Hello community,
here is the log from the commit of package vpnc for openSUSE:Factory
checked in at Thu Jan 29 23:57:19 CET 2009.
--------
--- vpnc/vpnc.changes 2009-01-18 13:09:34.000000000 +0100
+++ vpnc/vpnc.changes 2009-01-29 16:07:26.000000000 +0100
@@ -1,0 +2,14 @@
+Thu Jan 29 16:06:19 CET 2009 - seife@suse.de
+
+- fix segfault in the non-nortel case (bnc#468789)
+
+-------------------------------------------------------------------
+Thu Jan 29 15:13:34 CET 2009 - seife@suse.de
+
+- update the nortel-grouppasswdauth patch.
+ ATTENTION! nortel users have to change "Nortel Auth Mode" to
+ "IKE Authmode" in their config file.
+- add a patch to send initial packages twice, makes connection
+ setup more robust against packet loss
+
+-------------------------------------------------------------------
calling whatdependson for head-i586
Old:
----
vpnc-patch_nortel_auth_378_correct.txt.diff
New:
----
vpnc-nortel-fix-segfault.diff
vpnc-patch_nortel_auth_394.txt.diff
vpnc-patch_send_twice.txt.diff
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ vpnc.spec ++++++
--- /var/tmp/diff_new_pack.xS2088/_old 2009-01-29 23:53:22.000000000 +0100
+++ /var/tmp/diff_new_pack.xS2088/_new 2009-01-29 23:53:22.000000000 +0100
@@ -21,7 +21,7 @@
Name: vpnc
BuildRequires: libgcrypt-devel
Version: 0.5.2r394
-Release: 3
+Release: 4
License: BSD 3-Clause; GPL v2 or later
Group: Productivity/Networking/Security
Url: http://www.unix-ag.uni-kl.de/~massar/vpnc/
@@ -29,9 +29,10 @@
Summary: A Client for Cisco VPN concentrator
Requires: /usr/bin/sed /sbin/ip
Source: %{name}-%{version}.tar.bz2
-#Patch: vpnc-nortel-grouppasswordauth.diff
-Patch: vpnc-patch_nortel_auth_378_correct.txt.diff
-Patch1: vpnc-nortel-attributes.diff
+Patch0: vpnc-patch_send_twice.txt.diff
+Patch1: vpnc-patch_nortel_auth_394.txt.diff
+Patch2: vpnc-nortel-attributes.diff
+Patch3: vpnc-nortel-fix-segfault.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
@@ -57,7 +58,9 @@
%prep
%setup -n %{name}-%{version}
%patch0 -p0
-%patch1 -p1
+%patch1 -p0
+%patch2 -p1
+%patch3 -p1
%build
%{?suse_update_config:%{suse_update_config -f}}
@@ -97,6 +100,14 @@
%doc ChangeLog COPYING README TODO VERSION
%changelog
+* Thu Jan 29 2009 seife@suse.de
+- fix segfault in the non-nortel case (bnc#468789)
+* Thu Jan 29 2009 seife@suse.de
+- update the nortel-grouppasswdauth patch.
+ ATTENTION! nortel users have to change "Nortel Auth Mode" to
+ "IKE Authmode" in their config file.
+- add a patch to send initial packages twice, makes connection
+ setup more robust against packet loss
* Sun Jan 18 2009 seife@suse.de
- replace vpnc-nortel-grouppasswordauth.diff with the patch that's
scheduled for upstream inclusion
++++++ vpnc-nortel-fix-segfault.diff ++++++
Index: b/vpnc.c
===================================================================
--- a/vpnc.c
+++ b/vpnc.c
@@ -1712,10 +1712,12 @@ static void do_phase1(const char *key_id
gcry_md_setkey(skeyid_ctx, key, key_len);
gcry_md_write(skeyid_ctx, dh_shared_secret, dh_getlen(dh_grp));
gcry_md_final(skeyid_ctx);
} else
error(1, 0, "SKEYID could not be computed: %s", "the selected authentication method is not supported");
+ skeyid = gcry_md_read(skeyid_ctx, 0);
+ hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
} else {
skeyid = gcry_md_read(skeyid_ctx, 0);
hex_dump("skeyid", skeyid, s->ike.md_len, NULL);
}
if (opt_vendor == VENDOR_NORTEL)
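Review bot: The two added lines duplicate the `else` branch that immediately follows them; both branches of the outer if/else now end with `skeyid = gcry_md_read(skeyid_ctx, 0); hex_dump("skeyid", skeyid, s->ike.md_len, NULL);`, so the pair can be hoisted to just after the closing brace of that if/else and kept in one place. The placement is only correct because the inner `else error(1, 0, ...)` does not return, which deserves a comment such as `/* error() with status 1 exits, so skeyid_ctx is always finalised here */` once that is confirmed. hex_dump() of SKEYID writes derived key material to the debug output; presumably hex_dump() is gated on the debug level, which should be confirmed before this is added to a second path. do_phase1 starts and ends outside the hunk.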
++++++ vpnc-patch_nortel_auth_378_correct.txt.diff -> vpnc-patch_nortel_auth_394.txt.diff ++++++
--- vpnc/vpnc-patch_nortel_auth_378_correct.txt.diff 2009-01-18 13:09:33.000000000 +0100
+++ vpnc/vpnc-patch_nortel_auth_394.txt.diff 2009-01-29 15:18:02.000000000 +0100
@@ -1,8 +1,8 @@
Index: isakmp.h
===================================================================
---- isakmp.h (revision 378)
+--- isakmp.h (revision 394)
+++ isakmp.h (working copy)
-@@ -463,4 +463,23 @@
+@@ -486,4 +486,23 @@
ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR = 0x7d88 /* strange cisco things ... need docs! */
};
@@ -28,9 +28,9 @@
#endif
Index: config.h
===================================================================
---- config.h (revision 378)
+--- config.h (revision 394)
+++ config.h (working copy)
-@@ -48,6 +48,7 @@
+@@ -49,6 +49,7 @@
CONFIG_IPSEC_SECRET,
CONFIG_IPSEC_SECRET_OBF,
CONFIG_XAUTH_USERNAME,
@@ -38,63 +38,40 @@
CONFIG_XAUTH_PASSWORD,
CONFIG_XAUTH_PASSWORD_OBF,
CONFIG_XAUTH_INTERACTIVE,
-@@ -58,6 +59,7 @@
- CONFIG_AUTH_MODE,
- CONFIG_CA_FILE,
- CONFIG_CA_DIR,
-+ CONFIG_NORTEL_AUTH_MODE,
- LAST_CONFIG
+@@ -87,11 +88,16 @@
};
-@@ -93,6 +95,15 @@
- AUTH_MODE_HYBRID
+ enum auth_mode_enum {
+- AUTH_MODE_PSK,
++ AUTH_MODE_PSK, /* pre-shared key */
+ AUTH_MODE_RSA1,
+ AUTH_MODE_RSA2,
+- AUTH_MODE_CERT,
+- AUTH_MODE_HYBRID
++ AUTH_MODE_CERT, /* Digital Certificate Authentication */
++ AUTH_MODE_HYBRID, /* server certificate + xauth */
++ AUTH_MODE_NORTEL_USERNAME, /* User Name and Password Authentication */
++ AUTH_MODE_NORTEL_TOKEN, /* Group Security - Response Only Token - Use Passcode */
++ AUTH_MODE_NORTEL_PINTOKEN, /* Group Security - Response Only Token - Use Two-Factor Card */
++ AUTH_MODE_NORTEL_TOKENSW, /* Group Security - Response Only Token - Use SoftID Software */
++ AUTH_MODE_NORTEL_GPASSWORD /* Group Security - Group Password Authentication */
};
-+enum nortel_auth_mode_enum {
-+ NORTEL_AUTH_MODE_USERNAME, /* User Name and Password Authentication */
-+ NORTEL_AUTH_MODE_CERT, /* Digital Certificate Authentication */
-+ NORTEL_AUTH_MODE_TOKEN, /* Group Security - Response Only Token - Use Passcode */
-+ NORTEL_AUTH_MODE_PINTOKEN, /* Group Security - Response Only Token - Use Two-Factor Card */
-+ NORTEL_AUTH_MODE_TOKENSW, /* Group Security - Response Only Token - Use SoftID Software */
-+ NORTEL_AUTH_MODE_GPASSWORD, /* Group Security - Group Password Authentication */
-+};
-+
extern const char *config[LAST_CONFIG];
-
- extern enum vendor_enum opt_vendor;
-@@ -101,6 +112,7 @@
- extern int opt_1des, opt_no_encryption, opt_auth_mode;
- extern enum natt_mode_enum opt_natt_mode;
- extern enum if_mode_enum opt_if_mode;
-+extern enum nortel_auth_mode_enum opt_nortel_auth_mode;
- extern uint16_t opt_udpencapport;
-
- #define TIMESTAMP() ({ \
Index: config.c
===================================================================
---- config.c (revision 378)
+--- config.c (revision 394)
+++ config.c (working copy)
-@@ -44,6 +44,7 @@
- enum natt_mode_enum opt_natt_mode;
- enum vendor_enum opt_vendor;
- enum if_mode_enum opt_if_mode;
-+enum nortel_auth_mode_enum opt_nortel_auth_mode;
- uint16_t opt_udpencapport;
-
- void hex_dump(const char *str, const void *data, ssize_t len, const struct debug_strings *decode)
-@@ -191,6 +192,11 @@
- return "0.0.0.0/0.0.0.0";
+@@ -159,7 +159,7 @@
+
+ static const char *config_def_auth_mode(void)
+ {
+- return "psk";
++ return "default";
}
-+static const char *config_def_nortel_auth_mode(void)
-+{
-+ return "token";
-+}
-+
- static const struct config_names_s {
- enum config_enum nm;
- const int needsArgument;
-@@ -241,6 +247,13 @@
+ static const char *config_def_nortel_client_id(void)
+@@ -247,6 +247,13 @@
"your username",
NULL
}, {
@@ -108,70 +85,141 @@
CONFIG_XAUTH_PASSWORD, 1, 0,
NULL,
"Xauth password ",
-@@ -448,6 +461,19 @@
- "Target network in dotted decimal or CIDR notation\n",
- config_def_target_network
+@@ -434,11 +441,17 @@
+ CONFIG_AUTH_MODE, 1, 1,
+ "--auth-mode",
+ "IKE Authmode ",
+- "",
++ "",
+ "Authentication mode:\n"
+- " * psk: pre-shared key (default)\n"
+- " * cert: server + client certificate (not implemented yet)\n"
+- " * hybrid: server certificate + xauth (if built with openssl support)\n",
++ " * default: maps to vendor specific default mode\n"
++ " * cert: server + client certificate (not implemented yet)\n"
++ " * psk: Cisco pre-shared key (default for Cisco)\n"
++ " * hybrid: Cisco server certificate + xauth (if built with openssl support)\n"
++ " * username: Nortel User Name and Password Authentication\n"
++ " * token: Nortel Group Security - Response Only Token - Use Passcode (default for Nortel)\n"
++ " * PIN-token: Nortel Group Security - Response Only Token - Use Two-Factor Card\n"
++ " * token-SW: Nortel Group Security - Response Only Token - Use SoftID Software\n"
++ " * gpassword: Nortel Group Security - Group Password Authentication",
+ config_def_auth_mode
}, {
-+ CONFIG_NORTEL_AUTH_MODE, 1, 1,
-+ "--nortel-auth-mode",
-+ "Nortel Auth Mode ",
-+ "",
-+ "Nortel Authentication Mode:\n"
-+ " * username: User Name and Password Authentication\n"
-+ " * cert: Digital Certificate Authentication\n"
-+ " * token: Group Security - Response Only Token - Use Passcode (default)\n"
-+ " * PIN-token: Group Security - Response Only Token - Use Two-Factor Card\n"
-+ " * token-SW: Group Security - Response Only Token - Use SoftID Software\n"
-+ " * gpassword: Group Security - Group Password Authentication",
-+ config_def_nortel_auth_mode
-+ }, {
- 0, 0, 0, NULL, NULL, NULL, NULL, NULL
- }
- };
-@@ -741,6 +767,29 @@
- printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", argv[0], config[CONFIG_VENDOR]);
+ CONFIG_CA_FILE, 1, 1,
+@@ -703,16 +716,79 @@
+ opt_nd = (config[CONFIG_ND]) ? 1 : 0;
+ opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0;
+
++ if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
++ opt_vendor = VENDOR_CISCO;
++ } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
++ opt_vendor = VENDOR_NETSCREEN;
++ } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
++ opt_vendor = VENDOR_NORTEL;
++ } else {
++ printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n",
++ argv[0], config[CONFIG_VENDOR]);
++ exit(1);
++ }
++
+ if (!strcmp(config[CONFIG_AUTH_MODE], "psk")) {
+ opt_auth_mode = AUTH_MODE_PSK;
+ } else if (!strcmp(config[CONFIG_AUTH_MODE], "cert")) {
+ opt_auth_mode = AUTH_MODE_CERT;
+ } else if (!strcmp(config[CONFIG_AUTH_MODE], "hybrid")) {
+ opt_auth_mode = AUTH_MODE_HYBRID;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "username")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_USERNAME;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "token")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "PIN-token")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_PINTOKEN;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "token-SW")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKENSW;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "gpassword")) {
++ opt_auth_mode = AUTH_MODE_NORTEL_GPASSWORD;
++ } else if (!strcmp(config[CONFIG_AUTH_MODE], "default")) {
++ switch (opt_vendor) {
++ case VENDOR_NORTEL:
++ opt_auth_mode = AUTH_MODE_NORTEL_TOKEN;
++ break;
++ case VENDOR_NETSCREEN:
++ case VENDOR_CISCO:
++ default:
++ opt_auth_mode = AUTH_MODE_PSK;
++ break;
++ }
+ } else {
+- printf("%s: unknown authentication mode %s\nknown modes: psk cert hybrid\n", argv[0], config[CONFIG_AUTH_MODE]);
++ printf("%s: unknown authentication mode \"%s\"\nknown modes: "
++ "default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword\n",
++ argv[0], config[CONFIG_AUTH_MODE]);
exit(1);
}
+
-+ if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "username")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_USERNAME;
-+ } else if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "cert")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_CERT;
-+ printf("%s: unimplemented Nortel Auth Mode %s\n", argv[0], config[CONFIG_NORTEL_AUTH_MODE]);
++ if (((opt_vendor == VENDOR_NORTEL) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_TOKEN) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_TOKENSW) &&
++ (opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD))) ||
++ ((opt_vendor == VENDOR_CISCO) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_PSK) &&
++ (opt_auth_mode != AUTH_MODE_HYBRID))) ||
++ ((opt_vendor == VENDOR_NETSCREEN) &&
++ ((opt_auth_mode != AUTH_MODE_CERT) &&
++ (opt_auth_mode != AUTH_MODE_PSK) &&
++ (opt_auth_mode != AUTH_MODE_HYBRID)))) {
++ printf("%s: Auth Mode \"%s\" not valid for Vendor \"%s\"\n",
++ argv[0], config[CONFIG_AUTH_MODE], config[CONFIG_VENDOR]);
+ exit(1);
-+ } else if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "token")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_TOKEN;
-+ } else if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "PIN-token")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_PINTOKEN;
-+ } else if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "token-SW")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_TOKENSW;
-+ printf("%s: unimplemented Nortel Auth Mode %s\n", argv[0], config[CONFIG_NORTEL_AUTH_MODE]);
-+ exit(1);
-+ } else if (!strcmp(config[CONFIG_NORTEL_AUTH_MODE], "gpassword")) {
-+ opt_nortel_auth_mode = NORTEL_AUTH_MODE_GPASSWORD;
-+ } else {
-+ printf("%s: unknown Nortel Authenticate Mode %s\n"
-+ "known modes: username cert token PIN-token token-SW gpassword\n",
-+ argv[0], config[CONFIG_NORTEL_AUTH_MODE]);
++ }
++
++ if (opt_auth_mode == AUTH_MODE_CERT ||
++ opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW) {
++ printf("%s: unimplemented Auth Mode \"%s\"\n",
++ argv[0], config[CONFIG_AUTH_MODE]);
+ exit(1);
+ }
++
+ #ifndef OPENSSL_GPL_VIOLATION
+ if (opt_auth_mode == AUTH_MODE_HYBRID ||
+ opt_auth_mode == AUTH_MODE_CERT) {
+@@ -783,17 +859,6 @@
+ }
+ opt_nortel_client_id = tmp;
+ }
+-
+- if (!strcmp(config[CONFIG_VENDOR], "cisco")) {
+- opt_vendor = VENDOR_CISCO;
+- } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) {
+- opt_vendor = VENDOR_NETSCREEN;
+- } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) {
+- opt_vendor = VENDOR_NORTEL;
+- } else {
+- printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", argv[0], config[CONFIG_VENDOR]);
+- exit(1);
+- }
}
if (opt_debug >= 99) {
-@@ -757,6 +806,12 @@
+@@ -810,6 +875,12 @@
continue;
if (config[CONFIG_XAUTH_INTERACTIVE] && i == CONFIG_XAUTH_PASSWORD)
continue;
-+ if (opt_vendor == VENDOR_NORTEL && opt_nortel_auth_mode == NORTEL_AUTH_MODE_USERNAME
++ if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME
+ && (i == CONFIG_XAUTH_USERNAME || i == CONFIG_XAUTH_PASSWORD))
+ continue;
-+ if (opt_vendor == VENDOR_NORTEL && opt_nortel_auth_mode != NORTEL_AUTH_MODE_PINTOKEN
++ if (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN
+ && i == CONFIG_XAUTH_PIN)
+ continue;
s = NULL;
s_len = 0;
-@@ -775,6 +830,11 @@
+@@ -828,6 +899,11 @@
case CONFIG_XAUTH_USERNAME:
printf("Enter username for %s: ", config[CONFIG_IPSEC_GATEWAY]);
break;
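Review bot: The vendor/auth-mode validity check added after the `default` mapping in the config.c part of this hunk, starting at `if (((opt_vendor == VENDOR_NORTEL) &&`, is written as three exclusion lists, so any `auth_mode_enum` value added later is silently accepted for every vendor whose list it was not added to. A `switch (opt_vendor)` with one positive list per vendor keeps the allowed modes next to the vendor and reads as an allow-list; the rewrite below keeps the message and `exit(1)` unchanged. The help text in the same hunk lists `token-SW` without a caveat although `if (opt_auth_mode == AUTH_MODE_CERT || opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW)` rejects it as unimplemented; mark it `(not implemented yet)` as the `cert` line does. The enclosing function starts and ends outside the hunk.
```c
	/* … unchanged: vendor parsing and the "default" auth-mode mapping … */
	int mode_ok = 0;
	switch (opt_vendor) {
	case VENDOR_NORTEL:
		mode_ok = (opt_auth_mode == AUTH_MODE_CERT) ||
			  (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME) ||
			  (opt_auth_mode == AUTH_MODE_NORTEL_TOKEN) ||
			  (opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) ||
			  (opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW) ||
			  (opt_auth_mode == AUTH_MODE_NORTEL_GPASSWORD);
		break;
	case VENDOR_CISCO:
	case VENDOR_NETSCREEN:
		mode_ok = (opt_auth_mode == AUTH_MODE_CERT) ||
			  (opt_auth_mode == AUTH_MODE_PSK) ||
			  (opt_auth_mode == AUTH_MODE_HYBRID);
		break;
	default:
		break; /* unknown vendors were rejected above */
	}
	if (!mode_ok) {
		printf("%s: Auth Mode \"%s\" not valid for Vendor \"%s\"\n",
		       argv[0], config[CONFIG_AUTH_MODE], config[CONFIG_VENDOR]);
		exit(1);
	}
	/* … unchanged: unimplemented-mode check and OPENSSL_GPL_VIOLATION block … */
```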
@@ -183,7 +231,7 @@
case CONFIG_XAUTH_PASSWORD:
printf("Enter password for %s@%s: ",
config[CONFIG_XAUTH_USERNAME],
-@@ -784,6 +844,7 @@
+@@ -839,6 +915,7 @@
fflush(stdout);
switch (i) {
case CONFIG_IPSEC_SECRET:
@@ -191,7 +239,7 @@
case CONFIG_XAUTH_PASSWORD:
s = strdup(getpass(""));
break;
-@@ -815,10 +876,14 @@
+@@ -870,10 +947,14 @@
error(1, 0, "missing IPSec ID");
if (!config[CONFIG_IPSEC_SECRET])
error(1, 0, "missing IPSec secret");
@@ -199,34 +247,75 @@
- error(1, 0, "missing Xauth username");
- if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
- error(1, 0, "missing Xauth password");
-+ if (!(opt_vendor == VENDOR_NORTEL && opt_nortel_auth_mode == NORTEL_AUTH_MODE_USERNAME)) {
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
+ if (!config[CONFIG_XAUTH_USERNAME])
+ error(1, 0, "missing Xauth username");
+ if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE])
+ error(1, 0, "missing Xauth password");
+ }
-+ if (opt_vendor == VENDOR_NORTEL && opt_nortel_auth_mode == NORTEL_AUTH_MODE_PINTOKEN && !config[CONFIG_XAUTH_PIN])
++ if (opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN && !config[CONFIG_XAUTH_PIN])
+ error(1, 0, "missing Xauth PIN");
if (get_dh_group_ike() == NULL)
error(1, 0, "IKE DH Group \"%s\" unsupported\n", config[CONFIG_IKE_DH]);
if (get_dh_group_ipsec(-1) == NULL)
Index: vpnc.c
===================================================================
---- vpnc.c (revision 378)
+--- vpnc.c (revision 394)
+++ vpnc.c (working copy)
-@@ -1284,7 +1284,10 @@
+@@ -1110,17 +1110,10 @@
+ r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP;
+
+ if (opt_vendor == VENDOR_NORTEL) {
+- auth = 0;
++ auth = 0;
+ if ((opt_auth_mode == AUTH_MODE_CERT) &&
+ (supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) &&
+ (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS)) {
+- } else if ((opt_auth_mode == AUTH_MODE_HYBRID) &&
+- (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) &&
+- (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS)) {
+- } else if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG ||
+- supp_auth[auth].ike_sa_id == IKE_AUTH_DSS) {
+ } else {
+ for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) {
+ keylen = supp_crypt[crypt].keylen;
+@@ -1284,7 +1277,10 @@
l->u.id.protocol = IPPROTO_UDP;
l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */
if (opt_vendor == VENDOR_NORTEL) {
- l->u.id.length = 24;
-+ if (opt_nortel_auth_mode == NORTEL_AUTH_MODE_USERNAME)
++ if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME)
+ l->u.id.length = 20;
+ else
+ l->u.id.length = 24;
l->u.id.data = xallocc(l->u.id.length);
gcry_md_hash_buffer(GCRY_MD_SHA1, l->u.id.data, key_id, strlen(key_id));
/* memcpy(l->u.id.data, key_id, strlen(key_id)); */
-@@ -2228,7 +2231,6 @@
+@@ -1629,7 +1625,10 @@
+ reject = ISAKMP_N_INVALID_ID_INFORMATION;
+
+ /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */
+- if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len))
++ if (reject == 0 &&
++ ((opt_auth_mode == AUTH_MODE_PSK) ||
++ (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) &&
++ (hash == NULL || hash->u.hash.length != s->ike.md_len))
+ reject = ISAKMP_N_INVALID_HASH_INFORMATION;
+ if (reject == 0 && sig == NULL &&
+ (opt_auth_mode == AUTH_MODE_CERT ||
+@@ -1744,7 +1743,8 @@
+ expected_hash = gcry_md_read(hm, 0);
+ hex_dump("expected hash", expected_hash, s->ike.md_len, NULL);
+
+- if (opt_auth_mode == AUTH_MODE_PSK) {
++ if ((opt_auth_mode == AUTH_MODE_PSK) ||
++ (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) {
+ if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0)
+ error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!",
+ val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array),
+@@ -2228,7 +2228,6 @@
DEBUGTOP(2, printf("S5.1 xauth_start\n"));
/* This can go around for a while. */
for (loopcount = 0;; loopcount++) {
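Review bot: `l->u.id.length = 20;` in the `@@ -1284` part of this hunk is the SHA-1 digest length that `gcry_md_hash_buffer(GCRY_MD_SHA1, l->u.id.data, key_id, strlen(key_id))` two lines below writes, while the 24 kept for the other Nortel modes is not explained anywhere in the hunk. Spelling the first as `l->u.id.length = gcry_md_get_algo_dlen(GCRY_MD_SHA1);` ties the length to the hash actually used, and a comment on the 24 should say what the extra four bytes are (presumably left zero by xallocc(); confirm). In the `@@ -1110` part, removing the hybrid branches leaves `if ((opt_auth_mode == AUTH_MODE_CERT) && ...) {` with an empty body that exists only to reach the `else`; negating the condition removes the empty block. The enclosing functions start and end outside the hunk.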
@@ -234,12 +323,12 @@
struct isakmp_payload *rp;
struct isakmp_attribute *a, *ap, *reply_attr;
char ntop_buf[32];
-@@ -2341,6 +2343,12 @@
+@@ -2343,6 +2342,12 @@
reply_attr = NULL;
for (ap = a; ap && reject == 0; ap = ap->next)
switch (ap->type) {
+ case ISAKMP_XAUTH_02_ATTRIB_TYPE:
-+ if (opt_vendor == VENDOR_NORTEL && opt_nortel_auth_mode == NORTEL_AUTH_MODE_GPASSWORD)
++ if (opt_auth_mode == AUTH_MODE_NORTEL_GPASSWORD)
+ reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_RADIUS, reply_attr);
+ else
+ reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_SECURID, reply_attr);
@@ -247,26 +336,20 @@
case ISAKMP_XAUTH_06_ATTRIB_DOMAIN:
case ISAKMP_XAUTH_02_ATTRIB_DOMAIN:
{
-@@ -2403,16 +2411,29 @@
+@@ -2416,16 +2421,27 @@
memset(pass, 0, na->u.lots.length);
} else {
struct isakmp_attribute *na;
- if (opt_vendor == VENDOR_NORTEL) {
- na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, /* reply_attr */ NULL);
+ if (opt_vendor == VENDOR_NORTEL
-+ && opt_nortel_auth_mode != NORTEL_AUTH_MODE_GPASSWORD) {
++ && opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD)
+ na = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, reply_attr);
-+ reply_attr = na;
- } else {
- na = new_isakmp_attribute(ap->type, reply_attr);
- reply_attr = na;
- }
-- na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
-- na->u.lots.data = xallocc(na->u.lots.length);
-- memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
-- na->u.lots.length);
++ else
++ na = new_isakmp_attribute(ap->type, reply_attr);
++ reply_attr = na;
+ if (opt_vendor == VENDOR_NORTEL
-+ && opt_nortel_auth_mode == NORTEL_AUTH_MODE_PINTOKEN) {
++ && opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) {
+ int l_pin, l_pas;
+ l_pin = strlen(config[CONFIG_XAUTH_PIN]);
+ l_pas = strlen(config[CONFIG_XAUTH_PASSWORD]);
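Review bot: `int l_pin, l_pas;` in the PIN-token branch at the end of this hunk receive `strlen()` results and should be `size_t`, so the `memcpy` offsets in the following hunk need no narrowing; the assignment of `na->u.lots.length` falls between the two hunks and is not visible here. The branch builds a cleartext PIN+password buffer in `na->u.lots.data`; the `memset(pass, 0, na->u.lots.length)` context at the top of the hunk shows the file's habit of zeroing password buffers after use, so whether this concatenated buffer is zeroed after the reply is sent is worth checking (not visible in the hunk). The enclosing loop and function start and end outside the hunk.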
@@ -274,16 +357,22 @@
+ na->u.lots.data = xallocc(na->u.lots.length);
+ memcpy(na->u.lots.data, config[CONFIG_XAUTH_PIN], l_pin);
+ memcpy(na->u.lots.data + l_pin, config[CONFIG_XAUTH_PASSWORD], l_pas);
-+ } else {
+ } else {
+- na = new_isakmp_attribute(ap->type, reply_attr);
+- reply_attr = na;
+ na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
+ na->u.lots.data = xallocc(na->u.lots.length);
+ memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
+ na->u.lots.length);
-+ }
+ }
+- na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]);
+- na->u.lots.data = xallocc(na->u.lots.length);
+- memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD],
+- na->u.lots.length);
passwd_used = 1; /* Provide canned password at most once */
}
break;
-@@ -2420,10 +2441,6 @@
+@@ -2433,10 +2449,6 @@
;
}
@@ -294,17 +383,17 @@
/* Send the response. */
rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR);
rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY;
-@@ -2538,7 +2555,8 @@
+@@ -2551,7 +2563,8 @@
rp->u.modecfg.attributes = a;
sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0, 0, 0);
} else {
- r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
-+ if (opt_nortel_auth_mode != NORTEL_AUTH_MODE_USERNAME)
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME)
+ r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0);
}
/* recv and check for notices */
-@@ -3789,18 +3807,22 @@
+@@ -3802,18 +3815,22 @@
do {
DEBUGTOP(2, printf("S4 do_phase1\n"));
do_phase1(group_id, config[CONFIG_IPSEC_SECRET], s);
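Review bot: `if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) r_length = sendrecv(...)` leaves `r_length` and `r_packet` holding whatever they held before when the call is skipped, and the `/* recv and check for notices */` code that follows appears to consume them; unless that code is also skipped for the username mode (not visible in the hunk), it works on stale or uninitialised data. Either initialise `r_length = 0;` before the `if` or add a comment such as `/* username mode: nothing sent here, the notice check below must not read r_packet */` once the intent is confirmed. The same skip pattern appears in the `@@ -312,7 +401,7 @@` hunk, where `do_load_balance` keeps its previous value when `do_phase2_xauth()` is not called. The enclosing functions start and end outside the hunk.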
@@ -312,7 +401,7 @@
if (opt_vendor == VENDOR_NORTEL) {
- do_load_balance = do_phase2_xauth(s);
-+ if (opt_nortel_auth_mode != NORTEL_AUTH_MODE_USERNAME) {
++ if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) {
+ DEBUGTOP(2, printf("S5 do_phase2_xauth\n"));
+ do_load_balance = do_phase2_xauth(s);
+ }
++++++ vpnc-patch_send_twice.txt.diff ++++++
Index: config.h
===================================================================
--- config.h (revision 394)
+++ config.h (working copy)
@@ -55,6 +55,7 @@
CONFIG_VENDOR,
CONFIG_NATT_MODE,
CONFIG_UDP_ENCAP_PORT,
+ CONFIG_SEND_TWICE,
CONFIG_DPD_IDLE,
CONFIG_AUTH_MODE,
CONFIG_CA_FILE,
Index: config.c
===================================================================
--- config.c (revision 394)
+++ config.c (working copy)
@@ -416,6 +416,14 @@
"It is especially not the cisco-tcp port.\n",
config_def_udp_port
}, {
+ CONFIG_SEND_TWICE, 0, 1,
+ "--send-twice",
+ "Send twice",
+ NULL,
+ "Send twice each IKE UDP packet. In case of high packet lost rate, this option\n"
+ "improves network performance during authentication.",
+ NULL
+ }, {
CONFIG_DPD_IDLE, 1, 1,
"--dpd-idle",
"DPD idle timeout (our side) ",
Index: vpnc.c
===================================================================
--- vpnc.c (revision 394)
+++ vpnc.c (working copy)
@@ -442,9 +442,13 @@
for (;;) {
int pollresult;
- if (realtosend != NULL)
+ if (realtosend != NULL) {
if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
- error(1, errno, "can't send packet");
+ error(1, errno, "can't send packet [1]");
+ if (config[CONFIG_SEND_TWICE])
+ if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize)
+ error(1, errno, "can't send packet [2]");
+ }
if (sendonly)
break;
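Review bot: The added `if (config[CONFIG_SEND_TWICE])` guards a second unbraced `if`/`error()` pair, giving three nested statements with only the outer braces; brace the inner one, `if (config[CONFIG_SEND_TWICE]) {` / `if (write(s->ike_fd, realtosend, sendsize) != (int)sendsize) error(1, errno, "can't send packet [2]");` / `}`, or fold both sends into a two-iteration loop so the write-and-check appears once. The help text for the option in the config.c hunk above reads `packet lost rate`, where `packet loss rate` is meant, and `Send twice each IKE UDP packet` reads better as `Send each IKE UDP packet twice`. The enclosing loop and function start and end outside the hunk.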
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++