CI: Updated the 'checkout' actions that were using Node.js 16 to Node.js 20. (#489)

[ppp.git] / pppd / eap.c
diff --git a/pppd/eap.c b/pppd/eap.c

index c73dcfb2c3587b9bbfad680889886b2a7f42de9c..70154664432e8e90904d901bf311aa6511036a57 100644 (file)
--- a/pppd/eap.c
+++ b/pppd/eap.c
@@ -63,48 +63,45 @@
  #include <assert.h>
  #include <errno.h>
  
-#include "pppd.h"
+#include "pppd-private.h"
+#include "options.h"
  #include "pathnames.h"
-#include "md5.h"
+#include "crypto.h"
+#include "crypto_ms.h"
  #include "eap.h"
  #ifdef PPP_WITH_PEAP
  #include "peap.h"
  #endif /* PPP_WITH_PEAP */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  #ifdef HAVE_TIME_H
  #include <time.h>
  #endif
  #include <t_pwd.h>
  #include <t_server.h>
  #include <t_client.h>
-#include "pppcrypt.h"
-#endif /* USE_SRP */
-
-#ifndef SHA_DIGESTSIZE
-#define        SHA_DIGESTSIZE 20
-#endif
+#endif /* PPP_WITH_SRP */
  
  #ifdef PPP_WITH_EAPTLS
  #include "eap-tls.h"
  #endif /* PPP_WITH_EAPTLS */
  
  #ifdef PPP_WITH_CHAPMS
+#include "chap.h"
  #include "chap_ms.h"
-#include "chap-new.h"
  
  extern int chapms_strip_domain;
  #endif /* PPP_WITH_CHAPMS */
  
  eap_state eap_states[NUM_PPP];         /* EAP state; one for each unit */
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  static char *pn_secret = NULL;         /* Pseudonym generating secret */
  #endif
  
  /*
   * Command-line options.
   */
-static option_t eap_option_list[] = {
+static struct option eap_option_list[] = {
      { "eap-restart", o_int, &eap_states[0].es_server.ea_timeout,
        "Set retransmit timeout for EAP Requests (server)" },
      { "eap-max-sreq", o_int, &eap_states[0].es_server.ea_maxrequests,
@@ -115,7 +112,7 @@ static option_t eap_option_list[] = {
        "Set max number of EAP Requests allows (client)" },
      { "eap-interval", o_int, &eap_states[0].es_rechallenge,
        "Set interval for EAP rechallenge" },
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
      { "srp-interval", o_int, &eap_states[0].es_lwrechallenge,
        "Set interval for SRP lightweight rechallenge" },
      { "srp-pn-secret", o_string, &pn_secret,
@@ -157,7 +154,7 @@ struct protent eap_protent = {
         NULL                    /* say whether to bring up link for this pkt */
  };
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  /*
   * A well-known 2048 bit modulus.
   */
@@ -195,7 +192,7 @@ static const u_char wkmodulus[] = {
         0x9B, 0x65, 0xE3, 0x72, 0xFC, 0xD6, 0x8E, 0xF2,
         0x0F, 0xA7, 0x11, 0x1F, 0x9E, 0x4A, 0xFF, 0x73
  };
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
  /* Local forward declarations. */
  static void eap_server_timeout (void *arg);
@@ -327,30 +324,39 @@ eap_send_success(eap_state *esp)
             esp->es_server.ea_peer, esp->es_server.ea_peerlen);
  }
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  /*
   * Set DES key according to pseudonym-generating secret and current
   * date.
   */
  static bool
-pncrypt_setkey(int timeoffs)
+pncrypt_getkey(int timeoffs, unsigned char *key, int keylen)
  {
         struct tm *tp;
         char tbuf[9];
-       SHA1_CTX ctxt;
-       u_char dig[SHA_DIGESTSIZE];
+       PPP_MD_CTX *ctxt;
         time_t reftime;
  
         if (pn_secret == NULL)
                 return (0);
         reftime = time(NULL) + timeoffs;
         tp = localtime(&reftime);
-       SHA1Init(&ctxt);
-       SHA1Update(&ctxt, pn_secret, strlen(pn_secret));
-       strftime(tbuf, sizeof (tbuf), "%Y%m%d", tp);
-       SHA1Update(&ctxt, tbuf, strlen(tbuf));
-       SHA1Final(dig, &ctxt);
-       return (DesSetkey(dig));
+
+       ctxt = PPP_MD_CTX_new();
+       if (ctxt) {
+
+           strftime(tbuf, sizeof (tbuf), "%Y%m%d", tp);
+
+           PPP_DigestInit(ctxt, PPP_sha1());
+           PPP_DigestUpdate(ctxt, pn_secret, strlen(pn_secret));
+           PPP_DigestUpdate(ctxt, tbuf, strlen(tbuf));
+           PPP_DigestFinal(ctxt, key, &keylen);
+
+           PPP_MD_CTX_free(ctxt);
+           return 1;
+       }
+
+       return (0);
  }
  
  static char base64[] =
@@ -423,7 +429,7 @@ b64dec(struct b64state *bs, u_char *inp, int inlen, u_char *outp)
         }
         return (outlen);
  }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
  /*
   * Assume that current waiting server state is complete and figure
@@ -434,16 +440,16 @@ b64dec(struct b64state *bs, u_char *inp, int inlen, u_char *outp)
  static void
  eap_figure_next_state(eap_state *esp, int status)
  {
-#ifdef USE_SRP
-       unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp;
+#ifdef PPP_WITH_SRP
+       unsigned char secbuf[MAXWORDLEN], clear[8], *sp, *dp, key[SHA_DIGEST_LENGTH];
         struct t_pw tpw;
         struct t_confent *tce, mytce;
         char *cp, *cp2;
         struct t_server *ts;
-       int id, i, plen, toffs;
+       int id, i, plen, clen, toffs, keylen;
         u_char vals[2];
         struct b64state bs;
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  #ifdef PPP_WITH_EAPTLS
         struct eaptls_session *ets;
         int secret_len;
@@ -459,7 +465,7 @@ eap_figure_next_state(eap_state *esp, int status)
                 return;
  
         case eapIdentify:
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 /* Discard any previous session. */
                 ts = (struct t_server *)esp->es_server.ea_session;
                 if (ts != NULL) {
@@ -467,12 +473,12 @@ eap_figure_next_state(eap_state *esp, int status)
                         esp->es_server.ea_session = NULL;
                         esp->es_server.ea_skey = NULL;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
                 if (status != 0) {
                         esp->es_server.ea_state = eapBadAuth;
                         break;
                 }
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 /* If we've got a pseudonym, try to decode to real name. */
                 if (esp->es_server.ea_peerlen > SRP_PSEUDO_LEN &&
                     strncmp(esp->es_server.ea_peer, SRP_PSEUDO_ID,
@@ -486,11 +492,12 @@ eap_figure_next_state(eap_state *esp, int status)
                             secbuf);
                         toffs = 0;
                         for (i = 0; i < 5; i++) {
-                               pncrypt_setkey(toffs);
+                               pncrypt_getkey(toffs, key, keylen);
                                 toffs -= 86400;
-                               if (!DesDecrypt(secbuf, clear)) {
+
+                               if (!DesDecrypt(secbuf, key, clear)) {
                                         dbglog("no DES here; cannot decode "
-                                           "pseudonym");
+                                               "pseudonym");
                                         return;
                                 }
                                 id = *(unsigned char *)clear;
@@ -512,7 +519,7 @@ eap_figure_next_state(eap_state *esp, int status)
                                 dp += i;
                                 sp = secbuf + 8;
                                 while (plen > 0) {
-                                       (void) DesDecrypt(sp, dp);
+                                       DesDecrypt(sp, key, dp);
                                         sp += 8;
                                         dp += 8;
                                         plen -= 8;
@@ -577,7 +584,7 @@ eap_figure_next_state(eap_state *esp, int status)
                         t_servergenexp(ts);
                         break;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  #ifdef PPP_WITH_EAPTLS
                  if (!get_secret(esp->es_unit, esp->es_server.ea_peer,
                      esp->es_server.ea_name, secret, &secret_len, 1)) {
@@ -654,14 +661,14 @@ eap_figure_next_state(eap_state *esp, int status)
  #endif /* PPP_WITH_EAPTLS */
  
         case eapSRP1:
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 ts = (struct t_server *)esp->es_server.ea_session;
                 if (ts != NULL && status != 0) {
                         t_serverclose(ts);
                         esp->es_server.ea_session = NULL;
                         esp->es_server.ea_skey = NULL;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
                 if (status == 1) {
                         esp->es_server.ea_state = eapMD5Chall;
                 } else if (status != 0 || esp->es_server.ea_session == NULL) {
@@ -672,14 +679,14 @@ eap_figure_next_state(eap_state *esp, int status)
                 break;
  
         case eapSRP2:
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 ts = (struct t_server *)esp->es_server.ea_session;
                 if (ts != NULL && status != 0) {
                         t_serverclose(ts);
                         esp->es_server.ea_session = NULL;
                         esp->es_server.ea_skey = NULL;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
                 if (status != 0 || esp->es_server.ea_session == NULL) {
                         esp->es_server.ea_state = eapBadAuth;
                 } else {
@@ -689,14 +696,14 @@ eap_figure_next_state(eap_state *esp, int status)
  
         case eapSRP3:
         case eapSRP4:
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 ts = (struct t_server *)esp->es_server.ea_session;
                 if (ts != NULL && status != 0) {
                         t_serverclose(ts);
                         esp->es_server.ea_session = NULL;
                         esp->es_server.ea_skey = NULL;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
                 if (status != 0 || esp->es_server.ea_session == NULL) {
                         esp->es_server.ea_state = eapBadAuth;
                 } else {
@@ -810,13 +817,13 @@ eap_send_request(eap_state *esp)
         int outlen;
         int challen;
         char *str;
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         struct t_server *ts;
-       u_char clear[8], cipher[8], dig[SHA_DIGESTSIZE], *optr, *cp;
-       int i, j;
+       u_char clear[8], cipher[8], dig[SHA_DIGEST_LENGTH], *optr, *cp, key[SHA_DIGEST_LENGTH];
+       int i, j, diglen, clen, keylen = sizeof(key);
         struct b64state b64;
-       SHA1_CTX ctxt;
-#endif /* USE_SRP */
+       PPP_MD_CTX *ctxt;
+#endif /* PPP_WITH_SRP */
  
         /* Handle both initial auth and restart */
         if (esp->es_server.ea_state < eapIdentify &&
@@ -929,7 +936,7 @@ eap_send_request(eap_state *esp)
                 break;
  #endif /* PPP_WITH_EAPTLS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         case eapSRP1:
                 PUTCHAR(EAPT_SRP, outp);
                 PUTCHAR(EAPSRP_CHALLENGE, outp);
@@ -975,10 +982,10 @@ eap_send_request(eap_state *esp)
                 PUTLONG(SRPVAL_EBIT, outp);
                 ts = (struct t_server *)esp->es_server.ea_session;
                 assert(ts != NULL);
-               BCOPY(t_serverresponse(ts), outp, SHA_DIGESTSIZE);
-               INCPTR(SHA_DIGESTSIZE, outp);
+               BCOPY(t_serverresponse(ts), outp, SHA_DIGEST_LENGTH);
+               INCPTR(SHA_DIGEST_LENGTH, outp);
  
-               if (pncrypt_setkey(0)) {
+               if (pncrypt_getkey(0, key, keylen)) {
                         /* Generate pseudonym */
                         optr = outp;
                         cp = (unsigned char *)esp->es_server.ea_peer;
@@ -988,15 +995,17 @@ eap_send_request(eap_state *esp)
                         BCOPY(cp, clear + 1, j);
                         i -= j;
                         cp += j;
-                       if (!DesEncrypt(clear, cipher)) {
+
+                       if (!DesEncrypt(clear, key, cipher)) {
                                 dbglog("no DES here; not generating pseudonym");
                                 break;
-                       }
+            }
+
                         BZERO(&b64, sizeof (b64));
                         outp++;         /* space for pseudonym length */
                         outp += b64enc(&b64, cipher, 8, outp);
                         while (i >= 8) {
-                               (void) DesEncrypt(cp, cipher);
+                               DesEncrypt(cp, key, cipher);
                                 outp += b64enc(&b64, cipher, 8, outp);
                                 cp += 8;
                                 i -= 8;
@@ -1008,7 +1017,8 @@ eap_send_request(eap_state *esp)
                                         *cp++ = drand48() * 0x100;
                                         i++;
                                 }
-                               (void) DesEncrypt(clear, cipher);
+
+                               DesEncrypt(clear, key, cipher);
                                 outp += b64enc(&b64, cipher, 8, outp);
                         }
                         outp += b64flush(&b64, outp);
@@ -1016,32 +1026,40 @@ eap_send_request(eap_state *esp)
                         /* Set length and pad out to next 20 octet boundary */
                         i = outp - optr - 1;
                         *optr = i;
-                       i %= SHA_DIGESTSIZE;
+                       i %= SHA_DIGEST_LENGTH;
                         if (i != 0) {
-                               while (i < SHA_DIGESTSIZE) {
+                               while (i < SHA_DIGEST_LENGTH) {
                                         *outp++ = drand48() * 0x100;
                                         i++;
                                 }
                         }
  
                         /* Obscure the pseudonym with SHA1 hash */
-                       SHA1Init(&ctxt);
-                       SHA1Update(&ctxt, &esp->es_server.ea_id, 1);
-                       SHA1Update(&ctxt, esp->es_server.ea_skey,
-                           SESSION_KEY_LEN);
-                       SHA1Update(&ctxt, esp->es_server.ea_peer,
-                           esp->es_server.ea_peerlen);
-                       while (optr < outp) {
-                               SHA1Final(dig, &ctxt);
-                               cp = dig;
-                               while (cp < dig + SHA_DIGESTSIZE)
-                                       *optr++ ^= *cp++;
-                               SHA1Init(&ctxt);
-                               SHA1Update(&ctxt, &esp->es_server.ea_id, 1);
-                               SHA1Update(&ctxt, esp->es_server.ea_skey,
-                                   SESSION_KEY_LEN);
-                               SHA1Update(&ctxt, optr - SHA_DIGESTSIZE,
-                                   SHA_DIGESTSIZE);
+                       ctxt = PPP_MD_CTX_new();
+                       if (ctxt) {
+
+                               PPP_DigestInit(ctxt, PPP_sha1());
+                               PPP_DigestUpdate(ctxt, &esp->es_server.ea_id, 1);
+                               PPP_DigestUpdate(ctxt, &esp->es_server.ea_skey,
+                                       SESSION_KEY_LEN);
+                               PPP_DigestUpdate(ctxt,  esp->es_server.ea_peer,
+                                       esp->es_server.ea_peerlen);
+                               while (optr < outp) {
+                                       diglen = SHA_DIGEST_LENGTH;
+                                       PPP_DigestFinal(ctxt, dig, &diglen);
+                                       cp = dig;
+                                       while (cp < dig + SHA_DIGEST_LENGTH)
+                                               *optr++ ^= *cp++;
+
+                                       PPP_DigestInit(ctxt, PPP_sha1());
+                                       PPP_DigestUpdate(ctxt, &esp->es_server.ea_id, 1);
+                                       PPP_DigestUpdate(ctxt, esp->es_server.ea_skey,
+                                               SESSION_KEY_LEN);
+                                       PPP_DigestUpdate(ctxt, optr - SHA_DIGEST_LENGTH,
+                                               SHA_DIGEST_LENGTH);
+                               }
+
+                               PPP_MD_CTX_free(ctxt);
                         }
                 }
                 break;
@@ -1058,7 +1076,7 @@ eap_send_request(eap_state *esp)
                 BCOPY(esp->es_challenge, outp, esp->es_challen);
                 INCPTR(esp->es_challen, outp);
                 break;
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
         default:
                 return;
@@ -1322,19 +1340,19 @@ eap_chap_response(eap_state *esp, u_char id, u_char *hash,
         int msglen;
  
         outp = outpacket_buf;
-    
+
         MAKEHEADER(outp, PPP_EAP);
  
         PUTCHAR(EAP_RESPONSE, outp);
         PUTCHAR(id, outp);
         esp->es_client.ea_id = id;
-       msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + MD5_SIGNATURE_SIZE +
+       msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + MD5_DIGEST_LENGTH +
             namelen;
         PUTSHORT(msglen, outp);
         PUTCHAR(EAPT_MD5CHAP, outp);
-       PUTCHAR(MD5_SIGNATURE_SIZE, outp);
-       BCOPY(hash, outp, MD5_SIGNATURE_SIZE);
-       INCPTR(MD5_SIGNATURE_SIZE, outp);
+       PUTCHAR(MD5_DIGEST_LENGTH, outp);
+       BCOPY(hash, outp, MD5_DIGEST_LENGTH);
+       INCPTR(MD5_DIGEST_LENGTH, outp);
         if (namelen > 0) {
                 BCOPY(name, outp, namelen);
         }
@@ -1342,7 +1360,7 @@ eap_chap_response(eap_state *esp, u_char id, u_char *hash,
         output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
  }
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  /*
   * Format and send a SRP EAP Response message.
   */
@@ -1388,16 +1406,16 @@ eap_srpval_response(eap_state *esp, u_char id, u_int32_t flags, u_char *str)
         PUTCHAR(id, outp);
         esp->es_client.ea_id = id;
         msglen = EAP_HEADERLEN + 2 * sizeof (u_char) + sizeof (u_int32_t) +
-           SHA_DIGESTSIZE;
+           SHA_DIGEST_LENGTH;
         PUTSHORT(msglen, outp);
         PUTCHAR(EAPT_SRP, outp);
         PUTCHAR(EAPSRP_CVALIDATOR, outp);
         PUTLONG(flags, outp);
-       BCOPY(str, outp, SHA_DIGESTSIZE);
+       BCOPY(str, outp, SHA_DIGEST_LENGTH);
  
         output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
  }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
  #ifdef PPP_WITH_EAPTLS
  /*
@@ -1489,7 +1507,7 @@ eap_send_nak(eap_state *esp, u_char id, u_char type)
         output(esp->es_unit, outpacket_buf, PPP_HDRLEN + msglen);
  }
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
  static char *
  name_of_pn_file(void)
  {
@@ -1503,7 +1521,7 @@ name_of_pn_file(void)
                 errno = EINVAL;
                 return (NULL);
         }
-       file = _PATH_PSEUDONYM;
+       file = PPP_PATH_PSEUDONYM;
         pl = strlen(user) + strlen(file) + 2;
         path = malloc(pl);
         if (path == NULL)
@@ -1547,9 +1565,9 @@ write_pseudonym(eap_state *esp, u_char *inp, int len, int id)
  {
         u_char val;
         u_char *datp, *digp;
-       SHA1_CTX ctxt;
-       u_char dig[SHA_DIGESTSIZE];
-       int dsize, fd, olen = len;
+       PPP_MD_CTX *ctxt;
+       u_char dig[SHA_DIGEST_LENGTH];
+       int dsize, fd, olen = len, diglen = sizeof(dig);
  
         /*
          * Do the decoding by working backwards.  This eliminates the need
@@ -1557,22 +1575,30 @@ write_pseudonym(eap_state *esp, u_char *inp, int len, int id)
          */
         val = id;
         while (len > 0) {
-               if ((dsize = len % SHA_DIGESTSIZE) == 0)
-                       dsize = SHA_DIGESTSIZE;
+               if ((dsize = len % SHA_DIGEST_LENGTH) == 0)
+                       dsize = SHA_DIGEST_LENGTH;
                 len -= dsize;
                 datp = inp + len;
-               SHA1Init(&ctxt);
-               SHA1Update(&ctxt, &val, 1);
-               SHA1Update(&ctxt, esp->es_client.ea_skey, SESSION_KEY_LEN);
-               if (len > 0) {
-                       SHA1Update(&ctxt, datp, SHA_DIGESTSIZE);
-               } else {
-                       SHA1Update(&ctxt, esp->es_client.ea_name,
-                           esp->es_client.ea_namelen);
+               ctxt = PPP_MD_CTX_new();
+               if (ctxt) {
+
+                       PPP_DigestInit(ctxt, PPP_sha1());
+                       PPP_DigestUpdate(ctxt, &val, 1);
+                       PPP_DigestUpdate(ctxt, esp->es_client.ea_skey,
+                                       SESSION_KEY_LEN);
+                       if (len > 0) {
+                               PPP_DigestUpdate(ctxt, datp, SHA_DIGEST_LENGTH);
+                       } else {
+                               PPP_DigestUpdate(ctxt, esp->es_client.ea_name,
+                                       esp->es_client.ea_namelen);
+                       }
+                       PPP_DigestFinal(ctxt, dig, &diglen);
+
+                       for (digp = dig; digp < dig + SHA_DIGEST_LENGTH; digp++)
+                               *datp++ ^= *digp;
+
+                       PPP_MD_CTX_free(ctxt);
                 }
-               SHA1Final(dig, &ctxt);
-               for (digp = dig; digp < dig + SHA_DIGESTSIZE; digp++)
-                       *datp++ ^= *digp;
         }
  
         /* Now check that the result is sane */
@@ -1596,7 +1622,7 @@ write_pseudonym(eap_state *esp, u_char *inp, int len, int id)
                 remove_pn_file();
         }
  }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
  #if PPP_WITH_CHAPMS
  /*
@@ -1642,21 +1668,23 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
         int secret_len;
         char secret[MAXWORDLEN];
         char rhostname[256];
-       MD5_CTX mdContext;
-       u_char hash[MD5_SIGNATURE_SIZE];
+       PPP_MD_CTX *mdctx;
+       u_char hash[MD5_DIGEST_LENGTH];
+       int hashlen = MD5_DIGEST_LENGTH;
  #ifdef PPP_WITH_EAPTLS
         u_char flags;
         struct eaptls_session *ets = esp->es_client.ea_session;
  #endif /* PPP_WITH_EAPTLS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         struct t_client *tc;
         struct t_num sval, gval, Nval, *Ap, Bval;
         u_char vals[2];
-       SHA1_CTX ctxt;
-       u_char dig[SHA_DIGESTSIZE];
+       PPP_MD_CTX *ctxt;
+       u_char dig[SHA_DIGEST_LENGTH];
+       int diglen = sizeof(dig);
         int fd;
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
         /*
          * Ignore requests if we're not open
@@ -1693,7 +1721,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
         case EAPT_IDENTITY:
                 if (len > 0)
                         info("EAP: Identity prompt \"%.*q\"", len, inp);
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 if (esp->es_usepseudo &&
                     (esp->es_usedpseudo == 0 ||
                         (esp->es_usedpseudo == 1 &&
@@ -1719,7 +1747,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                         remove_pn_file();
                         esp->es_usedpseudo = 2;
                 }
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
                 eap_send_response(esp, id, typenum, (u_char *)esp->es_client.ea_name,
                     esp->es_client.ea_namelen);
                 break;
@@ -1780,15 +1808,29 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                         eap_send_nak(esp, id, EAPT_SRP);
                         break;
                 }
-               MD5_Init(&mdContext);
-               typenum = id;
-               MD5_Update(&mdContext, &typenum, 1);
-               MD5_Update(&mdContext, (u_char *)secret, secret_len);
-               BZERO(secret, sizeof (secret));
-               MD5_Update(&mdContext, inp, vallen);
-               MD5_Final(hash, &mdContext);
-               eap_chap_response(esp, id, hash, esp->es_client.ea_name,
-                   esp->es_client.ea_namelen);
+
+               mdctx = PPP_MD_CTX_new();
+               if (mdctx != NULL) {
+                       if (PPP_DigestInit(mdctx, PPP_md5())) {
+                               typenum = id;
+                               if (PPP_DigestUpdate(mdctx, &typenum, 1)) {
+                                       if (PPP_DigestUpdate(mdctx, secret, secret_len)) {
+                                               BZERO(secret, sizeof(secret));
+                                               if (PPP_DigestUpdate(mdctx, inp, vallen)) {
+                                                       if (PPP_DigestFinal(mdctx, hash, &hashlen)) {
+                                                               eap_chap_response(esp, id, hash, esp->es_client.ea_name,
+                                                                               esp->es_client.ea_namelen);
+                                                               PPP_MD_CTX_free(mdctx);
+                                                               break;
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+                       PPP_MD_CTX_free(mdctx);
+               }
+               dbglog("EAP: Invalid MD5 checksum");
+        eap_send_nak(esp, id, EAPT_SRP);
                 break;
  
  #ifdef PPP_WITH_EAPTLS
@@ -1881,7 +1923,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                 break;
  #endif /* PPP_WITH_EAPTLS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         case EAPT_SRP:
                 if (len < 1) {
                         error("EAP: received empty SRP Request");
@@ -2065,7 +2107,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                                             esp->es_client.ea_id, id);
                                 }
                         } else {
-                               len -= sizeof (u_int32_t) + SHA_DIGESTSIZE;
+                               len -= sizeof (u_int32_t) + SHA_DIGEST_LENGTH;
                                 if (len < 0 || t_clientverify(tc, inp +
                                         sizeof (u_int32_t)) != 0) {
                                         error("EAP: SRP server verification "
@@ -2075,7 +2117,7 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                                 GETLONG(esp->es_client.ea_keyflags, inp);
                                 /* Save pseudonym if user wants it. */
                                 if (len > 0 && esp->es_usepseudo) {
-                                       INCPTR(SHA_DIGESTSIZE, inp);
+                                       INCPTR(SHA_DIGEST_LENGTH, inp);
                                         write_pseudonym(esp, inp, len, id);
                                 }
                         }
@@ -2092,17 +2134,24 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                                 warn("EAP: malformed Lightweight rechallenge");
                                 return;
                         }
-                       SHA1Init(&ctxt);
-                       vals[0] = id;
-                       SHA1Update(&ctxt, vals, 1);
-                       SHA1Update(&ctxt, esp->es_client.ea_skey,
-                           SESSION_KEY_LEN);
-                       SHA1Update(&ctxt, inp, len);
-                       SHA1Update(&ctxt, esp->es_client.ea_name,
-                           esp->es_client.ea_namelen);
-                       SHA1Final(dig, &ctxt);
-                       eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig,
-                           SHA_DIGESTSIZE);
+                       ctxt = PPP_MD_CTX_new();
+                       if (ctxt) {
+
+                               vals[0] = id;
+                               PPP_DigestInit(ctxt, PPP_sha1());
+                               PPP_DigestUpdate(ctxt, vals, 1);
+                               PPP_DigestUpdate(ctxt, esp->es_client.ea_skey,
+                                       SESSION_KEY_LEN);
+                               PPP_DigestUpdate(ctxt, inp, len);
+                               PPP_DigestUpdate(ctxt, esp->es_client.ea_name,
+                                       esp->es_client.ea_namelen);
+                               PPP_DigestFinal(ctxt, dig, &diglen);
+
+                               PPP_MD_CTX_free(ctxt);
+
+                               eap_srp_response(esp, id, EAPSRP_LWRECHALLENGE, dig,
+                                       SHA_DIGEST_LENGTH);
+                       }
                         break;
  
                 default:
@@ -2111,8 +2160,8 @@ eap_request(eap_state *esp, u_char *inp, int id, int len)
                         break;
                 }
                 break;
-#endif /* USE_SRP */
-    
+#endif /* PPP_WITH_SRP */
+
  #ifdef PPP_WITH_CHAPMS
          case EAPT_MSCHAPV2:
             if (len < 4) {
@@ -2262,10 +2311,10 @@ client_failure:
                 UNTIMEOUT(eap_client_timeout, (void *)esp);
         }
         esp->es_client.ea_session = NULL;
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         t_clientclose(tc);
         auth_withpeer_fail(esp->es_unit, PPP_EAP);
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  }
  
  /*
@@ -2279,14 +2328,16 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
         int secret_len;
         char secret[MAXSECRETLEN];
         char rhostname[256];
-       MD5_CTX mdContext;
-       u_char hash[MD5_SIGNATURE_SIZE];
-#ifdef USE_SRP
+       PPP_MD_CTX *mdctx;
+       u_char hash[MD5_DIGEST_LENGTH];
+       int hashlen = MD5_DIGEST_LENGTH;
+#ifdef PPP_WITH_SRP
         struct t_server *ts;
         struct t_num A;
-       SHA1_CTX ctxt;
-       u_char dig[SHA_DIGESTSIZE];
-#endif /* USE_SRP */
+       PPP_MD_CTX *ctxt;
+       u_char dig[SHA_DIGEST_LENGTH];
+       int diglen = sizeof(dig);
+#endif /* PPP_WITH_SRP */
  
  #ifdef PPP_WITH_EAPTLS
         struct eaptls_session *ets;
@@ -2294,8 +2345,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
  #endif /* PPP_WITH_EAPTLS */
  #ifdef PPP_WITH_CHAPMS
         u_char opcode;
-       int (*chap_verifier)(char *, char *, int, struct chap_digest_type *,
-               unsigned char *, unsigned char *, char *, int);
+        chap_verify_hook_fn *chap_verifier;
         char response_message[256];
  #endif /* PPP_WITH_CHAPMS */
  
@@ -2517,21 +2567,42 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
                         eap_send_failure(esp);
                         break;
                 }
-               MD5_Init(&mdContext);
-               MD5_Update(&mdContext, &esp->es_server.ea_id, 1);
-               MD5_Update(&mdContext, (u_char *)secret, secret_len);
-               BZERO(secret, sizeof (secret));
-               MD5_Update(&mdContext, esp->es_challenge, esp->es_challen);
-               MD5_Final(hash, &mdContext);
-               if (BCMP(hash, inp, MD5_SIGNATURE_SIZE) != 0) {
-                       eap_send_failure(esp);
-                       break;
+
+               mdctx = PPP_MD_CTX_new();
+               if (mdctx != NULL) {
+
+                       if (PPP_DigestInit(mdctx, PPP_md5())) {
+
+                               if (PPP_DigestUpdate(mdctx, &esp->es_server.ea_id, 1)) {
+
+                                       if (PPP_DigestUpdate(mdctx, &secret, secret_len)) {
+
+                                               BZERO(secret, sizeof(secret));
+                                               if (PPP_DigestUpdate(mdctx, esp->es_challenge, esp->es_challen)) {
+
+                                                       if (PPP_DigestFinal(mdctx, hash, &hashlen)) {
+
+                                                               if (BCMP(hash, inp, MD5_DIGEST_LENGTH) == 0) {
+                                                                       esp->es_server.ea_type = EAPT_MD5CHAP;
+                                                                       eap_send_success(esp);
+                                                                       eap_figure_next_state(esp, 0);
+
+                                                                       if (esp->es_rechallenge != 0) {
+                                                                               TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge);
+                                                                       }
+                                                                       PPP_MD_CTX_free(mdctx);
+                                                                       break;
+                                                               }
+                                                       }
+                                               }
+                                       }
+                               }
+                       }
+
+                       PPP_MD_CTX_free(mdctx);
                 }
-               esp->es_server.ea_type = EAPT_MD5CHAP;
-               eap_send_success(esp);
-               eap_figure_next_state(esp, 0);
-               if (esp->es_rechallenge != 0)
-                       TIMEOUT(eap_rechallenge, esp, esp->es_rechallenge);
+
+               eap_send_failure(esp);
                 break;
  
  #ifdef PPP_WITH_CHAPMS
@@ -2583,7 +2654,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
                                 char tmp[MAXNAMELEN+1];
  
                                 strcpy(tmp, strrchr(rhostname, '\\') + 1);
-                               strcpy(rhostname, tmp);
+                               strlcpy(rhostname, tmp, sizeof(rhostname));
                         }
  
                         if (chap_verify_hook)
@@ -2639,7 +2710,7 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
                 break;
  #endif /* PPP_WITH_CHAPMS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
         case EAPT_SRP:
                 if (len < 1) {
                         error("EAP: empty SRP Response");
@@ -2675,9 +2746,9 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
                                 eap_figure_next_state(esp, 1);
                                 break;
                         }
-                       if (len < sizeof (u_int32_t) + SHA_DIGESTSIZE) {
+                       if (len < sizeof (u_int32_t) + SHA_DIGEST_LENGTH) {
                                 error("EAP: M1 length %d < %d", len,
-                                   sizeof (u_int32_t) + SHA_DIGESTSIZE);
+                                   sizeof (u_int32_t) + SHA_DIGEST_LENGTH);
                                 eap_figure_next_state(esp, 1);
                                 break;
                         }
@@ -2714,33 +2785,41 @@ eap_response(eap_state *esp, u_char *inp, int id, int len)
                                 info("EAP: unexpected SRP Subtype 4 Response");
                                 return;
                         }
-                       if (len != SHA_DIGESTSIZE) {
+                       if (len != SHA_DIGEST_LENGTH) {
                                 error("EAP: bad Lightweight rechallenge "
                                     "response");
                                 return;
                         }
-                       SHA1Init(&ctxt);
-                       vallen = id;
-                       SHA1Update(&ctxt, &vallen, 1);
-                       SHA1Update(&ctxt, esp->es_server.ea_skey,
-                           SESSION_KEY_LEN);
-                       SHA1Update(&ctxt, esp->es_challenge, esp->es_challen);
-                       SHA1Update(&ctxt, esp->es_server.ea_peer,
-                           esp->es_server.ea_peerlen);
-                       SHA1Final(dig, &ctxt);
-                       if (BCMP(dig, inp, SHA_DIGESTSIZE) != 0) {
-                               error("EAP: failed Lightweight rechallenge");
-                               eap_send_failure(esp);
-                               break;
+                       ctxt = PPP_MD_CTX_new();
+                       if (ctxt) {
+                               vallen = id;
+
+                               PPP_DigestInit(ctxt, PPP_sha1());
+                               PPP_DigestUpdate(ctxt, &vallen, 1);
+                               PPP_DigestUpdate(ctxt, esp->es_server.ea_skey,
+                                       SESSION_KEY_LEN);
+                               PPP_DigestUpdate(ctxt, esp->es_challenge, esp->es_challen);
+                               PPP_DigestUpdate(ctxt, esp->es_server.ea_peer,
+                                       esp->es_server.ea_peerlen);
+                               PPP_DigestFinal(ctxt, dig, &diglen);
+
+                               PPP_MD_CTX_free(ctxt);
+
+                               if (BCMP(dig, inp, SHA_DIGEST_LENGTH) != 0) {
+                                       error("EAP: failed Lightweight rechallenge");
+                                       eap_send_failure(esp);
+                                       break;
+                               }
+
+                               esp->es_server.ea_state = eapOpen;
+                               if (esp->es_lwrechallenge != 0)
+                                       TIMEOUT(srp_lwrechallenge, esp,
+                                               esp->es_lwrechallenge);
                         }
-                       esp->es_server.ea_state = eapOpen;
-                       if (esp->es_lwrechallenge != 0)
-                               TIMEOUT(srp_lwrechallenge, esp,
-                                   esp->es_lwrechallenge);
                         break;
                 }
                 break;
-#endif /* USE_SRP */
+#endif /* PPP_WITH_SRP */
  
         default:
                 /* This can't happen. */
@@ -3061,7 +3140,7 @@ eap_printpkt(u_char *inp, int inlen,
                         break;
  #endif /* PPP_WITH_EAPTLS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 case EAPT_SRP:
                         if (len < 3)
                                 goto truncated;
@@ -3129,10 +3208,10 @@ eap_printpkt(u_char *inp, int inlen,
                                 if (uval != 0) {
                                         printer(arg, " f<%X>", uval);
                                 }
-                               if ((vallen = len) > SHA_DIGESTSIZE)
-                                       vallen = SHA_DIGESTSIZE;
+                               if ((vallen = len) > SHA_DIGEST_LENGTH)
+                                       vallen = SHA_DIGEST_LENGTH;
                                 printer(arg, " <M2%.*B%s>", len, inp,
-                                   len < SHA_DIGESTSIZE ? "?" : "");
+                                   len < SHA_DIGEST_LENGTH ? "?" : "");
                                 INCPTR(vallen, inp);
                                 len -= vallen;
                                 if (len > 0) {
@@ -3149,7 +3228,7 @@ eap_printpkt(u_char *inp, int inlen,
                                 break;
                         }
                         break;
-#endif  /* USE_SRP */
+#endif  /* PPP_WITH_SRP */
                 }
                 break;
  
@@ -3275,7 +3354,7 @@ eap_printpkt(u_char *inp, int inlen,
                         break;
  #endif /* PPP_WITH_CHAPMS */
  
-#ifdef USE_SRP
+#ifdef PPP_WITH_SRP
                 case EAPT_SRP:
                         if (len < 1)
                                 goto truncated;
@@ -3302,7 +3381,7 @@ eap_printpkt(u_char *inp, int inlen,
                                         printer(arg, " f<%X>", uval);
                                 }
                                 printer(arg, " <M1%.*B%s>", len, inp,
-                                   len == SHA_DIGESTSIZE ? "" : "?");
+                                   len == SHA_DIGEST_LENGTH ? "" : "?");
                                 INCPTR(len, inp);
                                 len = 0;
                                 break;
@@ -3312,15 +3391,15 @@ eap_printpkt(u_char *inp, int inlen,
  
                         case EAPSRP_LWRECHALLENGE:
                                 printer(arg, " <Response%.*B%s>", len, inp,
-                                   len == SHA_DIGESTSIZE ? "" : "?");
-                               if ((vallen = len) > SHA_DIGESTSIZE)
-                                       vallen = SHA_DIGESTSIZE;
+                                   len == SHA_DIGEST_LENGTH ? "" : "?");
+                               if ((vallen = len) > SHA_DIGEST_LENGTH)
+                                       vallen = SHA_DIGEST_LENGTH;
                                 INCPTR(vallen, inp);
                                 len -= vallen;
                                 break;
                         }
                         break;
-#endif  /* USE_SRP */
+#endif  /* PPP_WITH_SRP */
                 }
                 break;