diff --git a/.cvsignore b/.cvsignore deleted file mode 100644 index e69de29..0000000 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ae0ec2f --- /dev/null +++ b/.gitignore @@ -0,0 +1,16 @@ +xl2tpd-1.1.06.tar.gz +xl2tpd-1.1.07.tar.gz +xl2tpd-1.1.08.tar.gz +xl2tpd-1.1.09.tar.gz +xl2tpd-1.1.11.tar.gz +xl2tpd-1.1.12.tar.gz +xl2tpd-1.2.0.tar.gz +xl2tpd-1.2.4.tar.gz +xl2tpd-1.2.5.tar.gz +xl2tpd-1.2.7.tar.gz +xl2tpd-1.2.8.tar.gz +xl2tpd-1.3.0.tar.gz +xl2tpd-1.3.1.tar.gz +/xl2tpd-5619e1771048e74b729804e8602f409af0f3faea.tar.gz +/xl2tpd-1.3.8.tar.gz +/xl2tpd-1.3.14.tar.gz diff --git a/Makefile b/Makefile deleted file mode 100644 index 8bab16b..0000000 --- a/Makefile +++ /dev/null @@ -1,21 +0,0 @@ -# Makefile for source rpm: xl2tpd -# $Id$ -NAME := xl2tpd -SPECFILE = $(firstword $(wildcard *.spec)) - -define find-makefile-common -for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done -endef - -MAKEFILE_COMMON := $(shell $(find-makefile-common)) - -ifeq ($(MAKEFILE_COMMON),) -# attept a checkout -define checkout-makefile-common -test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2 -endef - -MAKEFILE_COMMON := $(shell $(checkout-makefile-common)) -endif - -include $(MAKEFILE_COMMON) diff --git a/sources b/sources index e69de29..31efa93 100644 --- a/sources +++ b/sources @@ -0,0 +1 @@ +SHA512 (xl2tpd-1.3.14.tar.gz) = a0c007b5a2d45f4c73d8651c8ca2525cd46b779e4b8cfabebd2c7905770d128f25edea5665c25828c53788083fda73896faccb49f4da9a38a2042b5f957a3327 diff --git a/tmpfiles-xl2tpd.conf b/tmpfiles-xl2tpd.conf new file mode 100644 index 0000000..ee868fb --- /dev/null +++ b/tmpfiles-xl2tpd.conf @@ -0,0 +1 @@ +D /run/xl2tpd 0755 root root - diff --git a/xl2tpd-1.3.14-conf.patch b/xl2tpd-1.3.14-conf.patch new file mode 100644 index 0000000..8f70a3d --- /dev/null +++ b/xl2tpd-1.3.14-conf.patch @@ -0,0 +1,31 @@ +diff -Naur xl2tpd-1.3.14-orig/examples/ppp-options.xl2tpd xl2tpd-1.3.14/examples/ppp-options.xl2tpd +--- xl2tpd-1.3.14-orig/examples/ppp-options.xl2tpd 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/examples/ppp-options.xl2tpd 2019-09-24 20:47:35.056615746 -0400 +@@ -1,9 +1,11 @@ + ipcp-accept-local + ipcp-accept-remote +-ms-dns 192.168.1.1 +-ms-dns 192.168.1.3 +-ms-wins 192.168.1.2 +-ms-wins 192.168.1.4 ++ms-dns 8.8.8.8 ++ms-dns 1.1.1.1 ++# ms-dns 192.168.1.1 ++# ms-dns 192.168.1.3 ++# ms-wins 192.168.1.2 ++# ms-wins 192.168.1.4 + noccp + auth + crtscts +@@ -15,3 +17,11 @@ + lock + proxyarp + connect-delay 5000 ++# To allow authentication against a Windows domain EXAMPLE, and require the ++# user to be in a group "VPN Users". Requires the samba-winbind package ++# require-mschap-v2 ++# plugin winbind.so ++# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"' ++# You need to join the domain on the server, for example using samba: ++# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html ++ diff --git a/xl2tpd-1.3.14-kernelmode.patch b/xl2tpd-1.3.14-kernelmode.patch new file mode 100644 index 0000000..9f30914 --- /dev/null +++ b/xl2tpd-1.3.14-kernelmode.patch @@ -0,0 +1,18 @@ +diff -Naur xl2tpd-1.3.14-orig/xl2tpd.c xl2tpd-1.3.14/xl2tpd.c +--- xl2tpd-1.3.14-orig/xl2tpd.c 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/xl2tpd.c 2019-09-24 21:48:49.234308626 -0400 +@@ -277,14 +277,7 @@ + * OK...pppd died, we can go ahead and close the pty for + * it + */ +-#ifdef USE_KERNEL +- if (!kernel_support) { +- +-#endif + close (c->fd); +-#ifdef USE_KERNEL +- } +-#endif + c->fd = -1; + /* + * terminate tunnel and call loops, returning to the diff --git a/xl2tpd-1.3.14-md5-fips.patch b/xl2tpd-1.3.14-md5-fips.patch new file mode 100644 index 0000000..ed8304f --- /dev/null +++ b/xl2tpd-1.3.14-md5-fips.patch @@ -0,0 +1,468 @@ +diff -Naur xl2tpd-1.3.14-orig/aaa.c xl2tpd-1.3.14/aaa.c +--- xl2tpd-1.3.14-orig/aaa.c 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/aaa.c 2019-09-24 20:51:39.478952494 -0400 +@@ -21,6 +21,8 @@ + #include + #include "l2tp.h" + ++#include ++ + extern void bufferDump (char *, int); + + /* FIXME: Accounting? */ +@@ -273,11 +275,11 @@ + #endif + + memset (chal->response, 0, MD_SIG_SIZE); +- MD5Init (&chal->md5); +- MD5Update (&chal->md5, &chal->ss, 1); +- MD5Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); +- MD5Update (&chal->md5, chal->challenge, chal->chal_len); +- MD5Final (chal->response, &chal->md5); ++ MD5_Init (&chal->md5); ++ MD5_Update (&chal->md5, &chal->ss, 1); ++ MD5_Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); ++ MD5_Update (&chal->md5, chal->challenge, chal->chal_len); ++ MD5_Final (chal->response, &chal->md5); + #ifdef DEBUG_AUTH + l2tp_log (LOG_DEBUG, "response is %X%X%X%X to '%s' and %X%X%X%X, %d\n", + *((int *) &chal->response[0]), +@@ -392,12 +394,12 @@ + buf->len += length; + /* Back to the beginning of real data, including the original length AVP */ + +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, (void *) &attr, 2); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + + /* Though not a "MUST" in the spec, our subformat length is always a multiple of 16 */ + ptr = ((unsigned char *) new_hdr) + sizeof (struct avp_hdr); +@@ -421,11 +423,11 @@ + #endif + if (ptr < end) + { +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + } + previous_segment = ptr; + } +@@ -458,12 +460,12 @@ + that it will be padded to a 16 byte boundary, so we + have to be more careful than when encrypting */ + attr = ntohs (old_hdr->attr); +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, (void *) &attr, 2); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); ++ MD5_Final (digest, &t->chal_us.md5); + #ifdef DEBUG_HIDDEN + l2tp_log (LOG_DEBUG, "attribute is %d and challenge is: ", attr); + print_challenge (&t->chal_us); +@@ -474,11 +476,11 @@ + { + if (cnt >= MD_SIG_SIZE) + { +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_us.md5); + cnt = 0; + } + /* at the beginning of each segment, we save the current segment (16 octets or less) of cipher +diff -Naur xl2tpd-1.3.14-orig/aaa.h xl2tpd-1.3.14/aaa.h +--- xl2tpd-1.3.14-orig/aaa.h 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/aaa.h 2019-09-24 20:52:14.179531612 -0400 +@@ -15,7 +15,7 @@ + + #ifndef _AAA_H + #define _AAA_H +-#include "md5.h" ++#include + + #define ADDR_HASH_SIZE 256 + #define MD_SIG_SIZE 16 +@@ -34,7 +34,7 @@ + + struct challenge + { +- struct MD5Context md5; ++ MD5_CTX md5; + unsigned char ss; /* State we're sending in */ + unsigned char secret[MAXSTRLEN]; /* The shared secret */ + unsigned char *challenge; /* The original challenge */ +diff -Naur xl2tpd-1.3.14-orig/Makefile xl2tpd-1.3.14/Makefile +--- xl2tpd-1.3.14-orig/Makefile 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/Makefile 2019-09-24 20:53:02.420020643 -0400 +@@ -101,8 +101,8 @@ + IPFLAGS?= -DIP_ALLOCATION + + CFLAGS+= $(DFLAGS) -Os -Wall -Wextra -DSANITY $(OSFLAGS) $(IPFLAGS) +-HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h md5.h +-OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o md5.o ++HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h ++OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o + SRCS=${OBJS:.o=.c} ${HDRS} + CONTROL_SRCS=xl2tpd-control.c + #LIBS= $(OSLIBS) # -lefence # efence for malloc checking +@@ -121,7 +121,7 @@ + rm -f $(OBJS) $(EXEC) pfc.o pfc $(CONTROL_EXEC) + + $(EXEC): $(OBJS) $(HDRS) +- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS) ++ $(CC) $(LDFLAGS) -o $@ $(OBJS) -lcrypto $(LDLIBS) + + $(CONTROL_EXEC): $(CONTROL_SRCS) + $(CC) $(CFLAGS) $(LDFLAGS) $(CONTROL_SRCS) -o $@ +diff -Naur xl2tpd-1.3.14-orig/md5.c xl2tpd-1.3.14/md5.c +--- xl2tpd-1.3.14-orig/md5.c 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/md5.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,274 +0,0 @@ +-#ifdef FREEBSD +-# include +-#elif defined(OPENBSD) || defined(NETBSD) +-# define __BSD_VISIBLE 0 +-# include +-#elif defined(LINUX) +-# include +-#elif defined(SOLARIS) +-# include +-#endif +-#if __BYTE_ORDER == __BIG_ENDIAN +-#define HIGHFIRST 1 +-#endif +- +-/* +- * This code implements the MD5 message-digest algorithm. +- * The algorithm is due to Ron Rivest. This code was +- * written by Colin Plumb in 1993, no copyright is claimed. +- * This code is in the public domain; do with it what you wish. +- * +- * Equivalent code is available from RSA Data Security, Inc. +- * This code has been tested against that, and is equivalent, +- * except that you don't need to include two pages of legalese +- * with every copy. +- * +- * To compute the message digest of a chunk of bytes, declare an +- * MD5Context structure, pass it to MD5Init, call MD5Update as +- * needed on buffers full of bytes, and then call MD5Final, which +- * will fill a supplied 16-byte array with the digest. +- */ +-#include /* for memcpy() */ +-#include "md5.h" +- +-#ifndef HIGHFIRST +-#define byteReverse(buf, len) /* Nothing */ +-#else +-void byteReverse (unsigned char *buf, unsigned longs); +- +-#ifndef ASM_MD5 +-/* +- * Note: this code is harmless on little-endian machines. +- */ +-void byteReverse (unsigned char *buf, unsigned longs) +-{ +- uint32 t; +- do +- { +- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | +- ((unsigned) buf[1] << 8 | buf[0]); +- *(uint32 *) buf = t; +- buf += 4; +- } +- while (--longs); +-} +-#endif +-#endif +- +-/* +- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious +- * initialization constants. +- */ +-void MD5Init (struct MD5Context *ctx) +-{ +- ctx->buf[0] = 0x67452301; +- ctx->buf[1] = 0xefcdab89; +- ctx->buf[2] = 0x98badcfe; +- ctx->buf[3] = 0x10325476; +- +- ctx->bits[0] = 0; +- ctx->bits[1] = 0; +-} +- +-/* +- * Update context to reflect the concatenation of another buffer full +- * of bytes. +- */ +-void MD5Update (struct MD5Context *ctx, unsigned char const *buf, +- unsigned len) +-{ +- uint32 t; +- +- /* Update bitcount */ +- +- t = ctx->bits[0]; +- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) +- ctx->bits[1]++; /* Carry from low to high */ +- ctx->bits[1] += len >> 29; +- +- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ +- +- /* Handle any leading odd-sized chunks */ +- +- if (t) +- { +- unsigned char *p = (unsigned char *) ctx->in + t; +- +- t = 64 - t; +- if (len < t) +- { +- memcpy (p, buf, len); +- return; +- } +- memcpy (p, buf, t); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += t; +- len -= t; +- } +- /* Process data in 64-byte chunks */ +- +- while (len >= 64) +- { +- memcpy (ctx->in, buf, 64); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += 64; +- len -= 64; +- } +- +- /* Handle any remaining bytes of data. */ +- +- memcpy (ctx->in, buf, len); +-} +- +-/* +- * Final wrapup - pad to 64-byte boundary with the bit pattern +- * 1 0* (64-bit count of bits processed, MSB-first) +- */ +-void MD5Final (unsigned char digest[16], struct MD5Context *ctx) +-{ +- unsigned count; +- unsigned char *p; +- +- /* Compute number of bytes mod 64 */ +- count = (ctx->bits[0] >> 3) & 0x3F; +- +- /* Set the first char of padding to 0x80. This is safe since there is +- always at least one byte free */ +- p = ctx->in + count; +- *p++ = 0x80; +- +- /* Bytes of padding needed to make 64 bytes */ +- count = 64 - 1 - count; +- +- /* Pad out to 56 mod 64 */ +- if (count < 8) +- { +- /* Two lots of padding: Pad the first block to 64 bytes */ +- memset (p, 0, count); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- +- /* Now fill the next block with 56 bytes */ +- memset (ctx->in, 0, 56); +- } +- else +- { +- /* Pad block to 56 bytes */ +- memset (p, 0, count - 8); +- } +- byteReverse (ctx->in, 14); +- +- /* Append length in bits and transform */ +- memcpy(ctx->in + 14 * sizeof(uint32), ctx->bits, sizeof(ctx->bits)); +- +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- byteReverse ((unsigned char *) ctx->buf, 4); +- memcpy (digest, ctx->buf, 16); +- memset (ctx, 0, sizeof (*ctx)); /* In case it's sensitive */ +-} +- +-#ifndef ASM_MD5 +- +-/* The four core functions - F1 is optimized somewhat */ +- +-/* #define F1(x, y, z) (x & y | ~x & z) */ +-#define F1(x, y, z) (z ^ (x & (y ^ z))) +-#define F2(x, y, z) F1(z, x, y) +-#define F3(x, y, z) (x ^ y ^ z) +-#define F4(x, y, z) (y ^ (x | ~z)) +- +-/* This is the central step in the MD5 algorithm. */ +-#define MD5STEP(f, w, x, y, z, data, s) \ +- ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) +- +-/* +- * The core of the MD5 algorithm, this alters an existing MD5 hash to +- * reflect the addition of 16 longwords of new data. MD5Update blocks +- * the data and converts bytes into longwords for this routine. +- */ +-void MD5Transform (uint32 buf[4], uint32 const in[16]) +-{ +- register uint32 a, b, c, d; +- +- a = buf[0]; +- b = buf[1]; +- c = buf[2]; +- d = buf[3]; +- +- MD5STEP (F1, a, b, c, d, in[0] + 0xd76aa478, 7); +- MD5STEP (F1, d, a, b, c, in[1] + 0xe8c7b756, 12); +- MD5STEP (F1, c, d, a, b, in[2] + 0x242070db, 17); +- MD5STEP (F1, b, c, d, a, in[3] + 0xc1bdceee, 22); +- MD5STEP (F1, a, b, c, d, in[4] + 0xf57c0faf, 7); +- MD5STEP (F1, d, a, b, c, in[5] + 0x4787c62a, 12); +- MD5STEP (F1, c, d, a, b, in[6] + 0xa8304613, 17); +- MD5STEP (F1, b, c, d, a, in[7] + 0xfd469501, 22); +- MD5STEP (F1, a, b, c, d, in[8] + 0x698098d8, 7); +- MD5STEP (F1, d, a, b, c, in[9] + 0x8b44f7af, 12); +- MD5STEP (F1, c, d, a, b, in[10] + 0xffff5bb1, 17); +- MD5STEP (F1, b, c, d, a, in[11] + 0x895cd7be, 22); +- MD5STEP (F1, a, b, c, d, in[12] + 0x6b901122, 7); +- MD5STEP (F1, d, a, b, c, in[13] + 0xfd987193, 12); +- MD5STEP (F1, c, d, a, b, in[14] + 0xa679438e, 17); +- MD5STEP (F1, b, c, d, a, in[15] + 0x49b40821, 22); +- +- MD5STEP (F2, a, b, c, d, in[1] + 0xf61e2562, 5); +- MD5STEP (F2, d, a, b, c, in[6] + 0xc040b340, 9); +- MD5STEP (F2, c, d, a, b, in[11] + 0x265e5a51, 14); +- MD5STEP (F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); +- MD5STEP (F2, a, b, c, d, in[5] + 0xd62f105d, 5); +- MD5STEP (F2, d, a, b, c, in[10] + 0x02441453, 9); +- MD5STEP (F2, c, d, a, b, in[15] + 0xd8a1e681, 14); +- MD5STEP (F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); +- MD5STEP (F2, a, b, c, d, in[9] + 0x21e1cde6, 5); +- MD5STEP (F2, d, a, b, c, in[14] + 0xc33707d6, 9); +- MD5STEP (F2, c, d, a, b, in[3] + 0xf4d50d87, 14); +- MD5STEP (F2, b, c, d, a, in[8] + 0x455a14ed, 20); +- MD5STEP (F2, a, b, c, d, in[13] + 0xa9e3e905, 5); +- MD5STEP (F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); +- MD5STEP (F2, c, d, a, b, in[7] + 0x676f02d9, 14); +- MD5STEP (F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); +- +- MD5STEP (F3, a, b, c, d, in[5] + 0xfffa3942, 4); +- MD5STEP (F3, d, a, b, c, in[8] + 0x8771f681, 11); +- MD5STEP (F3, c, d, a, b, in[11] + 0x6d9d6122, 16); +- MD5STEP (F3, b, c, d, a, in[14] + 0xfde5380c, 23); +- MD5STEP (F3, a, b, c, d, in[1] + 0xa4beea44, 4); +- MD5STEP (F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); +- MD5STEP (F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); +- MD5STEP (F3, b, c, d, a, in[10] + 0xbebfbc70, 23); +- MD5STEP (F3, a, b, c, d, in[13] + 0x289b7ec6, 4); +- MD5STEP (F3, d, a, b, c, in[0] + 0xeaa127fa, 11); +- MD5STEP (F3, c, d, a, b, in[3] + 0xd4ef3085, 16); +- MD5STEP (F3, b, c, d, a, in[6] + 0x04881d05, 23); +- MD5STEP (F3, a, b, c, d, in[9] + 0xd9d4d039, 4); +- MD5STEP (F3, d, a, b, c, in[12] + 0xe6db99e5, 11); +- MD5STEP (F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); +- MD5STEP (F3, b, c, d, a, in[2] + 0xc4ac5665, 23); +- +- MD5STEP (F4, a, b, c, d, in[0] + 0xf4292244, 6); +- MD5STEP (F4, d, a, b, c, in[7] + 0x432aff97, 10); +- MD5STEP (F4, c, d, a, b, in[14] + 0xab9423a7, 15); +- MD5STEP (F4, b, c, d, a, in[5] + 0xfc93a039, 21); +- MD5STEP (F4, a, b, c, d, in[12] + 0x655b59c3, 6); +- MD5STEP (F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); +- MD5STEP (F4, c, d, a, b, in[10] + 0xffeff47d, 15); +- MD5STEP (F4, b, c, d, a, in[1] + 0x85845dd1, 21); +- MD5STEP (F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); +- MD5STEP (F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); +- MD5STEP (F4, c, d, a, b, in[6] + 0xa3014314, 15); +- MD5STEP (F4, b, c, d, a, in[13] + 0x4e0811a1, 21); +- MD5STEP (F4, a, b, c, d, in[4] + 0xf7537e82, 6); +- MD5STEP (F4, d, a, b, c, in[11] + 0xbd3af235, 10); +- MD5STEP (F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); +- MD5STEP (F4, b, c, d, a, in[9] + 0xeb86d391, 21); +- +- buf[0] += a; +- buf[1] += b; +- buf[2] += c; +- buf[3] += d; +-} +- +-#endif +diff -Naur xl2tpd-1.3.14-orig/md5.h xl2tpd-1.3.14/md5.h +--- xl2tpd-1.3.14-orig/md5.h 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/md5.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,29 +0,0 @@ +-#ifndef MD5_H +-#define MD5_H +- +-#ifdef __alpha +-typedef unsigned int uint32; +-#else +-#include +-typedef uint32_t uint32; +-#endif +- +-struct MD5Context +-{ +- uint32 buf[4]; +- uint32 bits[2]; +- unsigned char in[64]; +-}; +- +-void MD5Init (struct MD5Context *context); +-void MD5Update (struct MD5Context *context, unsigned char const *buf, +- unsigned len); +-void MD5Final (unsigned char digest[16], struct MD5Context *context); +-void MD5Transform (uint32 buf[4], uint32 const in[16]); +- +-/* +- * This is needed to make RSAREF happy on some MS-DOS compilers. +- */ +-typedef struct MD5Context MD5_CTX; +- +-#endif /* !MD5_H */ +diff -Naur xl2tpd-1.3.14-orig/xl2tpd.c xl2tpd-1.3.14/xl2tpd.c +--- xl2tpd-1.3.14-orig/xl2tpd.c 2019-04-17 12:23:39.000000000 -0400 ++++ xl2tpd-1.3.14/xl2tpd.c 2019-09-24 20:53:50.969512827 -0400 +@@ -1643,7 +1643,11 @@ + + + static void usage(void) { +- printf("\nxl2tpd version: %s\n", SERVER_VERSION); ++ printf("\nxl2tpd version: %s\n" ++"This product includes software developed by the OpenSSL Project for use\n" ++"in the OpenSSL Toolkit. (http://www.openssl.org/)\n" ++, SERVER_VERSION); ++ + printf("Usage: xl2tpd [-c ] [-s ] [-p ]\n" + " [-C ] [-D] [-l] [-q ]\n" + " [-v, --version]\n"); diff --git a/xl2tpd-1.3.6-conf.patch b/xl2tpd-1.3.6-conf.patch new file mode 100644 index 0000000..1976244 --- /dev/null +++ b/xl2tpd-1.3.6-conf.patch @@ -0,0 +1,40 @@ +diff -Naur xl2tpd-1.3.6-orig/examples/ppp-options.xl2tpd xl2tpd-1.3.6/examples/ppp-options.xl2tpd +--- xl2tpd-1.3.6-orig/examples/ppp-options.xl2tpd 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/examples/ppp-options.xl2tpd 2014-05-12 14:46:24.358653357 -0400 +@@ -1,9 +1,10 @@ + ipcp-accept-local + ipcp-accept-remote +-ms-dns 192.168.1.1 +-ms-dns 192.168.1.3 +-ms-wins 192.168.1.2 +-ms-wins 192.168.1.4 ++ms-dns 8.8.8.8 ++# ms-dns 192.168.1.1 ++# ms-dns 192.168.1.3 ++# ms-wins 192.168.1.2 ++# ms-wins 192.168.1.4 + noccp + auth + crtscts +@@ -15,3 +16,11 @@ + lock + proxyarp + connect-delay 5000 ++# To allow authentication against a Windows domain EXAMPLE, and require the ++# user to be in a group "VPN Users". Requires the samba-winbind package ++# require-mschap-v2 ++# plugin winbind.so ++# ntlm_auth-helper '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="EXAMPLE\\VPN Users"' ++# You need to join the domain on the server, for example using samba: ++# http://rootmanager.com/ubuntu-ipsec-l2tp-windows-domain-auth/setting-up-openswan-xl2tpd-with-native-windows-clients-lucid.html ++ +diff -Naur xl2tpd-1.3.6-orig/examples/README xl2tpd-1.3.6/examples/README +--- xl2tpd-1.3.6-orig/examples/README 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/examples/README 2014-05-12 14:46:59.168476547 -0400 +@@ -1,4 +1,4 @@ + These are example files for use with xl2tpd. + +-Openswan carries config examples for use with l2tp-over-ipsec. +-See http://www.openswan.org/ ++xl2tpd is often used in combination with libreswan to offer L2TP/IPsec ++See https://libreswan.org/ diff --git a/xl2tpd-1.3.6-md5-fips.patch b/xl2tpd-1.3.6-md5-fips.patch new file mode 100644 index 0000000..3ee8cc9 --- /dev/null +++ b/xl2tpd-1.3.6-md5-fips.patch @@ -0,0 +1,466 @@ +diff -Naur xl2tpd-1.3.6-orig/aaa.c xl2tpd-1.3.6/aaa.c +--- xl2tpd-1.3.6-orig/aaa.c 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/aaa.c 2014-05-12 15:01:05.936492449 -0400 +@@ -21,6 +21,8 @@ + #include + #include "l2tp.h" + ++#include ++ + extern void bufferDump (char *, int); + + /* FIXME: Accounting? */ +@@ -273,11 +275,11 @@ + #endif + + memset (chal->response, 0, MD_SIG_SIZE); +- MD5Init (&chal->md5); +- MD5Update (&chal->md5, &chal->ss, 1); +- MD5Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); +- MD5Update (&chal->md5, chal->challenge, chal->chal_len); +- MD5Final (chal->response, &chal->md5); ++ MD5_Init (&chal->md5); ++ MD5_Update (&chal->md5, &chal->ss, 1); ++ MD5_Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); ++ MD5_Update (&chal->md5, chal->challenge, chal->chal_len); ++ MD5_Final (chal->response, &chal->md5); + #ifdef DEBUG_AUTH + l2tp_log (LOG_DEBUG, "response is %X%X%X%X to '%s' and %X%X%X%X, %d\n", + *((int *) &chal->response[0]), +@@ -392,12 +394,12 @@ + buf->len += length; + /* Back to the beginning of real data, including the original length AVP */ + +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, (void *) &attr, 2); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + + /* Though not a "MUST" in the spec, our subformat length is always a multiple of 16 */ + ptr = ((unsigned char *) new_hdr) + sizeof (struct avp_hdr); +@@ -421,11 +423,11 @@ + #endif + if (ptr < end) + { +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + } + previous_segment = ptr; + } +@@ -458,12 +460,12 @@ + that it will be padded to a 16 byte boundary, so we + have to be more careful than when encrypting */ + attr = ntohs (old_hdr->attr); +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, (void *) &attr, 2); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); ++ MD5_Final (digest, &t->chal_us.md5); + #ifdef DEBUG_HIDDEN + l2tp_log (LOG_DEBUG, "attribute is %d and challenge is: ", attr); + print_challenge (&t->chal_us); +@@ -474,11 +476,11 @@ + { + if (cnt >= MD_SIG_SIZE) + { +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_us.md5); + cnt = 0; + } + /* at the beginning of each segment, we save the current segment (16 octets or less) of cipher +diff -Naur xl2tpd-1.3.6-orig/aaa.h xl2tpd-1.3.6/aaa.h +--- xl2tpd-1.3.6-orig/aaa.h 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/aaa.h 2014-05-12 15:02:39.262697808 -0400 +@@ -15,7 +15,7 @@ + + #ifndef _AAA_H + #define _AAA_H +-#include "md5.h" ++#include + + #define ADDR_HASH_SIZE 256 + #define MD_SIG_SIZE 16 +@@ -34,7 +34,7 @@ + + struct challenge + { +- struct MD5Context md5; ++ MD5_CTX md5; + unsigned char ss; /* State we're sending in */ + unsigned char secret[MAXSTRLEN]; /* The shared secret */ + unsigned char *challenge; /* The original challenge */ +diff -Naur xl2tpd-1.3.6-orig/Makefile xl2tpd-1.3.6/Makefile +--- xl2tpd-1.3.6-orig/Makefile 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/Makefile 2014-05-12 15:03:43.832223559 -0400 +@@ -92,8 +92,8 @@ + IPFLAGS?= -DIP_ALLOCATION + + CFLAGS+= $(DFLAGS) -O2 -fno-builtin -Wall -DSANITY $(OSFLAGS) $(IPFLAGS) +-HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h md5.h +-OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o md5.o ++HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h ++OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o + SRCS=${OBJS:.o=.c} ${HDRS} + CONTROL_SRCS=xl2tpd-control.c + #LIBS= $(OSLIBS) # -lefence # efence for malloc checking +@@ -112,7 +112,7 @@ + rm -f $(OBJS) $(EXEC) pfc.o pfc $(CONTROL_EXEC) + + $(EXEC): $(OBJS) $(HDRS) +- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS) ++ $(CC) $(LDFLAGS) -o $@ $(OBJS) -lcrypto $(LDLIBS) + + $(CONTROL_EXEC): $(CONTROL_SRCS) + $(CC) $(CFLAGS) $(LDFLAGS) $(CONTROL_SRCS) -o $@ +diff -Naur xl2tpd-1.3.6-orig/md5.c xl2tpd-1.3.6/md5.c +--- xl2tpd-1.3.6-orig/md5.c 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/md5.c 1969-12-31 19:00:00.000000000 -0500 +@@ -1,274 +0,0 @@ +-#ifdef FREEBSD +-# include +-#elif defined(OPENBSD) +-# define __BSD_VISIBLE 0 +-# include +-#elif defined(LINUX) +-# include +-#elif defined(SOLARIS) +-# include +-#endif +-#if __BYTE_ORDER == __BIG_ENDIAN +-#define HIGHFIRST 1 +-#endif +- +-/* +- * This code implements the MD5 message-digest algorithm. +- * The algorithm is due to Ron Rivest. This code was +- * written by Colin Plumb in 1993, no copyright is claimed. +- * This code is in the public domain; do with it what you wish. +- * +- * Equivalent code is available from RSA Data Security, Inc. +- * This code has been tested against that, and is equivalent, +- * except that you don't need to include two pages of legalese +- * with every copy. +- * +- * To compute the message digest of a chunk of bytes, declare an +- * MD5Context structure, pass it to MD5Init, call MD5Update as +- * needed on buffers full of bytes, and then call MD5Final, which +- * will fill a supplied 16-byte array with the digest. +- */ +-#include /* for memcpy() */ +-#include "md5.h" +- +-#ifndef HIGHFIRST +-#define byteReverse(buf, len) /* Nothing */ +-#else +-void byteReverse (unsigned char *buf, unsigned longs); +- +-#ifndef ASM_MD5 +-/* +- * Note: this code is harmless on little-endian machines. +- */ +-void byteReverse (unsigned char *buf, unsigned longs) +-{ +- uint32 t; +- do +- { +- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | +- ((unsigned) buf[1] << 8 | buf[0]); +- *(uint32 *) buf = t; +- buf += 4; +- } +- while (--longs); +-} +-#endif +-#endif +- +-/* +- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious +- * initialization constants. +- */ +-void MD5Init (struct MD5Context *ctx) +-{ +- ctx->buf[0] = 0x67452301; +- ctx->buf[1] = 0xefcdab89; +- ctx->buf[2] = 0x98badcfe; +- ctx->buf[3] = 0x10325476; +- +- ctx->bits[0] = 0; +- ctx->bits[1] = 0; +-} +- +-/* +- * Update context to reflect the concatenation of another buffer full +- * of bytes. +- */ +-void MD5Update (struct MD5Context *ctx, unsigned char const *buf, +- unsigned len) +-{ +- uint32 t; +- +- /* Update bitcount */ +- +- t = ctx->bits[0]; +- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) +- ctx->bits[1]++; /* Carry from low to high */ +- ctx->bits[1] += len >> 29; +- +- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ +- +- /* Handle any leading odd-sized chunks */ +- +- if (t) +- { +- unsigned char *p = (unsigned char *) ctx->in + t; +- +- t = 64 - t; +- if (len < t) +- { +- memcpy (p, buf, len); +- return; +- } +- memcpy (p, buf, t); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += t; +- len -= t; +- } +- /* Process data in 64-byte chunks */ +- +- while (len >= 64) +- { +- memcpy (ctx->in, buf, 64); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += 64; +- len -= 64; +- } +- +- /* Handle any remaining bytes of data. */ +- +- memcpy (ctx->in, buf, len); +-} +- +-/* +- * Final wrapup - pad to 64-byte boundary with the bit pattern +- * 1 0* (64-bit count of bits processed, MSB-first) +- */ +-void MD5Final (unsigned char digest[16], struct MD5Context *ctx) +-{ +- unsigned count; +- unsigned char *p; +- +- /* Compute number of bytes mod 64 */ +- count = (ctx->bits[0] >> 3) & 0x3F; +- +- /* Set the first char of padding to 0x80. This is safe since there is +- always at least one byte free */ +- p = ctx->in + count; +- *p++ = 0x80; +- +- /* Bytes of padding needed to make 64 bytes */ +- count = 64 - 1 - count; +- +- /* Pad out to 56 mod 64 */ +- if (count < 8) +- { +- /* Two lots of padding: Pad the first block to 64 bytes */ +- memset (p, 0, count); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- +- /* Now fill the next block with 56 bytes */ +- memset (ctx->in, 0, 56); +- } +- else +- { +- /* Pad block to 56 bytes */ +- memset (p, 0, count - 8); +- } +- byteReverse (ctx->in, 14); +- +- /* Append length in bits and transform */ +- memcpy(ctx->in + 14 * sizeof(uint32), ctx->bits, sizeof(ctx->bits)); +- +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- byteReverse ((unsigned char *) ctx->buf, 4); +- memcpy (digest, ctx->buf, 16); +- memset (ctx, 0, sizeof (ctx)); /* In case it's sensitive */ +-} +- +-#ifndef ASM_MD5 +- +-/* The four core functions - F1 is optimized somewhat */ +- +-/* #define F1(x, y, z) (x & y | ~x & z) */ +-#define F1(x, y, z) (z ^ (x & (y ^ z))) +-#define F2(x, y, z) F1(z, x, y) +-#define F3(x, y, z) (x ^ y ^ z) +-#define F4(x, y, z) (y ^ (x | ~z)) +- +-/* This is the central step in the MD5 algorithm. */ +-#define MD5STEP(f, w, x, y, z, data, s) \ +- ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) +- +-/* +- * The core of the MD5 algorithm, this alters an existing MD5 hash to +- * reflect the addition of 16 longwords of new data. MD5Update blocks +- * the data and converts bytes into longwords for this routine. +- */ +-void MD5Transform (uint32 buf[4], uint32 const in[16]) +-{ +- register uint32 a, b, c, d; +- +- a = buf[0]; +- b = buf[1]; +- c = buf[2]; +- d = buf[3]; +- +- MD5STEP (F1, a, b, c, d, in[0] + 0xd76aa478, 7); +- MD5STEP (F1, d, a, b, c, in[1] + 0xe8c7b756, 12); +- MD5STEP (F1, c, d, a, b, in[2] + 0x242070db, 17); +- MD5STEP (F1, b, c, d, a, in[3] + 0xc1bdceee, 22); +- MD5STEP (F1, a, b, c, d, in[4] + 0xf57c0faf, 7); +- MD5STEP (F1, d, a, b, c, in[5] + 0x4787c62a, 12); +- MD5STEP (F1, c, d, a, b, in[6] + 0xa8304613, 17); +- MD5STEP (F1, b, c, d, a, in[7] + 0xfd469501, 22); +- MD5STEP (F1, a, b, c, d, in[8] + 0x698098d8, 7); +- MD5STEP (F1, d, a, b, c, in[9] + 0x8b44f7af, 12); +- MD5STEP (F1, c, d, a, b, in[10] + 0xffff5bb1, 17); +- MD5STEP (F1, b, c, d, a, in[11] + 0x895cd7be, 22); +- MD5STEP (F1, a, b, c, d, in[12] + 0x6b901122, 7); +- MD5STEP (F1, d, a, b, c, in[13] + 0xfd987193, 12); +- MD5STEP (F1, c, d, a, b, in[14] + 0xa679438e, 17); +- MD5STEP (F1, b, c, d, a, in[15] + 0x49b40821, 22); +- +- MD5STEP (F2, a, b, c, d, in[1] + 0xf61e2562, 5); +- MD5STEP (F2, d, a, b, c, in[6] + 0xc040b340, 9); +- MD5STEP (F2, c, d, a, b, in[11] + 0x265e5a51, 14); +- MD5STEP (F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); +- MD5STEP (F2, a, b, c, d, in[5] + 0xd62f105d, 5); +- MD5STEP (F2, d, a, b, c, in[10] + 0x02441453, 9); +- MD5STEP (F2, c, d, a, b, in[15] + 0xd8a1e681, 14); +- MD5STEP (F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); +- MD5STEP (F2, a, b, c, d, in[9] + 0x21e1cde6, 5); +- MD5STEP (F2, d, a, b, c, in[14] + 0xc33707d6, 9); +- MD5STEP (F2, c, d, a, b, in[3] + 0xf4d50d87, 14); +- MD5STEP (F2, b, c, d, a, in[8] + 0x455a14ed, 20); +- MD5STEP (F2, a, b, c, d, in[13] + 0xa9e3e905, 5); +- MD5STEP (F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); +- MD5STEP (F2, c, d, a, b, in[7] + 0x676f02d9, 14); +- MD5STEP (F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); +- +- MD5STEP (F3, a, b, c, d, in[5] + 0xfffa3942, 4); +- MD5STEP (F3, d, a, b, c, in[8] + 0x8771f681, 11); +- MD5STEP (F3, c, d, a, b, in[11] + 0x6d9d6122, 16); +- MD5STEP (F3, b, c, d, a, in[14] + 0xfde5380c, 23); +- MD5STEP (F3, a, b, c, d, in[1] + 0xa4beea44, 4); +- MD5STEP (F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); +- MD5STEP (F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); +- MD5STEP (F3, b, c, d, a, in[10] + 0xbebfbc70, 23); +- MD5STEP (F3, a, b, c, d, in[13] + 0x289b7ec6, 4); +- MD5STEP (F3, d, a, b, c, in[0] + 0xeaa127fa, 11); +- MD5STEP (F3, c, d, a, b, in[3] + 0xd4ef3085, 16); +- MD5STEP (F3, b, c, d, a, in[6] + 0x04881d05, 23); +- MD5STEP (F3, a, b, c, d, in[9] + 0xd9d4d039, 4); +- MD5STEP (F3, d, a, b, c, in[12] + 0xe6db99e5, 11); +- MD5STEP (F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); +- MD5STEP (F3, b, c, d, a, in[2] + 0xc4ac5665, 23); +- +- MD5STEP (F4, a, b, c, d, in[0] + 0xf4292244, 6); +- MD5STEP (F4, d, a, b, c, in[7] + 0x432aff97, 10); +- MD5STEP (F4, c, d, a, b, in[14] + 0xab9423a7, 15); +- MD5STEP (F4, b, c, d, a, in[5] + 0xfc93a039, 21); +- MD5STEP (F4, a, b, c, d, in[12] + 0x655b59c3, 6); +- MD5STEP (F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); +- MD5STEP (F4, c, d, a, b, in[10] + 0xffeff47d, 15); +- MD5STEP (F4, b, c, d, a, in[1] + 0x85845dd1, 21); +- MD5STEP (F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); +- MD5STEP (F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); +- MD5STEP (F4, c, d, a, b, in[6] + 0xa3014314, 15); +- MD5STEP (F4, b, c, d, a, in[13] + 0x4e0811a1, 21); +- MD5STEP (F4, a, b, c, d, in[4] + 0xf7537e82, 6); +- MD5STEP (F4, d, a, b, c, in[11] + 0xbd3af235, 10); +- MD5STEP (F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); +- MD5STEP (F4, b, c, d, a, in[9] + 0xeb86d391, 21); +- +- buf[0] += a; +- buf[1] += b; +- buf[2] += c; +- buf[3] += d; +-} +- +-#endif +diff -Naur xl2tpd-1.3.6-orig/md5.h xl2tpd-1.3.6/md5.h +--- xl2tpd-1.3.6-orig/md5.h 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/md5.h 1969-12-31 19:00:00.000000000 -0500 +@@ -1,28 +0,0 @@ +-#ifndef MD5_H +-#define MD5_H +- +-#ifdef __alpha +-typedef unsigned int uint32; +-#else +-typedef unsigned long uint32; +-#endif +- +-struct MD5Context +-{ +- uint32 buf[4]; +- uint32 bits[2]; +- unsigned char in[64]; +-}; +- +-void MD5Init (struct MD5Context *context); +-void MD5Update (struct MD5Context *context, unsigned char const *buf, +- unsigned len); +-void MD5Final (unsigned char digest[16], struct MD5Context *context); +-void MD5Transform (uint32 buf[4], uint32 const in[16]); +- +-/* +- * This is needed to make RSAREF happy on some MS-DOS compilers. +- */ +-typedef struct MD5Context MD5_CTX; +- +-#endif /* !MD5_H */ +diff -Naur xl2tpd-1.3.6-orig/xl2tpd.c xl2tpd-1.3.6/xl2tpd.c +--- xl2tpd-1.3.6-orig/xl2tpd.c 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-1.3.6/xl2tpd.c 2014-05-12 14:58:58.903490392 -0400 +@@ -1310,7 +1310,10 @@ + + + void usage(void) { +- printf("\nxl2tpd version: %s\n", SERVER_VERSION); ++ printf("\nxl2tpd version: %s\n" ++"This product includes software developed by the OpenSSL Project for use\n" ++"in the OpenSSL Toolkit. (http://www.openssl.org/)\n" ++, SERVER_VERSION); + printf("Usage: xl2tpd [-c ] [-s ] [-p ]\n" + " [-C ] [-D]\n" + " [-v, --version]\n"); diff --git a/xl2tpd-1.3.6-saref.patch b/xl2tpd-1.3.6-saref.patch new file mode 100644 index 0000000..c0b2160 --- /dev/null +++ b/xl2tpd-1.3.6-saref.patch @@ -0,0 +1,36 @@ +diff -Naur xl2tpd-5619e1771048e74b729804e8602f409af0f3faea-orig/file.c xl2tpd-5619e1771048e74b729804e8602f409af0f3faea/file.c +--- xl2tpd-5619e1771048e74b729804e8602f409af0f3faea-orig/file.c 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-5619e1771048e74b729804e8602f409af0f3faea/file.c 2014-06-14 12:34:06.422355636 -0400 +@@ -42,6 +42,8 @@ + + gconfig.port = UDP_LISTEN_PORT; + gconfig.sarefnum = IP_IPSEC_REFINFO; /* default use the latest we know */ ++ gconfig.ipsecsaref = 0; /* default off - requires patched KLIPS kernel module */ ++ gconfig.forceuserspace = 0; /* default off - allow kernel decap of data packets */ + gconfig.listenaddr = htonl(INADDR_ANY); /* Default is to bind (listen) to all interfaces */ + gconfig.debug_avp = 0; + gconfig.debug_network = 0; +diff -Naur xl2tpd-5619e1771048e74b729804e8602f409af0f3faea-orig/network.c xl2tpd-5619e1771048e74b729804e8602f409af0f3faea/network.c +--- xl2tpd-5619e1771048e74b729804e8602f409af0f3faea-orig/network.c 2014-01-15 15:58:37.000000000 -0500 ++++ xl2tpd-5619e1771048e74b729804e8602f409af0f3faea/network.c 2014-06-14 12:37:06.953574143 -0400 +@@ -78,6 +78,12 @@ + * For L2TP/IPsec with KLIPSng, set the socket to receive IPsec REFINFO + * values. + */ ++ if (!gconfig.ipsecsaref) ++ { ++ l2tp_log (LOG_INFO, "Not looking for kernel SAref support.\n"); ++ } ++ else ++ { + arg=1; + if(setsockopt(server_socket, IPPROTO_IP, gconfig.sarefnum, + &arg, sizeof(arg)) != 0) { +@@ -85,6 +91,7 @@ + + gconfig.ipsecsaref=0; + } ++ } + + arg=1; + if(setsockopt(server_socket, IPPROTO_IP, IP_PKTINFO, (char*)&arg, sizeof(arg)) != 0) { diff --git a/xl2tpd-1.3.8-kernelmode.patch b/xl2tpd-1.3.8-kernelmode.patch new file mode 100644 index 0000000..9349a8c --- /dev/null +++ b/xl2tpd-1.3.8-kernelmode.patch @@ -0,0 +1,26 @@ +diff -Naur xl2tpd-1.3.8-orig/network.c xl2tpd-1.3.8/network.c +--- xl2tpd-1.3.8-orig/network.c 2016-08-24 11:56:13.438007170 -0400 ++++ xl2tpd-1.3.8/network.c 2016-08-24 12:22:36.945960487 -0400 +@@ -781,6 +781,9 @@ + sax.pppol2tp.addr.sin_family = AF_INET; + sax.pppol2tp.s_tunnel = t->ourtid; + sax.pppol2tp.d_tunnel = t->tid; ++ sax.pppol2tp.s_session = 0; ++ sax.pppol2tp.d_session = 0; ++ + if ((connect(fd2, (struct sockaddr *)&sax, sizeof(sax))) < 0) { + l2tp_log (LOG_WARNING, "%s: Unable to connect PPPoL2TP socket. %d %s\n", + __FUNCTION__, errno, strerror(errno)); +diff -Naur xl2tpd-1.3.8-orig/xl2tpd.c xl2tpd-1.3.8/xl2tpd.c +--- xl2tpd-1.3.8-orig/xl2tpd.c 2016-08-24 11:56:13.436007180 -0400 ++++ xl2tpd-1.3.8/xl2tpd.c 2016-08-24 12:07:47.057504872 -0400 +@@ -274,9 +274,6 @@ + * OK...pppd died, we can go ahead and close the pty for + * it + */ +-#ifdef USE_KERNEL +- if (!kernel_support) +-#endif + close (c->fd); + c->fd = -1; + /* diff --git a/xl2tpd-1.3.8-md5-fips.patch b/xl2tpd-1.3.8-md5-fips.patch new file mode 100644 index 0000000..bc4d965 --- /dev/null +++ b/xl2tpd-1.3.8-md5-fips.patch @@ -0,0 +1,467 @@ +diff -Naur xl2tpd-1.3.8-orig/aaa.c xl2tpd-1.3.8/aaa.c +--- xl2tpd-1.3.8-orig/aaa.c 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/aaa.c 2016-08-24 11:40:46.784683160 -0400 +@@ -21,6 +21,8 @@ + #include + #include "l2tp.h" + ++#include ++ + extern void bufferDump (char *, int); + + /* FIXME: Accounting? */ +@@ -273,11 +275,11 @@ + #endif + + memset (chal->response, 0, MD_SIG_SIZE); +- MD5Init (&chal->md5); +- MD5Update (&chal->md5, &chal->ss, 1); +- MD5Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); +- MD5Update (&chal->md5, chal->challenge, chal->chal_len); +- MD5Final (chal->response, &chal->md5); ++ MD5_Init (&chal->md5); ++ MD5_Update (&chal->md5, &chal->ss, 1); ++ MD5_Update (&chal->md5, chal->secret, strlen ((char *)chal->secret)); ++ MD5_Update (&chal->md5, chal->challenge, chal->chal_len); ++ MD5_Final (chal->response, &chal->md5); + #ifdef DEBUG_AUTH + l2tp_log (LOG_DEBUG, "response is %X%X%X%X to '%s' and %X%X%X%X, %d\n", + *((int *) &chal->response[0]), +@@ -392,12 +394,12 @@ + buf->len += length; + /* Back to the beginning of real data, including the original length AVP */ + +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, (void *) &attr, 2); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.vector, VECTOR_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + + /* Though not a "MUST" in the spec, our subformat length is always a multiple of 16 */ + ptr = ((unsigned char *) new_hdr) + sizeof (struct avp_hdr); +@@ -421,11 +423,11 @@ + #endif + if (ptr < end) + { +- MD5Init (&t->chal_them.md5); +- MD5Update (&t->chal_them.md5, t->chal_them.secret, ++ MD5_Init (&t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, t->chal_them.secret, + strlen ((char *)t->chal_them.secret)); +- MD5Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_them.md5); ++ MD5_Update (&t->chal_them.md5, previous_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_them.md5); + } + previous_segment = ptr; + } +@@ -458,12 +460,12 @@ + that it will be padded to a 16 byte boundary, so we + have to be more careful than when encrypting */ + attr = ntohs (old_hdr->attr); +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, (void *) &attr, 2); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, (void *) &attr, 2); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.vector, t->chal_us.vector_len); ++ MD5_Final (digest, &t->chal_us.md5); + #ifdef DEBUG_HIDDEN + l2tp_log (LOG_DEBUG, "attribute is %d and challenge is: ", attr); + print_challenge (&t->chal_us); +@@ -474,11 +476,11 @@ + { + if (cnt >= MD_SIG_SIZE) + { +- MD5Init (&t->chal_us.md5); +- MD5Update (&t->chal_us.md5, t->chal_us.secret, ++ MD5_Init (&t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, t->chal_us.secret, + strlen ((char *)t->chal_us.secret)); +- MD5Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); +- MD5Final (digest, &t->chal_us.md5); ++ MD5_Update (&t->chal_us.md5, saved_segment, MD_SIG_SIZE); ++ MD5_Final (digest, &t->chal_us.md5); + cnt = 0; + } + /* at the beginning of each segment, we save the current segment (16 octets or less) of cipher +diff -Naur xl2tpd-1.3.8-orig/aaa.h xl2tpd-1.3.8/aaa.h +--- xl2tpd-1.3.8-orig/aaa.h 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/aaa.h 2016-08-24 11:41:21.032506562 -0400 +@@ -15,7 +15,7 @@ + + #ifndef _AAA_H + #define _AAA_H +-#include "md5.h" ++#include + + #define ADDR_HASH_SIZE 256 + #define MD_SIG_SIZE 16 +@@ -34,7 +34,7 @@ + + struct challenge + { +- struct MD5Context md5; ++ MD5_CTX md5; + unsigned char ss; /* State we're sending in */ + unsigned char secret[MAXSTRLEN]; /* The shared secret */ + unsigned char *challenge; /* The original challenge */ +diff -Naur xl2tpd-1.3.8-orig/Makefile xl2tpd-1.3.8/Makefile +--- xl2tpd-1.3.8-orig/Makefile 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/Makefile 2016-08-24 11:42:18.389210804 -0400 +@@ -98,8 +98,8 @@ + IPFLAGS?= -DIP_ALLOCATION + + CFLAGS+= $(DFLAGS) -Os -Wall -DSANITY $(OSFLAGS) $(IPFLAGS) +-HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h md5.h +-OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o md5.o ++HDRS=l2tp.h avp.h misc.h control.h call.h scheduler.h file.h aaa.h ++OBJS=xl2tpd.o pty.o misc.o control.o avp.o call.o network.o avpsend.o scheduler.o file.o aaa.o + SRCS=${OBJS:.o=.c} ${HDRS} + CONTROL_SRCS=xl2tpd-control.c + #LIBS= $(OSLIBS) # -lefence # efence for malloc checking +@@ -119,7 +119,7 @@ + rm -f $(OBJS) $(EXEC) pfc.o pfc $(CONTROL_EXEC) + + $(EXEC): $(OBJS) $(HDRS) +- $(CC) $(LDFLAGS) -o $@ $(OBJS) $(LDLIBS) ++ $(CC) $(LDFLAGS) -o $@ $(OBJS) -lcrypto $(LDLIBS) + + $(CONTROL_EXEC): $(CONTROL_SRCS) + $(CC) $(CFLAGS) $(LDFLAGS) $(CONTROL_SRCS) -o $@ +diff -Naur xl2tpd-1.3.8-orig/md5.c xl2tpd-1.3.8/md5.c +--- xl2tpd-1.3.8-orig/md5.c 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/md5.c 2016-08-24 11:42:47.940058425 -0400 +@@ -1,274 +0,0 @@ +-#ifdef FREEBSD +-# include +-#elif defined(OPENBSD) || defined(NETBSD) +-# define __BSD_VISIBLE 0 +-# include +-#elif defined(LINUX) +-# include +-#elif defined(SOLARIS) +-# include +-#endif +-#if __BYTE_ORDER == __BIG_ENDIAN +-#define HIGHFIRST 1 +-#endif +- +-/* +- * This code implements the MD5 message-digest algorithm. +- * The algorithm is due to Ron Rivest. This code was +- * written by Colin Plumb in 1993, no copyright is claimed. +- * This code is in the public domain; do with it what you wish. +- * +- * Equivalent code is available from RSA Data Security, Inc. +- * This code has been tested against that, and is equivalent, +- * except that you don't need to include two pages of legalese +- * with every copy. +- * +- * To compute the message digest of a chunk of bytes, declare an +- * MD5Context structure, pass it to MD5Init, call MD5Update as +- * needed on buffers full of bytes, and then call MD5Final, which +- * will fill a supplied 16-byte array with the digest. +- */ +-#include /* for memcpy() */ +-#include "md5.h" +- +-#ifndef HIGHFIRST +-#define byteReverse(buf, len) /* Nothing */ +-#else +-void byteReverse (unsigned char *buf, unsigned longs); +- +-#ifndef ASM_MD5 +-/* +- * Note: this code is harmless on little-endian machines. +- */ +-void byteReverse (unsigned char *buf, unsigned longs) +-{ +- uint32 t; +- do +- { +- t = (uint32) ((unsigned) buf[3] << 8 | buf[2]) << 16 | +- ((unsigned) buf[1] << 8 | buf[0]); +- *(uint32 *) buf = t; +- buf += 4; +- } +- while (--longs); +-} +-#endif +-#endif +- +-/* +- * Start MD5 accumulation. Set bit count to 0 and buffer to mysterious +- * initialization constants. +- */ +-void MD5Init (struct MD5Context *ctx) +-{ +- ctx->buf[0] = 0x67452301; +- ctx->buf[1] = 0xefcdab89; +- ctx->buf[2] = 0x98badcfe; +- ctx->buf[3] = 0x10325476; +- +- ctx->bits[0] = 0; +- ctx->bits[1] = 0; +-} +- +-/* +- * Update context to reflect the concatenation of another buffer full +- * of bytes. +- */ +-void MD5Update (struct MD5Context *ctx, unsigned char const *buf, +- unsigned len) +-{ +- uint32 t; +- +- /* Update bitcount */ +- +- t = ctx->bits[0]; +- if ((ctx->bits[0] = t + ((uint32) len << 3)) < t) +- ctx->bits[1]++; /* Carry from low to high */ +- ctx->bits[1] += len >> 29; +- +- t = (t >> 3) & 0x3f; /* Bytes already in shsInfo->data */ +- +- /* Handle any leading odd-sized chunks */ +- +- if (t) +- { +- unsigned char *p = (unsigned char *) ctx->in + t; +- +- t = 64 - t; +- if (len < t) +- { +- memcpy (p, buf, len); +- return; +- } +- memcpy (p, buf, t); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += t; +- len -= t; +- } +- /* Process data in 64-byte chunks */ +- +- while (len >= 64) +- { +- memcpy (ctx->in, buf, 64); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- buf += 64; +- len -= 64; +- } +- +- /* Handle any remaining bytes of data. */ +- +- memcpy (ctx->in, buf, len); +-} +- +-/* +- * Final wrapup - pad to 64-byte boundary with the bit pattern +- * 1 0* (64-bit count of bits processed, MSB-first) +- */ +-void MD5Final (unsigned char digest[16], struct MD5Context *ctx) +-{ +- unsigned count; +- unsigned char *p; +- +- /* Compute number of bytes mod 64 */ +- count = (ctx->bits[0] >> 3) & 0x3F; +- +- /* Set the first char of padding to 0x80. This is safe since there is +- always at least one byte free */ +- p = ctx->in + count; +- *p++ = 0x80; +- +- /* Bytes of padding needed to make 64 bytes */ +- count = 64 - 1 - count; +- +- /* Pad out to 56 mod 64 */ +- if (count < 8) +- { +- /* Two lots of padding: Pad the first block to 64 bytes */ +- memset (p, 0, count); +- byteReverse (ctx->in, 16); +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- +- /* Now fill the next block with 56 bytes */ +- memset (ctx->in, 0, 56); +- } +- else +- { +- /* Pad block to 56 bytes */ +- memset (p, 0, count - 8); +- } +- byteReverse (ctx->in, 14); +- +- /* Append length in bits and transform */ +- memcpy(ctx->in + 14 * sizeof(uint32), ctx->bits, sizeof(ctx->bits)); +- +- MD5Transform (ctx->buf, (uint32 *) ctx->in); +- byteReverse ((unsigned char *) ctx->buf, 4); +- memcpy (digest, ctx->buf, 16); +- memset (ctx, 0, sizeof (*ctx)); /* In case it's sensitive */ +-} +- +-#ifndef ASM_MD5 +- +-/* The four core functions - F1 is optimized somewhat */ +- +-/* #define F1(x, y, z) (x & y | ~x & z) */ +-#define F1(x, y, z) (z ^ (x & (y ^ z))) +-#define F2(x, y, z) F1(z, x, y) +-#define F3(x, y, z) (x ^ y ^ z) +-#define F4(x, y, z) (y ^ (x | ~z)) +- +-/* This is the central step in the MD5 algorithm. */ +-#define MD5STEP(f, w, x, y, z, data, s) \ +- ( w += f(x, y, z) + data, w = w<>(32-s), w += x ) +- +-/* +- * The core of the MD5 algorithm, this alters an existing MD5 hash to +- * reflect the addition of 16 longwords of new data. MD5Update blocks +- * the data and converts bytes into longwords for this routine. +- */ +-void MD5Transform (uint32 buf[4], uint32 const in[16]) +-{ +- register uint32 a, b, c, d; +- +- a = buf[0]; +- b = buf[1]; +- c = buf[2]; +- d = buf[3]; +- +- MD5STEP (F1, a, b, c, d, in[0] + 0xd76aa478, 7); +- MD5STEP (F1, d, a, b, c, in[1] + 0xe8c7b756, 12); +- MD5STEP (F1, c, d, a, b, in[2] + 0x242070db, 17); +- MD5STEP (F1, b, c, d, a, in[3] + 0xc1bdceee, 22); +- MD5STEP (F1, a, b, c, d, in[4] + 0xf57c0faf, 7); +- MD5STEP (F1, d, a, b, c, in[5] + 0x4787c62a, 12); +- MD5STEP (F1, c, d, a, b, in[6] + 0xa8304613, 17); +- MD5STEP (F1, b, c, d, a, in[7] + 0xfd469501, 22); +- MD5STEP (F1, a, b, c, d, in[8] + 0x698098d8, 7); +- MD5STEP (F1, d, a, b, c, in[9] + 0x8b44f7af, 12); +- MD5STEP (F1, c, d, a, b, in[10] + 0xffff5bb1, 17); +- MD5STEP (F1, b, c, d, a, in[11] + 0x895cd7be, 22); +- MD5STEP (F1, a, b, c, d, in[12] + 0x6b901122, 7); +- MD5STEP (F1, d, a, b, c, in[13] + 0xfd987193, 12); +- MD5STEP (F1, c, d, a, b, in[14] + 0xa679438e, 17); +- MD5STEP (F1, b, c, d, a, in[15] + 0x49b40821, 22); +- +- MD5STEP (F2, a, b, c, d, in[1] + 0xf61e2562, 5); +- MD5STEP (F2, d, a, b, c, in[6] + 0xc040b340, 9); +- MD5STEP (F2, c, d, a, b, in[11] + 0x265e5a51, 14); +- MD5STEP (F2, b, c, d, a, in[0] + 0xe9b6c7aa, 20); +- MD5STEP (F2, a, b, c, d, in[5] + 0xd62f105d, 5); +- MD5STEP (F2, d, a, b, c, in[10] + 0x02441453, 9); +- MD5STEP (F2, c, d, a, b, in[15] + 0xd8a1e681, 14); +- MD5STEP (F2, b, c, d, a, in[4] + 0xe7d3fbc8, 20); +- MD5STEP (F2, a, b, c, d, in[9] + 0x21e1cde6, 5); +- MD5STEP (F2, d, a, b, c, in[14] + 0xc33707d6, 9); +- MD5STEP (F2, c, d, a, b, in[3] + 0xf4d50d87, 14); +- MD5STEP (F2, b, c, d, a, in[8] + 0x455a14ed, 20); +- MD5STEP (F2, a, b, c, d, in[13] + 0xa9e3e905, 5); +- MD5STEP (F2, d, a, b, c, in[2] + 0xfcefa3f8, 9); +- MD5STEP (F2, c, d, a, b, in[7] + 0x676f02d9, 14); +- MD5STEP (F2, b, c, d, a, in[12] + 0x8d2a4c8a, 20); +- +- MD5STEP (F3, a, b, c, d, in[5] + 0xfffa3942, 4); +- MD5STEP (F3, d, a, b, c, in[8] + 0x8771f681, 11); +- MD5STEP (F3, c, d, a, b, in[11] + 0x6d9d6122, 16); +- MD5STEP (F3, b, c, d, a, in[14] + 0xfde5380c, 23); +- MD5STEP (F3, a, b, c, d, in[1] + 0xa4beea44, 4); +- MD5STEP (F3, d, a, b, c, in[4] + 0x4bdecfa9, 11); +- MD5STEP (F3, c, d, a, b, in[7] + 0xf6bb4b60, 16); +- MD5STEP (F3, b, c, d, a, in[10] + 0xbebfbc70, 23); +- MD5STEP (F3, a, b, c, d, in[13] + 0x289b7ec6, 4); +- MD5STEP (F3, d, a, b, c, in[0] + 0xeaa127fa, 11); +- MD5STEP (F3, c, d, a, b, in[3] + 0xd4ef3085, 16); +- MD5STEP (F3, b, c, d, a, in[6] + 0x04881d05, 23); +- MD5STEP (F3, a, b, c, d, in[9] + 0xd9d4d039, 4); +- MD5STEP (F3, d, a, b, c, in[12] + 0xe6db99e5, 11); +- MD5STEP (F3, c, d, a, b, in[15] + 0x1fa27cf8, 16); +- MD5STEP (F3, b, c, d, a, in[2] + 0xc4ac5665, 23); +- +- MD5STEP (F4, a, b, c, d, in[0] + 0xf4292244, 6); +- MD5STEP (F4, d, a, b, c, in[7] + 0x432aff97, 10); +- MD5STEP (F4, c, d, a, b, in[14] + 0xab9423a7, 15); +- MD5STEP (F4, b, c, d, a, in[5] + 0xfc93a039, 21); +- MD5STEP (F4, a, b, c, d, in[12] + 0x655b59c3, 6); +- MD5STEP (F4, d, a, b, c, in[3] + 0x8f0ccc92, 10); +- MD5STEP (F4, c, d, a, b, in[10] + 0xffeff47d, 15); +- MD5STEP (F4, b, c, d, a, in[1] + 0x85845dd1, 21); +- MD5STEP (F4, a, b, c, d, in[8] + 0x6fa87e4f, 6); +- MD5STEP (F4, d, a, b, c, in[15] + 0xfe2ce6e0, 10); +- MD5STEP (F4, c, d, a, b, in[6] + 0xa3014314, 15); +- MD5STEP (F4, b, c, d, a, in[13] + 0x4e0811a1, 21); +- MD5STEP (F4, a, b, c, d, in[4] + 0xf7537e82, 6); +- MD5STEP (F4, d, a, b, c, in[11] + 0xbd3af235, 10); +- MD5STEP (F4, c, d, a, b, in[2] + 0x2ad7d2bb, 15); +- MD5STEP (F4, b, c, d, a, in[9] + 0xeb86d391, 21); +- +- buf[0] += a; +- buf[1] += b; +- buf[2] += c; +- buf[3] += d; +-} +- +-#endif +diff -Naur xl2tpd-1.3.8-orig/md5.h xl2tpd-1.3.8/md5.h +--- xl2tpd-1.3.8-orig/md5.h 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/md5.h 2016-08-24 11:42:51.182041708 -0400 +@@ -1,29 +0,0 @@ +-#ifndef MD5_H +-#define MD5_H +- +-#ifdef __alpha +-typedef unsigned int uint32; +-#else +-#include +-typedef uint32_t uint32; +-#endif +- +-struct MD5Context +-{ +- uint32 buf[4]; +- uint32 bits[2]; +- unsigned char in[64]; +-}; +- +-void MD5Init (struct MD5Context *context); +-void MD5Update (struct MD5Context *context, unsigned char const *buf, +- unsigned len); +-void MD5Final (unsigned char digest[16], struct MD5Context *context); +-void MD5Transform (uint32 buf[4], uint32 const in[16]); +- +-/* +- * This is needed to make RSAREF happy on some MS-DOS compilers. +- */ +-typedef struct MD5Context MD5_CTX; +- +-#endif /* !MD5_H */ +diff -Naur xl2tpd-1.3.8-orig/xl2tpd.c xl2tpd-1.3.8/xl2tpd.c +--- xl2tpd-1.3.8-orig/xl2tpd.c 2016-08-11 20:56:53.000000000 -0400 ++++ xl2tpd-1.3.8/xl2tpd.c 2016-08-24 11:43:37.704807118 -0400 +@@ -1630,7 +1630,10 @@ + + + void usage(void) { +- printf("\nxl2tpd version: %s\n", SERVER_VERSION); ++ printf("\nxl2tpd version: %s\n" ++"This product includes software developed by the OpenSSL Project for use\n" ++"in the OpenSSL Toolkit. (http://www.openssl.org/)\n" ++, SERVER_VERSION); + printf("Usage: xl2tpd [-c ] [-s ] [-p ]\n" + " [-C ] [-D] [-l]\n" + " [-v, --version]\n"); diff --git a/xl2tpd-1.3.8-saref.patch b/xl2tpd-1.3.8-saref.patch new file mode 100644 index 0000000..3cd9a23 --- /dev/null +++ b/xl2tpd-1.3.8-saref.patch @@ -0,0 +1,59 @@ +diff --git a/file.c b/file.c +index f61c221..a6362c0 100644 +--- a/file.c ++++ b/file.c +@@ -42,6 +42,8 @@ int init_config () + + gconfig.port = UDP_LISTEN_PORT; + gconfig.sarefnum = IP_IPSEC_REFINFO; /* default use the latest we know */ ++ gconfig.ipsecsaref = 0; /* default off - requires patched KLIPS kernel module */ ++ gconfig.forceuserspace = 0; /* default off - allow kernel decap of data packets */ + gconfig.listenaddr = htonl(INADDR_ANY); /* Default is to bind (listen) to all interfaces */ + gconfig.debug_avp = 0; + gconfig.debug_network = 0; +diff --git a/network.c b/network.c +index 543d30e..c66d1e3 100644 +--- a/network.c ++++ b/network.c +@@ -78,23 +78,27 @@ int init_network (void) + * For L2TP/IPsec with KLIPSng, set the socket to receive IPsec REFINFO + * values. + */ +- arg=1; +- if(setsockopt(server_socket, IPPROTO_IP, gconfig.sarefnum, +- &arg, sizeof(arg)) != 0) { +- l2tp_log(LOG_CRIT, "setsockopt recvref[%d]: %s\n", gconfig.sarefnum, strerror(errno)); +- +- gconfig.ipsecsaref=0; +- } +- +- arg=1; +- if(setsockopt(server_socket, IPPROTO_IP, IP_PKTINFO, (char*)&arg, sizeof(arg)) != 0) { +- l2tp_log(LOG_CRIT, "setsockopt IP_PKTINFO: %s\n", strerror(errno)); ++ if (!gconfig.ipsecsaref) ++ { ++ l2tp_log (LOG_INFO, "Not looking for kernel SAref support.\n"); + } +-#else ++ else + { +- l2tp_log(LOG_INFO, "No attempt being made to use IPsec SAref's since we're not on a Linux machine.\n"); ++ arg=1; ++ if(setsockopt(server_socket, IPPROTO_IP, gconfig.sarefnum, &arg, sizeof(arg)) != 0) { ++ l2tp_log(LOG_CRIT, "setsockopt recvref[%d]: %s\n", gconfig.sarefnum, strerror(errno)); ++ gconfig.ipsecsaref=0; ++ } ++ else ++ { ++ arg=1; ++ if(setsockopt(server_socket, IPPROTO_IP, IP_PKTINFO, (char*)&arg, sizeof(arg)) != 0) { ++ l2tp_log(LOG_CRIT, "setsockopt IP_PKTINFO: %s\n", strerror(errno)); ++ } ++ } + } +- ++#else ++ l2tp_log(LOG_INFO, "No attempt being made to use IPsec SAref's since we're not on a Linux machine.\n"); + #endif + + #ifdef USE_KERNEL diff --git a/xl2tpd.service b/xl2tpd.service new file mode 100644 index 0000000..082b4ff --- /dev/null +++ b/xl2tpd.service @@ -0,0 +1,16 @@ +[Unit] +Description=Level 2 Tunnel Protocol Daemon (L2TP) +After=network.target +After=ipsec.service +# Some ISPs in Russia use l2tp without IPsec, so don't insist anymore +#Wants=ipsec.service + +[Service] +Type=simple +PIDFile=/var/run/xl2tpd/xl2tpd.pid +ExecStartPre=/sbin/modprobe -q l2tp_ppp +ExecStart=/usr/sbin/xl2tpd -D +Restart=on-abort + +[Install] +WantedBy=multi-user.target diff --git a/xl2tpd.spec b/xl2tpd.spec new file mode 100644 index 0000000..0506f6d --- /dev/null +++ b/xl2tpd.spec @@ -0,0 +1,512 @@ +%global commit 5619e1771048e74b729804e8602f409af0f3faea + +Summary: Layer 2 Tunnelling Protocol Daemon (RFC 2661) +Name: xl2tpd +Version: 1.3.14 +Release: 1%{?dist} +License: GPL+ +Url: https://github.com/xelerance/xl2tpd/ +# upstream isn't using proper names, we manually rename v-VERSION.tar.gz to xl2tpd-VERSION.tar.gz +Source0: https://github.com/xelerance/xl2tpd/archive/xl2tpd-%{version}.tar.gz +Source1: xl2tpd.service +Source2: tmpfiles-xl2tpd.conf +Patch1: xl2tpd-1.3.14-conf.patch +Patch2: xl2tpd-1.3.14-md5-fips.patch +Patch3: xl2tpd-1.3.14-kernelmode.patch + +Requires: ppp >= 2.4.5-18, kmod(l2tp_ppp.ko) +# If you want to authenticate against a Microsoft PDC/Active Directory +# Requires: samba-winbind +BuildRequires: gcc +BuildRequires: libpcap-devel +BuildRequires: systemd-units +BuildRequires: openssl-devel +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +# dnf resolving prefers kernel-debug-modules-extra over kernel-modules-extra +Suggests: kernel-modules-extra + +%description +xl2tpd is an implementation of the Layer 2 Tunnelling Protocol (RFC 2661). +L2TP allows you to tunnel PPP over UDP. Some ISPs use L2TP to tunnel user +sessions from dial-in servers (modem banks, ADSL DSLAMs) to back-end PPP +servers. Another important application is Virtual Private Networks where +the IPsec protocol is used to secure the L2TP connection (L2TP/IPsec, +RFC 3193). The L2TP/IPsec protocol is mainly used by Windows and +Mac OS X clients. On Linux, xl2tpd can be used in combination with IPsec +implementations such as Openswan. +Example configuration files for such a setup are included in this RPM. + +xl2tpd works by opening a pseudo-tty for communicating with pppd. +It runs completely in userspace. + +xl2tpd supports IPsec SA Reference tracking to enable overlapping internak +NAT'ed IP's by different clients (eg all clients connecting from their +linksys internal IP 192.168.1.101) as well as multiple clients behind +the same NAT router. + +xl2tpd supports the pppol2tp kernel mode operations on 2.6.23 or higher, +or via a patch in contrib for 2.4.x kernels. + +Xl2tpd is based on the 0.69 L2TP by Jeff McAdams +It was de-facto maintained by Jacco de Leeuw in 2002 and 2003. + +%prep +%setup +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 + +%build +export CFLAGS="$CFLAGS -fPIC -Wall -DTRUST_PPPD_TO_DIE" +export DFLAGS="$RPM_OPT_FLAGS -g " +export LDFLAGS="$LDFLAGS -pie -Wl,-z,relro -Wl,-z,now" +# if extra debugging is needed, use: +# %make_build DFLAGS="$RPM_OPT_FLAGS -g -DDEBUG_HELLO -DDEBUG_CLOSE -DDEBUG_FLOW -DDEBUG_PAYLOAD -DDEBUG_CONTROL -DDEBUG_CONTROL_XMIT -DDEBUG_FLOW_MORE -DDEBUG_MAGIC -DDEBUG_ENTROPY -DDEBUG_HIDDEN -DDEBUG_PPPD -DDEBUG_AAA -DDEBUG_FILE -DDEBUG_FLOW -DDEBUG_HELLO -DDEBUG_CLOSE -DDEBUG_ZLB -DDEBUG_AUTH" +%make_build + +%install +make DESTDIR=%{buildroot} PREFIX=%{_prefix} install +install -d 0755 %{buildroot}%{_unitdir} +install -m 0644 %{SOURCE1} %{buildroot}%{_unitdir}/xl2tpd.service +mkdir -p %{buildroot}/%{_tmpfilesdir} +install -m 0644 %{SOURCE2} %{buildroot}/%{_tmpfilesdir}/%{name}.conf + +install -p -D -m644 examples/xl2tpd.conf %{buildroot}%{_sysconfdir}/xl2tpd/xl2tpd.conf +install -p -D -m644 examples/ppp-options.xl2tpd %{buildroot}%{_sysconfdir}/ppp/options.xl2tpd +install -p -D -m600 doc/l2tp-secrets.sample %{buildroot}%{_sysconfdir}/xl2tpd/l2tp-secrets +install -p -D -m600 examples/chapsecrets.sample %{buildroot}%{_sysconfdir}/ppp/chap-secrets.sample +install -p -D -m755 -d %{buildroot}%{_rundir}/xl2tpd + +%preun +%systemd_preun xl2tpd.service + +%post +%systemd_post xl2tpd.service + +%postun +%systemd_postun_with_restart xl2tpd.service + +%triggerun -- xl2td < 1.3.1-3 +# Save the current service runlevel info +# User must manually run systemd-sysv-convert --apply xl2tpd +# to migrate them to systemd targets +/usr/bin/systemd-sysv-convert --save xl2tpd >/dev/null 2>&1 ||: +# Run these because the SysV package being removed won't do them +/sbin/chkconfig --del xl2tpd >/dev/null 2>&1 || : +/bin/systemctl try-restart xl2tpd.service >/dev/null 2>&1 || : + +%files +%doc BUGS CHANGES CREDITS README.* TODO +%license LICENSE +%doc doc/README.patents examples/chapsecrets.sample +%{_sbindir}/xl2tpd +%{_sbindir}/xl2tpd-control +%{_bindir}/pfc +%{_mandir}/*/* +%dir %{_sysconfdir}/xl2tpd +%config(noreplace) %{_sysconfdir}/xl2tpd/* +%config(noreplace) %{_sysconfdir}/ppp/* +%dir %{_rundir}/xl2tpd +%{_unitdir}/%{name}.service +%{_tmpfilesdir}/%{name}.conf +%ghost %attr(0600,root,root) %{_rundir}/xl2tpd/l2tp-control + +%changelog +* Wed Sep 25 2019 Paul Wouters - 1.3.14-1 +- Resolves: rhbz#1322190 Updated to 1.3.14 +- Resolves: rhbz#1722121 Use proper /run directory +- Resolves: rhbz#1399648 Review Request: xl2tpd + +* Sat Jul 27 2019 Fedora Release Engineering - 1.3.8-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild + +* Sun Feb 03 2019 Fedora Release Engineering - 1.3.8-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild + +* Sat Jul 14 2018 Fedora Release Engineering - 1.3.8-8 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild + +* Sun Apr 01 2018 Paul Wouters - 1.3.8-7 +- Resolves: rhbz#1562512 kernels 4.15 and 4.16 break xl2tpd + +* Fri Feb 09 2018 Fedora Release Engineering - 1.3.8-6 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_28_Mass_Rebuild + +* Thu Aug 03 2017 Fedora Release Engineering - 1.3.8-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Binutils_Mass_Rebuild + +* Thu Jul 27 2017 Fedora Release Engineering - 1.3.8-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild + +* Sat Feb 11 2017 Fedora Release Engineering - 1.3.8-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild + +* Sun Jan 15 2017 Paul Wouters - 1.3.8-2 +- Very reluctantly add a Suggests: tag to work around dnf/kernel bug +- Resolves: rhbz#1192189 Both kernel-debug-core and kernel-core are installed + +* Wed Aug 24 2016 Paul Wouters - 1.3.8-1 +- Upgraded to 1.3.8 and updated existing patches still required +- Fix kernel mode breaking the closing tunnels + +* Fri Feb 05 2016 Fedora Release Engineering - 1.3.6-10 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild + +* Fri Jun 19 2015 Fedora Release Engineering - 1.3.6-9 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_23_Mass_Rebuild + +* Tue Mar 31 2015 Paul Wouters - 1.3.6-8 +- Bump EVR + +* Tue Mar 31 2015 Paul Wouters - 1.3.6-7 +- Rebuild with -DTRUST_PPPD_TO_DIE so pppd will execute its down script + +* Thu Aug 21 2014 Kevin Fenzi - 1.3.6-6 +- Rebuild for rpm bug 1131960 + +* Mon Aug 18 2014 Fedora Release Engineering - 1.3.6-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild + +* Sat Jun 14 2014 Paul Wouters - 1.3.6-4 +- Resolves rhbz#1109470 l2tpd/ipsec breaks when "ipsec saref" not set + +* Sun Jun 08 2014 Fedora Release Engineering - 1.3.6-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild + +* Wed May 14 2014 Josh Boyer +- Switch to using Requires on individual kernel modules +- Resolves rhbz#1056192 + +* Tue May 13 2014 Paul Wouters - 1.3.6-1 +- Updated to 1.3.6 - using github-only monstrosity packaging +- Resolves: rhbz#1051785 (new upstream version available) +- Resolves: rhbz#868391 xl2tpd sends response packets from wrong IP address +- Revert: rhbz#929447 Incorrect "ipparam" manipulation +- Resolves: rhbz#1055196 Don't order service after syslog.target +- Resolves: rhbz#984332 xl2tpd tmpfiles configuration file in wrong directory +- Removed patches merged in upstream. +- FIPS patch updated with advertising clause for openssl in xl2tpd -V + (although the GPL code was already basically taken from openssl) + +* Sun Aug 04 2013 Fedora Release Engineering - 1.3.1-14 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild + +* Mon Apr 01 2013 Paul Wouters - 1.3.1-13 +- rhbz#929447 - Fix ipparam so ipv6-up does not fail (Michal Bruncko) +- rhbz#850372 - Introduce new systemd-rpm macros in xl2tpd spec file +- Use relro,pie for compiling +- rhbz#947209 - Use openssl's MD5 function instead of private copy + (so FIPS restrictions work) + +* Fri Feb 15 2013 Fedora Release Engineering - 1.3.1-11 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Thu Jul 19 2012 Paul Wouters - 1.3.1-10 +- Updated comments in config files on how to authenticate against + a Windows PDC / Active Directory + +* Tue Jul 03 2012 Paul Wouters - 1.3.1-9 +- Rename non-existing openswan.service to ipsec.service (rhbz#836783) +- Start after ipsec.service, but do not require it + +* Tue Jun 26 2012 Paul Wouters - 1.3.1-8 +- The l2tp_ppp kernel module is now in kernel-module-extra + (rhbz#832149) +- Don't insist on openswan, some ISPS use L2TP without IPsec +- Don't call grantpt(), it's not needed and triggers SElinux + block (rhbz#834861) + +* Fri Jun 15 2012 Paul Wouters - 1.3.1-7 +- Moved modprobe code from daemon to initscript/systemd + (SElinux does not allow a daemon to do this, see rhbz#832149) + +* Tue Jun 12 2012 Paul Wouters - 1.3.1-6 +- Added patch for xl2tpd.conf to improve interop settings + (no longer need to say "no encryption" on Windows) +- Improved patch, more doc fixed (esp. "force userspace" option) +- don't use old version of if_pppol2tp.h + +* Wed Apr 18 2012 Paul Wouters - 1.3.1-5 +- Added support for CONFIG_PPPOL2TP by sigwall +- Require current ppp because some old versions lacked pppol2tp.so plugin + +* Thu Apr 05 2012 Paul Wouters - 1.3.1-4 +- Fix parse error on lines > 80 chars, rhbz#806963 + +* Tue Feb 28 2012 Paul Wouters - 1.3.1-3 +- Converted to systemd +- Added -Wunused patch to fix two minor warnings + +* Sat Jan 14 2012 Fedora Release Engineering - 1.3.1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Oct 06 2011 Paul Wouters - 1.3.1-1 +- Upgraded to 1.3.1 +- Use ghost for /var/run files + +* Sat Jul 23 2011 Paul Wouters - 1.3.0-1 +- Upgraded to 1.3.0 with better NetworkManager support +- Compiled without DEBUG per default to gain more performance +- Added xl2tpd-control + +* Wed Feb 23 2011 Paul Wouters - 1.2.8-1 +- Updated to 1.2.8 +- Add ghosting for l2tp pipe (bz#656725) + +* Mon Feb 07 2011 Fedora Release Engineering - 1.2.7-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Tue Nov 30 2010 Paul Wouters - 1.2.7-2 +- fix md5 of init script in sources + +* Tue Nov 30 2010 Paul Wouters - 1.2.7-1 +- Updated to 1.2.7 +- Added more DEBUG build options to the make command +- Minor cleanups + +* Sat Jan 09 2010 Paul Wouters - 1.2.5-2 +- Bump for EVR + +* Sat Jan 09 2010 Paul Wouters - 1.2.5-1 +- Upgraded to 1.2.5. (fixes interop with two Windows machines behind same NAT) +- Fix mix space/tab in spec file +- Added missing keyword Default-Stop + +* Mon Jul 27 2009 Fedora Release Engineering - 1.2.4-4 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Sun Mar 08 2009 Paul Wouters - 1.2.4-3 +- Bump version for tagging mistake + +* Sun Mar 08 2009 Paul Wouters - 1.2.4-2 +-Fix initscript for https://bugzilla.redhat.com/show_bug.cgi?id=247100 + +* Sun Mar 08 2009 Paul Wouters - 1.2.4-1 +- Upgraded to 1.2.4 +- Merged spec file with upstream + +* Thu Feb 26 2009 Fedora Release Engineering - 1.2.0-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_11_Mass_Rebuild + +* Thu Oct 9 2008 Paul Wouters - 1.2.0-1 +- Updated to new upstream release + +* Sat Sep 6 2008 Tom "spot" Callaway 1.1.12-3 +- fix license tag + +* Tue Feb 19 2008 Fedora Release Engineering - 1.1.12-2 +- Autorebuild for GCC 4.3 + +* Fri Oct 26 2007 Paul Wouters 1.1.12-1 +- Upgraded to new release upstream +- Removed l2tpd to xl2tpd migration in post + +* Wed Aug 29 2007 Fedora Release Engineering - 1.1.11-3 +- Rebuild for selinux ppc32 issue. + +* Sat Jul 28 2007 Paul Wouters 1.1.11-2 +- Upgraded to 1.1.11 +- Include new split README.* + +* Mon Mar 19 2007 Paul Wouters 1.1.09-1 +- Upgraded to 1.1.09 + +* Fri Feb 23 2007 Paul Wouters 1.1.08-2 +- Bump for EVR + +* Fri Feb 23 2007 Paul Wouters 1.1.08-1 +- Upgraded to 1.1.08 +- This works around the ppp-2.4.2-6.4 issue of not dying on SIGTERM + +* Tue Feb 20 2007 Paul Wouters 1.1.07-2 +- Fixed version usage in source macro + +* Tue Feb 20 2007 Paul Wouters 1.1.07-1 +- Upgraded to 1.1.07 +- Added /var/run/xl2tpd to the spec file so this pacakge + owns /var/run/xl2tpd + +* Thu Dec 7 2006 Paul Wouters 1.1.06-5 +- Changed space/tab replacing method + +* Wed Dec 6 2006 Paul Wouters 1.1.06-4 +- Added -p to keep original timestamps +- Added temporary hack to change space/tab in init file. +- Added /sbin/service dependancy + +* Tue Dec 5 2006 Paul Wouters 1.1.06-3 +- Added Requires(post) / Requires(preun) +- changed init file to create /var/run/xl2tpd fixed a tab/space +- changed control file to be within /var/run/xl2tpd/ + +* Tue Dec 5 2006 Paul Wouters 1.1.06-2 +- Changed Mr. Karlsen's name to not be a utf8 problem +- Fixed Obosoletes/Provides to be more specific wrt l2tpd. +- Added dist tag which accidentally got deleted. + +* Mon Dec 4 2006 Paul Wouters 1.1.06-1 +- Rebased spec file on Fedora Extras copy, but using xl2tpd as package name + +* Sun Nov 27 2005 Paul Wouters 0.69.20051030 +- Pulled up sourceforget.net CVS fixes. +- various debugging added, but debugging should not be on by default. +- async/sync conversion routines must be ready for possibility that the read + will block due to routing loops. +- refactor control socket handling. +- move all logic about pty usage to pty.c. Try ptmx first, if it fails try + legacy ptys +- rename log() to l2tp_log(), as "log" is a math function. +- if we aren't deamonized, then log to stderr. +- added install: and DESTDIR support. + +* Thu Oct 20 2005 Paul Wouters 0.69-13 +- Removed suse/mandrake specifics. Comply for Fedora Extras guidelines + +* Tue Jun 21 2005 Jacco de Leeuw 0.69-12jdl +- Added log() patch by Paul Wouters so that l2tpd compiles on FC4. + +* Sat Jun 4 2005 Jacco de Leeuw +- l2tpd.org has been hijacked. Project moved back to SourceForge: + http://l2tpd.sourceforge.net + +* Tue May 3 2005 Jacco de Leeuw +- Small Makefile fixes. Explicitly use gcc instead of cc. + Network services library was not linked on Solaris due to typo. + +* Thu Mar 17 2005 Jacco de Leeuw 0.69-11jdl +- Choosing between SysV or BSD style ptys is now configurable through + a compile-time boolean "unix98pty". + +* Fri Feb 4 2005 Jacco de Leeuw +- Added code from Roaring Penguin (rp-l2tp) to support SysV-style ptys. + Requires the N_HDLC kernel module. + +* Fri Nov 26 2004 Jacco de Leeuw +- Updated the README. + +* Wed Nov 10 2004 Jacco de Leeuw 0.69-10jdl +- Patch by Marald Klein and Roger Luethi. Fixes writing PID file. + (http://l2tpd.graffl.net/msg01790.html) + Long overdue. Rereleasing 10jdl. + +* Tue Nov 9 2004 Jacco de Leeuw 0.69-10jdl +- [SECURITY FIX] Added fix from Debian because of a bss-based + buffer overflow. + (http://www.mail-archive.com/l2tpd-devel@l2tpd.org/msg01071.html) +- Mandrake's FreeS/WAN, Openswan and Strongswan RPMS use configuration + directories /etc/{freeswan,openswan,strongswan}. Install our + configuration files to /etc/ipsec.d and create symbolic links in + those directories. + +* Wed Aug 18 2004 Jacco de Leeuw +- Removed 'leftnexthop=' lines. Not relevant for recent versions + of FreeS/WAN and derivates. + +* Tue Jan 20 2004 Jacco de Leeuw 0.69-9jdl +- Added "noccp" because of too much MPPE/CCP messages sometimes. + +* Wed Dec 31 2003 Jacco de Leeuw +- Added patch in order to prevent StopCCN messages. + +* Sat Aug 23 2003 Jacco de Leeuw +- MTU/MRU 1410 seems to be the lowest possible for MSL2TP. + For Windows 2000/XP it doesn't seem to matter. +- Typo in l2tpd.conf (192.168.128/25). + +* Fri Aug 8 2003 Jacco de Leeuw 0.69-8jdl +- Added MTU/MRU 1400 to options.l2tpd. I don't know the optimal + value but some apps had problems with the default value. + +* Fri Aug 1 2003 Jacco de Leeuw +- Added workaround for the missing hostname bug in the MSL2TP client + ('Specify your hostname', error 629: "You have been disconnected + from the computer you are dialing"). + +* Sun Jul 20 2003 Jacco de Leeuw 0.69-7jdl +- Added the "listen-addr" global parameter for l2tpd.conf. By + default, the daemon listens on *all* interfaces. Use + "listen-addr" if you want it to bind to one specific + IP address (interface), for security reasons. (See also: + http://www.jacco2.dds.nl/networking/freeswan-l2tp.html#Firewallwarning) +- Explained in l2tpd.conf that two different IP addresses should be + used for 'listen-addr' and 'local ip'. +- Modified init script. Upgrades should work better now. You + still need to start/chkconfig l2tpd manually. +- Renamed the example Openswan .conf files to better reflect + the situation. There are two variants using different portselectors. + Previously I thought Windows 2000/XP used portselector 17/0 + and the rest used 17/1701. But with the release of an updated + IPsec client by Microsoft, it turns out that 17/0 must have + been a mistake: the updated client now also uses 17/1701. + +* Thu Apr 10 2003 Jacco de Leeuw 0.69-6jdl +- Changed sample chap-secrets to be valid only for specific + IP addresses. + +* Thu Mar 13 2003 Bernhard Thoni +- Adjustments for SuSE8.x (thanks, Bernhard!) +- Added sample chap-secrets. + +* Thu Mar 6 2003 Jacco de Leeuw 0.69-5jdl +- Replaced Dominique's patch by Damion de Soto's, which does not + depend on the N_HDLC kernel module. + +* Wed Feb 26 2003 Jacco de Leeuw 0.69-4jdl +- Seperate example config files for Win9x (MSL2TP) and Win2K/XP + due to left/rightprotoport differences. + Fixing preun for Red Hat. + +* Mon Feb 3 2003 Jacco de Leeuw 0.69-3jdl +- Mandrake uses /etc/freeswan/ instead of /etc/ipsec.d/ + Error fixed: source6 was used for both PSK and CERT. + +* Wed Jan 29 2003 Jacco de Leeuw 0.69-3jdl +- Added Dominique Cressatti's pty patch in another attempt to + prevent the Windows 2000 Professional "loopback detected" error. + Seems to work! + +* Wed Dec 25 2002 Jacco de Leeuw 0.69-2jdl +- Added 'connect-delay' to PPP parameters in an attempt to + prevent the Windows 2000 Professional "loopback detected" error. + Didn't seem to work. + +* Fri Dec 13 2002 Jacco de Leeuw 0.69-1jdl +- Did not build on Red Hat 8.0. Solved by adding comments(?!). + Bug detected in spec file: chkconfig --list l2tpd does not work + on Red Hat 8.0. Not important enough to look into yet. + +* Sun Nov 17 2002 Jacco de Leeuw 0.69-1jdl +- Tested on Red Hat, required some changes. No gprintf. Used different + pty patch, otherwise wouldn't run. Added buildroot sanity check. + +* Sun Nov 10 2002 Jacco de Leeuw +- Specfile adapted from Mandrake Cooker. The original RPM can be + retrieved through: + http://www.rpmfind.net/linux/rpm2html/search.php?query=l2tpd +- Config path changed from /etc/l2tp/ to /etc/l2tpd/ + (Seems more logical and rp-l2tp already uses /etc/l2tp/). +- Do not run at boot or install. The original RPM uses a config file + which is completely commented out, but it still starts l2tpd on all + interfaces. Could be a security risk. This RPM does not start l2tpd, + the sysadmin has to edit the config file and start l2tpd explicitly. +- Renamed patches to start with l2tpd- +- Added dependencies for pppd, glibc-devel. +- Use %%{name} as much as possible. +- l2tp-secrets contains passwords, thus should not be world readable. +- Removed dependency on rpm-helper. + +* Mon Oct 21 2002 Lenny Cartier 0.69-3mdk +- from Per 0yvind Karlsen : + - PreReq and Requires + - Fix preun_service + +* Thu Oct 17 2002 Per 0yvind Karlsen 0.69-2mdk +- Move l2tpd from /usr/bin to /usr/sbin +- Added SysV initscript +- Patch0 +- Patch1 + +* Thu Oct 17 2002 Per 0yvind Karlsen 0.69-1mdk +- Initial release