Re-add SSLtelnet, with patch (patch-an) to fix the security vulnerability

described in FreeBSD-SA-01:49.telnetd

Submitted by:   kondo hiroshi <kondo@ysyslab.co.jp>
PR:             ports/42676

net/Makefile

@@ -6,6 +6,7 @@
     SUBDIR += 6to4
     SUBDIR += GeoIP
     SUBDIR += NeTraMet
+    SUBDIR += SSLtelnet
     SUBDIR += adasockets
     SUBDIR += adns
     SUBDIR += aggregate

net/SSLtelnet/Makefile

@@ -0,0 +1,32 @@
+# New ports collection makefile for:	SSLtelnet
+# Date created:		Mar 29, 1998
+# Whom:			issei@jp.FreeBSD.org
+#
+# $FreeBSD$
+
+PORTNAME=		SSLtelnet
+PORTVERSION=		0.13
+CATEGORIES=		net security
+MASTER_SITES=		${MASTER_SITE_LOCAL} \
+			ftp://ftp.psy.uq.oz.au/pub/Crypto/SSLapps/
+MASTER_SITE_SUBDIR=	kris
+
+MAINTAINER=		ports@FreeBSD.org
+
+USE_OPENSSL=		YES
+
+PLIST_SUB+=		OPENSSLDIR="${OPENSSLDIR}"
+
+.if !defined(BATCH)
+INSTALL_TARGET=		install certificate
+.endif
+
+# Make sure that whole directory tree exists.
+pre-install:
+	${MKDIR} ${OPENSSLDIR}/certs
+
+post-install:
+	strip $(PREFIX)/bin/telnet
+	strip $(PREFIX)/libexec/telnetd
+
+.include <bsd.port.mk>

net/SSLtelnet/distinfo

@@ -0,0 +1 @@
+MD5 (SSLtelnet-0.13.tar.gz) = 51025a9aaceaa2581377f7be7e0d913e

net/SSLtelnet/files/Makefile.patch

@@ -0,0 +1,11 @@
+--- Makefile.orig	Thu Aug  5 09:03:59 1999
++++ Makefile	Thu Aug  5 09:05:32 1999
+@@ -98,7 +98,7 @@
+ 
+ #BSD386
+ CC += -DTERMCAP $(socksflags)
+-LDADD = -ltermcap $(sockslib) 
++LDADD = -L$(SSLTOP)/lib -lssl -lcrypto -lRSAglue -lrsaref -ltermcap $(sockslib)
+   
+ all:
+ 	@-mkdir bin 2>/dev/null

net/SSLtelnet/files/patch-aa

@@ -0,0 +1,64 @@
+--- Makefile.orig	Thu Sep 24 17:50:59 1998
++++ Makefile	Tue Feb  1 11:11:24 2000
+@@ -47,7 +47,7 @@
+ 
+ # the location where SSLeay is installed ... 
+ # - expect a include and lib directory under here 
+-SSLTOP=/usr/local/ssl
++SSLTOP=$(PREFIX)
+ 
+ INSTALLTOP=$(SSLTOP)
+ 
+@@ -83,8 +83,8 @@
+ #LDADD=$(sockslib) -ltermcap -lcurses
+   
+ # uncomment the next two lines for linux
+-CC = gcc -DLINUX -DTERMIOS $(socksflags)
+-LDADD = $(sockslib) -lbsd -lncurses
++#CC = gcc -DLINUX -DTERMIOS $(socksflags)
++#LDADD = $(sockslib) -lbsd -lncurses
+ 
+ ##OLD Linux stuff
+ #CC = gcc -DLINUX -DUSE_SHADOW $(socksflags) 
+@@ -95,6 +95,11 @@
+ #BSD386
+ #CC = gcc -DBSD386 -DTERMCAP $(socksflags)
+ #LDADD = -ltermcap $(sockslib) 
++
++#FreeBSD
++CC += -DTERMCAP $(socksflags)
++LDADD = -L$(OPENSSLLIB) -lssl -lcrypto $(EXTRA_SSL_LIBS) \
++	 -ltermcap $(sockslib)
+   
+ all:
+ 	@-mkdir bin 2>/dev/null
+@@ -145,12 +150,11 @@
+ tar:    clean
+ 	(cd ..; tar cf $(TARFILE) $(DIRECTORY); /bin/rm -f $(TARFILE).Z $(TARFILE).gz >/dev/null 2>&1 ; $(COMPRESS) $(TARFILE) )
+ 
+-install: telnet telnetd /dev/null
+-	@-mkdir -p $(INSTALLTOP)/bin 2>/dev/null
++install: telnet telnetd
+ 	cp bin/telnet $(INSTALLTOP)/bin/telnet
+ 	chmod 755 $(INSTALLTOP)/bin/telnet
+-	cp bin/telnetd $(INSTALLTOP)/bin/telnetd
+-	chmod 755 $(INSTALLTOP)/bin/telnetd
++	cp bin/telnetd $(INSTALLTOP)/libexec/telnetd
++	chmod 755 $(INSTALLTOP)/libexec/telnetd
+ 	@echo "*****************************************************"
+ 	@echo "* Do not forget to make the certificate for telnetd *"
+ 	@echo "* either manually or via \"make certificate\"       *"
+@@ -158,9 +162,10 @@
+ 
+ certificate:
+ 	(\
+-	cd $(INSTALLTOP)/certs; \
+-	ssleay req -new -x509 -nodes -days 365 -out telnetd.pem -keyout telnetd.pem; \
+-	ln -s telnetd.pem `ssleay x509 -noout -hash < telnetd.pem`.0 ;\
+-	chmod 600 $(INSTALLTOP)/certs/telnetd.pem; \
++	[ -f $(OPENSSLDIR)/certs/telnetd.pem ] && exit; \
++	cd $(OPENSSLDIR)/certs; \
++	openssl req -new -x509 -nodes -days 365 -out telnetd.pem -keyout telnetd.pem; \
++	ln -s telnetd.pem `openssl x509 -noout -hash < telnetd.pem`.0 ;\
++	chmod 600 $(OPENSSLDIR)/certs/telnetd.pem; \
+ 	)

net/SSLtelnet/files/patch-ab

@@ -0,0 +1,11 @@
+--- telnetd/pathnames.h.orig	Sat Jun 15 17:26:10 1996
++++ telnetd/pathnames.h	Sat Oct 17 22:11:51 1998
+@@ -53,7 +53,7 @@
+ /* I'm working on having this work as is with SunOS 5.x */
+ #ifndef USE_SRALOGIN
+ #undef _PATH_LOGIN
+-#ifdef __bsdi__
++#if defined(__bsdi__) || defined(__FreeBSD__)
+ #define	_PATH_LOGIN	"/usr/bin/login"
+ #else 
+ #define	_PATH_LOGIN	"/bin/login"

net/SSLtelnet/files/patch-ac

@@ -0,0 +1,14 @@
+--- telnet/sys_bsd.c.orig	Sat Aug  2 14:18:09 1997
++++ telnet/sys_bsd.c	Fri Oct 16 20:43:32 1998
+@@ -580,10 +580,7 @@
+ 	else
+ 		lmode &= ~LPASS8;
+ #else
+-	if (f & MODE_INBIN)
+-		tmp_tc.c_iflag &= ~ISTRIP;
+-	else
+-		tmp_tc.c_iflag |= ISTRIP;
++	tmp_tc.c_iflag &= ~ISTRIP;
+ 	if (f & MODE_OUTBIN) {
+ 		tmp_tc.c_cflag &= ~(CSIZE|PARENB);
+ 		tmp_tc.c_cflag |= CS8;

net/SSLtelnet/files/patch-ad

@@ -0,0 +1,10 @@
+--- lib/libtelnet/sslapp.h.orig	Fri Oct 16 21:14:59 1998
++++ lib/libtelnet/sslapp.h	Fri Oct 16 21:15:07 1998
+@@ -53,6 +53,7 @@
+ extern int ssl_disabled_flag;
+ extern int ssl_cert_required;
+ extern int ssl_certsok_flag;
++extern int ssl_quiet_flag;
+ 
+ extern char *ssl_log_file; 
+ extern char *ssl_cert_file; 

net/SSLtelnet/files/patch-ae

@@ -0,0 +1,11 @@
+--- lib/Makefile.orig	Wed Sep  2 13:11:39 1998
++++ lib/Makefile	Wed Sep  2 13:11:49 1998
+@@ -1,7 +1,7 @@
+ #SUBDIRS= gmp-1.2 kerberosIV/krb libbsd libdes/des libpk libtelnet libutil
+ SUBDIRS= gmp-1.3.2 libbsd libpk libtelnet libutil
+ 
+-SUBDIRS= libbsd libtelnet libutil
++SUBDIRS= libtelnet
+ 
+ all:
+ 	@for i in $(SUBDIRS); \

net/SSLtelnet/files/patch-af

@@ -0,0 +1,79 @@
+--- telnetd/sys_term.c.orig	Sat Aug  2 01:37:00 1997
++++ telnetd/sys_term.c	Sun Aug  6 16:15:37 2000
+@@ -167,7 +167,7 @@
+ struct termios termbuf, termbuf2;	/* pty control structure */
+ #endif	/* USE_TERMIO */
+ 
+-extern long time();
++extern time_t time();
+ 
+ #ifndef STDIN_FILENO
+ #define STDIN_FILENO fileno(stdin)
+@@ -531,7 +531,7 @@
+ 	return(p);
+ #else
+ 
+-	register char c, *p1, *p2;
++	register char c, *p1, *p2, *cp;
+ 	register int i;
+ 
+ #if defined(__GNUC__) || defined(__sgi)
+@@ -548,20 +548,40 @@
+ 	p1 = &line[8];
+ 	p2 = &line[9];
+ #endif
+-
+-	for (c = 'p'; c <= 's'; c++) {
++	for (cp = "pqrsPQRS"; *cp; cp++) {
+ 		struct stat stb;
+ 
+-		*p1 = c;
++		*p1 = *cp;
+ 		*p2 = '0';
++		/*
++		 * This stat() check is just to keep us from
++		 * looping through all 256 combinations if there
++		 * aren't that many ptys available.
++		 */
+ 		if (stat(line, &stb) < 0)
+ 			break;
+-		for (i = 0; i < 16; i++) {
+-			*p2 = "0123456789abcdef"[i];
++		for (i = 0; i < 32; i++) {
++			*p2 = "0123456789abcdefghijklmnopqrstuv"[i];
+ 			p = open(line, 2);
+ 			if (p > 0) {
++#ifndef __hpux
+ 				line[5] = 't';
+-				return(p);
++#else
++				for (p1 = &line[8]; *p1; p1++)
++					*p1 = *(p1+1);
++				line[9] = 't';
++#endif
++				chown(line, 0, 0);
++				chmod(line, 0600);
++#if defined(sun) && defined(TIOCGPGRP) && BSD < 199207
++				if (ioctl(p, TIOCGPGRP, &dummy) == 0
++				    || errno != EIO) {
++					chmod(line, 0666);
++					close(p);
++					line[5] = 'p';
++				} else
++#endif /* defined(sun) && defined(TIOCGPGRP) && BSD < 199207 */
++					return(p);
+ 			}
+ 		}
+ 	}
+@@ -733,11 +753,7 @@
+ 	else
+ 		termbuf.lflags &= ~LPASS8;
+ #else
+-	if (on) {
+-		termbuf.c_iflag &= ~ISTRIP;
+-	} else {
+-		termbuf.c_iflag |= ISTRIP;
+-	}
++	termbuf.c_iflag &= ~ISTRIP;
+ #endif
+ }

net/SSLtelnet/files/patch-ag

@@ -0,0 +1,46 @@
+--- telnetd/telnetd.c.orig	Sat Aug  2 14:40:48 1997
++++ telnetd/telnetd.c	Sat Oct 17 22:13:52 1998
+@@ -140,7 +140,7 @@
+ 	highpty = getnpty();
+ #endif /* CRAY */
+ 
+-	while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:z:")) != EOF) {
++	while ((ch = getopt(argc, argv, "d:a:e:lhnr:I:D:B:sS:a:X:z:q")) != EOF) {
+ 		switch(ch) {
+ 
+ #ifdef USE_SSL
+@@ -203,6 +203,11 @@
+ 
+ 			}
+ 			break;
++
++		case 'q':
++			ssl_quiet_flag = 1;
++			break;
++			
+ #endif /* USE_SSL */
+ 
+ #ifdef	AUTHENTICATE
+@@ -584,7 +589,7 @@
+ #ifdef USE_SSL
+         /* might as well output something useful here ... */
+ 	fprintf(stderr, " [-z ssl] [-z secure] [-z debug] [-z verify=int]\n\t");
+-	fprintf(stderr, " [-z cert=file] [-z key=file]\n\t");
++	fprintf(stderr, " [-z cert=file] [-z key=file] [-q]\n\t");
+ #endif /* USE_SSL */
+ 	fprintf(stderr, " [port]\n");
+ 	exit(1);
+@@ -656,7 +661,12 @@
+ 		fflush(stderr);
+ 	    }
+ 
+-	    fatal(net,"[SSL required - connection rejected]");
++	    if (ssl_quiet_flag) {
++		sleep(1);
++		exit(1);
++	    }
++	    else
++		fatal(net,"[SSL required - connection rejected]");
+ 
+ 	}
+     }

net/SSLtelnet/files/patch-ah

@@ -0,0 +1,24 @@
+--- telnetd/Makefile.orig	Mon Sep 11 22:22:51 1995
++++ telnetd/Makefile	Tue Feb  1 09:20:28 2000
+@@ -4,17 +4,11 @@
+ 
+ PROG=	telnetd
+ 
+-CFLAGS= -DTERMCAP -DKLUDGELINEMODE -DUSE_TERMIO -DAUTHENTICATE -DUSE_SSL \
+-	-DDIAGNOSTICS -DFILIO_H \
+-	-I../lib -I../lib/libbsd/include \
+-	-I$(SSLTOP)/include
++CFLAGS+= -DTERMCAP -DKLUDGELINEMODE -DUSE_TERMIO -DAUTHENTICATE -DUSE_SSL \
++	-DDIAGNOSTICS -DFILIO_H -I../lib -I../lib/libbsd/include \
++	-I$(OPENSSLINC)/openssl -I$(OPENSSLINC)
+ 
+-LIBS= 	../lib/libtelnet/libtelnet.a \
+-	../lib/libbsd/libbsd.a \
+-	../lib/libutil/libutil.a \
+-	$(SSLTOP)/lib/libssl.a \
+-	$(SSLTOP)/lib/libcrypto.a 
+-#	$(SSLTOP)/lib/libdes.a
++LIBS= 	../lib/libtelnet/libtelnet.a -lutil
+ 
+ OBJS=	authenc.o global.o slc.o state.o sys_term.o telnetd.o \
+ 	termstat.o utility.o 

net/SSLtelnet/files/patch-ai

@@ -0,0 +1,24 @@
+--- telnet/Makefile.orig	Sat Aug  2 01:30:16 1997
++++ telnet/Makefile	Sun Feb 20 17:28:27 2000
+@@ -6,17 +6,12 @@
+ PROG=	telnet
+ 
+ 
+-CFLAGS= -DKLUDGELINEMODE -DUSE_TERMIO -DAUTHENTICATE -DUSE_SSL \
+-	-DFILIO_H \
+-	-I../lib/libbsd/include -I../lib \
+-	-I$(SSLTOP)/include
++CFLAGS+= -DKLUDGELINEMODE -DUSE_TERMIO -DAUTHENTICATE -DUSE_SSL \
++	-DFILIO_H -I../lib -I../lib/libbsd/include -I$(OPENSSLINC)/openssl \
++	-I$(OPENSSLINC)
+ 
+ 
+-LIBS=   ../lib/libtelnet/libtelnet.a \
+-	../lib/libbsd/libbsd.a \
+-        $(SSLTOP)/lib/libssl.a \
+-	$(SSLTOP)/lib/libcrypto.a 
+-#	$(SSLTOP)/lib/libdes.a
++LIBS=   ../lib/libtelnet/libtelnet.a
+ 
+ OBJS=	authenc.o commands.o main.o network.o ring.o sys_bsd.o telnet.o \
+ 	terminal.o tn3270.o utilities.o 

net/SSLtelnet/files/patch-aj

@@ -0,0 +1,13 @@
+--- lib/libtelnet/Makefile.orig	Sat Aug  2 01:31:37 1997
++++ lib/libtelnet/Makefile	Sun Feb 20 17:31:46 2000
+@@ -12,8 +12,8 @@
+ #CFLAGS= -DENCRYPT -DAUTHENTICATE -DSRA -DUSE_SSL -DDES_ENCRYPTION \
+ #-I../libbsd/include -I../libpk
+ 
+-CFLAGS= -DAUTHENTICATE -DUSE_SSL \
+--I../libbsd/include -I$(SSLTOP)/include -I../libpk -g
++CFLAGS+= -DAUTHENTICATE -DUSE_SSL -I$(OPENSSLINC)/openssl -I../libbsd/include \
++	 -I$(OPENSSLINC)
+ 
+ lib${LIB}.a: ${OBJS}
+ 	echo building standard ${LIB} library 

net/SSLtelnet/files/patch-ak

@@ -0,0 +1,10 @@
+--- lib/libtelnet/sslapp.c.old	Thu Aug  5 03:36:35 1999
++++ lib/libtelnet/sslapp.c	Thu Aug  5 03:36:55 1999
+@@ -81,7 +81,7 @@
+ 
+       if (ssl_debug_flag)
+ 	  BIO_printf(bio_err,"Generating temp (512 bit) RSA key ...\r\n");
+-      rsa=RSA_generate_key(512,RSA_F4,NULL);
++      rsa=RSA_generate_key(512,RSA_F4,NULL,NULL);
+       if (ssl_debug_flag)
+ 	  BIO_printf(bio_err,"Generation of temp (512 bit) RSA key done\r\n");

net/SSLtelnet/files/patch-al

@@ -0,0 +1,26 @@
+--- telnet/telnet.c.orig	Sat Oct 16 11:32:57 1999
++++ telnet/telnet.c	Sat Oct 16 11:34:05 1999
+@@ -68,6 +68,7 @@
+ #include "externs.h"
+ #include "types.h"
+ #include "general.h"
++#include <osreldate.h>
+ 
+ 
+ #define	strip(x)	((x)&0x7f)
+@@ -752,6 +753,7 @@
+ 
+ #ifdef	TERMCAP
+ char termbuf[1024];
++#if (__FreeBSD_version < 400011)
+ 
+ 	/*ARGSUSED*/
+ 	int
+@@ -769,6 +771,7 @@
+ 		*errp = 0;
+ 	return(-1);
+ }
++#endif
+ #else
+ #define	termbuf	ttytype
+ extern char ttytype[];

net/SSLtelnet/files/patch-am

@@ -0,0 +1,43 @@
+--- telnet/commands.c.old	Sun Jan  7 10:03:38 2001
++++ telnet/commands.c	Sun Jan  7 10:16:53 2001
+@@ -55,7 +55,7 @@
+ #include <netdb.h>
+ #include <ctype.h>
+ #include <pwd.h>
+-#include <varargs.h>
++#include <stdarg.h>
+ #include <errno.h>
+ 
+ #include <arpa/telnet.h>
+@@ -100,7 +100,8 @@
+ extern char **genget();
+ extern int Ambiguous();
+ 
+-static call();
++typedef int (*intrtn_t)();
++static int call(intrtn_t, ...);
+ 
+ typedef struct {
+ 	char	*name;		/* command name */
+@@ -2550,18 +2551,14 @@
+  */
+ 
+     /*VARARGS1*/
+-    static
+-call(va_alist)
+-    va_dcl
++    static int
++call(intrtn_t routine, ...)
+ {
+     va_list ap;
+-    typedef int (*intrtn_t)();
+-    intrtn_t routine;
+     char *args[100];
+     int argno = 0;
+ 
+-    va_start(ap);
+-    routine = (va_arg(ap, intrtn_t));
++    va_start(ap, routine);
+     while ((args[argno++] = va_arg(ap, char *)) != 0) {
+ 	;
+     }

net/SSLtelnet/pkg-comment

@@ -0,0 +1 @@
+SSL enhanced telnet/telnetd

net/SSLtelnet/pkg-descr

@@ -0,0 +1,20 @@
+This program suports both certification and cryptogoraphic with using SSL.
+
+If you do not have certification (/etc/ssl/certs/telnet.pem) provided
+by CA, this port make dummy certification. Of cource it is useless to certify
+but you can use SSL telnet/telnetd in encryption only mode with it.
+
+You must edit /etc/inetd.conf to make SSL telnetd available. Some examples
+below:
+
+1. Accept both normal telnet client and SSL telnet client.
+
+telnet	stream	tcp	nowait	root	/usr/local/libexec/telnetd	telnetd 
+
+2. Accpet only SSL encrypted client.
+
+telnet	stream	tcp	nowait	root	/usr/local/libexec/telnetd	telnetd -z secure
+
+3. Accept only SSL certificated client.
+
+telnet	stream	tcp	nowait	root	/usr/local/libexec/telnetd	telnetd -a valid

net/SSLtelnet/pkg-plist

@@ -0,0 +1,4 @@
+bin/telnet
+libexec/telnetd
+@exec mkdir %%OPENSSLDIR%%/certs
+@exec if [ ! -f $(OPENSSLDIR)/certs/telnetd.pem ]; then cd %%OPENSSLDIR%%/certs; openssl req -new -x509 -nodes -days 365 -out telnetd.pem -keyout telnetd.pem; ln -s telnetd.pem `openssl x509 -noout -hash < telnetd.pem`.0 ; chmod 600 $(OPENSSLDIR)/certs/telnetd.pem; fi