From 8084aca8649eb7e20f638bfe2ba683647cea3141 Mon Sep 17 00:00:00 2001
From: Michael Hanson <hansonorders@verizon.net>
Date: Wed, 8 Dec 2010 21:04:21 +0000
Subject: netkit-telnet-ssl: formerly netkit-telnet, upgrade

---
 abs/core/netkit-telnet-ssl/PKGBUILD                |   33 +
 .../netkit-telnet-ssl-0.17.24+0.1_arch.diff        | 2591 ++++++++++++++++++++
 .../netkit-telnet-ssl/netkit-telnet-ssl.install    |    5 +
 abs/core/netkit-telnet-ssl/telnet.xinetd           |   10 +
 abs/core/netkit-telnet/PKGBUILD                    |   22 -
 abs/core/netkit-telnet/netkit-telnet-0.17.patch    |   36 -
 abs/core/netkit-telnet/telnet.xinetd               |   10 -
 7 files changed, 2639 insertions(+), 68 deletions(-)
 create mode 100644 abs/core/netkit-telnet-ssl/PKGBUILD
 create mode 100644 abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff
 create mode 100644 abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install
 create mode 100644 abs/core/netkit-telnet-ssl/telnet.xinetd
 delete mode 100644 abs/core/netkit-telnet/PKGBUILD
 delete mode 100644 abs/core/netkit-telnet/netkit-telnet-0.17.patch
 delete mode 100644 abs/core/netkit-telnet/telnet.xinetd

diff --git a/abs/core/netkit-telnet-ssl/PKGBUILD b/abs/core/netkit-telnet-ssl/PKGBUILD
new file mode 100644
index 0000000..37fb577
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/PKGBUILD
@@ -0,0 +1,33 @@
+# Maintainer: <alexandre.becoulet@free.fr>
+# Contributor: <netbug@ftp.uk.linux.org>
+# Contributor: Fluke <fluke.l at gmail.com>
+pkgname=netkit-telnet-ssl
+pkgver=0.17.24+0.1
+pkgrel=2
+pkgdesc="telnet client and server with ssl enabled"
+arch=('i686' 'x86_64')
+license=('BSD')
+url=("http://www.hcs.harvard.edu/~dholland/computers/netkit.html")
+source=(http://ftp.de.debian.org/debian/pool/main/n/${pkgname}/${pkgname}_${pkgver}.orig.tar.gz
+	netkit-telnet-ssl-0.17.24+0.1_arch.diff
+	telnet.xinetd)
+depends=('glibc' 'openssl' 'ncurses')
+replaces=('netkit-telnet')
+md5sums=('43a402139ed6b86434fdb83256feaad8'
+	'd51bf898269a79a2de77d1134516c209'
+	'ca38af6f1346ae90b2cb1e160858b453')
+install=netkit-telnet-ssl.install
+
+build() {
+        cd ${srcdir}/${pkgname}-${pkgver}.orig
+        patch -p1 < ../netkit-telnet-ssl-0.17.24+0.1_arch.diff
+        ./configure --prefix=/usr --installroot=${pkgdir}
+        make || return 1
+}
+package() {
+        cd ${srcdir}/${pkgname}-${pkgver}.orig
+        mkdir -p ${pkgdir}/usr/{bin,sbin,man/man1,man/man5,man/man8} ${pkgdir}/etc/xinetd.d
+
+        make install || return 1
+        install -m644 ${srcdir}/telnet.xinetd ${pkgdir}/etc/xinetd.d/telnet-ssl
+}
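Review bot: The upstream tarball in `source=` is fetched over plain `http://` and checked only against `md5sums`, so the integrity of the build input rests on MD5, which is not collision-resistant. Prefer an `https://` mirror where one is available and add a stronger checksum array, e.g. `sha256sums=('<sha256-of-orig-tarball>' '<sha256-of-arch-diff>' '<sha256-of-telnet.xinetd>')` (placeholders; generate the real values with `makepkg -g`). The unquoted `${srcdir}` and `${pkgdir}` expansions in `build()` and `package()` break on paths containing spaces; `cd "${srcdir}/${pkgname}-${pkgver}.orig"` is the safer form.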
diff --git a/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff
new file mode 100644
index 0000000..17b3c3c
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl-0.17.24+0.1_arch.diff
@@ -0,0 +1,2591 @@
+Only in netkit-telnet-ssl-0.17.24+0.1: debian
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c	2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c	2010-05-11 13:44:40.190322666 +0200
+@@ -37,6 +37,9 @@
+  */
+ 
+ #ifndef lint
++#ifdef __GNUC__
++__attribute__ ((unused))
++#endif	/* __GNUC__ */
+ static char sccsid[] = "@(#)auth.c	5.2 (Berkeley) 3/22/91";
+ #endif /* not lint */
+ 
+@@ -83,8 +86,11 @@
+ 
+ #define	typemask(x)		(1<<((x)-1))
+ 
++int auth_onoff(const char *type, int on);
++
++
+ int auth_debug_mode = 0;
+-static 	char	*Name = "Noname";
++static 	const char *Name = "Noname";
+ static	int	Server = 0;
+ static	Authenticator	*authenticated = 0;
+ static	int	authenticating = 0;
+@@ -170,7 +176,7 @@
+ 
+ 	void
+ auth_init(name, server)
+-	char *name;
++	const char *name;
+ 	int server;
+ {
+ 	Authenticator *ap = authenticators;
+@@ -241,7 +247,7 @@
+ 
+ 	int
+ auth_onoff(type, on)
+-	char *type;
++	const char *type;
+ 	int on;
+ {
+ 	int i, mask = -1;
+@@ -335,7 +341,7 @@
+ 		}
+ 		*e++ = IAC;
+ 		*e++ = SE;
+-		writenet(str_request, e - str_request);
++		writenet((char *) str_request, e - str_request);
+ 		printsub('>', &str_request[2], e - str_request - 2);
+ 	}
+ }
+@@ -424,7 +430,7 @@
+ 		}
+ 		auth_send_data += 2;
+ 	}
+-	writenet(str_none, sizeof(str_none));
++	writenet((char *) str_none, sizeof(str_none));
+ 	printsub('>', &str_none[2], sizeof(str_none) - 2);
+ 	if (auth_debug_mode)
+ 		printf(">>>%s: Sent failure message\r\n", Name);
+@@ -456,7 +462,7 @@
+ 		return;
+ 	}
+ 
+-	if (ap = findauthenticator(data[0], data[1])) {
++	if ((ap = findauthenticator(data[0], data[1]))) {
+ 		if (ap->is)
+ 			(*ap->is)(ap, data+2, cnt-2);
+ 	} else if (auth_debug_mode)
+@@ -474,7 +480,7 @@
+ 	if (cnt < 2)
+ 		return;
+ 
+-	if (ap = findauthenticator(data[0], data[1])) {
++	if ((ap = findauthenticator(data[0], data[1]))) {
+ 		if (ap->reply)
+ 			(*ap->reply)(ap, data+2, cnt-2);
+ 	} else if (auth_debug_mode)
+@@ -487,7 +493,7 @@
+ 	unsigned char *data;
+ 	int cnt;
+ {
+-	Authenticator *ap;
++  /*	Authenticator *ap; */
+ 	unsigned char savename[256];
+ 
+ 	if (cnt < 1) {
+@@ -505,7 +511,7 @@
+ 	savename[cnt] = '\0';	/* Null terminate */
+ 	if (auth_debug_mode)
+ 		printf(">>>%s: Got NAME [%s]\r\n", Name, savename);
+-	auth_encrypt_user(savename);
++	auth_encrypt_user((char *)savename);
+ }
+ 
+ 	int
+@@ -526,7 +532,7 @@
+ 	}
+ 	*e++ = IAC;
+ 	*e++ = SE;
+-	writenet(str_request, e - str_request);
++	writenet((char *) str_request, e - str_request);
+ 	printsub('>', &str_request[2], e - &str_request[2]);
+ 	return(1);
+ }
+@@ -542,6 +548,9 @@
+ }
+ 
+ 	/* ARGSUSED */
++#ifdef __GNUC__
++__attribute__ ((used))
++#endif	/* __GNUC__ */
+ 	static void
+ auth_intr(sig)
+ 	int sig;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h	2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h	2010-05-11 13:44:40.183654321 +0200
+@@ -68,7 +68,7 @@
+ #if	defined(AUTHENTICATE)
+ Authenticator *findauthenticator P((int, int));
+ 
+-void auth_init P((char *, int));
++void auth_init P((const char *, int));
+ int auth_cmd P((int, char **));
+ void auth_request P((void));
+ void auth_send P((unsigned char *, int));
+@@ -123,7 +123,9 @@
+ int auth_ssl_status P((Authenticator *, char *, int));
+ void auth_ssl_printsub P((unsigned char *, int, unsigned char *, int));
+ #endif /* USE_SSL */
+- 
++
++extern void printsub P((char, unsigned char *, int));
++extern int writenet P((char *, int));
+ #endif
+ #ifdef __cplusplus
+ }
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile	2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile	2010-05-11 13:45:28.073664102 +0200
+@@ -15,5 +15,8 @@
+ 		ranlib lib${LIB}.a; \
+ 	fi;
+ 
++install:
++	@echo "nothing to be installed from libtelnet"
++
+ clean:
+ 	rm -f *.o lib${LIB}.a
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c	2010-05-11 13:44:40.190322666 +0200
+@@ -32,6 +32,9 @@
+  */
+ 
+ #ifndef lint
++#ifdef __GNUC__
++__attribute__ ((unused))
++#endif	/* __GNUC__ */
+ static char sccsid[] = "@(#)misc.c	5.1 (Berkeley) 2/28/91";
+ #endif /* not lint */
+ 
+@@ -54,7 +57,12 @@
+  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+  */
+ 
++#include <stdio.h>
++#include <stdlib.h>
++
+ #include "misc.h"
++#include "auth.h"
++#include "auth-proto.h"
+ 
+ char *RemoteHostName;
+ char *LocalHostName;
+@@ -65,7 +73,7 @@
+ auth_encrypt_init(local, remote, name, server)
+ 	char *local;
+ 	char *remote;
+-	char *name;
++	const char *name;
+ 	int server;
+ {
+ 	RemoteHostName = remote;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h	2010-05-11 13:44:40.190322666 +0200
+@@ -68,7 +68,7 @@
+ extern "C" {
+ #endif
+ 
+-void auth_encrypt_init P((char *, char *, char *, int));
++void auth_encrypt_init P((char *, char *, const char *, int));
+ void auth_encrypt_connect P((int));
+ void auth_encrypt_user P((const char *name));
+ void printd P((unsigned char *, int));
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h	2010-05-11 13:44:40.200330208 +0200
+@@ -45,6 +45,7 @@
+ #include "x509.h"
+ #include "ssl.h"
+ #define OLDPROTO NOPROTO
++#undef NOPROTO
+ #define NOPROTO
+ #include "err.h"
+ #undef NOPROTO
+@@ -72,7 +73,7 @@
+ /* we hide all the initialisation code in a separate file now */
+ extern int do_ssleay_init(int server);
+ 
+-extern int display_connect_details(SSL *ssl_con, int verbose);
++extern void display_connect_details(SSL *ssl_con, int verbose);
+ extern int server_verify_callback();
+ extern int client_verify_callback();
+ 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c
+--- netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c	2010-05-11 13:44:40.200330208 +0200
+@@ -47,6 +47,9 @@
+ #include <string.h>
+ #endif
+ 
++#include <unistd.h>
++#include <openssl/err.h>
++
+ #include "auth.h"
+ #include "misc.h"
+ 
+@@ -91,11 +94,12 @@
+ #define VERIFY_ROOT_OK VERIFY_OK
+ #endif
+ 
++extern int netflush(void);
++
+ extern int auth_debug_mode;
+-static auth_ssl_valid = 0;
++static int auth_ssl_valid = 0;
+ static char *auth_ssl_name = 0;    /* this holds the oneline name */
+ 
+-extern BIO *bio_err;
+ extern int ssl_only_flag;
+ extern int ssl_debug_flag;
+ extern int ssl_active_flag;
+@@ -120,6 +124,9 @@
+ 
+ BIO *bio_err=NULL;
+ 
++int auth_failed=0;
++
++
+ /* compile this set to 1 to negotiate SSL but not actually start it */
+ static int ssl_dummy_flag=0;
+ 
+@@ -135,7 +142,7 @@
+  * telnet connect if we are talking straight ssl with no telnet
+  * protocol --tjh
+  */
+-int
++void
+ display_connect_details(ssl_con,verbose)
+ SSL *ssl_con;
+ int verbose;
+@@ -152,7 +159,7 @@
+ 	/* grab the full list of ciphers */
+ 	i=0;
+ 	buf[0]='\0';
+-	while((p=SSL_get_cipher_list(ssl_con,i++))!=NULL) {
++	while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) {
+ 	  if (i>0)
+ 	    strcat(buf,":");
+ 	  strcat(buf,p);
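Review bot: The loop around the changed line still appends every cipher name to `buf` with `strcat` and no length check, so a long cipher list can write past the end of `buf`; the declaration of `buf` is outside the hunk, so its size cannot be confirmed here. A bounded append fixes it, for example stopping once `strlen(buf) + strlen(p) + 2 > sizeof(buf)` (assuming `buf` is an array). Because `i` is already incremented in the loop condition, `if (i>0)` is always true and the list starts with a stray `:`; `if (i>1)` gives the intended separator. Declaring `p` as `const char *` would remove the need for the new cast.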
+@@ -230,7 +237,7 @@
+         *p++ = SE;
+ 	if (str_data[3] == TELQUAL_IS)
+ 		printsub('>', &str_data[2], p - (&str_data[2]));
+-        return(writenet(str_data, p - str_data));
++        return(writenet((char *) str_data, p - str_data));
+ }
+ 
+ int auth_ssl_init(ap, server)
+@@ -280,7 +287,7 @@
+ unsigned char *data;
+ int cnt;
+ {
+-	int valid;
++  /*	int valid; */
+ 
+ 	if (cnt-- < 1)
+ 		return;
+@@ -364,7 +371,7 @@
+ unsigned char *data;
+ int cnt;
+ {
+-	int i;
++  /*	int i; */
+ 	int status;
+ 
+ 	if (cnt-- < 1)
+@@ -389,16 +396,13 @@
+ 		    SSL_set_verify(ssl_con,ssl_verify_flag,
+ 		    				client_verify_callback);
+ 		    if ((status = SSL_connect(ssl_con)) <= 0) {
+-			fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status);
+-			fflush(stderr);
+-
+-			perror("telnet: Unable to ssl_connect to remote host");
++			auth_finished(0,AUTH_REJECT);
+ 
++			fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status);
++			fprintf(stderr,"telnet: Unable to ssl_connect to remote host\n");
+ 			ERR_print_errors(bio_err);
+-
+-			/* don't know what I "should" be doing here ... */
+-
+-			auth_finished(0,AUTH_REJECT);
++			fflush(stderr);
++			auth_failed=1;
+ 			return;
+ 		    } else {
+ 
+@@ -452,7 +456,7 @@
+ 	 */
+ 	if (ssl_certsok_flag) {
+ 	    user_fp = fopen("/etc/ssl.users", "r");
+-	    if (!auth_ssl_name || !user_fp) {
++	    if (!auth_ssl_name || !user_fp || !UserNameRequested) {
+ 	        /* If we haven't received a certificate, then don't 
+ 		 * return AUTH_VALID. 
+ 		 */
+@@ -486,7 +490,7 @@
+ 			cp = strchr(n, ',');
+ 			if (cp)
+ 			    *cp++ = '\0';
+-			if (!UserNameRequested || 
++			if (UserNameRequested &&
+ 			            !strcmp(UserNameRequested, n)) {
+ 			    strcpy(name, n);
+ 			    fclose(user_fp);
+@@ -543,7 +547,7 @@
+ 	default:
+ 		sprintf(lbuf, " %d (unknown)", data[3]);
+ 		strncpy((char *)buf, lbuf, buflen);
+-	common2:
++/*	common2: */
+ 		BUMP(buf, buflen);
+ 		for (i = 4; i < cnt; i++) {
+ 			sprintf(lbuf, " %d", data[i]);
+@@ -568,7 +572,7 @@
+ #endif /* SSLEAY8 */
+ {
+     static char *saved_subject=NULL;
+-    X509 *peer;
++    /*    X509 *peer; */
+     char *subject, *issuer;
+ #ifdef SSLEAY8
+     int depth,error;
+@@ -715,8 +719,8 @@
+ int depth, error;
+ #endif /* SSLEAY8 */
+ {
+-    X509 *peer;
+-    char *subject, *issuer;
++  /*    X509 *peer; */
++    char *subject, *issuer, *cnsubj;
+ #ifdef SSLEAY8
+     int depth,error;
+     char *xs;
+@@ -727,13 +731,13 @@
+ 
+ #endif /* SSLEAY8 */
+ 
+-#ifdef LOCAL_DEBUG
+-    fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n",
+-    	depth,ok,error,X509_cert_verify_error_string(error));
+-    fflush(stderr);
+-#endif /* LOCAL_DEBUG */
++    if(ssl_debug_flag && !ok) {
++      fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n",
++	      depth,ok,error,X509_verify_cert_error_string(error));
++      fflush(stderr);
++    }
+ 
+-    subject=issuer=NULL;
++    subject=issuer=cnsubj=NULL;
+ 
+     /* first thing is to have a meaningful name for the current
+      * certificate that is being verified ... and if we cannot
+@@ -761,60 +765,77 @@
+ 	fflush(stderr);
+     }
+ 
+-    /* if the server is using a self signed certificate then 
+-     * we need to decide if that is good enough for us to 
+-     * accept ... 
+-     */
+-    if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) {
+-	if (ssl_cert_required) {
+-	    /* make 100% sure that in secure more we drop the 
+-	     * connection if the server does not have a 
+-	     * real certificate!
+-	     */
+-	    fprintf(stderr,"SSL: rejecting connection - server has a self-signed certificate\n");
+-	    fflush(stderr);
+-
+-            /* sometimes it is really handy to be able to debug things
+-	     * and still get a connection!
+-	     */
+-	    if (ssl_debug_flag) {
+-		fprintf(stderr,"SSL: debug -> ignoring cert required!\n");
+-		fflush(stderr);
+-		ok=1;
+-	    } else {
+-		ok=0;
+-	    }
+-	    goto return_time;
+-	} else {
+-	    ok=1;
+-	    goto return_time;
+-	}
++    /* verify commonName matches hostname */
++    if(ssl_cert_required && depth == 0) {
++      char *cn,*p;	
++	  
++      cnsubj=strdup(subject);
++      if(cnsubj == NULL) {
++	fprintf(stderr,"SSL: Out of memory.\n");
++	ok=0;
++	goto return_time;
++      }
++      cn=strstr(cnsubj,"/CN=");
++      if(cn == NULL) {
++	fprintf(stderr,"SSL: Cannot extract CN from certificate subject.\n");
++	ok=0;
++	goto return_time;
++      }
++      cn+=4; /* skip /CN= */
++      p=strchr(cn,'/');
++      if(p != NULL) {
++	*p='\0';
++      }
++      if(strcasecmp(cn,RemoteHostName) != 0) {
++	fprintf(stderr,"SSL: Certificate CN (%s) does not match hostname (%s)\n",
++		cn,RemoteHostName);
++	ok=0;
++	goto return_time;
++      }
+     }
+ 
+-    /* if we have any form of error in secure mode we reject the connection */
+-    if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) {
+-	if (ssl_cert_required) {
+-	    fprintf(stderr,"SSL: rejecting connection - ");
+-	    if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
+-		fprintf(stderr,"unknown issuer: %s\n",issuer);
+-	    } else {
+-		ERR_print_errors(bio_err);
+-	    }
+-	    fflush(stderr);
+-	    ok=0;
+-	    goto return_time;
+-	} else {
+-	    /* be nice and display a lot more meaningful stuff 
+-	     * so that we know which issuer is unknown no matter
+-	     * what the callers options are ...
+-	     */
+-	    if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) {
+-		fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
+-		fflush(stderr);
+-	    }
+-	}
++    if((error==VERIFY_OK) || (error==VERIFY_ROOT_OK)) {
++      goto return_time;
+     }
+ 
++    switch(error) {
++    case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
++      fprintf(stderr,"SSL: Server has a self-signed certificate\n");
++    case VERIFY_ERR_UNABLE_TO_GET_ISSUER:
++      fprintf(stderr,"SSL: unknown issuer: %s\n",issuer);
++      break;
++    case X509_V_ERR_CERT_NOT_YET_VALID:
++      fprintf(stderr,"SSL: Certificate not yet valid\n");
++      BIO_printf(bio_err,"notBefore=");
++      ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
++      BIO_printf(bio_err,"\n");
++      break;
++    case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
++      fprintf(stderr,"SSL: Error in certificate notBefore field\n");
++      BIO_printf(bio_err,"notBefore=");
++      ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert));
++      BIO_printf(bio_err,"\n");
++      break;
++    case X509_V_ERR_CERT_HAS_EXPIRED:
++      fprintf(stderr,"SSL: Certificate has expired\n");
++      BIO_printf(bio_err,"notAfter=");
++      ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
++      BIO_printf(bio_err,"\n");
++      break;
++    case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
++      fprintf(stderr,"SSL: Error in certificate notAfter field\n");
++      BIO_printf(bio_err,"notAfter=");
++      ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert));
++      BIO_printf(bio_err,"\n");
++      break;
++    default:
++      fprintf(stderr,"SSL: %s (%d)\n", X509_verify_cert_error_string(error),error);
++      break;
++    }
++
++    /* If we are here there was an error */
++    ok=0;
++    
+ return_time: ;
+ 
+     /* clean up things */
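Review bot: The hostname check takes the first `/CN=` found in the flattened subject string, so a certificate whose earlier attribute value contains the text `/CN=` is compared on that embedded text rather than on the real commonName, and subjectAltName entries are never consulted. Reading the entry from the name structure, `X509_NAME_get_text_by_NID(X509_get_subject_name(ctx->current_cert), NID_commonName, cn, sizeof cn)`, avoids the string parsing, and OpenSSL releases that provide `X509_check_host()` should use that instead. `subject` and `RemoteHostName` reach `strdup` and `strcasecmp` without a NULL check, and whether either can be NULL here is decided outside the hunk. The `VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT` case has no `break`; if falling through to the unknown-issuer message is intended, mark it with `/* fallthrough */`. The function body starts and ends outside this hunk.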
+@@ -822,7 +843,20 @@
+ 	free(subject);
+     if (issuer!=NULL)
+ 	free(issuer);
+-
++    if (cnsubj!=NULL)
++	free(cnsubj);
++    if(!ok && ssl_cert_required) {
++      if(ssl_debug_flag) {
++	fprintf(stderr,"SSL: debug -> ignoring cert required!\n");
++	ok=1;
++      }
++      else {
++	fprintf(stderr,"SSL: Rejecting connection\n");
++	ok=0;
++      }
++    }
++    fflush(stderr);
++      
+     return ok;
+ }
+ 
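Review bot: With `ssl_debug_flag` set, the new block after `return_time` turns every failed verification back into `ok=1`, which now covers a CN/hostname mismatch and expired certificates, not only the self-signed case the removed code exempted. A diagnostic switch that also disables certificate enforcement is easy to leave on by accident, so keep `ok=0` whenever `ssl_cert_required` is set and put any override behind its own explicit option. If the override stays, the message should state the consequence, e.g. `fprintf(stderr,"SSL: WARNING - certificate NOT verified, continuing only because debug is set\n");`.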
+diff -ur netkit-telnet-ssl-0.17.24+0.1/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/Makefile	2004-05-27 11:47:25.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/Makefile	2010-05-11 14:19:36.673445641 +0200
+@@ -1,7 +1,7 @@
+ # You can do "make SUB=blah" to make only a few, or edit here, or both
+ # You can also run make directly in the subdirs you want.
+ 
+-SUB =   telnet telnetd telnetlogin
++SUB =   libtelnet telnet telnetd
+ 
+ %.build:
+ 	(cd $(patsubst %.build, %, $@) && $(MAKE))
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc	2000-07-23 05:24:53.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc	2010-05-11 13:44:40.056990450 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)authenc.c	5.1 (Berkeley) 3/1/91
+  */
+ char au_rcsid[] = 
+-  "$Id: authenc.cc,v 1.6 2000/07/23 03:24:53 dholland Exp $";
++  "$Id: authenc.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #if	defined(ENCRYPT) || defined(AUTHENTICATE)
+ #include <sys/types.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc	2010-05-11 13:44:40.060322107 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)commands.c	5.5 (Berkeley) 3/22/91
+  */
+ char cmd_rcsid[] = 
+-  "$Id: commands.cc,v 1.34 2000/07/23 04:16:24 dholland Exp $";
++  "$Id: commands.cc,v 1.13 2007-10-04 21:38:18 ianb Exp $";
+ 
+ #include <string.h>
+ 
+@@ -653,6 +653,21 @@
+     return 1;
+ }
+ 
++#ifdef AUTHENTICATE
++
++static int tog_autologin(int) {
++  if(autologin == 0) {
++    autologin=1;
++    env_export("USER");
++  }
++  else {
++    autologin=0;
++    env_unexport("USER");
++  }	
++  return 1;
++}
++
++#endif /* AUTHENTICATE */
+ 
+ static int netdata;		/* Print out network data flow */
+ static int prettydump;	/* Print "netdata" output in user readable format */
+@@ -682,13 +697,13 @@
+ 
+ #if	defined(AUTHENTICATE)
+     { "autologin", "automatic sending of login and/or authentication info",
+-      NULL, &autologin,
++      tog_autologin, NULL,
+       "send login name and/or authentication information" },
+     { "authdebug", "Toggle authentication debugging",
+       auth_togdebug, NULL,
+       "print authentication debugging information" },
+ #endif
+-#if 0
++#ifdef ENCRYPT
+     { "autoencrypt", "automatic encryption of data stream",
+       EncryptAutoEnc, NULL,
+       "automatically encrypt output" },
+@@ -701,7 +716,7 @@
+     { "encdebug", "Toggle encryption debugging",
+       EncryptDebug, NULL,
+       "print encryption debugging information" },
+-#endif
++#endif /* ENCRYPT */
+ 
+     { "skiprc", "don't read the telnetrc files",
+       NULL, &skiprc,
+@@ -750,7 +765,7 @@
+       NULL, &showoptions,
+       "show option processing" },
+ 
+-    { "termdata", "(debugging) toggle printing of hexadecimal terminal data",
++    { "termdata", "toggle printing of hexadecimal terminal data (debugging)",
+       NULL, &termdata,
+       "print hexadecimal representation of terminal traffic" },
+ 
+@@ -1357,9 +1372,9 @@
+ 	    else
+ 		shellname++;
+ 	    if (argc > 1)
+-		execl(shellp, shellname, "-c", &saveline[1], 0);
++		execl(shellp, shellname, "-c", &saveline[1], (char *) NULL);
+ 	    else
+-		execl(shellp, shellname, 0);
++		execl(shellp, shellname, (char *) NULL);
+ 	    perror("Execl");
+ 	    _exit(1);
+ 	}
+@@ -1510,10 +1525,10 @@
+ 
+ #if	defined(AUTHENTICATE)
+ struct authlist {
+-	char	*name;
+-	char	*help;
+-	int	(*handler)(const char *, const char *);
+-	int	narg;
++    const char	*name;
++    const char	*help;
++    int	(*handler)(const char *, const char *);
++    int	narg;
+ };
+ 
+ static int auth_help (const char *, const char *);
+@@ -1833,8 +1848,22 @@
+ 	if (*portp == '-') {
+ 	    portp++;
+ 	    telnetport = 1;
+-	} else
++	} else {
+ 	    telnetport = 0;
++	    if (*portp >='0' && *portp<='9') {
++	       char *end;
++	       long int p;
++
++	       p=strtol(portp, &end, 10);
++	       if (ERANGE==errno && (LONG_MIN==p || LONG_MAX==p)) {
++	          fprintf(stderr, "telnet: port %s overflows\n", portp);
++		  return 0;
++	       } else if (p<=0 || p>=65536) {
++	          fprintf(stderr, "telnet: port %s out of range\n", portp);
++		  return 0;
++	       }
++	    }
++	}
+     }
+     else {
+ 	portp = "telnet";
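Review bot: `end` is filled by `strtol` but never examined, so a port such as `23abc` passes the range check and is handed on unchanged; add `if (*end != '\0') { fprintf(stderr, "telnet: bad port %s\n", portp); return 0; }`. Set `errno = 0;` immediately before the call, otherwise the `ERANGE` test can see a value left by an earlier library call. The enclosing function starts and ends outside the hunk, and whether `<errno.h>` and `<limits.h>` are already included is not visible here.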
+@@ -1860,7 +1889,7 @@
+ 	if (res < 0)
+ 	    return 0;
+     }
+-        
++
+     /* Resolve both the host and service simultaneously. */
+     res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr);
+     if (res == EAI_NONAME) {
+@@ -1902,6 +1931,16 @@
+ 		    NI_NUMERICHOST | NI_NUMERICSERV);
+ 
+ 	printf("Trying %s...\n", name);
++
++	if (tmpaddr->ai_canonname == 0) {
++	  hostname = new char[strlen(hostp)+1];
++	  strcpy(hostname, hostp);
++	}
++	else {
++	  hostname = new char[strlen(tmpaddr->ai_canonname)+1];
++	  strcpy(hostname, tmpaddr->ai_canonname);
++	}
++
+ 	x = nlink.connect(debug, tmpaddr, srp, srlen, tos);
+ 	if (!x)
+ 	    goto err;
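Review bot: `hostname` is now allocated with `new char[]` on every pass of the address loop and nothing in the hunk releases the previous buffer, so each address that fails and jumps to `nextaddr` leaks one allocation; add `delete [] hostname;` before the reassignment if `hostname` is always null or heap-owned at this point (its initial value is outside the hunk). `ai_canonname` is normally filled only on the first `addrinfo` entry, so later iterations silently fall back to `hostp`. If this name is what the certificate CN is later compared against, prefer the name the user typed (`hostp`) over a resolver-supplied canonical name, since the latter is derived from DNS data rather than from the user's intent; that link is not visible in this hunk.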
+@@ -1909,18 +1948,18 @@
+ 	    goto nextaddr;
+ 
+ 	connected++;
++
++#ifdef USE_SSL
++	if (ssl_secure_flag || (strcmp(hostp, "localhost") != 0)) {
++	  /* autologin = 1; */
++	  use_authentication=1;
++	}
++#endif /* USE_SSL */
++
+ #if	defined(AUTHENTICATE)
+ 	auth_encrypt_connect(connected);
+ #endif
+     } while (connected == 0);
+-    if (tmpaddr->ai_canonname == 0) {
+-	hostname = new char[strlen(hostp)+1];
+-	strcpy(hostname, hostp);
+-    }
+-    else {
+-	hostname = new char[strlen(tmpaddr->ai_canonname)+1];
+-	strcpy(hostname, tmpaddr->ai_canonname);
+-    }
+ 
+     cmdrc(hostp, hostname, portp);
+     freeaddrinfo(hostaddr);
+@@ -1966,6 +2005,9 @@
+ #if	defined(AUTHENTICATE)
+ 	authhelp[] =	"turn on (off) authentication ('auth ?' for more)",
+ #endif
++#if	defined(USE_SSL)
++	startsslhelp[] = "switch to telnet-over-ssl (use 'auth' for ssl-over-telnet)",
++#endif
+ 	zhelp[] =	"suspend telnet",
+ /*	shellhelp[] =	"invoke a subshell", */
+ 	envhelp[] =	"change environment variables ('environ ?' for more)",
+@@ -1981,6 +2023,34 @@
+     return 0;
+ }
+ 
++#if defined(USE_SSL)
++static int startssl_cmd(void)
++{
++	if(ssl_con == NULL)
++	{
++		fprintf(stderr,"telnet: Internal error - ssl_con not initialised.\n");
++		return 1;
++	}
++
++	if(ssl_active_flag)
++	{
++		fprintf(stderr,"telnet: SSL already in use.\n");
++		return 1;
++	}
++  
++	if (SSL_connect(ssl_con) < 1)
++	{
++		ERR_print_errors_fp(stderr);
++		fflush(stderr);
++	} else {
++		display_connect_details(ssl_con,ssl_debug_flag);
++		ssl_active_flag=1;
++		ssl_only_flag=1;
++	}
++	return 1;
++}
++#endif /* USE_SSL */
++
+ static int slc_mode_import_0(void) {
+     slc_mode_import(0);
+     return 1;
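Review bot: When `SSL_connect` fails, `startssl_cmd` prints the OpenSSL errors and returns 1 with the session still open, so the user can keep typing on a connection that is not encrypted. Closing the connection on failure, or at least printing an explicit line such as `fprintf(stderr,"telnet: SSL negotiation failed - connection is NOT encrypted\n");`, makes the state unambiguous. This path also shows no `SSL_set_verify` call or hostname check, unlike the `auth` path in ssl.c; if verification is not configured where `ssl_con` is created, the peer certificate is accepted unchecked here.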
+@@ -2028,6 +2098,10 @@
+ #endif
+     // BIND("encrypt", encrypthelp, encrypt_cmd);
+ 
++#if	defined(USE_SSL)
++	BIND("startssl", startsslhelp, startssl_cmd);
++#endif
++
+     BIND("z", zhelp, suspend);
+ 
+ #if defined(TN3270)   /* why?! */
+@@ -2233,22 +2307,18 @@
+ }
+ 
+ void cmdrc(const char *m1, const char *m2, const char *port) {
+-    static char *rcname = 0;
+-    static char rcbuf[128];
++    char *rcname = NULL;
+ 
+     if (skiprc) return;
+ 
+     readrc(m1, m2, port, "/etc/telnetrc");
+-    if (rcname == 0) {
+-	rcname = getenv("HOME");
+-	if (rcname)
+-	    strcpy(rcbuf, rcname);
+-	else
+-	    rcbuf[0] = '\0';
+-	strcat(rcbuf, "/.telnetrc");
+-	rcname = rcbuf;
+-    }
++    if (asprintf (&rcname, "%s/.telnetrc", getenv ("HOME")) == -1)
++      {
++        perror ("asprintf");
++        return;
++      }
+     readrc(m1, m2, port, rcname);
++    free (rcname);
+ }
+ 
+ #if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP)
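Review bot: `getenv ("HOME")` can return NULL, and passing NULL to `%s` is undefined behaviour; with glibc it produces the relative path `(null)/.telnetrc`, so an rc file below the current directory would be read instead of the user's own. The removed code handled the unset case explicitly. Guard it before formatting, `const char *home = getenv("HOME"); if (home == NULL) return;`, and pass `home` to `asprintf`.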
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h	2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)defines.h	5.1 (Berkeley) 9/14/90
+- *	$Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $
++ *	$Id: defines.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ #define ENV_VAR NEW_ENV_VAR
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h	2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)externs.h	5.3 (Berkeley) 3/22/91
+- *	$Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $
++ *	$Id: externs.h,v 1.2 2004-11-17 15:28:51 ianb Exp $
+  */
+ 
+ #ifndef	BSD
+@@ -57,6 +57,7 @@
+ #define	SUBBUFSIZE	256
+ 
+ extern int autologin;		/* Autologin enabled */
++extern int use_authentication;		/* use SSL authentication */
+ extern int skiprc;		/* Don't process the ~/.telnetrc file */
+ extern int eight;		/* use eight bit mode (binary in and/or out) */
+ extern int binary;		/* use binary option (in and/or out) */
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h	1996-07-16 07:17:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h	2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)fdset.h	5.1 (Berkeley) 9/14/90
+- *	$Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
++ *	$Id: fdset.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/general.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/general.h	1996-07-16 07:17:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h	2010-05-11 13:44:40.063654881 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)general.h	5.2 (Berkeley) 3/1/91
+- *	$Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $
++ *	$Id: general.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc	1996-07-26 11:54:09.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc	2010-05-11 13:44:40.063654881 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)genget.c	5.1 (Berkeley) 2/28/91
+  */
+ char gg_rcsid[] = 
+-  "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $";
++  "$Id: genget.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <string.h>
+ #include <ctype.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc	2010-05-11 13:44:40.083654043 +0200
+@@ -11,8 +11,9 @@
+   printsub_h(direction, pointer, length);
+ }
+ 
+-extern "C" void writenet(const char *str, int len) {
++extern "C" int writenet(const char *str, int len) {
+   netoring.write(str, len);
++  return 1;
+ }
+ 
+ extern "C" int telnet_spin() {
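Review bot: `writenet` now returns a constant 1 whatever `netoring.write` did, while ssl.c passes that value on to its caller (`return(writenet(...))`), so a failed or short write is reported as success. If `netoring.write` has a usable result, return it; otherwise add a comment that the value is a placeholder. The definition takes `const char *` but the new prototype in auth-proto.h says `char *`, which is what forces the `(char *)` casts added across auth.c and ssl.c; declaring `extern int writenet P((const char *, int));` would make them unnecessary.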
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc	2010-05-11 13:44:40.066988214 +0200
+@@ -39,7 +39,7 @@
+  * From: @(#)main.c	5.4 (Berkeley) 3/22/91
+  */
+ char main_rcsid[] = 
+-  "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $";
++  "$Id: main.cc,v 1.6 2004-11-22 20:26:37 ianb Exp $";
+ 
+ #include "../version.h"
+ 
+@@ -86,16 +86,27 @@
+  *       -X <atype> disable specified auth type
+  */ 
+ void usage(void) {
+-    fprintf(stderr, "Usage: %s %s%s%s%s\n",
++    fprintf(stderr, "Usage: %s %s%s%s%s%s\n",
+ 	    prompt,
++#ifdef	AUTHENTICATE
++	    "[-4] [-6] [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char]",
++	    "\n\t[-l user] [-n tracefile] [ -b addr ]",
++#else
+ 	    "[-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]",
+ 	    "\n\t[-n tracefile] [ -b addr ]",
++#endif
+ #ifdef TN3270
+ 	    "\n\t"
+ 	    "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t",
+ #else
+ 	    " [-r] ",
+ #endif
++#ifdef USE_SSL
++        /* might as well output something useful here ... */
++	"\n\t[-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t[-z cert=file] [-z key=file]\n\t",
++#else /* !USE_SSL */
++        "",
++#endif /* USE_SSL */
+ 	    "[host-name [port]]"
+ 	);
+ 	exit(1);
+@@ -135,8 +146,73 @@
+ 	autologin = -1;
+ 
+ 	while ((ch = getopt(argc, argv,
+-			    "4678EKLS:X:ab:de:k:l:n:rt:x")) != EOF) {
++			    "4678EKLS:X:ab:de:k:l:n:rt:xz:")) != EOF) {
+ 		switch(ch) {
++#ifdef USE_SSL
++                case 'z':
++		        { 
++			char *origopt;
++
++			origopt=strdup(optarg);
++			optarg=strtok(origopt,",");
++
++			while(optarg!=NULL) {
++
++		        if (strcmp(optarg, "debug") == 0 ) {
++			    ssl_debug_flag=1;
++			} else if (strcmp(optarg, "authdebug") == 0 ) {
++			    auth_debug_mode=1;
++			} else if (strcmp(optarg, "ssl") == 0 ) {
++			    ssl_only_flag=1;
++			} else if ( (strcmp(optarg, "!ssl") == 0) ||
++		             (strcmp(optarg, "nossl") == 0) ) {
++			    /* we may want to switch SSL negotiation off
++			     * for testing or other reasons 
++			     */
++			    ssl_disabled_flag=1;
++			} else if (strcmp(optarg, "certrequired") == 0 ) {
++			    ssl_cert_required=1;
++			} else if (strcmp(optarg, "secure") == 0 ) {
++			    ssl_secure_flag=1;
++			} else if (strcmp(optarg, "verbose") == 0 ) {
++			    ssl_verbose_flag=1;
++			} else if (strncmp(optarg, "verify=", 
++			                        strlen("verify=")) == 0 ) {
++			    ssl_verify_flag=atoi(optarg+strlen("verify="));
++			} else if (strncmp(optarg, "cert=", 
++			                        strlen("cert=")) == 0 ) {
++			    ssl_cert_file= optarg + strlen("cert=");
++			} else if (strncmp(optarg, "key=", 
++			                        strlen("key=")) == 0 ) {
++			    ssl_key_file= optarg + strlen("key=");
++			} else if (strncmp(optarg,"cipher=",
++			                strlen("cipher="))==0) {
++			    ssl_cipher_list=optarg+strlen("cipher=");
++			} else {
++			    /* report when we are given rubbish so that
++			     * if the user makes a mistake they have to
++			     * correct it!
++			     */
++			    fprintf(stderr,"Unknown SSL option %s\n",optarg);
++			    fflush(stderr);
++			    exit(1);
++			}
++
++			/* get the next one ... */
++                        optarg=strtok(NULL,",");
++
++			}
++
++			/*
++			if (origopt!=NULL)
++			    free(origopt);
++			*/
++
++			}
++
++			break;
++#endif /* USE_SSL */
++
+ 		case '4':
+ 			family = AF_INET;
+ 			break;
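Review bot: The `verify=` value is parsed with `atoi`, so a mistyped or empty value such as `verify=on` silently becomes 0, which cannot be told apart from a request for no peer verification, while every other unknown `-z` token is rejected with an error. Parse it with `strtol` and reject trailing characters or out-of-range values the same way the final `else` branch does. The commented-out `free(origopt)` needs a one-line reason: `ssl_cert_file`, `ssl_key_file` and `ssl_cipher_list` keep pointers into that buffer, so it has to stay allocated. `strdup` can also return NULL, and that result is passed straight to `strtok`. The enclosing function starts and ends outside this hunk.

```cpp
			// … unchanged: debug, authdebug, ssl, nossl, certrequired, secure, verbose …
			} else if (strncmp(optarg, "verify=",
			                        strlen("verify=")) == 0 ) {
			    const char *val = optarg + strlen("verify=");
			    char *end;
			    long v = strtol(val, &end, 10);

			    /* reject "verify=", "verify=on", "verify=1x" and values
			     * that do not fit the int flag instead of reading them as 0
			     */
			    if (end == val || *end != '\0' || v < 0 || v != (int)v) {
				fprintf(stderr,"Invalid SSL verify value %s\n",val);
				fflush(stderr);
				exit(1);
			    }
			    ssl_verify_flag=(int)v;
			// … unchanged: cert=, key=, cipher= and unknown-option branches …
```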
+@@ -257,14 +333,25 @@
+ 		autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1;
+ 
+ #ifdef USE_SSL
++	if((ssl_cert_file != NULL) || (ssl_key_file != NULL)) {
++	  autologin = 1;
++	}
++
+         if (ssl_secure_flag||ssl_cert_required) {
+ 	    /* in secure mode we *must* switch on the base level
+ 	     * verify checking otherwise we cannot abort connections
+ 	     * at the right place!
+ 	     */
+ 	    if (ssl_verify_flag == 0)
+-		ssl_verify_flag = 1;
++		ssl_verify_flag = SSL_VERIFY_PEER;;
+ 	}
++
++	/* client mode ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
++	   so simulate it using certrequired */
++	if(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) {
++	  ssl_cert_required=1;
++	}
++	
+ #endif /* USE_SSL */
+ 
+ 	argc -= optind;
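Review bot: In the `ssl_secure_flag||ssl_cert_required` branch, `SSL_VERIFY_PEER` is applied only when `ssl_verify_flag == 0`, so a `verify=` value that is non-zero but lacks the peer bit leaves peer verification off even in secure mode. The added `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` block sets `ssl_cert_required` only after that branch has been evaluated, so that path never gets the peer bit either. Move the new block above the secure-mode check and OR the bit in, `ssl_verify_flag |= SSL_VERIFY_PEER;`, which also removes the stray second semicolon in `ssl_verify_flag = SSL_VERIFY_PEER;;`. How the flag is consumed is outside this hunk, so confirm against the verify callback.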
+@@ -289,11 +376,6 @@
+ 			*argp++ = family == AF_INET ? "-4" : "-6";
+ 		}
+ 		*argp++ = argv[0];		/* host */
+-#ifdef USE_SSL
+-		if (strcmp(argv[0], "localhost") != 0) {
+-		  autologin = 1;
+-		}
+-#endif /* USE_SSL */
+ 		if (argc > 1)
+ 			*argp++ = argv[1];	/* port */
+ 		*argp = 0;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile	2010-05-11 13:44:40.056990450 +0200
+@@ -6,15 +6,18 @@
+ #CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS))
+ 
+ # -DAUTHENTICATE
+-CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE
+-LIBS = $(LIBTERMCAP)
++CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -DAUTHENTICATE -DUSE_SSL \
++	-I/usr/include/openssl -I../
++LIBTELNET = ../libtelnet/libtelnet.a 
++LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto
+ 
+ SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \
+-	terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc
++	terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc \
++	glue.cc glue2.cc
+ 
+ OBJS = $(patsubst %.cc, %.o, $(SRCS))
+ 
+-telnet: $(OBJS)
++telnet: $(OBJS) $(LIBTELNET)
+ 	$(CXX) $(LDFLAGS) $^ $(LIBS) -o $@
+ 
+ include depend.mk
+@@ -22,7 +25,7 @@
+ 	$(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk
+ 
+ install: telnet
+-	install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl
++	install -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl
+ 	install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1/telnet-ssl.1
+ 
+ clean:
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc	2010-05-11 13:44:40.066988214 +0200
+@@ -12,12 +12,27 @@
+ #include "proto.h"
+ #include "ring.h"
+ #include <libtelnet/sslapp.h>
++#include <libtelnet/misc-proto.h>
+ 
+ /* In Linux, this is an enum */
+ #if defined(__linux__) || defined(IPPROTO_IP)
+ #define HAS_IPPROTO_IP
+ #endif
+ 
++/* code from Peter 'Luna' Runestig <peter@runestig.com> */
++static int select_read(int rfd)
++/* timeout = 20 seconds */
++{
++    fd_set rfds;
++    struct timeval tv;
++
++    FD_ZERO(&rfds);
++    FD_SET(rfd, &rfds);
++    tv.tv_sec = 20;
++    tv.tv_usec = 0;
++    return select(rfd + 1, &rfds, NULL, NULL, &tv);
++}
++
+ netlink nlink;
+ 
+ class netchannel : public ringbuf::source {
+@@ -26,12 +41,23 @@
+ 	int net = nlink.getfd();
+ 	int l;
+ #ifdef USE_SSL
+-	if (ssl_active_flag)
+-	  l = SSL_read(ssl_con, buf, maxlen);
+-	else
++	if (ssl_active_flag) {
++	    do {
++		l = SSL_read(ssl_con, buf, maxlen);
++		/*
++		 * SSL_ERROR_WANT_READ may occur if an SSL/TLS rehandshake occurs.
++		 * This means that data was available at the socket, but all was
++		 * consumed by SSL itself, so we select (w/20s timeout)  and retry.
++		 */
++	    } while (l<0 &&
++		     (SSL_ERROR_WANT_READ == SSL_get_error(ssl_con, l)) &&
++		     (select_read(net) > 0));
++        } else
+ #endif /* USE_SSL */
+-	l = recv(net, buf, maxlen, 0);
+-	if (l<0 && errno == EWOULDBLOCK) l = 0;
++        {
++  	    l = recv(net, buf, maxlen, 0);
++	    if (l<0 && errno == EWOULDBLOCK) l = 0;
++        }
+ 	return l;
+     }
+ };
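Review bot: When `select_read()` times out or fails, the retry loop exits with `l` still negative and that value is returned as is, whereas the `recv` branch maps the equivalent `EWOULDBLOCK` case to 0. If the caller (outside this hunk) treats a negative return as a dead connection, a slow rehandshake would end the session; consider keeping the result of `SSL_get_error` in a local and returning 0 for `SSL_ERROR_WANT_READ` after the loop. The loop also ignores `SSL_ERROR_WANT_WRITE`, which `SSL_read` can report during a rehandshake as well. The 20 second wait is hard-coded in `select_read()` in the previous hunk; a named constant there would keep this comment and the code in step.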
+@@ -70,11 +96,11 @@
+ 
+ 
+ netlink::netlink() { net = -1; }
+-netlink::~netlink() { ::close(net); }
++netlink::~netlink() { if (net >= 0) ::close(net); }
+ 
+ 
+ int netlink::setdebug(int debug) {
+-    if (net > 0 &&
++    if (net >= 0 &&
+ 	(setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) {
+ 	perror("setsockopt (SO_DEBUG)");
+     }
+@@ -95,7 +121,8 @@
+ 	ssl_active_flag=0;
+     }
+ #endif /* USE_SSL */
+-    ::close(net);
++    if (net >= 0)
++       ::close(net);
+     net = -1;
+ }
+ 
+@@ -142,7 +169,8 @@
+ {
+     int on=1;
+     int res;
+-
++    extern char *hostname;
++    
+     res = socket(addr->ai_family);
+     if (res < 2)
+ 	return res;
+@@ -192,10 +220,24 @@
+ 	/* bind in the network descriptor */
+     	SSL_set_fd(ssl_con,net);
+ 
++#if defined(AUTHENTICATE)
++	/* moved from telnet() so client_verify_callback knows RemoteHostName -ianb */
++	{
++	  static char local_host[256] = { 0 };
++	  int len = sizeof(local_host);
++
++	  if (!local_host[0]) {
++	    gethostname(local_host, len);        /* WAS &len!!! */
++	    local_host[sizeof(local_host)-1] = 0;
++	  }
++	  auth_encrypt_init(local_host, hostname, "TELNET", 0);
++	}
++#endif
++
+ 	/* if we are doing raw SSL then start it now ... */
+ 	if (ssl_only_flag) {
+ 	    if (!SSL_connect(ssl_con)) {
+-		static char errbuf[1024];
++	      /* static char errbuf[1024]; */
+ 
+ 		ERR_print_errors_fp(stderr);
+ 		perror("SSL_connect");
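Review bot: The `if (!SSL_connect(ssl_con))` test that this hunk leaves in place only catches a return of 0. `SSL_connect` returns a negative value on a fatal handshake error, which this condition treats as success, so the `-z ssl` path can carry on with a connection whose handshake failed. Use `if (SSL_connect(ssl_con) <= 0) {`. In the added block the result of `gethostname` is not checked, so on failure an empty `local_host` is passed to `auth_encrypt_init`; the dead `errbuf` declaration is better deleted than commented out. The function body starts and ends outside this hunk.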
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc	2010-05-11 13:44:40.066988214 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)network.c	5.2 (Berkeley) 3/1/91
+  */
+ char net_rcsid[] = 
+-  "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $";
++  "$Id: network.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <sys/types.h>
+ #include <sys/socket.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h	2010-05-11 13:44:40.070321269 +0200
+@@ -10,9 +10,11 @@
+ int TerminalSpecialChars(int);
+ void TerminalSpeeds(long *ispeed, long *ospeed);
+ int TerminalWindowSize(long *rows, long *cols);
++#if 0
+ void auth_encrypt_user(char *);
+ void auth_name(unsigned char *, int);
+ void auth_printsub(unsigned char *, int, unsigned char *, int);
++#endif
+ void cmdrc(const char *, const char *, const char *);
+ void env_init(void);
+ int getconnmode(void);
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc	2010-05-11 13:44:40.070321269 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)ring.c	5.2 (Berkeley) 3/1/91
+  */
+ char ring_rcsid[] =
+-  "$Id: ring.cc,v 1.23 2000/07/23 03:25:09 dholland Exp $";
++  "$Id: ring.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ /*
+  * This defines a structure for a ring buffer. 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h	2010-05-11 13:44:40.070321269 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)ring.h	5.2 (Berkeley) 3/1/91
+- *	$Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $
++ *	$Id: ring.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ class datasink {
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc	2010-05-11 13:44:40.070321269 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)sys_bsd.c	5.2 (Berkeley) 3/1/91
+  */
+ char bsd_rcsid[] = 
+-  "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $";
++  "$Id: sys_bsd.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ /*
+  * The following routines try to encapsulate what is system dependent
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1	2010-05-11 13:44:40.073654603 +0200
+@@ -30,7 +30,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\"	from: @(#)telnet.1	6.16 (Berkeley) 7/27/91
+-.\"	$Id: telnet.1,v 1.15 2000/07/30 23:57:08 dholland Exp $
++.\"	$Id: telnet.1,v 1.5 2006-09-24 00:48:31 ianb Exp $
+ .\"
+ .Dd August 15, 1999
+ .Dt TELNET 1
+@@ -42,12 +42,14 @@
+ protocol
+ .Sh SYNOPSIS
+ .Nm telnet
+-.Op Fl 468ELadr
++.Op Fl 468EKLadr
+ .Op Fl S Ar tos
++.Op Fl X Ar authtype
+ .Op Fl b Ar address
+ .Op Fl e Ar escapechar
+ .Op Fl l Ar user
+ .Op Fl n Ar tracefile
++.Op Fl z Ar option
+ .Oo
+ .Ar host
+ .Op Ar port
+@@ -152,44 +154,47 @@
+ command below.
+ .It Fl z Ar option
+ Set SSL (Secure Socket Layer) parameters. The default is to negotiate
+-via telnet protocoll if SSL is availlable at server side and then to
++via telnet protocol if SSL is available at server side and then to
+ switch it on. In this mode you can connect to both conventional and
+-SSL enhanced telnetd's.
++SSL enhanced telnetd's. If the connection is made to localhost and 
++.Ic -z secure
++is not set, then
++SSL is not enabled.
+ .Pp
+ The SSL parameters are:
+ .Bl -tag -width Fl
+-.It Ic Ar debug
++.It Ic debug
+ Send SSL related debugging information to stderr.
+-.It Ic Ar authdebug
++.It Ic authdebug
+ Enable authentication debugging.
+-.It Ic Ar ssl
++.It Ic ssl
+ Negotiate SSL at first, then use telnet protocol. In this mode you can
+ connect to any server supporting directly SSL like Apache-SSL. Use
+ .Ic telnet -z ssl ssl3.netscape.com https
+ for example. telnet protocol negotiation goes encrypted.
+-.It Ic Ar nossl, Ar !ssl
+-switch of SSL negotiation
+-.It Ic Ar certrequired
+-client certificate is mandatory
+-.It Ic Ar secure
++.It Ic nossl, Ic !ssl
++switch off SSL negotiation
++.It Ic certrequired
++server certificate is mandatory
++.It Ic secure
+ Don't switch back to unencrypted mode (no SSL) if SSL is not available.
+-.It Ic Ar verbose
++.It Ic verbose
+ Be verbose about certificates etc.
+-.It Ic Ar verify=int
++.It Ic verify= Ns Ar int
+ .\" TODO
+ Set the SSL verify flags (SSL_VERIFY_* in 
+ .Ar ssl/ssl.h
+ ).
+ .\" TODO
+-.It Ic Ar cert=cert_file
++.It Ic cert= Ns Ar cert_file
+ .\" TODO
+ Use the certificate(s) in
+ .Ar cert_file .
+-.It Ic Ar key=key_file
++.It Ic key= Ns Ar key_file
+ .\" TODO
+ Use the key(s) in
+ .Ar key_file .
+-.It Ic Ar cipher=ciph_list
++.It Ic cipher= Ns Ar ciph_list
+ .\" TODO
+ Set the preferred ciphers to
+ .Ar ciph_list .
+@@ -319,10 +324,6 @@
+ List the current status of the various types of
+ authentication.
+ .El
+-.Pp
+-Note that the current version of 
+-.Nm telnet
+-does not support authentication.
+ .It Ic close
+ Close the connection to the remote host, if any, and return to command
+ mode.
+@@ -332,49 +333,49 @@
+ and
+ .Ic toggle
+ values (see below).
+-.It Ic encrypt Ar argument ...
+-The encrypt command controls the
+-.Dv TELNET ENCRYPT
+-protocol option. If 
+-.Nm telnet
+-was compiled without encryption, the
+-.Ic encrypt
+-command will not be supported. 
+-.Pp
+-Valid arguments are as follows:
+-.Bl -tag -width Ar
+-.It Ic disable Ar type Ic [input|output]
+-Disable the specified type of encryption.  If you do not specify input
+-or output, encryption of both is disabled.  To obtain a list of
+-available types, use ``encrypt disable \&?''.
+-.It Ic enable Ar type Ic [input|output]
+-Enable the specified type of encryption.  If you do not specify input
+-or output, encryption of both is enabled.  To obtain a list of
+-available types, use ``encrypt enable \&?''.
+-.It Ic input
+-This is the same as ``encrypt start input''.
+-.It Ic -input
+-This is the same as ``encrypt stop input''.
+-.It Ic output
+-This is the same as ``encrypt start output''.
+-.It Ic -output
+-This is the same as ``encrypt stop output''.
+-.It Ic start Ic [input|output]
+-Attempt to begin encrypting.  If you do not specify input or output, 
+-encryption of both input and output is started. 
+-.It Ic status
+-Display the current status of the encryption module.
+-.It Ic stop Ic [input|output]
+-Stop encrypting.  If you do not specify input or output, encryption of
+-both is stopped.
+-.It Ic type Ar type
+-Sets the default type of encryption to be used with later ``encrypt start''
+-or ``encrypt stop'' commands.
+-.El
+-.Pp
+-Note that the current version of 
+-.Nm telnet
+-does not support encryption.
++.\" .It Ic encrypt Ar argument ...
++.\" The encrypt command controls the
++.\" .Dv TELNET ENCRYPT
++.\" protocol option. If 
++.\" .Nm telnet
++.\" was compiled without encryption, the
++.\" .Ic encrypt
++.\" command will not be supported. 
++.\" .Pp
++.\" Valid arguments are as follows:
++.\" .Bl -tag -width Ar
++.\" .It Ic disable Ar type Ic [input|output]
++.\" Disable the specified type of encryption.  If you do not specify input
++.\" or output, encryption of both is disabled.  To obtain a list of
++.\" available types, use ``encrypt disable \&?''.
++.\" .It Ic enable Ar type Ic [input|output]
++.\" Enable the specified type of encryption.  If you do not specify input
++.\" or output, encryption of both is enabled.  To obtain a list of
++.\" available types, use ``encrypt enable \&?''.
++.\" .It Ic input
++.\" This is the same as ``encrypt start input''.
++.\" .It Ic -input
++.\" This is the same as ``encrypt stop input''.
++.\" .It Ic output
++.\" This is the same as ``encrypt start output''.
++.\" .It Ic -output
++.\" This is the same as ``encrypt stop output''.
++.\" .It Ic start Ic [input|output]
++.\" Attempt to begin encrypting.  If you do not specify input or output, 
++.\" encryption of both input and output is started. 
++.\" .It Ic status
++.\" Display the current status of the encryption module.
++.\" .It Ic stop Ic [input|output]
++.\" Stop encrypting.  If you do not specify input or output, encryption of
++.\" both is stopped.
++.\" .It Ic type Ar type
++.\" Sets the default type of encryption to be used with later ``encrypt start''
++.\" or ``encrypt stop'' commands.
++.\" .El
++.\" .Pp
++.\" Note that the current version of 
++.\" .Nm telnet
++.\" does not support encryption.
+ .It Ic environ Ar arguments... 
+ The
+ .Ic environ
+@@ -1017,6 +1018,16 @@
+ .Ic slc
+ command.
+ .El
++.It Ic startssl
++Attempt to negotiate telnet-over-SSL (as with the
++.Ic -z ssl
++option). This is useful when connecting to non-telnetds such
++as imapd (with the
++.Ic STARTTLS
++command). To control SSL when connecting to a SSL-enabled
++telnetd, use the
++.Ic auth
++command instead.
+ .It Ic status
+ Show the current status of
+ .Nm telnet .
+@@ -1079,17 +1090,17 @@
+ .Dv FALSE
+ (see
+ .Xr stty  1  ) .
+-.It Ic autodecrypt
+-When the
+-.Dv TELNET ENCRYPT
+-option is negotiated, by
+-default the actual encryption (decryption) of the data
+-stream does not start automatically.  The autoencrypt
+-(autodecrypt) command states that encryption of the
+-output (input) stream should be enabled as soon as
+-possible.
+-.Pp
+-Note that this flag exists only if encryption support is enabled.
++.\" .It Ic autodecrypt
++.\" When the
++.\" .Dv TELNET ENCRYPT
++.\" option is negotiated, by
++.\" default the actual encryption (decryption) of the data
++.\" stream does not start automatically.  The autoencrypt
++.\" (autodecrypt) command states that encryption of the
++.\" output (input) stream should be enabled as soon as
++.\" possible.
++.\" .Pp
++.\" Note that this flag exists only if encryption support is enabled.
+ .It Ic autologin
+ If the remote side supports the
+ .Dv TELNET AUTHENTICATION
+@@ -1174,9 +1185,9 @@
+ .Ic super user ) .
+ The initial value for this toggle is
+ .Dv FALSE .
+-.It Ic encdebug
+-Turns on debugging information for the encryption code.
+-Note that this flag only exists if encryption support is available.
++.\" .It Ic encdebug
++.\" Turns on debugging information for the encryption code.
++.\" Note that this flag only exists if encryption support is available.
+ .It Ic localchars
+ If this is
+ .Dv TRUE ,
+@@ -1221,8 +1232,9 @@
+ is sent as
+ .Ic abort  ,
+ and
+-.Ic eof and
+-.B suspend
++.Ic eof
++and
++.Ic suspend
+ are sent as
+ .Ic eof and
+ .Ic susp ,
+@@ -1263,16 +1275,16 @@
+ Toggles the display of all terminal data (in hexadecimal format).
+ The initial value for this toggle is
+ .Dv FALSE .
+-.It Ic verbose_encrypt
+-When the
+-.Ic verbose_encrypt
+-toggle is
+-.Dv TRUE ,
+-.Tn TELNET
+-prints out a message each time encryption is enabled or
+-disabled.  The initial value for this toggle is
+-.Dv FALSE.
+-This flag only exists if encryption support is available.
++.\" .It Ic verbose_encrypt
++.\" When the
++.\" .Ic verbose_encrypt
++.\" toggle is
++.\" .Dv TRUE ,
++.\" .Tn TELNET
++.\" prints out a message each time encryption is enabled or
++.\" disabled.  The initial value for this toggle is
++.\" .Dv FALSE.
++.\" This flag only exists if encryption support is available.
+ .It Ic \&?
+ Displays the legal
+ .Ic toggle
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc	2004-05-27 11:47:26.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc	2010-05-11 13:44:40.076987936 +0200
+@@ -47,7 +47,7 @@
+  * From: @(#)telnet.c	5.53 (Berkeley) 3/22/91
+  */
+ char telnet_rcsid[] = 
+-"$Id: telnet.cc,v 1.36 2000/07/23 03:24:53 dholland Exp $";
++"$Id: telnet.cc,v 1.8 2005-04-14 15:26:27 ianb Exp $";
+ 
+ #include <string.h>
+ #include <sys/types.h>
+@@ -107,6 +107,7 @@
+   eight = 3,
+   binary = 0,
+   autologin = 0,	/* Autologin anyone? */
++  use_authentication = 0,
+   skiprc = 0,
+   connected,
+   showoptions,
+@@ -495,7 +496,8 @@
+ 	break;
+ #if	defined(AUTHENTICATE)
+       case TELOPT_AUTHENTICATION:
+-	if (autologin)
++	/* if (autologin) */
++	if (use_authentication)
+ 	  new_state_ok = 1;
+ 	break;
+ #endif
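Review bot: The old condition is kept as a comment, `/* if (autologin) */`, above the new `if (use_authentication)`; the same leftover appears in the `suboption()` hunk as `/* if (!autologin) */` and again in the `telnet()` hunk. Delete the commented lines and, where `use_authentication` is declared, add a comment such as `/* offer TELOPT_AUTHENTICATION; decoupled from autologin */` so the reason for the split is recorded. None of the hunks shown here assigns `use_authentication`, which is initialised to 0, so confirm it is set before the option is negotiated. The enclosing function is outside the hunk.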
+@@ -722,6 +724,7 @@
+  */
+ 
+ static void suboption(void) {
++  extern int auth_failed;
+   printsub('<', subbuffer, SB_LEN()+2);
+   switch (SB_GET()) {
+   case TELOPT_TTYPE:
+@@ -845,7 +848,8 @@
+     
+ #if	defined(AUTHENTICATE)
+   case TELOPT_AUTHENTICATION: {
+-    if (!autologin)
++    /* if (!autologin) */
++    if (!use_authentication)
+       break;
+     if (SB_EOF())
+       return;
+@@ -864,6 +868,10 @@
+       if (my_want_state_is_wont(TELOPT_AUTHENTICATION))
+ 	return;
+       auth_reply(subpointer, SB_LEN());
++      if(auth_failed) {
++	/* auth rejected, quit */
++	quit();
++      }
+       break;
+     case TELQUAL_NAME:
+       if (my_want_state_is_dont(TELOPT_AUTHENTICATION))
+@@ -1140,6 +1148,7 @@
+ 
+ 
+ unsigned char slc_reply[128];
++unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)];
+ unsigned char *slc_replyp;
+ 
+ void slc_start_reply(void) {
+@@ -1151,6 +1160,14 @@
+ }
+ 
+ void slc_add_reply(int func, int flags, int value) {
++  /* A sequence of up to 6 bytes my be written for this member of the SLC
++   * suboption list by this function.  The end of negotiation command,
++   * which is written by slc_end_reply(), will require 2 additional
++   * bytes.  Do not proceed unless there is sufficient space for these
++   * items.
++   */
++  if (&slc_replyp[6+2] > slc_reply_eom)
++    return;
+   if ((*slc_replyp++ = func) == IAC)
+     *slc_replyp++ = IAC;
+   if ((*slc_replyp++ = flags) == IAC)
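Review bot: The bounds check `&slc_replyp[6+2] > slc_reply_eom` forms a pointer that can lie more than one element past the end of `slc_reply`, which is undefined behaviour and allows a compiler to assume the comparison is false. Compare the remaining space instead: `if (slc_reply_eom - slc_replyp < 6+2) return;`. The early return drops the SLC entry silently, so the comment should state that truncating the reply is the intended outcome when the buffer is full. The comment also has a typo, "my be" for "may be". The rest of `slc_add_reply` is outside the hunk.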
+@@ -1819,25 +1836,19 @@
+  */
+ void telnet(const char *user) {
+   sys_telnet_init();
+-  
+-#if defined(AUTHENTICATE)
+-  {
+-    static char local_host[256] = { 0 };
+-    int len = sizeof(local_host);
+-    
+-    if (!local_host[0]) {
+-      gethostname(local_host, len);        /* WAS &len!!! */
+-      local_host[sizeof(local_host)-1] = 0;
+-    }
+-    auth_encrypt_init(local_host, hostname, "TELNET", 0);
+-    auth_encrypt_user(user);
+-  }
++    
++#ifdef AUTHENTICATE
++  auth_encrypt_user(user);
+ #endif
+-  
++
+ #if !defined(TN3270)
+   if (telnetport) {
++
++    send_will(TELOPT_ENVIRON, 1);
++
+ #if	defined(AUTHENTICATE)
+-    if (autologin)
++    /* if (autologin) */
++    if (use_authentication)
+       send_will(TELOPT_AUTHENTICATION, 1);
+ #endif
+     send_do(TELOPT_SGA, 1);
+@@ -1846,7 +1857,6 @@
+     send_will(TELOPT_TSPEED, 1);
+     send_will(TELOPT_LFLOW, 1);
+     send_will(TELOPT_LINEMODE, 1);
+-    send_will(TELOPT_ENVIRON, 1);
+     send_do(TELOPT_STATUS, 1);
+     if (env_getvalue("DISPLAY", 0))
+       send_will(TELOPT_XDISPLOC, 1);
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc	2010-05-11 13:44:40.080321548 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)terminal.c	5.3 (Berkeley) 3/22/91
+  */
+ char terminal_rcsid[] = 
+-  "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $";
++  "$Id: terminal.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <arpa/telnet.h>
+ #include <sys/types.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc	1996-08-13 11:08:34.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc	2010-05-11 13:44:40.080321548 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)tn3270.c	5.2 (Berkeley) 3/1/91
+  */
+ char tn3270_rcsid[] = 
+-  "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $";
++  "$Id: tn3270.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <sys/types.h>
+ #include <arpa/telnet.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/types.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/types.h	1996-07-27 02:45:54.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h	2010-05-11 13:44:40.083654043 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)types.h	5.1 (Berkeley) 9/14/90
+- *	$Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $
++ *	$Id: types.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ typedef struct {
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc
+--- netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc	2010-05-11 13:44:40.083654043 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)utilities.c	5.3 (Berkeley) 3/22/91
+  */
+ char util_rcsid[] = 
+-  "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $";
++  "$Id: utilities.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #define	TELOPTS
+ #define	TELCMDS
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c	2010-05-11 13:44:40.086987376 +0200
+@@ -23,7 +23,7 @@
+  * From: @(#)authenc.c	5.1 (Berkeley) 3/1/91
+  */
+ char authenc_rcsid[] =
+-  "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
++  "$Id: authenc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #if	defined(ENCRYPT) || defined(AUTHENTICATE)
+ #include "telnetd.h"
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h	2010-05-11 13:44:40.086987376 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)defs.h	5.10 (Berkeley) 3/1/91
+- *	$Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $
++ *	$Id: defs.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ /*
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h	2010-05-11 13:44:40.086987376 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)ext.h	5.7 (Berkeley) 3/1/91
+- *	$Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $
++ *	$Id: ext.h,v 1.2 2004-11-21 12:53:12 ianb Exp $
+  */
+ 
+ /*
+@@ -113,7 +113,7 @@
+ void interrupt(void);
+ void localstat(void);
+ void netclear(void);
+-void netflush(void);
++int netflush(void);
+ size_t netbuflen(int);
+ void sendurg(const char *, size_t);
+ 
+@@ -183,7 +183,8 @@
+ void tty_tspeed(int);
+ void willoption(int);
+ void wontoption(int);
+-#define writenet(b, l) fwrite(b, 1, l, netfile)
++int writenet(char *, int);
++/*#define writenet(b, l) fwrite(b, 1, l, netfile)*/
+ void netopen(void);
+ 
+ #if defined(ENCRYPT)
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c	1996-08-15 08:23:28.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c	2010-05-11 13:44:40.086987376 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)getent.c	5.1 (Berkeley) 2/28/91
+  */
+ char ge_rcsid[] = 
+-  "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $";
++  "$Id: getent.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ /*
+  * Copyright (c) 1991 Regents of the University of California.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c	2010-05-11 13:44:40.090341661 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)global.c	5.2 (Berkeley) 6/1/90
+  */
+ char global_rcsid[] = 
+-  "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $";
++  "$Id: global.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ /*
+  * Allocate global variables.  
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5	2010-05-11 13:44:40.090341661 +0200
+@@ -15,26 +15,26 @@
+ .Pa /etc/issue.net
+ is a text file which contains a message or system identification to be
+ printed before the login prompt of a telnet session. It may contain
+-various `%-char' sequences. The following sequences are supported by
++various `%\&\-char' sequences. The following sequences are supported by
+ .Ic telnetd :
+ .Bl -tag -offset indent -compact -width "abcde"
+-.It %t
++.It %\&t
+ - show the current tty
+-.It %h
++.It %\&h
+ - show the system node name (FQDN)
+-.It %D
++.It %\&D
+ - show the name of the NIS domain
+-.It %d
++.It %\&d
+ - show the current time and date
+-.It %s
++.It %\&s
+ - show the name of the operating system
+-.It %m
++.It %\&m
+ - show the machine (hardware) type
+-.It %r
++.It %\&r
+ - show the operating system release
+-.It %v
++.It %\&v
+ - show the operating system version
+-.It %%
++.It %\&%
+ - display a single '%' character
+ .El
+ .Sh FILES
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile	2010-05-11 14:12:59.493485309 +0200
+@@ -9,9 +9,11 @@
+ # take out -DPARANOID_TTYS.
+ 
+ CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \
+-	   -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \
+-	   -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\"
+-# LIBS += $(LIBTERMCAP)
++	   -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS -DAUTHENTICATE \
++	   -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" \
++	   -DUSE_SSL -I/usr/include/openssl -I..
++LIBTELNET = ../libtelnet/libtelnet.a 
++LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto
+ 
+ OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \
+ 	global.o setproctitle.o
+@@ -28,10 +30,10 @@
+ telnetd.o: ../version.h
+ 
+ install: telnetd
+-	install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd
+-	install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
+-	install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8
+-	ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8
++	install -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd-ssl
++#	install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/
++	install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd-ssl.8
++	ln -sf in.telnetd-ssl.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd-ssl.8
+ 
+ clean:
+ 	rm -f *.o telnetd 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h	1996-08-30 00:31:24.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h	2010-05-11 13:44:40.090341661 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)pathnames.h	5.5 (Berkeley) 6/28/90
+- *	$Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $
++ *	$Id: pathnames.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ #include <paths.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3	2000-07-31 01:57:09.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3	2010-05-11 13:44:40.090341661 +0200
+@@ -1,5 +1,5 @@
+ .\"	OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp 
+-.\"     $Id: setproctitle.3,v 1.13 2000/07/30 23:57:09 dholland Exp $
++.\"     $Id: setproctitle.3,v 1.1 2004-10-14 13:19:53 ianb Exp $
+ .\"
+ .\" Copyright (c) 1994, 1995 Christopher G. Demetriou
+ .\" All rights reserved.
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c	2004-05-27 11:47:01.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c	2010-05-11 13:44:40.090341661 +0200
+@@ -39,7 +39,7 @@
+  * From: @(#)conf.c	8.243 (Berkeley) 11/20/95
+  */
+ char setproctitle_rcsid[] =
+-  "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $";
++  "$Id: setproctitle.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <stdlib.h>
+ #include <string.h>
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c	1999-12-12 15:59:44.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c	2010-05-11 13:44:40.096989611 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)slc.c	5.7 (Berkeley) 3/1/91
+  */
+ char slc_rcsid[] = 
+-  "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $";
++  "$Id: slc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include "telnetd.h"
+ 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c	2010-05-11 13:44:40.100321827 +0200
+@@ -35,11 +35,12 @@
+  * From: @(#)state.c	5.10 (Berkeley) 3/22/91
+  */
+ char state_rcsid[] = 
+-  "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $";
++  "$Id: state.c,v 1.5 2005-07-07 21:53:00 ianb Exp $";
+ 
+ #include "telnetd.h"
+ #if	defined(AUTHENTICATE)
+ #include <libtelnet/auth.h>
++extern char *UserNameRequested;
+ #endif
+ 
+ int not42 = 1;
+@@ -1161,7 +1162,7 @@
+ 
+     case TELOPT_ENVIRON: {
+ 	register int c;
+-	register char *cp, *varp, *valp;
++	register unsigned char *cp, *varp, *valp;
+ 
+ 	if (SB_EOF())
+ 		return;
+@@ -1177,25 +1178,41 @@
+ 	if (SB_EOF())
+ 		return;
+ 
+-	cp = varp = (char *)subpointer;
++	cp = varp = (unsigned char *)subpointer;
+ 	valp = 0;
+ 
+ 	while (!SB_EOF()) {
+ 	    switch (c = SB_GET()) {
+ 	    case ENV_VALUE:
+ 		*cp = '\0';
+-		cp = valp = (char *)subpointer;
++		cp = valp = (unsigned char *)subpointer;
+ 		break;
+ 		
+ 	    case ENV_VAR:
+ 		*cp = '\0';
+-		if (envvarok(varp)) {
+-		    if (valp)
+-			(void)setenv(varp, valp, 1);
+-		    else
+-			unsetenv(varp);
++		if (envvarok((char *)varp)) {
++		  if (valp) {
++		    (void)setenv((char *)varp, (char *)valp, 1);
++#ifdef AUTHENTICATE
++		    if (strcmp((char *)varp,"USER") == 0) {
++		      if (UserNameRequested)
++			free(UserNameRequested);
++		      UserNameRequested=strdup((char *)valp);
++		    }
++#endif /* AUTHENTICATE */
++		  }
++		  else {
++		    unsetenv((char *)varp);
++#ifdef AUTHENTICATE
++		    if (strcmp((char *)varp,"USER") == 0) {
++		      if (UserNameRequested)
++			free(UserNameRequested);
++		      UserNameRequested=NULL;
++		    }
++#endif /* AUTHENTICATE */
++		  }
+ 		}
+-		cp = varp = (char *)subpointer;
++		cp = varp = (unsigned char *)subpointer;
+ 		valp = 0;
+ 		break;
+ 		
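Review bot: The `USER` value copied into `UserNameRequested` in the `ENV_VAR` branch comes straight from the client's ENVIRON sub-option, and the `strdup()` result is stored without a NULL check or any limit on length or characters. The same block is pasted again in the end-of-suboption path of the next hunk (`@@ -1211,11 +1228,27 @@`), so any fix has to be made twice; a small static helper called from both places keeps them in step. `free(NULL)` is a no-op, so the `if (UserNameRequested)` guards can go. Where `UserNameRequested` is consumed is not visible here, so confirm that a NULL or over-long value is handled downstream; telnetlogin.c in this same patch caps usernames at 32 printable characters. The enclosing function starts and ends outside the hunk.

```c
#ifdef AUTHENTICATE
/* Record the USER name sent by the client; val == NULL forgets it. */
static void
remember_requested_user(const char *val)
{
	free(UserNameRequested);
	/* stays NULL if strdup() fails: consumers must treat NULL as "not given" */
	UserNameRequested = val ? strdup(val) : NULL;
}
#endif /* AUTHENTICATE */

/* … unchanged: ENVIRON sub-option parsing up to the ENV_VAR case … */
		if (envvarok((char *)varp)) {
		  if (valp)
		    (void)setenv((char *)varp, (char *)valp, 1);
		  else
		    unsetenv((char *)varp);
#ifdef AUTHENTICATE
		  if (strcmp((char *)varp, "USER") == 0)
		    remember_requested_user((char *)valp);
#endif /* AUTHENTICATE */
		}
/* … unchanged: pointer reset; the same call replaces the copy after the loop … */
```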
+@@ -1211,11 +1228,27 @@
+ 	    }
+ 	}
+ 	*cp = '\0';
+-	if (envvarok(varp)) {
+-	    if (valp)
+-		(void)setenv(varp, valp, 1);
+-	    else
+-		unsetenv(varp);
++	if (envvarok((char *)varp)) {
++	  if (valp) {
++	    (void)setenv((char *)varp, (char *)valp, 1);
++#ifdef AUTHENTICATE
++	    if (strcmp((char *)varp,"USER") == 0) {
++	      if (UserNameRequested)
++		free(UserNameRequested);
++	      UserNameRequested=strdup((char *)valp);
++	    }
++#endif /* AUTHENTICATE */
++	  }
++	  else {
++	    unsetenv((char *)varp);
++#ifdef AUTHENTICATE
++	    if (strcmp((char *)varp,"USER") == 0) {
++	      if (UserNameRequested)
++		free(UserNameRequested);
++	      UserNameRequested=NULL;
++	    }
++#endif /* AUTHENTICATE */
++	  }
+ 	}
+ 	break;
+     }  /* end of case TELOPT_ENVIRON */
+@@ -1367,7 +1400,7 @@
+     ADD(IAC);
+     ADD(SE);
+ 
+-    writenet(statusbuf, ncp - statusbuf);
++    writenet((char *)statusbuf, ncp - statusbuf);
+     netflush();	/* Send it on its way */
+ 
+     DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();});
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c	2010-05-11 13:44:40.106987377 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)sys_term.c	5.16 (Berkeley) 3/22/91
+  */
+ char st_rcsid[] = 
+-  "$Id: sys_term.c,v 1.17 1999/12/17 14:28:47 dholland Exp $";
++  "$Id: sys_term.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include <utmp.h>
+ 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8	2010-05-11 13:44:40.106987377 +0200
+@@ -30,7 +30,7 @@
+ .\" SUCH DAMAGE.
+ .\"
+ .\"	from: @(#)telnetd.8	6.8 (Berkeley) 4/20/91
+-.\"	$Id: telnetd.8,v 1.18 2000/07/30 23:57:10 dholland Exp $
++.\"	$Id: telnetd.8,v 1.5 2006-09-24 00:48:31 ianb Exp $
+ .\"
+ .Dd December 29, 1996
+ .Dt TELNETD 8
+@@ -42,7 +42,7 @@
+ protocol server
+ .Sh SYNOPSIS
+ .Nm /usr/sbin/in.telnetd
+-.Op Fl hns
++.Op Fl hnNs
+ .Op Fl a Ar authmode
+ .Op Fl D Ar debugmode
+ .Op Fl L Ar loginprg
+@@ -50,6 +50,7 @@
+ .Op Fl X Ar authtype
+ .Op Fl edebug
+ .Op Fl debug Ar port
++.Op Fl z Ar sslopt
+ .Sh DESCRIPTION
+ The
+ .Nm telnetd
+@@ -175,6 +176,9 @@
+ if the client is still there, so that idle connections
+ from machines that have crashed or can no longer
+ be reached may be cleaned up.
++.It Fl N
++Disable reverse DNS lookups and use the numeric IP address in logs
++and REMOTEHOST environment variable.
+ .It Fl s
+ This option is only enabled if
+ .Nm telnetd
+@@ -219,12 +223,16 @@
+ only accepts connections from SSL enhanced telnet with option 
+ .Ic -z ssl
+ .It Ic nossl, !ssl
+-switch of SSL negotiation
++switch off SSL negotiation
+ .It Ic certsok
+ Look username up in /etc/ssl.users. The format of this file is lines
+ of this form: 
+ .Ar user1,user2:/C=US/.....
+-where user1 and user2 are usernames. If client certificate is valid,
++where user1 and user2 are usernames and /C=US/... is the subject name of
++the certificate. Use 
++.Ar openssl x509 -subject -noout
++to extract the subject name.
++If client certificate is valid,
+ authenticate without password.
+ .It Ic certrequired
+ client certificate is mandatory
+@@ -451,7 +459,6 @@
+ is compiled with support for data encryption, and
+ indicates a willingness to decrypt
+ the data stream.
+-.Xr issue.net 5 ) .
+ .El
+ .Sh FILES
+ .Pa /etc/services ,
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c	2010-05-11 13:44:40.113654043 +0200
+@@ -39,7 +39,7 @@
+  * From: @(#)telnetd.c	5.48 (Berkeley) 3/1/91
+  */
+ char telnetd_rcsid[] = 
+-  "$Id: telnetd.c,v 1.24 2000/04/12 21:36:12 dholland Exp $";
++  "$Id: telnetd.c,v 1.7 2006-06-16 13:29:00 ianb Exp $";
+ 
+ #include "../version.h"
+ 
+@@ -90,6 +90,7 @@
+ 
+ int debug = 0;
+ int keepalive = 1;
++int numeric_hosts = 0;
+ #ifdef LOGIN_WRAPPER
+ char *loginprg = LOGIN_WRAPPER;
+ #else
+@@ -222,13 +223,12 @@
+ 	 * certificate that we will be running with as we cannot
+ 	 * be sure of the cwd when we are launched
+ 	 */
+-	sprintf(cert_filepath,"%s/%s",X509_get_default_cert_dir(),
+-	        "telnetd.pem");
++	strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem");
+ 	ssl_cert_file=cert_filepath;
+ 	ssl_key_file=NULL;
+ #endif /* USE_SSL */
+ 
+-	while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) {
++	while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:")) != EOF) {
+ 		switch(ch) {
+ 
+ #ifdef USE_SSL
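Review bot: The new `strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem")` is only safe if `cert_filepath` holds at least 29 bytes, and its declaration is outside this hunk. If it is an array, `snprintf(cert_filepath, sizeof(cert_filepath), "%s", "/etc/telnetd-ssl/telnetd.pem");` keeps the copy bounded should the path ever change. The literal also replaces the directory OpenSSL reports through `X509_get_default_cert_dir()`, so the default certificate location is now a packaging decision buried in the code; a named macro next to the other paths in pathnames.h, with a comment saying who is expected to own that file, would make it visible. The enclosing function starts and ends outside the hunk.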
+@@ -389,6 +389,10 @@
+ 			keepalive = 0;
+ 			break;
+ 
++		case 'N':
++		  numeric_hosts = 1;
++		  break;
++
+ #ifdef	SecurID
+ 		case 's':
+ 			/* SecurID required */
+@@ -427,7 +431,7 @@
+ 
+ #ifdef USE_SSL
+ 
+-        if (ssl_secure_flag || ssl_cert_required) {
++        if (ssl_secure_flag || ssl_cert_required || ssl_certsok_flag) {
+ 	    /* in secure mode we *must* switch on the base level
+ 	     * verify checking otherwise we cannot abort connections
+ 	     * at the right place!
+@@ -520,9 +524,9 @@
+ 	        sprintf(errbuf,"SSL_accept error %s\n",
+ 		    ERR_error_string(ERR_get_error(),NULL));
+ 
+-		syslog(LOG_WARNING, errbuf);
++		syslog(LOG_WARNING, "%s", errbuf);
+ 
+-		BIO_printf(bio_err,errbuf);
++		BIO_printf(bio_err,"%s",errbuf);
+ 
+ 		/* go to sleep to make sure we are noticed */
+ 		sleep(10);
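Review bot: The `sprintf(errbuf, "SSL_accept error %s\n", ...)` just above the two corrected calls is still unbounded; the hunk removes the format-string problem in `syslog()` and `BIO_printf()` but leaves the copy into `errbuf` unchecked. The size of `errbuf` is declared outside the hunk, so if it is an array use `snprintf(errbuf, sizeof(errbuf), "SSL_accept error %s\n", ERR_error_string(ERR_get_error(), NULL));`. The surrounding block starts and ends outside the hunk.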
+@@ -571,6 +575,11 @@
+ #ifdef	AUTHENTICATE
+ 	fprintf(stderr, " [-X auth-type]");
+ #endif
++#ifdef USE_SSL
++        /* might as well output something useful here ... */
++	fprintf(stderr, "\n\t [-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t");
++	fprintf(stderr, " [-z cert=file] [-z key=file]\n\t");
++#endif /* USE_SSL */
+ 	fprintf(stderr, "\n");
+ 	exit(1);
+ }
+@@ -596,6 +605,18 @@
+     /*
+      * Handle the Authentication option before we do anything else.
+      */
++    send_do(TELOPT_ENVIRON, 1);
++    while (his_will_wont_is_changing(TELOPT_ENVIRON)) {
++	ttloop();
++    }
++
++    if (his_state_is_will(TELOPT_ENVIRON)) {
++      netoprintf("%c%c%c%c%c%c", 
++		 IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE);
++	while (sequenceIs(environsubopt, baseline))
++	    ttloop();
++    }
++
+     send_do(TELOPT_AUTHENTICATION, 1);
+     while (his_will_wont_is_changing(TELOPT_AUTHENTICATION))
+ 	ttloop();
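Review bot: The comment `Handle the Authentication option before we do anything else` is no longer accurate, because the added lines negotiate ENVIRON and wait for the client's variables first. This makes the server parse client-supplied environment data before any authentication has happened, so the comment should say so, for example `/* Ask for ENVIRON first so a client-supplied USER is known before authentication; everything received here is unauthenticated input. */`. Inside the new `if`, `netoprintf` and the `while` on `sequenceIs(environsubopt, baseline)` are indented differently, which makes the `while` read as if it sat outside the block. The enclosing function starts and ends outside the hunk.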
+@@ -654,7 +675,6 @@
+     send_do(TELOPT_TTYPE, 1);
+     send_do(TELOPT_TSPEED, 1);
+     send_do(TELOPT_XDISPLOC, 1);
+-    send_do(TELOPT_ENVIRON, 1);
+     while (
+ #if	defined(ENCRYPT)
+ 	   his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+@@ -698,10 +718,6 @@
+ 	while (sequenceIs(xdisplocsubopt, baseline))
+ 	    ttloop();
+     }
+-    if (his_state_is_will(TELOPT_ENVIRON)) {
+-	while (sequenceIs(environsubopt, baseline))
+-	    ttloop();
+-    }
+     if (his_state_is_will(TELOPT_TTYPE)) {
+ 	char first[256], last[256];
+ 
+@@ -852,7 +868,7 @@
+ static void
+ doit(struct sockaddr *who, socklen_t who_len)
+ {
+-	const char *host;
++	char *host;
+ 	int level;
+ 	char user_name[256];
+ 	int i;
+@@ -867,7 +883,8 @@
+ 
+ 	/* get name of connected client */
+ 	if (getnameinfo(who, who_len, remote_host_name,
+-			sizeof(remote_host_name), 0, 0, 0)) {
++			sizeof(remote_host_name), 0, 0, 
++			numeric_hosts ? NI_NUMERICHOST : 0)) {
+ 		syslog(LOG_ERR, "doit: getnameinfo: %m");
+ 		*remote_host_name = 0;
+         }
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h	1999-03-27 08:46:21.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h	2010-05-11 13:44:40.113654043 +0200
+@@ -31,7 +31,7 @@
+  * SUCH DAMAGE.
+  *
+  *	from: @(#)telnetd.h	5.3 (Berkeley) 3/1/91
+- *	$Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $
++ *	$Id: telnetd.h,v 1.1 2004-10-14 13:19:53 ianb Exp $
+  */
+ 
+ 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c	1999-12-12 15:59:45.000000000 +0100
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c	2010-05-11 13:44:40.113654043 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)termstat.c	5.10 (Berkeley) 3/22/91
+  */
+ char termstat_rcsid[] = 
+-  "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $";
++  "$Id: termstat.c,v 1.1 2004-10-14 13:19:53 ianb Exp $";
+ 
+ #include "telnetd.h"
+ 
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c	2004-05-27 11:47:27.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c	2010-05-11 13:45:21.990318196 +0200
+@@ -35,7 +35,7 @@
+  * From: @(#)utility.c	5.8 (Berkeley) 3/22/91
+  */
+ char util_rcsid[] = 
+-  "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $";
++  "$Id: utility.c,v 1.8 2006-09-24 00:48:31 ianb Exp $";
+ 
+ #define PRINTOPTIONS
+ 
+@@ -49,6 +49,15 @@
+ 
+ #include "telnetd.h"
+ 
++/* patched by fluke.l at gmail.com , im not sure it's gonna work or not  */
++typedef struct {
++	int (*read) (void *, char *, int);
++	int (*write) (void *, char const *, int);
++	fpos_t (*seek) (void *, fpos_t, int);
++	int (*close) (void *);
++} cookie_io_functions_t;
++/* end patch */
++
+ struct buflist {
+ 	struct buflist *next;
+ 	char *buf;
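Review bot: The local `cookie_io_functions_t` typedef duplicates a type that glibc already declares in `<stdio.h>` when `_GNU_SOURCE` is defined, with different member signatures (glibc uses `ssize_t`/`size_t` for read and write and an `off64_t *` argument for seek), and the patch comment itself says the author is unsure it works. If this file passes the struct to `fopencookie()` (not visible in this hunk), the callbacks would be invoked through mismatched function-pointer types. Defining `_GNU_SOURCE` before the first include and dropping the typedef lets the compiler check the callbacks against the real prototypes.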
+@@ -86,6 +95,11 @@
+     DIAG(TD_REPORT, netoprintf("td: ttloop\r\n"););
+ 		     
+     netflush();
++#ifdef USE_SSL
++    if (ssl_active_flag)
++	ncc = SSL_read(ssl_con, netibuf, sizeof netibuf);
++    else
++#endif /* USE_SSL */
+     ncc = read(net, netibuf, sizeof(netibuf));
+     if (ncc < 0) {
+ 	syslog(LOG_INFO, "ttloop: read: %m\n");
+@@ -216,7 +230,7 @@
+ 	}
+ 
+ out:
+-	return next ? next + (current - end) : current;
++	return (const char *) (next ? (next + (current - end)) : current );
+ }  /* end of nextitem */
+ 
+ 
+@@ -243,6 +257,29 @@
+ 	doclear--;
+ }  /* end of netclear */
+ 
++#ifdef USE_SSL
++static int
++SSL_writev(SSL *ssl_con,const struct iovec *vector,int num)
++{
++	const struct iovec *v = vector;
++
++	int ret;
++	int len = 0;
++
++	while (num > 0) {
++		ret = SSL_write(ssl_con, v->iov_base, v->iov_len);
++		if (ret < 0)
++			return ret;
++		if (ret != v->iov_len)
++			syslog(LOG_NOTICE, "SSL_writev: short write\n");
++		num -= v->iov_len;
++		len += ret;
++		v++;
++	}
++	return len;
++}
++#endif /* USE_SSL */
++
+ static void
+ netwritebuf(void)
+ {
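Review bot: `SSL_writev()` decrements `num`, the count of iovec entries, by `v->iov_len`, a byte count, so the loop normally stops after the first entry longer than one byte, and a zero-length entry does not reduce the count at all, which can let `v` run past the end of the array. It also moves on to the next entry after a short write, which would drop bytes from the stream, and it compares the signed `ret` with the unsigned `iov_len`. Counting entries and stopping at the first short write keeps the return value usable by `netwritebuf()`, which adds it to `skip` in a later hunk.

```c
static int
SSL_writev(SSL *ssl_con,const struct iovec *vector,int num)
{
	int len = 0;
	int i;

	for (i = 0; i < num; i++) {
		int ret;

		if (vector[i].iov_len == 0)
			continue;	/* nothing to send for this entry */
		ret = SSL_write(ssl_con, vector[i].iov_base, vector[i].iov_len);
		if (ret <= 0)
			return len ? len : ret;
		len += ret;
		if ((size_t)ret != vector[i].iov_len)
			break;	/* short write: let the caller resume from here */
	}
	return len;
}
```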
+@@ -253,6 +290,9 @@
+ 	size_t len;
+ 	int ltrailing = trailing;
+ 
++	if (!listlen)
++		return;
++
+ 	vector = malloc(listlen * sizeof(struct iovec));
+ 	if (!vector) {
+ 		return;
+@@ -265,6 +305,11 @@
+ 		if (lp == urg) {
+ 			len = v - vector;
+ 			if (!len) {
++#ifdef USE_SSL
++			        if (ssl_active_flag)
++				  n = SSL_write(ssl_con, lp->buf, 1);	
++				else
++#endif /* USE_SSL */
+ 				n = send(net, lp->buf, 1, MSG_OOB);
+ 				if (n > 0) {
+ 					urg = 0;
+@@ -282,15 +327,25 @@
+ 	vector->iov_base = (char *)vector->iov_base + skip;
+ 	vector->iov_len -= skip;
+ 
+-	n = writev(net, vector, len);
++	if(vector->iov_len == 0 ) {
++	  n=0;
++	} else {
++
++#ifdef USE_SSL
++	  if (ssl_active_flag)
++		n = SSL_writev(ssl_con, vector, len);	/* normal write */
++	  else	
++#endif /* USE_SSL */
++		n = writev(net, vector, len);
+ 
+ epi:
+-	free(vector);
++	  free(vector);
+ 
+-	if (n < 0) {
++	  if (n < 0) {
+ 		if (errno != EWOULDBLOCK && errno != EINTR)
+-			cleanup(0);
++		  cleanup(0);
+ 		return;
++	  }
+ 	}
+ 
+ 	len = n + skip;
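Review bot: When `vector->iov_len == 0` the new branch sets `n=0` and skips the `else` block that now holds `epi:` and `free(vector)`, so the array allocated earlier in `netwritebuf()` is not released on that path unless code outside this hunk frees it. Keeping the label and the `free()` outside the conditional fixes that and avoids re-indenting the error handling: put `if (vector->iov_len == 0) { n = 0; goto epi; }` ahead of the unchanged write and `epi:` lines. The function starts and ends outside the hunk.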
+@@ -315,6 +370,10 @@
+ 		}
+ 	}
+ 
++	if(ltrailing && (len==0)) {
++		ltrailing=trailing=0;
++	}
++
+ 	skip = len;
+ }
+ 
+@@ -323,16 +382,22 @@
+  *             Send as much data as possible to the network,
+  *     handling requests for urgent data.
+  */
+-void
++int
+ netflush(void)
+ {
+ 	if (fflush(netfile)) {
+ 		/* out of memory? */
+ 		cleanup(0);
++		return 0;
+ 	}
+-	if (listlen) {
+-		netwritebuf();
+-	}
++	netwritebuf();
++	return 1;
++}
++
++int
++writenet(char *b , int l)
++{
++  return(fwrite(b, 1, l, netfile));
+ }
+ 
+ 
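Review bot: `writenet()` passes its `int l` straight to `fwrite()`, whose count is a `size_t`, so a negative length from pointer arithmetic at a call site becomes a very large count, and the `size_t` result is narrowed back to `int`. A guard such as `if (!b || l <= 0) return 0;` before the `fwrite()` closes that off. `netflush()` now returns a value as well, which the header comment above it does not mention; add a line such as `Returns 1 once the buffers have been handed to netwritebuf(), 0 if fflush() failed.`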
+@@ -983,7 +1048,7 @@
+ 			((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
+ 			"MUTUAL" : "ONE-WAY");
+ 
+-		auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
++		auth_printsub(&pointer[1], length - 1, (unsigned char *) buf, sizeof(buf));
+ 		netoprintf("%s", buf);
+ 		break;
+ 
+@@ -1191,7 +1256,15 @@
+ 		size_t l;
+ 		size_t m = tail->len;
+ 
+-		p = nextitem(tail->buf, tail->buf + tail->len, buf, end);
++		if((tail->buf == NULL) || (tail->len==0))
++		{
++			p = nextitem((unsigned char *) buf, (unsigned char *) end,0,0);
++		}
++		else
++		{
++			p = nextitem((unsigned char *) tail->buf, (unsigned char *) (tail->buf + tail->len),
++						 (unsigned char *) buf, (unsigned char *) end);
++		}
+ 		ltrailing = !p;
+ 		if (ltrailing) {
+ 			p = end;
+@@ -1245,7 +1318,7 @@
+ 		const char *p;
+ 		size_t l;
+ 
+-		p = nextitem(buf, end, 0, 0);
++		p = nextitem((unsigned char *) buf, (unsigned char *) end, 0, 0);
+ 		ltrailing = !p;
+ 		if (ltrailing) {
+ 			p = end;
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile	2000-04-13 03:07:22.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile	2010-05-11 13:46:19.023660189 +0200
+@@ -11,7 +11,7 @@
+ $(OBJS): ../version.h
+ 
+ install: telnetlogin
+-	install -s -m4750 -oroot -gtelnetd telnetlogin $(INSTALLROOT)$(SBINDIR)
++	install -m$(BINMODE) telnetlogin $(INSTALLROOT)$(SBINDIR)
+ 	install -m$(MANMODE) telnetlogin.8 $(INSTALLROOT)$(MANDIR)/man8
+ 
+ clean:
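Review bot: The install line no longer sets `-m4750 -oroot -gtelnetd`, so `telnetlogin` is installed without the setuid bit and without the `telnetd` group restriction, using `$(BINMODE)`, whose value is defined outside this hunk. That is the safer default, but the package's install script still creates a `telnetd` group that nothing visible in this commit uses, and a helper written to run setuid may now depend on `in.telnetd-ssl` itself running as root (the shipped xinetd file sets `user = root`). A comment on the rule, such as `# deliberately not setuid: started by in.telnetd-ssl running as root`, would record the intent, if that is the intent.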
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8	2004-05-27 11:47:02.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8	2010-05-11 13:44:40.123659071 +0200
+@@ -28,7 +28,7 @@
+ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ .\" SUCH DAMAGE.
+ .\"
+-.\"	$Id: telnetlogin.8,v 1.4 2000/07/30 23:57:10 dholland Exp $
++.\"	$Id: telnetlogin.8,v 1.2 2004-11-07 15:47:43 ianb Exp $
+ .\"
+ .Dd April 12, 2000
+ .Dt TELNETLOGIN 8
+@@ -40,6 +40,7 @@
+ .Nm telnetlogin
+ .Op Fl h Ar host
+ .Op Fl p
++.Op Fl f Ar username
+ .Op Ar username
+ .Sh DESCRIPTION
+ .Nm telnetlogin
+@@ -79,11 +80,6 @@
+ .Xr inetd 8 ,
+ .Xr telnetd 8
+ .Sh RESTRICTIONS
+-.Nm telnetlogin
+-does not permit the
+-.Fl f
+-option to login, so will not
+-work with telnetds that perform authentication via Kerberos or SSL.
+ .Pp
+ THIS IS PRESENTLY EXPERIMENTAL CODE; USE WITH CAUTION.
+ .Sh HISTORY
+diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c
+--- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c	2004-05-27 11:47:02.000000000 +0200
++++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c	2010-05-11 13:44:40.123659071 +0200
+@@ -35,7 +35,7 @@
+  "All rights reserved.\n";
+ 
+ char rcsid[] =
+-  "$Id: telnetlogin.c,v 1.1 2000/04/13 01:07:22 dholland Exp $";
++  "$Id: telnetlogin.c,v 1.2 2004-11-07 15:47:43 ianb Exp $";
+ #include "../version.h"
+ 
+ #include <sys/types.h>
+@@ -76,7 +76,16 @@
+    int i=0;
+    /* should we check length? */
+    for (i=0; hname[i]; i++) {
+-      if (hname[i]<=32 && hname[i]>126) return -1;
++      if ((hname[i]<=32) || (hname[i]>126)) return -1;
++   }
++   return 0;
++}
++
++static int check_username(char *username) {
++   int i;
++   if (strlen(username) > 32) return -1;
++   for (i=0; username[i]; i++) {
++      if ((username[i]<=32) || (username[i]>126)) return -1;
+    }
+    return 0;
+ }
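Review bot: `check_username()` accepts an empty string and a name that starts with `-`, while the positional username in the next hunk is only accepted when `argv[argn][0] != '-'`; the value given to the new `-f` option goes through `check_username()` alone. Adding `if (username[0] == '\0' || username[0] == '-') return -1;` as the first check makes the two paths agree. The `/* should we check length? */` question in the host-name check above is still open, even though the username now has a 32-character cap. The rest of the argument handling is outside these hunks, so how the `-f` value is used afterwards cannot be confirmed from here.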
+@@ -158,6 +167,12 @@
+    if (argn < argc && !strcmp(argv[argn], "-p")) {
+       argn++;
+    }
++   if (argn < argc && !strcmp(argv[argn], "-f")) {
++      argn++;
++      if (argn==argc) die("Illegal args: -f requires argument");
++      if (check_username(argv[argn])) die("Illegal remote username specified");
++      argn++;
++   }
+    if (argn < argc && argv[argn][0] != '-') {
+       argn++;
+    }
diff --git a/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install
new file mode 100644
index 0000000..25a4b28
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/netkit-telnet-ssl.install
@@ -0,0 +1,5 @@
+
+post_install() {
+  groupadd telnetd
+}
+
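Review bot: `post_install()` runs `groupadd telnetd` unconditionally, so it reports an error when the group already exists (a reinstall, or a group left by an earlier install), and there is no `post_upgrade()` or `post_remove()` counterpart. `getent group telnetd >/dev/null || groupadd -r telnetd` creates it once, as a system group. Nothing visible in this commit installs a file owned by that group, since the patched telnetlogin Makefile dropped `-gtelnetd`, so it is worth confirming the group is still needed.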
diff --git a/abs/core/netkit-telnet-ssl/telnet.xinetd b/abs/core/netkit-telnet-ssl/telnet.xinetd
new file mode 100644
index 0000000..f4ef4c0
--- /dev/null
+++ b/abs/core/netkit-telnet-ssl/telnet.xinetd
@@ -0,0 +1,10 @@
+service telnet-ssl
+{
+	flags			= REUSE
+	socket_type		= stream
+	wait			= no
+	user			= root
+	server			= /usr/sbin/in.telnetd-ssl
+	log_on_failure		+= USERID
+	disable			= yes
+}
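Review bot: The service block passes no `server_args`, so `in.telnetd-ssl` starts with its defaults. The usage text added in this patch lists `-z ssl` and `-z secure`; if the point of the package is that logins never travel in cleartext, the option that refuses non-SSL clients should be set here, e.g. `server_args = -z secure` (confirm the exact option against telnetd.8). The service name `telnet-ssl` also has to resolve through /etc/services for xinetd to bind a port; if the system only lists `telnets`, the entry needs that name, or an explicit `port` together with `type = UNLISTED`.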
diff --git a/abs/core/netkit-telnet/PKGBUILD b/abs/core/netkit-telnet/PKGBUILD
deleted file mode 100644
index 5afd1a1..0000000
--- a/abs/core/netkit-telnet/PKGBUILD
+++ /dev/null
@@ -1,22 +0,0 @@
-# $Id: PKGBUILD 9079 2008-08-17 03:28:25Z allan $
-# Maintainer: dorphell <dorphell@archlinux.org>
-pkgname=netkit-telnet
-pkgver=0.17
-pkgrel=8
-pkgdesc="A telnet client (and server)"
-arch=(i686 x86_64)
-depends=('ncurses')
-license=('GPL2' 'GPL3') # parts are GPL2, others GPL3
-source=(ftp://ftp.uk.linux.org/pub/linux/Networking/netkit/$pkgname-$pkgver.tar.gz $pkgname-$pkgver.patch telnet.xinetd)
-md5sums=('d6beabaaf53fe6e382c42ce3faa05a36' 'd56497f2c6b96e8909ed57f1be19411d' \
-         'c6e6ca4ba8e084be8ce2a170bebc17cc')
-
-build() {
-  cd $startdir/src/$pkgname-$pkgver
-  patch -Np1 -i ../$pkgname-$pkgver.patch
-  ./configure --prefix=/usr --installroot=$startdir/pkg
-  make || return 1
-  mkdir -p $startdir/pkg/usr/{bin,sbin,share/{man/man1,man/man5,man/man8}} $startdir/pkg/etc/xinetd.d
-  make MANDIR=/usr/share/man install
-  install -m644 $startdir/src/telnet.xinetd $startdir/pkg/etc/xinetd.d/telnet
-}
diff --git a/abs/core/netkit-telnet/netkit-telnet-0.17.patch b/abs/core/netkit-telnet/netkit-telnet-0.17.patch
deleted file mode 100644
index 77919e1..0000000
--- a/abs/core/netkit-telnet/netkit-telnet-0.17.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -Naur netkit-telnet-0.17-orig/telnet/proto.h netkit-telnet-0.17/telnet/proto.h
---- netkit-telnet-0.17-orig/telnet/proto.h	1997-05-19 09:32:36.000000000 +0000
-+++ netkit-telnet-0.17/telnet/proto.h	2002-09-05 01:17:24.000000000 +0000
-@@ -3,6 +3,9 @@
- void auth_encrypt_init(void);
- #endif
- 
-+#include <stdlib.h>
-+#include <string.h>
-+
- void Exit(int);
- void ExitString(const char *, int);
- int TerminalAutoFlush(void);
-diff -Naur netkit-telnet-0.17-orig/telnetd/telnetd.h netkit-telnet-0.17/telnetd/telnetd.h
---- netkit-telnet-0.17-orig/telnetd/telnetd.h	1999-03-27 07:46:21.000000000 +0000
-+++ netkit-telnet-0.17/telnetd/telnetd.h	2002-09-05 01:17:34.000000000 +0000
-@@ -38,6 +38,7 @@
- #include "defs.h"
- #include "ext.h"
- #include <errno.h>
-+#include <stdlib.h>
- 
- #ifdef	DIAGNOSTICS
- #define	DIAG(a,b)	if (diagnostic & (a)) b
-diff -Naur netkit-telnet-0.17-orig/configure netkit-telnet-0.17/configure
---- netkit-telnet-0.17-orig/configure	2003-11-04 13:10:07.000000000 -0500
-+++ netkit-telnet-0.17/configure	2003-11-04 13:10:49.000000000 -0500
-@@ -252,7 +252,7 @@
- fi
- 
- 
--LDFLAGS=
-+LDFLAGS=-lstdc++
- LIBS=
- 
- rm -f __conftest*
diff --git a/abs/core/netkit-telnet/telnet.xinetd b/abs/core/netkit-telnet/telnet.xinetd
deleted file mode 100644
index 1a1f4ed..0000000
--- a/abs/core/netkit-telnet/telnet.xinetd
+++ /dev/null
@@ -1,10 +0,0 @@
-service telnet
-{
-	flags			= REUSE
-	socket_type		= stream
-	wait			= no
-	user			= root
-	server			= /usr/sbin/in.telnetd
-	log_on_failure		+= USERID
-	disable			= yes
-}
-- 
cgit v0.12