2 * Copyright (c) 1991, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgement:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 #include <sys/cdefs.h>
36 __FBSDID("$FreeBSD: src/crypto/telnet/libtelnet/encrypt.c,v 1.3.2.2 2002/04/13 10:59:07 markm Exp $");
40 static const char sccsid[] = "@(#)encrypt.c 8.2 (Berkeley) 5/30/95";
45 * Copyright (C) 1990 by the Massachusetts Institute of Technology
47 * Export of this software from the United States of America is assumed
48 * to require a specific license from the United States Government.
49 * It is the responsibility of any person or organization contemplating
50 * export to obtain such a license before exporting.
52 * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
53 * distribute this software and its documentation for any purpose and
54 * without fee is hereby granted, provided that the above copyright
55 * notice appear in all copies and that both that copyright notice and
56 * this permission notice appear in supporting documentation, and that
57 * the name of M.I.T. not be used in advertising or publicity pertaining
58 * to distribution of the software without specific, written prior
59 * permission. M.I.T. makes no representations about the suitability of
60 * this software for any purpose. It is provided "as is" without express
61 * or implied warranty.
67 #include <arpa/telnet.h>
76 * These functions pointers point to the current routines
77 * for encrypting and decrypting data.
79 void (*encrypt_output)(unsigned char *, int);
80 int (*decrypt_input)(int);
82 int EncryptType(char *type, char *mode);
83 int EncryptStart(char *mode);
84 int EncryptStop(char *mode);
85 int EncryptStartInput(void);
86 int EncryptStartOutput(void);
87 int EncryptStopInput(void);
88 int EncryptStopOutput(void);
90 int encrypt_debug_mode = 0;
91 static int decrypt_mode = 0;
92 static int encrypt_mode = 0;
93 static int encrypt_verbose = 0;
94 static int autoencrypt = 0;
95 static int autodecrypt = 0;
96 static int havesessionkey = 0;
97 static int Server = 0;
98 static const char *Name = "Noname";
100 #define typemask(x) ((x) > 0 ? 1 << ((x)-1) : 0)
102 static long i_support_encrypt = 0
103 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
105 static long i_support_decrypt = 0
106 | typemask(ENCTYPE_DES_CFB64) | typemask(ENCTYPE_DES_OFB64)
109 static long i_wont_support_encrypt = 0;
110 static long i_wont_support_decrypt = 0;
111 #define I_SUPPORT_ENCRYPT (i_support_encrypt & ~i_wont_support_encrypt)
112 #define I_SUPPORT_DECRYPT (i_support_decrypt & ~i_wont_support_decrypt)
114 static long remote_supports_encrypt = 0;
115 static long remote_supports_decrypt = 0;
117 static Encryptions encryptions[] = {
118 { "DES_CFB64", ENCTYPE_DES_CFB64,
128 { "DES_OFB64", ENCTYPE_DES_OFB64,
138 { NULL, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 },
141 static unsigned char str_send[64] = { IAC, SB, TELOPT_ENCRYPT,
143 static unsigned char str_suplen = 0;
144 static unsigned char str_start[72] = { IAC, SB, TELOPT_ENCRYPT };
145 static unsigned char str_end[] = { IAC, SB, TELOPT_ENCRYPT, 0, IAC, SE };
148 findencryption(int type)
150 Encryptions *ep = encryptions;
152 if (!(I_SUPPORT_ENCRYPT & remote_supports_decrypt & (unsigned)typemask(type)))
154 while (ep->type && ep->type != type)
156 return(ep->type ? ep : 0);
160 finddecryption(int type)
162 Encryptions *ep = encryptions;
164 if (!(I_SUPPORT_DECRYPT & remote_supports_encrypt & (unsigned)typemask(type)))
166 while (ep->type && ep->type != type)
168 return(ep->type ? ep : 0);
173 static struct key_info {
174 unsigned char keyid[MAXKEYLEN];
178 Encryptions *(*getcrypt)(int);
180 { { 0 }, 0, DIR_ENCRYPT, &encrypt_mode, findencryption },
181 { { 0 }, 0, DIR_DECRYPT, &decrypt_mode, finddecryption },
184 static void encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len);
187 encrypt_init(const char *name, int server)
189 Encryptions *ep = encryptions;
193 i_support_encrypt = i_support_decrypt = 0;
194 remote_supports_encrypt = remote_supports_decrypt = 0;
203 if (encrypt_debug_mode)
204 printf(">>>%s: I will support %s\r\n",
205 Name, ENCTYPE_NAME(ep->type));
206 i_support_encrypt |= typemask(ep->type);
207 i_support_decrypt |= typemask(ep->type);
208 if ((i_wont_support_decrypt & typemask(ep->type)) == 0)
209 if ((str_send[str_suplen++] = ep->type) == IAC)
210 str_send[str_suplen++] = IAC;
215 str_send[str_suplen++] = IAC;
216 str_send[str_suplen++] = SE;
220 encrypt_list_types(void)
222 Encryptions *ep = encryptions;
224 printf("Valid encryption types:\n");
226 printf("\t%s (%d)\r\n", ENCTYPE_NAME(ep->type), ep->type);
232 EncryptEnable(char *type, char *mode)
234 if (isprefix(type, "help") || isprefix(type, "?")) {
235 printf("Usage: encrypt enable <type> [input|output]\n");
236 encrypt_list_types();
239 if (EncryptType(type, mode))
240 return(EncryptStart(mode));
245 EncryptDisable(char *type, char *mode)
250 if (isprefix(type, "help") || isprefix(type, "?")) {
251 printf("Usage: encrypt disable <type> [input|output]\n");
252 encrypt_list_types();
253 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
254 sizeof(Encryptions))) == 0) {
255 printf("%s: invalid encryption type\n", type);
256 } else if (Ambiguous((char **)ep)) {
257 printf("Ambiguous type '%s'\n", type);
259 if ((mode == 0) || (isprefix(mode, "input") ? 1 : 0)) {
260 if (decrypt_mode == ep->type)
262 i_wont_support_decrypt |= typemask(ep->type);
265 if ((mode == 0) || (isprefix(mode, "output"))) {
266 if (encrypt_mode == ep->type)
268 i_wont_support_encrypt |= typemask(ep->type);
272 printf("%s: invalid encryption mode\n", mode);
278 EncryptType(char *type, char *mode)
283 if (isprefix(type, "help") || isprefix(type, "?")) {
284 printf("Usage: encrypt type <type> [input|output]\n");
285 encrypt_list_types();
286 } else if ((ep = (Encryptions *)genget(type, (char **)encryptions,
287 sizeof(Encryptions))) == 0) {
288 printf("%s: invalid encryption type\n", type);
289 } else if (Ambiguous((char **)ep)) {
290 printf("Ambiguous type '%s'\n", type);
292 if ((mode == 0) || isprefix(mode, "input")) {
293 decrypt_mode = ep->type;
294 i_wont_support_decrypt &= ~typemask(ep->type);
297 if ((mode == 0) || isprefix(mode, "output")) {
298 encrypt_mode = ep->type;
299 i_wont_support_encrypt &= ~typemask(ep->type);
303 printf("%s: invalid encryption mode\n", mode);
309 EncryptStart(char *mode)
313 if (isprefix(mode, "input"))
314 return(EncryptStartInput());
315 if (isprefix(mode, "output"))
316 return(EncryptStartOutput());
317 if (isprefix(mode, "help") || isprefix(mode, "?")) {
318 printf("Usage: encrypt start [input|output]\n");
321 printf("%s: invalid encryption mode 'encrypt start ?' for help\n", mode);
324 ret += EncryptStartInput();
325 ret += EncryptStartOutput();
330 EncryptStartInput(void)
333 encrypt_send_request_start();
336 printf("No previous decryption mode, decryption not enabled\r\n");
341 EncryptStartOutput(void)
344 encrypt_start_output(encrypt_mode);
347 printf("No previous encryption mode, encryption not enabled\r\n");
352 EncryptStop(char *mode)
356 if (isprefix(mode, "input"))
357 return(EncryptStopInput());
358 if (isprefix(mode, "output"))
359 return(EncryptStopOutput());
360 if (isprefix(mode, "help") || isprefix(mode, "?")) {
361 printf("Usage: encrypt stop [input|output]\n");
364 printf("%s: invalid encryption mode 'encrypt stop ?' for help\n", mode);
367 ret += EncryptStopInput();
368 ret += EncryptStopOutput();
373 EncryptStopInput(void)
375 encrypt_send_request_end();
380 EncryptStopOutput(void)
387 encrypt_display(void)
390 printf("Currently encrypting output with %s\r\n",
391 ENCTYPE_NAME(encrypt_mode));
393 printf("Currently decrypting input with %s\r\n",
394 ENCTYPE_NAME(decrypt_mode));
401 printf("Currently encrypting output with %s\r\n",
402 ENCTYPE_NAME(encrypt_mode));
403 else if (encrypt_mode) {
404 printf("Currently output is clear text.\r\n");
405 printf("Last encryption mode was %s\r\n",
406 ENCTYPE_NAME(encrypt_mode));
409 printf("Currently decrypting input with %s\r\n",
410 ENCTYPE_NAME(decrypt_mode));
411 } else if (decrypt_mode) {
412 printf("Currently input is clear text.\r\n");
413 printf("Last decryption mode was %s\r\n",
414 ENCTYPE_NAME(decrypt_mode));
420 encrypt_send_support(void)
424 * If the user has requested that decryption start
425 * immediatly, then send a "REQUEST START" before
426 * we negotiate the type.
428 if (!Server && autodecrypt)
429 encrypt_send_request_start();
430 net_write(str_send, str_suplen);
431 printsub('>', &str_send[2], str_suplen - 2);
440 encrypt_debug_mode ^= 1;
442 encrypt_debug_mode = on;
443 printf("Encryption debugging %s\r\n",
444 encrypt_debug_mode ? "enabled" : "disabled");
449 EncryptVerbose(int on)
452 encrypt_verbose ^= 1;
454 encrypt_verbose = on;
455 printf("Encryption %s verbose\r\n",
456 encrypt_verbose ? "is" : "is not");
461 EncryptAutoEnc(int on)
464 printf("Automatic encryption of output is %s\r\n",
465 autoencrypt ? "enabled" : "disabled");
470 EncryptAutoDec(int on)
473 printf("Automatic decryption of input is %s\r\n",
474 autodecrypt ? "enabled" : "disabled");
479 * Called when ENCRYPT SUPPORT is received.
482 encrypt_support(unsigned char *typelist, int cnt)
484 int type, use_type = 0;
488 * Forget anything the other side has previously told us.
490 remote_supports_decrypt = 0;
494 if (encrypt_debug_mode)
495 printf(">>>%s: He is supporting %s (%d)\r\n",
497 ENCTYPE_NAME(type), type);
498 if ((type < ENCTYPE_CNT) &&
499 (I_SUPPORT_ENCRYPT & typemask(type))) {
500 remote_supports_decrypt |= typemask(type);
506 ep = findencryption(use_type);
509 type = ep->start ? (*ep->start)(DIR_ENCRYPT, Server) : 0;
510 if (encrypt_debug_mode)
511 printf(">>>%s: (*ep->start)() returned %d\r\n",
515 encrypt_mode = use_type;
517 encrypt_start_output(use_type);
522 encrypt_is(unsigned char *data, int cnt)
530 if (type < ENCTYPE_CNT)
531 remote_supports_encrypt |= typemask(type);
532 if (!(ep = finddecryption(type))) {
533 if (encrypt_debug_mode)
534 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
536 ENCTYPE_NAME_OK(type)
537 ? ENCTYPE_NAME(type) : "(unknown)",
542 if (encrypt_debug_mode)
543 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
545 ENCTYPE_NAME_OK(type)
546 ? ENCTYPE_NAME(type) : "(unknown)",
550 ret = (*ep->is)(data, cnt);
551 if (encrypt_debug_mode)
552 printf("(*ep->is)(%p, %d) returned %s(%d)\n", data, cnt,
553 (ret < 0) ? "FAIL " :
554 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
560 if (ret == 0 && autodecrypt)
561 encrypt_send_request_start();
566 encrypt_reply(unsigned char *data, int cnt)
574 if (!(ep = findencryption(type))) {
575 if (encrypt_debug_mode)
576 printf(">>>%s: Can't find type %s (%d) for initial negotiation\r\n",
578 ENCTYPE_NAME_OK(type)
579 ? ENCTYPE_NAME(type) : "(unknown)",
584 if (encrypt_debug_mode)
585 printf(">>>%s: No initial negotiation needed for type %s (%d)\r\n",
587 ENCTYPE_NAME_OK(type)
588 ? ENCTYPE_NAME(type) : "(unknown)",
592 ret = (*ep->reply)(data, cnt);
593 if (encrypt_debug_mode)
594 printf("(*ep->reply)(%p, %d) returned %s(%d)\n",
596 (ret < 0) ? "FAIL " :
597 (ret == 0) ? "SUCCESS " : "MORE_TO_DO ", ret);
599 if (encrypt_debug_mode)
600 printf(">>>%s: encrypt_reply returned %d\n", Name, ret);
605 if (ret == 0 && autoencrypt)
606 encrypt_start_output(type);
611 * Called when a ENCRYPT START command is received.
614 encrypt_start(unsigned char *data __unused, int cnt __unused)
620 * Something is wrong. We should not get a START
621 * command without having already picked our
622 * decryption scheme. Send a REQUEST-END to
623 * attempt to clear the channel...
625 printf("%s: Warning, Cannot decrypt input stream!!!\r\n", Name);
626 encrypt_send_request_end();
630 if ((ep = finddecryption(decrypt_mode))) {
631 decrypt_input = ep->input;
633 printf("[ Input is now decrypted with type %s ]\r\n",
634 ENCTYPE_NAME(decrypt_mode));
635 if (encrypt_debug_mode)
636 printf(">>>%s: Start to decrypt input with type %s\r\n",
637 Name, ENCTYPE_NAME(decrypt_mode));
639 printf("%s: Warning, Cannot decrypt type %s (%d)!!!\r\n",
641 ENCTYPE_NAME_OK(decrypt_mode)
642 ? ENCTYPE_NAME(decrypt_mode)
645 encrypt_send_request_end();
650 encrypt_session_key( Session_Key *key, int server)
652 Encryptions *ep = encryptions;
658 (*ep->session)(key, server);
664 * Called when ENCRYPT END is received.
670 if (encrypt_debug_mode)
671 printf(">>>%s: Input is back to clear text\r\n", Name);
673 printf("[ Input is now clear text ]\r\n");
677 * Called when ENCRYPT REQUEST-END is received.
680 encrypt_request_end(void)
686 * Called when ENCRYPT REQUEST-START is received. If we receive
687 * this before a type is picked, then that indicates that the
688 * other side wants us to start encrypting data as soon as we
692 encrypt_request_start(unsigned char *data __unused, int cnt __unused)
694 if (encrypt_mode == 0) {
699 encrypt_start_output(encrypt_mode);
702 static unsigned char str_keyid[(MAXKEYLEN*2)+5] = { IAC, SB, TELOPT_ENCRYPT };
705 encrypt_enc_keyid(unsigned char *keyid, int len)
707 encrypt_keyid(&ki[1], keyid, len);
711 encrypt_dec_keyid(unsigned char *keyid, int len)
713 encrypt_keyid(&ki[0], keyid, len);
717 encrypt_keyid(struct key_info *kp, unsigned char *keyid, int len)
723 if (!(ep = (*kp->getcrypt)(*kp->modep))) {
727 } else if (len == 0) {
729 * Empty option, indicates a failure.
735 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
737 } else if ((len != kp->keylen) ||
738 (memcmp(keyid, kp->keyid, len) != 0)) {
740 * Length or contents are different
743 memmove(kp->keyid, keyid, len);
745 (void)(*ep->keyid)(dir, kp->keyid, &kp->keylen);
748 ret = (*ep->keyid)(dir, kp->keyid, &kp->keylen);
749 if ((ret == 0) && (dir == DIR_ENCRYPT) && autoencrypt)
750 encrypt_start_output(*kp->modep);
754 encrypt_send_keyid(dir, kp->keyid, kp->keylen, 0);
758 encrypt_send_keyid(int dir, const char *keyid, int keylen, int saveit)
762 str_keyid[3] = (dir == DIR_ENCRYPT)
763 ? ENCRYPT_ENC_KEYID : ENCRYPT_DEC_KEYID;
765 struct key_info *kp = &ki[(dir == DIR_ENCRYPT) ? 0 : 1];
766 memmove(kp->keyid, keyid, keylen);
770 for (strp = &str_keyid[4]; keylen > 0; --keylen) {
771 if ((*strp++ = *keyid++) == IAC)
776 net_write(str_keyid, strp - str_keyid);
777 printsub('>', &str_keyid[2], strp - str_keyid - 2);
786 autoencrypt = on ? 1 : 0;
795 autodecrypt = on ? 1 : 0;
799 encrypt_start_output(int type)
805 if (!(ep = findencryption(type))) {
806 if (encrypt_debug_mode) {
807 printf(">>>%s: Can't encrypt with type %s (%d)\r\n",
809 ENCTYPE_NAME_OK(type)
810 ? ENCTYPE_NAME(type) : "(unknown)",
816 i = (*ep->start)(DIR_ENCRYPT, Server);
817 if (encrypt_debug_mode) {
818 printf(">>>%s: Encrypt start: %s (%d) %s\r\n",
821 "initial negotiation in progress",
822 i, ENCTYPE_NAME(type));
828 *p++ = ENCRYPT_START;
829 for (i = 0; i < ki[0].keylen; ++i) {
830 if ((*p++ = ki[0].keyid[i]) == IAC)
835 net_write(str_start, p - str_start);
837 printsub('>', &str_start[2], p - &str_start[2]);
839 * If we are already encrypting in some mode, then
840 * encrypt the ring (which includes our request) in
841 * the old mode, mark it all as "clear text" and then
842 * switch to the new mode.
844 encrypt_output = ep->output;
846 if (encrypt_debug_mode)
847 printf(">>>%s: Started to encrypt output with type %s\r\n",
848 Name, ENCTYPE_NAME(type));
850 printf("[ Output is now encrypted with type %s ]\r\n",
855 encrypt_send_end(void)
860 str_end[3] = ENCRYPT_END;
861 net_write(str_end, sizeof(str_end));
863 printsub('>', &str_end[2], sizeof(str_end) - 2);
865 * Encrypt the output buffer now because it will not be done by
869 if (encrypt_debug_mode)
870 printf(">>>%s: Output is back to clear text\r\n", Name);
872 printf("[ Output is now clear text ]\r\n");
876 encrypt_send_request_start(void)
882 *p++ = ENCRYPT_REQSTART;
883 for (i = 0; i < ki[1].keylen; ++i) {
884 if ((*p++ = ki[1].keyid[i]) == IAC)
889 net_write(str_start, p - str_start);
890 printsub('>', &str_start[2], p - &str_start[2]);
891 if (encrypt_debug_mode)
892 printf(">>>%s: Request input to be encrypted\r\n", Name);
896 encrypt_send_request_end(void)
898 str_end[3] = ENCRYPT_REQEND;
899 net_write(str_end, sizeof(str_end));
900 printsub('>', &str_end[2], sizeof(str_end) - 2);
902 if (encrypt_debug_mode)
903 printf(">>>%s: Request input to be clear text\r\n", Name);
909 if (encrypt_debug_mode)
910 printf(">>>%s: in encrypt_wait\r\n", Name);
911 if (!havesessionkey || !(I_SUPPORT_ENCRYPT & remote_supports_decrypt))
913 while (autoencrypt && !encrypt_output)
919 encrypt_gen_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
925 buf[buflen-1] = '\0';
928 for (; cnt > 0; cnt--, data++) {
929 sprintf(tbuf, " %d", *data);
930 for (cp = tbuf; *cp && buflen > 0; --buflen)
939 encrypt_printsub(unsigned char *data, int cnt, unsigned char *buf, int buflen)
944 for (ep = encryptions; ep->type && ep->type != type; ep++)
948 (*ep->printsub)(data, cnt, buf, buflen);
950 encrypt_gen_printsub(data, cnt, buf, buflen);
952 #endif /* ENCRYPTION */
projects / dragonfly.git / blob