1 /* 2 * Copyright 2002 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * usr/src/cmd/cmd-inet/usr.bin/telnet/encrypt.c 10 */ 11 12 /* 13 * Copyright (c) 1991, 1993 14 * The Regents of the University of California. All rights reserved. 15 * 16 * Redistribution and use in source and binary forms, with or without 17 * modification, are permitted provided that the following conditions 18 * are met: 19 * 1. Redistributions of source code must retain the above copyright 20 * notice, this list of conditions and the following disclaimer. 21 * 2. Redistributions in binary form must reproduce the above copyright 22 * notice, this list of conditions and the following disclaimer in the 23 * documentation and/or other materials provided with the distribution. 24 * 3. All advertising materials mentioning features or use of this software 25 * must display the following acknowledgement: 26 * This product includes software developed by the University of 27 * California, Berkeley and its contributors. 28 * 4. Neither the name of the University nor the names of its contributors 29 * may be used to endorse or promote products derived from this software 30 * without specific prior written permission. 31 * 32 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 33 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 34 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 35 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 36 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 37 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 38 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 39 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 40 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 41 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 42 * SUCH DAMAGE. 43 */ 44 45 /* based on @(#)encrypt.c 8.1 (Berkeley) 6/4/93 */ 46 47 /* 48 * Copyright (C) 1990 by the Massachusetts Institute of Technology 49 * 50 * Export of this software from the United States of America may 51 * require a specific license from the United States Government. 52 * It is the responsibility of any person or organization contemplating 53 * export to obtain such a license before exporting. 54 * 55 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and 56 * distribute this software and its documentation for any purpose and 57 * without fee is hereby granted, provided that the above copyright 58 * notice appear in all copies and that both that copyright notice and 59 * this permission notice appear in supporting documentation, and that 60 * the name of M.I.T. not be used in advertising or publicity pertaining 61 * to distribution of the software without specific, written prior 62 * permission. Furthermore if you modify this software you must label 63 * your software as modified software and not distribute it in such a 64 * fashion that it might be confused with the original M.I.T. software. 65 * M.I.T. makes no representations about the suitability of 66 * this software for any purpose. It is provided "as is" without express 67 * or implied warranty. 68 */ 69 70 #ifdef lint 71 static char *encrypt_names[] = {0}; 72 static char *enctype_names[] = {0}; 73 #else /* lint */ 74 #define ENCRYPT_NAMES 75 #endif /* lint */ 76 #include <arpa/telnet.h> 77 78 #include "externs.h" 79 80 #ifdef __STDC__ 81 #include <stdlib.h> 82 #endif 83 84 /* 85 * These functions pointers point to the current routines 86 * for encrypting and decrypting data. 87 */ 88 void (*encrypt_output)(uchar_t *, int); 89 int (*decrypt_input)(int); 90 static void encrypt_start_output(int); 91 static void encrypt_send_end(void); 92 static void encrypt_send_request_start(void); 93 static void encrypt_send_request_end(void); 94 95 boolean_t encrypt_debug_mode = B_FALSE; 96 97 static int decrypt_mode = 0; 98 static int encrypt_mode = 0; 99 static boolean_t encrypt_verbose = B_FALSE; 100 static boolean_t autoencrypt = B_FALSE; 101 static boolean_t autodecrypt = B_FALSE; 102 static char *Name = "Noname"; 103 104 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0) 105 #define SUCCESS 0x00 106 #define UNKNOWN gettext("(unknown)") 107 108 static int i_support_encrypt = typemask(TELOPT_ENCTYPE_DES_CFB64); 109 static int i_support_decrypt = typemask(TELOPT_ENCTYPE_DES_CFB64); 110 static int i_wont_support_encrypt = 0; 111 static int i_wont_support_decrypt = 0; 112 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt) 113 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt) 114 115 static int remote_supports_encrypt = 0; 116 static int remote_supports_decrypt = 0; 117 118 static Encryptions encryptions[] = { 119 { "DES_CFB64", TELOPT_ENCTYPE_DES_CFB64, 120 cfb64_encrypt, 121 cfb64_decrypt, 122 cfb64_init, 123 cfb64_start, 124 cfb64_is, 125 cfb64_reply, 126 cfb64_session, 127 cfb64_keyid, 128 cfb64_printsub }, 129 { 0, }, 130 }; 131 132 static uchar_t str_send[64] = { IAC, SB, TELOPT_ENCRYPT, 133 ENCRYPT_SUPPORT }; 134 static uchar_t str_suplen = 0; 135 static uchar_t str_start[72] = { IAC, SB, TELOPT_ENCRYPT }; 136 static uchar_t str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE }; 137 138 static Encryptions * 139 findencryption(int type) 140 { 141 Encryptions *ep = encryptions; 142 143 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type))) 144 return (NULL); 145 for (; (ep->type != NULL) && (ep->type != type); ep++); 146 return (ep->type ? ep : NULL); 147 } 148 149 static Encryptions * 150 finddecryption(int type) 151 { 152 Encryptions *ep = encryptions; 153 154 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type))) 155 return (NULL); 156 while (ep->type && ep->type != type) 157 ++ep; 158 return (ep->type ? ep : NULL); 159 } 160 161 #define MAXKEYLEN 64 162 163 static struct key_info { 164 uchar_t keyid[MAXKEYLEN]; 165 int keylen; 166 int dir; 167 int *modep; 168 Encryptions *(*getcrypt)(); 169 } ki[2] = { 170 { { 0 }, 0, TELNET_DIR_ENCRYPT, &encrypt_mode, findencryption }, 171 { { 0 }, 0, TELNET_DIR_DECRYPT, &decrypt_mode, finddecryption }, 172 }; 173 #define KI_ENCRYPT 0 174 #define KI_DECRYPT 1 175 176 void 177 encrypt_init(char *name) 178 { 179 Encryptions *ep = encryptions; 180 181 Name = name; 182 i_support_encrypt = i_support_decrypt = 0; 183 remote_supports_encrypt = remote_supports_decrypt = 0; 184 encrypt_mode = 0; 185 decrypt_mode = 0; 186 encrypt_output = 0; 187 decrypt_input = 0; 188 #ifdef notdef 189 encrypt_verbose = !server; 190 #endif 191 192 str_suplen = 4; 193 194 while (ep->type) { 195 if (encrypt_debug_mode) 196 (void) printf(gettext( 197 ">>>%s: I will support %s\r\n"), 198 Name, ENCTYPE_NAME(ep->type)); 199 i_support_encrypt |= typemask(ep->type); 200 i_support_decrypt |= typemask(ep->type); 201 if ((i_wont_support_decrypt & typemask(ep->type)) == 0) 202 if ((str_send[str_suplen++] = ep->type) == IAC) 203 str_send[str_suplen++] = IAC; 204 if (ep->init) 205 (*ep->init)(); 206 ++ep; 207 } 208 str_send[str_suplen++] = IAC; 209 str_send[str_suplen++] = SE; 210 } 211 212 static void 213 encrypt_list_types(void) 214 { 215 Encryptions *ep = encryptions; 216 217 (void) printf(gettext("Valid encryption types:\n")); 218 while (ep->type) { 219 (void) printf("\t%s (%d)\r\n", 220 ENCTYPE_NAME(ep->type), ep->type); 221 ++ep; 222 } 223 } 224 225 int 226 EncryptEnable(char *type, char *mode) 227 { 228 if (isprefix(type, "help") || isprefix(type, "?")) { 229 (void) printf(gettext( 230 "Usage: encrypt enable <type> [input|output]\n")); 231 encrypt_list_types(); 232 return (0); 233 } 234 235 if (EncryptType(type, mode)) 236 return (EncryptStart(mode)); 237 238 return (0); 239 } 240 241 int 242 EncryptDisable(char *type, char *mode) 243 { 244 register Encryptions *ep; 245 int ret = 0; 246 247 if (isprefix(type, "help") || isprefix(type, "?")) { 248 (void) printf(gettext( 249 "Usage: encrypt disable <type> [input|output]\n")); 250 encrypt_list_types(); 251 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions, 252 sizeof (Encryptions))) == 0) { 253 (void) printf(gettext("%s: invalid encryption type\n"), type); 254 } else if (Ambiguous(ep)) { 255 (void) printf(gettext("Ambiguous type '%s'\n"), type); 256 } else { 257 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) { 258 if (decrypt_mode == ep->type) 259 (void) EncryptStopInput(); 260 i_wont_support_decrypt |= typemask(ep->type); 261 ret = 1; 262 } 263 if ((mode == 0) || (isprefix(mode, "output"))) { 264 if (encrypt_mode == ep->type) 265 (void) EncryptStopOutput(); 266 i_wont_support_encrypt |= typemask(ep->type); 267 ret = 1; 268 } 269 if (ret == 0) 270 (void) printf(gettext( 271 "%s: invalid encryption mode\n"), mode); 272 } 273 return (ret); 274 } 275 276 int 277 EncryptType(char *type, char *mode) 278 { 279 register Encryptions *ep; 280 int ret = 0; 281 282 if (isprefix(type, "help") || isprefix(type, "?")) { 283 (void) printf(gettext( 284 "Usage: encrypt type <type> [input|output]\n")); 285 encrypt_list_types(); 286 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions, 287 sizeof (Encryptions))) == 0) { 288 (void) printf(gettext("%s: invalid encryption type\n"), type); 289 } else if (Ambiguous(ep)) { 290 (void) printf(gettext("Ambiguous type '%s'\n"), type); 291 } else { 292 if ((mode == 0) || isprefix(mode, "input")) { 293 decrypt_mode = ep->type; 294 i_wont_support_decrypt &= ~typemask(ep->type); 295 ret = 1; 296 } 297 if ((mode == 0) || isprefix(mode, "output")) { 298 encrypt_mode = ep->type; 299 i_wont_support_encrypt &= ~typemask(ep->type); 300 ret = 1; 301 } 302 if (ret == 0) 303 (void) printf(gettext( 304 "%s: invalid encryption mode\n"), mode); 305 } 306 return (ret); 307 } 308 309 int 310 EncryptStart(char *mode) 311 { 312 register int ret = 0; 313 if (mode) { 314 if (isprefix(mode, "input")) 315 return (EncryptStartInput()); 316 if (isprefix(mode, "output")) 317 return (EncryptStartOutput()); 318 if (isprefix(mode, "help") || isprefix(mode, "?")) { 319 (void) printf(gettext( 320 "Usage: encrypt start [input|output]\n")); 321 return (0); 322 } 323 (void) printf(gettext( 324 "%s: invalid encryption mode 'encrypt start ?' " 325 "for help\n"), mode); 326 return (0); 327 } 328 ret += EncryptStartInput(); 329 ret += EncryptStartOutput(); 330 return (ret); 331 } 332 333 int 334 EncryptStartInput(void) 335 { 336 if (decrypt_mode) { 337 encrypt_send_request_start(); 338 return (1); 339 } 340 (void) printf(gettext("No previous decryption mode, " 341 "decryption not enabled\r\n")); 342 return (0); 343 } 344 345 int 346 EncryptStartOutput(void) 347 { 348 if (encrypt_mode) { 349 encrypt_start_output(encrypt_mode); 350 return (1); 351 } 352 (void) printf(gettext("No previous encryption mode, " 353 "encryption not enabled\r\n")); 354 return (0); 355 } 356 357 int 358 EncryptStop(char *mode) 359 { 360 int ret = 0; 361 if (mode) { 362 if (isprefix(mode, "input")) 363 return (EncryptStopInput()); 364 if (isprefix(mode, "output")) 365 return (EncryptStopOutput()); 366 if (isprefix(mode, "help") || isprefix(mode, "?")) { 367 (void) printf(gettext( 368 "Usage: encrypt stop [input|output]\n")); 369 return (0); 370 } 371 (void) printf(gettext( 372 "%s: invalid encryption mode 'encrypt stop ?' " 373 "for help\n"), mode); 374 return (0); 375 } 376 ret += EncryptStopInput(); 377 ret += EncryptStopOutput(); 378 return (ret); 379 } 380 381 int 382 EncryptStopInput(void) 383 { 384 encrypt_send_request_end(); 385 return (1); 386 } 387 388 int 389 EncryptStopOutput(void) 390 { 391 encrypt_send_end(); 392 return (1); 393 } 394 395 void 396 encrypt_display(void) 397 { 398 if (encrypt_output) 399 (void) printf(gettext( 400 "Currently encrypting output with %s\r\n"), 401 ENCTYPE_NAME(encrypt_mode)); 402 if (decrypt_input) 403 (void) printf(gettext( 404 "Currently decrypting input with %s\r\n"), 405 ENCTYPE_NAME(decrypt_mode)); 406 } 407 408 int 409 EncryptStatus(void) 410 { 411 if (encrypt_output) 412 (void) printf(gettext( 413 "Currently encrypting output with %s\r\n"), 414 ENCTYPE_NAME(encrypt_mode)); 415 else if (encrypt_mode) { 416 (void) printf(gettext("Currently output is clear text.\r\n")); 417 (void) printf(gettext("Last encryption mode was %s\r\n"), 418 ENCTYPE_NAME(encrypt_mode)); 419 } 420 if (decrypt_input) { 421 (void) printf(gettext( 422 "Currently decrypting input with %s\r\n"), 423 ENCTYPE_NAME(decrypt_mode)); 424 } else if (decrypt_mode) { 425 (void) printf(gettext("Currently input is clear text.\r\n")); 426 (void) printf(gettext("Last decryption mode was %s\r\n"), 427 ENCTYPE_NAME(decrypt_mode)); 428 } 429 return (1); 430 } 431 432 void 433 encrypt_send_support(void) 434 { 435 if (str_suplen) { 436 /* 437 * If the user has requested that decryption start 438 * immediatly, then send a "REQUEST START" before 439 * we negotiate the type. 440 */ 441 if (autodecrypt) 442 encrypt_send_request_start(); 443 (void) net_write(str_send, str_suplen); 444 printsub('>', &str_send[2], str_suplen - 2); 445 str_suplen = 0; 446 } 447 } 448 449 int 450 EncryptDebug(int on) 451 { 452 encrypt_debug_mode = (on < 0) ? !encrypt_debug_mode : 453 (on > 0) ? B_TRUE : B_FALSE; 454 (void) printf(encrypt_debug_mode ? 455 gettext("Encryption debugging enabled\r\n") : 456 gettext("Encryption debugging disabled\r\n")); 457 return (1); 458 } 459 460 int 461 EncryptVerbose(int on) 462 { 463 encrypt_verbose = (on < 0) ? !encrypt_verbose : 464 (on > 0) ? B_TRUE : B_FALSE; 465 (void) printf(encrypt_verbose ? 466 gettext("Encryption is verbose\r\n") : 467 gettext("Encryption is not verbose\r\n")); 468 return (1); 469 } 470 471 int 472 EncryptAutoEnc(int on) 473 { 474 encrypt_auto(on); 475 (void) printf(autoencrypt ? 476 gettext("Automatic encryption of output is enabled\r\n") : 477 gettext("Automatic encryption of output is disabled\r\n")); 478 return (1); 479 } 480 481 int 482 EncryptAutoDec(int on) 483 { 484 decrypt_auto(on); 485 (void) printf(autodecrypt ? 486 gettext("Automatic decryption of input is enabled\r\n") : 487 gettext("Automatic decryption of input is disabled\r\n")); 488 return (1); 489 } 490 491 /* 492 * Called when ENCRYPT SUPPORT is received. 493 */ 494 void 495 encrypt_support(uchar_t *typelist, int cnt) 496 { 497 register int type, use_type = 0; 498 Encryptions *ep; 499 500 /* 501 * Forget anything the other side has previously told us. 502 */ 503 remote_supports_decrypt = 0; 504 505 while (cnt-- > 0) { 506 type = *typelist++; 507 if (encrypt_debug_mode) 508 (void) printf(gettext( 509 ">>>%s: Remote host supports %s (%d)\r\n"), 510 Name, ENCTYPE_NAME(type), type); 511 if ((type < TELOPT_ENCTYPE_CNT) && 512 (I_SUPPORT_ENCRYPT & typemask(type))) { 513 remote_supports_decrypt |= typemask(type); 514 if (use_type == 0) 515 use_type = type; 516 } 517 } 518 if (use_type) { 519 ep = findencryption(use_type); 520 if (!ep) 521 return; 522 type = ep->start ? (*ep->start)(TELNET_DIR_ENCRYPT) : 0; 523 if (encrypt_debug_mode) 524 (void) printf(gettext( 525 ">>>%s: (*ep->start)() returned %d\r\n"), 526 Name, type); 527 if (type < 0) 528 return; 529 encrypt_mode = use_type; 530 if (type == 0) 531 encrypt_start_output(use_type); 532 } 533 } 534 535 void 536 encrypt_is(uchar_t *data, int cnt) 537 { 538 Encryptions *ep; 539 register int type, ret; 540 541 if (--cnt < 0) 542 return; 543 type = *data++; 544 if (type < TELOPT_ENCTYPE_CNT) 545 remote_supports_encrypt |= typemask(type); 546 if (!(ep = finddecryption(type))) { 547 if (encrypt_debug_mode) 548 (void) printf(gettext( 549 ">>>%s: Can't find type %s (%d) for " 550 "initial negotiation\r\n"), Name, 551 ENCTYPE_NAME_OK(type) ? 552 ENCTYPE_NAME(type) : UNKNOWN, type); 553 return; 554 } 555 if (!ep->is) { 556 if (encrypt_debug_mode) 557 (void) printf(gettext( 558 ">>>%s: No initial negotiation needed " 559 "for type %s (%d)\r\n"), Name, 560 ENCTYPE_NAME_OK(type) ? 561 ENCTYPE_NAME(type) : UNKNOWN, type); 562 ret = 0; 563 } else { 564 ret = (*ep->is)(data, cnt); 565 if (encrypt_debug_mode) 566 (void) printf(gettext( 567 "(*ep->is)(%x, %d) returned %s(%d)\n"), 568 data, cnt, (ret < 0) ? "FAIL " : 569 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); 570 } 571 if (ret < 0) { 572 autodecrypt = B_FALSE; 573 } else { 574 decrypt_mode = type; 575 if (ret == 0 && autodecrypt) 576 encrypt_send_request_start(); 577 } 578 } 579 580 void 581 encrypt_reply(uchar_t *data, int cnt) 582 { 583 Encryptions *ep; 584 register int ret, type; 585 586 if (--cnt < 0) 587 return; 588 type = *data++; 589 if (!(ep = findencryption(type))) { 590 if (encrypt_debug_mode) 591 (void) printf(gettext( 592 ">>>%s: Can't find type %s (%d) " 593 "for initial negotiation\r\n"), Name, 594 ENCTYPE_NAME_OK(type) ? 595 ENCTYPE_NAME(type) : UNKNOWN, type); 596 return; 597 } 598 if (!ep->reply) { 599 if (encrypt_debug_mode) 600 (void) printf(gettext( 601 ">>>%s: No initial negotiation needed " 602 "for type %s (%d)\r\n"), Name, 603 ENCTYPE_NAME_OK(type) ? 604 ENCTYPE_NAME(type) : UNKNOWN, type); 605 ret = 0; 606 } else { 607 ret = (*ep->reply)(data, cnt); 608 if (encrypt_debug_mode) 609 (void) printf(gettext( 610 "(*ep->reply)(%x, %d) returned %s(%d)\n"), 611 data, cnt, (ret < 0) ? "FAIL " : 612 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret); 613 } 614 if (encrypt_debug_mode) 615 (void) printf(gettext( 616 ">>>%s: encrypt_reply returned %d\n"), Name, ret); 617 if (ret < 0) { 618 autoencrypt = B_FALSE; 619 } else { 620 encrypt_mode = type; 621 if (ret == 0 && autoencrypt) 622 encrypt_start_output(type); 623 } 624 } 625 626 /* 627 * Called when a ENCRYPT START command is received. 628 */ 629 /* ARGSUSED */ 630 void 631 encrypt_start(uchar_t *data, int cnt) 632 { 633 Encryptions *ep; 634 635 if (!decrypt_mode) { 636 /* 637 * Something is wrong. We should not get a START 638 * command without having already picked our 639 * decryption scheme. Send a REQUEST-END to 640 * attempt to clear the channel... 641 */ 642 (void) printf(gettext("%s: Warning, cannot decrypt " 643 "input stream!!!\r\n"), Name); 644 encrypt_send_request_end(); 645 return; 646 } 647 648 if (ep = finddecryption(decrypt_mode)) { 649 decrypt_input = ep->input; 650 if (encrypt_verbose) 651 (void) printf(gettext( 652 "[ Input is now decrypted with type %s ]\r\n"), 653 ENCTYPE_NAME(decrypt_mode)); 654 if (encrypt_debug_mode) 655 (void) printf(gettext( 656 ">>>%s: Start to decrypt input with type %s\r\n"), 657 Name, ENCTYPE_NAME(decrypt_mode)); 658 } else { 659 (void) printf(gettext( 660 "%s: Warning, cannot decrypt type %s (%d)!!!\r\n"), 661 Name, ENCTYPE_NAME_OK(decrypt_mode) ? 662 ENCTYPE_NAME(decrypt_mode) : UNKNOWN, 663 decrypt_mode); 664 encrypt_send_request_end(); 665 } 666 } 667 668 void 669 encrypt_session_key(Session_Key *key) 670 { 671 Encryptions *ep = encryptions; 672 673 while (ep->type) { 674 if (ep->session) 675 (*ep->session)(key); 676 #ifdef notdef 677 if (!encrypt_output && autoencrypt) 678 encrypt_start_output(ep->type); 679 if (!decrypt_input && autodecrypt) 680 encrypt_send_request_start(); 681 #endif 682 ++ep; 683 } 684 } 685 686 /* 687 * Called when ENCRYPT END is received. 688 */ 689 void 690 encrypt_end(void) 691 { 692 decrypt_input = 0; 693 if (encrypt_debug_mode) 694 (void) printf(gettext( 695 ">>>%s: Input is back to clear text\r\n"), Name); 696 if (encrypt_verbose) 697 (void) printf(gettext("[ Input is now clear text ]\r\n")); 698 } 699 700 /* 701 * Called when ENCRYPT REQUEST-END is received. 702 */ 703 void 704 encrypt_request_end(void) 705 { 706 encrypt_send_end(); 707 } 708 709 /* 710 * Called when ENCRYPT REQUEST-START is received. If we receive 711 * this before a type is picked, then that indicates that the 712 * other side wants us to start encrypting data as soon as we 713 * can. 714 */ 715 /* ARGSUSED */ 716 void 717 encrypt_request_start(uchar_t *data, int cnt) 718 { 719 if (encrypt_mode == 0) 720 return; 721 encrypt_start_output(encrypt_mode); 722 } 723 724 static uchar_t str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT }; 725 static void encrypt_keyid(struct key_info *, uchar_t *, int); 726 727 void 728 encrypt_enc_keyid(uchar_t *keyid, int len) 729 { 730 encrypt_keyid(&ki[KI_DECRYPT], keyid, len); 731 } 732 733 void 734 encrypt_dec_keyid(uchar_t *keyid, int len) 735 { 736 encrypt_keyid(&ki[KI_ENCRYPT], keyid, len); 737 } 738 739 static void 740 encrypt_keyid(struct key_info *kp, uchar_t *keyid, int len) 741 { 742 Encryptions *ep; 743 int dir = kp->dir; 744 register int ret = 0; 745 746 if (!(ep = (*kp->getcrypt)(*kp->modep))) { 747 if (len == 0) 748 return; 749 kp->keylen = 0; 750 } else if (len == 0) { 751 /* 752 * Empty option, indicates a failure. 753 */ 754 if (kp->keylen == 0) 755 return; 756 kp->keylen = 0; 757 if (ep->keyid) 758 (void) (*ep->keyid)(dir, kp->keyid, &kp->keylen); 759 760 } else if ((len != kp->keylen) || 761 (memcmp(keyid, kp->keyid, len) != 0)) { 762 /* 763 * Length or contents are different 764 */ 765 kp->keylen = len; 766 (void) memcpy(kp->keyid, keyid, len); 767 if (ep->keyid) 768 (void) (*ep->keyid)(dir, kp->keyid, &kp->keylen); 769 } else { 770 if (ep->keyid) 771 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen); 772 if ((ret == 0) && (dir == TELNET_DIR_ENCRYPT) && autoencrypt) 773 encrypt_start_output(*kp->modep); 774 return; 775 } 776 777 encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0); 778 } 779 780 void 781 encrypt_send_keyid(int dir, uchar_t *keyid, int keylen, int saveit) 782 { 783 uchar_t *strp; 784 785 str_keyid[3] = (dir == TELNET_DIR_ENCRYPT) 786 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID; 787 if (saveit) { 788 struct key_info *kp = &ki[(dir == TELNET_DIR_ENCRYPT) ? 0 : 1]; 789 (void) memcpy(kp->keyid, keyid, keylen); 790 kp->keylen = keylen; 791 } 792 793 for (strp = &str_keyid[4]; keylen > 0; --keylen) { 794 if ((*strp++ = *keyid++) == IAC) 795 *strp++ = IAC; 796 } 797 *strp++ = IAC; 798 *strp++ = SE; 799 (void) net_write(str_keyid, strp - str_keyid); 800 printsub('>', &str_keyid[2], strp - str_keyid - 2); 801 } 802 803 void 804 encrypt_auto(int on) 805 { 806 autoencrypt = (on < 0) ? !autoencrypt : 807 (on > 0) ? B_TRUE : B_FALSE; 808 } 809 810 void 811 decrypt_auto(int on) 812 { 813 autodecrypt = (on < 0) ? !autodecrypt : 814 (on > 0) ? B_TRUE : B_FALSE; 815 } 816 817 static void 818 encrypt_start_output(int type) 819 { 820 Encryptions *ep; 821 register uchar_t *p; 822 register int i; 823 824 if (!(ep = findencryption(type))) { 825 if (encrypt_debug_mode) { 826 (void) printf(gettext( 827 ">>>%s: Can't encrypt with type %s (%d)\r\n"), 828 Name, ENCTYPE_NAME_OK(type) ? 829 ENCTYPE_NAME(type) : UNKNOWN, type); 830 } 831 return; 832 } 833 if (ep->start) { 834 i = (*ep->start)(TELNET_DIR_ENCRYPT); 835 if (encrypt_debug_mode) { 836 (void) printf(gettext( 837 ">>>%s: Encrypt start: %s (%d) %s\r\n"), 838 Name, (i < 0) ? 839 gettext("failed") : 840 gettext("initial negotiation in progress"), 841 i, ENCTYPE_NAME(type)); 842 } 843 if (i) 844 return; 845 } 846 p = str_start + 3; 847 *p++ = ENCRYPT_START; 848 for (i = 0; i < ki[KI_ENCRYPT].keylen; ++i) { 849 if ((*p++ = ki[KI_ENCRYPT].keyid[i]) == IAC) 850 *p++ = IAC; 851 } 852 *p++ = IAC; 853 *p++ = SE; 854 (void) net_write(str_start, p - str_start); 855 net_encrypt(); 856 printsub('>', &str_start[2], p - &str_start[2]); 857 /* 858 * If we are already encrypting in some mode, then 859 * encrypt the ring (which includes our request) in 860 * the old mode, mark it all as "clear text" and then 861 * switch to the new mode. 862 */ 863 encrypt_output = ep->output; 864 encrypt_mode = type; 865 if (encrypt_debug_mode) 866 (void) printf(gettext( 867 ">>>%s: Started to encrypt output with type %s\r\n"), 868 Name, ENCTYPE_NAME(type)); 869 if (encrypt_verbose) 870 (void) printf(gettext( 871 "[ Output is now encrypted with type %s ]\r\n"), 872 ENCTYPE_NAME(type)); 873 } 874 875 static void 876 encrypt_send_end(void) 877 { 878 if (!encrypt_output) 879 return; 880 881 str_end[3] = ENCRYPT_END; 882 (void) net_write(str_end, sizeof (str_end)); 883 net_encrypt(); 884 printsub('>', &str_end[2], sizeof (str_end) - 2); 885 /* 886 * Encrypt the output buffer now because it will not be done by 887 * netflush... 888 */ 889 encrypt_output = 0; 890 if (encrypt_debug_mode) 891 (void) printf(gettext( 892 ">>>%s: Output is back to clear text\r\n"), Name); 893 if (encrypt_verbose) 894 (void) printf(gettext("[ Output is now clear text ]\r\n")); 895 } 896 897 static void 898 encrypt_send_request_start(void) 899 { 900 register uchar_t *p; 901 register int i; 902 903 p = &str_start[3]; 904 *p++ = ENCRYPT_REQSTART; 905 for (i = 0; i < ki[KI_DECRYPT].keylen; ++i) { 906 if ((*p++ = ki[KI_DECRYPT].keyid[i]) == IAC) 907 *p++ = IAC; 908 } 909 *p++ = IAC; 910 *p++ = SE; 911 (void) net_write(str_start, p - str_start); 912 printsub('>', &str_start[2], p - &str_start[2]); 913 if (encrypt_debug_mode) 914 (void) printf(gettext( 915 ">>>%s: Request input to be encrypted\r\n"), Name); 916 } 917 918 static void 919 encrypt_send_request_end(void) 920 { 921 str_end[3] = ENCRYPT_REQEND; 922 (void) net_write(str_end, sizeof (str_end)); 923 printsub('>', &str_end[2], sizeof (str_end) - 2); 924 925 if (encrypt_debug_mode) 926 (void) printf(gettext( 927 ">>>%s: Request input to be clear text\r\n"), Name); 928 } 929 930 boolean_t 931 encrypt_is_encrypting(void) 932 { 933 return (encrypt_output && decrypt_input ? B_TRUE : B_FALSE); 934 } 935 936 static void 937 encrypt_gen_printsub(uchar_t *data, int cnt, uchar_t *buf, int buflen) 938 { 939 char lbuf[ENCR_LBUF_BUFSIZ], *cp; 940 941 if (cnt < 2 || buflen < 2) 942 return; 943 cnt -= 2; 944 data += 2; 945 buf[buflen-1] = '\0'; 946 buf[buflen-2] = '*'; 947 buflen -= 2; 948 for (; cnt > 0; cnt--, data++) { 949 (void) snprintf(lbuf, ENCR_LBUF_BUFSIZ, " %d", *data); 950 for (cp = lbuf; *cp && buflen > 0; --buflen) 951 *buf++ = *cp++; 952 if (buflen <= 0) 953 return; 954 } 955 *buf = '\0'; 956 } 957 958 void 959 encrypt_printsub(uchar_t *data, int cnt, uchar_t *buf, int buflen) 960 { 961 Encryptions *ep; 962 register int type = data[1]; 963 964 for (ep = encryptions; ep->type && ep->type != type; ep++) 965 ; 966 967 if (ep->printsub) 968 (*ep->printsub)(data, cnt, buf, buflen); 969 else 970 encrypt_gen_printsub(data, cnt, buf, buflen); 971 } 972