rpms/ppp/devel ppp-2.4.5-eaptls-mppe-0.98.patch, NONE, 1.1 ppp.spec, 1.62, 1.63
Jiri Skala
jskala at fedoraproject.org
Wed Jun 16 08:10:26 UTC 2010
Author: jskala
Update of /cvs/extras/rpms/ppp/devel
In directory cvs01.phx2.fedoraproject.org:/tmp/cvs-serv12667
Modified Files:
ppp.spec
Added Files:
ppp-2.4.5-eaptls-mppe-0.98.patch
Log Message:
* Wed Jun 16 2010 Jiri Skala <jskala at redhat.com> - 2.4.5-9
- included eap-tls patch
ppp-2.4.5-eaptls-mppe-0.98.patch:
README.eap-tls | 169 ++++++
etc.ppp/eaptls-client | 10
etc.ppp/eaptls-server | 11
etc.ppp/openssl.cnf | 14
linux/Makefile.top | 6
openssl.cnf | 14
pppd/Makefile.linux | 12
pppd/auth.c | 411 +++++++++++++++
pppd/ccp.c | 20
pppd/chap-md5.c | 4
pppd/eap-tls.c | 1146 ++++++++++++++++++++++++++++++++++++++++++++
pppd/eap-tls.h | 107 ++++
pppd/eap.c | 451 +++++++++++++++++
pppd/eap.h | 32 +
pppd/md5.c | 4
pppd/md5.h | 3
pppd/options.c | 10
pppd/pathnames.h | 7
pppd/plugins/Makefile.linux | 3
pppd/plugins/passprompt.c | 3
pppd/plugins/passwordfd.c | 5
pppd/pppd.h | 9
22 files changed, 2444 insertions(+), 7 deletions(-)
--- NEW FILE ppp-2.4.5-eaptls-mppe-0.98.patch ---
diff -Naur ppp-2.4.5/README.eap-tls ppp-2.4.5-eaptls-mppe-0.98/README.eap-tls
--- ppp-2.4.5/README.eap-tls 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/README.eap-tls 2010-02-09 10:58:38.000000000 +0100
@@ -0,0 +1,169 @@
+EAP-TLS authentication support for PPP
+======================================
+
+1. Intro
+
+ The Extensible Authentication Protocol (EAP; RFC 3748) is a
+ security protocol that can be used with PPP. It provides a means
+ to plug in multiple optional authentication methods.
+
+ Transport Level Security (TLS; RFC 2246) provides for mutual
+ authentication, integrity-protected ciphersuite negotiation and
+ key exchange between two endpoints. It also provides for optional
+ MPPE encryption.
+
+ EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
+ allowing TLS mutual authentication to be used as a generic EAP
+ mechanism. It also provides optional encryption using the MPPE
+ protocol.
+
+ This patch provide EAP-TLS support to pppd.
+ This authentication method can be used in both client or server
+ mode.
+
+2. Building
+
+ To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
+ is required. Any version from 0.9.7 should work.
+
+ Configure, compile, and install as usual.
+
+3. Configuration
+
+ On the client side there are two ways to configure EAP-TLS:
+
+ 1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
+
+ 2. edit the /etc/ppp/eaptls-client file.
+ Insert a line for each system with which you use EAP-TLS.
+ The line is composed of this fields separated by tab:
+
+ - Client name
+ The name used by the client for authentication, can be *
+ - Server name
+ The name of the server, can be *
+ - Client certificate file
+ The file containing the certificate chain for the
+ client in PEM format
+ - Server certificate file
+ If you want to specify the certificate that the
+ server is allowed to use, put the certificate file name.
+ Else put a dash '-'.
+ - CA certificate file
+ The file containing the trusted CA certificates in PEM
+ format.
+ - Client private key file
+ The file containing the client private key in PEM format.
+
+
+ On the server side edit the /etc/ppp/eaptls-server file.
+ Insert a line for each system with which you use EAP-TLS.
+ The line is composed of this fields separated by tab:
+
+ - Client name
+ The name used by the client for authentication, can be *
+ - Server name
+ The name of the server, can be *
+ - Client certificate file
+ If you want to specify the certificate that the
+ client is allowed to use, put the certificate file name.
+ Else put a dash '-'.
+ - Server certificate file
+ The file containing the certificate chain for the
+ server in PEM format
+ - CA certificate file
+ The file containing the trusted CA certificates in PEM
+ format.
+ - Client private key file
+ The file containing the server private key in PEM format.
+ - addresses
+ A list of IP addresses the client is allowed to use.
+
+
+ OpenSSL engine support is included starting with v0.95 of this patch.
+ Currently the only engine tested is the 'pkcs11' engine (hardware token
+ support). To use the 'pksc11' engine:
+ - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
+ <engine>:<identifier>
+ e.g.
+ pkcs11:123456
+
+ - The certificate can also be loaded from the 'pkcs11' engine using
+ a special client certificate filename in the /etc/ppp/eaptls-client file:
+ <engine>:<identifier>
+ e.g.
+ pkcs11:123456
+
+ - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
+ to starting 'pppd'. A sample openssl.cnf file is
+
+ openssl_conf = openssl_def
+
+ [ openssl_def ]
+ engines = engine_section
+
+ [ engine_section ]
+ pkcs11 = pkcs11_section
+
+ [ pkcs11_section ]
+ engine_id = pkcs11
+ dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
+ MODULE_PATH = /usr/lib64/libeTPkcs11.so
+ init = 0
+
+ - There are two ways to specify a password/PIN for the PKCS11 engine:
+ - inside the openssl.cnf file using
+ PIN = your-secret-pin
+ Note The keyword 'PIN' is case sensitive!
+ - Using the 'password' in the ppp options file.
+ From v0.97 of the eap-tls patch the password can also be supplied
+ using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
+ for an example).
+
+
+4. Options
+
+ These pppd options are available:
+
+ ca <ca-file>
+ Use the CA public certificate found in <ca-file> in PEM format
+ cert <cert-file>
+ Use the client public certificate found in <cert-file> in PEM format
+ or in engine:engine_id format
+ key <key-file>
+ Use the client private key found in <key-file> in PEM format
+ or in engine:engine_id format
+ crl-dir <dir>
+ Use CRL files from dir. It contains CRL files in PEM
+ format and each file contains a CRL. The files are looked up
+ by the issuer name hash value. Use the c_rehash utility
+ to create necessary links.
+ need-peer-eap
+ If the peer doesn't ask us to authenticate or doesn't use eap
+ to authenticate us, disconnect.
+
+ Note:
+ password-encrypted certificates can be used as of v0.94 of this
+ patch. The password for the eap-tls.key file is specified using
+ the regular
+ password ....
+ statement in the ppp options file, or by using the appropriate
+ plugin which supplies a 'eaptls_passwd_hook' routine.
+
+5. Connecting
+
+ If you're setting up a pppd server, edit the EAP-TLS configuration file
+ as written above and then run pppd with the 'auth' option to authenticate
+ the client. The EAP-TLS method will be used if the other eap methods can't
+ be used (no secrets).
+
+ If you're setting up a client, edit the configuration file and then run
+ pppd with 'remotename' option to specify the server name. Add the
+ 'need-peer-eap' option if you want to be sure the peer ask you to
+ authenticate (and to use eap) and to disconnect if it doesn't.
+
+6. Notes
+
+ This is experimental code.
+ Send suggestions and comments to Jan Just Keijser <janjust at nikhef.nl>
+
diff -Naur ppp-2.4.5/etc.ppp/eaptls-client ppp-2.4.5-eaptls-mppe-0.98/etc.ppp/eaptls-client
--- ppp-2.4.5/etc.ppp/eaptls-client 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/etc.ppp/eaptls-client 2010-02-09 10:58:38.000000000 +0100
@@ -0,0 +1,10 @@
+# Parameters for authentication using EAP-TLS (client)
+
+# client name (can be *)
+# server name (can be *)
+# client certificate file (required)
+# server certificate file (optional, if unused put '-')
+# CA certificate file (required)
+# client private key file (required)
+
+#client server /root/cert/client.crt - /root/cert/ca.crt /root/cert/client.key
diff -Naur ppp-2.4.5/etc.ppp/eaptls-server ppp-2.4.5-eaptls-mppe-0.98/etc.ppp/eaptls-server
--- ppp-2.4.5/etc.ppp/eaptls-server 1970-01-01 01:00:00.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/etc.ppp/eaptls-server 2010-02-09 10:58:38.000000000 +0100
@@ -0,0 +1,11 @@
+# Parameters for authentication using EAP-TLS (server)
+
+# client name (can be *)
+# server name (can be *)
+# client certificate file (optional, if unused put '-')
+# server certificate file (required)
+# CA certificate file (required)
+# server private key file (required)
[...2508 lines suppressed...]
+ eapTlsSendAlert, /* Send EAP-TLS tls alert (server)*/
+ eapTlsRecvAlertAck, /* Receive EAP-TLS ack after sending alert */
+ eapTlsRecvSuccess, /* Receive EAP success */
+ eapTlsRecvFailure, /* Receive EAP failure */
eapSRP1, /* Sent EAP SRP-SHA1 Subtype 1 */
eapSRP2, /* Sent EAP SRP-SHA1 Subtype 2 */
eapSRP3, /* Sent EAP SRP-SHA1 Subtype 3 */
@@ -95,9 +105,18 @@
#define EAP_STATES \
"Initial", "Pending", "Closed", "Listen", "Identify", \
+ "TlsStart", "TlsRecv", "TlsSendAck", "TlsSend", "TlsRecvAck", "TlsRecvClient",\
+ "TlsSendAlert", "TlsRecvAlertAck" , "TlsRecvSuccess", "TlsRecvFailure", \
"SRP1", "SRP2", "SRP3", "MD5Chall", "Open", "SRP4", "BadAuth"
-#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
+#ifdef USE_EAPTLS
+#define eap_client_active(esp) ((esp)->es_client.ea_state != eapInitial ||\
+ (esp)->es_client.ea_state != eapPending ||\
+ (esp)->es_client.ea_state != eapClosed)
+#else
+#define eap_client_active(esp) ((esp)->es_client.ea_state == eapListen)
+#endif /* USE_EAPTLS */
+
#define eap_server_active(esp) \
((esp)->es_server.ea_state >= eapIdentify && \
(esp)->es_server.ea_state <= eapMD5Chall)
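Review bot: The USE_EAPTLS variant of `eap_client_active` is always true: the three `!=` tests are joined with `||`, and since `ea_state` can equal at most one of eapInitial/eapPending/eapClosed, at least one comparison holds for every possible state. The intent reads as "active unless in one of those three states", which needs `&&`: `((esp)->es_client.ea_state != eapInitial &&\`, `(esp)->es_client.ea_state != eapPending &&\`, `(esp)->es_client.ea_state != eapClosed)`. Wherever eap.c gates client-side handling or failure reporting on this macro, the client is currently treated as active before authentication has started and after it has closed; those uses are outside this hunk, so confirm against eap.c.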
@@ -112,11 +131,17 @@
u_short ea_namelen; /* Length of our name */
u_short ea_peerlen; /* Length of peer's name */
enum eap_state_code ea_state;
+#ifdef USE_EAPTLS
+ enum eap_state_code ea_prev_state;
+#endif
u_char ea_id; /* Current id */
u_char ea_requests; /* Number of Requests sent/received */
u_char ea_responses; /* Number of Responses */
u_char ea_type; /* One of EAPT_* */
u_int32_t ea_keyflags; /* SRP shared key usage flags */
+#ifdef USE_EAPTLS
+ bool ea_using_eaptls;
+#endif
};
/*
@@ -139,7 +164,12 @@
* Timeouts.
*/
#define EAP_DEFTIMEOUT 3 /* Timeout (seconds) for rexmit */
+#ifdef USE_EAPTLS
+#define EAP_DEFTRANSMITS 30 /* max # times to transmit */
+ /* certificates can be long ... */
+#else
#define EAP_DEFTRANSMITS 10 /* max # times to transmit */
+#endif /* USE_EAPTLS */
#define EAP_DEFREQTIME 20 /* Time to wait for peer request */
#define EAP_DEFALLOWREQ 20 /* max # times to accept requests */
diff -Naur ppp-2.4.5/pppd/md5.c ppp-2.4.5-eaptls-mppe-0.98/pppd/md5.c
--- ppp-2.4.5/pppd/md5.c 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/md5.c 2010-02-09 10:58:38.000000000 +0100
@@ -33,6 +33,8 @@
***********************************************************************
*/
+#ifndef USE_EAPTLS
+
#include <string.h>
#include "md5.h"
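Review bot: With USE_EAPTLS defined the new `#ifndef` compiles out everything in md5.c, and the matching md5.h hunk empties that header too, so the translation unit contains no declaration at all; strict ISO C rejects an empty translation unit and GCC reports it under `-Wpedantic`. Moving `#include <string.h>` above the `#ifndef USE_EAPTLS` line keeps at least one declaration in the unit, or the build could drop md5.o from the object list when EAP-TLS is enabled instead of guarding the source. The second hunk of this file closes the same guard.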
@@ -305,3 +307,5 @@
** End of md5.c **
******************************** (cut) ********************************
*/
+#endif /* USE_EAPTLS */
+
diff -Naur ppp-2.4.5/pppd/md5.h ppp-2.4.5-eaptls-mppe-0.98/pppd/md5.h
--- ppp-2.4.5/pppd/md5.h 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/md5.h 2010-02-09 10:58:38.000000000 +0100
@@ -36,6 +36,7 @@
** documentation and/or software. **
***********************************************************************
*/
+#ifndef USE_EAPTLS
#ifndef __MD5_INCLUDE__
@@ -63,3 +64,5 @@
#define __MD5_INCLUDE__
#endif /* __MD5_INCLUDE__ */
+
+#endif /* USE_EAPTLS */
diff -Naur ppp-2.4.5/pppd/options.c ppp-2.4.5-eaptls-mppe-0.98/pppd/options.c
--- ppp-2.4.5/pppd/options.c 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/options.c 2010-02-09 10:58:38.000000000 +0100
@@ -119,6 +119,10 @@
bool dryrun; /* print out option values and exit */
char *domain; /* domain name set by domain option */
int child_wait = 5; /* # seconds to wait for children at exit */
+#ifdef USE_EAPTLS
+bool only_update_crl_server = 0; /* update server crl and exit */
+bool only_update_crl_client = 0; /* update client crl and exit */
+#endif /* USE_EAPTLS */
#ifdef MAXOCTETS
unsigned int maxoctets = 0; /* default - no limit */
@@ -320,6 +324,12 @@
{ "mo-timeout", o_int, &maxoctets_timeout,
"Check for traffic limit every N seconds", OPT_PRIO | OPT_LLIMIT | 1 },
#endif
+#ifdef USE_EAPTLS
+ { "only-update-crl-server", o_bool, &only_update_crl_server,
+ "Update server CA CRLs and exit", 1 },
+ { "only-update-crl-client", o_bool, &only_update_crl_client,
+ "Update client CA CRLs and exit", 1 },
+#endif /* USE_EAPTLS */
{ NULL }
};
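Review bot: The two new `only-update-crl-*` entries carry only the o_bool value `1` in their flags and no `OPT_PRIV`, so pppd accepts them from any option source it reads, not just privileged ones. If the update path they trigger writes into the CRL directory or otherwise acts with pppd's privileges (its implementation is outside this file), adding `OPT_PRIV` to both entries' flags would restrict that to privileged invocations; confirm against the code that consumes `only_update_crl_server` and `only_update_crl_client`. The globals added in the first hunk have no `extern` in the pppd.h hunks below, so presumably they are declared in eap-tls.h.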
diff -Naur ppp-2.4.5/pppd/pathnames.h ppp-2.4.5-eaptls-mppe-0.98/pppd/pathnames.h
--- ppp-2.4.5/pppd/pathnames.h 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/pathnames.h 2010-02-09 10:58:38.000000000 +0100
@@ -21,6 +21,13 @@
#define _PATH_UPAPFILE _ROOT_PATH "/etc/ppp/pap-secrets"
#define _PATH_CHAPFILE _ROOT_PATH "/etc/ppp/chap-secrets"
#define _PATH_SRPFILE _ROOT_PATH "/etc/ppp/srp-secrets"
+
+#ifdef USE_EAPTLS
+#define _PATH_EAPTLSCLIFILE _ROOT_PATH "/etc/ppp/eaptls-client"
+#define _PATH_EAPTLSSERVFILE _ROOT_PATH "/etc/ppp/eaptls-server"
+#define _PATH_OPENSSLCONFFILE _ROOT_PATH "/etc/ppp/openssl.cnf"
+#endif /* USE_EAPTLS */
+
#define _PATH_SYSOPTIONS _ROOT_PATH "/etc/ppp/options"
#define _PATH_IPUP _ROOT_PATH "/etc/ppp/ip-up"
#define _PATH_IPDOWN _ROOT_PATH "/etc/ppp/ip-down"
diff -Naur ppp-2.4.5/pppd/plugins/Makefile.linux ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/Makefile.linux
--- ppp-2.4.5/pppd/plugins/Makefile.linux 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/Makefile.linux 2010-02-09 10:58:38.000000000 +0100
@@ -4,6 +4,9 @@
LDFLAGS = -shared
INSTALL = install
+# EAP-TLS
+CFLAGS += -DUSE_EAPTLS=1
+
DESTDIR = $(INSTROOT)@DESTDIR@
BINDIR = $(DESTDIR)/sbin
MANDIR = $(DESTDIR)/share/man/man8
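Review bot: `CFLAGS += -DUSE_EAPTLS=1` is added to the plugin Makefile unconditionally, so every plugin is compiled against the EAP-TLS hook symbols (`eaptls_passwd_hook` and `eaptls_check_hook` in the passprompt.c and passwordfd.c hunks below) regardless of how pppd itself was built. A pppd built without USE_EAPTLS does not export those symbols, and the plugins would then fail to load with an undefined-symbol error. Tying the define to the same switch pppd/Makefile.linux uses (that hunk is not visible here), e.g. `ifdef USE_EAPTLS` / `CFLAGS += -DUSE_EAPTLS=1` / `endif`, keeps the two builds from diverging.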
diff -Naur ppp-2.4.5/pppd/plugins/passprompt.c ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/passprompt.c
--- ppp-2.4.5/pppd/plugins/passprompt.c 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/passprompt.c 2010-02-09 10:58:38.000000000 +0100
@@ -107,4 +107,7 @@
{
add_options(options);
pap_passwd_hook = promptpass;
+#ifdef USE_EAPTLS
+ eaptls_passwd_hook = promptpass;
+#endif
}
diff -Naur ppp-2.4.5/pppd/plugins/passwordfd.c ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/passwordfd.c
--- ppp-2.4.5/pppd/plugins/passwordfd.c 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/plugins/passwordfd.c 2010-02-09 10:58:38.000000000 +0100
@@ -79,4 +79,9 @@
chap_check_hook = pwfd_check;
chap_passwd_hook = pwfd_passwd;
+
+#ifdef USE_EAPTLS
+ eaptls_check_hook = pwfd_check;
+ eaptls_passwd_hook = pwfd_passwd;
+#endif
}
diff -Naur ppp-2.4.5/pppd/pppd.h ppp-2.4.5-eaptls-mppe-0.98/pppd/pppd.h
--- ppp-2.4.5/pppd/pppd.h 2009-11-16 23:26:07.000000000 +0100
+++ ppp-2.4.5-eaptls-mppe-0.98/pppd/pppd.h 2010-02-09 10:58:38.000000000 +0100
@@ -320,6 +320,10 @@
extern bool dryrun; /* check everything, print options, exit */
extern int child_wait; /* # seconds to wait for children at end */
+#ifdef USE_EAPTLS
+extern char *crl_dir;
+#endif /* USE_EAPTLS */
+
#ifdef MAXOCTETS
extern unsigned int maxoctets; /* Maximum octetes per session (in bytes) */
extern int maxoctets_dir; /* Direction :
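Review bot: `extern char *crl_dir;` is the only declaration in this block without a trailing comment, where every neighbour documents itself; `extern char *crl_dir; /* directory of CRL files, set by the crl-dir option */` would match the file's style, with the meaning taken from the README hunk. The hook declarations in this file's second hunk would likewise benefit from a short comment noting that `eaptls_passwd_hook` supplies the private-key password, which is how passprompt.c and passwordfd.c wire it (to the same functions as the PAP/CHAP hooks).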
@@ -717,6 +721,11 @@
extern int (*chap_passwd_hook) __P((char *user, char *passwd));
extern void (*multilink_join_hook) __P((void));
+#ifdef USE_EAPTLS
+extern int (*eaptls_check_hook) __P((void));
+extern int (*eaptls_passwd_hook) __P((char *user, char *passwd));
+#endif
+
/* Let a plugin snoop sent and received packets. Useful for L2TP */
extern void (*snoop_recv_hook) __P((unsigned char *p, int len));
extern void (*snoop_send_hook) __P((unsigned char *p, int len));
Index: ppp.spec
===================================================================
RCS file: /cvs/extras/rpms/ppp/devel/ppp.spec,v
retrieving revision 1.62
retrieving revision 1.63
diff -u -p -r1.62 -r1.63
--- ppp.spec 7 Apr 2010 14:20:44 -0000 1.62
+++ ppp.spec 16 Jun 2010 08:10:26 -0000 1.63
@@ -1,7 +1,7 @@
Summary: The Point-to-Point Protocol daemon
Name: ppp
Version: 2.4.5
-Release: 8%{?dist}
+Release: 9%{?dist}
License: BSD and LGPLv2+ and GPLv2+ and Public Domain
Group: System Environment/Daemons
URL: http://www.samba.org/ppp
@@ -26,9 +26,10 @@ Patch23: ppp-2.4.2-dontwriteetc.patch
Patch24: ppp-2.4.4-fd_leak.patch
Patch25: ppp-2.4.5-var_run_ppp.patch
Patch26: ppp-2.4.5-manpg.patch
+Patch27: ppp-2.4.5-eaptls-mppe-0.98.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: pam-devel, libpcap-devel
+BuildRequires: pam-devel, libpcap-devel, openssl-devel
Requires: glibc >= 2.0.6, /etc/pam.d/system-auth, logrotate, libpcap >= 14:0.8.3-6
%description
@@ -67,6 +68,7 @@ This package contains the header files f
%patch24 -p1 -b .fd_leak
%patch25 -p1 -b .var_run_ppp
%patch26 -p1 -b .manpg
+%patch27 -p1 -b .eaptls
rm -f scripts/*.local
rm -f scripts/*.change_resolv_conf
@@ -119,6 +121,8 @@ rm -rf $RPM_BUILD_ROOT
%dir /etc/ppp
%dir /var/run/ppp
%attr(700, root, root) %dir /var/log/ppp
+%config(noreplace) /etc/ppp/eaptls-client
+%config(noreplace) /etc/ppp/eaptls-server
%config(noreplace) /etc/ppp/chap-secrets
%config(noreplace) /etc/ppp/options
%config(noreplace) /etc/ppp/pap-secrets
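Review bot: The patch also adds `etc.ppp/openssl.cnf` (see the diffstat and README section 3), but this %files hunk packages only eaptls-client and eaptls-server. If the patched `make install` places /etc/ppp/openssl.cnf, rpmbuild stops by default on the unpackaged file; if it does not, the sample configuration the README tells users to create is never shipped. Whichever is intended, a packaged copy should be `%config(noreplace)` and, because the README describes storing the PKCS#11 `PIN` in that file, installed with a restrictive mode such as `%attr(600, root, root)`.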
@@ -132,6 +136,9 @@ rm -rf $RPM_BUILD_ROOT
%doc PLUGINS
%changelog
+* Wed Jun 16 2010 Jiri Skala <jskala at redhat.com> - 2.4.5-9
+- included eap-tls patch
+
* Wed Apr 07 2010 Jiri Skala <jskala at redhat.com> - 2.4.5-8
- added pppoe-discovery(8)