Source-Changes-HG archive


[src/trunk]: src/external/bsd/ppp/dist What's new in ppp-2.4.9.



details:   https://anonhg.NetBSD.org/src/rev/0c9d1eb31cf1
branches:  trunk
changeset: 1017782:0c9d1eb31cf1
user:      christos <christos%NetBSD.org@localhost>
date:      Sat Jan 09 16:37:35 2021 +0000

description:
What's new in ppp-2.4.9.
************************

* Support for new EAP (Extensible Authentication Protocol) methods:
  - Support for EAP-TLS, from Jan Just Keijser and others
  - Support for EAP-MSCHAPv2, from Eivind Næss, Thomas Omerzu, Tijs
    Van Buggenhout and others

* New pppd options:
  - chap-timeout
  - chapms-strip-domain
  - replacedefaultroute
  - noreplacedefaultroute
  - ipv6cp-accept-remote
  - lcp-echo-adaptive
  - ip-up-script
  - ip-down-script
  - ca
  - capath
  - cert
  - key
  - crl-dir
  - crl
  - max-tls-version
  - need-peer-eap

* Fixes for CVE-2020-8597 and CVE-2015-3310.

* libpcap is now required when compiling on Linux (previously, if
  libpcap was not present, pppd would be compiled without packet
  filtering support).

* The rp-pppoe plugin has been renamed to pppoe, to distinguish it
  from the upstream rp-pppoe code.  Its options have changed names,
  but the old names are kept as aliases.

* The configure script now supports cross-compilation.

* Many bug fixes and cleanups.


What was new in ppp-2.4.8.
**************************

* New pppd options have been added:
  - ifname, to set the name for the PPP interface device
  - defaultroute-metric, to set the metric for the default route
  - defaultroute6, to add an IPv6 default route (with nodefaultroute6
    to prevent adding an IPv6 default route)
  - up_sdnotify, to have pppd notify systemd when the link is up.

* The rp-pppoe plugin has new options:
  - host-uniq, to set the Host-Uniq value to send
  - pppoe-padi-timeout, to set the timeout for discovery packets
  - pppoe-padi-attempts, to set the number of discovery attempts.

* Added the CLASS attribute in radius packets.

* Sundry bug fixes.

* Fixed warnings and issues found by static analysis.

* Added Submitting-patches.md.


What was new in ppp-2.4.7.
**************************

* Fixed a potential security issue in parsing option files (CVE-2014-3158).

* There is a new "stop-bits" option, which takes an argument of 1 or 2,
  indicating the number of stop bits to use for async serial ports.

* Various bug fixes.


What was new in ppp-2.4.6.
**************************

* Man page updates.

* Several bug fixes.

* Options files can now set and unset environment variables for
  scripts.

* The timeout for chat scripts can now be taken from an environment
  variable.

* There is a new option, master_detach, which allows pppd to detach
  from the controlling terminal when it is the multilink bundle master
  but its own link has terminated, even if the nodetach option has
  been given.

diffstat:

 external/bsd/ppp/dist/.github/workflows/buildroot.yaml     |    56 +
 external/bsd/ppp/dist/.github/workflows/solaris.yaml       |    17 +
 external/bsd/ppp/dist/README                               |    67 +-
 external/bsd/ppp/dist/README.eap-tls                       |   229 +
 external/bsd/ppp/dist/Submitting-patches.md                |   105 +
 external/bsd/ppp/dist/pppd/eap-tls.c                       |  1428 ++++++++++++
 external/bsd/ppp/dist/pppd/eap-tls.h                       |    96 +
 external/bsd/ppp/dist/pppd/plugins/passwordfd.c            |     4 +
 external/bsd/ppp/dist/pppd/plugins/pppoe/common.c          |   282 ++
 external/bsd/ppp/dist/pppd/plugins/pppoe/config.h          |   129 +
 external/bsd/ppp/dist/pppd/plugins/pppoe/debug.c           |   145 +
 external/bsd/ppp/dist/pppd/plugins/pppoe/discovery.c       |   666 +++++
 external/bsd/ppp/dist/pppd/plugins/pppoe/if.c              |   242 ++
 external/bsd/ppp/dist/pppd/plugins/pppoe/plugin.c          |   476 ++++
 external/bsd/ppp/dist/pppd/plugins/pppoe/pppoe-discovery.8 |    86 +
 external/bsd/ppp/dist/pppd/plugins/pppoe/pppoe-discovery.c |   784 ++++++
 external/bsd/ppp/dist/pppd/plugins/pppoe/pppoe.h           |   328 ++
 external/bsd/ppp/dist/pppd/plugins/pppol2tp/openl2tp.c     |     3 +
 external/bsd/ppp/dist/pppd/plugins/pppol2tp/pppol2tp.c     |     4 +
 external/bsd/ppp/dist/pppdump/pppdump.8                    |     5 +
 external/bsd/ppp/dist/pppstats/pppstats.8                  |     5 +
 external/bsd/ppp/dist/sample/auth-down                     |    17 +
 external/bsd/ppp/dist/sample/auth-up                       |    17 +
 external/bsd/ppp/dist/sample/ip-down                       |    22 +
 external/bsd/ppp/dist/sample/ip-up                         |    23 +
 external/bsd/ppp/dist/sample/options                       |   153 +
 external/bsd/ppp/dist/sample/options.ttyXX                 |    14 +
 external/bsd/ppp/dist/sample/pap-secrets                   |    28 +
 28 files changed, 5430 insertions(+), 1 deletions(-)

diffs (truncated from 5593 to 300 lines):

diff -r 11810a458464 -r 0c9d1eb31cf1 external/bsd/ppp/dist/.github/workflows/buildroot.yaml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/ppp/dist/.github/workflows/buildroot.yaml    Sat Jan 09 16:37:35 2021 +0000
@@ -0,0 +1,56 @@
+name: Buildroot
+on: [push, pull_request]
+
+jobs:
+  buildroot:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        defconfig_name: [qemu_x86_defconfig, qemu_x86_64_defconfig, raspberrypi4_defconfig, raspberrypi4_64_defconfig, qemu_ppc64le_pseries_defconfig, qemu_mips32r2_malta_defconfig, 
qemu_mips64_malta_defconfig]
+        libc_name: [glibc, uclibc, musl]
+    steps:
+      - name: Checkout Buildroot sources
+        run: git clone --depth=1 --branch=2020.11.1 https://git.busybox.net/buildroot
+      - name: Select latest PPP version
+        working-directory: buildroot/package/pppd
+        run: |
+          # Allow package to build when musl libc is selected
+          sed -i '/depends on !BR2_TOOLCHAIN_USES_MUSL/d' Config.in
+          # Upstream version always needs OpenSSL
+          sed -i '/select BR2_PACKAGE_OPENSSL/c\\select BR2_PACKAGE_OPENSSL' Config.in
+          # Do not check for package hash, so there is no need to compute it
+          rm pppd.hash
+          # Buildroot patch is already applied upstream
+          rm -f 0001-pppd-Fix-bounds-check.patch
+          # Get package sources from head of master branch
+          sed -i "/PPPD_VERSION =/c\\PPPD_VERSION = ${GITHUB_SHA}" pppd.mk
+          sed -i '/PPPD_SITE =/c\\PPPD_SITE = https://github.com/paulusmack/ppp' pppd.mk
+          sed -i '9iPPPD_SITE_METHOD = git' pppd.mk
+          # Plugin rp-pppoe has been renamed in "pppoe"
+          sed -i 's/rp-pppoe/pppoe/g' pppd.mk
+      - name: Enable PPP build
+        working-directory: buildroot
+        run: |
+          # Enable all Buildroot PPP options as everything is built by upstream build system
+          echo "BR2_PACKAGE_PPPD=y" >> configs/${{ matrix.defconfig_name }}
+          echo "BR2_PACKAGE_PPPD_FILTER=y" >> configs/${{ matrix.defconfig_name }}
+          echo "BR2_PACKAGE_PPPD_RADIUS=y" >> configs/${{ matrix.defconfig_name }}
+          echo "BR2_PACKAGE_PPPD_OVERWRITE_RESOLV_CONF=y" >> configs/${{ matrix.defconfig_name }}
+      - name: Select glibc
+        if: ${{ matrix.libc_name == 'glibc' }}
+        working-directory: buildroot
+        run: echo "BR2_TOOLCHAIN_BUILDROOT_GLIBC=y" >> configs/${{ matrix.defconfig_name }}
+      - name: Select uClibc
+        if: ${{ matrix.libc_name == 'uclibc' }}
+        working-directory: buildroot
+        run: echo "BR2_TOOLCHAIN_BUILDROOT_UCLIBC=y" >> configs/${{ matrix.defconfig_name }}
+      - name: Select musl
+        if: ${{ matrix.libc_name == 'musl' }}
+        working-directory: buildroot
+        run: echo "BR2_TOOLCHAIN_BUILDROOT_MUSL=y" >> configs/${{ matrix.defconfig_name }}
+      - name: Configure Buildroot
+        working-directory: buildroot
+        run: make ${{ matrix.defconfig_name }}
+      - name: Build
+        working-directory: buildroot
+        run: make
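
Review bot: the `rm pppd.hash` step in the "Select latest PPP version" block disables Buildroot's download integrity check for the pppd source, and the comment ("so there is no need to compute it") presents that as a convenience; it is acceptable only because the source is pinned to `${GITHUB_SHA}` through `PPPD_SITE_METHOD = git`, so the comment should say that the commit SHA, not a hash file, is the integrity anchor here. Two brittle points in the same block: `sed -i '9iPPPD_SITE_METHOD = git' pppd.mk` inserts at a hard-coded line number of a file taken from Buildroot 2020.11.1, so any edit to pppd.mk upstream silently puts the line somewhere else (anchor it on the `PPPD_SITE =` line instead), and the job never runs `actions/checkout`, relying on `${GITHUB_SHA}` being fetchable from `https://github.com/paulusmack/ppp`; for `pull_request` runs that SHA is a GitHub-generated merge commit, so confirm that a plain fetch of it from that URL works before trusting green results for pull requests from forks.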
diff -r 11810a458464 -r 0c9d1eb31cf1 external/bsd/ppp/dist/.github/workflows/solaris.yaml
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/ppp/dist/.github/workflows/solaris.yaml      Sat Jan 09 16:37:35 2021 +0000
@@ -0,0 +1,17 @@
+name: Solaris
+on: [push, pull_request]
+
+jobs:
+  solaris:
+    runs-on: macos-latest
+    steps:
+    - name: Checkout PPP sources
+      uses: actions/checkout@v2
+    - name: Build
+      uses: vmactions/solaris-vm@v0.0.1
+      with:
+        run: |
+          pkg update
+          pkg install gcc
+          ./configure
+          make
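
Review bot: the two `uses:` lines pin `actions/checkout@v2` and `vmactions/solaris-vm@v0.0.1` to mutable tags rather than commit SHAs, so the third-party VM action, which runs arbitrary build steps on every push and pull_request, can change under this workflow without any change visible here; pin both to a full commit SHA and keep the tag as a trailing comment (`uses: vmactions/solaris-vm@<sha>  # v0.0.1`). Also, `./configure` is run with no arguments, so this job does not show that the EAP-TLS code path (which the new README.eap-tls says requires OpenSSL) builds on Solaris; if that is intentional, a comment saying so would stop someone reading a green run as EAP-TLS coverage.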
diff -r 11810a458464 -r 0c9d1eb31cf1 external/bsd/ppp/dist/README
--- a/external/bsd/ppp/dist/README      Sat Jan 09 16:25:19 2021 +0000
+++ b/external/bsd/ppp/dist/README      Sat Jan 09 16:37:35 2021 +0000
@@ -61,9 +61,74 @@
 authenticating itself to you, of course.)
 
 
-What's new in ppp-2.4.7.
+What's new in ppp-2.4.9.
 ************************
 
+* Support for new EAP (Extensible Authentication Protocol) methods:
+  - Support for EAP-TLS, from Jan Just Keijser and others
+  - Support for EAP-MSCHAPv2, from Eivind Næss, Thomas Omerzu, Tijs
+    Van Buggenhout and others
+
+* New pppd options:
+  - chap-timeout
+  - chapms-strip-domain
+  - replacedefaultroute
+  - noreplacedefaultroute
+  - ipv6cp-accept-remote
+  - lcp-echo-adaptive
+  - ip-up-script
+  - ip-down-script
+  - ca
+  - capath
+  - cert
+  - key
+  - crl-dir
+  - crl
+  - max-tls-version
+  - need-peer-eap
+
+* Fixes for CVE-2020-8597 and CVE-2015-3310.
+
+* libpcap is now required when compiling on Linux (previously, if
+  libpcap was not present, pppd would be compiled without packet
+  filtering support).
+
+* The rp-pppoe plugin has been renamed to pppoe, to distinguish it
+  from the upstream rp-pppoe code.  Its options have changed names,
+  but the old names are kept as aliases.
+
+* The configure script now supports cross-compilation.
+
+* Many bug fixes and cleanups.
+  
+
+What was new in ppp-2.4.8.
+**************************
+
+* New pppd options have been added:
+  - ifname, to set the name for the PPP interface device
+  - defaultroute-metric, to set the metric for the default route
+  - defaultroute6, to add an IPv6 default route (with nodefaultroute6
+    to prevent adding an IPv6 default route)
+  - up_sdnotify, to have pppd notify systemd when the link is up.
+
+* The rp-pppoe plugin has new options:
+  - host-uniq, to set the Host-Uniq value to send
+  - pppoe-padi-timeout, to set the timeout for discovery packets
+  - pppoe-padi-attempts, to set the number of discovery attempts.
+
+* Added the CLASS attribute in radius packets.
+
+* Sundry bug fixes.
+
+* Fixed warnings and issues found by static analysis.
+
+* Added Submitting-patches.md.
+
+
+What was new in ppp-2.4.7.
+**************************
+
 * Fixed a potential security issue in parsing option files (CVE-2014-3158).
 
 * There is a new "stop-bits" option, which takes an argument of 1 or 2,
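
Review bot: the line `+* Fixes for CVE-2020-8597 and CVE-2015-3310.` gives no indication of what either fix addresses or which component is affected, which is what a downstream maintainer reads this section for; add a short clause per CVE naming the affected file or feature and whether it is reachable from the peer. Two smaller points in the same hunk: the blank line after `+* Many bug fixes and cleanups.` carries trailing whitespace, and the option list spells the CA directory option `capath` while the new README.eap-tls in this same changeset documents it as `ca-path`; the two documents should agree on the spelling pppd actually accepts.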
diff -r 11810a458464 -r 0c9d1eb31cf1 external/bsd/ppp/dist/README.eap-tls
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/external/bsd/ppp/dist/README.eap-tls      Sat Jan 09 16:37:35 2021 +0000
@@ -0,0 +1,229 @@
+EAP-TLS authentication support for PPP
+======================================
+
+1. Intro
+
+    The Extensible Authentication Protocol (EAP; RFC 3748) is a
+    security protocol that can be used with PPP.  It provides a means
+    to plug in multiple optional authentication methods.
+
+    Transport Level Security (TLS; RFC 5216) provides for mutual 
+    authentication, integrity-protected ciphersuite negotiation and 
+    key exchange between two endpoints.  It also provides for optional
+    MPPE encryption.
+
+    EAP-TLS (RFC 2716) incapsulates the TLS messages in EAP packets,
+    allowing TLS mutual authentication to be used as a generic EAP
+    mechanism. It also provides optional encryption using the MPPE
+    protocol.
+
+    This patch provide EAP-TLS support to pppd.
+    This authentication method can be used in both client or server
+    mode.
+
+2. Building
+
+    To build pppd with EAP-TLS support, OpenSSL (http://www.openssl.org)
+    is required. Any version from 0.9.7 should work.
+    
+    Configure, compile, and install as usual. 
+
+3. Configuration
+
+    On the client side there are two ways to configure EAP-TLS:
+
+    1. supply the appropriate 'ca', 'cert' and 'key' command-line parameters
+
+    2. edit the /etc/ppp/eaptls-client file.
+    Insert a line for each system with which you use EAP-TLS.
+    The line is composed of this fields separated by tab:
+
+      - Client name 
+        The name used by the client for authentication, can be *
+      - Server name
+        The name of the server, can be *
+      - Client certificate file 
+        The file containing the certificate chain for the 
+        client in PEM format
+      - Server certificate file
+        If you want to specify the certificate that the 
+        server is allowed to use, put the certificate file name.
+        Else put a dash '-'.
+      - CA certificate file
+        The file containing the trusted CA certificates in PEM
+        format.
+      - Client private key file
+        The file containing the client private key in PEM format.
+
+
+    On the server side edit the /etc/ppp/eaptls-server file.
+    Insert a line for each system with which you use EAP-TLS.
+    The line is composed of this fields separated by tab:
+
+      - Client name
+        The name used by the client for authentication, can be *
+      - Server name
+        The name of the server, can be *
+      - Client certificate file
+        If you want to specify the certificate that the
+        client is allowed to use, put the certificate file name.
+        Else put a dash '-'.
+      - Server certificate file
+        The file containing the certificate chain for the
+        server in PEM format
+      - CA certificate file
+        The file containing the trusted CA certificates in PEM format.
+      - Client private key file
+        The file containing the server private key in PEM format.
+      - addresses
+        A list of IP addresses the client is allowed to use.
+
+
+    OpenSSL engine support is included starting with v0.95 of this patch. 
+    Currently the only engine tested is the 'pkcs11' engine (hardware token
+    support). To use the 'pksc11' engine:
+      - Use a special private key fileiname in the /etc/ppp/eaptls-client file:
+          <engine>:<identifier>
+        e.g.
+          pkcs11:123456
+
+      - The certificate can also be loaded from the 'pkcs11' engine using
+        a special client certificate filename in the /etc/ppp/eaptls-client file:
+          <engine>:<identifier>
+        e.g.
+          pkcs11:123456
+
+      - Create an /etc/ppp/openssl.cnf file to load the right OpenSSL engine prior
+        to starting 'pppd'. A sample openssl.cnf file is
+
+        openssl_conf = openssl_def
+
+        [ openssl_def ]
+        engines = engine_section
+
+        [ engine_section ]
+        pkcs11 = pkcs11_section
+
+        [ pkcs11_section ]
+        engine_id = pkcs11
+        dynamic_path = /usr/lib64/openssl/engines/engine_pkcs11.so
+        MODULE_PATH = /usr/lib64/libeTPkcs11.so
+        init = 0
+
+      - There are two ways to specify a password/PIN for the PKCS11 engine:
+          - inside the openssl.cnf file using
+              PIN = your-secret-pin
+            Note The keyword 'PIN' is case sensitive!
+          - Using the 'password' in the ppp options file.
+        From v0.97 of the eap-tls patch the password can also be supplied
+        using the appropriate 'eaptls_passwd_hook' (see plugins/passprompt.c
+        for an example).
+
+
+4. Options
+
+    These pppd options are available:
+
+      ca <ca-file>
+        Use the CA public certificate found in <ca-file> in PEM format
+      ca-path <directory>
+        Use the directory <directory> as the CA public certificate directory
+      cert <cert-file>
+        Use the client public certificate found in <cert-file> in PEM format
+        or in engine:engine_id format
+      key <key-file>
+        Use the client private key found in <key-file> in PEM format
+        or in engine:engine_id format


