5 months agopppd: Drop linux IPX support (#326) master
Richard Purdie [Thu, 13 Jan 2022 06:48:14 +0000 (06:48 +0000)]
pppd: Drop linux IPX support (#326)

The 5.15 Linux kernel has removed ipx support, along with the userspace
visible header. This support wasn't very well maintained in the kernel
for several years so drop the support from ppp as well since this won't
be usable in future.

Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
5 months agopppd: Allow use of additional Bnnn constants (#325)
pali [Thu, 13 Jan 2022 06:42:53 +0000 (07:42 +0100)]
pppd: Allow use of additional Bnnn constants (#325)

These constants are supported by Linux kernel on SPARC architecture.

Signed-off-by: Pali Rohár <pali@kernel.org>
5 months agoExpand byte count statistics to 64 bits (#298)
Jaco Kroon [Thu, 13 Jan 2022 06:38:04 +0000 (08:38 +0200)]
Expand byte count statistics to 64 bits (#298)

* Add Gigawords to radius packets where applicable.

IMPORTANT NOTE:  The ioctl() only supports 32-bit counters.  In order t
obtain 64-bit counters, these are now pulled in from sysfs (it's assumed
to be mounted on /sys which I'm assuming is standard).

It is unknown whether sysfs will be available everywhere, as such, keep
the ioctl() method in place, but attempt to detect wrap-overs.

If the sysfs mechanism fails, fail back to the ioctl().

Given maximum data rates, the intervals between calling this needs to be
such that no more than 4GB (2^32) bytes are sent or received in any
given interval.  Mostly important for radius plugin where data
accounting may be in effect.

Towards this, a timer interval on 25 seconds is set to force a ioctl()
poll irrespective of the rate of stats update calls.  This may be
important for especially radius that needs to provide interim-update
intervals, if the interim updates is too long and the counters could
wrap-over twice in a single interval.  At 25 seconds we should detect
all wraps up to an effective data rate of 1.37Gbps, which for my
purposes is adequate.

Possible downsides, 4 files are opened, read and closed every time
statistics is requested.  This results in 12 system calls every single
time statistics is required, compared to 1 for the ioctl.  Efficiency is
unknown, but as a rule of thumb fewer system calls are better, this is
however not a critical path in my opinion, so should not be a problem.
If required I can run a few benchmarks using gettimeofday() to measure
actual impact.

Signed-off-by: Jaco Kroon <jaco@uls.co.za>
* Use netlink if possible to obtain 64-bit stats.

This uses two system calls per round.

This should be preferred where available.  It seems the RTM_GETSTATS was
only added from 2016 some point (4.7.0 as per pali), which is in my
opinion old, but given experience with certain embedded systems does
need to be supported.

Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Co-authored-by: Jaco Kroon <jaco@iewc.co.za>
5 months agoMerge pull request #328 from pali/ipv6
Paul Mackerras [Wed, 12 Jan 2022 09:41:33 +0000 (20:41 +1100)]
Merge pull request #328 from pali/ipv6

ipv6cp: Add support for new ipv6cp-noremote, ipv6cp-nosend and ipv6cp-use-remotenumber options

5 months agoMerge pull request #330 from pali/pppoe-discovery
Paul Mackerras [Mon, 10 Jan 2022 04:06:21 +0000 (15:06 +1100)]
Merge pull request #330 from pali/pppoe-discovery

pppoe-discovery: Do not set eth0 as default interface and valide all cmdline options

5 months agoImproved Buildroot CI build speed by providing precompiled Buildroot images. (#332)
Adrien RICCIARDI [Sat, 8 Jan 2022 01:27:43 +0000 (02:27 +0100)]
Improved Buildroot CI build speed by providing precompiled Buildroot images. (#332)

Signed-off-by: RICCIARDI-Adrien <adrien.ricciardi@hotmail.fr>
6 months agopppoe-discovery: Remove duplicate and unused includes
Pali Rohár [Tue, 21 Dec 2021 17:10:27 +0000 (18:10 +0100)]
pppoe-discovery: Remove duplicate and unused includes

Some of specified include header files in pppoe-discovery.c are duplicate
and some of them are unused. Remove all these include lines which are not

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agopppoe-discovery: Add check that there is no additional extra argument
Pali Rohár [Tue, 21 Dec 2021 15:00:58 +0000 (16:00 +0100)]
pppoe-discovery: Add check that there is no additional extra argument

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agopppoe-discovery: Do not set eth0 as default interface
Pali Rohár [Tue, 21 Dec 2021 15:00:18 +0000 (16:00 +0100)]
pppoe-discovery: Do not set eth0 as default interface

On most Linux systems there is no network interface with name eth0.

So rather make -I interface option as mandatory and do not rely on some
default hardcoded interface name.

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agoipv6cp: Add support for ipv6cp-use-remotenumber option
Pali Rohár [Sat, 31 Jul 2021 15:09:08 +0000 (17:09 +0200)]
ipv6cp: Add support for ipv6cp-use-remotenumber option

This new option cause that pppd would use "remotenumber" option value for
negotiating IPv6 remote interface identifier.

It is expected that "remotenumber" option in this case is set either to MAC
address, IPv4 address, IPv6 address or telephone number (with or without
plus sign) of remote peer system.

This option is useful for PPPoE connections to generate stable and
predicable IPv6 remote interface identifier as "remotenumber" is set by
pppoe.so plugin to MAC address of remote ethernet peer.

Similarly dial-up connections set "remotenumber" to telephone number of the
remote system and VPN-based ppp plugins set "remotenumber" to address of
remote peer (in case VPN connection is based on IPv4 transport protocol
then address is set to IPv4, if based on IPv6 then remotenumber is IPv6

Having stable IPv6 interface identifiers in ipv6cp is really important.

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agoipv6cp: Add support for ipv6cp-nosend option
Pali Rohár [Sat, 5 Jun 2021 16:51:52 +0000 (18:51 +0200)]
ipv6cp: Add support for ipv6cp-nosend option

This new option cause that pppd would not send our local IPv6 interface
identifier to peer during IPv6 interface identifier negotiation. Like
nosendip option for IPv4.

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agoipv6cp: Add support for ipv6cp-noremote option
Pali Rohár [Fri, 26 Feb 2021 13:47:59 +0000 (14:47 +0100)]
ipv6cp: Add support for ipv6cp-noremote option

With this option pppd is allowed to operate without having an IPv6 link
local address for the peer, like noremoteip option for IPv4.

This option is only available under Linux, like noremoteip option.

Signed-off-by: Pali Rohár <pali@kernel.org>
6 months agoUpdated Solaris CI action to fix build error on macOS greater than 10.15. (#327)
Adrien RICCIARDI [Mon, 13 Dec 2021 05:37:16 +0000 (06:37 +0100)]
Updated Solaris CI action to fix build error on macOS greater than 10.15. (#327)

Signed-off-by: RICCIARDI-Adrien <adrien.ricciardi@hotmail.fr>
6 months agopppoe: Print packet fields in hex if they contain non-printable characters
Paul Mackerras [Fri, 10 Dec 2021 21:40:57 +0000 (08:40 +1100)]
pppoe: Print packet fields in hex if they contain non-printable characters

This adds logic to pppoe_printpkt to print text fields as hex if the
field contains any non-printable characters.  This is so that a
malicious, buggy or hacked access concentrator can't cause us to send
non-printing characters to syslog.

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
7 months agoMerge branch 'pppoe-discovery' of https://github.com/pali/ppp
Paul Mackerras [Fri, 26 Nov 2021 00:05:06 +0000 (11:05 +1100)]
Merge branch 'pppoe-discovery' of https://github.com/pali/ppp

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
7 months agopppd: Add ipv6-{up,down}-script options (#321)
Daniel Barlow [Sat, 20 Nov 2021 04:58:17 +0000 (04:58 +0000)]
pppd: Add ipv6-{up,down}-script options (#321)

These allow a user to specify the paths to the scripts
usually located at /etc/ppp/ipv6-up and /etc/ppp/ipv6-down,
similarly to the existing ip-up-script and ip-down-script

Signed-off-by: Daniel Barlow <dan@telent.net>
7 months agoplugins/pppol2tp: Add '#ifdef INET6' for optional ipv6 (#319)
Paul Mackerras [Sat, 20 Nov 2021 04:57:23 +0000 (15:57 +1100)]
plugins/pppol2tp: Add '#ifdef INET6' for optional ipv6 (#319)

pppol2tp.c add '#ifdef INET6' for optional ipv6

8 months agopppol2tp.c add '#ifdef INET6' for optional ipv6
str8fast [Thu, 28 Oct 2021 14:55:56 +0000 (14:55 +0000)]
pppol2tp.c add '#ifdef INET6' for optional ipv6

Without it, l2tp daemon can't launch ppp, cuz undefined symbol ipv6_up_notifier.

8 months agoMerge pull request #297 from mjeveritt/patch-11-test-pr
Paul Mackerras [Sat, 16 Oct 2021 03:01:46 +0000 (14:01 +1100)]
Merge pull request #297 from mjeveritt/patch-11-test-pr

pppd: Add option to ask peer for WINS address

This adds a 'usepeerwins' option, analogous to the usepeerdns option,
to ask the peer for WINS server addresses.  Nothing is done with
the addresses provided other than to pass them to the ip-up
script in environment variables.

With this, if the peer sends an IPCP Configure-NAK containing
WINS addresses, we will request them in the following IPCP

Co-authored-by: Mike Frysinger <vapier@gentoo.org>
Signed-off-by: Michael Everitt <gentoo@veremit.xyz>
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
Signed-off-by: Michael Everitt <michael@2e0cer.net>
8 months agoMerge pull request #307 from enaess/ppp-peap
Paul Mackerras [Sat, 16 Oct 2021 02:55:21 +0000 (13:55 +1100)]
Merge pull request #307 from enaess/ppp-peap

pppd: Add PEAP/MSCHAPv2 support

8 months agoMerge pull request #313 from Chocobo1/install
Paul Mackerras [Sat, 16 Oct 2021 02:53:02 +0000 (13:53 +1100)]
Merge pull request #313 from Chocobo1/install

Perform installation step in the CI testing

9 months agoImprove the PEAP contribution by Rustam Kovhaev
Eivind Næss [Thu, 24 Jun 2021 23:06:11 +0000 (16:06 -0700)]
Improve the PEAP contribution by Rustam Kovhaev

These changes adds to his contribution by

  * Adding options to perform CA/CRL checking and certificate validation
    consistent with what is already been done for EAP-TLS
  * Certificate validation is now in line with what is already been done
    for EAP-TLS. Users can now set "remotename" and "tls-verify-method" to
    control these.
  * Validation of certificate purpose and extended key usage is controlled
    by the option "tls-verify-key-usage".
  * Fixing up MPPE key generation to use the new API for handling MPPE keys
  * Man page is updated where appropriate for the new options.
  * Added unit-tests for the PEAP code in case of crypto or parameters would
    change in the future.
  * Added the peap feature to configure scripts. Users can now control the
    feature by specifying --enable-peap/--disable-peap.

To acheive feature parity with the EAP-TLS change, the EAP-TLS common code was
refactored into tls.c/.h such that it could be re-used in both instances.

Using PEAP/MSCHAPv2 is now supported in PPPD with this change.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoMerge branch 'fix-compiler-warnings-2' of https://github.com/enaess/ppp
Paul Mackerras [Mon, 27 Sep 2021 07:12:00 +0000 (17:12 +1000)]
Merge branch 'fix-compiler-warnings-2' of https://github.com/enaess/ppp

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
9 months agopppd: Fix usage of BOTHER ioctl API on Linux (#314)
pali [Mon, 27 Sep 2021 07:10:31 +0000 (09:10 +0200)]
pppd: Fix usage of BOTHER ioctl API on Linux (#314)

Linux architectures have different content of struct termios2 and also
different value of BOTHER macro. So do not declare any struct termios2 nor
BOTHER macro. Current definitions in ppp were applicable only for x86.

Correct definitions for current architecture are only in <asm/termbits.h>
and <asm/ioctls.h> header files. But Linux header file <asm/termbits.h> is
in conflict with glibc header file <termios.h> and only one can be included
in one source unit. Moreover both header files contains struct termios but
with different content. So it is not possible to use glibc tc* functions
with <asm/termbits.h> definitions.

For this reason provide a new include header file "termios_linux.h" which
provides custom implementation of all glibc's termios.h functions via Linux
ioctl() interface with definitions from Linux <asm/termbits.h> header file.

Thus this "termios_linux.h" is replacement for <termios.h> with additional
support for BOTHER Linux termios API.

Same "termios_linux.h" is going to be used by U-Boot's kwboot utility for
the same reason to use arbitrary baudrate value via BOTHER ioctl API.

Hopefully one day glibc will provide some API functions for functionality
provided currently by BOTHER Linux API.

Signed-off-by: Pali Rohár <pali@kernel.org>
9 months agoFix for CLang -Wformat-overflow warning, expand the destination array to fit a number.
Eivind Næss [Thu, 23 Sep 2021 21:52:47 +0000 (14:52 -0700)]
Fix for CLang -Wformat-overflow warning, expand the destination array to fit a number.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing GCC -Wunused-result warning in chat.c resolving comments from Paul Mackerras
Eivind Næss [Thu, 23 Sep 2021 15:19:35 +0000 (08:19 -0700)]
Fixing GCC -Wunused-result warning in chat.c resolving comments from Paul Mackerras

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang [-Wpointer-sign] warning in winbind.c
Eivind Næss [Thu, 23 Sep 2021 14:59:51 +0000 (07:59 -0700)]
Fixing CLang [-Wpointer-sign] warning in winbind.c

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang [-Wcomment] warning for using /* inside of a /* comment.
Eivind Næss [Thu, 23 Sep 2021 14:57:12 +0000 (07:57 -0700)]
Fixing CLang [-Wcomment] warning for using /* inside of a /* comment.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang [-Wpointer-sign] warning in radius.c
Eivind Næss [Thu, 23 Sep 2021 14:56:05 +0000 (07:56 -0700)]
Fixing CLang [-Wpointer-sign] warning in radius.c

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoClang complained about -Wformat in passing a int for %h in snprintf. Result would...
Eivind Næss [Thu, 23 Sep 2021 14:52:34 +0000 (07:52 -0700)]
Clang complained about -Wformat in passing a int for %h in snprintf. Result would have been the same.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang -Wpointer-sign warnings in sendserver.c
Eivind Næss [Thu, 23 Sep 2021 14:49:40 +0000 (07:49 -0700)]
Fixing CLang -Wpointer-sign warnings in sendserver.c

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoCLang detected possible invalid memory access (-Wsizeof-pointer-memaccess)
Eivind Næss [Thu, 23 Sep 2021 14:44:06 +0000 (07:44 -0700)]
CLang detected possible invalid memory access (-Wsizeof-pointer-memaccess)

rc_find_server() resets the secret by setting *secret = 0 instead of what
was likely intended: memset the entire array. In case of error, moved the
memset operation outside of the rc_find_server() function. It's only used
in one place anyway.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing signed vs. unsigned char* warnings in avpair.c
Eivind Næss [Thu, 23 Sep 2021 14:40:01 +0000 (07:40 -0700)]
Fixing signed vs. unsigned char* warnings in avpair.c

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing signed vs. unsigned char * in strcpy operation.
Eivind Næss [Thu, 23 Sep 2021 14:36:43 +0000 (07:36 -0700)]
Fixing signed vs. unsigned char * in strcpy operation.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoCI: Deduplicate configure flags by using a variable
Chocobo1 [Tue, 21 Sep 2021 07:21:47 +0000 (15:21 +0800)]
CI: Deduplicate configure flags by using a variable

9 months agoCI: Remove redundant check
Chocobo1 [Tue, 21 Sep 2021 07:20:47 +0000 (15:20 +0800)]
CI: Remove redundant check

The step is already covered by `make distcheck`.

9 months agoCI: Perform installation step
Chocobo1 [Sun, 29 Aug 2021 11:59:21 +0000 (19:59 +0800)]
CI: Perform installation step

This ensures installation code to be tested.

9 months agoFixing CLang warning: format specifies type 'unsigned short' but the argument has...
Eivind Næss [Mon, 20 Sep 2021 17:20:50 +0000 (10:20 -0700)]
Fixing CLang warning: format specifies type 'unsigned short' but the argument has type 'int'

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang warnings related to using pointers of different signedness (int* vs...
Eivind Næss [Mon, 20 Sep 2021 17:18:50 +0000 (10:18 -0700)]
Fixing CLang warnings related to using pointers of different signedness (int* vs unsigned int* in definition of socklen_t).

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang warning with regards to GNU old-style designator in structure initializa...
Eivind Næss [Mon, 20 Sep 2021 17:15:02 +0000 (10:15 -0700)]
Fixing CLang warning with regards to GNU old-style designator in structure initialization.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing CLang warnings w.r.t. GNU-style designator in structure declaration
Eivind Næss [Mon, 20 Sep 2021 17:13:00 +0000 (10:13 -0700)]
Fixing CLang warnings w.r.t. GNU-style designator in structure declaration

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing GCC unused result warning w.r.t. fchown() and fchmod() functions.
Eivind Næss [Mon, 20 Sep 2021 17:09:31 +0000 (10:09 -0700)]
Fixing GCC unused result warning w.r.t. fchown() and fchmod() functions.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing GCC warning with unused return value from ftruncate().
Eivind Næss [Mon, 20 Sep 2021 17:05:17 +0000 (10:05 -0700)]
Fixing GCC warning with unused return value from ftruncate().

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing GCC compile warning with unused result from setgid/setuid.
Eivind Næss [Mon, 20 Sep 2021 17:01:55 +0000 (10:01 -0700)]
Fixing GCC compile warning with unused result from setgid/setuid.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing GCC warning -Wunused-result with setgid in winbind.c
Eivind Næss [Mon, 20 Sep 2021 16:52:22 +0000 (09:52 -0700)]
Fixing GCC warning -Wunused-result with setgid in winbind.c

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing compiler warning with GCC, -Wunused-result and write()
Eivind Næss [Mon, 20 Sep 2021 16:44:50 +0000 (09:44 -0700)]
Fixing compiler warning with GCC, -Wunused-result and write()

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing compiler warnings with regards to GCC, w.r.t. unused results of setuid/setgid
Eivind Næss [Mon, 20 Sep 2021 16:34:15 +0000 (09:34 -0700)]
Fixing compiler warnings with regards to GCC, w.r.t. unused results of setuid/setgid

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoFixing main.c with regards to default GCC/CLANG compiler warnings
Eivind Næss [Mon, 20 Sep 2021 16:29:21 +0000 (09:29 -0700)]
Fixing main.c with regards to default GCC/CLANG compiler warnings

This also incorporates the comments from @paulusmack.

Generally, fixes:
- Suppresed warnings w.r.t. unused results in signal handling and result from write()
- Unused results w.r.t. setuid/getuid/chdir

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
9 months agoradattr: tighten permissions on radattr file to avoid information leakage. (#290)
Jaco Kroon [Sat, 18 Sep 2021 02:02:54 +0000 (04:02 +0200)]
radattr: tighten permissions on radattr file to avoid information leakage. (#290)

Depending on the invoking process's umask it's possible that the radattr
file (which in certain cases can contain crytographic keys) be stored
with permissions such that world-read access is possible, resulting in
sensitive information being leaked to local users.

Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Co-authored-by: Jaco Kroon <jaco@iewc.co.za>
9 months agoREADME.pppoe: Fix spelling (#316)
Gustavo Romero [Fri, 17 Sep 2021 23:43:35 +0000 (20:43 -0300)]
README.pppoe: Fix spelling (#316)

Minor spelling fix.

Signed-off-by: Gustavo Romero <gustavo.romero@linaro.org>
9 months agopppd: add experimental support for PEAP protocol, an extension of EAP
Rustam Kovhaev [Thu, 10 Oct 2019 19:53:36 +0000 (12:53 -0700)]
pppd: add experimental support for PEAP protocol, an extension of EAP

current patch implements client functionality for PEAPv0/EAP-MSCHAPv2,
which is usually the most common setup deployed by companies utilizing
Microsoft RRAS as their VPN solution

Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
10 months agoFix situation where peer may NAK with request for MS_WINS
Michael Everitt [Sun, 15 Aug 2021 22:16:46 +0000 (23:16 +0100)]
Fix situation where peer may NAK with request for MS_WINS

Previously, if configure-request is sent without MS_WINS[12], a
peer may return a NAK with a request for it. However, code in the
ipcp_nakci didn't handle this case properly. This patch fixes it
to set try.req_wins[12].

Signed-off-by: Michael Everitt <michael@2e0cer.net>
10 months agoMerge pull request #305 from pali/ifnamsiz
Paul Mackerras [Sat, 7 Aug 2021 06:59:18 +0000 (16:59 +1000)]
Merge pull request #305 from pali/ifnamsiz

pppd: Remove usage of incorrect constant MAXIFNAMELEN

10 months agoFixing up a few inconsistencies in configure.ac (#306)
Eivind Næss [Sat, 7 Aug 2021 06:56:43 +0000 (23:56 -0700)]
Fixing up a few inconsistencies in configure.ac (#306)

Options that specify --with-logfile-dir, or --with-plugin-dir, or --with-runtime-dir needs to be specified using AC_ARG_WITH, not AC_ARG_ENABLE.

If you try to specify --without-openssl, then the conditions should be tested against = "xyes". There is a case where the option is either blank or is set to "xno" and the former case wasn't properly handled.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agopppd: Replace IF_NAMESIZE by IFNAMSIZ for struct ifreq
Pali Rohár [Sat, 31 Jul 2021 20:12:55 +0000 (22:12 +0200)]
pppd: Replace IF_NAMESIZE by IFNAMSIZ for struct ifreq

Macros IF_NAMESIZE and IFNAMSIZ should be defined to the same value, but
struct ifreq uses IFNAMSIZ. So use "correct" macro.

Signed-off-by: Pali Rohár <pali@kernel.org>
11 months agopppd: Remove usage of incorrect constant MAXIFNAMELEN
Pali Rohár [Sat, 31 Jul 2021 18:47:21 +0000 (20:47 +0200)]
pppd: Remove usage of incorrect constant MAXIFNAMELEN

MAXIFNAMELEN is currently hardcoded to 32, but maximal size of interface
name on Linux is just 15 + nul-term byte. This limit is already provided by
IFNAMSIZ macro defined in net/if.h header file.

So replace MAXIFNAMELEN usage by IFNAMSIZ to not silently truncate
interface name.

Signed-off-by: Pali Rohár <pali@kernel.org>
11 months agopppoe: Remove rp-pppoe.so symlink to not conflict with real rp-pppoe.so plugin (...
pali [Fri, 30 Jul 2021 03:29:01 +0000 (05:29 +0200)]
pppoe: Remove rp-pppoe.so symlink to not conflict with real rp-pppoe.so plugin (#304)

Backward compatibility symlink is there already for one ppp release. Remove
it for next ppp release to not conflict with real rp-pppoe.so plugin. So
both ppp's pppoe.so and rp's rp-pppoe.so plugins can be installed together.

Now when conversion to automake was done, it is a good time to drop this
problematic symlink from default installation.

Signed-off-by: Pali Rohár <pali@kernel.org>
11 months agoMerge pull request #303 from enaess/fix-md4
Paul Mackerras [Fri, 30 Jul 2021 03:26:55 +0000 (13:26 +1000)]
Merge pull request #303 from enaess/fix-md4

Using OpenSSL for MD4 isn't compatibile how NTPasswordHash is using it.

11 months agoradius: interim and stop frames should not depend on successful start. (#299)
Jaco Kroon [Fri, 30 Jul 2021 03:24:08 +0000 (05:24 +0200)]
radius: interim and stop frames should not depend on successful start. (#299)

It could simply be that the accounting server is temporarily down, and
any good accounting server should be able to recover from missed
start/stop frames.  In particular Acct-Session-Time on the first seen
interim update or even stop frame allows for determining start time.

Signed-off-by: Jaco Kroon <jaco@uls.co.za>
Co-authored-by: Jaco Kroon <jaco@iewc.co.za>
11 months agoAdding in unit-tests for chap_ms.c in pppd
Eivind Næss [Thu, 29 Jul 2021 14:52:17 +0000 (07:52 -0700)]
Adding in unit-tests for chap_ms.c in pppd

This would have uncovered the change that broke MD4

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoUsing OpenSSL for MD4 isn't compatibile how NTPasswordHash is using it.
Eivind Næss [Wed, 28 Jul 2021 23:39:43 +0000 (16:39 -0700)]
Using OpenSSL for MD4 isn't compatibile how NTPasswordHash is using it.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agopppd: Fix IPv6 compatibility with older kernel versions (#301)
pali [Mon, 26 Jul 2021 06:47:57 +0000 (08:47 +0200)]
pppd: Fix IPv6 compatibility with older kernel versions (#301)

Linux kernel versions prior 3.11 do not support setting IPv6 peer
addresses. On error try fallback to old IOCTL method.

Signed-off-by: Pali Rohár <pali@kernel.org>
11 months agoMerge pull request #296 from enaess/ppp-autotools
Paul Mackerras [Sat, 24 Jul 2021 03:07:30 +0000 (13:07 +1000)]
Merge pull request #296 from enaess/ppp-autotools

Use autoconf/automake to configure and make ppp

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
11 months agoFixing up install targets for man pages and file permissions of secrets files
Eivind Næss [Thu, 22 Jul 2021 23:55:08 +0000 (16:55 -0700)]
Fixing up install targets for man pages and file permissions of secrets files

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoSetting version to 2.4.10-dev per request of Neustradamus
Eivind Næss [Wed, 21 Jul 2021 15:54:41 +0000 (08:54 -0700)]
Setting version to 2.4.10-dev per request of Neustradamus

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoUpdating .gitignore files
Eivind Næss [Tue, 20 Jul 2021 16:21:10 +0000 (09:21 -0700)]
Updating .gitignore files

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoRemove obsolete Makefile(s) and configure scripts
Eivind Næss [Tue, 20 Jul 2021 16:20:04 +0000 (09:20 -0700)]
Remove obsolete Makefile(s) and configure scripts

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoRemoving dead code per review by James Carlson
Eivind Næss [Tue, 20 Jul 2021 08:19:39 +0000 (01:19 -0700)]
Removing dead code per review by James Carlson

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoFixing up libpcap configure option on SunOS
Eivind Næss [Tue, 20 Jul 2021 08:18:23 +0000 (01:18 -0700)]
Fixing up libpcap configure option on SunOS

Re-introducing the Automake WITH_FILTER to separate the detection
of libpcap. SunOS has a viable libpcap, but does not support the
filter feature.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoIncorporating review feedback from David Seifert.
Eivind Næss [Sat, 17 Jul 2021 20:35:58 +0000 (13:35 -0700)]
Incorporating review feedback from David Seifert.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoUpdated Buildroot CI to make it work with autotools.
RICCIARDI-Adrien [Sat, 17 Jul 2021 07:19:55 +0000 (09:19 +0200)]
Updated Buildroot CI to make it work with autotools.

11 months agoCompiling with clang encounters an error in eap-tls.c
Eivind Næss [Sun, 11 Jul 2021 21:36:44 +0000 (14:36 -0700)]
Compiling with clang encounters an error in eap-tls.c

This moves the inline functions to outside the function and declares them static.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agoUse autoconf/automake to configure and make ppp
Eivind Næss [Thu, 24 Jun 2021 23:07:26 +0000 (16:07 -0700)]
Use autoconf/automake to configure and make ppp

This change brings in autoconf/automake scripts to configure the ppp project. Current change doesn't eliminate the previous build system, but the new script autogen.sh will overwrite configure, and generate the basic Makefile.in and Makefile files.

Features can now be enabled by command line:

  * Microsoft Extensions,
    - MSCHAP
    - MPPE
    - MS LAN Manager support
  * IPXCP protocol
  * CBCP protocol
  * PAM support
  * EAP-TLS support
  * EAP-SRP support
  * Max session lifetime by byte count
  * Plugins
  * Packet activity filter support
  * Multilink
  * IPv6 support

Control linkage with
  * OpenSSL (-lssl -lcrypto)
  * systemd (-lsystemd)
  * libatm (-latm)
  * libsrp (-lsrp)
  * pam (-lpam)

Also, the configure script is made sensitive to features of OpenSSL. Like the presence or absence of DES, SHA, MD4 and MD5 crypto support. In the cases where either of these are missing, the support will be directly compiled into pppd and plugins.

In addition, package maintainers can now control the installation paths with standard --prefix=, or --localstatedir=, or --sysconfdir= to configure. On top of that, they can now control the following directories:
  * runtime directory w/--with-runtime-dir
  * logfile directory w/--with-logfile-dir
  * plugin directory w/--with-plugin-dir

In the case where automake isn't the right solution, namely: SunOS kernel module build, the original Makefile infrastructure is preserved and reused.

Care was taken to only cosmetically touchup the source files in this change. This means:
  * Insert HAVE_CONFIG_H and include config.h in all .c files.
  * Introduce HAVE_CRYPT_H into the source code where appropriate
  * Added ifdef MPPE where appropriate
  * USE_SRP required a few changes as it didn't compile
  * Touchup some compile warning in pppstats directory on SunOS

Introduced a new pppdconf.h file that exports the appropriate defines to a module that wants to provide a module that pppd can dynamically load. This will define/undef features like MPPE, CHAPMS such that the project doesn't have to guess what features pppd is compiled with.

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
11 months agochat: Clean up usage of clean() function
Paul Mackerras [Mon, 19 Jul 2021 07:41:09 +0000 (17:41 +1000)]
chat: Clean up usage of clean() function

In a couple of places, we were calling clean(), which does environment
variable substitution among other things, but then using the original
string not the "cleaned" string when logging a message about what
we're doing.

Also, this removes a couple of checks that the "cleaned" string is not
longer than the original string, which date back to the first version
of the code checked into CVS.  Those checks were appropriate before
environment variable substitution was added in commit eaca954c2d4a
("add -E option to use environment variables, from Andreas Arens") and
dynamic reallocation of the result buffer was added in commit
86dd2eec100d ("clean(): Fix buffer overflow.") but are no longer

These changes were prompted by github issue #294 and redhat bugzilla

Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
11 months agoplugins/radius: Add RFC8044 dictionary compatibility for IPv4 address (#291)
Adrian [Fri, 16 Jul 2021 09:24:13 +0000 (12:24 +0300)]
plugins/radius: Add RFC8044 dictionary compatibility for IPv4 address (#291)

This patch adds ipv4addr RADIUS data type compatible with RFC8044.
New dictionaries from RADIUS is using ipv4addr instead of old
ipaddr data type. This patch is avoiding modification of RADIUS
dictionaries to be compatible with PPP.

Signed-off-by: Adrian Ban <devel@easynet.dev>
11 months agoAdd option to ask peer for WINS address
Mike Frysinger [Fri, 3 Jan 2020 16:19:40 +0000 (17:19 +0100)]
Add option to ask peer for WINS address

Signed-off-by: Michael Everitt <gentoo@veremit.xyz>
Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>
11 months agoplugins/radius: Use snprintf in rc_mksid
Paul Mackerras [Sat, 10 Jul 2021 00:29:55 +0000 (10:29 +1000)]
plugins/radius: Use snprintf in rc_mksid

Commit 858976b1fc31 ("radius: Prevent buffer overflow in rc_mksid()")
changed sprintf to slprintf to avoid a possible buffer overflow.
However, this introduced a bug because slprintf does not currently
handle the %lX and %hX formats.  Use snprintf instead, which does, as
we are not using any of the custom formats that slprintf handles in
this instance.

Reported-by: Adrian Ban <devel@easynet.dev>
Signed-off-by: Paul Mackerras <paulus@ozlabs.org>
12 months agoipv6cp: Fix enforcing local and peer non-random IPv6 interface identifiers (#283)
pali [Sat, 19 Jun 2021 01:03:14 +0000 (03:03 +0200)]
ipv6cp: Fix enforcing local and peer non-random IPv6 interface identifiers (#283)

In some cases peer may reject our local IPv6 identifier or may send to us
IPV6CP request without any IPv6 identifier or send empty IPv6 identifier
(asking as to generate some identifier for him).

In these special cases pppd always generated some new random IPv6
identifier and completely ignored the fact that user may already specified
IPv6 link local address (used for IPv6 identifier) either at command line
or in config file.

So properly check pppd options and generate new random IPv6 identifier only
in case user did not supply any IPv6 link local address.

If pppd was configured to not allow random identifiers and peer rejected
our enforced identifiers then pppd connection should be terminated.

Signed-off-by: Pali Rohár <pali@kernel.org>
12 months agoipv6cp: Fix ipv6cp-accept-local and ipv6cp-accept-remote options (#282)
pali [Sat, 19 Jun 2021 01:02:37 +0000 (03:02 +0200)]
ipv6cp: Fix ipv6cp-accept-local and ipv6cp-accept-remote options (#282)

These options are completely broken and ignored because pppd reflects these
options in the incorrect struct ipv6cp_allowoptions. Instead pppd expects
that these options are reflected in struct ipv6cp_wantoptions. Same applies
also for IPv4 code where these options are reflected in struct wantoptions.

This issue can be tested and verified by following command:

    ./pppd noauth asyncmap 0 default-asyncmap novj noaccomp nopcomp nodeflate nobsdcomp nomagic  local nolock nodetach  noip  ipv6 ::2,::1 ipv6cp-accept-local ipv6cp-accept-remote  debug pty "./pppd noauth asyncmap 0 default-asyncmap novj noaccomp nopcomp nodeflate nobsdcomp nomagic  local nolock nodetach  noip  ipv6 ::1:1,::1:2  notty"

First pppd prefer to use IPv6 addresses ::2 and ::1 but accept also any
address suggested by second pppd. Second pppd allows usage only of IPv6
addresses ::1:1 and ::1:2 and does not accept any suggestion by first pppd.

Without this patch first pppd show this output:

    sent [IPV6CP ConfReq id=0x1 <addr fe80::0000:0000:0000:0002>]
    rcvd [IPV6CP ConfReq id=0x1 <addr fe80::0000:0000:0001:0001>]
    sent [IPV6CP ConfNak id=0x1 <addr fe80::0000:0000:0000:0001>]
    rcvd [IPV6CP ConfNak id=0x1 <addr fe80::0000:0000:0001:0002>]
    sent [IPV6CP ConfReq id=0x2 <addr fe80::0000:0000:0000:0002>]
    rcvd [IPV6CP ConfReq id=0x2 <addr fe80::0000:0000:0001:0001>]
    sent [IPV6CP ConfAck id=0x2 <addr fe80::0000:0000:0001:0001>]
    rcvd [IPV6CP ConfAck id=0x2 <addr fe80::0000:0000:0000:0002>]
    local  LL address fe80::0000:0000:0000:0002
    remote LL address fe80::0000:0000:0001:0001

Which means that second pppd did not forced its IPv6 address assignment.

With applying this patch first pppd show output:

    sent [IPV6CP ConfReq id=0x1 <addr fe80::0000:0000:0000:0002>]
    rcvd [IPV6CP ConfReq id=0x1 <addr fe80::0000:0000:0001:0001>]
    sent [IPV6CP ConfAck id=0x1 <addr fe80::0000:0000:0001:0001>]
    rcvd [IPV6CP ConfNak id=0x1 <addr fe80::0000:0000:0001:0002>]
    sent [IPV6CP ConfReq id=0x2 <addr fe80::0000:0000:0001:0002>]
    rcvd [IPV6CP ConfAck id=0x2 <addr fe80::0000:0000:0001:0002>]
    local  LL address fe80::0000:0000:0001:0002
    remote LL address fe80::0000:0000:0001:0001

And now first pppd accepted offer from second pppd, meaning that both
ipv6cp-accept-local and ipv6cp-accept-remote are working.

Signed-off-by: Pali Rohár <pali@kernel.org>
12 months agoipv6cp: Fix enforcing peer IPv6 interface identifier (#281)
pali [Sat, 19 Jun 2021 01:01:58 +0000 (03:01 +0200)]
ipv6cp: Fix enforcing peer IPv6 interface identifier (#281)

Enforcing peer IPv6 interface identifier is broken in the same way as it
was broken for peer IPv4 address prior commit 9fe8923419a9 ("pppd: Fix
enforcing peer IP address").

IPv6 test case:

    ./pppd noauth asyncmap 0 default-asyncmap novj noaccomp nopcomp nodeflate nobsdcomp nomagic  local nolock nodetach  noip  ipv6 ::2,::1  debug pty "./pppd noauth asyncmap 0 default-asyncmap novj noaccomp nopcomp nodeflate nobsdcomp nomagic  local nolock nodetach  noip  ipv6 ::1:1,::1:2  notty"

Without this patch output from first pppd is:

    sent [IPV6CP ConfReq id=0x5 <addr fe80::0000:0000:0000:0002>]
    rcvd [IPV6CP ConfReq id=0x5 <addr fe80::0000:0000:0001:0001>]
    sent [IPV6CP ConfNak id=0x5 <addr fe80::0000:0000:0000:0001>]
    rcvd [IPV6CP ConfNak id=0x5 <addr fe80::0000:0000:0001:0002>]
    sent [IPV6CP ConfReq id=0x6]
    rcvd [IPV6CP ConfReq id=0x6]
    sent [IPV6CP ConfAck id=0x6]
    rcvd [IPV6CP ConfAck id=0x6]
    local  LL address fe80::0000:0000:0000:0002
    remote LL address fe80::0000:0000:0000:0001

And system configured IPv6 addresses as:

    124: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
        inet6 fe80::2 peer fe80::1/128 scope link nodad
           valid_lft forever preferred_lft forever
    125: ppp1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 3
        inet6 fe80::1:1 peer fe80::1:2/128 scope link nodad
           valid_lft forever preferred_lft forever

So both pppd use different IPv6 LL addresses and therefore IPv6 connection
is totally broken between these pppd instances.

With this patch output from first pppd is:

    sent [IPV6CP ConfReq id=0x5 <addr fe80::0000:0000:0000:0002>]
    rcvd [IPV6CP ConfReq id=0x5 <addr fe80::0000:0000:0001:0001>]
    sent [IPV6CP ConfNak id=0x5 <addr fe80::0000:0000:0000:0001>]
    rcvd [IPV6CP ConfNak id=0x5 <addr fe80::0000:0000:0001:0002>]
    sent [IPV6CP ConfReq id=0x6]
    rcvd [IPV6CP ConfReq id=0x6]
    sent [IPV6CP ConfAck id=0x6]
    rcvd [IPV6CP ConfAck id=0x6]
    Peer refused to agree to his interface identifier
    sent [IPV6CP TermReq id=0x7 "Refused his interface identifier"]
    rcvd [IPV6CP TermReq id=0x7 "Refused his interface identifier"]
    sent [IPV6CP TermAck id=0x7]
    rcvd [IPV6CP TermAck id=0x7]
    sent [LCP TermReq id=0x2 "No network protocols running"]
    rcvd [LCP TermAck id=0x2]
    Connection terminated.
    Connect time 0.0 minutes.
    Sent 148 bytes, received 148 bytes.

Now pppd correctly detected that IPv6 interface identifiers negotiation
failed and closed IPv6 connection.

Signed-off-by: Pali Rohár <pali@kernel.org>
12 months agopppd: Allow users to use Engine and ID strings unmodified to the OpenSSL engine ...
Eivind Næss [Sat, 19 Jun 2021 01:01:34 +0000 (18:01 -0700)]
pppd: Allow users to use Engine and ID strings unmodified to the OpenSSL engine (#280)

This change allows users to specify "cert" and "key" arguments where the prefix
leading up to the ':' indicates the engine e.g. pkcs11, the entire string is
passed down to the engine library which does the parsing. In the case of
pkcs11.so (OpenSC project's libp11) engine for OpenSSL, it will now correctly
parse the PKCS11 URI string (See RFC7512).

Signed-off-by: Eivind Næss <eivnaes@yahoo.com>
12 months agopppd: Fix vslprintf %ld for negative values (#279)
Maks Naumov [Mon, 7 Jun 2021 11:13:42 +0000 (14:13 +0300)]
pppd: Fix vslprintf %ld for negative values (#279)

'val' is unsigned so condition 'val < 0' is always false
fix it by adding signed long variable.

Signed-off-by: Maks Naumov <maksqwe1@ukr.net>
12 months agopppd: Set restore_term at correct place (#284)
pali [Mon, 7 Jun 2021 11:11:43 +0000 (13:11 +0200)]
pppd: Set restore_term at correct place (#284)

After successful call to tcsetattr/TCSAFLUSH it is needed to restore
terminal at the end. So set restore_term variable at correct place. Fixes
issue that fatal() call after tcsetattr/TCSAFLUSH does not restore terminal

Signed-off-by: Pali Rohár <pali@kernel.org>
12 months agopppd: Add support for arbitrary baud rates via BOTHER on Linux (#278)
pali [Sat, 5 Jun 2021 01:43:24 +0000 (03:43 +0200)]
pppd: Add support for arbitrary baud rates via BOTHER on Linux (#278)

Most Linux architectures and drivers support arbitrary baud rate BOTHER
values via TCGETS2 and TCSETS2 ioctls in struct termios2.

This patch implements support for BOTHER and struct termios2 which allows
pppd to use any baud rate on Linux systems where architecture and drivers
have support for it.

By default standard values are used.

Support for BOTHER is enabled during compilation when header files have
appropriate definitions of TCGETS2 and TCSETS2 ioctls.

Because there is no glibc support for BOTHER and struct termios2 yet, pppd
defines own BOTHER macro and struct termios2.

Signed-off-by: Pali Rohár <pali@kernel.org>
12 months agopppd: Support for use of PKCS12 certificates (#264)
Eivind Næss [Sat, 5 Jun 2021 01:30:16 +0000 (18:30 -0700)]
pppd: Support for use of PKCS12 certificates (#264)

This implements the ability to specify the option 'pkcs12' to allow
users to provide a PKCS12 formatted file as user credentials.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
14 months agopppd: Expose the MPPE keys generated through an API (#267)
Eivind Næss [Sat, 24 Apr 2021 10:00:34 +0000 (03:00 -0700)]
pppd: Expose the MPPE keys generated through an API (#267)

The lengthy part of this fix is to refactor the handling of MPPE keys
by moving it into mppe.c and thus reducing the clutter in chap_ms.c.
It does so by renaming the mppe_set_keys/2 to the corresponding
mppe_set_chapv1/mppe_set_chapv2 versions and updates callers of these

Having done so, it conveniently allows the name "mppe_set_keys" to be
re-used for this new purpose which will copy the key material up to
its size and then clear the input parameters (avoids leaving the MPPE
keys on the stack).

Additional functiions added to the MPPE code allow plugins et al. to
access the MPPE keys, clear the keys, and check if they are set. All
plugin and CCP code has been updated to use this API.

This fixes GitHub Issue #258

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
14 months agoAdd pkgconfig support to PPP project (#270)
Eivind Næss [Sat, 24 Apr 2021 05:26:06 +0000 (22:26 -0700)]
Add pkgconfig support to PPP project (#270)

This adds pppd.pc into $(INSTROOT)/$(LIBDIR)/pkgconfig. On some distributions
this would be /lib/pkgconfig, or /usr/lib/pkgconfig, but other distributions
may consider specifying --libdir=/usr/lib/x86_x64-linux-gnu/ and the pkgconfig
directory would be under that. Allowing --libdir to be specified at configure
time fixes #223, providing pkgconfig support fixes #19 and allows third party
packages pickup the plugin directory.

Manually cherry picking parts of two commits by @lkundrak from:

Mainly, the difference between the original commit is not to replace DESTDIR
with "prefix". Leave DESTDIR alone, and add needed pkgconfig (pppd.pc.in)
as a part of the linux distribution (previously in pppd/plugin directory).

This fixes GitHub issues: #19 #47 and #223

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
14 months agopppd: Allow building of EAP-TLS code when OPENSSL_NO_ENGINE is set. (#273)
jjkeijser [Thu, 22 Apr 2021 22:31:19 +0000 (00:31 +0200)]
pppd: Allow building of EAP-TLS code when OPENSSL_NO_ENGINE is set. (#273)

Signed-off-by: Jan Just Keijser <jan.just.keijser@gmail.com>
14 months agopppd: Fix SIGSEGV in EAP-TLS code when TLS verify method is not specified
Eivind Næss [Sun, 11 Apr 2021 23:31:02 +0000 (16:31 -0700)]
pppd: Fix SIGSEGV in EAP-TLS code when TLS verify method is not specified

Make sure the tls_verify_method variable has a default value. Also, fix up the
README.eap-tls documentation for the new options.

Fixes github issue #268.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
15 months agopppd: Fix logical error in comparing valid encryption policies (#262)
Eivind Næss [Sun, 14 Mar 2021 23:20:29 +0000 (16:20 -0700)]
pppd: Fix logical error in comparing valid encryption policies (#262)

RFC2548 describes the proper values of the MS-MPPE-Encryption-Policy attribute.
and it can only hold 2 values: 1 (encryption allowed) and 2 (encryption required).

   https://tools.ietf.org/html/rfc2548, section 2.4.4

The correct comparison should be made with an && and not a ||.

This fixes github issue #218

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
15 months agopppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)
Eivind Næss [Sun, 14 Mar 2021 23:17:41 +0000 (16:17 -0700)]
pppd: EAP-TLS: Verify Subject or CommonName by suffix (#261)

This feature matches closely what OpenVPN and the network-manager-openvpn plugin do for
certificate verification. It allows the end user to configure the certificate to be matched by
its common name (entire string), its subject name, or the suffix of a subject name.
The latter is especially useful if you are trying to match against a random server in a RADIUS
pool. Lastly, it also allows you to turn off the certificate matching altogether.

tls-verify-method can have the following parameter values:
- none
- subject   - The entire subject, e.g. /CN=some.server.org
- name      - The entire common name, e.g. some.server.org
- suffix    - The latter part of a name, e.g. servers.org

Secondly, it also introduces a new parameter 'tls-verify-key-usage' which permits checking
of the 'server' or 'client' side attributes of nsCertType and X509 extended key attributes.
For example, in client mode, it will verify that received certificate has the 'server' side
attributes enabled.

Signed-off-by: Eivind Naess <eivnaes@yahoo.com>
15 months agopppd: Fix cross-compilation using Clang (#253)
10ne1 [Sun, 14 Mar 2021 23:11:35 +0000 (01:11 +0200)]
pppd: Fix cross-compilation using Clang (#253)

Clang does not have the --print-sysroot option so the shell
snippet silently fails leading to "-I/usr/include/openssl".
Thankfully systems like Gentoo/portage or Yocto/bitbake enable
sysroot poisoning precisely to catch these kinds of bugs.

There is only one user of this non-standard CFLAG include in
pppcrypt.h, so make it consistent with the rest of the sources
(eg. see eap-tls.[h|c] openssl/* includes) and drop the fragile
sysroot hackery.

Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
16 months agoMerge pull request #254 from pali/ipv6-rtnetlink
Paul Mackerras [Fri, 26 Feb 2021 04:58:01 +0000 (15:58 +1100)]
Merge pull request #254 from pali/ipv6-rtnetlink

pppd: Fix and clean up code for setting Linux IPv6 addresses

16 months agopppd: defaultroute6 is not frequent option and should not be used (#257)
pali [Fri, 26 Feb 2021 04:44:19 +0000 (05:44 +0100)]
pppd: defaultroute6 is not frequent option and should not be used (#257)

In pppd.8 manpage, move defaultroute6 option from FREQUENTLY USED OPTIONS
into OPTIONS, and add a warning that this option should not be needed or
used on IPv6 networks. Option defaultroute6 is needed only for broken IPv6
networks. Also add nodefaultroute6 into sample options file.

Signed-off-by: Pali Rohár <pali@kernel.org>
16 months agopppd: Define request and response rtnetlink IPv6 structures
Pali Rohár [Sat, 16 Jan 2021 21:50:27 +0000 (22:50 +0100)]
pppd: Define request and response rtnetlink IPv6 structures

This simplify understanding of rtnetlink IPv6 API. Also it simplify
code for filling rtnetlink IPv6 address request message and reading
rtnetlink response message as it avoids usage of pointer arithmetic.

Signed-off-by: Pali Rohár <pali@kernel.org>
16 months agopppd: Set local and remote IPv6 addresses by one call
Pali Rohár [Sun, 10 Jan 2021 18:46:07 +0000 (19:46 +0100)]
pppd: Set local and remote IPv6 addresses by one call

Currently local IPv6 address is set by SIOCSIFADDR ioctl and remote peer
address is appended by rtnetlink RTM_NEWADDR/NLM_F_REPLACE call. For
RTM_NEWADDR/NLM_F_REPLACE call it is needed to specify both local + remote
addresses as local address is used for matching to which address needs to
be remote peer address appended. When issuing this call kernel first
removes currently configured local address and then inserts a new pair of
local + remote addresses.

Simplify whole setup by just one rtnetlink RTM_NEWADDR/NLM_F_CREATE call by
inserting pair of local + remote addresses atomically. Therefore calling
SIOCSIFADDR ioctl for local IPv6 address is not used or needed anymore.

Signed-off-by: Pali Rohár <pali@kernel.org>
16 months agopppd: Disable Duplicate Address Detection for IPv6 peer address
Pali Rohár [Sun, 10 Jan 2021 18:09:25 +0000 (19:09 +0100)]
pppd: Disable Duplicate Address Detection for IPv6 peer address

IPv6 link-local addresses are negotiated via IPV6CP and therefore are
unique and not duplicate. Doing additional Duplicate Address Detection
is redundant and not needed, so disable it.

Signed-off-by: Pali Rohár <pali@kernel.org>
16 months agopppd: Fix setting flags of IPv6 peer address
Pali Rohár [Sun, 10 Jan 2021 17:51:23 +0000 (18:51 +0100)]
pppd: Fix setting flags of IPv6 peer address

Address is link-local (not globaly routable) and is permanent (not dynamic
from stateless address configuration).

Signed-off-by: Pali Rohár <pali@kernel.org>
16 months agopppd: Fix compilation with older glibc or kernel headers (#248)
pali [Mon, 15 Feb 2021 06:54:01 +0000 (07:54 +0100)]
pppd: Fix compilation with older glibc or kernel headers (#248)

glibc versions prior to 2.24 do not define SOL_NETLINK and linux kernel
versions prior to 4.3 do not define NETLINK_CAP_ACK. So add fallback
definitions for these macros into pppd/sys-linux.c file.

Also extend description why we call SOL_NETLINK/NETLINK_CAP_ACK option.

Signed-off-by: Pali Rohár <pali@kernel.org>
17 months agoMerge pull request #230 from tisj/eap-mschapv2-refactor
Paul Mackerras [Tue, 26 Jan 2021 03:14:42 +0000 (14:14 +1100)]
Merge pull request #230 from tisj/eap-mschapv2-refactor

EAP mschapv2 refactoring