summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat
-rw-r--r--lib/libtelnet/Makefile23
-rw-r--r--lib/libtelnet/auth-proto.h23
-rw-r--r--lib/libtelnet/auth.c50
-rw-r--r--lib/libtelnet/auth.h16
-rw-r--r--lib/libtelnet/enc-proto.h146
-rw-r--r--lib/libtelnet/enc_des.c662
-rw-r--r--lib/libtelnet/encrypt.c952
-rw-r--r--lib/libtelnet/encrypt.h53
-rw-r--r--lib/libtelnet/genget.c12
-rw-r--r--lib/libtelnet/kerberos.c674
-rw-r--r--lib/libtelnet/kerberos5.c775
-rw-r--r--lib/libtelnet/misc-proto.h21
-rw-r--r--lib/libtelnet/misc.c12
-rw-r--r--lib/libtelnet/shlib_version2
14 files changed, 3371 insertions, 50 deletions
diff --git a/lib/libtelnet/Makefile b/lib/libtelnet/Makefile
index a8ce8810bcc..cea65a18f80 100644
--- a/lib/libtelnet/Makefile
+++ b/lib/libtelnet/Makefile
@@ -1,18 +1,23 @@
# from: @(#)Makefile 8.2 (Berkeley) 12/15/93
-# $OpenBSD: Makefile,v 1.2 1996/03/19 23:15:46 niklas Exp $
+# $OpenBSD: Makefile,v 1.3 1998/03/12 04:48:42 art Exp $
# $NetBSD: Makefile,v 1.6 1996/02/24 01:15:15 jtk Exp $
LIB= telnet
SRCS= auth.c encrypt.c genget.c getent.c misc.c
+
CFLAGS+= -DHAS_CGETENT
-# These are the sources that have encryption stuff in them.
-CRYPT_SRC= auth.c enc-proto.h enc_des.c encrypt.c
-CRYPT_SRC+= encrypt.h kerberos.c kerberos5.c krb4encpwd.c
-CRYPT_SRC+= misc.c spx.c Makefile
-NOCRYPT_DIR=${.CURDIR}/Nocrypt
+.include <bsd.own.mk> # for KERBEROS
-.include <bsd.lib.mk>
+.if (${KERBEROS} == "yes")
+CFLAGS+= -DKRB4 -DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION
+SRCS+= kerberos.c enc_des.c
+.endif
-nocrypt:
- @echo "Encryption code already removed."
+# XXX this has not been tested due to lack of kerberos5 to test with.
+.if (${KERBEROS5} == "yes")
+CFLAGS+= -DKRB5 -DAUTHENTICATION -DENCRYPTION -DDES_ENCRYPTION
+SRCS+= kerberos5.c enc_des.c
+.endif
+
+.include <bsd.lib.mk>
diff --git a/lib/libtelnet/auth-proto.h b/lib/libtelnet/auth-proto.h
index d77a215043f..170121ad6ff 100644
--- a/lib/libtelnet/auth-proto.h
+++ b/lib/libtelnet/auth-proto.h
@@ -31,11 +31,23 @@
* SUCH DAMAGE.
*
* from: @(#)auth-proto.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: auth-proto.h,v 1.2 1996/03/19 23:15:47 niklas Exp $
+ * $OpenBSD: auth-proto.h,v 1.3 1998/03/12 04:48:43 art Exp $
* $NetBSD: auth-proto.h,v 1.5 1996/02/24 01:15:16 jtk Exp $
*/
/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
*
* Export of this software from the United States of America is assumed
@@ -80,14 +92,14 @@ int auth_togdebug __P((int));
int auth_status __P((void));
void auth_name __P((unsigned char *, int));
int auth_sendname __P((unsigned char *, int));
-void auth_finished __P((Authenticator *, int));
-int auth_wait __P((char *));
void auth_debug __P((int));
void auth_printsub __P((unsigned char *, int, unsigned char *, int));
#ifdef KRB4
int kerberos4_init __P((Authenticator *, int));
-int kerberos4_send __P((Authenticator *));
+int kerberos4_forward __P((Authenticator *));
+int kerberos4_send_oneway __P((Authenticator *));
+int kerberos4_send_mutual __P((Authenticator *));
void kerberos4_is __P((Authenticator *, unsigned char *, int));
void kerberos4_reply __P((Authenticator *, unsigned char *, int));
int kerberos4_status __P((Authenticator *, char *, int));
@@ -96,7 +108,8 @@ void kerberos4_printsub __P((unsigned char *, int, unsigned char *, int));
#ifdef KRB5
int kerberos5_init __P((Authenticator *, int));
-int kerberos5_send __P((Authenticator *));
+int kerberos5_send_mutual __P((Authenticator *));
+int kerberos5_send_oneway __P((Authenticator *));
void kerberos5_is __P((Authenticator *, unsigned char *, int));
void kerberos5_reply __P((Authenticator *, unsigned char *, int));
int kerberos5_status __P((Authenticator *, char *, int));
diff --git a/lib/libtelnet/auth.c b/lib/libtelnet/auth.c
index 76ff5dfbaf4..412fe75a406 100644
--- a/lib/libtelnet/auth.c
+++ b/lib/libtelnet/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.2 1996/03/19 23:15:48 niklas Exp $ */
+/* $OpenBSD: auth.c,v 1.3 1998/03/12 04:48:45 art Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -36,10 +36,21 @@
#ifndef lint
/* from: static char sccsid[] = "@(#)auth.c 8.3 (Berkeley) 5/30/95" */
/* from: static char *rcsid = "$NetBSD: auth.c,v 1.5 1996/02/24 01:15:17 jtk Exp $"; */
-static char *rcsid = "$OpenBSD: auth.c,v 1.2 1996/03/19 23:15:48 niklas Exp $";
#endif /* not lint */
/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
*
* Export of this software from the United States of America is assumed
@@ -61,19 +72,15 @@ static char *rcsid = "$OpenBSD: auth.c,v 1.2 1996/03/19 23:15:48 niklas Exp $";
#if defined(AUTHENTICATION)
+
#include <stdio.h>
#include <sys/types.h>
+#include <unistd.h>
#include <signal.h>
#define AUTH_NAMES
#include <arpa/telnet.h>
-#ifdef __STDC__
#include <stdlib.h>
-#endif
-#ifdef NO_STRING_H
-#include <strings.h>
-#else
#include <string.h>
-#endif
#include "encrypt.h"
#include "auth.h"
@@ -132,18 +139,34 @@ Authenticator authenticators[] = {
spx_printsub },
#endif
#ifdef KRB5
+ { AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ kerberos5_init,
+ kerberos5_send_mutual,
+ kerberos5_is,
+ kerberos5_reply,
+ kerberos5_status,
+ kerberos5_printsub },
+
{ AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
kerberos5_init,
- kerberos5_send,
+ kerberos5_send_oneway,
kerberos5_is,
kerberos5_reply,
kerberos5_status,
kerberos5_printsub },
#endif
#ifdef KRB4
+ { AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_MUTUAL,
+ kerberos4_init,
+ kerberos4_send_mutual,
+ kerberos4_is,
+ kerberos4_reply,
+ kerberos4_status,
+ kerberos4_printsub },
+
{ AUTHTYPE_KERBEROS_V4, AUTH_WHO_CLIENT|AUTH_HOW_ONE_WAY,
kerberos4_init,
- kerberos4_send,
+ kerberos4_send_oneway,
kerberos4_is,
kerberos4_reply,
kerberos4_status,
@@ -486,7 +509,7 @@ auth_is(data, cnt)
return;
}
- if (ap = findauthenticator(data[0], data[1])) {
+ if ((ap = findauthenticator(data[0], data[1]))) {
if (ap->is)
(*ap->is)(ap, data+2, cnt-2);
} else if (auth_debug_mode)
@@ -504,7 +527,7 @@ auth_reply(data, cnt)
if (cnt < 2)
return;
- if (ap = findauthenticator(data[0], data[1])) {
+ if ((ap = findauthenticator(data[0], data[1]))) {
if (ap->reply)
(*ap->reply)(ap, data+2, cnt-2);
} else if (auth_debug_mode)
@@ -517,7 +540,6 @@ auth_name(data, cnt)
unsigned char *data;
int cnt;
{
- Authenticator *ap;
unsigned char savename[256];
if (cnt < 1) {
@@ -646,7 +668,7 @@ auth_gen_printsub(data, cnt, buf, buflen)
buf[buflen-2] = '*';
buflen -= 2;
for (; cnt > 0; cnt--, data++) {
- sprintf((char *)tbuf, " %d", *data);
+ snprintf((char *)tbuf, sizeof(tbuf), " %d", *data);
for (cp = tbuf; *cp && buflen > 0; --buflen)
*buf++ = *cp++;
if (buflen <= 0)
diff --git a/lib/libtelnet/auth.h b/lib/libtelnet/auth.h
index fe76cd17af8..dd9fba11451 100644
--- a/lib/libtelnet/auth.h
+++ b/lib/libtelnet/auth.h
@@ -31,11 +31,23 @@
* SUCH DAMAGE.
*
* from: @(#)auth.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: auth.h,v 1.2 1996/03/19 23:15:49 niklas Exp $
+ * $OpenBSD: auth.h,v 1.3 1998/03/12 04:48:46 art Exp $
* $NetBSD: auth.h,v 1.5 1996/02/24 01:15:18 jtk Exp $
*/
/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
*
* Export of this software from the United States of America is assumed
@@ -77,5 +89,5 @@ typedef struct XauthP {
#include "auth-proto.h"
-extern auth_debug_mode;
+extern int auth_debug_mode;
#endif
diff --git a/lib/libtelnet/enc-proto.h b/lib/libtelnet/enc-proto.h
new file mode 100644
index 00000000000..ff3ecb7e693
--- /dev/null
+++ b/lib/libtelnet/enc-proto.h
@@ -0,0 +1,146 @@
+/* $OpenBSD: enc-proto.h,v 1.1 1998/03/12 04:48:47 art Exp $ */
+/*-
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * @(#)enc-proto.h 8.1 (Berkeley) 6/4/93
+ *
+ * @(#)enc-proto.h 5.2 (Berkeley) 3/22/91
+ */
+
+/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/* $KTH: enc-proto.h,v 1.8 1997/11/02 03:57:10 assar Exp $ */
+
+#if defined(ENCRYPTION)
+Encryptions *findencryption __P((int));
+Encryptions *finddecryption __P((int));
+int EncryptAutoDec __P((int));
+int EncryptAutoEnc __P((int));
+int EncryptDebug __P((int));
+int EncryptDisable __P((char*, char*));
+int EncryptEnable __P((char*, char*));
+int EncryptStart __P((char*));
+int EncryptStartInput __P((void));
+int EncryptStartOutput __P((void));
+int EncryptStatus __P((void));
+int EncryptStop __P((char*));
+int EncryptStopInput __P((void));
+int EncryptStopOutput __P((void));
+int EncryptType __P((char*, char*));
+int EncryptVerbose __P((int));
+int net_write __P((unsigned char *, int));
+void decrypt_auto __P((int));
+void encrypt_auto __P((int));
+void encrypt_debug __P((int));
+void encrypt_dec_keyid __P((unsigned char*, int));
+void encrypt_display __P((void));
+void encrypt_enc_keyid __P((unsigned char*, int));
+void encrypt_end __P((void));
+void encrypt_gen_printsub __P((unsigned char*, int, unsigned char*, int));
+void encrypt_init __P((char*, int));
+void encrypt_is __P((unsigned char*, int));
+void encrypt_list_types __P((void));
+void encrypt_not __P((void));
+void encrypt_printsub __P((unsigned char*, int, unsigned char*, int));
+void encrypt_reply __P((unsigned char*, int));
+void encrypt_request_end __P((void));
+void encrypt_request_start __P((unsigned char*, int));
+void encrypt_send_end __P((void));
+void encrypt_send_keyid __P((int, unsigned char*, int, int));
+void encrypt_send_request_end __P((void));
+void encrypt_send_request_start __P((void));
+void encrypt_send_support __P((void));
+void encrypt_session_key __P((Session_Key*, int));
+void encrypt_start __P((unsigned char*, int));
+void encrypt_start_output __P((int));
+void encrypt_support __P((unsigned char*, int));
+void encrypt_verbose_quiet __P((int));
+void encrypt_wait __P((void));
+int encrypt_delay __P((void));
+
+#ifdef TELENTD
+void encrypt_wait __P((void));
+#else
+void encrypt_display __P((void));
+#endif
+
+void cfb64_encrypt __P((unsigned char *, int));
+int cfb64_decrypt __P((int));
+void cfb64_init __P((int));
+int cfb64_start __P((int, int));
+int cfb64_is __P((unsigned char *, int));
+int cfb64_reply __P((unsigned char *, int));
+void cfb64_session __P((Session_Key *, int));
+int cfb64_keyid __P((int, unsigned char *, int *));
+void cfb64_printsub __P((unsigned char *, int, unsigned char *, int));
+
+void ofb64_encrypt __P((unsigned char *, int));
+int ofb64_decrypt __P((int));
+void ofb64_init __P((int));
+int ofb64_start __P((int, int));
+int ofb64_is __P((unsigned char *, int));
+int ofb64_reply __P((unsigned char *, int));
+void ofb64_session __P((Session_Key *, int));
+int ofb64_keyid __P((int, unsigned char *, int *));
+void ofb64_printsub __P((unsigned char *, int, unsigned char *, int));
+
+#endif
diff --git a/lib/libtelnet/enc_des.c b/lib/libtelnet/enc_des.c
new file mode 100644
index 00000000000..769b40c76b3
--- /dev/null
+++ b/lib/libtelnet/enc_des.c
@@ -0,0 +1,662 @@
+/* $OpenBSD: enc_des.c,v 1.1 1998/03/12 04:48:48 art Exp $ */
+/* $Id: enc_des.c,v 1.1 1998/03/12 04:48:48 art Exp $ */
+
+/*-
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(AUTHENTICATION) && defined(ENCRYPTION) && defined(DES_ENCRYPTION)
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include "encrypt.h"
+#include "misc-proto.h"
+#include <des.h>
+
+extern int encrypt_debug_mode;
+
+#define CFB 0
+#define OFB 1
+
+#define NO_SEND_IV 1
+#define NO_RECV_IV 2
+#define NO_KEYID 4
+#define IN_PROGRESS (NO_SEND_IV|NO_RECV_IV|NO_KEYID)
+#define SUCCESS 0
+#define FAILED -1
+
+
+struct stinfo {
+ des_cblock str_output;
+ des_cblock str_feed;
+ des_cblock str_iv;
+ des_cblock str_ikey;
+ des_key_schedule str_sched;
+ int str_index;
+ int str_flagshift;
+};
+
+struct fb {
+ des_cblock krbdes_key;
+ des_key_schedule krbdes_sched;
+ des_cblock temp_feed;
+ unsigned char fb_feed[64];
+ int need_start;
+ int state[2];
+ int keyid[2];
+ int once;
+ struct stinfo streams[2];
+};
+
+static struct fb fb[2];
+
+struct keyidlist {
+ char *keyid;
+ int keyidlen;
+ char *key;
+ int keylen;
+ int flags;
+} keyidlist [] = {
+ { "\0", 1, 0, 0, 0 }, /* default key of zero */
+ { 0, 0, 0, 0, 0 }
+};
+
+#define KEYFLAG_MASK 03
+
+#define KEYFLAG_NOINIT 00
+#define KEYFLAG_INIT 01
+#define KEYFLAG_OK 02
+#define KEYFLAG_BAD 03
+
+#define KEYFLAG_SHIFT 2
+
+#define SHIFT_VAL(a,b) (KEYFLAG_SHIFT*((a)+((b)*2)))
+
+#define FB64_IV 1
+#define FB64_IV_OK 2
+#define FB64_IV_BAD 3
+
+
+void fb64_stream_iv (des_cblock, struct stinfo *);
+void fb64_init (struct fb *);
+static int fb64_start (struct fb *, int, int);
+int fb64_is (unsigned char *, int, struct fb *);
+int fb64_reply (unsigned char *, int, struct fb *);
+static void fb64_session (Session_Key *, int, struct fb *);
+void fb64_stream_key (des_cblock, struct stinfo *);
+int fb64_keyid (int, unsigned char *, int *, struct fb *);
+
+void cfb64_init(int server)
+{
+ fb64_init(&fb[CFB]);
+ fb[CFB].fb_feed[4] = ENCTYPE_DES_CFB64;
+ fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, CFB);
+ fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, CFB);
+}
+
+
+void ofb64_init(int server)
+{
+ fb64_init(&fb[OFB]);
+ fb[OFB].fb_feed[4] = ENCTYPE_DES_OFB64;
+ fb[CFB].streams[0].str_flagshift = SHIFT_VAL(0, OFB);
+ fb[CFB].streams[1].str_flagshift = SHIFT_VAL(1, OFB);
+}
+
+void fb64_init(struct fb *fbp)
+{
+ memset(fbp,0, sizeof(*fbp));
+ fbp->state[0] = fbp->state[1] = FAILED;
+ fbp->fb_feed[0] = IAC;
+ fbp->fb_feed[1] = SB;
+ fbp->fb_feed[2] = TELOPT_ENCRYPT;
+ fbp->fb_feed[3] = ENCRYPT_IS;
+}
+
+/*
+ * Returns:
+ * -1: some error. Negotiation is done, encryption not ready.
+ * 0: Successful, initial negotiation all done.
+ * 1: successful, negotiation not done yet.
+ * 2: Not yet. Other things (like getting the key from
+ * Kerberos) have to happen before we can continue.
+ */
+int cfb64_start(int dir, int server)
+{
+ return(fb64_start(&fb[CFB], dir, server));
+}
+
+int ofb64_start(int dir, int server)
+{
+ return(fb64_start(&fb[OFB], dir, server));
+}
+
+static int fb64_start(struct fb *fbp, int dir, int server)
+{
+ int x;
+ unsigned char *p;
+ int state;
+
+ switch (dir) {
+ case DIR_DECRYPT:
+ /*
+ * This is simply a request to have the other side
+ * start output (our input). He will negotiate an
+ * IV so we need not look for it.
+ */
+ state = fbp->state[dir-1];
+ if (state == FAILED)
+ state = IN_PROGRESS;
+ break;
+
+ case DIR_ENCRYPT:
+ state = fbp->state[dir-1];
+ if (state == FAILED)
+ state = IN_PROGRESS;
+ else if ((state & NO_SEND_IV) == 0) {
+ break;
+ }
+
+ if (!VALIDKEY(fbp->krbdes_key)) {
+ fbp->need_start = 1;
+ break;
+ }
+
+ state &= ~NO_SEND_IV;
+ state |= NO_RECV_IV;
+ if (encrypt_debug_mode)
+ printf("Creating new feed\r\n");
+ /*
+ * Create a random feed and send it over.
+ */
+#ifndef OLD_DES_RANDOM_KEY
+ des_new_random_key(&fbp->temp_feed);
+#else
+ /*
+ * From des_cryp.man "If the des_check_key flag is non-zero,
+ * des_set_key will check that the key passed is
+ * of odd parity and is not a week or semi-weak key."
+ */
+ do {
+ des_random_key(fbp->temp_feed);
+ des_set_odd_parity(fbp->temp_feed);
+ } while (des_is_weak_key(fbp->temp_feed));
+#endif
+ des_ecb_encrypt(&fbp->temp_feed,
+ &fbp->temp_feed,
+ fbp->krbdes_sched, 1);
+ p = fbp->fb_feed + 3;
+ *p++ = ENCRYPT_IS;
+ p++;
+ *p++ = FB64_IV;
+ for (x = 0; x < sizeof(des_cblock); ++x) {
+ if ((*p++ = fbp->temp_feed[x]) == IAC)
+ *p++ = IAC;
+ }
+ *p++ = IAC;
+ *p++ = SE;
+ printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+ net_write(fbp->fb_feed, p - fbp->fb_feed);
+ break;
+ default:
+ return(FAILED);
+ }
+ return(fbp->state[dir-1] = state);
+}
+
+/*
+ * Returns:
+ * -1: some error. Negotiation is done, encryption not ready.
+ * 0: Successful, initial negotiation all done.
+ * 1: successful, negotiation not done yet.
+ */
+
+int cfb64_is(unsigned char *data, int cnt)
+{
+ return(fb64_is(data, cnt, &fb[CFB]));
+}
+
+int ofb64_is(unsigned char *data, int cnt)
+{
+ return(fb64_is(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_is(unsigned char *data, int cnt, struct fb *fbp)
+{
+ unsigned char *p;
+ int state = fbp->state[DIR_DECRYPT-1];
+
+ if (cnt-- < 1)
+ goto failure;
+
+ switch (*data++) {
+ case FB64_IV:
+ if (cnt != sizeof(des_cblock)) {
+ if (encrypt_debug_mode)
+ printf("CFB64: initial vector failed on size\r\n");
+ state = FAILED;
+ goto failure;
+ }
+
+ if (encrypt_debug_mode)
+ printf("CFB64: initial vector received\r\n");
+
+ if (encrypt_debug_mode)
+ printf("Initializing Decrypt stream\r\n");
+
+ fb64_stream_iv(data, &fbp->streams[DIR_DECRYPT-1]);
+
+ p = fbp->fb_feed + 3;
+ *p++ = ENCRYPT_REPLY;
+ p++;
+ *p++ = FB64_IV_OK;
+ *p++ = IAC;
+ *p++ = SE;
+ printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+ net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+ state = fbp->state[DIR_DECRYPT-1] = IN_PROGRESS;
+ break;
+
+ default:
+ if (encrypt_debug_mode) {
+ printf("Unknown option type: %d\r\n", *(data-1));
+ printd(data, cnt);
+ printf("\r\n");
+ }
+ /* FALL THROUGH */
+ failure:
+ /*
+ * We failed. Send an FB64_IV_BAD option
+ * to the other side so it will know that
+ * things failed.
+ */
+ p = fbp->fb_feed + 3;
+ *p++ = ENCRYPT_REPLY;
+ p++;
+ *p++ = FB64_IV_BAD;
+ *p++ = IAC;
+ *p++ = SE;
+ printsub('>', &fbp->fb_feed[2], p - &fbp->fb_feed[2]);
+ net_write(fbp->fb_feed, p - fbp->fb_feed);
+
+ break;
+ }
+ return(fbp->state[DIR_DECRYPT-1] = state);
+}
+
+/*
+ * Returns:
+ * -1: some error. Negotiation is done, encryption not ready.
+ * 0: Successful, initial negotiation all done.
+ * 1: successful, negotiation not done yet.
+ */
+
+int cfb64_reply(unsigned char *data, int cnt)
+{
+ return(fb64_reply(data, cnt, &fb[CFB]));
+}
+
+int ofb64_reply(unsigned char *data, int cnt)
+{
+ return(fb64_reply(data, cnt, &fb[OFB]));
+}
+
+
+int fb64_reply(unsigned char *data, int cnt, struct fb *fbp)
+{
+ int state = fbp->state[DIR_ENCRYPT-1];
+
+ if (cnt-- < 1)
+ goto failure;
+
+ switch (*data++) {
+ case FB64_IV_OK:
+ fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+ if (state == FAILED)
+ state = IN_PROGRESS;
+ state &= ~NO_RECV_IV;
+ encrypt_send_keyid(DIR_ENCRYPT, (unsigned char *)"\0", 1, 1);
+ break;
+
+ case FB64_IV_BAD:
+ memset(fbp->temp_feed, 0, sizeof(des_cblock));
+ fb64_stream_iv(fbp->temp_feed, &fbp->streams[DIR_ENCRYPT-1]);
+ state = FAILED;
+ break;
+
+ default:
+ if (encrypt_debug_mode) {
+ printf("Unknown option type: %d\r\n", data[-1]);
+ printd(data, cnt);
+ printf("\r\n");
+ }
+ /* FALL THROUGH */
+ failure:
+ state = FAILED;
+ break;
+ }
+ return(fbp->state[DIR_ENCRYPT-1] = state);
+}
+
+void cfb64_session(Session_Key *key, int server)
+{
+ fb64_session(key, server, &fb[CFB]);
+}
+
+void ofb64_session(Session_Key *key, int server)
+{
+ fb64_session(key, server, &fb[OFB]);
+}
+
+static void fb64_session(Session_Key *key, int server, struct fb *fbp)
+{
+
+ if (!key || key->type != SK_DES) {
+ if (encrypt_debug_mode)
+ printf("Can't set krbdes's session key (%d != %d)\r\n",
+ key ? key->type : -1, SK_DES);
+ return;
+ }
+ memcpy(fbp->krbdes_key, key->data, sizeof(des_cblock));
+
+ fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_ENCRYPT-1]);
+ fb64_stream_key(fbp->krbdes_key, &fbp->streams[DIR_DECRYPT-1]);
+
+ if (fbp->once == 0) {
+#ifndef OLD_DES_RANDOM_KEY
+ des_init_random_number_generator(&fbp->krbdes_key);
+#endif
+ fbp->once = 1;
+ }
+ des_key_sched(&fbp->krbdes_key, fbp->krbdes_sched);
+ /*
+ * Now look to see if krbdes_start() was was waiting for
+ * the key to show up. If so, go ahead an call it now
+ * that we have the key.
+ */
+ if (fbp->need_start) {
+ fbp->need_start = 0;
+ fb64_start(fbp, DIR_ENCRYPT, server);
+ }
+}
+
+/*
+ * We only accept a keyid of 0. If we get a keyid of
+ * 0, then mark the state as SUCCESS.
+ */
+
+int cfb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+ return(fb64_keyid(dir, kp, lenp, &fb[CFB]));
+}
+
+int ofb64_keyid(int dir, unsigned char *kp, int *lenp)
+{
+ return(fb64_keyid(dir, kp, lenp, &fb[OFB]));
+}
+
+int fb64_keyid(int dir, unsigned char *kp, int *lenp, struct fb *fbp)
+{
+ int state = fbp->state[dir-1];
+
+ if (*lenp != 1 || (*kp != '\0')) {
+ *lenp = 0;
+ return(state);
+ }
+
+ if (state == FAILED)
+ state = IN_PROGRESS;
+
+ state &= ~NO_KEYID;
+
+ return(fbp->state[dir-1] = state);
+}
+
+void fb64_printsub(unsigned char *data, int cnt,
+ unsigned char *buf, int buflen, char *type)
+{
+ char lbuf[32];
+ int i;
+ char *cp;
+
+ buf[buflen-1] = '\0'; /* make sure it's NULL terminated */
+ buflen -= 1;
+
+ switch(data[2]) {
+ case FB64_IV:
+ snprintf(lbuf, sizeof(lbuf), "%s_IV", type);
+ cp = lbuf;
+ goto common;
+
+ case FB64_IV_OK:
+ snprintf(lbuf, sizeof(lbuf), "%s_IV_OK", type);
+ cp = lbuf;
+ goto common;
+
+ case FB64_IV_BAD:
+ snprintf(lbuf, sizeof(lbuf), "%s_IV_BAD", type);
+ cp = lbuf;
+ goto common;
+
+ default:
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[2]);
+ cp = lbuf;
+ common:
+ for (; (buflen > 0) && (*buf = *cp++); buf++)
+ buflen--;
+ for (i = 3; i < cnt; i++) {
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+ for (cp = lbuf; (buflen > 0) && (*buf = *cp++); buf++)
+ buflen--;
+ }
+ break;
+ }
+}
+
+void cfb64_printsub(unsigned char *data, int cnt,
+ unsigned char *buf, int buflen)
+{
+ fb64_printsub(data, cnt, buf, buflen, "CFB64");
+}
+
+void ofb64_printsub(unsigned char *data, int cnt,
+ unsigned char *buf, int buflen)
+{
+ fb64_printsub(data, cnt, buf, buflen, "OFB64");
+}
+
+void fb64_stream_iv(des_cblock seed, struct stinfo *stp)
+{
+
+ memcpy(stp->str_iv, seed,sizeof(des_cblock));
+ memcpy(stp->str_output, seed, sizeof(des_cblock));
+
+ des_key_sched(&stp->str_ikey, stp->str_sched);
+
+ stp->str_index = sizeof(des_cblock);
+}
+
+void fb64_stream_key(des_cblock key, struct stinfo *stp)
+{
+ memcpy(stp->str_ikey, key, sizeof(des_cblock));
+ des_key_sched((des_cblock*)key, stp->str_sched);
+
+ memcpy(stp->str_output, stp->str_iv, sizeof(des_cblock));
+
+ stp->str_index = sizeof(des_cblock);
+}
+
+/*
+ * DES 64 bit Cipher Feedback
+ *
+ * key --->+-----+
+ * +->| DES |--+
+ * | +-----+ |
+ * | v
+ * INPUT --(--------->(+)+---> DATA
+ * | |
+ * +-------------+
+ *
+ *
+ * Given:
+ * iV: Initial vector, 64 bits (8 bytes) long.
+ * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ * V0 = DES(iV, key)
+ * On = Dn ^ Vn
+ * V(n+1) = DES(On, key)
+ */
+
+void cfb64_encrypt(unsigned char *s, int c)
+{
+ struct stinfo *stp = &fb[CFB].streams[DIR_ENCRYPT-1];
+ int index;
+
+ index = stp->str_index;
+ while (c-- > 0) {
+ if (index == sizeof(des_cblock)) {
+ des_cblock b;
+ des_ecb_encrypt(&stp->str_output, &b,stp->str_sched, 1);
+ memcpy(stp->str_feed, b, sizeof(des_cblock));
+ index = 0;
+ }
+
+ /* On encryption, we store (feed ^ data) which is cypher */
+ *s = stp->str_output[index] = (stp->str_feed[index] ^ *s);
+ s++;
+ index++;
+ }
+ stp->str_index = index;
+}
+
+int cfb64_decrypt(int data)
+{
+ struct stinfo *stp = &fb[CFB].streams[DIR_DECRYPT-1];
+ int index;
+
+ if (data == -1) {
+ /*
+ * Back up one byte. It is assumed that we will
+ * never back up more than one byte. If we do, this
+ * may or may not work.
+ */
+ if (stp->str_index)
+ --stp->str_index;
+ return(0);
+ }
+
+ index = stp->str_index++;
+ if (index == sizeof(des_cblock)) {
+ des_cblock b;
+ des_ecb_encrypt(&stp->str_output,&b, stp->str_sched, 1);
+ memcpy(stp->str_feed, b, sizeof(des_cblock));
+ stp->str_index = 1; /* Next time will be 1 */
+ index = 0; /* But now use 0 */
+ }
+
+ /* On decryption we store (data) which is cypher. */
+ stp->str_output[index] = data;
+ return(data ^ stp->str_feed[index]);
+}
+
+/*
+ * DES 64 bit Output Feedback
+ *
+ * key --->+-----+
+ * +->| DES |--+
+ * | +-----+ |
+ * +-----------+
+ * v
+ * INPUT -------->(+) ----> DATA
+ *
+ * Given:
+ * iV: Initial vector, 64 bits (8 bytes) long.
+ * Dn: the nth chunk of 64 bits (8 bytes) of data to encrypt (decrypt).
+ * On: the nth chunk of 64 bits (8 bytes) of encrypted (decrypted) output.
+ *
+ * V0 = DES(iV, key)
+ * V(n+1) = DES(Vn, key)
+ * On = Dn ^ Vn
+ */
+
+void ofb64_encrypt(unsigned char *s, int c)
+{
+ struct stinfo *stp = &fb[OFB].streams[DIR_ENCRYPT-1];
+ int index;
+
+ index = stp->str_index;
+ while (c-- > 0) {
+ if (index == sizeof(des_cblock)) {
+ des_cblock b;
+ des_ecb_encrypt(&stp->str_feed,&b, stp->str_sched, 1);
+ memcpy(stp->str_feed, b, sizeof(des_cblock));
+ index = 0;
+ }
+ *s++ ^= stp->str_feed[index];
+ index++;
+ }
+ stp->str_index = index;
+}
+
+int ofb64_decrypt(int data)
+{
+ struct stinfo *stp = &fb[OFB].streams[DIR_DECRYPT-1];
+ int index;
+
+ if (data == -1) {
+ /*
+ * Back up one byte. It is assumed that we will
+ * never back up more than one byte. If we do, this
+ * may or may not work.
+ */
+ if (stp->str_index)
+ --stp->str_index;
+ return(0);
+ }
+
+ index = stp->str_index++;
+ if (index == sizeof(des_cblock)) {
+ des_cblock b;
+ des_ecb_encrypt(&stp->str_feed,&b,stp->str_sched, 1);
+ memcpy(stp->str_feed, b, sizeof(des_cblock));
+ stp->str_index = 1; /* Next time will be 1 */
+ index = 0; /* But now use 0 */
+ }
+
+ return(data ^ stp->str_feed[index]);
+}
+#endif
+
diff --git a/lib/libtelnet/encrypt.c b/lib/libtelnet/encrypt.c
index 54cf30852f8..17cd6ae1c74 100644
--- a/lib/libtelnet/encrypt.c
+++ b/lib/libtelnet/encrypt.c
@@ -1,3 +1,6 @@
+/* $OpenBSD: encrypt.c,v 1.3 1998/03/12 04:48:48 art Exp $ */
+/* $KTH: encrypt.c,v 1.19 1997/11/02 03:58:03 assar Exp $ */
+
/*-
* Copyright (c) 1991, 1993
* The Regents of the University of California. All rights reserved.
@@ -31,11 +34,17 @@
* SUCH DAMAGE.
*/
-#ifndef lint
-/* from: static char sccsid[] = "@(#)encrypt.c 8.2 (Berkeley) 5/30/95"; */
-/* from: static char rcsid[] = "$NetBSD: encrypt.c,v 1.4 1996/02/24 01:15:19 jtk Exp $"; */
-static char rcsid[] = "$OpenBSD: encrypt.c,v 1.2 1996/03/19 23:15:50 niklas Exp $";
-#endif /* not lint */
+/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
@@ -57,3 +66,936 @@ static char rcsid[] = "$OpenBSD: encrypt.c,v 1.2 1996/03/19 23:15:50 niklas Exp
* or implied warranty.
*/
+#if defined(ENCRYPTION)
+
+#define ENCRYPT_NAMES
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/types.h>
+#include <arpa/telnet.h>
+
+#include "encrypt.h"
+#include "misc.h"
+
+
+/*
+ * These functions pointers point to the current routines
+ * for encrypting and decrypting data.
+ */
+void (*encrypt_output) __P((unsigned char *, int));
+int (*decrypt_input) __P((int));
+char *nclearto;
+
+int encrypt_debug_mode = 0;
+static int decrypt_mode = 0;
+static int encrypt_mode = 0;
+static int encrypt_verbose = 0;
+static int autoencrypt = 0;
+static int autodecrypt = 0;
+static int havesessionkey = 0;
+static int Server = 0;
+static char *Name = "Noname";
+
+#define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
+
+static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
+ | typemask(ENCTYPE_DES_OFB64);
+ static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
+ | typemask(ENCTYPE_DES_OFB64);
+ static long i_wont_support_encrypt = 0;
+ static long i_wont_support_decrypt = 0;
+#define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
+#define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
+
+ static long remote_supports_encrypt = 0;
+ static long remote_supports_decrypt = 0;
+
+ static Encryptions encryptions[] = {
+#if defined(DES_ENCRYPTION)
+ { "DES_CFB64", ENCTYPE_DES_CFB64,
+ cfb64_encrypt,
+ cfb64_decrypt,
+ cfb64_init,
+ cfb64_start,
+ cfb64_is,
+ cfb64_reply,
+ cfb64_session,
+ cfb64_keyid,
+ cfb64_printsub },
+ { "DES_OFB64", ENCTYPE_DES_OFB64,
+ ofb64_encrypt,
+ ofb64_decrypt,
+ ofb64_init,
+ ofb64_start,
+ ofb64_is,
+ ofb64_reply,
+ ofb64_session,
+ ofb64_keyid,
+ ofb64_printsub },
+#endif
+ { 0, },
+ };
+
+static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
+ ENCRYPT_SUPPORT };
+static unsigned char str_suplen = 0;
+static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
+static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
+
+Encryptions *
+findencryption(int type)
+{
+ Encryptions *ep = encryptions;
+
+ if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
+ return(0);
+ while (ep->type && ep->type != type)
+ ++ep;
+ return(ep->type ? ep : 0);
+}
+
+Encryptions *
+finddecryption(int type)
+{
+ Encryptions *ep = encryptions;
+
+ if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
+ return(0);
+ while (ep->type && ep->type != type)
+ ++ep;
+ return(ep->type ? ep : 0);
+}
+
+#define MAXKEYLEN 64
+
+static struct key_info {
+ unsigned char keyid[MAXKEYLEN];
+ int keylen;
+ int dir;
+ int *modep;
+ Encryptions *(*getcrypt)();
+} ki[2] = {
+ { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
+ { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
+};
+
+void
+encrypt_init(char *name, int server)
+{
+ Encryptions *ep = encryptions;
+
+ Name = name;
+ Server = server;
+ i_support_encrypt = i_support_decrypt = 0;
+ remote_supports_encrypt = remote_supports_decrypt = 0;
+ encrypt_mode = 0;
+ decrypt_mode = 0;
+ encrypt_output = 0;
+ decrypt_input = 0;
+#ifdef notdef
+ encrypt_verbose = !server;
+#endif
+
+ str_suplen = 4;
+
+ while (ep->type) {
+ if (encrypt_debug_mode)
+ printf(">>>%s: I will support %s\r\n",
+ Name, ENCTYPE_NAME(ep->type));
+ i_support_encrypt |= typemask(ep->type);
+ i_support_decrypt |= typemask(ep->type);
+ if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
+ if ((str_send[str_suplen++] = ep->type) == IAC)
+ str_send[str_suplen++] = IAC;
+ if (ep->init)
+ (*ep->init)(Server);
+ ++ep;
+ }
+ str_send[str_suplen++] = IAC;
+ str_send[str_suplen++] = SE;
+}
+
+void
+encrypt_list_types(void)
+{
+ Encryptions *ep = encryptions;
+
+ printf("Valid encryption types:\n");
+ while (ep->type) {
+ printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
+ ++ep;
+ }
+}
+
+int
+EncryptEnable(char *type, char *mode)
+{
+ if (isprefix(type, "help") || isprefix(type, "?")) {
+ printf("Usage: encrypt enable <type> [input|output]\n");
+ encrypt_list_types();
+ return(0);
+ }
+ if (EncryptType(type, mode))
+ return(EncryptStart(mode));
+ return(0);
+}
+
+int
+EncryptDisable(char *type, char *mode)
+{
+ Encryptions *ep;
+ int ret = 0;
+
+ if (isprefix(type, "help") || isprefix(type, "?")) {
+ printf("Usage: encrypt disable <type> [input|output]\n");
+ encrypt_list_types();
+ } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+ sizeof(Encryptions))) == 0) {
+ printf("%s: invalid encryption type\n", type);
+ } else if (Ambiguous(ep)) {
+ printf("Ambiguous type '%s'\n", type);
+ } else {
+ if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
+ if (decrypt_mode == ep->type)
+ EncryptStopInput();
+ i_wont_support_decrypt |= typemask(ep->type);
+ ret = 1;
+ }
+ if ((mode == 0) || (isprefix(mode, "output"))) {
+ if (encrypt_mode == ep->type)
+ EncryptStopOutput();
+ i_wont_support_encrypt |= typemask(ep->type);
+ ret = 1;
+ }
+ if (ret == 0)
+ printf("%s: invalid encryption mode\n", mode);
+ }
+ return(ret);
+}
+
+int
+EncryptType(char *type, char *mode)
+{
+ Encryptions *ep;
+ int ret = 0;
+
+ if (isprefix(type, "help") || isprefix(type, "?")) {
+ printf("Usage: encrypt type <type> [input|output]\n");
+ encrypt_list_types();
+ } else if ((ep = (Encryptions *)genget(type, (char**)encryptions,
+ sizeof(Encryptions))) == 0) {
+ printf("%s: invalid encryption type\n", type);
+ } else if (Ambiguous(ep)) {
+ printf("Ambiguous type '%s'\n", type);
+ } else {
+ if ((mode == 0) || isprefix(mode, "input")) {
+ decrypt_mode = ep->type;
+ i_wont_support_decrypt &= ~typemask(ep->type);
+ ret = 1;
+ }
+ if ((mode == 0) || isprefix(mode, "output")) {
+ encrypt_mode = ep->type;
+ i_wont_support_encrypt &= ~typemask(ep->type);
+ ret = 1;
+ }
+ if (ret == 0)
+ printf("%s: invalid encryption mode\n", mode);
+ }
+ return(ret);
+}
+
+int
+EncryptStart(char *mode)
+{
+ int ret = 0;
+ if (mode) {
+ if (isprefix(mode, "input"))
+ return(EncryptStartInput());
+ if (isprefix(mode, "output"))
+ return(EncryptStartOutput());
+ if (isprefix(mode, "help") || isprefix(mode, "?")) {
+ printf("Usage: encrypt start [input|output]\n");
+ return(0);
+ }
+ printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
+ return(0);
+ }
+ ret += EncryptStartInput();
+ ret += EncryptStartOutput();
+ return(ret);
+}
+
+int
+EncryptStartInput(void)
+{
+ if (decrypt_mode) {
+ encrypt_send_request_start();
+ return(1);
+ }
+ printf("No previous decryption mode, decryption not enabled\r\n");
+ return(0);
+}
+
+int
+EncryptStartOutput(void)
+{
+ if (encrypt_mode) {
+ encrypt_start_output(encrypt_mode);
+ return(1);
+ }
+ printf("No previous encryption mode, encryption not enabled\r\n");
+ return(0);
+}
+
+int
+EncryptStop(char *mode)
+{
+ int ret = 0;
+ if (mode) {
+ if (isprefix(mode, "input"))
+ return(EncryptStopInput());
+ if (isprefix(mode, "output"))
+ return(EncryptStopOutput());
+ if (isprefix(mode, "help") || isprefix(mode, "?")) {
+ printf("Usage: encrypt stop [input|output]\n");
+ return(0);
+ }
+ printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
+ return(0);
+ }
+ ret += EncryptStopInput();
+ ret += EncryptStopOutput();
+ return(ret);
+}
+
+int
+EncryptStopInput(void)
+{
+ encrypt_send_request_end();
+ return(1);
+}
+
+int
+EncryptStopOutput(void)
+{
+ encrypt_send_end();
+ return(1);
+}
+
+void
+encrypt_display(void)
+{
+ printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+ autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+ if (encrypt_output)
+ printf("Currently encrypting output with %s\r\n",
+ ENCTYPE_NAME(encrypt_mode));
+ else
+ printf("Currently not encrypting output\r\n");
+
+ if (decrypt_input)
+ printf("Currently decrypting input with %s\r\n",
+ ENCTYPE_NAME(decrypt_mode));
+ else
+ printf("Currently not decrypting input\r\n");
+}
+
+int
+EncryptStatus(void)
+{
+ printf("Autoencrypt for output is %s. Autodecrypt for input is %s.\r\n",
+ autoencrypt?"on":"off", autodecrypt?"on":"off");
+
+ if (encrypt_output)
+ printf("Currently encrypting output with %s\r\n",
+ ENCTYPE_NAME(encrypt_mode));
+ else if (encrypt_mode) {
+ printf("Currently output is clear text.\r\n");
+ printf("Last encryption mode was %s\r\n",
+ ENCTYPE_NAME(encrypt_mode));
+ } else
+ printf("Currently not encrypting output\r\n");
+
+ if (decrypt_input) {
+ printf("Currently decrypting input with %s\r\n",
+ ENCTYPE_NAME(decrypt_mode));
+ } else if (decrypt_mode) {
+ printf("Currently input is clear text.\r\n");
+ printf("Last decryption mode was %s\r\n",
+ ENCTYPE_NAME(decrypt_mode));
+ } else
+ printf("Currently not decrypting input\r\n");
+
+ return 1;
+}
+
+void
+encrypt_send_support(void)
+{
+ if (str_suplen) {
+ /*
+ * If the user has requested that decryption start
+ * immediatly, then send a "REQUEST START" before
+ * we negotiate the type.
+ */
+ if (!Server && autodecrypt)
+ encrypt_send_request_start();
+ net_write(str_send, str_suplen);
+ printsub('>', &str_send[2], str_suplen - 2);
+ str_suplen = 0;
+ }
+}
+
+int
+EncryptDebug(int on)
+{
+ if (on < 0)
+ encrypt_debug_mode ^= 1;
+ else
+ encrypt_debug_mode = on;
+ printf("Encryption debugging %s\r\n",
+ encrypt_debug_mode ? "enabled" : "disabled");
+ return(1);
+}
+
+/* turn on verbose encryption, but dont keep telling the whole world
+ */
+void encrypt_verbose_quiet(int on)
+{
+ if(on < 0)
+ encrypt_verbose ^= 1;
+ else
+ encrypt_verbose = on ? 1 : 0;
+}
+
+int
+EncryptVerbose(int on)
+{
+ encrypt_verbose_quiet(on);
+ printf("Encryption %s verbose\r\n",
+ encrypt_verbose ? "is" : "is not");
+ return(1);
+}
+
+int
+EncryptAutoEnc(int on)
+{
+ encrypt_auto(on);
+ printf("Automatic encryption of output is %s\r\n",
+ autoencrypt ? "enabled" : "disabled");
+ return(1);
+}
+
+int
+EncryptAutoDec(int on)
+{
+ decrypt_auto(on);
+ printf("Automatic decryption of input is %s\r\n",
+ autodecrypt ? "enabled" : "disabled");
+ return(1);
+}
+
+/* Called when we receive a WONT or a DONT ENCRYPT after we sent a DO
+ encrypt */
+void
+encrypt_not(void)
+{
+ if (encrypt_verbose)
+ printf("[ Connection is NOT encrypted ]\r\n");
+ else
+ printf("\r\n*** Connection not encrypted! "
+ "Communication may be eavesdropped. ***\r\n");
+}
+
+/*
+ * Called when ENCRYPT SUPPORT is received.
+ */
+void
+encrypt_support(unsigned char *typelist, int cnt)
+{
+ int type, use_type = 0;
+ Encryptions *ep;
+
+ /*
+ * Forget anything the other side has previously told us.
+ */
+ remote_supports_decrypt = 0;
+
+ while (cnt-- > 0) {
+ type = *typelist++;
+ if (encrypt_debug_mode)
+ printf(">>>%s: He is supporting %s (%d)\r\n",
+ Name,
+ ENCTYPE_NAME(type), type);
+ if ((type < ENCTYPE_CNT) &&
+ (I_SUPPORT_ENCRYPT & typemask(type))) {
+ remote_supports_decrypt |= typemask(type);
+ if (use_type == 0)
+ use_type = type;
+ }
+ }
+ if (use_type) {
+ ep = findencryption(use_type);
+ if (!ep)
+ return;
+ type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
+ if (encrypt_debug_mode)
+ printf(">>>%s: (*ep->start)() returned %d\r\n",
+ Name, type);
+ if (type < 0)
+ return;
+ encrypt_mode = use_type;
+ if (type == 0)
+ encrypt_start_output(use_type);
+ }
+}
+
+void
+encrypt_is(unsigned char *data, int cnt)
+{
+ Encryptions *ep;
+ int type, ret;
+
+ if (--cnt < 0)
+ return;
+ type = *data++;
+ if (type < ENCTYPE_CNT)
+ remote_supports_encrypt |= typemask(type);
+ if (!(ep = finddecryption(type))) {
+ if (encrypt_debug_mode)
+ printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+ Name,
+ ENCTYPE_NAME_OK(type)
+ ? ENCTYPE_NAME(type) : "(unknown)",
+ type);
+ return;
+ }
+ if (!ep->is) {
+ if (encrypt_debug_mode)
+ printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+ Name,
+ ENCTYPE_NAME_OK(type)
+ ? ENCTYPE_NAME(type) : "(unknown)",
+ type);
+ ret = 0;
+ } else {
+ ret = (*ep->is)(data, cnt);
+ if (encrypt_debug_mode)
+ printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
+ (ret < 0) ? "FAIL " :
+ (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+ }
+ if (ret < 0) {
+ autodecrypt = 0;
+ } else {
+ decrypt_mode = type;
+ if (ret == 0 && autodecrypt)
+ encrypt_send_request_start();
+ }
+}
+
+void
+encrypt_reply(unsigned char *data, int cnt)
+{
+ Encryptions *ep;
+ int ret, type;
+
+ if (--cnt < 0)
+ return;
+ type = *data++;
+ if (!(ep = findencryption(type))) {
+ if (encrypt_debug_mode)
+ printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
+ Name,
+ ENCTYPE_NAME_OK(type)
+ ? ENCTYPE_NAME(type) : "(unknown)",
+ type);
+ return;
+ }
+ if (!ep->reply) {
+ if (encrypt_debug_mode)
+ printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
+ Name,
+ ENCTYPE_NAME_OK(type)
+ ? ENCTYPE_NAME(type) : "(unknown)",
+ type);
+ ret = 0;
+ } else {
+ ret = (*ep->reply)(data, cnt);
+ if (encrypt_debug_mode)
+ printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
+ data, cnt,
+ (ret < 0) ? "FAIL " :
+ (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
+ }
+ if (encrypt_debug_mode)
+ printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
+ if (ret < 0) {
+ autoencrypt = 0;
+ } else {
+ encrypt_mode = type;
+ if (ret == 0 && autoencrypt)
+ encrypt_start_output(type);
+ }
+}
+
+/*
+ * Called when a ENCRYPT START command is received.
+ */
+void
+encrypt_start(unsigned char *data, int cnt)
+{
+ Encryptions *ep;
+
+ if (!decrypt_mode) {
+ /*
+ * Something is wrong. We should not get a START
+ * command without having already picked our
+ * decryption scheme. Send a REQUEST-END to
+ * attempt to clear the channel...
+ */
+ printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
+ encrypt_send_request_end();
+ return;
+ }
+
+ if ((ep = finddecryption(decrypt_mode))) {
+ decrypt_input = ep->input;
+ if (encrypt_verbose)
+ printf("[ Input is now decrypted with type %s ]\r\n",
+ ENCTYPE_NAME(decrypt_mode));
+ if (encrypt_debug_mode)
+ printf(">>>%s: Start to decrypt input with type %s\r\n",
+ Name, ENCTYPE_NAME(decrypt_mode));
+ } else {
+ printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
+ Name,
+ ENCTYPE_NAME_OK(decrypt_mode)
+ ? ENCTYPE_NAME(decrypt_mode)
+ : "(unknown)",
+ decrypt_mode);
+ encrypt_send_request_end();
+ }
+}
+
+void
+encrypt_session_key(Session_Key *key, int server)
+{
+ Encryptions *ep = encryptions;
+
+ havesessionkey = 1;
+
+ while (ep->type) {
+ if (ep->session)
+ (*ep->session)(key, server);
+ ++ep;
+ }
+}
+
+/*
+ * Called when ENCRYPT END is received.
+ */
+void
+encrypt_end(void)
+{
+ decrypt_input = 0;
+ if (encrypt_debug_mode)
+ printf(">>>%s: Input is back to clear text\r\n", Name);
+ if (encrypt_verbose)
+ printf("[ Input is now clear text ]\r\n");
+}
+
+/*
+ * Called when ENCRYPT REQUEST-END is received.
+ */
+void
+encrypt_request_end(void)
+{
+ encrypt_send_end();
+}
+
+/*
+ * Called when ENCRYPT REQUEST-START is received. If we receive
+ * this before a type is picked, then that indicates that the
+ * other side wants us to start encrypting data as soon as we
+ * can.
+ */
+void
+encrypt_request_start(unsigned char *data, int cnt)
+{
+ if (encrypt_mode == 0) {
+ if (Server)
+ autoencrypt = 1;
+ return;
+ }
+ encrypt_start_output(encrypt_mode);
+}
+
+static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
+
+static void
+encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
+{
+ Encryptions *ep;
+ int dir = kp->dir;
+ int ret = 0;
+
+ if (!(ep = (*kp->getcrypt)(*kp->modep))) {
+ if (len == 0)
+ return;
+ kp->keylen = 0;
+ } else if (len == 0) {
+ /*
+ * Empty option, indicates a failure.
+ */
+ if (kp->keylen == 0)
+ return;
+ kp->keylen = 0;
+ if (ep->keyid)
+ (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+
+ } else if ((len != kp->keylen) || (memcmp(keyid,kp->keyid,len) != 0)) {
+ /*
+ * Length or contents are different
+ */
+ kp->keylen = len;
+ memcpy(kp->keyid,keyid, len);
+ if (ep->keyid)
+ (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
+ } else {
+ if (ep->keyid)
+ ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
+ if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
+ encrypt_start_output(*kp->modep);
+ return;
+ }
+
+ encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
+}
+
+void encrypt_enc_keyid(unsigned char *keyid, int len)
+{
+ encrypt_keyid(&ki[1], keyid, len);
+}
+
+void encrypt_dec_keyid(unsigned char *keyid, int len)
+{
+ encrypt_keyid(&ki[0], keyid, len);
+}
+
+
+void encrypt_send_keyid(int dir, unsigned char *keyid, int keylen, int saveit)
+{
+ unsigned char *strp;
+
+ str_keyid[3] = (dir == DIR_ENCRYPT)
+ ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
+ if (saveit) {
+ struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
+ memcpy(kp->keyid,keyid, keylen);
+ kp->keylen = keylen;
+ }
+
+ for (strp = &str_keyid[4]; keylen > 0; --keylen) {
+ if ((*strp++ = *keyid++) == IAC)
+ *strp++ = IAC;
+ }
+ *strp++ = IAC;
+ *strp++ = SE;
+ net_write(str_keyid, strp - str_keyid);
+ printsub('>', &str_keyid[2], strp - str_keyid - 2);
+}
+
+void
+encrypt_auto(int on)
+{
+ if (on < 0)
+ autoencrypt ^= 1;
+ else
+ autoencrypt = on ? 1 : 0;
+}
+
+void
+decrypt_auto(int on)
+{
+ if (on < 0)
+ autodecrypt ^= 1;
+ else
+ autodecrypt = on ? 1 : 0;
+}
+
+void
+encrypt_start_output(int type)
+{
+ Encryptions *ep;
+ unsigned char *p;
+ int i;
+
+ if (!(ep = findencryption(type))) {
+ if (encrypt_debug_mode) {
+ printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
+ Name,
+ ENCTYPE_NAME_OK(type)
+ ? ENCTYPE_NAME(type) : "(unknown)",
+ type);
+ }
+ return;
+ }
+ if (ep->start) {
+ i = (*ep->start)(DIR_ENCRYPT, Server);
+ if (encrypt_debug_mode) {
+ printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
+ Name,
+ (i < 0) ? "failed" :
+ "initial negotiation in progress",
+ i, ENCTYPE_NAME(type));
+ }
+ if (i)
+ return;
+ }
+ p = str_start + 3;
+ *p++ = ENCRYPT_START;
+ for (i = 0; i < ki[0].keylen; ++i) {
+ if ((*p++ = ki[0].keyid[i]) == IAC)
+ *p++ = IAC;
+ }
+ *p++ = IAC;
+ *p++ = SE;
+ net_write(str_start, p - str_start);
+ net_encrypt();
+ printsub('>', &str_start[2], p - &str_start[2]);
+ /*
+ * If we are already encrypting in some mode, then
+ * encrypt the ring (which includes our request) in
+ * the old mode, mark it all as "clear text" and then
+ * switch to the new mode.
+ */
+ encrypt_output = ep->output;
+ encrypt_mode = type;
+ if (encrypt_debug_mode)
+ printf(">>>%s: Started to encrypt output with type %s\r\n",
+ Name, ENCTYPE_NAME(type));
+ if (encrypt_verbose)
+ printf("[ Output is now encrypted with type %s ]\r\n",
+ ENCTYPE_NAME(type));
+}
+
+void
+encrypt_send_end(void)
+{
+ if (!encrypt_output)
+ return;
+
+ str_end[3] = ENCRYPT_END;
+ net_write(str_end, sizeof(str_end));
+ net_encrypt();
+ printsub('>', &str_end[2], sizeof(str_end) - 2);
+ /*
+ * Encrypt the output buffer now because it will not be done by
+ * netflush...
+ */
+ encrypt_output = 0;
+ if (encrypt_debug_mode)
+ printf(">>>%s: Output is back to clear text\r\n", Name);
+ if (encrypt_verbose)
+ printf("[ Output is now clear text ]\r\n");
+}
+
+void
+encrypt_send_request_start(void)
+{
+ unsigned char *p;
+ int i;
+
+ p = &str_start[3];
+ *p++ = ENCRYPT_REQSTART;
+ for (i = 0; i < ki[1].keylen; ++i) {
+ if ((*p++ = ki[1].keyid[i]) == IAC)
+ *p++ = IAC;
+ }
+ *p++ = IAC;
+ *p++ = SE;
+ net_write(str_start, p - str_start);
+ printsub('>', &str_start[2], p - &str_start[2]);
+ if (encrypt_debug_mode)
+ printf(">>>%s: Request input to be encrypted\r\n", Name);
+}
+
+void
+encrypt_send_request_end(void)
+{
+ str_end[3] = ENCRYPT_REQEND;
+ net_write(str_end, sizeof(str_end));
+ printsub('>', &str_end[2], sizeof(str_end) - 2);
+
+ if (encrypt_debug_mode)
+ printf(">>>%s: Request input to be clear text\r\n", Name);
+}
+
+
+void encrypt_wait(void)
+{
+ if (encrypt_debug_mode)
+ printf(">>>%s: in encrypt_wait\r\n", Name);
+ if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
+ return;
+ while (autoencrypt && !encrypt_output)
+ if (telnet_spin())
+ return;
+}
+
+int
+encrypt_delay(void)
+{
+ if(!havesessionkey ||
+ (I_SUPPORT_ENCRYPT & remote_supports_decrypt) == 0 ||
+ (I_SUPPORT_DECRYPT & remote_supports_encrypt) == 0)
+ return 0;
+ if(!(encrypt_output && decrypt_input))
+ return 1;
+ return 0;
+}
+
+void
+encrypt_debug(int mode)
+{
+ encrypt_debug_mode = mode;
+}
+
+void encrypt_gen_printsub(unsigned char *data, int cnt,
+ unsigned char *buf, int buflen)
+{
+ char tbuf[16], *cp;
+
+ cnt -= 2;
+ data += 2;
+ buf[buflen-1] = '\0';
+ buf[buflen-2] = '*';
+ buflen -= 2;;
+ for (; cnt > 0; cnt--, data++) {
+ snprintf(tbuf, sizeof(tbuf), " %d", *data);
+ for (cp = tbuf; *cp && buflen > 0; --buflen)
+ *buf++ = *cp++;
+ if (buflen <= 0)
+ return;
+ }
+ *buf = '\0';
+}
+
+void
+encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+ Encryptions *ep;
+ int type = data[1];
+
+ for (ep = encryptions; ep->type && ep->type != type; ep++)
+ ;
+
+ if (ep->printsub)
+ (*ep->printsub)(data, cnt, buf, buflen);
+ else
+ encrypt_gen_printsub(data, cnt, buf, buflen);
+}
+#endif
diff --git a/lib/libtelnet/encrypt.h b/lib/libtelnet/encrypt.h
index dd43350058f..7b26aabd0fe 100644
--- a/lib/libtelnet/encrypt.h
+++ b/lib/libtelnet/encrypt.h
@@ -31,11 +31,23 @@
* SUCH DAMAGE.
*
* from: @(#)encrypt.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: encrypt.h,v 1.2 1996/03/19 23:15:51 niklas Exp $
+ * $OpenBSD: encrypt.h,v 1.3 1998/03/12 04:48:49 art Exp $
* $NetBSD: encrypt.h,v 1.4 1996/02/24 01:15:20 jtk Exp $
*/
/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
*
* Export of this software from the United States of America is assumed
@@ -55,3 +67,42 @@
* or implied warranty.
*/
+#ifndef __ENCRYPT__
+#define __ENCRYPT__
+
+#define DIR_DECRYPT 1
+#define DIR_ENCRYPT 2
+
+#define VALIDKEY(key) ( key[0] | key[1] | key[2] | key[3] | \
+ key[4] | key[5] | key[6] | key[7])
+
+#define SAMEKEY(k1, k2) (!memcmp(k1, k2, sizeof(des_cblock)))
+
+typedef struct {
+ short type;
+ int length;
+ unsigned char *data;
+} Session_Key;
+
+typedef struct {
+ char *name;
+ int type;
+ void (*output) (unsigned char *, int);
+ int (*input) (int);
+ void (*init) (int);
+ int (*start) (int, int);
+ int (*is) (unsigned char *, int);
+ int (*reply) (unsigned char *, int);
+ void (*session) (Session_Key *, int);
+ int (*keyid) (int, unsigned char *, int *);
+ void (*printsub) (unsigned char *, int, unsigned char *, int);
+} Encryptions;
+
+#define SK_DES 1 /* Matched Kerberos v5 KEYTYPE_DES */
+
+#include "enc-proto.h"
+
+extern int encrypt_debug_mode;
+extern int (*decrypt_input) (int);
+extern void (*encrypt_output) (unsigned char *, int);
+#endif
diff --git a/lib/libtelnet/genget.c b/lib/libtelnet/genget.c
index 5fa634f72f3..e821b9dae15 100644
--- a/lib/libtelnet/genget.c
+++ b/lib/libtelnet/genget.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: genget.c,v 1.3 1997/07/14 01:33:42 millert Exp $ */
+/* $OpenBSD: genget.c,v 1.4 1998/03/12 04:48:50 art Exp $ */
/*-
* Copyright (c) 1991, 1993
@@ -36,18 +36,14 @@
#ifndef lint
/* from: static char sccsid[] = "@(#)genget.c 8.2 (Berkeley) 5/30/95"; */
/* from: static char *rcsid = "$NetBSD: genget.c,v 1.5 1996/02/24 01:15:21 jtk Exp $"; */
-static char *rcsid = "$OpenBSD: genget.c,v 1.3 1997/07/14 01:33:42 millert Exp $";
+static char *rcsid = "$OpenBSD: genget.c,v 1.4 1998/03/12 04:48:50 art Exp $";
#endif /* not lint */
#include <ctype.h>
#include "misc-proto.h"
-int isprefix __P((char *, char *));
-char **genget __P((char *, char **, int));
-int Ambiguous __P((char *));
-
-#define LOWER(x) (isupper(x) ? tolower(x) : (x))
+#define LOWER(x) (isupper((int)x) ? tolower((int)x) : (x))
/*
* The prefix function returns 0 if *s1 is not a prefix
* of *s2. If *s1 exactly matches *s2, the negative of
@@ -107,7 +103,7 @@ genget(name, table, stlen)
*/
int
Ambiguous(s)
- char *s;
+ void *s;
{
return((char **)s == &ambiguous);
}
diff --git a/lib/libtelnet/kerberos.c b/lib/libtelnet/kerberos.c
new file mode 100644
index 00000000000..32464f05ac1
--- /dev/null
+++ b/lib/libtelnet/kerberos.c
@@ -0,0 +1,674 @@
+/* $OpenBSD: kerberos.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
+/* $Id: kerberos.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
+
+/*-
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America is assumed
+ * to require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+#ifdef KRB4
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <string.h>
+#include <netinet/in.h>
+#include <resolv.h>
+#include <arpa/telnet.h>
+#include <des.h>
+#include <kerberosIV/krb.h>
+#include <pwd.h>
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+int kerberos4_cksum (unsigned char *, int);
+extern int auth_debug_mode;
+
+static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+ AUTHTYPE_KERBEROS_V4, };
+
+#define KRB_AUTH 0 /* Authentication data follows */
+#define KRB_REJECT 1 /* Rejected (reason might follow) */
+#define KRB_ACCEPT 2 /* Accepted */
+#define KRB_CHALLENGE 3 /* Challenge for mutual auth. */
+#define KRB_RESPONSE 4 /* Response for mutual auth. */
+
+#define KRB_FORWARD 5 /* */
+#define KRB_FORWARD_ACCEPT 6 /* */
+#define KRB_FORWARD_REJECT 7 /* */
+
+#define KRB_SERVICE_NAME "rcmd"
+
+static KTEXT_ST auth;
+static char name[ANAME_SZ];
+static AUTH_DAT adat;
+static des_cblock session_key;
+static des_key_schedule sched;
+static des_cblock challenge;
+static int auth_done; /* XXX */
+
+static int pack_cred(CREDENTIALS *cred, unsigned char *buf);
+static int unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred);
+
+
+static int
+Data(Authenticator *ap, int type, const void *d, int c)
+{
+ unsigned char *p = str_data + 4;
+ const unsigned char *cd = (const unsigned char *)d;
+
+ if (c == -1)
+ c = strlen((const char *)cd);
+
+ if (auth_debug_mode) {
+ printf("%s:%d: [%d] (%d)",
+ str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+ str_data[3],
+ type, c);
+ printd(d, c);
+ printf("\r\n");
+ }
+ *p++ = ap->type;
+ *p++ = ap->way;
+ *p++ = type;
+ while (c-- > 0) {
+ if ((*p++ = *cd++) == IAC)
+ *p++ = IAC;
+ }
+ *p++ = IAC;
+ *p++ = SE;
+ if (str_data[3] == TELQUAL_IS)
+ printsub('>', &str_data[2], p - (&str_data[2]));
+ return(net_write(str_data, p - str_data));
+}
+
+int
+kerberos4_init(Authenticator *ap, int server)
+{
+ FILE *fp;
+
+ if (server) {
+ str_data[3] = TELQUAL_REPLY;
+ if ((fp = fopen(KEYFILE, "r")) == NULL)
+ return(0);
+ fclose(fp);
+ } else {
+ str_data[3] = TELQUAL_IS;
+ }
+ return(1);
+}
+
+char dst_realm_buf[REALM_SZ], *dest_realm = NULL;
+int dst_realm_sz = REALM_SZ;
+
+static int
+kerberos4_send(char *name, Authenticator *ap)
+{
+ KTEXT_ST auth;
+ char instance[INST_SZ];
+ char *realm;
+ CREDENTIALS cred;
+ int r;
+
+ printf("[ Trying %s ... ]\r\n", name);
+ if (!UserNameRequested) {
+ if (auth_debug_mode) {
+ printf("Kerberos V4: no user name supplied\r\n");
+ }
+ return(0);
+ }
+
+ memset(instance, 0, sizeof(instance));
+
+ if ((realm = krb_get_phost(RemoteHostName)))
+ strncpy(instance, realm, sizeof(instance));
+
+ instance[sizeof(instance)-1] = '\0';
+
+ realm = dest_realm ? dest_realm : krb_realmofhost(RemoteHostName);
+
+ if (!realm) {
+ printf("Kerberos V4: no realm for %s\r\n", RemoteHostName);
+ return(0);
+ }
+ r = krb_mk_req(&auth, KRB_SERVICE_NAME, instance, realm, 0L);
+ if (r) {
+ printf("mk_req failed: %s\r\n", krb_get_err_text(r));
+ return(0);
+ }
+ r = krb_get_cred(KRB_SERVICE_NAME, instance, realm, &cred);
+ if (r) {
+ printf("get_cred failed: %s\r\n", krb_get_err_text(r));
+ return(0);
+ }
+ if (!auth_sendname(UserNameRequested, strlen(UserNameRequested))) {
+ if (auth_debug_mode)
+ printf("Not enough room for user name\r\n");
+ return(0);
+ }
+ if (auth_debug_mode)
+ printf("Sent %d bytes of authentication data\r\n", auth.length);
+ if (!Data(ap, KRB_AUTH, (void *)auth.dat, auth.length)) {
+ if (auth_debug_mode)
+ printf("Not enough room for authentication data\r\n");
+ return(0);
+ }
+#ifdef ENCRYPTION
+ /* create challenge */
+ if ((ap->way & AUTH_HOW_MASK)==AUTH_HOW_MUTUAL) {
+ int i;
+
+ des_key_sched(&cred.session, sched);
+ des_init_random_number_generator(&cred.session);
+ des_new_random_key(&session_key);
+ des_ecb_encrypt(&session_key, &session_key, sched, 0);
+ des_ecb_encrypt(&session_key, &challenge, sched, 0);
+
+ /*
+ old code
+ Some CERT Advisory thinks this is a bad thing...
+
+ des_init_random_number_generator(&cred.session);
+ des_new_random_key(&challenge);
+ des_ecb_encrypt(&challenge, &session_key, sched, 1);
+ */
+
+ /*
+ * Increment the challenge by 1, and encrypt it for
+ * later comparison.
+ */
+ for (i = 7; i >= 0; --i)
+ if(++challenge[i] != 0) /* No carry! */
+ break;
+ des_ecb_encrypt(&challenge, &challenge, sched, 1);
+ }
+
+#endif
+
+ if (auth_debug_mode) {
+ printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+ printd(auth.dat, auth.length);
+ printf("\r\n");
+ printf("Sent Kerberos V4 credentials to server\r\n");
+ }
+ return(1);
+}
+int
+kerberos4_send_mutual(Authenticator *ap)
+{
+ return kerberos4_send("mutual KERBEROS4", ap);
+}
+
+int
+kerberos4_send_oneway(Authenticator *ap)
+{
+ return kerberos4_send("KERBEROS4", ap);
+}
+
+void
+kerberos4_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+ struct sockaddr_in addr;
+ char realm[REALM_SZ];
+ char instance[INST_SZ];
+ int r;
+ int addr_len;
+
+ if (cnt-- < 1)
+ return;
+ switch (*data++) {
+ case KRB_AUTH:
+ if (krb_get_lrealm(realm, 1) != KSUCCESS) {
+ Data(ap, KRB_REJECT, (void *)"No local V4 Realm.", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("No local realm\r\n");
+ return;
+ }
+ memmove(auth.dat, data, auth.length = cnt);
+ if (auth_debug_mode) {
+ printf("Got %d bytes of authentication data\r\n", cnt);
+ printf("CK: %d:", kerberos4_cksum(auth.dat, auth.length));
+ printd(auth.dat, auth.length);
+ printf("\r\n");
+ }
+ k_getsockinst(0, instance, sizeof(instance));
+ addr_len = sizeof(addr);
+ if(getpeername(0, (struct sockaddr *)&addr, &addr_len) < 0) {
+ if(auth_debug_mode)
+ printf("getpeername failed\r\n");
+ Data(ap, KRB_REJECT, "getpeername failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ return;
+ }
+ r = krb_rd_req(&auth, KRB_SERVICE_NAME,
+ instance, addr.sin_addr.s_addr, &adat, "");
+ if (r) {
+ if (auth_debug_mode)
+ printf("Kerberos failed him as %s\r\n", name);
+ Data(ap, KRB_REJECT, (void *)krb_get_err_text(r), -1);
+ auth_finished(ap, AUTH_REJECT);
+ return;
+ }
+ /* save the session key */
+ memmove(session_key, adat.session, sizeof(adat.session));
+ krb_kntoln(&adat, name);
+
+ if (UserNameRequested && !kuserok(&adat, UserNameRequested)){
+ char ts[MAXPATHLEN];
+ struct passwd *pw = getpwnam(UserNameRequested);
+
+ if(pw){
+ snprintf(ts, sizeof(ts),
+ "%s%u",
+ TKT_ROOT,
+ (unsigned)pw->pw_uid);
+ setenv("KRBTKFILE", ts, 1);
+ }
+ Data(ap, KRB_ACCEPT, NULL, 0);
+ } else {
+ char *msg;
+
+ asprintf (&msg, "user `%s' is not authorized to "
+ "login as `%s'",
+ krb_unparse_name_long(adat.pname,
+ adat.pinst,
+ adat.prealm),
+ UserNameRequested ? UserNameRequested : "<nobody>");
+ if (msg == NULL)
+ Data(ap, KRB_REJECT, NULL, 0);
+ else {
+ Data(ap, KRB_REJECT, (void *)msg, -1);
+ free(msg);
+ }
+ }
+ auth_finished(ap, AUTH_USER);
+ break;
+
+ case KRB_CHALLENGE:
+#ifndef ENCRYPTION
+ Data(ap, KRB_RESPONSE, NULL, 0);
+#else
+ if(!VALIDKEY(session_key)){
+ Data(ap, KRB_RESPONSE, NULL, 0);
+ break;
+ }
+ des_key_sched(&session_key, sched);
+ {
+ des_cblock d_block;
+ int i;
+ Session_Key skey;
+
+ memmove(d_block, data, sizeof(d_block));
+
+ /* make a session key for encryption */
+ des_ecb_encrypt(&d_block, &session_key, sched, 1);
+ skey.type=SK_DES;
+ skey.length=8;
+ skey.data=session_key;
+ encrypt_session_key(&skey, 1);
+
+ /* decrypt challenge, add one and encrypt it */
+ des_ecb_encrypt(&d_block, &challenge, sched, 0);
+ for (i = 7; i >= 0; i--)
+ if(++challenge[i] != 0)
+ break;
+ des_ecb_encrypt(&challenge, &challenge, sched, 1);
+ Data(ap, KRB_RESPONSE, (void *)challenge, sizeof(challenge));
+ }
+#endif
+ break;
+
+ case KRB_FORWARD:
+ {
+ des_key_schedule ks;
+ unsigned char netcred[sizeof(CREDENTIALS)];
+ CREDENTIALS cred;
+ int ret;
+ if(cnt > sizeof(cred))
+ abort();
+
+ des_set_key(&session_key, ks);
+ des_pcbc_encrypt((void*)data, (void*)netcred, cnt,
+ ks, &session_key, DES_DECRYPT);
+ unpack_cred(netcred, cnt, &cred);
+ {
+ if(strcmp(cred.service, KRB_TICKET_GRANTING_TICKET) ||
+ strncmp(cred.instance, cred.realm, sizeof(cred.instance)) ||
+ cred.lifetime < 0 || cred.lifetime > 255 ||
+ cred.kvno < 0 || cred.kvno > 255 ||
+ cred.issue_date < 0 ||
+ cred.issue_date > time(0) + CLOCK_SKEW ||
+ strncmp(cred.pname, adat.pname, sizeof(cred.pname)) ||
+ strncmp(cred.pinst, adat.pinst, sizeof(cred.pname))){
+ Data(ap, KRB_FORWARD_REJECT, "Bad credentials", -1);
+ }else{
+ if((ret = tf_setup(&cred,
+ cred.pname,
+ cred.pinst)) == KSUCCESS){
+ struct passwd *pw = getpwnam(UserNameRequested);
+
+ if (pw)
+ chown(tkt_string(), pw->pw_uid, pw->pw_gid);
+ Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+ } else{
+ Data(ap, KRB_FORWARD_REJECT,
+ krb_get_err_text(ret), -1);
+ }
+ }
+ }
+ memset(data, 0, cnt);
+ memset(ks, 0, sizeof(ks));
+ memset(&cred, 0, sizeof(cred));
+ }
+
+ break;
+
+ default:
+ if (auth_debug_mode)
+ printf("Unknown Kerberos option %d\r\n", data[-1]);
+ Data(ap, KRB_REJECT, 0, 0);
+ break;
+ }
+}
+
+void
+kerberos4_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+ Session_Key skey;
+
+ if (cnt-- < 1)
+ return;
+ switch (*data++) {
+ case KRB_REJECT:
+ if(auth_done){ /* XXX Ick! */
+ printf("[ Kerberos V4 received unknown opcode ]\r\n");
+ }else{
+ printf("[ Kerberos V4 refuses authentication ");
+ if (cnt > 0)
+ printf("because %.*s ", cnt, data);
+ printf("]\r\n");
+ auth_send_retry();
+ }
+ return;
+ case KRB_ACCEPT:
+ printf("[ Kerberos V4 accepts you ]\r\n");
+ auth_done = 1;
+ if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+ /*
+ * Send over the encrypted challenge.
+ */
+ Data(ap, KRB_CHALLENGE, session_key,
+ sizeof(session_key));
+ des_ecb_encrypt(&session_key, &session_key, sched, 1);
+ skey.type = SK_DES;
+ skey.length = 8;
+ skey.data = session_key;
+ encrypt_session_key(&skey, 0);
+#if 0
+ kerberos4_forward(ap);
+#endif
+ return;
+ }
+ auth_finished(ap, AUTH_USER);
+ return;
+ case KRB_RESPONSE:
+ /* make sure the response is correct */
+ if ((cnt != sizeof(des_cblock)) ||
+ (memcmp(data, challenge, sizeof(challenge)))){
+ printf("[ Kerberos V4 challenge failed!!! ]\r\n");
+ auth_send_retry();
+ return;
+ }
+ printf("[ Kerberos V4 challenge successful ]\r\n");
+ auth_finished(ap, AUTH_USER);
+ break;
+ case KRB_FORWARD_ACCEPT:
+ printf("[ Kerberos V4 accepted forwarded credentials ]\r\n");
+ break;
+ case KRB_FORWARD_REJECT:
+ printf("[ Kerberos V4 rejected forwarded credentials: `%.*s']\r\n",
+ cnt, data);
+ break;
+ default:
+ if (auth_debug_mode)
+ printf("Unknown Kerberos option %d\r\n", data[-1]);
+ return;
+ }
+}
+
+int
+kerberos4_status(Authenticator *ap, char *name, int level)
+{
+ if (level < AUTH_USER)
+ return(level);
+
+ if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
+ strncpy(name, UserNameRequested, ANAME_SZ - 1);
+ name[ANAME_SZ - 1] = '\0';
+ return(AUTH_VALID);
+ } else
+ return(AUTH_USER);
+}
+
+#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
+#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos4_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+ char lbuf[32];
+ int i;
+
+ buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buflen -= 1;
+
+ switch(data[3]) {
+ case KRB_REJECT: /* Rejected (reason might follow) */
+ strncpy((char *)buf, " REJECT ", buflen);
+ goto common;
+
+ case KRB_ACCEPT: /* Accepted (name might follow) */
+ strncpy((char *)buf, " ACCEPT ", buflen);
+ common:
+ BUMP(buf, buflen);
+ if (cnt <= 4)
+ break;
+ ADDC(buf, buflen, '"');
+ for (i = 4; i < cnt; i++)
+ ADDC(buf, buflen, data[i]);
+ ADDC(buf, buflen, '"');
+ ADDC(buf, buflen, '\0');
+ break;
+
+ case KRB_AUTH: /* Authentication data follows */
+ strncpy((char *)buf, " AUTH", buflen);
+ goto common2;
+
+ case KRB_CHALLENGE:
+ strncpy((char *)buf, " CHALLENGE", buflen);
+ goto common2;
+
+ case KRB_RESPONSE:
+ strncpy((char *)buf, " RESPONSE", buflen);
+ goto common2;
+
+ default:
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
+ strncpy((char *)buf, lbuf, buflen);
+ common2:
+ BUMP(buf, buflen);
+ for (i = 4; i < cnt; i++) {
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+ strncpy((char *)buf, lbuf, buflen);
+ BUMP(buf, buflen);
+ }
+ break;
+ }
+}
+
+int
+kerberos4_cksum(unsigned char *d, int n)
+{
+ int ck = 0;
+
+ /*
+ * A comment is probably needed here for those not
+ * well versed in the "C" language. Yes, this is
+ * supposed to be a "switch" with the body of the
+ * "switch" being a "while" statement. The whole
+ * purpose of the switch is to allow us to jump into
+ * the middle of the while() loop, and then not have
+ * to do any more switch()s.
+ *
+ * Some compilers will spit out a warning message
+ * about the loop not being entered at the top.
+ */
+ switch (n&03)
+ while (n > 0) {
+ case 0:
+ ck ^= (int)*d++ << 24;
+ --n;
+ case 3:
+ ck ^= (int)*d++ << 16;
+ --n;
+ case 2:
+ ck ^= (int)*d++ << 8;
+ --n;
+ case 1:
+ ck ^= (int)*d++;
+ --n;
+ }
+ return(ck);
+}
+
+static int
+pack_cred(CREDENTIALS *cred, unsigned char *buf)
+{
+ unsigned char *p = buf;
+
+ p += krb_put_nir(cred->service, cred->instance, cred->realm, p);
+ memcpy(p, cred->session, 8);
+ p += 8;
+ *p++ = cred->lifetime;
+ *p++ = cred->kvno;
+ p += krb_put_int(cred->ticket_st.length, p, 4);
+ memcpy(p, cred->ticket_st.dat, cred->ticket_st.length);
+ p += cred->ticket_st.length;
+ p += krb_put_int(cred->issue_date, p, 4);
+ p += krb_put_nir(cred->pname, cred->pinst, NULL, p);
+ return p - buf;
+}
+
+static int
+unpack_cred(unsigned char *buf, int len, CREDENTIALS *cred)
+{
+ unsigned char *p = buf;
+
+ p += krb_get_nir(p, cred->service, cred->instance, cred->realm);
+ memcpy(cred->session, p, 8);
+ p += 8;
+ cred->lifetime = *p++;
+ cred->kvno = *p++;
+ p += krb_get_int(p, &cred->ticket_st.length, 4, 0);
+ memcpy(cred->ticket_st.dat, p, cred->ticket_st.length);
+ cred->ticket_st.mbz = 0;
+ p += krb_get_int(p, (u_int32_t *)&cred->issue_date, 4, 0);
+ p += krb_get_nir(p, cred->pname, cred->pinst, NULL);
+ return 0;
+}
+
+
+int
+kerberos4_forward(Authenticator *ap)
+{
+ CREDENTIALS cred;
+ char *realm;
+ des_key_schedule ks;
+ int len;
+ unsigned char netcred[sizeof(CREDENTIALS)];
+ int ret;
+
+ realm = krb_realmofhost(RemoteHostName);
+ if(realm == NULL)
+ return -1;
+ memset(&cred, 0, sizeof(cred));
+ ret = krb_get_cred(KRB_TICKET_GRANTING_TICKET,
+ realm,
+ realm,
+ &cred);
+ if(ret)
+ return ret;
+ des_set_key(&session_key, ks);
+ len = pack_cred(&cred, netcred);
+ des_pcbc_encrypt((void*)netcred, (void*)netcred, len,
+ ks, &session_key, DES_ENCRYPT);
+ memset(ks, 0, sizeof(ks));
+ Data(ap, KRB_FORWARD, netcred, len);
+ memset(netcred, 0, sizeof(netcred));
+ return 0;
+}
+
+#endif /* KRB4 */
diff --git a/lib/libtelnet/kerberos5.c b/lib/libtelnet/kerberos5.c
new file mode 100644
index 00000000000..229798391f5
--- /dev/null
+++ b/lib/libtelnet/kerberos5.c
@@ -0,0 +1,775 @@
+/* $OpenBSD: kerberos5.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
+/* $Id: kerberos5.c,v 1.1 1998/03/12 04:48:52 art Exp $ */
+
+/*-
+ * Copyright (c) 1991, 1993
+ * The Regents of the University of California. All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
+ * Copyright (C) 1990 by the Massachusetts Institute of Technology
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+#ifdef KRB5
+
+#include <arpa/telnet.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <netdb.h>
+#include <ctype.h>
+#include <pwd.h>
+#define Authenticator k5_Authenticator
+#include <krb5.h>
+#undef Authenticator
+
+#include "encrypt.h"
+#include "auth.h"
+#include "misc.h"
+
+extern int auth_debug_mode;
+
+/* where should this really reside? */
+
+#ifdef KRB5
+#define FORWARD
+#endif
+
+#ifdef FORWARD
+int forward_flags = 0; /* Flags get set in telnet/main.c on -f and -F */
+
+/* These values need to be the same as those defined in telnet/main.c. */
+/* Either define them in both places, or put in some common header file. */
+#define OPTS_FORWARD_CREDS 0x00000002
+#define OPTS_FORWARDABLE_CREDS 0x00000001
+
+void kerberos5_forward (Authenticator *);
+
+#endif /* FORWARD */
+
+static unsigned char str_data[1024] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+ AUTHTYPE_KERBEROS_V5, };
+
+#define KRB_AUTH 0 /* Authentication data follows */
+#define KRB_REJECT 1 /* Rejected (reason might follow) */
+#define KRB_ACCEPT 2 /* Accepted */
+#define KRB_RESPONSE 3 /* Response for mutual auth. */
+
+#ifdef FORWARD
+#define KRB_FORWARD 4 /* Forwarded credentials follow */
+#define KRB_FORWARD_ACCEPT 5 /* Forwarded credentials accepted */
+#define KRB_FORWARD_REJECT 6 /* Forwarded credentials rejected */
+#endif /* FORWARD */
+
+static krb5_data auth;
+static krb5_ticket *ticket;
+
+static krb5_context context;
+static krb5_auth_context auth_context;
+
+static int
+Data(Authenticator *ap, int type, void *d, int c)
+{
+ unsigned char *p = str_data + 4;
+ unsigned char *cd = (unsigned char *)d;
+
+ if (c == -1)
+ c = strlen(cd);
+
+ if (auth_debug_mode) {
+ printf("%s:%d: [%d] (%d)",
+ str_data[3] == TELQUAL_IS ? ">>>IS" : ">>>REPLY",
+ str_data[3],
+ type, c);
+ printd(d, c);
+ printf("\r\n");
+ }
+ *p++ = ap->type;
+ *p++ = ap->way;
+ *p++ = type;
+ while (c-- > 0) {
+ if ((*p++ = *cd++) == IAC)
+ *p++ = IAC;
+ }
+ *p++ = IAC;
+ *p++ = SE;
+ if (str_data[3] == TELQUAL_IS)
+ printsub('>', &str_data[2], p - &str_data[2]);
+ return(net_write(str_data, p - str_data));
+}
+
+int
+kerberos5_init(Authenticator *ap, int server)
+{
+ if (server)
+ str_data[3] = TELQUAL_REPLY;
+ else
+ str_data[3] = TELQUAL_IS;
+ krb5_init_context(&context);
+ return(1);
+}
+
+static int
+kerberos5_send(char *name, Authenticator *ap)
+{
+ krb5_error_code ret;
+ krb5_ccache ccache;
+ int ap_opts;
+ krb5_data cksum_data;
+ char foo[2];
+
+ printf("[ Trying %s ... ]\r\n", name);
+ if (!UserNameRequested) {
+ if (auth_debug_mode) {
+ printf("Kerberos V5: no user name supplied\r\n");
+ }
+ return(0);
+ }
+
+ ret = krb5_cc_default(context, &ccache);
+ if (ret) {
+ if (auth_debug_mode) {
+ printf("Kerberos V5: could not get default ccache: %s\r\n",
+ krb5_get_err_text (context, ret));
+ }
+ return 0;
+ }
+
+ if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+ ap_opts = AP_OPTS_MUTUAL_REQUIRED;
+ else
+ ap_opts = 0;
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret) {
+ if (auth_debug_mode) {
+ printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ }
+ return(0);
+ }
+
+ krb5_auth_setenctype (context, auth_context, ETYPE_DES_CBC_MD5);
+
+ foo[0] = ap->type;
+ foo[1] = ap->way;
+
+ cksum_data.length = sizeof(foo);
+ cksum_data.data = foo;
+ ret = krb5_mk_req(context, &auth_context, ap_opts,
+ "host", RemoteHostName,
+ &cksum_data, ccache, &auth);
+
+ if (ret) {
+ if (auth_debug_mode) {
+ printf("Kerberos V5: mk_req failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ }
+ return(0);
+ }
+
+ if (!auth_sendname((unsigned char *)UserNameRequested,
+ strlen(UserNameRequested))) {
+ if (auth_debug_mode)
+ printf("Not enough room for user name\r\n");
+ return(0);
+ }
+ if (!Data(ap, KRB_AUTH, auth.data, auth.length)) {
+ if (auth_debug_mode)
+ printf("Not enough room for authentication data\r\n");
+ return(0);
+ }
+ if (auth_debug_mode) {
+ printf("Sent Kerberos V5 credentials to server\r\n");
+ }
+ return(1);
+}
+
+int
+kerberos5_send_mutual(Authenticator *ap)
+{
+ return kerberos5_send("mutual KERBEROS5", ap);
+}
+
+int
+kerberos5_send_oneway(Authenticator *ap)
+{
+ return kerberos5_send("KERBEROS5", ap);
+}
+
+void
+kerberos5_is(Authenticator *ap, unsigned char *data, int cnt)
+{
+ krb5_error_code ret;
+ krb5_data outbuf;
+ krb5_keyblock *key_block;
+ char *name;
+ krb5_principal server;
+ krb5_authenticator authenticator;
+ int zero = 0;
+
+ if (cnt-- < 1)
+ return;
+ switch (*data++) {
+ case KRB_AUTH:
+ auth.data = (char *)data;
+ auth.length = cnt;
+
+ auth_context = NULL;
+
+ ret = krb5_auth_con_init (context, &auth_context);
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_auth_con_init failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: krb5_auth_con_init failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ ret = krb5_auth_con_setaddrs_from_fd (context,
+ auth_context,
+ &zero);
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_auth_con_setaddrs_from_fd failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_auth_con_setaddrs_from_fd failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ ret = krb5_sock_to_principal (context,
+ 0,
+ "host",
+ KRB5_NT_SRV_HST,
+ &server);
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_sock_to_principal failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_sock_to_principal failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ ret = krb5_rd_req(context,
+ &auth_context,
+ &auth,
+ server,
+ NULL,
+ NULL,
+ &ticket);
+ krb5_free_principal (context, server);
+
+ if (ret) {
+ char *errbuf;
+
+ asprintf(&errbuf,
+ "Read req failed: %s",
+ krb5_get_err_text(context, ret));
+ Data(ap, KRB_REJECT, errbuf, -1);
+ if (auth_debug_mode)
+ printf("%s\r\n", errbuf);
+ free (errbuf);
+ return;
+ }
+
+ ret = krb5_auth_con_getkey(context, auth_context, &key_block);
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_auth_con_getkey failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_auth_con_getkey failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ ret = krb5_auth_getauthenticator (context,
+ auth_context,
+ &authenticator);
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_auth_getauthenticator failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_auth_getauthenticator failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ if (authenticator->cksum) {
+ char foo[2];
+
+ foo[0] = ap->type;
+ foo[1] = ap->way;
+
+ ret = krb5_verify_checksum (context,
+ foo,
+ sizeof(foo),
+ key_block,
+ authenticator->cksum);
+ if (ret) {
+ Data(ap, KRB_REJECT, "No checksum", -1);
+ if (auth_debug_mode)
+ printf ("No checksum\r\n");
+ krb5_free_authenticator (context,
+ &authenticator);
+
+ return;
+ }
+ }
+ krb5_free_authenticator (context,
+ &authenticator);
+
+ ret = krb5_auth_con_getremotesubkey (context,
+ auth_context,
+ &key_block);
+
+ if (ret) {
+ Data(ap, KRB_REJECT, "krb5_auth_con_getremotesubkey failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_auth_con_getremotesubkey failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+
+ if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+ ret = krb5_mk_rep(context, &auth_context, &outbuf);
+ if (ret) {
+ Data(ap, KRB_REJECT,
+ "krb5_mk_rep failed", -1);
+ auth_finished(ap, AUTH_REJECT);
+ if (auth_debug_mode)
+ printf("Kerberos V5: "
+ "krb5_mk_rep failed (%s)\r\n",
+ krb5_get_err_text(context, ret));
+ return;
+ }
+ Data(ap, KRB_RESPONSE, outbuf.data, outbuf.length);
+ }
+ if (krb5_unparse_name(context, ticket->client, &name))
+ name = 0;
+
+ if(UserNameRequested && krb5_kuserok(context,
+ ticket->client,
+ UserNameRequested)) {
+ Data(ap, KRB_ACCEPT, name, name ? -1 : 0);
+ if (auth_debug_mode) {
+ printf("Kerberos5 identifies him as ``%s''\r\n",
+ name ? name : "");
+ }
+
+ if(key_block->keytype == KEYTYPE_DES) {
+ Session_Key skey;
+
+ skey.type = SK_DES;
+ skey.length = 8;
+ skey.data = key_block->keyvalue.data;
+ encrypt_session_key(&skey, 0);
+ }
+
+ } else {
+ char *msg;
+
+ asprintf (&msg, "user `%s' is not authorized to "
+ "login as `%s'",
+ name ? name : "<unknown>",
+ UserNameRequested ? UserNameRequested : "<nobody>");
+ if (msg == NULL)
+ Data(ap, KRB_REJECT, NULL, 0);
+ else {
+ Data(ap, KRB_REJECT, (void *)msg, -1);
+ free(msg);
+ }
+ }
+ auth_finished(ap, AUTH_USER);
+
+ krb5_free_keyblock_contents(context, key_block);
+
+ break;
+#ifdef FORWARD
+ case KRB_FORWARD: {
+ struct passwd *pwd;
+ char ccname[1024]; /* XXX */
+ krb5_data inbuf;
+ krb5_ccache ccache;
+ inbuf.data = (char *)data;
+ inbuf.length = cnt;
+
+ pwd = getpwnam (UserNameRequested);
+ if (pwd == NULL)
+ break;
+
+ snprintf (ccname, sizeof(ccname),
+ "FILE:/tmp/krb5cc_%u", pwd->pw_uid);
+
+ ret = krb5_cc_resolve (context, ccname, &ccache);
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("Kerberos V5: could not get ccache: %s\r\n",
+ krb5_get_err_text(context, ret));
+ break;
+ }
+
+ ret = krb5_cc_initialize (context,
+ ccache,
+ ticket->client);
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("Kerberos V5: could not init ccache: %s\r\n",
+ krb5_get_err_text(context, ret));
+ break;
+ }
+
+ ret = krb5_rd_cred (context,
+ auth_context,
+ ccache,
+ &inbuf);
+ if(ret) {
+ char *errbuf;
+
+ asprintf (&errbuf,
+ "Read forwarded creds failed: %s",
+ krb5_get_err_text (context, ret));
+ if(errbuf == NULL)
+ Data(ap, KRB_FORWARD_REJECT, NULL, 0);
+ else
+ Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
+ if (auth_debug_mode)
+ printf("Could not read forwarded credentials: %s\r\n",
+ errbuf);
+ free (errbuf);
+ } else
+ Data(ap, KRB_FORWARD_ACCEPT, 0, 0);
+ chown (ccname + 5, pwd->pw_uid, -1);
+ if (auth_debug_mode)
+ printf("Forwarded credentials obtained\r\n");
+ break;
+ }
+#endif /* FORWARD */
+ default:
+ if (auth_debug_mode)
+ printf("Unknown Kerberos option %d\r\n", data[-1]);
+ Data(ap, KRB_REJECT, 0, 0);
+ break;
+ }
+}
+
+void
+kerberos5_reply(Authenticator *ap, unsigned char *data, int cnt)
+{
+ static int mutual_complete = 0;
+
+ if (cnt-- < 1)
+ return;
+ switch (*data++) {
+ case KRB_REJECT:
+ if (cnt > 0) {
+ printf("[ Kerberos V5 refuses authentication because %.*s ]\r\n",
+ cnt, data);
+ } else
+ printf("[ Kerberos V5 refuses authentication ]\r\n");
+ auth_send_retry();
+ return;
+ case KRB_ACCEPT: {
+ krb5_error_code ret;
+ Session_Key skey;
+ krb5_keyblock *keyblock;
+
+ if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL &&
+ !mutual_complete) {
+ printf("[ Kerberos V5 accepted you, but didn't provide mutual authentication! ]\r\n");
+ auth_send_retry();
+ return;
+ }
+ if (cnt)
+ printf("[ Kerberos V5 accepts you as ``%.*s'' ]\r\n", cnt, data);
+ else
+ printf("[ Kerberos V5 accepts you ]\r\n");
+
+ ret = krb5_auth_con_getlocalsubkey (context,
+ auth_context,
+ &keyblock);
+ if (ret)
+ ret = krb5_auth_con_getkey (context,
+ auth_context,
+ &keyblock);
+ if(ret) {
+ printf("[ krb5_auth_con_getkey: %s ]\r\n",
+ krb5_get_err_text(context, ret));
+ auth_send_retry();
+ return;
+ }
+
+ skey.type = SK_DES;
+ skey.length = 8;
+ skey.data = keyblock->keyvalue.data;
+ encrypt_session_key(&skey, 0);
+ krb5_free_keyblock_contents (context, keyblock);
+ auth_finished(ap, AUTH_USER);
+#ifdef FORWARD
+ if (forward_flags & OPTS_FORWARD_CREDS)
+ kerberos5_forward(ap);
+#endif /* FORWARD */
+ break;
+ }
+ case KRB_RESPONSE:
+ if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) {
+ /* the rest of the reply should contain a krb_ap_rep */
+ krb5_ap_rep_enc_part *reply;
+ krb5_data inbuf;
+ krb5_error_code ret;
+
+ inbuf.length = cnt;
+ inbuf.data = (char *)data;
+
+ ret = krb5_rd_rep(context, auth_context, &inbuf, &reply);
+ if (ret) {
+ printf("[ Mutual authentication failed: %s ]\r\n",
+ krb5_get_err_text (context, ret));
+ auth_send_retry();
+ return;
+ }
+ krb5_free_ap_rep_enc_part(context, reply);
+ mutual_complete = 1;
+ }
+ return;
+#ifdef FORWARD
+ case KRB_FORWARD_ACCEPT:
+ printf("[ Kerberos V5 accepted forwarded credentials ]\r\n");
+ return;
+ case KRB_FORWARD_REJECT:
+ printf("[ Kerberos V5 refuses forwarded credentials because %.*s ]\r\n",
+ cnt, data);
+ return;
+#endif /* FORWARD */
+ default:
+ if (auth_debug_mode)
+ printf("Unknown Kerberos option %d\r\n", data[-1]);
+ return;
+ }
+}
+
+int
+kerberos5_status(Authenticator *ap, char *name, int level)
+{
+ if (level < AUTH_USER)
+ return(level);
+
+ if (UserNameRequested &&
+ krb5_kuserok(context,
+ ticket->client,
+ UserNameRequested))
+ {
+ strcpy(name, UserNameRequested);
+ return(AUTH_VALID);
+ } else
+ return(AUTH_USER);
+}
+
+#define BUMP(buf, len) while (*(buf)) {++(buf), --(len);}
+#define ADDC(buf, len, c) if ((len) > 0) {*(buf)++ = (c); --(len);}
+
+void
+kerberos5_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
+{
+ char lbuf[32];
+ int i;
+
+ buf[buflen-1] = '\0'; /* make sure its NULL terminated */
+ buflen -= 1;
+
+ switch(data[3]) {
+ case KRB_REJECT: /* Rejected (reason might follow) */
+ strncpy((char *)buf, " REJECT ", buflen);
+ goto common;
+
+ case KRB_ACCEPT: /* Accepted (name might follow) */
+ strncpy((char *)buf, " ACCEPT ", buflen);
+ common:
+ BUMP(buf, buflen);
+ if (cnt <= 4)
+ break;
+ ADDC(buf, buflen, '"');
+ for (i = 4; i < cnt; i++)
+ ADDC(buf, buflen, data[i]);
+ ADDC(buf, buflen, '"');
+ ADDC(buf, buflen, '\0');
+ break;
+
+
+ case KRB_AUTH: /* Authentication data follows */
+ strncpy((char *)buf, " AUTH", buflen);
+ goto common2;
+
+ case KRB_RESPONSE:
+ strncpy((char *)buf, " RESPONSE", buflen);
+ goto common2;
+
+#ifdef FORWARD
+ case KRB_FORWARD: /* Forwarded credentials follow */
+ strncpy((char *)buf, " FORWARD", buflen);
+ goto common2;
+
+ case KRB_FORWARD_ACCEPT: /* Forwarded credentials accepted */
+ strncpy((char *)buf, " FORWARD_ACCEPT", buflen);
+ goto common2;
+
+ case KRB_FORWARD_REJECT: /* Forwarded credentials rejected */
+ /* (reason might follow) */
+ strncpy((char *)buf, " FORWARD_REJECT", buflen);
+ goto common2;
+#endif /* FORWARD */
+
+ default:
+ snprintf(lbuf, sizeof(lbuf), " %d (unknown)", data[3]);
+ strncpy((char *)buf, lbuf, buflen);
+ common2:
+ BUMP(buf, buflen);
+ for (i = 4; i < cnt; i++) {
+ snprintf(lbuf, sizeof(lbuf), " %d", data[i]);
+ strncpy((char *)buf, lbuf, buflen);
+ BUMP(buf, buflen);
+ }
+ break;
+ }
+}
+
+#ifdef FORWARD
+void
+kerberos5_forward(Authenticator *ap)
+{
+ krb5_error_code ret;
+ krb5_ccache ccache;
+ krb5_creds creds;
+ krb5_kdc_flags flags;
+ krb5_data out_data;
+ krb5_principal principal;
+
+ ret = krb5_cc_default (context, &ccache);
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("KerberosV5: could not get default ccache: %s\r\n",
+ krb5_get_err_text (context, ret));
+ return;
+ }
+
+ ret = krb5_cc_get_principal (context, ccache, &principal);
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("KerberosV5: could not get principal: %s\r\n",
+ krb5_get_err_text (context, ret));
+ return;
+ }
+
+ creds.client = principal;
+
+ ret = krb5_build_principal (context,
+ &creds.server,
+ strlen(principal->realm),
+ principal->realm,
+ "krbtgt",
+ principal->realm,
+ NULL);
+
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("KerberosV5: could not get principal: %s\r\n",
+ krb5_get_err_text (context, ret));
+ return;
+ }
+
+ creds.times.endtime = 0;
+
+ flags.i = 0;
+ flags.b.forwarded = 1;
+ if (forward_flags & OPTS_FORWARDABLE_CREDS)
+ flags.b.forwardable = 1;
+
+ ret = krb5_get_forwarded_creds (context,
+ auth_context,
+ ccache,
+ flags.i,
+ RemoteHostName,
+ &creds,
+ &out_data);
+ if (ret) {
+ if (auth_debug_mode)
+ printf ("Kerberos V5: error gettting forwarded creds: %s\r\n",
+ krb5_get_err_text (context, ret));
+ return;
+ }
+
+ if(!Data(ap, KRB_FORWARD, out_data.data, out_data.length)) {
+ if (auth_debug_mode)
+ printf("Not enough room for authentication data\r\n");
+ } else {
+ if (auth_debug_mode)
+ printf("Forwarded local Kerberos V5 credentials to server\r\n");
+ }
+}
+#endif
+
+#endif /* KRB5 */
diff --git a/lib/libtelnet/misc-proto.h b/lib/libtelnet/misc-proto.h
index 3c2f5b759c3..2f67ff0b50f 100644
--- a/lib/libtelnet/misc-proto.h
+++ b/lib/libtelnet/misc-proto.h
@@ -31,11 +31,23 @@
* SUCH DAMAGE.
*
* from: @(#)misc-proto.h 8.1 (Berkeley) 6/4/93
- * $OpenBSD: misc-proto.h,v 1.2 1996/03/19 23:15:54 niklas Exp $
+ * $OpenBSD: misc-proto.h,v 1.3 1998/03/12 04:48:52 art Exp $
* $NetBSD: misc-proto.h,v 1.5 1996/02/24 01:15:23 jtk Exp $
*/
/*
+ * This source code is no longer held under any constraint of USA
+ * `cryptographic laws' since it was exported legally. The cryptographic
+ * functions were removed from the code and a "Bones" distribution was
+ * made. A Commodity Jurisdiction Request #012-94 was filed with the
+ * USA State Department, who handed it to the Commerce department. The
+ * code was determined to fall under General License GTDA under ECCN 5D96G,
+ * and hence exportable. The cryptographic interfaces were re-added by Eric
+ * Young, and then KTH proceeded to maintain the code in the free world.
+ *
+ */
+
+/*
* Copyright (C) 1990 by the Massachusetts Institute of Technology
*
* Export of this software from the United States of America is assumed
@@ -63,7 +75,11 @@
void auth_encrypt_init __P((char *, char *, char *, int));
void auth_encrypt_user __P((char *));
void auth_encrypt_connect __P((int));
-void printd __P((unsigned char *, int));
+void printd __P((const unsigned char *, int));
+char **genget __P((char *, char **, int));
+int isprefix __P((char *, char *));
+int Ambiguous __P((void *));
+
/*
* These functions are imported from the application
@@ -73,4 +89,5 @@ void net_encrypt __P((void));
int telnet_spin __P((void));
char *telnet_getenv __P((char *));
char *telnet_gets __P((char *, char *, int, int));
+void printsub __P((char, unsigned char *, int));
#endif
diff --git a/lib/libtelnet/misc.c b/lib/libtelnet/misc.c
index 9c05f77ed8a..fc2d5791d54 100644
--- a/lib/libtelnet/misc.c
+++ b/lib/libtelnet/misc.c
@@ -34,13 +34,15 @@
#ifndef lint
/* from: static char sccsid[] = "@(#)misc.c 8.1 (Berkeley) 6/4/93"; */
/* from: static char rcsid[] = "$NetBSD: misc.c,v 1.5 1996/02/24 01:15:25 jtk Exp $"; */
-static char rcsid[] = "$OpenBSD: misc.c,v 1.2 1996/03/19 23:15:55 niklas Exp $";
+static char rcsid[] = "$OpenBSD: misc.c,v 1.3 1998/03/12 04:48:54 art Exp $";
#endif /* not lint */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "misc.h"
+#include "auth.h"
+#include "encrypt.h"
char *RemoteHostName;
char *LocalHostName;
@@ -56,9 +58,13 @@ auth_encrypt_init(local, remote, name, server)
{
RemoteHostName = remote;
LocalHostName = local;
-#if defined(AUTHENTICATION)
+#ifdef AUTHENTICATION
auth_init(name, server);
#endif
+#ifdef ENCRYPTION
+ encrypt_init(name, server);
+#endif
+
if (UserNameRequested) {
free(UserNameRequested);
UserNameRequested = 0;
@@ -84,7 +90,7 @@ auth_encrypt_connect(cnt)
void
printd(data, cnt)
- unsigned char *data;
+ const unsigned char *data;
int cnt;
{
if (cnt > 16)
diff --git a/lib/libtelnet/shlib_version b/lib/libtelnet/shlib_version
index 1edea46de91..b52599a164f 100644
--- a/lib/libtelnet/shlib_version
+++ b/lib/libtelnet/shlib_version
@@ -1,2 +1,2 @@
-major=1
+major=2
minor=0
generated by cgit v1.2.3 (git 2.25.1) at 2025-01-17 20:59:22 +0000