1 /*
2  * Copyright 2002 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6 /*
7  * usr/src/cmd/cmd-inet/usr.bin/telnet/encrypt.c
8  */
9 
10 /*
11  * Copyright (c) 1991, 1993
12  *	The Regents of the University of California.  All rights reserved.
13  *
14  * Redistribution and use in source and binary forms, with or without
15  * modification, are permitted provided that the following conditions
16  * are met:
17  * 1. Redistributions of source code must retain the above copyright
18  *    notice, this list of conditions and the following disclaimer.
19  * 2. Redistributions in binary form must reproduce the above copyright
20  *    notice, this list of conditions and the following disclaimer in the
21  *    documentation and/or other materials provided with the distribution.
22  * 3. All advertising materials mentioning features or use of this software
23  *    must display the following acknowledgement:
24  *	This product includes software developed by the University of
25  *	California, Berkeley and its contributors.
26  * 4. Neither the name of the University nor the names of its contributors
27  *    may be used to endorse or promote products derived from this software
28  *    without specific prior written permission.
29  *
30  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
31  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
32  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
33  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
34  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
35  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
36  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
37  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
38  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
39  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
40  * SUCH DAMAGE.
41  */
42 
43 /* based on @(#)encrypt.c	8.1 (Berkeley) 6/4/93 */
44 
45 /*
46  * Copyright (C) 1990 by the Massachusetts Institute of Technology
47  *
48  * Export of this software from the United States of America may
49  * require a specific license from the United States Government.
50  * It is the responsibility of any person or organization contemplating
51  * export to obtain such a license before exporting.
52  *
53  * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
54  * distribute this software and its documentation for any purpose and
55  * without fee is hereby granted, provided that the above copyright
56  * notice appear in all copies and that both that copyright notice and
57  * this permission notice appear in supporting documentation, and that
58  * the name of M.I.T. not be used in advertising or publicity pertaining
59  * to distribution of the software without specific, written prior
60  * permission.  Furthermore if you modify this software you must label
61  * your software as modified software and not distribute it in such a
62  * fashion that it might be confused with the original M.I.T. software.
63  * M.I.T. makes no representations about the suitability of
64  * this software for any purpose.  It is provided "as is" without express
65  * or implied warranty.
66  */
67 
68 #ifdef	lint
69 static char *encrypt_names[] = {0};
70 static char *enctype_names[] = {0};
71 #else	/* lint */
72 #define	ENCRYPT_NAMES
73 #endif	/* lint */
74 #include <arpa/telnet.h>
75 
76 #include "externs.h"
77 
78 #ifdef	__STDC__
79 #include <stdlib.h>
80 #endif
81 
82 /*
83  * These functions pointers point to the current routines
84  * for encrypting and decrypting data.
85  */
86 void	(*encrypt_output)(uchar_t *, int);
87 int	(*decrypt_input)(int);
88 static	void encrypt_start_output(int);
89 static	void encrypt_send_end(void);
90 static	void encrypt_send_request_start(void);
91 static	void encrypt_send_request_end(void);
92 
93 boolean_t	encrypt_debug_mode = B_FALSE;
94 
95 static int decrypt_mode = 0;
96 static int encrypt_mode = 0;
97 static boolean_t encrypt_verbose = B_FALSE;
98 static boolean_t autoencrypt = B_FALSE;
99 static boolean_t autodecrypt = B_FALSE;
100 static char *Name = "Noname";
101 
102 #define	typemask(x)	((x) > 0 ? 1 << ((x)-1) : 0)
103 #define	SUCCESS		0x00
104 #define	UNKNOWN		gettext("(unknown)")
105 
106 static int i_support_encrypt = typemask(TELOPT_ENCTYPE_DES_CFB64);
107 static int i_support_decrypt = typemask(TELOPT_ENCTYPE_DES_CFB64);
108 static int i_wont_support_encrypt = 0;
109 static int i_wont_support_decrypt = 0;
110 #define	I_SUPPORT_ENCRYPT	(i_support_encrypt & ~i_wont_support_encrypt)
111 #define	I_SUPPORT_DECRYPT	(i_support_decrypt & ~i_wont_support_decrypt)
112 
113 static int remote_supports_encrypt = 0;
114 static int remote_supports_decrypt = 0;
115 
116 static Encryptions encryptions[] = {
117 	{ "DES_CFB64",	TELOPT_ENCTYPE_DES_CFB64,
118 			cfb64_encrypt,
119 			cfb64_decrypt,
120 			cfb64_init,
121 			cfb64_start,
122 			cfb64_is,
123 			cfb64_reply,
124 			cfb64_session,
125 			cfb64_keyid,
126 			cfb64_printsub },
127 	{ 0, },
128 };
129 
130 static uchar_t str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
131 	ENCRYPT_SUPPORT };
132 static uchar_t str_suplen = 0;
133 static uchar_t str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
134 static uchar_t str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
135 
136 static Encryptions *
findencryption(int type)137 findencryption(int type)
138 {
139 	Encryptions *ep = encryptions;
140 
141 	if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & typemask(type)))
142 		return (NULL);
143 	for (; (ep->type != 0) && (ep->type != type); ep++);
144 	return (ep->type ? ep : NULL);
145 }
146 
147 static Encryptions *
finddecryption(int type)148 finddecryption(int type)
149 {
150 	Encryptions *ep = encryptions;
151 
152 	if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & typemask(type)))
153 		return (NULL);
154 	while (ep->type && ep->type != type)
155 		++ep;
156 	return (ep->type ? ep : NULL);
157 }
158 
159 #define	MAXKEYLEN 64
160 
161 static struct key_info {
162 	uchar_t keyid[MAXKEYLEN];
163 	int keylen;
164 	int dir;
165 	int *modep;
166 	Encryptions *(*getcrypt)();
167 } ki[2] = {
168 	{ { 0 }, 0, TELNET_DIR_ENCRYPT, &encrypt_mode, findencryption },
169 	{ { 0 }, 0, TELNET_DIR_DECRYPT, &decrypt_mode, finddecryption },
170 };
171 #define	KI_ENCRYPT	0
172 #define	KI_DECRYPT	1
173 
174 void
encrypt_init(char * name)175 encrypt_init(char *name)
176 {
177 	Encryptions *ep = encryptions;
178 
179 	Name = name;
180 	i_support_encrypt = i_support_decrypt = 0;
181 	remote_supports_encrypt = remote_supports_decrypt = 0;
182 	encrypt_mode = 0;
183 	decrypt_mode = 0;
184 	encrypt_output = 0;
185 	decrypt_input = 0;
186 #ifdef notdef
187 	encrypt_verbose = !server;
188 #endif
189 
190 	str_suplen = 4;
191 
192 	while (ep->type) {
193 		if (encrypt_debug_mode)
194 			(void) printf(gettext(
195 				">>>%s: I will support %s\r\n"),
196 				Name, ENCTYPE_NAME(ep->type));
197 		i_support_encrypt |= typemask(ep->type);
198 		i_support_decrypt |= typemask(ep->type);
199 		if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
200 			if ((str_send[str_suplen++] = ep->type) == IAC)
201 				str_send[str_suplen++] = IAC;
202 		if (ep->init)
203 			(*ep->init)();
204 		++ep;
205 	}
206 	str_send[str_suplen++] = IAC;
207 	str_send[str_suplen++] = SE;
208 }
209 
210 static void
encrypt_list_types(void)211 encrypt_list_types(void)
212 {
213 	Encryptions *ep = encryptions;
214 
215 	(void) printf(gettext("Valid encryption types:\n"));
216 	while (ep->type) {
217 		(void) printf("\t%s (%d)\r\n",
218 			ENCTYPE_NAME(ep->type), ep->type);
219 		++ep;
220 	}
221 }
222 
223 int
EncryptEnable(char * type,char * mode)224 EncryptEnable(char *type, char *mode)
225 {
226 	if (isprefix(type, "help") || isprefix(type, "?")) {
227 		(void) printf(gettext(
228 			"Usage: encrypt enable <type> [input|output]\n"));
229 		encrypt_list_types();
230 		return (0);
231 	}
232 
233 	if (EncryptType(type, mode))
234 		return (EncryptStart(mode));
235 
236 	return (0);
237 }
238 
239 int
EncryptDisable(char * type,char * mode)240 EncryptDisable(char *type, char *mode)
241 {
242 	register Encryptions *ep;
243 	int ret = 0;
244 
245 	if (isprefix(type, "help") || isprefix(type, "?")) {
246 		(void) printf(gettext(
247 			"Usage: encrypt disable <type> [input|output]\n"));
248 		encrypt_list_types();
249 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
250 						sizeof (Encryptions))) == 0) {
251 		(void) printf(gettext("%s: invalid encryption type\n"), type);
252 	} else if (Ambiguous(ep)) {
253 		(void) printf(gettext("Ambiguous type '%s'\n"), type);
254 	} else {
255 		if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
256 			if (decrypt_mode == ep->type)
257 				(void) EncryptStopInput();
258 			i_wont_support_decrypt |= typemask(ep->type);
259 			ret = 1;
260 		}
261 		if ((mode == 0) || (isprefix(mode, "output"))) {
262 			if (encrypt_mode == ep->type)
263 				(void) EncryptStopOutput();
264 			i_wont_support_encrypt |= typemask(ep->type);
265 			ret = 1;
266 		}
267 		if (ret == 0)
268 			(void) printf(gettext(
269 				"%s: invalid encryption mode\n"), mode);
270 	}
271 	return (ret);
272 }
273 
274 int
EncryptType(char * type,char * mode)275 EncryptType(char *type, char *mode)
276 {
277 	register Encryptions *ep;
278 	int ret = 0;
279 
280 	if (isprefix(type, "help") || isprefix(type, "?")) {
281 		(void) printf(gettext(
282 			"Usage: encrypt type <type> [input|output]\n"));
283 		encrypt_list_types();
284 	} else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
285 						sizeof (Encryptions))) == 0) {
286 		(void) printf(gettext("%s: invalid encryption type\n"), type);
287 	} else if (Ambiguous(ep)) {
288 		(void) printf(gettext("Ambiguous type '%s'\n"), type);
289 	} else {
290 		if ((mode == 0) || isprefix(mode, "input")) {
291 			decrypt_mode = ep->type;
292 			i_wont_support_decrypt &= ~typemask(ep->type);
293 			ret = 1;
294 		}
295 		if ((mode == 0) || isprefix(mode, "output")) {
296 			encrypt_mode = ep->type;
297 			i_wont_support_encrypt &= ~typemask(ep->type);
298 			ret = 1;
299 		}
300 		if (ret == 0)
301 			(void) printf(gettext(
302 				"%s: invalid encryption mode\n"), mode);
303 	}
304 	return (ret);
305 }
306 
307 int
EncryptStart(char * mode)308 EncryptStart(char *mode)
309 {
310 	register int ret = 0;
311 	if (mode) {
312 		if (isprefix(mode, "input"))
313 			return (EncryptStartInput());
314 		if (isprefix(mode, "output"))
315 			return (EncryptStartOutput());
316 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
317 			(void) printf(gettext(
318 				"Usage: encrypt start [input|output]\n"));
319 			return (0);
320 		}
321 		(void) printf(gettext(
322 			"%s: invalid encryption mode 'encrypt start ?' "
323 			"for help\n"), mode);
324 		return (0);
325 	}
326 	ret += EncryptStartInput();
327 	ret += EncryptStartOutput();
328 	return (ret);
329 }
330 
331 int
EncryptStartInput(void)332 EncryptStartInput(void)
333 {
334 	if (decrypt_mode) {
335 		encrypt_send_request_start();
336 		return (1);
337 	}
338 	(void) printf(gettext("No previous decryption mode, "
339 		"decryption not enabled\r\n"));
340 	return (0);
341 }
342 
343 int
EncryptStartOutput(void)344 EncryptStartOutput(void)
345 {
346 	if (encrypt_mode) {
347 		encrypt_start_output(encrypt_mode);
348 		return (1);
349 	}
350 	(void) printf(gettext("No previous encryption mode, "
351 		"encryption not enabled\r\n"));
352 	return (0);
353 }
354 
355 int
EncryptStop(char * mode)356 EncryptStop(char *mode)
357 {
358 	int ret = 0;
359 	if (mode) {
360 		if (isprefix(mode, "input"))
361 			return (EncryptStopInput());
362 		if (isprefix(mode, "output"))
363 			return (EncryptStopOutput());
364 		if (isprefix(mode, "help") || isprefix(mode, "?")) {
365 			(void) printf(gettext(
366 				"Usage: encrypt stop [input|output]\n"));
367 			return (0);
368 		}
369 		(void) printf(gettext(
370 			"%s: invalid encryption mode 'encrypt stop ?' "
371 			"for help\n"), mode);
372 		return (0);
373 	}
374 	ret += EncryptStopInput();
375 	ret += EncryptStopOutput();
376 	return (ret);
377 }
378 
379 int
EncryptStopInput(void)380 EncryptStopInput(void)
381 {
382 	encrypt_send_request_end();
383 	return (1);
384 }
385 
386 int
EncryptStopOutput(void)387 EncryptStopOutput(void)
388 {
389 	encrypt_send_end();
390 	return (1);
391 }
392 
393 void
encrypt_display(void)394 encrypt_display(void)
395 {
396 	if (encrypt_output)
397 		(void) printf(gettext(
398 			"Currently encrypting output with %s\r\n"),
399 			ENCTYPE_NAME(encrypt_mode));
400 	if (decrypt_input)
401 		(void) printf(gettext(
402 			"Currently decrypting input with %s\r\n"),
403 			ENCTYPE_NAME(decrypt_mode));
404 }
405 
406 int
EncryptStatus(void)407 EncryptStatus(void)
408 {
409 	if (encrypt_output)
410 		(void) printf(gettext(
411 			"Currently encrypting output with %s\r\n"),
412 			ENCTYPE_NAME(encrypt_mode));
413 	else if (encrypt_mode) {
414 		(void) printf(gettext("Currently output is clear text.\r\n"));
415 		(void) printf(gettext("Last encryption mode was %s\r\n"),
416 			ENCTYPE_NAME(encrypt_mode));
417 	}
418 	if (decrypt_input) {
419 		(void) printf(gettext(
420 			"Currently decrypting input with %s\r\n"),
421 			ENCTYPE_NAME(decrypt_mode));
422 	} else if (decrypt_mode) {
423 		(void) printf(gettext("Currently input is clear text.\r\n"));
424 		(void) printf(gettext("Last decryption mode was %s\r\n"),
425 			ENCTYPE_NAME(decrypt_mode));
426 	}
427 	return (1);
428 }
429 
430 void
encrypt_send_support(void)431 encrypt_send_support(void)
432 {
433 	if (str_suplen) {
434 		/*
435 		 * If the user has requested that decryption start
436 		 * immediatly, then send a "REQUEST START" before
437 		 * we negotiate the type.
438 		 */
439 		if (autodecrypt)
440 			encrypt_send_request_start();
441 		(void) net_write(str_send, str_suplen);
442 		printsub('>', &str_send[2], str_suplen - 2);
443 		str_suplen = 0;
444 	}
445 }
446 
447 int
EncryptDebug(int on)448 EncryptDebug(int on)
449 {
450 	encrypt_debug_mode = (on < 0) ? !encrypt_debug_mode :
451 		(on > 0) ? B_TRUE : B_FALSE;
452 	(void) printf(encrypt_debug_mode ?
453 		gettext("Encryption debugging enabled\r\n") :
454 		gettext("Encryption debugging disabled\r\n"));
455 	return (1);
456 }
457 
458 int
EncryptVerbose(int on)459 EncryptVerbose(int on)
460 {
461 	encrypt_verbose = (on < 0) ? !encrypt_verbose :
462 		(on > 0) ? B_TRUE : B_FALSE;
463 	(void) printf(encrypt_verbose ?
464 		gettext("Encryption is verbose\r\n") :
465 		gettext("Encryption is not verbose\r\n"));
466 	return (1);
467 }
468 
469 int
EncryptAutoEnc(int on)470 EncryptAutoEnc(int on)
471 {
472 	encrypt_auto(on);
473 	(void) printf(autoencrypt ?
474 		gettext("Automatic encryption of output is enabled\r\n") :
475 		gettext("Automatic encryption of output is disabled\r\n"));
476 	return (1);
477 }
478 
479 int
EncryptAutoDec(int on)480 EncryptAutoDec(int on)
481 {
482 	decrypt_auto(on);
483 	(void) printf(autodecrypt ?
484 		gettext("Automatic decryption of input is enabled\r\n") :
485 		gettext("Automatic decryption of input is disabled\r\n"));
486 	return (1);
487 }
488 
489 /*
490  * Called when ENCRYPT SUPPORT is received.
491  */
492 void
encrypt_support(uchar_t * typelist,int cnt)493 encrypt_support(uchar_t *typelist, int cnt)
494 {
495 	register int type, use_type = 0;
496 	Encryptions *ep;
497 
498 	/*
499 	 * Forget anything the other side has previously told us.
500 	 */
501 	remote_supports_decrypt = 0;
502 
503 	while (cnt-- > 0) {
504 		type = *typelist++;
505 		if (encrypt_debug_mode)
506 			(void) printf(gettext(
507 				">>>%s: Remote host supports %s (%d)\r\n"),
508 				Name, ENCTYPE_NAME(type), type);
509 		if ((type < TELOPT_ENCTYPE_CNT) &&
510 		    (I_SUPPORT_ENCRYPT & typemask(type))) {
511 			remote_supports_decrypt |= typemask(type);
512 			if (use_type == 0)
513 				use_type = type;
514 		}
515 	}
516 	if (use_type) {
517 		ep = findencryption(use_type);
518 		if (!ep)
519 			return;
520 		type = ep->start ? (*ep->start)(TELNET_DIR_ENCRYPT) : 0;
521 		if (encrypt_debug_mode)
522 			(void) printf(gettext(
523 				">>>%s: (*ep->start)() returned %d\r\n"),
524 				Name, type);
525 		if (type < 0)
526 			return;
527 		encrypt_mode = use_type;
528 		if (type == 0)
529 			encrypt_start_output(use_type);
530 	}
531 }
532 
533 void
encrypt_is(uchar_t * data,int cnt)534 encrypt_is(uchar_t *data, int cnt)
535 {
536 	Encryptions *ep;
537 	register int type, ret;
538 
539 	if (--cnt < 0)
540 		return;
541 	type = *data++;
542 	if (type < TELOPT_ENCTYPE_CNT)
543 		remote_supports_encrypt |= typemask(type);
544 	if (!(ep = finddecryption(type))) {
545 		if (encrypt_debug_mode)
546 			(void) printf(gettext(
547 				">>>%s: Can't find type %s (%d) for "
548 				"initial negotiation\r\n"), Name,
549 				ENCTYPE_NAME_OK(type) ?
550 				ENCTYPE_NAME(type) : UNKNOWN, type);
551 		return;
552 	}
553 	if (!ep->is) {
554 		if (encrypt_debug_mode)
555 			(void) printf(gettext(
556 				">>>%s: No initial negotiation needed "
557 				"for type %s (%d)\r\n"), Name,
558 				ENCTYPE_NAME_OK(type) ?
559 				ENCTYPE_NAME(type) : UNKNOWN, type);
560 		ret = 0;
561 	} else {
562 		ret = (*ep->is)(data, cnt);
563 		if (encrypt_debug_mode)
564 			(void) printf(gettext(
565 				"(*ep->is)(%x, %d) returned %s(%d)\n"),
566 				data, cnt, (ret < 0) ? "FAIL " :
567 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
568 	}
569 	if (ret < 0) {
570 		autodecrypt = B_FALSE;
571 	} else {
572 		decrypt_mode = type;
573 		if (ret == 0 && autodecrypt)
574 			encrypt_send_request_start();
575 	}
576 }
577 
578 void
encrypt_reply(uchar_t * data,int cnt)579 encrypt_reply(uchar_t *data, int cnt)
580 {
581 	Encryptions *ep;
582 	register int ret, type;
583 
584 	if (--cnt < 0)
585 		return;
586 	type = *data++;
587 	if (!(ep = findencryption(type))) {
588 		if (encrypt_debug_mode)
589 			(void) printf(gettext(
590 				">>>%s: Can't find type %s (%d) "
591 				"for initial negotiation\r\n"), Name,
592 				ENCTYPE_NAME_OK(type) ?
593 				ENCTYPE_NAME(type) : UNKNOWN, type);
594 		return;
595 	}
596 	if (!ep->reply) {
597 		if (encrypt_debug_mode)
598 			(void) printf(gettext(
599 				">>>%s: No initial negotiation needed "
600 				"for type %s (%d)\r\n"), Name,
601 				ENCTYPE_NAME_OK(type) ?
602 				ENCTYPE_NAME(type) : UNKNOWN, type);
603 		ret = 0;
604 	} else {
605 		ret = (*ep->reply)(data, cnt);
606 		if (encrypt_debug_mode)
607 			(void) printf(gettext(
608 				"(*ep->reply)(%x, %d) returned %s(%d)\n"),
609 				data, cnt, (ret < 0) ? "FAIL " :
610 				(ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
611 	}
612 	if (encrypt_debug_mode)
613 		(void) printf(gettext(
614 			">>>%s: encrypt_reply returned %d\n"), Name, ret);
615 	if (ret < 0) {
616 		autoencrypt = B_FALSE;
617 	} else {
618 		encrypt_mode = type;
619 		if (ret == 0 && autoencrypt)
620 			encrypt_start_output(type);
621 	}
622 }
623 
624 /*
625  * Called when a ENCRYPT START command is received.
626  */
627 /* ARGSUSED */
628 void
encrypt_start(uchar_t * data,int cnt)629 encrypt_start(uchar_t *data, int cnt)
630 {
631 	Encryptions *ep;
632 
633 	if (!decrypt_mode) {
634 		/*
635 		 * Something is wrong.  We should not get a START
636 		 * command without having already picked our
637 		 * decryption scheme.  Send a REQUEST-END to
638 		 * attempt to clear the channel...
639 		 */
640 		(void) printf(gettext("%s: Warning, cannot decrypt "
641 			"input stream!!!\r\n"), Name);
642 		encrypt_send_request_end();
643 		return;
644 	}
645 
646 	if (ep = finddecryption(decrypt_mode)) {
647 		decrypt_input = ep->input;
648 		if (encrypt_verbose)
649 			(void) printf(gettext(
650 			    "[ Input is now decrypted with type %s ]\r\n"),
651 			    ENCTYPE_NAME(decrypt_mode));
652 		if (encrypt_debug_mode)
653 			(void) printf(gettext(
654 			    ">>>%s: Start to decrypt input with type %s\r\n"),
655 			    Name, ENCTYPE_NAME(decrypt_mode));
656 	} else {
657 		(void) printf(gettext(
658 			    "%s: Warning, cannot decrypt type %s (%d)!!!\r\n"),
659 			    Name, ENCTYPE_NAME_OK(decrypt_mode) ?
660 			    ENCTYPE_NAME(decrypt_mode) : UNKNOWN,
661 			    decrypt_mode);
662 		encrypt_send_request_end();
663 	}
664 }
665 
666 void
encrypt_session_key(Session_Key * key)667 encrypt_session_key(Session_Key *key)
668 {
669 	Encryptions *ep = encryptions;
670 
671 	while (ep->type) {
672 		if (ep->session)
673 			(*ep->session)(key);
674 #ifdef notdef
675 		if (!encrypt_output && autoencrypt)
676 			encrypt_start_output(ep->type);
677 		if (!decrypt_input && autodecrypt)
678 			encrypt_send_request_start();
679 #endif
680 		++ep;
681 	}
682 }
683 
684 /*
685  * Called when ENCRYPT END is received.
686  */
687 void
encrypt_end(void)688 encrypt_end(void)
689 {
690 	decrypt_input = 0;
691 	if (encrypt_debug_mode)
692 		(void) printf(gettext(
693 			">>>%s: Input is back to clear text\r\n"), Name);
694 	if (encrypt_verbose)
695 		(void) printf(gettext("[ Input is now clear text ]\r\n"));
696 }
697 
698 /*
699  * Called when ENCRYPT REQUEST-END is received.
700  */
701 void
encrypt_request_end(void)702 encrypt_request_end(void)
703 {
704 	encrypt_send_end();
705 }
706 
707 /*
708  * Called when ENCRYPT REQUEST-START is received.  If we receive
709  * this before a type is picked, then that indicates that the
710  * other side wants us to start encrypting data as soon as we
711  * can.
712  */
713 /* ARGSUSED */
714 void
encrypt_request_start(uchar_t * data,int cnt)715 encrypt_request_start(uchar_t *data, int cnt)
716 {
717 	if (encrypt_mode == 0)
718 		return;
719 	encrypt_start_output(encrypt_mode);
720 }
721 
722 static	uchar_t str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
723 static	void encrypt_keyid(struct key_info *, uchar_t *, int);
724 
725 void
encrypt_enc_keyid(uchar_t * keyid,int len)726 encrypt_enc_keyid(uchar_t *keyid, int len)
727 {
728 	encrypt_keyid(&ki[KI_DECRYPT], keyid, len);
729 }
730 
731 void
encrypt_dec_keyid(uchar_t * keyid,int len)732 encrypt_dec_keyid(uchar_t *keyid, int len)
733 {
734 	encrypt_keyid(&ki[KI_ENCRYPT], keyid, len);
735 }
736 
737 static void
encrypt_keyid(struct key_info * kp,uchar_t * keyid,int len)738 encrypt_keyid(struct key_info *kp, uchar_t *keyid, int len)
739 {
740 	Encryptions *ep;
741 	int dir = kp->dir;
742 	register int ret = 0;
743 
744 	if (!(ep = (*kp->getcrypt)(*kp->modep))) {
745 		if (len == 0)
746 			return;
747 		kp->keylen = 0;
748 	} else if (len == 0) {
749 		/*
750 		 * Empty option, indicates a failure.
751 		 */
752 		if (kp->keylen == 0)
753 			return;
754 		kp->keylen = 0;
755 		if (ep->keyid)
756 			(void) (*ep->keyid)(dir, kp->keyid, &kp->keylen);
757 
758 	} else if ((len != kp->keylen) ||
759 		(memcmp(keyid, kp->keyid, len) != 0)) {
760 		/*
761 		 * Length or contents are different
762 		 */
763 		kp->keylen = len;
764 		(void) memcpy(kp->keyid, keyid, len);
765 		if (ep->keyid)
766 			(void) (*ep->keyid)(dir, kp->keyid, &kp->keylen);
767 	} else {
768 		if (ep->keyid)
769 			ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
770 		if ((ret == 0) && (dir == TELNET_DIR_ENCRYPT) && autoencrypt)
771 			encrypt_start_output(*kp->modep);
772 		return;
773 	}
774 
775 	encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
776 }
777 
778 void
encrypt_send_keyid(int dir,uchar_t * keyid,int keylen,int saveit)779 encrypt_send_keyid(int dir, uchar_t *keyid, int keylen, int saveit)
780 {
781 	uchar_t *strp;
782 
783 	str_keyid[3] = (dir == TELNET_DIR_ENCRYPT)
784 			? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
785 	if (saveit) {
786 		struct key_info *kp = &ki[(dir == TELNET_DIR_ENCRYPT) ? 0 : 1];
787 		(void) memcpy(kp->keyid, keyid, keylen);
788 		kp->keylen = keylen;
789 	}
790 
791 	for (strp = &str_keyid[4]; keylen > 0; --keylen) {
792 		if ((*strp++ = *keyid++) == IAC)
793 			*strp++ = IAC;
794 	}
795 	*strp++ = IAC;
796 	*strp++ = SE;
797 	(void) net_write(str_keyid, strp - str_keyid);
798 	printsub('>', &str_keyid[2], strp - str_keyid - 2);
799 }
800 
801 void
encrypt_auto(int on)802 encrypt_auto(int on)
803 {
804 	autoencrypt = (on < 0) ? !autoencrypt :
805 		(on > 0) ? B_TRUE : B_FALSE;
806 }
807 
808 void
decrypt_auto(int on)809 decrypt_auto(int on)
810 {
811 	autodecrypt = (on < 0) ? !autodecrypt :
812 		(on > 0) ? B_TRUE : B_FALSE;
813 }
814 
815 static void
encrypt_start_output(int type)816 encrypt_start_output(int type)
817 {
818 	Encryptions *ep;
819 	register uchar_t *p;
820 	register int i;
821 
822 	if (!(ep = findencryption(type))) {
823 		if (encrypt_debug_mode) {
824 		    (void) printf(gettext(
825 			">>>%s: Can't encrypt with type %s (%d)\r\n"),
826 			Name, ENCTYPE_NAME_OK(type) ?
827 			ENCTYPE_NAME(type) : UNKNOWN, type);
828 		}
829 		return;
830 	}
831 	if (ep->start) {
832 		i = (*ep->start)(TELNET_DIR_ENCRYPT);
833 		if (encrypt_debug_mode) {
834 		    (void) printf(gettext(
835 			">>>%s: Encrypt start: %s (%d) %s\r\n"),
836 			Name, (i < 0) ?
837 			gettext("failed") :
838 			gettext("initial negotiation in progress"),
839 			i, ENCTYPE_NAME(type));
840 		}
841 		if (i)
842 			return;
843 	}
844 	p = str_start + 3;
845 	*p++ = ENCRYPT_START;
846 	for (i = 0; i < ki[KI_ENCRYPT].keylen; ++i) {
847 		if ((*p++ = ki[KI_ENCRYPT].keyid[i]) == IAC)
848 			*p++ = IAC;
849 	}
850 	*p++ = IAC;
851 	*p++ = SE;
852 	(void) net_write(str_start, p - str_start);
853 	net_encrypt();
854 	printsub('>', &str_start[2], p - &str_start[2]);
855 	/*
856 	 * If we are already encrypting in some mode, then
857 	 * encrypt the ring (which includes our request) in
858 	 * the old mode, mark it all as "clear text" and then
859 	 * switch to the new mode.
860 	 */
861 	encrypt_output = ep->output;
862 	encrypt_mode = type;
863 	if (encrypt_debug_mode)
864 	    (void) printf(gettext(
865 		">>>%s: Started to encrypt output with type %s\r\n"),
866 		Name, ENCTYPE_NAME(type));
867 	if (encrypt_verbose)
868 	    (void) printf(gettext(
869 		"[ Output is now encrypted with type %s ]\r\n"),
870 		ENCTYPE_NAME(type));
871 }
872 
873 static void
encrypt_send_end(void)874 encrypt_send_end(void)
875 {
876 	if (!encrypt_output)
877 		return;
878 
879 	str_end[3] = ENCRYPT_END;
880 	(void) net_write(str_end, sizeof (str_end));
881 	net_encrypt();
882 	printsub('>', &str_end[2], sizeof (str_end) - 2);
883 	/*
884 	 * Encrypt the output buffer now because it will not be done by
885 	 * netflush...
886 	 */
887 	encrypt_output = 0;
888 	if (encrypt_debug_mode)
889 	    (void) printf(gettext(
890 		">>>%s: Output is back to clear text\r\n"), Name);
891 	if (encrypt_verbose)
892 	    (void) printf(gettext("[ Output is now clear text ]\r\n"));
893 }
894 
895 static void
encrypt_send_request_start(void)896 encrypt_send_request_start(void)
897 {
898 	register uchar_t *p;
899 	register int i;
900 
901 	p = &str_start[3];
902 	*p++ = ENCRYPT_REQSTART;
903 	for (i = 0; i < ki[KI_DECRYPT].keylen; ++i) {
904 		if ((*p++ = ki[KI_DECRYPT].keyid[i]) == IAC)
905 			*p++ = IAC;
906 	}
907 	*p++ = IAC;
908 	*p++ = SE;
909 	(void) net_write(str_start, p - str_start);
910 	printsub('>', &str_start[2], p - &str_start[2]);
911 	if (encrypt_debug_mode)
912 	    (void) printf(gettext(
913 		">>>%s: Request input to be encrypted\r\n"), Name);
914 }
915 
916 static void
encrypt_send_request_end(void)917 encrypt_send_request_end(void)
918 {
919 	str_end[3] = ENCRYPT_REQEND;
920 	(void) net_write(str_end, sizeof (str_end));
921 	printsub('>', &str_end[2], sizeof (str_end) - 2);
922 
923 	if (encrypt_debug_mode)
924 	    (void) printf(gettext(
925 		">>>%s: Request input to be clear text\r\n"), Name);
926 }
927 
928 boolean_t
encrypt_is_encrypting(void)929 encrypt_is_encrypting(void)
930 {
931 	return (encrypt_output && decrypt_input ? B_TRUE : B_FALSE);
932 }
933 
934 static void
encrypt_gen_printsub(uchar_t * data,int cnt,uchar_t * buf,int buflen)935 encrypt_gen_printsub(uchar_t *data, int cnt, uchar_t *buf, int buflen)
936 {
937 	char lbuf[ENCR_LBUF_BUFSIZ], *cp;
938 
939 	if (cnt < 2 || buflen < 2)
940 		return;
941 	cnt -= 2;
942 	data += 2;
943 	buf[buflen-1] = '\0';
944 	buf[buflen-2] = '*';
945 	buflen -= 2;
946 	for (; cnt > 0; cnt--, data++) {
947 		(void) snprintf(lbuf, ENCR_LBUF_BUFSIZ, " %d", *data);
948 		for (cp = lbuf; *cp && buflen > 0; --buflen)
949 			*buf++ = *cp++;
950 		if (buflen <= 0)
951 			return;
952 	}
953 	*buf = '\0';
954 }
955 
956 void
encrypt_printsub(uchar_t * data,int cnt,uchar_t * buf,int buflen)957 encrypt_printsub(uchar_t *data, int cnt, uchar_t *buf, int buflen)
958 {
959 	Encryptions *ep;
960 	register int type = data[1];
961 
962 	for (ep = encryptions; ep->type && ep->type != type; ep++)
963 		;
964 
965 	if (ep->printsub)
966 		(*ep->printsub)(data, cnt, buf, buflen);
967 	else
968 		encrypt_gen_printsub(data, cnt, buf, buflen);
969 }
970