From: Chaskiel Grundman <cg2v@andrew.cmu.edu>
Date: Sat, 6 Apr 2013 17:42:23 +0000 (-0400)
Subject: Use rfc3961 library to decrypt kerberos 5 tickets
X-Git-Tag: openafs-stable-1_8_0pre1~1062^2~6
X-Git-Url: https://git.openafs.org/?p=openafs.git;a=commitdiff_plain;h=ea4812f03d498b6a838440fa3349e085fa5ea8b5

Use rfc3961 library to decrypt kerberos 5 tickets

Decrypt tickets with non-des enctypes by calling out to the rfc3961 library.
This requires the security object to be given an enhanced get_key callback
that supports looking up keys by enctype.
Include a wrapper around afsconf_GetKeyByTypes so rxkad doesn't have
to know anything about libauth internals/interfaces

Change-Id: Id2b085fb41e2ed3576ec66b2914c03e78c0077ec
---

diff --git a/Makefile.in b/Makefile.in
index d919375..b001336 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -216,7 +216,7 @@ afs: config export comerr afs_depinstall
 sys: cmd comerr afs hcrypto rx rxstat fsint sys_depinstall
 	+${COMPILE_PART1} sys ${COMPILE_PART2}
 
-rxkad: cmd comerr hcrypto rx rxkad_depinstall
+rxkad: cmd comerr hcrypto rfc3961 rx rxkad_depinstall
 	+${COMPILE_PART1} rxkad ${COMPILE_PART2}
 
 auth: cmd comerr hcrypto lwp rx rxkad audit sys auth_depinstall
diff --git a/src/WINNT/afsd/NTMakefile b/src/WINNT/afsd/NTMakefile
index 1c7bb0a..11b9204 100644
--- a/src/WINNT/afsd/NTMakefile
+++ b/src/WINNT/afsd/NTMakefile
@@ -335,6 +335,7 @@ LOGON_DLLLIBS =\
     $(DESTDIR)\lib\afs\afsutil.lib \
     $(DESTDIR)\lib\opr.lib \
     $(DESTDIR)\lib\afsroken.lib \
+    $(DESTDIR)\lib\afsrpc.lib \
     $(LANAHELPERLIB) \
     $(AFSKFWLIB)
 
@@ -421,7 +422,8 @@ EXELIBS = \
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 EXELIBS2 = \
         $(DESTDIR)\lib\afsrpc.lib \
diff --git a/src/WINNT/afssvrmgr/NTMakefile b/src/WINNT/afssvrmgr/NTMakefile
index c279ae5..ced9882 100644
--- a/src/WINNT/afssvrmgr/NTMakefile
+++ b/src/WINNT/afssvrmgr/NTMakefile
@@ -103,7 +103,8 @@ EXELIBS = \
 	$(DESTDIR)\lib\afs\TaAfsAppLib.lib \
         $(DESTDIR)\lib\afs\afsutil.lib \
 	$(DESTDIR)\lib\opr.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrpc.lib
 
 ############################################################################
 
diff --git a/src/WINNT/aklog/NTMakefile b/src/WINNT/aklog/NTMakefile
index 79da73f..c8d4293 100644
--- a/src/WINNT/aklog/NTMakefile
+++ b/src/WINNT/aklog/NTMakefile
@@ -38,7 +38,8 @@ EXELIBS = \
         $(DESTDIR)\lib\afsrpc.lib \
         $(DESTDIR)\lib\afsauthent.lib \
 	$(DESTDIR)\lib\opr.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrpc.lib
 
 OTHERLIBS = dnsapi.lib mpr.lib
 
diff --git a/src/WINNT/client_creds/NTMakefile b/src/WINNT/client_creds/NTMakefile
index 030cb25..74a43a9 100644
--- a/src/WINNT/client_creds/NTMakefile
+++ b/src/WINNT/client_creds/NTMakefile
@@ -73,7 +73,8 @@ EXELIBS = \
         $(DESTDIR)\lib\afs\afscom_err.lib \
         $(DESTDIR)\lib\afs\afsutil.lib \
 	$(DESTDIR)\lib\opr.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrpc.lib
 
 ############################################################################
 #
diff --git a/src/WINNT/netidmgr_plugin/NTMakefile b/src/WINNT/netidmgr_plugin/NTMakefile
index 25a197b..e3ea181 100644
--- a/src/WINNT/netidmgr_plugin/NTMakefile
+++ b/src/WINNT/netidmgr_plugin/NTMakefile
@@ -94,6 +94,7 @@ OBJFILES= 				\
 
 LIBFILES= 				\
         $(DESTDIR)\lib\afsroken.lib     \
+	$(DESTDIR)\lib\afsrpc.lib       \
 	$(DESTDIR)\lib\afsauthent.lib 	\
 	$(DESTDIR)\lib\libafsconf.lib 	\
         $(DESTDIR)\lib\afs\mtafsutil.lib\
diff --git a/src/auth/Makefile.in b/src/auth/Makefile.in
index e6001c2..2a2c400 100644
--- a/src/auth/Makefile.in
+++ b/src/auth/Makefile.in
@@ -29,6 +29,7 @@ LT_libs= $(LDFLAGS_roken) $(LIB_roken)
 
 LIBS=libauth.a \
       ${TOP_LIBDIR}/librxkad.a \
+      ${TOP_LIBDIR}/libafsrfc3961.a \
       ${TOP_LIBDIR}/librx.a \
       ${TOP_LIBDIR}/libsys.a \
       ${TOP_LIBDIR}/liblwp.a \
diff --git a/src/auth/NTMakefile b/src/auth/NTMakefile
index 37146e8..0e77e0e 100644
--- a/src/auth/NTMakefile
+++ b/src/auth/NTMakefile
@@ -99,7 +99,8 @@ EXELIBS =\
 	$(EXELIBDIR)\libafsconf.lib \
 	$(EXELIBDIR)\opr.lib \
 	$(EXELIBDIR)\afshcrypto.lib \
-	$(EXELIBDIR)\afsroken.lib
+	$(EXELIBDIR)\afsroken.lib \
+	$(EXELIBDIR)\afsrfc3961.lib
 
 $(SETKEY_EXEFILE): $(SETKEY_EXEOBJS) $(EXELIBS)
 	$(EXECONLINK) dnsapi.lib shell32.lib
diff --git a/src/auth/authcon.c b/src/auth/authcon.c
index 54e842d..8976947 100644
--- a/src/auth/authcon.c
+++ b/src/auth/authcon.c
@@ -42,6 +42,31 @@ QuickAuth(struct rx_securityClass **astr, afs_int32 *aindex)
 }
 
 #if !defined(UKERNEL)
+static int _afsconf_GetRxkadKrb5Key(void *arock, int kvno, int enctype, void *outkey,
+				    size_t *keylen)
+{
+    struct afsconf_dir *adir = arock;
+    struct afsconf_typedKey *kobj;
+    struct rx_opaque *keymat;
+    afsconf_keyType tktype;
+    int tkvno, tenctype;
+    int code;
+
+    code = afsconf_GetKeyByTypes(adir, afsconf_rxkad_krb5, kvno, enctype, &kobj);
+    if (code != 0)
+	return code;
+    afsconf_typedKey_values(kobj, &tktype, &tkvno, &tenctype, &keymat);
+    if (*keylen < keymat->len) {
+	afsconf_typedKey_put(&kobj);
+	return AFSCONF_BADKEY;
+    }
+    memcpy(outkey, keymat->val, keymat->len);
+    *keylen = keymat->len;
+    afsconf_typedKey_put(&kobj);
+    return 0;
+}
+
+
 /* Return an appropriate security class and index */
 afs_int32
 afsconf_ServerAuth(void *arock,
@@ -53,7 +78,8 @@ afsconf_ServerAuth(void *arock,
 
     LOCK_GLOBAL_MUTEX;
     tclass = (struct rx_securityClass *)
-	rxkad_NewServerSecurityObject(0, adir, afsconf_GetKey, NULL);
+	rxkad_NewKrb5ServerSecurityObject(0, adir, afsconf_GetKey,
+					  _afsconf_GetRxkadKrb5Key, NULL);
     if (tclass) {
 	*astr = tclass;
 	*aindex = RX_SECIDX_KAD;
@@ -254,12 +280,16 @@ afsconf_BuildServerSecurityObjects(void *rock,
 
     (*classes)[0] = rxnull_NewServerSecurityObject();
     (*classes)[1] = NULL;
-    (*classes)[2] = rxkad_NewServerSecurityObject(0, dir,
-						  afsconf_GetKey, NULL);
+    (*classes)[2] = rxkad_NewKrb5ServerSecurityObject(0, dir,
+						      afsconf_GetKey,
+						      _afsconf_GetRxkadKrb5Key,
+						      NULL);
 
     if (dir->securityFlags & AFSCONF_SECOPTS_ALWAYSENCRYPT)
-	(*classes)[3] = rxkad_NewServerSecurityObject(rxkad_crypt, dir,
-						      afsconf_GetKey, NULL);
+	(*classes)[3] = rxkad_NewKrb5ServerSecurityObject(rxkad_crypt, dir,
+							  afsconf_GetKey,
+							  _afsconf_GetRxkadKrb5Key,
+							  NULL);
 }
 #endif
 
diff --git a/src/auth/cellconfig.p.h b/src/auth/cellconfig.p.h
index f22153d..c641fc3 100644
--- a/src/auth/cellconfig.p.h
+++ b/src/auth/cellconfig.p.h
@@ -150,7 +150,8 @@ struct afsconf_typedKeyList {
 
 typedef enum {
     afsconf_rxkad = 0,
-    afsconf_rxgk  =1
+    afsconf_rxgk  =1,
+    afsconf_rxkad_krb5  =2
 } afsconf_keyType;
 
 extern struct afsconf_typedKey *
diff --git a/src/bozo/Makefile.in b/src/bozo/Makefile.in
index 51cefac..b565d17 100644
--- a/src/bozo/Makefile.in
+++ b/src/bozo/Makefile.in
@@ -39,6 +39,7 @@ LIBS=   ${TOP_LIBDIR}/librx.a \
 	${TOP_LIBDIR}/libopr.a \
 	${TOP_LIBDIR}/libsys.a \
 	${TOP_LIBDIR}/libprocmgmt.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 OBJS=bosserver.o bnode.o ezbnodeops.o fsbnodeops.o bosint.ss.o bosint.xdr.o \
diff --git a/src/bozo/NTMakefile b/src/bozo/NTMakefile
index a2ed440..c4c1703 100644
--- a/src/bozo/NTMakefile
+++ b/src/bozo/NTMakefile
@@ -70,7 +70,8 @@ BOSSERVER_EXELIBS =\
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(BOSSERVER_EXEFILE): $(BOSSERVER_EXEOBJS) $(BOSSERVER_EXELIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
@@ -109,7 +110,8 @@ BOS_EXELIBS =\
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(RS_BOS_EXEFILE): $(BOS_EXEOBJS) $(BOS_EXELIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
diff --git a/src/bucoord/Makefile.in b/src/bucoord/Makefile.in
index cb1ad0e..f70369e 100644
--- a/src/bucoord/Makefile.in
+++ b/src/bucoord/Makefile.in
@@ -21,6 +21,7 @@ LIBS=${TOP_LIBDIR}/libbudb.a ${TOP_LIBDIR}/libbubasics.a \
         ${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/util.a \
 	$(TOP_LIBDIR)/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 all: ${TOP_LIBDIR}/libbxdb.a ${TOP_INCDIR}/afs/bucoord_prototypes.h ${TOP_INCDIR}/afs/bc.h backup
diff --git a/src/bucoord/NTMakefile b/src/bucoord/NTMakefile
index 3085b95..05db66c 100644
--- a/src/bucoord/NTMakefile
+++ b/src/bucoord/NTMakefile
@@ -93,7 +93,8 @@ EXELIBS =\
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 	
 
 $(EXEFILE): $(EXEOBJS) $(EXERES) $(EXELIBS)
diff --git a/src/budb/Makefile.in b/src/budb/Makefile.in
index 2a406f3..1d39793 100644
--- a/src/budb/Makefile.in
+++ b/src/budb/Makefile.in
@@ -42,6 +42,7 @@ LIBS=${TOP_LIBDIR}/libbubasics.a \
 	${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/util.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 COMMON_OBJS = database.o db_alloc.o db_dump.o db_hash.o struct_ops.o ol_verify.o
diff --git a/src/budb/NTMakefile b/src/budb/NTMakefile
index 5d94741..1d9ecb9 100644
--- a/src/budb/NTMakefile
+++ b/src/budb/NTMakefile
@@ -81,7 +81,8 @@ EXELIBS =\
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(EXEFILE): $(EXEOBJS)  $(EXELIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
diff --git a/src/butc/Makefile.in b/src/butc/Makefile.in
index 1dbe5bf..4648f96 100644
--- a/src/butc/Makefile.in
+++ b/src/butc/Makefile.in
@@ -41,6 +41,7 @@ LIBS=${TOP_LIBDIR}/libbudb.a \
 	${TOP_LIBDIR}/liblwp.a \
         ${TOP_LIBDIR}/libcmd.a \
 	${TOP_LIBDIR}/libafscom_err.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a \
 	${TOP_LIBDIR}/libusd.a \
 	${TOP_LIBDIR}/util.a \
diff --git a/src/butc/NTMakefile b/src/butc/NTMakefile
index e0e0ffb..719333c 100644
--- a/src/butc/NTMakefile
+++ b/src/butc/NTMakefile
@@ -55,7 +55,8 @@ EXELIBS =\
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(EXERES): butc.rc AFS_component_version_number.h
 
diff --git a/src/finale/Makefile.in b/src/finale/Makefile.in
index c15415a..606f7c9 100644
--- a/src/finale/Makefile.in
+++ b/src/finale/Makefile.in
@@ -40,6 +40,7 @@ LIBS=${TOP_LIBDIR}/libubik.a \
 	${TOP_LIBDIR}/libkauth.a \
 	${TOP_LIBDIR}/libprot.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${XLIBS}
 
 all: translate_et
diff --git a/src/fsprobe/Makefile.in b/src/fsprobe/Makefile.in
index 6b1b9e7..c26d3f2 100644
--- a/src/fsprobe/Makefile.in
+++ b/src/fsprobe/Makefile.in
@@ -26,6 +26,7 @@ LIBS=${TOP_LIBDIR}/libvolser.a ${TOP_LIBDIR}/vlib.a ${TOP_LIBDIR}/libacl.a \
 	${TOP_LIBDIR}/liblwp.a \
 	${TOP_LIBDIR}/libsys.a \
 	${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 all: ${TOP_INCDIR}/afs/fsprobe.h ${TOP_LIBDIR}/libfsprobe.a fsprobe_test
diff --git a/src/gtx/Makefile.in b/src/gtx/Makefile.in
index b0433d0..1688e6f 100644
--- a/src/gtx/Makefile.in
+++ b/src/gtx/Makefile.in
@@ -36,6 +36,7 @@ LIBS=\
 	${TOP_LIBDIR}/libkauth.a \
 	${TOP_LIBDIR}/libauth.a \
 	${TOP_LIBDIR}/librxkad.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/libopr.a \
 	${TOP_LIBDIR}/util.a
diff --git a/src/kauth/Makefile.in b/src/kauth/Makefile.in
index 54b3849..c325247 100644
--- a/src/kauth/Makefile.in
+++ b/src/kauth/Makefile.in
@@ -51,6 +51,7 @@ LIBS=${TOP_LIBDIR}/libubik.a \
 	${TOP_LIBDIR}/libafsutil.a \
 	${TOP_LIBDIR}/libopr.a \
 	$(DBM) \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 KLIBS=${TOP_LIBDIR}/libubik.a \
@@ -65,6 +66,7 @@ KLIBS=${TOP_LIBDIR}/libubik.a \
 	${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/libafsutil.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 all: liboafs_kauth.la libauthent_kauth.la \
diff --git a/src/kauth/NTMakefile b/src/kauth/NTMakefile
index 6efcb3d..7e3897a 100644
--- a/src/kauth/NTMakefile
+++ b/src/kauth/NTMakefile
@@ -95,7 +95,8 @@ AFSLIBS =  \
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 TOKENLIB = $(DESTDIR)\lib\afs\afspioctl.lib
 
diff --git a/src/kauth/test/NTMakefile b/src/kauth/test/NTMakefile
index 0fe5c66..8a836c7 100644
--- a/src/kauth/test/NTMakefile
+++ b/src/kauth/test/NTMakefile
@@ -18,7 +18,8 @@ EXELIBS = \
 	$(DESTDIR)\afs\afsprot.lib \
 	$(DESTDIR)\afsrx.lib \
 	$(DESTDIR)\afs\afscom_err.lib \
-	$(DESTDIR)\afs\afskauth.lib
+	$(DESTDIR)\afs\afskauth.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 
 $(OUT)\multiklog.exe: $(OUT)\multiklog.obj
diff --git a/src/libafsrpc/Makefile.in b/src/libafsrpc/Makefile.in
index 78ba93e..95ad027 100644
--- a/src/libafsrpc/Makefile.in
+++ b/src/libafsrpc/Makefile.in
@@ -13,6 +13,7 @@ LT_objs = \
 	$(top_builddir)/src/fsint/libafsrpc_fsint.la \
 	$(top_builddir)/src/rx/libafsrpc_rx.la \
 	$(top_builddir)/src/rxkad/libafsrpc_rxkad.la \
+	$(top_builddir)/src/crypto/rfc3961/libafsrpc_rfc3961.la \
 	$(top_builddir)/src/comerr/libafsrpc_comerr.la \
 	$(top_builddir)/src/util/libafsrpc_util.la \
 	$(top_builddir)/src/rxstat/libafsrpc_rxstat.la \
diff --git a/src/libafsrpc/afsrpc.def b/src/libafsrpc/afsrpc.def
index 8c6bedd..5d22669 100755
--- a/src/libafsrpc/afsrpc.def
+++ b/src/libafsrpc/afsrpc.def
@@ -340,6 +340,7 @@ EXPORTS
 	initialize_RXK_error_table		@345
 	rx_GetNetworkError                      @346
         afs_set_com_err_hook                    @347
+	rxkad_NewKrb5ServerSecurityObject       @348
 
 ; for performance testing
         rx_TSFPQGlobSize                        @2001 DATA
diff --git a/src/libafsrpc/libafsrpc.la.sym b/src/libafsrpc/libafsrpc.la.sym
index b1858a9..b5c0571 100644
--- a/src/libafsrpc/libafsrpc.la.sym
+++ b/src/libafsrpc/libafsrpc.la.sym
@@ -153,6 +153,7 @@ rxi_RoundUpPacket
 rxi_SetCallNumberVector
 rxkad_GetServerInfo
 rxkad_NewClientSecurityObject
+rxkad_NewKrb5ServerSecurityObject
 rxkad_NewServerSecurityObject
 rxkad_global_stats
 rxkad_global_stats_lock
diff --git a/src/log/Makefile.in b/src/log/Makefile.in
index 49a48c3..cdc6397 100644
--- a/src/log/Makefile.in
+++ b/src/log/Makefile.in
@@ -22,6 +22,7 @@ LIBRARIES=${TOP_LIBDIR}/libauth.a \
 		${TOP_LIBDIR}/libsys.a \
 	        ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libcmd.a \
 	        ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \
+		${TOP_LIBDIR}/libafsrfc3961.a \
 		${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 KLIBRARIES=${TOP_LIBDIR}/libauth.krb.a \
@@ -30,6 +31,7 @@ KLIBRARIES=${TOP_LIBDIR}/libauth.krb.a \
 		${TOP_LIBDIR}/libsys.a \
 	        ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libcmd.a \
 	        ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libopr.a \
+		${TOP_LIBDIR}/libafsrfc3961.a \
 		${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 #
diff --git a/src/ptserver/Makefile.in b/src/ptserver/Makefile.in
index 3d018e8..dee4513 100644
--- a/src/ptserver/Makefile.in
+++ b/src/ptserver/Makefile.in
@@ -41,6 +41,7 @@ LIBS=   ${TOP_LIBDIR}/libubik.a \
 	${TOP_LIBDIR}/libaudit.a \
 	${TOP_LIBDIR}/libafsutil.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 LT_objs = ptuser.lo pterror.lo ptint.cs.lo ptint.xdr.lo display.lo
diff --git a/src/ptserver/NTMakefile b/src/ptserver/NTMakefile
index bc5846e..709bd44 100644
--- a/src/ptserver/NTMakefile
+++ b/src/ptserver/NTMakefile
@@ -73,7 +73,8 @@ PTSERVER_EXELIBS =\
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 !IF (("$(SYS_NAME)"!="i386_win95" ) && ("$(SYS_NAME)"!="I386_WIN95" ))
 PTSERVER_EXELIBS =$(PTSERVER_EXELIBS) $(DESTDIR)\lib\afs\afsprocmgmt.lib
@@ -126,7 +127,8 @@ PTS_EXELIBS =\
 	$(DESTDIR)\lib\libafsconf.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(PTS): $(PTS_EXEOBJS) $(PTS_EXELIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
diff --git a/src/rxkad/Makefile.in b/src/rxkad/Makefile.in
index 31ba16e..4300d6a 100644
--- a/src/rxkad/Makefile.in
+++ b/src/rxkad/Makefile.in
@@ -23,7 +23,8 @@ LT_objs=rxkad_client.lo rxkad_server.lo rxkad_common.lo rxkad_errs.lo \
 
 LT_deps=$(top_builddir)/src/comerr/liboafs_comerr.la \
 	$(top_builddir)/src/rx/liboafs_rx.la \
-	$(top_builddir)/src/opr/liboafs_opr.la
+	$(top_builddir)/src/opr/liboafs_opr.la \
+	$(top_builddir)/src/crypto/rfc3961/liboafs_rfc3961.la
 
 LT_libs=$(LDFLAGS_hcrypto) $(LIB_hcrypto)
 
diff --git a/src/rxkad/liboafs_rxkad.la.sym b/src/rxkad/liboafs_rxkad.la.sym
index 7590599..acf9f3c 100644
--- a/src/rxkad/liboafs_rxkad.la.sym
+++ b/src/rxkad/liboafs_rxkad.la.sym
@@ -2,6 +2,7 @@ initialize_RXK_error_table
 life_to_time
 rxkad_GetServerInfo
 rxkad_NewClientSecurityObject
+rxkad_NewKrb5ServerSecurityObject
 rxkad_NewServerSecurityObject
 time_to_life
 tkt_CheckTimes
diff --git a/src/rxkad/private_data.h b/src/rxkad/private_data.h
index a26c603..fc4ccf6 100644
--- a/src/rxkad/private_data.h
+++ b/src/rxkad/private_data.h
@@ -78,6 +78,7 @@ struct rxkad_sprivate {
     int (*get_key) (void *, int,
 		    struct ktc_encryptionKey *);
 				/* func. of kvno and server key ptr */
+    rxkad_get_key_enctype_func get_key_enctype;
     int (*user_ok) (char *, char *,
 		    char *, afs_int32);
 				/* func called with new client name */
diff --git a/src/rxkad/rxkad.p.h b/src/rxkad/rxkad.p.h
index 55cfcfa..141f534 100644
--- a/src/rxkad/rxkad.p.h
+++ b/src/rxkad/rxkad.p.h
@@ -91,6 +91,10 @@ typedef signed char rxkad_level;
 
 
 extern int rxkad_EpochWasSet;	/* TRUE => we called rx_SetEpoch */
+/* Get key by enctype.  Takes a rock (path to conf dir), kvno and enctype as
+ * input and returns the key and key length.  On input, the keylength parameter
+ * must be set to the length of storage allocated by the caller. */
+typedef int (*rxkad_get_key_enctype_func) (void *, int, int, void *, size_t *);
 
 #include <rx/rxkad_prototypes.h>
 
diff --git a/src/rxkad/rxkad_prototypes.h b/src/rxkad/rxkad_prototypes.h
index 9fa059f..e73f1d1 100644
--- a/src/rxkad/rxkad_prototypes.h
+++ b/src/rxkad/rxkad_prototypes.h
@@ -106,6 +106,12 @@ extern struct rx_securityClass *rxkad_NewServerSecurityObject(rxkad_level
 							       char *cell,
 							       afs_int32
 							       kvno));
+extern struct rx_securityClass *rxkad_NewKrb5ServerSecurityObject
+(rxkad_level level, void *get_key_rock,
+ int (*get_key) (void *get_key_rock, int kvno,
+		 struct ktc_encryptionKey *serverKey),
+ rxkad_get_key_enctype_func get_key_enctype,
+ int (*user_ok) (char *name, char *instance, char *cell, afs_int32 kvno));
 extern int rxkad_CheckAuthentication(struct rx_securityClass *aobj,
 				     struct rx_connection *aconn);
 extern int rxkad_CreateChallenge(struct rx_securityClass *aobj,
@@ -151,6 +157,7 @@ extern afs_uint32 _rxkad_crc_update(const char *p, size_t len, afs_uint32 res);
 extern int tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
 			     int (*get_key) (void *, int,
 					     struct ktc_encryptionKey *),
+			     rxkad_get_key_enctype_func get_key2,
 			     char *get_key_rock, int serv_kvno, char *name,
 			     char *inst, char *cell, struct ktc_encryptionKey *session_key,
 			     afs_int32 * host, afs_uint32 * start,
diff --git a/src/rxkad/rxkad_server.c b/src/rxkad/rxkad_server.c
index be0abef..07e806b 100644
--- a/src/rxkad/rxkad_server.c
+++ b/src/rxkad/rxkad_server.c
@@ -165,6 +165,23 @@ rxkad_NewServerSecurityObject(rxkad_level level, void *get_key_rock,
     return tsc;
 }
 
+struct rx_securityClass *
+rxkad_NewKrb5ServerSecurityObject(rxkad_level level, void *get_key_rock,
+				  int (*get_key) (void *get_key_rock, int kvno,
+						  struct ktc_encryptionKey *
+						  serverKey),
+				  rxkad_get_key_enctype_func get_key_enctype,
+				  int (*user_ok) (char *name, char *instance,
+						  char *cell, afs_int32 kvno)
+) {
+    struct rx_securityClass *tsc;
+    struct rxkad_sprivate *tsp;
+    tsc = rxkad_NewServerSecurityObject(level, get_key_rock, get_key, user_ok);
+    tsp = (struct rxkad_sprivate *)tsc->privateData;
+    tsp->get_key_enctype = get_key_enctype;
+    return tsc;
+}
+
 /* server: called to tell if a connection authenticated properly */
 
 int
@@ -325,8 +342,9 @@ rxkad_CheckResponse(struct rx_securityClass *aobj,
     if (code == -1 && ((kvno == RXKAD_TKT_TYPE_KERBEROS_V5)
 	|| (kvno == RXKAD_TKT_TYPE_KERBEROS_V5_ENCPART_ONLY))) {
 	code =
-	    tkt_DecodeTicket5(tix, tlen, tsp->get_key, tsp->get_key_rock,
-			      kvno, client.name, client.instance, client.cell,
+	    tkt_DecodeTicket5(tix, tlen, tsp->get_key, tsp->get_key_enctype,
+			      tsp->get_key_rock, kvno, client.name,
+			      client.instance, client.cell,
 			      &sessionkey, &host, &start, &end,
 			      tsp->flags & RXS_CONFIG_FLAGS_DISABLE_DOTCHECK);
 	if (code)
diff --git a/src/rxkad/ticket5.c b/src/rxkad/ticket5.c
index f0e830c..5ce4c7a 100644
--- a/src/rxkad/ticket5.c
+++ b/src/rxkad/ticket5.c
@@ -81,6 +81,10 @@
 #include "v5der.c"
 #include "v5gen.c"
 
+#define RFC3961_NO_ENUMS
+#define RFC3961_NO_CKSUM
+#include <afs/rfc3961.h>
+
 /*
  * Principal conversion Taken from src/lib/krb5/krb/conv_princ from MIT Kerberos.  If you
  * find a need to change the services here, please consider opening a
@@ -176,12 +180,19 @@ static int
 int
 tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
 		  int (*get_key) (void *, int, struct ktc_encryptionKey *),
+		  rxkad_get_key_enctype_func get_key_enctype,
 		  char *get_key_rock, int serv_kvno, char *name, char *inst,
 		  char *cell, struct ktc_encryptionKey *session_key, afs_int32 * host,
 		  afs_uint32 * start, afs_uint32 * end, afs_int32 disableCheckdot)
 {
     char plain[MAXKRB5TICKETLEN];
     struct ktc_encryptionKey serv_key;
+    void *keybuf;
+    size_t keysize, allocsiz;
+    krb5_context context;
+    krb5_keyblock k;
+    krb5_crypto cr;
+    krb5_data plaindata;
     Ticket t5;			/* Must free */
     EncTicketPart decr_part;	/* Must free */
     int code;
@@ -224,25 +235,82 @@ tkt_DecodeTicket5(char *ticket, afs_int32 ticket_len,
     case ETYPE_DES_CBC_CRC:
     case ETYPE_DES_CBC_MD4:
     case ETYPE_DES_CBC_MD5:
+	/* check ticket */
+	if (t5.enc_part.cipher.length > sizeof(plain)
+	    || t5.enc_part.cipher.length % 8 != 0)
+	    goto bad_ticket;
+
+	code = (*get_key) (get_key_rock, v5_serv_kvno, &serv_key);
+	if (code)
+	    goto unknown_key;
+
+	/* Decrypt data here, save in plain, assume it will shrink */
+	code =
+	    krb5_des_decrypt(&serv_key, t5.enc_part.etype,
+			     t5.enc_part.cipher.data, t5.enc_part.cipher.length,
+			     plain, &plainsiz);
 	break;
     default:
-	goto unknown_key;
+	if (get_key_enctype == NULL)
+	    goto unknown_key;
+	code = krb5_init_context(&context);
+	if (code != 0)
+	    goto unknown_key;
+	code = krb5_enctype_valid(context, t5.enc_part.etype);
+	if (code != 0) {
+	    krb5_free_context(context);
+	    goto unknown_key;
+	}
+	code = krb5_enctype_keybits(context,  t5.enc_part.etype, &keysize);
+	if (code != 0) {
+	    krb5_free_context(context);
+	    goto unknown_key;
+	}
+	keysize = keysize / 8;
+	allocsiz = keysize;
+	keybuf = rxi_Alloc(allocsiz);
+	/* this is not quite a hole for afsconf_GetKeyByTypes. A wrapper
+	   that calls afsconf_GetKeyByTypes and afsconf_typedKey_values
+	   is needed */
+	code = get_key_enctype(get_key_rock, v5_serv_kvno, t5.enc_part.etype,
+			       keybuf, &keysize);
+	if (code) {
+	    rxi_Free(keybuf, allocsiz);
+	    krb5_free_context(context);
+	    goto unknown_key;
+	}
+	code = krb5_keyblock_init(context, t5.enc_part.etype,
+				  keybuf, keysize, &k);
+	rxi_Free(keybuf, allocsiz);
+	if (code != 0) {
+	    krb5_free_context(context);
+	    goto unknown_key;
+	}
+	code = krb5_crypto_init(context, &k, t5.enc_part.etype, &cr);
+	krb5_free_keyblock_contents(context, &k);
+	if (code != 0) {
+	    krb5_free_context(context);
+	    goto unknown_key;
+	}
+#ifndef KRB5_KU_TICKET
+#define KRB5_KU_TICKET 2
+#endif
+	code = krb5_decrypt(context, cr, KRB5_KU_TICKET, t5.enc_part.cipher.data,
+			    t5.enc_part.cipher.length, &plaindata);
+	krb5_crypto_destroy(context, cr);
+	if (code == 0) {
+	    if (plaindata.length > MAXKRB5TICKETLEN) {
+		krb5_data_free(&plaindata);
+		krb5_free_context(context);
+		goto bad_ticket;
+	    }
+	    memcpy(plain, plaindata.data, plaindata.length);
+	    plainsiz = plaindata.length;
+	    krb5_data_free(&plaindata);
+	}
+	krb5_free_context(context);
     }
 
-    /* check ticket */
-    if (t5.enc_part.cipher.length > sizeof(plain)
-	|| t5.enc_part.cipher.length % 8 != 0)
-	goto bad_ticket;
-
-    code = (*get_key) (get_key_rock, v5_serv_kvno, &serv_key);
-    if (code)
-	goto unknown_key;
-
-    /* Decrypt data here, save in plain, assume it will shrink */
-    code =
-	krb5_des_decrypt(&serv_key, t5.enc_part.etype,
-			 t5.enc_part.cipher.data, t5.enc_part.cipher.length,
-			 plain, &plainsiz);
     if (code != 0)
 	goto bad_ticket;
 
diff --git a/src/scout/Makefile.in b/src/scout/Makefile.in
index 53e8b2d..d7708cd 100644
--- a/src/scout/Makefile.in
+++ b/src/scout/Makefile.in
@@ -43,6 +43,7 @@ LIBS=${TOP_LIBDIR}/libgtx.a \
 	${TOP_LIBDIR}/liblwp.a \
 	${TOP_LIBDIR}/util.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 all: scout
diff --git a/src/sgistuff/Makefile.in b/src/sgistuff/Makefile.in
index 5c55120..5d36ea1 100644
--- a/src/sgistuff/Makefile.in
+++ b/src/sgistuff/Makefile.in
@@ -25,6 +25,7 @@ AFSLIBS=${TOP_LIBDIR}/libkauth.a \
 	${TOP_LIBDIR}/librxkad.a \
 	${TOP_LIBDIR}/libsys.a \
 	${LIBDIR}/librx.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a \
 	${LIBDIR}/liblwp.a \
         ${TOP_LIBDIR}/libcmd.a \
@@ -38,6 +39,7 @@ KAFSLIBS=${TOP_LIBDIR}/libkauth.krb.a \
 	${TOP_LIBDIR}/librxkad.a \
 	${TOP_LIBDIR}/libsys.a \
 	${LIBDIR}/librx.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a \
 	${LIBDIR}/liblwp.a \
         ${TOP_LIBDIR}/libcmd.a \
diff --git a/src/tbutc/NTMakefile b/src/tbutc/NTMakefile
index ee134fa..3c991f3 100644
--- a/src/tbutc/NTMakefile
+++ b/src/tbutc/NTMakefile
@@ -83,7 +83,8 @@ BUTCLIBS=$(DESTDIR)\lib\afs\afsbudb.lib  \
 	     $(DESTDIR)\lib\libafsconf.lib \
 	     $(DESTDIR)\lib\opr.lib \
 	     $(DESTDIR)\lib\afshcrypto.lib \
-	     $(DESTDIR)\lib\afsroken.lib
+	     $(DESTDIR)\lib\afsroken.lib \
+	     $(DESTDIR)\lib\afsrfc3961.lib
 
 # rm $(OUT)\tcstatus.obj
 # nmake /nologo /f ntmakefile install
diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index c9a82f5..c7d3e0c 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -11,7 +11,7 @@ SYS_LIBS	= ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a $
 
 AUTH_LIBS	= ${TOP_LIBDIR}/libauth.a ${SYS_LIBS}
 
-INT_LIBS	= ${TOP_LIBDIR}/libafsint.a ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libafscom_err.a ${TOP_LIBDIR}/util.a
+INT_LIBS	= ${TOP_LIBDIR}/libafsint.a ${TOP_LIBDIR}/libsys.a ${TOP_LIBDIR}/librxkad.a ${TOP_LIBDIR}/librx.a ${TOP_LIBDIR}/liblwp.a ${TOP_LIBDIR}/libafscom_err.a ${TOP_LIBDIR}/util.a ${TOP_LIBDIR}/libafsrfc3961.a
 
 TEST_PROGRAMS = write-ro-file hello-world read-vs-mmap read-vs-mmap2	 \
 		mmap-and-read large-dir large-dir2 large-dir3 mountpoint \
diff --git a/src/tptserver/NTMakefile b/src/tptserver/NTMakefile
index f535923..6ccfd7d 100644
--- a/src/tptserver/NTMakefile
+++ b/src/tptserver/NTMakefile
@@ -95,7 +95,8 @@ PTSERVER_EXELIBS =\
 	$(DESTDIR)\lib\libafsconf.lib \
         $(DESTDIR)\lib\afs\afspioctl.lib \
         $(DESTDIR)\lib\afs\afsprocmgmt.lib \
-        $(DESTDIR)\lib\afspthread.lib
+        $(DESTDIR)\lib\afspthread.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(PTSERVER): $(PTSERVER_EXEOBJS) $(PTUTILS_OBJ) $(PTINT_XDR_OBJ) $(UTILS_OBJ) $(MAP_OBJ) $(LWP_OBJS) $(PTSERVER_EXERES) $(RXKADOBJS) $(PTSERVER_EXELIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
diff --git a/src/tsm41/Makefile.in b/src/tsm41/Makefile.in
index a524901..a88a2e7 100644
--- a/src/tsm41/Makefile.in
+++ b/src/tsm41/Makefile.in
@@ -18,6 +18,7 @@ AFSLIBS = \
 		${TOP_LIBDIR}/libauth.a \
 		${TOP_LIBDIR}/librxkad.a \
 		${TOP_LIBDIR}/libsys.a \
+		${TOP_LIBDIR}/libafsrfc3961.a \
 		${TOP_LIBDIR}/libafshcrypto_lwp.a \
 		${TOP_LIBDIR}/librx.a \
 		${TOP_LIBDIR}/liblwp.a \
diff --git a/src/update/Makefile.in b/src/update/Makefile.in
index 96fb5d1..2dd023d 100644
--- a/src/update/Makefile.in
+++ b/src/update/Makefile.in
@@ -19,6 +19,7 @@ LIBS=${TOP_LIBDIR}/libauth.a \
 	${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/util.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 all: upserver upclient
diff --git a/src/update/NTMakefile b/src/update/NTMakefile
index 5577e64..2f6f9e7 100644
--- a/src/update/NTMakefile
+++ b/src/update/NTMakefile
@@ -25,7 +25,8 @@ LIBS = \
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 ############################################################################
 # Definitions for generating files via RXGEN
diff --git a/src/uss/Makefile.in b/src/uss/Makefile.in
index 0fe7867..250aa3f 100644
--- a/src/uss/Makefile.in
+++ b/src/uss/Makefile.in
@@ -30,6 +30,7 @@ LIBS=${TOP_LIBDIR}/libvolser.a \
 	${TOP_LIBDIR}/libafscom_err.a \
 	${TOP_LIBDIR}/util.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 OBJS =  uss_procs.o \
diff --git a/src/venus/Makefile.in b/src/venus/Makefile.in
index c78a80e..7eb6aed 100644
--- a/src/venus/Makefile.in
+++ b/src/venus/Makefile.in
@@ -47,6 +47,7 @@ FSLIBS=${TOP_LIBDIR}/libsys.a \
 	 ${TOP_LIBDIR}/libaudit.a \
 	 $(TOP_LIBDIR)/libafsutil.a \
 	 $(TOP_LIBDIR)/libopr.a \
+	 ${TOP_LIBDIR}/libafsrfc3961.a \
 	 ${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 CMLIBS=${TOP_LIBDIR}/libsys.a \
diff --git a/src/viced/NTMakefile b/src/viced/NTMakefile
index 3c0b782..72aa02d 100644
--- a/src/viced/NTMakefile
+++ b/src/viced/NTMakefile
@@ -82,7 +82,8 @@ EXELIBS = \
         $(DESTDIR)\lib\afs\mtafsdir.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afspthread.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(EXEFILE): $(EXEOBJS) $(EXELIBS)
 	$(EXECONLINK)
diff --git a/src/vlserver/Makefile.in b/src/vlserver/Makefile.in
index d2ac689..13957e4 100644
--- a/src/vlserver/Makefile.in
+++ b/src/vlserver/Makefile.in
@@ -35,6 +35,7 @@ LIBS=\
 	${TOP_LIBDIR}/libaudit.a \
 	${TOP_LIBDIR}/libafsutil.a \
 	$(TOP_LIBDIR)/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 LT_objs = vldbint.xdr.lo vldbint.cs.lo vl_errors.lo
diff --git a/src/vlserver/NTMakefile b/src/vlserver/NTMakefile
index fc28ef9..d097ab5 100644
--- a/src/vlserver/NTMakefile
+++ b/src/vlserver/NTMakefile
@@ -92,7 +92,8 @@ VLSERVER_EXECLIBS = \
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 $(VLSERVER): $(VLSERVER_EXEOBJS) $(LIBFILE) $(VLSERVER_EXECLIBS)
 	$(EXECONLINK) dnsapi.lib mpr.lib iphlpapi.lib shell32.lib
diff --git a/src/volser/Makefile.in b/src/volser/Makefile.in
index 87f4dd4..4066959 100644
--- a/src/volser/Makefile.in
+++ b/src/volser/Makefile.in
@@ -42,6 +42,7 @@ LIBS=\
 	${TOP_LIBDIR}/libusd.a \
 	${TOP_LIBDIR}/util.a \
 	${TOP_LIBDIR}/libopr.a \
+	${TOP_LIBDIR}/libafsrfc3961.a \
 	${TOP_LIBDIR}/libafshcrypto_lwp.a
 
 VOLDUMP_LIBS = \
diff --git a/src/volser/NTMakefile b/src/volser/NTMakefile
index 8622554..e134b62 100644
--- a/src/volser/NTMakefile
+++ b/src/volser/NTMakefile
@@ -75,7 +75,8 @@ EXEC_LIBS = \
         $(DESTDIR)\lib\afs\afspioctl.lib \
 	$(DESTDIR)\lib\opr.lib \
 	$(DESTDIR)\lib\afshcrypto.lib \
-	$(DESTDIR)\lib\afsroken.lib
+	$(DESTDIR)\lib\afsroken.lib \
+	$(DESTDIR)\lib\afsrfc3961.lib
 
 
 ############################################################################