1999-11-09 Peter 'Luna' Runestig
  * Started this CHANGES file, covering changes to the STARTTLS patch
    following version 19991107.
  * Fixed bug in check_file() that might free incorrect pointer.

1999-11-10 Peter 'Luna' Runestig
  * Implemented proper FQDN check of the remote host name from its
    certificate, according to the Draft, version 3 (rumor has it that this
    is going to change, but I did it anyway): First check any 'dNSName' in
    'subjectAltName', else check 'commonName' from 'subject'.
  * Released version 19991110.

1999-11-30 Peter 'Luna' Runestig
  * Added support for a CRL file in the client, support for a CRL
    directory is "almost implemented". Also added command line switch to
    specify the CRL file to use with the server.
  * Released version 1999130.

1999-12-01 Peter 'Luna' Runestig
  * Finished the CRL directory support.
  * Released version 19991201.

1999-12-15 Peter 'Luna' Runestig
  * Fixed a bug in the '~/.tlslogin' support in the server.
  * Changed '...dh_key...' names in the code back to '...dsa_key...'.

1999-12-17 Peter 'Luna' Runestig
  * Changed the certificate verification call back in the client a bit.
  * Released version 19991217.

1999-12-28 Peter 'Luna' Runestig
  * Fixed bug so Jeff's envvarok() function is actually used as it should.
  * Started the experimental implementation of the FORWARD_X option
    (conceived by Jeffrey Altman).
  * Released version 19991228.

1999-12-29 Peter 'Luna' Runestig
  * Changes to the experimental FORWARD_X support:
    * Fixed Brown Paperbag Bug in fwdx_listen(), it now returns -1 instead
      of 0 in case of an error.
    * No longer assuming that sprintf() returns the number of bytes
      written.
    * Changed variable name s_addr => saddr, also changed use of type
      socklen_t => int.
    * No longer tries to use local tcp port 6000 (display number 0).
    * Changed the "suboption buffer flushing" code to actually work.
  * Released version 19991229.
  * More work on the debug outputs.
  * Some changes to the telnet option handling in the server.
  * Fixed a bug in process_rings() in the client that locked the X data
    processing. Same kind of bug seems to remain in the server.
  * Changed "localhost" to "127.0.0.1" in the DISPLAY var setting.

1999-12-30 Peter 'Luna' Runestig
  * Released version 19991230.

2000-01-01 Peter 'Luna' Runestig
  * Changes to the experimental FORWARD_X support:
    * Using the code's standard way to send data on the net instead of an
      explicit write().
    * Trying to be sure that _all_ data is actually written to the net,
      but there still seems to be a problem with that in combination with
      TLS.
    * Using FD_SETSIZE in select() calls.
    * Dropped the malloc()/free() in every fwdx_forward(), using a single
      buffer instead.
  * Released version 20000101.

2000-01-02 Peter 'Luna' Runestig
  * Finally fixed the problem with FORWARD_X used together with STARTTLS.
  * Released version 20000102.

2000-01-03 Peter 'Luna' Runestig
  * Moved my telnet options #define's to headers/arpa/telnet.h, also added
    some more.
  * Renamed STARTTLS to START_TLS throughout the code.

2000-01-04 Peter 'Luna' Runestig
  * Released version 20000104.

2000-01-06 Peter 'Luna' Runestig
  * The client now announces "IAC DO FORWARD_X" at startup (if connected
    to a standard telnet port, else no announcements are sent by design).
  * Fixed the parsing of the local DISPLAY environment variable in the
    client.
  * The fwdx_redirect() function now makes sure all data is written to the
    X server socket and also checks for errors (these bugs reported by
    Jeff).
  * Released version 20000106.

2000-01-07 Peter 'Luna' Runestig
  * Only writes a maximum of 1024 bytes of data at a time with SSL_write()
    since there seems to be a bug in OpenSSL.
  * Released version 20000107.

2000-01-08 Peter 'Luna' Runestig
  * Fixed bug in calculation of needed realloc() size in fwdx_forward().
  * More changes to find out why the telnetd gets stuck with high CPU
    utilization and possible trashed stack from time to time.
  * If the client has local DISPLAY=127.0.0.0:... it is negotiated to the
    server as DISPLAY=:...
  * Released version 20000108.

2000-01-09 Peter 'Luna' Runestig
  * Fixed an off-by-one bug in the server's telrcv() (Jeff).
  * Added "IAC quoting" to the channel bytes in the suboptions.
  * Released version 20000109.

2000-01-19 Peter 'Luna' Runestig
  * Changed the code around tls_pending() in telnetd.c.
  * Cleaned the code a bit.
  * Released version 20000119.

2000-01-20 Peter 'Luna' Runestig
  * Changed the TLS error checking to try to find a bug that corrupts
    large data transfers over TLS.
  * Released version 20000120.

2000-01-22 Peter 'Luna' Runestig
  * Removed safe_tls_write() since there isn't a >1024 send bug in OpenSSL
    after all.

2000-01-23 Peter 'Luna' Runestig
  * Fixed index bug in fwdx_forward() (Jeff).
  * Added signal handler for SIGPIPE to telnetd.
  * Released version 20000123.

2000-01-25 Peter 'Luna' Runestig
  * Moved the fwdx_init_fd_set() call in telnetd (Jeff).
  * Removed some bug searching logging.
  * Removed redundant netflush() calls in telnetd.
  * Removed dangerous DIAG() call in netflush().
  * Released version 20000125.

2000-01-27 Peter 'Luna' Runestig
  * Added FWDX_OPTIONS suboption.
  * Removed C++-style comments.
  * Released version 20000127.

2000-02-10 Peter 'Luna' Runestig
  * Added experimental support for FWDX_OPT_XAUTH.

2000-03-02 Peter 'Luna' Runestig
  * Minor fix to compile with OpenSSL 0.9.5.
  * Added seeding of the PRNG (yes, even I missed it ;).
  * Released version 20000302.

2000-03-18 Peter 'Luna' Runestig
  * Fixed memory leak in fwdx_send_xauth() (Jeff).
  * Changes in the FWDX option handling, since I'm now more clear on how
    to handle them. :-)

2000-03-20 Peter 'Luna' Runestig
  * Added some sanity checks to parsedpy.c (Jeff).
  * Released version 20000320.

2000-03-31 Peter 'Luna' Runestig
  * Major changes to the FORWARD_X support (Jeff and me).
  * Remaking of the "configure" script, added new switches
    "--with-openssl-libs=DIR" and "--enable-xdm".

2000-04-01 Peter 'Luna' Runestig
  * Released version 20000401.
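The 1999-11-10 entry above describes the host-name check the client runs on the server certificate. The following is an added example, not code from the patch: it applies that rule over a hypothetical `struct cert_names` holding the already-extracted dNSName and commonName values, and falls back to commonName only when the certificate carries no dNSName at all (the reading of "else" used here, and the rule later standardised in RFC 6125).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical view of the two certificate fields the check needs; a real
 * client fills it from the parsed peer certificate (e.g. via OpenSSL's
 * X509 API), which is outside this example. */
struct cert_names {
    const char *const *dns_names;  /* dNSName entries of subjectAltName */
    size_t n_dns_names;            /* 0 when the cert has no dNSName */
    const char *common_name;       /* subject commonName, NULL if absent */
};

/* DNS names compare case-insensitively; a single trailing dot is ignored. */
static bool dns_name_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    if (la > 0 && a[la - 1] == '.') la--;
    if (lb > 0 && b[lb - 1] == '.') lb--;
    return la == lb && strncasecmp(a, b, la) == 0;
}

/* Rule from the 1999-11-10 entry: match 'host' against any dNSName in
 * subjectAltName; only a certificate with no dNSName at all falls back
 * to the subject commonName. Returns true when the peer is acceptable. */
bool cert_matches_host(const struct cert_names *c, const char *host)
{
    if (c == NULL || host == NULL || host[0] == '\0')
        return false;
    if (c->n_dns_names > 0) {
        for (size_t i = 0; i < c->n_dns_names; i++)
            if (dns_name_equal(c->dns_names[i], host))
                return true;
        return false;   /* dNSName present but no match: CN not consulted */
    }
    return c->common_name != NULL && dns_name_equal(c->common_name, host);
}

int main(void)
{
    /* Constructed sample: SAN lists two names, CN names a third host. */
    const char *sans[] = { "mail.example.net", "telnet.example.net" };
    struct cert_names san_cert = { sans, 2, "other.example.net" };
    struct cert_names cn_cert = { NULL, 0, "telnet.example.net" };
    printf("%d %d %d\n",
           cert_matches_host(&san_cert, "TELNET.example.net."),  /* 1 */
           cert_matches_host(&san_cert, "other.example.net"),    /* 0 */
           cert_matches_host(&cn_cert, "telnet.example.net"));   /* 1 */
    return 0;
}
```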
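The 2000-01-09 entry above adds IAC quoting to the channel bytes carried in the FORWARD_X suboptions. As an added example that is not the patch's own code, the pair below quotes and unquotes a suboption payload: a 0xFF data byte is doubled on the way out, and a lone IAC on the way in is rejected as a framing error; the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

#define IAC 255   /* telnet "Interpret As Command" byte, RFC 854 */

/* Quote suboption data for the IAC SB ... IAC SE frame: each 0xFF data
 * byte is doubled so the receiver cannot read it as the IAC that ends the
 * suboption. Returns the quoted length, or -1 if 'out' is too small
 * (worst case every byte is 0xFF, so 2*n always suffices). */
long fwdx_quote_iac(const unsigned char *in, size_t n,
                    unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        size_t need = (in[i] == IAC) ? 2 : 1;
        if (o + need > cap)
            return -1;
        out[o++] = in[i];
        if (in[i] == IAC)
            out[o++] = IAC;
    }
    return (long)o;
}

/* Inverse: collapse IAC IAC to one 0xFF. A lone IAC followed by anything
 * else is a framing error inside a suboption; return -1 so the caller
 * discards the suboption rather than acting on a corrupted payload. */
long fwdx_unquote_iac(const unsigned char *in, size_t n,
                      unsigned char *out, size_t cap)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == IAC) {
            if (i + 1 >= n || in[i + 1] != IAC)
                return -1;
            i++;                        /* consume the doubled byte */
        }
        if (o >= cap)
            return -1;
        out[o++] = in[i];
    }
    return (long)o;
}

int main(void)
{
    unsigned char chan[] = { 0x01, 0xFF, 0x41 }, buf[8];   /* constructed */
    long n = fwdx_quote_iac(chan, sizeof chan, buf, sizeof buf);
    for (long i = 0; i < n; i++)
        printf("%02X ", (unsigned)buf[i]);   /* prints: 01 FF FF 41 */
    putchar('\n');
    return 0;
}
```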
2000-04-05 Peter 'Luna' Runestig
  * Changed configure options --enable-forward_x and --enable-xdm to be on
    by default.
  * Released version 20000405.

2000-04-29 Peter 'Luna' Runestig
  * Updated README.TLS with better description of X509 authentication.
  * Made the client certificate verification more strict in telnetd, also
    more syslog()'ing of failed verifications.
  * Fixed so it compiles with glibc 2.1.3 (issue with utmp.h vs utmpx.h).
  * Now also "make install" works.

2000-06-09 Peter 'Luna' Runestig
  * Using Y instead of just Y when confirming TLS warnings in the client.
  * Rewritten the telnet state machine reset in the client, it didn't
    really work before (you only got garbage on screen instead).

2000-06-14 Peter 'Luna' Runestig
  * Added a numeric custom error code to the "Xlib: Forward X
    authentication error" message from the server.

2000-06-16 Peter 'Luna' Runestig
  * Removed the "glob.h" check from configure.
  * Increased the maximum number of times the ownership of the pty is
    monitored in telnetd.c.

2000-06-27 Peter 'Luna' Runestig
  * telnetd uses the ip address instead of the host name when setting the
    client's DISPLAY env var.
  * telnetd only listens on one ip address for any X client connections
    (the one the telnet client is connected to) instead of all available
    addresses.

2000-06-28 Peter 'Luna' Runestig
  * Added support for using the ip loop back address 127.0.0.1 as the
    listening address instead of the one connected to the client. Since
    finding out if we actually have the loop back address available on
    our host is a rather complex task (while it should be an easy one),
    the decision to use this is made at "./configure" time. The option is
    enabled by default and is turned off with "--disable-fwdx_loopback".
    If it turns out that it should be disabled by default, it's easily
    changed.
  * Changed the "#define XDM" to "#define FWDX_XDM".
  * Added support for unix domain sockets in telnetd for X client
    connections when using FORWARD_X. Since this is dependent on if the
    host system 1) has support for unix domain sockets and 2) the host
    system's X libraries are compiled with this support, this feature is
    disabled by default. It is enabled at "./configure" time with
    "--enable-fwdx_unix_sock".

2000-07-05 Peter 'Luna' Runestig
  * Changed the telnetd behaviour regarding FORWARD_X with unix_sock: If
    the "/tmp/.X11-unix" directory doesn't exist, fall back to using inet
    sockets instead (the host probably doesn't support unix_sock).
  * Added the support for unix domain sockets to the telnet client also.

2000-07-10 Peter 'Luna' Runestig
  * Minor changes to make it compile warning-free on OpenBSD 2.7 (GNU
    "make" still needed!).
  * Removed the "dist" make target.
  * Extended putf() in telnetd/utility.c to handle more types of
    formatting #ifdef HAVE_UNAME.
  * Added the IETF draft documentation on START_TLS and FORWARD_X.

2000-07-15 Peter 'Luna' Runestig
  * Fixed stupid unsigned / signed bug in tls_read() and tls_write().
  * Made some sanity patches inspired by OpenBSD's core telnet / telnetd.

2000-07-17 Peter 'Luna' Runestig
  * More OpenBSDish fixes.

2000-07-19 Peter 'Luna' Runestig
  * Made the Makefiles more portable; the GNU make prerequisite must go.

2000-07-20 Peter 'Luna' Runestig
  * Changed the ./configure option "--with-openssl-libs" to
    "--with-openssl-dir" to make it more useful.
  * Now compiles with native make on OpenBSD 2.7.

2000-07-26 Peter 'Luna' Runestig
  * Added command line option for the cipher string to telnetd.
  * Changed the default cipher string to "ALL:!EXP".

2000-07-27 Peter 'Luna' Runestig
  * A few more changes to the Makefiles.
  * Fixed CPPFLAGS in config.make.in which I broke at some time...
  * Made telnetd actually use the default cipher string.
  * Replaced "install -d" with "mkdir -p" since it doesn't work on HP-UX.

2000-07-31 Peter 'Luna' Runestig
  * Now _really_ fixed the CPPFLAGS-... issue (I hope).
  * Removed unused PATH_... from paths.
2000-08-02 Peter 'Luna' Runestig
  * Some sprintf() -> snprintf() fixes, marking safe sprintf() "safe".

2000-08-03 Peter 'Luna' Runestig
  * Changed the network output buffer from static to dynamic allocation.
  * Changed all the unchecked sprintf()s to the net out buffer to use a
    custom net_printf() function instead that increases the netobuf size
    if necessary.

2000-08-07 Peter 'Luna' Runestig
  * Added the concept of a "~/.x509rc" file, for mapping of host names to
    certificates, to the client.
  * Added more logging when users are auto-logged in by their client
    certs to the server.

2000-09-06 Peter 'Luna' Runestig
  * Removed some unnecessary files.

2000-09-08 Peter 'Luna' Runestig
  * Merged changes from the latest GNU inetutils CVS.

2000-09-09 Peter 'Luna' Runestig
  * Removed even more unnecessary files.

2000-09-09 Peter 'Luna' Runestig
  * Slightly changed the utmpx.h / glibc issue in telnetd/sys_term.c
  * Fixed stupid "increasing bug" in fwdx_max_socket() in telnetd. It's a
    wonder it worked at all with that bug in it...

2000-09-12 Peter 'Luna' Runestig
  * Started on some experimental stuff on file caching of SSL/TLS
    sessions, an idea by Jeffrey Altman.

2000-09-26 Peter 'Luna' Runestig
  * Using X509_NAME_print_ex() instead of X509_NAME_oneline().

2000-10-28 Peter 'Luna' Runestig
  * Changed the `-T ...' command line option specifier to `-z ...',
    keeping silently `-T ...' for backward compatibility.
  * Changed the client's way to validate the server's identity to conform
    to the latest telnet-tls draft.
  * The client now shows the subjectAltName if present in the server cert.

2000-10-29 Peter 'Luna' Runestig
  * Using inet_addr() instead of inet_aton().

2000-10-31 Peter 'Luna' Runestig
  * Fixed my lame way to ignore telnet option negotiations while waiting
    for START_TLS FOLLOWS in the client, shown by Tom Wu.

2000-11-29 Peter 'Luna' Runestig
  * Added support for the zlib compression that is implemented in OpenSSL.
    Version 0.9.6 of OpenSSL must be modified to work with this though
    (remove two ``fprint(stderr, ...)'' lines from crypto/comp/c_zlib.c),
    or use a newer version (where this has already been done).

2000-12-05 Peter 'Luna' Runestig
  * Changed "Eric Young's ZLIB ID" to its _real_ value 0xE0.

2000-12-10 Peter 'Luna' Runestig
  * Changed the `configure' script to not have the zlib enable option
    tightly associated with FORWARD_X, and rather have it on its own.

2000-12-12 Peter 'Luna' Runestig
  * Fixed a few silly OpenSSL-related memory leaks.

2001-01-03 Peter 'Luna' Runestig
  * Changed read_char() in telnet/tlsutil.c to use select() and read().
    For some reason, fgets() doesn't work there for me, `return' doesn't
    terminate the string input reading. Maybe some ncurses issue?

2001-01-24 Peter 'Luna' Runestig
  * Finally took the time to sort out the above read_char() issue. The
    problem was, that after the "ignore telnet options" change 2000-10-31
    MODE_EDIT wasn't set for the terminal, thus (apparently) making
    fgets() not recognizing Carriage Return as the input terminator. Now
    we set MODE_EDIT temporarily in read_char().

2001-01-25 Peter 'Luna' Runestig
  * Portability changes regarding Solaris 8.
  * One-line change to make FORWARD_X work on Solaris 8.

2001-03-15 Peter 'Luna' Runestig
  * Fixed typo in README.TLS.
  * Added command line options CApath and CAfile to the telnet client,
    implemented by Sergio Rabellino.

2001-05-04 Peter 'Luna' Runestig
  * Merged telnet/tlsutil.{c,h} with the ftp-tls client, for easier
    maintenance.

2001-07-03 Peter 'Luna' Runestig
  * Added a few more error text outputs to telnet/tlsutil.c.
  * Added support for ``certificate chain files'', based on input from
    Jeffrey Altman.

2001-11-18 Jeffrey Altman
  * Added the concept of a ``/etc/telnetd-termtype'' file.

2001-12-27 Peter 'Luna' Runestig
  * Added check for EINTR to netflush().

2001-12-31 Peter 'Luna' Runestig
  * Various changes to try to make FORWARD_X go faster.
  * Some DIAG() fixes in fwdxutil.c.
2002-01-06 Peter 'Luna' Runestig
  * Implemented some dump-to-file stuff in telnetd.
  * A rewrite of the DIAG() routines in telnetd/utility.c (me and Jeff).

2002-01-08 Peter 'Luna' Runestig
  * Added DIAG() printout of data telnetd sends, if we are using an
    alternative log file.
  * Added a comment in net_vprintf() in telnetd.

2002-01-09 Peter 'Luna' Runestig
  * Removed my own dump-to-file stuff in telnetd, and instead integrated
    it with the stock printdata(). New option: -D tlsdata

2002-05-19 Peter 'Luna' Runestig
  * telnet: Removed unused function strcasestr() from tlsutil.c.
  * telnet: Made all local functions in tlsutil.c "static".

2002-06-03 Peter 'Luna' Runestig
  * Made the configure switch --with-openssl-dir actually work as
    expected (!).
  * Tiny code formatting change.

2002-06-15 Peter 'Luna' Runestig
  * Added a select()-and-retry call to tls_read() in case of a
    SSL_WANT_READ, suggested by felipe@mailsender.com.br.

2002-06-16 Peter 'Luna' Runestig
  * Removed SSL_OP_ALL from telnetd since it broke zlib compatibility
    with Jeff's code.

2002-07-01 Peter 'Luna' Runestig
  * Added ``nozlib'' command line option to telnetd.
  * Use strdup() in telnetd's tls_set_defaults().

2002-07-03 Peter 'Luna' Runestig
  * Changed default cipher list from "ALL:!EXP" to "ALL:!ADH".
  * Changed the name of telnet's "-z nocomp" to "-z nozlib".

2002-07-20 Peter 'Luna' Runestig
  * Changed the "tls-required" telnetd option to "required".
  * Merged telnetd/tlsutil.{ch} with those for ftpd-tls and proftpd-tls.
  * Changed the telnet/tlsutil.{ch} define PR_FTP to PR_OBSD_FTP.
  * A bit "tidying" of telnet/tlsutil.{ch}, to make it a bit more like
    the server versions.

2002-07-21 Peter 'Luna' Runestig
  * Fixed a "MODE_EDIT-issue" in telnet, when reading a PEM password.
  * Added a "clientcertreq" option to telnetd.

2002-07-23 Peter 'Luna' Runestig
  * Added invalid option check to telnet's tls_optarg().
  * Added handling of SSL_ERROR_SSL and SSL_ERROR_SYSCALL to tls_read()
    and tls_write().
2002-07-30 Peter 'Luna' Runestig
  * Fixed broken order of #include's in telnetd/tlsutil.c.
  * Removed broken 20020722 version from ftp site.

2002-07-31 Peter 'Luna' Runestig
  * Added IPv6 support. Not really done yet, but the basics seem to work.

2002-09-06 Peter 'Luna' Runestig
  * Added "--with-krb5-dir=DIR" to ./configure. If OpenSSL is built with
    Kerberos 5 support, we must link with libkrb5, even if we don't use
    any krb5-related stuff.
  * Tweaked configure.in to work with autoconf 2.53, and removed check
    for unused "des.h".

2003-10-08 Peter 'Luna' Runestig
  * Fixed a bug in PR_TRY_RUN_NATIVE, where `$3' in a comment actually
    got macro expanded. Pointed out by Marius Strobl.

2004-10-08 Peter 'Luna' Runestig
  * Added support for a client CA list file (should have been added long
    ago...).
  * file_fullpath(): Also looks for file in e.g. /etc/ssl.

2005-04-07 Peter 'Luna' Runestig
  * Patched telnet/telnet.c according to the buffer overflows described
    in MIT krb5 Security Advisory 2005-001.