* [ptxdist] [RFC PATCH 1/1] ppp: version bump 2.4.7 -> 2.4.9
From: Alexander Dahl @ 2021-06-14 14:47 UTC
To: ptxdist
- imported two post-2.4.9 upstream patches
- imported Debian patches from package ppp (2.4.9-1+1)
- adapted ptx patches
Signed-off-by: Alexander Dahl <ada@thorsis.com>
---
...001-abort-on-errors-in-subdir-builds.patch | 48 -
...002-scripts-Avoid-killing-wrong-pppd.patch | 29 -
...tension-when-displaying-bytes-in-oct.patch | 30 -
...se-error-message-on-PPPoE-disconnect.patch | 33 -
.../0005-Send-PADT-on-PPPoE-disconnect.patch | 36 -
...nt-buffer-overrun-on-remote-router-n.patch | 30 -
.../0007-pppd-Fix-ccp_options.mppe-type.patch | 30 -
...en-calculated-size-if-both-deflate_c.patch | 33 -
| 24 -
...ount-only-relevant-lines-from-syslog.patch | 24 -
...-include-from-sys-errno.h-to-errno.h.patch | 33 -
...low-use-of-arbitrary-interface-names.patch | 214 --
...Remove-unused-declaration-of-ttyname.patch | 25 -
...or-implementation-in-pppoe-discovery.patch | 52 -
...clude-netinet-in.h-before-linux-in.h.patch | 49 -
patches/ppp-2.4.7/0016-adaptive_echos.patch | 72 -
.../ppp-2.4.7/0017-Makefiles-cleanup.patch | 296 --
...does-not-properly-close-dev-ppp-on-p.patch | 44 -
...inkpidfile-is-not-created-upon-detac.patch | 48 -
...smetic-cleanup-of-the-pppoatm-plugin.patch | 90 -
patches/ppp-2.4.7/0023-pppoe_noads.patch | 25 -
...4-make-_PATH_CONNERRS-world-readable.patch | 27 -
.../0025-Correct-unkown-unknown-typo.patch | 46 -
.../0026-pppoe-custom-host-uniq-tag.patch | 302 --
.../0027-Add-replacedefaultroute-option.patch | 324 --
...-for-the-Framed-MTU-Radius-attribute.patch | 42 -
patches/ppp-2.4.7/0030-018_ip-up_option.patch | 106 -
.../0031-ppp-2.4.2-stripMSdomain.patch | 47 -
...export-CALL_FILE-to-the-link-scripts.patch | 38 -
.../ppp-2.4.7/0033-ipv6-accept-remote.patch | 73 -
...buffer-overflow-in-clientid.c-rc_map.patch | 43 -
...0037-Fix-buffer-overflow-in-rc_mksid.patch | 36 -
...P-TLS-authentication-support-for-PPP.patch | 3383 -----------------
...-for-the-DES-instead-of-the-libcrypt.patch | 115 -
patches/ppp-2.4.7/series | 46 -
...igure-Allow-commas-in-the-CFLAGS-220.patch | 28 +
...tion-with-older-glibc-or-kernel-head.patch | 55 +
patches/ppp-2.4.9/0100-chat_man.patch | 31 +
.../0101-pppdump_use_zlib.patch} | 26 +-
.../0102-pppoatm_resolver_light.patch} | 22 +-
patches/ppp-2.4.9/0103-pppoe_noads.patch | 21 +
.../0104-011_scripts_redialer.diff.patch | 162 +
.../0105-ppp-2.3.11-oedod.dif.patch} | 62 +-
.../0106-010_scripts_README.diff.patch | 30 +
patches/ppp-2.4.9/0107-no_crypt_hack.patch | 62 +
.../0108-resolv.conf_no_log.patch} | 11 +-
.../0109-zzz_config.patch} | 52 +-
patches/ppp-2.4.9/0110-pppd-soname-hack.patch | 31 +
...111-replace-vendored-hash-functions.patch} | 217 +-
...00-pppd-make-makefile-sysroot-aware.patch} | 34 +-
...the-self-made-configure-cross-aware.patch} | 10 +-
patches/ppp-2.4.9/series | 22 +
rules/ppp.make | 6 +-
53 files changed, 638 insertions(+), 6137 deletions(-)
delete mode 100644 patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
delete mode 100644 patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
delete mode 100644 patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
delete mode 100644 patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
delete mode 100644 patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
delete mode 100644 patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
delete mode 100644 patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
delete mode 100644 patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
delete mode 100644 patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
delete mode 100644 patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
delete mode 100644 patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
delete mode 100644 patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
delete mode 100644 patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
delete mode 100644 patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
delete mode 100644 patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
delete mode 100644 patches/ppp-2.4.7/0016-adaptive_echos.patch
delete mode 100644 patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
delete mode 100644 patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
delete mode 100644 patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
delete mode 100644 patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
delete mode 100644 patches/ppp-2.4.7/0023-pppoe_noads.patch
delete mode 100644 patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
delete mode 100644 patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
delete mode 100644 patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
delete mode 100644 patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
delete mode 100644 patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
delete mode 100644 patches/ppp-2.4.7/0030-018_ip-up_option.patch
delete mode 100644 patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
delete mode 100644 patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
delete mode 100644 patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
delete mode 100644 patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
delete mode 100644 patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
delete mode 100644 patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
delete mode 100644 patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
delete mode 100644 patches/ppp-2.4.7/series
create mode 100644 patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
create mode 100644 patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
create mode 100644 patches/ppp-2.4.9/0100-chat_man.patch
rename patches/{ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch => ppp-2.4.9/0101-pppdump_use_zlib.patch} (62%)
rename patches/{ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch => ppp-2.4.9/0102-pppoatm_resolver_light.patch} (87%)
create mode 100644 patches/ppp-2.4.9/0103-pppoe_noads.patch
create mode 100644 patches/ppp-2.4.9/0104-011_scripts_redialer.diff.patch
rename patches/{ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch => ppp-2.4.9/0105-ppp-2.3.11-oedod.dif.patch} (74%)
create mode 100644 patches/ppp-2.4.9/0106-010_scripts_README.diff.patch
create mode 100644 patches/ppp-2.4.9/0107-no_crypt_hack.patch
rename patches/{ppp-2.4.7/0035-resolv.conf_no_log.patch => ppp-2.4.9/0108-resolv.conf_no_log.patch} (56%)
rename patches/{ppp-2.4.7/0036-Debian-specific-changes.patch => ppp-2.4.9/0109-zzz_config.patch} (60%)
create mode 100644 patches/ppp-2.4.9/0110-pppd-soname-hack.patch
rename patches/{ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch => ppp-2.4.9/0111-replace-vendored-hash-functions.patch} (92%)
rename patches/{ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch => ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch} (63%)
rename patches/{ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch => ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch} (87%)
create mode 100644 patches/ppp-2.4.9/series
diff --git a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch b/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
deleted file mode 100644
index c6a76ce65..000000000
--- a/patches/ppp-2.4.7/0001-abort-on-errors-in-subdir-builds.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: Martin von Gagern <Martin.vGagern@gmx.net>
-Date: Sat, 9 Aug 2014 22:44:45 -0400
-Subject: [PATCH] abort on errors in subdir builds
-
-The current recursive loops do not check the exit status of make
-in subdirs which leads to `make` passing even when a subdir failed
-to compile or install.
-
-URL: https://bugs.gentoo.org/334727
-Signed-off-by: Martin von Gagern <Martin.vGagern@gmx.net>
-Signed-off-by: Mike Frysinger <vapier@gentoo.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/Makefile.linux | 8 ++++----
- 1 file changed, 4 insertions(+), 4 deletions(-)
-
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index ab8cf50d9472..8a90e393a057 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -27,7 +27,7 @@ include .depend
- endif
-
- all: $(PLUGINS)
-- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all; done
-+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
-
- %.so: %.c
- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
-@@ -37,12 +37,12 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
- install: $(PLUGINS)
- $(INSTALL) -d $(LIBDIR)
- $(INSTALL) $? $(LIBDIR)
-- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install; done
-+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d install || exit $$?; done
-
- clean:
- rm -f *.o *.so *.a
-- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean; done
-+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
-
- depend:
- $(CPP) -M $(CFLAGS) *.c >.depend
-- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend; done
-+ for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d depend || exit $$?; done
diff --git a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch b/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
deleted file mode 100644
index dc24c228e..000000000
--- a/patches/ppp-2.4.7/0002-scripts-Avoid-killing-wrong-pppd.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: radaiming <radaiming@gmail.com>
-Date: Sat, 13 Dec 2014 14:42:34 +0800
-Subject: [PATCH] scripts: Avoid killing wrong pppd
-
- poff could kill other pppd processes when there are many pppd
- running on different serial port.
-
- Signed-off-by: Ming Dai <radaiming@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- scripts/poff | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/poff b/scripts/poff
-index 3f55a7f40010..5b45d98a2b6a 100644
---- a/scripts/poff
-+++ b/scripts/poff
-@@ -91,7 +91,7 @@ if test "$#" -eq 0 -o "$MODE" = "all" ; then
- fi
-
- # There is an argument, so kill the pppd started on that provider.
--PID=`ps axw | grep "[ /]pppd call $1" | awk '{print $1}'`
-+PID=`ps axw | grep "[ /]pppd call $1" | grep -w "$1" | awk '{print $1}'`
- if test -n "$PID" ; then
- $KILL -$SIG $PID || {
- echo "$0: $KILL failed. None ${DONE}."
diff --git a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch b/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
deleted file mode 100644
index 2bd23b921..000000000
--- a/patches/ppp-2.4.7/0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: "Philip A. Prindeville" <philipp@redfish-solutions.com>
-Date: Fri, 19 Dec 2014 17:52:58 -0700
-Subject: [PATCH] pppd: Fix sign-extension when displaying bytes in octal
-
-print_string() displays characters as \\%.03o but without first
-casting it from "char" to "unsigned char" so it gets sign-extended
-to an int. This causes output like \37777777630 instead of \230.
-
-Signed-off-by: Philip A. Prindeville <philipp@redfish-solutions.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/utils.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/utils.c b/pppd/utils.c
-index 29bf970905d5..3ac1b60926d2 100644
---- a/pppd/utils.c
-+++ b/pppd/utils.c
-@@ -625,7 +625,7 @@ print_string(p, len, printer, arg)
- printer(arg, "\\t");
- break;
- default:
-- printer(arg, "\\%.3o", c);
-+ printer(arg, "\\%.3o", (unsigned char) c);
- }
- }
- }
diff --git a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
deleted file mode 100644
index 6d4bd5c10..000000000
--- a/patches/ppp-2.4.7/0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Simon Farnsworth <simon@farnz.org.uk>
-Date: Sun, 1 Mar 2015 11:49:06 +0000
-Subject: [PATCH] Suppress false error message on PPPoE disconnect
-
-Once the kernel handles PPPoE PADTs correctly[1], a PADT triggered
-disconnect will result in EALREADY when pppd tries to clear the session ID.
-
-Simply ignore the error if, and only if, the error is EALREADY
-
-[1] https://patchwork.ozlabs.org/patch/444717/
-
-Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index a8c2bb4f4a6a..da50cdf2b9d3 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -270,7 +270,7 @@ PPPOEDisconnectDevice(void)
- memcpy(sp.sa_addr.pppoe.dev, conn->ifName, IFNAMSIZ);
- memcpy(sp.sa_addr.pppoe.remote, conn->peerEth, ETH_ALEN);
- if (connect(conn->sessionSocket, (struct sockaddr *) &sp,
-- sizeof(struct sockaddr_pppox)) < 0)
-+ sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
- error("Failed to disconnect PPPoE socket: %d %m", errno);
- close(conn->sessionSocket);
- /* don't send PADT?? */
diff --git a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch b/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
deleted file mode 100644
index 28efdfc71..000000000
--- a/patches/ppp-2.4.7/0005-Send-PADT-on-PPPoE-disconnect.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Simon Farnsworth <simon@farnz.org.uk>
-Date: Sun, 1 Mar 2015 11:53:58 +0000
-Subject: [PATCH] Send PADT on PPPoE disconnect
-
-Once we've terminated the PPP session, there is no chance of a PPP layer
-disconnect. Some PPPoE relays don't detect the PPP session going down, and
-depend on a long timeout or a PPPoE PADT to terminate the session.
-
-Send a PADT on disconnect to work around these buggy relays.
-
-Signed-off-by: Simon Farnsworth <simon@farnz.org.uk>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index da50cdf2b9d3..c89be94250bc 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -273,9 +273,10 @@ PPPOEDisconnectDevice(void)
- sizeof(struct sockaddr_pppox)) < 0 && errno != EALREADY)
- error("Failed to disconnect PPPoE socket: %d %m", errno);
- close(conn->sessionSocket);
-- /* don't send PADT?? */
-- if (conn->discoverySocket >= 0)
-+ if (conn->discoverySocket >= 0) {
-+ sendPADT(conn, NULL);
- close(conn->discoverySocket);
-+ }
- }
-
- static void
diff --git a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch b/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
deleted file mode 100644
index 7d98127c2..000000000
--- a/patches/ppp-2.4.7/0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Paul Mackerras <paulus@samba.org>
-Date: Fri, 14 Aug 2015 17:56:26 +1000
-Subject: [PATCH] pppd: ipxcp: Prevent buffer overrun on remote router name
-
-This fixes an if condition to prevent a possible 1-byte overrun
-on ipxcp_hisoptions[0].name.
-
-Reported-by: "Sabas Rosales, Blanca E" <blanca.e.sabas.rosales@intel.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipxcp.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/ipxcp.c b/pppd/ipxcp.c
-index 7b2343e15537..aaff10f76200 100644
---- a/pppd/ipxcp.c
-+++ b/pppd/ipxcp.c
-@@ -1194,7 +1194,7 @@ ipxcp_reqci(f, inp, len, reject_if_disagree)
- case IPX_ROUTER_NAME:
- if (cilen >= CILEN_NAME) {
- int name_size = cilen - CILEN_NAME;
-- if (name_size > sizeof (ho->name))
-+ if (name_size >= sizeof (ho->name))
- name_size = sizeof (ho->name) - 1;
- memset (ho->name, 0, sizeof (ho->name));
- memcpy (ho->name, p, name_size);
diff --git a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch b/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
deleted file mode 100644
index 475edae24..000000000
--- a/patches/ppp-2.4.7/0007-pppd-Fix-ccp_options.mppe-type.patch
+++ /dev/null
@@ -1,30 +0,0 @@
-From: Sylvain Rochet <gradator@gradator.net>
-Date: Wed, 25 Mar 2015 00:25:18 +0100
-Subject: [PATCH] pppd: Fix ccp_options.mppe type
-
-This corrects the type of ccp_options.mppe; it is actually a bitfield of
-MPPE_OPT_* and not a boolean.
-
-Signed-off-by: Sylvain Rochet <gradator@gradator.net>
-Signed-off-by: Paul Mackerras <paulus@samba.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ccp.h | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/ccp.h b/pppd/ccp.h
-index 6f4a2fee0a2c..76446db007c0 100644
---- a/pppd/ccp.h
-+++ b/pppd/ccp.h
-@@ -37,7 +37,7 @@ typedef struct ccp_options {
- bool predictor_2; /* do Predictor-2? */
- bool deflate_correct; /* use correct code for deflate? */
- bool deflate_draft; /* use draft RFC code for deflate? */
-- bool mppe; /* do MPPE? */
-+ u_char mppe; /* MPPE bitfield */
- u_short bsd_bits; /* # bits/code for BSD Compress */
- u_short deflate_size; /* lg(window size) for Deflate */
- short method; /* code for chosen compression method */
diff --git a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch b/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
deleted file mode 100644
index d73b4de32..000000000
--- a/patches/ppp-2.4.7/0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Sylvain Rochet <gradator@gradator.net>
-Date: Tue, 24 Mar 2015 21:21:40 +0100
-Subject: [PATCH] pppd: Fix ccp_cilen calculated size if both deflate_correct
- and deflate_draft are enabled
-
-This fixes a bug where ccp_cilen() will return 4 bytes less than
-necessary for the addci buffer if both deflate_correct and
-deflate_draft are enabled.
-
-Signed-off-by: Sylvain Rochet <gradator@gradator.net>
-Signed-off-by: Paul Mackerras <paulus@samba.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ccp.c | 3 ++-
- 1 file changed, 2 insertions(+), 1 deletion(-)
-
-diff --git a/pppd/ccp.c b/pppd/ccp.c
-index 5814f358eb44..7d7922afcfc0 100644
---- a/pppd/ccp.c
-+++ b/pppd/ccp.c
-@@ -676,7 +676,8 @@ ccp_cilen(f)
- ccp_options *go = &ccp_gotoptions[f->unit];
-
- return (go->bsd_compress? CILEN_BSD_COMPRESS: 0)
-- + (go->deflate? CILEN_DEFLATE: 0)
-+ + (go->deflate && go->deflate_correct? CILEN_DEFLATE: 0)
-+ + (go->deflate && go->deflate_draft? CILEN_DEFLATE: 0)
- + (go->predictor_1? CILEN_PREDICTOR_1: 0)
- + (go->predictor_2? CILEN_PREDICTOR_2: 0)
- + (go->mppe? CILEN_MPPE: 0);
diff --git a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch b/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
deleted file mode 100644
index 39af8cf33..000000000
--- a/patches/ppp-2.4.7/0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: YASUOKA Masahiko <yasuoka@yasuoka.net>
-Date: Wed, 16 Mar 2016 13:39:19 +0900
-Subject: [PATCH] Fix a typo in comment. Diff from Yuuichi Someya.
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/fsm.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/fsm.c b/pppd/fsm.c
-index c200cc3a8438..e9bd34f0e8f4 100644
---- a/pppd/fsm.c
-+++ b/pppd/fsm.c
-@@ -468,7 +468,7 @@ fsm_rconfreq(f, id, inp, len)
- f->nakloops = 0;
-
- } else {
-- /* we sent CONFACK or CONFREJ */
-+ /* we sent CONFNAK or CONFREJ */
- if (f->state != ACKRCVD)
- f->state = REQSENT;
- if( code == CONFNAK )
diff --git a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch b/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
deleted file mode 100644
index c9d56cdbb..000000000
--- a/patches/ppp-2.4.7/0010-plog-count-only-relevant-lines-from-syslog.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-From: Dmitry Deshevoy <mityada@gmail.com>
-Date: Thu, 31 Mar 2016 23:39:32 +0400
-Subject: [PATCH] plog: count only relevant lines from syslog
-
-Closes paulusmack/ppp#42
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- scripts/plog | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/scripts/plog b/scripts/plog
-index 84d2c7340cc6..7cb53346413d 100644
---- a/scripts/plog
-+++ b/scripts/plog
-@@ -3,5 +3,5 @@
- if [ -s /var/log/ppp.log ]; then
- exec tail "$@" /var/log/ppp.log
- else
-- exec tail "$@" /var/log/syslog | grep ' \(pppd\|chat\)\['
-+ exec grep ' \(pppd\|chat\)\[' /var/log/syslog | tail "$@"
- fi
diff --git a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch b/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
deleted file mode 100644
index ed313eeaa..000000000
--- a/patches/ppp-2.4.7/0011-Change-include-from-sys-errno.h-to-errno.h.patch
+++ /dev/null
@@ -1,33 +0,0 @@
-From: Stefan Nickl <Stefan.Nickl@gmail.com>
-Date: Wed, 10 Aug 2016 21:32:21 +0200
-Subject: [PATCH] Change include from sys/errno.h to errno.h
-
-According to POSIX, the canonical location for errno.h is on the top level.
-
-Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/sys-linux.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index e5e9baf8821f..908aa4f22297 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -73,12 +73,12 @@
- #include <sys/types.h>
- #include <sys/socket.h>
- #include <sys/time.h>
--#include <sys/errno.h>
- #include <sys/file.h>
- #include <sys/stat.h>
- #include <sys/utsname.h>
- #include <sys/sysmacros.h>
-
-+#include <errno.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <syslog.h>
diff --git a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch b/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
deleted file mode 100644
index 26d56de1d..000000000
--- a/patches/ppp-2.4.7/0012-pppd-allow-use-of-arbitrary-interface-names.patch
+++ /dev/null
@@ -1,214 +0,0 @@
-From: Paul Mackerras <paulus@samba.org>
-Date: Tue, 23 Aug 2016 16:10:21 +1000
-Subject: [PATCH] pppd: allow use of arbitrary interface names
-
-This is a modified version of a patch from openSUSE that enables PPP interfaces
-to be called arbitrary names, rather than simply pppX where X is the unit
-number.
-
-The modifications from the stock openSUSE patch are:
- refresh patch on top of 018_ip up_option.diff
-- fix a printf format-string vulnerability in pppd/main.c:set_ifunit()
-- clarify the pppd.8 manpage additions
-- patch pppstats/pppstats.c to query renamed interfaces without complaint
-
-Origin: SUSE
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458646
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 16 ++++++----------
- pppd/options.c | 5 +++++
- pppd/pppd.8 | 8 +++++++-
- pppd/pppd.h | 11 +++++++++++
- pppd/sys-linux.c | 15 +++++++++++++++
- pppstats/pppstats.c | 12 ++++++------
- 6 files changed, 50 insertions(+), 17 deletions(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 6d50d1bac1d9..f1986ed68d0b 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -124,7 +124,7 @@
- static const char rcsid[] = RCSID;
-
- /* interface vars */
--char ifname[32]; /* Interface name */
-+char ifname[MAXIFNAMELEN]; /* Interface name */
- int ifunit; /* Interface unit number */
-
- struct channel *the_channel;
-@@ -298,13 +298,6 @@ struct protent *protocols[] = {
- NULL
- };
-
--/*
-- * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
-- */
--#if !defined(PPP_DRV_NAME)
--#define PPP_DRV_NAME "ppp"
--#endif /* !defined(PPP_DRV_NAME) */
--
- int
- main(argc, argv)
- int argc;
-@@ -737,8 +730,11 @@ void
- set_ifunit(iskey)
- int iskey;
- {
-- info("Using interface %s%d", PPP_DRV_NAME, ifunit);
-- slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
-+ if (req_ifname[0] != '\0')
-+ slprintf(ifname, sizeof(ifname), "%s", req_ifname);
-+ else
-+ slprintf(ifname, sizeof(ifname), "%s%d", PPP_DRV_NAME, ifunit);
-+ info("Using interface %s", ifname);
- script_setenv("IFNAME", ifname, iskey);
- if (iskey) {
- create_pidfile(getpid()); /* write pid to file */
-diff --git a/pppd/options.c b/pppd/options.c
-index f66b7657bc31..91da515ac533 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -114,6 +114,7 @@ char linkname[MAXPATHLEN]; /* logical name for link */
- bool tune_kernel; /* may alter kernel settings */
- int connect_delay = 1000; /* wait this many ms after connect script */
- int req_unit = -1; /* requested interface unit */
-+char req_ifname[MAXIFNAMELEN]; /* requested interface name */
- bool multilink = 0; /* Enable multilink operation */
- char *bundle_name = NULL; /* bundle name for multilink */
- bool dump_options; /* print out option values */
-@@ -283,6 +284,10 @@ option_t general_options[] = {
- "PPP interface unit number to use if possible",
- OPT_PRIO | OPT_LLIMIT, 0, 0 },
-
-+ { "ifname", o_string, req_ifname,
-+ "Set PPP interface name",
-+ OPT_PRIO | OPT_PRIV | OPT_STATIC, NULL, MAXIFNAMELEN },
-+
- { "dump", o_bool, &dump_options,
- "Print out option values after parsing all options", 1 },
- { "dryrun", o_bool, &dryrun,
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index e2768b135273..64659cf867b2 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -1073,7 +1073,13 @@ under Linux and FreeBSD 2.2.8 and later.
- .TP
- .B unit \fInum
- Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
--connections.
-+connections. If the unit is already in use a dynamically allocated number will
-+be used.
-+.TP
-+.B ifname \fIstring
-+Set the ppp interface name for outbound connections. If the interface name is
-+already in use, or if the name cannot be used for any other reason, pppd will
-+terminate.
- .TP
- .B unset \fIname
- Remove a variable from the environment variable for scripts that are
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 247fa153739b..1a1bf0b99582 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -80,6 +80,16 @@
- #define MAXARGS 1 /* max # args to a command */
- #define MAXNAMELEN 256 /* max length of hostname or name for auth */
- #define MAXSECRETLEN 256 /* max length of password or secret */
-+#define MAXIFNAMELEN 32 /* max length of interface name; or use IFNAMSIZ, can we
-+ always include net/if.h? */
-+
-+/*
-+ * If PPP_DRV_NAME is not defined, use the default "ppp" as the device name.
-+ * Where should PPP_DRV_NAME come from? Do we include it here?
-+ */
-+#if !defined(PPP_DRV_NAME)
-+#define PPP_DRV_NAME "ppp"
-+#endif /* !defined(PPP_DRV_NAME) */
-
- /*
- * Option descriptor structure.
-@@ -318,6 +328,7 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */
- extern int connect_delay; /* Time to delay after connect script */
- extern int max_data_rate; /* max bytes/sec through charshunt */
- extern int req_unit; /* interface unit number to use */
-+extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */
- extern bool multilink; /* enable multilink operation */
- extern bool noendpoint; /* don't send or accept endpt. discrim. */
- extern char *bundle_name; /* bundle name for multilink */
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 908aa4f22297..9b2f293024ac 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -641,6 +641,21 @@ static int make_ppp_unit()
- }
- if (x < 0)
- error("Couldn't create new ppp unit: %m");
-+
-+ if (x == 0 && req_ifname[0] != '\0') {
-+ struct ifreq ifr;
-+ char t[MAXIFNAMELEN];
-+ memset(&ifr, 0, sizeof(struct ifreq));
-+ slprintf(t, sizeof(t), "%s%d", PPP_DRV_NAME, ifunit);
-+ strncpy(ifr.ifr_name, t, IF_NAMESIZE);
-+ strncpy(ifr.ifr_newname, req_ifname, IF_NAMESIZE);
-+ x = ioctl(sock_fd, SIOCSIFNAME, &ifr);
-+ if (x < 0)
-+ error("Couldn't rename interface %s to %s: %m", t, req_ifname);
-+ else
-+ info("Renamed interface %s to %s", t, req_ifname);
-+ }
-+
- return x;
- }
-
-diff --git a/pppstats/pppstats.c b/pppstats/pppstats.c
-index 6367988eb96b..46cb9c24942b 100644
---- a/pppstats/pppstats.c
-+++ b/pppstats/pppstats.c
-@@ -88,7 +88,6 @@ int aflag; /* print absolute values, not deltas */
- int dflag; /* print data rates, not bytes */
- int interval, count;
- int infinite;
--int unit;
- int s; /* socket or /dev/ppp file descriptor */
- int signalled; /* set if alarm goes off "early" */
- char *progname;
-@@ -449,6 +448,7 @@ main(argc, argv)
- {
- int c;
- #ifdef STREAMS
-+ int unit;
- char *dev;
- #endif
-
-@@ -506,11 +506,6 @@ main(argc, argv)
- if (argc > 0)
- interface = argv[0];
-
-- if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
-- fprintf(stderr, "%s: invalid interface '%s' specified\n",
-- progname, interface);
-- }
--
- #ifndef STREAMS
- {
- struct ifreq ifr;
-@@ -535,6 +530,11 @@ main(argc, argv)
- }
-
- #else /* STREAMS */
-+ if (sscanf(interface, PPP_DRV_NAME "%d", &unit) != 1) {
-+ fprintf(stderr, "%s: invalid interface '%s' specified\n",
-+ progname, interface);
-+ }
-+
- #ifdef __osf__
- dev = "/dev/streams/ppp";
- #else
diff --git a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch b/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
deleted file mode 100644
index 2199e7f7d..000000000
--- a/patches/ppp-2.4.7/0013-pppd-Remove-unused-declaration-of-ttyname.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: George Burgess IV <george@gbiv.net>
-Date: Fri, 9 Sep 2016 17:36:54 -0700
-Subject: [PATCH] pppd: Remove unused declaration of ttyname.
-
-Signed-off-by: George Burgess IV <george@gbiv.net>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index f1986ed68d0b..76b67d2485b7 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -257,7 +257,6 @@ static void cleanup_db __P((void));
- static void handle_events __P((void));
- void print_link_stats __P((void));
-
--extern char *ttyname __P((int));
- extern char *getlogin __P((void));
- int main __P((int, char *[]));
-
diff --git a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch b/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
deleted file mode 100644
index 39fc3d4f6..000000000
--- a/patches/ppp-2.4.7/0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From: Stefan Nickl <Stefan.Nickl@gmail.com>
-Date: Wed, 10 Aug 2016 16:52:12 +0200
-Subject: [PATCH] pppd: Provide error() implementation in pppoe-discovery
-
-The pppoe-discovery program calls error() from the CHECK_ROOM macro
-defined in pppoe.h. Since pppoe-discovery is a standalone program not
-linked with the rest of pppd, the only way this could build is by
-linking to glibc's proprietary error(3) function instead of the function
-of the same name (but with different arguments) defined in pppd/utils.c.
-
-So with glibc this builds, but will probably crash when the assertion is
-triggered. As the assertion is unlikely to fail, nobody has noticed.
-
-The build however fails with musl libc or uClibc since they don't
-provide the doppelganger.
-
-Signed-off-by: Stefan Nickl <Stefan.Nickl@gmail.com>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 9 +++++++++
- 1 file changed, 9 insertions(+)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 3d3bf4eecc81..55037dffb023 100644
---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -9,6 +9,7 @@
- *
- */
-
-+#include <stdarg.h>
- #include <stdio.h>
- #include <stdlib.h>
- #include <unistd.h>
-@@ -55,6 +56,14 @@ void die(int status)
- exit(status);
- }
-
-+void error(char *fmt, ...)
-+{
-+ va_list pvar;
-+ va_start(pvar, fmt);
-+ vfprintf(stderr, fmt, pvar);
-+ va_end(pvar);
-+}
-+
- /* Initialize frame types to RFC 2516 values. Some broken peers apparently
- use different frame types... sigh... */
-
diff --git a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch b/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
deleted file mode 100644
index b24e5ef58..000000000
--- a/patches/ppp-2.4.7/0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
+++ /dev/null
@@ -1,49 +0,0 @@
-From: Lubomir Rintel <lkundrak@v3.sk>
-Date: Mon, 9 Jan 2017 13:34:23 +0000
-Subject: [PATCH] pppoe: include netinet/in.h before linux/in.h
-
-This fixes builds with newer kernels. Basically, <netinet/in.h> needs to be
-included before <linux/in.h> otherwise the earlier, unaware of the latter,
-tries to redefine symbols and structures. Also, <linux/if_pppox.h> doesn't work
-alone anymore, since it pulls the headers in the wrong order, so we better
-include <netinet/in.h> early.
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/pppoe.h | 7 ++++---
- 1 file changed, 4 insertions(+), 3 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index 9ab2eee3914c..c4aaa6e68856 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -47,6 +47,10 @@
- #include <sys/socket.h>
- #endif
-
-+/* This has to be included before Linux 4.8's linux/in.h
-+ * gets dragged in. */
-+#include <netinet/in.h>
-+
- /* Ugly header files on some Linux boxes... */
- #if defined(HAVE_LINUX_IF_H)
- #include <linux/if.h>
-@@ -84,8 +88,6 @@ typedef unsigned long UINT32_t;
- #include <linux/if_ether.h>
- #endif
-
--#include <netinet/in.h>
--
- #ifdef HAVE_NETINET_IF_ETHER_H
- #include <sys/types.h>
-
-@@ -98,7 +100,6 @@ typedef unsigned long UINT32_t;
- #endif
-
-
--
- /* Ethernet frame types according to RFC 2516 */
- #define ETH_PPPOE_DISCOVERY 0x8863
- #define ETH_PPPOE_SESSION 0x8864
diff --git a/patches/ppp-2.4.7/0016-adaptive_echos.patch b/patches/ppp-2.4.7/0016-adaptive_echos.patch
deleted file mode 100644
index c0f222824..000000000
--- a/patches/ppp-2.4.7/0016-adaptive_echos.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] adaptive_echos
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/lcp.c | 19 +++++++++++++++++++
- pppd/pppd.8 | 5 +++++
- 2 files changed, 24 insertions(+)
-
-diff --git a/pppd/lcp.c b/pppd/lcp.c
-index 8ed2778bfb67..c97a64b7774f 100644
---- a/pppd/lcp.c
-+++ b/pppd/lcp.c
-@@ -73,6 +73,7 @@ static void lcp_delayed_up __P((void *));
- */
- int lcp_echo_interval = 0; /* Interval between LCP echo-requests */
- int lcp_echo_fails = 0; /* Tolerance to unanswered echo-requests */
-+bool lcp_echo_adaptive = 0; /* request echo only if the link was idle */
- bool lax_recv = 0; /* accept control chars in asyncmap */
- bool noendpoint = 0; /* don't send/accept endpoint discriminator */
-
-@@ -151,6 +152,8 @@ static option_t lcp_option_list[] = {
- OPT_PRIO },
- { "lcp-echo-interval", o_int, &lcp_echo_interval,
- "Set time in seconds between LCP echo requests", OPT_PRIO },
-+ { "lcp-echo-adaptive", o_bool, &lcp_echo_adaptive,
-+ "Suppress LCP echo requests if traffic was received", 1 },
- { "lcp-restart", o_int, &lcp_fsm[0].timeouttime,
- "Set time in seconds between LCP retransmissions", OPT_PRIO },
- { "lcp-max-terminate", o_int, &lcp_fsm[0].maxtermtransmits,
-@@ -2331,6 +2334,22 @@ LcpSendEchoRequest (f)
- }
- }
-
-+ /*
-+ * If adaptive echos have been enabled, only send the echo request if
-+ * no traffic was received since the last one.
-+ */
-+ if (lcp_echo_adaptive) {
-+ static unsigned int last_pkts_in = 0;
-+
-+ update_link_stats(f->unit);
-+ link_stats_valid = 0;
-+
-+ if (link_stats.pkts_in != last_pkts_in) {
-+ last_pkts_in = link_stats.pkts_in;
-+ return;
-+ }
-+ }
-+
- /*
- * Make and send the echo request frame.
- */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 64659cf867b2..ec8bfd5c0617 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -558,6 +558,11 @@ to 1) if the \fIproxyarp\fR option is used, and will enable the
- dynamic IP address option (i.e. set /proc/sys/net/ipv4/ip_dynaddr to
- 1) in demand mode if the local address changes.
- .TP
-+.B lcp\-echo\-adaptive
-+If this option is used with the \fIlcp\-echo\-failure\fR option then
-+pppd will send LCP echo\-request frames only if no traffic was received
-+from the peer since the last echo\-request was sent.
-+.TP
- .B lcp\-echo\-failure \fIn
- If this option is given, pppd will presume the peer to be dead
- if \fIn\fR LCP echo\-requests are sent without receiving a valid LCP
diff --git a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch b/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
deleted file mode 100644
index ff9096f70..000000000
--- a/patches/ppp-2.4.7/0017-Makefiles-cleanup.patch
+++ /dev/null
@@ -1,296 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Makefiles cleanup
-
-Factor-out $COPTS and $LDOPTS to allow distributions to easily override
-them. Properly use $LDFLAGS when linking and $CFLAGS when compiling.
-Do not strip the installed binaries: this should be done by the
-packaging system if required.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- chat/Makefile.linux | 5 +++--
- pppd/Makefile.linux | 7 ++++---
- pppd/plugins/Makefile.linux | 4 ++--
- pppd/plugins/pppoatm/Makefile.linux | 4 ++--
- pppd/plugins/pppol2tp/Makefile.linux | 4 ++--
- pppd/plugins/radius/Makefile.linux | 16 +++++++++-------
- pppd/plugins/rp-pppoe/Makefile.linux | 10 ++++++----
- pppdump/Makefile.linux | 9 ++++++---
- pppstats/Makefile.linux | 7 ++++---
- 9 files changed, 38 insertions(+), 28 deletions(-)
-
-diff --git a/chat/Makefile.linux b/chat/Makefile.linux
-index 1065ac519576..a41d485b4168 100644
---- a/chat/Makefile.linux
-+++ b/chat/Makefile.linux
-@@ -12,20 +12,21 @@ CDEFS= $(CDEF1) $(CDEF2) $(CDEF3) $(CDEF4)
-
- COPTS= -O2 -g -pipe
- CFLAGS= $(COPTS) $(CDEFS)
-+LDFLAGS=$(LDOPTS)
-
- INSTALL= install
-
- all: chat
-
- chat: chat.o
-- $(CC) -o chat chat.o
-+ $(CC) $(LDFLAGS) -o chat chat.o
-
- chat.o: chat.c
- $(CC) -c $(CFLAGS) -o chat.o chat.c
-
- install: chat
- mkdir -p $(BINDIR) $(MANDIR)
-- $(INSTALL) -s -c chat $(BINDIR)
-+ $(INSTALL) -c chat $(BINDIR)
- $(INSTALL) -c -m 644 chat.8 $(MANDIR)
-
- clean:
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index a74c914fd3ac..16b3ee879791 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -83,6 +83,7 @@ INCLUDE_DIRS= -I../include
- COMPILE_FLAGS= -DHAVE_PATHS_H -DIPX_CHANGE -DHAVE_MMAP
-
- CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
-+LDFLAGS=$(LDOPTS)
-
- ifdef CHAPMS
- CFLAGS += -DCHAPMS=1
-@@ -102,7 +103,7 @@ ifdef USE_SRP
- CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
- LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto
- TARGETS += srp-entry
--EXTRAINSTALL = $(INSTALL) -s -c -m 555 srp-entry $(BINDIR)/srp-entry
-+EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
- MANPAGES += srp-entry.8
- EXTRACLEAN += srp-entry.o
- NEEDDES=y
-@@ -208,13 +209,13 @@ all: $(TARGETS)
- install: pppd
- mkdir -p $(BINDIR) $(MANDIR)
- $(EXTRAINSTALL)
-- $(INSTALL) -s -c -m 555 pppd $(BINDIR)/pppd
-+ $(INSTALL) -c -m 555 pppd $(BINDIR)/pppd
- if chgrp pppusers $(BINDIR)/pppd 2>/dev/null; then \
- chmod o-rx,u+s $(BINDIR)/pppd; fi
- $(INSTALL) -c -m 444 pppd.8 $(MANDIR)
-
- pppd: $(PPPDOBJS)
-- $(CC) $(CFLAGS) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
-+ $(CC) $(LDFLAGS) -o pppd $(PPPDOBJS) $(LIBS)
-
- srp-entry: srp-entry.c
- $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 8a90e393a057..0f9d37d2953b 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC = gcc
- COPTS = -O2 -g
- CFLAGS = $(COPTS) -I.. -I../../include -fPIC
--LDFLAGS = -shared
-+LDFLAGS = $(LDOPTS)
- INSTALL = install
-
- DESTDIR = $(INSTROOT)@DESTDIR@
-@@ -30,7 +30,7 @@ all: $(PLUGINS)
- for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d all || exit $$?; done
-
- %.so: %.c
-- $(CC) -o $@ $(LDFLAGS) $(CFLAGS) $^
-+ $(CC) -o $@ $(LDFLAGS) -shared $(CFLAGS) $^
-
- VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../patchlevel.h)
-
-diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
-index 20f62e631d23..002603c6cbef 100644
---- a/pppd/plugins/pppoatm/Makefile.linux
-+++ b/pppd/plugins/pppoatm/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC = gcc
- COPTS = -O2 -g
- CFLAGS = $(COPTS) -I../.. -I../../../include -fPIC
--LDFLAGS = -shared
-+LDFLAGS = $(LDOPTS)
- INSTALL = install
-
- #***********************************************************************
-@@ -33,7 +33,7 @@ endif
- all: $(PLUGIN)
-
- $(PLUGIN): $(PLUGIN_OBJS)
-- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
-+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
-
- install: all
- $(INSTALL) -d -m 755 $(LIBDIR)
-diff --git a/pppd/plugins/pppol2tp/Makefile.linux b/pppd/plugins/pppol2tp/Makefile.linux
-index ea3538e22d56..de5cc12e79c3 100644
---- a/pppd/plugins/pppol2tp/Makefile.linux
-+++ b/pppd/plugins/pppol2tp/Makefile.linux
-@@ -1,7 +1,7 @@
- #CC = gcc
- COPTS = -O2 -g
- CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC
--LDFLAGS = -shared
-+LDFLAGS = $(LDOPTS)
- INSTALL = install
-
- #***********************************************************************
-@@ -16,7 +16,7 @@ PLUGINS := pppol2tp.so openl2tp.so
- all: $(PLUGINS)
-
- %.so: %.o
-- $(CC) $(CFLAGS) -o $@ -shared $^ $(LIBS)
-+ $(CC) $(LDFLAGS) -o $@ -shared $^ $(LIBS)
-
- install: all
- $(INSTALL) -d -m 755 $(LIBDIR)
-diff --git a/pppd/plugins/radius/Makefile.linux b/pppd/plugins/radius/Makefile.linux
-index 24ed3e580c4d..436ff2fd0c23 100644
---- a/pppd/plugins/radius/Makefile.linux
-+++ b/pppd/plugins/radius/Makefile.linux
-@@ -12,7 +12,9 @@ VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' ../../patchlevel.h)
- INSTALL = install
-
- PLUGIN=radius.so radattr.so radrealms.so
--CFLAGS=-I. -I../.. -I../../../include -O2 -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+COPTS=-g -O2
-+CFLAGS = $(COPTS) -I. -I../.. -I../../../include -fPIC -DRC_LOG_FACILITY=LOG_DAEMON
-+LDFLAGS= $(LDOPTS)
-
- # Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol.
-@@ -36,20 +38,20 @@ all: $(PLUGIN)
-
- install: all
- $(INSTALL) -d -m 755 $(LIBDIR)
-- $(INSTALL) -s -c -m 755 radius.so $(LIBDIR)
-- $(INSTALL) -s -c -m 755 radattr.so $(LIBDIR)
-- $(INSTALL) -s -c -m 755 radrealms.so $(LIBDIR)
-+ $(INSTALL) -c -m 755 radius.so $(LIBDIR)
-+ $(INSTALL) -c -m 755 radattr.so $(LIBDIR)
-+ $(INSTALL) -c -m 755 radrealms.so $(LIBDIR)
- $(INSTALL) -c -m 444 pppd-radius.8 $(MANDIR)
- $(INSTALL) -c -m 444 pppd-radattr.8 $(MANDIR)
-
- radius.so: radius.o libradiusclient.a
-- $(CC) -o radius.so -shared radius.o libradiusclient.a
-+ $(CC) $(LDFLAGS) -o radius.so -shared radius.o libradiusclient.a
-
- radattr.so: radattr.o
-- $(CC) -o radattr.so -shared radattr.o
-+ $(CC) $(LDFLAGS) -o radattr.so -shared radattr.o
-
- radrealms.so: radrealms.o
-- $(CC) -o radrealms.so -shared radrealms.o
-+ $(CC) $(LDFLAGS) -o radrealms.so -shared radrealms.o
-
- CLIENTOBJS = avpair.o buildreq.o config.o dict.o ip_util.o \
- clientid.o sendserver.o lock.o util.o md5.o
-diff --git a/pppd/plugins/rp-pppoe/Makefile.linux b/pppd/plugins/rp-pppoe/Makefile.linux
-index 5d7a2719545d..00e0af6da20c 100644
---- a/pppd/plugins/rp-pppoe/Makefile.linux
-+++ b/pppd/plugins/rp-pppoe/Makefile.linux
-@@ -27,10 +27,12 @@ RP_VERSION=3.8p
-
- COPTS=-O2 -g
- CFLAGS=$(COPTS) -I../../../include '-DRP_VERSION="$(RP_VERSION)"'
-+LDFLAGS=$(LDOPTS)
-+
- all: rp-pppoe.so pppoe-discovery
-
- pppoe-discovery: pppoe-discovery.o debug.o
-- $(CC) -o pppoe-discovery pppoe-discovery.o debug.o
-+ $(CC) $(LDFLAGS) -o pppoe-discovery pppoe-discovery.o debug.o
-
- pppoe-discovery.o: pppoe-discovery.c
- $(CC) $(CFLAGS) -c -o pppoe-discovery.o pppoe-discovery.c
-@@ -39,13 +41,13 @@ debug.o: debug.c
- $(CC) $(CFLAGS) -c -o debug.o debug.c
-
- rp-pppoe.so: plugin.o discovery.o if.o common.o
-- $(CC) -o rp-pppoe.so -shared plugin.o discovery.o if.o common.o
-+ $(CC) $(LDFLAGS) -o rp-pppoe.so -shared $^
-
- install: all
- $(INSTALL) -d -m 755 $(LIBDIR)
-- $(INSTALL) -s -c -m 4550 rp-pppoe.so $(LIBDIR)
-+ $(INSTALL) -c -m 4550 rp-pppoe.so $(LIBDIR)
- $(INSTALL) -d -m 755 $(BINDIR)
-- $(INSTALL) -s -c -m 555 pppoe-discovery $(BINDIR)
-+ $(INSTALL) -c -m 555 pppoe-discovery $(BINDIR)
-
- clean:
- rm -f *.o *.so pppoe-discovery
-diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index ac028f6bf4f0..65e5c14914fb 100644
---- a/pppdump/Makefile.linux
-+++ b/pppdump/Makefile.linux
-@@ -2,7 +2,10 @@ DESTDIR = $(INSTROOT)@DESTDIR@
- BINDIR = $(DESTDIR)/sbin
- MANDIR = $(DESTDIR)/share/man/man8
-
--CFLAGS= -O -I../include/net
-+COPTS=-O2 -g
-+CFLAGS= $(COPTS) -I../include/net
-+LDFLAGS=$(LDOPTS)
-+
- OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
-
- INSTALL= install
-@@ -10,12 +13,12 @@ INSTALL= install
- all: pppdump
-
- pppdump: $(OBJS)
-- $(CC) -o pppdump $(OBJS)
-+ $(CC) $(LDFLAGS) -o pppdump $(OBJS)
-
- clean:
- rm -f pppdump $(OBJS) *~
-
- install:
- mkdir -p $(BINDIR) $(MANDIR)
-- $(INSTALL) -s -c pppdump $(BINDIR)
-+ $(INSTALL) -c pppdump $(BINDIR)
- $(INSTALL) -c -m 444 pppdump.8 $(MANDIR)
-diff --git a/pppstats/Makefile.linux b/pppstats/Makefile.linux
-index cca6f0f61d87..9ec8e803665a 100644
---- a/pppstats/Makefile.linux
-+++ b/pppstats/Makefile.linux
-@@ -10,23 +10,24 @@ PPPSTATSRCS = pppstats.c
- PPPSTATOBJS = pppstats.o
-
- #CC = gcc
--COPTS = -O
-+COPTS = -O2 -g
- COMPILE_FLAGS = -I../include
- LIBS =
-
- INSTALL= install
-
- CFLAGS = $(COPTS) $(COMPILE_FLAGS)
-+LDFLAGS= $(LDOPTS)
-
- all: pppstats
-
- install: pppstats
- -mkdir -p $(MANDIR)
-- $(INSTALL) -s -c pppstats $(BINDIR)
-+ $(INSTALL) -c pppstats $(BINDIR)
- $(INSTALL) -c -m 444 pppstats.8 $(MANDIR)
-
- pppstats: $(PPPSTATSRCS)
-- $(CC) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
-+ $(CC) $(LDFLAGS) $(CFLAGS) -o pppstats pppstats.c $(LIBS)
-
- clean:
- rm -f pppstats *~ #* core
diff --git a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch b/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
deleted file mode 100644
index 41669d12a..000000000
--- a/patches/ppp-2.4.7/0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
+++ /dev/null
@@ -1,44 +0,0 @@
-From: Simon Peter <dn.tlp@gmx.net>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Bug#306261: pppd does not properly close /dev/ppp on persist
-
-When using the kernel PPPoE driver, pppd never
-closes /dev/ppp when the link has come down.
-
-It opens superfluous fds to the device each time it re-opens the
-connection, with the unclosed ones falsely reported always ready for
-data by select().
-
-This makes pppd eat up 100% CPU time after the first persist because of
-the always instantly returning select() on the unclosed fds.
-
-The problem also occurs with the upstream version, but does not occur
-when a pty/tty device is used for the ppp connection.
-
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/sys-linux.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 9b2f293024ac..6d29dc8e8594 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -458,6 +458,13 @@ int generic_establish_ppp (int fd)
- if (new_style_driver) {
- int flags;
-
-+ /* if a ppp_fd is already open, close it first */
-+ if(ppp_fd > 0) {
-+ close(ppp_fd);
-+ remove_fd(ppp_fd);
-+ ppp_fd = -1;
-+ }
-+
- /* Open an instance of /dev/ppp and connect the channel to it */
- if (ioctl(fd, PPPIOCGCHAN, &chindex) == -1) {
- error("Couldn't get channel number: %m");
diff --git a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch b/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
deleted file mode 100644
index f785c75d8..000000000
--- a/patches/ppp-2.4.7/0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From: "herbert@gondor.apana.org.au" <herbert@gondor.apana.org.au>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Bug#284382: ppp: linkpidfile is not created upon detachment
-
-Package: ppp
-Version: 2.4.2+20040428-2
-Severity: wishlist
-
-When pppd detaches from the parent normally, that is, without nodetach
-or updetach set, the linkpidfile is not created even when linkname is
-set.
-
-This is because the create_linkpidfile call in detach() is only made
-if the linkpidfile is filled in. However, linkpidfile is never filled
-in until create_linkpidfile has been called.
-
-IMHO the call should be made uncondtionally in detach() since
-create_linkpidfile does its own check on linkname anyway.
-
-Please note that the version of pppd in woody always wrote the
-linkpidfile after detaching. It did so in main() however. That
-call has now been removed which is why I'm seeing this problem.
-
-[...]
-
---
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 3 +--
- 1 file changed, 1 insertion(+), 2 deletions(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 76b67d2485b7..8e31365f0c58 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -765,8 +765,7 @@ detach()
- /* update pid files if they have been written already */
- if (pidfilename[0])
- create_pidfile(pid);
-- if (linkpidfile[0])
-- create_linkpidfile(pid);
-+ create_linkpidfile(pid);
- exit(0); /* parent dies */
- }
- setsid();
diff --git a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch b/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
deleted file mode 100644
index ee22c74b6..000000000
--- a/patches/ppp-2.4.7/0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] cosmetic cleanup of the pppoatm plugin
-
-Removed some debugging messages and generally cleaned up the source.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/pppoatm/pppoatm.c | 23 +++++++++++++----------
- 1 file changed, 13 insertions(+), 10 deletions(-)
-
-diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
-index a7560e9fb0c6..90d0c9a85d9f 100644
---- a/pppd/plugins/pppoatm/pppoatm.c
-+++ b/pppd/plugins/pppoatm/pppoatm.c
-@@ -70,18 +70,20 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
- {
- struct sockaddr_atmpvc addr;
- extern struct stat devstat;
-+
- if (device_got_set)
- return 0;
-- //info("PPPoATM setdevname_pppoatm: '%s'", cp);
-+
- memset(&addr, 0, sizeof addr);
- if (text2atm(cp, (struct sockaddr *) &addr, sizeof(addr),
-- T2A_PVC | T2A_NAME) < 0) {
-- if(doit)
-- info("atm does not recognize: %s", cp);
-+ T2A_PVC | T2A_NAME | T2A_WILDCARD) < 0) {
-+ if (doit)
-+ info("cannot parse the ATM address: %s", cp);
- return 0;
-- }
-- if (!doit) return 1;
-- //if (!dev_set_ok()) return -1;
-+ }
-+ if (!doit)
-+ return 1;
-+
- memcpy(&pvcaddr, &addr, sizeof pvcaddr);
- strlcpy(devnam, cp, sizeof devnam);
- devstat.st_mode = S_IFSOCK;
-@@ -93,7 +95,6 @@ static int setdevname_pppoatm(const char *cp, const char **argv, int doit)
- lcp_allowoptions[0].neg_asyncmap = 0;
- lcp_wantoptions[0].neg_pcompression = 0;
- }
-- info("PPPoATM setdevname_pppoatm - SUCCESS:%s", cp);
- device_got_set = 1;
- return 1;
- }
-@@ -108,6 +109,7 @@ static void no_device_given_pppoatm(void)
- static void set_line_discipline_pppoatm(int fd)
- {
- struct atm_backend_ppp be;
-+
- be.backend_num = ATM_BACKEND_PPP;
- if (!llc_encaps)
- be.encaps = PPPOATM_ENCAPS_VC;
-@@ -115,6 +117,7 @@ static void set_line_discipline_pppoatm(int fd)
- be.encaps = PPPOATM_ENCAPS_LLC;
- else
- be.encaps = PPPOATM_ENCAPS_AUTODETECT;
-+
- if (ioctl(fd, ATM_SETBACKEND, &be) < 0)
- fatal("ioctl(ATM_SETBACKEND): %m");
- }
-@@ -172,7 +175,7 @@ static void disconnect_pppoatm(void)
-
- void plugin_init(void)
- {
--#if defined(__linux__)
-+#ifdef linux
- extern int new_style_driver; /* From sys-linux.c */
- if (!ppp_available() && !new_style_driver)
- fatal("Kernel doesn't support ppp_generic - "
-@@ -180,9 +183,9 @@ void plugin_init(void)
- #else
- fatal("No PPPoATM support on this OS");
- #endif
-- info("PPPoATM plugin_init");
- add_options(pppoa_options);
- }
-+
- struct channel pppoa_channel = {
- options: pppoa_options,
- process_extra_options: NULL,
diff --git a/patches/ppp-2.4.7/0023-pppoe_noads.patch b/patches/ppp-2.4.7/0023-pppoe_noads.patch
deleted file mode 100644
index b4712de17..000000000
--- a/patches/ppp-2.4.7/0023-pppoe_noads.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] pppoe_noads
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/plugin.c | 3 ---
- 1 file changed, 3 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index c89be94250bc..7804b184f0cb 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -377,9 +377,6 @@ plugin_init(void)
- }
-
- add_options(Options);
--
-- info("RP-PPPoE plugin version %s compiled against pppd %s",
-- RP_VERSION, VERSION);
- }
-
- void pppoe_check_options(void)
diff --git a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch b/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
deleted file mode 100644
index 557b16901..000000000
--- a/patches/ppp-2.4.7/0024-make-_PATH_CONNERRS-world-readable.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] make _PATH_CONNERRS world readable
-
-There is nothing security-sensitive there.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/main.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/main.c b/pppd/main.c
-index 8e31365f0c58..ed544315c1df 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -1673,7 +1673,7 @@ device_script(program, in, out, dont_wait)
- if (log_to_fd >= 0)
- errfd = log_to_fd;
- else
-- errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0600);
-+ errfd = open(_PATH_CONNERRS, O_WRONLY | O_APPEND | O_CREAT, 0644);
-
- ++conn_running;
- pid = safe_fork(in, out, errfd);
diff --git a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch b/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
deleted file mode 100644
index febfaf869..000000000
--- a/patches/ppp-2.4.7/0025-Correct-unkown-unknown-typo.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Correct unkown => unknown typo
-
-Author: Chris Boot <bootc@debian.org>
-Last-Update: 2013-09-09
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/config.c | 6 +++---
- 1 file changed, 3 insertions(+), 3 deletions(-)
-
-diff --git a/pppd/plugins/radius/config.c b/pppd/plugins/radius/config.c
-index a29e5e8da909..f892ca7b1bf5 100644
---- a/pppd/plugins/radius/config.c
-+++ b/pppd/plugins/radius/config.c
-@@ -271,7 +271,7 @@ char *rc_conf_str(char *optname)
- option = find_option(optname, OT_STR);
-
- if (option == NULL)
-- fatal("rc_conf_str: unkown config option requested: %s", optname);
-+ fatal("rc_conf_str: unknown config option requested: %s", optname);
- return (char *)option->val;
- }
-
-@@ -282,7 +282,7 @@ int rc_conf_int(char *optname)
- option = find_option(optname, OT_INT|OT_AUO);
-
- if (option == NULL)
-- fatal("rc_conf_int: unkown config option requested: %s", optname);
-+ fatal("rc_conf_int: unknown config option requested: %s", optname);
- return *((int *)option->val);
- }
-
-@@ -293,7 +293,7 @@ SERVER *rc_conf_srv(char *optname)
- option = find_option(optname, OT_SRV);
-
- if (option == NULL)
-- fatal("rc_conf_srv: unkown config option requested: %s", optname);
-+ fatal("rc_conf_srv: unknown config option requested: %s", optname);
- return (SERVER *)option->val;
- }
-
diff --git a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch b/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
deleted file mode 100644
index 5cf266d10..000000000
--- a/patches/ppp-2.4.7/0026-pppoe-custom-host-uniq-tag.patch
+++ /dev/null
@@ -1,302 +0,0 @@
-From: Matteo Croce <matteo@openwrt.org>
-Date: Sat, 21 Nov 2015 18:45:43 +0100
-Subject: [PATCH] pppoe: custom host-uniq tag
-
-Add pppoe 'host-uniq' option to set an arbitrary
-host-uniq tag instead of the pppd pid.
-Some ISPs use such tag to authenticate the CPE,
-so it must be set to a proper value to connect.
-
-Signed-off-by: Matteo Croce <matteo@openwrt.org>
-Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/rp-pppoe/common.c | 14 ++++-----
- pppd/plugins/rp-pppoe/discovery.c | 51 +++++++++++++--------------------
- pppd/plugins/rp-pppoe/plugin.c | 7 ++++-
- pppd/plugins/rp-pppoe/pppoe-discovery.c | 38 +++++++++++++++---------
- pppd/plugins/rp-pppoe/pppoe.h | 31 +++++++++++++++++++-
- 5 files changed, 86 insertions(+), 55 deletions(-)
-
-diff --git a/pppd/plugins/rp-pppoe/common.c b/pppd/plugins/rp-pppoe/common.c
-index 89c633c773f9..8f175ece345b 100644
---- a/pppd/plugins/rp-pppoe/common.c
-+++ b/pppd/plugins/rp-pppoe/common.c
-@@ -119,15 +119,11 @@ sendPADT(PPPoEConnection *conn, char const *msg)
- conn->session = 0;
-
- /* If we're using Host-Uniq, copy it over */
-- if (conn->useHostUniq) {
-- PPPoETag hostUniq;
-- pid_t pid = getpid();
-- hostUniq.type = htons(TAG_HOST_UNIQ);
-- hostUniq.length = htons(sizeof(pid));
-- memcpy(hostUniq.payload, &pid, sizeof(pid));
-- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
-- cursor += sizeof(pid) + TAG_HDR_SIZE;
-- plen += sizeof(pid) + TAG_HDR_SIZE;
-+ if (conn->hostUniq.length) {
-+ int len = ntohs(conn->hostUniq.length);
-+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+ cursor += len + TAG_HDR_SIZE;
-+ plen += len + TAG_HDR_SIZE;
- }
-
- /* Copy error message */
-diff --git a/pppd/plugins/rp-pppoe/discovery.c b/pppd/plugins/rp-pppoe/discovery.c
-index 04877cb8295f..5db8d0defc37 100644
---- a/pppd/plugins/rp-pppoe/discovery.c
-+++ b/pppd/plugins/rp-pppoe/discovery.c
-@@ -80,13 +80,10 @@ static void
- parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
- void *extra)
- {
-- int *val = (int *) extra;
-- if (type == TAG_HOST_UNIQ && len == sizeof(pid_t)) {
-- pid_t tmp;
-- memcpy(&tmp, data, len);
-- if (tmp == getpid()) {
-- *val = 1;
-- }
-+ PPPoETag *tag = extra;
-+
-+ if (type == TAG_HOST_UNIQ && len == ntohs(tag->length)) {
-+ tag->length = memcmp(data, tag->payload, len);
- }
- }
-
-@@ -104,16 +101,16 @@ parseForHostUniq(UINT16_t type, UINT16_t len, unsigned char *data,
- static int
- packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
- {
-- int forMe = 0;
-+ PPPoETag hostUniq = conn->hostUniq;
-
- /* If packet is not directed to our MAC address, forget it */
- if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
-
- /* If we're not using the Host-Unique tag, then accept the packet */
-- if (!conn->useHostUniq) return 1;
-+ if (!conn->hostUniq.length) return 1;
-
-- parsePacket(packet, parseForHostUniq, &forMe);
-- return forMe;
-+ parsePacket(packet, parseForHostUniq, &hostUniq);
-+ return !hostUniq.length;
- }
-
- /**********************************************************************
-@@ -301,16 +298,12 @@ sendPADI(PPPoEConnection *conn)
- }
-
- /* If we're using Host-Uniq, copy it over */
-- if (conn->useHostUniq) {
-- PPPoETag hostUniq;
-- pid_t pid = getpid();
-- hostUniq.type = htons(TAG_HOST_UNIQ);
-- hostUniq.length = htons(sizeof(pid));
-- memcpy(hostUniq.payload, &pid, sizeof(pid));
-- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
-- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
-- cursor += sizeof(pid) + TAG_HDR_SIZE;
-- plen += sizeof(pid) + TAG_HDR_SIZE;
-+ if (conn->hostUniq.length) {
-+ int len = ntohs(conn->hostUniq.length);
-+ CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
-+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+ cursor += len + TAG_HDR_SIZE;
-+ plen += len + TAG_HDR_SIZE;
- }
-
- /* Add our maximum MTU/MRU */
-@@ -478,16 +471,12 @@ sendPADR(PPPoEConnection *conn)
- cursor += namelen + TAG_HDR_SIZE;
-
- /* If we're using Host-Uniq, copy it over */
-- if (conn->useHostUniq) {
-- PPPoETag hostUniq;
-- pid_t pid = getpid();
-- hostUniq.type = htons(TAG_HOST_UNIQ);
-- hostUniq.length = htons(sizeof(pid));
-- memcpy(hostUniq.payload, &pid, sizeof(pid));
-- CHECK_ROOM(cursor, packet.payload, sizeof(pid)+TAG_HDR_SIZE);
-- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
-- cursor += sizeof(pid) + TAG_HDR_SIZE;
-- plen += sizeof(pid) + TAG_HDR_SIZE;
-+ if (conn->hostUniq.length) {
-+ int len = ntohs(conn->hostUniq.length);
-+ CHECK_ROOM(cursor, packet.payload, len+TAG_HDR_SIZE);
-+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+ cursor += len + TAG_HDR_SIZE;
-+ plen += len + TAG_HDR_SIZE;
- }
-
- /* Add our maximum MTU/MRU */
-diff --git a/pppd/plugins/rp-pppoe/plugin.c b/pppd/plugins/rp-pppoe/plugin.c
-index 7804b184f0cb..12778d0d9991 100644
---- a/pppd/plugins/rp-pppoe/plugin.c
-+++ b/pppd/plugins/rp-pppoe/plugin.c
-@@ -68,6 +68,7 @@ static char *existingSession = NULL;
- static int printACNames = 0;
- static char *pppoe_reqd_mac = NULL;
- unsigned char pppoe_reqd_mac_addr[6];
-+static char *host_uniq = NULL;
-
- static int PPPoEDevnameHook(char *cmd, char **argv, int doit);
- static option_t Options[] = {
-@@ -85,6 +86,8 @@ static option_t Options[] = {
- "Be verbose about discovered access concentrators"},
- { "pppoe-mac", o_string, &pppoe_reqd_mac,
- "Only connect to specified MAC address" },
-+ { "host-uniq", o_string, &host_uniq,
-+ "Specify custom Host-Uniq" },
- { NULL }
- };
- int (*OldDevnameHook)(char *cmd, char **argv, int doit) = NULL;
-@@ -110,7 +113,6 @@ PPPOEInitDevice(void)
- conn->ifName = devnam;
- conn->discoverySocket = -1;
- conn->sessionSocket = -1;
-- conn->useHostUniq = 1;
- conn->printACNames = printACNames;
- conn->discoveryTimeout = PADI_TIMEOUT;
- return 1;
-@@ -166,6 +168,9 @@ PPPOEConnectDevice(void)
- if (lcp_wantoptions[0].mru > ifr.ifr_mtu - TOTAL_OVERHEAD)
- lcp_wantoptions[0].mru = ifr.ifr_mtu - TOTAL_OVERHEAD;
-
-+ if (host_uniq && !parseHostUniq(host_uniq, &conn->hostUniq))
-+ fatal("Illegal value for host-uniq option");
-+
- conn->acName = acName;
- conn->serviceName = pppd_pppoe_service;
- strlcpy(ppp_devnam, devnam, sizeof(ppp_devnam));
-diff --git a/pppd/plugins/rp-pppoe/pppoe-discovery.c b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-index 55037dffb023..ff4c487ffaa9 100644
---- a/pppd/plugins/rp-pppoe/pppoe-discovery.c
-+++ b/pppd/plugins/rp-pppoe/pppoe-discovery.c
-@@ -356,7 +356,7 @@ packetIsForMe(PPPoEConnection *conn, PPPoEPacket *packet)
- if (memcmp(packet->ethHdr.h_dest, conn->myEth, ETH_ALEN)) return 0;
-
- /* If we're not using the Host-Unique tag, then accept the packet */
-- if (!conn->useHostUniq) return 1;
-+ if (!conn->hostUniq.length) return 1;
-
- parsePacket(packet, parseForHostUniq, &forMe);
- return forMe;
-@@ -482,16 +482,12 @@ sendPADI(PPPoEConnection *conn)
- cursor += namelen + TAG_HDR_SIZE;
-
- /* If we're using Host-Uniq, copy it over */
-- if (conn->useHostUniq) {
-- PPPoETag hostUniq;
-- pid_t pid = getpid();
-- hostUniq.type = htons(TAG_HOST_UNIQ);
-- hostUniq.length = htons(sizeof(pid));
-- memcpy(hostUniq.payload, &pid, sizeof(pid));
-- CHECK_ROOM(cursor, packet.payload, sizeof(pid) + TAG_HDR_SIZE);
-- memcpy(cursor, &hostUniq, sizeof(pid) + TAG_HDR_SIZE);
-- cursor += sizeof(pid) + TAG_HDR_SIZE;
-- plen += sizeof(pid) + TAG_HDR_SIZE;
-+ if (conn->hostUniq.length) {
-+ int len = ntohs(conn->hostUniq.length);
-+ CHECK_ROOM(cursor, packet.payload, len + TAG_HDR_SIZE);
-+ memcpy(cursor, &conn->hostUniq, len + TAG_HDR_SIZE);
-+ cursor += len + TAG_HDR_SIZE;
-+ plen += len + TAG_HDR_SIZE;
- }
-
- packet.length = htons(plen);
-@@ -653,7 +649,7 @@ int main(int argc, char *argv[])
-
- memset(conn, 0, sizeof(PPPoEConnection));
-
-- while ((opt = getopt(argc, argv, "I:D:VUAS:C:h")) > 0) {
-+ while ((opt = getopt(argc, argv, "I:D:VUW:AS:C:h")) > 0) {
- switch(opt) {
- case 'S':
- conn->serviceName = xstrdup(optarg);
-@@ -662,7 +658,23 @@ int main(int argc, char *argv[])
- conn->acName = xstrdup(optarg);
- break;
- case 'U':
-- conn->useHostUniq = 1;
-+ if(conn->hostUniq.length) {
-+ fprintf(stderr, "-U and -W are mutually exclusive\n");
-+ exit(EXIT_FAILURE);
-+ }
-+ char pidbuf[5];
-+ snprintf(pidbuf, sizeof(pidbuf), "%04x", getpid());
-+ parseHostUniq(pidbuf, &conn->hostUniq);
-+ break;
-+ case 'W':
-+ if(conn->hostUniq.length) {
-+ fprintf(stderr, "-U and -W are mutually exclusive\n");
-+ exit(EXIT_FAILURE);
-+ }
-+ if (!parseHostUniq(optarg, &conn->hostUniq)) {
-+ fprintf(stderr, "Invalid host-uniq argument: %s\n", optarg);
-+ exit(EXIT_FAILURE);
-+ }
- break;
- case 'D':
- conn->debugFile = fopen(optarg, "w");
-diff --git a/pppd/plugins/rp-pppoe/pppoe.h b/pppd/plugins/rp-pppoe/pppoe.h
-index c4aaa6e68856..08026f577028 100644
---- a/pppd/plugins/rp-pppoe/pppoe.h
-+++ b/pppd/plugins/rp-pppoe/pppoe.h
-@@ -21,6 +21,8 @@
-
- #include <stdio.h> /* For FILE */
- #include <sys/types.h> /* For pid_t */
-+#include <ctype.h>
-+#include <string.h>
-
- /* How do we access raw Ethernet devices? */
- #undef USE_LINUX_PACKET
-@@ -236,7 +238,7 @@ typedef struct PPPoEConnectionStruct {
- char *serviceName; /* Desired service name, if any */
- char *acName; /* Desired AC name, if any */
- int synchronous; /* Use synchronous PPP */
-- int useHostUniq; /* Use Host-Uniq tag */
-+ PPPoETag hostUniq; /* Use Host-Uniq tag */
- int printACNames; /* Just print AC names */
- FILE *debugFile; /* Debug file for dumping packets */
- int numPADOs; /* Number of PADO packets received */
-@@ -292,6 +294,33 @@ void pppoe_printpkt(PPPoEPacket *packet,
- void (*printer)(void *, char *, ...), void *arg);
- void pppoe_log_packet(const char *prefix, PPPoEPacket *packet);
-
-+static inline int parseHostUniq(const char *uniq, PPPoETag *tag)
-+{
-+ int i, len = strlen(uniq);
-+
-+#define hex(x) \
-+ (((x) <= '9') ? ((x) - '0') : \
-+ (((x) <= 'F') ? ((x) - 'A' + 10) : \
-+ ((x) - 'a' + 10)))
-+
-+ if (len % 2)
-+ return 0;
-+
-+ for (i = 0; i < len; i += 2)
-+ {
-+ if (!isxdigit(uniq[i]) || !isxdigit(uniq[i+1]))
-+ return 0;
-+
-+ tag->payload[i / 2] = (char)(16 * hex(uniq[i]) + hex(uniq[i+1]));
-+ }
-+
-+#undef hex
-+
-+ tag->type = htons(TAG_HOST_UNIQ);
-+ tag->length = htons(len / 2);
-+ return 1;
-+}
-+
- #define SET_STRING(var, val) do { if (var) free(var); var = strDup(val); } while(0);
-
- #define CHECK_ROOM(cursor, start, len) \
diff --git a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch b/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
deleted file mode 100644
index 19f931b12..000000000
--- a/patches/ppp-2.4.7/0027-Add-replacedefaultroute-option.patch
+++ /dev/null
@@ -1,324 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] Add replacedefaultroute option
-
-Adds an option to pppd to control whether to replace existing default routes
-when using the 'defaultroute' option.
-
-If defaultroute and replacedefaultroute are both set, pppd replaces an existing
-default route with the new default route. The old default route is restored when
-the connection is taken down.
-
-Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.2-cifdefroute.diff?rev=7a0fdeff0b29437dd7f4581c95c7255a
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Last-Update: 2014-01-26
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipcp.c | 45 +++++++++++++++++++++++++++----
- pppd/ipcp.h | 1 +
- pppd/pppd.8 | 12 ++++++++-
- pppd/pppd.h | 4 +++
- pppd/sys-linux.c | 82 +++++++++++++++++++++++++++++++++++++++++++++-----------
- 5 files changed, 123 insertions(+), 21 deletions(-)
-
-diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index e9738fe4d894..c8fe279d4ede 100644
---- a/pppd/ipcp.c
-+++ b/pppd/ipcp.c
-@@ -198,6 +198,16 @@ static option_t ipcp_option_list[] = {
- "disable defaultroute option", OPT_ALIAS | OPT_A2CLR,
- &ipcp_wantoptions[0].default_route },
-
-+#ifdef __linux__
-+ { "replacedefaultroute", o_bool,
-+ &ipcp_wantoptions[0].replace_default_route,
-+ "Replace default route", 1
-+ },
-+ { "noreplacedefaultroute", o_bool,
-+ &ipcp_allowoptions[0].replace_default_route,
-+ "Never replace default route", OPT_A2COPY,
-+ &ipcp_wantoptions[0].replace_default_route },
-+#endif
- { "proxyarp", o_bool, &ipcp_wantoptions[0].proxy_arp,
- "Add proxy ARP entry", OPT_ENABLE|1, &ipcp_allowoptions[0].proxy_arp },
- { "noproxyarp", o_bool, &ipcp_allowoptions[0].proxy_arp,
-@@ -271,7 +281,7 @@ struct protent ipcp_protent = {
- ip_active_pkt
- };
-
--static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t));
-+static void ipcp_clear_addrs __P((int, u_int32_t, u_int32_t, bool));
- static void ipcp_script __P((char *, int)); /* Run an up/down script */
- static void ipcp_script_done __P((void *));
-
-@@ -1761,7 +1771,12 @@ ip_demand_conf(u)
- if (!sifnpmode(u, PPP_IP, NPMODE_QUEUE))
- return 0;
- if (wo->default_route)
-+#ifndef __linux__
- if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr))
-+#else
-+ if (sifdefaultroute(u, wo->ouraddr, wo->hisaddr,
-+ wo->replace_default_route))
-+#endif
- default_route_set[u] = 1;
- if (wo->proxy_arp)
- if (sifproxyarp(u, wo->hisaddr))
-@@ -1849,7 +1864,8 @@ ipcp_up(f)
- */
- if (demand) {
- if (go->ouraddr != wo->ouraddr || ho->hisaddr != wo->hisaddr) {
-- ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr);
-+ ipcp_clear_addrs(f->unit, wo->ouraddr, wo->hisaddr,
-+ wo->replace_default_route);
- if (go->ouraddr != wo->ouraddr) {
- warn("Local IP address changed to %I", go->ouraddr);
- script_setenv("OLDIPLOCAL", ip_ntoa(wo->ouraddr), 0);
-@@ -1874,7 +1890,12 @@ ipcp_up(f)
-
- /* assign a default route through the interface if required */
- if (ipcp_wantoptions[f->unit].default_route)
-+#ifndef __linux__
- if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+ wo->replace_default_route))
-+#endif
- default_route_set[f->unit] = 1;
-
- /* Make a proxy ARP entry if requested. */
-@@ -1924,7 +1945,12 @@ ipcp_up(f)
-
- /* assign a default route through the interface if required */
- if (ipcp_wantoptions[f->unit].default_route)
-+#ifndef __linux__
- if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr))
-+#else
-+ if (sifdefaultroute(f->unit, go->ouraddr, ho->hisaddr,
-+ wo->replace_default_route))
-+#endif
- default_route_set[f->unit] = 1;
-
- /* Make a proxy ARP entry if requested. */
-@@ -2002,7 +2028,7 @@ ipcp_down(f)
- sifnpmode(f->unit, PPP_IP, NPMODE_DROP);
- sifdown(f->unit);
- ipcp_clear_addrs(f->unit, ipcp_gotoptions[f->unit].ouraddr,
-- ipcp_hisoptions[f->unit].hisaddr);
-+ ipcp_hisoptions[f->unit].hisaddr, 0);
- }
-
- /* Execute the ip-down script */
-@@ -2018,16 +2044,25 @@ ipcp_down(f)
- * proxy arp entries, etc.
- */
- static void
--ipcp_clear_addrs(unit, ouraddr, hisaddr)
-+ipcp_clear_addrs(unit, ouraddr, hisaddr, replacedefaultroute)
- int unit;
- u_int32_t ouraddr; /* local address */
- u_int32_t hisaddr; /* remote address */
-+ bool replacedefaultroute;
- {
- if (proxy_arp_set[unit]) {
- cifproxyarp(unit, hisaddr);
- proxy_arp_set[unit] = 0;
- }
-- if (default_route_set[unit]) {
-+ /* If replacedefaultroute, sifdefaultroute will be called soon
-+ * with replacedefaultroute set and that will overwrite the current
-+ * default route. This is the case only when doing demand, otherwise
-+ * during demand, this cifdefaultroute would restore the old default
-+ * route which is not what we want in this case. In the non-demand
-+ * case, we'll delete the default route and restore the old if there
-+ * is one saved by an sifdefaultroute with replacedefaultroute.
-+ */
-+ if (!replacedefaultroute && default_route_set[unit]) {
- cifdefaultroute(unit, ouraddr, hisaddr);
- default_route_set[unit] = 0;
- }
-diff --git a/pppd/ipcp.h b/pppd/ipcp.h
-index 6cf14c990578..7ecfa79d8668 100644
---- a/pppd/ipcp.h
-+++ b/pppd/ipcp.h
-@@ -70,6 +70,7 @@ typedef struct ipcp_options {
- bool old_addrs; /* Use old (IP-Addresses) option? */
- bool req_addr; /* Ask peer to send IP address? */
- bool default_route; /* Assign default route through interface? */
-+ bool replace_default_route; /* Replace default route through interface? */
- bool proxy_arp; /* Make proxy ARP entry for peer? */
- bool neg_vj; /* Van Jacobson Compression? */
- bool old_vj; /* use old (short) form of VJ option? */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index ec8bfd5c0617..481aa8be672b 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -121,6 +121,11 @@ the gateway, when IPCP negotiation is successfully completed.
- This entry is removed when the PPP connection is broken. This option
- is privileged if the \fInodefaultroute\fR option has been specified.
- .TP
-+.B replacedefaultroute
-+This option is a flag to the defaultroute option. If defaultroute is
-+set and this flag is also set, pppd replaces an existing default route
-+with the new default route.
-+.TP
- .B disconnect \fIscript
- Execute the command specified by \fIscript\fR, by passing it to a
- shell, after
-@@ -739,7 +744,12 @@ disable both forms of hardware flow control.
- .TP
- .B nodefaultroute
- Disable the \fIdefaultroute\fR option. The system administrator who
--wishes to prevent users from creating default routes with pppd
-+wishes to prevent users from adding a default route with pppd
-+can do so by placing this option in the /etc/ppp/options file.
-+.TP
-+.B noreplacedefaultroute
-+Disable the \fIreplacedefaultroute\fR option. The system administrator who
-+wishes to prevent users from replacing a default route with pppd
- can do so by placing this option in the /etc/ppp/options file.
- .TP
- .B nodeflate
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 1a1bf0b99582..7495df657fe9 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -676,7 +676,11 @@ int sif6addr __P((int, eui64_t, eui64_t));
- int cif6addr __P((int, eui64_t, eui64_t));
- /* Remove an IPv6 address from i/f */
- #endif
-+#ifndef __linux__
- int sifdefaultroute __P((int, u_int32_t, u_int32_t));
-+#else
-+int sifdefaultroute __P((int, u_int32_t, u_int32_t, bool replace_default_rt));
-+#endif
- /* Create default route through i/f */
- int cifdefaultroute __P((int, u_int32_t, u_int32_t));
- /* Delete default route through i/f */
-diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
-index 6d29dc8e8594..3f0bbc33c605 100644
---- a/pppd/sys-linux.c
-+++ b/pppd/sys-linux.c
-@@ -207,6 +207,8 @@ static unsigned char inbuf[512]; /* buffer for chars read from loopback */
- static int if_is_up; /* Interface has been marked up */
- static int if6_is_up; /* Interface has been marked up for IPv6, to help differentiate */
- static int have_default_route; /* Gateway for default route added */
-+static struct rtentry old_def_rt; /* Old default route */
-+static int default_rt_repl_rest; /* replace and restore old default rt */
- static u_int32_t proxy_arp_addr; /* Addr for proxy arp entry added */
- static char proxy_arp_dev[16]; /* Device for proxy arp entry */
- static u_int32_t our_old_addr; /* for detecting address changes */
-@@ -1567,6 +1569,9 @@ static int read_route_table(struct rtentry *rt)
- p = NULL;
- }
-
-+ SET_SA_FAMILY (rt->rt_dst, AF_INET);
-+ SET_SA_FAMILY (rt->rt_gateway, AF_INET);
-+
- SIN_ADDR(rt->rt_dst) = strtoul(cols[route_dest_col], NULL, 16);
- SIN_ADDR(rt->rt_gateway) = strtoul(cols[route_gw_col], NULL, 16);
- SIN_ADDR(rt->rt_genmask) = strtoul(cols[route_mask_col], NULL, 16);
-@@ -1636,22 +1641,53 @@ int have_route_to(u_int32_t addr)
- /********************************************************************
- *
- * sifdefaultroute - assign a default route through the address given.
-- */
--
--int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
--{
-- struct rtentry rt;
--
-- if (defaultroute_exists(&rt) && strcmp(rt.rt_dev, ifname) != 0) {
-- if (rt.rt_flags & RTF_GATEWAY)
-- error("not replacing existing default route via %I",
-- SIN_ADDR(rt.rt_gateway));
-- else
-- error("not replacing existing default route through %s",
-- rt.rt_dev);
-- return 0;
-+ *
-+ * If the global default_rt_repl_rest flag is set, then this function
-+ * already replaced the original system defaultroute with some other
-+ * route and it should just replace the current defaultroute with
-+ * another one, without saving the current route. Use: demand mode,
-+ * when pppd sets first a defaultroute it it's temporary ppp0 addresses
-+ * and then changes the temporary addresses to the addresses for the real
-+ * ppp connection when it has come up.
-+ */
-+
-+int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway, bool replace)
-+{
-+ struct rtentry rt, tmp_rt;
-+ struct rtentry *del_rt = NULL;
-+
-+ if (default_rt_repl_rest) {
-+ /* We have already reclaced the original defaultroute, if we
-+ * are called again, we will delete the current default route
-+ * and set the new default route in this function.
-+ * - this is normally only the case the doing demand: */
-+ if (defaultroute_exists( &tmp_rt ))
-+ del_rt = &tmp_rt;
-+ } else if ( defaultroute_exists( &old_def_rt ) &&
-+ strcmp( old_def_rt.rt_dev, ifname ) != 0) {
-+ /* We did not yet replace an existing default route, let's
-+ * check if we should save and replace a default route:
-+ */
-+ u_int32_t old_gateway = SIN_ADDR(old_def_rt.rt_gateway);
-+
-+ if (old_gateway != gateway) {
-+ if (!replace) {
-+ error("not replacing default route to %s [%I]",
-+ old_def_rt.rt_dev, old_gateway);
-+ return 0;
-+ } else {
-+ // we need to copy rt_dev because we need it permanent too:
-+ char * tmp_dev = malloc(strlen(old_def_rt.rt_dev)+1);
-+ strcpy(tmp_dev, old_def_rt.rt_dev);
-+ old_def_rt.rt_dev = tmp_dev;
-+
-+ notice("replacing old default route to %s [%I]",
-+ old_def_rt.rt_dev, old_gateway);
-+ default_rt_repl_rest = 1;
-+ del_rt = &old_def_rt;
-+ }
-+ }
- }
--
- memset (&rt, 0, sizeof (rt));
- SET_SA_FAMILY (rt.rt_dst, AF_INET);
-
-@@ -1668,6 +1704,12 @@ int sifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
- error("default route ioctl(SIOCADDRT): %m");
- return 0;
- }
-+ if (default_rt_repl_rest && del_rt)
-+ if (ioctl(sock_fd, SIOCDELRT, del_rt) < 0) {
-+ if ( ! ok_error ( errno ))
-+ error("del old default route ioctl(SIOCDELRT): %m(%d)", errno);
-+ return 0;
-+ }
-
- have_default_route = 1;
- return 1;
-@@ -1703,6 +1745,16 @@ int cifdefaultroute (int unit, u_int32_t ouraddr, u_int32_t gateway)
- return 0;
- }
- }
-+ if (default_rt_repl_rest) {
-+ notice("restoring old default route to %s [%I]",
-+ old_def_rt.rt_dev, SIN_ADDR(old_def_rt.rt_gateway));
-+ if (ioctl(sock_fd, SIOCADDRT, &old_def_rt) < 0) {
-+ if ( ! ok_error ( errno ))
-+ error("restore default route ioctl(SIOCADDRT): %m(%d)", errno);
-+ return 0;
-+ }
-+ default_rt_repl_rest = 0;
-+ }
-
- return 1;
- }
diff --git a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch b/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
deleted file mode 100644
index 3cd1b78e7..000000000
--- a/patches/ppp-2.4.7/0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] add support for the Framed-MTU Radius attribute
-
-http://ppp.samba.org/cgi-bin/ppp-bugs/incoming?id=1532
-
-From: klepikov_a@up.ua
-To: ppp-bugs@ppp.samba.org
-Subject: Radius plugin does not set MTU on ppp interface
-Date: Mon, 22 Jan 2007 12:36:59 +0000 (GMT)
-
-Full_Name: Alexander Klepikov
-Version: 2.4.3
-OS: rhl 7.3 (2.4.20-28.7bigmem)
-Submission from: (NULL) (213.130.21.73)
-
-
-This patch allows radius plugin to deal with Framed-MTU Radius attribute and to
-set MTU on interface.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/radius.c | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
-index 4ba5f523ea07..06e00590b635 100644
---- a/pppd/plugins/radius/radius.c
-+++ b/pppd/plugins/radius/radius.c
-@@ -651,6 +651,9 @@ radius_setparams(VALUE_PAIR *vp, char *msg, REQUEST_INFO *req_info,
- memcpy(rstate.class, vp->strvalue, rstate.class_len);
- } /* else too big for our buffer - ignore it */
- break;
-+ case PW_FRAMED_MTU:
-+ netif_set_mtu(rstate.client_port,MIN(netif_get_mtu(rstate.client_port),vp->lvalue));
-+ break;
- }
-
-
diff --git a/patches/ppp-2.4.7/0030-018_ip-up_option.patch b/patches/ppp-2.4.7/0030-018_ip-up_option.patch
deleted file mode 100644
index 06cb2e5bb..000000000
--- a/patches/ppp-2.4.7/0030-018_ip-up_option.patch
+++ /dev/null
@@ -1,106 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] 018_ip up_option
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipcp.c | 8 ++++----
- pppd/main.c | 3 +++
- pppd/options.c | 9 +++++++++
- pppd/pppd.h | 2 ++
- 4 files changed, 18 insertions(+), 4 deletions(-)
-
-diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index dceca807542a..d6e0e2a699fe 100644
---- a/pppd/ipcp.c
-+++ b/pppd/ipcp.c
-@@ -1984,7 +1984,7 @@ ipcp_up(f)
- */
- if (ipcp_script_state == s_down && ipcp_script_pid == 0) {
- ipcp_script_state = s_up;
-- ipcp_script(_PATH_IPUP, 0);
-+ ipcp_script(path_ipup, 0);
- }
- }
-
-@@ -2034,7 +2034,7 @@ ipcp_down(f)
- /* Execute the ip-down script */
- if (ipcp_script_state == s_up && ipcp_script_pid == 0) {
- ipcp_script_state = s_down;
-- ipcp_script(_PATH_IPDOWN, 0);
-+ ipcp_script(path_ipdown, 0);
- }
- }
-
-@@ -2097,13 +2097,13 @@ ipcp_script_done(arg)
- case s_up:
- if (ipcp_fsm[0].state != OPENED) {
- ipcp_script_state = s_down;
-- ipcp_script(_PATH_IPDOWN, 0);
-+ ipcp_script(path_ipdown, 0);
- }
- break;
- case s_down:
- if (ipcp_fsm[0].state == OPENED) {
- ipcp_script_state = s_up;
-- ipcp_script(_PATH_IPUP, 0);
-+ ipcp_script(path_ipup, 0);
- }
- break;
- }
-diff --git a/pppd/main.c b/pppd/main.c
-index ed544315c1df..9164a1eb0f95 100644
---- a/pppd/main.c
-+++ b/pppd/main.c
-@@ -308,6 +308,9 @@ main(argc, argv)
- struct protent *protp;
- char numbuf[16];
-
-+ strlcpy(path_ipup, _PATH_IPUP, sizeof(path_ipup));
-+ strlcpy(path_ipdown, _PATH_IPDOWN, sizeof(path_ipdown));
-+
- link_stats_valid = 0;
- new_phase(PHASE_INITIALIZE);
-
-diff --git a/pppd/options.c b/pppd/options.c
-index 91da515ac533..a8f3aa4590a3 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -114,6 +114,8 @@ char linkname[MAXPATHLEN]; /* logical name for link */
- bool tune_kernel; /* may alter kernel settings */
- int connect_delay = 1000; /* wait this many ms after connect script */
- int req_unit = -1; /* requested interface unit */
-+char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
-+char path_ipdown[MAXPATHLEN];/* pathname of ip-down script */
- char req_ifname[MAXIFNAMELEN]; /* requested interface name */
- bool multilink = 0; /* Enable multilink operation */
- char *bundle_name = NULL; /* bundle name for multilink */
-@@ -304,6 +306,13 @@ option_t general_options[] = {
- "Unset user environment variable",
- OPT_A2PRINTER | OPT_NOPRINT, (void *)user_unsetprint },
-
-+ { "ip-up-script", o_string, path_ipup,
-+ "Set pathname of ip-up script",
-+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
-+ { "ip-down-script", o_string, path_ipdown,
-+ "Set pathname of ip-down script",
-+ OPT_PRIV|OPT_STATIC, NULL, MAXPATHLEN },
-+
- #ifdef HAVE_MULTILINK
- { "multilink", o_bool, &multilink,
- "Enable multilink operation", OPT_PRIO | 1 },
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index e65106d4c126..b11670586244 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -328,6 +328,8 @@ extern bool tune_kernel; /* May alter kernel settings as necessary */
- extern int connect_delay; /* Time to delay after connect script */
- extern int max_data_rate; /* max bytes/sec through charshunt */
- extern int req_unit; /* interface unit number to use */
-+extern char path_ipup[MAXPATHLEN]; /* pathname of ip-up script */
-+extern char path_ipdown[MAXPATHLEN]; /* pathname of ip-down script */
- extern char req_ifname[MAXIFNAMELEN]; /* interface name to use */
- extern bool multilink; /* enable multilink operation */
- extern bool noendpoint; /* don't send or accept endpt. discrim. */
diff --git a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch b/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
deleted file mode 100644
index 32629026c..000000000
--- a/patches/ppp-2.4.7/0031-ppp-2.4.2-stripMSdomain.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] ppp-2.4.2-stripMSdomain
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/chap-new.c | 11 +++++++++++
- 1 file changed, 11 insertions(+)
-
-diff --git a/pppd/chap-new.c b/pppd/chap-new.c
-index 2714bff64785..7fd7087a5e2c 100644
---- a/pppd/chap-new.c
-+++ b/pppd/chap-new.c
-@@ -58,6 +58,7 @@ int (*chap_verify_hook)(char *name, char *ourname, int id,
- int chap_timeout_time = 3;
- int chap_max_transmits = 10;
- int chap_rechallenge_time = 0;
-+int chapms_strip_domain = 0;
-
- /*
- * Command-line options.
-@@ -69,6 +70,8 @@ static option_t chap_option_list[] = {
- "Set max #xmits for challenge", OPT_PRIO },
- { "chap-interval", o_int, &chap_rechallenge_time,
- "Set interval for rechallenge", OPT_PRIO },
-+ { "chapms-strip-domain", o_bool, &chapms_strip_domain,
-+ "Strip the domain prefix before the Username", 1 },
- { NULL }
- };
-
-@@ -336,6 +339,14 @@ chap_handle_response(struct chap_server_state *ss, int id,
- /* Null terminate and clean remote name. */
- slprintf(rname, sizeof(rname), "%.*v", len, name);
- name = rname;
-+
-+ /* strip the MS domain name */
-+ if (chapms_strip_domain && strrchr(rname, '\\')) {
-+ char tmp[MAXNAMELEN+1];
-+
-+ strcpy(tmp, strrchr(rname, '\\') + 1);
-+ strcpy(rname, tmp);
-+ }
- }
-
- if (chap_verify_hook)
diff --git a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch b/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
deleted file mode 100644
index 6a2e17088..000000000
--- a/patches/ppp-2.4.7/0032-export-CALL_FILE-to-the-link-scripts.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] export $CALL_FILE to the link scripts
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/options.c | 1 +
- pppd/pppd.8 | 3 +++
- 2 files changed, 4 insertions(+)
-
-diff --git a/pppd/options.c b/pppd/options.c
-index a8f3aa4590a3..340797386dd6 100644
---- a/pppd/options.c
-+++ b/pppd/options.c
-@@ -1482,6 +1482,7 @@ callfile(argv)
- if ((fname = (char *) malloc(l)) == NULL)
- novm("call file name");
- slprintf(fname, l, "%s%s", _PATH_PEERFILES, arg);
-+ script_setenv("CALL_FILE", arg, 0);
-
- ok = options_from_file(fname, 1, 1, 1);
-
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 481aa8be672b..848ca8a16b77 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -1662,6 +1662,9 @@ the connection.
- .B LINKNAME
- The logical name of the link, set with the \fIlinkname\fR option.
- .TP
-+.B CALL_FILE
-+The value of the \fIcall\fR option.
-+.TP
- .B DNS1
- If the peer supplies DNS server addresses, this variable is set to the
- first DNS server address supplied (whether or not the usepeerdns
diff --git a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch b/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
deleted file mode 100644
index 01376cf14..000000000
--- a/patches/ppp-2.4.7/0033-ipv6-accept-remote.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] ipv6-accept-remote
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/ipv6cp.c | 5 ++++-
- pppd/ipv6cp.h | 3 ++-
- pppd/pppd.8 | 5 +++++
- 3 files changed, 11 insertions(+), 2 deletions(-)
-
-diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
-index c1602f41c206..432170462196 100644
---- a/pppd/ipv6cp.c
-+++ b/pppd/ipv6cp.c
-@@ -245,6 +245,8 @@ static option_t ipv6cp_option_list[] = {
-
- { "ipv6cp-accept-local", o_bool, &ipv6cp_allowoptions[0].accept_local,
- "Accept peer's interface identifier for us", 1 },
-+ { "ipv6cp-accept-remote", o_bool, &ipv6cp_allowoptions[0].accept_remote,
-+ "Accept peer's interface identifier for itself", 1 },
-
- { "ipv6cp-use-ipaddr", o_bool, &ipv6cp_allowoptions[0].use_ip,
- "Use (default) IPv4 address as interface identifier", 1 },
-@@ -435,6 +437,7 @@ ipv6cp_init(unit)
- memset(ao, 0, sizeof(*ao));
-
- wo->accept_local = 1;
-+ wo->accept_remote = 1;
- wo->neg_ifaceid = 1;
- ao->neg_ifaceid = 1;
-
-@@ -960,7 +963,7 @@ ipv6cp_reqci(f, inp, len, reject_if_disagree)
- orc = CONFREJ; /* Reject CI */
- break;
- }
-- if (!eui64_iszero(wo->hisid) &&
-+ if (!eui64_iszero(wo->hisid) && !wo->accept_remote &&
- !eui64_equals(ifaceid, wo->hisid) &&
- eui64_iszero(go->hisid)) {
-
-diff --git a/pppd/ipv6cp.h b/pppd/ipv6cp.h
-index 2f4c06ddc189..1617707ebbde 100644
---- a/pppd/ipv6cp.h
-+++ b/pppd/ipv6cp.h
-@@ -150,7 +150,8 @@
- typedef struct ipv6cp_options {
- int neg_ifaceid; /* Negotiate interface identifier? */
- int req_ifaceid; /* Ask peer to send interface identifier? */
-- int accept_local; /* accept peer's value for iface id? */
-+ int accept_local; /* accept peer's value for our iface id? */
-+ int accept_remote; /* accept peer's value for his iface id? */
- int opt_local; /* ourtoken set by option */
- int opt_remote; /* histoken set by option */
- int use_ip; /* use IP as interface identifier */
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 848ca8a16b77..65bbe721f761 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -463,6 +463,11 @@ With this option, pppd will accept the peer's idea of our local IPv6
- interface identifier, even if the local IPv6 interface identifier
- was specified in an option.
- .TP
-+.B ipv6cp\-accept\-remote
-+With this option, pppd will accept the peer's idea of its (remote)
-+IPv6 interface identifier, even if the remote IPv6 interface
-+identifier was specified in an option.
-+.TP
- .B ipv6cp\-max\-configure \fIn
- Set the maximum number of IPv6CP configure-request transmissions to
- \fIn\fR (default 10).
diff --git a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch b/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
deleted file mode 100644
index 2a8a029df..000000000
--- a/patches/ppp-2.4.7/0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] fix a potential buffer overflow in clientid.c:rc_map2id()
-
-This fixes the following compile-time warning when building with
--D_FORTIFY_SOURCE=2:
-
-In file included from /usr/include/string.h:638:0,
- from ./includes.h:26,
- from clientid.c:12:
-In function 'strncat',
- inlined from 'rc_map2id' at clientid.c:113:9:
-/usr/include/i386-linux-gnu/bits/string3.h:150:3: warning: call to
-__builtin___strncat_chk might overflow destination buffer [enabled by default]
- return __builtin___strncat_chk (__dest, __src, __len, __bos (__dest));
- ^
-
-Origin: vendor, https://build.opensuse.org/source/network/ppp/ppp-2.4.4-strncatfix.patch?rev=7a0fdeff0b29437dd7f4581c95c7255a
-Forwarded: no
-Reviewed-by: Chris Boot <bootc@debian.org>
-Last-Update: 2014-01-12
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/clientid.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/radius/clientid.c b/pppd/plugins/radius/clientid.c
-index d49579c43cc3..7de021139b56 100644
---- a/pppd/plugins/radius/clientid.c
-+++ b/pppd/plugins/radius/clientid.c
-@@ -110,7 +110,7 @@ UINT4 rc_map2id(char *name)
- if (*name != '/')
- strcpy(ttyname, "/dev/");
-
-- strncat(ttyname, name, sizeof(ttyname));
-+ strncat(ttyname, name, sizeof(ttyname)-strlen(ttyname)-1);
-
- for(p = map2id_list; p; p = p->next)
- if (!strcmp(ttyname, p->name)) return p->id;
diff --git a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch b/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
deleted file mode 100644
index e21f129ad..000000000
--- a/patches/ppp-2.4.7/0037-Fix-buffer-overflow-in-rc_mksid.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] Fix buffer overflow in rc_mksid()
-
- rc_mksid converts the PID of pppd to hex to generate a pseudo-unique string.
- .
- If the process id is bigger than 65535 (FFFF), its hex representation will be
- longer than 4 characters, resulting in a buffer overflow.
- .
- The bug can be exploited to cause a remote DoS.
- .
-Author: Emanuele Rocca <ema@debian.org>
-Bug-Debian: https://bugs.debian.org/782450
-Last-Update: <2015-04-14>
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/plugins/radius/util.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/pppd/plugins/radius/util.c b/pppd/plugins/radius/util.c
-index 6f976a712951..166bd5f31d7a 100644
---- a/pppd/plugins/radius/util.c
-+++ b/pppd/plugins/radius/util.c
-@@ -77,7 +77,7 @@ rc_mksid (void)
- static unsigned short int cnt = 0;
- sprintf (buf, "%08lX%04X%02hX",
- (unsigned long int) time (NULL),
-- (unsigned int) getpid (),
-+ (unsigned int) getpid () % 65535,
- cnt & 0xFF);
- cnt++;
- return buf;
diff --git a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch b/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
deleted file mode 100644
index bd462d4f8..000000000
--- a/patches/ppp-2.4.7/0038-EAP-TLS-authentication-support-for-PPP.patch
+++ /dev/null
@@ -1,3383 +0,0 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] EAP-TLS authentication support for PPP
-
-Origin: https://www.nikhef.nl/~janjust/ppp/download.html
-Bug-Debian: https://bugs.debian.org/602503
-Bug-Ubuntu: https://launchpad.net/bugs/643417
-Forwarded: not-needed
-Author: Jan Just Keijser <janjust@nikhef.nl>
-Last-Update: 2018-11-04
-
-This patch is based on ppp-2.4.7-eaptls-mppe-1.102.patch, with the following
-changes:
-
- - Patch refreshed to remove fuzz.
- - Trailing spaces removed.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- README.eap-tls | 291 +++++++++
- etc.ppp/eaptls-client | 10 +
- etc.ppp/eaptls-server | 11 +
- etc.ppp/openssl.cnf | 14 +
- linux/Makefile.top | 6 +-
- pppd/Makefile.linux | 12 +
- pppd/auth.c | 413 ++++++++++++-
- pppd/ccp.c | 20 +-
- pppd/chap-md5.c | 4 +
- pppd/eap-tls.c | 1383 +++++++++++++++++++++++++++++++++++++++++++
- pppd/eap-tls.h | 107 ++++
- pppd/eap.c | 463 ++++++++++++++-
- pppd/eap.h | 32 +-
- pppd/md5.c | 4 +
- pppd/md5.h | 3 +
- pppd/pathnames.h | 7 +
- pppd/plugins/Makefile.linux | 3 +
- pppd/plugins/passprompt.c | 3 +
- pppd/plugins/passwordfd.c | 4 +
- pppd/pppd.8 | 33 ++
- pppd/pppd.h | 9 +
- 21 files changed, 2825 insertions(+), 7 deletions(-)
- create mode 100644 README.eap-tls
- create mode 100644 etc.ppp/eaptls-client
- create mode 100644 etc.ppp/eaptls-server
- create mode 100644 etc.ppp/openssl.cnf
- create mode 100644 pppd/eap-tls.c
- create mode 100644 pppd/eap-tls.h
-
-diff --git a/README.eap-tls b/README.eap-tls
-new file mode 100644
-index 000000000000..107e84db5e81
---- /dev/null
-+++ b/README.eap-tls
-@@ -0,0 +1,291 @@
-+EAP-TLS authentication support for PPP
-+======================================
-+
-+1. Intro
-+
-+ The Extensible Authentication Protocol (EAP; RFC 3748) is a
-+ security protocol that can be used with PPP. It provides a means
-+ to plug in multiple optional authentication methods.
-+
-+ Transport Level Security (TLS; RFC 5216) provides for mutual
-+ authentication, integrity-protected ciphersuite negotiation and
-+ key exchange between two endpoints. It also provides for optional
-+ MPPE encryption.
-+
-+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
-+ allowing TLS mutual authentication to be used as a generic EAP
-+ mechanism. It also provides optional encryption using the MPPE
-+ protocol.
-+
-+ This patch provide EAP-TLS support to pppd.
-+ This authentication method can be used in both client or server
-+ mode.
-+
-+2. Building
-+
-+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
-+ is required. Any version from 0.9.7 should work.
-+
-+ Configure, compile, and install as usual.
-+
-+3. Configuration
-+
-+ On the client side there are two ways to configure EAP-TLS:
-+
-+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
-+
-+ 2. edit the /etc/ppp/eaptls-client file.
-+ Insert a line for each system with which you use EAP-TLS.
-+ The line is composed of this fields separated by tab:
-+
-+ - Client name
-+ The name used by the client for authentication, can be *
-+ - Server name
-+ The name of the server, can be *
-+ - Client certificate file
-+ The file containing the certificate chain for the
-+ client in PEM format
-+ - Server certificate file
-+ If you want to specify the certificate that the
-+ server is allowed to use, put the certificate file name.
-+ Else put a dash '-'.
-+ - CA certificate file
-+ The file containing the trusted CA certificates in PEM
-+ format.
-+ - Client private key file
-+ The file containing the client private key in PEM format.
-+
-+
-+ On the server side edit the /etc/ppp/eaptls-server file.
-+ Insert a line for each system with which you use EAP-TLS.
-+ The line is composed of this fields separated by tab:
-+
-+ - Client name
-+ The name used by the client for authentication, can be *
-+ - Server name
-+ The name of the server, can be *
-+ - Client certificate file
-+ If you want to specify the certificate that the
-+ client is allowed to use, put the certificate file name.
-+ Else put a dash '-'.
-+ - Server certificate file
-+ The file containing the certificate chain for the
-+ server in PEM format
-+ - CA certificate file
-+ The file containing the trusted CA certificates in PEM format.
-+ - Client private key file
-+ The file containing the server private key in PEM format.
-+ - addresses
-+ A list of IP addresses the client is allowed to use.
-+
-+
-+ OpenSSL engine support is included starting with v0.95 of this patch.
-+ Currently the only engine tested is the 'pkcs11' engine (hardware token
-+ support). To use the 'pksc11' engine:
-+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
-+ <engine>:<identifier>
-+ e.g.
-+ pkcs11:123456
-+
-+ - The certificate can also be loaded from the 'pkcs11' engine using
-+ a special client certificate filename in the /etc/ppp/eaptls-client file:
-+ <engine>:<identifier>
-+ e.g.
-+ pkcs11:123456
-+
-+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
-+ to starting 'pppd'. A sample openssl.cnf file is
-+
-+ openssl_conf = openssl_def
-+
-+ [ openssl_def ]
-+ engines = engine_section
-+
-+ [ engine_section ]
-+ pkcs11 = pkcs11_section
-+
-+ [ pkcs11_section ]
-+ engine_id = pkcs11
-+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
-+ MODULE_PATH = /usr/lib64/libeTPkcs11.so
-+ init = 0
-+
-+ - There are two ways to specify a password/PIN for the PKCS11 engine:
-+ - inside the openssl.cnf file using
-+ PIN = your-secret-pin
-+ Note The keyword 'PIN' is case sensitive!
-+ - Using the 'password' in the ppp options file.
-+ From v0.97 of the eap-tls patch the password can also be supplied
-+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
-+ for an example).
-+
-+
-+4. Options
-+
-+ These pppd options are available:
-+
-+ ca <ca-file>
-+ Use the CA public certificate found in <ca-file> in PEM format
-+ cert <cert-file>
-+ Use the client public certificate found in <cert-file> in PEM format
-+ or in engine:engine_id format
-+ key <key-file>
-+ Use the client private key found in <key-file> in PEM format
-+ or in engine:engine_id format
-+ crl <crl-file>
-+ Use the Certificate Revocation List (CRL) file <crl-file> in PEM format.
-+ crl-dir <dir>
-+ Use CRL files from directory <dir>. It contains CRL files in PEM
-+ format and each file contains a CRL. The files are looked up
-+ by the issuer name hash value. Use the c_rehash utility
-+ to create necessary links.
-+ need-peer-eap
-+ If the peer doesn't ask us to authenticate or doesn't use eap
-+ to authenticate us, disconnect.
-+
-+ Note:
-+ password-encrypted certificates can be used as of v0.94 of this
-+ patch. The password for the eap-tls.key file is specified using
-+ the regular
-+ password ....
-+ statement in the ppp options file, or by using the appropriate
-+ plugin which supplies a 'eaptls_passwd_hook' routine.
-+
-+5. Connecting
-+
-+ If you're setting up a pppd server, edit the EAP-TLS configuration file
-+ as written above and then run pppd with the 'auth' option to authenticate
-+ the client. The EAP-TLS method will be used if the other eap methods can't
-+ be used (no secrets).
-+
-+ If you're setting up a client, edit the configuration file and then run
-+ pppd with 'remotename' option to specify the server name. Add the
-+ 'need-peer-eap' option if you want to be sure the peer ask you to
-+ authenticate (and to use eap) and to disconnect if it doesn't.
-+
-+6. Example
-+
-+ The following example can be used to connect a Linux client with the 'pptp'
-+ package to a Linux server running the 'pptpd' (PoPToP) package. The server
-+ was configured with a certificate with name (CN) 'pptp-server', the client
-+ was configured with a certificate with name (CN) 'pptp-client', both
-+ signed by the same Certificate Authority (CA).
-+
-+ Server side:
-+ - /etc/pptpd.conf file:
-+ option /etc/ppp/options-pptpd-eaptls
-+ localip 172.16.1.1
-+ remoteip 172.16.1.10-20
-+ - /etc/ppp/options-pptpd-eaptls file:
-+ name pptp-server
-+ lock
-+ mtu 1500
-+ mru 1450
-+ auth
-+ lcp-echo-failure 3
-+ lcp-echo-interval 5
-+ nodeflate
-+ nobsdcomp
-+ nopredictor1
-+ nopcomp
-+ noaccomp
-+
-+ require-eap
-+ require-mppe-128
-+
-+ crl /home/janjust/ppp/keys/crl.pem
-+
-+ debug
-+ logfile /tmp/pppd.log
-+
-+ - /etc/ppp/eaptls-server file:
-+ * pptp-server - /etc/ppp/pptp-server.crt /etc/ppp/ca.crt /etc/ppp/pptp-server.key *
-+
-+ - On the server, run
-+ pptdp --conf /etc/pptpd.conf
-+
-+ Client side:
-+ - Run
-+ pppd noauth require-eap require-mppe-128 \
-+ ipcp-accept-local ipcp-accept-remote noipdefault \
-+ cert /etc/ppp/keys/pptp-client.crt \
-+ key /etc/ppp/keys/pptp-client.key \
-+ ca /etc/ppp/keys/ca.crt \
-+ name pptp-client remotename pptp-server \
-+ debug logfile /tmp/pppd.log
-+ pty "pptp pptp-server.example.com --nolaunchpppd"
-+
-+ Check /var/log/messages and the files /tmp/pppd.log on both sides for debugging info.
-+
-+7. Notes
-+
-+ This is experimental code.
-+ Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl>
-+
-+8. Changelog of ppp-<>-eaptls-mppe-* patches
-+
-+v0.7 (22-Nov-2005)
-+ - First version of the patch to include MPPE support
-+ - ppp-2.4.3 only
-+v0.9 (25-Jul-2006)
-+ - Bug fixes
-+ - First version for ppp-2.4.4
-+v0.91 (03-Sep-2006)
-+ - Added missing #include for md5.h
-+ - Last version for ppp-2.4.3
-+v0.92 (22-Apr-2008)
-+ - Fix for openssl 0.9.8 issue with md5 function overload.
-+v0.93 (14-Aug-2008)
-+ - Make sure 'noauth' option can be used to bypass server certificate verification.
-+v0.94 (15-Oct-2008)
-+ - Added support for password-protected private keys by (ab)using the 'password' field.
-+v0.95 (23-Dec-2009)
-+ - First version with OpenSSL engine support.
-+v0.96 (27-Jan-2010)
-+ - Added fully functional support for OpenSSL engines (PKCS#11)
-+ - First version for ppp-2.4.5
-+v0.97 (20-Apr-2010)
-+ - Some bug fixes for v0.96
-+ - Added support for entering the password via a plugin. The sample plugin
-+ .../pppd/plugins/passprompt.c has been extended with EAP-TLS support.
-+ The "old" methods using the password option or the /etc/ppp/openssl.cnf file still work.
-+ - Added support for specifying the client CA, certificate and private key on the command-line
-+ or via the ppp config file.
-+v0.98 (20-Apr-2010)
-+ - Fix initialisation bug when using ca/cert/key command-line options.
-+ - Last version for ppp-2.4.4
-+v0.99 (05-Oct-2010)
-+ - Fix coredump when using multilink option.
-+v0.991 (08-Aug-2011)
-+ - Fix compilation issue with openssl 1.0.
-+v0.992 (01-Dec-2011)
-+ - Fix compilation issue with eaptls_check_hook and passwordfd plugin.
-+v0.993 (24-Apr-2012)
-+ - Fix compilation issue when EAP_TLS=n in pppd/Makefile.
-+v0.994 (11-Jun-2012)
-+ - Fix compilation issue on Ubuntu 11.10.
-+v0.995 (27-May-2014)
-+ - Add support for a CRL file using the command-line option 'crl'
-+ (prior only 'crl-dir' was supported).
-+ - Fix segfault when pkcs11 enginename was not specified correctly.
-+ - Fix segfault when client was misconfigured.
-+ - Disable SSL Session Ticket support as Windows 8 does not support this.
-+v0.996 (28-May-2014)
-+ - Fix minor bug where SessionTicket message was printed as 'Unknown SSL3 code 4'
-+ - Add EAP-TLS-specific options to pppd.8 manual page.
-+ - Updated README.eap-tls file with new options and provide an example.
-+v0.997 (19-Jun-2014)
-+ - Change SSL_OP_NO_TICKETS to SSL_OP_NO_TICKET
-+ - Fix bug in initialisation code with fragmented packets.
-+v0.998 (13-Mar-2015)
-+ - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1023620
-+v0.999 (11-May-2017)
-+ - Add support for OpenSSL 1.1: the code will now compile against OpenSSL 1.0.x or 1.1.x.
-+v1.101 (1-Jun-2018)
-+ - Fix vulnerabilities CVE-2018-11574.
-+v1.102 (2-Nov-2018)
-+ - Add TLS 1.2 support. Windows 7/8 will connect using TLS 1.0, Windows 10 clients using TLS 1.2.
-+ This works both when compiling against OpenSSL 1.0.1+ and 1.1+.
-+ - Print warning when certificate is either not yet valid or has expired.
-+ - Perform better peer certificate checks.
-+ - Allow certificate chain files to be used.
-diff --git a/etc.ppp/eaptls-client b/etc.ppp/eaptls-client
-new file mode 100644
-index 000000000000..7782f0e2a065
---- /dev/null
-+++ b/etc.ppp/eaptls-client
-@@ -0,0 +1,10 @@
-+# Parameters for authentication using EAP-TLS (client)
-+
-+# client name (can be *)
-+# server name (can be *)
-+# client certificate file (required)
-+# server certificate file (optional, if unused put '-')
-+# CA certificate file (required)
-+# client private key file (required)
-+
-+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
-diff --git a/etc.ppp/eaptls-server b/etc.ppp/eaptls-server
-new file mode 100644
-index 000000000000..fa53cbd197cf
---- /dev/null
-+++ b/etc.ppp/eaptls-server
-@@ -0,0 +1,11 @@
-+# Parameters for authentication using EAP-TLS (server)
-+
-+# client name (can be *)
-+# server name (can be *)
-+# client certificate file (optional, if unused put '-')
-+# server certificate file (required)
-+# CA certificate file (required)
-+# server private key file (required)
-+# allowed addresses (required, can be *)
-+
-+#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24
-diff --git a/etc.ppp/openssl.cnf b/etc.ppp/openssl.cnf
-new file mode 100644
-index 000000000000..dd32f305d680
---- /dev/null
-+++ b/etc.ppp/openssl.cnf
-@@ -0,0 +1,14 @@
-+openssl_conf = openssl_def
-+
-+[ openssl_def ]
-+engines = engine_section
-+
-+[ engine_section ]
-+pkcs11 = pkcs11_section
-+
-+[ pkcs11_section ]
-+engine_id = pkcs11
-+dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
-+MODULE_PATH = /usr/lib64/libeTPkcs11.so
-+init = 0
-+
-diff --git a/linux/Makefile.top b/linux/Makefile.top
-index f63d45e58a78..894f8f32c9e4 100644
---- a/linux/Makefile.top
-+++ b/linux/Makefile.top
-@@ -26,7 +26,7 @@ install-progs:
- cd pppdump; $(MAKE) $(MFLAGS) install
-
- install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \
-- $(ETCDIR)/chap-secrets
-+ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client
-
- install-devel:
- cd pppd; $(MAKE) $(MFLAGS) install-devel
-@@ -37,6 +37,10 @@ $(ETCDIR)/pap-secrets:
- $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@
- $(ETCDIR)/chap-secrets:
- $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@
-+$(ETCDIR)/eaptls-server:
-+ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@
-+$(ETCDIR)/eaptls-client:
-+ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@
-
- $(BINDIR):
- $(INSTALL) -d -m 755 $@
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 5549145e5791..4a11d5fea748 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -76,6 +76,9 @@ CBCP=y
- # Use libutil
- USE_LIBUTIL=y
-
-+# Enable EAP-TLS authentication (requires libssl and libcrypto)
-+USE_EAPTLS=y
-+
- MAXOCTETS=y
-
- INCLUDE_DIRS= -I../include
-@@ -116,6 +119,15 @@ HEADERS += sha1.h
- PPPDOBJS += sha1.o
- endif
-
-+# EAP-TLS
-+ifdef USE_EAPTLS
-+CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
-+LIBS += -lssl -lcrypto
-+PPPDSRC += eap-tls.c
-+HEADERS += eap-tls.h
-+PPPDOBJS += eap-tls.o
-+endif
-+
- ifdef HAS_SHADOW
- CFLAGS += -DHAS_SHADOW
- #LIBS += -lshadow $(LIBS)
-diff --git a/pppd/auth.c b/pppd/auth.c
-index 4271af687102..45065c58bfcc 100644
---- a/pppd/auth.c
-+++ b/pppd/auth.c
-@@ -109,6 +109,9 @@
- #include "upap.h"
- #include "chap-new.h"
- #include "eap.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#endif
- #ifdef CBCP_SUPPORT
- #include "cbcp.h"
- #endif
-@@ -183,6 +186,11 @@ int (*chap_check_hook) __P((void)) = NULL;
- /* Hook for a plugin to get the CHAP password for authenticating us */
- int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL;
-
-+#ifdef USE_EAPTLS
-+/* Hook for a plugin to get the EAP-TLS password for authenticating us */
-+int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL;
-+#endif
-+
- /* Hook for a plugin to say whether it is OK if the peer
- refuses to authenticate. */
- int (*null_auth_hook) __P((struct wordlist **paddrs,
-@@ -238,6 +246,14 @@ bool explicit_remote = 0; /* User specified explicit remote name */
- bool explicit_user = 0; /* Set if "user" option supplied */
- bool explicit_passwd = 0; /* Set if "password" option supplied */
- char remote_name[MAXNAMELEN]; /* Peer's name for authentication */
-+#ifdef USE_EAPTLS
-+char *cacert_file = NULL; /* CA certificate file (pem format) */
-+char *cert_file = NULL; /* client certificate file (pem format) */
-+char *privkey_file = NULL; /* client private key file (pem format) */
-+char *crl_dir = NULL; /* directory containing CRL files */
-+char *crl_file = NULL; /* Certificate Revocation List (CRL) file (pem format) */
-+bool need_peer_eap = 0; /* Require peer to authenticate us */
-+#endif
-
- static char *uafname; /* name of most recent +ua file */
-
-@@ -254,6 +270,19 @@ static int have_pap_secret __P((int *));
- static int have_chap_secret __P((char *, char *, int, int *));
- static int have_srp_secret __P((char *client, char *server, int need_ip,
- int *lacks_ipp));
-+
-+#ifdef USE_EAPTLS
-+static int have_eaptls_secret_server
-+__P((char *client, char *server, int need_ip, int *lacks_ipp));
-+static int have_eaptls_secret_client __P((char *client, char *server));
-+static int scan_authfile_eaptls __P((FILE * f, char *client, char *server,
-+ char *cli_cert, char *serv_cert,
-+ char *ca_cert, char *pk,
-+ struct wordlist ** addrs,
-+ struct wordlist ** opts,
-+ char *filename, int flags));
-+#endif
-+
- static int ip_addr_check __P((u_int32_t, struct permitted_ip *));
- static int scan_authfile __P((FILE *, char *, char *, char *,
- struct wordlist **, struct wordlist **,
-@@ -401,6 +430,15 @@ option_t auth_options[] = {
- "Set telephone number(s) which are allowed to connect",
- OPT_PRIV | OPT_A2LIST },
-
-+#ifdef USE_EAPTLS
-+ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" },
-+ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" },
-+ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" },
-+ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" },
-+ { "crl", o_string, &crl_file, "Use specific CRL file" },
-+ { "need-peer-eap", o_bool, &need_peer_eap,
-+ "Require the peer to authenticate us", 1 },
-+#endif /* USE_EAPTLS */
- { NULL }
- };
-
-@@ -730,6 +768,9 @@ link_established(unit)
- lcp_options *wo = &lcp_wantoptions[unit];
- lcp_options *go = &lcp_gotoptions[unit];
- lcp_options *ho = &lcp_hisoptions[unit];
-+#ifdef USE_EAPTLS
-+ lcp_options *ao = &lcp_allowoptions[unit];
-+#endif
- int i;
- struct protent *protp;
-
-@@ -764,6 +805,22 @@ link_established(unit)
- }
- }
-
-+#ifdef USE_EAPTLS
-+ if (need_peer_eap && !ao->neg_eap) {
-+ warn("eap required to authenticate us but no suitable secrets");
-+ lcp_close(unit, "couldn't negotiate eap");
-+ status = EXIT_AUTH_TOPEER_FAILED;
-+ return;
-+ }
-+
-+ if (need_peer_eap && !ho->neg_eap) {
-+ warn("peer doesn't want to authenticate us with eap");
-+ lcp_close(unit, "couldn't negotiate eap");
-+ status = EXIT_PEER_AUTH_FAILED;
-+ return;
-+ }
-+#endif
-+
- new_phase(PHASE_AUTHENTICATE);
- auth = 0;
- if (go->neg_eap) {
-@@ -1277,6 +1334,15 @@ auth_check_options()
- our_name, 1, &lacks_ip);
- }
-
-+#ifdef USE_EAPTLS
-+ if (!can_auth && wo->neg_eap) {
-+ can_auth =
-+ have_eaptls_secret_server((explicit_remote ? remote_name :
-+ NULL), our_name, 1, &lacks_ip);
-+
-+ }
-+#endif
-+
- if (auth_required && !can_auth && noauth_addrs == NULL) {
- if (default_auth) {
- option_error(
-@@ -1331,7 +1397,11 @@ auth_reset(unit)
- passwd[0] != 0 ||
- (hadchap == 1 || (hadchap == -1 && have_chap_secret(user,
- (explicit_remote? remote_name: NULL), 0, NULL))) ||
-- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL));
-+ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)
-+#ifdef USE_EAPTLS
-+ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL))
-+#endif
-+ );
-
- hadchap = -1;
- if (go->neg_upap && !uselogin && !have_pap_secret(NULL))
-@@ -1346,8 +1416,14 @@ auth_reset(unit)
- !have_chap_secret((explicit_remote? remote_name: NULL), our_name,
- 1, NULL))) &&
- !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1,
-- NULL))
-+ NULL)
-+#ifdef USE_EAPTLS
-+ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL),
-+ our_name, 1, NULL)
-+#endif
-+ )
- go->neg_eap = 0;
-+
- }
-
-
-@@ -1707,6 +1783,7 @@ have_srp_secret(client, server, need_ip, lacks_ipp)
- }
-
-
-+
- /*
- * get_secret - open the CHAP secret file and return the secret
- * for authenticating the given client on the given server.
-@@ -2359,3 +2436,335 @@ auth_script(script)
-
- auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0);
- }
-+
-+
-+#ifdef USE_EAPTLS
-+static int
-+have_eaptls_secret_server(client, server, need_ip, lacks_ipp)
-+ char *client;
-+ char *server;
-+ int need_ip;
-+ int *lacks_ipp;
-+{
-+ FILE *f;
-+ int ret;
-+ char *filename;
-+ struct wordlist *addrs;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+
-+ filename = _PATH_EAPTLSSERVFILE;
-+ f = fopen(filename, "r");
-+ if (f == NULL)
-+ return 0;
-+
-+ if (client != NULL && client[0] == 0)
-+ client = NULL;
-+ else if (server != NULL && server[0] == 0)
-+ server = NULL;
-+
-+ ret =
-+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
-+ cacertfile, pkfile, &addrs, NULL, filename,
-+ 0);
-+
-+ fclose(f);
-+
-+/*
-+ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile,
-+ clicertfile, pkfile))
-+ ret = -1;
-+*/
-+
-+ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) {
-+ if (lacks_ipp != 0)
-+ *lacks_ipp = 1;
-+ ret = -1;
-+ }
-+ if (addrs != 0)
-+ free_wordlist(addrs);
-+
-+ return ret >= 0;
-+}
-+
-+
-+static int
-+have_eaptls_secret_client(client, server)
-+ char *client;
-+ char *server;
-+{
-+ FILE *f;
-+ int ret;
-+ char *filename;
-+ struct wordlist *addrs = NULL;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+
-+ if (client != NULL && client[0] == 0)
-+ client = NULL;
-+ else if (server != NULL && server[0] == 0)
-+ server = NULL;
-+
-+ if (cacert_file && cert_file && privkey_file)
-+ return 1;
-+
-+ filename = _PATH_EAPTLSCLIFILE;
-+ f = fopen(filename, "r");
-+ if (f == NULL)
-+ return 0;
-+
-+ ret =
-+ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile,
-+ cacertfile, pkfile, &addrs, NULL, filename,
-+ 0);
-+ fclose(f);
-+
-+/*
-+ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile,
-+ servcertfile, pkfile))
-+ ret = -1;
-+*/
-+
-+ if (addrs != 0)
-+ free_wordlist(addrs);
-+
-+ return ret >= 0;
-+}
-+
-+
-+static int
-+scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk,
-+ addrs, opts, filename, flags)
-+ FILE *f;
-+ char *client;
-+ char *server;
-+ char *cli_cert;
-+ char *serv_cert;
-+ char *ca_cert;
-+ char *pk;
-+ struct wordlist **addrs;
-+ struct wordlist **opts;
-+ char *filename;
-+ int flags;
-+{
-+ int newline;
-+ int got_flag, best_flag;
-+ struct wordlist *ap, *addr_list, *alist, **app;
-+ char word[MAXWORDLEN];
-+
-+ if (addrs != NULL)
-+ *addrs = NULL;
-+ if (opts != NULL)
-+ *opts = NULL;
-+ addr_list = NULL;
-+ if (!getword(f, word, &newline, filename))
-+ return -1; /* file is empty??? */
-+ newline = 1;
-+ best_flag = -1;
-+ for (;;) {
-+ /*
-+ * Skip until we find a word at the start of a line.
-+ */
-+ while (!newline && getword(f, word, &newline, filename));
-+ if (!newline)
-+ break; /* got to end of file */
-+
-+ /*
-+ * Got a client - check if it's a match or a wildcard.
-+ */
-+ got_flag = 0;
-+ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) {
-+ newline = 0;
-+ continue;
-+ }
-+ if (!ISWILD(word))
-+ got_flag = NONWILD_CLIENT;
-+
-+ /*
-+ * Now get a server and check if it matches.
-+ */
-+ if (!getword(f, word, &newline, filename))
-+ break;
-+ if (newline)
-+ continue;
-+ if (!ISWILD(word)) {
-+ if (server != NULL && strcmp(word, server) != 0)
-+ continue;
-+ got_flag |= NONWILD_SERVER;
-+ }
-+
-+ /*
-+ * Got some sort of a match - see if it's better than what
-+ * we have already.
-+ */
-+ if (got_flag <= best_flag)
-+ continue;
-+
-+ /*
-+ * Get the cli_cert
-+ */
-+ if (!getword(f, word, &newline, filename))
-+ break;
-+ if (newline)
-+ continue;
-+ if (strcmp(word, "-") != 0) {
-+ strlcpy(cli_cert, word, MAXWORDLEN);
-+ } else
-+ cli_cert[0] = 0;
-+
-+ /*
-+ * Get serv_cert
-+ */
-+ if (!getword(f, word, &newline, filename))
-+ break;
-+ if (newline)
-+ continue;
-+ if (strcmp(word, "-") != 0) {
-+ strlcpy(serv_cert, word, MAXWORDLEN);
-+ } else
-+ serv_cert[0] = 0;
-+
-+ /*
-+ * Get ca_cert
-+ */
-+ if (!getword(f, word, &newline, filename))
-+ break;
-+ if (newline)
-+ continue;
-+ strlcpy(ca_cert, word, MAXWORDLEN);
-+
-+ /*
-+ * Get pk
-+ */
-+ if (!getword(f, word, &newline, filename))
-+ break;
-+ if (newline)
-+ continue;
-+ strlcpy(pk, word, MAXWORDLEN);
-+
-+
-+ /*
-+ * Now read address authorization info and make a wordlist.
-+ */
-+ app = &alist;
-+ for (;;) {
-+ if (!getword(f, word, &newline, filename) || newline)
-+ break;
-+ ap = (struct wordlist *)
-+ malloc(sizeof(struct wordlist) + strlen(word) + 1);
-+ if (ap == NULL)
-+ novm("authorized addresses");
-+ ap->word = (char *) (ap + 1);
-+ strcpy(ap->word, word);
-+ *app = ap;
-+ app = &ap->next;
-+ }
-+ *app = NULL;
-+ /*
-+ * This is the best so far; remember it.
-+ */
-+ best_flag = got_flag;
-+ if (addr_list)
-+ free_wordlist(addr_list);
-+ addr_list = alist;
-+
-+ if (!newline)
-+ break;
-+ }
-+
-+ /* scan for a -- word indicating the start of options */
-+ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next)
-+ if (strcmp(ap->word, "--") == 0)
-+ break;
-+ /* ap = start of options */
-+ if (ap != NULL) {
-+ ap = ap->next; /* first option */
-+ free(*app); /* free the "--" word */
-+ *app = NULL; /* terminate addr list */
-+ }
-+ if (opts != NULL)
-+ *opts = ap;
-+ else if (ap != NULL)
-+ free_wordlist(ap);
-+ if (addrs != NULL)
-+ *addrs = addr_list;
-+ else if (addr_list != NULL)
-+ free_wordlist(addr_list);
-+
-+ return best_flag;
-+}
-+
-+
-+int
-+get_eaptls_secret(unit, client, server, clicertfile, servcertfile,
-+ cacertfile, pkfile, am_server)
-+ int unit;
-+ char *client;
-+ char *server;
-+ char *clicertfile;
-+ char *servcertfile;
-+ char *cacertfile;
-+ char *pkfile;
-+ int am_server;
-+{
-+ FILE *fp;
-+ int ret;
-+ char *filename = NULL;
-+ struct wordlist *addrs = NULL;
-+ struct wordlist *opts = NULL;
-+
-+ /* in client mode the ca+cert+privkey can also be specified as options */
-+ if (!am_server && cacert_file && cert_file && privkey_file )
-+ {
-+ strlcpy( clicertfile, cert_file, MAXWORDLEN );
-+ strlcpy( cacertfile, cacert_file, MAXWORDLEN );
-+ strlcpy( pkfile, privkey_file, MAXWORDLEN );
-+ servcertfile[0] = '\0';
-+ }
-+ else
-+ {
-+ filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE);
-+ addrs = NULL;
-+
-+ fp = fopen(filename, "r");
-+ if (fp == NULL)
-+ {
-+ error("Can't open eap-tls secret file %s: %m", filename);
-+ return 0;
-+ }
-+
-+ check_access(fp, filename);
-+
-+ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile,
-+ cacertfile, pkfile, &addrs, &opts, filename, 0);
-+
-+ fclose(fp);
-+
-+ if (ret < 0) return 0;
-+ }
-+
-+ if (eaptls_passwd_hook)
-+ {
-+ dbglog( "Calling eaptls password hook" );
-+ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0)
-+ {
-+ error("Unable to obtain EAP-TLS password for %s (%s) from plugin",
-+ client, pkfile);
-+ return 0;
-+ }
-+ }
-+ if (am_server)
-+ set_allowed_addrs(unit, addrs, opts);
-+ else if (opts != NULL)
-+ free_wordlist(opts);
-+ if (addrs != NULL)
-+ free_wordlist(addrs);
-+
-+ return 1;
-+}
-+#endif
-+
-diff --git a/pppd/ccp.c b/pppd/ccp.c
-index 7d7922afcfc0..0a93b15aeef3 100644
---- a/pppd/ccp.c
-+++ b/pppd/ccp.c
-@@ -540,6 +540,9 @@ ccp_resetci(f)
- if (go->mppe) {
- ccp_options *ao = &ccp_allowoptions[f->unit];
- int auth_mschap_bits = auth_done[f->unit];
-+#ifdef USE_EAPTLS
-+ int auth_eap_bits = auth_done[f->unit];
-+#endif
- int numbits;
-
- /*
-@@ -567,8 +570,23 @@ ccp_resetci(f)
- lcp_close(f->unit, "MPPE required but not available");
- return;
- }
-+
-+#ifdef USE_EAPTLS
-+ /*
-+ * MPPE is also possible in combination with EAP-TLS.
-+ * It is not possible to detect if we're doing EAP or EAP-TLS
-+ * at this stage, hence we accept all forms of EAP. If TLS is
-+ * not used then the MPPE keys will not be derived anyway.
-+ */
-+ /* Leave only the eap auth bits set */
-+ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER );
-+
-+ if ((numbits == 0) && (auth_eap_bits == 0)) {
-+ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed.");
-+#else
- if (!numbits) {
-- error("MPPE required, but MS-CHAP[v2] auth not performed.");
-+ error("MPPE required, but MS-CHAP[v2] auth not performed.");
-+#endif
- lcp_close(f->unit, "MPPE required but not available");
- return;
- }
-diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
-index 77dd4ecc7059..269b52cb2041 100644
---- a/pppd/chap-md5.c
-+++ b/pppd/chap-md5.c
-@@ -36,7 +36,11 @@
- #include "chap-new.h"
- #include "chap-md5.h"
- #include "magic.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#else
- #include "md5.h"
-+#endif /* USE_EAPTLS */
-
- #define MD5_HASH_SIZE 16
- #define MD5_MIN_CHALLENGE 16
-diff --git a/pppd/eap-tls.c b/pppd/eap-tls.c
-new file mode 100644
-index 000000000000..df4bc1b996c9
---- /dev/null
-+++ b/pppd/eap-tls.c
-@@ -0,0 +1,1383 @@
-+/* * eap-tls.c - EAP-TLS implementation for PPP
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#include <string.h>
-+#include <unistd.h>
-+#include <sys/types.h>
-+#include <sys/stat.h>
-+#include <fcntl.h>
-+
-+#include <openssl/conf.h>
-+#include <openssl/engine.h>
-+#include <openssl/hmac.h>
-+#include <openssl/err.h>
-+#include <openssl/x509v3.h>
-+
-+#include "pppd.h"
-+#include "eap.h"
-+#include "eap-tls.h"
-+#include "fsm.h"
-+#include "lcp.h"
-+#include "pathnames.h"
-+
-+/* The openssl configuration file and engines can be loaded only once */
-+static CONF *ssl_config = NULL;
-+static ENGINE *cert_engine = NULL;
-+static ENGINE *pkey_engine = NULL;
-+
-+#ifdef MPPE
-+
-+#define EAPTLS_MPPE_KEY_LEN 32
-+
-+/*
-+ * The following stuff is only needed if SSL_export_keying_material() is not available
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10001000L
-+
-+/*
-+ * https://wiki.openssl.org/index.php/1.1_API_Changes
-+ * tries to provide some guidance but ultimately falls short.
-+ *
-+ */
-+
-+static void HMAC_CTX_free(HMAC_CTX *ctx)
-+{
-+ if (ctx != NULL) {
-+ HMAC_CTX_cleanup(ctx);
-+ OPENSSL_free(ctx);
-+ }
-+}
-+
-+static HMAC_CTX *HMAC_CTX_new(void)
-+{
-+ HMAC_CTX *ctx = OPENSSL_malloc(sizeof(*ctx));
-+ if (ctx != NULL)
-+ HMAC_CTX_init(ctx);
-+ return ctx;
-+}
-+
-+static size_t SSL_get_client_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->client_random);
-+ if (outlen > sizeof(ssl->s3->client_random))
-+ outlen = sizeof(ssl->s3->client_random);
-+ memcpy(out, ssl->s3->client_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_get_server_random(const SSL *ssl, unsigned char *out,
-+ size_t outlen)
-+{
-+ if (outlen == 0)
-+ return sizeof(ssl->s3->server_random);
-+ if (outlen > sizeof(ssl->s3->server_random))
-+ outlen = sizeof(ssl->s3->server_random);
-+ memcpy(out, ssl->s3->server_random, outlen);
-+ return outlen;
-+}
-+
-+static size_t SSL_SESSION_get_master_key(const SSL_SESSION *session,
-+ unsigned char *out, size_t outlen)
-+{
-+ if (outlen == 0)
-+ return session->master_key_length;
-+ if (outlen > session->master_key_length)
-+ outlen = session->master_key_length;
-+ memcpy(out, session->master_key, outlen);
-+ return outlen;
-+}
-+
-+
-+/*
-+ * TLS PRF from RFC 2246
-+ */
-+static void P_hash(const EVP_MD *evp_md,
-+ const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned int out_len)
-+{
-+ HMAC_CTX *ctx_a, *ctx_out;
-+ unsigned char a[HMAC_MAX_MD_CBLOCK];
-+ unsigned int size;
-+
-+ ctx_a = HMAC_CTX_new();
-+ ctx_out = HMAC_CTX_new();
-+ HMAC_Init_ex(ctx_a, secret, secret_len, evp_md, NULL);
-+ HMAC_Init_ex(ctx_out, secret, secret_len, evp_md, NULL);
-+
-+ size = HMAC_size(ctx_out);
-+
-+ /* Calculate A(1) */
-+ HMAC_Update(ctx_a, seed, seed_len);
-+ HMAC_Final(ctx_a, a, NULL);
-+
-+ while (1) {
-+ /* Calculate next part of output */
-+ HMAC_Update(ctx_out, a, size);
-+ HMAC_Update(ctx_out, seed, seed_len);
-+
-+ /* Check if last part */
-+ if (out_len < size) {
-+ HMAC_Final(ctx_out, a, NULL);
-+ memcpy(out, a, out_len);
-+ break;
-+ }
-+
-+ /* Place digest in output buffer */
-+ HMAC_Final(ctx_out, out, NULL);
-+ HMAC_Init_ex(ctx_out, NULL, 0, NULL, NULL);
-+ out += size;
-+ out_len -= size;
-+
-+ /* Calculate next A(i) */
-+ HMAC_Init_ex(ctx_a, NULL, 0, NULL, NULL);
-+ HMAC_Update(ctx_a, a, size);
-+ HMAC_Final(ctx_a, a, NULL);
-+ }
-+
-+ HMAC_CTX_free(ctx_a);
-+ HMAC_CTX_free(ctx_out);
-+ memset(a, 0, sizeof(a));
-+}
-+
-+static void PRF(const unsigned char *secret, unsigned int secret_len,
-+ const unsigned char *seed, unsigned int seed_len,
-+ unsigned char *out, unsigned char *buf, unsigned int out_len)
-+{
-+ unsigned int i;
-+ unsigned int len = (secret_len + 1) / 2;
-+ const unsigned char *s1 = secret;
-+ const unsigned char *s2 = secret + (secret_len - len);
-+
-+ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len);
-+ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len);
-+
-+ for (i=0; i < out_len; i++) {
-+ out[i] ^= buf[i];
-+ }
-+}
-+
-+static int SSL_export_keying_material(SSL *s, unsigned char *out, size_t olen,
-+ const char *label, size_t llen,
-+ const unsigned char *p, size_t plen,
-+ int use_context)
-+{
-+ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE];
-+ unsigned char buf[4*EAPTLS_MPPE_KEY_LEN];
-+ unsigned char master_key[SSL_MAX_MASTER_KEY_LENGTH];
-+ size_t master_key_length;
-+ unsigned char *pp;
-+
-+ pp = seed;
-+
-+ memcpy(pp, label, llen);
-+ pp += llen;
-+
-+ llen += SSL_get_client_random(s, pp, SSL3_RANDOM_SIZE);
-+ pp += SSL3_RANDOM_SIZE;
-+
-+ llen += SSL_get_server_random(s, pp, SSL3_RANDOM_SIZE);
-+
-+ master_key_length = SSL_SESSION_get_master_key(SSL_get_session(s), master_key,
-+ sizeof(master_key));
-+ PRF(master_key, master_key_length, seed, llen, out, buf, olen);
-+
-+ return 1;
-+}
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10001000L */
-+
-+
-+/*
-+ * OpenSSL 1.1+ introduced a generic TLS_method()
-+ * For older releases we substitute the appropriate method
-+ */
-+
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+
-+#define TLS_method SSLv23_method
-+
-+#define SSL3_RT_HEADER 0x100
-+
-+#endif /* OPENSSL_VERSION_NUMBER < 0x10100000L */
-+
-+
-+/*
-+ * Generate keys according to RFC 2716 and add to reply
-+ */
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label,
-+ int client)
-+{
-+ unsigned char out[4*EAPTLS_MPPE_KEY_LEN];
-+ size_t prf_size = strlen(prf_label);
-+ unsigned char *p;
-+
-+ if (SSL_export_keying_material(ets->ssl, out, sizeof(out), prf_label, prf_size, NULL, 0, 0) != 1)
-+ {
-+ warn( "EAP-TLS: Failed generating keying material" );
-+ return;
-+ }
-+
-+ /*
-+ * We now have the master send and receive keys.
-+ * From these, generate the session send and receive keys.
-+ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details)
-+ */
-+ if (client)
-+ {
-+ p = out;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ }
-+ else
-+ {
-+ p = out;
-+ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) );
-+ p += EAPTLS_MPPE_KEY_LEN;
-+ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) );
-+ }
-+
-+ mppe_keys_set = 1;
-+}
-+
-+#endif
-+
-+void log_ssl_errors( void )
-+{
-+ unsigned long ssl_err = ERR_get_error();
-+
-+ if (ssl_err != 0)
-+ dbglog("EAP-TLS SSL error stack:");
-+ while (ssl_err != 0) {
-+ dbglog( ERR_error_string( ssl_err, NULL ) );
-+ ssl_err = ERR_get_error();
-+ }
-+}
-+
-+
-+int password_callback (char *buf, int size, int rwflag, void *u)
-+{
-+ if (buf)
-+ {
-+ strncpy (buf, passwd, size);
-+ return strlen (buf);
-+ }
-+ return 0;
-+}
-+
-+
-+CONF *eaptls_ssl_load_config( void )
-+{
-+ CONF *config;
-+ int ret_code;
-+ long error_line = 33;
-+
-+ config = NCONF_new( NULL );
-+ dbglog( "Loading OpenSSL config file" );
-+ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line );
-+ if (ret_code == 0)
-+ {
-+ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line );
-+ NCONF_free( config );
-+ config = NULL;
-+ ERR_clear_error();
-+ }
-+
-+ dbglog( "Loading OpenSSL built-ins" );
-+ ENGINE_load_builtin_engines();
-+ OPENSSL_load_builtin_modules();
-+
-+ dbglog( "Loading OpenSSL configured modules" );
-+ if (CONF_modules_load( config, NULL, 0 ) <= 0 )
-+ {
-+ warn( "EAP-TLS: Error loading OpenSSL modules" );
-+ log_ssl_errors();
-+ config = NULL;
-+ }
-+
-+ return config;
-+}
-+
-+ENGINE *eaptls_ssl_load_engine( char *engine_name )
-+{
-+ ENGINE *e = NULL;
-+
-+ dbglog( "Enabling OpenSSL auto engines" );
-+ ENGINE_register_all_complete();
-+
-+ dbglog( "Loading OpenSSL '%s' engine support", engine_name );
-+ e = ENGINE_by_id( engine_name );
-+ if (!e)
-+ {
-+ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name );
-+ e = ENGINE_by_id( "dynamic" );
-+ if (e)
-+ {
-+ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0)
-+ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
-+ {
-+ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+ else
-+ {
-+ warn( "EAP-TLS: Cannot load dynamic engine support" );
-+ }
-+ }
-+
-+ if (e)
-+ {
-+ dbglog( "Initialising engine" );
-+ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
-+ {
-+ warn( "EAP-TLS: Cannot use that engine" );
-+ log_ssl_errors();
-+ ENGINE_free(e);
-+ e = NULL;
-+ }
-+ }
-+
-+ return e;
-+}
-+
-+/*
-+ * Initialize the SSL stacks and tests if certificates, key and crl
-+ * for client or server use can be loaded.
-+ */
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+ char *certfile, char *peer_certfile, char *privkeyfile)
-+{
-+ char *cert_engine_name = NULL;
-+ char *cert_identifier = NULL;
-+ char *pkey_engine_name = NULL;
-+ char *pkey_identifier = NULL;
-+ SSL_CTX *ctx;
-+ SSL *ssl;
-+ X509_STORE *certstore;
-+ X509_LOOKUP *lookup;
-+ X509 *tmp;
-+ int ret;
-+
-+ /*
-+ * Without these can't continue
-+ */
-+ if (!cacertfile[0])
-+ {
-+ error("EAP-TLS: CA certificate missing");
-+ return NULL;
-+ }
-+
-+ if (!certfile[0])
-+ {
-+ error("EAP-TLS: User certificate missing");
-+ return NULL;
-+ }
-+
-+ if (!privkeyfile[0])
-+ {
-+ error("EAP-TLS: User private key missing");
-+ return NULL;
-+ }
-+
-+ SSL_library_init();
-+ SSL_load_error_strings();
-+
-+ ctx = SSL_CTX_new(TLS_method());
-+
-+ if (!ctx) {
-+ error("EAP-TLS: Cannot initialize SSL CTX context");
-+ goto fail;
-+ }
-+
-+ /* if the certificate filename is of the form engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the certificate filename starts with a / or . then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL )
-+ {
-+ cert_identifier = index( certfile, ':' );
-+
-+ if (cert_identifier)
-+ {
-+ cert_engine_name = certfile;
-+ *cert_identifier = '\0';
-+ cert_identifier++;
-+
-+ dbglog( "Found certificate engine '%s'", cert_engine_name );
-+ dbglog( "Found certificate identifier '%s'", cert_identifier );
-+ }
-+ }
-+
-+ /* if the privatekey filename is of the form engine:id. e.g.
-+ pkcs11:12345
-+ then we try to load and use this engine.
-+ If the privatekey filename starts with a / or . then we
-+ ALWAYS assume it is a file and not an engine/pkcs11 identifier
-+ */
-+ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL )
-+ {
-+ pkey_identifier = index( privkeyfile, ':' );
-+
-+ if (pkey_identifier)
-+ {
-+ pkey_engine_name = privkeyfile;
-+ *pkey_identifier = '\0';
-+ pkey_identifier++;
-+
-+ dbglog( "Found privatekey engine '%s'", pkey_engine_name );
-+ dbglog( "Found privatekey identifier '%s'", pkey_identifier );
-+ }
-+ }
-+
-+ if (cert_identifier && pkey_identifier)
-+ {
-+ if (strlen( cert_identifier ) == 0)
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" );
-+ else
-+ {
-+ dbglog( "Substituting privatekey identifier for certificate identifier" );
-+ cert_identifier = pkey_identifier;
-+ }
-+ }
-+ else
-+ {
-+ if (strlen( pkey_identifier ) == 0)
-+ {
-+ dbglog( "Substituting certificate identifier for privatekey identifier" );
-+ pkey_identifier = cert_identifier;
-+ }
-+ }
-+
-+ }
-+
-+ /* load the openssl config file only once */
-+ if (!ssl_config)
-+ {
-+ if (cert_engine_name || pkey_engine_name)
-+ ssl_config = eaptls_ssl_load_config();
-+
-+ if (ssl_config && cert_engine_name)
-+ cert_engine = eaptls_ssl_load_engine( cert_engine_name );
-+
-+ if (ssl_config && pkey_engine_name)
-+ {
-+ /* don't load the same engine twice */
-+ if ( cert_engine && strcmp( cert_engine_name, pkey_engine_name) == 0 )
-+ pkey_engine = cert_engine;
-+ else
-+ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name );
-+ }
-+ }
-+
-+ SSL_CTX_set_default_passwd_cb (ctx, password_callback);
-+
-+ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL))
-+ {
-+ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile);
-+ goto fail;
-+ }
-+
-+ if (init_server)
-+ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile));
-+
-+ if (cert_engine)
-+ {
-+ struct
-+ {
-+ const char *s_slot_cert_id;
-+ X509 *cert;
-+ } cert_info;
-+
-+ cert_info.s_slot_cert_id = cert_identifier;
-+ cert_info.cert = NULL;
-+
-+ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) )
-+ {
-+ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier );
-+ goto fail;
-+ }
-+
-+ if (cert_info.cert)
-+ {
-+ dbglog( "Got the certificate, adding it to SSL context" );
-+ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) );
-+ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier);
-+ log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_certificate_chain_file(ctx, certfile))
-+ {
-+ error( "EAP-TLS: Cannot use public certificate %s", certfile );
-+ goto fail;
-+ }
-+ }
-+
-+
-+ /*
-+ * Check the Before and After dates of the certificate
-+ */
-+ ssl = SSL_new(ctx);
-+ tmp = SSL_get_certificate(ssl);
-+
-+ ret = X509_cmp_time(X509_get_notBefore(tmp), NULL);
-+ if (ret == 0)
-+ {
-+ warn( "EAP-TLS: Failed to read certificate notBefore field.");
-+ }
-+ if (ret > 0)
-+ {
-+ warn( "EAP-TLS: Your certificate is not yet valid!");
-+ }
-+
-+ ret = X509_cmp_time(X509_get_notAfter(tmp), NULL);
-+ if (ret == 0)
-+ {
-+ warn( "EAP-TLS: Failed to read certificate notAfter field.");
-+ }
-+ if (ret < 0)
-+ {
-+ warn( "EAP-TLS: Your certificate has expired!");
-+ }
-+ SSL_free(ssl);
-+
-+ if (pkey_engine)
-+ {
-+ EVP_PKEY *pkey = NULL;
-+ PW_CB_DATA cb_data;
-+
-+ cb_data.password = passwd;
-+ cb_data.prompt_info = pkey_identifier;
-+
-+ dbglog( "Loading private key '%s' from engine", pkey_identifier );
-+ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data);
-+ if (pkey)
-+ {
-+ dbglog( "Got the private key, adding it to SSL context" );
-+ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0)
-+ {
-+ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier);
-+ goto fail;
-+ }
-+ }
-+ else
-+ {
-+ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier);
-+ log_ssl_errors();
-+ }
-+ }
-+ else
-+ {
-+ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM))
-+ {
-+ error("EAP-TLS: Cannot use private key %s", privkeyfile);
-+ goto fail;
-+ }
-+ }
-+
-+ if (SSL_CTX_check_private_key(ctx) != 1) {
-+ error("EAP-TLS: Private key %s fails security check", privkeyfile);
-+ goto fail;
-+ }
-+
-+ /* Explicitly set the NO_TICKETS flag to support Win7/Win8 clients */
-+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3
-+#ifdef SSL_OP_NO_TICKET
-+ | SSL_OP_NO_TICKET
-+#endif
-+ );
-+
-+ SSL_CTX_set_verify_depth(ctx, 5);
-+ SSL_CTX_set_verify(ctx,
-+ SSL_VERIFY_PEER |
-+ SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
-+ &ssl_verify_callback);
-+
-+ if (crl_dir) {
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+
-+ if (!(lookup =
-+ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) {
-+ error("EAP-TLS: Store lookup for CRL failed");
-+
-+ goto fail;
-+ }
-+
-+ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM);
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+ }
-+
-+ if (crl_file) {
-+ FILE *fp = NULL;
-+ X509_CRL *crl = NULL;
-+
-+ fp = fopen(crl_file, "r");
-+ if (!fp) {
-+ error("EAP-TLS: Cannot open CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ crl = PEM_read_X509_CRL(fp, NULL, NULL, NULL);
-+ if (!crl) {
-+ error("EAP-TLS: Cannot read CRL file '%s'", crl_file);
-+ goto fail;
-+ }
-+
-+ if (!(certstore = SSL_CTX_get_cert_store(ctx))) {
-+ error("EAP-TLS: Failed to get certificate store");
-+ goto fail;
-+ }
-+ if (!X509_STORE_add_crl(certstore, crl)) {
-+ error("EAP-TLS: Cannot add CRL to certificate store");
-+ goto fail;
-+ }
-+ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK);
-+
-+ }
-+
-+ /*
-+ * If a peer certificate file was specified, it must be valid, else fail
-+ */
-+ if (peer_certfile[0]) {
-+ if (!(tmp = get_X509_from_file(peer_certfile))) {
-+ error("EAP-TLS: Error loading client certificate from file %s",
-+ peer_certfile);
-+ goto fail;
-+ }
-+ X509_free(tmp);
-+ }
-+
-+ return ctx;
-+
-+fail:
-+ log_ssl_errors();
-+ SSL_CTX_free(ctx);
-+ return NULL;
-+}
-+
-+/*
-+ * Determine the maximum packet size by looking at the LCP handshake
-+ */
-+
-+int eaptls_get_mtu(int unit)
-+{
-+ int mtu, mru;
-+
-+ lcp_options *wo = &lcp_wantoptions[unit];
-+ lcp_options *go = &lcp_gotoptions[unit];
-+ lcp_options *ho = &lcp_hisoptions[unit];
-+ lcp_options *ao = &lcp_allowoptions[unit];
-+
-+ mtu = ho->neg_mru? ho->mru: PPP_MRU;
-+ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU;
-+ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10;
-+
-+ dbglog("MTU = %d", mtu);
-+ return mtu;
-+}
-+
-+
-+/*
-+ * Init the ssl handshake (server mode)
-+ */
-+int eaptls_init_ssl_server(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_server.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_server.ea_session;
-+
-+ if (!esp->es_server.ea_peer) {
-+ error("EAP-TLS: Error: client name not set (BUG)");
-+ return 0;
-+ }
-+
-+ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN);
-+
-+ dbglog( "getting eaptls secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer,
-+ esp->es_server.ea_name, clicertfile,
-+ servcertfile, cacertfile, pkfile, 1)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_server.ea_peer, esp->es_server.ea_name );
-+ return 0;
-+ }
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ if (!(ets->ssl = SSL_new(ets->ctx)))
-+ goto fail;
-+
-+ /*
-+ * Set auto-retry to avoid timeouts on BIO_read
-+ */
-+ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY);
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ ets->into_ssl = BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_accept_state(ets->ssl);
-+
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the client certificate file, store it in ets->peercertfile,
-+ * so we can check it later in ssl_verify_callback()
-+ */
-+ if (clicertfile[0])
-+ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+}
-+
-+/*
-+ * Init the ssl handshake (client mode)
-+ */
-+int eaptls_init_ssl_client(eap_state * esp)
-+{
-+ struct eaptls_session *ets;
-+ char servcertfile[MAXWORDLEN];
-+ char clicertfile[MAXWORDLEN];
-+ char cacertfile[MAXWORDLEN];
-+ char pkfile[MAXWORDLEN];
-+
-+ /*
-+ * Allocate new eaptls session
-+ */
-+ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session));
-+ if (!esp->es_client.ea_session)
-+ fatal("Allocation error");
-+ ets = esp->es_client.ea_session;
-+
-+ /*
-+ * If available, copy server name in ets; it will be used in cert
-+ * verify
-+ */
-+ if (esp->es_client.ea_peer)
-+ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN);
-+ else
-+ ets->peer[0] = 0;
-+
-+ ets->mtu = eaptls_get_mtu(esp->es_unit);
-+
-+ dbglog( "calling get_eaptls_secret" );
-+ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name,
-+ ets->peer, clicertfile,
-+ servcertfile, cacertfile, pkfile, 0)) {
-+ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"",
-+ esp->es_client.ea_name, ets->peer );
-+ return 0;
-+ }
-+
-+ dbglog( "calling eaptls_init_ssl" );
-+ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile);
-+ if (!ets->ctx)
-+ goto fail;
-+
-+ ets->ssl = SSL_new(ets->ctx);
-+
-+ if (!ets->ssl)
-+ goto fail;
-+
-+ /*
-+ * Initialize the BIOs we use to read/write to ssl engine
-+ */
-+ dbglog( "Initializing SSL BIOs" );
-+ ets->into_ssl = BIO_new(BIO_s_mem());
-+ ets->from_ssl = BIO_new(BIO_s_mem());
-+ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl);
-+
-+ SSL_set_msg_callback(ets->ssl, ssl_msg_callback);
-+ SSL_set_msg_callback_arg(ets->ssl, ets);
-+
-+ /*
-+ * Attach the session struct to the connection, so we can later
-+ * retrieve it when doing certificate verification
-+ */
-+ SSL_set_ex_data(ets->ssl, 0, ets);
-+
-+ SSL_set_connect_state(ets->ssl);
-+
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->alert_sent = 0;
-+ ets->alert_recv = 0;
-+
-+ /*
-+ * If we specified the server certificate file, store it in
-+ * ets->peercertfile, so we can check it later in
-+ * ssl_verify_callback()
-+ */
-+ if (servcertfile[0])
-+ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN);
-+ else
-+ ets->peercertfile[0] = 0;
-+
-+ return 1;
-+
-+fail:
-+ dbglog( "eaptls_init_ssl_client: fail" );
-+ SSL_CTX_free(ets->ctx);
-+ return 0;
-+
-+}
-+
-+void eaptls_free_session(struct eaptls_session *ets)
-+{
-+ if (ets->ssl)
-+ SSL_free(ets->ssl);
-+
-+ if (ets->ctx)
-+ SSL_CTX_free(ets->ctx);
-+
-+ free(ets);
-+}
-+
-+/*
-+ * Handle a received packet, reassembling fragmented messages and
-+ * passing them to the ssl engine
-+ */
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len)
-+{
-+ u_char flags;
-+ u_int tlslen = 0;
-+ u_char dummy[65536];
-+
-+ if (len < 1) {
-+ warn("EAP-TLS: received no or invalid data");
-+ return 1;
-+ }
-+
-+ GETCHAR(flags, inp);
-+ len--;
-+
-+ if (flags & EAP_TLS_FLAGS_LI && len > 4) {
-+ /*
-+ * LenghtIncluded flag set -> this is the first packet of a message
-+ */
-+
-+ /*
-+ * the first 4 octets are the length of the EAP-TLS message
-+ */
-+ GETLONG(tlslen, inp);
-+ len -= 4;
-+
-+ if (!ets->data) {
-+
-+ if (tlslen > EAP_TLS_MAX_LEN) {
-+ error("EAP-TLS: TLS message length > %d, truncated", EAP_TLS_MAX_LEN);
-+ tlslen = EAP_TLS_MAX_LEN;
-+ }
-+
-+ /*
-+ * Allocate memory for the whole message
-+ */
-+ ets->data = malloc(tlslen);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = tlslen;
-+ }
-+ else
-+ warn("EAP-TLS: non-first LI packet? that's odd...");
-+ }
-+ else if (!ets->data) {
-+ /*
-+ * A non fragmented message without LI flag
-+ */
-+
-+ ets->data = malloc(len);
-+ if (!ets->data)
-+ fatal("EAP-TLS: allocation error\n");
-+
-+ ets->datalen = 0;
-+ ets->tlslen = len;
-+ }
-+
-+ if (flags & EAP_TLS_FLAGS_MF)
-+ ets->frag = 1;
-+ else
-+ ets->frag = 0;
-+
-+ if (len < 0) {
-+ warn("EAP-TLS: received malformed data");
-+ return 1;
-+ }
-+
-+ if (len + ets->datalen > ets->tlslen) {
-+ warn("EAP-TLS: received data > TLS message length");
-+ return 1;
-+ }
-+
-+ BCOPY(inp, ets->data + ets->datalen, len);
-+ ets->datalen += len;
-+
-+ if (!ets->frag) {
-+
-+ /*
-+ * If we have the whole message, pass it to ssl
-+ */
-+
-+ if (ets->datalen != ets->tlslen) {
-+ warn("EAP-TLS: received data != TLS message length");
-+ return 1;
-+ }
-+
-+ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1)
-+ log_ssl_errors();
-+
-+ SSL_read(ets->ssl, dummy, 65536);
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Return an eap-tls packet in outp.
-+ * A TLS message read from the ssl engine is buffered in ets->data.
-+ * At each call we control if there is buffered data and send a
-+ * packet of mtu bytes.
-+ */
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp)
-+{
-+ bool first = 0;
-+ int size;
-+ u_char fromtls[65536];
-+ int res;
-+ u_char *start;
-+
-+ start = *outp;
-+
-+ if (!ets->data) {
-+
-+ if(!ets->alert_sent)
-+ SSL_read(ets->ssl, fromtls, 65536);
-+
-+ /*
-+ * Read from ssl
-+ */
-+ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1)
-+ {
-+ warn("EAP-TLS send: No data from BIO_read");
-+ return 1;
-+ }
-+
-+ ets->datalen = res;
-+
-+ ets->data = malloc(ets->datalen);
-+ BCOPY(fromtls, ets->data, ets->datalen);
-+
-+ ets->offset = 0;
-+ first = 1;
-+
-+ }
-+
-+ size = ets->datalen - ets->offset;
-+
-+ if (size > ets->mtu) {
-+ size = ets->mtu;
-+ ets->frag = 1;
-+ } else
-+ ets->frag = 0;
-+
-+ PUTCHAR(EAPT_TLS, *outp);
-+
-+ /*
-+ * Set right flags and length if necessary
-+ */
-+ if (ets->frag && first) {
-+ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp);
-+ PUTLONG(ets->datalen, *outp);
-+ } else if (ets->frag) {
-+ PUTCHAR(EAP_TLS_FLAGS_MF, *outp);
-+ } else
-+ PUTCHAR(0, *outp);
-+
-+ /*
-+ * Copy the data in outp
-+ */
-+ BCOPY(ets->data + ets->offset, *outp, size);
-+ INCPTR(size, *outp);
-+
-+ /*
-+ * Copy the packet in retransmission buffer
-+ */
-+ BCOPY(start, &ets->rtx[0], *outp - start);
-+ ets->rtx_len = *outp - start;
-+
-+ ets->offset += size;
-+
-+ if (ets->offset >= ets->datalen) {
-+
-+ /*
-+ * The whole message has been sent
-+ */
-+
-+ free(ets->data);
-+ ets->data = NULL;
-+ ets->datalen = 0;
-+ ets->offset = 0;
-+ }
-+
-+ return 0;
-+}
-+
-+/*
-+ * Get the sent packet from the retransmission buffer
-+ */
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp)
-+{
-+ BCOPY(ets->rtx, *outp, ets->rtx_len);
-+ INCPTR(ets->rtx_len, *outp);
-+}
-+
-+/*
-+ * Verify a certificate.
-+ * Most of the work (signatures and issuer attributes checking)
-+ * is done by ssl; we check the CN in the peer certificate
-+ * against the peer name.
-+ */
-+int ssl_verify_callback(int ok, X509_STORE_CTX * ctx)
-+{
-+ char subject[256];
-+ char cn_str[256];
-+ X509 *peer_cert;
-+ int err, depth;
-+ SSL *ssl;
-+ struct eaptls_session *ets;
-+
-+ peer_cert = X509_STORE_CTX_get_current_cert(ctx);
-+ err = X509_STORE_CTX_get_error(ctx);
-+ depth = X509_STORE_CTX_get_error_depth(ctx);
-+
-+ dbglog("certificate verify depth: %d", depth);
-+
-+ if (auth_required && !ok) {
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ dbglog("Certificate verification error:\n depth: %d CN: %s"
-+ "\n err: %d (%s)\n", depth, cn_str, err,
-+ X509_verify_cert_error_string(err));
-+
-+ return 0;
-+ }
-+
-+ ssl = X509_STORE_CTX_get_ex_data(ctx,
-+ SSL_get_ex_data_X509_STORE_CTX_idx());
-+
-+ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0);
-+
-+ if (ets == NULL) {
-+ error("Error: SSL_get_ex_data returned NULL");
-+ return 0;
-+ }
-+
-+ log_ssl_errors();
-+
-+ if (!depth) { /* This is the peer certificate */
-+
-+ X509_NAME_oneline(X509_get_subject_name(peer_cert),
-+ subject, 256);
-+
-+ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert),
-+ NID_commonName, cn_str, 256);
-+
-+ /*
-+ * If acting as client and the name of the server wasn't specified
-+ * explicitely, we can't verify the server authenticity
-+ */
-+ if (!ets->peer[0]) {
-+ warn("Peer name not specified: no check");
-+ return ok;
-+ }
-+
-+ /*
-+ * Check the CN
-+ */
-+ if (strcmp(cn_str, ets->peer)) {
-+ error
-+ ("Certificate verification error: CN (%s) != peer_name (%s)",
-+ cn_str, ets->peer);
-+ return 0;
-+ }
-+
-+ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer);
-+
-+ /*
-+ * If a peer certificate file was specified, here we check it
-+ */
-+ if (ets->peercertfile[0]) {
-+ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert)
-+ != 0) {
-+ error
-+ ("Peer certificate doesn't match stored certificate");
-+ return 0;
-+ }
-+ }
-+ }
-+
-+ return ok;
-+}
-+
-+/*
-+ * Compare a certificate with the one stored in a file
-+ */
-+int ssl_cmp_certs(char *filename, X509 * a)
-+{
-+ X509 *b;
-+ int ret;
-+
-+ if (!(b = get_X509_from_file(filename)))
-+ return 1;
-+
-+ ret = X509_cmp(a, b);
-+ X509_free(b);
-+
-+ return ret;
-+
-+}
-+
-+X509 *get_X509_from_file(char *filename)
-+{
-+ FILE *fp;
-+ X509 *ret;
-+
-+ if (!(fp = fopen(filename, "r")))
-+ return NULL;
-+
-+ ret = PEM_read_X509(fp, NULL, NULL, NULL);
-+
-+ fclose(fp);
-+
-+ return ret;
-+}
-+
-+/*
-+ * Every sent & received message this callback function is invoked,
-+ * so we know when alert messages have arrived or are sent and
-+ * we can print debug information about TLS handshake.
-+ */
-+void
-+ssl_msg_callback(int write_p, int version, int content_type,
-+ const void *buf, size_t len, SSL * ssl, void *arg)
-+{
-+ char string[256];
-+ struct eaptls_session *ets = (struct eaptls_session *)arg;
-+ unsigned char code;
-+ const unsigned char*msg = buf;
-+ int hvers = msg[1] << 8 | msg[2];
-+
-+ if(write_p)
-+ strcpy(string, " -> ");
-+ else
-+ strcpy(string, " <- ");
-+
-+ switch(content_type) {
-+
-+ case SSL3_RT_HEADER:
-+ strcat(string, "SSL/TLS Header: ");
-+ switch(hvers) {
-+ case SSL3_VERSION:
-+ strcat(string, "SSL 3.0");
-+ break;
-+ case TLS1_VERSION:
-+ strcat(string, "TLS 1.0");
-+ break;
-+ case TLS1_1_VERSION:
-+ strcat(string, "TLS 1.1");
-+ break;
-+ case TLS1_2_VERSION:
-+ strcat(string, "TLS 1.2");
-+ break;
-+ default:
-+ strcat(string, "Unknown version");
-+ }
-+ break;
-+
-+ case SSL3_RT_ALERT:
-+ strcat(string, "Alert: ");
-+ code = msg[1];
-+
-+ if (write_p) {
-+ ets->alert_sent = 1;
-+ ets->alert_sent_desc = code;
-+ } else {
-+ ets->alert_recv = 1;
-+ ets->alert_recv_desc = code;
-+ }
-+
-+ strcat(string, SSL_alert_desc_string_long(code));
-+ break;
-+
-+ case SSL3_RT_CHANGE_CIPHER_SPEC:
-+ strcat(string, "ChangeCipherSpec");
-+ break;
-+
-+ case SSL3_RT_HANDSHAKE:
-+
-+ strcat(string, "Handshake: ");
-+ code = msg[0];
-+
-+ switch(code) {
-+ case SSL3_MT_HELLO_REQUEST:
-+ strcat(string,"Hello Request");
-+ break;
-+ case SSL3_MT_CLIENT_HELLO:
-+ strcat(string,"Client Hello");
-+ break;
-+ case SSL3_MT_SERVER_HELLO:
-+ strcat(string,"Server Hello");
-+ break;
-+#ifdef SSL3_MT_NEWSESSION_TICKET
-+ case SSL3_MT_NEWSESSION_TICKET:
-+ strcat(string,"New Session Ticket");
-+ break;
-+#endif
-+ case SSL3_MT_CERTIFICATE:
-+ strcat(string,"Certificate");
-+ break;
-+ case SSL3_MT_SERVER_KEY_EXCHANGE:
-+ strcat(string,"Server Key Exchange");
-+ break;
-+ case SSL3_MT_CERTIFICATE_REQUEST:
-+ strcat(string,"Certificate Request");
-+ break;
-+ case SSL3_MT_SERVER_DONE:
-+ strcat(string,"Server Hello Done");
-+ break;
-+ case SSL3_MT_CERTIFICATE_VERIFY:
-+ strcat(string,"Certificate Verify");
-+ break;
-+ case SSL3_MT_CLIENT_KEY_EXCHANGE:
-+ strcat(string,"Client Key Exchange");
-+ break;
-+ case SSL3_MT_FINISHED:
-+ strcat(string,"Finished: ");
-+ hvers = SSL_version(ssl);
-+ switch(hvers) {
-+ case SSL3_VERSION:
-+ strcat(string, "SSL 3.0");
-+ break;
-+ case TLS1_VERSION:
-+ strcat(string, "TLS 1.0");
-+ break;
-+ case TLS1_1_VERSION:
-+ strcat(string, "TLS 1.1");
-+ break;
-+ case TLS1_2_VERSION:
-+ strcat(string, "TLS 1.2");
-+ break;
-+ default:
-+ strcat(string, "Unknown version");
-+ }
-+ break;
-+ default:
-+ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code );
-+ }
-+ break;
-+
-+ default:
-+ sprintf( string, "SSL message contains unknown content type: %d", content_type );
-+
-+ }
-+
-+ /* Alert messages must always be displayed */
-+ if(content_type == SSL3_RT_ALERT)
-+ error("%s", string);
-+ else
-+ dbglog("%s", string);
-+}
-+
-diff --git a/pppd/eap-tls.h b/pppd/eap-tls.h
-new file mode 100644
-index 000000000000..2d45a0b83a0c
---- /dev/null
-+++ b/pppd/eap-tls.h
-@@ -0,0 +1,107 @@
-+/*
-+ * eap-tls.h
-+ *
-+ * Copyright (c) Beniamino Galvani 2005 All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. The name(s) of the authors of this software must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission.
-+ *
-+ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO
-+ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
-+ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
-+ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN
-+ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
-+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-+ *
-+ */
-+
-+#ifndef __EAP_TLS_H__
-+#define __EAP_TLS_H__
-+
-+#include "eap.h"
-+
-+#include <openssl/ssl.h>
-+#include <openssl/bio.h>
-+#include <openssl/md5.h>
-+
-+#define EAP_TLS_FLAGS_LI 128 /* length included flag */
-+#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */
-+#define EAP_TLS_FLAGS_START 32 /* start flag */
-+
-+#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */
-+
-+struct eaptls_session
-+{
-+ u_char *data; /* buffered data */
-+ int datalen; /* buffered data len */
-+ int offset; /* from where to send */
-+ int tlslen; /* total length of tls data */
-+ bool frag; /* packet is fragmented */
-+ SSL_CTX *ctx;
-+ SSL *ssl; /* ssl connection */
-+ BIO *from_ssl;
-+ BIO *into_ssl;
-+ char peer[MAXWORDLEN]; /* peer name */
-+ char peercertfile[MAXWORDLEN];
-+ bool alert_sent;
-+ u_char alert_sent_desc;
-+ bool alert_recv;
-+ u_char alert_recv_desc;
-+ char rtx[65536]; /* retransmission buffer */
-+ int rtx_len;
-+ int mtu; /* unit mtu */
-+};
-+
-+typedef struct pw_cb_data
-+{
-+ const void *password;
-+ const char *prompt_info;
-+} PW_CB_DATA;
-+
-+
-+int ssl_verify_callback(int, X509_STORE_CTX *);
-+void ssl_msg_callback(int write_p, int version, int ct, const void *buf,
-+ size_t len, SSL * ssl, void *arg);
-+
-+X509 *get_X509_from_file(char *filename);
-+int ssl_cmp_certs(char *filename, X509 * a);
-+
-+SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile,
-+ char *certfile, char *peer_certfile, char *privkeyfile);
-+int eaptls_init_ssl_server(eap_state * esp);
-+int eaptls_init_ssl_client(eap_state * esp);
-+void eaptls_free_session(struct eaptls_session *ets);
-+
-+int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len);
-+int eaptls_send(struct eaptls_session *ets, u_char ** outp);
-+void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp);
-+
-+int get_eaptls_secret(int unit, char *client, char *server,
-+ char *clicertfile, char *servcertfile, char *cacertfile,
-+ char *pkfile, int am_server);
-+
-+#ifdef MPPE
-+#include "mppe.h" /* MPPE_MAX_KEY_LEN */
-+extern u_char mppe_send_key[MPPE_MAX_KEY_LEN];
-+extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN];
-+extern int mppe_keys_set;
-+
-+void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client);
-+
-+#endif
-+
-+#endif
-diff --git a/pppd/eap.c b/pppd/eap.c
-index 6ea6c1f8bff6..032407c3dbb2 100644
---- a/pppd/eap.c
-+++ b/pppd/eap.c
-@@ -43,6 +43,11 @@
- * Based on draft-ietf-pppext-eap-srp-03.txt.
- */
-
-+/*
-+ * Modification by Beniamino Galvani, Mar 2005
-+ * Implemented EAP-TLS authentication
-+ */
-+
- #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $"
-
- /*
-@@ -62,8 +67,12 @@
-
- #include "pppd.h"
- #include "pathnames.h"
--#include "md5.h"
- #include "eap.h"
-+#ifdef USE_EAPTLS
-+#include "eap-tls.h"
-+#else
-+#include "md5.h"
-+#endif /* USE_EAPTLS */
-
- #ifdef USE_SRP
- #include <t_pwd.h>
-@@ -209,6 +218,9 @@ int unit;
- esp->es_server.ea_id = (u_char)(drand48() * 0x100);
- esp->es_client.ea_timeout = EAP_DEFREQTIME;
- esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ;
-+#ifdef USE_EAPTLS
-+ esp->es_client.ea_using_eaptls = 0;
-+#endif /* USE_EAPTLS */
- }
-
- /*
-@@ -436,8 +448,16 @@ int status;
- u_char vals[2];
- struct b64state bs;
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+ struct eaptls_session *ets;
-+ int secret_len;
-+ char secret[MAXWORDLEN];
-+#endif /* USE_EAPTLS */
-
- esp->es_server.ea_timeout = esp->es_savedtime;
-+#ifdef USE_EAPTLS
-+ esp->es_server.ea_prev_state = esp->es_server.ea_state;
-+#endif /* USE_EAPTLS */
- switch (esp->es_server.ea_state) {
- case eapBadAuth:
- return;
-@@ -562,9 +582,79 @@ int status;
- break;
- }
- #endif /* USE_SRP */
-+#ifdef USE_EAPTLS
-+ if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
-+ esp->es_server.ea_name, secret, &secret_len, 1)) {
-+
-+ esp->es_server.ea_state = eapTlsStart;
-+ break;
-+ }
-+#endif /* USE_EAPTLS */
-+
- esp->es_server.ea_state = eapMD5Chall;
- break;
-
-+#ifdef USE_EAPTLS
-+ case eapTlsStart:
-+ /* Initialize ssl session */
-+ if(!eaptls_init_ssl_server(esp)) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsRecv:
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->alert_sent) {
-+ esp->es_server.ea_state = eapTlsSendAlert;
-+ break;
-+ }
-+
-+ if (status) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->frag)
-+ esp->es_server.ea_state = eapTlsSendAck;
-+ else
-+ esp->es_server.ea_state = eapTlsSend;
-+ break;
-+
-+ case eapTlsSend:
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+
-+ if(ets->frag)
-+ esp->es_server.ea_state = eapTlsRecvAck;
-+ else
-+ if(SSL_is_init_finished(ets->ssl))
-+ esp->es_server.ea_state = eapTlsRecvClient;
-+ else
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsSendAck:
-+ esp->es_server.ea_state = eapTlsRecv;
-+ break;
-+
-+ case eapTlsRecvAck:
-+ if (status) {
-+ esp->es_server.ea_state = eapBadAuth;
-+ break;
-+ }
-+
-+ esp->es_server.ea_state = eapTlsSend;
-+ break;
-+
-+ case eapTlsSendAlert:
-+ esp->es_server.ea_state = eapTlsRecvAlertAck;
-+ break;
-+#endif /* USE_EAPTLS */
-+
- case eapSRP1:
- #ifdef USE_SRP
- ts = (struct t_server *)esp->es_server.ea_session;
-@@ -718,6 +808,30 @@ eap_state *esp;
- INCPTR(esp->es_server.ea_namelen, outp);
- break;
-
-+#ifdef USE_EAPTLS
-+ case eapTlsStart:
-+ PUTCHAR(EAPT_TLS, outp);
-+ PUTCHAR(EAP_TLS_FLAGS_START, outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSend:
-+ eaptls_send(esp->es_server.ea_session, &outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSendAck:
-+ PUTCHAR(EAPT_TLS, outp);
-+ PUTCHAR(0, outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsSendAlert:
-+ eaptls_send(esp->es_server.ea_session, &outp);
-+ eap_figure_next_state(esp, 0);
-+ break;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- case eapSRP1:
- PUTCHAR(EAPT_SRP, outp);
-@@ -904,11 +1018,57 @@ static void
- eap_server_timeout(arg)
- void *arg;
- {
-+#ifdef USE_EAPTLS
-+ u_char *outp;
-+ u_char *lenloc;
-+ int outlen;
-+#endif /* USE_EAPTLS */
-+
- eap_state *esp = (eap_state *) arg;
-
- if (!eap_server_active(esp))
- return;
-
-+#ifdef USE_EAPTLS
-+ switch(esp->es_server.ea_prev_state) {
-+
-+ /*
-+ * In eap-tls the state changes after a request, so we return to
-+ * previous state ...
-+ */
-+ case(eapTlsStart):
-+ case(eapTlsSendAck):
-+ esp->es_server.ea_state = esp->es_server.ea_prev_state;
-+ break;
-+
-+ /*
-+ * ... or resend the stored data
-+ */
-+ case(eapTlsSend):
-+ case(eapTlsSendAlert):
-+ outp = outpacket_buf;
-+ MAKEHEADER(outp, PPP_EAP);
-+ PUTCHAR(EAP_REQUEST, outp);
-+ PUTCHAR(esp->es_server.ea_id, outp);
-+ lenloc = outp;
-+ INCPTR(2, outp);
-+
-+ eaptls_retransmit(esp->es_server.ea_session, &outp);
-+
-+ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+ PUTSHORT(outlen, lenloc);
-+ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN);
-+ esp->es_server.ea_requests++;
-+
-+ if (esp->es_server.ea_timeout > 0)
-+ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout);
-+
-+ return;
-+ default:
-+ break;
-+ }
-+#endif /* USE_EAPTLS */
-+
- /* EAP ID number must not change on timeout. */
- eap_send_request(esp);
- }
-@@ -1166,6 +1326,81 @@ u_char *str;
- }
- #endif /* USE_SRP */
-
-+#ifdef USE_EAPTLS
-+/*
-+ * Send an EAP-TLS response message with tls data
-+ */
-+static void
-+eap_tls_response(esp, id)
-+eap_state *esp;
-+u_char id;
-+{
-+ u_char *outp;
-+ int outlen;
-+ u_char *lenloc;
-+
-+ outp = outpacket_buf;
-+
-+ MAKEHEADER(outp, PPP_EAP);
-+
-+ PUTCHAR(EAP_RESPONSE, outp);
-+ PUTCHAR(id, outp);
-+
-+ lenloc = outp;
-+ INCPTR(2, outp);
-+
-+ /*
-+ If the id in the request is unchanged, we must retransmit
-+ the old data
-+ */
-+ if(id == esp->es_client.ea_id)
-+ eaptls_retransmit(esp->es_client.ea_session, &outp);
-+ else
-+ eaptls_send(esp->es_client.ea_session, &outp);
-+
-+ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+ PUTSHORT(outlen, lenloc);
-+
-+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
-+
-+ esp->es_client.ea_id = id;
-+
-+}
-+
-+/*
-+ * Send an EAP-TLS ack
-+ */
-+static void
-+eap_tls_sendack(esp, id)
-+eap_state *esp;
-+u_char id;
-+{
-+ u_char *outp;
-+ int outlen;
-+ u_char *lenloc;
-+
-+ outp = outpacket_buf;
-+
-+ MAKEHEADER(outp, PPP_EAP);
-+
-+ PUTCHAR(EAP_RESPONSE, outp);
-+ PUTCHAR(id, outp);
-+ esp->es_client.ea_id = id;
-+
-+ lenloc = outp;
-+ INCPTR(2, outp);
-+
-+ PUTCHAR(EAPT_TLS, outp);
-+ PUTCHAR(0, outp);
-+
-+ outlen = (outp - outpacket_buf) - PPP_HDRLEN;
-+ PUTSHORT(outlen, lenloc);
-+
-+ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen);
-+
-+}
-+#endif /* USE_EAPTLS */
-+
- static void
- eap_send_nak(esp, id, type)
- eap_state *esp;
-@@ -1320,6 +1555,11 @@ int len;
- char rhostname[256];
- MD5_CTX mdContext;
- u_char hash[MD5_SIGNATURE_SIZE];
-+#ifdef USE_EAPTLS
-+ u_char flags;
-+ struct eaptls_session *ets = esp->es_client.ea_session;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- struct t_client *tc;
- struct t_num sval, gval, Nval, *Ap, Bval;
-@@ -1456,6 +1696,100 @@ int len;
- esp->es_client.ea_namelen);
- break;
-
-+#ifdef USE_EAPTLS
-+ case EAPT_TLS:
-+
-+ switch(esp->es_client.ea_state) {
-+
-+ case eapListen:
-+
-+ if (len < 1) {
-+ error("EAP: received EAP-TLS Listen packet with no data");
-+ /* Bogus request; wait for something real. */
-+ return;
-+ }
-+ GETCHAR(flags, inp);
-+ if(flags & EAP_TLS_FLAGS_START){
-+
-+ esp->es_client.ea_using_eaptls = 1;
-+
-+ if (explicit_remote){
-+ esp->es_client.ea_peer = strdup(remote_name);
-+ esp->es_client.ea_peerlen = strlen(remote_name);
-+ } else
-+ esp->es_client.ea_peer = NULL;
-+
-+ /* Init ssl session */
-+ if(!eaptls_init_ssl_client(esp)) {
-+ dbglog("cannot init ssl");
-+ eap_send_nak(esp, id, EAPT_TLS);
-+ esp->es_client.ea_using_eaptls = 0;
-+ break;
-+ }
-+
-+ ets = esp->es_client.ea_session;
-+ eap_tls_response(esp, id);
-+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+ eapTlsRecv);
-+ break;
-+ }
-+
-+ /* The server has sent a bad start packet. */
-+ eap_send_nak(esp, id, EAPT_TLS);
-+ break;
-+
-+ case eapTlsRecvAck:
-+ eap_tls_response(esp, id);
-+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+ eapTlsRecv);
-+ break;
-+
-+ case eapTlsRecv:
-+ if (len < 1) {
-+ error("EAP: discarding EAP-TLS Receive packet with no data");
-+ /* Bogus request; wait for something real. */
-+ return;
-+ }
-+ eaptls_receive(ets, inp, len);
-+
-+ if(ets->frag) {
-+ eap_tls_sendack(esp, id);
-+ esp->es_client.ea_state = eapTlsRecv;
-+ break;
-+ }
-+
-+ if(ets->alert_recv) {
-+ eap_tls_sendack(esp, id);
-+ esp->es_client.ea_state = eapTlsRecvFailure;
-+ break;
-+ }
-+
-+ /* Check if TLS handshake is finished */
-+ if(SSL_is_init_finished(ets->ssl)){
-+#ifdef MPPE
-+ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 );
-+#endif
-+ eaptls_free_session(ets);
-+ eap_tls_sendack(esp, id);
-+ esp->es_client.ea_state = eapTlsRecvSuccess;
-+ break;
-+ }
-+
-+ eap_tls_response(esp,id);
-+ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck :
-+ eapTlsRecv);
-+
-+ break;
-+
-+ default:
-+ eap_send_nak(esp, id, EAPT_TLS);
-+ esp->es_client.ea_using_eaptls = 0;
-+ break;
-+ }
-+
-+ break;
-+#endif /* USE_EAPTLS */
-+
- #ifdef USE_SRP
- case EAPT_SRP:
- if (len < 1) {
-@@ -1737,6 +2071,11 @@ int len;
- u_char dig[SHA_DIGESTSIZE];
- #endif /* USE_SRP */
-
-+#ifdef USE_EAPTLS
-+ struct eaptls_session *ets;
-+ u_char flags;
-+#endif /* USE_EAPTLS */
-+
- if (esp->es_server.ea_id != id) {
- dbglog("EAP: discarding Response %d; expected ID %d", id,
- esp->es_server.ea_id);
-@@ -1776,6 +2115,64 @@ int len;
- eap_figure_next_state(esp, 0);
- break;
-
-+#ifdef USE_EAPTLS
-+ case EAPT_TLS:
-+ switch(esp->es_server.ea_state) {
-+
-+ case eapTlsRecv:
-+
-+ ets = (struct eaptls_session *) esp->es_server.ea_session;
-+ eap_figure_next_state(esp,
-+ eaptls_receive(esp->es_server.ea_session, inp, len));
-+
-+ if(ets->alert_recv) {
-+ eap_send_failure(esp);
-+ break;
-+ }
-+ break;
-+
-+ case eapTlsRecvAck:
-+ if(len > 1) {
-+ dbglog("EAP-TLS ACK with extra data");
-+ }
-+ eap_figure_next_state(esp, 0);
-+ break;
-+
-+ case eapTlsRecvClient:
-+ /* Receive authentication response from client */
-+
-+ if (len > 0) {
-+ GETCHAR(flags, inp);
-+
-+ if(len == 1 && !flags) { /* Ack = ok */
-+#ifdef MPPE
-+ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 );
-+#endif
-+ eap_send_success(esp);
-+ }
-+ else { /* failure */
-+ warn("Server authentication failed");
-+ eap_send_failure(esp);
-+ }
-+ }
-+ else
-+ warn("Bogus EAP-TLS packet received from client");
-+
-+ eaptls_free_session(esp->es_server.ea_session);
-+
-+ break;
-+
-+ case eapTlsRecvAlertAck:
-+ eap_send_failure(esp);
-+ break;
-+
-+ default:
-+ eap_figure_next_state(esp, 1);
-+ break;
-+ }
-+ break;
-+#endif /* USE_EAPTLS */
-+
- case EAPT_NOTIFICATION:
- dbglog("EAP unexpected Notification; response discarded");
- break;
-@@ -1807,6 +2204,13 @@ int len;
- esp->es_server.ea_state = eapMD5Chall;
- break;
-
-+#ifdef USE_EAPTLS
-+ /* Send EAP-TLS start packet */
-+ case EAPT_TLS:
-+ esp->es_server.ea_state = eapTlsStart;
-+ break;
-+#endif /* USE_EAPTLS */
-+
- default:
- dbglog("EAP: peer requesting unknown Type %d", vallen);
- switch (esp->es_server.ea_state) {
-@@ -2018,13 +2422,27 @@ u_char *inp;
- int id;
- int len;
- {
-- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) {
-+ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)
-+#ifdef USE_EAPTLS
-+ && esp->es_client.ea_state != eapTlsRecvSuccess
-+#endif /* USE_EAPTLS */
-+ ) {
- dbglog("EAP unexpected success message in state %s (%d)",
- eap_state_name(esp->es_client.ea_state),
- esp->es_client.ea_state);
- return;
- }
-
-+#ifdef USE_EAPTLS
-+ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state !=
-+ eapTlsRecvSuccess) {
-+ dbglog("EAP-TLS unexpected success message in state %s (%d)",
-+ eap_state_name(esp->es_client.ea_state),
-+ esp->es_client.ea_state);
-+ return;
-+ }
-+#endif /* USE_EAPTLS */
-+
- if (esp->es_client.ea_timeout > 0) {
- UNTIMEOUT(eap_client_timeout, (void *)esp);
- }
-@@ -2150,6 +2568,9 @@ void *arg;
- int code, id, len, rtype, vallen;
- u_char *pstart;
- u_int32_t uval;
-+#ifdef USE_EAPTLS
-+ u_char flags;
-+#endif /* USE_EAPTLS */
-
- if (inlen < EAP_HEADERLEN)
- return (0);
-@@ -2214,6 +2635,24 @@ void *arg;
- }
- break;
-
-+#ifdef USE_EAPTLS
-+ case EAPT_TLS:
-+ if (len < 1)
-+ break;
-+ GETCHAR(flags, inp);
-+ len--;
-+
-+ if(flags == 0 && len == 0){
-+ printer(arg, " Ack");
-+ break;
-+ }
-+
-+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
-+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
-+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
-+ break;
-+#endif /* USE_EAPTLS */
-+
- case EAPT_SRP:
- if (len < 3)
- goto truncated;
-@@ -2325,6 +2764,25 @@ void *arg;
- }
- break;
-
-+#ifdef USE_EAPTLS
-+ case EAPT_TLS:
-+ if (len < 1)
-+ break;
-+ GETCHAR(flags, inp);
-+ len--;
-+
-+ if(flags == 0 && len == 0){
-+ printer(arg, " Ack");
-+ break;
-+ }
-+
-+ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -");
-+ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-");
-+ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- ");
-+
-+ break;
-+#endif /* USE_EAPTLS */
-+
- case EAPT_NAK:
- if (len <= 0) {
- printer(arg, " <missing hint>");
-@@ -2426,3 +2884,4 @@ void *arg;
-
- return (inp - pstart);
- }
-+
-diff --git a/pppd/eap.h b/pppd/eap.h
-index 199d1849b826..087baad83eed 100644
---- a/pppd/eap.h
-+++ b/pppd/eap.h
-@@ -84,6 +84,16 @@ enum eap_state_code {
- eapClosed, /* Authentication not in use */
- eapListen, /* Client ready (and timer running) */
- eapIdentify, /* EAP Identify sent */
-+ eapTlsStart, /* Send EAP-TLS start packet */
-+ eapTlsRecv, /* Receive EAP-TLS tls data */
-+ eapTlsSendAck, /* Send EAP-TLS ack */
-+ eapTlsSend, /* Send EAP-TLS tls data */
-+ eapTlsRecvAck, /* Receive EAP-TLS ack */
-+ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/
-+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/
-+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */
-+ eapTlsRecvSuccess, /* Receive EAP success */
-+ eapTlsRecvFailure, /* Receive EAP failure */
- eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
- eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
- eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
-@@ -95,9 +105,18 @@ enum eap_state_code {
-
- #define EAP_STATES \
- "Initial", "Pending", "Closed", "Listen", "Identify", \
-+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
-+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
- "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
-
--#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
-+#ifdef USE_EAPTLS
-+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial &&\
-+ (esp)->es_client.ea_state != eapPending &&\
-+ (esp)->es_client.ea_state != eapClosed)
-+#else
-+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
-+#endif /* USE_EAPTLS */
-+
- #define eap_server_active(esp) \
- ((esp)->es_server.ea_state >= eapIdentify && \
- (esp)->es_server.ea_state <= eapMD5Chall)
-@@ -112,11 +131,17 @@ struct eap_auth {
- u_short ea_namelen; /* Length of our name */
- u_short ea_peerlen; /* Length of peer's name */
- enum eap_state_code ea_state;
-+#ifdef USE_EAPTLS
-+ enum eap_state_code ea_prev_state;
-+#endif
- u_char ea_id; /* Current id */
- u_char ea_requests; /* Number of Requests sent/received */
- u_char ea_responses; /* Number of Responses */
- u_char ea_type; /* One of EAPT_* */
- u_int32_t ea_keyflags; /* SRP shared key usage flags */
-+#ifdef USE_EAPTLS
-+ bool ea_using_eaptls;
-+#endif
- };
-
- /*
-@@ -139,7 +164,12 @@ typedef struct eap_state {
- * Timeouts.
- */
- #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
-+#ifdef USE_EAPTLS
-+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
-+ /* certificates can be long ... */
-+#else
- #define EAP_DEFTRANSMITS 10 /* max # times to transmit */
-+#endif /* USE_EAPTLS */
- #define EAP_DEFREQTIME 20 /* Time to wait for peer request */
- #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
-
-diff --git a/pppd/md5.c b/pppd/md5.c
-index f1291ce1bd72..6f8f7207c592 100644
---- a/pppd/md5.c
-+++ b/pppd/md5.c
-@@ -33,6 +33,8 @@
- ***********************************************************************
- */
-
-+#ifndef USE_EAPTLS
-+
- #include <string.h>
- #include "md5.h"
-
-@@ -305,3 +307,5 @@ UINT4 *in;
- ** End of md5.c **
- ******************************** (cut) ********************************
- */
-+#endif /* USE_EAPTLS */
-+
-diff --git a/pppd/md5.h b/pppd/md5.h
-index 71e8b00e2dde..14d712171c5e 100644
---- a/pppd/md5.h
-+++ b/pppd/md5.h
-@@ -36,6 +36,7 @@
- ** documentation and/or software. **
- ***********************************************************************
- */
-+#ifndef USE_EAPTLS
-
- #ifndef __MD5_INCLUDE__
-
-@@ -63,3 +64,5 @@ void MD5_Final (unsigned char hash[], MD5_CTX *mdContext);
-
- #define __MD5_INCLUDE__
- #endif /* __MD5_INCLUDE__ */
-+
-+#endif /* USE_EAPTLS */
-diff --git a/pppd/pathnames.h b/pppd/pathnames.h
-index 46972601fc92..72c2f5b191ee 100644
---- a/pppd/pathnames.h
-+++ b/pppd/pathnames.h
-@@ -21,6 +21,13 @@
- #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
- #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
- #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
-+
-+#ifdef USE_EAPTLS
-+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client"
-+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server"
-+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf"
-+#endif /* USE_EAPTLS */
-+
- #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
- #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
- #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
-diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index 0f9d37d2953b..bc29968d44c9 100644
---- a/pppd/plugins/Makefile.linux
-+++ b/pppd/plugins/Makefile.linux
-@@ -4,6 +4,9 @@ CFLAGS = $(COPTS) -I.. -I../../include -fPIC
- LDFLAGS = $(LDOPTS)
- INSTALL = install
-
-+# EAP-TLS
-+CFLAGS += -DUSE_EAPTLS=1
-+
- DESTDIR = $(INSTROOT)@DESTDIR@
- BINDIR = $(DESTDIR)/sbin
- MANDIR = $(DESTDIR)/share/man/man8
-diff --git a/pppd/plugins/passprompt.c b/pppd/plugins/passprompt.c
-index babb6dc31bab..6ba73cae2795 100644
---- a/pppd/plugins/passprompt.c
-+++ b/pppd/plugins/passprompt.c
-@@ -107,4 +107,7 @@ void plugin_init(void)
- {
- add_options(options);
- pap_passwd_hook = promptpass;
-+#ifdef USE_EAPTLS
-+ eaptls_passwd_hook = promptpass;
-+#endif
- }
-diff --git a/pppd/plugins/passwordfd.c b/pppd/plugins/passwordfd.c
-index d718f3bdf81d..c3f9793e41a0 100644
---- a/pppd/plugins/passwordfd.c
-+++ b/pppd/plugins/passwordfd.c
-@@ -79,4 +79,8 @@ void plugin_init (void)
-
- chap_check_hook = pwfd_check;
- chap_passwd_hook = pwfd_passwd;
-+
-+#ifdef USE_EAPTLS
-+ eaptls_passwd_hook = pwfd_passwd;
-+#endif
- }
-diff --git a/pppd/pppd.8 b/pppd/pppd.8
-index 65bbe721f761..8afa2d1186e2 100644
---- a/pppd/pppd.8
-+++ b/pppd/pppd.8
-@@ -253,6 +253,12 @@ Alternatively, a value of 0 for \fInr\fR or \fInt\fR disables
- compression in the corresponding direction. Use \fInobsdcomp\fR or
- \fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
- .TP
-+.B ca \fIca-file
-+(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
-+(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
-+This option is used on the client-side in conjunction with the \fBcert\fR
-+and \fBkey\fR options.
-+.TP
- .B cdtrcts
- Use a non-standard hardware flow control (i.e. DTR/CTS) to control
- the flow of data on the serial port. If neither the \fIcrtscts\fR,
-@@ -264,6 +270,12 @@ RTS output. Such serial ports use this mode to implement true
- bi-directional flow control. The sacrifice is that this flow
- control mode does not permit using DTR as a modem control line.
- .TP
-+.B cert \fIcertfile
-+(EAP-TLS) Use the file \fIcertfile\fR as the X.509 certificate (in PEM
-+format), needed for setting up an EAP-TLS connection. This option is
-+used on the client-side in conjunction with the \fBca\fR and
-+\fBkey\fR options.
-+.TP
- .B chap\-interval \fIn
- If this option is given, pppd will rechallenge the peer every \fIn\fR
- seconds.
-@@ -292,6 +304,18 @@ negotiation by sending its first LCP packet. The default value is
- 1000 (1 second). This wait period only applies if the \fBconnect\fR
- or \fBpty\fR option is used.
- .TP
-+.B crl \fIfilename
-+(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
-+to check for the validity of the peer's certificate. This option is not
-+mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
-+option.
-+.TP
-+.B crl-dir \fIdirectory
-+(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
-+has format ($hash.r0) to check for the validity of the peer's certificate.
-+This option is not mandatory for setting up an EAP-TLS connection.
-+Also see the \fBcrl\fR option.
-+.TP
- .B debug
- Enables connection debugging facilities.
- If this option is given, pppd will log the contents of all
-@@ -561,6 +585,12 @@ transmitted packets be printed. On most systems, messages printed by
- the kernel are logged by syslog(1) to a file as directed in the
- /etc/syslog.conf configuration file.
- .TP
-+.B key \fIkeyfile
-+(EAP-TLS) Use the file \fIkeyfile\fR as the private key file (in PEM
-+format), needed for setting up an EAP-TLS connection. This option is
-+used on the client-side in conjunction with the \fBca\fR and
-+\fBcert\fR options.
-+.TP
- .B ktune
- Enables pppd to alter kernel settings as appropriate. Under Linux,
- pppd will enable IP forwarding (i.e. set /proc/sys/net/ipv4/ip_forward
-@@ -724,6 +754,9 @@ name to \fIname\fR.)
- Disable Address/Control compression in both directions (send and
- receive).
- .TP
-+.B need-peer-eap
-+(EAP-TLS) Require the peer to verify our authentication credentials.
-+.TP
- .B noauth
- Do not require the peer to authenticate itself. This option is
- privileged.
-diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 567d702181ca..195cbe3c6ffb 100644
---- a/pppd/pppd.h
-+++ b/pppd/pppd.h
-@@ -338,6 +338,11 @@ extern bool dump_options; /* print out option values */
- extern bool dryrun; /* check everything, print options, exit */
- extern int child_wait; /* # seconds to wait for children at end */
-
-+#ifdef USE_EAPTLS
-+extern char *crl_dir;
-+extern char *crl_file;
-+#endif /* USE_EAPTLS */
-+
- #ifdef MAXOCTETS
- extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
- extern int maxoctets_dir; /* Direction :
-@@ -758,6 +763,10 @@ extern int (*chap_check_hook) __P((void));
- extern int (*chap_passwd_hook) __P((char *user, char *passwd));
- extern void (*multilink_join_hook) __P((void));
-
-+#ifdef USE_EAPTLS
-+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
-+#endif
-+
- /* Let a plugin snoop sent and received packets. Useful for L2TP */
- extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
- extern void (*snoop_send_hook) __P((unsigned char *p, int len));
diff --git a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch b/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
deleted file mode 100644
index bf83278a9..000000000
--- a/patches/ppp-2.4.7/0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
+++ /dev/null
@@ -1,115 +0,0 @@
-From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
-Date: Fri, 6 Apr 2018 14:27:18 +0200
-Subject: [PATCH] pppd: Use openssl for the DES instead of the libcrypt / glibc
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-[https://github.com/paulusmack/ppp/commit/3c7b86229f7bd2600d74db14b1fe5b3896be3875]
-
-It seems the latest glibc (in Fedora glibc-2.27.9000-12.fc29) dropped
-libcrypt. The libxcrypt standalone package can be used instead, but
-it dropped the old setkey/encrypt API which ppp uses for DES. There
-is support for using openssl in pppcrypt.c, but it contains typos
-preventing it from compiling and seems to be written for an ancient
-openssl version.
-
-This updates the code to use current openssl.
-
-[paulus@ozlabs.org - wrote the commit description, fixed comment in
- Makefile.linux.]
-
-Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
-Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
----
- pppd/Makefile.linux | 7 ++++---
- pppd/pppcrypt.c | 18 +++++++++---------
- 2 files changed, 13 insertions(+), 12 deletions(-)
-
-diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 58a634ce8c3b..cb9d4f9dcf22 100644
---- a/pppd/Makefile.linux
-+++ b/pppd/Makefile.linux
-@@ -35,10 +35,10 @@ endif
- COPTS = -O2 -pipe -Wall -g
- LIBS = -lcrypto
-
--# Uncomment the next 2 lines to include support for Microsoft's
-+# Uncomment the next line to include support for Microsoft's
- # MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
- CHAPMS=y
--USE_CRYPT=y
-+#USE_CRYPT=y
- # Don't use MSLANMAN unless you really know what you're doing.
- #MSLANMAN=y
- # Uncomment the next line to include support for MPPE. CHAPMS (above) must
-@@ -138,7 +138,8 @@ endif
-
- ifdef NEEDDES
- ifndef USE_CRYPT
--LIBS += -ldes $(LIBS)
-+CFLAGS += -I/usr/include/openssl
-+LIBS += -lcrypto
- else
- CFLAGS += -DUSE_CRYPT=1
- endif
-diff --git a/pppd/pppcrypt.c b/pppd/pppcrypt.c
-index 8b85b13276ab..6b35375edc5e 100644
---- a/pppd/pppcrypt.c
-+++ b/pppd/pppcrypt.c
-@@ -64,7 +64,7 @@ u_char *des_key; /* OUT 64 bit DES key with parity bits added */
- des_key[7] = Get7Bits(key, 49);
-
- #ifndef USE_CRYPT
-- des_set_odd_parity((des_cblock *)des_key);
-+ DES_set_odd_parity((DES_cblock *)des_key);
- #endif
- }
-
-@@ -158,25 +158,25 @@ u_char *clear; /* OUT 8 octets */
- }
-
- #else /* USE_CRYPT */
--static des_key_schedule key_schedule;
-+static DES_key_schedule key_schedule;
-
- bool
- DesSetkey(key)
- u_char *key;
- {
-- des_cblock des_key;
-+ DES_cblock des_key;
- MakeKey(key, des_key);
-- des_set_key(&des_key, key_schedule);
-+ DES_set_key(&des_key, &key_schedule);
- return (1);
- }
-
- bool
--DesEncrypt(clear, key, cipher)
-+DesEncrypt(clear, cipher)
- u_char *clear; /* IN 8 octets */
- u_char *cipher; /* OUT 8 octets */
- {
-- des_ecb_encrypt((des_cblock *)clear, (des_cblock *)cipher,
-- key_schedule, 1);
-+ DES_ecb_encrypt((DES_cblock *)clear, (DES_cblock *)cipher,
-+ &key_schedule, 1);
- return (1);
- }
-
-@@ -185,8 +185,8 @@ DesDecrypt(cipher, clear)
- u_char *cipher; /* IN 8 octets */
- u_char *clear; /* OUT 8 octets */
- {
-- des_ecb_encrypt((des_cblock *)cipher, (des_cblock *)clear,
-- key_schedule, 0);
-+ DES_ecb_encrypt((DES_cblock *)cipher, (DES_cblock *)clear,
-+ &key_schedule, 0);
- return (1);
- }
-
diff --git a/patches/ppp-2.4.7/series b/patches/ppp-2.4.7/series
deleted file mode 100644
index 6aeaf1984..000000000
--- a/patches/ppp-2.4.7/series
+++ /dev/null
@@ -1,46 +0,0 @@
-# generated by git-ptx-patches
-#tag:base --start-number 1
-0001-abort-on-errors-in-subdir-builds.patch
-0002-scripts-Avoid-killing-wrong-pppd.patch
-0003-pppd-Fix-sign-extension-when-displaying-bytes-in-oct.patch
-0004-Suppress-false-error-message-on-PPPoE-disconnect.patch
-0005-Send-PADT-on-PPPoE-disconnect.patch
-0006-pppd-ipxcp-Prevent-buffer-overrun-on-remote-router-n.patch
-0007-pppd-Fix-ccp_options.mppe-type.patch
-0008-pppd-Fix-ccp_cilen-calculated-size-if-both-deflate_c.patch
-0009-Fix-a-typo-in-comment.-Diff-from-Yuuichi-Someya.patch
-0010-plog-count-only-relevant-lines-from-syslog.patch
-0011-Change-include-from-sys-errno.h-to-errno.h.patch
-0012-pppd-allow-use-of-arbitrary-interface-names.patch
-0013-pppd-Remove-unused-declaration-of-ttyname.patch
-0014-pppd-Provide-error-implementation-in-pppoe-discovery.patch
-0015-pppoe-include-netinet-in.h-before-linux-in.h.patch
-0016-adaptive_echos.patch
-0017-Makefiles-cleanup.patch
-0018-Bug-306261-pppd-does-not-properly-close-dev-ppp-on-p.patch
-0019-Bug-284382-ppp-linkpidfile-is-not-created-upon-detac.patch
-0020-support-building-pppdump-with-the-system-zlib.patch
-0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
-0022-cosmetic-cleanup-of-the-pppoatm-plugin.patch
-0023-pppoe_noads.patch
-0024-make-_PATH_CONNERRS-world-readable.patch
-0025-Correct-unkown-unknown-typo.patch
-0026-pppoe-custom-host-uniq-tag.patch
-0027-Add-replacedefaultroute-option.patch
-0028-ppp-2.3.11-oedod.dif.patch
-0029-add-support-for-the-Framed-MTU-Radius-attribute.patch
-0030-018_ip-up_option.patch
-0031-ppp-2.4.2-stripMSdomain.patch
-0032-export-CALL_FILE-to-the-link-scripts.patch
-0033-ipv6-accept-remote.patch
-0034-fix-a-potential-buffer-overflow-in-clientid.c-rc_map.patch
-0035-resolv.conf_no_log.patch
-0036-Debian-specific-changes.patch
-0037-Fix-buffer-overflow-in-rc_mksid.patch
-0038-EAP-TLS-authentication-support-for-PPP.patch
-0039-Replace-vendored-hash-functions-with-libcrypto.patch
-0040-pppd-Use-openssl-for-the-DES-instead-of-the-libcrypt.patch
-#tag:ptx --start-number 100
-0100-pppd-make-makefile-sysroot-aware.patch
-0101-pppd-make-the-self-made-configure-cross-aware.patch
-# b0e349fd34b2aac1a9ba4ffb38f43be0 - git-ptx-patches magic
diff --git a/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
new file mode 100644
index 000000000..c83b64b1c
--- /dev/null
+++ b/patches/ppp-2.4.9/0001-configure-Allow-commas-in-the-CFLAGS-220.patch
@@ -0,0 +1,28 @@
+From: =?UTF-8?q?Jaroslav=20=C5=A0karvada?= <jskarvad@redhat.com>
+Date: Fri, 8 Jan 2021 02:43:46 +0100
+Subject: [PATCH] configure: Allow commas in the CFLAGS (#220)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+It allows e.g. the following:
+./configure --cflags='-Wp,-D_FORTIFY_SOURCE=2'
+
+Signed-off-by: Jaroslav Škarvada <jskarvad@redhat.com>
+---
+ configure | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/configure b/configure
+index f977663fd8db..b0c3d2b49122 100755
+--- a/configure
++++ b/configure
+@@ -123,7 +123,7 @@ mkmkf() {
+ echo " $2 <= $1"
+ sed -e "s,@DESTDIR@,$DESTDIR,g" -e "s,@SYSCONF@,$SYSCONF,g" \
+ -e "s,@CROSS_COMPILE@,$CROSS_COMPILE,g" -e "s,@CC@,$CC,g" \
+- -e "s,@CFLAGS@,$CFLAGS,g" $1 >$2
++ -e "s|@CFLAGS@|$CFLAGS|g" $1 >$2
+ fi
+ }
+
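Review bot: Only the `@CFLAGS@` expression in `mkmkf` gets the new `|` delimiter; the `@DESTDIR@`, `@SYSCONF@`, `@CROSS_COMPILE@` and `@CC@` expressions on the two lines above still use `,`, so a comma in any of those values breaks the sed call in the same way. `$CFLAGS` is also still interpolated raw, so a `|`, `&` or `\` in it would be read as sed syntax rather than as part of the flag. That matters when hardening flags like the `-Wp,-D_FORTIFY_SOURCE=2` from the description are passed in, because a mangled substitution can drop them from the generated Makefile. `mkmkf` starts outside the hunk.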
diff --git a/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
new file mode 100644
index 000000000..33cf002db
--- /dev/null
+++ b/patches/ppp-2.4.9/0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
@@ -0,0 +1,55 @@
+From: pali <7141871+pali@users.noreply.github.com>
+Date: Mon, 15 Feb 2021 07:54:01 +0100
+Subject: [PATCH] pppd: Fix compilation with older glibc or kernel headers
+ (#248)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel
+versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback
+definitions for these macros into pppd/sys-linux.c file.
+
+Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option.
+
+Signed-off-by: Pali Rohár <pali@kernel.org>
+---
+ pppd/sys-linux.c | 18 +++++++++++++++++-
+ 1 file changed, 17 insertions(+), 1 deletion(-)
+
+diff --git a/pppd/sys-linux.c b/pppd/sys-linux.c
+index 85033d97124f..50c4f2dab403 100644
+--- a/pppd/sys-linux.c
++++ b/pppd/sys-linux.c
+@@ -125,6 +125,14 @@
+ #include <linux/netlink.h>
+ #include <linux/rtnetlink.h>
+ #include <linux/if_addr.h>
++/* glibc versions prior to 2.24 do not define SOL_NETLINK */
++#ifndef SOL_NETLINK
++#define SOL_NETLINK 270
++#endif
++/* linux kernel versions prior to 4.3 do not define/support NETLINK_CAP_ACK */
++#ifndef NETLINK_CAP_ACK
++#define NETLINK_CAP_ACK 10
++#endif
+ #endif
+
+ #include "pppd.h"
+@@ -2843,7 +2851,15 @@ static int append_peer_ipv6_address(unsigned int iface, struct in6_addr *local_a
+ if (fd < 0)
+ return 0;
+
+- /* do not ask for error message content */
++ /*
++ * Tell kernel to not send to us payload of acknowledgment error message.
++ * NETLINK_CAP_ACK option is supported since Linux kernel version 4.3 and
++ * older kernel versions always send full payload in acknowledgment netlink
++ * message. We ignore payload of this message as we need only error code,
++ * to check if our set remote peer address request succeeded or failed.
++ * So ignore return value from the following setsockopt() call as setting
++ * option NETLINK_CAP_ACK means for us just a kernel hint / optimization.
++ */
+ one = 1;
+ setsockopt(fd, SOL_NETLINK, NETLINK_CAP_ACK, &one, sizeof(one));
+
diff --git a/patches/ppp-2.4.9/0100-chat_man.patch b/patches/ppp-2.4.9/0100-chat_man.patch
new file mode 100644
index 000000000..df1cd311b
--- /dev/null
+++ b/patches/ppp-2.4.9/0100-chat_man.patch
@@ -0,0 +1,31 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] chat_man
+
+---
+ chat/chat.8 | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/chat/chat.8 b/chat/chat.8
+index 6d10836c4240..2273a12d6dcf 100644
+--- a/chat/chat.8
++++ b/chat/chat.8
+@@ -35,7 +35,8 @@ Set the timeout for the expected string to be received. If the string
+ is not received within the time limit then the reply string is not
+ sent. An alternate reply may be sent or the script will fail if there
+ is no alternate reply string. A failed script will cause the
+-\fIchat\fR program to terminate with a non-zero error code.
++\fIchat\fR program to terminate with a non-zero error code. You can
++also use the TIMEOUT string in order to specify the timeout.
+ .TP
+ .B \-r \fI<report file>
+ Set the file for output of the report strings. If you use the keyword
+@@ -349,7 +350,7 @@ ogin:\-\-BREAK\-\-ogin: real_account
+ .LP
+ .SH TIMEOUT
+ The initial timeout value is 45 seconds. This may be changed using the \fB\-t\fR
+-parameter.
++parameter. You can also specify "TIMEOUT 0".
+ .LP
+ To change the timeout value for the next expect string, the following
+ example may be used:
diff --git a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch b/patches/ppp-2.4.9/0101-pppdump_use_zlib.patch
similarity index 62%
rename from patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
rename to patches/ppp-2.4.9/0101-pppdump_use_zlib.patch
index ef8265d43..5e04703b9 100644
--- a/patches/ppp-2.4.7/0020-support-building-pppdump-with-the-system-zlib.patch
+++ b/patches/ppp-2.4.9/0101-pppdump_use_zlib.patch
@@ -1,19 +1,22 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] support building pppdump with the system zlib
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] pppdump_use_zlib
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+support building pppdump with the system zlib
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Forwarded: https://github.com/paulusmack/ppp/pull/189
+but nacked: "it caused compile failures (on Fedora at least), which
+reminded me that the zlib.c here is not the same as upstream; it has
+extra functions that I added a long time ago."
---
pppdump/Makefile.linux | 28 ++++++++++++++++++++++++++--
1 file changed, 26 insertions(+), 2 deletions(-)
diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index 65e5c14914fb..87777fab5e94 100644
+index a94187fa9e29..de7e574d10e1 100644
--- a/pppdump/Makefile.linux
+++ b/pppdump/Makefile.linux
-@@ -2,18 +2,42 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+@@ -6,15 +6,39 @@ DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
@@ -21,10 +24,7 @@ index 65e5c14914fb..87777fab5e94 100644
+DO_BSD_COMPRESS=y
+HAVE_ZLIB=n
+
- COPTS=-O2 -g
- CFLAGS= $(COPTS) -I../include/net
- LDFLAGS=$(LDOPTS)
-
+ CFLAGS = $(COPTS) -I../include/net
-OBJS = pppdump.o bsd-comp.o deflate.o zlib.o
+OBJS = pppdump.o
+LIBS =
@@ -40,14 +40,14 @@ index 65e5c14914fb..87777fab5e94 100644
+else
+CFLAGS += -DDO_DEFLATE=0
+endif
-+
+
+ifdef DO_BSD_COMPRESS
+CFLAGS += -DDO_BSD_COMPRESS=1
+OBJS += bsd-comp.o
+else
+CFLAGS += -DDO_BSD_COMPRESS=0
+endif
-
++
INSTALL= install
all: pppdump
diff --git a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch b/patches/ppp-2.4.9/0102-pppoatm_resolver_light.patch
similarity index 87%
rename from patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
rename to patches/ppp-2.4.9/0102-pppoatm_resolver_light.patch
index 2fb9c5573..1bd782a04 100644
--- a/patches/ppp-2.4.7/0021-disable-unneeded-code-in-the-pppoatm-plugin.patch
+++ b/patches/ppp-2.4.9/0102-pppoatm_resolver_light.patch
@@ -1,6 +1,8 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
-Subject: [PATCH] disable unneeded code in the pppoatm plugin
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] pppoatm_resolver_light
+
+disable unneeded code in the pppoatm plugin
This patch halves the size of the PPPoA plugin by disabling features
which are never used with normal DSL connections (i.e. parsing of QoS
@@ -10,12 +12,6 @@ It is especially useful for install images and embedded systems.
A next step could be removing text2qos.c, text2atm.c, misc.c and ans.c
and encourage users interested in the complete features to link the
plugin with the real libatm. I really doubt anybody cares, anyway.
-
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/plugins/pppoatm/Makefile.linux | 4 ++++
pppd/plugins/pppoatm/pppoatm.c | 4 ++++
@@ -23,10 +19,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
3 files changed, 12 insertions(+)
diff --git a/pppd/plugins/pppoatm/Makefile.linux b/pppd/plugins/pppoatm/Makefile.linux
-index 002603c6cbef..76d81aced70a 100644
+index d3a8086b69ea..036b193637df 100644
--- a/pppd/plugins/pppoatm/Makefile.linux
+++ b/pppd/plugins/pppoatm/Makefile.linux
-@@ -25,9 +25,13 @@ ifdef HAVE_LIBATM
+@@ -26,9 +26,13 @@ ifdef HAVE_LIBATM
LIBS := -latm
else
CFLAGS += -I.
@@ -41,10 +37,10 @@ index 002603c6cbef..76d81aced70a 100644
#*********
all: $(PLUGIN)
diff --git a/pppd/plugins/pppoatm/pppoatm.c b/pppd/plugins/pppoatm/pppoatm.c
-index d693350bc473..a7560e9fb0c6 100644
+index 5a3ecd61b6a2..90d0c9a85d9f 100644
--- a/pppd/plugins/pppoatm/pppoatm.c
+++ b/pppd/plugins/pppoatm/pppoatm.c
-@@ -142,8 +142,12 @@ static int connect_pppoatm(void)
+@@ -145,8 +145,12 @@ static int connect_pppoatm(void)
qos.txtp.traffic_class = qos.rxtp.traffic_class = ATM_UBR;
/* TODO: support simplified QoS setting */
if (qosstr != NULL)
diff --git a/patches/ppp-2.4.9/0103-pppoe_noads.patch b/patches/ppp-2.4.9/0103-pppoe_noads.patch
new file mode 100644
index 000000000..677580ba7
--- /dev/null
+++ b/patches/ppp-2.4.9/0103-pppoe_noads.patch
@@ -0,0 +1,21 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] pppoe_noads
+
+---
+ pppd/plugins/pppoe/plugin.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+diff --git a/pppd/plugins/pppoe/plugin.c b/pppd/plugins/pppoe/plugin.c
+index de9b8166ce7b..58fbdf95be3f 100644
+--- a/pppd/plugins/pppoe/plugin.c
++++ b/pppd/plugins/pppoe/plugin.c
+@@ -412,8 +412,6 @@ plugin_init(void)
+ }
+
+ add_options(Options);
+-
+- info("PPPoE plugin from pppd %s", VERSION);
+ }
+
+ void pppoe_check_options(void)
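Review bot: The patch header carries no provenance: `From: unknown author <unknown.author@example.com>`, an empty body and no origin or sign-off line, so nothing in the file says where the change comes from or why the `info("PPPoE plugin from pppd %s", VERSION)` line is dropped. The same placeholder author appears in 0100–0102 and 0104–0109, and the refreshed patches lose the `Imported from ppp_2.4.7-2+4.1.debian.tar.xz` line their 2.4.7 versions carried. To keep what ends up in the target's pppd auditable, each imported patch should keep the original author where known, an origin line such as `Imported from <debian source tarball>`, and a one-line reason for the change.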
diff --git a/patches/ppp-2.4.9/0104-011_scripts_redialer.diff.patch b/patches/ppp-2.4.9/0104-011_scripts_redialer.diff.patch
new file mode 100644
index 000000000..ff8426495
--- /dev/null
+++ b/patches/ppp-2.4.9/0104-011_scripts_redialer.diff.patch
@@ -0,0 +1,162 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] 011_scripts_redialer.diff
+
+---
+ scripts/redialer | 133 ++++++++++++++++++++++---------------------------------
+ 1 file changed, 53 insertions(+), 80 deletions(-)
+
+diff --git a/scripts/redialer b/scripts/redialer
+index 5bbde4e9da4e..c0b748ad0e53 100755
+--- a/scripts/redialer
++++ b/scripts/redialer
+@@ -1,96 +1,69 @@
+ #!/bin/sh
+-###################################################################
+ #
+-# These parameters control the attack dialing sequence.
++# A chatscript that will attempt to dial multiple numbers in sequence, until
++# you get connected.
+ #
+-# Maximum number of attempts to reach the telephone number(s)
+-MAX_ATTEMPTS=10
+-
+-# Delay between each of the attempts. This is a parameter to sleep
+-# so use "15s" for 15 seconds, "1m" for 1 minute, etc.
+-SLEEP_DELAY=15s
+-
+-###################################################################
++# To use: edit /etc/peers/provider, and change the connect line to read:
++# connect "/usr/local/bin/redialer"
+ #
+-# This is a list of telephone numbers. Add new numbers if you wish
+-# and see the function 'callall' below for the dial process.
+-PHONE1=555-1212
+-PHONE2=411
++# See below for configuration.
+
+-###################################################################
++# This is a list of chatscripts to use to get connected, and (optional)
++# telephone numbers to call for each of those chatscripts.
+ #
+-# If you use the ppp-on script, then these are passed to this routine
+-# automatically. There is no need to define them here. If not, then
+-# you will need to set the values.
+-#
+-ACCOUNT=my_account_name
+-PASSWORD=my_password
++# Note that in the chatscripts, you may use #NUMBER#, this will be replaced
++# with the number it is calling. You might want to use this to only have one
++# chatscript that is used for all numbers, or you might need multiple
++# chatscripts.
+
+-###################################################################
+-#
+-# Function to initialize the modem and ensure that it is in command
+-# state. This may not be needed, but it doesn't hurt.
+-#
+-function initialize
+-{
+- chat -v TIMEOUT 3 '' AT 'OK-+++\c-OK'
+- return
+-}
++PHONE1=123456789
++CHAT1=/etc/chatscripts/provider
+
+-###################################################################
+-#
+-# Script to dial a telephone
+-#
+-function callnumber
+-{
+-chat -v \
+- ABORT '\nBUSY\r' \
+- ABORT '\nNO ANSWER\r' \
+- ABORT '\nRINGING\r\n\r\nRINGING\r' \
+- '' ATDT$1 \
+- CONNECT '' \
+- ogin:--ogin: $ACCOUNT \
+- assword: $PASSWORD
+-#
+-# If the connection was successful then end the whole script with a
+-# success.
+-#
+- if [ "$?" = "0" ]; then
+- exit 0
+- fi
++PHONE2=912345678
++CHAT2=/etc/chatscripts/provider
+
+- return
+-}
++PHONE3=891234567
++CHAT3=/etc/chatscripts/provider
+
+-###################################################################
+-#
+-# Script to dial any telephone number
+-#
+-function callall
+-{
+-# echo "dialing attempt number: $1" >/dev/console
+- callnumber $PHONE1
+-# callnumber $PHONE2
+-}
++PHONE4=789123456
++CHAT4=/etc/chatscripts/provider
+
+-###################################################################
+-#
+-# Initialize the modem to ensure that it is in the command state
+-#
+-initialize
+-if [ ! "$?" = "0" ]; then
+- exit 1
+-fi
++PHONE5=001234567
++CHAT5=/etc/chatscripts/provider
+
++# How long to sleep between retries:
+ #
+-# Dial telephone numbers until one answers
+-#
++# Note that this is a parameter to sleep so use "15s" for 15 seconds,
++# "1m" for 1 minute, etc
++SLEEP_DELAY=1s
++
++# The code below does the dialing.
++
+ attempt=0
+ while : ; do
+- attempt=`expr $attempt + 1`
+- callall $attempt
+- if [ "$attempt" = "$MAX_ATTEMPTS" ]; then
+- exit 1
+- fi
+- sleep "$SLEEP_DELAY"
++ attempt=`expr $attempt + 1`
++ NUMBER=`eval echo '$PHONE'$attempt`
++ CHAT=`eval echo '$CHAT'$attempt`
++ if [ ! "$CHAT" ]; then
++ attempt=0
++ else
++ logger "Dialing attempt number: $attempt"
++ sed s/#NUMBER#/$NUMBER/ $CHAT >/etc/chatscripts/tmpchat
++ /usr/sbin/chat -v -f /etc/chatscripts/tmpchat
++ rm -f /etc/chatscripts/tmpchat
++ case $? in
++ 0) logger Connection established ; exit 0;;
++ 1) logger chat: exit 1, see manpage for details. ; exit 1;;
++ 2) logger chat: exit 2, see manpage for details. ; exit 2;;
++ 3) logger chat: exit 3, see manpage for details. ;;
++ 4) logger Line busy. ;;
++ 5) logger No Carrier. ;;
++ 6) logger A call is coming. Exiting! ; exit 1;;
++ 7) logger No dialtone. ;;
++ 8) logger An error occured. Exiting! ; exit 1;;
++ *) logger chat: exit $?, see manpage for details. ;;
++ esac
++ logger "Waiting $SLEEP_DELAY seconds before next try."
++ sleep $SLEEP_DELAY
++ fi
+ done
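Review bot: The `case $? in` in the dialing loop tests the exit status of `rm -f /etc/chatscripts/tmpchat`, not of `/usr/sbin/chat`, because the `rm` runs in between. `rm -f` normally returns 0, so the script logs "Connection established" and exits 0 even when chat failed, and a caller using it as the `connect` script (as the header comment describes) is told the line is up. Save the status first with `rc=$?` directly after the chat line, then use `case $rc in` and `$rc` in the `*)` arm. Separately, every run writes the same fixed path `/etc/chatscripts/tmpchat`, so concurrent dial-outs overwrite each other's chat script, and `$NUMBER` and `$CHAT` reach `sed` unquoted. A per-run temporary file and `sed "s/#NUMBER#/$NUMBER/" "$CHAT"` would avoid both.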
diff --git a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch b/patches/ppp-2.4.9/0105-ppp-2.3.11-oedod.dif.patch
similarity index 74%
rename from patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
rename to patches/ppp-2.4.9/0105-ppp-2.3.11-oedod.dif.patch
index 8151c3be2..9b4cda0f0 100644
--- a/patches/ppp-2.4.7/0028-ppp-2.3.11-oedod.dif.patch
+++ b/patches/ppp-2.4.9/0105-ppp-2.3.11-oedod.dif.patch
@@ -1,10 +1,17 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:49 +0200
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
Subject: [PATCH] ppp-2.3.11-oedod.dif
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
+Upstream said:
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+"
+Hmmm, dial-on-demand was never tested with the sync option, and in fact I don't
+know what devices would use that option.
+
+To be accepted, the patch would need a sign-off and a description that
+explained the changes in the patch - in particular, what the large lump of code
+added to demand_rexmit() is doing.
+"
---
pppd/demand.c | 99 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
pppd/ipcp.c | 2 +-
@@ -13,7 +20,7 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
4 files changed, 101 insertions(+), 4 deletions(-)
diff --git a/pppd/demand.c b/pppd/demand.c
-index 5e57658ea831..3eddf3016d98 100644
+index 289c9f8fdd57..4c61444d3968 100644
--- a/pppd/demand.c
+++ b/pppd/demand.c
@@ -36,6 +36,8 @@
@@ -34,7 +41,7 @@ index 5e57658ea831..3eddf3016d98 100644
#ifdef PPP_FILTER
#include <pcap-bpf.h>
#endif
-@@ -221,6 +225,14 @@ loop_chars(p, n)
+@@ -218,6 +222,14 @@ loop_chars(unsigned char *p, int n)
int c, rv;
rv = 0;
@@ -49,14 +56,12 @@ index 5e57658ea831..3eddf3016d98 100644
for (; n > 0; --n) {
c = *p++;
if (c == PPP_FLAG) {
-@@ -299,17 +311,102 @@ loop_frame(frame, len)
+@@ -294,16 +306,101 @@ loop_frame(unsigned char *frame, int len)
* loopback, now that the real serial link is up.
*/
void
--demand_rexmit(proto)
-+demand_rexmit(proto, newip)
- int proto;
-+ u_int32_t newip;
+-demand_rexmit(int proto)
++demand_rexmit(int proto, u_int32_t newip)
{
struct packet *pkt, *prev, *nextpkt;
+ unsigned short checksum;
@@ -69,9 +74,11 @@ index 5e57658ea831..3eddf3016d98 100644
prev = NULL;
pkt = pend_q;
pend_q = NULL;
++
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
-+ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Seconds */
++ select(0,NULL,NULL,NULL,&tv); /* Sleep for 1 Second */
++
for (; pkt != NULL; pkt = nextpkt) {
nextpkt = pkt->next;
if (PPP_PROTOCOL(pkt->data) == proto) {
@@ -83,7 +90,6 @@ index 5e57658ea831..3eddf3016d98 100644
+ if (checksum == 0xFFFF) {
+ checksum = 0;
+ }
-+
+
+ if (pkt->data[13] == 17) {
+ pkt_checksum = *((unsigned short *) (pkt->data+10+iphdr));
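Review bot: The checksum fix-up in `demand_rexmit` indexes `pkt->data[13]` and dereferences `pkt->data+10+iphdr` through an `unsigned short *` cast, and no check that the queued packet is long enough for those offsets is visible in this part of the patch. The cast also assumes a suitably aligned address, which is not guaranteed on every architecture. The rest of the function lies outside the hunk, so a guard may exist elsewhere; it is worth confirming, given that the patch header quotes upstream asking what "the large lump of code added to demand_rexmit()" is doing. If there is none, a length check before the fix-up and a `memcpy` into a local `unsigned short` instead of the cast would be the minimal change.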
@@ -154,10 +160,10 @@ index 5e57658ea831..3eddf3016d98 100644
free(pkt);
} else {
diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index c8fe279d4ede..dceca807542a 100644
+index 302ca40b4c83..3ac26a08032a 100644
--- a/pppd/ipcp.c
+++ b/pppd/ipcp.c
-@@ -1904,7 +1904,7 @@ ipcp_up(f)
+@@ -1850,7 +1850,7 @@ ipcp_up(fsm *f)
proxy_arp_set[f->unit] = 1;
}
@@ -167,12 +173,12 @@ index c8fe279d4ede..dceca807542a 100644
} else {
diff --git a/pppd/ipv6cp.c b/pppd/ipv6cp.c
-index 356ff84ead41..c1602f41c206 100644
+index 431cb62211bf..a32b0002e10d 100644
--- a/pppd/ipv6cp.c
+++ b/pppd/ipv6cp.c
-@@ -1232,7 +1232,7 @@ ipv6cp_up(f)
- }
-
+@@ -1253,7 +1253,7 @@ ipv6cp_up(fsm *f)
+ if (sif6defaultroute(f->unit, go->ourid, ho->hisid))
+ default_route_set[f->unit] = 1;
}
- demand_rexmit(PPP_IPV6);
+ demand_rexmit(PPP_IPV6,0);
@@ -180,15 +186,15 @@ index 356ff84ead41..c1602f41c206 100644
} else {
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index 7495df657fe9..e65106d4c126 100644
+index 612902f55d0d..10a9977598aa 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
-@@ -594,7 +594,7 @@ void demand_conf __P((void)); /* config interface(s) for demand-dial */
- void demand_block __P((void)); /* set all NPs to queue up packets */
- void demand_unblock __P((void)); /* set all NPs to pass packets */
- void demand_discard __P((void)); /* set all NPs to discard packets */
--void demand_rexmit __P((int)); /* retransmit saved frames for an NP */
-+void demand_rexmit __P((int, u_int32_t)); /* retransmit saved frames for an NP*/
- int loop_chars __P((unsigned char *, int)); /* process chars from loopback */
- int loop_frame __P((unsigned char *, int)); /* should we bring link up? */
+@@ -598,7 +598,7 @@ void demand_conf(void); /* config interface(s) for demand-dial */
+ void demand_block(void); /* set all NPs to queue up packets */
+ void demand_unblock(void); /* set all NPs to pass packets */
+ void demand_discard(void); /* set all NPs to discard packets */
+-void demand_rexmit(int); /* retransmit saved frames for an NP */
++void demand_rexmit(int, u_int32_t); /* retransmit saved frames for an NP */
+ int loop_chars(unsigned char *, int); /* process chars from loopback */
+ int loop_frame(unsigned char *, int); /* should we bring link up? */
diff --git a/patches/ppp-2.4.9/0106-010_scripts_README.diff.patch b/patches/ppp-2.4.9/0106-010_scripts_README.diff.patch
new file mode 100644
index 000000000..d96f7d60b
--- /dev/null
+++ b/patches/ppp-2.4.9/0106-010_scripts_README.diff.patch
@@ -0,0 +1,30 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] 010_scripts_README.diff
+
+---
+ scripts/README | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+diff --git a/scripts/README b/scripts/README
+index 00e032ca6ad4..439c900d657a 100644
+--- a/scripts/README
++++ b/scripts/README
+@@ -141,3 +141,17 @@ option. In addition, all ASCII control characters [0x00 to 0x1f], plus 0xff,
+ are escaped. This may need to be modified depending on the ssh (or
+ pseudo-tty) implementation which may differ across platforms, for further
+ optimizations.
++
++------------------------------------------------------------------------
++
++12. pon, poff and ip-up
++
++These are modified version of the pon/poff/ip-up scripts contributed by Yann
++Dirson <dirson@debian.org>. They allow you to call "pon quick" respectively
++"pon quick my-isp" to just call the provider for running you ip-up scripts in
++/etc/ppp/ip-up.d. This can be useful to check for incoming/flush outgoing
++mail, without the necessary delay before hangup introduced by diald or such.
++
++These scripts break the possibility to connect to multiple ISPs at once, so
++they are included only here.
++
diff --git a/patches/ppp-2.4.9/0107-no_crypt_hack.patch b/patches/ppp-2.4.9/0107-no_crypt_hack.patch
new file mode 100644
index 000000000..441675edd
--- /dev/null
+++ b/patches/ppp-2.4.9/0107-no_crypt_hack.patch
@@ -0,0 +1,62 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] no_crypt_hack
+
+The udeb package does not have crypt(3).
+This patch makes authentication always fail, since it is not needed anyway
+for dialout.
+---
+ pppd/Makefile.linux | 4 ++++
+ pppd/auth.c | 2 ++
+ pppd/session.c | 2 ++
+ 3 files changed, 8 insertions(+)
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index 22837c50415e..e517d5d3c1dd 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -143,10 +143,14 @@ CFLAGS += -DHAS_SHADOW
+ #LIBS += -lshadow $(LIBS)
+ endif
+
++ifdef NO_CRYPT_HACK
++CFLAGS += -DNO_CRYPT_HACK
++else
+ ifeq ($(shell echo '\#include <crypt.h>' | $(CC) -E - >/dev/null 2>&1 && echo yes),yes)
+ CFLAGS += -DHAVE_CRYPT_H=1
+ LIBS += -lcrypt
+ endif
++endif
+
+ ifdef USE_LIBUTIL
+ CFLAGS += -DHAVE_LOGWTMP=1
+diff --git a/pppd/auth.c b/pppd/auth.c
+index b1271c4f8739..4fb404e6b0a9 100644
+--- a/pppd/auth.c
++++ b/pppd/auth.c
+@@ -1509,8 +1509,10 @@ check_passwd(int unit,
+ if (secret[0] != 0 && !login_secret) {
+ /* password given in pap-secrets - must match */
+ if (cryptpap || strcmp(passwd, secret) != 0) {
++#ifndef NO_CRYPT_HACK
+ char *cbuf = crypt(passwd, secret);
+ if (!cbuf || strcmp(cbuf, secret) != 0)
++#endif
+ ret = UPAP_AUTHNAK;
+ }
+ }
+diff --git a/pppd/session.c b/pppd/session.c
+index 2f1c83e5552c..57c42d566450 100644
+--- a/pppd/session.c
++++ b/pppd/session.c
+@@ -343,8 +343,10 @@ session_start(const int flags, const char *user, const char *passwd, const char
+ */
+ if (pw->pw_passwd == NULL || strlen(pw->pw_passwd) < 2)
+ return SESSION_FAILED;
++#ifndef NO_CRYPT_HACK
+ cbuf = crypt(passwd, pw->pw_passwd);
+ if (!cbuf || strcmp(cbuf, pw->pw_passwd) != 0)
++#endif
+ return SESSION_FAILED;
+ }
+
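Review bot: With `NO_CRYPT_HACK` defined, both guards cut the `if` head away from its unbraced body and leave a bare `ret = UPAP_AUTHNAK;` and `return SESSION_FAILED;`, so the fail-closed behaviour depends on each body staying a single unbraced statement. That intent should be written down, e.g. `/* NO_CRYPT_HACK: no crypt(3) available, crypt-based secrets are always rejected */` above each `#ifndef`. In `pppd/Makefile.linux`, `ifdef NO_CRYPT_HACK` is also true when the variable merely exists in the build environment, which would silently yield a pppd that rejects every crypt-based secret; `ifeq ($(NO_CRYPT_HACK),y)` is harder to trigger by accident. The description targets the Debian udeb, so it is worth deciding whether ptxdist needs this patch at all. `check_passwd` and `session_start` continue outside the inner hunks.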
diff --git a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch b/patches/ppp-2.4.9/0108-resolv.conf_no_log.patch
similarity index 56%
rename from patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
rename to patches/ppp-2.4.9/0108-resolv.conf_no_log.patch
index aea6b2082..56d44d84a 100644
--- a/patches/ppp-2.4.7/0035-resolv.conf_no_log.patch
+++ b/patches/ppp-2.4.9/0108-resolv.conf_no_log.patch
@@ -1,19 +1,16 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
Subject: [PATCH] resolv.conf_no_log
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
pppd/ipcp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pppd/ipcp.c b/pppd/ipcp.c
-index d6e0e2a699fe..b81b2fd0a29f 100644
+index 3ac26a08032a..ce002262bb34 100644
--- a/pppd/ipcp.c
+++ b/pppd/ipcp.c
-@@ -2152,7 +2152,7 @@ create_resolv(peerdns1, peerdns2)
+@@ -2093,7 +2093,7 @@ create_resolv(u_int32_t peerdns1, u_int32_t peerdns2)
f = fopen(_PATH_RESOLV, "w");
if (f == NULL) {
diff --git a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch b/patches/ppp-2.4.9/0109-zzz_config.patch
similarity index 60%
rename from patches/ppp-2.4.7/0036-Debian-specific-changes.patch
rename to patches/ppp-2.4.9/0109-zzz_config.patch
index 9576af118..27e7818c0 100644
--- a/patches/ppp-2.4.7/0036-Debian-specific-changes.patch
+++ b/patches/ppp-2.4.9/0109-zzz_config.patch
@@ -1,23 +1,25 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] Debian-specific changes.
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] zzz_config
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
+Debian-specific changes.
---
- pppd/Makefile.linux | 6 ++----
+ pppd/Makefile.linux | 6 +++---
pppd/pathnames.h | 2 +-
pppd/pppd.h | 2 +-
pppdump/Makefile.linux | 4 ++--
- 4 files changed, 6 insertions(+), 8 deletions(-)
+ 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 16b3ee879791..5549145e5791 100644
+index e517d5d3c1dd..ab52c1b207f3 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
-@@ -61,14 +61,14 @@ HAVE_MULTILINK=y
- USE_TDB=y
+@@ -64,17 +64,17 @@ USE_TDB=y
+ # Uncomment the next line to enable Type=notify services in systemd
+ # If enabled, and the user sets the up_sdnotify option, then
+ # pppd will not detach and will notify systemd when up.
+-#SYSTEMD=y
++SYSTEMD=y
HAS_SHADOW=y
-#USE_PAM=y
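Review bot: The refreshed patch takes over Debian's build defaults unchanged: this hunk now turns `SYSTEMD=y` on unconditionally, and the last hunk of the file sets `HAVE_ZLIB=y` in `pppdump/Makefile.linux`. Targets without systemd would presumably fail to build or gain an unwanted dependency, though the Makefile lines that consume `SYSTEMD` are not visible here. The header of 0101 in this series records that upstream rejected the system-zlib build because of compile failures and because the bundled `zlib.c` carries extra functions. Both switches would be better left at the upstream default in the patch and driven from the ptxdist package options. Failing that, the description should state that the build was tested without systemd and against the target's zlib.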
@@ -33,23 +35,11 @@ index 16b3ee879791..5549145e5791 100644
# Enable EAP SRP-SHA1 authentication (requires libsrp)
#USE_SRP=y
-@@ -178,11 +178,9 @@ LIBS += -ldl
- endif
-
- ifdef FILTER
--ifneq ($(wildcard /usr/include/pcap-bpf.h),)
- LIBS += -lpcap
- CFLAGS += -DPPP_FILTER
- endif
--endif
-
- ifdef HAVE_INET6
- PPPDSRCS += ipv6cp.c eui64.c
diff --git a/pppd/pathnames.h b/pppd/pathnames.h
-index a33f0466c9d6..46972601fc92 100644
+index 524d608ce12c..2df61354f40e 100644
--- a/pppd/pathnames.h
+++ b/pppd/pathnames.h
-@@ -28,7 +28,7 @@
+@@ -33,7 +33,7 @@
#define _PATH_AUTHUP _ROOT_PATH "/etc/ppp/auth-up"
#define _PATH_AUTHDOWN _ROOT_PATH "/etc/ppp/auth-down"
#define _PATH_TTYOPT _ROOT_PATH "/etc/ppp/options."
@@ -59,10 +49,10 @@ index a33f0466c9d6..46972601fc92 100644
#define _PATH_RESOLV _ROOT_PATH "/etc/ppp/resolv.conf"
diff --git a/pppd/pppd.h b/pppd/pppd.h
-index b11670586244..567d702181ca 100644
+index 10a9977598aa..a14483b76acc 100644
--- a/pppd/pppd.h
+++ b/pppd/pppd.h
-@@ -870,7 +870,7 @@ extern void (*snoop_send_hook) __P((unsigned char *p, int len));
+@@ -879,7 +879,7 @@ extern void (*snoop_send_hook)(unsigned char *p, int len);
|| defined(DEBUGCHAP) || defined(DEBUG) || defined(DEBUGIPV6CP)
#define LOG_PPP LOG_LOCAL2
#else
@@ -72,10 +62,10 @@ index b11670586244..567d702181ca 100644
#endif /* LOG_PPP */
diff --git a/pppdump/Makefile.linux b/pppdump/Makefile.linux
-index 87777fab5e94..1eeeafe20111 100644
+index de7e574d10e1..04b1c10b34c7 100644
--- a/pppdump/Makefile.linux
+++ b/pppdump/Makefile.linux
-@@ -2,9 +2,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
+@@ -6,9 +6,9 @@ DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
@@ -85,5 +75,5 @@ index 87777fab5e94..1eeeafe20111 100644
-HAVE_ZLIB=n
+HAVE_ZLIB=y
- COPTS=-O2 -g
- CFLAGS= $(COPTS) -I../include/net
+ CFLAGS = $(COPTS) -I../include/net
+ OBJS = pppdump.o
diff --git a/patches/ppp-2.4.9/0110-pppd-soname-hack.patch b/patches/ppp-2.4.9/0110-pppd-soname-hack.patch
new file mode 100644
index 000000000..eb7221050
--- /dev/null
+++ b/patches/ppp-2.4.9/0110-pppd-soname-hack.patch
@@ -0,0 +1,31 @@
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] pppd-soname-hack
+
+---
+ pppd/Makefile.linux | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
+index ab52c1b207f3..b7f3cd71729e 100644
+--- a/pppd/Makefile.linux
++++ b/pppd/Makefile.linux
+@@ -238,6 +238,8 @@ endif
+
+ INSTALL= install
+
++VERSION = $(shell awk -F '"' '/VERSION/ { print $$2; }' patchlevel.h)
++
+ all: $(TARGETS)
+
+ install: pppd
+@@ -249,7 +251,8 @@ install: pppd
+ $(INSTALL) -c -m 444 pppd.8 $(MANDIR)
+
+ pppd: $(PPPDOBJS)
+- $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS)
++ $(CC) $(CFLAGS) $(LDFLAGS) $(LDFLAGS_PLUGIN) -o pppd $(PPPDOBJS) $(LIBS) \
++ -Wl,-soname,pppd.so.$(VERSION)
+
+ srp-entry: srp-entry.c
+ $(CC) $(CFLAGS) $(LDFLAGS) -o $@ srp-entry.c $(LIBS)
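Review bot: The patch description is empty, so nothing records why the `pppd` executable is linked with `-Wl,-soname,pppd.so.$(VERSION)` or what depends on that name; a short rationale belongs in the header of a patch that calls itself a hack. `VERSION = $(shell awk ...)` is recursively expanded, so awk runs on every expansion; `VERSION := $(shell awk -F '"' '/VERSION/ { print $$2; }' patchlevel.h)` evaluates it once. The `/VERSION/` pattern matches any line of patchlevel.h containing that word, so a second match would put a multi-word value on the linker line; anchoring it on the `#define` would be more robust.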
diff --git a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch b/patches/ppp-2.4.9/0111-replace-vendored-hash-functions.patch
similarity index 92%
rename from patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
rename to patches/ppp-2.4.9/0111-replace-vendored-hash-functions.patch
index a08af544a..4c0234552 100644
--- a/patches/ppp-2.4.7/0039-Replace-vendored-hash-functions-with-libcrypto.patch
+++ b/patches/ppp-2.4.9/0111-replace-vendored-hash-functions.patch
@@ -1,37 +1,27 @@
-From: Michael Olbrich <m.olbrich@pengutronix.de>
-Date: Sat, 28 Sep 2019 08:11:50 +0200
-Subject: [PATCH] Replace vendored hash functions with libcrypto
-
-Bug-Debian: https://bugs.debian.org/826625
-Forwarded: no
-Author: Chris Boot <bootc@debian.org>
-Last-Update: 2017-12-17
+From: unknown author <unknown.author@example.com>
+Date: Mon, 14 Jun 2021 13:24:41 +0200
+Subject: [PATCH] replace-vendored-hash-functions
This patch switches ppp's use of the embedded implementations of MD4, MD5 and
SHA1 for those found in OpenSSL's libcrypto. This is inspired by the patch to
switch to the libmd versions of these functions, but using libcrypto is
preferable both due to the patch being slightly less invasive and also because
of our use of the EAP-TLS patch which requires OpenSSL.
-
-
-Imported from ppp_2.4.7-2+4.1.debian.tar.xz
-
-Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
- pppd/Makefile.linux | 25 ++--
+ pppd/Makefile.linux | 28 +---
pppd/chap-md5.c | 2 +-
pppd/chap_ms.c | 40 ++----
- pppd/eap.c | 2 +-
- pppd/md4.c | 299 -----------------------------------------
- pppd/md4.h | 64 ---------
- pppd/md5.c | 311 -------------------------------------------
- pppd/md5.h | 68 ----------
+ pppd/eap.c | 3 +-
+ pppd/md4.c | 290 -----------------------------------------
+ pppd/md4.h | 55 --------
+ pppd/md5.c | 299 -------------------------------------------
+ pppd/md5.h | 65 ----------
pppd/plugins/radius/md5.c | 2 +-
pppd/plugins/radius/radius.c | 2 +-
pppd/plugins/winbind.c | 2 +-
- pppd/sha1.c | 170 -----------------------
+ pppd/sha1.c | 171 -------------------------
pppd/sha1.h | 31 -----
- 13 files changed, 28 insertions(+), 990 deletions(-)
+ 13 files changed, 27 insertions(+), 963 deletions(-)
delete mode 100644 pppd/md4.c
delete mode 100644 pppd/md4.h
delete mode 100644 pppd/md5.c
@@ -40,10 +30,10 @@ Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
delete mode 100644 pppd/sha1.h
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index 4a11d5fea748..58a634ce8c3b 100644
+index b7f3cd71729e..90646dc31e70 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
-@@ -11,16 +11,16 @@ INCDIR = $(DESTDIR)/include
+@@ -15,16 +15,16 @@ INCDIR = $(DESTDIR)/include
TARGETS = pppd
@@ -64,16 +54,16 @@ index 4a11d5fea748..58a634ce8c3b 100644
ecp.o auth.o options.o demand.o utils.o sys-linux.o ipxcp.o tty.o \
eap.o chap-md5.o session.o
-@@ -33,7 +33,7 @@ endif
- # CC = gcc
- #
- COPTS = -O2 -pipe -Wall -g
--LIBS =
-+LIBS = -lcrypto
+@@ -34,7 +34,7 @@ ifeq (.depend,$(wildcard .depend))
+ include .depend
+ endif
+
+-LIBS = -lrt
++LIBS = -lrt -lcrypto
- # Uncomment the next 2 lines to include support for Microsoft's
+ # Uncomment the next line to include support for Microsoft's
# MS-CHAP authentication protocol. Also, edit plugins/radius/Makefile.linux.
-@@ -91,8 +91,8 @@ LDFLAGS=$(LDOPTS)
+@@ -98,8 +98,8 @@ CFLAGS= $(COPTS) $(COMPILE_FLAGS) $(INCLUDE_DIRS) '-DDESTDIR="@DESTDIR@"'
ifdef CHAPMS
CFLAGS += -DCHAPMS=1
NEEDDES=y
@@ -84,12 +74,11 @@ index 4a11d5fea748..58a634ce8c3b 100644
ifdef MSLANMAN
CFLAGS += -DMSLANMAN=1
endif
-@@ -104,25 +104,18 @@ endif
- # EAP SRP-SHA1
+@@ -113,26 +113,17 @@ endif
ifdef USE_SRP
CFLAGS += -DUSE_SRP -DOPENSSL -I/usr/local/ssl/include
--LIBS += -lsrp -L/usr/local/ssl/lib -lcrypto
-+LIBS += -lsrp -L/usr/local/ssl/lib
+ LIBS += -lsrp -L/usr/local/ssl/lib
+-NEEDCRYPTOLIB = y
TARGETS += srp-entry
EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
MANPAGES += srp-entry.8
@@ -106,27 +95,50 @@ index 4a11d5fea748..58a634ce8c3b 100644
# EAP-TLS
ifdef USE_EAPTLS
- CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
--LIBS += -lssl -lcrypto
-+LIBS += -lssl
+ CFLAGS += -DUSE_EAPTLS=1
+ LIBS += -lssl
+-NEEDCRYPTOLIB = y
PPPDSRC += eap-tls.c
HEADERS += eap-tls.h
PPPDOBJS += eap-tls.o
+@@ -160,7 +151,6 @@ endif
+ ifdef NEEDDES
+ ifndef USE_CRYPT
+ CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
+-NEEDCRYPTOLIB = y
+ else
+ CFLAGS += -DUSE_CRYPT=1
+ endif
+@@ -168,10 +158,6 @@ PPPDOBJS += pppcrypt.o
+ HEADERS += pppcrypt.h
+ endif
+
+-ifdef NEEDCRYPTOLIB
+-LIBS += -lcrypto
+-endif
+-
+ # For "Pluggable Authentication Modules", see ftp.redhat.com:/pub/pam/.
+ ifdef USE_PAM
+ CFLAGS += -DUSE_PAM
diff --git a/pppd/chap-md5.c b/pppd/chap-md5.c
-index 269b52cb2041..7f7967a56842 100644
+index 77dd4ecc7059..d86564aa865a 100644
--- a/pppd/chap-md5.c
+++ b/pppd/chap-md5.c
-@@ -39,7 +39,7 @@
- #ifdef USE_EAPTLS
- #include "eap-tls.h"
- #else
--#include "md5.h"
+@@ -32,11 +32,11 @@
+
+ #include <stdlib.h>
+ #include <string.h>
+#include <openssl/md5.h>
- #endif /* USE_EAPTLS */
+ #include "pppd.h"
+ #include "chap-new.h"
+ #include "chap-md5.h"
+ #include "magic.h"
+-#include "md5.h"
#define MD5_HASH_SIZE 16
+ #define MD5_MIN_CHALLENGE 16
diff --git a/pppd/chap_ms.c b/pppd/chap_ms.c
-index c2bd00f9c6f7..19edb85d27a8 100644
+index e6b84f203fc3..64848f20f660 100644
--- a/pppd/chap_ms.c
+++ b/pppd/chap_ms.c
@@ -89,8 +89,8 @@
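Review bot: With `NEEDCRYPTOLIB` and its trailing `LIBS += -lcrypto` block removed, the only `-lcrypto` left is the one in `LIBS = -lrt -lcrypto`, which ends up before `-lsrp` and `-lssl` on the link line. That order is harmless for shared libraries, but a static link resolves archives left to right and would leave libssl's references to libcrypto undefined. Keeping `LIBS = -lrt` and appending an unconditional `LIBS += -lcrypto` where the `ifdef NEEDCRYPTOLIB` block used to be would preserve upstream's ordering. The surrounding Makefile sections continue outside this hunk.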
@@ -140,7 +152,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
#include "pppcrypt.h"
#include "magic.h"
-@@ -535,8 +535,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
+@@ -536,8 +536,8 @@ ChallengeHash(u_char PeerChallenge[16], u_char *rchallenge,
char *username, u_char Challenge[8])
{
@@ -151,7 +163,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
char *user;
/* remove domain from "domain\username" */
-@@ -574,23 +574,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
+@@ -575,23 +575,11 @@ ascii2unicode(char ascii[], int ascii_len, u_char unicode[])
static void
NTPasswordHash(u_char *secret, int secret_len, u_char hash[MD4_SIGNATURE_SIZE])
{
@@ -178,7 +190,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
}
-@@ -671,8 +659,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
+@@ -672,8 +660,8 @@ GenerateAuthenticatorResponse(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
0x6E };
int i;
@@ -189,7 +201,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
u_char Challenge[8];
SHA1_Init(&sha1Context);
-@@ -725,8 +713,8 @@ GenerateAuthenticatorResponsePlain
+@@ -726,8 +714,8 @@ GenerateAuthenticatorResponsePlain
void
mppe_set_keys(u_char *rchallenge, u_char PasswordHashHash[MD4_SIGNATURE_SIZE])
{
@@ -200,7 +212,7 @@ index c2bd00f9c6f7..19edb85d27a8 100644
SHA1_Init(&sha1Context);
SHA1_Update(&sha1Context, PasswordHashHash, MD4_SIGNATURE_SIZE);
-@@ -769,9 +757,9 @@ void
+@@ -770,9 +758,9 @@ void
mppe_set_keys2(u_char PasswordHashHash[MD4_SIGNATURE_SIZE],
u_char NTResponse[24], int IsServer)
{
@@ -214,24 +226,27 @@ index c2bd00f9c6f7..19edb85d27a8 100644
u_char SHApad1[40] =
{ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
diff --git a/pppd/eap.c b/pppd/eap.c
-index 032407c3dbb2..35d111015ff3 100644
+index 79146557bd32..d987888d9f20 100644
--- a/pppd/eap.c
+++ b/pppd/eap.c
-@@ -71,7 +71,7 @@
- #ifdef USE_EAPTLS
- #include "eap-tls.h"
- #else
--#include "md5.h"
+@@ -59,9 +59,10 @@
+ #include <assert.h>
+ #include <errno.h>
+
+#include <openssl/md5.h>
- #endif /* USE_EAPTLS */
++
+ #include "pppd.h"
+ #include "pathnames.h"
+-#include "md5.h"
+ #include "eap.h"
- #ifdef USE_SRP
+ #ifdef CHAPMS
diff --git a/pppd/md4.c b/pppd/md4.c
deleted file mode 100644
-index d943e8885f2d..000000000000
+index 42a9b2e75d6e..000000000000
--- a/pppd/md4.c
+++ /dev/null
-@@ -1,299 +0,0 @@
+@@ -1,290 +0,0 @@
-/*
-** ********************************************************************
-** md4.c -- Implementation of MD4 Message Digest Algorithm **
@@ -321,8 +336,7 @@ index d943e8885f2d..000000000000
-** This is a user-callable routine.
-*/
-void
--MD4Print(MDp)
--MD4_CTX *MDp;
+-MD4Print(MD4_CTX *MDp)
-{
- int i,j;
- for (i=0;i<4;i++)
@@ -335,8 +349,7 @@ index d943e8885f2d..000000000000
-** This is a user-callable routine.
-*/
-void
--MD4Init(MDp)
--MD4_CTX *MDp;
+-MD4Init(MD4_CTX *MDp)
-{
- int i;
- MDp->buffer[0] = I0;
@@ -354,9 +367,7 @@ index d943e8885f2d..000000000000
-** This routine is not user-callable.
-*/
-static void
--MDblock(MDp,Xb)
--MD4_CTX *MDp;
--unsigned char *Xb;
+-MDblock(MD4_CTX *MDp, unsigned char *Xb)
-{
- register unsigned int tmp, A, B, C, D;
- unsigned int X[16];
@@ -440,10 +451,7 @@ index d943e8885f2d..000000000000
-** if desired.
-*/
-void
--MD4Update(MDp,X,count)
--MD4_CTX *MDp;
--unsigned char *X;
--unsigned int count;
+-MD4Update(MD4_CTX *MDp, unsigned char *X, unsigned int count)
-{
- unsigned int i, tmp, bit, byte, mask;
- unsigned char XX[64];
@@ -511,9 +519,7 @@ index d943e8885f2d..000000000000
-** Finish up MD4 computation and return message digest.
-*/
-void
--MD4Final(buf, MD)
--unsigned char *buf;
--MD4_CTX *MD;
+-MD4Final(unsigned char *buf, MD4_CTX *MD)
-{
- int i, j;
- unsigned int w;
@@ -533,10 +539,10 @@ index d943e8885f2d..000000000000
-****************************(cut)***********************************/
diff --git a/pppd/md4.h b/pppd/md4.h
deleted file mode 100644
-index 80e8f9a2acca..000000000000
+index b6fc3f561faa..000000000000
--- a/pppd/md4.h
+++ /dev/null
-@@ -1,64 +0,0 @@
+@@ -1,55 +0,0 @@
-
-/*
-** ********************************************************************
@@ -547,15 +553,6 @@ index 80e8f9a2acca..000000000000
-** ********************************************************************
-*/
-
--#ifndef __P
--# if defined(__STDC__) || defined(__GNUC__)
--# define __P(x) x
--# else
--# define __P(x) ()
--# endif
--#endif
--
--
-/* MDstruct is the data structure for a message digest computation.
-*/
-typedef struct {
@@ -568,7 +565,7 @@ index 80e8f9a2acca..000000000000
-** Initialize the MD4_CTX prepatory to doing a message digest
-** computation.
-*/
--extern void MD4Init __P((MD4_CTX *MD));
+-extern void MD4Init(MD4_CTX *MD);
-
-/* MD4Update(MD,X,count)
-** Input: X -- a pointer to an array of unsigned characters.
@@ -582,7 +579,7 @@ index 80e8f9a2acca..000000000000
-** every MD computation should end with one call to MD4Update with a
-** count less than 512. Zero is OK for a count.
-*/
--extern void MD4Update __P((MD4_CTX *MD, unsigned char *X, unsigned int count));
+-extern void MD4Update(MD4_CTX *MD, unsigned char *X, unsigned int count);
-
-/* MD4Print(MD)
-** Prints message digest buffer MD as 32 hexadecimal digits.
@@ -590,23 +587,23 @@ index 80e8f9a2acca..000000000000
-** of buffer[3].
-** Each byte is printed with high-order hexadecimal digit first.
-*/
--extern void MD4Print __P((MD4_CTX *));
+-extern void MD4Print(MD4_CTX *);
-
-/* MD4Final(buf, MD)
-** Returns message digest from MD and terminates the message
-** digest computation.
-*/
--extern void MD4Final __P((unsigned char *, MD4_CTX *));
+-extern void MD4Final(unsigned char *, MD4_CTX *);
-
-/*
-** End of md4.h
-****************************(cut)***********************************/
diff --git a/pppd/md5.c b/pppd/md5.c
deleted file mode 100644
-index 6f8f7207c592..000000000000
+index f7988e64141a..000000000000
--- a/pppd/md5.c
+++ /dev/null
-@@ -1,311 +0,0 @@
+@@ -1,299 +0,0 @@
-
-
-/*
@@ -642,8 +639,6 @@ index 6f8f7207c592..000000000000
- ***********************************************************************
- */
-
--#ifndef USE_EAPTLS
--
-#include <string.h>
-#include "md5.h"
-
@@ -713,8 +708,7 @@ index 6f8f7207c592..000000000000
-/* The routine MD5_Init initializes the message-digest context
- mdContext. All fields are set to zero.
- */
--void MD5_Init (mdContext)
--MD5_CTX *mdContext;
+-void MD5_Init (MD5_CTX *mdContext)
-{
- mdContext->i[0] = mdContext->i[1] = (UINT4)0;
-
@@ -730,10 +724,7 @@ index 6f8f7207c592..000000000000
- account for the presence of each of the characters inBuf[0..inLen-1]
- in the message whose digest is being computed.
- */
--void MD5_Update (mdContext, inBuf, inLen)
--MD5_CTX *mdContext;
--unsigned char *inBuf;
--unsigned int inLen;
+-void MD5_Update (MD5_CTX *mdContext, unsigned char *inBuf, unsigned int inLen)
-{
- UINT4 in[16];
- int mdi;
@@ -768,9 +759,7 @@ index 6f8f7207c592..000000000000
-/* The routine MD5Final terminates the message-digest computation and
- ends with the desired message digest in mdContext->digest[0...15].
- */
--void MD5_Final (hash, mdContext)
--unsigned char hash[];
--MD5_CTX *mdContext;
+-void MD5_Final (unsigned char hash[], MD5_CTX *mdContext)
-{
- UINT4 in[16];
- int mdi;
@@ -811,9 +800,7 @@ index 6f8f7207c592..000000000000
-
-/* Basic MD5 step. Transforms buf based on in.
- */
--static void Transform (buf, in)
--UINT4 *buf;
--UINT4 *in;
+-static void Transform (UINT4 *buf, UINT4 *in)
-{
- UINT4 a = buf[0], b = buf[1], c = buf[2], d = buf[3];
-
@@ -916,14 +903,12 @@ index 6f8f7207c592..000000000000
- ** End of md5.c **
- ******************************** (cut) ********************************
- */
--#endif /* USE_EAPTLS */
--
diff --git a/pppd/md5.h b/pppd/md5.h
deleted file mode 100644
-index 14d712171c5e..000000000000
+index 71e8b00e2dde..000000000000
--- a/pppd/md5.h
+++ /dev/null
-@@ -1,68 +0,0 @@
+@@ -1,65 +0,0 @@
-/*
- ***********************************************************************
- ** md5.h -- header file for implementation of MD5 **
@@ -962,7 +947,6 @@ index 14d712171c5e..000000000000
- ** documentation and/or software. **
- ***********************************************************************
- */
--#ifndef USE_EAPTLS
-
-#ifndef __MD5_INCLUDE__
-
@@ -990,8 +974,6 @@ index 14d712171c5e..000000000000
-
-#define __MD5_INCLUDE__
-#endif /* __MD5_INCLUDE__ */
--
--#endif /* USE_EAPTLS */
diff --git a/pppd/plugins/radius/md5.c b/pppd/plugins/radius/md5.c
index 8af03aa3713e..90d9b025d211 100644
--- a/pppd/plugins/radius/md5.c
@@ -1006,7 +988,7 @@ index 8af03aa3713e..90d9b025d211 100644
void rc_md5_calc (unsigned char *output, unsigned char *input, unsigned int inlen)
{
diff --git a/pppd/plugins/radius/radius.c b/pppd/plugins/radius/radius.c
-index 06e00590b635..60282d9b2b9c 100644
+index c5798316719a..d5d63698a6dc 100644
--- a/pppd/plugins/radius/radius.c
+++ b/pppd/plugins/radius/radius.c
@@ -31,7 +31,7 @@ static char const RCSID[] =
@@ -1019,7 +1001,7 @@ index 06e00590b635..60282d9b2b9c 100644
#endif
#include "radiusclient.h"
diff --git a/pppd/plugins/winbind.c b/pppd/plugins/winbind.c
-index bb05acd87dce..5f87a317b677 100644
+index 0c395c34711a..6320645ac994 100644
--- a/pppd/plugins/winbind.c
+++ b/pppd/plugins/winbind.c
@@ -38,7 +38,7 @@
@@ -1033,10 +1015,10 @@ index bb05acd87dce..5f87a317b677 100644
#include "ipcp.h"
diff --git a/pppd/sha1.c b/pppd/sha1.c
deleted file mode 100644
-index f4f975cf516f..000000000000
+index 4e51cee506c2..000000000000
--- a/pppd/sha1.c
+++ /dev/null
-@@ -1,170 +0,0 @@
+@@ -1,171 +0,0 @@
-/*
- * ftp://ftp.funet.fi/pub/crypt/hash/sha/sha1.c
- *
@@ -1056,6 +1038,7 @@ index f4f975cf516f..000000000000
-/* #define SHA1HANDSOFF * Copies data before messing with it. */
-
-#include <string.h>
+-#include <time.h>
-#include <netinet/in.h> /* htonl() */
-#include <net/ppp_defs.h>
-#include "sha1.h"
diff --git a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
similarity index 63%
rename from patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
rename to patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
index c205b15ed..48f451788 100644
--- a/patches/ppp-2.4.7/0100-pppd-make-makefile-sysroot-aware.patch
+++ b/patches/ppp-2.4.9/0200-pppd-make-makefile-sysroot-aware.patch
@@ -13,14 +13,14 @@ Signed-off-by: Marc Kleine-Budde <m.kleine-budde@pengutronix.de>
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
---
- pppd/Makefile.linux | 10 ++++------
- 1 file changed, 4 insertions(+), 6 deletions(-)
+ pppd/Makefile.linux | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/pppd/Makefile.linux b/pppd/Makefile.linux
-index cb9d4f9dcf22..ea0a7f02766b 100644
+index 90646dc31e70..c1da2908ccc7 100644
--- a/pppd/Makefile.linux
+++ b/pppd/Makefile.linux
-@@ -103,8 +103,8 @@ endif
+@@ -111,8 +111,8 @@ endif
# EAP SRP-SHA1
ifdef USE_SRP
@@ -31,32 +31,12 @@ index cb9d4f9dcf22..ea0a7f02766b 100644
TARGETS += srp-entry
EXTRAINSTALL = $(INSTALL) -c -m 555 srp-entry $(BINDIR)/srp-entry
MANPAGES += srp-entry.8
-@@ -114,7 +114,7 @@ endif
-
- # EAP-TLS
- ifdef USE_EAPTLS
--CFLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include
-+CFLAGS += -DUSE_EAPTLS=1
- LIBS += -lssl
- PPPDSRC += eap-tls.c
- HEADERS += eap-tls.h
-@@ -126,10 +126,8 @@ CFLAGS += -DHAS_SHADOW
- #LIBS += -lshadow $(LIBS)
- endif
-
--ifneq ($(wildcard /usr/include/crypt.h),)
- CFLAGS += -DHAVE_CRYPT_H=1
- LIBS += -lcrypt
--endif
-
- ifdef USE_LIBUTIL
- CFLAGS += -DHAVE_LOGWTMP=1
-@@ -138,7 +136,7 @@ endif
+@@ -150,7 +150,7 @@ endif
ifdef NEEDDES
ifndef USE_CRYPT
--CFLAGS += -I/usr/include/openssl
+-CFLAGS += -I$(shell $(CC) --print-sysroot)/usr/include/openssl
+CFLAGS += -I$(SYSROOT)/usr/include/openssl
- LIBS += -lcrypto
else
CFLAGS += -DUSE_CRYPT=1
+ endif
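Review bot: Replacing upstream's `-I$(shell $(CC) --print-sysroot)/usr/include/openssl` with `-I$(SYSROOT)/usr/include/openssl` makes the include path depend on a variable that may be empty. If it is, the flag becomes `-I/usr/include/openssl` and the build host's OpenSSL headers are used without any diagnostic. Whether rules/ppp.make passes `SYSROOT` to this Makefile is not visible in the diff. The patch description should say why the sysroot reported by the compiler is not sufficient on 2.4.9, and a guard such as `$(if $(SYSROOT),,$(error SYSROOT is not set))` would make a missing value fail loudly.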
diff --git a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
similarity index 87%
rename from patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
rename to patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
index f57361a4c..590cf3ae4 100644
--- a/patches/ppp-2.4.7/0101-pppd-make-the-self-made-configure-cross-aware.patch
+++ b/patches/ppp-2.4.9/0201-pppd-make-the-self-made-configure-cross-aware.patch
@@ -11,11 +11,11 @@ Signed-off-by: Juergen Beisert <juergen@kreuzholzen.de>
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/configure b/configure
-index 6a55e0f08be4..3886564fa495 100755
+index b0c3d2b49122..4bc6a18fad32 100755
--- a/configure
+++ b/configure
-@@ -14,6 +14,16 @@ SYSCONF=/etc
- # fi
+@@ -15,6 +15,16 @@ release=`uname -r`
+ arch=`uname -m`
state="unknown"
+if [ -n $TARGET_OS ]; then
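Review bot: The test `if [ -n $TARGET_OS ]; then`, carried over unchanged from the 2.4.7 patch, is always true when `TARGET_OS` is unset or empty, because the unquoted expansion disappears and `[ -n ]` only tests the literal string `-n`. The cross branch is therefore taken even when no target OS was supplied, so configure may never fall back to the `uname` values shown just above. Quoting fixes it: `if [ -n "$TARGET_OS" ]; then`. The body of the conditional lies outside this hunk, so what it assigns in that case is not visible here.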
@@ -32,10 +32,10 @@ index 6a55e0f08be4..3886564fa495 100755
Linux)
makext="linux";
diff --git a/pppd/plugins/Makefile.linux b/pppd/plugins/Makefile.linux
-index bc29968d44c9..e010ad215981 100644
+index 6403e3d477e3..375be764e19a 100644
--- a/pppd/plugins/Makefile.linux
+++ b/pppd/plugins/Makefile.linux
-@@ -47,5 +47,5 @@ clean:
+@@ -49,5 +49,5 @@ clean:
for d in $(SUBDIRS); do $(MAKE) $(MFLAGS) -C $$d clean || exit $$?; done
depend:
diff --git a/patches/ppp-2.4.9/series b/patches/ppp-2.4.9/series
new file mode 100644
index 000000000..451b78c39
--- /dev/null
+++ b/patches/ppp-2.4.9/series
@@ -0,0 +1,22 @@
+# generated by git-ptx-patches
+#tag:base --start-number 1
+#tag:upstream --start-number 1
+0001-configure-Allow-commas-in-the-CFLAGS-220.patch
+0002-pppd-Fix-compilation-with-older-glibc-or-kernel-head.patch
+#tag:debian --start-number 100
+0100-chat_man.patch
+0101-pppdump_use_zlib.patch
+0102-pppoatm_resolver_light.patch
+0103-pppoe_noads.patch
+0104-011_scripts_redialer.diff.patch
+0105-ppp-2.3.11-oedod.dif.patch
+0106-010_scripts_README.diff.patch
+0107-no_crypt_hack.patch
+0108-resolv.conf_no_log.patch
+0109-zzz_config.patch
+0110-pppd-soname-hack.patch
+0111-replace-vendored-hash-functions.patch
+#tag:ptx --start-number 200
+0200-pppd-make-makefile-sysroot-aware.patch
+0201-pppd-make-the-self-made-configure-cross-aware.patch
+# e38c56d74de42a3accdc2bcd4125fd6e - git-ptx-patches magic
diff --git a/rules/ppp.make b/rules/ppp.make
index 8bfb88b55..932910c98 100644
--- a/rules/ppp.make
+++ b/rules/ppp.make
@@ -16,8 +16,8 @@ PACKAGES-$(PTXCONF_PPP) += ppp
#
# Paths and names
#
-PPP_VERSION := 2.4.7
-PPP_MD5 := 78818f40e6d33a1d1de68a1551f6595a
+PPP_VERSION := 2.4.9
+PPP_MD5 := c88153ae3d16ae114152cd3c15c7301d
PPP := ppp-$(PPP_VERSION)
PPP_SUFFIX := tar.gz
PPP_URL := http://ftp.samba.org/pub/ppp/$(PPP).$(PPP_SUFFIX)
@@ -55,7 +55,7 @@ PPP_SHARED_INST_PATH := /usr/lib/pppd/$(PPP_VERSION)
$(STATEDIR)/ppp.prepare:
@$(call targetinfo)
@cd $(PPP_DIR) && $(PPP_PATH) $(PPP_CONF_ENV) \
- ./configure --prefix=/usr --sysconfdir=/etc
+ ./configure --prefix=/usr --sysconfdir=/etc --cc=$(CROSS_CC)
@$(call disable_sh,$(PPP_DIR)/pppd/Makefile,USE_PAM=y)
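Review bot: The prepare stage disables only `USE_PAM=y`, but 0109-zzz_config.patch in this same commit now turns `SYSTEMD=y` on in pppd/Makefile.linux and nothing here turns it off for configurations without systemd. If that option links against systemd's library, as the Makefile comment about notifying systemd suggests, such builds would fail or gain an unintended dependency. Either add `@$(call disable_sh,$(PPP_DIR)/pppd/Makefile,SYSTEMD=y)` here, conditional on the systemd selection, or drop the `SYSTEMD=y` change from the imported patch. The rest of the prepare recipe lies outside the hunk.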
--
2.29.2