xref: /freebsd/contrib/telnet/libtelnet/encrypt.c (revision 62cfcf62f627e5093fb37026a6d8c98e4d2ef04c)
1 /*-
2  * Copyright (c) 1991, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  */
29 
30 #include <sys/cdefs.h>
31 
32 __FBSDID("$FreeBSD$");
33 
34 #ifndef lint
35 #if 0
36 static const char sccsid[] = "@(#)encrypt.c	8.2 (Berkeley) 5/30/95";
37 #endif
38 #endif /* not lint */
39 
40 /*
41  * Copyright (C) 1990 by the Massachusetts Institute of Technology
42  *
43  * Export of this software from the United States of America is assumed
44  * to require a specific license from the United States Government.
45  * It is the responsibility of any person or organization contemplating
46  * export to obtain such a license before exporting.
47  *
48  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
49  * distribute this software and its documentation for any purpose and
50  * without fee is hereby granted, provided that the above copyright
51  * notice appear in all copies and that both that copyright notice and
52  * this permission notice appear in supporting documentation, and that
53  * the name of M.I.T. not be used in advertising or publicity pertaining
54  * to distribution of the software without specific, written prior
55  * permission.  M.I.T. makes no representations about the suitability of
56  * this software for any purpose.  It is provided "as is" without express
57  * or implied warranty.
58  */
59 
60 #ifdef	ENCRYPTION
61 
62 #include <sys/types.h>
63 #define	ENCRYPT_NAMES
64 #include <arpa/telnet.h>
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <string.h>
68 
69 #include "encrypt.h"
70 #include "misc.h"
71 
72 /*
73  * These functions pointers point to the current routines
74  * for encrypting and decrypting data.
75  */
76 void	(*encrypt_output)(unsigned char *, int);
77 int	(*decrypt_input)(int);
78 
79 int EncryptType(char *type, char *mode);
80 int EncryptStart(char *mode);
81 int EncryptStop(char *mode);
82 int EncryptStartInput(void);
83 int EncryptStartOutput(void);
84 int EncryptStopInput(void);
85 int EncryptStopOutput(void);
86 
87 int encrypt_debug_mode = 0;
88 static int decrypt_mode = 0;
89 static int encrypt_mode = 0;
90 static int encrypt_verbose = 0;
91 static int autoencrypt = 0;
92 static int autodecrypt = 0;
93 static int havesessionkey = 0;
94 static int Server = 0;
95 static const char *Name = "Noname";
96 
97 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
98 
99 static u_long i_support_encrypt = 0
100  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
101  |0;
102 static u_long i_support_decrypt = 0
103  | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
104  |0;
105 
106 static u_long i_wont_support_encrypt = 0;
107 static u_long i_wont_support_decrypt = 0;
108 #define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
109 #define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
110 
111 static u_long remote_supports_encrypt = 0;
112 static u_long remote_supports_decrypt = 0;
113 
114 static Encryptions encryptions[] = {
115     { "DES_CFB64",	ENCTYPE_DES_CFB64,
116 			cfb64_encrypt,
117 			cfb64_decrypt,
118 			cfb64_init,
119 			cfb64_start,
120 			cfb64_is,
121 			cfb64_reply,
122 			cfb64_session,
123 			cfb64_keyid,
124 			cfb64_printsub },
125     { "DES_OFB64",	ENCTYPE_DES_OFB64,
126 			ofb64_encrypt,
127 			ofb64_decrypt,
128 			ofb64_init,
129 			ofb64_start,
130 			ofb64_is,
131 			ofb64_reply,
132 			ofb64_session,
133 			ofb64_keyid,
134 			ofb64_printsub },
135     { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
136 };
137 
138 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
139 					 ENCRYPT_SUPPORT };
140 static unsigned char str_suplen = 0;
141 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
142 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
143 
144 Encryptions *
145 findencryption(int type)
146 {
147 	Encryptions *ep = encryptions;
148 
149 	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
150 		return(0);
151 	while (ep->type && ep->type != type)
152 		++ep;
153 	return(ep->type ? ep : 0);
154 }
155 
156 static Encryptions *
157 finddecryption(int type)
158 {
159 	Encryptions *ep = encryptions;
160 
161 	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
162 		return(0);
163 	while (ep->type && ep->type != type)
164 		++ep;
165 	return(ep->type ? ep : 0);
166 }
167 
168 #define	MAXKEYLEN 64
169 
170 static struct key_info {
171 	unsigned char keyid[MAXKEYLEN];
172 	int keylen;
173 	int dir;
174 	int *modep;
175 	Encryptions *(*getcrypt)(int);
176 } ki[2] = {
177 	{ { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
178 	{ { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
179 };
180 
181 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
182 
183 void
184 encrypt_init(const char *name, int server)
185 {
186 	Encryptions *ep = encryptions;
187 
188 	Name = name;
189 	Server = server;
190 	i_support_encrypt = i_support_decrypt = 0;
191 	remote_supports_encrypt = remote_supports_decrypt = 0;
192 	encrypt_mode = 0;
193 	decrypt_mode = 0;
194 	encrypt_output = 0;
195 	decrypt_input = 0;
196 
197 	str_suplen = 4;
198 
199 	while (ep->type) {
200 		if (encrypt_debug_mode)
201 			printf(">>>%s: I will support %s\r\n",
202 				Name, ENCTYPE_NAME(ep->type));
203 		i_support_encrypt |= typemask(ep->type);
204 		i_support_decrypt |= typemask(ep->type);
205 		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
206 			if ((str_send[str_suplen++] = ep->type) == IAC)
207 				str_send[str_suplen++] = IAC;
208 		if (ep->init)
209 			(*ep->init)(Server);
210 		++ep;
211 	}
212 	str_send[str_suplen++] = IAC;
213 	str_send[str_suplen++] = SE;
214 }
215 
216 static void
217 encrypt_list_types(void)
218 {
219 	Encryptions *ep = encryptions;
220 
221 	printf("Valid encryption types:\n");
222 	while (ep->type) {
223 		printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
224 		++ep;
225 	}
226 }
227 
228 int
229 EncryptEnable(char *type, char *mode)
230 {
231 	if (isprefix(type, "help") || isprefix(type, "?")) {
232 		printf("Usage: encrypt enable <type> [input|output]\n");
233 		encrypt_list_types();
234 		return(0);
235 	}
236 	if (EncryptType(type, mode))
237 		return(EncryptStart(mode));
238 	return(0);
239 }
240 
241 int
242 EncryptDisable(char *type, char *mode)
243 {
244 	Encryptions *ep;
245 	int ret = 0;
246 
247 	if (isprefix(type, "help") || isprefix(type, "?")) {
248 		printf("Usage: encrypt disable <type> [input|output]\n");
249 		encrypt_list_types();
250 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
251 						sizeof(Encryptions))) == 0) {
252 		printf("%s: invalid encryption type\n", type);
253 	} else if (Ambiguous((char **)ep)) {
254 		printf("Ambiguous type '%s'\n", type);
255 	} else {
256 		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
257 			if (decrypt_mode == ep->type)
258 				EncryptStopInput();
259 			i_wont_support_decrypt |= typemask(ep->type);
260 			ret = 1;
261 		}
262 		if ((mode == 0) || (isprefix(mode, "output"))) {
263 			if (encrypt_mode == ep->type)
264 				EncryptStopOutput();
265 			i_wont_support_encrypt |= typemask(ep->type);
266 			ret = 1;
267 		}
268 		if (ret == 0)
269 			printf("%s: invalid encryption mode\n", mode);
270 	}
271 	return(ret);
272 }
273 
274 int
275 EncryptType(char *type, char *mode)
276 {
277 	Encryptions *ep;
278 	int ret = 0;
279 
280 	if (isprefix(type, "help") || isprefix(type, "?")) {
281 		printf("Usage: encrypt type <type> [input|output]\n");
282 		encrypt_list_types();
283 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
284 						sizeof(Encryptions))) == 0) {
285 		printf("%s: invalid encryption type\n", type);
286 	} else if (Ambiguous((char **)ep)) {
287 		printf("Ambiguous type '%s'\n", type);
288 	} else {
289 		if ((mode == 0) || isprefix(mode, "input")) {
290 			decrypt_mode = ep->type;
291 			i_wont_support_decrypt &= ~typemask(ep->type);
292 			ret = 1;
293 		}
294 		if ((mode == 0) || isprefix(mode, "output")) {
295 			encrypt_mode = ep->type;
296 			i_wont_support_encrypt &= ~typemask(ep->type);
297 			ret = 1;
298 		}
299 		if (ret == 0)
300 			printf("%s: invalid encryption mode\n", mode);
301 	}
302 	return(ret);
303 }
304 
305 int
306 EncryptStart(char *mode)
307 {
308 	int ret = 0;
309 	if (mode) {
310 		if (isprefix(mode, "input"))
311 			return(EncryptStartInput());
312 		if (isprefix(mode, "output"))
313 			return(EncryptStartOutput());
314 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
315 			printf("Usage: encrypt start [input|output]\n");
316 			return(0);
317 		}
318 		printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
319 		return(0);
320 	}
321 	ret += EncryptStartInput();
322 	ret += EncryptStartOutput();
323 	return(ret);
324 }
325 
326 int
327 EncryptStartInput(void)
328 {
329 	if (decrypt_mode) {
330 		encrypt_send_request_start();
331 		return(1);
332 	}
333 	printf("No previous decryption mode, decryption not enabled\r\n");
334 	return(0);
335 }
336 
337 int
338 EncryptStartOutput(void)
339 {
340 	if (encrypt_mode) {
341 		encrypt_start_output(encrypt_mode);
342 		return(1);
343 	}
344 	printf("No previous encryption mode, encryption not enabled\r\n");
345 	return(0);
346 }
347 
348 int
349 EncryptStop(char *mode)
350 {
351 	int ret = 0;
352 	if (mode) {
353 		if (isprefix(mode, "input"))
354 			return(EncryptStopInput());
355 		if (isprefix(mode, "output"))
356 			return(EncryptStopOutput());
357 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
358 			printf("Usage: encrypt stop [input|output]\n");
359 			return(0);
360 		}
361 		printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
362 		return(0);
363 	}
364 	ret += EncryptStopInput();
365 	ret += EncryptStopOutput();
366 	return(ret);
367 }
368 
369 int
370 EncryptStopInput(void)
371 {
372 	encrypt_send_request_end();
373 	return(1);
374 }
375 
376 int
377 EncryptStopOutput(void)
378 {
379 	encrypt_send_end();
380 	return(1);
381 }
382 
383 void
384 encrypt_display(void)
385 {
386 	if (encrypt_output)
387 		printf("Currently encrypting output with %s\r\n",
388 			ENCTYPE_NAME(encrypt_mode));
389 	if (decrypt_input)
390 		printf("Currently decrypting input with %s\r\n",
391 			ENCTYPE_NAME(decrypt_mode));
392 }
393 
394 int
395 EncryptStatus(void)
396 {
397 	if (encrypt_output)
398 		printf("Currently encrypting output with %s\r\n",
399 			ENCTYPE_NAME(encrypt_mode));
400 	else if (encrypt_mode) {
401 		printf("Currently output is clear text.\r\n");
402 		printf("Last encryption mode was %s\r\n",
403 			ENCTYPE_NAME(encrypt_mode));
404 	}
405 	if (decrypt_input) {
406 		printf("Currently decrypting input with %s\r\n",
407 			ENCTYPE_NAME(decrypt_mode));
408 	} else if (decrypt_mode) {
409 		printf("Currently input is clear text.\r\n");
410 		printf("Last decryption mode was %s\r\n",
411 			ENCTYPE_NAME(decrypt_mode));
412 	}
413 	return 1;
414 }
415 
416 void
417 encrypt_send_support(void)
418 {
419 	if (str_suplen) {
420 		/*
421 		 * If the user has requested that decryption start
422 		 * immediatly, then send a "REQUEST START" before
423 		 * we negotiate the type.
424 		 */
425 		if (!Server && autodecrypt)
426 			encrypt_send_request_start();
427 		net_write(str_send, str_suplen);
428 		printsub('>', &str_send[2], str_suplen - 2);
429 		str_suplen = 0;
430 	}
431 }
432 
433 int
434 EncryptDebug(int on)
435 {
436 	if (on < 0)
437 		encrypt_debug_mode ^= 1;
438 	else
439 		encrypt_debug_mode = on;
440 	printf("Encryption debugging %s\r\n",
441 		encrypt_debug_mode ? "enabled" : "disabled");
442 	return(1);
443 }
444 
445 int
446 EncryptVerbose(int on)
447 {
448 	if (on < 0)
449 		encrypt_verbose ^= 1;
450 	else
451 		encrypt_verbose = on;
452 	printf("Encryption %s verbose\r\n",
453 		encrypt_verbose ? "is" : "is not");
454 	return(1);
455 }
456 
457 int
458 EncryptAutoEnc(int on)
459 {
460 	encrypt_auto(on);
461 	printf("Automatic encryption of output is %s\r\n",
462 		autoencrypt ? "enabled" : "disabled");
463 	return(1);
464 }
465 
466 int
467 EncryptAutoDec(int on)
468 {
469 	decrypt_auto(on);
470 	printf("Automatic decryption of input is %s\r\n",
471 		autodecrypt ? "enabled" : "disabled");
472 	return(1);
473 }
474 
475 /*
476  * Called when ENCRYPT SUPPORT is received.
477  */
478 void
479 encrypt_support(unsigned char *typelist, int cnt)
480 {
481 	int type, use_type = 0;
482 	Encryptions *ep;
483 
484 	/*
485 	 * Forget anything the other side has previously told us.
486 	 */
487 	remote_supports_decrypt = 0;
488 
489 	while (cnt-- > 0) {
490 		type = *typelist++;
491 		if (encrypt_debug_mode)
492 			printf(">>>%s: He is supporting %s (%d)\r\n",
493 				Name,
494 				ENCTYPE_NAME(type), type);
495 		if ((type < ENCTYPE_CNT) &&
496 		    (I_SUPPORT_ENCRYPT & typemask(type))) {
497 			remote_supports_decrypt |= typemask(type);
498 			if (use_type == 0)
499 				use_type = type;
500 		}
501 	}
502 	if (use_type) {
503 		ep = findencryption(use_type);
504 		if (!ep)
505 			return;
506 		type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
507 		if (encrypt_debug_mode)
508 			printf(">>>%s: (*ep->start)() returned %d\r\n",
509 					Name, type);
510 		if (type < 0)
511 			return;
512 		encrypt_mode = use_type;
513 		if (type == 0)
514 			encrypt_start_output(use_type);
515 	}
516 }
517 
518 void
519 encrypt_is(unsigned char *data, int cnt)
520 {
521 	Encryptions *ep;
522 	int type, ret;
523 
524 	if (--cnt < 0)
525 		return;
526 	type = *data++;
527 	if (type < ENCTYPE_CNT)
528 		remote_supports_encrypt |= typemask(type);
529 	if (!(ep = finddecryption(type))) {
530 		if (encrypt_debug_mode)
531 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
532 				Name,
533 				ENCTYPE_NAME_OK(type)
534 					? ENCTYPE_NAME(type) : "(unknown)",
535 				type);
536 		return;
537 	}
538 	if (!ep->is) {
539 		if (encrypt_debug_mode)
540 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
541 				Name,
542 				ENCTYPE_NAME_OK(type)
543 					? ENCTYPE_NAME(type) : "(unknown)",
544 				type);
545 		ret = 0;
546 	} else {
547 		ret = (*ep->is)(data, cnt);
548 		if (encrypt_debug_mode)
549 			printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
550 				(ret < 0) ? "FAIL " :
551 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
552 	}
553 	if (ret < 0) {
554 		autodecrypt = 0;
555 	} else {
556 		decrypt_mode = type;
557 		if (ret == 0 && autodecrypt)
558 			encrypt_send_request_start();
559 	}
560 }
561 
562 void
563 encrypt_reply(unsigned char *data, int cnt)
564 {
565 	Encryptions *ep;
566 	int ret, type;
567 
568 	if (--cnt < 0)
569 		return;
570 	type = *data++;
571 	if (!(ep = findencryption(type))) {
572 		if (encrypt_debug_mode)
573 			printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
574 				Name,
575 				ENCTYPE_NAME_OK(type)
576 					? ENCTYPE_NAME(type) : "(unknown)",
577 				type);
578 		return;
579 	}
580 	if (!ep->reply) {
581 		if (encrypt_debug_mode)
582 			printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
583 				Name,
584 				ENCTYPE_NAME_OK(type)
585 					? ENCTYPE_NAME(type) : "(unknown)",
586 				type);
587 		ret = 0;
588 	} else {
589 		ret = (*ep->reply)(data, cnt);
590 		if (encrypt_debug_mode)
591 			printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
592 				data, cnt,
593 				(ret < 0) ? "FAIL " :
594 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
595 	}
596 	if (encrypt_debug_mode)
597 		printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
598 	if (ret < 0) {
599 		autoencrypt = 0;
600 	} else {
601 		encrypt_mode = type;
602 		if (ret == 0 && autoencrypt)
603 			encrypt_start_output(type);
604 	}
605 }
606 
607 /*
608  * Called when a ENCRYPT START command is received.
609  */
610 void
611 encrypt_start(unsigned char *data __unused, int cnt __unused)
612 {
613 	Encryptions *ep;
614 
615 	if (!decrypt_mode) {
616 		/*
617 		 * Something is wrong.  We should not get a START
618 		 * command without having already picked our
619 		 * decryption scheme.  Send a REQUEST-END to
620 		 * attempt to clear the channel...
621 		 */
622 		printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
623 		encrypt_send_request_end();
624 		return;
625 	}
626 
627 	if ((ep = finddecryption(decrypt_mode))) {
628 		decrypt_input = ep->input;
629 		if (encrypt_verbose)
630 			printf("[ Input is now decrypted with type %s ]\r\n",
631 				ENCTYPE_NAME(decrypt_mode));
632 		if (encrypt_debug_mode)
633 			printf(">>>%s: Start to decrypt input with type %s\r\n",
634 				Name, ENCTYPE_NAME(decrypt_mode));
635 	} else {
636 		printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
637 				Name,
638 				ENCTYPE_NAME_OK(decrypt_mode)
639 					? ENCTYPE_NAME(decrypt_mode)
640 					: "(unknown)",
641 				decrypt_mode);
642 		encrypt_send_request_end();
643 	}
644 }
645 
646 void
647 encrypt_session_key( Session_Key *key, int server)
648 {
649 	Encryptions *ep = encryptions;
650 
651 	havesessionkey = 1;
652 
653 	while (ep->type) {
654 		if (ep->session)
655 			(*ep->session)(key, server);
656 		++ep;
657 	}
658 }
659 
660 /*
661  * Called when ENCRYPT END is received.
662  */
663 void
664 encrypt_end(void)
665 {
666 	decrypt_input = 0;
667 	if (encrypt_debug_mode)
668 		printf(">>>%s: Input is back to clear text\r\n", Name);
669 	if (encrypt_verbose)
670 		printf("[ Input is now clear text ]\r\n");
671 }
672 
673 /*
674  * Called when ENCRYPT REQUEST-END is received.
675  */
676 void
677 encrypt_request_end(void)
678 {
679 	encrypt_send_end();
680 }
681 
682 /*
683  * Called when ENCRYPT REQUEST-START is received.  If we receive
684  * this before a type is picked, then that indicates that the
685  * other side wants us to start encrypting data as soon as we
686  * can.
687  */
688 void
689 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
690 {
691 	if (encrypt_mode == 0)  {
692 		if (Server)
693 			autoencrypt = 1;
694 		return;
695 	}
696 	encrypt_start_output(encrypt_mode);
697 }
698 
699 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
700 
701 void
702 encrypt_enc_keyid(unsigned char *keyid, int len)
703 {
704 	encrypt_keyid(&ki[1], keyid, len);
705 }
706 
707 void
708 encrypt_dec_keyid(unsigned char *keyid, int len)
709 {
710 	encrypt_keyid(&ki[0], keyid, len);
711 }
712 
713 void
714 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
715 {
716 	Encryptions *ep;
717 	int dir = kp->dir;
718 	int ret = 0;
719 
720 	if (len > MAXKEYLEN)
721 		len = MAXKEYLEN;
722 
723 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
724 		if (len == 0)
725 			return;
726 		kp->keylen = 0;
727 	} else if (len == 0) {
728 		/*
729 		 * Empty option, indicates a failure.
730 		 */
731 		if (kp->keylen == 0)
732 			return;
733 		kp->keylen = 0;
734 		if (ep->keyid)
735 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
736 
737 	} else if ((len != kp->keylen) ||
738 		   (memcmp(keyid, kp->keyid, len) != 0)) {
739 		/*
740 		 * Length or contents are different
741 		 */
742 		kp->keylen = len;
743 		memmove(kp->keyid, keyid, len);
744 		if (ep->keyid)
745 			(void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
746 	} else {
747 		if (ep->keyid)
748 			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
749 		if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
750 			encrypt_start_output(*kp->modep);
751 		return;
752 	}
753 
754 	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
755 }
756 
757 void
758 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
759 {
760 	unsigned char *strp;
761 
762 	str_keyid[3] = (dir == DIR_ENCRYPT)
763 			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
764 	if (saveit) {
765 		struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
766 		memmove(kp->keyid, keyid, keylen);
767 		kp->keylen = keylen;
768 	}
769 
770 	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
771 		if ((*strp++ = *keyid++) == IAC)
772 			*strp++ = IAC;
773 	}
774 	*strp++ = IAC;
775 	*strp++ = SE;
776 	net_write(str_keyid, strp - str_keyid);
777 	printsub('>', &str_keyid[2], strp - str_keyid - 2);
778 }
779 
780 void
781 encrypt_auto(int on)
782 {
783 	if (on < 0)
784 		autoencrypt ^= 1;
785 	else
786 		autoencrypt = on ? 1 : 0;
787 }
788 
789 void
790 decrypt_auto(int on)
791 {
792 	if (on < 0)
793 		autodecrypt ^= 1;
794 	else
795 		autodecrypt = on ? 1 : 0;
796 }
797 
798 void
799 encrypt_start_output(int type)
800 {
801 	Encryptions *ep;
802 	unsigned char *p;
803 	int i;
804 
805 	if (!(ep = findencryption(type))) {
806 		if (encrypt_debug_mode) {
807 			printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
808 				Name,
809 				ENCTYPE_NAME_OK(type)
810 					? ENCTYPE_NAME(type) : "(unknown)",
811 				type);
812 		}
813 		return;
814 	}
815 	if (ep->start) {
816 		i = (*ep->start)(DIR_ENCRYPT, Server);
817 		if (encrypt_debug_mode) {
818 			printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
819 				Name,
820 				(i < 0) ? "failed" :
821 					"initial negotiation in progress",
822 				i, ENCTYPE_NAME(type));
823 		}
824 		if (i)
825 			return;
826 	}
827 	p = str_start + 3;
828 	*p++ = ENCRYPT_START;
829 	for (i = 0; i < ki[0].keylen; ++i) {
830 		if ((*p++ = ki[0].keyid[i]) == IAC)
831 			*p++ = IAC;
832 	}
833 	*p++ = IAC;
834 	*p++ = SE;
835 	net_write(str_start, p - str_start);
836 	net_encrypt();
837 	printsub('>', &str_start[2], p - &str_start[2]);
838 	/*
839 	 * If we are already encrypting in some mode, then
840 	 * encrypt the ring (which includes our request) in
841 	 * the old mode, mark it all as "clear text" and then
842 	 * switch to the new mode.
843 	 */
844 	encrypt_output = ep->output;
845 	encrypt_mode = type;
846 	if (encrypt_debug_mode)
847 		printf(">>>%s: Started to encrypt output with type %s\r\n",
848 			Name, ENCTYPE_NAME(type));
849 	if (encrypt_verbose)
850 		printf("[ Output is now encrypted with type %s ]\r\n",
851 			ENCTYPE_NAME(type));
852 }
853 
854 void
855 encrypt_send_end(void)
856 {
857 	if (!encrypt_output)
858 		return;
859 
860 	str_end[3] = ENCRYPT_END;
861 	net_write(str_end, sizeof(str_end));
862 	net_encrypt();
863 	printsub('>', &str_end[2], sizeof(str_end) - 2);
864 	/*
865 	 * Encrypt the output buffer now because it will not be done by
866 	 * netflush...
867 	 */
868 	encrypt_output = 0;
869 	if (encrypt_debug_mode)
870 		printf(">>>%s: Output is back to clear text\r\n", Name);
871 	if (encrypt_verbose)
872 		printf("[ Output is now clear text ]\r\n");
873 }
874 
875 void
876 encrypt_send_request_start(void)
877 {
878 	unsigned char *p;
879 	int i;
880 
881 	p = &str_start[3];
882 	*p++ = ENCRYPT_REQSTART;
883 	for (i = 0; i < ki[1].keylen; ++i) {
884 		if ((*p++ = ki[1].keyid[i]) == IAC)
885 			*p++ = IAC;
886 	}
887 	*p++ = IAC;
888 	*p++ = SE;
889 	net_write(str_start, p - str_start);
890 	printsub('>', &str_start[2], p - &str_start[2]);
891 	if (encrypt_debug_mode)
892 		printf(">>>%s: Request input to be encrypted\r\n", Name);
893 }
894 
895 void
896 encrypt_send_request_end(void)
897 {
898 	str_end[3] = ENCRYPT_REQEND;
899 	net_write(str_end, sizeof(str_end));
900 	printsub('>', &str_end[2], sizeof(str_end) - 2);
901 
902 	if (encrypt_debug_mode)
903 		printf(">>>%s: Request input to be clear text\r\n", Name);
904 }
905 
906 void
907 encrypt_wait(void)
908 {
909 	if (encrypt_debug_mode)
910 		printf(">>>%s: in encrypt_wait\r\n", Name);
911 	if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
912 		return;
913 	while (autoencrypt && !encrypt_output)
914 		if (telnet_spin())
915 			return;
916 }
917 
918 void
919 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
920 {
921 	char tbuf[16], *cp;
922 
923 	cnt -= 2;
924 	data += 2;
925 	buf[buflen-1] = '\0';
926 	buf[buflen-2] = '*';
927 	buflen -= 2;;
928 	for (; cnt > 0; cnt--, data++) {
929 		sprintf(tbuf, " %d", *data);
930 		for (cp = tbuf; *cp && buflen > 0; --buflen)
931 			*buf++ = *cp++;
932 		if (buflen <= 0)
933 			return;
934 	}
935 	*buf = '\0';
936 }
937 
938 void
939 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
940 {
941 	Encryptions *ep;
942 	int type = data[1];
943 
944 	for (ep = encryptions; ep->type && ep->type != type; ep++)
945 		;
946 
947 	if (ep->printsub)
948 		(*ep->printsub)(data, cnt, buf, buflen);
949 	else
950 		encrypt_gen_printsub(data, cnt, buf, buflen);
951 }
952 #endif	/* ENCRYPTION */
953