Makefile.in: Added flags to turn on the encryption option
authorTheodore Tso <tytso@mit.edu>
Tue, 19 Mar 1996 02:38:56 +0000 (02:38 +0000)
committerTheodore Tso <tytso@mit.edu>
Tue, 19 Mar 1996 02:38:56 +0000 (02:38 +0000)
authenc.c (telnet_spin): Implemented the telnet spin function, which
works by calling the Scheduler with the tty_lockout flag set.

main.c (main): If the -x option is given, set the autologin,
wantencryption, and auth_enable_encrypt flag.  They enable
authentication, enforcement of the encryption option, and a flag to
the auth layer to negotiate authentication with mandatory encryption
option.

telnet.c (telnet): If the wantencryption flag is set (because the user
has given the -x option), then we enforce that encryption must be
turned on.  The user will not be able to type to the network stream
until encryption is enabled, and if encryption is refused, the client
will print an error message.
(Scheduler): If the tty_lockout flag is set, then don't process
keyboard read events.  This prevents the user from typing over the
network until encryption is enabled.

utilities.c (printsub): Added print support for the authentication
must-encrypt option.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7662 dc483132-0cff-0310-8789-dd5450dbe970

src/appl/telnet/telnet/ChangeLog
src/appl/telnet/telnet/Makefile.in
src/appl/telnet/telnet/authenc.c
src/appl/telnet/telnet/externs.h
src/appl/telnet/telnet/main.c
src/appl/telnet/telnet/telnet.c
src/appl/telnet/telnet/utilities.c

index 314b22396885ccbd1e5af5452333f16a108c4ce1..b467da049ed4ca56ec67641c6d0353fe84220b39 100644 (file)
@@ -1,3 +1,30 @@
+Mon Mar 18 20:31:44 1996  Theodore Y. Ts'o  <tytso@dcl>
+
+       * Makefile.in: Added flags to turn on the encryption option.
+
+       * authenc.c (telnet_spin): Implemented the telnet spin function,
+               which works by calling the Scheduler with the tty_lockout
+               flag set.
+
+       * main.c (main): If the -x option is given, set the autologin,
+               wantencryption, and auth_enable_encrypt flag.  They enable
+               authentication, enforcement of the encryption option, and
+               a flag to the auth layer to negotiate authentication with
+               mandatory encryption option.
+
+       * telnet.c (telnet): If the wantencryption flag is set (because
+               the user has given the -x option, then we enforce that
+               encryption must be turned on.  The user will not be able
+               to type to the network stream until encryption is enabled,
+               and if encryption is refused, the client will print an
+               error message.
+               (Scheduler): If the tty_lockout flag is set, then don't
+               process keyboard read events.  This prevents the user from
+               typing over the network until encryption is enabled.
+
+       * utilities.c (printsub): Added print support for the
+               authentication must-encrypt option.
+
 Sun Feb 25 20:32:57 1996  Sam Hartman  <hartmans@tertius.mit.edu>
 
        * configure.in: Check for arpa/nameser.h
index 0180fe63bb791e26dc8ba3baad9ee3f7d8171e1c..8429c222962d84c873172419d483a8a313ccffbd 100644 (file)
@@ -20,7 +20,7 @@
 #      @(#)Makefile.generic    5.5 (Berkeley) 3/1/91
 #
 
-AUTH_DEF=-DAUTHENTICATION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
 OTHERDEFS=-DLINEMODE -DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
 LOCALINCLUDES=-I.. -I$(srcdir)/..
 CFLAGS = $(CCOPTS) $(AUTH_DEF) $(OTHERDEFS) $(DEFS) $(LOCALINCLUDES)
index 351b8f2218819eb40c83b7a4d0c08032d6022218..3f76911250e795f89a897d2c48c779b9bfa1f402 100644 (file)
@@ -73,7 +73,13 @@ net_encrypt()
        int
 telnet_spin()
 {
-       return(-1);
+    extern int scheduler_lockout_tty;
+
+    scheduler_lockout_tty = 1;
+    Scheduler(0);
+    scheduler_lockout_tty = 0;
+    
+    return 0;
 }
 
        char *
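Review bot: telnet_spin throws away whatever Scheduler(0) returns, so a caller polling it (the -x wait loop in telnet.c) cannot learn that the scheduler hit an error or that the peer went away and keeps spinning until its own timeout expires; Scheduler appears to hand back the process_rings status (returnValue in the telnet.c hunk), so pass it through with `int rc;` … `rc = Scheduler(0);` … `return rc;` and let the caller treat a negative result as fatal. The `extern int scheduler_lockout_tty;` inside the function body is the only declaration of that new global, while this same commit adds wantencryption to externs.h; the block-scope `extern int auth_has_failed;` in telnet.c has the same shape, and declaring both in externs.h would keep the new globals consistent. The added lines are indented with four spaces and the blank line before `return 0;` carries trailing whitespace, whereas the removed `return(-1);` and the rest of the file use tabs. The enclosing function is complete within the hunk.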
index 3ebf1dd160d470920266829df036e1fb9fc1dc25..fae1d5d2e69c4079083c6d8266b186d58a0a342a 100644 (file)
@@ -137,6 +137,7 @@ extern int
     localchars,                /* we recognize interrupt/quit */
     donelclchars,              /* the user has set "localchars" */
     showoptions,
+    wantencryption,    /* User has requested encryption */
     net,               /* Network file descriptor */
     tin,               /* Terminal input file descriptor */
     tout,              /* Terminal output file descriptor */
index 172a579199a449a1daeb4be030a919e8ff5318ff..89159e0fd43f94d7e267da2b78a576b37f945821 100644 (file)
@@ -121,6 +121,9 @@ main(argc, argv)
 #ifdef FORWARD
        extern int forward_flags;
 #endif /* FORWARD */
+#ifdef ENCRYPTION
+       extern int auth_enable_encrypt;
+#endif /* ENCRYPTION */
 
        tninit();               /* Clear out things */
 #if    defined(CRAY) && !defined(__STDC__)
@@ -279,6 +282,9 @@ main(argc, argv)
 #ifdef ENCRYPTION
                        encrypt_auto(1);
                        decrypt_auto(1);
+                       wantencryption = 1;
+                       autologin = 1;
+                       auth_enable_encrypt = 1;
 #else
                        fprintf(stderr,
                            "%s: Warning: -x ignored, no ENCRYPT support.\n",
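Review bot: Both hunks reference auth_enable_encrypt under `#ifdef ENCRYPTION` alone, but the commit message describes it as a flag consumed by the authentication layer, so a build with ENCRYPTION defined and AUTHENTICATION undefined would presumably fail to link; guarding the declaration and the assignment with `#if defined(AUTHENTICATION) && defined(ENCRYPTION)` makes the dependency explicit and matches the combined guards already used in telnet.c. The second hunk also makes -x imply `autologin = 1`, which silently turns on automatic authentication as a side effect of asking for encryption; that coupling should be stated wherever the -x option is documented. In the unchanged `#else` branch a build without ENCRYPTION still only prints the warning and proceeds in the clear, even though -x now means encryption is mandatory; exiting after the warning would match the fail-closed behaviour the telnet.c wait loop adopts, if that is the intended contract. main's body continues outside the hunk.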
index f7994fa98019a9d850073142847facd6bb1b6269..9368f3652f3abfc1294abed0f7ba35c50f9a89b8 100644 (file)
@@ -92,6 +92,7 @@ int
        askedSGA = 0,   /* We have talked about suppress go ahead */
 #endif /* defined(TN3270) */
        telnetport,
+        wantencryption = 0,
        SYNCHing,       /* we are in TELNET SYNCH mode */
        flushout,       /* flush output */
        autoflush = 0,  /* flush output when interrupting? */
@@ -106,6 +107,8 @@ int
 
 char *prompt = 0;
 
+int scheduler_lockout_tty = 0;
+
 cc_t escape;
 cc_t rlogin;
 #ifdef KLUDGELINEMODE
@@ -2203,6 +2206,10 @@ Scheduler(block)
     }
 #endif /* defined(TN3270) && defined(unix) */
 
+    if (scheduler_lockout_tty) {
+       ttyin = ttyout = 0;
+    }
+
     /* Call to system code to process rings */
 
     returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
@@ -2260,15 +2267,17 @@ telnet(user)
     }
 #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION)  */
 #   if !defined(TN3270)
-    if (telnetport) {
 #if    defined(AUTHENTICATION)
-       if (autologin)
-               send_will(TELOPT_AUTHENTICATION, 1);
+    if (autologin)
+       send_will(TELOPT_AUTHENTICATION, 1);
 #endif
 #ifdef ENCRYPTION
+    if (telnetport || wantencryption) {
        send_do(TELOPT_ENCRYPT, 1);
        send_will(TELOPT_ENCRYPT, 1);
+    }
 #endif /* ENCRYPTION */
+    if (telnetport) {
        send_do(TELOPT_SGA, 1);
        send_will(TELOPT_TTYPE, 1);
        send_will(TELOPT_NAWS, 1);
@@ -2284,6 +2293,46 @@ telnet(user)
     }
 #   endif /* !defined(TN3270) */
 
+#ifdef ENCRYPTION
+    /*
+     * Note: we assume a tie to the authentication option here.  This
+     * is necessary so that authentication fails, we don't spin
+     * forever. 
+     */
+    if (wantencryption) {
+       extern int auth_has_failed;
+       time_t timeout = time(0) + 60;
+
+       send_do(TELOPT_ENCRYPT, 1);
+       send_will(TELOPT_ENCRYPT, 1);
+       while (1) {
+           if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) {
+               printf("Server refused to negotiation authentication, which is required\n");
+               printf("for encryption.  Good bye.\n\r");
+               Exit(1);
+           }
+           if (auth_has_failed) {
+               printf("Authentication negotation has failed, which is required for\n");
+               printf("encryption.  Good bye.\n\r");
+               Exit(1);
+           }
+           if (my_want_state_is_dont(TELOPT_ENCRYPT) ||
+               my_want_state_is_wont(TELOPT_ENCRYPT)) {
+               printf("Server refused to negotiate encryption.  Good bye.\n\r");
+               Exit(1);
+           }
+           if (encrypt_is_encrypting())
+               break;
+           if (time(0) > timeout) {
+               printf("Encryption could not be enabled.  Goodbye.\n\r");
+               Exit(1);
+           }
+           telnet_spin();
+       }
+    }
+#endif
+
+
 #   if !defined(TN3270)
     for (;;) {
        int schedValue;
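Review bot: The -x wait loop in the last hunk releases the terminal as soon as encrypt_is_encrypting() returns true; if that predicate reports only the outbound direction, as its name suggests, the user is unlocked while server-to-client data may still arrive in the clear, so the exit condition should also require whatever inbound decryption state the encrypt layer exposes (none is visible in the hunk), and the 60 in `time_t timeout = time(0) + 60;` deserves a named constant. The user-facing refusal messages contain typos that will show on every failure: `Server refused to negotiate authentication, which is required` and `Authentication negotiation has failed, which is required for`, and the line endings alternate between `\n` and `\n\r` inside one message. The comment introducing the block is missing a word; suggest `This is necessary so that if authentication fails, we don't spin forever.`. The two blank lines left before `#   if !defined(TN3270)` are a whitespace nit, and telnet()'s body continues outside the hunk.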
index 2e973e03110adc79ca262e8dcfee30a10036949a..19f503bd44146a58b085f3056116f93cdc429467 100644 (file)
@@ -436,12 +436,13 @@ printsub(direction, pointer, length)
                    fprintf(NetTrace, "(partial suboption??\?)");
                    break;
                }
-               fprintf(NetTrace, "%s|%s",
+               fprintf(NetTrace, "%s|%s%s",
                        ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
                        "CLIENT" : "SERVER",
                        ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
-                       "MUTUAL" : "ONE-WAY");
-
+                       "MUTUAL" : "ONE-WAY",
+                       ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+                       "|ENCRYPT" : "");
                auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
                fprintf(NetTrace, "%s", buf);
                break;
@@ -458,11 +459,13 @@ printsub(direction, pointer, length)
                        fprintf(NetTrace, "(partial suboption??\?)");
                        break;
                    }
-                   fprintf(NetTrace, "%s|%s ",
+                   fprintf(NetTrace, "%s|%s%s ",
                        ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
                                                        "CLIENT" : "SERVER",
                        ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
-                                                       "MUTUAL" : "ONE-WAY");
+                                                       "MUTUAL" : "ONE-WAY",
+                       ((pointer[i] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+                                                       "|ENCRYPT" : "");
                    ++i;
                }
                break;