From 5ba0b7e1e270dca8dd55838a605df816f68e87cd Mon Sep 17 00:00:00 2001
From: Derrick Brashear
Date: Tue, 12 May 2009 20:40:57 +0000
Subject: [PATCH] STABLE14-pts-encrypt-option-20090512
LICENSE IPL10
FIXES 124681
add -encrypt flag to pts generic options, allowing the wire to be encrypted if desired and the user's authenticated. document same.
(cherry picked from commit 6ba44802ea6cf722c22a4784cbbad70ed6f5d60a)
---
doc/man-pages/pod1/pts.pod | 6 ++++++
src/ptserver/pts.c | 6 ++++++
src/ptserver/ptuser.c | 5 ++++-
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/doc/man-pages/pod1/pts.pod b/doc/man-pages/pod1/pts.pod
index 913a9ff18..a3da57270 100644
--- a/doc/man-pages/pod1/pts.pod
+++ b/doc/man-pages/pod1/pts.pod
@@ -129,6 +129,12 @@ privileged users to issue commands that change the Protection Database,
 and refuses to perform such an action even if the B<-noauth> flag is
 provided.
+=item B<-encrypt>
+
+Establishes an authenticated, encrypted connection to the Protection Server.
+It is useful when it is desired to obscure network traffic related to the
+transactions being done.
+
 =item B<-localauth>
+
 Constructs a server ticket using the server encryption key with the
diff --git a/src/ptserver/pts.c b/src/ptserver/pts.c
index 7b90a9265..1a329c18c 100644
--- a/src/ptserver/pts.c
+++ b/src/ptserver/pts.c
@@ -176,6 +176,10 @@ GetGlobals(struct cmd_syndesc *as, void *arock)
 changed = 1;
 sec = 1;
 }
+ if (as->parms[22].items) { /* -encrypt */
+ changed = 1;
+ sec = 3;
+ }
 if (as->parms[18].items || as->parms[20].items) { /* -test, -localauth */
 changed = 1;
 confdir = AFSDIR_SERVER_ETC_DIRPATH;
@@ -1022,6 +1026,8 @@ add_std_args(register struct cmd_syndesc *ts)
 "use local authentication");
 cmd_AddParm(ts, "-auth", CMD_FLAG, CMD_OPTIONAL,
 "use user's authentication (default)");
+ cmd_AddParm(ts, "-encrypt", CMD_FLAG, CMD_OPTIONAL,
+ "encrypt commands");
 }
 /*
diff --git a/src/ptserver/ptuser.c b/src/ptserver/ptuser.c
index fcd9d695f..a5f7d16b0 100644
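Review bot: `sec = 3` in the new `-encrypt` block of GetGlobals is a bare magic number whose meaning is only fixed in ptuser.c, where any secLevel above 1 selects rxkad_crypt; the trailing comment should carry that contract, e.g. `/* -encrypt: secLevel > 1 makes pr_Initialize() use rxkad_crypt */`, or better the value should be a named constant shared with ptuser.c. The new block is also placed after the block that assigns `sec = 1`, so when both flags are given the later assignment silently wins; if the two are meant to be mutually exclusive, reporting the conflict is clearer than last-one-wins. GetGlobals starts before this hunk and continues after it, so the condition guarding `sec = 1` is not visible here.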
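Review bot: The first hunk of this file reads the new flag as `as->parms[22].items`, so the `cmd_AddParm(ts, "-encrypt", ...)` added here must keep exactly that position in the add_std_args sequence (presumably its order among the cmd_AddParm calls determines the index); nothing ties the two sites together, and inserting another parm ahead of it would silently make -encrypt read some other flag. A comment at the new call, `/* parms[22]: GetGlobals() reads this index for -encrypt */`, or an enum of parm indices used by both sites, would make the coupling visible. The help text `"encrypt commands"` also understates what the flag does; `"encrypt the connection to the Protection Server (requires authentication)"` matches the behaviour the man page now documents.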
--- a/src/ptserver/ptuser.c
+++ b/src/ptserver/ptuser.c
@@ -203,6 +203,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
 code = ktc_GetToken(&sname, &ttoken, sizeof(ttoken), NULL);
 if (code) {
 afs_com_err(whoami, code, "(getting token)");
+ if (secLevel > 1)
+ return code;
 scIndex = 0;
 } else {
 if (ttoken.kvno >= 0 && ttoken.kvno <= 256)
@@ -215,7 +217,8 @@ pr_Initialize(IN afs_int32 secLevel, IN char *confDir, IN char *cell)
 scIndex = 2;
 }
 sc[2] =
- rxkad_NewClientSecurityObject(rxkad_clear, &ttoken.sessionKey,
+ rxkad_NewClientSecurityObject((secLevel > 1) ? rxkad_crypt :
+ rxkad_clear, &ttoken.sessionKey,
 ttoken.kvno, ttoken.ticketLen, ttoken.ticket);
 }
-- 
2.39.5
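Review bot: The early `return code;` when encryption was requested but ktc_GetToken failed is the right fail-closed choice, but the preceding `afs_com_err(whoami, code, "(getting token)")` gives the user no hint that the failure is fatal only because -encrypt needs a token; a dedicated message in the new branch, `afs_com_err(whoami, code, "(getting token; -encrypt requires authentication)");`, would make that clear. pr_Initialize starts before this hunk and continues after it, so whether anything acquired earlier in the function needs releasing before this new return cannot be judged from the hunk.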
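Review bot: The rxkad_crypt/rxkad_clear choice is only reached when the token passed the `ttoken.kvno >= 0 && ttoken.kvno <= 256` check that sets scIndex = 2; the branch taken when that check fails lies outside the hunk, and the `secLevel > 1` guard added in the first hunk does not cover it, so an -encrypt request with an out-of-range kvno may, if that path falls through, still end up on a non-encrypted security object. If it does fall through, the same fail-closed treatment belongs there, with an explicit error return rather than a silent downgrade. The `(secLevel > 1)` test now appears twice in this function and implicitly as `sec = 3` in pts.c; a single named helper, e.g. `#define PR_SEC_ENCRYPT(lvl) ((lvl) > 1)`, would keep the three in step.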