From 7439cb7c3df2b76759dd3ad65bcdf2ef99c799d4 Mon Sep 17 00:00:00 2001
From: Mats Erik Andersson
Date: Wed, 8 Aug 2012 11:49:48 +0200
Subject: [PATCH] Authorization type k5login.

Enable k5login authorization in telnetd and rlogind/rshd for future versions of libshishi.
---
 ChangeLog | 30 +++++++++++++++++++++
 TODO | 10 ++-----
 libinetutils/shishi.c | 11 ++++++++
 libtelnet/auth.c | 8 +++---
 libtelnet/misc.c | 10 +++----
 libtelnet/shishi.c | 62 ++++++++++++++++++++++++++-----------------
 6 files changed, 89 insertions(+), 42 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 6ed2ba56..897434f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,33 @@
+2012-08-08 Mats Erik Andersson
+
+	telnet: Support k5login authorization.
+
+	* libtelnet/misc.c (UserNameRequested): Assign
+	NULL, not naught.
+	* libtelnet/auth.c (authenticated): Likewise.
+	(authenticators) [SHISHI]: Remove two references
+	to krb5shishi_cleanup.
+	* libtelnet/shishi.c (krb5shishi_send): Check for
+	non-empty UserNameRequested as the very first action.
+	Add UserNameRequested to `HINT.client'.
+	(krb5shishi_reply): Call shishi_done(), and assign NULL
+	to `shishi_handle'.
+	(krb5shishi_status): Remove variables CNAME, CNAMELEN.
+	Replace call to shishi_encticketpart_client() with a call
+	to shishi_authorized_p().
+	(krb5shishi_is_auth): Check version of libshishi and call
+	shishi_cfg_authorizationtype_set() "k5login basic".
+	Replace a call to shishi_encticketpart_crealm() with a
+	call to shishi_encticketpart_clientrealm().
+	(krb5shishi_is): Remove debug print using puts().
+	(krb5shishi_printsub): Likewise.
+
+	rlogind, rshd: Support k5login authorization.
+
+	* libinetutils/shishi.c (get_auth): Check version
+	of libshishi and call shishi_cfg_authorizationtype_set()
+	with "k5login basic".
+
 2012-08-03 Mats Erik Andersson
 
 	rlogind, rshd: Protocol exchange adherence.
diff --git a/TODO b/TODO
index 5ee5012b..757daaed 100644
--- a/TODO
+++ b/TODO
@@ -154,15 +154,9 @@ Ability to ping multiple host in one go.
 For example, if a system specific option shadows a normal option? Allow this?
 
-* ftpd
+* ftp, ftpd
 
-Complete the initiated rewrite for supporting IPv6.
-
-* tftpd
-
-OpenSolaris is only able to transmit a single package of
-size at most PKTSIZE. Debug libinetutils/tftpsubs.c on this.
-No issue with other systems.
+Implement libshishi support?
 
 * whois
 
diff --git a/libinetutils/shishi.c b/libinetutils/shishi.c
index 27c72f00..28996b1a 100644
--- a/libinetutils/shishi.c
+++ b/libinetutils/shishi.c
@@ -293,6 +293,17 @@ get_auth (int infd, Shishi ** handle, Shishi_ap ** ap,
   else
     servername = shishi_server_for_local_service (*handle, SERVICE);
 
+  /* Enable use of `~/.k5login'. */
+  if (shishi_check_version ("1.0.2")) /* Faulty in version 1.0.1. */
+    {
+      rc = shishi_cfg_authorizationtype_set (*handle, "k5login basic");
+      if (rc != SHISHI_OK)
+        {
+          *err_msg = shishi_error (*handle);
+          return rc;
+        }
+    }
+
   key = shishi_hostkeys_for_server (*handle, servername);
   free (servername);
   if (!key)
diff --git a/libtelnet/auth.c b/libtelnet/auth.c
index 886b0ef1..753377d3 100644
--- a/libtelnet/auth.c
+++ b/libtelnet/auth.c
@@ -118,7 +118,7 @@ extern rsaencpwd_printsub ();
 int auth_debug_mode = 0;
 static char *Name = "Noname";
 static int Server = 0;
-static TN_Authenticator *authenticated = 0;
+static TN_Authenticator *authenticated = NULL;
 static int authenticating = 0;
 static int validuser = 0;
 static unsigned char _auth_send_data[256];
@@ -154,7 +154,7 @@ TN_Authenticator authenticators[] = {
    krb5shishi_reply,
    krb5shishi_status,
    krb5shishi_printsub,
-   krb5shishi_cleanup},
+   },
   {AUTHTYPE_KERBEROS_V5, AUTH_WHO_CLIENT | AUTH_HOW_ONE_WAY,
    krb5shishi_init,
    krb5shishi_send,
@@ -162,7 +162,7 @@ TN_Authenticator authenticators[] = {
    krb5shishi_reply,
    krb5shishi_status,
    krb5shishi_printsub,
-   krb5shishi_cleanup},
+   },
 # endif
 # ifdef KRB5
 # ifdef ENCRYPTION
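Review bot: The new early `return rc;` in get_auth runs after `servername` has been obtained from shishi_server_for_local_service() but before the existing `free (servername);`, so a failed shishi_cfg_authorizationtype_set() leaks that string; add `free (servername);` immediately before the return (or jump to the existing free). The version gate also means that on libshishi older than 1.0.2 the k5login setting is silently skipped and authorization falls back to whatever the library default is, which deserves a one-line comment stating that fallback, e.g. `/* Older libshishi: authorization type stays at the library default. */`. The same pattern appears in the libtelnet/shishi.c krb5shishi_is_auth hunk. get_auth begins and ends outside this hunk.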
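Review bot: With `krb5shishi_cleanup` dropped from this initializer and from the one in the -162 hunk, the cleanup slot of both SHISHI entries is implicitly NULL, so releasing `shishi_handle` now rests entirely on the KRB_ACCEPT branch of krb5shishi_reply; an exchange that ends any other way presumably keeps the handle until the process exits. If that ownership is intended (telnetd keeps the handle for the later status check, the client frees it on accept), say so at the initializer, e.g. `/* No cleanup callback: the server keeps shishi_handle for krb5shishi_status; the client releases it in krb5shishi_reply. */`. Also confirm that the consumer of this table checks for a NULL cleanup pointer before calling it; that call site is outside this hunk.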
@@ -245,7 +245,7 @@ auth_init (char *name, int server)
   Name = name;
 
   i_support = 0;
-  authenticated = 0;
+  authenticated = NULL;
   authenticating = 0;
   while (ap->type)
     {
diff --git a/libtelnet/misc.c b/libtelnet/misc.c
index 47083022..0385040a 100644
--- a/libtelnet/misc.c
+++ b/libtelnet/misc.c
@@ -58,7 +58,7 @@
 
 char *RemoteHostName;
 char *LocalHostName;
-char *UserNameRequested = 0;
+char *UserNameRequested = NULL;
 
 void
 auth_encrypt_init (char *local, char *remote, char *name, int server)
@@ -66,7 +66,7 @@ auth_encrypt_init (char *local, char *remote, char *name, int server)
   RemoteHostName = remote;
   LocalHostName = local;
   (void) name;
-  (void) server; /* shutup gcc */
+  (void) server; /* silence gcc */
 #if defined AUTHENTICATION
   auth_init (name, server);
 #endif
@@ -74,7 +74,7 @@ auth_encrypt_init (char *local, char *remote, char *name, int server)
   encrypt_init (name, server);
 #endif /* ENCRYPTION */
   free (UserNameRequested);
-  UserNameRequested = 0;
+  UserNameRequested = NULL;
 }
 
 void
@@ -83,13 +83,13 @@ auth_encrypt_user (char *name)
   extern char *strdup (const char *);
 
   free (UserNameRequested);
-  UserNameRequested = name ? strdup (name) : 0;
+  UserNameRequested = name ? strdup (name) : NULL;
 }
 
 void
 auth_encrypt_connect (int cnt)
 {
-  (void) cnt; /*shutup gcc */
+  (void) cnt; /* silence gcc */
 }
 
 void
diff --git a/libtelnet/shishi.c b/libtelnet/shishi.c
index 17c9c3e6..a90e40ed 100644
--- a/libtelnet/shishi.c
+++ b/libtelnet/shishi.c
@@ -155,6 +155,12 @@ krb5shishi_send (TN_Authenticator * ap)
   char *apreq;
   size_t apreq_len;
 
+  if (!UserNameRequested)
+    {
+      DEBUG (("telnet: Kerberos V5: no user name supplied\r\n"));
+      return 0;
+    }
+
   if (!delayed_shishi_init ())
     {
       DEBUG (("telnet: Kerberos V5: shishi initialization failed\r\n"));
@@ -170,6 +176,7 @@ krb5shishi_send (TN_Authenticator * ap)
   sprintf (tmp, "host/%s", RemoteHostName);
   memset (&hint, 0, sizeof (hint));
   hint.server = tmp;
+  hint.client = UserNameRequested;
 
   if (dest_realm && *dest_realm)
     shishi_realm_default_set (shishi_handle, dest_realm);
@@ -185,12 +192,6 @@ krb5shishi_send (TN_Authenticator * ap)
   if (auth_debug_mode)
     shishi_tkt_pretty_print (tkt, stdout);
 
-  if (!UserNameRequested)
-    {
-      DEBUG (("telnet: Kerberos V5: no user name supplied\r\n"));
-      return 0;
-    }
-
   if ((ap->way & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
     ap_opts = SHISHI_APOPTIONS_MUTUAL_REQUIRED;
   else
@@ -333,7 +334,11 @@ krb5shishi_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
                 " (server authenticated)" : " (server NOT authenticated)");
       else
         printf ("[ Kerberos V5 accepts you ]\r\n");
+
       auth_finished (ap, AUTH_USER);
+      /* This was last access to handle on behalf of the client. */
+      shishi_done (shishi_handle);
+      shishi_handle = NULL;
       break;
 
     case KRB_RESPONSE:
@@ -370,23 +375,16 @@ krb5shishi_reply (TN_Authenticator * ap, unsigned char *data, int cnt)
 int
 krb5shishi_status (TN_Authenticator * ap, char *name, int level)
 {
-  char *cname;
-  int cnamelen;
   int rc;
   int status;
 
   if (level < AUTH_USER)
     return level;
 
-  rc = shishi_encticketpart_client
-    (shishi_handle,
-     shishi_tkt_encticketpart (shishi_ap_tkt (auth_handle)),
-     &cname, &cnamelen);
-
   if (UserNameRequested
-      && rc == SHISHI_OK
-      && cnamelen == strlen (UserNameRequested)
-      && memcmp (UserNameRequested, cname, cnamelen) == 0)
+      && shishi_authorized_p (shishi_handle,
+                              shishi_ap_tkt (auth_handle),
+                              UserNameRequested))
     {
       /* FIXME: Check buffer length */
       strcpy (name, UserNameRequested);
@@ -394,7 +392,7 @@ krb5shishi_status (TN_Authenticator * ap, char *name, int level)
     }
   else
     status = AUTH_USER;
-  free (cname);
+
   return status;
 }
 
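Review bot: `shishi_done (shishi_handle)` in the KRB_ACCEPT branch tears down the library handle, but `auth_handle`, the Shishi_ap created from that handle, is neither released nor cleared, so it is left pointing at state whose lifetime is now unclear: if the Shishi_ap is owned by the handle it dangles, if not it leaks. Release it first, `shishi_ap_done (auth_handle); auth_handle = NULL;`, ahead of the shishi_done() call. The added comment should also say this branch is client-only, because krb5shishi_status still dereferences `shishi_handle` after authentication and would receive NULL if status were ever invoked on this side after accept. The enclosing switch continues outside the hunk.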
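Review bot: After the rewrite `int rc;` in krb5shishi_status is declared but no longer assigned or read anywhere in the hunk, since the removed `rc = shishi_encticketpart_client ...` was its only use; drop it along with `cname`/`cnamelen` unless the one unseen line before the -394 hunk touches it. The check also moves from an exact match between the ticket's client principal and `UserNameRequested` to `shishi_authorized_p`, which applies the configured authorization types; when the version gate in krb5shishi_is_auth does not run, the library default applies, so confirm that default is the strict name match and not something more permissive. Note that the old comparison bounded `UserNameRequested` to the principal's length, while the `strcpy (name, UserNameRequested)` behind the existing FIXME now copies a peer-supplied name of any length into a buffer whose size this function is not told; a bounded copy needs that size passed down.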
@@ -416,6 +414,19 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
       return 0;
     }
 
+  /* Enable use of `~/.k5login'. */
+  if (shishi_check_version ("1.0.2")) /* Faulty in version 1.0.1. */
+    {
+      rc = shishi_cfg_authorizationtype_set (shishi_handle, "k5login basic");
+      if (rc != SHISHI_OK)
+        {
+          snprintf (errbuf, errbuflen,
+                    "Cannot initiate authorization types: %s",
+                    shishi_error (shishi_handle));
+          return rc;
+        }
+    }
+
   rc = shishi_ap (shishi_handle, &auth_handle);
   if (rc != SHISHI_OK)
     {
@@ -477,10 +488,10 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
       free (der);
     }
 
-  rc = shishi_encticketpart_crealm (shishi_handle,
-                                    shishi_tkt_encticketpart (shishi_ap_tkt
-                                                              (auth_handle)),
-                                    &cnamerealm, &cnamerealmlen);
+  rc = shishi_encticketpart_clientrealm (
+        shishi_handle,
+        shishi_tkt_encticketpart (shishi_ap_tkt (auth_handle)),
+        &cnamerealm, &cnamerealmlen);
   if (rc != SHISHI_OK)
     {
       snprintf (errbuf, errbuflen, "Error getting authenticator name: %s\n",
@@ -493,6 +504,11 @@ krb5shishi_is_auth (TN_Authenticator * a, unsigned char *data, int cnt,
   free (cnamerealm);
   auth_finished (a, AUTH_USER);
 
+  /* Make sure that shishi_handle is still valid,
+   * it must not be released in auth_finish()!
+   * The server side will make reference to it
+   * later on. */
+
 # ifdef ENCRYPTION
   if (enckey)
     {
@@ -540,8 +556,6 @@ krb5shishi_is (TN_Authenticator * ap, unsigned char *data, int cnt)
   int r = 0;
   char errbuf[512];
 
-  puts ("krb5shishi_is");
-
   if (cnt-- < 1)
     return;
   errbuf[0] = 0;
@@ -597,8 +611,6 @@ krb5shishi_printsub (unsigned char *data, int cnt,
   char *p;
   int i;
 
-  puts ("krb5shishi_printsub");
-
   buf[buflen - 1] = '\0'; /* make sure its NULL terminated */
   buflen -= 1;
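Review bot: The new failure path returns `rc`, a libshishi error code, while the path visible just above it ends with `return 0;`; unless those mean different things to krb5shishi_is_auth's caller, the two should agree, so check how the caller (outside this hunk) interprets the return value before mixing conventions. The version gate has the same silent fallback as the libinetutils/shishi.c hunk: on libshishi before 1.0.2 no authorization type is set and krb5shishi_status later relies on the library default. A comment in the implicit else branch, e.g. `/* Older libshishi: authorization stays at the library default, ~/.k5login is not consulted. */`, would make that behaviour visible to whoever debugs a rejected login on an old library.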
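Review bot: The added comment names `auth_finish()`, but the call it refers to is `auth_finished (a, AUTH_USER)` on the preceding line; fix the name so the reader can find the function. Placing the note before the call instead of after it also reads better, e.g. `/* shishi_handle must survive auth_finished (): telnetd dereferences it later in krb5shishi_status. */`. krb5shishi_is_auth continues outside this hunk.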