Security fixes.

CERT Advisory CA-95:03.telnet.encryption

Obtained from: CERT

eBones/lib/libtelnet/auth.c

@@ -246,7 +246,7 @@ getauthmask(type, maskp)
 {
 	register int x;
 
-	if (strcasecmp(type, AUTHTYPE_NAME(0))) {
+	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
 		*maskp = -1;
 		return(1);
 	}
@@ -262,14 +262,14 @@ getauthmask(type, maskp)
 
 	int
 auth_enable(type)
-	int type;
+	char * type;
 {
 	return(auth_onoff(type, 1));
 }
 
 	int
 auth_disable(type)
-	int type;
+	char * type;
 {
 	return(auth_onoff(type, 0));
 }
@@ -279,15 +279,20 @@ auth_onoff(type, on)
 	char *type;
 	int on;
 {
-	int mask = -1;
+	int i, mask = -1;
 	Authenticator *ap;
 
 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
                 printf("auth %s 'type'\n", on ? "enable" : "disable");
 		printf("Where 'type' is one of:\n");
 		printf("\t%s\n", AUTHTYPE_NAME(0));
-		for (ap = authenticators; ap->type; ap++)
+		mask = 0;
+		for (ap = authenticators; ap->type; ap++) {
+			if ((mask & (i = typemask(ap->type))) != 0)
+				continue;
+			mask |= i;
 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+		}
 		return(0);
 	}
 
@@ -295,7 +300,6 @@ auth_onoff(type, on)
 		printf("%s: invalid authentication type\n", type);
 		return(0);
 	}
-	mask = getauthmask(type, &mask);
 	if (on)
 		i_wont_support &= ~mask;
 	else
@@ -319,16 +323,22 @@ auth_togdebug(on)
 auth_status()
 {
 	Authenticator *ap;
+	int i, mask;
 
 	if (i_wont_support == -1)
 		printf("Authentication disabled\n");
 	else
 		printf("Authentication enabled\n");
 
-	for (ap = authenticators; ap->type; ap++)
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+		if ((mask & (i = typemask(ap->type))) != 0)
+			continue;
+		mask |= i;
 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
 			(i_wont_support & typemask(ap->type)) ?
 					"disabled" : "enabled");
+	}
 	return(1);
 }
 

eBones/lib/libtelnet/kerberos.c

@@ -227,9 +227,10 @@ kerberos4_send(ap)
 		register int i;
 
 		des_key_sched(cred.session, sched);
-		des_set_random_generator_seed(cred.session);
-		des_new_random_key(challenge);
-		des_ecb_encrypt(challenge, session_key, sched, 1);
+		des_init_random_number_generator(cred.session);
+		des_new_random_key(session_key);
+		des_ecb_encrypt(session_key, session_key, sched, 0);
+		des_ecb_encrypt(session_key, challenge, sched, 0);
 		/*
 		 * Increment the challenge by 1, and encrypt it for
 		 * later comparison.
@@ -322,6 +323,11 @@ kerberos4_is(ap, data, cnt)
 			break;
 		}
 
+		/*
+		 * Initialize the random number generator since it's
+		 * used later on by the encryption routine.
+		 */
+		des_init_random_number_generator(session_key);
 		des_key_sched(session_key, sched);
 		bcopy((void *)data, (void *)datablock, sizeof(Block));
 		/*
@@ -339,7 +345,7 @@ kerberos4_is(ap, data, cnt)
 		 * increment by one, re-encrypt it and send it back.
 		 */
 		des_ecb_encrypt(datablock, challenge, sched, 0);
-		for (r = 7; r >= 0; r++) {
+		for (r = 7; r >= 0; r--) {
 			register int t;
 			t = (unsigned int)challenge[r] + 1;
 			challenge[r] = t;	/* ignore overflow */

eBones/usr.bin/telnet/commands.c

@@ -1915,8 +1915,8 @@ struct authlist {
 };
 
 extern int
-	auth_enable P((int)),
-	auth_disable P((int)),
+	auth_enable P((char *)),
+	auth_disable P((char *)),
 	auth_status P((void));
 static int
 	auth_help P((void));
@@ -1955,6 +1955,12 @@ auth_cmd(argc, argv)
 {
     struct authlist *c;
 
+    if (argc < 2) {
+      fprintf(stderr,
+          "Need an argument to 'auth' command.  'auth ?' for help.\n");
+      return 0;
+    }
+
     c = (struct authlist *)
 		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
     if (c == 0) {
@@ -2011,7 +2017,7 @@ struct encryptlist EncryptList[] = {
 						EncryptEnable, 1, 1, 2 },
     { "disable", "Disable encryption. ('encrypt enable ?' for more)",
 						EncryptDisable, 0, 1, 2 },
-    { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+    { "type", "Set encryption type. ('encrypt type ?' for more)",
 						EncryptType, 0, 1, 1 },
     { "start", "Start encryption. ('encrypt start ?' for more)",
 						EncryptStart, 1, 0, 1 },
@@ -2055,6 +2061,12 @@ encrypt_cmd(argc, argv)
 {
     struct encryptlist *c;
 
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'encrypt' command.  'encrypt ?' for help.\n");
+	return 0;
+    }
+
     c = (struct encryptlist *)
 		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
     if (c == 0) {

secure/lib/libtelnet/auth.c

@@ -246,7 +246,7 @@ getauthmask(type, maskp)
 {
 	register int x;
 
-	if (strcasecmp(type, AUTHTYPE_NAME(0))) {
+	if (!strcasecmp(type, AUTHTYPE_NAME(0))) {
 		*maskp = -1;
 		return(1);
 	}
@@ -262,14 +262,14 @@ getauthmask(type, maskp)
 
 	int
 auth_enable(type)
-	int type;
+	char * type;
 {
 	return(auth_onoff(type, 1));
 }
 
 	int
 auth_disable(type)
-	int type;
+	char * type;
 {
 	return(auth_onoff(type, 0));
 }
@@ -279,15 +279,20 @@ auth_onoff(type, on)
 	char *type;
 	int on;
 {
-	int mask = -1;
+	int i, mask = -1;
 	Authenticator *ap;
 
 	if (!strcasecmp(type, "?") || !strcasecmp(type, "help")) {
                 printf("auth %s 'type'\n", on ? "enable" : "disable");
 		printf("Where 'type' is one of:\n");
 		printf("\t%s\n", AUTHTYPE_NAME(0));
-		for (ap = authenticators; ap->type; ap++)
+		mask = 0;
+		for (ap = authenticators; ap->type; ap++) {
+			if ((mask & (i = typemask(ap->type))) != 0)
+				continue;
+			mask |= i;
 			printf("\t%s\n", AUTHTYPE_NAME(ap->type));
+		}
 		return(0);
 	}
 
@@ -295,7 +300,6 @@ auth_onoff(type, on)
 		printf("%s: invalid authentication type\n", type);
 		return(0);
 	}
-	mask = getauthmask(type, &mask);
 	if (on)
 		i_wont_support &= ~mask;
 	else
@@ -319,16 +323,22 @@ auth_togdebug(on)
 auth_status()
 {
 	Authenticator *ap;
+	int i, mask;
 
 	if (i_wont_support == -1)
 		printf("Authentication disabled\n");
 	else
 		printf("Authentication enabled\n");
 
-	for (ap = authenticators; ap->type; ap++)
+	mask = 0;
+	for (ap = authenticators; ap->type; ap++) {
+		if ((mask & (i = typemask(ap->type))) != 0)
+			continue;
+		mask |= i;
 		printf("%s: %s\n", AUTHTYPE_NAME(ap->type),
 			(i_wont_support & typemask(ap->type)) ?
 					"disabled" : "enabled");
+	}
 	return(1);
 }
 

secure/lib/libtelnet/kerberos.c

@@ -227,9 +227,10 @@ kerberos4_send(ap)
 		register int i;
 
 		des_key_sched(cred.session, sched);
-		des_set_random_generator_seed(cred.session);
-		des_new_random_key(challenge);
-		des_ecb_encrypt(challenge, session_key, sched, 1);
+		des_init_random_number_generator(cred.session);
+		des_new_random_key(session_key);
+		des_ecb_encrypt(session_key, session_key, sched, 0);
+		des_ecb_encrypt(session_key, challenge, sched, 0);
 		/*
 		 * Increment the challenge by 1, and encrypt it for
 		 * later comparison.
@@ -322,6 +323,11 @@ kerberos4_is(ap, data, cnt)
 			break;
 		}
 
+		/*
+		 * Initialize the random number generator since it's
+		 * used later on by the encryption routine.
+		 */
+		des_init_random_number_generator(session_key);
 		des_key_sched(session_key, sched);
 		bcopy((void *)data, (void *)datablock, sizeof(Block));
 		/*
@@ -339,7 +345,7 @@ kerberos4_is(ap, data, cnt)
 		 * increment by one, re-encrypt it and send it back.
 		 */
 		des_ecb_encrypt(datablock, challenge, sched, 0);
-		for (r = 7; r >= 0; r++) {
+		for (r = 7; r >= 0; r--) {
 			register int t;
 			t = (unsigned int)challenge[r] + 1;
 			challenge[r] = t;	/* ignore overflow */

secure/usr.bin/telnet/commands.c

@@ -1915,8 +1915,8 @@ struct authlist {
 };
 
 extern int
-	auth_enable P((int)),
-	auth_disable P((int)),
+	auth_enable P((char *)),
+	auth_disable P((char *)),
 	auth_status P((void));
 static int
 	auth_help P((void));
@@ -1955,6 +1955,12 @@ auth_cmd(argc, argv)
 {
     struct authlist *c;
 
+    if (argc < 2) {
+      fprintf(stderr,
+          "Need an argument to 'auth' command.  'auth ?' for help.\n");
+      return 0;
+    }
+
     c = (struct authlist *)
 		genget(argv[1], (char **) AuthList, sizeof(struct authlist));
     if (c == 0) {
@@ -2011,7 +2017,7 @@ struct encryptlist EncryptList[] = {
 						EncryptEnable, 1, 1, 2 },
     { "disable", "Disable encryption. ('encrypt enable ?' for more)",
 						EncryptDisable, 0, 1, 2 },
-    { "type", "Set encryptiong type. ('encrypt type ?' for more)",
+    { "type", "Set encryption type. ('encrypt type ?' for more)",
 						EncryptType, 0, 1, 1 },
     { "start", "Start encryption. ('encrypt start ?' for more)",
 						EncryptStart, 1, 0, 1 },
@@ -2055,6 +2061,12 @@ encrypt_cmd(argc, argv)
 {
     struct encryptlist *c;
 
+    if (argc < 2) {
+	fprintf(stderr,
+	    "Need an argument to 'encrypt' command.  'encrypt ?' for help.\n");
+	return 0;
+    }
+
     c = (struct encryptlist *)
 		genget(argv[1], (char **) EncryptList, sizeof(struct encryptlist));
     if (c == 0) {