1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #ifndef lint
31 #if 0
32 static const char sccsid[] = "@(#)encrypt.c 8.2 (Berkeley) 5/30/95";
33 #endif
34 #endif /* not lint */
35
36 /*
37 * Copyright (C) 1990 by the Massachusetts Institute of Technology
38 *
39 * Export of this software from the United States of America is assumed
40 * to require a specific license from the United States Government.
41 * It is the responsibility of any person or organization contemplating
42 * export to obtain such a license before exporting.
43 *
44 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45 * distribute this software and its documentation for any purpose and
46 * without fee is hereby granted, provided that the above copyright
47 * notice appear in all copies and that both that copyright notice and
48 * this permission notice appear in supporting documentation, and that
49 * the name of M.I.T. not be used in advertising or publicity pertaining
50 * to distribution of the software without specific, written prior
51 * permission. M.I.T. makes no representations about the suitability of
52 * this software for any purpose. It is provided "as is" without express
53 * or implied warranty.
54 */
55
56 #ifdef ENCRYPTION
57
58 #include <sys/types.h>
59 #define ENCRYPT_NAMES
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64
65 #include "encrypt.h"
66 #include "misc.h"
67
68 /*
69 * These functions pointers point to the current routines
70 * for encrypting and decrypting data.
71 */
72 void (*encrypt_output)(unsigned char *, int);
73 int (*decrypt_input)(int);
74
75 int EncryptType(char *type, char *mode);
76 int EncryptStart(char *mode);
77 int EncryptStop(char *mode);
78 int EncryptStartInput(void);
79 int EncryptStartOutput(void);
80 int EncryptStopInput(void);
81 int EncryptStopOutput(void);
82
83 int encrypt_debug_mode = 0;
84 static int decrypt_mode = 0;
85 static int encrypt_mode = 0;
86 static int encrypt_verbose = 0;
87 static int autoencrypt = 0;
88 static int autodecrypt = 0;
89 static int havesessionkey = 0;
90 static int Server = 0;
91 static const char *Name = "Noname";
92
93 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
94
95 static u_long i_support_encrypt = 0
96 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
97 |0;
98 static u_long i_support_decrypt = 0
99 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
100 |0;
101
102 static u_long i_wont_support_encrypt = 0;
103 static u_long i_wont_support_decrypt = 0;
104 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
105 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
106
107 static u_long remote_supports_encrypt = 0;
108 static u_long remote_supports_decrypt = 0;
109
110 static Encryptions encryptions[] = {
111 { "DES_CFB64", ENCTYPE_DES_CFB64,
112 cfb64_encrypt,
113 cfb64_decrypt,
114 cfb64_init,
115 cfb64_start,
116 cfb64_is,
117 cfb64_reply,
118 cfb64_session,
119 cfb64_keyid,
120 cfb64_printsub },
121 { "DES_OFB64", ENCTYPE_DES_OFB64,
122 ofb64_encrypt,
123 ofb64_decrypt,
124 ofb64_init,
125 ofb64_start,
126 ofb64_is,
127 ofb64_reply,
128 ofb64_session,
129 ofb64_keyid,
130 ofb64_printsub },
131 { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
132 };
133
134 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
135 ENCRYPT_SUPPORT };
136 static unsigned char str_suplen = 0;
137 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
138 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
139
140 Encryptions *
findencryption(int type)141 findencryption(int type)
142 {
143 Encryptions *ep = encryptions;
144
145 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
146 return(0);
147 while (ep->type && ep->type != type)
148 ++ep;
149 return(ep->type ? ep : 0);
150 }
151
152 static Encryptions *
finddecryption(int type)153 finddecryption(int type)
154 {
155 Encryptions *ep = encryptions;
156
157 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
158 return(0);
159 while (ep->type && ep->type != type)
160 ++ep;
161 return(ep->type ? ep : 0);
162 }
163
164 #define MAXKEYLEN 64
165
166 static struct key_info {
167 unsigned char keyid[MAXKEYLEN];
168 int keylen;
169 int dir;
170 int *modep;
171 Encryptions *(*getcrypt)(int);
172 } ki[2] = {
173 { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
174 { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
175 };
176
177 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
178
179 void
encrypt_init(const char * name,int server)180 encrypt_init(const char *name, int server)
181 {
182 Encryptions *ep = encryptions;
183
184 Name = name;
185 Server = server;
186 i_support_encrypt = i_support_decrypt = 0;
187 remote_supports_encrypt = remote_supports_decrypt = 0;
188 encrypt_mode = 0;
189 decrypt_mode = 0;
190 encrypt_output = 0;
191 decrypt_input = 0;
192
193 str_suplen = 4;
194
195 while (ep->type) {
196 if (encrypt_debug_mode)
197 printf(">>>%s: I will support %s\r\n",
198 Name, ENCTYPE_NAME(ep->type));
199 i_support_encrypt |= typemask(ep->type);
200 i_support_decrypt |= typemask(ep->type);
201 if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
202 if ((str_send[str_suplen++] = ep->type) == IAC)
203 str_send[str_suplen++] = IAC;
204 if (ep->init)
205 (*ep->init)(Server);
206 ++ep;
207 }
208 str_send[str_suplen++] = IAC;
209 str_send[str_suplen++] = SE;
210 }
211
212 static void
encrypt_list_types(void)213 encrypt_list_types(void)
214 {
215 Encryptions *ep = encryptions;
216
217 printf("Valid encryption types:\n");
218 while (ep->type) {
219 printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
220 ++ep;
221 }
222 }
223
224 int
EncryptEnable(char * type,char * mode)225 EncryptEnable(char *type, char *mode)
226 {
227 if (isprefix(type, "help") || isprefix(type, "?")) {
228 printf("Usage: encrypt enable <type> [input|output]\n");
229 encrypt_list_types();
230 return(0);
231 }
232 if (EncryptType(type, mode))
233 return(EncryptStart(mode));
234 return(0);
235 }
236
237 int
EncryptDisable(char * type,char * mode)238 EncryptDisable(char *type, char *mode)
239 {
240 Encryptions *ep;
241 int ret = 0;
242
243 if (isprefix(type, "help") || isprefix(type, "?")) {
244 printf("Usage: encrypt disable <type> [input|output]\n");
245 encrypt_list_types();
246 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
247 sizeof(Encryptions))) == 0) {
248 printf("%s: invalid encryption type\n", type);
249 } else if (Ambiguous((char **)ep)) {
250 printf("Ambiguous type '%s'\n", type);
251 } else {
252 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
253 if (decrypt_mode == ep->type)
254 EncryptStopInput();
255 i_wont_support_decrypt |= typemask(ep->type);
256 ret = 1;
257 }
258 if ((mode == 0) || (isprefix(mode, "output"))) {
259 if (encrypt_mode == ep->type)
260 EncryptStopOutput();
261 i_wont_support_encrypt |= typemask(ep->type);
262 ret = 1;
263 }
264 if (ret == 0)
265 printf("%s: invalid encryption mode\n", mode);
266 }
267 return(ret);
268 }
269
270 int
EncryptType(char * type,char * mode)271 EncryptType(char *type, char *mode)
272 {
273 Encryptions *ep;
274 int ret = 0;
275
276 if (isprefix(type, "help") || isprefix(type, "?")) {
277 printf("Usage: encrypt type <type> [input|output]\n");
278 encrypt_list_types();
279 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
280 sizeof(Encryptions))) == 0) {
281 printf("%s: invalid encryption type\n", type);
282 } else if (Ambiguous((char **)ep)) {
283 printf("Ambiguous type '%s'\n", type);
284 } else {
285 if ((mode == 0) || isprefix(mode, "input")) {
286 decrypt_mode = ep->type;
287 i_wont_support_decrypt &= ~typemask(ep->type);
288 ret = 1;
289 }
290 if ((mode == 0) || isprefix(mode, "output")) {
291 encrypt_mode = ep->type;
292 i_wont_support_encrypt &= ~typemask(ep->type);
293 ret = 1;
294 }
295 if (ret == 0)
296 printf("%s: invalid encryption mode\n", mode);
297 }
298 return(ret);
299 }
300
301 int
EncryptStart(char * mode)302 EncryptStart(char *mode)
303 {
304 int ret = 0;
305 if (mode) {
306 if (isprefix(mode, "input"))
307 return(EncryptStartInput());
308 if (isprefix(mode, "output"))
309 return(EncryptStartOutput());
310 if (isprefix(mode, "help") || isprefix(mode, "?")) {
311 printf("Usage: encrypt start [input|output]\n");
312 return(0);
313 }
314 printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
315 return(0);
316 }
317 ret += EncryptStartInput();
318 ret += EncryptStartOutput();
319 return(ret);
320 }
321
322 int
EncryptStartInput(void)323 EncryptStartInput(void)
324 {
325 if (decrypt_mode) {
326 encrypt_send_request_start();
327 return(1);
328 }
329 printf("No previous decryption mode, decryption not enabled\r\n");
330 return(0);
331 }
332
333 int
EncryptStartOutput(void)334 EncryptStartOutput(void)
335 {
336 if (encrypt_mode) {
337 encrypt_start_output(encrypt_mode);
338 return(1);
339 }
340 printf("No previous encryption mode, encryption not enabled\r\n");
341 return(0);
342 }
343
344 int
EncryptStop(char * mode)345 EncryptStop(char *mode)
346 {
347 int ret = 0;
348 if (mode) {
349 if (isprefix(mode, "input"))
350 return(EncryptStopInput());
351 if (isprefix(mode, "output"))
352 return(EncryptStopOutput());
353 if (isprefix(mode, "help") || isprefix(mode, "?")) {
354 printf("Usage: encrypt stop [input|output]\n");
355 return(0);
356 }
357 printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
358 return(0);
359 }
360 ret += EncryptStopInput();
361 ret += EncryptStopOutput();
362 return(ret);
363 }
364
365 int
EncryptStopInput(void)366 EncryptStopInput(void)
367 {
368 encrypt_send_request_end();
369 return(1);
370 }
371
372 int
EncryptStopOutput(void)373 EncryptStopOutput(void)
374 {
375 encrypt_send_end();
376 return(1);
377 }
378
379 void
encrypt_display(void)380 encrypt_display(void)
381 {
382 if (encrypt_output)
383 printf("Currently encrypting output with %s\r\n",
384 ENCTYPE_NAME(encrypt_mode));
385 if (decrypt_input)
386 printf("Currently decrypting input with %s\r\n",
387 ENCTYPE_NAME(decrypt_mode));
388 }
389
390 int
EncryptStatus(void)391 EncryptStatus(void)
392 {
393 if (encrypt_output)
394 printf("Currently encrypting output with %s\r\n",
395 ENCTYPE_NAME(encrypt_mode));
396 else if (encrypt_mode) {
397 printf("Currently output is clear text.\r\n");
398 printf("Last encryption mode was %s\r\n",
399 ENCTYPE_NAME(encrypt_mode));
400 }
401 if (decrypt_input) {
402 printf("Currently decrypting input with %s\r\n",
403 ENCTYPE_NAME(decrypt_mode));
404 } else if (decrypt_mode) {
405 printf("Currently input is clear text.\r\n");
406 printf("Last decryption mode was %s\r\n",
407 ENCTYPE_NAME(decrypt_mode));
408 }
409 return 1;
410 }
411
412 void
encrypt_send_support(void)413 encrypt_send_support(void)
414 {
415 if (str_suplen) {
416 /*
417 * If the user has requested that decryption start
418 * immediatly, then send a "REQUEST START" before
419 * we negotiate the type.
420 */
421 if (!Server && autodecrypt)
422 encrypt_send_request_start();
423 net_write(str_send, str_suplen);
424 printsub('>', &str_send[2], str_suplen - 2);
425 str_suplen = 0;
426 }
427 }
428
429 int
EncryptDebug(int on)430 EncryptDebug(int on)
431 {
432 if (on < 0)
433 encrypt_debug_mode ^= 1;
434 else
435 encrypt_debug_mode = on;
436 printf("Encryption debugging %s\r\n",
437 encrypt_debug_mode ? "enabled" : "disabled");
438 return(1);
439 }
440
441 int
EncryptVerbose(int on)442 EncryptVerbose(int on)
443 {
444 if (on < 0)
445 encrypt_verbose ^= 1;
446 else
447 encrypt_verbose = on;
448 printf("Encryption %s verbose\r\n",
449 encrypt_verbose ? "is" : "is not");
450 return(1);
451 }
452
453 int
EncryptAutoEnc(int on)454 EncryptAutoEnc(int on)
455 {
456 encrypt_auto(on);
457 printf("Automatic encryption of output is %s\r\n",
458 autoencrypt ? "enabled" : "disabled");
459 return(1);
460 }
461
462 int
EncryptAutoDec(int on)463 EncryptAutoDec(int on)
464 {
465 decrypt_auto(on);
466 printf("Automatic decryption of input is %s\r\n",
467 autodecrypt ? "enabled" : "disabled");
468 return(1);
469 }
470
471 /*
472 * Called when ENCRYPT SUPPORT is received.
473 */
474 void
encrypt_support(unsigned char * typelist,int cnt)475 encrypt_support(unsigned char *typelist, int cnt)
476 {
477 int type, use_type = 0;
478 Encryptions *ep;
479
480 /*
481 * Forget anything the other side has previously told us.
482 */
483 remote_supports_decrypt = 0;
484
485 while (cnt-- > 0) {
486 type = *typelist++;
487 if (encrypt_debug_mode)
488 printf(">>>%s: He is supporting %s (%d)\r\n",
489 Name,
490 ENCTYPE_NAME(type), type);
491 if ((type < ENCTYPE_CNT) &&
492 (I_SUPPORT_ENCRYPT & typemask(type))) {
493 remote_supports_decrypt |= typemask(type);
494 if (use_type == 0)
495 use_type = type;
496 }
497 }
498 if (use_type) {
499 ep = findencryption(use_type);
500 if (!ep)
501 return;
502 type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
503 if (encrypt_debug_mode)
504 printf(">>>%s: (*ep->start)() returned %d\r\n",
505 Name, type);
506 if (type < 0)
507 return;
508 encrypt_mode = use_type;
509 if (type == 0)
510 encrypt_start_output(use_type);
511 }
512 }
513
514 void
encrypt_is(unsigned char * data,int cnt)515 encrypt_is(unsigned char *data, int cnt)
516 {
517 Encryptions *ep;
518 int type, ret;
519
520 if (--cnt < 0)
521 return;
522 type = *data++;
523 if (type < ENCTYPE_CNT)
524 remote_supports_encrypt |= typemask(type);
525 if (!(ep = finddecryption(type))) {
526 if (encrypt_debug_mode)
527 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
528 Name,
529 ENCTYPE_NAME_OK(type)
530 ? ENCTYPE_NAME(type) : "(unknown)",
531 type);
532 return;
533 }
534 if (!ep->is) {
535 if (encrypt_debug_mode)
536 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
537 Name,
538 ENCTYPE_NAME_OK(type)
539 ? ENCTYPE_NAME(type) : "(unknown)",
540 type);
541 ret = 0;
542 } else {
543 ret = (*ep->is)(data, cnt);
544 if (encrypt_debug_mode)
545 printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
546 (ret < 0) ? "FAIL " :
547 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
548 }
549 if (ret < 0) {
550 autodecrypt = 0;
551 } else {
552 decrypt_mode = type;
553 if (ret == 0 && autodecrypt)
554 encrypt_send_request_start();
555 }
556 }
557
558 void
encrypt_reply(unsigned char * data,int cnt)559 encrypt_reply(unsigned char *data, int cnt)
560 {
561 Encryptions *ep;
562 int ret, type;
563
564 if (--cnt < 0)
565 return;
566 type = *data++;
567 if (!(ep = findencryption(type))) {
568 if (encrypt_debug_mode)
569 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
570 Name,
571 ENCTYPE_NAME_OK(type)
572 ? ENCTYPE_NAME(type) : "(unknown)",
573 type);
574 return;
575 }
576 if (!ep->reply) {
577 if (encrypt_debug_mode)
578 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
579 Name,
580 ENCTYPE_NAME_OK(type)
581 ? ENCTYPE_NAME(type) : "(unknown)",
582 type);
583 ret = 0;
584 } else {
585 ret = (*ep->reply)(data, cnt);
586 if (encrypt_debug_mode)
587 printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
588 data, cnt,
589 (ret < 0) ? "FAIL " :
590 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
591 }
592 if (encrypt_debug_mode)
593 printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
594 if (ret < 0) {
595 autoencrypt = 0;
596 } else {
597 encrypt_mode = type;
598 if (ret == 0 && autoencrypt)
599 encrypt_start_output(type);
600 }
601 }
602
603 /*
604 * Called when a ENCRYPT START command is received.
605 */
606 void
encrypt_start(unsigned char * data __unused,int cnt __unused)607 encrypt_start(unsigned char *data __unused, int cnt __unused)
608 {
609 Encryptions *ep;
610
611 if (!decrypt_mode) {
612 /*
613 * Something is wrong. We should not get a START
614 * command without having already picked our
615 * decryption scheme. Send a REQUEST-END to
616 * attempt to clear the channel...
617 */
618 printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
619 encrypt_send_request_end();
620 return;
621 }
622
623 if ((ep = finddecryption(decrypt_mode))) {
624 decrypt_input = ep->input;
625 if (encrypt_verbose)
626 printf("[ Input is now decrypted with type %s ]\r\n",
627 ENCTYPE_NAME(decrypt_mode));
628 if (encrypt_debug_mode)
629 printf(">>>%s: Start to decrypt input with type %s\r\n",
630 Name, ENCTYPE_NAME(decrypt_mode));
631 } else {
632 printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
633 Name,
634 ENCTYPE_NAME_OK(decrypt_mode)
635 ? ENCTYPE_NAME(decrypt_mode)
636 : "(unknown)",
637 decrypt_mode);
638 encrypt_send_request_end();
639 }
640 }
641
642 void
encrypt_session_key(Session_Key * key,int server)643 encrypt_session_key( Session_Key *key, int server)
644 {
645 Encryptions *ep = encryptions;
646
647 havesessionkey = 1;
648
649 while (ep->type) {
650 if (ep->session)
651 (*ep->session)(key, server);
652 ++ep;
653 }
654 }
655
656 /*
657 * Called when ENCRYPT END is received.
658 */
659 void
encrypt_end(void)660 encrypt_end(void)
661 {
662 decrypt_input = 0;
663 if (encrypt_debug_mode)
664 printf(">>>%s: Input is back to clear text\r\n", Name);
665 if (encrypt_verbose)
666 printf("[ Input is now clear text ]\r\n");
667 }
668
669 /*
670 * Called when ENCRYPT REQUEST-END is received.
671 */
672 void
encrypt_request_end(void)673 encrypt_request_end(void)
674 {
675 encrypt_send_end();
676 }
677
678 /*
679 * Called when ENCRYPT REQUEST-START is received. If we receive
680 * this before a type is picked, then that indicates that the
681 * other side wants us to start encrypting data as soon as we
682 * can.
683 */
684 void
encrypt_request_start(unsigned char * data __unused,int cnt __unused)685 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
686 {
687 if (encrypt_mode == 0) {
688 if (Server)
689 autoencrypt = 1;
690 return;
691 }
692 encrypt_start_output(encrypt_mode);
693 }
694
695 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
696
697 void
encrypt_enc_keyid(unsigned char * keyid,int len)698 encrypt_enc_keyid(unsigned char *keyid, int len)
699 {
700 encrypt_keyid(&ki[1], keyid, len);
701 }
702
703 void
encrypt_dec_keyid(unsigned char * keyid,int len)704 encrypt_dec_keyid(unsigned char *keyid, int len)
705 {
706 encrypt_keyid(&ki[0], keyid, len);
707 }
708
709 void
encrypt_keyid(struct key_info * kp,unsigned char * keyid,int len)710 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
711 {
712 Encryptions *ep;
713 int dir = kp->dir;
714 int ret = 0;
715
716 if (len > MAXKEYLEN)
717 len = MAXKEYLEN;
718
719 if (!(ep = (*kp->getcrypt)(*kp->modep))) {
720 if (len == 0)
721 return;
722 kp->keylen = 0;
723 } else if (len == 0) {
724 /*
725 * Empty option, indicates a failure.
726 */
727 if (kp->keylen == 0)
728 return;
729 kp->keylen = 0;
730 if (ep->keyid)
731 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
732
733 } else if ((len != kp->keylen) ||
734 (memcmp(keyid, kp->keyid, len) != 0)) {
735 /*
736 * Length or contents are different
737 */
738 kp->keylen = len;
739 memmove(kp->keyid, keyid, len);
740 if (ep->keyid)
741 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
742 } else {
743 if (ep->keyid)
744 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
745 if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
746 encrypt_start_output(*kp->modep);
747 return;
748 }
749
750 encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
751 }
752
753 void
encrypt_send_keyid(int dir,const char * keyid,int keylen,int saveit)754 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
755 {
756 unsigned char *strp;
757
758 str_keyid[3] = (dir == DIR_ENCRYPT)
759 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
760 if (saveit) {
761 struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
762 memmove(kp->keyid, keyid, keylen);
763 kp->keylen = keylen;
764 }
765
766 for (strp = &str_keyid[4]; keylen > 0; --keylen) {
767 if ((*strp++ = *keyid++) == IAC)
768 *strp++ = IAC;
769 }
770 *strp++ = IAC;
771 *strp++ = SE;
772 net_write(str_keyid, strp - str_keyid);
773 printsub('>', &str_keyid[2], strp - str_keyid - 2);
774 }
775
776 void
encrypt_auto(int on)777 encrypt_auto(int on)
778 {
779 if (on < 0)
780 autoencrypt ^= 1;
781 else
782 autoencrypt = on ? 1 : 0;
783 }
784
785 void
decrypt_auto(int on)786 decrypt_auto(int on)
787 {
788 if (on < 0)
789 autodecrypt ^= 1;
790 else
791 autodecrypt = on ? 1 : 0;
792 }
793
794 void
encrypt_start_output(int type)795 encrypt_start_output(int type)
796 {
797 Encryptions *ep;
798 unsigned char *p;
799 int i;
800
801 if (!(ep = findencryption(type))) {
802 if (encrypt_debug_mode) {
803 printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
804 Name,
805 ENCTYPE_NAME_OK(type)
806 ? ENCTYPE_NAME(type) : "(unknown)",
807 type);
808 }
809 return;
810 }
811 if (ep->start) {
812 i = (*ep->start)(DIR_ENCRYPT, Server);
813 if (encrypt_debug_mode) {
814 printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
815 Name,
816 (i < 0) ? "failed" :
817 "initial negotiation in progress",
818 i, ENCTYPE_NAME(type));
819 }
820 if (i)
821 return;
822 }
823 p = str_start + 3;
824 *p++ = ENCRYPT_START;
825 for (i = 0; i < ki[0].keylen; ++i) {
826 if ((*p++ = ki[0].keyid[i]) == IAC)
827 *p++ = IAC;
828 }
829 *p++ = IAC;
830 *p++ = SE;
831 net_write(str_start, p - str_start);
832 net_encrypt();
833 printsub('>', &str_start[2], p - &str_start[2]);
834 /*
835 * If we are already encrypting in some mode, then
836 * encrypt the ring (which includes our request) in
837 * the old mode, mark it all as "clear text" and then
838 * switch to the new mode.
839 */
840 encrypt_output = ep->output;
841 encrypt_mode = type;
842 if (encrypt_debug_mode)
843 printf(">>>%s: Started to encrypt output with type %s\r\n",
844 Name, ENCTYPE_NAME(type));
845 if (encrypt_verbose)
846 printf("[ Output is now encrypted with type %s ]\r\n",
847 ENCTYPE_NAME(type));
848 }
849
850 void
encrypt_send_end(void)851 encrypt_send_end(void)
852 {
853 if (!encrypt_output)
854 return;
855
856 str_end[3] = ENCRYPT_END;
857 net_write(str_end, sizeof(str_end));
858 net_encrypt();
859 printsub('>', &str_end[2], sizeof(str_end) - 2);
860 /*
861 * Encrypt the output buffer now because it will not be done by
862 * netflush...
863 */
864 encrypt_output = 0;
865 if (encrypt_debug_mode)
866 printf(">>>%s: Output is back to clear text\r\n", Name);
867 if (encrypt_verbose)
868 printf("[ Output is now clear text ]\r\n");
869 }
870
871 void
encrypt_send_request_start(void)872 encrypt_send_request_start(void)
873 {
874 unsigned char *p;
875 int i;
876
877 p = &str_start[3];
878 *p++ = ENCRYPT_REQSTART;
879 for (i = 0; i < ki[1].keylen; ++i) {
880 if ((*p++ = ki[1].keyid[i]) == IAC)
881 *p++ = IAC;
882 }
883 *p++ = IAC;
884 *p++ = SE;
885 net_write(str_start, p - str_start);
886 printsub('>', &str_start[2], p - &str_start[2]);
887 if (encrypt_debug_mode)
888 printf(">>>%s: Request input to be encrypted\r\n", Name);
889 }
890
891 void
encrypt_send_request_end(void)892 encrypt_send_request_end(void)
893 {
894 str_end[3] = ENCRYPT_REQEND;
895 net_write(str_end, sizeof(str_end));
896 printsub('>', &str_end[2], sizeof(str_end) - 2);
897
898 if (encrypt_debug_mode)
899 printf(">>>%s: Request input to be clear text\r\n", Name);
900 }
901
902 void
encrypt_wait(void)903 encrypt_wait(void)
904 {
905 if (encrypt_debug_mode)
906 printf(">>>%s: in encrypt_wait\r\n", Name);
907 if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
908 return;
909 while (autoencrypt && !encrypt_output)
910 if (telnet_spin())
911 return;
912 }
913
914 void
encrypt_gen_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)915 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
916 {
917 char tbuf[16], *cp;
918
919 cnt -= 2;
920 data += 2;
921 buf[buflen-1] = '\0';
922 buf[buflen-2] = '*';
923 buflen -= 2;;
924 for (; cnt > 0; cnt--, data++) {
925 sprintf(tbuf, " %d", *data);
926 for (cp = tbuf; *cp && buflen > 0; --buflen)
927 *buf++ = *cp++;
928 if (buflen <= 0)
929 return;
930 }
931 *buf = '\0';
932 }
933
934 void
encrypt_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)935 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
936 {
937 Encryptions *ep;
938 int type = data[1];
939
940 for (ep = encryptions; ep->type && ep->type != type; ep++)
941 ;
942
943 if (ep->printsub)
944 (*ep->printsub)(data, cnt, buf, buflen);
945 else
946 encrypt_gen_printsub(data, cnt, buf, buflen);
947 }
948 #endif /* ENCRYPTION */
949