From 12bf8c806285ed4a0689eb7cc3966896dc80568b Mon Sep 17 00:00:00 2001
From: Theodore Tso
Date: Tue, 19 Mar 1996 02:38:56 +0000
Subject: [PATCH] Makefile.in: Added flags to turn on the encryption option authenc.c (telnet_spin): Implemented the telnet spin function, which works by calling the Scheduler with the tty_lockout flag set. main.c (main): If the -x option is given, set the autologin, wantencryption, and auth_enable_encrypt flag. They enable authentication, enforcement of the encryption option, and a flag to the auth layer to negotiate authentication with mandatory encryption option. telnet.c (telnet): If the wantencryption flag is set (because the user has given the -x option, then we enforce that encryption must be turned on. The user will not be able to type to the network stream until encryption is enabled, and if encryption is refused, the client will print an error message. (Scheduler): If the tty_lockout flag is set, then don't process keyboard read events. This prevents the user from typing over the network until encryption is enabled. utilities.c (printsub): Added print support for the authentication must-encrypt option. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@7662 dc483132-0cff-0310-8789-dd5450dbe970
---
 src/appl/telnet/telnet/ChangeLog | 27 +++++++++++++++
 src/appl/telnet/telnet/Makefile.in | 2 +-
 src/appl/telnet/telnet/authenc.c | 8 ++++-
 src/appl/telnet/telnet/externs.h | 1 +
 src/appl/telnet/telnet/main.c | 6 ++++
 src/appl/telnet/telnet/telnet.c | 55 ++++++++++++++++++++++++++++--
 src/appl/telnet/telnet/utilities.c | 13 ++++---
 7 files changed, 102 insertions(+), 10 deletions(-)
diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog
index 314b22396..b467da049 100644
--- a/src/appl/telnet/telnet/ChangeLog
+++ b/src/appl/telnet/telnet/ChangeLog
@@ -1,3 +1,30 @@
+Mon Mar 18 20:31:44 1996 Theodore Y. Ts'o
+
+ * Makefile.in: Added flags to turn on the encryption option.
+
+ * authenc.c (telnet_spin): Implemented the telnet spin function,
+ which works by calling the Scheduler with the tty_lockout
+ flag set.
+
+ * main.c (main): If the -x option is given, set the autologin,
+ wantencryption, and auth_enable_encrypt flag. They enable
+ authentication, enforcement of the encryption option, and
+ a flag to the auth layer to negotiate authentication with
+ mandatory encryption option.
+
+ * telnet.c (telnet): If the wantencryption flag is set (because
+ the user has given the -x option, then we enforce that
+ encryption must be turned on. The user will not be able
+ to type to the network stream until encryption is enabled,
+ and if encryption is refused, the client will print an
+ error message.
+ (Scheduler): If the tty_lockout flag is set, then don't
+ process keyboard read events. This prevents the user from
+ typing over the network until encryption is enabled.
+
+ * utilities.c (printsub): Added print support for the
+ authentication must-encrypt option.
+
 Sun Feb 25 20:32:57 1996 Sam Hartman
 * configure.in: Check for arpa/nameser.h
diff --git a/src/appl/telnet/telnet/Makefile.in b/src/appl/telnet/telnet/Makefile.in
index 0180fe63b..8429c2229 100644
--- a/src/appl/telnet/telnet/Makefile.in
+++ b/src/appl/telnet/telnet/Makefile.in
@@ -20,7 +20,7 @@
 # @(#)Makefile.generic 5.5 (Berkeley) 3/1/91
 #
-AUTH_DEF=-DAUTHENTICATION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
+AUTH_DEF=-DAUTHENTICATION -DENCRYPTION -DKRB5 -DFORWARD -UNO_LOGIN_F -DLOGIN_CAP_F -DLOGIN_PROGRAM=KRB5_PATH_LOGIN
 OTHERDEFS=-DLINEMODE -DKLUDGELINEMODE -DDIAGNOSTICS -DENV_HACK -DOLD_ENVIRON
 LOCALINCLUDES=-I.. -I$(srcdir)/..
 CFLAGS = $(CCOPTS) $(AUTH_DEF) $(OTHERDEFS) $(DEFS) $(LOCALINCLUDES)
diff --git a/src/appl/telnet/telnet/authenc.c b/src/appl/telnet/telnet/authenc.c
index 351b8f221..3f7691125 100644
--- a/src/appl/telnet/telnet/authenc.c
+++ b/src/appl/telnet/telnet/authenc.c
@@ -73,7 +73,13 @@ net_encrypt()
 int
 telnet_spin()
 {
- return(-1);
+ extern int scheduler_lockout_tty;
+
+ scheduler_lockout_tty = 1;
+ Scheduler(0);
+ scheduler_lockout_tty = 0;
+
+ return 0;
 }
 char *
diff --git a/src/appl/telnet/telnet/externs.h b/src/appl/telnet/telnet/externs.h
index 3ebf1dd16..fae1d5d2e 100644
--- a/src/appl/telnet/telnet/externs.h
+++ b/src/appl/telnet/telnet/externs.h
@@ -137,6 +137,7 @@ extern int
 localchars, /* we recognize interrupt/quit */
 donelclchars, /* the user has set "localchars" */
 showoptions,
+ wantencryption, /* User has requested encryption */
 net, /* Network file descriptor */
 tin, /* Terminal input file descriptor */
 tout, /* Terminal output file descriptor */
diff --git a/src/appl/telnet/telnet/main.c b/src/appl/telnet/telnet/main.c
index 172a57919..89159e0fd 100644
--- a/src/appl/telnet/telnet/main.c
+++ b/src/appl/telnet/telnet/main.c
@@ -121,6 +121,9 @@ main(argc, argv)
 #ifdef FORWARD
 extern int forward_flags;
 #endif /* FORWARD */
+#ifdef ENCRYPTION
+ extern int auth_enable_encrypt;
+#endif /* ENCRYPTION */
 tninit(); /* Clear out things */
 #if defined(CRAY) && !defined(__STDC__)
@@ -279,6 +282,9 @@ main(argc, argv)
 #ifdef ENCRYPTION
 encrypt_auto(1);
 decrypt_auto(1);
+ wantencryption = 1;
+ autologin = 1;
+ auth_enable_encrypt = 1;
 #else
 fprintf(stderr,
 "%s: Warning: -x ignored, no ENCRYPT support.\n",
diff --git a/src/appl/telnet/telnet/telnet.c b/src/appl/telnet/telnet/telnet.c
index f7994fa98..9368f3652 100644
--- a/src/appl/telnet/telnet/telnet.c
+++ b/src/appl/telnet/telnet/telnet.c
@@ -92,6 +92,7 @@ int
 askedSGA = 0, /* We have talked about suppress go ahead */
 #endif /* defined(TN3270) */
 telnetport,
+ wantencryption = 0,
 SYNCHing, /* we are in TELNET SYNCH mode */
 flushout, /* flush output */
 autoflush = 0, /* flush output when interrupting? */
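Review bot: telnet_spin() discards Scheduler's return value, so a connection that closes while telnet() waits for encryption is never reported to the caller, and the new wait loop in telnet.c (the @@ -2284 hunk) keeps calling telnet_spin() against a dead socket until its 60-second deadline. If Scheduler's negative return means the connection is gone, as its use in telnet()'s main loop suggests, propagate it: `int rc = Scheduler(0);` before clearing the flag and `return rc < 0 ? -1 : 0;`, and have the wait loop leave on a non-zero result. Saving and restoring the previous flag value instead of hard-coding 0 would also keep the function safe if it is ever entered while the lockout is already on. The other callers of telnet_spin() are outside this patch, so whether they already treat non-zero as failure needs confirming.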
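Review bot: The new `extern int auth_enable_encrypt;` is declared inside main() rather than in a shared header, and the same pattern is used for scheduler_lockout_tty in authenc.c's telnet_spin() and auth_has_failed in telnet()'s new wait loop, while wantencryption does go into externs.h in this same patch. Block-local extern declarations are never checked against the definition, so a later type change on either side compiles silently; placing all three alongside wantencryption in externs.h (or the auth layer's header for auth_enable_encrypt) keeps one declaration per symbol. main()'s body continues outside the hunk.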
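Review bot: `autologin = 1;` under -x turns on the -a behaviour as a side effect, and nothing at the assignment says why encryption depends on it; a short comment such as `/* -x implies -a: encryption is negotiated inside the authentication option. */` would keep the coupling visible to the next reader. The usage text for -x is outside this hunk, so I cannot tell whether it already states the implication.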
@@ -106,6 +107,8 @@ int
 char
 *prompt = 0;
+int scheduler_lockout_tty = 0;
+
 cc_t escape;
 cc_t rlogin;
 #ifdef KLUDGELINEMODE
@@ -2203,6 +2206,10 @@ Scheduler(block)
 }
 #endif /* defined(TN3270) && defined(unix) */
+ if (scheduler_lockout_tty) {
+ ttyin = ttyout = 0;
+ }
+
 /* Call to system code to process rings */
 returnValue = process_rings(netin, netout, netex, ttyin, ttyout, !block);
@@ -2260,15 +2267,17 @@ telnet(user)
 }
 #endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */
 # if !defined(TN3270)
- if (telnetport) {
 #if defined(AUTHENTICATION)
- if (autologin)
- send_will(TELOPT_AUTHENTICATION, 1);
+ if (autologin)
+ send_will(TELOPT_AUTHENTICATION, 1);
 #endif
 #ifdef ENCRYPTION
+ if (telnetport || wantencryption) {
 send_do(TELOPT_ENCRYPT, 1);
 send_will(TELOPT_ENCRYPT, 1);
+ }
 #endif /* ENCRYPTION */
+ if (telnetport) {
 send_do(TELOPT_SGA, 1);
 send_will(TELOPT_TTYPE, 1);
 send_will(TELOPT_NAWS, 1);
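Review bot: `ttyin = ttyout = 0;` under scheduler_lockout_tty also stops draining the terminal output ring, which is broader than the ChangeLog's stated intent of suppressing keyboard read events. While telnet() spins waiting for encryption, anything the server sends before the option completes accumulates in ttyoring and is not written; if that ring fills, network input may stall as well (process_rings and telrcv are not visible here, so this is inferred). Unless holding output back is intended, `ttyin = 0;` alone matches the description, and if it is intended a comment saying why would help. Scheduler's body continues outside the hunk.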
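Review bot: Moving `if (autologin) send_will(TELOPT_AUTHENTICATION, 1);` out of the `if (telnetport)` block means the client now offers authentication on any port when -a (or now -x) is given, not only on the standard telnet port; that behaviour change is not described in the ChangeLog and deserves a comment at this spot. The same DO/WILL ENCRYPT pair is sent again at the top of the new wait loop in the @@ -2284 hunk whenever wantencryption is set; if the init argument of send_do/send_will already suppresses a repeated request one of the two call sites is dead, otherwise the server sees the request twice. telnet()'s body continues outside the hunk.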
@@ -2284,6 +2293,46 @@ telnet(user)
 }
 # endif /* !defined(TN3270) */
+#ifdef ENCRYPTION
+ /*
+ * Note: we assume a tie to the authentication option here. This
+ * is necessary so that authentication fails, we don't spin
+ * forever.
+ */
+ if (wantencryption) {
+ extern int auth_has_failed;
+ time_t timeout = time(0) + 60;
+
+ send_do(TELOPT_ENCRYPT, 1);
+ send_will(TELOPT_ENCRYPT, 1);
+ while (1) {
+ if (my_want_state_is_wont(TELOPT_AUTHENTICATION)) {
+ printf("Server refused to negotiation authentication, which is required\n");
+ printf("for encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (auth_has_failed) {
+ printf("Authentication negotation has failed, which is required for\n");
+ printf("encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (my_want_state_is_dont(TELOPT_ENCRYPT) ||
+ my_want_state_is_wont(TELOPT_ENCRYPT)) {
+ printf("Server refused to negotiate encryption. Good bye.\n\r");
+ Exit(1);
+ }
+ if (encrypt_is_encrypting())
+ break;
+ if (time(0) > timeout) {
+ printf("Encryption could not be enabled. Goodbye.\n\r");
+ Exit(1);
+ }
+ telnet_spin();
+ }
+ }
+#endif
+
+
 # if !defined(TN3270)
 for (;;) {
 int schedValue;
diff --git a/src/appl/telnet/telnet/utilities.c b/src/appl/telnet/telnet/utilities.c
index 2e973e031..19f503bd4 100644
--- a/src/appl/telnet/telnet/utilities.c
+++ b/src/appl/telnet/telnet/utilities.c
@@ -436,12 +436,13 @@ printsub(direction, pointer, length)
 fprintf(NetTrace, "(partial suboption??\?)");
 break;
 }
- fprintf(NetTrace, "%s|%s",
+ fprintf(NetTrace, "%s|%s%s",
 ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
 "CLIENT" : "SERVER",
 ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY");
-
+ "MUTUAL" : "ONE-WAY",
+ ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+ "|ENCRYPT" : "");
 auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
 fprintf(NetTrace, "%s", buf);
 break;
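Review bot: The loop leaves as soon as `encrypt_is_encrypting()` is true, and if that call reports only the outbound direction (as I recall the libtelnet implementation doing) the keyboard is unlocked while data from the server may still arrive in the clear until its own start has been processed — please confirm against this tree's encrypt.c and, if so, also require the inbound side to be active before `break`. Two user-facing messages have typos, `negotiation authentication` should read `negotiate authentication` and `negotation` should read `negotiation`, and the messages mix `\n` with `\n\r` and `Good bye` with `Goodbye`. The header comment is missing a word: `is necessary so that if authentication fails, we don't spin forever`. The bare 60 in `time_t timeout = time(0) + 60;` would read better as a named constant with a comment stating why that bound was chosen.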
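Review bot: The three-way `%s|%s%s` formatting of the AUTH_WHO, AUTH_HOW and AUTH_ENCRYPT bits is now written out twice, here and again in the @@ -458 hunk, differing only in the index expression; a small static helper that takes the flag byte and formats the pieces would keep the two trace paths from drifting apart. If AUTH_ENCRYPT_MASK covers more than the single ON value, `== AUTH_ENCRYPT_ON` prints nothing for any other masked value, so a trace of an unexpected flag combination looks identical to one with encryption off; printing the raw flag byte alongside would keep the trace honest. printsub's body continues outside the hunk.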
@@ -458,11 +459,13 @@ printsub(direction, pointer, length)
 fprintf(NetTrace, "(partial suboption??\?)");
 break;
 }
- fprintf(NetTrace, "%s|%s ",
+ fprintf(NetTrace, "%s|%s%s ",
 ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
 "CLIENT" : "SERVER",
 ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY");
+ "MUTUAL" : "ONE-WAY",
+ ((pointer[i] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
+ "|ENCRYPT" : "");
 ++i;
 }
 break;
--
2.26.2