Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.2
vpnc
vpnc-patch_nortel_auth_394.txt.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File vpnc-patch_nortel_auth_394.txt.diff of Package vpnc
Index: isakmp.h =================================================================== --- isakmp.h (revision 394) +++ isakmp.h (working copy) @@ -486,4 +486,23 @@ ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR = 0x7d88 /* strange cisco things ... need docs! */ }; +enum isakmp_modecfg_type_enum { /* draft-ietf-ipsec-isakmp-xauth-05.txt */ + ISAKMP_MODECFG_TYPE_GENERIC, + ISAKMP_MODECFG_TYPE_RADIUS, + ISAKMP_MODECFG_TYPE_OTP, + ISAKMP_MODECFG_TYPE_NTDOMAIN, + ISAKMP_MODECFG_TYPE_UNIX, + ISAKMP_MODECFG_TYPE_SECURID, + ISAKMP_MODECFG_TYPE_AXENT, + ISAKMP_MODECFG_TYPE_LEEMAH, + ISAKMP_MODECFG_TYPE_ACTIVECARD, + ISAKMP_MODECFG_TYPE_DESGOLD, + ISAKMP_MODECFG_TYPE_TACACS, + ISAKMP_MODECFG_TYPE_TACACSPLUS, + ISAKMP_MODECFG_TYPE_SKEY, + ISAKMP_MODECFG_TYPE_NDS, + ISAKMP_MODECFG_TYPE_DIAMETER, + ISAKMP_MODECFG_TYPE_LDAP +}; + #endif Index: config.h =================================================================== --- config.h (revision 394) +++ config.h (working copy) @@ -49,6 +49,7 @@ CONFIG_IPSEC_SECRET, CONFIG_IPSEC_SECRET_OBF, CONFIG_XAUTH_USERNAME, + CONFIG_XAUTH_PIN, CONFIG_XAUTH_PASSWORD, CONFIG_XAUTH_PASSWORD_OBF, CONFIG_XAUTH_INTERACTIVE, @@ -87,11 +88,16 @@ }; enum auth_mode_enum { - AUTH_MODE_PSK, + AUTH_MODE_PSK, /* pre-shared key */ AUTH_MODE_RSA1, AUTH_MODE_RSA2, - AUTH_MODE_CERT, - AUTH_MODE_HYBRID + AUTH_MODE_CERT, /* Digital Certificate Authentication */ + AUTH_MODE_HYBRID, /* server certificate + xauth */ + AUTH_MODE_NORTEL_USERNAME, /* User Name and Password Authentication */ + AUTH_MODE_NORTEL_TOKEN, /* Group Security - Response Only Token - Use Passcode */ + AUTH_MODE_NORTEL_PINTOKEN, /* Group Security - Response Only Token - Use Two-Factor Card */ + AUTH_MODE_NORTEL_TOKENSW, /* Group Security - Response Only Token - Use SoftID Software */ + AUTH_MODE_NORTEL_GPASSWORD /* Group Security - Group Password Authentication */ }; extern const char *config[LAST_CONFIG]; Index: config.c =================================================================== --- config.c (revision 394) +++ config.c (working copy) @@ -159,7 +159,7 @@ static const char *config_def_auth_mode(void) { - return "psk"; + return "default"; } static const char *config_def_nortel_client_id(void) @@ -247,6 +247,13 @@ "your username", NULL }, { + CONFIG_XAUTH_PIN, 1, 0, + NULL, + "Xauth PIN ", + "<ASCII string>", + "PIN for Nortel Two-Factor Authentication", + NULL + }, { CONFIG_XAUTH_PASSWORD, 1, 0, NULL, "Xauth password ", @@ -434,11 +441,17 @@ CONFIG_AUTH_MODE, 1, 1, "--auth-mode", "IKE Authmode ", - "<psk/cert/hybrid>", + "<default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword>", "Authentication mode:\n" - " * psk: pre-shared key (default)\n" - " * cert: server + client certificate (not implemented yet)\n" - " * hybrid: server certificate + xauth (if built with openssl support)\n", + " * default: maps to vendor specific default mode\n" + " * cert: server + client certificate (not implemented yet)\n" + " * psk: Cisco pre-shared key (default for Cisco)\n" + " * hybrid: Cisco server certificate + xauth (if built with openssl support)\n" + " * username: Nortel User Name and Password Authentication\n" + " * token: Nortel Group Security - Response Only Token - Use Passcode (default for Nortel)\n" + " * PIN-token: Nortel Group Security - Response Only Token - Use Two-Factor Card\n" + " * token-SW: Nortel Group Security - Response Only Token - Use SoftID Software\n" + " * gpassword: Nortel Group Security - Group Password Authentication", config_def_auth_mode }, { CONFIG_CA_FILE, 1, 1, @@ -703,16 +716,79 @@ opt_nd = (config[CONFIG_ND]) ? 1 : 0; opt_1des = (config[CONFIG_ENABLE_1DES]) ? 1 : 0; + if (!strcmp(config[CONFIG_VENDOR], "cisco")) { + opt_vendor = VENDOR_CISCO; + } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) { + opt_vendor = VENDOR_NETSCREEN; + } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) { + opt_vendor = VENDOR_NORTEL; + } else { + printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", + argv[0], config[CONFIG_VENDOR]); + exit(1); + } + if (!strcmp(config[CONFIG_AUTH_MODE], "psk")) { opt_auth_mode = AUTH_MODE_PSK; } else if (!strcmp(config[CONFIG_AUTH_MODE], "cert")) { opt_auth_mode = AUTH_MODE_CERT; } else if (!strcmp(config[CONFIG_AUTH_MODE], "hybrid")) { opt_auth_mode = AUTH_MODE_HYBRID; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "username")) { + opt_auth_mode = AUTH_MODE_NORTEL_USERNAME; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "token")) { + opt_auth_mode = AUTH_MODE_NORTEL_TOKEN; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "PIN-token")) { + opt_auth_mode = AUTH_MODE_NORTEL_PINTOKEN; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "token-SW")) { + opt_auth_mode = AUTH_MODE_NORTEL_TOKENSW; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "gpassword")) { + opt_auth_mode = AUTH_MODE_NORTEL_GPASSWORD; + } else if (!strcmp(config[CONFIG_AUTH_MODE], "default")) { + switch (opt_vendor) { + case VENDOR_NORTEL: + opt_auth_mode = AUTH_MODE_NORTEL_TOKEN; + break; + case VENDOR_NETSCREEN: + case VENDOR_CISCO: + default: + opt_auth_mode = AUTH_MODE_PSK; + break; + } } else { - printf("%s: unknown authentication mode %s\nknown modes: psk cert hybrid\n", argv[0], config[CONFIG_AUTH_MODE]); + printf("%s: unknown authentication mode \"%s\"\nknown modes: " + "default/cert/psk/hybrid/username/token/PIN-token/token-SW/gpassword\n", + argv[0], config[CONFIG_AUTH_MODE]); exit(1); } + + if (((opt_vendor == VENDOR_NORTEL) && + ((opt_auth_mode != AUTH_MODE_CERT) && + (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) && + (opt_auth_mode != AUTH_MODE_NORTEL_TOKEN) && + (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN) && + (opt_auth_mode != AUTH_MODE_NORTEL_TOKENSW) && + (opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD))) || + ((opt_vendor == VENDOR_CISCO) && + ((opt_auth_mode != AUTH_MODE_CERT) && + (opt_auth_mode != AUTH_MODE_PSK) && + (opt_auth_mode != AUTH_MODE_HYBRID))) || + ((opt_vendor == VENDOR_NETSCREEN) && + ((opt_auth_mode != AUTH_MODE_CERT) && + (opt_auth_mode != AUTH_MODE_PSK) && + (opt_auth_mode != AUTH_MODE_HYBRID)))) { + printf("%s: Auth Mode \"%s\" not valid for Vendor \"%s\"\n", + argv[0], config[CONFIG_AUTH_MODE], config[CONFIG_VENDOR]); + exit(1); + } + + if (opt_auth_mode == AUTH_MODE_CERT || + opt_auth_mode == AUTH_MODE_NORTEL_TOKENSW) { + printf("%s: unimplemented Auth Mode \"%s\"\n", + argv[0], config[CONFIG_AUTH_MODE]); + exit(1); + } + #ifndef OPENSSL_GPL_VIOLATION if (opt_auth_mode == AUTH_MODE_HYBRID || opt_auth_mode == AUTH_MODE_CERT) { @@ -783,17 +859,6 @@ } opt_nortel_client_id = tmp; } - - if (!strcmp(config[CONFIG_VENDOR], "cisco")) { - opt_vendor = VENDOR_CISCO; - } else if (!strcmp(config[CONFIG_VENDOR], "netscreen")) { - opt_vendor = VENDOR_NETSCREEN; - } else if (!strcmp(config[CONFIG_VENDOR], "nortel")) { - opt_vendor = VENDOR_NORTEL; - } else { - printf("%s: unknown vendor %s\nknown vendors: cisco netscreen nortel\n", argv[0], config[CONFIG_VENDOR]); - exit(1); - } } if (opt_debug >= 99) { @@ -810,6 +875,12 @@ continue; if (config[CONFIG_XAUTH_INTERACTIVE] && i == CONFIG_XAUTH_PASSWORD) continue; + if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME + && (i == CONFIG_XAUTH_USERNAME || i == CONFIG_XAUTH_PASSWORD)) + continue; + if (opt_auth_mode != AUTH_MODE_NORTEL_PINTOKEN + && i == CONFIG_XAUTH_PIN) + continue; s = NULL; s_len = 0; @@ -828,6 +899,11 @@ case CONFIG_XAUTH_USERNAME: printf("Enter username for %s: ", config[CONFIG_IPSEC_GATEWAY]); break; + case CONFIG_XAUTH_PIN: + printf("Enter PIN for %s@%s: ", + config[CONFIG_XAUTH_USERNAME], + config[CONFIG_IPSEC_GATEWAY]); + break; case CONFIG_XAUTH_PASSWORD: printf("Enter password for %s@%s: ", config[CONFIG_XAUTH_USERNAME], @@ -839,6 +915,7 @@ fflush(stdout); switch (i) { case CONFIG_IPSEC_SECRET: + case CONFIG_XAUTH_PIN: case CONFIG_XAUTH_PASSWORD: s = strdup(getpass("")); break; @@ -870,10 +947,14 @@ error(1, 0, "missing IPSec ID"); if (!config[CONFIG_IPSEC_SECRET]) error(1, 0, "missing IPSec secret"); - if (!config[CONFIG_XAUTH_USERNAME]) - error(1, 0, "missing Xauth username"); - if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE]) - error(1, 0, "missing Xauth password"); + if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) { + if (!config[CONFIG_XAUTH_USERNAME]) + error(1, 0, "missing Xauth username"); + if (!config[CONFIG_XAUTH_PASSWORD] && !config[CONFIG_XAUTH_INTERACTIVE]) + error(1, 0, "missing Xauth password"); + } + if (opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN && !config[CONFIG_XAUTH_PIN]) + error(1, 0, "missing Xauth PIN"); if (get_dh_group_ike() == NULL) error(1, 0, "IKE DH Group \"%s\" unsupported\n", config[CONFIG_IKE_DH]); if (get_dh_group_ipsec(-1) == NULL) Index: vpnc.c =================================================================== --- vpnc.c (revision 394) +++ vpnc.c (working copy) @@ -1110,17 +1110,10 @@ r->u.sa.proposals->u.p.prot_id = ISAKMP_IPSEC_PROTO_ISAKMP; if (opt_vendor == VENDOR_NORTEL) { - auth = 0; + auth = 0; if ((opt_auth_mode == AUTH_MODE_CERT) && (supp_auth[auth].ike_sa_id != IKE_AUTH_RSA_SIG) && (supp_auth[auth].ike_sa_id != IKE_AUTH_DSS)) { - } else if ((opt_auth_mode == AUTH_MODE_HYBRID) && - (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitRSA) && - (supp_auth[auth].ike_sa_id != IKE_AUTH_HybridInitDSS)) { - } else if (supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitRSA || - supp_auth[auth].ike_sa_id == IKE_AUTH_HybridInitDSS || - supp_auth[auth].ike_sa_id == IKE_AUTH_RSA_SIG || - supp_auth[auth].ike_sa_id == IKE_AUTH_DSS) { } else { for (crypt = 0; supp_crypt[crypt].name != NULL; crypt++) { keylen = supp_crypt[crypt].keylen; @@ -1284,7 +1277,10 @@ l->u.id.protocol = IPPROTO_UDP; l->u.id.port = ISAKMP_PORT; /* this must be 500, see rfc2407, 4.6.2 */ if (opt_vendor == VENDOR_NORTEL) { - l->u.id.length = 24; + if (opt_auth_mode == AUTH_MODE_NORTEL_USERNAME) + l->u.id.length = 20; + else + l->u.id.length = 24; l->u.id.data = xallocc(l->u.id.length); gcry_md_hash_buffer(GCRY_MD_SHA1, l->u.id.data, key_id, strlen(key_id)); /* memcpy(l->u.id.data, key_id, strlen(key_id)); */ @@ -1629,7 +1625,10 @@ reject = ISAKMP_N_INVALID_ID_INFORMATION; /* Decide if signature or hash is expected (sig only if vpnc is initiator of hybrid-auth */ - if (reject == 0 && opt_auth_mode == AUTH_MODE_PSK && (hash == NULL || hash->u.hash.length != s->ike.md_len)) + if (reject == 0 && + ((opt_auth_mode == AUTH_MODE_PSK) || + (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) && + (hash == NULL || hash->u.hash.length != s->ike.md_len)) reject = ISAKMP_N_INVALID_HASH_INFORMATION; if (reject == 0 && sig == NULL && (opt_auth_mode == AUTH_MODE_CERT || @@ -1744,7 +1743,8 @@ expected_hash = gcry_md_read(hm, 0); hex_dump("expected hash", expected_hash, s->ike.md_len, NULL); - if (opt_auth_mode == AUTH_MODE_PSK) { + if ((opt_auth_mode == AUTH_MODE_PSK) || + (opt_vendor == VENDOR_NORTEL && opt_auth_mode != AUTH_MODE_CERT)) { if (memcmp(expected_hash, hash->u.hash.data, s->ike.md_len) != 0) error(2, 0, "hash comparison failed: %s(%d)\ncheck group password!", val_to_string(ISAKMP_N_AUTHENTICATION_FAILED, isakmp_notify_enum_array), @@ -2228,7 +2228,6 @@ DEBUGTOP(2, printf("S5.1 xauth_start\n")); /* This can go around for a while. */ for (loopcount = 0;; loopcount++) { - uint16_t xauth_type_requested = 5; struct isakmp_payload *rp; struct isakmp_attribute *a, *ap, *reply_attr; char ntop_buf[32]; @@ -2343,6 +2342,12 @@ reply_attr = NULL; for (ap = a; ap && reject == 0; ap = ap->next) switch (ap->type) { + case ISAKMP_XAUTH_02_ATTRIB_TYPE: + if (opt_auth_mode == AUTH_MODE_NORTEL_GPASSWORD) + reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_RADIUS, reply_attr); + else + reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, ISAKMP_MODECFG_TYPE_SECURID, reply_attr); + break; case ISAKMP_XAUTH_06_ATTRIB_DOMAIN: case ISAKMP_XAUTH_02_ATTRIB_DOMAIN: { @@ -2416,16 +2421,27 @@ memset(pass, 0, na->u.lots.length); } else { struct isakmp_attribute *na; - if (opt_vendor == VENDOR_NORTEL) { - na = reply_attr->next = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, /* reply_attr */ NULL); + if (opt_vendor == VENDOR_NORTEL + && opt_auth_mode != AUTH_MODE_NORTEL_GPASSWORD) + na = new_isakmp_attribute(ISAKMP_XAUTH_02_ATTRIB_PASSCODE, reply_attr); + else + na = new_isakmp_attribute(ap->type, reply_attr); + reply_attr = na; + if (opt_vendor == VENDOR_NORTEL + && opt_auth_mode == AUTH_MODE_NORTEL_PINTOKEN) { + int l_pin, l_pas; + l_pin = strlen(config[CONFIG_XAUTH_PIN]); + l_pas = strlen(config[CONFIG_XAUTH_PASSWORD]); + na->u.lots.length = l_pin + l_pas; + na->u.lots.data = xallocc(na->u.lots.length); + memcpy(na->u.lots.data, config[CONFIG_XAUTH_PIN], l_pin); + memcpy(na->u.lots.data + l_pin, config[CONFIG_XAUTH_PASSWORD], l_pas); } else { - na = new_isakmp_attribute(ap->type, reply_attr); - reply_attr = na; + na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]); + na->u.lots.data = xallocc(na->u.lots.length); + memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD], + na->u.lots.length); } - na->u.lots.length = strlen(config[CONFIG_XAUTH_PASSWORD]); - na->u.lots.data = xallocc(na->u.lots.length); - memcpy(na->u.lots.data, config[CONFIG_XAUTH_PASSWORD], - na->u.lots.length); passwd_used = 1; /* Provide canned password at most once */ } break; @@ -2433,10 +2449,6 @@ ; } - if (opt_vendor == VENDOR_NORTEL) { - reply_attr = new_isakmp_attribute_16(ISAKMP_XAUTH_02_ATTRIB_TYPE, xauth_type_requested, reply_attr); - } - /* Send the response. */ rp = new_isakmp_payload(ISAKMP_PAYLOAD_MODECFG_ATTR); rp->u.modecfg.type = ISAKMP_MODECFG_CFG_REPLY; @@ -2551,7 +2563,8 @@ rp->u.modecfg.attributes = a; sendrecv_phase2(s, rp, ISAKMP_EXCHANGE_MODECFG_TRANSACTION, msgid, 0, 0, 0, 0, 0, 0, 0); } else { - r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0); + if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) + r_length = sendrecv(s,r_packet, sizeof(r_packet), NULL, 0, 0); } /* recv and check for notices */ @@ -3802,18 +3815,22 @@ do { DEBUGTOP(2, printf("S4 do_phase1\n")); do_phase1(group_id, config[CONFIG_IPSEC_SECRET], s); - DEBUGTOP(2, printf("S5 do_phase2_xauth\n")); if (opt_vendor == VENDOR_NORTEL) { - do_load_balance = do_phase2_xauth(s); + if (opt_auth_mode != AUTH_MODE_NORTEL_USERNAME) { + DEBUGTOP(2, printf("S5 do_phase2_xauth\n")); + do_load_balance = do_phase2_xauth(s); + } DEBUGTOP(2, printf("S6 do_phase2_config\n")); do_load_balance = do_phase2_config(s); DEBUGTOP(2, printf("S6 do_phase2\n")); do_phase2(s); } else { /* FIXME: Create and use a generic function in supp.[hc] */ - if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA) + if (s->ike.auth_algo >= IKE_AUTH_HybridInitRSA) { + DEBUGTOP(2, printf("S5 do_phase2_xauth\n")); do_load_balance = do_phase2_xauth(s); + } DEBUGTOP(2, printf("S6 do_phase2_config\n")); if ((opt_vendor == VENDOR_CISCO || opt_vendor == VENDOR_NORTEL) && (do_load_balance == 0)) do_load_balance = do_phase2_config(s);
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor