authorno author <devnull@mit.edu>2004-01-07 23:25:10 +0000
committerno author <devnull@mit.edu>2004-01-07 23:25:10 +0000
commitc31bf6d84dd9638396a0ee8a9a1ff34ec2d85ca9 (patch)
treefcbc663b79f288481d3ff2004e7c38282b390c1d /src/include
parent6670198c5e4945eaabfec95e24b0c47c7d97fc44 (diff)
This commit was manufactured by cvs2svn to create tagkfw-2.6-beta1
'kfw-2_6-beta-1'. git-svn-id: svn://anonsvn.mit.edu/krb5/tags/kfw-2_6-beta-1@15980 dc483132-0cff-0310-8789-dd5450dbe970
Diffstat (limited to 'src/include')
-rw-r--r--src/include/ChangeLog241
-rw-r--r--src/include/Makefile.in12
-rw-r--r--src/include/configure.in3
-rw-r--r--src/include/fake-addrinfo.h88
-rw-r--r--src/include/foreachaddr.c14
-rw-r--r--src/include/k5-int.h178
-rw-r--r--src/include/k5-platform.h170
-rw-r--r--src/include/kerberosIV/ChangeLog5
-rw-r--r--src/include/kerberosIV/krb.h4
-rw-r--r--src/include/krb5.hin110
-rw-r--r--src/include/krb5/ChangeLog4
-rw-r--r--src/include/krb5/kdb.h4
-rw-r--r--src/include/krb5/stock/ChangeLog4
-rw-r--r--src/include/krb5/stock/osconf.h2
-rw-r--r--src/include/port-sockets.h15
-rw-r--r--src/include/win-mac.h9
16 files changed, 777 insertions, 86 deletions
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index a8e7726..f7283b9 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,244 @@
+2004-01-04 Jeffrey Altman <jaltman@mit.edu>
+
+ * win-mac.h: conditionally define strcasecmp/strncasecmp macros
+ only if they do not already exist.
+
+2003-12-18 Jeffrey Altman <jaltman@mit.edu>
+
+ * k5-int.h: add new functions to krb5int_access for use by gssapi
+
+2003-12-15 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-platform.h (SIZE_MAX): Provide default definition if stdint.h
+ doesn't define it.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * win-mac.h: source code written to the C99 standard assumes there
+ are standard definitions for the MAX sizes of C types including
+ size_t. The MAX preprocessor variables are declared in limits.h
+ but limits.h is not included by any of the other header files.
+ We will therefore include it via win-mac.h. We must also add a
+ declaration of SIZE_MAX (for size_t) because Microsoft does not
+ provide one.
+
+2003-12-15 Jeffrey Altman <jaltman@mit.edu>
+
+ * k5-platform.h: apply casts (unsigned char) to the assignments from
+ 64-bit ints to unsigned char fields to avoid warnings
+
+2003-12-13 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (KRB5_AUTH_CONTEXT_USE_SUBKEY): New macro.
+
+ * k5-int.h (struct krb5_keytypes): Added field required_ctype.
+ (krb5int_c_mandatory_cksumtype): New declaration.
+ (krb5int_generate_and_set_subkey): Declare.
+ (memset) [__GNUC__ && __GLIBC__]: Undef, to reduce compilation
+ warnings in zap() macro with volatile pointer.
+
+ * k5-platform.h: New header file. Manages inline-function and
+ 64-bit support, in platform-specific ways.
+ * fake-addrinfo.h: Include k5-platform.h.
+ (inline): Don't define here.
+ * k5-int.h: Include k5-platform.h.
+ (krb5_ui_8, krb5_int64): New typedefs.
+ (krb5_ser_pack_int64, krb5_ser_unpack_int64): New function decls.
+
+2003-10-08 Tom Yu <tlyu@mit.edu>
+
+ * k5-int.h: Add prototypes for decode_krb5_safe_with_body and
+ encode_krb5_safe_with_body.
+
+2003-08-29 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h (WRAP_GETADDRINFO, COPY_FIRST_CANONNAME): Don't
+ define on Linux unless HAVE_GETADDRINFO is defined, for libc5
+ compatibility.
+
+2003-08-26 Ken Raeburn <raeburn@mit.edu>
+
+ * foreachaddr.c (foreach_localaddr) [HAVE_IFADDRS_H]: Skip over
+ any returned data structure with a NULL ifa_addr field.
+
+2003-07-31 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb5.hin: krb5_get_host_realm and krb5_free_host_realm should
+ not be labeled as KRB5_PRIVATE. They are required for many
+ applications including OpenAFS and UMich's Kx509. 1.2.8 had them
+ public but the change was never reflected on the trunk.
+
+2003-07-22 Alexandra Ellwood <lxs@mit.edu>
+
+ * fake-addrinfo.h: Don't use broken getaddrinfo on Mac OS X
+
+2003-07-22 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (krb5int_zap_data, zap): New macros; call memset with
+ volatile cast for now.
+
+2003-07-21 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5_32.def: Export krb5_principal2salt.
+
+2003-07-09 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5.hin: Export krb5_get_permitted_enctypes and
+ krb5_set_real_time for Samba.
+
+2003-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct krb5_cksumtypes): Add new field trunc_size.
+
+2003-06-12 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: krb524_init_ets() takes one argument.
+
+2003-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct srv_dns_entry): Declare.
+ (krb5int_make_srv_query_realm, krb5int_free_srv_dns_data):
+ Declare.
+ (struct _krb5int_access): Add make_srv_query_realm and
+ free_srv_dns_data fields.
+
+2003-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct _krb5int_access): Add locate_server back in.
+
+2003-05-27 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (KRB524_SERVICE, KRB524_PORT): Moved here...
+ * krb5.h: ...from here.
+ (krb5_524_convert_creds): Renamed from krb524_convert_creds_kdc,
+ fixed calling convention spec.
+ (krb524_convert_creds_kdc, krb524_init_ets) [KRB5_DEPRECATED]: New
+ macros.
+
+ * Makefile.in (clean-windows): Remove new "timestamp" file when
+ cleaning up.
+
+2003-05-25 Ezra Peisach <epeisach@mit.edu>
+
+ * krb5.hin: Sequence number of krb5_replay_data should be unsigned.
+
+2003-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (krb5.h): Include krb524_err.h.
+ (krb524_err.h): Depend on rebuild-error-tables like krb5_err.h and
+ friends. Add a null command to cause make to recheck the
+ timestamp on the files possibly updated.
+ (clean-unix): Get rid of it.
+ * k5-int.h (KRb5INT_ACCESS_STRUCT_VERSION): Update to 7.
+ (struct ktext) [!defined(ANAME_SZ)]: Declare forward.
+ (krb5int_access): Delete krb5_locate_kdc, krb5_locate_server,
+ krb5_max_dgram_size and timeout fields. Add krb_life_to_time,
+ krb_time_to_life, and krb524_encode_v4tkt function pointer
+ fields. Reorder fields, and add comments.
+ (krb5int_krb_life_to_time, krb5int_krb_time_to_life,
+ krb5int_encode_v4tkt, krb5int_524_sendto_kdc): Declare.
+ * krb5.hin (KRB524_SERVICE, KRB524_PORT): New macros.
+ (struct credentials): Declare forward.
+ (krb524_convert_creds_kdc): Declare.
+
+2003-05-22 Tom Yu <tlyu@mit.edu>
+
+ * k5-int.h: Add prototype for krb5int_auth_con_chkseqnum.
+
+ * krb5.hin: Default KRB5_DEPRECATED to 0. Default KRB5_PRIVATE to
+ 0 on all platforms.
+
+2003-05-22 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: krb5int_populate_gic_opt returns void
+
+2003-05-19 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Prototype krb5int_populate_gic_opt
+
+2003-05-18 Tom Yu <tlyu@mit.edu>
+
+ * k5-int.h: Sequence numbers are now unsigned.
+
+ * krb5.hin: Sequence numbers are now unsigned.
+
+2003-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (KRB5_KPASSWD_ACCESSDENIED): New macro.
+ (KRB5_KPASSWD_BAD_VERSION, KRB5_KPASSWD_INITIAL_FLAG_NEEDED): New
+ macros.
+
+2003-05-13 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add krb5int_copy_data_contents
+
+2003-05-08 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add prototype for krb5_c_string_to_key_with_params
+
+ * k5-int.h: Add s2kparams to krb5_gic_get_as_key_fct
+
+2003-05-07 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add KRB5_PADATA_ETYPE_INFO2
+
+2003-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * k5-int.h (struct _krb5_context): New fields conf_tgs_ktypes,
+ conf_tgs_ktypes_count, use_conf_ktypes.
+
+2003-05-09 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: Add krb5_auth_con_getsendsubkey,
+ krb5_auth_con_getrecvsubkey, krb5_auth_con_setsendsubkey,
+ krb5_auth_con_setrecvsubkey. Mark krb5_auth_con_getlocalsubkey
+ and krb5_auth_con_getremotesubkey as deprecated.
+
+2003-05-06 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add s2kparams to
+ krb5_etype_info_entry
+ Add encode_etype_info2 and decode_etype_info2
+
+2003-05-02 Ken Raeburn <raeburn@mit.edu>
+
+ * port-sockets.h (inet_ntop) [!_WIN32 && !HAVE_MACSOCK_H]: Define
+ as a macro if not provided by the OS.
+
+2003-04-17 Sam Hartman <hartmans@mit.edu>
+
+ * k5-int.h: Add encode_krb5_setpw_req
+
+2003-04-15 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Add krb5_set_password
+ Move krb5*_chpw internals to k5int.h
+
+ * k5-int.h: Add prototypes for set-password helper functions
+
+2003-04-07 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h (getaddrinfo) [NUMERIC_SERVICE_BROKEN]:
+ Overwrite the port number only if a numeric service port was
+ supplied.
+
+2003-04-01 Ken Raeburn <raeburn@mit.edu>
+
+ * fake-addrinfo.h (COPY_FIRST_CANONNAME) [_AIX]: Define.
+ (GET_HOST_BY_NAME) [_AIX]: New version for AIX version of
+ gethostbyname_r.
+ (getaddrinfo) [NUMERIC_SERVICE_BROKEN]: Use "discard" as a dummy
+ service name instead of none at all. Don't check for unsigned
+ value less than zero.
+ (getaddrinfo) [COPY_FIRST_CANONNAME]: Set any ai_canonname fields
+ other than the first one to null.
+
+2003-03-18 Alexandra Ellwood <lxs@mit.edu>
+
+ * configure.in: Use KRB5_AC_NEED_BIND_8_COMPAT to check for bind 9
+ and higher. When bind 9 is present, BIND_8_COMPAT needs to be
+ defined to get bind 8 types.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* krb5.h: Removed enumsalwaysint because there are no typed
diff --git a/src/include/Makefile.in b/src/include/Makefile.in
index df81029..6674a7c 100644
--- a/src/include/Makefile.in
+++ b/src/include/Makefile.in
@@ -31,18 +31,19 @@ $(srcdir)/krb5/autoconf.stmp: $(srcdir)/configure.in
cd $(srcdir) && $(AUTOHEADER) --localdir=$(CONFIG_RELTOPDIR) $(AUTOHEADERFLAGS)
touch $(srcdir)/krb5/autoconf.stmp
-krb5.h: krb5/autoconf.h $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h \
+krb5.h: krb5/autoconf.h $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h
echo "/* This file is generated, please don't edit it directly. */" > krb5.h
grep SIZEOF krb5/autoconf.h >> krb5.h
- cat $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h \
+ cat $(srcdir)/krb5.hin krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h >> krb5.h
#
# Build the error table include files:
-# asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h
+# asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h
-asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h: rebuild-error-tables
+asn1_err.h kdb5_err.h krb5_err.h kv5m_err.h krb524_err.h: rebuild-error-tables
+ : $@
rebuild-error-tables:
(cd ../lib/krb5/error_tables && $(MAKE) includes)
@@ -53,9 +54,10 @@ asn1_err.h: $(SRCTOP)/lib/krb5/error_tables/asn1_err.et
kdb5_err.h: $(SRCTOP)/lib/krb5/error_tables/kdb5_err.et
krb5_err.h: $(SRCTOP)/lib/krb5/error_tables/krb5_err.et
kv5m_err.h: $(SRCTOP)/lib/krb5/error_tables/kv5m_err.et
+krb524_err.h: $(SRCTOP)/lib/krb5/error_tables/krb524_err.et
clean-unix::
- $(RM) krb5.h krb5_err.h kdb5_err.h kv5m_err.h \
+ $(RM) krb5.h krb5_err.h kdb5_err.h kv5m_err.h krb524_err.h \
asn1_err.h
clean-mac::
diff --git a/src/include/configure.in b/src/include/configure.in
index 7287f15..71b47ff 100644
--- a/src/include/configure.in
+++ b/src/include/configure.in
@@ -181,6 +181,9 @@ if test $krb5_cv_has_type_socklen_t = yes; then
fi
dnl
dnl
+KRB5_AC_NEED_BIND_8_COMPAT
+dnl
+dnl
AC_ARG_ENABLE([athena],
[ --enable-athena build with MIT Project Athena configuration],
AC_DEFINE(KRB5_ATHENA_COMPAT,1,[Define if MIT Project Athena default configuration should be used]),)
diff --git a/src/include/fake-addrinfo.h b/src/include/fake-addrinfo.h
index d32802a..79133c2 100644
--- a/src/include/fake-addrinfo.h
+++ b/src/include/fake-addrinfo.h
@@ -89,8 +89,10 @@
#define FAI_DEFINED
#include "port-sockets.h"
#include "socket-utils.h"
+#include "k5-platform.h"
#ifdef S_SPLINT_S
+/*@-incondefs@*/
extern int
getaddrinfo (/*@in@*/ /*@null@*/ const char *,
/*@in@*/ /*@null@*/ const char *,
@@ -108,23 +110,28 @@ getnameinfo (const struct sockaddr *addr, socklen_t addrsz,
/*@requires (maxSet(h)+1) >= hsz /\ (maxSet(s)+1) >= ssz @*/
/* too hard: maxRead(addr) >= (addrsz-1) */
/*@modifies *h, *s@*/;
-extern /*@dependent@*/ char *
-gai_strerror (int code) /*@*/;
+extern /*@dependent@*/ char *gai_strerror (int code) /*@*/;
+/*@=incondefs@*/
#endif
-#if defined (__linux__) || defined (_AIX)
+#if defined (__APPLE__) && defined (__MACH__)
+#undef HAVE_GETADDRINFO
+#endif
+
+#if (defined (__linux__) && defined(HAVE_GETADDRINFO)) || defined (_AIX)
/* See comments below. */
# define WRAP_GETADDRINFO
/* # define WRAP_GETNAMEINFO */
#endif
-#ifdef __linux__
+#if defined (__linux__) && defined(HAVE_GETADDRINFO)
# define COPY_FIRST_CANONNAME
#endif
#ifdef _AIX
# define NUMERIC_SERVICE_BROKEN
+# define COPY_FIRST_CANONNAME
#endif
@@ -152,6 +159,29 @@ gai_strerror (int code) /*@*/;
#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
{ (HP) = gethostbyaddr ((ADDR), (ADDRLEN), (FAMILY)); (ERR) = h_errno; }
#else
+#ifdef _AIX /* XXX should have a feature test! */
+#define GET_HOST_BY_NAME(NAME, HP, ERR) \
+ { \
+ struct hostent my_h_ent; \
+ struct hostent_data my_h_ent_data; \
+ (HP) = (gethostbyname_r((NAME), &my_h_ent, &my_h_ent_data) \
+ ? 0 \
+ : &my_h_ent); \
+ (ERR) = h_errno; \
+ }
+/*
+#define GET_HOST_BY_ADDR(ADDR, ADDRLEN, FAMILY, HP, ERR) \
+ { \
+ struct hostent my_h_ent; \
+ struct hostent_data my_h_ent_data; \
+ (HP) = (gethostbyaddr_r((ADDR), (ADDRLEN), (FAMILY), &my_h_ent, \
+ &my_h_ent_data) \
+ ? 0 \
+ : &my_h_ent); \
+ (ERR) = my_h_err; \
+ }
+*/
+#else
#ifdef GETHOSTBYNAME_R_RETURNS_INT
#define GET_HOST_BY_NAME(NAME, HP, ERR) \
{ \
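Review bot: The AIX `GET_HOST_BY_NAME` sets `(HP)` to `&my_h_ent`, but `my_h_ent` is declared inside the macro's own braces, so its lifetime ends before the caller can dereference `HP`. The result storage would need to live in the caller's scope, for example declared by a separate macro expanded at the top of the calling function. The other variants, only partly visible here, may share this pattern. Separately, my recollection is that AIX expects `struct hostent_data` to be zero-filled before its first use, which `memset(&my_h_ent_data, 0, sizeof my_h_ent_data);` ahead of the call would cover; please confirm against the platform documentation. The commented-out `GET_HOST_BY_ADDR` reads `my_h_err`, which it never declares, so it will not compile if re-enabled as written.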
@@ -196,7 +226,8 @@ gai_strerror (int code) /*@*/;
my_h_buf, sizeof (my_h_buf), &my_h_err); \
(ERR) = my_h_err; \
}
-#endif
+#endif /* returns int? */
+#endif /* _AIX */
#endif
/* Now do the same for getservby* functions. */
@@ -898,19 +929,19 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
/* AIX 4.3.3 is broken. (Or perhaps out of date?)
If a numeric service is provided, and it doesn't correspond to
- a known service name, an error code (for "host not found") is
- returned. If the port maps to a known service, all is
- well. */
+ a known service name for tcp or udp (as appropriate), an error
+ code (for "host not found") is returned. If the port maps to a
+ known service for both udp and tcp, all is well. */
if (serv && serv[0] && isdigit(serv[0])) {
unsigned long lport;
char *end;
lport = strtoul(serv, &end, 10);
if (!*end) {
- if (lport < 0 || lport > 65535)
+ if (lport > 65535)
return EAI_SOCKTYPE;
service_is_numeric = 1;
service_port = htons(lport);
- serv = 0;
+ serv = "discard"; /* defined for both udp and tcp */
if (hint)
socket_type = hint->ai_socktype;
}
@@ -948,7 +979,10 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
approach: If getaddrinfo sets ai_canonname, we'll replace the
*first* one with allocated storage, and free up that pointer in
freeaddrinfo if it's set; the other ai_canonname fields will be
- left untouched.
+ left untouched. And we'll just pray that the application code
+ won't mess around with the list structure; if we start doing
+ that, we'll have to start replacing and freeing all of the
+ ai_canonname fields.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=133668 .
@@ -961,7 +995,9 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
set, the returned ai_canonname field can be null. The NetBSD
1.5 implementation also does this, if the input hostname is a
numeric host address string. That case isn't handled well at
- the moment. */
+ the moment.
+
+ Libc version 5 didn't have getaddrinfo at all. */
#ifdef COPY_FIRST_CANONNAME
/*
@@ -1017,20 +1053,28 @@ getaddrinfo (const char *name, const char *serv, const struct addrinfo *hint,
#endif
return EAI_MEMORY;
}
+ /* Zap the remaining ai_canonname fields glibc fills in, in
+ case the application messes around with the list
+ structure. */
+ while ((ai = ai->ai_next) != NULL)
+ ai->ai_canonname = 0;
}
#endif
#ifdef NUMERIC_SERVICE_BROKEN
- for (ai = *result; ai; ai = ai->ai_next) {
- if (socket_type != 0 && ai->ai_socktype == 0)
- ai->ai_socktype = socket_type;
- switch (ai->ai_family) {
- case AF_INET:
- ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
- break;
- case AF_INET6:
- ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
- break;
+ if (service_port != 0) {
+ for (ai = *result; ai; ai = ai->ai_next) {
+ if (socket_type != 0 && ai->ai_socktype == 0)
+ /* Is this check actually needed? */
+ ai->ai_socktype = socket_type;
+ switch (ai->ai_family) {
+ case AF_INET:
+ ((struct sockaddr_in *)ai->ai_addr)->sin_port = service_port;
+ break;
+ case AF_INET6:
+ ((struct sockaddr_in6 *)ai->ai_addr)->sin6_port = service_port;
+ break;
+ }
}
}
#endif
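Review bot: The new guard `if (service_port != 0)` also skips the port fix-up when the caller passed the numeric service "0". In that case the earlier hunk sets `service_is_numeric = 1`, stores `htons(0)` in `service_port` and replaces `serv` with "discard", so the returned addresses would carry the discard port instead of 0. Testing the flag rather than the value separates "no numeric service given" from "port 0": `if (service_is_numeric) {`. This assumes `service_is_numeric` is in scope under `NUMERIC_SERVICE_BROKEN`; its declaration is outside the hunks shown.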
diff --git a/src/include/foreachaddr.c b/src/include/foreachaddr.c
index 101f8ef..f91034a 100644
--- a/src/include/foreachaddr.c
+++ b/src/include/foreachaddr.c
@@ -383,6 +383,20 @@ foreach_localaddr (/*@null@*/ void *data,
if ((ifp->ifa_flags & IFF_UP) == 0)
continue;
if (ifp->ifa_flags & IFF_LOOPBACK) {
+ /* Pretend it's not up, so the second pass will skip
+ it. */
+ ifp->ifa_flags &= ~IFF_UP;
+ continue;
+ }
+ if (ifp->ifa_addr == NULL) {
+ /* Can't use an interface without an address. Linux
+ apparently does this sometimes. [RT ticket 1770 from
+ Maurice Massar, also Debian bug 206851, shows the
+ problem with a PPP link on a newer kernel than I'm
+ running.]
+
+ Pretend it's not up, so the second pass will skip
+ it. */
ifp->ifa_flags &= ~IFF_UP;
continue;
}
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 41c325d..61333e4 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001 by the Massachusetts Institute of Technology,
+ * Copyright (C) 1989,1990,1991,1992,1993,1994,1995,2000,2001, 2003 by the Massachusetts Institute of Technology,
* Cambridge, MA, USA. All Rights Reserved.
*
* This software is being provided to you, the LICENSEE, by the
@@ -138,6 +138,13 @@ typedef unsigned char u_char;
#endif /* HAVE_SYS_TYPES_H */
#endif /* KRB5_SYSTYPES__ */
+
+#include "k5-platform.h"
+/* not used in krb5.h (yet) */
+typedef UINT64_TYPE krb5_ui_8;
+typedef INT64_TYPE krb5_int64;
+
+
#define DEFAULT_PWD_STRING1 "Enter password"
#define DEFAULT_PWD_STRING2 "Re-enter password for verification"
@@ -282,12 +289,15 @@ typedef struct _krb5_alt_method {
* A null-terminated array of this structure is returned by the KDC as
* the data part of the ETYPE_INFO preauth type. It informs the
* client which encryption types are supported.
+ * The same data structure is used by both etype-info and etype-info2
+ * but s2kparams must be null when encoding etype-info.
*/
typedef struct _krb5_etype_info_entry {
krb5_magic magic;
krb5_enctype etype;
unsigned int length;
krb5_octet *salt;
+ krb5_data s2kparams;
} krb5_etype_info_entry;
/*
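Review bot: The added comment says s2kparams "must be null" for etype-info, but the field is a `krb5_data` held by value, not a pointer, so it is unclear which state counts as null. I would spell out the representation, e.g. `s2kparams.data must be NULL and s2kparams.length 0 when encoding etype-info`, if that is indeed what the encoder checks (the encoder is not part of this diff). Because the struct has grown, it is also worth a sentence that code allocating `krb5_etype_info_entry` must initialise the new member, since an uninitialised `data` pointer would otherwise reach the encoder and the free routine.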
@@ -638,6 +648,7 @@ struct krb5_keytypes {
krb5_crypt_func encrypt;
krb5_crypt_func decrypt;
krb5_str2key_func str2key;
+ krb5_cksumtype required_ctype;
};
struct krb5_cksumtypes {
@@ -657,6 +668,12 @@ struct krb5_cksumtypes {
kind of messy, but so is the krb5 api. */
const struct krb5_keyhash_provider *keyhash;
const struct krb5_hash_provider *hash;
+ /* This just gets uglier and uglier. In the key derivation case,
+ we produce an hmac. To make the hmac code work, we can't hack
+ the output size indicated by the hash provider, but we may want
+ a truncated hmac. If we want truncation, this is the number of
+ bytes we truncate to; it should be 0 otherwise. */
+ unsigned int trunc_size;
};
#define KRB5_CKSUMFLAG_DERIVE 0x0001
@@ -679,6 +696,10 @@ krb5_error_code krb5int_pbkdf2_hmac_sha1 (const krb5_data *, unsigned long,
const krb5_data *,
const krb5_data *);
+/* Make this a function eventually? */
+#define krb5int_zap_data(ptr, len) memset((volatile void *)ptr, 0, len)
+#define zap(p,l) krb5int_zap_data(p,l)
+
/* A definition of init_state for DES based encryption systems.
* sets up an 8-byte IV of all zeros
*/
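Review bot: `krb5int_zap_data` casts the pointer to `volatile void *` and then passes it to `memset`, whose parameter is plain `void *`. The qualifier is dropped again at the call, so nothing stops a compiler from removing the clear of a key or password buffer that is not read afterwards. The macro also leaves `ptr` and `len` unparenthesised. Since the comment already asks whether this should become a function, I would write it as a small inline that stores through a volatile lvalue and keep `zap` as the wrapper, as in the sketch below (k5-platform.h, included earlier in this header, is what makes `inline` usable here).

```c
/* Store through a volatile lvalue so the writes cannot be elided. */
static inline void
krb5int_zap_data(void *ptr, size_t len)
{
    volatile unsigned char *p = ptr;

    while (len-- > 0)
        *p++ = 0;
}
#define zap(p,l) krb5int_zap_data(p,l)
```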
@@ -903,6 +924,8 @@ void krb5_free_etype_info
/*
* End "preauth.h"
*/
+krb5_error_code
+krb5int_copy_data_contents (krb5_context, const krb5_data *, krb5_data *);
typedef krb5_error_code (*krb5_gic_get_as_key_fct)
(krb5_context,
@@ -911,6 +934,7 @@ typedef krb5_error_code (*krb5_gic_get_as_key_fct)
krb5_prompter_fct,
void *prompter_data,
krb5_data *salt,
+ krb5_data *s2kparams,
krb5_keyblock *as_key,
void *gak_data);
@@ -929,11 +953,17 @@ krb5_get_init_creds
int master,
krb5_kdc_rep **as_reply);
+void krb5int_populate_gic_opt (
+ krb5_context, krb5_get_init_creds_opt *,
+ krb5_flags options, krb5_address * const *addrs, krb5_enctype *ktypes,
+ krb5_preauthtype *pre_auth_types);
+
krb5_error_code krb5_do_preauth
(krb5_context, krb5_kdc_req *,
krb5_pa_data **, krb5_pa_data ***,
- krb5_data *, krb5_enctype *,
+ krb5_data *salt, krb5_data *s2kparams,
+ krb5_enctype *,
krb5_keyblock *,
krb5_prompter_fct, void *,
krb5_gic_get_as_key_fct, void *);
@@ -1005,6 +1035,17 @@ struct _krb5_context {
absolute limit on the UDP packet size. */
int udp_pref_limit;
+ /* This is the tgs_ktypes list as read from the profile, or
+ set to compiled-in defaults. The application code cannot
+ override it. This is used for session keys for
+ intermediate ticket-granting tickets used to acquire the
+ requested ticket (the session key of which may be
+ constrained by tgs_ktypes above). */
+ krb5_enctype *conf_tgs_ktypes;
+ int conf_tgs_ktypes_count;
+ /* Use the _configured version? */
+ krb5_boolean use_conf_ktypes;
+
#ifdef KRB5_DNS_LOOKUP
krb5_boolean profile_in_memory;
#endif /* KRB5_DNS_LOOKUP */
@@ -1023,7 +1064,7 @@ typedef struct _krb5_safe {
krb5_timestamp timestamp; /* client time, optional */
krb5_int32 usec; /* microsecond portion of time,
optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_address *s_address; /* sender address */
krb5_address *r_address; /* recipient address, optional */
krb5_checksum *checksum; /* data integrity checksum */
@@ -1039,7 +1080,7 @@ typedef struct _krb5_priv_enc_part {
krb5_data user_data; /* user data */
krb5_timestamp timestamp; /* client time, optional */
krb5_int32 usec; /* microsecond portion of time, opt. */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_address *s_address; /* sender address */
krb5_address *r_address; /* recipient address, optional */
} krb5_priv_enc_part;
@@ -1189,6 +1230,9 @@ krb5_error_code encode_krb5_kdc_req_body
krb5_error_code encode_krb5_safe
(const krb5_safe *rep, krb5_data **code);
+krb5_error_code encode_krb5_safe_with_body
+ (const krb5_safe *rep, const krb5_data *body, krb5_data **code);
+
krb5_error_code encode_krb5_priv
(const krb5_priv *rep, krb5_data **code);
@@ -1221,6 +1265,8 @@ krb5_error_code encode_krb5_alt_method
krb5_error_code encode_krb5_etype_info
(const krb5_etype_info_entry **, krb5_data **code);
+krb5_error_code encode_krb5_etype_info2
+ (const krb5_etype_info_entry **, krb5_data **code);
krb5_error_code encode_krb5_enc_data
(const krb5_enc_data *, krb5_data **);
@@ -1270,6 +1316,9 @@ krb5_error_code encode_krb5_sam_response
krb5_error_code encode_krb5_predicted_sam_response
(const krb5_predicted_sam_response * , krb5_data **);
+krb5_error_code encode_krb5_setpw_req
+(const krb5_principal target, char *password, krb5_data **code);
+
/*************************************************************************
* End of prototypes for krb5_encode.c
*************************************************************************/
@@ -1363,6 +1412,9 @@ krb5_error_code decode_krb5_kdc_req_body
krb5_error_code decode_krb5_safe
(const krb5_data *output, krb5_safe **rep);
+krb5_error_code decode_krb5_safe_with_body
+ (const krb5_data *output, krb5_safe **rep, krb5_data *body);
+
krb5_error_code decode_krb5_priv
(const krb5_data *output, krb5_priv **rep);
@@ -1396,6 +1448,9 @@ krb5_error_code decode_krb5_alt_method
krb5_error_code decode_krb5_etype_info
(const krb5_data *output, krb5_etype_info_entry ***rep);
+krb5_error_code decode_krb5_etype_info2
+ (const krb5_data *output, krb5_etype_info_entry ***rep);
+
krb5_error_code decode_krb5_enc_data
(const krb5_data *output, krb5_enc_data **rep);
@@ -1448,6 +1503,8 @@ krb5_error_code krb5_encode_kdc_rep
krb5_error_code krb5_validate_times
(krb5_context,
krb5_ticket_times *);
+krb5_boolean krb5int_auth_con_chkseqnum
+ (krb5_context ctx, krb5_auth_context ac, krb5_ui_4 in_seq);
/*
* [De]Serialization Handle and operations.
*/
@@ -1537,6 +1594,11 @@ krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int32
(krb5_int32 *,
krb5_octet **,
size_t *);
+/* [De]serialize 8-byte integer */
+krb5_error_code KRB5_CALLCONV krb5_ser_pack_int64
+ (krb5_int64, krb5_octet **, size_t *);
+krb5_error_code KRB5_CALLCONV krb5_ser_unpack_int64
+ (krb5_int64 *, krb5_octet **, size_t *);
/* [De]serialize byte string */
krb5_error_code KRB5_CALLCONV krb5_ser_pack_bytes
(krb5_octet *,
@@ -1559,7 +1621,46 @@ krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
void krb5int_set_prompt_types
(krb5_context, krb5_prompt_type *);
-
+krb5_error_code
+krb5int_generate_and_save_subkey (krb5_context, krb5_auth_context,
+ krb5_keyblock * /* Old keyblock, not new! */);
+
+/* set and change password helpers */
+
+krb5_error_code krb5int_mk_chpw_req
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *ap_req, char *passwd, krb5_data *packet);
+krb5_error_code krb5int_rd_chpw_rep
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *packet, int *result_code,
+ krb5_data *result_data);
+krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
+ (krb5_context context, int result_code,
+ char **result_codestr);
+krb5_error_code krb5int_mk_setpw_req
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *ap_req, krb5_principal targetprinc, char *passwd, krb5_data *packet);
+krb5_error_code krb5int_rd_setpw_rep
+ (krb5_context context, krb5_auth_context auth_context,
+ krb5_data *packet, int *result_code,
+ krb5_data *result_data);
+krb5_error_code krb5int_setpw_result_code_string
+ (krb5_context context, int result_code,
+ const char **result_codestr);
+
+struct srv_dns_entry {
+ struct srv_dns_entry *next;
+ int priority;
+ int weight;
+ unsigned short port;
+ char *host;
+};
+krb5_error_code
+krb5int_make_srv_query_realm(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers);
+void krb5int_free_srv_dns_data(struct srv_dns_entry *);
#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
#pragma import reset
@@ -1577,26 +1678,24 @@ void krb5int_set_prompt_types
/* To keep happy libraries which are (for now) accessing internal stuff */
/* Make sure to increment by one when changing the struct */
-#define KRB5INT_ACCESS_STRUCT_VERSION 6
+#define KRB5INT_ACCESS_STRUCT_VERSION 8
+#ifndef ANAME_SZ
+struct ktext; /* from krb.h, for krb524 support */
+#endif
typedef struct _krb5int_access {
- krb5_error_code (*krb5_locate_kdc) (krb5_context, const krb5_data *,
- struct addrlist *, int, int, int);
- krb5_error_code (*krb5_locate_server) (krb5_context, const krb5_data *,
- struct addrlist *, int,
- const char *, const char *,
- int, int, int, int);
- void (*free_addrlist) (struct addrlist *);
- unsigned int krb5_max_skdc_timeout;
- unsigned int krb5_skdc_timeout_shift;
- unsigned int krb5_skdc_timeout_1;
- unsigned int krb5_max_dgram_size;
+ /* crypto stuff */
const struct krb5_hash_provider *md5_hash_provider;
const struct krb5_enc_provider *arcfour_enc_provider;
krb5_error_code (* krb5_hmac) (const struct krb5_hash_provider *hash,
const krb5_keyblock *key,
unsigned int icount, const krb5_data *input,
krb5_data *output);
+ /* service location and communication */
+ krb5_error_code (*locate_server) (krb5_context, const krb5_data *,
+ struct addrlist *, int,
+ const char *, const char *,
+ int, int, int, int);
krb5_error_code (*sendto_udp) (krb5_context, const krb5_data *msg,
const struct addrlist *, krb5_data *reply,
struct sockaddr *, socklen_t *);
@@ -1604,6 +1703,24 @@ typedef struct _krb5int_access {
const char *hostname,
int port, int secport,
int socktype, int family);
+ void (*free_addrlist) (struct addrlist *);
+
+ krb5_error_code (*make_srv_query_realm)(const krb5_data *realm,
+ const char *service,
+ const char *protocol,
+ struct srv_dns_entry **answers);
+ void (*free_srv_dns_data)(struct srv_dns_entry *);
+
+ /* krb4 compatibility stuff -- may be null if not enabled */
+ krb5_int32 (*krb_life_to_time)(krb5_int32, int);
+ int (*krb_time_to_life)(krb5_int32, krb5_int32);
+ int (*krb524_encode_v4tkt)(struct ktext *, char *, unsigned int *);
+ krb5_error_code (*krb5int_c_mandatory_cksumtype)
+ (krb5_context, krb5_enctype, krb5_cksumtype *);
+ krb5_error_code (KRB5_CALLCONV *krb5_ser_pack_int64)
+ (krb5_int64, krb5_octet **, size_t *);
+ krb5_error_code (KRB5_CALLCONV *krb5_ser_unpack_int64)
+ (krb5_int64 *, krb5_octet **, size_t *);
} krb5int_access;
#define KRB5INT_ACCESS_VERSION \
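Review bot: The comment `/* krb4 compatibility stuff -- may be null if not enabled */` now sits above six members, and the last three (`krb5int_c_mandatory_cksumtype`, `krb5_ser_pack_int64`, `krb5_ser_unpack_int64`) are not krb4 helpers. A reader cannot tell whether the "may be null" caveat applies to them and therefore whether a null check is needed before calling. I would add a separating comment before `krb5int_c_mandatory_cksumtype`, e.g. `/* checksum and serialization helpers; always set */`, adjusted to whatever the accessor actually guarantees. The struct definition begins in the previous hunk.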
@@ -1613,6 +1730,29 @@ typedef struct _krb5int_access {
krb5_error_code KRB5_CALLCONV krb5int_accessor
(krb5int_access*, krb5_int32);
+/* Ick -- some krb524 and krb4 support placed in the krb5 library,
+ because AFS (and potentially other applications?) use the krb4
+ object as an opaque token, which (in some implementations) is not
+ in fact a krb4 ticket, so we don't want to drag in the krb4 support
+ just to enable this. */
+
+#define KRB524_SERVICE "krb524"
+#define KRB524_PORT 4444
+
+/* v4lifetime.c */
+extern krb5_int32 krb5int_krb_life_to_time(krb5_int32, int);
+extern int krb5int_krb_time_to_life(krb5_int32, krb5_int32);
+
+/* conv_creds.c */
+int krb5int_encode_v4tkt
+ (struct ktext *v4tkt, char *buf, unsigned int *encoded_len);
+
+/* send524.c */
+int krb5int_524_sendto_kdc
+ (krb5_context context, const krb5_data * message,
+ const krb5_data * realm, krb5_data * reply,
+ struct sockaddr *, socklen_t *);
+
/* temporary -- this should be under lib/krb5/ccache somewhere */
struct _krb5_ccache {
@@ -1744,4 +1884,8 @@ extern const krb5_kt_ops krb5_kt_dfl_ops;
extern krb5_error_code krb5int_translate_gai_error (int);
+/* Not sure it's ready for exposure just yet. */
+extern krb5_error_code
+krb5int_c_mandatory_cksumtype (krb5_context, krb5_enctype, krb5_cksumtype *);
+
#endif /* _KRB5_INT_H */
diff --git a/src/include/k5-platform.h b/src/include/k5-platform.h
new file mode 100644
index 0000000..c4cc7bb
--- /dev/null
+++ b/src/include/k5-platform.h
@@ -0,0 +1,170 @@
+/*
+ * k5-platform.h
+ *
+ * Copyright 2003 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Some platform-dependent definitions to sync up the C support level.
+ * Some to a C99-ish level, some related utility code.
+ *
+ * Currently: make "static inline" work; 64-bit types and load/store
+ * code; SIZE_MAX.
+ */
+
+#ifndef K5_PLATFORM_H
+#define K5_PLATFORM_H
+
+#if !defined(inline)
+# if __STDC_VERSION__ >= 199901L
+/* C99 supports inline, don't do anything. */
+# elif defined(__GNUC__)
+# define inline __inline__ /* this form silences -pedantic warnings */
+# elif defined(__mips) && defined(__sgi)
+# define inline __inline /* IRIX used at MIT does inline but not c99 yet */
+# elif defined(__sun) && __SUNPRO_C >= 0x540
+/* The Forte Developer 7 C compiler supports "inline". */
+# elif defined(_WIN32)
+# define inline __inline
+# else
+# define inline /* nothing, just static */
+# endif
+#endif
+
+#include "autoconf.h"
+
+/* 64-bit support: krb5_ui_8 and krb5_int64.
+
+ This should move to krb5.h eventually, but without the namespace
+ pollution from the autoconf macros. */
+#if defined(HAVE_STDINT_H) || defined(HAVE_INTTYPES_H)
+# ifdef HAVE_STDINT_H
+# include <stdint.h>
+# endif
+# ifdef HAVE_INTTYPES_H
+# include <inttypes.h>
+# endif
+# define INT64_TYPE int64_t
+# define UINT64_TYPE uint64_t
+#elif defined(_WIN32)
+# define INT64_TYPE signed __int64
+# define UINT64_TYPE unsigned __int64
+#else /* not Windows, and neither stdint.h nor inttypes.h */
+# define INT64_TYPE signed long long
+# define UINT64_TYPE unsigned long long
+#endif
+
+#ifndef SIZE_MAX
+# define SIZE_MAX ((size_t)((size_t)0 - 1))
+#endif
+
+/* Read and write integer values as (unaligned) octet strings in
+ specific byte orders.
+
+ Add per-platform optimizations later if needed. (E.g., maybe x86
+ unaligned word stores and gcc/asm instructions for byte swaps,
+ etc.) */
+
+static inline void
+store_16_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 8) & 0xff;
+ p[1] = (val ) & 0xff;
+}
+static inline void
+store_16_le (unsigned int val, unsigned char *p)
+{
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_32_be (unsigned int val, unsigned char *p)
+{
+ p[0] = (val >> 24) & 0xff;
+ p[1] = (val >> 16) & 0xff;
+ p[2] = (val >> 8) & 0xff;
+ p[3] = (val ) & 0xff;
+}
+static inline void
+store_32_le (unsigned int val, unsigned char *p)
+{
+ p[3] = (val >> 24) & 0xff;
+ p[2] = (val >> 16) & 0xff;
+ p[1] = (val >> 8) & 0xff;
+ p[0] = (val ) & 0xff;
+}
+static inline void
+store_64_be (UINT64_TYPE val, unsigned char *p)
+{
+ p[0] = (unsigned char)((val >> 56) & 0xff);
+ p[1] = (unsigned char)((val >> 48) & 0xff);
+ p[2] = (unsigned char)((val >> 40) & 0xff);
+ p[3] = (unsigned char)((val >> 32) & 0xff);
+ p[4] = (unsigned char)((val >> 24) & 0xff);
+ p[5] = (unsigned char)((val >> 16) & 0xff);
+ p[6] = (unsigned char)((val >> 8) & 0xff);
+ p[7] = (unsigned char)((val ) & 0xff);
+}
+static inline void
+store_64_le (UINT64_TYPE val, unsigned char *p)
+{
+ p[7] = (unsigned char)((val >> 56) & 0xff);
+ p[6] = (unsigned char)((val >> 48) & 0xff);
+ p[5] = (unsigned char)((val >> 40) & 0xff);
+ p[4] = (unsigned char)((val >> 32) & 0xff);
+ p[3] = (unsigned char)((val >> 24) & 0xff);
+ p[2] = (unsigned char)((val >> 16) & 0xff);
+ p[1] = (unsigned char)((val >> 8) & 0xff);
+ p[0] = (unsigned char)((val ) & 0xff);
+}
+static inline unsigned short
+load_16_be (unsigned char *p)
+{
+ return (p[1] | (p[0] << 8));
+}
+static inline unsigned short
+load_16_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8));
+}
+static inline unsigned int
+load_32_be (unsigned char *p)
+{
+ return (p[3] | (p[2] << 8) | (p[1] << 16) | (p[0] << 24));
+}
+static inline unsigned int
+load_32_le (unsigned char *p)
+{
+ return (p[0] | (p[1] << 8) | (p[2] << 16) | (p[3] << 24));
+}
+static inline UINT64_TYPE
+load_64_be (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_be(p) << 32) | load_32_be(p+4);
+}
+static inline UINT64_TYPE
+load_64_le (unsigned char *p)
+{
+ return ((UINT64_TYPE)load_32_le(p+4) << 32) | load_32_le(p);
+}
+
+#endif /* K5_PLATFORM_H */
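Review bot: In `load_32_be` and `load_32_le` the top byte is shifted as a promoted `int` (`p[0] << 24`, `p[3] << 24`), so any byte of 0x80 or above shifts into the sign bit, which is undefined behaviour for a signed left shift. `load_64_be` and `load_64_le` inherit it through their calls. Casting before the shift fixes it: `return ((unsigned int)p[3] | ((unsigned int)p[2] << 8) | ((unsigned int)p[1] << 16) | ((unsigned int)p[0] << 24));`, with the mirrored form for little-endian. The load helpers only read through `p`, so declaring it `const unsigned char *p` would let callers pass read-only input buffers without a cast. None of these helpers can check length, so the block comment above them should state that the caller guarantees 2, 4 or 8 accessible bytes at `p`.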
diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog
index baa927a..226443b 100644
--- a/src/include/kerberosIV/ChangeLog
+++ b/src/include/kerberosIV/ChangeLog
@@ -1,3 +1,8 @@
+2003-09-23 Jeffrey Altman <jaltman@mit.edu>
+
+ * krb.h: Modify the declaration of the CREDENTIALS structure to
+ support the additional address field used on Windows.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* des.h, krb.h: Removed deprecated KfM functions. They will be
exported but not in the headers to discourage new callers. Removed
diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h
index 26ac086..a79df13 100644
--- a/src/include/kerberosIV/krb.h
+++ b/src/include/kerberosIV/krb.h
@@ -122,6 +122,7 @@ extern const char * const krb_err_txt[MAX_KRB_ERRORS];
#define REALM_SZ 40
#define SNAME_SZ 40
#define INST_SZ 40
+#define ADDR_SZ 40
/*
* NB: This overcounts due to NULs.
*/
@@ -209,6 +210,9 @@ struct credentials {
KRB_UINT32 address; /* Address in ticket */
KRB_UINT32 stk_type; /* string_to_key function needed */
#endif
+#ifdef _WIN32
+ char address[ADDR_SZ]; /* Address in ticket */
+#endif
};
typedef struct credentials CREDENTIALS;
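Review bot: The added `char address[ADDR_SZ]` has the same member name as the `KRB_UINT32 address` declared in the conditional block that closes just above it. The opening `#if` of that block and the start of `struct credentials` are outside the hunk, so it is not visible whether both can be active in one build, but if they can this is a duplicate member. Turning the new block into an `#elif defined(_WIN32)` branch of the existing conditional would make the exclusivity explicit. The field also changes meaning with the platform (integer versus character buffer), so its comment should say what the Windows form holds and whether it is NUL-terminated, for example `/* Address in ticket, as NUL-terminated text */` if that is the intent.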
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index eece828..ea2fcd6 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -56,8 +56,13 @@
#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__
+/* By default, do not expose deprecated interfaces. */
#ifndef KRB5_DEPRECATED
-#define KRB5_DEPRECATED 1 /* Expose deprecated things for now. */
+#define KRB5_DEPRECATED 0
+#endif
+/* Do not expose private interfaces. Build system will override. */
+#ifndef KRB5_PRIVATE
+#define KRB5_PRIVATE 0
#endif
#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
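Review bot: With `KRB5_DEPRECATED` now defaulting to 0, a caller that never defined it silently loses every prototype guarded by `#if KRB5_DEPRECATED`, for example `krb5_auth_con_getlocalsubkey` in the later `@@ -2152` hunk. A pre-C99 compiler will then accept the call through an implicit `int` declaration instead of failing the build. Those functions are declared `KRB5_CALLCONV`, which win-mac.h in this same diff defines as `__stdcall`, so an implicit declaration would also get the calling convention wrong on Windows. The new comment should say how to opt back in, for example `/* By default, do not expose deprecated interfaces; define KRB5_DEPRECATED to 1 before including krb5.h to get them. */`. The same concern applies to `KRB5_PRIVATE`, which the next hunk stops defaulting to 1 on builds that are neither Windows nor Mac.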
@@ -65,20 +70,6 @@
# if TARGET_RT_MAC_CFM
# error "Use KfM 4.0 SDK headers for CFM compilation."
# endif
-
-# ifndef KRB5_PRIVATE /* Allow e.g. build system to override */
-# define KRB5_PRIVATE 0
-# endif
-#else
-#if defined(_WIN32)
-# ifndef KRB5_PRIVATE
-# define KRB5_PRIVATE 0
-# endif
-#else
-# ifndef KRB5_PRIVATE
-# define KRB5_PRIVATE 1
-# endif
-#endif
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -491,6 +482,13 @@ krb5_error_code KRB5_CALLCONV
(krb5_context context, krb5_enctype enctype,
const krb5_data *string, const krb5_data *salt,
krb5_keyblock *key);
+krb5_error_code KRB5_CALLCONV
+krb5_c_string_to_key_with_params(krb5_context context,
+ krb5_enctype enctype,
+ const krb5_data *string,
+ const krb5_data *salt,
+ const krb5_data *params,
+ krb5_keyblock *key);
krb5_error_code KRB5_CALLCONV
krb5_c_enctype_compare
@@ -874,7 +872,7 @@ krb5_error_code krb5_decrypt_data
#define KRB5_PADATA_SAM_RESPONSE 13 /* draft challenge system response */
#define KRB5_PADATA_PK_AS_REQ 14 /* PKINIT */
#define KRB5_PADATA_PK_AS_REP 15 /* PKINIT */
-
+#define KRB5_PADATA_ETYPE_INFO2 19
#define KRB5_PADATA_SAM_CHALLENGE_2 30 /* draft challenge system, updated */
#define KRB5_PADATA_SAM_RESPONSE_2 31 /* draft challenge system, updated */
@@ -902,6 +900,11 @@ krb5_error_code krb5_decrypt_data
#define KRB5_KPASSWD_HARDERROR 2
#define KRB5_KPASSWD_AUTHERROR 3
#define KRB5_KPASSWD_SOFTERROR 4
+/* These are Microsoft's extensions in RFC 3244, and it looks like
+ they'll become standardized, possibly with other additions. */
+#define KRB5_KPASSWD_ACCESSDENIED 5 /* unused */
+#define KRB5_KPASSWD_BAD_VERSION 6
+#define KRB5_KPASSWD_INITIAL_FLAG_NEEDED 7 /* unused */
/*
* end "proto.h"
@@ -962,7 +965,7 @@ typedef struct _krb5_authenticator {
krb5_int32 cusec; /* client usec portion */
krb5_timestamp ctime; /* client sec portion */
krb5_keyblock *subkey; /* true session key, optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
krb5_authdata **authorization_data; /* New add by Ari, auth data */
} krb5_authenticator;
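Review bot: Changing `seq_number` from `krb5_int32` to `krb5_ui_4` changes how existing comparisons on the field behave. A check such as `seq_number < 0` becomes always false, and a comparison against a signed value is now carried out unsigned. The same retyping is applied to `krb5_ap_rep_enc_part.seq_number`, `krb5_replay_data.seq` and the `krb5_generate_seq_number` prototype in later hunks, so a caller still holding a `krb5_int32` will pass a mismatched pointer type to the latter. Sequence numbers feed ordering and replay checks, so the comment should record the signedness at the field, for example `krb5_ui_4 seq_number; /* sequence #, optional; unsigned, compare as krb5_ui_4 */`. The struct begins outside this hunk.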
@@ -1088,7 +1091,7 @@ typedef struct _krb5_ap_rep_enc_part {
krb5_timestamp ctime; /* client time, seconds portion */
krb5_int32 cusec; /* client time, microseconds portion */
krb5_keyblock *subkey; /* true session key, optional */
- krb5_int32 seq_number; /* sequence #, optional */
+ krb5_ui_4 seq_number; /* sequence #, optional */
} krb5_ap_rep_enc_part;
typedef struct _krb5_response {
@@ -1152,11 +1155,12 @@ typedef struct _krb5_pwd_data {
#define KRB5_AUTH_CONTEXT_DO_SEQUENCE 0x00000004
#define KRB5_AUTH_CONTEXT_RET_SEQUENCE 0x00000008
#define KRB5_AUTH_CONTEXT_PERMIT_ALL 0x00000010
+#define KRB5_AUTH_CONTEXT_USE_SUBKEY 0x00000020
typedef struct krb5_replay_data {
krb5_timestamp timestamp;
krb5_int32 usec;
- krb5_int32 seq;
+ krb5_ui_4 seq;
} krb5_replay_data;
/* flags for krb5_auth_con_genaddrs() */
@@ -1166,7 +1170,7 @@ typedef struct krb5_replay_data {
#define KRB5_AUTH_CONTEXT_GENERATE_REMOTE_FULL_ADDR 0x00000008
/* type of function used as a callback to generate checksum data for
- * mk_req*/
+ * mk_req */
typedef krb5_error_code
(KRB5_CALLCONV * krb5_mk_req_checksum_func) (krb5_context, krb5_auth_context , void *,
@@ -1407,9 +1411,12 @@ krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes
(krb5_context,
krb5_const_principal,
krb5_enctype **);
+#endif
-krb5_error_code krb5_get_permitted_enctypes
+krb5_error_code KRB5_CALLCONV krb5_get_permitted_enctypes
(krb5_context, krb5_enctype **);
+
+#if KRB5_PRIVATE
void KRB5_CALLCONV krb5_free_ktypes
(krb5_context, krb5_enctype *);
@@ -1632,7 +1639,7 @@ krb5_error_code krb5_generate_subkey
const krb5_keyblock *, krb5_keyblock **);
krb5_error_code krb5_generate_seq_number
(krb5_context,
- const krb5_keyblock *, krb5_int32 *);
+ const krb5_keyblock *, krb5_ui_4 *);
#endif
krb5_error_code KRB5_CALLCONV krb5_get_server_rcache
(krb5_context,
@@ -1658,17 +1665,13 @@ krb5_error_code KRB5_CALLCONV krb5_524_conv_principal
(krb5_context context, krb5_const_principal princ,
char *name, char *inst, char *realm);
-#if KRB5_PRIVATE
-krb5_error_code KRB5_CALLCONV krb5_mk_chpw_req
- (krb5_context context, krb5_auth_context auth_context,
- krb5_data *ap_req, char *passwd, krb5_data *packet);
-krb5_error_code KRB5_CALLCONV krb5_rd_chpw_rep
- (krb5_context context, krb5_auth_context auth_context,
- krb5_data *packet, int *result_code,
- krb5_data *result_data);
-krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
- (krb5_context context, int result_code,
- char **result_codestr);
+struct credentials;
+int KRB5_CALLCONV krb5_524_convert_creds
+ (krb5_context context, krb5_creds *v5creds,
+ struct credentials *v4creds);
+#if KRB5_DEPRECATED
+#define krb524_convert_creds_kdc krb5_524_convert_creds
+#define krb524_init_ets(x) (0)
#endif
/* libkt.spec */
@@ -1708,10 +1711,10 @@ krb5_error_code KRB5_CALLCONV krb5_kt_add_entry
(krb5_context,
krb5_keytab,
krb5_keytab_entry * );
-#if KRB5_PRIVATE
krb5_error_code krb5_principal2salt
(krb5_context,
krb5_const_principal, krb5_data *);
+#if KRB5_PRIVATE
krb5_error_code krb5_principal2salt_norealm
(krb5_context,
krb5_const_principal, krb5_data *);
@@ -1871,6 +1874,14 @@ krb5_change_password
(krb5_context context, krb5_creds *creds, char *newpw,
int *result_code, krb5_data *result_code_string,
krb5_data *result_string);
+krb5_error_code KRB5_CALLCONV
+krb5_set_password
+ (krb5_context context, krb5_creds *creds, char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string);
+krb5_error_code KRB5_CALLCONV
+krb5_set_password_using_ccache
+ (krb5_context context, krb5_ccache ccache, char *newpw, krb5_principal change_password_for,
+ int *result_code, krb5_data *result_code_string, krb5_data *result_string);
#if KRB5_PRIVATE
#ifndef macintosh
@@ -2152,11 +2163,30 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getkey
krb5_auth_context,
krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getsendsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock **);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getrecvsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock **);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_setsendsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock *);
+
+krb5_error_code KRB5_CALLCONV krb5_auth_con_setrecvsubkey(
+ krb5_context, krb5_auth_context, krb5_keyblock *);
+
+#if KRB5_DEPRECATED
krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey
(krb5_context,
krb5_auth_context,
krb5_keyblock **);
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey
+ (krb5_context,
+ krb5_auth_context,
+ krb5_keyblock **);
+#endif
+
#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype
(krb5_context,
@@ -2224,11 +2254,6 @@ krb5_error_code KRB5_CALLCONV krb5_auth_con_getauthenticator
krb5_auth_context,
krb5_authenticator **);
-krb5_error_code KRB5_CALLCONV krb5_auth_con_getremotesubkey
- (krb5_context,
- krb5_auth_context,
- krb5_keyblock **);
-
#define KRB5_REALM_BRANCH_CHAR '.'
/*
@@ -2257,7 +2282,6 @@ krb5_error_code KRB5_CALLCONV krb5_aname_to_localname
krb5_const_principal,
int,
char * );
-#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_get_host_realm
(krb5_context,
const char *,
@@ -2265,6 +2289,7 @@ krb5_error_code KRB5_CALLCONV krb5_get_host_realm
krb5_error_code KRB5_CALLCONV krb5_free_host_realm
(krb5_context,
char * const * );
+#if KRB5_PRIVATE
krb5_error_code KRB5_CALLCONV krb5_get_realm_domain
(krb5_context,
const char *,
@@ -2293,9 +2318,12 @@ krb5_error_code krb5_make_fulladdr
krb5_address *,
krb5_address *,
krb5_address *);
+#endif
-krb5_error_code krb5_set_real_time
+krb5_error_code KRB5_CALLCONV krb5_set_real_time
(krb5_context, krb5_int32, krb5_int32);
+
+#if KRB5_PRIVATE
krb5_error_code krb5_set_debugging_time
(krb5_context, krb5_int32, krb5_int32);
krb5_error_code krb5_use_natural_time
diff --git a/src/include/krb5/ChangeLog b/src/include/krb5/ChangeLog
index ff3d7b3..72dc6e4 100644
--- a/src/include/krb5/ChangeLog
+++ b/src/include/krb5/ChangeLog
@@ -1,3 +1,7 @@
+2003-05-25 Ezra Peisach <epeisach@mit.edu>
+
+ * kdb.h: Add prototype for krb5_db_iterate_ext.
+
2003-03-05 Tom Yu <tlyu@mit.edu>
* kdb_kt.h: Add krb5_ktkdb_set_context. Update prototype of
diff --git a/src/include/krb5/kdb.h b/src/include/krb5/kdb.h
index 1670b54..73a3972 100644
--- a/src/include/krb5/kdb.h
+++ b/src/include/krb5/kdb.h
@@ -212,6 +212,10 @@ krb5_error_code krb5_db_iterate (krb5_context,
krb5_error_code (* ) (krb5_pointer,
krb5_db_entry *),
krb5_pointer);
+krb5_error_code krb5_db_iterate_ext (krb5_context,
+ krb5_error_code (* ) (krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer, int, int);
krb5_error_code krb5_db_verify_master_key (krb5_context, krb5_principal,
krb5_keyblock *);
krb5_error_code krb5_db_store_mkey (krb5_context, char *, krb5_principal,
diff --git a/src/include/krb5/stock/ChangeLog b/src/include/krb5/stock/ChangeLog
index 3c7bb4f..bd0d76f 100644
--- a/src/include/krb5/stock/ChangeLog
+++ b/src/include/krb5/stock/ChangeLog
@@ -1,3 +1,7 @@
+2003-05-29 Ken Raeburn <raeburn@mit.edu>
+
+ * osconf.h (DEFAULT_KDC_ENCTYPE): Default to des3 now.
+
2003-03-06 Alexandra Ellwood <lxs@mit.edu>
* osconf.h: Added DEFAULT_SECURE_PROFILE_PATH so that KfM will only
diff --git a/src/include/krb5/stock/osconf.h b/src/include/krb5/stock/osconf.h
index b56d057..876e9f2 100644
--- a/src/include/krb5/stock/osconf.h
+++ b/src/include/krb5/stock/osconf.h
@@ -64,7 +64,7 @@
#define DEFAULT_KDC_PROFILE "@LOCALSTATEDIR/krb5kdc/kdc.conf"
#define KDC_PROFILE_ENV "KRB5_KDC_PROFILE"
-#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES_CBC_CRC
+#define DEFAULT_KDC_ENCTYPE ENCTYPE_DES3_CBC_SHA1
#define KDCRCACHE "dfl:krb5kdc_rcache"
#define KDC_PORTNAME "kerberos" /* for /etc/services or equiv. */
diff --git a/src/include/port-sockets.h b/src/include/port-sockets.h
index 3448966..eb87bc1 100644
--- a/src/include/port-sockets.h
+++ b/src/include/port-sockets.h
@@ -153,6 +153,21 @@ typedef struct iovec sg_buf;
#define SHUTDOWN_WRITE 1
#define SHUTDOWN_BOTH 2
+#ifndef HAVE_INET_NTOP
+#define inet_ntop(AF,SRC,DST,CNT) \
+ ((AF) == AF_INET \
+ ? ((CNT) < 16 \
+ ? (SOCKET_SET_ERRNO(ENOSPC), NULL) \
+ : (sprintf((DST), "%d.%d.%d.%d", \
+ ((const unsigned char *)(const void *)(SRC))[0] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[1] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[2] & 0xff, \
+ ((const unsigned char *)(const void *)(SRC))[3] & 0xff), \
+ (DST))) \
+ : (SOCKET_SET_ERRNO(EAFNOSUPPORT), NULL))
+#define HAVE_INET_NTOP
+#endif
+
#endif /* HAVE_MACSOCK_H */
#endif /* _WIN32 */
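Review bot: The `inet_ntop` fallback macro evaluates `SRC` four times and `DST` twice, so an argument with side effects behaves differently from a call to the real function. The `(CNT) < 16` guard does keep the unbounded `sprintf` inside the destination for a dotted quad, but that safety rests on an unexplained constant; a comment such as `/* 16 == strlen("255.255.255.255") + 1 */` beside the guard would stop it being edited independently of the format string. A `static` function with the same four parameters would evaluate each argument once and remove the hazard. The enclosing `#if` blocks open outside this hunk.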
diff --git a/src/include/win-mac.h b/src/include/win-mac.h
index b6cf96d..4cf155e 100644
--- a/src/include/win-mac.h
+++ b/src/include/win-mac.h
@@ -30,9 +30,14 @@
#define SIZEOF_LONG 4
#include <windows.h>
+#include <limits.h>
#define HAVE_LABS
+#ifndef SIZE_MAX /* in case Microsoft defines max size of size_t */
+#define SIZE_MAX UINT_MAX
+#endif
+
#ifndef KRB5_CALLCONV
# define KRB5_CALLCONV __stdcall
# define KRB5_CALLCONV_C __cdecl
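Review bot: `#define SIZE_MAX UINT_MAX` disagrees with the fallback this same commit adds in k5-platform.h, `((size_t)((size_t)0 - 1))`. It has type `unsigned int` rather than `size_t`, and it is the true maximum only while `size_t` is 32 bits wide. On a target with a wider `size_t`, every overflow check written against `SIZE_MAX` would use a bound that is too small. Unless the value is needed in `#if` expressions, where a cast cannot appear, the same form should be used here: `#define SIZE_MAX ((size_t)((size_t)0 - 1))`.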
@@ -145,8 +150,12 @@ typedef unsigned char u_char;
/*
* Functions with slightly different names on the PC
*/
+#ifndef strcasecmp
#define strcasecmp stricmp
+#endif
+#ifndef strncasecmp
#define strncasecmp strnicmp
+#endif
HINSTANCE get_lib_instance(void);