Accepting request 18900 from network

Copy from network/vpnc based on submit request 18900 from user rwooninck

OBS-URL: https://build.opensuse.org/request/show/18900
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vpnc?expand=0&rev=1

.gitattributes

@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text

.gitignore

@@ -0,0 +1 @@
+.osc

vpnc-0.5.2r394.tar.bz2

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7982f92fe0f69de3ab49b9e7b9256ca86fc668d92c1b2df4cf788be625be3ae0
+size 82846

vpnc-nortel-attributes.diff

@@ -0,0 +1,61 @@
+Index: b/isakmp-pkt.c
+===================================================================
+--- a/isakmp-pkt.c
++++ b/isakmp-pkt.c
+@@ -637,10 +637,24 @@ static struct isakmp_attribute *parse_is
+ 				hex_dump("t.attributes.u.acl.mask", &r->u.acl.acl_ent[i].mask.s_addr, 4, NULL);
+ 				hex_dump("t.attributes.u.acl.protocol", &r->u.acl.acl_ent[i].protocol, DUMP_UINT16, NULL);
+ 				hex_dump("t.attributes.u.acl.sport", &r->u.acl.acl_ent[i].sport, DUMP_UINT16, NULL);
+ 				hex_dump("t.attributes.u.acl.dport", &r->u.acl.acl_ent[i].dport, DUMP_UINT16, NULL);
+ 			}
++		} else if (r->type == ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC) {
++			r->af = isakmp_attr_acl;
++			r->u.acl.count = length / (4 + 4);
++			if (r->u.acl.count * (4 + 4) != length) {
++				*reject = ISAKMP_N_PAYLOAD_MALFORMED;
++				return r;
++			}
++			r->u.acl.acl_ent = xallocc(r->u.acl.count * sizeof(struct acl_ent_s));
++			for (i = 0; i < r->u.acl.count; i++) {
++				fetchn(&r->u.acl.acl_ent[i].addr.s_addr, 4);
++				fetchn(&r->u.acl.acl_ent[i].mask.s_addr, 4);
++				hex_dump("t.attributes.u.acl.addr", &r->u.acl.acl_ent[i].addr.s_addr, 4, NULL);
++				hex_dump("t.attributes.u.acl.mask", &r->u.acl.acl_ent[i].mask.s_addr, 4, NULL);
++			}
+ 		} else {
+ 			r->u.lots.data = xallocc(length);
+ 			fetchn(r->u.lots.data, length);
+ 			if ((((ISAKMP_XAUTH_06_ATTRIB_TYPE < type)
+ 				&& (type <= ISAKMP_XAUTH_06_ATTRIB_ANSWER)
+Index: b/isakmp.h
+===================================================================
+--- a/isakmp.h
++++ b/isakmp.h
+@@ -456,10 +456,11 @@ enum isakmp_modecfg_attrib_enum {
+ 	ISAKMP_XAUTH_02_ATTRIB_DOMAIN,
+ 	ISAKMP_XAUTH_02_ATTRIB_STATUS,
+ 	ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN,
+ 	ISAKMP_XAUTH_02_ATTRIB_ANSWER, /* TYPE .. ANSWER is excluded from dump */
+ 
++	ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC = 0x4000,
+ 	ISAKMP_MODECFG_ATTRIB_NORTEL_UNKNOWN_4011 = 0x4011,
+ 	ISAKMP_MODECFG_ATTRIB_NORTEL_CLIENT_ID = 0x4012,
+ 
+ 	ISAKMP_XAUTH_06_ATTRIB_TYPE = 0x4088,
+ 	ISAKMP_XAUTH_06_ATTRIB_USER_NAME,
+Index: b/vpnc.c
+===================================================================
+--- a/vpnc.c
++++ b/vpnc.c
+@@ -992,10 +992,11 @@ static int do_config_to_env(struct sa_bl
+ 				DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
+ 			}
+ 			break;
+ 
+ 		case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
++		case ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC:
+ 			if (a->af != isakmp_attr_acl) {
+ 				reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
+ 				break;
+ 			}
+ 

vpnc-nortel-fix-segfault.diff

@@ -0,0 +1,17 @@
+Index: b/vpnc.c
+===================================================================
+--- a/vpnc.c
++++ b/vpnc.c
+@@ -1712,10 +1712,12 @@ static void do_phase1(const char *key_id
+ 					gcry_md_setkey(skeyid_ctx, key, key_len);
+ 					gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(dh_grp));
+ 					gcry_md_final(skeyid_ctx);
+ 				} else
+ 					error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
++				skeyid = gcry_md_read(skeyid_ctx, 0);
++				hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
+ 			} else {
+ 				skeyid = gcry_md_read(skeyid_ctx, 0);
+ 				hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
+ 			}
+ 			if (opt_vendor == VENDOR_NORTEL)

vpnc-patch_nortel_auth_394.txt.diff

@@ -0,0 +1,421 @@
+Index: isakmp.h
+===================================================================
+--- isakmp.h	(revision 394)
++++ isakmp.h	(working copy)
+@@ -486,4 +486,23 @@
+ 	ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR = 0x7d88 /* strange cisco things ... need docs! */
+ };
+ 
++enum isakmp_modecfg_type_enum { /* draft-ietf-ipsec-isakmp-xauth-05.txt */
++	ISAKMP_MODECFG_TYPE_GENERIC,
++	ISAKMP_MODECFG_TYPE_RADIUS,
++	ISAKMP_MODECFG_TYPE_OTP,
++	ISAKMP_MODECFG_TYPE_NTDOMAIN,
++	ISAKMP_MODECFG_TYPE_UNIX,
++	ISAKMP_MODECFG_TYPE_SECURID,
++	ISAKMP_MODECFG_TYPE_AXENT,
++	ISAKMP_MODECFG_TYPE_LEEMAH,
++	ISAKMP_MODECFG_TYPE_ACTIVECARD,
++	ISAKMP_MODECFG_TYPE_DESGOLD,
++	ISAKMP_MODECFG_TYPE_TACACS,
++	ISAKMP_MODECFG_TYPE_TACACSPLUS,
++	ISAKMP_MODECFG_TYPE_SKEY,
++	ISAKMP_MODECFG_TYPE_NDS,
++	ISAKMP_MODECFG_TYPE_DIAMETER,
++	ISAKMP_MODECFG_TYPE_LDAP
++};
++
+ #endif
+Index: config.h
+===================================================================
+--- config.h	(revision 394)
++++ config.h	(working copy)
+@@ -49,6 +49,7 @@
+ 	CONFIG_IPSEC_SECRET,
+ 	CONFIG_IPSEC_SECRET_OBF,
+ 	CONFIG_XAUTH_USERNAME,
++	CONFIG_XAUTH_PIN,
+ 	CONFIG_XAUTH_PASSWORD,
+ 	CONFIG_XAUTH_PASSWORD_OBF,
+ 	CONFIG_XAUTH_INTERACTIVE,
+@@ -87,11 +88,16 @@
+ };
+ 
+ enum auth_mode_enum {
+-	AUTH_MODE_PSK,
++	AUTH_MODE_PSK,                  /* pre-shared key */
+ 	AUTH_MODE_RSA1,
+ 	AUTH_MODE_RSA2,
+-	AUTH_MODE_CERT,
+-	AUTH_MODE_HYBRID
++	AUTH_MODE_CERT,                 /* Digital Certificate Authentication */
++	AUTH_MODE_HYBRID,               /* server certificate + xauth */
++	AUTH_MODE_NORTEL_USERNAME,      /* User Name and Password Authentication */
++	AUTH_MODE_NORTEL_TOKEN,         /* Group Security - Response Only Token - Use Passcode */
++	AUTH_MODE_NORTEL_PINTOKEN,      /* Group Security - Response Only Token - Use Two-Factor Card */
++	AUTH_MODE_NORTEL_TOKENSW,       /* Group Security - Response Only Token - Use SoftID Software */
++	AUTH_MODE_NORTEL_GPASSWORD      /* Group Security - Group Password Authentication */
+ };
+ 
+ extern const char *config[LAST_CONFIG];
+Index: config.c
+===================================================================
+--- config.c	(revision 394)
++++ config.c	(working copy)
+@@ -159,7 +159,7 @@
+ 
+ static const char *config_def_auth_mode(void)
+ {
+-	return "psk";
++	return "default";
+ }
+ 
+ static const char *config_def_nortel_client_id(void)
+@@ -247,6 +247,13 @@
+ 		"your username",
+ 		NULL
+ 	}, {
++		CONFIG_XAUTH_PIN, 1, 0,
++		NULL,
++		"Xauth PIN ",
++		"<ASCII string>",
++		"PIN for Nortel Two-Factor Authentication",
++		NULL
++	}, {
+ 		CONFIG_XAUTH_PASSWORD, 1, 0,
+ 		NULL,
+ 		"Xauth password ",
+@@ -434,11 +441,17 @@
+ 		CONFIG_AUTH_MODE, 1, 1,
+ 		"--auth-mode",
+ 		"IKE Authmode ",
+-		"<psk/cert/hybrid>",
++		"<default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword>",
+ 		"Authentication mode:\n"
+-		" * psk:    pre-shared key (default)\n"
+-		" * cert:   server + client certificate (not implemented yet)\n"
+-		" * hybrid: server certificate + xauth (if built with openssl support)\n",
++		" * default:   maps to vendor specific default mode\n"
++		" * cert:      server + client certificate (not implemented yet)\n"
++		" * psk:       Cisco pre-shared key (default for Cisco)\n"
++		" * hybrid:    Cisco server certificate + xauth (if built with openssl support)\n"
++		" * username:  Nortel User Name and Password Authentication\n"
++		" * token:     Nortel Group Security - Response Only Token - Use Passcode (default for Nortel)\n"
++		" * PIN-token: Nortel Group Security - Response Only Token - Use Two-Factor Card\n"
++		" * token-SW:  Nortel Group Security - Response Only Token - Use SoftID Software\n"
++		" * gpassword: Nortel Group Security - Group Password Authentication",
+ 		config_def_auth_mode
+ 	}, {
+ 		CONFIG_CA_FILE, 1, 1,
+@@ -703,16 +716,79 @@
+ 		opt_nd = (config[CONFIG_ND]) ? 1 : 0;
+ 		opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0;
+ 
++		if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
++			opt_vendor = VENDOR_CISCO;
++		} else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
++			opt_vendor = VENDOR_NETSCREEN;
++		} else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
++			opt_vendor = VENDOR_NORTEL;
++		} else {
++			printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n",
++				argv[0], config[CONFIG_VENDOR]);
++			exit(1);
++		}
++
+ 		if (!strcmp(config[CONFIG_AUTH_MODE], "psk")) {
+ 			opt_auth_mode = AUTH_MODE_PSK;
+ 		} else if (!strcmp(config[CONFIG_AUTH_MODE], "cert")) {
+ 			opt_auth_mode = AUTH_MODE_CERT;
+ 		} else if (!strcmp(config[CONFIG_AUTH_MODE], "hybrid")) {
+ 			opt_auth_mode = AUTH_MODE_HYBRID;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "username")) {
++			opt_auth_mode = AUTH_MODE_NORTEL_USERNAME;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "token")) {
++			opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "PIN-token")) {
++			opt_auth_mode = AUTH_MODE_NORTEL_PINTOKEN;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "token-SW")) {
++			opt_auth_mode = AUTH_MODE_NORTEL_TOKENSW;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "gpassword")) {
++			opt_auth_mode = AUTH_MODE_NORTEL_GPASSWORD;
++		} else if (!strcmp(config[CONFIG_AUTH_MODE], "default")) {
++			switch (opt_vendor) {
++				case VENDOR_NORTEL:
++					opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++					break;
++				case VENDOR_NETSCREEN:
++				case VENDOR_CISCO:
++				default:
++					opt_auth_mode = AUTH_MODE_PSK;
++					break;
++			}
+ 		} else {
+-			printf("%s: unknown authentication mode %s\nknown modes: psk cert hybrid\n", argv[0], config[CONFIG_AUTH_MODE]);
++			printf("%s: unknown authentication mode \"%s\"\nknown modes: "
++				"default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword\n",
++				argv[0], config[CONFIG_AUTH_MODE]);
+ 			exit(1);
+ 		}
++
++		if (((opt_vendor == VENDOR_NORTEL) &&
++			((opt_auth_mode != AUTH_MODE_CERT) &&
++			 (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) &&
++			 (opt_auth_mode != AUTH_MODE_NORTEL_TOKEN) &&
++			 (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN) &&
++			 (opt_auth_mode != AUTH_MODE_NORTEL_TOKENSW) &&
++			 (opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD))) ||
++		    ((opt_vendor == VENDOR_CISCO) &&
++			((opt_auth_mode != AUTH_MODE_CERT) &&
++			 (opt_auth_mode != AUTH_MODE_PSK) &&
++			 (opt_auth_mode != AUTH_MODE_HYBRID))) ||
++		    ((opt_vendor == VENDOR_NETSCREEN) &&
++			((opt_auth_mode != AUTH_MODE_CERT) &&
++			 (opt_auth_mode != AUTH_MODE_PSK) &&
++			 (opt_auth_mode != AUTH_MODE_HYBRID)))) {
++			printf("%s: Auth Mode \"%s\" not valid for Vendor \"%s\"\n",
++				argv[0], config[CONFIG_AUTH_MODE], config[CONFIG_VENDOR]);
++			exit(1);
++		}
++
++		if (opt_auth_mode == AUTH_MODE_CERT ||
++		    opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW) {
++			printf("%s: unimplemented Auth Mode \"%s\"\n",
++				argv[0], config[CONFIG_AUTH_MODE]);
++			exit(1);
++		}
++
+ #ifndef OPENSSL_GPL_VIOLATION
+ 		if (opt_auth_mode == AUTH_MODE_HYBRID ||
+ 			opt_auth_mode == AUTH_MODE_CERT) {
+@@ -783,17 +859,6 @@
+ 			}
+ 			opt_nortel_client_id = tmp;
+ 		}
+-
+-		if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
+-			opt_vendor = VENDOR_CISCO;
+-		} else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
+-			opt_vendor = VENDOR_NETSCREEN;
+-		} else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
+-			opt_vendor = VENDOR_NORTEL;
+-		} else {
+-			printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", argv[0], config[CONFIG_VENDOR]);
+-			exit(1);
+-		}
+ 	}
+ 
+ 	if (opt_debug >= 99) {
+@@ -810,6 +875,12 @@
+ 			continue;
+ 		if (config[CONFIG_XAUTH_INTERACTIVE] && i == CONFIG_XAUTH_PASSWORD)
+ 			continue;
++		if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME
++		    && (i == CONFIG_XAUTH_USERNAME || i == CONFIG_XAUTH_PASSWORD))
++			continue;
++		if (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN
++		    && i == CONFIG_XAUTH_PIN)
++			continue;
+ 
+ 		s = NULL;
+ 		s_len = 0;
+@@ -828,6 +899,11 @@
+ 		case CONFIG_XAUTH_USERNAME:
+ 			printf("Enter username for %s: ", config[CONFIG_IPSEC_GATEWAY]);
+ 			break;
++		case CONFIG_XAUTH_PIN:
++			printf("Enter PIN for %s@%s: ",
++				config[CONFIG_XAUTH_USERNAME],
++				config[CONFIG_IPSEC_GATEWAY]);
++			break;
+ 		case CONFIG_XAUTH_PASSWORD:
+ 			printf("Enter password for %s@%s: ",
+ 				config[CONFIG_XAUTH_USERNAME],
+@@ -839,6 +915,7 @@
+ 		fflush(stdout);
+ 		switch (i) {
+ 		case CONFIG_IPSEC_SECRET:
++		case CONFIG_XAUTH_PIN:
+ 		case CONFIG_XAUTH_PASSWORD:
+ 			s = strdup(getpass(""));
+ 			break;
+@@ -870,10 +947,14 @@
+ 		error(1, 0, "missing IPSec ID");
+ 	if (!config[CONFIG_IPSEC_SECRET])
+ 		error(1, 0, "missing IPSec secret");
+-	if (!config[CONFIG_XAUTH_USERNAME])
+-		error(1, 0, "missing Xauth username");
+-	if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
+-		error(1, 0, "missing Xauth password");
++	if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
++		if (!config[CONFIG_XAUTH_USERNAME])
++			error(1, 0, "missing Xauth username");
++		if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
++			error(1, 0, "missing Xauth password");
++	}
++	if (opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN && !config[CONFIG_XAUTH_PIN])
++		error(1, 0, "missing Xauth PIN");
+ 	if (get_dh_group_ike() == NULL)
+ 		error(1, 0, "IKE DH Group \"%s\" unsupported\n", config[CONFIG_IKE_DH]);
+ 	if (get_dh_group_ipsec(-1) == NULL)
+Index: vpnc.c
+===================================================================
+--- vpnc.c	(revision 394)
++++ vpnc.c	(working copy)
+@@ -1110,17 +1110,10 @@
+ 	r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
+ 
+ 	if (opt_vendor == VENDOR_NORTEL) {
+-	auth = 0;
++		auth = 0;
+ 		if ((opt_auth_mode == AUTH_MODE_CERT) &&
+ 	        (supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
+ 			(supp_auth[auth].ike_sa_id != IKE_AUTH_DSS)) {
+-		} else if ((opt_auth_mode == AUTH_MODE_HYBRID) &&
+-		    (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
+-			(supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS)) {
+-		} else if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
+-			supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
+-			supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
+-			supp_auth[auth].ike_sa_id == IKE_AUTH_DSS) {
+ 		} else {
+ 			for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
+ 				keylen = supp_crypt[crypt].keylen;
+@@ -1284,7 +1277,10 @@
+ 		l->u.id.protocol = IPPROTO_UDP;
+ 		l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
+ 		if (opt_vendor == VENDOR_NORTEL) {
+-			l->u.id.length = 24;
++			if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME)
++				l->u.id.length = 20;
++			else
++				l->u.id.length = 24;
+ 			l->u.id.data = xallocc(l->u.id.length);
+ 			gcry_md_hash_buffer(GCRY_MD_SHA1, l->u.id.data, key_id, strlen(key_id));
+ 			/* memcpy(l->u.id.data, key_id, strlen(key_id)); */
+@@ -1629,7 +1625,10 @@
+ 			reject = ISAKMP_N_INVALID_ID_INFORMATION;
+ 
+ 		/* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
+-		if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
++		if (reject == 0 &&
++			((opt_auth_mode == AUTH_MODE_PSK) ||
++			 (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) &&
++			(hash == NULL || hash->u.hash.length != s->ike.md_len))
+ 			reject = ISAKMP_N_INVALID_HASH_INFORMATION;
+ 		if (reject == 0 && sig == NULL &&
+ 			(opt_auth_mode == AUTH_MODE_CERT ||
+@@ -1744,7 +1743,8 @@
+ 			expected_hash = gcry_md_read(hm, 0);
+ 			hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
+ 
+-			if (opt_auth_mode == AUTH_MODE_PSK) {
++			if ((opt_auth_mode == AUTH_MODE_PSK) ||
++				(opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) {
+ 				if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
+ 					error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
+ 						val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
+@@ -2228,7 +2228,6 @@
+ 	DEBUGTOP(2, printf("S5.1 xauth_start\n"));
+ 	/* This can go around for a while.  */
+ 	for (loopcount = 0;; loopcount++) {
+-		uint16_t xauth_type_requested = 5;
+ 		struct isakmp_payload *rp;
+ 		struct isakmp_attribute *a, *ap, *reply_attr;
+ 		char ntop_buf[32];
+@@ -2343,6 +2342,12 @@
+ 		reply_attr = NULL;
+ 		for (ap = a; ap && reject == 0; ap = ap->next)
+ 			switch (ap->type) {
++			case ISAKMP_XAUTH_02_ATTRIB_TYPE:
++				if (opt_auth_mode == AUTH_MODE_NORTEL_GPASSWORD)
++					reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_RADIUS, reply_attr);
++				else
++					reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_SECURID, reply_attr);
++				break;
+ 			case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
+ 			case ISAKMP_XAUTH_02_ATTRIB_DOMAIN:
+ 				{
+@@ -2416,16 +2421,27 @@
+ 					memset(pass, 0, na->u.lots.length);
+ 				} else {
+ 					struct isakmp_attribute *na;
+-					if (opt_vendor == VENDOR_NORTEL) {
+-						na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, /* reply_attr */ NULL);
++					if (opt_vendor == VENDOR_NORTEL
++					    && opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD)
++						na = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, reply_attr);
++					else
++						na = new_isakmp_attribute(ap->type, reply_attr);
++					reply_attr = na;
++					if (opt_vendor == VENDOR_NORTEL
++					    && opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) {
++						int l_pin, l_pas;
++						l_pin = strlen(config[CONFIG_XAUTH_PIN]);
++						l_pas = strlen(config[CONFIG_XAUTH_PASSWORD]);
++						na->u.lots.length = l_pin + l_pas;
++						na->u.lots.data = xallocc(na->u.lots.length);
++						memcpy(na->u.lots.data, config[CONFIG_XAUTH_PIN], l_pin);
++						memcpy(na->u.lots.data + l_pin, config[CONFIG_XAUTH_PASSWORD], l_pas);
+ 					} else {
+-						na = new_isakmp_attribute(ap->type, reply_attr);
+-						reply_attr = na;
++						na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
++						na->u.lots.data = xallocc(na->u.lots.length);
++						memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
++							na->u.lots.length);
+ 					}
+-					na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
+-					na->u.lots.data = xallocc(na->u.lots.length);
+-					memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
+-						na->u.lots.length);
+ 					passwd_used = 1; /* Provide canned password at most once */
+ 				}
+ 				break;
+@@ -2433,10 +2449,6 @@
+ 				;
+ 			}
+ 
+-		if (opt_vendor == VENDOR_NORTEL) {
+-			reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, xauth_type_requested, reply_attr);
+-		}
+-
+ 		/* Send the response.  */
+ 		rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
+ 		rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
+@@ -2551,7 +2563,8 @@
+ 		rp->u.modecfg.attributes = a;
+ 		sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0, 0, 0);
+ 	} else {
+-		r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
++		if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME)
++			r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
+ 	}
+ 
+ 	/* recv and check for notices */
+@@ -3802,18 +3815,22 @@
+ 	do {
+ 		DEBUGTOP(2, printf("S4 do_phase1\n"));
+ 		do_phase1(group_id, config[CONFIG_IPSEC_SECRET], s);
+-		DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
+ 
+ 		if (opt_vendor == VENDOR_NORTEL) {
+-			do_load_balance = do_phase2_xauth(s);
++			if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
++				DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
++				do_load_balance = do_phase2_xauth(s);
++			}
+ 			DEBUGTOP(2, printf("S6 do_phase2_config\n"));
+ 			do_load_balance = do_phase2_config(s);
+ 			DEBUGTOP(2, printf("S6 do_phase2\n"));
+ 			do_phase2(s);
+ 		} else {
+ 			/* FIXME: Create and use a generic function in supp.[hc] */
+-			if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
++			if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA) {
++				DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
+ 				do_load_balance = do_phase2_xauth(s);
++			}
+ 			DEBUGTOP(2, printf("S6 do_phase2_config\n"));
+ 			if ((opt_vendor == VENDOR_CISCO || opt_vendor == VENDOR_NORTEL) && (do_load_balance == 0))
+ 				do_load_balance = do_phase2_config(s);

vpnc.changes

@@ -0,0 +1,129 @@
+-------------------------------------------------------------------
+Wed Aug 26 17:52:19 CET 2009 - tittiatcoke@gmail.com
+
+- adjusted group to Productivity/Networking/Security
+
+-------------------------------------------------------------------
+Sat Jul 18 22:14:19 CET 2009 - tittiatcoke@gmail.com
+
+- disabled the patch to send intial packages twice. This does not 
+  always work.
+
+-------------------------------------------------------------------
+Thu Jan 29 16:06:19 CET 2009 - seife@suse.de
+
+- fix segfault in the non-nortel case (bnc#468789)
+
+-------------------------------------------------------------------
+Thu Jan 29 15:13:34 CET 2009 - seife@suse.de
+
+- update the nortel-grouppasswdauth patch.
+  ATTENTION! nortel users have to change "Nortel Auth Mode" to
+  "IKE Authmode" in their config file.
+- add a patch to send initial packages twice, makes connection
+  setup more robust against packet loss
+
+-------------------------------------------------------------------
+Sun Jan 18 13:01:34 CET 2009 - seife@suse.de
+
+- replace vpnc-nortel-grouppasswordauth.diff with the patch that's
+  scheduled for upstream inclusion
+
+-------------------------------------------------------------------
+Thu Jan  8 17:11:36 CET 2009 - seife@suse.de
+
+- fix rpmlint warnings
+
+-------------------------------------------------------------------
+Mon Jan  5 17:07:35 CET 2009 - seife@suse.de
+
+- add vpnc-nortel-attributes.diff, to accept split tunnel configs
+  from the server
+
+-------------------------------------------------------------------
+Mon Jan  5 11:22:40 CET 2009 - seife@suse.de
+
+- update to current SVN, using the "nortel" branch.
+- add a patch for nortel group password authentication
+
+-------------------------------------------------------------------
+Thu Jan 17 10:50:41 CET 2008 - lmuelle@suse.de
+
+- Use the real FULL_SCRIPTNAME.
+
+-------------------------------------------------------------------
+Mon Jan 14 14:55:41 CET 2008 - lmuelle@suse.de
+
+- Update to version 0.5.1.
+  + Link against -lcrypto instead of -lssl.
+  + Fixed crashes on 64bit platforms.
+  + Dead-Peer-Detection support.
+  + Hybrid-Auth support.
+  + Rekeying support; [#134480].
+- Use upstream default location for vpnc-script.
+
+-------------------------------------------------------------------
+Sat Nov 11 11:51:04 CET 2006 - aj@suse.de
+
+- Fix permissions of man files.
+- Compile with RPM_OPT_FLAGS.
+
+-------------------------------------------------------------------
+Wed Jan 25 21:42:43 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Aug 12 00:57:01 CEST 2005 - lmuelle@suse.de
+
+- Install the example configuration as example.conf in the doc dir.
+
+-------------------------------------------------------------------
+Thu Aug 11 01:09:33 CEST 2005 - lmuelle@suse.de
+
+- Install vpnc.conf no longer as default.conf while keeping default.conf as
+  %config(noreplace) and %ghost in the package list; [#103856].
+
+-------------------------------------------------------------------
+Thu May 19 23:36:54 CEST 2005 - lmuelle@suse.de
+
+- Update to version 0.3.3; [#72234].
+
+-------------------------------------------------------------------
+Tue Nov 23 22:32:51 CET 2004 - lmuelle@suse.de
+
+- Update to version 0.3.2.
+- Remove most parts of the vpnc-connect diff, [#46931].
+
+-------------------------------------------------------------------
+Thu Oct 14 14:48:14 CEST 2004 - mc@suse.de
+
+- removed depcomp from filelist [#47074] 
+
+-------------------------------------------------------------------
+Sat Aug  7 06:25:29 CEST 2004 - lmuelle@suse.de
+
+- Update to version 0.2-rm+zomb.1; [#43525].
+
+-------------------------------------------------------------------
+Mon Jul 26 13:12:25 CEST 2004 - ro@suse.de
+
+- added libgcrypt-devel, libgpg-error-devel to neededforbuild
+
+-------------------------------------------------------------------
+Sat May  8 21:12:12 CEST 2004 - lmuelle@suse.de
+
+- Update to version 0.2-rm+zomb-pre9.
+
+-------------------------------------------------------------------
+Fri Apr 16 13:51:03 CEST 2004 - lmuelle@suse.de
+
+- add man page and connect and disconnect script patches provided by Eduard
+  Bloch <blade at debian dot org>
+- add /etc/vpnc directory for additional configuration files
+- rename /etc/wlan.conf to /etc/vpnc/default.conf
+
+-------------------------------------------------------------------
+Mon Apr 12 22:40:36 CEST 2004 - lmuelle@suse.de
+
+- inital SuSE RPM

vpnc.spec

@@ -0,0 +1,99 @@
+#
+# spec file for package vpnc (Version 0.5.2r394)
+#
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+
+Name:           vpnc
+Group:          Productivity/Networking/Security
+BuildRequires:  libgcrypt-devel
+Version:        0.5.2r394
+Release:        5
+License:        BSD 3-clause (or similar) ; GPL v2 or later
+AutoReqProv:    on
+Summary:        A Client for Cisco VPN concentrator
+Requires:       /usr/bin/sed /sbin/ip
+Source:         %{name}-%{version}.tar.bz2
+Patch1:         vpnc-patch_nortel_auth_394.txt.diff
+Patch2:         vpnc-nortel-attributes.diff
+Patch3:         vpnc-nortel-fix-segfault.diff
+BuildRoot:      %{_tmppath}/%{name}-%{version}-build
+
+%description
+A VPN client compatible with Cisco's EasyVPN equipment.
+
+Cisco 3000, IOS routers, PIX/ASA Zecurity Appliances, and
+Juniper/Netscreen as well as Nortel Contivity (experimental).
+
+Supported Authentications: Pre-Shared-Key + XAUTH, Pre-Shared-Key
+Supported IKE DH-Groups: dh1 dh2 dh5 Supported Hash Algo (IKE/IPSEC):
+md5 sha1 Supported Encryptions (IKE/IPSEC): (null) (1des) 3des aes128
+aes192 aes256 Perfect Forward Secrecy: nopfs dh1 dh2 dh5
+
+It runs entirely in userspace and uses the TUN/TAP driver for access.
+
+
+
+Authors:
+--------
+    Maurice Massar <vpnc at unix-ag dot uni-kl dot de>
+    Eduard Bloch <blade at debian dot org>
+
+%prep
+%setup -n %{name}-%{version}
+%patch1 -p0
+%patch2 -p1
+%patch3 -p1
+
+%build
+%{?suse_update_config:%{suse_update_config -f}}
+%{__make} \
+	CFLAGS="$RPM_OPT_FLAGS" \
+	PREFIX=/usr
+
+%install
+mkdir -p \
+	${RPM_BUILD_ROOT}/%{_localstatedir}/run/vpnc
+%{__make} install \
+	DESTDIR=${RPM_BUILD_ROOT} \
+	PREFIX=/usr
+# Use chmod as %attr doesn't work for %doc maked files in the list
+touch ${RPM_BUILD_ROOT}/%{_localstatedir}/run/vpnc/{defaultroute,gateway,pid,resolv.conf-backup} || true
+rm -rfv ${RPM_BUILD_ROOT}/usr/share/doc/vpnc
+
+%clean
+
+%files
+%defattr(-,root,root)
+%attr(0600,root,root) %config(noreplace) %ghost %{_sysconfdir}/vpnc/default.conf
+%dir %{_sysconfdir}/vpnc
+%{_sysconfdir}/vpnc/vpnc-script
+%{_sbindir}/vpnc
+%{_sbindir}/vpnc-disconnect
+%{_bindir}/cisco-decrypt
+%{_bindir}/pcf2vpnc
+%{_mandir}/man1/cisco-decrypt.1.*
+%{_mandir}/man1/pcf2vpnc.1.*
+%{_mandir}/man8/vpnc.8.*
+%dir %{_localstatedir}/run/vpnc
+%ghost %{_localstatedir}/run/vpnc/defaultroute
+%ghost %{_localstatedir}/run/vpnc/gateway
+%ghost %{_localstatedir}/run/vpnc/pid
+%ghost %{_localstatedir}/run/vpnc/resolv.conf-backup
+%doc ChangeLog COPYING README TODO VERSION
+
+%changelog