Makefile.in: Added flags which turn on the encryption option
authorTheodore Tso <tytso@mit.edu>
Tue, 19 Mar 1996 02:39:45 +0000 (02:39 +0000)
committerTheodore Tso <tytso@mit.edu>
Tue, 19 Mar 1996 02:39:45 +0000 (02:39 +0000)
telnetd.c (getterminaltype): If the authentication option which was
negotiated requires that encryption be turned on, then enforce this
here.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7663 dc483132-0cff-0310-8789-dd5450dbe970

src/appl/telnet/telnetd/ChangeLog
src/appl/telnet/telnetd/Makefile.in
src/appl/telnet/telnetd/telnetd.c

index f15d82bad426c397109e4f8f99611a4f48e9e395..1b4cd3fa39eb881775c05cc0de31b7da906c3d4c 100644 (file)
@@ -1,3 +1,11 @@
+Mon Mar 18 20:29:05 1996  Theodore Y. Ts'o  <tytso@dcl>
+
+       * Makefile.in: Added flags which turn on the encryption option.
+
+       * telnetd.c (getterminaltype): If the authentication option which
+               was negotiated requires that encryption be turned on, then
+               enforce this here.
+
 Mon Feb 26 03:33:48 1996  Sam Hartman  <hartmans@tertius.mit.edu>
 
        * configure.in: Call USE_ANAME
index 533633ba32d4a56810829b721ff201e63b6607c4..a0421779f21f64ca01568b4cf6a49c6e5dfb5181 100644 (file)
@@ -22,7 +22,7 @@
 
 LOCAL_LIBRARIES=-lpty
 DEPLOCAL_LIBRARIES=$(TOPLIBD)/../util/pty/libpty.a
-AUTH_DEF=-DAUTHENTICATION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
 OTHERDEFS=-DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
 LOCALINCLUDES=-I.. -I$(srcdir)/..
 CFLAGS = $(CCOPTS) $(AUTH_DEF) $(OTHERDEFS) $(DEFS) $(LOCALINCLUDES)
index aa8ad81011e0b6a5d55ae33db0acb77590d4d554..029add63b838aa523f5bb20f053aa3907f11f03b 100644 (file)
@@ -51,6 +51,10 @@ static char copyright[] =
 # undef _SC_CRAY_SECURE_SYS
 #endif
 
+#include <stdio.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <netdb.h>
 #include <libpty.h>
 #include <com_err.h>
 #if    defined(_SC_CRAY_SECURE_SYS)
@@ -77,11 +81,16 @@ struct      socket_security ss;
 
 #if    defined(AUTHENTICATION)
 #include <libtelnet/auth.h>
+#include <libtelnet/auth-proto.h>
 int    auth_level = 0;
 #endif
 #if    defined(SecurID)
 int    require_SecurID = 0;
 #endif
+#ifdef ENCRYPTION
+#include <libtelnet/encrypt.h>
+#include <libtelnet/enc-proto.h>
+#endif
 
 extern int utmp_len;
 int    registerd_host_only = 0;
@@ -98,6 +107,8 @@ int  registerd_host_only = 0;
 # include <sys/ptyvar.h>
 #endif
 
+void doit P((struct sockaddr_in *));
+
 /*
  * Because of the way ptyibuf is used with streams messages, we need
  * ptyibuf+1 to be on a full-word boundary.  The following wierdness
@@ -428,7 +439,7 @@ main(argc, argv)
                usage();
                /* NOT REACHED */
            } else if (argc == 1) {
-                   if (sp = getservbyname(*argv, "tcp")) {
+                   if ((sp = getservbyname(*argv, "tcp"))) {
                        sin.sin_port = sp->s_port;
                    } else {
                        sin.sin_port = atoi(*argv);
@@ -569,7 +580,9 @@ main(argc, argv)
 #endif /* defined(IPPROTO_IP) && defined(IP_TOS) */
        net = 0;
        doit(&from);
+       
        /* NOTREACHED */
+       return 0;
 }  /* end of main */
 
        void
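Review bot: The blank line added right after `doit(&from);` is not empty but carries trailing whitespace, and the same applies to the blank line inside the new `auth_must_encrypt()` block in the getterminaltype hunk further down; both should be plain empty lines. The `return 0;` placed after `/* NOTREACHED */` is there for compilers that cannot see that doit() never returns, which is worth saying, e.g. `return 0;	/* not reached; keeps compilers quiet about main() falling off the end */`. main()'s body begins outside the hunk.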
@@ -618,6 +631,16 @@ usage()
        exit(1);
 }
 
+static void encrypt_failure()
+{
+    char *error_message =
+       "Encryption was not successfully negotiated.  Goodbye.\r\n\r\n";
+
+    writenet(error_message, strlen(error_message));
+    netflush();
+    exit(1);
+}
+
 /*
  * getterminaltype
  *
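Review bot: encrypt_failure() calls strlen(), but the include hunk at the top of the file adds <stdio.h>, <unistd.h>, <stdlib.h> and <netdb.h> and not <string.h>; unless another header already provides the prototype, strlen() is implicitly declared in this pre-C99 build and its return type is taken as int. The new function has no header comment; a line such as `/* Abort the session when the negotiated authentication demands encryption that could not be established: notify the peer, flush, exit. */` above it would also document that it never returns. Declaring the message as `static const char error_message[] = "Encryption was not successfully negotiated.  Goodbye.\r\n\r\n";` instead of a non-const `char *` into a string literal avoids a writable view of read-only data.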
@@ -660,6 +683,7 @@ getterminaltype(name)
     while (
 #ifdef ENCRYPTION
           his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+          his_will_wont_is_changing(TELOPT_ENCRYPT) ||
 #endif /* ENCRYPTION */
           his_will_wont_is_changing(TELOPT_TTYPE) ||
           his_will_wont_is_changing(TELOPT_TSPEED) ||
@@ -676,6 +700,22 @@ getterminaltype(name)
     if (his_state_is_will(TELOPT_ENCRYPT)) {
        encrypt_wait();
     }
+    if (auth_must_encrypt()) {
+       time_t timeout = time(0) + 60;
+       
+       if (my_state_is_dont(TELOPT_ENCRYPT) ||
+           my_state_is_wont(TELOPT_ENCRYPT))
+           encrypt_failure();
+
+       if (!EncryptStartInput() || !EncryptStartOutput())
+           encrypt_failure();
+
+       while (!encrypt_is_encrypting()) {
+           if (time(0) > timeout)
+               encrypt_failure();
+           ttloop();
+       }
+    }
 #endif /* ENCRYPTION */
     if (his_state_is_will(TELOPT_TSPEED)) {
        static unsigned char sb[] =
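Review bot: The 60-second deadline set by `time_t timeout = time(0) + 60;` is only checked between ttloop() calls, so if ttloop() blocks waiting for network input (its definition is outside this hunk, so confirm) a peer that goes silent after authentication can hold the not-yet-encrypted session open indefinitely rather than being cut off after a minute. A wall-clock mechanism such as an alarm()-driven abort would make the deadline effective there; at minimum give the value a name, `#define ENCRYPT_NEGOTIATION_TIMEOUT 60` next to the other defines and `time_t timeout = time(0) + ENCRYPT_NEGOTIATION_TIMEOUT;` here. The guard before EncryptStartInput()/EncryptStartOutput() inspects only the local side's option state; when the peer answered WONT ENCRYPT the rejection depends on those start calls failing, so adding `his_state_is_wont(TELOPT_ENCRYPT) ||` to that condition fails closed explicitly. time() and time_t need <time.h>, which the include hunk near the top of the file does not add; it may already arrive via another header. getterminaltype() both starts and ends outside this hunk.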
@@ -828,7 +868,7 @@ extern void telnet P((int, int, char *));
 /*
  * Get a pty, scan input lines.
  */
-doit(who)
+void doit(who)
        struct sockaddr_in *who;
 {
        char *host, *inet_ntoa();