From: kcr Date: Tue, 23 Dec 2008 15:48:17 +0000 (+0000) Subject: allow des key brain dumps from transition servers to krb5-only servers X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=commitdiff_plain;h=88b6e911a8a54023dbd9cf35929a770eb3f727c7;p=1ts-debian.git allow des key brain dumps from transition servers to krb5-only servers git-svn-id: svn://svn.1ts.org/debian/branches/zephyr-reloaded@387 cbed1d16-5ef5-0310-b6a1-d4a37b08ba1f --- diff --git a/zephyr/configure b/zephyr/configure index 4466d3b..90b740e 100755 --- a/zephyr/configure +++ b/zephyr/configure @@ -1476,6 +1476,7 @@ Optional Packages: both] --with-tags[=TAGS] include additional configurations [automatic] --with-x use the X Window System + --with-openssl=PREFIX Use OpenSSL crypto --with-krb4=PREFIX Use Kerberos 4 --with-krb5=PREFIX Use Kerberos 5 --with-hesiod=PREFIX Use Hesiod @@ -4141,7 +4142,7 @@ ia64-*-hpux*) ;; *-*-irix6*) # Find out which ABI we are using. - echo '#line 4144 "configure"' > conftest.$ac_ext + echo '#line 4145 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -6707,11 +6708,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6710: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6711: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6714: \$? = $ac_status" >&5 + echo "$as_me:6715: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -6940,11 +6941,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:6943: $lt_compile\"" >&5) + (eval echo "\"\$as_me:6944: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:6947: \$? = $ac_status" >&5 + echo "$as_me:6948: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -7000,11 +7001,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:7003: $lt_compile\"" >&5) + (eval echo "\"\$as_me:7004: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:7007: \$? = $ac_status" >&5 + echo "$as_me:7008: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -8330,7 +8331,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 8333 "configure"' > conftest.$ac_ext + echo '#line 8334 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -9168,7 +9169,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:11449: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:11452: \$? = $ac_status" >&5 + echo "$as_me:11453: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings 
@@ -11505,11 +11506,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:11508: $lt_compile\"" >&5) + (eval echo "\"\$as_me:11509: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:11512: \$? = $ac_status" >&5 + echo "$as_me:11513: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized @@ -12016,7 +12017,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 12019 "configure"' > conftest.$ac_ext + echo '#line 12020 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -12854,7 +12855,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5) + (eval echo "\"\$as_me:13783: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:13786: \$? = $ac_status" >&5 + echo "$as_me:13787: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -13839,11 +13840,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:13842: $lt_compile\"" >&5) + (eval echo "\"\$as_me:13843: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:13846: \$? = $ac_status" >&5 + echo "$as_me:13847: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -15149,7 +15150,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 15152 "configure"' > conftest.$ac_ext + echo '#line 15153 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? @@ -15893,11 +15894,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:15896: $lt_compile\"" >&5) + (eval echo "\"\$as_me:15897: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:15900: \$? = $ac_status" >&5 + echo "$as_me:15901: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16126,11 +16127,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16129: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16130: $lt_compile\"" >&5) (eval "$lt_compile" 2>conftest.err) ac_status=$? cat conftest.err >&5 - echo "$as_me:16133: \$? = $ac_status" >&5 + echo "$as_me:16134: \$? = $ac_status" >&5 if (exit $ac_status) && test -s "$ac_outfile"; then # The compiler can only warn and ignore the option if not recognized # So say no if there are warnings @@ -16186,11 +16187,11 @@ else -e 's:.*FLAGS}? :&$lt_compiler_flag :; t' \ -e 's: [^ ]*conftest\.: $lt_compiler_flag&:; t' \ -e 's:$: $lt_compiler_flag:'` - (eval echo "\"\$as_me:16189: $lt_compile\"" >&5) + (eval echo "\"\$as_me:16190: $lt_compile\"" >&5) (eval "$lt_compile" 2>out/conftest.err) ac_status=$? cat out/conftest.err >&5 - echo "$as_me:16193: \$? = $ac_status" >&5 + echo "$as_me:16194: \$? = $ac_status" >&5 if (exit $ac_status) && test -s out/conftest2.$ac_objext then # The compiler can only warn and ignore the option if not recognized 
@@ -17516,7 +17517,7 @@ linux*) libsuff= case "$host_cpu" in x86_64*|s390x*|powerpc64*) - echo '#line 17519 "configure"' > conftest.$ac_ext + echo '#line 17520 "configure"' > conftest.$ac_ext if { (eval echo "$as_me:$LINENO: \"$ac_compile\"") >&5 (eval $ac_compile) 2>&5 ac_status=$? 
@@ -18354,7 +18355,7 @@ else lt_dlunknown=0; lt_dlno_uscore=1; lt_dlneed_uscore=2 lt_status=$lt_dlunknown cat > conftest.$ac_ext < conftest.$ac_ext <&5 +echo $ECHO_N "checking for DES_ecb_encrypt in -lcrypto... $ECHO_C" >&6; } +if test "${ac_cv_lib_crypto_DES_ecb_encrypt+set}" = set; then + echo $ECHO_N "(cached) $ECHO_C" >&6 +else + ac_check_lib_save_LIBS=$LIBS +LIBS="-lcrypto $LIBS" +cat >conftest.$ac_ext <<_ACEOF +/* confdefs.h. */ +_ACEOF +cat confdefs.h >>conftest.$ac_ext +cat >>conftest.$ac_ext <<_ACEOF +/* end confdefs.h. */ + +/* Override any GCC internal prototype to avoid an error. + Use char because int might match the return type of a GCC + builtin and then its argument prototype would still apply. */ +#ifdef __cplusplus +extern "C" +#endif +char DES_ecb_encrypt (); +int +main () +{ +return DES_ecb_encrypt (); + ; + return 0; +} +_ACEOF +rm -f conftest.$ac_objext conftest$ac_exeext +if { (ac_try="$ac_link" +case "(($ac_try" in + *\"* | *\`* | *\\*) ac_try_echo=\$ac_try;; + *) ac_try_echo=$ac_try;; +esac +eval "echo \"\$as_me:$LINENO: $ac_try_echo\"") >&5 + (eval "$ac_link") 2>conftest.er1 + ac_status=$? + grep -v '^ *+' conftest.er1 >conftest.err + rm -f conftest.er1 + cat conftest.err >&5 + echo "$as_me:$LINENO: \$? = $ac_status" >&5 + (exit $ac_status); } && { + test -z "$ac_c_werror_flag" || + test ! 
-s conftest.err + } && test -s conftest$ac_exeext && + $as_test_x conftest$ac_exeext; then + ac_cv_lib_crypto_DES_ecb_encrypt=yes +else + echo "$as_me: failed program was:" >&5 +sed 's/^/| /' conftest.$ac_ext >&5 + + ac_cv_lib_crypto_DES_ecb_encrypt=no +fi + +rm -f core conftest.err conftest.$ac_objext conftest_ipa8_conftest.oo \ + conftest$ac_exeext conftest.$ac_ext +LIBS=$ac_check_lib_save_LIBS +fi +{ echo "$as_me:$LINENO: result: $ac_cv_lib_crypto_DES_ecb_encrypt" >&5 +echo "${ECHO_T}$ac_cv_lib_crypto_DES_ecb_encrypt" >&6; } +if test $ac_cv_lib_crypto_DES_ecb_encrypt = yes; then + OPENSSL_LIBS=-lcrypto + cat >>confdefs.h <<\_ACEOF +#define HAVE_OPENSSL 1 +_ACEOF + +else + { { echo "$as_me:$LINENO: error: Openssl requested but not found" >&5 +echo "$as_me: error: Openssl requested but not found" >&2;} + { (exit 1); exit 1; }; } +fi + +fi + + # Check whether --with-krb4 was given. if test "${with_krb4+set}" = set; then withval=$with_krb4; krb4="$withval" @@ -25324,7 +25409,7 @@ else echo "$as_me: error: This package requires ss." >&2;} { (exit 1); exit 1; }; } fi -LIBS="$KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" +LIBS="$OPENSSL_LIBS $KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" if test $ac_cv_c_compiler_gnu = yes; then { echo "$as_me:$LINENO: checking whether $CC needs -traditional" >&5 diff --git a/zephyr/configure.in b/zephyr/configure.in index 57b97df..d24a891 100644 --- a/zephyr/configure.in +++ b/zephyr/configure.in @@ -84,6 +84,15 @@ AC_SUBST(TLIB) AC_SUBST(RLIB) AC_SUBST(SLIB) +AC_ARG_WITH(openssl, + [ --with-openssl=PREFIX Use OpenSSL crypto], + [openssl="$withval"], [openssl=no]) +if test "$openssl" != no; then + AC_CHECK_LIB(crypto, DES_ecb_encrypt, [OPENSSL_LIBS=-lcrypto + AC_DEFINE(HAVE_OPENSSL)], + [AC_MSG_ERROR(Openssl requested but not found)]) +fi + ATHENA_KRB4 ATHENA_KRB5 ATHENA_HESIOD 
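Review bot: The PREFIX accepted by `--with-openssl=PREFIX` is never used: `$openssl` is only compared against `no`, so a non-default prefix still probes the compiler's default include and library paths, and AC_CHECK_LIB either fails or links against whichever libcrypto happens to be there. Extend the search paths before the check when a real prefix was given, e.g. `if test "$openssl" != yes; then CPPFLAGS="$CPPFLAGS -I$openssl/include"; LDFLAGS="$LDFLAGS -L$openssl/lib"; fi`. The generated `configure` hunk earlier in this patch carries the same logic and would need regenerating; debian/rules passes `/usr`, where the default paths work anyway, which is presumably why this went unnoticed.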
@@ -91,7 +100,7 @@ ATHENA_REGEXP ATHENA_ARES ATHENA_UTIL_COM_ERR ATHENA_UTIL_SS -LIBS="$KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" +LIBS="$OPENSSL_LIBS $KRB5_LIBS $KRB4_LIBS $HESIOD_LIBS $LIBS" dnl Checks for library functions. AC_PROG_GCC_TRADITIONAL diff --git a/zephyr/debian/rules b/zephyr/debian/rules index 66afbfe..231ca17 100755 --- a/zephyr/debian/rules +++ b/zephyr/debian/rules @@ -50,7 +50,7 @@ configure-stamp: dh_testdir # Add here commands to configure the package. -mkdir krb5 - cd krb5 && CFLAGS="-g -Wall" ../configure --with-krb5=/usr $(CONFIGURE_ROOT) + cd krb5 && CFLAGS="-g -Wall" ../configure --with-krb5=/usr --with-openssl=/usr $(CONFIGURE_ROOT) -mkdir krb45 cd krb45 && CFLAGS="-g -Wall" ../configure --with-krb4=/usr --with-krb5=/usr $(CONFIGURE_ROOT) -mkdir krb4 diff --git a/zephyr/h/config.h.in b/zephyr/h/config.h.in index 40c0a3e..688870f 100644 --- a/zephyr/h/config.h.in +++ b/zephyr/h/config.h.in @@ -273,3 +273,6 @@ /* Define to `int' if doesn't define. */ #undef uid_t + +/* Wether we have the openssl library about */ +#undef HAVE_OPENSSL diff --git a/zephyr/server/bdump.c b/zephyr/server/bdump.c index cb3cfe1..39b4cd8 100644 --- a/zephyr/server/bdump.c +++ b/zephyr/server/bdump.c @@ -114,9 +114,12 @@ static long ticket_time; #define TKTLIFETIME 120 #define tkt_lifetime(val) ((long) val * 5L * 60L) +#endif /* HAVE_KRB4 */ + +#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) extern C_Block serv_key; extern Sched serv_ksched; -#endif /* HAVE_KRB4 */ +#endif static Timer *bdump_timer; static int live_socket = -1; 
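Review bot: The comment added above `#undef HAVE_OPENSSL` in config.h.in misspells "Whether" and does not say what the macro controls; suggest `/* Define if the OpenSSL libcrypto DES routines are available */`, which matches the AC_CHECK_LIB probe for DES_ecb_encrypt that sets it.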
@@ -987,10 +990,26 @@ cleanup(Server *server) } #if defined(HAVE_KRB4) || defined(HAVE_KRB5) + +int got_des = 0; + +#ifndef HAVE_KRB4 +unsigned int enctypes[] = {ENCTYPE_DES_CBC_CRC, + ENCTYPE_DES_CBC_MD4, + ENCTYPE_DES_CBC_MD5, + ENCTYPE_DES_CBC_RAW, + 0}; +#endif + + int get_tgt(void) { int retval = 0; +#ifndef HAVE_KRB4 + int i; + krb5_keytab_entry kt_ent; +#endif #ifdef HAVE_KRB4 /* MIT Kerberos 4 get_svc_in_tkt() requires instance to be writable and * at least INST_SZ bytes long. */ @@ -1026,6 +1045,7 @@ get_tgt(void) return 1; } des_key_sched(serv_key, serv_ksched.s); + got_des = 1; } #endif #ifdef HAVE_KRB5 @@ -1061,9 +1081,37 @@ get_tgt(void) 0, NULL, &opt); +#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4) + if (retval) { + krb5_free_principal(Z_krb5_ctx, principal); + krb5_kt_close(Z_krb5_ctx, kt); + return(1); + } + + for (i = 0; enctypes[i]; i++) { + retval = krb5_kt_get_entry(Z_krb5_ctx, kt, principal, + 0, enctypes[i], &kt_ent); + if (!retval) + break; + } + if (!retval) { + retval = krb5_copy_keyblock(Z_krb5_ctx, &kt_ent.key, &serv_key); + if (retval) { + krb5_free_principal(Z_krb5_ctx, principal); + krb5_kt_close(Z_krb5_ctx, kt); + return(1); + } + + des_key_sched(serv_key, serv_ksched.s); + + got_des = 1; + } +#endif krb5_free_principal(Z_krb5_ctx, principal); krb5_kt_close(Z_krb5_ctx, kt); +#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4) if (retval) return(1); +#endif retval = krb5_cc_initialize (Z_krb5_ctx, Z_krb5_ccache, cred.client); if (retval) return(1); @@ -1120,10 +1168,8 @@ bdump_recv_loop(Server *server) #endif #if defined(HAVE_KRB4) || defined(HAVE_KRB5) char *cp; -#endif -#ifdef HAVE_KRB4 C_Block cblock; -#endif /* HAVE_KRB4 */ +#endif ZRealm *realm = NULL; zdbug((LOG_DEBUG, "bdump recv loop")); 
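Review bot: `got_des` and `enctypes[]` are introduced as external-linkage globals with very generic names although, as far as this patch shows, both are only referenced inside bdump.c; `static int got_des = 0;` and `static unsigned int enctypes[] = {` keep them out of the server's global namespace. `enctypes[]`, `i` and `kt_ent` are also compiled in under `#ifndef HAVE_KRB4` but only used under `#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4)`, so a krb5-only build without OpenSSL gets an unreferenced table and unused-variable warnings; guarding the declarations with the same condition as their use keeps the three places consistent. get_tgt() continues past the end of this hunk.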
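Review bot: The pre-existing `if (retval) return(1);` after `krb5_kt_close` is now wrapped in `#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4)`, so in a Kerberos 4 build (the krb45 configuration in debian/rules) or a build without OpenSSL a failing krb5_get_init_creds_keytab() is no longer detected and get_tgt() goes on to krb5_cc_initialize() and stores an uninitialized `cred`; the check is right in every configuration and the `#if`/`#endif` around it should simply be dropped. In the new OpenSSL path, `krb5_copy_keyblock(Z_krb5_ctx, &kt_ent.key, &serv_key)` passes the address of `serv_key`, which subscr.c declares as a `C_Block` (an 8-byte array), where the API expects a `krb5_keyblock **` and stores a freshly allocated pointer — that cannot leave a usable DES key in `serv_key`; check `kt_ent.key.length == sizeof(C_Block)` and memcpy `kt_ent.key.contents` instead. `kt_ent` is also never released, so the keytab key material stays allocated for the life of the server; free it with `krb5_free_keytab_entry_contents()` once the key has been copied. The rewritten tail of the OpenSSL block is below; get_tgt() continues outside this hunk.
```c
    /* … unchanged: krb5_get_init_creds_keytab() call and its error return … */
    /* … unchanged: enctypes[] lookup loop … */
    if (!retval) {
        if (kt_ent.key.length != sizeof(C_Block)) {
            /* a DES key is exactly one C_Block; anything else cannot be scheduled */
            retval = KRB5_BAD_KEYSIZE;
        } else {
            memcpy(serv_key, kt_ent.key.contents, sizeof(C_Block));
            des_key_sched(serv_key, serv_ksched.s);
            got_des = 1;
        }
        /* release the keytab entry (and its key bytes) whether or not it was usable */
        krb5_free_keytab_entry_contents(Z_krb5_ctx, &kt_ent);
    }
#endif
    krb5_free_principal(Z_krb5_ctx, principal);
    krb5_kt_close(Z_krb5_ctx, kt);
    /* unconditional: guards get_init_creds in every build and the keytab lookup in the OpenSSL one */
    if (retval)
        return(1);
```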
@@ -1223,26 +1269,27 @@ bdump_recv_loop(Server *server) /* check out this session key I found */ cp = notice.z_message + strlen(notice.z_message) + 1; switch (*cp) { -#ifdef HAVE_KRB4 - case '0': - /* ****ing netascii; this is an encrypted DES keyblock - XXX this code should be conditionalized for server - transitions */ - retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, - sizeof(C_Block), - &client->session_keyblock); - if (retval) { - syslog(LOG_ERR, "brl failed to allocate DES keyblock: %s", - error_message(retval)); - return retval; - } - retval = ZReadAscii(cp, strlen(cp), cblock, sizeof(C_Block)); - if (retval != ZERR_NONE) { - syslog(LOG_ERR,"brl bad cblk read: %s (%s)", +#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) + if (got_des) { + /* ****ing netascii; this is an encrypted DES keyblock + XXX this code should be conditionalized for server + transitions */ + retval = Z_krb5_init_keyblock(Z_krb5_ctx, ENCTYPE_DES_CBC_CRC, + sizeof(C_Block), + &client->session_keyblock); + if (retval) { + syslog(LOG_ERR, "brl failed to allocate DES keyblock: %s", + error_message(retval)); + return retval; + } + retval = ZReadAscii(cp, strlen(cp), cblock, sizeof(C_Block)); + if (retval != ZERR_NONE) { + syslog(LOG_ERR,"brl bad cblk read: %s (%s)", error_message(retval), cp); - } else { - des_ecb_encrypt((C_Block *)cblock, (C_Block *)Z_keydata(client->session_keyblock), - serv_ksched.s, DES_DECRYPT); + } else { + des_ecb_encrypt((C_Block *)cblock, (C_Block *)Z_keydata(client->session_keyblock), + serv_ksched.s, DES_DECRYPT); + } } break; #endif diff --git a/zephyr/server/subscr.c b/zephyr/server/subscr.c index 4694590..8515644 100644 --- a/zephyr/server/subscr.c +++ b/zephyr/server/subscr.c @@ -61,7 +61,7 @@ static const char rcsid_subscr_c[] = "$Id$"; * */ -#ifdef HAVE_KRB4 +#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) C_Block serv_key; Sched serv_ksched; #endif diff --git a/zephyr/server/zserver.h b/zephyr/server/zserver.h index 078a8a7..54a56e6 100644 
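Review bot: The DES keyblock handling is now unreachable: the removed `case '0':` label is not re-added, so the new `if (got_des) {` block sits directly after `switch (*cp) {` with no label in front of it, and a switch never executes statements placed before its first case (the hunk header's 26/27 line counts account for every line, so the label was not lost in rendering). Restore `case '0':` as the first line after `#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL)`, or the brain dump this commit is meant to enable never decodes the key. With the label back, a `'0'` keyblock arriving while `got_des` is zero is silently dropped and the client is left without a session key; an `else` branch such as `syslog(LOG_WARNING, "brl DES keyblock received but no DES key available");` would make that visible in the server log. bdump_recv_loop() starts and ends outside this hunk.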
--- a/zephyr/server/zserver.h +++ b/zephyr/server/zserver.h @@ -61,7 +61,12 @@ extern C_Block __Zephyr_session; /* Current time as cached by main(); use instead of time(). */ #define NOW t_local.tv_sec -#ifdef HAVE_KRB4 +#if defined(HAVE_OPENSSL) & !defined(HAVE_KRB4) +#define OPENSSL_DES_LIBDES_COMPATIBILITY +#include +#endif + +#if defined(HAVE_KRB4) || defined(HAVE_OPENSSL) /* Kerberos shouldn't stick us with array types... */ typedef struct { des_key_schedule s;
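Review bot: `#if defined(HAVE_OPENSSL) & !defined(HAVE_KRB4)` uses the bitwise `&`; it evaluates the same on these 0/1 operands, but every other condition this patch adds (bdump.c, subscr.c) spells it `&&`, so write `#if defined(HAVE_OPENSSL) && !defined(HAVE_KRB4)` for consistency. The `#include` directive on the next line shows no header name in this copy of the patch; worth confirming that the committed line names the OpenSSL DES header, since `des_key_schedule` in the typedef just below depends on it and on the `OPENSSL_DES_LIBDES_COMPATIBILITY` define preceding it. The typedef continues past the end of this hunk.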