1
Description: Step up from netkit-telnet_0.17-24.
2
Compute original SSL patch between sources
4
netkit-telnet_0.17-24.dsc
6
netkit-telnet-ssl_0.17.24+0.1.orig.tar.gz
8
This will be pruned to follow netkit-telnet packaging.
10
Author: Christoph Martin, Tim Hudson, David A. Holland, Peter Tobias,
13
Last-Update: 2015-01-28
15
diff -Naur netkit-telnet-0.17/__conftest.cc netkit-telnet-ssl-0.17.24+0.1.orig/__conftest.cc
16
--- netkit-telnet-0.17/__conftest.cc 1970-01-01 01:00:00.000000000 +0100
17
+++ netkit-telnet-ssl-0.17.24+0.1.orig/__conftest.cc 2004-05-27 11:47:02.000000000 +0200
21
+ void *x = (void *)snprintf;
22
+ printf("%lx", (long)x);
26
diff -Naur netkit-telnet-0.17/libtelnet/arpa/telnet.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/arpa/telnet.h
27
--- netkit-telnet-0.17/libtelnet/arpa/telnet.h 1970-01-01 01:00:00.000000000 +0100
28
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/arpa/telnet.h 2004-05-27 11:47:25.000000000 +0200
31
+ * Copyright (c) 1983, 1993
32
+ * The Regents of the University of California. All rights reserved.
34
+ * Redistribution and use in source and binary forms, with or without
35
+ * modification, are permitted provided that the following conditions
37
+ * 1. Redistributions of source code must retain the above copyright
38
+ * notice, this list of conditions and the following disclaimer.
39
+ * 2. Redistributions in binary form must reproduce the above copyright
40
+ * notice, this list of conditions and the following disclaimer in the
41
+ * documentation and/or other materials provided with the distribution.
42
+ * 3. All advertising materials mentioning features or use of this software
43
+ * must display the following acknowledgement:
44
+ * This product includes software developed by the University of
45
+ * California, Berkeley and its contributors.
46
+ * 4. Neither the name of the University nor the names of its contributors
47
+ * may be used to endorse or promote products derived from this software
48
+ * without specific prior written permission.
50
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
51
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
52
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
53
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
54
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
55
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
56
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
57
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
58
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
59
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
62
+ * @(#)telnet.h 8.2 (Berkeley) 12/15/93
69
+ * Definitions for the TELNET protocol.
71
+#define IAC 255 /* interpret as command: */
72
+#define DONT 254 /* you are not to use option */
73
+#define DO 253 /* please, you use option */
74
+#define WONT 252 /* I won't use option */
75
+#define WILL 251 /* I will use option */
76
+#define SB 250 /* interpret as subnegotiation */
77
+#define GA 249 /* you may reverse the line */
78
+#define EL 248 /* erase the current line */
79
+#define EC 247 /* erase the current character */
80
+#define AYT 246 /* are you there */
81
+#define AO 245 /* abort output--but let prog finish */
82
+#define IP 244 /* interrupt process--permanently */
83
+#define BREAK 243 /* break */
84
+#define DM 242 /* data mark--for connect. cleaning */
85
+#define NOP 241 /* nop */
86
+#define SE 240 /* end sub negotiation */
87
+#define EOR 239 /* end of record (transparent mode) */
88
+#define ABORT 238 /* Abort process */
89
+#define SUSP 237 /* Suspend process */
90
+#define xEOF 236 /* End of file: EOF is already used... */
92
+#define SYNCH 242 /* for telfunc calls */
96
+ "EOF", "SUSP", "ABORT", "EOR",
97
+ "SE", "NOP", "DMARK", "BRK", "IP", "AO", "AYT", "EC",
98
+ "EL", "GA", "SB", "WILL", "WONT", "DO", "DONT", "IAC", 0,
101
+extern char *telcmds[];
104
+#define TELCMD_FIRST xEOF
105
+#define TELCMD_LAST IAC
106
+#define TELCMD_OK(x) ((unsigned int)(x) <= TELCMD_LAST && \
107
+ (unsigned int)(x) >= TELCMD_FIRST)
108
+#define TELCMD(x) telcmds[(x)-TELCMD_FIRST]
110
+/* telnet options */
111
+#define TELOPT_BINARY 0 /* 8-bit data path */
112
+#define TELOPT_ECHO 1 /* echo */
113
+#define TELOPT_RCP 2 /* prepare to reconnect */
114
+#define TELOPT_SGA 3 /* suppress go ahead */
115
+#define TELOPT_NAMS 4 /* approximate message size */
116
+#define TELOPT_STATUS 5 /* give status */
117
+#define TELOPT_TM 6 /* timing mark */
118
+#define TELOPT_RCTE 7 /* remote controlled transmission and echo */
119
+#define TELOPT_NAOL 8 /* negotiate about output line width */
120
+#define TELOPT_NAOP 9 /* negotiate about output page size */
121
+#define TELOPT_NAOCRD 10 /* negotiate about CR disposition */
122
+#define TELOPT_NAOHTS 11 /* negotiate about horizontal tabstops */
123
+#define TELOPT_NAOHTD 12 /* negotiate about horizontal tab disposition */
124
+#define TELOPT_NAOFFD 13 /* negotiate about formfeed disposition */
125
+#define TELOPT_NAOVTS 14 /* negotiate about vertical tab stops */
126
+#define TELOPT_NAOVTD 15 /* negotiate about vertical tab disposition */
127
+#define TELOPT_NAOLFD 16 /* negotiate about output LF disposition */
128
+#define TELOPT_XASCII 17 /* extended ascii character set */
129
+#define TELOPT_LOGOUT 18 /* force logout */
130
+#define TELOPT_BM 19 /* byte macro */
131
+#define TELOPT_DET 20 /* data entry terminal */
132
+#define TELOPT_SUPDUP 21 /* supdup protocol */
133
+#define TELOPT_SUPDUPOUTPUT 22 /* supdup output */
134
+#define TELOPT_SNDLOC 23 /* send location */
135
+#define TELOPT_TTYPE 24 /* terminal type */
136
+#define TELOPT_EOR 25 /* end or record */
137
+#define TELOPT_TUID 26 /* TACACS user identification */
138
+#define TELOPT_OUTMRK 27 /* output marking */
139
+#define TELOPT_TTYLOC 28 /* terminal location number */
140
+#define TELOPT_3270REGIME 29 /* 3270 regime */
141
+#define TELOPT_X3PAD 30 /* X.3 PAD */
142
+#define TELOPT_NAWS 31 /* window size */
143
+#define TELOPT_TSPEED 32 /* terminal speed */
144
+#define TELOPT_LFLOW 33 /* remote flow control */
145
+#define TELOPT_LINEMODE 34 /* Linemode option */
146
+#define TELOPT_XDISPLOC 35 /* X Display Location */
147
+#define TELOPT_OLD_ENVIRON 36 /* Old - Environment variables */
148
+#define TELOPT_AUTHENTICATION 37/* Authenticate */
149
+#define TELOPT_ENCRYPT 38 /* Encryption option */
150
+#define TELOPT_NEW_ENVIRON 39 /* New - Environment variables */
151
+#define TELOPT_EXOPL 255 /* extended-options-list */
154
+#define NTELOPTS (1+TELOPT_NEW_ENVIRON)
156
+char *telopts[NTELOPTS+1] = {
157
+ "BINARY", "ECHO", "RCP", "SUPPRESS GO AHEAD", "NAME",
158
+ "STATUS", "TIMING MARK", "RCTE", "NAOL", "NAOP",
159
+ "NAOCRD", "NAOHTS", "NAOHTD", "NAOFFD", "NAOVTS",
160
+ "NAOVTD", "NAOLFD", "EXTEND ASCII", "LOGOUT", "BYTE MACRO",
161
+ "DATA ENTRY TERMINAL", "SUPDUP", "SUPDUP OUTPUT",
162
+ "SEND LOCATION", "TERMINAL TYPE", "END OF RECORD",
163
+ "TACACS UID", "OUTPUT MARKING", "TTYLOC",
164
+ "3270 REGIME", "X.3 PAD", "NAWS", "TSPEED", "LFLOW",
165
+ "LINEMODE", "XDISPLOC", "OLD-ENVIRON", "AUTHENTICATION",
166
+ "ENCRYPT", "NEW-ENVIRON",
169
+#define TELOPT_FIRST TELOPT_BINARY
170
+#define TELOPT_LAST TELOPT_NEW_ENVIRON
171
+#define TELOPT_OK(x) ((unsigned int)(x) <= TELOPT_LAST)
172
+#define TELOPT(x) telopts[(x)-TELOPT_FIRST]
175
+/* sub-option qualifiers */
176
+#define TELQUAL_IS 0 /* option is... */
177
+#define TELQUAL_SEND 1 /* send option */
178
+#define TELQUAL_INFO 2 /* ENVIRON: informational version of IS */
179
+#define TELQUAL_REPLY 2 /* AUTHENTICATION: client version of IS */
180
+#define TELQUAL_NAME 3 /* AUTHENTICATION: client version of IS */
182
+#define LFLOW_OFF 0 /* Disable remote flow control */
183
+#define LFLOW_ON 1 /* Enable remote flow control */
184
+#define LFLOW_RESTART_ANY 2 /* Restart output on any char */
185
+#define LFLOW_RESTART_XON 3 /* Restart output only on XON */
188
+ * LINEMODE suboptions
192
+#define LM_FORWARDMASK 2
195
+#define MODE_EDIT 0x01
196
+#define MODE_TRAPSIG 0x02
197
+#define MODE_ACK 0x04
198
+#define MODE_SOFT_TAB 0x08
199
+#define MODE_LIT_ECHO 0x10
201
+#define MODE_MASK 0x1f
203
+/* Not part of protocol, but needed to simplify things... */
204
+#define MODE_FLOW 0x0100
205
+#define MODE_ECHO 0x0200
206
+#define MODE_INBIN 0x0400
207
+#define MODE_OUTBIN 0x0800
208
+#define MODE_FORCE 0x1000
223
+#define SLC_LNEXT 14
226
+#define SLC_FORW1 17
227
+#define SLC_FORW2 18
232
+ * For backwards compatibility, we define SLC_NAMES to be the
233
+ * list of names if SLC_NAMES is not defined.
235
+#define SLC_NAMELIST "0", "SYNCH", "BRK", "IP", "AO", "AYT", "EOR", \
236
+ "ABORT", "EOF", "SUSP", "EC", "EL", "EW", "RP", \
237
+ "LNEXT", "XON", "XOFF", "FORW1", "FORW2", 0,
239
+char *slc_names[] = {
243
+extern char *slc_names[];
244
+#define SLC_NAMES SLC_NAMELIST
247
+#define SLC_NAME_OK(x) ((unsigned int)(x) <= NSLC)
248
+#define SLC_NAME(x) slc_names[x]
250
+#define SLC_NOSUPPORT 0
251
+#define SLC_CANTCHANGE 1
252
+#define SLC_VARIABLE 2
253
+#define SLC_DEFAULT 3
254
+#define SLC_LEVELBITS 0x03
260
+#define SLC_ACK 0x80
261
+#define SLC_FLUSHIN 0x40
262
+#define SLC_FLUSHOUT 0x20
264
+#define OLD_ENV_VAR 1
265
+#define OLD_ENV_VALUE 0
266
+#define NEW_ENV_VAR 0
267
+#define NEW_ENV_VALUE 1
269
+#define ENV_USERVAR 3
272
+ * AUTHENTICATION suboptions
276
+ * Who is authenticating who ...
278
+#define AUTH_WHO_CLIENT 0 /* Client authenticating server */
279
+#define AUTH_WHO_SERVER 1 /* Server authenticating client */
280
+#define AUTH_WHO_MASK 1
283
+ * amount of authentication done
285
+#define AUTH_HOW_ONE_WAY 0
286
+#define AUTH_HOW_MUTUAL 2
287
+#define AUTH_HOW_MASK 2
289
+#define AUTHTYPE_NULL 0
290
+#define AUTHTYPE_KERBEROS_V4 1
291
+#define AUTHTYPE_KERBEROS_V5 2
292
+#define AUTHTYPE_SPX 3
293
+#define AUTHTYPE_MINK 4
294
+#define AUTHTYPE_CNT 5
295
+#define AUTHTYPE_SRA 6
298
+#define AUTHTYPE_SSL 7
299
+#define N_AUTHTYPE 8
300
+#else /* !USE_SSL */
301
+#define N_AUTHTYPE 7
302
+#endif /* USE_SSL */
304
+#define AUTHTYPE_TEST 99
307
+char *authtype_names[] = {
308
+ "NULL", "KERBEROS_V4", "KERBEROS_V5", "SPX", "MINK", "CNT", "SRA",
315
+extern char *authtype_names[];
318
+#define AUTHTYPE_NAME_OK(x) ((unsigned int)(x) < AUTHTYPE_CNT)
319
+#define AUTHTYPE_NAME(x) authtype_names[x]
322
+ * ENCRYPTion suboptions
324
+#define ENCRYPT_IS 0 /* I pick encryption type ... */
325
+#define ENCRYPT_SUPPORT 1 /* I support encryption types ... */
326
+#define ENCRYPT_REPLY 2 /* Initial setup response */
327
+#define ENCRYPT_START 3 /* Am starting to send encrypted */
328
+#define ENCRYPT_END 4 /* Am ending encrypted */
329
+#define ENCRYPT_REQSTART 5 /* Request you start encrypting */
330
+#define ENCRYPT_REQEND 6 /* Request you send encrypting */
331
+#define ENCRYPT_ENC_KEYID 7
332
+#define ENCRYPT_DEC_KEYID 8
333
+#define ENCRYPT_CNT 9
335
+#define ENCTYPE_ANY 0
336
+#define ENCTYPE_DES_CFB64 1
337
+#define ENCTYPE_DES_OFB64 2
338
+#define ENCTYPE_CNT 3
340
+#ifdef ENCRYPT_NAMES
341
+char *encrypt_names[] = {
342
+ "IS", "SUPPORT", "REPLY", "START", "END",
343
+ "REQUEST-START", "REQUEST-END", "ENC-KEYID", "DEC-KEYID",
346
+char *enctype_names[] = {
347
+ "ANY", "DES_CFB64", "DES_OFB64", 0,
350
+extern char *encrypt_names[];
351
+extern char *enctype_names[];
355
+#define ENCRYPT_NAME_OK(x) ((unsigned int)(x) < ENCRYPT_CNT)
356
+#define ENCRYPT_NAME(x) encrypt_names[x]
358
+#define ENCTYPE_NAME_OK(x) ((unsigned int)(x) < ENCTYPE_CNT)
359
+#define ENCTYPE_NAME(x) enctype_names[x]
361
+#endif /* !_TELNET_H_ */
362
diff -Naur netkit-telnet-0.17/libtelnet/auth.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c
363
--- netkit-telnet-0.17/libtelnet/auth.c 1970-01-01 01:00:00.000000000 +0100
364
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c 2004-05-27 11:47:25.000000000 +0200
367
+ * 30-Jun-95 tjh applied the security patch from the CERT advisory
368
+ * ................. that I'd missed earlier
372
+ * Copyright (c) 1991 The Regents of the University of California.
373
+ * All rights reserved.
375
+ * Redistribution and use in source and binary forms, with or without
376
+ * modification, are permitted provided that the following conditions
378
+ * 1. Redistributions of source code must retain the above copyright
379
+ * notice, this list of conditions and the following disclaimer.
380
+ * 2. Redistributions in binary form must reproduce the above copyright
381
+ * notice, this list of conditions and the following disclaimer in the
382
+ * documentation and/or other materials provided with the distribution.
383
+ * 3. All advertising materials mentioning features or use of this software
384
+ * must display the following acknowledgement:
385
+ * This product includes software developed by the University of
386
+ * California, Berkeley and its contributors.
387
+ * 4. Neither the name of the University nor the names of its contributors
388
+ * may be used to endorse or promote products derived from this software
389
+ * without specific prior written permission.
391
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
392
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
393
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
394
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
395
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
396
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
397
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
398
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
399
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
400
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
405
+static char sccsid[] = "@(#)auth.c 5.2 (Berkeley) 3/22/91";
406
+#endif /* not lint */
409
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
411
+ * Export of this software from the United States of America is assumed
412
+ * to require a specific license from the United States Government.
413
+ * It is the responsibility of any person or organization contemplating
414
+ * export to obtain such a license before exporting.
416
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
417
+ * distribute this software and its documentation for any purpose and
418
+ * without fee is hereby granted, provided that the above copyright
419
+ * notice appear in all copies and that both that copyright notice and
420
+ * this permission notice appear in supporting documentation, and that
421
+ * the name of M.I.T. not be used in advertising or publicity pertaining
422
+ * to distribution of the software without specific, written prior
423
+ * permission. M.I.T. makes no representations about the suitability of
424
+ * this software for any purpose. It is provided "as is" without express
425
+ * or implied warranty.
429
+#if defined(AUTHENTICATE)
431
+#include <sys/types.h>
434
+#include <arpa/telnet.h>
439
+#include <strings.h>
444
+#include "encrypt.h"
446
+#include "misc-proto.h"
447
+#include "auth-proto.h"
449
+#define typemask(x) (1<<((x)-1))
451
+int auth_debug_mode = 0;
452
+static char *Name = "Noname";
453
+static int Server = 0;
454
+static Authenticator *authenticated = 0;
455
+static int authenticating = 0;
456
+static int validuser = 0;
457
+static unsigned char _auth_send_data[256];
458
+static unsigned char *auth_send_data;
459
+static int auth_send_cnt = 0;
462
+ * Authentication types supported. Plese note that these are stored
463
+ * in priority order, i.e. try the first one first.
465
+Authenticator authenticators[] = {
467
+ { AUTHTYPE_SSL, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
473
+ auth_ssl_printsub },
474
+#endif /* USE_SSL */
476
+ { AUTHTYPE_SRA, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
485
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
491
+ kerberos5_printsub },
492
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
498
+ kerberos5_printsub },
501
+ { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
507
+ kerberos4_printsub },
508
+ { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
514
+ kerberos4_printsub },
519
+static Authenticator NoAuth = { 0 };
521
+static int i_support = 0;
522
+static int i_wont_support = 0;
525
+findauthenticator(type, way)
529
+ Authenticator *ap = authenticators;
531
+ while (ap->type && (ap->type != type || ap->way != way))
533
+ return(ap->type ? ap : 0);
537
+auth_init(name, server)
541
+ Authenticator *ap = authenticators;
548
+ authenticating = 0;
550
+ if (!ap->init || (*ap->init)(ap, server)) {
551
+ i_support |= typemask(ap->type);
552
+ if (auth_debug_mode)
553
+ printf(">>>%s: I support auth type %d %d\r\n",
555
+ ap->type, ap->way);
562
+auth_disable_name(name)
566
+ for (x = 0; x < N_AUTHTYPE; ++x) {
567
+ if (!strcasecmp(name, AUTHTYPE_NAME(x))) {
568
+ i_wont_support |= typemask(x);
575
+getauthmask(type, maskp)
581
+ if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
586
+ for (x = 1; x < N_AUTHTYPE; ++x) {
587
+ if (!strcasecmp(type, AUTHTYPE_NAME(x))) {
588
+ *maskp = typemask(x);
596
+auth_enable(const char *type, const char *a)
598
+ return(auth_onoff(type, 1));
602
+auth_disable(const char *type, const char *a)
604
+ return(auth_onoff(type, 0));
608
+auth_onoff(type, on)
615
+ if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
616
+ printf("auth %s 'type'\n", on ? "enable" : "disable");
617
+ printf("Where 'type' is one of:\n");
618
+ printf("\t%s\n", AUTHTYPE_NAME(0));
620
+ for (ap = authenticators; ap->type; ap++) {
621
+ if ((mask & (i = typemask(ap->type))) != 0)
624
+ printf("\t%s\n", AUTHTYPE_NAME(ap->type));
629
+ if (!getauthmask(type, &mask)) {
630
+ printf("%s: invalid authentication type\n", type);
634
+ i_wont_support &= ~mask;
636
+ i_wont_support |= mask;
645
+ auth_debug_mode ^= 1;
647
+ auth_debug_mode = on;
648
+ printf("auth debugging %s\n", auth_debug_mode ? "enabled" : "disabled");
653
+auth_status(const char *type, const char *a)
658
+ if (i_wont_support == -1)
659
+ printf("Authentication disabled\n");
661
+ printf("Authentication enabled\n");
664
+ for (ap = authenticators; ap->type; ap++) {
665
+ if ((mask & (i = typemask(ap->type))) != 0)
668
+ printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
669
+ (i_wont_support & typemask(ap->type)) ?
670
+ "disabled" : "enabled");
676
+ * This routine is called by the server to start authentication
682
+ static unsigned char str_request[64] = { IAC, SB,
683
+ TELOPT_AUTHENTICATION,
685
+ Authenticator *ap = authenticators;
686
+ unsigned char *e = str_request + 4;
688
+ if (!authenticating) {
689
+ authenticating = 1;
691
+ if (i_support & ~i_wont_support & typemask(ap->type)) {
692
+ if (auth_debug_mode) {
693
+ printf(">>>%s: Sending type %d %d\r\n",
694
+ Name, ap->type, ap->way);
703
+ writenet(str_request, e - str_request);
704
+ printsub('>', &str_request[2], e - str_request - 2);
709
+ * This is called when an AUTH SEND is received.
710
+ * It should never arrive on the server side (as only the server can
711
+ * send an AUTH SEND).
712
+ * You should probably respond to it if you can...
714
+ * If you want to respond to the types out of order (i.e. even
715
+ * if he sends LOGIN KERBEROS and you support both, you respond
716
+ * with KERBEROS instead of LOGIN (which is against what the
717
+ * protocol says)) you will have to hack this code...
720
+auth_send(data, cnt)
721
+ unsigned char *data;
725
+ static unsigned char str_none[] = { IAC, SB, TELOPT_AUTHENTICATION,
726
+ TELQUAL_IS, AUTHTYPE_NULL, 0,
729
+ if (auth_debug_mode) {
730
+ printf(">>>%s: auth_send called!\r\n", Name);
735
+ if (auth_debug_mode) {
736
+ printf(">>>%s: auth_send got:", Name);
737
+ printd(data, cnt); printf("\r\n");
741
+ * Save the data, if it is new, so that we can continue looking
742
+ * at it if the authorization we try doesn't work
744
+ if (data < _auth_send_data ||
745
+ data > _auth_send_data + sizeof(_auth_send_data)) {
746
+ auth_send_cnt = cnt > sizeof(_auth_send_data)
747
+ ? sizeof(_auth_send_data)
749
+ memcpy((void *)_auth_send_data,(void *)data, auth_send_cnt);
750
+ auth_send_data = _auth_send_data;
753
+ * This is probably a no-op, but we just make sure
755
+ auth_send_data = data;
756
+ auth_send_cnt = cnt;
758
+ while ((auth_send_cnt -= 2) >= 0) {
759
+ if (auth_debug_mode)
760
+ printf(">>>%s: He supports %d\r\n",
761
+ Name, *auth_send_data);
762
+ if ((i_support & ~i_wont_support) & typemask(*auth_send_data)) {
763
+ ap = findauthenticator(auth_send_data[0],
764
+ auth_send_data[1]);
766
+ printf("Internal state error: cannot find authentication type %d a second time\r\n", *auth_send_data);
767
+ } else if (ap->send) {
768
+ if (auth_debug_mode)
769
+ printf(">>>%s: Trying %d %d\r\n",
770
+ Name, auth_send_data[0],
771
+ auth_send_data[1]);
772
+ if ((*ap->send)(ap)) {
774
+ * Okay, we found one we like
776
+ * we can go home now.
778
+ if (auth_debug_mode)
779
+ printf(">>>%s: Using type %d\r\n",
780
+ Name, *auth_send_data);
781
+ auth_send_data += 2;
786
+ * just continue on and look for the
787
+ * next one if we didn't do anything.
790
+ auth_send_data += 2;
792
+ writenet(str_none, sizeof(str_none));
793
+ printsub('>', &str_none[2], sizeof(str_none) - 2);
794
+ if (auth_debug_mode)
795
+ printf(">>>%s: Sent failure message\r\n", Name);
796
+ auth_finished(0, AUTH_REJECT);
803
+ * if auth_send_cnt <= 0 then auth_send will end up rejecting
804
+ * the authentication and informing the other side of this.
806
+ auth_send(auth_send_data, auth_send_cnt);
811
+ unsigned char *data;
819
+ if (data[0] == AUTHTYPE_NULL) {
820
+ auth_finished(0, AUTH_REJECT);
824
+ if (ap = findauthenticator(data[0], data[1])) {
826
+ (*ap->is)(ap, data+2, cnt-2);
827
+ } else if (auth_debug_mode)
828
+ printf(">>>%s: Invalid authentication in IS: %d\r\n",
833
+auth_reply(data, cnt)
834
+ unsigned char *data;
842
+ if (ap = findauthenticator(data[0], data[1])) {
844
+ (*ap->reply)(ap, data+2, cnt-2);
845
+ } else if (auth_debug_mode)
846
+ printf(">>>%s: Invalid authentication in SEND: %d\r\n",
851
+auth_name(data, cnt)
852
+ unsigned char *data;
856
+ unsigned char savename[256];
859
+ if (auth_debug_mode)
860
+ printf(">>>%s: Empty name in NAME\r\n", Name);
863
+ if (cnt > sizeof(savename) - 1) {
864
+ if (auth_debug_mode)
865
+ printf(">>>%s: Name in NAME (%d) exceeds %d length\r\n",
866
+ Name, cnt, sizeof(savename)-1);
869
+ memcpy((void *)savename, (void *)data,cnt);
870
+ savename[cnt] = '\0'; /* Null terminate */
871
+ if (auth_debug_mode)
872
+ printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
873
+ auth_encrypt_user(savename);
877
+auth_sendname(cp, len)
881
+ static unsigned char str_request[256+6]
882
+ = { IAC, SB, TELOPT_AUTHENTICATION, TELQUAL_NAME, };
883
+ register unsigned char *e = str_request + 4;
884
+ register unsigned char *ee = &str_request[sizeof(str_request)-2];
886
+ while (--len >= 0) {
887
+ if ((*e++ = *cp++) == IAC)
894
+ writenet(str_request, e - str_request);
895
+ printsub('>', &str_request[2], e - &str_request[2]);
900
+auth_finished(ap, result)
904
+ if (!(authenticated = ap))
905
+ authenticated = &NoAuth;
906
+ validuser = result;
914
+ auth_finished(0, AUTH_REJECT);
921
+ if (auth_debug_mode)
922
+ printf(">>>%s: in auth_wait.\r\n", Name);
924
+ if (Server && !authenticating)
928
+ (void) signal(SIGALRM, auth_intr);
931
+ while (!authenticated)
936
+ (void) signal(SIGALRM, SIG_DFL);
940
+ * Now check to see if the user is valid or not
942
+ if (!authenticated || authenticated == &NoAuth)
943
+ return(AUTH_REJECT);
945
+ if (validuser == AUTH_VALID)
946
+ validuser = AUTH_USER;
948
+ if (authenticated->status)
949
+ validuser = (*authenticated->status)(authenticated,
958
+ auth_debug_mode = mode;
962
+auth_printsub(data, cnt, buf, buflen)
963
+ unsigned char *data, *buf;
968
+ if ((ap = findauthenticator(data[1], data[2])) && ap->printsub)
969
+ (*ap->printsub)(data, cnt, buf, buflen);
971
+ auth_gen_printsub(data, cnt, buf, buflen);
975
+auth_gen_printsub(data, cnt, buf, buflen)
976
+ unsigned char *data, *buf;
979
+ register unsigned char *cp;
980
+ unsigned char tbuf[16];
984
+ buf[buflen-1] = '\0';
985
+ buf[buflen-2] = '*';
987
+ for (; cnt > 0; cnt--, data++) {
988
+ sprintf((char *)tbuf, " %d", *data);
989
+ for (cp = tbuf; *cp && buflen > 0; --buflen)
997
diff -Naur netkit-telnet-0.17/libtelnet/authenc.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/authenc.c
998
--- netkit-telnet-0.17/libtelnet/authenc.c 1970-01-01 01:00:00.000000000 +0100
999
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/authenc.c 2004-05-27 11:47:26.000000000 +0200
1002
+ * Copyright (c) 1991 The Regents of the University of California.
1003
+ * All rights reserved.
1005
+ * Redistribution and use in source and binary forms, with or without
1006
+ * modification, are permitted provided that the following conditions
1008
+ * 1. Redistributions of source code must retain the above copyright
1009
+ * notice, this list of conditions and the following disclaimer.
1010
+ * 2. Redistributions in binary form must reproduce the above copyright
1011
+ * notice, this list of conditions and the following disclaimer in the
1012
+ * documentation and/or other materials provided with the distribution.
1013
+ * 3. All advertising materials mentioning features or use of this software
1014
+ * must display the following acknowledgement:
1015
+ * This product includes software developed by the University of
1016
+ * California, Berkeley and its contributors.
1017
+ * 4. Neither the name of the University nor the names of its contributors
1018
+ * may be used to endorse or promote products derived from this software
1019
+ * without specific prior written permission.
1021
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1022
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1023
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1024
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1025
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1026
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1027
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1028
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1029
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1030
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1035
+static char sccsid[] = "@(#)authenc.c 5.1 (Berkeley) 3/1/91";
1036
+#endif /* not lint */
1038
+#if defined(ENCRYPT) || defined(AUTHENTICATE)
1039
+#include <sys/types.h>
1040
+#include <arpa/telnet.h>
1041
+#include <libtelnet/encrypt.h>
1042
+#include <libtelnet/misc.h>
1044
+#include "general.h"
1046
+#include "externs.h"
1047
+#include "defines.h"
1051
+net_write(str, len)
1052
+ unsigned char *str;
1055
+ if (NETROOM() > len) {
1056
+ ring_supply_data(&netoring, str, len);
1057
+ if (str[0] == IAC && str[1] == SE)
1058
+ printsub('>', &str[2], len-2);
1067
+#if defined(ENCRYPT)
1068
+ if (encrypt_output)
1069
+ ring_encrypt(&netoring, encrypt_output);
1071
+ ring_clearto(&netoring);
1085
+ return((char *)env_getvalue((unsigned char *)val));
1089
+telnet_gets(prompt, result, length, echo)
1095
+ extern char *getpass();
1096
+ extern int globalmode;
1097
+ int om = globalmode;
1098
+ int old_localchars = localchars;
1101
+ TerminalNewMode(-1);
1102
+ localchars = 0; /* SIGINT quits the application */
1105
+ printf("%s", prompt);
1107
+ res = fgets(result, length, stdin);
1108
+ } else if (res = getpass(prompt)) {
1109
+ strncpy(result, res, length);
1112
+ localchars = old_localchars; /* restore old state */
1113
+ TerminalNewMode(om);
1117
diff -Naur netkit-telnet-0.17/libtelnet/auth.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.h
1118
--- netkit-telnet-0.17/libtelnet/auth.h 1970-01-01 01:00:00.000000000 +0100
1119
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.h 2004-05-27 11:47:26.000000000 +0200
1122
+ * Copyright (c) 1991 The Regents of the University of California.
1123
+ * All rights reserved.
1125
+ * Redistribution and use in source and binary forms, with or without
1126
+ * modification, are permitted provided that the following conditions
1128
+ * 1. Redistributions of source code must retain the above copyright
1129
+ * notice, this list of conditions and the following disclaimer.
1130
+ * 2. Redistributions in binary form must reproduce the above copyright
1131
+ * notice, this list of conditions and the following disclaimer in the
1132
+ * documentation and/or other materials provided with the distribution.
1133
+ * 3. All advertising materials mentioning features or use of this software
1134
+ * must display the following acknowledgement:
1135
+ * This product includes software developed by the University of
1136
+ * California, Berkeley and its contributors.
1137
+ * 4. Neither the name of the University nor the names of its contributors
1138
+ * may be used to endorse or promote products derived from this software
1139
+ * without specific prior written permission.
1141
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1142
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1143
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1144
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1145
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1146
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1147
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1148
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1149
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1150
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1153
+ * @(#)auth.h 5.1 (Berkeley) 2/28/91
1157
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
1159
+ * Export of this software from the United States of America is assumed
1160
+ * to require a specific license from the United States Government.
1161
+ * It is the responsibility of any person or organization contemplating
1162
+ * export to obtain such a license before exporting.
1164
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1165
+ * distribute this software and its documentation for any purpose and
1166
+ * without fee is hereby granted, provided that the above copyright
1167
+ * notice appear in all copies and that both that copyright notice and
1168
+ * this permission notice appear in supporting documentation, and that
1169
+ * the name of M.I.T. not be used in advertising or publicity pertaining
1170
+ * to distribution of the software without specific, written prior
1171
+ * permission. M.I.T. makes no representations about the suitability of
1172
+ * this software for any purpose. It is provided "as is" without express
1173
+ * or implied warranty.
1179
+#define AUTH_REJECT 0 /* Rejected */
1180
+#define AUTH_UNKNOWN 1 /* We don't know who he is, but he's okay */
1181
+#define AUTH_OTHER 2 /* We know him, but not his name */
1182
+#define AUTH_USER 3 /* We know he name */
1183
+#define AUTH_VALID 4 /* We know him, and he needs no password */
1197
+typedef struct XauthP {
1200
+ int (*init) P((struct XauthP *, int));
1201
+ int (*send) P((struct XauthP *));
1202
+ void (*is) P((struct XauthP *, unsigned char *, int));
1203
+ void (*reply) P((struct XauthP *, unsigned char *, int));
1204
+ int (*status) P((struct XauthP *, char *, int));
1205
+ void (*printsub) P((unsigned char *, int, unsigned char *, int));
1208
+#include "auth-proto.h"
1210
+extern int auth_debug_mode;
1217
diff -Naur netkit-telnet-0.17/libtelnet/auth-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h
1218
--- netkit-telnet-0.17/libtelnet/auth-proto.h 1970-01-01 01:00:00.000000000 +0100
1219
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h 2004-05-27 11:47:25.000000000 +0200
1222
+ * Copyright (c) 1991 The Regents of the University of California.
1223
+ * All rights reserved.
1225
+ * Redistribution and use in source and binary forms, with or without
1226
+ * modification, are permitted provided that the following conditions
1228
+ * 1. Redistributions of source code must retain the above copyright
1229
+ * notice, this list of conditions and the following disclaimer.
1230
+ * 2. Redistributions in binary form must reproduce the above copyright
1231
+ * notice, this list of conditions and the following disclaimer in the
1232
+ * documentation and/or other materials provided with the distribution.
1233
+ * 3. All advertising materials mentioning features or use of this software
1234
+ * must display the following acknowledgement:
1235
+ * This product includes software developed by the University of
1236
+ * California, Berkeley and its contributors.
1237
+ * 4. Neither the name of the University nor the names of its contributors
1238
+ * may be used to endorse or promote products derived from this software
1239
+ * without specific prior written permission.
1241
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1242
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1243
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1244
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1245
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1246
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1247
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1248
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1249
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1250
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1253
+ * @(#)auth-proto.h 5.2 (Berkeley) 3/22/91
1257
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
1259
+ * Export of this software from the United States of America is assumed
1260
+ * to require a specific license from the United States Government.
1261
+ * It is the responsibility of any person or organization contemplating
1262
+ * export to obtain such a license before exporting.
1264
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1265
+ * distribute this software and its documentation for any purpose and
1266
+ * without fee is hereby granted, provided that the above copyright
1267
+ * notice appear in all copies and that both that copyright notice and
1268
+ * this permission notice appear in supporting documentation, and that
1269
+ * the name of M.I.T. not be used in advertising or publicity pertaining
1270
+ * to distribution of the software without specific, written prior
1271
+ * permission. M.I.T. makes no representations about the suitability of
1272
+ * this software for any purpose. It is provided "as is" without express
1273
+ * or implied warranty.
1288
+#if defined(AUTHENTICATE)
1289
+Authenticator *findauthenticator P((int, int));
1291
+void auth_init P((char *, int));
1292
+int auth_cmd P((int, char **));
1293
+void auth_request P((void));
1294
+void auth_send P((unsigned char *, int));
1295
+void auth_send_retry P((void));
1296
+void auth_is P((unsigned char *, int));
1297
+void auth_reply P((unsigned char *, int));
1298
+void auth_finished P((Authenticator *, int));
1299
+int auth_wait P((char *));
1300
+void auth_disable_name P((char *));
1301
+void auth_gen_printsub P((unsigned char *, int, unsigned char *, int));
1303
+int auth_enable P((const char *, const char *));
1304
+int auth_disable P((const char *, const char *));
1305
+int auth_status P((const char *, const char *));
1306
+int auth_togdebug P((int));
1307
+void auth_name P((unsigned char *, int));
1308
+void auth_printsub P((unsigned char *, int, unsigned char *, int));
1312
+int kerberos4_init P((Authenticator *, int));
1313
+int kerberos4_send P((Authenticator *));
1314
+void kerberos4_is P((Authenticator *, unsigned char *, int));
1315
+void kerberos4_reply P((Authenticator *, unsigned char *, int));
1316
+int kerberos4_status P((Authenticator *, char *, int));
1317
+void kerberos4_printsub P((unsigned char *, int, unsigned char *, int));
1321
+int kerberos5_init P((Authenticator *, int));
1322
+int kerberos5_send P((Authenticator *));
1323
+void kerberos5_is P((Authenticator *, unsigned char *, int));
1324
+void kerberos5_reply P((Authenticator *, unsigned char *, int));
1325
+int kerberos5_status P((Authenticator *, char *, int));
1326
+void kerberos5_printsub P((unsigned char *, int, unsigned char *, int));
1330
+int sra_init P((Authenticator *, int));
1331
+int sra_send P((Authenticator *));
1332
+void sra_is P((Authenticator *, unsigned char *, int));
1333
+void sra_reply P((Authenticator *, unsigned char *, int));
1334
+int sra_status P((Authenticator *, char *, int));
1335
+void sra_printsub P((unsigned char *, int, unsigned char *, int));
1339
+int auth_ssl_init P((Authenticator *, int));
1340
+int auth_ssl_send P((Authenticator *));
1341
+void auth_ssl_is P((Authenticator *, unsigned char *, int));
1342
+void auth_ssl_reply P((Authenticator *, unsigned char *, int));
1343
+int auth_ssl_status P((Authenticator *, char *, int));
1344
+void auth_ssl_printsub P((unsigned char *, int, unsigned char *, int));
1345
+#endif /* USE_SSL */
1351
diff -Naur netkit-telnet-0.17/libtelnet/enc-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/enc-proto.h
1352
--- netkit-telnet-0.17/libtelnet/enc-proto.h 1970-01-01 01:00:00.000000000 +0100
1353
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/enc-proto.h 2004-05-27 11:47:26.000000000 +0200
1356
+ * Copyright (c) 1991 The Regents of the University of California.
1357
+ * All rights reserved.
1359
+ * Redistribution and use in source and binary forms, with or without
1360
+ * modification, are permitted provided that the following conditions
1362
+ * 1. Redistributions of source code must retain the above copyright
1363
+ * notice, this list of conditions and the following disclaimer.
1364
+ * 2. Redistributions in binary form must reproduce the above copyright
1365
+ * notice, this list of conditions and the following disclaimer in the
1366
+ * documentation and/or other materials provided with the distribution.
1367
+ * 3. All advertising materials mentioning features or use of this software
1368
+ * must display the following acknowledgement:
1369
+ * This product includes software developed by the University of
1370
+ * California, Berkeley and its contributors.
1371
+ * 4. Neither the name of the University nor the names of its contributors
1372
+ * may be used to endorse or promote products derived from this software
1373
+ * without specific prior written permission.
1375
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1376
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1377
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1378
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1379
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1380
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1381
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1382
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1383
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1384
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1387
+ * @(#)enc-proto.h 5.2 (Berkeley) 3/22/91
1391
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
1393
+ * Export of this software from the United States of America is assumed
1394
+ * to require a specific license from the United States Government.
1395
+ * It is the responsibility of any person or organization contemplating
1396
+ * export to obtain such a license before exporting.
1398
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1399
+ * distribute this software and its documentation for any purpose and
1400
+ * without fee is hereby granted, provided that the above copyright
1401
+ * notice appear in all copies and that both that copyright notice and
1402
+ * this permission notice appear in supporting documentation, and that
1403
+ * the name of M.I.T. not be used in advertising or publicity pertaining
1404
+ * to distribution of the software without specific, written prior
1405
+ * permission. M.I.T. makes no representations about the suitability of
1406
+ * this software for any purpose. It is provided "as is" without express
1407
+ * or implied warranty.
1417
+#if defined(ENCRYPT)
1418
+void encrypt_init P((char *, int));
1419
+Encryptions *findencryption P((int));
1420
+void encrypt_send_supprt P((void));
1421
+void encrypt_auto P((int));
1422
+void decrypt_auto P((int));
1423
+void encrypt_is P((unsigned char *, int));
1424
+void encrypt_reply P((unsigned char *, int));
1425
+void encrypt_start_input P((int));
1426
+void encrypt_session_key P((Session_Key *, int));
1427
+void encrypt_end_input P((void));
1428
+void encrypt_start_output P((int));
1429
+void encrypt_end_output P((void));
1430
+void encrypt_send_request_start P((void));
1431
+void encrypt_send_request_end P((void));
1432
+void encrypt_send_end P((void));
1433
+void encrypt_wait P((void));
1434
+void encrypt_send_support P((void));
1435
+void encrypt_send_keyid P((int, unsigned char *, int, int));
1436
+int writenet P((unsigned char *, int));
1439
+void encrypt_wait P((void));
1441
+int encrypt_cmd P((int, char **));
1442
+void encrypt_display P((void));
1445
+void cfb64_encrypt P((unsigned char *, int));
1446
+int cfb64_decrypt P((int));
1447
+void cfb64_init P((int));
1448
+int cfb64_start P((int, int));
1449
+int cfb64_is P((unsigned char *, int));
1450
+int cfb64_reply P((unsigned char *, int));
1451
+void cfb64_session P((Session_Key *, int));
1452
+int cfb64_keyid P((int, unsigned char *, int *));
1453
+void cfb64_printsub P((unsigned char *, int, unsigned char *, int));
1455
+void ofb64_encrypt P((unsigned char *, int));
1456
+int ofb64_decrypt P((int));
1457
+void ofb64_init P((int));
1458
+int ofb64_start P((int, int));
1459
+int ofb64_is P((unsigned char *, int));
1460
+int ofb64_reply P((unsigned char *, int));
1461
+void ofb64_session P((Session_Key *, int));
1462
+int ofb64_keyid P((int, unsigned char *, int *));
1463
+void ofb64_printsub P((unsigned char *, int, unsigned char *, int));
1466
diff -Naur netkit-telnet-0.17/libtelnet/encrypt.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/encrypt.h
1467
--- netkit-telnet-0.17/libtelnet/encrypt.h 1970-01-01 01:00:00.000000000 +0100
1468
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/encrypt.h 2004-05-27 11:47:26.000000000 +0200
1471
+ * Copyright (c) 1991 The Regents of the University of California.
1472
+ * All rights reserved.
1474
+ * Redistribution and use in source and binary forms, with or without
1475
+ * modification, are permitted provided that the following conditions
1477
+ * 1. Redistributions of source code must retain the above copyright
1478
+ * notice, this list of conditions and the following disclaimer.
1479
+ * 2. Redistributions in binary form must reproduce the above copyright
1480
+ * notice, this list of conditions and the following disclaimer in the
1481
+ * documentation and/or other materials provided with the distribution.
1482
+ * 3. All advertising materials mentioning features or use of this software
1483
+ * must display the following acknowledgement:
1484
+ * This product includes software developed by the University of
1485
+ * California, Berkeley and its contributors.
1486
+ * 4. Neither the name of the University nor the names of its contributors
1487
+ * may be used to endorse or promote products derived from this software
1488
+ * without specific prior written permission.
1490
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1491
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1492
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1493
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1494
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1495
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1496
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1497
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1498
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1499
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1502
+ * @(#)encrypt.h 5.2 (Berkeley) 3/22/91
1506
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
1508
+ * Export of this software from the United States of America is assumed
1509
+ * to require a specific license from the United States Government.
1510
+ * It is the responsibility of any person or organization contemplating
1511
+ * export to obtain such a license before exporting.
1513
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1514
+ * distribute this software and its documentation for any purpose and
1515
+ * without fee is hereby granted, provided that the above copyright
1516
+ * notice appear in all copies and that both that copyright notice and
1517
+ * this permission notice appear in supporting documentation, and that
1518
+ * the name of M.I.T. not be used in advertising or publicity pertaining
1519
+ * to distribution of the software without specific, written prior
1520
+ * permission. M.I.T. makes no representations about the suitability of
1521
+ * this software for any purpose. It is provided "as is" without express
1522
+ * or implied warranty.
1525
+#ifndef __ENCRYPT__
1526
+#define __ENCRYPT__
1528
+#define DIR_DECRYPT 1
1529
+#define DIR_ENCRYPT 2
1531
+typedef unsigned char Block[8];
1532
+typedef unsigned char *BlockT;
1533
+typedef struct { Block _; } Schedule[16];
1535
+#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | \
1536
+ key[4] | key[5] | key[6] | key[7])
1538
+#define SAMEKEY(k1, k2) (!bcmp((void *)k1, (void *)k2, sizeof(Block)))
1543
+ unsigned char *data;
1557
+ void (*output) P((unsigned char *, int));
1558
+ int (*input) P((int));
1559
+ void (*init) P((int));
1560
+ int (*start) P((int, int));
1561
+ int (*is) P((unsigned char *, int));
1562
+ int (*reply) P((unsigned char *, int));
1563
+ void (*session) P((Session_Key *, int));
1564
+ int (*keyid) P((int, unsigned char *, int *));
1565
+ void (*printsub) P((unsigned char *, int, unsigned char *, int));
1568
+#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
1570
+#include "enc-proto.h"
1572
+extern int encrypt_debug_mode;
1573
+extern int (*decrypt_input) P((int));
1574
+extern void (*encrypt_output) P((unsigned char *, int));
1576
diff -Naur netkit-telnet-0.17/libtelnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile
1577
--- netkit-telnet-0.17/libtelnet/Makefile 1970-01-01 01:00:00.000000000 +0100
1578
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile 2004-05-27 11:47:25.000000000 +0200
1585
+OBJS= auth.o misc.o ssl.o sslapp.o
1587
+CFLAGS += -DAUTHENTICATE -DUSE_SSL -I/usr/include/openssl -I.
1589
+lib${LIB}.a: ${OBJS}
1590
+ echo building standard ${LIB} library
1592
+ ar cq lib${LIB}.a ${OBJS}; \
1593
+ if [ -f /usr/bin/ranlib ]; then \
1594
+ ranlib lib${LIB}.a; \
1598
+ rm -f *.o lib${LIB}.a
1599
diff -Naur netkit-telnet-0.17/libtelnet/misc.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c
1600
--- netkit-telnet-0.17/libtelnet/misc.c 1970-01-01 01:00:00.000000000 +0100
1601
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c 2004-05-27 11:47:26.000000000 +0200
1604
+ * Copyright (c) 1991 The Regents of the University of California.
1605
+ * All rights reserved.
1607
+ * Redistribution and use in source and binary forms, with or without
1608
+ * modification, are permitted provided that the following conditions
1610
+ * 1. Redistributions of source code must retain the above copyright
1611
+ * notice, this list of conditions and the following disclaimer.
1612
+ * 2. Redistributions in binary form must reproduce the above copyright
1613
+ * notice, this list of conditions and the following disclaimer in the
1614
+ * documentation and/or other materials provided with the distribution.
1615
+ * 3. All advertising materials mentioning features or use of this software
1616
+ * must display the following acknowledgement:
1617
+ * This product includes software developed by the University of
1618
+ * California, Berkeley and its contributors.
1619
+ * 4. Neither the name of the University nor the names of its contributors
1620
+ * may be used to endorse or promote products derived from this software
1621
+ * without specific prior written permission.
1623
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1624
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1625
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1626
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1627
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1628
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1629
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1630
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1631
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1632
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1637
+static char sccsid[] = "@(#)misc.c 5.1 (Berkeley) 2/28/91";
1638
+#endif /* not lint */
1641
+ * Copyright (c) 1988, 1990 Regents of the University of California.
1642
+ * All rights reserved.
1644
+ * Redistribution and use in source and binary forms are permitted provided
1645
+ * that: (1) source distributions retain this entire copyright notice and
1646
+ * comment, and (2) distributions including binaries display the following
1647
+ * acknowledgement: ``This product includes software developed by the
1648
+ * University of California, Berkeley and its contributors'' in the
1649
+ * documentation or other materials provided with the distribution and in
1650
+ * all advertising materials mentioning features or use of this software.
1651
+ * Neither the name of the University nor the names of its contributors may
1652
+ * be used to endorse or promote products derived from this software without
1653
+ * specific prior written permission.
1654
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
1655
+ * WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
1656
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
1661
+char *RemoteHostName;
1662
+char *LocalHostName;
1663
+char *UserNameRequested = 0;
1664
+int ConnectedCount = 0;
1667
+auth_encrypt_init(local, remote, name, server)
1673
+ RemoteHostName = remote;
1674
+ LocalHostName = local;
1675
+#if defined(AUTHENTICATE)
1676
+ auth_init(name, server);
1678
+#if defined(ENCRYPT)
1679
+ encrypt_init(name, server);
1681
+ if (UserNameRequested) {
1682
+ free(UserNameRequested);
1683
+ UserNameRequested = 0;
1688
+auth_encrypt_user(name)
1691
+ extern char *strdup();
1693
+ if (UserNameRequested)
1694
+ free(UserNameRequested);
1695
+ UserNameRequested = name ? strdup(name) : 0;
1699
+auth_encrypt_connect(cnt)
1706
+ unsigned char *data;
1711
+ while (cnt-- > 0) {
1712
+ printf(" %02x", *data);
1716
diff -Naur netkit-telnet-0.17/libtelnet/misc.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.h
1717
--- netkit-telnet-0.17/libtelnet/misc.h 1970-01-01 01:00:00.000000000 +0100
1718
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.h 2004-05-27 11:47:26.000000000 +0200
1721
+ * Copyright (c) 1991 The Regents of the University of California.
1722
+ * All rights reserved.
1724
+ * Redistribution and use in source and binary forms, with or without
1725
+ * modification, are permitted provided that the following conditions
1727
+ * 1. Redistributions of source code must retain the above copyright
1728
+ * notice, this list of conditions and the following disclaimer.
1729
+ * 2. Redistributions in binary form must reproduce the above copyright
1730
+ * notice, this list of conditions and the following disclaimer in the
1731
+ * documentation and/or other materials provided with the distribution.
1732
+ * 3. All advertising materials mentioning features or use of this software
1733
+ * must display the following acknowledgement:
1734
+ * This product includes software developed by the University of
1735
+ * California, Berkeley and its contributors.
1736
+ * 4. Neither the name of the University nor the names of its contributors
1737
+ * may be used to endorse or promote products derived from this software
1738
+ * without specific prior written permission.
1740
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1741
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1742
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1743
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1744
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1745
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1746
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1747
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1748
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1749
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1752
+ * @(#)misc.h 5.1 (Berkeley) 2/28/91
1755
+extern char *UserNameRequested;
1756
+extern char *LocalHostName;
1757
+extern char *RemoteHostName;
1758
+extern int ConnectedCount;
1759
+extern int ReservedPort;
1761
+#include "misc-proto.h"
1762
diff -Naur netkit-telnet-0.17/libtelnet/misc-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h
1763
--- netkit-telnet-0.17/libtelnet/misc-proto.h 1970-01-01 01:00:00.000000000 +0100
1764
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h 2004-05-27 11:47:26.000000000 +0200
1767
+ * Copyright (c) 1991 The Regents of the University of California.
1768
+ * All rights reserved.
1770
+ * Redistribution and use in source and binary forms, with or without
1771
+ * modification, are permitted provided that the following conditions
1773
+ * 1. Redistributions of source code must retain the above copyright
1774
+ * notice, this list of conditions and the following disclaimer.
1775
+ * 2. Redistributions in binary form must reproduce the above copyright
1776
+ * notice, this list of conditions and the following disclaimer in the
1777
+ * documentation and/or other materials provided with the distribution.
1778
+ * 3. All advertising materials mentioning features or use of this software
1779
+ * must display the following acknowledgement:
1780
+ * This product includes software developed by the University of
1781
+ * California, Berkeley and its contributors.
1782
+ * 4. Neither the name of the University nor the names of its contributors
1783
+ * may be used to endorse or promote products derived from this software
1784
+ * without specific prior written permission.
1786
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
1787
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
1788
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
1789
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
1790
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
1791
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
1792
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
1793
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
1794
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
1795
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1798
+ * @(#)misc-proto.h 5.1 (Berkeley) 2/28/91
1802
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
1804
+ * Export of this software from the United States of America is assumed
1805
+ * to require a specific license from the United States Government.
1806
+ * It is the responsibility of any person or organization contemplating
1807
+ * export to obtain such a license before exporting.
1809
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
1810
+ * distribute this software and its documentation for any purpose and
1811
+ * without fee is hereby granted, provided that the above copyright
1812
+ * notice appear in all copies and that both that copyright notice and
1813
+ * this permission notice appear in supporting documentation, and that
1814
+ * the name of M.I.T. not be used in advertising or publicity pertaining
1815
+ * to distribution of the software without specific, written prior
1816
+ * permission. M.I.T. makes no representations about the suitability of
1817
+ * this software for any purpose. It is provided "as is" without express
1818
+ * or implied warranty.
1821
+#ifndef __MISC_PROTO__
1822
+#define __MISC_PROTO__
1836
+void auth_encrypt_init P((char *, char *, char *, int));
1837
+void auth_encrypt_connect P((int));
1838
+void auth_encrypt_user P((const char *name));
1839
+void printd P((unsigned char *, int));
1842
+ * These functions are imported from the application
1844
+/*int writenet P((unsigned char *, int));*/
1845
+void net_encrypt P((void));
1846
+int telnet_spin P((void));
1847
+char *telnet_getenv P((char *));
1848
+char *telnet_gets P((char *, char *, int, int));
1855
diff -Naur netkit-telnet-0.17/libtelnet/sslapp.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.c
1856
--- netkit-telnet-0.17/libtelnet/sslapp.c 1970-01-01 01:00:00.000000000 +0100
1857
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.c 2004-05-27 11:47:26.000000000 +0200
1859
+/* sslapp.c - ssl application code */
1862
+ * The modifications to support SSLeay were done by Tim Hudson
1863
+ * tjh@cryptsoft.com
1865
+ * You can do whatever you like with these patches except pretend that
1868
+ * Email ssl-users-request@mincom.oz.au to get instructions on how to
1869
+ * join the mailing list that discusses SSLeay and also these patches.
1875
+#include "sslapp.h"
1878
+#define SSL_set_pref_cipher(c,n) SSL_set_cipher_list(c,n)
1883
+int ssl_debug_flag=0;
1884
+int ssl_only_flag=0;
1885
+int ssl_active_flag=0;
1886
+int ssl_verify_flag=SSL_VERIFY_NONE;
1887
+int ssl_secure_flag=0;
1888
+int ssl_certsok_flag=0;
1889
+int ssl_cert_required=0;
1890
+int ssl_verbose_flag=0;
1891
+int ssl_disabled_flag=0;
1892
+char *ssl_cert_file=NULL;
1893
+char *ssl_key_file=NULL;
1894
+char *ssl_cipher_list=NULL;
1895
+char *ssl_log_file=NULL;
1898
+static void client_info_callback();
1900
+int do_ssleay_init(int server)
1902
+ /* make sure we have somewhere we can log errors to */
1903
+ if (bio_err==NULL) {
1904
+ if ((bio_err=BIO_new(BIO_s_file()))!=NULL) {
1905
+ if (ssl_log_file==NULL)
1906
+ BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
1908
+ if (BIO_write_filename(bio_err,ssl_log_file)<=0) {
1909
+ /* not a lot we can do */
1915
+ /* rather simple things these days ... the old SSL_LOG and SSL_ERR
1916
+ * vars are long gone now SSLeay8 has rolled around and we have
1917
+ * a clean interface for doing things
1919
+ if (ssl_debug_flag)
1920
+ BIO_printf(bio_err,"SSL_DEBUG_FLAG on\r\n");
1923
+ /* init things so we will get meaningful error messages
1924
+ * rather than numbers
1926
+ SSL_load_error_strings();
1929
+ SSLeay_add_ssl_algorithms();
1931
+ /* we may require a temp 512 bit RSA key because of the
1932
+ * wonderful way export things work ... if so we generate
1936
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_method());
1937
+ if (SSL_CTX_need_tmp_RSA(ssl_ctx)) {
1940
+ if (ssl_debug_flag)
1941
+ BIO_printf(bio_err,"Generating temp (512 bit) RSA key ...\r\n");
1942
+ rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
1943
+ if (ssl_debug_flag)
1944
+ BIO_printf(bio_err,"Generation of temp (512 bit) RSA key done\r\n");
1946
+ if (!SSL_CTX_set_tmp_rsa(ssl_ctx,rsa)) {
1947
+ BIO_printf(bio_err,"Failed to assign generated temp RSA key!\r\n");
1950
+ if (ssl_debug_flag)
1951
+ BIO_printf(bio_err,"Assigned temp (512 bit) RSA key\r\n");
1954
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new(SSLv23_client_method());
1958
+ /* also switch on all the interoperability and bug
1959
+ * workarounds so that we will communicate with people
1960
+ * that cannot read poorly written specs :-)
1962
+ SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL);
1964
+#else /* !SSLEAY8 */
1965
+ ssl_ctx=(SSL_CTX *)SSL_CTX_new();
1966
+#endif /* SSLEAY8 */
1968
+ ssl_con=(SSL *)SSL_new(ssl_ctx);
1970
+ SSL_set_verify(ssl_con,ssl_verify_flag,NULL);
1973
+ if (ssl_cipher_list==NULL)
1974
+ SSL_set_pref_cipher(ssl_con,getenv("SSL_CIPHER"));
1976
+ SSL_set_pref_cipher(ssl_con,ssl_cipher_list);
1979
+ /* for verbose we use the 0.6.x info callback that I got
1980
+ * eric to finally add into the code :-) --tjh
1982
+ if (ssl_verbose_flag) {
1983
+ SSL_CTX_set_info_callback(ssl_ctx,client_info_callback);
1986
+ /* Add in any certificates if you want to here ... */
1987
+ if (ssl_cert_file) {
1988
+ if (!SSL_use_certificate_file(ssl_con, ssl_cert_file,
1989
+ X509_FILETYPE_PEM)) {
1990
+ BIO_printf(bio_err,"Error loading %s: ",ssl_cert_file);
1991
+ ERR_print_errors(bio_err);
1992
+ BIO_printf(bio_err,"\r\n");
1995
+ if (!ssl_key_file)
1996
+ ssl_key_file = ssl_cert_file;
1997
+ if (!SSL_use_RSAPrivateKey_file(ssl_con, ssl_key_file,
1998
+ X509_FILETYPE_PEM)) {
1999
+ BIO_printf(bio_err,"Error loading %s: ",ssl_key_file);
2000
+ ERR_print_errors(bio_err);
2001
+ BIO_printf(bio_err,"\r\n");
2007
+ /* make sure we will find certificates in the standard
2008
+ * location ... otherwise we don't look anywhere for
2009
+ * these things which is going to make client certificate
2010
+ * exchange rather useless :-)
2013
+ SSL_CTX_set_default_verify_paths(ssl_ctx);
2015
+ SSL_set_default_verify_paths(ssl_ctx);
2018
+ SSL_set_verify(ssl_con,ssl_verify_flag,client_verify_callback);
2024
+static void client_info_callback(s,where,ret)
2029
+ if (where==SSL_CB_CONNECT_LOOP) {
2030
+ BIO_printf(bio_err,"SSL_connect:%s %s\r\n",
2031
+ SSL_state_string(s),SSL_state_string_long(s));
2032
+ } else if (where==SSL_CB_CONNECT_EXIT) {
2034
+ BIO_printf(bio_err,"SSL_connect:failed in %s %s\r\n",
2035
+ SSL_state_string(s),SSL_state_string_long(s));
2036
+ } else if (ret < 0) {
2037
+ BIO_printf(bio_err,"SSL_connect:error in %s %s\r\n",
2038
+ SSL_state_string(s),SSL_state_string_long(s));
2044
+#else /* !USE_SSL */
2046
+static void dummy_func()
2053
+#endif /* USE_SSL */
2055
diff -Naur netkit-telnet-0.17/libtelnet/sslapp.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h
2056
--- netkit-telnet-0.17/libtelnet/sslapp.h 1970-01-01 01:00:00.000000000 +0100
2057
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h 2004-05-27 11:47:26.000000000 +0200
2059
+/* sslapp.h - ssl application code */
2062
+ * The modifications to support SSLeay were done by Tim Hudson
2063
+ * tjh@cryptsoft.com
2065
+ * You can do whatever you like with these patches except pretend that
2068
+ * Email ssl-users-request@mincom.oz.au to get instructions on how to
2069
+ * join the mailing list that discusses SSLeay and also these patches.
2081
+#include "crypto.h"
2083
+#if SSLEAY_VERSION_NUMBER >= 0x0800
2088
+#define ONELINE_NAME(X) X509_NAME_oneline(X,NULL,0)
2090
+#define ONELINE_NAME(X) X509_NAME_oneline(X)
2094
+#define OLDPROTO NOPROTO
2098
+#define NOPROTO OLDPROTO
2101
+#include "buffer.h"
2105
+#define OLDPROTO NOPROTO
2109
+#define NOPROTO OLDPROTO
2112
+extern BIO *bio_err;
2113
+extern SSL *ssl_con;
2114
+extern SSL_CTX *ssl_ctx;
2115
+extern int ssl_debug_flag;
2116
+extern int ssl_only_flag;
2117
+extern int ssl_active_flag;
2118
+extern int ssl_verify_flag;
2119
+extern int ssl_secure_flag;
2120
+extern int ssl_verbose_flag;
2121
+extern int ssl_disabled_flag;
2122
+extern int ssl_cert_required;
2123
+extern int ssl_certsok_flag;
2125
+extern char *ssl_log_file;
2126
+extern char *ssl_cert_file;
2127
+extern char *ssl_key_file;
2128
+extern char *ssl_cipher_list;
2130
+/* we hide all the initialisation code in a separate file now */
2131
+extern int do_ssleay_init(int server);
2133
+extern int display_connect_details(SSL *ssl_con, int verbose);
2134
+extern int server_verify_callback();
2135
+extern int client_verify_callback();
2141
+#endif /* USE_SSL */
2144
diff -Naur netkit-telnet-0.17/libtelnet/ssl.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c
2145
--- netkit-telnet-0.17/libtelnet/ssl.c 1970-01-01 01:00:00.000000000 +0100
2146
+++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c 2004-05-27 11:47:26.000000000 +0200
2150
+ * The modifications to support SSLeay were done by Tim Hudson
2151
+ * tjh@mincom.oz.au
2153
+ * You can do whatever you like with these patches except pretend that
2156
+ * Email ssl-users-request@mincom.oz.au to get instructions on how to
2157
+ * join the mailing list that discusses SSLeay and also these patches.
2161
+/* ssl.c - interface to Eric Young's SSLeay library (eay@mincom.oz.au)
2163
+ * see LICENSE for details
2165
+ * xx-Aug-96 tjh reworked the client certificate stuff into a form
2166
+ * ................ where it is useful with SSLeay-0.6.x which changed
2167
+ * ................ lots of things in the handling of the verify function
2168
+ * 01-Jul-95 tjh merged patches from Steven Schoch
2169
+ * ................ <schoch@sheba.arc.nasa.gov> that add in the certsok
2170
+ * ................ option for using signed certificates rather than
2171
+ * ................ explicit passwords for authentication (modified a little
2172
+ * ................ to add in an option that controls this feature)
2173
+ * 26-Apr-95 tjh original coding
2175
+ * tjh@mincom.oz.au
2185
+#include <sys/types.h>
2186
+#include "arpa/telnet.h"
2189
+#include <stdlib.h>
2192
+#include <strings.h>
2194
+#include <string.h>
2200
+#include "crypto.h"
2202
+#if SSLEAY_VERSION_NUMBER >= 0x0800
2207
+#define ONELINE_NAME(X) X509_NAME_oneline(X,NULL,0)
2209
+#define ONELINE_NAME(X) X509_NAME_oneline(X)
2215
+#include "buffer.h"
2220
+/* quick translation ... */
2221
+#ifndef VERIFY_ERR_UNABLE_TO_GET_ISSUER
2222
+#define VERIFY_ERR_UNABLE_TO_GET_ISSUER X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
2224
+#ifndef VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
2225
+#define VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
2228
+#define VERIFY_OK X509_V_OK
2230
+#ifndef VERIFY_ERR_UNABLE_TO_GET_ISSUER
2231
+#define VERIFY_ERR_UNABLE_TO_GET_ISSUER X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
2234
+/* need to think about this mapping in terms of what the real
2235
+ * equivalent of this actually is
2237
+#ifndef VERIFY_ROOT_OK
2238
+#define VERIFY_ROOT_OK VERIFY_OK
2241
+extern int auth_debug_mode;
2242
+static auth_ssl_valid = 0;
2243
+static char *auth_ssl_name = 0; /* this holds the oneline name */
2245
+extern BIO *bio_err;
2246
+extern int ssl_only_flag;
2247
+extern int ssl_debug_flag;
2248
+extern int ssl_active_flag;
2249
+extern int ssl_secure_flag;
2250
+extern int ssl_verify_flag;
2251
+extern int ssl_certsok_flag; /* if this is set then we enable the
2252
+ * /etc/ssl.users stuff for allowing
2253
+ * access - just to make sure we don't
2254
+ * switch it on unless we really want it
2256
+extern int ssl_cert_required; /* client certificate is mandatory! */
2258
+extern int ssl_verbose_flag;
2259
+extern int ssl_disabled_flag;
2261
+int server_verify_callback();
2262
+int client_verify_callback();
2264
+extern SSL *ssl_con;
2266
+#include "buffer.h"
2270
+/* compile this set to 1 to negotiate SSL but not actually start it */
2271
+static int ssl_dummy_flag=0;
2273
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
2276
+#define AUTH_SSL_START 1
2277
+#define AUTH_SSL_ACCEPT 2
2278
+#define AUTH_SSL_REJECT 3
2281
+/* this is called by both the ssl.c auth connect and the mainline
2282
+ * telnet connect if we are talking straight ssl with no telnet
2286
+display_connect_details(ssl_con,verbose)
2291
+ char *cipher_list;
2293
+ if (ssl_active_flag && verbose) {
2299
+ /* grab the full list of ciphers */
2302
+ while((p=SSL_get_cipher_list(ssl_con,i++))!=NULL) {
2308
+#else /* !SSLEAY8 */
2309
+ cipher_list=SSL_get_cipher(ssl_con);
2310
+#endif /* !SSLEAY8 */
2312
+ /* the cipher list *can* be NULL ... useless but it happens! */
2313
+ if (cipher_list==NULL)
2314
+ cipher_list="<NULL>";
2315
+ fprintf(stderr,"[SSL cipher=%s]\r\n",cipher_list);
2316
+ peer=SSL_get_peer_certificate(ssl_con);
2317
+ if (peer != NULL) {
2320
+ str=ONELINE_NAME(X509_get_subject_name(peer));
2321
+ fprintf(stderr,"[SSL subject=%s]\r\n",str);
2323
+ str=ONELINE_NAME(X509_get_issuer_name(peer));
2324
+ fprintf(stderr,"[SSL issuer=%s]\r\n",str);
2335
+fprintd(fp, data, cnt)
2337
+ unsigned char *data;
2342
+ while (cnt-- > 0) {
2343
+ fprintf(fp," %02x", *data);
2348
+/* support routine to send out authentication message */
2349
+static int Data(ap, type, d, c)
2355
+ unsigned char *p = str_data + 4;
2356
+ unsigned char *cd = (unsigned char *)d;
2359
+ c = strlen((char *)cd);
2361
+ if (auth_debug_mode) {
2362
+ fprintf(stderr,"%s:%d: [%d] (%d)",
2363
+ str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
2366
+ fprintd(stderr,d, c);
2367
+ fprintf(stderr,"\r\n");
2373
+ if ((*p++ = *cd++) == IAC)
2378
+ if (str_data[3] == TELQUAL_IS)
2379
+ printsub('>', &str_data[2], p - (&str_data[2]));
2380
+ return(writenet(str_data, p - str_data));
2383
+int auth_ssl_init(ap, server)
2387
+ /* ssl only option skips all of this muck ... */
2388
+ if (ssl_only_flag || ssl_disabled_flag) {
2392
+ SSL_load_error_strings();
2394
+ /* SSLeay-0.6 introduces the BIO stuff ... which we need for
2395
+ * all the error reporting things!
2397
+ if (bio_err == NULL)
2398
+ if ((bio_err=BIO_new(BIO_s_file())) != NULL)
2399
+ BIO_set_fp(bio_err,stderr,BIO_NOCLOSE);
2402
+ str_data[3] = TELQUAL_REPLY;
2404
+ str_data[3] = TELQUAL_IS;
2408
+/* client received a go-ahead for ssl */
2409
+int auth_ssl_send(ap)
2412
+ fprintf(stderr,"[SSL - attempting to switch on SSL]\r\n");
2415
+ if (!Data(ap, AUTH_SSL_START, NULL, 0 )) {
2416
+ if (auth_debug_mode)
2417
+ fprintf(stderr,"Not enough room for start data\r\n");
2424
+/* server received an IS -- could (only) be SSL START */
2425
+void auth_ssl_is(ap, data, cnt)
2427
+unsigned char *data;
2434
+ switch (*data++) {
2436
+ case AUTH_SSL_START:
2437
+ Data(ap, AUTH_SSL_ACCEPT, (void *)0, 0);
2440
+ auth_ssl_valid = 1;
2441
+ auth_finished(ap, AUTH_VALID);
2443
+ /* server starts the SSL stuff now ... */
2444
+ if (ssl_dummy_flag)
2447
+ if (!ssl_only_flag) {
2448
+ /* only want/need verify if doing certsok stuff */
2449
+ if (ssl_certsok_flag||ssl_cert_required)
2450
+ SSL_set_verify(ssl_con,ssl_verify_flag,server_verify_callback);
2451
+ if (!SSL_accept(ssl_con)) {
2454
+ syslog(LOG_WARNING, "ssl_accept error");
2457
+ fprintf(stderr,"[SSL - SSL_accept error]\r\n");
2460
+ SSL_free(ssl_con);
2462
+ auth_finished(ap, AUTH_REJECT);
2466
+ ssl_active_flag=1;
2469
+ /* now check to see that we got exactly what we
2470
+ * wanted from the caller ... if a certificate is
2471
+ * required then we make 100% sure that we were
2472
+ * given on during the handshake (as it is an optional
2475
+ if ( ssl_cert_required ) {
2476
+ if (SSL_get_peer_certificate(ssl_con)==NULL) {
2478
+ if (ssl_debug_flag) {
2479
+ fprintf(stderr,"[SSL - peer check failed]\r\n");
2483
+ /* LOGGING REQUIRED HERE! */
2484
+ SSL_free(ssl_con);
2485
+ auth_finished(ap, AUTH_REJECT);
2493
+ fprintf(stderr,"[SSL - failed to switch on SSL]\r\n");
2496
+ if (auth_debug_mode) {
2497
+ fprintf(stderr,"Unknown SSL option %d\r\n", data[-1]);
2498
+ fprintf(stderr,"[SSL - negotiation failed]\r\n");
2500
+ Data(ap, AUTH_SSL_REJECT, (void *)0, 0);
2502
+ auth_ssl_valid = 0;
2503
+ auth_finished(ap, AUTH_REJECT);
2508
+/* client received REPLY -- could be SSL ACCEPT or REJECT */
2509
+void auth_ssl_reply(ap, data, cnt)
2511
+unsigned char *data;
2519
+ switch (*data++) {
2521
+ case AUTH_SSL_ACCEPT:
2522
+ if (auth_debug_mode)
2523
+ fprintf(stderr,"SSL ACCEPT\r\n");
2524
+ fprintf(stderr,"[SSL - handshake starting]\r\n");
2526
+ auth_finished(ap, AUTH_VALID);
2528
+ if (ssl_dummy_flag) {
2529
+ fprintf(stderr,"[SSL - Dummy Connected]\r\n");
2534
+ /* right ... now we drop into the SSL library */
2535
+ if (!ssl_only_flag) {
2536
+ SSL_set_verify(ssl_con,ssl_verify_flag,
2537
+ client_verify_callback);
2538
+ if ((status = SSL_connect(ssl_con)) <= 0) {
2539
+ fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status);
2542
+ perror("telnet: Unable to ssl_connect to remote host");
2544
+ ERR_print_errors(bio_err);
2546
+ /* don't know what I "should" be doing here ... */
2548
+ auth_finished(0,AUTH_REJECT);
2552
+ fprintf(stderr,"[SSL - OK]\r\n");
2555
+ ssl_active_flag=1;
2556
+ display_connect_details(ssl_con,ssl_debug_flag);
2560
+ /* this is handy/required? */
2567
+ case AUTH_SSL_REJECT:
2568
+ if (auth_debug_mode)
2569
+ fprintf(stderr,"SSL REJECT\r\n");
2570
+ fprintf(stderr,"[SSL - failed to switch on SSL]\r\n");
2571
+ fprintf(stderr,"Trying plaintext login:\r\n");
2573
+ auth_finished(0,AUTH_REJECT);
2577
+ if (auth_debug_mode)
2578
+ fprintf(stderr,"Unknown SSL option %d\r\n", data[-1]);
2583
+int auth_ssl_status(ap, name, level)
2591
+ if (level < AUTH_USER)
2595
+ * Look our name up in /etc/ssl.users.
2596
+ * The format of this file is lines of this form:
2597
+ * user1,user2:/C=US/.....
2598
+ * where user1 and user2 are usernames
2600
+ if (ssl_certsok_flag) {
2601
+ user_fp = fopen("/etc/ssl.users", "r");
2602
+ if (!auth_ssl_name || !user_fp) {
2603
+ /* If we haven't received a certificate, then don't
2604
+ * return AUTH_VALID.
2606
+ if (UserNameRequested)
2607
+ strcpy(name, UserNameRequested);
2613
+ while (fgets(buf, sizeof buf, user_fp)) {
2617
+ /* allow for comments in the file ... always nice
2618
+ * to be able to add a little novel in files and
2619
+ * also disable entries easily --tjh
2624
+ if ((cp = strchr(buf, '\n')))
2626
+ cp = strchr(buf, ':');
2630
+ if (strcasecmp(cp, auth_ssl_name) == 0) {
2633
+ cp = strchr(n, ',');
2636
+ if (!UserNameRequested ||
2637
+ !strcmp(UserNameRequested, n)) {
2640
+ return(AUTH_VALID);
2647
+ return(AUTH_USER);
2649
+ return(AUTH_USER);
2653
+#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
2654
+#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
2656
+void auth_ssl_printsub(data, cnt, buf, buflen)
2657
+unsigned char *data, *buf;
2663
+ buf[buflen-1] = '\0'; /* make sure its NULL terminated */
2668
+ case AUTH_SSL_START:
2669
+ strncpy((char *)buf, " START ", buflen);
2672
+ case AUTH_SSL_REJECT: /* Rejected (reason might follow) */
2673
+ strncpy((char *)buf, " REJECT ", buflen);
2676
+ case AUTH_SSL_ACCEPT: /* Accepted (name might follow) */
2677
+ strncpy((char *)buf, " ACCEPT ", buflen);
2680
+ BUMP(buf, buflen);
2683
+ ADDC(buf, buflen, '"');
2684
+ for (i = 4; i < cnt; i++)
2685
+ ADDC(buf, buflen, data[i]);
2686
+ ADDC(buf, buflen, '"');
2687
+ ADDC(buf, buflen, '\0');
2691
+ sprintf(lbuf, " %d (unknown)", data[3]);
2692
+ strncpy((char *)buf, lbuf, buflen);
2694
+ BUMP(buf, buflen);
2695
+ for (i = 4; i < cnt; i++) {
2696
+ sprintf(lbuf, " %d", data[i]);
2697
+ strncpy((char *)buf, lbuf, buflen);
2698
+ BUMP(buf, buflen);
2707
+server_verify_callback(ok, ctx)
2709
+X509_STORE_CTX *ctx;
2710
+#else /* !SSLEAY8 */
2711
+server_verify_callback(ok, xs, xi, depth, error)
2715
+#endif /* SSLEAY8 */
2717
+ static char *saved_subject=NULL;
2719
+ char *subject, *issuer;
2724
+ depth=ctx->error_depth;
2726
+ xs=(char *)X509_STORE_CTX_get_current_cert(ctx);
2728
+#endif /* SSLEAY8 */
2731
+ if (ssl_debug_flag) {
2732
+ fprintf(stderr,"ssl:server_verify_callback:depth=%d ok=%d err=%d-%s\n",
2733
+ depth,ok,error,X509_cert_verify_error_string(error));
2736
+#endif /* LOCAL_DEBUG */
2738
+ subject=issuer=NULL;
2740
+ /* first thing is to have a meaningful name for the current
2741
+ * certificate that is being verified ... and if we cannot
2742
+ * determine that then something is seriously wrong!
2744
+ subject=(char *)ONELINE_NAME(X509_get_subject_name((X509 *)xs));
2745
+ if (subject==NULL) {
2746
+ if (ssl_debug_flag)
2747
+ ERR_print_errors(bio_err);
2751
+ issuer=(char *)ONELINE_NAME(X509_get_issuer_name((X509 *)xs));
2752
+ if (issuer==NULL) {
2753
+ if (ssl_debug_flag)
2754
+ ERR_print_errors(bio_err);
2759
+ /* save the name of the first level subject as this is
2760
+ * the name we want to use to match for a username in
2761
+ * /etc/ssl.users later ... but *only* if we pass the
2762
+ * full verification of the certificate chain
2765
+ /* clear things */
2766
+ if (saved_subject!=NULL) {
2767
+ free(saved_subject);
2768
+ saved_subject=NULL;
2770
+ if (auth_ssl_name!=NULL) {
2771
+ free(auth_ssl_name);
2772
+ auth_ssl_name=NULL;
2775
+ /* save the name if at least the first level is okay */
2777
+ saved_subject=strdup(subject);
2780
+ /* if the client is using a self signed certificate then
2781
+ * we need to decide if that is good enough for us to
2782
+ * accept ... it certainly isn't good enough for anything
2783
+ * that wants to use the certificate as it is basically
2784
+ * junk of no value in this context!
2786
+ if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
2787
+ if (ssl_cert_required) {
2788
+ /* make 100% sure that in secure mode we drop the
2789
+ * connection if the server does not have a
2790
+ * real certificate!
2792
+ if (ssl_debug_flag) {
2793
+ fprintf(stderr,"SSL: rejecting connection - self-signed cert\n");
2805
+ /* if we have any form of error in secure mode we reject the connection */
2806
+ if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) {
2807
+ if (ssl_cert_required) {
2808
+ if (ssl_debug_flag) {
2809
+ fprintf(stderr,"SSL: rejecting connection - ");
2810
+ if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
2811
+ fprintf(stderr,"unknown issuer: %s\n",issuer);
2813
+ ERR_print_errors(bio_err);
2820
+ /* be nice and display a lot more meaningful stuff
2821
+ * so that we know which issuer is unknown no matter
2822
+ * what the callers options are ...
2824
+ if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
2825
+ if (ssl_debug_flag) {
2826
+ fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
2832
+ /* if we got all the way to the top of the tree then
2833
+ * we *can* use this certificate for a username to
2834
+ * match ... in all other cases we must not!
2836
+ if ( (error==VERIFY_ROOT_OK) ) {
2837
+ auth_ssl_name = saved_subject;
2838
+ saved_subject = NULL;
2844
+ /* clean up things */
2845
+ if (subject!=NULL)
2855
+client_verify_callback(ok, ctx)
2857
+X509_STORE_CTX *ctx;
2858
+#else /* !SSLEAY8 */
2859
+client_verify_callback(ok, xs, xi, depth, error)
2863
+#endif /* SSLEAY8 */
2866
+ char *subject, *issuer;
2871
+ depth=ctx->error_depth;
2873
+ xs=(char *)X509_STORE_CTX_get_current_cert(ctx);
2875
+#endif /* SSLEAY8 */
2878
+ fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n",
2879
+ depth,ok,error,X509_cert_verify_error_string(error));
2881
+#endif /* LOCAL_DEBUG */
2883
+ subject=issuer=NULL;
2885
+ /* first thing is to have a meaningful name for the current
2886
+ * certificate that is being verified ... and if we cannot
2887
+ * determine that then something is seriously wrong!
2889
+ subject=(char *)ONELINE_NAME(X509_get_subject_name((X509 *)xs));
2890
+ if (subject==NULL) {
2891
+ ERR_print_errors(bio_err);
2895
+ issuer=(char *)ONELINE_NAME(X509_get_issuer_name((X509 *)xs));
2896
+ if (issuer==NULL) {
2897
+ ERR_print_errors(bio_err);
2902
+ /* if the user wants us to be chatty about things then this
2903
+ * is a good time to wizz the certificate chain past quickly :-)
2905
+ if (ssl_verbose_flag) {
2906
+ fprintf(stderr,"Certificate[%d] subject=%s\n",depth,subject);
2907
+ fprintf(stderr,"Certificate[%d] issuer =%s\n",depth,issuer);
2911
+ /* if the server is using a self signed certificate then
2912
+ * we need to decide if that is good enough for us to
2915
+ if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
2916
+ if (ssl_cert_required) {
2917
+ /* make 100% sure that in secure more we drop the
2918
+ * connection if the server does not have a
2919
+ * real certificate!
2921
+ fprintf(stderr,"SSL: rejecting connection - server has a self-signed certificate\n");
2924
+ /* sometimes it is really handy to be able to debug things
2925
+ * and still get a connection!
2927
+ if (ssl_debug_flag) {
2928
+ fprintf(stderr,"SSL: debug -> ignoring cert required!\n");
2941
+ /* if we have any form of error in secure mode we reject the connection */
2942
+ if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) {
2943
+ if (ssl_cert_required) {
2944
+ fprintf(stderr,"SSL: rejecting connection - ");
2945
+ if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
2946
+ fprintf(stderr,"unknown issuer: %s\n",issuer);
2948
+ ERR_print_errors(bio_err);
2954
+ /* be nice and display a lot more meaningful stuff
2955
+ * so that we know which issuer is unknown no matter
2956
+ * what the callers options are ...
2958
+ if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
2959
+ fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
2967
+ /* clean up things */
2968
+ if (subject!=NULL)
2976
+#endif /* USE_SSL */
2979
diff -Naur netkit-telnet-0.17/README.SSL netkit-telnet-ssl-0.17.24+0.1.orig/README.SSL
2980
--- netkit-telnet-0.17/README.SSL 1970-01-01 01:00:00.000000000 +0100
2981
+++ netkit-telnet-ssl-0.17.24+0.1.orig/README.SSL 2004-05-27 11:47:25.000000000 +0200
2983
+This is the telnet(d)-ssl package with encryption support.
2985
+It is derived from netkit-telnet(d) and is
2986
+patched with the SSL-enhancement of Tim Hudson <tjh@mincom.oz.au>,
2987
+which he did to the SRA-telnet sources.
2989
+These patches were done by:
2998
+Christoph.Martin@Uni-Mainz.DE
3000
+(Look at the VERSION file for details of contributors since the initial
3003
+You can do whatever you like with these patches except pretend that
3006
+This package uses the SSL-implementation which can be found in
3007
+ftp://ftp.psy.uq.oz.au/pub/Crypto/SSL/SSLeay-0.8.1.tar.gz
3009
+The SSLeay FAQ (which includes pointers to the porting documentation
3010
+and references to the other SSL-based applications) can be found at
3011
+http://www.psy.uq.oz.au/~ftp/Crypto
3014
+Test telnet like this:
3015
+ telnet -z ssl www.netscape.com https
3017
+ GET / HTTP/1.0 <RETURN><RETURN>
3018
+and you should get back the HTML for the Netscape home page
3020
+For installing put the path of telnetd in /etc/inetd.conf and send a
3021
+kill -HUP to inetd. (On SCO this is not working :( ). Then you have to
3022
+install at least the self-signed certificates
3024
+I assume that the following exist:
3026
+/usr/bin/ssl (all the SSLeay utilites)
3027
+/usr/lib/ssl (libcrypto.a and libssl.a)
3028
+/usr/include/ssl (required SSLeay header files)
3030
+/etc/ssl/certs PUBLIC keys
3031
+/etc/ssl/private PRIVATE keys
3033
+For telnetd you can operate using a self-signed certificate (this is the
3034
+easiest way of driving SSL as a "simple" stream encryption
3035
+library). To generate the required file you can either use
3036
+"make certificate" or do the following:
3038
+PATH=$PATH:/usr/bin/ssl
3040
+# SSLeay 0.8.1 supports a quick mechanism for generating
3041
+# "dummy" certificates
3043
+req -new -x509 -nodes -out telnetd.pem -keyout telnetd.pem
3044
+ln -s telnetd.pem `x509 -noout -hash < telnetd.pem`.0
3046
+Then *test* that verify likes the setup
3048
+verify /etc/ssl/certs/telnetd.pem
3050
+SSL bugs should be directed to ssl-bugs@mincom.oz.au
3051
+SSL comments/discussion should be directed to ssl-users@mincom.oz.au
3053
+If you email ssl-users-request@mincom.oz.au you will be emailed
3054
+instructions on how to interact with the majordomo varient that
3055
+is managing this list.
3057
+Email to ssleay@cryptsoft.com will get both Eric Young and Tim Hudson
3058
+if you are not sure which one of us a problem should be directed to.
3060
diff -Naur netkit-telnet-0.17/telnet/commands.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc
3061
--- netkit-telnet-0.17/telnet/commands.cc 2015-01-27 23:31:10.449546453 +0100
3062
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc 2004-05-27 11:47:26.000000000 +0200
3064
#include "ptrarray.h"
3065
#include "netlink.h"
3067
+#if defined(AUTHENTICATE)
3068
+#include <libtelnet/auth.h>
3069
+#include <libtelnet/misc.h>
3072
/* In Linux, this is an enum */
3073
#if defined(__linux__) || defined(IPPROTO_IP)
3074
#define HAS_IPPROTO_IP
3076
static int termdata; /* Print out terminal data flow */
3078
static int togglehelp(int);
3079
+#if defined(AUTHENTICATE)
3080
+extern int auth_togdebug(int);
3084
const char *name; /* name of toggle */
3085
@@ -672,13 +680,15 @@
3087
"send interrupt characters in urgent mode" },
3090
+#if defined(AUTHENTICATE)
3091
{ "autologin", "automatic sending of login and/or authentication info",
3093
"send login name and/or authentication information" },
3094
{ "authdebug", "Toggle authentication debugging",
3095
auth_togdebug, NULL,
3096
"print authentication debugging information" },
3099
{ "autoencrypt", "automatic encryption of data stream",
3100
EncryptAutoEnc, NULL,
3101
"automatically encrypt output" },
3102
@@ -1368,6 +1378,9 @@
3103
printf("Connection closed.\n");
3106
+#if defined(AUTHENTICATE)
3107
+ auth_encrypt_connect(connected);
3112
@@ -1493,6 +1506,79 @@
3113
* auth disable Disable an authentication type
3114
* auth enable Enable an authentication type
3118
+#if defined(AUTHENTICATE)
3122
+ int (*handler)(const char *, const char *);
3126
+static int auth_help (const char *, const char *);
3128
+struct authlist AuthList[] = {
3129
+ { "status", "Display current status of authentication information",
3131
+ { "disable", "Disable an authentication type ('auth disable ?' for more)",
3132
+ auth_disable, 1 },
3133
+ { "enable", "Enable an authentication type ('auth enable ?' for more)",
3135
+ { "help", 0, auth_help, 0 },
3136
+ { "?", "Print help information", auth_help, 0 },
3140
+static int auth_help(const char *, const char *)
3142
+ struct authlist *c;
3144
+ for (c = AuthList; c->name; c++) {
3147
+ printf("%-15s %s\n", c->name, c->help);
3155
+static int auth_cmd(int argc, const char *argv[])
3157
+ struct authlist *c;
3161
+ "Need an argument to 'auth' command. 'auth ?' for help.\n");
3165
+ c = (struct authlist *)
3166
+ genget(argv[1], (char **) AuthList, sizeof(struct authlist));
3168
+ fprintf(stderr, "'%s': unknown argument ('auth ?' for help).\n",
3172
+ if (c == AMBIGUOUS) {
3173
+ fprintf(stderr, "'%s': ambiguous argument ('auth ?' for help).\n",
3177
+ if (c->narg + 2 != argc) {
3179
+ "Need %s%d argument%s to 'auth %s' command. 'auth ?' for help.\n",
3180
+ c->narg < argc + 2 ? "only " : "",
3181
+ c->narg, c->narg == 1 ? "" : "s", c->name);
3184
+ return((*c->handler)(argv[2], argv[3]));
3189
* The ENCRYPT command.
3191
* encrypt enable Enable encryption
3192
@@ -1823,6 +1909,9 @@
3196
+#if defined(AUTHENTICATE)
3197
+ auth_encrypt_connect(connected);
3199
} while (connected == 0);
3200
if (tmpaddr->ai_canonname == 0) {
3201
hostname = new char[strlen(hostp)+1];
3202
@@ -1874,6 +1963,9 @@
3204
transcomhelp[] = "specify Unix command for transparent mode pipe",
3206
+#if defined(AUTHENTICATE)
3207
+ authhelp[] = "turn on (off) authentication ('auth ?' for more)",
3209
zhelp[] = "suspend telnet",
3210
/* shellhelp[] = "invoke a subshell", */
3211
envhelp[] = "change environment variables ('environ ?' for more)",
3212
@@ -1931,7 +2023,9 @@
3213
BIND("transcom", transcomhelp, settranscom);
3216
- // BIND("auth", authhelp, auth_cmd);
3217
+#if defined(AUTHENTICATE)
3218
+ BIND("auth", authhelp, auth_cmd);
3220
// BIND("encrypt", encrypthelp, encrypt_cmd);
3222
BIND("z", zhelp, suspend);
3223
diff -Naur netkit-telnet-0.17/telnet/externs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h
3224
--- netkit-telnet-0.17/telnet/externs.h 2015-01-27 23:31:10.461546453 +0100
3225
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h 2004-05-27 11:47:26.000000000 +0200
3227
void inputAvailable(void);
3229
#endif /* defined(TN3270) */
3232
+#include <libtelnet/sslapp.h>
3233
+#endif /* USE_SSL */
3235
diff -Naur netkit-telnet-0.17/telnet/glue2.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue2.cc
3236
--- netkit-telnet-0.17/telnet/glue2.cc 1970-01-01 01:00:00.000000000 +0100
3237
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue2.cc 2004-05-27 11:47:26.000000000 +0200
3241
+#include "externs.h"
3244
+int netflush_h(void) {
3245
+ return netflush();
3248
+void printsub_h(int direction, unsigned char *pointer, int length) {
3249
+ printsub(direction, pointer, length);
3252
diff -Naur netkit-telnet-0.17/telnet/glue.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc
3253
--- netkit-telnet-0.17/telnet/glue.cc 1970-01-01 01:00:00.000000000 +0100
3254
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc 2004-05-27 11:47:26.000000000 +0200
3259
+extern ringbuf netoring;
3261
+extern "C" int netflush(void) {
3262
+ return netflush_h();
3265
+extern "C" void printsub(int direction, unsigned char *pointer, int length) {
3266
+ printsub_h(direction, pointer, length);
3269
+extern "C" void writenet(const char *str, int len) {
3270
+ netoring.write(str, len);
3273
+extern "C" int telnet_spin() {
3276
diff -Naur netkit-telnet-0.17/telnet/glue.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.h
3277
--- netkit-telnet-0.17/telnet/glue.h 1970-01-01 01:00:00.000000000 +0100
3278
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.h 2004-05-27 11:47:26.000000000 +0200
3280
+void printsub_h(int direction, unsigned char *pointer, int length);
3281
+int netflush_h(void);
3282
diff -Naur netkit-telnet-0.17/telnet/main.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc
3283
--- netkit-telnet-0.17/telnet/main.cc 2015-01-27 23:31:10.449546453 +0100
3284
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc 2004-05-27 11:47:26.000000000 +0200
3286
#include "defines.h"
3289
+#if defined(AUTHENTICATE)
3290
+#include <libtelnet/auth.h>
3291
+#include <libtelnet/misc.h>
3295
* Initialize variables.
3298
rlogin = escapechar = _POSIX_VDISABLE;
3302
+#ifdef AUTHENTICATE
3307
binary |= 2; /* binary output only */
3312
- // disable authentication type "optarg"
3313
+#ifdef AUTHENTICATE
3314
+ auth_disable_name(optarg);
3319
@@ -247,6 +256,17 @@
3320
if (autologin == -1)
3321
autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
3324
+ if (ssl_secure_flag||ssl_cert_required) {
3325
+ /* in secure mode we *must* switch on the base level
3326
+ * verify checking otherwise we cannot abort connections
3327
+ * at the right place!
3329
+ if (ssl_verify_flag == 0)
3330
+ ssl_verify_flag = 1;
3332
+#endif /* USE_SSL */
3337
@@ -269,6 +289,11 @@
3338
*argp++ = family == AF_INET ? "-4" : "-6";
3340
*argp++ = argv[0]; /* host */
3342
+ if (strcmp(argv[0], "localhost") != 0) {
3345
+#endif /* USE_SSL */
3347
*argp++ = argv[1]; /* port */
3349
diff -Naur netkit-telnet-0.17/telnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile
3350
--- netkit-telnet-0.17/telnet/Makefile 2015-01-27 23:31:03.913546617 +0100
3351
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile 2004-05-27 11:47:26.000000000 +0200
3353
$(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk
3356
- install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)
3357
- install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1
3358
+ install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl
3359
+ install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1/telnet-ssl.1
3363
diff -Naur netkit-telnet-0.17/telnet/netlink.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc
3364
--- netkit-telnet-0.17/telnet/netlink.cc 2015-01-27 23:31:10.449546453 +0100
3365
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc 2004-05-27 11:47:26.000000000 +0200
3367
#include "netlink.h"
3370
+#include <libtelnet/sslapp.h>
3372
/* In Linux, this is an enum */
3373
#if defined(__linux__) || defined(IPPROTO_IP)
3376
virtual int read(char *buf, int maxlen) {
3377
int net = nlink.getfd();
3378
- int l = recv(net, buf, maxlen, 0);
3381
+ if (ssl_active_flag)
3382
+ l = SSL_read(ssl_con, buf, maxlen);
3384
+#endif /* USE_SSL */
3385
+ l = recv(net, buf, maxlen, 0);
3386
if (l<0 && errno == EWOULDBLOCK) l = 0;
3394
+ if (ssl_active_flag) {
3395
+ if (ssl_debug_flag)
3396
+ BIO_printf(bio_err,"NetClose: calling SSL_shutdown\n");
3397
+ SSL_shutdown(ssl_con);
3398
+ SSL_free(ssl_con);
3400
+ ssl_active_flag=0;
3402
+#endif /* USE_SSL */
3406
@@ -158,6 +175,40 @@
3407
if (::connect(net, addr->ai_addr, addr->ai_addrlen) < 0) {
3411
+ if (!do_ssleay_init(0)) {
3412
+ if (bio_err==NULL) {
3415
+ fprintf(stderr,"do_ssleay_init() failed\n");
3416
+ ERR_print_errors_fp(stderr);
3418
+ BIO_printf(bio_err,"do_ssleay_init() failed\n");
3419
+ ERR_print_errors(bio_err);
3424
+ /* bind in the network descriptor */
3425
+ SSL_set_fd(ssl_con,net);
3427
+ /* if we are doing raw SSL then start it now ... */
3428
+ if (ssl_only_flag) {
3429
+ if (!SSL_connect(ssl_con)) {
3430
+ static char errbuf[1024];
3432
+ ERR_print_errors_fp(stderr);
3433
+ perror("SSL_connect");
3438
+ display_connect_details(ssl_con,ssl_debug_flag);
3439
+ ssl_active_flag=1;
3443
+#endif /* USE_SSL */
3447
@@ -201,11 +252,18 @@
3450
int netlink::send(const char *s, int n, int f) {
3452
+ if (ssl_active_flag)
3453
+ return SSL_write(ssl_con, s, n); /* normal write */
3455
+#endif /* USE_SSL */
3456
return ::send(net, s, n, f);
3459
void netlink::nonblock(int onoff) {
3461
ioctl(net, FIONBIO, &onoff);
3462
+#endif /* !USE_SSL */
3465
int netlink::getfd() {
3466
diff -Naur netkit-telnet-0.17/telnet/README.SSL netkit-telnet-ssl-0.17.24+0.1.orig/telnet/README.SSL
3467
--- netkit-telnet-0.17/telnet/README.SSL 1970-01-01 01:00:00.000000000 +0100
3468
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/README.SSL 2004-05-27 11:47:26.000000000 +0200
3471
+ * The modifications to support SSLeay were done by Tim Hudson
3472
+ * tjh@cryptsoft.com
3474
+ * You can do whatever you like with these patches except pretend that
3477
+ * Email ssl-users-request@mincom.oz.au to get instructions on how to
3478
+ * join the mailing list that discusses SSLeay and also these patches.
3480
+ * The modifications for this version of telnet where done by
3481
+ * Christoph Martin <christoph.martin@uni-mainz.de>
3486
+ This version of telnet/telnetd has support for the
3487
+ AUTHENTICATION option. The AUTHENTICATION option is fairly
3488
+ well defined, and an option number has been assigned to
3489
+ it. The code is provided in this release for experimental and
3492
+ A new telnet command, "auth" has been added (if
3493
+ AUTHENTICATE is defined). It has four sub-commands,
3494
+ "status", "debug", "disable", "enable" and "help".
3496
diff -Naur netkit-telnet-0.17/telnet/sys_bsd.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc
3497
--- netkit-telnet-0.17/telnet/sys_bsd.cc 2015-01-27 23:31:03.925546616 +0100
3498
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc 2004-05-27 11:47:26.000000000 +0200
3499
@@ -173,8 +173,10 @@
3504
void NetSigIO(int fd, int onoff) {
3505
ioctl(fd, FIOASYNC, (char *)&onoff); /* hear about input */
3506
+#endif /* !USE_SSL */
3509
void NetSetPgrp(int fd) {
3512
int returnValue = 0;
3513
static struct timeval TimeValue = { 0, 0 };
3517
int net = nlink.getfd();
3518
int tin = tlink_getifd();
3519
@@ -318,6 +322,12 @@
3520
if (maxfd < tin) maxfd=tin;
3521
if (maxfd < tout) maxfd=tout;
3523
+ ssl_pending = netin && SSL_pending(ssl_con);
3525
+ /* if (ssl_pending) {
3526
+ printf("SSL_pending, poll=%d\n", poll);
3529
if ((c = select(maxfd+1, &ibits, &obits, &xbits,
3530
(poll == 0)? (struct timeval *)0 : &TimeValue)) < 0) {
3534
* Something to read from the network...
3536
- if (FD_ISSET(net, &ibits)) {
3537
+ if (ssl_pending || FD_ISSET(net, &ibits)) {
3538
/* hacks for systems without SO_OOBINLINE removed */
3540
FD_CLR(net, &ibits);
3541
diff -Naur netkit-telnet-0.17/telnet/telnet.1 netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1
3542
--- netkit-telnet-0.17/telnet/telnet.1 2015-01-27 23:31:10.449546453 +0100
3543
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1 2004-05-27 11:47:26.000000000 +0200
3546
Disables the escape character functionality; that is, sets the escape
3547
character to ``no character''.
3549
+Specifies no automatic login to the remote system.
3551
Specifies an 8-bit data path on output. This causes the
3553
option to be negotiated on just output.
3557
+type of authentication.
3559
Attempt automatic login. Currently, this sends the user name via the
3561
@@ -144,6 +150,54 @@
3566
+Set SSL (Secure Socket Layer) parameters. The default is to negotiate
3567
+via telnet protocoll if SSL is availlable at server side and then to
3568
+switch it on. In this mode you can connect to both conventional and
3569
+SSL enhanced telnetd's.
3571
+The SSL parameters are:
3574
+Send SSL related debugging information to stderr.
3575
+.It Ic Ar authdebug
3576
+Enable authentication debugging.
3578
+Negotiate SSL at first, then use telnet protocol. In this mode you can
3579
+connect to any server supporting directly SSL like Apache-SSL. Use
3580
+.Ic telnet -z ssl ssl3.netscape.com https
3581
+for example. telnet protocol negotiation goes encrypted.
3582
+.It Ic Ar nossl, Ar !ssl
3583
+switch of SSL negotiation
3584
+.It Ic Ar certrequired
3585
+client certificate is mandatory
3587
+Don't switch back to unencrypted mode (no SSL) if SSL is not available.
3589
+Be verbose about certificates etc.
3590
+.It Ic Ar verify=int
3592
+Set the SSL verify flags (SSL_VERIFY_* in
3596
+.It Ic Ar cert=cert_file
3598
+Use the certificate(s) in
3600
+.It Ic Ar key=key_file
3604
+.It Ic Ar cipher=ciph_list
3606
+Set the preferred ciphers to
3608
+.\" TODO: possible values; comma-separated list?
3614
Specifies a host to contact over the network.
3616
diff -Naur netkit-telnet-0.17/telnet/telnet.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc
3617
--- netkit-telnet-0.17/telnet/telnet.cc 2015-01-27 23:31:10.457546453 +0100
3618
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc 2004-05-27 11:47:26.000000000 +0200
3621
+ * The modifications to support SSLeay were done by Tim Hudson
3622
+ * tjh@cryptsoft.com and Christoph Martin martin@uni-mainz.de
3624
+ * You can do whatever you like with these patches except pretend that
3627
+ * Email ssl-users-request@mincom.oz.au to get instructions on how to
3628
+ * join the mailing list that discusses SSLeay and also these patches.
3633
* Copyright (c) 1988, 1990 Regents of the University of California.
3634
* All rights reserved.
3640
+#if defined(AUTHENTICATE)
3641
+#include <libtelnet/auth.h>
3642
+#include <libtelnet/misc-proto.h>
3645
#define strip(x) ((x)&0x7f)
3647
@@ -179,6 +195,10 @@
3648
memset(options, 0, sizeof(options));
3650
connected = In3270 = ISend = localflow = donebinarytoggle = 0;
3652
+#if defined(ENCRYPT) || defined(AUTHENTICATE)
3653
+ auth_encrypt_connect(connected);
3659
settimer(modenegotiated);
3662
+#if defined(AUTHENTICATE)
3663
+ case TELOPT_AUTHENTICATION:
3668
@@ -400,6 +423,21 @@
3669
set_my_state_dont(option);
3670
return; /* Never reply to TM will's/wont's */
3673
+ /* don't know if this is needed here ... don't
3674
+ * really want to think about it myself
3675
+ * at the moment --tjh
3677
+ case TELOPT_AUTHENTICATION:
3678
+ if (ssl_secure_flag && !ssl_only_flag) {
3680
+ printf("[SSL not available]\n");
3682
+ /* abort quickly ... */
3685
+#endif /* USE_SSL */
3690
@@ -455,6 +493,12 @@
3691
case TELOPT_ENVIRON: /* environment variable option */
3694
+#if defined(AUTHENTICATE)
3695
+ case TELOPT_AUTHENTICATION:
3701
case TELOPT_XDISPLOC: /* X Display location */
3702
if (env_getvalue("DISPLAY", 0))
3703
@@ -520,6 +564,19 @@
3704
case TELOPT_LINEMODE:
3705
linemode = 0; /* put us back to the default state */
3708
+ case TELOPT_AUTHENTICATION:
3709
+ if (ssl_secure_flag && !ssl_only_flag) {
3711
+ printf("[SSL not available]\n");
3713
+ /* abort quickly ... */
3716
+ fprintf(stderr,"[SSL not available]\n");
3719
+#endif /* USE_SSL */
3721
/* we always accept a DONT */
3722
set_my_want_state_wont(option);
3723
@@ -786,6 +843,38 @@
3727
+#if defined(AUTHENTICATE)
3728
+ case TELOPT_AUTHENTICATION: {
3733
+ switch(SB_GET()) {
3735
+ if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
3737
+ auth_is(subpointer, SB_LEN());
3739
+ case TELQUAL_SEND:
3740
+ if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
3742
+ auth_send(subpointer, SB_LEN());
3744
+ case TELQUAL_REPLY:
3745
+ if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
3747
+ auth_reply(subpointer, SB_LEN());
3749
+ case TELQUAL_NAME:
3750
+ if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
3752
+ auth_name(subpointer, SB_LEN());
3762
@@ -1728,12 +1817,29 @@
3764
* Select from tty and network...
3766
-void telnet(const char * /*user*/) {
3767
+void telnet(const char *user) {
3770
+#if defined(AUTHENTICATE)
3772
+ static char local_host[256] = { 0 };
3773
+ int len = sizeof(local_host);
3775
+ if (!local_host[0]) {
3776
+ gethostname(local_host, len); /* WAS &len!!! */
3777
+ local_host[sizeof(local_host)-1] = 0;
3779
+ auth_encrypt_init(local_host, hostname, "TELNET", 0);
3780
+ auth_encrypt_user(user);
3784
#if !defined(TN3270)
3786
+#if defined(AUTHENTICATE)
3788
+ send_will(TELOPT_AUTHENTICATION, 1);
3790
send_do(TELOPT_SGA, 1);
3791
send_will(TELOPT_TTYPE, 1);
3792
send_will(TELOPT_NAWS, 1);
3793
diff -Naur netkit-telnet-0.17/telnet/utilities.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc
3794
--- netkit-telnet-0.17/telnet/utilities.cc 2015-01-27 23:31:03.929546616 +0100
3795
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc 2004-05-27 11:47:27.000000000 +0200
3798
#include "terminal.h"
3800
+#if defined(AUTHENTICATE)
3801
+#include <libtelnet/auth.h>
3804
FILE *NetTrace = 0; /* Not in bss, since needs to stay */ /* ? */
3805
char NetTraceFile[256] = "(standard output)";
3808
/* length: length of suboption data */
3809
void printsub(int direction, unsigned char *pointer, int length) {
3812
+ unsigned char buf[512];
3813
extern int want_status_response;
3815
if (showoptions || direction == 0 ||
3816
@@ -370,6 +374,73 @@
3817
fprintf(NetTrace, " ?%d?", pointer[i]);
3820
+#if defined(AUTHENTICATE)
3821
+ case TELOPT_AUTHENTICATION:
3822
+ fprintf(NetTrace, "AUTHENTICATION");
3824
+ fprintf(NetTrace, " (empty suboption???)");
3827
+ switch (pointer[1]) {
3828
+ case TELQUAL_REPLY:
3830
+ fprintf(NetTrace, " %s ", (pointer[1] == TELQUAL_IS) ?
3832
+ if (AUTHTYPE_NAME_OK(pointer[2]))
3833
+ fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[2]));
3835
+ fprintf(NetTrace, "%d ", pointer[2]);
3837
+ fprintf(NetTrace, "(partial suboption???)");
3840
+ fprintf(NetTrace, "%s|%s",
3841
+ ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
3842
+ "CLIENT" : "SERVER",
3843
+ ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
3844
+ "MUTUAL" : "ONE-WAY");
3846
+ auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
3847
+ fprintf(NetTrace, "%s", buf);
3850
+ case TELQUAL_SEND:
3852
+ fprintf(NetTrace, " SEND ");
3853
+ while (i < length) {
3854
+ if (AUTHTYPE_NAME_OK(pointer[i]))
3855
+ fprintf(NetTrace, "%s ", AUTHTYPE_NAME(pointer[i]));
3857
+ fprintf(NetTrace, "%d ", pointer[i]);
3858
+ if (++i >= length) {
3859
+ fprintf(NetTrace, "(partial suboption???)");
3862
+ fprintf(NetTrace, "%s|%s ",
3863
+ ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
3864
+ "CLIENT" : "SERVER",
3865
+ ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
3866
+ "MUTUAL" : "ONE-WAY");
3871
+ case TELQUAL_NAME:
3873
+ fprintf(NetTrace, " NAME \"");
3874
+ while (i < length)
3875
+ putc(pointer[i++], NetTrace);
3876
+ putc('"', NetTrace);
3880
+ for (i = 2; i < length; i++)
3881
+ fprintf(NetTrace, " ?%d?", pointer[i]);
3887
case TELOPT_LINEMODE:
3888
fprintf(NetTrace, "LINEMODE ");
3890
diff -Naur netkit-telnet-0.17/telnetd/ext.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h
3891
--- netkit-telnet-0.17/telnetd/ext.h 2015-01-27 23:31:10.457546453 +0100
3892
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h 2004-05-27 11:47:27.000000000 +0200
3893
@@ -212,3 +212,12 @@
3896
#define DEFAULT_IM "%i\r\n%s %r (%h) (%t)\r\n\r\n"
3900
+#include <libtelnet/sslapp.h>
3902
+/* make telnetd global debug flag visible */
3905
+#endif /* USE_SSL */
3906
diff -Naur netkit-telnet-0.17/telnetd/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile
3907
--- netkit-telnet-0.17/telnetd/Makefile 2015-01-27 23:31:03.929546616 +0100
3908
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile 2004-05-27 11:47:27.000000000 +0200
3910
# logout.o logwtmp.o (now from -lutil)
3914
+telnetd: $(OBJS) $(LIBTELNET)
3915
$(CC) $(LDFLAGS) $^ $(LIBS) -o $@
3917
$(OBJS): defs.h ext.h pathnames.h telnetd.h logwtmp.h logout.h setproctitle.h
3918
diff -Naur netkit-telnet-0.17/telnetd/state.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c
3919
--- netkit-telnet-0.17/telnetd/state.c 2015-01-27 23:31:03.929546616 +0100
3920
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c 2004-05-27 11:47:27.000000000 +0200
3922
"$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $";
3924
#include "telnetd.h"
3925
+#if defined(AUTHENTICATE)
3926
+#include <libtelnet/auth.h>
3931
diff -Naur netkit-telnet-0.17/telnetd/sys_term.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c
3932
--- netkit-telnet-0.17/telnetd/sys_term.c 2015-01-27 23:31:10.461546453 +0100
3933
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c 2004-05-27 11:47:27.000000000 +0200
3936
static struct termios termbuf, termbuf2; /* pty control structure */
3939
+#define DO_SHUTDOWN(x,y) \
3941
+ fprintf(stderr,"Doing SSL_shutdown\n");\
3944
+ if (ssl_active_flag) \
3945
+ SSL_shutdown(ssl_con); \
3948
+#define DO_SHUTDOWN(x,y) shutdown((x),(y))
3951
/*static int cleanopen(char *line);*/
3954
diff -Naur netkit-telnet-0.17/telnetd/telnetd.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8
3955
--- netkit-telnet-0.17/telnetd/telnetd.8 2015-01-27 23:31:10.461546453 +0100
3956
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8 2004-05-27 11:47:27.000000000 +0200
3957
@@ -207,6 +207,52 @@
3958
can be used to temporarily disable
3959
a specific authentication type without having to recompile
3961
+.It Fl z Ar SSL-parameter
3962
+This option is only valid if
3964
+has been built with SSL (Secure Socket Layer) support.
3967
+Enable SSL related debugging.
3969
+Negotiate SSL at first, then use telnet protocol. In this mode telnetd
3970
+only accepts connections from SSL enhanced telnet with option
3973
+switch of SSL negotiation
3975
+Look username up in /etc/ssl.users. The format of this file is lines
3977
+.Ar user1,user2:/C=US/.....
3978
+where user1 and user2 are usernames. If client certificate is valid,
3979
+authenticate without password.
3980
+.It Ic certrequired
3981
+client certificate is mandatory
3983
+Don't switch back to unencrypted mode (no SSL) if SSL is not available.
3986
+Set the SSL verify flags (SSL_VERIFY_* in
3990
+.It Ic cert=cert_file
3992
+Use the certificate(s) in
3994
+.It Ic key=key_file
3998
+.It Ic cipher=ciph_list
4000
+Set the preferred ciphers to
4002
+.\" TODO: possible values; comma-separated list?
4010
diff -Naur netkit-telnet-0.17/telnetd/telnetd.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c
4011
--- netkit-telnet-0.17/telnetd/telnetd.c 2015-01-27 23:31:03.929546616 +0100
4012
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c 2004-05-27 11:47:27.000000000 +0200
4014
static void doit(struct sockaddr *who, socklen_t who_len);
4015
static int terminaltypeok(const char *s);
4018
+static char cert_filepath[1024];
4019
+#endif /* USE_SSL */
4023
* pointers, and counters.
4030
#if defined(HAS_IPPROTO_IP) && defined(IP_TOS)
4032
@@ -212,9 +217,82 @@
4033
pfrontp = pbackp = ptyobuf;
4036
- while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:")) != EOF) {
4038
+ /* we need to know the fullpath to the location of the
4039
+ * certificate that we will be running with as we cannot
4040
+ * be sure of the cwd when we are launched
4042
+ sprintf(cert_filepath,"%s/%s",X509_get_default_cert_dir(),
4044
+ ssl_cert_file=cert_filepath;
4045
+ ssl_key_file=NULL;
4046
+#endif /* USE_SSL */
4048
+ while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) {
4056
+ origopt=strdup(optarg);
4057
+ optarg=strtok(origopt,",");
4059
+ while(optarg!=NULL) {
4061
+ if (strcmp(optarg, "debug") == 0 ) {
4063
+ } else if (strcmp(optarg, "ssl") == 0 ) {
4065
+ } else if (strcmp(optarg, "certsok") == 0 ) {
4066
+ ssl_certsok_flag=1;
4067
+ } else if ( (strcmp(optarg, "!ssl") == 0) ||
4068
+ (strcmp(optarg, "nossl") == 0) ) {
4069
+ /* we may want to switch SSL negotiation off
4070
+ * for testing or other reasons
4072
+ ssl_disabled_flag=1;
4073
+ } else if (strcmp(optarg, "certrequired") == 0 ) {
4074
+ ssl_cert_required=1;
4075
+ } else if (strcmp(optarg, "secure") == 0 ) {
4076
+ ssl_secure_flag=1;
4077
+ } else if (strncmp(optarg, "verify=",
4078
+ strlen("verify=")) == 0 ) {
4079
+ ssl_verify_flag=atoi(optarg+strlen("verify="));
4080
+ } else if (strncmp(optarg, "cert=",
4081
+ strlen("cert=")) == 0 ) {
4082
+ ssl_cert_file=optarg+strlen("cert=");
4083
+ } else if (strncmp(optarg, "key=",
4084
+ strlen("key=")) == 0 ) {
4085
+ ssl_key_file=optarg+strlen("key=");
4086
+ } else if (strncmp(optarg,"cipher=",
4087
+ strlen("cipher="))==0) {
4088
+ ssl_cipher_list=optarg+strlen("cipher=");
4090
+ /* report when we are given rubbish so that
4091
+ * if the user makes a mistake they have to
4094
+ fprintf(stderr,"Unknown SSL option %s\n",optarg);
4099
+ /* get the next one ... */
4100
+ optarg=strtok(NULL,",");
4105
+ if (origopt!=NULL)
4111
+#endif /* USE_SSL */
4116
@@ -347,6 +425,46 @@
4122
+ if (ssl_secure_flag || ssl_cert_required) {
4123
+ /* in secure mode we *must* switch on the base level
4124
+ * verify checking otherwise we cannot abort connections
4125
+ * at the right place!
4127
+ if (ssl_verify_flag==0)
4128
+ ssl_verify_flag=1;
4131
+ /* if we are not running in debug then any error
4132
+ * stuff from SSL debug *must* not go down
4133
+ * the socket (which 0,1,2 are all pointing to by
4136
+ if (ssl_debug_flag)
4137
+ ssl_log_file="/telnetd.log";
4139
+ if (!do_ssleay_init(1)) {
4140
+ if (bio_err!=NULL) {
4141
+ BIO_printf(bio_err,"do_ssleay_init() failed\n");
4142
+ ERR_print_errors(bio_err);
4145
+ fprintf(stderr,"do_ssleay_init() failed\n");
4146
+ ERR_print_errors_fp(stderr);
4151
+ if (ssl_debug_flag) {
4152
+ BIO_printf(bio_err,"secure %d certrequired %d verify %d\n",
4153
+ ssl_secure_flag,ssl_cert_required,ssl_verify_flag);
4154
+ for(i=0;i<argc;i++)
4155
+ BIO_printf(bio_err,"argv[%d]=\"%s\"\n",i,argv[i]);
4158
+#endif /* USE_SSL */
4163
@@ -384,6 +502,39 @@
4164
syslog(LOG_WARNING, "setsockopt (IP_TOS): %m");
4166
#endif /* defined(HAS_IPPROTO_IP) && defined(IP_TOS) */
4169
+ /* do the SSL stuff now ... before we play with pty's */
4170
+ SSL_set_fd(ssl_con,0);
4172
+ if (ssl_only_flag) {
4173
+ /* hmm ... only when running talking to things like
4174
+ * https servers should we hit this code and then
4175
+ * we really don't care *who* we talk to :-)
4177
+ SSL_set_verify(ssl_con,ssl_verify_flag,NULL);
4179
+ if (SSL_accept(ssl_con) <= 0) {
4180
+ static char errbuf[1024];
4182
+ sprintf(errbuf,"SSL_accept error %s\n",
4183
+ ERR_error_string(ERR_get_error(),NULL));
4185
+ syslog(LOG_WARNING, errbuf);
4187
+ BIO_printf(bio_err,errbuf);
4189
+ /* go to sleep to make sure we are noticed */
4191
+ SSL_free(ssl_con);
4195
+ ssl_active_flag=1;
4198
+#endif /* USE_SSL */
4202
doit((struct sockaddr *)&from, fromlen);
4203
@@ -451,6 +602,50 @@
4204
if (his_state_is_will(TELOPT_AUTHENTICATION)) {
4205
retval = auth_wait(name);
4209
+ /* if SSL is required then we will stop if we don't
4212
+ if (ssl_secure_flag) {
4213
+ if (!ssl_active_flag) {
4214
+ /* we need to indicate to the user that SSL
4215
+ * is required ... need to think about how
4216
+ * to do this cleanly at this point!
4220
+ /* this muck is needed so that the message
4221
+ * actually makes it back to the user ...
4223
+ send_do(TELOPT_TTYPE, 1);
4224
+ send_do(TELOPT_TSPEED, 1);
4225
+ send_do(TELOPT_XDISPLOC, 1);
4226
+ send_do(TELOPT_ENVIRON, 1);
4229
+#if defined(ENCRYPT)
4230
+ his_do_dont_is_changing(TELOPT_ENCRYPT) ||
4232
+ his_will_wont_is_changing(TELOPT_TTYPE) ||
4233
+ his_will_wont_is_changing(TELOPT_TSPEED) ||
4234
+ his_will_wont_is_changing(TELOPT_XDISPLOC) ||
4235
+ his_will_wont_is_changing(TELOPT_ENVIRON)) {
4240
+ if (ssl_debug_flag) {
4241
+ fprintf(stderr,"[SSL required - connection rejected]");
4245
+ fatal(net,"[SSL required - connection rejected]");
4249
+#endif /* USE_SSL */
4253
#if defined(ENCRYPT)
4254
@@ -710,12 +905,29 @@
4256
/* TODO list stuff provided by Laszlo Vecsey <master@internexus.net> */
4260
+ fprintf(stderr,"doit - ALIVE\n");
4264
+#endif /* USE_SSL */
4268
* Set REMOTEHOST environment variable
4270
setproctitle("%s", host);
4271
setenv("REMOTEHOST", host, 0);
4275
+ fprintf(stderr,"doit - starting telnet protocol itself\n");
4279
+#endif /* USE_SSL */
4282
* Start up the login process on the slave side of the terminal
4284
@@ -853,7 +1065,10 @@
4289
ioctl(f, FIONBIO, (char *)&on);
4290
+#endif /* !USE_SSL */
4292
ioctl(p, FIONBIO, (char *)&on);
4294
#if defined(SO_OOBINLINE)
4295
@@ -1007,6 +1222,7 @@
4296
* fails (and AFTER we did the normal mode read
4297
* to clear "at the mark").
4303
@@ -1024,11 +1240,23 @@
4304
ncc = read(net, netibuf, sizeof (netibuf));
4309
+#endif /* !USE_SSL */
4312
+ if (ssl_active_flag)
4313
+ ncc = SSL_read(ssl_con, netibuf, sizeof (netibuf));
4315
+#endif /* USE_SSL */
4316
ncc = read(net, netibuf, sizeof (netibuf));
4318
settimer(didnetreceive);
4319
#else /* !defined(SO_OOBINLINE)) */
4321
+ if (ssl_active_flag)
4322
+ ncc = SSL_read(ssl_con, netibuf, sizeof (netibuf));
4324
+#endif /* USE_SSL */
4325
ncc = read(net, netibuf, sizeof (netibuf));
4326
#endif /* !defined(SO_OOBINLINE)) */
4327
if (ncc < 0 && errno == EWOULDBLOCK)
4328
diff -Naur netkit-telnet-0.17/telnetd/utility.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c
4329
--- netkit-telnet-0.17/telnetd/utility.c 2015-01-27 23:31:03.941546616 +0100
4330
+++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c 2004-05-27 11:47:27.000000000 +0200
4333
static struct buflist *urg;
4345
@@ -351,6 +358,12 @@
4348
(void) write(f, buf, (int)strlen(buf));
4351
+ fprintf(stderr,"fatal called: %s\r\n",msg);
4354
+#endif /* USE_SSL */
4358
@@ -452,6 +465,23 @@
4364
+ /* output prog ver and SSLeay ver */
4365
+ putstr("[SSL 0.10-");
4366
+ putstr(SSLeay_version(SSLEAY_VERSION));
4369
+#else /* !USE_SSL */
4371
+ /* ignore the version token ... so we can have
4372
+ * just the one version string which we hack
4373
+ * here rather than all over the place
4377
+#endif /* USE_SSL */
4382
diff -Naur netkit-telnet-0.17/VERSION netkit-telnet-ssl-0.17.24+0.1.orig/VERSION
4383
--- netkit-telnet-0.17/VERSION 1970-01-01 01:00:00.000000000 +0100
4384
+++ netkit-telnet-ssl-0.17.24+0.1.orig/VERSION 2004-05-27 11:47:25.000000000 +0200
4386
+Version 0.13 16-Sep-1997 tjh (tjh@cryptsoft.com)
4387
+ - CRLF on messages in sslapp.c
4388
+ - fixed built-in service name to port number code for sites that
4389
+ don't have SSL things in their services list (https, telnets, etc)
4390
+ - work around gcc 2.7.2 solaris 2.5.1 compiler bug in telnet/commands.c
4392
+Version 0.12 02-Aug-1997 tjh (tjh@cryptsoft.com)
4393
+ - fixed up check for secure mode when running with ssl_only
4394
+ set - thanks to Simon Gerraty (sjg@zen.quick.com.au) for
4395
+ pointing this combination out.
4397
+Version 0.11 01-Jun-1997 tjh (tjh@cryptsoft.com)
4398
+ - SSLeay-0.8.0 port
4399
+ - reorganised the code so that most of the SSLeay stuff is
4400
+ now in lib/libtelnet/sslapp.c and is shared between the
4401
+ client and the server so things are easier to maintain
4403
+Version 0.10 06-Aug-1996 tjh (tjh@mincom.oz.au)
4404
+ - updated the messages from telnet on startup so that the
4405
+ user is 100% sure of when SSL is being used and when it
4406
+ is not being used (thanks to Eric for hassling me to do this)
4407
+ - extra options for working with SSLeay-0.6.x which changed
4408
+ a lot of the verify handling stuff with support for
4409
+ client certificate exchange ... still to be documented
4411
+ telnetd -z certrequired -z secure -z verify=1 -z certsok
4412
+ telnet -z secure -z cert=FILENAME.pem -z key=FILENAME.pem
4413
+ - added in support for all the telnetd args being comma separated
4414
+ so that braindead inetd's (SunOS 5.3) can have lots of options
4415
+ in the one option to work around arg count limits! You can
4417
+ telnet -z certrequired,secure,debug,certsok
4419
+ - there is now documentation for SSL telnet ... and it should
4420
+ be read especially if you are going to use certificates for
4423
+Version 0.9 01-Jul-1996 tjh (tjh@mincom.oz.au)
4424
+ - hmm ... merged in some additional things ... and I don't
4425
+ recollect exactly what :-)
4427
+Version 0.8 01-Jan-1996 tjh (tjh@mincom.oz.au)
4428
+ - fixed up gettimeofday to add the extra parameter that
4429
+ is required under SunOS 5.4+ (by default) ... thanks to
4430
+ J.J.Bailey <jjb@bcc.com>
4431
+ - get the checking for -z secure correct - thanks to
4432
+ James Walter Martin III <jwm3@harriet.jwm3.org> for pointing out
4433
+ that I had it wrong initially
4434
+ - fixed major security flaw in lib/libtelnet/ssl.c thanks to
4435
+ Christop Martin for pointing this one out!
4438
+Version 0.7 21-Dec-1995 tjh (tjh@mincom.oz.au)
4439
+ - SSLeay 0.5.0b support
4440
+ => note: now using telnetd.pem for public+private key
4441
+ (telnetd/ext.h now displays the SSLtelnetd version)
4443
+Version 0.6 03-Nov-1995 tjh (tjh@mincom.oz.au)
4445
+Version 0.5 18-Sep-1995 tjh (tjh@mincom.oz.au)
4446
+ - fixed up SSL_accept, SSL_connect as Eric changed the return
4447
+ codes on me without letting me know (again)!
4448
+ - fixed up inet_addr.c for SunOS 4.1.3 as per email from
4449
+ Nicolas Pioch <pioch@Email.ENST.Fr>
4450
+ - yet another linux patch - this time to fix termio includes
4451
+ thanks to Warwick Heath <warwick@rcc-irc.si>
4452
+ - include the security patch (modified) for removing unwanted
4453
+ things from the environment of telnetd (things that effect
4454
+ shared libraries) as per the CERT announcement. Note that
4455
+ this patch doesn't log a hack attempt explicitly - perhaps
4456
+ it should. (01-Nov-95)
4458
+Version 0.4 18-Jul-1995 tjh (tjh@mincom.oz.au)
4459
+ - updated to the new error handling stuff in SSLeay-0.4.4
4460
+ and added -cipher=cipherlist and printout of subject
4461
+ and issuer of the certificate offered by the server.
4463
+Version 0.3 09-Jul-1995 tjh (tjh@mincom.oz.au)
4464
+ - 01-Jul-95 tjh - merged patches from Steven Schoch
4465
+ <schoch@sheba.arc.nasa.gov> that add in the option of having
4466
+ a file that allows you to not have to enter a password if you
4467
+ have a matching certificate (and the server is running with
4468
+ the new -z certsok option and the user is in /etc/ssl.users)
4469
+ [look in lib/libtelnet/ssl.c for more details until I document
4470
+ this a little better]
4471
+ - 30-Jun-95 tjh - applied the CERT advisory security patch that
4472
+ I happened to have missed before to bring the code up to date
4473
+ with the "current" BSD telnetd auth stuff
4474
+ - set utmp entry to be tn0xff0xff so that comsat doesn't find
4475
+ the entry twice - really need to know what the *real* id should
4476
+ be set to. (SunOS 5.x) ... and this is still not *right*
4477
+ - fixed up building under SunOS 4.1.3
4478
+ thanks to Nicolas Pioch <pioch@Email.ENST.Fr>
4479
+ - telnet client now builds cleanly on
4480
+ SunOS 4.x, SunOS 5.x, IRIX 5.x, HPUX 9.x, DGUX 5.x, Linux
4481
+ - telnetd fixes for Linux from bogk@inf.fu-berlin.de (Andreas Bogk)
4482
+ to work around an ncurses "feature" ... see terminaltypeok()
4483
+ which was also emailed in by aeppert@dialin.ind.net a few weeks
4485
+ - telnetd has now been tested on
4486
+ SunOS 5.x, IRIX 5.x, Linux
4488
+Version 0.2 09-Jun-1995 tjh (tjh@mincom.oz.au)
4489
+ - fixed up the handling of utmpx so that we can use the "normal"
4490
+ /bin/login program rather than our separate login program which
4491
+ fixed the SunOS 5.3 problem
4492
+ No utmpx entry. You must exec "login" from the lowest level "shell".
4493
+ - thanks to bogk@inf.fu-berlin.de (Andreas Bogk) for pointing
4494
+ out that I hadn't cleaned up that part of the SRA base I've
4496
+ - HPUX builds now ... still need to put in the pty handling code
4497
+ if I want telnetd to work I think
4499
+Version 0.1 06-Jun-1995 tjh (tjh@mincom.oz.au)
4500
+ - first "released" version. Code is really still pre-alpha as
4501
+ it was implemented last night so at the moment use it at your