Only in netkit-telnet-ssl-0.17.24+0.1: debian diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth.c 2004-05-27 11:47:25.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth.c 2010-05-11 13:44:40.190322666 +0200 @@ -37,6 +37,9 @@ */ #ifndef lint +#ifdef __GNUC__ +__attribute__ ((unused)) +#endif /* __GNUC__ */ static char sccsid[] = "@(#)auth.c 5.2 (Berkeley) 3/22/91"; #endif /* not lint */ @@ -83,8 +86,11 @@ #define typemask(x) (1<<((x)-1)) +int auth_onoff(const char *type, int on); + + int auth_debug_mode = 0; -static char *Name = "Noname"; +static const char *Name = "Noname"; static int Server = 0; static Authenticator *authenticated = 0; static int authenticating = 0; @@ -170,7 +176,7 @@ void auth_init(name, server) - char *name; + const char *name; int server; { Authenticator *ap = authenticators; @@ -241,7 +247,7 @@ int auth_onoff(type, on) - char *type; + const char *type; int on; { int i, mask = -1; @@ -335,7 +341,7 @@ } *e++ = IAC; *e++ = SE; - writenet(str_request, e - str_request); + writenet((char *) str_request, e - str_request); printsub('>', &str_request[2], e - str_request - 2); } } @@ -424,7 +430,7 @@ } auth_send_data += 2; } - writenet(str_none, sizeof(str_none)); + writenet((char *) str_none, sizeof(str_none)); printsub('>', &str_none[2], sizeof(str_none) - 2); if (auth_debug_mode) printf(">>>%s: Sent failure message\r\n", Name); @@ -456,7 +462,7 @@ return; } - if (ap = findauthenticator(data[0], data[1])) { + if ((ap = findauthenticator(data[0], data[1]))) { if (ap->is) (*ap->is)(ap, data+2, cnt-2); } else if (auth_debug_mode) @@ -474,7 +480,7 @@ if (cnt < 2) return; - if (ap = findauthenticator(data[0], data[1])) { + if ((ap = findauthenticator(data[0], data[1]))) { if (ap->reply) (*ap->reply)(ap, data+2, cnt-2); } else if (auth_debug_mode) 
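Review bot: The `(char *) str_request` and `(char *) str_none` casts added to the writenet() calls in hunks @@ -335 and @@ -424 paper over a prototype mismatch instead of fixing it: the auth-proto.h hunk @@ -123 declares `extern int writenet P((char *, int));` while glue.cc defines `extern "C" int writenet(const char *str, int len)`, and the ssl.c hunk @@ -230 adds a cast for the same reason. Declaring it as `extern int writenet P((const char *, int));` matches the definition and lets every one of those casts go (the `(char *)savename` cast in auth_name is different, it converts unsigned char to char and stays). The new `int auth_onoff(const char *type, int on);` prototype in hunk @@ -83 belongs in auth-proto.h next to the other `auth_*` declarations rather than in the .c file, where a later signature change would not be caught.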
@@ -487,7 +493,7 @@ unsigned char *data; int cnt; { - Authenticator *ap; + /* Authenticator *ap; */ unsigned char savename[256]; if (cnt < 1) { @@ -505,7 +511,7 @@ savename[cnt] = '\0'; /* Null terminate */ if (auth_debug_mode) printf(">>>%s: Got NAME [%s]\r\n", Name, savename); - auth_encrypt_user(savename); + auth_encrypt_user((char *)savename); } int @@ -526,7 +532,7 @@ } *e++ = IAC; *e++ = SE; - writenet(str_request, e - str_request); + writenet((char *) str_request, e - str_request); printsub('>', &str_request[2], e - &str_request[2]); return(1); } @@ -542,6 +548,9 @@ } /* ARGSUSED */ +#ifdef __GNUC__ +__attribute__ ((used)) +#endif /* __GNUC__ */ static void auth_intr(sig) int sig; diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/auth-proto.h 2004-05-27 11:47:25.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/auth-proto.h 2010-05-11 13:44:40.183654321 +0200 @@ -68,7 +68,7 @@ #if defined(AUTHENTICATE) Authenticator *findauthenticator P((int, int)); -void auth_init P((char *, int)); +void auth_init P((const char *, int)); int auth_cmd P((int, char **)); void auth_request P((void)); void auth_send P((unsigned char *, int)); @@ -123,7 +123,9 @@ int auth_ssl_status P((Authenticator *, char *, int)); void auth_ssl_printsub P((unsigned char *, int, unsigned char *, int)); #endif /* USE_SSL */ - + +extern void printsub P((char, unsigned char *, int)); +extern int writenet P((char *, int)); #endif #ifdef __cplusplus } diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/Makefile 2004-05-27 11:47:25.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/Makefile 2010-05-11 13:45:28.073664102 +0200 
@@ -15,5 +15,8 @@ ranlib lib${LIB}.a; \ fi; +install: + @echo "nothing to be installed from libtelnet" + clean: rm -f *.o lib${LIB}.a diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc.c 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc.c 2010-05-11 13:44:40.190322666 +0200 @@ -32,6 +32,9 @@ */ #ifndef lint +#ifdef __GNUC__ +__attribute__ ((unused)) +#endif /* __GNUC__ */ static char sccsid[] = "@(#)misc.c 5.1 (Berkeley) 2/28/91"; #endif /* not lint */ @@ -54,7 +57,12 @@ * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. */ +#include +#include + #include "misc.h" +#include "auth.h" +#include "auth-proto.h" char *RemoteHostName; char *LocalHostName; @@ -65,7 +73,7 @@ auth_encrypt_init(local, remote, name, server) char *local; char *remote; - char *name; + const char *name; int server; { RemoteHostName = remote; diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/misc-proto.h 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/misc-proto.h 2010-05-11 13:44:40.190322666 +0200 @@ -68,7 +68,7 @@ extern "C" { #endif -void auth_encrypt_init P((char *, char *, char *, int)); +void auth_encrypt_init P((char *, char *, const char *, int)); void auth_encrypt_connect P((int)); void auth_encrypt_user P((const char *name)); void printd P((unsigned char *, int)); diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/sslapp.h 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/sslapp.h 2010-05-11 13:44:40.200330208 +0200 
@@ -45,6 +45,7 @@ #include "x509.h" #include "ssl.h" #define OLDPROTO NOPROTO +#undef NOPROTO #define NOPROTO #include "err.h" #undef NOPROTO @@ -72,7 +73,7 @@ /* we hide all the initialisation code in a separate file now */ extern int do_ssleay_init(int server); -extern int display_connect_details(SSL *ssl_con, int verbose); +extern void display_connect_details(SSL *ssl_con, int verbose); extern int server_verify_callback(); extern int client_verify_callback(); diff -ur netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c --- netkit-telnet-ssl-0.17.24+0.1/libtelnet/ssl.c 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/libtelnet/ssl.c 2010-05-11 13:44:40.200330208 +0200 @@ -47,6 +47,9 @@ #include #endif +#include +#include + #include "auth.h" #include "misc.h" @@ -91,11 +94,12 @@ #define VERIFY_ROOT_OK VERIFY_OK #endif +extern int netflush(void); + extern int auth_debug_mode; -static auth_ssl_valid = 0; +static int auth_ssl_valid = 0; static char *auth_ssl_name = 0; /* this holds the oneline name */ -extern BIO *bio_err; extern int ssl_only_flag; extern int ssl_debug_flag; extern int ssl_active_flag; @@ -120,6 +124,9 @@ BIO *bio_err=NULL; +int auth_failed=0; + + /* compile this set to 1 to negotiate SSL but not actually start it */ static int ssl_dummy_flag=0; @@ -135,7 +142,7 @@ * telnet connect if we are talking straight ssl with no telnet * protocol --tjh */ -int +void display_connect_details(ssl_con,verbose) SSL *ssl_con; int verbose; @@ -152,7 +159,7 @@ /* grab the full list of ciphers */ i=0; buf[0]='\0'; - while((p=SSL_get_cipher_list(ssl_con,i++))!=NULL) { + while((p=(char *)SSL_get_cipher_list(ssl_con,i++))!=NULL) { if (i>0) strcat(buf,":"); strcat(buf,p); 
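Review bot: The `(char *)` cast on SSL_get_cipher_list() in the ssl.c hunk @@ -152 fixes the const warning but leaves the loop's real problem: every cipher name is `strcat()`ed into `buf` with no check against its size (buf is declared outside the hunk), so a long cipher list can overrun it. If buf is an array, tracking the remaining space bounds the copy, e.g. `size_t used = strlen(buf);` then `snprintf(buf + used, sizeof(buf) - used, "%s%s", used ? ":" : "", p);`. Note also that `i` is post-incremented in the while condition, so `if (i>0)` is always true and the list starts with a leading ":"; testing whether buf is still empty gives the separator behaviour the code seems to intend. The enclosing display_connect_details() starts in the previous hunk and ends outside this one.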
@@ -230,7 +237,7 @@ *p++ = SE; if (str_data[3] == TELQUAL_IS) printsub('>', &str_data[2], p - (&str_data[2])); - return(writenet(str_data, p - str_data)); + return(writenet((char *) str_data, p - str_data)); } int auth_ssl_init(ap, server) @@ -280,7 +287,7 @@ unsigned char *data; int cnt; { - int valid; + /* int valid; */ if (cnt-- < 1) return; @@ -364,7 +371,7 @@ unsigned char *data; int cnt; { - int i; + /* int i; */ int status; if (cnt-- < 1) @@ -389,16 +396,13 @@ SSL_set_verify(ssl_con,ssl_verify_flag, client_verify_callback); if ((status = SSL_connect(ssl_con)) <= 0) { - fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status); - fflush(stderr); - - perror("telnet: Unable to ssl_connect to remote host"); + auth_finished(0,AUTH_REJECT); + fprintf(stderr,"[SSL - FAILED (%d)]\r\n", status); + fprintf(stderr,"telnet: Unable to ssl_connect to remote host\n"); ERR_print_errors(bio_err); - - /* don't know what I "should" be doing here ... */ - - auth_finished(0,AUTH_REJECT); + fflush(stderr); + auth_failed=1; return; } else { @@ -452,7 +456,7 @@ */ if (ssl_certsok_flag) { user_fp = fopen("/etc/ssl.users", "r"); - if (!auth_ssl_name || !user_fp) { + if (!auth_ssl_name || !user_fp || !UserNameRequested) { /* If we haven't received a certificate, then don't * return AUTH_VALID. */ @@ -486,7 +490,7 @@ cp = strchr(n, ','); if (cp) *cp++ = '\0'; - if (!UserNameRequested || + if (UserNameRequested && !strcmp(UserNameRequested, n)) { strcpy(name, n); fclose(user_fp); @@ -543,7 +547,7 @@ default: sprintf(lbuf, " %d (unknown)", data[3]); strncpy((char *)buf, lbuf, buflen); - common2: +/* common2: */ BUMP(buf, buflen); for (i = 4; i < cnt; i++) { sprintf(lbuf, " %d", data[i]); @@ -568,7 +572,7 @@ #endif /* SSLEAY8 */ { static char *saved_subject=NULL; - X509 *peer; + /* X509 *peer; */ char *subject, *issuer; #ifdef SSLEAY8 int depth,error; 
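Review bot: In hunk @@ -452 the new `!UserNameRequested` guard covers the case where the loop in hunk @@ -486 previously matched any /etc/ssl.users line, so the `UserNameRequested &&` test inside the loop is now always true; keeping it is harmless, but a comment such as `/* UserNameRequested is non-NULL here (checked above) */` would stop the next reader from hunting for a path where it is NULL. The early-return between those two hunks can be reached with `user_fp` already open (auth_ssl_name or UserNameRequested NULL but fopen succeeded); that code is outside the hunk, so please confirm it closes user_fp. Separately, hunk @@ -389 sets the new global `auth_failed=1` (defined in hunk @@ -120), but none of the headers in this diff declare it; if telnet's main loop is meant to act on it, an `extern int auth_failed;` belongs in auth-proto.h or externs.h.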
@@ -715,8 +719,8 @@ int depth, error; #endif /* SSLEAY8 */ { - X509 *peer; - char *subject, *issuer; + /* X509 *peer; */ + char *subject, *issuer, *cnsubj; #ifdef SSLEAY8 int depth,error; char *xs; @@ -727,13 +731,13 @@ #endif /* SSLEAY8 */ -#ifdef LOCAL_DEBUG - fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n", - depth,ok,error,X509_cert_verify_error_string(error)); - fflush(stderr); -#endif /* LOCAL_DEBUG */ + if(ssl_debug_flag && !ok) { + fprintf(stderr,"ssl:client_verify_callback:depth=%d ok=%d err=%d-%s\n", + depth,ok,error,X509_verify_cert_error_string(error)); + fflush(stderr); + } - subject=issuer=NULL; + subject=issuer=cnsubj=NULL; /* first thing is to have a meaningful name for the current * certificate that is being verified ... and if we cannot 
@@ -761,60 +765,77 @@ fflush(stderr); } - /* if the server is using a self signed certificate then - * we need to decide if that is good enough for us to - * accept ... - */ - if (error==VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT) { - if (ssl_cert_required) { - /* make 100% sure that in secure more we drop the - * connection if the server does not have a - * real certificate! - */ - fprintf(stderr,"SSL: rejecting connection - server has a self-signed certificate\n"); - fflush(stderr); - - /* sometimes it is really handy to be able to debug things - * and still get a connection! - */ - if (ssl_debug_flag) { - fprintf(stderr,"SSL: debug -> ignoring cert required!\n"); - fflush(stderr); - ok=1; - } else { - ok=0; - } - goto return_time; - } else { - ok=1; - goto return_time; - } + /* verify commonName matches hostname */ + if(ssl_cert_required && depth == 0) { + char *cn,*p; + + cnsubj=strdup(subject); + if(cnsubj == NULL) { + fprintf(stderr,"SSL: Out of memory.\n"); + ok=0; + goto return_time; + } + cn=strstr(cnsubj,"/CN="); + if(cn == NULL) { + fprintf(stderr,"SSL: Cannot extract CN from certificate subject.\n"); + ok=0; + goto return_time; + } + cn+=4; /* skip /CN= */ + p=strchr(cn,'/'); + if(p != NULL) { + *p='\0'; + } + if(strcasecmp(cn,RemoteHostName) != 0) { + fprintf(stderr,"SSL: Certificate CN (%s) does not match hostname (%s)\n", + cn,RemoteHostName); + ok=0; + goto return_time; + } } - /* if we have any form of error in secure mode we reject the connection */ - if (! ((error==VERIFY_OK)||(error==VERIFY_ROOT_OK)) ) { - if (ssl_cert_required) { - fprintf(stderr,"SSL: rejecting connection - "); - if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) { - fprintf(stderr,"unknown issuer: %s\n",issuer); - } else { - ERR_print_errors(bio_err); - } - fflush(stderr); - ok=0; - goto return_time; - } else { - /* be nice and display a lot more meaningful stuff - * so that we know which issuer is unknown no matter - * what the callers options are ... 
- */ - if (error==VERIFY_ERR_UNABLE_TO_GET_ISSUER) { - fprintf(stderr,"SSL: unknown issuer: %s\n",issuer); - fflush(stderr); - } - } + if((error==VERIFY_OK) || (error==VERIFY_ROOT_OK)) { + goto return_time; } + switch(error) { + case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: + fprintf(stderr,"SSL: Server has a self-signed certificate\n"); + case VERIFY_ERR_UNABLE_TO_GET_ISSUER: + fprintf(stderr,"SSL: unknown issuer: %s\n",issuer); + break; + case X509_V_ERR_CERT_NOT_YET_VALID: + fprintf(stderr,"SSL: Certificate not yet valid\n"); + BIO_printf(bio_err,"notBefore="); + ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD: + fprintf(stderr,"SSL: Error in certificate notBefore field\n"); + BIO_printf(bio_err,"notBefore="); + ASN1_TIME_print(bio_err,X509_get_notBefore(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_CERT_HAS_EXPIRED: + fprintf(stderr,"SSL: Certificate has expired\n"); + BIO_printf(bio_err,"notAfter="); + ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD: + fprintf(stderr,"SSL: Error in certificate notAfter field\n"); + BIO_printf(bio_err,"notAfter="); + ASN1_TIME_print(bio_err,X509_get_notAfter(ctx->current_cert)); + BIO_printf(bio_err,"\n"); + break; + default: + fprintf(stderr,"SSL: %s (%d)\n", X509_verify_cert_error_string(error),error); + break; + } + + /* If we are here there was an error */ + ok=0; + return_time: ; /* clean up things */ 
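Review bot: The commonName check in hunk @@ -761 (which begins on the previous line) finds the name by scanning the one-line subject for the first `/CN=` and cutting at the next `/`, which mis-parses any subject whose earlier attribute value contains `/CN=` or whose CN contains `/`, ignores subjectAltName dNSName entries, and does no wildcard matching; if the OpenSSL in use provides X509_check_host(), it handles all of these and should replace the hand parsing. It also calls `strdup(subject)` although `subject` is initialised to NULL in hunk @@ -727 and only assigned outside the hunk, and `RemoteHostName` is not checked before `strcasecmp`; a guard such as `if(subject == NULL || RemoteHostName == NULL) { ok=0; goto return_time; }` before the strdup closes both. In the new switch, `case VERIFY_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:` falls into `case VERIFY_ERR_UNABLE_TO_GET_ISSUER:` and prints "unknown issuer" for a self-signed certificate; if that is intended mark it `/* fallthrough */`, otherwise add `break;`, and note `issuer` can still be NULL there, which is undefined for `%s`. The notBefore/notAfter cases read `ctx->current_cert` directly; `X509_STORE_CTX_get_current_cert(ctx)` is the accessor and keeps this building where the struct is opaque.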
@@ -822,7 +843,20 @@ free(subject); if (issuer!=NULL) free(issuer); - + if (cnsubj!=NULL) + free(cnsubj); + if(!ok && ssl_cert_required) { + if(ssl_debug_flag) { + fprintf(stderr,"SSL: debug -> ignoring cert required!\n"); + ok=1; + } + else { + fprintf(stderr,"SSL: Rejecting connection\n"); + ok=0; + } + } + fflush(stderr); + return ok; } diff -ur netkit-telnet-ssl-0.17.24+0.1/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/Makefile --- netkit-telnet-ssl-0.17.24+0.1/Makefile 2004-05-27 11:47:25.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/Makefile 2010-05-11 14:19:36.673445641 +0200 @@ -1,7 +1,7 @@ # You can do "make SUB=blah" to make only a few, or edit here, or both # You can also run make directly in the subdirs you want. -SUB = telnet telnetd telnetlogin +SUB = libtelnet telnet telnetd %.build: (cd $(patsubst %.build, %, $@) && $(MAKE)) diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/authenc.cc 2000-07-23 05:24:53.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/authenc.cc 2010-05-11 13:44:40.056990450 +0200 @@ -35,7 +35,7 @@ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91 */ char au_rcsid[] = - "$Id: authenc.cc,v 1.6 2000/07/23 03:24:53 dholland Exp $"; + "$Id: authenc.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #if defined(ENCRYPT) || defined(AUTHENTICATE) #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/commands.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/commands.cc 2010-05-11 13:44:40.060322107 +0200 @@ -35,7 +35,7 @@ * From: @(#)commands.c 5.5 (Berkeley) 3/22/91 */ char cmd_rcsid[] = - "$Id: commands.cc,v 1.34 2000/07/23 04:16:24 dholland Exp $"; + "$Id: commands.cc,v 1.13 2007-10-04 21:38:18 ianb Exp $"; #include 
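Review bot: The `if(!ok && ssl_cert_required)` block added at return_time turns every verification failure into acceptance whenever `ssl_debug_flag` is set, and because the hostname check in hunk @@ -761 now also exits through `ok=0; goto return_time;`, `-z debug` silently disables CN matching as well as chain validation. The message "ignoring cert required!" does not say which check was bypassed; printing `error` and the CN that failed there, or narrowing the override to the self-signed case the removed block in hunk @@ -761 wrote it for, would make the debug escape hatch far less dangerous in a client that people run with `-z debug` to diagnose connections. The `if (cnsubj!=NULL)` guard before `free(cnsubj)` is redundant since `free(NULL)` is a no-op, though it matches the two guards above it. client_verify_callback() starts well before this hunk.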
@@ -653,6 +653,21 @@ return 1; } +#ifdef AUTHENTICATE + +static int tog_autologin(int) { + if(autologin == 0) { + autologin=1; + env_export("USER"); + } + else { + autologin=0; + env_unexport("USER"); + } + return 1; +} + +#endif /* AUTHENTICATE */ static int netdata; /* Print out network data flow */ static int prettydump; /* Print "netdata" output in user readable format */ @@ -682,13 +697,13 @@ #if defined(AUTHENTICATE) { "autologin", "automatic sending of login and/or authentication info", - NULL, &autologin, + tog_autologin, NULL, "send login name and/or authentication information" }, { "authdebug", "Toggle authentication debugging", auth_togdebug, NULL, "print authentication debugging information" }, #endif -#if 0 +#ifdef ENCRYPT { "autoencrypt", "automatic encryption of data stream", EncryptAutoEnc, NULL, "automatically encrypt output" }, @@ -701,7 +716,7 @@ { "encdebug", "Toggle encryption debugging", EncryptDebug, NULL, "print encryption debugging information" }, -#endif +#endif /* ENCRYPT */ { "skiprc", "don't read the telnetrc files", NULL, &skiprc, @@ -750,7 +765,7 @@ NULL, &showoptions, "show option processing" }, - { "termdata", "(debugging) toggle printing of hexadecimal terminal data", + { "termdata", "toggle printing of hexadecimal terminal data (debugging)", NULL, &termdata, "print hexadecimal representation of terminal traffic" }, @@ -1357,9 +1372,9 @@ else shellname++; if (argc > 1) - execl(shellp, shellname, "-c", &saveline[1], 0); + execl(shellp, shellname, "-c", &saveline[1], (char *) NULL); else - execl(shellp, shellname, 0); + execl(shellp, shellname, (char *) NULL); perror("Execl"); _exit(1); } @@ -1510,10 +1525,10 @@ #if defined(AUTHENTICATE) struct authlist { - char *name; - char *help; - int (*handler)(const char *, const char *); - int narg; + const char *name; + const char *help; + int (*handler)(const char *, const char *); + int narg; }; static int auth_help (const char *, const char *); 
@@ -1833,8 +1848,22 @@ if (*portp == '-') { portp++; telnetport = 1; - } else + } else { telnetport = 0; + if (*portp >='0' && *portp<='9') { + char *end; + long int p; + + p=strtol(portp, &end, 10); + if (ERANGE==errno && (LONG_MIN==p || LONG_MAX==p)) { + fprintf(stderr, "telnet: port %s overflows\n", portp); + return 0; + } else if (p<=0 || p>=65536) { + fprintf(stderr, "telnet: port %s out of range\n", portp); + return 0; + } + } + } } else { portp = "telnet"; @@ -1860,7 +1889,7 @@ if (res < 0) return 0; } - + /* Resolve both the host and service simultaneously. */ res = getaddrinfo(resolv_hostp, portp, &hints, &hostaddr); if (res == EAI_NONAME) { @@ -1902,6 +1931,16 @@ NI_NUMERICHOST | NI_NUMERICSERV); printf("Trying %s...\n", name); + + if (tmpaddr->ai_canonname == 0) { + hostname = new char[strlen(hostp)+1]; + strcpy(hostname, hostp); + } + else { + hostname = new char[strlen(tmpaddr->ai_canonname)+1]; + strcpy(hostname, tmpaddr->ai_canonname); + } + x = nlink.connect(debug, tmpaddr, srp, srlen, tos); if (!x) goto err; @@ -1909,18 +1948,18 @@ goto nextaddr; connected++; + +#ifdef USE_SSL + if (ssl_secure_flag || (strcmp(hostp, "localhost") != 0)) { + /* autologin = 1; */ + use_authentication=1; + } +#endif /* USE_SSL */ + #if defined(AUTHENTICATE) auth_encrypt_connect(connected); #endif } while (connected == 0); - if (tmpaddr->ai_canonname == 0) { - hostname = new char[strlen(hostp)+1]; - strcpy(hostname, hostp); - } - else { - hostname = new char[strlen(tmpaddr->ai_canonname)+1]; - strcpy(hostname, tmpaddr->ai_canonname); - } cmdrc(hostp, hostname, portp); freeaddrinfo(hostaddr); @@ -1966,6 +2005,9 @@ #if defined(AUTHENTICATE) authhelp[] = "turn on (off) authentication ('auth ?' for more)", #endif +#if defined(USE_SSL) + startsslhelp[] = "switch to telnet-over-ssl (use 'auth' for ssl-over-telnet)", +#endif zhelp[] = "suspend telnet", /* shellhelp[] = "invoke a subshell", */ envhelp[] = "change environment variables ('environ ?' for more)", 
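Review bot: The port check in hunk @@ -1833 reads `errno` after `strtol` without clearing it first, and captures `end` but never examines it, so an argument like `23x` passes the range test and is handed to getaddrinfo as-is; the `LONG_MIN`/`LONG_MAX` comparison limits the stale-errno false positive but is not the idiom. Use `errno = 0;` before the call and reject trailing garbage, e.g. `errno = 0; p=strtol(portp, &end, 10); if (errno == ERANGE || *end != '\0' || p<=0 || p>=65536) { fprintf(stderr, "telnet: bad port %s\n", portp); return 0; }`. The enclosing function continues past this hunk.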
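Review bot: Hunks @@ -1902 and @@ -1909 move the `hostname` assignment inside the do/while connect loop, so every `goto nextaddr` retry allocates a fresh `new char[]` and drops the previous pointer, and the value left over from an earlier connection is dropped too; `delete[] hostname;` before the assignment avoids the leak (hostname is a global `char *`, declared `extern char *hostname;` in the netlink.cc hunk @@ -142, so it starts out null). More importantly for the new certificate check, the name that ends up in RemoteHostName (via auth_encrypt_init in netlink.cc hunk @@ -192) prefers `tmpaddr->ai_canonname`, which is the canonical name returned by the resolver, so whoever answers the DNS query chooses which name the server certificate must match. Certificate name validation should compare against the user-supplied `hostp`; ai_canonname is fine for display only.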
@@ -1981,6 +2023,34 @@ return 0; } +#if defined(USE_SSL) +static int startssl_cmd(void) +{ + if(ssl_con == NULL) + { + fprintf(stderr,"telnet: Internal error - ssl_con not initialised.\n"); + return 1; + } + + if(ssl_active_flag) + { + fprintf(stderr,"telnet: SSL already in use.\n"); + return 1; + } + + if (SSL_connect(ssl_con) < 1) + { + ERR_print_errors_fp(stderr); + fflush(stderr); + } else { + display_connect_details(ssl_con,ssl_debug_flag); + ssl_active_flag=1; + ssl_only_flag=1; + } + return 1; +} +#endif /* USE_SSL */ + static int slc_mode_import_0(void) { slc_mode_import(0); return 1; @@ -2028,6 +2098,10 @@ #endif // BIND("encrypt", encrypthelp, encrypt_cmd); +#if defined(USE_SSL) + BIND("startssl", startsslhelp, startssl_cmd); +#endif + BIND("z", zhelp, suspend); #if defined(TN3270) /* why?! */ @@ -2233,22 +2307,18 @@ } void cmdrc(const char *m1, const char *m2, const char *port) { - static char *rcname = 0; - static char rcbuf[128]; + char *rcname = NULL; if (skiprc) return; readrc(m1, m2, port, "/etc/telnetrc"); - if (rcname == 0) { - rcname = getenv("HOME"); - if (rcname) - strcpy(rcbuf, rcname); - else - rcbuf[0] = '\0'; - strcat(rcbuf, "/.telnetrc"); - rcname = rcbuf; - } + if (asprintf (&rcname, "%s/.telnetrc", getenv ("HOME")) == -1) + { + perror ("asprintf"); + return; + } readrc(m1, m2, port, rcname); + free (rcname); } #if defined(IP_OPTIONS) && defined(HAS_IPPROTO_IP) diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/defines.h 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/defines.h 2010-05-11 13:44:40.063654881 +0200 
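Review bot: The rewritten cmdrc() passes `getenv ("HOME")` straight into `asprintf`, so a missing HOME yields a NULL `%s` argument, undefined behaviour that glibc renders as `(null)/.telnetrc`, whereas the replaced code fell back to an empty prefix. Fetch it first and skip the user file when unset, `const char *home = getenv("HOME"); if (home == NULL) return;`, then format from `home`. The `/etc/telnetrc` read above that point is unchanged in order, so nothing else moves.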
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)defines.h 5.1 (Berkeley) 9/14/90 - * $Id: defines.h,v 1.5 1996/08/04 23:44:43 dholland Exp $ + * $Id: defines.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ #define ENV_VAR NEW_ENV_VAR diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/externs.h 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/externs.h 2010-05-11 13:44:40.063654881 +0200 @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)externs.h 5.3 (Berkeley) 3/22/91 - * $Id: externs.h,v 1.20 1999/08/19 09:34:15 dholland Exp $ + * $Id: externs.h,v 1.2 2004-11-17 15:28:51 ianb Exp $ */ #ifndef BSD @@ -57,6 +57,7 @@ #define SUBBUFSIZE 256 extern int autologin; /* Autologin enabled */ +extern int use_authentication; /* use SSL authentication */ extern int skiprc; /* Don't process the ~/.telnetrc file */ extern int eight; /* use eight bit mode (binary in and/or out) */ extern int binary; /* use binary option (in and/or out) */ diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/fdset.h 1996-07-16 07:17:22.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/fdset.h 2010-05-11 13:44:40.063654881 +0200 @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)fdset.h 5.1 (Berkeley) 9/14/90 - * $Id: fdset.h,v 1.1 1996/07/16 05:17:22 dholland Exp $ + * $Id: fdset.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/general.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/general.h 1996-07-16 07:17:22.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/general.h 2010-05-11 13:44:40.063654881 +0200 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)general.h 5.2 (Berkeley) 3/1/91 - * $Id: general.h,v 1.1 1996/07/16 05:17:22 dholland Exp $ + * $Id: general.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/genget.cc 1996-07-26 11:54:09.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/genget.cc 2010-05-11 13:44:40.063654881 +0200 @@ -35,7 +35,7 @@ * From: @(#)genget.c 5.1 (Berkeley) 2/28/91 */ char gg_rcsid[] = - "$Id: genget.cc,v 1.3 1996/07/26 09:54:09 dholland Exp $"; + "$Id: genget.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/glue.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/glue.cc 2010-05-11 13:44:40.083654043 +0200 @@ -11,8 +11,9 @@ printsub_h(direction, pointer, length); } -extern "C" void writenet(const char *str, int len) { +extern "C" int writenet(const char *str, int len) { netoring.write(str, len); + return 1; } extern "C" int telnet_spin() { diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/main.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/main.cc 2010-05-11 13:44:40.066988214 +0200 @@ -39,7 +39,7 @@ * From: @(#)main.c 5.4 (Berkeley) 3/22/91 */ char main_rcsid[] = - "$Id: main.cc,v 1.14 1999/08/01 05:06:37 dholland Exp $"; + "$Id: main.cc,v 1.6 2004-11-22 20:26:37 ianb Exp $"; #include "../version.h" 
@@ -86,16 +86,27 @@ * -X disable specified auth type */ void usage(void) { - fprintf(stderr, "Usage: %s %s%s%s%s\n", + fprintf(stderr, "Usage: %s %s%s%s%s%s\n", prompt, +#ifdef AUTHENTICATE + "[-4] [-6] [-8] [-E] [-K] [-L] [-X atype] [-a] [-d] [-e char]", + "\n\t[-l user] [-n tracefile] [ -b addr ]", +#else "[-4] [-6] [-8] [-E] [-L] [-a] [-d] [-e char] [-l user]", "\n\t[-n tracefile] [ -b addr ]", +#endif #ifdef TN3270 "\n\t" "[-noasynch] [-noasynctty] [-noasyncnet] [-r] [-t transcom]\n\t", #else " [-r] ", #endif +#ifdef USE_SSL + /* might as well output something useful here ... */ + "\n\t[-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t[-z cert=file] [-z key=file]\n\t", +#else /* !USE_SSL */ + "", +#endif /* USE_SSL */ "[host-name [port]]" ); exit(1); 
@@ -135,8 +146,73 @@ autologin = -1; while ((ch = getopt(argc, argv, - "4678EKLS:X:ab:de:k:l:n:rt:x")) != EOF) { + "4678EKLS:X:ab:de:k:l:n:rt:xz:")) != EOF) { switch(ch) { +#ifdef USE_SSL + case 'z': + { + char *origopt; + + origopt=strdup(optarg); + optarg=strtok(origopt,","); + + while(optarg!=NULL) { + + if (strcmp(optarg, "debug") == 0 ) { + ssl_debug_flag=1; + } else if (strcmp(optarg, "authdebug") == 0 ) { + auth_debug_mode=1; + } else if (strcmp(optarg, "ssl") == 0 ) { + ssl_only_flag=1; + } else if ( (strcmp(optarg, "!ssl") == 0) || + (strcmp(optarg, "nossl") == 0) ) { + /* we may want to switch SSL negotiation off + * for testing or other reasons + */ + ssl_disabled_flag=1; + } else if (strcmp(optarg, "certrequired") == 0 ) { + ssl_cert_required=1; + } else if (strcmp(optarg, "secure") == 0 ) { + ssl_secure_flag=1; + } else if (strcmp(optarg, "verbose") == 0 ) { + ssl_verbose_flag=1; + } else if (strncmp(optarg, "verify=", + strlen("verify=")) == 0 ) { + ssl_verify_flag=atoi(optarg+strlen("verify=")); + } else if (strncmp(optarg, "cert=", + strlen("cert=")) == 0 ) { + ssl_cert_file= optarg + strlen("cert="); + } else if (strncmp(optarg, "key=", + strlen("key=")) == 0 ) { + ssl_key_file= optarg + strlen("key="); + } else if (strncmp(optarg,"cipher=", + strlen("cipher="))==0) { + ssl_cipher_list=optarg+strlen("cipher="); + } else { + /* report when we are given rubbish so that + * if the user makes a mistake they have to + * correct it! + */ + fprintf(stderr,"Unknown SSL option %s\n",optarg); + fflush(stderr); + exit(1); + } + + /* get the next one ... */ + optarg=strtok(NULL,","); + + } + + /* + if (origopt!=NULL) + free(origopt); + */ + + } + + break; +#endif /* USE_SSL */ + case '4': family = AF_INET; break; 
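Review bot: In the new `case 'z':` block `origopt=strdup(optarg)` is never checked, so an allocation failure makes `strtok` dereference NULL; and the buffer is intentionally never freed because `ssl_cert_file`, `ssl_key_file` and `ssl_cipher_list` point into it, but the only hint is the commented-out `free(origopt)`. Replace that dead block with a comment stating the ownership, `/* origopt is never freed: ssl_cert_file, ssl_key_file and ssl_cipher_list alias into it */`, and add `if (origopt == NULL) { perror("strdup"); exit(1); }` after the strdup. The `verify=` value goes through `atoi`, which silently accepts junk such as `verify=abc` as 0; strtol with an end-pointer check, as the port parsing in commands.cc does, would be consistent. The option switch continues past the end of this hunk.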
@@ -257,14 +333,25 @@ autologin = (rlogin == _POSIX_VDISABLE) ? 0 : 1; #ifdef USE_SSL + if((ssl_cert_file != NULL) || (ssl_key_file != NULL)) { + autologin = 1; + } + if (ssl_secure_flag||ssl_cert_required) { /* in secure mode we *must* switch on the base level * verify checking otherwise we cannot abort connections * at the right place! */ if (ssl_verify_flag == 0) - ssl_verify_flag = 1; + ssl_verify_flag = SSL_VERIFY_PEER;; } + + /* client mode ignores SSL_VERIFY_FAIL_IF_NO_PEER_CERT, + so simulate it using certrequired */ + if(ssl_verify_flag & SSL_VERIFY_FAIL_IF_NO_PEER_CERT) { + ssl_cert_required=1; + } + #endif /* USE_SSL */ argc -= optind; @@ -289,11 +376,6 @@ *argp++ = family == AF_INET ? "-4" : "-6"; } *argp++ = argv[0]; /* host */ -#ifdef USE_SSL - if (strcmp(argv[0], "localhost") != 0) { - autologin = 1; - } -#endif /* USE_SSL */ if (argc > 1) *argp++ = argv[1]; /* port */ *argp = 0; diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile --- netkit-telnet-ssl-0.17.24+0.1/telnet/Makefile 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/Makefile 2010-05-11 13:44:40.056990450 +0200 @@ -6,15 +6,18 @@ #CXXFLAGS:=$(patsubst -O2, -g, $(CXXFLAGS)) # -DAUTHENTICATE -CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -LIBS = $(LIBTERMCAP) +CXXFLAGS += -DUSE_TERMIO -DKLUDGELINEMODE -DAUTHENTICATE -DUSE_SSL \ + -I/usr/include/openssl -I../ +LIBTELNET = ../libtelnet/libtelnet.a +LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto SRCS = commands.cc main.cc network.cc ring.cc sys_bsd.cc telnet.cc \ - terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc + terminal.cc tn3270.cc utilities.cc genget.cc environ.cc netlink.cc \ + glue.cc glue2.cc OBJS = $(patsubst %.cc, %.o, $(SRCS)) -telnet: $(OBJS) +telnet: $(OBJS) $(LIBTELNET) $(CXX) $(LDFLAGS) $^ $(LIBS) -o $@ include depend.mk 
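Review bot: `ssl_verify_flag = SSL_VERIFY_PEER;;` in hunk @@ -257 carries a stray second semicolon; harmless, but it reads as a typo, `ssl_verify_flag = SSL_VERIFY_PEER;`. The comment explaining why `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` is folded into `ssl_cert_required` is useful; the new `if((ssl_cert_file != NULL) || (ssl_key_file != NULL)) autologin = 1;` just above it has no such note, and since the reason is not visible here a one-line comment on why supplying a certificate or key forces autologin would help the next reader. main() continues past both hunks.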
@@ -22,7 +25,7 @@ $(CXX) $(CXXFLAGS) -MM $(SRCS) >depend.mk install: telnet - install -s -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl + install -m$(BINMODE) telnet $(INSTALLROOT)$(BINDIR)/telnet-ssl install -m$(MANMODE) telnet.1 $(INSTALLROOT)$(MANDIR)/man1/telnet-ssl.1 clean: diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/netlink.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/netlink.cc 2010-05-11 13:44:40.066988214 +0200 @@ -12,12 +12,27 @@ #include "proto.h" #include "ring.h" #include +#include /* In Linux, this is an enum */ #if defined(__linux__) || defined(IPPROTO_IP) #define HAS_IPPROTO_IP #endif +/* code from Peter 'Luna' Runestig */ +static int select_read(int rfd) +/* timeout = 20 seconds */ +{ + fd_set rfds; + struct timeval tv; + + FD_ZERO(&rfds); + FD_SET(rfd, &rfds); + tv.tv_sec = 20; + tv.tv_usec = 0; + return select(rfd + 1, &rfds, NULL, NULL, &tv); +} + netlink nlink; class netchannel : public ringbuf::source { @@ -26,12 +41,23 @@ int net = nlink.getfd(); int l; #ifdef USE_SSL - if (ssl_active_flag) - l = SSL_read(ssl_con, buf, maxlen); - else + if (ssl_active_flag) { + do { + l = SSL_read(ssl_con, buf, maxlen); + /* + * SSL_ERROR_WANT_READ may occur if an SSL/TLS rehandshake occurs. + * This means that data was available at the socket, but all was + * consumed by SSL itself, so we select (w/20s timeout) and retry. + */ + } while (l<0 && + (SSL_ERROR_WANT_READ == SSL_get_error(ssl_con, l)) && + (select_read(net) > 0)); + } else #endif /* USE_SSL */ - l = recv(net, buf, maxlen, 0); - if (l<0 && errno == EWOULDBLOCK) l = 0; + { + l = recv(net, buf, maxlen, 0); + if (l<0 && errno == EWOULDBLOCK) l = 0; + } return l; } }; 
@@ -70,11 +96,11 @@ netlink::netlink() { net = -1; } -netlink::~netlink() { ::close(net); } +netlink::~netlink() { if (net >= 0) ::close(net); } int netlink::setdebug(int debug) { - if (net > 0 && + if (net >= 0 && (setsockopt(net, SOL_SOCKET, SO_DEBUG, &debug, sizeof(debug))) < 0) { perror("setsockopt (SO_DEBUG)"); } @@ -95,7 +121,8 @@ ssl_active_flag=0; } #endif /* USE_SSL */ - ::close(net); + if (net >= 0) + ::close(net); net = -1; } @@ -142,7 +169,8 @@ { int on=1; int res; - + extern char *hostname; + res = socket(addr->ai_family); if (res < 2) return res; @@ -192,10 +220,24 @@ /* bind in the network descriptor */ SSL_set_fd(ssl_con,net); +#if defined(AUTHENTICATE) + /* moved from telnet() so client_verify_callback knows RemoteHostName -ianb */ + { + static char local_host[256] = { 0 }; + int len = sizeof(local_host); + + if (!local_host[0]) { + gethostname(local_host, len); /* WAS &len!!! */ + local_host[sizeof(local_host)-1] = 0; + } + auth_encrypt_init(local_host, hostname, "TELNET", 0); + } +#endif + /* if we are doing raw SSL then start it now ... */ if (ssl_only_flag) { if (!SSL_connect(ssl_con)) { - static char errbuf[1024]; + /* static char errbuf[1024]; */ ERR_print_errors_fp(stderr); perror("SSL_connect"); diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/network.cc 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/network.cc 2010-05-11 13:44:40.066988214 +0200 @@ -35,7 +35,7 @@ * 
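Review bot: `extern char *hostname;` declared inside the function body bypasses the headers this file already includes (`proto.h` is visible in the earlier hunk) and will not be checked against the real definition if its type changes; declare it once in the shared header instead. The same in-function `extern` appears for `auth_failed` in `telnet.cc`'s `suboption()` and for `UserNameRequested` at the top of `state.c`, and the fix is the same in each place. The enclosing connect routine starts before the hunk.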
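Review bot: `gethostname(local_host, len)` in the moved `AUTHENTICATE` block ignores its return value, so on failure `auth_encrypt_init` receives whatever the static buffer holds (an empty string on first use, since it is zero-initialised); check it, e.g. `if (gethostname(local_host, sizeof local_host) != 0) local_host[0] = '\0';`, and keep the explicit terminator. `int len = sizeof(local_host)` only restates the array size and can go. `/* static char errbuf[1024]; */` is commented-out code and should be deleted rather than kept. The surrounding connect routine starts and ends outside the hunk.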
From: @(#)network.c 5.2 (Berkeley) 3/1/91 */ char net_rcsid[] = - "$Id: network.cc,v 1.15 1996/08/13 08:09:58 dholland Exp $"; + "$Id: network.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/proto.h 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/proto.h 2010-05-11 13:44:40.070321269 +0200 @@ -10,9 +10,11 @@ int TerminalSpecialChars(int); void TerminalSpeeds(long *ispeed, long *ospeed); int TerminalWindowSize(long *rows, long *cols); +#if 0 void auth_encrypt_user(char *); void auth_name(unsigned char *, int); void auth_printsub(unsigned char *, int, unsigned char *, int); +#endif void cmdrc(const char *, const char *, const char *); void env_init(void); int getconnmode(void); diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.cc 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.cc 2010-05-11 13:44:40.070321269 +0200 @@ -35,7 +35,7 @@ * From: @(#)ring.c 5.2 (Berkeley) 3/1/91 */ char ring_rcsid[] = - "$Id: ring.cc,v 1.23 2000/07/23 03:25:09 dholland Exp $"; + "$Id: ring.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * This defines a structure for a ring buffer. diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/ring.h 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/ring.h 2010-05-11 13:44:40.070321269 +0200 
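Review bot: The `#if 0` around the three `auth_*` prototypes in `proto.h` keeps dead declarations in a public header; if they are now provided by `libtelnet/auth-proto.h` (the earlier hunks add prototypes there, though these three are not visible), delete the lines and add `#include "libtelnet/auth-proto.h"` where they were needed. If they are still required under some configuration, say which with a comment instead of `#if 0`.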
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)ring.h 5.2 (Berkeley) 3/1/91 - * $Id: ring.h,v 1.13 1996/08/13 08:43:28 dholland Exp $ + * $Id: ring.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ class datasink { diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/sys_bsd.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/sys_bsd.cc 2010-05-11 13:44:40.070321269 +0200 @@ -35,7 +35,7 @@ * From: @(#)sys_bsd.c 5.2 (Berkeley) 3/1/91 */ char bsd_rcsid[] = - "$Id: sys_bsd.cc,v 1.24 1999/09/28 16:29:24 dholland Exp $"; + "$Id: sys_bsd.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * The following routines try to encapsulate what is system dependent diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1 --- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.1 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.1 2010-05-11 13:44:40.073654603 +0200 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)telnet.1 6.16 (Berkeley) 7/27/91 -.\" $Id: telnet.1,v 1.15 2000/07/30 23:57:08 dholland Exp $ +.\" $Id: telnet.1,v 1.5 2006-09-24 00:48:31 ianb Exp $ .\" .Dd August 15, 1999 .Dt TELNET 1 @@ -42,12 +42,14 @@ protocol .Sh SYNOPSIS .Nm telnet -.Op Fl 468ELadr +.Op Fl 468EKLadr .Op Fl S Ar tos +.Op Fl X Ar authtype .Op Fl b Ar address .Op Fl e Ar escapechar .Op Fl l Ar user .Op Fl n Ar tracefile +.Op Fl z Ar option .Oo .Ar host .Op Ar port 
@@ -152,44 +154,47 @@ command below. .It Fl z Ar option Set SSL (Secure Socket Layer) parameters. The default is to negotiate -via telnet protocoll if SSL is availlable at server side and then to +via telnet protocol if SSL is available at server side and then to switch it on. In this mode you can connect to both conventional and -SSL enhanced telnetd's. +SSL enhanced telnetd's. If the connection is made to localhost and +.Ic -z secure +is not set, then +SSL is not enabled. .Pp The SSL parameters are: .Bl -tag -width Fl -.It Ic Ar debug +.It Ic debug Send SSL related debugging information to stderr. -.It Ic Ar authdebug +.It Ic authdebug Enable authentication debugging. -.It Ic Ar ssl +.It Ic ssl Negotiate SSL at first, then use telnet protocol. In this mode you can connect to any server supporting directly SSL like Apache-SSL. Use .Ic telnet -z ssl ssl3.netscape.com https for example. telnet protocol negotiation goes encrypted. -.It Ic Ar nossl, Ar !ssl -switch of SSL negotiation -.It Ic Ar certrequired -client certificate is mandatory -.It Ic Ar secure +.It Ic nossl, Ic !ssl +switch off SSL negotiation +.It Ic certrequired +server certificate is mandatory +.It Ic secure Don't switch back to unencrypted mode (no SSL) if SSL is not available. -.It Ic Ar verbose +.It Ic verbose Be verbose about certificates etc. -.It Ic Ar verify=int +.It Ic verify= Ns Ar int .\" TODO Set the SSL verify flags (SSL_VERIFY_* in .Ar ssl/ssl.h ). .\" TODO -.It Ic Ar cert=cert_file +.It Ic cert= Ns Ar cert_file .\" TODO Use the certificate(s) in .Ar cert_file . -.It Ic Ar key=key_file +.It Ic key= Ns Ar key_file .\" TODO Use the key(s) in .Ar key_file . -.It Ic Ar cipher=ciph_list +.It Ic cipher= Ns Ar ciph_list .\" TODO Set the preferred ciphers to .Ar ciph_list . 
@@ -319,10 +324,6 @@ List the current status of the various types of authentication. .El -.Pp -Note that the current version of -.Nm telnet -does not support authentication. .It Ic close Close the connection to the remote host, if any, and return to command mode. 
@@ -332,49 +333,49 @@ and .Ic toggle values (see below). -.It Ic encrypt Ar argument ... -The encrypt command controls the -.Dv TELNET ENCRYPT -protocol option. If -.Nm telnet -was compiled without encryption, the -.Ic encrypt -command will not be supported. -.Pp -Valid arguments are as follows: -.Bl -tag -width Ar -.It Ic disable Ar type Ic [input|output] -Disable the specified type of encryption. If you do not specify input -or output, encryption of both is disabled. To obtain a list of -available types, use ``encrypt disable \&?''. -.It Ic enable Ar type Ic [input|output] -Enable the specified type of encryption. If you do not specify input -or output, encryption of both is enabled. To obtain a list of -available types, use ``encrypt enable \&?''. -.It Ic input -This is the same as ``encrypt start input''. -.It Ic -input -This is the same as ``encrypt stop input''. -.It Ic output -This is the same as ``encrypt start output''. -.It Ic -output -This is the same as ``encrypt stop output''. -.It Ic start Ic [input|output] -Attempt to begin encrypting. If you do not specify input or output, -encryption of both input and output is started. -.It Ic status -Display the current status of the encryption module. -.It Ic stop Ic [input|output] -Stop encrypting. If you do not specify input or output, encryption of -both is stopped. -.It Ic type Ar type -Sets the default type of encryption to be used with later ``encrypt start'' -or ``encrypt stop'' commands. -.El -.Pp -Note that the current version of -.Nm telnet -does not support encryption. +.\" .It Ic encrypt Ar argument ... +.\" The encrypt command controls the +.\" .Dv TELNET ENCRYPT +.\" protocol option. If +.\" .Nm telnet +.\" was compiled without encryption, the +.\" .Ic encrypt +.\" command will not be supported. +.\" .Pp +.\" Valid arguments are as follows: +.\" .Bl -tag -width Ar +.\" .It Ic disable Ar type Ic [input|output] +.\" Disable the specified type of encryption. 
If you do not specify input +.\" or output, encryption of both is disabled. To obtain a list of +.\" available types, use ``encrypt disable \&?''. +.\" .It Ic enable Ar type Ic [input|output] +.\" Enable the specified type of encryption. If you do not specify input +.\" or output, encryption of both is enabled. To obtain a list of +.\" available types, use ``encrypt enable \&?''. +.\" .It Ic input +.\" This is the same as ``encrypt start input''. +.\" .It Ic -input +.\" This is the same as ``encrypt stop input''. +.\" .It Ic output +.\" This is the same as ``encrypt start output''. +.\" .It Ic -output +.\" This is the same as ``encrypt stop output''. +.\" .It Ic start Ic [input|output] +.\" Attempt to begin encrypting. If you do not specify input or output, +.\" encryption of both input and output is started. +.\" .It Ic status +.\" Display the current status of the encryption module. +.\" .It Ic stop Ic [input|output] +.\" Stop encrypting. If you do not specify input or output, encryption of +.\" both is stopped. +.\" .It Ic type Ar type +.\" Sets the default type of encryption to be used with later ``encrypt start'' +.\" or ``encrypt stop'' commands. +.\" .El +.\" .Pp +.\" Note that the current version of +.\" .Nm telnet +.\" does not support encryption. .It Ic environ Ar arguments... The .Ic environ @@ -1017,6 +1018,16 @@ .Ic slc command. .El +.It Ic startssl +Attempt to negotiate telnet-over-SSL (as with the +.Ic -z ssl +option). This is useful when connecting to non-telnetds such +as imapd (with the +.Ic STARTTLS +command). To control SSL when connecting to a SSL-enabled +telnetd, use the +.Ic auth +command instead. .It Ic status Show the current status of .Nm telnet . 
@@ -1079,17 +1090,17 @@ .Dv FALSE (see .Xr stty 1 ) . -.It Ic autodecrypt -When the -.Dv TELNET ENCRYPT -option is negotiated, by -default the actual encryption (decryption) of the data -stream does not start automatically. The autoencrypt -(autodecrypt) command states that encryption of the -output (input) stream should be enabled as soon as -possible. -.Pp -Note that this flag exists only if encryption support is enabled. +.\" .It Ic autodecrypt +.\" When the +.\" .Dv TELNET ENCRYPT +.\" option is negotiated, by +.\" default the actual encryption (decryption) of the data +.\" stream does not start automatically. The autoencrypt +.\" (autodecrypt) command states that encryption of the +.\" output (input) stream should be enabled as soon as +.\" possible. +.\" .Pp +.\" Note that this flag exists only if encryption support is enabled. .It Ic autologin If the remote side supports the .Dv TELNET AUTHENTICATION @@ -1174,9 +1185,9 @@ .Ic super user ) . The initial value for this toggle is .Dv FALSE . -.It Ic encdebug -Turns on debugging information for the encryption code. -Note that this flag only exists if encryption support is available. +.\" .It Ic encdebug +.\" Turns on debugging information for the encryption code. +.\" Note that this flag only exists if encryption support is available. .It Ic localchars If this is .Dv TRUE , @@ -1221,8 +1232,9 @@ is sent as .Ic abort , and -.Ic eof and -.B suspend +.Ic eof +and +.Ic suspend are sent as .Ic eof and .Ic susp , 
@@ -1263,16 +1275,16 @@ Toggles the display of all terminal data (in hexadecimal format). The initial value for this toggle is .Dv FALSE . -.It Ic verbose_encrypt -When the -.Ic verbose_encrypt -toggle is -.Dv TRUE , -.Tn TELNET -prints out a message each time encryption is enabled or -disabled. The initial value for this toggle is -.Dv FALSE. -This flag only exists if encryption support is available. +.\" .It Ic verbose_encrypt +.\" When the +.\" .Ic verbose_encrypt +.\" toggle is +.\" .Dv TRUE , +.\" .Tn TELNET +.\" prints out a message each time encryption is enabled or +.\" disabled. The initial value for this toggle is +.\" .Dv FALSE. +.\" This flag only exists if encryption support is available. .It Ic \&? Displays the legal .Ic toggle diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/telnet.cc 2004-05-27 11:47:26.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/telnet.cc 2010-05-11 13:44:40.076987936 +0200 @@ -47,7 +47,7 @@ * From: @(#)telnet.c 5.53 (Berkeley) 3/22/91 */ char telnet_rcsid[] = -"$Id: telnet.cc,v 1.36 2000/07/23 03:24:53 dholland Exp $"; +"$Id: telnet.cc,v 1.8 2005-04-14 15:26:27 ianb Exp $"; #include #include @@ -107,6 +107,7 @@ eight = 3, binary = 0, autologin = 0, /* Autologin anyone? */ + use_authentication = 0, skiprc = 0, connected, showoptions, @@ -495,7 +496,8 @@ break; #if defined(AUTHENTICATE) case TELOPT_AUTHENTICATION: - if (autologin) + /* if (autologin) */ + if (use_authentication) new_state_ok = 1; break; #endif @@ -722,6 +724,7 @@ */ static void suboption(void) { + extern int auth_failed; printsub('<', subbuffer, SB_LEN()+2); switch (SB_GET()) { case TELOPT_TTYPE: @@ -845,7 +848,8 @@ #if defined(AUTHENTICATE) case TELOPT_AUTHENTICATION: { - if (!autologin) + /* if (!autologin) */ + if (!use_authentication) break; if (SB_EOF()) return; 
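Review bot: `/* if (autologin) */` left beside the replacement `if (use_authentication)` is commented-out code; the same pattern recurs in the `@@ -845` hunk and in `telnet()` at `@@ -1819`. Delete the dead lines; version control holds the history. The initialiser `use_authentication = 0` in the `@@ -107` hunk is the only place the variable is visible here, so a one-line comment there stating what sets it (presumably the `-X`/`auth` handling, not shown) would help the next reader.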
@@ -864,6 +868,10 @@ if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) return; auth_reply(subpointer, SB_LEN()); + if(auth_failed) { + /* auth rejected, quit */ + quit(); + } break; case TELQUAL_NAME: if (my_want_state_is_dont(TELOPT_AUTHENTICATION)) @@ -1140,6 +1148,7 @@ unsigned char slc_reply[128]; +unsigned char const * const slc_reply_eom = &slc_reply[sizeof(slc_reply)]; unsigned char *slc_replyp; void slc_start_reply(void) { @@ -1151,6 +1160,14 @@ } void slc_add_reply(int func, int flags, int value) { + /* A sequence of up to 6 bytes my be written for this member of the SLC + * suboption list by this function. The end of negotiation command, + * which is written by slc_end_reply(), will require 2 additional + * bytes. Do not proceed unless there is sufficient space for these + * items. + */ + if (&slc_replyp[6+2] > slc_reply_eom) + return; if ((*slc_replyp++ = func) == IAC) *slc_replyp++ = IAC; if ((*slc_replyp++ = flags) == IAC) @@ -1819,25 +1836,19 @@ */ void telnet(const char *user) { sys_telnet_init(); - -#if defined(AUTHENTICATE) - { - static char local_host[256] = { 0 }; - int len = sizeof(local_host); - - if (!local_host[0]) { - gethostname(local_host, len); /* WAS &len!!! */ - local_host[sizeof(local_host)-1] = 0; - } - auth_encrypt_init(local_host, hostname, "TELNET", 0); - auth_encrypt_user(user); - } + +#ifdef AUTHENTICATE + auth_encrypt_user(user); #endif - + #if !defined(TN3270) if (telnetport) { + + send_will(TELOPT_ENVIRON, 1); + #if defined(AUTHENTICATE) - if (autologin) + /* if (autologin) */ + if (use_authentication) send_will(TELOPT_AUTHENTICATION, 1); #endif send_do(TELOPT_SGA, 1); 
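Review bot: `&slc_replyp[6+2] > slc_reply_eom` in `slc_add_reply` forms a pointer that can lie more than one element past the end of `slc_reply`, which is undefined behaviour even though it is meant as a bounds check; compare distances instead: `if (slc_reply_eom - slc_replyp < 6 + 2) return;`. The `6` and `2` would read better as named constants (`SLC_ENTRY_MAX`, `SLC_END_LEN`) since the comment already explains them. The silent `return` drops the entry without any signal; a debug message or a comment stating that the reply is truncated would keep this from being mistaken for a lost packet later.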
@@ -1846,7 +1857,6 @@ send_will(TELOPT_TSPEED, 1); send_will(TELOPT_LFLOW, 1); send_will(TELOPT_LINEMODE, 1); - send_will(TELOPT_ENVIRON, 1); send_do(TELOPT_STATUS, 1); if (env_getvalue("DISPLAY", 0)) send_will(TELOPT_XDISPLOC, 1); diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/terminal.cc 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/terminal.cc 2010-05-11 13:44:40.080321548 +0200 @@ -35,7 +35,7 @@ * From: @(#)terminal.c 5.3 (Berkeley) 3/22/91 */ char terminal_rcsid[] = - "$Id: terminal.cc,v 1.25 1999/12/12 19:48:05 dholland Exp $"; + "$Id: terminal.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/tn3270.cc 1996-08-13 11:08:34.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/tn3270.cc 2010-05-11 13:44:40.080321548 +0200 @@ -35,7 +35,7 @@ * From: @(#)tn3270.c 5.2 (Berkeley) 3/1/91 */ char tn3270_rcsid[] = - "$Id: tn3270.cc,v 1.9 1996/08/13 09:08:34 dholland Exp $"; + "$Id: tn3270.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/types.h netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h --- netkit-telnet-ssl-0.17.24+0.1/telnet/types.h 1996-07-27 02:45:54.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/types.h 2010-05-11 13:44:40.083654043 +0200 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)types.h 5.1 (Berkeley) 9/14/90 - * $Id: types.h,v 1.2 1996/07/27 00:45:54 dholland Exp $ + * $Id: types.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ typedef struct { diff -ur netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc --- netkit-telnet-ssl-0.17.24+0.1/telnet/utilities.cc 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnet/utilities.cc 2010-05-11 13:44:40.083654043 +0200 @@ -35,7 +35,7 @@ * From: @(#)utilities.c 5.3 (Berkeley) 3/22/91 */ char util_rcsid[] = - "$Id: utilities.cc,v 1.19 1999/12/12 15:33:40 dholland Exp $"; + "$Id: utilities.cc,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #define TELOPTS #define TELCMDS diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/authenc.c 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/authenc.c 2010-05-11 13:44:40.086987376 +0200 @@ -23,7 +23,7 @@ * From: @(#)authenc.c 5.1 (Berkeley) 3/1/91 */ char authenc_rcsid[] = - "$Id: authenc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $"; + "$Id: authenc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #if defined(ENCRYPT) || defined(AUTHENTICATE) #include "telnetd.h" diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h --- netkit-telnet-ssl-0.17.24+0.1/telnetd/defs.h 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/defs.h 2010-05-11 13:44:40.086987376 +0200 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)defs.h 5.10 (Berkeley) 3/1/91 - * $Id: defs.h,v 1.7 1999/08/02 03:14:03 dholland Exp $ + * $Id: defs.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ /* diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h --- netkit-telnet-ssl-0.17.24+0.1/telnetd/ext.h 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/ext.h 2010-05-11 13:44:40.086987376 +0200 @@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)ext.h 5.7 (Berkeley) 3/1/91 - * $Id: ext.h,v 1.9 1999/12/12 14:59:44 dholland Exp $ + * $Id: ext.h,v 1.2 2004-11-21 12:53:12 ianb Exp $ */ /* @@ -113,7 +113,7 @@ void interrupt(void); void localstat(void); void netclear(void); -void netflush(void); +int netflush(void); size_t netbuflen(int); void sendurg(const char *, size_t); @@ -183,7 +183,8 @@ void tty_tspeed(int); void willoption(int); void wontoption(int); -#define writenet(b, l) fwrite(b, 1, l, netfile) +int writenet(char *, int); +/*#define writenet(b, l) fwrite(b, 1, l, netfile)*/ void netopen(void); #if defined(ENCRYPT) diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/getent.c 1996-08-15 08:23:28.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/getent.c 2010-05-11 13:44:40.086987376 +0200 @@ -35,7 +35,7 @@ * From: @(#)getent.c 5.1 (Berkeley) 2/28/91 */ char ge_rcsid[] = - "$Id: getent.c,v 1.3 1996/08/15 06:23:28 dholland Exp $"; + "$Id: getent.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * Copyright (c) 1991 Regents of the University of California. diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/global.c 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/global.c 2010-05-11 13:44:40.090341661 +0200 @@ -35,7 +35,7 @@ * 
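Review bot: `/*#define writenet(b, l) fwrite(b, 1, l, netfile)*/` in `ext.h` is commented-out code beside its replacement prototype `int writenet(char *, int);` and should simply be deleted. While here, the new prototype could take `const char *` for the buffer, which would remove the `(char *)` casts the patch adds at every `writenet` call site in `state.c` and `libtelnet/auth.c`. `netflush()` now returns `int`, but the visible callers still ignore it; a comment on the prototype saying what the value means would tell callers whether to check it.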
From: @(#)global.c 5.2 (Berkeley) 6/1/90 */ char global_rcsid[] = - "$Id: global.c,v 1.4 1999/12/12 14:59:44 dholland Exp $"; + "$Id: global.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; /* * Allocate global variables. diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5 --- netkit-telnet-ssl-0.17.24+0.1/telnetd/issue.net.5 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/issue.net.5 2010-05-11 13:44:40.090341661 +0200 @@ -15,26 +15,26 @@ .Pa /etc/issue.net is a text file which contains a message or system identification to be printed before the login prompt of a telnet session. It may contain -various `%-char' sequences. The following sequences are supported by +various `%\&\-char' sequences. The following sequences are supported by .Ic telnetd : .Bl -tag -offset indent -compact -width "abcde" -.It %t +.It %\&t - show the current tty -.It %h +.It %\&h - show the system node name (FQDN) -.It %D +.It %\&D - show the name of the NIS domain -.It %d +.It %\&d - show the current time and date -.It %s +.It %\&s - show the name of the operating system -.It %m +.It %\&m - show the machine (hardware) type -.It %r +.It %\&r - show the operating system release -.It %v +.It %\&v - show the operating system version -.It %% +.It %\&% - display a single '%' character .El .Sh FILES diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile --- netkit-telnet-ssl-0.17.24+0.1/telnetd/Makefile 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/Makefile 2010-05-11 14:12:59.493485309 +0200 
@@ -9,9 +9,11 @@ # take out -DPARANOID_TTYS. CFLAGS += '-DISSUE_FILE="/etc/issue.net"' -DPARANOID_TTYS \ - -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS \ - -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" -# LIBS += $(LIBTERMCAP) + -DNO_REVOKE -DKLUDGELINEMODE -DDIAGNOSTICS -DAUTHENTICATE \ + -DLOGIN_WRAPPER=\"/usr/lib/telnetlogin\" \ + -DUSE_SSL -I/usr/include/openssl -I.. +LIBTELNET = ../libtelnet/libtelnet.a +LIBS += $(LIBTERMCAP) $(LIBTELNET) -lssl -lcrypto OBJS = telnetd.o state.o termstat.o slc.o sys_term.o utility.o \ global.o setproctitle.o @@ -28,10 +30,10 @@ telnetd.o: ../version.h install: telnetd - install -s -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd - install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/ - install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd.8 - ln -sf in.telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd.8 + install -m$(DAEMONMODE) telnetd $(INSTALLROOT)$(SBINDIR)/in.telnetd-ssl +# install -m$(MANMODE) issue.net.5 $(INSTALLROOT)$(MANDIR)/man5/ + install -m$(MANMODE) telnetd.8 $(INSTALLROOT)$(MANDIR)/man8/in.telnetd-ssl.8 + ln -sf in.telnetd-ssl.8 $(INSTALLROOT)$(MANDIR)/man8/telnetd-ssl.8 clean: rm -f *.o telnetd diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h --- netkit-telnet-ssl-0.17.24+0.1/telnetd/pathnames.h 1996-08-30 00:31:24.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/pathnames.h 2010-05-11 13:44:40.090341661 +0200 
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)pathnames.h 5.5 (Berkeley) 6/28/90 - * $Id: pathnames.h,v 1.3 1996/08/29 22:31:24 dholland Exp $ + * $Id: pathnames.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3 --- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.3 2000-07-31 01:57:09.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.3 2010-05-11 13:44:40.090341661 +0200 @@ -1,5 +1,5 @@ .\" OpenBSD: setproctitle.3,v 1.4 1996/10/08 01:20:08 michaels Exp -.\" $Id: setproctitle.3,v 1.13 2000/07/30 23:57:09 dholland Exp $ +.\" $Id: setproctitle.3,v 1.1 2004-10-14 13:19:53 ianb Exp $ .\" .\" Copyright (c) 1994, 1995 Christopher G. Demetriou .\" All rights reserved. diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/setproctitle.c 2004-05-27 11:47:01.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/setproctitle.c 2010-05-11 13:44:40.090341661 +0200 @@ -39,7 +39,7 @@ * From: @(#)conf.c 8.243 (Berkeley) 11/20/95 */ char setproctitle_rcsid[] = - "$Id: setproctitle.c,v 1.3 1999/12/10 23:06:39 bryce Exp $"; + "$Id: setproctitle.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/slc.c 1999-12-12 15:59:44.000000000 +0100 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/slc.c 2010-05-11 13:44:40.096989611 +0200 @@ -35,7 +35,7 @@ * 
From: @(#)slc.c 5.7 (Berkeley) 3/1/91 */ char slc_rcsid[] = - "$Id: slc.c,v 1.5 1999/12/12 14:59:44 dholland Exp $"; + "$Id: slc.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include "telnetd.h" diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/state.c 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/state.c 2010-05-11 13:44:40.100321827 +0200 @@ -35,11 +35,12 @@ * From: @(#)state.c 5.10 (Berkeley) 3/22/91 */ char state_rcsid[] = - "$Id: state.c,v 1.12 1999/12/12 19:41:44 dholland Exp $"; + "$Id: state.c,v 1.5 2005-07-07 21:53:00 ianb Exp $"; #include "telnetd.h" #if defined(AUTHENTICATE) #include +extern char *UserNameRequested; #endif int not42 = 1; @@ -1161,7 +1162,7 @@ case TELOPT_ENVIRON: { register int c; - register char *cp, *varp, *valp; + register unsigned char *cp, *varp, *valp; if (SB_EOF()) return; @@ -1177,25 +1178,41 @@ if (SB_EOF()) return; - cp = varp = (char *)subpointer; + cp = varp = (unsigned char *)subpointer; valp = 0; while (!SB_EOF()) { switch (c = SB_GET()) { case ENV_VALUE: *cp = '\0'; - cp = valp = (char *)subpointer; + cp = valp = (unsigned char *)subpointer; break; case ENV_VAR: *cp = '\0'; - if (envvarok(varp)) { - if (valp) - (void)setenv(varp, valp, 1); - else - unsetenv(varp); + if (envvarok((char *)varp)) { + if (valp) { + (void)setenv((char *)varp, (char *)valp, 1); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=strdup((char *)valp); + } +#endif /* AUTHENTICATE */ + } + else { + unsetenv((char *)varp); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=NULL; + } +#endif /* AUTHENTICATE */ + } } - cp = varp = (char *)subpointer; + cp = varp = (unsigned char *)subpointer; valp = 0; break; 
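Review bot: `UserNameRequested=strdup((char *)valp)` does not check for a NULL return, and the same free-then-assign sequence is written four times across this hunk and the `@@ -1211` hunk; extract a small helper that frees the old value, handles a NULL argument, and checks `strdup`. `valp` is the client-supplied ENVIRON value — the code already gates it through `envvarok()`, but `UserNameRequested` is presumably consulted during certificate-based login (inferred from its name and the `AUTHENTICATE` guard, not visible here), so a comment at its `extern` declaration stating that it is untrusted input to be matched against the certificate mapping, never trusted on its own, belongs with this change. The enclosing `TELOPT_ENVIRON` case starts before this hunk.
```c
#ifdef AUTHENTICATE
/* Record the USER value the client offered via ENVIRON. It is untrusted
 * input: only the certificate mapping decides whether it may be used. */
static void set_requested_user(const char *val)
{
	free(UserNameRequested);
	UserNameRequested = val ? strdup(val) : NULL;
	if (val && !UserNameRequested)
		syslog(LOG_ERR, "set_requested_user: strdup: %m");
}
#endif /* AUTHENTICATE */
/* … unchanged: ENVIRON suboption parsing … */
			if (envvarok((char *)varp)) {
				if (valp)
					(void)setenv((char *)varp, (char *)valp, 1);
				else
					unsetenv((char *)varp);
#ifdef AUTHENTICATE
				if (strcmp((char *)varp, "USER") == 0)
					set_requested_user((char *)valp);
#endif /* AUTHENTICATE */
			}
```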
@@ -1211,11 +1228,27 @@ } } *cp = '\0'; - if (envvarok(varp)) { - if (valp) - (void)setenv(varp, valp, 1); - else - unsetenv(varp); + if (envvarok((char *)varp)) { + if (valp) { + (void)setenv((char *)varp, (char *)valp, 1); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=strdup((char *)valp); + } +#endif /* AUTHENTICATE */ + } + else { + unsetenv((char *)varp); +#ifdef AUTHENTICATE + if (strcmp((char *)varp,"USER") == 0) { + if (UserNameRequested) + free(UserNameRequested); + UserNameRequested=NULL; + } +#endif /* AUTHENTICATE */ + } } break; } /* end of case TELOPT_ENVIRON */ @@ -1367,7 +1400,7 @@ ADD(IAC); ADD(SE); - writenet(statusbuf, ncp - statusbuf); + writenet((char *)statusbuf, ncp - statusbuf); netflush(); /* Send it on its way */ DIAG(TD_OPTIONS, {printsub('>', statusbuf, ncp - statusbuf); netflush();}); diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/sys_term.c 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/sys_term.c 2010-05-11 13:44:40.106987377 +0200 @@ -35,7 +35,7 @@ * From: @(#)sys_term.c 5.16 (Berkeley) 3/22/91 */ char st_rcsid[] = - "$Id: sys_term.c,v 1.17 1999/12/17 14:28:47 dholland Exp $"; + "$Id: sys_term.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8 --- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.8 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.8 2010-05-11 13:44:40.106987377 +0200 @@ -30,7 +30,7 @@ .\" SUCH DAMAGE. .\" .\" from: @(#)telnetd.8 6.8 (Berkeley) 4/20/91 -.\" $Id: telnetd.8,v 1.18 2000/07/30 23:57:10 dholland Exp $ +.\" $Id: telnetd.8,v 1.5 2006-09-24 00:48:31 ianb Exp $ .\" .Dd December 29, 1996 .Dt TELNETD 8 
@@ -42,7 +42,7 @@ protocol server .Sh SYNOPSIS .Nm /usr/sbin/in.telnetd -.Op Fl hns +.Op Fl hnNs .Op Fl a Ar authmode .Op Fl D Ar debugmode .Op Fl L Ar loginprg @@ -50,6 +50,7 @@ .Op Fl X Ar authtype .Op Fl edebug .Op Fl debug Ar port +.Op Fl z Ar sslopt .Sh DESCRIPTION The .Nm telnetd @@ -175,6 +176,9 @@ if the client is still there, so that idle connections from machines that have crashed or can no longer be reached may be cleaned up. +.It Fl N +Disable reverse DNS lookups and use the numeric IP address in logs +and REMOTEHOST environment variable. .It Fl s This option is only enabled if .Nm telnetd @@ -219,12 +223,16 @@ only accepts connections from SSL enhanced telnet with option .Ic -z ssl .It Ic nossl, !ssl -switch of SSL negotiation +switch off SSL negotiation .It Ic certsok Look username up in /etc/ssl.users. The format of this file is lines of this form: .Ar user1,user2:/C=US/..... -where user1 and user2 are usernames. If client certificate is valid, +where user1 and user2 are usernames and /C=US/... is the subject name of +the certificate. Use +.Ar openssl x509 -subject -noout +to extract the subject name. +If client certificate is valid, authenticate without password. .It Ic certrequired client certificate is mandatory @@ -451,7 +459,6 @@ is compiled with support for data encryption, and indicates a willingness to decrypt the data stream. -.Xr issue.net 5 ) . .El .Sh FILES .Pa /etc/services , diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.c 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.c 2010-05-11 13:44:40.113654043 +0200 @@ -39,7 +39,7 @@ * From: @(#)telnetd.c 5.48 (Berkeley) 3/1/91 */ char telnetd_rcsid[] = - "$Id: telnetd.c,v 1.24 2000/04/12 21:36:12 dholland Exp $"; + "$Id: telnetd.c,v 1.7 2006-06-16 13:29:00 ianb Exp $"; #include "../version.h" 
@@ -90,6 +90,7 @@ int debug = 0; int keepalive = 1; +int numeric_hosts = 0; #ifdef LOGIN_WRAPPER char *loginprg = LOGIN_WRAPPER; #else @@ -222,13 +223,12 @@ * certificate that we will be running with as we cannot * be sure of the cwd when we are launched */ - sprintf(cert_filepath,"%s/%s",X509_get_default_cert_dir(), - "telnetd.pem"); + strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem"); ssl_cert_file=cert_filepath; ssl_key_file=NULL; #endif /* USE_SSL */ - while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:L:z:")) != EOF) { + while ((ch = getopt(argc, argv, "d:a:e:lhnNr:I:D:B:sS:a:X:L:z:")) != EOF) { switch(ch) { #ifdef USE_SSL @@ -389,6 +389,10 @@ keepalive = 0; break; + case 'N': + numeric_hosts = 1; + break; + #ifdef SecurID case 's': /* SecurID required */ @@ -427,7 +431,7 @@ #ifdef USE_SSL - if (ssl_secure_flag || ssl_cert_required) { + if (ssl_secure_flag || ssl_cert_required || ssl_certsok_flag) { /* in secure mode we *must* switch on the base level * verify checking otherwise we cannot abort connections * at the right place! @@ -520,9 +524,9 @@ sprintf(errbuf,"SSL_accept error %s\n", ERR_error_string(ERR_get_error(),NULL)); - syslog(LOG_WARNING, errbuf); + syslog(LOG_WARNING, "%s", errbuf); - BIO_printf(bio_err,errbuf); + BIO_printf(bio_err,"%s",errbuf); /* go to sleep to make sure we are noticed */ sleep(10); @@ -571,6 +575,11 @@ #ifdef AUTHENTICATE fprintf(stderr, " [-X auth-type]"); #endif +#ifdef USE_SSL + /* might as well output something useful here ... */ + fprintf(stderr, "\n\t [-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t"); + fprintf(stderr, " [-z cert=file] [-z key=file]\n\t"); +#endif /* USE_SSL */ fprintf(stderr, "\n"); exit(1); } 
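Review bot: `strcpy(cert_filepath, "/etc/telnetd-ssl/telnetd.pem")` writes into a buffer whose declaration is outside the hunk, so its size cannot be confirmed here; the `sprintf` it replaces had the same weakness, and since the line is being touched, `snprintf(cert_filepath, sizeof cert_filepath, "%s", TELNETD_CERT_FILE)` with the path as a `#define` (overridable from the Makefile, as `LOGIN_WRAPPER` already is) would bound the write and stop hard-coding the location. The `"%s"` additions to `syslog` and `BIO_printf` in the `@@ -520` hunk are correct, since `errbuf` carries `ERR_error_string` text that must not be parsed as a format. The enclosing `main` starts before the hunk.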
@@ -596,6 +605,18 @@ /* * Handle the Authentication option before we do anything else. */ + send_do(TELOPT_ENVIRON, 1); + while (his_will_wont_is_changing(TELOPT_ENVIRON)) { + ttloop(); + } + + if (his_state_is_will(TELOPT_ENVIRON)) { + netoprintf("%c%c%c%c%c%c", + IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE); + while (sequenceIs(environsubopt, baseline)) + ttloop(); + } + send_do(TELOPT_AUTHENTICATION, 1); while (his_will_wont_is_changing(TELOPT_AUTHENTICATION)) ttloop(); @@ -654,7 +675,6 @@ send_do(TELOPT_TTYPE, 1); send_do(TELOPT_TSPEED, 1); send_do(TELOPT_XDISPLOC, 1); - send_do(TELOPT_ENVIRON, 1); while ( #if defined(ENCRYPT) his_do_dont_is_changing(TELOPT_ENCRYPT) || @@ -698,10 +718,6 @@ while (sequenceIs(xdisplocsubopt, baseline)) ttloop(); } - if (his_state_is_will(TELOPT_ENVIRON)) { - while (sequenceIs(environsubopt, baseline)) - ttloop(); - } if (his_state_is_will(TELOPT_TTYPE)) { char first[256], last[256]; @@ -852,7 +868,7 @@ static void doit(struct sockaddr *who, socklen_t who_len) { - const char *host; + char *host; int level; char user_name[256]; int i; @@ -867,7 +883,8 @@ /* get name of connected client */ if (getnameinfo(who, who_len, remote_host_name, - sizeof(remote_host_name), 0, 0, 0)) { + sizeof(remote_host_name), 0, 0, + numeric_hosts ? NI_NUMERICHOST : 0)) { syslog(LOG_ERR, "doit: getnameinfo: %m"); *remote_host_name = 0; } diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h --- netkit-telnet-ssl-0.17.24+0.1/telnetd/telnetd.h 1999-03-27 08:46:21.000000000 +0100 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/telnetd.h 2010-05-11 13:44:40.113654043 +0200 
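Review bot: The comment `* Handle the Authentication option before we do anything else.` is now wrong: the inserted block negotiates TELOPT_ENVIRON and asks the peer to send its environment (`TELQUAL_SEND`) before `send_do(TELOPT_AUTHENTICATION, 1)` runs, and the original ENVIRON handling is deleted in the -654 and -698 hunks below. Environment values therefore now arrive from a not-yet-authenticated peer and sit in process state while authentication proceeds, so whatever filtering of variable names `environsubopt` applies (not in this diff) is the only control on that data. State the intent in the comment, e.g. `/* Collect the peer's environment first (presumably so USER/REMOTEHOST are available to the authenticators), then negotiate authentication. */`. The new `while (sequenceIs(environsubopt, baseline)) ttloop();` loop has no bound if the peer agrees to ENVIRON but never sends the suboption, which matches the pre-existing pattern for the other options.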
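Review bot: In the -867 hunk a failing `getnameinfo` still leaves `remote_host_name` empty, so when the reverse lookup fails (the common case on hostile or misconfigured networks, and the situation `-N` was added for) the log line and the REMOTEHOST variable carry no peer identity at all. Retry with `NI_NUMERICHOST` before giving up; and note that without `-N` the resolved name is data controlled by whoever runs the peer's reverse zone, so any forward-confirmation of it has to happen where the name is consumed, outside this hunk.
```c
		/* … unchanged: if (getnameinfo(who, who_len, remote_host_name, …, numeric_hosts ? NI_NUMERICHOST : 0)) { */
		syslog(LOG_ERR, "doit: getnameinfo: %m");
		/* fall back to the numeric form so logs and REMOTEHOST still name the peer */
		if (getnameinfo(who, who_len, remote_host_name,
				sizeof(remote_host_name), 0, 0, NI_NUMERICHOST))
			*remote_host_name = 0;
	}
```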
@@ -31,7 +31,7 @@ * SUCH DAMAGE. * * from: @(#)telnetd.h 5.3 (Berkeley) 3/1/91 - * $Id: telnetd.h,v 1.2 1999/03/27 07:46:21 dholland Exp $ + * $Id: telnetd.h,v 1.1 2004-10-14 13:19:53 ianb Exp $ */ diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/termstat.c 1999-12-12 15:59:45.000000000 +0100 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/termstat.c 2010-05-11 13:44:40.113654043 +0200 @@ -35,7 +35,7 @@ * From: @(#)termstat.c 5.10 (Berkeley) 3/22/91 */ char termstat_rcsid[] = - "$Id: termstat.c,v 1.6 1999/12/12 14:59:45 dholland Exp $"; + "$Id: termstat.c,v 1.1 2004-10-14 13:19:53 ianb Exp $"; #include "telnetd.h" diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c --- netkit-telnet-ssl-0.17.24+0.1/telnetd/utility.c 2004-05-27 11:47:27.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetd/utility.c 2010-05-11 13:45:21.990318196 +0200 @@ -35,7 +35,7 @@ * From: @(#)utility.c 5.8 (Berkeley) 3/22/91 */ char util_rcsid[] = - "$Id: utility.c,v 1.11 1999/12/12 14:59:45 dholland Exp $"; + "$Id: utility.c,v 1.8 2006-09-24 00:48:31 ianb Exp $"; #define PRINTOPTIONS @@ -49,6 +49,15 @@ #include "telnetd.h" +/* patched by fluke.l at gmail.com , im not sure it's gonna work or not */ +typedef struct { + int (*read) (void *, char *, int); + int (*write) (void *, char const *, int); + fpos_t (*seek) (void *, fpos_t, int); + int (*close) (void *); +} cookie_io_functions_t; +/* end patch */ + struct buflist { struct buflist *next; char *buf; @@ -86,6 +95,11 @@ DIAG(TD_REPORT, netoprintf("td: ttloop\r\n");); netflush(); +#ifdef USE_SSL + if (ssl_active_flag) + ncc = SSL_read(ssl_con, netibuf, sizeof netibuf); + else +#endif /* USE_SSL */ ncc = read(net, netibuf, sizeof(netibuf)); if (ncc < 0) { syslog(LOG_INFO, "ttloop: read: %m\n"); 
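Review bot: The `cookie_io_functions_t` typedef added in the utility.c -49 hunk duplicates a type glibc's `<stdio.h>` already provides under `_GNU_SOURCE`, and its members do not match the system one: glibc's `cookie_seek_function_t` is `int (void *, off64_t *, int)` and its read/write callbacks use `ssize_t`/`size_t`, while this struct declares `fpos_t (*seek)(void *, fpos_t, int)` and `int` lengths. If this struct is handed to `fopencookie()` (presumably how `netfile` is created; not in this diff), a seek or a large write through that FILE invokes the callback with the wrong signature. Remove the typedef, define `_GNU_SOURCE` before the first include and use the system type; the `/* patched by ... im not sure it's gonna work or not */` comment should not ship either.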
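Review bot: In the ttloop hunk at -86 a failed `SSL_read` is funnelled into the existing `if (ncc < 0) { syslog(LOG_INFO, "ttloop: read: %m\n");` path, but OpenSSL reports failure as a return `<= 0` and via `SSL_get_error()`, not `errno`, so a TLS error is logged with a stale `%m` and a return of 0 caused by a failed (rather than cleanly closed) connection is treated like EOF. Under `ssl_active_flag` test `ncc <= 0`, and log the TLS reason, e.g. `syslog(LOG_INFO, "ttloop: SSL_read: %d", SSL_get_error(ssl_con, ncc));`, keeping the EOF treatment only for `SSL_ERROR_ZERO_RETURN`. The rest of ttloop is outside this hunk, so how `ncc == 0` is handled there is inferred.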
@@ -216,7 +230,7 @@ } out: - return next ? next + (current - end) : current; + return (const char *) (next ? (next + (current - end)) : current ); } /* end of nextitem */ @@ -243,6 +257,29 @@ doclear--; } /* end of netclear */ +#ifdef USE_SSL +static int +SSL_writev(SSL *ssl_con,const struct iovec *vector,int num) +{ + const struct iovec *v = vector; + + int ret; + int len = 0; + + while (num > 0) { + ret = SSL_write(ssl_con, v->iov_base, v->iov_len); + if (ret < 0) + return ret; + if (ret != v->iov_len) + syslog(LOG_NOTICE, "SSL_writev: short write\n"); + num -= v->iov_len; + len += ret; + v++; + } + return len; +} +#endif /* USE_SSL */ + static void netwritebuf(void) { @@ -253,6 +290,9 @@ size_t len; int ltrailing = trailing; + if (!listlen) + return; + vector = malloc(listlen * sizeof(struct iovec)); if (!vector) { return; @@ -265,6 +305,11 @@ if (lp == urg) { len = v - vector; if (!len) { +#ifdef USE_SSL + if (ssl_active_flag) + n = SSL_write(ssl_con, lp->buf, 1); + else +#endif /* USE_SSL */ n = send(net, lp->buf, 1, MSG_OOB); if (n > 0) { urg = 0; @@ -282,15 +327,25 @@ vector->iov_base = (char *)vector->iov_base + skip; vector->iov_len -= skip; - n = writev(net, vector, len); + if(vector->iov_len == 0 ) { + n=0; + } else { + +#ifdef USE_SSL + if (ssl_active_flag) + n = SSL_writev(ssl_con, vector, len); /* normal write */ + else +#endif /* USE_SSL */ + n = writev(net, vector, len); epi: - free(vector); + free(vector); - if (n < 0) { + if (n < 0) { if (errno != EWOULDBLOCK && errno != EINTR) - cleanup(0); + cleanup(0); return; + } } len = n + skip; @@ -315,6 +370,10 @@ } } + if(ltrailing && (len==0)) { + ltrailing=trailing=0; + } + skip = len; } 
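Review bot: `num -= v->iov_len;` in the new `SSL_writev` decrements the iovec count by a byte count, so the loop stops after the first vector whenever that vector is at least `num` bytes long and the remaining vectors are not written; the caller sees a short write and retries, so data is delayed rather than lost, but only by accident. The short-write branch also moves on to the next vector after logging, which would send later bytes ahead of the unsent tail of the current one, and `if (ret < 0)` misses the `ret == 0` failure return of `SSL_write`. A version that counts vectors, stops at the first short or failed write and reports progress so far:
```c
static int
SSL_writev(SSL *ssl_con, const struct iovec *vector, int num)
{
	int len = 0;

	for (; num > 0; num--, vector++) {
		int ret;

		if (vector->iov_len == 0)
			continue;	/* zero-length SSL_write is not a well-defined no-op */
		ret = SSL_write(ssl_con, vector->iov_base, (int)vector->iov_len);
		if (ret <= 0)
			return len ? len : ret;	/* report progress; the error resurfaces on retry */
		len += ret;
		if ((size_t)ret != vector->iov_len) {
			syslog(LOG_NOTICE, "SSL_writev: short write\n");
			break;			/* caller re-sends the unsent tail in order */
		}
	}
	return len;
}
```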
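Review bot: The urgent-data path in the -265 hunk sends the byte with a plain `SSL_write`, which is the only option over TLS (a TLS record cannot carry TCP urgent data), but it silently changes the behaviour the surrounding `lp == urg` logic was written for: the peer never sees TCP URG, so telnet Synch handling depends on it finding the DM byte in the ordinary stream. Record that next to the call, e.g. `/* no OOB over TLS: the Synch byte goes in-band and the peer must locate DM itself */`, so a later reader does not assume urgent delivery still works in SSL mode. Where `urg` is set is outside this hunk.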
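Review bot: In the -282 hunk `free(vector)` now sits inside the `else` branch after the `epi:` label, so the new `if(vector->iov_len == 0 ) { n=0; }` branch never releases the `malloc`ed `vector` and leaks it on every flush whose first vector is empty after `skip`. Free it there too: `if (vector->iov_len == 0) { free(vector); n = 0; } else {`. Separately, after `SSL_writev` fails the retained `if (errno != EWOULDBLOCK && errno != EINTR) cleanup(0);` inspects an `errno` that OpenSSL does not reliably set, so a TLS write failure with a stale EWOULDBLOCK is silently retried; under `ssl_active_flag` decide with `SSL_get_error(ssl_con, n)` instead.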
@@ -323,16 +382,22 @@ * Send as much data as possible to the network, * handling requests for urgent data. */ -void +int netflush(void) { if (fflush(netfile)) { /* out of memory? */ cleanup(0); + return 0; } - if (listlen) { - netwritebuf(); - } + netwritebuf(); + return 1; +} + +int +writenet(char *b , int l) +{ + return(fwrite(b, 1, l, netfile)); } @@ -983,7 +1048,7 @@ ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? "MUTUAL" : "ONE-WAY"); - auth_printsub(&pointer[1], length - 1, buf, sizeof(buf)); + auth_printsub(&pointer[1], length - 1, (unsigned char *) buf, sizeof(buf)); netoprintf("%s", buf); break; @@ -1191,7 +1256,15 @@ size_t l; size_t m = tail->len; - p = nextitem(tail->buf, tail->buf + tail->len, buf, end); + if((tail->buf == NULL) || (tail->len==0)) + { + p = nextitem((unsigned char *) buf, (unsigned char *) end,0,0); + } + else + { + p = nextitem((unsigned char *) tail->buf, (unsigned char *) (tail->buf + tail->len), + (unsigned char *) buf, (unsigned char *) end); + } ltrailing = !p; if (ltrailing) { p = end; @@ -1245,7 +1318,7 @@ const char *p; size_t l; - p = nextitem(buf, end, 0, 0); + p = nextitem((unsigned char *) buf, (unsigned char *) end, 0, 0); ltrailing = !p; if (ltrailing) { p = end; diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile --- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/Makefile 2000-04-13 03:07:22.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/Makefile 2010-05-11 13:46:19.023660189 +0200 
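Review bot: `writenet(char *b , int l)` forwards `l` straight into `fwrite(b, 1, l, netfile)`, so a negative length converts to a huge `size_t`, and the `size_t` result is narrowed to `int` on return. Today's callers pass pointer differences and `sizeof` values, but the wrapper should still guard: `if (l < 0) return -1;` then `return (int) fwrite(b, 1, (size_t) l, netfile);`. Taking `const char *b` would also let callers pass const or unsigned-char buffers without casts, provided the external prototype is changed with it. In `netflush`, `return 0;` after `cleanup(0)` is reachable only if `cleanup` returns, which this hunk does not show.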
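Review bot: The four `(unsigned char *)` casts added in the -1191 hunk, and again in the -1245 hunk, paper over a prototype mismatch — `nextitem` evidently takes `unsigned char *` while its callers hold `char *`/`const char *` — and since `p` is declared `const char *` in the -1245 hunk, the cast on `end` plausibly discards a const as well. Fix the declaration once (e.g. `const unsigned char *` parameters for `nextitem`) instead of casting at every call site. The new `tail->buf == NULL || tail->len == 0` guard is a reasonable defensive check and is fine as written.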
@@ -11,7 +11,7 @@ $(OBJS): ../version.h install: telnetlogin - install -s -m4750 -oroot -gtelnetd telnetlogin $(INSTALLROOT)$(SBINDIR) + install -m$(BINMODE) telnetlogin $(INSTALLROOT)$(SBINDIR) install -m$(MANMODE) telnetlogin.8 $(INSTALLROOT)$(MANDIR)/man8 clean: diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8 --- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.8 2004-05-27 11:47:02.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.8 2010-05-11 13:44:40.123659071 +0200 @@ -28,7 +28,7 @@ .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF .\" SUCH DAMAGE. .\" -.\" $Id: telnetlogin.8,v 1.4 2000/07/30 23:57:10 dholland Exp $ +.\" $Id: telnetlogin.8,v 1.2 2004-11-07 15:47:43 ianb Exp $ .\" .Dd April 12, 2000 .Dt TELNETLOGIN 8 @@ -40,6 +40,7 @@ .Nm telnetlogin .Op Fl h Ar host .Op Fl p +.Op Fl f Ar username .Op Ar username .Sh DESCRIPTION .Nm telnetlogin @@ -79,11 +80,6 @@ .Xr inetd 8 , .Xr telnetd 8 .Sh RESTRICTIONS -.Nm telnetlogin -does not permit the -.Fl f -option to login, so will not -work with telnetds that perform authentication via Kerberos or SSL. .Pp THIS IS PRESENTLY EXPERIMENTAL CODE; USE WITH CAUTION. .Sh HISTORY diff -ur netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c --- netkit-telnet-ssl-0.17.24+0.1/telnetlogin/telnetlogin.c 2004-05-27 11:47:02.000000000 +0200 +++ netkit-telnet-ssl-0.17.24+0.1.orig/telnetlogin/telnetlogin.c 2010-05-11 13:44:40.123659071 +0200 @@ -35,7 +35,7 @@ "All rights reserved.\n"; char rcsid[] = - "$Id: telnetlogin.c,v 1.1 2000/04/13 01:07:22 dholland Exp $"; + "$Id: telnetlogin.c,v 1.2 2004-11-07 15:47:43 ianb Exp $"; #include "../version.h" #include 
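Review bot: Replacing `install -s -m4750 -oroot -gtelnetd telnetlogin` with `install -m$(BINMODE) telnetlogin` drops the setuid-root bit and the owner/group restriction that limited execution of telnetlogin to the telnetd group; since the same patch (telnetlogin.c hunk at -158) teaches telnetlogin to accept `-f username`, the mode and ownership of this binary are now the whole privilege boundary. If the intent is that packaging sets 4750 root:telnetd later (postinst or dh_fixperms), record it here, e.g. `# mode/owner are set by packaging: telnetlogin must be 4750 root:telnetd`; otherwise the documented model (unprivileged telnetd, telnetlogin restricted to its group) no longer holds, and a non-setuid telnetlogin cannot perform the root-only exec of login at all.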
@@ -76,7 +76,16 @@ int i=0; /* should we check length? */ for (i=0; hname[i]; i++) { - if (hname[i]<=32 && hname[i]>126) return -1; + if ((hname[i]<=32) || (hname[i]>126)) return -1; + } + return 0; +} + +static int check_username(char *username) { + int i; + if (strlen(username) > 32) return -1; + for (i=0; username[i]; i++) { + if ((username[i]<=32) || (username[i]>126)) return -1; } return 0; } @@ -158,6 +167,12 @@ if (argn < argc && !strcmp(argv[argn], "-p")) { argn++; } + if (argn < argc && !strcmp(argv[argn], "-f")) { + argn++; + if (argn==argc) die("Illegal args: -f requires argument"); + if (check_username(argv[argn])) die("Illegal remote username specified"); + argn++; + } if (argn < argc && argv[argn][0] != '-') { argn++; }
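Review bot: `check_username` accepts the empty string (`strlen("") > 32` is false and the loop body never runs), so `-f ""` passes validation and reaches login; tighten the first test to `if (!*username || strlen(username) > 32) return -1;`. The `&&`→`||` fix above it is correct — `hname[i]<=32 && hname[i]>126` could never be true, so hostnames were effectively unchecked — but the `/* should we check length? */` question beside it is still open for hostnames while usernames now get a 32-byte bound; apply the same bound there for consistency. The limits (32 bytes, printable ASCII `33..126`) should be stated in a one-line comment so the next reader does not have to infer them.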
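Review bot: The new `-f` branch makes telnetlogin, a setuid helper, pass a caller-chosen `-f username` to login, which asks login to skip password authentication; `check_username` constrains only the characters, not who may request it, so the trust boundary becomes the execute permission on telnetlogin, which the telnetlogin/Makefile hunk in this patch also changes. At minimum log each request (if syslog is available here), e.g. `syslog(LOG_AUTH|LOG_INFO, "telnetlogin: -f %s requested", argv[argn]);`, and consider refusing `-f` for uid 0 or making acceptance a compile-time option. The man page's former RESTRICTIONS note about -f is being deleted rather than replaced with a statement of the new trust model; that should be documented in telnetlogin.8 as well.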