xref: /freebsd/contrib/telnet/libtelnet/encrypt.c (revision 1e413cf93298b5b97441a21d9a50fdcd0ee9945e)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgement:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #include <sys/cdefs.h>
35 
36 __FBSDID("$FreeBSD$");
37 
38 #ifndef lint
39 #if 0
40 static const char sccsid[] = "@(#)encrypt.c	8.2 (Berkeley) 5/30/95";
41 #endif
42 #endif /* not lint */
43 
44 /*
45  * Copyright (C) 1990 by the Massachusetts Institute of Technology
46  *
47  * Export of this software from the United States of America is assumed
48  * to require a specific license from the United States Government.
49  * It is the responsibility of any person or organization contemplating
50  * export to obtain such a license before exporting.
51  *
52  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53  * distribute this software and its documentation for any purpose and
54  * without fee is hereby granted, provided that the above copyright
55  * notice appear in all copies and that both that copyright notice and
56  * this permission notice appear in supporting documentation, and that
57  * the name of M.I.T. not be used in advertising or publicity pertaining
58  * to distribution of the software without specific, written prior
59  * permission.  M.I.T. makes no representations about the suitability of
60  * this software for any purpose.  It is provided "as is" without express
61  * or implied warranty.
62  */
63 
64 #ifdef	ENCRYPTION
65 
66 #include <sys/types.h>
67 #define	ENCRYPT_NAMES
68 #include <arpa/telnet.h>
69 #include <stdio.h>
70 #include <stdlib.h>
71 #include <string.h>
72 
73 #include "encrypt.h"
74 #include "misc.h"
75 
76 /*
77  * These functions pointers point to the current routines
78  * for encrypting and decrypting data.
79  */
80 void	(*encrypt_output)(unsigned char *, int);
81 int	(*decrypt_input)(int);
82 
83 int EncryptType(char *type, char *mode);
84 int EncryptStart(char *mode);
85 int EncryptStop(char *mode);
86 int EncryptStartInput(void);
87 int EncryptStartOutput(void);
88 int EncryptStopInput(void);
89 int EncryptStopOutput(void);
90 
91 int encrypt_debug_mode = 0;
92 static int decrypt_mode = 0;
93 static int encrypt_mode = 0;
94 static int encrypt_verbose = 0;
95 static int autoencrypt = 0;
96 static int autodecrypt = 0;
97 static int havesessionkey = 0;
98 static int Server = 0;
99 static const char *Name = "Noname";
100 
101 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
102 
103 static u_long i_support_encrypt = 0
104  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
105  |0;
106 static u_long i_support_decrypt = 0
107  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
108  |0;
109 
110 static u_long i_wont_support_encrypt = 0;
111 static u_long i_wont_support_decrypt = 0;
112 #define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
113 #define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
114 
115 static u_long remote_supports_encrypt = 0;
116 static u_long remote_supports_decrypt = 0;
117 
118 static Encryptions encryptions[] = {
119     { "DES_CFB64",	ENCTYPE_DES_CFB64,
120 			cfb64_encrypt,
121 			cfb64_decrypt,
122 			cfb64_init,
123 			cfb64_start,
124 			cfb64_is,
125 			cfb64_reply,
126 			cfb64_session,
127 			cfb64_keyid,
128 			cfb64_printsub },
129     { "DES_OFB64",	ENCTYPE_DES_OFB64,
130 			ofb64_encrypt,
131 			ofb64_decrypt,
132 			ofb64_init,
133 			ofb64_start,
134 			ofb64_is,
135 			ofb64_reply,
136 			ofb64_session,
137 			ofb64_keyid,
138 			ofb64_printsub },
139     { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
140 };
141 
142 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
143 					 ENCRYPT_SUPPORT };
144 static unsigned char str_suplen = 0;
145 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
146 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
147 
148 Encryptions *
149 findencryption(int type)
150 {
151 	Encryptions *ep = encryptions;
152 
153 	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
154 		return(0);
155 	while (ep->type && ep->type != type)
156 		++ep;
157 	return(ep->type ? ep : 0);
158 }
159 
160 static Encryptions *
161 finddecryption(int type)
162 {
163 	Encryptions *ep = encryptions;
164 
165 	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
166 		return(0);
167 	while (ep->type && ep->type != type)
168 		++ep;
169 	return(ep->type ? ep : 0);
170 }
171 
172 #define	MAXKEYLEN 64
173 
174 static struct key_info {
175 	unsigned char keyid[MAXKEYLEN];
176 	int keylen;
177 	int dir;
178 	int *modep;
179 	Encryptions *(*getcrypt)(int);
180 } ki[2] = {
181 	{ { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
182 	{ { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
183 };
184 
185 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
186 
187 void
188 encrypt_init(const char *name, int server)
189 {
190 	Encryptions *ep = encryptions;
191 
192 	Name = name;
193 	Server = server;
194 	i_support_encrypt = i_support_decrypt = 0;
195 	remote_supports_encrypt = remote_supports_decrypt = 0;
196 	encrypt_mode = 0;
197 	decrypt_mode = 0;
198 	encrypt_output = 0;
199 	decrypt_input = 0;
200 
201 	str_suplen = 4;
202 
203 	while (ep->type) {
204 		if (encrypt_debug_mode)
205 			printf(">>>%s: I will support %s\r\n",
206 				Name, ENCTYPE_NAME(ep->type));
207 		i_support_encrypt |= typemask(ep->type);
208 		i_support_decrypt |= typemask(ep->type);
209 		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
210 			if ((str_send[str_suplen++] = ep->type) == IAC)
211 				str_send[str_suplen++] = IAC;
212 		if (ep->init)
213 			(*ep->init)(Server);
214 		++ep;
215 	}
216 	str_send[str_suplen++] = IAC;
217 	str_send[str_suplen++] = SE;
218 }
219 
220 static void
221 encrypt_list_types(void)
222 {
223 	Encryptions *ep = encryptions;
224 
225 	printf("Valid encryption types:\n");
226 	while (ep->type) {
227 		printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
228 		++ep;
229 	}
230 }
231 
232 int
233 EncryptEnable(char *type, char *mode)
234 {
235 	if (isprefix(type, "help") || isprefix(type, "?")) {
236 		printf("Usage: encrypt enable <type> [input|output]\n");
237 		encrypt_list_types();
238 		return(0);
239 	}
240 	if (EncryptType(type, mode))
241 		return(EncryptStart(mode));
242 	return(0);
243 }
244 
245 int
246 EncryptDisable(char *type, char *mode)
247 {
248 	Encryptions *ep;
249 	int ret = 0;
250 
251 	if (isprefix(type, "help") || isprefix(type, "?")) {
252 		printf("Usage: encrypt disable <type> [input|output]\n");
253 		encrypt_list_types();
254 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
255 						sizeof(Encryptions))) == 0) {
256 		printf("%s: invalid encryption type\n", type);
257 	} else if (Ambiguous((char **)ep)) {
258 		printf("Ambiguous type '%s'\n", type);
259 	} else {
260 		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
261 			if (decrypt_mode == ep->type)
262 				EncryptStopInput();
263 			i_wont_support_decrypt |= typemask(ep->type);
264 			ret = 1;
265 		}
266 		if ((mode == 0) || (isprefix(mode, "output"))) {
267 			if (encrypt_mode == ep->type)
268 				EncryptStopOutput();
269 			i_wont_support_encrypt |= typemask(ep->type);
270 			ret = 1;
271 		}
272 		if (ret == 0)
273 			printf("%s: invalid encryption mode\n", mode);
274 	}
275 	return(ret);
276 }
277 
278 int
279 EncryptType(char *type, char *mode)
280 {
281 	Encryptions *ep;
282 	int ret = 0;
283 
284 	if (isprefix(type, "help") || isprefix(type, "?")) {
285 		printf("Usage: encrypt type <type> [input|output]\n");
286 		encrypt_list_types();
287 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
288 						sizeof(Encryptions))) == 0) {
289 		printf("%s: invalid encryption type\n", type);
290 	} else if (Ambiguous((char **)ep)) {
291 		printf("Ambiguous type '%s'\n", type);
292 	} else {
293 		if ((mode == 0) || isprefix(mode, "input")) {
294 			decrypt_mode = ep->type;
295 			i_wont_support_decrypt &= ~typemask(ep->type);
296 			ret = 1;
297 		}
298 		if ((mode == 0) || isprefix(mode, "output")) {
299 			encrypt_mode = ep->type;
300 			i_wont_support_encrypt &= ~typemask(ep->type);
301 			ret = 1;
302 		}
303 		if (ret == 0)
304 			printf("%s: invalid encryption mode\n", mode);
305 	}
306 	return(ret);
307 }
308 
309 int
310 EncryptStart(char *mode)
311 {
312 	int ret = 0;
313 	if (mode) {
314 		if (isprefix(mode, "input"))
315 			return(EncryptStartInput());
316 		if (isprefix(mode, "output"))
317 			return(EncryptStartOutput());
318 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
319 			printf("Usage: encrypt start [input|output]\n");
320 			return(0);
321 		}
322 		printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
323 		return(0);
324 	}
325 	ret += EncryptStartInput();
326 	ret += EncryptStartOutput();
327 	return(ret);
328 }
329 
330 int
331 EncryptStartInput(void)
332 {
333 	if (decrypt_mode) {
334 		encrypt_send_request_start();
335 		return(1);
336 	}
337 	printf("No previous decryption mode, decryption not enabled\r\n");
338 	return(0);
339 }
340 
341 int
342 EncryptStartOutput(void)
343 {
344 	if (encrypt_mode) {
345 		encrypt_start_output(encrypt_mode);
346 		return(1);
347 	}
348 	printf("No previous encryption mode, encryption not enabled\r\n");
349 	return(0);
350 }
351 
352 int
353 EncryptStop(char *mode)
354 {
355 	int ret = 0;
356 	if (mode) {
357 		if (isprefix(mode, "input"))
358 			return(EncryptStopInput());
359 		if (isprefix(mode, "output"))
360 			return(EncryptStopOutput());
361 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
362 			printf("Usage: encrypt stop [input|output]\n");
363 			return(0);
364 		}
365 		printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
366 		return(0);
367 	}
368 	ret += EncryptStopInput();
369 	ret += EncryptStopOutput();
370 	return(ret);
371 }
372 
373 int
374 EncryptStopInput(void)
375 {
376 	encrypt_send_request_end();
377 	return(1);
378 }
379 
380 int
381 EncryptStopOutput(void)
382 {
383 	encrypt_send_end();
384 	return(1);
385 }
386 
387 void
388 encrypt_display(void)
389 {
390 	if (encrypt_output)
391 		printf("Currently encrypting output with %s\r\n",
392 			ENCTYPE_NAME(encrypt_mode));
393 	if (decrypt_input)
394 		printf("Currently decrypting input with %s\r\n",
395 			ENCTYPE_NAME(decrypt_mode));
396 }
397 
398 int
399 EncryptStatus(void)
400 {
401 	if (encrypt_output)
402 		printf("Currently encrypting output with %s\r\n",
403 			ENCTYPE_NAME(encrypt_mode));
404 	else if (encrypt_mode) {
405 		printf("Currently output is clear text.\r\n");
406 		printf("Last encryption mode was %s\r\n",
407 			ENCTYPE_NAME(encrypt_mode));
408 	}
409 	if (decrypt_input) {
410 		printf("Currently decrypting input with %s\r\n",
411 			ENCTYPE_NAME(decrypt_mode));
412 	} else if (decrypt_mode) {
413 		printf("Currently input is clear text.\r\n");
414 		printf("Last decryption mode was %s\r\n",
415 			ENCTYPE_NAME(decrypt_mode));
416 	}
417 	return 1;
418 }
419 
420 void
421 encrypt_send_support(void)
422 {
423 	if (str_suplen) {
424 		/*
425 		 * If the user has requested that decryption start
426 		 * immediatly, then send a "REQUEST START" before
427 		 * we negotiate the type.
428 		 */
429 		if (!Server && autodecrypt)
430 			encrypt_send_request_start();
431 		net_write(str_send, str_suplen);
432 		printsub('>', &str_send[2], str_suplen - 2);
433 		str_suplen = 0;
434 	}
435 }
436 
437 int
438 EncryptDebug(int on)
439 {
440 	if (on < 0)
441 		encrypt_debug_mode ^= 1;
442 	else
443 		encrypt_debug_mode = on;
444 	printf("Encryption debugging %s\r\n",
445 		encrypt_debug_mode ? "enabled" : "disabled");
446 	return(1);
447 }
448 
449 int
450 EncryptVerbose(int on)
451 {
452 	if (on < 0)
453 		encrypt_verbose ^= 1;
454 	else
455 		encrypt_verbose = on;
456 	printf("Encryption %s verbose\r\n",
457 		encrypt_verbose ? "is" : "is not");
458 	return(1);
459 }
460 
461 int
462 EncryptAutoEnc(int on)
463 {
464 	encrypt_auto(on);
465 	printf("Automatic encryption of output is %s\r\n",
466 		autoencrypt ? "enabled" : "disabled");
467 	return(1);
468 }
469 
470 int
471 EncryptAutoDec(int on)
472 {
473 	decrypt_auto(on);
474 	printf("Automatic decryption of input is %s\r\n",
475 		autodecrypt ? "enabled" : "disabled");
476 	return(1);
477 }
478 
479 /*
480  * Called when ENCRYPT SUPPORT is received.
481  */
482 void
483 encrypt_support(unsigned char *typelist, int cnt)
484 {
485 	int type, use_type = 0;
486 	Encryptions *ep;
487 
488 	/*
489 	 * Forget anything the other side has previously told us.
490 	 */
491 	remote_supports_decrypt = 0;
492 
493 	while (cnt-- > 0) {
494 		type = *typelist++;
495 		if (encrypt_debug_mode)
496 			printf(">>>%s: He is supporting %s (%d)\r\n",
497 				Name,
498 				ENCTYPE_NAME(type), type);
499 		if ((type < ENCTYPE_CNT) &&
500 		    (I_SUPPORT_ENCRYPT & typemask(type))) {
501 			remote_supports_decrypt |= typemask(type);
502 			if (use_type == 0)
503 				use_type = type;
504 		}
505 	}
506 	if (use_type) {
507 		ep = findencryption(use_type);
508 		if (!ep)
509 			return;
510 		type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
511 		if (encrypt_debug_mode)
512 			printf(">>>%s: (*ep->start)() returned %d\r\n",
513 					Name, type);
514 		if (type < 0)
515 			return;
516 		encrypt_mode = use_type;
517 		if (type == 0)
518 			encrypt_start_output(use_type);
519 	}
520 }
521 
522 void
523 encrypt_is(unsigned char *data, int cnt)
524 {
525 	Encryptions *ep;
526 	int type, ret;
527 
528 	if (--cnt < 0)
529 		return;
530 	type = *data++;
531 	if (type < ENCTYPE_CNT)
532 		remote_supports_encrypt |= typemask(type);
533 	if (!(ep = finddecryption(type))) {
534 		if (encrypt_debug_mode)
535 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
536 				Name,
537 				ENCTYPE_NAME_OK(type)
538 					? ENCTYPE_NAME(type) : "(unknown)",
539 				type);
540 		return;
541 	}
542 	if (!ep->is) {
543 		if (encrypt_debug_mode)
544 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
545 				Name,
546 				ENCTYPE_NAME_OK(type)
547 					? ENCTYPE_NAME(type) : "(unknown)",
548 				type);
549 		ret = 0;
550 	} else {
551 		ret = (*ep->is)(data, cnt);
552 		if (encrypt_debug_mode)
553 			printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
554 				(ret < 0) ? "FAIL " :
555 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
556 	}
557 	if (ret < 0) {
558 		autodecrypt = 0;
559 	} else {
560 		decrypt_mode = type;
561 		if (ret == 0 && autodecrypt)
562 			encrypt_send_request_start();
563 	}
564 }
565 
566 void
567 encrypt_reply(unsigned char *data, int cnt)
568 {
569 	Encryptions *ep;
570 	int ret, type;
571 
572 	if (--cnt < 0)
573 		return;
574 	type = *data++;
575 	if (!(ep = findencryption(type))) {
576 		if (encrypt_debug_mode)
577 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
578 				Name,
579 				ENCTYPE_NAME_OK(type)
580 					? ENCTYPE_NAME(type) : "(unknown)",
581 				type);
582 		return;
583 	}
584 	if (!ep->reply) {
585 		if (encrypt_debug_mode)
586 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
587 				Name,
588 				ENCTYPE_NAME_OK(type)
589 					? ENCTYPE_NAME(type) : "(unknown)",
590 				type);
591 		ret = 0;
592 	} else {
593 		ret = (*ep->reply)(data, cnt);
594 		if (encrypt_debug_mode)
595 			printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
596 				data, cnt,
597 				(ret < 0) ? "FAIL " :
598 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
599 	}
600 	if (encrypt_debug_mode)
601 		printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
602 	if (ret < 0) {
603 		autoencrypt = 0;
604 	} else {
605 		encrypt_mode = type;
606 		if (ret == 0 && autoencrypt)
607 			encrypt_start_output(type);
608 	}
609 }
610 
611 /*
612  * Called when a ENCRYPT START command is received.
613  */
614 void
615 encrypt_start(unsigned char *data __unused, int cnt __unused)
616 {
617 	Encryptions *ep;
618 
619 	if (!decrypt_mode) {
620 		/*
621 		 * Something is wrong.  We should not get a START
622 		 * command without having already picked our
623 		 * decryption scheme.  Send a REQUEST-END to
624 		 * attempt to clear the channel...
625 		 */
626 		printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
627 		encrypt_send_request_end();
628 		return;
629 	}
630 
631 	if ((ep = finddecryption(decrypt_mode))) {
632 		decrypt_input = ep->input;
633 		if (encrypt_verbose)
634 			printf("[ Input is now decrypted with type %s ]\r\n",
635 				ENCTYPE_NAME(decrypt_mode));
636 		if (encrypt_debug_mode)
637 			printf(">>>%s: Start to decrypt input with type %s\r\n",
638 				Name, ENCTYPE_NAME(decrypt_mode));
639 	} else {
640 		printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
641 				Name,
642 				ENCTYPE_NAME_OK(decrypt_mode)
643 					? ENCTYPE_NAME(decrypt_mode)
644 					: "(unknown)",
645 				decrypt_mode);
646 		encrypt_send_request_end();
647 	}
648 }
649 
650 void
651 encrypt_session_key( Session_Key *key, int server)
652 {
653 	Encryptions *ep = encryptions;
654 
655 	havesessionkey = 1;
656 
657 	while (ep->type) {
658 		if (ep->session)
659 			(*ep->session)(key, server);
660 		++ep;
661 	}
662 }
663 
664 /*
665  * Called when ENCRYPT END is received.
666  */
667 void
668 encrypt_end(void)
669 {
670 	decrypt_input = 0;
671 	if (encrypt_debug_mode)
672 		printf(">>>%s: Input is back to clear text\r\n", Name);
673 	if (encrypt_verbose)
674 		printf("[ Input is now clear text ]\r\n");
675 }
676 
677 /*
678  * Called when ENCRYPT REQUEST-END is received.
679  */
680 void
681 encrypt_request_end(void)
682 {
683 	encrypt_send_end();
684 }
685 
686 /*
687  * Called when ENCRYPT REQUEST-START is received.  If we receive
688  * this before a type is picked, then that indicates that the
689  * other side wants us to start encrypting data as soon as we
690  * can.
691  */
692 void
693 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
694 {
695 	if (encrypt_mode == 0)  {
696 		if (Server)
697 			autoencrypt = 1;
698 		return;
699 	}
700 	encrypt_start_output(encrypt_mode);
701 }
702 
703 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
704 
705 void
706 encrypt_enc_keyid(unsigned char *keyid, int len)
707 {
708 	encrypt_keyid(&ki[1], keyid, len);
709 }
710 
711 void
712 encrypt_dec_keyid(unsigned char *keyid, int len)
713 {
714 	encrypt_keyid(&ki[0], keyid, len);
715 }
716 
717 void
718 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
719 {
720 	Encryptions *ep;
721 	int dir = kp->dir;
722 	int ret = 0;
723 
724 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
725 		if (len == 0)
726 			return;
727 		kp->keylen = 0;
728 	} else if (len == 0) {
729 		/*
730 		 * Empty option, indicates a failure.
731 		 */
732 		if (kp->keylen == 0)
733 			return;
734 		kp->keylen = 0;
735 		if (ep->keyid)
736 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
737 
738 	} else if ((len != kp->keylen) ||
739 		   (memcmp(keyid, kp->keyid, len) != 0)) {
740 		/*
741 		 * Length or contents are different
742 		 */
743 		kp->keylen = len;
744 		memmove(kp->keyid, keyid, len);
745 		if (ep->keyid)
746 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
747 	} else {
748 		if (ep->keyid)
749 			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
750 		if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
751 			encrypt_start_output(*kp->modep);
752 		return;
753 	}
754 
755 	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
756 }
757 
758 void
759 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
760 {
761 	unsigned char *strp;
762 
763 	str_keyid[3] = (dir == DIR_ENCRYPT)
764 			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
765 	if (saveit) {
766 		struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
767 		memmove(kp->keyid, keyid, keylen);
768 		kp->keylen = keylen;
769 	}
770 
771 	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
772 		if ((*strp++ = *keyid++) == IAC)
773 			*strp++ = IAC;
774 	}
775 	*strp++ = IAC;
776 	*strp++ = SE;
777 	net_write(str_keyid, strp - str_keyid);
778 	printsub('>', &str_keyid[2], strp - str_keyid - 2);
779 }
780 
781 void
782 encrypt_auto(int on)
783 {
784 	if (on < 0)
785 		autoencrypt ^= 1;
786 	else
787 		autoencrypt = on ? 1 : 0;
788 }
789 
790 void
791 decrypt_auto(int on)
792 {
793 	if (on < 0)
794 		autodecrypt ^= 1;
795 	else
796 		autodecrypt = on ? 1 : 0;
797 }
798 
799 void
800 encrypt_start_output(int type)
801 {
802 	Encryptions *ep;
803 	unsigned char *p;
804 	int i;
805 
806 	if (!(ep = findencryption(type))) {
807 		if (encrypt_debug_mode) {
808 			printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
809 				Name,
810 				ENCTYPE_NAME_OK(type)
811 					? ENCTYPE_NAME(type) : "(unknown)",
812 				type);
813 		}
814 		return;
815 	}
816 	if (ep->start) {
817 		i = (*ep->start)(DIR_ENCRYPT, Server);
818 		if (encrypt_debug_mode) {
819 			printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
820 				Name,
821 				(i < 0) ? "failed" :
822 					"initial negotiation in progress",
823 				i, ENCTYPE_NAME(type));
824 		}
825 		if (i)
826 			return;
827 	}
828 	p = str_start + 3;
829 	*p++ = ENCRYPT_START;
830 	for (i = 0; i < ki[0].keylen; ++i) {
831 		if ((*p++ = ki[0].keyid[i]) == IAC)
832 			*p++ = IAC;
833 	}
834 	*p++ = IAC;
835 	*p++ = SE;
836 	net_write(str_start, p - str_start);
837 	net_encrypt();
838 	printsub('>', &str_start[2], p - &str_start[2]);
839 	/*
840 	 * If we are already encrypting in some mode, then
841 	 * encrypt the ring (which includes our request) in
842 	 * the old mode, mark it all as "clear text" and then
843 	 * switch to the new mode.
844 	 */
845 	encrypt_output = ep->output;
846 	encrypt_mode = type;
847 	if (encrypt_debug_mode)
848 		printf(">>>%s: Started to encrypt output with type %s\r\n",
849 			Name, ENCTYPE_NAME(type));
850 	if (encrypt_verbose)
851 		printf("[ Output is now encrypted with type %s ]\r\n",
852 			ENCTYPE_NAME(type));
853 }
854 
855 void
856 encrypt_send_end(void)
857 {
858 	if (!encrypt_output)
859 		return;
860 
861 	str_end[3] = ENCRYPT_END;
862 	net_write(str_end, sizeof(str_end));
863 	net_encrypt();
864 	printsub('>', &str_end[2], sizeof(str_end) - 2);
865 	/*
866 	 * Encrypt the output buffer now because it will not be done by
867 	 * netflush...
868 	 */
869 	encrypt_output = 0;
870 	if (encrypt_debug_mode)
871 		printf(">>>%s: Output is back to clear text\r\n", Name);
872 	if (encrypt_verbose)
873 		printf("[ Output is now clear text ]\r\n");
874 }
875 
876 void
877 encrypt_send_request_start(void)
878 {
879 	unsigned char *p;
880 	int i;
881 
882 	p = &str_start[3];
883 	*p++ = ENCRYPT_REQSTART;
884 	for (i = 0; i < ki[1].keylen; ++i) {
885 		if ((*p++ = ki[1].keyid[i]) == IAC)
886 			*p++ = IAC;
887 	}
888 	*p++ = IAC;
889 	*p++ = SE;
890 	net_write(str_start, p - str_start);
891 	printsub('>', &str_start[2], p - &str_start[2]);
892 	if (encrypt_debug_mode)
893 		printf(">>>%s: Request input to be encrypted\r\n", Name);
894 }
895 
896 void
897 encrypt_send_request_end(void)
898 {
899 	str_end[3] = ENCRYPT_REQEND;
900 	net_write(str_end, sizeof(str_end));
901 	printsub('>', &str_end[2], sizeof(str_end) - 2);
902 
903 	if (encrypt_debug_mode)
904 		printf(">>>%s: Request input to be clear text\r\n", Name);
905 }
906 
907 void
908 encrypt_wait(void)
909 {
910 	if (encrypt_debug_mode)
911 		printf(">>>%s: in encrypt_wait\r\n", Name);
912 	if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
913 		return;
914 	while (autoencrypt && !encrypt_output)
915 		if (telnet_spin())
916 			return;
917 }
918 
919 void
920 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
921 {
922 	char tbuf[16], *cp;
923 
924 	cnt -= 2;
925 	data += 2;
926 	buf[buflen-1] = '\0';
927 	buf[buflen-2] = '*';
928 	buflen -= 2;;
929 	for (; cnt > 0; cnt--, data++) {
930 		sprintf(tbuf, " %d", *data);
931 		for (cp = tbuf; *cp && buflen > 0; --buflen)
932 			*buf++ = *cp++;
933 		if (buflen <= 0)
934 			return;
935 	}
936 	*buf = '\0';
937 }
938 
939 void
940 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
941 {
942 	Encryptions *ep;
943 	int type = data[1];
944 
945 	for (ep = encryptions; ep->type && ep->type != type; ep++)
946 		;
947 
948 	if (ep->printsub)
949 		(*ep->printsub)(data, cnt, buf, buflen);
950 	else
951 		encrypt_gen_printsub(data, cnt, buf, buflen);
952 }
953 #endif	/* ENCRYPTION */
954