commit 98dd6d712b85c00de64e874deeec9816401f7d950a4aa5955cb18765a2110cd2 Author: OBS User autobuild Date: Tue Sep 1 22:15:57 2009 +0000 Accepting request 18900 from network Copy from network/vpnc based on submit request 18900 from user rwooninck OBS-URL: https://build.opensuse.org/request/show/18900 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/vpnc?expand=0&rev=1
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000..9b03811
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..57affb6
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.osc
diff --git a/ready b/ready
new file mode 100644
index 0000000..473a0f4
diff --git a/vpnc-0.5.2r394.tar.bz2 b/vpnc-0.5.2r394.tar.bz2
new file mode 100644
index 0000000..d7c0f1e
--- /dev/null
+++ b/vpnc-0.5.2r394.tar.bz2
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7982f92fe0f69de3ab49b9e7b9256ca86fc668d92c1b2df4cf788be625be3ae0
+size 82846
diff --git a/vpnc-nortel-attributes.diff b/vpnc-nortel-attributes.diff
new file mode 100644
index 0000000..26ad535
--- /dev/null
+++ b/vpnc-nortel-attributes.diff
@@ -0,0 +1,61 @@
+Index: b/isakmp-pkt.c
+===================================================================
+--- a/isakmp-pkt.c
++++ b/isakmp-pkt.c
+@@ -637,10 +637,24 @@ static struct isakmp_attribute *parse_is
+ hex_dump("t.attributes.u.acl.mask", &r->u.acl.acl_ent[i].mask.s_addr, 4, NULL);
+ hex_dump("t.attributes.u.acl.protocol", &r->u.acl.acl_ent[i].protocol, DUMP_UINT16, NULL);
+ hex_dump("t.attributes.u.acl.sport", &r->u.acl.acl_ent[i].sport, DUMP_UINT16, NULL);
+ hex_dump("t.attributes.u.acl.dport", &r->u.acl.acl_ent[i].dport, DUMP_UINT16, NULL);
+ }
++ } else if (r->type == ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC) {
++ r->af = isakmp_attr_acl;
++ r->u.acl.count = length / (4 + 4);
++ if (r->u.acl.count * (4 + 4) != length) {
++ *reject = ISAKMP_N_PAYLOAD_MALFORMED;
++ return r;
++ }
++ r->u.acl.acl_ent = xallocc(r->u.acl.count * sizeof(struct acl_ent_s));
++ for (i = 0; i < r->u.acl.count; i++) {
++ fetchn(&r->u.acl.acl_ent[i].addr.s_addr, 4);
++ fetchn(&r->u.acl.acl_ent[i].mask.s_addr, 4);
++ hex_dump("t.attributes.u.acl.addr", &r->u.acl.acl_ent[i].addr.s_addr, 4, NULL);
++ hex_dump("t.attributes.u.acl.mask", &r->u.acl.acl_ent[i].mask.s_addr, 4, NULL);
++ }
+ } else {
+ r->u.lots.data = xallocc(length);
+ fetchn(r->u.lots.data, length);
+ if ((((ISAKMP_XAUTH_06_ATTRIB_TYPE < type)
+ && (type <= ISAKMP_XAUTH_06_ATTRIB_ANSWER)
+Index: b/isakmp.h
+===================================================================
+--- a/isakmp.h
++++ b/isakmp.h
+@@ -456,10 +456,11 @@ enum isakmp_modecfg_attrib_enum {
+ ISAKMP_XAUTH_02_ATTRIB_DOMAIN,
+ ISAKMP_XAUTH_02_ATTRIB_STATUS,
+ ISAKMP_XAUTH_02_ATTRIB_NEXT_PIN,
+ ISAKMP_XAUTH_02_ATTRIB_ANSWER, /* TYPE .. ANSWER is excluded from dump */
+ 
++ ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC = 0x4000,
+ ISAKMP_MODECFG_ATTRIB_NORTEL_UNKNOWN_4011 = 0x4011,
+ ISAKMP_MODECFG_ATTRIB_NORTEL_CLIENT_ID = 0x4012,
+ 
+ ISAKMP_XAUTH_06_ATTRIB_TYPE = 0x4088,
+ ISAKMP_XAUTH_06_ATTRIB_USER_NAME,
+Index: b/vpnc.c
+===================================================================
+--- a/vpnc.c
++++ b/vpnc.c
+@@ -992,10 +992,11 @@ static int do_config_to_env(struct sa_bl
+ DEBUG(2, printf("got peer udp encapsulation port: %hu\n", s->ipsec.peer_udpencap_port));
+ }
+ break;
+ 
+ case ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC:
++ case ISAKMP_MODECFG_ATTRIB_NORTEL_SPLIT_INC:
+ if (a->af != isakmp_attr_acl) {
+ reject = ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED;
+ break;
+ }
+ 
diff --git a/vpnc-nortel-fix-segfault.diff b/vpnc-nortel-fix-segfault.diff
new file mode 100644
index 0000000..a3f8b77
--- /dev/null
+++ b/vpnc-nortel-fix-segfault.diff
@@ -0,0 +1,17 @@
+Index: b/vpnc.c
+===================================================================
+--- a/vpnc.c
++++ b/vpnc.c
+@@ -1712,10 +1712,12 @@ static void do_phase1(const char *key_id
+ gcry_md_setkey(skeyid_ctx, key, key_len);
+ gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(dh_grp));
+ gcry_md_final(skeyid_ctx);
+ } else
+ error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
++ skeyid = gcry_md_read(skeyid_ctx, 0);
++ hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
+ } else {
+ skeyid = gcry_md_read(skeyid_ctx, 0);
+ hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
+ }
+ if (opt_vendor == VENDOR_NORTEL)
diff --git a/vpnc-patch_nortel_auth_394.txt.diff b/vpnc-patch_nortel_auth_394.txt.diff
new file mode 100644
index 0000000..7cbb3f8
--- /dev/null
+++ b/vpnc-patch_nortel_auth_394.txt.diff
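Review bot: In the isakmp-pkt.c hunk the new NORTEL_SPLIT_INC branch fills only `addr` and `mask` of each `acl_ent`, while the CISCO branch visible in the context also dumps `protocol`, `sport` and `dport`, and the vpnc.c hunk now routes both attribute types through the same `do_config_to_env` case, which presumably reads all five fields. Whether the three unset fields are zero depends on `xallocc` clearing its allocation, which this patch does not show; setting them explicitly inside the loop, `r->u.acl.acl_ent[i].protocol = 0; r->u.acl.acl_ent[i].sport = 0; r->u.acl.acl_ent[i].dport = 0;`, makes the intent independent of the allocator. A short comment above the loop such as `/* Nortel split-include entries carry only address and mask, no protocol/port selector */` would also record why this branch differs from the Cisco one. The enclosing parse function (`parse_is…`, truncated in the hunk header) starts and ends outside the hunk.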
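Review bot: The two lines added in the do_phase1 hunk are an exact copy of the `else` branch that follows, so `skeyid = gcry_md_read(skeyid_ctx, 0);` and `hex_dump("skeyid", skeyid, s->ike.md_len, NULL);` now appear twice within a few lines; moving the pair below the outer if/else removes the duplication and states once that `skeyid` is set on every path that gets past `error(1, ...)`. The fix relies on `error(1, ...)` not returning when SKEYID cannot be computed, which the hunk does not show; a comment like `/* error() does not return, so skeyid_ctx is finalised on every path that reaches here */` above the read would record that assumption. do_phase1 starts and ends outside the hunk.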
@@ -0,0 +1,421 @@
+Index: isakmp.h
+===================================================================
+--- isakmp.h (revision 394)
++++ isakmp.h (working copy)
+@@ -486,4 +486,23 @@
+ ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR = 0x7d88 /* strange cisco things ... need docs! */
+ };
+ 
++enum isakmp_modecfg_type_enum { /* draft-ietf-ipsec-isakmp-xauth-05.txt */
++ ISAKMP_MODECFG_TYPE_GENERIC,
++ ISAKMP_MODECFG_TYPE_RADIUS,
++ ISAKMP_MODECFG_TYPE_OTP,
++ ISAKMP_MODECFG_TYPE_NTDOMAIN,
++ ISAKMP_MODECFG_TYPE_UNIX,
++ ISAKMP_MODECFG_TYPE_SECURID,
++ ISAKMP_MODECFG_TYPE_AXENT,
++ ISAKMP_MODECFG_TYPE_LEEMAH,
++ ISAKMP_MODECFG_TYPE_ACTIVECARD,
++ ISAKMP_MODECFG_TYPE_DESGOLD,
++ ISAKMP_MODECFG_TYPE_TACACS,
++ ISAKMP_MODECFG_TYPE_TACACSPLUS,
++ ISAKMP_MODECFG_TYPE_SKEY,
++ ISAKMP_MODECFG_TYPE_NDS,
++ ISAKMP_MODECFG_TYPE_DIAMETER,
++ ISAKMP_MODECFG_TYPE_LDAP
++};
++
+ #endif
+Index: config.h
+===================================================================
+--- config.h (revision 394)
++++ config.h (working copy)
+@@ -49,6 +49,7 @@
+ CONFIG_IPSEC_SECRET,
+ CONFIG_IPSEC_SECRET_OBF,
+ CONFIG_XAUTH_USERNAME,
++ CONFIG_XAUTH_PIN,
+ CONFIG_XAUTH_PASSWORD,
+ CONFIG_XAUTH_PASSWORD_OBF,
+ CONFIG_XAUTH_INTERACTIVE,
+@@ -87,11 +88,16 @@
+ };
+ 
+ enum auth_mode_enum {
+- AUTH_MODE_PSK,
++ AUTH_MODE_PSK, /* pre-shared key */
+ AUTH_MODE_RSA1,
+ AUTH_MODE_RSA2,
+- AUTH_MODE_CERT,
+- AUTH_MODE_HYBRID
++ AUTH_MODE_CERT, /* Digital Certificate Authentication */
++ AUTH_MODE_HYBRID, /* server certificate + xauth */
++ AUTH_MODE_NORTEL_USERNAME, /* User Name and Password Authentication */
++ AUTH_MODE_NORTEL_TOKEN, /* Group Security - Response Only Token - Use Passcode */
++ AUTH_MODE_NORTEL_PINTOKEN, /* Group Security - Response Only Token - Use Two-Factor Card */
++ AUTH_MODE_NORTEL_TOKENSW, /* Group Security - Response Only Token - Use SoftID Software */
++ AUTH_MODE_NORTEL_GPASSWORD /* Group Security - Group Password Authentication */
+ };
+ 
+ extern const char *config[LAST_CONFIG];
+Index: config.c
+===================================================================
+--- config.c (revision 394)
++++ config.c (working copy)
+@@ -159,7 +159,7 @@
+ 
+ static const char *config_def_auth_mode(void)
+ {
+- return "psk";
++ return "default";
+ }
+ 
+ static const char *config_def_nortel_client_id(void)
+@@ -247,6 +247,13 @@
+ "your username",
+ NULL
+ }, {
++ CONFIG_XAUTH_PIN, 1, 0,
++ NULL,
++ "Xauth PIN ",
++ "",
++ "PIN for Nortel Two-Factor Authentication",
++ NULL
++ }, {
+ CONFIG_XAUTH_PASSWORD, 1, 0,
+ NULL,
+ "Xauth password ",
+@@ -434,11 +441,17 @@
+ CONFIG_AUTH_MODE, 1, 1,
+ "--auth-mode",
+ "IKE Authmode ",
+- "",
++ "",
+ "Authentication mode:\n"
+- " * psk: pre-shared key (default)\n"
+- " * cert: server + client certificate (not implemented yet)\n"
+- " * hybrid: server certificate + xauth (if built with openssl support)\n",
++ " * default: maps to vendor specific default mode\n"
++ " * cert: server + client certificate (not implemented yet)\n"
++ " * psk: Cisco pre-shared key (default for Cisco)\n"
++ " * hybrid: Cisco server certificate + xauth (if built with openssl support)\n"
++ " * username: Nortel User Name and Password Authentication\n"
++ " * token: Nortel Group Security - Response Only Token - Use Passcode (default for Nortel)\n"
++ " * PIN-token: Nortel Group Security - Response Only Token - Use Two-Factor Card\n"
++ " * token-SW: Nortel Group Security - Response Only Token - Use SoftID Software\n"
++ " * gpassword: Nortel Group Security - Group Password Authentication",
+ config_def_auth_mode
+ }, {
+ CONFIG_CA_FILE, 1, 1,
+@@ -703,16 +716,79 @@
+ opt_nd = (config[CONFIG_ND]) ? 1 : 0;
+ opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0;
+ 
++ if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
++ opt_vendor = VENDOR_CISCO;
++ } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
++ opt_vendor = VENDOR_NETSCREEN;
++ } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
++ opt_vendor = VENDOR_NORTEL;
++ } else {
++ printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n",
++ argv[0], config[CONFIG_VENDOR]);
++ exit(1);
++ }
++
+ if (!strcmp(config[CONFIG_AUTH_MODE], "psk")) {
+ opt_auth_mode = AUTH_MODE_PSK;
+ } else if (!strcmp(config[CONFIG_AUTH_MODE], "cert")) {
+ opt_auth_mode = AUTH_MODE_CERT;
+ } else if (!strcmp(config[CONFIG_AUTH_MODE], "hybrid")) {
+ opt_auth_mode = AUTH_MODE_HYBRID;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "username")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_USERNAME;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "token")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "PIN-token")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_PINTOKEN;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "token-SW")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKENSW;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "gpassword")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_GPASSWORD;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "default")) {
++ switch (opt_vendor) {
++ case VENDOR_NORTEL:
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++ break;
++ case VENDOR_NETSCREEN:
++ case VENDOR_CISCO:
++ default:
++ opt_auth_mode = AUTH_MODE_PSK;
++ break;
++ }
+ } else {
+- printf("%s: unknown authentication mode %s\nknown modes: psk cert hybrid\n", argv[0], config[CONFIG_AUTH_MODE]);
++ printf("%s: unknown authentication mode \"%s\"\nknown modes: "
++ "default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword\n",
++ argv[0], config[CONFIG_AUTH_MODE]);
+ exit(1);
+ }
++
++ if (((opt_vendor == VENDOR_NORTEL) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_TOKEN) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_TOKENSW) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD))) ||
++ ((opt_vendor == VENDOR_CISCO) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_PSK) &&
++ (opt_auth_mode != AUTH_MODE_HYBRID))) ||
++ ((opt_vendor == VENDOR_NETSCREEN) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_PSK) &&
++ (opt_auth_mode != AUTH_MODE_HYBRID)))) {
++ printf("%s: Auth Mode \"%s\" not valid for Vendor \"%s\"\n",
++ argv[0], config[CONFIG_AUTH_MODE], config[CONFIG_VENDOR]);
++ exit(1);
++ }
++
++ if (opt_auth_mode == AUTH_MODE_CERT ||
++ opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW) {
++ printf("%s: unimplemented Auth Mode \"%s\"\n",
++ argv[0], config[CONFIG_AUTH_MODE]);
++ exit(1);
++ }
++
+ #ifndef OPENSSL_GPL_VIOLATION
+ if (opt_auth_mode == AUTH_MODE_HYBRID ||
+ opt_auth_mode == AUTH_MODE_CERT) {
+@@ -783,17 +859,6 @@
+ }
+ opt_nortel_client_id = tmp;
+ }
+-
+- if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
+- opt_vendor = VENDOR_CISCO;
+- } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
+- opt_vendor = VENDOR_NETSCREEN;
+- } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
+- opt_vendor = VENDOR_NORTEL;
+- } else {
+- printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", argv[0], config[CONFIG_VENDOR]);
+- exit(1);
+- }
+ }
+ 
+ if (opt_debug >= 99) {
+@@ -810,6 +875,12 @@
+ continue;
+ if (config[CONFIG_XAUTH_INTERACTIVE] && i == CONFIG_XAUTH_PASSWORD)
+ continue;
++ if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME
++ && (i == CONFIG_XAUTH_USERNAME || i == CONFIG_XAUTH_PASSWORD))
++ continue;
++ if (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN
++ && i == CONFIG_XAUTH_PIN)
++ continue;
+ 
+ s = NULL;
+ s_len = 0;
+@@ -828,6 +899,11 @@
+ case CONFIG_XAUTH_USERNAME:
+ printf("Enter username for %s: ", config[CONFIG_IPSEC_GATEWAY]);
+ break;
++ case CONFIG_XAUTH_PIN:
++ printf("Enter PIN for %s@%s: ",
++ config[CONFIG_XAUTH_USERNAME],
++ config[CONFIG_IPSEC_GATEWAY]);
++ break;
+ case CONFIG_XAUTH_PASSWORD:
+ printf("Enter password for %s@%s: ",
+ config[CONFIG_XAUTH_USERNAME],
+@@ -839,6 +915,7 @@
+ fflush(stdout);
+ switch (i) {
+ case CONFIG_IPSEC_SECRET:
++ case CONFIG_XAUTH_PIN:
+ case CONFIG_XAUTH_PASSWORD:
+ s = strdup(getpass(""));
+ break;
+@@ -870,10 +947,14 @@
+ error(1, 0, "missing IPSec ID");
+ if (!config[CONFIG_IPSEC_SECRET])
+ error(1, 0, "missing IPSec secret");
+- if (!config[CONFIG_XAUTH_USERNAME])
+- error(1, 0, "missing Xauth username");
+- if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
+- error(1, 0, "missing Xauth password");
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
++ if (!config[CONFIG_XAUTH_USERNAME])
++ error(1, 0, "missing Xauth username");
++ if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
++ error(1, 0, "missing Xauth password");
++ }
++ if (opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN && !config[CONFIG_XAUTH_PIN])
++ error(1, 0, "missing Xauth PIN");
+ if (get_dh_group_ike() == NULL)
+ error(1, 0, "IKE DH Group \"%s\" unsupported\n", config[CONFIG_IKE_DH]);
+ if (get_dh_group_ipsec(-1) == NULL)
+Index: vpnc.c
+===================================================================
+--- vpnc.c (revision 394)
++++ vpnc.c (working copy)
+@@ -1110,17 +1110,10 @@
+ r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
+ 
+ if (opt_vendor == VENDOR_NORTEL) {
+- auth = 0;
++ auth = 0;
+ if ((opt_auth_mode == AUTH_MODE_CERT) &&
+ (supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
+ (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS)) {
+- } else if ((opt_auth_mode == AUTH_MODE_HYBRID) &&
+- (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
+- (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS)) {
+- } else if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_DSS) {
+ } else {
+ for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
+ keylen = supp_crypt[crypt].keylen;
+@@ -1284,7 +1277,10 @@
+ l->u.id.protocol = IPPROTO_UDP;
+ l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
+ if (opt_vendor == VENDOR_NORTEL) {
+- l->u.id.length = 24;
++ if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME)
++ l->u.id.length = 20;
++ else
++ l->u.id.length = 24;
+ l->u.id.data = xallocc(l->u.id.length);
+ gcry_md_hash_buffer(GCRY_MD_SHA1, l->u.id.data, key_id, strlen(key_id));
+ /* memcpy(l->u.id.data, key_id, strlen(key_id)); */
+@@ -1629,7 +1625,10 @@
+ reject = ISAKMP_N_INVALID_ID_INFORMATION;
+ 
+ /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
+- if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
++ if (reject == 0 &&
++ ((opt_auth_mode == AUTH_MODE_PSK) ||
++ (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) &&
++ (hash == NULL || hash->u.hash.length != s->ike.md_len))
+ reject = ISAKMP_N_INVALID_HASH_INFORMATION;
+ if (reject == 0 && sig == NULL &&
+ (opt_auth_mode == AUTH_MODE_CERT ||
+@@ -1744,7 +1743,8 @@
+ expected_hash = gcry_md_read(hm, 0);
+ hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
+ 
+- if (opt_auth_mode == AUTH_MODE_PSK) {
++ if ((opt_auth_mode == AUTH_MODE_PSK) ||
++ (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) {
+ if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
+ error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
+ val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
+@@ -2228,7 +2228,6 @@
+ DEBUGTOP(2, printf("S5.1 xauth_start\n"));
+ /* This can go around for a while. */
+ for (loopcount = 0;; loopcount++) {
+- uint16_t xauth_type_requested = 5;
+ struct isakmp_payload *rp;
+ struct isakmp_attribute *a, *ap, *reply_attr;
+ char ntop_buf[32];
+@@ -2343,6 +2342,12 @@
+ reply_attr = NULL;
+ for (ap = a; ap && reject == 0; ap = ap->next)
+ switch (ap->type) {
++ case ISAKMP_XAUTH_02_ATTRIB_TYPE:
++ if (opt_auth_mode == AUTH_MODE_NORTEL_GPASSWORD)
++ reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_RADIUS, reply_attr);
++ else
++ reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_SECURID, reply_attr);
++ break;
+ case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
+ case ISAKMP_XAUTH_02_ATTRIB_DOMAIN:
+ {
+@@ -2416,16 +2421,27 @@
+ memset(pass, 0, na->u.lots.length);
+ } else {
+ struct isakmp_attribute *na;
+- if (opt_vendor == VENDOR_NORTEL) {
+- na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, /* reply_attr */ NULL);
++ if (opt_vendor == VENDOR_NORTEL
++ && opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD)
++ na = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, reply_attr);
++ else
++ na = new_isakmp_attribute(ap->type, reply_attr);
++ reply_attr = na;
++ if (opt_vendor == VENDOR_NORTEL
++ && opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) {
++ int l_pin, l_pas;
++ l_pin = strlen(config[CONFIG_XAUTH_PIN]);
++ l_pas = strlen(config[CONFIG_XAUTH_PASSWORD]);
++ na->u.lots.length = l_pin + l_pas;
++ na->u.lots.data = xallocc(na->u.lots.length);
++ memcpy(na->u.lots.data, config[CONFIG_XAUTH_PIN], l_pin);
++ memcpy(na->u.lots.data + l_pin, config[CONFIG_XAUTH_PASSWORD], l_pas);
+ } else {
+- na = new_isakmp_attribute(ap->type, reply_attr);
+- reply_attr = na;
++ na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
++ na->u.lots.data = xallocc(na->u.lots.length);
++ memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
++ na->u.lots.length);
+ }
+- na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
+- na->u.lots.data = xallocc(na->u.lots.length);
+- memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
+- na->u.lots.length);
+ passwd_used = 1; /* Provide canned password at most once */
+ }
+ break;
+@@ -2433,10 +2449,6 @@
+ ;
+ }
+ 
+- if (opt_vendor == VENDOR_NORTEL) {
+- reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, xauth_type_requested, reply_attr);
+- }
+-
+ /* Send the response. */
+ rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
+ rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
+@@ -2551,7 +2563,8 @@
+ rp->u.modecfg.attributes = a;
+ sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0, 0, 0);
+ } else {
+- r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME)
++ r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
+ }
+ 
+ /* recv and check for notices */
+@@ -3802,18 +3815,22 @@
+ do {
+ DEBUGTOP(2, printf("S4 do_phase1\n"));
+ do_phase1(group_id, config[CONFIG_IPSEC_SECRET], s);
+- DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
+ 
+ if (opt_vendor == VENDOR_NORTEL) {
+- do_load_balance = do_phase2_xauth(s);
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
++ DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
++ do_load_balance = do_phase2_xauth(s);
++ }
+ DEBUGTOP(2, printf("S6 do_phase2_config\n"));
+ do_load_balance = do_phase2_config(s);
+ DEBUGTOP(2, printf("S6 do_phase2\n"));
+ do_phase2(s);
+ } else {
+ /* FIXME: Create and use a generic function in supp.[hc] */
+- if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA)
++ if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA) {
++ DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
+ do_load_balance = do_phase2_xauth(s);
++ }
+ DEBUGTOP(2, printf("S6 do_phase2_config\n"));
+ if ((opt_vendor == VENDOR_CISCO || opt_vendor == VENDOR_NORTEL) && (do_load_balance == 0))
+ do_load_balance = do_phase2_config(s);
diff --git a/vpnc.changes b/vpnc.changes
new file mode 100644
index 0000000..cc0f713
--- /dev/null
+++ b/vpnc.changes
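Review bot: In the PINTOKEN branch of the vpnc.c hunk at 2416, `l_pin` and `l_pas` are `int` copies of strlen() results and `na->u.lots.length = l_pin + l_pas;` is assigned before the two memcpy calls copy the full `l_pin` and `l_pas` bytes, so if `u.lots.length` is narrower than `int` (ISAKMP attribute lengths are 16-bit on the wire, though the field's C type is not visible here) a long PIN plus password is truncated in `length` while the copies still write the full sum past the `xallocc(na->u.lots.length)` buffer. Both strings come from the local configuration, so this is a robustness rather than a remote issue, but the lengths should be `size_t` and the sum bounded before allocation, as sketched below. The same branch leaves the concatenated secret in `na->u.lots.data` without the `memset(pass, 0, ...)` that the preceding branch applies to its buffer, which deserves a comment if the payload free routine does not clear attribute data. In the hunk at 2551, skipping sendrecv() for AUTH_MODE_NORTEL_USERNAME leaves `r_length` and `r_packet` with their previous contents; if the code after "recv and check for notices" reads them, that path needs the same guard. The functions enclosing both hunks start and end outside them.
```c
if (opt_vendor == VENDOR_NORTEL
    && opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) {
	/* PIN and password are sent concatenated in one PASSCODE attribute */
	size_t l_pin = strlen(config[CONFIG_XAUTH_PIN]);
	size_t l_pas = strlen(config[CONFIG_XAUTH_PASSWORD]);
	/* XAUTH_MAX_ATTR_LEN is a placeholder for the real bound of na->u.lots.length */
	if (l_pin > XAUTH_MAX_ATTR_LEN - l_pas)
		error(1, 0, "Xauth PIN and password too long for one attribute");
	na->u.lots.length = l_pin + l_pas;
	na->u.lots.data = xallocc(na->u.lots.length);
	memcpy(na->u.lots.data, config[CONFIG_XAUTH_PIN], l_pin);
	memcpy(na->u.lots.data + l_pin, config[CONFIG_XAUTH_PASSWORD], l_pas);
} else {
	/* … unchanged: plain password copy … */
```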
@@ -0,0 +1,129 @@
+-------------------------------------------------------------------
+Wed Aug 26 17:52:19 CET 2009 - tittiatcoke@gmail.com
+
+- adjusted group to Productivity/Networking/Security
+
+-------------------------------------------------------------------
+Sat Jul 18 22:14:19 CET 2009 - tittiatcoke@gmail.com
+
+- disabled the patch to send intial packages twice. This does not
+ always work.
+
+-------------------------------------------------------------------
+Thu Jan 29 16:06:19 CET 2009 - seife@suse.de
+
+- fix segfault in the non-nortel case (bnc#468789)
+
+-------------------------------------------------------------------
+Thu Jan 29 15:13:34 CET 2009 - seife@suse.de
+
+- update the nortel-grouppasswdauth patch.
+ ATTENTION! nortel users have to change "Nortel Auth Mode" to
+ "IKE Authmode" in their config file.
+- add a patch to send initial packages twice, makes connection
+ setup more robust against packet loss
+
+-------------------------------------------------------------------
+Sun Jan 18 13:01:34 CET 2009 - seife@suse.de
+
+- replace vpnc-nortel-grouppasswordauth.diff with the patch that's
+ scheduled for upstream inclusion
+
+-------------------------------------------------------------------
+Thu Jan 8 17:11:36 CET 2009 - seife@suse.de
+
+- fix rpmlint warnings
+
+-------------------------------------------------------------------
+Mon Jan 5 17:07:35 CET 2009 - seife@suse.de
+
+- add vpnc-nortel-attributes.diff, to accept split tunnel configs
+ from the server
+
+-------------------------------------------------------------------
+Mon Jan 5 11:22:40 CET 2009 - seife@suse.de
+
+- update to current SVN, using the "nortel" branch.
+- add a patch for nortel group password authentication
+
+-------------------------------------------------------------------
+Thu Jan 17 10:50:41 CET 2008 - lmuelle@suse.de
+
+- Use the real FULL_SCRIPTNAME.
+
+-------------------------------------------------------------------
+Mon Jan 14 14:55:41 CET 2008 - lmuelle@suse.de
+
+- Update to version 0.5.1.
+ + Link against -lcrypto instead of -lssl.
+ + Fixed crashes on 64bit platforms.
+ + Dead-Peer-Detection support.
+ + Hybrid-Auth support.
+ + Rekeying support; [#134480].
+- Use upstream default location for vpnc-script.
+
+-------------------------------------------------------------------
+Sat Nov 11 11:51:04 CET 2006 - aj@suse.de
+
+- Fix permissions of man files.
+- Compile with RPM_OPT_FLAGS.
+
+-------------------------------------------------------------------
+Wed Jan 25 21:42:43 CET 2006 - mls@suse.de
+
+- converted neededforbuild to BuildRequires
+
+-------------------------------------------------------------------
+Fri Aug 12 00:57:01 CEST 2005 - lmuelle@suse.de
+
+- Install the example configuration as example.conf in the doc dir.
+
+-------------------------------------------------------------------
+Thu Aug 11 01:09:33 CEST 2005 - lmuelle@suse.de
+
+- Install vpnc.conf no longer as default.conf while keeping default.conf as
+ %config(noreplace) and %ghost in the package list; [#103856].
+
+-------------------------------------------------------------------
+Thu May 19 23:36:54 CEST 2005 - lmuelle@suse.de
+
+- Update to version 0.3.3; [#72234].
+
+-------------------------------------------------------------------
+Tue Nov 23 22:32:51 CET 2004 - lmuelle@suse.de
+
+- Update to version 0.3.2.
+- Remove most parts of the vpnc-connect diff, [#46931].
+
+-------------------------------------------------------------------
+Thu Oct 14 14:48:14 CEST 2004 - mc@suse.de
+
+- removed depcomp from filelist [#47074]
+
+-------------------------------------------------------------------
+Sat Aug 7 06:25:29 CEST 2004 - lmuelle@suse.de
+
+- Update to version 0.2-rm+zomb.1; [#43525].
+
+-------------------------------------------------------------------
+Mon Jul 26 13:12:25 CEST 2004 - ro@suse.de
+
+- added libgcrypt-devel, libgpg-error-devel to neededforbuild
+
+-------------------------------------------------------------------
+Sat May 8 21:12:12 CEST 2004 - lmuelle@suse.de
+
+- Update to version 0.2-rm+zomb-pre9.
+
+-------------------------------------------------------------------
+Fri Apr 16 13:51:03 CEST 2004 - lmuelle@suse.de
+
+- add man page and connect and disconnect script patches provided by Eduard
+ Bloch
+- add /etc/vpnc directory for additional configuration files
+- rename /etc/wlan.conf to /etc/vpnc/default.conf
+
+-------------------------------------------------------------------
+Mon Apr 12 22:40:36 CEST 2004 - lmuelle@suse.de
+
+- inital SuSE RPM
diff --git a/vpnc.spec b/vpnc.spec
new file mode 100644
index 0000000..1ce233a
--- /dev/null
+++ b/vpnc.spec
@@ -0,0 +1,99 @@
+#
+# spec file for package vpnc (Version 0.5.2r394)
+#
+# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via http://bugs.opensuse.org/
+#
+
+# norootforbuild
+
+
+Name: vpnc
+Group: Productivity/Networking/Security
+BuildRequires: libgcrypt-devel
+Version: 0.5.2r394
+Release: 5
+License: BSD 3-clause (or similar) ; GPL v2 or later
+AutoReqProv: on
+Summary: A Client for Cisco VPN concentrator
+Requires: /usr/bin/sed /sbin/ip
+Source: %{name}-%{version}.tar.bz2
+Patch1: vpnc-patch_nortel_auth_394.txt.diff
+Patch2: vpnc-nortel-attributes.diff
+Patch3: vpnc-nortel-fix-segfault.diff
+BuildRoot: %{_tmppath}/%{name}-%{version}-build
+
+%description
+A VPN client compatible with Cisco's EasyVPN equipment.
+
+Cisco 3000, IOS routers, PIX/ASA Zecurity Appliances, and
+Juniper/Netscreen as well as Nortel Contivity (experimental).
+
+Supported Authentications: Pre-Shared-Key + XAUTH, Pre-Shared-Key
+Supported IKE DH-Groups: dh1 dh2 dh5 Supported Hash Algo (IKE/IPSEC):
+md5 sha1 Supported Encryptions (IKE/IPSEC): (null) (1des) 3des aes128
+aes192 aes256 Perfect Forward Secrecy: nopfs dh1 dh2 dh5
+
+It runs entirely in userspace and uses the TUN/TAP driver for access.
+
+
+
+Authors:
+--------
+ Maurice Massar
+ Eduard Bloch
+
+%prep
+%setup -n %{name}-%{version}
+%patch1 -p0
+%patch2 -p1
+%patch3 -p1
+
+%build
+%{?suse_update_config:%{suse_update_config -f}}
+%{__make} \
+ CFLAGS="$RPM_OPT_FLAGS" \
+ PREFIX=/usr
+
+%install
+mkdir -p \
+ ${RPM_BUILD_ROOT}/%{_localstatedir}/run/vpnc
+%{__make} install \
+ DESTDIR=${RPM_BUILD_ROOT} \
+ PREFIX=/usr
+# Use chmod as %attr doesn't work for %doc maked files in the list
+touch ${RPM_BUILD_ROOT}/%{_localstatedir}/run/vpnc/{defaultroute,gateway,pid,resolv.conf-backup} || true
+rm -rfv ${RPM_BUILD_ROOT}/usr/share/doc/vpnc
+
+%clean
+
+%files
+%defattr(-,root,root)
+%attr(0600,root,root) %config(noreplace) %ghost %{_sysconfdir}/vpnc/default.conf
+%dir %{_sysconfdir}/vpnc
+%{_sysconfdir}/vpnc/vpnc-script
+%{_sbindir}/vpnc
+%{_sbindir}/vpnc-disconnect
+%{_bindir}/cisco-decrypt
+%{_bindir}/pcf2vpnc
+%{_mandir}/man1/cisco-decrypt.1.*
+%{_mandir}/man1/pcf2vpnc.1.*
+%{_mandir}/man8/vpnc.8.*
+%dir %{_localstatedir}/run/vpnc
+%ghost %{_localstatedir}/run/vpnc/defaultroute
+%ghost %{_localstatedir}/run/vpnc/gateway
+%ghost %{_localstatedir}/run/vpnc/pid
+%ghost %{_localstatedir}/run/vpnc/resolv.conf-backup
+%doc ChangeLog COPYING README TODO VERSION
+
+%changelog