From: Theodore Tso Date: Tue, 19 Mar 1996 02:38:56 +0000 (+0000) Subject: Makefile.in: Added flags to turn on the encryption option X-Git-Tag: krb5-1.0-beta6~340 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=12bf8c806285ed4a0689eb7cc3966896dc80568b;p=krb5.git Makefile.in: Added flags to turn on the encryption option authenc.c (telnet_spin): Implemented the telnet spin function, which works by calling the Scheduler with the tty_lockout flag set. main.c (main): If the -x option is given, set the autologin, wantencryption, and auth_enable_encrypt flag. They enable authentication, enforcement of the encryption option, and a flag to the auth layer to negotiate authentication with mandatory encryption option. telnet.c (telnet): If the wantencryption flag is set (because the user has given the -x option, then we enforce that encryption must be turned on. The user will not be able to type to the network stream until encryption is enabled, and if encryption is refused, the client will print an error message. (Scheduler): If the tty_lockout flag is set, then don't process keyboard read events. This prevents the user from typing over the network until encryption is enabled. utilities.c (printsub): Added print support for the authentication must-encrypt option. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7662 dc483132-0cff-0310-8789-dd5450dbe970 --- diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog index 314b22396..b467da049 100644 --- a/src/appl/telnet/telnet/ChangeLog +++ b/src/appl/telnet/telnet/ChangeLog @@ -1,3 +1,30 @@ +Mon Mar 18 20:31:44 1996 Theodore Y. Ts'o + + * Makefile.in: Added flags to turn on the encryption option. + + * authenc.c (telnet_spin): Implemented the telnet spin function, + which works by calling the Scheduler with the tty_lockout + flag set. + + * main.c (main): If the -x option is given, set the autologin, + wantencryption, and auth_enable_encrypt flag. They enable + authentication, enforcement of the encryption option, and + a flag to the auth layer to negotiate authentication with + mandatory encryption option. + + * telnet.c (telnet): If the wantencryption flag is set (because + the user has given the -x option, then we enforce that + encryption must be turned on. The user will not be able + to type to the network stream until encryption is enabled, + and if encryption is refused, the client will print an + error message. + (Scheduler): If the tty_lockout flag is set, then don't + process keyboard read events. This prevents the user from + typing over the network until encryption is enabled. + + * utilities.c (printsub): Added print support for the + authentication must-encrypt option. + Sun Feb 25 20:32:57 1996 Sam Hartman * configure.in: Check for arpa/nameser.h diff --git a/src/appl/telnet/telnet/Makefile.in b/src/appl/telnet/telnet/Makefile.in index 0180fe63b..8429c2229 100644 --- a/src/appl/telnet/telnet/Makefile.in +++ b/src/appl/telnet/telnet/Makefile.in @@ -20,7 +20,7 @@ # @(#)Makefile.generic 5.5 (Berkeley) 3/1/91 # -AUTH_DEF=-DAUTHENTICATION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN +AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN OTHERDEFS=-DLINEMODE -DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON LOCALINCLUDES=-I.. -I$(srcdir)/.. CFLAGS = $(CCOPTS) $(AUTH_DEF) $(OTHERDEFS) $(DEFS) $(LOCALINCLUDES) diff --git a/src/appl/telnet/telnet/authenc.c b/src/appl/telnet/telnet/authenc.c index 351b8f221..3f7691125 100644 --- a/src/appl/telnet/telnet/authenc.c +++ b/src/appl/telnet/telnet/authenc.c @@ -73,7 +73,13 @@ net_encrypt() int telnet_spin() { - return(-1); + extern int scheduler_lockout_tty; + + scheduler_lockout_tty = 1; + Scheduler(0); + scheduler_lockout_tty = 0; + + return 0; } char * diff --git a/src/appl/telnet/telnet/externs.h b/src/appl/telnet/telnet/externs.h index 3ebf1dd16..fae1d5d2e 100644 --- a/src/appl/telnet/telnet/externs.h +++ b/src/appl/telnet/telnet/externs.h @@ -137,6 +137,7 @@ extern int localchars, /* we recognize interrupt/quit */ donelclchars, /* the user has set "localchars" */ showoptions, + wantencryption, /* User has requested encryption */ net, /* Network file descriptor */ tin, /* Terminal input file descriptor */ tout, /* Terminal output file descriptor */ diff --git a/src/appl/telnet/telnet/main.c b/src/appl/telnet/telnet/main.c index 172a57919..89159e0fd 100644 --- a/src/appl/telnet/telnet/main.c +++ b/src/appl/telnet/telnet/main.c @@ -121,6 +121,9 @@ main(argc, argv) #ifdef FORWARD extern int forward_flags; #endif /* FORWARD */ +#ifdef ENCRYPTION + extern int auth_enable_encrypt; +#endif /* ENCRYPTION */ tninit(); /* Clear out things */ #if defined(CRAY) && !defined(__STDC__) @@ -279,6 +282,9 @@ main(argc, argv) #ifdef ENCRYPTION encrypt_auto(1); decrypt_auto(1); + wantencryption = 1; + autologin = 1; + auth_enable_encrypt = 1; #else fprintf(stderr, "%s: Warning: -x ignored, no ENCRYPT support.\n", diff --git a/src/appl/telnet/telnet/telnet.c b/src/appl/telnet/telnet/telnet.c index f7994fa98..9368f3652 100644 --- a/src/appl/telnet/telnet/telnet.c +++ b/src/appl/telnet/telnet/telnet.c @@ -92,6 +92,7 @@ int askedSGA = 0, /* We have talked about suppress go ahead */ #endif /* defined(TN3270) */ telnetport, + wantencryption = 0, SYNCHing, /* we are in TELNET SYNCH mode */ flushout, /* flush output */ autoflush = 0, /* flush output when interrupting? */ @@ -106,6 +107,8 @@ int char *prompt = 0; +int scheduler_lockout_tty = 0; + cc_t escape; cc_t rlogin; #ifdef KLUDGELINEMODE @@ -2203,6 +2206,10 @@ Scheduler(block) } #endif /* defined(TN3270) && defined(unix) */ + if (scheduler_lockout_tty) { + ttyin = ttyout = 0; + } + /* Call to system code to process rings */ returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block); @@ -2260,15 +2267,17 @@ telnet(user) } #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */ # if !defined(TN3270) - if (telnetport) { #if defined(AUTHENTICATION) - if (autologin) - send_will(TELOPT_AUTHENTICATION, 1); + if (autologin) + send_will(TELOPT_AUTHENTICATION, 1); #endif #ifdef ENCRYPTION + if (telnetport || wantencryption) { send_do(TELOPT_ENCRYPT, 1); send_will(TELOPT_ENCRYPT, 1); + } #endif /* ENCRYPTION */ + if (telnetport) { send_do(TELOPT_SGA, 1); send_will(TELOPT_TTYPE, 1); send_will(TELOPT_NAWS, 1); @@ -2284,6 +2293,46 @@ telnet(user) } # endif /* !defined(TN3270) */ +#ifdef ENCRYPTION + /* + * Note: we assume a tie to the authentication option here. This + * is necessary so that authentication fails, we don't spin + * forever. + */ + if (wantencryption) { + extern int auth_has_failed; + time_t timeout = time(0) + 60; + + send_do(TELOPT_ENCRYPT, 1); + send_will(TELOPT_ENCRYPT, 1); + while (1) { + if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) { + printf("Server refused to negotiation authentication, which is required\n"); + printf("for encryption. Good bye.\n\r"); + Exit(1); + } + if (auth_has_failed) { + printf("Authentication negotation has failed, which is required for\n"); + printf("encryption. Good bye.\n\r"); + Exit(1); + } + if (my_want_state_is_dont(TELOPT_ENCRYPT) || + my_want_state_is_wont(TELOPT_ENCRYPT)) { + printf("Server refused to negotiate encryption. Good bye.\n\r"); + Exit(1); + } + if (encrypt_is_encrypting()) + break; + if (time(0) > timeout) { + printf("Encryption could not be enabled. Goodbye.\n\r"); + Exit(1); + } + telnet_spin(); + } + } +#endif + + # if !defined(TN3270) for (;;) { int schedValue; diff --git a/src/appl/telnet/telnet/utilities.c b/src/appl/telnet/telnet/utilities.c index 2e973e031..19f503bd4 100644 --- a/src/appl/telnet/telnet/utilities.c +++ b/src/appl/telnet/telnet/utilities.c @@ -436,12 +436,13 @@ printsub(direction, pointer, length) fprintf(NetTrace, "(partial suboption??\?)"); break; } - fprintf(NetTrace, "%s|%s", + fprintf(NetTrace, "%s|%s%s", ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ? "CLIENT" : "SERVER", ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? - "MUTUAL" : "ONE-WAY"); - + "MUTUAL" : "ONE-WAY", + ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ? + "|ENCRYPT" : ""); auth_printsub(&pointer[1], length - 1, buf, sizeof(buf)); fprintf(NetTrace, "%s", buf); break; @@ -458,11 +459,13 @@ printsub(direction, pointer, length) fprintf(NetTrace, "(partial suboption??\?)"); break; } - fprintf(NetTrace, "%s|%s ", + fprintf(NetTrace, "%s|%s%s ", ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ? "CLIENT" : "SERVER", ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ? - "MUTUAL" : "ONE-WAY"); + "MUTUAL" : "ONE-WAY", + ((pointer[i] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ? + "|ENCRYPT" : ""); ++i; } break;