summaryrefslogtreecommitdiffstats
path: root/abs/core/netkit-telnet-ssl
diff options
context:
space:
mode:
authorMichael Hanson <hansonorders@verizon.net>2010-12-08 21:04:21 (GMT)
committerMichael Hanson <hansonorders@verizon.net>2010-12-08 21:04:21 (GMT)
commit8084aca8649eb7e20f638bfe2ba683647cea3141 (patch)
tree71d012ba2261fab33e45b59d641712ea1eeea68b /abs/core/netkit-telnet-ssl
parent95deb5093af2b3f89d83a7a9ecc4a0811db8eadc (diff)
downloadlinhes_pkgbuild-8084aca8649eb7e20f638bfe2ba683647cea3141.zip
linhes_pkgbuild-8084aca8649eb7e20f638bfe2ba683647cea3141.tar.gz
linhes_pkgbuild-8084aca8649eb7e20f638bfe2ba683647cea3141.tar.bz2
netkit-telnet-ssl: formerly netkit-telnet, upgrade
Diffstat (limited to 'abs/core/netkit-telnet-ssl')
-rw-r--r--abs/core/netkit-telnet-ssl/PKGBUILD33
-rw-r--r--abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff2591
-rw-r--r--abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install5
-rw-r--r--abs/core/netkit-telnet-ssl/telnet.xinetd10
4 files changed, 2639 insertions, 0 deletions
diff --git a/abs/core/netkit-telnet-ssl/PKGBUILD b/abs/core/netkit-telnet-ssl/PKGBUILD
new file mode 100644
index 0000000..37fb577
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/PKGBUILD
@@ -0,0 +1,33 @@
+# Maintainer: <alexandre.becoulet@free.fr>
+# Contributor: <netbug@ftp.uk.linux.org>
+# Contributor: Fluke <fluke.l at gmail.com>
+pkgname=netkit-telnet-ssl
+pkgver=0.17.24+0.1
+pkgrel=2
+pkgdesc="telnet client and server with ssl enabled"
+arch=('i686' 'x86_64')
+license=('BSD')
+url=("http://www.hcs.harvard.edu/~dholland/computers/netkit.html")
+source=(http://ftp.de.debian.org/debian/pool/main/n/${pkgname}/${pkgname}_${pkgver}.orig.tar.gz
+ netkit-telnet-ssl-0.17.24+0.1_arch.diff
+ telnet.xinetd)
+depends=('glibc' 'openssl' 'ncurses')
+replaces=('netkit-telnet')
+md5sums=('43a402139ed6b86434fdb83256feaad8'
+ 'd51bf898269a79a2de77d1134516c209'
+ 'ca38af6f1346ae90b2cb1e160858b453')
+install=netkit-telnet-ssl.install
+
+build() {
+ cd ${srcdir}/${pkgname}-${pkgver}.orig
+ patch -p1 < ../netkit-telnet-ssl-0.17.24+0.1_arch.diff
+ ./configure --prefix=/usr --installroot=${pkgdir}
+ make || return 1
+}
+package() {
+ cd ${srcdir}/${pkgname}-${pkgver}.orig
+ mkdir -p ${pkgdir}/usr/{bin,sbin,man/man1,man/man5,man/man8} ${pkgdir}/etc/xinetd.d
+
+ make install || return 1
+ install -m644 ${srcdir}/telnet.xinetd ${pkgdir}/etc/xinetd.d/telnet-ssl
+}
diff --git a/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff
new file mode 100644
index 0000000..17b3c3c
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff
@@ -0,0 +1,2591 @@
+Only in netkit-telnet-ssl-0.17.24+0.1: debian
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c 2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c 2010-05-11 13:44:40.190322666 +0200
+@@ -37,6 +37,9 @@
+ */
+
+ #ifndef lint
++#ifdef __GNUC__
++__attribute__ ((unused))
++#endif /* __GNUC__ */
+ static char sccsid[] = "@(#)auth.c 5.2 (Berkeley) 3/22/91";
+ #endif /* not lint */
+
+@@ -83,8 +86,11 @@
+
+ #define typemask(x) (1<<((x)-1))
+
++int auth_onoff(const char *type, int on);
++
++
+ int auth_debug_mode = 0;
+-static char *Name = "Noname";
++static const char *Name = "Noname";
+ static int Server = 0;
+ static Authenticator *authenticated = 0;
+ static int authenticating = 0;
+@@ -170,7 +176,7 @@
+
+ void
+ auth_init(name, server)
+- char *name;
++ const char *name;
+ int server;
+ {
+ Authenticator *ap = authenticators;
+@@ -241,7 +247,7 @@
+
+ int
+ auth_onoff(type, on)
+- char *type;
++ const char *type;
+ int on;
+ {
+ int i, mask = -1;
+@@ -335,7 +341,7 @@
+ }
+ *e++ = IAC;
+ *e++ = SE;
+- writenet(str_request, e - str_request);
++ writenet((char *) str_request, e - str_request);
+ printsub('>', &str_request[2], e - str_request - 2);
+ }
+ }
+@@ -424,7 +430,7 @@
+ }
+ auth_send_data += 2;
+ }
+- writenet(str_none, sizeof(str_none));
++ writenet((char *) str_none, sizeof(str_none));
+ printsub('>', &str_none[2], sizeof(str_none) - 2);
+ if (auth_debug_mode)
+ printf(">>>%s: Sent failure message\r\n", Name);
+@@ -456,7 +462,7 @@
+ return;
+ }
+
+- if (ap = findauthenticator(data[0], data[1])) {
++ if ((ap = findauthenticator(data[0], data[1]))) {
+ if (ap->is)
+ (*ap->is)(ap, data+2, cnt-2);
+ } else if (auth_debug_mode)
+@@ -474,7 +480,7 @@
+ if (cnt < 2)
+ return;
+
+- if (ap = findauthenticator(data[0], data[1])) {
++ if ((ap = findauthenticator(data[0], data[1]))) {
+ if (ap->reply)
+ (*ap->reply)(ap, data+2, cnt-2);
+ } else if (auth_debug_mode)
+@@ -487,7 +493,7 @@
+ unsigned char *data;
+ int cnt;
+ {
+- Authenticator *ap;
++ /* Authenticator *ap; */
+ unsigned char savename[256];
+
+ if (cnt < 1) {
+@@ -505,7 +511,7 @@
+ savename[cnt] = '\0'; /* Null terminate */
+ if (auth_debug_mode)
+ printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+- auth_encrypt_user(savename);
++ auth_encrypt_user((char *)savename);
+ }
+
+ int
+@@ -526,7 +532,7 @@
+ }
+ *e++ = IAC;
+ *e++ = SE;
+- writenet(str_request, e - str_request);
++ writenet((char *) str_request, e - str_request);
+ printsub('>', &str_request[2], e - &str_request[2]);
+ return(1);
+ }
+@@ -542,6 +548,9 @@
+ }
+
+ /* ARGSUSED */
++#ifdef __GNUC__
++__attribute__ ((used))
++#endif /* __GNUC__ */
+ static void
+ auth_intr(sig)
+ int sig;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h 2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h 2010-05-11 13:44:40.183654321 +0200
+@@ -68,7 +68,7 @@
+ #if defined(AUTHENTICATE)
+ Authenticator *findauthenticator P((int, int));
+
+-void auth_init P((char *, int));
++void auth_init P((const char *, int));
+ int auth_cmd P((int, char **));
+ void auth_request P((void));
+ void auth_send P((unsigned char *, int));
+@@ -123,7 +123,9 @@
+ int auth_ssl_status P((Authenticator *, char *, int));
+ void auth_ssl_printsub P((unsigned char *, int, unsigned char *, int));
+ #endif /* USE_SSL */
+-
++
++extern void printsub P((char, unsigned char *, int));
++extern int writenet P((char *, int));
+ #endif
+ #ifdef __cplusplus
+ }
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile 2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile 2010-05-11 13:45:28.073664102 +0200
+@@ -15,5 +15,8 @@
+ ranlib lib${LIB}.a; \
+ fi;
+
++install:
++ @echo "nothing to be installed from libtelnet"
++
+ clean:
+ rm -f *.o lib${LIB}.a
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c 2010-05-11 13:44:40.190322666 +0200
+@@ -32,6 +32,9 @@
+ */
+
+ #ifndef lint
++#ifdef __GNUC__
++__attribute__ ((unused))
++#endif /* __GNUC__ */
+ static char sccsid[] = "@(#)misc.c 5.1 (Berkeley) 2/28/91";
+ #endif /* not lint */
+
+@@ -54,7 +57,12 @@
+ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
++#include <stdio.h>
++#include <stdlib.h>
++
+ #include "misc.h"
++#include "auth.h"
++#include "auth-proto.h"
+
+ char *RemoteHostName;
+ char *LocalHostName;
+@@ -65,7 +73,7 @@
+ auth_encrypt_init(local, remote, name, server)
+ char *local;
+ char *remote;
+- char *name;
++ const char *name;
+ int server;
+ {
+ RemoteHostName = remote;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h 2010-05-11 13:44:40.190322666 +0200
+@@ -68,7 +68,7 @@
+ extern "C" {
+ #endif
+
+-void auth_encrypt_init P((char *, char *, char *, int));
++void auth_encrypt_init P((char *, char *, const char *, int));
+ void auth_encrypt_connect P((int));
+ void auth_encrypt_user P((const char *name));
+ void printd P((unsigned char *, int));
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h 2010-05-11 13:44:40.200330208 +0200
+@@ -45,6 +45,7 @@
+ #include "x509.h"
+ #include "ssl.h"
+ #define OLDPROTO NOPROTO
++#undef NOPROTO
+ #define NOPROTO
+ #include "err.h"
+ #undef NOPROTO
+@@ -72,7 +73,7 @@
+ /* we hide all the initialisation code in a separate file now */
+ extern int do_ssleay_init(int server);
+
+-extern int display_connect_details(SSL *ssl_con, int verbose);
++extern void display_connect_details(SSL *ssl_con, int verbose);
+ extern int server_verify_callback();
+ extern int client_verify_callback();
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c 2010-05-11 13:44:40.200330208 +0200
+@@ -47,6 +47,9 @@
+ #include <string.h>
+ #endif
+
++#include <unistd.h>
++#include <openssl/err.h>
++
+ #include "auth.h"
+ #include "misc.h"
+
+@@ -91,11 +94,12 @@
+ #define VERIFY_ROOT_OK VERIFY_OK
+ #endif
+
++extern int netflush(void);
++
+ extern int auth_debug_mode;
+-static auth_ssl_valid = 0;
++static int auth_ssl_valid = 0;
+ static char *auth_ssl_name = 0; /* this holds the oneline name */
+
+-extern BIO *bio_err;
+ extern int ssl_only_flag;
+ extern int ssl_debug_flag;
+ extern int ssl_active_flag;
+@@ -120,6 +124,9 @@
+
+ BIO *bio_err=NULL;
+
++int auth_failed=0;
++
++
+ /* compile this set to 1 to negotiate SSL but not actually start it */
+ static int ssl_dummy_flag=0;
+
+@@ -135,7 +142,7 @@
+ * telnet connect if we are talking straight ssl with no telnet
+ * protocol --tjh
+ */
+-int
++void
+ display_connect_details(ssl_con,verbose)
+ SSL *ssl_con;
+ int verbose;
+@@ -152,7 +159,7 @@
+ /* grab the full list of ciphers */
+ i=0;
+ buf[0]='\0';
+- while((p=SSL_get_cipher_list(ssl_con,i++))!=NULL) {
++ while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) {
+ if (i>0)
+ strcat(buf,":");
+ strcat(buf,p);
+@@ -230,7 +237,7 @@
+ *p++ = SE;
+ if (str_data[3] == TELQUAL_IS)
+ printsub('>', &str_data[2], p - (&str_data[2]));
+- return(writenet(str_data, p - str_data));
++ return(writenet((char *) str_data, p - str_data));
+ }
+
+ int auth_ssl_init(ap, server)
+@@ -280,7 +287,7 @@
+ unsigned char *data;
+ int cnt;
+ {
+- int valid;
++ /* int valid; */
+
+ if (cnt-- < 1)
+ return;
+@@ -364,7 +371,7 @@
+ unsigned char *data;
+ int cnt;
+ {
+- int i;
++ /* int i; */
+ int status;
+
+ if (cnt-- < 1)
+@@ -389,16 +396,13 @@
+ SSL_set_verify(ssl_con,ssl_verify_flag,
+ client_verify_callback);
+ if ((status = SSL_connect(ssl_con)) <= 0) {
+- fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status);
+- fflush(stderr);
+-
+- perror("telnet: Unable to ssl_connect to remote host");
++ auth_finished(0,AUTH_REJECT);
+
++ fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status);
++ fprintf(stderr,"telnet: Unable to ssl_connect to remote host\n");
+ ERR_print_errors(bio_err);
+-
+- /* don't know what I "should" be doing here ... */
+-
+- auth_finished(0,AUTH_REJECT);
++ fflush(stderr);
++ auth_failed=1;
+ return;
+ } else {
+
+@@ -452,7 +456,7 @@
+ */
+ if (ssl_certsok_flag) {
+ user_fp = fopen("/etc/ssl.users", "r");
+- if (!auth_ssl_name || !user_fp) {
++ if (!auth_ssl_name || !user_fp || !UserNameRequested) {
+ /* If we haven't received a certificate, then don't
+ * return AUTH_VALID.
+ */
+@@ -486,7 +490,7 @@
+ cp = strchr(n, ',');
+ if (cp)
+ *cp++ = '\0';
+- if (!UserNameRequested ||
++ if (UserNameRequested &&
+ !strcmp(UserNameRequested, n)) {
+ strcpy(name, n);
+ fclose(user_fp);
+@@ -543,7 +547,7 @@
+ default:
+ sprintf(lbuf, " %d (unknown)", data[3]);
+ strncpy((char *)buf, lbuf, buflen);
+- common2:
++/* common2: */
+ BUMP(buf, buflen);
+ for (i = 4; i < cnt; i++) {
+ sprintf(lbuf, " %d", data[i]);
+@@ -568,7 +572,7 @@
+ #endif /* SSLEAY8 */
+ {
+ static char *saved_subject=NULL;
+- X509 *peer;
++ /* X509 *peer; */
+ char *subject, *issuer;
+ #ifdef SSLEAY8
+ int depth,error;
+@@ -715,8 +719,8 @@
+ int depth, error;
+ #endif /* SSLEAY8 */
+ {
+- X509 *peer;
+- char *subject, *issuer;
++ /* X509 *peer; */
++ char *subject, *issuer, *cnsubj;
+ #ifdef SSLEAY8
+ int depth,error;
+ char *xs;
+@@ -727,13 +731,13 @@
+
+ #endif /* SSLEAY8 */
+
+-#ifdef LOCAL_DEBUG
+- fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n",
+- depth,ok,error,X509_cert_verify_error_string(error));
+- fflush(stderr);
+-#endif /* LOCAL_DEBUG */
++ if(ssl_debug_flag && !ok) {
++ fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n",
++ depth,ok,error,X509_verify_cert_error_string(error));
++ fflush(stderr);
++ }
+
+- subject=issuer=NULL;
++ subject=issuer=cnsubj=NULL;
+
+ /* first thing is to have a meaningful name for the current
+ * certificate that is being verified ... and if we cannot
+@@ -761,60 +765,77 @@
+ fflush(stderr);
+ }
+
+- /* if the server is using a self signed certificate then
+- * we need to decide if that is good enough for us to
+- * accept ...
+- */
+- if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
+- if (ssl_cert_required) {
+- /* make 100% sure that in secure more we drop the
+- * connection if the server does not have a
+- * real certificate!
+- */
+- fprintf(stderr,"SSL: rejecting connection - server has a self-signed certificate\n");
+- fflush(stderr);
+-
+- /* sometimes it is really handy to be able to debug things
+- * and still get a connection!
+- */
+- if (ssl_debug_flag) {
+- fprintf(stderr,"SSL: debug -> ignoring cert required!\n");
+- fflush(stderr);
+- ok=1;
+- } else {
+- ok=0;
+- }
+- goto return_time;
+- } else {
+- ok=1;
+- goto return_time;
+- }
++ /* verify commonName matches hostname */
++ if(ssl_cert_required && depth == 0) {
++ char *cn,*p;
++
++ cnsubj=strdup(subject);
++ if(cnsubj == NULL) {
++ fprintf(stderr,"SSL: Out of memory.\n");
++ ok=0;
++ goto return_time;
++ }
++ cn=strstr(cnsubj,"/CN=");
++ if(cn == NULL) {
++ fprintf(stderr,"SSL: Cannot extract CN from certificate subject.\n");
++ ok=0;
++ goto return_time;
++ }
++ cn+=4; /* skip /CN= */
++ p=strchr(cn,'/');
++ if(p != NULL) {
++ *p='\0';
++ }
++ if(strcasecmp(cn,RemoteHostName) != 0) {
++ fprintf(stderr,"SSL: Certificate CN (%s) does not match hostname (%s)\n",
++ cn,RemoteHostName);
++ ok=0;
++ goto return_time;
++ }
+ }
+
+- /* if we have any form of error in secure mode we reject the connection */
+- if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) {
+- if (ssl_cert_required) {
+- fprintf(stderr,"SSL: rejecting connection - ");
+- if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
+- fprintf(stderr,"unknown issuer: %s\n",issuer);
+- } else {
+- ERR_print_errors(bio_err);
+- }
+- fflush(stderr);
+- ok=0;
+- goto return_time;
+- } else {
+- /* be nice and display a lot more meaningful stuff
+- * so that we know which issuer is unknown no matter
+- * what the callers options are ...
+- */
+- if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
+- fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
+- fflush(stderr);
+- }
+- }
++ if((error==VERIFY_OK) || (error==VERIFY_ROOT_OK)) {
++ goto return_time;
+ }
+
++ switch(error) {
++ case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
++ fprintf(stderr,"SSL: Server has a self-signed certificate\n");
++ case VERIFY_ERR_UNABLE_TO_GET_ISSUER:
++ fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
++ break;
++ case X509_V_ERR_CERT_NOT_YET_VALID:
++ fprintf(stderr,"SSL: Certificate not yet valid\n");
++ BIO_printf(bio_err,"notBefore=");
++ ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
++ BIO_printf(bio_err,"\n");
++ break;
++ case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
++ fprintf(stderr,"SSL: Error in certificate notBefore field\n");
++ BIO_printf(bio_err,"notBefore=");
++ ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
++ BIO_printf(bio_err,"\n");
++ break;
++ case X509_V_ERR_CERT_HAS_EXPIRED:
++ fprintf(stderr,"SSL: Certificate has expired\n");
++ BIO_printf(bio_err,"notAfter=");
++ ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
++ BIO_printf(bio_err,"\n");
++ break;
++ case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
++ fprintf(stderr,"SSL: Error in certificate notAfter field\n");
++ BIO_printf(bio_err,"notAfter=");
++ ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
++ BIO_printf(bio_err,"\n");
++ break;
++ default:
++ fprintf(stderr,"SSL: %s (%d)\n", X509_verify_cert_error_string(error),error);
++ break;
++ }
++
++ /* If we are here there was an error */
++ ok=0;
++
+ return_time: ;
+
+ /* clean up things */
+@@ -822,7 +843,20 @@
+ free(subject);
+ if (issuer!=NULL)
+ free(issuer);
+-
++ if (cnsubj!=NULL)
++ free(cnsubj);
++ if(!ok && ssl_cert_required) {
++ if(ssl_debug_flag) {
++ fprintf(stderr,"SSL: debug -> ignoring cert required!\n");
++ ok=1;
++ }
++ else {
++ fprintf(stderr,"SSL: Rejecting connection\n");
++ ok=0;
++ }
++ }
++ fflush(stderr);
++
+ return ok;
+ }
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/Makefile 2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/Makefile 2010-05-11 14:19:36.673445641 +0200
+@@ -1,7 +1,7 @@
+ # You can do "make SUB=blah" to make only a few, or edit here, or both
+ # You can also run make directly in the subdirs you want.
+
+-SUB = telnet telnetd telnetlogin
++SUB = libtelnet telnet telnetd
+
+ %.build:
+ (cd $(patsubst %.build, %, $@) && $(MAKE))
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc 2000-07-23 05:24:53.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc 2010-05-11 13:44:40.056990450 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91
+ */
+ char au_rcsid[] =
+- "$Id: authenc.cc,v 1.6 2000/07/23 03:24:53 dholland Exp $";
++ "$Id: authenc.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #if defined(ENCRYPT) || defined(AUTHENTICATE)
+ #include <sys/types.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc 2010-05-11 13:44:40.060322107 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91
+ */
+ char cmd_rcsid[] =
+- "$Id: commands.cc,v 1.34 2000/07/23 04:16:24 dholland Exp $";
++ "$Id: commands.cc,v 1.13 2007-10-04 21:38:18 ianb Exp $";
+
+ #include <string.h>
+
+@@ -653,6 +653,21 @@
+ return 1;
+ }
+
++#ifdef AUTHENTICATE
++
++static int tog_autologin(int) {
++ if(autologin == 0) {
++ autologin=1;
++ env_export("USER");
++ }
++ else {
++ autologin=0;
++ env_unexport("USER");
++ }
++ return 1;
++}
++
++#endif /* AUTHENTICATE */
+
+ static int netdata; /* Print out network data flow */
+ static int prettydump; /* Print "netdata" output in user readable format */
+@@ -682,13 +697,13 @@
+
+ #if defined(AUTHENTICATE)
+ { "autologin", "automatic sending of login and/or authentication info",
+- NULL, &autologin,
++ tog_autologin, NULL,
+ "send login name and/or authentication information" },
+ { "authdebug", "Toggle authentication debugging",
+ auth_togdebug, NULL,
+ "print authentication debugging information" },
+ #endif
+-#if 0
++#ifdef ENCRYPT
+ { "autoencrypt", "automatic encryption of data stream",
+ EncryptAutoEnc, NULL,
+ "automatically encrypt output" },
+@@ -701,7 +716,7 @@
+ { "encdebug", "Toggle encryption debugging",
+ EncryptDebug, NULL,
+ "print encryption debugging information" },
+-#endif
++#endif /* ENCRYPT */
+
+ { "skiprc", "don't read the telnetrc files",
+ NULL, &skiprc,
+@@ -750,7 +765,7 @@
+ NULL, &showoptions,
+ "show option processing" },
+
+- { "termdata", "(debugging) toggle printing of hexadecimal terminal data",
++ { "termdata", "toggle printing of hexadecimal terminal data (debugging)",
+ NULL, &termdata,
+ "print hexadecimal representation of terminal traffic" },
+
+@@ -1357,9 +1372,9 @@
+ else
+ shellname++;
+ if (argc > 1)
+- execl(shellp, shellname, "-c", &saveline[1], 0);
++ execl(shellp, shellname, "-c", &saveline[1], (char *) NULL);
+ else
+- execl(shellp, shellname, 0);
++ execl(shellp, shellname, (char *) NULL);
+ perror("Execl");
+ _exit(1);
+ }
+@@ -1510,10 +1525,10 @@
+
+ #if defined(AUTHENTICATE)
+ struct authlist {
+- char *name;
+- char *help;
+- int (*handler)(const char *, const char *);
+- int narg;
++ const char *name;
++ const char *help;
++ int (*handler)(const char *, const char *);
++ int narg;
+ };
+
+ static int auth_help (const char *, const char *);
+@@ -1833,8 +1848,22 @@
+ if (*portp == '-') {
+ portp++;
+ telnetport = 1;
+- } else
++ } else {
+ telnetport = 0;
++ if (*portp >='0' && *portp<='9') {
++ char *end;
++ long int p;
++
++ p=strtol(portp, &end, 10);
++ if (ERANGE==errno && (LONG_MIN==p || LONG_MAX==p)) {
++ fprintf(stderr, "telnet: port %s overflows\n", portp);
++ return 0;
++ } else if (p<=0 || p>=65536) {
++ fprintf(stderr, "telnet: port %s out of range\n", portp);
++ return 0;
++ }
++ }
++ }
+ }
+ else {
+ portp = "telnet";
+@@ -1860,7 +1889,7 @@
+ if (res < 0)
+ return 0;
+ }
+-
++
+ /* Resolve both the host and service simultaneously. */
+ res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr);
+ if (res == EAI_NONAME) {
+@@ -1902,6 +1931,16 @@
+ NI_NUMERICHOST | NI_NUMERICSERV);
+
+ printf("Trying %s...\n", name);
++
++ if (tmpaddr->ai_canonname == 0) {
++ hostname = new char[strlen(hostp)+1];
++ strcpy(hostname, hostp);
++ }
++ else {
++ hostname = new char[strlen(tmpaddr->ai_canonname)+1];
++ strcpy(hostname, tmpaddr->ai_canonname);
++ }
++
+ x = nlink.connect(debug, tmpaddr, srp, srlen, tos);
+ if (!x)
+ goto err;
+@@ -1909,18 +1948,18 @@
+ goto nextaddr;
+
+ connected++;
++
++#ifdef USE_SSL
++ if (ssl_secure_flag || (strcmp(hostp, "localhost") != 0)) {
++ /* autologin = 1; */
++ use_authentication=1;
++ }
++#endif /* USE_SSL */
++
+ #if defined(AUTHENTICATE)
+ auth_encrypt_connect(connected);
+ #endif
+ } while (connected == 0);
+- if (tmpaddr->ai_canonname == 0) {
+- hostname = new char[strlen(hostp)+1];
+- strcpy(hostname, hostp);
+- }
+- else {
+- hostname = new char[strlen(tmpaddr->ai_canonname)+1];
+- strcpy(hostname, tmpaddr->ai_canonname);
+- }
+
+ cmdrc(hostp, hostname, portp);
+ freeaddrinfo(hostaddr);
+@@ -1966,6 +2005,9 @@
+ #if defined(AUTHENTICATE)
+ authhelp[] = "turn on (off) authentication ('auth ?' for more)",
+ #endif
++#if defined(USE_SSL)
++ startsslhelp[] = "switch to telnet-over-ssl (use 'auth' for ssl-over-telnet)",
++#endif
+ zhelp[] = "suspend telnet",
+ /* shellhelp[] = "invoke a subshell", */
+ envhelp[] = "change environment variables ('environ ?' for more)",
+@@ -1981,6 +2023,34 @@
+ return 0;
+ }
+
++#if defined(USE_SSL)
++static int startssl_cmd(void)
++{
++ if(ssl_con == NULL)
++ {
++ fprintf(stderr,"telnet: Internal error - ssl_con not initialised.\n");
++ return 1;
++ }
++
++ if(ssl_active_flag)
++ {
++ fprintf(stderr,"telnet: SSL already in use.\n");
++ return 1;
++ }
++
++ if (SSL_connect(ssl_con) < 1)
++ {
++ ERR_print_errors_fp(stderr);
++ fflush(stderr);
++ } else {
++ display_connect_details(ssl_con,ssl_debug_flag);
++ ssl_active_flag=1;
++ ssl_only_flag=1;
++ }
++ return 1;
++}
++#endif /* USE_SSL */
++
+ static int slc_mode_import_0(void) {
+ slc_mode_import(0);
+ return 1;
+@@ -2028,6 +2098,10 @@
+ #endif
+ // BIND("encrypt", encrypthelp, encrypt_cmd);
+
++#if defined(USE_SSL)
++ BIND("startssl", startsslhelp, startssl_cmd);
++#endif
++
+ BIND("z", zhelp, suspend);
+
+ #if defined(TN3270) /* why?! */
+@@ -2233,22 +2307,18 @@
+ }
+
+ void cmdrc(const char *m1, const char *m2, const char *port) {
+- static char *rcname = 0;
+- static char rcbuf[128];
++ char *rcname = NULL;
+
+ if (skiprc) return;
+
+ readrc(m1, m2, port, "/etc/telnetrc");
+- if (rcname == 0) {
+- rcname = getenv("HOME");
+- if (rcname)
+- strcpy(rcbuf, rcname);
+- else
+- rcbuf[0] = '\0';
+- strcat(rcbuf, "/.telnetrc");
+- rcname = rcbuf;
+- }
++ if (asprintf (&rcname, "%s/.telnetrc", getenv ("HOME")) == -1)
++ {
++ perror ("asprintf");
++ return;
++ }
+ readrc(m1, m2, port, rcname);
++ free (rcname);
+ }
+
+ #if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h 2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)defines.h 5.1 (Berkeley) 9/14/90
+- * $Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $
++ * $Id: defines.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ #define ENV_VAR NEW_ENV_VAR
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h 2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)externs.h 5.3 (Berkeley) 3/22/91
+- * $Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $
++ * $Id: externs.h,v 1.2 2004-11-17 15:28:51 ianb Exp $
+ */
+
+ #ifndef BSD
+@@ -57,6 +57,7 @@
+ #define SUBBUFSIZE 256
+
+ extern int autologin; /* Autologin enabled */
++extern int use_authentication; /* use SSL authentication */
+ extern int skiprc; /* Don't process the ~/.telnetrc file */
+ extern int eight; /* use eight bit mode (binary in and/or out) */
+ extern int binary; /* use binary option (in and/or out) */
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h 1996-07-16 07:17:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h 2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)fdset.h 5.1 (Berkeley) 9/14/90
+- * $Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
++ * $Id: fdset.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/general.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/general.h 1996-07-16 07:17:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h 2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)general.h 5.2 (Berkeley) 3/1/91
+- * $Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
++ * $Id: general.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc 1996-07-26 11:54:09.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc 2010-05-11 13:44:40.063654881 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)genget.c 5.1 (Berkeley) 2/28/91
+ */
+ char gg_rcsid[] =
+- "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $";
++ "$Id: genget.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <string.h>
+ #include <ctype.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc 2010-05-11 13:44:40.083654043 +0200
+@@ -11,8 +11,9 @@
+ printsub_h(direction, pointer, length);
+ }
+
+-extern "C" void writenet(const char *str, int len) {
++extern "C" int writenet(const char *str, int len) {
+ netoring.write(str, len);
++ return 1;
+ }
+
+ extern "C" int telnet_spin() {
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc 2010-05-11 13:44:40.066988214 +0200
+@@ -39,7 +39,7 @@
+ * From: @(#)main.c 5.4 (Berkeley) 3/22/91
+ */
+ char main_rcsid[] =
+- "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $";
++ "$Id: main.cc,v 1.6 2004-11-22 20:26:37 ianb Exp $";
+
+ #include "../version.h"
+
+@@ -86,16 +86,27 @@
+ * -X <atype> disable specified auth type
+ */
+ void usage(void) {
+- fprintf(stderr, "Usage: %s %s%s%s%s\n",
++ fprintf(stderr, "Usage: %s %s%s%s%s%s\n",
+ prompt,
++#ifdef AUTHENTICATE
++ "[-4] [-6] [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char]",
++ "\n\t[-l user] [-n tracefile] [ -b addr ]",
++#else
+ "[-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]",
+ "\n\t[-n tracefile] [ -b addr ]",
++#endif
+ #ifdef TN3270
+ "\n\t"
+ "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t",
+ #else
+ " [-r] ",
+ #endif
++#ifdef USE_SSL
++ /* might as well output something useful here ... */
++ "\n\t[-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t[-z cert=file] [-z key=file]\n\t",
++#else /* !USE_SSL */
++ "",
++#endif /* USE_SSL */
+ "[host-name [port]]"
+ );
+ exit(1);
+@@ -135,8 +146,73 @@
+ autologin = -1;
+
+ while ((ch = getopt(argc, argv,
+- "4678EKLS:X:ab:de:k:l:n:rt:x")) != EOF) {
++ "4678EKLS:X:ab:de:k:l:n:rt:xz:")) != EOF) {
+ switch(ch) {
++#ifdef USE_SSL
++ case 'z':
++ {
++ char *origopt;
++
++ origopt=strdup(optarg);
++ optarg=strtok(origopt,",");
++
++ while(optarg!=NULL) {
++
++ if (strcmp(optarg, "debug") == 0 ) {
++ ssl_debug_flag=1;
++ } else if (strcmp(optarg, "authdebug") == 0 ) {
++ auth_debug_mode=1;
++ } else if (strcmp(optarg, "ssl") == 0 ) {
++ ssl_only_flag=1;
++ } else if ( (strcmp(optarg, "!ssl") == 0) ||
++ (strcmp(optarg, "nossl") == 0) ) {
++ /* we may want to switch SSL negotiation off
++ * for testing or other reasons
++ */
++ ssl_disabled_flag=1;
++ } else if (strcmp(optarg, "certrequired") == 0 ) {
++ ssl_cert_required=1;
++ } else if (strcmp(optarg, "secure") == 0 ) {
++ ssl_secure_flag=1;
++ } else if (strcmp(optarg, "verbose") == 0 ) {
++ ssl_verbose_flag=1;
++ } else if (strncmp(optarg, "verify=",
++ strlen("verify=")) == 0 ) {
++ ssl_verify_flag=atoi(optarg+strlen("verify="));
++ } else if (strncmp(optarg, "cert=",
++ strlen("cert=")) == 0 ) {
++ ssl_cert_file= optarg + strlen("cert=");
++ } else if (strncmp(optarg, "key=",
++ strlen("key=")) == 0 ) {
++ ssl_key_file= optarg + strlen("key=");
++ } else if (strncmp(optarg,"cipher=",
++ strlen("cipher="))==0) {
++ ssl_cipher_list=optarg+strlen("cipher=");
++ } else {
++ /* report when we are given rubbish so that
++ * if the user makes a mistake they have to
++ * correct it!
++ */
++ fprintf(stderr,"Unknown SSL option %s\n",optarg);
++ fflush(stderr);
++ exit(1);
++ }
++
++ /* get the next one ... */
++ optarg=strtok(NULL,",");
++
++ }
++
++ /*
++ if (origopt!=NULL)
++ free(origopt);
++ */
++
++ }
++
++ break;
++#endif /* USE_SSL */
++
+ case '4':
+ family = AF_INET;
+ break;
+@@ -257,14 +333,25 @@
+ autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+
+ #ifdef USE_SSL
++ if((ssl_cert_file != NULL) || (ssl_key_file != NULL)) {
++ autologin = 1;
++ }
++
+ if (ssl_secure_flag||ssl_cert_required) {
+ /* in secure mode we *must* switch on the base level
+ * verify checking otherwise we cannot abort connections
+ * at the right place!
+ */
+ if (ssl_verify_flag == 0)
+- ssl_verify_flag = 1;
++ ssl_verify_flag = SSL_VERIFY_PEER;;
+ }
++
++ /* client mode ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
++ so simulate it using certrequired */
++ if(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
++ ssl_cert_required=1;
++ }
++
+ #endif /* USE_SSL */
+
+ argc -= optind;
+@@ -289,11 +376,6 @@
+ *argp++ = family == AF_INET ? "-4" : "-6";
+ }
+ *argp++ = argv[0]; /* host */
+-#ifdef USE_SSL
+- if (strcmp(argv[0], "localhost") != 0) {
+- autologin = 1;
+- }
+-#endif /* USE_SSL */
+ if (argc > 1)
+ *argp++ = argv[1]; /* port */
+ *argp = 0;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile 2010-05-11 13:44:40.056990450 +0200
+@@ -6,15 +6,18 @@
+ #CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS))
+
+ # -DAUTHENTICATE
+-CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE
+-LIBS = $(LIBTERMCAP)
++CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -DAUTHENTICATE -DUSE_SSL \
++ -I/usr/include/openssl -I../
++LIBTELNET = ../libtelnet/libtelnet.a
++LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto
+
+ SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \
+- terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc
++ terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc \
++ glue.cc glue2.cc
+
+ OBJS = $(patsubst %.cc, %.o, $(SRCS))
+
+-telnet: $(OBJS)
++telnet: $(OBJS) $(LIBTELNET)
+ $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@
+
+ include depend.mk
+@@ -22,7 +25,7 @@
+ $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk
+
+ install: telnet
+- install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl
++ install -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl
+ install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1/telnet-ssl.1
+
+ clean:
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc 2010-05-11 13:44:40.066988214 +0200
+@@ -12,12 +12,27 @@
+ #include "proto.h"
+ #include "ring.h"
+ #include <libtelnet/sslapp.h>
++#include <libtelnet/misc-proto.h>
+
+ /* In Linux, this is an enum */
+ #if defined(__linux__) || defined(IPPROTO_IP)
+ #define HAS_IPPROTO_IP
+ #endif
+
++/* code from Peter 'Luna' Runestig <peter@runestig.com> */
++static int select_read(int rfd)
++/* timeout = 20 seconds */
++{
++ fd_set rfds;
++ struct timeval tv;
++
++ FD_ZERO(&rfds);
++ FD_SET(rfd, &rfds);
++ tv.tv_sec = 20;
++ tv.tv_usec = 0;
++ return select(rfd + 1, &rfds, NULL, NULL, &tv);
++}
++
+ netlink nlink;
+
+ class netchannel : public ringbuf::source {
+@@ -26,12 +41,23 @@
+ int net = nlink.getfd();
+ int l;
+ #ifdef USE_SSL
+- if (ssl_active_flag)
+- l = SSL_read(ssl_con, buf, maxlen);
+- else
++ if (ssl_active_flag) {
++ do {
++ l = SSL_read(ssl_con, buf, maxlen);
++ /*
++ * SSL_ERROR_WANT_READ may occur if an SSL/TLS rehandshake occurs.
++ * This means that data was available at the socket, but all was
++ * consumed by SSL itself, so we select (w/20s timeout) and retry.
++ */
++ } while (l<0 &&
++ (SSL_ERROR_WANT_READ == SSL_get_error(ssl_con, l)) &&
++ (select_read(net) > 0));
++ } else
+ #endif /* USE_SSL */
+- l = recv(net, buf, maxlen, 0);
+- if (l<0 && errno == EWOULDBLOCK) l = 0;
++ {
++ l = recv(net, buf, maxlen, 0);
++ if (l<0 && errno == EWOULDBLOCK) l = 0;
++ }
+ return l;
+ }
+ };
+@@ -70,11 +96,11 @@
+
+
+ netlink::netlink() { net = -1; }
+-netlink::~netlink() { ::close(net); }
++netlink::~netlink() { if (net >= 0) ::close(net); }
+
+
+ int netlink::setdebug(int debug) {
+- if (net > 0 &&
++ if (net >= 0 &&
+ (setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) {
+ perror("setsockopt (SO_DEBUG)");
+ }
+@@ -95,7 +121,8 @@
+ ssl_active_flag=0;
+ }
+ #endif /* USE_SSL */
+- ::close(net);
++ if (net >= 0)
++ ::close(net);
+ net = -1;
+ }
+
+@@ -142,7 +169,8 @@
+ {
+ int on=1;
+ int res;
+-
++ extern char *hostname;
++
+ res = socket(addr->ai_family);
+ if (res < 2)
+ return res;
+@@ -192,10 +220,24 @@
+ /* bind in the network descriptor */
+ SSL_set_fd(ssl_con,net);
+
++#if defined(AUTHENTICATE)
++ /* moved from telnet() so client_verify_callback knows RemoteHostName -ianb */
++ {
++ static char local_host[256] = { 0 };
++ int len = sizeof(local_host);
++
++ if (!local_host[0]) {
++ gethostname(local_host, len); /* WAS &len!!! */
++ local_host[sizeof(local_host)-1] = 0;
++ }
++ auth_encrypt_init(local_host, hostname, "TELNET", 0);
++ }
++#endif
++
+ /* if we are doing raw SSL then start it now ... */
+ if (ssl_only_flag) {
+ if (!SSL_connect(ssl_con)) {
+- static char errbuf[1024];
++ /* static char errbuf[1024]; */
+
+ ERR_print_errors_fp(stderr);
+ perror("SSL_connect");
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc 2010-05-11 13:44:40.066988214 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)network.c 5.2 (Berkeley) 3/1/91
+ */
+ char net_rcsid[] =
+- "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $";
++ "$Id: network.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <sys/types.h>
+ #include <sys/socket.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h 2010-05-11 13:44:40.070321269 +0200
+@@ -10,9 +10,11 @@
+ int TerminalSpecialChars(int);
+ void TerminalSpeeds(long *ispeed, long *ospeed);
+ int TerminalWindowSize(long *rows, long *cols);
++#if 0
+ void auth_encrypt_user(char *);
+ void auth_name(unsigned char *, int);
+ void auth_printsub(unsigned char *, int, unsigned char *, int);
++#endif
+ void cmdrc(const char *, const char *, const char *);
+ void env_init(void);
+ int getconnmode(void);
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc 2010-05-11 13:44:40.070321269 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)ring.c 5.2 (Berkeley) 3/1/91
+ */
+ char ring_rcsid[] =
+- "$Id: ring.cc,v 1.23 2000/07/23 03:25:09 dholland Exp $";
++ "$Id: ring.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ /*
+ * This defines a structure for a ring buffer.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h 2010-05-11 13:44:40.070321269 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)ring.h 5.2 (Berkeley) 3/1/91
+- * $Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $
++ * $Id: ring.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ class datasink {
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc 2010-05-11 13:44:40.070321269 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)sys_bsd.c 5.2 (Berkeley) 3/1/91
+ */
+ char bsd_rcsid[] =
+- "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $";
++ "$Id: sys_bsd.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ /*
+ * The following routines try to encapsulate what is system dependent
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1 2010-05-11 13:44:40.073654603 +0200
+@@ -30,7 +30,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\" from: @(#)telnet.1 6.16 (Berkeley) 7/27/91
+-.\" $Id: telnet.1,v 1.15 2000/07/30 23:57:08 dholland Exp $
++.\" $Id: telnet.1,v 1.5 2006-09-24 00:48:31 ianb Exp $
+ .\"
+ .Dd August 15, 1999
+ .Dt TELNET 1
+@@ -42,12 +42,14 @@
+ protocol
+ .Sh SYNOPSIS
+ .Nm telnet
+-.Op Fl 468ELadr
++.Op Fl 468EKLadr
+ .Op Fl S Ar tos
++.Op Fl X Ar authtype
+ .Op Fl b Ar address
+ .Op Fl e Ar escapechar
+ .Op Fl l Ar user
+ .Op Fl n Ar tracefile
++.Op Fl z Ar option
+ .Oo
+ .Ar host
+ .Op Ar port
+@@ -152,44 +154,47 @@
+ command below.
+ .It Fl z Ar option
+ Set SSL (Secure Socket Layer) parameters. The default is to negotiate
+-via telnet protocoll if SSL is availlable at server side and then to
++via telnet protocol if SSL is available at server side and then to
+ switch it on. In this mode you can connect to both conventional and
+-SSL enhanced telnetd's.
++SSL enhanced telnetd's. If the connection is made to localhost and
++.Ic -z secure
++is not set, then
++SSL is not enabled.
+ .Pp
+ The SSL parameters are:
+ .Bl -tag -width Fl
+-.It Ic Ar debug
++.It Ic debug
+ Send SSL related debugging information to stderr.
+-.It Ic Ar authdebug
++.It Ic authdebug
+ Enable authentication debugging.
+-.It Ic Ar ssl
++.It Ic ssl
+ Negotiate SSL at first, then use telnet protocol. In this mode you can
+ connect to any server supporting directly SSL like Apache-SSL. Use
+ .Ic telnet -z ssl ssl3.netscape.com https
+ for example. telnet protocol negotiation goes encrypted.
+-.It Ic Ar nossl, Ar !ssl
+-switch of SSL negotiation
+-.It Ic Ar certrequired
+-client certificate is mandatory
+-.It Ic Ar secure
++.It Ic nossl, Ic !ssl
++switch off SSL negotiation
++.It Ic certrequired
++server certificate is mandatory
++.It Ic secure
+ Don't switch back to unencrypted mode (no SSL) if SSL is not available.
+-.It Ic Ar verbose
++.It Ic verbose
+ Be verbose about certificates etc.
+-.It Ic Ar verify=int
++.It Ic verify= Ns Ar int
+ .\" TODO
+ Set the SSL verify flags (SSL_VERIFY_* in
+ .Ar ssl/ssl.h
+ ).
+ .\" TODO
+-.It Ic Ar cert=cert_file
++.It Ic cert= Ns Ar cert_file
+ .\" TODO
+ Use the certificate(s) in
+ .Ar cert_file .
+-.It Ic Ar key=key_file
++.It Ic key= Ns Ar key_file
+ .\" TODO
+ Use the key(s) in
+ .Ar key_file .
+-.It Ic Ar cipher=ciph_list
++.It Ic cipher= Ns Ar ciph_list
+ .\" TODO
+ Set the preferred ciphers to
+ .Ar ciph_list .
+@@ -319,10 +324,6 @@
+ List the current status of the various types of
+ authentication.
+ .El
+-.Pp
+-Note that the current version of
+-.Nm telnet
+-does not support authentication.
+ .It Ic close
+ Close the connection to the remote host, if any, and return to command
+ mode.
+@@ -332,49 +333,49 @@
+ and
+ .Ic toggle
+ values (see below).
+-.It Ic encrypt Ar argument ...
+-The encrypt command controls the
+-.Dv TELNET ENCRYPT
+-protocol option. If
+-.Nm telnet
+-was compiled without encryption, the
+-.Ic encrypt
+-command will not be supported.
+-.Pp
+-Valid arguments are as follows:
+-.Bl -tag -width Ar
+-.It Ic disable Ar type Ic [input|output]
+-Disable the specified type of encryption. If you do not specify input
+-or output, encryption of both is disabled. To obtain a list of
+-available types, use ``encrypt disable \&?''.
+-.It Ic enable Ar type Ic [input|output]
+-Enable the specified type of encryption. If you do not specify input
+-or output, encryption of both is enabled. To obtain a list of
+-available types, use ``encrypt enable \&?''.
+-.It Ic input
+-This is the same as ``encrypt start input''.
+-.It Ic -input
+-This is the same as ``encrypt stop input''.
+-.It Ic output
+-This is the same as ``encrypt start output''.
+-.It Ic -output
+-This is the same as ``encrypt stop output''.
+-.It Ic start Ic [input|output]
+-Attempt to begin encrypting. If you do not specify input or output,
+-encryption of both input and output is started.
+-.It Ic status
+-Display the current status of the encryption module.
+-.It Ic stop Ic [input|output]
+-Stop encrypting. If you do not specify input or output, encryption of
+-both is stopped.
+-.It Ic type Ar type
+-Sets the default type of encryption to be used with later ``encrypt start''
+-or ``encrypt stop'' commands.
+-.El
+-.Pp
+-Note that the current version of
+-.Nm telnet
+-does not support encryption.
++.\" .It Ic encrypt Ar argument ...
++.\" The encrypt command controls the
++.\" .Dv TELNET ENCRYPT
++.\" protocol option. If
++.\" .Nm telnet
++.\" was compiled without encryption, the
++.\" .Ic encrypt
++.\" command will not be supported.
++.\" .Pp
++.\" Valid arguments are as follows:
++.\" .Bl -tag -width Ar
++.\" .It Ic disable Ar type Ic [input|output]
++.\" Disable the specified type of encryption. If you do not specify input
++.\" or output, encryption of both is disabled. To obtain a list of
++.\" available types, use ``encrypt disable \&?''.
++.\" .It Ic enable Ar type Ic [input|output]
++.\" Enable the specified type of encryption. If you do not specify input
++.\" or output, encryption of both is enabled. To obtain a list of
++.\" available types, use ``encrypt enable \&?''.
++.\" .It Ic input
++.\" This is the same as ``encrypt start input''.
++.\" .It Ic -input
++.\" This is the same as ``encrypt stop input''.
++.\" .It Ic output
++.\" This is the same as ``encrypt start output''.
++.\" .It Ic -output
++.\" This is the same as ``encrypt stop output''.
++.\" .It Ic start Ic [input|output]
++.\" Attempt to begin encrypting. If you do not specify input or output,
++.\" encryption of both input and output is started.
++.\" .It Ic status
++.\" Display the current status of the encryption module.
++.\" .It Ic stop Ic [input|output]
++.\" Stop encrypting. If you do not specify input or output, encryption of
++.\" both is stopped.
++.\" .It Ic type Ar type
++.\" Sets the default type of encryption to be used with later ``encrypt start''
++.\" or ``encrypt stop'' commands.
++.\" .El
++.\" .Pp
++.\" Note that the current version of
++.\" .Nm telnet
++.\" does not support encryption.
+ .It Ic environ Ar arguments...
+ The
+ .Ic environ
+@@ -1017,6 +1018,16 @@
+ .Ic slc
+ command.
+ .El
++.It Ic startssl
++Attempt to negotiate telnet-over-SSL (as with the
++.Ic -z ssl
++option). This is useful when connecting to non-telnetds such
++as imapd (with the
++.Ic STARTTLS
++command). To control SSL when connecting to a SSL-enabled
++telnetd, use the
++.Ic auth
++command instead.
+ .It Ic status
+ Show the current status of
+ .Nm telnet .
+@@ -1079,17 +1090,17 @@
+ .Dv FALSE
+ (see
+ .Xr stty 1 ) .
+-.It Ic autodecrypt
+-When the
+-.Dv TELNET ENCRYPT
+-option is negotiated, by
+-default the actual encryption (decryption) of the data
+-stream does not start automatically. The autoencrypt
+-(autodecrypt) command states that encryption of the
+-output (input) stream should be enabled as soon as
+-possible.
+-.Pp
+-Note that this flag exists only if encryption support is enabled.
++.\" .It Ic autodecrypt
++.\" When the
++.\" .Dv TELNET ENCRYPT
++.\" option is negotiated, by
++.\" default the actual encryption (decryption) of the data
++.\" stream does not start automatically. The autoencrypt
++.\" (autodecrypt) command states that encryption of the
++.\" output (input) stream should be enabled as soon as
++.\" possible.
++.\" .Pp
++.\" Note that this flag exists only if encryption support is enabled.
+ .It Ic autologin
+ If the remote side supports the
+ .Dv TELNET AUTHENTICATION
+@@ -1174,9 +1185,9 @@
+ .Ic super user ) .
+ The initial value for this toggle is
+ .Dv FALSE .
+-.It Ic encdebug
+-Turns on debugging information for the encryption code.
+-Note that this flag only exists if encryption support is available.
++.\" .It Ic encdebug
++.\" Turns on debugging information for the encryption code.
++.\" Note that this flag only exists if encryption support is available.
+ .It Ic localchars
+ If this is
+ .Dv TRUE ,
+@@ -1221,8 +1232,9 @@
+ is sent as
+ .Ic abort ,
+ and
+-.Ic eof and
+-.B suspend
++.Ic eof
++and
++.Ic suspend
+ are sent as
+ .Ic eof and
+ .Ic susp ,
+@@ -1263,16 +1275,16 @@
+ Toggles the display of all terminal data (in hexadecimal format).
+ The initial value for this toggle is
+ .Dv FALSE .
+-.It Ic verbose_encrypt
+-When the
+-.Ic verbose_encrypt
+-toggle is
+-.Dv TRUE ,
+-.Tn TELNET
+-prints out a message each time encryption is enabled or
+-disabled. The initial value for this toggle is
+-.Dv FALSE.
+-This flag only exists if encryption support is available.
++.\" .It Ic verbose_encrypt
++.\" When the
++.\" .Ic verbose_encrypt
++.\" toggle is
++.\" .Dv TRUE ,
++.\" .Tn TELNET
++.\" prints out a message each time encryption is enabled or
++.\" disabled. The initial value for this toggle is
++.\" .Dv FALSE.
++.\" This flag only exists if encryption support is available.
+ .It Ic \&?
+ Displays the legal
+ .Ic toggle
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc 2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc 2010-05-11 13:44:40.076987936 +0200
+@@ -47,7 +47,7 @@
+ * From: @(#)telnet.c 5.53 (Berkeley) 3/22/91
+ */
+ char telnet_rcsid[] =
+-"$Id: telnet.cc,v 1.36 2000/07/23 03:24:53 dholland Exp $";
++"$Id: telnet.cc,v 1.8 2005-04-14 15:26:27 ianb Exp $";
+
+ #include <string.h>
+ #include <sys/types.h>
+@@ -107,6 +107,7 @@
+ eight = 3,
+ binary = 0,
+ autologin = 0, /* Autologin anyone? */
++ use_authentication = 0,
+ skiprc = 0,
+ connected,
+ showoptions,
+@@ -495,7 +496,8 @@
+ break;
+ #if defined(AUTHENTICATE)
+ case TELOPT_AUTHENTICATION:
+- if (autologin)
++ /* if (autologin) */
++ if (use_authentication)
+ new_state_ok = 1;
+ break;
+ #endif
+@@ -722,6 +724,7 @@
+ */
+
+ static void suboption(void) {
++ extern int auth_failed;
+ printsub('<', subbuffer, SB_LEN()+2);
+ switch (SB_GET()) {
+ case TELOPT_TTYPE:
+@@ -845,7 +848,8 @@
+
+ #if defined(AUTHENTICATE)
+ case TELOPT_AUTHENTICATION: {
+- if (!autologin)
++ /* if (!autologin) */
++ if (!use_authentication)
+ break;
+ if (SB_EOF())
+ return;
+@@ -864,6 +868,10 @@
+ if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+ return;
+ auth_reply(subpointer, SB_LEN());
++ if(auth_failed) {
++ /* auth rejected, quit */
++ quit();
++ }
+ break;
+ case TELQUAL_NAME:
+ if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+@@ -1140,6 +1148,7 @@
+
+
+ unsigned char slc_reply[128];
++unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
+ unsigned char *slc_replyp;
+
+ void slc_start_reply(void) {
+@@ -1151,6 +1160,14 @@
+ }
+
+ void slc_add_reply(int func, int flags, int value) {
++ /* A sequence of up to 6 bytes my be written for this member of the SLC
++ * suboption list by this function. The end of negotiation command,
++ * which is written by slc_end_reply(), will require 2 additional
++ * bytes. Do not proceed unless there is sufficient space for these
++ * items.
++ */
++ if (&slc_replyp[6+2] > slc_reply_eom)
++ return;
+ if ((*slc_replyp++ = func) == IAC)
+ *slc_replyp++ = IAC;
+ if ((*slc_replyp++ = flags) == IAC)
+@@ -1819,25 +1836,19 @@
+ */
+ void telnet(const char *user) {
+ sys_telnet_init();
+-
+-#if defined(AUTHENTICATE)
+- {
+- static char local_host[256] = { 0 };
+- int len = sizeof(local_host);
+-
+- if (!local_host[0]) {
+- gethostname(local_host, len); /* WAS &len!!! */
+- local_host[sizeof(local_host)-1] = 0;
+- }
+- auth_encrypt_init(local_host, hostname, "TELNET", 0);
+- auth_encrypt_user(user);
+- }
++
++#ifdef AUTHENTICATE
++ auth_encrypt_user(user);
+ #endif
+-
++
+ #if !defined(TN3270)
+ if (telnetport) {
++
++ send_will(TELOPT_ENVIRON, 1);
++
+ #if defined(AUTHENTICATE)
+- if (autologin)
++ /* if (autologin) */
++ if (use_authentication)
+ send_will(TELOPT_AUTHENTICATION, 1);
+ #endif
+ send_do(TELOPT_SGA, 1);
+@@ -1846,7 +1857,6 @@
+ send_will(TELOPT_TSPEED, 1);
+ send_will(TELOPT_LFLOW, 1);
+ send_will(TELOPT_LINEMODE, 1);
+- send_will(TELOPT_ENVIRON, 1);
+ send_do(TELOPT_STATUS, 1);
+ if (env_getvalue("DISPLAY", 0))
+ send_will(TELOPT_XDISPLOC, 1);
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc 2010-05-11 13:44:40.080321548 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)terminal.c 5.3 (Berkeley) 3/22/91
+ */
+ char terminal_rcsid[] =
+- "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $";
++ "$Id: terminal.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <arpa/telnet.h>
+ #include <sys/types.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc 1996-08-13 11:08:34.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc 2010-05-11 13:44:40.080321548 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)tn3270.c 5.2 (Berkeley) 3/1/91
+ */
+ char tn3270_rcsid[] =
+- "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $";
++ "$Id: tn3270.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <sys/types.h>
+ #include <arpa/telnet.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/types.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/types.h 1996-07-27 02:45:54.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h 2010-05-11 13:44:40.083654043 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)types.h 5.1 (Berkeley) 9/14/90
+- * $Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $
++ * $Id: types.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ typedef struct {
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc 2010-05-11 13:44:40.083654043 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)utilities.c 5.3 (Berkeley) 3/22/91
+ */
+ char util_rcsid[] =
+- "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $";
++ "$Id: utilities.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #define TELOPTS
+ #define TELCMDS
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c 2010-05-11 13:44:40.086987376 +0200
+@@ -23,7 +23,7 @@
+ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91
+ */
+ char authenc_rcsid[] =
+- "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
++ "$Id: authenc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #if defined(ENCRYPT) || defined(AUTHENTICATE)
+ #include "telnetd.h"
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h 2010-05-11 13:44:40.086987376 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)defs.h 5.10 (Berkeley) 3/1/91
+- * $Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $
++ * $Id: defs.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h 2010-05-11 13:44:40.086987376 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)ext.h 5.7 (Berkeley) 3/1/91
+- * $Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $
++ * $Id: ext.h,v 1.2 2004-11-21 12:53:12 ianb Exp $
+ */
+
+ /*
+@@ -113,7 +113,7 @@
+ void interrupt(void);
+ void localstat(void);
+ void netclear(void);
+-void netflush(void);
++int netflush(void);
+ size_t netbuflen(int);
+ void sendurg(const char *, size_t);
+
+@@ -183,7 +183,8 @@
+ void tty_tspeed(int);
+ void willoption(int);
+ void wontoption(int);
+-#define writenet(b, l) fwrite(b, 1, l, netfile)
++int writenet(char *, int);
++/*#define writenet(b, l) fwrite(b, 1, l, netfile)*/
+ void netopen(void);
+
+ #if defined(ENCRYPT)
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c 1996-08-15 08:23:28.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c 2010-05-11 13:44:40.086987376 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)getent.c 5.1 (Berkeley) 2/28/91
+ */
+ char ge_rcsid[] =
+- "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $";
++ "$Id: getent.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ /*
+ * Copyright (c) 1991 Regents of the University of California.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c 2010-05-11 13:44:40.090341661 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)global.c 5.2 (Berkeley) 6/1/90
+ */
+ char global_rcsid[] =
+- "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $";
++ "$Id: global.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ /*
+ * Allocate global variables.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5 2010-05-11 13:44:40.090341661 +0200
+@@ -15,26 +15,26 @@
+ .Pa /etc/issue.net
+ is a text file which contains a message or system identification to be
+ printed before the login prompt of a telnet session. It may contain
+-various `%-char' sequences. The following sequences are supported by
++various `%\&\-char' sequences. The following sequences are supported by
+ .Ic telnetd :
+ .Bl -tag -offset indent -compact -width "abcde"
+-.It %t
++.It %\&t
+ - show the current tty
+-.It %h
++.It %\&h
+ - show the system node name (FQDN)
+-.It %D
++.It %\&D
+ - show the name of the NIS domain
+-.It %d
++.It %\&d
+ - show the current time and date
+-.It %s
++.It %\&s
+ - show the name of the operating system
+-.It %m
++.It %\&m
+ - show the machine (hardware) type
+-.It %r
++.It %\&r
+ - show the operating system release
+-.It %v
++.It %\&v
+ - show the operating system version
+-.It %%
++.It %\&%
+ - display a single '%' character
+ .El
+ .Sh FILES
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile 2010-05-11 14:12:59.493485309 +0200
+@@ -9,9 +9,11 @@
+ # take out -DPARANOID_TTYS.
+
+ CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \
+- -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \
+- -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\"
+-# LIBS += $(LIBTERMCAP)
++ -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS -DAUTHENTICATE \
++ -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" \
++ -DUSE_SSL -I/usr/include/openssl -I..
++LIBTELNET = ../libtelnet/libtelnet.a
++LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto
+
+ OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \
+ global.o setproctitle.o
+@@ -28,10 +30,10 @@
+ telnetd.o: ../version.h
+
+ install: telnetd
+- install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd
+- install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
+- install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8
+- ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8
++ install -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd-ssl
++# install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
++ install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd-ssl.8
++ ln -sf in.telnetd-ssl.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd-ssl.8
+
+ clean:
+ rm -f *.o telnetd
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h 1996-08-30 00:31:24.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h 2010-05-11 13:44:40.090341661 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)pathnames.h 5.5 (Berkeley) 6/28/90
+- * $Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $
++ * $Id: pathnames.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+ #include <paths.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 2000-07-31 01:57:09.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3 2010-05-11 13:44:40.090341661 +0200
+@@ -1,5 +1,5 @@
+ .\" OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp
+-.\" $Id: setproctitle.3,v 1.13 2000/07/30 23:57:09 dholland Exp $
++.\" $Id: setproctitle.3,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ .\"
+ .\" Copyright (c) 1994, 1995 Christopher G. Demetriou
+ .\" All rights reserved.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c 2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c 2010-05-11 13:44:40.090341661 +0200
+@@ -39,7 +39,7 @@
+ * From: @(#)conf.c 8.243 (Berkeley) 11/20/95
+ */
+ char setproctitle_rcsid[] =
+- "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $";
++ "$Id: setproctitle.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <stdlib.h>
+ #include <string.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c 1999-12-12 15:59:44.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c 2010-05-11 13:44:40.096989611 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)slc.c 5.7 (Berkeley) 3/1/91
+ */
+ char slc_rcsid[] =
+- "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
++ "$Id: slc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include "telnetd.h"
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c 2010-05-11 13:44:40.100321827 +0200
+@@ -35,11 +35,12 @@
+ * From: @(#)state.c 5.10 (Berkeley) 3/22/91
+ */
+ char state_rcsid[] =
+- "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $";
++ "$Id: state.c,v 1.5 2005-07-07 21:53:00 ianb Exp $";
+
+ #include "telnetd.h"
+ #if defined(AUTHENTICATE)
+ #include <libtelnet/auth.h>
++extern char *UserNameRequested;
+ #endif
+
+ int not42 = 1;
+@@ -1161,7 +1162,7 @@
+
+ case TELOPT_ENVIRON: {
+ register int c;
+- register char *cp, *varp, *valp;
++ register unsigned char *cp, *varp, *valp;
+
+ if (SB_EOF())
+ return;
+@@ -1177,25 +1178,41 @@
+ if (SB_EOF())
+ return;
+
+- cp = varp = (char *)subpointer;
++ cp = varp = (unsigned char *)subpointer;
+ valp = 0;
+
+ while (!SB_EOF()) {
+ switch (c = SB_GET()) {
+ case ENV_VALUE:
+ *cp = '\0';
+- cp = valp = (char *)subpointer;
++ cp = valp = (unsigned char *)subpointer;
+ break;
+
+ case ENV_VAR:
+ *cp = '\0';
+- if (envvarok(varp)) {
+- if (valp)
+- (void)setenv(varp, valp, 1);
+- else
+- unsetenv(varp);
++ if (envvarok((char *)varp)) {
++ if (valp) {
++ (void)setenv((char *)varp, (char *)valp, 1);
++#ifdef AUTHENTICATE
++ if (strcmp((char *)varp,"USER") == 0) {
++ if (UserNameRequested)
++ free(UserNameRequested);
++ UserNameRequested=strdup((char *)valp);
++ }
++#endif /* AUTHENTICATE */
++ }
++ else {
++ unsetenv((char *)varp);
++#ifdef AUTHENTICATE
++ if (strcmp((char *)varp,"USER") == 0) {
++ if (UserNameRequested)
++ free(UserNameRequested);
++ UserNameRequested=NULL;
++ }
++#endif /* AUTHENTICATE */
++ }
+ }
+- cp = varp = (char *)subpointer;
++ cp = varp = (unsigned char *)subpointer;
+ valp = 0;
+ break;
+
+@@ -1211,11 +1228,27 @@
+ }
+ }
+ *cp = '\0';
+- if (envvarok(varp)) {
+- if (valp)
+- (void)setenv(varp, valp, 1);
+- else
+- unsetenv(varp);
++ if (envvarok((char *)varp)) {
++ if (valp) {
++ (void)setenv((char *)varp, (char *)valp, 1);
++#ifdef AUTHENTICATE
++ if (strcmp((char *)varp,"USER") == 0) {
++ if (UserNameRequested)
++ free(UserNameRequested);
++ UserNameRequested=strdup((char *)valp);
++ }
++#endif /* AUTHENTICATE */
++ }
++ else {
++ unsetenv((char *)varp);
++#ifdef AUTHENTICATE
++ if (strcmp((char *)varp,"USER") == 0) {
++ if (UserNameRequested)
++ free(UserNameRequested);
++ UserNameRequested=NULL;
++ }
++#endif /* AUTHENTICATE */
++ }
+ }
+ break;
+ } /* end of case TELOPT_ENVIRON */
+@@ -1367,7 +1400,7 @@
+ ADD(IAC);
+ ADD(SE);
+
+- writenet(statusbuf, ncp - statusbuf);
++ writenet((char *)statusbuf, ncp - statusbuf);
+ netflush(); /* Send it on its way */
+
+ DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c 2010-05-11 13:44:40.106987377 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)sys_term.c 5.16 (Berkeley) 3/22/91
+ */
+ char st_rcsid[] =
+- "$Id: sys_term.c,v 1.17 1999/12/17 14:28:47 dholland Exp $";
++ "$Id: sys_term.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include <utmp.h>
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8 2010-05-11 13:44:40.106987377 +0200
+@@ -30,7 +30,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\" from: @(#)telnetd.8 6.8 (Berkeley) 4/20/91
+-.\" $Id: telnetd.8,v 1.18 2000/07/30 23:57:10 dholland Exp $
++.\" $Id: telnetd.8,v 1.5 2006-09-24 00:48:31 ianb Exp $
+ .\"
+ .Dd December 29, 1996
+ .Dt TELNETD 8
+@@ -42,7 +42,7 @@
+ protocol server
+ .Sh SYNOPSIS
+ .Nm /usr/sbin/in.telnetd
+-.Op Fl hns
++.Op Fl hnNs
+ .Op Fl a Ar authmode
+ .Op Fl D Ar debugmode
+ .Op Fl L Ar loginprg
+@@ -50,6 +50,7 @@
+ .Op Fl X Ar authtype
+ .Op Fl edebug
+ .Op Fl debug Ar port
++.Op Fl z Ar sslopt
+ .Sh DESCRIPTION
+ The
+ .Nm telnetd
+@@ -175,6 +176,9 @@
+ if the client is still there, so that idle connections
+ from machines that have crashed or can no longer
+ be reached may be cleaned up.
++.It Fl N
++Disable reverse DNS lookups and use the numeric IP address in logs
++and REMOTEHOST environment variable.
+ .It Fl s
+ This option is only enabled if
+ .Nm telnetd
+@@ -219,12 +223,16 @@
+ only accepts connections from SSL enhanced telnet with option
+ .Ic -z ssl
+ .It Ic nossl, !ssl
+-switch of SSL negotiation
++switch off SSL negotiation
+ .It Ic certsok
+ Look username up in /etc/ssl.users. The format of this file is lines
+ of this form:
+ .Ar user1,user2:/C=US/.....
+-where user1 and user2 are usernames. If client certificate is valid,
++where user1 and user2 are usernames and /C=US/... is the subject name of
++the certificate. Use
++.Ar openssl x509 -subject -noout
++to extract the subject name.
++If client certificate is valid,
+ authenticate without password.
+ .It Ic certrequired
+ client certificate is mandatory
+@@ -451,7 +459,6 @@
+ is compiled with support for data encryption, and
+ indicates a willingness to decrypt
+ the data stream.
+-.Xr issue.net 5 ) .
+ .El
+ .Sh FILES
+ .Pa /etc/services ,
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c 2010-05-11 13:44:40.113654043 +0200
+@@ -39,7 +39,7 @@
+ * From: @(#)telnetd.c 5.48 (Berkeley) 3/1/91
+ */
+ char telnetd_rcsid[] =
+- "$Id: telnetd.c,v 1.24 2000/04/12 21:36:12 dholland Exp $";
++ "$Id: telnetd.c,v 1.7 2006-06-16 13:29:00 ianb Exp $";
+
+ #include "../version.h"
+
+@@ -90,6 +90,7 @@
+
+ int debug = 0;
+ int keepalive = 1;
++int numeric_hosts = 0;
+ #ifdef LOGIN_WRAPPER
+ char *loginprg = LOGIN_WRAPPER;
+ #else
+@@ -222,13 +223,12 @@
+ * certificate that we will be running with as we cannot
+ * be sure of the cwd when we are launched
+ */
+- sprintf(cert_filepath,"%s/%s",X509_get_default_cert_dir(),
+- "telnetd.pem");
++ strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem");
+ ssl_cert_file=cert_filepath;
+ ssl_key_file=NULL;
+ #endif /* USE_SSL */
+
+- while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) {
++ while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:")) != EOF) {
+ switch(ch) {
+
+ #ifdef USE_SSL
+@@ -389,6 +389,10 @@
+ keepalive = 0;
+ break;
+
++ case 'N':
++ numeric_hosts = 1;
++ break;
++
+ #ifdef SecurID
+ case 's':
+ /* SecurID required */
+@@ -427,7 +431,7 @@
+
+ #ifdef USE_SSL
+
+- if (ssl_secure_flag || ssl_cert_required) {
++ if (ssl_secure_flag || ssl_cert_required || ssl_certsok_flag) {
+ /* in secure mode we *must* switch on the base level
+ * verify checking otherwise we cannot abort connections
+ * at the right place!
+@@ -520,9 +524,9 @@
+ sprintf(errbuf,"SSL_accept error %s\n",
+ ERR_error_string(ERR_get_error(),NULL));
+
+- syslog(LOG_WARNING, errbuf);
++ syslog(LOG_WARNING, "%s", errbuf);
+
+- BIO_printf(bio_err,errbuf);
++ BIO_printf(bio_err,"%s",errbuf);
+
+ /* go to sleep to make sure we are noticed */
+ sleep(10);
+@@ -571,6 +575,11 @@
+ #ifdef AUTHENTICATE
+ fprintf(stderr, " [-X auth-type]");
+ #endif
++#ifdef USE_SSL
++ /* might as well output something useful here ... */
++ fprintf(stderr, "\n\t [-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t");
++ fprintf(stderr, " [-z cert=file] [-z key=file]\n\t");
++#endif /* USE_SSL */
+ fprintf(stderr, "\n");
+ exit(1);
+ }
+@@ -596,6 +605,18 @@
+ /*
+ * Handle the Authentication option before we do anything else.
+ */
++ send_do(TELOPT_ENVIRON, 1);
++ while (his_will_wont_is_changing(TELOPT_ENVIRON)) {
++ ttloop();
++ }
++
++ if (his_state_is_will(TELOPT_ENVIRON)) {
++ netoprintf("%c%c%c%c%c%c",
++ IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE);
++ while (sequenceIs(environsubopt, baseline))
++ ttloop();
++ }
++
+ send_do(TELOPT_AUTHENTICATION, 1);
+ while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+ ttloop();
+@@ -654,7 +675,6 @@
+ send_do(TELOPT_TTYPE, 1);
+ send_do(TELOPT_TSPEED, 1);
+ send_do(TELOPT_XDISPLOC, 1);
+- send_do(TELOPT_ENVIRON, 1);
+ while (
+ #if defined(ENCRYPT)
+ his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+@@ -698,10 +718,6 @@
+ while (sequenceIs(xdisplocsubopt, baseline))
+ ttloop();
+ }
+- if (his_state_is_will(TELOPT_ENVIRON)) {
+- while (sequenceIs(environsubopt, baseline))
+- ttloop();
+- }
+ if (his_state_is_will(TELOPT_TTYPE)) {
+ char first[256], last[256];
+
+@@ -852,7 +868,7 @@
+ static void
+ doit(struct sockaddr *who, socklen_t who_len)
+ {
+- const char *host;
++ char *host;
+ int level;
+ char user_name[256];
+ int i;
+@@ -867,7 +883,8 @@
+
+ /* get name of connected client */
+ if (getnameinfo(who, who_len, remote_host_name,
+- sizeof(remote_host_name), 0, 0, 0)) {
++ sizeof(remote_host_name), 0, 0,
++ numeric_hosts ? NI_NUMERICHOST : 0)) {
+ syslog(LOG_ERR, "doit: getnameinfo: %m");
+ *remote_host_name = 0;
+ }
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h 1999-03-27 08:46:21.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h 2010-05-11 13:44:40.113654043 +0200
+@@ -31,7 +31,7 @@
+ * SUCH DAMAGE.
+ *
+ * from: @(#)telnetd.h 5.3 (Berkeley) 3/1/91
+- * $Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $
++ * $Id: telnetd.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ */
+
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c 1999-12-12 15:59:45.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c 2010-05-11 13:44:40.113654043 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)termstat.c 5.10 (Berkeley) 3/22/91
+ */
+ char termstat_rcsid[] =
+- "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $";
++ "$Id: termstat.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+
+ #include "telnetd.h"
+
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c 2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c 2010-05-11 13:45:21.990318196 +0200
+@@ -35,7 +35,7 @@
+ * From: @(#)utility.c 5.8 (Berkeley) 3/22/91
+ */
+ char util_rcsid[] =
+- "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $";
++ "$Id: utility.c,v 1.8 2006-09-24 00:48:31 ianb Exp $";
+
+ #define PRINTOPTIONS
+
+@@ -49,6 +49,15 @@
+
+ #include "telnetd.h"
+
++/* patched by fluke.l at gmail.com , im not sure it's gonna work or not */
++typedef struct {
++ int (*read) (void *, char *, int);
++ int (*write) (void *, char const *, int);
++ fpos_t (*seek) (void *, fpos_t, int);
++ int (*close) (void *);
++} cookie_io_functions_t;
++/* end patch */
++
+ struct buflist {
+ struct buflist *next;
+ char *buf;
+@@ -86,6 +95,11 @@
+ DIAG(TD_REPORT, netoprintf("td: ttloop\r\n"););
+
+ netflush();
++#ifdef USE_SSL
++ if (ssl_active_flag)
++ ncc = SSL_read(ssl_con, netibuf, sizeof netibuf);
++ else
++#endif /* USE_SSL */
+ ncc = read(net, netibuf, sizeof(netibuf));
+ if (ncc < 0) {
+ syslog(LOG_INFO, "ttloop: read: %m\n");
+@@ -216,7 +230,7 @@
+ }
+
+ out:
+- return next ? next + (current - end) : current;
++ return (const char *) (next ? (next + (current - end)) : current );
+ } /* end of nextitem */
+
+
+@@ -243,6 +257,29 @@
+ doclear--;
+ } /* end of netclear */
+
++#ifdef USE_SSL
++static int
++SSL_writev(SSL *ssl_con,const struct iovec *vector,int num)
++{
++ const struct iovec *v = vector;
++
++ int ret;
++ int len = 0;
++
++ while (num > 0) {
++ ret = SSL_write(ssl_con, v->iov_base, v->iov_len);
++ if (ret < 0)
++ return ret;
++ if (ret != v->iov_len)
++ syslog(LOG_NOTICE, "SSL_writev: short write\n");
++ num -= v->iov_len;
++ len += ret;
++ v++;
++ }
++ return len;
++}
++#endif /* USE_SSL */
++
+ static void
+ netwritebuf(void)
+ {
+@@ -253,6 +290,9 @@
+ size_t len;
+ int ltrailing = trailing;
+
++ if (!listlen)
++ return;
++
+ vector = malloc(listlen * sizeof(struct iovec));
+ if (!vector) {
+ return;
+@@ -265,6 +305,11 @@
+ if (lp == urg) {
+ len = v - vector;
+ if (!len) {
++#ifdef USE_SSL
++ if (ssl_active_flag)
++ n = SSL_write(ssl_con, lp->buf, 1);
++ else
++#endif /* USE_SSL */
+ n = send(net, lp->buf, 1, MSG_OOB);
+ if (n > 0) {
+ urg = 0;
+@@ -282,15 +327,25 @@
+ vector->iov_base = (char *)vector->iov_base + skip;
+ vector->iov_len -= skip;
+
+- n = writev(net, vector, len);
++ if(vector->iov_len == 0 ) {
++ n=0;
++ } else {
++
++#ifdef USE_SSL
++ if (ssl_active_flag)
++ n = SSL_writev(ssl_con, vector, len); /* normal write */
++ else
++#endif /* USE_SSL */
++ n = writev(net, vector, len);
+
+ epi:
+- free(vector);
++ free(vector);
+
+- if (n < 0) {
++ if (n < 0) {
+ if (errno != EWOULDBLOCK && errno != EINTR)
+- cleanup(0);
++ cleanup(0);
+ return;
++ }
+ }
+
+ len = n + skip;
+@@ -315,6 +370,10 @@
+ }
+ }
+
++ if(ltrailing && (len==0)) {
++ ltrailing=trailing=0;
++ }
++
+ skip = len;
+ }
+
+@@ -323,16 +382,22 @@
+ * Send as much data as possible to the network,
+ * handling requests for urgent data.
+ */
+-void
++int
+ netflush(void)
+ {
+ if (fflush(netfile)) {
+ /* out of memory? */
+ cleanup(0);
++ return 0;
+ }
+- if (listlen) {
+- netwritebuf();
+- }
++ netwritebuf();
++ return 1;
++}
++
++int
++writenet(char *b , int l)
++{
++ return(fwrite(b, 1, l, netfile));
+ }
+
+
+@@ -983,7 +1048,7 @@
+ ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+ "MUTUAL" : "ONE-WAY");
+
+- auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
++ auth_printsub(&pointer[1], length - 1, (unsigned char *) buf, sizeof(buf));
+ netoprintf("%s", buf);
+ break;
+
+@@ -1191,7 +1256,15 @@
+ size_t l;
+ size_t m = tail->len;
+
+- p = nextitem(tail->buf, tail->buf + tail->len, buf, end);
++ if((tail->buf == NULL) || (tail->len==0))
++ {
++ p = nextitem((unsigned char *) buf, (unsigned char *) end,0,0);
++ }
++ else
++ {
++ p = nextitem((unsigned char *) tail->buf, (unsigned char *) (tail->buf + tail->len),
++ (unsigned char *) buf, (unsigned char *) end);
++ }
+ ltrailing = !p;
+ if (ltrailing) {
+ p = end;
+@@ -1245,7 +1318,7 @@
+ const char *p;
+ size_t l;
+
+- p = nextitem(buf, end, 0, 0);
++ p = nextitem((unsigned char *) buf, (unsigned char *) end, 0, 0);
+ ltrailing = !p;
+ if (ltrailing) {
+ p = end;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile 2000-04-13 03:07:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile 2010-05-11 13:46:19.023660189 +0200
+@@ -11,7 +11,7 @@
+ $(OBJS): ../version.h
+
+ install: telnetlogin
+- install -s -m4750 -oroot -gtelnetd telnetlogin $(INSTALLROOT)$(SBINDIR)
++ install -m$(BINMODE) telnetlogin $(INSTALLROOT)$(SBINDIR)
+ install -m$(MANMODE) telnetlogin.8 $(INSTALLROOT)$(MANDIR)/man8
+
+ clean:
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 2004-05-27 11:47:02.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8 2010-05-11 13:44:40.123659071 +0200
+@@ -28,7 +28,7 @@
+ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ .\" SUCH DAMAGE.
+ .\"
+-.\" $Id: telnetlogin.8,v 1.4 2000/07/30 23:57:10 dholland Exp $
++.\" $Id: telnetlogin.8,v 1.2 2004-11-07 15:47:43 ianb Exp $
+ .\"
+ .Dd April 12, 2000
+ .Dt TELNETLOGIN 8
+@@ -40,6 +40,7 @@
+ .Nm telnetlogin
+ .Op Fl h Ar host
+ .Op Fl p
++.Op Fl f Ar username
+ .Op Ar username
+ .Sh DESCRIPTION
+ .Nm telnetlogin
+@@ -79,11 +80,6 @@
+ .Xr inetd 8 ,
+ .Xr telnetd 8
+ .Sh RESTRICTIONS
+-.Nm telnetlogin
+-does not permit the
+-.Fl f
+-option to login, so will not
+-work with telnetds that perform authentication via Kerberos or SSL.
+ .Pp
+ THIS IS PRESENTLY EXPERIMENTAL CODE; USE WITH CAUTION.
+ .Sh HISTORY
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c 2004-05-27 11:47:02.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c 2010-05-11 13:44:40.123659071 +0200
+@@ -35,7 +35,7 @@
+ "All rights reserved.\n";
+
+ char rcsid[] =
+- "$Id: telnetlogin.c,v 1.1 2000/04/13 01:07:22 dholland Exp $";
++ "$Id: telnetlogin.c,v 1.2 2004-11-07 15:47:43 ianb Exp $";
+ #include "../version.h"
+
+ #include <sys/types.h>
+@@ -76,7 +76,16 @@
+ int i=0;
+ /* should we check length? */
+ for (i=0; hname[i]; i++) {
+- if (hname[i]<=32 && hname[i]>126) return -1;
++ if ((hname[i]<=32) || (hname[i]>126)) return -1;
++ }
++ return 0;
++}
++
++static int check_username(char *username) {
++ int i;
++ if (strlen(username) > 32) return -1;
++ for (i=0; username[i]; i++) {
++ if ((username[i]<=32) || (username[i]>126)) return -1;
+ }
+ return 0;
+ }
+@@ -158,6 +167,12 @@
+ if (argn < argc && !strcmp(argv[argn], "-p")) {
+ argn++;
+ }
++ if (argn < argc && !strcmp(argv[argn], "-f")) {
++ argn++;
++ if (argn==argc) die("Illegal args: -f requires argument");
++ if (check_username(argv[argn])) die("Illegal remote username specified");
++ argn++;
++ }
+ if (argn < argc && argv[argn][0] != '-') {
+ argn++;
+ }
diff --git a/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install
new file mode 100644
index 0000000..25a4b28
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install
@@ -0,0 +1,5 @@
+
+post_install() {
+ groupadd telnetd
+}
+
diff --git a/abs/core/netkit-telnet-ssl/telnet.xinetd b/abs/core/netkit-telnet-ssl/telnet.xinetd
new file mode 100644
index 0000000..f4ef4c0
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/telnet.xinetd
@@ -0,0 +1,10 @@
+service telnet-ssl
+{
+ flags = REUSE
+ socket_type = stream
+ wait = no
+ user = root
+ server = /usr/sbin/in.telnetd-ssl
+ log_on_failure += USERID
+ disable = yes
+}