authorArtur Grabowski <art@cvs.openbsd.org>1998-03-12 04:53:18 +0000
committerArtur Grabowski <art@cvs.openbsd.org>1998-03-12 04:53:18 +0000
commitdc9f07b18d9385c5d9662784d3fd1ac69b5c271a (patch)
treec1a687e05ab1c56496f46f29fd581cbde28b7411
parentc92f682d7d5ceca500a5fcdd24089ff4cd403652 (diff)
Encryption from kth-krb 0.9.8 (only for those with kerberos)
-rw-r--r--libexec/telnetd/Makefile16
-rw-r--r--libexec/telnetd/authenc.c15
-rw-r--r--libexec/telnetd/defs.h77
-rw-r--r--libexec/telnetd/ext.h10
-rw-r--r--libexec/telnetd/global.c22
-rw-r--r--libexec/telnetd/state.c100
-rw-r--r--libexec/telnetd/sys_term.c14
-rw-r--r--libexec/telnetd/telnetd.c29
-rw-r--r--libexec/telnetd/utility.c121
9 files changed, 288 insertions, 116 deletions
diff --git a/libexec/telnetd/Makefile b/libexec/telnetd/Makefile
index 5d04c5c1193..1571d928ba6 100644
--- a/libexec/telnetd/Makefile
+++ b/libexec/telnetd/Makefile
@@ -1,8 +1,9 @@
-# $OpenBSD: Makefile,v 1.3 1997/03/26 00:34:38 deraadt Exp $
+# $OpenBSD: Makefile,v 1.4 1998/03/12 04:53:06 art Exp $
# from: @(#)Makefile 8.2 (Berkeley) 12/15/93
# $NetBSD: Makefile,v 1.6 1996/02/24 01:22:12 jtk Exp $
PROG= telnetd
+
CFLAGS+=-DLINEMODE -DKLUDGELINEMODE -DUSE_TERMIO -DDIAGNOSTICS
CFLAGS+=-DOLD_ENVIRON -DENV_HACK -I${.CURDIR}
SRCS= authenc.c global.c slc.c state.c sys_term.c telnetd.c \
@@ -11,13 +12,12 @@ DPADD= ${LIBUTIL} ${LIBTERM} ${LIBTELNET}
LDADD+= -lutil -ltermcap -ltelnet
MAN= telnetd.8
+.include <bsd.own.mk> # for KERBEROS
-# These are the sources that have encryption stuff in them.
-CRYPT_SRC= authenc.c ext.h state.c telnetd.c termstat.c
-CRYPT_SRC+= utility.c Makefile
-NOCRYPT_DIR=${.CURDIR}/Nocrypt
+.if (${KERBEROS} == "yes")
+CFLAGS+=-DENCRYPTION -DAUTHENTICATION -DKRB4 -I${.CURDIR}/../../lib
+LDADD+= -lkrb -ldes
+DPADD+= ${LIBDES} ${LIBKRB}
+.endif
.include <bsd.prog.mk>
-
-nocrypt:
- @echo "Encryption code already removed."
diff --git a/libexec/telnetd/authenc.c b/libexec/telnetd/authenc.c
index 4cea82cc7fe..f8e0b2d9ef2 100644
--- a/libexec/telnetd/authenc.c
+++ b/libexec/telnetd/authenc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authenc.c,v 1.2 1996/03/28 23:21:54 niklas Exp $ */
+/* $OpenBSD: authenc.c,v 1.3 1998/03/12 04:53:07 art Exp $ */
/* $NetBSD: authenc.c,v 1.3 1996/02/28 20:38:08 thorpej Exp $ */
/*-
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)authenc.c 8.2 (Berkeley) 5/30/95";
static char rcsid[] = "$NetBSD: authenc.c,v 1.3 1996/02/28 20:38:08 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: authenc.c,v 1.2 1996/03/28 23:21:54 niklas Exp $";
+static char rcsid[] = "$OpenBSD: authenc.c,v 1.3 1998/03/12 04:53:07 art Exp $";
#endif
#endif /* not lint */
@@ -63,6 +63,13 @@ net_write(str, len)
void
net_encrypt()
{
+#ifdef ENCRYPTION
+ char *s = (nclearto > nbackp) ? nclearto : nbackp;
+ if (s < nfrontp && encrypt_output) {
+ (*encrypt_output)((unsigned char *)s, nfrontp - s);
+ }
+ nclearto = nfrontp;
+#endif
}
int
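Review bot: In net_encrypt, `nclearto > nbackp` is evaluated while `nclearto` may be the null pointer (this commit sets `nclearto = 0` in main and again in netflush), and ordering a null pointer against a pointer into netobuf is not defined by ISO C even though it behaves as expected on flat-address machines. Writing the test as `char *s = (nclearto && nclearto > nbackp) ? nclearto : nbackp;` keeps the same result without the undefined comparison. The two netclear hunks in utility.c have the same pattern (`nclearto > netobuf`) and could use `nclearto ? nclearto : netobuf`, matching the `nclearto ? nclearto : nbackp` form the netflush hunk already uses. It would also help to add a comment saying why `nclearto = nfrontp;` runs even when `encrypt_output` is unset.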
@@ -76,7 +83,7 @@ telnet_spin()
telnet_getenv(val)
char *val;
{
- extern char *getenv();
+ extern char *getenv(const char *);
return(getenv(val));
}
@@ -87,6 +94,6 @@ telnet_gets(prompt, result, length, echo)
int length;
int echo;
{
- return((char *)0);
+ return NULL;
}
#endif /* defined(AUTHENTICATION) */
diff --git a/libexec/telnetd/defs.h b/libexec/telnetd/defs.h
index a6a47ff10fa..12f450eadfc 100644
--- a/libexec/telnetd/defs.h
+++ b/libexec/telnetd/defs.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: defs.h,v 1.2 1996/03/28 23:21:55 niklas Exp $ */
+/* $OpenBSD: defs.h,v 1.3 1998/03/12 04:53:09 art Exp $ */
/* $NetBSD: defs.h,v 1.6 1996/02/28 20:38:10 thorpej Exp $ */
/*
@@ -46,55 +46,26 @@
# define BSD 43
#endif
-#if defined(CRAY) && !defined(LINEMODE)
-# define SYSV_TERMIO
-# define LINEMODE
-# define KLUDGELINEMODE
-# define DIAGNOSTICS
-# if defined(UNICOS50) && !defined(UNICOS5)
-# define UNICOS5
-# endif
-# if !defined(UNICOS5)
-# define BFTPDAEMON
-# define HAS_IP_TOS
-# endif
-#endif /* CRAY */
-#if defined(UNICOS5) && !defined(NO_SETSID)
-# define NO_SETSID
-#endif
-
#if defined(PRINTOPTIONS) && defined(DIAGNOSTICS)
#define TELOPTS
#define TELCMDS
#define SLC_NAMES
#endif
-#if defined(SYSV_TERMIO) && !defined(USE_TERMIO)
-# define USE_TERMIO
-#endif
-
#include <sys/socket.h>
-#ifndef CRAY
#include <sys/wait.h>
-#endif /* CRAY */
#include <fcntl.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <sys/time.h>
-#ifndef FILIO_H
#include <sys/ioctl.h>
-#else
-#include <sys/filio.h>
-#endif
#include <netinet/in.h>
#include <arpa/telnet.h>
#include <stdio.h>
-#ifdef __STDC__
#include <stdlib.h>
-#endif
#include <signal.h>
#include <errno.h>
#include <netdb.h>
@@ -106,11 +77,7 @@
#define LOG_ODELAY 0
#endif
#include <ctype.h>
-#ifndef NO_STRING_H
#include <string.h>
-#else
-#include <strings.h>
-#endif
#ifndef USE_TERMIO
#include <sgtty.h>
@@ -124,50 +91,24 @@
#if !defined(USE_TERMIO) || defined(NO_CC_T)
typedef unsigned char cc_t;
#endif
-
-#ifdef __STDC__
#include <unistd.h>
-#endif
-#ifndef _POSIX_VDISABLE
-# ifdef VDISABLE
-# define _POSIX_VDISABLE VDISABLE
-# else
-# define _POSIX_VDISABLE ((unsigned char)'\377')
-# endif
+#if !defined(TIOCSCTTY) && defined(TCSETCTTY)
+# define TIOCSCTTY TCSETCTTY
#endif
-
-#ifdef CRAY
-# ifdef CRAY1
-# include <sys/pty.h>
-# ifndef FD_ZERO
-# include <sys/select.h>
-# endif /* FD_ZERO */
-# endif /* CRAY1 */
-
-#include <memory.h>
-#endif /* CRAY */
-
-#ifdef __hpux
-#include <sys/ptyio.h>
+#ifndef TIOCPKT_FLUSHWRITE
+#define TIOCPKT_FLUSHWRITE 0x02
#endif
-#if !defined(TIOCSCTTY) && defined(TCSETCTTY)
-# define TIOCSCTTY TCSETCTTY
+#ifndef TIOCPKT_NOSTOP
+#define TIOCPKT_NOSTOP 0x10
#endif
-#ifndef FD_SET
-#ifndef HAVE_fd_set
-typedef struct fd_set { int fds_bits[1]; } fd_set;
+#ifndef TIOCPKT_DOSTOP
+#define TIOCPKT_DOSTOP 0x20
#endif
-#define FD_SET(n, p) ((p)->fds_bits[0] |= (1<<(n)))
-#define FD_CLR(n, p) ((p)->fds_bits[0] &= ~(1<<(n)))
-#define FD_ISSET(n, p) ((p)->fds_bits[0] & (1<<(n)))
-#define FD_ZERO(p) ((p)->fds_bits[0] = 0)
-#endif /* FD_SET */
-
/*
* I/O data buffers defines
*/
diff --git a/libexec/telnetd/ext.h b/libexec/telnetd/ext.h
index 4b352bb71ab..b059393c6a0 100644
--- a/libexec/telnetd/ext.h
+++ b/libexec/telnetd/ext.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ext.h,v 1.3 1997/07/14 01:40:38 millert Exp $ */
+/* $OpenBSD: ext.h,v 1.4 1998/03/12 04:53:10 art Exp $ */
/* $NetBSD: ext.h,v 1.6 1996/02/28 20:38:13 thorpej Exp $ */
/*
@@ -123,7 +123,7 @@ extern void
#ifdef DIAGNOSTICS
printoption P((char *, int)),
printdata P((char *, char *, int)),
- printsub P((int, unsigned char *, int)),
+ printsub P((char, unsigned char *, int)),
#endif
ptyflush P((void)),
putchr P((int)),
@@ -190,7 +190,11 @@ extern void
wontoption P((int)),
writenet P((unsigned char *, int));
-
+#ifdef ENCRYPTION
+extern void (*encrypt_output) (unsigned char *, int);
+extern int (*decrypt_input) (int);
+extern char *nclearto;
+#endif
/*
* The following are some clocks used to decide how to interpret
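Review bot: The three new globals are declared without any comment on their contract, although the rest of the commit depends on conventions that are not obvious from the names. Both function pointers are tested for NULL before every call, `decrypt_input` is also called with `-1` in telrcv, and `nclearto` is compared against and reset to 0 in several files. Suggested comments: `/* encrypts len bytes of netobuf in place; NULL while output is sent clear */`, `/* decrypts one input byte; NULL while input is clear; -1 is a special request (see telrcv) */` and `/* output before this point needs no further encryption; 0 when unset */`. These declarations are also the only ones in the header that bypass the `P((...))` macro used around them.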
diff --git a/libexec/telnetd/global.c b/libexec/telnetd/global.c
index 9250a129cc7..11b2cd5ed0f 100644
--- a/libexec/telnetd/global.c
+++ b/libexec/telnetd/global.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: global.c,v 1.2 1996/03/28 23:21:57 niklas Exp $ */
+/* $OpenBSD: global.c,v 1.3 1998/03/12 04:53:11 art Exp $ */
/* $NetBSD: global.c,v 1.6 1996/02/28 20:38:14 thorpej Exp $ */
/*
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)global.c 8.1 (Berkeley) 6/4/93";
static char rcsid[] = "$NetBSD: global.c,v 1.6 1996/02/28 20:38:14 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: global.c,v 1.2 1996/03/28 23:21:57 niklas Exp $";
+static char rcsid[] = "$OpenBSD: global.c,v 1.3 1998/03/12 04:53:11 art Exp $";
#endif
#endif /* not lint */
@@ -51,6 +51,24 @@ static char rcsid[] = "$OpenBSD: global.c,v 1.2 1996/03/28 23:21:57 niklas Exp $
* we will actually allocate the space.
*/
+#include <stdarg.h>
#include <defs.h>
#define extern
#include <ext.h>
+
+int
+output_data (const char *format, ...)
+{
+ va_list args;
+ size_t remaining, ret;
+
+ va_start(args, format);
+ remaining = BUFSIZ - (nfrontp - netobuf);
+ ret = vsnprintf (nfrontp,
+ remaining,
+ format,
+ args);
+ nfrontp += ret;
+ va_end(args);
+ return ret;
+}
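Review bot: `nfrontp += ret` can move the output pointer past the space that was just offered to vsnprintf, because on truncation vsnprintf returns the length it would have written rather than the length stored. `ret` is also a `size_t`, so a negative (error) return turns into a very large advance, and `remaining` wraps if `nfrontp` is already `BUFSIZ` or more past `netobuf`. The printsub hunk in utility.c calls output_data once per byte of a peer-supplied suboption, so the total written is not bounded by the caller. Clamping the advance to what was actually stored keeps `nfrontp` inside the buffer; whether to flush and retry instead is a design choice for the callers.

```c
int
output_data (const char *format, ...)
{
	va_list args;
	size_t used = nfrontp - netobuf;
	size_t remaining;
	int ret;

	if (used >= BUFSIZ)
		return 0;		/* no room left: append nothing */
	remaining = BUFSIZ - used;
	va_start(args, format);
	ret = vsnprintf(nfrontp, remaining, format, args);
	va_end(args);
	if (ret < 0)
		return 0;		/* formatting failed: nothing appended */
	if ((size_t)ret >= remaining)	/* truncated: count only what was stored */
		ret = (int)(remaining - 1);
	nfrontp += ret;
	return ret;
}
```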
diff --git a/libexec/telnetd/state.c b/libexec/telnetd/state.c
index c74ae4635e2..8cea155050a 100644
--- a/libexec/telnetd/state.c
+++ b/libexec/telnetd/state.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: state.c,v 1.5 1996/08/24 09:03:42 deraadt Exp $ */
+/* $OpenBSD: state.c,v 1.6 1998/03/12 04:53:12 art Exp $ */
/* $NetBSD: state.c,v 1.9 1996/02/28 20:38:19 thorpej Exp $ */
/*
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)state.c 8.5 (Berkeley) 5/30/95";
static char rcsid[] = "$NetBSD: state.c,v 1.9 1996/02/28 20:38:19 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: state.c,v 1.5 1996/08/24 09:03:42 deraadt Exp $";
+static char rcsid[] = "$OpenBSD: state.c,v 1.6 1998/03/12 04:53:12 art Exp $";
#endif
#endif /* not lint */
@@ -94,14 +94,15 @@ telrcv()
{
register int c;
static int state = TS_DATA;
-#if defined(CRAY2) && defined(UNICOS5)
- char *opfrontp = pfrontp;
-#endif
while (ncc > 0) {
if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
break;
c = *netip++ & 0377, ncc--;
+#ifdef ENCRYPTION
+ if (decrypt_input)
+ c = (*decrypt_input)(c);
+#endif
switch (state) {
case TS_CR:
@@ -141,7 +142,15 @@ telrcv()
c = '\n';
} else
#endif
+#ifdef ENCRYPTION
+ if (decrypt_input)
+ nc = (*decrypt_input)(nc & 0xff);
+#endif
{
+#ifdef ENCRYPTION
+ if (decrypt_input)
+ (void)(*decrypt_input)(-1);
+#endif
state = TS_CR;
}
}
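Review bot: The added `if (decrypt_input) nc = (*decrypt_input)(nc & 0xff);` sits directly after `} else` / `#endif`, so with ENCRYPTION defined it becomes the body of that `else`. The braced block that sets `state = TS_CR` then runs unconditionally, including after the branch that already consumed the byte and set `c = '\n'`. The look-ahead byte `nc` is also decrypted only after the preceding condition has presumably tested it. Moving the three ENCRYPTION lines up to where `nc` is first read (above this hunk) would let `else` govern the `{ ... state = TS_CR; }` block again. The Makefile in this commit defines both `-DLINEMODE` and `-DENCRYPTION`, so the combined case is the one that gets built with Kerberos. telrcv starts and ends outside the hunk.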
@@ -356,21 +365,6 @@ gotiac: switch (c) {
exit(1);
}
}
-#if defined(CRAY2) && defined(UNICOS5)
- if (!linemode) {
- char xptyobuf[BUFSIZ+NETSLOP];
- char xbuf2[BUFSIZ];
- register char *cp;
- int n = pfrontp - opfrontp, oc;
- memmove(xptyobuf, opfrontp, n);
- pfrontp = opfrontp;
- pfrontp += term_input(xptyobuf, pfrontp, n, BUFSIZ+NETSLOP,
- xbuf2, &oc, BUFSIZ);
- for (cp = xbuf2; oc > 0; --oc)
- if ((*nfrontp++ = *cp++) == IAC)
- *nfrontp++ = IAC;
- }
-#endif /* defined(CRAY2) && defined(UNICOS5) */
} /* end of telrcv */
/*
@@ -455,11 +449,15 @@ send_do(option, init)
}
#ifdef AUTHENTICATION
-extern void auth_request();
+extern void auth_request(void);
#endif
#ifdef LINEMODE
extern void doclientstat();
#endif
+#ifdef ENCRYPTION
+extern void encrypt_send_support();
+#endif
+
void
willoption(option)
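Review bot: The new `extern void encrypt_send_support();` is declared without a parameter list, while the same hunk tightens `auth_request` to `(void)`. If the library function takes no arguments, `extern void encrypt_send_support(void);` gives the compiler something to check. Either way, the declaration would be better taken from the encryption header than repeated locally.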
@@ -573,6 +571,12 @@ willoption(option)
break;
#endif
+#ifdef ENCRYPTION
+ case TELOPT_ENCRYPT:
+ func = encrypt_send_support;
+ changeok++;
+ break;
+#endif
default:
break;
@@ -632,6 +636,12 @@ willoption(option)
break;
#endif
+#ifdef ENCRYPTION
+ case TELOPT_ENCRYPT:
+ func = encrypt_send_support;
+ break;
+#endif
+
case TELOPT_LFLOW:
func = flowstat;
break;
@@ -920,6 +930,11 @@ dooption(option)
cleanup(0);
/* NOT REACHED */
break;
+#ifdef ENCRYPTION
+ case TELOPT_ENCRYPT:
+ changeok++;
+ break;
+#endif
case TELOPT_LINEMODE:
case TELOPT_TTYPE:
@@ -1485,6 +1500,49 @@ suboption()
}
break;
#endif
+#ifdef ENCRYPTION
+ case TELOPT_ENCRYPT:
+ if (SB_EOF())
+ break;
+ switch(SB_GET()) {
+ case ENCRYPT_SUPPORT:
+ encrypt_support(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_IS:
+ encrypt_is(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_REPLY:
+ encrypt_reply(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_START:
+ encrypt_start(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_END:
+ encrypt_end();
+ break;
+ case ENCRYPT_REQSTART:
+ encrypt_request_start(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_REQEND:
+ /*
+ * We can always send an REQEND so that we cannot
+ * get stuck encrypting. We should only get this
+ * if we have been able to get in the correct mode
+ * anyhow.
+ */
+ encrypt_request_end();
+ break;
+ case ENCRYPT_ENC_KEYID:
+ encrypt_enc_keyid(subpointer, SB_LEN());
+ break;
+ case ENCRYPT_DEC_KEYID:
+ encrypt_dec_keyid(subpointer, SB_LEN());
+ break;
+ default:
+ break;
+ }
+ break;
+#endif
default:
break;
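Review bot: Every ENCRYPT subcommand passes the peer-supplied `subpointer` and `SB_LEN()` straight to an `encrypt_*` handler, and this dispatch runs during option negotiation, before login. Nothing in the hunk checks that TELOPT_ENCRYPT was actually agreed in either direction, so all length validation rests on the library handlers, which this diff does not show. Consider a guard at the top of the case, `if (his_state_is_wont(TELOPT_ENCRYPT) && my_state_is_wont(TELOPT_ENCRYPT)) break;`. A comment should also state that each handler must bounds-check the length it is given. suboption() starts and ends outside the hunk.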
diff --git a/libexec/telnetd/sys_term.c b/libexec/telnetd/sys_term.c
index 5e86141b09c..b4c07d09e4f 100644
--- a/libexec/telnetd/sys_term.c
+++ b/libexec/telnetd/sys_term.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sys_term.c,v 1.8 1997/07/23 20:36:35 kstailey Exp $ */
+/* $OpenBSD: sys_term.c,v 1.9 1998/03/12 04:53:14 art Exp $ */
/* $NetBSD: sys_term.c,v 1.9 1996/03/20 04:25:53 tls Exp $ */
/*
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)sys_term.c 8.4+1 (Berkeley) 5/30/95";
static char rcsid[] = "$NetBSD: sys_term.c,v 1.8 1996/02/28 20:38:21 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: sys_term.c,v 1.8 1997/07/23 20:36:35 kstailey Exp $";
+static char rcsid[] = "$OpenBSD: sys_term.c,v 1.9 1998/03/12 04:53:14 art Exp $";
#endif
#endif /* not lint */
@@ -1415,6 +1415,16 @@ startslave(host, autologin, autoname)
#endif
#ifndef NEWINIT
+ {
+ char *tbuf =
+ "\r\n*** Connection not encrypted! "
+ "Communication may be eavesdropped. ***\r\n";
+#ifdef ENCRYPTION
+ if (encrypt_output == 0 || decrypt_input == 0)
+#endif
+ writenet((unsigned char*)tbuf, strlen(tbuf));
+ }
+
# ifdef PARENT_DOES_UTMP
utmp_sig_init();
# endif /* PARENT_DOES_UTMP */
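Review bot: The "Connection not encrypted" warning is decided once, in startslave, from the values of `encrypt_output` and `decrypt_input` at that moment. The ENCRYPT_END and ENCRYPT_REQEND suboptions handled in state.c in this same commit can presumably turn encryption off later with no further notice to the user. A comment such as `/* one-shot advisory: reflects encryption state at login only, not re-issued if encryption stops later */` would keep readers from treating the banner as a session guarantee. The `if` that exists only under `#ifdef ENCRYPTION`, with its statement outside the conditional, is also easy to break on a later edit; bracing the `writenet` call would make the pairing explicit. startslave continues outside the hunk.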
diff --git a/libexec/telnetd/telnetd.c b/libexec/telnetd/telnetd.c
index ef7d3d38b2b..87dc2f14c80 100644
--- a/libexec/telnetd/telnetd.c
+++ b/libexec/telnetd/telnetd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: telnetd.c,v 1.7 1997/07/14 01:40:39 millert Exp $ */
+/* $OpenBSD: telnetd.c,v 1.8 1998/03/12 04:53:15 art Exp $ */
/* $NetBSD: telnetd.c,v 1.6 1996/03/20 04:25:57 tls Exp $ */
/*
@@ -45,7 +45,7 @@ static char copyright[] =
static char sccsid[] = "@(#)telnetd.c 8.4 (Berkeley) 5/30/95";
static char rcsid[] = "$NetBSD: telnetd.c,v 1.5 1996/02/28 20:38:23 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: telnetd.c,v 1.7 1997/07/14 01:40:39 millert Exp $";
+static char rcsid[] = "$OpenBSD: telnetd.c,v 1.8 1998/03/12 04:53:15 art Exp $";
#endif
#endif /* not lint */
@@ -189,11 +189,19 @@ main(argc, argv)
int tos = -1;
#endif
+#ifdef ENCRYPTION
+ extern int des_check_key;
+ des_check_key = 1; /* Kludge for Mac NCSA telnet 2.6 /bg */
+#endif
+
pfrontp = pbackp = ptyobuf;
netip = netibuf;
nfrontp = nbackp = netobuf;
progname = *argv;
+#ifdef ENCRYPTION
+ nclearto = 0;
+#endif
#ifdef CRAY
/*
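Review bot: `des_check_key = 1;` changes a global of the DES library for the whole process, but the comment names only the client it was added for, not what the flag does. A reader cannot tell from "Kludge for Mac NCSA telnet 2.6" whether this tightens or loosens key handling. Please expand the comment to state the effect (presumably it makes DES key setup validate keys; confirm against the library) and why that client needs it. The block-scope `extern int des_check_key;` would also be better taken from the DES header, so that a type change there is caught at compile time. main continues outside the hunk.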
@@ -212,7 +220,6 @@ main(argc, argv)
* Check for required authentication level
*/
if (strcmp(optarg, "debug") == 0) {
- extern int auth_debug_mode;
auth_debug_mode = 1;
} else if (strcasecmp(optarg, "none") == 0) {
auth_level = 0;
@@ -610,12 +617,19 @@ getterminaltype(name)
}
#endif
+#ifdef ENCRYPTION
+ send_will(TELOPT_ENCRYPT, 1);
+ send_do(TELOPT_ENCRYPT, 1); /* esc@magic.fi */
+#endif
send_do(TELOPT_TTYPE, 1);
send_do(TELOPT_TSPEED, 1);
send_do(TELOPT_XDISPLOC, 1);
send_do(TELOPT_NEW_ENVIRON, 1);
send_do(TELOPT_OLD_ENVIRON, 1);
while (
+#ifdef ENCRYPTION
+ his_do_dont_is_changing(TELOPT_ENCRYPT) ||
+#endif
his_will_wont_is_changing(TELOPT_TTYPE) ||
his_will_wont_is_changing(TELOPT_TSPEED) ||
his_will_wont_is_changing(TELOPT_XDISPLOC) ||
@@ -623,6 +637,15 @@ getterminaltype(name)
his_will_wont_is_changing(TELOPT_OLD_ENVIRON)) {
ttloop();
}
+#ifdef ENCRYPTION
+ /*
+ * Wait for the negotiation of what type of encryption we can
+ * send with. If autoencrypt is not set, this will just return.
+ */
+ if (his_state_is_will(TELOPT_ENCRYPT)) {
+ encrypt_wait();
+ }
+#endif
if (his_state_is_will(TELOPT_TSPEED)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
diff --git a/libexec/telnetd/utility.c b/libexec/telnetd/utility.c
index 1cd559966e6..85e01b9e1ff 100644
--- a/libexec/telnetd/utility.c
+++ b/libexec/telnetd/utility.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: utility.c,v 1.9 1998/02/16 04:57:55 jason Exp $ */
+/* $OpenBSD: utility.c,v 1.10 1998/03/12 04:53:17 art Exp $ */
/* $NetBSD: utility.c,v 1.9 1996/02/28 20:38:29 thorpej Exp $ */
/*
@@ -39,7 +39,7 @@
static char sccsid[] = "@(#)utility.c 8.4 (Berkeley) 5/30/95";
static char rcsid[] = "$NetBSD: utility.c,v 1.9 1996/02/28 20:38:29 thorpej Exp $";
#else
-static char rcsid[] = "$OpenBSD: utility.c,v 1.9 1998/02/16 04:57:55 jason Exp $";
+static char rcsid[] = "$OpenBSD: utility.c,v 1.10 1998/03/12 04:53:17 art Exp $";
#endif
#endif /* not lint */
@@ -202,8 +202,11 @@ netclear()
char *good;
#define wewant(p) ((nfrontp > p) && ((*p&0xff) == IAC) && \
((*(p+1)&0xff) != EC) && ((*(p+1)&0xff) != EL))
-
+#ifdef ENCRYPTION
+ thisitem = nclearto > netobuf ? nclearto : netobuf;
+#else
thisitem = netobuf;
+#endif
while ((next = nextitem(thisitem)) <= nbackp) {
thisitem = next;
@@ -211,7 +214,11 @@ netclear()
/* Now, thisitem is first before/at boundary. */
+#ifdef ENCRYPTION
+ good = nclearto > netobuf ? nclearto : netobuf;
+#else
good = netobuf; /* where the good bytes go */
+#endif
while (nfrontp > thisitem) {
if (wewant(thisitem)) {
@@ -252,6 +259,15 @@ netflush()
n += strlen(nfrontp); /* get count first */
nfrontp += strlen(nfrontp); /* then move pointer */
});
+#ifdef ENCRYPTION
+ if (encrypt_output) {
+ char *s = nclearto ? nclearto : nbackp;
+ if (nfrontp - s > 0) {
+ (*encrypt_output)((unsigned char *)s, nfrontp-s);
+ nclearto = nfrontp;
+ }
+ }
+#endif
/*
* if no urgent data, or if the other side appears to be an
* old 4.2 client (and thus unable to survive TCP urgent data),
@@ -282,11 +298,18 @@ netflush()
cleanup(0);
}
nbackp += n;
+#ifdef ENCRYPTION
+ if (nbackp > nclearto)
+ nclearto = 0;
+#endif
if (nbackp >= neturg) {
neturg = 0;
}
if (nbackp == nfrontp) {
nbackp = nfrontp = netobuf;
+#ifdef ENCRYPTION
+ nclearto = 0;
+#endif
}
return;
} /* end of netflush */
@@ -331,8 +354,19 @@ fatal(f, msg)
{
char buf[BUFSIZ];
- (void) sprintf(buf, "telnetd: %s.\r\n", msg);
- (void) write(f, buf, (int)strlen(buf));
+ snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg);
+#ifdef ENCRYPTION
+ if (encrypt_output) {
+ /*
+ * Better turn off encryption first....
+ * Hope it flushes...
+ */
+ encrypt_send_end();
+ netflush();
+ }
+#endif
+ write(f, buf, (int)strlen(buf));
+
sleep(1); /*XXX*/
exit(1);
}
@@ -1038,6 +1072,83 @@ printsub(direction, pointer, length)
break;
#endif
+#ifdef ENCRYPTION
+ case TELOPT_ENCRYPT:
+ output_data("ENCRYPT");
+ if (length < 2) {
+ output_data(" (empty suboption?)");
+ break;
+ }
+ switch (pointer[1]) {
+ case ENCRYPT_START:
+ output_data(" START");
+ break;
+
+ case ENCRYPT_END:
+ output_data(" END");
+ break;
+
+ case ENCRYPT_REQSTART:
+ output_data(" REQUEST-START");
+ break;
+
+ case ENCRYPT_REQEND:
+ output_data(" REQUEST-END");
+ break;
+
+ case ENCRYPT_IS:
+ case ENCRYPT_REPLY:
+ output_data(" %s ",
+ (pointer[1] == ENCRYPT_IS) ?
+ "IS" : "REPLY");
+ if (length < 3) {
+ output_data(" (partial suboption?)");
+ break;
+ }
+ if (ENCTYPE_NAME_OK(pointer[2]))
+ output_data("%s ",
+ ENCTYPE_NAME(pointer[2]));
+ else
+ output_data(" %d (unknown)",
+ pointer[2]);
+
+ encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
+ output_data("%s",
+ buf);
+ break;
+
+ case ENCRYPT_SUPPORT:
+ i = 2;
+ output_data(" SUPPORT ");
+ while (i < length) {
+ if (ENCTYPE_NAME_OK(pointer[i]))
+ output_data("%s ",
+ ENCTYPE_NAME(pointer[i]));
+ else
+ output_data("%d ",
+ pointer[i]);
+ i++;
+ }
+ break;
+
+ case ENCRYPT_ENC_KEYID:
+ output_data(" ENC_KEYID %d", pointer[1]);
+ goto encommon;
+
+ case ENCRYPT_DEC_KEYID:
+ output_data(" DEC_KEYID %d", pointer[1]);
+ goto encommon;
+
+ default:
+ output_data(" %d (unknown)", pointer[1]);
+ encommon:
+ for (i = 2; i < length; i++) {
+ output_data(" %d", pointer[i]);
+ }
+ break;
+ }
+ break;
+#endif /* ENCRYPTION */
default:
if (TELOPT_OK(pointer[0]))