mailarchive of the ptxdist mailing list
 help / color / mirror / Atom feed
* [ptxdist] [PATCH v3 0/5] mobile broadband software version bump
@ 2021-06-23  7:33 Alexander Dahl
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
                   ` (4 more replies)
  0 siblings, 5 replies; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

Hello everyone,

I just want to get out v3 of this series before end of the week. I had
a question on networkmanager build option "polkit_agent_helper_1", which
got no answer, maybe just answer on the reworked patch now?

Sorry for including people in Cc which provided those ppp patches to
debian, I messed up in v2, will be more careful in the future.

Greets
Alex

v2 -> v3
--------
- networkmanager: adapted meson build options based on (my own) feedback
  in v2
- networkmanager: added patch 4/5 to enable 'more_logging' option

RFC -> v2
---------
- added patches 1–3 for libqmi, modemmanager, and networkmanager
- reworked patch 4 according to feedback from RFC/v1 series

Greets
Alex

Alexander Dahl (5):
  libqmi: version bump 1.28.2 -> 1.28.6
  modemmanager: version bump 1.16.2 -> 1.16.6
  networkmanager: version bump 1.26.2 -> 1.30.4
  networkmanager: Make "more logging" optional
  ppp: version bump 2.4.7 -> 2.4.9

 ...dev-don-t-use-autoptr-in-GUdev-types.patch |  127 -
 patches/ModemManager-1.16.2/series            |    4 -
 patches/NetworkManager-1.26.2/series          |    1 -
 ...d-generate_docs_nm_settings_nmcli-on.patch |   19 +-
 patches/NetworkManager-1.30.4/series          |    4 +
 ...001-abort-on-errors-in-subdir-builds.patch |   48 -
 ...002-scripts-Avoid-killing-wrong-pppd.patch |   29 -
 ...tension-when-displaying-bytes-in-oct.patch |   30 -
 ...se-error-message-on-PPPoE-disconnect.patch |   33 -
 .../0005-Send-PADT-on-PPPoE-disconnect.patch  |   36 -
 ...nt-buffer-overrun-on-remote-router-n.patch |   30 -
 .../0007-pppd-Fix-ccp_options.mppe-type.patch |   30 -
 ...en-calculated-size-if-both-deflate_c.patch |   33 -
 ...in-comment.-Diff-from-Yuuichi-Someya.patch |   24 -
 ...ount-only-relevant-lines-from-syslog.patch |   24 -
 ...-include-from-sys-errno.h-to-errno.h.patch |   33 -
 ...low-use-of-arbitrary-interface-names.patch |  214 --
 ...Remove-unused-declaration-of-ttyname.patch |   25 -
 ...or-implementation-in-pppoe-discovery.patch |   52 -
 ...clude-netinet-in.h-before-linux-in.h.patch |   49 -
 patches/ppp-2.4.7/0016-adaptive_echos.patch   |   72 -
 .../ppp-2.4.7/0017-Makefiles-cleanup.patch    |  296 --
 ...does-not-properly-close-dev-ppp-on-p.patch |   44 -
 ...inkpidfile-is-not-created-upon-detac.patch |   48 -
 ...smetic-cleanup-of-the-pppoatm-plugin.patch |   90 -
 patches/ppp-2.4.7/0023-pppoe_noads.patch      |   25 -
 ...4-make-_PATH_CONNERRS-world-readable.patch |   27 -
 .../0025-Correct-unkown-unknown-typo.patch    |   46 -
 .../0026-pppoe-custom-host-uniq-tag.patch     |  302 --
 .../0027-Add-replacedefaultroute-option.patch |  324 --
 ...-for-the-Framed-MTU-Radius-attribute.patch |   42 -
 patches/ppp-2.4.7/0030-018_ip-up_option.patch |  106 -
 .../0031-ppp-2.4.2-stripMSdomain.patch        |   47 -
 ...export-CALL_FILE-to-the-link-scripts.patch |   38 -
 .../ppp-2.4.7/0033-ipv6-accept-remote.patch   |   73 -
 ...buffer-overflow-in-clientid.c-rc_map.patch |   43 -
 ...0037-Fix-buffer-overflow-in-rc_mksid.patch |   36 -
 ...P-TLS-authentication-support-for-PPP.patch | 3383 -----------------
 ...-for-the-DES-instead-of-the-libcrypt.patch |  115 -
 patches/ppp-2.4.7/series                      |   46 -
 ...igure-Allow-commas-in-the-CFLAGS-220.patch |   28 +
 ...tion-with-older-glibc-or-kernel-head.patch |   55 +
 ...ilding-pppdump-with-the-system-zlib.patch} |   27 +-
 ...unneeded-code-in-the-pppoatm-plugin.patch} |   16 +-
 patches/ppp-2.4.9/0102-pppoe_noads.patch      |   24 +
 ...ithub.com-paulusmack-ppp-issues-187.patch} |   69 +-
 .../0104-resolv.conf_no_log.patch}            |   12 +-
 .../0105-Debian-specific-changes.patch}       |   50 +-
 ...dored-hash-functions-with-libcrypto.patch} |  209 +-
 ...00-pppd-make-makefile-sysroot-aware.patch} |   34 +-
 ...the-self-made-configure-cross-aware.patch} |   10 +-
 patches/ppp-2.4.9/series                      |   17 +
 rules/libqmi.make                             |    4 +-
 rules/modemmanager.make                       |    4 +-
 rules/networkmanager.in                       |    6 +
 rules/networkmanager.make                     |    9 +-
 rules/ppp.make                                |    6 +-
 57 files changed, 357 insertions(+), 6271 deletions(-)
 delete mode 100644 patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
 delete mode 100644 patches/ModemManager-1.16.2/series
 delete mode 100644 patches/NetworkManager-1.26.2/series
 rename patches/{NetworkManager-1.26.2 => NetworkManager-1.30.4}/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch (67%)
 create mode 100644 patches/NetworkManager-1.30.4/series
 delete mode 100644 patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
 delete mode 100644 patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
 delete mode 100644 patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
 delete mode 100644 patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
 delete mode 100644 patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
 delete mode 100644 patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
 delete mode 100644 patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
 delete mode 100644 patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
 delete mode 100644 patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
 delete mode 100644 patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
 delete mode 100644 patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
 delete mode 100644 patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
 delete mode 100644 patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
 delete mode 100644 patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
 delete mode 100644 patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
 delete mode 100644 patches/ppp-2.4.7/0016-adaptive_echos.patch
 delete mode 100644 patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
 delete mode 100644 patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
 delete mode 100644 patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
 delete mode 100644 patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
 delete mode 100644 patches/ppp-2.4.7/0023-pppoe_noads.patch
 delete mode 100644 patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
 delete mode 100644 patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
 delete mode 100644 patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
 delete mode 100644 patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
 delete mode 100644 patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
 delete mode 100644 patches/ppp-2.4.7/0030-018_ip-up_option.patch
 delete mode 100644 patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
 delete mode 100644 patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
 delete mode 100644 patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
 delete mode 100644 patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
 delete mode 100644 patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
 delete mode 100644 patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
 delete mode 100644 patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
 delete mode 100644 patches/ppp-2.4.7/series
 create mode 100644 patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
 create mode 100644 patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
 rename patches/{ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch => ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch} (63%)
 rename patches/{ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch => ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch} (89%)
 create mode 100644 patches/ppp-2.4.9/0102-pppoe_noads.patch
 rename patches/{ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch => ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch} (72%)
 rename patches/{ppp-2.4.7/0035-resolv.conf_no_log.patch => ppp-2.4.9/0104-resolv.conf_no_log.patch} (56%)
 rename patches/{ppp-2.4.7/0036-Debian-specific-changes.patch => ppp-2.4.9/0105-Debian-specific-changes.patch} (62%)
 rename patches/{ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch => ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch} (92%)
 rename patches/{ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch => ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch} (63%)
 rename patches/{ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch => ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch} (87%)
 create mode 100644 patches/ppp-2.4.9/series


base-commit: e1f0f2abd3116fdcb5e3e3211321aef801e959ff
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

^ permalink raw reply	[flat|nested] 11+ messages in thread

* [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6
  2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
@ 2021-06-23  7:33 ` Alexander Dahl
  2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

Requirement for upcoming ModemManager version bump.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/libqmi.make | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rules/libqmi.make b/rules/libqmi.make
index d2d31ce18..5835f3fb1 100644
--- a/rules/libqmi.make
+++ b/rules/libqmi.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBQMI) += libqmi
 #
 # Paths and names
 #
-LIBQMI_VERSION	:= 1.28.2
-LIBQMI_MD5	:= 825d7226e001cb2616e85d8a1e2a410f
+LIBQMI_VERSION	:= 1.28.6
+LIBQMI_MD5	:= 4361ff7eed22f9cd696b812947cd8813
 LIBQMI		:= libqmi-$(LIBQMI_VERSION)
 LIBQMI_SUFFIX	:= tar.xz
 LIBQMI_URL	:= http://www.freedesktop.org/software/libqmi/$(LIBQMI).$(LIBQMI_SUFFIX)
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6
  2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
@ 2021-06-23  7:33 ` Alexander Dahl
  2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

Patch gone upstream.

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 ...dev-don-t-use-autoptr-in-GUdev-types.patch | 127 ------------------
 patches/ModemManager-1.16.2/series            |   4 -
 rules/modemmanager.make                       |   4 +-
 3 files changed, 2 insertions(+), 133 deletions(-)
 delete mode 100644 patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
 delete mode 100644 patches/ModemManager-1.16.2/series

diff --git a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch b/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
deleted file mode 100644
index 511b1693f..000000000
--- a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From: Aleksander Morgado <aleksander@aleksander.es>
-Date: Tue, 23 Mar 2021 15:36:58 +0100
-Subject: [PATCH] kerneldevice,udev: don't use autoptr in GUdev types
-
-The autoptr support in all GUdev types was introduced in
-commit 272533131c6ed38479a88805, included in libgudev 232.
-
-In the MM 1.16 branch we depend on libgudev 147, so avoid
-implicitly bumping the required version.
-
-Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/349
----
- src/kerneldevice/mm-kernel-device-udev.c | 30 +++++++++++++++++++++---------
- 1 file changed, 21 insertions(+), 9 deletions(-)
-
-diff --git a/src/kerneldevice/mm-kernel-device-udev.c b/src/kerneldevice/mm-kernel-device-udev.c
-index f75104bd6b1c..a6bf1a71df88 100644
---- a/src/kerneldevice/mm-kernel-device-udev.c
-+++ b/src/kerneldevice/mm-kernel-device-udev.c
-@@ -81,7 +81,7 @@ static void
- preload_contents_platform (MMKernelDeviceUdev *self,
-                            const gchar        *platform)
- {
--    g_autoptr(GUdevDevice) iter = NULL;
-+    GUdevDevice *iter;
- 
-     iter = g_object_ref (self->priv->device);
-     while (iter) {
-@@ -102,17 +102,19 @@ preload_contents_platform (MMKernelDeviceUdev *self,
-         g_clear_object (&iter);
-         iter = parent;
-     }
-+
-+    g_clear_object (&iter);
- }
- 
- static void
- preload_contents_pcmcia (MMKernelDeviceUdev *self)
- {
--    g_autoptr(GUdevDevice) iter = NULL;
--    gboolean               pcmcia_subsystem_found = FALSE;
-+    GUdevDevice *iter;
-+    gboolean     pcmcia_subsystem_found = FALSE;
- 
-     iter = g_object_ref (self->priv->device);
-     while (iter) {
--        g_autoptr(GUdevDevice) parent = NULL;
-+        GUdevDevice *parent;
- 
-         /* Store the first driver found */
-         if (!self->priv->driver)
-@@ -133,18 +135,21 @@ preload_contents_pcmcia (MMKernelDeviceUdev *self)
-             self->priv->product = udev_device_get_sysfs_attr_as_hex (iter, "card_id");
-             self->priv->physdev = g_object_ref (iter);
-             /* stop traversing as soon as the physical device is found */
-+            g_clear_object (&parent);
-             break;
-         }
- 
-         g_clear_object (&iter);
--        iter = g_steal_pointer (&parent);
-+        iter = parent;
-     }
-+
-+    g_clear_object (&iter);
- }
- 
- static void
- preload_contents_pci (MMKernelDeviceUdev *self)
- {
--    g_autoptr(GUdevDevice) iter = NULL;
-+    GUdevDevice *iter;
- 
-     iter = g_object_ref (self->priv->device);
-     while (iter) {
-@@ -170,12 +175,14 @@ preload_contents_pci (MMKernelDeviceUdev *self)
-         g_clear_object (&iter);
-         iter = parent;
-     }
-+
-+    g_clear_object (&iter);
- }
- 
- static void
- preload_contents_usb (MMKernelDeviceUdev *self)
- {
--    g_autoptr(GUdevDevice) iter = NULL;
-+    GUdevDevice *iter;
- 
-     iter = g_object_ref (self->priv->device);
-     while (iter) {
-@@ -204,12 +211,14 @@ preload_contents_usb (MMKernelDeviceUdev *self)
-         g_clear_object (&iter);
-         iter = parent;
-     }
-+
-+    g_clear_object (&iter);
- }
- 
- static gchar *
- find_device_bus_subsystem (MMKernelDeviceUdev *self)
- {
--    g_autoptr(GUdevDevice) iter = NULL;
-+    GUdevDevice *iter;
- 
-     iter = g_object_ref (self->priv->device);
-     while (iter) {
-@@ -224,8 +233,10 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self)
-             (g_strcmp0 (subsys, "pci") == 0)      ||
-             (g_strcmp0 (subsys, "platform") == 0) ||
-             (g_strcmp0 (subsys, "pnp") == 0)      ||
--            (g_strcmp0 (subsys, "sdio") == 0))
-+            (g_strcmp0 (subsys, "sdio") == 0)) {
-+            g_clear_object (&iter);
-             return g_strdup (subsys);
-+        }
- 
-         parent = g_udev_device_get_parent (iter);
-         g_clear_object (&iter);
-@@ -233,6 +244,7 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self)
-     }
- 
-     /* no more parents to check */
-+    g_clear_object (&iter);
-     return NULL;
- }
- 
diff --git a/patches/ModemManager-1.16.2/series b/patches/ModemManager-1.16.2/series
deleted file mode 100644
index 073ee95c5..000000000
--- a/patches/ModemManager-1.16.2/series
+++ /dev/null
@@ -1,4 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
-# 7ee4df7afdcd7083fe59386d7e47c795  - git-ptx-patches magic
diff --git a/rules/modemmanager.make b/rules/modemmanager.make
index 18191583c..43d8e607e 100644
--- a/rules/modemmanager.make
+++ b/rules/modemmanager.make
@@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_MODEMMANAGER) += modemmanager
 #
 # Paths and names
 #
-MODEMMANAGER_VERSION	:= 1.16.2
-MODEMMANAGER_MD5	:= 83c5fc0bf65b8f321532b61b5f2b0b51
+MODEMMANAGER_VERSION	:= 1.16.6
+MODEMMANAGER_MD5	:= bde995400758db3a98c886608c2d5d9d
 MODEMMANAGER		:= ModemManager-$(MODEMMANAGER_VERSION)
 MODEMMANAGER_SUFFIX	:= tar.xz
 MODEMMANAGER_URL	:= https://www.freedesktop.org/software/ModemManager/$(MODEMMANAGER).$(MODEMMANAGER_SUFFIX)
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4
  2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl
@ 2021-06-23  7:33 ` Alexander Dahl
  2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    v2 -> v3
    --------
    - Updated meson build options

 patches/NetworkManager-1.26.2/series          |  1 -
 ...d-generate_docs_nm_settings_nmcli-on.patch | 19 +++++++++----------
 patches/NetworkManager-1.30.4/series          |  4 ++++
 rules/networkmanager.make                     |  7 +++----
 4 files changed, 16 insertions(+), 15 deletions(-)
 delete mode 100644 patches/NetworkManager-1.26.2/series
 rename patches/{NetworkManager-1.26.2 => NetworkManager-1.30.4}/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch (67%)
 create mode 100644 patches/NetworkManager-1.30.4/series

diff --git a/patches/NetworkManager-1.26.2/series b/patches/NetworkManager-1.26.2/series
deleted file mode 100644
index b04ab9c47..000000000
--- a/patches/NetworkManager-1.26.2/series
+++ /dev/null
@@ -1 +0,0 @@
-0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
diff --git a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
similarity index 67%
rename from patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
rename to patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
index db3c29643..ebc2816df 100644
--- a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
+++ b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
@@ -1,4 +1,3 @@
-From 5ddd262c1042ef2cd748b3b2a724d2e15f89b9fb Mon Sep 17 00:00:00 2001
 From: Robert Schwebel <r.schwebel@pengutronix.de>
 Date: Sat, 25 Jul 2020 18:14:35 +0200
 Subject: [PATCH] clients/cli: build generate_docs_nm_settings_nmcli only if
@@ -10,10 +9,10 @@ Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
  1 file changed, 5 insertions(+)
 
 diff --git a/clients/cli/meson.build b/clients/cli/meson.build
-index 517deffa6..2dada71f5 100644
+index f8e6a8236d4e..af57eedabfb9 100644
 --- a/clients/cli/meson.build
 +++ b/clients/cli/meson.build
-@@ -35,6 +35,9 @@ executable(
+@@ -37,6 +37,9 @@ executable(
  
  endif
  
@@ -23,12 +22,12 @@ index 517deffa6..2dada71f5 100644
  generate_docs_nm_settings_nmcli = executable(
    'generate-docs-nm-settings-nmcli',
    files(
-@@ -56,3 +59,5 @@ generate_docs_nm_settings_nmcli_xml = custom_target(
-   command: [ generate_docs_nm_settings_nmcli ],
-   capture: true,
+@@ -54,6 +57,8 @@ generate_docs_nm_settings_nmcli = executable(
+   link_depends: linker_script_binary,
  )
-+
+ 
 +endif
--- 
-2.27.0
-
++
+ if enable_docs
+   generate_docs_nm_settings_nmcli_xml = custom_target(
+     'generate-docs-nm-settings-nmcli.xml',
diff --git a/patches/NetworkManager-1.30.4/series b/patches/NetworkManager-1.30.4/series
new file mode 100644
index 000000000..24a953ec8
--- /dev/null
+++ b/patches/NetworkManager-1.30.4/series
@@ -0,0 +1,4 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
+# c940234bc49ce84559747d716a7955c5  - git-ptx-patches magic
diff --git a/rules/networkmanager.make b/rules/networkmanager.make
index e2502b3f0..c39179f5b 100644
--- a/rules/networkmanager.make
+++ b/rules/networkmanager.make
@@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_NETWORKMANAGER) += networkmanager
 #
 # Paths and names
 #
-NETWORKMANAGER_VERSION	:= 1.26.2
-NETWORKMANAGER_MD5	:= ad5332a7fe5d00db7c75b722337be62b
+NETWORKMANAGER_VERSION	:= 1.30.4
+NETWORKMANAGER_MD5	:= 8ce53a38356864832f7f10ad46fcde27
 NETWORKMANAGER		:= NetworkManager-$(NETWORKMANAGER_VERSION)
 NETWORKMANAGER_SUFFIX	:= tar.xz
 NETWORKMANAGER_URL	:= $(call ptx/mirror, GNOME, NetworkManager/$(basename $(NETWORKMANAGER_VERSION))/$(NETWORKMANAGER).$(NETWORKMANAGER_SUFFIX))
@@ -57,7 +57,6 @@ NETWORKMANAGER_CONF_OPT = \
 	-Dintrospection=false \
 	-Diptables=/usr/sbin/iptables \
 	-Diwd=false \
-	-Djson_validation=false \
 	-Dkernel_firmware_dir=/lib/firmware \
 	-Dld_gc=true \
 	-Dlibaudit=no \
@@ -73,7 +72,7 @@ NETWORKMANAGER_CONF_OPT = \
 	-Dofono=false \
 	-Dovs=false \
 	-Dpolkit=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_POLKIT) \
-	-Dpolkit_agent=false \
+	-Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1 \
 	-Dppp=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_PPP) \
 	-Dpppd=/usr/sbin/pppd \
 	-Dpppd_plugin_dir=$(PPP_SHARED_INST_PATH) \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional
  2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
                   ` (2 preceding siblings ...)
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl
@ 2021-06-23  7:33 ` Alexander Dahl
  2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

With build option "more_logging" set to false, it's not possible to
enable loglevel "debug" in /etc/NetworkManager/NetworkManager.conf

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
 rules/networkmanager.in   | 6 ++++++
 rules/networkmanager.make | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/rules/networkmanager.in b/rules/networkmanager.in
index 6c68d40cc..dae60a0c8 100644
--- a/rules/networkmanager.in
+++ b/rules/networkmanager.in
@@ -104,6 +104,12 @@ config NETWORKMANAGER_POLKIT
 	bool
 	prompt "polkit support"
 
+config NETWORKMANAGER_MORE_LOGGING
+	bool
+	prompt "more logging"
+	help
+	  Allows debug log level in NetworkManager.conf
+
 endif
 
 menu "networkmanager plugins        "
diff --git a/rules/networkmanager.make b/rules/networkmanager.make
index c39179f5b..022ed7178 100644
--- a/rules/networkmanager.make
+++ b/rules/networkmanager.make
@@ -64,7 +64,7 @@ NETWORKMANAGER_CONF_OPT = \
 	-Dmodem_manager=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_WWAN) \
 	-Dmodify_system=false \
 	-Dmore_asserts=no \
-	-Dmore_logging=false \
+	-Dmore_logging=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_MORE_LOGGING) \
 	-Dnetconfig=false \
 	-Dnm_cloud_setup=false \
 	-Dnmcli=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_NMCLI) \
-- 
2.30.2


_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9
  2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
                   ` (3 preceding siblings ...)
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl
@ 2021-06-23  7:33 ` Alexander Dahl
  2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
  4 siblings, 1 reply; 11+ messages in thread
From: Alexander Dahl @ 2021-06-23  7:33 UTC (permalink / raw)
  To: ptxdist

- imported two post 2.4.9 upstream patches
- imported Debian patches from package ppp (2.4.9-1+1)
- adapted ptx patches

Signed-off-by: Alexander Dahl <ada@thorsis.com>
---

Notes:
    RFC -> v2
    ---------
    - Used 'apply-debian' script to rework debian patch series
    
    Link: https://lore.ptxdist.org/ptxdist/20210616115355.GL839947@pengutronix.de/2-apply-debian

 ...001-abort-on-errors-in-subdir-builds.patch |   48 -
 ...002-scripts-Avoid-killing-wrong-pppd.patch |   29 -
 ...tension-when-displaying-bytes-in-oct.patch |   30 -
 ...se-error-message-on-PPPoE-disconnect.patch |   33 -
 .../0005-Send-PADT-on-PPPoE-disconnect.patch  |   36 -
 ...nt-buffer-overrun-on-remote-router-n.patch |   30 -
 .../0007-pppd-Fix-ccp_options.mppe-type.patch |   30 -
 ...en-calculated-size-if-both-deflate_c.patch |   33 -
 ...in-comment.-Diff-from-Yuuichi-Someya.patch |   24 -
 ...ount-only-relevant-lines-from-syslog.patch |   24 -
 ...-include-from-sys-errno.h-to-errno.h.patch |   33 -
 ...low-use-of-arbitrary-interface-names.patch |  214 --
 ...Remove-unused-declaration-of-ttyname.patch |   25 -
 ...or-implementation-in-pppoe-discovery.patch |   52 -
 ...clude-netinet-in.h-before-linux-in.h.patch |   49 -
 patches/ppp-2.4.7/0016-adaptive_echos.patch   |   72 -
 .../ppp-2.4.7/0017-Makefiles-cleanup.patch    |  296 --
 ...does-not-properly-close-dev-ppp-on-p.patch |   44 -
 ...inkpidfile-is-not-created-upon-detac.patch |   48 -
 ...smetic-cleanup-of-the-pppoatm-plugin.patch |   90 -
 patches/ppp-2.4.7/0023-pppoe_noads.patch      |   25 -
 ...4-make-_PATH_CONNERRS-world-readable.patch |   27 -
 .../0025-Correct-unkown-unknown-typo.patch    |   46 -
 .../0026-pppoe-custom-host-uniq-tag.patch     |  302 --
 .../0027-Add-replacedefaultroute-option.patch |  324 --
 ...-for-the-Framed-MTU-Radius-attribute.patch |   42 -
 patches/ppp-2.4.7/0030-018_ip-up_option.patch |  106 -
 .../0031-ppp-2.4.2-stripMSdomain.patch        |   47 -
 ...export-CALL_FILE-to-the-link-scripts.patch |   38 -
 .../ppp-2.4.7/0033-ipv6-accept-remote.patch   |   73 -
 ...buffer-overflow-in-clientid.c-rc_map.patch |   43 -
 ...0037-Fix-buffer-overflow-in-rc_mksid.patch |   36 -
 ...P-TLS-authentication-support-for-PPP.patch | 3383 -----------------
 ...-for-the-DES-instead-of-the-libcrypt.patch |  115 -
 patches/ppp-2.4.7/series                      |   46 -
 ...igure-Allow-commas-in-the-CFLAGS-220.patch |   28 +
 ...tion-with-older-glibc-or-kernel-head.patch |   55 +
 ...ilding-pppdump-with-the-system-zlib.patch} |   27 +-
 ...unneeded-code-in-the-pppoatm-plugin.patch} |   16 +-
 patches/ppp-2.4.9/0102-pppoe_noads.patch      |   24 +
 ...ithub.com-paulusmack-ppp-issues-187.patch} |   69 +-
 .../0104-resolv.conf_no_log.patch}            |   12 +-
 .../0105-Debian-specific-changes.patch}       |   50 +-
 ...dored-hash-functions-with-libcrypto.patch} |  209 +-
 ...00-pppd-make-makefile-sysroot-aware.patch} |   34 +-
 ...the-self-made-configure-cross-aware.patch} |   10 +-
 patches/ppp-2.4.9/series                      |   17 +
 rules/ppp.make                                |    6 +-
 48 files changed, 330 insertions(+), 6120 deletions(-)
 delete mode 100644 patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
 delete mode 100644 patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
 delete mode 100644 patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
 delete mode 100644 patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
 delete mode 100644 patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
 delete mode 100644 patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
 delete mode 100644 patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
 delete mode 100644 patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
 delete mode 100644 patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
 delete mode 100644 patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
 delete mode 100644 patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
 delete mode 100644 patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
 delete mode 100644 patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
 delete mode 100644 patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
 delete mode 100644 patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
 delete mode 100644 patches/ppp-2.4.7/0016-adaptive_echos.patch
 delete mode 100644 patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
 delete mode 100644 patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
 delete mode 100644 patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
 delete mode 100644 patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
 delete mode 100644 patches/ppp-2.4.7/0023-pppoe_noads.patch
 delete mode 100644 patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
 delete mode 100644 patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
 delete mode 100644 patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
 delete mode 100644 patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
 delete mode 100644 patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
 delete mode 100644 patches/ppp-2.4.7/0030-018_ip-up_option.patch
 delete mode 100644 patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
 delete mode 100644 patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
 delete mode 100644 patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
 delete mode 100644 patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
 delete mode 100644 patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
 delete mode 100644 patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
 delete mode 100644 patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
 delete mode 100644 patches/ppp-2.4.7/series
 create mode 100644 patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
 create mode 100644 patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
 rename patches/{ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch => ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch} (63%)
 rename patches/{ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch => ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch} (89%)
 create mode 100644 patches/ppp-2.4.9/0102-pppoe_noads.patch
 rename patches/{ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch => ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch} (72%)
 rename patches/{ppp-2.4.7/0035-resolv.conf_no_log.patch => ppp-2.4.9/0104-resolv.conf_no_log.patch} (56%)
 rename patches/{ppp-2.4.7/0036-Debian-specific-changes.patch => ppp-2.4.9/0105-Debian-specific-changes.patch} (62%)
 rename patches/{ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch => ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch} (92%)
 rename patches/{ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch => ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch} (63%)
 rename patches/{ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch => ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch} (87%)
 create mode 100644 patches/ppp-2.4.9/series

diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
deleted file mode 100644
index c6a76ce65..000000000
--- a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Martin von Gagern <Martin.vGagern@gmx.net>
-Date: Sat, 9 Aug 2014 22:44:45 -0400
-Subject: [PATCH] abort on errors in subdir builds
-
-The current recursive loops do not check the exit status of make
-in subdirs which leads to `make` passing even when a subdir failed
-to compile or install.
-
-URL: https://bugs.gentoo.org/334727
-Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/Makefile.linux | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index ab8cf50d9472..8a90e393a057 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -27,7 +27,7 @@ include .depend
- endif
- 
- all:	$(PLUGINS)
--	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
-+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
- 
- %.so: %.c
- 	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
-@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
- install: $(PLUGINS)
- 	$(INSTALL) -d $(LIBDIR)
- 	$(INSTALL) $? $(LIBDIR)
--	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done
-+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done
- 
- clean:
- 	rm -f *.o *.so *.a
--	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done
-+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
- 
- depend:
- 	$(CPP) -M $(CFLAGS) *.c >.depend
--	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done
-+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done
diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
deleted file mode 100644
index dc24c228e..000000000
--- a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: radaiming <radaiming@gmail.com>
-Date: Sat, 13 Dec 2014 14:42:34 +0800
-Subject: [PATCH] scripts: Avoid killing wrong pppd
-
- poff could kill other pppd processes when there are many pppd
- running on different serial port.
-
- Signed-off-by: Ming Dai <radaiming@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- scripts/poff | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/poff b/scripts/poff
-index 3f55a7f40010..5b45d98a2b6a 100644
---- a/scripts/poff
-+++ b/scripts/poff
-@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then
- fi
- 
- # There is an argument, so kill the pppd started on that provider.
--PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'`
-+PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'`
- if test -n "$PID" ; then
-     $KILL -$SIG $PID || {
-         echo "$0: $KILL failed.  None ${DONE}."
diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
deleted file mode 100644
index 2bd23b921..000000000
--- a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
-Date: Fri, 19 Dec 2014 17:52:58 -0700
-Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal
-
-print_string() displays characters as \\%.03o but without first
-casting it from "char" to "unsigned char" so it gets sign-extended
-to an int. This causes output like \37777777630 instead of \230.
-
-Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/utils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/utils.c b/pppd/utils.c
-index 29bf970905d5..3ac1b60926d2 100644
---- a/pppd/utils.c
-+++ b/pppd/utils.c
-@@ -625,7 +625,7 @@ print_string(p, len, printer, arg)
- 		printer(arg, "\\t");
- 		break;
- 	    default:
--		printer(arg, "\\%.3o", c);
-+		printer(arg, "\\%.3o", (unsigned char) c);
- 	    }
- 	}
-     }
diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
deleted file mode 100644
index 6d4bd5c10..000000000
--- a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Simon Farnsworth <simon@farnz.org.uk>
-Date: Sun, 1 Mar 2015 11:49:06 +0000
-Subject: [PATCH] Suppress false error message on PPPoE disconnect
-
-Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered
-disconnect will result in EALREADY when pppd tries to clear the session ID.
-
-Simply ignore the error if, and only if, the error is EALREADY
-
-[1] https://patchwork.ozlabs.org/patch/444717/
-
-Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index a8c2bb4f4a6a..da50cdf2b9d3 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void)
-     memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ);
-     memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN);
-     if (connect(conn->sessionSocket, (struct sockaddr *) &sp,
--		sizeof(struct sockaddr_pppox)) < 0)
-+		sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
- 	error("Failed to disconnect PPPoE socket: %d %m", errno);
-     close(conn->sessionSocket);
-     /* don't send PADT?? */
diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
deleted file mode 100644
index 28efdfc71..000000000
--- a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Simon Farnsworth <simon@farnz.org.uk>
-Date: Sun, 1 Mar 2015 11:53:58 +0000
-Subject: [PATCH] Send PADT on PPPoE disconnect
-
-Once we've terminated the PPP session, there is no chance of a PPP layer
-disconnect. Some PPPoE relays don't detect the PPP session going down, and
-depend on a long timeout or a PPPoE PADT to terminate the session.
-
-Send a PADT on disconnect to work around these buggy relays.
-
-Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index da50cdf2b9d3..c89be94250bc 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void)
- 		sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
- 	error("Failed to disconnect PPPoE socket: %d %m", errno);
-     close(conn->sessionSocket);
--    /* don't send PADT?? */
--    if (conn->discoverySocket >= 0)
-+    if (conn->discoverySocket >= 0) {
-+        sendPADT(conn, NULL);
- 	close(conn->discoverySocket);
-+    }
- }
- 
- static void
diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
deleted file mode 100644
index 7d98127c2..000000000
--- a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Paul Mackerras <paulus@samba.org>
-Date: Fri, 14 Aug 2015 17:56:26 +1000
-Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name
-
-This fixes an if condition to prevent a possible 1-byte overrun
-on ipxcp_hisoptions[0].name.
-
-Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipxcp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c
-index 7b2343e15537..aaff10f76200 100644
---- a/pppd/ipxcp.c
-+++ b/pppd/ipxcp.c
-@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree)
- 	case IPX_ROUTER_NAME:
- 	    if (cilen >= CILEN_NAME) {
- 		int name_size = cilen - CILEN_NAME;
--		if (name_size > sizeof (ho->name))
-+		if (name_size >= sizeof (ho->name))
- 		    name_size = sizeof (ho->name) - 1;
- 		memset (ho->name, 0, sizeof (ho->name));
- 		memcpy (ho->name, p, name_size);
diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
deleted file mode 100644
index 475edae24..000000000
--- a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Sylvain Rochet <gradator@gradator.net>
-Date: Wed, 25 Mar 2015 00:25:18 +0100
-Subject: [PATCH] pppd: Fix ccp_options.mppe type
-
-This corrects the type of ccp_options.mppe; it is actually a bitfield of
-MPPE_OPT_* and not a boolean.
-
-Signed-off-by: Sylvain Rochet <gradator@gradator.net>
-Signed-off-by: Paul Mackerras <paulus@samba.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ccp.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/ccp.h b/pppd/ccp.h
-index 6f4a2fee0a2c..76446db007c0 100644
---- a/pppd/ccp.h
-+++ b/pppd/ccp.h
-@@ -37,7 +37,7 @@ typedef struct ccp_options {
-     bool predictor_2;		/* do Predictor-2? */
-     bool deflate_correct;	/* use correct code for deflate? */
-     bool deflate_draft;		/* use draft RFC code for deflate? */
--    bool mppe;			/* do MPPE? */
-+    u_char mppe;		/* MPPE bitfield */
-     u_short bsd_bits;		/* # bits/code for BSD Compress */
-     u_short deflate_size;	/* lg(window size) for Deflate */
-     short method;		/* code for chosen compression method */
diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
deleted file mode 100644
index d73b4de32..000000000
--- a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Sylvain Rochet <gradator@gradator.net>
-Date: Tue, 24 Mar 2015 21:21:40 +0100
-Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct
- and deflate_draft are enabled
-
-This fixes a bug where ccp_cilen() will return 4 bytes less than
-necessary for the addci buffer if both deflate_correct and
-deflate_draft are enabled.
-
-Signed-off-by: Sylvain Rochet <gradator@gradator.net>
-Signed-off-by: Paul Mackerras <paulus@samba.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ccp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/pppd/ccp.c b/pppd/ccp.c
-index 5814f358eb44..7d7922afcfc0 100644
---- a/pppd/ccp.c
-+++ b/pppd/ccp.c
-@@ -676,7 +676,8 @@ ccp_cilen(f)
-     ccp_options *go = &ccp_gotoptions[f->unit];
- 
-     return (go->bsd_compress? CILEN_BSD_COMPRESS: 0)
--	+ (go->deflate? CILEN_DEFLATE: 0)
-+	+ (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0)
-+	+ (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0)
- 	+ (go->predictor_1? CILEN_PREDICTOR_1: 0)
- 	+ (go->predictor_2? CILEN_PREDICTOR_2: 0)
- 	+ (go->mppe? CILEN_MPPE: 0);
diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
deleted file mode 100644
index 39af8cf33..000000000
--- a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: YASUOKA Masahiko <yasuoka@yasuoka.net>
-Date: Wed, 16 Mar 2016 13:39:19 +0900
-Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya.
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/fsm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/fsm.c b/pppd/fsm.c
-index c200cc3a8438..e9bd34f0e8f4 100644
---- a/pppd/fsm.c
-+++ b/pppd/fsm.c
-@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len)
- 	f->nakloops = 0;
- 
-     } else {
--	/* we sent CONFACK or CONFREJ */
-+	/* we sent CONFNAK or CONFREJ */
- 	if (f->state != ACKRCVD)
- 	    f->state = REQSENT;
- 	if( code == CONFNAK )
diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
deleted file mode 100644
index c9d56cdbb..000000000
--- a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Dmitry Deshevoy <mityada@gmail.com>
-Date: Thu, 31 Mar 2016 23:39:32 +0400
-Subject: [PATCH] plog: count only relevant lines from syslog
-
-Closes paulusmack/ppp#42
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- scripts/plog | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/plog b/scripts/plog
-index 84d2c7340cc6..7cb53346413d 100644
---- a/scripts/plog
-+++ b/scripts/plog
-@@ -3,5 +3,5 @@
- if [ -s /var/log/ppp.log ]; then
-   exec tail "$@" /var/log/ppp.log
- else
--  exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\['
-+  exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@"
- fi
diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
deleted file mode 100644
index ed313eeaa..000000000
--- a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Stefan Nickl <Stefan.Nickl@gmail.com>
-Date: Wed, 10 Aug 2016 21:32:21 +0200
-Subject: [PATCH] Change include from sys/errno.h to errno.h
-
-According to POSIX, the canonical location for errno.h is on the top level.
-
-Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/sys-linux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index e5e9baf8821f..908aa4f22297 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -73,12 +73,12 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/time.h>
--#include <sys/errno.h>
- #include <sys/file.h>
- #include <sys/stat.h>
- #include <sys/utsname.h>
- #include <sys/sysmacros.h>
- 
-+#include <errno.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <syslog.h>
diff --git a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
deleted file mode 100644
index 26d56de1d..000000000
--- a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From: Paul Mackerras <paulus@samba.org>
-Date: Tue, 23 Aug 2016 16:10:21 +1000
-Subject: [PATCH] pppd: allow use of arbitrary interface names
-
-This is a modified version of a patch from openSUSE that enables PPP interfaces
-to be called arbitrary names, rather than simply pppX where X is the unit
-number.
-
-The modifications from the stock openSUSE patch are:
-  refresh patch on top of 018_ip up_option.diff
-- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
-- clarify the pppd.8 manpage additions
-- patch pppstats/pppstats.c to query renamed interfaces without complaint
-
-Origin: SUSE
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c         | 16 ++++++----------
- pppd/options.c      |  5 +++++
- pppd/pppd.8         |  8 +++++++-
- pppd/pppd.h         | 11 +++++++++++
- pppd/sys-linux.c    | 15 +++++++++++++++
- pppstats/pppstats.c | 12 ++++++------
- 6 files changed, 50 insertions(+), 17 deletions(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 6d50d1bac1d9..f1986ed68d0b 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -124,7 +124,7 @@
- static const char rcsid[] = RCSID;
- 
- /* interface vars */
--char ifname[32];		/* Interface name */
-+char ifname[MAXIFNAMELEN];	/* Interface name */
- int ifunit;			/* Interface unit number */
- 
- struct channel *the_channel;
-@@ -298,13 +298,6 @@ struct protent *protocols[] = {
-     NULL
- };
- 
--/*
-- * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
-- */
--#if !defined(PPP_DRV_NAME)
--#define PPP_DRV_NAME	"ppp"
--#endif /* !defined(PPP_DRV_NAME) */
--
- int
- main(argc, argv)
-     int argc;
-@@ -737,8 +730,11 @@ void
- set_ifunit(iskey)
-     int iskey;
- {
--    info("Using interface %s%d", PPP_DRV_NAME, ifunit);
--    slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
-+    if (req_ifname[0] != '\0')
-+	slprintf(ifname, sizeof(ifname), "%s", req_ifname);
-+    else
-+	slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
-+    info("Using interface %s", ifname);
-     script_setenv("IFNAME", ifname, iskey);
-     if (iskey) {
- 	create_pidfile(getpid());	/* write pid to file */
-diff --git a/pppd/options.c b/pppd/options.c
-index f66b7657bc31..91da515ac533 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -114,6 +114,7 @@ char	linkname[MAXPATHLEN];	/* logical name for link */
- bool	tune_kernel;		/* may alter kernel settings */
- int	connect_delay = 1000;	/* wait this many ms after connect script */
- int	req_unit = -1;		/* requested interface unit */
-+char	req_ifname[MAXIFNAMELEN];	/* requested interface name */
- bool	multilink = 0;		/* Enable multilink operation */
- char	*bundle_name = NULL;	/* bundle name for multilink */
- bool	dump_options;		/* print out option values */
-@@ -283,6 +284,10 @@ option_t general_options[] = {
-       "PPP interface unit number to use if possible",
-       OPT_PRIO | OPT_LLIMIT, 0, 0 },
- 
-+    { "ifname", o_string, req_ifname,
-+      "Set PPP interface name",
-+      OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXIFNAMELEN },
-+
-     { "dump", o_bool, &dump_options,
-       "Print out option values after parsing all options", 1 },
-     { "dryrun", o_bool, &dryrun,
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index e2768b135273..64659cf867b2 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later.
- .TP
- .B unit \fInum
- Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
--connections.
-+connections.  If the unit is already in use a dynamically allocated number will
-+be used.
-+.TP
-+.B ifname \fIstring
-+Set the ppp interface name for outbound connections.  If the interface name is
-+already in use, or if the name cannot be used for any other reason, pppd will
-+terminate.
- .TP
- .B unset \fIname
- Remove a variable from the environment variable for scripts that are
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 247fa153739b..1a1bf0b99582 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -80,6 +80,16 @@
- #define MAXARGS		1	/* max # args to a command */
- #define MAXNAMELEN	256	/* max length of hostname or name for auth */
- #define MAXSECRETLEN	256	/* max length of password or secret */
-+#define MAXIFNAMELEN	32	/* max length of interface name; or use IFNAMSIZ, can we
-+				   always include net/if.h? */
-+
-+/*
-+ * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
-+ * Where should PPP_DRV_NAME come from? Do we include it here?
-+ */
-+#if !defined(PPP_DRV_NAME)
-+#define PPP_DRV_NAME	"ppp"
-+#endif /* !defined(PPP_DRV_NAME) */
- 
- /*
-  * Option descriptor structure.
-@@ -318,6 +328,7 @@ extern bool	tune_kernel;	/* May alter kernel settings as necessary */
- extern int	connect_delay;	/* Time to delay after connect script */
- extern int	max_data_rate;	/* max bytes/sec through charshunt */
- extern int	req_unit;	/* interface unit number to use */
-+extern char	req_ifname[MAXIFNAMELEN]; /* interface name to use */
- extern bool	multilink;	/* enable multilink operation */
- extern bool	noendpoint;	/* don't send or accept endpt. discrim. */
- extern char	*bundle_name;	/* bundle name for multilink */
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 908aa4f22297..9b2f293024ac 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -641,6 +641,21 @@ static int make_ppp_unit()
- 	}
- 	if (x < 0)
- 		error("Couldn't create new ppp unit: %m");
-+
-+	if (x == 0 && req_ifname[0] != '\0') {
-+		struct ifreq ifr;
-+		char t[MAXIFNAMELEN];
-+		memset(&ifr, 0, sizeof(struct ifreq));
-+		slprintf(t, sizeof(t), "%s%d", PPP_DRV_NAME, ifunit);
-+		strncpy(ifr.ifr_name, t, IF_NAMESIZE);
-+		strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE);
-+		x = ioctl(sock_fd, SIOCSIFNAME, &ifr);
-+		if (x < 0)
-+		    error("Couldn't rename interface %s to %s: %m", t, req_ifname);
-+		else
-+		    info("Renamed interface %s to %s", t, req_ifname);
-+	}
-+
- 	return x;
- }
- 
-diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c
-index 6367988eb96b..46cb9c24942b 100644
---- a/pppstats/pppstats.c
-+++ b/pppstats/pppstats.c
-@@ -88,7 +88,6 @@ int	aflag;			/* print absolute values, not deltas */
- int	dflag;			/* print data rates, not bytes */
- int	interval, count;
- int	infinite;
--int	unit;
- int	s;			/* socket or /dev/ppp file descriptor */
- int	signalled;		/* set if alarm goes off "early" */
- char	*progname;
-@@ -449,6 +448,7 @@ main(argc, argv)
- {
-     int c;
- #ifdef STREAMS
-+    int unit;
-     char *dev;
- #endif
- 
-@@ -506,11 +506,6 @@ main(argc, argv)
-     if (argc > 0)
- 	interface = argv[0];
- 
--    if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
--	fprintf(stderr, "%s: invalid interface '%s' specified\n",
--		progname, interface);
--    }
--
- #ifndef STREAMS
-     {
- 	struct ifreq ifr;
-@@ -535,6 +530,11 @@ main(argc, argv)
-     }
- 
- #else	/* STREAMS */
-+    if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
-+	fprintf(stderr, "%s: invalid interface '%s' specified\n",
-+		progname, interface);
-+    }
-+
- #ifdef __osf__
-     dev = "/dev/streams/ppp";
- #else
diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
deleted file mode 100644
index 2199e7f7d..000000000
--- a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: George Burgess IV <george@gbiv.net>
-Date: Fri, 9 Sep 2016 17:36:54 -0700
-Subject: [PATCH] pppd: Remove unused declaration of ttyname.
-
-Signed-off-by: George Burgess IV <george@gbiv.net>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index f1986ed68d0b..76b67d2485b7 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -257,7 +257,6 @@ static void cleanup_db __P((void));
- static void handle_events __P((void));
- void print_link_stats __P((void));
- 
--extern	char	*ttyname __P((int));
- extern	char	*getlogin __P((void));
- int main __P((int, char *[]));
- 
diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
deleted file mode 100644
index 39fc3d4f6..000000000
--- a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Stefan Nickl <Stefan.Nickl@gmail.com>
-Date: Wed, 10 Aug 2016 16:52:12 +0200
-Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery
-
-The pppoe-discovery program calls error() from the CHECK_ROOM macro
-defined in pppoe.h. Since pppoe-discovery is a standalone program not
-linked with the rest of pppd, the only way this could build is by
-linking to glibc's proprietary error(3) function instead of the function
-of the same name (but with different arguments) defined in pppd/utils.c.
-
-So with glibc this builds, but will probably crash when the assertion is
-triggered. As the assertion is unlikely to fail, nobody has noticed.
-
-The build however fails with musl libc or uClibc since they don't
-provide the doppelganger.
-
-Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 3d3bf4eecc81..55037dffb023 100644
---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -9,6 +9,7 @@
-  *
-  */
- 
-+#include <stdarg.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-@@ -55,6 +56,14 @@ void die(int status)
- 	exit(status);
- }
- 
-+void error(char *fmt, ...)
-+{
-+    va_list pvar;
-+    va_start(pvar, fmt);
-+    vfprintf(stderr, fmt, pvar);
-+    va_end(pvar);
-+}
-+
- /* Initialize frame types to RFC 2516 values.  Some broken peers apparently
-    use different frame types... sigh... */
- 
diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
deleted file mode 100644
index b24e5ef58..000000000
--- a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Mon, 9 Jan 2017 13:34:23 +0000
-Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
-
-This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
-included before <linux/in.h> otherwise the earlier, unaware of the latter,
-tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
-alone anymore, since it pulls the headers in the wrong order, so we better
-include <netinet/in.h> early.
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/pppoe.h | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 9ab2eee3914c..c4aaa6e68856 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -47,6 +47,10 @@
- #include <sys/socket.h>
- #endif
- 
-+/* This has to be included before Linux 4.8's linux/in.h
-+ * gets dragged in. */
-+#include <netinet/in.h>
-+
- /* Ugly header files on some Linux boxes... */
- #if defined(HAVE_LINUX_IF_H)
- #include <linux/if.h>
-@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t;
- #include <linux/if_ether.h>
- #endif
- 
--#include <netinet/in.h>
--
- #ifdef HAVE_NETINET_IF_ETHER_H
- #include <sys/types.h>
- 
-@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t;
- #endif
- 
- 
--
- /* Ethernet frame types according to RFC 2516 */
- #define ETH_PPPOE_DISCOVERY 0x8863
- #define ETH_PPPOE_SESSION   0x8864
diff --git a/patches/ppp-2.4.7/0016-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch
deleted file mode 100644
index c0f222824..000000000
--- a/patches/ppp-2.4.7/0016-adaptive_echos.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] adaptive_echos
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/lcp.c  | 19 +++++++++++++++++++
- pppd/pppd.8 |  5 +++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/pppd/lcp.c b/pppd/lcp.c
-index 8ed2778bfb67..c97a64b7774f 100644
---- a/pppd/lcp.c
-+++ b/pppd/lcp.c
-@@ -73,6 +73,7 @@ static void lcp_delayed_up __P((void *));
-  */
- int	lcp_echo_interval = 0; 	/* Interval between LCP echo-requests */
- int	lcp_echo_fails = 0;	/* Tolerance to unanswered echo-requests */
-+bool	lcp_echo_adaptive = 0;	/* request echo only if the link was idle */
- bool	lax_recv = 0;		/* accept control chars in asyncmap */
- bool	noendpoint = 0;		/* don't send/accept endpoint discriminator */
- 
-@@ -151,6 +152,8 @@ static option_t lcp_option_list[] = {
-       OPT_PRIO },
-     { "lcp-echo-interval", o_int, &lcp_echo_interval,
-       "Set time in seconds between LCP echo requests", OPT_PRIO },
-+    { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive,
-+      "Suppress LCP echo requests if traffic was received", 1 },
-     { "lcp-restart", o_int, &lcp_fsm[0].timeouttime,
-       "Set time in seconds between LCP retransmissions", OPT_PRIO },
-     { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits,
-@@ -2331,6 +2334,22 @@ LcpSendEchoRequest (f)
- 	}
-     }
- 
-+    /*
-+     * If adaptive echos have been enabled, only send the echo request if
-+     * no traffic was received since the last one.
-+     */
-+    if (lcp_echo_adaptive) {
-+	static unsigned int last_pkts_in = 0;
-+
-+	update_link_stats(f->unit);
-+	link_stats_valid = 0;
-+
-+	if (link_stats.pkts_in != last_pkts_in) {
-+	    last_pkts_in = link_stats.pkts_in;
-+	    return;
-+	}
-+    }
-+
-     /*
-      * Make and send the echo request frame.
-      */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 64659cf867b2..ec8bfd5c0617 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the
- dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to
- 1) in demand mode if the local address changes.
- .TP
-+.B lcp\-echo\-adaptive
-+If this option is used with the \fIlcp\-echo\-failure\fR option then
-+pppd will send LCP echo\-request frames only if no traffic was received
-+from the peer since the last echo\-request was sent.
-+.TP
- .B lcp\-echo\-failure \fIn
- If this option is given, pppd will presume the peer to be dead
- if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP
diff --git a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
deleted file mode 100644
index ff9096f70..000000000
--- a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
+++ /dev/null
@@ -1,296 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Makefiles cleanup
-
-Factor-out $COPTS and $LDOPTS to allow distributions to easily override
-them. Properly use $LDFLAGS when linking and $CFLAGS when compiling.
-Do not strip the installed binaries: this should be done by the
-packaging system if required.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- chat/Makefile.linux                  |  5 +++--
- pppd/Makefile.linux                  |  7 ++++---
- pppd/plugins/Makefile.linux          |  4 ++--
- pppd/plugins/pppoatm/Makefile.linux  |  4 ++--
- pppd/plugins/pppol2tp/Makefile.linux |  4 ++--
- pppd/plugins/radius/Makefile.linux   | 16 +++++++++-------
- pppd/plugins/rp-pppoe/Makefile.linux | 10 ++++++----
- pppdump/Makefile.linux               |  9 ++++++---
- pppstats/Makefile.linux              |  7 ++++---
- 9 files changed, 38 insertions(+), 28 deletions(-)
-
-diff --git a/chat/Makefile.linux b/chat/Makefile.linux
-index 1065ac519576..a41d485b4168 100644
---- a/chat/Makefile.linux
-+++ b/chat/Makefile.linux
-@@ -12,20 +12,21 @@ CDEFS=	$(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
- 
- COPTS=	-O2 -g -pipe
- CFLAGS=	$(COPTS) $(CDEFS)
-+LDFLAGS=$(LDOPTS)
- 
- INSTALL= install
- 
- all:	chat
- 
- chat:	chat.o
--	$(CC) -o chat chat.o
-+	$(CC) $(LDFLAGS) -o chat chat.o
- 
- chat.o:	chat.c
- 	$(CC) -c $(CFLAGS) -o chat.o chat.c
- 
- install: chat
- 	mkdir -p $(BINDIR) $(MANDIR)
--	$(INSTALL) -s -c chat $(BINDIR)
-+	$(INSTALL) -c chat $(BINDIR)
- 	$(INSTALL) -c -m 644 chat.8 $(MANDIR)
- 
- clean:
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index a74c914fd3ac..16b3ee879791 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -83,6 +83,7 @@ INCLUDE_DIRS= -I../include
- COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP
- 
- CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
-+LDFLAGS=$(LDOPTS)
- 
- ifdef CHAPMS
- CFLAGS   += -DCHAPMS=1
-@@ -102,7 +103,7 @@ ifdef USE_SRP
- CFLAGS	+= -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
- LIBS	+= -lsrp -L/usr/local/ssl/lib -lcrypto
- TARGETS	+= srp-entry
--EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry
-+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
- MANPAGES += srp-entry.8
- EXTRACLEAN += srp-entry.o
- NEEDDES=y
-@@ -208,13 +209,13 @@ all: $(TARGETS)
- install: pppd
- 	mkdir -p $(BINDIR) $(MANDIR)
- 	$(EXTRAINSTALL)
--	$(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd
-+	$(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
- 	if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
- 	  chmod o-rx,u+s $(BINDIR)/pppd; fi
- 	$(INSTALL) -c -m 444 pppd.8 $(MANDIR)
- 
- pppd: $(PPPDOBJS)
--	$(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
-+	$(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
- 
- srp-entry:	srp-entry.c
- 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 8a90e393a057..0f9d37d2953b 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC	= gcc
- COPTS	= -O2 -g
- CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
--LDFLAGS	= -shared
-+LDFLAGS	= $(LDOPTS)
- INSTALL	= install
- 
- DESTDIR = $(INSTROOT)@DESTDIR@
-@@ -30,7 +30,7 @@ all:	$(PLUGINS)
- 	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
- 
- %.so: %.c
--	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
-+	$(CC) -o $@ $(LDFLAGS) -shared $(CFLAGS) $^
- 
- VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
- 
-diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
-index 20f62e631d23..002603c6cbef 100644
---- a/pppd/plugins/pppoatm/Makefile.linux
-+++ b/pppd/plugins/pppoatm/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC	= gcc
- COPTS	= -O2 -g
- CFLAGS	= $(COPTS) -I../.. -I../../../include -fPIC
--LDFLAGS	= -shared
-+LDFLAGS	= $(LDOPTS)
- INSTALL	= install
- 
- #***********************************************************************
-@@ -33,7 +33,7 @@ endif
- all: $(PLUGIN)
- 
- $(PLUGIN): $(PLUGIN_OBJS)
--	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
-+	$(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
-diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
-index ea3538e22d56..de5cc12e79c3 100644
---- a/pppd/plugins/pppol2tp/Makefile.linux
-+++ b/pppd/plugins/pppol2tp/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC	= gcc
- COPTS	= -O2 -g
- CFLAGS	= $(COPTS) -I. -I../.. -I../../../include -fPIC
--LDFLAGS	= -shared
-+LDFLAGS	= $(LDOPTS)
- INSTALL	= install
- 
- #***********************************************************************
-@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so
- all: $(PLUGINS)
- 
- %.so: %.o
--	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
-+	$(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
-diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
-index 24ed3e580c4d..436ff2fd0c23 100644
---- a/pppd/plugins/radius/Makefile.linux
-+++ b/pppd/plugins/radius/Makefile.linux
-@@ -12,7 +12,9 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
- INSTALL	= install
- 
- PLUGIN=radius.so radattr.so radrealms.so
--CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+COPTS=-g -O2
-+CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+LDFLAGS= $(LDOPTS)
- 
- # Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol.
-@@ -36,20 +38,20 @@ all: $(PLUGIN)
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radius.so $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radattr.so $(LIBDIR)
--	$(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR)
-+	$(INSTALL) -c -m 755 radius.so $(LIBDIR)
-+	$(INSTALL) -c -m 755 radattr.so $(LIBDIR)
-+	$(INSTALL) -c -m 755 radrealms.so $(LIBDIR)
- 	$(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR)
- 	$(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
- 
- radius.so: radius.o libradiusclient.a
--	$(CC) -o radius.so -shared radius.o libradiusclient.a
-+	$(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
- 
- radattr.so: radattr.o
--	$(CC) -o radattr.so -shared radattr.o
-+	$(CC) $(LDFLAGS) -o radattr.so -shared radattr.o
- 
- radrealms.so: radrealms.o
--	$(CC) -o radrealms.so -shared radrealms.o
-+	$(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o
- 
- CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \
- 	clientid.o sendserver.o lock.o util.o md5.o
-diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
-index 5d7a2719545d..00e0af6da20c 100644
---- a/pppd/plugins/rp-pppoe/Makefile.linux
-+++ b/pppd/plugins/rp-pppoe/Makefile.linux
-@@ -27,10 +27,12 @@ RP_VERSION=3.8p
- 
- COPTS=-O2 -g
- CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
-+LDFLAGS=$(LDOPTS)
-+
- all: rp-pppoe.so pppoe-discovery
- 
- pppoe-discovery: pppoe-discovery.o debug.o
--	$(CC) -o pppoe-discovery pppoe-discovery.o debug.o
-+	$(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o
- 
- pppoe-discovery.o: pppoe-discovery.c
- 	$(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
-@@ -39,13 +41,13 @@ debug.o: debug.c
- 	$(CC) $(CFLAGS) -c -o debug.o debug.c
- 
- rp-pppoe.so: plugin.o discovery.o if.o common.o
--	$(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
-+	$(CC) $(LDFLAGS) -o rp-pppoe.so -shared $^
- 
- install: all
- 	$(INSTALL) -d -m 755 $(LIBDIR)
--	$(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR)
-+	$(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
- 	$(INSTALL) -d -m 755 $(BINDIR)
--	$(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR)
-+	$(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
- 
- clean:
- 	rm -f *.o *.so pppoe-discovery
-diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index ac028f6bf4f0..65e5c14914fb 100644
---- a/pppdump/Makefile.linux
-+++ b/pppdump/Makefile.linux
-@@ -2,7 +2,10 @@ DESTDIR = $(INSTROOT)@DESTDIR@
- BINDIR = $(DESTDIR)/sbin
- MANDIR = $(DESTDIR)/share/man/man8
- 
--CFLAGS= -O -I../include/net
-+COPTS=-O2 -g
-+CFLAGS= $(COPTS) -I../include/net
-+LDFLAGS=$(LDOPTS)
-+
- OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
- 
- INSTALL= install
-@@ -10,12 +13,12 @@ INSTALL= install
- all:	pppdump
- 
- pppdump: $(OBJS)
--	$(CC) -o pppdump $(OBJS)
-+	$(CC) $(LDFLAGS) -o pppdump $(OBJS)
- 
- clean:
- 	rm -f pppdump $(OBJS) *~
- 
- install:
- 	mkdir -p $(BINDIR) $(MANDIR)
--	$(INSTALL) -s -c pppdump $(BINDIR)
-+	$(INSTALL) -c pppdump $(BINDIR)
- 	$(INSTALL) -c -m 444 pppdump.8 $(MANDIR)
-diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
-index cca6f0f61d87..9ec8e803665a 100644
---- a/pppstats/Makefile.linux
-+++ b/pppstats/Makefile.linux
-@@ -10,23 +10,24 @@ PPPSTATSRCS = pppstats.c
- PPPSTATOBJS = pppstats.o
- 
- #CC = gcc
--COPTS = -O
-+COPTS = -O2 -g
- COMPILE_FLAGS = -I../include
- LIBS =
- 
- INSTALL= install
- 
- CFLAGS = $(COPTS) $(COMPILE_FLAGS)
-+LDFLAGS= $(LDOPTS)
- 
- all: pppstats
- 
- install: pppstats
- 	-mkdir -p $(MANDIR)
--	$(INSTALL) -s -c pppstats $(BINDIR)
-+	$(INSTALL) -c pppstats $(BINDIR)
- 	$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
- 
- pppstats: $(PPPSTATSRCS)
--	$(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
-+	$(CC) $(LDFLAGS) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
- 
- clean:
- 	rm -f pppstats *~ #* core
diff --git a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
deleted file mode 100644
index 41669d12a..000000000
--- a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Simon Peter <dn.tlp@gmx.net>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist
-
-When using the kernel PPPoE driver, pppd never
-closes /dev/ppp when the link has come down.
-
-It opens superfluous fds to the device each time it re-opens the
-connection, with the unclosed ones falsely reported always ready for
-data by select().
-
-This makes pppd eat up 100% CPU time after the first persist because of
-the always instantly returning select() on the unclosed fds.
-
-The problem also occurs with the upstream version, but does not occur
-when a pty/tty device is used for the ppp connection.
-
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/sys-linux.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 9b2f293024ac..6d29dc8e8594 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd)
-     if (new_style_driver) {
- 	int flags;
- 
-+        /* if a ppp_fd is already open, close it first */
-+        if(ppp_fd > 0) {
-+          close(ppp_fd);
-+          remove_fd(ppp_fd);
-+          ppp_fd = -1;
-+        }
-+
- 	/* Open an instance of /dev/ppp and connect the channel to it */
- 	if (ioctl(fd, PPPIOCGCHAN, &chindex) == -1) {
- 	    error("Couldn't get channel number: %m");
diff --git a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
deleted file mode 100644
index f785c75d8..000000000
--- a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment
-
-Package: ppp
-Version: 2.4.2+20040428-2
-Severity: wishlist
-
-When pppd detaches from the parent normally, that is, without nodetach
-or updetach set, the linkpidfile is not created even when linkname is
-set.
-
-This is because the create_linkpidfile call in detach() is only made
-if the linkpidfile is filled in.  However, linkpidfile is never filled
-in until create_linkpidfile has been called.
-
-IMHO the call should be made uncondtionally in detach() since
-create_linkpidfile does its own check on linkname anyway.
-
-Please note that the version of pppd in woody always wrote the
-linkpidfile after detaching.  It did so in main() however.  That
-call has now been removed which is why I'm seeing this problem.
-
-[...]
-
---
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 76b67d2485b7..8e31365f0c58 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -765,8 +765,7 @@ detach()
- 	/* update pid files if they have been written already */
- 	if (pidfilename[0])
- 	    create_pidfile(pid);
--	if (linkpidfile[0])
--	    create_linkpidfile(pid);
-+	create_linkpidfile(pid);
- 	exit(0);		/* parent dies */
-     }
-     setsid();
diff --git a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
deleted file mode 100644
index ee22c74b6..000000000
--- a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] cosmetic cleanup of the pppoatm plugin
-
-Removed some debugging messages and generally cleaned up the source.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++----------
- 1 file changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
-index a7560e9fb0c6..90d0c9a85d9f 100644
---- a/pppd/plugins/pppoatm/pppoatm.c
-+++ b/pppd/plugins/pppoatm/pppoatm.c
-@@ -70,18 +70,20 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
- {
- 	struct sockaddr_atmpvc addr;
- 	extern struct stat devstat;
-+
- 	if (device_got_set)
- 		return 0;
--	//info("PPPoATM setdevname_pppoatm: '%s'", cp);
-+
- 	memset(&addr, 0, sizeof addr);
- 	if (text2atm(cp, (struct sockaddr *) &addr, sizeof(addr),
--	    T2A_PVC | T2A_NAME) < 0) {
--               if(doit)
--                   info("atm does not recognize: %s", cp);
-+	    T2A_PVC | T2A_NAME | T2A_WILDCARD) < 0) {
-+		if (doit)
-+			info("cannot parse the ATM address: %s", cp);
- 		return 0;
--           }
--	if (!doit) return 1;
--	//if (!dev_set_ok()) return -1;
-+	}
-+	if (!doit)
-+		return 1;
-+
- 	memcpy(&pvcaddr, &addr, sizeof pvcaddr);
- 	strlcpy(devnam, cp, sizeof devnam);
- 	devstat.st_mode = S_IFSOCK;
-@@ -93,7 +95,6 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
- 		lcp_allowoptions[0].neg_asyncmap = 0;
- 		lcp_wantoptions[0].neg_pcompression = 0;
- 	}
--	info("PPPoATM setdevname_pppoatm - SUCCESS:%s", cp);
- 	device_got_set = 1;
- 	return 1;
- }
-@@ -108,6 +109,7 @@ static void no_device_given_pppoatm(void)
- static void set_line_discipline_pppoatm(int fd)
- {
- 	struct atm_backend_ppp be;
-+
- 	be.backend_num = ATM_BACKEND_PPP;
- 	if (!llc_encaps)
- 		be.encaps = PPPOATM_ENCAPS_VC;
-@@ -115,6 +117,7 @@ static void set_line_discipline_pppoatm(int fd)
- 		be.encaps = PPPOATM_ENCAPS_LLC;
- 	else
- 		be.encaps = PPPOATM_ENCAPS_AUTODETECT;
-+
- 	if (ioctl(fd, ATM_SETBACKEND, &be) < 0)
- 		fatal("ioctl(ATM_SETBACKEND): %m");
- }
-@@ -172,7 +175,7 @@ static void disconnect_pppoatm(void)
- 
- void plugin_init(void)
- {
--#if defined(__linux__)
-+#ifdef linux
- 	extern int new_style_driver;	/* From sys-linux.c */
- 	if (!ppp_available() && !new_style_driver)
- 		fatal("Kernel doesn't support ppp_generic - "
-@@ -180,9 +183,9 @@ void plugin_init(void)
- #else
- 	fatal("No PPPoATM support on this OS");
- #endif
--	info("PPPoATM plugin_init");
- 	add_options(pppoa_options);
- }
-+
- struct channel pppoa_channel = {
-     options: pppoa_options,
-     process_extra_options: NULL,
diff --git a/patches/ppp-2.4.7/0023-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch
deleted file mode 100644
index b4712de17..000000000
--- a/patches/ppp-2.4.7/0023-pppoe_noads.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] pppoe_noads
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index c89be94250bc..7804b184f0cb 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -377,9 +377,6 @@ plugin_init(void)
-     }
- 
-     add_options(Options);
--
--    info("RP-PPPoE plugin version %s compiled against pppd %s",
--	 RP_VERSION, VERSION);
- }
- 
- void pppoe_check_options(void)
diff --git a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
deleted file mode 100644
index 557b16901..000000000
--- a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] make _PATH_CONNERRS world readable
-
-There is nothing security-sensitive there.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 8e31365f0c58..ed544315c1df 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait)
-     if (log_to_fd >= 0)
- 	errfd = log_to_fd;
-     else
--	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600);
-+	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
- 
-     ++conn_running;
-     pid = safe_fork(in, out, errfd);
diff --git a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
deleted file mode 100644
index febfaf869..000000000
--- a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Correct unkown => unknown typo
-
-Author: Chris Boot <bootc@debian.org>
-Last-Update: 2013-09-09
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/config.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c
-index a29e5e8da909..f892ca7b1bf5 100644
---- a/pppd/plugins/radius/config.c
-+++ b/pppd/plugins/radius/config.c
-@@ -271,7 +271,7 @@ char *rc_conf_str(char *optname)
- 	option = find_option(optname, OT_STR);
- 
- 	if (option == NULL)
--		fatal("rc_conf_str: unkown config option requested: %s", optname);
-+		fatal("rc_conf_str: unknown config option requested: %s", optname);
- 		return (char *)option->val;
- }
- 
-@@ -282,7 +282,7 @@ int rc_conf_int(char *optname)
- 	option = find_option(optname, OT_INT|OT_AUO);
- 
- 	if (option == NULL)
--		fatal("rc_conf_int: unkown config option requested: %s", optname);
-+		fatal("rc_conf_int: unknown config option requested: %s", optname);
- 	return *((int *)option->val);
- }
- 
-@@ -293,7 +293,7 @@ SERVER *rc_conf_srv(char *optname)
- 	option = find_option(optname, OT_SRV);
- 
- 	if (option == NULL)
--		fatal("rc_conf_srv: unkown config option requested: %s", optname);
-+		fatal("rc_conf_srv: unknown config option requested: %s", optname);
- 	return (SERVER *)option->val;
- }
- 
diff --git a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
deleted file mode 100644
index 5cf266d10..000000000
--- a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
+++ /dev/null
@@ -1,302 +0,0 @@
-From: Matteo Croce <matteo@openwrt.org>
-Date: Sat, 21 Nov 2015 18:45:43 +0100
-Subject: [PATCH] pppoe: custom host-uniq tag
-
-Add pppoe 'host-uniq' option to set an arbitrary
-host-uniq tag instead of the pppd pid.
-Some ISPs use such tag to authenticate the CPE,
-so it must be set to a proper value to connect.
-
-Signed-off-by: Matteo Croce <matteo@openwrt.org>
-Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/common.c          | 14 ++++-----
- pppd/plugins/rp-pppoe/discovery.c       | 51 +++++++++++++--------------------
- pppd/plugins/rp-pppoe/plugin.c          |  7 ++++-
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 38 +++++++++++++++---------
- pppd/plugins/rp-pppoe/pppoe.h           | 31 +++++++++++++++++++-
- 5 files changed, 86 insertions(+), 55 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c
-index 89c633c773f9..8f175ece345b 100644
---- a/pppd/plugins/rp-pppoe/common.c
-+++ b/pppd/plugins/rp-pppoe/common.c
-@@ -119,15 +119,11 @@ sendPADT(PPPoEConnection *conn, char const *msg)
-     conn->session = 0;
- 
-     /* If we're using Host-Uniq, copy it over */
--    if (conn->useHostUniq) {
--	PPPoETag hostUniq;
--	pid_t pid = getpid();
--	hostUniq.type = htons(TAG_HOST_UNIQ);
--	hostUniq.length = htons(sizeof(pid));
--	memcpy(hostUniq.payload, &pid, sizeof(pid));
--	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
--	cursor += sizeof(pid) + TAG_HDR_SIZE;
--	plen += sizeof(pid) + TAG_HDR_SIZE;
-+    if (conn->hostUniq.length) {
-+	int len = ntohs(conn->hostUniq.length);
-+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+	cursor += len + TAG_HDR_SIZE;
-+	plen += len + TAG_HDR_SIZE;
-     }
- 
-     /* Copy error message */
-diff --git a/pppd/plugins/rp-pppoe/discovery.c b/pppd/plugins/rp-pppoe/discovery.c
-index 04877cb8295f..5db8d0defc37 100644
---- a/pppd/plugins/rp-pppoe/discovery.c
-+++ b/pppd/plugins/rp-pppoe/discovery.c
-@@ -80,13 +80,10 @@ static void
- parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
- 		 void *extra)
- {
--    int *val = (int *) extra;
--    if (type == TAG_HOST_UNIQ && len == sizeof(pid_t)) {
--	pid_t tmp;
--	memcpy(&tmp, data, len);
--	if (tmp == getpid()) {
--	    *val = 1;
--	}
-+    PPPoETag *tag = extra;
-+
-+    if (type == TAG_HOST_UNIQ && len == ntohs(tag->length)) {
-+	tag->length = memcmp(data, tag->payload, len);
-     }
- }
- 
-@@ -104,16 +101,16 @@ parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
- static int
- packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
- {
--    int forMe = 0;
-+    PPPoETag hostUniq = conn->hostUniq;
- 
-     /* If packet is not directed to our MAC address, forget it */
-     if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
- 
-     /* If we're not using the Host-Unique tag, then accept the packet */
--    if (!conn->useHostUniq) return 1;
-+    if (!conn->hostUniq.length) return 1;
- 
--    parsePacket(packet, parseForHostUniq, &forMe);
--    return forMe;
-+    parsePacket(packet, parseForHostUniq, &hostUniq);
-+    return !hostUniq.length;
- }
- 
- /**********************************************************************
-@@ -301,16 +298,12 @@ sendPADI(PPPoEConnection *conn)
-     }
- 
-     /* If we're using Host-Uniq, copy it over */
--    if (conn->useHostUniq) {
--	PPPoETag hostUniq;
--	pid_t pid = getpid();
--	hostUniq.type = htons(TAG_HOST_UNIQ);
--	hostUniq.length = htons(sizeof(pid));
--	memcpy(hostUniq.payload, &pid, sizeof(pid));
--	CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
--	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
--	cursor += sizeof(pid) + TAG_HDR_SIZE;
--	plen += sizeof(pid) + TAG_HDR_SIZE;
-+    if (conn->hostUniq.length) {
-+	int len = ntohs(conn->hostUniq.length);
-+	CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
-+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+	cursor += len + TAG_HDR_SIZE;
-+	plen += len + TAG_HDR_SIZE;
-     }
- 
-     /* Add our maximum MTU/MRU */
-@@ -478,16 +471,12 @@ sendPADR(PPPoEConnection *conn)
-     cursor += namelen + TAG_HDR_SIZE;
- 
-     /* If we're using Host-Uniq, copy it over */
--    if (conn->useHostUniq) {
--	PPPoETag hostUniq;
--	pid_t pid = getpid();
--	hostUniq.type = htons(TAG_HOST_UNIQ);
--	hostUniq.length = htons(sizeof(pid));
--	memcpy(hostUniq.payload, &pid, sizeof(pid));
--	CHECK_ROOM(cursor, packet.payload, sizeof(pid)+TAG_HDR_SIZE);
--	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
--	cursor += sizeof(pid) + TAG_HDR_SIZE;
--	plen += sizeof(pid) + TAG_HDR_SIZE;
-+    if (conn->hostUniq.length) {
-+	int len = ntohs(conn->hostUniq.length);
-+	CHECK_ROOM(cursor, packet.payload, len+TAG_HDR_SIZE);
-+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+	cursor += len + TAG_HDR_SIZE;
-+	plen += len + TAG_HDR_SIZE;
-     }
- 
-     /* Add our maximum MTU/MRU */
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index 7804b184f0cb..12778d0d9991 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -68,6 +68,7 @@ static char *existingSession = NULL;
- static int printACNames = 0;
- static char *pppoe_reqd_mac = NULL;
- unsigned char pppoe_reqd_mac_addr[6];
-+static char *host_uniq = NULL;
- 
- static int PPPoEDevnameHook(char *cmd, char **argv, int doit);
- static option_t Options[] = {
-@@ -85,6 +86,8 @@ static option_t Options[] = {
-       "Be verbose about discovered access concentrators"},
-     { "pppoe-mac", o_string, &pppoe_reqd_mac,
-       "Only connect to specified MAC address" },
-+    { "host-uniq", o_string, &host_uniq,
-+      "Specify custom Host-Uniq" },
-     { NULL }
- };
- int (*OldDevnameHook)(char *cmd, char **argv, int doit) = NULL;
-@@ -110,7 +113,6 @@ PPPOEInitDevice(void)
-     conn->ifName = devnam;
-     conn->discoverySocket = -1;
-     conn->sessionSocket = -1;
--    conn->useHostUniq = 1;
-     conn->printACNames = printACNames;
-     conn->discoveryTimeout = PADI_TIMEOUT;
-     return 1;
-@@ -166,6 +168,9 @@ PPPOEConnectDevice(void)
-     if (lcp_wantoptions[0].mru > ifr.ifr_mtu - TOTAL_OVERHEAD)
- 	lcp_wantoptions[0].mru = ifr.ifr_mtu - TOTAL_OVERHEAD;
- 
-+    if (host_uniq && !parseHostUniq(host_uniq, &conn->hostUniq))
-+	fatal("Illegal value for host-uniq option");
-+
-     conn->acName = acName;
-     conn->serviceName = pppd_pppoe_service;
-     strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam));
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 55037dffb023..ff4c487ffaa9 100644
---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
-     if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
- 
-     /* If we're not using the Host-Unique tag, then accept the packet */
--    if (!conn->useHostUniq) return 1;
-+    if (!conn->hostUniq.length) return 1;
- 
-     parsePacket(packet, parseForHostUniq, &forMe);
-     return forMe;
-@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn)
-     cursor += namelen + TAG_HDR_SIZE;
- 
-     /* If we're using Host-Uniq, copy it over */
--    if (conn->useHostUniq) {
--	PPPoETag hostUniq;
--	pid_t pid = getpid();
--	hostUniq.type = htons(TAG_HOST_UNIQ);
--	hostUniq.length = htons(sizeof(pid));
--	memcpy(hostUniq.payload, &pid, sizeof(pid));
--	CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
--	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
--	cursor += sizeof(pid) + TAG_HDR_SIZE;
--	plen += sizeof(pid) + TAG_HDR_SIZE;
-+    if (conn->hostUniq.length) {
-+	int len = ntohs(conn->hostUniq.length);
-+	CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
-+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+	cursor += len + TAG_HDR_SIZE;
-+	plen += len + TAG_HDR_SIZE;
-     }
- 
-     packet.length = htons(plen);
-@@ -653,7 +649,7 @@ int main(int argc, char *argv[])
- 
-     memset(conn, 0, sizeof(PPPoEConnection));
- 
--    while ((opt = getopt(argc, argv, "I:D:VUAS:C:h")) > 0) {
-+    while ((opt = getopt(argc, argv, "I:D:VUW:AS:C:h")) > 0) {
- 	switch(opt) {
- 	case 'S':
- 	    conn->serviceName = xstrdup(optarg);
-@@ -662,7 +658,23 @@ int main(int argc, char *argv[])
- 	    conn->acName = xstrdup(optarg);
- 	    break;
- 	case 'U':
--	    conn->useHostUniq = 1;
-+	    if(conn->hostUniq.length) {
-+		fprintf(stderr, "-U and -W are mutually exclusive\n");
-+		exit(EXIT_FAILURE);
-+	    }
-+            char pidbuf[5];
-+            snprintf(pidbuf, sizeof(pidbuf), "%04x", getpid());
-+            parseHostUniq(pidbuf, &conn->hostUniq);
-+	    break;
-+	case 'W':
-+	    if(conn->hostUniq.length) {
-+		fprintf(stderr, "-U and -W are mutually exclusive\n");
-+		exit(EXIT_FAILURE);
-+	    }
-+	    if (!parseHostUniq(optarg, &conn->hostUniq)) {
-+                fprintf(stderr, "Invalid host-uniq argument: %s\n", optarg);
-+                exit(EXIT_FAILURE);
-+            }
- 	    break;
- 	case 'D':
- 	    conn->debugFile = fopen(optarg, "w");
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index c4aaa6e68856..08026f577028 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -21,6 +21,8 @@
- 
- #include <stdio.h>		/* For FILE */
- #include <sys/types.h>		/* For pid_t */
-+#include <ctype.h>
-+#include <string.h>
- 
- /* How do we access raw Ethernet devices? */
- #undef USE_LINUX_PACKET
-@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct {
-     char *serviceName;		/* Desired service name, if any */
-     char *acName;		/* Desired AC name, if any */
-     int synchronous;		/* Use synchronous PPP */
--    int useHostUniq;		/* Use Host-Uniq tag */
-+    PPPoETag hostUniq;		/* Use Host-Uniq tag */
-     int printACNames;		/* Just print AC names */
-     FILE *debugFile;		/* Debug file for dumping packets */
-     int numPADOs;		/* Number of PADO packets received */
-@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet,
- 		    void (*printer)(void *, char *, ...), void *arg);
- void pppoe_log_packet(const char *prefix, PPPoEPacket *packet);
- 
-+static inline int parseHostUniq(const char *uniq, PPPoETag *tag)
-+{
-+    int i, len = strlen(uniq);
-+
-+#define hex(x) \
-+    (((x) <= '9') ? ((x) - '0') : \
-+        (((x) <= 'F') ? ((x) - 'A' + 10) : \
-+            ((x) - 'a' + 10)))
-+
-+    if (len % 2)
-+        return 0;
-+
-+    for (i = 0; i < len; i += 2)
-+    {
-+        if (!isxdigit(uniq[i]) || !isxdigit(uniq[i+1]))
-+            return 0;
-+
-+        tag->payload[i / 2] = (char)(16 * hex(uniq[i]) + hex(uniq[i+1]));
-+    }
-+
-+#undef hex
-+
-+    tag->type = htons(TAG_HOST_UNIQ);
-+    tag->length = htons(len / 2);
-+    return 1;
-+}
-+
- #define SET_STRING(var, val) do { if (var) free(var); var = strDup(val); } while(0);
- 
- #define CHECK_ROOM(cursor, start, len) \
diff --git a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
deleted file mode 100644
index 19f931b12..000000000
--- a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
+++ /dev/null
@@ -1,324 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Add replacedefaultroute option
-
-Adds an option to pppd to control whether to replace existing default routes
-when using the 'defaultroute' option.
-
-If defaultroute and replacedefaultroute are both set, pppd replaces an existing
-default route with the new default route. The old default route is restored when
-the connection is taken down.
-
-Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Last-Update: 2014-01-26
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipcp.c      | 45 +++++++++++++++++++++++++++----
- pppd/ipcp.h      |  1 +
- pppd/pppd.8      | 12 ++++++++-
- pppd/pppd.h      |  4 +++
- pppd/sys-linux.c | 82 +++++++++++++++++++++++++++++++++++++++++++++-----------
- 5 files changed, 123 insertions(+), 21 deletions(-)
-
-diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index e9738fe4d894..c8fe279d4ede 100644
---- a/pppd/ipcp.c
-+++ b/pppd/ipcp.c
-@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = {
-       "disable defaultroute option", OPT_ALIAS | OPT_A2CLR,
-       &ipcp_wantoptions[0].default_route },
- 
-+#ifdef __linux__
-+    { "replacedefaultroute", o_bool,
-+				&ipcp_wantoptions[0].replace_default_route,
-+      "Replace default route", 1
-+    },
-+    { "noreplacedefaultroute", o_bool,
-+				&ipcp_allowoptions[0].replace_default_route,
-+      "Never replace default route", OPT_A2COPY,
-+				&ipcp_wantoptions[0].replace_default_route },
-+#endif
-     { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp,
-       "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp },
-     { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp,
-@@ -271,7 +281,7 @@ struct protent ipcp_protent = {
-     ip_active_pkt
- };
- 
--static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t));
-+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool));
- static void ipcp_script __P((char *, int));	/* Run an up/down script */
- static void ipcp_script_done __P((void *));
- 
-@@ -1761,7 +1771,12 @@ ip_demand_conf(u)
-     if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE))
- 	return 0;
-     if (wo->default_route)
-+#ifndef __linux__
- 	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr))
-+#else
-+	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr,
-+					    wo->replace_default_route))
-+#endif
- 	    default_route_set[u] = 1;
-     if (wo->proxy_arp)
- 	if (sifproxyarp(u, wo->hisaddr))
-@@ -1849,7 +1864,8 @@ ipcp_up(f)
-      */
-     if (demand) {
- 	if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) {
--	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr);
-+	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr,
-+				      wo->replace_default_route);
- 	    if (go->ouraddr != wo->ouraddr) {
- 		warn("Local IP address changed to %I", go->ouraddr);
- 		script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0);
-@@ -1874,7 +1890,12 @@ ipcp_up(f)
- 
- 	    /* assign a default route through the interface if required */
- 	    if (ipcp_wantoptions[f->unit].default_route) 
-+#ifndef __linux__
- 		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+					     wo->replace_default_route))
-+#endif
- 		    default_route_set[f->unit] = 1;
- 
- 	    /* Make a proxy ARP entry if requested. */
-@@ -1924,7 +1945,12 @@ ipcp_up(f)
- 
- 	/* assign a default route through the interface if required */
- 	if (ipcp_wantoptions[f->unit].default_route) 
-+#ifndef __linux__
- 	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+					 wo->replace_default_route))
-+#endif
- 		default_route_set[f->unit] = 1;
- 
- 	/* Make a proxy ARP entry if requested. */
-@@ -2002,7 +2028,7 @@ ipcp_down(f)
- 	sifnpmode(f->unit, PPP_IP, NPMODE_DROP);
- 	sifdown(f->unit);
- 	ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr,
--			 ipcp_hisoptions[f->unit].hisaddr);
-+			 ipcp_hisoptions[f->unit].hisaddr, 0);
-     }
- 
-     /* Execute the ip-down script */
-@@ -2018,16 +2044,25 @@ ipcp_down(f)
-  * proxy arp entries, etc.
-  */
- static void
--ipcp_clear_addrs(unit, ouraddr, hisaddr)
-+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute)
-     int unit;
-     u_int32_t ouraddr;  /* local address */
-     u_int32_t hisaddr;  /* remote address */
-+    bool replacedefaultroute;
- {
-     if (proxy_arp_set[unit]) {
- 	cifproxyarp(unit, hisaddr);
- 	proxy_arp_set[unit] = 0;
-     }
--    if (default_route_set[unit]) {
-+    /* If replacedefaultroute, sifdefaultroute will be called soon
-+     * with replacedefaultroute set and that will overwrite the current
-+     * default route. This is the case only when doing demand, otherwise
-+     * during demand, this cifdefaultroute would restore the old default
-+     * route which is not what we want in this case. In the non-demand
-+     * case, we'll delete the default route and restore the old if there
-+     * is one saved by an sifdefaultroute with replacedefaultroute.
-+     */
-+    if (!replacedefaultroute && default_route_set[unit]) {
- 	cifdefaultroute(unit, ouraddr, hisaddr);
- 	default_route_set[unit] = 0;
-     }
-diff --git a/pppd/ipcp.h b/pppd/ipcp.h
-index 6cf14c990578..7ecfa79d8668 100644
---- a/pppd/ipcp.h
-+++ b/pppd/ipcp.h
-@@ -70,6 +70,7 @@ typedef struct ipcp_options {
-     bool old_addrs;		/* Use old (IP-Addresses) option? */
-     bool req_addr;		/* Ask peer to send IP address? */
-     bool default_route;		/* Assign default route through interface? */
-+    bool replace_default_route;	/* Replace default route through interface? */
-     bool proxy_arp;		/* Make proxy ARP entry for peer? */
-     bool neg_vj;		/* Van Jacobson Compression? */
-     bool old_vj;		/* use old (short) form of VJ option? */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index ec8bfd5c0617..481aa8be672b 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed.
- This entry is removed when the PPP connection is broken.  This option
- is privileged if the \fInodefaultroute\fR option has been specified.
- .TP
-+.B replacedefaultroute
-+This option is a flag to the defaultroute option. If defaultroute is
-+set and this flag is also set, pppd replaces an existing default route
-+with the new default route.
-+.TP
- .B disconnect \fIscript
- Execute the command specified by \fIscript\fR, by passing it to a
- shell, after
-@@ -739,7 +744,12 @@ disable both forms of hardware flow control.
- .TP
- .B nodefaultroute
- Disable the \fIdefaultroute\fR option.  The system administrator who
--wishes to prevent users from creating default routes with pppd
-+wishes to prevent users from adding a default route with pppd
-+can do so by placing this option in the /etc/ppp/options file.
-+.TP
-+.B noreplacedefaultroute
-+Disable the \fIreplacedefaultroute\fR option. The system administrator who
-+wishes to prevent users from replacing a default route with pppd
- can do so by placing this option in the /etc/ppp/options file.
- .TP
- .B nodeflate
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 1a1bf0b99582..7495df657fe9 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -676,7 +676,11 @@ int  sif6addr __P((int, eui64_t, eui64_t));
- int  cif6addr __P((int, eui64_t, eui64_t));
- 				/* Remove an IPv6 address from i/f */
- #endif
-+#ifndef __linux__
- int  sifdefaultroute __P((int, u_int32_t, u_int32_t));
-+#else
-+int  sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt));
-+#endif
- 				/* Create default route through i/f */
- int  cifdefaultroute __P((int, u_int32_t, u_int32_t));
- 				/* Delete default route through i/f */
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 6d29dc8e8594..3f0bbc33c605 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */
- static int	if_is_up;	/* Interface has been marked up */
- static int	if6_is_up;	/* Interface has been marked up for IPv6, to help differentiate */
- static int	have_default_route;	/* Gateway for default route added */
-+static struct rtentry old_def_rt;       /* Old default route */
-+static int       default_rt_repl_rest;  /* replace and restore old default rt */
- static u_int32_t proxy_arp_addr;	/* Addr for proxy arp entry added */
- static char proxy_arp_dev[16];		/* Device for proxy arp entry */
- static u_int32_t our_old_addr;		/* for detecting address changes */
-@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt)
- 	p = NULL;
-     }
- 
-+    SET_SA_FAMILY (rt->rt_dst,     AF_INET);
-+    SET_SA_FAMILY (rt->rt_gateway, AF_INET);
-+
-     SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16);
-     SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16);
-     SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16);
-@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr)
- /********************************************************************
-  *
-  * sifdefaultroute - assign a default route through the address given.
-- */
--
--int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
--{
--    struct rtentry rt;
--
--    if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) {
--	if (rt.rt_flags & RTF_GATEWAY)
--	    error("not replacing existing default route via %I",
--		  SIN_ADDR(rt.rt_gateway));
--	else
--	    error("not replacing existing default route through %s",
--		  rt.rt_dev);
--	return 0;
-+ *
-+ * If the global default_rt_repl_rest flag is set, then this function
-+ * already replaced the original system defaultroute with some other
-+ * route and it should just replace the current defaultroute with
-+ * another one, without saving the current route. Use: demand mode,
-+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses
-+ * and then changes the temporary addresses to the addresses for the real
-+ * ppp connection when it has come up.
-+ */
-+
-+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace)
-+{
-+    struct rtentry rt, tmp_rt;
-+    struct rtentry *del_rt = NULL;
-+
-+    if (default_rt_repl_rest) {
-+       /* We have already reclaced the original defaultroute, if we
-+         * are called again, we will delete the current default route
-+         * and set the new default route in this function.
-+         * - this is normally only the case the doing demand: */
-+       if (defaultroute_exists( &tmp_rt ))
-+               del_rt = &tmp_rt;
-+    } else if ( defaultroute_exists( &old_def_rt                ) &&
-+                            strcmp(  old_def_rt.rt_dev, ifname ) != 0) {
-+       /* We did not yet replace an existing default route, let's
-+        * check if we should save and replace a default route:
-+         */
-+       u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway);
-+
-+       if (old_gateway != gateway) {
-+           if (!replace) {
-+               error("not replacing default route to %s [%I]",
-+                       old_def_rt.rt_dev, old_gateway);
-+               return 0;
-+           } else {
-+               // we need to copy rt_dev because we need it permanent too:
-+               char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1);
-+               strcpy(tmp_dev, old_def_rt.rt_dev);
-+               old_def_rt.rt_dev = tmp_dev;
-+
-+               notice("replacing old default route to %s [%I]",
-+                       old_def_rt.rt_dev, old_gateway);
-+               default_rt_repl_rest = 1;
-+               del_rt = &old_def_rt;
-+           }
-+       }
-     }
--
-     memset (&rt, 0, sizeof (rt));
-     SET_SA_FAMILY (rt.rt_dst, AF_INET);
- 
-@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
- 	    error("default route ioctl(SIOCADDRT): %m");
- 	return 0;
-     }
-+    if (default_rt_repl_rest && del_rt)
-+        if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) {
-+	    if ( ! ok_error ( errno ))
-+	        error("del old default route ioctl(SIOCDELRT): %m(%d)", errno);
-+	    return 0;
-+        }
- 
-     have_default_route = 1;
-     return 1;
-@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
- 	    return 0;
- 	}
-     }
-+    if (default_rt_repl_rest) {
-+	notice("restoring old default route to %s [%I]",
-+			old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway));
-+        if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) {
-+	    if ( ! ok_error ( errno ))
-+	        error("restore default route ioctl(SIOCADDRT): %m(%d)", errno);
-+	    return 0;
-+        }
-+        default_rt_repl_rest = 0;
-+    }
- 
-     return 1;
- }
diff --git a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
deleted file mode 100644
index 3cd1b78e7..000000000
--- a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] add support for the Framed-MTU Radius attribute
-
-http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532
-
-From: klepikov_a@up.ua
-To: ppp-bugs@ppp.samba.org
-Subject: Radius plugin does not set MTU on ppp interface
-Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT)
-
-Full_Name: Alexander Klepikov
-Version: 2.4.3
-OS: rhl 7.3 (2.4.20-28.7bigmem)
-Submission from: (NULL) (213.130.21.73)
-
-
-This patch allows radius plugin to deal with Framed-MTU Radius attribute and to
-set MTU on interface.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/radius.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
-index 4ba5f523ea07..06e00590b635 100644
---- a/pppd/plugins/radius/radius.c
-+++ b/pppd/plugins/radius/radius.c
-@@ -651,6 +651,9 @@ radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info,
- 		    memcpy(rstate.class, vp->strvalue, rstate.class_len);
- 		} /* else too big for our buffer - ignore it */
- 		break;
-+	    case PW_FRAMED_MTU:
-+		netif_set_mtu(rstate.client_port,MIN(netif_get_mtu(rstate.client_port),vp->lvalue));
-+		break;
- 	    }
- 
- 
diff --git a/patches/ppp-2.4.7/0030-018_ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch
deleted file mode 100644
index 06cb2e5bb..000000000
--- a/patches/ppp-2.4.7/0030-018_ip-up_option.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] 018_ip up_option
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipcp.c    | 8 ++++----
- pppd/main.c    | 3 +++
- pppd/options.c | 9 +++++++++
- pppd/pppd.h    | 2 ++
- 4 files changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index dceca807542a..d6e0e2a699fe 100644
---- a/pppd/ipcp.c
-+++ b/pppd/ipcp.c
-@@ -1984,7 +1984,7 @@ ipcp_up(f)
-      */
-     if (ipcp_script_state == s_down && ipcp_script_pid == 0) {
- 	ipcp_script_state = s_up;
--	ipcp_script(_PATH_IPUP, 0);
-+	ipcp_script(path_ipup, 0);
-     }
- }
- 
-@@ -2034,7 +2034,7 @@ ipcp_down(f)
-     /* Execute the ip-down script */
-     if (ipcp_script_state == s_up && ipcp_script_pid == 0) {
- 	ipcp_script_state = s_down;
--	ipcp_script(_PATH_IPDOWN, 0);
-+	ipcp_script(path_ipdown, 0);
-     }
- }
- 
-@@ -2097,13 +2097,13 @@ ipcp_script_done(arg)
-     case s_up:
- 	if (ipcp_fsm[0].state != OPENED) {
- 	    ipcp_script_state = s_down;
--	    ipcp_script(_PATH_IPDOWN, 0);
-+	    ipcp_script(path_ipdown, 0);
- 	}
- 	break;
-     case s_down:
- 	if (ipcp_fsm[0].state == OPENED) {
- 	    ipcp_script_state = s_up;
--	    ipcp_script(_PATH_IPUP, 0);
-+	    ipcp_script(path_ipup, 0);
- 	}
- 	break;
-     }
-diff --git a/pppd/main.c b/pppd/main.c
-index ed544315c1df..9164a1eb0f95 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -308,6 +308,9 @@ main(argc, argv)
-     struct protent *protp;
-     char numbuf[16];
- 
-+    strlcpy(path_ipup, _PATH_IPUP, sizeof(path_ipup));
-+    strlcpy(path_ipdown, _PATH_IPDOWN, sizeof(path_ipdown));
-+
-     link_stats_valid = 0;
-     new_phase(PHASE_INITIALIZE);
- 
-diff --git a/pppd/options.c b/pppd/options.c
-index 91da515ac533..a8f3aa4590a3 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -114,6 +114,8 @@ char	linkname[MAXPATHLEN];	/* logical name for link */
- bool	tune_kernel;		/* may alter kernel settings */
- int	connect_delay = 1000;	/* wait this many ms after connect script */
- int	req_unit = -1;		/* requested interface unit */
-+char	path_ipup[MAXPATHLEN];	/* pathname of ip-up script */
-+char	path_ipdown[MAXPATHLEN];/* pathname of ip-down script */
- char	req_ifname[MAXIFNAMELEN];	/* requested interface name */
- bool	multilink = 0;		/* Enable multilink operation */
- char	*bundle_name = NULL;	/* bundle name for multilink */
-@@ -304,6 +306,13 @@ option_t general_options[] = {
-       "Unset user environment variable",
-       OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint },
- 
-+    { "ip-up-script", o_string, path_ipup,
-+      "Set pathname of ip-up script",
-+      OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
-+    { "ip-down-script", o_string, path_ipdown,
-+      "Set pathname of ip-down script",
-+      OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
-+
- #ifdef HAVE_MULTILINK
-     { "multilink", o_bool, &multilink,
-       "Enable multilink operation", OPT_PRIO | 1 },
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index e65106d4c126..b11670586244 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -328,6 +328,8 @@ extern bool	tune_kernel;	/* May alter kernel settings as necessary */
- extern int	connect_delay;	/* Time to delay after connect script */
- extern int	max_data_rate;	/* max bytes/sec through charshunt */
- extern int	req_unit;	/* interface unit number to use */
-+extern char	path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
-+extern char	path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */
- extern char	req_ifname[MAXIFNAMELEN]; /* interface name to use */
- extern bool	multilink;	/* enable multilink operation */
- extern bool	noendpoint;	/* don't send or accept endpt. discrim. */
diff --git a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
deleted file mode 100644
index 32629026c..000000000
--- a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] ppp-2.4.2-stripMSdomain
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/chap-new.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/pppd/chap-new.c b/pppd/chap-new.c
-index 2714bff64785..7fd7087a5e2c 100644
---- a/pppd/chap-new.c
-+++ b/pppd/chap-new.c
-@@ -58,6 +58,7 @@ int (*chap_verify_hook)(char *name, char *ourname, int id,
- int chap_timeout_time = 3;
- int chap_max_transmits = 10;
- int chap_rechallenge_time = 0;
-+int chapms_strip_domain = 0;
- 
- /*
-  * Command-line options.
-@@ -69,6 +70,8 @@ static option_t chap_option_list[] = {
- 	  "Set max #xmits for challenge", OPT_PRIO },
- 	{ "chap-interval", o_int, &chap_rechallenge_time,
- 	  "Set interval for rechallenge", OPT_PRIO },
-+	{ "chapms-strip-domain", o_bool, &chapms_strip_domain,
-+	  "Strip the domain prefix before the Username", 1 },
- 	{ NULL }
- };
- 
-@@ -336,6 +339,14 @@ chap_handle_response(struct chap_server_state *ss, int id,
- 			/* Null terminate and clean remote name. */
- 			slprintf(rname, sizeof(rname), "%.*v", len, name);
- 			name = rname;
-+
-+			/* strip the MS domain name */
-+			if (chapms_strip_domain && strrchr(rname, '\\')) {
-+				char tmp[MAXNAMELEN+1];
-+
-+				strcpy(tmp, strrchr(rname, '\\') + 1);
-+				strcpy(rname, tmp);
-+			}
- 		}
- 
- 		if (chap_verify_hook)
diff --git a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
deleted file mode 100644
index 6a2e17088..000000000
--- a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] export $CALL_FILE to the link scripts
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/options.c | 1 +
- pppd/pppd.8    | 3 +++
- 2 files changed, 4 insertions(+)
-
-diff --git a/pppd/options.c b/pppd/options.c
-index a8f3aa4590a3..340797386dd6 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -1482,6 +1482,7 @@ callfile(argv)
-     if ((fname = (char *) malloc(l)) == NULL)
- 	novm("call file name");
-     slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg);
-+    script_setenv("CALL_FILE", arg, 0);
- 
-     ok = options_from_file(fname, 1, 1, 1);
- 
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 481aa8be672b..848ca8a16b77 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -1662,6 +1662,9 @@ the connection.
- .B LINKNAME
- The logical name of the link, set with the \fIlinkname\fR option.
- .TP
-+.B CALL_FILE
-+The value of the \fIcall\fR option.
-+.TP
- .B DNS1
- If the peer supplies DNS server addresses, this variable is set to the
- first DNS server address supplied (whether or not the usepeerdns
diff --git a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
deleted file mode 100644
index 01376cf14..000000000
--- a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] ipv6-accept-remote
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipv6cp.c | 5 ++++-
- pppd/ipv6cp.h | 3 ++-
- pppd/pppd.8   | 5 +++++
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
-index c1602f41c206..432170462196 100644
---- a/pppd/ipv6cp.c
-+++ b/pppd/ipv6cp.c
-@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = {
- 
-     { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local,
-       "Accept peer's interface identifier for us", 1 },
-+    { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote,
-+      "Accept peer's interface identifier for itself", 1 },
- 
-     { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip,
-       "Use (default) IPv4 address as interface identifier", 1 },
-@@ -435,6 +437,7 @@ ipv6cp_init(unit)
-     memset(ao, 0, sizeof(*ao));
- 
-     wo->accept_local = 1;
-+    wo->accept_remote = 1;
-     wo->neg_ifaceid = 1;
-     ao->neg_ifaceid = 1;
- 
-@@ -960,7 +963,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree)
- 		orc = CONFREJ;		/* Reject CI */
- 		break;
- 	    }
--	    if (!eui64_iszero(wo->hisid) && 
-+	    if (!eui64_iszero(wo->hisid) && !wo->accept_remote &&
- 		!eui64_equals(ifaceid, wo->hisid) && 
- 		eui64_iszero(go->hisid)) {
- 		    
-diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h
-index 2f4c06ddc189..1617707ebbde 100644
---- a/pppd/ipv6cp.h
-+++ b/pppd/ipv6cp.h
-@@ -150,7 +150,8 @@
- typedef struct ipv6cp_options {
-     int neg_ifaceid;		/* Negotiate interface identifier? */
-     int req_ifaceid;		/* Ask peer to send interface identifier? */
--    int accept_local;		/* accept peer's value for iface id? */
-+    int accept_local;		/* accept peer's value for our iface id? */
-+    int accept_remote;		/* accept peer's value for his iface id? */
-     int opt_local;		/* ourtoken set by option */
-     int opt_remote;		/* histoken set by option */
-     int use_ip;			/* use IP as interface identifier */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 848ca8a16b77..65bbe721f761 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6
- interface identifier, even if the local IPv6 interface identifier
- was specified in an option.
- .TP
-+.B ipv6cp\-accept\-remote
-+With this option, pppd will accept the peer's idea of its (remote)
-+IPv6 interface identifier, even if the remote IPv6 interface
-+identifier was specified in an option.
-+.TP
- .B ipv6cp\-max\-configure \fIn
- Set the maximum number of IPv6CP configure-request transmissions to
- \fIn\fR (default 10).
diff --git a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
deleted file mode 100644
index 2a8a029df..000000000
--- a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id()
-
-This fixes the following compile-time warning when building with
--D_FORTIFY_SOURCE=2:
-
-In file included from /usr/include/string.h:638:0,
-                 from ./includes.h:26,
-                 from clientid.c:12:
-In function 'strncat',
-    inlined from 'rc_map2id' at clientid.c:113:9:
-/usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to
-__builtin___strncat_chk might overflow destination buffer [enabled by default]
-   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
-   ^
-
-Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Last-Update: 2014-01-12
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/clientid.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/radius/clientid.c b/pppd/plugins/radius/clientid.c
-index d49579c43cc3..7de021139b56 100644
---- a/pppd/plugins/radius/clientid.c
-+++ b/pppd/plugins/radius/clientid.c
-@@ -110,7 +110,7 @@ UINT4 rc_map2id(char *name)
- 	if (*name != '/')
- 		strcpy(ttyname, "/dev/");
- 
--	strncat(ttyname, name, sizeof(ttyname));
-+	strncat(ttyname, name, sizeof(ttyname)-strlen(ttyname)-1);
- 
- 	for(p = map2id_list; p; p = p->next)
- 		if (!strcmp(ttyname, p->name)) return p->id;
diff --git a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
deleted file mode 100644
index e21f129ad..000000000
--- a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] Fix buffer overflow in rc_mksid()
-
- rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
- .
- If the process id is bigger than 65535 (FFFF), its hex representation will be
- longer than 4 characters, resulting in a buffer overflow.
- .
- The bug can be exploited to cause a remote DoS.
- .
-Author: Emanuele Rocca <ema@debian.org>
-Bug-Debian: https://bugs.debian.org/782450
-Last-Update: <2015-04-14>
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
-index 6f976a712951..166bd5f31d7a 100644
---- a/pppd/plugins/radius/util.c
-+++ b/pppd/plugins/radius/util.c
-@@ -77,7 +77,7 @@ rc_mksid (void)
-   static unsigned short int cnt = 0;
-   sprintf (buf, "%08lX%04X%02hX",
- 	   (unsigned long int) time (NULL),
--	   (unsigned int) getpid (),
-+	   (unsigned int) getpid () % 65535,
- 	   cnt & 0xFF);
-   cnt++;
-   return buf;
diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
deleted file mode 100644
index bd462d4f8..000000000
--- a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
+++ /dev/null
@@ -1,3383 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] EAP-TLS authentication support for PPP
-
-Origin: https://www.nikhef.nl/~janjust/ppp/download.html
-Bug-Debian: https://bugs.debian.org/602503
-Bug-Ubuntu: https://launchpad.net/bugs/643417
-Forwarded: not-needed
-Author: Jan Just Keijser <janjust@nikhef.nl>
-Last-Update: 2018-11-04
-
-This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following
-changes:
-
- - Patch refreshed to remove fuzz.
- - Trailing spaces removed.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- README.eap-tls              |  291 +++++++++
- etc.ppp/eaptls-client       |   10 +
- etc.ppp/eaptls-server       |   11 +
- etc.ppp/openssl.cnf         |   14 +
- linux/Makefile.top          |    6 +-
- pppd/Makefile.linux         |   12 +
- pppd/auth.c                 |  413 ++++++++++++-
- pppd/ccp.c                  |   20 +-
- pppd/chap-md5.c             |    4 +
- pppd/eap-tls.c              | 1383 +++++++++++++++++++++++++++++++++++++++++++
- pppd/eap-tls.h              |  107 ++++
- pppd/eap.c                  |  463 ++++++++++++++-
- pppd/eap.h                  |   32 +-
- pppd/md5.c                  |    4 +
- pppd/md5.h                  |    3 +
- pppd/pathnames.h            |    7 +
- pppd/plugins/Makefile.linux |    3 +
- pppd/plugins/passprompt.c   |    3 +
- pppd/plugins/passwordfd.c   |    4 +
- pppd/pppd.8                 |   33 ++
- pppd/pppd.h                 |    9 +
- 21 files changed, 2825 insertions(+), 7 deletions(-)
- create mode 100644 README.eap-tls
- create mode 100644 etc.ppp/eaptls-client
- create mode 100644 etc.ppp/eaptls-server
- create mode 100644 etc.ppp/openssl.cnf
- create mode 100644 pppd/eap-tls.c
- create mode 100644 pppd/eap-tls.h
-
-diff --git a/README.eap-tls b/README.eap-tls
-new file mode 100644
-index 000000000000..107e84db5e81
---- /dev/null
-+++ b/README.eap-tls
-@@ -0,0 +1,291 @@
-+EAP-TLS authentication support for PPP
-+======================================
-+
-+1. Intro
-+
-+    The Extensible Authentication Protocol (EAP; RFC 3748) is a
-+    security protocol that can be used with PPP.  It provides a means
-+    to plug in multiple optional authentication methods.
-+
-+    Transport Level Security (TLS; RFC 5216) provides for mutual
-+    authentication, integrity-protected ciphersuite negotiation and
-+    key exchange between two endpoints.  It also provides for optional
-+    MPPE encryption.
-+
-+    EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
-+    allowing TLS mutual authentication to be used as a generic EAP
-+    mechanism. It also provides optional encryption using the MPPE
-+    protocol.
-+
-+    This patch provide EAP-TLS support to pppd.
-+    This authentication method can be used in both client or server
-+    mode.
-+
-+2. Building
-+
-+    To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
-+    is required. Any version from 0.9.7 should work.
-+
-+    Configure, compile, and install as usual.
-+
-+3. Configuration
-+
-+    On the client side there are two ways to configure EAP-TLS:
-+
-+    1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
-+
-+    2. edit the /etc/ppp/eaptls-client file.
-+    Insert a line for each system with which you use EAP-TLS.
-+    The line is composed of this fields separated by tab:
-+
-+      - Client name
-+        The name used by the client for authentication, can be *
-+      - Server name
-+        The name of the server, can be *
-+      - Client certificate file
-+        The file containing the certificate chain for the
-+        client in PEM format
-+      - Server certificate file
-+        If you want to specify the certificate that the
-+        server is allowed to use, put the certificate file name.
-+        Else put a dash '-'.
-+      - CA certificate file
-+        The file containing the trusted CA certificates in PEM
-+        format.
-+      - Client private key file
-+        The file containing the client private key in PEM format.
-+
-+
-+    On the server side edit the /etc/ppp/eaptls-server file.
-+    Insert a line for each system with which you use EAP-TLS.
-+    The line is composed of this fields separated by tab:
-+
-+      - Client name
-+        The name used by the client for authentication, can be *
-+      - Server name
-+        The name of the server, can be *
-+      - Client certificate file
-+        If you want to specify the certificate that the
-+        client is allowed to use, put the certificate file name.
-+        Else put a dash '-'.
-+      - Server certificate file
-+        The file containing the certificate chain for the
-+        server in PEM format
-+      - CA certificate file
-+        The file containing the trusted CA certificates in PEM format.
-+      - Client private key file
-+        The file containing the server private key in PEM format.
-+      - addresses
-+        A list of IP addresses the client is allowed to use.
-+
-+
-+    OpenSSL engine support is included starting with v0.95 of this patch.
-+    Currently the only engine tested is the 'pkcs11' engine (hardware token
-+    support). To use the 'pksc11' engine:
-+      - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
-+          <engine>:<identifier>
-+        e.g.
-+          pkcs11:123456
-+
-+      - The certificate can also be loaded from the 'pkcs11' engine using
-+        a special client certificate filename in the /etc/ppp/eaptls-client file:
-+          <engine>:<identifier>
-+        e.g.
-+          pkcs11:123456
-+
-+      - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
-+        to starting 'pppd'. A sample openssl.cnf file is
-+
-+        openssl_conf = openssl_def
-+
-+        [ openssl_def ]
-+        engines = engine_section
-+
-+        [ engine_section ]
-+        pkcs11 = pkcs11_section
-+
-+        [ pkcs11_section ]
-+        engine_id = pkcs11
-+        dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
-+        MODULE_PATH = /usr/lib64/libeTPkcs11.so
-+        init = 0
-+
-+      - There are two ways to specify a password/PIN for the PKCS11 engine:
-+          - inside the openssl.cnf file using
-+              PIN = your-secret-pin
-+            Note The keyword 'PIN' is case sensitive!
-+          - Using the 'password' in the ppp options file.
-+        From v0.97 of the eap-tls patch the password can also be supplied
-+        using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
-+        for an example).
-+
-+
-+4. Options
-+
-+    These pppd options are available:
-+
-+      ca <ca-file>
-+        Use the CA public certificate found in <ca-file> in PEM format
-+      cert <cert-file>
-+        Use the client public certificate found in <cert-file> in PEM format
-+        or in engine:engine_id format
-+      key <key-file>
-+        Use the client private key found in <key-file> in PEM format
-+        or in engine:engine_id format
-+      crl <crl-file>
-+        Use the Certificate Revocation List (CRL) file <crl-file> in PEM format.
-+      crl-dir <dir>
-+        Use CRL files from directory <dir>. It contains CRL files in PEM
-+        format and each file contains a CRL. The files are looked up
-+        by the issuer name hash value. Use the c_rehash utility
-+        to create necessary links.
-+      need-peer-eap
-+        If the peer doesn't ask us to authenticate or doesn't use eap
-+        to authenticate us, disconnect.
-+
-+    Note:
-+      password-encrypted certificates can be used as of v0.94 of this
-+      patch. The password for the eap-tls.key file is specified using
-+      the regular
-+          password ....
-+      statement in the ppp options file, or by using the appropriate
-+      plugin which supplies a 'eaptls_passwd_hook' routine.
-+
-+5. Connecting
-+
-+    If you're setting up a pppd server, edit the EAP-TLS configuration file
-+    as written above and then run pppd with the 'auth' option to authenticate
-+    the client. The EAP-TLS method will be used if the other eap methods can't
-+    be used (no secrets).
-+
-+    If you're setting up a client, edit the configuration file and then run
-+    pppd with 'remotename' option to specify the server name. Add the
-+    'need-peer-eap' option if you want to be sure the peer ask you to
-+    authenticate (and to use eap) and to disconnect if it doesn't.
-+
-+6. Example
-+
-+    The following example can be used to connect a Linux client with the 'pptp'
-+    package to a Linux server running the 'pptpd' (PoPToP) package. The server
-+    was configured with a certificate with name (CN) 'pptp-server', the client
-+    was configured with a certificate with name (CN) 'pptp-client', both
-+    signed by the same Certificate Authority (CA).
-+
-+    Server side:
-+      - /etc/pptpd.conf file:
-+          option /etc/ppp/options-pptpd-eaptls
-+          localip 172.16.1.1
-+          remoteip 172.16.1.10-20
-+      - /etc/ppp/options-pptpd-eaptls file:
-+          name pptp-server
-+          lock
-+          mtu 1500
-+          mru 1450
-+          auth
-+          lcp-echo-failure 3
-+          lcp-echo-interval 5
-+          nodeflate
-+          nobsdcomp
-+          nopredictor1
-+          nopcomp
-+          noaccomp
-+
-+          require-eap
-+          require-mppe-128
-+
-+          crl /home/janjust/ppp/keys/crl.pem
-+
-+          debug
-+          logfile /tmp/pppd.log
-+
-+      - /etc/ppp/eaptls-server file:
-+           * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key *
-+
-+      - On the server, run
-+          pptdp --conf /etc/pptpd.conf
-+
-+    Client side:
-+      - Run
-+          pppd noauth require-eap require-mppe-128 \
-+            ipcp-accept-local ipcp-accept-remote noipdefault \
-+            cert  /etc/ppp/keys/pptp-client.crt \
-+            key   /etc/ppp/keys/pptp-client.key \
-+            ca    /etc/ppp/keys/ca.crt \
-+            name pptp-client remotename pptp-server \
-+            debug logfile /tmp/pppd.log
-+            pty "pptp pptp-server.example.com --nolaunchpppd"
-+
-+    Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info.
-+
-+7. Notes
-+
-+    This is experimental code.
-+    Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>
-+
-+8. Changelog of ppp-<>-eaptls-mppe-* patches
-+
-+v0.7     (22-Nov-2005)
-+ - First version of the patch to include MPPE support
-+ - ppp-2.4.3 only
-+v0.9     (25-Jul-2006)
-+ - Bug fixes
-+ - First version for ppp-2.4.4
-+v0.91    (03-Sep-2006)
-+ - Added missing #include for md5.h
-+ - Last version for ppp-2.4.3
-+v0.92    (22-Apr-2008)
-+ - Fix for openssl 0.9.8 issue with md5 function overload.
-+v0.93    (14-Aug-2008)
-+ - Make sure 'noauth' option can be used to bypass server certificate verification.
-+v0.94    (15-Oct-2008)
-+ - Added support for password-protected private keys by (ab)using the 'password' field.
-+v0.95    (23-Dec-2009)
-+ - First version with OpenSSL engine support.
-+v0.96    (27-Jan-2010)
-+ - Added fully functional support for OpenSSL engines (PKCS#11)
-+ - First version for ppp-2.4.5
-+v0.97    (20-Apr-2010)
-+ - Some bug fixes for v0.96
-+ - Added support for entering the password via a plugin. The sample plugin
-+     .../pppd/plugins/passprompt.c has been extended with EAP-TLS support.
-+   The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work.
-+ - Added support for specifying the client CA, certificate and private key on the command-line
-+   or via the ppp config file.
-+v0.98    (20-Apr-2010)
-+ - Fix initialisation bug when using ca/cert/key command-line options.
-+ - Last version for ppp-2.4.4
-+v0.99    (05-Oct-2010)
-+ - Fix coredump when using multilink option.
-+v0.991   (08-Aug-2011)
-+ - Fix compilation issue with openssl 1.0.
-+v0.992   (01-Dec-2011)
-+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin.
-+v0.993   (24-Apr-2012)
-+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile.
-+v0.994   (11-Jun-2012)
-+ - Fix compilation issue on Ubuntu 11.10.
-+v0.995   (27-May-2014)
-+ - Add support for a CRL file using the command-line option 'crl'
-+   (prior only 'crl-dir' was supported).
-+ - Fix segfault when pkcs11 enginename was not specified correctly.
-+ - Fix segfault when client was misconfigured.
-+ - Disable SSL Session Ticket support as Windows 8 does not support this.
-+v0.996   (28-May-2014)
-+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4'
-+ - Add EAP-TLS-specific options to pppd.8 manual page.
-+ - Updated README.eap-tls file with new options and provide an example.
-+v0.997   (19-Jun-2014)
-+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
-+ - Fix bug in initialisation code with fragmented packets.
-+v0.998   (13-Mar-2015)
-+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620
-+v0.999   (11-May-2017)
-+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x.
-+v1.101 (1-Jun-2018)
-+ - Fix vulnerabilities CVE-2018-11574.
-+v1.102 (2-Nov-2018)
-+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2.
-+   This works both when compiling against OpenSSL 1.0.1+ and 1.1+.
-+ - Print warning when certificate is either not yet valid or has expired.
-+ - Perform better peer certificate checks.
-+ - Allow certificate chain files to be used.
-diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
-new file mode 100644
-index 000000000000..7782f0e2a065
---- /dev/null
-+++ b/etc.ppp/eaptls-client
-@@ -0,0 +1,10 @@
-+# Parameters for authentication using EAP-TLS (client)
-+
-+# client name (can be *)
-+# server name (can be *)
-+# client certificate file (required)
-+# server certificate file (optional, if unused put '-')
-+# CA certificate file (required)
-+# client private key file (required)
-+
-+#client	server	/root/cert/client.crt	-	/root/cert/ca.crt	/root/cert/client.key
-diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
-new file mode 100644
-index 000000000000..fa53cbd197cf
---- /dev/null
-+++ b/etc.ppp/eaptls-server
-@@ -0,0 +1,11 @@
-+# Parameters for authentication using EAP-TLS (server)
-+
-+# client name (can be *)
-+# server name (can be *)
-+# client certificate file (optional, if unused put '-')
-+# server certificate file (required)
-+# CA certificate file (required)
-+# server private key file (required)
-+# allowed addresses (required, can be *)
-+
-+#client	server	-	/root/cert/server.crt	/root/cert/ca.crt	/root/cert/server.key	192.168.1.0/24
-diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
-new file mode 100644
-index 000000000000..dd32f305d680
---- /dev/null
-+++ b/etc.ppp/openssl.cnf
-@@ -0,0 +1,14 @@
-+openssl_conf = openssl_def
-+
-+[ openssl_def ]
-+engines = engine_section
-+
-+[ engine_section ]
-+pkcs11 = pkcs11_section
-+
-+[ pkcs11_section ]
-+engine_id = pkcs11
-+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
-+MODULE_PATH = /usr/lib64/libeTPkcs11.so
-+init = 0
-+
-diff --git a/linux/Makefile.top b/linux/Makefile.top
-index f63d45e58a78..894f8f32c9e4 100644
---- a/linux/Makefile.top
-+++ b/linux/Makefile.top
-@@ -26,7 +26,7 @@ install-progs:
- 	cd pppdump; $(MAKE) $(MFLAGS) install
- 
- install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
--	$(ETCDIR)/chap-secrets
-+	$(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client
- 
- install-devel:
- 	cd pppd; $(MAKE) $(MFLAGS) install-devel
-@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets:
- 	$(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
- $(ETCDIR)/chap-secrets:
- 	$(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
-+$(ETCDIR)/eaptls-server:
-+	$(INSTALL) -c -m 600 etc.ppp/eaptls-server $@
-+$(ETCDIR)/eaptls-client:
-+	$(INSTALL) -c -m 600 etc.ppp/eaptls-client $@
- 
- $(BINDIR):
- 	$(INSTALL) -d -m 755 $@
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 5549145e5791..4a11d5fea748 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -76,6 +76,9 @@ CBCP=y
- # Use libutil
- USE_LIBUTIL=y
- 
-+# Enable EAP-TLS authentication (requires libssl and libcrypto)
-+USE_EAPTLS=y
-+
- MAXOCTETS=y
- 
- INCLUDE_DIRS= -I../include
-@@ -116,6 +119,15 @@ HEADERS += sha1.h
- PPPDOBJS += sha1.o
- endif
- 
-+# EAP-TLS
-+ifdef USE_EAPTLS
-+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
-+LIBS += -lssl -lcrypto
-+PPPDSRC += eap-tls.c
-+HEADERS += eap-tls.h
-+PPPDOBJS += eap-tls.o
-+endif
-+
- ifdef HAS_SHADOW
- CFLAGS   += -DHAS_SHADOW
- #LIBS     += -lshadow $(LIBS)
-diff --git a/pppd/auth.c b/pppd/auth.c
-index 4271af687102..45065c58bfcc 100644
---- a/pppd/auth.c
-+++ b/pppd/auth.c
-@@ -109,6 +109,9 @@
- #include "upap.h"
- #include "chap-new.h"
- #include "eap.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#endif
- #ifdef CBCP_SUPPORT
- #include "cbcp.h"
- #endif
-@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
- /* Hook for a plugin to get the CHAP password for authenticating us */
- int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
- 
-+#ifdef USE_EAPTLS
-+/* Hook for a plugin to get the EAP-TLS password for authenticating us */
-+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL;
-+#endif
-+
- /* Hook for a plugin to say whether it is OK if the peer
-    refuses to authenticate. */
- int (*null_auth_hook) __P((struct wordlist **paddrs,
-@@ -238,6 +246,14 @@ bool explicit_remote = 0;	/* User specified explicit remote name */
- bool explicit_user = 0;		/* Set if "user" option supplied */
- bool explicit_passwd = 0;	/* Set if "password" option supplied */
- char remote_name[MAXNAMELEN];	/* Peer's name for authentication */
-+#ifdef USE_EAPTLS
-+char *cacert_file  = NULL;	/* CA certificate file (pem format) */
-+char *cert_file    = NULL;	/* client certificate file (pem format) */
-+char *privkey_file = NULL;	/* client private key file (pem format) */
-+char *crl_dir      = NULL;	/* directory containing CRL files */
-+char *crl_file     = NULL;	/* Certificate Revocation List (CRL) file (pem format) */
-+bool need_peer_eap = 0;			/* Require peer to authenticate us */
-+#endif
- 
- static char *uafname;		/* name of most recent +ua file */
- 
-@@ -254,6 +270,19 @@ static int  have_pap_secret __P((int *));
- static int  have_chap_secret __P((char *, char *, int, int *));
- static int  have_srp_secret __P((char *client, char *server, int need_ip,
-     int *lacks_ipp));
-+
-+#ifdef USE_EAPTLS
-+static int  have_eaptls_secret_server
-+__P((char *client, char *server, int need_ip, int *lacks_ipp));
-+static int  have_eaptls_secret_client __P((char *client, char *server));
-+static int  scan_authfile_eaptls __P((FILE * f, char *client, char *server,
-+			       char *cli_cert, char *serv_cert,
-+			       char *ca_cert, char *pk,
-+			       struct wordlist ** addrs,
-+			       struct wordlist ** opts,
-+			       char *filename, int flags));
-+#endif
-+
- static int  ip_addr_check __P((u_int32_t, struct permitted_ip *));
- static int  scan_authfile __P((FILE *, char *, char *, char *,
- 			       struct wordlist **, struct wordlist **,
-@@ -401,6 +430,15 @@ option_t auth_options[] = {
-       "Set telephone number(s) which are allowed to connect",
-       OPT_PRIV | OPT_A2LIST },
- 
-+#ifdef USE_EAPTLS
-+    { "ca", o_string, &cacert_file,   "EAP-TLS CA certificate in PEM format" },
-+    { "cert", o_string, &cert_file,   "EAP-TLS client certificate in PEM format" },
-+    { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
-+    { "crl-dir", o_string, &crl_dir,  "Use CRLs in directory" },
-+    { "crl", o_string, &crl_file,     "Use specific CRL file" },
-+    { "need-peer-eap", o_bool, &need_peer_eap,
-+      "Require the peer to authenticate us", 1 },
-+#endif /* USE_EAPTLS */
-     { NULL }
- };
- 
-@@ -730,6 +768,9 @@ link_established(unit)
-     lcp_options *wo = &lcp_wantoptions[unit];
-     lcp_options *go = &lcp_gotoptions[unit];
-     lcp_options *ho = &lcp_hisoptions[unit];
-+#ifdef USE_EAPTLS
-+    lcp_options *ao = &lcp_allowoptions[unit];
-+#endif
-     int i;
-     struct protent *protp;
- 
-@@ -764,6 +805,22 @@ link_established(unit)
- 	}
-     }
- 
-+#ifdef USE_EAPTLS
-+    if (need_peer_eap && !ao->neg_eap) {
-+	warn("eap required to authenticate us but no suitable secrets");
-+	lcp_close(unit, "couldn't negotiate eap");
-+	status = EXIT_AUTH_TOPEER_FAILED;
-+	return;
-+    }
-+
-+    if (need_peer_eap && !ho->neg_eap) {
-+	warn("peer doesn't want to authenticate us with eap");
-+	lcp_close(unit, "couldn't negotiate eap");
-+	status = EXIT_PEER_AUTH_FAILED;
-+	return;
-+    }
-+#endif
-+
-     new_phase(PHASE_AUTHENTICATE);
-     auth = 0;
-     if (go->neg_eap) {
-@@ -1277,6 +1334,15 @@ auth_check_options()
- 				    our_name, 1, &lacks_ip);
-     }
- 
-+#ifdef USE_EAPTLS
-+    if (!can_auth && wo->neg_eap) {
-+	can_auth =
-+	    have_eaptls_secret_server((explicit_remote ? remote_name :
-+				       NULL), our_name, 1, &lacks_ip);
-+
-+    }
-+#endif
-+
-     if (auth_required && !can_auth && noauth_addrs == NULL) {
- 	if (default_auth) {
- 	    option_error(
-@@ -1331,7 +1397,11 @@ auth_reset(unit)
- 	passwd[0] != 0 ||
- 	(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
- 	    (explicit_remote? remote_name: NULL), 0, NULL))) ||
--	have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL));
-+	have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
-+#ifdef USE_EAPTLS
-+		|| have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
-+#endif
-+	);
- 
-     hadchap = -1;
-     if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
-@@ -1346,8 +1416,14 @@ auth_reset(unit)
- 	    !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
- 		1, NULL))) &&
- 	!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
--	    NULL))
-+	    NULL)
-+#ifdef USE_EAPTLS
-+	 && !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
-+				   our_name, 1, NULL)
-+#endif
-+		)
- 	go->neg_eap = 0;
-+
- }
- 
- 
-@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
- }
- 
- 
-+
- /*
-  * get_secret - open the CHAP secret file and return the secret
-  * for authenticating the given client on the given server.
-@@ -2359,3 +2436,335 @@ auth_script(script)
- 
-     auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
- }
-+
-+
-+#ifdef USE_EAPTLS
-+static int
-+have_eaptls_secret_server(client, server, need_ip, lacks_ipp)
-+    char *client;
-+    char *server;
-+    int need_ip;
-+    int *lacks_ipp;
-+{
-+    FILE *f;
-+    int ret;
-+    char *filename;
-+    struct wordlist *addrs;
-+    char servcertfile[MAXWORDLEN];
-+    char clicertfile[MAXWORDLEN];
-+    char cacertfile[MAXWORDLEN];
-+    char pkfile[MAXWORDLEN];
-+
-+    filename = _PATH_EAPTLSSERVFILE;
-+    f = fopen(filename, "r");
-+    if (f == NULL)
-+		return 0;
-+
-+    if (client != NULL && client[0] == 0)
-+		client = NULL;
-+    else if (server != NULL && server[0] == 0)
-+		server = NULL;
-+
-+    ret =
-+	scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
-+			     cacertfile, pkfile, &addrs, NULL, filename,
-+			     0);
-+
-+    fclose(f);
-+
-+/*
-+    if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile,
-+				clicertfile, pkfile))
-+		ret = -1;
-+*/
-+
-+	if (ret >= 0 && need_ip && !some_ip_ok(addrs)) {
-+		if (lacks_ipp != 0)
-+			*lacks_ipp = 1;
-+		ret = -1;
-+    }
-+    if (addrs != 0)
-+		free_wordlist(addrs);
-+
-+    return ret >= 0;
-+}
-+
-+
-+static int
-+have_eaptls_secret_client(client, server)
-+    char *client;
-+    char *server;
-+{
-+    FILE *f;
-+    int ret;
-+    char *filename;
-+    struct wordlist *addrs = NULL;
-+    char servcertfile[MAXWORDLEN];
-+    char clicertfile[MAXWORDLEN];
-+    char cacertfile[MAXWORDLEN];
-+    char pkfile[MAXWORDLEN];
-+
-+    if (client != NULL && client[0] == 0)
-+		client = NULL;
-+    else if (server != NULL && server[0] == 0)
-+		server = NULL;
-+
-+	if (cacert_file && cert_file && privkey_file)
-+		return 1;
-+
-+    filename = _PATH_EAPTLSCLIFILE;
-+    f = fopen(filename, "r");
-+    if (f == NULL)
-+		return 0;
-+
-+    ret =
-+	scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
-+			     cacertfile, pkfile, &addrs, NULL, filename,
-+			     0);
-+    fclose(f);
-+
-+/*
-+    if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile,
-+				servcertfile, pkfile))
-+		ret = -1;
-+*/
-+
-+    if (addrs != 0)
-+		free_wordlist(addrs);
-+
-+    return ret >= 0;
-+}
-+
-+
-+static int
-+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk,
-+		     addrs, opts, filename, flags)
-+    FILE *f;
-+    char *client;
-+    char *server;
-+    char *cli_cert;
-+    char *serv_cert;
-+    char *ca_cert;
-+    char *pk;
-+    struct wordlist **addrs;
-+    struct wordlist **opts;
-+    char *filename;
-+    int flags;
-+{
-+    int newline;
-+    int got_flag, best_flag;
-+    struct wordlist *ap, *addr_list, *alist, **app;
-+    char word[MAXWORDLEN];
-+
-+    if (addrs != NULL)
-+	*addrs = NULL;
-+    if (opts != NULL)
-+	*opts = NULL;
-+    addr_list = NULL;
-+    if (!getword(f, word, &newline, filename))
-+	return -1;		/* file is empty??? */
-+    newline = 1;
-+    best_flag = -1;
-+    for (;;) {
-+	/*
-+	 * Skip until we find a word at the start of a line.
-+	 */
-+	while (!newline && getword(f, word, &newline, filename));
-+	if (!newline)
-+	    break;		/* got to end of file */
-+
-+	/*
-+	 * Got a client - check if it's a match or a wildcard.
-+	 */
-+	got_flag = 0;
-+	if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) {
-+	    newline = 0;
-+	    continue;
-+	}
-+	if (!ISWILD(word))
-+	    got_flag = NONWILD_CLIENT;
-+
-+	/*
-+	 * Now get a server and check if it matches.
-+	 */
-+	if (!getword(f, word, &newline, filename))
-+	    break;
-+	if (newline)
-+	    continue;
-+	if (!ISWILD(word)) {
-+	    if (server != NULL && strcmp(word, server) != 0)
-+		continue;
-+	    got_flag |= NONWILD_SERVER;
-+	}
-+
-+	/*
-+	 * Got some sort of a match - see if it's better than what
-+	 * we have already.
-+	 */
-+	if (got_flag <= best_flag)
-+	    continue;
-+
-+	/*
-+	 * Get the cli_cert
-+	 */
-+	if (!getword(f, word, &newline, filename))
-+	    break;
-+	if (newline)
-+	    continue;
-+	if (strcmp(word, "-") != 0) {
-+	    strlcpy(cli_cert, word, MAXWORDLEN);
-+	} else
-+	    cli_cert[0] = 0;
-+
-+	/*
-+	 * Get serv_cert
-+	 */
-+	if (!getword(f, word, &newline, filename))
-+	    break;
-+	if (newline)
-+	    continue;
-+	if (strcmp(word, "-") != 0) {
-+	    strlcpy(serv_cert, word, MAXWORDLEN);
-+	} else
-+	    serv_cert[0] = 0;
-+
-+	/*
-+	 * Get ca_cert
-+	 */
-+	if (!getword(f, word, &newline, filename))
-+	    break;
-+	if (newline)
-+	    continue;
-+	strlcpy(ca_cert, word, MAXWORDLEN);
-+
-+	/*
-+	 * Get pk
-+	 */
-+	if (!getword(f, word, &newline, filename))
-+	    break;
-+	if (newline)
-+	    continue;
-+	strlcpy(pk, word, MAXWORDLEN);
-+
-+
-+	/*
-+	 * Now read address authorization info and make a wordlist.
-+	 */
-+	app = &alist;
-+	for (;;) {
-+	    if (!getword(f, word, &newline, filename) || newline)
-+		break;
-+	    ap = (struct wordlist *)
-+		malloc(sizeof(struct wordlist) + strlen(word) + 1);
-+	    if (ap == NULL)
-+		novm("authorized addresses");
-+	    ap->word = (char *) (ap + 1);
-+	    strcpy(ap->word, word);
-+	    *app = ap;
-+	    app = &ap->next;
-+	}
-+	*app = NULL;
-+	/*
-+	 * This is the best so far; remember it.
-+	 */
-+	best_flag = got_flag;
-+	if (addr_list)
-+	    free_wordlist(addr_list);
-+	addr_list = alist;
-+
-+	if (!newline)
-+	    break;
-+    }
-+
-+    /* scan for a -- word indicating the start of options */
-+    for (app = &addr_list; (ap = *app) != NULL; app = &ap->next)
-+	if (strcmp(ap->word, "--") == 0)
-+	    break;
-+    /* ap = start of options */
-+    if (ap != NULL) {
-+	ap = ap->next;		/* first option */
-+	free(*app);		/* free the "--" word */
-+	*app = NULL;		/* terminate addr list */
-+    }
-+    if (opts != NULL)
-+	*opts = ap;
-+    else if (ap != NULL)
-+	free_wordlist(ap);
-+    if (addrs != NULL)
-+	*addrs = addr_list;
-+    else if (addr_list != NULL)
-+	free_wordlist(addr_list);
-+
-+    return best_flag;
-+}
-+
-+
-+int
-+get_eaptls_secret(unit, client, server, clicertfile, servcertfile,
-+		  cacertfile, pkfile, am_server)
-+    int unit;
-+    char *client;
-+    char *server;
-+    char *clicertfile;
-+    char *servcertfile;
-+    char *cacertfile;
-+    char *pkfile;
-+    int am_server;
-+{
-+    FILE *fp;
-+    int ret;
-+    char *filename         = NULL;
-+    struct wordlist *addrs = NULL;
-+    struct wordlist *opts  = NULL;
-+
-+	/* in client mode the ca+cert+privkey can also be specified as options */
-+	if (!am_server && cacert_file && cert_file && privkey_file )
-+	{
-+		strlcpy( clicertfile, cert_file, MAXWORDLEN );
-+		strlcpy( cacertfile, cacert_file, MAXWORDLEN );
-+		strlcpy( pkfile, privkey_file, MAXWORDLEN );
-+		servcertfile[0] = '\0';
-+	}
-+	else
-+	{
-+		filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);
-+		addrs = NULL;
-+
-+		fp = fopen(filename, "r");
-+		if (fp == NULL)
-+		{
-+			error("Can't open eap-tls secret file %s: %m", filename);
-+			return 0;
-+   	 	}
-+
-+		check_access(fp, filename);
-+
-+		ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile,
-+				cacertfile, pkfile, &addrs, &opts, filename, 0);
-+
-+		fclose(fp);
-+
-+		if (ret < 0) return 0;
-+	}
-+
-+    if (eaptls_passwd_hook)
-+    {
-+		dbglog( "Calling eaptls password hook" );
-+		if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0)
-+		{
-+	   		 error("Unable to obtain EAP-TLS password for %s (%s) from plugin",
-+				client, pkfile);
-+		    return 0;
-+		}
-+	}
-+    if (am_server)
-+		set_allowed_addrs(unit, addrs, opts);
-+    else if (opts != NULL)
-+		free_wordlist(opts);
-+    if (addrs != NULL)
-+		free_wordlist(addrs);
-+
-+    return 1;
-+}
-+#endif
-+
-diff --git a/pppd/ccp.c b/pppd/ccp.c
-index 7d7922afcfc0..0a93b15aeef3 100644
---- a/pppd/ccp.c
-+++ b/pppd/ccp.c
-@@ -540,6 +540,9 @@ ccp_resetci(f)
-     if (go->mppe) {
- 	ccp_options *ao = &ccp_allowoptions[f->unit];
- 	int auth_mschap_bits = auth_done[f->unit];
-+#ifdef USE_EAPTLS
-+	int auth_eap_bits = auth_done[f->unit];
-+#endif
- 	int numbits;
- 
- 	/*
-@@ -567,8 +570,23 @@ ccp_resetci(f)
- 	    lcp_close(f->unit, "MPPE required but not available");
- 	    return;
- 	}
-+
-+#ifdef USE_EAPTLS
-+    /*
-+     * MPPE is also possible in combination with EAP-TLS.
-+     * It is not possible to detect if we're doing EAP or EAP-TLS
-+     * at this stage, hence we accept all forms of EAP. If TLS is
-+     * not used then the MPPE keys will not be derived anyway.
-+     */
-+	/* Leave only the eap auth bits set */
-+	auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );
-+
-+	if ((numbits == 0) && (auth_eap_bits == 0)) {
-+	    error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
-+#else
- 	if (!numbits) {
--	    error("MPPE required, but MS-CHAP[v2] auth not performed.");
-+		error("MPPE required, but MS-CHAP[v2] auth not performed.");
-+#endif
- 	    lcp_close(f->unit, "MPPE required but not available");
- 	    return;
- 	}
-diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
-index 77dd4ecc7059..269b52cb2041 100644
---- a/pppd/chap-md5.c
-+++ b/pppd/chap-md5.c
-@@ -36,7 +36,11 @@
- #include "chap-new.h"
- #include "chap-md5.h"
- #include "magic.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#else
- #include "md5.h"
-+#endif /* USE_EAPTLS */
- 
- #define MD5_HASH_SIZE		16
- #define MD5_MIN_CHALLENGE	16
-diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
-new file mode 100644
-index 000000000000..df4bc1b996c9
---- /dev/null
-+++ b/pppd/eap-tls.c
-@@ -0,0 +1,1383 @@
-+/* * eap-tls.c - EAP-TLS implementation for PPP
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+
-+#include <openssl/conf.h>
-+#include <openssl/engine.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/x509v3.h>
-+
-+#include "pppd.h"
-+#include "eap.h"
-+#include "eap-tls.h"
-+#include "fsm.h"
-+#include "lcp.h"
-+#include "pathnames.h"
-+
-+/* The openssl configuration file and engines can be loaded only once */
-+static CONF   *ssl_config  = NULL;
-+static ENGINE *cert_engine = NULL;
-+static ENGINE *pkey_engine = NULL;
-+
-+#ifdef MPPE
-+
-+#define EAPTLS_MPPE_KEY_LEN     32
-+
-+/*
-+ * The following stuff is only needed if SSL_export_keying_material() is not available
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+
-+/*
-+ * https://wiki.openssl.org/index.php/1.1_API_Changes
-+ * tries to provide some guidance but ultimately falls short.
-+ *
-+ */
-+
-+static void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+	if (ctx != NULL) {
-+		HMAC_CTX_cleanup(ctx);
-+		OPENSSL_free(ctx);
-+	}
-+}
-+
-+static HMAC_CTX *HMAC_CTX_new(void)
-+{
-+	HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+	if (ctx != NULL)
-+		HMAC_CTX_init(ctx);
-+	return ctx;
-+}
-+
-+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
-+				    size_t outlen)
-+{
-+	if (outlen == 0)
-+		return sizeof(ssl->s3->client_random);
-+	if (outlen > sizeof(ssl->s3->client_random))
-+		outlen = sizeof(ssl->s3->client_random);
-+	memcpy(out, ssl->s3->client_random, outlen);
-+	return outlen;
-+}
-+
-+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
-+				    size_t outlen)
-+{
-+	if (outlen == 0)
-+		return sizeof(ssl->s3->server_random);
-+	if (outlen > sizeof(ssl->s3->server_random))
-+		outlen = sizeof(ssl->s3->server_random);
-+	memcpy(out, ssl->s3->server_random, outlen);
-+	return outlen;
-+}
-+
-+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-+				         unsigned char *out, size_t outlen)
-+{
-+	if (outlen == 0)
-+		return session->master_key_length;
-+	if (outlen > session->master_key_length)
-+		outlen = session->master_key_length;
-+	memcpy(out, session->master_key, outlen);
-+	return outlen;
-+}
-+
-+
-+/*
-+ * TLS PRF from RFC 2246
-+ */
-+static void P_hash(const EVP_MD *evp_md,
-+		   const unsigned char *secret, unsigned int secret_len,
-+		   const unsigned char *seed,   unsigned int seed_len,
-+		   unsigned char *out, unsigned int out_len)
-+{
-+	HMAC_CTX *ctx_a, *ctx_out;
-+	unsigned char a[HMAC_MAX_MD_CBLOCK];
-+	unsigned int size;
-+
-+	ctx_a = HMAC_CTX_new();
-+	ctx_out = HMAC_CTX_new();
-+	HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
-+	HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
-+
-+	size = HMAC_size(ctx_out);
-+
-+	/* Calculate A(1) */
-+	HMAC_Update(ctx_a, seed, seed_len);
-+	HMAC_Final(ctx_a, a, NULL);
-+
-+	while (1) {
-+		/* Calculate next part of output */
-+		HMAC_Update(ctx_out, a, size);
-+		HMAC_Update(ctx_out, seed, seed_len);
-+
-+		/* Check if last part */
-+		if (out_len < size) {
-+			HMAC_Final(ctx_out, a, NULL);
-+			memcpy(out, a, out_len);
-+			break;
-+		}
-+
-+		/* Place digest in output buffer */
-+		HMAC_Final(ctx_out, out, NULL);
-+		HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
-+		out += size;
-+		out_len -= size;
-+
-+		/* Calculate next A(i) */
-+		HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
-+		HMAC_Update(ctx_a, a, size);
-+		HMAC_Final(ctx_a, a, NULL);
-+	}
-+
-+	HMAC_CTX_free(ctx_a);
-+	HMAC_CTX_free(ctx_out);
-+	memset(a, 0, sizeof(a));
-+}
-+
-+static void PRF(const unsigned char *secret, unsigned int secret_len,
-+		const unsigned char *seed,   unsigned int seed_len,
-+		unsigned char *out, unsigned char *buf, unsigned int out_len)
-+{
-+	    unsigned int i;
-+	    unsigned int len = (secret_len + 1) / 2;
-+	const unsigned char *s1 = secret;
-+	const unsigned char *s2 = secret + (secret_len - len);
-+
-+	P_hash(EVP_md5(),  s1, len, seed, seed_len, out, out_len);
-+	P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
-+
-+	for (i=0; i < out_len; i++) {
-+	        out[i] ^= buf[i];
-+	}
-+}
-+
-+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+                               const char *label, size_t llen,
-+                               const unsigned char *p, size_t plen,
-+                               int use_context)
-+{
-+	unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
-+	unsigned char buf[4*EAPTLS_MPPE_KEY_LEN];
-+	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-+	size_t master_key_length;
-+	unsigned char *pp;
-+
-+	pp = seed;
-+
-+	memcpy(pp, label, llen);
-+	pp += llen;
-+
-+	llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE);
-+	pp += SSL3_RANDOM_SIZE;
-+
-+	llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE);
-+
-+	master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
-+						   sizeof(master_key));
-+	PRF(master_key, master_key_length, seed, llen, out, buf, olen);
-+
-+	return 1;
-+}
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */
-+
-+
-+/*
-+ *  OpenSSL 1.1+ introduced a generic TLS_method()
-+ *  For older releases we substitute the appropriate method
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#define TLS_method SSLv23_method
-+
-+#define SSL3_RT_HEADER	0x100
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
-+
-+/*
-+ *  Generate keys according to RFC 2716 and add to reply
-+ */
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
-+	                      int client)
-+{
-+	unsigned char  out[4*EAPTLS_MPPE_KEY_LEN];
-+	size_t         prf_size = strlen(prf_label);
-+	unsigned char *p;
-+
-+	if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1)
-+	{
-+	    warn( "EAP-TLS: Failed generating keying material" );
-+	    return;
-+	}
-+
-+	/*
-+	 * We now have the master send and receive keys.
-+	 * From these, generate the session send and receive keys.
-+	 * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
-+	 */
-+	if (client)
-+	{
-+	    p = out;
-+		BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+		p += EAPTLS_MPPE_KEY_LEN;
-+		BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+	}
-+	else
-+	{
-+		p = out;
-+		BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+		p += EAPTLS_MPPE_KEY_LEN;
-+		BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+	}
-+
-+	mppe_keys_set = 1;
-+}
-+
-+#endif
-+
-+void log_ssl_errors( void )
-+{
-+	unsigned long ssl_err = ERR_get_error();
-+
-+	if (ssl_err != 0)
-+		dbglog("EAP-TLS SSL error stack:");
-+	while (ssl_err != 0) {
-+		dbglog( ERR_error_string( ssl_err, NULL ) );
-+		ssl_err = ERR_get_error();
-+	}
-+}
-+
-+
-+int password_callback (char *buf, int size, int rwflag, void *u)
-+{
-+	if (buf)
-+	{
-+		strncpy (buf, passwd, size);
-+		return strlen (buf);
-+	}
-+	return 0;
-+}
-+
-+
-+CONF *eaptls_ssl_load_config( void )
-+{
-+	CONF        *config;
-+	int          ret_code;
-+	long         error_line = 33;
-+
-+	config = NCONF_new( NULL );
-+	dbglog( "Loading OpenSSL config file" );
-+	ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
-+	if (ret_code == 0)
-+	{
-+	    warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
-+	    NCONF_free( config );
-+	    config = NULL;
-+	    ERR_clear_error();
-+	}
-+
-+	dbglog( "Loading OpenSSL built-ins" );
-+	ENGINE_load_builtin_engines();
-+	OPENSSL_load_builtin_modules();
-+
-+	dbglog( "Loading OpenSSL configured modules" );
-+	if (CONF_modules_load( config, NULL, 0 ) <= 0 )
-+	{
-+	    warn( "EAP-TLS: Error loading OpenSSL modules" );
-+	    log_ssl_errors();
-+	    config = NULL;
-+	}
-+
-+	return config;
-+}
-+
-+ENGINE *eaptls_ssl_load_engine( char *engine_name )
-+{
-+	ENGINE      *e = NULL;
-+
-+	dbglog( "Enabling OpenSSL auto engines" );
-+	ENGINE_register_all_complete();
-+
-+	dbglog( "Loading OpenSSL '%s' engine support", engine_name );
-+	e = ENGINE_by_id( engine_name );
-+	if (!e)
-+	{
-+		dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
-+		e = ENGINE_by_id( "dynamic" );
-+		if (e)
-+		{
-+			if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
-+   	         || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
-+			{
-+				warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
-+		        log_ssl_errors();
-+				ENGINE_free(e);
-+				e = NULL;
-+			}
-+		}
-+		else
-+		{
-+			warn( "EAP-TLS: Cannot load dynamic engine support" );
-+		}
-+	}
-+
-+	if (e)
-+	{
-+		dbglog( "Initialising engine" );
-+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
-+		{
-+			warn( "EAP-TLS: Cannot use that engine" );
-+			log_ssl_errors();
-+			ENGINE_free(e);
-+			e = NULL;
-+		}
-+	}
-+
-+	return e;
-+}
-+
-+/*
-+ * Initialize the SSL stacks and tests if certificates, key and crl
-+ * for client or server use can be loaded.
-+ */
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+			char *certfile, char *peer_certfile, char *privkeyfile)
-+{
-+	char		*cert_engine_name = NULL;
-+	char		*cert_identifier = NULL;
-+	char		*pkey_engine_name = NULL;
-+	char		*pkey_identifier = NULL;
-+	SSL_CTX		*ctx;
-+	SSL			*ssl;
-+	X509_STORE	*certstore;
-+	X509_LOOKUP	*lookup;
-+	X509		*tmp;
-+	int			ret;
-+
-+	/*
-+	 * Without these can't continue
-+	 */
-+	if (!cacertfile[0])
-+	{
-+		error("EAP-TLS: CA certificate missing");
-+		return NULL;
-+	}
-+
-+	if (!certfile[0])
-+	{
-+		error("EAP-TLS: User certificate missing");
-+		return NULL;
-+	}
-+
-+	if (!privkeyfile[0])
-+	{
-+		error("EAP-TLS: User private key missing");
-+		return NULL;
-+	}
-+
-+	SSL_library_init();
-+	SSL_load_error_strings();
-+
-+	ctx = SSL_CTX_new(TLS_method());
-+
-+	if (!ctx) {
-+		error("EAP-TLS: Cannot initialize SSL CTX context");
-+		goto fail;
-+	}
-+
-+	/* if the certificate filename is of the form engine:id. e.g.
-+		pkcs11:12345
-+	   then we try to load and use this engine.
-+	   If the certificate filename starts with a / or . then we
-+	   ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+	 */
-+	if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
-+	{
-+		cert_identifier = index( certfile, ':' );
-+
-+		if (cert_identifier)
-+		{
-+			cert_engine_name = certfile;
-+			*cert_identifier = '\0';
-+			cert_identifier++;
-+
-+			dbglog( "Found certificate engine '%s'", cert_engine_name );
-+			dbglog( "Found certificate identifier '%s'", cert_identifier );
-+		}
-+	}
-+
-+	/* if the privatekey filename is of the form engine:id. e.g.
-+		pkcs11:12345
-+	   then we try to load and use this engine.
-+	   If the privatekey filename starts with a / or . then we
-+	   ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+	 */
-+	if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
-+	{
-+		pkey_identifier = index( privkeyfile, ':' );
-+
-+		if (pkey_identifier)
-+		{
-+			pkey_engine_name = privkeyfile;
-+			*pkey_identifier = '\0';
-+			pkey_identifier++;
-+
-+			dbglog( "Found privatekey engine '%s'", pkey_engine_name );
-+			dbglog( "Found privatekey identifier '%s'", pkey_identifier );
-+		}
-+	}
-+
-+	if (cert_identifier && pkey_identifier)
-+	{
-+		if (strlen( cert_identifier ) == 0)
-+		{
-+			if (strlen( pkey_identifier ) == 0)
-+				error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
-+			else
-+			{
-+				dbglog( "Substituting privatekey identifier for certificate identifier" );
-+				cert_identifier = pkey_identifier;
-+			}
-+		}
-+		else
-+		{
-+			if (strlen( pkey_identifier ) == 0)
-+			{
-+				dbglog( "Substituting certificate identifier for privatekey identifier" );
-+				pkey_identifier = cert_identifier;
-+			}
-+		}
-+
-+	}
-+
-+	/* load the openssl config file only once */
-+	if (!ssl_config)
-+	{
-+		if (cert_engine_name || pkey_engine_name)
-+			ssl_config = eaptls_ssl_load_config();
-+
-+		if (ssl_config && cert_engine_name)
-+			cert_engine = eaptls_ssl_load_engine( cert_engine_name );
-+
-+		if (ssl_config && pkey_engine_name)
-+		{
-+			/* don't load the same engine twice */
-+			if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
-+				pkey_engine = cert_engine;
-+			else
-+				pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
-+		}
-+	}
-+
-+	SSL_CTX_set_default_passwd_cb (ctx, password_callback);
-+
-+	if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
-+	{
-+		error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
-+		goto fail;
-+	}
-+
-+	if (init_server)
-+		SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
-+
-+	if (cert_engine)
-+	{
-+		struct
-+		{
-+			const char *s_slot_cert_id;
-+			X509 *cert;
-+		} cert_info;
-+
-+		cert_info.s_slot_cert_id = cert_identifier;
-+		cert_info.cert = NULL;
-+
-+		if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
-+		{
-+			error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
-+			goto fail;
-+		}
-+
-+		if (cert_info.cert)
-+		{
-+		    dbglog( "Got the certificate, adding it to SSL context" );
-+			dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
-+			if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
-+			{
-+				error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
-+				goto fail;
-+			}
-+		}
-+		else
-+		{
-+			warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
-+			log_ssl_errors();
-+		}
-+	}
-+	else
-+	{
-+		if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
-+		{
-+			error( "EAP-TLS: Cannot use public certificate %s", certfile );
-+			goto fail;
-+		}
-+	}
-+
-+
-+	/*
-+	 *  Check the Before and After dates of the certificate
-+	 */
-+	ssl = SSL_new(ctx);
-+	tmp = SSL_get_certificate(ssl);
-+
-+	ret = X509_cmp_time(X509_get_notBefore(tmp), NULL);
-+	if (ret == 0)
-+	{
-+		warn( "EAP-TLS: Failed to read certificate notBefore field.");
-+	}
-+	if (ret > 0)
-+	{
-+		warn( "EAP-TLS: Your certificate is not yet valid!");
-+	}
-+
-+	ret = X509_cmp_time(X509_get_notAfter(tmp), NULL);
-+	if (ret == 0)
-+	{
-+		warn( "EAP-TLS: Failed to read certificate notAfter field.");
-+	}
-+	if (ret < 0)
-+	{
-+		warn( "EAP-TLS: Your certificate has expired!");
-+	}
-+	SSL_free(ssl);
-+
-+	if (pkey_engine)
-+	{
-+		EVP_PKEY   *pkey = NULL;
-+		PW_CB_DATA  cb_data;
-+
-+		cb_data.password = passwd;
-+		cb_data.prompt_info = pkey_identifier;
-+
-+		dbglog( "Loading private key '%s' from engine", pkey_identifier );
-+		pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
-+		if (pkey)
-+		{
-+		    dbglog( "Got the private key, adding it to SSL context" );
-+			if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
-+			{
-+				error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
-+				goto fail;
-+			}
-+		}
-+		else
-+		{
-+			warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
-+			log_ssl_errors();
-+		}
-+	}
-+	else
-+	{
-+		if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
-+		{
-+			error("EAP-TLS: Cannot use private key %s", privkeyfile);
-+			goto fail;
-+		}
-+	}
-+
-+	if (SSL_CTX_check_private_key(ctx) != 1) {
-+		error("EAP-TLS: Private key %s fails security check", privkeyfile);
-+		goto fail;
-+	}
-+
-+    /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
-+	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
-+#ifdef SSL_OP_NO_TICKET
-+	| SSL_OP_NO_TICKET
-+#endif
-+	);
-+
-+	SSL_CTX_set_verify_depth(ctx, 5);
-+	SSL_CTX_set_verify(ctx,
-+			   SSL_VERIFY_PEER |
-+			   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-+			   &ssl_verify_callback);
-+
-+	if (crl_dir) {
-+		if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+			error("EAP-TLS: Failed to get certificate store");
-+			goto fail;
-+		}
-+
-+		if (!(lookup =
-+		     X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
-+			error("EAP-TLS: Store lookup for CRL failed");
-+
-+			goto fail;
-+		}
-+
-+		X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
-+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+	}
-+
-+	if (crl_file) {
-+	    FILE     *fp  = NULL;
-+	    X509_CRL *crl = NULL;
-+
-+	    fp = fopen(crl_file, "r");
-+	    if (!fp) {
-+	        error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
-+	        goto fail;
-+	    }
-+
-+	    crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
-+	    if (!crl) {
-+	        error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
-+	        goto fail;
-+	    }
-+
-+		if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+			error("EAP-TLS: Failed to get certificate store");
-+			goto fail;
-+		}
-+	    if (!X509_STORE_add_crl(certstore, crl)) {
-+	        error("EAP-TLS: Cannot add CRL to certificate store");
-+	        goto fail;
-+	    }
-+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+	}
-+
-+	/*
-+	 * If a peer certificate file was specified, it must be valid, else fail
-+	 */
-+	if (peer_certfile[0]) {
-+		if (!(tmp = get_X509_from_file(peer_certfile))) {
-+			error("EAP-TLS: Error loading client certificate from file %s",
-+			     peer_certfile);
-+			goto fail;
-+		}
-+		X509_free(tmp);
-+	}
-+
-+	return ctx;
-+
-+fail:
-+	log_ssl_errors();
-+	SSL_CTX_free(ctx);
-+	return NULL;
-+}
-+
-+/*
-+ * Determine the maximum packet size by looking at the LCP handshake
-+ */
-+
-+int eaptls_get_mtu(int unit)
-+{
-+	int mtu, mru;
-+
-+	lcp_options *wo = &lcp_wantoptions[unit];
-+	lcp_options *go = &lcp_gotoptions[unit];
-+	lcp_options *ho = &lcp_hisoptions[unit];
-+	lcp_options *ao = &lcp_allowoptions[unit];
-+
-+	mtu = ho->neg_mru? ho->mru: PPP_MRU;
-+	mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
-+	mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
-+
-+	dbglog("MTU = %d", mtu);
-+	return mtu;
-+}
-+
-+
-+/*
-+ * Init the ssl handshake (server mode)
-+ */
-+int eaptls_init_ssl_server(eap_state * esp)
-+{
-+	struct eaptls_session *ets;
-+	char servcertfile[MAXWORDLEN];
-+	char clicertfile[MAXWORDLEN];
-+	char cacertfile[MAXWORDLEN];
-+	char pkfile[MAXWORDLEN];
-+	/*
-+	 * Allocate new eaptls session
-+	 */
-+	esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
-+	if (!esp->es_server.ea_session)
-+		fatal("Allocation error");
-+	ets = esp->es_server.ea_session;
-+
-+	if (!esp->es_server.ea_peer) {
-+		error("EAP-TLS: Error: client name not set (BUG)");
-+		return 0;
-+	}
-+
-+	strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
-+
-+	dbglog( "getting eaptls secret" );
-+	if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
-+			       esp->es_server.ea_name, clicertfile,
-+			       servcertfile, cacertfile, pkfile, 1)) {
-+		error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+				esp->es_server.ea_peer, esp->es_server.ea_name );
-+		return 0;
-+	}
-+
-+	ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+	ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
-+	if (!ets->ctx)
-+		goto fail;
-+
-+	if (!(ets->ssl = SSL_new(ets->ctx)))
-+		goto fail;
-+
-+	/*
-+	 * Set auto-retry to avoid timeouts on BIO_read
-+	 */
-+	SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
-+
-+	/*
-+	 * Initialize the BIOs we use to read/write to ssl engine
-+	 */
-+	ets->into_ssl = BIO_new(BIO_s_mem());
-+	ets->from_ssl = BIO_new(BIO_s_mem());
-+	SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+	SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+	SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+	/*
-+	 * Attach the session struct to the connection, so we can later
-+	 * retrieve it when doing certificate verification
-+	 */
-+	SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+	SSL_set_accept_state(ets->ssl);
-+
-+	ets->data = NULL;
-+	ets->datalen = 0;
-+	ets->alert_sent = 0;
-+	ets->alert_recv = 0;
-+
-+	/*
-+	 * If we specified the client certificate file, store it in ets->peercertfile,
-+	 * so we can check it later in ssl_verify_callback()
-+	 */
-+	if (clicertfile[0])
-+		strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
-+	else
-+		ets->peercertfile[0] = 0;
-+
-+	return 1;
-+
-+fail:
-+	SSL_CTX_free(ets->ctx);
-+	return 0;
-+}
-+
-+/*
-+ * Init the ssl handshake (client mode)
-+ */
-+int eaptls_init_ssl_client(eap_state * esp)
-+{
-+	struct eaptls_session *ets;
-+	char servcertfile[MAXWORDLEN];
-+	char clicertfile[MAXWORDLEN];
-+	char cacertfile[MAXWORDLEN];
-+	char pkfile[MAXWORDLEN];
-+
-+	/*
-+	 * Allocate new eaptls session
-+	 */
-+	esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
-+	if (!esp->es_client.ea_session)
-+		fatal("Allocation error");
-+	ets = esp->es_client.ea_session;
-+
-+	/*
-+	 * If available, copy server name in ets; it will be used in cert
-+	 * verify
-+	 */
-+	if (esp->es_client.ea_peer)
-+		strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
-+	else
-+		ets->peer[0] = 0;
-+
-+	ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+	dbglog( "calling get_eaptls_secret" );
-+	if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
-+			       ets->peer, clicertfile,
-+			       servcertfile, cacertfile, pkfile, 0)) {
-+		error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+				esp->es_client.ea_name, ets->peer );
-+		return 0;
-+	}
-+
-+	dbglog( "calling eaptls_init_ssl" );
-+	ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
-+	if (!ets->ctx)
-+		goto fail;
-+
-+	ets->ssl = SSL_new(ets->ctx);
-+
-+	if (!ets->ssl)
-+		goto fail;
-+
-+	/*
-+	 * Initialize the BIOs we use to read/write to ssl engine
-+	 */
-+	dbglog( "Initializing SSL BIOs" );
-+	ets->into_ssl = BIO_new(BIO_s_mem());
-+	ets->from_ssl = BIO_new(BIO_s_mem());
-+	SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+	SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+	SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+	/*
-+	 * Attach the session struct to the connection, so we can later
-+	 * retrieve it when doing certificate verification
-+	 */
-+	SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+	SSL_set_connect_state(ets->ssl);
-+
-+	ets->data = NULL;
-+	ets->datalen = 0;
-+	ets->alert_sent = 0;
-+	ets->alert_recv = 0;
-+
-+	/*
-+	 * If we specified the server certificate file, store it in
-+	 * ets->peercertfile, so we can check it later in
-+	 * ssl_verify_callback()
-+	 */
-+	if (servcertfile[0])
-+		strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
-+	else
-+		ets->peercertfile[0] = 0;
-+
-+	return 1;
-+
-+fail:
-+	dbglog( "eaptls_init_ssl_client: fail" );
-+	SSL_CTX_free(ets->ctx);
-+	return 0;
-+
-+}
-+
-+void eaptls_free_session(struct eaptls_session *ets)
-+{
-+	if (ets->ssl)
-+		SSL_free(ets->ssl);
-+
-+	if (ets->ctx)
-+		SSL_CTX_free(ets->ctx);
-+
-+	free(ets);
-+}
-+
-+/*
-+ * Handle a received packet, reassembling fragmented messages and
-+ * passing them to the ssl engine
-+ */
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
-+{
-+	u_char flags;
-+	u_int tlslen = 0;
-+	u_char dummy[65536];
-+
-+	if (len < 1) {
-+		warn("EAP-TLS: received no or invalid data");
-+		return 1;
-+	}
-+
-+	GETCHAR(flags, inp);
-+	len--;
-+
-+	if (flags & EAP_TLS_FLAGS_LI && len > 4) {
-+		/*
-+		 * LenghtIncluded flag set -> this is the first packet of a message
-+		*/
-+
-+		/*
-+		 * the first 4 octets are the length of the EAP-TLS message
-+		 */
-+		GETLONG(tlslen, inp);
-+		len -= 4;
-+
-+		if (!ets->data) {
-+
-+			if (tlslen > EAP_TLS_MAX_LEN) {
-+				error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
-+				tlslen = EAP_TLS_MAX_LEN;
-+			}
-+
-+			/*
-+			 * Allocate memory for the whole message
-+			*/
-+			ets->data = malloc(tlslen);
-+			if (!ets->data)
-+				fatal("EAP-TLS: allocation error\n");
-+
-+			ets->datalen = 0;
-+			ets->tlslen = tlslen;
-+		}
-+		else
-+			warn("EAP-TLS: non-first LI packet? that's odd...");
-+	}
-+	else if (!ets->data) {
-+		/*
-+		 * A non fragmented message without LI flag
-+		*/
-+
-+		ets->data = malloc(len);
-+		if (!ets->data)
-+			fatal("EAP-TLS: allocation error\n");
-+
-+		ets->datalen = 0;
-+		ets->tlslen = len;
-+	}
-+
-+	if (flags & EAP_TLS_FLAGS_MF)
-+		ets->frag = 1;
-+	else
-+		ets->frag = 0;
-+
-+	if (len < 0) {
-+		warn("EAP-TLS: received malformed data");
-+		return 1;
-+	}
-+
-+	if (len + ets->datalen > ets->tlslen) {
-+		warn("EAP-TLS: received data > TLS message length");
-+		return 1;
-+	}
-+
-+	BCOPY(inp, ets->data + ets->datalen, len);
-+	ets->datalen += len;
-+
-+	if (!ets->frag) {
-+
-+		/*
-+		 * If we have the whole message, pass it to ssl
-+		 */
-+
-+		if (ets->datalen != ets->tlslen) {
-+			warn("EAP-TLS: received data != TLS message length");
-+			return 1;
-+		}
-+
-+		if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
-+			log_ssl_errors();
-+
-+		SSL_read(ets->ssl, dummy, 65536);
-+
-+		free(ets->data);
-+		ets->data = NULL;
-+		ets->datalen = 0;
-+	}
-+
-+	return 0;
-+}
-+
-+/*
-+ * Return an eap-tls packet in outp.
-+ * A TLS message read from the ssl engine is buffered in ets->data.
-+ * At each call we control if there is buffered data and send a
-+ * packet of mtu bytes.
-+ */
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp)
-+{
-+	bool first = 0;
-+	int size;
-+	u_char fromtls[65536];
-+	int res;
-+	u_char *start;
-+
-+	start = *outp;
-+
-+	if (!ets->data) {
-+
-+		if(!ets->alert_sent)
-+			SSL_read(ets->ssl, fromtls, 65536);
-+
-+		/*
-+		 * Read from ssl
-+		 */
-+		if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
-+		{
-+			warn("EAP-TLS send: No data from BIO_read");
-+			return 1;
-+		}
-+
-+		ets->datalen = res;
-+
-+		ets->data = malloc(ets->datalen);
-+		BCOPY(fromtls, ets->data, ets->datalen);
-+
-+		ets->offset = 0;
-+		first = 1;
-+
-+	}
-+
-+	size = ets->datalen - ets->offset;
-+
-+	if (size > ets->mtu) {
-+		size = ets->mtu;
-+		ets->frag = 1;
-+	} else
-+		ets->frag = 0;
-+
-+	PUTCHAR(EAPT_TLS, *outp);
-+
-+	/*
-+	 * Set right flags and length if necessary
-+	 */
-+	if (ets->frag && first) {
-+		PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
-+		PUTLONG(ets->datalen, *outp);
-+	} else if (ets->frag) {
-+		PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
-+	} else
-+		PUTCHAR(0, *outp);
-+
-+	/*
-+	 * Copy the data in outp
-+	 */
-+	BCOPY(ets->data + ets->offset, *outp, size);
-+	INCPTR(size, *outp);
-+
-+	/*
-+	 * Copy the packet in retransmission buffer
-+	 */
-+	BCOPY(start, &ets->rtx[0], *outp - start);
-+	ets->rtx_len = *outp - start;
-+
-+	ets->offset += size;
-+
-+	if (ets->offset >= ets->datalen) {
-+
-+		/*
-+		 * The whole message has been sent
-+		 */
-+
-+		free(ets->data);
-+		ets->data = NULL;
-+		ets->datalen = 0;
-+		ets->offset = 0;
-+	}
-+
-+	return 0;
-+}
-+
-+/*
-+ * Get the sent packet from the retransmission buffer
-+ */
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
-+{
-+	BCOPY(ets->rtx, *outp, ets->rtx_len);
-+	INCPTR(ets->rtx_len, *outp);
-+}
-+
-+/*
-+ * Verify a certificate.
-+ * Most of the work (signatures and issuer attributes checking)
-+ * is done by ssl; we check the CN in the peer certificate
-+ * against the peer name.
-+ */
-+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
-+{
-+	char subject[256];
-+	char cn_str[256];
-+	X509 *peer_cert;
-+	int err, depth;
-+	SSL *ssl;
-+	struct eaptls_session *ets;
-+
-+	peer_cert = X509_STORE_CTX_get_current_cert(ctx);
-+	err = X509_STORE_CTX_get_error(ctx);
-+	depth = X509_STORE_CTX_get_error_depth(ctx);
-+
-+	dbglog("certificate verify depth: %d", depth);
-+
-+	if (auth_required && !ok) {
-+		X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+				  subject, 256);
-+
-+		X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+					  NID_commonName, cn_str, 256);
-+
-+		dbglog("Certificate verification error:\n depth: %d CN: %s"
-+		       "\n err: %d (%s)\n", depth, cn_str, err,
-+		       X509_verify_cert_error_string(err));
-+
-+		return 0;
-+	}
-+
-+	ssl = X509_STORE_CTX_get_ex_data(ctx,
-+				       SSL_get_ex_data_X509_STORE_CTX_idx());
-+
-+	ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
-+
-+	if (ets == NULL) {
-+		error("Error: SSL_get_ex_data returned NULL");
-+		return 0;
-+	}
-+
-+	log_ssl_errors();
-+
-+	if (!depth) {		/* This is the peer certificate */
-+
-+		X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+				  subject, 256);
-+
-+		X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+					  NID_commonName, cn_str, 256);
-+
-+		/*
-+		 * If acting as client and the name of the server wasn't specified
-+		 * explicitely, we can't verify the server authenticity
-+		 */
-+		if (!ets->peer[0]) {
-+			warn("Peer name not specified: no check");
-+			return ok;
-+		}
-+
-+		/*
-+		 * Check the CN
-+		 */
-+		if (strcmp(cn_str, ets->peer)) {
-+			error
-+			    ("Certificate verification error: CN (%s) != peer_name (%s)",
-+			     cn_str, ets->peer);
-+			return 0;
-+		}
-+
-+		warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
-+
-+		/*
-+		 * If a peer certificate file was specified, here we check it
-+		 */
-+		if (ets->peercertfile[0]) {
-+			if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
-+			    != 0) {
-+				error
-+				    ("Peer certificate doesn't match stored certificate");
-+				return 0;
-+			}
-+		}
-+	}
-+
-+	return ok;
-+}
-+
-+/*
-+ * Compare a certificate with the one stored in a file
-+ */
-+int ssl_cmp_certs(char *filename, X509 * a)
-+{
-+	X509 *b;
-+	int ret;
-+
-+	if (!(b = get_X509_from_file(filename)))
-+		return 1;
-+
-+	ret = X509_cmp(a, b);
-+	X509_free(b);
-+
-+	return ret;
-+
-+}
-+
-+X509 *get_X509_from_file(char *filename)
-+{
-+	FILE *fp;
-+	X509 *ret;
-+
-+	if (!(fp = fopen(filename, "r")))
-+		return NULL;
-+
-+	ret = PEM_read_X509(fp, NULL, NULL, NULL);
-+
-+	fclose(fp);
-+
-+	return ret;
-+}
-+
-+/*
-+ * Every sent & received message this callback function is invoked,
-+ * so we know when alert messages have arrived or are sent and
-+ * we can print debug information about TLS handshake.
-+ */
-+void
-+ssl_msg_callback(int write_p, int version, int content_type,
-+		 const void *buf, size_t len, SSL * ssl, void *arg)
-+{
-+	char string[256];
-+	struct eaptls_session *ets = (struct eaptls_session *)arg;
-+	unsigned char code;
-+	const unsigned char*msg = buf;
-+	int hvers = msg[1] << 8 | msg[2];
-+
-+	if(write_p)
-+		strcpy(string, " -> ");
-+	else
-+		strcpy(string, " <- ");
-+
-+	switch(content_type) {
-+
-+	case SSL3_RT_HEADER:
-+		strcat(string, "SSL/TLS Header: ");
-+		switch(hvers) {
-+		case SSL3_VERSION:
-+				strcat(string, "SSL 3.0");
-+				break;
-+		case TLS1_VERSION:
-+				strcat(string, "TLS 1.0");
-+				break;
-+		case TLS1_1_VERSION:
-+				strcat(string, "TLS 1.1");
-+				break;
-+		case TLS1_2_VERSION:
-+				strcat(string, "TLS 1.2");
-+				break;
-+		default:
-+			strcat(string, "Unknown version");
-+		}
-+		break;
-+
-+	case SSL3_RT_ALERT:
-+		strcat(string, "Alert: ");
-+		code = msg[1];
-+
-+		if (write_p) {
-+			ets->alert_sent = 1;
-+			ets->alert_sent_desc = code;
-+		} else {
-+			ets->alert_recv = 1;
-+			ets->alert_recv_desc = code;
-+		}
-+
-+		strcat(string, SSL_alert_desc_string_long(code));
-+		break;
-+
-+	case SSL3_RT_CHANGE_CIPHER_SPEC:
-+		strcat(string, "ChangeCipherSpec");
-+		break;
-+
-+	case SSL3_RT_HANDSHAKE:
-+
-+		strcat(string, "Handshake: ");
-+		code = msg[0];
-+
-+		switch(code) {
-+			case SSL3_MT_HELLO_REQUEST:
-+				strcat(string,"Hello Request");
-+				break;
-+			case SSL3_MT_CLIENT_HELLO:
-+				strcat(string,"Client Hello");
-+				break;
-+			case SSL3_MT_SERVER_HELLO:
-+				strcat(string,"Server Hello");
-+				break;
-+#ifdef SSL3_MT_NEWSESSION_TICKET
-+			case SSL3_MT_NEWSESSION_TICKET:
-+				strcat(string,"New Session Ticket");
-+				break;
-+#endif
-+			case SSL3_MT_CERTIFICATE:
-+				strcat(string,"Certificate");
-+				break;
-+			case SSL3_MT_SERVER_KEY_EXCHANGE:
-+				strcat(string,"Server Key Exchange");
-+				break;
-+			case SSL3_MT_CERTIFICATE_REQUEST:
-+				strcat(string,"Certificate Request");
-+				break;
-+			case SSL3_MT_SERVER_DONE:
-+				strcat(string,"Server Hello Done");
-+								break;
-+			case SSL3_MT_CERTIFICATE_VERIFY:
-+				strcat(string,"Certificate Verify");
-+				break;
-+			case SSL3_MT_CLIENT_KEY_EXCHANGE:
-+				strcat(string,"Client Key Exchange");
-+				break;
-+			case SSL3_MT_FINISHED:
-+				strcat(string,"Finished: ");
-+				hvers = SSL_version(ssl);
-+				switch(hvers) {
-+				case SSL3_VERSION:
-+						strcat(string, "SSL 3.0");
-+						break;
-+				case TLS1_VERSION:
-+						strcat(string, "TLS 1.0");
-+						break;
-+				case TLS1_1_VERSION:
-+						strcat(string, "TLS 1.1");
-+						break;
-+				case TLS1_2_VERSION:
-+						strcat(string, "TLS 1.2");
-+						break;
-+				default:
-+					strcat(string, "Unknown version");
-+				}
-+				break;
-+			default:
-+				sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
-+		}
-+		break;
-+
-+	default:
-+		sprintf( string, "SSL message contains unknown content type: %d", content_type );
-+
-+	}
-+
-+	/* Alert messages must always be displayed */
-+	if(content_type == SSL3_RT_ALERT)
-+		error("%s", string);
-+	else
-+		dbglog("%s", string);
-+}
-+
-diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
-new file mode 100644
-index 000000000000..2d45a0b83a0c
---- /dev/null
-+++ b/pppd/eap-tls.h
-@@ -0,0 +1,107 @@
-+/*
-+ * eap-tls.h
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in
-+ *    the documentation and/or other materials provided with the
-+ *    distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ *    endorse or promote products derived from this software without
-+ *    prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#ifndef __EAP_TLS_H__
-+#define __EAP_TLS_H__
-+
-+#include "eap.h"
-+
-+#include <openssl/ssl.h>
-+#include <openssl/bio.h>
-+#include <openssl/md5.h>
-+
-+#define EAP_TLS_FLAGS_LI        128	/* length included flag */
-+#define EAP_TLS_FLAGS_MF        64	/* more fragments flag */
-+#define EAP_TLS_FLAGS_START     32	/* start flag */
-+
-+#define EAP_TLS_MAX_LEN         65536	/* max eap tls packet size */
-+
-+struct eaptls_session
-+{
-+	u_char *data;		/* buffered data */
-+	int datalen;		/* buffered data len */
-+	int offset;		/* from where to send */
-+	int tlslen;		/* total length of tls data */
-+	bool frag;		/* packet is fragmented */
-+	SSL_CTX *ctx;
-+	SSL *ssl;		/* ssl connection */
-+	BIO *from_ssl;
-+	BIO *into_ssl;
-+	char peer[MAXWORDLEN];	/* peer name */
-+	char peercertfile[MAXWORDLEN];
-+	bool alert_sent;
-+	u_char alert_sent_desc;
-+	bool alert_recv;
-+	u_char alert_recv_desc;
-+	char rtx[65536];	/* retransmission buffer */
-+	int rtx_len;
-+	int mtu;		/* unit mtu */
-+};
-+
-+typedef struct pw_cb_data
-+{
-+	const void *password;
-+	const char *prompt_info;
-+} PW_CB_DATA;
-+
-+
-+int ssl_verify_callback(int, X509_STORE_CTX *);
-+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
-+		      size_t len, SSL * ssl, void *arg);
-+
-+X509 *get_X509_from_file(char *filename);
-+int ssl_cmp_certs(char *filename, X509 * a);
-+
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+            char *certfile, char *peer_certfile, char *privkeyfile);
-+int eaptls_init_ssl_server(eap_state * esp);
-+int eaptls_init_ssl_client(eap_state * esp);
-+void eaptls_free_session(struct eaptls_session *ets);
-+
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
-+
-+int get_eaptls_secret(int unit, char *client, char *server,
-+		      char *clicertfile, char *servcertfile, char *cacertfile,
-+		      char *pkfile, int am_server);
-+
-+#ifdef MPPE
-+#include "mppe.h"   /* MPPE_MAX_KEY_LEN */
-+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
-+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
-+extern int mppe_keys_set;
-+
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
-+
-+#endif
-+
-+#endif
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 6ea6c1f8bff6..032407c3dbb2 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -43,6 +43,11 @@
-  * Based on draft-ietf-pppext-eap-srp-03.txt.
-  */
- 
-+/*
-+ * Modification by Beniamino Galvani, Mar 2005
-+ * Implemented EAP-TLS authentication
-+ */
-+
- #define RCSID	"$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
- 
- /*
-@@ -62,8 +67,12 @@
- 
- #include "pppd.h"
- #include "pathnames.h"
--#include "md5.h"
- #include "eap.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#else
-+#include "md5.h"
-+#endif /* USE_EAPTLS */
- 
- #ifdef USE_SRP
- #include <t_pwd.h>
-@@ -209,6 +218,9 @@ int unit;
- 	esp->es_server.ea_id = (u_char)(drand48() * 0x100);
- 	esp->es_client.ea_timeout = EAP_DEFREQTIME;
- 	esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
-+#ifdef USE_EAPTLS
-+	esp->es_client.ea_using_eaptls = 0;
-+#endif /* USE_EAPTLS */
- }
- 
- /*
-@@ -436,8 +448,16 @@ int status;
- 	u_char vals[2];
- 	struct b64state bs;
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+	struct eaptls_session *ets;
-+	int secret_len;
-+	char secret[MAXWORDLEN];
-+#endif /* USE_EAPTLS */
- 
- 	esp->es_server.ea_timeout = esp->es_savedtime;
-+#ifdef USE_EAPTLS
-+	esp->es_server.ea_prev_state = esp->es_server.ea_state;
-+#endif /* USE_EAPTLS */
- 	switch (esp->es_server.ea_state) {
- 	case eapBadAuth:
- 		return;
-@@ -562,9 +582,79 @@ int status;
- 			break;
- 		}
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+                if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
-+                    esp->es_server.ea_name, secret, &secret_len, 1)) {
-+
-+			esp->es_server.ea_state = eapTlsStart;
-+			break;
-+		}
-+#endif /* USE_EAPTLS */
-+
- 		esp->es_server.ea_state = eapMD5Chall;
- 		break;
- 
-+#ifdef USE_EAPTLS
-+	case eapTlsStart:
-+		/* Initialize ssl session */
-+		if(!eaptls_init_ssl_server(esp)) {
-+			esp->es_server.ea_state = eapBadAuth;
-+			break;
-+		}
-+
-+		esp->es_server.ea_state = eapTlsRecv;
-+		break;
-+
-+	case eapTlsRecv:
-+		ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+		if(ets->alert_sent) {
-+			esp->es_server.ea_state = eapTlsSendAlert;
-+			break;
-+		}
-+
-+		if (status) {
-+			esp->es_server.ea_state = eapBadAuth;
-+			break;
-+		}
-+		ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+		if(ets->frag)
-+			esp->es_server.ea_state = eapTlsSendAck;
-+		else
-+			esp->es_server.ea_state = eapTlsSend;
-+		break;
-+
-+	case eapTlsSend:
-+		ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+		if(ets->frag)
-+			esp->es_server.ea_state = eapTlsRecvAck;
-+		else
-+			if(SSL_is_init_finished(ets->ssl))
-+				esp->es_server.ea_state = eapTlsRecvClient;
-+			else
-+				esp->es_server.ea_state = eapTlsRecv;
-+		break;
-+
-+	case eapTlsSendAck:
-+			esp->es_server.ea_state = eapTlsRecv;
-+		break;
-+
-+	case eapTlsRecvAck:
-+                if (status) {
-+                        esp->es_server.ea_state = eapBadAuth;
-+                        break;
-+                }
-+
-+		esp->es_server.ea_state = eapTlsSend;
-+		break;
-+
-+	case eapTlsSendAlert:
-+		esp->es_server.ea_state = eapTlsRecvAlertAck;
-+		break;
-+#endif /* USE_EAPTLS */
-+
- 	case eapSRP1:
- #ifdef USE_SRP
- 		ts = (struct t_server *)esp->es_server.ea_session;
-@@ -718,6 +808,30 @@ eap_state *esp;
- 		INCPTR(esp->es_server.ea_namelen, outp);
- 		break;
- 
-+#ifdef USE_EAPTLS
-+	case eapTlsStart:
-+		PUTCHAR(EAPT_TLS, outp);
-+		PUTCHAR(EAP_TLS_FLAGS_START, outp);
-+		eap_figure_next_state(esp, 0);
-+		break;
-+
-+	case eapTlsSend:
-+		eaptls_send(esp->es_server.ea_session, &outp);
-+		eap_figure_next_state(esp, 0);
-+		break;
-+
-+	case eapTlsSendAck:
-+		PUTCHAR(EAPT_TLS, outp);
-+		PUTCHAR(0, outp);
-+		eap_figure_next_state(esp, 0);
-+		break;
-+
-+	case eapTlsSendAlert:
-+		eaptls_send(esp->es_server.ea_session, &outp);
-+		eap_figure_next_state(esp, 0);
-+		break;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- 	case eapSRP1:
- 		PUTCHAR(EAPT_SRP, outp);
-@@ -904,11 +1018,57 @@ static void
- eap_server_timeout(arg)
- void *arg;
- {
-+#ifdef USE_EAPTLS
-+	u_char *outp;
-+	u_char *lenloc;
-+	int outlen;
-+#endif /* USE_EAPTLS */
-+
- 	eap_state *esp = (eap_state *) arg;
- 
- 	if (!eap_server_active(esp))
- 		return;
- 
-+#ifdef USE_EAPTLS
-+	switch(esp->es_server.ea_prev_state) {
-+
-+	/*
-+	 *  In eap-tls the state changes after a request, so we return to
-+	 *  previous state ...
-+	 */
-+	case(eapTlsStart):
-+	case(eapTlsSendAck):
-+		esp->es_server.ea_state = esp->es_server.ea_prev_state;
-+		break;
-+
-+	/*
-+	 *  ... or resend the stored data
-+	 */
-+	case(eapTlsSend):
-+	case(eapTlsSendAlert):
-+		outp = outpacket_buf;
-+		MAKEHEADER(outp, PPP_EAP);
-+		PUTCHAR(EAP_REQUEST, outp);
-+		PUTCHAR(esp->es_server.ea_id, outp);
-+		lenloc = outp;
-+		INCPTR(2, outp);
-+
-+		eaptls_retransmit(esp->es_server.ea_session, &outp);
-+
-+		outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+		PUTSHORT(outlen, lenloc);
-+		output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
-+		esp->es_server.ea_requests++;
-+
-+		if (esp->es_server.ea_timeout > 0)
-+			TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
-+
-+		return;
-+	default:
-+		break;
-+	}
-+#endif /* USE_EAPTLS */
-+
- 	/* EAP ID number must not change on timeout. */
- 	eap_send_request(esp);
- }
-@@ -1166,6 +1326,81 @@ u_char *str;
- }
- #endif /* USE_SRP */
- 
-+#ifdef USE_EAPTLS
-+/*
-+ * Send an EAP-TLS response message with tls data
-+ */
-+static void
-+eap_tls_response(esp, id)
-+eap_state *esp;
-+u_char id;
-+{
-+        u_char *outp;
-+        int outlen;
-+	u_char *lenloc;
-+
-+        outp = outpacket_buf;
-+
-+        MAKEHEADER(outp, PPP_EAP);
-+
-+        PUTCHAR(EAP_RESPONSE, outp);
-+        PUTCHAR(id, outp);
-+
-+	lenloc = outp;
-+	INCPTR(2, outp);
-+
-+	/*
-+	   If the id in the request is unchanged, we must retransmit
-+	   the old data
-+	*/
-+	if(id == esp->es_client.ea_id)
-+		eaptls_retransmit(esp->es_client.ea_session, &outp);
-+	else
-+		eaptls_send(esp->es_client.ea_session, &outp);
-+
-+	outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+	PUTSHORT(outlen, lenloc);
-+
-+	output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
-+
-+	esp->es_client.ea_id = id;
-+
-+}
-+
-+/*
-+ * Send an EAP-TLS ack
-+ */
-+static void
-+eap_tls_sendack(esp, id)
-+eap_state *esp;
-+u_char id;
-+{
-+	u_char *outp;
-+	int outlen;
-+	u_char *lenloc;
-+
-+	outp = outpacket_buf;
-+
-+	MAKEHEADER(outp, PPP_EAP);
-+
-+	PUTCHAR(EAP_RESPONSE, outp);
-+	PUTCHAR(id, outp);
-+	esp->es_client.ea_id = id;
-+
-+	lenloc = outp;
-+	INCPTR(2, outp);
-+
-+	PUTCHAR(EAPT_TLS, outp);
-+	PUTCHAR(0, outp);
-+
-+	outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+	PUTSHORT(outlen, lenloc);
-+
-+	output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
-+
-+}
-+#endif /* USE_EAPTLS */
-+
- static void
- eap_send_nak(esp, id, type)
- eap_state *esp;
-@@ -1320,6 +1555,11 @@ int len;
- 	char rhostname[256];
- 	MD5_CTX mdContext;
- 	u_char hash[MD5_SIGNATURE_SIZE];
-+#ifdef USE_EAPTLS
-+	u_char flags;
-+	struct eaptls_session *ets = esp->es_client.ea_session;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- 	struct t_client *tc;
- 	struct t_num sval, gval, Nval, *Ap, Bval;
-@@ -1456,6 +1696,100 @@ int len;
- 		    esp->es_client.ea_namelen);
- 		break;
- 
-+#ifdef USE_EAPTLS
-+	case EAPT_TLS:
-+
-+		switch(esp->es_client.ea_state) {
-+
-+		case eapListen:
-+
-+			if (len < 1) {
-+				error("EAP: received EAP-TLS Listen packet with no data");
-+				/* Bogus request; wait for something real. */
-+				return;
-+			}
-+			GETCHAR(flags, inp);
-+			if(flags & EAP_TLS_FLAGS_START){
-+
-+				esp->es_client.ea_using_eaptls = 1;
-+
-+                                if (explicit_remote){
-+                                        esp->es_client.ea_peer = strdup(remote_name);
-+                                        esp->es_client.ea_peerlen = strlen(remote_name);
-+                                } else
-+                                        esp->es_client.ea_peer = NULL;
-+
-+				/* Init ssl session */
-+				if(!eaptls_init_ssl_client(esp)) {
-+					dbglog("cannot init ssl");
-+					eap_send_nak(esp, id, EAPT_TLS);
-+					esp->es_client.ea_using_eaptls = 0;
-+					break;
-+				}
-+
-+				ets = esp->es_client.ea_session;
-+				eap_tls_response(esp, id);
-+				esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+								eapTlsRecv);
-+				break;
-+			}
-+
-+			/* The server has sent a bad start packet. */
-+			eap_send_nak(esp, id, EAPT_TLS);
-+			break;
-+
-+		case eapTlsRecvAck:
-+			eap_tls_response(esp, id);
-+			esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+							eapTlsRecv);
-+			break;
-+
-+		case eapTlsRecv:
-+			if (len < 1) {
-+				error("EAP: discarding EAP-TLS Receive packet with no data");
-+				/* Bogus request; wait for something real. */
-+				return;
-+			}
-+			eaptls_receive(ets, inp, len);
-+
-+			if(ets->frag) {
-+				eap_tls_sendack(esp, id);
-+				esp->es_client.ea_state = eapTlsRecv;
-+				break;
-+			}
-+
-+			if(ets->alert_recv) {
-+				eap_tls_sendack(esp, id);
-+				esp->es_client.ea_state = eapTlsRecvFailure;
-+				break;
-+			}
-+
-+			/* Check if TLS handshake is finished */
-+			if(SSL_is_init_finished(ets->ssl)){
-+#ifdef MPPE
-+ 				eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
-+#endif
-+				eaptls_free_session(ets);
-+				eap_tls_sendack(esp, id);
-+				esp->es_client.ea_state = eapTlsRecvSuccess;
-+				break;
-+			}
-+
-+			eap_tls_response(esp,id);
-+                        esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+                                                        eapTlsRecv);
-+
-+                        break;
-+
-+		default:
-+			eap_send_nak(esp, id, EAPT_TLS);
-+			esp->es_client.ea_using_eaptls = 0;
-+			break;
-+		}
-+
-+		break;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- 	case EAPT_SRP:
- 		if (len < 1) {
-@@ -1737,6 +2071,11 @@ int len;
- 	u_char dig[SHA_DIGESTSIZE];
- #endif /* USE_SRP */
- 
-+#ifdef USE_EAPTLS
-+	struct eaptls_session *ets;
-+	u_char flags;
-+#endif /* USE_EAPTLS */
-+
- 	if (esp->es_server.ea_id != id) {
- 		dbglog("EAP: discarding Response %d; expected ID %d", id,
- 		    esp->es_server.ea_id);
-@@ -1776,6 +2115,64 @@ int len;
- 		eap_figure_next_state(esp, 0);
- 		break;
- 
-+#ifdef USE_EAPTLS
-+	case EAPT_TLS:
-+		switch(esp->es_server.ea_state) {
-+
-+		case eapTlsRecv:
-+
-+			ets = (struct eaptls_session *) esp->es_server.ea_session;
-+			eap_figure_next_state(esp,
-+				eaptls_receive(esp->es_server.ea_session, inp, len));
-+
-+			if(ets->alert_recv) {
-+				eap_send_failure(esp);
-+				break;
-+			}
-+			break;
-+
-+		case eapTlsRecvAck:
-+			if(len > 1) {
-+				dbglog("EAP-TLS ACK with extra data");
-+			}
-+			eap_figure_next_state(esp, 0);
-+			break;
-+
-+		case eapTlsRecvClient:
-+			/* Receive authentication response from client */
-+
-+			if (len > 0) {
-+				GETCHAR(flags, inp);
-+
-+				if(len == 1 && !flags) {	/* Ack = ok */
-+#ifdef MPPE
-+ 					eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
-+#endif
-+					eap_send_success(esp);
-+				}
-+				else {			/* failure */
-+					warn("Server authentication failed");
-+					eap_send_failure(esp);
-+				}
-+			}
-+			else
-+				warn("Bogus EAP-TLS packet received from client");
-+
-+			eaptls_free_session(esp->es_server.ea_session);
-+
-+			break;
-+
-+		case eapTlsRecvAlertAck:
-+			eap_send_failure(esp);
-+			break;
-+
-+		default:
-+			eap_figure_next_state(esp, 1);
-+			break;
-+		}
-+		break;
-+#endif /* USE_EAPTLS */
-+
- 	case EAPT_NOTIFICATION:
- 		dbglog("EAP unexpected Notification; response discarded");
- 		break;
-@@ -1807,6 +2204,13 @@ int len;
- 			esp->es_server.ea_state = eapMD5Chall;
- 			break;
- 
-+#ifdef USE_EAPTLS
-+			/* Send EAP-TLS start packet */
-+		case EAPT_TLS:
-+			esp->es_server.ea_state = eapTlsStart;
-+			break;
-+#endif /* USE_EAPTLS */
-+
- 		default:
- 			dbglog("EAP: peer requesting unknown Type %d", vallen);
- 			switch (esp->es_server.ea_state) {
-@@ -2018,13 +2422,27 @@ u_char *inp;
- int id;
- int len;
- {
--	if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
-+	if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
-+#ifdef USE_EAPTLS
-+		&& esp->es_client.ea_state != eapTlsRecvSuccess
-+#endif /* USE_EAPTLS */
-+		) {
- 		dbglog("EAP unexpected success message in state %s (%d)",
- 		    eap_state_name(esp->es_client.ea_state),
- 		    esp->es_client.ea_state);
- 		return;
- 	}
- 
-+#ifdef USE_EAPTLS
-+	if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
-+		eapTlsRecvSuccess) {
-+		dbglog("EAP-TLS unexpected success message in state %s (%d)",
-+                    eap_state_name(esp->es_client.ea_state),
-+                    esp->es_client.ea_state);
-+		return;
-+	}
-+#endif /* USE_EAPTLS */
-+
- 	if (esp->es_client.ea_timeout > 0) {
- 		UNTIMEOUT(eap_client_timeout, (void *)esp);
- 	}
-@@ -2150,6 +2568,9 @@ void *arg;
- 	int code, id, len, rtype, vallen;
- 	u_char *pstart;
- 	u_int32_t uval;
-+#ifdef USE_EAPTLS
-+	u_char flags;
-+#endif /* USE_EAPTLS */
- 
- 	if (inlen < EAP_HEADERLEN)
- 		return (0);
-@@ -2214,6 +2635,24 @@ void *arg;
- 			}
- 			break;
- 
-+#ifdef USE_EAPTLS
-+		case EAPT_TLS:
-+			if (len < 1)
-+				break;
-+			GETCHAR(flags, inp);
-+			len--;
-+
-+                        if(flags == 0 && len == 0){
-+                                printer(arg, " Ack");
-+                                break;
-+                        }
-+
-+			printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
-+			printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
-+			printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
-+			break;
-+#endif /* USE_EAPTLS */
-+
- 		case EAPT_SRP:
- 			if (len < 3)
- 				goto truncated;
-@@ -2325,6 +2764,25 @@ void *arg;
- 			}
- 			break;
- 
-+#ifdef USE_EAPTLS
-+		case EAPT_TLS:
-+			if (len < 1)
-+				break;
-+			GETCHAR(flags, inp);
-+			len--;
-+
-+                        if(flags == 0 && len == 0){
-+                                printer(arg, " Ack");
-+                                break;
-+                        }
-+
-+			printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
-+			printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
-+			printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
-+
-+			break;
-+#endif /* USE_EAPTLS */
-+
- 		case EAPT_NAK:
- 			if (len <= 0) {
- 				printer(arg, " <missing hint>");
-@@ -2426,3 +2884,4 @@ void *arg;
- 
- 	return (inp - pstart);
- }
-+
-diff --git a/pppd/eap.h b/pppd/eap.h
-index 199d1849b826..087baad83eed 100644
---- a/pppd/eap.h
-+++ b/pppd/eap.h
-@@ -84,6 +84,16 @@ enum eap_state_code {
- 	eapClosed,	/* Authentication not in use */
- 	eapListen,	/* Client ready (and timer running) */
- 	eapIdentify,	/* EAP Identify sent */
-+	eapTlsStart,	/* Send EAP-TLS start packet */
-+	eapTlsRecv,	/* Receive EAP-TLS tls data */
-+	eapTlsSendAck,	/* Send EAP-TLS ack */
-+	eapTlsSend,	/* Send EAP-TLS tls data */
-+	eapTlsRecvAck,	/* Receive EAP-TLS ack */
-+	eapTlsRecvClient, 	/* Receive EAP-TLS auth response from client*/
-+	eapTlsSendAlert,	/* Send EAP-TLS tls alert (server)*/
-+	eapTlsRecvAlertAck,	/* Receive EAP-TLS ack after sending alert */
-+	eapTlsRecvSuccess,	/* Receive EAP success */
-+	eapTlsRecvFailure,	/* Receive EAP failure */
- 	eapSRP1,	/* Sent EAP SRP-SHA1 Subtype 1 */
- 	eapSRP2,	/* Sent EAP SRP-SHA1 Subtype 2 */
- 	eapSRP3,	/* Sent EAP SRP-SHA1 Subtype 3 */
-@@ -95,9 +105,18 @@ enum eap_state_code {
- 
- #define	EAP_STATES	\
- 	"Initial", "Pending", "Closed", "Listen", "Identify", \
-+	"TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
-+	"TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
- 	"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
- 
--#define	eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
-+#ifdef USE_EAPTLS
-+#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial &&\
-+				 (esp)->es_client.ea_state != eapPending &&\
-+				 (esp)->es_client.ea_state != eapClosed)
-+#else
-+#define eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
-+#endif /* USE_EAPTLS */
-+
- #define	eap_server_active(esp)	\
- 	((esp)->es_server.ea_state >= eapIdentify && \
- 	 (esp)->es_server.ea_state <= eapMD5Chall)
-@@ -112,11 +131,17 @@ struct eap_auth {
- 	u_short ea_namelen;	/* Length of our name */
- 	u_short ea_peerlen;	/* Length of peer's name */
- 	enum eap_state_code ea_state;
-+#ifdef USE_EAPTLS
-+	enum eap_state_code ea_prev_state;
-+#endif
- 	u_char ea_id;		/* Current id */
- 	u_char ea_requests;	/* Number of Requests sent/received */
- 	u_char ea_responses;	/* Number of Responses */
- 	u_char ea_type;		/* One of EAPT_* */
- 	u_int32_t ea_keyflags;	/* SRP shared key usage flags */
-+#ifdef USE_EAPTLS
-+	bool ea_using_eaptls;
-+#endif
- };
- 
- /*
-@@ -139,7 +164,12 @@ typedef struct eap_state {
-  * Timeouts.
-  */
- #define	EAP_DEFTIMEOUT		3	/* Timeout (seconds) for rexmit */
-+#ifdef USE_EAPTLS
-+#define	EAP_DEFTRANSMITS	30	/* max # times to transmit */
-+					/* certificates can be long ... */
-+#else
- #define	EAP_DEFTRANSMITS	10	/* max # times to transmit */
-+#endif /* USE_EAPTLS */
- #define	EAP_DEFREQTIME		20	/* Time to wait for peer request */
- #define	EAP_DEFALLOWREQ		20	/* max # times to accept requests */
- 
-diff --git a/pppd/md5.c b/pppd/md5.c
-index f1291ce1bd72..6f8f7207c592 100644
---- a/pppd/md5.c
-+++ b/pppd/md5.c
-@@ -33,6 +33,8 @@
-  ***********************************************************************
-  */
- 
-+#ifndef USE_EAPTLS
-+
- #include <string.h>
- #include "md5.h"
- 
-@@ -305,3 +307,5 @@ UINT4 *in;
-  ** End of md5.c                                                      **
-  ******************************** (cut) ********************************
-  */
-+#endif /* USE_EAPTLS */
-+
-diff --git a/pppd/md5.h b/pppd/md5.h
-index 71e8b00e2dde..14d712171c5e 100644
---- a/pppd/md5.h
-+++ b/pppd/md5.h
-@@ -36,6 +36,7 @@
-  ** documentation and/or software.                                    **
-  ***********************************************************************
-  */
-+#ifndef USE_EAPTLS
- 
- #ifndef __MD5_INCLUDE__
- 
-@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
- 
- #define __MD5_INCLUDE__
- #endif /* __MD5_INCLUDE__ */
-+
-+#endif /* USE_EAPTLS */
-diff --git a/pppd/pathnames.h b/pppd/pathnames.h
-index 46972601fc92..72c2f5b191ee 100644
---- a/pppd/pathnames.h
-+++ b/pppd/pathnames.h
-@@ -21,6 +21,13 @@
- #define _PATH_UPAPFILE 	 _ROOT_PATH "/etc/ppp/pap-secrets"
- #define _PATH_CHAPFILE 	 _ROOT_PATH "/etc/ppp/chap-secrets"
- #define _PATH_SRPFILE 	 _ROOT_PATH "/etc/ppp/srp-secrets"
-+
-+#ifdef USE_EAPTLS
-+#define _PATH_EAPTLSCLIFILE	_ROOT_PATH "/etc/ppp/eaptls-client"
-+#define _PATH_EAPTLSSERVFILE	_ROOT_PATH "/etc/ppp/eaptls-server"
-+#define _PATH_OPENSSLCONFFILE	_ROOT_PATH "/etc/ppp/openssl.cnf"
-+#endif /* USE_EAPTLS */
-+
- #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
- #define _PATH_IPUP	 _ROOT_PATH "/etc/ppp/ip-up"
- #define _PATH_IPDOWN	 _ROOT_PATH "/etc/ppp/ip-down"
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 0f9d37d2953b..bc29968d44c9 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -4,6 +4,9 @@ CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
- LDFLAGS	= $(LDOPTS)
- INSTALL	= install
- 
-+# EAP-TLS
-+CFLAGS += -DUSE_EAPTLS=1
-+
- DESTDIR = $(INSTROOT)@DESTDIR@
- BINDIR = $(DESTDIR)/sbin
- MANDIR = $(DESTDIR)/share/man/man8
-diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
-index babb6dc31bab..6ba73cae2795 100644
---- a/pppd/plugins/passprompt.c
-+++ b/pppd/plugins/passprompt.c
-@@ -107,4 +107,7 @@ void plugin_init(void)
- {
-     add_options(options);
-     pap_passwd_hook = promptpass;
-+#ifdef USE_EAPTLS
-+    eaptls_passwd_hook = promptpass;
-+#endif
- }
-diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
-index d718f3bdf81d..c3f9793e41a0 100644
---- a/pppd/plugins/passwordfd.c
-+++ b/pppd/plugins/passwordfd.c
-@@ -79,4 +79,8 @@ void plugin_init (void)
- 
-     chap_check_hook = pwfd_check;
-     chap_passwd_hook = pwfd_passwd;
-+
-+#ifdef USE_EAPTLS
-+    eaptls_passwd_hook = pwfd_passwd;
-+#endif
- }
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 65bbe721f761..8afa2d1186e2 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
- compression in the corresponding direction.  Use \fInobsdcomp\fR or
- \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
- .TP
-+.B ca \fIca-file
-+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
-+(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
-+This option is used on the client-side in conjunction with the \fBcert\fR
-+and \fBkey\fR options.
-+.TP
- .B cdtrcts
- Use a non-standard hardware flow control (i.e. DTR/CTS) to control
- the flow of data on the serial port.  If neither the \fIcrtscts\fR,
-@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true
- bi-directional flow control. The sacrifice is that this flow
- control mode does not permit using DTR as a modem control line.
- .TP
-+.B cert \fIcertfile
-+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM
-+format), needed for setting up an EAP-TLS connection. This option is
-+used on the client-side in conjunction with the \fBca\fR and
-+\fBkey\fR options.
-+.TP
- .B chap\-interval \fIn
- If this option is given, pppd will rechallenge the peer every \fIn\fR
- seconds.
-@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet.  The default value is
- 1000 (1 second).  This wait period only applies if the \fBconnect\fR
- or \fBpty\fR option is used.
- .TP
-+.B crl \fIfilename
-+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
-+to check for the validity of the peer's certificate. This option is not
-+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
-+option.
-+.TP
-+.B crl-dir \fIdirectory
-+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
-+has format ($hash.r0) to check for the validity of the peer's certificate.
-+This option is not mandatory for setting up an EAP-TLS connection.
-+Also see the \fBcrl\fR option.
-+.TP
- .B debug
- Enables connection debugging facilities.
- If this option is given, pppd will log the contents of all
-@@ -561,6 +585,12 @@ transmitted packets be printed.  On most systems, messages printed by
- the kernel are logged by syslog(1) to a file as directed in the
- /etc/syslog.conf configuration file.
- .TP
-+.B key \fIkeyfile
-+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM
-+format), needed for setting up an EAP-TLS connection. This option is
-+used on the client-side in conjunction with the \fBca\fR and
-+\fBcert\fR options.
-+.TP
- .B ktune
- Enables pppd to alter kernel settings as appropriate.  Under Linux,
- pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
-@@ -724,6 +754,9 @@ name to \fIname\fR.)
- Disable Address/Control compression in both directions (send and
- receive).
- .TP
-+.B need-peer-eap
-+(EAP-TLS) Require the peer to verify our authentication credentials.
-+.TP
- .B noauth
- Do not require the peer to authenticate itself.  This option is
- privileged.
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 567d702181ca..195cbe3c6ffb 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -338,6 +338,11 @@ extern bool	dump_options;	/* print out option values */
- extern bool	dryrun;		/* check everything, print options, exit */
- extern int	child_wait;	/* # seconds to wait for children at end */
- 
-+#ifdef USE_EAPTLS
-+extern char	*crl_dir;
-+extern char	*crl_file;
-+#endif /* USE_EAPTLS */
-+
- #ifdef MAXOCTETS
- extern unsigned int maxoctets;	     /* Maximum octetes per session (in bytes) */
- extern int       maxoctets_dir;      /* Direction :
-@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void));
- extern int (*chap_passwd_hook) __P((char *user, char *passwd));
- extern void (*multilink_join_hook) __P((void));
- 
-+#ifdef USE_EAPTLS
-+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
-+#endif
-+
- /* Let a plugin snoop sent and received packets.  Useful for L2TP */
- extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
- extern void (*snoop_send_hook) __P((unsigned char *p, int len));
diff --git a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
deleted file mode 100644
index bf83278a9..000000000
--- a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
-Date: Fri, 6 Apr 2018 14:27:18 +0200
-Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875]
-
-It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped
-libcrypt.  The libxcrypt standalone package can be used instead, but
-it dropped the old setkey/encrypt API which ppp uses for DES.  There
-is support for using openssl in pppcrypt.c, but it contains typos
-preventing it from compiling and seems to be written for an ancient
-openssl version.
-
-This updates the code to use current openssl.
-
-[paulus@ozlabs.org - wrote the commit description, fixed comment in
- Makefile.linux.]
-
-Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/Makefile.linux |  7 ++++---
- pppd/pppcrypt.c     | 18 +++++++++---------
- 2 files changed, 13 insertions(+), 12 deletions(-)
-
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 58a634ce8c3b..cb9d4f9dcf22 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -35,10 +35,10 @@ endif
- COPTS = -O2 -pipe -Wall -g
- LIBS = -lcrypto
- 
--# Uncomment the next 2 lines to include support for Microsoft's
-+# Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
- CHAPMS=y
--USE_CRYPT=y
-+#USE_CRYPT=y
- # Don't use MSLANMAN unless you really know what you're doing.
- #MSLANMAN=y
- # Uncomment the next line to include support for MPPE.  CHAPMS (above) must
-@@ -138,7 +138,8 @@ endif
- 
- ifdef NEEDDES
- ifndef USE_CRYPT
--LIBS     += -ldes $(LIBS)
-+CFLAGS   += -I/usr/include/openssl
-+LIBS     += -lcrypto
- else
- CFLAGS   += -DUSE_CRYPT=1
- endif
-diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
-index 8b85b13276ab..6b35375edc5e 100644
---- a/pppd/pppcrypt.c
-+++ b/pppd/pppcrypt.c
-@@ -64,7 +64,7 @@ u_char *des_key;	/* OUT 64 bit DES key with parity bits added */
- 	des_key[7] = Get7Bits(key, 49);
- 
- #ifndef USE_CRYPT
--	des_set_odd_parity((des_cblock *)des_key);
-+	DES_set_odd_parity((DES_cblock *)des_key);
- #endif
- }
- 
-@@ -158,25 +158,25 @@ u_char *clear;	/* OUT 8 octets */
- }
- 
- #else /* USE_CRYPT */
--static des_key_schedule	key_schedule;
-+static DES_key_schedule	key_schedule;
- 
- bool
- DesSetkey(key)
- u_char *key;
- {
--	des_cblock des_key;
-+	DES_cblock des_key;
- 	MakeKey(key, des_key);
--	des_set_key(&des_key, key_schedule);
-+	DES_set_key(&des_key, &key_schedule);
- 	return (1);
- }
- 
- bool
--DesEncrypt(clear, key, cipher)
-+DesEncrypt(clear, cipher)
- u_char *clear;	/* IN  8 octets */
- u_char *cipher;	/* OUT 8 octets */
- {
--	des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
--	    key_schedule, 1);
-+	DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
-+	    &key_schedule, 1);
- 	return (1);
- }
- 
-@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
- u_char *cipher;	/* IN  8 octets */
- u_char *clear;	/* OUT 8 octets */
- {
--	des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
--	    key_schedule, 0);
-+	DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
-+	    &key_schedule, 0);
- 	return (1);
- }
- 
diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series
deleted file mode 100644
index 6aeaf1984..000000000
--- a/patches/ppp-2.4.7/series
+++ /dev/null
@@ -1,46 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-abort-on-errors-in-subdir-builds.patch
-0002-scripts-Avoid-killing-wrong-pppd.patch
-0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
-0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
-0005-Send-PADT-on-PPPoE-disconnect.patch
-0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
-0007-pppd-Fix-ccp_options.mppe-type.patch
-0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
-0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
-0010-plog-count-only-relevant-lines-from-syslog.patch
-0011-Change-include-from-sys-errno.h-to-errno.h.patch
-0012-pppd-allow-use-of-arbitrary-interface-names.patch
-0013-pppd-Remove-unused-declaration-of-ttyname.patch
-0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
-0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
-0016-adaptive_echos.patch
-0017-Makefiles-cleanup.patch
-0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
-0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
-0020-support-building-pppdump-with-the-system-zlib.patch
-0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
-0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
-0023-pppoe_noads.patch
-0024-make-_PATH_CONNERRS-world-readable.patch
-0025-Correct-unkown-unknown-typo.patch
-0026-pppoe-custom-host-uniq-tag.patch
-0027-Add-replacedefaultroute-option.patch
-0028-ppp-2.3.11-oedod.dif.patch
-0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
-0030-018_ip-up_option.patch
-0031-ppp-2.4.2-stripMSdomain.patch
-0032-export-CALL_FILE-to-the-link-scripts.patch
-0033-ipv6-accept-remote.patch
-0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
-0035-resolv.conf_no_log.patch
-0036-Debian-specific-changes.patch
-0037-Fix-buffer-overflow-in-rc_mksid.patch
-0038-EAP-TLS-authentication-support-for-PPP.patch
-0039-Replace-vendored-hash-functions-with-libcrypto.patch
-0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
-#tag:ptx --start-number 100
-0100-pppd-make-makefile-sysroot-aware.patch
-0101-pppd-make-the-self-made-configure-cross-aware.patch
-# b0e349fd34b2aac1a9ba4ffb38f43be0  - git-ptx-patches magic
diff --git a/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
new file mode 100644
index 000000000..c83b64b1c
--- /dev/null
+++ b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
+Date: Fri, 8 Jan 2021 02:43:46 +0100
+Subject: [PATCH] configure: Allow commas in the CFLAGS (#220)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It allows e.g. the following:
+./configure --cflags='-Wp,-D_FORTIFY_SOURCE=2'
+
+Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index f977663fd8db..b0c3d2b49122 100755
+--- a/configure
++++ b/configure
+@@ -123,7 +123,7 @@ mkmkf() {
+ 	echo "  $2 <= $1"
+ 	sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
+ 	    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
+-	    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
++	    -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2
+     fi
+ }
+ 
diff --git a/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
new file mode 100644
index 000000000..33cf002db
--- /dev/null
+++ b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
@@ -0,0 +1,55 @@
+From: pali <7141871+pali@users.noreply.github.com>
+Date: Mon, 15 Feb 2021 07:54:01 +0100
+Subject: [PATCH] pppd: Fix compilation with older glibc or kernel headers
+ (#248)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel
+versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback
+definitions for these macros into pppd/sys-linux.c file.
+
+Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+---
+ pppd/sys-linux.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
+index 85033d97124f..50c4f2dab403 100644
+--- a/pppd/sys-linux.c
++++ b/pppd/sys-linux.c
+@@ -125,6 +125,14 @@
+ #include <linux/netlink.h>
+ #include <linux/rtnetlink.h>
+ #include <linux/if_addr.h>
++/* glibc versions prior to 2.24 do not define SOL_NETLINK */
++#ifndef SOL_NETLINK
++#define SOL_NETLINK 270
++#endif
++/* linux kernel versions prior to 4.3 do not define/support NETLINK_CAP_ACK */
++#ifndef NETLINK_CAP_ACK
++#define NETLINK_CAP_ACK 10
++#endif
+ #endif
+ 
+ #include "pppd.h"
+@@ -2843,7 +2851,15 @@ static int append_peer_ipv6_address(unsigned int iface, struct in6_addr *local_a
+     if (fd < 0)
+         return 0;
+ 
+-    /* do not ask for error message content */
++    /*
++     * Tell kernel to not send to us payload of acknowledgment error message.
++     * NETLINK_CAP_ACK option is supported since Linux kernel version 4.3 and
++     * older kernel versions always send full payload in acknowledgment netlink
++     * message. We ignore payload of this message as we need only error code,
++     * to check if our set remote peer address request succeeded or failed.
++     * So ignore return value from the following setsockopt() call as setting
++     * option NETLINK_CAP_ACK means for us just a kernel hint / optimization.
++     */
+     one = 1;
+     setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &one, sizeof(one));
+ 
diff --git a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
similarity index 63%
rename from patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
rename to patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
index ef8265d43..383be9d60 100644
--- a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
+++ b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
@@ -1,19 +1,25 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:48 +0200
 Subject: [PATCH] support building pppdump with the system zlib
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Forwarded: https://github.com/paulusmack/ppp/pull/189
+but nacked: "it caused compile failures (on Fedora at least), which
+reminded me that the zlib.c here is not the same as upstream; it has
+extra functions that I added a long time ago."
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+
+Imported from ppp_2.4.9-1+1.debian.tar.xz
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
  pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++--
  1 file changed, 26 insertions(+), 2 deletions(-)
 
 diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index 65e5c14914fb..87777fab5e94 100644
+index a94187fa9e29..de7e574d10e1 100644
 --- a/pppdump/Makefile.linux
 +++ b/pppdump/Makefile.linux
-@@ -2,18 +2,42 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+@@ -6,15 +6,39 @@ DESTDIR = $(INSTROOT)@DESTDIR@
  BINDIR = $(DESTDIR)/sbin
  MANDIR = $(DESTDIR)/share/man/man8
  
@@ -21,10 +27,7 @@ index 65e5c14914fb..87777fab5e94 100644
 +DO_BSD_COMPRESS=y
 +HAVE_ZLIB=n
 +
- COPTS=-O2 -g
- CFLAGS= $(COPTS) -I../include/net
- LDFLAGS=$(LDOPTS)
- 
+ CFLAGS = $(COPTS) -I../include/net
 -OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
 +OBJS = pppdump.o
 +LIBS =
@@ -40,14 +43,14 @@ index 65e5c14914fb..87777fab5e94 100644
 +else
 +CFLAGS += -DDO_DEFLATE=0
 +endif
-+
+ 
 +ifdef DO_BSD_COMPRESS
 +CFLAGS += -DDO_BSD_COMPRESS=1
 +OBJS += bsd-comp.o
 +else
 +CFLAGS += -DDO_BSD_COMPRESS=0
 +endif
- 
++ 
  INSTALL= install
  
  all:	pppdump
diff --git a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
similarity index 89%
rename from patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
rename to patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
index 2fb9c5573..882c913aa 100644
--- a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
+++ b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
@@ -1,5 +1,5 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:48 +0200
 Subject: [PATCH] disable unneeded code in the pppoatm plugin
 
 This patch halves the size of the PPPoA plugin by disabling features
@@ -13,9 +13,9 @@ plugin with the real libatm. I really doubt anybody cares, anyway.
 
 
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Imported from ppp_2.4.9-1+1.debian.tar.xz
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
  pppd/plugins/pppoatm/Makefile.linux | 4 ++++
  pppd/plugins/pppoatm/pppoatm.c      | 4 ++++
@@ -23,10 +23,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  3 files changed, 12 insertions(+)
 
 diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
-index 002603c6cbef..76d81aced70a 100644
+index d3a8086b69ea..036b193637df 100644
 --- a/pppd/plugins/pppoatm/Makefile.linux
 +++ b/pppd/plugins/pppoatm/Makefile.linux
-@@ -25,9 +25,13 @@ ifdef HAVE_LIBATM
+@@ -26,9 +26,13 @@ ifdef HAVE_LIBATM
  LIBS := -latm
  else
  CFLAGS += -I.
@@ -41,10 +41,10 @@ index 002603c6cbef..76d81aced70a 100644
  #*********
  all: $(PLUGIN)
 diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
-index d693350bc473..a7560e9fb0c6 100644
+index 5a3ecd61b6a2..90d0c9a85d9f 100644
 --- a/pppd/plugins/pppoatm/pppoatm.c
 +++ b/pppd/plugins/pppoatm/pppoatm.c
-@@ -142,8 +142,12 @@ static int connect_pppoatm(void)
+@@ -145,8 +145,12 @@ static int connect_pppoatm(void)
  	qos.txtp.traffic_class = qos.rxtp.traffic_class = ATM_UBR;
  	/* TODO: support simplified QoS setting */
  	if (qosstr != NULL)
diff --git a/patches/ppp-2.4.9/0102-pppoe_noads.patch b/patches/ppp-2.4.9/0102-pppoe_noads.patch
new file mode 100644
index 000000000..6629d4194
--- /dev/null
+++ b/patches/ppp-2.4.9/0102-pppoe_noads.patch
@@ -0,0 +1,24 @@
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:48 +0200
+Subject: [PATCH] pppoe_noads
+
+Imported from ppp_2.4.9-1+1.debian.tar.xz
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
+---
+ pppd/plugins/pppoe/plugin.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
+index de9b8166ce7b..58fbdf95be3f 100644
+--- a/pppd/plugins/pppoe/plugin.c
++++ b/pppd/plugins/pppoe/plugin.c
+@@ -412,8 +412,6 @@ plugin_init(void)
+     }
+ 
+     add_options(Options);
+-
+-    info("PPPoE plugin from pppd %s", VERSION);
+ }
+ 
+ void pppoe_check_options(void)
diff --git a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
similarity index 72%
rename from patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
rename to patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
index 8151c3be2..38eb5b791 100644
--- a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
+++ b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
@@ -1,10 +1,22 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] ppp-2.3.11-oedod.dif
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:48 +0200
+Subject: [PATCH] Forwarded: https://github.com/paulusmack/ppp/issues/187
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Upstream said:
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+"
+Hmmm, dial-on-demand was never tested with the sync option, and in fact I don't
+know what devices would use that option.
+
+To be accepted, the patch would need a sign-off and a description that
+explained the changes in the patch - in particular, what the large lump of code
+added to demand_rexmit() is doing.
+"
+
+
+Imported from ppp_2.4.9-1+1.debian.tar.xz
+
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
  pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
  pppd/ipcp.c   |  2 +-
@@ -13,7 +25,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  4 files changed, 101 insertions(+), 4 deletions(-)
 
 diff --git a/pppd/demand.c b/pppd/demand.c
-index 5e57658ea831..3eddf3016d98 100644
+index 289c9f8fdd57..4c61444d3968 100644
 --- a/pppd/demand.c
 +++ b/pppd/demand.c
 @@ -36,6 +36,8 @@
@@ -34,7 +46,7 @@ index 5e57658ea831..3eddf3016d98 100644
  #ifdef PPP_FILTER
  #include <pcap-bpf.h>
  #endif
-@@ -221,6 +225,14 @@ loop_chars(p, n)
+@@ -218,6 +222,14 @@ loop_chars(unsigned char *p, int n)
      int c, rv;
  
      rv = 0;
@@ -49,14 +61,12 @@ index 5e57658ea831..3eddf3016d98 100644
      for (; n > 0; --n) {
  	c = *p++;
  	if (c == PPP_FLAG) {
-@@ -299,17 +311,102 @@ loop_frame(frame, len)
+@@ -294,16 +306,101 @@ loop_frame(unsigned char *frame, int len)
   * loopback, now that the real serial link is up.
   */
  void
--demand_rexmit(proto)
-+demand_rexmit(proto, newip)
-     int proto;
-+    u_int32_t newip;
+-demand_rexmit(int proto)
++demand_rexmit(int proto, u_int32_t newip)
  {
      struct packet *pkt, *prev, *nextpkt;
 +    unsigned short checksum;
@@ -69,9 +79,11 @@ index 5e57658ea831..3eddf3016d98 100644
      prev = NULL;
      pkt = pend_q;
      pend_q = NULL;
++
 +    tv.tv_sec = 1;
 +    tv.tv_usec = 0;
-+    select(0,NULL,NULL,NULL,&tv);	/* Sleep for 1 Seconds */
++    select(0,NULL,NULL,NULL,&tv);	/* Sleep for 1 Second */
++
      for (; pkt != NULL; pkt = nextpkt) {
  	nextpkt = pkt->next;
  	if (PPP_PROTOCOL(pkt->data) == proto) {
@@ -83,7 +95,6 @@ index 5e57658ea831..3eddf3016d98 100644
 +                if (checksum == 0xFFFF) {
 +                    checksum = 0;
 +                }
-+
 + 
 +                if (pkt->data[13] == 17) {
 +                    pkt_checksum =  *((unsigned short *) (pkt->data+10+iphdr));
@@ -154,10 +165,10 @@ index 5e57658ea831..3eddf3016d98 100644
  	    free(pkt);
  	} else {
 diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index c8fe279d4ede..dceca807542a 100644
+index 302ca40b4c83..3ac26a08032a 100644
 --- a/pppd/ipcp.c
 +++ b/pppd/ipcp.c
-@@ -1904,7 +1904,7 @@ ipcp_up(f)
+@@ -1850,7 +1850,7 @@ ipcp_up(fsm *f)
  		    proxy_arp_set[f->unit] = 1;
  
  	}
@@ -167,12 +178,12 @@ index c8fe279d4ede..dceca807542a 100644
  
      } else {
 diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
-index 356ff84ead41..c1602f41c206 100644
+index 431cb62211bf..a32b0002e10d 100644
 --- a/pppd/ipv6cp.c
 +++ b/pppd/ipv6cp.c
-@@ -1232,7 +1232,7 @@ ipv6cp_up(f)
- 	    }
- 
+@@ -1253,7 +1253,7 @@ ipv6cp_up(fsm *f)
+ 		if (sif6defaultroute(f->unit, go->ourid, ho->hisid))
+ 		    default_route_set[f->unit] = 1;
  	}
 -	demand_rexmit(PPP_IPV6);
 +	demand_rexmit(PPP_IPV6,0);
@@ -180,15 +191,15 @@ index 356ff84ead41..c1602f41c206 100644
  
      } else {
 diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 7495df657fe9..e65106d4c126 100644
+index 612902f55d0d..10a9977598aa 100644
 --- a/pppd/pppd.h
 +++ b/pppd/pppd.h
-@@ -594,7 +594,7 @@ void demand_conf __P((void));	/* config interface(s) for demand-dial */
- void demand_block __P((void));	/* set all NPs to queue up packets */
- void demand_unblock __P((void)); /* set all NPs to pass packets */
- void demand_discard __P((void)); /* set all NPs to discard packets */
--void demand_rexmit __P((int));	/* retransmit saved frames for an NP */
-+void demand_rexmit __P((int, u_int32_t)); /* retransmit saved frames for an NP*/
- int  loop_chars __P((unsigned char *, int)); /* process chars from loopback */
- int  loop_frame __P((unsigned char *, int)); /* should we bring link up? */
+@@ -598,7 +598,7 @@ void demand_conf(void);	/* config interface(s) for demand-dial */
+ void demand_block(void);	/* set all NPs to queue up packets */
+ void demand_unblock(void); /* set all NPs to pass packets */
+ void demand_discard(void); /* set all NPs to discard packets */
+-void demand_rexmit(int);	/* retransmit saved frames for an NP */
++void demand_rexmit(int, u_int32_t);	/* retransmit saved frames for an NP */
+ int  loop_chars(unsigned char *, int); /* process chars from loopback */
+ int  loop_frame(unsigned char *, int); /* should we bring link up? */
  
diff --git a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
similarity index 56%
rename from patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
rename to patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
index aea6b2082..66265aa6c 100644
--- a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
+++ b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
@@ -1,19 +1,19 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:48 +0200
 Subject: [PATCH] resolv.conf_no_log
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Imported from ppp_2.4.9-1+1.debian.tar.xz
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
  pppd/ipcp.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index d6e0e2a699fe..b81b2fd0a29f 100644
+index 3ac26a08032a..ce002262bb34 100644
 --- a/pppd/ipcp.c
 +++ b/pppd/ipcp.c
-@@ -2152,7 +2152,7 @@ create_resolv(peerdns1, peerdns2)
+@@ -2093,7 +2093,7 @@ create_resolv(u_int32_t peerdns1, u_int32_t peerdns2)
  
      f = fopen(_PATH_RESOLV, "w");
      if (f == NULL) {
diff --git a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch
similarity index 62%
rename from patches/ppp-2.4.7/0036-Debian-specific-changes.patch
rename to patches/ppp-2.4.9/0105-Debian-specific-changes.patch
index 9576af118..86bba35f9 100644
--- a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch
+++ b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch
@@ -1,23 +1,27 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:49 +0200
 Subject: [PATCH] Debian-specific changes.
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Imported from ppp_2.4.9-1+1.debian.tar.xz
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
- pppd/Makefile.linux    | 6 ++----
+ pppd/Makefile.linux    | 6 +++---
  pppd/pathnames.h       | 2 +-
  pppd/pppd.h            | 2 +-
  pppdump/Makefile.linux | 4 ++--
- 4 files changed, 6 insertions(+), 8 deletions(-)
+ 4 files changed, 7 insertions(+), 7 deletions(-)
 
 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 16b3ee879791..5549145e5791 100644
+index 22837c50415e..bbb476827cea 100644
 --- a/pppd/Makefile.linux
 +++ b/pppd/Makefile.linux
-@@ -61,14 +61,14 @@ HAVE_MULTILINK=y
- USE_TDB=y
+@@ -64,17 +64,17 @@ USE_TDB=y
+ # Uncomment the next line to enable Type=notify services in systemd
+ # If enabled, and the user sets the up_sdnotify option, then
+ # pppd will not detach and will notify systemd when up.
+-#SYSTEMD=y
++SYSTEMD=y
  
  HAS_SHADOW=y
 -#USE_PAM=y
@@ -33,23 +37,11 @@ index 16b3ee879791..5549145e5791 100644
  
  # Enable EAP SRP-SHA1 authentication (requires libsrp)
  #USE_SRP=y
-@@ -178,11 +178,9 @@ LIBS	+= -ldl
- endif
- 
- ifdef FILTER
--ifneq ($(wildcard /usr/include/pcap-bpf.h),)
- LIBS    += -lpcap
- CFLAGS  += -DPPP_FILTER
- endif
--endif
- 
- ifdef HAVE_INET6
-      PPPDSRCS += ipv6cp.c eui64.c
 diff --git a/pppd/pathnames.h b/pppd/pathnames.h
-index a33f0466c9d6..46972601fc92 100644
+index 524d608ce12c..2df61354f40e 100644
 --- a/pppd/pathnames.h
 +++ b/pppd/pathnames.h
-@@ -28,7 +28,7 @@
+@@ -33,7 +33,7 @@
  #define _PATH_AUTHUP	 _ROOT_PATH "/etc/ppp/auth-up"
  #define _PATH_AUTHDOWN	 _ROOT_PATH "/etc/ppp/auth-down"
  #define _PATH_TTYOPT	 _ROOT_PATH "/etc/ppp/options."
@@ -59,10 +51,10 @@ index a33f0466c9d6..46972601fc92 100644
  #define _PATH_RESOLV	 _ROOT_PATH "/etc/ppp/resolv.conf"
  
 diff --git a/pppd/pppd.h b/pppd/pppd.h
-index b11670586244..567d702181ca 100644
+index 10a9977598aa..a14483b76acc 100644
 --- a/pppd/pppd.h
 +++ b/pppd/pppd.h
-@@ -870,7 +870,7 @@ extern void (*snoop_send_hook) __P((unsigned char *p, int len));
+@@ -879,7 +879,7 @@ extern void (*snoop_send_hook)(unsigned char *p, int len);
    || defined(DEBUGCHAP) || defined(DEBUG) || defined(DEBUGIPV6CP)
  #define LOG_PPP LOG_LOCAL2
  #else
@@ -72,10 +64,10 @@ index b11670586244..567d702181ca 100644
  #endif /* LOG_PPP */
  
 diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index 87777fab5e94..1eeeafe20111 100644
+index de7e574d10e1..04b1c10b34c7 100644
 --- a/pppdump/Makefile.linux
 +++ b/pppdump/Makefile.linux
-@@ -2,9 +2,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+@@ -6,9 +6,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
  BINDIR = $(DESTDIR)/sbin
  MANDIR = $(DESTDIR)/share/man/man8
  
@@ -85,5 +77,5 @@ index 87777fab5e94..1eeeafe20111 100644
 -HAVE_ZLIB=n
 +HAVE_ZLIB=y
  
- COPTS=-O2 -g
- CFLAGS= $(COPTS) -I../include/net
+ CFLAGS = $(COPTS) -I../include/net
+ OBJS = pppdump.o
diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
similarity index 92%
rename from patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
rename to patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
index a08af544a..8597cf9a5 100644
--- a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
+++ b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
@@ -1,5 +1,5 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
+From: Alexander Dahl <ada@thorsis.com>
+Date: Wed, 16 Jun 2021 18:22:49 +0200
 Subject: [PATCH] Replace vendored hash functions with libcrypto
 
 Bug-Debian: https://bugs.debian.org/826625
@@ -14,24 +14,24 @@ preferable both due to the patch being slightly less invasive and also because
 of our use of the EAP-TLS patch which requires OpenSSL.
 
 
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Imported from ppp_2.4.9-1+1.debian.tar.xz
 
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Signed-off-by: Alexander Dahl <ada@thorsis.com>
 ---
- pppd/Makefile.linux          |  25 ++--
+ pppd/Makefile.linux          |  28 +---
  pppd/chap-md5.c              |   2 +-
  pppd/chap_ms.c               |  40 ++----
- pppd/eap.c                   |   2 +-
- pppd/md4.c                   | 299 -----------------------------------------
- pppd/md4.h                   |  64 ---------
- pppd/md5.c                   | 311 -------------------------------------------
- pppd/md5.h                   |  68 ----------
+ pppd/eap.c                   |   3 +-
+ pppd/md4.c                   | 290 -----------------------------------------
+ pppd/md4.h                   |  55 --------
+ pppd/md5.c                   | 299 -------------------------------------------
+ pppd/md5.h                   |  65 ----------
  pppd/plugins/radius/md5.c    |   2 +-
  pppd/plugins/radius/radius.c |   2 +-
  pppd/plugins/winbind.c       |   2 +-
- pppd/sha1.c                  | 170 -----------------------
+ pppd/sha1.c                  | 171 -------------------------
  pppd/sha1.h                  |  31 -----
- 13 files changed, 28 insertions(+), 990 deletions(-)
+ 13 files changed, 27 insertions(+), 963 deletions(-)
  delete mode 100644 pppd/md4.c
  delete mode 100644 pppd/md4.h
  delete mode 100644 pppd/md5.c
@@ -40,10 +40,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
  delete mode 100644 pppd/sha1.h
 
 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 4a11d5fea748..58a634ce8c3b 100644
+index bbb476827cea..bc01e3fd2a24 100644
 --- a/pppd/Makefile.linux
 +++ b/pppd/Makefile.linux
-@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include
+@@ -15,16 +15,16 @@ INCDIR = $(DESTDIR)/include
  
  TARGETS = pppd
  
@@ -64,16 +64,16 @@ index 4a11d5fea748..58a634ce8c3b 100644
  	   ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \
  	   eap.o chap-md5.o session.o
  
-@@ -33,7 +33,7 @@ endif
- # CC = gcc
- #
- COPTS = -O2 -pipe -Wall -g
--LIBS =
-+LIBS = -lcrypto
+@@ -34,7 +34,7 @@ ifeq (.depend,$(wildcard .depend))
+ include .depend
+ endif
+ 
+-LIBS = -lrt
++LIBS = -lrt -lcrypto
  
- # Uncomment the next 2 lines to include support for Microsoft's
+ # Uncomment the next line to include support for Microsoft's
  # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
-@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS)
+@@ -98,8 +98,8 @@ CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
  ifdef CHAPMS
  CFLAGS   += -DCHAPMS=1
  NEEDDES=y
@@ -84,12 +84,11 @@ index 4a11d5fea748..58a634ce8c3b 100644
  ifdef MSLANMAN
  CFLAGS   += -DMSLANMAN=1
  endif
-@@ -104,25 +104,18 @@ endif
- # EAP SRP-SHA1
+@@ -113,26 +113,17 @@ endif
  ifdef USE_SRP
  CFLAGS	+= -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
--LIBS	+= -lsrp -L/usr/local/ssl/lib -lcrypto
-+LIBS	+= -lsrp -L/usr/local/ssl/lib
+ LIBS	+= -lsrp -L/usr/local/ssl/lib
+-NEEDCRYPTOLIB = y
  TARGETS	+= srp-entry
  EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
  MANPAGES += srp-entry.8
@@ -106,27 +105,50 @@ index 4a11d5fea748..58a634ce8c3b 100644
  
  # EAP-TLS
  ifdef USE_EAPTLS
- CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
--LIBS += -lssl -lcrypto
-+LIBS += -lssl
+ CFLAGS += -DUSE_EAPTLS=1
+ LIBS += -lssl
+-NEEDCRYPTOLIB = y
  PPPDSRC += eap-tls.c
  HEADERS += eap-tls.h
  PPPDOBJS += eap-tls.o
+@@ -156,7 +147,6 @@ endif
+ ifdef NEEDDES
+ ifndef USE_CRYPT
+ CFLAGS   += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
+-NEEDCRYPTOLIB = y
+ else
+ CFLAGS   += -DUSE_CRYPT=1
+ endif
+@@ -164,10 +154,6 @@ PPPDOBJS += pppcrypt.o
+ HEADERS += pppcrypt.h
+ endif
+ 
+-ifdef NEEDCRYPTOLIB
+-LIBS     += -lcrypto
+-endif
+-
+ # For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/.
+ ifdef USE_PAM
+ CFLAGS   += -DUSE_PAM
 diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
-index 269b52cb2041..7f7967a56842 100644
+index 77dd4ecc7059..d86564aa865a 100644
 --- a/pppd/chap-md5.c
 +++ b/pppd/chap-md5.c
-@@ -39,7 +39,7 @@
- #ifdef USE_EAPTLS
- #include "eap-tls.h"
- #else
--#include "md5.h"
+@@ -32,11 +32,11 @@
+ 
+ #include <stdlib.h>
+ #include <string.h>
 +#include <openssl/md5.h>
- #endif /* USE_EAPTLS */
+ #include "pppd.h"
+ #include "chap-new.h"
+ #include "chap-md5.h"
+ #include "magic.h"
+-#include "md5.h"
  
  #define MD5_HASH_SIZE		16
+ #define MD5_MIN_CHALLENGE	16
 diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
-index c2bd00f9c6f7..19edb85d27a8 100644
+index e6b84f203fc3..64848f20f660 100644
 --- a/pppd/chap_ms.c
 +++ b/pppd/chap_ms.c
 @@ -89,8 +89,8 @@
@@ -140,7 +162,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
  #include "pppcrypt.h"
  #include "magic.h"
  
-@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
+@@ -536,8 +536,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
  	      char *username, u_char Challenge[8])
      
  {
@@ -151,7 +173,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
      char	*user;
  
      /* remove domain from "domain\username" */
-@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
+@@ -575,23 +575,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
  static void
  NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE])
  {
@@ -178,7 +200,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
  
  }
  
-@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+@@ -672,8 +660,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
  	  0x6E };
  
      int		i;
@@ -189,7 +211,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
      u_char	Challenge[8];
  
      SHA1_Init(&sha1Context);
-@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain
+@@ -726,8 +714,8 @@ GenerateAuthenticatorResponsePlain
  void
  mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE])
  {
@@ -200,7 +222,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
  
      SHA1_Init(&sha1Context);
      SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
-@@ -769,9 +757,9 @@ void
+@@ -770,9 +758,9 @@ void
  mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
  	       u_char NTResponse[24], int IsServer)
  {
@@ -214,24 +236,27 @@ index c2bd00f9c6f7..19edb85d27a8 100644
      u_char SHApad1[40] =
  	{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
 diff --git a/pppd/eap.c b/pppd/eap.c
-index 032407c3dbb2..35d111015ff3 100644
+index 79146557bd32..d987888d9f20 100644
 --- a/pppd/eap.c
 +++ b/pppd/eap.c
-@@ -71,7 +71,7 @@
- #ifdef USE_EAPTLS
- #include "eap-tls.h"
- #else
--#include "md5.h"
+@@ -59,9 +59,10 @@
+ #include <assert.h>
+ #include <errno.h>
+ 
 +#include <openssl/md5.h>
- #endif /* USE_EAPTLS */
++
+ #include "pppd.h"
+ #include "pathnames.h"
+-#include "md5.h"
+ #include "eap.h"
  
- #ifdef USE_SRP
+ #ifdef CHAPMS
 diff --git a/pppd/md4.c b/pppd/md4.c
 deleted file mode 100644
-index d943e8885f2d..000000000000
+index 42a9b2e75d6e..000000000000
 --- a/pppd/md4.c
 +++ /dev/null
-@@ -1,299 +0,0 @@
+@@ -1,290 +0,0 @@
 -/*
 -** ********************************************************************
 -** md4.c -- Implementation of MD4 Message Digest Algorithm           **
@@ -321,8 +346,7 @@ index d943e8885f2d..000000000000
 -** This is a user-callable routine.
 -*/
 -void
--MD4Print(MDp)
--MD4_CTX *MDp;
+-MD4Print(MD4_CTX *MDp)
 -{
 -  int i,j;
 -  for (i=0;i<4;i++)
@@ -335,8 +359,7 @@ index d943e8885f2d..000000000000
 -** This is a user-callable routine.
 -*/
 -void
--MD4Init(MDp)
--MD4_CTX *MDp;
+-MD4Init(MD4_CTX *MDp)
 -{
 -  int i;
 -  MDp->buffer[0] = I0;
@@ -354,9 +377,7 @@ index d943e8885f2d..000000000000
 -** This routine is not user-callable.
 -*/
 -static void
--MDblock(MDp,Xb)
--MD4_CTX *MDp;
--unsigned char *Xb;
+-MDblock(MD4_CTX *MDp, unsigned char *Xb)
 -{
 -  register unsigned int tmp, A, B, C, D;
 -  unsigned int X[16];
@@ -440,10 +461,7 @@ index d943e8885f2d..000000000000
 -** if desired.
 -*/
 -void
--MD4Update(MDp,X,count)
--MD4_CTX *MDp;
--unsigned char *X;
--unsigned int count;
+-MD4Update(MD4_CTX *MDp, unsigned char *X, unsigned int count)
 -{
 -  unsigned int i, tmp, bit, byte, mask;
 -  unsigned char XX[64];
@@ -511,9 +529,7 @@ index d943e8885f2d..000000000000
 -** Finish up MD4 computation and return message digest.
 -*/
 -void
--MD4Final(buf, MD)
--unsigned char *buf;
--MD4_CTX *MD;
+-MD4Final(unsigned char *buf, MD4_CTX *MD)
 -{
 -  int i, j;
 -  unsigned int w;
@@ -533,10 +549,10 @@ index d943e8885f2d..000000000000
 -****************************(cut)***********************************/
 diff --git a/pppd/md4.h b/pppd/md4.h
 deleted file mode 100644
-index 80e8f9a2acca..000000000000
+index b6fc3f561faa..000000000000
 --- a/pppd/md4.h
 +++ /dev/null
-@@ -1,64 +0,0 @@
+@@ -1,55 +0,0 @@
 -
 -/*
 -** ********************************************************************
@@ -547,15 +563,6 @@ index 80e8f9a2acca..000000000000
 -** ********************************************************************
 -*/
 -
--#ifndef __P
--# if defined(__STDC__) || defined(__GNUC__)
--#  define __P(x) x
--# else
--#  define __P(x) ()
--# endif
--#endif
--
--
 -/* MDstruct is the data structure for a message digest computation.
 -*/
 -typedef struct {
@@ -568,7 +575,7 @@ index 80e8f9a2acca..000000000000
 -** Initialize the MD4_CTX prepatory to doing a message digest
 -** computation.
 -*/
--extern void MD4Init __P((MD4_CTX *MD));
+-extern void MD4Init(MD4_CTX *MD);
 -
 -/* MD4Update(MD,X,count)
 -** Input: X -- a pointer to an array of unsigned characters.
@@ -582,7 +589,7 @@ index 80e8f9a2acca..000000000000
 -** every MD computation should end with one call to MD4Update with a
 -** count less than 512.  Zero is OK for a count.
 -*/
--extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count));
+-extern void MD4Update(MD4_CTX *MD, unsigned char *X, unsigned int count);
 -
 -/* MD4Print(MD)
 -** Prints message digest buffer MD as 32 hexadecimal digits.
@@ -590,23 +597,23 @@ index 80e8f9a2acca..000000000000
 -** of buffer[3].
 -** Each byte is printed with high-order hexadecimal digit first.
 -*/
--extern void MD4Print __P((MD4_CTX *));
+-extern void MD4Print(MD4_CTX *);
 -
 -/* MD4Final(buf, MD)
 -** Returns message digest from MD and terminates the message
 -** digest computation.
 -*/
--extern void MD4Final __P((unsigned char *, MD4_CTX *));
+-extern void MD4Final(unsigned char *, MD4_CTX *);
 -
 -/*
 -** End of md4.h
 -****************************(cut)***********************************/
 diff --git a/pppd/md5.c b/pppd/md5.c
 deleted file mode 100644
-index 6f8f7207c592..000000000000
+index f7988e64141a..000000000000
 --- a/pppd/md5.c
 +++ /dev/null
-@@ -1,311 +0,0 @@
+@@ -1,299 +0,0 @@
 -
 -
 -/*
@@ -642,8 +649,6 @@ index 6f8f7207c592..000000000000
 - ***********************************************************************
 - */
 -
--#ifndef USE_EAPTLS
--
 -#include <string.h>
 -#include "md5.h"
 -
@@ -713,8 +718,7 @@ index 6f8f7207c592..000000000000
 -/* The routine MD5_Init initializes the message-digest context
 -   mdContext. All fields are set to zero.
 - */
--void MD5_Init (mdContext)
--MD5_CTX *mdContext;
+-void MD5_Init (MD5_CTX *mdContext)
 -{
 -  mdContext->i[0] = mdContext->i[1] = (UINT4)0;
 -
@@ -730,10 +734,7 @@ index 6f8f7207c592..000000000000
 -   account for the presence of each of the characters inBuf[0..inLen-1]
 -   in the message whose digest is being computed.
 - */
--void MD5_Update (mdContext, inBuf, inLen)
--MD5_CTX *mdContext;
--unsigned char *inBuf;
--unsigned int inLen;
+-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen)
 -{
 -  UINT4 in[16];
 -  int mdi;
@@ -768,9 +769,7 @@ index 6f8f7207c592..000000000000
 -/* The routine MD5Final terminates the message-digest computation and
 -   ends with the desired message digest in mdContext->digest[0...15].
 - */
--void MD5_Final (hash, mdContext)
--unsigned char hash[];
--MD5_CTX *mdContext;
+-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext)
 -{
 -  UINT4 in[16];
 -  int mdi;
@@ -811,9 +810,7 @@ index 6f8f7207c592..000000000000
 -
 -/* Basic MD5 step. Transforms buf based on in.
 - */
--static void Transform (buf, in)
--UINT4 *buf;
--UINT4 *in;
+-static void Transform (UINT4 *buf, UINT4 *in)
 -{
 -  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
 -
@@ -916,14 +913,12 @@ index 6f8f7207c592..000000000000
 - ** End of md5.c                                                      **
 - ******************************** (cut) ********************************
 - */
--#endif /* USE_EAPTLS */
--
 diff --git a/pppd/md5.h b/pppd/md5.h
 deleted file mode 100644
-index 14d712171c5e..000000000000
+index 71e8b00e2dde..000000000000
 --- a/pppd/md5.h
 +++ /dev/null
-@@ -1,68 +0,0 @@
+@@ -1,65 +0,0 @@
 -/*
 - ***********************************************************************
 - ** md5.h -- header file for implementation of MD5                    **
@@ -962,7 +957,6 @@ index 14d712171c5e..000000000000
 - ** documentation and/or software.                                    **
 - ***********************************************************************
 - */
--#ifndef USE_EAPTLS
 -
 -#ifndef __MD5_INCLUDE__
 -
@@ -990,8 +984,6 @@ index 14d712171c5e..000000000000
 -
 -#define __MD5_INCLUDE__
 -#endif /* __MD5_INCLUDE__ */
--
--#endif /* USE_EAPTLS */
 diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c
 index 8af03aa3713e..90d9b025d211 100644
 --- a/pppd/plugins/radius/md5.c
@@ -1006,7 +998,7 @@ index 8af03aa3713e..90d9b025d211 100644
  void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen)
  {
 diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
-index 06e00590b635..60282d9b2b9c 100644
+index c5798316719a..d5d63698a6dc 100644
 --- a/pppd/plugins/radius/radius.c
 +++ b/pppd/plugins/radius/radius.c
 @@ -31,7 +31,7 @@ static char const RCSID[] =
@@ -1019,7 +1011,7 @@ index 06e00590b635..60282d9b2b9c 100644
  #endif
  #include "radiusclient.h"
 diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c
-index bb05acd87dce..5f87a317b677 100644
+index 0c395c34711a..6320645ac994 100644
 --- a/pppd/plugins/winbind.c
 +++ b/pppd/plugins/winbind.c
 @@ -38,7 +38,7 @@
@@ -1033,10 +1025,10 @@ index bb05acd87dce..5f87a317b677 100644
  #include "ipcp.h"
 diff --git a/pppd/sha1.c b/pppd/sha1.c
 deleted file mode 100644
-index f4f975cf516f..000000000000
+index 4e51cee506c2..000000000000
 --- a/pppd/sha1.c
 +++ /dev/null
-@@ -1,170 +0,0 @@
+@@ -1,171 +0,0 @@
 -/*
 - * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c
 - * 
@@ -1056,6 +1048,7 @@ index f4f975cf516f..000000000000
 -/* #define SHA1HANDSOFF * Copies data before messing with it. */
 -
 -#include <string.h>
+-#include <time.h>
 -#include <netinet/in.h>	/* htonl() */
 -#include <net/ppp_defs.h>
 -#include "sha1.h"
diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
similarity index 63%
rename from patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
rename to patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
index c205b15ed..11020e0cc 100644
--- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
+++ b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
@@ -13,14 +13,14 @@ Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de>
 Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
 Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
 ---
- pppd/Makefile.linux | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
+ pppd/Makefile.linux | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index cb9d4f9dcf22..ea0a7f02766b 100644
+index bc01e3fd2a24..9b0119463c1f 100644
 --- a/pppd/Makefile.linux
 +++ b/pppd/Makefile.linux
-@@ -103,8 +103,8 @@ endif
+@@ -111,8 +111,8 @@ endif
  
  # EAP SRP-SHA1
  ifdef USE_SRP
@@ -31,32 +31,12 @@ index cb9d4f9dcf22..ea0a7f02766b 100644
  TARGETS	+= srp-entry
  EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
  MANPAGES += srp-entry.8
-@@ -114,7 +114,7 @@ endif
- 
- # EAP-TLS
- ifdef USE_EAPTLS
--CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
-+CFLAGS += -DUSE_EAPTLS=1
- LIBS += -lssl
- PPPDSRC += eap-tls.c
- HEADERS += eap-tls.h
-@@ -126,10 +126,8 @@ CFLAGS   += -DHAS_SHADOW
- #LIBS     += -lshadow $(LIBS)
- endif
- 
--ifneq ($(wildcard /usr/include/crypt.h),)
- CFLAGS  += -DHAVE_CRYPT_H=1
- LIBS	+= -lcrypt
--endif
- 
- ifdef USE_LIBUTIL
- CFLAGS	+= -DHAVE_LOGWTMP=1
-@@ -138,7 +136,7 @@ endif
+@@ -146,7 +146,7 @@ endif
  
  ifdef NEEDDES
  ifndef USE_CRYPT
--CFLAGS   += -I/usr/include/openssl
+-CFLAGS   += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
 +CFLAGS   += -I$(SYSROOT)/usr/include/openssl
- LIBS     += -lcrypto
  else
  CFLAGS   += -DUSE_CRYPT=1
+ endif
diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
similarity index 87%
rename from patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
rename to patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
index f57361a4c..590cf3ae4 100644
--- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
+++ b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
@@ -11,11 +11,11 @@ Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
  2 files changed, 11 insertions(+), 1 deletion(-)
 
 diff --git a/configure b/configure
-index 6a55e0f08be4..3886564fa495 100755
+index b0c3d2b49122..4bc6a18fad32 100755
 --- a/configure
 +++ b/configure
-@@ -14,6 +14,16 @@ SYSCONF=/etc
- #  fi
+@@ -15,6 +15,16 @@ release=`uname -r`
+ arch=`uname -m`
  state="unknown"
  
 +if [ -n $TARGET_OS ]; then
@@ -32,10 +32,10 @@ index 6a55e0f08be4..3886564fa495 100755
    Linux)
      makext="linux";
 diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index bc29968d44c9..e010ad215981 100644
+index 6403e3d477e3..375be764e19a 100644
 --- a/pppd/plugins/Makefile.linux
 +++ b/pppd/plugins/Makefile.linux
-@@ -47,5 +47,5 @@ clean:
+@@ -49,5 +49,5 @@ clean:
  	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
  
  depend:
diff --git a/patches/ppp-2.4.9/series b/patches/ppp-2.4.9/series
new file mode 100644
index 000000000..4028f0892
--- /dev/null
+++ b/patches/ppp-2.4.9/series
@@ -0,0 +1,17 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+#tag:upstream --start-number 1
+0001-configure-Allow-commas-in-the-CFLAGS-220.patch
+0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
+#tag:debian --start-number 100
+0100-support-building-pppdump-with-the-system-zlib.patch
+0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
+0102-pppoe_noads.patch
+0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
+0104-resolv.conf_no_log.patch
+0105-Debian-specific-changes.patch
+0106-Replace-vendored-hash-functions-with-libcrypto.patch
+#tag:ptx --start-number 200
+0200-pppd-make-makefile-sysroot-aware.patch
+0201-pppd-make-the-self-made-configure-cross-aware.patch
+# 9c9016a8956cf8c0dc84ee8dbe803cf3  - git-ptx-patches magic
diff --git a/rules/ppp.make b/rules/ppp.make
index 8bfb88b55..932910c98 100644
--- a/rules/ppp.make
+++ b/rules/ppp.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_PPP) += ppp
 #
 # Paths and names
 #
-PPP_VERSION	:= 2.4.7
-PPP_MD5		:= 78818f40e6d33a1d1de68a1551f6595a
+PPP_VERSION	:= 2.4.9
+PPP_MD5		:= c88153ae3d16ae114152cd3c15c7301d
 PPP		:= ppp-$(PPP_VERSION)
 PPP_SUFFIX	:= tar.gz
 PPP_URL		:= http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX)
@@ -55,7 +55,7 @@ PPP_SHARED_INST_PATH := /usr/lib/pppd/$(PPP_VERSION)
 $(STATEDIR)/ppp.prepare:
 	@$(call targetinfo)
 	@cd $(PPP_DIR) && $(PPP_PATH) $(PPP_CONF_ENV) \
-		./configure --prefix=/usr --sysconfdir=/etc
+		./configure --prefix=/usr --sysconfdir=/etc --cc=$(CROSS_CC)
 
 	@$(call disable_sh,$(PPP_DIR)/pppd/Makefile,USE_PAM=y)
 
-- 
2.30.2



_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [ptxdist] [APPLIED] libqmi: version bump 1.28.2 -> 1.28.6
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
@ 2021-06-29  5:09   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2021-06-29  5:09 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as c9b767f77e2235b7ecad55c1a9f913572aabbc24.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:30 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Requirement for upcoming ModemManager version bump.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20210623073309.23058-2-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/libqmi.make b/rules/libqmi.make
> index d2d31ce187bb..5835f3fb1e35 100644
> --- a/rules/libqmi.make
> +++ b/rules/libqmi.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_LIBQMI) += libqmi
>  #
>  # Paths and names
>  #
> -LIBQMI_VERSION	:= 1.28.2
> -LIBQMI_MD5	:= 825d7226e001cb2616e85d8a1e2a410f
> +LIBQMI_VERSION	:= 1.28.6
> +LIBQMI_MD5	:= 4361ff7eed22f9cd696b812947cd8813
>  LIBQMI		:= libqmi-$(LIBQMI_VERSION)
>  LIBQMI_SUFFIX	:= tar.xz
>  LIBQMI_URL	:= http://www.freedesktop.org/software/libqmi/$(LIBQMI).$(LIBQMI_SUFFIX)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [ptxdist] [APPLIED] modemmanager: version bump 1.16.2 -> 1.16.6
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl
@ 2021-06-29  5:09   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2021-06-29  5:09 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as b097d0c7211d8e1d7186b903c60ba3f63f9e9be5.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:32 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Patch gone upstream.
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20210623073309.23058-3-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch b/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
> deleted file mode 100644
> index 511b1693f7bb..000000000000
> --- a/patches/ModemManager-1.16.2/0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
> +++ /dev/null
> @@ -1,127 +0,0 @@
> -From: Aleksander Morgado <aleksander@aleksander.es>
> -Date: Tue, 23 Mar 2021 15:36:58 +0100
> -Subject: [PATCH] kerneldevice,udev: don't use autoptr in GUdev types
> -
> -The autoptr support in all GUdev types was introduced in
> -commit 272533131c6ed38479a88805, included in libgudev 232.
> -
> -In the MM 1.16 branch we depend on libgudev 147, so avoid
> -implicitly bumping the required version.
> -
> -Fixes https://gitlab.freedesktop.org/mobile-broadband/ModemManager/-/issues/349
> ----
> - src/kerneldevice/mm-kernel-device-udev.c | 30 +++++++++++++++++++++---------
> - 1 file changed, 21 insertions(+), 9 deletions(-)
> -
> -diff --git a/src/kerneldevice/mm-kernel-device-udev.c b/src/kerneldevice/mm-kernel-device-udev.c
> -index f75104bd6b1c..a6bf1a71df88 100644
> ---- a/src/kerneldevice/mm-kernel-device-udev.c
> -+++ b/src/kerneldevice/mm-kernel-device-udev.c
> -@@ -81,7 +81,7 @@ static void
> - preload_contents_platform (MMKernelDeviceUdev *self,
> -                            const gchar        *platform)
> - {
> --    g_autoptr(GUdevDevice) iter = NULL;
> -+    GUdevDevice *iter;
> - 
> -     iter = g_object_ref (self->priv->device);
> -     while (iter) {
> -@@ -102,17 +102,19 @@ preload_contents_platform (MMKernelDeviceUdev *self,
> -         g_clear_object (&iter);
> -         iter = parent;
> -     }
> -+
> -+    g_clear_object (&iter);
> - }
> - 
> - static void
> - preload_contents_pcmcia (MMKernelDeviceUdev *self)
> - {
> --    g_autoptr(GUdevDevice) iter = NULL;
> --    gboolean               pcmcia_subsystem_found = FALSE;
> -+    GUdevDevice *iter;
> -+    gboolean     pcmcia_subsystem_found = FALSE;
> - 
> -     iter = g_object_ref (self->priv->device);
> -     while (iter) {
> --        g_autoptr(GUdevDevice) parent = NULL;
> -+        GUdevDevice *parent;
> - 
> -         /* Store the first driver found */
> -         if (!self->priv->driver)
> -@@ -133,18 +135,21 @@ preload_contents_pcmcia (MMKernelDeviceUdev *self)
> -             self->priv->product = udev_device_get_sysfs_attr_as_hex (iter, "card_id");
> -             self->priv->physdev = g_object_ref (iter);
> -             /* stop traversing as soon as the physical device is found */
> -+            g_clear_object (&parent);
> -             break;
> -         }
> - 
> -         g_clear_object (&iter);
> --        iter = g_steal_pointer (&parent);
> -+        iter = parent;
> -     }
> -+
> -+    g_clear_object (&iter);
> - }
> - 
> - static void
> - preload_contents_pci (MMKernelDeviceUdev *self)
> - {
> --    g_autoptr(GUdevDevice) iter = NULL;
> -+    GUdevDevice *iter;
> - 
> -     iter = g_object_ref (self->priv->device);
> -     while (iter) {
> -@@ -170,12 +175,14 @@ preload_contents_pci (MMKernelDeviceUdev *self)
> -         g_clear_object (&iter);
> -         iter = parent;
> -     }
> -+
> -+    g_clear_object (&iter);
> - }
> - 
> - static void
> - preload_contents_usb (MMKernelDeviceUdev *self)
> - {
> --    g_autoptr(GUdevDevice) iter = NULL;
> -+    GUdevDevice *iter;
> - 
> -     iter = g_object_ref (self->priv->device);
> -     while (iter) {
> -@@ -204,12 +211,14 @@ preload_contents_usb (MMKernelDeviceUdev *self)
> -         g_clear_object (&iter);
> -         iter = parent;
> -     }
> -+
> -+    g_clear_object (&iter);
> - }
> - 
> - static gchar *
> - find_device_bus_subsystem (MMKernelDeviceUdev *self)
> - {
> --    g_autoptr(GUdevDevice) iter = NULL;
> -+    GUdevDevice *iter;
> - 
> -     iter = g_object_ref (self->priv->device);
> -     while (iter) {
> -@@ -224,8 +233,10 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self)
> -             (g_strcmp0 (subsys, "pci") == 0)      ||
> -             (g_strcmp0 (subsys, "platform") == 0) ||
> -             (g_strcmp0 (subsys, "pnp") == 0)      ||
> --            (g_strcmp0 (subsys, "sdio") == 0))
> -+            (g_strcmp0 (subsys, "sdio") == 0)) {
> -+            g_clear_object (&iter);
> -             return g_strdup (subsys);
> -+        }
> - 
> -         parent = g_udev_device_get_parent (iter);
> -         g_clear_object (&iter);
> -@@ -233,6 +244,7 @@ find_device_bus_subsystem (MMKernelDeviceUdev *self)
> -     }
> - 
> -     /* no more parents to check */
> -+    g_clear_object (&iter);
> -     return NULL;
> - }
> - 
> diff --git a/patches/ModemManager-1.16.2/series b/patches/ModemManager-1.16.2/series
> deleted file mode 100644
> index 073ee95c575b..000000000000
> --- a/patches/ModemManager-1.16.2/series
> +++ /dev/null
> @@ -1,4 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-kerneldevice-udev-don-t-use-autoptr-in-GUdev-types.patch
> -# 7ee4df7afdcd7083fe59386d7e47c795  - git-ptx-patches magic
> diff --git a/rules/modemmanager.make b/rules/modemmanager.make
> index 18191583cc99..43d8e607e910 100644
> --- a/rules/modemmanager.make
> +++ b/rules/modemmanager.make
> @@ -14,8 +14,8 @@ PACKAGES-$(PTXCONF_MODEMMANAGER) += modemmanager
>  #
>  # Paths and names
>  #
> -MODEMMANAGER_VERSION	:= 1.16.2
> -MODEMMANAGER_MD5	:= 83c5fc0bf65b8f321532b61b5f2b0b51
> +MODEMMANAGER_VERSION	:= 1.16.6
> +MODEMMANAGER_MD5	:= bde995400758db3a98c886608c2d5d9d
>  MODEMMANAGER		:= ModemManager-$(MODEMMANAGER_VERSION)
>  MODEMMANAGER_SUFFIX	:= tar.xz
>  MODEMMANAGER_URL	:= https://www.freedesktop.org/software/ModemManager/$(MODEMMANAGER).$(MODEMMANAGER_SUFFIX)

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [ptxdist] [APPLIED] networkmanager: version bump 1.26.2 -> 1.30.4
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl
@ 2021-06-29  5:09   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2021-06-29  5:09 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 7baf74944ca16173de216387df591cbecc794e22.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:33 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20210623073309.23058-4-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/NetworkManager-1.26.2/series b/patches/NetworkManager-1.26.2/series
> deleted file mode 100644
> index b04ab9c47a95..000000000000
> --- a/patches/NetworkManager-1.26.2/series
> +++ /dev/null
> @@ -1 +0,0 @@
> -0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> diff --git a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> similarity index 67%
> rename from patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> rename to patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> index db3c2964380d..ebc2816dff0b 100644
> --- a/patches/NetworkManager-1.26.2/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> +++ b/patches/NetworkManager-1.30.4/0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> @@ -1,4 +1,3 @@
> -From 5ddd262c1042ef2cd748b3b2a724d2e15f89b9fb Mon Sep 17 00:00:00 2001
>  From: Robert Schwebel <r.schwebel@pengutronix.de>
>  Date: Sat, 25 Jul 2020 18:14:35 +0200
>  Subject: [PATCH] clients/cli: build generate_docs_nm_settings_nmcli only if
> @@ -10,10 +9,10 @@ Signed-off-by: Robert Schwebel <r.schwebel@pengutronix.de>
>   1 file changed, 5 insertions(+)
>  
>  diff --git a/clients/cli/meson.build b/clients/cli/meson.build
> -index 517deffa6..2dada71f5 100644
> +index f8e6a8236d4e..af57eedabfb9 100644
>  --- a/clients/cli/meson.build
>  +++ b/clients/cli/meson.build
> -@@ -35,6 +35,9 @@ executable(
> +@@ -37,6 +37,9 @@ executable(
>   
>   endif
>   
> @@ -23,12 +22,12 @@ index 517deffa6..2dada71f5 100644
>   generate_docs_nm_settings_nmcli = executable(
>     'generate-docs-nm-settings-nmcli',
>     files(
> -@@ -56,3 +59,5 @@ generate_docs_nm_settings_nmcli_xml = custom_target(
> -   command: [ generate_docs_nm_settings_nmcli ],
> -   capture: true,
> +@@ -54,6 +57,8 @@ generate_docs_nm_settings_nmcli = executable(
> +   link_depends: linker_script_binary,
>   )
> -+
> + 
>  +endif
> --- 
> -2.27.0
> -
> ++
> + if enable_docs
> +   generate_docs_nm_settings_nmcli_xml = custom_target(
> +     'generate-docs-nm-settings-nmcli.xml',
> diff --git a/patches/NetworkManager-1.30.4/series b/patches/NetworkManager-1.30.4/series
> new file mode 100644
> index 000000000000..24a953ec874d
> --- /dev/null
> +++ b/patches/NetworkManager-1.30.4/series
> @@ -0,0 +1,4 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +0001-clients-cli-build-generate_docs_nm_settings_nmcli-on.patch
> +# c940234bc49ce84559747d716a7955c5  - git-ptx-patches magic
> diff --git a/rules/networkmanager.make b/rules/networkmanager.make
> index e2502b3f0c2d..c39179f5b5d3 100644
> --- a/rules/networkmanager.make
> +++ b/rules/networkmanager.make
> @@ -15,8 +15,8 @@ PACKAGES-$(PTXCONF_NETWORKMANAGER) += networkmanager
>  #
>  # Paths and names
>  #
> -NETWORKMANAGER_VERSION	:= 1.26.2
> -NETWORKMANAGER_MD5	:= ad5332a7fe5d00db7c75b722337be62b
> +NETWORKMANAGER_VERSION	:= 1.30.4
> +NETWORKMANAGER_MD5	:= 8ce53a38356864832f7f10ad46fcde27
>  NETWORKMANAGER		:= NetworkManager-$(NETWORKMANAGER_VERSION)
>  NETWORKMANAGER_SUFFIX	:= tar.xz
>  NETWORKMANAGER_URL	:= $(call ptx/mirror, GNOME, NetworkManager/$(basename $(NETWORKMANAGER_VERSION))/$(NETWORKMANAGER).$(NETWORKMANAGER_SUFFIX))
> @@ -57,7 +57,6 @@ NETWORKMANAGER_CONF_OPT = \
>  	-Dintrospection=false \
>  	-Diptables=/usr/sbin/iptables \
>  	-Diwd=false \
> -	-Djson_validation=false \
>  	-Dkernel_firmware_dir=/lib/firmware \
>  	-Dld_gc=true \
>  	-Dlibaudit=no \
> @@ -73,7 +72,7 @@ NETWORKMANAGER_CONF_OPT = \
>  	-Dofono=false \
>  	-Dovs=false \
>  	-Dpolkit=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_POLKIT) \
> -	-Dpolkit_agent=false \
> +	-Dpolkit_agent_helper_1=/usr/libexec/polkit-agent-helper-1 \
>  	-Dppp=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_PPP) \
>  	-Dpppd=/usr/sbin/pppd \
>  	-Dpppd_plugin_dir=$(PPP_SHARED_INST_PATH) \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [ptxdist] [APPLIED] networkmanager: Make "more logging" optional
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl
@ 2021-06-29  5:09   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2021-06-29  5:09 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as fe852c3f4dc34d2e11c641092d19de0d2b3bd5fa.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:34 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> With build option "more_logging" set to false, it's not possible to
> enable loglevel "debug" in /etc/NetworkManager/NetworkManager.conf
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20210623073309.23058-5-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/rules/networkmanager.in b/rules/networkmanager.in
> index 6c68d40cc2d6..dae60a0c8d42 100644
> --- a/rules/networkmanager.in
> +++ b/rules/networkmanager.in
> @@ -104,6 +104,12 @@ config NETWORKMANAGER_POLKIT
>  	bool
>  	prompt "polkit support"
>  
> +config NETWORKMANAGER_MORE_LOGGING
> +	bool
> +	prompt "more logging"
> +	help
> +	  Allows debug log level in NetworkManager.conf
> +
>  endif
>  
>  menu "networkmanager plugins        "
> diff --git a/rules/networkmanager.make b/rules/networkmanager.make
> index c39179f5b5d3..022ed7178997 100644
> --- a/rules/networkmanager.make
> +++ b/rules/networkmanager.make
> @@ -64,7 +64,7 @@ NETWORKMANAGER_CONF_OPT = \
>  	-Dmodem_manager=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_WWAN) \
>  	-Dmodify_system=false \
>  	-Dmore_asserts=no \
> -	-Dmore_logging=false \
> +	-Dmore_logging=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_MORE_LOGGING) \
>  	-Dnetconfig=false \
>  	-Dnm_cloud_setup=false \
>  	-Dnmcli=$(call ptx/truefalse,PTXCONF_NETWORKMANAGER_NMCLI) \

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de


^ permalink raw reply	[flat|nested] 11+ messages in thread

* Re: [ptxdist] [APPLIED] ppp: version bump 2.4.7 -> 2.4.9
  2021-06-23  7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl
@ 2021-06-29  5:09   ` Michael Olbrich
  0 siblings, 0 replies; 11+ messages in thread
From: Michael Olbrich @ 2021-06-29  5:09 UTC (permalink / raw)
  To: ptxdist; +Cc: Alexander Dahl

Thanks, applied as 34ea6a37b0cbfe64f17890aa37b1b3a4a1efc486.

Michael

[sent from post-receive hook]

On Tue, 29 Jun 2021 07:09:36 +0200, Alexander Dahl <ada@thorsis.com> wrote:
> - imported two post 2.4.9 upstream patches
> - imported Debian patches from package ppp (2.4.9-1+1)
> - adapted ptx patches
> 
> Signed-off-by: Alexander Dahl <ada@thorsis.com>
> Message-Id: <20210623073309.23058-6-ada@thorsis.com>
> Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> 
> diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
> deleted file mode 100644
> index c6a76ce6567a..000000000000
> --- a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -From: Martin von Gagern <Martin.vGagern@gmx.net>
> -Date: Sat, 9 Aug 2014 22:44:45 -0400
> -Subject: [PATCH] abort on errors in subdir builds
> -
> -The current recursive loops do not check the exit status of make
> -in subdirs which leads to `make` passing even when a subdir failed
> -to compile or install.
> -
> -URL: https://bugs.gentoo.org/334727
> -Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net>
> -Signed-off-by: Mike Frysinger <vapier@gentoo.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/Makefile.linux | 8 ++++----
> - 1 file changed, 4 insertions(+), 4 deletions(-)
> -
> -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
> -index ab8cf50d9472..8a90e393a057 100644
> ---- a/pppd/plugins/Makefile.linux
> -+++ b/pppd/plugins/Makefile.linux
> -@@ -27,7 +27,7 @@ include .depend
> - endif
> - 
> - all:	$(PLUGINS)
> --	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
> -+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
> - 
> - %.so: %.c
> - 	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
> -@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
> - install: $(PLUGINS)
> - 	$(INSTALL) -d $(LIBDIR)
> - 	$(INSTALL) $? $(LIBDIR)
> --	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done
> -+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done
> - 
> - clean:
> - 	rm -f *.o *.so *.a
> --	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done
> -+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
> - 
> - depend:
> - 	$(CPP) -M $(CFLAGS) *.c >.depend
> --	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done
> -+	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done
> diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
> deleted file mode 100644
> index dc24c228eafa..000000000000
> --- a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
> +++ /dev/null
> @@ -1,29 +0,0 @@
> -From: radaiming <radaiming@gmail.com>
> -Date: Sat, 13 Dec 2014 14:42:34 +0800
> -Subject: [PATCH] scripts: Avoid killing wrong pppd
> -
> - poff could kill other pppd processes when there are many pppd
> - running on different serial port.
> -
> - Signed-off-by: Ming Dai <radaiming@gmail.com>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - scripts/poff | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/scripts/poff b/scripts/poff
> -index 3f55a7f40010..5b45d98a2b6a 100644
> ---- a/scripts/poff
> -+++ b/scripts/poff
> -@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then
> - fi
> - 
> - # There is an argument, so kill the pppd started on that provider.
> --PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'`
> -+PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'`
> - if test -n "$PID" ; then
> -     $KILL -$SIG $PID || {
> -         echo "$0: $KILL failed.  None ${DONE}."
> diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
> deleted file mode 100644
> index 2bd23b9216ec..000000000000
> --- a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
> -Date: Fri, 19 Dec 2014 17:52:58 -0700
> -Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal
> -
> -print_string() displays characters as \\%.03o but without first
> -casting it from "char" to "unsigned char" so it gets sign-extended
> -to an int. This causes output like \37777777630 instead of \230.
> -
> -Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/utils.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/utils.c b/pppd/utils.c
> -index 29bf970905d5..3ac1b60926d2 100644
> ---- a/pppd/utils.c
> -+++ b/pppd/utils.c
> -@@ -625,7 +625,7 @@ print_string(p, len, printer, arg)
> - 		printer(arg, "\\t");
> - 		break;
> - 	    default:
> --		printer(arg, "\\%.3o", c);
> -+		printer(arg, "\\%.3o", (unsigned char) c);
> - 	    }
> - 	}
> -     }
> diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
> deleted file mode 100644
> index 6d4bd5c106bb..000000000000
> --- a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From: Simon Farnsworth <simon@farnz.org.uk>
> -Date: Sun, 1 Mar 2015 11:49:06 +0000
> -Subject: [PATCH] Suppress false error message on PPPoE disconnect
> -
> -Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered
> -disconnect will result in EALREADY when pppd tries to clear the session ID.
> -
> -Simply ignore the error if, and only if, the error is EALREADY
> -
> -[1] https://patchwork.ozlabs.org/patch/444717/
> -
> -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/plugin.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
> -index a8c2bb4f4a6a..da50cdf2b9d3 100644
> ---- a/pppd/plugins/rp-pppoe/plugin.c
> -+++ b/pppd/plugins/rp-pppoe/plugin.c
> -@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void)
> -     memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ);
> -     memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN);
> -     if (connect(conn->sessionSocket, (struct sockaddr *) &sp,
> --		sizeof(struct sockaddr_pppox)) < 0)
> -+		sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
> - 	error("Failed to disconnect PPPoE socket: %d %m", errno);
> -     close(conn->sessionSocket);
> -     /* don't send PADT?? */
> diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
> deleted file mode 100644
> index 28efdfc713a5..000000000000
> --- a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -From: Simon Farnsworth <simon@farnz.org.uk>
> -Date: Sun, 1 Mar 2015 11:53:58 +0000
> -Subject: [PATCH] Send PADT on PPPoE disconnect
> -
> -Once we've terminated the PPP session, there is no chance of a PPP layer
> -disconnect. Some PPPoE relays don't detect the PPP session going down, and
> -depend on a long timeout or a PPPoE PADT to terminate the session.
> -
> -Send a PADT on disconnect to work around these buggy relays.
> -
> -Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/plugin.c | 5 +++--
> - 1 file changed, 3 insertions(+), 2 deletions(-)
> -
> -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
> -index da50cdf2b9d3..c89be94250bc 100644
> ---- a/pppd/plugins/rp-pppoe/plugin.c
> -+++ b/pppd/plugins/rp-pppoe/plugin.c
> -@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void)
> - 		sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
> - 	error("Failed to disconnect PPPoE socket: %d %m", errno);
> -     close(conn->sessionSocket);
> --    /* don't send PADT?? */
> --    if (conn->discoverySocket >= 0)
> -+    if (conn->discoverySocket >= 0) {
> -+        sendPADT(conn, NULL);
> - 	close(conn->discoverySocket);
> -+    }
> - }
> - 
> - static void
> diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
> deleted file mode 100644
> index 7d98127c286f..000000000000
> --- a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From: Paul Mackerras <paulus@samba.org>
> -Date: Fri, 14 Aug 2015 17:56:26 +1000
> -Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name
> -
> -This fixes an if condition to prevent a possible 1-byte overrun
> -on ipxcp_hisoptions[0].name.
> -
> -Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com>
> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ipxcp.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c
> -index 7b2343e15537..aaff10f76200 100644
> ---- a/pppd/ipxcp.c
> -+++ b/pppd/ipxcp.c
> -@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree)
> - 	case IPX_ROUTER_NAME:
> - 	    if (cilen >= CILEN_NAME) {
> - 		int name_size = cilen - CILEN_NAME;
> --		if (name_size > sizeof (ho->name))
> -+		if (name_size >= sizeof (ho->name))
> - 		    name_size = sizeof (ho->name) - 1;
> - 		memset (ho->name, 0, sizeof (ho->name));
> - 		memcpy (ho->name, p, name_size);
> diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
> deleted file mode 100644
> index 475edae24935..000000000000
> --- a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
> +++ /dev/null
> @@ -1,30 +0,0 @@
> -From: Sylvain Rochet <gradator@gradator.net>
> -Date: Wed, 25 Mar 2015 00:25:18 +0100
> -Subject: [PATCH] pppd: Fix ccp_options.mppe type
> -
> -This corrects the type of ccp_options.mppe; it is actually a bitfield of
> -MPPE_OPT_* and not a boolean.
> -
> -Signed-off-by: Sylvain Rochet <gradator@gradator.net>
> -Signed-off-by: Paul Mackerras <paulus@samba.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ccp.h | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/ccp.h b/pppd/ccp.h
> -index 6f4a2fee0a2c..76446db007c0 100644
> ---- a/pppd/ccp.h
> -+++ b/pppd/ccp.h
> -@@ -37,7 +37,7 @@ typedef struct ccp_options {
> -     bool predictor_2;		/* do Predictor-2? */
> -     bool deflate_correct;	/* use correct code for deflate? */
> -     bool deflate_draft;		/* use draft RFC code for deflate? */
> --    bool mppe;			/* do MPPE? */
> -+    u_char mppe;		/* MPPE bitfield */
> -     u_short bsd_bits;		/* # bits/code for BSD Compress */
> -     u_short deflate_size;	/* lg(window size) for Deflate */
> -     short method;		/* code for chosen compression method */
> diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
> deleted file mode 100644
> index d73b4de32b38..000000000000
> --- a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From: Sylvain Rochet <gradator@gradator.net>
> -Date: Tue, 24 Mar 2015 21:21:40 +0100
> -Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct
> - and deflate_draft are enabled
> -
> -This fixes a bug where ccp_cilen() will return 4 bytes less than
> -necessary for the addci buffer if both deflate_correct and
> -deflate_draft are enabled.
> -
> -Signed-off-by: Sylvain Rochet <gradator@gradator.net>
> -Signed-off-by: Paul Mackerras <paulus@samba.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ccp.c | 3 ++-
> - 1 file changed, 2 insertions(+), 1 deletion(-)
> -
> -diff --git a/pppd/ccp.c b/pppd/ccp.c
> -index 5814f358eb44..7d7922afcfc0 100644
> ---- a/pppd/ccp.c
> -+++ b/pppd/ccp.c
> -@@ -676,7 +676,8 @@ ccp_cilen(f)
> -     ccp_options *go = &ccp_gotoptions[f->unit];
> - 
> -     return (go->bsd_compress? CILEN_BSD_COMPRESS: 0)
> --	+ (go->deflate? CILEN_DEFLATE: 0)
> -+	+ (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0)
> -+	+ (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0)
> - 	+ (go->predictor_1? CILEN_PREDICTOR_1: 0)
> - 	+ (go->predictor_2? CILEN_PREDICTOR_2: 0)
> - 	+ (go->mppe? CILEN_MPPE: 0);
> diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
> deleted file mode 100644
> index 39af8cf33b1c..000000000000
> --- a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -From: YASUOKA Masahiko <yasuoka@yasuoka.net>
> -Date: Wed, 16 Mar 2016 13:39:19 +0900
> -Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya.
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/fsm.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/fsm.c b/pppd/fsm.c
> -index c200cc3a8438..e9bd34f0e8f4 100644
> ---- a/pppd/fsm.c
> -+++ b/pppd/fsm.c
> -@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len)
> - 	f->nakloops = 0;
> - 
> -     } else {
> --	/* we sent CONFACK or CONFREJ */
> -+	/* we sent CONFNAK or CONFREJ */
> - 	if (f->state != ACKRCVD)
> - 	    f->state = REQSENT;
> - 	if( code == CONFNAK )
> diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
> deleted file mode 100644
> index c9d56cdbbad5..000000000000
> --- a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
> +++ /dev/null
> @@ -1,24 +0,0 @@
> -From: Dmitry Deshevoy <mityada@gmail.com>
> -Date: Thu, 31 Mar 2016 23:39:32 +0400
> -Subject: [PATCH] plog: count only relevant lines from syslog
> -
> -Closes paulusmack/ppp#42
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - scripts/plog | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/scripts/plog b/scripts/plog
> -index 84d2c7340cc6..7cb53346413d 100644
> ---- a/scripts/plog
> -+++ b/scripts/plog
> -@@ -3,5 +3,5 @@
> - if [ -s /var/log/ppp.log ]; then
> -   exec tail "$@" /var/log/ppp.log
> - else
> --  exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\['
> -+  exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@"
> - fi
> diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
> deleted file mode 100644
> index ed313eeaa6d4..000000000000
> --- a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
> +++ /dev/null
> @@ -1,33 +0,0 @@
> -From: Stefan Nickl <Stefan.Nickl@gmail.com>
> -Date: Wed, 10 Aug 2016 21:32:21 +0200
> -Subject: [PATCH] Change include from sys/errno.h to errno.h
> -
> -According to POSIX, the canonical location for errno.h is on the top level.
> -
> -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/sys-linux.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index e5e9baf8821f..908aa4f22297 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -73,12 +73,12 @@
> - #include <sys/types.h>
> - #include <sys/socket.h>
> - #include <sys/time.h>
> --#include <sys/errno.h>
> - #include <sys/file.h>
> - #include <sys/stat.h>
> - #include <sys/utsname.h>
> - #include <sys/sysmacros.h>
> - 
> -+#include <errno.h>
> - #include <stdio.h>
> - #include <stdlib.h>
> - #include <syslog.h>
> diff --git a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
> deleted file mode 100644
> index 26d56de1d43a..000000000000
> --- a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
> +++ /dev/null
> @@ -1,214 +0,0 @@
> -From: Paul Mackerras <paulus@samba.org>
> -Date: Tue, 23 Aug 2016 16:10:21 +1000
> -Subject: [PATCH] pppd: allow use of arbitrary interface names
> -
> -This is a modified version of a patch from openSUSE that enables PPP interfaces
> -to be called arbitrary names, rather than simply pppX where X is the unit
> -number.
> -
> -The modifications from the stock openSUSE patch are:
> -  refresh patch on top of 018_ip up_option.diff
> -- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
> -- clarify the pppd.8 manpage additions
> -- patch pppstats/pppstats.c to query renamed interfaces without complaint
> -
> -Origin: SUSE
> -Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
> -Forwarded: no
> -Reviewed-by: Chris Boot <bootc@debian.org>
> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/main.c         | 16 ++++++----------
> - pppd/options.c      |  5 +++++
> - pppd/pppd.8         |  8 +++++++-
> - pppd/pppd.h         | 11 +++++++++++
> - pppd/sys-linux.c    | 15 +++++++++++++++
> - pppstats/pppstats.c | 12 ++++++------
> - 6 files changed, 50 insertions(+), 17 deletions(-)
> -
> -diff --git a/pppd/main.c b/pppd/main.c
> -index 6d50d1bac1d9..f1986ed68d0b 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -124,7 +124,7 @@
> - static const char rcsid[] = RCSID;
> - 
> - /* interface vars */
> --char ifname[32];		/* Interface name */
> -+char ifname[MAXIFNAMELEN];	/* Interface name */
> - int ifunit;			/* Interface unit number */
> - 
> - struct channel *the_channel;
> -@@ -298,13 +298,6 @@ struct protent *protocols[] = {
> -     NULL
> - };
> - 
> --/*
> -- * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
> -- */
> --#if !defined(PPP_DRV_NAME)
> --#define PPP_DRV_NAME	"ppp"
> --#endif /* !defined(PPP_DRV_NAME) */
> --
> - int
> - main(argc, argv)
> -     int argc;
> -@@ -737,8 +730,11 @@ void
> - set_ifunit(iskey)
> -     int iskey;
> - {
> --    info("Using interface %s%d", PPP_DRV_NAME, ifunit);
> --    slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
> -+    if (req_ifname[0] != '\0')
> -+	slprintf(ifname, sizeof(ifname), "%s", req_ifname);
> -+    else
> -+	slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
> -+    info("Using interface %s", ifname);
> -     script_setenv("IFNAME", ifname, iskey);
> -     if (iskey) {
> - 	create_pidfile(getpid());	/* write pid to file */
> -diff --git a/pppd/options.c b/pppd/options.c
> -index f66b7657bc31..91da515ac533 100644
> ---- a/pppd/options.c
> -+++ b/pppd/options.c
> -@@ -114,6 +114,7 @@ char	linkname[MAXPATHLEN];	/* logical name for link */
> - bool	tune_kernel;		/* may alter kernel settings */
> - int	connect_delay = 1000;	/* wait this many ms after connect script */
> - int	req_unit = -1;		/* requested interface unit */
> -+char	req_ifname[MAXIFNAMELEN];	/* requested interface name */
> - bool	multilink = 0;		/* Enable multilink operation */
> - char	*bundle_name = NULL;	/* bundle name for multilink */
> - bool	dump_options;		/* print out option values */
> -@@ -283,6 +284,10 @@ option_t general_options[] = {
> -       "PPP interface unit number to use if possible",
> -       OPT_PRIO | OPT_LLIMIT, 0, 0 },
> - 
> -+    { "ifname", o_string, req_ifname,
> -+      "Set PPP interface name",
> -+      OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXIFNAMELEN },
> -+
> -     { "dump", o_bool, &dump_options,
> -       "Print out option values after parsing all options", 1 },
> -     { "dryrun", o_bool, &dryrun,
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index e2768b135273..64659cf867b2 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later.
> - .TP
> - .B unit \fInum
> - Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
> --connections.
> -+connections.  If the unit is already in use a dynamically allocated number will
> -+be used.
> -+.TP
> -+.B ifname \fIstring
> -+Set the ppp interface name for outbound connections.  If the interface name is
> -+already in use, or if the name cannot be used for any other reason, pppd will
> -+terminate.
> - .TP
> - .B unset \fIname
> - Remove a variable from the environment variable for scripts that are
> -diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index 247fa153739b..1a1bf0b99582 100644
> ---- a/pppd/pppd.h
> -+++ b/pppd/pppd.h
> -@@ -80,6 +80,16 @@
> - #define MAXARGS		1	/* max # args to a command */
> - #define MAXNAMELEN	256	/* max length of hostname or name for auth */
> - #define MAXSECRETLEN	256	/* max length of password or secret */
> -+#define MAXIFNAMELEN	32	/* max length of interface name; or use IFNAMSIZ, can we
> -+				   always include net/if.h? */
> -+
> -+/*
> -+ * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
> -+ * Where should PPP_DRV_NAME come from? Do we include it here?
> -+ */
> -+#if !defined(PPP_DRV_NAME)
> -+#define PPP_DRV_NAME	"ppp"
> -+#endif /* !defined(PPP_DRV_NAME) */
> - 
> - /*
> -  * Option descriptor structure.
> -@@ -318,6 +328,7 @@ extern bool	tune_kernel;	/* May alter kernel settings as necessary */
> - extern int	connect_delay;	/* Time to delay after connect script */
> - extern int	max_data_rate;	/* max bytes/sec through charshunt */
> - extern int	req_unit;	/* interface unit number to use */
> -+extern char	req_ifname[MAXIFNAMELEN]; /* interface name to use */
> - extern bool	multilink;	/* enable multilink operation */
> - extern bool	noendpoint;	/* don't send or accept endpt. discrim. */
> - extern char	*bundle_name;	/* bundle name for multilink */
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 908aa4f22297..9b2f293024ac 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -641,6 +641,21 @@ static int make_ppp_unit()
> - 	}
> - 	if (x < 0)
> - 		error("Couldn't create new ppp unit: %m");
> -+
> -+	if (x == 0 && req_ifname[0] != '\0') {
> -+		struct ifreq ifr;
> -+		char t[MAXIFNAMELEN];
> -+		memset(&ifr, 0, sizeof(struct ifreq));
> -+		slprintf(t, sizeof(t), "%s%d", PPP_DRV_NAME, ifunit);
> -+		strncpy(ifr.ifr_name, t, IF_NAMESIZE);
> -+		strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE);
> -+		x = ioctl(sock_fd, SIOCSIFNAME, &ifr);
> -+		if (x < 0)
> -+		    error("Couldn't rename interface %s to %s: %m", t, req_ifname);
> -+		else
> -+		    info("Renamed interface %s to %s", t, req_ifname);
> -+	}
> -+
> - 	return x;
> - }
> - 
> -diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c
> -index 6367988eb96b..46cb9c24942b 100644
> ---- a/pppstats/pppstats.c
> -+++ b/pppstats/pppstats.c
> -@@ -88,7 +88,6 @@ int	aflag;			/* print absolute values, not deltas */
> - int	dflag;			/* print data rates, not bytes */
> - int	interval, count;
> - int	infinite;
> --int	unit;
> - int	s;			/* socket or /dev/ppp file descriptor */
> - int	signalled;		/* set if alarm goes off "early" */
> - char	*progname;
> -@@ -449,6 +448,7 @@ main(argc, argv)
> - {
> -     int c;
> - #ifdef STREAMS
> -+    int unit;
> -     char *dev;
> - #endif
> - 
> -@@ -506,11 +506,6 @@ main(argc, argv)
> -     if (argc > 0)
> - 	interface = argv[0];
> - 
> --    if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
> --	fprintf(stderr, "%s: invalid interface '%s' specified\n",
> --		progname, interface);
> --    }
> --
> - #ifndef STREAMS
> -     {
> - 	struct ifreq ifr;
> -@@ -535,6 +530,11 @@ main(argc, argv)
> -     }
> - 
> - #else	/* STREAMS */
> -+    if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
> -+	fprintf(stderr, "%s: invalid interface '%s' specified\n",
> -+		progname, interface);
> -+    }
> -+
> - #ifdef __osf__
> -     dev = "/dev/streams/ppp";
> - #else
> diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
> deleted file mode 100644
> index 2199e7f7dfdf..000000000000
> --- a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -From: George Burgess IV <george@gbiv.net>
> -Date: Fri, 9 Sep 2016 17:36:54 -0700
> -Subject: [PATCH] pppd: Remove unused declaration of ttyname.
> -
> -Signed-off-by: George Burgess IV <george@gbiv.net>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/main.c | 1 -
> - 1 file changed, 1 deletion(-)
> -
> -diff --git a/pppd/main.c b/pppd/main.c
> -index f1986ed68d0b..76b67d2485b7 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -257,7 +257,6 @@ static void cleanup_db __P((void));
> - static void handle_events __P((void));
> - void print_link_stats __P((void));
> - 
> --extern	char	*ttyname __P((int));
> - extern	char	*getlogin __P((void));
> - int main __P((int, char *[]));
> - 
> diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
> deleted file mode 100644
> index 39fc3d4f6f86..000000000000
> --- a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
> +++ /dev/null
> @@ -1,52 +0,0 @@
> -From: Stefan Nickl <Stefan.Nickl@gmail.com>
> -Date: Wed, 10 Aug 2016 16:52:12 +0200
> -Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery
> -
> -The pppoe-discovery program calls error() from the CHECK_ROOM macro
> -defined in pppoe.h. Since pppoe-discovery is a standalone program not
> -linked with the rest of pppd, the only way this could build is by
> -linking to glibc's proprietary error(3) function instead of the function
> -of the same name (but with different arguments) defined in pppd/utils.c.
> -
> -So with glibc this builds, but will probably crash when the assertion is
> -triggered. As the assertion is unlikely to fail, nobody has noticed.
> -
> -The build however fails with musl libc or uClibc since they don't
> -provide the doppelganger.
> -
> -Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++
> - 1 file changed, 9 insertions(+)
> -
> -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -index 3d3bf4eecc81..55037dffb023 100644
> ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -@@ -9,6 +9,7 @@
> -  *
> -  */
> - 
> -+#include <stdarg.h>
> - #include <stdio.h>
> - #include <stdlib.h>
> - #include <unistd.h>
> -@@ -55,6 +56,14 @@ void die(int status)
> - 	exit(status);
> - }
> - 
> -+void error(char *fmt, ...)
> -+{
> -+    va_list pvar;
> -+    va_start(pvar, fmt);
> -+    vfprintf(stderr, fmt, pvar);
> -+    va_end(pvar);
> -+}
> -+
> - /* Initialize frame types to RFC 2516 values.  Some broken peers apparently
> -    use different frame types... sigh... */
> - 
> diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
> deleted file mode 100644
> index b24e5ef5852f..000000000000
> --- a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
> +++ /dev/null
> @@ -1,49 +0,0 @@
> -From: Lubomir Rintel <lkundrak@v3.sk>
> -Date: Mon, 9 Jan 2017 13:34:23 +0000
> -Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
> -
> -This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
> -included before <linux/in.h> otherwise the earlier, unaware of the latter,
> -tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
> -alone anymore, since it pulls the headers in the wrong order, so we better
> -include <netinet/in.h> early.
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/pppoe.h | 7 ++++---
> - 1 file changed, 4 insertions(+), 3 deletions(-)
> -
> -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
> -index 9ab2eee3914c..c4aaa6e68856 100644
> ---- a/pppd/plugins/rp-pppoe/pppoe.h
> -+++ b/pppd/plugins/rp-pppoe/pppoe.h
> -@@ -47,6 +47,10 @@
> - #include <sys/socket.h>
> - #endif
> - 
> -+/* This has to be included before Linux 4.8's linux/in.h
> -+ * gets dragged in. */
> -+#include <netinet/in.h>
> -+
> - /* Ugly header files on some Linux boxes... */
> - #if defined(HAVE_LINUX_IF_H)
> - #include <linux/if.h>
> -@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t;
> - #include <linux/if_ether.h>
> - #endif
> - 
> --#include <netinet/in.h>
> --
> - #ifdef HAVE_NETINET_IF_ETHER_H
> - #include <sys/types.h>
> - 
> -@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t;
> - #endif
> - 
> - 
> --
> - /* Ethernet frame types according to RFC 2516 */
> - #define ETH_PPPOE_DISCOVERY 0x8863
> - #define ETH_PPPOE_SESSION   0x8864
> diff --git a/patches/ppp-2.4.7/0016-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch
> deleted file mode 100644
> index c0f222824036..000000000000
> --- a/patches/ppp-2.4.7/0016-adaptive_echos.patch
> +++ /dev/null
> @@ -1,72 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] adaptive_echos
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/lcp.c  | 19 +++++++++++++++++++
> - pppd/pppd.8 |  5 +++++
> - 2 files changed, 24 insertions(+)
> -
> -diff --git a/pppd/lcp.c b/pppd/lcp.c
> -index 8ed2778bfb67..c97a64b7774f 100644
> ---- a/pppd/lcp.c
> -+++ b/pppd/lcp.c
> -@@ -73,6 +73,7 @@ static void lcp_delayed_up __P((void *));
> -  */
> - int	lcp_echo_interval = 0; 	/* Interval between LCP echo-requests */
> - int	lcp_echo_fails = 0;	/* Tolerance to unanswered echo-requests */
> -+bool	lcp_echo_adaptive = 0;	/* request echo only if the link was idle */
> - bool	lax_recv = 0;		/* accept control chars in asyncmap */
> - bool	noendpoint = 0;		/* don't send/accept endpoint discriminator */
> - 
> -@@ -151,6 +152,8 @@ static option_t lcp_option_list[] = {
> -       OPT_PRIO },
> -     { "lcp-echo-interval", o_int, &lcp_echo_interval,
> -       "Set time in seconds between LCP echo requests", OPT_PRIO },
> -+    { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive,
> -+      "Suppress LCP echo requests if traffic was received", 1 },
> -     { "lcp-restart", o_int, &lcp_fsm[0].timeouttime,
> -       "Set time in seconds between LCP retransmissions", OPT_PRIO },
> -     { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits,
> -@@ -2331,6 +2334,22 @@ LcpSendEchoRequest (f)
> - 	}
> -     }
> - 
> -+    /*
> -+     * If adaptive echos have been enabled, only send the echo request if
> -+     * no traffic was received since the last one.
> -+     */
> -+    if (lcp_echo_adaptive) {
> -+	static unsigned int last_pkts_in = 0;
> -+
> -+	update_link_stats(f->unit);
> -+	link_stats_valid = 0;
> -+
> -+	if (link_stats.pkts_in != last_pkts_in) {
> -+	    last_pkts_in = link_stats.pkts_in;
> -+	    return;
> -+	}
> -+    }
> -+
> -     /*
> -      * Make and send the echo request frame.
> -      */
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index 64659cf867b2..ec8bfd5c0617 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the
> - dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to
> - 1) in demand mode if the local address changes.
> - .TP
> -+.B lcp\-echo\-adaptive
> -+If this option is used with the \fIlcp\-echo\-failure\fR option then
> -+pppd will send LCP echo\-request frames only if no traffic was received
> -+from the peer since the last echo\-request was sent.
> -+.TP
> - .B lcp\-echo\-failure \fIn
> - If this option is given, pppd will presume the peer to be dead
> - if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP
> diff --git a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
> deleted file mode 100644
> index ff9096f70369..000000000000
> --- a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
> +++ /dev/null
> @@ -1,296 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] Makefiles cleanup
> -
> -Factor-out $COPTS and $LDOPTS to allow distributions to easily override
> -them. Properly use $LDFLAGS when linking and $CFLAGS when compiling.
> -Do not strip the installed binaries: this should be done by the
> -packaging system if required.
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - chat/Makefile.linux                  |  5 +++--
> - pppd/Makefile.linux                  |  7 ++++---
> - pppd/plugins/Makefile.linux          |  4 ++--
> - pppd/plugins/pppoatm/Makefile.linux  |  4 ++--
> - pppd/plugins/pppol2tp/Makefile.linux |  4 ++--
> - pppd/plugins/radius/Makefile.linux   | 16 +++++++++-------
> - pppd/plugins/rp-pppoe/Makefile.linux | 10 ++++++----
> - pppdump/Makefile.linux               |  9 ++++++---
> - pppstats/Makefile.linux              |  7 ++++---
> - 9 files changed, 38 insertions(+), 28 deletions(-)
> -
> -diff --git a/chat/Makefile.linux b/chat/Makefile.linux
> -index 1065ac519576..a41d485b4168 100644
> ---- a/chat/Makefile.linux
> -+++ b/chat/Makefile.linux
> -@@ -12,20 +12,21 @@ CDEFS=	$(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
> - 
> - COPTS=	-O2 -g -pipe
> - CFLAGS=	$(COPTS) $(CDEFS)
> -+LDFLAGS=$(LDOPTS)
> - 
> - INSTALL= install
> - 
> - all:	chat
> - 
> - chat:	chat.o
> --	$(CC) -o chat chat.o
> -+	$(CC) $(LDFLAGS) -o chat chat.o
> - 
> - chat.o:	chat.c
> - 	$(CC) -c $(CFLAGS) -o chat.o chat.c
> - 
> - install: chat
> - 	mkdir -p $(BINDIR) $(MANDIR)
> --	$(INSTALL) -s -c chat $(BINDIR)
> -+	$(INSTALL) -c chat $(BINDIR)
> - 	$(INSTALL) -c -m 644 chat.8 $(MANDIR)
> - 
> - clean:
> -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index a74c914fd3ac..16b3ee879791 100644
> ---- a/pppd/Makefile.linux
> -+++ b/pppd/Makefile.linux
> -@@ -83,6 +83,7 @@ INCLUDE_DIRS= -I../include
> - COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP
> - 
> - CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
> -+LDFLAGS=$(LDOPTS)
> - 
> - ifdef CHAPMS
> - CFLAGS   += -DCHAPMS=1
> -@@ -102,7 +103,7 @@ ifdef USE_SRP
> - CFLAGS	+= -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
> - LIBS	+= -lsrp -L/usr/local/ssl/lib -lcrypto
> - TARGETS	+= srp-entry
> --EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry
> -+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
> - MANPAGES += srp-entry.8
> - EXTRACLEAN += srp-entry.o
> - NEEDDES=y
> -@@ -208,13 +209,13 @@ all: $(TARGETS)
> - install: pppd
> - 	mkdir -p $(BINDIR) $(MANDIR)
> - 	$(EXTRAINSTALL)
> --	$(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd
> -+	$(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
> - 	if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
> - 	  chmod o-rx,u+s $(BINDIR)/pppd; fi
> - 	$(INSTALL) -c -m 444 pppd.8 $(MANDIR)
> - 
> - pppd: $(PPPDOBJS)
> --	$(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
> -+	$(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
> - 
> - srp-entry:	srp-entry.c
> - 	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
> -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
> -index 8a90e393a057..0f9d37d2953b 100644
> ---- a/pppd/plugins/Makefile.linux
> -+++ b/pppd/plugins/Makefile.linux
> -@@ -1,7 +1,7 @@
> - #CC	= gcc
> - COPTS	= -O2 -g
> - CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
> --LDFLAGS	= -shared
> -+LDFLAGS	= $(LDOPTS)
> - INSTALL	= install
> - 
> - DESTDIR = $(INSTROOT)@DESTDIR@
> -@@ -30,7 +30,7 @@ all:	$(PLUGINS)
> - 	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
> - 
> - %.so: %.c
> --	$(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
> -+	$(CC) -o $@ $(LDFLAGS) -shared $(CFLAGS) $^
> - 
> - VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
> - 
> -diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
> -index 20f62e631d23..002603c6cbef 100644
> ---- a/pppd/plugins/pppoatm/Makefile.linux
> -+++ b/pppd/plugins/pppoatm/Makefile.linux
> -@@ -1,7 +1,7 @@
> - #CC	= gcc
> - COPTS	= -O2 -g
> - CFLAGS	= $(COPTS) -I../.. -I../../../include -fPIC
> --LDFLAGS	= -shared
> -+LDFLAGS	= $(LDOPTS)
> - INSTALL	= install
> - 
> - #***********************************************************************
> -@@ -33,7 +33,7 @@ endif
> - all: $(PLUGIN)
> - 
> - $(PLUGIN): $(PLUGIN_OBJS)
> --	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
> -+	$(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
> - 
> - install: all
> - 	$(INSTALL) -d -m 755 $(LIBDIR)
> -diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
> -index ea3538e22d56..de5cc12e79c3 100644
> ---- a/pppd/plugins/pppol2tp/Makefile.linux
> -+++ b/pppd/plugins/pppol2tp/Makefile.linux
> -@@ -1,7 +1,7 @@
> - #CC	= gcc
> - COPTS	= -O2 -g
> - CFLAGS	= $(COPTS) -I. -I../.. -I../../../include -fPIC
> --LDFLAGS	= -shared
> -+LDFLAGS	= $(LDOPTS)
> - INSTALL	= install
> - 
> - #***********************************************************************
> -@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so
> - all: $(PLUGINS)
> - 
> - %.so: %.o
> --	$(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
> -+	$(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
> - 
> - install: all
> - 	$(INSTALL) -d -m 755 $(LIBDIR)
> -diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
> -index 24ed3e580c4d..436ff2fd0c23 100644
> ---- a/pppd/plugins/radius/Makefile.linux
> -+++ b/pppd/plugins/radius/Makefile.linux
> -@@ -12,7 +12,9 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
> - INSTALL	= install
> - 
> - PLUGIN=radius.so radattr.so radrealms.so
> --CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
> -+COPTS=-g -O2
> -+CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
> -+LDFLAGS= $(LDOPTS)
> - 
> - # Uncomment the next line to include support for Microsoft's
> - # MS-CHAP authentication protocol.
> -@@ -36,20 +38,20 @@ all: $(PLUGIN)
> - 
> - install: all
> - 	$(INSTALL) -d -m 755 $(LIBDIR)
> --	$(INSTALL) -s -c -m 755 radius.so $(LIBDIR)
> --	$(INSTALL) -s -c -m 755 radattr.so $(LIBDIR)
> --	$(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR)
> -+	$(INSTALL) -c -m 755 radius.so $(LIBDIR)
> -+	$(INSTALL) -c -m 755 radattr.so $(LIBDIR)
> -+	$(INSTALL) -c -m 755 radrealms.so $(LIBDIR)
> - 	$(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR)
> - 	$(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
> - 
> - radius.so: radius.o libradiusclient.a
> --	$(CC) -o radius.so -shared radius.o libradiusclient.a
> -+	$(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
> - 
> - radattr.so: radattr.o
> --	$(CC) -o radattr.so -shared radattr.o
> -+	$(CC) $(LDFLAGS) -o radattr.so -shared radattr.o
> - 
> - radrealms.so: radrealms.o
> --	$(CC) -o radrealms.so -shared radrealms.o
> -+	$(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o
> - 
> - CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \
> - 	clientid.o sendserver.o lock.o util.o md5.o
> -diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
> -index 5d7a2719545d..00e0af6da20c 100644
> ---- a/pppd/plugins/rp-pppoe/Makefile.linux
> -+++ b/pppd/plugins/rp-pppoe/Makefile.linux
> -@@ -27,10 +27,12 @@ RP_VERSION=3.8p
> - 
> - COPTS=-O2 -g
> - CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
> -+LDFLAGS=$(LDOPTS)
> -+
> - all: rp-pppoe.so pppoe-discovery
> - 
> - pppoe-discovery: pppoe-discovery.o debug.o
> --	$(CC) -o pppoe-discovery pppoe-discovery.o debug.o
> -+	$(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o
> - 
> - pppoe-discovery.o: pppoe-discovery.c
> - 	$(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
> -@@ -39,13 +41,13 @@ debug.o: debug.c
> - 	$(CC) $(CFLAGS) -c -o debug.o debug.c
> - 
> - rp-pppoe.so: plugin.o discovery.o if.o common.o
> --	$(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
> -+	$(CC) $(LDFLAGS) -o rp-pppoe.so -shared $^
> - 
> - install: all
> - 	$(INSTALL) -d -m 755 $(LIBDIR)
> --	$(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR)
> -+	$(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
> - 	$(INSTALL) -d -m 755 $(BINDIR)
> --	$(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR)
> -+	$(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
> - 
> - clean:
> - 	rm -f *.o *.so pppoe-discovery
> -diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
> -index ac028f6bf4f0..65e5c14914fb 100644
> ---- a/pppdump/Makefile.linux
> -+++ b/pppdump/Makefile.linux
> -@@ -2,7 +2,10 @@ DESTDIR = $(INSTROOT)@DESTDIR@
> - BINDIR = $(DESTDIR)/sbin
> - MANDIR = $(DESTDIR)/share/man/man8
> - 
> --CFLAGS= -O -I../include/net
> -+COPTS=-O2 -g
> -+CFLAGS= $(COPTS) -I../include/net
> -+LDFLAGS=$(LDOPTS)
> -+
> - OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
> - 
> - INSTALL= install
> -@@ -10,12 +13,12 @@ INSTALL= install
> - all:	pppdump
> - 
> - pppdump: $(OBJS)
> --	$(CC) -o pppdump $(OBJS)
> -+	$(CC) $(LDFLAGS) -o pppdump $(OBJS)
> - 
> - clean:
> - 	rm -f pppdump $(OBJS) *~
> - 
> - install:
> - 	mkdir -p $(BINDIR) $(MANDIR)
> --	$(INSTALL) -s -c pppdump $(BINDIR)
> -+	$(INSTALL) -c pppdump $(BINDIR)
> - 	$(INSTALL) -c -m 444 pppdump.8 $(MANDIR)
> -diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
> -index cca6f0f61d87..9ec8e803665a 100644
> ---- a/pppstats/Makefile.linux
> -+++ b/pppstats/Makefile.linux
> -@@ -10,23 +10,24 @@ PPPSTATSRCS = pppstats.c
> - PPPSTATOBJS = pppstats.o
> - 
> - #CC = gcc
> --COPTS = -O
> -+COPTS = -O2 -g
> - COMPILE_FLAGS = -I../include
> - LIBS =
> - 
> - INSTALL= install
> - 
> - CFLAGS = $(COPTS) $(COMPILE_FLAGS)
> -+LDFLAGS= $(LDOPTS)
> - 
> - all: pppstats
> - 
> - install: pppstats
> - 	-mkdir -p $(MANDIR)
> --	$(INSTALL) -s -c pppstats $(BINDIR)
> -+	$(INSTALL) -c pppstats $(BINDIR)
> - 	$(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
> - 
> - pppstats: $(PPPSTATSRCS)
> --	$(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
> -+	$(CC) $(LDFLAGS) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
> - 
> - clean:
> - 	rm -f pppstats *~ #* core
> diff --git a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
> deleted file mode 100644
> index 41669d12a43f..000000000000
> --- a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
> +++ /dev/null
> @@ -1,44 +0,0 @@
> -From: Simon Peter <dn.tlp@gmx.net>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist
> -
> -When using the kernel PPPoE driver, pppd never
> -closes /dev/ppp when the link has come down.
> -
> -It opens superfluous fds to the device each time it re-opens the
> -connection, with the unclosed ones falsely reported always ready for
> -data by select().
> -
> -This makes pppd eat up 100% CPU time after the first persist because of
> -the always instantly returning select() on the unclosed fds.
> -
> -The problem also occurs with the upstream version, but does not occur
> -when a pty/tty device is used for the ppp connection.
> -
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/sys-linux.c | 7 +++++++
> - 1 file changed, 7 insertions(+)
> -
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 9b2f293024ac..6d29dc8e8594 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd)
> -     if (new_style_driver) {
> - 	int flags;
> - 
> -+        /* if a ppp_fd is already open, close it first */
> -+        if(ppp_fd > 0) {
> -+          close(ppp_fd);
> -+          remove_fd(ppp_fd);
> -+          ppp_fd = -1;
> -+        }
> -+
> - 	/* Open an instance of /dev/ppp and connect the channel to it */
> - 	if (ioctl(fd, PPPIOCGCHAN, &chindex) == -1) {
> - 	    error("Couldn't get channel number: %m");
> diff --git a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
> deleted file mode 100644
> index f785c75d87bb..000000000000
> --- a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
> +++ /dev/null
> @@ -1,48 +0,0 @@
> -From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment
> -
> -Package: ppp
> -Version: 2.4.2+20040428-2
> -Severity: wishlist
> -
> -When pppd detaches from the parent normally, that is, without nodetach
> -or updetach set, the linkpidfile is not created even when linkname is
> -set.
> -
> -This is because the create_linkpidfile call in detach() is only made
> -if the linkpidfile is filled in.  However, linkpidfile is never filled
> -in until create_linkpidfile has been called.
> -
> -IMHO the call should be made uncondtionally in detach() since
> -create_linkpidfile does its own check on linkname anyway.
> -
> -Please note that the version of pppd in woody always wrote the
> -linkpidfile after detaching.  It did so in main() however.  That
> -call has now been removed which is why I'm seeing this problem.
> -
> -[...]
> -
> ---
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/main.c | 3 +--
> - 1 file changed, 1 insertion(+), 2 deletions(-)
> -
> -diff --git a/pppd/main.c b/pppd/main.c
> -index 76b67d2485b7..8e31365f0c58 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -765,8 +765,7 @@ detach()
> - 	/* update pid files if they have been written already */
> - 	if (pidfilename[0])
> - 	    create_pidfile(pid);
> --	if (linkpidfile[0])
> --	    create_linkpidfile(pid);
> -+	create_linkpidfile(pid);
> - 	exit(0);		/* parent dies */
> -     }
> -     setsid();
> diff --git a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
> deleted file mode 100644
> index ee22c74b6405..000000000000
> --- a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
> +++ /dev/null
> @@ -1,90 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] cosmetic cleanup of the pppoatm plugin
> -
> -Removed some debugging messages and generally cleaned up the source.
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++----------
> - 1 file changed, 13 insertions(+), 10 deletions(-)
> -
> -diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
> -index a7560e9fb0c6..90d0c9a85d9f 100644
> ---- a/pppd/plugins/pppoatm/pppoatm.c
> -+++ b/pppd/plugins/pppoatm/pppoatm.c
> -@@ -70,18 +70,20 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
> - {
> - 	struct sockaddr_atmpvc addr;
> - 	extern struct stat devstat;
> -+
> - 	if (device_got_set)
> - 		return 0;
> --	//info("PPPoATM setdevname_pppoatm: '%s'", cp);
> -+
> - 	memset(&addr, 0, sizeof addr);
> - 	if (text2atm(cp, (struct sockaddr *) &addr, sizeof(addr),
> --	    T2A_PVC | T2A_NAME) < 0) {
> --               if(doit)
> --                   info("atm does not recognize: %s", cp);
> -+	    T2A_PVC | T2A_NAME | T2A_WILDCARD) < 0) {
> -+		if (doit)
> -+			info("cannot parse the ATM address: %s", cp);
> - 		return 0;
> --           }
> --	if (!doit) return 1;
> --	//if (!dev_set_ok()) return -1;
> -+	}
> -+	if (!doit)
> -+		return 1;
> -+
> - 	memcpy(&pvcaddr, &addr, sizeof pvcaddr);
> - 	strlcpy(devnam, cp, sizeof devnam);
> - 	devstat.st_mode = S_IFSOCK;
> -@@ -93,7 +95,6 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
> - 		lcp_allowoptions[0].neg_asyncmap = 0;
> - 		lcp_wantoptions[0].neg_pcompression = 0;
> - 	}
> --	info("PPPoATM setdevname_pppoatm - SUCCESS:%s", cp);
> - 	device_got_set = 1;
> - 	return 1;
> - }
> -@@ -108,6 +109,7 @@ static void no_device_given_pppoatm(void)
> - static void set_line_discipline_pppoatm(int fd)
> - {
> - 	struct atm_backend_ppp be;
> -+
> - 	be.backend_num = ATM_BACKEND_PPP;
> - 	if (!llc_encaps)
> - 		be.encaps = PPPOATM_ENCAPS_VC;
> -@@ -115,6 +117,7 @@ static void set_line_discipline_pppoatm(int fd)
> - 		be.encaps = PPPOATM_ENCAPS_LLC;
> - 	else
> - 		be.encaps = PPPOATM_ENCAPS_AUTODETECT;
> -+
> - 	if (ioctl(fd, ATM_SETBACKEND, &be) < 0)
> - 		fatal("ioctl(ATM_SETBACKEND): %m");
> - }
> -@@ -172,7 +175,7 @@ static void disconnect_pppoatm(void)
> - 
> - void plugin_init(void)
> - {
> --#if defined(__linux__)
> -+#ifdef linux
> - 	extern int new_style_driver;	/* From sys-linux.c */
> - 	if (!ppp_available() && !new_style_driver)
> - 		fatal("Kernel doesn't support ppp_generic - "
> -@@ -180,9 +183,9 @@ void plugin_init(void)
> - #else
> - 	fatal("No PPPoATM support on this OS");
> - #endif
> --	info("PPPoATM plugin_init");
> - 	add_options(pppoa_options);
> - }
> -+
> - struct channel pppoa_channel = {
> -     options: pppoa_options,
> -     process_extra_options: NULL,
> diff --git a/patches/ppp-2.4.7/0023-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch
> deleted file mode 100644
> index b4712de17a7f..000000000000
> --- a/patches/ppp-2.4.7/0023-pppoe_noads.patch
> +++ /dev/null
> @@ -1,25 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] pppoe_noads
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/plugin.c | 3 ---
> - 1 file changed, 3 deletions(-)
> -
> -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
> -index c89be94250bc..7804b184f0cb 100644
> ---- a/pppd/plugins/rp-pppoe/plugin.c
> -+++ b/pppd/plugins/rp-pppoe/plugin.c
> -@@ -377,9 +377,6 @@ plugin_init(void)
> -     }
> - 
> -     add_options(Options);
> --
> --    info("RP-PPPoE plugin version %s compiled against pppd %s",
> --	 RP_VERSION, VERSION);
> - }
> - 
> - void pppoe_check_options(void)
> diff --git a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
> deleted file mode 100644
> index 557b16901f18..000000000000
> --- a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
> +++ /dev/null
> @@ -1,27 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] make _PATH_CONNERRS world readable
> -
> -There is nothing security-sensitive there.
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/main.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/main.c b/pppd/main.c
> -index 8e31365f0c58..ed544315c1df 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait)
> -     if (log_to_fd >= 0)
> - 	errfd = log_to_fd;
> -     else
> --	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600);
> -+	errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
> - 
> -     ++conn_running;
> -     pid = safe_fork(in, out, errfd);
> diff --git a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
> deleted file mode 100644
> index febfaf869f22..000000000000
> --- a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] Correct unkown => unknown typo
> -
> -Author: Chris Boot <bootc@debian.org>
> -Last-Update: 2013-09-09
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/radius/config.c | 6 +++---
> - 1 file changed, 3 insertions(+), 3 deletions(-)
> -
> -diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c
> -index a29e5e8da909..f892ca7b1bf5 100644
> ---- a/pppd/plugins/radius/config.c
> -+++ b/pppd/plugins/radius/config.c
> -@@ -271,7 +271,7 @@ char *rc_conf_str(char *optname)
> - 	option = find_option(optname, OT_STR);
> - 
> - 	if (option == NULL)
> --		fatal("rc_conf_str: unkown config option requested: %s", optname);
> -+		fatal("rc_conf_str: unknown config option requested: %s", optname);
> - 		return (char *)option->val;
> - }
> - 
> -@@ -282,7 +282,7 @@ int rc_conf_int(char *optname)
> - 	option = find_option(optname, OT_INT|OT_AUO);
> - 
> - 	if (option == NULL)
> --		fatal("rc_conf_int: unkown config option requested: %s", optname);
> -+		fatal("rc_conf_int: unknown config option requested: %s", optname);
> - 	return *((int *)option->val);
> - }
> - 
> -@@ -293,7 +293,7 @@ SERVER *rc_conf_srv(char *optname)
> - 	option = find_option(optname, OT_SRV);
> - 
> - 	if (option == NULL)
> --		fatal("rc_conf_srv: unkown config option requested: %s", optname);
> -+		fatal("rc_conf_srv: unknown config option requested: %s", optname);
> - 	return (SERVER *)option->val;
> - }
> - 
> diff --git a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
> deleted file mode 100644
> index 5cf266d10971..000000000000
> --- a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
> +++ /dev/null
> @@ -1,302 +0,0 @@
> -From: Matteo Croce <matteo@openwrt.org>
> -Date: Sat, 21 Nov 2015 18:45:43 +0100
> -Subject: [PATCH] pppoe: custom host-uniq tag
> -
> -Add pppoe 'host-uniq' option to set an arbitrary
> -host-uniq tag instead of the pppd pid.
> -Some ISPs use such tag to authenticate the CPE,
> -so it must be set to a proper value to connect.
> -
> -Signed-off-by: Matteo Croce <matteo@openwrt.org>
> -Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/rp-pppoe/common.c          | 14 ++++-----
> - pppd/plugins/rp-pppoe/discovery.c       | 51 +++++++++++++--------------------
> - pppd/plugins/rp-pppoe/plugin.c          |  7 ++++-
> - pppd/plugins/rp-pppoe/pppoe-discovery.c | 38 +++++++++++++++---------
> - pppd/plugins/rp-pppoe/pppoe.h           | 31 +++++++++++++++++++-
> - 5 files changed, 86 insertions(+), 55 deletions(-)
> -
> -diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c
> -index 89c633c773f9..8f175ece345b 100644
> ---- a/pppd/plugins/rp-pppoe/common.c
> -+++ b/pppd/plugins/rp-pppoe/common.c
> -@@ -119,15 +119,11 @@ sendPADT(PPPoEConnection *conn, char const *msg)
> -     conn->session = 0;
> - 
> -     /* If we're using Host-Uniq, copy it over */
> --    if (conn->useHostUniq) {
> --	PPPoETag hostUniq;
> --	pid_t pid = getpid();
> --	hostUniq.type = htons(TAG_HOST_UNIQ);
> --	hostUniq.length = htons(sizeof(pid));
> --	memcpy(hostUniq.payload, &pid, sizeof(pid));
> --	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
> --	cursor += sizeof(pid) + TAG_HDR_SIZE;
> --	plen += sizeof(pid) + TAG_HDR_SIZE;
> -+    if (conn->hostUniq.length) {
> -+	int len = ntohs(conn->hostUniq.length);
> -+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
> -+	cursor += len + TAG_HDR_SIZE;
> -+	plen += len + TAG_HDR_SIZE;
> -     }
> - 
> -     /* Copy error message */
> -diff --git a/pppd/plugins/rp-pppoe/discovery.c b/pppd/plugins/rp-pppoe/discovery.c
> -index 04877cb8295f..5db8d0defc37 100644
> ---- a/pppd/plugins/rp-pppoe/discovery.c
> -+++ b/pppd/plugins/rp-pppoe/discovery.c
> -@@ -80,13 +80,10 @@ static void
> - parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
> - 		 void *extra)
> - {
> --    int *val = (int *) extra;
> --    if (type == TAG_HOST_UNIQ && len == sizeof(pid_t)) {
> --	pid_t tmp;
> --	memcpy(&tmp, data, len);
> --	if (tmp == getpid()) {
> --	    *val = 1;
> --	}
> -+    PPPoETag *tag = extra;
> -+
> -+    if (type == TAG_HOST_UNIQ && len == ntohs(tag->length)) {
> -+	tag->length = memcmp(data, tag->payload, len);
> -     }
> - }
> - 
> -@@ -104,16 +101,16 @@ parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
> - static int
> - packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
> - {
> --    int forMe = 0;
> -+    PPPoETag hostUniq = conn->hostUniq;
> - 
> -     /* If packet is not directed to our MAC address, forget it */
> -     if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
> - 
> -     /* If we're not using the Host-Unique tag, then accept the packet */
> --    if (!conn->useHostUniq) return 1;
> -+    if (!conn->hostUniq.length) return 1;
> - 
> --    parsePacket(packet, parseForHostUniq, &forMe);
> --    return forMe;
> -+    parsePacket(packet, parseForHostUniq, &hostUniq);
> -+    return !hostUniq.length;
> - }
> - 
> - /**********************************************************************
> -@@ -301,16 +298,12 @@ sendPADI(PPPoEConnection *conn)
> -     }
> - 
> -     /* If we're using Host-Uniq, copy it over */
> --    if (conn->useHostUniq) {
> --	PPPoETag hostUniq;
> --	pid_t pid = getpid();
> --	hostUniq.type = htons(TAG_HOST_UNIQ);
> --	hostUniq.length = htons(sizeof(pid));
> --	memcpy(hostUniq.payload, &pid, sizeof(pid));
> --	CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
> --	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
> --	cursor += sizeof(pid) + TAG_HDR_SIZE;
> --	plen += sizeof(pid) + TAG_HDR_SIZE;
> -+    if (conn->hostUniq.length) {
> -+	int len = ntohs(conn->hostUniq.length);
> -+	CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
> -+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
> -+	cursor += len + TAG_HDR_SIZE;
> -+	plen += len + TAG_HDR_SIZE;
> -     }
> - 
> -     /* Add our maximum MTU/MRU */
> -@@ -478,16 +471,12 @@ sendPADR(PPPoEConnection *conn)
> -     cursor += namelen + TAG_HDR_SIZE;
> - 
> -     /* If we're using Host-Uniq, copy it over */
> --    if (conn->useHostUniq) {
> --	PPPoETag hostUniq;
> --	pid_t pid = getpid();
> --	hostUniq.type = htons(TAG_HOST_UNIQ);
> --	hostUniq.length = htons(sizeof(pid));
> --	memcpy(hostUniq.payload, &pid, sizeof(pid));
> --	CHECK_ROOM(cursor, packet.payload, sizeof(pid)+TAG_HDR_SIZE);
> --	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
> --	cursor += sizeof(pid) + TAG_HDR_SIZE;
> --	plen += sizeof(pid) + TAG_HDR_SIZE;
> -+    if (conn->hostUniq.length) {
> -+	int len = ntohs(conn->hostUniq.length);
> -+	CHECK_ROOM(cursor, packet.payload, len+TAG_HDR_SIZE);
> -+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
> -+	cursor += len + TAG_HDR_SIZE;
> -+	plen += len + TAG_HDR_SIZE;
> -     }
> - 
> -     /* Add our maximum MTU/MRU */
> -diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
> -index 7804b184f0cb..12778d0d9991 100644
> ---- a/pppd/plugins/rp-pppoe/plugin.c
> -+++ b/pppd/plugins/rp-pppoe/plugin.c
> -@@ -68,6 +68,7 @@ static char *existingSession = NULL;
> - static int printACNames = 0;
> - static char *pppoe_reqd_mac = NULL;
> - unsigned char pppoe_reqd_mac_addr[6];
> -+static char *host_uniq = NULL;
> - 
> - static int PPPoEDevnameHook(char *cmd, char **argv, int doit);
> - static option_t Options[] = {
> -@@ -85,6 +86,8 @@ static option_t Options[] = {
> -       "Be verbose about discovered access concentrators"},
> -     { "pppoe-mac", o_string, &pppoe_reqd_mac,
> -       "Only connect to specified MAC address" },
> -+    { "host-uniq", o_string, &host_uniq,
> -+      "Specify custom Host-Uniq" },
> -     { NULL }
> - };
> - int (*OldDevnameHook)(char *cmd, char **argv, int doit) = NULL;
> -@@ -110,7 +113,6 @@ PPPOEInitDevice(void)
> -     conn->ifName = devnam;
> -     conn->discoverySocket = -1;
> -     conn->sessionSocket = -1;
> --    conn->useHostUniq = 1;
> -     conn->printACNames = printACNames;
> -     conn->discoveryTimeout = PADI_TIMEOUT;
> -     return 1;
> -@@ -166,6 +168,9 @@ PPPOEConnectDevice(void)
> -     if (lcp_wantoptions[0].mru > ifr.ifr_mtu - TOTAL_OVERHEAD)
> - 	lcp_wantoptions[0].mru = ifr.ifr_mtu - TOTAL_OVERHEAD;
> - 
> -+    if (host_uniq && !parseHostUniq(host_uniq, &conn->hostUniq))
> -+	fatal("Illegal value for host-uniq option");
> -+
> -     conn->acName = acName;
> -     conn->serviceName = pppd_pppoe_service;
> -     strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam));
> -diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -index 55037dffb023..ff4c487ffaa9 100644
> ---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
> -@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
> -     if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
> - 
> -     /* If we're not using the Host-Unique tag, then accept the packet */
> --    if (!conn->useHostUniq) return 1;
> -+    if (!conn->hostUniq.length) return 1;
> - 
> -     parsePacket(packet, parseForHostUniq, &forMe);
> -     return forMe;
> -@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn)
> -     cursor += namelen + TAG_HDR_SIZE;
> - 
> -     /* If we're using Host-Uniq, copy it over */
> --    if (conn->useHostUniq) {
> --	PPPoETag hostUniq;
> --	pid_t pid = getpid();
> --	hostUniq.type = htons(TAG_HOST_UNIQ);
> --	hostUniq.length = htons(sizeof(pid));
> --	memcpy(hostUniq.payload, &pid, sizeof(pid));
> --	CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
> --	memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
> --	cursor += sizeof(pid) + TAG_HDR_SIZE;
> --	plen += sizeof(pid) + TAG_HDR_SIZE;
> -+    if (conn->hostUniq.length) {
> -+	int len = ntohs(conn->hostUniq.length);
> -+	CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
> -+	memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
> -+	cursor += len + TAG_HDR_SIZE;
> -+	plen += len + TAG_HDR_SIZE;
> -     }
> - 
> -     packet.length = htons(plen);
> -@@ -653,7 +649,7 @@ int main(int argc, char *argv[])
> - 
> -     memset(conn, 0, sizeof(PPPoEConnection));
> - 
> --    while ((opt = getopt(argc, argv, "I:D:VUAS:C:h")) > 0) {
> -+    while ((opt = getopt(argc, argv, "I:D:VUW:AS:C:h")) > 0) {
> - 	switch(opt) {
> - 	case 'S':
> - 	    conn->serviceName = xstrdup(optarg);
> -@@ -662,7 +658,23 @@ int main(int argc, char *argv[])
> - 	    conn->acName = xstrdup(optarg);
> - 	    break;
> - 	case 'U':
> --	    conn->useHostUniq = 1;
> -+	    if(conn->hostUniq.length) {
> -+		fprintf(stderr, "-U and -W are mutually exclusive\n");
> -+		exit(EXIT_FAILURE);
> -+	    }
> -+            char pidbuf[5];
> -+            snprintf(pidbuf, sizeof(pidbuf), "%04x", getpid());
> -+            parseHostUniq(pidbuf, &conn->hostUniq);
> -+	    break;
> -+	case 'W':
> -+	    if(conn->hostUniq.length) {
> -+		fprintf(stderr, "-U and -W are mutually exclusive\n");
> -+		exit(EXIT_FAILURE);
> -+	    }
> -+	    if (!parseHostUniq(optarg, &conn->hostUniq)) {
> -+                fprintf(stderr, "Invalid host-uniq argument: %s\n", optarg);
> -+                exit(EXIT_FAILURE);
> -+            }
> - 	    break;
> - 	case 'D':
> - 	    conn->debugFile = fopen(optarg, "w");
> -diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
> -index c4aaa6e68856..08026f577028 100644
> ---- a/pppd/plugins/rp-pppoe/pppoe.h
> -+++ b/pppd/plugins/rp-pppoe/pppoe.h
> -@@ -21,6 +21,8 @@
> - 
> - #include <stdio.h>		/* For FILE */
> - #include <sys/types.h>		/* For pid_t */
> -+#include <ctype.h>
> -+#include <string.h>
> - 
> - /* How do we access raw Ethernet devices? */
> - #undef USE_LINUX_PACKET
> -@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct {
> -     char *serviceName;		/* Desired service name, if any */
> -     char *acName;		/* Desired AC name, if any */
> -     int synchronous;		/* Use synchronous PPP */
> --    int useHostUniq;		/* Use Host-Uniq tag */
> -+    PPPoETag hostUniq;		/* Use Host-Uniq tag */
> -     int printACNames;		/* Just print AC names */
> -     FILE *debugFile;		/* Debug file for dumping packets */
> -     int numPADOs;		/* Number of PADO packets received */
> -@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet,
> - 		    void (*printer)(void *, char *, ...), void *arg);
> - void pppoe_log_packet(const char *prefix, PPPoEPacket *packet);
> - 
> -+static inline int parseHostUniq(const char *uniq, PPPoETag *tag)
> -+{
> -+    int i, len = strlen(uniq);
> -+
> -+#define hex(x) \
> -+    (((x) <= '9') ? ((x) - '0') : \
> -+        (((x) <= 'F') ? ((x) - 'A' + 10) : \
> -+            ((x) - 'a' + 10)))
> -+
> -+    if (len % 2)
> -+        return 0;
> -+
> -+    for (i = 0; i < len; i += 2)
> -+    {
> -+        if (!isxdigit(uniq[i]) || !isxdigit(uniq[i+1]))
> -+            return 0;
> -+
> -+        tag->payload[i / 2] = (char)(16 * hex(uniq[i]) + hex(uniq[i+1]));
> -+    }
> -+
> -+#undef hex
> -+
> -+    tag->type = htons(TAG_HOST_UNIQ);
> -+    tag->length = htons(len / 2);
> -+    return 1;
> -+}
> -+
> - #define SET_STRING(var, val) do { if (var) free(var); var = strDup(val); } while(0);
> - 
> - #define CHECK_ROOM(cursor, start, len) \
> diff --git a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
> deleted file mode 100644
> index 19f931b1244f..000000000000
> --- a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
> +++ /dev/null
> @@ -1,324 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] Add replacedefaultroute option
> -
> -Adds an option to pppd to control whether to replace existing default routes
> -when using the 'defaultroute' option.
> -
> -If defaultroute and replacedefaultroute are both set, pppd replaces an existing
> -default route with the new default route. The old default route is restored when
> -the connection is taken down.
> -
> -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a
> -Forwarded: no
> -Reviewed-by: Chris Boot <bootc@debian.org>
> -Last-Update: 2014-01-26
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ipcp.c      | 45 +++++++++++++++++++++++++++----
> - pppd/ipcp.h      |  1 +
> - pppd/pppd.8      | 12 ++++++++-
> - pppd/pppd.h      |  4 +++
> - pppd/sys-linux.c | 82 +++++++++++++++++++++++++++++++++++++++++++++-----------
> - 5 files changed, 123 insertions(+), 21 deletions(-)
> -
> -diff --git a/pppd/ipcp.c b/pppd/ipcp.c
> -index e9738fe4d894..c8fe279d4ede 100644
> ---- a/pppd/ipcp.c
> -+++ b/pppd/ipcp.c
> -@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = {
> -       "disable defaultroute option", OPT_ALIAS | OPT_A2CLR,
> -       &ipcp_wantoptions[0].default_route },
> - 
> -+#ifdef __linux__
> -+    { "replacedefaultroute", o_bool,
> -+				&ipcp_wantoptions[0].replace_default_route,
> -+      "Replace default route", 1
> -+    },
> -+    { "noreplacedefaultroute", o_bool,
> -+				&ipcp_allowoptions[0].replace_default_route,
> -+      "Never replace default route", OPT_A2COPY,
> -+				&ipcp_wantoptions[0].replace_default_route },
> -+#endif
> -     { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp,
> -       "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp },
> -     { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp,
> -@@ -271,7 +281,7 @@ struct protent ipcp_protent = {
> -     ip_active_pkt
> - };
> - 
> --static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t));
> -+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool));
> - static void ipcp_script __P((char *, int));	/* Run an up/down script */
> - static void ipcp_script_done __P((void *));
> - 
> -@@ -1761,7 +1771,12 @@ ip_demand_conf(u)
> -     if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE))
> - 	return 0;
> -     if (wo->default_route)
> -+#ifndef __linux__
> - 	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr))
> -+#else
> -+	if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr,
> -+					    wo->replace_default_route))
> -+#endif
> - 	    default_route_set[u] = 1;
> -     if (wo->proxy_arp)
> - 	if (sifproxyarp(u, wo->hisaddr))
> -@@ -1849,7 +1864,8 @@ ipcp_up(f)
> -      */
> -     if (demand) {
> - 	if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) {
> --	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr);
> -+	    ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr,
> -+				      wo->replace_default_route);
> - 	    if (go->ouraddr != wo->ouraddr) {
> - 		warn("Local IP address changed to %I", go->ouraddr);
> - 		script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0);
> -@@ -1874,7 +1890,12 @@ ipcp_up(f)
> - 
> - 	    /* assign a default route through the interface if required */
> - 	    if (ipcp_wantoptions[f->unit].default_route) 
> -+#ifndef __linux__
> - 		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
> -+#else
> -+		if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
> -+					     wo->replace_default_route))
> -+#endif
> - 		    default_route_set[f->unit] = 1;
> - 
> - 	    /* Make a proxy ARP entry if requested. */
> -@@ -1924,7 +1945,12 @@ ipcp_up(f)
> - 
> - 	/* assign a default route through the interface if required */
> - 	if (ipcp_wantoptions[f->unit].default_route) 
> -+#ifndef __linux__
> - 	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
> -+#else
> -+	    if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
> -+					 wo->replace_default_route))
> -+#endif
> - 		default_route_set[f->unit] = 1;
> - 
> - 	/* Make a proxy ARP entry if requested. */
> -@@ -2002,7 +2028,7 @@ ipcp_down(f)
> - 	sifnpmode(f->unit, PPP_IP, NPMODE_DROP);
> - 	sifdown(f->unit);
> - 	ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr,
> --			 ipcp_hisoptions[f->unit].hisaddr);
> -+			 ipcp_hisoptions[f->unit].hisaddr, 0);
> -     }
> - 
> -     /* Execute the ip-down script */
> -@@ -2018,16 +2044,25 @@ ipcp_down(f)
> -  * proxy arp entries, etc.
> -  */
> - static void
> --ipcp_clear_addrs(unit, ouraddr, hisaddr)
> -+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute)
> -     int unit;
> -     u_int32_t ouraddr;  /* local address */
> -     u_int32_t hisaddr;  /* remote address */
> -+    bool replacedefaultroute;
> - {
> -     if (proxy_arp_set[unit]) {
> - 	cifproxyarp(unit, hisaddr);
> - 	proxy_arp_set[unit] = 0;
> -     }
> --    if (default_route_set[unit]) {
> -+    /* If replacedefaultroute, sifdefaultroute will be called soon
> -+     * with replacedefaultroute set and that will overwrite the current
> -+     * default route. This is the case only when doing demand, otherwise
> -+     * during demand, this cifdefaultroute would restore the old default
> -+     * route which is not what we want in this case. In the non-demand
> -+     * case, we'll delete the default route and restore the old if there
> -+     * is one saved by an sifdefaultroute with replacedefaultroute.
> -+     */
> -+    if (!replacedefaultroute && default_route_set[unit]) {
> - 	cifdefaultroute(unit, ouraddr, hisaddr);
> - 	default_route_set[unit] = 0;
> -     }
> -diff --git a/pppd/ipcp.h b/pppd/ipcp.h
> -index 6cf14c990578..7ecfa79d8668 100644
> ---- a/pppd/ipcp.h
> -+++ b/pppd/ipcp.h
> -@@ -70,6 +70,7 @@ typedef struct ipcp_options {
> -     bool old_addrs;		/* Use old (IP-Addresses) option? */
> -     bool req_addr;		/* Ask peer to send IP address? */
> -     bool default_route;		/* Assign default route through interface? */
> -+    bool replace_default_route;	/* Replace default route through interface? */
> -     bool proxy_arp;		/* Make proxy ARP entry for peer? */
> -     bool neg_vj;		/* Van Jacobson Compression? */
> -     bool old_vj;		/* use old (short) form of VJ option? */
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index ec8bfd5c0617..481aa8be672b 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed.
> - This entry is removed when the PPP connection is broken.  This option
> - is privileged if the \fInodefaultroute\fR option has been specified.
> - .TP
> -+.B replacedefaultroute
> -+This option is a flag to the defaultroute option. If defaultroute is
> -+set and this flag is also set, pppd replaces an existing default route
> -+with the new default route.
> -+.TP
> - .B disconnect \fIscript
> - Execute the command specified by \fIscript\fR, by passing it to a
> - shell, after
> -@@ -739,7 +744,12 @@ disable both forms of hardware flow control.
> - .TP
> - .B nodefaultroute
> - Disable the \fIdefaultroute\fR option.  The system administrator who
> --wishes to prevent users from creating default routes with pppd
> -+wishes to prevent users from adding a default route with pppd
> -+can do so by placing this option in the /etc/ppp/options file.
> -+.TP
> -+.B noreplacedefaultroute
> -+Disable the \fIreplacedefaultroute\fR option. The system administrator who
> -+wishes to prevent users from replacing a default route with pppd
> - can do so by placing this option in the /etc/ppp/options file.
> - .TP
> - .B nodeflate
> -diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index 1a1bf0b99582..7495df657fe9 100644
> ---- a/pppd/pppd.h
> -+++ b/pppd/pppd.h
> -@@ -676,7 +676,11 @@ int  sif6addr __P((int, eui64_t, eui64_t));
> - int  cif6addr __P((int, eui64_t, eui64_t));
> - 				/* Remove an IPv6 address from i/f */
> - #endif
> -+#ifndef __linux__
> - int  sifdefaultroute __P((int, u_int32_t, u_int32_t));
> -+#else
> -+int  sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt));
> -+#endif
> - 				/* Create default route through i/f */
> - int  cifdefaultroute __P((int, u_int32_t, u_int32_t));
> - 				/* Delete default route through i/f */
> -diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> -index 6d29dc8e8594..3f0bbc33c605 100644
> ---- a/pppd/sys-linux.c
> -+++ b/pppd/sys-linux.c
> -@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */
> - static int	if_is_up;	/* Interface has been marked up */
> - static int	if6_is_up;	/* Interface has been marked up for IPv6, to help differentiate */
> - static int	have_default_route;	/* Gateway for default route added */
> -+static struct rtentry old_def_rt;       /* Old default route */
> -+static int       default_rt_repl_rest;  /* replace and restore old default rt */
> - static u_int32_t proxy_arp_addr;	/* Addr for proxy arp entry added */
> - static char proxy_arp_dev[16];		/* Device for proxy arp entry */
> - static u_int32_t our_old_addr;		/* for detecting address changes */
> -@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt)
> - 	p = NULL;
> -     }
> - 
> -+    SET_SA_FAMILY (rt->rt_dst,     AF_INET);
> -+    SET_SA_FAMILY (rt->rt_gateway, AF_INET);
> -+
> -     SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16);
> -     SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16);
> -     SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16);
> -@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr)
> - /********************************************************************
> -  *
> -  * sifdefaultroute - assign a default route through the address given.
> -- */
> --
> --int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
> --{
> --    struct rtentry rt;
> --
> --    if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) {
> --	if (rt.rt_flags & RTF_GATEWAY)
> --	    error("not replacing existing default route via %I",
> --		  SIN_ADDR(rt.rt_gateway));
> --	else
> --	    error("not replacing existing default route through %s",
> --		  rt.rt_dev);
> --	return 0;
> -+ *
> -+ * If the global default_rt_repl_rest flag is set, then this function
> -+ * already replaced the original system defaultroute with some other
> -+ * route and it should just replace the current defaultroute with
> -+ * another one, without saving the current route. Use: demand mode,
> -+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses
> -+ * and then changes the temporary addresses to the addresses for the real
> -+ * ppp connection when it has come up.
> -+ */
> -+
> -+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace)
> -+{
> -+    struct rtentry rt, tmp_rt;
> -+    struct rtentry *del_rt = NULL;
> -+
> -+    if (default_rt_repl_rest) {
> -+       /* We have already reclaced the original defaultroute, if we
> -+         * are called again, we will delete the current default route
> -+         * and set the new default route in this function.
> -+         * - this is normally only the case the doing demand: */
> -+       if (defaultroute_exists( &tmp_rt ))
> -+               del_rt = &tmp_rt;
> -+    } else if ( defaultroute_exists( &old_def_rt                ) &&
> -+                            strcmp(  old_def_rt.rt_dev, ifname ) != 0) {
> -+       /* We did not yet replace an existing default route, let's
> -+        * check if we should save and replace a default route:
> -+         */
> -+       u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway);
> -+
> -+       if (old_gateway != gateway) {
> -+           if (!replace) {
> -+               error("not replacing default route to %s [%I]",
> -+                       old_def_rt.rt_dev, old_gateway);
> -+               return 0;
> -+           } else {
> -+               // we need to copy rt_dev because we need it permanent too:
> -+               char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1);
> -+               strcpy(tmp_dev, old_def_rt.rt_dev);
> -+               old_def_rt.rt_dev = tmp_dev;
> -+
> -+               notice("replacing old default route to %s [%I]",
> -+                       old_def_rt.rt_dev, old_gateway);
> -+               default_rt_repl_rest = 1;
> -+               del_rt = &old_def_rt;
> -+           }
> -+       }
> -     }
> --
> -     memset (&rt, 0, sizeof (rt));
> -     SET_SA_FAMILY (rt.rt_dst, AF_INET);
> - 
> -@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
> - 	    error("default route ioctl(SIOCADDRT): %m");
> - 	return 0;
> -     }
> -+    if (default_rt_repl_rest && del_rt)
> -+        if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) {
> -+	    if ( ! ok_error ( errno ))
> -+	        error("del old default route ioctl(SIOCDELRT): %m(%d)", errno);
> -+	    return 0;
> -+        }
> - 
> -     have_default_route = 1;
> -     return 1;
> -@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
> - 	    return 0;
> - 	}
> -     }
> -+    if (default_rt_repl_rest) {
> -+	notice("restoring old default route to %s [%I]",
> -+			old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway));
> -+        if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) {
> -+	    if ( ! ok_error ( errno ))
> -+	        error("restore default route ioctl(SIOCADDRT): %m(%d)", errno);
> -+	    return 0;
> -+        }
> -+        default_rt_repl_rest = 0;
> -+    }
> - 
> -     return 1;
> - }
> diff --git a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
> deleted file mode 100644
> index 3cd1b78e7012..000000000000
> --- a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
> +++ /dev/null
> @@ -1,42 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] add support for the Framed-MTU Radius attribute
> -
> -http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532
> -
> -From: klepikov_a@up.ua
> -To: ppp-bugs@ppp.samba.org
> -Subject: Radius plugin does not set MTU on ppp interface
> -Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT)
> -
> -Full_Name: Alexander Klepikov
> -Version: 2.4.3
> -OS: rhl 7.3 (2.4.20-28.7bigmem)
> -Submission from: (NULL) (213.130.21.73)
> -
> -
> -This patch allows radius plugin to deal with Framed-MTU Radius attribute and to
> -set MTU on interface.
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/radius/radius.c | 3 +++
> - 1 file changed, 3 insertions(+)
> -
> -diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
> -index 4ba5f523ea07..06e00590b635 100644
> ---- a/pppd/plugins/radius/radius.c
> -+++ b/pppd/plugins/radius/radius.c
> -@@ -651,6 +651,9 @@ radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info,
> - 		    memcpy(rstate.class, vp->strvalue, rstate.class_len);
> - 		} /* else too big for our buffer - ignore it */
> - 		break;
> -+	    case PW_FRAMED_MTU:
> -+		netif_set_mtu(rstate.client_port,MIN(netif_get_mtu(rstate.client_port),vp->lvalue));
> -+		break;
> - 	    }
> - 
> - 
> diff --git a/patches/ppp-2.4.7/0030-018_ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch
> deleted file mode 100644
> index 06cb2e5bb3a6..000000000000
> --- a/patches/ppp-2.4.7/0030-018_ip-up_option.patch
> +++ /dev/null
> @@ -1,106 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] 018_ip up_option
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ipcp.c    | 8 ++++----
> - pppd/main.c    | 3 +++
> - pppd/options.c | 9 +++++++++
> - pppd/pppd.h    | 2 ++
> - 4 files changed, 18 insertions(+), 4 deletions(-)
> -
> -diff --git a/pppd/ipcp.c b/pppd/ipcp.c
> -index dceca807542a..d6e0e2a699fe 100644
> ---- a/pppd/ipcp.c
> -+++ b/pppd/ipcp.c
> -@@ -1984,7 +1984,7 @@ ipcp_up(f)
> -      */
> -     if (ipcp_script_state == s_down && ipcp_script_pid == 0) {
> - 	ipcp_script_state = s_up;
> --	ipcp_script(_PATH_IPUP, 0);
> -+	ipcp_script(path_ipup, 0);
> -     }
> - }
> - 
> -@@ -2034,7 +2034,7 @@ ipcp_down(f)
> -     /* Execute the ip-down script */
> -     if (ipcp_script_state == s_up && ipcp_script_pid == 0) {
> - 	ipcp_script_state = s_down;
> --	ipcp_script(_PATH_IPDOWN, 0);
> -+	ipcp_script(path_ipdown, 0);
> -     }
> - }
> - 
> -@@ -2097,13 +2097,13 @@ ipcp_script_done(arg)
> -     case s_up:
> - 	if (ipcp_fsm[0].state != OPENED) {
> - 	    ipcp_script_state = s_down;
> --	    ipcp_script(_PATH_IPDOWN, 0);
> -+	    ipcp_script(path_ipdown, 0);
> - 	}
> - 	break;
> -     case s_down:
> - 	if (ipcp_fsm[0].state == OPENED) {
> - 	    ipcp_script_state = s_up;
> --	    ipcp_script(_PATH_IPUP, 0);
> -+	    ipcp_script(path_ipup, 0);
> - 	}
> - 	break;
> -     }
> -diff --git a/pppd/main.c b/pppd/main.c
> -index ed544315c1df..9164a1eb0f95 100644
> ---- a/pppd/main.c
> -+++ b/pppd/main.c
> -@@ -308,6 +308,9 @@ main(argc, argv)
> -     struct protent *protp;
> -     char numbuf[16];
> - 
> -+    strlcpy(path_ipup, _PATH_IPUP, sizeof(path_ipup));
> -+    strlcpy(path_ipdown, _PATH_IPDOWN, sizeof(path_ipdown));
> -+
> -     link_stats_valid = 0;
> -     new_phase(PHASE_INITIALIZE);
> - 
> -diff --git a/pppd/options.c b/pppd/options.c
> -index 91da515ac533..a8f3aa4590a3 100644
> ---- a/pppd/options.c
> -+++ b/pppd/options.c
> -@@ -114,6 +114,8 @@ char	linkname[MAXPATHLEN];	/* logical name for link */
> - bool	tune_kernel;		/* may alter kernel settings */
> - int	connect_delay = 1000;	/* wait this many ms after connect script */
> - int	req_unit = -1;		/* requested interface unit */
> -+char	path_ipup[MAXPATHLEN];	/* pathname of ip-up script */
> -+char	path_ipdown[MAXPATHLEN];/* pathname of ip-down script */
> - char	req_ifname[MAXIFNAMELEN];	/* requested interface name */
> - bool	multilink = 0;		/* Enable multilink operation */
> - char	*bundle_name = NULL;	/* bundle name for multilink */
> -@@ -304,6 +306,13 @@ option_t general_options[] = {
> -       "Unset user environment variable",
> -       OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint },
> - 
> -+    { "ip-up-script", o_string, path_ipup,
> -+      "Set pathname of ip-up script",
> -+      OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
> -+    { "ip-down-script", o_string, path_ipdown,
> -+      "Set pathname of ip-down script",
> -+      OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
> -+
> - #ifdef HAVE_MULTILINK
> -     { "multilink", o_bool, &multilink,
> -       "Enable multilink operation", OPT_PRIO | 1 },
> -diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index e65106d4c126..b11670586244 100644
> ---- a/pppd/pppd.h
> -+++ b/pppd/pppd.h
> -@@ -328,6 +328,8 @@ extern bool	tune_kernel;	/* May alter kernel settings as necessary */
> - extern int	connect_delay;	/* Time to delay after connect script */
> - extern int	max_data_rate;	/* max bytes/sec through charshunt */
> - extern int	req_unit;	/* interface unit number to use */
> -+extern char	path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
> -+extern char	path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */
> - extern char	req_ifname[MAXIFNAMELEN]; /* interface name to use */
> - extern bool	multilink;	/* enable multilink operation */
> - extern bool	noendpoint;	/* don't send or accept endpt. discrim. */
> diff --git a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
> deleted file mode 100644
> index 32629026cad5..000000000000
> --- a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
> +++ /dev/null
> @@ -1,47 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] ppp-2.4.2-stripMSdomain
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/chap-new.c | 11 +++++++++++
> - 1 file changed, 11 insertions(+)
> -
> -diff --git a/pppd/chap-new.c b/pppd/chap-new.c
> -index 2714bff64785..7fd7087a5e2c 100644
> ---- a/pppd/chap-new.c
> -+++ b/pppd/chap-new.c
> -@@ -58,6 +58,7 @@ int (*chap_verify_hook)(char *name, char *ourname, int id,
> - int chap_timeout_time = 3;
> - int chap_max_transmits = 10;
> - int chap_rechallenge_time = 0;
> -+int chapms_strip_domain = 0;
> - 
> - /*
> -  * Command-line options.
> -@@ -69,6 +70,8 @@ static option_t chap_option_list[] = {
> - 	  "Set max #xmits for challenge", OPT_PRIO },
> - 	{ "chap-interval", o_int, &chap_rechallenge_time,
> - 	  "Set interval for rechallenge", OPT_PRIO },
> -+	{ "chapms-strip-domain", o_bool, &chapms_strip_domain,
> -+	  "Strip the domain prefix before the Username", 1 },
> - 	{ NULL }
> - };
> - 
> -@@ -336,6 +339,14 @@ chap_handle_response(struct chap_server_state *ss, int id,
> - 			/* Null terminate and clean remote name. */
> - 			slprintf(rname, sizeof(rname), "%.*v", len, name);
> - 			name = rname;
> -+
> -+			/* strip the MS domain name */
> -+			if (chapms_strip_domain && strrchr(rname, '\\')) {
> -+				char tmp[MAXNAMELEN+1];
> -+
> -+				strcpy(tmp, strrchr(rname, '\\') + 1);
> -+				strcpy(rname, tmp);
> -+			}
> - 		}
> - 
> - 		if (chap_verify_hook)
> diff --git a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
> deleted file mode 100644
> index 6a2e17088336..000000000000
> --- a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
> +++ /dev/null
> @@ -1,38 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> -Subject: [PATCH] export $CALL_FILE to the link scripts
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/options.c | 1 +
> - pppd/pppd.8    | 3 +++
> - 2 files changed, 4 insertions(+)
> -
> -diff --git a/pppd/options.c b/pppd/options.c
> -index a8f3aa4590a3..340797386dd6 100644
> ---- a/pppd/options.c
> -+++ b/pppd/options.c
> -@@ -1482,6 +1482,7 @@ callfile(argv)
> -     if ((fname = (char *) malloc(l)) == NULL)
> - 	novm("call file name");
> -     slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg);
> -+    script_setenv("CALL_FILE", arg, 0);
> - 
> -     ok = options_from_file(fname, 1, 1, 1);
> - 
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index 481aa8be672b..848ca8a16b77 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -1662,6 +1662,9 @@ the connection.
> - .B LINKNAME
> - The logical name of the link, set with the \fIlinkname\fR option.
> - .TP
> -+.B CALL_FILE
> -+The value of the \fIcall\fR option.
> -+.TP
> - .B DNS1
> - If the peer supplies DNS server addresses, this variable is set to the
> - first DNS server address supplied (whether or not the usepeerdns
> diff --git a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
> deleted file mode 100644
> index 01376cf140e2..000000000000
> --- a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
> +++ /dev/null
> @@ -1,73 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> -Subject: [PATCH] ipv6-accept-remote
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/ipv6cp.c | 5 ++++-
> - pppd/ipv6cp.h | 3 ++-
> - pppd/pppd.8   | 5 +++++
> - 3 files changed, 11 insertions(+), 2 deletions(-)
> -
> -diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
> -index c1602f41c206..432170462196 100644
> ---- a/pppd/ipv6cp.c
> -+++ b/pppd/ipv6cp.c
> -@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = {
> - 
> -     { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local,
> -       "Accept peer's interface identifier for us", 1 },
> -+    { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote,
> -+      "Accept peer's interface identifier for itself", 1 },
> - 
> -     { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip,
> -       "Use (default) IPv4 address as interface identifier", 1 },
> -@@ -435,6 +437,7 @@ ipv6cp_init(unit)
> -     memset(ao, 0, sizeof(*ao));
> - 
> -     wo->accept_local = 1;
> -+    wo->accept_remote = 1;
> -     wo->neg_ifaceid = 1;
> -     ao->neg_ifaceid = 1;
> - 
> -@@ -960,7 +963,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree)
> - 		orc = CONFREJ;		/* Reject CI */
> - 		break;
> - 	    }
> --	    if (!eui64_iszero(wo->hisid) && 
> -+	    if (!eui64_iszero(wo->hisid) && !wo->accept_remote &&
> - 		!eui64_equals(ifaceid, wo->hisid) && 
> - 		eui64_iszero(go->hisid)) {
> - 		    
> -diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h
> -index 2f4c06ddc189..1617707ebbde 100644
> ---- a/pppd/ipv6cp.h
> -+++ b/pppd/ipv6cp.h
> -@@ -150,7 +150,8 @@
> - typedef struct ipv6cp_options {
> -     int neg_ifaceid;		/* Negotiate interface identifier? */
> -     int req_ifaceid;		/* Ask peer to send interface identifier? */
> --    int accept_local;		/* accept peer's value for iface id? */
> -+    int accept_local;		/* accept peer's value for our iface id? */
> -+    int accept_remote;		/* accept peer's value for his iface id? */
> -     int opt_local;		/* ourtoken set by option */
> -     int opt_remote;		/* histoken set by option */
> -     int use_ip;			/* use IP as interface identifier */
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index 848ca8a16b77..65bbe721f761 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6
> - interface identifier, even if the local IPv6 interface identifier
> - was specified in an option.
> - .TP
> -+.B ipv6cp\-accept\-remote
> -+With this option, pppd will accept the peer's idea of its (remote)
> -+IPv6 interface identifier, even if the remote IPv6 interface
> -+identifier was specified in an option.
> -+.TP
> - .B ipv6cp\-max\-configure \fIn
> - Set the maximum number of IPv6CP configure-request transmissions to
> - \fIn\fR (default 10).
> diff --git a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
> deleted file mode 100644
> index 2a8a029df62b..000000000000
> --- a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
> +++ /dev/null
> @@ -1,43 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> -Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id()
> -
> -This fixes the following compile-time warning when building with
> --D_FORTIFY_SOURCE=2:
> -
> -In file included from /usr/include/string.h:638:0,
> -                 from ./includes.h:26,
> -                 from clientid.c:12:
> -In function 'strncat',
> -    inlined from 'rc_map2id' at clientid.c:113:9:
> -/usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to
> -__builtin___strncat_chk might overflow destination buffer [enabled by default]
> -   return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
> -   ^
> -
> -Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a
> -Forwarded: no
> -Reviewed-by: Chris Boot <bootc@debian.org>
> -Last-Update: 2014-01-12
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/radius/clientid.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/plugins/radius/clientid.c b/pppd/plugins/radius/clientid.c
> -index d49579c43cc3..7de021139b56 100644
> ---- a/pppd/plugins/radius/clientid.c
> -+++ b/pppd/plugins/radius/clientid.c
> -@@ -110,7 +110,7 @@ UINT4 rc_map2id(char *name)
> - 	if (*name != '/')
> - 		strcpy(ttyname, "/dev/");
> - 
> --	strncat(ttyname, name, sizeof(ttyname));
> -+	strncat(ttyname, name, sizeof(ttyname)-strlen(ttyname)-1);
> - 
> - 	for(p = map2id_list; p; p = p->next)
> - 		if (!strcmp(ttyname, p->name)) return p->id;
> diff --git a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
> deleted file mode 100644
> index e21f129ad9a9..000000000000
> --- a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
> +++ /dev/null
> @@ -1,36 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> -Subject: [PATCH] Fix buffer overflow in rc_mksid()
> -
> - rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
> - .
> - If the process id is bigger than 65535 (FFFF), its hex representation will be
> - longer than 4 characters, resulting in a buffer overflow.
> - .
> - The bug can be exploited to cause a remote DoS.
> - .
> -Author: Emanuele Rocca <ema@debian.org>
> -Bug-Debian: https://bugs.debian.org/782450
> -Last-Update: <2015-04-14>
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/plugins/radius/util.c | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
> -index 6f976a712951..166bd5f31d7a 100644
> ---- a/pppd/plugins/radius/util.c
> -+++ b/pppd/plugins/radius/util.c
> -@@ -77,7 +77,7 @@ rc_mksid (void)
> -   static unsigned short int cnt = 0;
> -   sprintf (buf, "%08lX%04X%02hX",
> - 	   (unsigned long int) time (NULL),
> --	   (unsigned int) getpid (),
> -+	   (unsigned int) getpid () % 65535,
> - 	   cnt & 0xFF);
> -   cnt++;
> -   return buf;
> diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
> deleted file mode 100644
> index bd462d4f83f9..000000000000
> --- a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
> +++ /dev/null
> @@ -1,3383 +0,0 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> -Subject: [PATCH] EAP-TLS authentication support for PPP
> -
> -Origin: https://www.nikhef.nl/~janjust/ppp/download.html
> -Bug-Debian: https://bugs.debian.org/602503
> -Bug-Ubuntu: https://launchpad.net/bugs/643417
> -Forwarded: not-needed
> -Author: Jan Just Keijser <janjust@nikhef.nl>
> -Last-Update: 2018-11-04
> -
> -This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following
> -changes:
> -
> - - Patch refreshed to remove fuzz.
> - - Trailing spaces removed.
> -
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - README.eap-tls              |  291 +++++++++
> - etc.ppp/eaptls-client       |   10 +
> - etc.ppp/eaptls-server       |   11 +
> - etc.ppp/openssl.cnf         |   14 +
> - linux/Makefile.top          |    6 +-
> - pppd/Makefile.linux         |   12 +
> - pppd/auth.c                 |  413 ++++++++++++-
> - pppd/ccp.c                  |   20 +-
> - pppd/chap-md5.c             |    4 +
> - pppd/eap-tls.c              | 1383 +++++++++++++++++++++++++++++++++++++++++++
> - pppd/eap-tls.h              |  107 ++++
> - pppd/eap.c                  |  463 ++++++++++++++-
> - pppd/eap.h                  |   32 +-
> - pppd/md5.c                  |    4 +
> - pppd/md5.h                  |    3 +
> - pppd/pathnames.h            |    7 +
> - pppd/plugins/Makefile.linux |    3 +
> - pppd/plugins/passprompt.c   |    3 +
> - pppd/plugins/passwordfd.c   |    4 +
> - pppd/pppd.8                 |   33 ++
> - pppd/pppd.h                 |    9 +
> - 21 files changed, 2825 insertions(+), 7 deletions(-)
> - create mode 100644 README.eap-tls
> - create mode 100644 etc.ppp/eaptls-client
> - create mode 100644 etc.ppp/eaptls-server
> - create mode 100644 etc.ppp/openssl.cnf
> - create mode 100644 pppd/eap-tls.c
> - create mode 100644 pppd/eap-tls.h
> -
> -diff --git a/README.eap-tls b/README.eap-tls
> -new file mode 100644
> -index 000000000000..107e84db5e81
> ---- /dev/null
> -+++ b/README.eap-tls
> -@@ -0,0 +1,291 @@
> -+EAP-TLS authentication support for PPP
> -+======================================
> -+
> -+1. Intro
> -+
> -+    The Extensible Authentication Protocol (EAP; RFC 3748) is a
> -+    security protocol that can be used with PPP.  It provides a means
> -+    to plug in multiple optional authentication methods.
> -+
> -+    Transport Level Security (TLS; RFC 5216) provides for mutual
> -+    authentication, integrity-protected ciphersuite negotiation and
> -+    key exchange between two endpoints.  It also provides for optional
> -+    MPPE encryption.
> -+
> -+    EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
> -+    allowing TLS mutual authentication to be used as a generic EAP
> -+    mechanism. It also provides optional encryption using the MPPE
> -+    protocol.
> -+
> -+    This patch provide EAP-TLS support to pppd.
> -+    This authentication method can be used in both client or server
> -+    mode.
> -+
> -+2. Building
> -+
> -+    To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
> -+    is required. Any version from 0.9.7 should work.
> -+
> -+    Configure, compile, and install as usual.
> -+
> -+3. Configuration
> -+
> -+    On the client side there are two ways to configure EAP-TLS:
> -+
> -+    1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
> -+
> -+    2. edit the /etc/ppp/eaptls-client file.
> -+    Insert a line for each system with which you use EAP-TLS.
> -+    The line is composed of this fields separated by tab:
> -+
> -+      - Client name
> -+        The name used by the client for authentication, can be *
> -+      - Server name
> -+        The name of the server, can be *
> -+      - Client certificate file
> -+        The file containing the certificate chain for the
> -+        client in PEM format
> -+      - Server certificate file
> -+        If you want to specify the certificate that the
> -+        server is allowed to use, put the certificate file name.
> -+        Else put a dash '-'.
> -+      - CA certificate file
> -+        The file containing the trusted CA certificates in PEM
> -+        format.
> -+      - Client private key file
> -+        The file containing the client private key in PEM format.
> -+
> -+
> -+    On the server side edit the /etc/ppp/eaptls-server file.
> -+    Insert a line for each system with which you use EAP-TLS.
> -+    The line is composed of this fields separated by tab:
> -+
> -+      - Client name
> -+        The name used by the client for authentication, can be *
> -+      - Server name
> -+        The name of the server, can be *
> -+      - Client certificate file
> -+        If you want to specify the certificate that the
> -+        client is allowed to use, put the certificate file name.
> -+        Else put a dash '-'.
> -+      - Server certificate file
> -+        The file containing the certificate chain for the
> -+        server in PEM format
> -+      - CA certificate file
> -+        The file containing the trusted CA certificates in PEM format.
> -+      - Client private key file
> -+        The file containing the server private key in PEM format.
> -+      - addresses
> -+        A list of IP addresses the client is allowed to use.
> -+
> -+
> -+    OpenSSL engine support is included starting with v0.95 of this patch.
> -+    Currently the only engine tested is the 'pkcs11' engine (hardware token
> -+    support). To use the 'pksc11' engine:
> -+      - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
> -+          <engine>:<identifier>
> -+        e.g.
> -+          pkcs11:123456
> -+
> -+      - The certificate can also be loaded from the 'pkcs11' engine using
> -+        a special client certificate filename in the /etc/ppp/eaptls-client file:
> -+          <engine>:<identifier>
> -+        e.g.
> -+          pkcs11:123456
> -+
> -+      - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
> -+        to starting 'pppd'. A sample openssl.cnf file is
> -+
> -+        openssl_conf = openssl_def
> -+
> -+        [ openssl_def ]
> -+        engines = engine_section
> -+
> -+        [ engine_section ]
> -+        pkcs11 = pkcs11_section
> -+
> -+        [ pkcs11_section ]
> -+        engine_id = pkcs11
> -+        dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
> -+        MODULE_PATH = /usr/lib64/libeTPkcs11.so
> -+        init = 0
> -+
> -+      - There are two ways to specify a password/PIN for the PKCS11 engine:
> -+          - inside the openssl.cnf file using
> -+              PIN = your-secret-pin
> -+            Note The keyword 'PIN' is case sensitive!
> -+          - Using the 'password' in the ppp options file.
> -+        From v0.97 of the eap-tls patch the password can also be supplied
> -+        using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
> -+        for an example).
> -+
> -+
> -+4. Options
> -+
> -+    These pppd options are available:
> -+
> -+      ca <ca-file>
> -+        Use the CA public certificate found in <ca-file> in PEM format
> -+      cert <cert-file>
> -+        Use the client public certificate found in <cert-file> in PEM format
> -+        or in engine:engine_id format
> -+      key <key-file>
> -+        Use the client private key found in <key-file> in PEM format
> -+        or in engine:engine_id format
> -+      crl <crl-file>
> -+        Use the Certificate Revocation List (CRL) file <crl-file> in PEM format.
> -+      crl-dir <dir>
> -+        Use CRL files from directory <dir>. It contains CRL files in PEM
> -+        format and each file contains a CRL. The files are looked up
> -+        by the issuer name hash value. Use the c_rehash utility
> -+        to create necessary links.
> -+      need-peer-eap
> -+        If the peer doesn't ask us to authenticate or doesn't use eap
> -+        to authenticate us, disconnect.
> -+
> -+    Note:
> -+      password-encrypted certificates can be used as of v0.94 of this
> -+      patch. The password for the eap-tls.key file is specified using
> -+      the regular
> -+          password ....
> -+      statement in the ppp options file, or by using the appropriate
> -+      plugin which supplies a 'eaptls_passwd_hook' routine.
> -+
> -+5. Connecting
> -+
> -+    If you're setting up a pppd server, edit the EAP-TLS configuration file
> -+    as written above and then run pppd with the 'auth' option to authenticate
> -+    the client. The EAP-TLS method will be used if the other eap methods can't
> -+    be used (no secrets).
> -+
> -+    If you're setting up a client, edit the configuration file and then run
> -+    pppd with 'remotename' option to specify the server name. Add the
> -+    'need-peer-eap' option if you want to be sure the peer ask you to
> -+    authenticate (and to use eap) and to disconnect if it doesn't.
> -+
> -+6. Example
> -+
> -+    The following example can be used to connect a Linux client with the 'pptp'
> -+    package to a Linux server running the 'pptpd' (PoPToP) package. The server
> -+    was configured with a certificate with name (CN) 'pptp-server', the client
> -+    was configured with a certificate with name (CN) 'pptp-client', both
> -+    signed by the same Certificate Authority (CA).
> -+
> -+    Server side:
> -+      - /etc/pptpd.conf file:
> -+          option /etc/ppp/options-pptpd-eaptls
> -+          localip 172.16.1.1
> -+          remoteip 172.16.1.10-20
> -+      - /etc/ppp/options-pptpd-eaptls file:
> -+          name pptp-server
> -+          lock
> -+          mtu 1500
> -+          mru 1450
> -+          auth
> -+          lcp-echo-failure 3
> -+          lcp-echo-interval 5
> -+          nodeflate
> -+          nobsdcomp
> -+          nopredictor1
> -+          nopcomp
> -+          noaccomp
> -+
> -+          require-eap
> -+          require-mppe-128
> -+
> -+          crl /home/janjust/ppp/keys/crl.pem
> -+
> -+          debug
> -+          logfile /tmp/pppd.log
> -+
> -+      - /etc/ppp/eaptls-server file:
> -+           * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key *
> -+
> -+      - On the server, run
> -+          pptdp --conf /etc/pptpd.conf
> -+
> -+    Client side:
> -+      - Run
> -+          pppd noauth require-eap require-mppe-128 \
> -+            ipcp-accept-local ipcp-accept-remote noipdefault \
> -+            cert  /etc/ppp/keys/pptp-client.crt \
> -+            key   /etc/ppp/keys/pptp-client.key \
> -+            ca    /etc/ppp/keys/ca.crt \
> -+            name pptp-client remotename pptp-server \
> -+            debug logfile /tmp/pppd.log
> -+            pty "pptp pptp-server.example.com --nolaunchpppd"
> -+
> -+    Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info.
> -+
> -+7. Notes
> -+
> -+    This is experimental code.
> -+    Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>
> -+
> -+8. Changelog of ppp-<>-eaptls-mppe-* patches
> -+
> -+v0.7     (22-Nov-2005)
> -+ - First version of the patch to include MPPE support
> -+ - ppp-2.4.3 only
> -+v0.9     (25-Jul-2006)
> -+ - Bug fixes
> -+ - First version for ppp-2.4.4
> -+v0.91    (03-Sep-2006)
> -+ - Added missing #include for md5.h
> -+ - Last version for ppp-2.4.3
> -+v0.92    (22-Apr-2008)
> -+ - Fix for openssl 0.9.8 issue with md5 function overload.
> -+v0.93    (14-Aug-2008)
> -+ - Make sure 'noauth' option can be used to bypass server certificate verification.
> -+v0.94    (15-Oct-2008)
> -+ - Added support for password-protected private keys by (ab)using the 'password' field.
> -+v0.95    (23-Dec-2009)
> -+ - First version with OpenSSL engine support.
> -+v0.96    (27-Jan-2010)
> -+ - Added fully functional support for OpenSSL engines (PKCS#11)
> -+ - First version for ppp-2.4.5
> -+v0.97    (20-Apr-2010)
> -+ - Some bug fixes for v0.96
> -+ - Added support for entering the password via a plugin. The sample plugin
> -+     .../pppd/plugins/passprompt.c has been extended with EAP-TLS support.
> -+   The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work.
> -+ - Added support for specifying the client CA, certificate and private key on the command-line
> -+   or via the ppp config file.
> -+v0.98    (20-Apr-2010)
> -+ - Fix initialisation bug when using ca/cert/key command-line options.
> -+ - Last version for ppp-2.4.4
> -+v0.99    (05-Oct-2010)
> -+ - Fix coredump when using multilink option.
> -+v0.991   (08-Aug-2011)
> -+ - Fix compilation issue with openssl 1.0.
> -+v0.992   (01-Dec-2011)
> -+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin.
> -+v0.993   (24-Apr-2012)
> -+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile.
> -+v0.994   (11-Jun-2012)
> -+ - Fix compilation issue on Ubuntu 11.10.
> -+v0.995   (27-May-2014)
> -+ - Add support for a CRL file using the command-line option 'crl'
> -+   (prior only 'crl-dir' was supported).
> -+ - Fix segfault when pkcs11 enginename was not specified correctly.
> -+ - Fix segfault when client was misconfigured.
> -+ - Disable SSL Session Ticket support as Windows 8 does not support this.
> -+v0.996   (28-May-2014)
> -+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4'
> -+ - Add EAP-TLS-specific options to pppd.8 manual page.
> -+ - Updated README.eap-tls file with new options and provide an example.
> -+v0.997   (19-Jun-2014)
> -+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
> -+ - Fix bug in initialisation code with fragmented packets.
> -+v0.998   (13-Mar-2015)
> -+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620
> -+v0.999   (11-May-2017)
> -+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x.
> -+v1.101 (1-Jun-2018)
> -+ - Fix vulnerabilities CVE-2018-11574.
> -+v1.102 (2-Nov-2018)
> -+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2.
> -+   This works both when compiling against OpenSSL 1.0.1+ and 1.1+.
> -+ - Print warning when certificate is either not yet valid or has expired.
> -+ - Perform better peer certificate checks.
> -+ - Allow certificate chain files to be used.
> -diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
> -new file mode 100644
> -index 000000000000..7782f0e2a065
> ---- /dev/null
> -+++ b/etc.ppp/eaptls-client
> -@@ -0,0 +1,10 @@
> -+# Parameters for authentication using EAP-TLS (client)
> -+
> -+# client name (can be *)
> -+# server name (can be *)
> -+# client certificate file (required)
> -+# server certificate file (optional, if unused put '-')
> -+# CA certificate file (required)
> -+# client private key file (required)
> -+
> -+#client	server	/root/cert/client.crt	-	/root/cert/ca.crt	/root/cert/client.key
> -diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
> -new file mode 100644
> -index 000000000000..fa53cbd197cf
> ---- /dev/null
> -+++ b/etc.ppp/eaptls-server
> -@@ -0,0 +1,11 @@
> -+# Parameters for authentication using EAP-TLS (server)
> -+
> -+# client name (can be *)
> -+# server name (can be *)
> -+# client certificate file (optional, if unused put '-')
> -+# server certificate file (required)
> -+# CA certificate file (required)
> -+# server private key file (required)
> -+# allowed addresses (required, can be *)
> -+
> -+#client	server	-	/root/cert/server.crt	/root/cert/ca.crt	/root/cert/server.key	192.168.1.0/24
> -diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
> -new file mode 100644
> -index 000000000000..dd32f305d680
> ---- /dev/null
> -+++ b/etc.ppp/openssl.cnf
> -@@ -0,0 +1,14 @@
> -+openssl_conf = openssl_def
> -+
> -+[ openssl_def ]
> -+engines = engine_section
> -+
> -+[ engine_section ]
> -+pkcs11 = pkcs11_section
> -+
> -+[ pkcs11_section ]
> -+engine_id = pkcs11
> -+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
> -+MODULE_PATH = /usr/lib64/libeTPkcs11.so
> -+init = 0
> -+
> -diff --git a/linux/Makefile.top b/linux/Makefile.top
> -index f63d45e58a78..894f8f32c9e4 100644
> ---- a/linux/Makefile.top
> -+++ b/linux/Makefile.top
> -@@ -26,7 +26,7 @@ install-progs:
> - 	cd pppdump; $(MAKE) $(MFLAGS) install
> - 
> - install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
> --	$(ETCDIR)/chap-secrets
> -+	$(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client
> - 
> - install-devel:
> - 	cd pppd; $(MAKE) $(MFLAGS) install-devel
> -@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets:
> - 	$(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
> - $(ETCDIR)/chap-secrets:
> - 	$(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
> -+$(ETCDIR)/eaptls-server:
> -+	$(INSTALL) -c -m 600 etc.ppp/eaptls-server $@
> -+$(ETCDIR)/eaptls-client:
> -+	$(INSTALL) -c -m 600 etc.ppp/eaptls-client $@
> - 
> - $(BINDIR):
> - 	$(INSTALL) -d -m 755 $@
> -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index 5549145e5791..4a11d5fea748 100644
> ---- a/pppd/Makefile.linux
> -+++ b/pppd/Makefile.linux
> -@@ -76,6 +76,9 @@ CBCP=y
> - # Use libutil
> - USE_LIBUTIL=y
> - 
> -+# Enable EAP-TLS authentication (requires libssl and libcrypto)
> -+USE_EAPTLS=y
> -+
> - MAXOCTETS=y
> - 
> - INCLUDE_DIRS= -I../include
> -@@ -116,6 +119,15 @@ HEADERS += sha1.h
> - PPPDOBJS += sha1.o
> - endif
> - 
> -+# EAP-TLS
> -+ifdef USE_EAPTLS
> -+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
> -+LIBS += -lssl -lcrypto
> -+PPPDSRC += eap-tls.c
> -+HEADERS += eap-tls.h
> -+PPPDOBJS += eap-tls.o
> -+endif
> -+
> - ifdef HAS_SHADOW
> - CFLAGS   += -DHAS_SHADOW
> - #LIBS     += -lshadow $(LIBS)
> -diff --git a/pppd/auth.c b/pppd/auth.c
> -index 4271af687102..45065c58bfcc 100644
> ---- a/pppd/auth.c
> -+++ b/pppd/auth.c
> -@@ -109,6 +109,9 @@
> - #include "upap.h"
> - #include "chap-new.h"
> - #include "eap.h"
> -+#ifdef USE_EAPTLS
> -+#include "eap-tls.h"
> -+#endif
> - #ifdef CBCP_SUPPORT
> - #include "cbcp.h"
> - #endif
> -@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
> - /* Hook for a plugin to get the CHAP password for authenticating us */
> - int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
> - 
> -+#ifdef USE_EAPTLS
> -+/* Hook for a plugin to get the EAP-TLS password for authenticating us */
> -+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL;
> -+#endif
> -+
> - /* Hook for a plugin to say whether it is OK if the peer
> -    refuses to authenticate. */
> - int (*null_auth_hook) __P((struct wordlist **paddrs,
> -@@ -238,6 +246,14 @@ bool explicit_remote = 0;	/* User specified explicit remote name */
> - bool explicit_user = 0;		/* Set if "user" option supplied */
> - bool explicit_passwd = 0;	/* Set if "password" option supplied */
> - char remote_name[MAXNAMELEN];	/* Peer's name for authentication */
> -+#ifdef USE_EAPTLS
> -+char *cacert_file  = NULL;	/* CA certificate file (pem format) */
> -+char *cert_file    = NULL;	/* client certificate file (pem format) */
> -+char *privkey_file = NULL;	/* client private key file (pem format) */
> -+char *crl_dir      = NULL;	/* directory containing CRL files */
> -+char *crl_file     = NULL;	/* Certificate Revocation List (CRL) file (pem format) */
> -+bool need_peer_eap = 0;			/* Require peer to authenticate us */
> -+#endif
> - 
> - static char *uafname;		/* name of most recent +ua file */
> - 
> -@@ -254,6 +270,19 @@ static int  have_pap_secret __P((int *));
> - static int  have_chap_secret __P((char *, char *, int, int *));
> - static int  have_srp_secret __P((char *client, char *server, int need_ip,
> -     int *lacks_ipp));
> -+
> -+#ifdef USE_EAPTLS
> -+static int  have_eaptls_secret_server
> -+__P((char *client, char *server, int need_ip, int *lacks_ipp));
> -+static int  have_eaptls_secret_client __P((char *client, char *server));
> -+static int  scan_authfile_eaptls __P((FILE * f, char *client, char *server,
> -+			       char *cli_cert, char *serv_cert,
> -+			       char *ca_cert, char *pk,
> -+			       struct wordlist ** addrs,
> -+			       struct wordlist ** opts,
> -+			       char *filename, int flags));
> -+#endif
> -+
> - static int  ip_addr_check __P((u_int32_t, struct permitted_ip *));
> - static int  scan_authfile __P((FILE *, char *, char *, char *,
> - 			       struct wordlist **, struct wordlist **,
> -@@ -401,6 +430,15 @@ option_t auth_options[] = {
> -       "Set telephone number(s) which are allowed to connect",
> -       OPT_PRIV | OPT_A2LIST },
> - 
> -+#ifdef USE_EAPTLS
> -+    { "ca", o_string, &cacert_file,   "EAP-TLS CA certificate in PEM format" },
> -+    { "cert", o_string, &cert_file,   "EAP-TLS client certificate in PEM format" },
> -+    { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
> -+    { "crl-dir", o_string, &crl_dir,  "Use CRLs in directory" },
> -+    { "crl", o_string, &crl_file,     "Use specific CRL file" },
> -+    { "need-peer-eap", o_bool, &need_peer_eap,
> -+      "Require the peer to authenticate us", 1 },
> -+#endif /* USE_EAPTLS */
> -     { NULL }
> - };
> - 
> -@@ -730,6 +768,9 @@ link_established(unit)
> -     lcp_options *wo = &lcp_wantoptions[unit];
> -     lcp_options *go = &lcp_gotoptions[unit];
> -     lcp_options *ho = &lcp_hisoptions[unit];
> -+#ifdef USE_EAPTLS
> -+    lcp_options *ao = &lcp_allowoptions[unit];
> -+#endif
> -     int i;
> -     struct protent *protp;
> - 
> -@@ -764,6 +805,22 @@ link_established(unit)
> - 	}
> -     }
> - 
> -+#ifdef USE_EAPTLS
> -+    if (need_peer_eap && !ao->neg_eap) {
> -+	warn("eap required to authenticate us but no suitable secrets");
> -+	lcp_close(unit, "couldn't negotiate eap");
> -+	status = EXIT_AUTH_TOPEER_FAILED;
> -+	return;
> -+    }
> -+
> -+    if (need_peer_eap && !ho->neg_eap) {
> -+	warn("peer doesn't want to authenticate us with eap");
> -+	lcp_close(unit, "couldn't negotiate eap");
> -+	status = EXIT_PEER_AUTH_FAILED;
> -+	return;
> -+    }
> -+#endif
> -+
> -     new_phase(PHASE_AUTHENTICATE);
> -     auth = 0;
> -     if (go->neg_eap) {
> -@@ -1277,6 +1334,15 @@ auth_check_options()
> - 				    our_name, 1, &lacks_ip);
> -     }
> - 
> -+#ifdef USE_EAPTLS
> -+    if (!can_auth && wo->neg_eap) {
> -+	can_auth =
> -+	    have_eaptls_secret_server((explicit_remote ? remote_name :
> -+				       NULL), our_name, 1, &lacks_ip);
> -+
> -+    }
> -+#endif
> -+
> -     if (auth_required && !can_auth && noauth_addrs == NULL) {
> - 	if (default_auth) {
> - 	    option_error(
> -@@ -1331,7 +1397,11 @@ auth_reset(unit)
> - 	passwd[0] != 0 ||
> - 	(hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
> - 	    (explicit_remote? remote_name: NULL), 0, NULL))) ||
> --	have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL));
> -+	have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
> -+#ifdef USE_EAPTLS
> -+		|| have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
> -+#endif
> -+	);
> - 
> -     hadchap = -1;
> -     if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
> -@@ -1346,8 +1416,14 @@ auth_reset(unit)
> - 	    !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
> - 		1, NULL))) &&
> - 	!have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
> --	    NULL))
> -+	    NULL)
> -+#ifdef USE_EAPTLS
> -+	 && !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
> -+				   our_name, 1, NULL)
> -+#endif
> -+		)
> - 	go->neg_eap = 0;
> -+
> - }
> - 
> - 
> -@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
> - }
> - 
> - 
> -+
> - /*
> -  * get_secret - open the CHAP secret file and return the secret
> -  * for authenticating the given client on the given server.
> -@@ -2359,3 +2436,335 @@ auth_script(script)
> - 
> -     auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
> - }
> -+
> -+
> -+#ifdef USE_EAPTLS
> -+static int
> -+have_eaptls_secret_server(client, server, need_ip, lacks_ipp)
> -+    char *client;
> -+    char *server;
> -+    int need_ip;
> -+    int *lacks_ipp;
> -+{
> -+    FILE *f;
> -+    int ret;
> -+    char *filename;
> -+    struct wordlist *addrs;
> -+    char servcertfile[MAXWORDLEN];
> -+    char clicertfile[MAXWORDLEN];
> -+    char cacertfile[MAXWORDLEN];
> -+    char pkfile[MAXWORDLEN];
> -+
> -+    filename = _PATH_EAPTLSSERVFILE;
> -+    f = fopen(filename, "r");
> -+    if (f == NULL)
> -+		return 0;
> -+
> -+    if (client != NULL && client[0] == 0)
> -+		client = NULL;
> -+    else if (server != NULL && server[0] == 0)
> -+		server = NULL;
> -+
> -+    ret =
> -+	scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
> -+			     cacertfile, pkfile, &addrs, NULL, filename,
> -+			     0);
> -+
> -+    fclose(f);
> -+
> -+/*
> -+    if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile,
> -+				clicertfile, pkfile))
> -+		ret = -1;
> -+*/
> -+
> -+	if (ret >= 0 && need_ip && !some_ip_ok(addrs)) {
> -+		if (lacks_ipp != 0)
> -+			*lacks_ipp = 1;
> -+		ret = -1;
> -+    }
> -+    if (addrs != 0)
> -+		free_wordlist(addrs);
> -+
> -+    return ret >= 0;
> -+}
> -+
> -+
> -+static int
> -+have_eaptls_secret_client(client, server)
> -+    char *client;
> -+    char *server;
> -+{
> -+    FILE *f;
> -+    int ret;
> -+    char *filename;
> -+    struct wordlist *addrs = NULL;
> -+    char servcertfile[MAXWORDLEN];
> -+    char clicertfile[MAXWORDLEN];
> -+    char cacertfile[MAXWORDLEN];
> -+    char pkfile[MAXWORDLEN];
> -+
> -+    if (client != NULL && client[0] == 0)
> -+		client = NULL;
> -+    else if (server != NULL && server[0] == 0)
> -+		server = NULL;
> -+
> -+	if (cacert_file && cert_file && privkey_file)
> -+		return 1;
> -+
> -+    filename = _PATH_EAPTLSCLIFILE;
> -+    f = fopen(filename, "r");
> -+    if (f == NULL)
> -+		return 0;
> -+
> -+    ret =
> -+	scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
> -+			     cacertfile, pkfile, &addrs, NULL, filename,
> -+			     0);
> -+    fclose(f);
> -+
> -+/*
> -+    if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile,
> -+				servcertfile, pkfile))
> -+		ret = -1;
> -+*/
> -+
> -+    if (addrs != 0)
> -+		free_wordlist(addrs);
> -+
> -+    return ret >= 0;
> -+}
> -+
> -+
> -+static int
> -+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk,
> -+		     addrs, opts, filename, flags)
> -+    FILE *f;
> -+    char *client;
> -+    char *server;
> -+    char *cli_cert;
> -+    char *serv_cert;
> -+    char *ca_cert;
> -+    char *pk;
> -+    struct wordlist **addrs;
> -+    struct wordlist **opts;
> -+    char *filename;
> -+    int flags;
> -+{
> -+    int newline;
> -+    int got_flag, best_flag;
> -+    struct wordlist *ap, *addr_list, *alist, **app;
> -+    char word[MAXWORDLEN];
> -+
> -+    if (addrs != NULL)
> -+	*addrs = NULL;
> -+    if (opts != NULL)
> -+	*opts = NULL;
> -+    addr_list = NULL;
> -+    if (!getword(f, word, &newline, filename))
> -+	return -1;		/* file is empty??? */
> -+    newline = 1;
> -+    best_flag = -1;
> -+    for (;;) {
> -+	/*
> -+	 * Skip until we find a word at the start of a line.
> -+	 */
> -+	while (!newline && getword(f, word, &newline, filename));
> -+	if (!newline)
> -+	    break;		/* got to end of file */
> -+
> -+	/*
> -+	 * Got a client - check if it's a match or a wildcard.
> -+	 */
> -+	got_flag = 0;
> -+	if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) {
> -+	    newline = 0;
> -+	    continue;
> -+	}
> -+	if (!ISWILD(word))
> -+	    got_flag = NONWILD_CLIENT;
> -+
> -+	/*
> -+	 * Now get a server and check if it matches.
> -+	 */
> -+	if (!getword(f, word, &newline, filename))
> -+	    break;
> -+	if (newline)
> -+	    continue;
> -+	if (!ISWILD(word)) {
> -+	    if (server != NULL && strcmp(word, server) != 0)
> -+		continue;
> -+	    got_flag |= NONWILD_SERVER;
> -+	}
> -+
> -+	/*
> -+	 * Got some sort of a match - see if it's better than what
> -+	 * we have already.
> -+	 */
> -+	if (got_flag <= best_flag)
> -+	    continue;
> -+
> -+	/*
> -+	 * Get the cli_cert
> -+	 */
> -+	if (!getword(f, word, &newline, filename))
> -+	    break;
> -+	if (newline)
> -+	    continue;
> -+	if (strcmp(word, "-") != 0) {
> -+	    strlcpy(cli_cert, word, MAXWORDLEN);
> -+	} else
> -+	    cli_cert[0] = 0;
> -+
> -+	/*
> -+	 * Get serv_cert
> -+	 */
> -+	if (!getword(f, word, &newline, filename))
> -+	    break;
> -+	if (newline)
> -+	    continue;
> -+	if (strcmp(word, "-") != 0) {
> -+	    strlcpy(serv_cert, word, MAXWORDLEN);
> -+	} else
> -+	    serv_cert[0] = 0;
> -+
> -+	/*
> -+	 * Get ca_cert
> -+	 */
> -+	if (!getword(f, word, &newline, filename))
> -+	    break;
> -+	if (newline)
> -+	    continue;
> -+	strlcpy(ca_cert, word, MAXWORDLEN);
> -+
> -+	/*
> -+	 * Get pk
> -+	 */
> -+	if (!getword(f, word, &newline, filename))
> -+	    break;
> -+	if (newline)
> -+	    continue;
> -+	strlcpy(pk, word, MAXWORDLEN);
> -+
> -+
> -+	/*
> -+	 * Now read address authorization info and make a wordlist.
> -+	 */
> -+	app = &alist;
> -+	for (;;) {
> -+	    if (!getword(f, word, &newline, filename) || newline)
> -+		break;
> -+	    ap = (struct wordlist *)
> -+		malloc(sizeof(struct wordlist) + strlen(word) + 1);
> -+	    if (ap == NULL)
> -+		novm("authorized addresses");
> -+	    ap->word = (char *) (ap + 1);
> -+	    strcpy(ap->word, word);
> -+	    *app = ap;
> -+	    app = &ap->next;
> -+	}
> -+	*app = NULL;
> -+	/*
> -+	 * This is the best so far; remember it.
> -+	 */
> -+	best_flag = got_flag;
> -+	if (addr_list)
> -+	    free_wordlist(addr_list);
> -+	addr_list = alist;
> -+
> -+	if (!newline)
> -+	    break;
> -+    }
> -+
> -+    /* scan for a -- word indicating the start of options */
> -+    for (app = &addr_list; (ap = *app) != NULL; app = &ap->next)
> -+	if (strcmp(ap->word, "--") == 0)
> -+	    break;
> -+    /* ap = start of options */
> -+    if (ap != NULL) {
> -+	ap = ap->next;		/* first option */
> -+	free(*app);		/* free the "--" word */
> -+	*app = NULL;		/* terminate addr list */
> -+    }
> -+    if (opts != NULL)
> -+	*opts = ap;
> -+    else if (ap != NULL)
> -+	free_wordlist(ap);
> -+    if (addrs != NULL)
> -+	*addrs = addr_list;
> -+    else if (addr_list != NULL)
> -+	free_wordlist(addr_list);
> -+
> -+    return best_flag;
> -+}
> -+
> -+
> -+int
> -+get_eaptls_secret(unit, client, server, clicertfile, servcertfile,
> -+		  cacertfile, pkfile, am_server)
> -+    int unit;
> -+    char *client;
> -+    char *server;
> -+    char *clicertfile;
> -+    char *servcertfile;
> -+    char *cacertfile;
> -+    char *pkfile;
> -+    int am_server;
> -+{
> -+    FILE *fp;
> -+    int ret;
> -+    char *filename         = NULL;
> -+    struct wordlist *addrs = NULL;
> -+    struct wordlist *opts  = NULL;
> -+
> -+	/* in client mode the ca+cert+privkey can also be specified as options */
> -+	if (!am_server && cacert_file && cert_file && privkey_file )
> -+	{
> -+		strlcpy( clicertfile, cert_file, MAXWORDLEN );
> -+		strlcpy( cacertfile, cacert_file, MAXWORDLEN );
> -+		strlcpy( pkfile, privkey_file, MAXWORDLEN );
> -+		servcertfile[0] = '\0';
> -+	}
> -+	else
> -+	{
> -+		filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);
> -+		addrs = NULL;
> -+
> -+		fp = fopen(filename, "r");
> -+		if (fp == NULL)
> -+		{
> -+			error("Can't open eap-tls secret file %s: %m", filename);
> -+			return 0;
> -+   	 	}
> -+
> -+		check_access(fp, filename);
> -+
> -+		ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile,
> -+				cacertfile, pkfile, &addrs, &opts, filename, 0);
> -+
> -+		fclose(fp);
> -+
> -+		if (ret < 0) return 0;
> -+	}
> -+
> -+    if (eaptls_passwd_hook)
> -+    {
> -+		dbglog( "Calling eaptls password hook" );
> -+		if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0)
> -+		{
> -+	   		 error("Unable to obtain EAP-TLS password for %s (%s) from plugin",
> -+				client, pkfile);
> -+		    return 0;
> -+		}
> -+	}
> -+    if (am_server)
> -+		set_allowed_addrs(unit, addrs, opts);
> -+    else if (opts != NULL)
> -+		free_wordlist(opts);
> -+    if (addrs != NULL)
> -+		free_wordlist(addrs);
> -+
> -+    return 1;
> -+}
> -+#endif
> -+
> -diff --git a/pppd/ccp.c b/pppd/ccp.c
> -index 7d7922afcfc0..0a93b15aeef3 100644
> ---- a/pppd/ccp.c
> -+++ b/pppd/ccp.c
> -@@ -540,6 +540,9 @@ ccp_resetci(f)
> -     if (go->mppe) {
> - 	ccp_options *ao = &ccp_allowoptions[f->unit];
> - 	int auth_mschap_bits = auth_done[f->unit];
> -+#ifdef USE_EAPTLS
> -+	int auth_eap_bits = auth_done[f->unit];
> -+#endif
> - 	int numbits;
> - 
> - 	/*
> -@@ -567,8 +570,23 @@ ccp_resetci(f)
> - 	    lcp_close(f->unit, "MPPE required but not available");
> - 	    return;
> - 	}
> -+
> -+#ifdef USE_EAPTLS
> -+    /*
> -+     * MPPE is also possible in combination with EAP-TLS.
> -+     * It is not possible to detect if we're doing EAP or EAP-TLS
> -+     * at this stage, hence we accept all forms of EAP. If TLS is
> -+     * not used then the MPPE keys will not be derived anyway.
> -+     */
> -+	/* Leave only the eap auth bits set */
> -+	auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );
> -+
> -+	if ((numbits == 0) && (auth_eap_bits == 0)) {
> -+	    error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
> -+#else
> - 	if (!numbits) {
> --	    error("MPPE required, but MS-CHAP[v2] auth not performed.");
> -+		error("MPPE required, but MS-CHAP[v2] auth not performed.");
> -+#endif
> - 	    lcp_close(f->unit, "MPPE required but not available");
> - 	    return;
> - 	}
> -diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
> -index 77dd4ecc7059..269b52cb2041 100644
> ---- a/pppd/chap-md5.c
> -+++ b/pppd/chap-md5.c
> -@@ -36,7 +36,11 @@
> - #include "chap-new.h"
> - #include "chap-md5.h"
> - #include "magic.h"
> -+#ifdef USE_EAPTLS
> -+#include "eap-tls.h"
> -+#else
> - #include "md5.h"
> -+#endif /* USE_EAPTLS */
> - 
> - #define MD5_HASH_SIZE		16
> - #define MD5_MIN_CHALLENGE	16
> -diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
> -new file mode 100644
> -index 000000000000..df4bc1b996c9
> ---- /dev/null
> -+++ b/pppd/eap-tls.c
> -@@ -0,0 +1,1383 @@
> -+/* * eap-tls.c - EAP-TLS implementation for PPP
> -+ *
> -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
> -+ *
> -+ * Redistribution and use in source and binary forms, with or without
> -+ * modification, are permitted provided that the following conditions
> -+ * are met:
> -+ *
> -+ * 1. Redistributions of source code must retain the above copyright
> -+ *    notice, this list of conditions and the following disclaimer.
> -+ *
> -+ * 2. Redistributions in binary form must reproduce the above copyright
> -+ *    notice, this list of conditions and the following disclaimer in
> -+ *    the documentation and/or other materials provided with the
> -+ *    distribution.
> -+ *
> -+ * 3. The name(s) of the authors of this software must not be used to
> -+ *    endorse or promote products derived from this software without
> -+ *    prior written permission.
> -+ *
> -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
> -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
> -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
> -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
> -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
> -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> -+ *
> -+ */
> -+
> -+#include <string.h>
> -+#include <unistd.h>
> -+#include <sys/types.h>
> -+#include <sys/stat.h>
> -+#include <fcntl.h>
> -+
> -+#include <openssl/conf.h>
> -+#include <openssl/engine.h>
> -+#include <openssl/hmac.h>
> -+#include <openssl/err.h>
> -+#include <openssl/x509v3.h>
> -+
> -+#include "pppd.h"
> -+#include "eap.h"
> -+#include "eap-tls.h"
> -+#include "fsm.h"
> -+#include "lcp.h"
> -+#include "pathnames.h"
> -+
> -+/* The openssl configuration file and engines can be loaded only once */
> -+static CONF   *ssl_config  = NULL;
> -+static ENGINE *cert_engine = NULL;
> -+static ENGINE *pkey_engine = NULL;
> -+
> -+#ifdef MPPE
> -+
> -+#define EAPTLS_MPPE_KEY_LEN     32
> -+
> -+/*
> -+ * The following stuff is only needed if SSL_export_keying_material() is not available
> -+ */
> -+
> -+#if OPENSSL_VERSION_NUMBER < 0x10001000L
> -+
> -+/*
> -+ * https://wiki.openssl.org/index.php/1.1_API_Changes
> -+ * tries to provide some guidance but ultimately falls short.
> -+ *
> -+ */
> -+
> -+static void HMAC_CTX_free(HMAC_CTX *ctx)
> -+{
> -+	if (ctx != NULL) {
> -+		HMAC_CTX_cleanup(ctx);
> -+		OPENSSL_free(ctx);
> -+	}
> -+}
> -+
> -+static HMAC_CTX *HMAC_CTX_new(void)
> -+{
> -+	HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
> -+	if (ctx != NULL)
> -+		HMAC_CTX_init(ctx);
> -+	return ctx;
> -+}
> -+
> -+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
> -+				    size_t outlen)
> -+{
> -+	if (outlen == 0)
> -+		return sizeof(ssl->s3->client_random);
> -+	if (outlen > sizeof(ssl->s3->client_random))
> -+		outlen = sizeof(ssl->s3->client_random);
> -+	memcpy(out, ssl->s3->client_random, outlen);
> -+	return outlen;
> -+}
> -+
> -+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
> -+				    size_t outlen)
> -+{
> -+	if (outlen == 0)
> -+		return sizeof(ssl->s3->server_random);
> -+	if (outlen > sizeof(ssl->s3->server_random))
> -+		outlen = sizeof(ssl->s3->server_random);
> -+	memcpy(out, ssl->s3->server_random, outlen);
> -+	return outlen;
> -+}
> -+
> -+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
> -+				         unsigned char *out, size_t outlen)
> -+{
> -+	if (outlen == 0)
> -+		return session->master_key_length;
> -+	if (outlen > session->master_key_length)
> -+		outlen = session->master_key_length;
> -+	memcpy(out, session->master_key, outlen);
> -+	return outlen;
> -+}
> -+
> -+
> -+/*
> -+ * TLS PRF from RFC 2246
> -+ */
> -+static void P_hash(const EVP_MD *evp_md,
> -+		   const unsigned char *secret, unsigned int secret_len,
> -+		   const unsigned char *seed,   unsigned int seed_len,
> -+		   unsigned char *out, unsigned int out_len)
> -+{
> -+	HMAC_CTX *ctx_a, *ctx_out;
> -+	unsigned char a[HMAC_MAX_MD_CBLOCK];
> -+	unsigned int size;
> -+
> -+	ctx_a = HMAC_CTX_new();
> -+	ctx_out = HMAC_CTX_new();
> -+	HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
> -+	HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
> -+
> -+	size = HMAC_size(ctx_out);
> -+
> -+	/* Calculate A(1) */
> -+	HMAC_Update(ctx_a, seed, seed_len);
> -+	HMAC_Final(ctx_a, a, NULL);
> -+
> -+	while (1) {
> -+		/* Calculate next part of output */
> -+		HMAC_Update(ctx_out, a, size);
> -+		HMAC_Update(ctx_out, seed, seed_len);
> -+
> -+		/* Check if last part */
> -+		if (out_len < size) {
> -+			HMAC_Final(ctx_out, a, NULL);
> -+			memcpy(out, a, out_len);
> -+			break;
> -+		}
> -+
> -+		/* Place digest in output buffer */
> -+		HMAC_Final(ctx_out, out, NULL);
> -+		HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
> -+		out += size;
> -+		out_len -= size;
> -+
> -+		/* Calculate next A(i) */
> -+		HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
> -+		HMAC_Update(ctx_a, a, size);
> -+		HMAC_Final(ctx_a, a, NULL);
> -+	}
> -+
> -+	HMAC_CTX_free(ctx_a);
> -+	HMAC_CTX_free(ctx_out);
> -+	memset(a, 0, sizeof(a));
> -+}
> -+
> -+static void PRF(const unsigned char *secret, unsigned int secret_len,
> -+		const unsigned char *seed,   unsigned int seed_len,
> -+		unsigned char *out, unsigned char *buf, unsigned int out_len)
> -+{
> -+	    unsigned int i;
> -+	    unsigned int len = (secret_len + 1) / 2;
> -+	const unsigned char *s1 = secret;
> -+	const unsigned char *s2 = secret + (secret_len - len);
> -+
> -+	P_hash(EVP_md5(),  s1, len, seed, seed_len, out, out_len);
> -+	P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
> -+
> -+	for (i=0; i < out_len; i++) {
> -+	        out[i] ^= buf[i];
> -+	}
> -+}
> -+
> -+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
> -+                               const char *label, size_t llen,
> -+                               const unsigned char *p, size_t plen,
> -+                               int use_context)
> -+{
> -+	unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
> -+	unsigned char buf[4*EAPTLS_MPPE_KEY_LEN];
> -+	unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
> -+	size_t master_key_length;
> -+	unsigned char *pp;
> -+
> -+	pp = seed;
> -+
> -+	memcpy(pp, label, llen);
> -+	pp += llen;
> -+
> -+	llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE);
> -+	pp += SSL3_RANDOM_SIZE;
> -+
> -+	llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE);
> -+
> -+	master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
> -+						   sizeof(master_key));
> -+	PRF(master_key, master_key_length, seed, llen, out, buf, olen);
> -+
> -+	return 1;
> -+}
> -+
> -+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */
> -+
> -+
> -+/*
> -+ *  OpenSSL 1.1+ introduced a generic TLS_method()
> -+ *  For older releases we substitute the appropriate method
> -+ */
> -+
> -+#if OPENSSL_VERSION_NUMBER < 0x10100000L
> -+
> -+#define TLS_method SSLv23_method
> -+
> -+#define SSL3_RT_HEADER	0x100
> -+
> -+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
> -+
> -+
> -+/*
> -+ *  Generate keys according to RFC 2716 and add to reply
> -+ */
> -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
> -+	                      int client)
> -+{
> -+	unsigned char  out[4*EAPTLS_MPPE_KEY_LEN];
> -+	size_t         prf_size = strlen(prf_label);
> -+	unsigned char *p;
> -+
> -+	if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1)
> -+	{
> -+	    warn( "EAP-TLS: Failed generating keying material" );
> -+	    return;
> -+	}
> -+
> -+	/*
> -+	 * We now have the master send and receive keys.
> -+	 * From these, generate the session send and receive keys.
> -+	 * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
> -+	 */
> -+	if (client)
> -+	{
> -+	    p = out;
> -+		BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
> -+		p += EAPTLS_MPPE_KEY_LEN;
> -+		BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
> -+	}
> -+	else
> -+	{
> -+		p = out;
> -+		BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
> -+		p += EAPTLS_MPPE_KEY_LEN;
> -+		BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
> -+	}
> -+
> -+	mppe_keys_set = 1;
> -+}
> -+
> -+#endif
> -+
> -+void log_ssl_errors( void )
> -+{
> -+	unsigned long ssl_err = ERR_get_error();
> -+
> -+	if (ssl_err != 0)
> -+		dbglog("EAP-TLS SSL error stack:");
> -+	while (ssl_err != 0) {
> -+		dbglog( ERR_error_string( ssl_err, NULL ) );
> -+		ssl_err = ERR_get_error();
> -+	}
> -+}
> -+
> -+
> -+int password_callback (char *buf, int size, int rwflag, void *u)
> -+{
> -+	if (buf)
> -+	{
> -+		strncpy (buf, passwd, size);
> -+		return strlen (buf);
> -+	}
> -+	return 0;
> -+}
> -+
> -+
> -+CONF *eaptls_ssl_load_config( void )
> -+{
> -+	CONF        *config;
> -+	int          ret_code;
> -+	long         error_line = 33;
> -+
> -+	config = NCONF_new( NULL );
> -+	dbglog( "Loading OpenSSL config file" );
> -+	ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
> -+	if (ret_code == 0)
> -+	{
> -+	    warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
> -+	    NCONF_free( config );
> -+	    config = NULL;
> -+	    ERR_clear_error();
> -+	}
> -+
> -+	dbglog( "Loading OpenSSL built-ins" );
> -+	ENGINE_load_builtin_engines();
> -+	OPENSSL_load_builtin_modules();
> -+
> -+	dbglog( "Loading OpenSSL configured modules" );
> -+	if (CONF_modules_load( config, NULL, 0 ) <= 0 )
> -+	{
> -+	    warn( "EAP-TLS: Error loading OpenSSL modules" );
> -+	    log_ssl_errors();
> -+	    config = NULL;
> -+	}
> -+
> -+	return config;
> -+}
> -+
> -+ENGINE *eaptls_ssl_load_engine( char *engine_name )
> -+{
> -+	ENGINE      *e = NULL;
> -+
> -+	dbglog( "Enabling OpenSSL auto engines" );
> -+	ENGINE_register_all_complete();
> -+
> -+	dbglog( "Loading OpenSSL '%s' engine support", engine_name );
> -+	e = ENGINE_by_id( engine_name );
> -+	if (!e)
> -+	{
> -+		dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
> -+		e = ENGINE_by_id( "dynamic" );
> -+		if (e)
> -+		{
> -+			if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
> -+   	         || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
> -+			{
> -+				warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
> -+		        log_ssl_errors();
> -+				ENGINE_free(e);
> -+				e = NULL;
> -+			}
> -+		}
> -+		else
> -+		{
> -+			warn( "EAP-TLS: Cannot load dynamic engine support" );
> -+		}
> -+	}
> -+
> -+	if (e)
> -+	{
> -+		dbglog( "Initialising engine" );
> -+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
> -+		{
> -+			warn( "EAP-TLS: Cannot use that engine" );
> -+			log_ssl_errors();
> -+			ENGINE_free(e);
> -+			e = NULL;
> -+		}
> -+	}
> -+
> -+	return e;
> -+}
> -+
> -+/*
> -+ * Initialize the SSL stacks and tests if certificates, key and crl
> -+ * for client or server use can be loaded.
> -+ */
> -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
> -+			char *certfile, char *peer_certfile, char *privkeyfile)
> -+{
> -+	char		*cert_engine_name = NULL;
> -+	char		*cert_identifier = NULL;
> -+	char		*pkey_engine_name = NULL;
> -+	char		*pkey_identifier = NULL;
> -+	SSL_CTX		*ctx;
> -+	SSL			*ssl;
> -+	X509_STORE	*certstore;
> -+	X509_LOOKUP	*lookup;
> -+	X509		*tmp;
> -+	int			ret;
> -+
> -+	/*
> -+	 * Without these can't continue
> -+	 */
> -+	if (!cacertfile[0])
> -+	{
> -+		error("EAP-TLS: CA certificate missing");
> -+		return NULL;
> -+	}
> -+
> -+	if (!certfile[0])
> -+	{
> -+		error("EAP-TLS: User certificate missing");
> -+		return NULL;
> -+	}
> -+
> -+	if (!privkeyfile[0])
> -+	{
> -+		error("EAP-TLS: User private key missing");
> -+		return NULL;
> -+	}
> -+
> -+	SSL_library_init();
> -+	SSL_load_error_strings();
> -+
> -+	ctx = SSL_CTX_new(TLS_method());
> -+
> -+	if (!ctx) {
> -+		error("EAP-TLS: Cannot initialize SSL CTX context");
> -+		goto fail;
> -+	}
> -+
> -+	/* if the certificate filename is of the form engine:id. e.g.
> -+		pkcs11:12345
> -+	   then we try to load and use this engine.
> -+	   If the certificate filename starts with a / or . then we
> -+	   ALWAYS assume it is a file and not an engine/pkcs11 identifier
> -+	 */
> -+	if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
> -+	{
> -+		cert_identifier = index( certfile, ':' );
> -+
> -+		if (cert_identifier)
> -+		{
> -+			cert_engine_name = certfile;
> -+			*cert_identifier = '\0';
> -+			cert_identifier++;
> -+
> -+			dbglog( "Found certificate engine '%s'", cert_engine_name );
> -+			dbglog( "Found certificate identifier '%s'", cert_identifier );
> -+		}
> -+	}
> -+
> -+	/* if the privatekey filename is of the form engine:id. e.g.
> -+		pkcs11:12345
> -+	   then we try to load and use this engine.
> -+	   If the privatekey filename starts with a / or . then we
> -+	   ALWAYS assume it is a file and not an engine/pkcs11 identifier
> -+	 */
> -+	if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
> -+	{
> -+		pkey_identifier = index( privkeyfile, ':' );
> -+
> -+		if (pkey_identifier)
> -+		{
> -+			pkey_engine_name = privkeyfile;
> -+			*pkey_identifier = '\0';
> -+			pkey_identifier++;
> -+
> -+			dbglog( "Found privatekey engine '%s'", pkey_engine_name );
> -+			dbglog( "Found privatekey identifier '%s'", pkey_identifier );
> -+		}
> -+	}
> -+
> -+	if (cert_identifier && pkey_identifier)
> -+	{
> -+		if (strlen( cert_identifier ) == 0)
> -+		{
> -+			if (strlen( pkey_identifier ) == 0)
> -+				error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
> -+			else
> -+			{
> -+				dbglog( "Substituting privatekey identifier for certificate identifier" );
> -+				cert_identifier = pkey_identifier;
> -+			}
> -+		}
> -+		else
> -+		{
> -+			if (strlen( pkey_identifier ) == 0)
> -+			{
> -+				dbglog( "Substituting certificate identifier for privatekey identifier" );
> -+				pkey_identifier = cert_identifier;
> -+			}
> -+		}
> -+
> -+	}
> -+
> -+	/* load the openssl config file only once */
> -+	if (!ssl_config)
> -+	{
> -+		if (cert_engine_name || pkey_engine_name)
> -+			ssl_config = eaptls_ssl_load_config();
> -+
> -+		if (ssl_config && cert_engine_name)
> -+			cert_engine = eaptls_ssl_load_engine( cert_engine_name );
> -+
> -+		if (ssl_config && pkey_engine_name)
> -+		{
> -+			/* don't load the same engine twice */
> -+			if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
> -+				pkey_engine = cert_engine;
> -+			else
> -+				pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
> -+		}
> -+	}
> -+
> -+	SSL_CTX_set_default_passwd_cb (ctx, password_callback);
> -+
> -+	if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
> -+	{
> -+		error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
> -+		goto fail;
> -+	}
> -+
> -+	if (init_server)
> -+		SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
> -+
> -+	if (cert_engine)
> -+	{
> -+		struct
> -+		{
> -+			const char *s_slot_cert_id;
> -+			X509 *cert;
> -+		} cert_info;
> -+
> -+		cert_info.s_slot_cert_id = cert_identifier;
> -+		cert_info.cert = NULL;
> -+
> -+		if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
> -+		{
> -+			error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
> -+			goto fail;
> -+		}
> -+
> -+		if (cert_info.cert)
> -+		{
> -+		    dbglog( "Got the certificate, adding it to SSL context" );
> -+			dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
> -+			if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
> -+			{
> -+				error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
> -+				goto fail;
> -+			}
> -+		}
> -+		else
> -+		{
> -+			warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
> -+			log_ssl_errors();
> -+		}
> -+	}
> -+	else
> -+	{
> -+		if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
> -+		{
> -+			error( "EAP-TLS: Cannot use public certificate %s", certfile );
> -+			goto fail;
> -+		}
> -+	}
> -+
> -+
> -+	/*
> -+	 *  Check the Before and After dates of the certificate
> -+	 */
> -+	ssl = SSL_new(ctx);
> -+	tmp = SSL_get_certificate(ssl);
> -+
> -+	ret = X509_cmp_time(X509_get_notBefore(tmp), NULL);
> -+	if (ret == 0)
> -+	{
> -+		warn( "EAP-TLS: Failed to read certificate notBefore field.");
> -+	}
> -+	if (ret > 0)
> -+	{
> -+		warn( "EAP-TLS: Your certificate is not yet valid!");
> -+	}
> -+
> -+	ret = X509_cmp_time(X509_get_notAfter(tmp), NULL);
> -+	if (ret == 0)
> -+	{
> -+		warn( "EAP-TLS: Failed to read certificate notAfter field.");
> -+	}
> -+	if (ret < 0)
> -+	{
> -+		warn( "EAP-TLS: Your certificate has expired!");
> -+	}
> -+	SSL_free(ssl);
> -+
> -+	if (pkey_engine)
> -+	{
> -+		EVP_PKEY   *pkey = NULL;
> -+		PW_CB_DATA  cb_data;
> -+
> -+		cb_data.password = passwd;
> -+		cb_data.prompt_info = pkey_identifier;
> -+
> -+		dbglog( "Loading private key '%s' from engine", pkey_identifier );
> -+		pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
> -+		if (pkey)
> -+		{
> -+		    dbglog( "Got the private key, adding it to SSL context" );
> -+			if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
> -+			{
> -+				error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
> -+				goto fail;
> -+			}
> -+		}
> -+		else
> -+		{
> -+			warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
> -+			log_ssl_errors();
> -+		}
> -+	}
> -+	else
> -+	{
> -+		if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
> -+		{
> -+			error("EAP-TLS: Cannot use private key %s", privkeyfile);
> -+			goto fail;
> -+		}
> -+	}
> -+
> -+	if (SSL_CTX_check_private_key(ctx) != 1) {
> -+		error("EAP-TLS: Private key %s fails security check", privkeyfile);
> -+		goto fail;
> -+	}
> -+
> -+    /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
> -+	SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
> -+#ifdef SSL_OP_NO_TICKET
> -+	| SSL_OP_NO_TICKET
> -+#endif
> -+	);
> -+
> -+	SSL_CTX_set_verify_depth(ctx, 5);
> -+	SSL_CTX_set_verify(ctx,
> -+			   SSL_VERIFY_PEER |
> -+			   SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
> -+			   &ssl_verify_callback);
> -+
> -+	if (crl_dir) {
> -+		if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
> -+			error("EAP-TLS: Failed to get certificate store");
> -+			goto fail;
> -+		}
> -+
> -+		if (!(lookup =
> -+		     X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
> -+			error("EAP-TLS: Store lookup for CRL failed");
> -+
> -+			goto fail;
> -+		}
> -+
> -+		X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
> -+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
> -+	}
> -+
> -+	if (crl_file) {
> -+	    FILE     *fp  = NULL;
> -+	    X509_CRL *crl = NULL;
> -+
> -+	    fp = fopen(crl_file, "r");
> -+	    if (!fp) {
> -+	        error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
> -+	        goto fail;
> -+	    }
> -+
> -+	    crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
> -+	    if (!crl) {
> -+	        error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
> -+	        goto fail;
> -+	    }
> -+
> -+		if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
> -+			error("EAP-TLS: Failed to get certificate store");
> -+			goto fail;
> -+		}
> -+	    if (!X509_STORE_add_crl(certstore, crl)) {
> -+	        error("EAP-TLS: Cannot add CRL to certificate store");
> -+	        goto fail;
> -+	    }
> -+		X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
> -+
> -+	}
> -+
> -+	/*
> -+	 * If a peer certificate file was specified, it must be valid, else fail
> -+	 */
> -+	if (peer_certfile[0]) {
> -+		if (!(tmp = get_X509_from_file(peer_certfile))) {
> -+			error("EAP-TLS: Error loading client certificate from file %s",
> -+			     peer_certfile);
> -+			goto fail;
> -+		}
> -+		X509_free(tmp);
> -+	}
> -+
> -+	return ctx;
> -+
> -+fail:
> -+	log_ssl_errors();
> -+	SSL_CTX_free(ctx);
> -+	return NULL;
> -+}
> -+
> -+/*
> -+ * Determine the maximum packet size by looking at the LCP handshake
> -+ */
> -+
> -+int eaptls_get_mtu(int unit)
> -+{
> -+	int mtu, mru;
> -+
> -+	lcp_options *wo = &lcp_wantoptions[unit];
> -+	lcp_options *go = &lcp_gotoptions[unit];
> -+	lcp_options *ho = &lcp_hisoptions[unit];
> -+	lcp_options *ao = &lcp_allowoptions[unit];
> -+
> -+	mtu = ho->neg_mru? ho->mru: PPP_MRU;
> -+	mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
> -+	mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
> -+
> -+	dbglog("MTU = %d", mtu);
> -+	return mtu;
> -+}
> -+
> -+
> -+/*
> -+ * Init the ssl handshake (server mode)
> -+ */
> -+int eaptls_init_ssl_server(eap_state * esp)
> -+{
> -+	struct eaptls_session *ets;
> -+	char servcertfile[MAXWORDLEN];
> -+	char clicertfile[MAXWORDLEN];
> -+	char cacertfile[MAXWORDLEN];
> -+	char pkfile[MAXWORDLEN];
> -+	/*
> -+	 * Allocate new eaptls session
> -+	 */
> -+	esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
> -+	if (!esp->es_server.ea_session)
> -+		fatal("Allocation error");
> -+	ets = esp->es_server.ea_session;
> -+
> -+	if (!esp->es_server.ea_peer) {
> -+		error("EAP-TLS: Error: client name not set (BUG)");
> -+		return 0;
> -+	}
> -+
> -+	strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
> -+
> -+	dbglog( "getting eaptls secret" );
> -+	if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
> -+			       esp->es_server.ea_name, clicertfile,
> -+			       servcertfile, cacertfile, pkfile, 1)) {
> -+		error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
> -+				esp->es_server.ea_peer, esp->es_server.ea_name );
> -+		return 0;
> -+	}
> -+
> -+	ets->mtu = eaptls_get_mtu(esp->es_unit);
> -+
> -+	ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
> -+	if (!ets->ctx)
> -+		goto fail;
> -+
> -+	if (!(ets->ssl = SSL_new(ets->ctx)))
> -+		goto fail;
> -+
> -+	/*
> -+	 * Set auto-retry to avoid timeouts on BIO_read
> -+	 */
> -+	SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
> -+
> -+	/*
> -+	 * Initialize the BIOs we use to read/write to ssl engine
> -+	 */
> -+	ets->into_ssl = BIO_new(BIO_s_mem());
> -+	ets->from_ssl = BIO_new(BIO_s_mem());
> -+	SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
> -+
> -+	SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
> -+	SSL_set_msg_callback_arg(ets->ssl, ets);
> -+
> -+	/*
> -+	 * Attach the session struct to the connection, so we can later
> -+	 * retrieve it when doing certificate verification
> -+	 */
> -+	SSL_set_ex_data(ets->ssl, 0, ets);
> -+
> -+	SSL_set_accept_state(ets->ssl);
> -+
> -+	ets->data = NULL;
> -+	ets->datalen = 0;
> -+	ets->alert_sent = 0;
> -+	ets->alert_recv = 0;
> -+
> -+	/*
> -+	 * If we specified the client certificate file, store it in ets->peercertfile,
> -+	 * so we can check it later in ssl_verify_callback()
> -+	 */
> -+	if (clicertfile[0])
> -+		strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
> -+	else
> -+		ets->peercertfile[0] = 0;
> -+
> -+	return 1;
> -+
> -+fail:
> -+	SSL_CTX_free(ets->ctx);
> -+	return 0;
> -+}
> -+
> -+/*
> -+ * Init the ssl handshake (client mode)
> -+ */
> -+int eaptls_init_ssl_client(eap_state * esp)
> -+{
> -+	struct eaptls_session *ets;
> -+	char servcertfile[MAXWORDLEN];
> -+	char clicertfile[MAXWORDLEN];
> -+	char cacertfile[MAXWORDLEN];
> -+	char pkfile[MAXWORDLEN];
> -+
> -+	/*
> -+	 * Allocate new eaptls session
> -+	 */
> -+	esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
> -+	if (!esp->es_client.ea_session)
> -+		fatal("Allocation error");
> -+	ets = esp->es_client.ea_session;
> -+
> -+	/*
> -+	 * If available, copy server name in ets; it will be used in cert
> -+	 * verify
> -+	 */
> -+	if (esp->es_client.ea_peer)
> -+		strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
> -+	else
> -+		ets->peer[0] = 0;
> -+
> -+	ets->mtu = eaptls_get_mtu(esp->es_unit);
> -+
> -+	dbglog( "calling get_eaptls_secret" );
> -+	if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
> -+			       ets->peer, clicertfile,
> -+			       servcertfile, cacertfile, pkfile, 0)) {
> -+		error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
> -+				esp->es_client.ea_name, ets->peer );
> -+		return 0;
> -+	}
> -+
> -+	dbglog( "calling eaptls_init_ssl" );
> -+	ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
> -+	if (!ets->ctx)
> -+		goto fail;
> -+
> -+	ets->ssl = SSL_new(ets->ctx);
> -+
> -+	if (!ets->ssl)
> -+		goto fail;
> -+
> -+	/*
> -+	 * Initialize the BIOs we use to read/write to ssl engine
> -+	 */
> -+	dbglog( "Initializing SSL BIOs" );
> -+	ets->into_ssl = BIO_new(BIO_s_mem());
> -+	ets->from_ssl = BIO_new(BIO_s_mem());
> -+	SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
> -+
> -+	SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
> -+	SSL_set_msg_callback_arg(ets->ssl, ets);
> -+
> -+	/*
> -+	 * Attach the session struct to the connection, so we can later
> -+	 * retrieve it when doing certificate verification
> -+	 */
> -+	SSL_set_ex_data(ets->ssl, 0, ets);
> -+
> -+	SSL_set_connect_state(ets->ssl);
> -+
> -+	ets->data = NULL;
> -+	ets->datalen = 0;
> -+	ets->alert_sent = 0;
> -+	ets->alert_recv = 0;
> -+
> -+	/*
> -+	 * If we specified the server certificate file, store it in
> -+	 * ets->peercertfile, so we can check it later in
> -+	 * ssl_verify_callback()
> -+	 */
> -+	if (servcertfile[0])
> -+		strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
> -+	else
> -+		ets->peercertfile[0] = 0;
> -+
> -+	return 1;
> -+
> -+fail:
> -+	dbglog( "eaptls_init_ssl_client: fail" );
> -+	SSL_CTX_free(ets->ctx);
> -+	return 0;
> -+
> -+}
> -+
> -+void eaptls_free_session(struct eaptls_session *ets)
> -+{
> -+	if (ets->ssl)
> -+		SSL_free(ets->ssl);
> -+
> -+	if (ets->ctx)
> -+		SSL_CTX_free(ets->ctx);
> -+
> -+	free(ets);
> -+}
> -+
> -+/*
> -+ * Handle a received packet, reassembling fragmented messages and
> -+ * passing them to the ssl engine
> -+ */
> -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
> -+{
> -+	u_char flags;
> -+	u_int tlslen = 0;
> -+	u_char dummy[65536];
> -+
> -+	if (len < 1) {
> -+		warn("EAP-TLS: received no or invalid data");
> -+		return 1;
> -+	}
> -+
> -+	GETCHAR(flags, inp);
> -+	len--;
> -+
> -+	if (flags & EAP_TLS_FLAGS_LI && len > 4) {
> -+		/*
> -+		 * LenghtIncluded flag set -> this is the first packet of a message
> -+		*/
> -+
> -+		/*
> -+		 * the first 4 octets are the length of the EAP-TLS message
> -+		 */
> -+		GETLONG(tlslen, inp);
> -+		len -= 4;
> -+
> -+		if (!ets->data) {
> -+
> -+			if (tlslen > EAP_TLS_MAX_LEN) {
> -+				error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
> -+				tlslen = EAP_TLS_MAX_LEN;
> -+			}
> -+
> -+			/*
> -+			 * Allocate memory for the whole message
> -+			*/
> -+			ets->data = malloc(tlslen);
> -+			if (!ets->data)
> -+				fatal("EAP-TLS: allocation error\n");
> -+
> -+			ets->datalen = 0;
> -+			ets->tlslen = tlslen;
> -+		}
> -+		else
> -+			warn("EAP-TLS: non-first LI packet? that's odd...");
> -+	}
> -+	else if (!ets->data) {
> -+		/*
> -+		 * A non fragmented message without LI flag
> -+		*/
> -+
> -+		ets->data = malloc(len);
> -+		if (!ets->data)
> -+			fatal("EAP-TLS: allocation error\n");
> -+
> -+		ets->datalen = 0;
> -+		ets->tlslen = len;
> -+	}
> -+
> -+	if (flags & EAP_TLS_FLAGS_MF)
> -+		ets->frag = 1;
> -+	else
> -+		ets->frag = 0;
> -+
> -+	if (len < 0) {
> -+		warn("EAP-TLS: received malformed data");
> -+		return 1;
> -+	}
> -+
> -+	if (len + ets->datalen > ets->tlslen) {
> -+		warn("EAP-TLS: received data > TLS message length");
> -+		return 1;
> -+	}
> -+
> -+	BCOPY(inp, ets->data + ets->datalen, len);
> -+	ets->datalen += len;
> -+
> -+	if (!ets->frag) {
> -+
> -+		/*
> -+		 * If we have the whole message, pass it to ssl
> -+		 */
> -+
> -+		if (ets->datalen != ets->tlslen) {
> -+			warn("EAP-TLS: received data != TLS message length");
> -+			return 1;
> -+		}
> -+
> -+		if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
> -+			log_ssl_errors();
> -+
> -+		SSL_read(ets->ssl, dummy, 65536);
> -+
> -+		free(ets->data);
> -+		ets->data = NULL;
> -+		ets->datalen = 0;
> -+	}
> -+
> -+	return 0;
> -+}
> -+
> -+/*
> -+ * Return an eap-tls packet in outp.
> -+ * A TLS message read from the ssl engine is buffered in ets->data.
> -+ * At each call we control if there is buffered data and send a
> -+ * packet of mtu bytes.
> -+ */
> -+int eaptls_send(struct eaptls_session *ets, u_char ** outp)
> -+{
> -+	bool first = 0;
> -+	int size;
> -+	u_char fromtls[65536];
> -+	int res;
> -+	u_char *start;
> -+
> -+	start = *outp;
> -+
> -+	if (!ets->data) {
> -+
> -+		if(!ets->alert_sent)
> -+			SSL_read(ets->ssl, fromtls, 65536);
> -+
> -+		/*
> -+		 * Read from ssl
> -+		 */
> -+		if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
> -+		{
> -+			warn("EAP-TLS send: No data from BIO_read");
> -+			return 1;
> -+		}
> -+
> -+		ets->datalen = res;
> -+
> -+		ets->data = malloc(ets->datalen);
> -+		BCOPY(fromtls, ets->data, ets->datalen);
> -+
> -+		ets->offset = 0;
> -+		first = 1;
> -+
> -+	}
> -+
> -+	size = ets->datalen - ets->offset;
> -+
> -+	if (size > ets->mtu) {
> -+		size = ets->mtu;
> -+		ets->frag = 1;
> -+	} else
> -+		ets->frag = 0;
> -+
> -+	PUTCHAR(EAPT_TLS, *outp);
> -+
> -+	/*
> -+	 * Set right flags and length if necessary
> -+	 */
> -+	if (ets->frag && first) {
> -+		PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
> -+		PUTLONG(ets->datalen, *outp);
> -+	} else if (ets->frag) {
> -+		PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
> -+	} else
> -+		PUTCHAR(0, *outp);
> -+
> -+	/*
> -+	 * Copy the data in outp
> -+	 */
> -+	BCOPY(ets->data + ets->offset, *outp, size);
> -+	INCPTR(size, *outp);
> -+
> -+	/*
> -+	 * Copy the packet in retransmission buffer
> -+	 */
> -+	BCOPY(start, &ets->rtx[0], *outp - start);
> -+	ets->rtx_len = *outp - start;
> -+
> -+	ets->offset += size;
> -+
> -+	if (ets->offset >= ets->datalen) {
> -+
> -+		/*
> -+		 * The whole message has been sent
> -+		 */
> -+
> -+		free(ets->data);
> -+		ets->data = NULL;
> -+		ets->datalen = 0;
> -+		ets->offset = 0;
> -+	}
> -+
> -+	return 0;
> -+}
> -+
> -+/*
> -+ * Get the sent packet from the retransmission buffer
> -+ */
> -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
> -+{
> -+	BCOPY(ets->rtx, *outp, ets->rtx_len);
> -+	INCPTR(ets->rtx_len, *outp);
> -+}
> -+
> -+/*
> -+ * Verify a certificate.
> -+ * Most of the work (signatures and issuer attributes checking)
> -+ * is done by ssl; we check the CN in the peer certificate
> -+ * against the peer name.
> -+ */
> -+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
> -+{
> -+	char subject[256];
> -+	char cn_str[256];
> -+	X509 *peer_cert;
> -+	int err, depth;
> -+	SSL *ssl;
> -+	struct eaptls_session *ets;
> -+
> -+	peer_cert = X509_STORE_CTX_get_current_cert(ctx);
> -+	err = X509_STORE_CTX_get_error(ctx);
> -+	depth = X509_STORE_CTX_get_error_depth(ctx);
> -+
> -+	dbglog("certificate verify depth: %d", depth);
> -+
> -+	if (auth_required && !ok) {
> -+		X509_NAME_oneline(X509_get_subject_name(peer_cert),
> -+				  subject, 256);
> -+
> -+		X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
> -+					  NID_commonName, cn_str, 256);
> -+
> -+		dbglog("Certificate verification error:\n depth: %d CN: %s"
> -+		       "\n err: %d (%s)\n", depth, cn_str, err,
> -+		       X509_verify_cert_error_string(err));
> -+
> -+		return 0;
> -+	}
> -+
> -+	ssl = X509_STORE_CTX_get_ex_data(ctx,
> -+				       SSL_get_ex_data_X509_STORE_CTX_idx());
> -+
> -+	ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
> -+
> -+	if (ets == NULL) {
> -+		error("Error: SSL_get_ex_data returned NULL");
> -+		return 0;
> -+	}
> -+
> -+	log_ssl_errors();
> -+
> -+	if (!depth) {		/* This is the peer certificate */
> -+
> -+		X509_NAME_oneline(X509_get_subject_name(peer_cert),
> -+				  subject, 256);
> -+
> -+		X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
> -+					  NID_commonName, cn_str, 256);
> -+
> -+		/*
> -+		 * If acting as client and the name of the server wasn't specified
> -+		 * explicitely, we can't verify the server authenticity
> -+		 */
> -+		if (!ets->peer[0]) {
> -+			warn("Peer name not specified: no check");
> -+			return ok;
> -+		}
> -+
> -+		/*
> -+		 * Check the CN
> -+		 */
> -+		if (strcmp(cn_str, ets->peer)) {
> -+			error
> -+			    ("Certificate verification error: CN (%s) != peer_name (%s)",
> -+			     cn_str, ets->peer);
> -+			return 0;
> -+		}
> -+
> -+		warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
> -+
> -+		/*
> -+		 * If a peer certificate file was specified, here we check it
> -+		 */
> -+		if (ets->peercertfile[0]) {
> -+			if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
> -+			    != 0) {
> -+				error
> -+				    ("Peer certificate doesn't match stored certificate");
> -+				return 0;
> -+			}
> -+		}
> -+	}
> -+
> -+	return ok;
> -+}
> -+
> -+/*
> -+ * Compare a certificate with the one stored in a file
> -+ */
> -+int ssl_cmp_certs(char *filename, X509 * a)
> -+{
> -+	X509 *b;
> -+	int ret;
> -+
> -+	if (!(b = get_X509_from_file(filename)))
> -+		return 1;
> -+
> -+	ret = X509_cmp(a, b);
> -+	X509_free(b);
> -+
> -+	return ret;
> -+
> -+}
> -+
> -+X509 *get_X509_from_file(char *filename)
> -+{
> -+	FILE *fp;
> -+	X509 *ret;
> -+
> -+	if (!(fp = fopen(filename, "r")))
> -+		return NULL;
> -+
> -+	ret = PEM_read_X509(fp, NULL, NULL, NULL);
> -+
> -+	fclose(fp);
> -+
> -+	return ret;
> -+}
> -+
> -+/*
> -+ * Every sent & received message this callback function is invoked,
> -+ * so we know when alert messages have arrived or are sent and
> -+ * we can print debug information about TLS handshake.
> -+ */
> -+void
> -+ssl_msg_callback(int write_p, int version, int content_type,
> -+		 const void *buf, size_t len, SSL * ssl, void *arg)
> -+{
> -+	char string[256];
> -+	struct eaptls_session *ets = (struct eaptls_session *)arg;
> -+	unsigned char code;
> -+	const unsigned char*msg = buf;
> -+	int hvers = msg[1] << 8 | msg[2];
> -+
> -+	if(write_p)
> -+		strcpy(string, " -> ");
> -+	else
> -+		strcpy(string, " <- ");
> -+
> -+	switch(content_type) {
> -+
> -+	case SSL3_RT_HEADER:
> -+		strcat(string, "SSL/TLS Header: ");
> -+		switch(hvers) {
> -+		case SSL3_VERSION:
> -+				strcat(string, "SSL 3.0");
> -+				break;
> -+		case TLS1_VERSION:
> -+				strcat(string, "TLS 1.0");
> -+				break;
> -+		case TLS1_1_VERSION:
> -+				strcat(string, "TLS 1.1");
> -+				break;
> -+		case TLS1_2_VERSION:
> -+				strcat(string, "TLS 1.2");
> -+				break;
> -+		default:
> -+			strcat(string, "Unknown version");
> -+		}
> -+		break;
> -+
> -+	case SSL3_RT_ALERT:
> -+		strcat(string, "Alert: ");
> -+		code = msg[1];
> -+
> -+		if (write_p) {
> -+			ets->alert_sent = 1;
> -+			ets->alert_sent_desc = code;
> -+		} else {
> -+			ets->alert_recv = 1;
> -+			ets->alert_recv_desc = code;
> -+		}
> -+
> -+		strcat(string, SSL_alert_desc_string_long(code));
> -+		break;
> -+
> -+	case SSL3_RT_CHANGE_CIPHER_SPEC:
> -+		strcat(string, "ChangeCipherSpec");
> -+		break;
> -+
> -+	case SSL3_RT_HANDSHAKE:
> -+
> -+		strcat(string, "Handshake: ");
> -+		code = msg[0];
> -+
> -+		switch(code) {
> -+			case SSL3_MT_HELLO_REQUEST:
> -+				strcat(string,"Hello Request");
> -+				break;
> -+			case SSL3_MT_CLIENT_HELLO:
> -+				strcat(string,"Client Hello");
> -+				break;
> -+			case SSL3_MT_SERVER_HELLO:
> -+				strcat(string,"Server Hello");
> -+				break;
> -+#ifdef SSL3_MT_NEWSESSION_TICKET
> -+			case SSL3_MT_NEWSESSION_TICKET:
> -+				strcat(string,"New Session Ticket");
> -+				break;
> -+#endif
> -+			case SSL3_MT_CERTIFICATE:
> -+				strcat(string,"Certificate");
> -+				break;
> -+			case SSL3_MT_SERVER_KEY_EXCHANGE:
> -+				strcat(string,"Server Key Exchange");
> -+				break;
> -+			case SSL3_MT_CERTIFICATE_REQUEST:
> -+				strcat(string,"Certificate Request");
> -+				break;
> -+			case SSL3_MT_SERVER_DONE:
> -+				strcat(string,"Server Hello Done");
> -+								break;
> -+			case SSL3_MT_CERTIFICATE_VERIFY:
> -+				strcat(string,"Certificate Verify");
> -+				break;
> -+			case SSL3_MT_CLIENT_KEY_EXCHANGE:
> -+				strcat(string,"Client Key Exchange");
> -+				break;
> -+			case SSL3_MT_FINISHED:
> -+				strcat(string,"Finished: ");
> -+				hvers = SSL_version(ssl);
> -+				switch(hvers) {
> -+				case SSL3_VERSION:
> -+						strcat(string, "SSL 3.0");
> -+						break;
> -+				case TLS1_VERSION:
> -+						strcat(string, "TLS 1.0");
> -+						break;
> -+				case TLS1_1_VERSION:
> -+						strcat(string, "TLS 1.1");
> -+						break;
> -+				case TLS1_2_VERSION:
> -+						strcat(string, "TLS 1.2");
> -+						break;
> -+				default:
> -+					strcat(string, "Unknown version");
> -+				}
> -+				break;
> -+			default:
> -+				sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
> -+		}
> -+		break;
> -+
> -+	default:
> -+		sprintf( string, "SSL message contains unknown content type: %d", content_type );
> -+
> -+	}
> -+
> -+	/* Alert messages must always be displayed */
> -+	if(content_type == SSL3_RT_ALERT)
> -+		error("%s", string);
> -+	else
> -+		dbglog("%s", string);
> -+}
> -+
> -diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
> -new file mode 100644
> -index 000000000000..2d45a0b83a0c
> ---- /dev/null
> -+++ b/pppd/eap-tls.h
> -@@ -0,0 +1,107 @@
> -+/*
> -+ * eap-tls.h
> -+ *
> -+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
> -+ *
> -+ * Redistribution and use in source and binary forms, with or without
> -+ * modification, are permitted provided that the following conditions
> -+ * are met:
> -+ *
> -+ * 1. Redistributions of source code must retain the above copyright
> -+ *    notice, this list of conditions and the following disclaimer.
> -+ *
> -+ * 2. Redistributions in binary form must reproduce the above copyright
> -+ *    notice, this list of conditions and the following disclaimer in
> -+ *    the documentation and/or other materials provided with the
> -+ *    distribution.
> -+ *
> -+ * 3. The name(s) of the authors of this software must not be used to
> -+ *    endorse or promote products derived from this software without
> -+ *    prior written permission.
> -+ *
> -+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
> -+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
> -+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
> -+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
> -+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
> -+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
> -+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
> -+ *
> -+ */
> -+
> -+#ifndef __EAP_TLS_H__
> -+#define __EAP_TLS_H__
> -+
> -+#include "eap.h"
> -+
> -+#include <openssl/ssl.h>
> -+#include <openssl/bio.h>
> -+#include <openssl/md5.h>
> -+
> -+#define EAP_TLS_FLAGS_LI        128	/* length included flag */
> -+#define EAP_TLS_FLAGS_MF        64	/* more fragments flag */
> -+#define EAP_TLS_FLAGS_START     32	/* start flag */
> -+
> -+#define EAP_TLS_MAX_LEN         65536	/* max eap tls packet size */
> -+
> -+struct eaptls_session
> -+{
> -+	u_char *data;		/* buffered data */
> -+	int datalen;		/* buffered data len */
> -+	int offset;		/* from where to send */
> -+	int tlslen;		/* total length of tls data */
> -+	bool frag;		/* packet is fragmented */
> -+	SSL_CTX *ctx;
> -+	SSL *ssl;		/* ssl connection */
> -+	BIO *from_ssl;
> -+	BIO *into_ssl;
> -+	char peer[MAXWORDLEN];	/* peer name */
> -+	char peercertfile[MAXWORDLEN];
> -+	bool alert_sent;
> -+	u_char alert_sent_desc;
> -+	bool alert_recv;
> -+	u_char alert_recv_desc;
> -+	char rtx[65536];	/* retransmission buffer */
> -+	int rtx_len;
> -+	int mtu;		/* unit mtu */
> -+};
> -+
> -+typedef struct pw_cb_data
> -+{
> -+	const void *password;
> -+	const char *prompt_info;
> -+} PW_CB_DATA;
> -+
> -+
> -+int ssl_verify_callback(int, X509_STORE_CTX *);
> -+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
> -+		      size_t len, SSL * ssl, void *arg);
> -+
> -+X509 *get_X509_from_file(char *filename);
> -+int ssl_cmp_certs(char *filename, X509 * a);
> -+
> -+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
> -+            char *certfile, char *peer_certfile, char *privkeyfile);
> -+int eaptls_init_ssl_server(eap_state * esp);
> -+int eaptls_init_ssl_client(eap_state * esp);
> -+void eaptls_free_session(struct eaptls_session *ets);
> -+
> -+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
> -+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
> -+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
> -+
> -+int get_eaptls_secret(int unit, char *client, char *server,
> -+		      char *clicertfile, char *servcertfile, char *cacertfile,
> -+		      char *pkfile, int am_server);
> -+
> -+#ifdef MPPE
> -+#include "mppe.h"   /* MPPE_MAX_KEY_LEN */
> -+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
> -+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
> -+extern int mppe_keys_set;
> -+
> -+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
> -+
> -+#endif
> -+
> -+#endif
> -diff --git a/pppd/eap.c b/pppd/eap.c
> -index 6ea6c1f8bff6..032407c3dbb2 100644
> ---- a/pppd/eap.c
> -+++ b/pppd/eap.c
> -@@ -43,6 +43,11 @@
> -  * Based on draft-ietf-pppext-eap-srp-03.txt.
> -  */
> - 
> -+/*
> -+ * Modification by Beniamino Galvani, Mar 2005
> -+ * Implemented EAP-TLS authentication
> -+ */
> -+
> - #define RCSID	"$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
> - 
> - /*
> -@@ -62,8 +67,12 @@
> - 
> - #include "pppd.h"
> - #include "pathnames.h"
> --#include "md5.h"
> - #include "eap.h"
> -+#ifdef USE_EAPTLS
> -+#include "eap-tls.h"
> -+#else
> -+#include "md5.h"
> -+#endif /* USE_EAPTLS */
> - 
> - #ifdef USE_SRP
> - #include <t_pwd.h>
> -@@ -209,6 +218,9 @@ int unit;
> - 	esp->es_server.ea_id = (u_char)(drand48() * 0x100);
> - 	esp->es_client.ea_timeout = EAP_DEFREQTIME;
> - 	esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
> -+#ifdef USE_EAPTLS
> -+	esp->es_client.ea_using_eaptls = 0;
> -+#endif /* USE_EAPTLS */
> - }
> - 
> - /*
> -@@ -436,8 +448,16 @@ int status;
> - 	u_char vals[2];
> - 	struct b64state bs;
> - #endif /* USE_SRP */
> -+#ifdef USE_EAPTLS
> -+	struct eaptls_session *ets;
> -+	int secret_len;
> -+	char secret[MAXWORDLEN];
> -+#endif /* USE_EAPTLS */
> - 
> - 	esp->es_server.ea_timeout = esp->es_savedtime;
> -+#ifdef USE_EAPTLS
> -+	esp->es_server.ea_prev_state = esp->es_server.ea_state;
> -+#endif /* USE_EAPTLS */
> - 	switch (esp->es_server.ea_state) {
> - 	case eapBadAuth:
> - 		return;
> -@@ -562,9 +582,79 @@ int status;
> - 			break;
> - 		}
> - #endif /* USE_SRP */
> -+#ifdef USE_EAPTLS
> -+                if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
> -+                    esp->es_server.ea_name, secret, &secret_len, 1)) {
> -+
> -+			esp->es_server.ea_state = eapTlsStart;
> -+			break;
> -+		}
> -+#endif /* USE_EAPTLS */
> -+
> - 		esp->es_server.ea_state = eapMD5Chall;
> - 		break;
> - 
> -+#ifdef USE_EAPTLS
> -+	case eapTlsStart:
> -+		/* Initialize ssl session */
> -+		if(!eaptls_init_ssl_server(esp)) {
> -+			esp->es_server.ea_state = eapBadAuth;
> -+			break;
> -+		}
> -+
> -+		esp->es_server.ea_state = eapTlsRecv;
> -+		break;
> -+
> -+	case eapTlsRecv:
> -+		ets = (struct eaptls_session *) esp->es_server.ea_session;
> -+
> -+		if(ets->alert_sent) {
> -+			esp->es_server.ea_state = eapTlsSendAlert;
> -+			break;
> -+		}
> -+
> -+		if (status) {
> -+			esp->es_server.ea_state = eapBadAuth;
> -+			break;
> -+		}
> -+		ets = (struct eaptls_session *) esp->es_server.ea_session;
> -+
> -+		if(ets->frag)
> -+			esp->es_server.ea_state = eapTlsSendAck;
> -+		else
> -+			esp->es_server.ea_state = eapTlsSend;
> -+		break;
> -+
> -+	case eapTlsSend:
> -+		ets = (struct eaptls_session *) esp->es_server.ea_session;
> -+
> -+		if(ets->frag)
> -+			esp->es_server.ea_state = eapTlsRecvAck;
> -+		else
> -+			if(SSL_is_init_finished(ets->ssl))
> -+				esp->es_server.ea_state = eapTlsRecvClient;
> -+			else
> -+				esp->es_server.ea_state = eapTlsRecv;
> -+		break;
> -+
> -+	case eapTlsSendAck:
> -+			esp->es_server.ea_state = eapTlsRecv;
> -+		break;
> -+
> -+	case eapTlsRecvAck:
> -+                if (status) {
> -+                        esp->es_server.ea_state = eapBadAuth;
> -+                        break;
> -+                }
> -+
> -+		esp->es_server.ea_state = eapTlsSend;
> -+		break;
> -+
> -+	case eapTlsSendAlert:
> -+		esp->es_server.ea_state = eapTlsRecvAlertAck;
> -+		break;
> -+#endif /* USE_EAPTLS */
> -+
> - 	case eapSRP1:
> - #ifdef USE_SRP
> - 		ts = (struct t_server *)esp->es_server.ea_session;
> -@@ -718,6 +808,30 @@ eap_state *esp;
> - 		INCPTR(esp->es_server.ea_namelen, outp);
> - 		break;
> - 
> -+#ifdef USE_EAPTLS
> -+	case eapTlsStart:
> -+		PUTCHAR(EAPT_TLS, outp);
> -+		PUTCHAR(EAP_TLS_FLAGS_START, outp);
> -+		eap_figure_next_state(esp, 0);
> -+		break;
> -+
> -+	case eapTlsSend:
> -+		eaptls_send(esp->es_server.ea_session, &outp);
> -+		eap_figure_next_state(esp, 0);
> -+		break;
> -+
> -+	case eapTlsSendAck:
> -+		PUTCHAR(EAPT_TLS, outp);
> -+		PUTCHAR(0, outp);
> -+		eap_figure_next_state(esp, 0);
> -+		break;
> -+
> -+	case eapTlsSendAlert:
> -+		eaptls_send(esp->es_server.ea_session, &outp);
> -+		eap_figure_next_state(esp, 0);
> -+		break;
> -+#endif /* USE_EAPTLS */
> -+
> - #ifdef USE_SRP
> - 	case eapSRP1:
> - 		PUTCHAR(EAPT_SRP, outp);
> -@@ -904,11 +1018,57 @@ static void
> - eap_server_timeout(arg)
> - void *arg;
> - {
> -+#ifdef USE_EAPTLS
> -+	u_char *outp;
> -+	u_char *lenloc;
> -+	int outlen;
> -+#endif /* USE_EAPTLS */
> -+
> - 	eap_state *esp = (eap_state *) arg;
> - 
> - 	if (!eap_server_active(esp))
> - 		return;
> - 
> -+#ifdef USE_EAPTLS
> -+	switch(esp->es_server.ea_prev_state) {
> -+
> -+	/*
> -+	 *  In eap-tls the state changes after a request, so we return to
> -+	 *  previous state ...
> -+	 */
> -+	case(eapTlsStart):
> -+	case(eapTlsSendAck):
> -+		esp->es_server.ea_state = esp->es_server.ea_prev_state;
> -+		break;
> -+
> -+	/*
> -+	 *  ... or resend the stored data
> -+	 */
> -+	case(eapTlsSend):
> -+	case(eapTlsSendAlert):
> -+		outp = outpacket_buf;
> -+		MAKEHEADER(outp, PPP_EAP);
> -+		PUTCHAR(EAP_REQUEST, outp);
> -+		PUTCHAR(esp->es_server.ea_id, outp);
> -+		lenloc = outp;
> -+		INCPTR(2, outp);
> -+
> -+		eaptls_retransmit(esp->es_server.ea_session, &outp);
> -+
> -+		outlen = (outp - outpacket_buf) - PPP_HDRLEN;
> -+		PUTSHORT(outlen, lenloc);
> -+		output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
> -+		esp->es_server.ea_requests++;
> -+
> -+		if (esp->es_server.ea_timeout > 0)
> -+			TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
> -+
> -+		return;
> -+	default:
> -+		break;
> -+	}
> -+#endif /* USE_EAPTLS */
> -+
> - 	/* EAP ID number must not change on timeout. */
> - 	eap_send_request(esp);
> - }
> -@@ -1166,6 +1326,81 @@ u_char *str;
> - }
> - #endif /* USE_SRP */
> - 
> -+#ifdef USE_EAPTLS
> -+/*
> -+ * Send an EAP-TLS response message with tls data
> -+ */
> -+static void
> -+eap_tls_response(esp, id)
> -+eap_state *esp;
> -+u_char id;
> -+{
> -+        u_char *outp;
> -+        int outlen;
> -+	u_char *lenloc;
> -+
> -+        outp = outpacket_buf;
> -+
> -+        MAKEHEADER(outp, PPP_EAP);
> -+
> -+        PUTCHAR(EAP_RESPONSE, outp);
> -+        PUTCHAR(id, outp);
> -+
> -+	lenloc = outp;
> -+	INCPTR(2, outp);
> -+
> -+	/*
> -+	   If the id in the request is unchanged, we must retransmit
> -+	   the old data
> -+	*/
> -+	if(id == esp->es_client.ea_id)
> -+		eaptls_retransmit(esp->es_client.ea_session, &outp);
> -+	else
> -+		eaptls_send(esp->es_client.ea_session, &outp);
> -+
> -+	outlen = (outp - outpacket_buf) - PPP_HDRLEN;
> -+	PUTSHORT(outlen, lenloc);
> -+
> -+	output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
> -+
> -+	esp->es_client.ea_id = id;
> -+
> -+}
> -+
> -+/*
> -+ * Send an EAP-TLS ack
> -+ */
> -+static void
> -+eap_tls_sendack(esp, id)
> -+eap_state *esp;
> -+u_char id;
> -+{
> -+	u_char *outp;
> -+	int outlen;
> -+	u_char *lenloc;
> -+
> -+	outp = outpacket_buf;
> -+
> -+	MAKEHEADER(outp, PPP_EAP);
> -+
> -+	PUTCHAR(EAP_RESPONSE, outp);
> -+	PUTCHAR(id, outp);
> -+	esp->es_client.ea_id = id;
> -+
> -+	lenloc = outp;
> -+	INCPTR(2, outp);
> -+
> -+	PUTCHAR(EAPT_TLS, outp);
> -+	PUTCHAR(0, outp);
> -+
> -+	outlen = (outp - outpacket_buf) - PPP_HDRLEN;
> -+	PUTSHORT(outlen, lenloc);
> -+
> -+	output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
> -+
> -+}
> -+#endif /* USE_EAPTLS */
> -+
> - static void
> - eap_send_nak(esp, id, type)
> - eap_state *esp;
> -@@ -1320,6 +1555,11 @@ int len;
> - 	char rhostname[256];
> - 	MD5_CTX mdContext;
> - 	u_char hash[MD5_SIGNATURE_SIZE];
> -+#ifdef USE_EAPTLS
> -+	u_char flags;
> -+	struct eaptls_session *ets = esp->es_client.ea_session;
> -+#endif /* USE_EAPTLS */
> -+
> - #ifdef USE_SRP
> - 	struct t_client *tc;
> - 	struct t_num sval, gval, Nval, *Ap, Bval;
> -@@ -1456,6 +1696,100 @@ int len;
> - 		    esp->es_client.ea_namelen);
> - 		break;
> - 
> -+#ifdef USE_EAPTLS
> -+	case EAPT_TLS:
> -+
> -+		switch(esp->es_client.ea_state) {
> -+
> -+		case eapListen:
> -+
> -+			if (len < 1) {
> -+				error("EAP: received EAP-TLS Listen packet with no data");
> -+				/* Bogus request; wait for something real. */
> -+				return;
> -+			}
> -+			GETCHAR(flags, inp);
> -+			if(flags & EAP_TLS_FLAGS_START){
> -+
> -+				esp->es_client.ea_using_eaptls = 1;
> -+
> -+                                if (explicit_remote){
> -+                                        esp->es_client.ea_peer = strdup(remote_name);
> -+                                        esp->es_client.ea_peerlen = strlen(remote_name);
> -+                                } else
> -+                                        esp->es_client.ea_peer = NULL;
> -+
> -+				/* Init ssl session */
> -+				if(!eaptls_init_ssl_client(esp)) {
> -+					dbglog("cannot init ssl");
> -+					eap_send_nak(esp, id, EAPT_TLS);
> -+					esp->es_client.ea_using_eaptls = 0;
> -+					break;
> -+				}
> -+
> -+				ets = esp->es_client.ea_session;
> -+				eap_tls_response(esp, id);
> -+				esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
> -+								eapTlsRecv);
> -+				break;
> -+			}
> -+
> -+			/* The server has sent a bad start packet. */
> -+			eap_send_nak(esp, id, EAPT_TLS);
> -+			break;
> -+
> -+		case eapTlsRecvAck:
> -+			eap_tls_response(esp, id);
> -+			esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
> -+							eapTlsRecv);
> -+			break;
> -+
> -+		case eapTlsRecv:
> -+			if (len < 1) {
> -+				error("EAP: discarding EAP-TLS Receive packet with no data");
> -+				/* Bogus request; wait for something real. */
> -+				return;
> -+			}
> -+			eaptls_receive(ets, inp, len);
> -+
> -+			if(ets->frag) {
> -+				eap_tls_sendack(esp, id);
> -+				esp->es_client.ea_state = eapTlsRecv;
> -+				break;
> -+			}
> -+
> -+			if(ets->alert_recv) {
> -+				eap_tls_sendack(esp, id);
> -+				esp->es_client.ea_state = eapTlsRecvFailure;
> -+				break;
> -+			}
> -+
> -+			/* Check if TLS handshake is finished */
> -+			if(SSL_is_init_finished(ets->ssl)){
> -+#ifdef MPPE
> -+ 				eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
> -+#endif
> -+				eaptls_free_session(ets);
> -+				eap_tls_sendack(esp, id);
> -+				esp->es_client.ea_state = eapTlsRecvSuccess;
> -+				break;
> -+			}
> -+
> -+			eap_tls_response(esp,id);
> -+                        esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
> -+                                                        eapTlsRecv);
> -+
> -+                        break;
> -+
> -+		default:
> -+			eap_send_nak(esp, id, EAPT_TLS);
> -+			esp->es_client.ea_using_eaptls = 0;
> -+			break;
> -+		}
> -+
> -+		break;
> -+#endif /* USE_EAPTLS */
> -+
> - #ifdef USE_SRP
> - 	case EAPT_SRP:
> - 		if (len < 1) {
> -@@ -1737,6 +2071,11 @@ int len;
> - 	u_char dig[SHA_DIGESTSIZE];
> - #endif /* USE_SRP */
> - 
> -+#ifdef USE_EAPTLS
> -+	struct eaptls_session *ets;
> -+	u_char flags;
> -+#endif /* USE_EAPTLS */
> -+
> - 	if (esp->es_server.ea_id != id) {
> - 		dbglog("EAP: discarding Response %d; expected ID %d", id,
> - 		    esp->es_server.ea_id);
> -@@ -1776,6 +2115,64 @@ int len;
> - 		eap_figure_next_state(esp, 0);
> - 		break;
> - 
> -+#ifdef USE_EAPTLS
> -+	case EAPT_TLS:
> -+		switch(esp->es_server.ea_state) {
> -+
> -+		case eapTlsRecv:
> -+
> -+			ets = (struct eaptls_session *) esp->es_server.ea_session;
> -+			eap_figure_next_state(esp,
> -+				eaptls_receive(esp->es_server.ea_session, inp, len));
> -+
> -+			if(ets->alert_recv) {
> -+				eap_send_failure(esp);
> -+				break;
> -+			}
> -+			break;
> -+
> -+		case eapTlsRecvAck:
> -+			if(len > 1) {
> -+				dbglog("EAP-TLS ACK with extra data");
> -+			}
> -+			eap_figure_next_state(esp, 0);
> -+			break;
> -+
> -+		case eapTlsRecvClient:
> -+			/* Receive authentication response from client */
> -+
> -+			if (len > 0) {
> -+				GETCHAR(flags, inp);
> -+
> -+				if(len == 1 && !flags) {	/* Ack = ok */
> -+#ifdef MPPE
> -+ 					eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
> -+#endif
> -+					eap_send_success(esp);
> -+				}
> -+				else {			/* failure */
> -+					warn("Server authentication failed");
> -+					eap_send_failure(esp);
> -+				}
> -+			}
> -+			else
> -+				warn("Bogus EAP-TLS packet received from client");
> -+
> -+			eaptls_free_session(esp->es_server.ea_session);
> -+
> -+			break;
> -+
> -+		case eapTlsRecvAlertAck:
> -+			eap_send_failure(esp);
> -+			break;
> -+
> -+		default:
> -+			eap_figure_next_state(esp, 1);
> -+			break;
> -+		}
> -+		break;
> -+#endif /* USE_EAPTLS */
> -+
> - 	case EAPT_NOTIFICATION:
> - 		dbglog("EAP unexpected Notification; response discarded");
> - 		break;
> -@@ -1807,6 +2204,13 @@ int len;
> - 			esp->es_server.ea_state = eapMD5Chall;
> - 			break;
> - 
> -+#ifdef USE_EAPTLS
> -+			/* Send EAP-TLS start packet */
> -+		case EAPT_TLS:
> -+			esp->es_server.ea_state = eapTlsStart;
> -+			break;
> -+#endif /* USE_EAPTLS */
> -+
> - 		default:
> - 			dbglog("EAP: peer requesting unknown Type %d", vallen);
> - 			switch (esp->es_server.ea_state) {
> -@@ -2018,13 +2422,27 @@ u_char *inp;
> - int id;
> - int len;
> - {
> --	if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
> -+	if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
> -+#ifdef USE_EAPTLS
> -+		&& esp->es_client.ea_state != eapTlsRecvSuccess
> -+#endif /* USE_EAPTLS */
> -+		) {
> - 		dbglog("EAP unexpected success message in state %s (%d)",
> - 		    eap_state_name(esp->es_client.ea_state),
> - 		    esp->es_client.ea_state);
> - 		return;
> - 	}
> - 
> -+#ifdef USE_EAPTLS
> -+	if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
> -+		eapTlsRecvSuccess) {
> -+		dbglog("EAP-TLS unexpected success message in state %s (%d)",
> -+                    eap_state_name(esp->es_client.ea_state),
> -+                    esp->es_client.ea_state);
> -+		return;
> -+	}
> -+#endif /* USE_EAPTLS */
> -+
> - 	if (esp->es_client.ea_timeout > 0) {
> - 		UNTIMEOUT(eap_client_timeout, (void *)esp);
> - 	}
> -@@ -2150,6 +2568,9 @@ void *arg;
> - 	int code, id, len, rtype, vallen;
> - 	u_char *pstart;
> - 	u_int32_t uval;
> -+#ifdef USE_EAPTLS
> -+	u_char flags;
> -+#endif /* USE_EAPTLS */
> - 
> - 	if (inlen < EAP_HEADERLEN)
> - 		return (0);
> -@@ -2214,6 +2635,24 @@ void *arg;
> - 			}
> - 			break;
> - 
> -+#ifdef USE_EAPTLS
> -+		case EAPT_TLS:
> -+			if (len < 1)
> -+				break;
> -+			GETCHAR(flags, inp);
> -+			len--;
> -+
> -+                        if(flags == 0 && len == 0){
> -+                                printer(arg, " Ack");
> -+                                break;
> -+                        }
> -+
> -+			printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
> -+			printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
> -+			printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
> -+			break;
> -+#endif /* USE_EAPTLS */
> -+
> - 		case EAPT_SRP:
> - 			if (len < 3)
> - 				goto truncated;
> -@@ -2325,6 +2764,25 @@ void *arg;
> - 			}
> - 			break;
> - 
> -+#ifdef USE_EAPTLS
> -+		case EAPT_TLS:
> -+			if (len < 1)
> -+				break;
> -+			GETCHAR(flags, inp);
> -+			len--;
> -+
> -+                        if(flags == 0 && len == 0){
> -+                                printer(arg, " Ack");
> -+                                break;
> -+                        }
> -+
> -+			printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
> -+			printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
> -+			printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
> -+
> -+			break;
> -+#endif /* USE_EAPTLS */
> -+
> - 		case EAPT_NAK:
> - 			if (len <= 0) {
> - 				printer(arg, " <missing hint>");
> -@@ -2426,3 +2884,4 @@ void *arg;
> - 
> - 	return (inp - pstart);
> - }
> -+
> -diff --git a/pppd/eap.h b/pppd/eap.h
> -index 199d1849b826..087baad83eed 100644
> ---- a/pppd/eap.h
> -+++ b/pppd/eap.h
> -@@ -84,6 +84,16 @@ enum eap_state_code {
> - 	eapClosed,	/* Authentication not in use */
> - 	eapListen,	/* Client ready (and timer running) */
> - 	eapIdentify,	/* EAP Identify sent */
> -+	eapTlsStart,	/* Send EAP-TLS start packet */
> -+	eapTlsRecv,	/* Receive EAP-TLS tls data */
> -+	eapTlsSendAck,	/* Send EAP-TLS ack */
> -+	eapTlsSend,	/* Send EAP-TLS tls data */
> -+	eapTlsRecvAck,	/* Receive EAP-TLS ack */
> -+	eapTlsRecvClient, 	/* Receive EAP-TLS auth response from client*/
> -+	eapTlsSendAlert,	/* Send EAP-TLS tls alert (server)*/
> -+	eapTlsRecvAlertAck,	/* Receive EAP-TLS ack after sending alert */
> -+	eapTlsRecvSuccess,	/* Receive EAP success */
> -+	eapTlsRecvFailure,	/* Receive EAP failure */
> - 	eapSRP1,	/* Sent EAP SRP-SHA1 Subtype 1 */
> - 	eapSRP2,	/* Sent EAP SRP-SHA1 Subtype 2 */
> - 	eapSRP3,	/* Sent EAP SRP-SHA1 Subtype 3 */
> -@@ -95,9 +105,18 @@ enum eap_state_code {
> - 
> - #define	EAP_STATES	\
> - 	"Initial", "Pending", "Closed", "Listen", "Identify", \
> -+	"TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
> -+	"TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
> - 	"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
> - 
> --#define	eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
> -+#ifdef USE_EAPTLS
> -+#define	eap_client_active(esp)	((esp)->es_client.ea_state != eapInitial &&\
> -+				 (esp)->es_client.ea_state != eapPending &&\
> -+				 (esp)->es_client.ea_state != eapClosed)
> -+#else
> -+#define eap_client_active(esp)	((esp)->es_client.ea_state == eapListen)
> -+#endif /* USE_EAPTLS */
> -+
> - #define	eap_server_active(esp)	\
> - 	((esp)->es_server.ea_state >= eapIdentify && \
> - 	 (esp)->es_server.ea_state <= eapMD5Chall)
> -@@ -112,11 +131,17 @@ struct eap_auth {
> - 	u_short ea_namelen;	/* Length of our name */
> - 	u_short ea_peerlen;	/* Length of peer's name */
> - 	enum eap_state_code ea_state;
> -+#ifdef USE_EAPTLS
> -+	enum eap_state_code ea_prev_state;
> -+#endif
> - 	u_char ea_id;		/* Current id */
> - 	u_char ea_requests;	/* Number of Requests sent/received */
> - 	u_char ea_responses;	/* Number of Responses */
> - 	u_char ea_type;		/* One of EAPT_* */
> - 	u_int32_t ea_keyflags;	/* SRP shared key usage flags */
> -+#ifdef USE_EAPTLS
> -+	bool ea_using_eaptls;
> -+#endif
> - };
> - 
> - /*
> -@@ -139,7 +164,12 @@ typedef struct eap_state {
> -  * Timeouts.
> -  */
> - #define	EAP_DEFTIMEOUT		3	/* Timeout (seconds) for rexmit */
> -+#ifdef USE_EAPTLS
> -+#define	EAP_DEFTRANSMITS	30	/* max # times to transmit */
> -+					/* certificates can be long ... */
> -+#else
> - #define	EAP_DEFTRANSMITS	10	/* max # times to transmit */
> -+#endif /* USE_EAPTLS */
> - #define	EAP_DEFREQTIME		20	/* Time to wait for peer request */
> - #define	EAP_DEFALLOWREQ		20	/* max # times to accept requests */
> - 
> -diff --git a/pppd/md5.c b/pppd/md5.c
> -index f1291ce1bd72..6f8f7207c592 100644
> ---- a/pppd/md5.c
> -+++ b/pppd/md5.c
> -@@ -33,6 +33,8 @@
> -  ***********************************************************************
> -  */
> - 
> -+#ifndef USE_EAPTLS
> -+
> - #include <string.h>
> - #include "md5.h"
> - 
> -@@ -305,3 +307,5 @@ UINT4 *in;
> -  ** End of md5.c                                                      **
> -  ******************************** (cut) ********************************
> -  */
> -+#endif /* USE_EAPTLS */
> -+
> -diff --git a/pppd/md5.h b/pppd/md5.h
> -index 71e8b00e2dde..14d712171c5e 100644
> ---- a/pppd/md5.h
> -+++ b/pppd/md5.h
> -@@ -36,6 +36,7 @@
> -  ** documentation and/or software.                                    **
> -  ***********************************************************************
> -  */
> -+#ifndef USE_EAPTLS
> - 
> - #ifndef __MD5_INCLUDE__
> - 
> -@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
> - 
> - #define __MD5_INCLUDE__
> - #endif /* __MD5_INCLUDE__ */
> -+
> -+#endif /* USE_EAPTLS */
> -diff --git a/pppd/pathnames.h b/pppd/pathnames.h
> -index 46972601fc92..72c2f5b191ee 100644
> ---- a/pppd/pathnames.h
> -+++ b/pppd/pathnames.h
> -@@ -21,6 +21,13 @@
> - #define _PATH_UPAPFILE 	 _ROOT_PATH "/etc/ppp/pap-secrets"
> - #define _PATH_CHAPFILE 	 _ROOT_PATH "/etc/ppp/chap-secrets"
> - #define _PATH_SRPFILE 	 _ROOT_PATH "/etc/ppp/srp-secrets"
> -+
> -+#ifdef USE_EAPTLS
> -+#define _PATH_EAPTLSCLIFILE	_ROOT_PATH "/etc/ppp/eaptls-client"
> -+#define _PATH_EAPTLSSERVFILE	_ROOT_PATH "/etc/ppp/eaptls-server"
> -+#define _PATH_OPENSSLCONFFILE	_ROOT_PATH "/etc/ppp/openssl.cnf"
> -+#endif /* USE_EAPTLS */
> -+
> - #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
> - #define _PATH_IPUP	 _ROOT_PATH "/etc/ppp/ip-up"
> - #define _PATH_IPDOWN	 _ROOT_PATH "/etc/ppp/ip-down"
> -diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
> -index 0f9d37d2953b..bc29968d44c9 100644
> ---- a/pppd/plugins/Makefile.linux
> -+++ b/pppd/plugins/Makefile.linux
> -@@ -4,6 +4,9 @@ CFLAGS	= $(COPTS) -I.. -I../../include -fPIC
> - LDFLAGS	= $(LDOPTS)
> - INSTALL	= install
> - 
> -+# EAP-TLS
> -+CFLAGS += -DUSE_EAPTLS=1
> -+
> - DESTDIR = $(INSTROOT)@DESTDIR@
> - BINDIR = $(DESTDIR)/sbin
> - MANDIR = $(DESTDIR)/share/man/man8
> -diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
> -index babb6dc31bab..6ba73cae2795 100644
> ---- a/pppd/plugins/passprompt.c
> -+++ b/pppd/plugins/passprompt.c
> -@@ -107,4 +107,7 @@ void plugin_init(void)
> - {
> -     add_options(options);
> -     pap_passwd_hook = promptpass;
> -+#ifdef USE_EAPTLS
> -+    eaptls_passwd_hook = promptpass;
> -+#endif
> - }
> -diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
> -index d718f3bdf81d..c3f9793e41a0 100644
> ---- a/pppd/plugins/passwordfd.c
> -+++ b/pppd/plugins/passwordfd.c
> -@@ -79,4 +79,8 @@ void plugin_init (void)
> - 
> -     chap_check_hook = pwfd_check;
> -     chap_passwd_hook = pwfd_passwd;
> -+
> -+#ifdef USE_EAPTLS
> -+    eaptls_passwd_hook = pwfd_passwd;
> -+#endif
> - }
> -diff --git a/pppd/pppd.8 b/pppd/pppd.8
> -index 65bbe721f761..8afa2d1186e2 100644
> ---- a/pppd/pppd.8
> -+++ b/pppd/pppd.8
> -@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
> - compression in the corresponding direction.  Use \fInobsdcomp\fR or
> - \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
> - .TP
> -+.B ca \fIca-file
> -+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
> -+(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
> -+This option is used on the client-side in conjunction with the \fBcert\fR
> -+and \fBkey\fR options.
> -+.TP
> - .B cdtrcts
> - Use a non-standard hardware flow control (i.e. DTR/CTS) to control
> - the flow of data on the serial port.  If neither the \fIcrtscts\fR,
> -@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true
> - bi-directional flow control. The sacrifice is that this flow
> - control mode does not permit using DTR as a modem control line.
> - .TP
> -+.B cert \fIcertfile
> -+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM
> -+format), needed for setting up an EAP-TLS connection. This option is
> -+used on the client-side in conjunction with the \fBca\fR and
> -+\fBkey\fR options.
> -+.TP
> - .B chap\-interval \fIn
> - If this option is given, pppd will rechallenge the peer every \fIn\fR
> - seconds.
> -@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet.  The default value is
> - 1000 (1 second).  This wait period only applies if the \fBconnect\fR
> - or \fBpty\fR option is used.
> - .TP
> -+.B crl \fIfilename
> -+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
> -+to check for the validity of the peer's certificate. This option is not
> -+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
> -+option.
> -+.TP
> -+.B crl-dir \fIdirectory
> -+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
> -+has format ($hash.r0) to check for the validity of the peer's certificate.
> -+This option is not mandatory for setting up an EAP-TLS connection.
> -+Also see the \fBcrl\fR option.
> -+.TP
> - .B debug
> - Enables connection debugging facilities.
> - If this option is given, pppd will log the contents of all
> -@@ -561,6 +585,12 @@ transmitted packets be printed.  On most systems, messages printed by
> - the kernel are logged by syslog(1) to a file as directed in the
> - /etc/syslog.conf configuration file.
> - .TP
> -+.B key \fIkeyfile
> -+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM
> -+format), needed for setting up an EAP-TLS connection. This option is
> -+used on the client-side in conjunction with the \fBca\fR and
> -+\fBcert\fR options.
> -+.TP
> - .B ktune
> - Enables pppd to alter kernel settings as appropriate.  Under Linux,
> - pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
> -@@ -724,6 +754,9 @@ name to \fIname\fR.)
> - Disable Address/Control compression in both directions (send and
> - receive).
> - .TP
> -+.B need-peer-eap
> -+(EAP-TLS) Require the peer to verify our authentication credentials.
> -+.TP
> - .B noauth
> - Do not require the peer to authenticate itself.  This option is
> - privileged.
> -diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index 567d702181ca..195cbe3c6ffb 100644
> ---- a/pppd/pppd.h
> -+++ b/pppd/pppd.h
> -@@ -338,6 +338,11 @@ extern bool	dump_options;	/* print out option values */
> - extern bool	dryrun;		/* check everything, print options, exit */
> - extern int	child_wait;	/* # seconds to wait for children at end */
> - 
> -+#ifdef USE_EAPTLS
> -+extern char	*crl_dir;
> -+extern char	*crl_file;
> -+#endif /* USE_EAPTLS */
> -+
> - #ifdef MAXOCTETS
> - extern unsigned int maxoctets;	     /* Maximum octetes per session (in bytes) */
> - extern int       maxoctets_dir;      /* Direction :
> -@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void));
> - extern int (*chap_passwd_hook) __P((char *user, char *passwd));
> - extern void (*multilink_join_hook) __P((void));
> - 
> -+#ifdef USE_EAPTLS
> -+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
> -+#endif
> -+
> - /* Let a plugin snoop sent and received packets.  Useful for L2TP */
> - extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
> - extern void (*snoop_send_hook) __P((unsigned char *p, int len));
> diff --git a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
> deleted file mode 100644
> index bf83278a9915..000000000000
> --- a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
> +++ /dev/null
> @@ -1,115 +0,0 @@
> -From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
> -Date: Fri, 6 Apr 2018 14:27:18 +0200
> -Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875]
> -
> -It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped
> -libcrypt.  The libxcrypt standalone package can be used instead, but
> -it dropped the old setkey/encrypt API which ppp uses for DES.  There
> -is support for using openssl in pppcrypt.c, but it contains typos
> -preventing it from compiling and seems to be written for an ancient
> -openssl version.
> -
> -This updates the code to use current openssl.
> -
> -[paulus@ozlabs.org - wrote the commit description, fixed comment in
> - Makefile.linux.]
> -
> -Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
> -Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
> -
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> -
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> ----
> - pppd/Makefile.linux |  7 ++++---
> - pppd/pppcrypt.c     | 18 +++++++++---------
> - 2 files changed, 13 insertions(+), 12 deletions(-)
> -
> -diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index 58a634ce8c3b..cb9d4f9dcf22 100644
> ---- a/pppd/Makefile.linux
> -+++ b/pppd/Makefile.linux
> -@@ -35,10 +35,10 @@ endif
> - COPTS = -O2 -pipe -Wall -g
> - LIBS = -lcrypto
> - 
> --# Uncomment the next 2 lines to include support for Microsoft's
> -+# Uncomment the next line to include support for Microsoft's
> - # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
> - CHAPMS=y
> --USE_CRYPT=y
> -+#USE_CRYPT=y
> - # Don't use MSLANMAN unless you really know what you're doing.
> - #MSLANMAN=y
> - # Uncomment the next line to include support for MPPE.  CHAPMS (above) must
> -@@ -138,7 +138,8 @@ endif
> - 
> - ifdef NEEDDES
> - ifndef USE_CRYPT
> --LIBS     += -ldes $(LIBS)
> -+CFLAGS   += -I/usr/include/openssl
> -+LIBS     += -lcrypto
> - else
> - CFLAGS   += -DUSE_CRYPT=1
> - endif
> -diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
> -index 8b85b13276ab..6b35375edc5e 100644
> ---- a/pppd/pppcrypt.c
> -+++ b/pppd/pppcrypt.c
> -@@ -64,7 +64,7 @@ u_char *des_key;	/* OUT 64 bit DES key with parity bits added */
> - 	des_key[7] = Get7Bits(key, 49);
> - 
> - #ifndef USE_CRYPT
> --	des_set_odd_parity((des_cblock *)des_key);
> -+	DES_set_odd_parity((DES_cblock *)des_key);
> - #endif
> - }
> - 
> -@@ -158,25 +158,25 @@ u_char *clear;	/* OUT 8 octets */
> - }
> - 
> - #else /* USE_CRYPT */
> --static des_key_schedule	key_schedule;
> -+static DES_key_schedule	key_schedule;
> - 
> - bool
> - DesSetkey(key)
> - u_char *key;
> - {
> --	des_cblock des_key;
> -+	DES_cblock des_key;
> - 	MakeKey(key, des_key);
> --	des_set_key(&des_key, key_schedule);
> -+	DES_set_key(&des_key, &key_schedule);
> - 	return (1);
> - }
> - 
> - bool
> --DesEncrypt(clear, key, cipher)
> -+DesEncrypt(clear, cipher)
> - u_char *clear;	/* IN  8 octets */
> - u_char *cipher;	/* OUT 8 octets */
> - {
> --	des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
> --	    key_schedule, 1);
> -+	DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
> -+	    &key_schedule, 1);
> - 	return (1);
> - }
> - 
> -@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
> - u_char *cipher;	/* IN  8 octets */
> - u_char *clear;	/* OUT 8 octets */
> - {
> --	des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
> --	    key_schedule, 0);
> -+	DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
> -+	    &key_schedule, 0);
> - 	return (1);
> - }
> - 
> diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series
> deleted file mode 100644
> index 6aeaf1984704..000000000000
> --- a/patches/ppp-2.4.7/series
> +++ /dev/null
> @@ -1,46 +0,0 @@
> -# generated by git-ptx-patches
> -#tag:base --start-number 1
> -0001-abort-on-errors-in-subdir-builds.patch
> -0002-scripts-Avoid-killing-wrong-pppd.patch
> -0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
> -0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
> -0005-Send-PADT-on-PPPoE-disconnect.patch
> -0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
> -0007-pppd-Fix-ccp_options.mppe-type.patch
> -0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
> -0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
> -0010-plog-count-only-relevant-lines-from-syslog.patch
> -0011-Change-include-from-sys-errno.h-to-errno.h.patch
> -0012-pppd-allow-use-of-arbitrary-interface-names.patch
> -0013-pppd-Remove-unused-declaration-of-ttyname.patch
> -0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
> -0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
> -0016-adaptive_echos.patch
> -0017-Makefiles-cleanup.patch
> -0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
> -0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
> -0020-support-building-pppdump-with-the-system-zlib.patch
> -0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
> -0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
> -0023-pppoe_noads.patch
> -0024-make-_PATH_CONNERRS-world-readable.patch
> -0025-Correct-unkown-unknown-typo.patch
> -0026-pppoe-custom-host-uniq-tag.patch
> -0027-Add-replacedefaultroute-option.patch
> -0028-ppp-2.3.11-oedod.dif.patch
> -0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
> -0030-018_ip-up_option.patch
> -0031-ppp-2.4.2-stripMSdomain.patch
> -0032-export-CALL_FILE-to-the-link-scripts.patch
> -0033-ipv6-accept-remote.patch
> -0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
> -0035-resolv.conf_no_log.patch
> -0036-Debian-specific-changes.patch
> -0037-Fix-buffer-overflow-in-rc_mksid.patch
> -0038-EAP-TLS-authentication-support-for-PPP.patch
> -0039-Replace-vendored-hash-functions-with-libcrypto.patch
> -0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
> -#tag:ptx --start-number 100
> -0100-pppd-make-makefile-sysroot-aware.patch
> -0101-pppd-make-the-self-made-configure-cross-aware.patch
> -# b0e349fd34b2aac1a9ba4ffb38f43be0  - git-ptx-patches magic
> diff --git a/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
> new file mode 100644
> index 000000000000..c83b64b1c652
> --- /dev/null
> +++ b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
> @@ -0,0 +1,28 @@
> +From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
> +Date: Fri, 8 Jan 2021 02:43:46 +0100
> +Subject: [PATCH] configure: Allow commas in the CFLAGS (#220)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +It allows e.g. the following:
> +./configure --cflags='-Wp,-D_FORTIFY_SOURCE=2'
> +
> +Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
> +---
> + configure | 2 +-
> + 1 file changed, 1 insertion(+), 1 deletion(-)
> +
> +diff --git a/configure b/configure
> +index f977663fd8db..b0c3d2b49122 100755
> +--- a/configure
> ++++ b/configure
> +@@ -123,7 +123,7 @@ mkmkf() {
> + 	echo "  $2 <= $1"
> + 	sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
> + 	    -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
> +-	    -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
> ++	    -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2
> +     fi
> + }
> + 
> diff --git a/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
> new file mode 100644
> index 000000000000..33cf002db62b
> --- /dev/null
> +++ b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
> @@ -0,0 +1,55 @@
> +From: pali <7141871+pali@users.noreply.github.com>
> +Date: Mon, 15 Feb 2021 07:54:01 +0100
> +Subject: [PATCH] pppd: Fix compilation with older glibc or kernel headers
> + (#248)
> +MIME-Version: 1.0
> +Content-Type: text/plain; charset=UTF-8
> +Content-Transfer-Encoding: 8bit
> +
> +glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel
> +versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback
> +definitions for these macros into pppd/sys-linux.c file.
> +
> +Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option.
> +
> +Signed-off-by: Pali Rohár <pali@kernel.org>
> +---
> + pppd/sys-linux.c | 18 +++++++++++++++++-
> + 1 file changed, 17 insertions(+), 1 deletion(-)
> +
> +diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
> +index 85033d97124f..50c4f2dab403 100644
> +--- a/pppd/sys-linux.c
> ++++ b/pppd/sys-linux.c
> +@@ -125,6 +125,14 @@
> + #include <linux/netlink.h>
> + #include <linux/rtnetlink.h>
> + #include <linux/if_addr.h>
> ++/* glibc versions prior to 2.24 do not define SOL_NETLINK */
> ++#ifndef SOL_NETLINK
> ++#define SOL_NETLINK 270
> ++#endif
> ++/* linux kernel versions prior to 4.3 do not define/support NETLINK_CAP_ACK */
> ++#ifndef NETLINK_CAP_ACK
> ++#define NETLINK_CAP_ACK 10
> ++#endif
> + #endif
> + 
> + #include "pppd.h"
> +@@ -2843,7 +2851,15 @@ static int append_peer_ipv6_address(unsigned int iface, struct in6_addr *local_a
> +     if (fd < 0)
> +         return 0;
> + 
> +-    /* do not ask for error message content */
> ++    /*
> ++     * Tell kernel to not send to us payload of acknowledgment error message.
> ++     * NETLINK_CAP_ACK option is supported since Linux kernel version 4.3 and
> ++     * older kernel versions always send full payload in acknowledgment netlink
> ++     * message. We ignore payload of this message as we need only error code,
> ++     * to check if our set remote peer address request succeeded or failed.
> ++     * So ignore return value from the following setsockopt() call as setting
> ++     * option NETLINK_CAP_ACK means for us just a kernel hint / optimization.
> ++     */
> +     one = 1;
> +     setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &one, sizeof(one));
> + 
> diff --git a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
> similarity index 63%
> rename from patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
> rename to patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
> index ef8265d43686..383be9d60ba5 100644
> --- a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
> +++ b/patches/ppp-2.4.9/0100-support-building-pppdump-with-the-system-zlib.patch
> @@ -1,19 +1,25 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:48 +0200
>  Subject: [PATCH] support building pppdump with the system zlib
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Forwarded: https://github.com/paulusmack/ppp/pull/189
> +but nacked: "it caused compile failures (on Fedora at least), which
> +reminded me that the zlib.c here is not the same as upstream; it has
> +extra functions that I added a long time ago."
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
> +
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
>   pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++--
>   1 file changed, 26 insertions(+), 2 deletions(-)
>  
>  diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
> -index 65e5c14914fb..87777fab5e94 100644
> +index a94187fa9e29..de7e574d10e1 100644
>  --- a/pppdump/Makefile.linux
>  +++ b/pppdump/Makefile.linux
> -@@ -2,18 +2,42 @@ DESTDIR = $(INSTROOT)@DESTDIR@
> +@@ -6,15 +6,39 @@ DESTDIR = $(INSTROOT)@DESTDIR@
>   BINDIR = $(DESTDIR)/sbin
>   MANDIR = $(DESTDIR)/share/man/man8
>   
> @@ -21,10 +27,7 @@ index 65e5c14914fb..87777fab5e94 100644
>  +DO_BSD_COMPRESS=y
>  +HAVE_ZLIB=n
>  +
> - COPTS=-O2 -g
> - CFLAGS= $(COPTS) -I../include/net
> - LDFLAGS=$(LDOPTS)
> - 
> + CFLAGS = $(COPTS) -I../include/net
>  -OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
>  +OBJS = pppdump.o
>  +LIBS =
> @@ -40,14 +43,14 @@ index 65e5c14914fb..87777fab5e94 100644
>  +else
>  +CFLAGS += -DDO_DEFLATE=0
>  +endif
> -+
> + 
>  +ifdef DO_BSD_COMPRESS
>  +CFLAGS += -DDO_BSD_COMPRESS=1
>  +OBJS += bsd-comp.o
>  +else
>  +CFLAGS += -DDO_BSD_COMPRESS=0
>  +endif
> - 
> ++ 
>   INSTALL= install
>   
>   all:	pppdump
> diff --git a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
> similarity index 89%
> rename from patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
> rename to patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
> index 2fb9c5573458..882c913aa5c9 100644
> --- a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
> +++ b/patches/ppp-2.4.9/0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
> @@ -1,5 +1,5 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:48 +0200
>  Subject: [PATCH] disable unneeded code in the pppoatm plugin
>  
>  This patch halves the size of the PPPoA plugin by disabling features
> @@ -13,9 +13,9 @@ plugin with the real libatm. I really doubt anybody cares, anyway.
>  
>  
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
>   pppd/plugins/pppoatm/Makefile.linux | 4 ++++
>   pppd/plugins/pppoatm/pppoatm.c      | 4 ++++
> @@ -23,10 +23,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   3 files changed, 12 insertions(+)
>  
>  diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
> -index 002603c6cbef..76d81aced70a 100644
> +index d3a8086b69ea..036b193637df 100644
>  --- a/pppd/plugins/pppoatm/Makefile.linux
>  +++ b/pppd/plugins/pppoatm/Makefile.linux
> -@@ -25,9 +25,13 @@ ifdef HAVE_LIBATM
> +@@ -26,9 +26,13 @@ ifdef HAVE_LIBATM
>   LIBS := -latm
>   else
>   CFLAGS += -I.
> @@ -41,10 +41,10 @@ index 002603c6cbef..76d81aced70a 100644
>   #*********
>   all: $(PLUGIN)
>  diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
> -index d693350bc473..a7560e9fb0c6 100644
> +index 5a3ecd61b6a2..90d0c9a85d9f 100644
>  --- a/pppd/plugins/pppoatm/pppoatm.c
>  +++ b/pppd/plugins/pppoatm/pppoatm.c
> -@@ -142,8 +142,12 @@ static int connect_pppoatm(void)
> +@@ -145,8 +145,12 @@ static int connect_pppoatm(void)
>   	qos.txtp.traffic_class = qos.rxtp.traffic_class = ATM_UBR;
>   	/* TODO: support simplified QoS setting */
>   	if (qosstr != NULL)
> diff --git a/patches/ppp-2.4.9/0102-pppoe_noads.patch b/patches/ppp-2.4.9/0102-pppoe_noads.patch
> new file mode 100644
> index 000000000000..6629d4194e78
> --- /dev/null
> +++ b/patches/ppp-2.4.9/0102-pppoe_noads.patch
> @@ -0,0 +1,24 @@
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:48 +0200
> +Subject: [PATCH] pppoe_noads
> +
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
> +
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
> +---
> + pppd/plugins/pppoe/plugin.c | 2 --
> + 1 file changed, 2 deletions(-)
> +
> +diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
> +index de9b8166ce7b..58fbdf95be3f 100644
> +--- a/pppd/plugins/pppoe/plugin.c
> ++++ b/pppd/plugins/pppoe/plugin.c
> +@@ -412,8 +412,6 @@ plugin_init(void)
> +     }
> + 
> +     add_options(Options);
> +-
> +-    info("PPPoE plugin from pppd %s", VERSION);
> + }
> + 
> + void pppoe_check_options(void)
> diff --git a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
> similarity index 72%
> rename from patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
> rename to patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
> index 8151c3be260b..38eb5b7917db 100644
> --- a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
> +++ b/patches/ppp-2.4.9/0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
> @@ -1,10 +1,22 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:49 +0200
> -Subject: [PATCH] ppp-2.3.11-oedod.dif
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:48 +0200
> +Subject: [PATCH] Forwarded: https://github.com/paulusmack/ppp/issues/187
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Upstream said:
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +"
> +Hmmm, dial-on-demand was never tested with the sync option, and in fact I don't
> +know what devices would use that option.
> +
> +To be accepted, the patch would need a sign-off and a description that
> +explained the changes in the patch - in particular, what the large lump of code
> +added to demand_rexmit() is doing.
> +"
> +
> +
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
> +
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
>   pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
>   pppd/ipcp.c   |  2 +-
> @@ -13,7 +25,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   4 files changed, 101 insertions(+), 4 deletions(-)
>  
>  diff --git a/pppd/demand.c b/pppd/demand.c
> -index 5e57658ea831..3eddf3016d98 100644
> +index 289c9f8fdd57..4c61444d3968 100644
>  --- a/pppd/demand.c
>  +++ b/pppd/demand.c
>  @@ -36,6 +36,8 @@
> @@ -34,7 +46,7 @@ index 5e57658ea831..3eddf3016d98 100644
>   #ifdef PPP_FILTER
>   #include <pcap-bpf.h>
>   #endif
> -@@ -221,6 +225,14 @@ loop_chars(p, n)
> +@@ -218,6 +222,14 @@ loop_chars(unsigned char *p, int n)
>       int c, rv;
>   
>       rv = 0;
> @@ -49,14 +61,12 @@ index 5e57658ea831..3eddf3016d98 100644
>       for (; n > 0; --n) {
>   	c = *p++;
>   	if (c == PPP_FLAG) {
> -@@ -299,17 +311,102 @@ loop_frame(frame, len)
> +@@ -294,16 +306,101 @@ loop_frame(unsigned char *frame, int len)
>    * loopback, now that the real serial link is up.
>    */
>   void
> --demand_rexmit(proto)
> -+demand_rexmit(proto, newip)
> -     int proto;
> -+    u_int32_t newip;
> +-demand_rexmit(int proto)
> ++demand_rexmit(int proto, u_int32_t newip)
>   {
>       struct packet *pkt, *prev, *nextpkt;
>  +    unsigned short checksum;
> @@ -69,9 +79,11 @@ index 5e57658ea831..3eddf3016d98 100644
>       prev = NULL;
>       pkt = pend_q;
>       pend_q = NULL;
> ++
>  +    tv.tv_sec = 1;
>  +    tv.tv_usec = 0;
> -+    select(0,NULL,NULL,NULL,&tv);	/* Sleep for 1 Seconds */
> ++    select(0,NULL,NULL,NULL,&tv);	/* Sleep for 1 Second */
> ++
>       for (; pkt != NULL; pkt = nextpkt) {
>   	nextpkt = pkt->next;
>   	if (PPP_PROTOCOL(pkt->data) == proto) {
> @@ -83,7 +95,6 @@ index 5e57658ea831..3eddf3016d98 100644
>  +                if (checksum == 0xFFFF) {
>  +                    checksum = 0;
>  +                }
> -+
>  + 
>  +                if (pkt->data[13] == 17) {
>  +                    pkt_checksum =  *((unsigned short *) (pkt->data+10+iphdr));
> @@ -154,10 +165,10 @@ index 5e57658ea831..3eddf3016d98 100644
>   	    free(pkt);
>   	} else {
>  diff --git a/pppd/ipcp.c b/pppd/ipcp.c
> -index c8fe279d4ede..dceca807542a 100644
> +index 302ca40b4c83..3ac26a08032a 100644
>  --- a/pppd/ipcp.c
>  +++ b/pppd/ipcp.c
> -@@ -1904,7 +1904,7 @@ ipcp_up(f)
> +@@ -1850,7 +1850,7 @@ ipcp_up(fsm *f)
>   		    proxy_arp_set[f->unit] = 1;
>   
>   	}
> @@ -167,12 +178,12 @@ index c8fe279d4ede..dceca807542a 100644
>   
>       } else {
>  diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
> -index 356ff84ead41..c1602f41c206 100644
> +index 431cb62211bf..a32b0002e10d 100644
>  --- a/pppd/ipv6cp.c
>  +++ b/pppd/ipv6cp.c
> -@@ -1232,7 +1232,7 @@ ipv6cp_up(f)
> - 	    }
> - 
> +@@ -1253,7 +1253,7 @@ ipv6cp_up(fsm *f)
> + 		if (sif6defaultroute(f->unit, go->ourid, ho->hisid))
> + 		    default_route_set[f->unit] = 1;
>   	}
>  -	demand_rexmit(PPP_IPV6);
>  +	demand_rexmit(PPP_IPV6,0);
> @@ -180,15 +191,15 @@ index 356ff84ead41..c1602f41c206 100644
>   
>       } else {
>  diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index 7495df657fe9..e65106d4c126 100644
> +index 612902f55d0d..10a9977598aa 100644
>  --- a/pppd/pppd.h
>  +++ b/pppd/pppd.h
> -@@ -594,7 +594,7 @@ void demand_conf __P((void));	/* config interface(s) for demand-dial */
> - void demand_block __P((void));	/* set all NPs to queue up packets */
> - void demand_unblock __P((void)); /* set all NPs to pass packets */
> - void demand_discard __P((void)); /* set all NPs to discard packets */
> --void demand_rexmit __P((int));	/* retransmit saved frames for an NP */
> -+void demand_rexmit __P((int, u_int32_t)); /* retransmit saved frames for an NP*/
> - int  loop_chars __P((unsigned char *, int)); /* process chars from loopback */
> - int  loop_frame __P((unsigned char *, int)); /* should we bring link up? */
> +@@ -598,7 +598,7 @@ void demand_conf(void);	/* config interface(s) for demand-dial */
> + void demand_block(void);	/* set all NPs to queue up packets */
> + void demand_unblock(void); /* set all NPs to pass packets */
> + void demand_discard(void); /* set all NPs to discard packets */
> +-void demand_rexmit(int);	/* retransmit saved frames for an NP */
> ++void demand_rexmit(int, u_int32_t);	/* retransmit saved frames for an NP */
> + int  loop_chars(unsigned char *, int); /* process chars from loopback */
> + int  loop_frame(unsigned char *, int); /* should we bring link up? */
>   
> diff --git a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
> similarity index 56%
> rename from patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
> rename to patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
> index aea6b2082c8f..66265aa6cd77 100644
> --- a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
> +++ b/patches/ppp-2.4.9/0104-resolv.conf_no_log.patch
> @@ -1,19 +1,19 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:48 +0200
>  Subject: [PATCH] resolv.conf_no_log
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
>   pppd/ipcp.c | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
>  
>  diff --git a/pppd/ipcp.c b/pppd/ipcp.c
> -index d6e0e2a699fe..b81b2fd0a29f 100644
> +index 3ac26a08032a..ce002262bb34 100644
>  --- a/pppd/ipcp.c
>  +++ b/pppd/ipcp.c
> -@@ -2152,7 +2152,7 @@ create_resolv(peerdns1, peerdns2)
> +@@ -2093,7 +2093,7 @@ create_resolv(u_int32_t peerdns1, u_int32_t peerdns2)
>   
>       f = fopen(_PATH_RESOLV, "w");
>       if (f == NULL) {
> diff --git a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch
> similarity index 62%
> rename from patches/ppp-2.4.7/0036-Debian-specific-changes.patch
> rename to patches/ppp-2.4.9/0105-Debian-specific-changes.patch
> index 9576af1187d6..86bba35f9ecc 100644
> --- a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch
> +++ b/patches/ppp-2.4.9/0105-Debian-specific-changes.patch
> @@ -1,23 +1,27 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:49 +0200
>  Subject: [PATCH] Debian-specific changes.
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
> - pppd/Makefile.linux    | 6 ++----
> + pppd/Makefile.linux    | 6 +++---
>   pppd/pathnames.h       | 2 +-
>   pppd/pppd.h            | 2 +-
>   pppdump/Makefile.linux | 4 ++--
> - 4 files changed, 6 insertions(+), 8 deletions(-)
> + 4 files changed, 7 insertions(+), 7 deletions(-)
>  
>  diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index 16b3ee879791..5549145e5791 100644
> +index 22837c50415e..bbb476827cea 100644
>  --- a/pppd/Makefile.linux
>  +++ b/pppd/Makefile.linux
> -@@ -61,14 +61,14 @@ HAVE_MULTILINK=y
> - USE_TDB=y
> +@@ -64,17 +64,17 @@ USE_TDB=y
> + # Uncomment the next line to enable Type=notify services in systemd
> + # If enabled, and the user sets the up_sdnotify option, then
> + # pppd will not detach and will notify systemd when up.
> +-#SYSTEMD=y
> ++SYSTEMD=y
>   
>   HAS_SHADOW=y
>  -#USE_PAM=y
> @@ -33,23 +37,11 @@ index 16b3ee879791..5549145e5791 100644
>   
>   # Enable EAP SRP-SHA1 authentication (requires libsrp)
>   #USE_SRP=y
> -@@ -178,11 +178,9 @@ LIBS	+= -ldl
> - endif
> - 
> - ifdef FILTER
> --ifneq ($(wildcard /usr/include/pcap-bpf.h),)
> - LIBS    += -lpcap
> - CFLAGS  += -DPPP_FILTER
> - endif
> --endif
> - 
> - ifdef HAVE_INET6
> -      PPPDSRCS += ipv6cp.c eui64.c
>  diff --git a/pppd/pathnames.h b/pppd/pathnames.h
> -index a33f0466c9d6..46972601fc92 100644
> +index 524d608ce12c..2df61354f40e 100644
>  --- a/pppd/pathnames.h
>  +++ b/pppd/pathnames.h
> -@@ -28,7 +28,7 @@
> +@@ -33,7 +33,7 @@
>   #define _PATH_AUTHUP	 _ROOT_PATH "/etc/ppp/auth-up"
>   #define _PATH_AUTHDOWN	 _ROOT_PATH "/etc/ppp/auth-down"
>   #define _PATH_TTYOPT	 _ROOT_PATH "/etc/ppp/options."
> @@ -59,10 +51,10 @@ index a33f0466c9d6..46972601fc92 100644
>   #define _PATH_RESOLV	 _ROOT_PATH "/etc/ppp/resolv.conf"
>   
>  diff --git a/pppd/pppd.h b/pppd/pppd.h
> -index b11670586244..567d702181ca 100644
> +index 10a9977598aa..a14483b76acc 100644
>  --- a/pppd/pppd.h
>  +++ b/pppd/pppd.h
> -@@ -870,7 +870,7 @@ extern void (*snoop_send_hook) __P((unsigned char *p, int len));
> +@@ -879,7 +879,7 @@ extern void (*snoop_send_hook)(unsigned char *p, int len);
>     || defined(DEBUGCHAP) || defined(DEBUG) || defined(DEBUGIPV6CP)
>   #define LOG_PPP LOG_LOCAL2
>   #else
> @@ -72,10 +64,10 @@ index b11670586244..567d702181ca 100644
>   #endif /* LOG_PPP */
>   
>  diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
> -index 87777fab5e94..1eeeafe20111 100644
> +index de7e574d10e1..04b1c10b34c7 100644
>  --- a/pppdump/Makefile.linux
>  +++ b/pppdump/Makefile.linux
> -@@ -2,9 +2,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
> +@@ -6,9 +6,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
>   BINDIR = $(DESTDIR)/sbin
>   MANDIR = $(DESTDIR)/share/man/man8
>   
> @@ -85,5 +77,5 @@ index 87777fab5e94..1eeeafe20111 100644
>  -HAVE_ZLIB=n
>  +HAVE_ZLIB=y
>   
> - COPTS=-O2 -g
> - CFLAGS= $(COPTS) -I../include/net
> + CFLAGS = $(COPTS) -I../include/net
> + OBJS = pppdump.o
> diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
> similarity index 92%
> rename from patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
> rename to patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
> index a08af544a385..8597cf9a512b 100644
> --- a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
> +++ b/patches/ppp-2.4.9/0106-Replace-vendored-hash-functions-with-libcrypto.patch
> @@ -1,5 +1,5 @@
> -From: Michael Olbrich <m.olbrich@pengutronix.de>
> -Date: Sat, 28 Sep 2019 08:11:50 +0200
> +From: Alexander Dahl <ada@thorsis.com>
> +Date: Wed, 16 Jun 2021 18:22:49 +0200
>  Subject: [PATCH] Replace vendored hash functions with libcrypto
>  
>  Bug-Debian: https://bugs.debian.org/826625
> @@ -14,24 +14,24 @@ preferable both due to the patch being slightly less invasive and also because
>  of our use of the EAP-TLS patch which requires OpenSSL.
>  
>  
> -Imported from ppp_2.4.7-2+4.1.debian.tar.xz
> +Imported from ppp_2.4.9-1+1.debian.tar.xz
>  
> -Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
> +Signed-off-by: Alexander Dahl <ada@thorsis.com>
>  ---
> - pppd/Makefile.linux          |  25 ++--
> + pppd/Makefile.linux          |  28 +---
>   pppd/chap-md5.c              |   2 +-
>   pppd/chap_ms.c               |  40 ++----
> - pppd/eap.c                   |   2 +-
> - pppd/md4.c                   | 299 -----------------------------------------
> - pppd/md4.h                   |  64 ---------
> - pppd/md5.c                   | 311 -------------------------------------------
> - pppd/md5.h                   |  68 ----------
> + pppd/eap.c                   |   3 +-
> + pppd/md4.c                   | 290 -----------------------------------------
> + pppd/md4.h                   |  55 --------
> + pppd/md5.c                   | 299 -------------------------------------------
> + pppd/md5.h                   |  65 ----------
>   pppd/plugins/radius/md5.c    |   2 +-
>   pppd/plugins/radius/radius.c |   2 +-
>   pppd/plugins/winbind.c       |   2 +-
> - pppd/sha1.c                  | 170 -----------------------
> + pppd/sha1.c                  | 171 -------------------------
>   pppd/sha1.h                  |  31 -----
> - 13 files changed, 28 insertions(+), 990 deletions(-)
> + 13 files changed, 27 insertions(+), 963 deletions(-)
>   delete mode 100644 pppd/md4.c
>   delete mode 100644 pppd/md4.h
>   delete mode 100644 pppd/md5.c
> @@ -40,10 +40,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>   delete mode 100644 pppd/sha1.h
>  
>  diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index 4a11d5fea748..58a634ce8c3b 100644
> +index bbb476827cea..bc01e3fd2a24 100644
>  --- a/pppd/Makefile.linux
>  +++ b/pppd/Makefile.linux
> -@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include
> +@@ -15,16 +15,16 @@ INCDIR = $(DESTDIR)/include
>   
>   TARGETS = pppd
>   
> @@ -64,16 +64,16 @@ index 4a11d5fea748..58a634ce8c3b 100644
>   	   ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \
>   	   eap.o chap-md5.o session.o
>   
> -@@ -33,7 +33,7 @@ endif
> - # CC = gcc
> - #
> - COPTS = -O2 -pipe -Wall -g
> --LIBS =
> -+LIBS = -lcrypto
> +@@ -34,7 +34,7 @@ ifeq (.depend,$(wildcard .depend))
> + include .depend
> + endif
> + 
> +-LIBS = -lrt
> ++LIBS = -lrt -lcrypto
>   
> - # Uncomment the next 2 lines to include support for Microsoft's
> + # Uncomment the next line to include support for Microsoft's
>   # MS-CHAP authentication protocol.  Also, edit plugins/radius/Makefile.linux.
> -@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS)
> +@@ -98,8 +98,8 @@ CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
>   ifdef CHAPMS
>   CFLAGS   += -DCHAPMS=1
>   NEEDDES=y
> @@ -84,12 +84,11 @@ index 4a11d5fea748..58a634ce8c3b 100644
>   ifdef MSLANMAN
>   CFLAGS   += -DMSLANMAN=1
>   endif
> -@@ -104,25 +104,18 @@ endif
> - # EAP SRP-SHA1
> +@@ -113,26 +113,17 @@ endif
>   ifdef USE_SRP
>   CFLAGS	+= -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
> --LIBS	+= -lsrp -L/usr/local/ssl/lib -lcrypto
> -+LIBS	+= -lsrp -L/usr/local/ssl/lib
> + LIBS	+= -lsrp -L/usr/local/ssl/lib
> +-NEEDCRYPTOLIB = y
>   TARGETS	+= srp-entry
>   EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
>   MANPAGES += srp-entry.8
> @@ -106,27 +105,50 @@ index 4a11d5fea748..58a634ce8c3b 100644
>   
>   # EAP-TLS
>   ifdef USE_EAPTLS
> - CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
> --LIBS += -lssl -lcrypto
> -+LIBS += -lssl
> + CFLAGS += -DUSE_EAPTLS=1
> + LIBS += -lssl
> +-NEEDCRYPTOLIB = y
>   PPPDSRC += eap-tls.c
>   HEADERS += eap-tls.h
>   PPPDOBJS += eap-tls.o
> +@@ -156,7 +147,6 @@ endif
> + ifdef NEEDDES
> + ifndef USE_CRYPT
> + CFLAGS   += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
> +-NEEDCRYPTOLIB = y
> + else
> + CFLAGS   += -DUSE_CRYPT=1
> + endif
> +@@ -164,10 +154,6 @@ PPPDOBJS += pppcrypt.o
> + HEADERS += pppcrypt.h
> + endif
> + 
> +-ifdef NEEDCRYPTOLIB
> +-LIBS     += -lcrypto
> +-endif
> +-
> + # For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/.
> + ifdef USE_PAM
> + CFLAGS   += -DUSE_PAM
>  diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
> -index 269b52cb2041..7f7967a56842 100644
> +index 77dd4ecc7059..d86564aa865a 100644
>  --- a/pppd/chap-md5.c
>  +++ b/pppd/chap-md5.c
> -@@ -39,7 +39,7 @@
> - #ifdef USE_EAPTLS
> - #include "eap-tls.h"
> - #else
> --#include "md5.h"
> +@@ -32,11 +32,11 @@
> + 
> + #include <stdlib.h>
> + #include <string.h>
>  +#include <openssl/md5.h>
> - #endif /* USE_EAPTLS */
> + #include "pppd.h"
> + #include "chap-new.h"
> + #include "chap-md5.h"
> + #include "magic.h"
> +-#include "md5.h"
>   
>   #define MD5_HASH_SIZE		16
> + #define MD5_MIN_CHALLENGE	16
>  diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
> -index c2bd00f9c6f7..19edb85d27a8 100644
> +index e6b84f203fc3..64848f20f660 100644
>  --- a/pppd/chap_ms.c
>  +++ b/pppd/chap_ms.c
>  @@ -89,8 +89,8 @@
> @@ -140,7 +162,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>   #include "pppcrypt.h"
>   #include "magic.h"
>   
> -@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
> +@@ -536,8 +536,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
>   	      char *username, u_char Challenge[8])
>       
>   {
> @@ -151,7 +173,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>       char	*user;
>   
>       /* remove domain from "domain\username" */
> -@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
> +@@ -575,23 +575,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
>   static void
>   NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE])
>   {
> @@ -178,7 +200,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>   
>   }
>   
> -@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
> +@@ -672,8 +660,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
>   	  0x6E };
>   
>       int		i;
> @@ -189,7 +211,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>       u_char	Challenge[8];
>   
>       SHA1_Init(&sha1Context);
> -@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain
> +@@ -726,8 +714,8 @@ GenerateAuthenticatorResponsePlain
>   void
>   mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE])
>   {
> @@ -200,7 +222,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>   
>       SHA1_Init(&sha1Context);
>       SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
> -@@ -769,9 +757,9 @@ void
> +@@ -770,9 +758,9 @@ void
>   mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
>   	       u_char NTResponse[24], int IsServer)
>   {
> @@ -214,24 +236,27 @@ index c2bd00f9c6f7..19edb85d27a8 100644
>       u_char SHApad1[40] =
>   	{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
>  diff --git a/pppd/eap.c b/pppd/eap.c
> -index 032407c3dbb2..35d111015ff3 100644
> +index 79146557bd32..d987888d9f20 100644
>  --- a/pppd/eap.c
>  +++ b/pppd/eap.c
> -@@ -71,7 +71,7 @@
> - #ifdef USE_EAPTLS
> - #include "eap-tls.h"
> - #else
> --#include "md5.h"
> +@@ -59,9 +59,10 @@
> + #include <assert.h>
> + #include <errno.h>
> + 
>  +#include <openssl/md5.h>
> - #endif /* USE_EAPTLS */
> ++
> + #include "pppd.h"
> + #include "pathnames.h"
> +-#include "md5.h"
> + #include "eap.h"
>   
> - #ifdef USE_SRP
> + #ifdef CHAPMS
>  diff --git a/pppd/md4.c b/pppd/md4.c
>  deleted file mode 100644
> -index d943e8885f2d..000000000000
> +index 42a9b2e75d6e..000000000000
>  --- a/pppd/md4.c
>  +++ /dev/null
> -@@ -1,299 +0,0 @@
> +@@ -1,290 +0,0 @@
>  -/*
>  -** ********************************************************************
>  -** md4.c -- Implementation of MD4 Message Digest Algorithm           **
> @@ -321,8 +346,7 @@ index d943e8885f2d..000000000000
>  -** This is a user-callable routine.
>  -*/
>  -void
> --MD4Print(MDp)
> --MD4_CTX *MDp;
> +-MD4Print(MD4_CTX *MDp)
>  -{
>  -  int i,j;
>  -  for (i=0;i<4;i++)
> @@ -335,8 +359,7 @@ index d943e8885f2d..000000000000
>  -** This is a user-callable routine.
>  -*/
>  -void
> --MD4Init(MDp)
> --MD4_CTX *MDp;
> +-MD4Init(MD4_CTX *MDp)
>  -{
>  -  int i;
>  -  MDp->buffer[0] = I0;
> @@ -354,9 +377,7 @@ index d943e8885f2d..000000000000
>  -** This routine is not user-callable.
>  -*/
>  -static void
> --MDblock(MDp,Xb)
> --MD4_CTX *MDp;
> --unsigned char *Xb;
> +-MDblock(MD4_CTX *MDp, unsigned char *Xb)
>  -{
>  -  register unsigned int tmp, A, B, C, D;
>  -  unsigned int X[16];
> @@ -440,10 +461,7 @@ index d943e8885f2d..000000000000
>  -** if desired.
>  -*/
>  -void
> --MD4Update(MDp,X,count)
> --MD4_CTX *MDp;
> --unsigned char *X;
> --unsigned int count;
> +-MD4Update(MD4_CTX *MDp, unsigned char *X, unsigned int count)
>  -{
>  -  unsigned int i, tmp, bit, byte, mask;
>  -  unsigned char XX[64];
> @@ -511,9 +529,7 @@ index d943e8885f2d..000000000000
>  -** Finish up MD4 computation and return message digest.
>  -*/
>  -void
> --MD4Final(buf, MD)
> --unsigned char *buf;
> --MD4_CTX *MD;
> +-MD4Final(unsigned char *buf, MD4_CTX *MD)
>  -{
>  -  int i, j;
>  -  unsigned int w;
> @@ -533,10 +549,10 @@ index d943e8885f2d..000000000000
>  -****************************(cut)***********************************/
>  diff --git a/pppd/md4.h b/pppd/md4.h
>  deleted file mode 100644
> -index 80e8f9a2acca..000000000000
> +index b6fc3f561faa..000000000000
>  --- a/pppd/md4.h
>  +++ /dev/null
> -@@ -1,64 +0,0 @@
> +@@ -1,55 +0,0 @@
>  -
>  -/*
>  -** ********************************************************************
> @@ -547,15 +563,6 @@ index 80e8f9a2acca..000000000000
>  -** ********************************************************************
>  -*/
>  -
> --#ifndef __P
> --# if defined(__STDC__) || defined(__GNUC__)
> --#  define __P(x) x
> --# else
> --#  define __P(x) ()
> --# endif
> --#endif
> --
> --
>  -/* MDstruct is the data structure for a message digest computation.
>  -*/
>  -typedef struct {
> @@ -568,7 +575,7 @@ index 80e8f9a2acca..000000000000
>  -** Initialize the MD4_CTX prepatory to doing a message digest
>  -** computation.
>  -*/
> --extern void MD4Init __P((MD4_CTX *MD));
> +-extern void MD4Init(MD4_CTX *MD);
>  -
>  -/* MD4Update(MD,X,count)
>  -** Input: X -- a pointer to an array of unsigned characters.
> @@ -582,7 +589,7 @@ index 80e8f9a2acca..000000000000
>  -** every MD computation should end with one call to MD4Update with a
>  -** count less than 512.  Zero is OK for a count.
>  -*/
> --extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count));
> +-extern void MD4Update(MD4_CTX *MD, unsigned char *X, unsigned int count);
>  -
>  -/* MD4Print(MD)
>  -** Prints message digest buffer MD as 32 hexadecimal digits.
> @@ -590,23 +597,23 @@ index 80e8f9a2acca..000000000000
>  -** of buffer[3].
>  -** Each byte is printed with high-order hexadecimal digit first.
>  -*/
> --extern void MD4Print __P((MD4_CTX *));
> +-extern void MD4Print(MD4_CTX *);
>  -
>  -/* MD4Final(buf, MD)
>  -** Returns message digest from MD and terminates the message
>  -** digest computation.
>  -*/
> --extern void MD4Final __P((unsigned char *, MD4_CTX *));
> +-extern void MD4Final(unsigned char *, MD4_CTX *);
>  -
>  -/*
>  -** End of md4.h
>  -****************************(cut)***********************************/
>  diff --git a/pppd/md5.c b/pppd/md5.c
>  deleted file mode 100644
> -index 6f8f7207c592..000000000000
> +index f7988e64141a..000000000000
>  --- a/pppd/md5.c
>  +++ /dev/null
> -@@ -1,311 +0,0 @@
> +@@ -1,299 +0,0 @@
>  -
>  -
>  -/*
> @@ -642,8 +649,6 @@ index 6f8f7207c592..000000000000
>  - ***********************************************************************
>  - */
>  -
> --#ifndef USE_EAPTLS
> --
>  -#include <string.h>
>  -#include "md5.h"
>  -
> @@ -713,8 +718,7 @@ index 6f8f7207c592..000000000000
>  -/* The routine MD5_Init initializes the message-digest context
>  -   mdContext. All fields are set to zero.
>  - */
> --void MD5_Init (mdContext)
> --MD5_CTX *mdContext;
> +-void MD5_Init (MD5_CTX *mdContext)
>  -{
>  -  mdContext->i[0] = mdContext->i[1] = (UINT4)0;
>  -
> @@ -730,10 +734,7 @@ index 6f8f7207c592..000000000000
>  -   account for the presence of each of the characters inBuf[0..inLen-1]
>  -   in the message whose digest is being computed.
>  - */
> --void MD5_Update (mdContext, inBuf, inLen)
> --MD5_CTX *mdContext;
> --unsigned char *inBuf;
> --unsigned int inLen;
> +-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen)
>  -{
>  -  UINT4 in[16];
>  -  int mdi;
> @@ -768,9 +769,7 @@ index 6f8f7207c592..000000000000
>  -/* The routine MD5Final terminates the message-digest computation and
>  -   ends with the desired message digest in mdContext->digest[0...15].
>  - */
> --void MD5_Final (hash, mdContext)
> --unsigned char hash[];
> --MD5_CTX *mdContext;
> +-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext)
>  -{
>  -  UINT4 in[16];
>  -  int mdi;
> @@ -811,9 +810,7 @@ index 6f8f7207c592..000000000000
>  -
>  -/* Basic MD5 step. Transforms buf based on in.
>  - */
> --static void Transform (buf, in)
> --UINT4 *buf;
> --UINT4 *in;
> +-static void Transform (UINT4 *buf, UINT4 *in)
>  -{
>  -  UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
>  -
> @@ -916,14 +913,12 @@ index 6f8f7207c592..000000000000
>  - ** End of md5.c                                                      **
>  - ******************************** (cut) ********************************
>  - */
> --#endif /* USE_EAPTLS */
> --
>  diff --git a/pppd/md5.h b/pppd/md5.h
>  deleted file mode 100644
> -index 14d712171c5e..000000000000
> +index 71e8b00e2dde..000000000000
>  --- a/pppd/md5.h
>  +++ /dev/null
> -@@ -1,68 +0,0 @@
> +@@ -1,65 +0,0 @@
>  -/*
>  - ***********************************************************************
>  - ** md5.h -- header file for implementation of MD5                    **
> @@ -962,7 +957,6 @@ index 14d712171c5e..000000000000
>  - ** documentation and/or software.                                    **
>  - ***********************************************************************
>  - */
> --#ifndef USE_EAPTLS
>  -
>  -#ifndef __MD5_INCLUDE__
>  -
> @@ -990,8 +984,6 @@ index 14d712171c5e..000000000000
>  -
>  -#define __MD5_INCLUDE__
>  -#endif /* __MD5_INCLUDE__ */
> --
> --#endif /* USE_EAPTLS */
>  diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c
>  index 8af03aa3713e..90d9b025d211 100644
>  --- a/pppd/plugins/radius/md5.c
> @@ -1006,7 +998,7 @@ index 8af03aa3713e..90d9b025d211 100644
>   void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen)
>   {
>  diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
> -index 06e00590b635..60282d9b2b9c 100644
> +index c5798316719a..d5d63698a6dc 100644
>  --- a/pppd/plugins/radius/radius.c
>  +++ b/pppd/plugins/radius/radius.c
>  @@ -31,7 +31,7 @@ static char const RCSID[] =
> @@ -1019,7 +1011,7 @@ index 06e00590b635..60282d9b2b9c 100644
>   #endif
>   #include "radiusclient.h"
>  diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c
> -index bb05acd87dce..5f87a317b677 100644
> +index 0c395c34711a..6320645ac994 100644
>  --- a/pppd/plugins/winbind.c
>  +++ b/pppd/plugins/winbind.c
>  @@ -38,7 +38,7 @@
> @@ -1033,10 +1025,10 @@ index bb05acd87dce..5f87a317b677 100644
>   #include "ipcp.h"
>  diff --git a/pppd/sha1.c b/pppd/sha1.c
>  deleted file mode 100644
> -index f4f975cf516f..000000000000
> +index 4e51cee506c2..000000000000
>  --- a/pppd/sha1.c
>  +++ /dev/null
> -@@ -1,170 +0,0 @@
> +@@ -1,171 +0,0 @@
>  -/*
>  - * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c
>  - * 
> @@ -1056,6 +1048,7 @@ index f4f975cf516f..000000000000
>  -/* #define SHA1HANDSOFF * Copies data before messing with it. */
>  -
>  -#include <string.h>
> +-#include <time.h>
>  -#include <netinet/in.h>	/* htonl() */
>  -#include <net/ppp_defs.h>
>  -#include "sha1.h"
> diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
> similarity index 63%
> rename from patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
> rename to patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
> index c205b15ed9aa..11020e0cce5a 100644
> --- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
> +++ b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
> @@ -13,14 +13,14 @@ Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de>
>  Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
>  Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
>  ---
> - pppd/Makefile.linux | 10 ++++------
> - 1 file changed, 4 insertions(+), 6 deletions(-)
> + pppd/Makefile.linux | 6 +++---
> + 1 file changed, 3 insertions(+), 3 deletions(-)
>  
>  diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
> -index cb9d4f9dcf22..ea0a7f02766b 100644
> +index bc01e3fd2a24..9b0119463c1f 100644
>  --- a/pppd/Makefile.linux
>  +++ b/pppd/Makefile.linux
> -@@ -103,8 +103,8 @@ endif
> +@@ -111,8 +111,8 @@ endif
>   
>   # EAP SRP-SHA1
>   ifdef USE_SRP
> @@ -31,32 +31,12 @@ index cb9d4f9dcf22..ea0a7f02766b 100644
>   TARGETS	+= srp-entry
>   EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
>   MANPAGES += srp-entry.8
> -@@ -114,7 +114,7 @@ endif
> - 
> - # EAP-TLS
> - ifdef USE_EAPTLS
> --CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
> -+CFLAGS += -DUSE_EAPTLS=1
> - LIBS += -lssl
> - PPPDSRC += eap-tls.c
> - HEADERS += eap-tls.h
> -@@ -126,10 +126,8 @@ CFLAGS   += -DHAS_SHADOW
> - #LIBS     += -lshadow $(LIBS)
> - endif
> - 
> --ifneq ($(wildcard /usr/include/crypt.h),)
> - CFLAGS  += -DHAVE_CRYPT_H=1
> - LIBS	+= -lcrypt
> --endif
> - 
> - ifdef USE_LIBUTIL
> - CFLAGS	+= -DHAVE_LOGWTMP=1
> -@@ -138,7 +136,7 @@ endif
> +@@ -146,7 +146,7 @@ endif
>   
>   ifdef NEEDDES
>   ifndef USE_CRYPT
> --CFLAGS   += -I/usr/include/openssl
> +-CFLAGS   += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
>  +CFLAGS   += -I$(SYSROOT)/usr/include/openssl
> - LIBS     += -lcrypto
>   else
>   CFLAGS   += -DUSE_CRYPT=1
> + endif
> diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
> similarity index 87%
> rename from patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
> rename to patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
> index f57361a4c639..590cf3ae43cc 100644
> --- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
> +++ b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
> @@ -11,11 +11,11 @@ Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
>   2 files changed, 11 insertions(+), 1 deletion(-)
>  
>  diff --git a/configure b/configure
> -index 6a55e0f08be4..3886564fa495 100755
> +index b0c3d2b49122..4bc6a18fad32 100755
>  --- a/configure
>  +++ b/configure
> -@@ -14,6 +14,16 @@ SYSCONF=/etc
> - #  fi
> +@@ -15,6 +15,16 @@ release=`uname -r`
> + arch=`uname -m`
>   state="unknown"
>   
>  +if [ -n $TARGET_OS ]; then
> @@ -32,10 +32,10 @@ index 6a55e0f08be4..3886564fa495 100755
>     Linux)
>       makext="linux";
>  diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
> -index bc29968d44c9..e010ad215981 100644
> +index 6403e3d477e3..375be764e19a 100644
>  --- a/pppd/plugins/Makefile.linux
>  +++ b/pppd/plugins/Makefile.linux
> -@@ -47,5 +47,5 @@ clean:
> +@@ -49,5 +49,5 @@ clean:
>   	for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
>   
>   depend:
> diff --git a/patches/ppp-2.4.9/series b/patches/ppp-2.4.9/series
> new file mode 100644
> index 000000000000..4028f0892992
> --- /dev/null
> +++ b/patches/ppp-2.4.9/series
> @@ -0,0 +1,17 @@
> +# generated by git-ptx-patches
> +#tag:base --start-number 1
> +#tag:upstream --start-number 1
> +0001-configure-Allow-commas-in-the-CFLAGS-220.patch
> +0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
> +#tag:debian --start-number 100
> +0100-support-building-pppdump-with-the-system-zlib.patch
> +0101-disable-unneeded-code-in-the-pppoatm-plugin.patch
> +0102-pppoe_noads.patch
> +0103-Forwarded-https-github.com-paulusmack-ppp-issues-187.patch
> +0104-resolv.conf_no_log.patch
> +0105-Debian-specific-changes.patch
> +0106-Replace-vendored-hash-functions-with-libcrypto.patch
> +#tag:ptx --start-number 200
> +0200-pppd-make-makefile-sysroot-aware.patch
> +0201-pppd-make-the-self-made-configure-cross-aware.patch
> +# 9c9016a8956cf8c0dc84ee8dbe803cf3  - git-ptx-patches magic
> diff --git a/rules/ppp.make b/rules/ppp.make
> index 8bfb88b55904..932910c98b02 100644
> --- a/rules/ppp.make
> +++ b/rules/ppp.make
> @@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_PPP) += ppp
>  #
>  # Paths and names
>  #
> -PPP_VERSION	:= 2.4.7
> -PPP_MD5		:= 78818f40e6d33a1d1de68a1551f6595a
> +PPP_VERSION	:= 2.4.9
> +PPP_MD5		:= c88153ae3d16ae114152cd3c15c7301d
>  PPP		:= ppp-$(PPP_VERSION)
>  PPP_SUFFIX	:= tar.gz
>  PPP_URL		:= http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX)
> @@ -55,7 +55,7 @@ PPP_SHARED_INST_PATH := /usr/lib/pppd/$(PPP_VERSION)
>  $(STATEDIR)/ppp.prepare:
>  	@$(call targetinfo)
>  	@cd $(PPP_DIR) && $(PPP_PATH) $(PPP_CONF_ENV) \
> -		./configure --prefix=/usr --sysconfdir=/etc
> +		./configure --prefix=/usr --sysconfdir=/etc --cc=$(CROSS_CC)
>  
>  	@$(call disable_sh,$(PPP_DIR)/pppd/Makefile,USE_PAM=y)
>  

_______________________________________________
ptxdist mailing list
ptxdist@pengutronix.de
To unsubscribe, send a mail with subject "unsubscribe" to ptxdist-request@pengutronix.de

^ permalink raw reply	[flat|nested] 11+ messages in thread

end of thread, other threads:[~2021-06-29  5:13 UTC | newest]

Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-06-23  7:33 [ptxdist] [PATCH v3 0/5] mobile broadband software version bump Alexander Dahl
2021-06-23  7:33 ` [ptxdist] [PATCH v3 1/5] libqmi: version bump 1.28.2 -> 1.28.6 Alexander Dahl
2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23  7:33 ` [ptxdist] [PATCH v3 2/5] modemmanager: version bump 1.16.2 -> 1.16.6 Alexander Dahl
2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23  7:33 ` [ptxdist] [PATCH v3 3/5] networkmanager: version bump 1.26.2 -> 1.30.4 Alexander Dahl
2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23  7:33 ` [ptxdist] [PATCH v3 4/5] networkmanager: Make "more logging" optional Alexander Dahl
2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich
2021-06-23  7:33 ` [ptxdist] [PATCH v3 5/5] ppp: version bump 2.4.7 -> 2.4.9 Alexander Dahl
2021-06-29  5:09   ` [ptxdist] [APPLIED] " Michael Olbrich

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox