* [ptxdist] [PATCH v3 0/5] mobile broadband software version bump
@ 2021-06-23 7:33 Alexander Dahl
  2021-06-23 7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
  ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw)
To: ptxdist

Hello everyone,

I just want to get out v3 of this series before end of the week. I had a question on networkmanager build option "polkit_agent_helper_1", which got no answer, maybe just answer on the reworked patch now?

Sorry for including people in Cc which provided those ppp patches to debian, I messed up in v2, will be more careful in the future.

Greets
Alex

v2 -> v3
--------

- networkmanager: adapted meson build options based on (my own) feedback in v2
- networkmanager: added patch 4/5 to enable 'more_logging' option

RFC -> v2
---------

- added patches 1–3 for libqmi, modemmanager, and networkmanager
- reworked patch 4 according to feedback from RFC/v1 series

Greets
Alex

Alexander Dahl (5):
  libqmi: version bump 1.28.2 -> 1.28.6
  modemmanager: version bump 1.16.2 -> 1.16.6
  networkmanager: version bump 1.26.2 -> 1.30.4
  networkmanager: Make "more logging" optional
  ppp: version bump 2.4.7 -> 2.4.9

...dev-don-t-use-autoptr-in-GUdev-types.patch | 127 - patches/ModemManager-1.16.2/series | 4 - patches/NetworkManager-1.26.2/series | 1 - ...d-generate_docs_nm_settings_nmcli-on.patch | 19 +- patches/NetworkManager-1.30.4/series | 4 + ...001-abort-on-errors-in-subdir-builds.patch | 48 - ...002-scripts-Avoid-killing-wrong-pppd.patch | 29 - ...tension-when-displaying-bytes-in-oct.patch | 30 - ...se-error-message-on-PPPoE-disconnect.patch | 33 - .../0005-Send-PADT-on-PPPoE-disconnect.patch | 36 - ...nt-buffer-overrun-on-remote-router-n.patch | 30 - .../0007-pppd-Fix-ccp_options.mppe-type.patch | 30 - ...en-calculated-size-if-both-deflate_c.patch | 33 - ...in-comment.-Diff-from-Yuuichi-Someya.patch | 24 - ...ount-only-relevant-lines-from-syslog.patch 
| 24 - ...-include-from-sys-errno.h-to-errno.h.patch | 33 - ...low-use-of-arbitrary-interface-names.patch | 214 -- ...Remove-unused-declaration-of-ttyname.patch | 25 - ...or-implementation-in-pppoe-discovery.patch | 52 - ...clude-netinet-in.h-before-linux-in.h.patch | 49 - patches/ppp-2.4.7/0016-adaptive_echos.patch | 72 - .../ppp-2.4.7/0017-Makefiles-cleanup.patch | 296 -- ...does-not-properly-close-dev-ppp-on-p.patch | 44 - ...inkpidfile-is-not-created-upon-detac.patch | 48 - ...smetic-cleanup-of-the-pppoatm-plugin.patch | 90 - patches/ppp-2.4.7/0023-pppoe_noads.patch | 25 - ...4-make-_PATH_CONNERRS-world-readable.patch | 27 - .../0025-Correct-unkown-unknown-typo.patch | 46 - .../0026-pppoe-custom-host-uniq-tag.patch | 302 -- .../0027-Add-replacedefaultroute-option.patch | 324 -- ...-for-the-Framed-MTU-Radius-attribute.patch | 42 - patches/ppp-2.4.7/0030-018_ip-up_option.patch | 106 - .../0031-ppp-2.4.2-stripMSdomain.patch | 47 - ...export-CALL_FILE-to-the-link-scripts.patch | 38 - .../ppp-2.4.7/0033-ipv6-accept-remote.patch | 73 - ...buffer-overflow-in-clientid.c-rc_map.patch | 43 - ...0037-Fix-buffer-overflow-in-rc_mksid.patch | 36 - ...P-TLS-authentication-support-for-PPP.patch | 3383 ----------------- ...-for-the-DES-instead-of-the-libcrypt.patch | 115 - patches/ppp-2.4.7/series | 46 - ...igure-Allow-commas-in-the-CFLAGS-220.patch | 28 + ...tion-with-older-glibc-or-kernel-head.patch | 55 + ...ilding-pppdump-with-the-system-zlib.patch} | 27 +- ...unneeded-code-in-the-pppoatm-plugin.patch} | 16 +- patches/ppp-2.4.9/0102-pppoe_noads.patch | 24 + ...ithub.com-paulusmack-ppp-issues-187.patch} | 69 +- .../0104-resolv.conf_no_log.patch} | 12 +- .../0105-Debian-specific-changes.patch} | 50 +- ...dored-hash-functions-with-libcrypto.patch} | 209 +- ...00-pppd-make-makefile-sysroot-aware.patch} | 34 +- ...the-self-made-configure-cross-aware.patch} | 10 +- patches/ppp-2.4.9/series | 17 + rules/libqmi.make | 4 +- rules/modemmanager.make | 4 +- rules/networkmanager.in | 6 
+ rules/networkmanager.make | 9 +- rules/ppp.make | 6 +- 57 files changed, 357 insertions(+), 6271 deletions(-) delete mode 100644 patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch delete mode 100644 patches/ModemManager-1.16.2/series delete mode 100644 patches/NetworkManager-1.26.2/series rename patches/{NetworkManager-1.26.2 => NetworkManager-1.30.4}/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch (67%) create mode 100644 patches/NetworkManager-1.30.4/series delete mode 100644 patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch delete mode 100644 patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch delete mode 100644 patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch delete mode 100644 patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch delete mode 100644 patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch delete mode 100644 patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch delete mode 100644 patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch delete mode 100644 patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch delete mode 100644 patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch delete mode 100644 patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch delete mode 100644 patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch delete mode 100644 patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch delete mode 100644 patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch delete mode 100644 patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch delete mode 100644 patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch delete mode 100644 patches/ppp-2.4.7/0016-adaptive_echos.patch delete mode 100644 
patches/ppp-2.4.7/0017-Makefiles-cleanup.patch delete mode 100644 patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch delete mode 100644 patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch delete mode 100644 patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch delete mode 100644 patches/ppp-2.4.7/0023-pppoe_noads.patch delete mode 100644 patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch delete mode 100644 patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch delete mode 100644 patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch delete mode 100644 patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch delete mode 100644 patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch delete mode 100644 patches/ppp-2.4.7/0030-018_ip-up_option.patch delete mode 100644 patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch delete mode 100644 patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch delete mode 100644 patches/ppp-2.4.7/0033-ipv6-accept-remote.patch delete mode 100644 patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch delete mode 100644 patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch delete mode 100644 patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch delete mode 100644 patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch delete mode 100644 patches/ppp-2.4.7/series create mode 100644 patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch create mode 100644 patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch rename patches/{ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch => ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch} (63%) rename patches/{ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch => 
ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch} (89%) create mode 100644 patches/ppp-2.4.9/0102-pppoe_noads.patch rename patches/{ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch => ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch} (72%) rename patches/{ppp-2.4.7/0035-resolv.conf_no_log.patch => ppp-2.4.9/0104-resolv.conf_no_log.patch} (56%) rename patches/{ppp-2.4.7/0036-Debian-specific-changes.patch => ppp-2.4.9/0105-Debian-specific-changes.patch} (62%) rename patches/{ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch => ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch} (92%) rename patches/{ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch => ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch} (63%) rename patches/{ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch => ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch} (87%) create mode 100644 patches/ppp-2.4.9/series base-commit: e1f0f2abd3116fdcb5e3e3211321aef801e959ff -- 2.30.2 _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de ^ permalink raw reply [flat|nested] 11+ messages in thread
* [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl @ 2021-06-23 7:33 ` Alexander Dahl 2021-06-29 5:09 ` [ptxdist] [APPLIED] " Michael Olbrich 2021-06-23 7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl ` (3 subsequent siblings) 4 siblings, 1 reply; 11+ messages in thread From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw) To: ptxdist Requirement for upcoming ModemManager version bump. Signed-off-by: Alexander Dahl <ada@thorsis.com> --- rules/libqmi.make | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/rules/libqmi.make b/rules/libqmi.make index d2d31ce18..5835f3fb1 100644 --- a/rules/libqmi.make +++ b/rules/libqmi.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBQMI) += libqmi # # Paths and names # -LIBQMI_VERSION := 1.28.2 -LIBQMI_MD5 := 825d7226e001cb2616e85d8a1e2a410f +LIBQMI_VERSION := 1.28.6 +LIBQMI_MD5 := 4361ff7eed22f9cd696b812947cd8813 LIBQMI := libqmi-$(LIBQMI_VERSION) LIBQMI_SUFFIX := tar.xz LIBQMI_URL := http://www.freedesktop.org/software/libqmi/$(LIBQMI).$(LIBQMI_SUFFIX) -- 2.30.2
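Review bot: the LIBQMI_URL context line at the end of the rules/libqmi.make hunk still downloads over plain http://, so the new LIBQMI_MD5 value is the only thing tying the build to the intended 1.28.6 tarball, and MD5 is not collision resistant. Since the version and hash lines are being touched anyway, switch the URL to https://www.freedesktop.org/software/libqmi/ (rules/modemmanager.make in patch 2/5 already uses https for the same host) and say in the commit message how the new hash was checked against upstream.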
* Re: [ptxdist] [APPLIED] libqmi: version bump 1.28.2 -> 1.28.6 2021-06-23 7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl @ 2021-06-29 5:09 ` Michael Olbrich 0 siblings, 0 replies; 11+ messages in thread From: Michael Olbrich @ 2021-06-29 5:09 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied as c9b767f77e2235b7ecad55c1a9f913572aabbc24. Michael [sent from post-receive hook] On Tue, 29 Jun 2021 07:09:30 +0200, Alexander Dahl <ada@thorsis.com> wrote: > Requirement for upcoming ModemManager version bump. > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20210623073309.23058-2-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/rules/libqmi.make b/rules/libqmi.make > index d2d31ce187bb..5835f3fb1e35 100644 > --- a/rules/libqmi.make > +++ b/rules/libqmi.make > @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBQMI) += libqmi > # > # Paths and names > # > -LIBQMI_VERSION := 1.28.2 > -LIBQMI_MD5 := 825d7226e001cb2616e85d8a1e2a410f > +LIBQMI_VERSION := 1.28.6 > +LIBQMI_MD5 := 4361ff7eed22f9cd696b812947cd8813 > LIBQMI := libqmi-$(LIBQMI_VERSION) > LIBQMI_SUFFIX := tar.xz > LIBQMI_URL := http://www.freedesktop.org/software/libqmi/$(LIBQMI).$(LIBQMI_SUFFIX)
* [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl 2021-06-23 7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl @ 2021-06-23 7:33 ` Alexander Dahl 2021-06-29 5:09 ` [ptxdist] [APPLIED] " Michael Olbrich 2021-06-23 7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl ` (2 subsequent siblings) 4 siblings, 1 reply; 11+ messages in thread From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw) To: ptxdist Patch gone upstream. Signed-off-by: Alexander Dahl <ada@thorsis.com> --- ...dev-don-t-use-autoptr-in-GUdev-types.patch | 127 ------------------ patches/ModemManager-1.16.2/series | 4 - rules/modemmanager.make | 4 +- 3 files changed, 2 insertions(+), 133 deletions(-) delete mode 100644 patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch delete mode 100644 patches/ModemManager-1.16.2/series diff --git a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch b/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch deleted file mode 100644 index 511b1693f..000000000 --- a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From: Aleksander Morgado <aleksander@aleksander.es> -Date: Tue, 23 Mar 2021 15:36:58 +0100 -Subject: [PATCH] kerneldevice,udev: don't use autoptr in GUdev types - -The autoptr support in all GUdev types was introduced in -commit 272533131c6ed38479a88805, included in libgudev 232. - -In the MM 1.16 branch we depend on libgudev 147, so avoid -implicitly bumping the required version. - -Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/349 ---- - src/kerneldevice/mm-kernel-device-udev.c | 30 +++++++++++++++++++++--------- - 1 file changed, 21 insertions(+), 9 deletions(-) - -diff --git a/src/kerneldevice/mm-kernel-device-udev.c b/src/kerneldevice/mm-kernel-device-udev.c -index f75104bd6b1c..a6bf1a71df88 100644 ---- a/src/kerneldevice/mm-kernel-device-udev.c -+++ b/src/kerneldevice/mm-kernel-device-udev.c -@@ -81,7 +81,7 @@ static void - preload_contents_platform (MMKernelDeviceUdev *self, - const gchar *platform) - { -- g_autoptr(GUdevDevice) iter = NULL; -+ GUdevDevice *iter; - - iter = g_object_ref (self->priv->device); - while (iter) { -@@ -102,17 +102,19 @@ preload_contents_platform (MMKernelDeviceUdev *self, - g_clear_object (&iter); - iter = parent; - } -+ -+ g_clear_object (&iter); - } - - static void - preload_contents_pcmcia (MMKernelDeviceUdev *self) - { -- g_autoptr(GUdevDevice) iter = NULL; -- gboolean pcmcia_subsystem_found = FALSE; -+ GUdevDevice *iter; -+ gboolean pcmcia_subsystem_found = FALSE; - - iter = g_object_ref (self->priv->device); - while (iter) { -- g_autoptr(GUdevDevice) parent = NULL; -+ GUdevDevice *parent; - - /* Store the first driver found */ - if (!self->priv->driver) -@@ -133,18 +135,21 @@ preload_contents_pcmcia (MMKernelDeviceUdev *self) - self->priv->product = udev_device_get_sysfs_attr_as_hex (iter, "card_id"); - self->priv->physdev = g_object_ref (iter); - /* stop traversing as soon as the physical device is found */ -+ g_clear_object (&parent); - break; - } - - g_clear_object (&iter); 
-- iter = g_steal_pointer (&parent); -+ iter = parent; - } -+ -+ g_clear_object (&iter); - } - - static void - preload_contents_pci (MMKernelDeviceUdev *self) - { -- g_autoptr(GUdevDevice) iter = NULL; -+ GUdevDevice *iter; - - iter = g_object_ref (self->priv->device); - while (iter) { -@@ -170,12 +175,14 @@ preload_contents_pci (MMKernelDeviceUdev *self) - g_clear_object (&iter); - iter = parent; - } -+ -+ g_clear_object (&iter); - } - - static void - preload_contents_usb (MMKernelDeviceUdev *self) - { -- g_autoptr(GUdevDevice) iter = NULL; -+ GUdevDevice *iter; - - iter = g_object_ref (self->priv->device); - while (iter) { -@@ -204,12 +211,14 @@ preload_contents_usb (MMKernelDeviceUdev *self) - g_clear_object (&iter); - iter = parent; - } -+ -+ g_clear_object (&iter); - } - - static gchar * - find_device_bus_subsystem (MMKernelDeviceUdev *self) - { -- g_autoptr(GUdevDevice) iter = NULL; -+ GUdevDevice *iter; - - iter = g_object_ref (self->priv->device); - while (iter) { -@@ -224,8 +233,10 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self) - (g_strcmp0 (subsys, "pci") == 0) || - (g_strcmp0 (subsys, "platform") == 0) || - (g_strcmp0 (subsys, "pnp") == 0) || -- (g_strcmp0 (subsys, "sdio") == 0)) -+ (g_strcmp0 (subsys, "sdio") == 0)) { -+ g_clear_object (&iter); - return g_strdup (subsys); -+ } - - parent = g_udev_device_get_parent (iter); - g_clear_object (&iter); -@@ -233,6 +244,7 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self) - } - - /* no more parents to check */ -+ g_clear_object (&iter); - return NULL; - } - diff --git a/patches/ModemManager-1.16.2/series b/patches/ModemManager-1.16.2/series deleted file mode 100644 index 073ee95c5..000000000 --- a/patches/ModemManager-1.16.2/series +++ /dev/null @@ -1,4 +0,0 @@ -# generated by git-ptx-patches -#tag:base --start-number 1 -0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch -# 7ee4df7afdcd7083fe59386d7e47c795 - git-ptx-patches magic 
diff --git a/rules/modemmanager.make b/rules/modemmanager.make index 18191583c..43d8e607e 100644 --- a/rules/modemmanager.make +++ b/rules/modemmanager.make @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_MODEMMANAGER) += modemmanager # # Paths and names # -MODEMMANAGER_VERSION := 1.16.2 -MODEMMANAGER_MD5 := 83c5fc0bf65b8f321532b61b5f2b0b51 +MODEMMANAGER_VERSION := 1.16.6 +MODEMMANAGER_MD5 := bde995400758db3a98c886608c2d5d9d MODEMMANAGER := ModemManager-$(MODEMMANAGER_VERSION) MODEMMANAGER_SUFFIX := tar.xz MODEMMANAGER_URL := https://www.freedesktop.org/software/ModemManager/$(MODEMMANAGER).$(MODEMMANAGER_SUFFIX) -- 2.30.2
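Review bot: the deletion of 0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch is justified only by "Patch gone upstream." in the commit message. That patch replaced g_autoptr(GUdevDevice) with explicit g_clear_object() calls so that the MM 1.16 branch keeps building against libgudev 147 instead of implicitly requiring 232; please name the upstream 1.16.x release or commit that contains it, so the drop can be verified against the libgudev version the BSP ships before the rules/modemmanager.make bump to 1.16.6 is relied on.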
* Re: [ptxdist] [APPLIED] modemmanager: version bump 1.16.2 -> 1.16.6 2021-06-23 7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl @ 2021-06-29 5:09 ` Michael Olbrich 0 siblings, 0 replies; 11+ messages in thread From: Michael Olbrich @ 2021-06-29 5:09 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied as b097d0c7211d8e1d7186b903c60ba3f63f9e9be5. Michael [sent from post-receive hook] On Tue, 29 Jun 2021 07:09:32 +0200, Alexander Dahl <ada@thorsis.com> wrote: > Patch gone upstream. > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20210623073309.23058-3-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch b/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch > deleted file mode 100644 > index 511b1693f7bb..000000000000 > --- a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch > +++ /dev/null 
> @@ -1,127 +0,0 @@ > -From: Aleksander Morgado <aleksander@aleksander.es> > -Date: Tue, 23 Mar 2021 15:36:58 +0100 > -Subject: [PATCH] kerneldevice,udev: don't use autoptr in GUdev types > - > -The autoptr support in all GUdev types was introduced in > -commit 272533131c6ed38479a88805, included in libgudev 232. > - > -In the MM 1.16 branch we depend on libgudev 147, so avoid > -implicitly bumping the required version. > - > -Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/349 > ---- > - src/kerneldevice/mm-kernel-device-udev.c | 30 +++++++++++++++++++++--------- > - 1 file changed, 21 insertions(+), 9 deletions(-) > - > -diff --git a/src/kerneldevice/mm-kernel-device-udev.c b/src/kerneldevice/mm-kernel-device-udev.c > -index f75104bd6b1c..a6bf1a71df88 100644 > ---- a/src/kerneldevice/mm-kernel-device-udev.c > -+++ b/src/kerneldevice/mm-kernel-device-udev.c > -@@ -81,7 +81,7 @@ static void > - preload_contents_platform (MMKernelDeviceUdev *self, > - const gchar *platform) > - { > -- g_autoptr(GUdevDevice) iter = NULL; > -+ GUdevDevice *iter; > - > - iter = g_object_ref (self->priv->device); > - while (iter) { > -@@ -102,17 +102,19 @@ preload_contents_platform (MMKernelDeviceUdev *self, > - g_clear_object (&iter); > - iter = parent; > - } > -+ > -+ g_clear_object (&iter); > - } > - > - static void > - preload_contents_pcmcia (MMKernelDeviceUdev *self) > - { > -- g_autoptr(GUdevDevice) iter = NULL; > -- gboolean pcmcia_subsystem_found = FALSE; > -+ GUdevDevice *iter; > -+ gboolean pcmcia_subsystem_found = FALSE; > - > - iter = g_object_ref (self->priv->device); > - while (iter) { > -- g_autoptr(GUdevDevice) parent = NULL; > -+ GUdevDevice *parent; > - > - /* Store the first driver found */ > - if (!self->priv->driver) > -@@ -133,18 +135,21 @@ preload_contents_pcmcia (MMKernelDeviceUdev *self) > - self->priv->product = udev_device_get_sysfs_attr_as_hex (iter, "card_id"); > - self->priv->physdev = g_object_ref (iter); > - /* stop traversing 
as soon as the physical device is found */ > -+ g_clear_object (&parent); > - break; > - } > - > - g_clear_object (&iter); > -- iter = g_steal_pointer (&parent); > -+ iter = parent; > - } > -+ > -+ g_clear_object (&iter); > - } > - > - static void > - preload_contents_pci (MMKernelDeviceUdev *self) > - { > -- g_autoptr(GUdevDevice) iter = NULL; > -+ GUdevDevice *iter; > - > - iter = g_object_ref (self->priv->device); > - while (iter) { > -@@ -170,12 +175,14 @@ preload_contents_pci (MMKernelDeviceUdev *self) > - g_clear_object (&iter); > - iter = parent; > - } > -+ > -+ g_clear_object (&iter); > - } > - > - static void > - preload_contents_usb (MMKernelDeviceUdev *self) > - { > -- g_autoptr(GUdevDevice) iter = NULL; > -+ GUdevDevice *iter; > - > - iter = g_object_ref (self->priv->device); > - while (iter) { > -@@ -204,12 +211,14 @@ preload_contents_usb (MMKernelDeviceUdev *self) > - g_clear_object (&iter); > - iter = parent; > - } > -+ > -+ g_clear_object (&iter); > - } > - > - static gchar * > - find_device_bus_subsystem (MMKernelDeviceUdev *self) > - { > -- g_autoptr(GUdevDevice) iter = NULL; > -+ GUdevDevice *iter; > - > - iter = g_object_ref (self->priv->device); > - while (iter) { > -@@ -224,8 +233,10 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self) > - (g_strcmp0 (subsys, "pci") == 0) || > - (g_strcmp0 (subsys, "platform") == 0) || > - (g_strcmp0 (subsys, "pnp") == 0) || > -- (g_strcmp0 (subsys, "sdio") == 0)) > -+ (g_strcmp0 (subsys, "sdio") == 0)) { > -+ g_clear_object (&iter); > - return g_strdup (subsys); > -+ } > - > - parent = g_udev_device_get_parent (iter); > - g_clear_object (&iter); > -@@ -233,6 +244,7 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self) > - } > - > - /* no more parents to check */ > -+ g_clear_object (&iter); > - return NULL; > - } > - > diff --git a/patches/ModemManager-1.16.2/series b/patches/ModemManager-1.16.2/series > deleted file mode 100644 > index 073ee95c575b..000000000000 
> --- a/patches/ModemManager-1.16.2/series > +++ /dev/null > @@ -1,4 +0,0 @@ > -# generated by git-ptx-patches > -#tag:base --start-number 1 > -0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch > -# 7ee4df7afdcd7083fe59386d7e47c795 - git-ptx-patches magic > diff --git a/rules/modemmanager.make b/rules/modemmanager.make > index 18191583cc99..43d8e607e910 100644 > --- a/rules/modemmanager.make > +++ b/rules/modemmanager.make > @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_MODEMMANAGER) += modemmanager > # > # Paths and names > # > -MODEMMANAGER_VERSION := 1.16.2 > -MODEMMANAGER_MD5 := 83c5fc0bf65b8f321532b61b5f2b0b51 > +MODEMMANAGER_VERSION := 1.16.6 > +MODEMMANAGER_MD5 := bde995400758db3a98c886608c2d5d9d > MODEMMANAGER := ModemManager-$(MODEMMANAGER_VERSION) > MODEMMANAGER_SUFFIX := tar.xz > MODEMMANAGER_URL := https://www.freedesktop.org/software/ModemManager/$(MODEMMANAGER).$(MODEMMANAGER_SUFFIX)
* [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl 2021-06-23 7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl 2021-06-23 7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl @ 2021-06-23 7:33 ` Alexander Dahl 2021-06-29 5:09 ` [ptxdist] [APPLIED] " Michael Olbrich 2021-06-23 7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl 2021-06-23 7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl 4 siblings, 1 reply; 11+ messages in thread From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw) To: ptxdist Signed-off-by: Alexander Dahl <ada@thorsis.com> --- Notes: v2 -> v3 -------- - Updated meson build options patches/NetworkManager-1.26.2/series | 1 - ...d-generate_docs_nm_settings_nmcli-on.patch | 19 +++++++++---------- patches/NetworkManager-1.30.4/series | 4 ++++ rules/networkmanager.make | 7 +++---- 4 files changed, 16 insertions(+), 15 deletions(-) delete mode 100644 patches/NetworkManager-1.26.2/series rename patches/{NetworkManager-1.26.2 => NetworkManager-1.30.4}/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch (67%) create mode 100644 patches/NetworkManager-1.30.4/series diff --git a/patches/NetworkManager-1.26.2/series b/patches/NetworkManager-1.26.2/series deleted file mode 100644 index b04ab9c47..000000000 --- a/patches/NetworkManager-1.26.2/series +++ /dev/null @@ -1 +0,0 @@ -0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch 
diff --git a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch similarity index 67% rename from patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch rename to patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch index db3c29643..ebc2816df 100644 --- a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch +++ b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch @@ -1,4 +1,3 @@ -From 5ddd262c1042ef2cd748b3b2a724d2e15f89b9fb Mon Sep 17 00:00:00 2001 From: Robert Schwebel <r.schwebel@pengutronix.de> Date: Sat, 25 Jul 2020 18:14:35 +0200 Subject: [PATCH] clients/cli: build generate_docs_nm_settings_nmcli only if @@ -10,10 +9,10 @@ Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> 1 file changed, 5 insertions(+) diff --git a/clients/cli/meson.build b/clients/cli/meson.build -index 517deffa6..2dada71f5 100644 +index f8e6a8236d4e..af57eedabfb9 100644 --- a/clients/cli/meson.build +++ b/clients/cli/meson.build -@@ -35,6 +35,9 @@ executable( +@@ -37,6 +37,9 @@ executable( endif @@ -23,12 +22,12 @@ index 517deffa6..2dada71f5 100644 generate_docs_nm_settings_nmcli = executable( 'generate-docs-nm-settings-nmcli', files( -@@ -56,3 +59,5 @@ generate_docs_nm_settings_nmcli_xml = custom_target( - command: [ generate_docs_nm_settings_nmcli ], - capture: true, +@@ -54,6 +57,8 @@ generate_docs_nm_settings_nmcli = executable( + link_depends: linker_script_binary, ) -+ + +endif --- -2.27.0 - ++ + if enable_docs + generate_docs_nm_settings_nmcli_xml = custom_target( + 'generate-docs-nm-settings-nmcli.xml', diff --git a/patches/NetworkManager-1.30.4/series b/patches/NetworkManager-1.30.4/series new file mode 100644 index 000000000..24a953ec8 --- /dev/null 
+++ b/patches/NetworkManager-1.30.4/series @@ -0,0 +1,4 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch +# c940234bc49ce84559747d716a7955c5 - git-ptx-patches magic diff --git a/rules/networkmanager.make b/rules/networkmanager.make index e2502b3f0..c39179f5b 100644 --- a/rules/networkmanager.make +++ b/rules/networkmanager.make @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_NETWORKMANAGER) += networkmanager # # Paths and names # -NETWORKMANAGER_VERSION := 1.26.2 -NETWORKMANAGER_MD5 := ad5332a7fe5d00db7c75b722337be62b +NETWORKMANAGER_VERSION := 1.30.4 +NETWORKMANAGER_MD5 := 8ce53a38356864832f7f10ad46fcde27 NETWORKMANAGER := NetworkManager-$(NETWORKMANAGER_VERSION) NETWORKMANAGER_SUFFIX := tar.xz NETWORKMANAGER_URL := $(call ptx/mirror, GNOME, NetworkManager/$(basename $(NETWORKMANAGER_VERSION))/$(NETWORKMANAGER).$(NETWORKMANAGER_SUFFIX)) @@ -57,7 +57,6 @@ NETWORKMANAGER_CONF_OPT = \ -Dintrospection=false \ -Diptables=/usr/sbin/iptables \ -Diwd=false \ - -Djson_validation=false \ -Dkernel_firmware_dir=/lib/firmware \ -Dld_gc=true \ -Dlibaudit=no \ @@ -73,7 +72,7 @@ NETWORKMANAGER_CONF_OPT = \ -Dofono=false \ -Dovs=false \ -Dpolkit=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_POLKIT) \ - -Dpolkit_agent=false \ + -Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1 \ -Dppp=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_PPP) \ -Dpppd=/usr/sbin/pppd \ -Dpppd_plugin_dir=$(PPP_SHARED_INST_PATH) \ -- 2.30.2
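Review bot: the commit message has no body, and the -57,7 +57,6 hunk of rules/networkmanager.make drops -Djson_validation=false without saying why. For a jump from 1.26.2 to 1.30.4, state in the message whether the option no longer exists upstream or is now deliberately left at its default, because the two cases mean different things for what ends up enabled in the image.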
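Review bot: in the -73,7 +72,7 hunk of rules/networkmanager.make, -Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1 is passed unconditionally with a hard-coded path, while -Dpolkit on the line above it depends on PTXCONF_NETWORKMANAGER_POLKIT. This is the option the cover letter asks about. Check that the path matches where the polkit package in ptxdist installs the helper, and add a comment saying what the value means when PTXCONF_NETWORKMANAGER_POLKIT is off, so that a mismatch in the path to an authentication helper is caught in review rather than on the target.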
* Re: [ptxdist] [APPLIED] networkmanager: version bump 1.26.2 -> 1.30.4 2021-06-23 7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl @ 2021-06-29 5:09 ` Michael Olbrich 0 siblings, 0 replies; 11+ messages in thread From: Michael Olbrich @ 2021-06-29 5:09 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied as 7baf74944ca16173de216387df591cbecc794e22. Michael [sent from post-receive hook] On Tue, 29 Jun 2021 07:09:33 +0200, Alexander Dahl <ada@thorsis.com> wrote: > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20210623073309.23058-4-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/patches/NetworkManager-1.26.2/series b/patches/NetworkManager-1.26.2/series > deleted file mode 100644 > index b04ab9c47a95..000000000000 > --- a/patches/NetworkManager-1.26.2/series > +++ /dev/null > @@ -1 +0,0 @@ > -0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > diff --git a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > similarity index 67% > rename from patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > rename to patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > index db3c2964380d..ebc2816dff0b 100644 > --- a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > +++ b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > @@ -1,4 +1,3 @@ > -From 5ddd262c1042ef2cd748b3b2a724d2e15f89b9fb Mon Sep 17 00:00:00 2001 > From: Robert Schwebel <r.schwebel@pengutronix.de> > Date: Sat, 25 Jul 2020 18:14:35 +0200 > Subject: [PATCH] clients/cli: build generate_docs_nm_settings_nmcli only if > @@ -10,10 +9,10 @@ 
Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de> > 1 file changed, 5 insertions(+) > > diff --git a/clients/cli/meson.build b/clients/cli/meson.build > -index 517deffa6..2dada71f5 100644 > +index f8e6a8236d4e..af57eedabfb9 100644 > --- a/clients/cli/meson.build > +++ b/clients/cli/meson.build > -@@ -35,6 +35,9 @@ executable( > +@@ -37,6 +37,9 @@ executable( > > endif > > @@ -23,12 +22,12 @@ index 517deffa6..2dada71f5 100644 > generate_docs_nm_settings_nmcli = executable( > 'generate-docs-nm-settings-nmcli', > files( > -@@ -56,3 +59,5 @@ generate_docs_nm_settings_nmcli_xml = custom_target( > - command: [ generate_docs_nm_settings_nmcli ], > - capture: true, > +@@ -54,6 +57,8 @@ generate_docs_nm_settings_nmcli = executable( > + link_depends: linker_script_binary, > ) > -+ > + > +endif > --- > -2.27.0 > - > ++ > + if enable_docs > + generate_docs_nm_settings_nmcli_xml = custom_target( > + 'generate-docs-nm-settings-nmcli.xml', > diff --git a/patches/NetworkManager-1.30.4/series b/patches/NetworkManager-1.30.4/series > new file mode 100644 > index 000000000000..24a953ec874d > --- /dev/null > +++ b/patches/NetworkManager-1.30.4/series > @@ -0,0 +1,4 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch > +# c940234bc49ce84559747d716a7955c5 - git-ptx-patches magic > diff --git a/rules/networkmanager.make b/rules/networkmanager.make > index e2502b3f0c2d..c39179f5b5d3 100644 > --- a/rules/networkmanager.make > +++ b/rules/networkmanager.make 
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_NETWORKMANAGER) += networkmanager > # > # Paths and names > # > -NETWORKMANAGER_VERSION := 1.26.2 > -NETWORKMANAGER_MD5 := ad5332a7fe5d00db7c75b722337be62b > +NETWORKMANAGER_VERSION := 1.30.4 > +NETWORKMANAGER_MD5 := 8ce53a38356864832f7f10ad46fcde27 > NETWORKMANAGER := NetworkManager-$(NETWORKMANAGER_VERSION) > NETWORKMANAGER_SUFFIX := tar.xz > NETWORKMANAGER_URL := $(call ptx/mirror, GNOME, NetworkManager/$(basename $(NETWORKMANAGER_VERSION))/$(NETWORKMANAGER).$(NETWORKMANAGER_SUFFIX)) > @@ -57,7 +57,6 @@ NETWORKMANAGER_CONF_OPT = \ > -Dintrospection=false \ > -Diptables=/usr/sbin/iptables \ > -Diwd=false \ > - -Djson_validation=false \ > -Dkernel_firmware_dir=/lib/firmware \ > -Dld_gc=true \ > -Dlibaudit=no \ > @@ -73,7 +72,7 @@ NETWORKMANAGER_CONF_OPT = \ > -Dofono=false \ > -Dovs=false \ > -Dpolkit=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_POLKIT) \ > - -Dpolkit_agent=false \ > + -Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1 \ > -Dppp=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_PPP) \ > -Dpppd=/usr/sbin/pppd \ > -Dpppd_plugin_dir=$(PPP_SHARED_INST_PATH) \ _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de ^ permalink raw reply [flat|nested] 11+ messages in thread
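Review bot: in the rules/networkmanager.make hunk at `@@ -73,7 +72,7 @@`, `-Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1` is passed unconditionally with a hard-coded path, while the line directly above makes `-Dpolkit=` depend on PTXCONF_NETWORKMANAGER_POLKIT. Please confirm that this is the path where the target's polkit package installs the helper, and add a short comment saying whether the value matters when polkit support is disabled. The commit message also has no body: one sentence on why `-Djson_validation=false` is dropped and `-Dpolkit_agent=false` is replaced would help anyone bisecting the 1.26.2 -> 1.30.4 bump.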
* [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional 2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl ` (2 preceding siblings ...) 2021-06-23 7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl @ 2021-06-23 7:33 ` Alexander Dahl 2021-06-29 5:09 ` [ptxdist] [APPLIED] " Michael Olbrich 2021-06-23 7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl 4 siblings, 1 reply; 11+ messages in thread From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw) To: ptxdist With build option "more_logging" set to false, it's not possible to enable loglevel "debug" in /etc/NetworkManager/NetworkManager.conf Signed-off-by: Alexander Dahl <ada@thorsis.com> --- rules/networkmanager.in | 6 ++++++ rules/networkmanager.make | 2 +- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/rules/networkmanager.in b/rules/networkmanager.in index 6c68d40cc..dae60a0c8 100644 --- a/rules/networkmanager.in +++ b/rules/networkmanager.in @@ -104,6 +104,12 @@ config NETWORKMANAGER_POLKIT bool prompt "polkit support" +config NETWORKMANAGER_MORE_LOGGING + bool + prompt "more logging" + help + Allows debug log level in NetworkManager.conf + endif menu "networkmanager plugins " diff --git a/rules/networkmanager.make b/rules/networkmanager.make index c39179f5b..022ed7178 100644 --- a/rules/networkmanager.make +++ b/rules/networkmanager.make 
@@ -64,7 +64,7 @@ NETWORKMANAGER_CONF_OPT = \ -Dmodem_manager=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_WWAN) \ -Dmodify_system=false \ -Dmore_asserts=no \ - -Dmore_logging=false \ + -Dmore_logging=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_MORE_LOGGING) \ -Dnetconfig=false \ -Dnm_cloud_setup=false \ -Dnmcli=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_NMCLI) \ -- 2.30.2
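Review bot: the new `config NETWORKMANAGER_MORE_LOGGING` entry in rules/networkmanager.in has a one-line help text that does not say what is lost when the option is off. The commit message already has the useful part: with `more_logging` set to false, loglevel "debug" cannot be enabled in /etc/NetworkManager/NetworkManager.conf. Moving that sentence into the help text, and naming the meson option `-Dmore_logging` it maps to, would save the next reader a trip through the commit log. With no `default` line the bool stays off unless selected, so existing configurations keep the previous `-Dmore_logging=false` behaviour; saying so in the help would make that intent explicit.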
* Re: [ptxdist] [APPLIED] networkmanager: Make "more logging" optional 2021-06-23 7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl @ 2021-06-29 5:09 ` Michael Olbrich 0 siblings, 0 replies; 11+ messages in thread From: Michael Olbrich @ 2021-06-29 5:09 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied as fe852c3f4dc34d2e11c641092d19de0d2b3bd5fa. Michael [sent from post-receive hook] On Tue, 29 Jun 2021 07:09:34 +0200, Alexander Dahl <ada@thorsis.com> wrote: > With build option "more_logging" set to false, it's not possible to > enable loglevel "debug" in /etc/NetworkManager/NetworkManager.conf > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20210623073309.23058-5-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/rules/networkmanager.in b/rules/networkmanager.in > index 6c68d40cc2d6..dae60a0c8d42 100644 > --- a/rules/networkmanager.in > +++ b/rules/networkmanager.in > @@ -104,6 +104,12 @@ config NETWORKMANAGER_POLKIT > bool > prompt "polkit support" > > +config NETWORKMANAGER_MORE_LOGGING > + bool > + prompt "more logging" > + help > + Allows debug log level in NetworkManager.conf > + > endif > > menu "networkmanager plugins " > diff --git a/rules/networkmanager.make b/rules/networkmanager.make > index c39179f5b5d3..022ed7178997 100644 > --- a/rules/networkmanager.make > +++ b/rules/networkmanager.make 
> @@ -64,7 +64,7 @@ NETWORKMANAGER_CONF_OPT = \ > -Dmodem_manager=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_WWAN) \ > -Dmodify_system=false \ > -Dmore_asserts=no \ > - -Dmore_logging=false \ > + -Dmore_logging=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_MORE_LOGGING) \ > -Dnetconfig=false \ > -Dnm_cloud_setup=false \ > -Dnmcli=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_NMCLI) \
* [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl ` (3 preceding siblings ...) 2021-06-23 7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl @ 2021-06-23 7:33 ` Alexander Dahl 2021-06-29 5:09 ` [ptxdist] [APPLIED] " Michael Olbrich 4 siblings, 1 reply; 11+ messages in thread From: Alexander Dahl @ 2021-06-23 7:33 UTC (permalink / raw) To: ptxdist - imported two post 2.4.9 upstream patches - imported Debian patches from package ppp (2.4.9-1+1) - adapted ptx patches 
Signed-off-by: Alexander Dahl <ada@thorsis.com> --- Notes: RFC -> v2 --------- - Used 'apply-debian' script to rework debian patch series Link: https://lore.ptxdist.org/ptxdist/20210616115355.GL839947@pengutronix.de/2-apply-debian ...001-abort-on-errors-in-subdir-builds.patch | 48 - ...002-scripts-Avoid-killing-wrong-pppd.patch | 29 - ...tension-when-displaying-bytes-in-oct.patch | 30 - ...se-error-message-on-PPPoE-disconnect.patch | 33 - .../0005-Send-PADT-on-PPPoE-disconnect.patch | 36 - ...nt-buffer-overrun-on-remote-router-n.patch | 30 - .../0007-pppd-Fix-ccp_options.mppe-type.patch | 30 - ...en-calculated-size-if-both-deflate_c.patch | 33 - ...in-comment.-Diff-from-Yuuichi-Someya.patch | 24 - ...ount-only-relevant-lines-from-syslog.patch | 24 - ...-include-from-sys-errno.h-to-errno.h.patch | 33 - ...low-use-of-arbitrary-interface-names.patch | 214 -- ...Remove-unused-declaration-of-ttyname.patch | 25 - ...or-implementation-in-pppoe-discovery.patch | 52 - ...clude-netinet-in.h-before-linux-in.h.patch | 49 - patches/ppp-2.4.7/0016-adaptive_echos.patch | 72 - .../ppp-2.4.7/0017-Makefiles-cleanup.patch | 296 -- ...does-not-properly-close-dev-ppp-on-p.patch | 44 - ...inkpidfile-is-not-created-upon-detac.patch | 48 - ...smetic-cleanup-of-the-pppoatm-plugin.patch | 90 - patches/ppp-2.4.7/0023-pppoe_noads.patch | 25 - ...4-make-_PATH_CONNERRS-world-readable.patch | 27 - .../0025-Correct-unkown-unknown-typo.patch | 46 - .../0026-pppoe-custom-host-uniq-tag.patch | 302 -- .../0027-Add-replacedefaultroute-option.patch | 324 -- ...-for-the-Framed-MTU-Radius-attribute.patch | 42 - patches/ppp-2.4.7/0030-018_ip-up_option.patch | 106 - .../0031-ppp-2.4.2-stripMSdomain.patch | 47 - ...export-CALL_FILE-to-the-link-scripts.patch | 38 - .../ppp-2.4.7/0033-ipv6-accept-remote.patch | 73 - ...buffer-overflow-in-clientid.c-rc_map.patch | 43 - ...0037-Fix-buffer-overflow-in-rc_mksid.patch | 36 - ...P-TLS-authentication-support-for-PPP.patch | 3383 ----------------- 
...-for-the-DES-instead-of-the-libcrypt.patch | 115 - patches/ppp-2.4.7/series | 46 - ...igure-Allow-commas-in-the-CFLAGS-220.patch | 28 + ...tion-with-older-glibc-or-kernel-head.patch | 55 + ...ilding-pppdump-with-the-system-zlib.patch} | 27 +- ...unneeded-code-in-the-pppoatm-plugin.patch} | 16 +- patches/ppp-2.4.9/0102-pppoe_noads.patch | 24 + ...ithub.com-paulusmack-ppp-issues-187.patch} | 69 +- .../0104-resolv.conf_no_log.patch} | 12 +- .../0105-Debian-specific-changes.patch} | 50 +- ...dored-hash-functions-with-libcrypto.patch} | 209 +- ...00-pppd-make-makefile-sysroot-aware.patch} | 34 +- ...the-self-made-configure-cross-aware.patch} | 10 +- patches/ppp-2.4.9/series | 17 + rules/ppp.make | 6 +- 48 files changed, 330 insertions(+), 6120 deletions(-) delete mode 100644 patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch delete mode 100644 patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch delete mode 100644 patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch delete mode 100644 patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch delete mode 100644 patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch delete mode 100644 patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch delete mode 100644 patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch delete mode 100644 patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch delete mode 100644 patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch delete mode 100644 patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch delete mode 100644 patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch delete mode 100644 patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch delete mode 100644 patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch delete mode 100644 
patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch delete mode 100644 patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch delete mode 100644 patches/ppp-2.4.7/0016-adaptive_echos.patch delete mode 100644 patches/ppp-2.4.7/0017-Makefiles-cleanup.patch delete mode 100644 patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch delete mode 100644 patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch delete mode 100644 patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch delete mode 100644 patches/ppp-2.4.7/0023-pppoe_noads.patch delete mode 100644 patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch delete mode 100644 patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch delete mode 100644 patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch delete mode 100644 patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch delete mode 100644 patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch delete mode 100644 patches/ppp-2.4.7/0030-018_ip-up_option.patch delete mode 100644 patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch delete mode 100644 patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch delete mode 100644 patches/ppp-2.4.7/0033-ipv6-accept-remote.patch delete mode 100644 patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch delete mode 100644 patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch delete mode 100644 patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch delete mode 100644 patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch delete mode 100644 patches/ppp-2.4.7/series create mode 100644 patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch create mode 100644 patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch rename 
patches/{ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch => ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch} (63%) rename patches/{ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch => ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch} (89%) create mode 100644 patches/ppp-2.4.9/0102-pppoe_noads.patch rename patches/{ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch => ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch} (72%) rename patches/{ppp-2.4.7/0035-resolv.conf_no_log.patch => ppp-2.4.9/0104-resolv.conf_no_log.patch} (56%) rename patches/{ppp-2.4.7/0036-Debian-specific-changes.patch => ppp-2.4.9/0105-Debian-specific-changes.patch} (62%) rename patches/{ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch => ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch} (92%) rename patches/{ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch => ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch} (63%) rename patches/{ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch => ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch} (87%) create mode 100644 patches/ppp-2.4.9/series diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch deleted file mode 100644 index c6a76ce65..000000000 --- a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch +++ /dev/null 
@@ -1,48 +0,0 @@ -From: Martin von Gagern <Martin.vGagern@gmx.net> -Date: Sat, 9 Aug 2014 22:44:45 -0400 -Subject: [PATCH] abort on errors in subdir builds - -The current recursive loops do not check the exit status of make -in subdirs which leads to `make` passing even when a subdir failed -to compile or install. - -URL: https://bugs.gentoo.org/334727 -Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net> -Signed-off-by: Mike Frysinger <vapier@gentoo.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/Makefile.linux | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index ab8cf50d9472..8a90e393a057 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -27,7 +27,7 @@ include .depend - endif - - all: $(PLUGINS) -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done - - %.so: %.c - $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ -@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) - install: $(PLUGINS) - $(INSTALL) -d $(LIBDIR) - $(INSTALL) $? $(LIBDIR) -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done - - clean: - rm -f *.o *.so *.a -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done - - depend: - $(CPP) -M $(CFLAGS) *.c >.depend -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch deleted file mode 100644 index dc24c228e..000000000 
--- a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch +++ /dev/null @@ -1,29 +0,0 @@ -From: radaiming <radaiming@gmail.com> -Date: Sat, 13 Dec 2014 14:42:34 +0800 -Subject: [PATCH] scripts: Avoid killing wrong pppd - - poff could kill other pppd processes when there are many pppd - running on different serial port. - - Signed-off-by: Ming Dai <radaiming@gmail.com> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - scripts/poff | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/poff b/scripts/poff -index 3f55a7f40010..5b45d98a2b6a 100644 ---- a/scripts/poff -+++ b/scripts/poff -@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then - fi - - # There is an argument, so kill the pppd started on that provider. --PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'` -+PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'` - if test -n "$PID" ; then - $KILL -$SIG $PID || { - echo "$0: $KILL failed. None ${DONE}." diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch deleted file mode 100644 index 2bd23b921..000000000 --- a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: "Philip A. Prindeville" <philipp@redfish-solutions.com> -Date: Fri, 19 Dec 2014 17:52:58 -0700 -Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal - -print_string() displays characters as \\%.03o but without first -casting it from "char" to "unsigned char" so it gets sign-extended -to an int. This causes output like \37777777630 instead of \230. - -Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/utils.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/utils.c b/pppd/utils.c -index 29bf970905d5..3ac1b60926d2 100644 ---- a/pppd/utils.c -+++ b/pppd/utils.c -@@ -625,7 +625,7 @@ print_string(p, len, printer, arg) - printer(arg, "\\t"); - break; - default: -- printer(arg, "\\%.3o", c); -+ printer(arg, "\\%.3o", (unsigned char) c); - } - } - } diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch deleted file mode 100644 index 6d4bd5c10..000000000 --- a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From: Simon Farnsworth <simon@farnz.org.uk> -Date: Sun, 1 Mar 2015 11:49:06 +0000 -Subject: [PATCH] Suppress false error message on PPPoE disconnect - -Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered -disconnect will result in EALREADY when pppd tries to clear the session ID. - -Simply ignore the error if, and only if, the error is EALREADY - -[1] https://patchwork.ozlabs.org/patch/444717/ - -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/plugin.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index a8c2bb4f4a6a..da50cdf2b9d3 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void) - memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ); - memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN); - if (connect(conn->sessionSocket, (struct sockaddr *) &sp, -- sizeof(struct sockaddr_pppox)) < 0) -+ sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY) - error("Failed to disconnect PPPoE socket: %d %m", errno); - close(conn->sessionSocket); - /* don't send PADT?? */ diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch deleted file mode 100644 index 28efdfc71..000000000 --- a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch +++ /dev/null 
@@ -1,36 +0,0 @@ -From: Simon Farnsworth <simon@farnz.org.uk> -Date: Sun, 1 Mar 2015 11:53:58 +0000 -Subject: [PATCH] Send PADT on PPPoE disconnect - -Once we've terminated the PPP session, there is no chance of a PPP layer -disconnect. Some PPPoE relays don't detect the PPP session going down, and -depend on a long timeout or a PPPoE PADT to terminate the session. - -Send a PADT on disconnect to work around these buggy relays. - -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/plugin.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index da50cdf2b9d3..c89be94250bc 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void) - sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY) - error("Failed to disconnect PPPoE socket: %d %m", errno); - close(conn->sessionSocket); -- /* don't send PADT?? */ -- if (conn->discoverySocket >= 0) -+ if (conn->discoverySocket >= 0) { -+ sendPADT(conn, NULL); - close(conn->discoverySocket); -+ } - } - - static void diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch deleted file mode 100644 index 7d98127c2..000000000 --- a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Paul Mackerras <paulus@samba.org> -Date: Fri, 14 Aug 2015 17:56:26 +1000 -Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name - -This fixes an if condition to prevent a possible 1-byte overrun -on ipxcp_hisoptions[0].name. - -Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ipxcp.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c -index 7b2343e15537..aaff10f76200 100644 ---- a/pppd/ipxcp.c -+++ b/pppd/ipxcp.c -@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree) - case IPX_ROUTER_NAME: - if (cilen >= CILEN_NAME) { - int name_size = cilen - CILEN_NAME; -- if (name_size > sizeof (ho->name)) -+ if (name_size >= sizeof (ho->name)) - name_size = sizeof (ho->name) - 1; - memset (ho->name, 0, sizeof (ho->name)); - memcpy (ho->name, p, name_size); diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch deleted file mode 100644 index 475edae24..000000000 --- a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch +++ /dev/null 
@@ -1,30 +0,0 @@ -From: Sylvain Rochet <gradator@gradator.net> -Date: Wed, 25 Mar 2015 00:25:18 +0100 -Subject: [PATCH] pppd: Fix ccp_options.mppe type - -This corrects the type of ccp_options.mppe; it is actually a bitfield of -MPPE_OPT_* and not a boolean. - -Signed-off-by: Sylvain Rochet <gradator@gradator.net> -Signed-off-by: Paul Mackerras <paulus@samba.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ccp.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/ccp.h b/pppd/ccp.h -index 6f4a2fee0a2c..76446db007c0 100644 ---- a/pppd/ccp.h -+++ b/pppd/ccp.h -@@ -37,7 +37,7 @@ typedef struct ccp_options { - bool predictor_2; /* do Predictor-2? */ - bool deflate_correct; /* use correct code for deflate? */ - bool deflate_draft; /* use draft RFC code for deflate? */ -- bool mppe; /* do MPPE? */ -+ u_char mppe; /* MPPE bitfield */ - u_short bsd_bits; /* # bits/code for BSD Compress */ - u_short deflate_size; /* lg(window size) for Deflate */ - short method; /* code for chosen compression method */ diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch deleted file mode 100644 index d73b4de32..000000000 --- a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch +++ /dev/null 
@@ -1,33 +0,0 @@ -From: Sylvain Rochet <gradator@gradator.net> -Date: Tue, 24 Mar 2015 21:21:40 +0100 -Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct - and deflate_draft are enabled - -This fixes a bug where ccp_cilen() will return 4 bytes less than -necessary for the addci buffer if both deflate_correct and -deflate_draft are enabled. - -Signed-off-by: Sylvain Rochet <gradator@gradator.net> -Signed-off-by: Paul Mackerras <paulus@samba.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ccp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/pppd/ccp.c b/pppd/ccp.c -index 5814f358eb44..7d7922afcfc0 100644 ---- a/pppd/ccp.c -+++ b/pppd/ccp.c -@@ -676,7 +676,8 @@ ccp_cilen(f) - ccp_options *go = &ccp_gotoptions[f->unit]; - - return (go->bsd_compress? CILEN_BSD_COMPRESS: 0) -- + (go->deflate? CILEN_DEFLATE: 0) -+ + (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0) -+ + (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0) - + (go->predictor_1? CILEN_PREDICTOR_1: 0) - + (go->predictor_2? CILEN_PREDICTOR_2: 0) - + (go->mppe? CILEN_MPPE: 0); diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch deleted file mode 100644 index 39af8cf33..000000000 --- a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch +++ /dev/null 
@@ -1,24 +0,0 @@ -From: YASUOKA Masahiko <yasuoka@yasuoka.net> -Date: Wed, 16 Mar 2016 13:39:19 +0900 -Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya. - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/fsm.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/fsm.c b/pppd/fsm.c -index c200cc3a8438..e9bd34f0e8f4 100644 ---- a/pppd/fsm.c -+++ b/pppd/fsm.c -@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len) - f->nakloops = 0; - - } else { -- /* we sent CONFACK or CONFREJ */ -+ /* we sent CONFNAK or CONFREJ */ - if (f->state != ACKRCVD) - f->state = REQSENT; - if( code == CONFNAK ) diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch deleted file mode 100644 index c9d56cdbb..000000000 --- a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch +++ /dev/null @@ -1,24 +0,0 @@ -From: Dmitry Deshevoy <mityada@gmail.com> -Date: Thu, 31 Mar 2016 23:39:32 +0400 -Subject: [PATCH] plog: count only relevant lines from syslog - -Closes paulusmack/ppp#42 - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - scripts/plog | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/scripts/plog b/scripts/plog -index 84d2c7340cc6..7cb53346413d 100644 ---- a/scripts/plog -+++ b/scripts/plog -@@ -3,5 +3,5 @@ - if [ -s /var/log/ppp.log ]; then - exec tail "$@" /var/log/ppp.log - else -- exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\[' -+ exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@" - fi diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch deleted file mode 100644 index ed313eeaa..000000000 
--- a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch +++ /dev/null @@ -1,33 +0,0 @@ -From: Stefan Nickl <Stefan.Nickl@gmail.com> -Date: Wed, 10 Aug 2016 21:32:21 +0200 -Subject: [PATCH] Change include from sys/errno.h to errno.h - -According to POSIX, the canonical location for errno.h is on the top level. - -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/sys-linux.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index e5e9baf8821f..908aa4f22297 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -73,12 +73,12 @@ - #include <sys/types.h> - #include <sys/socket.h> - #include <sys/time.h> --#include <sys/errno.h> - #include <sys/file.h> - #include <sys/stat.h> - #include <sys/utsname.h> - #include <sys/sysmacros.h> - -+#include <errno.h> - #include <stdio.h> - #include <stdlib.h> - #include <syslog.h> diff --git a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch deleted file mode 100644 index 26d56de1d..000000000 --- a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch +++ /dev/null 
@@ -1,214 +0,0 @@ -From: Paul Mackerras <paulus@samba.org> -Date: Tue, 23 Aug 2016 16:10:21 +1000 -Subject: [PATCH] pppd: allow use of arbitrary interface names - -This is a modified version of a patch from openSUSE that enables PPP interfaces -to be called arbitrary names, rather than simply pppX where X is the unit -number. - -The modifications from the stock openSUSE patch are: - refresh patch on top of 018_ip up_option.diff -- fix a printf format-string vulnerability in pppd/main.c:set_ifunit() -- clarify the pppd.8 manpage additions -- patch pppstats/pppstats.c to query renamed interfaces without complaint - -Origin: SUSE -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646 -Forwarded: no -Reviewed-by: Chris Boot <bootc@debian.org> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/main.c | 16 ++++++---------- - pppd/options.c | 5 +++++ - pppd/pppd.8 | 8 +++++++- - pppd/pppd.h | 11 +++++++++++ - pppd/sys-linux.c | 15 +++++++++++++++ - pppstats/pppstats.c | 12 ++++++------ - 6 files changed, 50 insertions(+), 17 deletions(-) - -diff --git a/pppd/main.c b/pppd/main.c -index 6d50d1bac1d9..f1986ed68d0b 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -124,7 +124,7 @@ - static const char rcsid[] = RCSID; - - /* interface vars */ --char ifname[32]; /* Interface name */ -+char ifname[MAXIFNAMELEN]; /* Interface name */ - int ifunit; /* Interface unit number */ - - struct channel *the_channel; -@@ -298,13 +298,6 @@ struct protent *protocols[] = { - NULL - }; - --/* -- * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name. 
-- */ --#if !defined(PPP_DRV_NAME) --#define PPP_DRV_NAME "ppp" --#endif /* !defined(PPP_DRV_NAME) */ -- - int - main(argc, argv) - int argc; -@@ -737,8 +730,11 @@ void - set_ifunit(iskey) - int iskey; - { -- info("Using interface %s%d", PPP_DRV_NAME, ifunit); -- slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit); -+ if (req_ifname[0] != '\0') -+ slprintf(ifname, sizeof(ifname), "%s", req_ifname); -+ else -+ slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit); -+ info("Using interface %s", ifname); - script_setenv("IFNAME", ifname, iskey); - if (iskey) { - create_pidfile(getpid()); /* write pid to file */ -diff --git a/pppd/options.c b/pppd/options.c -index f66b7657bc31..91da515ac533 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -114,6 +114,7 @@ char linkname[MAXPATHLEN]; /* logical name for link */ - bool tune_kernel; /* may alter kernel settings */ - int connect_delay = 1000; /* wait this many ms after connect script */ - int req_unit = -1; /* requested interface unit */ -+char req_ifname[MAXIFNAMELEN]; /* requested interface name */ - bool multilink = 0; /* Enable multilink operation */ - char *bundle_name = NULL; /* bundle name for multilink */ - bool dump_options; /* print out option values */ -@@ -283,6 +284,10 @@ option_t general_options[] = { - "PPP interface unit number to use if possible", - OPT_PRIO | OPT_LLIMIT, 0, 0 }, - -+ { "ifname", o_string, req_ifname, -+ "Set PPP interface name", -+ OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXIFNAMELEN }, -+ - { "dump", o_bool, &dump_options, - "Print out option values after parsing all options", 1 }, - { "dryrun", o_bool, &dryrun, -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index e2768b135273..64659cf867b2 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later. - .TP - .B unit \fInum - Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound --connections. -+connections. 
If the unit is already in use a dynamically allocated number will -+be used. -+.TP -+.B ifname \fIstring -+Set the ppp interface name for outbound connections. If the interface name is -+already in use, or if the name cannot be used for any other reason, pppd will -+terminate. - .TP - .B unset \fIname - Remove a variable from the environment variable for scripts that are -diff --git a/pppd/pppd.h b/pppd/pppd.h -index 247fa153739b..1a1bf0b99582 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -80,6 +80,16 @@ - #define MAXARGS 1 /* max # args to a command */ - #define MAXNAMELEN 256 /* max length of hostname or name for auth */ - #define MAXSECRETLEN 256 /* max length of password or secret */ -+#define MAXIFNAMELEN 32 /* max length of interface name; or use IFNAMSIZ, can we -+ always include net/if.h? */ -+ -+/* -+ * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name. -+ * Where should PPP_DRV_NAME come from? Do we include it here? -+ */ -+#if !defined(PPP_DRV_NAME) -+#define PPP_DRV_NAME "ppp" -+#endif /* !defined(PPP_DRV_NAME) */ - - /* - * Option descriptor structure. -@@ -318,6 +328,7 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */ - extern int connect_delay; /* Time to delay after connect script */ - extern int max_data_rate; /* max bytes/sec through charshunt */ - extern int req_unit; /* interface unit number to use */ -+extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */ - extern bool multilink; /* enable multilink operation */ - extern bool noendpoint; /* don't send or accept endpt. discrim. 
*/ - extern char *bundle_name; /* bundle name for multilink */ -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 908aa4f22297..9b2f293024ac 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -641,6 +641,21 @@ static int make_ppp_unit() - } - if (x < 0) - error("Couldn't create new ppp unit: %m"); -+ -+ if (x == 0 && req_ifname[0] != '\0') { -+ struct ifreq ifr; -+ char t[MAXIFNAMELEN]; -+ memset(&ifr, 0, sizeof(struct ifreq)); -+ slprintf(t, sizeof(t), "%s%d", PPP_DRV_NAME, ifunit); -+ strncpy(ifr.ifr_name, t, IF_NAMESIZE); -+ strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE); -+ x = ioctl(sock_fd, SIOCSIFNAME, &ifr); -+ if (x < 0) -+ error("Couldn't rename interface %s to %s: %m", t, req_ifname); -+ else -+ info("Renamed interface %s to %s", t, req_ifname); -+ } -+ - return x; - } - -diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c -index 6367988eb96b..46cb9c24942b 100644 ---- a/pppstats/pppstats.c -+++ b/pppstats/pppstats.c -@@ -88,7 +88,6 @@ int aflag; /* print absolute values, not deltas */ - int dflag; /* print data rates, not bytes */ - int interval, count; - int infinite; --int unit; - int s; /* socket or /dev/ppp file descriptor */ - int signalled; /* set if alarm goes off "early" */ - char *progname; -@@ -449,6 +448,7 @@ main(argc, argv) - { - int c; - #ifdef STREAMS -+ int unit; - char *dev; - #endif - -@@ -506,11 +506,6 @@ main(argc, argv) - if (argc > 0) - interface = argv[0]; - -- if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) { -- fprintf(stderr, "%s: invalid interface '%s' specified\n", -- progname, interface); -- } -- - #ifndef STREAMS - { - struct ifreq ifr; -@@ -535,6 +530,11 @@ main(argc, argv) - } - - #else /* STREAMS */ -+ if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) { -+ fprintf(stderr, "%s: invalid interface '%s' specified\n", -+ progname, interface); -+ } -+ - #ifdef __osf__ - dev = "/dev/streams/ppp"; - #else 
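Review bot: In the pppd/sys-linux.c part of 0012 (make_ppp_unit), `strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE);` silently truncates the requested name. req_ifname is sized MAXIFNAMELEN (32) while IF_NAMESIZE is 16 on Linux, and a name of 16 bytes or more leaves ifr_newname without a terminating NUL. set_ifunit() in pppd/main.c then formats the untruncated req_ifname into ifname and exports it through `script_setenv("IFNAME", ifname, iskey);`, so scripts can be handed a name the kernel never assigned. I would reject names with strlen >= IF_NAMESIZE when the option is parsed, or size MAXIFNAMELEN from IFNAMSIZ as the patch's own comment in pppd.h already considers. Separately, pppd.8 says pppd will terminate if the name cannot be used, but the rename failure path here only calls error() and returns x, so the caller needs to treat that as fatal. Since this series deletes the patch for the 2.4.9 bump, the commit message should say that the ifname option is still provided without it, and the same length handling is worth checking in the 2.4.9 code.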
diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch deleted file mode 100644 index 2199e7f7d..000000000 --- a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: George Burgess IV <george@gbiv.net> -Date: Fri, 9 Sep 2016 17:36:54 -0700 -Subject: [PATCH] pppd: Remove unused declaration of ttyname. - -Signed-off-by: George Burgess IV <george@gbiv.net> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/main.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/pppd/main.c b/pppd/main.c -index f1986ed68d0b..76b67d2485b7 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -257,7 +257,6 @@ static void cleanup_db __P((void)); - static void handle_events __P((void)); - void print_link_stats __P((void)); - --extern char *ttyname __P((int)); - extern char *getlogin __P((void)); - int main __P((int, char *[])); - diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch deleted file mode 100644 index 39fc3d4f6..000000000 --- a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch +++ /dev/null 
@@ -1,52 +0,0 @@ -From: Stefan Nickl <Stefan.Nickl@gmail.com> -Date: Wed, 10 Aug 2016 16:52:12 +0200 -Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery - -The pppoe-discovery program calls error() from the CHECK_ROOM macro -defined in pppoe.h. Since pppoe-discovery is a standalone program not -linked with the rest of pppd, the only way this could build is by -linking to glibc's proprietary error(3) function instead of the function -of the same name (but with different arguments) defined in pppd/utils.c. - -So with glibc this builds, but will probably crash when the assertion is -triggered. As the assertion is unlikely to fail, nobody has noticed. - -The build however fails with musl libc or uClibc since they don't -provide the doppelganger. - -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index 3d3bf4eecc81..55037dffb023 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -9,6 +9,7 @@ - * - */ - -+#include <stdarg.h> - #include <stdio.h> - #include <stdlib.h> - #include <unistd.h> -@@ -55,6 +56,14 @@ void die(int status) - exit(status); - } - -+void error(char *fmt, ...) -+{ -+ va_list pvar; -+ va_start(pvar, fmt); -+ vfprintf(stderr, fmt, pvar); -+ va_end(pvar); -+} -+ - /* Initialize frame types to RFC 2516 values. Some broken peers apparently - use different frame types... sigh... */ - diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch deleted file mode 100644 index b24e5ef58..000000000 
--- a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch +++ /dev/null @@ -1,49 +0,0 @@ -From: Lubomir Rintel <lkundrak@v3.sk> -Date: Mon, 9 Jan 2017 13:34:23 +0000 -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h - -This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be -included before <linux/in.h> otherwise the earlier, unaware of the latter, -tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work -alone anymore, since it pulls the headers in the wrong order, so we better -include <netinet/in.h> early. - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/pppoe.h | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index 9ab2eee3914c..c4aaa6e68856 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -47,6 +47,10 @@ - #include <sys/socket.h> - #endif - -+/* This has to be included before Linux 4.8's linux/in.h -+ * gets dragged in. */ -+#include <netinet/in.h> -+ - /* Ugly header files on some Linux boxes... */ - #if defined(HAVE_LINUX_IF_H) - #include <linux/if.h> -@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t; - #include <linux/if_ether.h> - #endif - --#include <netinet/in.h> -- - #ifdef HAVE_NETINET_IF_ETHER_H - #include <sys/types.h> - -@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t; - #endif - - -- - /* Ethernet frame types according to RFC 2516 */ - #define ETH_PPPOE_DISCOVERY 0x8863 - #define ETH_PPPOE_SESSION 0x8864 diff --git a/patches/ppp-2.4.7/0016-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch deleted file mode 100644 index c0f222824..000000000 --- a/patches/ppp-2.4.7/0016-adaptive_echos.patch +++ /dev/null 
@@ -1,72 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] adaptive_echos - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/lcp.c | 19 +++++++++++++++++++ - pppd/pppd.8 | 5 +++++ - 2 files changed, 24 insertions(+) - -diff --git a/pppd/lcp.c b/pppd/lcp.c -index 8ed2778bfb67..c97a64b7774f 100644 ---- a/pppd/lcp.c -+++ b/pppd/lcp.c -@@ -73,6 +73,7 @@ static void lcp_delayed_up __P((void *)); - */ - int lcp_echo_interval = 0; /* Interval between LCP echo-requests */ - int lcp_echo_fails = 0; /* Tolerance to unanswered echo-requests */ -+bool lcp_echo_adaptive = 0; /* request echo only if the link was idle */ - bool lax_recv = 0; /* accept control chars in asyncmap */ - bool noendpoint = 0; /* don't send/accept endpoint discriminator */ - -@@ -151,6 +152,8 @@ static option_t lcp_option_list[] = { - OPT_PRIO }, - { "lcp-echo-interval", o_int, &lcp_echo_interval, - "Set time in seconds between LCP echo requests", OPT_PRIO }, -+ { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive, -+ "Suppress LCP echo requests if traffic was received", 1 }, - { "lcp-restart", o_int, &lcp_fsm[0].timeouttime, - "Set time in seconds between LCP retransmissions", OPT_PRIO }, - { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits, -@@ -2331,6 +2334,22 @@ LcpSendEchoRequest (f) - } - } - -+ /* -+ * If adaptive echos have been enabled, only send the echo request if -+ * no traffic was received since the last one. -+ */ -+ if (lcp_echo_adaptive) { -+ static unsigned int last_pkts_in = 0; -+ -+ update_link_stats(f->unit); -+ link_stats_valid = 0; -+ -+ if (link_stats.pkts_in != last_pkts_in) { -+ last_pkts_in = link_stats.pkts_in; -+ return; -+ } -+ } -+ - /* - * Make and send the echo request frame. 
- */ -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index 64659cf867b2..ec8bfd5c0617 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the - dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to - 1) in demand mode if the local address changes. - .TP -+.B lcp\-echo\-adaptive -+If this option is used with the \fIlcp\-echo\-failure\fR option then -+pppd will send LCP echo\-request frames only if no traffic was received -+from the peer since the last echo\-request was sent. -+.TP - .B lcp\-echo\-failure \fIn - If this option is given, pppd will presume the peer to be dead - if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP diff --git a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch deleted file mode 100644 index ff9096f70..000000000 --- a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch +++ /dev/null 
@@ -1,296 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] Makefiles cleanup - -Factor-out $COPTS and $LDOPTS to allow distributions to easily override -them. Properly use $LDFLAGS when linking and $CFLAGS when compiling. -Do not strip the installed binaries: this should be done by the -packaging system if required. - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - chat/Makefile.linux | 5 +++-- - pppd/Makefile.linux | 7 ++++--- - pppd/plugins/Makefile.linux | 4 ++-- - pppd/plugins/pppoatm/Makefile.linux | 4 ++-- - pppd/plugins/pppol2tp/Makefile.linux | 4 ++-- - pppd/plugins/radius/Makefile.linux | 16 +++++++++------- - pppd/plugins/rp-pppoe/Makefile.linux | 10 ++++++---- - pppdump/Makefile.linux | 9 ++++++--- - pppstats/Makefile.linux | 7 ++++--- - 9 files changed, 38 insertions(+), 28 deletions(-) - -diff --git a/chat/Makefile.linux b/chat/Makefile.linux -index 1065ac519576..a41d485b4168 100644 ---- a/chat/Makefile.linux -+++ b/chat/Makefile.linux -@@ -12,20 +12,21 @@ CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) - - COPTS= -O2 -g -pipe - CFLAGS= $(COPTS) $(CDEFS) -+LDFLAGS=$(LDOPTS) - - INSTALL= install - - all: chat - - chat: chat.o -- $(CC) -o chat chat.o -+ $(CC) $(LDFLAGS) -o chat chat.o - - chat.o: chat.c - $(CC) -c $(CFLAGS) -o chat.o chat.c - - install: chat - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c chat $(BINDIR) -+ $(INSTALL) -c chat $(BINDIR) - $(INSTALL) -c -m 644 chat.8 $(MANDIR) - - clean: -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index a74c914fd3ac..16b3ee879791 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -83,6 +83,7 @@ INCLUDE_DIRS= -I../include - COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP - - CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' -+LDFLAGS=$(LDOPTS) - - ifdef CHAPMS - CFLAGS += -DCHAPMS=1 -@@ -102,7 +103,7 @@ ifdef USE_SRP - 
CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include - LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto - TARGETS += srp-entry --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry - MANPAGES += srp-entry.8 - EXTRACLEAN += srp-entry.o - NEEDDES=y -@@ -208,13 +209,13 @@ all: $(TARGETS) - install: pppd - mkdir -p $(BINDIR) $(MANDIR) - $(EXTRAINSTALL) -- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd -+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ - chmod o-rx,u+s $(BINDIR)/pppd; fi - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) - - pppd: $(PPPDOBJS) -- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) -+ $(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) - - srp-entry: srp-entry.c - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 8a90e393a057..0f9d37d2953b 100644 ---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = -O2 -g - CFLAGS = $(COPTS) -I.. -I../../include -fPIC --LDFLAGS = -shared -+LDFLAGS = $(LDOPTS) - INSTALL = install - - DESTDIR = $(INSTROOT)@DESTDIR@ -@@ -30,7 +30,7 @@ all: $(PLUGINS) - for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done - - %.so: %.c -- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ -+ $(CC) -o $@ $(LDFLAGS) -shared $(CFLAGS) $^ - - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) - -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 20f62e631d23..002603c6cbef 100644 ---- a/pppd/plugins/pppoatm/Makefile.linux -+++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = -O2 -g - CFLAGS = $(COPTS) -I../.. 
-I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS = $(LDOPTS) - INSTALL = install - - #*********************************************************************** -@@ -33,7 +33,7 @@ endif - all: $(PLUGIN) - - $(PLUGIN): $(PLUGIN_OBJS) -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux -index ea3538e22d56..de5cc12e79c3 100644 ---- a/pppd/plugins/pppol2tp/Makefile.linux -+++ b/pppd/plugins/pppol2tp/Makefile.linux -@@ -1,7 +1,7 @@ - #CC = gcc - COPTS = -O2 -g - CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC --LDFLAGS = -shared -+LDFLAGS = $(LDOPTS) - INSTALL = install - - #*********************************************************************** -@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so - all: $(PLUGINS) - - %.so: %.o -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) -+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux -index 24ed3e580c4d..436ff2fd0c23 100644 ---- a/pppd/plugins/radius/Makefile.linux -+++ b/pppd/plugins/radius/Makefile.linux -@@ -12,7 +12,9 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) - INSTALL = install - - PLUGIN=radius.so radattr.so radrealms.so --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON -+COPTS=-g -O2 -+CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC -DRC_LOG_FACILITY=LOG_DAEMON -+LDFLAGS= $(LDOPTS) - - # Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. 
-@@ -36,20 +38,20 @@ all: $(PLUGIN) - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) -- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radius.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) -+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) - $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR) - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) - - radius.so: radius.o libradiusclient.a -- $(CC) -o radius.so -shared radius.o libradiusclient.a -+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a - - radattr.so: radattr.o -- $(CC) -o radattr.so -shared radattr.o -+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o - - radrealms.so: radrealms.o -- $(CC) -o radrealms.so -shared radrealms.o -+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o - - CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \ - clientid.o sendserver.o lock.o util.o md5.o -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux -index 5d7a2719545d..00e0af6da20c 100644 ---- a/pppd/plugins/rp-pppoe/Makefile.linux -+++ b/pppd/plugins/rp-pppoe/Makefile.linux -@@ -27,10 +27,12 @@ RP_VERSION=3.8p - - COPTS=-O2 -g - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' -+LDFLAGS=$(LDOPTS) -+ - all: rp-pppoe.so pppoe-discovery - - pppoe-discovery: pppoe-discovery.o debug.o -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o -+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o - - pppoe-discovery.o: pppoe-discovery.c - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c -@@ -39,13 +41,13 @@ debug.o: debug.c - $(CC) $(CFLAGS) -c -o debug.o debug.c - - rp-pppoe.so: plugin.o discovery.o if.o common.o -- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o -+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared $^ - - install: all - $(INSTALL) -d -m 755 $(LIBDIR) -- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) 
-+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) - $(INSTALL) -d -m 755 $(BINDIR) -- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) -+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) - - clean: - rm -f *.o *.so pppoe-discovery -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index ac028f6bf4f0..65e5c14914fb 100644 ---- a/pppdump/Makefile.linux -+++ b/pppdump/Makefile.linux -@@ -2,7 +2,10 @@ DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 - --CFLAGS= -O -I../include/net -+COPTS=-O2 -g -+CFLAGS= $(COPTS) -I../include/net -+LDFLAGS=$(LDOPTS) -+ - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o - - INSTALL= install -@@ -10,12 +13,12 @@ INSTALL= install - all: pppdump - - pppdump: $(OBJS) -- $(CC) -o pppdump $(OBJS) -+ $(CC) $(LDFLAGS) -o pppdump $(OBJS) - - clean: - rm -f pppdump $(OBJS) *~ - - install: - mkdir -p $(BINDIR) $(MANDIR) -- $(INSTALL) -s -c pppdump $(BINDIR) -+ $(INSTALL) -c pppdump $(BINDIR) - $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux -index cca6f0f61d87..9ec8e803665a 100644 ---- a/pppstats/Makefile.linux -+++ b/pppstats/Makefile.linux -@@ -10,23 +10,24 @@ PPPSTATSRCS = pppstats.c - PPPSTATOBJS = pppstats.o - - #CC = gcc --COPTS = -O -+COPTS = -O2 -g - COMPILE_FLAGS = -I../include - LIBS = - - INSTALL= install - - CFLAGS = $(COPTS) $(COMPILE_FLAGS) -+LDFLAGS= $(LDOPTS) - - all: pppstats - - install: pppstats - -mkdir -p $(MANDIR) -- $(INSTALL) -s -c pppstats $(BINDIR) -+ $(INSTALL) -c pppstats $(BINDIR) - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) - - pppstats: $(PPPSTATSRCS) -- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) -+ $(CC) $(LDFLAGS) $(CFLAGS) -o pppstats pppstats.c $(LIBS) - - clean: - rm -f pppstats *~ #* core 
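Review bot: In the pppd/plugins/rp-pppoe/Makefile.linux part of 0017, the install rule keeps `$(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)`, which puts a setuid bit on a shared object. The bit has no effect on a plugin loaded into pppd, but it shows up in every setuid audit of the target root filesystem; the radius plugins in the same patch are installed with `-m 755`, and rp-pppoe.so should get a plain mode as well. The pppd link rule in pppd/Makefile.linux also drops $(CFLAGS) while srp-entry and pppstats keep it on their link lines, so flags passed only through COPTS reach some link steps and not others; passing everything the link needs through LDOPTS should be documented. With this patch deleted for the 2.4.9 bump, both points and the removal of `-s` from the install rules are worth checking against the 2.4.9 Makefiles, so the installed modes and the stripping behaviour on the target do not change unnoticed.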
diff --git a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch deleted file mode 100644 index 41669d12a..000000000 --- a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch +++ /dev/null @@ -1,44 +0,0 @@ -From: Simon Peter <dn.tlp@gmx.net> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist - -When using the kernel PPPoE driver, pppd never -closes /dev/ppp when the link has come down. - -It opens superfluous fds to the device each time it re-opens the -connection, with the unclosed ones falsely reported always ready for -data by select(). - -This makes pppd eat up 100% CPU time after the first persist because of -the always instantly returning select() on the unclosed fds. - -The problem also occurs with the upstream version, but does not occur -when a pty/tty device is used for the ppp connection. - - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/sys-linux.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 9b2f293024ac..6d29dc8e8594 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd) - if (new_style_driver) { - int flags; - -+ /* if a ppp_fd is already open, close it first */ -+ if(ppp_fd > 0) { -+ close(ppp_fd); -+ remove_fd(ppp_fd); -+ ppp_fd = -1; -+ } -+ - /* Open an instance of /dev/ppp and connect the channel to it */ - if (ioctl(fd, PPPIOCGCHAN, &chindex) == -1) { - error("Couldn't get channel number: %m"); diff --git a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch deleted file mode 100644 index f785c75d8..000000000 
--- a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment - -Package: ppp -Version: 2.4.2+20040428-2 -Severity: wishlist - -When pppd detaches from the parent normally, that is, without nodetach -or updetach set, the linkpidfile is not created even when linkname is -set. - -This is because the create_linkpidfile call in detach() is only made -if the linkpidfile is filled in. However, linkpidfile is never filled -in until create_linkpidfile has been called. - -IMHO the call should be made uncondtionally in detach() since -create_linkpidfile does its own check on linkname anyway. - -Please note that the version of pppd in woody always wrote the -linkpidfile after detaching. It did so in main() however. That -call has now been removed which is why I'm seeing this problem. - -[...] - --- - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/main.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/pppd/main.c b/pppd/main.c -index 76b67d2485b7..8e31365f0c58 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -765,8 +765,7 @@ detach() - /* update pid files if they have been written already */ - if (pidfilename[0]) - create_pidfile(pid); -- if (linkpidfile[0]) -- create_linkpidfile(pid); -+ create_linkpidfile(pid); - exit(0); /* parent dies */ - } - setsid(); diff --git a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch deleted file mode 100644 index ee22c74b6..000000000 --- a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch +++ /dev/null 
@@ -1,90 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] cosmetic cleanup of the pppoatm plugin - -Removed some debugging messages and generally cleaned up the source. - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++---------- - 1 file changed, 13 insertions(+), 10 deletions(-) - -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c -index a7560e9fb0c6..90d0c9a85d9f 100644 ---- a/pppd/plugins/pppoatm/pppoatm.c -+++ b/pppd/plugins/pppoatm/pppoatm.c -@@ -70,18 +70,20 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit) - { - struct sockaddr_atmpvc addr; - extern struct stat devstat; -+ - if (device_got_set) - return 0; -- //info("PPPoATM setdevname_pppoatm: '%s'", cp); -+ - memset(&addr, 0, sizeof addr); - if (text2atm(cp, (struct sockaddr *) &addr, sizeof(addr), -- T2A_PVC | T2A_NAME) < 0) { -- if(doit) -- info("atm does not recognize: %s", cp); -+ T2A_PVC | T2A_NAME | T2A_WILDCARD) < 0) { -+ if (doit) -+ info("cannot parse the ATM address: %s", cp); - return 0; -- } -- if (!doit) return 1; -- //if (!dev_set_ok()) return -1; -+ } -+ if (!doit) -+ return 1; -+ - memcpy(&pvcaddr, &addr, sizeof pvcaddr); - strlcpy(devnam, cp, sizeof devnam); - devstat.st_mode = S_IFSOCK; -@@ -93,7 +95,6 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit) - lcp_allowoptions[0].neg_asyncmap = 0; - lcp_wantoptions[0].neg_pcompression = 0; - } -- info("PPPoATM setdevname_pppoatm - SUCCESS:%s", cp); - device_got_set = 1; - return 1; - } -@@ -108,6 +109,7 @@ static void no_device_given_pppoatm(void) - static void set_line_discipline_pppoatm(int fd) - { - struct atm_backend_ppp be; -+ - be.backend_num = ATM_BACKEND_PPP; - if (!llc_encaps) - be.encaps = PPPOATM_ENCAPS_VC; -@@ -115,6 +117,7 @@ static void set_line_discipline_pppoatm(int 
fd) - be.encaps = PPPOATM_ENCAPS_LLC; - else - be.encaps = PPPOATM_ENCAPS_AUTODETECT; -+ - if (ioctl(fd, ATM_SETBACKEND, &be) < 0) - fatal("ioctl(ATM_SETBACKEND): %m"); - } -@@ -172,7 +175,7 @@ static void disconnect_pppoatm(void) - - void plugin_init(void) - { --#if defined(__linux__) -+#ifdef linux - extern int new_style_driver; /* From sys-linux.c */ - if (!ppp_available() && !new_style_driver) - fatal("Kernel doesn't support ppp_generic - " -@@ -180,9 +183,9 @@ void plugin_init(void) - #else - fatal("No PPPoATM support on this OS"); - #endif -- info("PPPoATM plugin_init"); - add_options(pppoa_options); - } -+ - struct channel pppoa_channel = { - options: pppoa_options, - process_extra_options: NULL, diff --git a/patches/ppp-2.4.7/0023-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch deleted file mode 100644 index b4712de17..000000000 --- a/patches/ppp-2.4.7/0023-pppoe_noads.patch +++ /dev/null @@ -1,25 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] pppoe_noads - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/plugin.c | 3 --- - 1 file changed, 3 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index c89be94250bc..7804b184f0cb 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -377,9 +377,6 @@ plugin_init(void) - } - - add_options(Options); -- -- info("RP-PPPoE plugin version %s compiled against pppd %s", -- RP_VERSION, VERSION); - } - - void pppoe_check_options(void) diff --git a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch deleted file mode 100644 index 557b16901..000000000 --- a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch +++ /dev/null 
@@ -1,27 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] make _PATH_CONNERRS world readable - -There is nothing security-sensitive there. - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/main.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/main.c b/pppd/main.c -index 8e31365f0c58..ed544315c1df 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait) - if (log_to_fd >= 0) - errfd = log_to_fd; - else -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); - - ++conn_running; - pid = safe_fork(in, out, errfd); diff --git a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch deleted file mode 100644 index febfaf869..000000000 --- a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch +++ /dev/null 
@@ -1,46 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] Correct unkown => unknown typo - -Author: Chris Boot <bootc@debian.org> -Last-Update: 2013-09-09 - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/radius/config.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c -index a29e5e8da909..f892ca7b1bf5 100644 ---- a/pppd/plugins/radius/config.c -+++ b/pppd/plugins/radius/config.c -@@ -271,7 +271,7 @@ char *rc_conf_str(char *optname) - option = find_option(optname, OT_STR); - - if (option == NULL) -- fatal("rc_conf_str: unkown config option requested: %s", optname); -+ fatal("rc_conf_str: unknown config option requested: %s", optname); - return (char *)option->val; - } - -@@ -282,7 +282,7 @@ int rc_conf_int(char *optname) - option = find_option(optname, OT_INT|OT_AUO); - - if (option == NULL) -- fatal("rc_conf_int: unkown config option requested: %s", optname); -+ fatal("rc_conf_int: unknown config option requested: %s", optname); - return *((int *)option->val); - } - -@@ -293,7 +293,7 @@ SERVER *rc_conf_srv(char *optname) - option = find_option(optname, OT_SRV); - - if (option == NULL) -- fatal("rc_conf_srv: unkown config option requested: %s", optname); -+ fatal("rc_conf_srv: unknown config option requested: %s", optname); - return (SERVER *)option->val; - } - diff --git a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch deleted file mode 100644 index 5cf266d10..000000000 --- a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch +++ /dev/null 
@@ -1,302 +0,0 @@ -From: Matteo Croce <matteo@openwrt.org> -Date: Sat, 21 Nov 2015 18:45:43 +0100 -Subject: [PATCH] pppoe: custom host-uniq tag - -Add pppoe 'host-uniq' option to set an arbitrary -host-uniq tag instead of the pppd pid. -Some ISPs use such tag to authenticate the CPE, -so it must be set to a proper value to connect. - -Signed-off-by: Matteo Croce <matteo@openwrt.org> -Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/rp-pppoe/common.c | 14 ++++----- - pppd/plugins/rp-pppoe/discovery.c | 51 +++++++++++++-------------------- - pppd/plugins/rp-pppoe/plugin.c | 7 ++++- - pppd/plugins/rp-pppoe/pppoe-discovery.c | 38 +++++++++++++++--------- - pppd/plugins/rp-pppoe/pppoe.h | 31 +++++++++++++++++++- - 5 files changed, 86 insertions(+), 55 deletions(-) - -diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c -index 89c633c773f9..8f175ece345b 100644 ---- a/pppd/plugins/rp-pppoe/common.c -+++ b/pppd/plugins/rp-pppoe/common.c -@@ -119,15 +119,11 @@ sendPADT(PPPoEConnection *conn, char const *msg) - conn->session = 0; - - /* If we're using Host-Uniq, copy it over */ -- if (conn->useHostUniq) { -- PPPoETag hostUniq; -- pid_t pid = getpid(); -- hostUniq.type = htons(TAG_HOST_UNIQ); -- hostUniq.length = htons(sizeof(pid)); -- memcpy(hostUniq.payload, &pid, sizeof(pid)); -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); -- cursor += sizeof(pid) + TAG_HDR_SIZE; -- plen += sizeof(pid) + TAG_HDR_SIZE; -+ if (conn->hostUniq.length) { -+ int len = ntohs(conn->hostUniq.length); -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); -+ cursor += len + TAG_HDR_SIZE; -+ plen += len + TAG_HDR_SIZE; - } - - /* Copy error message */ -diff --git a/pppd/plugins/rp-pppoe/discovery.c b/pppd/plugins/rp-pppoe/discovery.c -index 04877cb8295f..5db8d0defc37 100644 ---- a/pppd/plugins/rp-pppoe/discovery.c -+++ 
b/pppd/plugins/rp-pppoe/discovery.c -@@ -80,13 +80,10 @@ static void - parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data, - void *extra) - { -- int *val = (int *) extra; -- if (type == TAG_HOST_UNIQ && len == sizeof(pid_t)) { -- pid_t tmp; -- memcpy(&tmp, data, len); -- if (tmp == getpid()) { -- *val = 1; -- } -+ PPPoETag *tag = extra; -+ -+ if (type == TAG_HOST_UNIQ && len == ntohs(tag->length)) { -+ tag->length = memcmp(data, tag->payload, len); - } - } - -@@ -104,16 +101,16 @@ parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data, - static int - packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet) - { -- int forMe = 0; -+ PPPoETag hostUniq = conn->hostUniq; - - /* If packet is not directed to our MAC address, forget it */ - if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0; - - /* If we're not using the Host-Unique tag, then accept the packet */ -- if (!conn->useHostUniq) return 1; -+ if (!conn->hostUniq.length) return 1; - -- parsePacket(packet, parseForHostUniq, &forMe); -- return forMe; -+ parsePacket(packet, parseForHostUniq, &hostUniq); -+ return !hostUniq.length; - } - - /********************************************************************** -@@ -301,16 +298,12 @@ sendPADI(PPPoEConnection *conn) - } - - /* If we're using Host-Uniq, copy it over */ -- if (conn->useHostUniq) { -- PPPoETag hostUniq; -- pid_t pid = getpid(); -- hostUniq.type = htons(TAG_HOST_UNIQ); -- hostUniq.length = htons(sizeof(pid)); -- memcpy(hostUniq.payload, &pid, sizeof(pid)); -- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE); -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); -- cursor += sizeof(pid) + TAG_HDR_SIZE; -- plen += sizeof(pid) + TAG_HDR_SIZE; -+ if (conn->hostUniq.length) { -+ int len = ntohs(conn->hostUniq.length); -+ CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE); -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); -+ cursor += len + TAG_HDR_SIZE; -+ plen += len + TAG_HDR_SIZE; - } - - 
/* Add our maximum MTU/MRU */ -@@ -478,16 +471,12 @@ sendPADR(PPPoEConnection *conn) - cursor += namelen + TAG_HDR_SIZE; - - /* If we're using Host-Uniq, copy it over */ -- if (conn->useHostUniq) { -- PPPoETag hostUniq; -- pid_t pid = getpid(); -- hostUniq.type = htons(TAG_HOST_UNIQ); -- hostUniq.length = htons(sizeof(pid)); -- memcpy(hostUniq.payload, &pid, sizeof(pid)); -- CHECK_ROOM(cursor, packet.payload, sizeof(pid)+TAG_HDR_SIZE); -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); -- cursor += sizeof(pid) + TAG_HDR_SIZE; -- plen += sizeof(pid) + TAG_HDR_SIZE; -+ if (conn->hostUniq.length) { -+ int len = ntohs(conn->hostUniq.length); -+ CHECK_ROOM(cursor, packet.payload, len+TAG_HDR_SIZE); -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); -+ cursor += len + TAG_HDR_SIZE; -+ plen += len + TAG_HDR_SIZE; - } - - /* Add our maximum MTU/MRU */ -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c -index 7804b184f0cb..12778d0d9991 100644 ---- a/pppd/plugins/rp-pppoe/plugin.c -+++ b/pppd/plugins/rp-pppoe/plugin.c -@@ -68,6 +68,7 @@ static char *existingSession = NULL; - static int printACNames = 0; - static char *pppoe_reqd_mac = NULL; - unsigned char pppoe_reqd_mac_addr[6]; -+static char *host_uniq = NULL; - - static int PPPoEDevnameHook(char *cmd, char **argv, int doit); - static option_t Options[] = { -@@ -85,6 +86,8 @@ static option_t Options[] = { - "Be verbose about discovered access concentrators"}, - { "pppoe-mac", o_string, &pppoe_reqd_mac, - "Only connect to specified MAC address" }, -+ { "host-uniq", o_string, &host_uniq, -+ "Specify custom Host-Uniq" }, - { NULL } - }; - int (*OldDevnameHook)(char *cmd, char **argv, int doit) = NULL; -@@ -110,7 +113,6 @@ PPPOEInitDevice(void) - conn->ifName = devnam; - conn->discoverySocket = -1; - conn->sessionSocket = -1; -- conn->useHostUniq = 1; - conn->printACNames = printACNames; - conn->discoveryTimeout = PADI_TIMEOUT; - return 1; -@@ -166,6 +168,9 @@ PPPOEConnectDevice(void) - 
if (lcp_wantoptions[0].mru > ifr.ifr_mtu - TOTAL_OVERHEAD) - lcp_wantoptions[0].mru = ifr.ifr_mtu - TOTAL_OVERHEAD; - -+ if (host_uniq && !parseHostUniq(host_uniq, &conn->hostUniq)) -+ fatal("Illegal value for host-uniq option"); -+ - conn->acName = acName; - conn->serviceName = pppd_pppoe_service; - strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam)); -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c -index 55037dffb023..ff4c487ffaa9 100644 ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c -@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet) - if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0; - - /* If we're not using the Host-Unique tag, then accept the packet */ -- if (!conn->useHostUniq) return 1; -+ if (!conn->hostUniq.length) return 1; - - parsePacket(packet, parseForHostUniq, &forMe); - return forMe; -@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn) - cursor += namelen + TAG_HDR_SIZE; - - /* If we're using Host-Uniq, copy it over */ -- if (conn->useHostUniq) { -- PPPoETag hostUniq; -- pid_t pid = getpid(); -- hostUniq.type = htons(TAG_HOST_UNIQ); -- hostUniq.length = htons(sizeof(pid)); -- memcpy(hostUniq.payload, &pid, sizeof(pid)); -- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE); -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); -- cursor += sizeof(pid) + TAG_HDR_SIZE; -- plen += sizeof(pid) + TAG_HDR_SIZE; -+ if (conn->hostUniq.length) { -+ int len = ntohs(conn->hostUniq.length); -+ CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE); -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); -+ cursor += len + TAG_HDR_SIZE; -+ plen += len + TAG_HDR_SIZE; - } - - packet.length = htons(plen); -@@ -653,7 +649,7 @@ int main(int argc, char *argv[]) - - memset(conn, 0, sizeof(PPPoEConnection)); - -- while ((opt = getopt(argc, argv, "I:D:VUAS:C:h")) > 0) { -+ while ((opt = getopt(argc, argv, 
"I:D:VUW:AS:C:h")) > 0) { - switch(opt) { - case 'S': - conn->serviceName = xstrdup(optarg); -@@ -662,7 +658,23 @@ int main(int argc, char *argv[]) - conn->acName = xstrdup(optarg); - break; - case 'U': -- conn->useHostUniq = 1; -+ if(conn->hostUniq.length) { -+ fprintf(stderr, "-U and -W are mutually exclusive\n"); -+ exit(EXIT_FAILURE); -+ } -+ char pidbuf[5]; -+ snprintf(pidbuf, sizeof(pidbuf), "%04x", getpid()); -+ parseHostUniq(pidbuf, &conn->hostUniq); -+ break; -+ case 'W': -+ if(conn->hostUniq.length) { -+ fprintf(stderr, "-U and -W are mutually exclusive\n"); -+ exit(EXIT_FAILURE); -+ } -+ if (!parseHostUniq(optarg, &conn->hostUniq)) { -+ fprintf(stderr, "Invalid host-uniq argument: %s\n", optarg); -+ exit(EXIT_FAILURE); -+ } - break; - case 'D': - conn->debugFile = fopen(optarg, "w"); -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h -index c4aaa6e68856..08026f577028 100644 ---- a/pppd/plugins/rp-pppoe/pppoe.h -+++ b/pppd/plugins/rp-pppoe/pppoe.h -@@ -21,6 +21,8 @@ - - #include <stdio.h> /* For FILE */ - #include <sys/types.h> /* For pid_t */ -+#include <ctype.h> -+#include <string.h> - - /* How do we access raw Ethernet devices? */ - #undef USE_LINUX_PACKET -@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct { - char *serviceName; /* Desired service name, if any */ - char *acName; /* Desired AC name, if any */ - int synchronous; /* Use synchronous PPP */ -- int useHostUniq; /* Use Host-Uniq tag */ -+ PPPoETag hostUniq; /* Use Host-Uniq tag */ - int printACNames; /* Just print AC names */ - FILE *debugFile; /* Debug file for dumping packets */ - int numPADOs; /* Number of PADO packets received */ -@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet, - void (*printer)(void *, char *, ...), void *arg); - void pppoe_log_packet(const char *prefix, PPPoEPacket *packet); - -+static inline int parseHostUniq(const char *uniq, PPPoETag *tag) -+{ -+ int i, len = strlen(uniq); -+ -+#define hex(x) \ -+ (((x) <= '9') ? 
((x) - '0') : \ -+ (((x) <= 'F') ? ((x) - 'A' + 10) : \ -+ ((x) - 'a' + 10))) -+ -+ if (len % 2) -+ return 0; -+ -+ for (i = 0; i < len; i += 2) -+ { -+ if (!isxdigit(uniq[i]) || !isxdigit(uniq[i+1])) -+ return 0; -+ -+ tag->payload[i / 2] = (char)(16 * hex(uniq[i]) + hex(uniq[i+1])); -+ } -+ -+#undef hex -+ -+ tag->type = htons(TAG_HOST_UNIQ); -+ tag->length = htons(len / 2); -+ return 1; -+} -+ - #define SET_STRING(var, val) do { if (var) free(var); var = strDup(val); } while(0); - - #define CHECK_ROOM(cursor, start, len) \ diff --git a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch deleted file mode 100644 index 19f931b12..000000000 --- a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch +++ /dev/null 
@@ -1,324 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] Add replacedefaultroute option - -Adds an option to pppd to control whether to replace existing default routes -when using the 'defaultroute' option. - -If defaultroute and replacedefaultroute are both set, pppd replaces an existing -default route with the new default route. The old default route is restored when -the connection is taken down. - -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a -Forwarded: no -Reviewed-by: Chris Boot <bootc@debian.org> -Last-Update: 2014-01-26 - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ipcp.c | 45 +++++++++++++++++++++++++++---- - pppd/ipcp.h | 1 + - pppd/pppd.8 | 12 ++++++++- - pppd/pppd.h | 4 +++ - pppd/sys-linux.c | 82 +++++++++++++++++++++++++++++++++++++++++++++----------- - 5 files changed, 123 insertions(+), 21 deletions(-) - -diff --git a/pppd/ipcp.c b/pppd/ipcp.c -index e9738fe4d894..c8fe279d4ede 100644 ---- a/pppd/ipcp.c -+++ b/pppd/ipcp.c -@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = { - "disable defaultroute option", OPT_ALIAS | OPT_A2CLR, - &ipcp_wantoptions[0].default_route }, - -+#ifdef __linux__ -+ { "replacedefaultroute", o_bool, -+ &ipcp_wantoptions[0].replace_default_route, -+ "Replace default route", 1 -+ }, -+ { "noreplacedefaultroute", o_bool, -+ &ipcp_allowoptions[0].replace_default_route, -+ "Never replace default route", OPT_A2COPY, -+ &ipcp_wantoptions[0].replace_default_route }, -+#endif - { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp, - "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp }, - { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp, -@@ -271,7 +281,7 @@ struct protent ipcp_protent = { - ip_active_pkt - }; - --static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t)); 
-+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool)); - static void ipcp_script __P((char *, int)); /* Run an up/down script */ - static void ipcp_script_done __P((void *)); - -@@ -1761,7 +1771,12 @@ ip_demand_conf(u) - if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE)) - return 0; - if (wo->default_route) -+#ifndef __linux__ - if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr)) -+#else -+ if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr, -+ wo->replace_default_route)) -+#endif - default_route_set[u] = 1; - if (wo->proxy_arp) - if (sifproxyarp(u, wo->hisaddr)) -@@ -1849,7 +1864,8 @@ ipcp_up(f) - */ - if (demand) { - if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) { -- ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr); -+ ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr, -+ wo->replace_default_route); - if (go->ouraddr != wo->ouraddr) { - warn("Local IP address changed to %I", go->ouraddr); - script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0); -@@ -1874,7 +1890,12 @@ ipcp_up(f) - - /* assign a default route through the interface if required */ - if (ipcp_wantoptions[f->unit].default_route) -+#ifndef __linux__ - if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) -+#else -+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr, -+ wo->replace_default_route)) -+#endif - default_route_set[f->unit] = 1; - - /* Make a proxy ARP entry if requested. */ -@@ -1924,7 +1945,12 @@ ipcp_up(f) - - /* assign a default route through the interface if required */ - if (ipcp_wantoptions[f->unit].default_route) -+#ifndef __linux__ - if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) -+#else -+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr, -+ wo->replace_default_route)) -+#endif - default_route_set[f->unit] = 1; - - /* Make a proxy ARP entry if requested. 
*/ -@@ -2002,7 +2028,7 @@ ipcp_down(f) - sifnpmode(f->unit, PPP_IP, NPMODE_DROP); - sifdown(f->unit); - ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr, -- ipcp_hisoptions[f->unit].hisaddr); -+ ipcp_hisoptions[f->unit].hisaddr, 0); - } - - /* Execute the ip-down script */ -@@ -2018,16 +2044,25 @@ ipcp_down(f) - * proxy arp entries, etc. - */ - static void --ipcp_clear_addrs(unit, ouraddr, hisaddr) -+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute) - int unit; - u_int32_t ouraddr; /* local address */ - u_int32_t hisaddr; /* remote address */ -+ bool replacedefaultroute; - { - if (proxy_arp_set[unit]) { - cifproxyarp(unit, hisaddr); - proxy_arp_set[unit] = 0; - } -- if (default_route_set[unit]) { -+ /* If replacedefaultroute, sifdefaultroute will be called soon -+ * with replacedefaultroute set and that will overwrite the current -+ * default route. This is the case only when doing demand, otherwise -+ * during demand, this cifdefaultroute would restore the old default -+ * route which is not what we want in this case. In the non-demand -+ * case, we'll delete the default route and restore the old if there -+ * is one saved by an sifdefaultroute with replacedefaultroute. -+ */ -+ if (!replacedefaultroute && default_route_set[unit]) { - cifdefaultroute(unit, ouraddr, hisaddr); - default_route_set[unit] = 0; - } -diff --git a/pppd/ipcp.h b/pppd/ipcp.h -index 6cf14c990578..7ecfa79d8668 100644 ---- a/pppd/ipcp.h -+++ b/pppd/ipcp.h -@@ -70,6 +70,7 @@ typedef struct ipcp_options { - bool old_addrs; /* Use old (IP-Addresses) option? */ - bool req_addr; /* Ask peer to send IP address? */ - bool default_route; /* Assign default route through interface? */ -+ bool replace_default_route; /* Replace default route through interface? */ - bool proxy_arp; /* Make proxy ARP entry for peer? */ - bool neg_vj; /* Van Jacobson Compression? */ - bool old_vj; /* use old (short) form of VJ option? 
*/ -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index ec8bfd5c0617..481aa8be672b 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed. - This entry is removed when the PPP connection is broken. This option - is privileged if the \fInodefaultroute\fR option has been specified. - .TP -+.B replacedefaultroute -+This option is a flag to the defaultroute option. If defaultroute is -+set and this flag is also set, pppd replaces an existing default route -+with the new default route. -+.TP - .B disconnect \fIscript - Execute the command specified by \fIscript\fR, by passing it to a - shell, after -@@ -739,7 +744,12 @@ disable both forms of hardware flow control. - .TP - .B nodefaultroute - Disable the \fIdefaultroute\fR option. The system administrator who --wishes to prevent users from creating default routes with pppd -+wishes to prevent users from adding a default route with pppd -+can do so by placing this option in the /etc/ppp/options file. -+.TP -+.B noreplacedefaultroute -+Disable the \fIreplacedefaultroute\fR option. The system administrator who -+wishes to prevent users from replacing a default route with pppd - can do so by placing this option in the /etc/ppp/options file. 
- .TP - .B nodeflate -diff --git a/pppd/pppd.h b/pppd/pppd.h -index 1a1bf0b99582..7495df657fe9 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -676,7 +676,11 @@ int sif6addr __P((int, eui64_t, eui64_t)); - int cif6addr __P((int, eui64_t, eui64_t)); - /* Remove an IPv6 address from i/f */ - #endif -+#ifndef __linux__ - int sifdefaultroute __P((int, u_int32_t, u_int32_t)); -+#else -+int sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt)); -+#endif - /* Create default route through i/f */ - int cifdefaultroute __P((int, u_int32_t, u_int32_t)); - /* Delete default route through i/f */ -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c -index 6d29dc8e8594..3f0bbc33c605 100644 ---- a/pppd/sys-linux.c -+++ b/pppd/sys-linux.c -@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */ - static int if_is_up; /* Interface has been marked up */ - static int if6_is_up; /* Interface has been marked up for IPv6, to help differentiate */ - static int have_default_route; /* Gateway for default route added */ -+static struct rtentry old_def_rt; /* Old default route */ -+static int default_rt_repl_rest; /* replace and restore old default rt */ - static u_int32_t proxy_arp_addr; /* Addr for proxy arp entry added */ - static char proxy_arp_dev[16]; /* Device for proxy arp entry */ - static u_int32_t our_old_addr; /* for detecting address changes */ -@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt) - p = NULL; - } - -+ SET_SA_FAMILY (rt->rt_dst, AF_INET); -+ SET_SA_FAMILY (rt->rt_gateway, AF_INET); -+ - SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16); - SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16); - SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16); -@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr) - /******************************************************************** - * - * sifdefaultroute - assign a default route through the address given. 
-- */ -- --int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) --{ -- struct rtentry rt; -- -- if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) { -- if (rt.rt_flags & RTF_GATEWAY) -- error("not replacing existing default route via %I", -- SIN_ADDR(rt.rt_gateway)); -- else -- error("not replacing existing default route through %s", -- rt.rt_dev); -- return 0; -+ * -+ * If the global default_rt_repl_rest flag is set, then this function -+ * already replaced the original system defaultroute with some other -+ * route and it should just replace the current defaultroute with -+ * another one, without saving the current route. Use: demand mode, -+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses -+ * and then changes the temporary addresses to the addresses for the real -+ * ppp connection when it has come up. -+ */ -+ -+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace) -+{ -+ struct rtentry rt, tmp_rt; -+ struct rtentry *del_rt = NULL; -+ -+ if (default_rt_repl_rest) { -+ /* We have already reclaced the original defaultroute, if we -+ * are called again, we will delete the current default route -+ * and set the new default route in this function. 
-+ * - this is normally only the case the doing demand: */ -+ if (defaultroute_exists( &tmp_rt )) -+ del_rt = &tmp_rt; -+ } else if ( defaultroute_exists( &old_def_rt ) && -+ strcmp( old_def_rt.rt_dev, ifname ) != 0) { -+ /* We did not yet replace an existing default route, let's -+ * check if we should save and replace a default route: -+ */ -+ u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway); -+ -+ if (old_gateway != gateway) { -+ if (!replace) { -+ error("not replacing default route to %s [%I]", -+ old_def_rt.rt_dev, old_gateway); -+ return 0; -+ } else { -+ // we need to copy rt_dev because we need it permanent too: -+ char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1); -+ strcpy(tmp_dev, old_def_rt.rt_dev); -+ old_def_rt.rt_dev = tmp_dev; -+ -+ notice("replacing old default route to %s [%I]", -+ old_def_rt.rt_dev, old_gateway); -+ default_rt_repl_rest = 1; -+ del_rt = &old_def_rt; -+ } -+ } - } -- - memset (&rt, 0, sizeof (rt)); - SET_SA_FAMILY (rt.rt_dst, AF_INET); - -@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) - error("default route ioctl(SIOCADDRT): %m"); - return 0; - } -+ if (default_rt_repl_rest && del_rt) -+ if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) { -+ if ( ! ok_error ( errno )) -+ error("del old default route ioctl(SIOCDELRT): %m(%d)", errno); -+ return 0; -+ } - - have_default_route = 1; - return 1; -@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) - return 0; - } - } -+ if (default_rt_repl_rest) { -+ notice("restoring old default route to %s [%I]", -+ old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway)); -+ if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) { -+ if ( ! ok_error ( errno )) -+ error("restore default route ioctl(SIOCADDRT): %m(%d)", errno); -+ return 0; -+ } -+ default_rt_repl_rest = 0; -+ } - - return 1; - } 
diff --git a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch deleted file mode 100644 index 3cd1b78e7..000000000 --- a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] add support for the Framed-MTU Radius attribute - -http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532 - -From: klepikov_a@up.ua -To: ppp-bugs@ppp.samba.org -Subject: Radius plugin does not set MTU on ppp interface -Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT) - -Full_Name: Alexander Klepikov -Version: 2.4.3 -OS: rhl 7.3 (2.4.20-28.7bigmem) -Submission from: (NULL) (213.130.21.73) - - -This patch allows radius plugin to deal with Framed-MTU Radius attribute and to -set MTU on interface. - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/radius/radius.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c -index 4ba5f523ea07..06e00590b635 100644 ---- a/pppd/plugins/radius/radius.c -+++ b/pppd/plugins/radius/radius.c -@@ -651,6 +651,9 @@ radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info, - memcpy(rstate.class, vp->strvalue, rstate.class_len); - } /* else too big for our buffer - ignore it */ - break; -+ case PW_FRAMED_MTU: -+ netif_set_mtu(rstate.client_port,MIN(netif_get_mtu(rstate.client_port),vp->lvalue)); -+ break; - } - - diff --git a/patches/ppp-2.4.7/0030-018_ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch deleted file mode 100644 index 06cb2e5bb..000000000 --- a/patches/ppp-2.4.7/0030-018_ip-up_option.patch +++ /dev/null 
@@ -1,106 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] 018_ip up_option - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ipcp.c | 8 ++++---- - pppd/main.c | 3 +++ - pppd/options.c | 9 +++++++++ - pppd/pppd.h | 2 ++ - 4 files changed, 18 insertions(+), 4 deletions(-) - -diff --git a/pppd/ipcp.c b/pppd/ipcp.c -index dceca807542a..d6e0e2a699fe 100644 ---- a/pppd/ipcp.c -+++ b/pppd/ipcp.c -@@ -1984,7 +1984,7 @@ ipcp_up(f) - */ - if (ipcp_script_state == s_down && ipcp_script_pid == 0) { - ipcp_script_state = s_up; -- ipcp_script(_PATH_IPUP, 0); -+ ipcp_script(path_ipup, 0); - } - } - -@@ -2034,7 +2034,7 @@ ipcp_down(f) - /* Execute the ip-down script */ - if (ipcp_script_state == s_up && ipcp_script_pid == 0) { - ipcp_script_state = s_down; -- ipcp_script(_PATH_IPDOWN, 0); -+ ipcp_script(path_ipdown, 0); - } - } - -@@ -2097,13 +2097,13 @@ ipcp_script_done(arg) - case s_up: - if (ipcp_fsm[0].state != OPENED) { - ipcp_script_state = s_down; -- ipcp_script(_PATH_IPDOWN, 0); -+ ipcp_script(path_ipdown, 0); - } - break; - case s_down: - if (ipcp_fsm[0].state == OPENED) { - ipcp_script_state = s_up; -- ipcp_script(_PATH_IPUP, 0); -+ ipcp_script(path_ipup, 0); - } - break; - } -diff --git a/pppd/main.c b/pppd/main.c -index ed544315c1df..9164a1eb0f95 100644 ---- a/pppd/main.c -+++ b/pppd/main.c -@@ -308,6 +308,9 @@ main(argc, argv) - struct protent *protp; - char numbuf[16]; - -+ strlcpy(path_ipup, _PATH_IPUP, sizeof(path_ipup)); -+ strlcpy(path_ipdown, _PATH_IPDOWN, sizeof(path_ipdown)); -+ - link_stats_valid = 0; - new_phase(PHASE_INITIALIZE); - -diff --git a/pppd/options.c b/pppd/options.c -index 91da515ac533..a8f3aa4590a3 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -114,6 +114,8 @@ char linkname[MAXPATHLEN]; /* logical name for link */ - bool tune_kernel; /* may alter kernel settings */ - int connect_delay = 1000; /* wait 
this many ms after connect script */ - int req_unit = -1; /* requested interface unit */ -+char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */ -+char path_ipdown[MAXPATHLEN];/* pathname of ip-down script */ - char req_ifname[MAXIFNAMELEN]; /* requested interface name */ - bool multilink = 0; /* Enable multilink operation */ - char *bundle_name = NULL; /* bundle name for multilink */ -@@ -304,6 +306,13 @@ option_t general_options[] = { - "Unset user environment variable", - OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint }, - -+ { "ip-up-script", o_string, path_ipup, -+ "Set pathname of ip-up script", -+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN }, -+ { "ip-down-script", o_string, path_ipdown, -+ "Set pathname of ip-down script", -+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN }, -+ - #ifdef HAVE_MULTILINK - { "multilink", o_bool, &multilink, - "Enable multilink operation", OPT_PRIO | 1 }, -diff --git a/pppd/pppd.h b/pppd/pppd.h -index e65106d4c126..b11670586244 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -328,6 +328,8 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */ - extern int connect_delay; /* Time to delay after connect script */ - extern int max_data_rate; /* max bytes/sec through charshunt */ - extern int req_unit; /* interface unit number to use */ -+extern char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */ -+extern char path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */ - extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */ - extern bool multilink; /* enable multilink operation */ - extern bool noendpoint; /* don't send or accept endpt. discrim. */ diff --git a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch deleted file mode 100644 index 32629026c..000000000 --- a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch +++ /dev/null 
@@ -1,47 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] ppp-2.4.2-stripMSdomain - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/chap-new.c | 11 +++++++++++ - 1 file changed, 11 insertions(+) - -diff --git a/pppd/chap-new.c b/pppd/chap-new.c -index 2714bff64785..7fd7087a5e2c 100644 ---- a/pppd/chap-new.c -+++ b/pppd/chap-new.c -@@ -58,6 +58,7 @@ int (*chap_verify_hook)(char *name, char *ourname, int id, - int chap_timeout_time = 3; - int chap_max_transmits = 10; - int chap_rechallenge_time = 0; -+int chapms_strip_domain = 0; - - /* - * Command-line options. -@@ -69,6 +70,8 @@ static option_t chap_option_list[] = { - "Set max #xmits for challenge", OPT_PRIO }, - { "chap-interval", o_int, &chap_rechallenge_time, - "Set interval for rechallenge", OPT_PRIO }, -+ { "chapms-strip-domain", o_bool, &chapms_strip_domain, -+ "Strip the domain prefix before the Username", 1 }, - { NULL } - }; - -@@ -336,6 +339,14 @@ chap_handle_response(struct chap_server_state *ss, int id, - /* Null terminate and clean remote name. */ - slprintf(rname, sizeof(rname), "%.*v", len, name); - name = rname; -+ -+ /* strip the MS domain name */ -+ if (chapms_strip_domain && strrchr(rname, '\\')) { -+ char tmp[MAXNAMELEN+1]; -+ -+ strcpy(tmp, strrchr(rname, '\\') + 1); -+ strcpy(rname, tmp); -+ } - } - - if (chap_verify_hook) diff --git a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch deleted file mode 100644 index 6a2e17088..000000000 --- a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch +++ /dev/null 
@@ -1,38 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 -Subject: [PATCH] export $CALL_FILE to the link scripts - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/options.c | 1 + - pppd/pppd.8 | 3 +++ - 2 files changed, 4 insertions(+) - -diff --git a/pppd/options.c b/pppd/options.c -index a8f3aa4590a3..340797386dd6 100644 ---- a/pppd/options.c -+++ b/pppd/options.c -@@ -1482,6 +1482,7 @@ callfile(argv) - if ((fname = (char *) malloc(l)) == NULL) - novm("call file name"); - slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg); -+ script_setenv("CALL_FILE", arg, 0); - - ok = options_from_file(fname, 1, 1, 1); - -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index 481aa8be672b..848ca8a16b77 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -1662,6 +1662,9 @@ the connection. - .B LINKNAME - The logical name of the link, set with the \fIlinkname\fR option. - .TP -+.B CALL_FILE -+The value of the \fIcall\fR option. -+.TP - .B DNS1 - If the peer supplies DNS server addresses, this variable is set to the - first DNS server address supplied (whether or not the usepeerdns diff --git a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch deleted file mode 100644 index 01376cf14..000000000 --- a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 -Subject: [PATCH] ipv6-accept-remote - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/ipv6cp.c | 5 ++++- - pppd/ipv6cp.h | 3 ++- - pppd/pppd.8 | 5 +++++ - 3 files changed, 11 insertions(+), 2 deletions(-) - -diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c -index c1602f41c206..432170462196 100644 ---- a/pppd/ipv6cp.c -+++ b/pppd/ipv6cp.c -@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = { - - { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local, - "Accept peer's interface identifier for us", 1 }, -+ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote, -+ "Accept peer's interface identifier for itself", 1 }, - - { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip, - "Use (default) IPv4 address as interface identifier", 1 }, -@@ -435,6 +437,7 @@ ipv6cp_init(unit) - memset(ao, 0, sizeof(*ao)); - - wo->accept_local = 1; -+ wo->accept_remote = 1; - wo->neg_ifaceid = 1; - ao->neg_ifaceid = 1; - -@@ -960,7 +963,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree) - orc = CONFREJ; /* Reject CI */ - break; - } -- if (!eui64_iszero(wo->hisid) && -+ if (!eui64_iszero(wo->hisid) && !wo->accept_remote && - !eui64_equals(ifaceid, wo->hisid) && - eui64_iszero(go->hisid)) { - -diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h -index 2f4c06ddc189..1617707ebbde 100644 ---- a/pppd/ipv6cp.h -+++ b/pppd/ipv6cp.h -@@ -150,7 +150,8 @@ - typedef struct ipv6cp_options { - int neg_ifaceid; /* Negotiate interface identifier? */ - int req_ifaceid; /* Ask peer to send interface identifier? */ -- int accept_local; /* accept peer's value for iface id? */ -+ int accept_local; /* accept peer's value for our iface id? */ -+ int accept_remote; /* accept peer's value for his iface id? 
*/ - int opt_local; /* ourtoken set by option */ - int opt_remote; /* histoken set by option */ - int use_ip; /* use IP as interface identifier */ -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index 848ca8a16b77..65bbe721f761 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6 - interface identifier, even if the local IPv6 interface identifier - was specified in an option. - .TP -+.B ipv6cp\-accept\-remote -+With this option, pppd will accept the peer's idea of its (remote) -+IPv6 interface identifier, even if the remote IPv6 interface -+identifier was specified in an option. -+.TP - .B ipv6cp\-max\-configure \fIn - Set the maximum number of IPv6CP configure-request transmissions to - \fIn\fR (default 10). diff --git a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch deleted file mode 100644 index 2a8a029df..000000000 --- a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch +++ /dev/null 
@@ -1,43 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 -Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id() - -This fixes the following compile-time warning when building with --D_FORTIFY_SOURCE=2: - -In file included from /usr/include/string.h:638:0, - from ./includes.h:26, - from clientid.c:12: -In function 'strncat', - inlined from 'rc_map2id' at clientid.c:113:9: -/usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to -__builtin___strncat_chk might overflow destination buffer [enabled by default] - return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); - ^ - -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a -Forwarded: no -Reviewed-by: Chris Boot <bootc@debian.org> -Last-Update: 2014-01-12 - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/radius/clientid.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/radius/clientid.c b/pppd/plugins/radius/clientid.c -index d49579c43cc3..7de021139b56 100644 ---- a/pppd/plugins/radius/clientid.c -+++ b/pppd/plugins/radius/clientid.c -@@ -110,7 +110,7 @@ UINT4 rc_map2id(char *name) - if (*name != '/') - strcpy(ttyname, "/dev/"); - -- strncat(ttyname, name, sizeof(ttyname)); -+ strncat(ttyname, name, sizeof(ttyname)-strlen(ttyname)-1); - - for(p = map2id_list; p; p = p->next) - if (!strcmp(ttyname, p->name)) return p->id; diff --git a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch deleted file mode 100644 index e21f129ad..000000000 --- a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch +++ /dev/null 
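Review bot: The header of the deleted patch says 'Forwarded: no', so the strncat() bound in rc_map2id() ('sizeof(ttyname)-strlen(ttyname)-1') may not be present in 2.4.9 and should be checked before the file is removed. The original call passed 'sizeof(ttyname)' as the length although "/dev/" may already have been copied into the buffer, which is what the -D_FORTIFY_SOURCE=2 warning quoted in the patch description flags. If pppd/plugins/radius/clientid.c in 2.4.9 still has the unbounded form, carry this patch forward in the new series; otherwise mention in the commit message that upstream fixed it.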
@@ -1,36 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 -Subject: [PATCH] Fix buffer overflow in rc_mksid() - - rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. - . - If the process id is bigger than 65535 (FFFF), its hex representation will be - longer than 4 characters, resulting in a buffer overflow. - . - The bug can be exploited to cause a remote DoS. - . -Author: Emanuele Rocca <ema@debian.org> -Bug-Debian: https://bugs.debian.org/782450 -Last-Update: <2015-04-14> - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/plugins/radius/util.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c -index 6f976a712951..166bd5f31d7a 100644 ---- a/pppd/plugins/radius/util.c -+++ b/pppd/plugins/radius/util.c -@@ -77,7 +77,7 @@ rc_mksid (void) - static unsigned short int cnt = 0; - sprintf (buf, "%08lX%04X%02hX", - (unsigned long int) time (NULL), -- (unsigned int) getpid (), -+ (unsigned int) getpid () % 65535, - cnt & 0xFF); - cnt++; - return buf; diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch deleted file mode 100644 index bd462d4f8..000000000 --- a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch +++ /dev/null 
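Review bot: The commit message should confirm that rc_mksid() in ppp 2.4.9 bounds the PID field, since the patch deleted here is described as fixing a buffer overflow that "can be exploited to cause a remote DoS" (Bug-Debian 782450). In the format string "%08lX%04X%02hX" the '%04X' is a minimum width only, so without the '% 65535' applied to getpid() a PID above 0xFFFF prints more than the four hex digits reserved for it. If pppd/plugins/radius/util.c in 2.4.9 still formats the raw PID, keep the fix rebased instead of deleting it.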
@@ -1,3383 +0,0 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 -Subject: [PATCH] EAP-TLS authentication support for PPP - -Origin: https://www.nikhef.nl/~janjust/ppp/download.html -Bug-Debian: https://bugs.debian.org/602503 -Bug-Ubuntu: https://launchpad.net/bugs/643417 -Forwarded: not-needed -Author: Jan Just Keijser <janjust@nikhef.nl> -Last-Update: 2018-11-04 - -This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following -changes: - - - Patch refreshed to remove fuzz. - - Trailing spaces removed. - - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - README.eap-tls | 291 +++++++++ - etc.ppp/eaptls-client | 10 + - etc.ppp/eaptls-server | 11 + - etc.ppp/openssl.cnf | 14 + - linux/Makefile.top | 6 +- - pppd/Makefile.linux | 12 + - pppd/auth.c | 413 ++++++++++++- - pppd/ccp.c | 20 +- - pppd/chap-md5.c | 4 + - pppd/eap-tls.c | 1383 +++++++++++++++++++++++++++++++++++++++++++ - pppd/eap-tls.h | 107 ++++ - pppd/eap.c | 463 ++++++++++++++- - pppd/eap.h | 32 +- - pppd/md5.c | 4 + - pppd/md5.h | 3 + - pppd/pathnames.h | 7 + - pppd/plugins/Makefile.linux | 3 + - pppd/plugins/passprompt.c | 3 + - pppd/plugins/passwordfd.c | 4 + - pppd/pppd.8 | 33 ++ - pppd/pppd.h | 9 + - 21 files changed, 2825 insertions(+), 7 deletions(-) - create mode 100644 README.eap-tls - create mode 100644 etc.ppp/eaptls-client - create mode 100644 etc.ppp/eaptls-server - create mode 100644 etc.ppp/openssl.cnf - create mode 100644 pppd/eap-tls.c - create mode 100644 pppd/eap-tls.h - -diff --git a/README.eap-tls b/README.eap-tls -new file mode 100644 -index 000000000000..107e84db5e81 ---- /dev/null -+++ b/README.eap-tls -@@ -0,0 +1,291 @@ -+EAP-TLS authentication support for PPP -+====================================== -+ -+1. Intro -+ -+ The Extensible Authentication Protocol (EAP; RFC 3748) is a -+ security protocol that can be used with PPP. 
It provides a means -+ to plug in multiple optional authentication methods. -+ -+ Transport Level Security (TLS; RFC 5216) provides for mutual -+ authentication, integrity-protected ciphersuite negotiation and -+ key exchange between two endpoints. It also provides for optional -+ MPPE encryption. -+ -+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, -+ allowing TLS mutual authentication to be used as a generic EAP -+ mechanism. It also provides optional encryption using the MPPE -+ protocol. -+ -+ This patch provide EAP-TLS support to pppd. -+ This authentication method can be used in both client or server -+ mode. -+ -+2. Building -+ -+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) -+ is required. Any version from 0.9.7 should work. -+ -+ Configure, compile, and install as usual. -+ -+3. Configuration -+ -+ On the client side there are two ways to configure EAP-TLS: -+ -+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters -+ -+ 2. edit the /etc/ppp/eaptls-client file. -+ Insert a line for each system with which you use EAP-TLS. -+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ The file containing the certificate chain for the -+ client in PEM format -+ - Server certificate file -+ If you want to specify the certificate that the -+ server is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM -+ format. -+ - Client private key file -+ The file containing the client private key in PEM format. -+ -+ -+ On the server side edit the /etc/ppp/eaptls-server file. -+ Insert a line for each system with which you use EAP-TLS. 
-+ The line is composed of this fields separated by tab: -+ -+ - Client name -+ The name used by the client for authentication, can be * -+ - Server name -+ The name of the server, can be * -+ - Client certificate file -+ If you want to specify the certificate that the -+ client is allowed to use, put the certificate file name. -+ Else put a dash '-'. -+ - Server certificate file -+ The file containing the certificate chain for the -+ server in PEM format -+ - CA certificate file -+ The file containing the trusted CA certificates in PEM format. -+ - Client private key file -+ The file containing the server private key in PEM format. -+ - addresses -+ A list of IP addresses the client is allowed to use. -+ -+ -+ OpenSSL engine support is included starting with v0.95 of this patch. -+ Currently the only engine tested is the 'pkcs11' engine (hardware token -+ support). To use the 'pksc11' engine: -+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: -+ <engine>:<identifier> -+ e.g. -+ pkcs11:123456 -+ -+ - The certificate can also be loaded from the 'pkcs11' engine using -+ a special client certificate filename in the /etc/ppp/eaptls-client file: -+ <engine>:<identifier> -+ e.g. -+ pkcs11:123456 -+ -+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior -+ to starting 'pppd'. A sample openssl.cnf file is -+ -+ openssl_conf = openssl_def -+ -+ [ openssl_def ] -+ engines = engine_section -+ -+ [ engine_section ] -+ pkcs11 = pkcs11_section -+ -+ [ pkcs11_section ] -+ engine_id = pkcs11 -+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+ MODULE_PATH = /usr/lib64/libeTPkcs11.so -+ init = 0 -+ -+ - There are two ways to specify a password/PIN for the PKCS11 engine: -+ - inside the openssl.cnf file using -+ PIN = your-secret-pin -+ Note The keyword 'PIN' is case sensitive! -+ - Using the 'password' in the ppp options file. 
-+ From v0.97 of the eap-tls patch the password can also be supplied -+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c -+ for an example). -+ -+ -+4. Options -+ -+ These pppd options are available: -+ -+ ca <ca-file> -+ Use the CA public certificate found in <ca-file> in PEM format -+ cert <cert-file> -+ Use the client public certificate found in <cert-file> in PEM format -+ or in engine:engine_id format -+ key <key-file> -+ Use the client private key found in <key-file> in PEM format -+ or in engine:engine_id format -+ crl <crl-file> -+ Use the Certificate Revocation List (CRL) file <crl-file> in PEM format. -+ crl-dir <dir> -+ Use CRL files from directory <dir>. It contains CRL files in PEM -+ format and each file contains a CRL. The files are looked up -+ by the issuer name hash value. Use the c_rehash utility -+ to create necessary links. -+ need-peer-eap -+ If the peer doesn't ask us to authenticate or doesn't use eap -+ to authenticate us, disconnect. -+ -+ Note: -+ password-encrypted certificates can be used as of v0.94 of this -+ patch. The password for the eap-tls.key file is specified using -+ the regular -+ password .... -+ statement in the ppp options file, or by using the appropriate -+ plugin which supplies a 'eaptls_passwd_hook' routine. -+ -+5. Connecting -+ -+ If you're setting up a pppd server, edit the EAP-TLS configuration file -+ as written above and then run pppd with the 'auth' option to authenticate -+ the client. The EAP-TLS method will be used if the other eap methods can't -+ be used (no secrets). -+ -+ If you're setting up a client, edit the configuration file and then run -+ pppd with 'remotename' option to specify the server name. Add the -+ 'need-peer-eap' option if you want to be sure the peer ask you to -+ authenticate (and to use eap) and to disconnect if it doesn't. -+ -+6. 
Example -+ -+ The following example can be used to connect a Linux client with the 'pptp' -+ package to a Linux server running the 'pptpd' (PoPToP) package. The server -+ was configured with a certificate with name (CN) 'pptp-server', the client -+ was configured with a certificate with name (CN) 'pptp-client', both -+ signed by the same Certificate Authority (CA). -+ -+ Server side: -+ - /etc/pptpd.conf file: -+ option /etc/ppp/options-pptpd-eaptls -+ localip 172.16.1.1 -+ remoteip 172.16.1.10-20 -+ - /etc/ppp/options-pptpd-eaptls file: -+ name pptp-server -+ lock -+ mtu 1500 -+ mru 1450 -+ auth -+ lcp-echo-failure 3 -+ lcp-echo-interval 5 -+ nodeflate -+ nobsdcomp -+ nopredictor1 -+ nopcomp -+ noaccomp -+ -+ require-eap -+ require-mppe-128 -+ -+ crl /home/janjust/ppp/keys/crl.pem -+ -+ debug -+ logfile /tmp/pppd.log -+ -+ - /etc/ppp/eaptls-server file: -+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * -+ -+ - On the server, run -+ pptdp --conf /etc/pptpd.conf -+ -+ Client side: -+ - Run -+ pppd noauth require-eap require-mppe-128 \ -+ ipcp-accept-local ipcp-accept-remote noipdefault \ -+ cert /etc/ppp/keys/pptp-client.crt \ -+ key /etc/ppp/keys/pptp-client.key \ -+ ca /etc/ppp/keys/ca.crt \ -+ name pptp-client remotename pptp-server \ -+ debug logfile /tmp/pppd.log -+ pty "pptp pptp-server.example.com --nolaunchpppd" -+ -+ Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info. -+ -+7. Notes -+ -+ This is experimental code. -+ Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl> -+ -+8. Changelog of ppp-<>-eaptls-mppe-* patches -+ -+v0.7 (22-Nov-2005) -+ - First version of the patch to include MPPE support -+ - ppp-2.4.3 only -+v0.9 (25-Jul-2006) -+ - Bug fixes -+ - First version for ppp-2.4.4 -+v0.91 (03-Sep-2006) -+ - Added missing #include for md5.h -+ - Last version for ppp-2.4.3 -+v0.92 (22-Apr-2008) -+ - Fix for openssl 0.9.8 issue with md5 function overload. 
-+v0.93 (14-Aug-2008) -+ - Make sure 'noauth' option can be used to bypass server certificate verification. -+v0.94 (15-Oct-2008) -+ - Added support for password-protected private keys by (ab)using the 'password' field. -+v0.95 (23-Dec-2009) -+ - First version with OpenSSL engine support. -+v0.96 (27-Jan-2010) -+ - Added fully functional support for OpenSSL engines (PKCS#11) -+ - First version for ppp-2.4.5 -+v0.97 (20-Apr-2010) -+ - Some bug fixes for v0.96 -+ - Added support for entering the password via a plugin. The sample plugin -+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. -+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. -+ - Added support for specifying the client CA, certificate and private key on the command-line -+ or via the ppp config file. -+v0.98 (20-Apr-2010) -+ - Fix initialisation bug when using ca/cert/key command-line options. -+ - Last version for ppp-2.4.4 -+v0.99 (05-Oct-2010) -+ - Fix coredump when using multilink option. -+v0.991 (08-Aug-2011) -+ - Fix compilation issue with openssl 1.0. -+v0.992 (01-Dec-2011) -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. -+v0.993 (24-Apr-2012) -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. -+v0.994 (11-Jun-2012) -+ - Fix compilation issue on Ubuntu 11.10. -+v0.995 (27-May-2014) -+ - Add support for a CRL file using the command-line option 'crl' -+ (prior only 'crl-dir' was supported). -+ - Fix segfault when pkcs11 enginename was not specified correctly. -+ - Fix segfault when client was misconfigured. -+ - Disable SSL Session Ticket support as Windows 8 does not support this. -+v0.996 (28-May-2014) -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' -+ - Add EAP-TLS-specific options to pppd.8 manual page. -+ - Updated README.eap-tls file with new options and provide an example. 
-+v0.997 (19-Jun-2014) -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET -+ - Fix bug in initialisation code with fragmented packets. -+v0.998 (13-Mar-2015) -+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 -+v0.999 (11-May-2017) -+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. -+v1.101 (1-Jun-2018) -+ - Fix vulnerabilities CVE-2018-11574. -+v1.102 (2-Nov-2018) -+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2. -+ This works both when compiling against OpenSSL 1.0.1+ and 1.1+. -+ - Print warning when certificate is either not yet valid or has expired. -+ - Perform better peer certificate checks. -+ - Allow certificate chain files to be used. -diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client -new file mode 100644 -index 000000000000..7782f0e2a065 ---- /dev/null -+++ b/etc.ppp/eaptls-client -@@ -0,0 +1,10 @@ -+# Parameters for authentication using EAP-TLS (client) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (required) -+# server certificate file (optional, if unused put '-') -+# CA certificate file (required) -+# client private key file (required) -+ -+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key -diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server -new file mode 100644 -index 000000000000..fa53cbd197cf ---- /dev/null -+++ b/etc.ppp/eaptls-server -@@ -0,0 +1,11 @@ -+# Parameters for authentication using EAP-TLS (server) -+ -+# client name (can be *) -+# server name (can be *) -+# client certificate file (optional, if unused put '-') -+# server certificate file (required) -+# CA certificate file (required) -+# server private key file (required) -+# allowed addresses (required, can be *) -+ -+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 -diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf -new file mode 100644 -index 
000000000000..dd32f305d680 ---- /dev/null -+++ b/etc.ppp/openssl.cnf -@@ -0,0 +1,14 @@ -+openssl_conf = openssl_def -+ -+[ openssl_def ] -+engines = engine_section -+ -+[ engine_section ] -+pkcs11 = pkcs11_section -+ -+[ pkcs11_section ] -+engine_id = pkcs11 -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so -+MODULE_PATH = /usr/lib64/libeTPkcs11.so -+init = 0 -+ -diff --git a/linux/Makefile.top b/linux/Makefile.top -index f63d45e58a78..894f8f32c9e4 100644 ---- a/linux/Makefile.top -+++ b/linux/Makefile.top -@@ -26,7 +26,7 @@ install-progs: - cd pppdump; $(MAKE) $(MFLAGS) install - - install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ -- $(ETCDIR)/chap-secrets -+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client - - install-devel: - cd pppd; $(MAKE) $(MFLAGS) install-devel -@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets: - $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ - $(ETCDIR)/chap-secrets: - $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ -+$(ETCDIR)/eaptls-server: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ -+$(ETCDIR)/eaptls-client: -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ - - $(BINDIR): - $(INSTALL) -d -m 755 $@ -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 5549145e5791..4a11d5fea748 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -76,6 +76,9 @@ CBCP=y - # Use libutil - USE_LIBUTIL=y - -+# Enable EAP-TLS authentication (requires libssl and libcrypto) -+USE_EAPTLS=y -+ - MAXOCTETS=y - - INCLUDE_DIRS= -I../include -@@ -116,6 +119,15 @@ HEADERS += sha1.h - PPPDOBJS += sha1.o - endif - -+# EAP-TLS -+ifdef USE_EAPTLS -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include -+LIBS += -lssl -lcrypto -+PPPDSRC += eap-tls.c -+HEADERS += eap-tls.h -+PPPDOBJS += eap-tls.o -+endif -+ - ifdef HAS_SHADOW - CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) -diff --git a/pppd/auth.c b/pppd/auth.c -index 4271af687102..45065c58bfcc 100644 ---- a/pppd/auth.c -+++ b/pppd/auth.c -@@ -109,6 +109,9 @@ - 
#include "upap.h" - #include "chap-new.h" - #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#endif - #ifdef CBCP_SUPPORT - #include "cbcp.h" - #endif -@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL; - /* Hook for a plugin to get the CHAP password for authenticating us */ - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; - -+#ifdef USE_EAPTLS -+/* Hook for a plugin to get the EAP-TLS password for authenticating us */ -+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; -+#endif -+ - /* Hook for a plugin to say whether it is OK if the peer - refuses to authenticate. */ - int (*null_auth_hook) __P((struct wordlist **paddrs, -@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */ - bool explicit_user = 0; /* Set if "user" option supplied */ - bool explicit_passwd = 0; /* Set if "password" option supplied */ - char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ -+#ifdef USE_EAPTLS -+char *cacert_file = NULL; /* CA certificate file (pem format) */ -+char *cert_file = NULL; /* client certificate file (pem format) */ -+char *privkey_file = NULL; /* client private key file (pem format) */ -+char *crl_dir = NULL; /* directory containing CRL files */ -+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ -+bool need_peer_eap = 0; /* Require peer to authenticate us */ -+#endif - - static char *uafname; /* name of most recent +ua file */ - -@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *)); - static int have_chap_secret __P((char *, char *, int, int *)); - static int have_srp_secret __P((char *client, char *server, int need_ip, - int *lacks_ipp)); -+ -+#ifdef USE_EAPTLS -+static int have_eaptls_secret_server -+__P((char *client, char *server, int need_ip, int *lacks_ipp)); -+static int have_eaptls_secret_client __P((char *client, char *server)); -+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, -+ char 
*cli_cert, char *serv_cert, -+ char *ca_cert, char *pk, -+ struct wordlist ** addrs, -+ struct wordlist ** opts, -+ char *filename, int flags)); -+#endif -+ - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); - static int scan_authfile __P((FILE *, char *, char *, char *, - struct wordlist **, struct wordlist **, -@@ -401,6 +430,15 @@ option_t auth_options[] = { - "Set telephone number(s) which are allowed to connect", - OPT_PRIV | OPT_A2LIST }, - -+#ifdef USE_EAPTLS -+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, -+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, -+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, -+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, -+ { "crl", o_string, &crl_file, "Use specific CRL file" }, -+ { "need-peer-eap", o_bool, &need_peer_eap, -+ "Require the peer to authenticate us", 1 }, -+#endif /* USE_EAPTLS */ - { NULL } - }; - -@@ -730,6 +768,9 @@ link_established(unit) - lcp_options *wo = &lcp_wantoptions[unit]; - lcp_options *go = &lcp_gotoptions[unit]; - lcp_options *ho = &lcp_hisoptions[unit]; -+#ifdef USE_EAPTLS -+ lcp_options *ao = &lcp_allowoptions[unit]; -+#endif - int i; - struct protent *protp; - -@@ -764,6 +805,22 @@ link_established(unit) - } - } - -+#ifdef USE_EAPTLS -+ if (need_peer_eap && !ao->neg_eap) { -+ warn("eap required to authenticate us but no suitable secrets"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_AUTH_TOPEER_FAILED; -+ return; -+ } -+ -+ if (need_peer_eap && !ho->neg_eap) { -+ warn("peer doesn't want to authenticate us with eap"); -+ lcp_close(unit, "couldn't negotiate eap"); -+ status = EXIT_PEER_AUTH_FAILED; -+ return; -+ } -+#endif -+ - new_phase(PHASE_AUTHENTICATE); - auth = 0; - if (go->neg_eap) { -@@ -1277,6 +1334,15 @@ auth_check_options() - our_name, 1, &lacks_ip); - } - -+#ifdef USE_EAPTLS -+ if (!can_auth && wo->neg_eap) { -+ can_auth = -+ 
have_eaptls_secret_server((explicit_remote ? remote_name : -+ NULL), our_name, 1, &lacks_ip); -+ -+ } -+#endif -+ - if (auth_required && !can_auth && noauth_addrs == NULL) { - if (default_auth) { - option_error( -@@ -1331,7 +1397,11 @@ auth_reset(unit) - passwd[0] != 0 || - (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, - (explicit_remote? remote_name: NULL), 0, NULL))) || -- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); -+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) -+#ifdef USE_EAPTLS -+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) -+#endif -+ ); - - hadchap = -1; - if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) -@@ -1346,8 +1416,14 @@ auth_reset(unit) - !have_chap_secret((explicit_remote? remote_name: NULL), our_name, - 1, NULL))) && - !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, -- NULL)) -+ NULL) -+#ifdef USE_EAPTLS -+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), -+ our_name, 1, NULL) -+#endif -+ ) - go->neg_eap = 0; -+ - } - - -@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) - } - - -+ - /* - * get_secret - open the CHAP secret file and return the secret - * for authenticating the given client on the given server. 
-@@ -2359,3 +2436,335 @@ auth_script(script) - - auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); - } -+ -+ -+#ifdef USE_EAPTLS -+static int -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp) -+ char *client; -+ char *server; -+ int need_ip; -+ int *lacks_ipp; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ filename = _PATH_EAPTLSSERVFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, -+ clicertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { -+ if (lacks_ipp != 0) -+ *lacks_ipp = 1; -+ ret = -1; -+ } -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+have_eaptls_secret_client(client, server) -+ char *client; -+ char *server; -+{ -+ FILE *f; -+ int ret; -+ char *filename; -+ struct wordlist *addrs = NULL; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ if (client != NULL && client[0] == 0) -+ client = NULL; -+ else if (server != NULL && server[0] == 0) -+ server = NULL; -+ -+ if (cacert_file && cert_file && privkey_file) -+ return 1; -+ -+ filename = _PATH_EAPTLSCLIFILE; -+ f = fopen(filename, "r"); -+ if (f == NULL) -+ return 0; -+ -+ ret = -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, NULL, filename, -+ 0); -+ fclose(f); -+ -+/* -+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, -+ 
servcertfile, pkfile)) -+ ret = -1; -+*/ -+ -+ if (addrs != 0) -+ free_wordlist(addrs); -+ -+ return ret >= 0; -+} -+ -+ -+static int -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, -+ addrs, opts, filename, flags) -+ FILE *f; -+ char *client; -+ char *server; -+ char *cli_cert; -+ char *serv_cert; -+ char *ca_cert; -+ char *pk; -+ struct wordlist **addrs; -+ struct wordlist **opts; -+ char *filename; -+ int flags; -+{ -+ int newline; -+ int got_flag, best_flag; -+ struct wordlist *ap, *addr_list, *alist, **app; -+ char word[MAXWORDLEN]; -+ -+ if (addrs != NULL) -+ *addrs = NULL; -+ if (opts != NULL) -+ *opts = NULL; -+ addr_list = NULL; -+ if (!getword(f, word, &newline, filename)) -+ return -1; /* file is empty??? */ -+ newline = 1; -+ best_flag = -1; -+ for (;;) { -+ /* -+ * Skip until we find a word at the start of a line. -+ */ -+ while (!newline && getword(f, word, &newline, filename)); -+ if (!newline) -+ break; /* got to end of file */ -+ -+ /* -+ * Got a client - check if it's a match or a wildcard. -+ */ -+ got_flag = 0; -+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { -+ newline = 0; -+ continue; -+ } -+ if (!ISWILD(word)) -+ got_flag = NONWILD_CLIENT; -+ -+ /* -+ * Now get a server and check if it matches. -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (!ISWILD(word)) { -+ if (server != NULL && strcmp(word, server) != 0) -+ continue; -+ got_flag |= NONWILD_SERVER; -+ } -+ -+ /* -+ * Got some sort of a match - see if it's better than what -+ * we have already. 
-+ */ -+ if (got_flag <= best_flag) -+ continue; -+ -+ /* -+ * Get the cli_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(cli_cert, word, MAXWORDLEN); -+ } else -+ cli_cert[0] = 0; -+ -+ /* -+ * Get serv_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ if (strcmp(word, "-") != 0) { -+ strlcpy(serv_cert, word, MAXWORDLEN); -+ } else -+ serv_cert[0] = 0; -+ -+ /* -+ * Get ca_cert -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(ca_cert, word, MAXWORDLEN); -+ -+ /* -+ * Get pk -+ */ -+ if (!getword(f, word, &newline, filename)) -+ break; -+ if (newline) -+ continue; -+ strlcpy(pk, word, MAXWORDLEN); -+ -+ -+ /* -+ * Now read address authorization info and make a wordlist. -+ */ -+ app = &alist; -+ for (;;) { -+ if (!getword(f, word, &newline, filename) || newline) -+ break; -+ ap = (struct wordlist *) -+ malloc(sizeof(struct wordlist) + strlen(word) + 1); -+ if (ap == NULL) -+ novm("authorized addresses"); -+ ap->word = (char *) (ap + 1); -+ strcpy(ap->word, word); -+ *app = ap; -+ app = &ap->next; -+ } -+ *app = NULL; -+ /* -+ * This is the best so far; remember it. 
-+ */ -+ best_flag = got_flag; -+ if (addr_list) -+ free_wordlist(addr_list); -+ addr_list = alist; -+ -+ if (!newline) -+ break; -+ } -+ -+ /* scan for a -- word indicating the start of options */ -+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) -+ if (strcmp(ap->word, "--") == 0) -+ break; -+ /* ap = start of options */ -+ if (ap != NULL) { -+ ap = ap->next; /* first option */ -+ free(*app); /* free the "--" word */ -+ *app = NULL; /* terminate addr list */ -+ } -+ if (opts != NULL) -+ *opts = ap; -+ else if (ap != NULL) -+ free_wordlist(ap); -+ if (addrs != NULL) -+ *addrs = addr_list; -+ else if (addr_list != NULL) -+ free_wordlist(addr_list); -+ -+ return best_flag; -+} -+ -+ -+int -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, am_server) -+ int unit; -+ char *client; -+ char *server; -+ char *clicertfile; -+ char *servcertfile; -+ char *cacertfile; -+ char *pkfile; -+ int am_server; -+{ -+ FILE *fp; -+ int ret; -+ char *filename = NULL; -+ struct wordlist *addrs = NULL; -+ struct wordlist *opts = NULL; -+ -+ /* in client mode the ca+cert+privkey can also be specified as options */ -+ if (!am_server && cacert_file && cert_file && privkey_file ) -+ { -+ strlcpy( clicertfile, cert_file, MAXWORDLEN ); -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); -+ strlcpy( pkfile, privkey_file, MAXWORDLEN ); -+ servcertfile[0] = '\0'; -+ } -+ else -+ { -+ filename = (am_server ? 
_PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); -+ addrs = NULL; -+ -+ fp = fopen(filename, "r"); -+ if (fp == NULL) -+ { -+ error("Can't open eap-tls secret file %s: %m", filename); -+ return 0; -+ } -+ -+ check_access(fp, filename); -+ -+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, -+ cacertfile, pkfile, &addrs, &opts, filename, 0); -+ -+ fclose(fp); -+ -+ if (ret < 0) return 0; -+ } -+ -+ if (eaptls_passwd_hook) -+ { -+ dbglog( "Calling eaptls password hook" ); -+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) -+ { -+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", -+ client, pkfile); -+ return 0; -+ } -+ } -+ if (am_server) -+ set_allowed_addrs(unit, addrs, opts); -+ else if (opts != NULL) -+ free_wordlist(opts); -+ if (addrs != NULL) -+ free_wordlist(addrs); -+ -+ return 1; -+} -+#endif -+ -diff --git a/pppd/ccp.c b/pppd/ccp.c -index 7d7922afcfc0..0a93b15aeef3 100644 ---- a/pppd/ccp.c -+++ b/pppd/ccp.c -@@ -540,6 +540,9 @@ ccp_resetci(f) - if (go->mppe) { - ccp_options *ao = &ccp_allowoptions[f->unit]; - int auth_mschap_bits = auth_done[f->unit]; -+#ifdef USE_EAPTLS -+ int auth_eap_bits = auth_done[f->unit]; -+#endif - int numbits; - - /* -@@ -567,8 +570,23 @@ ccp_resetci(f) - lcp_close(f->unit, "MPPE required but not available"); - return; - } -+ -+#ifdef USE_EAPTLS -+ /* -+ * MPPE is also possible in combination with EAP-TLS. -+ * It is not possible to detect if we're doing EAP or EAP-TLS -+ * at this stage, hence we accept all forms of EAP. If TLS is -+ * not used then the MPPE keys will not be derived anyway. 
-+ */ -+ /* Leave only the eap auth bits set */ -+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); -+ -+ if ((numbits == 0) && (auth_eap_bits == 0)) { -+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); -+#else - if (!numbits) { -- error("MPPE required, but MS-CHAP[v2] auth not performed."); -+ error("MPPE required, but MS-CHAP[v2] auth not performed."); -+#endif - lcp_close(f->unit, "MPPE required but not available"); - return; - } -diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c -index 77dd4ecc7059..269b52cb2041 100644 ---- a/pppd/chap-md5.c -+++ b/pppd/chap-md5.c -@@ -36,7 +36,11 @@ - #include "chap-new.h" - #include "chap-md5.h" - #include "magic.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#else - #include "md5.h" -+#endif /* USE_EAPTLS */ - - #define MD5_HASH_SIZE 16 - #define MD5_MIN_CHALLENGE 16 -diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c -new file mode 100644 -index 000000000000..df4bc1b996c9 ---- /dev/null -+++ b/pppd/eap-tls.c -@@ -0,0 +1,1383 @@ -+/* * eap-tls.c - EAP-TLS implementation for PPP -+ * -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. The name(s) of the authors of this software must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. 
-+ * -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -+ * -+ */ -+ -+#include <string.h> -+#include <unistd.h> -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <fcntl.h> -+ -+#include <openssl/conf.h> -+#include <openssl/engine.h> -+#include <openssl/hmac.h> -+#include <openssl/err.h> -+#include <openssl/x509v3.h> -+ -+#include "pppd.h" -+#include "eap.h" -+#include "eap-tls.h" -+#include "fsm.h" -+#include "lcp.h" -+#include "pathnames.h" -+ -+/* The openssl configuration file and engines can be loaded only once */ -+static CONF *ssl_config = NULL; -+static ENGINE *cert_engine = NULL; -+static ENGINE *pkey_engine = NULL; -+ -+#ifdef MPPE -+ -+#define EAPTLS_MPPE_KEY_LEN 32 -+ -+/* -+ * The following stuff is only needed if SSL_export_keying_material() is not available -+ */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10001000L -+ -+/* -+ * https://wiki.openssl.org/index.php/1.1_API_Changes -+ * tries to provide some guidance but ultimately falls short. 
-+ * -+ */ -+ -+static void HMAC_CTX_free(HMAC_CTX *ctx) -+{ -+ if (ctx != NULL) { -+ HMAC_CTX_cleanup(ctx); -+ OPENSSL_free(ctx); -+ } -+} -+ -+static HMAC_CTX *HMAC_CTX_new(void) -+{ -+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); -+ if (ctx != NULL) -+ HMAC_CTX_init(ctx); -+ return ctx; -+} -+ -+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, -+ size_t outlen) -+{ -+ if (outlen == 0) -+ return sizeof(ssl->s3->client_random); -+ if (outlen > sizeof(ssl->s3->client_random)) -+ outlen = sizeof(ssl->s3->client_random); -+ memcpy(out, ssl->s3->client_random, outlen); -+ return outlen; -+} -+ -+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, -+ size_t outlen) -+{ -+ if (outlen == 0) -+ return sizeof(ssl->s3->server_random); -+ if (outlen > sizeof(ssl->s3->server_random)) -+ outlen = sizeof(ssl->s3->server_random); -+ memcpy(out, ssl->s3->server_random, outlen); -+ return outlen; -+} -+ -+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, -+ unsigned char *out, size_t outlen) -+{ -+ if (outlen == 0) -+ return session->master_key_length; -+ if (outlen > session->master_key_length) -+ outlen = session->master_key_length; -+ memcpy(out, session->master_key, outlen); -+ return outlen; -+} -+ -+ -+/* -+ * TLS PRF from RFC 2246 -+ */ -+static void P_hash(const EVP_MD *evp_md, -+ const unsigned char *secret, unsigned int secret_len, -+ const unsigned char *seed, unsigned int seed_len, -+ unsigned char *out, unsigned int out_len) -+{ -+ HMAC_CTX *ctx_a, *ctx_out; -+ unsigned char a[HMAC_MAX_MD_CBLOCK]; -+ unsigned int size; -+ -+ ctx_a = HMAC_CTX_new(); -+ ctx_out = HMAC_CTX_new(); -+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); -+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); -+ -+ size = HMAC_size(ctx_out); -+ -+ /* Calculate A(1) */ -+ HMAC_Update(ctx_a, seed, seed_len); -+ HMAC_Final(ctx_a, a, NULL); -+ -+ while (1) { -+ /* Calculate next part of output */ -+ HMAC_Update(ctx_out, a, 
size); -+ HMAC_Update(ctx_out, seed, seed_len); -+ -+ /* Check if last part */ -+ if (out_len < size) { -+ HMAC_Final(ctx_out, a, NULL); -+ memcpy(out, a, out_len); -+ break; -+ } -+ -+ /* Place digest in output buffer */ -+ HMAC_Final(ctx_out, out, NULL); -+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); -+ out += size; -+ out_len -= size; -+ -+ /* Calculate next A(i) */ -+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); -+ HMAC_Update(ctx_a, a, size); -+ HMAC_Final(ctx_a, a, NULL); -+ } -+ -+ HMAC_CTX_free(ctx_a); -+ HMAC_CTX_free(ctx_out); -+ memset(a, 0, sizeof(a)); -+} -+ -+static void PRF(const unsigned char *secret, unsigned int secret_len, -+ const unsigned char *seed, unsigned int seed_len, -+ unsigned char *out, unsigned char *buf, unsigned int out_len) -+{ -+ unsigned int i; -+ unsigned int len = (secret_len + 1) / 2; -+ const unsigned char *s1 = secret; -+ const unsigned char *s2 = secret + (secret_len - len); -+ -+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); -+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); -+ -+ for (i=0; i < out_len; i++) { -+ out[i] ^= buf[i]; -+ } -+} -+ -+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, -+ const char *label, size_t llen, -+ const unsigned char *p, size_t plen, -+ int use_context) -+{ -+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; -+ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN]; -+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; -+ size_t master_key_length; -+ unsigned char *pp; -+ -+ pp = seed; -+ -+ memcpy(pp, label, llen); -+ pp += llen; -+ -+ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE); -+ pp += SSL3_RANDOM_SIZE; -+ -+ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE); -+ -+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, -+ sizeof(master_key)); -+ PRF(master_key, master_key_length, seed, llen, out, buf, olen); -+ -+ return 1; -+} -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */ -+ -+ -+/* -+ * OpenSSL 1.1+ 
introduced a generic TLS_method() -+ * For older releases we substitute the appropriate method -+ */ -+ -+#if OPENSSL_VERSION_NUMBER < 0x10100000L -+ -+#define TLS_method SSLv23_method -+ -+#define SSL3_RT_HEADER 0x100 -+ -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ -+ -+ -+/* -+ * Generate keys according to RFC 2716 and add to reply -+ */ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, -+ int client) -+{ -+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; -+ size_t prf_size = strlen(prf_label); -+ unsigned char *p; -+ -+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) -+ { -+ warn( "EAP-TLS: Failed generating keying material" ); -+ return; -+ } -+ -+ /* -+ * We now have the master send and receive keys. -+ * From these, generate the session send and receive keys. -+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) -+ */ -+ if (client) -+ { -+ p = out; -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); -+ p += EAPTLS_MPPE_KEY_LEN; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); -+ } -+ else -+ { -+ p = out; -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); -+ p += EAPTLS_MPPE_KEY_LEN; -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); -+ } -+ -+ mppe_keys_set = 1; -+} -+ -+#endif -+ -+void log_ssl_errors( void ) -+{ -+ unsigned long ssl_err = ERR_get_error(); -+ -+ if (ssl_err != 0) -+ dbglog("EAP-TLS SSL error stack:"); -+ while (ssl_err != 0) { -+ dbglog( ERR_error_string( ssl_err, NULL ) ); -+ ssl_err = ERR_get_error(); -+ } -+} -+ -+ -+int password_callback (char *buf, int size, int rwflag, void *u) -+{ -+ if (buf) -+ { -+ strncpy (buf, passwd, size); -+ return strlen (buf); -+ } -+ return 0; -+} -+ -+ -+CONF *eaptls_ssl_load_config( void ) -+{ -+ CONF *config; -+ int ret_code; -+ long error_line = 33; -+ -+ config = NCONF_new( NULL ); -+ dbglog( "Loading OpenSSL config file" ); -+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); -+ 
if (ret_code == 0) -+ { -+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); -+ NCONF_free( config ); -+ config = NULL; -+ ERR_clear_error(); -+ } -+ -+ dbglog( "Loading OpenSSL built-ins" ); -+ ENGINE_load_builtin_engines(); -+ OPENSSL_load_builtin_modules(); -+ -+ dbglog( "Loading OpenSSL configured modules" ); -+ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) -+ { -+ warn( "EAP-TLS: Error loading OpenSSL modules" ); -+ log_ssl_errors(); -+ config = NULL; -+ } -+ -+ return config; -+} -+ -+ENGINE *eaptls_ssl_load_engine( char *engine_name ) -+{ -+ ENGINE *e = NULL; -+ -+ dbglog( "Enabling OpenSSL auto engines" ); -+ ENGINE_register_all_complete(); -+ -+ dbglog( "Loading OpenSSL '%s' engine support", engine_name ); -+ e = ENGINE_by_id( engine_name ); -+ if (!e) -+ { -+ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); -+ e = ENGINE_by_id( "dynamic" ); -+ if (e) -+ { -+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) -+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) -+ { -+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); -+ log_ssl_errors(); -+ ENGINE_free(e); -+ e = NULL; -+ } -+ } -+ else -+ { -+ warn( "EAP-TLS: Cannot load dynamic engine support" ); -+ } -+ } -+ -+ if (e) -+ { -+ dbglog( "Initialising engine" ); -+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) -+ { -+ warn( "EAP-TLS: Cannot use that engine" ); -+ log_ssl_errors(); -+ ENGINE_free(e); -+ e = NULL; -+ } -+ } -+ -+ return e; -+} -+ -+/* -+ * Initialize the SSL stacks and tests if certificates, key and crl -+ * for client or server use can be loaded. 
-+ */ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, -+ char *certfile, char *peer_certfile, char *privkeyfile) -+{ -+ char *cert_engine_name = NULL; -+ char *cert_identifier = NULL; -+ char *pkey_engine_name = NULL; -+ char *pkey_identifier = NULL; -+ SSL_CTX *ctx; -+ SSL *ssl; -+ X509_STORE *certstore; -+ X509_LOOKUP *lookup; -+ X509 *tmp; -+ int ret; -+ -+ /* -+ * Without these can't continue -+ */ -+ if (!cacertfile[0]) -+ { -+ error("EAP-TLS: CA certificate missing"); -+ return NULL; -+ } -+ -+ if (!certfile[0]) -+ { -+ error("EAP-TLS: User certificate missing"); -+ return NULL; -+ } -+ -+ if (!privkeyfile[0]) -+ { -+ error("EAP-TLS: User private key missing"); -+ return NULL; -+ } -+ -+ SSL_library_init(); -+ SSL_load_error_strings(); -+ -+ ctx = SSL_CTX_new(TLS_method()); -+ -+ if (!ctx) { -+ error("EAP-TLS: Cannot initialize SSL CTX context"); -+ goto fail; -+ } -+ -+ /* if the certificate filename is of the form engine:id. e.g. -+ pkcs11:12345 -+ then we try to load and use this engine. -+ If the certificate filename starts with a / or . then we -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier -+ */ -+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) -+ { -+ cert_identifier = index( certfile, ':' ); -+ -+ if (cert_identifier) -+ { -+ cert_engine_name = certfile; -+ *cert_identifier = '\0'; -+ cert_identifier++; -+ -+ dbglog( "Found certificate engine '%s'", cert_engine_name ); -+ dbglog( "Found certificate identifier '%s'", cert_identifier ); -+ } -+ } -+ -+ /* if the privatekey filename is of the form engine:id. e.g. -+ pkcs11:12345 -+ then we try to load and use this engine. -+ If the privatekey filename starts with a / or . 
then we -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier -+ */ -+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) -+ { -+ pkey_identifier = index( privkeyfile, ':' ); -+ -+ if (pkey_identifier) -+ { -+ pkey_engine_name = privkeyfile; -+ *pkey_identifier = '\0'; -+ pkey_identifier++; -+ -+ dbglog( "Found privatekey engine '%s'", pkey_engine_name ); -+ dbglog( "Found privatekey identifier '%s'", pkey_identifier ); -+ } -+ } -+ -+ if (cert_identifier && pkey_identifier) -+ { -+ if (strlen( cert_identifier ) == 0) -+ { -+ if (strlen( pkey_identifier ) == 0) -+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); -+ else -+ { -+ dbglog( "Substituting privatekey identifier for certificate identifier" ); -+ cert_identifier = pkey_identifier; -+ } -+ } -+ else -+ { -+ if (strlen( pkey_identifier ) == 0) -+ { -+ dbglog( "Substituting certificate identifier for privatekey identifier" ); -+ pkey_identifier = cert_identifier; -+ } -+ } -+ -+ } -+ -+ /* load the openssl config file only once */ -+ if (!ssl_config) -+ { -+ if (cert_engine_name || pkey_engine_name) -+ ssl_config = eaptls_ssl_load_config(); -+ -+ if (ssl_config && cert_engine_name) -+ cert_engine = eaptls_ssl_load_engine( cert_engine_name ); -+ -+ if (ssl_config && pkey_engine_name) -+ { -+ /* don't load the same engine twice */ -+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 ) -+ pkey_engine = cert_engine; -+ else -+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); -+ } -+ } -+ -+ SSL_CTX_set_default_passwd_cb (ctx, password_callback); -+ -+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) -+ { -+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); -+ goto fail; -+ } -+ -+ if (init_server) -+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); -+ -+ if (cert_engine) -+ { -+ struct -+ { -+ const char *s_slot_cert_id; -+ X509 *cert; -+ } cert_info; -+ -+ 
cert_info.s_slot_cert_id = cert_identifier; -+ cert_info.cert = NULL; -+ -+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) -+ { -+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); -+ goto fail; -+ } -+ -+ if (cert_info.cert) -+ { -+ dbglog( "Got the certificate, adding it to SSL context" ); -+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); -+ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) -+ { -+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); -+ goto fail; -+ } -+ } -+ else -+ { -+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); -+ log_ssl_errors(); -+ } -+ } -+ else -+ { -+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile)) -+ { -+ error( "EAP-TLS: Cannot use public certificate %s", certfile ); -+ goto fail; -+ } -+ } -+ -+ -+ /* -+ * Check the Before and After dates of the certificate -+ */ -+ ssl = SSL_new(ctx); -+ tmp = SSL_get_certificate(ssl); -+ -+ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL); -+ if (ret == 0) -+ { -+ warn( "EAP-TLS: Failed to read certificate notBefore field."); -+ } -+ if (ret > 0) -+ { -+ warn( "EAP-TLS: Your certificate is not yet valid!"); -+ } -+ -+ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL); -+ if (ret == 0) -+ { -+ warn( "EAP-TLS: Failed to read certificate notAfter field."); -+ } -+ if (ret < 0) -+ { -+ warn( "EAP-TLS: Your certificate has expired!"); -+ } -+ SSL_free(ssl); -+ -+ if (pkey_engine) -+ { -+ EVP_PKEY *pkey = NULL; -+ PW_CB_DATA cb_data; -+ -+ cb_data.password = passwd; -+ cb_data.prompt_info = pkey_identifier; -+ -+ dbglog( "Loading private key '%s' from engine", pkey_identifier ); -+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); -+ if (pkey) -+ { -+ dbglog( "Got the private key, adding it to SSL context" ); -+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) -+ { -+ error("EAP-TLS: Cannot use PKCS11 key %s", 
pkey_identifier); -+ goto fail; -+ } -+ } -+ else -+ { -+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); -+ log_ssl_errors(); -+ } -+ } -+ else -+ { -+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) -+ { -+ error("EAP-TLS: Cannot use private key %s", privkeyfile); -+ goto fail; -+ } -+ } -+ -+ if (SSL_CTX_check_private_key(ctx) != 1) { -+ error("EAP-TLS: Private key %s fails security check", privkeyfile); -+ goto fail; -+ } -+ -+ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */ -+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 -+#ifdef SSL_OP_NO_TICKET -+ | SSL_OP_NO_TICKET -+#endif -+ ); -+ -+ SSL_CTX_set_verify_depth(ctx, 5); -+ SSL_CTX_set_verify(ctx, -+ SSL_VERIFY_PEER | -+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, -+ &ssl_verify_callback); -+ -+ if (crl_dir) { -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { -+ error("EAP-TLS: Failed to get certificate store"); -+ goto fail; -+ } -+ -+ if (!(lookup = -+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { -+ error("EAP-TLS: Store lookup for CRL failed"); -+ -+ goto fail; -+ } -+ -+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); -+ } -+ -+ if (crl_file) { -+ FILE *fp = NULL; -+ X509_CRL *crl = NULL; -+ -+ fp = fopen(crl_file, "r"); -+ if (!fp) { -+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); -+ goto fail; -+ } -+ -+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); -+ if (!crl) { -+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file); -+ goto fail; -+ } -+ -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { -+ error("EAP-TLS: Failed to get certificate store"); -+ goto fail; -+ } -+ if (!X509_STORE_add_crl(certstore, crl)) { -+ error("EAP-TLS: Cannot add CRL to certificate store"); -+ goto fail; -+ } -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); -+ -+ } -+ -+ /* -+ * If a peer certificate file was specified, it must be valid, else fail -+ */ -+ if 
(peer_certfile[0]) { -+ if (!(tmp = get_X509_from_file(peer_certfile))) { -+ error("EAP-TLS: Error loading client certificate from file %s", -+ peer_certfile); -+ goto fail; -+ } -+ X509_free(tmp); -+ } -+ -+ return ctx; -+ -+fail: -+ log_ssl_errors(); -+ SSL_CTX_free(ctx); -+ return NULL; -+} -+ -+/* -+ * Determine the maximum packet size by looking at the LCP handshake -+ */ -+ -+int eaptls_get_mtu(int unit) -+{ -+ int mtu, mru; -+ -+ lcp_options *wo = &lcp_wantoptions[unit]; -+ lcp_options *go = &lcp_gotoptions[unit]; -+ lcp_options *ho = &lcp_hisoptions[unit]; -+ lcp_options *ao = &lcp_allowoptions[unit]; -+ -+ mtu = ho->neg_mru? ho->mru: PPP_MRU; -+ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; -+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; -+ -+ dbglog("MTU = %d", mtu); -+ return mtu; -+} -+ -+ -+/* -+ * Init the ssl handshake (server mode) -+ */ -+int eaptls_init_ssl_server(eap_state * esp) -+{ -+ struct eaptls_session *ets; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ /* -+ * Allocate new eaptls session -+ */ -+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); -+ if (!esp->es_server.ea_session) -+ fatal("Allocation error"); -+ ets = esp->es_server.ea_session; -+ -+ if (!esp->es_server.ea_peer) { -+ error("EAP-TLS: Error: client name not set (BUG)"); -+ return 0; -+ } -+ -+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); -+ -+ dbglog( "getting eaptls secret" ); -+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, -+ esp->es_server.ea_name, clicertfile, -+ servcertfile, cacertfile, pkfile, 1)) { -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", -+ esp->es_server.ea_peer, esp->es_server.ea_name ); -+ return 0; -+ } -+ -+ ets->mtu = eaptls_get_mtu(esp->es_unit); -+ -+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); -+ if (!ets->ctx) -+ goto fail; -+ -+ if (!(ets->ssl 
= SSL_new(ets->ctx))) -+ goto fail; -+ -+ /* -+ * Set auto-retry to avoid timeouts on BIO_read -+ */ -+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); -+ -+ /* -+ * Initialize the BIOs we use to read/write to ssl engine -+ */ -+ ets->into_ssl = BIO_new(BIO_s_mem()); -+ ets->from_ssl = BIO_new(BIO_s_mem()); -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); -+ -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); -+ SSL_set_msg_callback_arg(ets->ssl, ets); -+ -+ /* -+ * Attach the session struct to the connection, so we can later -+ * retrieve it when doing certificate verification -+ */ -+ SSL_set_ex_data(ets->ssl, 0, ets); -+ -+ SSL_set_accept_state(ets->ssl); -+ -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->alert_sent = 0; -+ ets->alert_recv = 0; -+ -+ /* -+ * If we specified the client certificate file, store it in ets->peercertfile, -+ * so we can check it later in ssl_verify_callback() -+ */ -+ if (clicertfile[0]) -+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); -+ else -+ ets->peercertfile[0] = 0; -+ -+ return 1; -+ -+fail: -+ SSL_CTX_free(ets->ctx); -+ return 0; -+} -+ -+/* -+ * Init the ssl handshake (client mode) -+ */ -+int eaptls_init_ssl_client(eap_state * esp) -+{ -+ struct eaptls_session *ets; -+ char servcertfile[MAXWORDLEN]; -+ char clicertfile[MAXWORDLEN]; -+ char cacertfile[MAXWORDLEN]; -+ char pkfile[MAXWORDLEN]; -+ -+ /* -+ * Allocate new eaptls session -+ */ -+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); -+ if (!esp->es_client.ea_session) -+ fatal("Allocation error"); -+ ets = esp->es_client.ea_session; -+ -+ /* -+ * If available, copy server name in ets; it will be used in cert -+ * verify -+ */ -+ if (esp->es_client.ea_peer) -+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); -+ else -+ ets->peer[0] = 0; -+ -+ ets->mtu = eaptls_get_mtu(esp->es_unit); -+ -+ dbglog( "calling get_eaptls_secret" ); -+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, -+ ets->peer, clicertfile, -+ 
servcertfile, cacertfile, pkfile, 0)) { -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", -+ esp->es_client.ea_name, ets->peer ); -+ return 0; -+ } -+ -+ dbglog( "calling eaptls_init_ssl" ); -+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); -+ if (!ets->ctx) -+ goto fail; -+ -+ ets->ssl = SSL_new(ets->ctx); -+ -+ if (!ets->ssl) -+ goto fail; -+ -+ /* -+ * Initialize the BIOs we use to read/write to ssl engine -+ */ -+ dbglog( "Initializing SSL BIOs" ); -+ ets->into_ssl = BIO_new(BIO_s_mem()); -+ ets->from_ssl = BIO_new(BIO_s_mem()); -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); -+ -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); -+ SSL_set_msg_callback_arg(ets->ssl, ets); -+ -+ /* -+ * Attach the session struct to the connection, so we can later -+ * retrieve it when doing certificate verification -+ */ -+ SSL_set_ex_data(ets->ssl, 0, ets); -+ -+ SSL_set_connect_state(ets->ssl); -+ -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->alert_sent = 0; -+ ets->alert_recv = 0; -+ -+ /* -+ * If we specified the server certificate file, store it in -+ * ets->peercertfile, so we can check it later in -+ * ssl_verify_callback() -+ */ -+ if (servcertfile[0]) -+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); -+ else -+ ets->peercertfile[0] = 0; -+ -+ return 1; -+ -+fail: -+ dbglog( "eaptls_init_ssl_client: fail" ); -+ SSL_CTX_free(ets->ctx); -+ return 0; -+ -+} -+ -+void eaptls_free_session(struct eaptls_session *ets) -+{ -+ if (ets->ssl) -+ SSL_free(ets->ssl); -+ -+ if (ets->ctx) -+ SSL_CTX_free(ets->ctx); -+ -+ free(ets); -+} -+ -+/* -+ * Handle a received packet, reassembling fragmented messages and -+ * passing them to the ssl engine -+ */ -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) -+{ -+ u_char flags; -+ u_int tlslen = 0; -+ u_char dummy[65536]; -+ -+ if (len < 1) { -+ warn("EAP-TLS: received no or invalid data"); -+ return 1; -+ } -+ -+ GETCHAR(flags, inp); -+ 
len--; -+ -+ if (flags & EAP_TLS_FLAGS_LI && len > 4) { -+ /* -+ * LenghtIncluded flag set -> this is the first packet of a message -+ */ -+ -+ /* -+ * the first 4 octets are the length of the EAP-TLS message -+ */ -+ GETLONG(tlslen, inp); -+ len -= 4; -+ -+ if (!ets->data) { -+ -+ if (tlslen > EAP_TLS_MAX_LEN) { -+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN); -+ tlslen = EAP_TLS_MAX_LEN; -+ } -+ -+ /* -+ * Allocate memory for the whole message -+ */ -+ ets->data = malloc(tlslen); -+ if (!ets->data) -+ fatal("EAP-TLS: allocation error\n"); -+ -+ ets->datalen = 0; -+ ets->tlslen = tlslen; -+ } -+ else -+ warn("EAP-TLS: non-first LI packet? that's odd..."); -+ } -+ else if (!ets->data) { -+ /* -+ * A non fragmented message without LI flag -+ */ -+ -+ ets->data = malloc(len); -+ if (!ets->data) -+ fatal("EAP-TLS: allocation error\n"); -+ -+ ets->datalen = 0; -+ ets->tlslen = len; -+ } -+ -+ if (flags & EAP_TLS_FLAGS_MF) -+ ets->frag = 1; -+ else -+ ets->frag = 0; -+ -+ if (len < 0) { -+ warn("EAP-TLS: received malformed data"); -+ return 1; -+ } -+ -+ if (len + ets->datalen > ets->tlslen) { -+ warn("EAP-TLS: received data > TLS message length"); -+ return 1; -+ } -+ -+ BCOPY(inp, ets->data + ets->datalen, len); -+ ets->datalen += len; -+ -+ if (!ets->frag) { -+ -+ /* -+ * If we have the whole message, pass it to ssl -+ */ -+ -+ if (ets->datalen != ets->tlslen) { -+ warn("EAP-TLS: received data != TLS message length"); -+ return 1; -+ } -+ -+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) -+ log_ssl_errors(); -+ -+ SSL_read(ets->ssl, dummy, 65536); -+ -+ free(ets->data); -+ ets->data = NULL; -+ ets->datalen = 0; -+ } -+ -+ return 0; -+} -+ -+/* -+ * Return an eap-tls packet in outp. -+ * A TLS message read from the ssl engine is buffered in ets->data. -+ * At each call we control if there is buffered data and send a -+ * packet of mtu bytes. 
-+ */ -+int eaptls_send(struct eaptls_session *ets, u_char ** outp) -+{ -+ bool first = 0; -+ int size; -+ u_char fromtls[65536]; -+ int res; -+ u_char *start; -+ -+ start = *outp; -+ -+ if (!ets->data) { -+ -+ if(!ets->alert_sent) -+ SSL_read(ets->ssl, fromtls, 65536); -+ -+ /* -+ * Read from ssl -+ */ -+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) -+ { -+ warn("EAP-TLS send: No data from BIO_read"); -+ return 1; -+ } -+ -+ ets->datalen = res; -+ -+ ets->data = malloc(ets->datalen); -+ BCOPY(fromtls, ets->data, ets->datalen); -+ -+ ets->offset = 0; -+ first = 1; -+ -+ } -+ -+ size = ets->datalen - ets->offset; -+ -+ if (size > ets->mtu) { -+ size = ets->mtu; -+ ets->frag = 1; -+ } else -+ ets->frag = 0; -+ -+ PUTCHAR(EAPT_TLS, *outp); -+ -+ /* -+ * Set right flags and length if necessary -+ */ -+ if (ets->frag && first) { -+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); -+ PUTLONG(ets->datalen, *outp); -+ } else if (ets->frag) { -+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp); -+ } else -+ PUTCHAR(0, *outp); -+ -+ /* -+ * Copy the data in outp -+ */ -+ BCOPY(ets->data + ets->offset, *outp, size); -+ INCPTR(size, *outp); -+ -+ /* -+ * Copy the packet in retransmission buffer -+ */ -+ BCOPY(start, &ets->rtx[0], *outp - start); -+ ets->rtx_len = *outp - start; -+ -+ ets->offset += size; -+ -+ if (ets->offset >= ets->datalen) { -+ -+ /* -+ * The whole message has been sent -+ */ -+ -+ free(ets->data); -+ ets->data = NULL; -+ ets->datalen = 0; -+ ets->offset = 0; -+ } -+ -+ return 0; -+} -+ -+/* -+ * Get the sent packet from the retransmission buffer -+ */ -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) -+{ -+ BCOPY(ets->rtx, *outp, ets->rtx_len); -+ INCPTR(ets->rtx_len, *outp); -+} -+ -+/* -+ * Verify a certificate. -+ * Most of the work (signatures and issuer attributes checking) -+ * is done by ssl; we check the CN in the peer certificate -+ * against the peer name. 
-+ */ -+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx) -+{ -+ char subject[256]; -+ char cn_str[256]; -+ X509 *peer_cert; -+ int err, depth; -+ SSL *ssl; -+ struct eaptls_session *ets; -+ -+ peer_cert = X509_STORE_CTX_get_current_cert(ctx); -+ err = X509_STORE_CTX_get_error(ctx); -+ depth = X509_STORE_CTX_get_error_depth(ctx); -+ -+ dbglog("certificate verify depth: %d", depth); -+ -+ if (auth_required && !ok) { -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), -+ subject, 256); -+ -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), -+ NID_commonName, cn_str, 256); -+ -+ dbglog("Certificate verification error:\n depth: %d CN: %s" -+ "\n err: %d (%s)\n", depth, cn_str, err, -+ X509_verify_cert_error_string(err)); -+ -+ return 0; -+ } -+ -+ ssl = X509_STORE_CTX_get_ex_data(ctx, -+ SSL_get_ex_data_X509_STORE_CTX_idx()); -+ -+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); -+ -+ if (ets == NULL) { -+ error("Error: SSL_get_ex_data returned NULL"); -+ return 0; -+ } -+ -+ log_ssl_errors(); -+ -+ if (!depth) { /* This is the peer certificate */ -+ -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), -+ subject, 256); -+ -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), -+ NID_commonName, cn_str, 256); -+ -+ /* -+ * If acting as client and the name of the server wasn't specified -+ * explicitely, we can't verify the server authenticity -+ */ -+ if (!ets->peer[0]) { -+ warn("Peer name not specified: no check"); -+ return ok; -+ } -+ -+ /* -+ * Check the CN -+ */ -+ if (strcmp(cn_str, ets->peer)) { -+ error -+ ("Certificate verification error: CN (%s) != peer_name (%s)", -+ cn_str, ets->peer); -+ return 0; -+ } -+ -+ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); -+ -+ /* -+ * If a peer certificate file was specified, here we check it -+ */ -+ if (ets->peercertfile[0]) { -+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) -+ != 0) { -+ error -+ ("Peer certificate doesn't match stored certificate"); -+ return 0; 
-+ } -+ } -+ } -+ -+ return ok; -+} -+ -+/* -+ * Compare a certificate with the one stored in a file -+ */ -+int ssl_cmp_certs(char *filename, X509 * a) -+{ -+ X509 *b; -+ int ret; -+ -+ if (!(b = get_X509_from_file(filename))) -+ return 1; -+ -+ ret = X509_cmp(a, b); -+ X509_free(b); -+ -+ return ret; -+ -+} -+ -+X509 *get_X509_from_file(char *filename) -+{ -+ FILE *fp; -+ X509 *ret; -+ -+ if (!(fp = fopen(filename, "r"))) -+ return NULL; -+ -+ ret = PEM_read_X509(fp, NULL, NULL, NULL); -+ -+ fclose(fp); -+ -+ return ret; -+} -+ -+/* -+ * Every sent & received message this callback function is invoked, -+ * so we know when alert messages have arrived or are sent and -+ * we can print debug information about TLS handshake. -+ */ -+void -+ssl_msg_callback(int write_p, int version, int content_type, -+ const void *buf, size_t len, SSL * ssl, void *arg) -+{ -+ char string[256]; -+ struct eaptls_session *ets = (struct eaptls_session *)arg; -+ unsigned char code; -+ const unsigned char*msg = buf; -+ int hvers = msg[1] << 8 | msg[2]; -+ -+ if(write_p) -+ strcpy(string, " -> "); -+ else -+ strcpy(string, " <- "); -+ -+ switch(content_type) { -+ -+ case SSL3_RT_HEADER: -+ strcat(string, "SSL/TLS Header: "); -+ switch(hvers) { -+ case SSL3_VERSION: -+ strcat(string, "SSL 3.0"); -+ break; -+ case TLS1_VERSION: -+ strcat(string, "TLS 1.0"); -+ break; -+ case TLS1_1_VERSION: -+ strcat(string, "TLS 1.1"); -+ break; -+ case TLS1_2_VERSION: -+ strcat(string, "TLS 1.2"); -+ break; -+ default: -+ strcat(string, "Unknown version"); -+ } -+ break; -+ -+ case SSL3_RT_ALERT: -+ strcat(string, "Alert: "); -+ code = msg[1]; -+ -+ if (write_p) { -+ ets->alert_sent = 1; -+ ets->alert_sent_desc = code; -+ } else { -+ ets->alert_recv = 1; -+ ets->alert_recv_desc = code; -+ } -+ -+ strcat(string, SSL_alert_desc_string_long(code)); -+ break; -+ -+ case SSL3_RT_CHANGE_CIPHER_SPEC: -+ strcat(string, "ChangeCipherSpec"); -+ break; -+ -+ case SSL3_RT_HANDSHAKE: -+ -+ strcat(string, "Handshake: "); 
-+ code = msg[0]; -+ -+ switch(code) { -+ case SSL3_MT_HELLO_REQUEST: -+ strcat(string,"Hello Request"); -+ break; -+ case SSL3_MT_CLIENT_HELLO: -+ strcat(string,"Client Hello"); -+ break; -+ case SSL3_MT_SERVER_HELLO: -+ strcat(string,"Server Hello"); -+ break; -+#ifdef SSL3_MT_NEWSESSION_TICKET -+ case SSL3_MT_NEWSESSION_TICKET: -+ strcat(string,"New Session Ticket"); -+ break; -+#endif -+ case SSL3_MT_CERTIFICATE: -+ strcat(string,"Certificate"); -+ break; -+ case SSL3_MT_SERVER_KEY_EXCHANGE: -+ strcat(string,"Server Key Exchange"); -+ break; -+ case SSL3_MT_CERTIFICATE_REQUEST: -+ strcat(string,"Certificate Request"); -+ break; -+ case SSL3_MT_SERVER_DONE: -+ strcat(string,"Server Hello Done"); -+ break; -+ case SSL3_MT_CERTIFICATE_VERIFY: -+ strcat(string,"Certificate Verify"); -+ break; -+ case SSL3_MT_CLIENT_KEY_EXCHANGE: -+ strcat(string,"Client Key Exchange"); -+ break; -+ case SSL3_MT_FINISHED: -+ strcat(string,"Finished: "); -+ hvers = SSL_version(ssl); -+ switch(hvers) { -+ case SSL3_VERSION: -+ strcat(string, "SSL 3.0"); -+ break; -+ case TLS1_VERSION: -+ strcat(string, "TLS 1.0"); -+ break; -+ case TLS1_1_VERSION: -+ strcat(string, "TLS 1.1"); -+ break; -+ case TLS1_2_VERSION: -+ strcat(string, "TLS 1.2"); -+ break; -+ default: -+ strcat(string, "Unknown version"); -+ } -+ break; -+ default: -+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); -+ } -+ break; -+ -+ default: -+ sprintf( string, "SSL message contains unknown content type: %d", content_type ); -+ -+ } -+ -+ /* Alert messages must always be displayed */ -+ if(content_type == SSL3_RT_ALERT) -+ error("%s", string); -+ else -+ dbglog("%s", string); -+} -+ -diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h -new file mode 100644 -index 000000000000..2d45a0b83a0c ---- /dev/null -+++ b/pppd/eap-tls.h -@@ -0,0 +1,107 @@ -+/* -+ * eap-tls.h -+ * -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. The name(s) of the authors of this software must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. -+ * -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 
-+ * -+ */ -+ -+#ifndef __EAP_TLS_H__ -+#define __EAP_TLS_H__ -+ -+#include "eap.h" -+ -+#include <openssl/ssl.h> -+#include <openssl/bio.h> -+#include <openssl/md5.h> -+ -+#define EAP_TLS_FLAGS_LI 128 /* length included flag */ -+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ -+#define EAP_TLS_FLAGS_START 32 /* start flag */ -+ -+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ -+ -+struct eaptls_session -+{ -+ u_char *data; /* buffered data */ -+ int datalen; /* buffered data len */ -+ int offset; /* from where to send */ -+ int tlslen; /* total length of tls data */ -+ bool frag; /* packet is fragmented */ -+ SSL_CTX *ctx; -+ SSL *ssl; /* ssl connection */ -+ BIO *from_ssl; -+ BIO *into_ssl; -+ char peer[MAXWORDLEN]; /* peer name */ -+ char peercertfile[MAXWORDLEN]; -+ bool alert_sent; -+ u_char alert_sent_desc; -+ bool alert_recv; -+ u_char alert_recv_desc; -+ char rtx[65536]; /* retransmission buffer */ -+ int rtx_len; -+ int mtu; /* unit mtu */ -+}; -+ -+typedef struct pw_cb_data -+{ -+ const void *password; -+ const char *prompt_info; -+} PW_CB_DATA; -+ -+ -+int ssl_verify_callback(int, X509_STORE_CTX *); -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf, -+ size_t len, SSL * ssl, void *arg); -+ -+X509 *get_X509_from_file(char *filename); -+int ssl_cmp_certs(char *filename, X509 * a); -+ -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, -+ char *certfile, char *peer_certfile, char *privkeyfile); -+int eaptls_init_ssl_server(eap_state * esp); -+int eaptls_init_ssl_client(eap_state * esp); -+void eaptls_free_session(struct eaptls_session *ets); -+ -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); -+int eaptls_send(struct eaptls_session *ets, u_char ** outp); -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); -+ -+int get_eaptls_secret(int unit, char *client, char *server, -+ char *clicertfile, char *servcertfile, char *cacertfile, -+ char *pkfile, int am_server); -+ 
-+#ifdef MPPE -+#include "mppe.h" /* MPPE_MAX_KEY_LEN */ -+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; -+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; -+extern int mppe_keys_set; -+ -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); -+ -+#endif -+ -+#endif -diff --git a/pppd/eap.c b/pppd/eap.c -index 6ea6c1f8bff6..032407c3dbb2 100644 ---- a/pppd/eap.c -+++ b/pppd/eap.c -@@ -43,6 +43,11 @@ - * Based on draft-ietf-pppext-eap-srp-03.txt. - */ - -+/* -+ * Modification by Beniamino Galvani, Mar 2005 -+ * Implemented EAP-TLS authentication -+ */ -+ - #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" - - /* -@@ -62,8 +67,12 @@ - - #include "pppd.h" - #include "pathnames.h" --#include "md5.h" - #include "eap.h" -+#ifdef USE_EAPTLS -+#include "eap-tls.h" -+#else -+#include "md5.h" -+#endif /* USE_EAPTLS */ - - #ifdef USE_SRP - #include <t_pwd.h> -@@ -209,6 +218,9 @@ int unit; - esp->es_server.ea_id = (u_char)(drand48() * 0x100); - esp->es_client.ea_timeout = EAP_DEFREQTIME; - esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; -+#ifdef USE_EAPTLS -+ esp->es_client.ea_using_eaptls = 0; -+#endif /* USE_EAPTLS */ - } - - /* -@@ -436,8 +448,16 @@ int status; - u_char vals[2]; - struct b64state bs; - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ int secret_len; -+ char secret[MAXWORDLEN]; -+#endif /* USE_EAPTLS */ - - esp->es_server.ea_timeout = esp->es_savedtime; -+#ifdef USE_EAPTLS -+ esp->es_server.ea_prev_state = esp->es_server.ea_state; -+#endif /* USE_EAPTLS */ - switch (esp->es_server.ea_state) { - case eapBadAuth: - return; -@@ -562,9 +582,79 @@ int status; - break; - } - #endif /* USE_SRP */ -+#ifdef USE_EAPTLS -+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, -+ esp->es_server.ea_name, secret, &secret_len, 1)) { -+ -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS -+ 
case eapTlsStart: -+ /* Initialize ssl session */ -+ if(!eaptls_init_ssl_server(esp)) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecv: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->alert_sent) { -+ esp->es_server.ea_state = eapTlsSendAlert; -+ break; -+ } -+ -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsSendAck; -+ else -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSend: -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ -+ if(ets->frag) -+ esp->es_server.ea_state = eapTlsRecvAck; -+ else -+ if(SSL_is_init_finished(ets->ssl)) -+ esp->es_server.ea_state = eapTlsRecvClient; -+ else -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsSendAck: -+ esp->es_server.ea_state = eapTlsRecv; -+ break; -+ -+ case eapTlsRecvAck: -+ if (status) { -+ esp->es_server.ea_state = eapBadAuth; -+ break; -+ } -+ -+ esp->es_server.ea_state = eapTlsSend; -+ break; -+ -+ case eapTlsSendAlert: -+ esp->es_server.ea_state = eapTlsRecvAlertAck; -+ break; -+#endif /* USE_EAPTLS */ -+ - case eapSRP1: - #ifdef USE_SRP - ts = (struct t_server *)esp->es_server.ea_session; -@@ -718,6 +808,30 @@ eap_state *esp; - INCPTR(esp->es_server.ea_namelen, outp); - break; - -+#ifdef USE_EAPTLS -+ case eapTlsStart: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(EAP_TLS_FLAGS_START, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSend: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAck: -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsSendAlert: -+ eaptls_send(esp->es_server.ea_session, &outp); -+ eap_figure_next_state(esp, 0); -+ break; -+#endif /* USE_EAPTLS */ -+ - 
#ifdef USE_SRP - case eapSRP1: - PUTCHAR(EAPT_SRP, outp); -@@ -904,11 +1018,57 @@ static void - eap_server_timeout(arg) - void *arg; - { -+#ifdef USE_EAPTLS -+ u_char *outp; -+ u_char *lenloc; -+ int outlen; -+#endif /* USE_EAPTLS */ -+ - eap_state *esp = (eap_state *) arg; - - if (!eap_server_active(esp)) - return; - -+#ifdef USE_EAPTLS -+ switch(esp->es_server.ea_prev_state) { -+ -+ /* -+ * In eap-tls the state changes after a request, so we return to -+ * previous state ... -+ */ -+ case(eapTlsStart): -+ case(eapTlsSendAck): -+ esp->es_server.ea_state = esp->es_server.ea_prev_state; -+ break; -+ -+ /* -+ * ... or resend the stored data -+ */ -+ case(eapTlsSend): -+ case(eapTlsSendAlert): -+ outp = outpacket_buf; -+ MAKEHEADER(outp, PPP_EAP); -+ PUTCHAR(EAP_REQUEST, outp); -+ PUTCHAR(esp->es_server.ea_id, outp); -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ eaptls_retransmit(esp->es_server.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); -+ esp->es_server.ea_requests++; -+ -+ if (esp->es_server.ea_timeout > 0) -+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); -+ -+ return; -+ default: -+ break; -+ } -+#endif /* USE_EAPTLS */ -+ - /* EAP ID number must not change on timeout. 
*/ - eap_send_request(esp); - } -@@ -1166,6 +1326,81 @@ u_char *str; - } - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+/* -+ * Send an EAP-TLS response message with tls data -+ */ -+static void -+eap_tls_response(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ /* -+ If the id in the request is unchanged, we must retransmit -+ the old data -+ */ -+ if(id == esp->es_client.ea_id) -+ eaptls_retransmit(esp->es_client.ea_session, &outp); -+ else -+ eaptls_send(esp->es_client.ea_session, &outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+ esp->es_client.ea_id = id; -+ -+} -+ -+/* -+ * Send an EAP-TLS ack -+ */ -+static void -+eap_tls_sendack(esp, id) -+eap_state *esp; -+u_char id; -+{ -+ u_char *outp; -+ int outlen; -+ u_char *lenloc; -+ -+ outp = outpacket_buf; -+ -+ MAKEHEADER(outp, PPP_EAP); -+ -+ PUTCHAR(EAP_RESPONSE, outp); -+ PUTCHAR(id, outp); -+ esp->es_client.ea_id = id; -+ -+ lenloc = outp; -+ INCPTR(2, outp); -+ -+ PUTCHAR(EAPT_TLS, outp); -+ PUTCHAR(0, outp); -+ -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; -+ PUTSHORT(outlen, lenloc); -+ -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); -+ -+} -+#endif /* USE_EAPTLS */ -+ - static void - eap_send_nak(esp, id, type) - eap_state *esp; -@@ -1320,6 +1555,11 @@ int len; - char rhostname[256]; - MD5_CTX mdContext; - u_char hash[MD5_SIGNATURE_SIZE]; -+#ifdef USE_EAPTLS -+ u_char flags; -+ struct eaptls_session *ets = esp->es_client.ea_session; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - struct t_client *tc; - struct t_num sval, gval, Nval, *Ap, Bval; -@@ -1456,6 +1696,100 @@ int len; - esp->es_client.ea_namelen); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ -+ 
switch(esp->es_client.ea_state) { -+ -+ case eapListen: -+ -+ if (len < 1) { -+ error("EAP: received EAP-TLS Listen packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ GETCHAR(flags, inp); -+ if(flags & EAP_TLS_FLAGS_START){ -+ -+ esp->es_client.ea_using_eaptls = 1; -+ -+ if (explicit_remote){ -+ esp->es_client.ea_peer = strdup(remote_name); -+ esp->es_client.ea_peerlen = strlen(remote_name); -+ } else -+ esp->es_client.ea_peer = NULL; -+ -+ /* Init ssl session */ -+ if(!eaptls_init_ssl_client(esp)) { -+ dbglog("cannot init ssl"); -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ ets = esp->es_client.ea_session; -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ break; -+ } -+ -+ /* The server has sent a bad start packet. */ -+ eap_send_nak(esp, id, EAPT_TLS); -+ break; -+ -+ case eapTlsRecvAck: -+ eap_tls_response(esp, id); -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : -+ eapTlsRecv); -+ break; -+ -+ case eapTlsRecv: -+ if (len < 1) { -+ error("EAP: discarding EAP-TLS Receive packet with no data"); -+ /* Bogus request; wait for something real. */ -+ return; -+ } -+ eaptls_receive(ets, inp, len); -+ -+ if(ets->frag) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecv; -+ break; -+ } -+ -+ if(ets->alert_recv) { -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvFailure; -+ break; -+ } -+ -+ /* Check if TLS handshake is finished */ -+ if(SSL_is_init_finished(ets->ssl)){ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); -+#endif -+ eaptls_free_session(ets); -+ eap_tls_sendack(esp, id); -+ esp->es_client.ea_state = eapTlsRecvSuccess; -+ break; -+ } -+ -+ eap_tls_response(esp,id); -+ esp->es_client.ea_state = (ets->frag ? 
eapTlsRecvAck : -+ eapTlsRecv); -+ -+ break; -+ -+ default: -+ eap_send_nak(esp, id, EAPT_TLS); -+ esp->es_client.ea_using_eaptls = 0; -+ break; -+ } -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - #ifdef USE_SRP - case EAPT_SRP: - if (len < 1) { -@@ -1737,6 +2071,11 @@ int len; - u_char dig[SHA_DIGESTSIZE]; - #endif /* USE_SRP */ - -+#ifdef USE_EAPTLS -+ struct eaptls_session *ets; -+ u_char flags; -+#endif /* USE_EAPTLS */ -+ - if (esp->es_server.ea_id != id) { - dbglog("EAP: discarding Response %d; expected ID %d", id, - esp->es_server.ea_id); -@@ -1776,6 +2115,64 @@ int len; - eap_figure_next_state(esp, 0); - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ switch(esp->es_server.ea_state) { -+ -+ case eapTlsRecv: -+ -+ ets = (struct eaptls_session *) esp->es_server.ea_session; -+ eap_figure_next_state(esp, -+ eaptls_receive(esp->es_server.ea_session, inp, len)); -+ -+ if(ets->alert_recv) { -+ eap_send_failure(esp); -+ break; -+ } -+ break; -+ -+ case eapTlsRecvAck: -+ if(len > 1) { -+ dbglog("EAP-TLS ACK with extra data"); -+ } -+ eap_figure_next_state(esp, 0); -+ break; -+ -+ case eapTlsRecvClient: -+ /* Receive authentication response from client */ -+ -+ if (len > 0) { -+ GETCHAR(flags, inp); -+ -+ if(len == 1 && !flags) { /* Ack = ok */ -+#ifdef MPPE -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); -+#endif -+ eap_send_success(esp); -+ } -+ else { /* failure */ -+ warn("Server authentication failed"); -+ eap_send_failure(esp); -+ } -+ } -+ else -+ warn("Bogus EAP-TLS packet received from client"); -+ -+ eaptls_free_session(esp->es_server.ea_session); -+ -+ break; -+ -+ case eapTlsRecvAlertAck: -+ eap_send_failure(esp); -+ break; -+ -+ default: -+ eap_figure_next_state(esp, 1); -+ break; -+ } -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NOTIFICATION: - dbglog("EAP unexpected Notification; response discarded"); - break; -@@ -1807,6 +2204,13 @@ int len; - esp->es_server.ea_state = eapMD5Chall; - break; - -+#ifdef USE_EAPTLS 
-+ /* Send EAP-TLS start packet */ -+ case EAPT_TLS: -+ esp->es_server.ea_state = eapTlsStart; -+ break; -+#endif /* USE_EAPTLS */ -+ - default: - dbglog("EAP: peer requesting unknown Type %d", vallen); - switch (esp->es_server.ea_state) { -@@ -2018,13 +2422,27 @@ u_char *inp; - int id; - int len; - { -- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { -+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) -+#ifdef USE_EAPTLS -+ && esp->es_client.ea_state != eapTlsRecvSuccess -+#endif /* USE_EAPTLS */ -+ ) { - dbglog("EAP unexpected success message in state %s (%d)", - eap_state_name(esp->es_client.ea_state), - esp->es_client.ea_state); - return; - } - -+#ifdef USE_EAPTLS -+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != -+ eapTlsRecvSuccess) { -+ dbglog("EAP-TLS unexpected success message in state %s (%d)", -+ eap_state_name(esp->es_client.ea_state), -+ esp->es_client.ea_state); -+ return; -+ } -+#endif /* USE_EAPTLS */ -+ - if (esp->es_client.ea_timeout > 0) { - UNTIMEOUT(eap_client_timeout, (void *)esp); - } -@@ -2150,6 +2568,9 @@ void *arg; - int code, id, len, rtype, vallen; - u_char *pstart; - u_int32_t uval; -+#ifdef USE_EAPTLS -+ u_char flags; -+#endif /* USE_EAPTLS */ - - if (inlen < EAP_HEADERLEN) - return (0); -@@ -2214,6 +2635,24 @@ void *arg; - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? 
"S":"- "); -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_SRP: - if (len < 3) - goto truncated; -@@ -2325,6 +2764,25 @@ void *arg; - } - break; - -+#ifdef USE_EAPTLS -+ case EAPT_TLS: -+ if (len < 1) -+ break; -+ GETCHAR(flags, inp); -+ len--; -+ -+ if(flags == 0 && len == 0){ -+ printer(arg, " Ack"); -+ break; -+ } -+ -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); -+ -+ break; -+#endif /* USE_EAPTLS */ -+ - case EAPT_NAK: - if (len <= 0) { - printer(arg, " <missing hint>"); -@@ -2426,3 +2884,4 @@ void *arg; - - return (inp - pstart); - } -+ -diff --git a/pppd/eap.h b/pppd/eap.h -index 199d1849b826..087baad83eed 100644 ---- a/pppd/eap.h -+++ b/pppd/eap.h -@@ -84,6 +84,16 @@ enum eap_state_code { - eapClosed, /* Authentication not in use */ - eapListen, /* Client ready (and timer running) */ - eapIdentify, /* EAP Identify sent */ -+ eapTlsStart, /* Send EAP-TLS start packet */ -+ eapTlsRecv, /* Receive EAP-TLS tls data */ -+ eapTlsSendAck, /* Send EAP-TLS ack */ -+ eapTlsSend, /* Send EAP-TLS tls data */ -+ eapTlsRecvAck, /* Receive EAP-TLS ack */ -+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ -+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ -+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ -+ eapTlsRecvSuccess, /* Receive EAP success */ -+ eapTlsRecvFailure, /* Receive EAP failure */ - eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ - eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ - eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ -@@ -95,9 +105,18 @@ enum eap_state_code { - - #define EAP_STATES \ - "Initial", "Pending", "Closed", "Listen", "Identify", \ -+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ -+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" - --#define eap_client_active(esp) 
((esp)->es_client.ea_state == eapListen) -+#ifdef USE_EAPTLS -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ -+ (esp)->es_client.ea_state != eapPending &&\ -+ (esp)->es_client.ea_state != eapClosed) -+#else -+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) -+#endif /* USE_EAPTLS */ -+ - #define eap_server_active(esp) \ - ((esp)->es_server.ea_state >= eapIdentify && \ - (esp)->es_server.ea_state <= eapMD5Chall) -@@ -112,11 +131,17 @@ struct eap_auth { - u_short ea_namelen; /* Length of our name */ - u_short ea_peerlen; /* Length of peer's name */ - enum eap_state_code ea_state; -+#ifdef USE_EAPTLS -+ enum eap_state_code ea_prev_state; -+#endif - u_char ea_id; /* Current id */ - u_char ea_requests; /* Number of Requests sent/received */ - u_char ea_responses; /* Number of Responses */ - u_char ea_type; /* One of EAPT_* */ - u_int32_t ea_keyflags; /* SRP shared key usage flags */ -+#ifdef USE_EAPTLS -+ bool ea_using_eaptls; -+#endif - }; - - /* -@@ -139,7 +164,12 @@ typedef struct eap_state { - * Timeouts. - */ - #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ -+#ifdef USE_EAPTLS -+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ -+ /* certificates can be long ... 
*/ -+#else - #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ -+#endif /* USE_EAPTLS */ - #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ - #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ - -diff --git a/pppd/md5.c b/pppd/md5.c -index f1291ce1bd72..6f8f7207c592 100644 ---- a/pppd/md5.c -+++ b/pppd/md5.c -@@ -33,6 +33,8 @@ - *********************************************************************** - */ - -+#ifndef USE_EAPTLS -+ - #include <string.h> - #include "md5.h" - -@@ -305,3 +307,5 @@ UINT4 *in; - ** End of md5.c ** - ******************************** (cut) ******************************** - */ -+#endif /* USE_EAPTLS */ -+ -diff --git a/pppd/md5.h b/pppd/md5.h -index 71e8b00e2dde..14d712171c5e 100644 ---- a/pppd/md5.h -+++ b/pppd/md5.h -@@ -36,6 +36,7 @@ - ** documentation and/or software. ** - *********************************************************************** - */ -+#ifndef USE_EAPTLS - - #ifndef __MD5_INCLUDE__ - -@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext); - - #define __MD5_INCLUDE__ - #endif /* __MD5_INCLUDE__ */ -+ -+#endif /* USE_EAPTLS */ -diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index 46972601fc92..72c2f5b191ee 100644 ---- a/pppd/pathnames.h -+++ b/pppd/pathnames.h -@@ -21,6 +21,13 @@ - #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" - #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" - #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" -+ -+#ifdef USE_EAPTLS -+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" -+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" -+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" -+#endif /* USE_EAPTLS */ -+ - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" - #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" - #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index 0f9d37d2953b..bc29968d44c9 100644 
---- a/pppd/plugins/Makefile.linux -+++ b/pppd/plugins/Makefile.linux -@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC - LDFLAGS = $(LDOPTS) - INSTALL = install - -+# EAP-TLS -+CFLAGS += -DUSE_EAPTLS=1 -+ - DESTDIR = $(INSTROOT)@DESTDIR@ - BINDIR = $(DESTDIR)/sbin - MANDIR = $(DESTDIR)/share/man/man8 -diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c -index babb6dc31bab..6ba73cae2795 100644 ---- a/pppd/plugins/passprompt.c -+++ b/pppd/plugins/passprompt.c -@@ -107,4 +107,7 @@ void plugin_init(void) - { - add_options(options); - pap_passwd_hook = promptpass; -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = promptpass; -+#endif - } -diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c -index d718f3bdf81d..c3f9793e41a0 100644 ---- a/pppd/plugins/passwordfd.c -+++ b/pppd/plugins/passwordfd.c -@@ -79,4 +79,8 @@ void plugin_init (void) - - chap_check_hook = pwfd_check; - chap_passwd_hook = pwfd_passwd; -+ -+#ifdef USE_EAPTLS -+ eaptls_passwd_hook = pwfd_passwd; -+#endif - } -diff --git a/pppd/pppd.8 b/pppd/pppd.8 -index 65bbe721f761..8afa2d1186e2 100644 ---- a/pppd/pppd.8 -+++ b/pppd/pppd.8 -@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables - compression in the corresponding direction. Use \fInobsdcomp\fR or - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. - .TP -+.B ca \fIca-file -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection. -+This option is used on the client-side in conjunction with the \fBcert\fR -+and \fBkey\fR options. -+.TP - .B cdtrcts - Use a non-standard hardware flow control (i.e. DTR/CTS) to control - the flow of data on the serial port. If neither the \fIcrtscts\fR, -@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true - bi-directional flow control. 
The sacrifice is that this flow - control mode does not permit using DTR as a modem control line. - .TP -+.B cert \fIcertfile -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBkey\fR options. -+.TP - .B chap\-interval \fIn - If this option is given, pppd will rechallenge the peer every \fIn\fR - seconds. -@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet. The default value is - 1000 (1 second). This wait period only applies if the \fBconnect\fR - or \fBpty\fR option is used. - .TP -+.B crl \fIfilename -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List -+to check for the validity of the peer's certificate. This option is not -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR -+option. -+.TP -+.B crl-dir \fIdirectory -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in -+has format ($hash.r0) to check for the validity of the peer's certificate. -+This option is not mandatory for setting up an EAP-TLS connection. -+Also see the \fBcrl\fR option. -+.TP - .B debug - Enables connection debugging facilities. - If this option is given, pppd will log the contents of all -@@ -561,6 +585,12 @@ transmitted packets be printed. On most systems, messages printed by - the kernel are logged by syslog(1) to a file as directed in the - /etc/syslog.conf configuration file. - .TP -+.B key \fIkeyfile -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM -+format), needed for setting up an EAP-TLS connection. This option is -+used on the client-side in conjunction with the \fBca\fR and -+\fBcert\fR options. -+.TP - .B ktune - Enables pppd to alter kernel settings as appropriate. Under Linux, - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward -@@ -724,6 +754,9 @@ name to \fIname\fR.) 
- Disable Address/Control compression in both directions (send and - receive). - .TP -+.B need-peer-eap -+(EAP-TLS) Require the peer to verify our authentication credentials. -+.TP - .B noauth - Do not require the peer to authenticate itself. This option is - privileged. -diff --git a/pppd/pppd.h b/pppd/pppd.h -index 567d702181ca..195cbe3c6ffb 100644 ---- a/pppd/pppd.h -+++ b/pppd/pppd.h -@@ -338,6 +338,11 @@ extern bool dump_options; /* print out option values */ - extern bool dryrun; /* check everything, print options, exit */ - extern int child_wait; /* # seconds to wait for children at end */ - -+#ifdef USE_EAPTLS -+extern char *crl_dir; -+extern char *crl_file; -+#endif /* USE_EAPTLS */ -+ - #ifdef MAXOCTETS - extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ - extern int maxoctets_dir; /* Direction : -@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void)); - extern int (*chap_passwd_hook) __P((char *user, char *passwd)); - extern void (*multilink_join_hook) __P((void)); - -+#ifdef USE_EAPTLS -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); -+#endif -+ - /* Let a plugin snoop sent and received packets. Useful for L2TP */ - extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); - extern void (*snoop_send_hook) __P((unsigned char *p, int len)); diff --git a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch deleted file mode 100644 index bf83278a9..000000000 --- a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch +++ /dev/null 
@@ -1,115 +0,0 @@ -From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com> -Date: Fri, 6 Apr 2018 14:27:18 +0200 -Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875] - -It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped -libcrypt. The libxcrypt standalone package can be used instead, but -it dropped the old setkey/encrypt API which ppp uses for DES. There -is support for using openssl in pppcrypt.c, but it contains typos -preventing it from compiling and seems to be written for an ancient -openssl version. - -This updates the code to use current openssl. - -[paulus@ozlabs.org - wrote the commit description, fixed comment in - Makefile.linux.] - -Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> - -Imported from ppp_2.4.7-2+4.1.debian.tar.xz - -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> ---- - pppd/Makefile.linux | 7 ++++--- - pppd/pppcrypt.c | 18 +++++++++--------- - 2 files changed, 13 insertions(+), 12 deletions(-) - -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 58a634ce8c3b..cb9d4f9dcf22 100644 ---- a/pppd/Makefile.linux -+++ b/pppd/Makefile.linux -@@ -35,10 +35,10 @@ endif - COPTS = -O2 -pipe -Wall -g - LIBS = -lcrypto - --# Uncomment the next 2 lines to include support for Microsoft's -+# Uncomment the next line to include support for Microsoft's - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. - CHAPMS=y --USE_CRYPT=y -+#USE_CRYPT=y - # Don't use MSLANMAN unless you really know what you're doing. - #MSLANMAN=y - # Uncomment the next line to include support for MPPE. 
CHAPMS (above) must -@@ -138,7 +138,8 @@ endif - - ifdef NEEDDES - ifndef USE_CRYPT --LIBS += -ldes $(LIBS) -+CFLAGS += -I/usr/include/openssl -+LIBS += -lcrypto - else - CFLAGS += -DUSE_CRYPT=1 - endif -diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c -index 8b85b13276ab..6b35375edc5e 100644 ---- a/pppd/pppcrypt.c -+++ b/pppd/pppcrypt.c -@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */ - des_key[7] = Get7Bits(key, 49); - - #ifndef USE_CRYPT -- des_set_odd_parity((des_cblock *)des_key); -+ DES_set_odd_parity((DES_cblock *)des_key); - #endif - } - -@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ - } - - #else /* USE_CRYPT */ --static des_key_schedule key_schedule; -+static DES_key_schedule key_schedule; - - bool - DesSetkey(key) - u_char *key; - { -- des_cblock des_key; -+ DES_cblock des_key; - MakeKey(key, des_key); -- des_set_key(&des_key, key_schedule); -+ DES_set_key(&des_key, &key_schedule); - return (1); - } - - bool --DesEncrypt(clear, key, cipher) -+DesEncrypt(clear, cipher) - u_char *clear; /* IN 8 octets */ - u_char *cipher; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, -- key_schedule, 1); -+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, -+ &key_schedule, 1); - return (1); - } - -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) - u_char *cipher; /* IN 8 octets */ - u_char *clear; /* OUT 8 octets */ - { -- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear, -- key_schedule, 0); -+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, -+ &key_schedule, 0); - return (1); - } - diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series deleted file mode 100644 index 6aeaf1984..000000000 --- a/patches/ppp-2.4.7/series +++ /dev/null 
@@ -1,46 +0,0 @@ -# generated by git-ptx-patches -#tag:base --start-number 1 -0001-abort-on-errors-in-subdir-builds.patch -0002-scripts-Avoid-killing-wrong-pppd.patch -0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch -0004-Suppress-false-error-message-on-PPPoE-disconnect.patch -0005-Send-PADT-on-PPPoE-disconnect.patch -0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch -0007-pppd-Fix-ccp_options.mppe-type.patch -0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch -0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch -0010-plog-count-only-relevant-lines-from-syslog.patch -0011-Change-include-from-sys-errno.h-to-errno.h.patch -0012-pppd-allow-use-of-arbitrary-interface-names.patch -0013-pppd-Remove-unused-declaration-of-ttyname.patch -0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch -0015-pppoe-include-netinet-in.h-before-linux-in.h.patch -0016-adaptive_echos.patch -0017-Makefiles-cleanup.patch -0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch -0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch -0020-support-building-pppdump-with-the-system-zlib.patch -0021-disable-unneeded-code-in-the-pppoatm-plugin.patch -0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch -0023-pppoe_noads.patch -0024-make-_PATH_CONNERRS-world-readable.patch -0025-Correct-unkown-unknown-typo.patch -0026-pppoe-custom-host-uniq-tag.patch -0027-Add-replacedefaultroute-option.patch -0028-ppp-2.3.11-oedod.dif.patch -0029-add-support-for-the-Framed-MTU-Radius-attribute.patch -0030-018_ip-up_option.patch -0031-ppp-2.4.2-stripMSdomain.patch -0032-export-CALL_FILE-to-the-link-scripts.patch -0033-ipv6-accept-remote.patch -0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch -0035-resolv.conf_no_log.patch -0036-Debian-specific-changes.patch -0037-Fix-buffer-overflow-in-rc_mksid.patch -0038-EAP-TLS-authentication-support-for-PPP.patch -0039-Replace-vendored-hash-functions-with-libcrypto.patch 
-0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch -#tag:ptx --start-number 100 -0100-pppd-make-makefile-sysroot-aware.patch -0101-pppd-make-the-self-made-configure-cross-aware.patch -# b0e349fd34b2aac1a9ba4ffb38f43be0 - git-ptx-patches magic diff --git a/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch new file mode 100644 index 000000000..c83b64b1c --- /dev/null +++ b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch @@ -0,0 +1,28 @@ +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com> +Date: Fri, 8 Jan 2021 02:43:46 +0100 +Subject: [PATCH] configure: Allow commas in the CFLAGS (#220) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +It allows e.g. the following: +./configure --cflags='-Wp,-D_FORTIFY_SOURCE=2' + +Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com> +--- + configure | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure b/configure +index f977663fd8db..b0c3d2b49122 100755 +--- a/configure ++++ b/configure +@@ -123,7 +123,7 @@ mkmkf() { + echo " $2 <= $1" + sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ + -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ +- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 ++ -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2 + fi + } + diff --git a/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch new file mode 100644 index 000000000..33cf002db --- /dev/null +++ b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch 
@@ -0,0 +1,55 @@ +From: pali <7141871+pali@users.noreply.github.com> +Date: Mon, 15 Feb 2021 07:54:01 +0100 +Subject: [PATCH] pppd: Fix compilation with older glibc or kernel headers + (#248) +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel +versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback +definitions for these macros into pppd/sys-linux.c file. + +Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option. + +Signed-off-by: Pali Rohár <pali@kernel.org> +--- + pppd/sys-linux.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c +index 85033d97124f..50c4f2dab403 100644 +--- a/pppd/sys-linux.c ++++ b/pppd/sys-linux.c +@@ -125,6 +125,14 @@ + #include <linux/netlink.h> + #include <linux/rtnetlink.h> + #include <linux/if_addr.h> ++/* glibc versions prior to 2.24 do not define SOL_NETLINK */ ++#ifndef SOL_NETLINK ++#define SOL_NETLINK 270 ++#endif ++/* linux kernel versions prior to 4.3 do not define/support NETLINK_CAP_ACK */ ++#ifndef NETLINK_CAP_ACK ++#define NETLINK_CAP_ACK 10 ++#endif + #endif + + #include "pppd.h" +@@ -2843,7 +2851,15 @@ static int append_peer_ipv6_address(unsigned int iface, struct in6_addr *local_a + if (fd < 0) + return 0; + +- /* do not ask for error message content */ ++ /* ++ * Tell kernel to not send to us payload of acknowledgment error message. ++ * NETLINK_CAP_ACK option is supported since Linux kernel version 4.3 and ++ * older kernel versions always send full payload in acknowledgment netlink ++ * message. We ignore payload of this message as we need only error code, ++ * to check if our set remote peer address request succeeded or failed. ++ * So ignore return value from the following setsockopt() call as setting ++ * option NETLINK_CAP_ACK means for us just a kernel hint / optimization. 
++ */ + one = 1; + setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &one, sizeof(one)); + diff --git a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch similarity index 63% rename from patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch rename to patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch index ef8265d43..383be9d60 100644 --- a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch +++ b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch @@ -1,19 +1,25 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:48 +0200 Subject: [PATCH] support building pppdump with the system zlib -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Forwarded: https://github.com/paulusmack/ppp/pull/189 +but nacked: "it caused compile failures (on Fedora at least), which +reminded me that the zlib.c here is not the same as upstream; it has +extra functions that I added a long time ago." -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> + +Imported from ppp_2.4.9-1+1.debian.tar.xz + +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++-- 1 file changed, 26 insertions(+), 2 deletions(-) diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index 65e5c14914fb..87777fab5e94 100644 +index a94187fa9e29..de7e574d10e1 100644 --- a/pppdump/Makefile.linux +++ b/pppdump/Makefile.linux -@@ -2,18 +2,42 @@ DESTDIR = $(INSTROOT)@DESTDIR@ +@@ -6,15 +6,39 @@ DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 
@@ -21,10 +27,7 @@ index 65e5c14914fb..87777fab5e94 100644 +DO_BSD_COMPRESS=y +HAVE_ZLIB=n + - COPTS=-O2 -g - CFLAGS= $(COPTS) -I../include/net - LDFLAGS=$(LDOPTS) - + CFLAGS = $(COPTS) -I../include/net -OBJS = pppdump.o bsd-comp.o deflate.o zlib.o +OBJS = pppdump.o +LIBS = @@ -40,14 +43,14 @@ index 65e5c14914fb..87777fab5e94 100644 +else +CFLAGS += -DDO_DEFLATE=0 +endif -+ + +ifdef DO_BSD_COMPRESS +CFLAGS += -DDO_BSD_COMPRESS=1 +OBJS += bsd-comp.o +else +CFLAGS += -DDO_BSD_COMPRESS=0 +endif - ++ INSTALL= install all: pppdump diff --git a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch similarity index 89% rename from patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch rename to patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch index 2fb9c5573..882c913aa 100644 --- a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch +++ b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch @@ -1,5 +1,5 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:48 +0200 Subject: [PATCH] disable unneeded code in the pppoatm plugin This patch halves the size of the PPPoA plugin by disabling features @@ -13,9 +13,9 @@ plugin with the real libatm. I really doubt anybody cares, anyway. -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Imported from ppp_2.4.9-1+1.debian.tar.xz -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- pppd/plugins/pppoatm/Makefile.linux | 4 ++++ pppd/plugins/pppoatm/pppoatm.c | 4 ++++ @@ -23,10 +23,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 3 files changed, 12 insertions(+) 
diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux -index 002603c6cbef..76d81aced70a 100644 +index d3a8086b69ea..036b193637df 100644 --- a/pppd/plugins/pppoatm/Makefile.linux +++ b/pppd/plugins/pppoatm/Makefile.linux -@@ -25,9 +25,13 @@ ifdef HAVE_LIBATM +@@ -26,9 +26,13 @@ ifdef HAVE_LIBATM LIBS := -latm else CFLAGS += -I. @@ -41,10 +41,10 @@ index 002603c6cbef..76d81aced70a 100644 #********* all: $(PLUGIN) diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c -index d693350bc473..a7560e9fb0c6 100644 +index 5a3ecd61b6a2..90d0c9a85d9f 100644 --- a/pppd/plugins/pppoatm/pppoatm.c +++ b/pppd/plugins/pppoatm/pppoatm.c -@@ -142,8 +142,12 @@ static int connect_pppoatm(void) +@@ -145,8 +145,12 @@ static int connect_pppoatm(void) qos.txtp.traffic_class = qos.rxtp.traffic_class = ATM_UBR; /* TODO: support simplified QoS setting */ if (qosstr != NULL) diff --git a/patches/ppp-2.4.9/0102-pppoe_noads.patch b/patches/ppp-2.4.9/0102-pppoe_noads.patch new file mode 100644 index 000000000..6629d4194 --- /dev/null +++ b/patches/ppp-2.4.9/0102-pppoe_noads.patch @@ -0,0 +1,24 @@ +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:48 +0200 +Subject: [PATCH] pppoe_noads + +Imported from ppp_2.4.9-1+1.debian.tar.xz + +Signed-off-by: Alexander Dahl <ada@thorsis.com> +--- + pppd/plugins/pppoe/plugin.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c +index de9b8166ce7b..58fbdf95be3f 100644 +--- a/pppd/plugins/pppoe/plugin.c ++++ b/pppd/plugins/pppoe/plugin.c +@@ -412,8 +412,6 @@ plugin_init(void) + } + + add_options(Options); +- +- info("PPPoE plugin from pppd %s", VERSION); + } + + void pppoe_check_options(void) 
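Review bot: The new 0102-pppoe_noads.patch gives no reason for its change: the message consists only of the "Imported from ppp_2.4.9-1+1.debian.tar.xz" line, while the hunk in plugin_init() deletes the `info("PPPoE plugin from pppd %s", VERSION);` call. Please add a sentence to the patch header saying why the version banner is dropped from the log, so that the next version bump can decide whether the patch is still needed.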
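Review bot: In 0001-configure-Allow-commas-in-the-CFLAGS-220.patch the mkmkf() hunk only moves the delimiter problem instead of removing it. With `-e "s|@CFLAGS@|$CFLAGS|g"` a CFLAGS value that contains `|` still breaks the sed expression, and a `&` in it is expanded by sed to the matched text. The neighbouring `@DESTDIR@`, `@SYSCONF@`, `@CROSS_COMPILE@` and `@CC@` substitutions also keep the comma delimiter. This is fine as an import as long as the flags passed to configure are known; if they come from a BSP option, they should be checked for these characters before they reach configure.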
diff --git a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch similarity index 72% rename from patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch rename to patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch index 8151c3be2..38eb5b791 100644 --- a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch +++ b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch @@ -1,10 +1,22 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:49 +0200 -Subject: [PATCH] ppp-2.3.11-oedod.dif +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:48 +0200 +Subject: [PATCH] Forwarded: https://github.com/paulusmack/ppp/issues/187 -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Upstream said: -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +" +Hmmm, dial-on-demand was never tested with the sync option, and in fact I don't +know what devices would use that option. + +To be accepted, the patch would need a sign-off and a description that +explained the changes in the patch - in particular, what the large lump of code +added to demand_rexmit() is doing. +" + + +Imported from ppp_2.4.9-1+1.debian.tar.xz + +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- pppd/ipcp.c | 2 +- @@ -13,7 +25,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> 4 files changed, 101 insertions(+), 4 deletions(-) diff --git a/pppd/demand.c b/pppd/demand.c -index 5e57658ea831..3eddf3016d98 100644 +index 289c9f8fdd57..4c61444d3968 100644 --- a/pppd/demand.c +++ b/pppd/demand.c @@ -36,6 +36,8 @@ @@ -34,7 +46,7 @@ index 5e57658ea831..3eddf3016d98 100644 #ifdef PPP_FILTER #include <pcap-bpf.h> #endif -@@ -221,6 +225,14 @@ loop_chars(p, n) +@@ -218,6 +222,14 @@ loop_chars(unsigned char *p, int n) int c, rv; rv = 0; 
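Review bot: The header hunk of this patch replaces the subject `ppp-2.3.11-oedod.dif` with `Forwarded: https://github.com/paulusmack/ppp/issues/187`, which is a patch-header field and not a summary, and that is what produces the file name 0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch. Keep a descriptive subject line and move the Forwarded: line into the message body. The quoted upstream reply also asks for an explanation of the code added to demand_rexmit(), and the new message still contains none; a short description of what the added `newip` argument is used for would help anyone who has to carry this patch forward.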
@@ -49,14 +61,12 @@ index 5e57658ea831..3eddf3016d98 100644 for (; n > 0; --n) { c = *p++; if (c == PPP_FLAG) { -@@ -299,17 +311,102 @@ loop_frame(frame, len) +@@ -294,16 +306,101 @@ loop_frame(unsigned char *frame, int len) * loopback, now that the real serial link is up. */ void --demand_rexmit(proto) -+demand_rexmit(proto, newip) - int proto; -+ u_int32_t newip; +-demand_rexmit(int proto) ++demand_rexmit(int proto, u_int32_t newip) { struct packet *pkt, *prev, *nextpkt; + unsigned short checksum; @@ -69,9 +79,11 @@ index 5e57658ea831..3eddf3016d98 100644 prev = NULL; pkt = pend_q; pend_q = NULL; ++ + tv.tv_sec = 1; + tv.tv_usec = 0; -+ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Seconds */ ++ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Second */ ++ for (; pkt != NULL; pkt = nextpkt) { nextpkt = pkt->next; if (PPP_PROTOCOL(pkt->data) == proto) { @@ -83,7 +95,6 @@ index 5e57658ea831..3eddf3016d98 100644 + if (checksum == 0xFFFF) { + checksum = 0; + } -+ + + if (pkt->data[13] == 17) { + pkt_checksum = *((unsigned short *) (pkt->data+10+iphdr)); @@ -154,10 +165,10 @@ index 5e57658ea831..3eddf3016d98 100644 free(pkt); } else { diff --git a/pppd/ipcp.c b/pppd/ipcp.c -index c8fe279d4ede..dceca807542a 100644 +index 302ca40b4c83..3ac26a08032a 100644 --- a/pppd/ipcp.c +++ b/pppd/ipcp.c -@@ -1904,7 +1904,7 @@ ipcp_up(f) +@@ -1850,7 +1850,7 @@ ipcp_up(fsm *f) proxy_arp_set[f->unit] = 1; } @@ -167,12 +178,12 @@ index c8fe279d4ede..dceca807542a 100644 } else { diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c -index 356ff84ead41..c1602f41c206 100644 +index 431cb62211bf..a32b0002e10d 100644 --- a/pppd/ipv6cp.c +++ b/pppd/ipv6cp.c -@@ -1232,7 +1232,7 @@ ipv6cp_up(f) - } - +@@ -1253,7 +1253,7 @@ ipv6cp_up(fsm *f) + if (sif6defaultroute(f->unit, go->ourid, ho->hisid)) + default_route_set[f->unit] = 1; } - demand_rexmit(PPP_IPV6); + demand_rexmit(PPP_IPV6,0); @@ -180,15 +191,15 @@ index 356ff84ead41..c1602f41c206 100644 } else { 
diff --git a/pppd/pppd.h b/pppd/pppd.h -index 7495df657fe9..e65106d4c126 100644 +index 612902f55d0d..10a9977598aa 100644 --- a/pppd/pppd.h +++ b/pppd/pppd.h -@@ -594,7 +594,7 @@ void demand_conf __P((void)); /* config interface(s) for demand-dial */ - void demand_block __P((void)); /* set all NPs to queue up packets */ - void demand_unblock __P((void)); /* set all NPs to pass packets */ - void demand_discard __P((void)); /* set all NPs to discard packets */ --void demand_rexmit __P((int)); /* retransmit saved frames for an NP */ -+void demand_rexmit __P((int, u_int32_t)); /* retransmit saved frames for an NP*/ - int loop_chars __P((unsigned char *, int)); /* process chars from loopback */ - int loop_frame __P((unsigned char *, int)); /* should we bring link up? */ +@@ -598,7 +598,7 @@ void demand_conf(void); /* config interface(s) for demand-dial */ + void demand_block(void); /* set all NPs to queue up packets */ + void demand_unblock(void); /* set all NPs to pass packets */ + void demand_discard(void); /* set all NPs to discard packets */ +-void demand_rexmit(int); /* retransmit saved frames for an NP */ ++void demand_rexmit(int, u_int32_t); /* retransmit saved frames for an NP */ + int loop_chars(unsigned char *, int); /* process chars from loopback */ + int loop_frame(unsigned char *, int); /* should we bring link up? */ diff --git a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch similarity index 56% rename from patches/ppp-2.4.7/0035-resolv.conf_no_log.patch rename to patches/ppp-2.4.9/0104-resolv.conf_no_log.patch index aea6b2082..66265aa6c 100644 --- a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch +++ b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch 
@@ -1,19 +1,19 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:48 +0200 Subject: [PATCH] resolv.conf_no_log -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Imported from ppp_2.4.9-1+1.debian.tar.xz -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- pppd/ipcp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pppd/ipcp.c b/pppd/ipcp.c -index d6e0e2a699fe..b81b2fd0a29f 100644 +index 3ac26a08032a..ce002262bb34 100644 --- a/pppd/ipcp.c +++ b/pppd/ipcp.c -@@ -2152,7 +2152,7 @@ create_resolv(peerdns1, peerdns2) +@@ -2093,7 +2093,7 @@ create_resolv(u_int32_t peerdns1, u_int32_t peerdns2) f = fopen(_PATH_RESOLV, "w"); if (f == NULL) { diff --git a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch similarity index 62% rename from patches/ppp-2.4.7/0036-Debian-specific-changes.patch rename to patches/ppp-2.4.9/0105-Debian-specific-changes.patch index 9576af118..86bba35f9 100644 --- a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch +++ b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch @@ -1,23 +1,27 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:49 +0200 Subject: [PATCH] Debian-specific changes. -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Imported from ppp_2.4.9-1+1.debian.tar.xz -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- - pppd/Makefile.linux | 6 ++---- + pppd/Makefile.linux | 6 +++--- pppd/pathnames.h | 2 +- pppd/pppd.h | 2 +- pppdump/Makefile.linux | 4 ++-- - 4 files changed, 6 insertions(+), 8 deletions(-) + 4 files changed, 7 insertions(+), 7 deletions(-) 
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 16b3ee879791..5549145e5791 100644 +index 22837c50415e..bbb476827cea 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux -@@ -61,14 +61,14 @@ HAVE_MULTILINK=y - USE_TDB=y +@@ -64,17 +64,17 @@ USE_TDB=y + # Uncomment the next line to enable Type=notify services in systemd + # If enabled, and the user sets the up_sdnotify option, then + # pppd will not detach and will notify systemd when up. +-#SYSTEMD=y ++SYSTEMD=y HAS_SHADOW=y -#USE_PAM=y @@ -33,23 +37,11 @@ index 16b3ee879791..5549145e5791 100644 # Enable EAP SRP-SHA1 authentication (requires libsrp) #USE_SRP=y -@@ -178,11 +178,9 @@ LIBS += -ldl - endif - - ifdef FILTER --ifneq ($(wildcard /usr/include/pcap-bpf.h),) - LIBS += -lpcap - CFLAGS += -DPPP_FILTER - endif --endif - - ifdef HAVE_INET6 - PPPDSRCS += ipv6cp.c eui64.c diff --git a/pppd/pathnames.h b/pppd/pathnames.h -index a33f0466c9d6..46972601fc92 100644 +index 524d608ce12c..2df61354f40e 100644 --- a/pppd/pathnames.h +++ b/pppd/pathnames.h -@@ -28,7 +28,7 @@ +@@ -33,7 +33,7 @@ #define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up" #define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down" #define _PATH_TTYOPT _ROOT_PATH "/etc/ppp/options." @@ -59,10 +51,10 @@ index a33f0466c9d6..46972601fc92 100644 #define _PATH_RESOLV _ROOT_PATH "/etc/ppp/resolv.conf" diff --git a/pppd/pppd.h b/pppd/pppd.h -index b11670586244..567d702181ca 100644 +index 10a9977598aa..a14483b76acc 100644 --- a/pppd/pppd.h +++ b/pppd/pppd.h -@@ -870,7 +870,7 @@ extern void (*snoop_send_hook) __P((unsigned char *p, int len)); +@@ -879,7 +879,7 @@ extern void (*snoop_send_hook)(unsigned char *p, int len); || defined(DEBUGCHAP) || defined(DEBUG) || defined(DEBUGIPV6CP) #define LOG_PPP LOG_LOCAL2 #else @@ -72,10 +64,10 @@ index b11670586244..567d702181ca 100644 #endif /* LOG_PPP */ diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux -index 87777fab5e94..1eeeafe20111 100644 +index de7e574d10e1..04b1c10b34c7 100644 
--- a/pppdump/Makefile.linux +++ b/pppdump/Makefile.linux -@@ -2,9 +2,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@ +@@ -6,9 +6,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@ BINDIR = $(DESTDIR)/sbin MANDIR = $(DESTDIR)/share/man/man8 @@ -85,5 +77,5 @@ index 87777fab5e94..1eeeafe20111 100644 -HAVE_ZLIB=n +HAVE_ZLIB=y - COPTS=-O2 -g - CFLAGS= $(COPTS) -I../include/net + CFLAGS = $(COPTS) -I../include/net + OBJS = pppdump.o diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch similarity index 92% rename from patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch rename to patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch index a08af544a..8597cf9a5 100644 --- a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch +++ b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch @@ -1,5 +1,5 @@ -From: Michael Olbrich <m.olbrich@pengutronix.de> -Date: Sat, 28 Sep 2019 08:11:50 +0200 +From: Alexander Dahl <ada@thorsis.com> +Date: Wed, 16 Jun 2021 18:22:49 +0200 Subject: [PATCH] Replace vendored hash functions with libcrypto Bug-Debian: https://bugs.debian.org/826625 
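Review bot: In 0105-Debian-specific-changes.patch the pppd/Makefile.linux hunk now also flips `#SYSTEMD=y` to `SYSTEMD=y`, which the 2.4.7 version of the patch did not do. According to the Makefile comment in the same hunk this enables Type=notify support for systemd, so it is switched on for every BSP, including those built without systemd, and it most likely adds a build-time dependency on the systemd libraries (an assumption, the relevant Makefile lines are not part of this diff). Either drop that line from the imported patch or make the setting follow a ptxdist option. The same question applies to `HAVE_ZLIB=y` in pppdump/Makefile.linux, which needs zlib to be selected by the package.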
@@ -14,24 +14,24 @@ preferable both due to the patch being slightly less invasive and also because of our use of the EAP-TLS patch which requires OpenSSL. -Imported from ppp_2.4.7-2+4.1.debian.tar.xz +Imported from ppp_2.4.9-1+1.debian.tar.xz -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> +Signed-off-by: Alexander Dahl <ada@thorsis.com> --- - pppd/Makefile.linux | 25 ++-- + pppd/Makefile.linux | 28 +--- pppd/chap-md5.c | 2 +- pppd/chap_ms.c | 40 ++---- - pppd/eap.c | 2 +- - pppd/md4.c | 299 ----------------------------------------- - pppd/md4.h | 64 --------- - pppd/md5.c | 311 ------------------------------------------- - pppd/md5.h | 68 ---------- + pppd/eap.c | 3 +- + pppd/md4.c | 290 ----------------------------------------- + pppd/md4.h | 55 -------- + pppd/md5.c | 299 ------------------------------------------- + pppd/md5.h | 65 ---------- pppd/plugins/radius/md5.c | 2 +- pppd/plugins/radius/radius.c | 2 +- pppd/plugins/winbind.c | 2 +- - pppd/sha1.c | 170 ----------------------- + pppd/sha1.c | 171 ------------------------- pppd/sha1.h | 31 ----- - 13 files changed, 28 insertions(+), 990 deletions(-) + 13 files changed, 27 insertions(+), 963 deletions(-) delete mode 100644 pppd/md4.c delete mode 100644 pppd/md4.h delete mode 100644 pppd/md5.c @@ -40,10 +40,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> delete mode 100644 pppd/sha1.h diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index 4a11d5fea748..58a634ce8c3b 100644 +index bbb476827cea..bc01e3fd2a24 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux -@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include +@@ -15,16 +15,16 @@ INCDIR = $(DESTDIR)/include TARGETS = pppd 
@@ -64,16 +64,16 @@ index 4a11d5fea748..58a634ce8c3b 100644 ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ eap.o chap-md5.o session.o -@@ -33,7 +33,7 @@ endif - # CC = gcc - # - COPTS = -O2 -pipe -Wall -g --LIBS = -+LIBS = -lcrypto +@@ -34,7 +34,7 @@ ifeq (.depend,$(wildcard .depend)) + include .depend + endif + +-LIBS = -lrt ++LIBS = -lrt -lcrypto - # Uncomment the next 2 lines to include support for Microsoft's + # Uncomment the next line to include support for Microsoft's # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. -@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS) +@@ -98,8 +98,8 @@ CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' ifdef CHAPMS CFLAGS += -DCHAPMS=1 NEEDDES=y @@ -84,12 +84,11 @@ index 4a11d5fea748..58a634ce8c3b 100644 ifdef MSLANMAN CFLAGS += -DMSLANMAN=1 endif -@@ -104,25 +104,18 @@ endif - # EAP SRP-SHA1 +@@ -113,26 +113,17 @@ endif ifdef USE_SRP CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include --LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto -+LIBS += -lsrp -L/usr/local/ssl/lib + LIBS += -lsrp -L/usr/local/ssl/lib +-NEEDCRYPTOLIB = y TARGETS += srp-entry EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry MANPAGES += srp-entry.8 @@ -106,27 +105,50 @@ index 4a11d5fea748..58a634ce8c3b 100644 # EAP-TLS ifdef USE_EAPTLS - CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include --LIBS += -lssl -lcrypto -+LIBS += -lssl + CFLAGS += -DUSE_EAPTLS=1 + LIBS += -lssl +-NEEDCRYPTOLIB = y PPPDSRC += eap-tls.c HEADERS += eap-tls.h PPPDOBJS += eap-tls.o +@@ -156,7 +147,6 @@ endif + ifdef NEEDDES + ifndef USE_CRYPT + CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl +-NEEDCRYPTOLIB = y + else + CFLAGS += -DUSE_CRYPT=1 + endif +@@ -164,10 +154,6 @@ PPPDOBJS += pppcrypt.o + HEADERS += pppcrypt.h + endif + +-ifdef NEEDCRYPTOLIB +-LIBS += -lcrypto +-endif +- + # For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/. + ifdef USE_PAM + CFLAGS += -DUSE_PAM 
diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c -index 269b52cb2041..7f7967a56842 100644 +index 77dd4ecc7059..d86564aa865a 100644 --- a/pppd/chap-md5.c +++ b/pppd/chap-md5.c -@@ -39,7 +39,7 @@ - #ifdef USE_EAPTLS - #include "eap-tls.h" - #else --#include "md5.h" +@@ -32,11 +32,11 @@ + + #include <stdlib.h> + #include <string.h> +#include <openssl/md5.h> - #endif /* USE_EAPTLS */ + #include "pppd.h" + #include "chap-new.h" + #include "chap-md5.h" + #include "magic.h" +-#include "md5.h" #define MD5_HASH_SIZE 16 + #define MD5_MIN_CHALLENGE 16 diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c -index c2bd00f9c6f7..19edb85d27a8 100644 +index e6b84f203fc3..64848f20f660 100644 --- a/pppd/chap_ms.c +++ b/pppd/chap_ms.c @@ -89,8 +89,8 @@ @@ -140,7 +162,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 #include "pppcrypt.h" #include "magic.h" -@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, +@@ -536,8 +536,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, char *username, u_char Challenge[8]) { @@ -151,7 +173,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 char *user; /* remove domain from "domain\username" */ -@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[]) +@@ -575,23 +575,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[]) static void NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE]) { @@ -178,7 +200,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 } -@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], +@@ -672,8 +660,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], 0x6E }; int i; @@ -189,7 +211,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 u_char Challenge[8]; SHA1_Init(&sha1Context); -@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain +@@ -726,8 +714,8 @@ GenerateAuthenticatorResponsePlain void mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) { 
@@ -200,7 +222,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 SHA1_Init(&sha1Context); SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE); -@@ -769,9 +757,9 @@ void +@@ -770,9 +758,9 @@ void mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], u_char NTResponse[24], int IsServer) { @@ -214,24 +236,27 @@ index c2bd00f9c6f7..19edb85d27a8 100644 u_char SHApad1[40] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, diff --git a/pppd/eap.c b/pppd/eap.c -index 032407c3dbb2..35d111015ff3 100644 +index 79146557bd32..d987888d9f20 100644 --- a/pppd/eap.c +++ b/pppd/eap.c -@@ -71,7 +71,7 @@ - #ifdef USE_EAPTLS - #include "eap-tls.h" - #else --#include "md5.h" +@@ -59,9 +59,10 @@ + #include <assert.h> + #include <errno.h> + +#include <openssl/md5.h> - #endif /* USE_EAPTLS */ ++ + #include "pppd.h" + #include "pathnames.h" +-#include "md5.h" + #include "eap.h" - #ifdef USE_SRP + #ifdef CHAPMS diff --git a/pppd/md4.c b/pppd/md4.c deleted file mode 100644 -index d943e8885f2d..000000000000 +index 42a9b2e75d6e..000000000000 --- a/pppd/md4.c +++ /dev/null -@@ -1,299 +0,0 @@ +@@ -1,290 +0,0 @@ -/* -** ******************************************************************** -** md4.c -- Implementation of MD4 Message Digest Algorithm ** @@ -321,8 +346,7 @@ index d943e8885f2d..000000000000 -** This is a user-callable routine. -*/ -void --MD4Print(MDp) --MD4_CTX *MDp; +-MD4Print(MD4_CTX *MDp) -{ - int i,j; - for (i=0;i<4;i++) @@ -335,8 +359,7 @@ index d943e8885f2d..000000000000 -** This is a user-callable routine. -*/ -void --MD4Init(MDp) --MD4_CTX *MDp; +-MD4Init(MD4_CTX *MDp) -{ - int i; - MDp->buffer[0] = I0; @@ -354,9 +377,7 @@ index d943e8885f2d..000000000000 -** This routine is not user-callable. -*/ -static void --MDblock(MDp,Xb) --MD4_CTX *MDp; --unsigned char *Xb; +-MDblock(MD4_CTX *MDp, unsigned char *Xb) -{ - register unsigned int tmp, A, B, C, D; - unsigned int X[16]; 
@@ -440,10 +461,7 @@ index d943e8885f2d..000000000000 -** if desired. -*/ -void --MD4Update(MDp,X,count) --MD4_CTX *MDp; --unsigned char *X; --unsigned int count; +-MD4Update(MD4_CTX *MDp, unsigned char *X, unsigned int count) -{ - unsigned int i, tmp, bit, byte, mask; - unsigned char XX[64]; @@ -511,9 +529,7 @@ index d943e8885f2d..000000000000 -** Finish up MD4 computation and return message digest. -*/ -void --MD4Final(buf, MD) --unsigned char *buf; --MD4_CTX *MD; +-MD4Final(unsigned char *buf, MD4_CTX *MD) -{ - int i, j; - unsigned int w; @@ -533,10 +549,10 @@ index d943e8885f2d..000000000000 -****************************(cut)***********************************/ diff --git a/pppd/md4.h b/pppd/md4.h deleted file mode 100644 -index 80e8f9a2acca..000000000000 +index b6fc3f561faa..000000000000 --- a/pppd/md4.h +++ /dev/null -@@ -1,64 +0,0 @@ +@@ -1,55 +0,0 @@ - -/* -** ******************************************************************** @@ -547,15 +563,6 @@ index 80e8f9a2acca..000000000000 -** ******************************************************************** -*/ - --#ifndef __P --# if defined(__STDC__) || defined(__GNUC__) --# define __P(x) x --# else --# define __P(x) () --# endif --#endif -- -- -/* MDstruct is the data structure for a message digest computation. -*/ -typedef struct { @@ -568,7 +575,7 @@ index 80e8f9a2acca..000000000000 -** Initialize the MD4_CTX prepatory to doing a message digest -** computation. -*/ --extern void MD4Init __P((MD4_CTX *MD)); +-extern void MD4Init(MD4_CTX *MD); - -/* MD4Update(MD,X,count) -** Input: X -- a pointer to an array of unsigned characters. 
@@ -582,7 +589,7 @@ index 80e8f9a2acca..000000000000 -** every MD computation should end with one call to MD4Update with a -** count less than 512. Zero is OK for a count. -*/ --extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count)); +-extern void MD4Update(MD4_CTX *MD, unsigned char *X, unsigned int count); - -/* MD4Print(MD) -** Prints message digest buffer MD as 32 hexadecimal digits. @@ -590,23 +597,23 @@ index 80e8f9a2acca..000000000000 -** of buffer[3]. -** Each byte is printed with high-order hexadecimal digit first. -*/ --extern void MD4Print __P((MD4_CTX *)); +-extern void MD4Print(MD4_CTX *); - -/* MD4Final(buf, MD) -** Returns message digest from MD and terminates the message -** digest computation. -*/ --extern void MD4Final __P((unsigned char *, MD4_CTX *)); +-extern void MD4Final(unsigned char *, MD4_CTX *); - -/* -** End of md4.h -****************************(cut)***********************************/ diff --git a/pppd/md5.c b/pppd/md5.c deleted file mode 100644 -index 6f8f7207c592..000000000000 +index f7988e64141a..000000000000 --- a/pppd/md5.c +++ /dev/null -@@ -1,311 +0,0 @@ +@@ -1,299 +0,0 @@ - - -/* @@ -642,8 +649,6 @@ index 6f8f7207c592..000000000000 - *********************************************************************** - */ - --#ifndef USE_EAPTLS -- -#include <string.h> -#include "md5.h" - @@ -713,8 +718,7 @@ index 6f8f7207c592..000000000000 -/* The routine MD5_Init initializes the message-digest context - mdContext. All fields are set to zero. - */ --void MD5_Init (mdContext) --MD5_CTX *mdContext; +-void MD5_Init (MD5_CTX *mdContext) -{ - mdContext->i[0] = mdContext->i[1] = (UINT4)0; - 
@@ -730,10 +734,7 @@ index 6f8f7207c592..000000000000 - account for the presence of each of the characters inBuf[0..inLen-1] - in the message whose digest is being computed. - */ --void MD5_Update (mdContext, inBuf, inLen) --MD5_CTX *mdContext; --unsigned char *inBuf; --unsigned int inLen; +-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen) -{ - UINT4 in[16]; - int mdi; @@ -768,9 +769,7 @@ index 6f8f7207c592..000000000000 -/* The routine MD5Final terminates the message-digest computation and - ends with the desired message digest in mdContext->digest[0...15]. - */ --void MD5_Final (hash, mdContext) --unsigned char hash[]; --MD5_CTX *mdContext; +-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext) -{ - UINT4 in[16]; - int mdi; @@ -811,9 +810,7 @@ index 6f8f7207c592..000000000000 - -/* Basic MD5 step. Transforms buf based on in. - */ --static void Transform (buf, in) --UINT4 *buf; --UINT4 *in; +-static void Transform (UINT4 *buf, UINT4 *in) -{ - UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; - @@ -916,14 +913,12 @@ index 6f8f7207c592..000000000000 - ** End of md5.c ** - ******************************** (cut) ******************************** - */ --#endif /* USE_EAPTLS */ -- diff --git a/pppd/md5.h b/pppd/md5.h deleted file mode 100644 -index 14d712171c5e..000000000000 +index 71e8b00e2dde..000000000000 --- a/pppd/md5.h +++ /dev/null -@@ -1,68 +0,0 @@ +@@ -1,65 +0,0 @@ -/* - *********************************************************************** - ** md5.h -- header file for implementation of MD5 ** @@ -962,7 +957,6 @@ index 14d712171c5e..000000000000 - ** documentation and/or software. ** - *********************************************************************** - */ --#ifndef USE_EAPTLS - -#ifndef __MD5_INCLUDE__ - @@ -990,8 +984,6 @@ index 14d712171c5e..000000000000 - -#define __MD5_INCLUDE__ -#endif /* __MD5_INCLUDE__ */ -- --#endif /* USE_EAPTLS */ 
diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c index 8af03aa3713e..90d9b025d211 100644 --- a/pppd/plugins/radius/md5.c @@ -1006,7 +998,7 @@ index 8af03aa3713e..90d9b025d211 100644 void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen) { diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c -index 06e00590b635..60282d9b2b9c 100644 +index c5798316719a..d5d63698a6dc 100644 --- a/pppd/plugins/radius/radius.c +++ b/pppd/plugins/radius/radius.c @@ -31,7 +31,7 @@ static char const RCSID[] = @@ -1019,7 +1011,7 @@ index 06e00590b635..60282d9b2b9c 100644 #endif #include "radiusclient.h" diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c -index bb05acd87dce..5f87a317b677 100644 +index 0c395c34711a..6320645ac994 100644 --- a/pppd/plugins/winbind.c +++ b/pppd/plugins/winbind.c @@ -38,7 +38,7 @@ @@ -1033,10 +1025,10 @@ index bb05acd87dce..5f87a317b677 100644 #include "ipcp.h" diff --git a/pppd/sha1.c b/pppd/sha1.c deleted file mode 100644 -index f4f975cf516f..000000000000 +index 4e51cee506c2..000000000000 --- a/pppd/sha1.c +++ /dev/null -@@ -1,170 +0,0 @@ +@@ -1,171 +0,0 @@ -/* - * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c - * @@ -1056,6 +1048,7 @@ index f4f975cf516f..000000000000 -/* #define SHA1HANDSOFF * Copies data before messing with it. */ - -#include <string.h> +-#include <time.h> -#include <netinet/in.h> /* htonl() */ -#include <net/ppp_defs.h> -#include "sha1.h" diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch similarity index 63% rename from patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch rename to patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch index c205b15ed..11020e0cc 100644 --- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch +++ b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch @@ -13,14 +13,14 @@ 
Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de> Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> --- - pppd/Makefile.linux | 10 ++++------ - 1 file changed, 4 insertions(+), 6 deletions(-) + pppd/Makefile.linux | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux -index cb9d4f9dcf22..ea0a7f02766b 100644 +index bc01e3fd2a24..9b0119463c1f 100644 --- a/pppd/Makefile.linux +++ b/pppd/Makefile.linux -@@ -103,8 +103,8 @@ endif +@@ -111,8 +111,8 @@ endif # EAP SRP-SHA1 ifdef USE_SRP @@ -31,32 +31,12 @@ index cb9d4f9dcf22..ea0a7f02766b 100644 TARGETS += srp-entry EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry MANPAGES += srp-entry.8 -@@ -114,7 +114,7 @@ endif - - # EAP-TLS - ifdef USE_EAPTLS --CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include -+CFLAGS += -DUSE_EAPTLS=1 - LIBS += -lssl - PPPDSRC += eap-tls.c - HEADERS += eap-tls.h -@@ -126,10 +126,8 @@ CFLAGS += -DHAS_SHADOW - #LIBS += -lshadow $(LIBS) - endif - --ifneq ($(wildcard /usr/include/crypt.h),) - CFLAGS += -DHAVE_CRYPT_H=1 - LIBS += -lcrypt --endif - - ifdef USE_LIBUTIL - CFLAGS += -DHAVE_LOGWTMP=1 -@@ -138,7 +136,7 @@ endif +@@ -146,7 +146,7 @@ endif ifdef NEEDDES ifndef USE_CRYPT --CFLAGS += -I/usr/include/openssl +-CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl +CFLAGS += -I$(SYSROOT)/usr/include/openssl - LIBS += -lcrypto else CFLAGS += -DUSE_CRYPT=1 + endif diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch similarity index 87% rename from patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch rename to patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch index f57361a4c..590cf3ae4 100644 --- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch 
+++ b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch @@ -11,11 +11,11 @@ Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de> 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/configure b/configure -index 6a55e0f08be4..3886564fa495 100755 +index b0c3d2b49122..4bc6a18fad32 100755 --- a/configure +++ b/configure -@@ -14,6 +14,16 @@ SYSCONF=/etc - # fi +@@ -15,6 +15,16 @@ release=`uname -r` + arch=`uname -m` state="unknown" +if [ -n $TARGET_OS ]; then @@ -32,10 +32,10 @@ index 6a55e0f08be4..3886564fa495 100755 Linux) makext="linux"; diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux -index bc29968d44c9..e010ad215981 100644 +index 6403e3d477e3..375be764e19a 100644 --- a/pppd/plugins/Makefile.linux +++ b/pppd/plugins/Makefile.linux -@@ -47,5 +47,5 @@ clean: +@@ -49,5 +49,5 @@ clean: for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done depend: diff --git a/patches/ppp-2.4.9/series b/patches/ppp-2.4.9/series new file mode 100644 index 000000000..4028f0892 --- /dev/null +++ b/patches/ppp-2.4.9/series @@ -0,0 +1,17 @@ +# generated by git-ptx-patches +#tag:base --start-number 1 +#tag:upstream --start-number 1 +0001-configure-Allow-commas-in-the-CFLAGS-220.patch +0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch +#tag:debian --start-number 100 +0100-support-building-pppdump-with-the-system-zlib.patch +0101-disable-unneeded-code-in-the-pppoatm-plugin.patch +0102-pppoe_noads.patch +0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch +0104-resolv.conf_no_log.patch +0105-Debian-specific-changes.patch +0106-Replace-vendored-hash-functions-with-libcrypto.patch +#tag:ptx --start-number 200 +0200-pppd-make-makefile-sysroot-aware.patch +0201-pppd-make-the-self-made-configure-cross-aware.patch +# 9c9016a8956cf8c0dc84ee8dbe803cf3 - git-ptx-patches magic diff --git a/rules/ppp.make b/rules/ppp.make index 8bfb88b55..932910c98 100644 --- a/rules/ppp.make +++ b/rules/ppp.make 
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_PPP) += ppp # # Paths and names # -PPP_VERSION := 2.4.7 -PPP_MD5 := 78818f40e6d33a1d1de68a1551f6595a +PPP_VERSION := 2.4.9 +PPP_MD5 := c88153ae3d16ae114152cd3c15c7301d PPP := ppp-$(PPP_VERSION) PPP_SUFFIX := tar.gz PPP_URL := http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX) @@ -55,7 +55,7 @@ PPP_SHARED_INST_PATH := /usr/lib/pppd/$(PPP_VERSION) $(STATEDIR)/ppp.prepare: @$(call targetinfo) @cd $(PPP_DIR) && $(PPP_PATH) $(PPP_CONF_ENV) \ - ./configure --prefix=/usr --sysconfdir=/etc + ./configure --prefix=/usr --sysconfdir=/etc --cc=$(CROSS_CC) @$(call disable_sh,$(PPP_DIR)/pppd/Makefile,USE_PAM=y) -- 2.30.2
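Review bot: In the openssl include hunk of 0200-pppd-make-makefile-sysroot-aware.patch, the removed line shows that 2.4.9 already uses `-I$(shell $(CC) --print-sysroot)/usr/include/openssl`, and the patch replaces it with `-I$(SYSROOT)/usr/include/openssl`. If `$(SYSROOT)` expands to nothing, the include path silently becomes the build host's /usr/include/openssl, whereas the upstream form follows whatever compiler is in use, and rules/ppp.make now passes `--cc=$(CROSS_CC)` to configure. Either drop this hunk or state in the commit message why the explicit variable is still required. The message should also say why the earlier EAP-TLS (`-I/usr/kerberos/include`) and crypt.h `wildcard` hunks were removed from this patch.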
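Review bot: In the `configure` hunk of 0201-pppd-make-the-self-made-configure-cross-aware.patch, the test `[ -n $TARGET_OS ]` leaves the variable unquoted, so when TARGET_OS is unset or empty it collapses to `[ -n ]`, which evaluates true, and the body of the `if` runs even for a native build. Quote it as `[ -n "$TARGET_OS" ]`. The line is carried over unchanged from the 2.4.7 version of the patch, so the rebase onto 2.4.9 is a good point to fix it.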
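Review bot: In the first rules/ppp.make hunk, the unchanged PPP_URL context line still fetches the tarball over plain `http://ftp.samba.org/pub/ppp/`, so the only thing authenticating the new 2.4.9 source is the updated PPP_MD5 value. Please say in the commit message what the new checksum was verified against, and switch PPP_URL to an HTTPS location if the mirror provides one, so the download of a network-facing daemon does not rest on MD5 alone.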
* Re: [ptxdist] [APPLIED] ppp: version bump 2.4.7 -> 2.4.9 2021-06-23 7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl @ 2021-06-29 5:09 ` Michael Olbrich 0 siblings, 0 replies; 11+ messages in thread From: Michael Olbrich @ 2021-06-29 5:09 UTC (permalink / raw) To: ptxdist; +Cc: Alexander Dahl Thanks, applied as 34ea6a37b0cbfe64f17890aa37b1b3a4a1efc486. Michael [sent from post-receive hook] On Tue, 29 Jun 2021 07:09:36 +0200, Alexander Dahl <ada@thorsis.com> wrote: > - imported two post 2.4.9 upstream patches > - imported Debian patches from package ppp (2.4.9-1+1) > - adapted ptx patches > > Signed-off-by: Alexander Dahl <ada@thorsis.com> > Message-Id: <20210623073309.23058-6-ada@thorsis.com> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > > diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch > deleted file mode 100644 > index c6a76ce6567a..000000000000 > --- a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch > +++ /dev/null 
> @@ -1,48 +0,0 @@ > -From: Martin von Gagern <Martin.vGagern@gmx.net> > -Date: Sat, 9 Aug 2014 22:44:45 -0400 > -Subject: [PATCH] abort on errors in subdir builds > - > -The current recursive loops do not check the exit status of make > -in subdirs which leads to `make` passing even when a subdir failed > -to compile or install. > - > -URL: https://bugs.gentoo.org/334727 > -Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net> > -Signed-off-by: Mike Frysinger <vapier@gentoo.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/Makefile.linux | 8 ++++---- > - 1 file changed, 4 insertions(+), 4 deletions(-) > - > -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux > -index ab8cf50d9472..8a90e393a057 100644 > ---- a/pppd/plugins/Makefile.linux > -+++ b/pppd/plugins/Makefile.linux > -@@ -27,7 +27,7 @@ include .depend > - endif > - > - all: $(PLUGINS) > -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done > -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done > - > - %.so: %.c > - $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ > -@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) > - install: $(PLUGINS) > - $(INSTALL) -d $(LIBDIR) > - $(INSTALL) $? $(LIBDIR) > -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done > -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done > - > - clean: > - rm -f *.o *.so *.a > -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done > -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done > - > - depend: > - $(CPP) -M $(CFLAGS) *.c >.depend > -- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done > -+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done 
> diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch > deleted file mode 100644 > index dc24c228eafa..000000000000 > --- a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch > +++ /dev/null > @@ -1,29 +0,0 @@ > -From: radaiming <radaiming@gmail.com> > -Date: Sat, 13 Dec 2014 14:42:34 +0800 > -Subject: [PATCH] scripts: Avoid killing wrong pppd > - > - poff could kill other pppd processes when there are many pppd > - running on different serial port. > - > - Signed-off-by: Ming Dai <radaiming@gmail.com> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - scripts/poff | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/scripts/poff b/scripts/poff > -index 3f55a7f40010..5b45d98a2b6a 100644 > ---- a/scripts/poff > -+++ b/scripts/poff > -@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then > - fi > - > - # There is an argument, so kill the pppd started on that provider. > --PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'` > -+PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'` > - if test -n "$PID" ; then > - $KILL -$SIG $PID || { > - echo "$0: $KILL failed. None ${DONE}." > diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch > deleted file mode 100644 > index 2bd23b9216ec..000000000000 > --- a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch > +++ /dev/null 
> @@ -1,30 +0,0 @@ > -From: "Philip A. Prindeville" <philipp@redfish-solutions.com> > -Date: Fri, 19 Dec 2014 17:52:58 -0700 > -Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal > - > -print_string() displays characters as \\%.03o but without first > -casting it from "char" to "unsigned char" so it gets sign-extended > -to an int. This causes output like \37777777630 instead of \230. > - > -Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/utils.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/utils.c b/pppd/utils.c > -index 29bf970905d5..3ac1b60926d2 100644 > ---- a/pppd/utils.c > -+++ b/pppd/utils.c > -@@ -625,7 +625,7 @@ print_string(p, len, printer, arg) > - printer(arg, "\\t"); > - break; > - default: > -- printer(arg, "\\%.3o", c); > -+ printer(arg, "\\%.3o", (unsigned char) c); > - } > - } > - } > diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch > deleted file mode 100644 > index 6d4bd5c106bb..000000000000 > --- a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch > +++ /dev/null 
> @@ -1,33 +0,0 @@ > -From: Simon Farnsworth <simon@farnz.org.uk> > -Date: Sun, 1 Mar 2015 11:49:06 +0000 > -Subject: [PATCH] Suppress false error message on PPPoE disconnect > - > -Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered > -disconnect will result in EALREADY when pppd tries to clear the session ID. > - > -Simply ignore the error if, and only if, the error is EALREADY > - > -[1] https://patchwork.ozlabs.org/patch/444717/ > - > -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/plugin.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c > -index a8c2bb4f4a6a..da50cdf2b9d3 100644 > ---- a/pppd/plugins/rp-pppoe/plugin.c > -+++ b/pppd/plugins/rp-pppoe/plugin.c > -@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void) > - memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ); > - memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN); > - if (connect(conn->sessionSocket, (struct sockaddr *) &sp, > -- sizeof(struct sockaddr_pppox)) < 0) > -+ sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY) > - error("Failed to disconnect PPPoE socket: %d %m", errno); > - close(conn->sessionSocket); > - /* don't send PADT?? */ > diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch > deleted file mode 100644 > index 28efdfc713a5..000000000000 > --- a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch > +++ /dev/null 
> @@ -1,36 +0,0 @@ > -From: Simon Farnsworth <simon@farnz.org.uk> > -Date: Sun, 1 Mar 2015 11:53:58 +0000 > -Subject: [PATCH] Send PADT on PPPoE disconnect > - > -Once we've terminated the PPP session, there is no chance of a PPP layer > -disconnect. Some PPPoE relays don't detect the PPP session going down, and > -depend on a long timeout or a PPPoE PADT to terminate the session. > - > -Send a PADT on disconnect to work around these buggy relays. > - > -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/plugin.c | 5 +++-- > - 1 file changed, 3 insertions(+), 2 deletions(-) > - > -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c > -index da50cdf2b9d3..c89be94250bc 100644 > ---- a/pppd/plugins/rp-pppoe/plugin.c > -+++ b/pppd/plugins/rp-pppoe/plugin.c > -@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void) > - sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY) > - error("Failed to disconnect PPPoE socket: %d %m", errno); > - close(conn->sessionSocket); > -- /* don't send PADT?? */ > -- if (conn->discoverySocket >= 0) > -+ if (conn->discoverySocket >= 0) { > -+ sendPADT(conn, NULL); > - close(conn->discoverySocket); > -+ } > - } > - > - static void > diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch > deleted file mode 100644 > index 7d98127c286f..000000000000 > --- a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch > +++ /dev/null 
> @@ -1,30 +0,0 @@ > -From: Paul Mackerras <paulus@samba.org> > -Date: Fri, 14 Aug 2015 17:56:26 +1000 > -Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name > - > -This fixes an if condition to prevent a possible 1-byte overrun > -on ipxcp_hisoptions[0].name. > - > -Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com> > -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ipxcp.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c > -index 7b2343e15537..aaff10f76200 100644 > ---- a/pppd/ipxcp.c > -+++ b/pppd/ipxcp.c > -@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree) > - case IPX_ROUTER_NAME: > - if (cilen >= CILEN_NAME) { > - int name_size = cilen - CILEN_NAME; > -- if (name_size > sizeof (ho->name)) > -+ if (name_size >= sizeof (ho->name)) > - name_size = sizeof (ho->name) - 1; > - memset (ho->name, 0, sizeof (ho->name)); > - memcpy (ho->name, p, name_size); > diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch > deleted file mode 100644 > index 475edae24935..000000000000 > --- a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch > +++ /dev/null 
> @@ -1,30 +0,0 @@ > -From: Sylvain Rochet <gradator@gradator.net> > -Date: Wed, 25 Mar 2015 00:25:18 +0100 > -Subject: [PATCH] pppd: Fix ccp_options.mppe type > - > -This corrects the type of ccp_options.mppe; it is actually a bitfield of > -MPPE_OPT_* and not a boolean. > - > -Signed-off-by: Sylvain Rochet <gradator@gradator.net> > -Signed-off-by: Paul Mackerras <paulus@samba.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ccp.h | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/ccp.h b/pppd/ccp.h > -index 6f4a2fee0a2c..76446db007c0 100644 > ---- a/pppd/ccp.h > -+++ b/pppd/ccp.h > -@@ -37,7 +37,7 @@ typedef struct ccp_options { > - bool predictor_2; /* do Predictor-2? */ > - bool deflate_correct; /* use correct code for deflate? */ > - bool deflate_draft; /* use draft RFC code for deflate? */ > -- bool mppe; /* do MPPE? */ > -+ u_char mppe; /* MPPE bitfield */ > - u_short bsd_bits; /* # bits/code for BSD Compress */ > - u_short deflate_size; /* lg(window size) for Deflate */ > - short method; /* code for chosen compression method */ > diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch > deleted file mode 100644 > index d73b4de32b38..000000000000 > --- a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch > +++ /dev/null 
> @@ -1,33 +0,0 @@ > -From: Sylvain Rochet <gradator@gradator.net> > -Date: Tue, 24 Mar 2015 21:21:40 +0100 > -Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct > - and deflate_draft are enabled > - > -This fixes a bug where ccp_cilen() will return 4 bytes less than > -necessary for the addci buffer if both deflate_correct and > -deflate_draft are enabled. > - > -Signed-off-by: Sylvain Rochet <gradator@gradator.net> > -Signed-off-by: Paul Mackerras <paulus@samba.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ccp.c | 3 ++- > - 1 file changed, 2 insertions(+), 1 deletion(-) > - > -diff --git a/pppd/ccp.c b/pppd/ccp.c > -index 5814f358eb44..7d7922afcfc0 100644 > ---- a/pppd/ccp.c > -+++ b/pppd/ccp.c > -@@ -676,7 +676,8 @@ ccp_cilen(f) > - ccp_options *go = &ccp_gotoptions[f->unit]; > - > - return (go->bsd_compress? CILEN_BSD_COMPRESS: 0) > -- + (go->deflate? CILEN_DEFLATE: 0) > -+ + (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0) > -+ + (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0) > - + (go->predictor_1? CILEN_PREDICTOR_1: 0) > - + (go->predictor_2? CILEN_PREDICTOR_2: 0) > - + (go->mppe? CILEN_MPPE: 0); > diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch > deleted file mode 100644 > index 39af8cf33b1c..000000000000 > --- a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch > +++ /dev/null 
> @@ -1,24 +0,0 @@ > -From: YASUOKA Masahiko <yasuoka@yasuoka.net> > -Date: Wed, 16 Mar 2016 13:39:19 +0900 > -Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya. > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/fsm.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/fsm.c b/pppd/fsm.c > -index c200cc3a8438..e9bd34f0e8f4 100644 > ---- a/pppd/fsm.c > -+++ b/pppd/fsm.c > -@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len) > - f->nakloops = 0; > - > - } else { > -- /* we sent CONFACK or CONFREJ */ > -+ /* we sent CONFNAK or CONFREJ */ > - if (f->state != ACKRCVD) > - f->state = REQSENT; > - if( code == CONFNAK ) > diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch > deleted file mode 100644 > index c9d56cdbbad5..000000000000 > --- a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch > +++ /dev/null > @@ -1,24 +0,0 @@ > -From: Dmitry Deshevoy <mityada@gmail.com> > -Date: Thu, 31 Mar 2016 23:39:32 +0400 > -Subject: [PATCH] plog: count only relevant lines from syslog > - > -Closes paulusmack/ppp#42 > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - scripts/plog | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/scripts/plog b/scripts/plog > -index 84d2c7340cc6..7cb53346413d 100644 > ---- a/scripts/plog > -+++ b/scripts/plog > -@@ -3,5 +3,5 @@ > - if [ -s /var/log/ppp.log ]; then > - exec tail "$@" /var/log/ppp.log > - else > -- exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\[' > -+ exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@" > - fi 
> diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch > deleted file mode 100644 > index ed313eeaa6d4..000000000000 > --- a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch > +++ /dev/null > @@ -1,33 +0,0 @@ > -From: Stefan Nickl <Stefan.Nickl@gmail.com> > -Date: Wed, 10 Aug 2016 21:32:21 +0200 > -Subject: [PATCH] Change include from sys/errno.h to errno.h > - > -According to POSIX, the canonical location for errno.h is on the top level. > - > -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/sys-linux.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index e5e9baf8821f..908aa4f22297 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -73,12 +73,12 @@ > - #include <sys/types.h> > - #include <sys/socket.h> > - #include <sys/time.h> > --#include <sys/errno.h> > - #include <sys/file.h> > - #include <sys/stat.h> > - #include <sys/utsname.h> > - #include <sys/sysmacros.h> > - > -+#include <errno.h> > - #include <stdio.h> > - #include <stdlib.h> > - #include <syslog.h> > diff --git a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch > deleted file mode 100644 > index 26d56de1d43a..000000000000 > --- a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch > +++ /dev/null 
> @@ -1,214 +0,0 @@ > -From: Paul Mackerras <paulus@samba.org> > -Date: Tue, 23 Aug 2016 16:10:21 +1000 > -Subject: [PATCH] pppd: allow use of arbitrary interface names > - > -This is a modified version of a patch from openSUSE that enables PPP interfaces > -to be called arbitrary names, rather than simply pppX where X is the unit > -number. > - > -The modifications from the stock openSUSE patch are: > - refresh patch on top of 018_ip up_option.diff > -- fix a printf format-string vulnerability in pppd/main.c:set_ifunit() > -- clarify the pppd.8 manpage additions > -- patch pppstats/pppstats.c to query renamed interfaces without complaint > - > -Origin: SUSE > -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646 > -Forwarded: no > -Reviewed-by: Chris Boot <bootc@debian.org> > -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/main.c | 16 ++++++---------- > - pppd/options.c | 5 +++++ > - pppd/pppd.8 | 8 +++++++- > - pppd/pppd.h | 11 +++++++++++ > - pppd/sys-linux.c | 15 +++++++++++++++ > - pppstats/pppstats.c | 12 ++++++------ > - 6 files changed, 50 insertions(+), 17 deletions(-) > - > -diff --git a/pppd/main.c b/pppd/main.c > -index 6d50d1bac1d9..f1986ed68d0b 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -124,7 +124,7 @@ > - static const char rcsid[] = RCSID; > - > - /* interface vars */ > --char ifname[32]; /* Interface name */ > -+char ifname[MAXIFNAMELEN]; /* Interface name */ > - int ifunit; /* Interface unit number */ > - > - struct channel *the_channel; > -@@ -298,13 +298,6 @@ struct protent *protocols[] = { > - NULL > - }; > - > --/* > -- * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name. 
> -- */ > --#if !defined(PPP_DRV_NAME) > --#define PPP_DRV_NAME "ppp" > --#endif /* !defined(PPP_DRV_NAME) */ > -- > - int > - main(argc, argv) > - int argc; > -@@ -737,8 +730,11 @@ void > - set_ifunit(iskey) > - int iskey; > - { > -- info("Using interface %s%d", PPP_DRV_NAME, ifunit); > -- slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit); > -+ if (req_ifname[0] != '\0') > -+ slprintf(ifname, sizeof(ifname), "%s", req_ifname); > -+ else > -+ slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit); > -+ info("Using interface %s", ifname); > - script_setenv("IFNAME", ifname, iskey); > - if (iskey) { > - create_pidfile(getpid()); /* write pid to file */ > -diff --git a/pppd/options.c b/pppd/options.c > -index f66b7657bc31..91da515ac533 100644 > ---- a/pppd/options.c > -+++ b/pppd/options.c > -@@ -114,6 +114,7 @@ char linkname[MAXPATHLEN]; /* logical name for link */ > - bool tune_kernel; /* may alter kernel settings */ > - int connect_delay = 1000; /* wait this many ms after connect script */ > - int req_unit = -1; /* requested interface unit */ > -+char req_ifname[MAXIFNAMELEN]; /* requested interface name */ > - bool multilink = 0; /* Enable multilink operation */ > - char *bundle_name = NULL; /* bundle name for multilink */ > - bool dump_options; /* print out option values */ > -@@ -283,6 +284,10 @@ option_t general_options[] = { > - "PPP interface unit number to use if possible", > - OPT_PRIO | OPT_LLIMIT, 0, 0 }, > - > -+ { "ifname", o_string, req_ifname, > -+ "Set PPP interface name", > -+ OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXIFNAMELEN }, > -+ > - { "dump", o_bool, &dump_options, > - "Print out option values after parsing all options", 1 }, > - { "dryrun", o_bool, &dryrun, > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index e2768b135273..64659cf867b2 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later. 
> - .TP > - .B unit \fInum > - Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound > --connections. > -+connections. If the unit is already in use a dynamically allocated number will > -+be used. > -+.TP > -+.B ifname \fIstring > -+Set the ppp interface name for outbound connections. If the interface name is > -+already in use, or if the name cannot be used for any other reason, pppd will > -+terminate. > - .TP > - .B unset \fIname > - Remove a variable from the environment variable for scripts that are > -diff --git a/pppd/pppd.h b/pppd/pppd.h > -index 247fa153739b..1a1bf0b99582 100644 > ---- a/pppd/pppd.h > -+++ b/pppd/pppd.h > -@@ -80,6 +80,16 @@ > - #define MAXARGS 1 /* max # args to a command */ > - #define MAXNAMELEN 256 /* max length of hostname or name for auth */ > - #define MAXSECRETLEN 256 /* max length of password or secret */ > -+#define MAXIFNAMELEN 32 /* max length of interface name; or use IFNAMSIZ, can we > -+ always include net/if.h? */ > -+ > -+/* > -+ * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name. > -+ * Where should PPP_DRV_NAME come from? Do we include it here? > -+ */ > -+#if !defined(PPP_DRV_NAME) > -+#define PPP_DRV_NAME "ppp" > -+#endif /* !defined(PPP_DRV_NAME) */ > - > - /* > - * Option descriptor structure. > -@@ -318,6 +328,7 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */ > - extern int connect_delay; /* Time to delay after connect script */ > - extern int max_data_rate; /* max bytes/sec through charshunt */ > - extern int req_unit; /* interface unit number to use */ > -+extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */ > - extern bool multilink; /* enable multilink operation */ > - extern bool noendpoint; /* don't send or accept endpt. discrim. 
*/ > - extern char *bundle_name; /* bundle name for multilink */ > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 908aa4f22297..9b2f293024ac 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -641,6 +641,21 @@ static int make_ppp_unit() > - } > - if (x < 0) > - error("Couldn't create new ppp unit: %m"); > -+ > -+ if (x == 0 && req_ifname[0] != '\0') { > -+ struct ifreq ifr; > -+ char t[MAXIFNAMELEN]; > -+ memset(&ifr, 0, sizeof(struct ifreq)); > -+ slprintf(t, sizeof(t), "%s%d", PPP_DRV_NAME, ifunit); > -+ strncpy(ifr.ifr_name, t, IF_NAMESIZE); > -+ strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE); > -+ x = ioctl(sock_fd, SIOCSIFNAME, &ifr); > -+ if (x < 0) > -+ error("Couldn't rename interface %s to %s: %m", t, req_ifname); > -+ else > -+ info("Renamed interface %s to %s", t, req_ifname); > -+ } > -+ > - return x; > - } > - > -diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c > -index 6367988eb96b..46cb9c24942b 100644 > ---- a/pppstats/pppstats.c > -+++ b/pppstats/pppstats.c > -@@ -88,7 +88,6 @@ int aflag; /* print absolute values, not deltas */ > - int dflag; /* print data rates, not bytes */ > - int interval, count; > - int infinite; > --int unit; > - int s; /* socket or /dev/ppp file descriptor */ > - int signalled; /* set if alarm goes off "early" */ > - char *progname; > -@@ -449,6 +448,7 @@ main(argc, argv) > - { > - int c; > - #ifdef STREAMS > -+ int unit; > - char *dev; > - #endif > - > -@@ -506,11 +506,6 @@ main(argc, argv) > - if (argc > 0) > - interface = argv[0]; > - > -- if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) { > -- fprintf(stderr, "%s: invalid interface '%s' specified\n", > -- progname, interface); > -- } > -- > - #ifndef STREAMS > - { > - struct ifreq ifr; > -@@ -535,6 +530,11 @@ main(argc, argv) > - } > - > - #else /* STREAMS */ > -+ if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) { > -+ fprintf(stderr, "%s: invalid interface '%s' specified\n", > -+ progname, interface); > -+ } > -+ > - #ifdef 
__osf__ > - dev = "/dev/streams/ppp"; > - #else > diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch > deleted file mode 100644 > index 2199e7f7dfdf..000000000000 > --- a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch > +++ /dev/null > @@ -1,25 +0,0 @@ > -From: George Burgess IV <george@gbiv.net> > -Date: Fri, 9 Sep 2016 17:36:54 -0700 > -Subject: [PATCH] pppd: Remove unused declaration of ttyname. > - > -Signed-off-by: George Burgess IV <george@gbiv.net> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/main.c | 1 - > - 1 file changed, 1 deletion(-) > - > -diff --git a/pppd/main.c b/pppd/main.c > -index f1986ed68d0b..76b67d2485b7 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -257,7 +257,6 @@ static void cleanup_db __P((void)); > - static void handle_events __P((void)); > - void print_link_stats __P((void)); > - > --extern char *ttyname __P((int)); > - extern char *getlogin __P((void)); > - int main __P((int, char *[])); > - > diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch > deleted file mode 100644 > index 39fc3d4f6f86..000000000000 > --- a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch > +++ /dev/null 
> @@ -1,52 +0,0 @@ > -From: Stefan Nickl <Stefan.Nickl@gmail.com> > -Date: Wed, 10 Aug 2016 16:52:12 +0200 > -Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery > - > -The pppoe-discovery program calls error() from the CHECK_ROOM macro > -defined in pppoe.h. Since pppoe-discovery is a standalone program not > -linked with the rest of pppd, the only way this could build is by > -linking to glibc's proprietary error(3) function instead of the function > -of the same name (but with different arguments) defined in pppd/utils.c. > - > -So with glibc this builds, but will probably crash when the assertion is > -triggered. As the assertion is unlikely to fail, nobody has noticed. > - > -The build however fails with musl libc or uClibc since they don't > -provide the doppelganger. > - > -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++ > - 1 file changed, 9 insertions(+) > - > -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c > -index 3d3bf4eecc81..55037dffb023 100644 > ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c > -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c > -@@ -9,6 +9,7 @@ > - * > - */ > - > -+#include <stdarg.h> > - #include <stdio.h> > - #include <stdlib.h> > - #include <unistd.h> > -@@ -55,6 +56,14 @@ void die(int status) > - exit(status); > - } > - > -+void error(char *fmt, ...) > -+{ > -+ va_list pvar; > -+ va_start(pvar, fmt); > -+ vfprintf(stderr, fmt, pvar); > -+ va_end(pvar); > -+} > -+ > - /* Initialize frame types to RFC 2516 values. Some broken peers apparently > - use different frame types... sigh... */ > - 
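Review bot: the removal of 0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch needs a line in the commit message saying whether ppp 2.4.9 already gives pppoe-discovery its own error(). The deleted patch's description states that without the local `void error(char *fmt, ...)` the call in the CHECK_ROOM macro binds to glibc's error(3), which takes different arguments, and that the build fails on musl libc or uClibc. CHECK_ROOM is the check placed in front of the memcpy into packet.payload elsewhere in this series, so a mismatched call there misbehaves exactly when a tag does not fit. If 2.4.9 does not cover this, forward-port the patch instead of dropping it.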
> diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch > deleted file mode 100644 > index b24e5ef5852f..000000000000 > --- a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch > +++ /dev/null > @@ -1,49 +0,0 @@ > -From: Lubomir Rintel <lkundrak@v3.sk> > -Date: Mon, 9 Jan 2017 13:34:23 +0000 > -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h > - > -This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be > -included before <linux/in.h> otherwise the earlier, unaware of the latter, > -tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work > -alone anymore, since it pulls the headers in the wrong order, so we better > -include <netinet/in.h> early. > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/pppoe.h | 7 ++++--- > - 1 file changed, 4 insertions(+), 3 deletions(-) > - > -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h > -index 9ab2eee3914c..c4aaa6e68856 100644 > ---- a/pppd/plugins/rp-pppoe/pppoe.h > -+++ b/pppd/plugins/rp-pppoe/pppoe.h > -@@ -47,6 +47,10 @@ > - #include <sys/socket.h> > - #endif > - > -+/* This has to be included before Linux 4.8's linux/in.h > -+ * gets dragged in. */ > -+#include <netinet/in.h> > -+ > - /* Ugly header files on some Linux boxes... */ > - #if defined(HAVE_LINUX_IF_H) > - #include <linux/if.h> > -@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t; > - #include <linux/if_ether.h> > - #endif > - > --#include <netinet/in.h> > -- > - #ifdef HAVE_NETINET_IF_ETHER_H > - #include <sys/types.h> > - > -@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t; > - #endif > - > - > -- > - /* Ethernet frame types according to RFC 2516 */ > - #define ETH_PPPOE_DISCOVERY 0x8863 > - #define ETH_PPPOE_SESSION 0x8864 
> diff --git a/patches/ppp-2.4.7/0016-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch > deleted file mode 100644 > index c0f222824036..000000000000 > --- a/patches/ppp-2.4.7/0016-adaptive_echos.patch > +++ /dev/null 
> @@ -1,72 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] adaptive_echos > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/lcp.c | 19 +++++++++++++++++++ > - pppd/pppd.8 | 5 +++++ > - 2 files changed, 24 insertions(+) > - > -diff --git a/pppd/lcp.c b/pppd/lcp.c > -index 8ed2778bfb67..c97a64b7774f 100644 > ---- a/pppd/lcp.c > -+++ b/pppd/lcp.c > -@@ -73,6 +73,7 @@ static void lcp_delayed_up __P((void *)); > - */ > - int lcp_echo_interval = 0; /* Interval between LCP echo-requests */ > - int lcp_echo_fails = 0; /* Tolerance to unanswered echo-requests */ > -+bool lcp_echo_adaptive = 0; /* request echo only if the link was idle */ > - bool lax_recv = 0; /* accept control chars in asyncmap */ > - bool noendpoint = 0; /* don't send/accept endpoint discriminator */ > - > -@@ -151,6 +152,8 @@ static option_t lcp_option_list[] = { > - OPT_PRIO }, > - { "lcp-echo-interval", o_int, &lcp_echo_interval, > - "Set time in seconds between LCP echo requests", OPT_PRIO }, > -+ { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive, > -+ "Suppress LCP echo requests if traffic was received", 1 }, > - { "lcp-restart", o_int, &lcp_fsm[0].timeouttime, > - "Set time in seconds between LCP retransmissions", OPT_PRIO }, > - { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits, > -@@ -2331,6 +2334,22 @@ LcpSendEchoRequest (f) > - } > - } > - > -+ /* > -+ * If adaptive echos have been enabled, only send the echo request if > -+ * no traffic was received since the last one. > -+ */ > -+ if (lcp_echo_adaptive) { > -+ static unsigned int last_pkts_in = 0; > -+ > -+ update_link_stats(f->unit); > -+ link_stats_valid = 0; > -+ > -+ if (link_stats.pkts_in != last_pkts_in) { > -+ last_pkts_in = link_stats.pkts_in; > -+ return; > -+ } > -+ } > -+ > - /* > - * Make and send the echo request frame. 
> - */ > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index 64659cf867b2..ec8bfd5c0617 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the > - dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to > - 1) in demand mode if the local address changes. > - .TP > -+.B lcp\-echo\-adaptive > -+If this option is used with the \fIlcp\-echo\-failure\fR option then > -+pppd will send LCP echo\-request frames only if no traffic was received > -+from the peer since the last echo\-request was sent. > -+.TP > - .B lcp\-echo\-failure \fIn > - If this option is given, pppd will presume the peer to be dead > - if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP > diff --git a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch > deleted file mode 100644 > index ff9096f70369..000000000000 > --- a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch > +++ /dev/null 
> @@ -1,296 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] Makefiles cleanup > - > -Factor-out $COPTS and $LDOPTS to allow distributions to easily override > -them. Properly use $LDFLAGS when linking and $CFLAGS when compiling. > -Do not strip the installed binaries: this should be done by the > -packaging system if required. > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - chat/Makefile.linux | 5 +++-- > - pppd/Makefile.linux | 7 ++++--- > - pppd/plugins/Makefile.linux | 4 ++-- > - pppd/plugins/pppoatm/Makefile.linux | 4 ++-- > - pppd/plugins/pppol2tp/Makefile.linux | 4 ++-- > - pppd/plugins/radius/Makefile.linux | 16 +++++++++------- > - pppd/plugins/rp-pppoe/Makefile.linux | 10 ++++++---- > - pppdump/Makefile.linux | 9 ++++++--- > - pppstats/Makefile.linux | 7 ++++--- > - 9 files changed, 38 insertions(+), 28 deletions(-) > - > -diff --git a/chat/Makefile.linux b/chat/Makefile.linux > -index 1065ac519576..a41d485b4168 100644 > ---- a/chat/Makefile.linux > -+++ b/chat/Makefile.linux > -@@ -12,20 +12,21 @@ CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4) > - > - COPTS= -O2 -g -pipe > - CFLAGS= $(COPTS) $(CDEFS) > -+LDFLAGS=$(LDOPTS) > - > - INSTALL= install > - > - all: chat > - > - chat: chat.o > -- $(CC) -o chat chat.o > -+ $(CC) $(LDFLAGS) -o chat chat.o > - > - chat.o: chat.c > - $(CC) -c $(CFLAGS) -o chat.o chat.c > - > - install: chat > - mkdir -p $(BINDIR) $(MANDIR) > -- $(INSTALL) -s -c chat $(BINDIR) > -+ $(INSTALL) -c chat $(BINDIR) > - $(INSTALL) -c -m 644 chat.8 $(MANDIR) > - > - clean: > -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index a74c914fd3ac..16b3ee879791 100644 > ---- a/pppd/Makefile.linux > -+++ b/pppd/Makefile.linux > -@@ -83,6 +83,7 @@ INCLUDE_DIRS= -I../include > - COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP > - > - CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) 
'-DDESTDIR="@DESTDIR@"' > -+LDFLAGS=$(LDOPTS) > - > - ifdef CHAPMS > - CFLAGS += -DCHAPMS=1 > -@@ -102,7 +103,7 @@ ifdef USE_SRP > - CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include > - LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto > - TARGETS += srp-entry > --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry > -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry > - MANPAGES += srp-entry.8 > - EXTRACLEAN += srp-entry.o > - NEEDDES=y > -@@ -208,13 +209,13 @@ all: $(TARGETS) > - install: pppd > - mkdir -p $(BINDIR) $(MANDIR) > - $(EXTRAINSTALL) > -- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd > -+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd > - if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \ > - chmod o-rx,u+s $(BINDIR)/pppd; fi > - $(INSTALL) -c -m 444 pppd.8 $(MANDIR) > - > - pppd: $(PPPDOBJS) > -- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) > -+ $(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS) > - > - srp-entry: srp-entry.c > - $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS) > -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux > -index 8a90e393a057..0f9d37d2953b 100644 > ---- a/pppd/plugins/Makefile.linux > -+++ b/pppd/plugins/Makefile.linux > -@@ -1,7 +1,7 @@ > - #CC = gcc > - COPTS = -O2 -g > - CFLAGS = $(COPTS) -I.. 
-I../../include -fPIC > --LDFLAGS = -shared > -+LDFLAGS = $(LDOPTS) > - INSTALL = install > - > - DESTDIR = $(INSTROOT)@DESTDIR@ > -@@ -30,7 +30,7 @@ all: $(PLUGINS) > - for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done > - > - %.so: %.c > -- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^ > -+ $(CC) -o $@ $(LDFLAGS) -shared $(CFLAGS) $^ > - > - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h) > - > -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux > -index 20f62e631d23..002603c6cbef 100644 > ---- a/pppd/plugins/pppoatm/Makefile.linux > -+++ b/pppd/plugins/pppoatm/Makefile.linux > -@@ -1,7 +1,7 @@ > - #CC = gcc > - COPTS = -O2 -g > - CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC > --LDFLAGS = -shared > -+LDFLAGS = $(LDOPTS) > - INSTALL = install > - > - #*********************************************************************** > -@@ -33,7 +33,7 @@ endif > - all: $(PLUGIN) > - > - $(PLUGIN): $(PLUGIN_OBJS) > -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) > -+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS) > - > - install: all > - $(INSTALL) -d -m 755 $(LIBDIR) > -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux > -index ea3538e22d56..de5cc12e79c3 100644 > ---- a/pppd/plugins/pppol2tp/Makefile.linux > -+++ b/pppd/plugins/pppol2tp/Makefile.linux > -@@ -1,7 +1,7 @@ > - #CC = gcc > - COPTS = -O2 -g > - CFLAGS = $(COPTS) -I. -I../.. 
-I../../../include -fPIC > --LDFLAGS = -shared > -+LDFLAGS = $(LDOPTS) > - INSTALL = install > - > - #*********************************************************************** > -@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so > - all: $(PLUGINS) > - > - %.so: %.o > -- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS) > -+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS) > - > - install: all > - $(INSTALL) -d -m 755 $(LIBDIR) > -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux > -index 24ed3e580c4d..436ff2fd0c23 100644 > ---- a/pppd/plugins/radius/Makefile.linux > -+++ b/pppd/plugins/radius/Makefile.linux > -@@ -12,7 +12,9 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h) > - INSTALL = install > - > - PLUGIN=radius.so radattr.so radrealms.so > --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON > -+COPTS=-g -O2 > -+CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC -DRC_LOG_FACILITY=LOG_DAEMON > -+LDFLAGS= $(LDOPTS) > - > - # Uncomment the next line to include support for Microsoft's > - # MS-CHAP authentication protocol. 
> -@@ -36,20 +38,20 @@ all: $(PLUGIN) > - > - install: all > - $(INSTALL) -d -m 755 $(LIBDIR) > -- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR) > -- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR) > -- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR) > -+ $(INSTALL) -c -m 755 radius.so $(LIBDIR) > -+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR) > -+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR) > - $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR) > - $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR) > - > - radius.so: radius.o libradiusclient.a > -- $(CC) -o radius.so -shared radius.o libradiusclient.a > -+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a > - > - radattr.so: radattr.o > -- $(CC) -o radattr.so -shared radattr.o > -+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o > - > - radrealms.so: radrealms.o > -- $(CC) -o radrealms.so -shared radrealms.o > -+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o > - > - CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \ > - clientid.o sendserver.o lock.o util.o md5.o > -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux > -index 5d7a2719545d..00e0af6da20c 100644 > ---- a/pppd/plugins/rp-pppoe/Makefile.linux > -+++ b/pppd/plugins/rp-pppoe/Makefile.linux > -@@ -27,10 +27,12 @@ RP_VERSION=3.8p > - > - COPTS=-O2 -g > - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"' > -+LDFLAGS=$(LDOPTS) > -+ > - all: rp-pppoe.so pppoe-discovery > - > - pppoe-discovery: pppoe-discovery.o debug.o > -- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o > -+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o > - > - pppoe-discovery.o: pppoe-discovery.c > - $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c > -@@ -39,13 +41,13 @@ debug.o: debug.c > - $(CC) $(CFLAGS) -c -o debug.o debug.c > - > - rp-pppoe.so: plugin.o discovery.o if.o common.o > -- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o > -+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared 
$^ > - > - install: all > - $(INSTALL) -d -m 755 $(LIBDIR) > -- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR) > -+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR) > - $(INSTALL) -d -m 755 $(BINDIR) > -- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR) > -+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR) > - > - clean: > - rm -f *.o *.so pppoe-discovery > -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux > -index ac028f6bf4f0..65e5c14914fb 100644 > ---- a/pppdump/Makefile.linux > -+++ b/pppdump/Makefile.linux > -@@ -2,7 +2,10 @@ DESTDIR = $(INSTROOT)@DESTDIR@ > - BINDIR = $(DESTDIR)/sbin > - MANDIR = $(DESTDIR)/share/man/man8 > - > --CFLAGS= -O -I../include/net > -+COPTS=-O2 -g > -+CFLAGS= $(COPTS) -I../include/net > -+LDFLAGS=$(LDOPTS) > -+ > - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o > - > - INSTALL= install > -@@ -10,12 +13,12 @@ INSTALL= install > - all: pppdump > - > - pppdump: $(OBJS) > -- $(CC) -o pppdump $(OBJS) > -+ $(CC) $(LDFLAGS) -o pppdump $(OBJS) > - > - clean: > - rm -f pppdump $(OBJS) *~ > - > - install: > - mkdir -p $(BINDIR) $(MANDIR) > -- $(INSTALL) -s -c pppdump $(BINDIR) > -+ $(INSTALL) -c pppdump $(BINDIR) > - $(INSTALL) -c -m 444 pppdump.8 $(MANDIR) > -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux > -index cca6f0f61d87..9ec8e803665a 100644 > ---- a/pppstats/Makefile.linux > -+++ b/pppstats/Makefile.linux > -@@ -10,23 +10,24 @@ PPPSTATSRCS = pppstats.c > - PPPSTATOBJS = pppstats.o > - > - #CC = gcc > --COPTS = -O > -+COPTS = -O2 -g > - COMPILE_FLAGS = -I../include > - LIBS = > - > - INSTALL= install > - > - CFLAGS = $(COPTS) $(COMPILE_FLAGS) > -+LDFLAGS= $(LDOPTS) > - > - all: pppstats > - > - install: pppstats > - -mkdir -p $(MANDIR) > -- $(INSTALL) -s -c pppstats $(BINDIR) > -+ $(INSTALL) -c pppstats $(BINDIR) > - $(INSTALL) -c -m 444 pppstats.8 $(MANDIR) > - > - pppstats: $(PPPSTATSRCS) > -- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS) > -+ $(CC) $(LDFLAGS) $(CFLAGS) -o pppstats pppstats.c $(LIBS) > - > - 
clean: > - rm -f pppstats *~ #* core > diff --git a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch > deleted file mode 100644 > index 41669d12a43f..000000000000 > --- a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch > +++ /dev/null > @@ -1,44 +0,0 @@ > -From: Simon Peter <dn.tlp@gmx.net> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist > - > -When using the kernel PPPoE driver, pppd never > -closes /dev/ppp when the link has come down. > - > -It opens superfluous fds to the device each time it re-opens the > -connection, with the unclosed ones falsely reported always ready for > -data by select(). > - > -This makes pppd eat up 100% CPU time after the first persist because of > -the always instantly returning select() on the unclosed fds. > - > -The problem also occurs with the upstream version, but does not occur > -when a pty/tty device is used for the ppp connection. > - > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/sys-linux.c | 7 +++++++ > - 1 file changed, 7 insertions(+) > - > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 9b2f293024ac..6d29dc8e8594 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd) > - if (new_style_driver) { > - int flags; > - > -+ /* if a ppp_fd is already open, close it first */ > -+ if(ppp_fd > 0) { > -+ close(ppp_fd); > -+ remove_fd(ppp_fd); > -+ ppp_fd = -1; > -+ } > -+ > - /* Open an instance of /dev/ppp and connect the channel to it */ > - if (ioctl(fd, PPPIOCGCHAN, &chindex) == -1) { > - error("Couldn't get channel number: %m"); 
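Review bot: before 0018-Bug-306261 is dropped, confirm that generic_establish_ppp() in 2.4.9 closes a previously opened ppp_fd, because the deleted patch's description ties the missing close to pppd using 100% CPU after the first persist reconnect with the kernel PPPoE driver. If the fix has to be carried forward, change the guard `if(ppp_fd > 0)` to `ppp_fd >= 0`: the block itself resets the closed state to -1, so descriptor 0 is a valid open fd that the current test would skip and leak.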
> diff --git a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch > deleted file mode 100644 > index f785c75d87bb..000000000000 > --- a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch > +++ /dev/null > @@ -1,48 +0,0 @@ > -From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment > - > -Package: ppp > -Version: 2.4.2+20040428-2 > -Severity: wishlist > - > -When pppd detaches from the parent normally, that is, without nodetach > -or updetach set, the linkpidfile is not created even when linkname is > -set. > - > -This is because the create_linkpidfile call in detach() is only made > -if the linkpidfile is filled in. However, linkpidfile is never filled > -in until create_linkpidfile has been called. > - > -IMHO the call should be made uncondtionally in detach() since > -create_linkpidfile does its own check on linkname anyway. > - > -Please note that the version of pppd in woody always wrote the > -linkpidfile after detaching. It did so in main() however. That > -call has now been removed which is why I'm seeing this problem. > - > -[...] > - > --- > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/main.c | 3 +-- > - 1 file changed, 1 insertion(+), 2 deletions(-) > - > -diff --git a/pppd/main.c b/pppd/main.c > -index 76b67d2485b7..8e31365f0c58 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -765,8 +765,7 @@ detach() > - /* update pid files if they have been written already */ > - if (pidfilename[0]) > - create_pidfile(pid); > -- if (linkpidfile[0]) > -- create_linkpidfile(pid); > -+ create_linkpidfile(pid); > - exit(0); /* parent dies */ > - } > - setsid(); 
> diff --git a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch > deleted file mode 100644 > index ee22c74b6405..000000000000 > --- a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch > +++ /dev/null 
> @@ -1,90 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] cosmetic cleanup of the pppoatm plugin > - > -Removed some debugging messages and generally cleaned up the source. > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++---------- > - 1 file changed, 13 insertions(+), 10 deletions(-) > - > -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c > -index a7560e9fb0c6..90d0c9a85d9f 100644 > ---- a/pppd/plugins/pppoatm/pppoatm.c > -+++ b/pppd/plugins/pppoatm/pppoatm.c > -@@ -70,18 +70,20 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit) > - { > - struct sockaddr_atmpvc addr; > - extern struct stat devstat; > -+ > - if (device_got_set) > - return 0; > -- //info("PPPoATM setdevname_pppoatm: '%s'", cp); > -+ > - memset(&addr, 0, sizeof addr); > - if (text2atm(cp, (struct sockaddr *) &addr, sizeof(addr), > -- T2A_PVC | T2A_NAME) < 0) { > -- if(doit) > -- info("atm does not recognize: %s", cp); > -+ T2A_PVC | T2A_NAME | T2A_WILDCARD) < 0) { > -+ if (doit) > -+ info("cannot parse the ATM address: %s", cp); > - return 0; > -- } > -- if (!doit) return 1; > -- //if (!dev_set_ok()) return -1; > -+ } > -+ if (!doit) > -+ return 1; > -+ > - memcpy(&pvcaddr, &addr, sizeof pvcaddr); > - strlcpy(devnam, cp, sizeof devnam); > - devstat.st_mode = S_IFSOCK; > -@@ -93,7 +95,6 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit) > - lcp_allowoptions[0].neg_asyncmap = 0; > - lcp_wantoptions[0].neg_pcompression = 0; > - } > -- info("PPPoATM setdevname_pppoatm - SUCCESS:%s", cp); > - device_got_set = 1; > - return 1; > - } > -@@ -108,6 +109,7 @@ static void no_device_given_pppoatm(void) > - static void set_line_discipline_pppoatm(int fd) > - { > - struct atm_backend_ppp be; > -+ > - be.backend_num = 
ATM_BACKEND_PPP; > - if (!llc_encaps) > - be.encaps = PPPOATM_ENCAPS_VC; > -@@ -115,6 +117,7 @@ static void set_line_discipline_pppoatm(int fd) > - be.encaps = PPPOATM_ENCAPS_LLC; > - else > - be.encaps = PPPOATM_ENCAPS_AUTODETECT; > -+ > - if (ioctl(fd, ATM_SETBACKEND, &be) < 0) > - fatal("ioctl(ATM_SETBACKEND): %m"); > - } > -@@ -172,7 +175,7 @@ static void disconnect_pppoatm(void) > - > - void plugin_init(void) > - { > --#if defined(__linux__) > -+#ifdef linux > - extern int new_style_driver; /* From sys-linux.c */ > - if (!ppp_available() && !new_style_driver) > - fatal("Kernel doesn't support ppp_generic - " > -@@ -180,9 +183,9 @@ void plugin_init(void) > - #else > - fatal("No PPPoATM support on this OS"); > - #endif > -- info("PPPoATM plugin_init"); > - add_options(pppoa_options); > - } > -+ > - struct channel pppoa_channel = { > - options: pppoa_options, > - process_extra_options: NULL, > diff --git a/patches/ppp-2.4.7/0023-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch > deleted file mode 100644 > index b4712de17a7f..000000000000 > --- a/patches/ppp-2.4.7/0023-pppoe_noads.patch > +++ /dev/null > @@ -1,25 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] pppoe_noads > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/plugin.c | 3 --- > - 1 file changed, 3 deletions(-) > - > -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c > -index c89be94250bc..7804b184f0cb 100644 > ---- a/pppd/plugins/rp-pppoe/plugin.c > -+++ b/pppd/plugins/rp-pppoe/plugin.c > -@@ -377,9 +377,6 @@ plugin_init(void) > - } > - > - add_options(Options); > -- > -- info("RP-PPPoE plugin version %s compiled against pppd %s", > -- RP_VERSION, VERSION); > - } > - > - void pppoe_check_options(void) 
> diff --git a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch > deleted file mode 100644 > index 557b16901f18..000000000000 > --- a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch > +++ /dev/null > @@ -1,27 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] make _PATH_CONNERRS world readable > - > -There is nothing security-sensitive there. > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/main.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/main.c b/pppd/main.c > -index 8e31365f0c58..ed544315c1df 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait) > - if (log_to_fd >= 0) > - errfd = log_to_fd; > - else > -- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600); > -+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644); > - > - ++conn_running; > - pid = safe_fork(in, out, errfd); > diff --git a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch > deleted file mode 100644 > index febfaf869f22..000000000000 > --- a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch > +++ /dev/null 
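Review bot: for the deletion of 0024-make-_PATH_CONNERRS-world-readable.patch just above, the commit message should say which mode the file ends up with after the bump, since the patch's only effect was `0600` to `0644` on `open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, ...)`. In the deleted hunk that descriptor is passed as errfd to safe_fork() inside device_script(), so the file collects whatever the script run there writes to that descriptor. Going back to the 0600 on the removed side of the hunk is the more conservative result, but a BSP that reads the file as a non-root user will notice, so the change in permissions should be called out explicitly.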
> @@ -1,46 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] Correct unkown => unknown typo > - > -Author: Chris Boot <bootc@debian.org> > -Last-Update: 2013-09-09 > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/radius/config.c | 6 +++--- > - 1 file changed, 3 insertions(+), 3 deletions(-) > - > -diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c > -index a29e5e8da909..f892ca7b1bf5 100644 > ---- a/pppd/plugins/radius/config.c > -+++ b/pppd/plugins/radius/config.c > -@@ -271,7 +271,7 @@ char *rc_conf_str(char *optname) > - option = find_option(optname, OT_STR); > - > - if (option == NULL) > -- fatal("rc_conf_str: unkown config option requested: %s", optname); > -+ fatal("rc_conf_str: unknown config option requested: %s", optname); > - return (char *)option->val; > - } > - > -@@ -282,7 +282,7 @@ int rc_conf_int(char *optname) > - option = find_option(optname, OT_INT|OT_AUO); > - > - if (option == NULL) > -- fatal("rc_conf_int: unkown config option requested: %s", optname); > -+ fatal("rc_conf_int: unknown config option requested: %s", optname); > - return *((int *)option->val); > - } > - > -@@ -293,7 +293,7 @@ SERVER *rc_conf_srv(char *optname) > - option = find_option(optname, OT_SRV); > - > - if (option == NULL) > -- fatal("rc_conf_srv: unkown config option requested: %s", optname); > -+ fatal("rc_conf_srv: unknown config option requested: %s", optname); > - return (SERVER *)option->val; > - } > - > diff --git a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch > deleted file mode 100644 > index 5cf266d10971..000000000000 > --- a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch > +++ /dev/null 
> @@ -1,302 +0,0 @@ > -From: Matteo Croce <matteo@openwrt.org> > -Date: Sat, 21 Nov 2015 18:45:43 +0100 > -Subject: [PATCH] pppoe: custom host-uniq tag > - > -Add pppoe 'host-uniq' option to set an arbitrary > -host-uniq tag instead of the pppd pid. > -Some ISPs use such tag to authenticate the CPE, > -so it must be set to a proper value to connect. > - > -Signed-off-by: Matteo Croce <matteo@openwrt.org> > -Signed-off-by: Jo-Philipp Wich <jow@openwrt.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/rp-pppoe/common.c | 14 ++++----- > - pppd/plugins/rp-pppoe/discovery.c | 51 +++++++++++++-------------------- > - pppd/plugins/rp-pppoe/plugin.c | 7 ++++- > - pppd/plugins/rp-pppoe/pppoe-discovery.c | 38 +++++++++++++++--------- > - pppd/plugins/rp-pppoe/pppoe.h | 31 +++++++++++++++++++- > - 5 files changed, 86 insertions(+), 55 deletions(-) > - > -diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c > -index 89c633c773f9..8f175ece345b 100644 > ---- a/pppd/plugins/rp-pppoe/common.c > -+++ b/pppd/plugins/rp-pppoe/common.c > -@@ -119,15 +119,11 @@ sendPADT(PPPoEConnection *conn, char const *msg) > - conn->session = 0; > - > - /* If we're using Host-Uniq, copy it over */ > -- if (conn->useHostUniq) { > -- PPPoETag hostUniq; > -- pid_t pid = getpid(); > -- hostUniq.type = htons(TAG_HOST_UNIQ); > -- hostUniq.length = htons(sizeof(pid)); > -- memcpy(hostUniq.payload, &pid, sizeof(pid)); > -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); > -- cursor += sizeof(pid) + TAG_HDR_SIZE; > -- plen += sizeof(pid) + TAG_HDR_SIZE; > -+ if (conn->hostUniq.length) { > -+ int len = ntohs(conn->hostUniq.length); > -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); > -+ cursor += len + TAG_HDR_SIZE; > -+ plen += len + TAG_HDR_SIZE; > - } > - > - /* Copy error message */ > -diff --git a/pppd/plugins/rp-pppoe/discovery.c b/pppd/plugins/rp-pppoe/discovery.c > 
-index 04877cb8295f..5db8d0defc37 100644 > ---- a/pppd/plugins/rp-pppoe/discovery.c > -+++ b/pppd/plugins/rp-pppoe/discovery.c > -@@ -80,13 +80,10 @@ static void > - parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data, > - void *extra) > - { > -- int *val = (int *) extra; > -- if (type == TAG_HOST_UNIQ && len == sizeof(pid_t)) { > -- pid_t tmp; > -- memcpy(&tmp, data, len); > -- if (tmp == getpid()) { > -- *val = 1; > -- } > -+ PPPoETag *tag = extra; > -+ > -+ if (type == TAG_HOST_UNIQ && len == ntohs(tag->length)) { > -+ tag->length = memcmp(data, tag->payload, len); > - } > - } > - > -@@ -104,16 +101,16 @@ parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data, > - static int > - packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet) > - { > -- int forMe = 0; > -+ PPPoETag hostUniq = conn->hostUniq; > - > - /* If packet is not directed to our MAC address, forget it */ > - if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0; > - > - /* If we're not using the Host-Unique tag, then accept the packet */ > -- if (!conn->useHostUniq) return 1; > -+ if (!conn->hostUniq.length) return 1; > - > -- parsePacket(packet, parseForHostUniq, &forMe); > -- return forMe; > -+ parsePacket(packet, parseForHostUniq, &hostUniq); > -+ return !hostUniq.length; > - } > - > - /********************************************************************** > -@@ -301,16 +298,12 @@ sendPADI(PPPoEConnection *conn) > - } > - > - /* If we're using Host-Uniq, copy it over */ > -- if (conn->useHostUniq) { > -- PPPoETag hostUniq; > -- pid_t pid = getpid(); > -- hostUniq.type = htons(TAG_HOST_UNIQ); > -- hostUniq.length = htons(sizeof(pid)); > -- memcpy(hostUniq.payload, &pid, sizeof(pid)); > -- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE); > -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); > -- cursor += sizeof(pid) + TAG_HDR_SIZE; > -- plen += sizeof(pid) + TAG_HDR_SIZE; > -+ if (conn->hostUniq.length) { > -+ int len = 
ntohs(conn->hostUniq.length); > -+ CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE); > -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); > -+ cursor += len + TAG_HDR_SIZE; > -+ plen += len + TAG_HDR_SIZE; > - } > - > - /* Add our maximum MTU/MRU */ > -@@ -478,16 +471,12 @@ sendPADR(PPPoEConnection *conn) > - cursor += namelen + TAG_HDR_SIZE; > - > - /* If we're using Host-Uniq, copy it over */ > -- if (conn->useHostUniq) { > -- PPPoETag hostUniq; > -- pid_t pid = getpid(); > -- hostUniq.type = htons(TAG_HOST_UNIQ); > -- hostUniq.length = htons(sizeof(pid)); > -- memcpy(hostUniq.payload, &pid, sizeof(pid)); > -- CHECK_ROOM(cursor, packet.payload, sizeof(pid)+TAG_HDR_SIZE); > -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); > -- cursor += sizeof(pid) + TAG_HDR_SIZE; > -- plen += sizeof(pid) + TAG_HDR_SIZE; > -+ if (conn->hostUniq.length) { > -+ int len = ntohs(conn->hostUniq.length); > -+ CHECK_ROOM(cursor, packet.payload, len+TAG_HDR_SIZE); > -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); > -+ cursor += len + TAG_HDR_SIZE; > -+ plen += len + TAG_HDR_SIZE; > - } > - > - /* Add our maximum MTU/MRU */ > -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c > -index 7804b184f0cb..12778d0d9991 100644 > ---- a/pppd/plugins/rp-pppoe/plugin.c > -+++ b/pppd/plugins/rp-pppoe/plugin.c > -@@ -68,6 +68,7 @@ static char *existingSession = NULL; > - static int printACNames = 0; > - static char *pppoe_reqd_mac = NULL; > - unsigned char pppoe_reqd_mac_addr[6]; > -+static char *host_uniq = NULL; > - > - static int PPPoEDevnameHook(char *cmd, char **argv, int doit); > - static option_t Options[] = { > -@@ -85,6 +86,8 @@ static option_t Options[] = { > - "Be verbose about discovered access concentrators"}, > - { "pppoe-mac", o_string, &pppoe_reqd_mac, > - "Only connect to specified MAC address" }, > -+ { "host-uniq", o_string, &host_uniq, > -+ "Specify custom Host-Uniq" }, > - { NULL } > - }; > - int (*OldDevnameHook)(char *cmd, 
char **argv, int doit) = NULL; > -@@ -110,7 +113,6 @@ PPPOEInitDevice(void) > - conn->ifName = devnam; > - conn->discoverySocket = -1; > - conn->sessionSocket = -1; > -- conn->useHostUniq = 1; > - conn->printACNames = printACNames; > - conn->discoveryTimeout = PADI_TIMEOUT; > - return 1; > -@@ -166,6 +168,9 @@ PPPOEConnectDevice(void) > - if (lcp_wantoptions[0].mru > ifr.ifr_mtu - TOTAL_OVERHEAD) > - lcp_wantoptions[0].mru = ifr.ifr_mtu - TOTAL_OVERHEAD; > - > -+ if (host_uniq && !parseHostUniq(host_uniq, &conn->hostUniq)) > -+ fatal("Illegal value for host-uniq option"); > -+ > - conn->acName = acName; > - conn->serviceName = pppd_pppoe_service; > - strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam)); > -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c > -index 55037dffb023..ff4c487ffaa9 100644 > ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c > -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c > -@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet) > - if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0; > - > - /* If we're not using the Host-Unique tag, then accept the packet */ > -- if (!conn->useHostUniq) return 1; > -+ if (!conn->hostUniq.length) return 1; > - > - parsePacket(packet, parseForHostUniq, &forMe); > - return forMe; > -@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn) > - cursor += namelen + TAG_HDR_SIZE; > - > - /* If we're using Host-Uniq, copy it over */ > -- if (conn->useHostUniq) { > -- PPPoETag hostUniq; > -- pid_t pid = getpid(); > -- hostUniq.type = htons(TAG_HOST_UNIQ); > -- hostUniq.length = htons(sizeof(pid)); > -- memcpy(hostUniq.payload, &pid, sizeof(pid)); > -- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE); > -- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE); > -- cursor += sizeof(pid) + TAG_HDR_SIZE; > -- plen += sizeof(pid) + TAG_HDR_SIZE; > -+ if (conn->hostUniq.length) { > -+ int len = ntohs(conn->hostUniq.length); > -+ 
CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE); > -+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE); > -+ cursor += len + TAG_HDR_SIZE; > -+ plen += len + TAG_HDR_SIZE; > - } > - > - packet.length = htons(plen); > -@@ -653,7 +649,7 @@ int main(int argc, char *argv[]) > - > - memset(conn, 0, sizeof(PPPoEConnection)); > - > -- while ((opt = getopt(argc, argv, "I:D:VUAS:C:h")) > 0) { > -+ while ((opt = getopt(argc, argv, "I:D:VUW:AS:C:h")) > 0) { > - switch(opt) { > - case 'S': > - conn->serviceName = xstrdup(optarg); > -@@ -662,7 +658,23 @@ int main(int argc, char *argv[]) > - conn->acName = xstrdup(optarg); > - break; > - case 'U': > -- conn->useHostUniq = 1; > -+ if(conn->hostUniq.length) { > -+ fprintf(stderr, "-U and -W are mutually exclusive\n"); > -+ exit(EXIT_FAILURE); > -+ } > -+ char pidbuf[5]; > -+ snprintf(pidbuf, sizeof(pidbuf), "%04x", getpid()); > -+ parseHostUniq(pidbuf, &conn->hostUniq); > -+ break; > -+ case 'W': > -+ if(conn->hostUniq.length) { > -+ fprintf(stderr, "-U and -W are mutually exclusive\n"); > -+ exit(EXIT_FAILURE); > -+ } > -+ if (!parseHostUniq(optarg, &conn->hostUniq)) { > -+ fprintf(stderr, "Invalid host-uniq argument: %s\n", optarg); > -+ exit(EXIT_FAILURE); > -+ } > - break; > - case 'D': > - conn->debugFile = fopen(optarg, "w"); > -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h > -index c4aaa6e68856..08026f577028 100644 > ---- a/pppd/plugins/rp-pppoe/pppoe.h > -+++ b/pppd/plugins/rp-pppoe/pppoe.h > -@@ -21,6 +21,8 @@ > - > - #include <stdio.h> /* For FILE */ > - #include <sys/types.h> /* For pid_t */ > -+#include <ctype.h> > -+#include <string.h> > - > - /* How do we access raw Ethernet devices? 
*/ > - #undef USE_LINUX_PACKET > -@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct { > - char *serviceName; /* Desired service name, if any */ > - char *acName; /* Desired AC name, if any */ > - int synchronous; /* Use synchronous PPP */ > -- int useHostUniq; /* Use Host-Uniq tag */ > -+ PPPoETag hostUniq; /* Use Host-Uniq tag */ > - int printACNames; /* Just print AC names */ > - FILE *debugFile; /* Debug file for dumping packets */ > - int numPADOs; /* Number of PADO packets received */ > -@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet, > - void (*printer)(void *, char *, ...), void *arg); > - void pppoe_log_packet(const char *prefix, PPPoEPacket *packet); > - > -+static inline int parseHostUniq(const char *uniq, PPPoETag *tag) > -+{ > -+ int i, len = strlen(uniq); > -+ > -+#define hex(x) \ > -+ (((x) <= '9') ? ((x) - '0') : \ > -+ (((x) <= 'F') ? ((x) - 'A' + 10) : \ > -+ ((x) - 'a' + 10))) > -+ > -+ if (len % 2) > -+ return 0; > -+ > -+ for (i = 0; i < len; i += 2) > -+ { > -+ if (!isxdigit(uniq[i]) || !isxdigit(uniq[i+1])) > -+ return 0; > -+ > -+ tag->payload[i / 2] = (char)(16 * hex(uniq[i]) + hex(uniq[i+1])); > -+ } > -+ > -+#undef hex > -+ > -+ tag->type = htons(TAG_HOST_UNIQ); > -+ tag->length = htons(len / 2); > -+ return 1; > -+} > -+ > - #define SET_STRING(var, val) do { if (var) free(var); var = strDup(val); } while(0); > - > - #define CHECK_ROOM(cursor, start, len) \ > diff --git a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch > deleted file mode 100644 > index 19f931b1244f..000000000000 > --- a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch > +++ /dev/null 
> @@ -1,324 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] Add replacedefaultroute option > - > -Adds an option to pppd to control whether to replace existing default routes > -when using the 'defaultroute' option. > - > -If defaultroute and replacedefaultroute are both set, pppd replaces an existing > -default route with the new default route. The old default route is restored when > -the connection is taken down. > - > -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a > -Forwarded: no > -Reviewed-by: Chris Boot <bootc@debian.org> > -Last-Update: 2014-01-26 > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ipcp.c | 45 +++++++++++++++++++++++++++---- > - pppd/ipcp.h | 1 + > - pppd/pppd.8 | 12 ++++++++- > - pppd/pppd.h | 4 +++ > - pppd/sys-linux.c | 82 +++++++++++++++++++++++++++++++++++++++++++++----------- > - 5 files changed, 123 insertions(+), 21 deletions(-) > - > -diff --git a/pppd/ipcp.c b/pppd/ipcp.c > -index e9738fe4d894..c8fe279d4ede 100644 > ---- a/pppd/ipcp.c > -+++ b/pppd/ipcp.c > -@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = { > - "disable defaultroute option", OPT_ALIAS | OPT_A2CLR, > - &ipcp_wantoptions[0].default_route }, > - > -+#ifdef __linux__ > -+ { "replacedefaultroute", o_bool, > -+ &ipcp_wantoptions[0].replace_default_route, > -+ "Replace default route", 1 > -+ }, > -+ { "noreplacedefaultroute", o_bool, > -+ &ipcp_allowoptions[0].replace_default_route, > -+ "Never replace default route", OPT_A2COPY, > -+ &ipcp_wantoptions[0].replace_default_route }, > -+#endif > - { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp, > - "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp }, > - { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp, > -@@ -271,7 +281,7 @@ struct protent 
ipcp_protent = { > - ip_active_pkt > - }; > - > --static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t)); > -+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool)); > - static void ipcp_script __P((char *, int)); /* Run an up/down script */ > - static void ipcp_script_done __P((void *)); > - > -@@ -1761,7 +1771,12 @@ ip_demand_conf(u) > - if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE)) > - return 0; > - if (wo->default_route) > -+#ifndef __linux__ > - if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr)) > -+#else > -+ if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr, > -+ wo->replace_default_route)) > -+#endif > - default_route_set[u] = 1; > - if (wo->proxy_arp) > - if (sifproxyarp(u, wo->hisaddr)) > -@@ -1849,7 +1864,8 @@ ipcp_up(f) > - */ > - if (demand) { > - if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) { > -- ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr); > -+ ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr, > -+ wo->replace_default_route); > - if (go->ouraddr != wo->ouraddr) { > - warn("Local IP address changed to %I", go->ouraddr); > - script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0); > -@@ -1874,7 +1890,12 @@ ipcp_up(f) > - > - /* assign a default route through the interface if required */ > - if (ipcp_wantoptions[f->unit].default_route) > -+#ifndef __linux__ > - if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) > -+#else > -+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr, > -+ wo->replace_default_route)) > -+#endif > - default_route_set[f->unit] = 1; > - > - /* Make a proxy ARP entry if requested. 
*/ > -@@ -1924,7 +1945,12 @@ ipcp_up(f) > - > - /* assign a default route through the interface if required */ > - if (ipcp_wantoptions[f->unit].default_route) > -+#ifndef __linux__ > - if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr)) > -+#else > -+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr, > -+ wo->replace_default_route)) > -+#endif > - default_route_set[f->unit] = 1; > - > - /* Make a proxy ARP entry if requested. */ > -@@ -2002,7 +2028,7 @@ ipcp_down(f) > - sifnpmode(f->unit, PPP_IP, NPMODE_DROP); > - sifdown(f->unit); > - ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr, > -- ipcp_hisoptions[f->unit].hisaddr); > -+ ipcp_hisoptions[f->unit].hisaddr, 0); > - } > - > - /* Execute the ip-down script */ > -@@ -2018,16 +2044,25 @@ ipcp_down(f) > - * proxy arp entries, etc. > - */ > - static void > --ipcp_clear_addrs(unit, ouraddr, hisaddr) > -+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute) > - int unit; > - u_int32_t ouraddr; /* local address */ > - u_int32_t hisaddr; /* remote address */ > -+ bool replacedefaultroute; > - { > - if (proxy_arp_set[unit]) { > - cifproxyarp(unit, hisaddr); > - proxy_arp_set[unit] = 0; > - } > -- if (default_route_set[unit]) { > -+ /* If replacedefaultroute, sifdefaultroute will be called soon > -+ * with replacedefaultroute set and that will overwrite the current > -+ * default route. This is the case only when doing demand, otherwise > -+ * during demand, this cifdefaultroute would restore the old default > -+ * route which is not what we want in this case. In the non-demand > -+ * case, we'll delete the default route and restore the old if there > -+ * is one saved by an sifdefaultroute with replacedefaultroute. 
> -+ */ > -+ if (!replacedefaultroute && default_route_set[unit]) { > - cifdefaultroute(unit, ouraddr, hisaddr); > - default_route_set[unit] = 0; > - } > -diff --git a/pppd/ipcp.h b/pppd/ipcp.h > -index 6cf14c990578..7ecfa79d8668 100644 > ---- a/pppd/ipcp.h > -+++ b/pppd/ipcp.h > -@@ -70,6 +70,7 @@ typedef struct ipcp_options { > - bool old_addrs; /* Use old (IP-Addresses) option? */ > - bool req_addr; /* Ask peer to send IP address? */ > - bool default_route; /* Assign default route through interface? */ > -+ bool replace_default_route; /* Replace default route through interface? */ > - bool proxy_arp; /* Make proxy ARP entry for peer? */ > - bool neg_vj; /* Van Jacobson Compression? */ > - bool old_vj; /* use old (short) form of VJ option? */ > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index ec8bfd5c0617..481aa8be672b 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed. > - This entry is removed when the PPP connection is broken. This option > - is privileged if the \fInodefaultroute\fR option has been specified. > - .TP > -+.B replacedefaultroute > -+This option is a flag to the defaultroute option. If defaultroute is > -+set and this flag is also set, pppd replaces an existing default route > -+with the new default route. > -+.TP > - .B disconnect \fIscript > - Execute the command specified by \fIscript\fR, by passing it to a > - shell, after > -@@ -739,7 +744,12 @@ disable both forms of hardware flow control. > - .TP > - .B nodefaultroute > - Disable the \fIdefaultroute\fR option. The system administrator who > --wishes to prevent users from creating default routes with pppd > -+wishes to prevent users from adding a default route with pppd > -+can do so by placing this option in the /etc/ppp/options file. > -+.TP > -+.B noreplacedefaultroute > -+Disable the \fIreplacedefaultroute\fR option. 
The system administrator who > -+wishes to prevent users from replacing a default route with pppd > - can do so by placing this option in the /etc/ppp/options file. > - .TP > - .B nodeflate > -diff --git a/pppd/pppd.h b/pppd/pppd.h > -index 1a1bf0b99582..7495df657fe9 100644 > ---- a/pppd/pppd.h > -+++ b/pppd/pppd.h > -@@ -676,7 +676,11 @@ int sif6addr __P((int, eui64_t, eui64_t)); > - int cif6addr __P((int, eui64_t, eui64_t)); > - /* Remove an IPv6 address from i/f */ > - #endif > -+#ifndef __linux__ > - int sifdefaultroute __P((int, u_int32_t, u_int32_t)); > -+#else > -+int sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt)); > -+#endif > - /* Create default route through i/f */ > - int cifdefaultroute __P((int, u_int32_t, u_int32_t)); > - /* Delete default route through i/f */ > -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > -index 6d29dc8e8594..3f0bbc33c605 100644 > ---- a/pppd/sys-linux.c > -+++ b/pppd/sys-linux.c > -@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */ > - static int if_is_up; /* Interface has been marked up */ > - static int if6_is_up; /* Interface has been marked up for IPv6, to help differentiate */ > - static int have_default_route; /* Gateway for default route added */ > -+static struct rtentry old_def_rt; /* Old default route */ > -+static int default_rt_repl_rest; /* replace and restore old default rt */ > - static u_int32_t proxy_arp_addr; /* Addr for proxy arp entry added */ > - static char proxy_arp_dev[16]; /* Device for proxy arp entry */ > - static u_int32_t our_old_addr; /* for detecting address changes */ > -@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt) > - p = NULL; > - } > - > -+ SET_SA_FAMILY (rt->rt_dst, AF_INET); > -+ SET_SA_FAMILY (rt->rt_gateway, AF_INET); > -+ > - SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16); > - SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16); > - SIN_ADDR(rt->rt_genmask) = 
strtoul(cols[route_mask_col], NULL, 16); > -@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr) > - /******************************************************************** > - * > - * sifdefaultroute - assign a default route through the address given. > -- */ > -- > --int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) > --{ > -- struct rtentry rt; > -- > -- if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) { > -- if (rt.rt_flags & RTF_GATEWAY) > -- error("not replacing existing default route via %I", > -- SIN_ADDR(rt.rt_gateway)); > -- else > -- error("not replacing existing default route through %s", > -- rt.rt_dev); > -- return 0; > -+ * > -+ * If the global default_rt_repl_rest flag is set, then this function > -+ * already replaced the original system defaultroute with some other > -+ * route and it should just replace the current defaultroute with > -+ * another one, without saving the current route. Use: demand mode, > -+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses > -+ * and then changes the temporary addresses to the addresses for the real > -+ * ppp connection when it has come up. > -+ */ > -+ > -+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace) > -+{ > -+ struct rtentry rt, tmp_rt; > -+ struct rtentry *del_rt = NULL; > -+ > -+ if (default_rt_repl_rest) { > -+ /* We have already reclaced the original defaultroute, if we > -+ * are called again, we will delete the current default route > -+ * and set the new default route in this function. 
> -+ * - this is normally only the case the doing demand: */ > -+ if (defaultroute_exists( &tmp_rt )) > -+ del_rt = &tmp_rt; > -+ } else if ( defaultroute_exists( &old_def_rt ) && > -+ strcmp( old_def_rt.rt_dev, ifname ) != 0) { > -+ /* We did not yet replace an existing default route, let's > -+ * check if we should save and replace a default route: > -+ */ > -+ u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway); > -+ > -+ if (old_gateway != gateway) { > -+ if (!replace) { > -+ error("not replacing default route to %s [%I]", > -+ old_def_rt.rt_dev, old_gateway); > -+ return 0; > -+ } else { > -+ // we need to copy rt_dev because we need it permanent too: > -+ char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1); > -+ strcpy(tmp_dev, old_def_rt.rt_dev); > -+ old_def_rt.rt_dev = tmp_dev; > -+ > -+ notice("replacing old default route to %s [%I]", > -+ old_def_rt.rt_dev, old_gateway); > -+ default_rt_repl_rest = 1; > -+ del_rt = &old_def_rt; > -+ } > -+ } > - } > -- > - memset (&rt, 0, sizeof (rt)); > - SET_SA_FAMILY (rt.rt_dst, AF_INET); > - > -@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) > - error("default route ioctl(SIOCADDRT): %m"); > - return 0; > - } > -+ if (default_rt_repl_rest && del_rt) > -+ if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) { > -+ if ( ! ok_error ( errno )) > -+ error("del old default route ioctl(SIOCDELRT): %m(%d)", errno); > -+ return 0; > -+ } > - > - have_default_route = 1; > - return 1; > -@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway) > - return 0; > - } > - } > -+ if (default_rt_repl_rest) { > -+ notice("restoring old default route to %s [%I]", > -+ old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway)); > -+ if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) { > -+ if ( ! ok_error ( errno )) > -+ error("restore default route ioctl(SIOCADDRT): %m(%d)", errno); > -+ return 0; > -+ } > -+ default_rt_repl_rest = 0; > -+ } > - > - return 1; > - } 
> diff --git a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch > deleted file mode 100644 > index 3cd1b78e7012..000000000000 > --- a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch > +++ /dev/null > @@ -1,42 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] add support for the Framed-MTU Radius attribute > - > -http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532 > - > -From: klepikov_a@up.ua > -To: ppp-bugs@ppp.samba.org > -Subject: Radius plugin does not set MTU on ppp interface > -Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT) > - > -Full_Name: Alexander Klepikov > -Version: 2.4.3 > -OS: rhl 7.3 (2.4.20-28.7bigmem) > -Submission from: (NULL) (213.130.21.73) > - > - > -This patch allows radius plugin to deal with Framed-MTU Radius attribute and to > -set MTU on interface. > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/radius/radius.c | 3 +++ > - 1 file changed, 3 insertions(+) > - > -diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c > -index 4ba5f523ea07..06e00590b635 100644 > ---- a/pppd/plugins/radius/radius.c > -+++ b/pppd/plugins/radius/radius.c > -@@ -651,6 +651,9 @@ radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info, > - memcpy(rstate.class, vp->strvalue, rstate.class_len); > - } /* else too big for our buffer - ignore it */ > - break; > -+ case PW_FRAMED_MTU: > -+ netif_set_mtu(rstate.client_port,MIN(netif_get_mtu(rstate.client_port),vp->lvalue)); > -+ break; > - } > - > - > diff --git a/patches/ppp-2.4.7/0030-018_ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch > deleted file mode 100644 > index 06cb2e5bb3a6..000000000000 > --- a/patches/ppp-2.4.7/0030-018_ip-up_option.patch > +++ /dev/null 
> @@ -1,106 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] 018_ip up_option > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ipcp.c | 8 ++++---- > - pppd/main.c | 3 +++ > - pppd/options.c | 9 +++++++++ > - pppd/pppd.h | 2 ++ > - 4 files changed, 18 insertions(+), 4 deletions(-) > - > -diff --git a/pppd/ipcp.c b/pppd/ipcp.c > -index dceca807542a..d6e0e2a699fe 100644 > ---- a/pppd/ipcp.c > -+++ b/pppd/ipcp.c > -@@ -1984,7 +1984,7 @@ ipcp_up(f) > - */ > - if (ipcp_script_state == s_down && ipcp_script_pid == 0) { > - ipcp_script_state = s_up; > -- ipcp_script(_PATH_IPUP, 0); > -+ ipcp_script(path_ipup, 0); > - } > - } > - > -@@ -2034,7 +2034,7 @@ ipcp_down(f) > - /* Execute the ip-down script */ > - if (ipcp_script_state == s_up && ipcp_script_pid == 0) { > - ipcp_script_state = s_down; > -- ipcp_script(_PATH_IPDOWN, 0); > -+ ipcp_script(path_ipdown, 0); > - } > - } > - > -@@ -2097,13 +2097,13 @@ ipcp_script_done(arg) > - case s_up: > - if (ipcp_fsm[0].state != OPENED) { > - ipcp_script_state = s_down; > -- ipcp_script(_PATH_IPDOWN, 0); > -+ ipcp_script(path_ipdown, 0); > - } > - break; > - case s_down: > - if (ipcp_fsm[0].state == OPENED) { > - ipcp_script_state = s_up; > -- ipcp_script(_PATH_IPUP, 0); > -+ ipcp_script(path_ipup, 0); > - } > - break; > - } > -diff --git a/pppd/main.c b/pppd/main.c > -index ed544315c1df..9164a1eb0f95 100644 > ---- a/pppd/main.c > -+++ b/pppd/main.c > -@@ -308,6 +308,9 @@ main(argc, argv) > - struct protent *protp; > - char numbuf[16]; > - > -+ strlcpy(path_ipup, _PATH_IPUP, sizeof(path_ipup)); > -+ strlcpy(path_ipdown, _PATH_IPDOWN, sizeof(path_ipdown)); > -+ > - link_stats_valid = 0; > - new_phase(PHASE_INITIALIZE); > - > -diff --git a/pppd/options.c b/pppd/options.c > -index 91da515ac533..a8f3aa4590a3 100644 > ---- a/pppd/options.c > -+++ b/pppd/options.c > -@@ -114,6 +114,8 @@ 
char linkname[MAXPATHLEN]; /* logical name for link */ > - bool tune_kernel; /* may alter kernel settings */ > - int connect_delay = 1000; /* wait this many ms after connect script */ > - int req_unit = -1; /* requested interface unit */ > -+char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */ > -+char path_ipdown[MAXPATHLEN];/* pathname of ip-down script */ > - char req_ifname[MAXIFNAMELEN]; /* requested interface name */ > - bool multilink = 0; /* Enable multilink operation */ > - char *bundle_name = NULL; /* bundle name for multilink */ > -@@ -304,6 +306,13 @@ option_t general_options[] = { > - "Unset user environment variable", > - OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint }, > - > -+ { "ip-up-script", o_string, path_ipup, > -+ "Set pathname of ip-up script", > -+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN }, > -+ { "ip-down-script", o_string, path_ipdown, > -+ "Set pathname of ip-down script", > -+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN }, > -+ > - #ifdef HAVE_MULTILINK > - { "multilink", o_bool, &multilink, > - "Enable multilink operation", OPT_PRIO | 1 }, > -diff --git a/pppd/pppd.h b/pppd/pppd.h > -index e65106d4c126..b11670586244 100644 > ---- a/pppd/pppd.h > -+++ b/pppd/pppd.h > -@@ -328,6 +328,8 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */ > - extern int connect_delay; /* Time to delay after connect script */ > - extern int max_data_rate; /* max bytes/sec through charshunt */ > - extern int req_unit; /* interface unit number to use */ > -+extern char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */ > -+extern char path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */ > - extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */ > - extern bool multilink; /* enable multilink operation */ > - extern bool noendpoint; /* don't send or accept endpt. discrim. */ 
> diff --git a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch > deleted file mode 100644 > index 32629026cad5..000000000000 > --- a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch > +++ /dev/null > @@ -1,47 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] ppp-2.4.2-stripMSdomain > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/chap-new.c | 11 +++++++++++ > - 1 file changed, 11 insertions(+) > - > -diff --git a/pppd/chap-new.c b/pppd/chap-new.c > -index 2714bff64785..7fd7087a5e2c 100644 > ---- a/pppd/chap-new.c > -+++ b/pppd/chap-new.c > -@@ -58,6 +58,7 @@ int (*chap_verify_hook)(char *name, char *ourname, int id, > - int chap_timeout_time = 3; > - int chap_max_transmits = 10; > - int chap_rechallenge_time = 0; > -+int chapms_strip_domain = 0; > - > - /* > - * Command-line options. > -@@ -69,6 +70,8 @@ static option_t chap_option_list[] = { > - "Set max #xmits for challenge", OPT_PRIO }, > - { "chap-interval", o_int, &chap_rechallenge_time, > - "Set interval for rechallenge", OPT_PRIO }, > -+ { "chapms-strip-domain", o_bool, &chapms_strip_domain, > -+ "Strip the domain prefix before the Username", 1 }, > - { NULL } > - }; > - > -@@ -336,6 +339,14 @@ chap_handle_response(struct chap_server_state *ss, int id, > - /* Null terminate and clean remote name. */ > - slprintf(rname, sizeof(rname), "%.*v", len, name); > - name = rname; > -+ > -+ /* strip the MS domain name */ > -+ if (chapms_strip_domain && strrchr(rname, '\\')) { > -+ char tmp[MAXNAMELEN+1]; > -+ > -+ strcpy(tmp, strrchr(rname, '\\') + 1); > -+ strcpy(rname, tmp); > -+ } > - } > - > - if (chap_verify_hook) 
> diff --git a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch > deleted file mode 100644 > index 6a2e17088336..000000000000 > --- a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch > +++ /dev/null > @@ -1,38 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > -Subject: [PATCH] export $CALL_FILE to the link scripts > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/options.c | 1 + > - pppd/pppd.8 | 3 +++ > - 2 files changed, 4 insertions(+) > - > -diff --git a/pppd/options.c b/pppd/options.c > -index a8f3aa4590a3..340797386dd6 100644 > ---- a/pppd/options.c > -+++ b/pppd/options.c > -@@ -1482,6 +1482,7 @@ callfile(argv) > - if ((fname = (char *) malloc(l)) == NULL) > - novm("call file name"); > - slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg); > -+ script_setenv("CALL_FILE", arg, 0); > - > - ok = options_from_file(fname, 1, 1, 1); > - > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index 481aa8be672b..848ca8a16b77 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -1662,6 +1662,9 @@ the connection. > - .B LINKNAME > - The logical name of the link, set with the \fIlinkname\fR option. > - .TP > -+.B CALL_FILE > -+The value of the \fIcall\fR option. > -+.TP > - .B DNS1 > - If the peer supplies DNS server addresses, this variable is set to the > - first DNS server address supplied (whether or not the usepeerdns > diff --git a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch > deleted file mode 100644 > index 01376cf140e2..000000000000 > --- a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch > +++ /dev/null 
> @@ -1,73 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > -Subject: [PATCH] ipv6-accept-remote > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/ipv6cp.c | 5 ++++- > - pppd/ipv6cp.h | 3 ++- > - pppd/pppd.8 | 5 +++++ > - 3 files changed, 11 insertions(+), 2 deletions(-) > - > -diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c > -index c1602f41c206..432170462196 100644 > ---- a/pppd/ipv6cp.c > -+++ b/pppd/ipv6cp.c > -@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = { > - > - { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local, > - "Accept peer's interface identifier for us", 1 }, > -+ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote, > -+ "Accept peer's interface identifier for itself", 1 }, > - > - { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip, > - "Use (default) IPv4 address as interface identifier", 1 }, > -@@ -435,6 +437,7 @@ ipv6cp_init(unit) > - memset(ao, 0, sizeof(*ao)); > - > - wo->accept_local = 1; > -+ wo->accept_remote = 1; > - wo->neg_ifaceid = 1; > - ao->neg_ifaceid = 1; > - > -@@ -960,7 +963,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree) > - orc = CONFREJ; /* Reject CI */ > - break; > - } > -- if (!eui64_iszero(wo->hisid) && > -+ if (!eui64_iszero(wo->hisid) && !wo->accept_remote && > - !eui64_equals(ifaceid, wo->hisid) && > - eui64_iszero(go->hisid)) { > - > -diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h > -index 2f4c06ddc189..1617707ebbde 100644 > ---- a/pppd/ipv6cp.h > -+++ b/pppd/ipv6cp.h > -@@ -150,7 +150,8 @@ > - typedef struct ipv6cp_options { > - int neg_ifaceid; /* Negotiate interface identifier? */ > - int req_ifaceid; /* Ask peer to send interface identifier? */ > -- int accept_local; /* accept peer's value for iface id? */ > -+ int accept_local; /* accept peer's value for our iface id? 
*/ > -+ int accept_remote; /* accept peer's value for his iface id? */ > - int opt_local; /* ourtoken set by option */ > - int opt_remote; /* histoken set by option */ > - int use_ip; /* use IP as interface identifier */ > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index 848ca8a16b77..65bbe721f761 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6 > - interface identifier, even if the local IPv6 interface identifier > - was specified in an option. > - .TP > -+.B ipv6cp\-accept\-remote > -+With this option, pppd will accept the peer's idea of its (remote) > -+IPv6 interface identifier, even if the remote IPv6 interface > -+identifier was specified in an option. > -+.TP > - .B ipv6cp\-max\-configure \fIn > - Set the maximum number of IPv6CP configure-request transmissions to > - \fIn\fR (default 10). > diff --git a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch > deleted file mode 100644 > index 2a8a029df62b..000000000000 > --- a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch > +++ /dev/null 
> @@ -1,43 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > -Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id() > - > -This fixes the following compile-time warning when building with > --D_FORTIFY_SOURCE=2: > - > -In file included from /usr/include/string.h:638:0, > - from ./includes.h:26, > - from clientid.c:12: > -In function 'strncat', > - inlined from 'rc_map2id' at clientid.c:113:9: > -/usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to > -__builtin___strncat_chk might overflow destination buffer [enabled by default] > - return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest)); > - ^ > - > -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a > -Forwarded: no > -Reviewed-by: Chris Boot <bootc@debian.org> > -Last-Update: 2014-01-12 > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/radius/clientid.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/plugins/radius/clientid.c b/pppd/plugins/radius/clientid.c > -index d49579c43cc3..7de021139b56 100644 > ---- a/pppd/plugins/radius/clientid.c > -+++ b/pppd/plugins/radius/clientid.c > -@@ -110,7 +110,7 @@ UINT4 rc_map2id(char *name) > - if (*name != '/') > - strcpy(ttyname, "/dev/"); > - > -- strncat(ttyname, name, sizeof(ttyname)); > -+ strncat(ttyname, name, sizeof(ttyname)-strlen(ttyname)-1); > - > - for(p = map2id_list; p; p = p->next) > - if (!strcmp(ttyname, p->name)) return p->id; > diff --git a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch > deleted file mode 100644 > index e21f129ad9a9..000000000000 > --- a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch > +++ /dev/null 
> @@ -1,36 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > -Subject: [PATCH] Fix buffer overflow in rc_mksid() > - > - rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string. > - . > - If the process id is bigger than 65535 (FFFF), its hex representation will be > - longer than 4 characters, resulting in a buffer overflow. > - . > - The bug can be exploited to cause a remote DoS. > - . > -Author: Emanuele Rocca <ema@debian.org> > -Bug-Debian: https://bugs.debian.org/782450 > -Last-Update: <2015-04-14> > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/plugins/radius/util.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c > -index 6f976a712951..166bd5f31d7a 100644 > ---- a/pppd/plugins/radius/util.c > -+++ b/pppd/plugins/radius/util.c > -@@ -77,7 +77,7 @@ rc_mksid (void) > - static unsigned short int cnt = 0; > - sprintf (buf, "%08lX%04X%02hX", > - (unsigned long int) time (NULL), > -- (unsigned int) getpid (), > -+ (unsigned int) getpid () % 65535, > - cnt & 0xFF); > - cnt++; > - return buf; > diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch > deleted file mode 100644 > index bd462d4f83f9..000000000000 > --- a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch > +++ /dev/null 
> @@ -1,3383 +0,0 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > -Subject: [PATCH] EAP-TLS authentication support for PPP > - > -Origin: https://www.nikhef.nl/~janjust/ppp/download.html > -Bug-Debian: https://bugs.debian.org/602503 > -Bug-Ubuntu: https://launchpad.net/bugs/643417 > -Forwarded: not-needed > -Author: Jan Just Keijser <janjust@nikhef.nl> > -Last-Update: 2018-11-04 > - > -This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following > -changes: > - > - - Patch refreshed to remove fuzz. > - - Trailing spaces removed. > - > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - README.eap-tls | 291 +++++++++ > - etc.ppp/eaptls-client | 10 + > - etc.ppp/eaptls-server | 11 + > - etc.ppp/openssl.cnf | 14 + > - linux/Makefile.top | 6 +- > - pppd/Makefile.linux | 12 + > - pppd/auth.c | 413 ++++++++++++- > - pppd/ccp.c | 20 +- > - pppd/chap-md5.c | 4 + > - pppd/eap-tls.c | 1383 +++++++++++++++++++++++++++++++++++++++++++ > - pppd/eap-tls.h | 107 ++++ > - pppd/eap.c | 463 ++++++++++++++- > - pppd/eap.h | 32 +- > - pppd/md5.c | 4 + > - pppd/md5.h | 3 + > - pppd/pathnames.h | 7 + > - pppd/plugins/Makefile.linux | 3 + > - pppd/plugins/passprompt.c | 3 + > - pppd/plugins/passwordfd.c | 4 + > - pppd/pppd.8 | 33 ++ > - pppd/pppd.h | 9 + > - 21 files changed, 2825 insertions(+), 7 deletions(-) > - create mode 100644 README.eap-tls > - create mode 100644 etc.ppp/eaptls-client > - create mode 100644 etc.ppp/eaptls-server > - create mode 100644 etc.ppp/openssl.cnf > - create mode 100644 pppd/eap-tls.c > - create mode 100644 pppd/eap-tls.h > - > -diff --git a/README.eap-tls b/README.eap-tls > -new file mode 100644 > -index 000000000000..107e84db5e81 > ---- /dev/null > -+++ b/README.eap-tls > -@@ -0,0 +1,291 @@ > -+EAP-TLS authentication support for PPP > -+====================================== > -+ > -+1. 
Intro > -+ > -+ The Extensible Authentication Protocol (EAP; RFC 3748) is a > -+ security protocol that can be used with PPP. It provides a means > -+ to plug in multiple optional authentication methods. > -+ > -+ Transport Level Security (TLS; RFC 5216) provides for mutual > -+ authentication, integrity-protected ciphersuite negotiation and > -+ key exchange between two endpoints. It also provides for optional > -+ MPPE encryption. > -+ > -+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, > -+ allowing TLS mutual authentication to be used as a generic EAP > -+ mechanism. It also provides optional encryption using the MPPE > -+ protocol. > -+ > -+ This patch provide EAP-TLS support to pppd. > -+ This authentication method can be used in both client or server > -+ mode. > -+ > -+2. Building > -+ > -+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) > -+ is required. Any version from 0.9.7 should work. > -+ > -+ Configure, compile, and install as usual. > -+ > -+3. Configuration > -+ > -+ On the client side there are two ways to configure EAP-TLS: > -+ > -+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters > -+ > -+ 2. edit the /etc/ppp/eaptls-client file. > -+ Insert a line for each system with which you use EAP-TLS. > -+ The line is composed of this fields separated by tab: > -+ > -+ - Client name > -+ The name used by the client for authentication, can be * > -+ - Server name > -+ The name of the server, can be * > -+ - Client certificate file > -+ The file containing the certificate chain for the > -+ client in PEM format > -+ - Server certificate file > -+ If you want to specify the certificate that the > -+ server is allowed to use, put the certificate file name. > -+ Else put a dash '-'. > -+ - CA certificate file > -+ The file containing the trusted CA certificates in PEM > -+ format. > -+ - Client private key file > -+ The file containing the client private key in PEM format. 
> -+ > -+ > -+ On the server side edit the /etc/ppp/eaptls-server file. > -+ Insert a line for each system with which you use EAP-TLS. > -+ The line is composed of this fields separated by tab: > -+ > -+ - Client name > -+ The name used by the client for authentication, can be * > -+ - Server name > -+ The name of the server, can be * > -+ - Client certificate file > -+ If you want to specify the certificate that the > -+ client is allowed to use, put the certificate file name. > -+ Else put a dash '-'. > -+ - Server certificate file > -+ The file containing the certificate chain for the > -+ server in PEM format > -+ - CA certificate file > -+ The file containing the trusted CA certificates in PEM format. > -+ - Client private key file > -+ The file containing the server private key in PEM format. > -+ - addresses > -+ A list of IP addresses the client is allowed to use. > -+ > -+ > -+ OpenSSL engine support is included starting with v0.95 of this patch. > -+ Currently the only engine tested is the 'pkcs11' engine (hardware token > -+ support). To use the 'pksc11' engine: > -+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: > -+ <engine>:<identifier> > -+ e.g. > -+ pkcs11:123456 > -+ > -+ - The certificate can also be loaded from the 'pkcs11' engine using > -+ a special client certificate filename in the /etc/ppp/eaptls-client file: > -+ <engine>:<identifier> > -+ e.g. > -+ pkcs11:123456 > -+ > -+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior > -+ to starting 'pppd'. 
A sample openssl.cnf file is > -+ > -+ openssl_conf = openssl_def > -+ > -+ [ openssl_def ] > -+ engines = engine_section > -+ > -+ [ engine_section ] > -+ pkcs11 = pkcs11_section > -+ > -+ [ pkcs11_section ] > -+ engine_id = pkcs11 > -+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so > -+ MODULE_PATH = /usr/lib64/libeTPkcs11.so > -+ init = 0 > -+ > -+ - There are two ways to specify a password/PIN for the PKCS11 engine: > -+ - inside the openssl.cnf file using > -+ PIN = your-secret-pin > -+ Note The keyword 'PIN' is case sensitive! > -+ - Using the 'password' in the ppp options file. > -+ From v0.97 of the eap-tls patch the password can also be supplied > -+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c > -+ for an example). > -+ > -+ > -+4. Options > -+ > -+ These pppd options are available: > -+ > -+ ca <ca-file> > -+ Use the CA public certificate found in <ca-file> in PEM format > -+ cert <cert-file> > -+ Use the client public certificate found in <cert-file> in PEM format > -+ or in engine:engine_id format > -+ key <key-file> > -+ Use the client private key found in <key-file> in PEM format > -+ or in engine:engine_id format > -+ crl <crl-file> > -+ Use the Certificate Revocation List (CRL) file <crl-file> in PEM format. > -+ crl-dir <dir> > -+ Use CRL files from directory <dir>. It contains CRL files in PEM > -+ format and each file contains a CRL. The files are looked up > -+ by the issuer name hash value. Use the c_rehash utility > -+ to create necessary links. > -+ need-peer-eap > -+ If the peer doesn't ask us to authenticate or doesn't use eap > -+ to authenticate us, disconnect. > -+ > -+ Note: > -+ password-encrypted certificates can be used as of v0.94 of this > -+ patch. The password for the eap-tls.key file is specified using > -+ the regular > -+ password .... > -+ statement in the ppp options file, or by using the appropriate > -+ plugin which supplies a 'eaptls_passwd_hook' routine. > -+ > -+5. 
Connecting > -+ > -+ If you're setting up a pppd server, edit the EAP-TLS configuration file > -+ as written above and then run pppd with the 'auth' option to authenticate > -+ the client. The EAP-TLS method will be used if the other eap methods can't > -+ be used (no secrets). > -+ > -+ If you're setting up a client, edit the configuration file and then run > -+ pppd with 'remotename' option to specify the server name. Add the > -+ 'need-peer-eap' option if you want to be sure the peer ask you to > -+ authenticate (and to use eap) and to disconnect if it doesn't. > -+ > -+6. Example > -+ > -+ The following example can be used to connect a Linux client with the 'pptp' > -+ package to a Linux server running the 'pptpd' (PoPToP) package. The server > -+ was configured with a certificate with name (CN) 'pptp-server', the client > -+ was configured with a certificate with name (CN) 'pptp-client', both > -+ signed by the same Certificate Authority (CA). > -+ > -+ Server side: > -+ - /etc/pptpd.conf file: > -+ option /etc/ppp/options-pptpd-eaptls > -+ localip 172.16.1.1 > -+ remoteip 172.16.1.10-20 > -+ - /etc/ppp/options-pptpd-eaptls file: > -+ name pptp-server > -+ lock > -+ mtu 1500 > -+ mru 1450 > -+ auth > -+ lcp-echo-failure 3 > -+ lcp-echo-interval 5 > -+ nodeflate > -+ nobsdcomp > -+ nopredictor1 > -+ nopcomp > -+ noaccomp > -+ > -+ require-eap > -+ require-mppe-128 > -+ > -+ crl /home/janjust/ppp/keys/crl.pem > -+ > -+ debug > -+ logfile /tmp/pppd.log > -+ > -+ - /etc/ppp/eaptls-server file: > -+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key * > -+ > -+ - On the server, run > -+ pptdp --conf /etc/pptpd.conf > -+ > -+ Client side: > -+ - Run > -+ pppd noauth require-eap require-mppe-128 \ > -+ ipcp-accept-local ipcp-accept-remote noipdefault \ > -+ cert /etc/ppp/keys/pptp-client.crt \ > -+ key /etc/ppp/keys/pptp-client.key \ > -+ ca /etc/ppp/keys/ca.crt \ > -+ name pptp-client remotename pptp-server \ > -+ debug logfile 
/tmp/pppd.log > -+ pty "pptp pptp-server.example.com --nolaunchpppd" > -+ > -+ Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info. > -+ > -+7. Notes > -+ > -+ This is experimental code. > -+ Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl> > -+ > -+8. Changelog of ppp-<>-eaptls-mppe-* patches > -+ > -+v0.7 (22-Nov-2005) > -+ - First version of the patch to include MPPE support > -+ - ppp-2.4.3 only > -+v0.9 (25-Jul-2006) > -+ - Bug fixes > -+ - First version for ppp-2.4.4 > -+v0.91 (03-Sep-2006) > -+ - Added missing #include for md5.h > -+ - Last version for ppp-2.4.3 > -+v0.92 (22-Apr-2008) > -+ - Fix for openssl 0.9.8 issue with md5 function overload. > -+v0.93 (14-Aug-2008) > -+ - Make sure 'noauth' option can be used to bypass server certificate verification. > -+v0.94 (15-Oct-2008) > -+ - Added support for password-protected private keys by (ab)using the 'password' field. > -+v0.95 (23-Dec-2009) > -+ - First version with OpenSSL engine support. > -+v0.96 (27-Jan-2010) > -+ - Added fully functional support for OpenSSL engines (PKCS#11) > -+ - First version for ppp-2.4.5 > -+v0.97 (20-Apr-2010) > -+ - Some bug fixes for v0.96 > -+ - Added support for entering the password via a plugin. The sample plugin > -+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support. > -+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work. > -+ - Added support for specifying the client CA, certificate and private key on the command-line > -+ or via the ppp config file. > -+v0.98 (20-Apr-2010) > -+ - Fix initialisation bug when using ca/cert/key command-line options. > -+ - Last version for ppp-2.4.4 > -+v0.99 (05-Oct-2010) > -+ - Fix coredump when using multilink option. > -+v0.991 (08-Aug-2011) > -+ - Fix compilation issue with openssl 1.0. > -+v0.992 (01-Dec-2011) > -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin. 
> -+v0.993 (24-Apr-2012) > -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile. > -+v0.994 (11-Jun-2012) > -+ - Fix compilation issue on Ubuntu 11.10. > -+v0.995 (27-May-2014) > -+ - Add support for a CRL file using the command-line option 'crl' > -+ (prior only 'crl-dir' was supported). > -+ - Fix segfault when pkcs11 enginename was not specified correctly. > -+ - Fix segfault when client was misconfigured. > -+ - Disable SSL Session Ticket support as Windows 8 does not support this. > -+v0.996 (28-May-2014) > -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4' > -+ - Add EAP-TLS-specific options to pppd.8 manual page. > -+ - Updated README.eap-tls file with new options and provide an example. > -+v0.997 (19-Jun-2014) > -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET > -+ - Fix bug in initialisation code with fragmented packets. > -+v0.998 (13-Mar-2015) > -+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620 > -+v0.999 (11-May-2017) > -+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x. > -+v1.101 (1-Jun-2018) > -+ - Fix vulnerabilities CVE-2018-11574. > -+v1.102 (2-Nov-2018) > -+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2. > -+ This works both when compiling against OpenSSL 1.0.1+ and 1.1+. > -+ - Print warning when certificate is either not yet valid or has expired. > -+ - Perform better peer certificate checks. > -+ - Allow certificate chain files to be used. 
> -diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client > -new file mode 100644 > -index 000000000000..7782f0e2a065 > ---- /dev/null > -+++ b/etc.ppp/eaptls-client > -@@ -0,0 +1,10 @@ > -+# Parameters for authentication using EAP-TLS (client) > -+ > -+# client name (can be *) > -+# server name (can be *) > -+# client certificate file (required) > -+# server certificate file (optional, if unused put '-') > -+# CA certificate file (required) > -+# client private key file (required) > -+ > -+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key > -diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server > -new file mode 100644 > -index 000000000000..fa53cbd197cf > ---- /dev/null > -+++ b/etc.ppp/eaptls-server > -@@ -0,0 +1,11 @@ > -+# Parameters for authentication using EAP-TLS (server) > -+ > -+# client name (can be *) > -+# server name (can be *) > -+# client certificate file (optional, if unused put '-') > -+# server certificate file (required) > -+# CA certificate file (required) > -+# server private key file (required) > -+# allowed addresses (required, can be *) > -+ > -+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 > -diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf > -new file mode 100644 > -index 000000000000..dd32f305d680 > ---- /dev/null > -+++ b/etc.ppp/openssl.cnf > -@@ -0,0 +1,14 @@ > -+openssl_conf = openssl_def > -+ > -+[ openssl_def ] > -+engines = engine_section > -+ > -+[ engine_section ] > -+pkcs11 = pkcs11_section > -+ > -+[ pkcs11_section ] > -+engine_id = pkcs11 > -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so > -+MODULE_PATH = /usr/lib64/libeTPkcs11.so > -+init = 0 > -+ > -diff --git a/linux/Makefile.top b/linux/Makefile.top > -index f63d45e58a78..894f8f32c9e4 100644 > ---- a/linux/Makefile.top > -+++ b/linux/Makefile.top > -@@ -26,7 +26,7 @@ install-progs: > - cd pppdump; $(MAKE) $(MFLAGS) install > - > - install-etcppp: $(ETCDIR) 
$(ETCDIR)/options $(ETCDIR)/pap-secrets \ > -- $(ETCDIR)/chap-secrets > -+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client > - > - install-devel: > - cd pppd; $(MAKE) $(MFLAGS) install-devel > -@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets: > - $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ > - $(ETCDIR)/chap-secrets: > - $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ > -+$(ETCDIR)/eaptls-server: > -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ > -+$(ETCDIR)/eaptls-client: > -+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ > - > - $(BINDIR): > - $(INSTALL) -d -m 755 $@ > -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index 5549145e5791..4a11d5fea748 100644 > ---- a/pppd/Makefile.linux > -+++ b/pppd/Makefile.linux > -@@ -76,6 +76,9 @@ CBCP=y > - # Use libutil > - USE_LIBUTIL=y > - > -+# Enable EAP-TLS authentication (requires libssl and libcrypto) > -+USE_EAPTLS=y > -+ > - MAXOCTETS=y > - > - INCLUDE_DIRS= -I../include > -@@ -116,6 +119,15 @@ HEADERS += sha1.h > - PPPDOBJS += sha1.o > - endif > - > -+# EAP-TLS > -+ifdef USE_EAPTLS > -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include > -+LIBS += -lssl -lcrypto > -+PPPDSRC += eap-tls.c > -+HEADERS += eap-tls.h > -+PPPDOBJS += eap-tls.o > -+endif > -+ > - ifdef HAS_SHADOW > - CFLAGS += -DHAS_SHADOW > - #LIBS += -lshadow $(LIBS) > -diff --git a/pppd/auth.c b/pppd/auth.c > -index 4271af687102..45065c58bfcc 100644 > ---- a/pppd/auth.c > -+++ b/pppd/auth.c > -@@ -109,6 +109,9 @@ > - #include "upap.h" > - #include "chap-new.h" > - #include "eap.h" > -+#ifdef USE_EAPTLS > -+#include "eap-tls.h" > -+#endif > - #ifdef CBCP_SUPPORT > - #include "cbcp.h" > - #endif > -@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL; > - /* Hook for a plugin to get the CHAP password for authenticating us */ > - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; > - > -+#ifdef USE_EAPTLS > -+/* Hook for a plugin to get the EAP-TLS password for authenticating us */ > -+int (*eaptls_passwd_hook) 
__P((char *user, char *passwd)) = NULL; > -+#endif > -+ > - /* Hook for a plugin to say whether it is OK if the peer > - refuses to authenticate. */ > - int (*null_auth_hook) __P((struct wordlist **paddrs, > -@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */ > - bool explicit_user = 0; /* Set if "user" option supplied */ > - bool explicit_passwd = 0; /* Set if "password" option supplied */ > - char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ > -+#ifdef USE_EAPTLS > -+char *cacert_file = NULL; /* CA certificate file (pem format) */ > -+char *cert_file = NULL; /* client certificate file (pem format) */ > -+char *privkey_file = NULL; /* client private key file (pem format) */ > -+char *crl_dir = NULL; /* directory containing CRL files */ > -+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */ > -+bool need_peer_eap = 0; /* Require peer to authenticate us */ > -+#endif > - > - static char *uafname; /* name of most recent +ua file */ > - > -@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *)); > - static int have_chap_secret __P((char *, char *, int, int *)); > - static int have_srp_secret __P((char *client, char *server, int need_ip, > - int *lacks_ipp)); > -+ > -+#ifdef USE_EAPTLS > -+static int have_eaptls_secret_server > -+__P((char *client, char *server, int need_ip, int *lacks_ipp)); > -+static int have_eaptls_secret_client __P((char *client, char *server)); > -+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, > -+ char *cli_cert, char *serv_cert, > -+ char *ca_cert, char *pk, > -+ struct wordlist ** addrs, > -+ struct wordlist ** opts, > -+ char *filename, int flags)); > -+#endif > -+ > - static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); > - static int scan_authfile __P((FILE *, char *, char *, char *, > - struct wordlist **, struct wordlist **, > -@@ -401,6 +430,15 @@ option_t auth_options[] = { > - "Set telephone number(s) 
which are allowed to connect", > - OPT_PRIV | OPT_A2LIST }, > - > -+#ifdef USE_EAPTLS > -+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, > -+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, > -+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, > -+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, > -+ { "crl", o_string, &crl_file, "Use specific CRL file" }, > -+ { "need-peer-eap", o_bool, &need_peer_eap, > -+ "Require the peer to authenticate us", 1 }, > -+#endif /* USE_EAPTLS */ > - { NULL } > - }; > - > -@@ -730,6 +768,9 @@ link_established(unit) > - lcp_options *wo = &lcp_wantoptions[unit]; > - lcp_options *go = &lcp_gotoptions[unit]; > - lcp_options *ho = &lcp_hisoptions[unit]; > -+#ifdef USE_EAPTLS > -+ lcp_options *ao = &lcp_allowoptions[unit]; > -+#endif > - int i; > - struct protent *protp; > - > -@@ -764,6 +805,22 @@ link_established(unit) > - } > - } > - > -+#ifdef USE_EAPTLS > -+ if (need_peer_eap && !ao->neg_eap) { > -+ warn("eap required to authenticate us but no suitable secrets"); > -+ lcp_close(unit, "couldn't negotiate eap"); > -+ status = EXIT_AUTH_TOPEER_FAILED; > -+ return; > -+ } > -+ > -+ if (need_peer_eap && !ho->neg_eap) { > -+ warn("peer doesn't want to authenticate us with eap"); > -+ lcp_close(unit, "couldn't negotiate eap"); > -+ status = EXIT_PEER_AUTH_FAILED; > -+ return; > -+ } > -+#endif > -+ > - new_phase(PHASE_AUTHENTICATE); > - auth = 0; > - if (go->neg_eap) { > -@@ -1277,6 +1334,15 @@ auth_check_options() > - our_name, 1, &lacks_ip); > - } > - > -+#ifdef USE_EAPTLS > -+ if (!can_auth && wo->neg_eap) { > -+ can_auth = > -+ have_eaptls_secret_server((explicit_remote ? 
remote_name : > -+ NULL), our_name, 1, &lacks_ip); > -+ > -+ } > -+#endif > -+ > - if (auth_required && !can_auth && noauth_addrs == NULL) { > - if (default_auth) { > - option_error( > -@@ -1331,7 +1397,11 @@ auth_reset(unit) > - passwd[0] != 0 || > - (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, > - (explicit_remote? remote_name: NULL), 0, NULL))) || > -- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); > -+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) > -+#ifdef USE_EAPTLS > -+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) > -+#endif > -+ ); > - > - hadchap = -1; > - if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) > -@@ -1346,8 +1416,14 @@ auth_reset(unit) > - !have_chap_secret((explicit_remote? remote_name: NULL), our_name, > - 1, NULL))) && > - !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, > -- NULL)) > -+ NULL) > -+#ifdef USE_EAPTLS > -+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), > -+ our_name, 1, NULL) > -+#endif > -+ ) > - go->neg_eap = 0; > -+ > - } > - > - > -@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp) > - } > - > - > -+ > - /* > - * get_secret - open the CHAP secret file and return the secret > - * for authenticating the given client on the given server. 
> -@@ -2359,3 +2436,335 @@ auth_script(script) > - > - auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); > - } > -+ > -+ > -+#ifdef USE_EAPTLS > -+static int > -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp) > -+ char *client; > -+ char *server; > -+ int need_ip; > -+ int *lacks_ipp; > -+{ > -+ FILE *f; > -+ int ret; > -+ char *filename; > -+ struct wordlist *addrs; > -+ char servcertfile[MAXWORDLEN]; > -+ char clicertfile[MAXWORDLEN]; > -+ char cacertfile[MAXWORDLEN]; > -+ char pkfile[MAXWORDLEN]; > -+ > -+ filename = _PATH_EAPTLSSERVFILE; > -+ f = fopen(filename, "r"); > -+ if (f == NULL) > -+ return 0; > -+ > -+ if (client != NULL && client[0] == 0) > -+ client = NULL; > -+ else if (server != NULL && server[0] == 0) > -+ server = NULL; > -+ > -+ ret = > -+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, > -+ cacertfile, pkfile, &addrs, NULL, filename, > -+ 0); > -+ > -+ fclose(f); > -+ > -+/* > -+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, > -+ clicertfile, pkfile)) > -+ ret = -1; > -+*/ > -+ > -+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { > -+ if (lacks_ipp != 0) > -+ *lacks_ipp = 1; > -+ ret = -1; > -+ } > -+ if (addrs != 0) > -+ free_wordlist(addrs); > -+ > -+ return ret >= 0; > -+} > -+ > -+ > -+static int > -+have_eaptls_secret_client(client, server) > -+ char *client; > -+ char *server; > -+{ > -+ FILE *f; > -+ int ret; > -+ char *filename; > -+ struct wordlist *addrs = NULL; > -+ char servcertfile[MAXWORDLEN]; > -+ char clicertfile[MAXWORDLEN]; > -+ char cacertfile[MAXWORDLEN]; > -+ char pkfile[MAXWORDLEN]; > -+ > -+ if (client != NULL && client[0] == 0) > -+ client = NULL; > -+ else if (server != NULL && server[0] == 0) > -+ server = NULL; > -+ > -+ if (cacert_file && cert_file && privkey_file) > -+ return 1; > -+ > -+ filename = _PATH_EAPTLSCLIFILE; > -+ f = fopen(filename, "r"); > -+ if (f == NULL) > -+ return 0; > -+ > -+ ret = > -+ scan_authfile_eaptls(f, client, 
server, clicertfile, servcertfile, > -+ cacertfile, pkfile, &addrs, NULL, filename, > -+ 0); > -+ fclose(f); > -+ > -+/* > -+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, > -+ servcertfile, pkfile)) > -+ ret = -1; > -+*/ > -+ > -+ if (addrs != 0) > -+ free_wordlist(addrs); > -+ > -+ return ret >= 0; > -+} > -+ > -+ > -+static int > -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, > -+ addrs, opts, filename, flags) > -+ FILE *f; > -+ char *client; > -+ char *server; > -+ char *cli_cert; > -+ char *serv_cert; > -+ char *ca_cert; > -+ char *pk; > -+ struct wordlist **addrs; > -+ struct wordlist **opts; > -+ char *filename; > -+ int flags; > -+{ > -+ int newline; > -+ int got_flag, best_flag; > -+ struct wordlist *ap, *addr_list, *alist, **app; > -+ char word[MAXWORDLEN]; > -+ > -+ if (addrs != NULL) > -+ *addrs = NULL; > -+ if (opts != NULL) > -+ *opts = NULL; > -+ addr_list = NULL; > -+ if (!getword(f, word, &newline, filename)) > -+ return -1; /* file is empty??? */ > -+ newline = 1; > -+ best_flag = -1; > -+ for (;;) { > -+ /* > -+ * Skip until we find a word at the start of a line. > -+ */ > -+ while (!newline && getword(f, word, &newline, filename)); > -+ if (!newline) > -+ break; /* got to end of file */ > -+ > -+ /* > -+ * Got a client - check if it's a match or a wildcard. > -+ */ > -+ got_flag = 0; > -+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { > -+ newline = 0; > -+ continue; > -+ } > -+ if (!ISWILD(word)) > -+ got_flag = NONWILD_CLIENT; > -+ > -+ /* > -+ * Now get a server and check if it matches. > -+ */ > -+ if (!getword(f, word, &newline, filename)) > -+ break; > -+ if (newline) > -+ continue; > -+ if (!ISWILD(word)) { > -+ if (server != NULL && strcmp(word, server) != 0) > -+ continue; > -+ got_flag |= NONWILD_SERVER; > -+ } > -+ > -+ /* > -+ * Got some sort of a match - see if it's better than what > -+ * we have already. 
> -+ */ > -+ if (got_flag <= best_flag) > -+ continue; > -+ > -+ /* > -+ * Get the cli_cert > -+ */ > -+ if (!getword(f, word, &newline, filename)) > -+ break; > -+ if (newline) > -+ continue; > -+ if (strcmp(word, "-") != 0) { > -+ strlcpy(cli_cert, word, MAXWORDLEN); > -+ } else > -+ cli_cert[0] = 0; > -+ > -+ /* > -+ * Get serv_cert > -+ */ > -+ if (!getword(f, word, &newline, filename)) > -+ break; > -+ if (newline) > -+ continue; > -+ if (strcmp(word, "-") != 0) { > -+ strlcpy(serv_cert, word, MAXWORDLEN); > -+ } else > -+ serv_cert[0] = 0; > -+ > -+ /* > -+ * Get ca_cert > -+ */ > -+ if (!getword(f, word, &newline, filename)) > -+ break; > -+ if (newline) > -+ continue; > -+ strlcpy(ca_cert, word, MAXWORDLEN); > -+ > -+ /* > -+ * Get pk > -+ */ > -+ if (!getword(f, word, &newline, filename)) > -+ break; > -+ if (newline) > -+ continue; > -+ strlcpy(pk, word, MAXWORDLEN); > -+ > -+ > -+ /* > -+ * Now read address authorization info and make a wordlist. > -+ */ > -+ app = &alist; > -+ for (;;) { > -+ if (!getword(f, word, &newline, filename) || newline) > -+ break; > -+ ap = (struct wordlist *) > -+ malloc(sizeof(struct wordlist) + strlen(word) + 1); > -+ if (ap == NULL) > -+ novm("authorized addresses"); > -+ ap->word = (char *) (ap + 1); > -+ strcpy(ap->word, word); > -+ *app = ap; > -+ app = &ap->next; > -+ } > -+ *app = NULL; > -+ /* > -+ * This is the best so far; remember it. 
> -+ */ > -+ best_flag = got_flag; > -+ if (addr_list) > -+ free_wordlist(addr_list); > -+ addr_list = alist; > -+ > -+ if (!newline) > -+ break; > -+ } > -+ > -+ /* scan for a -- word indicating the start of options */ > -+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) > -+ if (strcmp(ap->word, "--") == 0) > -+ break; > -+ /* ap = start of options */ > -+ if (ap != NULL) { > -+ ap = ap->next; /* first option */ > -+ free(*app); /* free the "--" word */ > -+ *app = NULL; /* terminate addr list */ > -+ } > -+ if (opts != NULL) > -+ *opts = ap; > -+ else if (ap != NULL) > -+ free_wordlist(ap); > -+ if (addrs != NULL) > -+ *addrs = addr_list; > -+ else if (addr_list != NULL) > -+ free_wordlist(addr_list); > -+ > -+ return best_flag; > -+} > -+ > -+ > -+int > -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile, > -+ cacertfile, pkfile, am_server) > -+ int unit; > -+ char *client; > -+ char *server; > -+ char *clicertfile; > -+ char *servcertfile; > -+ char *cacertfile; > -+ char *pkfile; > -+ int am_server; > -+{ > -+ FILE *fp; > -+ int ret; > -+ char *filename = NULL; > -+ struct wordlist *addrs = NULL; > -+ struct wordlist *opts = NULL; > -+ > -+ /* in client mode the ca+cert+privkey can also be specified as options */ > -+ if (!am_server && cacert_file && cert_file && privkey_file ) > -+ { > -+ strlcpy( clicertfile, cert_file, MAXWORDLEN ); > -+ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); > -+ strlcpy( pkfile, privkey_file, MAXWORDLEN ); > -+ servcertfile[0] = '\0'; > -+ } > -+ else > -+ { > -+ filename = (am_server ? 
_PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); > -+ addrs = NULL; > -+ > -+ fp = fopen(filename, "r"); > -+ if (fp == NULL) > -+ { > -+ error("Can't open eap-tls secret file %s: %m", filename); > -+ return 0; > -+ } > -+ > -+ check_access(fp, filename); > -+ > -+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, > -+ cacertfile, pkfile, &addrs, &opts, filename, 0); > -+ > -+ fclose(fp); > -+ > -+ if (ret < 0) return 0; > -+ } > -+ > -+ if (eaptls_passwd_hook) > -+ { > -+ dbglog( "Calling eaptls password hook" ); > -+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) > -+ { > -+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", > -+ client, pkfile); > -+ return 0; > -+ } > -+ } > -+ if (am_server) > -+ set_allowed_addrs(unit, addrs, opts); > -+ else if (opts != NULL) > -+ free_wordlist(opts); > -+ if (addrs != NULL) > -+ free_wordlist(addrs); > -+ > -+ return 1; > -+} > -+#endif > -+ > -diff --git a/pppd/ccp.c b/pppd/ccp.c > -index 7d7922afcfc0..0a93b15aeef3 100644 > ---- a/pppd/ccp.c > -+++ b/pppd/ccp.c > -@@ -540,6 +540,9 @@ ccp_resetci(f) > - if (go->mppe) { > - ccp_options *ao = &ccp_allowoptions[f->unit]; > - int auth_mschap_bits = auth_done[f->unit]; > -+#ifdef USE_EAPTLS > -+ int auth_eap_bits = auth_done[f->unit]; > -+#endif > - int numbits; > - > - /* > -@@ -567,8 +570,23 @@ ccp_resetci(f) > - lcp_close(f->unit, "MPPE required but not available"); > - return; > - } > -+ > -+#ifdef USE_EAPTLS > -+ /* > -+ * MPPE is also possible in combination with EAP-TLS. > -+ * It is not possible to detect if we're doing EAP or EAP-TLS > -+ * at this stage, hence we accept all forms of EAP. If TLS is > -+ * not used then the MPPE keys will not be derived anyway. 
> -+ */ > -+ /* Leave only the eap auth bits set */ > -+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); > -+ > -+ if ((numbits == 0) && (auth_eap_bits == 0)) { > -+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); > -+#else > - if (!numbits) { > -- error("MPPE required, but MS-CHAP[v2] auth not performed."); > -+ error("MPPE required, but MS-CHAP[v2] auth not performed."); > -+#endif > - lcp_close(f->unit, "MPPE required but not available"); > - return; > - } > -diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c > -index 77dd4ecc7059..269b52cb2041 100644 > ---- a/pppd/chap-md5.c > -+++ b/pppd/chap-md5.c > -@@ -36,7 +36,11 @@ > - #include "chap-new.h" > - #include "chap-md5.h" > - #include "magic.h" > -+#ifdef USE_EAPTLS > -+#include "eap-tls.h" > -+#else > - #include "md5.h" > -+#endif /* USE_EAPTLS */ > - > - #define MD5_HASH_SIZE 16 > - #define MD5_MIN_CHALLENGE 16 > -diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c > -new file mode 100644 > -index 000000000000..df4bc1b996c9 > ---- /dev/null > -+++ b/pppd/eap-tls.c > -@@ -0,0 +1,1383 @@ > -+/* * eap-tls.c - EAP-TLS implementation for PPP > -+ * > -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. > -+ * > -+ * Redistribution and use in source and binary forms, with or without > -+ * modification, are permitted provided that the following conditions > -+ * are met: > -+ * > -+ * 1. Redistributions of source code must retain the above copyright > -+ * notice, this list of conditions and the following disclaimer. > -+ * > -+ * 2. Redistributions in binary form must reproduce the above copyright > -+ * notice, this list of conditions and the following disclaimer in > -+ * the documentation and/or other materials provided with the > -+ * distribution. > -+ * > -+ * 3. The name(s) of the authors of this software must not be used to > -+ * endorse or promote products derived from this software without > -+ * prior written permission. 
> -+ * > -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO > -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY > -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY > -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN > -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING > -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > -+ * > -+ */ > -+ > -+#include <string.h> > -+#include <unistd.h> > -+#include <sys/types.h> > -+#include <sys/stat.h> > -+#include <fcntl.h> > -+ > -+#include <openssl/conf.h> > -+#include <openssl/engine.h> > -+#include <openssl/hmac.h> > -+#include <openssl/err.h> > -+#include <openssl/x509v3.h> > -+ > -+#include "pppd.h" > -+#include "eap.h" > -+#include "eap-tls.h" > -+#include "fsm.h" > -+#include "lcp.h" > -+#include "pathnames.h" > -+ > -+/* The openssl configuration file and engines can be loaded only once */ > -+static CONF *ssl_config = NULL; > -+static ENGINE *cert_engine = NULL; > -+static ENGINE *pkey_engine = NULL; > -+ > -+#ifdef MPPE > -+ > -+#define EAPTLS_MPPE_KEY_LEN 32 > -+ > -+/* > -+ * The following stuff is only needed if SSL_export_keying_material() is not available > -+ */ > -+ > -+#if OPENSSL_VERSION_NUMBER < 0x10001000L > -+ > -+/* > -+ * https://wiki.openssl.org/index.php/1.1_API_Changes > -+ * tries to provide some guidance but ultimately falls short. 
> -+ * > -+ */ > -+ > -+static void HMAC_CTX_free(HMAC_CTX *ctx) > -+{ > -+ if (ctx != NULL) { > -+ HMAC_CTX_cleanup(ctx); > -+ OPENSSL_free(ctx); > -+ } > -+} > -+ > -+static HMAC_CTX *HMAC_CTX_new(void) > -+{ > -+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx)); > -+ if (ctx != NULL) > -+ HMAC_CTX_init(ctx); > -+ return ctx; > -+} > -+ > -+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out, > -+ size_t outlen) > -+{ > -+ if (outlen == 0) > -+ return sizeof(ssl->s3->client_random); > -+ if (outlen > sizeof(ssl->s3->client_random)) > -+ outlen = sizeof(ssl->s3->client_random); > -+ memcpy(out, ssl->s3->client_random, outlen); > -+ return outlen; > -+} > -+ > -+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out, > -+ size_t outlen) > -+{ > -+ if (outlen == 0) > -+ return sizeof(ssl->s3->server_random); > -+ if (outlen > sizeof(ssl->s3->server_random)) > -+ outlen = sizeof(ssl->s3->server_random); > -+ memcpy(out, ssl->s3->server_random, outlen); > -+ return outlen; > -+} > -+ > -+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session, > -+ unsigned char *out, size_t outlen) > -+{ > -+ if (outlen == 0) > -+ return session->master_key_length; > -+ if (outlen > session->master_key_length) > -+ outlen = session->master_key_length; > -+ memcpy(out, session->master_key, outlen); > -+ return outlen; > -+} > -+ > -+ > -+/* > -+ * TLS PRF from RFC 2246 > -+ */ > -+static void P_hash(const EVP_MD *evp_md, > -+ const unsigned char *secret, unsigned int secret_len, > -+ const unsigned char *seed, unsigned int seed_len, > -+ unsigned char *out, unsigned int out_len) > -+{ > -+ HMAC_CTX *ctx_a, *ctx_out; > -+ unsigned char a[HMAC_MAX_MD_CBLOCK]; > -+ unsigned int size; > -+ > -+ ctx_a = HMAC_CTX_new(); > -+ ctx_out = HMAC_CTX_new(); > -+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL); > -+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL); > -+ > -+ size = HMAC_size(ctx_out); > -+ > -+ /* Calculate A(1) */ > -+ 
HMAC_Update(ctx_a, seed, seed_len); > -+ HMAC_Final(ctx_a, a, NULL); > -+ > -+ while (1) { > -+ /* Calculate next part of output */ > -+ HMAC_Update(ctx_out, a, size); > -+ HMAC_Update(ctx_out, seed, seed_len); > -+ > -+ /* Check if last part */ > -+ if (out_len < size) { > -+ HMAC_Final(ctx_out, a, NULL); > -+ memcpy(out, a, out_len); > -+ break; > -+ } > -+ > -+ /* Place digest in output buffer */ > -+ HMAC_Final(ctx_out, out, NULL); > -+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL); > -+ out += size; > -+ out_len -= size; > -+ > -+ /* Calculate next A(i) */ > -+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL); > -+ HMAC_Update(ctx_a, a, size); > -+ HMAC_Final(ctx_a, a, NULL); > -+ } > -+ > -+ HMAC_CTX_free(ctx_a); > -+ HMAC_CTX_free(ctx_out); > -+ memset(a, 0, sizeof(a)); > -+} > -+ > -+static void PRF(const unsigned char *secret, unsigned int secret_len, > -+ const unsigned char *seed, unsigned int seed_len, > -+ unsigned char *out, unsigned char *buf, unsigned int out_len) > -+{ > -+ unsigned int i; > -+ unsigned int len = (secret_len + 1) / 2; > -+ const unsigned char *s1 = secret; > -+ const unsigned char *s2 = secret + (secret_len - len); > -+ > -+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); > -+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); > -+ > -+ for (i=0; i < out_len; i++) { > -+ out[i] ^= buf[i]; > -+ } > -+} > -+ > -+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen, > -+ const char *label, size_t llen, > -+ const unsigned char *p, size_t plen, > -+ int use_context) > -+{ > -+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; > -+ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN]; > -+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH]; > -+ size_t master_key_length; > -+ unsigned char *pp; > -+ > -+ pp = seed; > -+ > -+ memcpy(pp, label, llen); > -+ pp += llen; > -+ > -+ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE); > -+ pp += SSL3_RANDOM_SIZE; > -+ > -+ llen += SSL_get_server_random(s, pp, 
SSL3_RANDOM_SIZE); > -+ > -+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key, > -+ sizeof(master_key)); > -+ PRF(master_key, master_key_length, seed, llen, out, buf, olen); > -+ > -+ return 1; > -+} > -+ > -+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */ > -+ > -+ > -+/* > -+ * OpenSSL 1.1+ introduced a generic TLS_method() > -+ * For older releases we substitute the appropriate method > -+ */ > -+ > -+#if OPENSSL_VERSION_NUMBER < 0x10100000L > -+ > -+#define TLS_method SSLv23_method > -+ > -+#define SSL3_RT_HEADER 0x100 > -+ > -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */ > -+ > -+ > -+/* > -+ * Generate keys according to RFC 2716 and add to reply > -+ */ > -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, > -+ int client) > -+{ > -+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN]; > -+ size_t prf_size = strlen(prf_label); > -+ unsigned char *p; > -+ > -+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1) > -+ { > -+ warn( "EAP-TLS: Failed generating keying material" ); > -+ return; > -+ } > -+ > -+ /* > -+ * We now have the master send and receive keys. > -+ * From these, generate the session send and receive keys. 
> -+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) > -+ */ > -+ if (client) > -+ { > -+ p = out; > -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); > -+ p += EAPTLS_MPPE_KEY_LEN; > -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); > -+ } > -+ else > -+ { > -+ p = out; > -+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); > -+ p += EAPTLS_MPPE_KEY_LEN; > -+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); > -+ } > -+ > -+ mppe_keys_set = 1; > -+} > -+ > -+#endif > -+ > -+void log_ssl_errors( void ) > -+{ > -+ unsigned long ssl_err = ERR_get_error(); > -+ > -+ if (ssl_err != 0) > -+ dbglog("EAP-TLS SSL error stack:"); > -+ while (ssl_err != 0) { > -+ dbglog( ERR_error_string( ssl_err, NULL ) ); > -+ ssl_err = ERR_get_error(); > -+ } > -+} > -+ > -+ > -+int password_callback (char *buf, int size, int rwflag, void *u) > -+{ > -+ if (buf) > -+ { > -+ strncpy (buf, passwd, size); > -+ return strlen (buf); > -+ } > -+ return 0; > -+} > -+ > -+ > -+CONF *eaptls_ssl_load_config( void ) > -+{ > -+ CONF *config; > -+ int ret_code; > -+ long error_line = 33; > -+ > -+ config = NCONF_new( NULL ); > -+ dbglog( "Loading OpenSSL config file" ); > -+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); > -+ if (ret_code == 0) > -+ { > -+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); > -+ NCONF_free( config ); > -+ config = NULL; > -+ ERR_clear_error(); > -+ } > -+ > -+ dbglog( "Loading OpenSSL built-ins" ); > -+ ENGINE_load_builtin_engines(); > -+ OPENSSL_load_builtin_modules(); > -+ > -+ dbglog( "Loading OpenSSL configured modules" ); > -+ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) > -+ { > -+ warn( "EAP-TLS: Error loading OpenSSL modules" ); > -+ log_ssl_errors(); > -+ config = NULL; > -+ } > -+ > -+ return config; > -+} > -+ > -+ENGINE *eaptls_ssl_load_engine( char *engine_name ) > -+{ > -+ ENGINE *e = NULL; > -+ > -+ dbglog( "Enabling OpenSSL auto engines" ); > -+ 
ENGINE_register_all_complete(); > -+ > -+ dbglog( "Loading OpenSSL '%s' engine support", engine_name ); > -+ e = ENGINE_by_id( engine_name ); > -+ if (!e) > -+ { > -+ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); > -+ e = ENGINE_by_id( "dynamic" ); > -+ if (e) > -+ { > -+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) > -+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) > -+ { > -+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); > -+ log_ssl_errors(); > -+ ENGINE_free(e); > -+ e = NULL; > -+ } > -+ } > -+ else > -+ { > -+ warn( "EAP-TLS: Cannot load dynamic engine support" ); > -+ } > -+ } > -+ > -+ if (e) > -+ { > -+ dbglog( "Initialising engine" ); > -+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) > -+ { > -+ warn( "EAP-TLS: Cannot use that engine" ); > -+ log_ssl_errors(); > -+ ENGINE_free(e); > -+ e = NULL; > -+ } > -+ } > -+ > -+ return e; > -+} > -+ > -+/* > -+ * Initialize the SSL stacks and tests if certificates, key and crl > -+ * for client or server use can be loaded. 
> -+ */ > -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, > -+ char *certfile, char *peer_certfile, char *privkeyfile) > -+{ > -+ char *cert_engine_name = NULL; > -+ char *cert_identifier = NULL; > -+ char *pkey_engine_name = NULL; > -+ char *pkey_identifier = NULL; > -+ SSL_CTX *ctx; > -+ SSL *ssl; > -+ X509_STORE *certstore; > -+ X509_LOOKUP *lookup; > -+ X509 *tmp; > -+ int ret; > -+ > -+ /* > -+ * Without these can't continue > -+ */ > -+ if (!cacertfile[0]) > -+ { > -+ error("EAP-TLS: CA certificate missing"); > -+ return NULL; > -+ } > -+ > -+ if (!certfile[0]) > -+ { > -+ error("EAP-TLS: User certificate missing"); > -+ return NULL; > -+ } > -+ > -+ if (!privkeyfile[0]) > -+ { > -+ error("EAP-TLS: User private key missing"); > -+ return NULL; > -+ } > -+ > -+ SSL_library_init(); > -+ SSL_load_error_strings(); > -+ > -+ ctx = SSL_CTX_new(TLS_method()); > -+ > -+ if (!ctx) { > -+ error("EAP-TLS: Cannot initialize SSL CTX context"); > -+ goto fail; > -+ } > -+ > -+ /* if the certificate filename is of the form engine:id. e.g. > -+ pkcs11:12345 > -+ then we try to load and use this engine. > -+ If the certificate filename starts with a / or . then we > -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier > -+ */ > -+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) > -+ { > -+ cert_identifier = index( certfile, ':' ); > -+ > -+ if (cert_identifier) > -+ { > -+ cert_engine_name = certfile; > -+ *cert_identifier = '\0'; > -+ cert_identifier++; > -+ > -+ dbglog( "Found certificate engine '%s'", cert_engine_name ); > -+ dbglog( "Found certificate identifier '%s'", cert_identifier ); > -+ } > -+ } > -+ > -+ /* if the privatekey filename is of the form engine:id. e.g. > -+ pkcs11:12345 > -+ then we try to load and use this engine. > -+ If the privatekey filename starts with a / or . 
then we > -+ ALWAYS assume it is a file and not an engine/pkcs11 identifier > -+ */ > -+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) > -+ { > -+ pkey_identifier = index( privkeyfile, ':' ); > -+ > -+ if (pkey_identifier) > -+ { > -+ pkey_engine_name = privkeyfile; > -+ *pkey_identifier = '\0'; > -+ pkey_identifier++; > -+ > -+ dbglog( "Found privatekey engine '%s'", pkey_engine_name ); > -+ dbglog( "Found privatekey identifier '%s'", pkey_identifier ); > -+ } > -+ } > -+ > -+ if (cert_identifier && pkey_identifier) > -+ { > -+ if (strlen( cert_identifier ) == 0) > -+ { > -+ if (strlen( pkey_identifier ) == 0) > -+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); > -+ else > -+ { > -+ dbglog( "Substituting privatekey identifier for certificate identifier" ); > -+ cert_identifier = pkey_identifier; > -+ } > -+ } > -+ else > -+ { > -+ if (strlen( pkey_identifier ) == 0) > -+ { > -+ dbglog( "Substituting certificate identifier for privatekey identifier" ); > -+ pkey_identifier = cert_identifier; > -+ } > -+ } > -+ > -+ } > -+ > -+ /* load the openssl config file only once */ > -+ if (!ssl_config) > -+ { > -+ if (cert_engine_name || pkey_engine_name) > -+ ssl_config = eaptls_ssl_load_config(); > -+ > -+ if (ssl_config && cert_engine_name) > -+ cert_engine = eaptls_ssl_load_engine( cert_engine_name ); > -+ > -+ if (ssl_config && pkey_engine_name) > -+ { > -+ /* don't load the same engine twice */ > -+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 ) > -+ pkey_engine = cert_engine; > -+ else > -+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); > -+ } > -+ } > -+ > -+ SSL_CTX_set_default_passwd_cb (ctx, password_callback); > -+ > -+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) > -+ { > -+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); > -+ goto fail; > -+ } > -+ > -+ if (init_server) > -+ SSL_CTX_set_client_CA_list(ctx, 
SSL_load_client_CA_file(cacertfile)); > -+ > -+ if (cert_engine) > -+ { > -+ struct > -+ { > -+ const char *s_slot_cert_id; > -+ X509 *cert; > -+ } cert_info; > -+ > -+ cert_info.s_slot_cert_id = cert_identifier; > -+ cert_info.cert = NULL; > -+ > -+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) > -+ { > -+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); > -+ goto fail; > -+ } > -+ > -+ if (cert_info.cert) > -+ { > -+ dbglog( "Got the certificate, adding it to SSL context" ); > -+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); > -+ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) > -+ { > -+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); > -+ goto fail; > -+ } > -+ } > -+ else > -+ { > -+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); > -+ log_ssl_errors(); > -+ } > -+ } > -+ else > -+ { > -+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile)) > -+ { > -+ error( "EAP-TLS: Cannot use public certificate %s", certfile ); > -+ goto fail; > -+ } > -+ } > -+ > -+ > -+ /* > -+ * Check the Before and After dates of the certificate > -+ */ > -+ ssl = SSL_new(ctx); > -+ tmp = SSL_get_certificate(ssl); > -+ > -+ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL); > -+ if (ret == 0) > -+ { > -+ warn( "EAP-TLS: Failed to read certificate notBefore field."); > -+ } > -+ if (ret > 0) > -+ { > -+ warn( "EAP-TLS: Your certificate is not yet valid!"); > -+ } > -+ > -+ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL); > -+ if (ret == 0) > -+ { > -+ warn( "EAP-TLS: Failed to read certificate notAfter field."); > -+ } > -+ if (ret < 0) > -+ { > -+ warn( "EAP-TLS: Your certificate has expired!"); > -+ } > -+ SSL_free(ssl); > -+ > -+ if (pkey_engine) > -+ { > -+ EVP_PKEY *pkey = NULL; > -+ PW_CB_DATA cb_data; > -+ > -+ cb_data.password = passwd; > -+ cb_data.prompt_info = pkey_identifier; > -+ > -+ dbglog( "Loading 
private key '%s' from engine", pkey_identifier ); > -+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); > -+ if (pkey) > -+ { > -+ dbglog( "Got the private key, adding it to SSL context" ); > -+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) > -+ { > -+ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); > -+ goto fail; > -+ } > -+ } > -+ else > -+ { > -+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); > -+ log_ssl_errors(); > -+ } > -+ } > -+ else > -+ { > -+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) > -+ { > -+ error("EAP-TLS: Cannot use private key %s", privkeyfile); > -+ goto fail; > -+ } > -+ } > -+ > -+ if (SSL_CTX_check_private_key(ctx) != 1) { > -+ error("EAP-TLS: Private key %s fails security check", privkeyfile); > -+ goto fail; > -+ } > -+ > -+ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */ > -+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 > -+#ifdef SSL_OP_NO_TICKET > -+ | SSL_OP_NO_TICKET > -+#endif > -+ ); > -+ > -+ SSL_CTX_set_verify_depth(ctx, 5); > -+ SSL_CTX_set_verify(ctx, > -+ SSL_VERIFY_PEER | > -+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, > -+ &ssl_verify_callback); > -+ > -+ if (crl_dir) { > -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { > -+ error("EAP-TLS: Failed to get certificate store"); > -+ goto fail; > -+ } > -+ > -+ if (!(lookup = > -+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { > -+ error("EAP-TLS: Store lookup for CRL failed"); > -+ > -+ goto fail; > -+ } > -+ > -+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); > -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); > -+ } > -+ > -+ if (crl_file) { > -+ FILE *fp = NULL; > -+ X509_CRL *crl = NULL; > -+ > -+ fp = fopen(crl_file, "r"); > -+ if (!fp) { > -+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file); > -+ goto fail; > -+ } > -+ > -+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL); > -+ if (!crl) { > -+ error("EAP-TLS: Cannot read CRL 
file '%s'", crl_file); > -+ goto fail; > -+ } > -+ > -+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { > -+ error("EAP-TLS: Failed to get certificate store"); > -+ goto fail; > -+ } > -+ if (!X509_STORE_add_crl(certstore, crl)) { > -+ error("EAP-TLS: Cannot add CRL to certificate store"); > -+ goto fail; > -+ } > -+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); > -+ > -+ } > -+ > -+ /* > -+ * If a peer certificate file was specified, it must be valid, else fail > -+ */ > -+ if (peer_certfile[0]) { > -+ if (!(tmp = get_X509_from_file(peer_certfile))) { > -+ error("EAP-TLS: Error loading client certificate from file %s", > -+ peer_certfile); > -+ goto fail; > -+ } > -+ X509_free(tmp); > -+ } > -+ > -+ return ctx; > -+ > -+fail: > -+ log_ssl_errors(); > -+ SSL_CTX_free(ctx); > -+ return NULL; > -+} > -+ > -+/* > -+ * Determine the maximum packet size by looking at the LCP handshake > -+ */ > -+ > -+int eaptls_get_mtu(int unit) > -+{ > -+ int mtu, mru; > -+ > -+ lcp_options *wo = &lcp_wantoptions[unit]; > -+ lcp_options *go = &lcp_gotoptions[unit]; > -+ lcp_options *ho = &lcp_hisoptions[unit]; > -+ lcp_options *ao = &lcp_allowoptions[unit]; > -+ > -+ mtu = ho->neg_mru? ho->mru: PPP_MRU; > -+ mru = go->neg_mru? 
MAX(wo->mru, go->mru): PPP_MRU; > -+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; > -+ > -+ dbglog("MTU = %d", mtu); > -+ return mtu; > -+} > -+ > -+ > -+/* > -+ * Init the ssl handshake (server mode) > -+ */ > -+int eaptls_init_ssl_server(eap_state * esp) > -+{ > -+ struct eaptls_session *ets; > -+ char servcertfile[MAXWORDLEN]; > -+ char clicertfile[MAXWORDLEN]; > -+ char cacertfile[MAXWORDLEN]; > -+ char pkfile[MAXWORDLEN]; > -+ /* > -+ * Allocate new eaptls session > -+ */ > -+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); > -+ if (!esp->es_server.ea_session) > -+ fatal("Allocation error"); > -+ ets = esp->es_server.ea_session; > -+ > -+ if (!esp->es_server.ea_peer) { > -+ error("EAP-TLS: Error: client name not set (BUG)"); > -+ return 0; > -+ } > -+ > -+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); > -+ > -+ dbglog( "getting eaptls secret" ); > -+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, > -+ esp->es_server.ea_name, clicertfile, > -+ servcertfile, cacertfile, pkfile, 1)) { > -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", > -+ esp->es_server.ea_peer, esp->es_server.ea_name ); > -+ return 0; > -+ } > -+ > -+ ets->mtu = eaptls_get_mtu(esp->es_unit); > -+ > -+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); > -+ if (!ets->ctx) > -+ goto fail; > -+ > -+ if (!(ets->ssl = SSL_new(ets->ctx))) > -+ goto fail; > -+ > -+ /* > -+ * Set auto-retry to avoid timeouts on BIO_read > -+ */ > -+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); > -+ > -+ /* > -+ * Initialize the BIOs we use to read/write to ssl engine > -+ */ > -+ ets->into_ssl = BIO_new(BIO_s_mem()); > -+ ets->from_ssl = BIO_new(BIO_s_mem()); > -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); > -+ > -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); > -+ SSL_set_msg_callback_arg(ets->ssl, ets); > -+ > -+ /* > -+ * Attach the session struct to the connection, so we can later > -+ * 
retrieve it when doing certificate verification > -+ */ > -+ SSL_set_ex_data(ets->ssl, 0, ets); > -+ > -+ SSL_set_accept_state(ets->ssl); > -+ > -+ ets->data = NULL; > -+ ets->datalen = 0; > -+ ets->alert_sent = 0; > -+ ets->alert_recv = 0; > -+ > -+ /* > -+ * If we specified the client certificate file, store it in ets->peercertfile, > -+ * so we can check it later in ssl_verify_callback() > -+ */ > -+ if (clicertfile[0]) > -+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); > -+ else > -+ ets->peercertfile[0] = 0; > -+ > -+ return 1; > -+ > -+fail: > -+ SSL_CTX_free(ets->ctx); > -+ return 0; > -+} > -+ > -+/* > -+ * Init the ssl handshake (client mode) > -+ */ > -+int eaptls_init_ssl_client(eap_state * esp) > -+{ > -+ struct eaptls_session *ets; > -+ char servcertfile[MAXWORDLEN]; > -+ char clicertfile[MAXWORDLEN]; > -+ char cacertfile[MAXWORDLEN]; > -+ char pkfile[MAXWORDLEN]; > -+ > -+ /* > -+ * Allocate new eaptls session > -+ */ > -+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); > -+ if (!esp->es_client.ea_session) > -+ fatal("Allocation error"); > -+ ets = esp->es_client.ea_session; > -+ > -+ /* > -+ * If available, copy server name in ets; it will be used in cert > -+ * verify > -+ */ > -+ if (esp->es_client.ea_peer) > -+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); > -+ else > -+ ets->peer[0] = 0; > -+ > -+ ets->mtu = eaptls_get_mtu(esp->es_unit); > -+ > -+ dbglog( "calling get_eaptls_secret" ); > -+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, > -+ ets->peer, clicertfile, > -+ servcertfile, cacertfile, pkfile, 0)) { > -+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", > -+ esp->es_client.ea_name, ets->peer ); > -+ return 0; > -+ } > -+ > -+ dbglog( "calling eaptls_init_ssl" ); > -+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); > -+ if (!ets->ctx) > -+ goto fail; > -+ > -+ ets->ssl = SSL_new(ets->ctx); > -+ > -+ if (!ets->ssl) > -+ goto 
fail; > -+ > -+ /* > -+ * Initialize the BIOs we use to read/write to ssl engine > -+ */ > -+ dbglog( "Initializing SSL BIOs" ); > -+ ets->into_ssl = BIO_new(BIO_s_mem()); > -+ ets->from_ssl = BIO_new(BIO_s_mem()); > -+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); > -+ > -+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); > -+ SSL_set_msg_callback_arg(ets->ssl, ets); > -+ > -+ /* > -+ * Attach the session struct to the connection, so we can later > -+ * retrieve it when doing certificate verification > -+ */ > -+ SSL_set_ex_data(ets->ssl, 0, ets); > -+ > -+ SSL_set_connect_state(ets->ssl); > -+ > -+ ets->data = NULL; > -+ ets->datalen = 0; > -+ ets->alert_sent = 0; > -+ ets->alert_recv = 0; > -+ > -+ /* > -+ * If we specified the server certificate file, store it in > -+ * ets->peercertfile, so we can check it later in > -+ * ssl_verify_callback() > -+ */ > -+ if (servcertfile[0]) > -+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); > -+ else > -+ ets->peercertfile[0] = 0; > -+ > -+ return 1; > -+ > -+fail: > -+ dbglog( "eaptls_init_ssl_client: fail" ); > -+ SSL_CTX_free(ets->ctx); > -+ return 0; > -+ > -+} > -+ > -+void eaptls_free_session(struct eaptls_session *ets) > -+{ > -+ if (ets->ssl) > -+ SSL_free(ets->ssl); > -+ > -+ if (ets->ctx) > -+ SSL_CTX_free(ets->ctx); > -+ > -+ free(ets); > -+} > -+ > -+/* > -+ * Handle a received packet, reassembling fragmented messages and > -+ * passing them to the ssl engine > -+ */ > -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) > -+{ > -+ u_char flags; > -+ u_int tlslen = 0; > -+ u_char dummy[65536]; > -+ > -+ if (len < 1) { > -+ warn("EAP-TLS: received no or invalid data"); > -+ return 1; > -+ } > -+ > -+ GETCHAR(flags, inp); > -+ len--; > -+ > -+ if (flags & EAP_TLS_FLAGS_LI && len > 4) { > -+ /* > -+ * LenghtIncluded flag set -> this is the first packet of a message > -+ */ > -+ > -+ /* > -+ * the first 4 octets are the length of the EAP-TLS message > -+ */ > -+ GETLONG(tlslen, 
inp); > -+ len -= 4; > -+ > -+ if (!ets->data) { > -+ > -+ if (tlslen > EAP_TLS_MAX_LEN) { > -+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN); > -+ tlslen = EAP_TLS_MAX_LEN; > -+ } > -+ > -+ /* > -+ * Allocate memory for the whole message > -+ */ > -+ ets->data = malloc(tlslen); > -+ if (!ets->data) > -+ fatal("EAP-TLS: allocation error\n"); > -+ > -+ ets->datalen = 0; > -+ ets->tlslen = tlslen; > -+ } > -+ else > -+ warn("EAP-TLS: non-first LI packet? that's odd..."); > -+ } > -+ else if (!ets->data) { > -+ /* > -+ * A non fragmented message without LI flag > -+ */ > -+ > -+ ets->data = malloc(len); > -+ if (!ets->data) > -+ fatal("EAP-TLS: allocation error\n"); > -+ > -+ ets->datalen = 0; > -+ ets->tlslen = len; > -+ } > -+ > -+ if (flags & EAP_TLS_FLAGS_MF) > -+ ets->frag = 1; > -+ else > -+ ets->frag = 0; > -+ > -+ if (len < 0) { > -+ warn("EAP-TLS: received malformed data"); > -+ return 1; > -+ } > -+ > -+ if (len + ets->datalen > ets->tlslen) { > -+ warn("EAP-TLS: received data > TLS message length"); > -+ return 1; > -+ } > -+ > -+ BCOPY(inp, ets->data + ets->datalen, len); > -+ ets->datalen += len; > -+ > -+ if (!ets->frag) { > -+ > -+ /* > -+ * If we have the whole message, pass it to ssl > -+ */ > -+ > -+ if (ets->datalen != ets->tlslen) { > -+ warn("EAP-TLS: received data != TLS message length"); > -+ return 1; > -+ } > -+ > -+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) > -+ log_ssl_errors(); > -+ > -+ SSL_read(ets->ssl, dummy, 65536); > -+ > -+ free(ets->data); > -+ ets->data = NULL; > -+ ets->datalen = 0; > -+ } > -+ > -+ return 0; > -+} > -+ > -+/* > -+ * Return an eap-tls packet in outp. > -+ * A TLS message read from the ssl engine is buffered in ets->data. > -+ * At each call we control if there is buffered data and send a > -+ * packet of mtu bytes. 
> -+ */ > -+int eaptls_send(struct eaptls_session *ets, u_char ** outp) > -+{ > -+ bool first = 0; > -+ int size; > -+ u_char fromtls[65536]; > -+ int res; > -+ u_char *start; > -+ > -+ start = *outp; > -+ > -+ if (!ets->data) { > -+ > -+ if(!ets->alert_sent) > -+ SSL_read(ets->ssl, fromtls, 65536); > -+ > -+ /* > -+ * Read from ssl > -+ */ > -+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) > -+ { > -+ warn("EAP-TLS send: No data from BIO_read"); > -+ return 1; > -+ } > -+ > -+ ets->datalen = res; > -+ > -+ ets->data = malloc(ets->datalen); > -+ BCOPY(fromtls, ets->data, ets->datalen); > -+ > -+ ets->offset = 0; > -+ first = 1; > -+ > -+ } > -+ > -+ size = ets->datalen - ets->offset; > -+ > -+ if (size > ets->mtu) { > -+ size = ets->mtu; > -+ ets->frag = 1; > -+ } else > -+ ets->frag = 0; > -+ > -+ PUTCHAR(EAPT_TLS, *outp); > -+ > -+ /* > -+ * Set right flags and length if necessary > -+ */ > -+ if (ets->frag && first) { > -+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); > -+ PUTLONG(ets->datalen, *outp); > -+ } else if (ets->frag) { > -+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp); > -+ } else > -+ PUTCHAR(0, *outp); > -+ > -+ /* > -+ * Copy the data in outp > -+ */ > -+ BCOPY(ets->data + ets->offset, *outp, size); > -+ INCPTR(size, *outp); > -+ > -+ /* > -+ * Copy the packet in retransmission buffer > -+ */ > -+ BCOPY(start, &ets->rtx[0], *outp - start); > -+ ets->rtx_len = *outp - start; > -+ > -+ ets->offset += size; > -+ > -+ if (ets->offset >= ets->datalen) { > -+ > -+ /* > -+ * The whole message has been sent > -+ */ > -+ > -+ free(ets->data); > -+ ets->data = NULL; > -+ ets->datalen = 0; > -+ ets->offset = 0; > -+ } > -+ > -+ return 0; > -+} > -+ > -+/* > -+ * Get the sent packet from the retransmission buffer > -+ */ > -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) > -+{ > -+ BCOPY(ets->rtx, *outp, ets->rtx_len); > -+ INCPTR(ets->rtx_len, *outp); > -+} > -+ > -+/* > -+ * Verify a certificate. 
> -+ * Most of the work (signatures and issuer attributes checking) > -+ * is done by ssl; we check the CN in the peer certificate > -+ * against the peer name. > -+ */ > -+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx) > -+{ > -+ char subject[256]; > -+ char cn_str[256]; > -+ X509 *peer_cert; > -+ int err, depth; > -+ SSL *ssl; > -+ struct eaptls_session *ets; > -+ > -+ peer_cert = X509_STORE_CTX_get_current_cert(ctx); > -+ err = X509_STORE_CTX_get_error(ctx); > -+ depth = X509_STORE_CTX_get_error_depth(ctx); > -+ > -+ dbglog("certificate verify depth: %d", depth); > -+ > -+ if (auth_required && !ok) { > -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), > -+ subject, 256); > -+ > -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), > -+ NID_commonName, cn_str, 256); > -+ > -+ dbglog("Certificate verification error:\n depth: %d CN: %s" > -+ "\n err: %d (%s)\n", depth, cn_str, err, > -+ X509_verify_cert_error_string(err)); > -+ > -+ return 0; > -+ } > -+ > -+ ssl = X509_STORE_CTX_get_ex_data(ctx, > -+ SSL_get_ex_data_X509_STORE_CTX_idx()); > -+ > -+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); > -+ > -+ if (ets == NULL) { > -+ error("Error: SSL_get_ex_data returned NULL"); > -+ return 0; > -+ } > -+ > -+ log_ssl_errors(); > -+ > -+ if (!depth) { /* This is the peer certificate */ > -+ > -+ X509_NAME_oneline(X509_get_subject_name(peer_cert), > -+ subject, 256); > -+ > -+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), > -+ NID_commonName, cn_str, 256); > -+ > -+ /* > -+ * If acting as client and the name of the server wasn't specified > -+ * explicitely, we can't verify the server authenticity > -+ */ > -+ if (!ets->peer[0]) { > -+ warn("Peer name not specified: no check"); > -+ return ok; > -+ } > -+ > -+ /* > -+ * Check the CN > -+ */ > -+ if (strcmp(cn_str, ets->peer)) { > -+ error > -+ ("Certificate verification error: CN (%s) != peer_name (%s)", > -+ cn_str, ets->peer); > -+ return 0; > -+ } > -+ > -+ 
warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); > -+ > -+ /* > -+ * If a peer certificate file was specified, here we check it > -+ */ > -+ if (ets->peercertfile[0]) { > -+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) > -+ != 0) { > -+ error > -+ ("Peer certificate doesn't match stored certificate"); > -+ return 0; > -+ } > -+ } > -+ } > -+ > -+ return ok; > -+} > -+ > -+/* > -+ * Compare a certificate with the one stored in a file > -+ */ > -+int ssl_cmp_certs(char *filename, X509 * a) > -+{ > -+ X509 *b; > -+ int ret; > -+ > -+ if (!(b = get_X509_from_file(filename))) > -+ return 1; > -+ > -+ ret = X509_cmp(a, b); > -+ X509_free(b); > -+ > -+ return ret; > -+ > -+} > -+ > -+X509 *get_X509_from_file(char *filename) > -+{ > -+ FILE *fp; > -+ X509 *ret; > -+ > -+ if (!(fp = fopen(filename, "r"))) > -+ return NULL; > -+ > -+ ret = PEM_read_X509(fp, NULL, NULL, NULL); > -+ > -+ fclose(fp); > -+ > -+ return ret; > -+} > -+ > -+/* > -+ * Every sent & received message this callback function is invoked, > -+ * so we know when alert messages have arrived or are sent and > -+ * we can print debug information about TLS handshake. 
> -+ */ > -+void > -+ssl_msg_callback(int write_p, int version, int content_type, > -+ const void *buf, size_t len, SSL * ssl, void *arg) > -+{ > -+ char string[256]; > -+ struct eaptls_session *ets = (struct eaptls_session *)arg; > -+ unsigned char code; > -+ const unsigned char*msg = buf; > -+ int hvers = msg[1] << 8 | msg[2]; > -+ > -+ if(write_p) > -+ strcpy(string, " -> "); > -+ else > -+ strcpy(string, " <- "); > -+ > -+ switch(content_type) { > -+ > -+ case SSL3_RT_HEADER: > -+ strcat(string, "SSL/TLS Header: "); > -+ switch(hvers) { > -+ case SSL3_VERSION: > -+ strcat(string, "SSL 3.0"); > -+ break; > -+ case TLS1_VERSION: > -+ strcat(string, "TLS 1.0"); > -+ break; > -+ case TLS1_1_VERSION: > -+ strcat(string, "TLS 1.1"); > -+ break; > -+ case TLS1_2_VERSION: > -+ strcat(string, "TLS 1.2"); > -+ break; > -+ default: > -+ strcat(string, "Unknown version"); > -+ } > -+ break; > -+ > -+ case SSL3_RT_ALERT: > -+ strcat(string, "Alert: "); > -+ code = msg[1]; > -+ > -+ if (write_p) { > -+ ets->alert_sent = 1; > -+ ets->alert_sent_desc = code; > -+ } else { > -+ ets->alert_recv = 1; > -+ ets->alert_recv_desc = code; > -+ } > -+ > -+ strcat(string, SSL_alert_desc_string_long(code)); > -+ break; > -+ > -+ case SSL3_RT_CHANGE_CIPHER_SPEC: > -+ strcat(string, "ChangeCipherSpec"); > -+ break; > -+ > -+ case SSL3_RT_HANDSHAKE: > -+ > -+ strcat(string, "Handshake: "); > -+ code = msg[0]; > -+ > -+ switch(code) { > -+ case SSL3_MT_HELLO_REQUEST: > -+ strcat(string,"Hello Request"); > -+ break; > -+ case SSL3_MT_CLIENT_HELLO: > -+ strcat(string,"Client Hello"); > -+ break; > -+ case SSL3_MT_SERVER_HELLO: > -+ strcat(string,"Server Hello"); > -+ break; > -+#ifdef SSL3_MT_NEWSESSION_TICKET > -+ case SSL3_MT_NEWSESSION_TICKET: > -+ strcat(string,"New Session Ticket"); > -+ break; > -+#endif > -+ case SSL3_MT_CERTIFICATE: > -+ strcat(string,"Certificate"); > -+ break; > -+ case SSL3_MT_SERVER_KEY_EXCHANGE: > -+ strcat(string,"Server Key Exchange"); > -+ break; > -+ case 
SSL3_MT_CERTIFICATE_REQUEST: > -+ strcat(string,"Certificate Request"); > -+ break; > -+ case SSL3_MT_SERVER_DONE: > -+ strcat(string,"Server Hello Done"); > -+ break; > -+ case SSL3_MT_CERTIFICATE_VERIFY: > -+ strcat(string,"Certificate Verify"); > -+ break; > -+ case SSL3_MT_CLIENT_KEY_EXCHANGE: > -+ strcat(string,"Client Key Exchange"); > -+ break; > -+ case SSL3_MT_FINISHED: > -+ strcat(string,"Finished: "); > -+ hvers = SSL_version(ssl); > -+ switch(hvers) { > -+ case SSL3_VERSION: > -+ strcat(string, "SSL 3.0"); > -+ break; > -+ case TLS1_VERSION: > -+ strcat(string, "TLS 1.0"); > -+ break; > -+ case TLS1_1_VERSION: > -+ strcat(string, "TLS 1.1"); > -+ break; > -+ case TLS1_2_VERSION: > -+ strcat(string, "TLS 1.2"); > -+ break; > -+ default: > -+ strcat(string, "Unknown version"); > -+ } > -+ break; > -+ default: > -+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); > -+ } > -+ break; > -+ > -+ default: > -+ sprintf( string, "SSL message contains unknown content type: %d", content_type ); > -+ > -+ } > -+ > -+ /* Alert messages must always be displayed */ > -+ if(content_type == SSL3_RT_ALERT) > -+ error("%s", string); > -+ else > -+ dbglog("%s", string); > -+} > -+ > -diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h > -new file mode 100644 > -index 000000000000..2d45a0b83a0c > ---- /dev/null > -+++ b/pppd/eap-tls.h > -@@ -0,0 +1,107 @@ > -+/* > -+ * eap-tls.h > -+ * > -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved. > -+ * > -+ * Redistribution and use in source and binary forms, with or without > -+ * modification, are permitted provided that the following conditions > -+ * are met: > -+ * > -+ * 1. Redistributions of source code must retain the above copyright > -+ * notice, this list of conditions and the following disclaimer. > -+ * > -+ * 2. 
Redistributions in binary form must reproduce the above copyright > -+ * notice, this list of conditions and the following disclaimer in > -+ * the documentation and/or other materials provided with the > -+ * distribution. > -+ * > -+ * 3. The name(s) of the authors of this software must not be used to > -+ * endorse or promote products derived from this software without > -+ * prior written permission. > -+ * > -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO > -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY > -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY > -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES > -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN > -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING > -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. > -+ * > -+ */ > -+ > -+#ifndef __EAP_TLS_H__ > -+#define __EAP_TLS_H__ > -+ > -+#include "eap.h" > -+ > -+#include <openssl/ssl.h> > -+#include <openssl/bio.h> > -+#include <openssl/md5.h> > -+ > -+#define EAP_TLS_FLAGS_LI 128 /* length included flag */ > -+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ > -+#define EAP_TLS_FLAGS_START 32 /* start flag */ > -+ > -+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ > -+ > -+struct eaptls_session > -+{ > -+ u_char *data; /* buffered data */ > -+ int datalen; /* buffered data len */ > -+ int offset; /* from where to send */ > -+ int tlslen; /* total length of tls data */ > -+ bool frag; /* packet is fragmented */ > -+ SSL_CTX *ctx; > -+ SSL *ssl; /* ssl connection */ > -+ BIO *from_ssl; > -+ BIO *into_ssl; > -+ char peer[MAXWORDLEN]; /* peer name */ > -+ char peercertfile[MAXWORDLEN]; > -+ bool alert_sent; > -+ u_char alert_sent_desc; > -+ bool alert_recv; > -+ u_char alert_recv_desc; > -+ char rtx[65536]; /* retransmission buffer */ > -+ int rtx_len; > -+ int mtu; /* unit mtu */ > -+}; > -+ > 
-+typedef struct pw_cb_data > -+{ > -+ const void *password; > -+ const char *prompt_info; > -+} PW_CB_DATA; > -+ > -+ > -+int ssl_verify_callback(int, X509_STORE_CTX *); > -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf, > -+ size_t len, SSL * ssl, void *arg); > -+ > -+X509 *get_X509_from_file(char *filename); > -+int ssl_cmp_certs(char *filename, X509 * a); > -+ > -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, > -+ char *certfile, char *peer_certfile, char *privkeyfile); > -+int eaptls_init_ssl_server(eap_state * esp); > -+int eaptls_init_ssl_client(eap_state * esp); > -+void eaptls_free_session(struct eaptls_session *ets); > -+ > -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); > -+int eaptls_send(struct eaptls_session *ets, u_char ** outp); > -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); > -+ > -+int get_eaptls_secret(int unit, char *client, char *server, > -+ char *clicertfile, char *servcertfile, char *cacertfile, > -+ char *pkfile, int am_server); > -+ > -+#ifdef MPPE > -+#include "mppe.h" /* MPPE_MAX_KEY_LEN */ > -+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; > -+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; > -+extern int mppe_keys_set; > -+ > -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); > -+ > -+#endif > -+ > -+#endif > -diff --git a/pppd/eap.c b/pppd/eap.c > -index 6ea6c1f8bff6..032407c3dbb2 100644 > ---- a/pppd/eap.c > -+++ b/pppd/eap.c > -@@ -43,6 +43,11 @@ > - * Based on draft-ietf-pppext-eap-srp-03.txt. 
> - */ > - > -+/* > -+ * Modification by Beniamino Galvani, Mar 2005 > -+ * Implemented EAP-TLS authentication > -+ */ > -+ > - #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" > - > - /* > -@@ -62,8 +67,12 @@ > - > - #include "pppd.h" > - #include "pathnames.h" > --#include "md5.h" > - #include "eap.h" > -+#ifdef USE_EAPTLS > -+#include "eap-tls.h" > -+#else > -+#include "md5.h" > -+#endif /* USE_EAPTLS */ > - > - #ifdef USE_SRP > - #include <t_pwd.h> > -@@ -209,6 +218,9 @@ int unit; > - esp->es_server.ea_id = (u_char)(drand48() * 0x100); > - esp->es_client.ea_timeout = EAP_DEFREQTIME; > - esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; > -+#ifdef USE_EAPTLS > -+ esp->es_client.ea_using_eaptls = 0; > -+#endif /* USE_EAPTLS */ > - } > - > - /* > -@@ -436,8 +448,16 @@ int status; > - u_char vals[2]; > - struct b64state bs; > - #endif /* USE_SRP */ > -+#ifdef USE_EAPTLS > -+ struct eaptls_session *ets; > -+ int secret_len; > -+ char secret[MAXWORDLEN]; > -+#endif /* USE_EAPTLS */ > - > - esp->es_server.ea_timeout = esp->es_savedtime; > -+#ifdef USE_EAPTLS > -+ esp->es_server.ea_prev_state = esp->es_server.ea_state; > -+#endif /* USE_EAPTLS */ > - switch (esp->es_server.ea_state) { > - case eapBadAuth: > - return; > -@@ -562,9 +582,79 @@ int status; > - break; > - } > - #endif /* USE_SRP */ > -+#ifdef USE_EAPTLS > -+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, > -+ esp->es_server.ea_name, secret, &secret_len, 1)) { > -+ > -+ esp->es_server.ea_state = eapTlsStart; > -+ break; > -+ } > -+#endif /* USE_EAPTLS */ > -+ > - esp->es_server.ea_state = eapMD5Chall; > - break; > - > -+#ifdef USE_EAPTLS > -+ case eapTlsStart: > -+ /* Initialize ssl session */ > -+ if(!eaptls_init_ssl_server(esp)) { > -+ esp->es_server.ea_state = eapBadAuth; > -+ break; > -+ } > -+ > -+ esp->es_server.ea_state = eapTlsRecv; > -+ break; > -+ > -+ case eapTlsRecv: > -+ ets = (struct eaptls_session *) esp->es_server.ea_session; > -+ > -+ if(ets->alert_sent) { > -+ 
esp->es_server.ea_state = eapTlsSendAlert; > -+ break; > -+ } > -+ > -+ if (status) { > -+ esp->es_server.ea_state = eapBadAuth; > -+ break; > -+ } > -+ ets = (struct eaptls_session *) esp->es_server.ea_session; > -+ > -+ if(ets->frag) > -+ esp->es_server.ea_state = eapTlsSendAck; > -+ else > -+ esp->es_server.ea_state = eapTlsSend; > -+ break; > -+ > -+ case eapTlsSend: > -+ ets = (struct eaptls_session *) esp->es_server.ea_session; > -+ > -+ if(ets->frag) > -+ esp->es_server.ea_state = eapTlsRecvAck; > -+ else > -+ if(SSL_is_init_finished(ets->ssl)) > -+ esp->es_server.ea_state = eapTlsRecvClient; > -+ else > -+ esp->es_server.ea_state = eapTlsRecv; > -+ break; > -+ > -+ case eapTlsSendAck: > -+ esp->es_server.ea_state = eapTlsRecv; > -+ break; > -+ > -+ case eapTlsRecvAck: > -+ if (status) { > -+ esp->es_server.ea_state = eapBadAuth; > -+ break; > -+ } > -+ > -+ esp->es_server.ea_state = eapTlsSend; > -+ break; > -+ > -+ case eapTlsSendAlert: > -+ esp->es_server.ea_state = eapTlsRecvAlertAck; > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - case eapSRP1: > - #ifdef USE_SRP > - ts = (struct t_server *)esp->es_server.ea_session; > -@@ -718,6 +808,30 @@ eap_state *esp; > - INCPTR(esp->es_server.ea_namelen, outp); > - break; > - > -+#ifdef USE_EAPTLS > -+ case eapTlsStart: > -+ PUTCHAR(EAPT_TLS, outp); > -+ PUTCHAR(EAP_TLS_FLAGS_START, outp); > -+ eap_figure_next_state(esp, 0); > -+ break; > -+ > -+ case eapTlsSend: > -+ eaptls_send(esp->es_server.ea_session, &outp); > -+ eap_figure_next_state(esp, 0); > -+ break; > -+ > -+ case eapTlsSendAck: > -+ PUTCHAR(EAPT_TLS, outp); > -+ PUTCHAR(0, outp); > -+ eap_figure_next_state(esp, 0); > -+ break; > -+ > -+ case eapTlsSendAlert: > -+ eaptls_send(esp->es_server.ea_session, &outp); > -+ eap_figure_next_state(esp, 0); > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - #ifdef USE_SRP > - case eapSRP1: > - PUTCHAR(EAPT_SRP, outp); > -@@ -904,11 +1018,57 @@ static void > - eap_server_timeout(arg) > - void *arg; > - { > -+#ifdef 
USE_EAPTLS > -+ u_char *outp; > -+ u_char *lenloc; > -+ int outlen; > -+#endif /* USE_EAPTLS */ > -+ > - eap_state *esp = (eap_state *) arg; > - > - if (!eap_server_active(esp)) > - return; > - > -+#ifdef USE_EAPTLS > -+ switch(esp->es_server.ea_prev_state) { > -+ > -+ /* > -+ * In eap-tls the state changes after a request, so we return to > -+ * previous state ... > -+ */ > -+ case(eapTlsStart): > -+ case(eapTlsSendAck): > -+ esp->es_server.ea_state = esp->es_server.ea_prev_state; > -+ break; > -+ > -+ /* > -+ * ... or resend the stored data > -+ */ > -+ case(eapTlsSend): > -+ case(eapTlsSendAlert): > -+ outp = outpacket_buf; > -+ MAKEHEADER(outp, PPP_EAP); > -+ PUTCHAR(EAP_REQUEST, outp); > -+ PUTCHAR(esp->es_server.ea_id, outp); > -+ lenloc = outp; > -+ INCPTR(2, outp); > -+ > -+ eaptls_retransmit(esp->es_server.ea_session, &outp); > -+ > -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; > -+ PUTSHORT(outlen, lenloc); > -+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); > -+ esp->es_server.ea_requests++; > -+ > -+ if (esp->es_server.ea_timeout > 0) > -+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); > -+ > -+ return; > -+ default: > -+ break; > -+ } > -+#endif /* USE_EAPTLS */ > -+ > - /* EAP ID number must not change on timeout. 
*/ > - eap_send_request(esp); > - } > -@@ -1166,6 +1326,81 @@ u_char *str; > - } > - #endif /* USE_SRP */ > - > -+#ifdef USE_EAPTLS > -+/* > -+ * Send an EAP-TLS response message with tls data > -+ */ > -+static void > -+eap_tls_response(esp, id) > -+eap_state *esp; > -+u_char id; > -+{ > -+ u_char *outp; > -+ int outlen; > -+ u_char *lenloc; > -+ > -+ outp = outpacket_buf; > -+ > -+ MAKEHEADER(outp, PPP_EAP); > -+ > -+ PUTCHAR(EAP_RESPONSE, outp); > -+ PUTCHAR(id, outp); > -+ > -+ lenloc = outp; > -+ INCPTR(2, outp); > -+ > -+ /* > -+ If the id in the request is unchanged, we must retransmit > -+ the old data > -+ */ > -+ if(id == esp->es_client.ea_id) > -+ eaptls_retransmit(esp->es_client.ea_session, &outp); > -+ else > -+ eaptls_send(esp->es_client.ea_session, &outp); > -+ > -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; > -+ PUTSHORT(outlen, lenloc); > -+ > -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); > -+ > -+ esp->es_client.ea_id = id; > -+ > -+} > -+ > -+/* > -+ * Send an EAP-TLS ack > -+ */ > -+static void > -+eap_tls_sendack(esp, id) > -+eap_state *esp; > -+u_char id; > -+{ > -+ u_char *outp; > -+ int outlen; > -+ u_char *lenloc; > -+ > -+ outp = outpacket_buf; > -+ > -+ MAKEHEADER(outp, PPP_EAP); > -+ > -+ PUTCHAR(EAP_RESPONSE, outp); > -+ PUTCHAR(id, outp); > -+ esp->es_client.ea_id = id; > -+ > -+ lenloc = outp; > -+ INCPTR(2, outp); > -+ > -+ PUTCHAR(EAPT_TLS, outp); > -+ PUTCHAR(0, outp); > -+ > -+ outlen = (outp - outpacket_buf) - PPP_HDRLEN; > -+ PUTSHORT(outlen, lenloc); > -+ > -+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); > -+ > -+} > -+#endif /* USE_EAPTLS */ > -+ > - static void > - eap_send_nak(esp, id, type) > - eap_state *esp; > -@@ -1320,6 +1555,11 @@ int len; > - char rhostname[256]; > - MD5_CTX mdContext; > - u_char hash[MD5_SIGNATURE_SIZE]; > -+#ifdef USE_EAPTLS > -+ u_char flags; > -+ struct eaptls_session *ets = esp->es_client.ea_session; > -+#endif /* USE_EAPTLS */ > -+ > - #ifdef USE_SRP > - struct 
t_client *tc; > - struct t_num sval, gval, Nval, *Ap, Bval; > -@@ -1456,6 +1696,100 @@ int len; > - esp->es_client.ea_namelen); > - break; > - > -+#ifdef USE_EAPTLS > -+ case EAPT_TLS: > -+ > -+ switch(esp->es_client.ea_state) { > -+ > -+ case eapListen: > -+ > -+ if (len < 1) { > -+ error("EAP: received EAP-TLS Listen packet with no data"); > -+ /* Bogus request; wait for something real. */ > -+ return; > -+ } > -+ GETCHAR(flags, inp); > -+ if(flags & EAP_TLS_FLAGS_START){ > -+ > -+ esp->es_client.ea_using_eaptls = 1; > -+ > -+ if (explicit_remote){ > -+ esp->es_client.ea_peer = strdup(remote_name); > -+ esp->es_client.ea_peerlen = strlen(remote_name); > -+ } else > -+ esp->es_client.ea_peer = NULL; > -+ > -+ /* Init ssl session */ > -+ if(!eaptls_init_ssl_client(esp)) { > -+ dbglog("cannot init ssl"); > -+ eap_send_nak(esp, id, EAPT_TLS); > -+ esp->es_client.ea_using_eaptls = 0; > -+ break; > -+ } > -+ > -+ ets = esp->es_client.ea_session; > -+ eap_tls_response(esp, id); > -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : > -+ eapTlsRecv); > -+ break; > -+ } > -+ > -+ /* The server has sent a bad start packet. */ > -+ eap_send_nak(esp, id, EAPT_TLS); > -+ break; > -+ > -+ case eapTlsRecvAck: > -+ eap_tls_response(esp, id); > -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : > -+ eapTlsRecv); > -+ break; > -+ > -+ case eapTlsRecv: > -+ if (len < 1) { > -+ error("EAP: discarding EAP-TLS Receive packet with no data"); > -+ /* Bogus request; wait for something real. 
*/ > -+ return; > -+ } > -+ eaptls_receive(ets, inp, len); > -+ > -+ if(ets->frag) { > -+ eap_tls_sendack(esp, id); > -+ esp->es_client.ea_state = eapTlsRecv; > -+ break; > -+ } > -+ > -+ if(ets->alert_recv) { > -+ eap_tls_sendack(esp, id); > -+ esp->es_client.ea_state = eapTlsRecvFailure; > -+ break; > -+ } > -+ > -+ /* Check if TLS handshake is finished */ > -+ if(SSL_is_init_finished(ets->ssl)){ > -+#ifdef MPPE > -+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); > -+#endif > -+ eaptls_free_session(ets); > -+ eap_tls_sendack(esp, id); > -+ esp->es_client.ea_state = eapTlsRecvSuccess; > -+ break; > -+ } > -+ > -+ eap_tls_response(esp,id); > -+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : > -+ eapTlsRecv); > -+ > -+ break; > -+ > -+ default: > -+ eap_send_nak(esp, id, EAPT_TLS); > -+ esp->es_client.ea_using_eaptls = 0; > -+ break; > -+ } > -+ > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - #ifdef USE_SRP > - case EAPT_SRP: > - if (len < 1) { > -@@ -1737,6 +2071,11 @@ int len; > - u_char dig[SHA_DIGESTSIZE]; > - #endif /* USE_SRP */ > - > -+#ifdef USE_EAPTLS > -+ struct eaptls_session *ets; > -+ u_char flags; > -+#endif /* USE_EAPTLS */ > -+ > - if (esp->es_server.ea_id != id) { > - dbglog("EAP: discarding Response %d; expected ID %d", id, > - esp->es_server.ea_id); > -@@ -1776,6 +2115,64 @@ int len; > - eap_figure_next_state(esp, 0); > - break; > - > -+#ifdef USE_EAPTLS > -+ case EAPT_TLS: > -+ switch(esp->es_server.ea_state) { > -+ > -+ case eapTlsRecv: > -+ > -+ ets = (struct eaptls_session *) esp->es_server.ea_session; > -+ eap_figure_next_state(esp, > -+ eaptls_receive(esp->es_server.ea_session, inp, len)); > -+ > -+ if(ets->alert_recv) { > -+ eap_send_failure(esp); > -+ break; > -+ } > -+ break; > -+ > -+ case eapTlsRecvAck: > -+ if(len > 1) { > -+ dbglog("EAP-TLS ACK with extra data"); > -+ } > -+ eap_figure_next_state(esp, 0); > -+ break; > -+ > -+ case eapTlsRecvClient: > -+ /* Receive authentication response from client */ > -+ > -+ if 
(len > 0) { > -+ GETCHAR(flags, inp); > -+ > -+ if(len == 1 && !flags) { /* Ack = ok */ > -+#ifdef MPPE > -+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); > -+#endif > -+ eap_send_success(esp); > -+ } > -+ else { /* failure */ > -+ warn("Server authentication failed"); > -+ eap_send_failure(esp); > -+ } > -+ } > -+ else > -+ warn("Bogus EAP-TLS packet received from client"); > -+ > -+ eaptls_free_session(esp->es_server.ea_session); > -+ > -+ break; > -+ > -+ case eapTlsRecvAlertAck: > -+ eap_send_failure(esp); > -+ break; > -+ > -+ default: > -+ eap_figure_next_state(esp, 1); > -+ break; > -+ } > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - case EAPT_NOTIFICATION: > - dbglog("EAP unexpected Notification; response discarded"); > - break; > -@@ -1807,6 +2204,13 @@ int len; > - esp->es_server.ea_state = eapMD5Chall; > - break; > - > -+#ifdef USE_EAPTLS > -+ /* Send EAP-TLS start packet */ > -+ case EAPT_TLS: > -+ esp->es_server.ea_state = eapTlsStart; > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - default: > - dbglog("EAP: peer requesting unknown Type %d", vallen); > - switch (esp->es_server.ea_state) { > -@@ -2018,13 +2422,27 @@ u_char *inp; > - int id; > - int len; > - { > -- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { > -+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) > -+#ifdef USE_EAPTLS > -+ && esp->es_client.ea_state != eapTlsRecvSuccess > -+#endif /* USE_EAPTLS */ > -+ ) { > - dbglog("EAP unexpected success message in state %s (%d)", > - eap_state_name(esp->es_client.ea_state), > - esp->es_client.ea_state); > - return; > - } > - > -+#ifdef USE_EAPTLS > -+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != > -+ eapTlsRecvSuccess) { > -+ dbglog("EAP-TLS unexpected success message in state %s (%d)", > -+ eap_state_name(esp->es_client.ea_state), > -+ esp->es_client.ea_state); > -+ return; > -+ } > -+#endif /* USE_EAPTLS */ > -+ > - if (esp->es_client.ea_timeout > 0) { > 
- UNTIMEOUT(eap_client_timeout, (void *)esp); > - } > -@@ -2150,6 +2568,9 @@ void *arg; > - int code, id, len, rtype, vallen; > - u_char *pstart; > - u_int32_t uval; > -+#ifdef USE_EAPTLS > -+ u_char flags; > -+#endif /* USE_EAPTLS */ > - > - if (inlen < EAP_HEADERLEN) > - return (0); > -@@ -2214,6 +2635,24 @@ void *arg; > - } > - break; > - > -+#ifdef USE_EAPTLS > -+ case EAPT_TLS: > -+ if (len < 1) > -+ break; > -+ GETCHAR(flags, inp); > -+ len--; > -+ > -+ if(flags == 0 && len == 0){ > -+ printer(arg, " Ack"); > -+ break; > -+ } > -+ > -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); > -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); > -+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - case EAPT_SRP: > - if (len < 3) > - goto truncated; > -@@ -2325,6 +2764,25 @@ void *arg; > - } > - break; > - > -+#ifdef USE_EAPTLS > -+ case EAPT_TLS: > -+ if (len < 1) > -+ break; > -+ GETCHAR(flags, inp); > -+ len--; > -+ > -+ if(flags == 0 && len == 0){ > -+ printer(arg, " Ack"); > -+ break; > -+ } > -+ > -+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); > -+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); > -+ printer(arg, flags & EAP_TLS_FLAGS_START ? 
"S":"- "); > -+ > -+ break; > -+#endif /* USE_EAPTLS */ > -+ > - case EAPT_NAK: > - if (len <= 0) { > - printer(arg, " <missing hint>"); > -@@ -2426,3 +2884,4 @@ void *arg; > - > - return (inp - pstart); > - } > -+ > -diff --git a/pppd/eap.h b/pppd/eap.h > -index 199d1849b826..087baad83eed 100644 > ---- a/pppd/eap.h > -+++ b/pppd/eap.h > -@@ -84,6 +84,16 @@ enum eap_state_code { > - eapClosed, /* Authentication not in use */ > - eapListen, /* Client ready (and timer running) */ > - eapIdentify, /* EAP Identify sent */ > -+ eapTlsStart, /* Send EAP-TLS start packet */ > -+ eapTlsRecv, /* Receive EAP-TLS tls data */ > -+ eapTlsSendAck, /* Send EAP-TLS ack */ > -+ eapTlsSend, /* Send EAP-TLS tls data */ > -+ eapTlsRecvAck, /* Receive EAP-TLS ack */ > -+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ > -+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ > -+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ > -+ eapTlsRecvSuccess, /* Receive EAP success */ > -+ eapTlsRecvFailure, /* Receive EAP failure */ > - eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ > - eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ > - eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ > -@@ -95,9 +105,18 @@ enum eap_state_code { > - > - #define EAP_STATES \ > - "Initial", "Pending", "Closed", "Listen", "Identify", \ > -+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ > -+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ > - "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" > - > --#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) > -+#ifdef USE_EAPTLS > -+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\ > -+ (esp)->es_client.ea_state != eapPending &&\ > -+ (esp)->es_client.ea_state != eapClosed) > -+#else > -+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) > -+#endif /* USE_EAPTLS */ > -+ > - #define eap_server_active(esp) \ > - 
((esp)->es_server.ea_state >= eapIdentify && \ > - (esp)->es_server.ea_state <= eapMD5Chall) > -@@ -112,11 +131,17 @@ struct eap_auth { > - u_short ea_namelen; /* Length of our name */ > - u_short ea_peerlen; /* Length of peer's name */ > - enum eap_state_code ea_state; > -+#ifdef USE_EAPTLS > -+ enum eap_state_code ea_prev_state; > -+#endif > - u_char ea_id; /* Current id */ > - u_char ea_requests; /* Number of Requests sent/received */ > - u_char ea_responses; /* Number of Responses */ > - u_char ea_type; /* One of EAPT_* */ > - u_int32_t ea_keyflags; /* SRP shared key usage flags */ > -+#ifdef USE_EAPTLS > -+ bool ea_using_eaptls; > -+#endif > - }; > - > - /* > -@@ -139,7 +164,12 @@ typedef struct eap_state { > - * Timeouts. > - */ > - #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ > -+#ifdef USE_EAPTLS > -+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ > -+ /* certificates can be long ... */ > -+#else > - #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ > -+#endif /* USE_EAPTLS */ > - #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ > - #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ > - > -diff --git a/pppd/md5.c b/pppd/md5.c > -index f1291ce1bd72..6f8f7207c592 100644 > ---- a/pppd/md5.c > -+++ b/pppd/md5.c > -@@ -33,6 +33,8 @@ > - *********************************************************************** > - */ > - > -+#ifndef USE_EAPTLS > -+ > - #include <string.h> > - #include "md5.h" > - > -@@ -305,3 +307,5 @@ UINT4 *in; > - ** End of md5.c ** > - ******************************** (cut) ******************************** > - */ > -+#endif /* USE_EAPTLS */ > -+ > -diff --git a/pppd/md5.h b/pppd/md5.h > -index 71e8b00e2dde..14d712171c5e 100644 > ---- a/pppd/md5.h > -+++ b/pppd/md5.h > -@@ -36,6 +36,7 @@ > - ** documentation and/or software. 
** > - *********************************************************************** > - */ > -+#ifndef USE_EAPTLS > - > - #ifndef __MD5_INCLUDE__ > - > -@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext); > - > - #define __MD5_INCLUDE__ > - #endif /* __MD5_INCLUDE__ */ > -+ > -+#endif /* USE_EAPTLS */ > -diff --git a/pppd/pathnames.h b/pppd/pathnames.h > -index 46972601fc92..72c2f5b191ee 100644 > ---- a/pppd/pathnames.h > -+++ b/pppd/pathnames.h > -@@ -21,6 +21,13 @@ > - #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" > - #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" > - #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" > -+ > -+#ifdef USE_EAPTLS > -+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" > -+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" > -+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" > -+#endif /* USE_EAPTLS */ > -+ > - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" > - #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" > - #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" > -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux > -index 0f9d37d2953b..bc29968d44c9 100644 > ---- a/pppd/plugins/Makefile.linux > -+++ b/pppd/plugins/Makefile.linux > -@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. 
-I../../include -fPIC > - LDFLAGS = $(LDOPTS) > - INSTALL = install > - > -+# EAP-TLS > -+CFLAGS += -DUSE_EAPTLS=1 > -+ > - DESTDIR = $(INSTROOT)@DESTDIR@ > - BINDIR = $(DESTDIR)/sbin > - MANDIR = $(DESTDIR)/share/man/man8 > -diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c > -index babb6dc31bab..6ba73cae2795 100644 > ---- a/pppd/plugins/passprompt.c > -+++ b/pppd/plugins/passprompt.c > -@@ -107,4 +107,7 @@ void plugin_init(void) > - { > - add_options(options); > - pap_passwd_hook = promptpass; > -+#ifdef USE_EAPTLS > -+ eaptls_passwd_hook = promptpass; > -+#endif > - } > -diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c > -index d718f3bdf81d..c3f9793e41a0 100644 > ---- a/pppd/plugins/passwordfd.c > -+++ b/pppd/plugins/passwordfd.c > -@@ -79,4 +79,8 @@ void plugin_init (void) > - > - chap_check_hook = pwfd_check; > - chap_passwd_hook = pwfd_passwd; > -+ > -+#ifdef USE_EAPTLS > -+ eaptls_passwd_hook = pwfd_passwd; > -+#endif > - } > -diff --git a/pppd/pppd.8 b/pppd/pppd.8 > -index 65bbe721f761..8afa2d1186e2 100644 > ---- a/pppd/pppd.8 > -+++ b/pppd/pppd.8 > -@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables > - compression in the corresponding direction. Use \fInobsdcomp\fR or > - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. > - .TP > -+.B ca \fIca-file > -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority > -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection. > -+This option is used on the client-side in conjunction with the \fBcert\fR > -+and \fBkey\fR options. > -+.TP > - .B cdtrcts > - Use a non-standard hardware flow control (i.e. DTR/CTS) to control > - the flow of data on the serial port. If neither the \fIcrtscts\fR, > -@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true > - bi-directional flow control. The sacrifice is that this flow > - control mode does not permit using DTR as a modem control line. 
> - .TP > -+.B cert \fIcertfile > -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM > -+format), needed for setting up an EAP-TLS connection. This option is > -+used on the client-side in conjunction with the \fBca\fR and > -+\fBkey\fR options. > -+.TP > - .B chap\-interval \fIn > - If this option is given, pppd will rechallenge the peer every \fIn\fR > - seconds. > -@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet. The default value is > - 1000 (1 second). This wait period only applies if the \fBconnect\fR > - or \fBpty\fR option is used. > - .TP > -+.B crl \fIfilename > -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List > -+to check for the validity of the peer's certificate. This option is not > -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR > -+option. > -+.TP > -+.B crl-dir \fIdirectory > -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in > -+has format ($hash.r0) to check for the validity of the peer's certificate. > -+This option is not mandatory for setting up an EAP-TLS connection. > -+Also see the \fBcrl\fR option. > -+.TP > - .B debug > - Enables connection debugging facilities. > - If this option is given, pppd will log the contents of all > -@@ -561,6 +585,12 @@ transmitted packets be printed. On most systems, messages printed by > - the kernel are logged by syslog(1) to a file as directed in the > - /etc/syslog.conf configuration file. > - .TP > -+.B key \fIkeyfile > -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM > -+format), needed for setting up an EAP-TLS connection. This option is > -+used on the client-side in conjunction with the \fBca\fR and > -+\fBcert\fR options. > -+.TP > - .B ktune > - Enables pppd to alter kernel settings as appropriate. Under Linux, > - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward > -@@ -724,6 +754,9 @@ name to \fIname\fR.) 
> - Disable Address/Control compression in both directions (send and > - receive). > - .TP > -+.B need-peer-eap > -+(EAP-TLS) Require the peer to verify our authentication credentials. > -+.TP > - .B noauth > - Do not require the peer to authenticate itself. This option is > - privileged. > -diff --git a/pppd/pppd.h b/pppd/pppd.h > -index 567d702181ca..195cbe3c6ffb 100644 > ---- a/pppd/pppd.h > -+++ b/pppd/pppd.h > -@@ -338,6 +338,11 @@ extern bool dump_options; /* print out option values */ > - extern bool dryrun; /* check everything, print options, exit */ > - extern int child_wait; /* # seconds to wait for children at end */ > - > -+#ifdef USE_EAPTLS > -+extern char *crl_dir; > -+extern char *crl_file; > -+#endif /* USE_EAPTLS */ > -+ > - #ifdef MAXOCTETS > - extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ > - extern int maxoctets_dir; /* Direction : > -@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void)); > - extern int (*chap_passwd_hook) __P((char *user, char *passwd)); > - extern void (*multilink_join_hook) __P((void)); > - > -+#ifdef USE_EAPTLS > -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); > -+#endif > -+ > - /* Let a plugin snoop sent and received packets. Useful for L2TP */ > - extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); > - extern void (*snoop_send_hook) __P((unsigned char *p, int len)); > diff --git a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch > deleted file mode 100644 > index bf83278a9915..000000000000 > --- a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch > +++ /dev/null 
> @@ -1,115 +0,0 @@ > -From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com> > -Date: Fri, 6 Apr 2018 14:27:18 +0200 > -Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=UTF-8 > -Content-Transfer-Encoding: 8bit > - > -[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875] > - > -It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped > -libcrypt. The libxcrypt standalone package can be used instead, but > -it dropped the old setkey/encrypt API which ppp uses for DES. There > -is support for using openssl in pppcrypt.c, but it contains typos > -preventing it from compiling and seems to be written for an ancient > -openssl version. > - > -This updates the code to use current openssl. > - > -[paulus@ozlabs.org - wrote the commit description, fixed comment in > - Makefile.linux.] > - > -Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com> > -Signed-off-by: Paul Mackerras <paulus@ozlabs.org> > - > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > - > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > ---- > - pppd/Makefile.linux | 7 ++++--- > - pppd/pppcrypt.c | 18 +++++++++--------- > - 2 files changed, 13 insertions(+), 12 deletions(-) > - > -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index 58a634ce8c3b..cb9d4f9dcf22 100644 > ---- a/pppd/Makefile.linux > -+++ b/pppd/Makefile.linux > -@@ -35,10 +35,10 @@ endif > - COPTS = -O2 -pipe -Wall -g > - LIBS = -lcrypto > - > --# Uncomment the next 2 lines to include support for Microsoft's > -+# Uncomment the next line to include support for Microsoft's > - # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. > - CHAPMS=y > --USE_CRYPT=y > -+#USE_CRYPT=y > - # Don't use MSLANMAN unless you really know what you're doing. > - #MSLANMAN=y > - # Uncomment the next line to include support for MPPE. 
CHAPMS (above) must > -@@ -138,7 +138,8 @@ endif > - > - ifdef NEEDDES > - ifndef USE_CRYPT > --LIBS += -ldes $(LIBS) > -+CFLAGS += -I/usr/include/openssl > -+LIBS += -lcrypto > - else > - CFLAGS += -DUSE_CRYPT=1 > - endif > -diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c > -index 8b85b13276ab..6b35375edc5e 100644 > ---- a/pppd/pppcrypt.c > -+++ b/pppd/pppcrypt.c > -@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */ > - des_key[7] = Get7Bits(key, 49); > - > - #ifndef USE_CRYPT > -- des_set_odd_parity((des_cblock *)des_key); > -+ DES_set_odd_parity((DES_cblock *)des_key); > - #endif > - } > - > -@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */ > - } > - > - #else /* USE_CRYPT */ > --static des_key_schedule key_schedule; > -+static DES_key_schedule key_schedule; > - > - bool > - DesSetkey(key) > - u_char *key; > - { > -- des_cblock des_key; > -+ DES_cblock des_key; > - MakeKey(key, des_key); > -- des_set_key(&des_key, key_schedule); > -+ DES_set_key(&des_key, &key_schedule); > - return (1); > - } > - > - bool > --DesEncrypt(clear, key, cipher) > -+DesEncrypt(clear, cipher) > - u_char *clear; /* IN 8 octets */ > - u_char *cipher; /* OUT 8 octets */ > - { > -- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher, > -- key_schedule, 1); > -+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher, > -+ &key_schedule, 1); > - return (1); > - } > - > -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear) > - u_char *cipher; /* IN 8 octets */ > - u_char *clear; /* OUT 8 octets */ > - { > -- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear, > -- key_schedule, 0); > -+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear, > -+ &key_schedule, 0); > - return (1); > - } > - > diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series > deleted file mode 100644 > index 6aeaf1984704..000000000000 > --- a/patches/ppp-2.4.7/series > +++ /dev/null 
> @@ -1,46 +0,0 @@ > -# generated by git-ptx-patches > -#tag:base --start-number 1 > -0001-abort-on-errors-in-subdir-builds.patch > -0002-scripts-Avoid-killing-wrong-pppd.patch > -0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch > -0004-Suppress-false-error-message-on-PPPoE-disconnect.patch > -0005-Send-PADT-on-PPPoE-disconnect.patch > -0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch > -0007-pppd-Fix-ccp_options.mppe-type.patch > -0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch > -0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch > -0010-plog-count-only-relevant-lines-from-syslog.patch > -0011-Change-include-from-sys-errno.h-to-errno.h.patch > -0012-pppd-allow-use-of-arbitrary-interface-names.patch > -0013-pppd-Remove-unused-declaration-of-ttyname.patch > -0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch > -0015-pppoe-include-netinet-in.h-before-linux-in.h.patch > -0016-adaptive_echos.patch > -0017-Makefiles-cleanup.patch > -0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch > -0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch > -0020-support-building-pppdump-with-the-system-zlib.patch > -0021-disable-unneeded-code-in-the-pppoatm-plugin.patch > -0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch > -0023-pppoe_noads.patch > -0024-make-_PATH_CONNERRS-world-readable.patch > -0025-Correct-unkown-unknown-typo.patch > -0026-pppoe-custom-host-uniq-tag.patch > -0027-Add-replacedefaultroute-option.patch > -0028-ppp-2.3.11-oedod.dif.patch > -0029-add-support-for-the-Framed-MTU-Radius-attribute.patch > -0030-018_ip-up_option.patch > -0031-ppp-2.4.2-stripMSdomain.patch > -0032-export-CALL_FILE-to-the-link-scripts.patch > -0033-ipv6-accept-remote.patch > -0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch > -0035-resolv.conf_no_log.patch > -0036-Debian-specific-changes.patch > -0037-Fix-buffer-overflow-in-rc_mksid.patch > 
-0038-EAP-TLS-authentication-support-for-PPP.patch > -0039-Replace-vendored-hash-functions-with-libcrypto.patch > -0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch > -#tag:ptx --start-number 100 > -0100-pppd-make-makefile-sysroot-aware.patch > -0101-pppd-make-the-self-made-configure-cross-aware.patch > -# b0e349fd34b2aac1a9ba4ffb38f43be0 - git-ptx-patches magic > diff --git a/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch > new file mode 100644 > index 000000000000..c83b64b1c652 > --- /dev/null > +++ b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch > @@ -0,0 +1,28 @@ > +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com> > +Date: Fri, 8 Jan 2021 02:43:46 +0100 > +Subject: [PATCH] configure: Allow commas in the CFLAGS (#220) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +It allows e.g. the following: > +./configure --cflags='-Wp,-D_FORTIFY_SOURCE=2' > + > +Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com> > +--- > + configure | 2 +- > + 1 file changed, 1 insertion(+), 1 deletion(-) > + > +diff --git a/configure b/configure > +index f977663fd8db..b0c3d2b49122 100755 > +--- a/configure > ++++ b/configure > +@@ -123,7 +123,7 @@ mkmkf() { > + echo " $2 <= $1" > + sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \ > + -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \ > +- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2 > ++ -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2 > + fi > + } > + > diff --git a/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch > new file mode 100644 > index 000000000000..33cf002db62b > --- /dev/null > +++ b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch 
> @@ -0,0 +1,55 @@ > +From: pali <7141871+pali@users.noreply.github.com> > +Date: Mon, 15 Feb 2021 07:54:01 +0100 > +Subject: [PATCH] pppd: Fix compilation with older glibc or kernel headers > + (#248) > +MIME-Version: 1.0 > +Content-Type: text/plain; charset=UTF-8 > +Content-Transfer-Encoding: 8bit > + > +glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel > +versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback > +definitions for these macros into pppd/sys-linux.c file. > + > +Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option. > + > +Signed-off-by: Pali Rohár <pali@kernel.org> > +--- > + pppd/sys-linux.c | 18 +++++++++++++++++- > + 1 file changed, 17 insertions(+), 1 deletion(-) > + > +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c > +index 85033d97124f..50c4f2dab403 100644 > +--- a/pppd/sys-linux.c > ++++ b/pppd/sys-linux.c > +@@ -125,6 +125,14 @@ > + #include <linux/netlink.h> > + #include <linux/rtnetlink.h> > + #include <linux/if_addr.h> > ++/* glibc versions prior to 2.24 do not define SOL_NETLINK */ > ++#ifndef SOL_NETLINK > ++#define SOL_NETLINK 270 > ++#endif > ++/* linux kernel versions prior to 4.3 do not define/support NETLINK_CAP_ACK */ > ++#ifndef NETLINK_CAP_ACK > ++#define NETLINK_CAP_ACK 10 > ++#endif > + #endif > + > + #include "pppd.h" > +@@ -2843,7 +2851,15 @@ static int append_peer_ipv6_address(unsigned int iface, struct in6_addr *local_a > + if (fd < 0) > + return 0; > + > +- /* do not ask for error message content */ > ++ /* > ++ * Tell kernel to not send to us payload of acknowledgment error message. > ++ * NETLINK_CAP_ACK option is supported since Linux kernel version 4.3 and > ++ * older kernel versions always send full payload in acknowledgment netlink > ++ * message. We ignore payload of this message as we need only error code, > ++ * to check if our set remote peer address request succeeded or failed. 
> ++ * So ignore return value from the following setsockopt() call as setting > ++ * option NETLINK_CAP_ACK means for us just a kernel hint / optimization. > ++ */ > + one = 1; > + setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &one, sizeof(one)); > + > diff --git a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch > similarity index 63% > rename from patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch > rename to patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch > index ef8265d43686..383be9d60ba5 100644 > --- a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch > +++ b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch > @@ -1,19 +1,25 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:48 +0200 > Subject: [PATCH] support building pppdump with the system zlib > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Forwarded: https://github.com/paulusmack/ppp/pull/189 > +but nacked: "it caused compile failures (on Fedora at least), which > +reminded me that the zlib.c here is not the same as upstream; it has > +extra functions that I added a long time ago." > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > + > +Imported from ppp_2.4.9-1+1.debian.tar.xz > + > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++-- > 1 file changed, 26 insertions(+), 2 deletions(-) > > diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux > -index 65e5c14914fb..87777fab5e94 100644 > +index a94187fa9e29..de7e574d10e1 100644 > --- a/pppdump/Makefile.linux 
> +++ b/pppdump/Makefile.linux > -@@ -2,18 +2,42 @@ DESTDIR = $(INSTROOT)@DESTDIR@ > +@@ -6,15 +6,39 @@ DESTDIR = $(INSTROOT)@DESTDIR@ > BINDIR = $(DESTDIR)/sbin > MANDIR = $(DESTDIR)/share/man/man8 > > @@ -21,10 +27,7 @@ index 65e5c14914fb..87777fab5e94 100644 > +DO_BSD_COMPRESS=y > +HAVE_ZLIB=n > + > - COPTS=-O2 -g > - CFLAGS= $(COPTS) -I../include/net > - LDFLAGS=$(LDOPTS) > - > + CFLAGS = $(COPTS) -I../include/net > -OBJS = pppdump.o bsd-comp.o deflate.o zlib.o > +OBJS = pppdump.o > +LIBS = > @@ -40,14 +43,14 @@ index 65e5c14914fb..87777fab5e94 100644 > +else > +CFLAGS += -DDO_DEFLATE=0 > +endif > -+ > + > +ifdef DO_BSD_COMPRESS > +CFLAGS += -DDO_BSD_COMPRESS=1 > +OBJS += bsd-comp.o > +else > +CFLAGS += -DDO_BSD_COMPRESS=0 > +endif > - > ++ > INSTALL= install > > all: pppdump > diff --git a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch > similarity index 89% > rename from patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch > rename to patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch > index 2fb9c5573458..882c913aa5c9 100644 > --- a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch > +++ b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch > @@ -1,5 +1,5 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:48 +0200 > Subject: [PATCH] disable unneeded code in the pppoatm plugin > > This patch halves the size of the PPPoA plugin by disabling features 
> @@ -13,9 +13,9 @@ plugin with the real libatm. I really doubt anybody cares, anyway. > > > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Imported from ppp_2.4.9-1+1.debian.tar.xz > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > pppd/plugins/pppoatm/Makefile.linux | 4 ++++ > pppd/plugins/pppoatm/pppoatm.c | 4 ++++ > @@ -23,10 +23,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > 3 files changed, 12 insertions(+) > > diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux > -index 002603c6cbef..76d81aced70a 100644 > +index d3a8086b69ea..036b193637df 100644 > --- a/pppd/plugins/pppoatm/Makefile.linux > +++ b/pppd/plugins/pppoatm/Makefile.linux > -@@ -25,9 +25,13 @@ ifdef HAVE_LIBATM > +@@ -26,9 +26,13 @@ ifdef HAVE_LIBATM > LIBS := -latm > else > CFLAGS += -I. > @@ -41,10 +41,10 @@ index 002603c6cbef..76d81aced70a 100644 > #********* > all: $(PLUGIN) > diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c > -index d693350bc473..a7560e9fb0c6 100644 > +index 5a3ecd61b6a2..90d0c9a85d9f 100644 > --- a/pppd/plugins/pppoatm/pppoatm.c > +++ b/pppd/plugins/pppoatm/pppoatm.c > -@@ -142,8 +142,12 @@ static int connect_pppoatm(void) > +@@ -145,8 +145,12 @@ static int connect_pppoatm(void) > qos.txtp.traffic_class = qos.rxtp.traffic_class = ATM_UBR; > /* TODO: support simplified QoS setting */ > if (qosstr != NULL) > diff --git a/patches/ppp-2.4.9/0102-pppoe_noads.patch b/patches/ppp-2.4.9/0102-pppoe_noads.patch > new file mode 100644 > index 000000000000..6629d4194e78 > --- /dev/null > +++ b/patches/ppp-2.4.9/0102-pppoe_noads.patch 
> @@ -0,0 +1,24 @@ > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:48 +0200 > +Subject: [PATCH] pppoe_noads > + > +Imported from ppp_2.4.9-1+1.debian.tar.xz > + > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > +--- > + pppd/plugins/pppoe/plugin.c | 2 -- > + 1 file changed, 2 deletions(-) > + > +diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c > +index de9b8166ce7b..58fbdf95be3f 100644 > +--- a/pppd/plugins/pppoe/plugin.c > ++++ b/pppd/plugins/pppoe/plugin.c > +@@ -412,8 +412,6 @@ plugin_init(void) > + } > + > + add_options(Options); > +- > +- info("PPPoE plugin from pppd %s", VERSION); > + } > + > + void pppoe_check_options(void) > diff --git a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch > similarity index 72% > rename from patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch > rename to patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch > index 8151c3be260b..38eb5b7917db 100644 > --- a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch > +++ b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch 
> @@ -1,10 +1,22 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:49 +0200 > -Subject: [PATCH] ppp-2.3.11-oedod.dif > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:48 +0200 > +Subject: [PATCH] Forwarded: https://github.com/paulusmack/ppp/issues/187 > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Upstream said: > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > +" > +Hmmm, dial-on-demand was never tested with the sync option, and in fact I don't > +know what devices would use that option. > + > +To be accepted, the patch would need a sign-off and a description that > +explained the changes in the patch - in particular, what the large lump of code > +added to demand_rexmit() is doing. > +" > + > + > +Imported from ppp_2.4.9-1+1.debian.tar.xz > + > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++- > pppd/ipcp.c | 2 +- > @@ -13,7 +25,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > 4 files changed, 101 insertions(+), 4 deletions(-) > > diff --git a/pppd/demand.c b/pppd/demand.c > -index 5e57658ea831..3eddf3016d98 100644 > +index 289c9f8fdd57..4c61444d3968 100644 > --- a/pppd/demand.c > +++ b/pppd/demand.c > @@ -36,6 +36,8 @@ > @@ -34,7 +46,7 @@ index 5e57658ea831..3eddf3016d98 100644 > #ifdef PPP_FILTER > #include <pcap-bpf.h> > #endif > -@@ -221,6 +225,14 @@ loop_chars(p, n) > +@@ -218,6 +222,14 @@ loop_chars(unsigned char *p, int n) > int c, rv; > > rv = 0; 
> @@ -49,14 +61,12 @@ index 5e57658ea831..3eddf3016d98 100644 > for (; n > 0; --n) { > c = *p++; > if (c == PPP_FLAG) { > -@@ -299,17 +311,102 @@ loop_frame(frame, len) > +@@ -294,16 +306,101 @@ loop_frame(unsigned char *frame, int len) > * loopback, now that the real serial link is up. > */ > void > --demand_rexmit(proto) > -+demand_rexmit(proto, newip) > - int proto; > -+ u_int32_t newip; > +-demand_rexmit(int proto) > ++demand_rexmit(int proto, u_int32_t newip) > { > struct packet *pkt, *prev, *nextpkt; > + unsigned short checksum; > @@ -69,9 +79,11 @@ index 5e57658ea831..3eddf3016d98 100644 > prev = NULL; > pkt = pend_q; > pend_q = NULL; > ++ > + tv.tv_sec = 1; > + tv.tv_usec = 0; > -+ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Seconds */ > ++ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Second */ > ++ > for (; pkt != NULL; pkt = nextpkt) { > nextpkt = pkt->next; > if (PPP_PROTOCOL(pkt->data) == proto) { > @@ -83,7 +95,6 @@ index 5e57658ea831..3eddf3016d98 100644 > + if (checksum == 0xFFFF) { > + checksum = 0; > + } > -+ > + > + if (pkt->data[13] == 17) { > + pkt_checksum = *((unsigned short *) (pkt->data+10+iphdr)); > @@ -154,10 +165,10 @@ index 5e57658ea831..3eddf3016d98 100644 > free(pkt); > } else { > diff --git a/pppd/ipcp.c b/pppd/ipcp.c > -index c8fe279d4ede..dceca807542a 100644 > +index 302ca40b4c83..3ac26a08032a 100644 > --- a/pppd/ipcp.c > +++ b/pppd/ipcp.c > -@@ -1904,7 +1904,7 @@ ipcp_up(f) > +@@ -1850,7 +1850,7 @@ ipcp_up(fsm *f) > proxy_arp_set[f->unit] = 1; > > } > @@ -167,12 +178,12 @@ index c8fe279d4ede..dceca807542a 100644 > > } else { > diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c > -index 356ff84ead41..c1602f41c206 100644 > +index 431cb62211bf..a32b0002e10d 100644 > --- a/pppd/ipv6cp.c 
> +++ b/pppd/ipv6cp.c > -@@ -1232,7 +1232,7 @@ ipv6cp_up(f) > - } > - > +@@ -1253,7 +1253,7 @@ ipv6cp_up(fsm *f) > + if (sif6defaultroute(f->unit, go->ourid, ho->hisid)) > + default_route_set[f->unit] = 1; > } > - demand_rexmit(PPP_IPV6); > + demand_rexmit(PPP_IPV6,0); > @@ -180,15 +191,15 @@ index 356ff84ead41..c1602f41c206 100644 > > } else { > diff --git a/pppd/pppd.h b/pppd/pppd.h > -index 7495df657fe9..e65106d4c126 100644 > +index 612902f55d0d..10a9977598aa 100644 > --- a/pppd/pppd.h > +++ b/pppd/pppd.h > -@@ -594,7 +594,7 @@ void demand_conf __P((void)); /* config interface(s) for demand-dial */ > - void demand_block __P((void)); /* set all NPs to queue up packets */ > - void demand_unblock __P((void)); /* set all NPs to pass packets */ > - void demand_discard __P((void)); /* set all NPs to discard packets */ > --void demand_rexmit __P((int)); /* retransmit saved frames for an NP */ > -+void demand_rexmit __P((int, u_int32_t)); /* retransmit saved frames for an NP*/ > - int loop_chars __P((unsigned char *, int)); /* process chars from loopback */ > - int loop_frame __P((unsigned char *, int)); /* should we bring link up? */ > +@@ -598,7 +598,7 @@ void demand_conf(void); /* config interface(s) for demand-dial */ > + void demand_block(void); /* set all NPs to queue up packets */ > + void demand_unblock(void); /* set all NPs to pass packets */ > + void demand_discard(void); /* set all NPs to discard packets */ > +-void demand_rexmit(int); /* retransmit saved frames for an NP */ > ++void demand_rexmit(int, u_int32_t); /* retransmit saved frames for an NP */ > + int loop_chars(unsigned char *, int); /* process chars from loopback */ > + int loop_frame(unsigned char *, int); /* should we bring link up? */ 
> > diff --git a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch > similarity index 56% > rename from patches/ppp-2.4.7/0035-resolv.conf_no_log.patch > rename to patches/ppp-2.4.9/0104-resolv.conf_no_log.patch > index aea6b2082c8f..66265aa6cd77 100644 > --- a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch > +++ b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch > @@ -1,19 +1,19 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:48 +0200 > Subject: [PATCH] resolv.conf_no_log > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Imported from ppp_2.4.9-1+1.debian.tar.xz > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > pppd/ipcp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/pppd/ipcp.c b/pppd/ipcp.c > -index d6e0e2a699fe..b81b2fd0a29f 100644 > +index 3ac26a08032a..ce002262bb34 100644 > --- a/pppd/ipcp.c > +++ b/pppd/ipcp.c > -@@ -2152,7 +2152,7 @@ create_resolv(peerdns1, peerdns2) > +@@ -2093,7 +2093,7 @@ create_resolv(u_int32_t peerdns1, u_int32_t peerdns2) > > f = fopen(_PATH_RESOLV, "w"); > if (f == NULL) { > diff --git a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch > similarity index 62% > rename from patches/ppp-2.4.7/0036-Debian-specific-changes.patch > rename to patches/ppp-2.4.9/0105-Debian-specific-changes.patch > index 9576af1187d6..86bba35f9ecc 100644 > --- a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch > +++ b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch 
> @@ -1,23 +1,27 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:49 +0200 > Subject: [PATCH] Debian-specific changes. > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Imported from ppp_2.4.9-1+1.debian.tar.xz > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > - pppd/Makefile.linux | 6 ++---- > + pppd/Makefile.linux | 6 +++--- > pppd/pathnames.h | 2 +- > pppd/pppd.h | 2 +- > pppdump/Makefile.linux | 4 ++-- > - 4 files changed, 6 insertions(+), 8 deletions(-) > + 4 files changed, 7 insertions(+), 7 deletions(-) > > diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index 16b3ee879791..5549145e5791 100644 > +index 22837c50415e..bbb476827cea 100644 > --- a/pppd/Makefile.linux > +++ b/pppd/Makefile.linux > -@@ -61,14 +61,14 @@ HAVE_MULTILINK=y > - USE_TDB=y > +@@ -64,17 +64,17 @@ USE_TDB=y > + # Uncomment the next line to enable Type=notify services in systemd > + # If enabled, and the user sets the up_sdnotify option, then > + # pppd will not detach and will notify systemd when up. > +-#SYSTEMD=y > ++SYSTEMD=y > > HAS_SHADOW=y > -#USE_PAM=y > @@ -33,23 +37,11 @@ index 16b3ee879791..5549145e5791 100644 > > # Enable EAP SRP-SHA1 authentication (requires libsrp) > #USE_SRP=y > -@@ -178,11 +178,9 @@ LIBS += -ldl > - endif > - > - ifdef FILTER > --ifneq ($(wildcard /usr/include/pcap-bpf.h),) > - LIBS += -lpcap > - CFLAGS += -DPPP_FILTER > - endif > --endif > - > - ifdef HAVE_INET6 > - PPPDSRCS += ipv6cp.c eui64.c > diff --git a/pppd/pathnames.h b/pppd/pathnames.h > -index a33f0466c9d6..46972601fc92 100644 > +index 524d608ce12c..2df61354f40e 100644 > --- a/pppd/pathnames.h 
> +++ b/pppd/pathnames.h > -@@ -28,7 +28,7 @@ > +@@ -33,7 +33,7 @@ > #define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up" > #define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down" > #define _PATH_TTYOPT _ROOT_PATH "/etc/ppp/options." > @@ -59,10 +51,10 @@ index a33f0466c9d6..46972601fc92 100644 > #define _PATH_RESOLV _ROOT_PATH "/etc/ppp/resolv.conf" > > diff --git a/pppd/pppd.h b/pppd/pppd.h > -index b11670586244..567d702181ca 100644 > +index 10a9977598aa..a14483b76acc 100644 > --- a/pppd/pppd.h > +++ b/pppd/pppd.h > -@@ -870,7 +870,7 @@ extern void (*snoop_send_hook) __P((unsigned char *p, int len)); > +@@ -879,7 +879,7 @@ extern void (*snoop_send_hook)(unsigned char *p, int len); > || defined(DEBUGCHAP) || defined(DEBUG) || defined(DEBUGIPV6CP) > #define LOG_PPP LOG_LOCAL2 > #else > @@ -72,10 +64,10 @@ index b11670586244..567d702181ca 100644 > #endif /* LOG_PPP */ > > diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux > -index 87777fab5e94..1eeeafe20111 100644 > +index de7e574d10e1..04b1c10b34c7 100644 > --- a/pppdump/Makefile.linux > +++ b/pppdump/Makefile.linux > -@@ -2,9 +2,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@ > +@@ -6,9 +6,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@ > BINDIR = $(DESTDIR)/sbin > MANDIR = $(DESTDIR)/share/man/man8 > > @@ -85,5 +77,5 @@ index 87777fab5e94..1eeeafe20111 100644 > -HAVE_ZLIB=n > +HAVE_ZLIB=y > > - COPTS=-O2 -g > - CFLAGS= $(COPTS) -I../include/net > + CFLAGS = $(COPTS) -I../include/net > + OBJS = pppdump.o > diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch > similarity index 92% > rename from patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch > rename to patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch > index a08af544a385..8597cf9a512b 100644 > --- a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch 
> +++ b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch > @@ -1,5 +1,5 @@ > -From: Michael Olbrich <m.olbrich@pengutronix.de> > -Date: Sat, 28 Sep 2019 08:11:50 +0200 > +From: Alexander Dahl <ada@thorsis.com> > +Date: Wed, 16 Jun 2021 18:22:49 +0200 > Subject: [PATCH] Replace vendored hash functions with libcrypto > > Bug-Debian: https://bugs.debian.org/826625 > @@ -14,24 +14,24 @@ preferable both due to the patch being slightly less invasive and also because > of our use of the EAP-TLS patch which requires OpenSSL. > > > -Imported from ppp_2.4.7-2+4.1.debian.tar.xz > +Imported from ppp_2.4.9-1+1.debian.tar.xz > > -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > +Signed-off-by: Alexander Dahl <ada@thorsis.com> > --- > - pppd/Makefile.linux | 25 ++-- > + pppd/Makefile.linux | 28 +--- > pppd/chap-md5.c | 2 +- > pppd/chap_ms.c | 40 ++---- > - pppd/eap.c | 2 +- > - pppd/md4.c | 299 ----------------------------------------- > - pppd/md4.h | 64 --------- > - pppd/md5.c | 311 ------------------------------------------- > - pppd/md5.h | 68 ---------- > + pppd/eap.c | 3 +- > + pppd/md4.c | 290 ----------------------------------------- > + pppd/md4.h | 55 -------- > + pppd/md5.c | 299 ------------------------------------------- > + pppd/md5.h | 65 ---------- > pppd/plugins/radius/md5.c | 2 +- > pppd/plugins/radius/radius.c | 2 +- > pppd/plugins/winbind.c | 2 +- > - pppd/sha1.c | 170 ----------------------- > + pppd/sha1.c | 171 ------------------------- > pppd/sha1.h | 31 ----- > - 13 files changed, 28 insertions(+), 990 deletions(-) > + 13 files changed, 27 insertions(+), 963 deletions(-) > delete mode 100644 pppd/md4.c > delete mode 100644 pppd/md4.h > delete mode 100644 pppd/md5.c > @@ -40,10 +40,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > delete mode 100644 pppd/sha1.h 
> > diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index 4a11d5fea748..58a634ce8c3b 100644 > +index bbb476827cea..bc01e3fd2a24 100644 > --- a/pppd/Makefile.linux > +++ b/pppd/Makefile.linux > -@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include > +@@ -15,16 +15,16 @@ INCDIR = $(DESTDIR)/include > > TARGETS = pppd > > @@ -64,16 +64,16 @@ index 4a11d5fea748..58a634ce8c3b 100644 > ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \ > eap.o chap-md5.o session.o > > -@@ -33,7 +33,7 @@ endif > - # CC = gcc > - # > - COPTS = -O2 -pipe -Wall -g > --LIBS = > -+LIBS = -lcrypto > +@@ -34,7 +34,7 @@ ifeq (.depend,$(wildcard .depend)) > + include .depend > + endif > + > +-LIBS = -lrt > ++LIBS = -lrt -lcrypto > > - # Uncomment the next 2 lines to include support for Microsoft's > + # Uncomment the next line to include support for Microsoft's > # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux. > -@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS) > +@@ -98,8 +98,8 @@ CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"' > ifdef CHAPMS > CFLAGS += -DCHAPMS=1 > NEEDDES=y > @@ -84,12 +84,11 @@ index 4a11d5fea748..58a634ce8c3b 100644 > ifdef MSLANMAN > CFLAGS += -DMSLANMAN=1 > endif > -@@ -104,25 +104,18 @@ endif > - # EAP SRP-SHA1 > +@@ -113,26 +113,17 @@ endif > ifdef USE_SRP > CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include > --LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto > -+LIBS += -lsrp -L/usr/local/ssl/lib > + LIBS += -lsrp -L/usr/local/ssl/lib > +-NEEDCRYPTOLIB = y > TARGETS += srp-entry > EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry > MANPAGES += srp-entry.8 
> @@ -106,27 +105,50 @@ index 4a11d5fea748..58a634ce8c3b 100644 > > # EAP-TLS > ifdef USE_EAPTLS > - CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include > --LIBS += -lssl -lcrypto > -+LIBS += -lssl > + CFLAGS += -DUSE_EAPTLS=1 > + LIBS += -lssl > +-NEEDCRYPTOLIB = y > PPPDSRC += eap-tls.c > HEADERS += eap-tls.h > PPPDOBJS += eap-tls.o > +@@ -156,7 +147,6 @@ endif > + ifdef NEEDDES > + ifndef USE_CRYPT > + CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl > +-NEEDCRYPTOLIB = y > + else > + CFLAGS += -DUSE_CRYPT=1 > + endif > +@@ -164,10 +154,6 @@ PPPDOBJS += pppcrypt.o > + HEADERS += pppcrypt.h > + endif > + > +-ifdef NEEDCRYPTOLIB > +-LIBS += -lcrypto > +-endif > +- > + # For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/. > + ifdef USE_PAM > + CFLAGS += -DUSE_PAM > diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c > -index 269b52cb2041..7f7967a56842 100644 > +index 77dd4ecc7059..d86564aa865a 100644 > --- a/pppd/chap-md5.c > +++ b/pppd/chap-md5.c > -@@ -39,7 +39,7 @@ > - #ifdef USE_EAPTLS > - #include "eap-tls.h" > - #else > --#include "md5.h" > +@@ -32,11 +32,11 @@ > + > + #include <stdlib.h> > + #include <string.h> > +#include <openssl/md5.h> > - #endif /* USE_EAPTLS */ > + #include "pppd.h" > + #include "chap-new.h" > + #include "chap-md5.h" > + #include "magic.h" > +-#include "md5.h" > > #define MD5_HASH_SIZE 16 > + #define MD5_MIN_CHALLENGE 16 > diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c > -index c2bd00f9c6f7..19edb85d27a8 100644 > +index e6b84f203fc3..64848f20f660 100644 > --- a/pppd/chap_ms.c > +++ b/pppd/chap_ms.c > @@ -89,8 +89,8 @@ > @@ -140,7 +162,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > #include "pppcrypt.h" > #include "magic.h" > > -@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, > +@@ -536,8 +536,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge, > char *username, u_char Challenge[8]) > > { 
> @@ -151,7 +173,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > char *user; > > /* remove domain from "domain\username" */ > -@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[]) > +@@ -575,23 +575,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[]) > static void > NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE]) > { > @@ -178,7 +200,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > > } > > -@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], > +@@ -672,8 +660,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], > 0x6E }; > > int i; > @@ -189,7 +211,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > u_char Challenge[8]; > > SHA1_Init(&sha1Context); > -@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain > +@@ -726,8 +714,8 @@ GenerateAuthenticatorResponsePlain > void > mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE]) > { > @@ -200,7 +222,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > > SHA1_Init(&sha1Context); > SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE); > -@@ -769,9 +757,9 @@ void > +@@ -770,9 +758,9 @@ void > mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE], > u_char NTResponse[24], int IsServer) > { > @@ -214,24 +236,27 @@ index c2bd00f9c6f7..19edb85d27a8 100644 > u_char SHApad1[40] = > { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, > diff --git a/pppd/eap.c b/pppd/eap.c > -index 032407c3dbb2..35d111015ff3 100644 > +index 79146557bd32..d987888d9f20 100644 > --- a/pppd/eap.c > +++ b/pppd/eap.c > -@@ -71,7 +71,7 @@ > - #ifdef USE_EAPTLS > - #include "eap-tls.h" > - #else > --#include "md5.h" > +@@ -59,9 +59,10 @@ > + #include <assert.h> > + #include <errno.h> > + > +#include <openssl/md5.h> > - #endif /* USE_EAPTLS */ > ++ > + #include "pppd.h" > + #include "pathnames.h" > +-#include "md5.h" > + #include "eap.h" > > - #ifdef USE_SRP > + #ifdef CHAPMS 
> diff --git a/pppd/md4.c b/pppd/md4.c > deleted file mode 100644 > -index d943e8885f2d..000000000000 > +index 42a9b2e75d6e..000000000000 > --- a/pppd/md4.c > +++ /dev/null > -@@ -1,299 +0,0 @@ > +@@ -1,290 +0,0 @@ > -/* > -** ******************************************************************** > -** md4.c -- Implementation of MD4 Message Digest Algorithm ** > @@ -321,8 +346,7 @@ index d943e8885f2d..000000000000 > -** This is a user-callable routine. > -*/ > -void > --MD4Print(MDp) > --MD4_CTX *MDp; > +-MD4Print(MD4_CTX *MDp) > -{ > - int i,j; > - for (i=0;i<4;i++) > @@ -335,8 +359,7 @@ index d943e8885f2d..000000000000 > -** This is a user-callable routine. > -*/ > -void > --MD4Init(MDp) > --MD4_CTX *MDp; > +-MD4Init(MD4_CTX *MDp) > -{ > - int i; > - MDp->buffer[0] = I0; > @@ -354,9 +377,7 @@ index d943e8885f2d..000000000000 > -** This routine is not user-callable. > -*/ > -static void > --MDblock(MDp,Xb) > --MD4_CTX *MDp; > --unsigned char *Xb; > +-MDblock(MD4_CTX *MDp, unsigned char *Xb) > -{ > - register unsigned int tmp, A, B, C, D; > - unsigned int X[16]; > @@ -440,10 +461,7 @@ index d943e8885f2d..000000000000 > -** if desired. > -*/ > -void > --MD4Update(MDp,X,count) > --MD4_CTX *MDp; > --unsigned char *X; > --unsigned int count; > +-MD4Update(MD4_CTX *MDp, unsigned char *X, unsigned int count) > -{ > - unsigned int i, tmp, bit, byte, mask; > - unsigned char XX[64]; > @@ -511,9 +529,7 @@ index d943e8885f2d..000000000000 > -** Finish up MD4 computation and return message digest. > -*/ > -void > --MD4Final(buf, MD) > --unsigned char *buf; > --MD4_CTX *MD; > +-MD4Final(unsigned char *buf, MD4_CTX *MD) > -{ > - int i, j; > - unsigned int w; > @@ -533,10 +549,10 @@ index d943e8885f2d..000000000000 > -****************************(cut)***********************************/ > diff --git a/pppd/md4.h b/pppd/md4.h > deleted file mode 100644 > -index 80e8f9a2acca..000000000000 > +index b6fc3f561faa..000000000000 
> --- a/pppd/md4.h > +++ /dev/null > -@@ -1,64 +0,0 @@ > +@@ -1,55 +0,0 @@ > - > -/* > -** ******************************************************************** > @@ -547,15 +563,6 @@ index 80e8f9a2acca..000000000000 > -** ******************************************************************** > -*/ > - > --#ifndef __P > --# if defined(__STDC__) || defined(__GNUC__) > --# define __P(x) x > --# else > --# define __P(x) () > --# endif > --#endif > -- > -- > -/* MDstruct is the data structure for a message digest computation. > -*/ > -typedef struct { > @@ -568,7 +575,7 @@ index 80e8f9a2acca..000000000000 > -** Initialize the MD4_CTX prepatory to doing a message digest > -** computation. > -*/ > --extern void MD4Init __P((MD4_CTX *MD)); > +-extern void MD4Init(MD4_CTX *MD); > - > -/* MD4Update(MD,X,count) > -** Input: X -- a pointer to an array of unsigned characters. > @@ -582,7 +589,7 @@ index 80e8f9a2acca..000000000000 > -** every MD computation should end with one call to MD4Update with a > -** count less than 512. Zero is OK for a count. > -*/ > --extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count)); > +-extern void MD4Update(MD4_CTX *MD, unsigned char *X, unsigned int count); > - > -/* MD4Print(MD) > -** Prints message digest buffer MD as 32 hexadecimal digits. > @@ -590,23 +597,23 @@ index 80e8f9a2acca..000000000000 > -** of buffer[3]. > -** Each byte is printed with high-order hexadecimal digit first. > -*/ > --extern void MD4Print __P((MD4_CTX *)); > +-extern void MD4Print(MD4_CTX *); > - > -/* MD4Final(buf, MD) > -** Returns message digest from MD and terminates the message > -** digest computation. > -*/ > --extern void MD4Final __P((unsigned char *, MD4_CTX *)); > +-extern void MD4Final(unsigned char *, MD4_CTX *); > - > -/* > -** End of md4.h > -****************************(cut)***********************************/ 
> diff --git a/pppd/md5.c b/pppd/md5.c > deleted file mode 100644 > -index 6f8f7207c592..000000000000 > +index f7988e64141a..000000000000 > --- a/pppd/md5.c > +++ /dev/null > -@@ -1,311 +0,0 @@ > +@@ -1,299 +0,0 @@ > - > - > -/* > @@ -642,8 +649,6 @@ index 6f8f7207c592..000000000000 > - *********************************************************************** > - */ > - > --#ifndef USE_EAPTLS > -- > -#include <string.h> > -#include "md5.h" > - > @@ -713,8 +718,7 @@ index 6f8f7207c592..000000000000 > -/* The routine MD5_Init initializes the message-digest context > - mdContext. All fields are set to zero. > - */ > --void MD5_Init (mdContext) > --MD5_CTX *mdContext; > +-void MD5_Init (MD5_CTX *mdContext) > -{ > - mdContext->i[0] = mdContext->i[1] = (UINT4)0; > - > @@ -730,10 +734,7 @@ index 6f8f7207c592..000000000000 > - account for the presence of each of the characters inBuf[0..inLen-1] > - in the message whose digest is being computed. > - */ > --void MD5_Update (mdContext, inBuf, inLen) > --MD5_CTX *mdContext; > --unsigned char *inBuf; > --unsigned int inLen; > +-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen) > -{ > - UINT4 in[16]; > - int mdi; > @@ -768,9 +769,7 @@ index 6f8f7207c592..000000000000 > -/* The routine MD5Final terminates the message-digest computation and > - ends with the desired message digest in mdContext->digest[0...15]. > - */ > --void MD5_Final (hash, mdContext) > --unsigned char hash[]; > --MD5_CTX *mdContext; > +-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext) > -{ > - UINT4 in[16]; > - int mdi; > @@ -811,9 +810,7 @@ index 6f8f7207c592..000000000000 > - > -/* Basic MD5 step. Transforms buf based on in. > - */ > --static void Transform (buf, in) > --UINT4 *buf; > --UINT4 *in; > +-static void Transform (UINT4 *buf, UINT4 *in) > -{ > - UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3]; > - 
> @@ -916,14 +913,12 @@ index 6f8f7207c592..000000000000 > - ** End of md5.c ** > - ******************************** (cut) ******************************** > - */ > --#endif /* USE_EAPTLS */ > -- > diff --git a/pppd/md5.h b/pppd/md5.h > deleted file mode 100644 > -index 14d712171c5e..000000000000 > +index 71e8b00e2dde..000000000000 > --- a/pppd/md5.h > +++ /dev/null > -@@ -1,68 +0,0 @@ > +@@ -1,65 +0,0 @@ > -/* > - *********************************************************************** > - ** md5.h -- header file for implementation of MD5 ** > @@ -962,7 +957,6 @@ index 14d712171c5e..000000000000 > - ** documentation and/or software. ** > - *********************************************************************** > - */ > --#ifndef USE_EAPTLS > - > -#ifndef __MD5_INCLUDE__ > - > @@ -990,8 +984,6 @@ index 14d712171c5e..000000000000 > - > -#define __MD5_INCLUDE__ > -#endif /* __MD5_INCLUDE__ */ > -- > --#endif /* USE_EAPTLS */ > diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c > index 8af03aa3713e..90d9b025d211 100644 > --- a/pppd/plugins/radius/md5.c > @@ -1006,7 +998,7 @@ index 8af03aa3713e..90d9b025d211 100644 > void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen) > { > diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c > -index 06e00590b635..60282d9b2b9c 100644 > +index c5798316719a..d5d63698a6dc 100644 > --- a/pppd/plugins/radius/radius.c > +++ b/pppd/plugins/radius/radius.c > @@ -31,7 +31,7 @@ static char const RCSID[] = > @@ -1019,7 +1011,7 @@ index 06e00590b635..60282d9b2b9c 100644 > #endif > #include "radiusclient.h" > diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c > -index bb05acd87dce..5f87a317b677 100644 > +index 0c395c34711a..6320645ac994 100644 > --- a/pppd/plugins/winbind.c > +++ b/pppd/plugins/winbind.c > @@ -38,7 +38,7 @@ > @@ -1033,10 +1025,10 @@ index bb05acd87dce..5f87a317b677 100644 > #include "ipcp.h" 
> diff --git a/pppd/sha1.c b/pppd/sha1.c > deleted file mode 100644 > -index f4f975cf516f..000000000000 > +index 4e51cee506c2..000000000000 > --- a/pppd/sha1.c > +++ /dev/null > -@@ -1,170 +0,0 @@ > +@@ -1,171 +0,0 @@ > -/* > - * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c > - * > @@ -1056,6 +1048,7 @@ index f4f975cf516f..000000000000 > -/* #define SHA1HANDSOFF * Copies data before messing with it. */ > - > -#include <string.h> > +-#include <time.h> > -#include <netinet/in.h> /* htonl() */ > -#include <net/ppp_defs.h> > -#include "sha1.h" > diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch > similarity index 63% > rename from patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch > rename to patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch > index c205b15ed9aa..11020e0cce5a 100644 > --- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch > +++ b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch > @@ -13,14 +13,14 @@ Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de> > Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> > Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de> > --- > - pppd/Makefile.linux | 10 ++++------ > - 1 file changed, 4 insertions(+), 6 deletions(-) > + pppd/Makefile.linux | 6 +++--- > + 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux > -index cb9d4f9dcf22..ea0a7f02766b 100644 > +index bc01e3fd2a24..9b0119463c1f 100644 > --- a/pppd/Makefile.linux > +++ b/pppd/Makefile.linux > -@@ -103,8 +103,8 @@ endif > +@@ -111,8 +111,8 @@ endif > > # EAP SRP-SHA1 > ifdef USE_SRP 
> @@ -31,32 +31,12 @@ index cb9d4f9dcf22..ea0a7f02766b 100644 > TARGETS += srp-entry > EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry > MANPAGES += srp-entry.8 > -@@ -114,7 +114,7 @@ endif > - > - # EAP-TLS > - ifdef USE_EAPTLS > --CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include > -+CFLAGS += -DUSE_EAPTLS=1 > - LIBS += -lssl > - PPPDSRC += eap-tls.c > - HEADERS += eap-tls.h > -@@ -126,10 +126,8 @@ CFLAGS += -DHAS_SHADOW > - #LIBS += -lshadow $(LIBS) > - endif > - > --ifneq ($(wildcard /usr/include/crypt.h),) > - CFLAGS += -DHAVE_CRYPT_H=1 > - LIBS += -lcrypt > --endif > - > - ifdef USE_LIBUTIL > - CFLAGS += -DHAVE_LOGWTMP=1 > -@@ -138,7 +136,7 @@ endif > +@@ -146,7 +146,7 @@ endif > > ifdef NEEDDES > ifndef USE_CRYPT > --CFLAGS += -I/usr/include/openssl > +-CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl > +CFLAGS += -I$(SYSROOT)/usr/include/openssl > - LIBS += -lcrypto > else > CFLAGS += -DUSE_CRYPT=1 > + endif > diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch > similarity index 87% > rename from patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch > rename to patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch > index f57361a4c639..590cf3ae43cc 100644 > --- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch > +++ b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch > @@ -11,11 +11,11 @@ Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de> > 2 files changed, 11 insertions(+), 1 deletion(-) > > diff --git a/configure b/configure > -index 6a55e0f08be4..3886564fa495 100755 > +index b0c3d2b49122..4bc6a18fad32 100755 > --- a/configure > +++ b/configure > -@@ -14,6 +14,16 @@ SYSCONF=/etc > - # fi > +@@ -15,6 +15,16 @@ release=`uname -r` > + arch=`uname -m` > state="unknown" > > +if [ -n $TARGET_OS ]; then 
> @@ -32,10 +32,10 @@ index 6a55e0f08be4..3886564fa495 100755 > Linux) > makext="linux"; > diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux > -index bc29968d44c9..e010ad215981 100644 > +index 6403e3d477e3..375be764e19a 100644 > --- a/pppd/plugins/Makefile.linux > +++ b/pppd/plugins/Makefile.linux > -@@ -47,5 +47,5 @@ clean: > +@@ -49,5 +49,5 @@ clean: > for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done > > depend: > diff --git a/patches/ppp-2.4.9/series b/patches/ppp-2.4.9/series > new file mode 100644 > index 000000000000..4028f0892992 > --- /dev/null > +++ b/patches/ppp-2.4.9/series > @@ -0,0 +1,17 @@ > +# generated by git-ptx-patches > +#tag:base --start-number 1 > +#tag:upstream --start-number 1 > +0001-configure-Allow-commas-in-the-CFLAGS-220.patch > +0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch > +#tag:debian --start-number 100 > +0100-support-building-pppdump-with-the-system-zlib.patch > +0101-disable-unneeded-code-in-the-pppoatm-plugin.patch > +0102-pppoe_noads.patch > +0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch > +0104-resolv.conf_no_log.patch > +0105-Debian-specific-changes.patch > +0106-Replace-vendored-hash-functions-with-libcrypto.patch > +#tag:ptx --start-number 200 > +0200-pppd-make-makefile-sysroot-aware.patch > +0201-pppd-make-the-self-made-configure-cross-aware.patch > +# 9c9016a8956cf8c0dc84ee8dbe803cf3 - git-ptx-patches magic > diff --git a/rules/ppp.make b/rules/ppp.make > index 8bfb88b55904..932910c98b02 100644 > --- a/rules/ppp.make > +++ b/rules/ppp.make > @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_PPP) += ppp > # > # Paths and names > # > -PPP_VERSION := 2.4.7 > -PPP_MD5 := 78818f40e6d33a1d1de68a1551f6595a > +PPP_VERSION := 2.4.9 > +PPP_MD5 := c88153ae3d16ae114152cd3c15c7301d > PPP := ppp-$(PPP_VERSION) > PPP_SUFFIX := tar.gz > PPP_URL := http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX) 
> @@ -55,7 +55,7 @@ PPP_SHARED_INST_PATH := /usr/lib/pppd/$(PPP_VERSION) > $(STATEDIR)/ppp.prepare: > @$(call targetinfo) > @cd $(PPP_DIR) && $(PPP_PATH) $(PPP_CONF_ENV) \ > - ./configure --prefix=/usr --sysconfdir=/etc > + ./configure --prefix=/usr --sysconfdir=/etc --cc=$(CROSS_CC) > > @$(call disable_sh,$(PPP_DIR)/pppd/Makefile,USE_PAM=y) > _______________________________________________ ptxdist mailing list ptxdist@pengutronix.de To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de
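Review bot: in the `configure` hunk carried by 0201-pppd-make-the-self-made-configure-cross-aware.patch, the added test `if [ -n $TARGET_OS ]; then` leaves `$TARGET_OS` unquoted. With the variable unset or empty the test collapses to `[ -n ]`, which evaluates true, so the cross branch is taken on every build, including a native one. Since this patch is being rebased onto 2.4.9 anyway, quote the expansion: `if [ -n "$TARGET_OS" ]; then`.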
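Review bot: in the `ifdef NEEDDES` hunk of 0200-pppd-make-makefile-sysroot-aware.patch, the line `CFLAGS += -I$(SYSROOT)/usr/include/openssl` replaces upstream's `-I$(shell $(CC) --print-sysroot)/usr/include/openssl`, which already asks the compiler for its sysroot. If `SYSROOT` is empty in the build environment, the new line expands to `-I/usr/include/openssl` and the host's OpenSSL headers are picked up in a cross build. With `--cc=$(CROSS_CC)` now passed to `./configure` in rules/ppp.make, consider dropping this part of the patch and keeping the upstream form, or confirm that `SYSROOT` is always set where this Makefile runs.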
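Review bot: in the pppd/Makefile.linux hunks of 0106-Replace-vendored-hash-functions-with-libcrypto.patch, `LIBS = -lrt -lcrypto` turns libcrypto into an unconditional link dependency, where upstream 2.4.9 added `-lcrypto` only under `ifdef NEEDCRYPTOLIB`. Together with the deletion of pppd/md4.c, pppd/md5.c and pppd/sha1.c, every pppd configuration now needs OpenSSL in the sysroot, including ones built without `CHAPMS`, `USE_SRP` or `USE_EAPTLS`. Please make sure the ppp package's dependency on OpenSSL is unconditional as well, and mention the new hard dependency in the commit message so it is not a surprise for minimal images.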
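Review bot: in the rules/ppp.make version hunk, the new tarball is pinned only by `PPP_MD5 := c88153ae3d16ae114152cd3c15c7301d`, and the unchanged `PPP_URL := http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX)` still fetches it over plain HTTP, so the authenticity of the source rests on MD5 alone. While touching these lines, switch the URL to `https://` if the server offers it, and state in the commit message how the new checksum was obtained (for example, checked against an upstream signature or a second independent download).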
end of thread, other threads:[~2021-06-29 5:13 UTC | newest]

Thread overview: 11+ messages
2021-06-23 7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
2021-06-23 7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
2021-06-29 5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23 7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl
2021-06-29 5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23 7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl
2021-06-29 5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23 7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl
2021-06-29 5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23 7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl
2021-06-29 5:09   ` [ptxdist] [APPLIED] " Michael Olbrich