1 /*-
2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
4 *
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 /* based on @(#)encrypt.c 8.1 (Berkeley) 6/4/93 */
35
36 /*
37 * Copyright (C) 1990 by the Massachusetts Institute of Technology
38 *
39 * Export of this software from the United States of America may
40 * require a specific license from the United States Government.
41 * It is the responsibility of any person or organization contemplating
42 * export to obtain such a license before exporting.
43 *
44 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
45 * distribute this software and its documentation for any purpose and
46 * without fee is hereby granted, provided that the above copyright
47 * notice appear in all copies and that both that copyright notice and
48 * this permission notice appear in supporting documentation, and that
49 * the name of M.I.T. not be used in advertising or publicity pertaining
50 * to distribution of the software without specific, written prior
51 * permission. Furthermore if you modify this software you must label
52 * your software as modified software and not distribute it in such a
53 * fashion that it might be confused with the original M.I.T. software.
54 * M.I.T. makes no representations about the suitability of
55 * this software for any purpose. It is provided "as is" without express
56 * or implied warranty.
57 */
58
59 #include <autoconf.h>
60
61 #ifdef ENCRYPTION
62
63 #include <stdio.h>
64 #define ENCRYPT_NAMES
65 #include <arpa/telnet.h>
66
67 #include "encrypt.h"
68 #include "misc.h"
69
70 #ifdef __STDC__
71 #include <stdlib.h>
72 #endif
73 #ifdef HAVE_STRING_H
74 #include <string.h>
75 #else
76 #include <strings.h>
77 #endif
78
79 /*
80 * These functions pointers point to the current routines
81 * for encrypting and decrypting data.
82 */
83 void (*encrypt_output) (unsigned char *, int);
84 int (*decrypt_input) (int);
85
86 int encrypt_debug_mode = 0;
87 static int decrypt_mode = 0;
88 static int encrypt_mode = 0;
89 static int encrypt_verbose = 0;
90 static int autoencrypt = 0;
91 static int autodecrypt = 0;
92 static int havesessionkey = 0;
93 static int Server = 0;
94 static char *Name = "Noname";
95
96 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
97
98 static long i_support_encrypt = typemask(ENCTYPE_DES_CFB64)
99 | typemask(ENCTYPE_DES_OFB64);
100 static long i_support_decrypt = typemask(ENCTYPE_DES_CFB64)
101 | typemask(ENCTYPE_DES_OFB64);
102 static long i_wont_support_encrypt = 0;
103 static long i_wont_support_decrypt = 0;
104 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
105 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
106
107 static long remote_supports_encrypt = 0;
108 static long remote_supports_decrypt = 0;
109
110 static Encryptions encryptions[] = {
111 #ifdef DES_ENCRYPTION
112 { "DES_CFB64", ENCTYPE_DES_CFB64,
113 cfb64_encrypt,
114 cfb64_decrypt,
115 cfb64_init,
116 cfb64_start,
117 cfb64_is,
118 cfb64_reply,
119 cfb64_session,
120 cfb64_keyid,
121 cfb64_printsub },
122 { "DES_OFB64", ENCTYPE_DES_OFB64,
123 ofb64_encrypt,
124 ofb64_decrypt,
125 ofb64_init,
126 ofb64_start,
127 ofb64_is,
128 ofb64_reply,
129 ofb64_session,
130 ofb64_keyid,
131 ofb64_printsub },
132 #endif /* DES_ENCRYPTION */
133 { 0, },
134 };
135
136 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
137 ENCRYPT_SUPPORT };
138 static unsigned char str_suplen = 0;
139 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
140 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
141
142 Encryptions *
findencryption(type)143 findencryption(type)
144 int type;
145 {
146 Encryptions *ep = encryptions;
147
148 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
149 return(0);
150 while (ep->type && ep->type != type)
151 ++ep;
152 return(ep->type ? ep : 0);
153 }
154
155 Encryptions *
finddecryption(type)156 finddecryption(type)
157 int type;
158 {
159 Encryptions *ep = encryptions;
160
161 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
162 return(0);
163 while (ep->type && ep->type != type)
164 ++ep;
165 return(ep->type ? ep : 0);
166 }
167
168 #define MAXKEYLEN 64
169
170 static struct key_info {
171 unsigned char keyid[MAXKEYLEN];
172 int keylen;
173 int dir;
174 int *modep;
175 Encryptions *(*getcrypt)();
176 } ki[2] = {
177 { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
178 { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
179 };
180
181 void
encrypt_init(name,server)182 encrypt_init(name, server)
183 char *name;
184 int server;
185 {
186 Encryptions *ep = encryptions;
187
188 Name = name;
189 Server = server;
190 i_support_encrypt = i_support_decrypt = 0;
191 remote_supports_encrypt = remote_supports_decrypt = 0;
192 encrypt_mode = 0;
193 decrypt_mode = 0;
194 encrypt_output = 0;
195 decrypt_input = 0;
196 #ifdef notdef
197 encrypt_verbose = !server;
198 #endif
199
200 str_suplen = 4;
201
202 while (ep->type) {
203 if (encrypt_debug_mode)
204 printf(">>>%s: I will support %s\r\n",
205 Name, ENCTYPE_NAME(ep->type));
206 i_support_encrypt |= typemask(ep->type);
207 i_support_decrypt |= typemask(ep->type);
208 if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
209 if ((str_send[str_suplen++] = ep->type) == IAC)
210 str_send[str_suplen++] = IAC;
211 if (ep->init)
212 (*ep->init)(Server);
213 ++ep;
214 }
215 str_send[str_suplen++] = IAC;
216 str_send[str_suplen++] = SE;
217 }
218
219 static void
encrypt_list_types()220 encrypt_list_types()
221 {
222 Encryptions *ep = encryptions;
223
224 printf("Valid encryption types:\n");
225 while (ep->type) {
226 printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
227 ++ep;
228 }
229 }
230
231 int
EncryptEnable(type,mode)232 EncryptEnable(type, mode)
233 char *type, *mode;
234 {
235 if (isprefix(type, "help") || isprefix(type, "?")) {
236 printf("Usage: encrypt enable <type> [input|output]\n");
237 encrypt_list_types();
238 return(0);
239 }
240 if (EncryptType(type, mode))
241 return(EncryptStart(mode));
242 return(0);
243 }
244
245 int
EncryptDisable(type,mode)246 EncryptDisable(type, mode)
247 char *type, *mode;
248 {
249 register Encryptions *ep;
250 int ret = 0;
251
252 if (isprefix(type, "help") || isprefix(type, "?")) {
253 printf("Usage: encrypt disable <type> [input|output]\n");
254 encrypt_list_types();
255 } else if ((ep = (Encryptions *)genget(type, (char **) encryptions,
256 sizeof(Encryptions))) == 0) {
257 printf("%s: invalid encryption type\n", type);
258 } else if (Ambiguous(ep)) {
259 printf("Ambiguous type '%s'\n", type);
260 } else {
261 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
262 if (decrypt_mode == ep->type)
263 EncryptStopInput();
264 i_wont_support_decrypt |= typemask(ep->type);
265 ret = 1;
266 }
267 if ((mode == 0) || (isprefix(mode, "output"))) {
268 if (encrypt_mode == ep->type)
269 EncryptStopOutput();
270 i_wont_support_encrypt |= typemask(ep->type);
271 ret = 1;
272 }
273 if (ret == 0)
274 printf("%s: invalid encryption mode\n", mode);
275 }
276 return(ret);
277 }
278
279 int
EncryptType(type,mode)280 EncryptType(type, mode)
281 char *type;
282 char *mode;
283 {
284 register Encryptions *ep;
285 int ret = 0;
286
287 if (isprefix(type, "help") || isprefix(type, "?")) {
288 printf("Usage: encrypt type <type> [input|output]\n");
289 encrypt_list_types();
290 } else if ((ep = (Encryptions *)genget(type, (char **) encryptions,
291 sizeof(Encryptions))) == 0) {
292 printf("%s: invalid encryption type\n", type);
293 } else if (Ambiguous(ep)) {
294 printf("Ambiguous type '%s'\n", type);
295 } else {
296 if ((mode == 0) || isprefix(mode, "input")) {
297 decrypt_mode = ep->type;
298 i_wont_support_decrypt &= ~typemask(ep->type);
299 ret = 1;
300 }
301 if ((mode == 0) || isprefix(mode, "output")) {
302 encrypt_mode = ep->type;
303 i_wont_support_encrypt &= ~typemask(ep->type);
304 ret = 1;
305 }
306 if (ret == 0)
307 printf("%s: invalid encryption mode\n", mode);
308 }
309 return(ret);
310 }
311
312 int
EncryptStart(mode)313 EncryptStart(mode)
314 char *mode;
315 {
316 register int ret = 0;
317 if (mode) {
318 if (isprefix(mode, "input"))
319 return(EncryptStartInput());
320 if (isprefix(mode, "output"))
321 return(EncryptStartOutput());
322 if (isprefix(mode, "help") || isprefix(mode, "?")) {
323 printf("Usage: encrypt start [input|output]\n");
324 return(0);
325 }
326 printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
327 return(0);
328 }
329 ret += EncryptStartInput();
330 ret += EncryptStartOutput();
331 return(ret);
332 }
333
334 int
EncryptStartInput()335 EncryptStartInput()
336 {
337 if (decrypt_mode) {
338 encrypt_send_request_start();
339 return(1);
340 }
341 if (!Server)
342 printf("No previous decryption mode, decryption not enabled\r\n");
343 return(0);
344 }
345
346 int
EncryptStartOutput()347 EncryptStartOutput()
348 {
349 if (encrypt_mode) {
350 encrypt_start_output(encrypt_mode);
351 return(1);
352 }
353 if (!Server)
354 printf("No previous encryption mode, encryption not enabled\r\n");
355 return(0);
356 }
357
358 int
EncryptStop(mode)359 EncryptStop(mode)
360 char *mode;
361 {
362 int ret = 0;
363 if (mode) {
364 if (isprefix(mode, "input"))
365 return(EncryptStopInput());
366 if (isprefix(mode, "output"))
367 return(EncryptStopOutput());
368 if (isprefix(mode, "help") || isprefix(mode, "?")) {
369 printf("Usage: encrypt stop [input|output]\n");
370 return(0);
371 }
372 printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
373 return(0);
374 }
375 ret += EncryptStopInput();
376 ret += EncryptStopOutput();
377 return(ret);
378 }
379
380 int
EncryptStopInput()381 EncryptStopInput()
382 {
383 encrypt_send_request_end();
384 return(1);
385 }
386
387 int
EncryptStopOutput()388 EncryptStopOutput()
389 {
390 encrypt_send_end();
391 return(1);
392 }
393
394 void
encrypt_display()395 encrypt_display()
396 {
397 if (encrypt_output)
398 printf("Currently encrypting output with %s\r\n",
399 ENCTYPE_NAME(encrypt_mode));
400 if (decrypt_input)
401 printf("Currently decrypting input with %s\r\n",
402 ENCTYPE_NAME(decrypt_mode));
403 }
404
405 int
EncryptStatus()406 EncryptStatus()
407 {
408 if (encrypt_output)
409 printf("Currently encrypting output with %s\r\n",
410 ENCTYPE_NAME(encrypt_mode));
411 else if (encrypt_mode) {
412 printf("Currently output is clear text.\r\n");
413 printf("Last encryption mode was %s\r\n",
414 ENCTYPE_NAME(encrypt_mode));
415 }
416 if (decrypt_input) {
417 printf("Currently decrypting input with %s\r\n",
418 ENCTYPE_NAME(decrypt_mode));
419 } else if (decrypt_mode) {
420 printf("Currently input is clear text.\r\n");
421 printf("Last decryption mode was %s\r\n",
422 ENCTYPE_NAME(decrypt_mode));
423 }
424 return 1;
425 }
426
427 void
encrypt_send_support()428 encrypt_send_support()
429 {
430 if (str_suplen) {
431 /*
432 * If the user has requested that decryption start
433 * immediatly, then send a "REQUEST START" before
434 * we negotiate the type.
435 */
436 if (!Server && autodecrypt)
437 encrypt_send_request_start();
438 net_write(str_send, str_suplen);
439 printsub('>', &str_send[2], str_suplen - 2);
440 str_suplen = 0;
441 }
442 }
443
444 int
EncryptDebug(on)445 EncryptDebug(on)
446 int on;
447 {
448 if (on < 0)
449 encrypt_debug_mode ^= 1;
450 else
451 encrypt_debug_mode = on;
452 printf("Encryption debugging %s\r\n",
453 encrypt_debug_mode ? "enabled" : "disabled");
454 return(1);
455 }
456
457 int
EncryptVerbose(on)458 EncryptVerbose(on)
459 int on;
460 {
461 if (on < 0)
462 encrypt_verbose ^= 1;
463 else
464 encrypt_verbose = on;
465 printf("Encryption %s verbose\r\n",
466 encrypt_verbose ? "is" : "is not");
467 return(1);
468 }
469
470 int
EncryptAutoEnc(on)471 EncryptAutoEnc(on)
472 int on;
473 {
474 encrypt_auto(on);
475 printf("Automatic encryption of output is %s\r\n",
476 autoencrypt ? "enabled" : "disabled");
477 return(1);
478 }
479
480 int
EncryptAutoDec(on)481 EncryptAutoDec(on)
482 int on;
483 {
484 decrypt_auto(on);
485 printf("Automatic decryption of input is %s\r\n",
486 autodecrypt ? "enabled" : "disabled");
487 return(1);
488 }
489
490 /*
491 * Called when ENCRYPT SUPPORT is received.
492 */
493 void
encrypt_support(typelist,cnt)494 encrypt_support(typelist, cnt)
495 unsigned char *typelist;
496 int cnt;
497 {
498 register int type, use_type = 0;
499 Encryptions *ep;
500
501 /*
502 * Forget anything the other side has previously told us.
503 */
504 remote_supports_decrypt = 0;
505
506 while (cnt-- > 0) {
507 type = *typelist++;
508 if (encrypt_debug_mode)
509 printf(">>>%s: He is supporting %s (%d)\r\n",
510 Name,
511 ENCTYPE_NAME(type), type);
512 if ((type < ENCTYPE_CNT) &&
513 (I_SUPPORT_ENCRYPT & typemask(type))) {
514 remote_supports_decrypt |= typemask(type);
515 if (use_type == 0)
516 use_type = type;
517 }
518 }
519 if (use_type) {
520 ep = findencryption(use_type);
521 if (!ep)
522 return;
523 type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
524 if (encrypt_debug_mode)
525 printf(">>>%s: (*ep->start)() returned %d\r\n",
526 Name, type);
527 if (type < 0)
528 return;
529 encrypt_mode = use_type;
530 if (type == 0)
531 encrypt_start_output(use_type);
532 }
533 }
534
535 void
encrypt_is(data,cnt)536 encrypt_is(data, cnt)
537 unsigned char *data;
538 int cnt;
539 {
540 Encryptions *ep;
541 register int type, ret;
542
543 if (--cnt < 0)
544 return;
545 type = *data++;
546 if (type < ENCTYPE_CNT)
547 remote_supports_encrypt |= typemask(type);
548 if (!(ep = finddecryption(type))) {
549 if (encrypt_debug_mode)
550 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
551 Name,
552 ENCTYPE_NAME_OK(type)
553 ? ENCTYPE_NAME(type) : "(unknown)",
554 type);
555 return;
556 }
557 if (!ep->is) {
558 if (encrypt_debug_mode)
559 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
560 Name,
561 ENCTYPE_NAME_OK(type)
562 ? ENCTYPE_NAME(type) : "(unknown)",
563 type);
564 ret = 0;
565 } else {
566 ret = (*ep->is)(data, cnt);
567 if (encrypt_debug_mode)
568 printf("(*ep->is)(%lx, %d) returned %s(%d)\n",
569 (unsigned long) data, cnt,
570 (ret < 0) ? "FAIL " :
571 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
572 }
573 if (ret < 0) {
574 autodecrypt = 0;
575 } else {
576 decrypt_mode = type;
577 if (ret == 0 && autodecrypt)
578 encrypt_send_request_start();
579 }
580 }
581
582 void
encrypt_reply(data,cnt)583 encrypt_reply(data, cnt)
584 unsigned char *data;
585 int cnt;
586 {
587 Encryptions *ep;
588 register int ret, type;
589
590 if (--cnt < 0)
591 return;
592 type = *data++;
593 if (!(ep = findencryption(type))) {
594 if (encrypt_debug_mode)
595 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
596 Name,
597 ENCTYPE_NAME_OK(type)
598 ? ENCTYPE_NAME(type) : "(unknown)",
599 type);
600 return;
601 }
602 if (!ep->reply) {
603 if (encrypt_debug_mode)
604 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
605 Name,
606 ENCTYPE_NAME_OK(type)
607 ? ENCTYPE_NAME(type) : "(unknown)",
608 type);
609 ret = 0;
610 } else {
611 ret = (*ep->reply)(data, cnt);
612 if (encrypt_debug_mode)
613 printf("(*ep->reply)(%lx, %d) returned %s(%d)\n",
614 (unsigned long) data, cnt,
615 (ret < 0) ? "FAIL " :
616 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
617 }
618 if (encrypt_debug_mode)
619 printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
620 if (ret < 0) {
621 autoencrypt = 0;
622 } else {
623 encrypt_mode = type;
624 if (ret == 0 && autoencrypt)
625 encrypt_start_output(type);
626 }
627 }
628
629 /*
630 * Called when a ENCRYPT START command is received.
631 */
632 void
encrypt_start(data,cnt)633 encrypt_start(data, cnt)
634 unsigned char *data;
635 int cnt;
636 {
637 Encryptions *ep;
638
639 if (!decrypt_mode) {
640 /*
641 * Something is wrong. We should not get a START
642 * command without having already picked our
643 * decryption scheme. Send a REQUEST-END to
644 * attempt to clear the channel...
645 */
646 printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
647 encrypt_send_request_end();
648 return;
649 }
650
651 if ((ep = finddecryption(decrypt_mode))) {
652 decrypt_input = ep->input;
653 if (encrypt_verbose)
654 printf("[ Input is now decrypted with type %s ]\r\n",
655 ENCTYPE_NAME(decrypt_mode));
656 if (encrypt_debug_mode)
657 printf(">>>%s: Start to decrypt input with type %s\r\n",
658 Name, ENCTYPE_NAME(decrypt_mode));
659 } else {
660 printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
661 Name,
662 ENCTYPE_NAME_OK(decrypt_mode)
663 ? ENCTYPE_NAME(decrypt_mode)
664 : "(unknown)",
665 decrypt_mode);
666 encrypt_send_request_end();
667 }
668 }
669
670 void
encrypt_session_key(key,server)671 encrypt_session_key(key, server)
672 Session_Key *key;
673 int server;
674 {
675 Encryptions *ep = encryptions;
676
677 havesessionkey = 1;
678
679 while (ep->type) {
680 if (ep->session)
681 (*ep->session)(key, server);
682 #ifdef notdef
683 if (!encrypt_output && autoencrypt && !server)
684 encrypt_start_output(ep->type);
685 if (!decrypt_input && autodecrypt && !server)
686 encrypt_send_request_start();
687 #endif
688 ++ep;
689 }
690 }
691
692 /*
693 * Called when ENCRYPT END is received.
694 */
695 void
encrypt_end()696 encrypt_end()
697 {
698 decrypt_input = 0;
699 if (encrypt_debug_mode)
700 printf(">>>%s: Input is back to clear text\r\n", Name);
701 if (encrypt_verbose)
702 printf("[ Input is now clear text ]\r\n");
703 }
704
705 /*
706 * Called when ENCRYPT REQUEST-END is received.
707 */
708 void
encrypt_request_end()709 encrypt_request_end()
710 {
711 encrypt_send_end();
712 }
713
714 /*
715 * Called when ENCRYPT REQUEST-START is received. If we receive
716 * this before a type is picked, then that indicates that the
717 * other side wants us to start encrypting data as soon as we
718 * can.
719 */
720 void
encrypt_request_start(data,cnt)721 encrypt_request_start(data, cnt)
722 unsigned char *data;
723 int cnt;
724 {
725 if (encrypt_mode == 0) {
726 if (Server)
727 autoencrypt = 1;
728 return;
729 }
730 encrypt_start_output(encrypt_mode);
731 }
732
733 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
734
735 static void encrypt_keyid (struct key_info *kp, unsigned char *, unsigned int);
736
encrypt_enc_keyid(keyid,len)737 void encrypt_enc_keyid(keyid, len)
738 unsigned char *keyid;
739 int len;
740 {
741 encrypt_keyid(&ki[1], keyid, (unsigned) len);
742 }
743
encrypt_dec_keyid(keyid,len)744 void encrypt_dec_keyid(keyid, len)
745 unsigned char *keyid;
746 int len;
747 {
748 encrypt_keyid(&ki[0], keyid, (unsigned) len);
749 }
750
encrypt_keyid(kp,keyid,len)751 static void encrypt_keyid(kp, keyid, len)
752 struct key_info *kp;
753 unsigned char *keyid;
754 unsigned int len;
755 {
756 Encryptions *ep;
757 int dir = kp->dir;
758 register int ret = 0;
759
760 if (len > MAXKEYLEN)
761 len = MAXKEYLEN;
762
763 if (!(ep = (*kp->getcrypt)(*kp->modep))) {
764 if (len == 0)
765 return;
766 kp->keylen = 0;
767 } else if (len == 0) {
768 /*
769 * Empty option, indicates a failure.
770 */
771 if (kp->keylen == 0)
772 return;
773 kp->keylen = 0;
774 if (ep->keyid)
775 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
776
777 } else if ((len != (unsigned int) kp->keylen) ||
778 (memcmp(keyid, kp->keyid, len) != 0)) {
779 /*
780 * Length or contents are different
781 */
782 kp->keylen = len;
783 memcpy(kp->keyid, keyid, len);
784 if (ep->keyid)
785 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
786 } else {
787 if (ep->keyid)
788 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
789 if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
790 encrypt_start_output(*kp->modep);
791 return;
792 }
793
794 encrypt_send_keyid(dir, kp->keyid, (unsigned) kp->keylen, 0);
795 }
796
797 void
encrypt_send_keyid(dir,keyid,keylen,saveit)798 encrypt_send_keyid(dir, keyid, keylen, saveit)
799 int dir;
800 unsigned char *keyid;
801 unsigned int keylen;
802 int saveit;
803 {
804 unsigned char *strp;
805
806 str_keyid[3] = (dir == DIR_ENCRYPT)
807 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
808 if (saveit) {
809 struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
810 memcpy(kp->keyid, keyid, keylen);
811 kp->keylen = keylen;
812 }
813
814 for (strp = &str_keyid[4]; keylen > 0; --keylen) {
815 if ((*strp++ = *keyid++) == IAC)
816 *strp++ = IAC;
817 }
818 *strp++ = IAC;
819 *strp++ = SE;
820 net_write(str_keyid, strp - str_keyid);
821 printsub('>', &str_keyid[2], strp - str_keyid - 2);
822 }
823
824 void
encrypt_auto(on)825 encrypt_auto(on)
826 int on;
827 {
828 if (on < 0)
829 autoencrypt ^= 1;
830 else
831 autoencrypt = on ? 1 : 0;
832 }
833
834 void
decrypt_auto(on)835 decrypt_auto(on)
836 int on;
837 {
838 if (on < 0)
839 autodecrypt ^= 1;
840 else
841 autodecrypt = on ? 1 : 0;
842 }
843
844 void
encrypt_start_output(type)845 encrypt_start_output(type)
846 int type;
847 {
848 Encryptions *ep;
849 register unsigned char *p;
850 register int i;
851
852 if (!(ep = findencryption(type))) {
853 if (encrypt_debug_mode) {
854 printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
855 Name,
856 ENCTYPE_NAME_OK(type)
857 ? ENCTYPE_NAME(type) : "(unknown)",
858 type);
859 }
860 return;
861 }
862 if (ep->start) {
863 i = (*ep->start)(DIR_ENCRYPT, Server);
864 if (encrypt_debug_mode) {
865 printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
866 Name,
867 (i < 0) ? "failed" :
868 "initial negotiation in progress",
869 i, ENCTYPE_NAME(type));
870 }
871 if (i)
872 return;
873 }
874 p = str_start + 3;
875 *p++ = ENCRYPT_START;
876 for (i = 0; i < ki[0].keylen; ++i) {
877 if ((*p++ = ki[0].keyid[i]) == IAC)
878 *p++ = IAC;
879 }
880 *p++ = IAC;
881 *p++ = SE;
882 net_write(str_start, p - str_start);
883 net_encrypt();
884 printsub('>', &str_start[2], p - &str_start[2]);
885 /*
886 * If we are already encrypting in some mode, then
887 * encrypt the ring (which includes our request) in
888 * the old mode, mark it all as "clear text" and then
889 * switch to the new mode.
890 */
891 encrypt_output = ep->output;
892 encrypt_mode = type;
893 if (encrypt_debug_mode)
894 printf(">>>%s: Started to encrypt output with type %s\r\n",
895 Name, ENCTYPE_NAME(type));
896 if (encrypt_verbose)
897 printf("[ Output is now encrypted with type %s ]\r\n",
898 ENCTYPE_NAME(type));
899 }
900
901 void
encrypt_send_end()902 encrypt_send_end()
903 {
904 if (!encrypt_output)
905 return;
906
907 str_end[3] = ENCRYPT_END;
908 net_write(str_end, sizeof(str_end));
909 net_encrypt();
910 printsub('>', &str_end[2], sizeof(str_end) - 2);
911 /*
912 * Encrypt the output buffer now because it will not be done by
913 * netflush...
914 */
915 encrypt_output = 0;
916 if (encrypt_debug_mode)
917 printf(">>>%s: Output is back to clear text\r\n", Name);
918 if (encrypt_verbose)
919 printf("[ Output is now clear text ]\r\n");
920 }
921
922 void
encrypt_send_request_start()923 encrypt_send_request_start()
924 {
925 register unsigned char *p;
926 register int i;
927
928 p = &str_start[3];
929 *p++ = ENCRYPT_REQSTART;
930 for (i = 0; i < ki[1].keylen; ++i) {
931 if ((*p++ = ki[1].keyid[i]) == IAC)
932 *p++ = IAC;
933 }
934 *p++ = IAC;
935 *p++ = SE;
936 net_write(str_start, p - str_start);
937 printsub('>', &str_start[2], p - &str_start[2]);
938 if (encrypt_debug_mode)
939 printf(">>>%s: Request input to be encrypted\r\n", Name);
940 }
941
942 void
encrypt_send_request_end()943 encrypt_send_request_end()
944 {
945 str_end[3] = ENCRYPT_REQEND;
946 net_write(str_end, sizeof(str_end));
947 printsub('>', &str_end[2], sizeof(str_end) - 2);
948
949 if (encrypt_debug_mode)
950 printf(">>>%s: Request input to be clear text\r\n", Name);
951 }
952
953 void
encrypt_wait()954 encrypt_wait()
955 {
956 if (encrypt_debug_mode)
957 printf(">>>%s: in encrypt_wait\r\n", Name);
958 if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
959 return;
960 while (autoencrypt && !encrypt_output)
961 if (telnet_spin())
962 return;
963 }
964
encrypt_is_encrypting()965 int encrypt_is_encrypting()
966 {
967 if (encrypt_output && decrypt_input)
968 return 1;
969 return 0;
970 }
971
972 void
encrypt_debug(mode)973 encrypt_debug(mode)
974 int mode;
975 {
976 encrypt_debug_mode = mode;
977 }
978
979 void
encrypt_gen_printsub(data,cnt,buf,buflen)980 encrypt_gen_printsub(data, cnt, buf, buflen)
981 unsigned char *data, *buf;
982 int cnt, buflen;
983 {
984 char tbuf[16], *cp;
985
986 cnt -= 2;
987 data += 2;
988 buf[buflen-1] = '\0';
989 buf[buflen-2] = '*';
990 buflen -= 2;;
991 for (; cnt > 0; cnt--, data++) {
992 snprintf(tbuf, sizeof(tbuf), " %d", *data);
993 for (cp = tbuf; *cp && buflen > 0; --buflen)
994 *buf++ = *cp++;
995 if (buflen <= 0)
996 return;
997 }
998 *buf = '\0';
999 }
1000
1001 void
encrypt_printsub(data,cnt,buf,buflen)1002 encrypt_printsub(data, cnt, buf, buflen)
1003 unsigned char *data, *buf;
1004 int cnt, buflen;
1005 {
1006 Encryptions *ep;
1007 register int type = data[1];
1008
1009 for (ep = encryptions; ep->type && ep->type != type; ep++)
1010 ;
1011
1012 if (ep->printsub)
1013 (*ep->printsub)(data, cnt, buf, buflen);
1014 else
1015 encrypt_gen_printsub(data, cnt, buf, buflen);
1016 }
1017 #else /* ENCRYPTION */
1018 #include "misc-proto.h"
1019 #endif /* ENCRYPTION */
1020