Merge lp:~frewq28/ubuntu/quantal/ppp/head into lp:ubuntu/raring/ppp
- Quantal (12.10)
- head
- Merge into raring
Status: | Superseded |
---|---|
Proposed branch: | lp:~frewq28/ubuntu/quantal/ppp/head |
Merge into: | lp:ubuntu/raring/ppp |
Diff against target: |
3033 lines (+2963/-1) (has conflicts) 5 files modified
debian/changelog (+10/-0) debian/control (+1/-1) debian/patches/ppp-2.4.5-eaptls-mppe-0.994.patch (+2922/-0) debian/patches/series (+1/-0) debian/patches/update_if_pppol2tp (+29/-0) Text conflict in debian/changelog Text conflict in debian/patches/update_if_pppol2tp |
To merge this branch: | bzr merge lp:~frewq28/ubuntu/quantal/ppp/head |
Related bugs: |
Reviewer | Review Type | Date Requested | Status |
---|---|---|---|
Benjamin Drung | Needs Fixing | ||
Ubuntu branches | Pending | ||
Review via email: mp+131289@code.launchpad.net |
This proposal has been superseded by a proposal from 2012-12-23.
Commit message
Description of the change
Integrated EAP-TLS patch and tested in Quantal with Aladdin eToken Pro 64k for PPTP VPN.
Pavel Plesov (frewq28) wrote : | # |
Pavel Plesov (frewq28) wrote : | # |
Patches in this merge request will help to close the bug: https:/
Benjamin Drung (bdrung) wrote : | # |
I like to see this big patch discussed with upstream first. I don't like to add a big maintenance burden. Is there a upstream bug report or discussion on a upstream mailing list? Can you add a DEP-3 header to the patch then?
There seems to be at least a few upstream commits this year [1].
Pavel Plesov (frewq28) wrote : | # |
Hi, Benjamin,
Here a results of a little research done by myself in July 2012:
https:/
Fedora have this patch since Fedora 12.
Here is response of EAPTLS patch merge request from Sergey Gridnev and answer of Debian package maintainer & maintainer of upstream ppp project at Samba (Marco d'Itri <email address hidden>) dated Wed, 2 Nov 2011 17:50:10 +0100:
http://
I am very new to ubuntu/debian patch submit process, could you look at headers below - are they ok ? Are they must be added to the head of debian/
Author: Jan Just Keijser <email address hidden>
Description: EAP-TLS patch for pppd (0.994)
Bug-Ubuntu: https:/
Bug-Debian: http://
But-Fedora: https:/
Origin: http://
Thank you in advance.
Benjamin Drung (bdrung) wrote : | # |
Hi Pavel,
the header look okay. The header (with an empty new line at the end) will be added to the beginning of the patch file.
Can you add a changelog entry explaining the changes and closing the bugs?
Pavel Plesov (frewq28) wrote : | # |
Hi, Benjamin,
I will be happy to add changelog entry, but I have no idea what to write instead of question marks below.
Current package version of ppp in Raring is 2.4.5-5.1ubuntu1.
=========
ppp (????) raring; urgency=???
* Closes LP: #643417. Merge EAPTLS-MPPE 0.994 patch from http://
* Add openssl as dependancy as required for EAPTLS-MPPE patch
-- Pavel Plesov <email address hidden> Mon, 03 Dec 2012 20:21:00 +0400
=========
Benjamin Drung (bdrung) wrote : | # |
You can use dch -i [1], which will increase the version from 2.4.5-5.1ubuntu1 to 2.4.5-5.1ubuntu2. The urgency is not used in Ubuntu and therefore it is always >low<.
The changelog entries normally close the bug at the end. Your first entry would normally look like:
* Merge EAPTLS-MPPE 0.994 patch from http://
(Closes: # 602503, LP: #643417)
I shortened the URL in this example to not exceed the 80 characters per line.
Feel free to join #ubuntu-devel on IRC if you have more questions or direct conversations with us.
[1] http://
- 32. By Pavel Plesov
-
Add DEP-3 headers to the ppp-2.4.
5-eaptls- mppe-0. 994.patch - 33. By Pavel Plesov
-
Add changelog entry for EAPTLS-MPPE patch
Unmerged revisions
Preview Diff
1 | === modified file 'debian/changelog' |
2 | --- debian/changelog 2012-12-02 03:57:07 +0000 |
3 | +++ debian/changelog 2012-12-23 19:15:25 +0000 |
4 | @@ -1,3 +1,4 @@ |
5 | +<<<<<<< TREE |
6 | ppp (2.4.5-5.1ubuntu1) raring; urgency=low |
7 | |
8 | [ Ubuntu Merge-o-Matic ] |
9 | @@ -29,6 +30,15 @@ |
10 | |
11 | -- Tim Gardner <tim.gardner@canonical.com> Tue, 25 Sep 2012 16:20:00 +0000 |
12 | |
13 | +======= |
14 | +ppp (2.4.5-5ubuntu2) UNRELEASED; urgency=low |
15 | + |
16 | + * Merge EAPTLS-MPPE 0.994 patch from http://www.nikhef.nl/~janjust/ppp/ |
17 | + (Closes: # 602503, LP: #643417) |
18 | + |
19 | + -- Pavel Plesov <pavel.plesov@gmail.com> Sun, 23 Dec 2012 23:11:19 +0400 |
20 | + |
21 | +>>>>>>> MERGE-SOURCE |
22 | ppp (2.4.5-5ubuntu1) natty; urgency=low |
23 | |
24 | * Merge from debian unstable. (LP: #712419) Remaining changes: |
25 | |
26 | === modified file 'debian/control' |
27 | --- debian/control 2012-12-02 03:57:07 +0000 |
28 | +++ debian/control 2012-12-23 19:15:25 +0000 |
29 | @@ -3,7 +3,7 @@ |
30 | Priority: optional |
31 | Maintainer: Ubuntu Core Developers <ubuntu-devel-discuss@lists.ubuntu.com> |
32 | XSBC-Original-Maintainer: Marco d'Itri <md@linux.it> |
33 | -Build-Depends: debhelper (>= 5), quilt (>= 0.40), libpcap0.8-dev, libpam0g-dev, zlib1g-dev |
34 | +Build-Depends: debhelper (>= 5), quilt (>= 0.40), libpcap0.8-dev, libpam0g-dev, libssl-dev, zlib1g-dev |
35 | Standards-Version: 3.9.1 |
36 | |
37 | Package: ppp |
38 | |
39 | === added file 'debian/patches/ppp-2.4.5-eaptls-mppe-0.994.patch' |
40 | --- debian/patches/ppp-2.4.5-eaptls-mppe-0.994.patch 1970-01-01 00:00:00 +0000 |
41 | +++ debian/patches/ppp-2.4.5-eaptls-mppe-0.994.patch 2012-12-23 19:15:25 +0000 |
42 | @@ -0,0 +1,2922 @@ |
43 | +Author: Jan Just Keijser <janjust@nikhef.nl> |
44 | +Description: EAP-TLS patch for pppd (0.994) |
45 | +Bug-Ubuntu: https://launchpad.net/bugs/643417 |
46 | +Bug-Debian: http://bugs.debian.org/602503 |
47 | +But-Fedora: https://bugzilla.redhat.com/556407 |
48 | +Origin: http://www.nikhef.nl/~janjust/ppp/download.html |
49 | + |
50 | +diff -Naur ppp-2.4.5/README.eap-tls ppp-2.4.5-eaptls-mppe-0.992/README.eap-tls |
51 | +--- ppp-2.4.5/README.eap-tls 1970-01-01 01:00:00.000000000 +0100 |
52 | ++++ ppp-2.4.5-eaptls-mppe-0.992/README.eap-tls 2011-12-01 15:14:39.020344767 +0100 |
53 | +@@ -0,0 +1,169 @@ |
54 | ++EAP-TLS authentication support for PPP |
55 | ++====================================== |
56 | ++ |
57 | ++1. Intro |
58 | ++ |
59 | ++ The Extensible Authentication Protocol (EAP; RFC 3748) is a |
60 | ++ security protocol that can be used with PPP. It provides a means |
61 | ++ to plug in multiple optional authentication methods. |
62 | ++ |
63 | ++ Transport Level Security (TLS; RFC 2246) provides for mutual |
64 | ++ authentication, integrity-protected ciphersuite negotiation and |
65 | ++ key exchange between two endpoints. It also provides for optional |
66 | ++ MPPE encryption. |
67 | ++ |
68 | ++ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets, |
69 | ++ allowing TLS mutual authentication to be used as a generic EAP |
70 | ++ mechanism. It also provides optional encryption using the MPPE |
71 | ++ protocol. |
72 | ++ |
73 | ++ This patch provide EAP-TLS support to pppd. |
74 | ++ This authentication method can be used in both client or server |
75 | ++ mode. |
76 | ++ |
77 | ++2. Building |
78 | ++ |
79 | ++ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org) |
80 | ++ is required. Any version from 0.9.7 should work. |
81 | ++ |
82 | ++ Configure, compile, and install as usual. |
83 | ++ |
84 | ++3. Configuration |
85 | ++ |
86 | ++ On the client side there are two ways to configure EAP-TLS: |
87 | ++ |
88 | ++ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters |
89 | ++ |
90 | ++ 2. edit the /etc/ppp/eaptls-client file. |
91 | ++ Insert a line for each system with which you use EAP-TLS. |
92 | ++ The line is composed of this fields separated by tab: |
93 | ++ |
94 | ++ - Client name |
95 | ++ The name used by the client for authentication, can be * |
96 | ++ - Server name |
97 | ++ The name of the server, can be * |
98 | ++ - Client certificate file |
99 | ++ The file containing the certificate chain for the |
100 | ++ client in PEM format |
101 | ++ - Server certificate file |
102 | ++ If you want to specify the certificate that the |
103 | ++ server is allowed to use, put the certificate file name. |
104 | ++ Else put a dash '-'. |
105 | ++ - CA certificate file |
106 | ++ The file containing the trusted CA certificates in PEM |
107 | ++ format. |
108 | ++ - Client private key file |
109 | ++ The file containing the client private key in PEM format. |
110 | ++ |
111 | ++ |
112 | ++ On the server side edit the /etc/ppp/eaptls-server file. |
113 | ++ Insert a line for each system with which you use EAP-TLS. |
114 | ++ The line is composed of this fields separated by tab: |
115 | ++ |
116 | ++ - Client name |
117 | ++ The name used by the client for authentication, can be * |
118 | ++ - Server name |
119 | ++ The name of the server, can be * |
120 | ++ - Client certificate file |
121 | ++ If you want to specify the certificate that the |
122 | ++ client is allowed to use, put the certificate file name. |
123 | ++ Else put a dash '-'. |
124 | ++ - Server certificate file |
125 | ++ The file containing the certificate chain for the |
126 | ++ server in PEM format |
127 | ++ - CA certificate file |
128 | ++ The file containing the trusted CA certificates in PEM |
129 | ++ format. |
130 | ++ - Client private key file |
131 | ++ The file containing the server private key in PEM format. |
132 | ++ - addresses |
133 | ++ A list of IP addresses the client is allowed to use. |
134 | ++ |
135 | ++ |
136 | ++ OpenSSL engine support is included starting with v0.95 of this patch. |
137 | ++ Currently the only engine tested is the 'pkcs11' engine (hardware token |
138 | ++ support). To use the 'pksc11' engine: |
139 | ++ - Use a special private key fileiname in the /etc/ppp/eaptls-client file: |
140 | ++ <engine>:<identifier> |
141 | ++ e.g. |
142 | ++ pkcs11:123456 |
143 | ++ |
144 | ++ - The certificate can also be loaded from the 'pkcs11' engine using |
145 | ++ a special client certificate filename in the /etc/ppp/eaptls-client file: |
146 | ++ <engine>:<identifier> |
147 | ++ e.g. |
148 | ++ pkcs11:123456 |
149 | ++ |
150 | ++ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior |
151 | ++ to starting 'pppd'. A sample openssl.cnf file is |
152 | ++ |
153 | ++ openssl_conf = openssl_def |
154 | ++ |
155 | ++ [ openssl_def ] |
156 | ++ engines = engine_section |
157 | ++ |
158 | ++ [ engine_section ] |
159 | ++ pkcs11 = pkcs11_section |
160 | ++ |
161 | ++ [ pkcs11_section ] |
162 | ++ engine_id = pkcs11 |
163 | ++ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so |
164 | ++ MODULE_PATH = /usr/lib64/libeTPkcs11.so |
165 | ++ init = 0 |
166 | ++ |
167 | ++ - There are two ways to specify a password/PIN for the PKCS11 engine: |
168 | ++ - inside the openssl.cnf file using |
169 | ++ PIN = your-secret-pin |
170 | ++ Note The keyword 'PIN' is case sensitive! |
171 | ++ - Using the 'password' in the ppp options file. |
172 | ++ From v0.97 of the eap-tls patch the password can also be supplied |
173 | ++ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c |
174 | ++ for an example). |
175 | ++ |
176 | ++ |
177 | ++4. Options |
178 | ++ |
179 | ++ These pppd options are available: |
180 | ++ |
181 | ++ ca <ca-file> |
182 | ++ Use the CA public certificate found in <ca-file> in PEM format |
183 | ++ cert <cert-file> |
184 | ++ Use the client public certificate found in <cert-file> in PEM format |
185 | ++ or in engine:engine_id format |
186 | ++ key <key-file> |
187 | ++ Use the client private key found in <key-file> in PEM format |
188 | ++ or in engine:engine_id format |
189 | ++ crl-dir <dir> |
190 | ++ Use CRL files from dir. It contains CRL files in PEM |
191 | ++ format and each file contains a CRL. The files are looked up |
192 | ++ by the issuer name hash value. Use the c_rehash utility |
193 | ++ to create necessary links. |
194 | ++ need-peer-eap |
195 | ++ If the peer doesn't ask us to authenticate or doesn't use eap |
196 | ++ to authenticate us, disconnect. |
197 | ++ |
198 | ++ Note: |
199 | ++ password-encrypted certificates can be used as of v0.94 of this |
200 | ++ patch. The password for the eap-tls.key file is specified using |
201 | ++ the regular |
202 | ++ password .... |
203 | ++ statement in the ppp options file, or by using the appropriate |
204 | ++ plugin which supplies a 'eaptls_passwd_hook' routine. |
205 | ++ |
206 | ++5. Connecting |
207 | ++ |
208 | ++ If you're setting up a pppd server, edit the EAP-TLS configuration file |
209 | ++ as written above and then run pppd with the 'auth' option to authenticate |
210 | ++ the client. The EAP-TLS method will be used if the other eap methods can't |
211 | ++ be used (no secrets). |
212 | ++ |
213 | ++ If you're setting up a client, edit the configuration file and then run |
214 | ++ pppd with 'remotename' option to specify the server name. Add the |
215 | ++ 'need-peer-eap' option if you want to be sure the peer ask you to |
216 | ++ authenticate (and to use eap) and to disconnect if it doesn't. |
217 | ++ |
218 | ++6. Notes |
219 | ++ |
220 | ++ This is experimental code. |
221 | ++ Send suggestions and comments to Jan Just Keijser <janjust@nikhef.nl> |
222 | ++ |
223 | +diff -Naur ppp-2.4.5/etc.ppp/eaptls-client ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/eaptls-client |
224 | +--- ppp-2.4.5/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100 |
225 | ++++ ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/eaptls-client 2011-12-01 15:14:39.030346052 +0100 |
226 | +@@ -0,0 +1,10 @@ |
227 | ++# Parameters for authentication using EAP-TLS (client) |
228 | ++ |
229 | ++# client name (can be *) |
230 | ++# server name (can be *) |
231 | ++# client certificate file (required) |
232 | ++# server certificate file (optional, if unused put '-') |
233 | ++# CA certificate file (required) |
234 | ++# client private key file (required) |
235 | ++ |
236 | ++#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key |
237 | +diff -Naur ppp-2.4.5/etc.ppp/eaptls-server ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/eaptls-server |
238 | +--- ppp-2.4.5/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100 |
239 | ++++ ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/eaptls-server 2011-12-01 15:14:39.038347081 +0100 |
240 | +@@ -0,0 +1,11 @@ |
241 | ++# Parameters for authentication using EAP-TLS (server) |
242 | ++ |
243 | ++# client name (can be *) |
244 | ++# server name (can be *) |
245 | ++# client certificate file (optional, if unused put '-') |
246 | ++# server certificate file (required) |
247 | ++# CA certificate file (required) |
248 | ++# server private key file (required) |
249 | ++# allowed addresses (required, can be *) |
250 | ++ |
251 | ++#client server - /root/cert/server.crt /root/cert/ca.crt /root/cert/server.key 192.168.1.0/24 |
252 | +diff -Naur ppp-2.4.5/etc.ppp/openssl.cnf ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/openssl.cnf |
253 | +--- ppp-2.4.5/etc.ppp/openssl.cnf 1970-01-01 01:00:00.000000000 +0100 |
254 | ++++ ppp-2.4.5-eaptls-mppe-0.992/etc.ppp/openssl.cnf 2011-12-01 15:14:39.038347081 +0100 |
255 | +@@ -0,0 +1,14 @@ |
256 | ++openssl_conf = openssl_def |
257 | ++ |
258 | ++[ openssl_def ] |
259 | ++engines = engine_section |
260 | ++ |
261 | ++[ engine_section ] |
262 | ++pkcs11 = pkcs11_section |
263 | ++ |
264 | ++[ pkcs11_section ] |
265 | ++engine_id = pkcs11 |
266 | ++dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so |
267 | ++MODULE_PATH = /usr/lib64/libeTPkcs11.so |
268 | ++init = 0 |
269 | ++ |
270 | +diff -Naur ppp-2.4.5/linux/Makefile.top ppp-2.4.5-eaptls-mppe-0.992/linux/Makefile.top |
271 | +--- ppp-2.4.5/linux/Makefile.top 2009-11-16 23:26:07.000000000 +0100 |
272 | ++++ ppp-2.4.5-eaptls-mppe-0.992/linux/Makefile.top 2011-12-01 15:14:39.046348110 +0100 |
273 | +@@ -26,7 +26,7 @@ |
274 | + cd pppdump; $(MAKE) $(MFLAGS) install |
275 | + |
276 | + install-etcppp: $(ETCDIR) $(ETCDIR)/options $(ETCDIR)/pap-secrets \ |
277 | +- $(ETCDIR)/chap-secrets |
278 | ++ $(ETCDIR)/chap-secrets $(ETCDIR)/eaptls-server $(ETCDIR)/eaptls-client |
279 | + |
280 | + install-devel: |
281 | + cd pppd; $(MAKE) $(MFLAGS) install-devel |
282 | +@@ -37,6 +37,10 @@ |
283 | + $(INSTALL) -c -m 600 etc.ppp/pap-secrets $@ |
284 | + $(ETCDIR)/chap-secrets: |
285 | + $(INSTALL) -c -m 600 etc.ppp/chap-secrets $@ |
286 | ++$(ETCDIR)/eaptls-server: |
287 | ++ $(INSTALL) -c -m 600 etc.ppp/eaptls-server $@ |
288 | ++$(ETCDIR)/eaptls-client: |
289 | ++ $(INSTALL) -c -m 600 etc.ppp/eaptls-client $@ |
290 | + |
291 | + $(BINDIR): |
292 | + $(INSTALL) -d -m 755 $@ |
293 | +diff -Naur ppp-2.4.5/pppd/Makefile.linux ppp-2.4.5-eaptls-mppe-0.992/pppd/Makefile.linux |
294 | +--- ppp-2.4.5/pppd/Makefile.linux 2009-11-16 23:26:07.000000000 +0100 |
295 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/Makefile.linux 2011-12-01 15:14:39.060349910 +0100 |
296 | +@@ -73,6 +73,9 @@ |
297 | + # Enable EAP SRP-SHA1 authentication (requires libsrp) |
298 | + #USE_SRP=y |
299 | + |
300 | ++# Enable EAP-TLS authentication (requires libssl and libcrypto) |
301 | ++USE_EAPTLS=y |
302 | ++ |
303 | + MAXOCTETS=y |
304 | + |
305 | + INCLUDE_DIRS= -I../include |
306 | +@@ -112,6 +115,15 @@ |
307 | + PPPDOBJS += sha1.o |
308 | + endif |
309 | + |
310 | ++# EAP-TLS |
311 | ++ifdef USE_EAPTLS |
312 | ++COMPILE_FLAGS += -DUSE_EAPTLS=1 -I/usr/kerberos/include |
313 | ++LIBS += -lssl -lcrypto |
314 | ++PPPDSRC += eap-tls.c |
315 | ++HEADERS += eap-tls.h |
316 | ++PPPDOBJS += eap-tls.o |
317 | ++endif |
318 | ++ |
319 | + ifdef HAS_SHADOW |
320 | + CFLAGS += -DHAS_SHADOW |
321 | + #LIBS += -lshadow $(LIBS) |
322 | +diff -Naur ppp-2.4.5/pppd/auth.c ppp-2.4.5-eaptls-mppe-0.992/pppd/auth.c |
323 | +--- ppp-2.4.5/pppd/auth.c 2009-11-16 23:26:07.000000000 +0100 |
324 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/auth.c 2011-12-01 15:14:39.069351068 +0100 |
325 | +@@ -109,6 +109,9 @@ |
326 | + #include "upap.h" |
327 | + #include "chap-new.h" |
328 | + #include "eap.h" |
329 | ++#ifdef USE_EAPTLS |
330 | ++#include "eap-tls.h" |
331 | ++#endif |
332 | + #ifdef CBCP_SUPPORT |
333 | + #include "cbcp.h" |
334 | + #endif |
335 | +@@ -183,6 +186,11 @@ |
336 | + /* Hook for a plugin to get the CHAP password for authenticating us */ |
337 | + int (*chap_passwd_hook) __P((char *user, char *passwd)) = NULL; |
338 | + |
339 | ++#ifdef USE_EAPTLS |
340 | ++/* Hook for a plugin to get the EAP-TLS password for authenticating us */ |
341 | ++int (*eaptls_passwd_hook) __P((char *user, char *passwd)) = NULL; |
342 | ++#endif |
343 | ++ |
344 | + /* Hook for a plugin to say whether it is OK if the peer |
345 | + refuses to authenticate. */ |
346 | + int (*null_auth_hook) __P((struct wordlist **paddrs, |
347 | +@@ -238,6 +246,13 @@ |
348 | + bool explicit_user = 0; /* Set if "user" option supplied */ |
349 | + bool explicit_passwd = 0; /* Set if "password" option supplied */ |
350 | + char remote_name[MAXNAMELEN]; /* Peer's name for authentication */ |
351 | ++#ifdef USE_EAPTLS |
352 | ++char *cacert_file = NULL; /* CA certificate file (pem format) */ |
353 | ++char *cert_file = NULL; /* client certificate file (pem format) */ |
354 | ++char *privkey_file = NULL; /* client private key file (pem format) */ |
355 | ++char *crl_dir = NULL; /* directory containing CRL files */ |
356 | ++bool need_peer_eap = 0; /* Require peer to authenticate us */ |
357 | ++#endif |
358 | + |
359 | + static char *uafname; /* name of most recent +ua file */ |
360 | + |
361 | +@@ -254,6 +269,19 @@ |
362 | + static int have_chap_secret __P((char *, char *, int, int *)); |
363 | + static int have_srp_secret __P((char *client, char *server, int need_ip, |
364 | + int *lacks_ipp)); |
365 | ++ |
366 | ++#ifdef USE_EAPTLS |
367 | ++static int have_eaptls_secret_server |
368 | ++__P((char *client, char *server, int need_ip, int *lacks_ipp)); |
369 | ++static int have_eaptls_secret_client __P((char *client, char *server)); |
370 | ++static int scan_authfile_eaptls __P((FILE * f, char *client, char *server, |
371 | ++ char *cli_cert, char *serv_cert, |
372 | ++ char *ca_cert, char *pk, |
373 | ++ struct wordlist ** addrs, |
374 | ++ struct wordlist ** opts, |
375 | ++ char *filename, int flags)); |
376 | ++#endif |
377 | ++ |
378 | + static int ip_addr_check __P((u_int32_t, struct permitted_ip *)); |
379 | + static int scan_authfile __P((FILE *, char *, char *, char *, |
380 | + struct wordlist **, struct wordlist **, |
381 | +@@ -401,6 +429,14 @@ |
382 | + "Set telephone number(s) which are allowed to connect", |
383 | + OPT_PRIV | OPT_A2LIST }, |
384 | + |
385 | ++#ifdef USE_EAPTLS |
386 | ++ { "ca", o_string, &cacert_file, "EAP-TLS CA certificate in PEM format" }, |
387 | ++ { "cert", o_string, &cert_file, "EAP-TLS client certificate in PEM format" }, |
388 | ++ { "key", o_string, &privkey_file, "EAP-TLS client private key in PEM format" }, |
389 | ++ { "crl-dir", o_string, &crl_dir, "Use CRLs in directory" }, |
390 | ++ { "need-peer-eap", o_bool, &need_peer_eap, |
391 | ++ "Require the peer to authenticate us", 1 }, |
392 | ++#endif /* USE_EAPTLS */ |
393 | + { NULL } |
394 | + }; |
395 | + |
396 | +@@ -731,6 +767,9 @@ |
397 | + lcp_options *wo = &lcp_wantoptions[unit]; |
398 | + lcp_options *go = &lcp_gotoptions[unit]; |
399 | + lcp_options *ho = &lcp_hisoptions[unit]; |
400 | ++#ifdef USE_EAPTLS |
401 | ++ lcp_options *ao = &lcp_allowoptions[unit]; |
402 | ++#endif |
403 | + int i; |
404 | + struct protent *protp; |
405 | + |
406 | +@@ -765,6 +804,22 @@ |
407 | + } |
408 | + } |
409 | + |
410 | ++#ifdef USE_EAPTLS |
411 | ++ if (need_peer_eap && !ao->neg_eap) { |
412 | ++ warn("eap required to authenticate us but no suitable secrets"); |
413 | ++ lcp_close(unit, "couldn't negotiate eap"); |
414 | ++ status = EXIT_AUTH_TOPEER_FAILED; |
415 | ++ return; |
416 | ++ } |
417 | ++ |
418 | ++ if (need_peer_eap && !ho->neg_eap) { |
419 | ++ warn("peer doesn't want to authenticate us with eap"); |
420 | ++ lcp_close(unit, "couldn't negotiate eap"); |
421 | ++ status = EXIT_PEER_AUTH_FAILED; |
422 | ++ return; |
423 | ++ } |
424 | ++#endif |
425 | ++ |
426 | + new_phase(PHASE_AUTHENTICATE); |
427 | + auth = 0; |
428 | + if (go->neg_eap) { |
429 | +@@ -1278,6 +1333,15 @@ |
430 | + our_name, 1, &lacks_ip); |
431 | + } |
432 | + |
433 | ++#ifdef USE_EAPTLS |
434 | ++ if (!can_auth && wo->neg_eap) { |
435 | ++ can_auth = |
436 | ++ have_eaptls_secret_server((explicit_remote ? remote_name : |
437 | ++ NULL), our_name, 1, &lacks_ip); |
438 | ++ |
439 | ++ } |
440 | ++#endif |
441 | ++ |
442 | + if (auth_required && !can_auth && noauth_addrs == NULL) { |
443 | + if (default_auth) { |
444 | + option_error( |
445 | +@@ -1332,7 +1396,11 @@ |
446 | + passwd[0] != 0 || |
447 | + (hadchap == 1 || (hadchap == -1 && have_chap_secret(user, |
448 | + (explicit_remote? remote_name: NULL), 0, NULL))) || |
449 | +- have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL)); |
450 | ++ have_srp_secret(user, (explicit_remote? remote_name: NULL), 0, NULL) |
451 | ++#ifdef USE_EAPTLS |
452 | ++ || have_eaptls_secret_client(user, (explicit_remote? remote_name: NULL)) |
453 | ++#endif |
454 | ++ ); |
455 | + |
456 | + hadchap = -1; |
457 | + if (go->neg_upap && !uselogin && !have_pap_secret(NULL)) |
458 | +@@ -1347,8 +1415,14 @@ |
459 | + !have_chap_secret((explicit_remote? remote_name: NULL), our_name, |
460 | + 1, NULL))) && |
461 | + !have_srp_secret((explicit_remote? remote_name: NULL), our_name, 1, |
462 | +- NULL)) |
463 | ++ NULL) |
464 | ++#ifdef USE_EAPTLS |
465 | ++ && !have_eaptls_secret_server((explicit_remote? remote_name: NULL), |
466 | ++ our_name, 1, NULL) |
467 | ++#endif |
468 | ++ ) |
469 | + go->neg_eap = 0; |
470 | ++ |
471 | + } |
472 | + |
473 | + |
474 | +@@ -1706,6 +1780,7 @@ |
475 | + } |
476 | + |
477 | + |
478 | ++ |
479 | + /* |
480 | + * get_secret - open the CHAP secret file and return the secret |
481 | + * for authenticating the given client on the given server. |
482 | +@@ -2358,3 +2433,335 @@ |
483 | + |
484 | + auth_script_pid = run_program(script, argv, 0, auth_script_done, NULL, 0); |
485 | + } |
486 | ++ |
487 | ++ |
488 | ++#ifdef USE_EAPTLS |
489 | ++static int |
490 | ++have_eaptls_secret_server(client, server, need_ip, lacks_ipp) |
491 | ++ char *client; |
492 | ++ char *server; |
493 | ++ int need_ip; |
494 | ++ int *lacks_ipp; |
495 | ++{ |
496 | ++ FILE *f; |
497 | ++ int ret; |
498 | ++ char *filename; |
499 | ++ struct wordlist *addrs; |
500 | ++ char servcertfile[MAXWORDLEN]; |
501 | ++ char clicertfile[MAXWORDLEN]; |
502 | ++ char cacertfile[MAXWORDLEN]; |
503 | ++ char pkfile[MAXWORDLEN]; |
504 | ++ |
505 | ++ filename = _PATH_EAPTLSSERVFILE; |
506 | ++ f = fopen(filename, "r"); |
507 | ++ if (f == NULL) |
508 | ++ return 0; |
509 | ++ |
510 | ++ if (client != NULL && client[0] == 0) |
511 | ++ client = NULL; |
512 | ++ else if (server != NULL && server[0] == 0) |
513 | ++ server = NULL; |
514 | ++ |
515 | ++ ret = |
516 | ++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, |
517 | ++ cacertfile, pkfile, &addrs, NULL, filename, |
518 | ++ 0); |
519 | ++ |
520 | ++ fclose(f); |
521 | ++ |
522 | ++/* |
523 | ++ if (ret >= 0 && !eaptls_init_ssl(1, cacertfile, servcertfile, |
524 | ++ clicertfile, pkfile)) |
525 | ++ ret = -1; |
526 | ++*/ |
527 | ++ |
528 | ++ if (ret >= 0 && need_ip && !some_ip_ok(addrs)) { |
529 | ++ if (lacks_ipp != 0) |
530 | ++ *lacks_ipp = 1; |
531 | ++ ret = -1; |
532 | ++ } |
533 | ++ if (addrs != 0) |
534 | ++ free_wordlist(addrs); |
535 | ++ |
536 | ++ return ret >= 0; |
537 | ++} |
538 | ++ |
539 | ++ |
540 | ++static int |
541 | ++have_eaptls_secret_client(client, server) |
542 | ++ char *client; |
543 | ++ char *server; |
544 | ++{ |
545 | ++ FILE *f; |
546 | ++ int ret; |
547 | ++ char *filename; |
548 | ++ struct wordlist *addrs = NULL; |
549 | ++ char servcertfile[MAXWORDLEN]; |
550 | ++ char clicertfile[MAXWORDLEN]; |
551 | ++ char cacertfile[MAXWORDLEN]; |
552 | ++ char pkfile[MAXWORDLEN]; |
553 | ++ |
554 | ++ if (client != NULL && client[0] == 0) |
555 | ++ client = NULL; |
556 | ++ else if (server != NULL && server[0] == 0) |
557 | ++ server = NULL; |
558 | ++ |
559 | ++ if (cacert_file && cert_file && privkey_file) |
560 | ++ return 1; |
561 | ++ |
562 | ++ filename = _PATH_EAPTLSCLIFILE; |
563 | ++ f = fopen(filename, "r"); |
564 | ++ if (f == NULL) |
565 | ++ return 0; |
566 | ++ |
567 | ++ ret = |
568 | ++ scan_authfile_eaptls(f, client, server, clicertfile, servcertfile, |
569 | ++ cacertfile, pkfile, &addrs, NULL, filename, |
570 | ++ 0); |
571 | ++ fclose(f); |
572 | ++ |
573 | ++/* |
574 | ++ if (ret >= 0 && !eaptls_init_ssl(0, cacertfile, clicertfile, |
575 | ++ servcertfile, pkfile)) |
576 | ++ ret = -1; |
577 | ++*/ |
578 | ++ |
579 | ++ if (addrs != 0) |
580 | ++ free_wordlist(addrs); |
581 | ++ |
582 | ++ return ret >= 0; |
583 | ++} |
584 | ++ |
585 | ++ |
586 | ++static int |
587 | ++scan_authfile_eaptls(f, client, server, cli_cert, serv_cert, ca_cert, pk, |
588 | ++ addrs, opts, filename, flags) |
589 | ++ FILE *f; |
590 | ++ char *client; |
591 | ++ char *server; |
592 | ++ char *cli_cert; |
593 | ++ char *serv_cert; |
594 | ++ char *ca_cert; |
595 | ++ char *pk; |
596 | ++ struct wordlist **addrs; |
597 | ++ struct wordlist **opts; |
598 | ++ char *filename; |
599 | ++ int flags; |
600 | ++{ |
601 | ++ int newline; |
602 | ++ int got_flag, best_flag; |
603 | ++ struct wordlist *ap, *addr_list, *alist, **app; |
604 | ++ char word[MAXWORDLEN]; |
605 | ++ |
606 | ++ if (addrs != NULL) |
607 | ++ *addrs = NULL; |
608 | ++ if (opts != NULL) |
609 | ++ *opts = NULL; |
610 | ++ addr_list = NULL; |
611 | ++ if (!getword(f, word, &newline, filename)) |
612 | ++ return -1; /* file is empty??? */ |
613 | ++ newline = 1; |
614 | ++ best_flag = -1; |
615 | ++ for (;;) { |
616 | ++ /* |
617 | ++ * Skip until we find a word at the start of a line. |
618 | ++ */ |
619 | ++ while (!newline && getword(f, word, &newline, filename)); |
620 | ++ if (!newline) |
621 | ++ break; /* got to end of file */ |
622 | ++ |
623 | ++ /* |
624 | ++ * Got a client - check if it's a match or a wildcard. |
625 | ++ */ |
626 | ++ got_flag = 0; |
627 | ++ if (client != NULL && strcmp(word, client) != 0 && !ISWILD(word)) { |
628 | ++ newline = 0; |
629 | ++ continue; |
630 | ++ } |
631 | ++ if (!ISWILD(word)) |
632 | ++ got_flag = NONWILD_CLIENT; |
633 | ++ |
634 | ++ /* |
635 | ++ * Now get a server and check if it matches. |
636 | ++ */ |
637 | ++ if (!getword(f, word, &newline, filename)) |
638 | ++ break; |
639 | ++ if (newline) |
640 | ++ continue; |
641 | ++ if (!ISWILD(word)) { |
642 | ++ if (server != NULL && strcmp(word, server) != 0) |
643 | ++ continue; |
644 | ++ got_flag |= NONWILD_SERVER; |
645 | ++ } |
646 | ++ |
647 | ++ /* |
648 | ++ * Got some sort of a match - see if it's better than what |
649 | ++ * we have already. |
650 | ++ */ |
651 | ++ if (got_flag <= best_flag) |
652 | ++ continue; |
653 | ++ |
654 | ++ /* |
655 | ++ * Get the cli_cert |
656 | ++ */ |
657 | ++ if (!getword(f, word, &newline, filename)) |
658 | ++ break; |
659 | ++ if (newline) |
660 | ++ continue; |
661 | ++ if (strcmp(word, "-") != 0) { |
662 | ++ strlcpy(cli_cert, word, MAXWORDLEN); |
663 | ++ } else |
664 | ++ cli_cert[0] = 0; |
665 | ++ |
666 | ++ /* |
667 | ++ * Get serv_cert |
668 | ++ */ |
669 | ++ if (!getword(f, word, &newline, filename)) |
670 | ++ break; |
671 | ++ if (newline) |
672 | ++ continue; |
673 | ++ if (strcmp(word, "-") != 0) { |
674 | ++ strlcpy(serv_cert, word, MAXWORDLEN); |
675 | ++ } else |
676 | ++ serv_cert[0] = 0; |
677 | ++ |
678 | ++ /* |
679 | ++ * Get ca_cert |
680 | ++ */ |
681 | ++ if (!getword(f, word, &newline, filename)) |
682 | ++ break; |
683 | ++ if (newline) |
684 | ++ continue; |
685 | ++ strlcpy(ca_cert, word, MAXWORDLEN); |
686 | ++ |
687 | ++ /* |
688 | ++ * Get pk |
689 | ++ */ |
690 | ++ if (!getword(f, word, &newline, filename)) |
691 | ++ break; |
692 | ++ if (newline) |
693 | ++ continue; |
694 | ++ strlcpy(pk, word, MAXWORDLEN); |
695 | ++ |
696 | ++ |
697 | ++ /* |
698 | ++ * Now read address authorization info and make a wordlist. |
699 | ++ */ |
700 | ++ app = &alist; |
701 | ++ for (;;) { |
702 | ++ if (!getword(f, word, &newline, filename) || newline) |
703 | ++ break; |
704 | ++ ap = (struct wordlist *) |
705 | ++ malloc(sizeof(struct wordlist) + strlen(word) + 1); |
706 | ++ if (ap == NULL) |
707 | ++ novm("authorized addresses"); |
708 | ++ ap->word = (char *) (ap + 1); |
709 | ++ strcpy(ap->word, word); |
710 | ++ *app = ap; |
711 | ++ app = &ap->next; |
712 | ++ } |
713 | ++ *app = NULL; |
714 | ++ /* |
715 | ++ * This is the best so far; remember it. |
716 | ++ */ |
717 | ++ best_flag = got_flag; |
718 | ++ if (addr_list) |
719 | ++ free_wordlist(addr_list); |
720 | ++ addr_list = alist; |
721 | ++ |
722 | ++ if (!newline) |
723 | ++ break; |
724 | ++ } |
725 | ++ |
726 | ++ /* scan for a -- word indicating the start of options */ |
727 | ++ for (app = &addr_list; (ap = *app) != NULL; app = &ap->next) |
728 | ++ if (strcmp(ap->word, "--") == 0) |
729 | ++ break; |
730 | ++ /* ap = start of options */ |
731 | ++ if (ap != NULL) { |
732 | ++ ap = ap->next; /* first option */ |
733 | ++ free(*app); /* free the "--" word */ |
734 | ++ *app = NULL; /* terminate addr list */ |
735 | ++ } |
736 | ++ if (opts != NULL) |
737 | ++ *opts = ap; |
738 | ++ else if (ap != NULL) |
739 | ++ free_wordlist(ap); |
740 | ++ if (addrs != NULL) |
741 | ++ *addrs = addr_list; |
742 | ++ else if (addr_list != NULL) |
743 | ++ free_wordlist(addr_list); |
744 | ++ |
745 | ++ return best_flag; |
746 | ++} |
747 | ++ |
748 | ++ |
749 | ++int |
750 | ++get_eaptls_secret(unit, client, server, clicertfile, servcertfile, |
751 | ++ cacertfile, pkfile, am_server) |
752 | ++ int unit; |
753 | ++ char *client; |
754 | ++ char *server; |
755 | ++ char *clicertfile; |
756 | ++ char *servcertfile; |
757 | ++ char *cacertfile; |
758 | ++ char *pkfile; |
759 | ++ int am_server; |
760 | ++{ |
761 | ++ FILE *fp; |
762 | ++ int ret; |
763 | ++ char *filename = NULL; |
764 | ++ struct wordlist *addrs = NULL; |
765 | ++ struct wordlist *opts = NULL; |
766 | ++ |
767 | ++ /* in client mode the ca+cert+privkey can also be specified as options */ |
768 | ++ if (!am_server && cacert_file && cert_file && privkey_file ) |
769 | ++ { |
770 | ++ strlcpy( clicertfile, cert_file, MAXWORDLEN ); |
771 | ++ strlcpy( cacertfile, cacert_file, MAXWORDLEN ); |
772 | ++ strlcpy( pkfile, privkey_file, MAXWORDLEN ); |
773 | ++ servcertfile[0] = '\0'; |
774 | ++ } |
775 | ++ else |
776 | ++ { |
777 | ++ filename = (am_server ? _PATH_EAPTLSSERVFILE : _PATH_EAPTLSCLIFILE); |
778 | ++ addrs = NULL; |
779 | ++ |
780 | ++ fp = fopen(filename, "r"); |
781 | ++ if (fp == NULL) |
782 | ++ { |
783 | ++ error("Can't open eap-tls secret file %s: %m", filename); |
784 | ++ return 0; |
785 | ++ } |
786 | ++ |
787 | ++ check_access(fp, filename); |
788 | ++ |
789 | ++ ret = scan_authfile_eaptls(fp, client, server, clicertfile, servcertfile, |
790 | ++ cacertfile, pkfile, &addrs, &opts, filename, 0); |
791 | ++ |
792 | ++ fclose(fp); |
793 | ++ |
794 | ++ if (ret < 0) return 0; |
795 | ++ } |
796 | ++ |
797 | ++ if (eaptls_passwd_hook) |
798 | ++ { |
799 | ++ dbglog( "Calling eaptls password hook" ); |
800 | ++ if ( (*eaptls_passwd_hook)(pkfile, passwd) < 0) |
801 | ++ { |
802 | ++ error("Unable to obtain EAP-TLS password for %s (%s) from plugin", |
803 | ++ client, pkfile); |
804 | ++ return 0; |
805 | ++ } |
806 | ++ } |
807 | ++ if (am_server) |
808 | ++ set_allowed_addrs(unit, addrs, opts); |
809 | ++ else if (opts != NULL) |
810 | ++ free_wordlist(opts); |
811 | ++ if (addrs != NULL) |
812 | ++ free_wordlist(addrs); |
813 | ++ |
814 | ++ return 1; |
815 | ++} |
816 | ++#endif |
817 | ++ |
818 | +diff -Naur ppp-2.4.5/pppd/ccp.c ppp-2.4.5-eaptls-mppe-0.992/pppd/ccp.c |
819 | +--- ppp-2.4.5/pppd/ccp.c 2009-11-16 23:26:07.000000000 +0100 |
820 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/ccp.c 2011-12-01 15:14:39.078352226 +0100 |
821 | +@@ -540,6 +540,9 @@ |
822 | + if (go->mppe) { |
823 | + ccp_options *ao = &ccp_allowoptions[f->unit]; |
824 | + int auth_mschap_bits = auth_done[f->unit]; |
825 | ++#ifdef USE_EAPTLS |
826 | ++ int auth_eap_bits = auth_done[f->unit]; |
827 | ++#endif |
828 | + int numbits; |
829 | + |
830 | + /* |
831 | +@@ -567,8 +570,23 @@ |
832 | + lcp_close(f->unit, "MPPE required but not available"); |
833 | + return; |
834 | + } |
835 | ++ |
836 | ++#ifdef USE_EAPTLS |
837 | ++ /* |
838 | ++ * MPPE is also possible in combination with EAP-TLS. |
839 | ++ * It is not possible to detect if we're doing EAP or EAP-TLS |
840 | ++ * at this stage, hence we accept all forms of EAP. If TLS is |
841 | ++ * not used then the MPPE keys will not be derived anyway. |
842 | ++ */ |
843 | ++ /* Leave only the eap auth bits set */ |
844 | ++ auth_eap_bits &= (EAP_WITHPEER | EAP_PEER ); |
845 | ++ |
846 | ++ if ((numbits == 0) && (auth_eap_bits == 0)) { |
847 | ++ error("MPPE required, but MS-CHAP[v2] nor EAP-TLS auth are performed."); |
848 | ++#else |
849 | + if (!numbits) { |
850 | +- error("MPPE required, but MS-CHAP[v2] auth not performed."); |
851 | ++ error("MPPE required, but MS-CHAP[v2] auth not performed."); |
852 | ++#endif |
853 | + lcp_close(f->unit, "MPPE required but not available"); |
854 | + return; |
855 | + } |
856 | +diff -Naur ppp-2.4.5/pppd/chap-md5.c ppp-2.4.5-eaptls-mppe-0.992/pppd/chap-md5.c |
857 | +--- ppp-2.4.5/pppd/chap-md5.c 2009-11-16 23:26:07.000000000 +0100 |
858 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/chap-md5.c 2011-12-01 15:14:39.079352354 +0100 |
859 | +@@ -36,7 +36,11 @@ |
860 | + #include "chap-new.h" |
861 | + #include "chap-md5.h" |
862 | + #include "magic.h" |
863 | ++#ifdef USE_EAPTLS |
864 | ++#include "eap-tls.h" |
865 | ++#else |
866 | + #include "md5.h" |
867 | ++#endif /* USE_EAPTLS */ |
868 | + |
869 | + #define MD5_HASH_SIZE 16 |
870 | + #define MD5_MIN_CHALLENGE 16 |
871 | +diff -Naur ppp-2.4.5/pppd/eap-tls.c ppp-2.4.5-eaptls-mppe-0.992/pppd/eap-tls.c |
872 | +--- ppp-2.4.5/pppd/eap-tls.c 1970-01-01 01:00:00.000000000 +0100 |
873 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/eap-tls.c 2011-12-01 15:14:39.080352482 +0100 |
874 | +@@ -0,0 +1,1174 @@ |
875 | ++/* |
876 | ++ * eap-tls.c - EAP-TLS implementation for PPP |
877 | ++ * |
878 | ++ * Copyright (c) Beniamino Galvani 2005 All rights reserved. |
879 | ++ * |
880 | ++ * Redistribution and use in source and binary forms, with or without |
881 | ++ * modification, are permitted provided that the following conditions |
882 | ++ * are met: |
883 | ++ * |
884 | ++ * 1. Redistributions of source code must retain the above copyright |
885 | ++ * notice, this list of conditions and the following disclaimer. |
886 | ++ * |
887 | ++ * 2. Redistributions in binary form must reproduce the above copyright |
888 | ++ * notice, this list of conditions and the following disclaimer in |
889 | ++ * the documentation and/or other materials provided with the |
890 | ++ * distribution. |
891 | ++ * |
892 | ++ * 3. The name(s) of the authors of this software must not be used to |
893 | ++ * endorse or promote products derived from this software without |
894 | ++ * prior written permission. |
895 | ++ * |
896 | ++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO |
897 | ++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
898 | ++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
899 | ++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
900 | ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN |
901 | ++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
902 | ++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
903 | ++ * |
904 | ++ */ |
905 | ++ |
906 | ++#include <string.h> |
907 | ++#include <unistd.h> |
908 | ++#include <sys/types.h> |
909 | ++#include <sys/stat.h> |
910 | ++#include <fcntl.h> |
911 | ++ |
912 | ++#include <openssl/conf.h> |
913 | ++#include <openssl/engine.h> |
914 | ++#include <openssl/hmac.h> |
915 | ++#include <openssl/err.h> |
916 | ++#include <openssl/x509v3.h> |
917 | ++ |
918 | ++#include "pppd.h" |
919 | ++#include "eap.h" |
920 | ++#include "eap-tls.h" |
921 | ++#include "fsm.h" |
922 | ++#include "lcp.h" |
923 | ++#include "pathnames.h" |
924 | ++ |
925 | ++/* The openssl configuration file and engines can be loaded only once */ |
926 | ++static CONF *ssl_config = NULL; |
927 | ++static ENGINE *cert_engine = NULL; |
928 | ++static ENGINE *pkey_engine = NULL; |
929 | ++ |
930 | ++#ifdef MPPE |
931 | ++ |
932 | ++/* |
933 | ++ * TLS PRF from RFC 2246 |
934 | ++ */ |
935 | ++static void P_hash(const EVP_MD *evp_md, |
936 | ++ const unsigned char *secret, unsigned int secret_len, |
937 | ++ const unsigned char *seed, unsigned int seed_len, |
938 | ++ unsigned char *out, unsigned int out_len) |
939 | ++{ |
940 | ++ HMAC_CTX ctx_a, ctx_out; |
941 | ++ unsigned char a[HMAC_MAX_MD_CBLOCK]; |
942 | ++ unsigned int size; |
943 | ++ |
944 | ++ HMAC_CTX_init(&ctx_a); |
945 | ++ HMAC_CTX_init(&ctx_out); |
946 | ++ HMAC_Init_ex(&ctx_a, secret, secret_len, evp_md, NULL); |
947 | ++ HMAC_Init_ex(&ctx_out, secret, secret_len, evp_md, NULL); |
948 | ++ |
949 | ++ size = HMAC_size(&ctx_out); |
950 | ++ |
951 | ++ /* Calculate A(1) */ |
952 | ++ HMAC_Update(&ctx_a, seed, seed_len); |
953 | ++ HMAC_Final(&ctx_a, a, NULL); |
954 | ++ |
955 | ++ while (1) { |
956 | ++ /* Calculate next part of output */ |
957 | ++ HMAC_Update(&ctx_out, a, size); |
958 | ++ HMAC_Update(&ctx_out, seed, seed_len); |
959 | ++ |
960 | ++ /* Check if last part */ |
961 | ++ if (out_len < size) { |
962 | ++ HMAC_Final(&ctx_out, a, NULL); |
963 | ++ memcpy(out, a, out_len); |
964 | ++ break; |
965 | ++ } |
966 | ++ |
967 | ++ /* Place digest in output buffer */ |
968 | ++ HMAC_Final(&ctx_out, out, NULL); |
969 | ++ HMAC_Init_ex(&ctx_out, NULL, 0, NULL, NULL); |
970 | ++ out += size; |
971 | ++ out_len -= size; |
972 | ++ |
973 | ++ /* Calculate next A(i) */ |
974 | ++ HMAC_Init_ex(&ctx_a, NULL, 0, NULL, NULL); |
975 | ++ HMAC_Update(&ctx_a, a, size); |
976 | ++ HMAC_Final(&ctx_a, a, NULL); |
977 | ++ } |
978 | ++ |
979 | ++ HMAC_CTX_cleanup(&ctx_a); |
980 | ++ HMAC_CTX_cleanup(&ctx_out); |
981 | ++ memset(a, 0, sizeof(a)); |
982 | ++} |
983 | ++ |
984 | ++static void PRF(const unsigned char *secret, unsigned int secret_len, |
985 | ++ const unsigned char *seed, unsigned int seed_len, |
986 | ++ unsigned char *out, unsigned char *buf, unsigned int out_len) |
987 | ++{ |
988 | ++ unsigned int i; |
989 | ++ unsigned int len = (secret_len + 1) / 2; |
990 | ++ const unsigned char *s1 = secret; |
991 | ++ const unsigned char *s2 = secret + (secret_len - len); |
992 | ++ |
993 | ++ P_hash(EVP_md5(), s1, len, seed, seed_len, out, out_len); |
994 | ++ P_hash(EVP_sha1(), s2, len, seed, seed_len, buf, out_len); |
995 | ++ |
996 | ++ for (i=0; i < out_len; i++) { |
997 | ++ out[i] ^= buf[i]; |
998 | ++ } |
999 | ++} |
1000 | ++ |
1001 | ++#define EAPTLS_MPPE_KEY_LEN 32 |
1002 | ++ |
1003 | ++/* |
1004 | ++ * Generate keys according to RFC 2716 and add to reply |
1005 | ++ */ |
1006 | ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, |
1007 | ++ int client) |
1008 | ++{ |
1009 | ++ unsigned char out[4*EAPTLS_MPPE_KEY_LEN], buf[4*EAPTLS_MPPE_KEY_LEN]; |
1010 | ++ unsigned char seed[64 + 2*SSL3_RANDOM_SIZE]; |
1011 | ++ unsigned char *p = seed; |
1012 | ++ SSL *s = ets->ssl; |
1013 | ++ size_t prf_size; |
1014 | ++ |
1015 | ++ prf_size = strlen(prf_label); |
1016 | ++ |
1017 | ++ memcpy(p, prf_label, prf_size); |
1018 | ++ p += prf_size; |
1019 | ++ |
1020 | ++ memcpy(p, s->s3->client_random, SSL3_RANDOM_SIZE); |
1021 | ++ p += SSL3_RANDOM_SIZE; |
1022 | ++ prf_size += SSL3_RANDOM_SIZE; |
1023 | ++ |
1024 | ++ memcpy(p, s->s3->server_random, SSL3_RANDOM_SIZE); |
1025 | ++ prf_size += SSL3_RANDOM_SIZE; |
1026 | ++ |
1027 | ++ PRF(s->session->master_key, s->session->master_key_length, |
1028 | ++ seed, prf_size, out, buf, sizeof(out)); |
1029 | ++ |
1030 | ++ /* |
1031 | ++ * We now have the master send and receive keys. |
1032 | ++ * From these, generate the session send and receive keys. |
1033 | ++ * (see RFC3079 / draft-ietf-pppext-mppe-keys-03.txt for details) |
1034 | ++ */ |
1035 | ++ if (client) |
1036 | ++ { |
1037 | ++ p = out; |
1038 | ++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); |
1039 | ++ p += EAPTLS_MPPE_KEY_LEN; |
1040 | ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); |
1041 | ++ } |
1042 | ++ else |
1043 | ++ { |
1044 | ++ p = out; |
1045 | ++ BCOPY( p, mppe_recv_key, sizeof(mppe_recv_key) ); |
1046 | ++ p += EAPTLS_MPPE_KEY_LEN; |
1047 | ++ BCOPY( p, mppe_send_key, sizeof(mppe_send_key) ); |
1048 | ++ } |
1049 | ++ |
1050 | ++ mppe_keys_set = 1; |
1051 | ++} |
1052 | ++ |
1053 | ++#endif |
1054 | ++ |
1055 | ++void log_ssl_errors( void ) |
1056 | ++{ |
1057 | ++ unsigned long ssl_err = ERR_get_error(); |
1058 | ++ |
1059 | ++ if (ssl_err != 0) |
1060 | ++ dbglog("EAP-TLS SSL error stack:"); |
1061 | ++ while (ssl_err != 0) { |
1062 | ++ dbglog( ERR_error_string( ssl_err, NULL ) ); |
1063 | ++ ssl_err = ERR_get_error(); |
1064 | ++ } |
1065 | ++} |
1066 | ++ |
1067 | ++ |
1068 | ++int password_callback (char *buf, int size, int rwflag, void *u) |
1069 | ++{ |
1070 | ++ if (buf) |
1071 | ++ { |
1072 | ++ strncpy (buf, passwd, size); |
1073 | ++ return strlen (buf); |
1074 | ++ } |
1075 | ++ return 0; |
1076 | ++} |
1077 | ++ |
1078 | ++ |
1079 | ++CONF *eaptls_ssl_load_config( void ) |
1080 | ++{ |
1081 | ++ CONF *config; |
1082 | ++ int ret_code; |
1083 | ++ long error_line = 33; |
1084 | ++ |
1085 | ++ config = NCONF_new( NULL ); |
1086 | ++ dbglog( "Loading OpenSSL config file" ); |
1087 | ++ ret_code = NCONF_load( config, _PATH_OPENSSLCONFFILE, &error_line ); |
1088 | ++ if (ret_code == 0) |
1089 | ++ { |
1090 | ++ warn( "EAP-TLS: Error in OpenSSL config file %s at line %d", _PATH_OPENSSLCONFFILE, error_line ); |
1091 | ++ NCONF_free( config ); |
1092 | ++ config = NULL; |
1093 | ++ ERR_clear_error(); |
1094 | ++ } |
1095 | ++ |
1096 | ++ dbglog( "Loading OpenSSL built-ins" ); |
1097 | ++ ENGINE_load_builtin_engines(); |
1098 | ++ OPENSSL_load_builtin_modules(); |
1099 | ++ |
1100 | ++ dbglog( "Loading OpenSSL configured modules" ); |
1101 | ++ if (CONF_modules_load( config, NULL, 0 ) <= 0 ) |
1102 | ++ { |
1103 | ++ warn( "EAP-TLS: Error loading OpenSSL modules" ); |
1104 | ++ log_ssl_errors(); |
1105 | ++ config = NULL; |
1106 | ++ } |
1107 | ++ |
1108 | ++ return config; |
1109 | ++} |
1110 | ++ |
1111 | ++ENGINE *eaptls_ssl_load_engine( char *engine_name ) |
1112 | ++{ |
1113 | ++ ENGINE *e = NULL; |
1114 | ++ |
1115 | ++ dbglog( "Enabling OpenSSL auto engines" ); |
1116 | ++ ENGINE_register_all_complete(); |
1117 | ++ |
1118 | ++ dbglog( "Loading OpenSSL '%s' engine support", engine_name ); |
1119 | ++ e = ENGINE_by_id( engine_name ); |
1120 | ++ if (!e) |
1121 | ++ { |
1122 | ++ dbglog( "EAP-TLS: Cannot load '%s' engine support, trying 'dynamic'", engine_name ); |
1123 | ++ e = ENGINE_by_id( "dynamic" ); |
1124 | ++ if (e) |
1125 | ++ { |
1126 | ++ if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine_name, 0) |
1127 | ++ || !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0)) |
1128 | ++ { |
1129 | ++ warn( "EAP-TLS: Error loading dynamic engine '%s'", engine_name ); |
1130 | ++ log_ssl_errors(); |
1131 | ++ ENGINE_free(e); |
1132 | ++ e = NULL; |
1133 | ++ } |
1134 | ++ } |
1135 | ++ else |
1136 | ++ { |
1137 | ++ warn( "EAP-TLS: Cannot load dynamic engine support" ); |
1138 | ++ } |
1139 | ++ } |
1140 | ++ |
1141 | ++ if (e) |
1142 | ++ { |
1143 | ++ dbglog( "Initialising engine" ); |
1144 | ++ if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) |
1145 | ++ { |
1146 | ++ warn( "EAP-TLS: Cannot use that engine" ); |
1147 | ++ log_ssl_errors(); |
1148 | ++ ENGINE_free(e); |
1149 | ++ e = NULL; |
1150 | ++ } |
1151 | ++ } |
1152 | ++ |
1153 | ++ return e; |
1154 | ++} |
1155 | ++ |
1156 | ++/* |
1157 | ++ * Initialize the SSL stacks and tests if certificates, key and crl |
1158 | ++ * for client or server use can be loaded. |
1159 | ++ */ |
1160 | ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, |
1161 | ++ char *certfile, char *peer_certfile, char *privkeyfile) |
1162 | ++{ |
1163 | ++ char *cert_engine_name = NULL; |
1164 | ++ char *cert_identifier = NULL; |
1165 | ++ char *pkey_engine_name = NULL; |
1166 | ++ char *pkey_identifier = NULL; |
1167 | ++ SSL_CTX *ctx; |
1168 | ++ X509_STORE *certstore; |
1169 | ++ X509_LOOKUP *lookup; |
1170 | ++ X509 *tmp; |
1171 | ++ |
1172 | ++ /* |
1173 | ++ * Without these can't continue |
1174 | ++ */ |
1175 | ++ if (!cacertfile[0]) |
1176 | ++ { |
1177 | ++ error("EAP-TLS: CA certificate missing"); |
1178 | ++ return NULL; |
1179 | ++ } |
1180 | ++ |
1181 | ++ if (!certfile[0]) |
1182 | ++ { |
1183 | ++ error("EAP-TLS: User certificate missing"); |
1184 | ++ return NULL; |
1185 | ++ } |
1186 | ++ |
1187 | ++ if (!privkeyfile[0]) |
1188 | ++ { |
1189 | ++ error("EAP-TLS: User private key missing"); |
1190 | ++ return NULL; |
1191 | ++ } |
1192 | ++ |
1193 | ++ SSL_library_init(); |
1194 | ++ SSL_load_error_strings(); |
1195 | ++ |
1196 | ++ ctx = SSL_CTX_new(TLSv1_method()); |
1197 | ++ |
1198 | ++ if (!ctx) { |
1199 | ++ error("EAP-TLS: Cannot initialize SSL CTX context"); |
1200 | ++ goto fail; |
1201 | ++ } |
1202 | ++ |
1203 | ++ /* if the certificate filename is of the form engine:id. e.g. |
1204 | ++ pkcs11:12345 |
1205 | ++ then we try to load and use this engine. |
1206 | ++ If the certificate filename starts with a / or . then we |
1207 | ++ ALWAYS assume it is a file and not an engine/pkcs11 identifier |
1208 | ++ */ |
1209 | ++ if ( index( certfile, '/' ) == NULL && index( certfile, '.') == NULL ) |
1210 | ++ { |
1211 | ++ cert_identifier = index( certfile, ':' ); |
1212 | ++ |
1213 | ++ if (cert_identifier) |
1214 | ++ { |
1215 | ++ cert_engine_name = certfile; |
1216 | ++ *cert_identifier = '\0'; |
1217 | ++ cert_identifier++; |
1218 | ++ |
1219 | ++ dbglog( "Found certificate engine '%s'", cert_engine_name ); |
1220 | ++ dbglog( "Found certificate identifier '%s'", cert_identifier ); |
1221 | ++ } |
1222 | ++ } |
1223 | ++ |
1224 | ++ /* if the privatekey filename is of the form engine:id. e.g. |
1225 | ++ pkcs11:12345 |
1226 | ++ then we try to load and use this engine. |
1227 | ++ If the privatekey filename starts with a / or . then we |
1228 | ++ ALWAYS assume it is a file and not an engine/pkcs11 identifier |
1229 | ++ */ |
1230 | ++ if ( index( privkeyfile, '/' ) == NULL && index( privkeyfile, '.') == NULL ) |
1231 | ++ { |
1232 | ++ pkey_identifier = index( privkeyfile, ':' ); |
1233 | ++ |
1234 | ++ if (pkey_identifier) |
1235 | ++ { |
1236 | ++ pkey_engine_name = privkeyfile; |
1237 | ++ *pkey_identifier = '\0'; |
1238 | ++ pkey_identifier++; |
1239 | ++ |
1240 | ++ dbglog( "Found privatekey engine '%s'", pkey_engine_name ); |
1241 | ++ dbglog( "Found privatekey identifier '%s'", pkey_identifier ); |
1242 | ++ } |
1243 | ++ } |
1244 | ++ |
1245 | ++ if (cert_identifier && pkey_identifier) |
1246 | ++ { |
1247 | ++ if (strlen( cert_identifier ) == 0) |
1248 | ++ { |
1249 | ++ if (strlen( pkey_identifier ) == 0) |
1250 | ++ error( "EAP-TLS: both the certificate and privatekey identifiers are missing!" ); |
1251 | ++ else |
1252 | ++ { |
1253 | ++ dbglog( "Substituting privatekey identifier for certificate identifier" ); |
1254 | ++ cert_identifier = pkey_identifier; |
1255 | ++ } |
1256 | ++ } |
1257 | ++ else |
1258 | ++ { |
1259 | ++ if (strlen( pkey_identifier ) == 0) |
1260 | ++ { |
1261 | ++ dbglog( "Substituting certificate identifier for privatekey identifier" ); |
1262 | ++ pkey_identifier = cert_identifier; |
1263 | ++ } |
1264 | ++ } |
1265 | ++ |
1266 | ++ } |
1267 | ++ |
1268 | ++ /* load the openssl config file only once */ |
1269 | ++ if (!ssl_config) |
1270 | ++ { |
1271 | ++ if (cert_engine_name || pkey_engine_name) |
1272 | ++ ssl_config = eaptls_ssl_load_config(); |
1273 | ++ |
1274 | ++ if (ssl_config && cert_engine_name) |
1275 | ++ cert_engine = eaptls_ssl_load_engine( cert_engine_name ); |
1276 | ++ |
1277 | ++ if (ssl_config && pkey_engine_name) |
1278 | ++ { |
1279 | ++ /* don't load the same engine twice */ |
1280 | ++ if ( strcmp( cert_engine_name, pkey_engine_name) == 0 ) |
1281 | ++ pkey_engine = cert_engine; |
1282 | ++ else |
1283 | ++ pkey_engine = eaptls_ssl_load_engine( pkey_engine_name ); |
1284 | ++ } |
1285 | ++ } |
1286 | ++ |
1287 | ++ SSL_CTX_set_default_passwd_cb (ctx, password_callback); |
1288 | ++ |
1289 | ++ if (!SSL_CTX_load_verify_locations(ctx, cacertfile, NULL)) |
1290 | ++ { |
1291 | ++ error("EAP-TLS: Cannot load or verify CA file %s", cacertfile); |
1292 | ++ goto fail; |
1293 | ++ } |
1294 | ++ |
1295 | ++ if (init_server) |
1296 | ++ SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cacertfile)); |
1297 | ++ |
1298 | ++ if (cert_engine) |
1299 | ++ { |
1300 | ++ struct |
1301 | ++ { |
1302 | ++ const char *s_slot_cert_id; |
1303 | ++ X509 *cert; |
1304 | ++ } cert_info; |
1305 | ++ |
1306 | ++ cert_info.s_slot_cert_id = cert_identifier; |
1307 | ++ cert_info.cert = NULL; |
1308 | ++ |
1309 | ++ if (!ENGINE_ctrl_cmd( cert_engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0 ) ) |
1310 | ++ { |
1311 | ++ error( "EAP-TLS: Error loading certificate with id '%s' from engine", cert_identifier ); |
1312 | ++ goto fail; |
1313 | ++ } |
1314 | ++ |
1315 | ++ if (cert_info.cert) |
1316 | ++ { |
1317 | ++ dbglog( "Got the certificate, adding it to SSL context" ); |
1318 | ++ dbglog( "subject = %s", X509_NAME_oneline( X509_get_subject_name( cert_info.cert ), NULL, 0 ) ); |
1319 | ++ if (SSL_CTX_use_certificate(ctx, cert_info.cert) <= 0) |
1320 | ++ { |
1321 | ++ error("EAP-TLS: Cannot use PKCS11 certificate %s", cert_identifier); |
1322 | ++ goto fail; |
1323 | ++ } |
1324 | ++ } |
1325 | ++ else |
1326 | ++ { |
1327 | ++ warn("EAP-TLS: Cannot load PKCS11 key %s", cert_identifier); |
1328 | ++ log_ssl_errors(); |
1329 | ++ } |
1330 | ++ } |
1331 | ++ else |
1332 | ++ { |
1333 | ++ if (!SSL_CTX_use_certificate_file(ctx, certfile, SSL_FILETYPE_PEM)) |
1334 | ++ { |
1335 | ++ error( "EAP-TLS: Cannot use public certificate %s", certfile ); |
1336 | ++ goto fail; |
1337 | ++ } |
1338 | ++ } |
1339 | ++ |
1340 | ++ if (pkey_engine) |
1341 | ++ { |
1342 | ++ EVP_PKEY *pkey = NULL; |
1343 | ++ PW_CB_DATA cb_data; |
1344 | ++ |
1345 | ++ cb_data.password = passwd; |
1346 | ++ cb_data.prompt_info = pkey_identifier; |
1347 | ++ |
1348 | ++ dbglog( "Loading private key '%s' from engine", pkey_identifier ); |
1349 | ++ pkey = ENGINE_load_private_key(pkey_engine, pkey_identifier, NULL, &cb_data); |
1350 | ++ if (pkey) |
1351 | ++ { |
1352 | ++ dbglog( "Got the private key, adding it to SSL context" ); |
1353 | ++ if (SSL_CTX_use_PrivateKey(ctx, pkey) <= 0) |
1354 | ++ { |
1355 | ++ error("EAP-TLS: Cannot use PKCS11 key %s", pkey_identifier); |
1356 | ++ goto fail; |
1357 | ++ } |
1358 | ++ } |
1359 | ++ else |
1360 | ++ { |
1361 | ++ warn("EAP-TLS: Cannot load PKCS11 key %s", pkey_identifier); |
1362 | ++ log_ssl_errors(); |
1363 | ++ } |
1364 | ++ } |
1365 | ++ else |
1366 | ++ { |
1367 | ++ if (!SSL_CTX_use_PrivateKey_file(ctx, privkeyfile, SSL_FILETYPE_PEM)) |
1368 | ++ { |
1369 | ++ error("EAP-TLS: Cannot use private key %s", privkeyfile); |
1370 | ++ goto fail; |
1371 | ++ } |
1372 | ++ } |
1373 | ++ |
1374 | ++ if (SSL_CTX_check_private_key(ctx) != 1) { |
1375 | ++ error("EAP-TLS: Private key %s fails security check", privkeyfile); |
1376 | ++ goto fail; |
1377 | ++ } |
1378 | ++ |
1379 | ++ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3); |
1380 | ++ SSL_CTX_set_verify_depth(ctx, 5); |
1381 | ++ SSL_CTX_set_verify(ctx, |
1382 | ++ SSL_VERIFY_PEER | |
1383 | ++ SSL_VERIFY_FAIL_IF_NO_PEER_CERT, |
1384 | ++ &ssl_verify_callback); |
1385 | ++ |
1386 | ++ if (crl_dir) { |
1387 | ++ if (!(certstore = SSL_CTX_get_cert_store(ctx))) { |
1388 | ++ error("EAP-TLS: Failed to get certificate store"); |
1389 | ++ goto fail; |
1390 | ++ } |
1391 | ++ |
1392 | ++ if (!(lookup = |
1393 | ++ X509_STORE_add_lookup(certstore, X509_LOOKUP_hash_dir()))) { |
1394 | ++ error("EAP-TLS: Store lookup for CRL failed"); |
1395 | ++ |
1396 | ++ goto fail; |
1397 | ++ } |
1398 | ++ |
1399 | ++ X509_LOOKUP_add_dir(lookup, crl_dir, X509_FILETYPE_PEM); |
1400 | ++ X509_STORE_set_flags(certstore, X509_V_FLAG_CRL_CHECK); |
1401 | ++ } |
1402 | ++ |
1403 | ++ /* |
1404 | ++ * If a peer certificate file was specified, it must be valid, else fail |
1405 | ++ */ |
1406 | ++ if (peer_certfile[0]) { |
1407 | ++ if (!(tmp = get_X509_from_file(peer_certfile))) { |
1408 | ++ error("EAP-TLS: Error loading client certificate from file %s", |
1409 | ++ peer_certfile); |
1410 | ++ goto fail; |
1411 | ++ } |
1412 | ++ X509_free(tmp); |
1413 | ++ } |
1414 | ++ |
1415 | ++ return ctx; |
1416 | ++ |
1417 | ++fail: |
1418 | ++ log_ssl_errors(); |
1419 | ++ SSL_CTX_free(ctx); |
1420 | ++ return NULL; |
1421 | ++} |
1422 | ++ |
1423 | ++/* |
1424 | ++ * Determine the maximum packet size by looking at the LCP handshake |
1425 | ++ */ |
1426 | ++ |
1427 | ++int eaptls_get_mtu(int unit) |
1428 | ++{ |
1429 | ++ int mtu, mru; |
1430 | ++ |
1431 | ++ lcp_options *wo = &lcp_wantoptions[unit]; |
1432 | ++ lcp_options *go = &lcp_gotoptions[unit]; |
1433 | ++ lcp_options *ho = &lcp_hisoptions[unit]; |
1434 | ++ lcp_options *ao = &lcp_allowoptions[unit]; |
1435 | ++ |
1436 | ++ mtu = ho->neg_mru? ho->mru: PPP_MRU; |
1437 | ++ mru = go->neg_mru? MAX(wo->mru, go->mru): PPP_MRU; |
1438 | ++ mtu = MIN(MIN(mtu, mru), ao->mru)- PPP_HDRLEN - 10; |
1439 | ++ |
1440 | ++ dbglog("MTU = %d", mtu); |
1441 | ++ return mtu; |
1442 | ++} |
1443 | ++ |
1444 | ++ |
1445 | ++/* |
1446 | ++ * Init the ssl handshake (server mode) |
1447 | ++ */ |
1448 | ++int eaptls_init_ssl_server(eap_state * esp) |
1449 | ++{ |
1450 | ++ struct eaptls_session *ets; |
1451 | ++ char servcertfile[MAXWORDLEN]; |
1452 | ++ char clicertfile[MAXWORDLEN]; |
1453 | ++ char cacertfile[MAXWORDLEN]; |
1454 | ++ char pkfile[MAXWORDLEN]; |
1455 | ++ /* |
1456 | ++ * Allocate new eaptls session |
1457 | ++ */ |
1458 | ++ esp->es_server.ea_session = malloc(sizeof(struct eaptls_session)); |
1459 | ++ if (!esp->es_server.ea_session) |
1460 | ++ fatal("Allocation error"); |
1461 | ++ ets = esp->es_server.ea_session; |
1462 | ++ |
1463 | ++ if (!esp->es_server.ea_peer) { |
1464 | ++ error("EAP-TLS: Error: client name not set (BUG)"); |
1465 | ++ return 0; |
1466 | ++ } |
1467 | ++ |
1468 | ++ strncpy(ets->peer, esp->es_server.ea_peer, MAXWORDLEN); |
1469 | ++ |
1470 | ++ dbglog( "getting eaptls secret" ); |
1471 | ++ if (!get_eaptls_secret(esp->es_unit, esp->es_server.ea_peer, |
1472 | ++ esp->es_server.ea_name, clicertfile, |
1473 | ++ servcertfile, cacertfile, pkfile, 1)) { |
1474 | ++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", |
1475 | ++ esp->es_server.ea_peer, esp->es_server.ea_name ); |
1476 | ++ return 0; |
1477 | ++ } |
1478 | ++ |
1479 | ++ ets->mtu = eaptls_get_mtu(esp->es_unit); |
1480 | ++ |
1481 | ++ ets->ctx = eaptls_init_ssl(1, cacertfile, servcertfile, clicertfile, pkfile); |
1482 | ++ if (!ets->ctx) |
1483 | ++ goto fail; |
1484 | ++ |
1485 | ++ if (!(ets->ssl = SSL_new(ets->ctx))) |
1486 | ++ goto fail; |
1487 | ++ |
1488 | ++ /* |
1489 | ++ * Set auto-retry to avoid timeouts on BIO_read |
1490 | ++ */ |
1491 | ++ SSL_set_mode(ets->ssl, SSL_MODE_AUTO_RETRY); |
1492 | ++ |
1493 | ++ /* |
1494 | ++ * Initialize the BIOs we use to read/write to ssl engine |
1495 | ++ */ |
1496 | ++ ets->into_ssl = BIO_new(BIO_s_mem()); |
1497 | ++ ets->from_ssl = BIO_new(BIO_s_mem()); |
1498 | ++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); |
1499 | ++ |
1500 | ++ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); |
1501 | ++ SSL_set_msg_callback_arg(ets->ssl, ets); |
1502 | ++ |
1503 | ++ /* |
1504 | ++ * Attach the session struct to the connection, so we can later |
1505 | ++ * retrieve it when doing certificate verification |
1506 | ++ */ |
1507 | ++ SSL_set_ex_data(ets->ssl, 0, ets); |
1508 | ++ |
1509 | ++ SSL_set_accept_state(ets->ssl); |
1510 | ++ |
1511 | ++ ets->data = NULL; |
1512 | ++ ets->datalen = 0; |
1513 | ++ ets->alert_sent = 0; |
1514 | ++ ets->alert_recv = 0; |
1515 | ++ |
1516 | ++ /* |
1517 | ++ * If we specified the client certificate file, store it in ets->peercertfile, |
1518 | ++ * so we can check it later in ssl_verify_callback() |
1519 | ++ */ |
1520 | ++ if (clicertfile[0]) |
1521 | ++ strncpy(&ets->peercertfile[0], clicertfile, MAXWORDLEN); |
1522 | ++ else |
1523 | ++ ets->peercertfile[0] = 0; |
1524 | ++ |
1525 | ++ return 1; |
1526 | ++ |
1527 | ++fail: |
1528 | ++ SSL_CTX_free(ets->ctx); |
1529 | ++ return 0; |
1530 | ++} |
1531 | ++ |
1532 | ++/* |
1533 | ++ * Init the ssl handshake (client mode) |
1534 | ++ */ |
1535 | ++int eaptls_init_ssl_client(eap_state * esp) |
1536 | ++{ |
1537 | ++ struct eaptls_session *ets; |
1538 | ++ char servcertfile[MAXWORDLEN]; |
1539 | ++ char clicertfile[MAXWORDLEN]; |
1540 | ++ char cacertfile[MAXWORDLEN]; |
1541 | ++ char pkfile[MAXWORDLEN]; |
1542 | ++ |
1543 | ++ /* |
1544 | ++ * Allocate new eaptls session |
1545 | ++ */ |
1546 | ++ esp->es_client.ea_session = malloc(sizeof(struct eaptls_session)); |
1547 | ++ if (!esp->es_client.ea_session) |
1548 | ++ fatal("Allocation error"); |
1549 | ++ ets = esp->es_client.ea_session; |
1550 | ++ |
1551 | ++ /* |
1552 | ++ * If available, copy server name in ets; it will be used in cert |
1553 | ++ * verify |
1554 | ++ */ |
1555 | ++ if (esp->es_client.ea_peer) |
1556 | ++ strncpy(ets->peer, esp->es_client.ea_peer, MAXWORDLEN); |
1557 | ++ else |
1558 | ++ ets->peer[0] = 0; |
1559 | ++ |
1560 | ++ ets->mtu = eaptls_get_mtu(esp->es_unit); |
1561 | ++ |
1562 | ++ dbglog( "calling get_eaptls_secret" ); |
1563 | ++ if (!get_eaptls_secret(esp->es_unit, esp->es_client.ea_name, |
1564 | ++ esp->es_client.ea_peer, clicertfile, |
1565 | ++ servcertfile, cacertfile, pkfile, 0)) { |
1566 | ++ error( "EAP-TLS: Cannot get secret/password for client \"%s\", server \"%s\"", |
1567 | ++ esp->es_client.ea_name, esp->es_client.ea_peer ); |
1568 | ++ return 0; |
1569 | ++ } |
1570 | ++ |
1571 | ++ dbglog( "calling eaptls_init_ssl" ); |
1572 | ++ ets->ctx = eaptls_init_ssl(0, cacertfile, clicertfile, servcertfile, pkfile); |
1573 | ++ if (!ets->ctx) |
1574 | ++ goto fail; |
1575 | ++ |
1576 | ++ ets->ssl = SSL_new(ets->ctx); |
1577 | ++ |
1578 | ++ if (!ets->ssl) |
1579 | ++ goto fail; |
1580 | ++ |
1581 | ++ /* |
1582 | ++ * Initialize the BIOs we use to read/write to ssl engine |
1583 | ++ */ |
1584 | ++ dbglog( "Initializing SSL BIOs" ); |
1585 | ++ ets->into_ssl = BIO_new(BIO_s_mem()); |
1586 | ++ ets->from_ssl = BIO_new(BIO_s_mem()); |
1587 | ++ SSL_set_bio(ets->ssl, ets->into_ssl, ets->from_ssl); |
1588 | ++ |
1589 | ++ SSL_set_msg_callback(ets->ssl, ssl_msg_callback); |
1590 | ++ SSL_set_msg_callback_arg(ets->ssl, ets); |
1591 | ++ |
1592 | ++ /* |
1593 | ++ * Attach the session struct to the connection, so we can later |
1594 | ++ * retrieve it when doing certificate verification |
1595 | ++ */ |
1596 | ++ SSL_set_ex_data(ets->ssl, 0, ets); |
1597 | ++ |
1598 | ++ SSL_set_connect_state(ets->ssl); |
1599 | ++ |
1600 | ++ ets->data = NULL; |
1601 | ++ ets->datalen = 0; |
1602 | ++ ets->alert_sent = 0; |
1603 | ++ ets->alert_recv = 0; |
1604 | ++ |
1605 | ++ /* |
1606 | ++ * If we specified the server certificate file, store it in |
1607 | ++ * ets->peercertfile, so we can check it later in |
1608 | ++ * ssl_verify_callback() |
1609 | ++ */ |
1610 | ++ if (servcertfile[0]) |
1611 | ++ strncpy(ets->peercertfile, servcertfile, MAXWORDLEN); |
1612 | ++ else |
1613 | ++ ets->peercertfile[0] = 0; |
1614 | ++ |
1615 | ++ return 1; |
1616 | ++ |
1617 | ++fail: |
1618 | ++ dbglog( "eaptls_init_ssl_client: fail" ); |
1619 | ++ SSL_CTX_free(ets->ctx); |
1620 | ++ return 0; |
1621 | ++ |
1622 | ++} |
1623 | ++ |
1624 | ++void eaptls_free_session(struct eaptls_session *ets) |
1625 | ++{ |
1626 | ++ if (ets->ssl) |
1627 | ++ SSL_free(ets->ssl); |
1628 | ++ |
1629 | ++ if (ets->ctx) |
1630 | ++ SSL_CTX_free(ets->ctx); |
1631 | ++ |
1632 | ++ free(ets); |
1633 | ++} |
1634 | ++ |
1635 | ++/* |
1636 | ++ * Handle a received packet, reassembling fragmented messages and |
1637 | ++ * passing them to the ssl engine |
1638 | ++ */ |
1639 | ++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len) |
1640 | ++{ |
1641 | ++ u_char flags; |
1642 | ++ u_int tlslen; |
1643 | ++ u_char dummy[65536]; |
1644 | ++ |
1645 | ++ GETCHAR(flags, inp); |
1646 | ++ len--; |
1647 | ++ |
1648 | ++ if (flags & EAP_TLS_FLAGS_LI && !ets->data) { |
1649 | ++ |
1650 | ++ /* |
1651 | ++ * This is the first packet of a message |
1652 | ++ */ |
1653 | ++ |
1654 | ++ GETLONG(tlslen, inp); |
1655 | ++ len -= 4; |
1656 | ++ |
1657 | ++ if (tlslen > EAP_TLS_MAX_LEN) { |
1658 | ++ error("Error: tls message length > %d, truncated", |
1659 | ++ EAP_TLS_MAX_LEN); |
1660 | ++ tlslen = EAP_TLS_MAX_LEN; |
1661 | ++ } |
1662 | ++ |
1663 | ++ /* |
1664 | ++ * Allocate memory for the whole message |
1665 | ++ */ |
1666 | ++ ets->data = malloc(tlslen); |
1667 | ++ if (!ets->data) |
1668 | ++ fatal("EAP TLS: allocation error\n"); |
1669 | ++ |
1670 | ++ ets->datalen = 0; |
1671 | ++ ets->tlslen = tlslen; |
1672 | ++ |
1673 | ++ } |
1674 | ++ else if (flags & EAP_TLS_FLAGS_LI && ets->data) { |
1675 | ++ /* |
1676 | ++ * Non first with LI (strange...) |
1677 | ++ */ |
1678 | ++ |
1679 | ++ GETLONG(tlslen, inp); |
1680 | ++ len -= 4; |
1681 | ++ |
1682 | ++ } |
1683 | ++ else if (!ets->data) { |
1684 | ++ /* |
1685 | ++ * A non fragmented message without LI flag |
1686 | ++ */ |
1687 | ++ |
1688 | ++ ets->data = malloc(len); |
1689 | ++ if (!ets->data) |
1690 | ++ fatal("EAP TLS: allocation error\n"); |
1691 | ++ |
1692 | ++ ets->datalen = 0; |
1693 | ++ ets->tlslen = len; |
1694 | ++ } |
1695 | ++ |
1696 | ++ if (flags & EAP_TLS_FLAGS_MF) |
1697 | ++ ets->frag = 1; |
1698 | ++ else |
1699 | ++ ets->frag = 0; |
1700 | ++ |
1701 | ++ if (len + ets->datalen > ets->tlslen) { |
1702 | ++ warn("EAP TLS: received data > TLS message length"); |
1703 | ++ return 1; |
1704 | ++ } |
1705 | ++ |
1706 | ++ BCOPY(inp, ets->data + ets->datalen, len); |
1707 | ++ ets->datalen += len; |
1708 | ++ |
1709 | ++ if (!ets->frag) { |
1710 | ++ |
1711 | ++ /* |
1712 | ++ * If we have the whole message, pass it to ssl |
1713 | ++ */ |
1714 | ++ |
1715 | ++ if (ets->datalen != ets->tlslen) { |
1716 | ++ warn("EAP TLS: received data != TLS message length"); |
1717 | ++ return 1; |
1718 | ++ } |
1719 | ++ |
1720 | ++ if (BIO_write(ets->into_ssl, ets->data, ets->datalen) == -1) |
1721 | ++ log_ssl_errors(); |
1722 | ++ |
1723 | ++ SSL_read(ets->ssl, dummy, 65536); |
1724 | ++ |
1725 | ++ free(ets->data); |
1726 | ++ ets->data = NULL; |
1727 | ++ ets->datalen = 0; |
1728 | ++ } |
1729 | ++ |
1730 | ++ return 0; |
1731 | ++} |
1732 | ++ |
1733 | ++/* |
1734 | ++ * Return an eap-tls packet in outp. |
1735 | ++ * A TLS message read from the ssl engine is buffered in ets->data. |
1736 | ++ * At each call we control if there is buffered data and send a |
1737 | ++ * packet of mtu bytes. |
1738 | ++ */ |
1739 | ++int eaptls_send(struct eaptls_session *ets, u_char ** outp) |
1740 | ++{ |
1741 | ++ bool first = 0; |
1742 | ++ int size; |
1743 | ++ u_char fromtls[65536]; |
1744 | ++ int res; |
1745 | ++ u_char *start; |
1746 | ++ |
1747 | ++ start = *outp; |
1748 | ++ |
1749 | ++ if (!ets->data) { |
1750 | ++ |
1751 | ++ if(!ets->alert_sent) |
1752 | ++ SSL_read(ets->ssl, fromtls, 65536); |
1753 | ++ |
1754 | ++ /* |
1755 | ++ * Read from ssl |
1756 | ++ */ |
1757 | ++ if ((res = BIO_read(ets->from_ssl, fromtls, 65536)) == -1) |
1758 | ++ fatal("No data from BIO_read"); |
1759 | ++ |
1760 | ++ ets->datalen = res; |
1761 | ++ |
1762 | ++ ets->data = malloc(ets->datalen); |
1763 | ++ BCOPY(fromtls, ets->data, ets->datalen); |
1764 | ++ |
1765 | ++ ets->offset = 0; |
1766 | ++ first = 1; |
1767 | ++ |
1768 | ++ } |
1769 | ++ |
1770 | ++ size = ets->datalen - ets->offset; |
1771 | ++ |
1772 | ++ if (size > ets->mtu) { |
1773 | ++ size = ets->mtu; |
1774 | ++ ets->frag = 1; |
1775 | ++ } else |
1776 | ++ ets->frag = 0; |
1777 | ++ |
1778 | ++ PUTCHAR(EAPT_TLS, *outp); |
1779 | ++ |
1780 | ++ /* |
1781 | ++ * Set right flags and length if necessary |
1782 | ++ */ |
1783 | ++ if (ets->frag && first) { |
1784 | ++ PUTCHAR(EAP_TLS_FLAGS_LI | EAP_TLS_FLAGS_MF, *outp); |
1785 | ++ PUTLONG(ets->datalen, *outp); |
1786 | ++ } else if (ets->frag) { |
1787 | ++ PUTCHAR(EAP_TLS_FLAGS_MF, *outp); |
1788 | ++ } else |
1789 | ++ PUTCHAR(0, *outp); |
1790 | ++ |
1791 | ++ /* |
1792 | ++ * Copy the data in outp |
1793 | ++ */ |
1794 | ++ BCOPY(ets->data + ets->offset, *outp, size); |
1795 | ++ INCPTR(size, *outp); |
1796 | ++ |
1797 | ++ /* |
1798 | ++ * Copy the packet in retransmission buffer |
1799 | ++ */ |
1800 | ++ BCOPY(start, &ets->rtx[0], *outp - start); |
1801 | ++ ets->rtx_len = *outp - start; |
1802 | ++ |
1803 | ++ ets->offset += size; |
1804 | ++ |
1805 | ++ if (ets->offset >= ets->datalen) { |
1806 | ++ |
1807 | ++ /* |
1808 | ++ * The whole message has been sent |
1809 | ++ */ |
1810 | ++ |
1811 | ++ free(ets->data); |
1812 | ++ ets->data = NULL; |
1813 | ++ ets->datalen = 0; |
1814 | ++ ets->offset = 0; |
1815 | ++ } |
1816 | ++ |
1817 | ++ return 0; |
1818 | ++} |
1819 | ++ |
1820 | ++/* |
1821 | ++ * Get the sent packet from the retransmission buffer |
1822 | ++ */ |
1823 | ++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp) |
1824 | ++{ |
1825 | ++ BCOPY(ets->rtx, *outp, ets->rtx_len); |
1826 | ++ INCPTR(ets->rtx_len, *outp); |
1827 | ++} |
1828 | ++ |
1829 | ++/* |
1830 | ++ * Verify a certificate. |
1831 | ++ * Most of the work (signatures and issuer attributes checking) |
1832 | ++ * is done by ssl; we check the CN in the peer certificate |
1833 | ++ * against the peer name. |
1834 | ++ */ |
1835 | ++int ssl_verify_callback(int preverify_ok, X509_STORE_CTX * ctx) |
1836 | ++{ |
1837 | ++ char subject[256]; |
1838 | ++ char cn_str[256]; |
1839 | ++ X509 *peer_cert; |
1840 | ++ int err, depth; |
1841 | ++ int ok = preverify_ok; |
1842 | ++ SSL *ssl; |
1843 | ++ struct eaptls_session *ets; |
1844 | ++ |
1845 | ++ peer_cert = X509_STORE_CTX_get_current_cert(ctx); |
1846 | ++ err = X509_STORE_CTX_get_error(ctx); |
1847 | ++ depth = X509_STORE_CTX_get_error_depth(ctx); |
1848 | ++ |
1849 | ++ dbglog("certificate verify depth: %d", depth); |
1850 | ++ |
1851 | ++ if (auth_required && !ok) { |
1852 | ++ X509_NAME_oneline(X509_get_subject_name(peer_cert), |
1853 | ++ subject, 256); |
1854 | ++ |
1855 | ++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), |
1856 | ++ NID_commonName, cn_str, 256); |
1857 | ++ |
1858 | ++ dbglog("Certificate verification error:\n depth: %d CN: %s" |
1859 | ++ "\n err: %d (%s)\n", depth, cn_str, err, |
1860 | ++ X509_verify_cert_error_string(err)); |
1861 | ++ |
1862 | ++ return 0; |
1863 | ++ } |
1864 | ++ |
1865 | ++ ssl = X509_STORE_CTX_get_ex_data(ctx, |
1866 | ++ SSL_get_ex_data_X509_STORE_CTX_idx()); |
1867 | ++ |
1868 | ++ ets = (struct eaptls_session *)SSL_get_ex_data(ssl, 0); |
1869 | ++ |
1870 | ++ if (ets == NULL) { |
1871 | ++ error("Error: SSL_get_ex_data returned NULL"); |
1872 | ++ return 0; |
1873 | ++ } |
1874 | ++ |
1875 | ++ log_ssl_errors(); |
1876 | ++ |
1877 | ++ if (!depth) { /* This is the peer certificate */ |
1878 | ++ |
1879 | ++ X509_NAME_oneline(X509_get_subject_name(peer_cert), |
1880 | ++ subject, 256); |
1881 | ++ |
1882 | ++ X509_NAME_get_text_by_NID(X509_get_subject_name(peer_cert), |
1883 | ++ NID_commonName, cn_str, 256); |
1884 | ++ |
1885 | ++ /* |
1886 | ++ * If acting as client and the name of the server wasn't specified |
1887 | ++ * explicitely, we can't verify the server authenticity |
1888 | ++ */ |
1889 | ++ if (!ets->peer[0]) { |
1890 | ++ warn("Peer name not specified: no check"); |
1891 | ++ return 1; |
1892 | ++ } |
1893 | ++ |
1894 | ++ /* |
1895 | ++ * Check the CN |
1896 | ++ */ |
1897 | ++ if (strcmp(cn_str, ets->peer)) { |
1898 | ++ error |
1899 | ++ ("Certificate verification error: CN (%s) != peer_name (%s)", |
1900 | ++ cn_str, ets->peer); |
1901 | ++ return 0; |
1902 | ++ } |
1903 | ++ |
1904 | ++ warn("Certificate CN: %s , peer name %s", cn_str, ets->peer); |
1905 | ++ |
1906 | ++ /* |
1907 | ++ * If a peer certificate file was specified, here we check it |
1908 | ++ */ |
1909 | ++ if (ets->peercertfile[0]) { |
1910 | ++ if (ssl_cmp_certs(&ets->peercertfile[0], peer_cert) |
1911 | ++ != 0) { |
1912 | ++ error |
1913 | ++ ("Peer certificate doesn't match stored certificate"); |
1914 | ++ return 0; |
1915 | ++ } |
1916 | ++ } |
1917 | ++ } |
1918 | ++ |
1919 | ++ return 1; |
1920 | ++} |
1921 | ++ |
1922 | ++/* |
1923 | ++ * Compare a certificate with the one stored in a file |
1924 | ++ */ |
1925 | ++int ssl_cmp_certs(char *filename, X509 * a) |
1926 | ++{ |
1927 | ++ X509 *b; |
1928 | ++ int ret; |
1929 | ++ |
1930 | ++ if (!(b = get_X509_from_file(filename))) |
1931 | ++ return 1; |
1932 | ++ |
1933 | ++ ret = X509_cmp(a, b); |
1934 | ++ X509_free(b); |
1935 | ++ |
1936 | ++ return ret; |
1937 | ++ |
1938 | ++} |
1939 | ++ |
1940 | ++X509 *get_X509_from_file(char *filename) |
1941 | ++{ |
1942 | ++ FILE *fp; |
1943 | ++ X509 *ret; |
1944 | ++ |
1945 | ++ if (!(fp = fopen(filename, "r"))) |
1946 | ++ return NULL; |
1947 | ++ |
1948 | ++ ret = PEM_read_X509(fp, NULL, NULL, NULL); |
1949 | ++ |
1950 | ++ fclose(fp); |
1951 | ++ |
1952 | ++ return ret; |
1953 | ++} |
1954 | ++ |
1955 | ++/* |
1956 | ++ * Every sent & received message this callback function is invoked, |
1957 | ++ * so we know when alert messages have arrived or are sent and |
1958 | ++ * we can print debug information about TLS handshake. |
1959 | ++ */ |
1960 | ++void |
1961 | ++ssl_msg_callback(int write_p, int version, int content_type, |
1962 | ++ const void *buf, size_t len, SSL * ssl, void *arg) |
1963 | ++{ |
1964 | ++ char string[256]; |
1965 | ++ struct eaptls_session *ets = (struct eaptls_session *)arg; |
1966 | ++ unsigned char code; |
1967 | ++ |
1968 | ++ if(write_p) |
1969 | ++ strcpy(string, " -> "); |
1970 | ++ else |
1971 | ++ strcpy(string, " <- "); |
1972 | ++ |
1973 | ++ |
1974 | ++ switch(content_type) { |
1975 | ++ |
1976 | ++ case SSL3_RT_ALERT: |
1977 | ++ strcat(string, "Alert: "); |
1978 | ++ code = ((const unsigned char *)buf)[1]; |
1979 | ++ |
1980 | ++ if (write_p) { |
1981 | ++ ets->alert_sent = 1; |
1982 | ++ ets->alert_sent_desc = code; |
1983 | ++ } else { |
1984 | ++ ets->alert_recv = 1; |
1985 | ++ ets->alert_recv_desc = code; |
1986 | ++ } |
1987 | ++ |
1988 | ++ strcat(string, SSL_alert_desc_string_long(code)); |
1989 | ++ break; |
1990 | ++ |
1991 | ++ case SSL3_RT_CHANGE_CIPHER_SPEC: |
1992 | ++ strcat(string, "ChangeCipherSpec"); |
1993 | ++ break; |
1994 | ++ |
1995 | ++ case SSL3_RT_HANDSHAKE: |
1996 | ++ |
1997 | ++ strcat(string, "Handshake: "); |
1998 | ++ code = ((const unsigned char *)buf)[0]; |
1999 | ++ |
2000 | ++ switch(code) { |
2001 | ++ case SSL3_MT_HELLO_REQUEST: |
2002 | ++ strcat(string,"Hello Request"); |
2003 | ++ break; |
2004 | ++ case SSL3_MT_CLIENT_HELLO: |
2005 | ++ strcat(string,"Client Hello"); |
2006 | ++ break; |
2007 | ++ case SSL3_MT_SERVER_HELLO: |
2008 | ++ strcat(string,"Server Hello"); |
2009 | ++ break; |
2010 | ++ case SSL3_MT_CERTIFICATE: |
2011 | ++ strcat(string,"Certificate"); |
2012 | ++ break; |
2013 | ++ case SSL3_MT_SERVER_KEY_EXCHANGE: |
2014 | ++ strcat(string,"Server Key Exchange"); |
2015 | ++ break; |
2016 | ++ case SSL3_MT_CERTIFICATE_REQUEST: |
2017 | ++ strcat(string,"Certificate Request"); |
2018 | ++ break; |
2019 | ++ case SSL3_MT_SERVER_DONE: |
2020 | ++ strcat(string,"Server Hello Done"); |
2021 | ++ break; |
2022 | ++ case SSL3_MT_CERTIFICATE_VERIFY: |
2023 | ++ strcat(string,"Certificate Verify"); |
2024 | ++ break; |
2025 | ++ case SSL3_MT_CLIENT_KEY_EXCHANGE: |
2026 | ++ strcat(string,"Client Key Exchange"); |
2027 | ++ break; |
2028 | ++ case SSL3_MT_FINISHED: |
2029 | ++ strcat(string,"Finished"); |
2030 | ++ break; |
2031 | ++ |
2032 | ++ default: |
2033 | ++ sprintf( string, "Handshake: Unknown SSL3 code received: %d", code ); |
2034 | ++ } |
2035 | ++ break; |
2036 | ++ |
2037 | ++ default: |
2038 | ++ sprintf( string, "SSL message contains unknown content type: %d", content_type ); |
2039 | ++ |
2040 | ++ } |
2041 | ++ |
2042 | ++ /* Alert messages must always be displayed */ |
2043 | ++ if(content_type == SSL3_RT_ALERT) |
2044 | ++ error("%s", string); |
2045 | ++ else |
2046 | ++ dbglog("%s", string); |
2047 | ++} |
2048 | ++ |
2049 | +diff -Naur ppp-2.4.5/pppd/eap-tls.h ppp-2.4.5-eaptls-mppe-0.992/pppd/eap-tls.h |
2050 | +--- ppp-2.4.5/pppd/eap-tls.h 1970-01-01 01:00:00.000000000 +0100 |
2051 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/eap-tls.h 2011-12-01 15:14:39.081352611 +0100 |
2052 | +@@ -0,0 +1,107 @@ |
2053 | ++/* |
2054 | ++ * eap-tls.h |
2055 | ++ * |
2056 | ++ * Copyright (c) Beniamino Galvani 2005 All rights reserved. |
2057 | ++ * |
2058 | ++ * Redistribution and use in source and binary forms, with or without |
2059 | ++ * modification, are permitted provided that the following conditions |
2060 | ++ * are met: |
2061 | ++ * |
2062 | ++ * 1. Redistributions of source code must retain the above copyright |
2063 | ++ * notice, this list of conditions and the following disclaimer. |
2064 | ++ * |
2065 | ++ * 2. Redistributions in binary form must reproduce the above copyright |
2066 | ++ * notice, this list of conditions and the following disclaimer in |
2067 | ++ * the documentation and/or other materials provided with the |
2068 | ++ * distribution. |
2069 | ++ * |
2070 | ++ * 3. The name(s) of the authors of this software must not be used to |
2071 | ++ * endorse or promote products derived from this software without |
2072 | ++ * prior written permission. |
2073 | ++ * |
2074 | ++ * THE AUTHORS OF THIS SOFTWARE DISCLAIM ALL WARRANTIES WITH REGARD TO |
2075 | ++ * THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
2076 | ++ * AND FITNESS, IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY |
2077 | ++ * SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
2078 | ++ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN |
2079 | ++ * AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING |
2080 | ++ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. |
2081 | ++ * |
2082 | ++ */ |
2083 | ++ |
2084 | ++#ifndef __EAP_TLS_H__ |
2085 | ++#define __EAP_TLS_H__ |
2086 | ++ |
2087 | ++#include "eap.h" |
2088 | ++ |
2089 | ++#include <openssl/ssl.h> |
2090 | ++#include <openssl/bio.h> |
2091 | ++#include <openssl/md5.h> |
2092 | ++ |
2093 | ++#define EAP_TLS_FLAGS_LI 128 /* length included flag */ |
2094 | ++#define EAP_TLS_FLAGS_MF 64 /* more fragments flag */ |
2095 | ++#define EAP_TLS_FLAGS_START 32 /* start flag */ |
2096 | ++ |
2097 | ++#define EAP_TLS_MAX_LEN 65536 /* max eap tls packet size */ |
2098 | ++ |
2099 | ++struct eaptls_session |
2100 | ++{ |
2101 | ++ u_char *data; /* buffered data */ |
2102 | ++ int datalen; /* buffered data len */ |
2103 | ++ int offset; /* from where to send */ |
2104 | ++ int tlslen; /* total length of tls data */ |
2105 | ++ bool frag; /* packet is fragmented */ |
2106 | ++ SSL_CTX *ctx; |
2107 | ++ SSL *ssl; /* ssl connection */ |
2108 | ++ BIO *from_ssl; |
2109 | ++ BIO *into_ssl; |
2110 | ++ char peer[MAXWORDLEN]; /* peer name */ |
2111 | ++ char peercertfile[MAXWORDLEN]; |
2112 | ++ bool alert_sent; |
2113 | ++ u_char alert_sent_desc; |
2114 | ++ bool alert_recv; |
2115 | ++ u_char alert_recv_desc; |
2116 | ++ char rtx[65536]; /* retransmission buffer */ |
2117 | ++ int rtx_len; |
2118 | ++ int mtu; /* unit mtu */ |
2119 | ++}; |
2120 | ++ |
2121 | ++typedef struct pw_cb_data |
2122 | ++{ |
2123 | ++ const void *password; |
2124 | ++ const char *prompt_info; |
2125 | ++} PW_CB_DATA; |
2126 | ++ |
2127 | ++ |
2128 | ++int ssl_verify_callback(int, X509_STORE_CTX *); |
2129 | ++void ssl_msg_callback(int write_p, int version, int ct, const void *buf, |
2130 | ++ size_t len, SSL * ssl, void *arg); |
2131 | ++ |
2132 | ++X509 *get_X509_from_file(char *filename); |
2133 | ++int ssl_cmp_certs(char *filename, X509 * a); |
2134 | ++ |
2135 | ++SSL_CTX *eaptls_init_ssl(int init_server, char *cacertfile, |
2136 | ++ char *certfile, char *peer_certfile, char *privkeyfile); |
2137 | ++int eaptls_init_ssl_server(eap_state * esp); |
2138 | ++int eaptls_init_ssl_client(eap_state * esp); |
2139 | ++void eaptls_free_session(struct eaptls_session *ets); |
2140 | ++ |
2141 | ++int eaptls_receive(struct eaptls_session *ets, u_char * inp, int len); |
2142 | ++int eaptls_send(struct eaptls_session *ets, u_char ** outp); |
2143 | ++void eaptls_retransmit(struct eaptls_session *ets, u_char ** outp); |
2144 | ++ |
2145 | ++int get_eaptls_secret(int unit, char *client, char *server, |
2146 | ++ char *clicertfile, char *servcertfile, char *cacertfile, |
2147 | ++ char *pkfile, int am_server); |
2148 | ++ |
2149 | ++#ifdef MPPE |
2150 | ++#include "mppe.h" /* MPPE_MAX_KEY_LEN */ |
2151 | ++extern u_char mppe_send_key[MPPE_MAX_KEY_LEN]; |
2152 | ++extern u_char mppe_recv_key[MPPE_MAX_KEY_LEN]; |
2153 | ++extern int mppe_keys_set; |
2154 | ++ |
2155 | ++void eaptls_gen_mppe_keys(struct eaptls_session *ets, const char *prf_label, int client); |
2156 | ++ |
2157 | ++#endif |
2158 | ++ |
2159 | ++#endif |
2160 | +diff -Naur ppp-2.4.5/pppd/eap.c ppp-2.4.5-eaptls-mppe-0.992/pppd/eap.c |
2161 | +--- ppp-2.4.5/pppd/eap.c 2009-11-16 23:26:07.000000000 +0100 |
2162 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/eap.c 2011-12-01 15:14:39.083352869 +0100 |
2163 | +@@ -43,6 +43,11 @@ |
2164 | + * Based on draft-ietf-pppext-eap-srp-03.txt. |
2165 | + */ |
2166 | + |
2167 | ++/* |
2168 | ++ * Modification by Beniamino Galvani, Mar 2005 |
2169 | ++ * Implemented EAP-TLS authentication |
2170 | ++ */ |
2171 | ++ |
2172 | + #define RCSID "$Id: eap.c,v 1.4 2004/11/09 22:39:25 paulus Exp $" |
2173 | + |
2174 | + /* |
2175 | +@@ -62,8 +67,12 @@ |
2176 | + |
2177 | + #include "pppd.h" |
2178 | + #include "pathnames.h" |
2179 | +-#include "md5.h" |
2180 | + #include "eap.h" |
2181 | ++#ifdef USE_EAPTLS |
2182 | ++#include "eap-tls.h" |
2183 | ++#else |
2184 | ++#include "md5.h" |
2185 | ++#endif /* USE_EAPTLS */ |
2186 | + |
2187 | + #ifdef USE_SRP |
2188 | + #include <t_pwd.h> |
2189 | +@@ -209,6 +218,9 @@ |
2190 | + esp->es_server.ea_id = (u_char)(drand48() * 0x100); |
2191 | + esp->es_client.ea_timeout = EAP_DEFREQTIME; |
2192 | + esp->es_client.ea_maxrequests = EAP_DEFALLOWREQ; |
2193 | ++#ifdef USE_EAPTLS |
2194 | ++ esp->es_client.ea_using_eaptls = 0; |
2195 | ++#endif /* USE_EAPTLS */ |
2196 | + } |
2197 | + |
2198 | + /* |
2199 | +@@ -436,8 +448,16 @@ |
2200 | + u_char vals[2]; |
2201 | + struct b64state bs; |
2202 | + #endif /* USE_SRP */ |
2203 | ++#ifdef USE_EAPTLS |
2204 | ++ struct eaptls_session *ets; |
2205 | ++ int secret_len; |
2206 | ++ char secret[MAXWORDLEN]; |
2207 | ++#endif /* USE_EAPTLS */ |
2208 | + |
2209 | + esp->es_server.ea_timeout = esp->es_savedtime; |
2210 | ++#ifdef USE_EAPTLS |
2211 | ++ esp->es_server.ea_prev_state = esp->es_server.ea_state; |
2212 | ++#endif /* USE_EAPTLS */ |
2213 | + switch (esp->es_server.ea_state) { |
2214 | + case eapBadAuth: |
2215 | + return; |
2216 | +@@ -562,9 +582,81 @@ |
2217 | + break; |
2218 | + } |
2219 | + #endif /* USE_SRP */ |
2220 | ++#ifdef USE_EAPTLS |
2221 | ++ if (!get_secret(esp->es_unit, esp->es_server.ea_peer, |
2222 | ++ esp->es_server.ea_name, secret, &secret_len, 1)) { |
2223 | ++ |
2224 | ++ esp->es_server.ea_state = eapTlsStart; |
2225 | ++ break; |
2226 | ++ } |
2227 | ++#endif /* USE_EAPTLS */ |
2228 | ++ |
2229 | + esp->es_server.ea_state = eapMD5Chall; |
2230 | + break; |
2231 | + |
2232 | ++#ifdef USE_EAPTLS |
2233 | ++ case eapTlsStart: |
2234 | ++ /* Initialize ssl session */ |
2235 | ++ if(!eaptls_init_ssl_server(esp)) { |
2236 | ++ esp->es_server.ea_state = eapBadAuth; |
2237 | ++ break; |
2238 | ++ } |
2239 | ++ |
2240 | ++ esp->es_server.ea_state = eapTlsRecv; |
2241 | ++ break; |
2242 | ++ |
2243 | ++ case eapTlsRecv: |
2244 | ++ ets = (struct eaptls_session *) esp->es_server.ea_session; |
2245 | ++ |
2246 | ++ if(ets->alert_sent) { |
2247 | ++ esp->es_server.ea_state = eapTlsSendAlert; |
2248 | ++ break; |
2249 | ++ } |
2250 | ++ |
2251 | ++ if (status) { |
2252 | ++ esp->es_server.ea_state = eapBadAuth; |
2253 | ++ break; |
2254 | ++ } |
2255 | ++ ets = (struct eaptls_session *) esp->es_server.ea_session; |
2256 | ++ |
2257 | ++ if(ets->frag) |
2258 | ++ esp->es_server.ea_state = eapTlsSendAck; |
2259 | ++ else |
2260 | ++ esp->es_server.ea_state = eapTlsSend; |
2261 | ++ break; |
2262 | ++ |
2263 | ++ case eapTlsSend: |
2264 | ++ ets = (struct eaptls_session *) esp->es_server.ea_session; |
2265 | ++ |
2266 | ++ if(SSL_is_init_finished(ets->ssl)) { |
2267 | ++ esp->es_server.ea_state = eapTlsRecvClient; |
2268 | ++ break; |
2269 | ++ } |
2270 | ++ |
2271 | ++ if(ets->frag) |
2272 | ++ esp->es_server.ea_state = eapTlsRecvAck; |
2273 | ++ else |
2274 | ++ esp->es_server.ea_state = eapTlsRecv; |
2275 | ++ break; |
2276 | ++ |
2277 | ++ case eapTlsSendAck: |
2278 | ++ esp->es_server.ea_state = eapTlsRecv; |
2279 | ++ break; |
2280 | ++ |
2281 | ++ case eapTlsRecvAck: |
2282 | ++ if (status) { |
2283 | ++ esp->es_server.ea_state = eapBadAuth; |
2284 | ++ break; |
2285 | ++ } |
2286 | ++ |
2287 | ++ esp->es_server.ea_state = eapTlsSend; |
2288 | ++ break; |
2289 | ++ |
2290 | ++ case eapTlsSendAlert: |
2291 | ++ esp->es_server.ea_state = eapTlsRecvAlertAck; |
2292 | ++ break; |
2293 | ++#endif /* USE_EAPTLS */ |
2294 | ++ |
2295 | + case eapSRP1: |
2296 | + #ifdef USE_SRP |
2297 | + ts = (struct t_server *)esp->es_server.ea_session; |
2298 | +@@ -718,6 +810,30 @@ |
2299 | + INCPTR(esp->es_server.ea_namelen, outp); |
2300 | + break; |
2301 | + |
2302 | ++#ifdef USE_EAPTLS |
2303 | ++ case eapTlsStart: |
2304 | ++ PUTCHAR(EAPT_TLS, outp); |
2305 | ++ PUTCHAR(EAP_TLS_FLAGS_START, outp); |
2306 | ++ eap_figure_next_state(esp, 0); |
2307 | ++ break; |
2308 | ++ |
2309 | ++ case eapTlsSend: |
2310 | ++ eaptls_send(esp->es_server.ea_session, &outp); |
2311 | ++ eap_figure_next_state(esp, 0); |
2312 | ++ break; |
2313 | ++ |
2314 | ++ case eapTlsSendAck: |
2315 | ++ PUTCHAR(EAPT_TLS, outp); |
2316 | ++ PUTCHAR(0, outp); |
2317 | ++ eap_figure_next_state(esp, 0); |
2318 | ++ break; |
2319 | ++ |
2320 | ++ case eapTlsSendAlert: |
2321 | ++ eaptls_send(esp->es_server.ea_session, &outp); |
2322 | ++ eap_figure_next_state(esp, 0); |
2323 | ++ break; |
2324 | ++#endif /* USE_EAPTLS */ |
2325 | ++ |
2326 | + #ifdef USE_SRP |
2327 | + case eapSRP1: |
2328 | + PUTCHAR(EAPT_SRP, outp); |
2329 | +@@ -904,11 +1020,57 @@ |
2330 | + eap_server_timeout(arg) |
2331 | + void *arg; |
2332 | + { |
2333 | ++#ifdef USE_EAPTLS |
2334 | ++ u_char *outp; |
2335 | ++ u_char *lenloc; |
2336 | ++ int outlen; |
2337 | ++#endif /* USE_EAPTLS */ |
2338 | ++ |
2339 | + eap_state *esp = (eap_state *) arg; |
2340 | + |
2341 | + if (!eap_server_active(esp)) |
2342 | + return; |
2343 | + |
2344 | ++#ifdef USE_EAPTLS |
2345 | ++ switch(esp->es_server.ea_prev_state) { |
2346 | ++ |
2347 | ++ /* |
2348 | ++ * In eap-tls the state changes after a request, so we return to |
2349 | ++ * previous state ... |
2350 | ++ */ |
2351 | ++ case(eapTlsStart): |
2352 | ++ case(eapTlsSendAck): |
2353 | ++ esp->es_server.ea_state = esp->es_server.ea_prev_state; |
2354 | ++ break; |
2355 | ++ |
2356 | ++ /* |
2357 | ++ * ... or resend the stored data |
2358 | ++ */ |
2359 | ++ case(eapTlsSend): |
2360 | ++ case(eapTlsSendAlert): |
2361 | ++ outp = outpacket_buf; |
2362 | ++ MAKEHEADER(outp, PPP_EAP); |
2363 | ++ PUTCHAR(EAP_REQUEST, outp); |
2364 | ++ PUTCHAR(esp->es_server.ea_id, outp); |
2365 | ++ lenloc = outp; |
2366 | ++ INCPTR(2, outp); |
2367 | ++ |
2368 | ++ eaptls_retransmit(esp->es_server.ea_session, &outp); |
2369 | ++ |
2370 | ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; |
2371 | ++ PUTSHORT(outlen, lenloc); |
2372 | ++ output(esp->es_unit, outpacket_buf, outlen + PPP_HDRLEN); |
2373 | ++ esp->es_server.ea_requests++; |
2374 | ++ |
2375 | ++ if (esp->es_server.ea_timeout > 0) |
2376 | ++ TIMEOUT(eap_server_timeout, esp, esp->es_server.ea_timeout); |
2377 | ++ |
2378 | ++ return; |
2379 | ++ default: |
2380 | ++ break; |
2381 | ++ } |
2382 | ++#endif /* USE_EAPTLS */ |
2383 | ++ |
2384 | + /* EAP ID number must not change on timeout. */ |
2385 | + eap_send_request(esp); |
2386 | + } |
2387 | +@@ -1166,6 +1328,81 @@ |
2388 | + } |
2389 | + #endif /* USE_SRP */ |
2390 | + |
2391 | ++#ifdef USE_EAPTLS |
2392 | ++/* |
2393 | ++ * Send an EAP-TLS response message with tls data |
2394 | ++ */ |
2395 | ++static void |
2396 | ++eap_tls_response(esp, id) |
2397 | ++eap_state *esp; |
2398 | ++u_char id; |
2399 | ++{ |
2400 | ++ u_char *outp; |
2401 | ++ int outlen; |
2402 | ++ u_char *lenloc; |
2403 | ++ |
2404 | ++ outp = outpacket_buf; |
2405 | ++ |
2406 | ++ MAKEHEADER(outp, PPP_EAP); |
2407 | ++ |
2408 | ++ PUTCHAR(EAP_RESPONSE, outp); |
2409 | ++ PUTCHAR(id, outp); |
2410 | ++ |
2411 | ++ lenloc = outp; |
2412 | ++ INCPTR(2, outp); |
2413 | ++ |
2414 | ++ /* |
2415 | ++ If the id in the request is unchanged, we must retransmit |
2416 | ++ the old data |
2417 | ++ */ |
2418 | ++ if(id == esp->es_client.ea_id) |
2419 | ++ eaptls_retransmit(esp->es_client.ea_session, &outp); |
2420 | ++ else |
2421 | ++ eaptls_send(esp->es_client.ea_session, &outp); |
2422 | ++ |
2423 | ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; |
2424 | ++ PUTSHORT(outlen, lenloc); |
2425 | ++ |
2426 | ++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); |
2427 | ++ |
2428 | ++ esp->es_client.ea_id = id; |
2429 | ++ |
2430 | ++} |
2431 | ++ |
2432 | ++/* |
2433 | ++ * Send an EAP-TLS ack |
2434 | ++ */ |
2435 | ++static void |
2436 | ++eap_tls_sendack(esp, id) |
2437 | ++eap_state *esp; |
2438 | ++u_char id; |
2439 | ++{ |
2440 | ++ u_char *outp; |
2441 | ++ int outlen; |
2442 | ++ u_char *lenloc; |
2443 | ++ |
2444 | ++ outp = outpacket_buf; |
2445 | ++ |
2446 | ++ MAKEHEADER(outp, PPP_EAP); |
2447 | ++ |
2448 | ++ PUTCHAR(EAP_RESPONSE, outp); |
2449 | ++ PUTCHAR(id, outp); |
2450 | ++ esp->es_client.ea_id = id; |
2451 | ++ |
2452 | ++ lenloc = outp; |
2453 | ++ INCPTR(2, outp); |
2454 | ++ |
2455 | ++ PUTCHAR(EAPT_TLS, outp); |
2456 | ++ PUTCHAR(0, outp); |
2457 | ++ |
2458 | ++ outlen = (outp - outpacket_buf) - PPP_HDRLEN; |
2459 | ++ PUTSHORT(outlen, lenloc); |
2460 | ++ |
2461 | ++ output(esp->es_unit, outpacket_buf, PPP_HDRLEN + outlen); |
2462 | ++ |
2463 | ++} |
2464 | ++#endif /* USE_EAPTLS */ |
2465 | ++ |
2466 | + static void |
2467 | + eap_send_nak(esp, id, type) |
2468 | + eap_state *esp; |
2469 | +@@ -1320,6 +1557,11 @@ |
2470 | + char rhostname[256]; |
2471 | + MD5_CTX mdContext; |
2472 | + u_char hash[MD5_SIGNATURE_SIZE]; |
2473 | ++#ifdef USE_EAPTLS |
2474 | ++ u_char flags; |
2475 | ++ struct eaptls_session *ets = esp->es_client.ea_session; |
2476 | ++#endif /* USE_EAPTLS */ |
2477 | ++ |
2478 | + #ifdef USE_SRP |
2479 | + struct t_client *tc; |
2480 | + struct t_num sval, gval, Nval, *Ap, Bval; |
2481 | +@@ -1456,6 +1698,90 @@ |
2482 | + esp->es_client.ea_namelen); |
2483 | + break; |
2484 | + |
2485 | ++#ifdef USE_EAPTLS |
2486 | ++ case EAPT_TLS: |
2487 | ++ |
2488 | ++ switch(esp->es_client.ea_state) { |
2489 | ++ |
2490 | ++ case eapListen: |
2491 | ++ |
2492 | ++ GETCHAR(flags, inp); |
2493 | ++ if(flags & EAP_TLS_FLAGS_START){ |
2494 | ++ |
2495 | ++ esp->es_client.ea_using_eaptls = 1; |
2496 | ++ |
2497 | ++ if (explicit_remote){ |
2498 | ++ esp->es_client.ea_peer = strdup(remote_name); |
2499 | ++ esp->es_client.ea_peerlen = strlen(remote_name); |
2500 | ++ } else |
2501 | ++ esp->es_client.ea_peer = NULL; |
2502 | ++ |
2503 | ++ /* Init ssl session */ |
2504 | ++ if(!eaptls_init_ssl_client(esp)) { |
2505 | ++ dbglog("cannot init ssl"); |
2506 | ++ eap_send_nak(esp, id, EAPT_TLS); |
2507 | ++ esp->es_client.ea_using_eaptls = 0; |
2508 | ++ break; |
2509 | ++ } |
2510 | ++ |
2511 | ++ ets = esp->es_client.ea_session; |
2512 | ++ eap_tls_response(esp, id); |
2513 | ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : |
2514 | ++ eapTlsRecv); |
2515 | ++ break; |
2516 | ++ } |
2517 | ++ |
2518 | ++ /* The server has sent a bad start packet. */ |
2519 | ++ eap_send_nak(esp, id, EAPT_TLS); |
2520 | ++ break; |
2521 | ++ |
2522 | ++ case eapTlsRecvAck: |
2523 | ++ eap_tls_response(esp, id); |
2524 | ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : |
2525 | ++ eapTlsRecv); |
2526 | ++ break; |
2527 | ++ |
2528 | ++ case eapTlsRecv: |
2529 | ++ eaptls_receive(ets, inp, len); |
2530 | ++ |
2531 | ++ if(ets->frag) { |
2532 | ++ eap_tls_sendack(esp, id); |
2533 | ++ esp->es_client.ea_state = eapTlsRecv; |
2534 | ++ break; |
2535 | ++ } |
2536 | ++ |
2537 | ++ if(ets->alert_recv) { |
2538 | ++ eap_tls_sendack(esp, id); |
2539 | ++ esp->es_client.ea_state = eapTlsRecvFailure; |
2540 | ++ break; |
2541 | ++ } |
2542 | ++ |
2543 | ++ /* Check if TLS handshake is finished */ |
2544 | ++ if(SSL_is_init_finished(ets->ssl)){ |
2545 | ++#ifdef MPPE |
2546 | ++ eaptls_gen_mppe_keys( ets, "client EAP encryption", 1 ); |
2547 | ++#endif |
2548 | ++ eaptls_free_session(ets); |
2549 | ++ eap_tls_sendack(esp, id); |
2550 | ++ esp->es_client.ea_state = eapTlsRecvSuccess; |
2551 | ++ break; |
2552 | ++ } |
2553 | ++ |
2554 | ++ eap_tls_response(esp,id); |
2555 | ++ esp->es_client.ea_state = (ets->frag ? eapTlsRecvAck : |
2556 | ++ eapTlsRecv); |
2557 | ++ |
2558 | ++ break; |
2559 | ++ |
2560 | ++ default: |
2561 | ++ eap_send_nak(esp, id, EAPT_TLS); |
2562 | ++ esp->es_client.ea_using_eaptls = 0; |
2563 | ++ break; |
2564 | ++ } |
2565 | ++ |
2566 | ++ break; |
2567 | ++#endif /* USE_EAPTLS */ |
2568 | ++ |
2569 | + #ifdef USE_SRP |
2570 | + case EAPT_SRP: |
2571 | + if (len < 1) { |
2572 | +@@ -1737,6 +2063,11 @@ |
2573 | + u_char dig[SHA_DIGESTSIZE]; |
2574 | + #endif /* USE_SRP */ |
2575 | + |
2576 | ++#ifdef USE_EAPTLS |
2577 | ++ struct eaptls_session *ets; |
2578 | ++ u_char flags; |
2579 | ++#endif /* USE_EAPTLS */ |
2580 | ++ |
2581 | + if (esp->es_server.ea_id != id) { |
2582 | + dbglog("EAP: discarding Response %d; expected ID %d", id, |
2583 | + esp->es_server.ea_id); |
2584 | +@@ -1776,6 +2107,60 @@ |
2585 | + eap_figure_next_state(esp, 0); |
2586 | + break; |
2587 | + |
2588 | ++#ifdef USE_EAPTLS |
2589 | ++ case EAPT_TLS: |
2590 | ++ switch(esp->es_server.ea_state) { |
2591 | ++ |
2592 | ++ case eapTlsRecv: |
2593 | ++ ets = (struct eaptls_session *) esp->es_server.ea_session; |
2594 | ++ eap_figure_next_state(esp, |
2595 | ++ eaptls_receive(esp->es_server.ea_session, inp, len)); |
2596 | ++ |
2597 | ++ if(ets->alert_recv) { |
2598 | ++ eap_send_failure(esp); |
2599 | ++ break; |
2600 | ++ } |
2601 | ++ break; |
2602 | ++ |
2603 | ++ case eapTlsRecvAck: |
2604 | ++ if(len > 1) { |
2605 | ++ dbglog("EAP-TLS ACK with extra data"); |
2606 | ++ } |
2607 | ++ eap_figure_next_state(esp, 0); |
2608 | ++ break; |
2609 | ++ |
2610 | ++ case eapTlsRecvClient: |
2611 | ++ /* Receive authentication response from client */ |
2612 | ++ |
2613 | ++ GETCHAR(flags, inp); |
2614 | ++ |
2615 | ++ if(len == 1 && !flags) { /* Ack = ok */ |
2616 | ++#ifdef MPPE |
2617 | ++ eaptls_gen_mppe_keys( esp->es_server.ea_session, "client EAP encryption", 0 ); |
2618 | ++#endif |
2619 | ++ eap_send_success(esp); |
2620 | ++ } |
2621 | ++ else { /* failure */ |
2622 | ++ eaptls_receive(esp->es_server.ea_session, inp, len); |
2623 | ++ warn("Server authentication failed"); |
2624 | ++ eap_send_failure(esp); |
2625 | ++ } |
2626 | ++ |
2627 | ++ eaptls_free_session(esp->es_server.ea_session); |
2628 | ++ |
2629 | ++ break; |
2630 | ++ |
2631 | ++ case eapTlsRecvAlertAck: |
2632 | ++ eap_send_failure(esp); |
2633 | ++ break; |
2634 | ++ |
2635 | ++ default: |
2636 | ++ eap_figure_next_state(esp, 1); |
2637 | ++ break; |
2638 | ++ } |
2639 | ++ break; |
2640 | ++#endif /* USE_EAPTLS */ |
2641 | ++ |
2642 | + case EAPT_NOTIFICATION: |
2643 | + dbglog("EAP unexpected Notification; response discarded"); |
2644 | + break; |
2645 | +@@ -1807,6 +2192,13 @@ |
2646 | + esp->es_server.ea_state = eapMD5Chall; |
2647 | + break; |
2648 | + |
2649 | ++#ifdef USE_EAPTLS |
2650 | ++ /* Send EAP-TLS start packet */ |
2651 | ++ case EAPT_TLS: |
2652 | ++ esp->es_server.ea_state = eapTlsStart; |
2653 | ++ break; |
2654 | ++#endif /* USE_EAPTLS */ |
2655 | ++ |
2656 | + default: |
2657 | + dbglog("EAP: peer requesting unknown Type %d", vallen); |
2658 | + switch (esp->es_server.ea_state) { |
2659 | +@@ -2018,13 +2410,27 @@ |
2660 | + int id; |
2661 | + int len; |
2662 | + { |
2663 | +- if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp)) { |
2664 | ++ if (esp->es_client.ea_state != eapOpen && !eap_client_active(esp) |
2665 | ++#ifdef USE_EAPTLS |
2666 | ++ && esp->es_client.ea_state != eapTlsRecvSuccess |
2667 | ++#endif /* USE_EAPTLS */ |
2668 | ++ ) { |
2669 | + dbglog("EAP unexpected success message in state %s (%d)", |
2670 | + eap_state_name(esp->es_client.ea_state), |
2671 | + esp->es_client.ea_state); |
2672 | + return; |
2673 | + } |
2674 | + |
2675 | ++#ifdef USE_EAPTLS |
2676 | ++ if(esp->es_client.ea_using_eaptls && esp->es_client.ea_state != |
2677 | ++ eapTlsRecvSuccess) { |
2678 | ++ dbglog("EAP-TLS unexpected success message in state %s (%d)", |
2679 | ++ eap_state_name(esp->es_client.ea_state), |
2680 | ++ esp->es_client.ea_state); |
2681 | ++ return; |
2682 | ++ } |
2683 | ++#endif /* USE_EAPTLS */ |
2684 | ++ |
2685 | + if (esp->es_client.ea_timeout > 0) { |
2686 | + UNTIMEOUT(eap_client_timeout, (void *)esp); |
2687 | + } |
2688 | +@@ -2150,6 +2556,9 @@ |
2689 | + int code, id, len, rtype, vallen; |
2690 | + u_char *pstart; |
2691 | + u_int32_t uval; |
2692 | ++#ifdef USE_EAPTLS |
2693 | ++ u_char flags; |
2694 | ++#endif /* USE_EAPTLS */ |
2695 | + |
2696 | + if (inlen < EAP_HEADERLEN) |
2697 | + return (0); |
2698 | +@@ -2214,6 +2623,24 @@ |
2699 | + } |
2700 | + break; |
2701 | + |
2702 | ++#ifdef USE_EAPTLS |
2703 | ++ case EAPT_TLS: |
2704 | ++ if (len < 1) |
2705 | ++ break; |
2706 | ++ GETCHAR(flags, inp); |
2707 | ++ len--; |
2708 | ++ |
2709 | ++ if(flags == 0 && len == 0){ |
2710 | ++ printer(arg, " Ack"); |
2711 | ++ break; |
2712 | ++ } |
2713 | ++ |
2714 | ++ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); |
2715 | ++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); |
2716 | ++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); |
2717 | ++ break; |
2718 | ++#endif /* USE_EAPTLS */ |
2719 | ++ |
2720 | + case EAPT_SRP: |
2721 | + if (len < 3) |
2722 | + goto truncated; |
2723 | +@@ -2325,6 +2752,25 @@ |
2724 | + } |
2725 | + break; |
2726 | + |
2727 | ++#ifdef USE_EAPTLS |
2728 | ++ case EAPT_TLS: |
2729 | ++ if (len < 1) |
2730 | ++ break; |
2731 | ++ GETCHAR(flags, inp); |
2732 | ++ len--; |
2733 | ++ |
2734 | ++ if(flags == 0 && len == 0){ |
2735 | ++ printer(arg, " Ack"); |
2736 | ++ break; |
2737 | ++ } |
2738 | ++ |
2739 | ++ printer(arg, flags & EAP_TLS_FLAGS_LI ? " L":" -"); |
2740 | ++ printer(arg, flags & EAP_TLS_FLAGS_MF ? "M":"-"); |
2741 | ++ printer(arg, flags & EAP_TLS_FLAGS_START ? "S":"- "); |
2742 | ++ |
2743 | ++ break; |
2744 | ++#endif /* USE_EAPTLS */ |
2745 | ++ |
2746 | + case EAPT_NAK: |
2747 | + if (len <= 0) { |
2748 | + printer(arg, " <missing hint>"); |
2749 | +@@ -2426,3 +2872,4 @@ |
2750 | + |
2751 | + return (inp - pstart); |
2752 | + } |
2753 | ++ |
2754 | +diff -Naur ppp-2.4.5/pppd/eap.h ppp-2.4.5-eaptls-mppe-0.992/pppd/eap.h |
2755 | +--- ppp-2.4.5/pppd/eap.h 2009-11-16 23:26:07.000000000 +0100 |
2756 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/eap.h 2011-12-01 15:14:39.085353125 +0100 |
2757 | +@@ -84,6 +84,16 @@ |
2758 | + eapClosed, /* Authentication not in use */ |
2759 | + eapListen, /* Client ready (and timer running) */ |
2760 | + eapIdentify, /* EAP Identify sent */ |
2761 | ++ eapTlsStart, /* Send EAP-TLS start packet */ |
2762 | ++ eapTlsRecv, /* Receive EAP-TLS tls data */ |
2763 | ++ eapTlsSendAck, /* Send EAP-TLS ack */ |
2764 | ++ eapTlsSend, /* Send EAP-TLS tls data */ |
2765 | ++ eapTlsRecvAck, /* Receive EAP-TLS ack */ |
2766 | ++ eapTlsRecvClient, /* Receive EAP-TLS auth response from client*/ |
2767 | ++ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/ |
2768 | ++ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */ |
2769 | ++ eapTlsRecvSuccess, /* Receive EAP success */ |
2770 | ++ eapTlsRecvFailure, /* Receive EAP failure */ |
2771 | + eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */ |
2772 | + eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */ |
2773 | + eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */ |
2774 | +@@ -95,9 +105,18 @@ |
2775 | + |
2776 | + #define EAP_STATES \ |
2777 | + "Initial", "Pending", "Closed", "Listen", "Identify", \ |
2778 | ++ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\ |
2779 | ++ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \ |
2780 | + "SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth" |
2781 | + |
2782 | +-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) |
2783 | ++#ifdef USE_EAPTLS |
2784 | ++#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\ |
2785 | ++ (esp)->es_client.ea_state != eapPending ||\ |
2786 | ++ (esp)->es_client.ea_state != eapClosed) |
2787 | ++#else |
2788 | ++#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen) |
2789 | ++#endif /* USE_EAPTLS */ |
2790 | ++ |
2791 | + #define eap_server_active(esp) \ |
2792 | + ((esp)->es_server.ea_state >= eapIdentify && \ |
2793 | + (esp)->es_server.ea_state <= eapMD5Chall) |
2794 | +@@ -112,11 +131,17 @@ |
2795 | + u_short ea_namelen; /* Length of our name */ |
2796 | + u_short ea_peerlen; /* Length of peer's name */ |
2797 | + enum eap_state_code ea_state; |
2798 | ++#ifdef USE_EAPTLS |
2799 | ++ enum eap_state_code ea_prev_state; |
2800 | ++#endif |
2801 | + u_char ea_id; /* Current id */ |
2802 | + u_char ea_requests; /* Number of Requests sent/received */ |
2803 | + u_char ea_responses; /* Number of Responses */ |
2804 | + u_char ea_type; /* One of EAPT_* */ |
2805 | + u_int32_t ea_keyflags; /* SRP shared key usage flags */ |
2806 | ++#ifdef USE_EAPTLS |
2807 | ++ bool ea_using_eaptls; |
2808 | ++#endif |
2809 | + }; |
2810 | + |
2811 | + /* |
2812 | +@@ -139,7 +164,12 @@ |
2813 | + * Timeouts. |
2814 | + */ |
2815 | + #define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */ |
2816 | ++#ifdef USE_EAPTLS |
2817 | ++#define EAP_DEFTRANSMITS 30 /* max # times to transmit */ |
2818 | ++ /* certificates can be long ... */ |
2819 | ++#else |
2820 | + #define EAP_DEFTRANSMITS 10 /* max # times to transmit */ |
2821 | ++#endif /* USE_EAPTLS */ |
2822 | + #define EAP_DEFREQTIME 20 /* Time to wait for peer request */ |
2823 | + #define EAP_DEFALLOWREQ 20 /* max # times to accept requests */ |
2824 | + |
2825 | +diff -Naur ppp-2.4.5/pppd/md5.c ppp-2.4.5-eaptls-mppe-0.992/pppd/md5.c |
2826 | +--- ppp-2.4.5/pppd/md5.c 2009-11-16 23:26:07.000000000 +0100 |
2827 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/md5.c 2011-12-01 15:14:39.086353254 +0100 |
2828 | +@@ -33,6 +33,8 @@ |
2829 | + *********************************************************************** |
2830 | + */ |
2831 | + |
2832 | ++#ifndef USE_EAPTLS |
2833 | ++ |
2834 | + #include <string.h> |
2835 | + #include "md5.h" |
2836 | + |
2837 | +@@ -305,3 +307,5 @@ |
2838 | + ** End of md5.c ** |
2839 | + ******************************** (cut) ******************************** |
2840 | + */ |
2841 | ++#endif /* USE_EAPTLS */ |
2842 | ++ |
2843 | +diff -Naur ppp-2.4.5/pppd/md5.h ppp-2.4.5-eaptls-mppe-0.992/pppd/md5.h |
2844 | +--- ppp-2.4.5/pppd/md5.h 2009-11-16 23:26:07.000000000 +0100 |
2845 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/md5.h 2011-12-01 15:14:39.086353254 +0100 |
2846 | +@@ -36,6 +36,7 @@ |
2847 | + ** documentation and/or software. ** |
2848 | + *********************************************************************** |
2849 | + */ |
2850 | ++#ifndef USE_EAPTLS |
2851 | + |
2852 | + #ifndef __MD5_INCLUDE__ |
2853 | + |
2854 | +@@ -63,3 +64,5 @@ |
2855 | + |
2856 | + #define __MD5_INCLUDE__ |
2857 | + #endif /* __MD5_INCLUDE__ */ |
2858 | ++ |
2859 | ++#endif /* USE_EAPTLS */ |
2860 | +diff -Naur ppp-2.4.5/pppd/options.c ppp-2.4.5-eaptls-mppe-0.992/pppd/options.c |
2861 | +--- ppp-2.4.5/pppd/options.c 2009-11-16 23:26:07.000000000 +0100 |
2862 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/options.c 2011-12-01 15:14:39.087353383 +0100 |
2863 | +@@ -119,6 +119,10 @@ |
2864 | + bool dryrun; /* print out option values and exit */ |
2865 | + char *domain; /* domain name set by domain option */ |
2866 | + int child_wait = 5; /* # seconds to wait for children at exit */ |
2867 | ++#ifdef USE_EAPTLS |
2868 | ++bool only_update_crl_server = 0; /* update server crl and exit */ |
2869 | ++bool only_update_crl_client = 0; /* update client crl and exit */ |
2870 | ++#endif /* USE_EAPTLS */ |
2871 | + |
2872 | + #ifdef MAXOCTETS |
2873 | + unsigned int maxoctets = 0; /* default - no limit */ |
2874 | +@@ -320,6 +324,12 @@ |
2875 | + { "mo-timeout", o_int, &maxoctets_timeout, |
2876 | + "Check for traffic limit every N seconds", OPT_PRIO | OPT_LLIMIT | 1 }, |
2877 | + #endif |
2878 | ++#ifdef USE_EAPTLS |
2879 | ++ { "only-update-crl-server", o_bool, &only_update_crl_server, |
2880 | ++ "Update server CA CRLs and exit", 1 }, |
2881 | ++ { "only-update-crl-client", o_bool, &only_update_crl_client, |
2882 | ++ "Update client CA CRLs and exit", 1 }, |
2883 | ++#endif /* USE_EAPTLS */ |
2884 | + |
2885 | + { NULL } |
2886 | + }; |
2887 | +diff -Naur ppp-2.4.5/pppd/pathnames.h ppp-2.4.5-eaptls-mppe-0.992/pppd/pathnames.h |
2888 | +--- ppp-2.4.5/pppd/pathnames.h 2009-11-16 23:26:07.000000000 +0100 |
2889 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/pathnames.h 2011-12-01 15:14:39.088353512 +0100 |
2890 | +@@ -21,6 +21,13 @@ |
2891 | + #define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets" |
2892 | + #define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets" |
2893 | + #define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets" |
2894 | ++ |
2895 | ++#ifdef USE_EAPTLS |
2896 | ++#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client" |
2897 | ++#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server" |
2898 | ++#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf" |
2899 | ++#endif /* USE_EAPTLS */ |
2900 | ++ |
2901 | + #define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options" |
2902 | + #define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up" |
2903 | + #define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down" |
2904 | +diff -Naur ppp-2.4.5/pppd/plugins/Makefile.linux ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/Makefile.linux |
2905 | +--- ppp-2.4.5/pppd/plugins/Makefile.linux 2009-11-16 23:26:07.000000000 +0100 |
2906 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/Makefile.linux 2011-12-01 15:14:39.089353640 +0100 |
2907 | +@@ -4,6 +4,9 @@ |
2908 | + LDFLAGS = -shared |
2909 | + INSTALL = install |
2910 | + |
2911 | ++# EAP-TLS |
2912 | ++CFLAGS += -DUSE_EAPTLS=1 |
2913 | ++ |
2914 | + DESTDIR = $(INSTROOT)@DESTDIR@ |
2915 | + BINDIR = $(DESTDIR)/sbin |
2916 | + MANDIR = $(DESTDIR)/share/man/man8 |
2917 | +diff -Naur ppp-2.4.5/pppd/plugins/passprompt.c ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/passprompt.c |
2918 | +--- ppp-2.4.5/pppd/plugins/passprompt.c 2009-11-16 23:26:07.000000000 +0100 |
2919 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/passprompt.c 2011-12-01 15:14:39.090353769 +0100 |
2920 | +@@ -107,4 +107,7 @@ |
2921 | + { |
2922 | + add_options(options); |
2923 | + pap_passwd_hook = promptpass; |
2924 | ++#ifdef USE_EAPTLS |
2925 | ++ eaptls_passwd_hook = promptpass; |
2926 | ++#endif |
2927 | + } |
2928 | +diff -Naur ppp-2.4.5/pppd/plugins/passwordfd.c ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/passwordfd.c |
2929 | +--- ppp-2.4.5/pppd/plugins/passwordfd.c 2009-11-16 23:26:07.000000000 +0100 |
2930 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/plugins/passwordfd.c 2011-12-01 15:16:39.158794111 +0100 |
2931 | +@@ -79,4 +79,8 @@ |
2932 | + |
2933 | + chap_check_hook = pwfd_check; |
2934 | + chap_passwd_hook = pwfd_passwd; |
2935 | ++ |
2936 | ++#ifdef USE_EAPTLS |
2937 | ++ eaptls_passwd_hook = pwfd_passwd; |
2938 | ++#endif |
2939 | + } |
2940 | +diff -Naur ppp-2.4.5/pppd/pppd.h ppp-2.4.5-eaptls-mppe-0.992/pppd/pppd.h |
2941 | +--- ppp-2.4.5/pppd/pppd.h 2009-11-16 23:26:07.000000000 +0100 |
2942 | ++++ ppp-2.4.5-eaptls-mppe-0.992/pppd/pppd.h 2011-12-01 15:16:25.296011439 +0100 |
2943 | +@@ -320,6 +320,10 @@ |
2944 | + extern bool dryrun; /* check everything, print options, exit */ |
2945 | + extern int child_wait; /* # seconds to wait for children at end */ |
2946 | + |
2947 | ++#ifdef USE_EAPTLS |
2948 | ++extern char *crl_dir; |
2949 | ++#endif /* USE_EAPTLS */ |
2950 | ++ |
2951 | + #ifdef MAXOCTETS |
2952 | + extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */ |
2953 | + extern int maxoctets_dir; /* Direction : |
2954 | +@@ -717,6 +721,10 @@ |
2955 | + extern int (*chap_passwd_hook) __P((char *user, char *passwd)); |
2956 | + extern void (*multilink_join_hook) __P((void)); |
2957 | + |
2958 | ++#ifdef USE_EAPTLS |
2959 | ++extern int (*eaptls_passwd_hook) __P((char *user, char *passwd)); |
2960 | ++#endif |
2961 | ++ |
2962 | + /* Let a plugin snoop sent and received packets. Useful for L2TP */ |
2963 | + extern void (*snoop_recv_hook) __P((unsigned char *p, int len)); |
2964 | + extern void (*snoop_send_hook) __P((unsigned char *p, int len)); |
2965 | |
2966 | === modified file 'debian/patches/series' |
2967 | --- debian/patches/series 2010-11-24 18:12:47 +0000 |
2968 | +++ debian/patches/series 2012-12-23 19:15:25 +0000 |
2969 | @@ -39,6 +39,7 @@ |
2970 | no_crypt_hack |
2971 | resolv.conf_no_log |
2972 | zzz_config |
2973 | +ppp-2.4.5-eaptls-mppe-0.994.patch |
2974 | |
2975 | # ubuntu |
2976 | load_ppp_generic_if_needed |
2977 | |
2978 | === modified file 'debian/patches/update_if_pppol2tp' |
2979 | --- debian/patches/update_if_pppol2tp 2012-09-25 16:20:00 +0000 |
2980 | +++ debian/patches/update_if_pppol2tp 2012-12-23 19:15:25 +0000 |
2981 | @@ -1,5 +1,12 @@ |
2982 | +<<<<<<< TREE |
2983 | --- ./include/linux/if_pppol2tp.h 2012-09-25 16:14:23.449883865 +0000 |
2984 | +++ /usr/include/linux/if_pppol2tp.h 2012-09-19 20:46:59.000000000 +0000 |
2985 | +======= |
2986 | +Index: ppp/include/linux/if_pppol2tp.h |
2987 | +=================================================================== |
2988 | +--- ppp.orig/include/linux/if_pppol2tp.h 2012-07-25 02:33:37.947244001 +0400 |
2989 | ++++ ppp/include/linux/if_pppol2tp.h 2012-07-25 02:46:40.891242332 +0400 |
2990 | +>>>>>>> MERGE-SOURCE |
2991 | @@ -2,7 +2,7 @@ |
2992 | * Linux PPP over L2TP (PPPoL2TP) Socket Implementation (RFC 2661) |
2993 | * |
2994 | @@ -29,10 +36,15 @@ |
2995 | * 0 => current */ |
2996 | int fd; /* FD of UDP socket to use */ |
2997 | |
2998 | +<<<<<<< TREE |
2999 | @@ -32,6 +32,45 @@ |
3000 | +======= |
3001 | +@@ -32,6 +32,46 @@ |
3002 | +>>>>>>> MERGE-SOURCE |
3003 | __u16 d_tunnel, d_session; /* For sending outgoing packets */ |
3004 | }; |
3005 | |
3006 | +<<<<<<< TREE |
3007 | +/* Structure used to connect() the socket to a particular tunnel UDP |
3008 | + * socket over IPv6. |
3009 | + */ |
3010 | @@ -47,6 +59,23 @@ |
3011 | + struct sockaddr_in6 addr; /* IP address and port to send to */ |
3012 | +}; |
3013 | + |
3014 | +======= |
3015 | ++/* Structure used to connect() the socket to a particular tunnel UDP |
3016 | ++ * socket over IPv6. |
3017 | ++ */ |
3018 | ++struct pppol2tpin6_addr { |
3019 | ++ pid_t pid; /* pid that owns the fd. |
3020 | ++ * 0 => current */ |
3021 | ++ int fd; /* FD of UDP socket to use */ |
3022 | ++ |
3023 | ++ __u16 s_tunnel, s_session; /* For matching incoming packets */ |
3024 | ++ __u16 d_tunnel, d_session; /* For sending outgoing packets */ |
3025 | ++ |
3026 | ++ struct sockaddr_in6 addr; /* IP address and port to send to */ |
3027 | ++}; |
3028 | ++ |
3029 | ++ |
3030 | +>>>>>>> MERGE-SOURCE |
3031 | +/* The L2TPv3 protocol changes tunnel and session ids from 16 to 32 |
3032 | + * bits. So we need a different sockaddr structure. |
3033 | + */ |
Hi All!
Are there any chances to get this merged into Raring ???