev_subclass, "Ethernet Networking") == 0 || ++ strcmp(usb_dev_subclass, "Ethernet Emulation") == 0))) { ++ char *d = NULL; ++ ++ d = strdup(entry->d_name); ++ if (!d) { ++ r = -ENOMEM; ++ goto fail; ++ } ++ ++ free(eth_dev); ++ eth_dev = d; ++ break; ++ } else if (!eth_dev) { ++ eth_dev = strdup(entry->d_name); ++ if (!eth_dev) { ++ r = -ENOMEM; ++ goto fail; ++ } ++ } ++ } ++ ++ udev_device_unref(dev); ++ dev = NULL; ++ } ++ ++ if (dev) ++ udev_device_unref(dev); ++ udev_unref(udev); ++ closedir(d); ++ ++ *_r = eth_dev; ++ ++ return 0; ++ ++fail: ++ if (dev) ++ udev_device_unref(dev); ++ ++ if (udev) ++ udev_unref(udev); ++ ++ if (d) ++ 
closedir(d); ++ ++ free(eth_dev); ++ ++ return r; + } + + /******************************************************************** +@@ -2859,6 +2953,7 @@ ether_to_eui64(eui64_t *p_eui64) + struct ifreq ifr; + int skfd; + const unsigned char *ptr; ++ char *eth_dev = NULL; + + skfd = socket(PF_INET6, SOCK_DGRAM | SOCK_CLOEXEC, 0); + if(skfd == -1) +@@ -2867,11 +2962,19 @@ ether_to_eui64(eui64_t *p_eui64) + return 0; + } + +- strcpy(ifr.ifr_name, "eth0"); ++ if (get_first_ethernet(ð_dev) < 0) ++ { ++ warn("no ethernet device present on the host"); ++ return 0; ++ } ++ ++ strcpy(ifr.ifr_name, eth_dev); ++ free(eth_dev); ++ + if(ioctl(skfd, SIOCGIFHWADDR, &ifr) < 0) + { + close(skfd); +- warn("could not obtain hardware address for eth0"); ++ warn("could not obtain hardware address for %s", ifr.ifr_name); + return 0; + } + close(skfd); +-- +1.8.3.1 + diff --git a/SOURCES/0020-pppd-put-lock-files-in-var-lock-ppp.patch b/SOURCES/0020-pppd-put-lock-files-in-var-lock-ppp.patch new file mode 100644 index 0000000..93d26c5 --- /dev/null +++ b/SOURCES/0020-pppd-put-lock-files-in-var-lock-ppp.patch @@ -0,0 +1,26 @@ +From c5a5f795b1defcb6d168e79c4d1fc371dfc556ca Mon Sep 17 00:00:00 2001 +From: Jiri Skala +Date: Wed, 9 Apr 2014 09:29:50 +0200 +Subject: [PATCH 20/27] pppd: put lock files in /var/lock/ppp + +Resolves: #708260 +--- + pppd/utils.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/pppd/utils.c b/pppd/utils.c +index 6051b9a..8407492 100644 +--- a/pppd/utils.c ++++ b/pppd/utils.c +@@ -846,7 +846,7 @@ complete_read(int fd, void *buf, size_t count) + /* Procedures for locking the serial device using a lock file. */ + #ifndef LOCK_DIR + #ifdef __linux__ +-#define LOCK_DIR "/var/lock" ++#define LOCK_DIR "/var/lock/ppp" + #else + #ifdef SVR4 + #define LOCK_DIR "/var/spool/locks" +-- +1.8.3.1 + 
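Review bot: Both new copies of get_first_ethernet() (pppoe-discovery.c and sys-linux.c) call `strcmp(type, "1")` on the result of udev_device_get_sysattr_value() without a NULL check, so a device with no readable `type` attribute would crash the scan; `if (type && strcmp(type, "1") == 0)` avoids that. The function also returns 0 with `*_r` left NULL when no Ethernet-type device is found, and ether_to_eui64() then hands that pointer to `strcpy(ifr.ifr_name, eth_dev)`; the success path should return a negative value such as `-ENOENT` when `eth_dev` is still NULL after the loop, so the callers' existing `< 0` checks catch it. In ether_to_eui64() the new early `return 0` leaves `skfd` open, so `close(skfd);` belongs before it. The copy into the fixed-size `ifr_name` would also be safer with a length-bounded call than with `strcpy`.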
diff --git a/SOURCES/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch b/SOURCES/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch
new file mode 100644
index 0000000..8340271
--- /dev/null
+++ b/SOURCES/0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch
@@ -0,0 +1,23 @@
+From d69eb9a8aa284014dd7dd282813989eda9d84d74 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 9 Apr 2014 09:56:09 +0200
+Subject: [PATCH 21/27] build-sys: compile pppol2tp plugin with RPM_OPT_FLAGS
+
+---
+ pppd/plugins/pppol2tp/Makefile.linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
+index 4339566..9a635b8 100644
+--- a/pppd/plugins/pppol2tp/Makefile.linux
++++ b/pppd/plugins/pppol2tp/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = -O2 -g
++COPTS = $(RPM_OPT_FLAGS)
+ CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+--
+1.8.3.1
+
diff --git a/SOURCES/0022-build-sys-compile-pppol2tp-with-multilink-support.patch b/SOURCES/0022-build-sys-compile-pppol2tp-with-multilink-support.patch
new file mode 100644
index 0000000..945933e
--- /dev/null
+++ b/SOURCES/0022-build-sys-compile-pppol2tp-with-multilink-support.patch
@@ -0,0 +1,24 @@
+From a0060c5d48ef742bff4fe9ba9c276a5c21795ce8 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Wed, 9 Apr 2014 09:58:38 +0200
+Subject: [PATCH 22/27] build-sys: compile pppol2tp with multilink support
+
+Resolves: #817013
+---
+ pppd/plugins/pppol2tp/Makefile.linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
+index 9a635b8..9cb316d 100644
+--- a/pppd/plugins/pppol2tp/Makefile.linux
++++ b/pppd/plugins/pppol2tp/Makefile.linux
+@@ -1,5 +1,5 @@
+ #CC = gcc
+-COPTS = $(RPM_OPT_FLAGS)
++COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK
+ CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC
+ LDFLAGS = -shared
+ INSTALL = install
+--
+1.8.3.1
+
diff --git a/SOURCES/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch b/SOURCES/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
new file mode 100644
index 0000000..7a18e07
--- /dev/null
+++ b/SOURCES/0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch
@@ -0,0 +1,32 @@
+From 769521a3798fd554ddc7333cb1255cd1b40790e8 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 10 Apr 2014 10:00:55 +0200
+Subject: [PATCH 23/27] build-sys: install rp-pppoe plugin files with standard
+ perms
+
+This is needed to properly generate debuginfo package.
+---
+ pppd/plugins/rp-pppoe/Makefile.linux | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
+index b949716..fa49efb 100644
+--- a/pppd/plugins/rp-pppoe/Makefile.linux
++++ b/pppd/plugins/rp-pppoe/Makefile.linux
+@@ -44,10 +44,10 @@ rp-pppoe.so: plugin.o discovery.o if.o common.o
+
+ install: all
+ $(INSTALL) -d -m 755 $(LIBDIR)
+- $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
++ $(INSTALL) -c -m 755 rp-pppoe.so $(LIBDIR)
+ $(INSTALL) -d -m 755 $(BINDIR)
+- $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
+- $(INSTALL) -c -m 444 pppoe-discovery.8 $(MANDIR)
++ $(INSTALL) -c -m 755 pppoe-discovery $(BINDIR)
++ $(INSTALL) -c -m 644 pppoe-discovery.8 $(MANDIR)
+
+ clean:
+ rm -f *.o *.so pppoe-discovery
+--
+1.8.3.1
+
diff --git a/SOURCES/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch b/SOURCES/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
new file mode 100644
index 0000000..9982d92
--- /dev/null
+++ b/SOURCES/0024-build-sys-install-pppoatm-plugin-files-with-standard.patch
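Review bot: The install recipe copies `pppoe-discovery.8` into `$(MANDIR)` without creating that directory, although `$(LIBDIR)` and `$(BINDIR)` each get an `$(INSTALL) -d -m 755` line in the same hunk; unless the caller is known to create it, add `$(INSTALL) -d -m 755 $(MANDIR)` before the man page line. The commit message gives debuginfo generation as the only reason, but replacing `-m 4550` with `-m 755` on rp-pppoe.so also drops the setuid bit and makes the file readable and executable by everyone. That is the security-relevant part of the patch and is worth stating in the message.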
@@ -0,0 +1,26 @@
+From 0fdb22ef3d3cc3b297372451d60bd6c61d047d27 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 10 Apr 2014 10:08:41 +0200
+Subject: [PATCH 24/27] build-sys: install pppoatm plugin files with standard
+ perms
+
+---
+ pppd/plugins/pppoatm/Makefile.linux | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
+index 769794b..4c5826f 100644
+--- a/pppd/plugins/pppoatm/Makefile.linux
++++ b/pppd/plugins/pppoatm/Makefile.linux
+@@ -37,7 +37,7 @@ $(PLUGIN): $(PLUGIN_OBJS)
+
+ install: all
+ $(INSTALL) -d -m 755 $(LIBDIR)
+- $(INSTALL) -c -m 4550 $(PLUGIN) $(LIBDIR)
++ $(INSTALL) -c -m 755 $(PLUGIN) $(LIBDIR)
+
+ clean:
+ rm -f *.o *.so
+--
+1.8.3.1
+
diff --git a/SOURCES/0025-pppd-install-pppd-binary-using-standard-perms-755.patch b/SOURCES/0025-pppd-install-pppd-binary-using-standard-perms-755.patch
new file mode 100644
index 0000000..428d71a
--- /dev/null
+++ b/SOURCES/0025-pppd-install-pppd-binary-using-standard-perms-755.patch
@@ -0,0 +1,29 @@
+From ab8b06cdc1075abc67f77e7c3bb684e20071d614 Mon Sep 17 00:00:00 2001
+From: Michal Sekletar
+Date: Thu, 10 Apr 2014 10:09:41 +0200
+Subject: [PATCH 25/27] pppd: install pppd binary using standard perms (755)
+
+---
+ pppd/Makefile.linux | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 0e8107f..534ccc2 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -223,10 +223,10 @@ all: $(TARGETS)
+ install: pppd
+ mkdir -p $(BINDIR) $(MANDIR)
+ $(EXTRAINSTALL)
+- $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
++ $(INSTALL) -c -m 755 pppd $(BINDIR)/pppd
+ if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
+ chmod o-rx,u+s $(BINDIR)/pppd; fi
+- $(INSTALL) -c -m 444 pppd.8 $(MANDIR)
++ $(INSTALL) -c -m 644 pppd.8 $(MANDIR)
+
+ pppd: $(PPPDOBJS)
+ $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
+--
+1.8.3.1
+
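Review bot: In the pppd/Makefile.linux patch (25/27), the final mode of pppd still depends on the machine that runs `make install`: the unchanged `if chgrp pppusers ...; then chmod o-rx,u+s ...; fi` lines right after the new `-m 755` install make the binary setuid and remove access for others only when a `pppusers` group exists there, and silently leave it 0755 otherwise. For a patch whose stated purpose is standard permissions, that conditional is better removed or replaced by an explicit choice, with a comment such as `# mode is fixed here; do not vary it with the build host's group database`. The rest of the install rule lies outside the hunk.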
diff --git a/SOURCES/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch b/SOURCES/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
new file mode 100644
index 0000000..9b0920d
--- /dev/null
+++ b/SOURCES/0028-pppoe-include-netinet-in.h-before-linux-in.h.patch
@@ -0,0 +1,35 @@
+From 33797aa193a2751da26f9af120e39c110defe4d1 Mon Sep 17 00:00:00 2001
+From: Lubomir Rintel
+Date: Sat, 10 Dec 2016 19:53:56 +0100
+Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
+
+To fix build breakage.
+---
+ pppd/plugins/rp-pppoe/pppoe.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
+index 9ab2eee..f77f5b7 100644
+--- a/pppd/plugins/rp-pppoe/pppoe.h
++++ b/pppd/plugins/rp-pppoe/pppoe.h
+@@ -15,6 +15,8 @@
+
+ #include "config.h"
+
++#include
++
+ #if defined(HAVE_NETPACKET_PACKET_H) || defined(HAVE_LINUX_IF_PACKET_H)
+ #define _POSIX_SOURCE 1 /* For sigaction defines */
+ #endif
+@@ -84,8 +86,6 @@ typedef unsigned long UINT32_t;
+ #include
+ #endif
+
+-#include
+-
+ #ifdef HAVE_NETINET_IF_ETHER_H
+ #include
+
+--
+2.9.3
+
diff --git a/SOURCES/ifdown-ppp b/SOURCES/ifdown-ppp
new file mode 100755
index 0000000..fca6463
--- /dev/null
+++ b/SOURCES/ifdown-ppp
@@ -0,0 +1,51 @@
+#! /bin/bash
+
+cd /etc/sysconfig/network-scripts
+. ./network-functions
+
+CONFIG=$1
+source_config
+
+if [ "$TYPE" = "xDSL" ] && [ -x /usr/sbin/adsl-stop ] ; then
+ adsl-stop /etc/sysconfig/network-scripts/$CONFIG
+ exit $?
+fi
+
+CONFIG=${CONFIG##ifcfg-}
+
+if [ "${DEMAND}" = "yes" ] && [ -f /var/run/ppp-${CONFIG}.pid ] ; then
+ PID=$(head -1 /var/run/ppp-${CONFIG}.pid)
+ kill -TERM ${PID}
+ sleep 2
+ [ ! -d /proc/${PID} ] && exit 0
+ sleep 5
+ [ ! -d /proc/${PID} ] && exit 0
+ kill -TERM ${PID}
+ [ ! -d /proc/${PID} ] && exit 0
+ exit 1
+fi
+
+file=/var/run/pppwatch-${DEVICE}.pid
+
+if [ ! -f $file ]; then
+ # ppp isn't running, or we didn't start it
+ exit 0
+fi
+
+PID=$(cat $file)
+[ -n "${PID}" ] || exit 1
+
+kill -TERM ${PID} > /dev/null 2>&1
+[ ! -d /proc/${PID} ] && exit 0
+sleep 2
+[ ! -d /proc/${PID} ] && exit 0
+sleep 5
+[ ! -d /proc/${PID} ] && exit 0
+sleep 10
+[ ! -d /proc/${PID} ] && exit 0
+
+# killing ppp-watch twice in a row causes it to send a SIGKILL to pppd pgrp
+kill -TERM ${PID} > /dev/null 2>&1
+[ ! -d /proc/${PID} ] && exit 0
+
+exit 1
diff --git a/SOURCES/ifup-ppp b/SOURCES/ifup-ppp
new file mode 100755
index 0000000..fb30639
--- /dev/null
+++ b/SOURCES/ifup-ppp
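Review bot: In the DEMAND branch the value read with `PID=$(head -1 /var/run/ppp-${CONFIG}.pid)` goes straight to `kill -TERM ${PID}` without any check, whereas the ppp-watch branch further down guards it with `[ -n "${PID}" ] || exit 1`. With an empty pid file `kill` fails and the `[ ! -d /proc/${PID} ]` tests then look at `/proc/` itself, so the branch sleeps and exits 1 without having stopped anything. Add a guard after the `head -1` line that also rejects non-numeric content, e.g. `case "${PID}" in ''|*[!0-9]*) exit 1 ;; esac`, and quote `"$file"` and `"${PID}"` in the tests. A stale pid file naming a reused PID would still signal an unrelated process, so confirming that the PID belongs to pppd before signalling would close that gap.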
@@ -0,0 +1,157 @@ +#! /bin/bash + +. /etc/init.d/functions + +cd /etc/sysconfig/network-scripts +. ./network-functions + +# ifup-post for PPP is handled through /etc/ppp/ip-up +if [ "${1}" = daemon ] ; then + # we've been called from ppp-watch, so don't invoke it for persistence + shift +else + # just in case a full path to the configuration file is passed in + CONFIG=${1##*/} # CONFIG=$(basename $1) + [ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} + source_config + # don't start ppp-watch by xDSL + if [ "${DEMAND}" != yes -a "$TYPE" != "xDSL" ] ; then + # let ppp-watch do the right thing + exec /sbin/ppp-watch "${CONFIG##ifcfg-}" "$2" + fi +fi + +CONFIG=$1 +[ -f "${CONFIG}" ] || CONFIG=ifcfg-${1} +source_config + +if [ -z "${DISCONNECTTIMEOUT}" ]; then + DISCONNECTTIMEOUT=2 +fi + +if [ -z "${RETRYTIMEOUT}" ]; then + RETRYTIMEOUT=30 +fi + +if [ -z "${IDLETIMEOUT}" ]; then + IDLETIMEOUT=600 +fi + +if [ "${2}" = "boot" -a "${ONBOOT}" = "no" ]; then + exit +fi + +[ -x /usr/sbin/pppd ] || { + echo $"pppd does not exist or is not executable" + echo $"ifup-ppp for ${DEVICE} exiting" + /usr/bin/logger -p daemon.info -t ifup-ppp \ + $"pppd does not exist or is not executable for ${DEVICE}" + exit 1 +} + +# check that xDSL connection +if [ "$TYPE" = "xDSL" ] ; then + if [ -x /usr/sbin/adsl-start ] ; then + adsl-start /etc/sysconfig/network-scripts/$CONFIG + exit $? + else + /usr/bin/logger -p daemon.info -t ifup-ppp \ + $"adsl-start does not exist or is not executable for ${DEVICE}" + exit 1 + fi +fi + +PEERCONF=/etc/ppp/peers/${DEVNAME} + +if [ "${DEBUG}" = "yes" ]; then + CHATDBG="-v" +fi + +if [ ! 
-f ${PEERCONF} ]; then + if [ -z "${WVDIALSECT}" ] ; then + CHATSCRIPT=/etc/sysconfig/network-scripts/chat-${DEVNAME} + [ -f ${CHATSCRIPT} ] || { + echo $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist" + echo $"ifup-ppp for ${DEVNAME} exiting" + /usr/bin/logger -p daemon.info -t ifup-ppp \ + $"/etc/sysconfig/network-scripts/chat-${DEVNAME} does not exist for ${DEVICE}" + exit 1 + } + fi + /usr/bin/logger -s -p daemon.notice -t ifup-ppp \ + $"Setting up a new ${PEERCONF} config file" + if [ -f /etc/ppp/peers/${DEVICE} ]; then + cp -f /etc/ppp/peers/${DEVICE} ${PEERCONF} + else + touch ${PEERCONF} + fi + if [ "${WVDIALSECT}" ]; then + echo "connect \"/usr/bin/wvdial --remotename ${DEVNAME} --chat '${WVDIALSECT}'\"" >> ${PEERCONF} + else + echo "connect \"/usr/sbin/chat ${CHATDBG} -f ${CHATSCRIPT}\"" >> ${PEERCONF} + fi +fi + +opts="lock" +if [ "${HARDFLOWCTL}" != no ] ; then + opts="$opts modem crtscts" +fi +if [ "${ESCAPECHARS}" != yes ] ; then + opts="$opts asyncmap 00000000" +fi +if [ "${DEFROUTE}" != no ] ; then + # pppd will no longer delete an existing default route + # so we have to help it out a little here. + DEFRT=$(ip route list match 0.0.0.0/0) + [ -n "${DEFRT}" ] && echo "$DEFRT" > /etc/default-routes + echo "$DEFRT" | while read spec; do + ip route del $spec; + done + opts="$opts defaultroute" +fi +if [ "${PEERDNS}" != no ] ; then + cp -f /etc/resolv.conf /etc/resolv.conf.save + opts="$opts usepeerdns" +fi +if [ -n "${MRU}" ] ; then + opts="$opts mru ${MRU}" +fi +if [ -n "${MTU}" ] ; then + opts="$opts mtu ${MTU}" +fi +if [ -n "${IPADDR}${REMIP}" ] ; then + # if either IP address is set, the following will work. 
+ opts="$opts ${IPADDR}:${REMIP}" +fi +if [ -n "${PAPNAME}" ] ; then + opts="$opts user ${PAPNAME} remotename ${DEVNAME}" +fi +if [ "${DEBUG}" = yes ] ; then + opts="$opts debug" +fi + +if [ ${DEMAND} = yes ] ; then + opts="$opts demand ktune idle ${IDLETIMEOUT} holdoff ${RETRYTIMEOUT}" + exec= +else + opts="$opts nodetach" + exec=exec +fi + +/usr/bin/logger -p daemon.info -t ifup-ppp \ + $"pppd started for ${DEVNAME} on ${MODEMPORT} at ${LINESPEED}" + +$exec pppd $opts ${MODEMPORT} ${LINESPEED} \ + ipparam ${DEVNAME} linkname ${DEVNAME} call ${DEVNAME}\ + noauth \ + ${PPPOPTIONS} || exit + +if [ "${DEMAND}" = "yes" ] ; then + # pppd is a tad slow to write the pid-file. + sleep 2 + if [ -f /var/run/ppp-${DEVNAME}.pid ] ; then + REALDEVICE=$(tail -1 /var/run/ppp-${DEVNAME}.pid) + /etc/sysconfig/network-scripts/ifup-routes ${REALDEVICE} ${DEVNAME} + fi +fi + diff --git a/SOURCES/ip-down b/SOURCES/ip-down new file mode 100644 index 0000000..bfb0871 --- /dev/null +++ b/SOURCES/ip-down @@ -0,0 +1,18 @@ +#!/bin/bash +# This file should not be modified -- make local changes to +# /etc/ppp/ip-down.local instead + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +export PATH + +LOGDEVICE=$6 +REALDEVICE=$1 + +/etc/ppp/ip-down.ipv6to4 ${LOGDEVICE} + +[ -x /etc/ppp/ip-down.local ] && /etc/ppp/ip-down.local "$@" + +/etc/sysconfig/network-scripts/ifdown-post --realdevice ${REALDEVICE} \ + ifcfg-${LOGDEVICE} + +exit 0 diff --git a/SOURCES/ip-down.ipv6to4 b/SOURCES/ip-down.ipv6to4 new file mode 100644 index 0000000..29f1c64 --- /dev/null +++ b/SOURCES/ip-down.ipv6to4 
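Review bot: In ifup-ppp, `if [ ${DEMAND} = yes ] ; then` near the end is unquoted, unlike the other tests of DEMAND in the script, so with DEMAND unset the test is malformed and the script reaches the `nodetach` branch only by accident; write it as `if [ "${DEMAND}" = yes ] ; then`. The lines that generate the peers file also interpolate `${DEVNAME}`, `${WVDIALSECT}` and `${CHATSCRIPT}` into a quoted `connect` command without escaping, so a value containing a quote character changes the command string pppd is given. These values come from the ifcfg file, so validating them against a conservative pattern before appending to `${PEERCONF}` would keep a malformed config from turning into command text. Quoting `"${PEERCONF}"` in the redirections and the `-f` tests would help as well.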
@@ -0,0 +1,114 @@ +#!/bin/sh +# +# ip-down.ipv6to4 +# +# +# Taken from: +# (P) & (C) 2000-2005 by Peter Bieringer +# +# You will find more information on the initscripts-ipv6 homepage at +# http://www.deepspace6.net/projects/initscripts-ipv6.html +# +# Version 2005-09-22 +# +# Calling parameters: +# $1: interface name +# +# Called (mostly) by /etc/ppp/ip-down.local +# like: /etc/ppp/ip-down.ipv6to4 $1 >>/var/log/ppp-ipv6to4.log 2>&1 +# +# Note: this script will *check* whether the existing 6to4 tunnel +# was set before by using "ip-up.ipv6to4" comparing IPv4 address +# of device with the generated 6to4 prefix +# +# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1: +# IPV6TO4INIT=yes|no: controls configuration +# IPV6TO4_ROUTING="-/ ...": information to setup additional interfaces +# +# IPV6_CONTROL_RADVD=yes|no: controls radvd triggering +# IPV6_RADVD_PIDFILE=: PID file of radvd for sending signals, default is "/var/run/radvd/radvd.pid" +# IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP: how to trigger radvd (optional, default is SIGHUP) +# + + +if [ -z "$1" ]; then + echo $"Argument 1 is empty but should contain interface name - skip IPv6to4 initialization" + exit 1 +fi + +# Get global network configuration +. /etc/sysconfig/network + +# Source IPv4 helper functions +cd /etc/sysconfig/network-scripts +. ./network-functions + +CONFIG=$1 +[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG +source_config + +# IPv6 don't need aliases anymore, config is skipped +REALDEVICE=${DEVICE%%:*} +[ "$DEVICE" != "$REALDEVICE" ] && exit 0 + +if [ ! -f /etc/sysconfig/network-scripts/network-functions-ipv6 ]; then + exit 1 +fi + +. /etc/sysconfig/network-scripts/network-functions-ipv6 + + +# Run basic IPv6 test, if not ok, skip IPv6 initialization +ipv6_test testonly || exit 0 + +# Test status of ppp device +ipv6_test_device_status $DEVICE +if [ $? != 0 -a $? 
!= 11 ]; then + # device doesn't exist or other problem occurs + exit 1 +fi + +# Test status of tun6to4 device +ipv6_test_device_status tun6to4 +if [ $? = 0 -o $? = 11 ]; then + # Device exists + valid6to4config="yes" + + # Get IPv4 address from interface + ipv4addr="$(ipv6_get_ipv4addr_of_device $DEVICE)" + if [ -z "$ipv4addr" ]; then + # Has no IPv4 address + valid6to4config="no" + fi + + # Get local IPv4 address of dedicated tunnel + ipv4addr6to4local="$(ipv6_get_ipv4addr_of_tunnel tun6to4 local)" + + # IPv6to4 not enabled on this interface? + if [ $IPV6TO4INIT != "yes" ]; then + # Check against configured 6to4 tunnel to see if this interface was regardless used before + if [ "$ipv4addr" != "$ipv4addr6to4local" ]; then + # IPv4 address of interface does't match local tunnel address, interface was not used for current 6to4 setup + valid6to4config="no" + fi + fi + +fi + +if [ "$valid6to4config" = "yes" ]; then + if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then + # Control running radvd + ipv6_trigger_radvd down "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE + fi + + if [ -n "$IPV6TO4_ROUTING" ]; then + # Delete routes to local networks + for devsuf in $IPV6TO4_ROUTING; do + dev="${devsuf%%-*}" + ipv6_cleanup_6to4_device $dev + done + fi + + # Delete all configured 6to4 address + ipv6_cleanup_6to4_tunnels tun6to4 +fi diff --git a/SOURCES/ip-up b/SOURCES/ip-up new file mode 100644 index 0000000..e610674 --- /dev/null +++ b/SOURCES/ip-up @@ -0,0 +1,17 @@ +#!/bin/bash +# This file should not be modified -- make local changes to +# /etc/ppp/ip-up.local instead + +PATH=/sbin:/usr/sbin:/bin:/usr/bin +export PATH + +LOGDEVICE=$6 +REALDEVICE=$1 + +[ -f /etc/sysconfig/network-scripts/ifcfg-${LOGDEVICE} ] && /etc/sysconfig/network-scripts/ifup-post --realdevice ${REALDEVICE} ifcfg-${LOGDEVICE} + +/etc/ppp/ip-up.ipv6to4 ${LOGDEVICE} + +[ -x /etc/ppp/ip-up.local ] && /etc/ppp/ip-up.local "$@" + +exit 0 
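Review bot: In ip-down.ipv6to4, `if [ $IPV6TO4INIT != "yes" ]; then` expands the variable unquoted, so when IPV6TO4INIT is not set in the ifcfg file the test is malformed and fails. The body that would set `valid6to4config="no"` is then skipped, and the script can go on to remove the tun6to4 addresses and routes even though this interface may not own the tunnel. Quote it as `if [ "$IPV6TO4INIT" != "yes" ]; then`, matching the `"$IPV6_CONTROL_RADVD"` test later in the file. `valid6to4config` is also assigned only inside the tun6to4 branch, so initialising it to `"no"` near the top would make the final test independent of whatever the sourced files or the environment leave in it.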
diff --git a/SOURCES/ip-up.ipv6to4 b/SOURCES/ip-up.ipv6to4
new file mode 100644
index 0000000..6a85bbb
--- /dev/null
+++ b/SOURCES/ip-up.ipv6to4
@@ -0,0 +1,193 @@ +#!/bin/sh +# +# ip-up.ipv6to4 +# +# +# Taken from: +# (P) & (C) 2000-2005 by Peter Bieringer +# +# You will find more information on the initscripts-ipv6 homepage at +# http://www.deepspace6.net/projects/initscripts-ipv6.html +# +# Version: 2005-09-22 +# +# Calling parameters: +# $1: interface name +# +# Called (mostly) by /etc/ppp/ip-up.local +# like: /etc/ppp/ip-up.ipv6to4 $1 >>/var/log/ppp-ipv6to4.log 2>&1 +# +# Note: this script will *kill* older still existing 6to4 tunnels regardless +# whether they were set before by another device +# +# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1: +# IPV6TO4INIT=yes|no: controls configuration +# IPV6TO4_IPV4ADDR=: special local address for 6to4 tunneling (only needed behind a NAT gateway) +# IPV6TO4_RELAY=: remote 6to4 relay router address (default: 192.88.99.1) +# IPV6TO4_MTU=: controls IPv6 MTU for the 6to4 link (optional, default is MTU of interface - 20) +# IPV6TO4_ROUTING="-/ ...": information to setup additional interfaces +# Example: IPV6TO4_ROUTING="eth0-:f101::1/64 eth1-:f102::1/64" +# +# IPV6_CONTROL_RADVD=yes|no: controls radvd triggering +# IPV6_RADVD_PIDFILE=: PID file of radvd for sending signals, default is "/var/run/radvd/radvd.pid" +# IPV6_RADVD_TRIGGER_ACTION=startstop|reload|restart|SIGHUP: how to trigger radvd (optional, default is SIGHUP) +# +# Requirements +# radvd-0.6.2p3 or newer supporting option "Base6to4Interface" +# + + +if [ -z "$1" ]; then + echo $"Argument 1 is empty but should contain interface name - skip IPv6to4 initialization" + exit 1 +fi + +# Get global network configuration +. /etc/sysconfig/network + +# Source IPv4 helper functions +cd /etc/sysconfig/network-scripts +. ./network-functions + +CONFIG=$1 +[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG +source_config + +# IPv6 don't need aliases anymore, config is skipped +REALDEVICE=${DEVICE%%:*} +[ "$DEVICE" != "$REALDEVICE" ] && exit 0 + +if [ ! 
-f /etc/sysconfig/network-scripts/network-functions-ipv6 ]; then + exit 1 +fi + +. /etc/sysconfig/network-scripts/network-functions-ipv6 + + +# Run basic IPv6 test (and make sure the ipv6 module will be loaded), if not ok, skip IPv6 initialization +ipv6_test || exit 1 + +# Setup of 6to4, if configured +valid6to4config="yes" +if [ "$IPV6TO4INIT" = "yes" ]; then + if [ -n "$IPV6TO4_IPV4ADDR" ]; then + # Take 6to4-dedicated configured IPv4 address from config file (precedence 1) + ipv4addr="$IPV6TO4_IPV4ADDR" + else + # Get IPv4 address from interface (precedence 2) + ipv4addr="$(ipv6_get_ipv4addr_of_device $DEVICE)" + if [ -z "$ipv4addr" ]; then + # Take configured IPv4 address of interface from config file (precedence 3) + ipv4addr="$IPADDR" + fi + fi + if [ -n "$ipv4addr" ]; then + # Test for non-global IPv4 address + if ! ipv6_test_ipv4_addr_global_usable $ipv4addr; then + net_log $"Given IPv4 address '$ipv4addr' is not globally usable" info + valid6to4config="no" + fi + else + net_log $"IPv6to4 configuration needs an IPv4 address on related interface or otherwise specified" info + valid6to4config="no" + fi + if [ -z "$IPV6TO4_RELAY" ]; then + IPV6TO4_RELAY="192.88.99.1" + fi + + # Check/generate relay address + ipv6to4_relay="$(ipv6_create_6to4_relay_address $IPV6TO4_RELAY)" + if [ $? 
-ne 0 ]; then + valid6to4config="no" + fi + + if [ "$valid6to4config" = "yes" ]; then + # Delete routes to local networks + for devsuf in $IPV6TO4_ROUTING; do + dev="${devsuf%%-*}" + ipv6_cleanup_6to4_device $dev + done + + # Cleanup all old data (needed, if "ip-down.ipv6to4" wasn't executed), delete all configured 6to4 address + ipv6_cleanup_6to4_tunnels tun6to4 + + # Get MTU of master device + ipv4mtu="$(/sbin/ip link show dev $DEVICE | awk '/\/ { print $5 }')" + if [ -n "$ipv4mtu" ]; then + # IPv6 tunnel MTU is IPv4 MTU minus 20 for IPv4 header + tunnelmtu=$[ $ipv4mtu - 20 ] + fi + + if [ -n "$IPV6TO4_MTU" ]; then + if [ $IPV6TO4_MTU -gt $tunnelmtu ]; then + net_log $"Warning: configured MTU '$IPV6TO4_MTU' for 6to4 exceeds maximum limit of '$tunnelmtu', ignored" warning + else + tunnelmtu=$IPV6TO4_MTU + fi + fi + + # Setup new data + ipv6_add_6to4_tunnel tun6to4 $ipv4addr "" $tunnelmtu || exit 1 + + # Add route to for compatible addresses (removed later again) + ipv6_add_route "::/96" "::" tun6to4 + + # Add default route, if device matches + if [ "$IPV6_DEFAULTDEV" = "tun6to4" ]; then + if [ -n "$IPV6_DEFAULTGW" ]; then + net_log $"Warning: interface 'tun6to4' does not support 'IPV6_DEFAULTGW', ignored" warning + fi + ipv6_set_default_route $ipv6to4_relay tun6to4 + fi + + # Add static routes + if [ -f /etc/sysconfig/static-routes-ipv6 ]; then + LC_ALL=C grep -w "^tun6to4" /etc/sysconfig/static-routes-ipv6 | while read device network gateway; do + if [ -z "$network" ]; then + continue + fi + if [ -z "$gateway" ]; then + gateway="$ipv6to4_relay" + fi + ipv6_add_route $network $gateway tun6to4 + done + fi + + # Setup additional static IPv6 routes (newer config style) + if [ -f "/etc/sysconfig/network-scripts/route6-tun6to4" ]; then + sed -ne 's/#.*//' -e '/[^[:space:]]/p' /etc/sysconfig/network-scripts/route6-tun6to4 | while read line; do + if echo "$line" | grep -vq 'via'; then + # Add gateway if missing + line="$line via $ipv6to4_relay" + fi + /sbin/ip -6 route 
add $line + done + fi + + # Cleanup autmatically generated autotunnel (not needed for 6to4) + /sbin/ip -6 route del ::/96 dev tun6to4 + /sbin/ip -6 addr del tun6to4 "::$ipv4addr/128" dev tun6to4 + + if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then + # Control running radvd + ipv6_trigger_radvd up "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE + + if [ -n "$IPV6TO4_ROUTING" ]; then + # Generate 6to4 address + ipv6to4prefix="$(ipv6_create_6to4_prefix $ipv4addr)" + if [ -n "$ipv6to4prefix" ]; then + # Add IPv6 address to interface (required interface route will be set automatically) + for devsuf in $IPV6TO4_ROUTING; do + dev="${devsuf%%-*}" + suf="$(echo $devsuf | awk -F- '{ print $2 }')" + ipv6_add_addr_on_device ${dev} ${ipv6to4prefix}${suf} + done + else + net_log $"Error occurred while calculating the IPv6to4 prefix" + fi + else + net_log $"radvd control enabled, but config is not complete" + fi + fi + fi +fi diff --git a/SOURCES/ipv6-down b/SOURCES/ipv6-down new file mode 100644 index 0000000..b290585 --- /dev/null +++ b/SOURCES/ipv6-down 
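Review bot: `tunnelmtu` is assigned only when `ipv4mtu` is non-empty, yet the following `[ $IPV6TO4_MTU -gt $tunnelmtu ]` test and the `ipv6_add_6to4_tunnel tun6to4 $ipv4addr "" $tunnelmtu` call use it unconditionally and unquoted, so a failed MTU lookup yields a malformed test and a missing argument. Guard the comparison with `[ -n "$tunnelmtu" ]` and quote both operands. Replace the obsolete `$[ $ipv4mtu - 20 ]` with `$(( ipv4mtu - 20 ))`, which also works under the `#!/bin/sh` this file declares. The awk pattern in the MTU lookup looks damaged in this rendering, so check it against the original file.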
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# ipv6-down
+#
+# Called by pppd after IPV6CP/down was finished
+#
+# This file should not be modified -- make local changes to
+# /etc/ppp/ipv6-down.local instead
+#
+#
+# Taken from:
+# (P) & (C) 2001-2006 by Peter Bieringer
+#
+# You will find more information on the initscripts-ipv6 homepage at
+# http://www.deepspace6.net/projects/initscripts-ipv6.html
+#
+# RHL integration assistance by Pekka Savola
+#
+# Calling parameters:
+# $1: interface name
+# $6: logical interface name (set by pppd option ipparam)
+#
+# Version 2006-08-02
+#
+# Uses following information from /etc/sysconfig/network-scripts/ifcfg-$1:
+# IPV6INIT=yes|no: controls IPv6 configuration for this interface
+#
+
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+LOGDEVICE=$6
+REALDEVICE=$1
+
+[ -f /etc/sysconfig/network ] || exit 0
+. /etc/sysconfig/network
+
+cd /etc/sysconfig/network-scripts
+. ./network-functions
+
+CONFIG=$LOGDEVICE
+[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
+source_config
+
+[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
+. /etc/sysconfig/network-scripts/network-functions-ipv6
+
+[ -x /etc/ppp/ipv6-down.local ] && /etc/ppp/ipv6-down.local "$@"
+
+
+if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then
+ # Control running radvd
+ ipv6_trigger_radvd down "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE
+fi
+
+# IPv6 test, no module loaded, exit if system is not IPv6-ready
+ipv6_test testonly || exit 0
+
+# Test device status
+ipv6_test_device_status $REALDEVICE
+if [ $? != 0 -a $? != 11 ]; then
+ # device doesn't exist or other problem occurs
+ exit 1
+fi
+
+# Delete all current configured IPv6 addresses on this interface
+ipv6_cleanup_device $REALDEVICE
+
+exit 0
diff --git a/SOURCES/ipv6-up b/SOURCES/ipv6-up
new file mode 100644
index 0000000..059afec
--- /dev/null
+++ b/SOURCES/ipv6-up
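Review bot: `LOGDEVICE=$6` is turned into a file name without any validation: after `cd /etc/sysconfig/network-scripts`, the line `[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG` accepts any existing path, including one that contains `/`, and `source_config` is then called in a script that pppd normally runs as root. What `source_config` does with `CONFIG` is defined in network-functions and is not visible here, so the impact is unconfirmed, but a guard before the `CONFIG=` assignment such as `case "$LOGDEVICE" in */*) exit 1 ;; esac` would keep the value to a plain name inside network-scripts. `$REALDEVICE` and `$IPV6_RADVD_PIDFILE` are also expanded unquoted in the calls further down and would be safer as `"$REALDEVICE"` and `"$IPV6_RADVD_PIDFILE"`. SOURCES/ipv6-up handles `$6` in the same way.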
@@ -0,0 +1,112 @@
+#!/bin/bash
+#
+# ipv6-up
+#
+# Called by pppd after IPV6CP/up was finished
+#
+# This file should not be modified -- make local changes to
+# /etc/ppp/ipv6-up.local instead
+#
+# Taken from:
+# (P) & (C) 2001-2006 by Peter Bieringer
+#
+# You will find more information on the initscripts-ipv6 homepage at
+# http://www.deepspace6.net/projects/initscripts-ipv6.html
+#
+# RHL integration assistance by Pekka Savola
+#
+# Calling parameters:
+# $1: interface name
+# $6: logical interface name (set by pppd option ipparam)
+#
+#
+# Version: 2006-08-02
+#
+# Uses following information from "/etc/sysconfig/network":
+# IPV6_DEFAULTDEV=: controls default route (optional)
+#
+# Uses following information from "/etc/sysconfig/network-scripts/ifcfg-$1":
+# IPV6INIT=yes|no: controls IPv6 configuration for this interface
+# IPV6ADDR=[/]: specify primary static IPv6 address
+# IPV6ADDR_SECONDARIES="[/] ..." (optional)
+# IPV6_MTU=: controls IPv6 MTU for this link (optional)
+#
+
+
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+export PATH
+
+LOGDEVICE=$6
+REALDEVICE=$1
+
+[ -f /etc/sysconfig/network ] || exit 0
+. /etc/sysconfig/network
+
+cd /etc/sysconfig/network-scripts
+. ./network-functions
+. ./network-functions-ipv6
+
+CONFIG=$LOGDEVICE
+[ -f "$CONFIG" ] || CONFIG=ifcfg-$CONFIG
+source_config
+
+# Test whether IPv6 configuration is disabled for this interface
+[[ "$IPV6INIT" = [nN0]* ]] && exit 0
+
+[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1
+. /etc/sysconfig/network-scripts/network-functions-ipv6
+
+# IPv6 test, module loaded, exit if system is not IPv6-ready
+ipv6_test || exit 1
+
+# Test device status
+ipv6_test_device_status $REALDEVICE
+if [ $? != 0 -a $? != 11 ]; then
+ # device doesn't exist or other problem occurs
+ exit 1
+fi
+
+# Setup IPv6 address on specified interface
+if [ -n "$IPV6ADDR" ]; then
+ ipv6_add_addr_on_device $REALDEVICE $IPV6ADDR || exit 1
+fi
+
+# Set IPv6 MTU, if given
+if [ -n "$IPV6_MTU" ]; then
+ ipv6_set_mtu $REALDEVICE $IPV6_MTU
+fi
+
+# Setup additional IPv6 addresses from list, if given
+if [ -n "$IPV6ADDR_SECONDARIES" ]; then
+ for ipv6addr in $IPV6ADDR_SECONDARIES; do
+ ipv6_add_addr_on_device $REALDEVICE $ipv6addr
+ done
+fi
+
+# Setup default IPv6 route through device
+if [ "$IPV6_DEFAULTDEV" = "$LOGDEVICE" ]; then
+ ipv6_set_default_route "" "$REALDEVICE" "$REALDEVICE"
+fi
+
+# Setup additional static IPv6 routes on specified interface, if given
+if [ -f /etc/sysconfig/static-routes-ipv6 ]; then
+ LC_ALL=C grep -w "^$LOGDEVICE" /etc/sysconfig/static-routes-ipv6 | while read device args; do
+ ipv6_add_route $args $REALDEVICE
+ done
+fi
+
+# Setup additional static IPv6 routes (newer config style)
+if [ -f "/etc/sysconfig/network-scripts/route6-$DEVICE" ]; then
+ sed -ne 's/#.*//' -e '/[^[:space:]]/p' "/etc/sysconfig/network-scripts/route6-$DEVICE" | while read line; do
+ /sbin/ip -6 route add $line
+ done
+fi
+
+if [ "$IPV6_CONTROL_RADVD" = "yes" ]; then
+ # Control running radvd
+ ipv6_trigger_radvd up "$IPV6_RADVD_TRIGGER_ACTION" $IPV6_RADVD_PIDFILE
+fi
+
+[ -x /etc/ppp/ipv6-up.local ] && /etc/ppp/ipv6-up.local "$@"
+
+exit 0
diff --git a/SOURCES/ppp-2.4.7-CVE-2020-8597.patch b/SOURCES/ppp-2.4.7-CVE-2020-8597.patch
new file mode 100644
index 0000000..5d7c51b
--- /dev/null
+++ b/SOURCES/ppp-2.4.7-CVE-2020-8597.patch
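Review bot: The existence check for network-functions-ipv6 runs only after the file has already been sourced: `. ./network-functions-ipv6` sits directly under `. ./network-functions`, and the guard `[ -f /etc/sysconfig/network-scripts/network-functions-ipv6 ] || exit 1` plus a second source of the same file come later. SOURCES/ipv6-down sources the file once, after the guard; unless `source_config` needs the IPv6 helpers (not visible here), dropping the early `. ./network-functions-ipv6` would make the two scripts agree. The newer-style route block tests `route6-$DEVICE`, but this script never assigns `DEVICE` and uses `$REALDEVICE` or `$LOGDEVICE` everywhere else. If the sourced config does not set it, the path becomes `route6-` and the routes are skipped silently, so a comment naming where `DEVICE` comes from would help.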
@@ -0,0 +1,37 @@
+From 8d7970b8f3db727fe798b65f3377fe6787575426 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras
+Date: Mon, 3 Feb 2020 15:53:28 +1100
+Subject: [PATCH] pppd: Fix bounds check in EAP code
+
+Given that we have just checked vallen < len, it can never be the case
+that vallen >= len + sizeof(rhostname). This fixes the check so we
+actually avoid overflowing the rhostname array.
+
+Reported-by: Ilja Van Sprundel
+Signed-off-by: Paul Mackerras
+---
+ pppd/eap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/pppd/eap.c b/pppd/eap.c
+index 94407f56..1b93db01 100644
+--- a/pppd/eap.c
++++ b/pppd/eap.c
+@@ -1420,7 +1420,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
+@@ -1846,7 +1846,7 @@ int len;
+ }
+
+ /* Not so likely to happen. */
+- if (vallen >= len + sizeof (rhostname)) {
++ if (len - vallen >= sizeof (rhostname)) {
+ dbglog("EAP: trimming really long peer name down");
+ BCOPY(inp + vallen, rhostname, sizeof (rhostname) - 1);
+ rhostname[sizeof (rhostname) - 1] = '\0';
diff --git a/SOURCES/ppp-2.4.7-DES-openssl.patch b/SOURCES/ppp-2.4.7-DES-openssl.patch
new file mode 100644
index 0000000..ad3b268
--- /dev/null
+++ b/SOURCES/ppp-2.4.7-DES-openssl.patch
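Review bot: The corrected test `len - vallen >= sizeof (rhostname)` is only sound while `vallen <= len`, and the check that guarantees this lies above both hunks (`@@ -1420` and `@@ -1846`); the patch description mentions it, but it is not visible here. A comment at each site would stop a later edit from separating the two, for example `/* vallen < len was checked above, so len - vallen is the peer-name length */`. The oversize case is reported only through `dbglog`, so it is invisible without debug logging. A peer name longer than `rhostname` is unusual enough that `warn("EAP: trimming really long peer name down");` may be the better level for operators watching for malformed EAP traffic. Both enclosing functions start and end outside the hunks.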
@@ -0,0 +1,79 @@
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 534ccc2..cf11b74 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -41,7 +41,7 @@ COPTS = -Wall $(RPM_OPT_FLAGS) -DLIBDIR=\""$(LIBDIR)"\"
+ # Uncomment the next 2 lines to include support for Microsoft's
+ # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
+ CHAPMS=y
+-USE_CRYPT=y
++#USE_CRYPT=y
+ # Don't use MSLANMAN unless you really know what you're doing.
+ #MSLANMAN=y
+ # Uncomment the next line to include support for MPPE. CHAPMS (above) must
+@@ -147,7 +147,8 @@ endif
+
+ ifdef NEEDDES
+ ifndef USE_CRYPT
+-LIBS += -ldes $(LIBS)
++CFLAGS += -I/usr/include/openssl
++LIBS += -lcrypto
+ else
+ CFLAGS += -DUSE_CRYPT=1
+ endif
+diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
+index 8b85b13..6b35375 100644
+--- a/pppd/pppcrypt.c
++++ b/pppd/pppcrypt.c
+@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */
+ des_key[7] = Get7Bits(key, 49);
+
+ #ifndef USE_CRYPT
+- des_set_odd_parity((des_cblock *)des_key);
++ DES_set_odd_parity((DES_cblock *)des_key);
+ #endif
+ }
+
+@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */
+ }
+
+ #else /* USE_CRYPT */
+-static des_key_schedule key_schedule;
++static DES_key_schedule key_schedule;
+
+ bool
+ DesSetkey(key)
+ u_char *key;
+ {
+- des_cblock des_key;
++ DES_cblock des_key;
+ MakeKey(key, des_key);
+- des_set_key(&des_key, key_schedule);
++ DES_set_key(&des_key, &key_schedule);
+ return (1);
+ }
+
+ bool
+-DesEncrypt(clear, key, cipher)
++DesEncrypt(clear, cipher)
+ u_char *clear; /* IN 8 octets */
+ u_char *cipher; /* OUT 8 octets */
+ {
+- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
+- key_schedule, 1);
++ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
++ &key_schedule, 1);
+ return (1);
+ }
+
+@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
+ u_char *cipher; /* IN 8 octets */
+ u_char *clear; /* OUT 8 octets */
+ {
+- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
+- key_schedule, 0);
++ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
++ &key_schedule, 0);
+ return (1);
+ }
+
diff --git a/SOURCES/ppp-2.4.7-coverity-scan-fixes.patch b/SOURCES/ppp-2.4.7-coverity-scan-fixes.patch
new file mode 100644
index 0000000..4f61a27
--- /dev/null
+++ b/SOURCES/ppp-2.4.7-coverity-scan-fixes.patch
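Review bot: `DesSetkey` discards the result of `DES_set_key(&des_key, &key_schedule)` and returns 1 unconditionally. Depending on the OpenSSL version and its key-checking setting, `DES_set_key` may reject a key for parity or weakness and return before filling the schedule, which would leave `DesEncrypt` and `DesDecrypt` working from whatever the static `key_schedule` held before. The key here is derived from caller-supplied material that has to be accepted as given, so `DES_set_key_unchecked(&des_key, &key_schedule);` states that intent and behaves the same on every version. A comment on the static `key_schedule` noting that it holds key material for the life of the process would also help anyone auditing the MS-CHAP path.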
@@ -0,0 +1,453 @@ +diff --git a/chat/chat.c b/chat/chat.c +index 710dba9..bf10733 100644 +--- a/chat/chat.c ++++ b/chat/chat.c +@@ -512,6 +512,7 @@ void msgf __V((const char *fmt, ...)) + syslog(LOG_INFO, "%s", line); + if (to_stderr) + fprintf(stderr, "%s\n", line); ++ va_end(args); + } + + /* +@@ -537,6 +538,7 @@ void fatal __V((int code, const char *fmt, ...)) + syslog(LOG_ERR, "%s", line); + if (to_stderr) + fprintf(stderr, "%s\n", line); ++ va_end(args); + terminate(code); + } + +diff --git a/pppd/auth.c b/pppd/auth.c +index 656ffe9..9a7e32d 100644 +--- a/pppd/auth.c ++++ b/pppd/auth.c +@@ -464,6 +464,7 @@ setupapfile(argv) + euid = geteuid(); + if (seteuid(getuid()) == -1) { + option_error("unable to reset uid before opening %s: %m", fname); ++ free(fname); + return 0; + } + ufile = fopen(fname, "re"); +@@ -471,6 +472,7 @@ setupapfile(argv) + fatal("unable to regain privileges: %m"); + if (ufile == NULL) { + option_error("unable to open user login data file %s", fname); ++ free(fname); + return 0; + } + check_access(ufile, fname); +@@ -481,6 +483,7 @@ setupapfile(argv) + || fgets(p, MAXSECRETLEN - 1, ufile) == NULL) { + fclose(ufile); + option_error("unable to read user login data file %s", fname); ++ free(fname); + return 0; + } + fclose(ufile); +@@ -502,6 +505,7 @@ setupapfile(argv) + explicit_passwd = 1; + } + ++ free(fname); + return (1); + } + +diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c +index 1b79abf..f7f42fd 100644 +--- a/pppd/eap-tls.c ++++ b/pppd/eap-tls.c +@@ -693,6 +693,7 @@ int eaptls_init_ssl_server(eap_state * esp) + } + + strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); ++ ets->peer[MAXWORDLEN - 1] = 0; + + dbglog( "getting eaptls secret" ); + if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, +@@ -780,7 +781,10 @@ int eaptls_init_ssl_client(eap_state * esp) + * verify + */ + if (esp->es_client.ea_peer) ++ { + strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); ++ ets->peer[MAXWORDLEN - 1] = 0; ++ } + else + ets->peer[0] 
= 0; + +@@ -835,7 +839,10 @@ int eaptls_init_ssl_client(eap_state * esp) + * ssl_verify_callback() + */ + if (servcertfile[0]) ++ { + strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); ++ ets->peercertfile[MAXWORDLEN - 1] = 0; ++ } + else + ets->peercertfile[0] = 0; + +diff --git a/pppd/multilink.c b/pppd/multilink.c +index 2f0ed50..67200ba 100644 +--- a/pppd/multilink.c ++++ b/pppd/multilink.c +@@ -445,9 +445,13 @@ get_default_epdisc(ep) + if (p != 0 && get_if_hwaddr(ep->value, p) >= 0) { + ep->class = EPD_MAC; + ep->length = 6; ++ free(p); + return 1; + } + ++ if (p) ++ free(p); ++ + /* see if our hostname corresponds to a reasonable IP address */ + hp = gethostbyname(hostname); + if (hp != NULL) { +diff --git a/pppd/options.c b/pppd/options.c +index 1cef314..bc264d6 100644 +--- a/pppd/options.c ++++ b/pppd/options.c +@@ -1735,7 +1735,7 @@ user_unsetenv(argv) + option_error("unexpected = in name: %s", arg); + return 0; + } +- if (arg == '\0') { ++ if (*arg == '\0') { + option_error("missing variable name for unset"); + return 0; + } +diff --git a/pppd/plugins/pppol2tp/openl2tp.c b/pppd/plugins/pppol2tp/openl2tp.c +index 1099575..7c4fe8b 100644 +--- a/pppd/plugins/pppol2tp/openl2tp.c ++++ b/pppd/plugins/pppol2tp/openl2tp.c +@@ -246,6 +246,9 @@ out: + (*old_pppol2tp_ip_updown_hook)(tunnel_id, session_id, up); + } + ++ if (user_name != NULL) ++ free(user_name); ++ + return; + } + +diff --git a/pppd/plugins/radius/avpair.c b/pppd/plugins/radius/avpair.c +index 716d23f..ec48eb8 100644 +--- a/pppd/plugins/radius/avpair.c ++++ b/pppd/plugins/radius/avpair.c +@@ -121,7 +121,8 @@ VALUE_PAIR *rc_avpair_new (int attrid, void *pval, int len, int vendorcode) + if ((vp = (VALUE_PAIR *) malloc (sizeof (VALUE_PAIR))) + != (VALUE_PAIR *) NULL) + { +- strncpy (vp->name, pda->name, sizeof (vp->name)); ++ strncpy (vp->name, pda->name, NAME_LENGTH); ++ vp->name[NAME_LENGTH] = 0; + vp->attribute = attrid; + vp->vendorcode = vendorcode; + vp->next = (VALUE_PAIR *) NULL; +diff --git 
a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c +index a29e5e8..6e36d89 100644 +--- a/pppd/plugins/radius/config.c ++++ b/pppd/plugins/radius/config.c +@@ -153,6 +153,7 @@ static int set_option_auo(char *filename, int line, OPTION *option, char *p) + *iptr = AUTH_RADIUS_FST; + else { + error("%s: auth_order: unknown keyword: %s", filename, p); ++ free(iptr); + return (-1); + } + +@@ -165,6 +166,7 @@ static int set_option_auo(char *filename, int line, OPTION *option, char *p) + *iptr = (*iptr) | AUTH_RADIUS_SND; + else { + error("%s: auth_order: unknown or unexpected keyword: %s", filename, p); ++ free(iptr); + return (-1); + } + } +@@ -272,7 +274,7 @@ char *rc_conf_str(char *optname) + + if (option == NULL) + fatal("rc_conf_str: unkown config option requested: %s", optname); +- return (char *)option->val; ++ return (char *)option->val; + } + + int rc_conf_int(char *optname) +diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c +index 4ba5f52..6f2a0bd 100644 +--- a/pppd/plugins/radius/radius.c ++++ b/pppd/plugins/radius/radius.c +@@ -898,7 +898,8 @@ radius_acct_start(void) + + rstate.start_time = time(NULL); + +- strncpy(rstate.session_id, rc_mksid(), sizeof(rstate.session_id)); ++ strncpy(rstate.session_id, rc_mksid(), MAXSESSIONID); ++ rstate.session_id[MAXSESSIONID] = 0; + + rc_avpair_add(&send, PW_ACCT_SESSION_ID, + rstate.session_id, 0, VENDOR_NONE); +diff --git a/pppd/plugins/radius/radiusclient.h b/pppd/plugins/radius/radiusclient.h +index 51b959a..cff0c26 100644 +--- a/pppd/plugins/radius/radiusclient.h ++++ b/pppd/plugins/radius/radiusclient.h +@@ -440,6 +440,7 @@ UINT4 rc_get_ipaddr __P((char *)); + int rc_good_ipaddr __P((char *)); + const char *rc_ip_hostname __P((UINT4)); + UINT4 rc_own_ipaddress __P((void)); ++UINT4 rc_own_bind_ipaddress __P((void)); + + + /* sendserver.c */ +diff --git a/pppd/plugins/radius/radrealms.c b/pppd/plugins/radius/radrealms.c +index 7a30370..cd006fd 100644 +--- 
a/pppd/plugins/radius/radrealms.c ++++ b/pppd/plugins/radius/radrealms.c +@@ -68,10 +68,12 @@ lookup_realm(char const *user, + + if ((fd = fopen(radrealms_config, "r")) == NULL) { + option_error("cannot open %s", radrealms_config); ++ free(auths); ++ free(accts); + return; +- } ++ } + info("Reading %s", radrealms_config); +- ++ + while ((fgets(buffer, sizeof(buffer), fd) != NULL)) { + line++; + +@@ -87,6 +89,8 @@ lookup_realm(char const *user, + fclose(fd); + option_error("%s: invalid line %d: %s", radrealms_config, + line, buffer); ++ free(auths); ++ free(accts); + return; + } + info("Parsing '%s' entry:", p); +@@ -101,6 +105,8 @@ lookup_realm(char const *user, + fclose(fd); + option_error("%s: realm name missing on line %d: %s", + radrealms_config, line, buffer); ++ free(auths); ++ free(accts); + return; + } + +@@ -111,6 +117,8 @@ lookup_realm(char const *user, + fclose(fd); + option_error("%s: server address missing on line %d: %s", + radrealms_config, line, buffer); ++ free(auths); ++ free(accts); + return; + } + s->name[s->max] = strdup(p); +@@ -119,6 +127,8 @@ lookup_realm(char const *user, + fclose(fd); + option_error("%s: server port missing on line %d: %s", + radrealms_config, line, buffer); ++ free(auths); ++ free(accts); + return; + } + s->port[s->max] = atoi(p); +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux +index 5e06b52..5f79284 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -34,10 +34,10 @@ pppoe-discovery: pppoe-discovery.o debug.o common.o + $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev + + pppoe-discovery.o: pppoe-discovery.c +- $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c ++ $(CC) $(CFLAGS) -I../../.. -c -o pppoe-discovery.o pppoe-discovery.c + + debug.o: debug.c +- $(CC) $(CFLAGS) -c -o debug.o debug.c ++ $(CC) $(CFLAGS) -I../../.. 
-c -o debug.o debug.c + + rp-pppoe.so: plugin.o discovery.o if.o common.o + $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o +diff --git a/pppd/plugins/rp-pppoe/if.c b/pppd/plugins/rp-pppoe/if.c +index 72aba41..50d5693 100644 +--- a/pppd/plugins/rp-pppoe/if.c ++++ b/pppd/plugins/rp-pppoe/if.c +@@ -133,7 +133,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + + /* Fill in hardware address */ + if (hwaddr) { +- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); ++ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ++ ifr.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(fd, SIOCGIFHWADDR, &ifr) < 0) { + error("Can't get hardware address for %s: %m", ifname); + close(fd); +@@ -152,7 +153,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + } + + /* Sanity check on MTU */ +- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); ++ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ++ ifr.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(fd, SIOCGIFMTU, &ifr) < 0) { + error("Can't get MTU for %s: %m", ifname); + } else if (ifr.ifr_mtu < ETH_DATA_LEN) { +@@ -166,7 +168,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + sa.sll_family = AF_PACKET; + sa.sll_protocol = htons(type); + +- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); ++ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ++ ifr.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { + error("Could not get interface index for %s: %m", ifname); + close(fd); +diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c +index 24bdf8f..1856c6b 100644 +--- a/pppd/plugins/rp-pppoe/plugin.c ++++ b/pppd/plugins/rp-pppoe/plugin.c +@@ -153,7 +153,7 @@ PPPOEConnectDevice(void) + error("Can't get MTU for %s: %m", conn->ifName); + goto errout; + } +- strncpy(ifr.ifr_name, conn->ifName, sizeof(ifr.ifr_name)); ++ strlcpy(ifr.ifr_name, conn->ifName, sizeof(ifr.ifr_name)); + if (ioctl(s, SIOCGIFMTU, &ifr) < 0) { + error("Can't get 
MTU for %s: %m", conn->ifName); + close(s); +@@ -326,7 +326,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) + + /* Try getting interface index */ + if (r) { +- strncpy(ifr.ifr_name, cmd, sizeof(ifr.ifr_name)); ++ strlcpy(ifr.ifr_name, cmd, sizeof(ifr.ifr_name)); + if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { + r = 0; + } else { +@@ -345,7 +345,7 @@ PPPoEDevnameHook(char *cmd, char **argv, int doit) + /* Close socket */ + close(fd); + if (r && doit) { +- strncpy(devnam, cmd, sizeof(devnam)); ++ strlcpy(devnam, cmd, sizeof(devnam)); + if (the_channel != &pppoe_channel) { + + the_channel = &pppoe_channel; +diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c +index 2bd910f..502e17f 100644 +--- a/pppd/plugins/rp-pppoe/pppoe-discovery.c ++++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c +@@ -177,7 +177,8 @@ openInterface(char const *ifname, UINT16_t type, unsigned char *hwaddr) + sa.sll_family = AF_PACKET; + sa.sll_protocol = htons(type); + +- strncpy(ifr.ifr_name, ifname, sizeof(ifr.ifr_name)); ++ strncpy(ifr.ifr_name, ifname, IFNAMSIZ); ++ ifr.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(fd, SIOCGIFINDEX, &ifr) < 0) { + fatalSys("ioctl(SIOCFIGINDEX): Could not get interface index"); + } +diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h +index f77f5b7..6118e27 100644 +--- a/pppd/plugins/rp-pppoe/pppoe.h ++++ b/pppd/plugins/rp-pppoe/pppoe.h +@@ -24,6 +24,8 @@ + #include /* For FILE */ + #include /* For pid_t */ + ++#include "pppd/pppd.h" /* For error */ ++ + /* How do we access raw Ethernet devices? */ + #undef USE_LINUX_PACKET + #undef USE_BPF +diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c +index bb05acd..4638f46 100644 +--- a/pppd/plugins/winbind.c ++++ b/pppd/plugins/winbind.c +@@ -432,6 +432,7 @@ unsigned int run_ntlm_auth(const char *username, + + /* parent */ + if (close(child_out[0]) == -1) { ++ close(child_in[1]); + notice("error closing pipe?!? 
for child OUT[0]"); + return NOT_AUTHENTICATED; + } +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 9a1d8a6..ef92486 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -2236,7 +2236,6 @@ int ppp_available(void) + } + } + +- close (s); + if (!ok) { + slprintf(route_buffer, sizeof(route_buffer), + "Sorry - PPP driver version %d.%d.%d is out of date\n", +@@ -2246,6 +2245,7 @@ int ppp_available(void) + } + } + } ++ close(s); + return ok; + } + +@@ -2722,7 +2722,10 @@ get_pty(master_fdp, slave_fdp, slave_name, uid) + warn("Couldn't unlock pty slave %s: %m", pty_name); + #endif + if ((sfd = open(pty_name, O_RDWR | O_NOCTTY | O_CLOEXEC)) < 0) ++ { + warn("Couldn't open pty slave %s: %m", pty_name); ++ close(mfd); ++ } + } + } + #endif /* TIOCGPTN */ +@@ -3011,6 +3014,7 @@ ether_to_eui64(eui64_t *p_eui64) + if (get_first_ethernet(ð_dev) < 0) + { + warn("no ethernet device present on the host"); ++ close(skfd); + return 0; + } + +diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c +index 6367988..4aaa319 100644 +--- a/pppstats/pppstats.c ++++ b/pppstats/pppstats.c +@@ -150,7 +150,8 @@ get_ppp_stats(curp) + #define ifr_name ifr__name + #endif + +- strncpy(req.ifr_name, interface, sizeof(req.ifr_name)); ++ strncpy(req.ifr_name, interface, IFNAMSIZ); ++ req.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(s, SIOCGPPPSTATS, &req) < 0) { + fprintf(stderr, "%s: ", progname); + if (errno == ENOTTY) +@@ -176,7 +177,8 @@ get_ppp_cstats(csp) + #define ifr_name ifr__name + #endif + +- strncpy(creq.ifr_name, interface, sizeof(creq.ifr_name)); ++ strncpy(creq.ifr_name, interface, IFNAMSIZ); ++ creq.ifr_name[IFNAMSIZ - 1] = 0; + if (ioctl(s, SIOCGPPPCSTATS, &creq) < 0) { + fprintf(stderr, "%s: ", progname); + if (errno == ENOTTY) { +@@ -526,7 +528,8 @@ main(argc, argv) + #undef ifr_name + #define ifr_name ifr_ifrn.ifrn_name + #endif +- strncpy(ifr.ifr_name, interface, sizeof(ifr.ifr_name)); ++ strncpy(ifr.ifr_name, interface, IFNAMSIZ); ++ ifr.ifr_name[IFNAMSIZ - 1] = 0; + if 
(ioctl(s, SIOCGIFFLAGS, (caddr_t)&ifr) < 0) { + fprintf(stderr, "%s: nonexistent interface '%s' specified\n", + progname, interface); diff --git a/SOURCES/ppp-2.4.7-eaptls-mppe-1.101.patch b/SOURCES/ppp-2.4.7-eaptls-mppe-1.101.patch new file mode 100644 index 0000000..127fcf8 --- /dev/null +++ b/SOURCES/ppp-2.4.7-eaptls-mppe-1.101.patch 
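Review bot: In pppd/plugins/radius/avpair.c and pppd/plugins/radius/radius.c the new terminators write at the index equal to the copy bound, `vp->name[NAME_LENGTH] = 0;` and `rstate.session_id[MAXSESSIONID] = 0;`, which is in bounds only if both arrays are declared with one extra byte; the declarations are not part of these hunks. The other strncpy fixes in this patch terminate at `[MAXWORDLEN - 1]` and `[IFNAMSIZ - 1]`, so the two conventions sit side by side and are easy to confuse. Keeping the original `sizeof` bound and terminating with `vp->name[sizeof(vp->name) - 1] = 0;` and `rstate.session_id[sizeof(rstate.session_id) - 1] = 0;` is correct whichever way the arrays are declared. Separately, in `get_pty` the added `close(mfd);` leaves `mfd` holding a closed descriptor; the rest of the function is outside the hunk, so whether it is used again cannot be confirmed here, and `mfd = -1;` after the close would rule it out.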
@@ -0,0 +1,3230 @@ +diff -Naur ppp-2.4.7/README.eap-tls ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls +--- ppp-2.4.7/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/README.eap-tls 2018-06-02 01:42:04.021165440 +0200 +@@ -0,0 +1,286 @@ ++EAP-TLS authentication support for PPP ++====================================== ++ ++1. Intro ++ ++ The Extensible Authentication Protocol (EAP; RFC 3748) is a ++ security protocol that can be used with PPP. It provides a means ++ to plug in multiple optional authentication methods. ++ ++ Transport Level Security (TLS; RFC 2246) provides for mutual ++ authentication, integrity-protected ciphersuite negotiation and ++ key exchange between two endpoints. It also provides for optional ++ MPPE encryption. ++ ++ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, ++ allowing TLS mutual authentication to be used as a generic EAP ++ mechanism. It also provides optional encryption using the MPPE ++ protocol. ++ ++ This patch provide EAP-TLS support to pppd. ++ This authentication method can be used in both client or server ++ mode. ++ ++2. Building ++ ++ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) ++ is required. Any version from 0.9.7 should work. ++ ++ Configure, compile, and install as usual. ++ ++3. Configuration ++ ++ On the client side there are two ways to configure EAP-TLS: ++ ++ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters ++ ++ 2. edit the /etc/ppp/eaptls-client file. ++ Insert a line for each system with which you use EAP-TLS. 
++ The line is composed of this fields separated by tab: ++ ++ - Client name ++ The name used by the client for authentication, can be * ++ - Server name ++ The name of the server, can be * ++ - Client certificate file ++ The file containing the certificate chain for the ++ client in PEM format ++ - Server certificate file ++ If you want to specify the certificate that the ++ server is allowed to use, put the certificate file name. ++ Else put a dash '-'. ++ - CA certificate file ++ The file containing the trusted CA certificates in PEM ++ format. ++ - Client private key file ++ The file containing the client private key in PEM format. ++ ++ ++ On the server side edit the /etc/ppp/eaptls-server file. ++ Insert a line for each system with which you use EAP-TLS. ++ The line is composed of this fields separated by tab: ++ ++ - Client name ++ The name used by the client for authentication, can be * ++ - Server name ++ The name of the server, can be * ++ - Client certificate file ++ If you want to specify the certificate that the ++ client is allowed to use, put the certificate file name. ++ Else put a dash '-'. ++ - Server certificate file ++ The file containing the certificate chain for the ++ server in PEM format ++ - CA certificate file ++ The file containing the trusted CA certificates in PEM format. ++ - Client private key file ++ The file containing the server private key in PEM format. ++ - addresses ++ A list of IP addresses the client is allowed to use. ++ ++ ++ OpenSSL engine support is included starting with v0.95 of this patch. ++ Currently the only engine tested is the 'pkcs11' engine (hardware token ++ support). To use the 'pksc11' engine: ++ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: ++ : ++ e.g. ++ pkcs11:123456 ++ ++ - The certificate can also be loaded from the 'pkcs11' engine using ++ a special client certificate filename in the /etc/ppp/eaptls-client file: ++ : ++ e.g. 
++ pkcs11:123456 ++ ++ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior ++ to starting 'pppd'. A sample openssl.cnf file is ++ ++ openssl_conf = openssl_def ++ ++ [ openssl_def ] ++ engines = engine_section ++ ++ [ engine_section ] ++ pkcs11 = pkcs11_section ++ ++ [ pkcs11_section ] ++ engine_id = pkcs11 ++ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so ++ MODULE_PATH = /usr/lib64/libeTPkcs11.so ++ init = 0 ++ ++ - There are two ways to specify a password/PIN for the PKCS11 engine: ++ - inside the openssl.cnf file using ++ PIN = your-secret-pin ++ Note The keyword 'PIN' is case sensitive! ++ - Using the 'password' in the ppp options file. ++ From v0.97 of the eap-tls patch the password can also be supplied ++ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c ++ for an example). ++ ++ ++4. Options ++ ++ These pppd options are available: ++ ++ ca ++ Use the CA public certificate found in in PEM format ++ cert ++ Use the client public certificate found in in PEM format ++ or in engine:engine_id format ++ key ++ Use the client private key found in in PEM format ++ or in engine:engine_id format ++ crl ++ Use the Certificate Revocation List (CRL) file in PEM format. ++ crl-dir ++ Use CRL files from directory . It contains CRL files in PEM ++ format and each file contains a CRL. The files are looked up ++ by the issuer name hash value. Use the c_rehash utility ++ to create necessary links. ++ need-peer-eap ++ If the peer doesn't ask us to authenticate or doesn't use eap ++ to authenticate us, disconnect. ++ ++ Note: ++ password-encrypted certificates can be used as of v0.94 of this ++ patch. The password for the eap-tls.key file is specified using ++ the regular ++ password .... ++ statement in the ppp options file, or by using the appropriate ++ plugin which supplies a 'eaptls_passwd_hook' routine. ++ ++5. 
Connecting ++ ++ If you're setting up a pppd server, edit the EAP-TLS configuration file ++ as written above and then run pppd with the 'auth' option to authenticate ++ the client. The EAP-TLS method will be used if the other eap methods can't ++ be used (no secrets). ++ ++ If you're setting up a client, edit the configuration file and then run ++ pppd with 'remotename' option to specify the server name. Add the ++ 'need-peer-eap' option if you want to be sure the peer ask you to ++ authenticate (and to use eap) and to disconnect if it doesn't. ++ ++6. Example ++ ++ The following example can be used to connect a Linux client with the 'pptp' ++ package to a Linux server running the 'pptpd' (PoPToP) package. The server ++ was configured with a certificate with name (CN) 'pptp-server', the client ++ was configured with a certificate with name (CN) 'pptp-client', both ++ signed by the same Certificate Authority (CA). ++ ++ Server side: ++ - /etc/pptpd.conf file: ++ option /etc/ppp/options-pptpd-eaptls ++ localip 172.16.1.1 ++ remoteip 172.16.1.10-20 ++ - /etc/ppp/options-pptpd-eaptls file: ++ name pptp-server ++ lock ++ mtu 1500 ++ mru 1450 ++ auth ++ lcp-echo-failure 3 ++ lcp-echo-interval 5 ++ nodeflate ++ nobsdcomp ++ nopredictor1 ++ nopcomp ++ noaccomp ++ ++ require-eap ++ require-mppe-128 ++ ++ crl /home/janjust/ppp/keys/crl.pem ++ ++ debug ++ logfile /tmp/pppd.log ++ ++ - /etc/ppp/eaptls-server file: ++ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * ++ ++ - On the server, run ++ pptdp --conf /etc/pptpd.conf ++ ++ Client side: ++ - Run ++ pppd noauth require-eap require-mppe-128 \ ++ ipcp-accept-local ipcp-accept-remote noipdefault \ ++ cert /etc/ppp/keys/pptp-client.crt \ ++ key /etc/ppp/keys/pptp-client.key \ ++ ca /etc/ppp/keys/ca.crt \ ++ name pptp-client remotename pptp-server \ ++ debug logfile /tmp/pppd.log ++ pty "pptp pptp-server.example.com --nolaunchpppd" ++ ++ Check /var/log/messages and the files /tmp/pppd.log on 
both sides for debugging info. ++ ++7. Notes ++ ++ This is experimental code. ++ Send suggestions and comments to Jan Just Keijser ++ ++8. Changelog of ppp-<>-eaptls-mppe-* patches ++ ++v0.7 (22-Nov-2005) ++ - First version of the patch to include MPPE support ++ - ppp-2.4.3 only ++v0.9 (25-Jul-2006) ++ - Bug fixes ++ - First version for ppp-2.4.4 ++v0.91 (03-Sep-2006) ++ - Added missing #include for md5.h ++ - Last version for ppp-2.4.3 ++v0.92 (22-Apr-2008) ++ - Fix for openssl 0.9.8 issue with md5 function overload. ++v0.93 (14-Aug-2008) ++ - Make sure 'noauth' option can be used to bypass server certificate verification. ++v0.94 (15-Oct-2008) ++ - Added support for password-protected private keys by (ab)using the 'password' field. ++v0.95 (23-Dec-2009) ++ - First version with OpenSSL engine support. ++v0.96 (27-Jan-2010) ++ - Added fully functional support for OpenSSL engines (PKCS#11) ++ - First version for ppp-2.4.5 ++v0.97 (20-Apr-2010) ++ - Some bug fixes for v0.96 ++ - Added support for entering the password via a plugin. The sample plugin ++ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. ++ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. ++ - Added support for specifying the client CA, certificate and private key on the command-line ++ or via the ppp config file. ++v0.98 (20-Apr-2010) ++ - Fix initialisation bug when using ca/cert/key command-line options. ++ - Last version for ppp-2.4.4 ++v0.99 (05-Oct-2010) ++ - Fix coredump when using multilink option. ++v0.991 (08-Aug-2011) ++ - Fix compilation issue with openssl 1.0. ++v0.992 (01-Dec-2011) ++ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. ++v0.993 (24-Apr-2012) ++ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. ++v0.994 (11-Jun-2012) ++ - Fix compilation issue on Ubuntu 11.10. ++v0.995 (27-May-2014) ++ - Add support for a CRL file using the command-line option 'crl' ++ (prior only 'crl-dir' was supported). 
++ - Fix segfault when pkcs11 enginename was not specified correctly. ++ - Fix segfault when client was misconfigured. ++ - Disable SSL Session Ticket support as Windows 8 does not support this. ++v0.996 (28-May-2014) ++ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' ++ - Add EAP-TLS-specific options to pppd.8 manual page. ++ - Updated README.eap-tls file with new options and provide an example. ++v0.997 (19-Jun-2014) ++ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET ++ - Fix bug in initialisation code with fragmented packets. ++v0.998 (13-Mar-2015) ++ - Added fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 ++v0.999 (11-May-2017) ++ - Added support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. ++v1.101 (1-Jun-2018) ++ - Fix vulnerabilities CVE-2018-11574. ++ +diff -Naur ppp-2.4.7/etc.ppp/eaptls-client ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client +--- ppp-2.4.7/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-client 2018-06-02 01:42:04.021165440 +0200 +@@ -0,0 +1,10 @@ ++# Parameters for authentication using EAP-TLS (client) ++ ++# client name (can be *) ++# server name (can be *) ++# client certificate file (required) ++# server certificate file (optional, if unused put '-') ++# CA certificate file (required) ++# client private key file (required) ++ ++#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key +diff -Naur ppp-2.4.7/etc.ppp/eaptls-server ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server +--- ppp-2.4.7/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/eaptls-server 2018-06-02 01:42:04.021165440 +0200 +@@ -0,0 +1,11 @@ ++# Parameters for authentication using EAP-TLS (server) ++ ++# client name (can be *) ++# server name (can be *) ++# client certificate file (optional, if unused put '-') ++# server certificate file (required) ++# CA certificate 
file (required) ++# server private key file (required) ++# allowed addresses (required, can be *) ++ ++#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 +diff -Naur ppp-2.4.7/etc.ppp/openssl.cnf ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf +--- ppp-2.4.7/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/etc.ppp/openssl.cnf 2018-06-02 01:42:04.021165440 +0200 +@@ -0,0 +1,14 @@ ++openssl_conf = openssl_def ++ ++[ openssl_def ] ++engines = engine_section ++ ++[ engine_section ] ++pkcs11 = pkcs11_section ++ ++[ pkcs11_section ] ++engine_id = pkcs11 ++dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so ++MODULE_PATH = /usr/lib64/libeTPkcs11.so ++init = 0 ++ +diff -Naur ppp-2.4.7/linux/Makefile.top ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top +--- ppp-2.4.7/linux/Makefile.top 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/linux/Makefile.top 2018-06-02 01:42:04.021165440 +0200 +@@ -26,7 +26,7 @@ + cd pppdump; $(MAKE) $(MFLAGS) install + + install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ +- $(ETCDIR)/chap-secrets ++ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client + + install-devel: + cd pppd; $(MAKE) $(MFLAGS) install-devel +@@ -37,6 +37,10 @@ + $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ + $(ETCDIR)/chap-secrets: + $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ ++$(ETCDIR)/eaptls-server: ++ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ ++$(ETCDIR)/eaptls-client: ++ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ + + $(BINDIR): + $(INSTALL) -d -m 755 $@ +diff -Naur ppp-2.4.7/pppd/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux +--- ppp-2.4.7/pppd/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/Makefile.linux 2018-06-02 01:42:04.021165440 +0200 +@@ -76,6 +76,9 @@ + # Use libutil + USE_LIBUTIL=y + ++# Enable EAP-TLS authentication (requires libssl and libcrypto) 
++USE_EAPTLS=y ++ + MAXOCTETS=y + + INCLUDE_DIRS= -I../include +@@ -115,6 +118,15 @@ + PPPDOBJS += sha1.o + endif + ++# EAP-TLS ++ifdef USE_EAPTLS ++CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include ++LIBS += -lssl -lcrypto ++PPPDSRC += eap-tls.c ++HEADERS += eap-tls.h ++PPPDOBJS += eap-tls.o ++endif ++ + ifdef HAS_SHADOW + CFLAGS += -DHAS_SHADOW + #LIBS += -lshadow $(LIBS) +diff -Naur ppp-2.4.7/pppd/auth.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c +--- ppp-2.4.7/pppd/auth.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/auth.c 2018-06-02 01:42:04.022165436 +0200 +@@ -109,6 +109,9 @@ + #include "upap.h" + #include "chap-new.h" + #include "eap.h" ++#ifdef USE_EAPTLS ++#include "eap-tls.h" ++#endif + #ifdef CBCP_SUPPORT + #include "cbcp.h" + #endif +@@ -183,6 +186,11 @@ + /* Hook for a plugin to get the CHAP password for authenticating us */ + int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; + ++#ifdef USE_EAPTLS ++/* Hook for a plugin to get the EAP-TLS password for authenticating us */ ++int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; ++#endif ++ + /* Hook for a plugin to say whether it is OK if the peer + refuses to authenticate. 
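Review bot: The `ifdef USE_EAPTLS` block adds `-I/usr/kerberos/include` to `CFLAGS` without saying why an EAP-TLS build needs a Kerberos header directory, and it hard-codes `-lssl -lcrypto` with no way to point the build at a different OpenSSL. I would drop the include path unless a supported target still needs it, or keep it with a comment such as `# needed only where OpenSSL's headers include krb5.h from /usr/kerberos` (that purpose is my assumption and needs confirming). Note also that `ifdef` is true for any non-empty value, so `USE_EAPTLS=n` still enables the feature. The `# Enable EAP-TLS authentication` comment in the earlier hunk could say that the line has to be commented out to disable it.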
*/ + int (*null_auth_hook) __P((struct wordlist **paddrs, +@@ -238,6 +246,14 @@ + bool explicit_user = 0; /* Set if "user" option supplied */ + bool explicit_passwd = 0; /* Set if "password" option supplied */ + char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ ++#ifdef USE_EAPTLS ++char *cacert_file = NULL; /* CA certificate file (pem format) */ ++char *cert_file = NULL; /* client certificate file (pem format) */ ++char *privkey_file = NULL; /* client private key file (pem format) */ ++char *crl_dir = NULL; /* directory containing CRL files */ ++char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ ++bool need_peer_eap = 0; /* Require peer to authenticate us */ ++#endif + + static char *uafname; /* name of most recent +ua file */ + +@@ -254,6 +270,19 @@ + static int have_chap_secret __P((char *, char *, int, int *)); + static int have_srp_secret __P((char *client, char *server, int need_ip, + int *lacks_ipp)); ++ ++#ifdef USE_EAPTLS ++static int have_eaptls_secret_server ++__P((char *client, char *server, int need_ip, int *lacks_ipp)); ++static int have_eaptls_secret_client __P((char *client, char *server)); ++static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, ++ char *cli_cert, char *serv_cert, ++ char *ca_cert, char *pk, ++ struct wordlist ** addrs, ++ struct wordlist ** opts, ++ char *filename, int flags)); ++#endif ++ + static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); + static int scan_authfile __P((FILE *, char *, char *, char *, + struct wordlist **, struct wordlist **, +@@ -401,6 +430,15 @@ + "Set telephone number(s) which are allowed to connect", + OPT_PRIV | OPT_A2LIST }, + ++#ifdef USE_EAPTLS ++ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, ++ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, ++ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, ++ { "crl-dir", o_string, &crl_dir, "Use 
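Review bot: The comment on `eaptls_passwd_hook` does not say what the two arguments carry, and the parameter name `user` is misleading. The only call visible in this patch, in get_eaptls_secret(), passes the private-key file name as the first argument and the global `passwd` buffer as the second, and treats a negative return as failure. I would document it as `/* Hook for a plugin to supply the passphrase of the EAP-TLS private key: gets the key file name and the passwd buffer to fill, returns < 0 on failure */` and rename the first parameter to `pkfile`. The size of the buffer the plugin may write into should be stated there too, since the prototype gives no length.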
CRLs in directory" }, ++ { "crl", o_string, &crl_file, "Use specific CRL file" }, ++ { "need-peer-eap", o_bool, &need_peer_eap, ++ "Require the peer to authenticate us", 1 }, ++#endif /* USE_EAPTLS */ + { NULL } + }; + +@@ -730,6 +768,9 @@ + lcp_options *wo = &lcp_wantoptions[unit]; + lcp_options *go = &lcp_gotoptions[unit]; + lcp_options *ho = &lcp_hisoptions[unit]; ++#ifdef USE_EAPTLS ++ lcp_options *ao = &lcp_allowoptions[unit]; ++#endif + int i; + struct protent *protp; + +@@ -764,6 +805,22 @@ + } + } + ++#ifdef USE_EAPTLS ++ if (need_peer_eap && !ao->neg_eap) { ++ warn("eap required to authenticate us but no suitable secrets"); ++ lcp_close(unit, "couldn't negotiate eap"); ++ status = EXIT_AUTH_TOPEER_FAILED; ++ return; ++ } ++ ++ if (need_peer_eap && !ho->neg_eap) { ++ warn("peer doesn't want to authenticate us with eap"); ++ lcp_close(unit, "couldn't negotiate eap"); ++ status = EXIT_PEER_AUTH_FAILED; ++ return; ++ } ++#endif ++ + new_phase(PHASE_AUTHENTICATE); + auth = 0; + if (go->neg_eap) { +@@ -1277,6 +1334,15 @@ + our_name, 1, &lacks_ip); + } + ++#ifdef USE_EAPTLS ++ if (!can_auth && wo->neg_eap) { ++ can_auth = ++ have_eaptls_secret_server((explicit_remote ? remote_name : ++ NULL), our_name, 1, &lacks_ip); ++ ++ } ++#endif ++ + if (auth_required && !can_auth && noauth_addrs == NULL) { + if (default_auth) { + option_error( +@@ -1331,7 +1397,11 @@ + passwd[0] != 0 || + (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, + (explicit_remote? remote_name: NULL), 0, NULL))) || +- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); ++ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) ++#ifdef USE_EAPTLS ++ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) ++#endif ++ ); + + hadchap = -1; + if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) +@@ -1346,8 +1416,14 @@ + !have_chap_secret((explicit_remote? remote_name: NULL), our_name, + 1, NULL))) && + !have_srp_secret((explicit_remote? 
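Review bot: The new `ca`, `cert`, `key`, `crl-dir` and `crl` entries take file paths but carry no flags, while the entry just above them in this table is marked `OPT_PRIV | OPT_A2LIST`. If pppd is installed with elevated privileges, these paths are opened with pppd's rights on behalf of whoever supplied the option, so it is worth deciding explicitly whether an unprivileged caller may set them. If not, add the flag, e.g. `{ "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format", OPT_PRIV },`; if so, a comment should say why it is safe. The option table starts outside this hunk, so I have not checked how the other path-valued options are flagged.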
remote_name: NULL), our_name, 1, +- NULL)) ++ NULL) ++#ifdef USE_EAPTLS ++ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), ++ our_name, 1, NULL) ++#endif ++ ) + go->neg_eap = 0; ++ + } + + +@@ -1707,6 +1783,7 @@ + } + + ++ + /* + * get_secret - open the CHAP secret file and return the secret + * for authenticating the given client on the given server. +@@ -2359,3 +2436,335 @@ + + auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); + } ++ ++ ++#ifdef USE_EAPTLS ++static int ++have_eaptls_secret_server(client, server, need_ip, lacks_ipp) ++ char *client; ++ char *server; ++ int need_ip; ++ int *lacks_ipp; ++{ ++ FILE *f; ++ int ret; ++ char *filename; ++ struct wordlist *addrs; ++ char servcertfile[MAXWORDLEN]; ++ char clicertfile[MAXWORDLEN]; ++ char cacertfile[MAXWORDLEN]; ++ char pkfile[MAXWORDLEN]; ++ ++ filename = _PATH_EAPTLSSERVFILE; ++ f = fopen(filename, "r"); ++ if (f == NULL) ++ return 0; ++ ++ if (client != NULL && client[0] == 0) ++ client = NULL; ++ else if (server != NULL && server[0] == 0) ++ server = NULL; ++ ++ ret = ++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, ++ cacertfile, pkfile, &addrs, NULL, filename, ++ 0); ++ ++ fclose(f); ++ ++/* ++ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, ++ clicertfile, pkfile)) ++ ret = -1; ++*/ ++ ++ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { ++ if (lacks_ipp != 0) ++ *lacks_ipp = 1; ++ ret = -1; ++ } ++ if (addrs != 0) ++ free_wordlist(addrs); ++ ++ return ret >= 0; ++} ++ ++ ++static int ++have_eaptls_secret_client(client, server) ++ char *client; ++ char *server; ++{ ++ FILE *f; ++ int ret; ++ char *filename; ++ struct wordlist *addrs = NULL; ++ char servcertfile[MAXWORDLEN]; ++ char clicertfile[MAXWORDLEN]; ++ char cacertfile[MAXWORDLEN]; ++ char pkfile[MAXWORDLEN]; ++ ++ if (client != NULL && client[0] == 0) ++ client = NULL; ++ else if (server != NULL && server[0] == 0) ++ server = NULL; ++ ++ if (cacert_file && 
cert_file && privkey_file) ++ return 1; ++ ++ filename = _PATH_EAPTLSCLIFILE; ++ f = fopen(filename, "r"); ++ if (f == NULL) ++ return 0; ++ ++ ret = ++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, ++ cacertfile, pkfile, &addrs, NULL, filename, ++ 0); ++ fclose(f); ++ ++/* ++ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, ++ servcertfile, pkfile)) ++ ret = -1; ++*/ ++ ++ if (addrs != 0) ++ free_wordlist(addrs); ++ ++ return ret >= 0; ++} ++ ++ ++static int ++scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, ++ addrs, opts, filename, flags) ++ FILE *f; ++ char *client; ++ char *server; ++ char *cli_cert; ++ char *serv_cert; ++ char *ca_cert; ++ char *pk; ++ struct wordlist **addrs; ++ struct wordlist **opts; ++ char *filename; ++ int flags; ++{ ++ int newline; ++ int got_flag, best_flag; ++ struct wordlist *ap, *addr_list, *alist, **app; ++ char word[MAXWORDLEN]; ++ ++ if (addrs != NULL) ++ *addrs = NULL; ++ if (opts != NULL) ++ *opts = NULL; ++ addr_list = NULL; ++ if (!getword(f, word, &newline, filename)) ++ return -1; /* file is empty??? */ ++ newline = 1; ++ best_flag = -1; ++ for (;;) { ++ /* ++ * Skip until we find a word at the start of a line. ++ */ ++ while (!newline && getword(f, word, &newline, filename)); ++ if (!newline) ++ break; /* got to end of file */ ++ ++ /* ++ * Got a client - check if it's a match or a wildcard. ++ */ ++ got_flag = 0; ++ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { ++ newline = 0; ++ continue; ++ } ++ if (!ISWILD(word)) ++ got_flag = NONWILD_CLIENT; ++ ++ /* ++ * Now get a server and check if it matches. ++ */ ++ if (!getword(f, word, &newline, filename)) ++ break; ++ if (newline) ++ continue; ++ if (!ISWILD(word)) { ++ if (server != NULL && strcmp(word, server) != 0) ++ continue; ++ got_flag |= NONWILD_SERVER; ++ } ++ ++ /* ++ * Got some sort of a match - see if it's better than what ++ * we have already. 
++ */ ++ if (got_flag <= best_flag) ++ continue; ++ ++ /* ++ * Get the cli_cert ++ */ ++ if (!getword(f, word, &newline, filename)) ++ break; ++ if (newline) ++ continue; ++ if (strcmp(word, "-") != 0) { ++ strlcpy(cli_cert, word, MAXWORDLEN); ++ } else ++ cli_cert[0] = 0; ++ ++ /* ++ * Get serv_cert ++ */ ++ if (!getword(f, word, &newline, filename)) ++ break; ++ if (newline) ++ continue; ++ if (strcmp(word, "-") != 0) { ++ strlcpy(serv_cert, word, MAXWORDLEN); ++ } else ++ serv_cert[0] = 0; ++ ++ /* ++ * Get ca_cert ++ */ ++ if (!getword(f, word, &newline, filename)) ++ break; ++ if (newline) ++ continue; ++ strlcpy(ca_cert, word, MAXWORDLEN); ++ ++ /* ++ * Get pk ++ */ ++ if (!getword(f, word, &newline, filename)) ++ break; ++ if (newline) ++ continue; ++ strlcpy(pk, word, MAXWORDLEN); ++ ++ ++ /* ++ * Now read address authorization info and make a wordlist. ++ */ ++ app = &alist; ++ for (;;) { ++ if (!getword(f, word, &newline, filename) || newline) ++ break; ++ ap = (struct wordlist *) ++ malloc(sizeof(struct wordlist) + strlen(word) + 1); ++ if (ap == NULL) ++ novm("authorized addresses"); ++ ap->word = (char *) (ap + 1); ++ strcpy(ap->word, word); ++ *app = ap; ++ app = &ap->next; ++ } ++ *app = NULL; ++ /* ++ * This is the best so far; remember it. 
++ */ ++ best_flag = got_flag; ++ if (addr_list) ++ free_wordlist(addr_list); ++ addr_list = alist; ++ ++ if (!newline) ++ break; ++ } ++ ++ /* scan for a -- word indicating the start of options */ ++ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) ++ if (strcmp(ap->word, "--") == 0) ++ break; ++ /* ap = start of options */ ++ if (ap != NULL) { ++ ap = ap->next; /* first option */ ++ free(*app); /* free the "--" word */ ++ *app = NULL; /* terminate addr list */ ++ } ++ if (opts != NULL) ++ *opts = ap; ++ else if (ap != NULL) ++ free_wordlist(ap); ++ if (addrs != NULL) ++ *addrs = addr_list; ++ else if (addr_list != NULL) ++ free_wordlist(addr_list); ++ ++ return best_flag; ++} ++ ++ ++int ++get_eaptls_secret(unit, client, server, clicertfile, servcertfile, ++ cacertfile, pkfile, am_server) ++ int unit; ++ char *client; ++ char *server; ++ char *clicertfile; ++ char *servcertfile; ++ char *cacertfile; ++ char *pkfile; ++ int am_server; ++{ ++ FILE *fp; ++ int ret; ++ char *filename = NULL; ++ struct wordlist *addrs = NULL; ++ struct wordlist *opts = NULL; ++ ++ /* in client mode the ca+cert+privkey can also be specified as options */ ++ if (!am_server && cacert_file && cert_file && privkey_file ) ++ { ++ strlcpy( clicertfile, cert_file, MAXWORDLEN ); ++ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); ++ strlcpy( pkfile, privkey_file, MAXWORDLEN ); ++ servcertfile[0] = '\0'; ++ } ++ else ++ { ++ filename = (am_server ? 
_PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); ++ addrs = NULL; ++ ++ fp = fopen(filename, "r"); ++ if (fp == NULL) ++ { ++ error("Can't open eap-tls secret file %s: %m", filename); ++ return 0; ++ } ++ ++ check_access(fp, filename); ++ ++ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, ++ cacertfile, pkfile, &addrs, &opts, filename, 0); ++ ++ fclose(fp); ++ ++ if (ret < 0) return 0; ++ } ++ ++ if (eaptls_passwd_hook) ++ { ++ dbglog( "Calling eaptls password hook" ); ++ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) ++ { ++ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", ++ client, pkfile); ++ return 0; ++ } ++ } ++ if (am_server) ++ set_allowed_addrs(unit, addrs, opts); ++ else if (opts != NULL) ++ free_wordlist(opts); ++ if (addrs != NULL) ++ free_wordlist(addrs); ++ ++ return 1; ++} ++#endif ++ +diff -Naur ppp-2.4.7/pppd/ccp.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c +--- ppp-2.4.7/pppd/ccp.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/ccp.c 2018-06-02 01:42:04.022165436 +0200 +@@ -540,6 +540,9 @@ + if (go->mppe) { + ccp_options *ao = &ccp_allowoptions[f->unit]; + int auth_mschap_bits = auth_done[f->unit]; ++#ifdef USE_EAPTLS ++ int auth_eap_bits = auth_done[f->unit]; ++#endif + int numbits; + + /* +@@ -567,8 +570,23 @@ + lcp_close(f->unit, "MPPE required but not available"); + return; + } ++ ++#ifdef USE_EAPTLS ++ /* ++ * MPPE is also possible in combination with EAP-TLS. ++ * It is not possible to detect if we're doing EAP or EAP-TLS ++ * at this stage, hence we accept all forms of EAP. If TLS is ++ * not used then the MPPE keys will not be derived anyway. 
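Review bot: scan_authfile_eaptls() writes straight into the caller's `cli_cert`, `serv_cert`, `ca_cert` and `pk` buffers while it is still parsing an entry, but records `best_flag` only after the address list has been read. A later, better-matching line that stops short (the `if (newline) continue;` and `break` paths after each `getword`) therefore leaves some buffers overwritten while the function still returns the earlier entry's `best_flag`. The caller can then end up with a certificate from one line and a CA or key from another. Parsing into local buffers and copying them out only once the entry is complete avoids that. Separately, have_eaptls_secret_server() and have_eaptls_secret_client() each carry a commented-out `eaptls_init_ssl` call that should be removed or explained.

```c
    char e_cli[MAXWORDLEN], e_serv[MAXWORDLEN];
    char e_ca[MAXWORDLEN], e_pk[MAXWORDLEN];

    /* ... unchanged: client/server matching and the got_flag <= best_flag test ... */

	/*
	 * Get the cli_cert (into a scratch buffer, not the caller's)
	 */
	if (!getword(f, word, &newline, filename))
	    break;
	if (newline)
	    continue;
	if (strcmp(word, "-") != 0)
	    strlcpy(e_cli, word, MAXWORDLEN);
	else
	    e_cli[0] = 0;

	/* ... same pattern for e_serv, e_ca and e_pk ... */
	/* ... unchanged: address list parsing ... */

	/*
	 * The entry parsed completely and is the best so far:
	 * only now hand its fields to the caller.
	 */
	strlcpy(cli_cert, e_cli, MAXWORDLEN);
	strlcpy(serv_cert, e_serv, MAXWORDLEN);
	strlcpy(ca_cert, e_ca, MAXWORDLEN);
	strlcpy(pk, e_pk, MAXWORDLEN);
	best_flag = got_flag;
```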
++ */ ++ /* Leave only the eap auth bits set */ ++ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); ++ ++ if ((numbits == 0) && (auth_eap_bits == 0)) { ++ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); ++#else + if (!numbits) { +- error("MPPE required, but MS-CHAP[v2] auth not performed."); ++ error("MPPE required, but MS-CHAP[v2] auth not performed."); ++#endif + lcp_close(f->unit, "MPPE required but not available"); + return; + } +diff -Naur ppp-2.4.7/pppd/chap-md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c +--- ppp-2.4.7/pppd/chap-md5.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/chap-md5.c 2018-06-02 01:42:04.022165436 +0200 +@@ -36,7 +36,11 @@ + #include "chap-new.h" + #include "chap-md5.h" + #include "magic.h" ++#ifdef USE_EAPTLS ++#include "eap-tls.h" ++#else + #include "md5.h" ++#endif /* USE_EAPTLS */ + + #define MD5_HASH_SIZE 16 + #define MD5_MIN_CHALLENGE 16 +diff -Naur ppp-2.4.7/pppd/eap-tls.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c +--- ppp-2.4.7/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.c 2018-06-02 01:42:16.790124406 +0200 +@@ -0,0 +1,1313 @@ ++/* ++ * eap-tls.c - EAP-TLS implementation for PPP ++ * ++ * Copyright (c) Beniamino Galvani 2005 All rights reserved. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. 
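Review bot: With USE_EAPTLS the MPPE guard now passes for any EAP method, because `auth_eap_bits` keeps `EAP_WITHPEER | EAP_PEER` and the added comment itself says EAP-TLS cannot be told apart from plain EAP at this point. The comment's claim that the keys "will not be derived anyway" only protects the link if something after this check refuses to continue when no keys were set. That code is not in the hunk, so please confirm it and name it in the comment, e.g. `/* a non-TLS EAP method sets no keys; the later mppe_keys_set test must then close the link */`. Opening `if (...) {` separately in the `#ifdef` and `#else` arms with one shared closing brace is also fragile; computing the condition into a variable before a single `if` keeps the braces in one place.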
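Review bot: Replacing `md5.h` with `eap-tls.h` under USE_EAPTLS is not explained, and this file presumably still needs the MD5 declarations, so it now depends on whatever `eap-tls.h` happens to include. Going by the v0.92 changelog entry about an md5 function overload, that is probably OpenSSL's MD5 API. A one-line comment such as `/* eap-tls.h brings in the MD5 declarations for OpenSSL builds; md5.h would clash with them */` would make the dependency explicit. The header's contents are outside this hunk, so the wording should be checked against it.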
The name(s) of the authors of this software must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. ++ * ++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO ++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY ++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN ++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING ++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. ++ * ++ */ ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++#include ++#include ++ ++#include "pppd.h" ++#include "eap.h" ++#include "eap-tls.h" ++#include "fsm.h" ++#include "lcp.h" ++#include "pathnames.h" ++ ++/* The openssl configuration file and engines can be loaded only once */ ++static CONF *ssl_config = NULL; ++static ENGINE *cert_engine = NULL; ++static ENGINE *pkey_engine = NULL; ++ ++#ifdef MPPE ++ ++#if OPENSSL_VERSION_NUMBER < 0x10100000L ++ ++/* ++ * https://wiki.openssl.org/index.php/1.1_API_Changes ++ * tries to provide some guidance but ultimately falls short. ++ */ ++ ++ ++static void HMAC_CTX_free(HMAC_CTX *ctx) ++{ ++ if (ctx != NULL) { ++ HMAC_CTX_cleanup(ctx); ++ OPENSSL_free(ctx); ++ } ++} ++ ++static HMAC_CTX *HMAC_CTX_new(void) ++{ ++ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); ++ if (ctx != NULL) ++ HMAC_CTX_init(ctx); ++ return ctx; ++} ++ ++/* ++ * These were basically jacked directly from the OpenSSL tree ++ * without adjustments. 
++ */ ++ ++static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, ++ size_t outlen) ++{ ++ if (outlen == 0) ++ return sizeof(ssl->s3->client_random); ++ if (outlen > sizeof(ssl->s3->client_random)) ++ outlen = sizeof(ssl->s3->client_random); ++ memcpy(out, ssl->s3->client_random, outlen); ++ return outlen; ++} ++ ++static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, ++ size_t outlen) ++{ ++ if (outlen == 0) ++ return sizeof(ssl->s3->server_random); ++ if (outlen > sizeof(ssl->s3->server_random)) ++ outlen = sizeof(ssl->s3->server_random); ++ memcpy(out, ssl->s3->server_random, outlen); ++ return outlen; ++} ++ ++static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, ++ unsigned char *out, size_t outlen) ++{ ++ if (outlen == 0) ++ return session->master_key_length; ++ if (outlen > session->master_key_length) ++ outlen = session->master_key_length; ++ memcpy(out, session->master_key, outlen); ++ return outlen; ++} ++ ++/* Avoid a deprecated warning in OpenSSL 1.1 whilst still allowing to build against 1.0.x */ ++#define TLS_method TLSv1_method ++ ++#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ ++ ++/* ++ * TLS PRF from RFC 2246 ++ */ ++static void P_hash(const EVP_MD *evp_md, ++ const unsigned char *secret, unsigned int secret_len, ++ const unsigned char *seed, unsigned int seed_len, ++ unsigned char *out, unsigned int out_len) ++{ ++ HMAC_CTX *ctx_a, *ctx_out; ++ unsigned char a[HMAC_MAX_MD_CBLOCK]; ++ unsigned int size; ++ ++ ctx_a = HMAC_CTX_new(); ++ ctx_out = HMAC_CTX_new(); ++ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); ++ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); ++ ++ size = HMAC_size(ctx_out); ++ ++ /* Calculate A(1) */ ++ HMAC_Update(ctx_a, seed, seed_len); ++ HMAC_Final(ctx_a, a, NULL); ++ ++ while (1) { ++ /* Calculate next part of output */ ++ HMAC_Update(ctx_out, a, size); ++ HMAC_Update(ctx_out, seed, seed_len); ++ ++ /* Check if last part */ ++ if (out_len < size) { ++ 
HMAC_Final(ctx_out, a, NULL); ++ memcpy(out, a, out_len); ++ break; ++ } ++ ++ /* Place digest in output buffer */ ++ HMAC_Final(ctx_out, out, NULL); ++ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); ++ out += size; ++ out_len -= size; ++ ++ /* Calculate next A(i) */ ++ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); ++ HMAC_Update(ctx_a, a, size); ++ HMAC_Final(ctx_a, a, NULL); ++ } ++ ++ HMAC_CTX_free(ctx_a); ++ HMAC_CTX_free(ctx_out); ++ memset(a, 0, sizeof(a)); ++} ++ ++static void PRF(const unsigned char *secret, unsigned int secret_len, ++ const unsigned char *seed, unsigned int seed_len, ++ unsigned char *out, unsigned char *buf, unsigned int out_len) ++{ ++ unsigned int i; ++ unsigned int len = (secret_len + 1) / 2; ++ const unsigned char *s1 = secret; ++ const unsigned char *s2 = secret + (secret_len - len); ++ ++ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); ++ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); ++ ++ for (i=0; i < out_len; i++) { ++ out[i] ^= buf[i]; ++ } ++} ++ ++#define EAPTLS_MPPE_KEY_LEN 32 ++ ++/* ++ * Generate keys according to RFC 2716 and add to reply ++ */ ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, ++ int client) ++{ ++ unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN]; ++ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; ++ unsigned char *p = seed; ++ SSL *s = ets->ssl; ++ size_t prf_size; ++ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; ++ size_t master_key_length; ++ ++ prf_size = strlen(prf_label); ++ ++ memcpy(p, prf_label, prf_size); ++ p += prf_size; ++ ++ prf_size += SSL_get_client_random(s, p, SSL3_RANDOM_SIZE); ++ p += SSL3_RANDOM_SIZE; ++ ++ prf_size += SSL_get_server_random(s, p, SSL3_RANDOM_SIZE); ++ ++ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, ++ sizeof(master_key)); ++ PRF(master_key, master_key_length, seed, prf_size, out, buf, sizeof(out)); ++ ++ /* ++ * We now have the master send and receive keys. 
++ * From these, generate the session send and receive keys. ++ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) ++ */ ++ if (client) ++ { ++ p = out; ++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); ++ p += EAPTLS_MPPE_KEY_LEN; ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); ++ } ++ else ++ { ++ p = out; ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); ++ p += EAPTLS_MPPE_KEY_LEN; ++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); ++ } ++ ++ mppe_keys_set = 1; ++} ++ ++#endif ++ ++void log_ssl_errors( void ) ++{ ++ unsigned long ssl_err = ERR_get_error(); ++ ++ if (ssl_err != 0) ++ dbglog("EAP-TLS SSL error stack:"); ++ while (ssl_err != 0) { ++ dbglog( ERR_error_string( ssl_err, NULL ) ); ++ ssl_err = ERR_get_error(); ++ } ++} ++ ++ ++int password_callback (char *buf, int size, int rwflag, void *u) ++{ ++ if (buf) ++ { ++ strncpy (buf, passwd, size); ++ return strlen (buf); ++ } ++ return 0; ++} ++ ++ ++CONF *eaptls_ssl_load_config( void ) ++{ ++ CONF *config; ++ int ret_code; ++ long error_line = 33; ++ ++ config = NCONF_new( NULL ); ++ dbglog( "Loading OpenSSL config file" ); ++ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); ++ if (ret_code == 0) ++ { ++ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); ++ NCONF_free( config ); ++ config = NULL; ++ ERR_clear_error(); ++ } ++ ++ dbglog( "Loading OpenSSL built-ins" ); ++ ENGINE_load_builtin_engines(); ++ OPENSSL_load_builtin_modules(); ++ ++ dbglog( "Loading OpenSSL configured modules" ); ++ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) ++ { ++ warn( "EAP-TLS: Error loading OpenSSL modules" ); ++ log_ssl_errors(); ++ config = NULL; ++ } ++ ++ return config; ++} ++ ++ENGINE *eaptls_ssl_load_engine( char *engine_name ) ++{ ++ ENGINE *e = NULL; ++ ++ dbglog( "Enabling OpenSSL auto engines" ); ++ ENGINE_register_all_complete(); ++ ++ dbglog( "Loading OpenSSL '%s' engine support", engine_name ); ++ e = ENGINE_by_id( 
engine_name ); ++ if (!e) ++ { ++ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); ++ e = ENGINE_by_id( "dynamic" ); ++ if (e) ++ { ++ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) ++ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) ++ { ++ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); ++ log_ssl_errors(); ++ ENGINE_free(e); ++ e = NULL; ++ } ++ } ++ else ++ { ++ warn( "EAP-TLS: Cannot load dynamic engine support" ); ++ } ++ } ++ ++ if (e) ++ { ++ dbglog( "Initialising engine" ); ++ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) ++ { ++ warn( "EAP-TLS: Cannot use that engine" ); ++ log_ssl_errors(); ++ ENGINE_free(e); ++ e = NULL; ++ } ++ } ++ ++ return e; ++} ++ ++/* ++ * Initialize the SSL stacks and tests if certificates, key and crl ++ * for client or server use can be loaded. ++ */ ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++ char *certfile, char *peer_certfile, char *privkeyfile) ++{ ++ char *cert_engine_name = NULL; ++ char *cert_identifier = NULL; ++ char *pkey_engine_name = NULL; ++ char *pkey_identifier = NULL; ++ SSL_CTX *ctx; ++ X509_STORE *certstore; ++ X509_LOOKUP *lookup; ++ X509 *tmp; ++ ++ /* ++ * Without these can't continue ++ */ ++ if (!cacertfile[0]) ++ { ++ error("EAP-TLS: CA certificate missing"); ++ return NULL; ++ } ++ ++ if (!certfile[0]) ++ { ++ error("EAP-TLS: User certificate missing"); ++ return NULL; ++ } ++ ++ if (!privkeyfile[0]) ++ { ++ error("EAP-TLS: User private key missing"); ++ return NULL; ++ } ++ ++ SSL_library_init(); ++ SSL_load_error_strings(); ++ ++ ctx = SSL_CTX_new(TLS_method()); ++ ++ if (!ctx) { ++ error("EAP-TLS: Cannot initialize SSL CTX context"); ++ goto fail; ++ } ++ ++ /* if the certificate filename is of the form engine:id. e.g. ++ pkcs11:12345 ++ then we try to load and use this engine. ++ If the certificate filename starts with a / or . 
then we ++ ALWAYS assume it is a file and not an engine/pkcs11 identifier ++ */ ++ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) ++ { ++ cert_identifier = index( certfile, ':' ); ++ ++ if (cert_identifier) ++ { ++ cert_engine_name = certfile; ++ *cert_identifier = '\0'; ++ cert_identifier++; ++ ++ dbglog( "Found certificate engine '%s'", cert_engine_name ); ++ dbglog( "Found certificate identifier '%s'", cert_identifier ); ++ } ++ } ++ ++ /* if the privatekey filename is of the form engine:id. e.g. ++ pkcs11:12345 ++ then we try to load and use this engine. ++ If the privatekey filename starts with a / or . then we ++ ALWAYS assume it is a file and not an engine/pkcs11 identifier ++ */ ++ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) ++ { ++ pkey_identifier = index( privkeyfile, ':' ); ++ ++ if (pkey_identifier) ++ { ++ pkey_engine_name = privkeyfile; ++ *pkey_identifier = '\0'; ++ pkey_identifier++; ++ ++ dbglog( "Found privatekey engine '%s'", pkey_engine_name ); ++ dbglog( "Found privatekey identifier '%s'", pkey_identifier ); ++ } ++ } ++ ++ if (cert_identifier && pkey_identifier) ++ { ++ if (strlen( cert_identifier ) == 0) ++ { ++ if (strlen( pkey_identifier ) == 0) ++ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" 
); ++ else ++ { ++ dbglog( "Substituting privatekey identifier for certificate identifier" ); ++ cert_identifier = pkey_identifier; ++ } ++ } ++ else ++ { ++ if (strlen( pkey_identifier ) == 0) ++ { ++ dbglog( "Substituting certificate identifier for privatekey identifier" ); ++ pkey_identifier = cert_identifier; ++ } ++ } ++ ++ } ++ ++ /* load the openssl config file only once */ ++ if (!ssl_config) ++ { ++ if (cert_engine_name || pkey_engine_name) ++ ssl_config = eaptls_ssl_load_config(); ++ ++ if (ssl_config && cert_engine_name) ++ cert_engine = eaptls_ssl_load_engine( cert_engine_name ); ++ ++ if (ssl_config && pkey_engine_name) ++ { ++ /* don't load the same engine twice */ ++ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 ) ++ pkey_engine = cert_engine; ++ else ++ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); ++ } ++ } ++ ++ SSL_CTX_set_default_passwd_cb (ctx, password_callback); ++ ++ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) ++ { ++ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); ++ goto fail; ++ } ++ ++ if (init_server) ++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); ++ ++ if (cert_engine) ++ { ++ struct ++ { ++ const char *s_slot_cert_id; ++ X509 *cert; ++ } cert_info; ++ ++ cert_info.s_slot_cert_id = cert_identifier; ++ cert_info.cert = NULL; ++ ++ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) ++ { ++ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); ++ goto fail; ++ } ++ ++ if (cert_info.cert) ++ { ++ dbglog( "Got the certificate, adding it to SSL context" ); ++ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); ++ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) ++ { ++ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); ++ goto fail; ++ } ++ } ++ else ++ { ++ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); ++ 
log_ssl_errors(); ++ } ++ } ++ else ++ { ++ if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) ++ { ++ error( "EAP-TLS: Cannot use public certificate %s", certfile ); ++ goto fail; ++ } ++ } ++ ++ if (pkey_engine) ++ { ++ EVP_PKEY *pkey = NULL; ++ PW_CB_DATA cb_data; ++ ++ cb_data.password = passwd; ++ cb_data.prompt_info = pkey_identifier; ++ ++ dbglog( "Loading private key '%s' from engine", pkey_identifier ); ++ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); ++ if (pkey) ++ { ++ dbglog( "Got the private key, adding it to SSL context" ); ++ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) ++ { ++ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); ++ goto fail; ++ } ++ } ++ else ++ { ++ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); ++ log_ssl_errors(); ++ } ++ } ++ else ++ { ++ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) ++ { ++ error("EAP-TLS: Cannot use private key %s", privkeyfile); ++ goto fail; ++ } ++ } ++ ++ if (SSL_CTX_check_private_key(ctx) != 1) { ++ error("EAP-TLS: Private key %s fails security check", privkeyfile); ++ goto fail; ++ } ++ ++ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */ ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 ++#ifdef SSL_OP_NO_TICKET ++ | SSL_OP_NO_TICKET ++#endif ++); ++ SSL_CTX_set_verify_depth(ctx, 5); ++ SSL_CTX_set_verify(ctx, ++ SSL_VERIFY_PEER | ++ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, ++ &ssl_verify_callback); ++ ++ if (crl_dir) { ++ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { ++ error("EAP-TLS: Failed to get certificate store"); ++ goto fail; ++ } ++ ++ if (!(lookup = ++ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { ++ error("EAP-TLS: Store lookup for CRL failed"); ++ ++ goto fail; ++ } ++ ++ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); ++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); ++ } ++ ++ if (crl_file) { ++ FILE *fp = NULL; ++ X509_CRL *crl = 
NULL; ++ ++ fp = fopen(crl_file, "r"); ++ if (!fp) { ++ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); ++ goto fail; ++ } ++ ++ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); ++ if (!crl) { ++ error("EAP-TLS: Cannot read CRL file '%s'", crl_file); ++ goto fail; ++ } ++ ++ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { ++ error("EAP-TLS: Failed to get certificate store"); ++ goto fail; ++ } ++ if (!X509_STORE_add_crl(certstore, crl)) { ++ error("EAP-TLS: Cannot add CRL to certificate store"); ++ goto fail; ++ } ++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); ++ ++ } ++ ++ /* ++ * If a peer certificate file was specified, it must be valid, else fail ++ */ ++ if (peer_certfile[0]) { ++ if (!(tmp = get_X509_from_file(peer_certfile))) { ++ error("EAP-TLS: Error loading client certificate from file %s", ++ peer_certfile); ++ goto fail; ++ } ++ X509_free(tmp); ++ } ++ ++ return ctx; ++ ++fail: ++ log_ssl_errors(); ++ SSL_CTX_free(ctx); ++ return NULL; ++} ++ ++/* ++ * Determine the maximum packet size by looking at the LCP handshake ++ */ ++ ++int eaptls_get_mtu(int unit) ++{ ++ int mtu, mru; ++ ++ lcp_options *wo = &lcp_wantoptions[unit]; ++ lcp_options *go = &lcp_gotoptions[unit]; ++ lcp_options *ho = &lcp_hisoptions[unit]; ++ lcp_options *ao = &lcp_allowoptions[unit]; ++ ++ mtu = ho->neg_mru? ho->mru: PPP_MRU; ++ mru = go->neg_mru? 
MAX(wo->mru, go->mru): PPP_MRU; ++ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; ++ ++ dbglog("MTU = %d", mtu); ++ return mtu; ++} ++ ++ ++/* ++ * Init the ssl handshake (server mode) ++ */ ++int eaptls_init_ssl_server(eap_state * esp) ++{ ++ struct eaptls_session *ets; ++ char servcertfile[MAXWORDLEN]; ++ char clicertfile[MAXWORDLEN]; ++ char cacertfile[MAXWORDLEN]; ++ char pkfile[MAXWORDLEN]; ++ /* ++ * Allocate new eaptls session ++ */ ++ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); ++ if (!esp->es_server.ea_session) ++ fatal("Allocation error"); ++ ets = esp->es_server.ea_session; ++ ++ if (!esp->es_server.ea_peer) { ++ error("EAP-TLS: Error: client name not set (BUG)"); ++ return 0; ++ } ++ ++ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); ++ ++ dbglog( "getting eaptls secret" ); ++ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, ++ esp->es_server.ea_name, clicertfile, ++ servcertfile, cacertfile, pkfile, 1)) { ++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", ++ esp->es_server.ea_peer, esp->es_server.ea_name ); ++ return 0; ++ } ++ ++ ets->mtu = eaptls_get_mtu(esp->es_unit); ++ ++ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); ++ if (!ets->ctx) ++ goto fail; ++ ++ if (!(ets->ssl = SSL_new(ets->ctx))) ++ goto fail; ++ ++ /* ++ * Set auto-retry to avoid timeouts on BIO_read ++ */ ++ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); ++ ++ /* ++ * Initialize the BIOs we use to read/write to ssl engine ++ */ ++ ets->into_ssl = BIO_new(BIO_s_mem()); ++ ets->from_ssl = BIO_new(BIO_s_mem()); ++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); ++ ++ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); ++ SSL_set_msg_callback_arg(ets->ssl, ets); ++ ++ /* ++ * Attach the session struct to the connection, so we can later ++ * retrieve it when doing certificate verification ++ */ ++ SSL_set_ex_data(ets->ssl, 0, ets); ++ ++ SSL_set_accept_state(ets->ssl); ++ ++ 
ets->data = NULL; ++ ets->datalen = 0; ++ ets->alert_sent = 0; ++ ets->alert_recv = 0; ++ ++ /* ++ * If we specified the client certificate file, store it in ets->peercertfile, ++ * so we can check it later in ssl_verify_callback() ++ */ ++ if (clicertfile[0]) ++ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); ++ else ++ ets->peercertfile[0] = 0; ++ ++ return 1; ++ ++fail: ++ SSL_CTX_free(ets->ctx); ++ return 0; ++} ++ ++/* ++ * Init the ssl handshake (client mode) ++ */ ++int eaptls_init_ssl_client(eap_state * esp) ++{ ++ struct eaptls_session *ets; ++ char servcertfile[MAXWORDLEN]; ++ char clicertfile[MAXWORDLEN]; ++ char cacertfile[MAXWORDLEN]; ++ char pkfile[MAXWORDLEN]; ++ ++ /* ++ * Allocate new eaptls session ++ */ ++ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); ++ if (!esp->es_client.ea_session) ++ fatal("Allocation error"); ++ ets = esp->es_client.ea_session; ++ ++ /* ++ * If available, copy server name in ets; it will be used in cert ++ * verify ++ */ ++ if (esp->es_client.ea_peer) ++ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); ++ else ++ ets->peer[0] = 0; ++ ++ ets->mtu = eaptls_get_mtu(esp->es_unit); ++ ++ dbglog( "calling get_eaptls_secret" ); ++ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, ++ ets->peer, clicertfile, ++ servcertfile, cacertfile, pkfile, 0)) { ++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", ++ esp->es_client.ea_name, ets->peer ); ++ return 0; ++ } ++ ++ dbglog( "calling eaptls_init_ssl" ); ++ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); ++ if (!ets->ctx) ++ goto fail; ++ ++ ets->ssl = SSL_new(ets->ctx); ++ ++ if (!ets->ssl) ++ goto fail; ++ ++ /* ++ * Initialize the BIOs we use to read/write to ssl engine ++ */ ++ dbglog( "Initializing SSL BIOs" ); ++ ets->into_ssl = BIO_new(BIO_s_mem()); ++ ets->from_ssl = BIO_new(BIO_s_mem()); ++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); ++ ++ 
SSL_set_msg_callback(ets->ssl, ssl_msg_callback); ++ SSL_set_msg_callback_arg(ets->ssl, ets); ++ ++ /* ++ * Attach the session struct to the connection, so we can later ++ * retrieve it when doing certificate verification ++ */ ++ SSL_set_ex_data(ets->ssl, 0, ets); ++ ++ SSL_set_connect_state(ets->ssl); ++ ++ ets->data = NULL; ++ ets->datalen = 0; ++ ets->alert_sent = 0; ++ ets->alert_recv = 0; ++ ++ /* ++ * If we specified the server certificate file, store it in ++ * ets->peercertfile, so we can check it later in ++ * ssl_verify_callback() ++ */ ++ if (servcertfile[0]) ++ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); ++ else ++ ets->peercertfile[0] = 0; ++ ++ return 1; ++ ++fail: ++ dbglog( "eaptls_init_ssl_client: fail" ); ++ SSL_CTX_free(ets->ctx); ++ return 0; ++ ++} ++ ++void eaptls_free_session(struct eaptls_session *ets) ++{ ++ if (ets->ssl) ++ SSL_free(ets->ssl); ++ ++ if (ets->ctx) ++ SSL_CTX_free(ets->ctx); ++ ++ free(ets); ++} ++ ++/* ++ * Handle a received packet, reassembling fragmented messages and ++ * passing them to the ssl engine ++ */ ++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) ++{ ++ u_char flags; ++ u_int tlslen = 0; ++ u_char dummy[65536]; ++ ++ if (len < 1) { ++ warn("EAP-TLS: received no or invalid data"); ++ return 1; ++ } ++ ++ GETCHAR(flags, inp); ++ len--; ++ ++ if (flags & EAP_TLS_FLAGS_LI && len >= 4) { ++ /* ++ * LenghtIncluded flag set -> this is the first packet of a message ++ */ ++ ++ /* ++ * the first 4 octets are the length of the EAP-TLS message ++ */ ++ GETLONG(tlslen, inp); ++ len -= 4; ++ ++ if (!ets->data) { ++ ++ if (tlslen > EAP_TLS_MAX_LEN) { ++ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN); ++ tlslen = EAP_TLS_MAX_LEN; ++ } ++ ++ /* ++ * Allocate memory for the whole message ++ */ ++ ets->data = malloc(tlslen); ++ if (!ets->data) ++ fatal("EAP-TLS: allocation error\n"); ++ ++ ets->datalen = 0; ++ ets->tlslen = tlslen; ++ } ++ else ++ warn("EAP-TLS: non-first 
LI packet? that's odd..."); ++ } ++ else if (!ets->data) { ++ /* ++ * A non fragmented message without LI flag ++ */ ++ ++ ets->data = malloc(len); ++ if (!ets->data) ++ fatal("EAP-TLS: allocation error\n"); ++ ++ ets->datalen = 0; ++ ets->tlslen = len; ++ } ++ ++ if (flags & EAP_TLS_FLAGS_MF) ++ ets->frag = 1; ++ else ++ ets->frag = 0; ++ ++ if (len < 0) { ++ warn("EAP-TLS: received malformed data"); ++ return 1; ++ } ++ ++ if (len + ets->datalen > ets->tlslen) { ++ warn("EAP-TLS: received data > TLS message length"); ++ return 1; ++ } ++ ++ BCOPY(inp, ets->data + ets->datalen, len); ++ ets->datalen += len; ++ ++ if (!ets->frag) { ++ ++ /* ++ * If we have the whole message, pass it to ssl ++ */ ++ ++ if (ets->datalen != ets->tlslen) { ++ warn("EAP-TLS: received data != TLS message length"); ++ return 1; ++ } ++ ++ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) ++ log_ssl_errors(); ++ ++ SSL_read(ets->ssl, dummy, 65536); ++ ++ free(ets->data); ++ ets->data = NULL; ++ ets->datalen = 0; ++ } ++ ++ return 0; ++} ++ ++/* ++ * Return an eap-tls packet in outp. ++ * A TLS message read from the ssl engine is buffered in ets->data. ++ * At each call we control if there is buffered data and send a ++ * packet of mtu bytes. 
++ */ ++int eaptls_send(struct eaptls_session *ets, u_char ** outp) ++{ ++ bool first = 0; ++ int size; ++ u_char fromtls[65536]; ++ int res; ++ u_char *start; ++ ++ start = *outp; ++ ++ if (!ets->data) { ++ ++ if(!ets->alert_sent) ++ SSL_read(ets->ssl, fromtls, 65536); ++ ++ /* ++ * Read from ssl ++ */ ++ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) ++ fatal("No data from BIO_read"); ++ ++ ets->datalen = res; ++ ++ ets->data = malloc(ets->datalen); ++ BCOPY(fromtls, ets->data, ets->datalen); ++ ++ ets->offset = 0; ++ first = 1; ++ ++ } ++ ++ size = ets->datalen - ets->offset; ++ ++ if (size > ets->mtu) { ++ size = ets->mtu; ++ ets->frag = 1; ++ } else ++ ets->frag = 0; ++ ++ PUTCHAR(EAPT_TLS, *outp); ++ ++ /* ++ * Set right flags and length if necessary ++ */ ++ if (ets->frag && first) { ++ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); ++ PUTLONG(ets->datalen, *outp); ++ } else if (ets->frag) { ++ PUTCHAR(EAP_TLS_FLAGS_MF, *outp); ++ } else ++ PUTCHAR(0, *outp); ++ ++ /* ++ * Copy the data in outp ++ */ ++ BCOPY(ets->data + ets->offset, *outp, size); ++ INCPTR(size, *outp); ++ ++ /* ++ * Copy the packet in retransmission buffer ++ */ ++ BCOPY(start, &ets->rtx[0], *outp - start); ++ ets->rtx_len = *outp - start; ++ ++ ets->offset += size; ++ ++ if (ets->offset >= ets->datalen) { ++ ++ /* ++ * The whole message has been sent ++ */ ++ ++ free(ets->data); ++ ets->data = NULL; ++ ets->datalen = 0; ++ ets->offset = 0; ++ } ++ ++ return 0; ++} ++ ++/* ++ * Get the sent packet from the retransmission buffer ++ */ ++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) ++{ ++ BCOPY(ets->rtx, *outp, ets->rtx_len); ++ INCPTR(ets->rtx_len, *outp); ++} ++ ++/* ++ * Verify a certificate. ++ * Most of the work (signatures and issuer attributes checking) ++ * is done by ssl; we check the CN in the peer certificate ++ * against the peer name. 
++ */ ++int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) ++{ ++ char subject[256]; ++ char cn_str[256]; ++ X509 *peer_cert; ++ int err, depth; ++ int ok = preverify_ok; ++ SSL *ssl; ++ struct eaptls_session *ets; ++ ++ peer_cert = X509_STORE_CTX_get_current_cert(ctx); ++ err = X509_STORE_CTX_get_error(ctx); ++ depth = X509_STORE_CTX_get_error_depth(ctx); ++ ++ dbglog("certificate verify depth: %d", depth); ++ ++ if (auth_required && !ok) { ++ X509_NAME_oneline(X509_get_subject_name(peer_cert), ++ subject, 256); ++ ++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), ++ NID_commonName, cn_str, 256); ++ ++ dbglog("Certificate verification error:\n depth: %d CN: %s" ++ "\n err: %d (%s)\n", depth, cn_str, err, ++ X509_verify_cert_error_string(err)); ++ ++ return 0; ++ } ++ ++ ssl = X509_STORE_CTX_get_ex_data(ctx, ++ SSL_get_ex_data_X509_STORE_CTX_idx()); ++ ++ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); ++ ++ if (ets == NULL) { ++ error("Error: SSL_get_ex_data returned NULL"); ++ return 0; ++ } ++ ++ log_ssl_errors(); ++ ++ if (!depth) { /* This is the peer certificate */ ++ ++ X509_NAME_oneline(X509_get_subject_name(peer_cert), ++ subject, 256); ++ ++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), ++ NID_commonName, cn_str, 256); ++ ++ /* ++ * If acting as client and the name of the server wasn't specified ++ * explicitely, we can't verify the server authenticity ++ */ ++ if (!ets->peer[0]) { ++ warn("Peer name not specified: no check"); ++ return 1; ++ } ++ ++ /* ++ * Check the CN ++ */ ++ if (strcmp(cn_str, ets->peer)) { ++ error ++ ("Certificate verification error: CN (%s) != peer_name (%s)", ++ cn_str, ets->peer); ++ return 0; ++ } ++ ++ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); ++ ++ /* ++ * If a peer certificate file was specified, here we check it ++ */ ++ if (ets->peercertfile[0]) { ++ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) ++ != 0) { ++ error ++ ("Peer certificate doesn't match 
stored certificate"); ++ return 0; ++ } ++ } ++ } ++ ++ return 1; ++} ++ ++/* ++ * Compare a certificate with the one stored in a file ++ */ ++int ssl_cmp_certs(char *filename, X509 * a) ++{ ++ X509 *b; ++ int ret; ++ ++ if (!(b = get_X509_from_file(filename))) ++ return 1; ++ ++ ret = X509_cmp(a, b); ++ X509_free(b); ++ ++ return ret; ++ ++} ++ ++X509 *get_X509_from_file(char *filename) ++{ ++ FILE *fp; ++ X509 *ret; ++ ++ if (!(fp = fopen(filename, "r"))) ++ return NULL; ++ ++ ret = PEM_read_X509(fp, NULL, NULL, NULL); ++ ++ fclose(fp); ++ ++ return ret; ++} ++ ++/* ++ * Every sent & received message this callback function is invoked, ++ * so we know when alert messages have arrived or are sent and ++ * we can print debug information about TLS handshake. ++ */ ++void ++ssl_msg_callback(int write_p, int version, int content_type, ++ const void *buf, size_t len, SSL * ssl, void *arg) ++{ ++ char string[256]; ++ struct eaptls_session *ets = (struct eaptls_session *)arg; ++ unsigned char code; ++ const unsigned char*msg = buf; ++ int hvers = msg[1] << 8 | msg[2]; ++ ++ if(write_p) ++ strcpy(string, " -> "); ++ else ++ strcpy(string, " <- "); ++ ++ switch(content_type) { ++ ++ case SSL3_RT_HEADER: ++ strcat(string, "SSL/TLS Header: "); ++ switch(hvers) { ++ case SSL3_VERSION: ++ strcat(string, "SSL 3.0"); ++ break; ++ case TLS1_VERSION: ++ strcat(string, "TLS 1.0"); ++ break; ++ case TLS1_1_VERSION: ++ strcat(string, "TLS 1.1"); ++ break; ++ case TLS1_2_VERSION: ++ strcat(string, "TLS 1.2"); ++ break; ++ case DTLS1_VERSION: ++ strcat(string, "DTLS 1.0"); ++ break; ++ case DTLS1_2_VERSION: ++ strcat(string, "DTLS 1.2"); ++ break; ++ default: ++ strcat(string, "Unknown version"); ++ } ++ break; ++ ++ case SSL3_RT_ALERT: ++ strcat(string, "Alert: "); ++ code = msg[1]; ++ ++ if (write_p) { ++ ets->alert_sent = 1; ++ ets->alert_sent_desc = code; ++ } else { ++ ets->alert_recv = 1; ++ ets->alert_recv_desc = code; ++ } ++ ++ strcat(string, SSL_alert_desc_string_long(code)); 
++ break; ++ ++ case SSL3_RT_CHANGE_CIPHER_SPEC: ++ strcat(string, "ChangeCipherSpec"); ++ break; ++ ++ case SSL3_RT_HANDSHAKE: ++ ++ strcat(string, "Handshake: "); ++ code = msg[0]; ++ ++ switch(code) { ++ case SSL3_MT_HELLO_REQUEST: ++ strcat(string,"Hello Request"); ++ break; ++ case SSL3_MT_CLIENT_HELLO: ++ strcat(string,"Client Hello"); ++ break; ++ case SSL3_MT_SERVER_HELLO: ++ strcat(string,"Server Hello"); ++ break; ++#ifdef SSL3_MT_NEWSESSION_TICKET ++ case SSL3_MT_NEWSESSION_TICKET: ++ strcat(string,"New Session Ticket"); ++ break; ++#endif ++ case SSL3_MT_CERTIFICATE: ++ strcat(string,"Certificate"); ++ break; ++ case SSL3_MT_SERVER_KEY_EXCHANGE: ++ strcat(string,"Server Key Exchange"); ++ break; ++ case SSL3_MT_CERTIFICATE_REQUEST: ++ strcat(string,"Certificate Request"); ++ break; ++ case SSL3_MT_SERVER_DONE: ++ strcat(string,"Server Hello Done"); ++ break; ++ case SSL3_MT_CERTIFICATE_VERIFY: ++ strcat(string,"Certificate Verify"); ++ break; ++ case SSL3_MT_CLIENT_KEY_EXCHANGE: ++ strcat(string,"Client Key Exchange"); ++ break; ++ case SSL3_MT_FINISHED: ++ strcat(string,"Finished"); ++ break; ++ ++ default: ++ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); ++ } ++ break; ++ ++ default: ++ sprintf( string, "SSL message contains unknown content type: %d", content_type ); ++ ++ } ++ ++ /* Alert messages must always be displayed */ ++ if(content_type == SSL3_RT_ALERT) ++ error("%s", string); ++ else ++ dbglog("%s", string); ++} ++ +diff -Naur ppp-2.4.7/pppd/eap-tls.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h +--- ppp-2.4.7/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap-tls.h 2018-06-02 01:42:04.023165433 +0200 +@@ -0,0 +1,107 @@ ++/* ++ * eap-tls.h ++ * ++ * Copyright (c) Beniamino Galvani 2005 All rights reserved. 
++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in ++ * the documentation and/or other materials provided with the ++ * distribution. ++ * ++ * 3. The name(s) of the authors of this software must not be used to ++ * endorse or promote products derived from this software without ++ * prior written permission. ++ * ++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO ++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY ++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY ++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN ++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING ++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
++ * ++ */ ++ ++#ifndef __EAP_TLS_H__ ++#define __EAP_TLS_H__ ++ ++#include "eap.h" ++ ++#include ++#include ++#include ++ ++#define EAP_TLS_FLAGS_LI 128 /* length included flag */ ++#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ ++#define EAP_TLS_FLAGS_START 32 /* start flag */ ++ ++#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ ++ ++struct eaptls_session ++{ ++ u_char *data; /* buffered data */ ++ int datalen; /* buffered data len */ ++ int offset; /* from where to send */ ++ int tlslen; /* total length of tls data */ ++ bool frag; /* packet is fragmented */ ++ SSL_CTX *ctx; ++ SSL *ssl; /* ssl connection */ ++ BIO *from_ssl; ++ BIO *into_ssl; ++ char peer[MAXWORDLEN]; /* peer name */ ++ char peercertfile[MAXWORDLEN]; ++ bool alert_sent; ++ u_char alert_sent_desc; ++ bool alert_recv; ++ u_char alert_recv_desc; ++ char rtx[65536]; /* retransmission buffer */ ++ int rtx_len; ++ int mtu; /* unit mtu */ ++}; ++ ++typedef struct pw_cb_data ++{ ++ const void *password; ++ const char *prompt_info; ++} PW_CB_DATA; ++ ++ ++int ssl_verify_callback(int, X509_STORE_CTX *); ++void ssl_msg_callback(int write_p, int version, int ct, const void *buf, ++ size_t len, SSL * ssl, void *arg); ++ ++X509 *get_X509_from_file(char *filename); ++int ssl_cmp_certs(char *filename, X509 * a); ++ ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, ++ char *certfile, char *peer_certfile, char *privkeyfile); ++int eaptls_init_ssl_server(eap_state * esp); ++int eaptls_init_ssl_client(eap_state * esp); ++void eaptls_free_session(struct eaptls_session *ets); ++ ++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); ++int eaptls_send(struct eaptls_session *ets, u_char ** outp); ++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); ++ ++int get_eaptls_secret(int unit, char *client, char *server, ++ char *clicertfile, char *servcertfile, char *cacertfile, ++ char *pkfile, int am_server); ++ ++#ifdef MPPE ++#include "mppe.h" /* 
MPPE_MAX_KEY_LEN */ ++extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; ++extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; ++extern int mppe_keys_set; ++ ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); ++ ++#endif ++ ++#endif +diff -Naur ppp-2.4.7/pppd/eap.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c +--- ppp-2.4.7/pppd/eap.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.c 2018-06-02 01:42:04.023165433 +0200 +@@ -43,6 +43,11 @@ + * Based on draft-ietf-pppext-eap-srp-03.txt. + */ + ++/* ++ * Modification by Beniamino Galvani, Mar 2005 ++ * Implemented EAP-TLS authentication ++ */ ++ + #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" + + /* +@@ -62,8 +67,12 @@ + + #include "pppd.h" + #include "pathnames.h" +-#include "md5.h" + #include "eap.h" ++#ifdef USE_EAPTLS ++#include "eap-tls.h" ++#else ++#include "md5.h" ++#endif /* USE_EAPTLS */ + + #ifdef USE_SRP + #include +@@ -209,6 +218,9 @@ + esp->es_server.ea_id = (u_char)(drand48() * 0x100); + esp->es_client.ea_timeout = EAP_DEFREQTIME; + esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; ++#ifdef USE_EAPTLS ++ esp->es_client.ea_using_eaptls = 0; ++#endif /* USE_EAPTLS */ + } + + /* +@@ -436,8 +448,16 @@ + u_char vals[2]; + struct b64state bs; + #endif /* USE_SRP */ ++#ifdef USE_EAPTLS ++ struct eaptls_session *ets; ++ int secret_len; ++ char secret[MAXWORDLEN]; ++#endif /* USE_EAPTLS */ + + esp->es_server.ea_timeout = esp->es_savedtime; ++#ifdef USE_EAPTLS ++ esp->es_server.ea_prev_state = esp->es_server.ea_state; ++#endif /* USE_EAPTLS */ + switch (esp->es_server.ea_state) { + case eapBadAuth: + return; +@@ -562,9 +582,79 @@ + break; + } + #endif /* USE_SRP */ ++#ifdef USE_EAPTLS ++ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, ++ esp->es_server.ea_name, secret, &secret_len, 1)) { ++ ++ esp->es_server.ea_state = eapTlsStart; ++ break; ++ } ++#endif /* USE_EAPTLS */ ++ + esp->es_server.ea_state = eapMD5Chall; + break; + 
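Review bot: In `struct eaptls_session` the byte counters `datalen`, `offset`, `tlslen` and `rtx_len` are signed `int` with no stated bounds, although `eaptls_receive()` in this patch fills `tlslen` from a 32-bit length read off the wire and then tests `len + ets->datalen > ets->tlslen`. The cap at `EAP_TLS_MAX_LEN` keeps the values small, but that invariant is only visible in the .c file. I would state it on the fields, e.g. `int tlslen; /* total length of tls data, 0..EAP_TLS_MAX_LEN */`, or make the counters unsigned. `ctx`, `from_ssl`, `into_ssl`, `peercertfile` and the alert fields have no comment at all, and `char rtx[65536]` repeats a literal where a named constant would tie it to the packet size it is meant to hold.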
++#ifdef USE_EAPTLS ++ case eapTlsStart: ++ /* Initialize ssl session */ ++ if(!eaptls_init_ssl_server(esp)) { ++ esp->es_server.ea_state = eapBadAuth; ++ break; ++ } ++ ++ esp->es_server.ea_state = eapTlsRecv; ++ break; ++ ++ case eapTlsRecv: ++ ets = (struct eaptls_session *) esp->es_server.ea_session; ++ ++ if(ets->alert_sent) { ++ esp->es_server.ea_state = eapTlsSendAlert; ++ break; ++ } ++ ++ if (status) { ++ esp->es_server.ea_state = eapBadAuth; ++ break; ++ } ++ ets = (struct eaptls_session *) esp->es_server.ea_session; ++ ++ if(ets->frag) ++ esp->es_server.ea_state = eapTlsSendAck; ++ else ++ esp->es_server.ea_state = eapTlsSend; ++ break; ++ ++ case eapTlsSend: ++ ets = (struct eaptls_session *) esp->es_server.ea_session; ++ ++ if(ets->frag) ++ esp->es_server.ea_state = eapTlsRecvAck; ++ else ++ if(SSL_is_init_finished(ets->ssl)) ++ esp->es_server.ea_state = eapTlsRecvClient; ++ else ++ esp->es_server.ea_state = eapTlsRecv; ++ break; ++ ++ case eapTlsSendAck: ++ esp->es_server.ea_state = eapTlsRecv; ++ break; ++ ++ case eapTlsRecvAck: ++ if (status) { ++ esp->es_server.ea_state = eapBadAuth; ++ break; ++ } ++ ++ esp->es_server.ea_state = eapTlsSend; ++ break; ++ ++ case eapTlsSendAlert: ++ esp->es_server.ea_state = eapTlsRecvAlertAck; ++ break; ++#endif /* USE_EAPTLS */ ++ + case eapSRP1: + #ifdef USE_SRP + ts = (struct t_server *)esp->es_server.ea_session; +@@ -718,6 +808,30 @@ + INCPTR(esp->es_server.ea_namelen, outp); + break; + ++#ifdef USE_EAPTLS ++ case eapTlsStart: ++ PUTCHAR(EAPT_TLS, outp); ++ PUTCHAR(EAP_TLS_FLAGS_START, outp); ++ eap_figure_next_state(esp, 0); ++ break; ++ ++ case eapTlsSend: ++ eaptls_send(esp->es_server.ea_session, &outp); ++ eap_figure_next_state(esp, 0); ++ break; ++ ++ case eapTlsSendAck: ++ PUTCHAR(EAPT_TLS, outp); ++ PUTCHAR(0, outp); ++ eap_figure_next_state(esp, 0); ++ break; ++ ++ case eapTlsSendAlert: ++ eaptls_send(esp->es_server.ea_session, &outp); ++ eap_figure_next_state(esp, 0); ++ break; ++#endif /* USE_EAPTLS 
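Review bot: The `get_secret()` call added before `eapMD5Chall` only tests whether a secret exists, but on success it leaves the peer's secret in the stack buffer `secret[MAXWORDLEN]` (declared in the earlier `USE_EAPTLS` hunk), and nothing in the visible lines clears it. Wiping it straight after the probe, `BZERO(secret, sizeof(secret));`, keeps the cleartext from lingering on the stack. In the `eapTlsRecv` case `ets` is assigned twice from `esp->es_server.ea_session`, so the second assignment can be dropped. The enclosing function starts and ends outside this hunk.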
*/ ++ + #ifdef USE_SRP + case eapSRP1: + PUTCHAR(EAPT_SRP, outp); +@@ -904,11 +1018,57 @@ + eap_server_timeout(arg) + void *arg; + { ++#ifdef USE_EAPTLS ++ u_char *outp; ++ u_char *lenloc; ++ int outlen; ++#endif /* USE_EAPTLS */ ++ + eap_state *esp = (eap_state *) arg; + + if (!eap_server_active(esp)) + return; + ++#ifdef USE_EAPTLS ++ switch(esp->es_server.ea_prev_state) { ++ ++ /* ++ * In eap-tls the state changes after a request, so we return to ++ * previous state ... ++ */ ++ case(eapTlsStart): ++ case(eapTlsSendAck): ++ esp->es_server.ea_state = esp->es_server.ea_prev_state; ++ break; ++ ++ /* ++ * ... or resend the stored data ++ */ ++ case(eapTlsSend): ++ case(eapTlsSendAlert): ++ outp = outpacket_buf; ++ MAKEHEADER(outp, PPP_EAP); ++ PUTCHAR(EAP_REQUEST, outp); ++ PUTCHAR(esp->es_server.ea_id, outp); ++ lenloc = outp; ++ INCPTR(2, outp); ++ ++ eaptls_retransmit(esp->es_server.ea_session, &outp); ++ ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; ++ PUTSHORT(outlen, lenloc); ++ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); ++ esp->es_server.ea_requests++; ++ ++ if (esp->es_server.ea_timeout > 0) ++ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); ++ ++ return; ++ default: ++ break; ++ } ++#endif /* USE_EAPTLS */ ++ + /* EAP ID number must not change on timeout. 
*/ + eap_send_request(esp); + } +@@ -1166,6 +1326,81 @@ + } + #endif /* USE_SRP */ + ++#ifdef USE_EAPTLS ++/* ++ * Send an EAP-TLS response message with tls data ++ */ ++static void ++eap_tls_response(esp, id) ++eap_state *esp; ++u_char id; ++{ ++ u_char *outp; ++ int outlen; ++ u_char *lenloc; ++ ++ outp = outpacket_buf; ++ ++ MAKEHEADER(outp, PPP_EAP); ++ ++ PUTCHAR(EAP_RESPONSE, outp); ++ PUTCHAR(id, outp); ++ ++ lenloc = outp; ++ INCPTR(2, outp); ++ ++ /* ++ If the id in the request is unchanged, we must retransmit ++ the old data ++ */ ++ if(id == esp->es_client.ea_id) ++ eaptls_retransmit(esp->es_client.ea_session, &outp); ++ else ++ eaptls_send(esp->es_client.ea_session, &outp); ++ ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; ++ PUTSHORT(outlen, lenloc); ++ ++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); ++ ++ esp->es_client.ea_id = id; ++ ++} ++ ++/* ++ * Send an EAP-TLS ack ++ */ ++static void ++eap_tls_sendack(esp, id) ++eap_state *esp; ++u_char id; ++{ ++ u_char *outp; ++ int outlen; ++ u_char *lenloc; ++ ++ outp = outpacket_buf; ++ ++ MAKEHEADER(outp, PPP_EAP); ++ ++ PUTCHAR(EAP_RESPONSE, outp); ++ PUTCHAR(id, outp); ++ esp->es_client.ea_id = id; ++ ++ lenloc = outp; ++ INCPTR(2, outp); ++ ++ PUTCHAR(EAPT_TLS, outp); ++ PUTCHAR(0, outp); ++ ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; ++ PUTSHORT(outlen, lenloc); ++ ++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); ++ ++} ++#endif /* USE_EAPTLS */ ++ + static void + eap_send_nak(esp, id, type) + eap_state *esp; +@@ -1320,6 +1555,11 @@ + char rhostname[256]; + MD5_CTX mdContext; + u_char hash[MD5_SIGNATURE_SIZE]; ++#ifdef USE_EAPTLS ++ u_char flags; ++ struct eaptls_session *ets = esp->es_client.ea_session; ++#endif /* USE_EAPTLS */ ++ + #ifdef USE_SRP + struct t_client *tc; + struct t_num sval, gval, Nval, *Ap, Bval; +@@ -1456,6 +1696,100 @@ + esp->es_client.ea_namelen); + break; + ++#ifdef USE_EAPTLS ++ case EAPT_TLS: ++ ++ switch(esp->es_client.ea_state) { ++ ++ case 
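Review bot: The retransmit branch for `eapTlsSend`/`eapTlsSendAlert` increments `esp->es_server.ea_requests` and re-arms `eap_server_timeout`, but it returns without comparing the counter against any limit. Unless a check exists outside this hunk, a peer that stops answering is retransmitted to indefinitely. The non-TLS path falls through to `eap_send_request()`, which is where I would expect the request limit to be enforced, and the TLS branch should apply the same test before resending. The sketch assumes `es_server` carries the same `ea_maxrequests` field that the context lines show for `es_client`. `eap_server_timeout` begins before the hunk.

```c
	case(eapTlsSend):
	case(eapTlsSendAlert):
		/* stop resending once the configured request limit is reached */
		if (esp->es_server.ea_maxrequests > 0 &&
		    esp->es_server.ea_requests >= esp->es_server.ea_maxrequests) {
			error("EAP-TLS: no response from peer, giving up");
			eap_send_failure(esp);
			return;
		}
		/* … unchanged: build header, eaptls_retransmit(), output(), re-arm TIMEOUT … */
```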
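Review bot: `eap_tls_response()` calls `eaptls_retransmit()` whenever the request id equals `esp->es_client.ea_id`, yet `rtx_len` is never initialised. The session comes from `malloc()`, and neither `eaptls_init_ssl_client()` nor `eaptls_init_ssl_server()` in this patch assigns it. If the first EAP-TLS request carries the same identifier as the previous exchange, `BCOPY(ets->rtx, *outp, ets->rtx_len)` in `eaptls_retransmit()` runs with an indeterminate length into `outpacket_buf`. Add `ets->rtx_len = 0;` to both init functions and take the retransmit path only when a packet has actually been stored (`rtx_len > 0`), falling back to `eaptls_send()` otherwise.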
eapListen: ++ ++ if (len < 1) { ++ error("EAP: received EAP-TLS Listen packet with no data"); ++ /* Bogus request; wait for something real. */ ++ return; ++ } ++ GETCHAR(flags, inp); ++ if(flags & EAP_TLS_FLAGS_START){ ++ ++ esp->es_client.ea_using_eaptls = 1; ++ ++ if (explicit_remote){ ++ esp->es_client.ea_peer = strdup(remote_name); ++ esp->es_client.ea_peerlen = strlen(remote_name); ++ } else ++ esp->es_client.ea_peer = NULL; ++ ++ /* Init ssl session */ ++ if(!eaptls_init_ssl_client(esp)) { ++ dbglog("cannot init ssl"); ++ eap_send_nak(esp, id, EAPT_TLS); ++ esp->es_client.ea_using_eaptls = 0; ++ break; ++ } ++ ++ ets = esp->es_client.ea_session; ++ eap_tls_response(esp, id); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : ++ eapTlsRecv); ++ break; ++ } ++ ++ /* The server has sent a bad start packet. */ ++ eap_send_nak(esp, id, EAPT_TLS); ++ break; ++ ++ case eapTlsRecvAck: ++ eap_tls_response(esp, id); ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : ++ eapTlsRecv); ++ break; ++ ++ case eapTlsRecv: ++ if (len < 1) { ++ error("EAP: discarding EAP-TLS Receive packet with no data"); ++ /* Bogus request; wait for something real. */ ++ return; ++ } ++ eaptls_receive(ets, inp, len); ++ ++ if(ets->frag) { ++ eap_tls_sendack(esp, id); ++ esp->es_client.ea_state = eapTlsRecv; ++ break; ++ } ++ ++ if(ets->alert_recv) { ++ eap_tls_sendack(esp, id); ++ esp->es_client.ea_state = eapTlsRecvFailure; ++ break; ++ } ++ ++ /* Check if TLS handshake is finished */ ++ if(SSL_is_init_finished(ets->ssl)){ ++#ifdef MPPE ++ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); ++#endif ++ eaptls_free_session(ets); ++ eap_tls_sendack(esp, id); ++ esp->es_client.ea_state = eapTlsRecvSuccess; ++ break; ++ } ++ ++ eap_tls_response(esp,id); ++ esp->es_client.ea_state = (ets->frag ? 
eapTlsRecvAck : ++ eapTlsRecv); ++ ++ break; ++ ++ default: ++ eap_send_nak(esp, id, EAPT_TLS); ++ esp->es_client.ea_using_eaptls = 0; ++ break; ++ } ++ ++ break; ++#endif /* USE_EAPTLS */ ++ + #ifdef USE_SRP + case EAPT_SRP: + if (len < 1) { +@@ -1737,6 +2071,11 @@ + u_char dig[SHA_DIGESTSIZE]; + #endif /* USE_SRP */ + ++#ifdef USE_EAPTLS ++ struct eaptls_session *ets; ++ u_char flags; ++#endif /* USE_EAPTLS */ ++ + if (esp->es_server.ea_id != id) { + dbglog("EAP: discarding Response %d; expected ID %d", id, + esp->es_server.ea_id); +@@ -1776,6 +2115,64 @@ + eap_figure_next_state(esp, 0); + break; + ++#ifdef USE_EAPTLS ++ case EAPT_TLS: ++ switch(esp->es_server.ea_state) { ++ ++ case eapTlsRecv: ++ ++ ets = (struct eaptls_session *) esp->es_server.ea_session; ++ eap_figure_next_state(esp, ++ eaptls_receive(esp->es_server.ea_session, inp, len)); ++ ++ if(ets->alert_recv) { ++ eap_send_failure(esp); ++ break; ++ } ++ break; ++ ++ case eapTlsRecvAck: ++ if(len > 1) { ++ dbglog("EAP-TLS ACK with extra data"); ++ } ++ eap_figure_next_state(esp, 0); ++ break; ++ ++ case eapTlsRecvClient: ++ /* Receive authentication response from client */ ++ ++ if (len > 0) { ++ GETCHAR(flags, inp); ++ ++ if(len == 1 && !flags) { /* Ack = ok */ ++#ifdef MPPE ++ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); ++#endif ++ eap_send_success(esp); ++ } ++ else { /* failure */ ++ warn("Server authentication failed"); ++ eap_send_failure(esp); ++ } ++ } ++ else ++ warn("Bogus EAP-TLS packet received from client"); ++ ++ eaptls_free_session(esp->es_server.ea_session); ++ ++ break; ++ ++ case eapTlsRecvAlertAck: ++ eap_send_failure(esp); ++ break; ++ ++ default: ++ eap_figure_next_state(esp, 1); ++ break; ++ } ++ break; ++#endif /* USE_EAPTLS */ ++ + case EAPT_NOTIFICATION: + dbglog("EAP unexpected Notification; response discarded"); + break; +@@ -1807,6 +2204,13 @@ + esp->es_server.ea_state = eapMD5Chall; + break; + ++#ifdef USE_EAPTLS ++ /* Send EAP-TLS start 
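Review bot: In the client's `eapTlsRecv` case the result of `eaptls_receive(ets, inp, len)` is discarded. A packet that function rejects (it returns 1 for malformed or over-long data) is still followed by the frag/alert checks and by `eap_tls_response()`. The server side of this patch passes the same return value to `eap_figure_next_state()`, so the client should also stop on failure. One option mirrors the `default:` branch: `if (eaptls_receive(ets, inp, len)) { eap_send_nak(esp, id, EAPT_TLS); esp->es_client.ea_using_eaptls = 0; break; }`. Separately, `strdup(remote_name)` in the `eapListen` case is not checked, and a NULL result is indistinguishable from "no peer name given", which `ssl_verify_callback()` treats as "no check". The enclosing function extends beyond the hunk.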
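Review bot: After `eaptls_free_session(esp->es_server.ea_session)` in the `eapTlsRecvClient` case the pointer is left in place, so `es_server.ea_session` keeps referring to freed memory. The client branch in the previous hunk does the same after `eaptls_free_session(ets)`. Any later code that reads or frees `ea_session` (not visible here) would be a use-after-free or double free. Clear the pointer at both sites with `esp->es_server.ea_session = NULL;` and `esp->es_client.ea_session = NULL;`. In `eapTlsRecv` the `break` inside `if(ets->alert_recv)` is immediately followed by another `break`, so the inner one is redundant.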
packet */ ++ case EAPT_TLS: ++ esp->es_server.ea_state = eapTlsStart; ++ break; ++#endif /* USE_EAPTLS */ ++ + default: + dbglog("EAP: peer requesting unknown Type %d", vallen); + switch (esp->es_server.ea_state) { +@@ -2018,13 +2422,27 @@ + int id; + int len; + { +- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { ++ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) ++#ifdef USE_EAPTLS ++ && esp->es_client.ea_state != eapTlsRecvSuccess ++#endif /* USE_EAPTLS */ ++ ) { + dbglog("EAP unexpected success message in state %s (%d)", + eap_state_name(esp->es_client.ea_state), + esp->es_client.ea_state); + return; + } + ++#ifdef USE_EAPTLS ++ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != ++ eapTlsRecvSuccess) { ++ dbglog("EAP-TLS unexpected success message in state %s (%d)", ++ eap_state_name(esp->es_client.ea_state), ++ esp->es_client.ea_state); ++ return; ++ } ++#endif /* USE_EAPTLS */ ++ + if (esp->es_client.ea_timeout > 0) { + UNTIMEOUT(eap_client_timeout, (void *)esp); + } +@@ -2150,6 +2568,9 @@ + int code, id, len, rtype, vallen; + u_char *pstart; + u_int32_t uval; ++#ifdef USE_EAPTLS ++ u_char flags; ++#endif /* USE_EAPTLS */ + + if (inlen < EAP_HEADERLEN) + return (0); +@@ -2214,6 +2635,24 @@ + } + break; + ++#ifdef USE_EAPTLS ++ case EAPT_TLS: ++ if (len < 1) ++ break; ++ GETCHAR(flags, inp); ++ len--; ++ ++ if(flags == 0 && len == 0){ ++ printer(arg, " Ack"); ++ break; ++ } ++ ++ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); ++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); ++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); ++ break; ++#endif /* USE_EAPTLS */ ++ + case EAPT_SRP: + if (len < 3) + goto truncated; +@@ -2325,6 +2764,25 @@ + } + break; + ++#ifdef USE_EAPTLS ++ case EAPT_TLS: ++ if (len < 1) ++ break; ++ GETCHAR(flags, inp); ++ len--; ++ ++ if(flags == 0 && len == 0){ ++ printer(arg, " Ack"); ++ break; ++ } ++ ++ printer(arg, flags & EAP_TLS_FLAGS_LI ? 
" L":" -"); ++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); ++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); ++ ++ break; ++#endif /* USE_EAPTLS */ ++ + case EAPT_NAK: + if (len <= 0) { + printer(arg, " "); +@@ -2426,3 +2884,4 @@ + + return (inp - pstart); + } ++ +diff -Naur ppp-2.4.7/pppd/eap.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h +--- ppp-2.4.7/pppd/eap.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/eap.h 2018-06-02 01:42:04.023165433 +0200 +@@ -84,6 +84,16 @@ + eapClosed, /* Authentication not in use */ + eapListen, /* Client ready (and timer running) */ + eapIdentify, /* EAP Identify sent */ ++ eapTlsStart, /* Send EAP-TLS start packet */ ++ eapTlsRecv, /* Receive EAP-TLS tls data */ ++ eapTlsSendAck, /* Send EAP-TLS ack */ ++ eapTlsSend, /* Send EAP-TLS tls data */ ++ eapTlsRecvAck, /* Receive EAP-TLS ack */ ++ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ ++ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ ++ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ ++ eapTlsRecvSuccess, /* Receive EAP success */ ++ eapTlsRecvFailure, /* Receive EAP failure */ + eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ + eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ + eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ +@@ -95,9 +105,18 @@ + + #define EAP_STATES \ + "Initial", "Pending", "Closed", "Listen", "Identify", \ ++ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ ++ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ + "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" + +-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) ++#ifdef USE_EAPTLS ++#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ ++ (esp)->es_client.ea_state != eapPending &&\ ++ (esp)->es_client.ea_state != eapClosed) ++#else ++#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) ++#endif /* USE_EAPTLS */ ++ 
+ #define eap_server_active(esp) \ + ((esp)->es_server.ea_state >= eapIdentify && \ + (esp)->es_server.ea_state <= eapMD5Chall) +@@ -112,11 +131,17 @@ + u_short ea_namelen; /* Length of our name */ + u_short ea_peerlen; /* Length of peer's name */ + enum eap_state_code ea_state; ++#ifdef USE_EAPTLS ++ enum eap_state_code ea_prev_state; ++#endif + u_char ea_id; /* Current id */ + u_char ea_requests; /* Number of Requests sent/received */ + u_char ea_responses; /* Number of Responses */ + u_char ea_type; /* One of EAPT_* */ + u_int32_t ea_keyflags; /* SRP shared key usage flags */ ++#ifdef USE_EAPTLS ++ bool ea_using_eaptls; ++#endif + }; + + /* +@@ -139,7 +164,12 @@ + * Timeouts. + */ + #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ ++#ifdef USE_EAPTLS ++#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ ++ /* certificates can be long ... */ ++#else + #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ ++#endif /* USE_EAPTLS */ + #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ + #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ + +diff -Naur ppp-2.4.7/pppd/md5.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c +--- ppp-2.4.7/pppd/md5.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.c 2018-06-02 01:42:04.023165433 +0200 +@@ -33,6 +33,8 @@ + *********************************************************************** + */ + ++#ifndef USE_EAPTLS ++ + #include + #include "md5.h" + +@@ -305,3 +307,5 @@ + ** End of md5.c ** + ******************************** (cut) ******************************** + */ ++#endif /* USE_EAPTLS */ ++ +diff -Naur ppp-2.4.7/pppd/md5.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h +--- ppp-2.4.7/pppd/md5.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/md5.h 2018-06-02 01:42:04.024165430 +0200 +@@ -36,6 +36,7 @@ + ** documentation and/or software. 
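Review bot: Under USE_EAPTLS the new `eap_client_active()` in the `@@ -95,9 +105,18 @@` hunk of eap.h is true for every client state except eapInitial, eapPending and eapClosed, so the first guard in the `@@ -2018,13 +2422,27 @@` hunk of eap.c no longer rejects an EAP-Success that arrives in, for example, BadAuth or one of the SRP states, whereas the non-TLS definition accepts only eapListen. The `ea_using_eaptls` check added in that hunk covers the TLS path only, and the `ea_state != eapTlsRecvSuccess` clause added to the first guard is redundant with the widened macro. Whether the client can actually sit in those other states is not visible here, but listing the accepted states would keep the check as strict as before, e.g. `((esp)->es_client.ea_state == eapListen || ((esp)->es_client.ea_state >= eapTlsStart && (esp)->es_client.ea_state <= eapTlsRecvFailure))`, in the range style `eap_server_active` already uses. Other users of the macro are outside this page and would need checking against the narrower form.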
** + *********************************************************************** + */ ++#ifndef USE_EAPTLS + + #ifndef __MD5_INCLUDE__ + +@@ -63,3 +64,5 @@ + + #define __MD5_INCLUDE__ + #endif /* __MD5_INCLUDE__ */ ++ ++#endif /* USE_EAPTLS */ +diff -Naur ppp-2.4.7/pppd/pathnames.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h +--- ppp-2.4.7/pppd/pathnames.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pathnames.h 2018-06-02 01:42:04.024165430 +0200 +@@ -21,6 +21,13 @@ + #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" + #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" + #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" ++ ++#ifdef USE_EAPTLS ++#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" ++#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" ++#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" ++#endif /* USE_EAPTLS */ ++ + #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" + #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" + #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" +diff -Naur ppp-2.4.7/pppd/plugins/Makefile.linux ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux +--- ppp-2.4.7/pppd/plugins/Makefile.linux 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/Makefile.linux 2018-06-02 01:42:04.024165430 +0200 +@@ -4,6 +4,9 @@ + LDFLAGS = -shared + INSTALL = install + ++# EAP-TLS ++CFLAGS += -DUSE_EAPTLS=1 ++ + DESTDIR = $(INSTROOT)@DESTDIR@ + BINDIR = $(DESTDIR)/sbin + MANDIR = $(DESTDIR)/share/man/man8 +diff -Naur ppp-2.4.7/pppd/plugins/passprompt.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c +--- ppp-2.4.7/pppd/plugins/passprompt.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passprompt.c 2018-06-02 01:42:04.024165430 +0200 +@@ -107,4 +107,7 @@ + { + add_options(options); + pap_passwd_hook = promptpass; ++#ifdef USE_EAPTLS ++ eaptls_passwd_hook = promptpass; ++#endif + } 
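Review bot: `CFLAGS += -DUSE_EAPTLS=1` in the pppd/plugins/Makefile.linux hunk is unconditional, while passprompt.c and passwordfd.c in this patch assign `eaptls_passwd_hook` only under `#ifdef USE_EAPTLS` and pppd.h declares the hook under the same guard. If pppd itself is built with the option off (its makefile switch is not shown on this page), the plugins would still reference the hook and would presumably fail to load on an unresolved symbol. The existing `# EAP-TLS` comment does not say this; I would extend it to `# EAP-TLS: must match the USE_EAPTLS setting in ../Makefile.linux, the plugins reference eaptls_passwd_hook` so the coupling is documented where the define lives.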
+diff -Naur ppp-2.4.7/pppd/plugins/passwordfd.c ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c +--- ppp-2.4.7/pppd/plugins/passwordfd.c 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/plugins/passwordfd.c 2018-06-02 01:42:04.024165430 +0200 +@@ -79,4 +79,8 @@ + + chap_check_hook = pwfd_check; + chap_passwd_hook = pwfd_passwd; ++ ++#ifdef USE_EAPTLS ++ eaptls_passwd_hook = pwfd_passwd; ++#endif + } +diff -Naur ppp-2.4.7/pppd/pppd.8 ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 +--- ppp-2.4.7/pppd/pppd.8 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.8 2018-06-02 01:42:04.025165427 +0200 +@@ -248,6 +248,12 @@ + compression in the corresponding direction. Use \fInobsdcomp\fR or + \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. + .TP ++.B ca \fIca-file ++(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority ++(CA) file (in PEM format), needed for setting up an EAP-TLS connection. ++This option is used on the client-side in conjunction with the \fBcert\fR ++and \fBkey\fR options. ++.TP + .B cdtrcts + Use a non-standard hardware flow control (i.e. DTR/CTS) to control + the flow of data on the serial port. If neither the \fIcrtscts\fR, +@@ -259,6 +265,12 @@ + bi-directional flow control. The sacrifice is that this flow + control mode does not permit using DTR as a modem control line. + .TP ++.B cert \fIcertfile ++(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM ++format), needed for setting up an EAP-TLS connection. This option is ++used on the client-side in conjunction with the \fBca\fR and ++\fBkey\fR options. ++.TP + .B chap\-interval \fIn + If this option is given, pppd will rechallenge the peer every \fIn\fR + seconds. +@@ -287,6 +299,18 @@ + 1000 (1 second). This wait period only applies if the \fBconnect\fR + or \fBpty\fR option is used. 
+ .TP ++.B crl \fIfilename ++(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List ++to check for the validity of the peer's certificate. This option is not ++mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR ++option. ++.TP ++.B crl-dir \fIdirectory ++(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in ++has format ($hash.r0) to check for the validity of the peer's certificate. ++This option is not mandatory for setting up an EAP-TLS connection. ++Also see the \fBcrl\fR option. ++.TP + .B debug + Enables connection debugging facilities. + If this option is given, pppd will log the contents of all +@@ -551,6 +575,12 @@ + the kernel are logged by syslog(1) to a file as directed in the + /etc/syslog.conf configuration file. + .TP ++.B key \fIkeyfile ++(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM ++format), needed for setting up an EAP-TLS connection. This option is ++used on the client-side in conjunction with the \fBca\fR and ++\fBcert\fR options. ++.TP + .B ktune + Enables pppd to alter kernel settings as appropriate. Under Linux, + pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward +@@ -709,6 +739,9 @@ + Disable Address/Control compression in both directions (send and + receive). + .TP ++.B need-peer-eap ++(EAP-TLS) Require the peer to verify our authentication credentials. ++.TP + .B noauth + Do not require the peer to authenticate itself. This option is + privileged. 
+diff -Naur ppp-2.4.7/pppd/pppd.h ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h +--- ppp-2.4.7/pppd/pppd.h 2014-08-09 14:31:39.000000000 +0200 ++++ ppp-2.4.7-eaptls-mppe-1.101b/pppd/pppd.h 2018-06-02 01:42:04.025165427 +0200 +@@ -325,6 +325,11 @@ + extern bool dryrun; /* check everything, print options, exit */ + extern int child_wait; /* # seconds to wait for children at end */ + ++#ifdef USE_EAPTLS ++extern char *crl_dir; ++extern char *crl_file; ++#endif /* USE_EAPTLS */ ++ + #ifdef MAXOCTETS + extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ + extern int maxoctets_dir; /* Direction : +@@ -741,6 +746,10 @@ + extern int (*chap_passwd_hook) __P((char *user, char *passwd)); + extern void (*multilink_join_hook) __P((void)); + ++#ifdef USE_EAPTLS ++extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); ++#endif ++ + /* Let a plugin snoop sent and received packets. Useful for L2TP */ + extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); + extern void (*snoop_send_hook) __P((unsigned char *p, int len)); diff --git a/SOURCES/ppp-2.4.7-honor-ldflags.patch b/SOURCES/ppp-2.4.7-honor-ldflags.patch new file mode 100644 index 0000000..2c3e20d --- /dev/null +++ b/SOURCES/ppp-2.4.7-honor-ldflags.patch 
@@ -0,0 +1,170 @@ +diff --git a/chat/Makefile.linux b/chat/Makefile.linux +index 2445637..83114f1 100644 +--- a/chat/Makefile.linux ++++ b/chat/Makefile.linux +@@ -18,7 +18,7 @@ INSTALL= install + all: chat + + chat: chat.o +- $(CC) -o chat chat.o ++ $(CC) $(LDFLAGS) -o chat chat.o + + chat.o: chat.c + $(CC) -c $(CFLAGS) -o chat.o chat.c +diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux +index cf11b74..089f164 100644 +--- a/pppd/Makefile.linux ++++ b/pppd/Makefile.linux +@@ -188,7 +188,7 @@ endif + + ifdef PLUGIN + CFLAGS += -DPLUGIN +-LDFLAGS += -Wl,-E ++LDFLAGS_PLUGIN += -Wl,-E + LIBS += -ldl + endif + +@@ -230,7 +230,7 @@ install: pppd + $(INSTALL) -c -m 644 pppd.8 $(MANDIR) + + pppd: $(PPPDOBJS) +- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) + + srp-entry: srp-entry.c + $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) +diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux +index 303833a..04fe876 100644 +--- a/pppd/plugins/Makefile.linux ++++ b/pppd/plugins/Makefile.linux +@@ -1,7 +1,7 @@ + #CC = gcc + COPTS = $(RPM_OPT_FLAGS) + CFLAGS = $(COPTS) -I.. -I../../include -fPIC +-LDFLAGS = -shared ++LDFLAGS_SHARED = -shared + INSTALL = install + + # EAP-TLS +@@ -33,7 +33,7 @@ all: $(PLUGINS) + for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done + + %.so: %.c +- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ ++ $(CC) -o $@ $(LDFLAGS) $(LDFLAGS_SHARED) $(CFLAGS) $^ + + VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) + +diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux +index 4c5826f..1961e0e 100644 +--- a/pppd/plugins/pppoatm/Makefile.linux ++++ b/pppd/plugins/pppoatm/Makefile.linux +@@ -1,7 +1,7 @@ + #CC = gcc + COPTS = $(RPM_OPT_FLAGS) + CFLAGS = $(COPTS) -I../.. 
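Review bot: The rename to `LDFLAGS_PLUGIN` in the `ifdef PLUGIN` block of pppd/Makefile.linux carries no comment saying why `-Wl,-E` has to stay out of `LDFLAGS`, so a later cleanup could merge it back. The spec on this page runs `make ... LDFLAGS="%{?build_ldflags}"`, and a command-line assignment replaces whatever the makefile appends to `LDFLAGS`, which would drop `-E`; the 2.4.7-21 changelog entry ties that flag to not breaking plugins. I would add `# Not in LDFLAGS: a command-line LDFLAGS= (distro hardening flags) overrides makefile appends, and pppd needs -E so plugins can resolve its symbols` above the assignment. The same reasoning applies to `LDFLAGS_SHARED` in the plugin makefiles touched by this patch, while the radius and rp-pppoe hunks keep a literal `-shared` on the link line and could use the same variable for consistency.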
-I../../../include -fPIC +-LDFLAGS = -shared ++LDFLAGS_SHARED = -shared + INSTALL = install + + #*********************************************************************** +@@ -33,7 +33,7 @@ endif + all: $(PLUGIN) + + $(PLUGIN): $(PLUGIN_OBJS) +- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux +index 9cb316d..7b23b25 100644 +--- a/pppd/plugins/pppol2tp/Makefile.linux ++++ b/pppd/plugins/pppol2tp/Makefile.linux +@@ -1,7 +1,7 @@ + #CC = gcc + COPTS = $(RPM_OPT_FLAGS) -DHAVE_MULTILINK + CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC +-LDFLAGS = -shared ++LDFLAGS_SHARED = -shared + INSTALL = install + + #*********************************************************************** +@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so + all: $(PLUGINS) + + %.so: %.o +- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ $(LDFLAGS_SHARED) $^ $(LIBS) + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux +index 707326b..2150332 100644 +--- a/pppd/plugins/radius/Makefile.linux ++++ b/pppd/plugins/radius/Makefile.linux +@@ -43,13 +43,13 @@ install: all + $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) + + radius.so: radius.o libradiusclient.a +- $(CC) -o radius.so -shared radius.o libradiusclient.a ++ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a + + radattr.so: radattr.o +- $(CC) -o radattr.so -shared radattr.o ++ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o + + radrealms.so: radrealms.o +- $(CC) -o radrealms.so -shared radrealms.o ++ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o + + CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \ + clientid.o sendserver.o lock.o util.o md5.o +diff --git a/pppd/plugins/rp-pppoe/Makefile.linux 
b/pppd/plugins/rp-pppoe/Makefile.linux +index fa49efb..5e06b52 100644 +--- a/pppd/plugins/rp-pppoe/Makefile.linux ++++ b/pppd/plugins/rp-pppoe/Makefile.linux +@@ -31,7 +31,7 @@ CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' + all: rp-pppoe.so pppoe-discovery + + pppoe-discovery: pppoe-discovery.o debug.o common.o +- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -ludev ++ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o -ludev + + pppoe-discovery.o: pppoe-discovery.c + $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c +@@ -40,7 +40,7 @@ debug.o: debug.c + $(CC) $(CFLAGS) -c -o debug.o debug.c + + rp-pppoe.so: plugin.o discovery.o if.o common.o +- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o ++ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o + + install: all + $(INSTALL) -d -m 755 $(LIBDIR) +diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux +index 95c6805..33e5107 100644 +--- a/pppdump/Makefile.linux ++++ b/pppdump/Makefile.linux +@@ -10,7 +10,7 @@ INSTALL= install + all: pppdump + + pppdump: $(OBJS) +- $(CC) -o pppdump $(OBJS) ++ $(CC) $(LDFLAGS) -o pppdump $(OBJS) + + clean: + rm -f pppdump $(OBJS) *~ +diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux +index c5ba3b1..eeccf83 100644 +--- a/pppstats/Makefile.linux ++++ b/pppstats/Makefile.linux +@@ -26,7 +26,7 @@ install: pppstats + $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) + + pppstats: $(PPPSTATSRCS) +- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) ++ $(CC) $(CFLAGS) $(LDFLAGS) -o pppstats pppstats.c $(LIBS) + + clean: + rm -f pppstats *~ #* core diff --git a/SOURCES/ppp-logrotate.conf b/SOURCES/ppp-logrotate.conf new file mode 100644 index 0000000..7a72979 --- /dev/null +++ b/SOURCES/ppp-logrotate.conf @@ -0,0 +1,10 @@ +# Logrotate file for ppp RPM + +/var/log/ppp/connect-errors { + missingok + compress + notifempty + daily + rotate 5 + create 0600 root root +} 
diff --git a/SOURCES/ppp-pam.conf b/SOURCES/ppp-pam.conf
new file mode 100644
index 0000000..968e252
--- /dev/null
+++ b/SOURCES/ppp-pam.conf
@@ -0,0 +1,5 @@
+#%PAM-1.0
+auth include password-auth
+account required pam_nologin.so
+account include password-auth
+session include password-auth
diff --git a/SOURCES/ppp-tmpfiles.conf b/SOURCES/ppp-tmpfiles.conf
new file mode 100644
index 0000000..a07719c
--- /dev/null
+++ b/SOURCES/ppp-tmpfiles.conf
@@ -0,0 +1,2 @@
+d /run/ppp 0755 root root
+d /run/lock/ppp 0755 root root
diff --git a/SPECS/ppp.spec b/SPECS/ppp.spec
new file mode 100644
index 0000000..3b81e43
--- /dev/null
+++ b/SPECS/ppp.spec
@@ -0,0 +1,707 @@ +%global _hardened_build 1 + +Summary: The Point-to-Point Protocol daemon +Name: ppp +Version: 2.4.7 +Release: 26%{?dist} +License: BSD and LGPLv2+ and GPLv2+ and Public Domain +Group: System Environment/Daemons +URL: http://www.samba.org/ppp +Source0: ftp://ftp.samba.org/pub/ppp/ppp-%{version}.tar.gz +Source1: ppp-pam.conf +Source2: ppp-logrotate.conf +Source3: ppp-tmpfiles.conf +Source4: ip-down +Source5: ip-down.ipv6to4 +Source6: ip-up +Source7: ip-up.ipv6to4 +Source8: ipv6-down +Source9: ipv6-up +Source10: ifup-ppp +Source11: ifdown-ppp +Source12: ppp-watch.tar.xz + +# Fedora-specific +Patch0001: 0001-build-sys-use-gcc-as-our-compiler-of-choice.patch +Patch0002: 0002-build-sys-enable-PAM-support.patch +Patch0003: 0003-build-sys-utilize-compiler-flags-handed-to-us-by-rpm.patch +Patch0004: 0004-doc-add-configuration-samples.patch +Patch0005: 0005-build-sys-don-t-hardcode-LIBDIR-but-set-it-according.patch +Patch0006: 0006-scritps-use-change_resolv_conf-function.patch +Patch0007: 0007-build-sys-don-t-strip-binaries-during-installation.patch +Patch0008: 0008-build-sys-use-prefix-usr-instead-of-usr-local.patch +Patch0009: 0009-pppd-introduce-ipv6-accept-remote.patch +Patch0010: 0010-build-sys-enable-CBCP.patch +Patch0011: 0011-build-sys-don-t-put-connect-errors-log-to-etc-ppp.patch +Patch0012: 0012-pppd-we-don-t-want-to-accidentally-leak-fds.patch +Patch0013: 0013-everywhere-O_CLOEXEC-harder.patch +Patch0014: 0014-everywhere-use-SOCK_CLOEXEC-when-creating-socket.patch +Patch0015: 0015-pppd-move-pppd-database-to-var-run-ppp.patch +Patch0016: 0016-rp-pppoe-add-manpage-for-pppoe-discovery.patch +Patch0018: 0018-scritps-fix-ip-up.local-sample.patch +Patch0019: 0019-sys-linux-rework-get_first_ethernet.patch +Patch0020: 0020-pppd-put-lock-files-in-var-lock-ppp.patch +Patch0021: 0021-build-sys-compile-pppol2tp-plugin-with-RPM_OPT_FLAGS.patch +Patch0022: 0022-build-sys-compile-pppol2tp-with-multilink-support.patch +Patch0023: 
0023-build-sys-install-rp-pppoe-plugin-files-with-standar.patch +Patch0024: 0024-build-sys-install-pppoatm-plugin-files-with-standard.patch +Patch0025: 0025-pppd-install-pppd-binary-using-standard-perms-755.patch +Patch0026: ppp-2.4.7-eaptls-mppe-1.101.patch +Patch0028: 0028-pppoe-include-netinet-in.h-before-linux-in.h.patch + +# rhbz#1556132 +Patch0029: ppp-2.4.7-DES-openssl.patch +# https://github.com/paulusmack/ppp/pull/95 +Patch0030: ppp-2.4.7-honor-ldflags.patch +Patch0031: ppp-2.4.7-coverity-scan-fixes.patch +Patch0032: ppp-2.4.7-CVE-2020-8597.patch + +BuildRequires: pam-devel, libpcap-devel, systemd, systemd-devel, glib2-devel +BuildRequires: openssl-devel +Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, libpcap >= 14:0.8.3-6, systemd +Requires(pre): /usr/bin/getent +Requires(pre): /usr/sbin/groupadd + +%description +The ppp package contains the PPP (Point-to-Point Protocol) daemon and +documentation for PPP support. The PPP protocol provides a method for +transmitting datagrams over serial point-to-point links. PPP is +usually used to dial in to an ISP (Internet Service Provider) or other +organization over a modem and phone line. + +%package -n network-scripts-%{name} +Summary: PPP legacy network service support +Requires: network-scripts +Supplements: (%{name} and network-scripts) + +%description -n network-scripts-%{name} +This provides the ifup and ifdown scripts for use with the legacy network +service. + +%package devel +Summary: Headers for ppp plugin development +Group: Development/Libraries +Requires: %{name}%{?_isa} = %{version}-%{release} + +%description devel +This package contains the header files for building plugins for ppp. 
+ +%prep +%setup -q +%autopatch -p1 + +tar -xJf %{SOURCE12} + +%build +export RPM_OPT_FLAGS="$RPM_OPT_FLAGS -fPIC -Wall -fno-strict-aliasing" +export RPM_LD_FLAGS="$LDFLAGS" +%configure +make %{?_smp_mflags} LDFLAGS="%{?build_ldflags}" +make -C ppp-watch %{?_smp_mflags} LDFLAGS="%{?build_ldflags}" + +%install +make INSTROOT=%{buildroot} install install-etcppp +find scripts -type f | xargs chmod a-x +make ROOT=%{buildroot} -C ppp-watch install + +# create log files dir +install -d %{buildroot}%{_localstatedir}/log/ppp + +# install pam config +install -d %{buildroot}%{_sysconfdir}/pam.d +install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/ppp + +# install logrotate script +install -d %{buildroot}%{_sysconfdir}/logrotate.d +install -m 644 -p %{SOURCE2} %{buildroot}%{_sysconfdir}/logrotate.d/ppp + +# install tmpfiles drop-in +install -d %{buildroot}%{_tmpfilesdir} +install -m 644 -p %{SOURCE3} %{buildroot}%{_tmpfilesdir}/ppp.conf + +# install scripts (previously owned by initscripts package) +install -d %{buildroot}%{_sysconfdir}/ppp +install -p %{SOURCE4} %{buildroot}%{_sysconfdir}/ppp/ip-down +install -p %{SOURCE5} %{buildroot}%{_sysconfdir}/ppp/ip-down.ipv6to4 +install -p %{SOURCE6} %{buildroot}%{_sysconfdir}/ppp/ip-up +install -p %{SOURCE7} %{buildroot}%{_sysconfdir}/ppp/ip-up.ipv6to4 +install -p %{SOURCE8} %{buildroot}%{_sysconfdir}/ppp/ipv6-down +install -p %{SOURCE9} %{buildroot}%{_sysconfdir}/ppp/ipv6-up + +install -d %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ +install -p %{SOURCE10} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp +install -p %{SOURCE11} %{buildroot}%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp + +%pre +/usr/bin/getent group dip >/dev/null 2>&1 || /usr/sbin/groupadd -r -g 40 dip >/dev/null 2>&1 || : + +%post +%tmpfiles_create ppp.conf + +%files +%defattr(-,root,root) +%{_sbindir}/chat +%{_sbindir}/pppd +%{_sbindir}/pppdump +%{_sbindir}/pppoe-discovery +%{_sbindir}/pppstats +%{_sbindir}/ppp-watch +%dir 
%{_sysconfdir}/ppp +%{_sysconfdir}/ppp/ip-up +%{_sysconfdir}/ppp/ip-down +%{_sysconfdir}/ppp/ip-up.ipv6to4 +%{_sysconfdir}/ppp/ip-down.ipv6to4 +%{_sysconfdir}/ppp/ipv6-up +%{_sysconfdir}/ppp/ipv6-down +%{_mandir}/man8/chat.8* +%{_mandir}/man8/pppd.8* +%{_mandir}/man8/pppdump.8* +%{_mandir}/man8/pppd-radattr.8* +%{_mandir}/man8/pppd-radius.8* +%{_mandir}/man8/pppstats.8* +%{_mandir}/man8/pppoe-discovery.8* +%{_mandir}/man8/ppp-watch.8* +%{_libdir}/pppd +%ghost %dir /run/ppp +%ghost %dir /run/lock/ppp +%dir %{_sysconfdir}/logrotate.d +%attr(700, root, root) %dir %{_localstatedir}/log/ppp +%config(noreplace) %{_sysconfdir}/ppp/eaptls-client +%config(noreplace) %{_sysconfdir}/ppp/eaptls-server +%config(noreplace) %{_sysconfdir}/ppp/chap-secrets +%config(noreplace) %{_sysconfdir}/ppp/options +%config(noreplace) %{_sysconfdir}/ppp/pap-secrets +%config(noreplace) %{_sysconfdir}/pam.d/ppp +%config(noreplace) %{_sysconfdir}/logrotate.d/ppp +%{_tmpfilesdir}/ppp.conf +%doc FAQ README README.cbcp README.linux README.MPPE README.MSCHAP80 README.MSCHAP81 README.pwfd README.pppoe scripts sample README.eap-tls + +%files -n network-scripts-%{name} +%{_sysconfdir}/sysconfig/network-scripts/ifdown-ppp +%{_sysconfdir}/sysconfig/network-scripts/ifup-ppp + +%files devel +%defattr(-,root,root) +%{_includedir}/pppd +%doc PLUGINS + +%changelog +* Tue Feb 25 2020 Jaroslav Škarvada - 2.4.7-26 +- Fixed buffer overflow in the eap_request and eap_response functions + Resolves: CVE-2020-8597 + +* Tue Dec 4 2018 Jaroslav Škarvada - 2.4.7-25 +- Fixed some issues found by coverity scan + Resolves: rhbz#1602665 + +* Tue Nov 20 2018 Jaroslav Škarvada - 2.4.7-24 +- Split out the network-scripts + Resolves: rhbz#1608377 + +* Wed Jun 20 2018 Jaroslav Škarvada - 2.4.7-23 +- Replaced initscripts requirement by the network-scripts + Resolves: rhbz#1610285 + +* Tue Jun 5 2018 Jaroslav Škarvada - 2.4.7-22 +- Updated EAP-TLS patch to v1.101 + Resolves: CVE-2018-11574 + +* Mon Apr 9 2018 Jaroslav Škarvada - 
2.4.7-21 +- Link with -E not to break plugins + Resolves: rhbz#1564459 + +* Fri Apr 6 2018 Jaroslav Škarvada - 2.4.7-20 +- Also build all DSOs with distro's LDFLAGS + Related: rhbz#1563157 + +* Wed Apr 4 2018 Jaroslav Škarvada - 2.4.7-19 +- Build with distro's LDFLAGS + Resolves: rhbz#1563157 + +* Tue Mar 27 2018 Jaroslav Škarvada - 2.4.7-18 +- Used openssl for the DES instead of the libcrypt / glibc + Resolves: rhbz#1556132 + +* Fri Feb 09 2018 Igor Gnatenko - 2.4.7-17 +- Escape macros in %%changelog + +* Fri Feb 09 2018 Fedora Release Engineering - 2.4.7-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Sat Jan 20 2018 Björn Esser - 2.4.7-15 +- Rebuilt for switch to libxcrypt + +* Mon Aug 21 2017 Jaroslav Škarvada - 2.4.7-14 +- EAP-TLS patch updated to version 0.999 +- Switched to openssl-1.1 + +* Thu Aug 03 2017 Fedora Release Engineering - 2.4.7-13 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 2.4.7-12 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 2.4.7-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sat Dec 10 2016 Lubomir Rintel - 2.4.7-10 +- Fix FTBFS + +* Thu Feb 04 2016 Fedora Release Engineering - 2.4.7-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Thu Jun 18 2015 Fedora Release Engineering - 2.4.7-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Mon Feb 09 2015 Michal Sekletar - 2.4.7-7 +- prevent running into issues caused by undefined behavior (pointers of incompatible types aliasing the same object) + +* Wed Dec 10 2014 Michal Sekletar - 2.4.7-6 +- fix logical expression in eap_client_active macro (#1023620) + +* Wed Nov 19 2014 Michal Sekletar - 2.4.7-5 +- don't mark logrotate config as executable (#1164435) + +* Tue Sep 2 2014 Peter Robinson 2.4.7-4 +- devel package should depend on 
base package as per guidelines + +* Tue Aug 19 2014 Michal Sekletar - 2.4.7-3 +- don't mark tmpfiles dropin as executable (#1131293) + +* Sun Aug 17 2014 Fedora Release Engineering - 2.4.7-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Mon Aug 11 2014 Michal Sekletar - 2.4.7-1 +- rebase to 2.4.7. Includes fix for CVE-2014-3158 (#1128716) + +* Fri Jun 20 2014 Michal Sekletar - 2.4.6-6 +- version 0.997 of EAP-TLS patch + +* Sat Jun 07 2014 Fedora Release Engineering - 2.4.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed Apr 16 2014 Michal Sekletar - 2.4.6-4 +- move ppp initscripts to ppp package (#1088220) + +* Mon Apr 14 2014 Michal Sekletar - 2.4.6-3 +- don't require perl and expect (#1086846) + +* Thu Apr 10 2014 Michal Sekletar - 2.4.6-2 +- rebase to 2.4.6 + +* Thu Aug 01 2013 Michal Sekletar - 2.4.5-33 +- fix post installation scriptlet + +* Fri Jul 12 2013 Michal Sekletar - 2.4.5-32 +- don't ship /var/lock/ppp in rpm payload and create it in %%post instead +- fix installation of tmpfiles.d configuration +- enable hardened build +- fix bogus dates in changelog +- compile all binaries with hardening flags + +* Thu Jul 04 2013 Michal Sekletar - 2.4.5-31 +- fix possible NULL pointer dereferencing + +* Wed May 29 2013 Michal Sekletar - 2.4.5-30 +- make radius plugin config parser less strict +- resolves : #906913 + +* Wed Mar 20 2013 Michal Sekletar - 2.4.5-29 +- Add creation of dip system group + +* Wed Mar 20 2013 Michal Sekletar - 2.4.5-28 +- Add /etc/logrotate.d to files section since we no longer hard depend on logrotate + +* Wed Mar 20 2013 Michal Sekletar - 2.4.5-27 +- Don't hard depend on logrotate + +* Thu Feb 14 2013 Fedora Release Engineering - 2.4.5-26 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Michal Sekletar - 2.4.5-25 +- Resolves: #840190 - install configuration file in /usr/lib/tmpfiles.d + +* Tue Sep 11 2012 Michal Sekletar - 2.4.5-24 +- 
Removed unnecessary dependency on systemd-unit + +* Sat Jul 21 2012 Fedora Release Engineering - 2.4.5-23 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Tue May 29 2012 Michal Sekletar +- Resolves: #817011 - fixed ppp-2.4.5-eaptls-mppe-0.99 patch, added variable definition + +* Mon May 21 2012 Michal Sekletar +- Resolves: #817013 - fixed support for multilink channels in pppol2tp plugin + +* Thu May 17 2012 Michal Sekletar +- Resolves: #771340 - fixed compilation of pppd without USE_EAPTLS + +* Sat Jan 14 2012 Fedora Release Engineering - 2.4.5-19 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Mon May 30 2011 Jiri Skala - 2.4.5-18 +- fixes #682381 - hardcodes eth0 +- fixes #708260 - SELinux is preventing access on the file LCK..ttyUSB3 + +* Mon Apr 04 2011 Jiri Skala - 2.4.5-17 +- fixes #664282 and #664868 - man page fixes + +* Wed Feb 09 2011 Fedora Release Engineering - 2.4.5-16 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Thu Dec 02 2010 Jiri Skala - 2.4.5-15 +- corrected tmpfiles.d conf +- replaced remaining /etc by macros + +* Tue Nov 30 2010 Jiri Skala - 2.4.5-14 +- fixes #656671 - /var/run and /var/lock on tmpfs +- replaced paths /var /etc by macros + +* Tue Nov 16 2010 Jiri Skala - 2.4.5-13 +- fixes #565294 - SELinux is preventing /sbin/consoletype access to a leaked packet_socket fd + +* Wed Sep 29 2010 Jiri Skala - 2.4.5-12 +- fixes #637513 - Missing: README.eap-tls +- updated to latest eaptls upstream +- fixes #637886 - EAP-TLS not working with enabled PPP Multilink Framing option + +* Thu Aug 05 2010 Jiri Skala - 2.4.5-11 +- fixes #617625 - FTBFS in ppp due to change in kernel-headers +- fixes pppol2tp Makefile + +* Tue Jul 13 2010 Jiri Skala - 2.4.5-10 +- fixes #613717 - Missing line in example script ip-up.local.add +- removed /usr/kerberos/include from eaptls patch + +* Wed Jun 16 2010 Jiri Skala - 2.4.5-9 +- included eap-tls patch + +* Wed Apr 07 2010 Jiri Skala - 
2.4.5-8
+- added pppoe-discovery(8)
+
+* Fri Mar 05 2010 Jiri Skala - 2.4.5-7
+- removed duplicities from patches (ip-*.local.add)
+
+* Fri Feb 12 2010 Jiri Skala - 2.4.5-6
+- fixes #560014 - SELinux is preventing /usr/sbin/pppd "read write" access on pppd2.tdb
+
+* Thu Feb 04 2010 Jiri Skala - 2.4.5-5
+- one line correction in fd_leak patch
+
+* Wed Feb 03 2010 Jiri Skala - 2.4.5-4
+- applied patch fd_leak
+
+* Fri Jan 22 2010 Jiri Skala - 2.4.5-3
+- fixed some rpmlint complains
+
+* Sun Nov 22 2009 Jiri Skala - 2.4.5-2
+- updated patches (make local succeeded, koji failed)
+
+* Fri Nov 20 2009 Jiri Skala - 2.4.5-1
+- updated to latest upstream sources (#538058)
+
+* Thu Oct 08 2009 Jiri Skala - 2.4.4-14
+- fixed #519042 - ppp package is missing URL in spec
+- fixed #524575 - ppp: no_strip patch modifies backup files created by previous patches
+
+* Wed Sep 16 2009 Tomas Mraz 2.4.4-13
+- use password-auth common PAM configuration instead of system-auth
+
+* Sun Jul 26 2009 Fedora Release Engineering - 2.4.4-12
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild
+
+* Fri Mar 06 2009 - Jiri Skala 2.4.4-11
+- fixed #488764 - package upgrade should not replace configuration files
+
+* Thu Feb 26 2009 Fedora Release Engineering - 2.4.4-10
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild
+
+* Thu Dec 11 2008 Jiri Skala 2.4.4.-9
+- fixed #467004 PPP sometimes gets incorrect DNS servers for mobile broadband connections
+
+* Thu Aug 28 2008 Tom "spot" Callaway 2.4.4-8
+- fix license tag
+
+* Tue May 13 2008 Martin Nagy 2.4.4-7
+- add new speeds, patch by Jason Vas Dias (#446132)
+
+* Thu Mar 06 2008 Martin Nagy 2.4.4-6
+- call closelog earlier (#222295)
+- fix ChapMS2 (#217076)
+- moving header files to new -devel package (#203542)
+
+* Mon Mar 03 2008 Martin Nagy 2.4.4-5
+- put logs into /var/log/ppp (#118837)
+
+* Mon Feb 11 2008 Martin Nagy 2.4.4-4
+- rebuild for gcc-4.3
+
+* Fri Nov 09 2007 Martin Nagy 2.4.4-3
+- removed undesired 
files from the package (#241753)
+
+* Fri Dec 1 2006 Thomas Woerner 2.4.4-2
+- fixed build requirement for libpcap (#217661)
+
+* Wed Jul 19 2006 Thomas Woerner 2.4.4-1
+- new version 2.4.4 with lots of fixes
+- fixed reesolv.conf docs (#165072)
+ Thanks to Matt Domsch for the initial patch
+- enabled CBCP (#199278)
+
+* Wed Jul 12 2006 Jesse Keating - 2.4.3-6.2.2
+- rebuild
+
+* Fri Feb 10 2006 Jesse Keating - 2.4.3-6.2.1
+- bump again for double-long bug on ppc(64)
+
+* Tue Feb 07 2006 Jesse Keating - 2.4.3-6.2
+- rebuilt for new gcc4.1 snapshot and glibc changes
+
+* Fri Dec 09 2005 Jesse Keating
+- rebuilt
+
+* Sat Nov 12 2005 Florian La Roche
+- rebuild
+
+* Fri Nov 4 2005 David Woodhouse 2.4.3-5
+- Implement ipv6cp-accept-remote option
+
+* Fri Oct 7 2005 Tomas Mraz 2.4.3-4
+- use include instead of pam_stack in pam config
+
+* Sun Jul 31 2005 Florian La Roche
+- rebuild for libpcap of the day
+
+* Tue Jul 19 2005 Thomas Woerner 2.4.3-2.1
+- additional patch for the scripts, thanks to Sammy (#163621)
+
+* Tue Jul 19 2005 Thomas Woerner 2.4.3-2
+- dropped all executable bits in scripts directory to prevent rpm requiring
+ programs used in there
+
+* Mon Jul 18 2005 Thomas Woerner 2.4.3-1
+- new version 2.4.3
+ - updated patches: make, lib64, dontwriteetc, fix, fix64, no_strip,
+ radiusplugin
+ - dropped patches: bpf, signal, pcap, pppoatm, pkgcheck
+
+* Tue Nov 2 2004 Thomas Woerner 2.4.2-7
+- fixed out of bounds memory access, possible DOS
+
+* Thu Oct 7 2004 David Woodhouse 2.4.2-6.3
+- Fix use of 'demand' without explicit MTU/MRU with pppoatm
+
+* Tue Oct 5 2004 David Woodhouse 2.4.2-6.2
+- Link pppoatm plugin against libresolv.
+- Revert to linux-atm headers without the workaround for #127098
+
+* Mon Oct 4 2004 David Woodhouse 2.4.2-6.1
+- Include atmsap.h for pppoatm plugin. 
+
+* Mon Oct 4 2004 David Woodhouse 2.4.2-6
+- Add pppoatm plugin (#131555)
+
+* Thu Sep 16 2004 Thomas Woerner 2.4.2-5.1
+- fixed subscript out of range (#132677)
+
+* Wed Sep 15 2004 Thomas Woerner 2.4.2-5
+- example scripts are using change_resolv_conf to modify /etc/resolv.conf
+ (#132482)
+- require new libpcap library (>= 0.8.3-6) with a fix for inbound/outbound
+ filter processing
+- not using internal libpcap structures anymore, fixes inbound/outbound
+ filter processing (#128053)
+
+* Fri Aug 6 2004 Thomas Woerner 2.4.2-4
+- fixed signal handling (#29171)
+
+* Mon Jun 21 2004 Thomas Woerner 2.4.2-3.1
+- fixed compiler warnings
+- fixed 64bit problem with ms-chap (#125501)
+- enabled pie again
+
+* Tue Jun 15 2004 Elliot Lee
+- rebuilt
+
+* Mon May 24 2004 David Woodhouse 2.4.2-2.3
+- Enable IPv6 support. Disable PIE to avoid bogus Provides:
+
+* Fri May 14 2004 Thomas Woerner 2.4.2-2.2
+- compiled pppd and chat PIE
+
+* Thu May 13 2004 Thomas Woerner 2.4.2-2.1
+- added 'missingok' to ppp.logrotate (#122911)
+
+* Fri May 07 2004 Nils Philippsen 2.4.2-2
+- don't write to /etc (#118837)
+
+* Wed Mar 10 2004 Nalin Dahyabhai 2.4.2-1
+- update to 2.4.2
+
+* Fri Feb 13 2004 Elliot Lee
+- rebuilt
+
+* Fri Sep 5 2003 Nalin Dahyabhai 2.4.1-15
+- rebuild
+
+* Fri Sep 5 2003 Nalin Dahyabhai 2.4.1-14
+- apply the patch from -11
+
+* Wed Jun 04 2003 Elliot Lee
+- rebuilt
+
+* Tue Jun 3 2003 Nalin Dahyabhai 2.4.1-12
+- rebuild
+
+* Tue Jun 3 2003 Nalin Dahyabhai 2.4.1-11
+- check for libcrypt in the right directory at compile-time
+
+* Wed Jan 22 2003 Tim Powers
+- rebuilt
+
+* Thu Dec 12 2002 Elliot Lee 2.4.1-9
+- Fix build failure by rebuilding
+
+* Tue Nov 19 2002 Nalin Dahyabhai 2.4.1-8
+- rebuild
+- set x86_64 to use varargs the way s390 does
+
+* Mon Jul 22 2002 Florian La Roche
+- add patch:
+ * Thu Jun 06 2002 Phil Knirsch
+ - Fixed varargs problem for s390/s390x. 
+
+* Fri Jun 21 2002 Tim Powers
+- automated rebuild
+
+* Sun May 26 2002 Tim Powers
+- automated rebuild
+
+* Fri May 17 2002 Nalin Dahyabhai 2.4.1-4
+- rebuild in new environment
+
+* Wed Feb 27 2002 Nalin Dahyabhai 2.4.1-3
+- revert cbcp patch, it's wrong (#55367)
+
+* Thu Aug 9 2001 Nalin Dahyabhai 2.4.1-2
+- add buildprereq on pam-devel (#49559)
+- add patch to respond to CBCP LCP requests (#15738)
+- enable cbcp support at build-time
+- change the Copyright: tag to a License: tag
+
+* Wed May 23 2001 Nalin Dahyabhai 2.4.1-1
+- update to 2.4.1
+
+* Fri Dec 1 2000 Nalin Dahyabhai
+- rebuild in new environment
+
+* Thu Nov 9 2000 Nalin Dahyabhai
+- update to 2.4.0
+
+* Wed Jul 12 2000 Prospector
+- automatic rebuild
+
+* Mon Jun 5 2000 Nalin Dahyabhai
+- move man pages to %%{_mandir}
+
+* Thu Jun 1 2000 Nalin Dahyabhai
+- change perms using defattr
+- modify PAM setup to use system-auth
+
+* Sun Mar 26 2000 Florian La Roche
+- change to root:root perms
+
+* Mon Mar 06 2000 Nalin Dahyabhai
+- reaper bugs verified as fixed
+- check pam_open_session result code (bug #9966)
+
+* Mon Feb 07 2000 Nalin Dahyabhai
+- take a shot at the wrong reaper bugs (#8153, #5290)
+
+* Thu Feb 03 2000 Nalin Dahyabhai
+- free ride through the build system (release 2)
+
+* Tue Jan 18 2000 Nalin Dahyabhai
+- Update to 2.3.11
+
+* Sat Nov 06 1999 Michael K. Johnson
+- Better fix for both problems
+
+* Fri Nov 05 1999 Michael K. Johnson
+- fix for double-dial problem
+- fix for requiring a controlling terminal problem
+
+* Sun Sep 19 1999 Preston Brown
+- 2.3.10 bugfix release
+
+* Fri Aug 13 1999 Michael K. Johnson
+- New version 2.3.9 required for kernel 2.3.13 and will be required
+ for new initscripts. auth patch removed; 2.3.9 does the same thing
+ more readably than the previous patch. 
+
+* Thu Jun 24 1999 Cristian Gafton
+- add pppdump
+
+* Fri Apr 09 1999 Cristian Gafton
+- force pppd use the glibc's logwtmp instead of implementing its own
+
+* Thu Apr 01 1999 Preston Brown
+- version 2.3.7 bugfix release
+
+* Tue Mar 23 1999 Cristian Gafton
+- version 2.3.6
+
+* Mon Mar 22 1999 Michael Johnson
+- auth patch
+
+* Sun Mar 21 1999 Cristian Gafton
+- auto rebuild in the new build environment (release 3)
+
+* Thu Jan 07 1999 Cristian Gafton
+- build for glibc 2.1
+
+* Fri Jun 5 1998 Jeff Johnson
+- updated to 2.3.5.
+
+* Tue May 19 1998 Prospector System
+- translations modified for de
+
+* Fri May 8 1998 Jakub Jelinek
+- make it run with kernels 2.1.100 and above.
+
+* Fri Apr 24 1998 Prospector System
+- translations modified for de, fr, tr
+
+* Wed Mar 18 1998 Cristian Gafton
+- requires glibc 2.0.6 or later
+
+* Wed Mar 18 1998 Michael K. Johnson
+- updated PAM patch to not turn off wtmp/utmp/syslog logging.
+
+* Wed Jan 7 1998 Cristian Gafton
+- added the /etc/pam.d config file
+- updated PAM patch to include session support
+
+* Tue Jan 6 1998 Cristian Gafton
+- updated to ppp-2.3.3, build against glibc-2.0.6 - previous patches not
+ required any more.
+- added buildroot
+- fixed the PAM support, which was really, completely broken and against any
+ standards (session support is still not here... :-( )
+- we build against running kernel and pray that it will work
+- added a samples patch; updated glibc patch
+
+* Thu Dec 18 1997 Erik Troan
+- added a patch to use our own route.h, rather then glibc's (which has
+ alignment problems on Alpha's) -- I only applied this patch on the Alpha,
+ though it should be safe everywhere
+
+* Fri Oct 10 1997 Erik Troan
+- turned off the execute bit for scripts in /usr/doc
+
+* Fri Jul 18 1997 Erik Troan
+- built against glibc
+
+* Tue Mar 25 1997 Erik Troan
+- Integrated new patch from David Mosberger
+- Improved description