xref: /freebsd/contrib/telnet/libtelnet/encrypt.c (revision 02e9120893770924227138ba49df1edb3896112a)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #ifndef lint
31 #if 0
32 static const char sccsid[] = "@(#)encrypt.c	8.2 (Berkeley) 5/30/95";
33 #endif
34 #endif /* not lint */
35 
36 /*
37  * Copyright (C) 1990 by the Massachusetts Institute of Technology
38  *
39  * Export of this software from the United States of America is assumed
40  * to require a specific license from the United States Government.
41  * It is the responsibility of any person or organization contemplating
42  * export to obtain such a license before exporting.
43  *
44  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45  * distribute this software and its documentation for any purpose and
46  * without fee is hereby granted, provided that the above copyright
47  * notice appear in all copies and that both that copyright notice and
48  * this permission notice appear in supporting documentation, and that
49  * the name of M.I.T. not be used in advertising or publicity pertaining
50  * to distribution of the software without specific, written prior
51  * permission.  M.I.T. makes no representations about the suitability of
52  * this software for any purpose.  It is provided "as is" without express
53  * or implied warranty.
54  */
55 
56 #ifdef	ENCRYPTION
57 
58 #include <sys/types.h>
59 #define	ENCRYPT_NAMES
60 #include <arpa/telnet.h>
61 #include <stdio.h>
62 #include <stdlib.h>
63 #include <string.h>
64 
65 #include "encrypt.h"
66 #include "misc.h"
67 
68 /*
69  * These functions pointers point to the current routines
70  * for encrypting and decrypting data.
71  */
72 void	(*encrypt_output)(unsigned char *, int);
73 int	(*decrypt_input)(int);
74 
75 int EncryptType(char *type, char *mode);
76 int EncryptStart(char *mode);
77 int EncryptStop(char *mode);
78 int EncryptStartInput(void);
79 int EncryptStartOutput(void);
80 int EncryptStopInput(void);
81 int EncryptStopOutput(void);
82 
83 int encrypt_debug_mode = 0;
84 static int decrypt_mode = 0;
85 static int encrypt_mode = 0;
86 static int encrypt_verbose = 0;
87 static int autoencrypt = 0;
88 static int autodecrypt = 0;
89 static int havesessionkey = 0;
90 static int Server = 0;
91 static const char *Name = "Noname";
92 
93 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
94 
95 static u_long i_support_encrypt = 0
96  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
97  |0;
98 static u_long i_support_decrypt = 0
99  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
100  |0;
101 
102 static u_long i_wont_support_encrypt = 0;
103 static u_long i_wont_support_decrypt = 0;
104 #define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
105 #define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
106 
107 static u_long remote_supports_encrypt = 0;
108 static u_long remote_supports_decrypt = 0;
109 
110 static Encryptions encryptions[] = {
111     { "DES_CFB64",	ENCTYPE_DES_CFB64,
112 			cfb64_encrypt,
113 			cfb64_decrypt,
114 			cfb64_init,
115 			cfb64_start,
116 			cfb64_is,
117 			cfb64_reply,
118 			cfb64_session,
119 			cfb64_keyid,
120 			cfb64_printsub },
121     { "DES_OFB64",	ENCTYPE_DES_OFB64,
122 			ofb64_encrypt,
123 			ofb64_decrypt,
124 			ofb64_init,
125 			ofb64_start,
126 			ofb64_is,
127 			ofb64_reply,
128 			ofb64_session,
129 			ofb64_keyid,
130 			ofb64_printsub },
131     { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
132 };
133 
134 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
135 					 ENCRYPT_SUPPORT };
136 static unsigned char str_suplen = 0;
137 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
138 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
139 
140 Encryptions *
141 findencryption(int type)
142 {
143 	Encryptions *ep = encryptions;
144 
145 	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
146 		return(0);
147 	while (ep->type && ep->type != type)
148 		++ep;
149 	return(ep->type ? ep : 0);
150 }
151 
152 static Encryptions *
153 finddecryption(int type)
154 {
155 	Encryptions *ep = encryptions;
156 
157 	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
158 		return(0);
159 	while (ep->type && ep->type != type)
160 		++ep;
161 	return(ep->type ? ep : 0);
162 }
163 
164 #define	MAXKEYLEN 64
165 
166 static struct key_info {
167 	unsigned char keyid[MAXKEYLEN];
168 	int keylen;
169 	int dir;
170 	int *modep;
171 	Encryptions *(*getcrypt)(int);
172 } ki[2] = {
173 	{ { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
174 	{ { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
175 };
176 
177 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
178 
179 void
180 encrypt_init(const char *name, int server)
181 {
182 	Encryptions *ep = encryptions;
183 
184 	Name = name;
185 	Server = server;
186 	i_support_encrypt = i_support_decrypt = 0;
187 	remote_supports_encrypt = remote_supports_decrypt = 0;
188 	encrypt_mode = 0;
189 	decrypt_mode = 0;
190 	encrypt_output = 0;
191 	decrypt_input = 0;
192 
193 	str_suplen = 4;
194 
195 	while (ep->type) {
196 		if (encrypt_debug_mode)
197 			printf(">>>%s: I will support %s\r\n",
198 				Name, ENCTYPE_NAME(ep->type));
199 		i_support_encrypt |= typemask(ep->type);
200 		i_support_decrypt |= typemask(ep->type);
201 		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
202 			if ((str_send[str_suplen++] = ep->type) == IAC)
203 				str_send[str_suplen++] = IAC;
204 		if (ep->init)
205 			(*ep->init)(Server);
206 		++ep;
207 	}
208 	str_send[str_suplen++] = IAC;
209 	str_send[str_suplen++] = SE;
210 }
211 
212 static void
213 encrypt_list_types(void)
214 {
215 	Encryptions *ep = encryptions;
216 
217 	printf("Valid encryption types:\n");
218 	while (ep->type) {
219 		printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
220 		++ep;
221 	}
222 }
223 
224 int
225 EncryptEnable(char *type, char *mode)
226 {
227 	if (isprefix(type, "help") || isprefix(type, "?")) {
228 		printf("Usage: encrypt enable <type> [input|output]\n");
229 		encrypt_list_types();
230 		return(0);
231 	}
232 	if (EncryptType(type, mode))
233 		return(EncryptStart(mode));
234 	return(0);
235 }
236 
237 int
238 EncryptDisable(char *type, char *mode)
239 {
240 	Encryptions *ep;
241 	int ret = 0;
242 
243 	if (isprefix(type, "help") || isprefix(type, "?")) {
244 		printf("Usage: encrypt disable <type> [input|output]\n");
245 		encrypt_list_types();
246 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
247 						sizeof(Encryptions))) == 0) {
248 		printf("%s: invalid encryption type\n", type);
249 	} else if (Ambiguous((char **)ep)) {
250 		printf("Ambiguous type '%s'\n", type);
251 	} else {
252 		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
253 			if (decrypt_mode == ep->type)
254 				EncryptStopInput();
255 			i_wont_support_decrypt |= typemask(ep->type);
256 			ret = 1;
257 		}
258 		if ((mode == 0) || (isprefix(mode, "output"))) {
259 			if (encrypt_mode == ep->type)
260 				EncryptStopOutput();
261 			i_wont_support_encrypt |= typemask(ep->type);
262 			ret = 1;
263 		}
264 		if (ret == 0)
265 			printf("%s: invalid encryption mode\n", mode);
266 	}
267 	return(ret);
268 }
269 
270 int
271 EncryptType(char *type, char *mode)
272 {
273 	Encryptions *ep;
274 	int ret = 0;
275 
276 	if (isprefix(type, "help") || isprefix(type, "?")) {
277 		printf("Usage: encrypt type <type> [input|output]\n");
278 		encrypt_list_types();
279 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
280 						sizeof(Encryptions))) == 0) {
281 		printf("%s: invalid encryption type\n", type);
282 	} else if (Ambiguous((char **)ep)) {
283 		printf("Ambiguous type '%s'\n", type);
284 	} else {
285 		if ((mode == 0) || isprefix(mode, "input")) {
286 			decrypt_mode = ep->type;
287 			i_wont_support_decrypt &= ~typemask(ep->type);
288 			ret = 1;
289 		}
290 		if ((mode == 0) || isprefix(mode, "output")) {
291 			encrypt_mode = ep->type;
292 			i_wont_support_encrypt &= ~typemask(ep->type);
293 			ret = 1;
294 		}
295 		if (ret == 0)
296 			printf("%s: invalid encryption mode\n", mode);
297 	}
298 	return(ret);
299 }
300 
301 int
302 EncryptStart(char *mode)
303 {
304 	int ret = 0;
305 	if (mode) {
306 		if (isprefix(mode, "input"))
307 			return(EncryptStartInput());
308 		if (isprefix(mode, "output"))
309 			return(EncryptStartOutput());
310 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
311 			printf("Usage: encrypt start [input|output]\n");
312 			return(0);
313 		}
314 		printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
315 		return(0);
316 	}
317 	ret += EncryptStartInput();
318 	ret += EncryptStartOutput();
319 	return(ret);
320 }
321 
322 int
323 EncryptStartInput(void)
324 {
325 	if (decrypt_mode) {
326 		encrypt_send_request_start();
327 		return(1);
328 	}
329 	printf("No previous decryption mode, decryption not enabled\r\n");
330 	return(0);
331 }
332 
333 int
334 EncryptStartOutput(void)
335 {
336 	if (encrypt_mode) {
337 		encrypt_start_output(encrypt_mode);
338 		return(1);
339 	}
340 	printf("No previous encryption mode, encryption not enabled\r\n");
341 	return(0);
342 }
343 
344 int
345 EncryptStop(char *mode)
346 {
347 	int ret = 0;
348 	if (mode) {
349 		if (isprefix(mode, "input"))
350 			return(EncryptStopInput());
351 		if (isprefix(mode, "output"))
352 			return(EncryptStopOutput());
353 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
354 			printf("Usage: encrypt stop [input|output]\n");
355 			return(0);
356 		}
357 		printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
358 		return(0);
359 	}
360 	ret += EncryptStopInput();
361 	ret += EncryptStopOutput();
362 	return(ret);
363 }
364 
365 int
366 EncryptStopInput(void)
367 {
368 	encrypt_send_request_end();
369 	return(1);
370 }
371 
372 int
373 EncryptStopOutput(void)
374 {
375 	encrypt_send_end();
376 	return(1);
377 }
378 
379 void
380 encrypt_display(void)
381 {
382 	if (encrypt_output)
383 		printf("Currently encrypting output with %s\r\n",
384 			ENCTYPE_NAME(encrypt_mode));
385 	if (decrypt_input)
386 		printf("Currently decrypting input with %s\r\n",
387 			ENCTYPE_NAME(decrypt_mode));
388 }
389 
390 int
391 EncryptStatus(void)
392 {
393 	if (encrypt_output)
394 		printf("Currently encrypting output with %s\r\n",
395 			ENCTYPE_NAME(encrypt_mode));
396 	else if (encrypt_mode) {
397 		printf("Currently output is clear text.\r\n");
398 		printf("Last encryption mode was %s\r\n",
399 			ENCTYPE_NAME(encrypt_mode));
400 	}
401 	if (decrypt_input) {
402 		printf("Currently decrypting input with %s\r\n",
403 			ENCTYPE_NAME(decrypt_mode));
404 	} else if (decrypt_mode) {
405 		printf("Currently input is clear text.\r\n");
406 		printf("Last decryption mode was %s\r\n",
407 			ENCTYPE_NAME(decrypt_mode));
408 	}
409 	return 1;
410 }
411 
412 void
413 encrypt_send_support(void)
414 {
415 	if (str_suplen) {
416 		/*
417 		 * If the user has requested that decryption start
418 		 * immediatly, then send a "REQUEST START" before
419 		 * we negotiate the type.
420 		 */
421 		if (!Server && autodecrypt)
422 			encrypt_send_request_start();
423 		net_write(str_send, str_suplen);
424 		printsub('>', &str_send[2], str_suplen - 2);
425 		str_suplen = 0;
426 	}
427 }
428 
429 int
430 EncryptDebug(int on)
431 {
432 	if (on < 0)
433 		encrypt_debug_mode ^= 1;
434 	else
435 		encrypt_debug_mode = on;
436 	printf("Encryption debugging %s\r\n",
437 		encrypt_debug_mode ? "enabled" : "disabled");
438 	return(1);
439 }
440 
441 int
442 EncryptVerbose(int on)
443 {
444 	if (on < 0)
445 		encrypt_verbose ^= 1;
446 	else
447 		encrypt_verbose = on;
448 	printf("Encryption %s verbose\r\n",
449 		encrypt_verbose ? "is" : "is not");
450 	return(1);
451 }
452 
453 int
454 EncryptAutoEnc(int on)
455 {
456 	encrypt_auto(on);
457 	printf("Automatic encryption of output is %s\r\n",
458 		autoencrypt ? "enabled" : "disabled");
459 	return(1);
460 }
461 
462 int
463 EncryptAutoDec(int on)
464 {
465 	decrypt_auto(on);
466 	printf("Automatic decryption of input is %s\r\n",
467 		autodecrypt ? "enabled" : "disabled");
468 	return(1);
469 }
470 
471 /*
472  * Called when ENCRYPT SUPPORT is received.
473  */
474 void
475 encrypt_support(unsigned char *typelist, int cnt)
476 {
477 	int type, use_type = 0;
478 	Encryptions *ep;
479 
480 	/*
481 	 * Forget anything the other side has previously told us.
482 	 */
483 	remote_supports_decrypt = 0;
484 
485 	while (cnt-- > 0) {
486 		type = *typelist++;
487 		if (encrypt_debug_mode)
488 			printf(">>>%s: He is supporting %s (%d)\r\n",
489 				Name,
490 				ENCTYPE_NAME(type), type);
491 		if ((type < ENCTYPE_CNT) &&
492 		    (I_SUPPORT_ENCRYPT & typemask(type))) {
493 			remote_supports_decrypt |= typemask(type);
494 			if (use_type == 0)
495 				use_type = type;
496 		}
497 	}
498 	if (use_type) {
499 		ep = findencryption(use_type);
500 		if (!ep)
501 			return;
502 		type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
503 		if (encrypt_debug_mode)
504 			printf(">>>%s: (*ep->start)() returned %d\r\n",
505 					Name, type);
506 		if (type < 0)
507 			return;
508 		encrypt_mode = use_type;
509 		if (type == 0)
510 			encrypt_start_output(use_type);
511 	}
512 }
513 
514 void
515 encrypt_is(unsigned char *data, int cnt)
516 {
517 	Encryptions *ep;
518 	int type, ret;
519 
520 	if (--cnt < 0)
521 		return;
522 	type = *data++;
523 	if (type < ENCTYPE_CNT)
524 		remote_supports_encrypt |= typemask(type);
525 	if (!(ep = finddecryption(type))) {
526 		if (encrypt_debug_mode)
527 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
528 				Name,
529 				ENCTYPE_NAME_OK(type)
530 					? ENCTYPE_NAME(type) : "(unknown)",
531 				type);
532 		return;
533 	}
534 	if (!ep->is) {
535 		if (encrypt_debug_mode)
536 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
537 				Name,
538 				ENCTYPE_NAME_OK(type)
539 					? ENCTYPE_NAME(type) : "(unknown)",
540 				type);
541 		ret = 0;
542 	} else {
543 		ret = (*ep->is)(data, cnt);
544 		if (encrypt_debug_mode)
545 			printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
546 				(ret < 0) ? "FAIL " :
547 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
548 	}
549 	if (ret < 0) {
550 		autodecrypt = 0;
551 	} else {
552 		decrypt_mode = type;
553 		if (ret == 0 && autodecrypt)
554 			encrypt_send_request_start();
555 	}
556 }
557 
558 void
559 encrypt_reply(unsigned char *data, int cnt)
560 {
561 	Encryptions *ep;
562 	int ret, type;
563 
564 	if (--cnt < 0)
565 		return;
566 	type = *data++;
567 	if (!(ep = findencryption(type))) {
568 		if (encrypt_debug_mode)
569 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
570 				Name,
571 				ENCTYPE_NAME_OK(type)
572 					? ENCTYPE_NAME(type) : "(unknown)",
573 				type);
574 		return;
575 	}
576 	if (!ep->reply) {
577 		if (encrypt_debug_mode)
578 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
579 				Name,
580 				ENCTYPE_NAME_OK(type)
581 					? ENCTYPE_NAME(type) : "(unknown)",
582 				type);
583 		ret = 0;
584 	} else {
585 		ret = (*ep->reply)(data, cnt);
586 		if (encrypt_debug_mode)
587 			printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
588 				data, cnt,
589 				(ret < 0) ? "FAIL " :
590 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
591 	}
592 	if (encrypt_debug_mode)
593 		printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
594 	if (ret < 0) {
595 		autoencrypt = 0;
596 	} else {
597 		encrypt_mode = type;
598 		if (ret == 0 && autoencrypt)
599 			encrypt_start_output(type);
600 	}
601 }
602 
603 /*
604  * Called when a ENCRYPT START command is received.
605  */
606 void
607 encrypt_start(unsigned char *data __unused, int cnt __unused)
608 {
609 	Encryptions *ep;
610 
611 	if (!decrypt_mode) {
612 		/*
613 		 * Something is wrong.  We should not get a START
614 		 * command without having already picked our
615 		 * decryption scheme.  Send a REQUEST-END to
616 		 * attempt to clear the channel...
617 		 */
618 		printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
619 		encrypt_send_request_end();
620 		return;
621 	}
622 
623 	if ((ep = finddecryption(decrypt_mode))) {
624 		decrypt_input = ep->input;
625 		if (encrypt_verbose)
626 			printf("[ Input is now decrypted with type %s ]\r\n",
627 				ENCTYPE_NAME(decrypt_mode));
628 		if (encrypt_debug_mode)
629 			printf(">>>%s: Start to decrypt input with type %s\r\n",
630 				Name, ENCTYPE_NAME(decrypt_mode));
631 	} else {
632 		printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
633 				Name,
634 				ENCTYPE_NAME_OK(decrypt_mode)
635 					? ENCTYPE_NAME(decrypt_mode)
636 					: "(unknown)",
637 				decrypt_mode);
638 		encrypt_send_request_end();
639 	}
640 }
641 
642 void
643 encrypt_session_key( Session_Key *key, int server)
644 {
645 	Encryptions *ep = encryptions;
646 
647 	havesessionkey = 1;
648 
649 	while (ep->type) {
650 		if (ep->session)
651 			(*ep->session)(key, server);
652 		++ep;
653 	}
654 }
655 
656 /*
657  * Called when ENCRYPT END is received.
658  */
659 void
660 encrypt_end(void)
661 {
662 	decrypt_input = 0;
663 	if (encrypt_debug_mode)
664 		printf(">>>%s: Input is back to clear text\r\n", Name);
665 	if (encrypt_verbose)
666 		printf("[ Input is now clear text ]\r\n");
667 }
668 
669 /*
670  * Called when ENCRYPT REQUEST-END is received.
671  */
672 void
673 encrypt_request_end(void)
674 {
675 	encrypt_send_end();
676 }
677 
678 /*
679  * Called when ENCRYPT REQUEST-START is received.  If we receive
680  * this before a type is picked, then that indicates that the
681  * other side wants us to start encrypting data as soon as we
682  * can.
683  */
684 void
685 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
686 {
687 	if (encrypt_mode == 0)  {
688 		if (Server)
689 			autoencrypt = 1;
690 		return;
691 	}
692 	encrypt_start_output(encrypt_mode);
693 }
694 
695 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
696 
697 void
698 encrypt_enc_keyid(unsigned char *keyid, int len)
699 {
700 	encrypt_keyid(&ki[1], keyid, len);
701 }
702 
703 void
704 encrypt_dec_keyid(unsigned char *keyid, int len)
705 {
706 	encrypt_keyid(&ki[0], keyid, len);
707 }
708 
709 void
710 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
711 {
712 	Encryptions *ep;
713 	int dir = kp->dir;
714 	int ret = 0;
715 
716 	if (len > MAXKEYLEN)
717 		len = MAXKEYLEN;
718 
719 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
720 		if (len == 0)
721 			return;
722 		kp->keylen = 0;
723 	} else if (len == 0) {
724 		/*
725 		 * Empty option, indicates a failure.
726 		 */
727 		if (kp->keylen == 0)
728 			return;
729 		kp->keylen = 0;
730 		if (ep->keyid)
731 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
732 
733 	} else if ((len != kp->keylen) ||
734 		   (memcmp(keyid, kp->keyid, len) != 0)) {
735 		/*
736 		 * Length or contents are different
737 		 */
738 		kp->keylen = len;
739 		memmove(kp->keyid, keyid, len);
740 		if (ep->keyid)
741 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
742 	} else {
743 		if (ep->keyid)
744 			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
745 		if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
746 			encrypt_start_output(*kp->modep);
747 		return;
748 	}
749 
750 	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
751 }
752 
753 void
754 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
755 {
756 	unsigned char *strp;
757 
758 	str_keyid[3] = (dir == DIR_ENCRYPT)
759 			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
760 	if (saveit) {
761 		struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
762 		memmove(kp->keyid, keyid, keylen);
763 		kp->keylen = keylen;
764 	}
765 
766 	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
767 		if ((*strp++ = *keyid++) == IAC)
768 			*strp++ = IAC;
769 	}
770 	*strp++ = IAC;
771 	*strp++ = SE;
772 	net_write(str_keyid, strp - str_keyid);
773 	printsub('>', &str_keyid[2], strp - str_keyid - 2);
774 }
775 
776 void
777 encrypt_auto(int on)
778 {
779 	if (on < 0)
780 		autoencrypt ^= 1;
781 	else
782 		autoencrypt = on ? 1 : 0;
783 }
784 
785 void
786 decrypt_auto(int on)
787 {
788 	if (on < 0)
789 		autodecrypt ^= 1;
790 	else
791 		autodecrypt = on ? 1 : 0;
792 }
793 
794 void
795 encrypt_start_output(int type)
796 {
797 	Encryptions *ep;
798 	unsigned char *p;
799 	int i;
800 
801 	if (!(ep = findencryption(type))) {
802 		if (encrypt_debug_mode) {
803 			printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
804 				Name,
805 				ENCTYPE_NAME_OK(type)
806 					? ENCTYPE_NAME(type) : "(unknown)",
807 				type);
808 		}
809 		return;
810 	}
811 	if (ep->start) {
812 		i = (*ep->start)(DIR_ENCRYPT, Server);
813 		if (encrypt_debug_mode) {
814 			printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
815 				Name,
816 				(i < 0) ? "failed" :
817 					"initial negotiation in progress",
818 				i, ENCTYPE_NAME(type));
819 		}
820 		if (i)
821 			return;
822 	}
823 	p = str_start + 3;
824 	*p++ = ENCRYPT_START;
825 	for (i = 0; i < ki[0].keylen; ++i) {
826 		if ((*p++ = ki[0].keyid[i]) == IAC)
827 			*p++ = IAC;
828 	}
829 	*p++ = IAC;
830 	*p++ = SE;
831 	net_write(str_start, p - str_start);
832 	net_encrypt();
833 	printsub('>', &str_start[2], p - &str_start[2]);
834 	/*
835 	 * If we are already encrypting in some mode, then
836 	 * encrypt the ring (which includes our request) in
837 	 * the old mode, mark it all as "clear text" and then
838 	 * switch to the new mode.
839 	 */
840 	encrypt_output = ep->output;
841 	encrypt_mode = type;
842 	if (encrypt_debug_mode)
843 		printf(">>>%s: Started to encrypt output with type %s\r\n",
844 			Name, ENCTYPE_NAME(type));
845 	if (encrypt_verbose)
846 		printf("[ Output is now encrypted with type %s ]\r\n",
847 			ENCTYPE_NAME(type));
848 }
849 
850 void
851 encrypt_send_end(void)
852 {
853 	if (!encrypt_output)
854 		return;
855 
856 	str_end[3] = ENCRYPT_END;
857 	net_write(str_end, sizeof(str_end));
858 	net_encrypt();
859 	printsub('>', &str_end[2], sizeof(str_end) - 2);
860 	/*
861 	 * Encrypt the output buffer now because it will not be done by
862 	 * netflush...
863 	 */
864 	encrypt_output = 0;
865 	if (encrypt_debug_mode)
866 		printf(">>>%s: Output is back to clear text\r\n", Name);
867 	if (encrypt_verbose)
868 		printf("[ Output is now clear text ]\r\n");
869 }
870 
871 void
872 encrypt_send_request_start(void)
873 {
874 	unsigned char *p;
875 	int i;
876 
877 	p = &str_start[3];
878 	*p++ = ENCRYPT_REQSTART;
879 	for (i = 0; i < ki[1].keylen; ++i) {
880 		if ((*p++ = ki[1].keyid[i]) == IAC)
881 			*p++ = IAC;
882 	}
883 	*p++ = IAC;
884 	*p++ = SE;
885 	net_write(str_start, p - str_start);
886 	printsub('>', &str_start[2], p - &str_start[2]);
887 	if (encrypt_debug_mode)
888 		printf(">>>%s: Request input to be encrypted\r\n", Name);
889 }
890 
891 void
892 encrypt_send_request_end(void)
893 {
894 	str_end[3] = ENCRYPT_REQEND;
895 	net_write(str_end, sizeof(str_end));
896 	printsub('>', &str_end[2], sizeof(str_end) - 2);
897 
898 	if (encrypt_debug_mode)
899 		printf(">>>%s: Request input to be clear text\r\n", Name);
900 }
901 
902 void
903 encrypt_wait(void)
904 {
905 	if (encrypt_debug_mode)
906 		printf(">>>%s: in encrypt_wait\r\n", Name);
907 	if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
908 		return;
909 	while (autoencrypt && !encrypt_output)
910 		if (telnet_spin())
911 			return;
912 }
913 
914 void
915 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
916 {
917 	char tbuf[16], *cp;
918 
919 	cnt -= 2;
920 	data += 2;
921 	buf[buflen-1] = '\0';
922 	buf[buflen-2] = '*';
923 	buflen -= 2;;
924 	for (; cnt > 0; cnt--, data++) {
925 		sprintf(tbuf, " %d", *data);
926 		for (cp = tbuf; *cp && buflen > 0; --buflen)
927 			*buf++ = *cp++;
928 		if (buflen <= 0)
929 			return;
930 	}
931 	*buf = '\0';
932 }
933 
934 void
935 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
936 {
937 	Encryptions *ep;
938 	int type = data[1];
939 
940 	for (ep = encryptions; ep->type && ep->type != type; ep++)
941 		;
942 
943 	if (ep->printsub)
944 		(*ep->printsub)(data, cnt, buf, buflen);
945 	else
946 		encrypt_gen_printsub(data, cnt, buf, buflen);
947 }
948 #endif	/* ENCRYPTION */
949