Commit dc9ccaa5 authored by rswindell's avatar rswindell

Added global option to disable BinkP encryption - at Mark Lewis' request.

With this option, it is now possible to support CRAM-MD5 authentication while
not allowing encrypted sessions (inbound or outbound) - not sure why.
parent 2671047f
......@@ -605,6 +605,7 @@ function callout(addr, scfg, locks, bicfg)
bicfg = new BinkITCfg();
bp.system_operator = bicfg.sysop;
bp.plain_auth_only = bicfg.plain_auth_only;
bp.crypt_support = bicfg.crypt_support;
bp.cb_data = {
binkitcfg:bicfg,
binkit_to_addr:addr,
......@@ -622,7 +623,7 @@ function callout(addr, scfg, locks, bicfg)
bp.require_crypt = false;
} else {
bp.require_md5 = !(bp.cb_data.binkitcfg.node[addr].nomd5);
bp.require_crypt = !(bp.cb_data.binkitcfg.node[addr].nocrypt);
bp.require_crypt = bp.crypt_support && !(bp.cb_data.binkitcfg.node[addr].nocrypt);
bp.plain_auth_only = bp.cb_data.binkitcfg.node[addr].plain_auth_only;
}
}
......@@ -1058,7 +1059,7 @@ function inbound_auth_cb(pwd, bp)
if (nocrypt === undefined)
nocrypt = false;
}
bp.require_crypt = !bp.plain_auth_only && !nocrypt;
bp.require_crypt = bp.crypt_support && !bp.plain_auth_only && !nocrypt;
add_outbound_files(addrs, bp);
return ret;
......@@ -1083,6 +1084,7 @@ function run_inbound(sock)
};
bp.system_operator = bp.cb_data.binkitcfg.sysop;
bp.plain_auth_only = bp.cb_data.binkitcfg.plain_auth_only;
bp.crypt_support = bp.cb_data.binkitcfg.crypt_support;
// TODO: Force debug mode for now...
bp.debug = true;
......
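Review bot: In the `callout` hunk the new line `bp.require_crypt = bp.crypt_support && !(bp.cb_data.binkitcfg.node[addr].nocrypt);` silently drops the encryption requirement for a node that has not set `nocrypt` whenever the global option is off, and the matching line in `inbound_auth_cb` does the same for inbound sessions. A link whose node entry implies encryption then runs in cleartext, and nothing in these hunks logs that the global setting overrode it. I would log the override where it happens, for example `if (!bp.crypt_support && !nocrypt) log(LOG_WARNING, "BinkP encryption disabled globally; session will not be encrypted");` in `inbound_auth_cb`, with the equivalent check on the node's `nocrypt` in `callout`. Both functions begin and end outside the hunks shown, so an existing log call elsewhere in them cannot be ruled out.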
......@@ -15,6 +15,7 @@ require('fido.js', 'FIDO');
* debug - If set, logs all sent/received frames via log(LOG_DEBUG)
* require_md5 - Require that the remote support CRAM-MD5 authentication
* plain_auth_only - Use plain-text authentication always (no CRAM-MD5 auth, no encryption)
* crypt_support - Encryption supported
* timeout - Max timeout
* addr_list - list of addresses handled by this system. Defaults to system.fido_addr_list
* system_name - BBS name to send to remote defaults to system.name
......@@ -79,6 +80,7 @@ function BinkP(name_ver, inbound, rx_callback, tx_callback)
this.ver1_1 = false;
this.require_md5 = true;
this.plain_auth_only = false;
this.crypt_support = true;
// IREX VER Internet Rex 2.29 Win32 (binkp/1.1) doesn't work with longer challenges
// TODO: Remove this knob
this.cram_challenge_length = 16;
......@@ -437,7 +439,7 @@ BinkP.prototype.connect = function(addr, password, auth_cb, port, inet_host)
log(LOG_DEBUG, "Connection to "+inet_host+":"+port+" successful");
this.authenticated = undefined;
if (!this.plain_auth_only && password !== '-')
if (this.crypt_support && !this.plain_auth_only && password !== '-')
this.sendCmd(this.command.M_NUL, "OPT CRYPT");
else {
/*
......@@ -572,9 +574,9 @@ BinkP.prototype.accept = function(sock, auth_cb)
this.cram = {algo:'MD5', challenge:challenge.replace(/[0-9a-fA-F]{2}/g, hex2ascii)};
this.authenticated = undefined;
if(this.plain_auth_only)
if(!this.crypt_support || this.plain_auth_only)
this.wont_crypt = true;
else
if(!this.plain_auth_only)
this.sendCmd(this.command.M_NUL, "OPT CRAM-MD5-"+challenge+(this.wont_crypt?"":" CRYPT"));
pkt = this.recvFrame(this.timeout);
if (pkt === undefined || pkt === null)
......
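Review bot: The header comment entry `crypt_support - Encryption supported` does not say what a caller gets when it sets the property to false. From the `connect` and `accept` hunks, false means `OPT CRYPT` is not sent on outbound sessions and `wont_crypt` is set on inbound ones while the CRAM-MD5 challenge is still offered, so I would write `crypt_support - If false, never offer OPT CRYPT (sessions are unencrypted; CRAM-MD5 auth is unaffected). Defaults to true`. It is also worth stating there that `require_crypt` should be left false when `crypt_support` is false, since this file's handling of that combination is not visible in these hunks.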
......@@ -367,6 +367,7 @@ function BinkITCfg()
this.caps = f.iniGetValue('BinkP', 'Capabilities');
this.sysop = f.iniGetValue('BinkP', 'Sysop', system.operator);
this.plain_auth_only = f.iniGetValue('BinkP', 'PlainAuthOnly', false);
this.crypt_support = f.iniGetValue('BinkP', 'CryptSupport', true);
sects = f.iniGetSections('node:');
sects.forEach(function(section) {
var addr = section.substr(5);
......
......@@ -94,6 +94,7 @@ void global_settings(void)
sprintf(opt[i++], "%-25s %s", "BinkP Capabilities", cfg.binkp_caps);
sprintf(opt[i++], "%-25s %s", "BinkP Sysop Name", cfg.binkp_sysop);
sprintf(opt[i++], "%-25s %s", "BinkP Authentication", cfg.binkp_plainAuthOnly ? "Plain Only" : "Plain or CRAM-MD5");
sprintf(opt[i++], "%-25s %s", "BinkP Encryption", cfg.binkp_cryptSupport && !cfg.binkp_plainAuthOnly ? "Supported" : "Unsupported");
}
opt[i][0] = 0;
uifc.helpbuf=
......@@ -171,6 +172,10 @@ void global_settings(void)
" CRAM-MD5 authentication for both inbound and outbound sessions.\n"
" Note: CRAM-MD5 authentication is required for encrypted sessions.\n"
" Default: Plain or CRAM-MD5\n"
"\n"
"`BinkP Encryption` may be set to `Supported` (the default) only when\n"
" BinkP Authentication is set to Plain or CRAM-MD5.\n"
" Default: Supported\n"
;
int key = uifc.list(WIN_BOT|WIN_L2R|WIN_ACT|WIN_SAV, 0, 0, 0, &global_opt,0, "Global Settings", opt);
......@@ -282,6 +287,25 @@ void global_settings(void)
}
break;
}
case 14:
{
if(cfg.binkp_plainAuthOnly) {
uifc.msg("CRAM-MD5 authentication/encryption has been disabled globally");
break;
}
int k = !cfg.binkp_cryptSupport;
switch(uifc.list(WIN_MID|WIN_SAV,0,0,0,&k,0
,"BinkP Encryption Supported",uifcYesNoOpts)) {
case 0:
cfg.binkp_cryptSupport = true;
break;
case 1:
cfg.binkp_cryptSupport = false;
break;
}
break;
}
}
}
}
......@@ -375,7 +399,8 @@ void binkp_settings(nodecfg_t* node)
char* auth = "Plain Only";
char* crypt = "Unsupported";
if(!cfg.binkp_plainAuthOnly && !node->binkp_plainAuthOnly) {
crypt = node->binkp_allowPlainText ? "Supported" : "Required";
if(cfg.binkp_cryptSupport)
crypt = node->binkp_allowPlainText ? "Supported" : "Required";
if(node->binkp_allowPlainAuth)
auth = "Plain or CRAM-MD5";
else
......@@ -444,7 +469,7 @@ void binkp_settings(nodecfg_t* node)
break;
case 3:
if(cfg.binkp_plainAuthOnly) {
uifc.msg("CRAM-MD5 authentication/encryption has been disabled globally");
uifc.msg("CRAM-MD5 authentication/ has been disabled globally");
break;
}
k = node->binkp_plainAuthOnly ? 0 : (1 + !node->binkp_allowPlainAuth);
......@@ -474,6 +499,10 @@ void binkp_settings(nodecfg_t* node)
}
break;
case 4:
if(!cfg.binkp_cryptSupport) {
uifc.msg("BinkP encryption has been disabled globally");
break;
}
if(cfg.binkp_plainAuthOnly) {
uifc.msg("CRAM-MD5 authentication/encryption has been disabled globally");
break;
......
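Review bot: The reworded message in `binkp_settings` case 3, `uifc.msg("CRAM-MD5 authentication/ has been disabled globally");`, leaves a dangling slash in text shown to the sysop. That case edits the authentication setting, so `uifc.msg("CRAM-MD5 authentication has been disabled globally");` reads as intended. The original "authentication/encryption" wording is still used in case 4 and in `global_settings` case 14, where it remains accurate. `binkp_settings` starts and ends outside the hunks shown.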
......@@ -312,6 +312,7 @@ bool sbbsecho_read_ini(sbbsecho_cfg_t* cfg)
SAFECOPY(cfg->binkp_caps, iniGetString(ini, "BinkP", "Capabilities", "", value));
SAFECOPY(cfg->binkp_sysop, iniGetString(ini, "BinkP", "Sysop", "", value));
cfg->binkp_plainAuthOnly = iniGetBool(ini, "BinkP", "PlainAuthOnly", FALSE);
cfg->binkp_cryptSupport = iniGetBool(ini, "BinkP", "CryptSupport", TRUE);
/******************/
/* Archive Types: */
......@@ -548,6 +549,7 @@ bool sbbsecho_write_ini(sbbsecho_cfg_t* cfg)
iniSetString(&ini, "BinkP" , "Capabilities" ,cfg->binkp_caps ,&style);
iniSetString(&ini, "BinkP" , "Sysop" ,cfg->binkp_sysop ,&style);
iniSetBool(&ini, "BinkP" , "PlainAuthOnly" ,cfg->binkp_plainAuthOnly ,&style);
iniSetBool(&ini, "BinkP" , "CryptSupport" ,cfg->binkp_cryptSupport ,&style);
/******************/
/* Archive Types: */
......
......@@ -222,6 +222,7 @@ typedef struct {
char binkp_caps[64];
char binkp_sysop[64];
bool binkp_plainAuthOnly;
bool binkp_cryptSupport;
} sbbsecho_cfg_t;
char* pktTypeStringList[PKT_TYPES_SUPPORTED+1];
......