Historically, the MD5 checksums in our LFS files serve as a protection
against broken downloads, or accidentally corrupted source files.
While the sources are nowadays downloaded via HTTPS, it make sense to
beef up integrity protection for them, since transparently intercepting
TLS is believed to be feasible for more powerful actors, and the state
of the public PKI ecosystem is clearly not helping.
Therefore, this patch switches from MD5 to BLAKE2, updating all LFS
files as well as make.sh to deal with this checksum algorithm. BLAKE2 is
notably faster (and more secure) than SHA2, so the performance penalty
introduced by this patch is negligible, if noticeable at all.
In preparation of this patch, the toolchain files currently used have
been supplied with BLAKE2 checksums as well on
https://source.ipfire.org/.
Cc: Michael Tremer <michael.tremer@ipfire.org>
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Acked-by: Michael Tremer <michael.tremeripfire.org>
This is the first ppp release for years, and the project appears to have
a different maintainer (team?) by now. As a result, some of our patches
are no longer necessary as they made it into upstream, while others need
to be adjusted slightly.
In addition, their configure script does not handle commas in CFLAGS
properly, which is why the delimiter for the 'sed' call in it has to be
changed to something neither appearing in a path nor in our CLFAGS set.
The full changelog of this release can be retrieved from
https://ppp.samba.org/README.html and says:
* Support for new EAP (Extensible Authentication Protocol) methods:
- Support for EAP-TLS, from Jan Just Keijser and others
- Support for EAP-MSCHAPv2, from Eivind Næss, Thomas Omerzu, Tijs
Van Buggenhout and others
* New pppd options:
- chap-timeout
- chapms-strip-domain
- replacedefaultroute
- noreplacedefaultroute
- ipv6cp-accept-remote
- lcp-echo-adaptive
- ip-up-script
- ip-down-script
- ca
- capath
- cert
- key
- crl-dir
- crl
- max-tls-version
- need-peer-eap
* Fixes for CVE-2020-8597 and CVE-2015-3310.
* libpcap is now required when compiling on Linux (previously, if
libpcap was not present, pppd would be compiled without packet
filtering support).
* The rp-pppoe plugin has been renamed to pppoe, to distinguish it
from the upstream rp-pppoe code. Its options have changed names,
but the old names are kept as aliases.
* The configure script now supports cross-compilation.
* Many bug fixes and cleanups.
Thanks to Michael for his hint on the ./configure CFLAGS issue.
The second version of this patch correctly updates the
src/patches/ppp/0013-everywhere-O_CLOEXEC-harder.patch patch for the
second hunk in pppd/main.c, where socket permissions have been changed
meanwhile.
Further, it has been successfully tested against a VDSL 100 line in
Germany, using PAP to Easybell via 1&1 L2 BSA. No connectivity issues or
other anomalies have been observed so far.
Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
libcrypt has been removed from glibc and openssl
can be used instead for cryptographic operations.
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
Most of these files still used old dates and/or domain names for contact
mail addresses. This is now replaced by an up-to-date copyright line.
Just some housekeeping... :-)
Signed-off-by: Peter Müller <peter.mueller@link38.eu>
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org>
