1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 */
29
30 #include <sys/cdefs.h>
31
32 __FBSDID("$FreeBSD$");
33
34 #ifndef lint
35 #if 0
36 static const char sccsid[] = "@(#)encrypt.c 8.2 (Berkeley) 5/30/95";
37 #endif
38 #endif /* not lint */
39
40 /*
41 * Copyright (C) 1990 by the Massachusetts Institute of Technology
42 *
43 * Export of this software from the United States of America is assumed
44 * to require a specific license from the United States Government.
45 * It is the responsibility of any person or organization contemplating
46 * export to obtain such a license before exporting.
47 *
48 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
49 * distribute this software and its documentation for any purpose and
50 * without fee is hereby granted, provided that the above copyright
51 * notice appear in all copies and that both that copyright notice and
52 * this permission notice appear in supporting documentation, and that
53 * the name of M.I.T. not be used in advertising or publicity pertaining
54 * to distribution of the software without specific, written prior
55 * permission. M.I.T. makes no representations about the suitability of
56 * this software for any purpose. It is provided "as is" without express
57 * or implied warranty.
58 */
59
60 #ifdef ENCRYPTION
61
62 #include <sys/types.h>
63 #define ENCRYPT_NAMES
64 #include <arpa/telnet.h>
65 #include <stdio.h>
66 #include <stdlib.h>
67 #include <string.h>
68
69 #include "encrypt.h"
70 #include "misc.h"
71
72 /*
73 * These functions pointers point to the current routines
74 * for encrypting and decrypting data.
75 */
76 void (*encrypt_output)(unsigned char *, int);
77 int (*decrypt_input)(int);
78
79 int EncryptType(char *type, char *mode);
80 int EncryptStart(char *mode);
81 int EncryptStop(char *mode);
82 int EncryptStartInput(void);
83 int EncryptStartOutput(void);
84 int EncryptStopInput(void);
85 int EncryptStopOutput(void);
86
87 int encrypt_debug_mode = 0;
88 static int decrypt_mode = 0;
89 static int encrypt_mode = 0;
90 static int encrypt_verbose = 0;
91 static int autoencrypt = 0;
92 static int autodecrypt = 0;
93 static int havesessionkey = 0;
94 static int Server = 0;
95 static const char *Name = "Noname";
96
97 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
98
99 static u_long i_support_encrypt = 0
100 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
101 |0;
102 static u_long i_support_decrypt = 0
103 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
104 |0;
105
106 static u_long i_wont_support_encrypt = 0;
107 static u_long i_wont_support_decrypt = 0;
108 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
109 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
110
111 static u_long remote_supports_encrypt = 0;
112 static u_long remote_supports_decrypt = 0;
113
114 static Encryptions encryptions[] = {
115 { "DES_CFB64", ENCTYPE_DES_CFB64,
116 cfb64_encrypt,
117 cfb64_decrypt,
118 cfb64_init,
119 cfb64_start,
120 cfb64_is,
121 cfb64_reply,
122 cfb64_session,
123 cfb64_keyid,
124 cfb64_printsub },
125 { "DES_OFB64", ENCTYPE_DES_OFB64,
126 ofb64_encrypt,
127 ofb64_decrypt,
128 ofb64_init,
129 ofb64_start,
130 ofb64_is,
131 ofb64_reply,
132 ofb64_session,
133 ofb64_keyid,
134 ofb64_printsub },
135 { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
136 };
137
138 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
139 ENCRYPT_SUPPORT };
140 static unsigned char str_suplen = 0;
141 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
142 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
143
144 Encryptions *
findencryption(int type)145 findencryption(int type)
146 {
147 Encryptions *ep = encryptions;
148
149 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
150 return(0);
151 while (ep->type && ep->type != type)
152 ++ep;
153 return(ep->type ? ep : 0);
154 }
155
156 static Encryptions *
finddecryption(int type)157 finddecryption(int type)
158 {
159 Encryptions *ep = encryptions;
160
161 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
162 return(0);
163 while (ep->type && ep->type != type)
164 ++ep;
165 return(ep->type ? ep : 0);
166 }
167
168 #define MAXKEYLEN 64
169
170 static struct key_info {
171 unsigned char keyid[MAXKEYLEN];
172 int keylen;
173 int dir;
174 int *modep;
175 Encryptions *(*getcrypt)(int);
176 } ki[2] = {
177 { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
178 { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
179 };
180
181 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
182
183 void
encrypt_init(const char * name,int server)184 encrypt_init(const char *name, int server)
185 {
186 Encryptions *ep = encryptions;
187
188 Name = name;
189 Server = server;
190 i_support_encrypt = i_support_decrypt = 0;
191 remote_supports_encrypt = remote_supports_decrypt = 0;
192 encrypt_mode = 0;
193 decrypt_mode = 0;
194 encrypt_output = 0;
195 decrypt_input = 0;
196
197 str_suplen = 4;
198
199 while (ep->type) {
200 if (encrypt_debug_mode)
201 printf(">>>%s: I will support %s\r\n",
202 Name, ENCTYPE_NAME(ep->type));
203 i_support_encrypt |= typemask(ep->type);
204 i_support_decrypt |= typemask(ep->type);
205 if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
206 if ((str_send[str_suplen++] = ep->type) == IAC)
207 str_send[str_suplen++] = IAC;
208 if (ep->init)
209 (*ep->init)(Server);
210 ++ep;
211 }
212 str_send[str_suplen++] = IAC;
213 str_send[str_suplen++] = SE;
214 }
215
216 static void
encrypt_list_types(void)217 encrypt_list_types(void)
218 {
219 Encryptions *ep = encryptions;
220
221 printf("Valid encryption types:\n");
222 while (ep->type) {
223 printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
224 ++ep;
225 }
226 }
227
228 int
EncryptEnable(char * type,char * mode)229 EncryptEnable(char *type, char *mode)
230 {
231 if (isprefix(type, "help") || isprefix(type, "?")) {
232 printf("Usage: encrypt enable <type> [input|output]\n");
233 encrypt_list_types();
234 return(0);
235 }
236 if (EncryptType(type, mode))
237 return(EncryptStart(mode));
238 return(0);
239 }
240
241 int
EncryptDisable(char * type,char * mode)242 EncryptDisable(char *type, char *mode)
243 {
244 Encryptions *ep;
245 int ret = 0;
246
247 if (isprefix(type, "help") || isprefix(type, "?")) {
248 printf("Usage: encrypt disable <type> [input|output]\n");
249 encrypt_list_types();
250 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
251 sizeof(Encryptions))) == 0) {
252 printf("%s: invalid encryption type\n", type);
253 } else if (Ambiguous((char **)ep)) {
254 printf("Ambiguous type '%s'\n", type);
255 } else {
256 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
257 if (decrypt_mode == ep->type)
258 EncryptStopInput();
259 i_wont_support_decrypt |= typemask(ep->type);
260 ret = 1;
261 }
262 if ((mode == 0) || (isprefix(mode, "output"))) {
263 if (encrypt_mode == ep->type)
264 EncryptStopOutput();
265 i_wont_support_encrypt |= typemask(ep->type);
266 ret = 1;
267 }
268 if (ret == 0)
269 printf("%s: invalid encryption mode\n", mode);
270 }
271 return(ret);
272 }
273
274 int
EncryptType(char * type,char * mode)275 EncryptType(char *type, char *mode)
276 {
277 Encryptions *ep;
278 int ret = 0;
279
280 if (isprefix(type, "help") || isprefix(type, "?")) {
281 printf("Usage: encrypt type <type> [input|output]\n");
282 encrypt_list_types();
283 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
284 sizeof(Encryptions))) == 0) {
285 printf("%s: invalid encryption type\n", type);
286 } else if (Ambiguous((char **)ep)) {
287 printf("Ambiguous type '%s'\n", type);
288 } else {
289 if ((mode == 0) || isprefix(mode, "input")) {
290 decrypt_mode = ep->type;
291 i_wont_support_decrypt &= ~typemask(ep->type);
292 ret = 1;
293 }
294 if ((mode == 0) || isprefix(mode, "output")) {
295 encrypt_mode = ep->type;
296 i_wont_support_encrypt &= ~typemask(ep->type);
297 ret = 1;
298 }
299 if (ret == 0)
300 printf("%s: invalid encryption mode\n", mode);
301 }
302 return(ret);
303 }
304
305 int
EncryptStart(char * mode)306 EncryptStart(char *mode)
307 {
308 int ret = 0;
309 if (mode) {
310 if (isprefix(mode, "input"))
311 return(EncryptStartInput());
312 if (isprefix(mode, "output"))
313 return(EncryptStartOutput());
314 if (isprefix(mode, "help") || isprefix(mode, "?")) {
315 printf("Usage: encrypt start [input|output]\n");
316 return(0);
317 }
318 printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
319 return(0);
320 }
321 ret += EncryptStartInput();
322 ret += EncryptStartOutput();
323 return(ret);
324 }
325
326 int
EncryptStartInput(void)327 EncryptStartInput(void)
328 {
329 if (decrypt_mode) {
330 encrypt_send_request_start();
331 return(1);
332 }
333 printf("No previous decryption mode, decryption not enabled\r\n");
334 return(0);
335 }
336
337 int
EncryptStartOutput(void)338 EncryptStartOutput(void)
339 {
340 if (encrypt_mode) {
341 encrypt_start_output(encrypt_mode);
342 return(1);
343 }
344 printf("No previous encryption mode, encryption not enabled\r\n");
345 return(0);
346 }
347
348 int
EncryptStop(char * mode)349 EncryptStop(char *mode)
350 {
351 int ret = 0;
352 if (mode) {
353 if (isprefix(mode, "input"))
354 return(EncryptStopInput());
355 if (isprefix(mode, "output"))
356 return(EncryptStopOutput());
357 if (isprefix(mode, "help") || isprefix(mode, "?")) {
358 printf("Usage: encrypt stop [input|output]\n");
359 return(0);
360 }
361 printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
362 return(0);
363 }
364 ret += EncryptStopInput();
365 ret += EncryptStopOutput();
366 return(ret);
367 }
368
369 int
EncryptStopInput(void)370 EncryptStopInput(void)
371 {
372 encrypt_send_request_end();
373 return(1);
374 }
375
376 int
EncryptStopOutput(void)377 EncryptStopOutput(void)
378 {
379 encrypt_send_end();
380 return(1);
381 }
382
383 void
encrypt_display(void)384 encrypt_display(void)
385 {
386 if (encrypt_output)
387 printf("Currently encrypting output with %s\r\n",
388 ENCTYPE_NAME(encrypt_mode));
389 if (decrypt_input)
390 printf("Currently decrypting input with %s\r\n",
391 ENCTYPE_NAME(decrypt_mode));
392 }
393
394 int
EncryptStatus(void)395 EncryptStatus(void)
396 {
397 if (encrypt_output)
398 printf("Currently encrypting output with %s\r\n",
399 ENCTYPE_NAME(encrypt_mode));
400 else if (encrypt_mode) {
401 printf("Currently output is clear text.\r\n");
402 printf("Last encryption mode was %s\r\n",
403 ENCTYPE_NAME(encrypt_mode));
404 }
405 if (decrypt_input) {
406 printf("Currently decrypting input with %s\r\n",
407 ENCTYPE_NAME(decrypt_mode));
408 } else if (decrypt_mode) {
409 printf("Currently input is clear text.\r\n");
410 printf("Last decryption mode was %s\r\n",
411 ENCTYPE_NAME(decrypt_mode));
412 }
413 return 1;
414 }
415
416 void
encrypt_send_support(void)417 encrypt_send_support(void)
418 {
419 if (str_suplen) {
420 /*
421 * If the user has requested that decryption start
422 * immediatly, then send a "REQUEST START" before
423 * we negotiate the type.
424 */
425 if (!Server && autodecrypt)
426 encrypt_send_request_start();
427 net_write(str_send, str_suplen);
428 printsub('>', &str_send[2], str_suplen - 2);
429 str_suplen = 0;
430 }
431 }
432
433 int
EncryptDebug(int on)434 EncryptDebug(int on)
435 {
436 if (on < 0)
437 encrypt_debug_mode ^= 1;
438 else
439 encrypt_debug_mode = on;
440 printf("Encryption debugging %s\r\n",
441 encrypt_debug_mode ? "enabled" : "disabled");
442 return(1);
443 }
444
445 int
EncryptVerbose(int on)446 EncryptVerbose(int on)
447 {
448 if (on < 0)
449 encrypt_verbose ^= 1;
450 else
451 encrypt_verbose = on;
452 printf("Encryption %s verbose\r\n",
453 encrypt_verbose ? "is" : "is not");
454 return(1);
455 }
456
457 int
EncryptAutoEnc(int on)458 EncryptAutoEnc(int on)
459 {
460 encrypt_auto(on);
461 printf("Automatic encryption of output is %s\r\n",
462 autoencrypt ? "enabled" : "disabled");
463 return(1);
464 }
465
466 int
EncryptAutoDec(int on)467 EncryptAutoDec(int on)
468 {
469 decrypt_auto(on);
470 printf("Automatic decryption of input is %s\r\n",
471 autodecrypt ? "enabled" : "disabled");
472 return(1);
473 }
474
475 /*
476 * Called when ENCRYPT SUPPORT is received.
477 */
478 void
encrypt_support(unsigned char * typelist,int cnt)479 encrypt_support(unsigned char *typelist, int cnt)
480 {
481 int type, use_type = 0;
482 Encryptions *ep;
483
484 /*
485 * Forget anything the other side has previously told us.
486 */
487 remote_supports_decrypt = 0;
488
489 while (cnt-- > 0) {
490 type = *typelist++;
491 if (encrypt_debug_mode)
492 printf(">>>%s: He is supporting %s (%d)\r\n",
493 Name,
494 ENCTYPE_NAME(type), type);
495 if ((type < ENCTYPE_CNT) &&
496 (I_SUPPORT_ENCRYPT & typemask(type))) {
497 remote_supports_decrypt |= typemask(type);
498 if (use_type == 0)
499 use_type = type;
500 }
501 }
502 if (use_type) {
503 ep = findencryption(use_type);
504 if (!ep)
505 return;
506 type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
507 if (encrypt_debug_mode)
508 printf(">>>%s: (*ep->start)() returned %d\r\n",
509 Name, type);
510 if (type < 0)
511 return;
512 encrypt_mode = use_type;
513 if (type == 0)
514 encrypt_start_output(use_type);
515 }
516 }
517
518 void
encrypt_is(unsigned char * data,int cnt)519 encrypt_is(unsigned char *data, int cnt)
520 {
521 Encryptions *ep;
522 int type, ret;
523
524 if (--cnt < 0)
525 return;
526 type = *data++;
527 if (type < ENCTYPE_CNT)
528 remote_supports_encrypt |= typemask(type);
529 if (!(ep = finddecryption(type))) {
530 if (encrypt_debug_mode)
531 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
532 Name,
533 ENCTYPE_NAME_OK(type)
534 ? ENCTYPE_NAME(type) : "(unknown)",
535 type);
536 return;
537 }
538 if (!ep->is) {
539 if (encrypt_debug_mode)
540 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
541 Name,
542 ENCTYPE_NAME_OK(type)
543 ? ENCTYPE_NAME(type) : "(unknown)",
544 type);
545 ret = 0;
546 } else {
547 ret = (*ep->is)(data, cnt);
548 if (encrypt_debug_mode)
549 printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
550 (ret < 0) ? "FAIL " :
551 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
552 }
553 if (ret < 0) {
554 autodecrypt = 0;
555 } else {
556 decrypt_mode = type;
557 if (ret == 0 && autodecrypt)
558 encrypt_send_request_start();
559 }
560 }
561
562 void
encrypt_reply(unsigned char * data,int cnt)563 encrypt_reply(unsigned char *data, int cnt)
564 {
565 Encryptions *ep;
566 int ret, type;
567
568 if (--cnt < 0)
569 return;
570 type = *data++;
571 if (!(ep = findencryption(type))) {
572 if (encrypt_debug_mode)
573 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
574 Name,
575 ENCTYPE_NAME_OK(type)
576 ? ENCTYPE_NAME(type) : "(unknown)",
577 type);
578 return;
579 }
580 if (!ep->reply) {
581 if (encrypt_debug_mode)
582 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
583 Name,
584 ENCTYPE_NAME_OK(type)
585 ? ENCTYPE_NAME(type) : "(unknown)",
586 type);
587 ret = 0;
588 } else {
589 ret = (*ep->reply)(data, cnt);
590 if (encrypt_debug_mode)
591 printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
592 data, cnt,
593 (ret < 0) ? "FAIL " :
594 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
595 }
596 if (encrypt_debug_mode)
597 printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
598 if (ret < 0) {
599 autoencrypt = 0;
600 } else {
601 encrypt_mode = type;
602 if (ret == 0 && autoencrypt)
603 encrypt_start_output(type);
604 }
605 }
606
607 /*
608 * Called when a ENCRYPT START command is received.
609 */
610 void
encrypt_start(unsigned char * data __unused,int cnt __unused)611 encrypt_start(unsigned char *data __unused, int cnt __unused)
612 {
613 Encryptions *ep;
614
615 if (!decrypt_mode) {
616 /*
617 * Something is wrong. We should not get a START
618 * command without having already picked our
619 * decryption scheme. Send a REQUEST-END to
620 * attempt to clear the channel...
621 */
622 printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
623 encrypt_send_request_end();
624 return;
625 }
626
627 if ((ep = finddecryption(decrypt_mode))) {
628 decrypt_input = ep->input;
629 if (encrypt_verbose)
630 printf("[ Input is now decrypted with type %s ]\r\n",
631 ENCTYPE_NAME(decrypt_mode));
632 if (encrypt_debug_mode)
633 printf(">>>%s: Start to decrypt input with type %s\r\n",
634 Name, ENCTYPE_NAME(decrypt_mode));
635 } else {
636 printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
637 Name,
638 ENCTYPE_NAME_OK(decrypt_mode)
639 ? ENCTYPE_NAME(decrypt_mode)
640 : "(unknown)",
641 decrypt_mode);
642 encrypt_send_request_end();
643 }
644 }
645
646 void
encrypt_session_key(Session_Key * key,int server)647 encrypt_session_key( Session_Key *key, int server)
648 {
649 Encryptions *ep = encryptions;
650
651 havesessionkey = 1;
652
653 while (ep->type) {
654 if (ep->session)
655 (*ep->session)(key, server);
656 ++ep;
657 }
658 }
659
660 /*
661 * Called when ENCRYPT END is received.
662 */
663 void
encrypt_end(void)664 encrypt_end(void)
665 {
666 decrypt_input = 0;
667 if (encrypt_debug_mode)
668 printf(">>>%s: Input is back to clear text\r\n", Name);
669 if (encrypt_verbose)
670 printf("[ Input is now clear text ]\r\n");
671 }
672
673 /*
674 * Called when ENCRYPT REQUEST-END is received.
675 */
676 void
encrypt_request_end(void)677 encrypt_request_end(void)
678 {
679 encrypt_send_end();
680 }
681
682 /*
683 * Called when ENCRYPT REQUEST-START is received. If we receive
684 * this before a type is picked, then that indicates that the
685 * other side wants us to start encrypting data as soon as we
686 * can.
687 */
688 void
encrypt_request_start(unsigned char * data __unused,int cnt __unused)689 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
690 {
691 if (encrypt_mode == 0) {
692 if (Server)
693 autoencrypt = 1;
694 return;
695 }
696 encrypt_start_output(encrypt_mode);
697 }
698
699 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
700
701 void
encrypt_enc_keyid(unsigned char * keyid,int len)702 encrypt_enc_keyid(unsigned char *keyid, int len)
703 {
704 encrypt_keyid(&ki[1], keyid, len);
705 }
706
707 void
encrypt_dec_keyid(unsigned char * keyid,int len)708 encrypt_dec_keyid(unsigned char *keyid, int len)
709 {
710 encrypt_keyid(&ki[0], keyid, len);
711 }
712
713 void
encrypt_keyid(struct key_info * kp,unsigned char * keyid,int len)714 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
715 {
716 Encryptions *ep;
717 int dir = kp->dir;
718 int ret = 0;
719
720 if (len > MAXKEYLEN)
721 len = MAXKEYLEN;
722
723 if (!(ep = (*kp->getcrypt)(*kp->modep))) {
724 if (len == 0)
725 return;
726 kp->keylen = 0;
727 } else if (len == 0) {
728 /*
729 * Empty option, indicates a failure.
730 */
731 if (kp->keylen == 0)
732 return;
733 kp->keylen = 0;
734 if (ep->keyid)
735 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
736
737 } else if ((len != kp->keylen) ||
738 (memcmp(keyid, kp->keyid, len) != 0)) {
739 /*
740 * Length or contents are different
741 */
742 kp->keylen = len;
743 memmove(kp->keyid, keyid, len);
744 if (ep->keyid)
745 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
746 } else {
747 if (ep->keyid)
748 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
749 if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
750 encrypt_start_output(*kp->modep);
751 return;
752 }
753
754 encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
755 }
756
757 void
encrypt_send_keyid(int dir,const char * keyid,int keylen,int saveit)758 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
759 {
760 unsigned char *strp;
761
762 str_keyid[3] = (dir == DIR_ENCRYPT)
763 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
764 if (saveit) {
765 struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
766 memmove(kp->keyid, keyid, keylen);
767 kp->keylen = keylen;
768 }
769
770 for (strp = &str_keyid[4]; keylen > 0; --keylen) {
771 if ((*strp++ = *keyid++) == IAC)
772 *strp++ = IAC;
773 }
774 *strp++ = IAC;
775 *strp++ = SE;
776 net_write(str_keyid, strp - str_keyid);
777 printsub('>', &str_keyid[2], strp - str_keyid - 2);
778 }
779
780 void
encrypt_auto(int on)781 encrypt_auto(int on)
782 {
783 if (on < 0)
784 autoencrypt ^= 1;
785 else
786 autoencrypt = on ? 1 : 0;
787 }
788
789 void
decrypt_auto(int on)790 decrypt_auto(int on)
791 {
792 if (on < 0)
793 autodecrypt ^= 1;
794 else
795 autodecrypt = on ? 1 : 0;
796 }
797
798 void
encrypt_start_output(int type)799 encrypt_start_output(int type)
800 {
801 Encryptions *ep;
802 unsigned char *p;
803 int i;
804
805 if (!(ep = findencryption(type))) {
806 if (encrypt_debug_mode) {
807 printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
808 Name,
809 ENCTYPE_NAME_OK(type)
810 ? ENCTYPE_NAME(type) : "(unknown)",
811 type);
812 }
813 return;
814 }
815 if (ep->start) {
816 i = (*ep->start)(DIR_ENCRYPT, Server);
817 if (encrypt_debug_mode) {
818 printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
819 Name,
820 (i < 0) ? "failed" :
821 "initial negotiation in progress",
822 i, ENCTYPE_NAME(type));
823 }
824 if (i)
825 return;
826 }
827 p = str_start + 3;
828 *p++ = ENCRYPT_START;
829 for (i = 0; i < ki[0].keylen; ++i) {
830 if ((*p++ = ki[0].keyid[i]) == IAC)
831 *p++ = IAC;
832 }
833 *p++ = IAC;
834 *p++ = SE;
835 net_write(str_start, p - str_start);
836 net_encrypt();
837 printsub('>', &str_start[2], p - &str_start[2]);
838 /*
839 * If we are already encrypting in some mode, then
840 * encrypt the ring (which includes our request) in
841 * the old mode, mark it all as "clear text" and then
842 * switch to the new mode.
843 */
844 encrypt_output = ep->output;
845 encrypt_mode = type;
846 if (encrypt_debug_mode)
847 printf(">>>%s: Started to encrypt output with type %s\r\n",
848 Name, ENCTYPE_NAME(type));
849 if (encrypt_verbose)
850 printf("[ Output is now encrypted with type %s ]\r\n",
851 ENCTYPE_NAME(type));
852 }
853
854 void
encrypt_send_end(void)855 encrypt_send_end(void)
856 {
857 if (!encrypt_output)
858 return;
859
860 str_end[3] = ENCRYPT_END;
861 net_write(str_end, sizeof(str_end));
862 net_encrypt();
863 printsub('>', &str_end[2], sizeof(str_end) - 2);
864 /*
865 * Encrypt the output buffer now because it will not be done by
866 * netflush...
867 */
868 encrypt_output = 0;
869 if (encrypt_debug_mode)
870 printf(">>>%s: Output is back to clear text\r\n", Name);
871 if (encrypt_verbose)
872 printf("[ Output is now clear text ]\r\n");
873 }
874
875 void
encrypt_send_request_start(void)876 encrypt_send_request_start(void)
877 {
878 unsigned char *p;
879 int i;
880
881 p = &str_start[3];
882 *p++ = ENCRYPT_REQSTART;
883 for (i = 0; i < ki[1].keylen; ++i) {
884 if ((*p++ = ki[1].keyid[i]) == IAC)
885 *p++ = IAC;
886 }
887 *p++ = IAC;
888 *p++ = SE;
889 net_write(str_start, p - str_start);
890 printsub('>', &str_start[2], p - &str_start[2]);
891 if (encrypt_debug_mode)
892 printf(">>>%s: Request input to be encrypted\r\n", Name);
893 }
894
895 void
encrypt_send_request_end(void)896 encrypt_send_request_end(void)
897 {
898 str_end[3] = ENCRYPT_REQEND;
899 net_write(str_end, sizeof(str_end));
900 printsub('>', &str_end[2], sizeof(str_end) - 2);
901
902 if (encrypt_debug_mode)
903 printf(">>>%s: Request input to be clear text\r\n", Name);
904 }
905
906 void
encrypt_wait(void)907 encrypt_wait(void)
908 {
909 if (encrypt_debug_mode)
910 printf(">>>%s: in encrypt_wait\r\n", Name);
911 if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
912 return;
913 while (autoencrypt && !encrypt_output)
914 if (telnet_spin())
915 return;
916 }
917
918 void
encrypt_gen_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)919 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
920 {
921 char tbuf[16], *cp;
922
923 cnt -= 2;
924 data += 2;
925 buf[buflen-1] = '\0';
926 buf[buflen-2] = '*';
927 buflen -= 2;;
928 for (; cnt > 0; cnt--, data++) {
929 sprintf(tbuf, " %d", *data);
930 for (cp = tbuf; *cp && buflen > 0; --buflen)
931 *buf++ = *cp++;
932 if (buflen <= 0)
933 return;
934 }
935 *buf = '\0';
936 }
937
938 void
encrypt_printsub(unsigned char * data,int cnt,unsigned char * buf,int buflen)939 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
940 {
941 Encryptions *ep;
942 int type = data[1];
943
944 for (ep = encryptions; ep->type && ep->type != type; ep++)
945 ;
946
947 if (ep->printsub)
948 (*ep->printsub)(data, cnt, buf, buflen);
949 else
950 encrypt_gen_printsub(data, cnt, buf, buflen);
951 }
952 #endif /* ENCRYPTION */
953