1 /*- 2 * Copyright (c) 1991, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 */ 29 30 #ifndef lint 31 #if 0 32 static const char sccsid[] = "@(#)encrypt.c 8.2 (Berkeley) 5/30/95"; 33 #endif 34 #endif /* not lint */ 35 36 /* 37 * Copyright (C) 1990 by the Massachusetts Institute of Technology 38 * 39 * Export of this software from the United States of America is assumed 40 * to require a specific license from the United States Government. 41 * It is the responsibility of any person or organization contemplating 42 * export to obtain such a license before exporting. 43 * 44 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 45 * distribute this software and its documentation for any purpose and 46 * without fee is hereby granted, provided that the above copyright 47 * notice appear in all copies and that both that copyright notice and 48 * this permission notice appear in supporting documentation, and that 49 * the name of M.I.T. not be used in advertising or publicity pertaining 50 * to distribution of the software without specific, written prior 51 * permission. M.I.T. makes no representations about the suitability of 52 * this software for any purpose. It is provided "as is" without express 53 * or implied warranty. 54 */ 55 56 #ifdef ENCRYPTION 57 58 #include <sys/types.h> 59 #define ENCRYPT_NAMES 60 #include <arpa/telnet.h> 61 #include <stdio.h> 62 #include <stdlib.h> 63 #include <string.h> 64 65 #include "encrypt.h" 66 #include "misc.h" 67 68 /* 69 * These functions pointers point to the current routines 70 * for encrypting and decrypting data. 71 */ 72 void (*encrypt_output)(unsigned char *, int); 73 int (*decrypt_input)(int); 74 75 int EncryptType(char *type, char *mode); 76 int EncryptStart(char *mode); 77 int EncryptStop(char *mode); 78 int EncryptStartInput(void); 79 int EncryptStartOutput(void); 80 int EncryptStopInput(void); 81 int EncryptStopOutput(void); 82 83 int encrypt_debug_mode = 0; 84 static int decrypt_mode = 0; 85 static int encrypt_mode = 0; 86 static int encrypt_verbose = 0; 87 static int autoencrypt = 0; 88 static int autodecrypt = 0; 89 static int havesessionkey = 0; 90 static int Server = 0; 91 static const char *Name = "Noname"; 92 93 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) 94 95 static u_long i_support_encrypt = 0 96 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64) 97 |0; 98 static u_long i_support_decrypt = 0 99 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64) 100 |0; 101 102 static u_long i_wont_support_encrypt = 0; 103 static u_long i_wont_support_decrypt = 0; 104 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt) 105 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt) 106 107 static u_long remote_supports_encrypt = 0; 108 static u_long remote_supports_decrypt = 0; 109 110 static Encryptions encryptions[] = { 111 { "DES_CFB64", ENCTYPE_DES_CFB64, 112 cfb64_encrypt, 113 cfb64_decrypt, 114 cfb64_init, 115 cfb64_start, 116 cfb64_is, 117 cfb64_reply, 118 cfb64_session, 119 cfb64_keyid, 120 cfb64_printsub }, 121 { "DES_OFB64", ENCTYPE_DES_OFB64, 122 ofb64_encrypt, 123 ofb64_decrypt, 124 ofb64_init, 125 ofb64_start, 126 ofb64_is, 127 ofb64_reply, 128 ofb64_session, 129 ofb64_keyid, 130 ofb64_printsub }, 131 { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }, 132 }; 133 134 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT, 135 ENCRYPT_SUPPORT }; 136 static unsigned char str_suplen = 0; 137 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT }; 138 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE }; 139 140 Encryptions * 141 findencryption(int type) 142 { 143 Encryptions *ep = encryptions; 144 145 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type))) 146 return(0); 147 while (ep->type && ep->type != type) 148 ++ep; 149 return(ep->type ? ep : 0); 150 } 151 152 static Encryptions * 153 finddecryption(int type) 154 { 155 Encryptions *ep = encryptions; 156 157 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type))) 158 return(0); 159 while (ep->type && ep->type != type) 160 ++ep; 161 return(ep->type ? ep : 0); 162 } 163 164 #define MAXKEYLEN 64 165 166 static struct key_info { 167 unsigned char keyid[MAXKEYLEN]; 168 int keylen; 169 int dir; 170 int *modep; 171 Encryptions *(*getcrypt)(int); 172 } ki[2] = { 173 { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption }, 174 { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption }, 175 }; 176 177 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len); 178 179 void 180 encrypt_init(const char *name, int server) 181 { 182 Encryptions *ep = encryptions; 183 184 Name = name; 185 Server = server; 186 i_support_encrypt = i_support_decrypt = 0; 187 remote_supports_encrypt = remote_supports_decrypt = 0; 188 encrypt_mode = 0; 189 decrypt_mode = 0; 190 encrypt_output = 0; 191 decrypt_input = 0; 192 193 str_suplen = 4; 194 195 while (ep->type) { 196 if (encrypt_debug_mode) 197 printf(">>>%s: I will support %s\r\n", 198 Name, ENCTYPE_NAME(ep->type)); 199 i_support_encrypt |= typemask(ep->type); 200 i_support_decrypt |= typemask(ep->type); 201 if ((i_wont_support_decrypt & typemask(ep->type)) == 0) 202 if ((str_send[str_suplen++] = ep->type) == IAC) 203 str_send[str_suplen++] = IAC; 204 if (ep->init) 205 (*ep->init)(Server); 206 ++ep; 207 } 208 str_send[str_suplen++] = IAC; 209 str_send[str_suplen++] = SE; 210 } 211 212 static void 213 encrypt_list_types(void) 214 { 215 Encryptions *ep = encryptions; 216 217 printf("Valid encryption types:\n"); 218 while (ep->type) { 219 printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type); 220 ++ep; 221 } 222 } 223 224 int 225 EncryptEnable(char *type, char *mode) 226 { 227 if (isprefix(type, "help") || isprefix(type, "?")) { 228 printf("Usage: encrypt enable <type> [input|output]\n"); 229 encrypt_list_types(); 230 return(0); 231 } 232 if (EncryptType(type, mode)) 233 return(EncryptStart(mode)); 234 return(0); 235 } 236 237 int 238 EncryptDisable(char *type, char *mode) 239 { 240 Encryptions *ep; 241 int ret = 0; 242 243 if (isprefix(type, "help") || isprefix(type, "?")) { 244 printf("Usage: encrypt disable <type> [input|output]\n"); 245 encrypt_list_types(); 246 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions, 247 sizeof(Encryptions))) == 0) { 248 printf("%s: invalid encryption type\n", type); 249 } else if (Ambiguous((char **)ep)) { 250 printf("Ambiguous type '%s'\n", type); 251 } else { 252 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) { 253 if (decrypt_mode == ep->type) 254 EncryptStopInput(); 255 i_wont_support_decrypt |= typemask(ep->type); 256 ret = 1; 257 } 258 if ((mode == 0) || (isprefix(mode, "output"))) { 259 if (encrypt_mode == ep->type) 260 EncryptStopOutput(); 261 i_wont_support_encrypt |= typemask(ep->type); 262 ret = 1; 263 } 264 if (ret == 0) 265 printf("%s: invalid encryption mode\n", mode); 266 } 267 return(ret); 268 } 269 270 int 271 EncryptType(char *type, char *mode) 272 { 273 Encryptions *ep; 274 int ret = 0; 275 276 if (isprefix(type, "help") || isprefix(type, "?")) { 277 printf("Usage: encrypt type <type> [input|output]\n"); 278 encrypt_list_types(); 279 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions, 280 sizeof(Encryptions))) == 0) { 281 printf("%s: invalid encryption type\n", type); 282 } else if (Ambiguous((char **)ep)) { 283 printf("Ambiguous type '%s'\n", type); 284 } else { 285 if ((mode == 0) || isprefix(mode, "input")) { 286 decrypt_mode = ep->type; 287 i_wont_support_decrypt &= ~typemask(ep->type); 288 ret = 1; 289 } 290 if ((mode == 0) || isprefix(mode, "output")) { 291 encrypt_mode = ep->type; 292 i_wont_support_encrypt &= ~typemask(ep->type); 293 ret = 1; 294 } 295 if (ret == 0) 296 printf("%s: invalid encryption mode\n", mode); 297 } 298 return(ret); 299 } 300 301 int 302 EncryptStart(char *mode) 303 { 304 int ret = 0; 305 if (mode) { 306 if (isprefix(mode, "input")) 307 return(EncryptStartInput()); 308 if (isprefix(mode, "output")) 309 return(EncryptStartOutput()); 310 if (isprefix(mode, "help") || isprefix(mode, "?")) { 311 printf("Usage: encrypt start [input|output]\n"); 312 return(0); 313 } 314 printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode); 315 return(0); 316 } 317 ret += EncryptStartInput(); 318 ret += EncryptStartOutput(); 319 return(ret); 320 } 321 322 int 323 EncryptStartInput(void) 324 { 325 if (decrypt_mode) { 326 encrypt_send_request_start(); 327 return(1); 328 } 329 printf("No previous decryption mode, decryption not enabled\r\n"); 330 return(0); 331 } 332 333 int 334 EncryptStartOutput(void) 335 { 336 if (encrypt_mode) { 337 encrypt_start_output(encrypt_mode); 338 return(1); 339 } 340 printf("No previous encryption mode, encryption not enabled\r\n"); 341 return(0); 342 } 343 344 int 345 EncryptStop(char *mode) 346 { 347 int ret = 0; 348 if (mode) { 349 if (isprefix(mode, "input")) 350 return(EncryptStopInput()); 351 if (isprefix(mode, "output")) 352 return(EncryptStopOutput()); 353 if (isprefix(mode, "help") || isprefix(mode, "?")) { 354 printf("Usage: encrypt stop [input|output]\n"); 355 return(0); 356 } 357 printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode); 358 return(0); 359 } 360 ret += EncryptStopInput(); 361 ret += EncryptStopOutput(); 362 return(ret); 363 } 364 365 int 366 EncryptStopInput(void) 367 { 368 encrypt_send_request_end(); 369 return(1); 370 } 371 372 int 373 EncryptStopOutput(void) 374 { 375 encrypt_send_end(); 376 return(1); 377 } 378 379 void 380 encrypt_display(void) 381 { 382 if (encrypt_output) 383 printf("Currently encrypting output with %s\r\n", 384 ENCTYPE_NAME(encrypt_mode)); 385 if (decrypt_input) 386 printf("Currently decrypting input with %s\r\n", 387 ENCTYPE_NAME(decrypt_mode)); 388 } 389 390 int 391 EncryptStatus(void) 392 { 393 if (encrypt_output) 394 printf("Currently encrypting output with %s\r\n", 395 ENCTYPE_NAME(encrypt_mode)); 396 else if (encrypt_mode) { 397 printf("Currently output is clear text.\r\n"); 398 printf("Last encryption mode was %s\r\n", 399 ENCTYPE_NAME(encrypt_mode)); 400 } 401 if (decrypt_input) { 402 printf("Currently decrypting input with %s\r\n", 403 ENCTYPE_NAME(decrypt_mode)); 404 } else if (decrypt_mode) { 405 printf("Currently input is clear text.\r\n"); 406 printf("Last decryption mode was %s\r\n", 407 ENCTYPE_NAME(decrypt_mode)); 408 } 409 return 1; 410 } 411 412 void 413 encrypt_send_support(void) 414 { 415 if (str_suplen) { 416 /* 417 * If the user has requested that decryption start 418 * immediatly, then send a "REQUEST START" before 419 * we negotiate the type. 420 */ 421 if (!Server && autodecrypt) 422 encrypt_send_request_start(); 423 net_write(str_send, str_suplen); 424 printsub('>', &str_send[2], str_suplen - 2); 425 str_suplen = 0; 426 } 427 } 428 429 int 430 EncryptDebug(int on) 431 { 432 if (on < 0) 433 encrypt_debug_mode ^= 1; 434 else 435 encrypt_debug_mode = on; 436 printf("Encryption debugging %s\r\n", 437 encrypt_debug_mode ? "enabled" : "disabled"); 438 return(1); 439 } 440 441 int 442 EncryptVerbose(int on) 443 { 444 if (on < 0) 445 encrypt_verbose ^= 1; 446 else 447 encrypt_verbose = on; 448 printf("Encryption %s verbose\r\n", 449 encrypt_verbose ? "is" : "is not"); 450 return(1); 451 } 452 453 int 454 EncryptAutoEnc(int on) 455 { 456 encrypt_auto(on); 457 printf("Automatic encryption of output is %s\r\n", 458 autoencrypt ? "enabled" : "disabled"); 459 return(1); 460 } 461 462 int 463 EncryptAutoDec(int on) 464 { 465 decrypt_auto(on); 466 printf("Automatic decryption of input is %s\r\n", 467 autodecrypt ? "enabled" : "disabled"); 468 return(1); 469 } 470 471 /* 472 * Called when ENCRYPT SUPPORT is received. 473 */ 474 void 475 encrypt_support(unsigned char *typelist, int cnt) 476 { 477 int type, use_type = 0; 478 Encryptions *ep; 479 480 /* 481 * Forget anything the other side has previously told us. 482 */ 483 remote_supports_decrypt = 0; 484 485 while (cnt-- > 0) { 486 type = *typelist++; 487 if (encrypt_debug_mode) 488 printf(">>>%s: He is supporting %s (%d)\r\n", 489 Name, 490 ENCTYPE_NAME(type), type); 491 if ((type < ENCTYPE_CNT) && 492 (I_SUPPORT_ENCRYPT & typemask(type))) { 493 remote_supports_decrypt |= typemask(type); 494 if (use_type == 0) 495 use_type = type; 496 } 497 } 498 if (use_type) { 499 ep = findencryption(use_type); 500 if (!ep) 501 return; 502 type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0; 503 if (encrypt_debug_mode) 504 printf(">>>%s: (*ep->start)() returned %d\r\n", 505 Name, type); 506 if (type < 0) 507 return; 508 encrypt_mode = use_type; 509 if (type == 0) 510 encrypt_start_output(use_type); 511 } 512 } 513 514 void 515 encrypt_is(unsigned char *data, int cnt) 516 { 517 Encryptions *ep; 518 int type, ret; 519 520 if (--cnt < 0) 521 return; 522 type = *data++; 523 if (type < ENCTYPE_CNT) 524 remote_supports_encrypt |= typemask(type); 525 if (!(ep = finddecryption(type))) { 526 if (encrypt_debug_mode) 527 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n", 528 Name, 529 ENCTYPE_NAME_OK(type) 530 ? ENCTYPE_NAME(type) : "(unknown)", 531 type); 532 return; 533 } 534 if (!ep->is) { 535 if (encrypt_debug_mode) 536 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n", 537 Name, 538 ENCTYPE_NAME_OK(type) 539 ? ENCTYPE_NAME(type) : "(unknown)", 540 type); 541 ret = 0; 542 } else { 543 ret = (*ep->is)(data, cnt); 544 if (encrypt_debug_mode) 545 printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt, 546 (ret < 0) ? "FAIL " : 547 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); 548 } 549 if (ret < 0) { 550 autodecrypt = 0; 551 } else { 552 decrypt_mode = type; 553 if (ret == 0 && autodecrypt) 554 encrypt_send_request_start(); 555 } 556 } 557 558 void 559 encrypt_reply(unsigned char *data, int cnt) 560 { 561 Encryptions *ep; 562 int ret, type; 563 564 if (--cnt < 0) 565 return; 566 type = *data++; 567 if (!(ep = findencryption(type))) { 568 if (encrypt_debug_mode) 569 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n", 570 Name, 571 ENCTYPE_NAME_OK(type) 572 ? ENCTYPE_NAME(type) : "(unknown)", 573 type); 574 return; 575 } 576 if (!ep->reply) { 577 if (encrypt_debug_mode) 578 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n", 579 Name, 580 ENCTYPE_NAME_OK(type) 581 ? ENCTYPE_NAME(type) : "(unknown)", 582 type); 583 ret = 0; 584 } else { 585 ret = (*ep->reply)(data, cnt); 586 if (encrypt_debug_mode) 587 printf("(*ep->reply)(%p, %d) returned %s(%d)\n", 588 data, cnt, 589 (ret < 0) ? "FAIL " : 590 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); 591 } 592 if (encrypt_debug_mode) 593 printf(">>>%s: encrypt_reply returned %d\n", Name, ret); 594 if (ret < 0) { 595 autoencrypt = 0; 596 } else { 597 encrypt_mode = type; 598 if (ret == 0 && autoencrypt) 599 encrypt_start_output(type); 600 } 601 } 602 603 /* 604 * Called when a ENCRYPT START command is received. 605 */ 606 void 607 encrypt_start(unsigned char *data __unused, int cnt __unused) 608 { 609 Encryptions *ep; 610 611 if (!decrypt_mode) { 612 /* 613 * Something is wrong. We should not get a START 614 * command without having already picked our 615 * decryption scheme. Send a REQUEST-END to 616 * attempt to clear the channel... 617 */ 618 printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name); 619 encrypt_send_request_end(); 620 return; 621 } 622 623 if ((ep = finddecryption(decrypt_mode))) { 624 decrypt_input = ep->input; 625 if (encrypt_verbose) 626 printf("[ Input is now decrypted with type %s ]\r\n", 627 ENCTYPE_NAME(decrypt_mode)); 628 if (encrypt_debug_mode) 629 printf(">>>%s: Start to decrypt input with type %s\r\n", 630 Name, ENCTYPE_NAME(decrypt_mode)); 631 } else { 632 printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n", 633 Name, 634 ENCTYPE_NAME_OK(decrypt_mode) 635 ? ENCTYPE_NAME(decrypt_mode) 636 : "(unknown)", 637 decrypt_mode); 638 encrypt_send_request_end(); 639 } 640 } 641 642 void 643 encrypt_session_key( Session_Key *key, int server) 644 { 645 Encryptions *ep = encryptions; 646 647 havesessionkey = 1; 648 649 while (ep->type) { 650 if (ep->session) 651 (*ep->session)(key, server); 652 ++ep; 653 } 654 } 655 656 /* 657 * Called when ENCRYPT END is received. 658 */ 659 void 660 encrypt_end(void) 661 { 662 decrypt_input = 0; 663 if (encrypt_debug_mode) 664 printf(">>>%s: Input is back to clear text\r\n", Name); 665 if (encrypt_verbose) 666 printf("[ Input is now clear text ]\r\n"); 667 } 668 669 /* 670 * Called when ENCRYPT REQUEST-END is received. 671 */ 672 void 673 encrypt_request_end(void) 674 { 675 encrypt_send_end(); 676 } 677 678 /* 679 * Called when ENCRYPT REQUEST-START is received. If we receive 680 * this before a type is picked, then that indicates that the 681 * other side wants us to start encrypting data as soon as we 682 * can. 683 */ 684 void 685 encrypt_request_start(unsigned char *data __unused, int cnt __unused) 686 { 687 if (encrypt_mode == 0) { 688 if (Server) 689 autoencrypt = 1; 690 return; 691 } 692 encrypt_start_output(encrypt_mode); 693 } 694 695 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT }; 696 697 void 698 encrypt_enc_keyid(unsigned char *keyid, int len) 699 { 700 encrypt_keyid(&ki[1], keyid, len); 701 } 702 703 void 704 encrypt_dec_keyid(unsigned char *keyid, int len) 705 { 706 encrypt_keyid(&ki[0], keyid, len); 707 } 708 709 void 710 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len) 711 { 712 Encryptions *ep; 713 int dir = kp->dir; 714 int ret = 0; 715 716 if (len > MAXKEYLEN) 717 len = MAXKEYLEN; 718 719 if (!(ep = (*kp->getcrypt)(*kp->modep))) { 720 if (len == 0) 721 return; 722 kp->keylen = 0; 723 } else if (len == 0) { 724 /* 725 * Empty option, indicates a failure. 726 */ 727 if (kp->keylen == 0) 728 return; 729 kp->keylen = 0; 730 if (ep->keyid) 731 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); 732 733 } else if ((len != kp->keylen) || 734 (memcmp(keyid, kp->keyid, len) != 0)) { 735 /* 736 * Length or contents are different 737 */ 738 kp->keylen = len; 739 memmove(kp->keyid, keyid, len); 740 if (ep->keyid) 741 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen); 742 } else { 743 if (ep->keyid) 744 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen); 745 if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt) 746 encrypt_start_output(*kp->modep); 747 return; 748 } 749 750 encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0); 751 } 752 753 void 754 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit) 755 { 756 unsigned char *strp; 757 758 str_keyid[3] = (dir == DIR_ENCRYPT) 759 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID; 760 if (saveit) { 761 struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1]; 762 memmove(kp->keyid, keyid, keylen); 763 kp->keylen = keylen; 764 } 765 766 for (strp = &str_keyid[4]; keylen > 0; --keylen) { 767 if ((*strp++ = *keyid++) == IAC) 768 *strp++ = IAC; 769 } 770 *strp++ = IAC; 771 *strp++ = SE; 772 net_write(str_keyid, strp - str_keyid); 773 printsub('>', &str_keyid[2], strp - str_keyid - 2); 774 } 775 776 void 777 encrypt_auto(int on) 778 { 779 if (on < 0) 780 autoencrypt ^= 1; 781 else 782 autoencrypt = on ? 1 : 0; 783 } 784 785 void 786 decrypt_auto(int on) 787 { 788 if (on < 0) 789 autodecrypt ^= 1; 790 else 791 autodecrypt = on ? 1 : 0; 792 } 793 794 void 795 encrypt_start_output(int type) 796 { 797 Encryptions *ep; 798 unsigned char *p; 799 int i; 800 801 if (!(ep = findencryption(type))) { 802 if (encrypt_debug_mode) { 803 printf(">>>%s: Can't encrypt with type %s (%d)\r\n", 804 Name, 805 ENCTYPE_NAME_OK(type) 806 ? ENCTYPE_NAME(type) : "(unknown)", 807 type); 808 } 809 return; 810 } 811 if (ep->start) { 812 i = (*ep->start)(DIR_ENCRYPT, Server); 813 if (encrypt_debug_mode) { 814 printf(">>>%s: Encrypt start: %s (%d) %s\r\n", 815 Name, 816 (i < 0) ? "failed" : 817 "initial negotiation in progress", 818 i, ENCTYPE_NAME(type)); 819 } 820 if (i) 821 return; 822 } 823 p = str_start + 3; 824 *p++ = ENCRYPT_START; 825 for (i = 0; i < ki[0].keylen; ++i) { 826 if ((*p++ = ki[0].keyid[i]) == IAC) 827 *p++ = IAC; 828 } 829 *p++ = IAC; 830 *p++ = SE; 831 net_write(str_start, p - str_start); 832 net_encrypt(); 833 printsub('>', &str_start[2], p - &str_start[2]); 834 /* 835 * If we are already encrypting in some mode, then 836 * encrypt the ring (which includes our request) in 837 * the old mode, mark it all as "clear text" and then 838 * switch to the new mode. 839 */ 840 encrypt_output = ep->output; 841 encrypt_mode = type; 842 if (encrypt_debug_mode) 843 printf(">>>%s: Started to encrypt output with type %s\r\n", 844 Name, ENCTYPE_NAME(type)); 845 if (encrypt_verbose) 846 printf("[ Output is now encrypted with type %s ]\r\n", 847 ENCTYPE_NAME(type)); 848 } 849 850 void 851 encrypt_send_end(void) 852 { 853 if (!encrypt_output) 854 return; 855 856 str_end[3] = ENCRYPT_END; 857 net_write(str_end, sizeof(str_end)); 858 net_encrypt(); 859 printsub('>', &str_end[2], sizeof(str_end) - 2); 860 /* 861 * Encrypt the output buffer now because it will not be done by 862 * netflush... 863 */ 864 encrypt_output = 0; 865 if (encrypt_debug_mode) 866 printf(">>>%s: Output is back to clear text\r\n", Name); 867 if (encrypt_verbose) 868 printf("[ Output is now clear text ]\r\n"); 869 } 870 871 void 872 encrypt_send_request_start(void) 873 { 874 unsigned char *p; 875 int i; 876 877 p = &str_start[3]; 878 *p++ = ENCRYPT_REQSTART; 879 for (i = 0; i < ki[1].keylen; ++i) { 880 if ((*p++ = ki[1].keyid[i]) == IAC) 881 *p++ = IAC; 882 } 883 *p++ = IAC; 884 *p++ = SE; 885 net_write(str_start, p - str_start); 886 printsub('>', &str_start[2], p - &str_start[2]); 887 if (encrypt_debug_mode) 888 printf(">>>%s: Request input to be encrypted\r\n", Name); 889 } 890 891 void 892 encrypt_send_request_end(void) 893 { 894 str_end[3] = ENCRYPT_REQEND; 895 net_write(str_end, sizeof(str_end)); 896 printsub('>', &str_end[2], sizeof(str_end) - 2); 897 898 if (encrypt_debug_mode) 899 printf(">>>%s: Request input to be clear text\r\n", Name); 900 } 901 902 void 903 encrypt_wait(void) 904 { 905 if (encrypt_debug_mode) 906 printf(">>>%s: in encrypt_wait\r\n", Name); 907 if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt)) 908 return; 909 while (autoencrypt && !encrypt_output) 910 if (telnet_spin()) 911 return; 912 } 913 914 void 915 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 916 { 917 char tbuf[16], *cp; 918 919 cnt -= 2; 920 data += 2; 921 buf[buflen-1] = '\0'; 922 buf[buflen-2] = '*'; 923 buflen -= 2;; 924 for (; cnt > 0; cnt--, data++) { 925 sprintf(tbuf, " %d", *data); 926 for (cp = tbuf; *cp && buflen > 0; --buflen) 927 *buf++ = *cp++; 928 if (buflen <= 0) 929 return; 930 } 931 *buf = '\0'; 932 } 933 934 void 935 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen) 936 { 937 Encryptions *ep; 938 int type = data[1]; 939 940 for (ep = encryptions; ep->type && ep->type != type; ep++) 941 ; 942 943 if (ep->printsub) 944 (*ep->printsub)(data, cnt, buf, buflen); 945 else 946 encrypt_gen_printsub(data, cnt, buf, buflen); 947 } 948 #endif /* ENCRYPTION */ 949