From e8a7e4084f3b5477eb0a73df6020a4bb14c1b200 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Eivind=20N=C3=A6ss?=
Date: Fri, 17 Mar 2023 15:50:30 -0700
Subject: [PATCH] Add a --with-system-ca-path option to configure (#406)
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

Allow distributions to specify a default CA path.

Fix for github issue #405.

Signed-off-by: Eivind Næss
---
 configure.ac | 23 +++++++++++++++++++++++
 pppd/Makefile.am | 4 ++++
 pppd/auth.c | 7 +++++++
 3 files changed, 34 insertions(+)

diff --git a/configure.ac b/configure.ac
index bb45cab..1180f64 100644
--- a/configure.ac
+++ b/configure.ac
@@ -221,6 +221,28 @@ AS_IF([test -n "$with_logfile_dir"],
 [PPPD_LOGFILE_DIR="${localstatedir}/log/ppp"])
 AC_SUBST(PPPD_LOGFILE_DIR)
 
+#
+# System CA certificates path
+AC_ARG_WITH(system-ca-path,
+ AS_HELP_STRING([--with-system-ca-path=/path/to/ssl/certs], [path to system CA certificates]),
+ [
+ case "$withval" in
+ "" | y | ye | yes)
+ with_system_ca_path="${sysconfdir}/ssl/certs"
+ ;;
+ n | no)
+ ;;
+ *)
+ with_system_ca_path="$withval"
+ ;;
+ esac
+ ],[with_system_ca_path="${sysconfdir}/ssl/certs"])
+AM_CONDITIONAL(PPP_WITH_SYSTEM_CA_PATH, [test "$with_system_ca_path" != "no"])
+AM_COND_IF(PPP_WITH_SYSTEM_CA_PATH, [
+ SYSTEM_CA_PATH="$with_system_ca_path"
+])
+AC_SUBST(SYSTEM_CA_PATH)
+
 #
 # Check for OpenSSL
 AX_CHECK_OPENSSL
@@ -390,6 +412,7 @@ $PACKAGE_NAME version $PACKAGE_VERSION
 Runtime Dir..........: $PPPD_RUNTIME_DIR
 Logfile Dir..........: $PPPD_LOGFILE_DIR
 Plugin Dir...........: $PPPD_PLUGIN_DIR
+ System CA Path ......: ${SYSTEM_CA_PATH:-not set}
 With OpenSSL.........: ${with_openssl:-yes}
 With libatm..........: ${with_atm:-no}
 With libpam..........: ${with_pam:-no}
diff --git a/pppd/Makefile.am b/pppd/Makefile.am
index c93a86a..e5bedf2 100644
--- a/pppd/Makefile.am
+++ b/pppd/Makefile.am
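Review bot: The new AS_HELP_STRING text "path to system CA certificates" does not tell a packager what the option changes: with the default left on, pppd's EAP-TLS/PEAP peer verification falls back to the entire system trust store whenever no CA directory is configured at runtime, and a distribution that does not want that behaviour has to know to pass `--with-system-ca-path=no`. Suggest `AS_HELP_STRING([--with-system-ca-path=/path/to/ssl/certs], [directory of system CA certificates used for EAP-TLS/PEAP peer verification when pppd is given no CA path (default: ${sysconfdir}/ssl/certs; "no" disables the fallback)])`. The default `"${sysconfdir}/ssl/certs"` is expanded at configure time, when sysconfdir normally still holds the literal `${prefix}/etc`, so the summary line `System CA Path ......: ${SYSTEM_CA_PATH:-not set}` prints `${prefix}/etc/ssl/certs` rather than the concrete directory; expanding the value for the summary, or noting that it is resolved at make time, would avoid misleading the builder. The `n | no)` branch works only because AC_ARG_WITH has already stored "no" in `with_system_ca_path`, while spellings such as `N` or `No` fall through to `*)` and become a literal path; either normalise the value or document the accepted forms.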
@@ -87,6 +87,10 @@ pppd_CPPFLAGS = -DSYSCONFDIR=\"${sysconfdir}\" -DLOCALSTATEDIR=\"${localstatedir
 pppd_LDFLAGS =
 pppd_LIBS =
 
+if PPP_WITH_SYSTEM_CA_PATH
+pppd_CPPFLAGS += -DSYSTEM_CA_PATH='"@SYSTEM_CA_PATH@"'
+endif
+
 if LINUX
 pppd_SOURCES += sys-linux.c
 noinst_HEADERS += termios_linux.h
diff --git a/pppd/auth.c b/pppd/auth.c
index 202d557..cee847e 100644
--- a/pppd/auth.c
+++ b/pppd/auth.c
@@ -1334,6 +1334,13 @@ auth_check_options(void)
 if (user[0] == 0 && !explicit_user)
 strlcpy(user, our_name, sizeof(user));
 
+#if defined(SYSTEM_CA_PATH) && (defined(PPP_WITH_EAPTLS) || defined(PPP_WITH_PEAP))
+ /* Use system default for CA Path if not specified */
+ if (!ca_path) {
+ ca_path = SYSTEM_CA_PATH;
+ }
+#endif
+
 /*
 * If we have a default route, require the peer to authenticate
 * unless the noauth option was given or the real user is root.
-- 
2.39.2
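Review bot: The new define quotes its value as `-DSYSTEM_CA_PATH='"@SYSTEM_CA_PATH@"'` while the pppd_CPPFLAGS line it extends uses the `\"${sysconfdir}\"` form for the same kind of path define; the two styles break on different characters (a `'` in the path for the new one, whitespace for the old), so one convention should be used for all of them, e.g. `pppd_CPPFLAGS += -DSYSTEM_CA_PATH=\"@SYSTEM_CA_PATH@\"`. Note also that when sysconfdir is left at its autoconf default the substituted value still contains `${prefix}`, so the define only resolves because make expands that variable at compile time; a one-line comment above the `if PPP_WITH_SYSTEM_CA_PATH` block saying so would save the next maintainer from "fixing" it into a configure-time-only value.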
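Review bot: The fallback `if (!ca_path)` is applied even when the administrator explicitly configured a CA file, so the set of issuers accepted during EAP-TLS/PEAP peer verification silently grows from the one pinned CA to the whole system store; the build-time default should only take effect when no CA material was configured at all, e.g. `if (!ca_path && !ca_file) {` (assuming the CA-file option variable is `ca_file`, which is not visible in this hunk). The comment `/* Use system default for CA Path if not specified */` should state the consequence rather than restate the condition, e.g. `/* No CA directory configured: fall back to the build-time system store, so peers whose certificate chains to any system-trusted CA are presumably accepted */`. `ca_path` is being pointed at a string literal; if that variable is a plain `char *` that the option parser otherwise fills with allocated memory, any later free or reassignment must not free this value, which deserves a note at the assignment if that is the case. auth_check_options() starts and ends outside this hunk.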