path: root/net-fs/samba/files/patch.221a.10

diff -u -r -N source/Makefile.in source.patched/Makefile.in
--- source/Makefile.in	Sun Jul  8 13:29:34 2001
+++ source.patched/Makefile.in	Thu Aug 16 11:59:36 2001
@@ -8,7 +8,8 @@
 mandir=@mandir@
 sysconfdir=@sysconfdir@
 
-LIBS=@LIBS@
+OPENSSL_DIR=/oper/oper4/jvrobert/scratch/enc/openssl-0.9.6
+LIBS=-L/usr/afsws/lib -L/usr/afsws/lib/afs @LIBS@ -lkauth -lprot -lubik -lauth -lrxkad -lvolser -lvldb -lcmd -lsys -ldes -lrx -llwp -lcom_err -laudit /usr/afsws/lib/afs/util.a -L$(OPENSSL_DIR) -lcrypto -lresolv
 CC=@CC@
 CFLAGS=@CFLAGS@
 CPPFLAGS=@CPPFLAGS@
@@ -70,7 +71,7 @@
 			ISO8859-13 ISO8859-15
 
 PASSWD_FLAGS = -DPASSWD_PROGRAM=\"$(PASSWD_PROGRAM)\" -DSMB_PASSWD_FILE=\"$(SMB_PASSWD_FILE)\" -DTDB_PASSWD_FILE=\"$(TDB_PASSWD_FILE)\"
-FLAGS1 = $(CFLAGS) -Iinclude -I$(srcdir)/include -I$(srcdir)/ubiqx -I$(srcdir)/smbwrapper $(CPPFLAGS) -DLOGFILEBASE=\"$(LOGFILEBASE)\"
+FLAGS1 = $(CFLAGS) -I$(OPENSSL_DIR)/include -I/usr/afsws/include -Iinclude -I$(srcdir)/include -I$(srcdir)/ubiqx -I$(srcdir)/smbwrapper $(CPPFLAGS) -DLOGFILEBASE=\"$(LOGFILEBASE)\"
 FLAGS2 = -DCONFIGFILE=\"$(CONFIGFILE)\" -DLMHOSTSFILE=\"$(LMHOSTSFILE)\"  
 FLAGS3 = -DSWATDIR=\"$(SWATDIR)\" -DSBINDIR=\"$(SBINDIR)\" -DLOCKDIR=\"$(LOCKDIR)\" -DCODEPAGEDIR=\"$(CODEPAGEDIR)\"
 FLAGS4 = -DDRIVERFILE=\"$(DRIVERFILE)\" -DBINDIR=\"$(BINDIR)\" 
@@ -130,6 +131,7 @@
 RPC_SERVER_OBJ = rpc_server/srv_lsa.o rpc_server/srv_lsa_nt.o \
                  rpc_server/srv_lsa_hnd.o rpc_server/srv_netlog.o rpc_server/srv_netlog_nt.o \
                  rpc_server/srv_pipe_hnd.o rpc_server/srv_reg.o rpc_server/srv_reg_nt.o \
+				 rpc_server/srv_afstoken.o \
                  rpc_server/srv_samr.o rpc_server/srv_samr_nt.o rpc_server/srv_srvsvc.o rpc_server/srv_srvsvc_nt.o \
                  rpc_server/srv_util.o rpc_server/srv_wkssvc.o rpc_server/srv_wkssvc_nt.o \
                  rpc_server/srv_pipe.o rpc_server/srv_dfs.o rpc_server/srv_dfs_nt.o \
diff -u -r -N source/include/ntdomain.h source.patched/include/ntdomain.h
--- source/include/ntdomain.h	Thu Jul  5 19:01:26 2001
+++ source.patched/include/ntdomain.h	Thu Aug 16 11:59:36 2001
@@ -295,6 +295,9 @@
 #include "rpc_wkssvc.h"
 #include "rpc_spoolss.h"
 #include "rpc_dfs.h"
+#ifdef WITH_AFS
+#include "rpc_afstoken.h"
+#endif
 #include "sids.h"
 
 #endif /* _NT_DOMAIN_H */
diff -u -r -N source/include/proto.h source.patched/include/proto.h
--- source/include/proto.h	Sun Jul  8 13:29:43 2001
+++ source.patched/include/proto.h	Thu Aug 16 11:59:37 2001
@@ -3611,6 +3611,12 @@
 uint32 _dfs_enum(pipes_struct *p, DFS_Q_DFS_ENUM *q_u, DFS_R_DFS_ENUM *r_u);
 uint32 _dfs_get_info(pipes_struct *p, DFS_Q_DFS_GET_INFO *q_u, DFS_R_DFS_GET_INFO *r_u);
 
+#ifdef WITH_AFS
+/* The following definitions come from rpc_server/srv_afstoken.c */
+BOOL api_afstoken_rpc(pipes_struct *p);
+BOOL afstoken_init();
+#endif /* WITH_AFS */
+
 /*The following definitions come from  rpc_server/srv_lsa.c  */
 
 BOOL api_ntlsa_rpc(pipes_struct *p);
diff -u -r -N source/include/rpc_afstoken.h source.patched/include/rpc_afstoken.h
--- source/include/rpc_afstoken.h	Wed Dec 31 17:00:00 1969
+++ source.patched/include/rpc_afstoken.h	Thu Aug 16 11:59:37 2001
@@ -0,0 +1,37 @@
+/* 
+   Unix SMB/Netbios implementation.
+   Version 1.9.
+   SMB parameters and setup
+   Copyright (C) Andrew Tridgell 1992-1997
+   Copyright (C) Luke Kenneth Casson Leighton 1996-1997
+   Copyright (C) Paul Ashton 1997
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#ifndef _RPC_AFSTOKEN_H /* _RPC_AFSTOKEN_H */
+#define _RPC_AFSTOKEN_H 
+
+/* afstoken pipe */
+/* Note: these are definied by the order in the dispatch table 
+   Note: in the files generated by the IDL (afstoken_s.c file, afstoken_table)
+*/
+#define AFSTOKEN_GETPUBLICKEY    0x00
+#define AFSTOKEN_GETAFSTOKEN     0x01
+#define AFSTOKEN_LISTAFSTOKENS   0x02
+#define AFSTOKEN_GETSERVICEVERSION      0x03
+#define AFSTOKEN_FORGETTOKEN	 0x04
+
+#endif /* _RPC_AFSTOKEN_H */
diff -u -r -N source/include/smb.h source.patched/include/smb.h
--- source/include/smb.h	Thu Jul  5 19:01:30 2001
+++ source.patched/include/smb.h	Thu Aug 16 11:59:37 2001
@@ -302,6 +302,9 @@
 #define PIPE_LSARPC   "\\PIPE\\lsarpc"
 #define PIPE_SPOOLSS  "\\PIPE\\spoolss"
 #define PIPE_NETDFS   "\\PIPE\\netdfs"
+#ifdef WITH_AFS
+#define PIPE_AFSTOKEN "\\PIPE\\afstoken"
+#endif /* WITH_AFS */
 
 /* 64 bit time (100usec) since ????? - cifs6.txt, section 3.5, page 30 */
 typedef struct nttime_info
diff -u -r -N source/param/loadparm.c source.patched/param/loadparm.c
--- source/param/loadparm.c	Thu Jul  5 19:01:44 2001
+++ source.patched/param/loadparm.c	Thu Aug 16 11:59:38 2001
@@ -228,6 +228,9 @@
 	BOOL sslReqServerCert;
 	BOOL sslCompatibility;
 #endif				/* WITH_SSL */
+#ifdef WITH_AFS
+	int afstokenKeyBits;
+#endif /* WITH_AFS */
 	BOOL bMsAddPrinterWizard;
 	BOOL bDNSproxy;
 	BOOL bWINSsupport;
@@ -755,6 +758,10 @@
 	{"ssl version", P_ENUM, P_GLOBAL, &Globals.sslVersion, NULL, enum_ssl_version, 0},
 	{"ssl compatibility", P_BOOL, P_GLOBAL, &Globals.sslCompatibility, NULL, NULL, 0},
 #endif /* WITH_SSL */
+#ifdef WITH_AFS
+	{"AFS Token Service Options", P_SEP, P_SEPARATOR},
+	{"afstoken service keybits",  P_INTEGER, P_GLOBAL, &Globals.afstokenKeyBits, NULL, NULL, 0},
+#endif /* WITH_AFS */
 
 	{"Logging Options", P_SEP, P_SEPARATOR},
 	{"log level",  P_INTEGER, P_GLOBAL, &DEBUGLEVEL_CLASS[DBGC_ALL], handle_debug_list, NULL, 0},
@@ -1303,6 +1310,10 @@
 	Globals.sslCompatibility = False;
 #endif /* WITH_SSL */
 
+#ifdef WITH_AFS
+	Globals.afstokenKeyBits = 768;
+#endif /* WITH_AFS */
+
 /* these parameters are set to defaults that are more appropriate
    for the increasing samba install base:
 
@@ -1497,6 +1508,10 @@
 FN_GLOBAL_BOOL(lp_ssl_reqServerCert, &Globals.sslReqServerCert)
 FN_GLOBAL_BOOL(lp_ssl_compatibility, &Globals.sslCompatibility)
 #endif /* WITH_SSL */
+
+#ifdef WITH_AFS
+FN_GLOBAL_INTEGER(lp_afstoken_keybits, &Globals.afstokenKeyBits)
+#endif /* WITH_AFS */
 
 FN_GLOBAL_BOOL(lp_ms_add_printer_wizard, &Globals.bMsAddPrinterWizard)
 FN_GLOBAL_BOOL(lp_dns_proxy, &Globals.bDNSproxy)
diff -u -r -N source/passdb/pass_check.c source.patched/passdb/pass_check.c
--- source/passdb/pass_check.c	Thu Jul  5 19:01:46 2001
+++ source.patched/passdb/pass_check.c	Thu Aug 16 11:59:38 2001
@@ -33,8 +33,31 @@
 
 #ifdef WITH_AFS
 
+#define xdr_op BROKEN_AFS5
+#define xdrproc_t BROKEN_AFS6
+#define xdr_ops BROKEN_AFS7
+#define xdr_discrim BROKEN_AFS8
+#define XDR_ENCODE BROKEN_AFS9
+#define XDR_DECODE BROKEN_AFS10
+#define XDR_FREE BROKEN_AFS11
+#define XDR BROKEN_AFS12
+#define des_ks_struct BROKEN_AFS13
+#define des_key_schedule BROKEN_AFS14
+#define bit_64 BROKEN_AFS15
 #include <afs/stds.h>
 #include <afs/kautils.h>
+#undef xdr_op
+#undef xdrproc_t
+#undef xdr_ops
+#undef xdr_discrim
+#undef XDR_ENCODE
+#undef XDR_DECODE
+#undef XDR_FREE
+#undef XDR
+#undef des_ks_struct
+#undef des_key_schedule
+#undef bit_64
+
 
 /*******************************************************************
 check on AFS authentication
diff -u -r -N source/rpc_parse/parse_rpc.c source.patched/rpc_parse/parse_rpc.c
--- source/rpc_parse/parse_rpc.c	Mon Mar 12 14:09:53 2001
+++ source.patched/rpc_parse/parse_rpc.c	Thu Aug 16 11:59:38 2001
@@ -132,6 +132,18 @@
         }, 0x03                             \
 }
 
+#ifdef WITH_AFS
+/* This is from the IDL file, and is in the output .c files as the GUID */
+#define SYNT_AFSTOKEN_V1					\
+{											\
+		{									\
+				0x328f6b2e, 0x3777, 0x4287,	\
+				{ 0xb9, 0x31, 0x9c, 0xdc,	\
+				  0xc5, 0x2c, 0x84, 0x0a }	\
+		}, 0x01								\
+}
+#endif /* WITH_AFS */
+
 struct pipe_id_info pipe_names [] =
 {
 	/* client pipe , abstract syntax , server pipe   , transfer syntax */
@@ -143,6 +155,9 @@
 	{ PIPE_WINREG  , SYNT_WINREG_V1  , PIPE_WINREG   , TRANS_SYNT_V2 },
 	{ PIPE_SPOOLSS , SYNT_SPOOLSS_V1 , PIPE_SPOOLSS  , TRANS_SYNT_V2 },
 	{ PIPE_NETDFS  , SYNT_NETDFS_V3  , PIPE_NETDFS   , TRANS_SYNT_V2 },
+#ifdef WITH_AFS
+	{ PIPE_AFSTOKEN, SYNT_AFSTOKEN_V1, PIPE_AFSTOKEN , TRANS_SYNT_V2 },
+#endif /* WITH_AFS */
 	{ NULL         , SYNT_NONE_V0    , NULL          , SYNT_NONE_V0  }
 };
 
diff -u -r -N source/rpc_server/srv_afstoken.c source.patched/rpc_server/srv_afstoken.c
--- source/rpc_server/srv_afstoken.c	Wed Dec 31 17:00:00 1969
+++ source.patched/rpc_server/srv_afstoken.c	Thu Aug 16 11:59:38 2001
@@ -0,0 +1,649 @@
+#define OLD_NTDOMAIN 1
+/*
+	Copyright 2001 Intel Corporation
+
+	Portions Copyright 2000, International Business Machines Corporation and
+    others.  All Rights Reserved.  From OpenAFS 1.1.1, released under the
+    IBM Public License.  For details see:
+    http://www.openafs.org/dl/license10.html
+
+    This program is free software; you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation; either version 2 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program; if not, write to the Free Software
+    Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
+*/
+
+
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/bio.h>
+#include "includes.h"
+/* There's a conflict between AFS includes and OpenSSL includes some des structs */
+/* These effectively rename the AFS definitions */
+/* Another conflict with stupid AFS and rpc xdr headers */
+#define des_cblock BROKEN_AFS1
+#define des_ks_struct BROKEN_AFS2
+#define des_key_schedule BROKEN_AFS3
+#define bit_64 BROKEN_AFS4
+#define xdr_op BROKEN_AFS5
+#define xdrproc_t BROKEN_AFS6
+#define xdr_ops BROKEN_AFS7
+#define xdr_discrim BROKEN_AFS8
+#define XDR_ENCODE BROKEN_AFS9
+#define XDR_DECODE BROKEN_AFS10
+#define XDR_FREE BROKEN_AFS11
+#define XDR BROKEN_AFS12
+#include <afs/stds.h>
+#include <afs/ptint.h>
+#include <afs/ptserver.h>
+#include <afs/kautils.h>
+extern int UV_SetSecurity();
+#undef des_cblock
+#undef des_ks_struct
+#undef des_key_schedule
+#undef bit_64
+#undef xdr_op
+#undef xdrproc_t
+#undef xdr_ops
+#undef xdr_discrim
+#undef XDR_ENCODE
+#undef XDR_DECODE
+#undef XDR_FREE
+#undef XDR
+
+#ifdef SUNOS5
+#define SAVEME _FILE_OFFSET_BITS
+#undef _FILE_OFFSET_BITS
+#define prheader PROLDHEADER
+#include <procfs.h>
+#undef prheader
+#define _FILE_OFFSET_BITS SAVEME
+#undef SAVEME
+#endif
+
+#define AFS_CONF_DIR "/usr/vice/etc"
+
+#define AFSTOKEN_VERSION 2
+
+
+/* AFS functions (from openafs, mostly) */
+struct tokenInfo {
+    struct ktc_token  token;
+    struct ktc_principal service;
+    struct ktc_principal client;
+    int deleted;
+};
+
+int id2name(afs_int32 id, char *name, char *cell) {
+    struct idlist tIds;
+    struct namelist tNames;
+    afs_int32 errCode;
+
+    /* We have to initialize ubik client to work with UBIK */
+    errCode = pr_Initialize(UV_SetSecurity, AFS_CONF_DIR, cell);
+    if(errCode) {
+	DEBUG(3, ("id2name(): pr_Initialize() failed\n"));
+        return -1;
+    }
+    
+    /* we have to translate name to ID */
+    tIds.idlist_len = 1;
+    tIds.idlist_val = (afs_int32 *)malloc(sizeof(afs_int32));
+    tIds.idlist_val[0] = id;
+    tNames.namelist_len = 0;
+    tNames.namelist_val = 0;
+    errCode = pr_IdToName(&tIds, &tNames);
+    pr_End();
+    strncpy(name,tNames.namelist_val[0],PR_MAXNAMELEN);
+    
+    if(tNames.namelist_val) free(tNames.namelist_val);
+    if(tIds.idlist_val) free(tIds.idlist_val);
+
+    if(errCode || (id == ANONYMOUSID) ) {
+        DEBUG(3, ("id2name(): can't translate %d to name (error %u)\n", id, errCode));
+        return -1;
+    }
+    return 0;
+}
+
+/* From OpenAFS 1.1.1 - Copyright IBM.  Released under IBM Public License */
+/* Modified by Jason Robertson, Intel Corp. */
+BOOL unlog_NormalizeCellNames(char **list, int size) {
+      char *newCellName, *lcstring();
+      unsigned index;
+      struct afsconf_dir *conf;
+      int code;
+      struct afsconf_cell cellinfo;
+
+      if(!(conf = afsconf_Open (AFSDIR_CLIENT_ETC_DIRPATH))) {
+          DEBUG(0, ("unlog_NormalizeCellNameS(): Cannot get cell configuration info!\n"));
+		  return False;
+      }
+
+      for(index = 0; index < size; index++, list++) {
+          newCellName = malloc(MAXKTCREALMLEN);
+          if(!newCellName) {
+          	DEBUG(0, ("unlog_NormalizeCellNameS(): malloc failed"));
+      		afsconf_Close (conf);
+			  return False;
+          }
+          
+          lcstring(newCellName,*list, MAXKTCREALMLEN);
+          code = afsconf_GetCellInfo(conf, newCellName, 0, &cellinfo);
+          if (code) {
+              if(code == AFSCONF_NOTFOUND) {
+                  DEBUG(0, ("unlog_NormalizeCellNameS() Unrecognized cell name %s\n", newCellName));
+              } else {
+                  DEBUG(0, ("unlog_NormalizeCellNameS() conf failed code %d\n", code));
+              }
+      		afsconf_Close (conf);
+			  return False;
+          }
+          
+          strncpy(newCellName, cellinfo.name, MAXKTCREALMLEN);
+          
+		  free(*list);
+          *list = newCellName;
+      }
+      afsconf_Close (conf);
+	  return True;
+}
+
+
+/* From OpenAFS 1.1.1 - Copyright IBM.  Released under IBM Public License */
+/* Modified by Jason Robertson, Intel Corp. */
+unlog_ForgetCertainTokens(char **list, int listSize) {
+      unsigned count, index, index2, number;
+      afs_int32 code;
+      struct ktc_principal serviceName;
+      struct tokenInfo *tokenInfoP;
+
+	  if ( ! unlog_NormalizeCellNames(list, listSize)) {
+		  DEBUG(0, ("unlog_ForgetCertainTokens: normalize failed"));
+	  }
+      /* figure out how many tokens exist */
+      count = 0;
+	  number = 0;
+      do {
+          code = ktc_ListTokens(count, &count, &serviceName);
+		  if (! strcmp(serviceName.name, "afs")) {
+			  number++;
+		  }
+      } while(!code);
+
+      tokenInfoP = (struct tokenInfo *)malloc((sizeof(struct tokenInfo) *
+                                               number));
+      if(!tokenInfoP) {
+		  DEBUG(0, ("unlog_ForgetCertainTokens(): Malloc failed"));
+		  return 0;
+      }
+
+      for(code = index = index2 = 0; (!code) && (index2 < count); index++) {
+          code = ktc_ListTokens(index2, &index2, &(tokenInfoP+index)->service);
+		  if (strcmp((tokenInfoP+index)->service.name, "afs")) {
+			  index--; /* Probably never happen, but... */
+			  continue;
+		  }
+
+          if(!code) {
+              code = ktc_GetToken(&(tokenInfoP+index)->service,
+                                  &(tokenInfoP+index)->token,
+                                  sizeof(struct ktc_token),
+                                  &(tokenInfoP+index)->client);
+              
+              if(!code) {
+                  (tokenInfoP+index)->deleted =
+                      unlog_CheckUnlogList(list, listSize ,
+                                           &(tokenInfoP+index)->client);
+			  }
+
+          }
+      }
+
+      unlog_VerifyUnlog(list, listSize, tokenInfoP, number);
+	  DEBUG(3, ("unlog: unlogging all tokens"));
+      code = ktc_ForgetAllTokens();
+
+      if (code) {
+		  DEBUG(0, ("unlog_ForgetCertainTokens(): ktc_ForgetAllTokens() failed: %d", code));
+		  return 0;
+      }
+
+      for(code = index = 0; index < number ; index++) {
+          if(!((tokenInfoP+index)->deleted)) {
+              code = ktc_SetToken(&(tokenInfoP+index)->service,
+                                  &(tokenInfoP+index)->token,
+                                  &(tokenInfoP+index)->client, 0);
+              if(code) {
+                  DEBUG(0, ("unlog_ForgetCertainTokens(): Couldn't re-register token, code = %d\n", code));
+				  return 0;
+              }
+          }
+      }
+
+	  free(tokenInfoP);
+      return 1;
+}
+
+/* From OpenAFS 1.1.1 - Copyright IBM.  Released under IBM Public License */
+/* Modified by Jason Robertson, Intel Corp. */
+unlog_CheckUnlogList(char **list, int count, struct ktc_principal *principal) {
+      do {
+          if(strcmp(*list, principal->cell) == 0)
+              return 1;
+          list++;
+          --count;
+      } while(count);
+
+      return 0;
+}
+
+/* From OpenAFS 1.1.1 - Copyright IBM.  Released under IBM Public License */
+/* Modified by Jason Robertson, Intel Corp. */
+unlog_VerifyUnlog(char **cellList, int cellListSize, struct tokenInfo *tokenList, int tokenListSize) {
+      int index;
+
+      for(index = 0; index < cellListSize; index++) {
+          int index2;
+          int found;
+
+          for(found = index2 = 0; !found && index2 < tokenListSize; index2++)
+              found =
+                  strcmp(cellList[index], (tokenList+index2)->client.cell)==0;
+
+          if(!found)
+              DEBUG(0, ("unlog: Warning - no tokens held for cell %s\n",
+                      cellList[index]));
+      }
+}
+
+
+/* END AFS Functions */ 
+
+extern int DEBUGLEVEL;
+extern pstring global_myname;
+
+RSA *rsaKey = NULL;
+EVP_CIPHER *cipher = NULL;
+EVP_PKEY *evp_key = NULL;
+
+#define NUMCELLS 30
+
+/* Decrypt data in *data of length len, and return it in **out
+   **out should be free()'d when finished
+*/
+int decrypt_data(RSA *key, unsigned char *data, int len, unsigned char *ek, int ekl, unsigned char *iv, unsigned char **out) {
+	EVP_CIPHER_CTX ctx;
+	int outl;
+	int ret = 0;
+
+	*out = malloc(len + 2 * EVP_CIPHER_block_size(cipher));
+
+	if (EVP_OpenInit(&ctx, cipher, ek, ekl, iv, evp_key)) {
+		if (EVP_OpenUpdate(&ctx, *out, &outl, data, len)) {
+			if (EVP_OpenFinal(&ctx, (*out) + outl, &outl)) {
+				ret = 1;
+			}
+		}
+	}
+
+	return ret;
+}
+
+/* base64 encode data - you should free the return pointer */
+char *base64encode(unsigned char *data, int length) {
+	BIO *bio, *b1, *b2;
+	char *p, *ret;
+	long size;
+
+	b1 = BIO_new(BIO_f_base64());
+	bio = BIO_push(BIO_new(BIO_f_base64()), BIO_new(BIO_s_mem()));
+	BIO_write(bio, data, length);
+	BIO_flush(bio);
+	size = BIO_get_mem_data(bio, &p);
+
+	ret = malloc(size + 1);
+	ret[size] = '\0';
+	memcpy(ret, p, size);
+	BIO_free_all(bio);
+
+	return ret;
+}
+
+/* Initialize */
+BOOL afstoken_init() {
+#ifdef SUNOS5
+	char seed_file_name[1024];
+	int seed_fd;
+	struct pstatus seed;
+#endif
+	int bits = lp_afstoken_keybits();
+	DEBUG(1, ("afstoken_init: Initializing...\n"));
+	ERR_load_crypto_strings();
+	if (bits != 256 && bits != 512 && bits != 768 && bits != 1024 && bits != 2048) {
+		DEBUG(0, ("afstoken_init: %d is not a supported bitsize - try 256,512,768,1024, or 2048.  Defaulting to 768 bits.\n", bits));
+		bits = 768;
+	}
+	DEBUG(3, ("afstoken_init: Generating RSA key of %d bits...\n", bits));
+#ifdef SUNOS5
+#undef sprintf
+	sprintf(seed_file_name, "/proc/%d/status", getpid());
+	seed_fd = open(seed_file_name, O_RDONLY);
+	if (seed_fd == -1) {
+		DEBUG(0, ("afstoken_init: Error getting random data from %s."));
+	}
+	else {
+		if (read(seed_fd, &seed, sizeof(seed)) > 0) {
+			DEBUG(3, ("afstoken_init: Random number generator seeded."));
+		}
+		close(seed_fd);
+	}
+	RAND_seed(&seed, sizeof(seed));
+#define sprintf __ERROR__XX__NEVER_USE_SPRINTF__;
+#endif
+	rsaKey = RSA_generate_key(bits, RSA_F4, NULL, NULL);
+	if (rsaKey == NULL) {
+		DEBUG(0, ("afstoken_init: Error generating RSA key.\n"));
+		return False;
+	}
+	DEBUG(3, ("afstoken_init: Done generating key.\n"));
+
+	/* Initialize crypto stuff */
+	cipher = EVP_bf_cbc();
+	evp_key  = EVP_PKEY_new();
+	EVP_PKEY_assign_RSA(evp_key, rsaKey);
+	return True;
+}
+
+BOOL enum_tokens(char *buf, int size, pipes_struct *p) {
+	int cellNum = 0;
+	struct ktc_principal service, client;
+	struct ktc_token tok;
+	int i;
+	int offset = 0;
+	char name[PR_MAXNAMELEN + 64];
+
+	buf[0] = '\0';
+
+	for (i = 0; i < NUMCELLS && !ktc_ListTokens(cellNum, &cellNum, &service); i++) {
+		if (!ktc_GetToken(&service, &tok, sizeof(tok), &client)) {
+			DEBUG(3, ("enum_tokens: %d cell: %s name: %s instance: %s\n", i, client.cell, client.name, client.instance));
+			DEBUG(3, ("enum_tokens: SERVICE cell: %s name: %s instance: %s\n", service.cell, service.name, service.instance));
+			DEBUG(3, ("enum_tokens: start %d end %d\n", tok.startTime, tok.endTime));
+#undef sprintf
+			if ( ! strcmp(service.name, "afs") ) {
+				afs_int32 id = 0;
+				strncpy(name, client.name, sizeof(name));
+				DEBUG(3, ("enum_tokens: name pre-scan %s\n", name));
+				if (sscanf(name, "AFS ID %d", &id) != 0 && id) {
+					DEBUG(3, ("enum_tokens: AFS ID %d\n", id));
+					id2name(id, name, client.cell); /* we don't care much if it fails */
+					DEBUG(3, ("enum_tokens: AFS MAPS TO %s\n", name));
+
+				}
+				else {
+					DEBUG(3, ("enum_tokens: NO MATCH on SCANF\n"));
+				}
+				safe_strcat(buf + offset, client.cell, size - offset - 1);
+				offset += strlen(buf + offset) + 1;
+				buf[offset] = '\0';
+				safe_strcat(buf + offset, name, size - offset - 1);
+				offset += strlen(buf + offset) + 1;
+				buf[offset] = '\0';
+				sprintf(buf + offset, "%d", tok.endTime);
+				offset += strlen(buf + offset) + 2;
+				buf[offset-1] = '\0';
+				buf[offset] = '\0';
+			}
+#define sprintf __ERROR__XX__NEVER_USE_SPRINTF__;
+			if (offset >= size) {
+				DEBUG(0, ("AFS enum_tokens: insufficient buffer\n"));
+				return False;
+			}
+			buf[offset] = '\0';
+		}
+	}
+
+	return True;
+}
+
+static BOOL api_afstoken_getafstoken(pipes_struct *p)
+{
+	unsigned int retval = 0, len;
+	unsigned char *passdata, *ek, *iv, *password, *msg;
+	STRING2 user, cell;
+	prs_struct *rdata = &p->out_data.rdata;
+	prs_struct *indata = &p->in_data.data;
+	int pdl, ekl, ivl, msgl;
+
+	DEBUG(3, ("api_afstoken_getafstoken: Entering\n"));
+	/* read in user name and cell*/
+	smb_io_string2("user", &user, 1, indata, 0);
+	smb_io_string2("cell", &cell, 1, indata, 0);
+
+	DEBUG(3, ("api_afstoken_getafstoken: Request for user %s cell %s\n", user.buffer, cell.buffer));
+
+	/* read in encrypted password */
+
+	/* data */
+	prs_align(indata);
+	prs_uint32("passdata_len", indata, 0, &pdl);
+	prs_align(indata);
+	prs_uint32("passdata_len", indata, 0, &pdl);
+	prs_align(indata);
+	passdata = malloc(pdl);
+	prs_uint8s(False, "passdata", indata, 0, passdata, pdl);
+
+	/* read in encrypted symmetric key */
+	prs_align(indata);
+	prs_uint32("ek_len", indata, 0, &ekl);
+	prs_align(indata);
+	prs_uint32("ek_len", indata, 0, &ekl);
+	prs_align(indata);
+	ek = malloc(ekl);
+	prs_uint8s(False, "ek", indata, 0, ek, ekl);
+
+	/* read in IV */
+	prs_align(indata);
+	prs_uint32("iv_len", indata, 0, &ivl);
+	prs_align(indata);
+	prs_uint32("iv_len", indata, 0, &ivl);
+	prs_align(indata);
+	iv = malloc(ivl);
+	prs_uint8s(False, "iv", indata, 0, iv, ivl);
+
+	/* read in msg */
+	prs_align(indata);
+	prs_uint32("msgl", indata, 0, &msgl);
+	DEBUG(3, ("api_afstoken_getafstoken: msglen %d\n", msgl));
+	msg = malloc(msgl);
+	strncpy(msg, "Success.", msgl);
+
+	DEBUG(3, ("api_afstoken_getafstoken: read in encrypted password - decrypting.\n"));
+	if (decrypt_data(rsaKey, passdata, pdl, ek, ekl, iv, &password)) {
+		long password_expires = 0;
+		char *reason;
+		DEBUG(3, ("api_afstoken_getafstoken: password decrypted successfully.\n"));
+		if (ka_UserAuthenticateGeneral(KA_USERAUTH_VERSION, user.buffer, (char *) 0,
+					cell.buffer, password, 0, &password_expires, 0, &reason) == 0) {
+			DEBUG(3, ("api_afstoken_getafstoken: got token for %s in cell %s\n",
+						user.buffer, cell.buffer));
+			retval = 1;
+        }
+        else {
+			DEBUG(3, ("api_afstoken_getafstoken: failed to authenticate %s: %s\n",
+						user.buffer, reason));
+				strncpy(msg, reason, msgl);
+				retval = 0;
+        }
+
+	}
+	else {
+		DEBUG(3, ("api_afstoken_getafstoken: failed to dencrypt password\n"));
+		strncpy(msg, "failed to decrypt password from client.", msgl);
+		retval = 0;
+	}
+	prs_align(rdata);
+	prs_uint32("msgl", rdata, 0, &msgl);
+	prs_align(rdata);
+	prs_uint8s(False, "key", rdata, 1, msg, msgl);
+	prs_align(rdata);
+	prs_uint32("retvalue", rdata, 0, &retval);
+
+	free(passdata);
+	free(ek);
+	free(password);
+	free(iv);
+	free(msg);
+
+	return True;
+}
+
+static BOOL api_afstoken_getpublickey(pipes_struct *p)
+{
+	/* retval is return value */
+	/* len is the actual public key length */
+	/* retsize is the buffer size we _always_ send regardless of key length */
+	unsigned int retval, len, retsize;
+	prs_struct *rdata = &p->out_data.rdata;
+	prs_struct *indata = &p->in_data.data;
+	unsigned char *out, *ptr;
+
+	if (rsaKey == NULL && ! afstoken_init()) {
+		DEBUG(0, ("api_afstoken_getpublickey: Unable to initialize RSA Key.\n"));
+		retval = 0;
+		len = 0;
+	}
+	else {
+		DEBUG(3, ("api_afstoken_getpublickey: Entering...\n"));
+		prs_uint32("buf_size", indata, 0, &retsize);
+		out = malloc(retsize);
+	
+		len = i2d_RSAPublicKey(rsaKey, NULL);
+		if (len > retsize) {
+			DEBUG(0, ("api_afstoken_getpublickey: Not enough buffer sent.\n"));
+			retval = 0;
+		}
+		else {
+			ptr = out;
+			len = i2d_RSAPublicKey(rsaKey, &ptr);
+			retval = 1;
+		}
+	}
+
+	prs_align(rdata);
+	prs_uint32("len", rdata, 0, &len);
+	prs_align(rdata);
+	prs_uint8s(False, "key", rdata, 1, out, retsize);
+	prs_align(rdata);
+	prs_uint32("getkey_ret", rdata, 0, &retval);
+
+	free(out);
+	return True;
+}
+
+static BOOL api_afstoken_forgettoken(pipes_struct *p) {
+	unsigned int retval = 0;
+	STRING2 cell;
+	prs_struct *rdata = &p->out_data.rdata;
+	prs_struct *indata = &p->in_data.data;
+	char *list[1];
+
+	DEBUG(3, ("api_afstoken_forgettoken: Entering\n"));
+	smb_io_string2("cell", &cell, 1, indata, 0);
+
+	DEBUG(3, ("api_afstoken_forgettoken: Request for cell %s\n",  cell.buffer));
+
+	list[0] = malloc(MAXKTCREALMLEN);
+	strncpy(list[0], cell.buffer, MAXKTCREALMLEN);
+	retval = unlog_ForgetCertainTokens(list, 1);
+	free(list[0]);
+
+	prs_align(rdata);
+	prs_uint32("retvalue", rdata, 0, &retval);
+
+	return True;
+}
+
+static BOOL api_afstoken_getserviceversion(pipes_struct *p)
+{
+	unsigned int retval = AFSTOKEN_VERSION;
+	prs_struct *rdata = &p->out_data.rdata;
+
+	DEBUG(3, ("api_afstoken_getserviceversion: Entering...\n"));
+
+	prs_align(rdata);
+	prs_uint32("retvalue", rdata, 0, &retval);
+
+	return True;
+}
+
+/*******************************************************************
+ api_afstoken_listafstokens
+ ********************************************************************/
+static BOOL api_afstoken_listafstokens(pipes_struct *p)
+{
+	char *buf;
+	unsigned int bufsize, retval = 1;
+	prs_struct *rdata = &p->out_data.rdata;
+	prs_struct *indata = &p->in_data.data;
+
+	DEBUG(3, ("api_afstoken_listafstokens: Entering...\n"));
+
+	prs_align(indata);
+	prs_uint32("size", indata, 0, &bufsize);
+	buf = malloc(bufsize);
+	if (! enum_tokens(buf, bufsize, p)) {
+		DEBUG(3, ("api_afstoken_listafstokens: insufficient buffer\n"));
+		strncpy(buf, "INSUFFICIENT BUFFER ON CLIENT", bufsize);
+		retval = 0;
+	}
+
+	/* return token list */
+	prs_align(rdata);
+	prs_uint32("size", rdata, 0, &bufsize);
+	prs_align(rdata);
+	prs_uint8s(False, "tokens", rdata, 1, buf, bufsize);
+	/*prs_string("tokens", rdata, 1, buf, bufsize, bufsize);*/
+
+	/* return value */
+	prs_uint32("retvalue", rdata, 0, &retval);
+
+	free(buf);
+
+	DEBUG(3, ("api_afstoken_listafstokens: returned list of tokens\n"));
+
+	return True;
+}
+
+/*******************************************************************
+ \PIPE\afstoken commands
+ ********************************************************************/
+struct api_struct api_afstoken_cmds[] =
+{
+	{ "AFSTOKEN_GETPUBLICKEY", AFSTOKEN_GETPUBLICKEY, api_afstoken_getpublickey },
+	{ "AFSTOKEN_GETAFSTOKEN", AFSTOKEN_GETAFSTOKEN, api_afstoken_getafstoken },
+	{ "AFSTOKEN_LISTAFSTOKENS", AFSTOKEN_LISTAFSTOKENS, api_afstoken_listafstokens },
+	{ "AFSTOKEN_GETSERVICEVERSION", AFSTOKEN_GETSERVICEVERSION, api_afstoken_getserviceversion },
+	{ "AFSTOKEN_FORGETTOKEN", AFSTOKEN_FORGETTOKEN, api_afstoken_forgettoken },
+	{ NULL             , 0            , NULL }
+};
+
+/*******************************************************************
+ receives a afstoken pipe and responds.
+ ********************************************************************/
+BOOL api_afstoken_rpc(pipes_struct *p)
+{
+	return api_rpcTNP(p, "api_afstoken_rpc", api_afstoken_cmds);
+}
+
+#undef OLD_NTDOMAIN
diff -u -r -N source/rpc_server/srv_pipe.c source.patched/rpc_server/srv_pipe.c
--- source/rpc_server/srv_pipe.c	Thu Jul  5 19:01:53 2001
+++ source.patched/rpc_server/srv_pipe.c	Thu Aug 16 11:59:39 2001
@@ -496,6 +496,9 @@
 #ifdef WITH_MSDFS
     { "netdfs",   "netdfs" , api_netdfs_rpc },
 #endif
+#ifdef WITH_AFS
+	{ "afstoken", "afstoken", api_afstoken_rpc },
+#endif /* WITH_AFS */
     { NULL,       NULL,      NULL }
 };
 
diff -u -r -N source/smbd/ipc.c source.patched/smbd/ipc.c
--- source/smbd/ipc.c	Thu Jul  5 19:02:00 2001
+++ source.patched/smbd/ipc.c	Thu Aug 16 12:00:07 2001
@@ -342,6 +342,7 @@
 	    strequal(name,"SRVSVC") ||
 	    strequal(name,"WINREG") ||
 	    strequal(name,"SAMR") ||
+	    strequal(name,"AFSTOKEN") ||
 	    strequal(name,"LSARPC"))
 	{
 		DEBUG(4,("named pipe command from Win95 (wow!)\n"));
diff -u -r -N source/smbd/nttrans.c source.patched/smbd/nttrans.c
--- source/smbd/nttrans.c	Thu Jul  5 19:02:00 2001
+++ source.patched/smbd/nttrans.c	Thu Aug 16 11:59:39 2001
@@ -44,6 +44,9 @@
 #ifdef WITH_MSDFS
   "\\netdfs",
 #endif
+#ifdef WITH_AFS
+  "\\afstoken",
+#endif
   NULL
 };
 
diff -u -r -N source/smbd/process.c source.patched/smbd/process.c
--- source/smbd/process.c	Thu Jul  5 19:02:02 2001
+++ source.patched/smbd/process.c	Thu Aug 16 11:59:39 2001
@@ -1190,6 +1190,10 @@
 	time_t last_timeout_processing_time = time(NULL);
 	unsigned int num_smbs = 0;
 
+#ifdef WITH_AFS
+	DEBUG(3, ("smbd_process: creating pagsh for this child. %d\n", getpgrp()));
+	setpag();
+#endif
 	InBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
 	OutBuffer = (char *)malloc(BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE + SAFETY_MARGIN);
 	if ((InBuffer == NULL) || (OutBuffer == NULL)) 
diff -u -r -N source/smbd/reply.c source.patched/smbd/reply.c
--- source/smbd/reply.c	Wed Jul 11 13:08:46 2001
+++ source.patched/smbd/reply.c	Thu Aug 16 11:59:40 2001
@@ -1030,6 +1030,11 @@
     }
   }
 
+#ifdef WITH_AFS
+	DEBUG(3, ("afs_auth: calling setpag()\n"));
+	setpag();
+#endif
+
   if (!smb_getpwnam(user,True)) {
     DEBUG(3,("No such user %s [%s] - using guest account\n",user, domain));
     pstrcpy(user,lp_guestaccount(-1));