-rw-r--r--README692
-rw-r--r--doc/ChangeLog93
-rw-r--r--doc/admin.texinfo202
-rw-r--r--doc/api/ChangeLog4
-rw-r--r--doc/api/Makefile2
-rw-r--r--doc/build.texinfo81
-rw-r--r--doc/copyright.texinfo2
-rw-r--r--doc/definitions.texinfo4
-rw-r--r--doc/install.texinfo223
-rw-r--r--doc/krb4-xrealm.txt143
-rw-r--r--doc/krb425.texinfo8
-rw-r--r--doc/send-pr.texinfo6
-rw-r--r--src/ChangeLog118
-rw-r--r--src/Makefile.in22
-rw-r--r--src/acconfig.h2
-rw-r--r--src/aclocal.m4149
-rw-r--r--src/appl/bsd/ChangeLog220
-rw-r--r--src/appl/bsd/Makefile.in1
-rw-r--r--src/appl/bsd/configure.in14
-rw-r--r--src/appl/bsd/defines.h44
-rw-r--r--src/appl/bsd/forward.c2
-rw-r--r--src/appl/bsd/kcmd.c197
-rw-r--r--src/appl/bsd/krcp.c131
-rw-r--r--src/appl/bsd/krlogin.c316
-rw-r--r--src/appl/bsd/krlogind.c84
-rw-r--r--src/appl/bsd/krsh.c57
-rw-r--r--src/appl/bsd/krshd.c83
-rw-r--r--src/appl/bsd/login.M2
-rw-r--r--src/appl/bsd/login.c105
-rw-r--r--src/appl/bsd/loginpaths.h2
-rw-r--r--src/appl/bsd/rcp.M12
-rw-r--r--src/appl/bsd/rlogin.M11
-rw-r--r--src/appl/bsd/rsh.M11
-rw-r--r--src/appl/bsd/v4rcp.c24
-rw-r--r--src/appl/gssftp/ChangeLog9
-rw-r--r--src/appl/gssftp/configure.in4
-rw-r--r--src/appl/gssftp/ftp/ChangeLog47
-rw-r--r--src/appl/gssftp/ftp/cmds.c23
-rw-r--r--src/appl/gssftp/ftp/domacro.c18
-rw-r--r--src/appl/gssftp/ftp/ftp.c48
-rw-r--r--src/appl/gssftp/ftp/glob.c20
-rw-r--r--src/appl/gssftp/ftp/main.c3
-rw-r--r--src/appl/gssftp/ftp/secure.c97
-rw-r--r--src/appl/gssftp/ftpd/ChangeLog65
-rw-r--r--src/appl/gssftp/ftpd/ftpcmd.y253
-rw-r--r--src/appl/gssftp/ftpd/ftpd.c198
-rw-r--r--src/appl/sample/sclient/ChangeLog6
-rw-r--r--src/appl/sample/sclient/sclient.c2
-rw-r--r--src/appl/telnet/libtelnet/ChangeLog38
-rw-r--r--src/appl/telnet/libtelnet/configure.in8
-rw-r--r--src/appl/telnet/libtelnet/gettytab.c5
-rw-r--r--src/appl/telnet/libtelnet/kerberos.c16
-rw-r--r--src/appl/telnet/libtelnet/kerberos5.c51
-rw-r--r--src/appl/telnet/libtelnet/setenv.c6
-rw-r--r--src/appl/telnet/libtelnet/spx.c20
-rw-r--r--src/appl/telnet/telnet/ChangeLog15
-rw-r--r--src/appl/telnet/telnet/commands.c15
-rw-r--r--src/appl/telnet/telnet/externs.h2
-rw-r--r--src/appl/telnet/telnet/main.c3
-rw-r--r--src/appl/telnet/telnet/tn3270.c7
-rw-r--r--src/appl/telnet/telnet/utilities.c6
-rw-r--r--src/appl/telnet/telnetd/ChangeLog67
-rw-r--r--src/appl/telnet/telnetd/authenc.c17
-rw-r--r--src/appl/telnet/telnetd/configure.in2
-rw-r--r--src/appl/telnet/telnetd/ext.h9
-rw-r--r--src/appl/telnet/telnetd/slc.c2
-rw-r--r--src/appl/telnet/telnetd/state.c39
-rw-r--r--src/appl/telnet/telnetd/sys_term.c1
-rw-r--r--src/appl/telnet/telnetd/telnetd-ktd.c53
-rw-r--r--src/appl/telnet/telnetd/telnetd.c74
-rw-r--r--src/appl/telnet/telnetd/termstat.c20
-rw-r--r--src/appl/telnet/telnetd/utility.c682
-rw-r--r--src/clients/ChangeLog10
-rw-r--r--src/clients/configure.in7
-rw-r--r--src/clients/kinit/ChangeLog5
-rw-r--r--src/clients/kinit/kinit.c2
-rw-r--r--src/clients/klist/ChangeLog12
-rw-r--r--src/clients/klist/Makefile.in2
-rw-r--r--src/clients/klist/klist.c28
-rw-r--r--src/clients/ksu/ChangeLog48
-rw-r--r--src/clients/ksu/Makefile.in3
-rw-r--r--src/clients/ksu/authorization.c7
-rw-r--r--src/clients/ksu/ccache.c6
-rw-r--r--src/clients/ksu/heuristic.c4
-rw-r--r--src/clients/ksu/krb_auth_su.c4
-rw-r--r--src/clients/ksu/ksu.M30
-rw-r--r--src/clients/ksu/main.c227
-rw-r--r--src/clients/ksu/setenv.c9
-rw-r--r--src/config-files/ChangeLog10
-rw-r--r--src/config-files/krb5.conf.M23
-rw-r--r--src/config/ChangeLog26
-rw-r--r--src/config/config.guess645
-rw-r--r--src/config/config.sub444
-rw-r--r--src/config/libobj.in4
-rw-r--r--src/config/pre.in2
-rw-r--r--src/config/win-pre.in22
-rw-r--r--src/configure.in13
-rw-r--r--src/include/ChangeLog165
-rw-r--r--src/include/k5-int.h101
-rw-r--r--src/include/kerberosIV/ChangeLog15
-rw-r--r--src/include/kerberosIV/krb.h6
-rw-r--r--src/include/krb5.hin376
-rw-r--r--src/include/krb5/ChangeLog25
-rw-r--r--src/include/krb5/adm.h5
-rw-r--r--src/include/krb5/kdb.h2
-rw-r--r--src/include/krb5/macsock.h8
-rw-r--r--src/include/krb5/stock/ChangeLog4
-rw-r--r--src/include/krb5/stock/osconf.h4
-rw-r--r--src/include/win-mac.h173
-rw-r--r--src/kadmin/cli/ChangeLog25
-rw-r--r--src/kadmin/cli/kadmin.M69
-rw-r--r--src/kadmin/cli/kadmin.c10
-rw-r--r--src/kadmin/cli/strftime.c881
-rw-r--r--src/kadmin/dbutil/ChangeLog42
-rw-r--r--src/kadmin/dbutil/dump.c100
-rw-r--r--src/kadmin/dbutil/kdb5_util.M86
-rw-r--r--src/kadmin/dbutil/kdb5_util.c8
-rw-r--r--src/kadmin/dbutil/loadv4.c22
-rw-r--r--src/kadmin/ktutil/ChangeLog11
-rw-r--r--src/kadmin/ktutil/ktutil_funcs.c19
-rw-r--r--src/kadmin/passwd/ChangeLog4
-rw-r--r--src/kadmin/passwd/xm_kpasswd.c10
-rw-r--r--src/kadmin/server/ChangeLog30
-rw-r--r--src/kadmin/server/misc.c41
-rw-r--r--src/kadmin/server/schpw.c2
-rw-r--r--src/kadmin/server/server_stubs.c91
-rw-r--r--src/kadmin/testing/proto/ChangeLog10
-rw-r--r--src/kadmin/testing/proto/kdc.conf.proto5
-rw-r--r--src/kadmin/testing/proto/krb5.conf.proto1
-rw-r--r--src/kadmin/testing/util/ChangeLog11
-rw-r--r--src/kadmin/testing/util/tcl_kadm5.c5
-rw-r--r--src/kadmin/testing/util/tcl_ovsec_kadm.c2
-rw-r--r--src/kadmin/v4server/ChangeLog39
-rw-r--r--src/kadmin/v4server/acl_files.c74
-rw-r--r--src/kadmin/v4server/admin_server.c4
-rw-r--r--src/kadmin/v4server/kadm_err.et1
-rw-r--r--src/kadmin/v4server/kadm_ser_wrap.c19
-rw-r--r--src/kadmin/v4server/kadm_server.c3
-rw-r--r--src/kadmin/v5passwdd/ChangeLog18
-rw-r--r--src/kadmin/v5passwdd/kadm5_defs.h3
-rw-r--r--src/kadmin/v5passwdd/main.c5
-rw-r--r--src/kadmin/v5passwdd/proto_serv.c15
-rw-r--r--src/kdc/ChangeLog158
-rw-r--r--src/kdc/do_as_req.c30
-rw-r--r--src/kdc/do_tgs_req.c101
-rw-r--r--src/kdc/extern.h6
-rw-r--r--src/kdc/kdc_preauth.c2
-rw-r--r--src/kdc/kdc_util.c135
-rw-r--r--src/kdc/kdc_util.h7
-rw-r--r--src/kdc/kerberos_v4.c198
-rw-r--r--src/kdc/main.c19
-rw-r--r--src/kdc/network.c95
-rw-r--r--src/kdc/rtest.c1
-rw-r--r--src/krb5-config.in213
-rw-r--r--src/krb524/ChangeLog93
-rw-r--r--src/krb524/README33
-rw-r--r--src/krb524/RELEASE_NOTES16
-rw-r--r--src/krb524/cnv_tkt_skey.c29
-rw-r--r--src/krb524/conv_creds.c32
-rw-r--r--src/krb524/conv_princ.c7
-rw-r--r--src/krb524/encode.c5
-rw-r--r--src/krb524/krb524.h48
-rw-r--r--src/krb524/krb524d.c260
-rw-r--r--src/krb524/misc.c5
-rw-r--r--src/krb524/sendmsg.c25
-rw-r--r--src/lib/ChangeLog60
-rw-r--r--src/lib/crypto/ChangeLog21
-rw-r--r--src/lib/crypto/Makefile.in4
-rw-r--r--src/lib/crypto/coll_proof_cksum.c9
-rw-r--r--src/lib/crypto/crypto_libinit.h6
-rw-r--r--src/lib/crypto/des/ChangeLog18
-rw-r--r--src/lib/crypto/des/afsstring2key.c58
-rw-r--r--src/lib/crypto/des/des_int.h2
-rw-r--r--src/lib/crypto/des/string2key.c3
-rw-r--r--src/lib/crypto/dk/ChangeLog14
-rw-r--r--src/lib/crypto/dk/derive.c4
-rw-r--r--src/lib/crypto/dk/dk_decrypt.c20
-rw-r--r--src/lib/crypto/dk/dk_encrypt.c30
-rw-r--r--src/lib/crypto/keyed_cksum.c8
-rw-r--r--src/lib/crypto/make_checksum.c1
-rw-r--r--src/lib/crypto/old/ChangeLog6
-rw-r--r--src/lib/crypto/old/old_decrypt.c19
-rw-r--r--src/lib/crypto/old/old_encrypt.c9
-rw-r--r--src/lib/crypto/prng.c2
-rw-r--r--src/lib/crypto/sha1/ChangeLog23
-rw-r--r--src/lib/crypto/sha1/Makefile.in21
-rw-r--r--src/lib/crypto/sha1/shs.c75
-rw-r--r--src/lib/crypto/sha1/shs.h19
-rw-r--r--src/lib/crypto/sha1/t_shs.c12
-rw-r--r--src/lib/crypto/sha1/t_shs3.c583
-rw-r--r--src/lib/crypto/valid_cksumtype.c8
-rw-r--r--src/lib/crypto/valid_enctype.c8
-rw-r--r--src/lib/gssapi/ChangeLog13
-rw-r--r--src/lib/gssapi/Makefile.in2
-rw-r--r--src/lib/gssapi/generic/ChangeLog47
-rw-r--r--src/lib/gssapi/generic/disp_com_err_status.c5
-rw-r--r--src/lib/gssapi/generic/gssapi.hin148
-rw-r--r--src/lib/gssapi/generic/gssapiP_generic.h34
-rw-r--r--src/lib/gssapi/generic/gssapi_generic.c118
-rw-r--r--src/lib/gssapi/generic/gssapi_generic.h22
-rw-r--r--src/lib/gssapi/gss_libinit.c8
-rw-r--r--src/lib/gssapi/krb5/3des.txt274
-rw-r--r--src/lib/gssapi/krb5/ChangeLog193
-rw-r--r--src/lib/gssapi/krb5/accept_sec_context.c508
-rw-r--r--src/lib/gssapi/krb5/acquire_cred.c44
-rw-r--r--src/lib/gssapi/krb5/add_cred.c46
-rw-r--r--src/lib/gssapi/krb5/disp_status.c5
-rw-r--r--src/lib/gssapi/krb5/gssapiP_krb5.h85
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.c23
-rw-r--r--src/lib/gssapi/krb5/gssapi_krb5.h54
-rw-r--r--src/lib/gssapi/krb5/import_sec_context.c2
-rw-r--r--src/lib/gssapi/krb5/init_sec_context.c523
-rw-r--r--src/lib/gssapi/krb5/inq_cred.c32
-rw-r--r--src/lib/gssapi/krb5/k5seal.c852
-rw-r--r--src/lib/gssapi/krb5/k5unseal.c1086
-rw-r--r--src/lib/gssapi/krb5/ser_sctx.c6
-rw-r--r--src/lib/gssapi/krb5/util_cksum.c1
-rw-r--r--src/lib/gssapi/krb5/util_crypt.c36
-rw-r--r--src/lib/gssapi/krb5/util_seed.c2
-rw-r--r--src/lib/gssapi/krb5/util_seqnum.c4
-rw-r--r--src/lib/gssapi/krb5/wrap_size_limit.c131
-rw-r--r--src/lib/gssapi32.def8
-rw-r--r--src/lib/kadm5/ChangeLog53
-rw-r--r--src/lib/kadm5/adb.h1
-rw-r--r--src/lib/kadm5/admin.h32
-rw-r--r--src/lib/kadm5/admin_internal.h3
-rw-r--r--src/lib/kadm5/alt_prof.c73
-rw-r--r--src/lib/kadm5/chpass_util.c60
-rw-r--r--src/lib/kadm5/clnt/ChangeLog20
-rw-r--r--src/lib/kadm5/clnt/Makefile.in2
-rw-r--r--src/lib/kadm5/clnt/client_init.c8
-rw-r--r--src/lib/kadm5/clnt/clnt_chpass_util.c5
-rw-r--r--src/lib/kadm5/kadm_rpc_xdr.c10
-rw-r--r--src/lib/kadm5/logger.c5
-rw-r--r--src/lib/kadm5/ovsec_glue.c6
-rw-r--r--src/lib/kadm5/srv/ChangeLog44
-rw-r--r--src/lib/kadm5/srv/Makefile.in2
-rw-r--r--src/lib/kadm5/srv/adb_openclose.c57
-rw-r--r--src/lib/kadm5/srv/svr_chpass_util.c5
-rw-r--r--src/lib/kadm5/srv/svr_principal.c44
-rw-r--r--src/lib/kadm5/str_conv.c17
-rw-r--r--src/lib/kadm5/unit-test/ChangeLog13
-rw-r--r--src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp4
-rw-r--r--src/lib/kadm5/unit-test/api.2/get-principal-v2.exp4
-rw-r--r--src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp4
-rw-r--r--src/lib/kadm5/unit-test/config/unix.exp8
-rw-r--r--src/lib/kdb/ChangeLog73
-rw-r--r--src/lib/kdb/Makefile.in2
-rw-r--r--src/lib/kdb/fetch_mkey.c2
-rw-r--r--src/lib/kdb/kdb_db2.c38
-rw-r--r--src/lib/kdb/kdb_db2.h6
-rw-r--r--src/lib/kdb/kdb_xdr.c16
-rw-r--r--src/lib/kdb/keytab.c58
-rw-r--r--src/lib/kdb/setup_mkey.c2
-rw-r--r--src/lib/kdb/store_mkey.c2
-rw-r--r--src/lib/kdb/t_kdb.c47
-rw-r--r--src/lib/krb4/ChangeLog103
-rw-r--r--src/lib/krb4/Password.c9
-rw-r--r--src/lib/krb4/configure.in2
-rw-r--r--src/lib/krb4/cr_auth_repl.c10
-rw-r--r--src/lib/krb4/cr_ciph.c11
-rw-r--r--src/lib/krb4/cr_death_pkt.c5
-rw-r--r--src/lib/krb4/cr_err_repl.c9
-rw-r--r--src/lib/krb4/cr_tkt.c18
-rw-r--r--src/lib/krb4/decomp_tkt.c16
-rw-r--r--src/lib/krb4/dest_tkt.c127
-rw-r--r--src/lib/krb4/g_ad_tkt.c45
-rw-r--r--src/lib/krb4/g_in_tkt.c14
-rw-r--r--src/lib/krb4/g_krbhst.c8
-rw-r--r--src/lib/krb4/g_krbrlm.c3
-rw-r--r--src/lib/krb4/g_pw_in_tkt.c1
-rw-r--r--src/lib/krb4/in_tkt.c92
-rw-r--r--src/lib/krb4/kntoln.c7
-rw-r--r--src/lib/krb4/kparse.c73
-rw-r--r--src/lib/krb4/kuserok.c7
-rw-r--r--src/lib/krb4/mk_auth.c6
-rw-r--r--src/lib/krb4/mk_err.c8
-rw-r--r--src/lib/krb4/mk_req.c13
-rw-r--r--src/lib/krb4/rd_req.c44
-rw-r--r--src/lib/krb4/rd_svc_key.c8
-rw-r--r--src/lib/krb4/realmofhost.c8
-rw-r--r--src/lib/krb4/recvauth.c7
-rw-r--r--src/lib/krb4/send_to_kdc.c3
-rw-r--r--src/lib/krb4/sendauth.c3
-rw-r--r--src/lib/krb4/tf_util.c123
-rw-r--r--src/lib/krb4/win_store.c20
-rw-r--r--src/lib/krb5/ChangeLog38
-rw-r--r--src/lib/krb5/Makefile.in6
-rw-r--r--src/lib/krb5/asn.1/ChangeLog91
-rw-r--r--src/lib/krb5/asn.1/asn1_encode.c12
-rw-r--r--src/lib/krb5/asn.1/asn1_get.c9
-rw-r--r--src/lib/krb5/asn.1/asn1_k_decode.c97
-rw-r--r--src/lib/krb5/asn.1/asn1buf.c71
-rw-r--r--src/lib/krb5/asn.1/asn1buf.h15
-rw-r--r--src/lib/krb5/asn.1/krb5_decode.c30
-rw-r--r--src/lib/krb5/ccache/ChangeLog61
-rw-r--r--src/lib/krb5/ccache/Makefile.in3
-rw-r--r--src/lib/krb5/ccache/ccapi/ChangeLog90
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.c8
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc.h6
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.c717
-rw-r--r--src/lib/krb5/ccache/ccapi/stdcc_util.h13
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.c3
-rw-r--r--src/lib/krb5/ccache/ccapi/winccld.h54
-rw-r--r--src/lib/krb5/ccache/ccdefault.c84
-rw-r--r--src/lib/krb5/ccache/ccdefops.c2
-rw-r--r--src/lib/krb5/ccache/ccfns.c131
-rw-r--r--src/lib/krb5/ccache/file/ChangeLog3
-rw-r--r--src/lib/krb5/ccache/file/fcc_gprin.c1
-rw-r--r--src/lib/krb5/ccache/stdio/ChangeLog3
-rw-r--r--src/lib/krb5/ccache/stdio/scc_skip.c1
-rw-r--r--src/lib/krb5/error_tables/ChangeLog16
-rw-r--r--src/lib/krb5/error_tables/asn1_err.et2
-rw-r--r--src/lib/krb5/error_tables/kdb5_err.et2
-rw-r--r--src/lib/krb5/error_tables/krb5_err.et8
-rw-r--r--src/lib/krb5/keytab/ChangeLog24
-rw-r--r--src/lib/krb5/keytab/Makefile.in2
-rw-r--r--src/lib/krb5/keytab/file/ChangeLog13
-rw-r--r--src/lib/krb5/keytab/file/ktf_g_ent.c34
-rw-r--r--src/lib/krb5/keytab/ktfns.c80
-rw-r--r--src/lib/krb5/keytab/ktfr_entry.c10
-rw-r--r--src/lib/krb5/keytab/srvtab/ChangeLog10
-rw-r--r--src/lib/krb5/keytab/srvtab/kts_g_ent.c1
-rw-r--r--src/lib/krb5/keytab/srvtab/kts_util.c2
-rw-r--r--src/lib/krb5/krb/ChangeLog298
-rw-r--r--src/lib/krb5/krb/Makefile.in8
-rw-r--r--src/lib/krb5/krb/addr_comp.c2
-rw-r--r--src/lib/krb5/krb/addr_order.c2
-rw-r--r--src/lib/krb5/krb/appdefault.c183
-rw-r--r--src/lib/krb5/krb/auth_con.c6
-rw-r--r--src/lib/krb5/krb/bld_princ.c1
-rw-r--r--src/lib/krb5/krb/chk_trans.c497
-rw-r--r--src/lib/krb5/krb/conv_princ.c126
-rw-r--r--src/lib/krb5/krb/fwd_tgt.c38
-rw-r--r--src/lib/krb5/krb/gc_frm_kdc.c4
-rw-r--r--src/lib/krb5/krb/get_creds.c23
-rw-r--r--src/lib/krb5/krb/get_in_tkt.c69
-rw-r--r--src/lib/krb5/krb/gic_keytab.c16
-rw-r--r--src/lib/krb5/krb/gic_pwd.c28
-rw-r--r--src/lib/krb5/krb/init_ctx.c45
-rw-r--r--src/lib/krb5/krb/init_keyblock.c61
-rw-r--r--src/lib/krb5/krb/kfree.c129
-rw-r--r--src/lib/krb5/krb/mk_cred.c2
-rw-r--r--src/lib/krb5/krb/mk_priv.c8
-rw-r--r--src/lib/krb5/krb/mk_req_ext.c16
-rw-r--r--src/lib/krb5/krb/mk_safe.c29
-rw-r--r--src/lib/krb5/krb/parse.c11
-rw-r--r--src/lib/krb5/krb/preauth.c5
-rw-r--r--src/lib/krb5/krb/preauth2.c8
-rw-r--r--src/lib/krb5/krb/princ_comp.c2
-rw-r--r--src/lib/krb5/krb/rd_cred.c89
-rw-r--r--src/lib/krb5/krb/rd_priv.c9
-rw-r--r--src/lib/krb5/krb/rd_req_dec.c4
-rw-r--r--src/lib/krb5/krb/rd_safe.c2
-rw-r--r--src/lib/krb5/krb/recvauth.c69
-rw-r--r--src/lib/krb5/krb/send_tgs.c1
-rw-r--r--src/lib/krb5/krb/sendauth.c32
-rw-r--r--src/lib/krb5/krb/ser_actx.c10
-rw-r--r--src/lib/krb5/krb/srv_rcache.c3
-rw-r--r--src/lib/krb5/krb/t_kerb.c32
-rw-r--r--src/lib/krb5/krb/t_krb5.conf6
-rw-r--r--src/lib/krb5/krb/t_ref_kerb.out2
-rw-r--r--src/lib/krb5/krb/unparse.c6
-rw-r--r--src/lib/krb5/krb/vfy_increds.c2
-rw-r--r--src/lib/krb5/krb/walk_rtree.c25
-rw-r--r--src/lib/krb5/krb5_libinit.c10
-rw-r--r--src/lib/krb5/os/ChangeLog209
-rw-r--r--src/lib/krb5/os/an_to_ln.c22
-rw-r--r--src/lib/krb5/os/c_ustime.c141
-rw-r--r--src/lib/krb5/os/ccdefname.c15
-rw-r--r--src/lib/krb5/os/changepw.c61
-rw-r--r--src/lib/krb5/os/def_realm.c13
-rw-r--r--src/lib/krb5/os/gmt_mktime.c2
-rw-r--r--src/lib/krb5/os/hst_realm.c19
-rw-r--r--src/lib/krb5/os/init_os_ctx.c80
-rw-r--r--src/lib/krb5/os/kuserok.c5
-rw-r--r--src/lib/krb5/os/localaddr.c233
-rw-r--r--src/lib/krb5/os/locate_kdc.c148
-rw-r--r--src/lib/krb5/os/os-proto.h3
-rw-r--r--src/lib/krb5/os/prompter.c14
-rw-r--r--src/lib/krb5/os/promptusr.c2
-rw-r--r--src/lib/krb5/os/sendto_kdc.c26
-rw-r--r--src/lib/krb5/os/t_std_conf.c4
-rw-r--r--src/lib/krb5/os/timeofday.c6
-rw-r--r--src/lib/krb5/os/toffset.c2
-rw-r--r--src/lib/krb5/posix/ChangeLog11
-rw-r--r--src/lib/krb5/posix/setenv.c2
-rw-r--r--src/lib/krb5/posix/syslog.c10
-rw-r--r--src/lib/krb5/rcache/ChangeLog22
-rw-r--r--src/lib/krb5/rcache/rc_dfl.c2
-rw-r--r--src/lib/krb5/rcache/rc_io.c27
-rw-r--r--src/lib/krb5_32.def342
-rw-r--r--src/lib/krb5util/ChangeLog5
-rw-r--r--src/lib/krb5util/compat_recv.c145
-rw-r--r--src/lib/rpc/ChangeLog64
-rw-r--r--src/lib/rpc/auth_gssapi_misc.c16
-rw-r--r--src/lib/rpc/clnt_perror.c98
-rw-r--r--src/lib/rpc/clnt_simple.c5
-rw-r--r--src/lib/rpc/clnt_tcp.c2
-rw-r--r--src/lib/rpc/clnt_udp.c2
-rw-r--r--src/lib/rpc/configure.in2
-rw-r--r--src/lib/rpc/get_myaddress.c2
-rw-r--r--src/lib/rpc/pmap_rmt.c11
-rw-r--r--src/lib/rpc/svc_auth_gssapi.c16
-rw-r--r--src/lib/rpc/unit-test/ChangeLog19
-rw-r--r--src/lib/rpc/unit-test/lib/helpers.exp6
-rw-r--r--src/lib/rpc/unit-test/rpc_test.0/expire.exp2
-rw-r--r--src/lib/rpc/unit-test/server.c1
-rw-r--r--src/lib/rpc/xdr.c2
-rw-r--r--src/lib/rpc/xdr_array.c3
-rw-r--r--src/lib/rpc/xdr_mem.c21
-rw-r--r--src/lib/win_glue.c34
-rw-r--r--src/mac/CFMGlue.pl2
-rw-r--r--src/mac/DylibStub.c5
-rw-r--r--src/mac/ErrorTables.jam120
-rw-r--r--src/mac/GSS.CFM.c23
-rw-r--r--src/mac/GSS.h7
-rw-r--r--src/mac/GSSKerberos5.pbproj/project.pbxproj9269
-rw-r--r--src/mac/GSSKerberosPrefix.h69
-rw-r--r--src/mac/GSSLibrary.exp29
-rw-r--r--src/mac/GSSLibrary.pbexp96
-rw-r--r--src/mac/GenerateErrorTables.sh40
-rw-r--r--src/mac/GenerateHeaderFiles.sh48
-rw-r--r--src/mac/HeaderFiles.jam210
-rw-r--r--src/mac/K5.CFM.c15
-rw-r--r--src/mac/K5.CFMglue.proto.h86
-rw-r--r--src/mac/K5Library.exp86
-rw-r--r--src/mac/Kerberos5CoreExport.jam21
-rw-r--r--src/mac/Kerberos5Lib.exp225
-rw-r--r--src/mac/Kerberos5Lib.pbexp225
-rw-r--r--src/mac/Kerberos5PrivateLib.pbexp36
-rw-r--r--src/mac/MacOSX/Headers/GSSInit.h22
-rw-r--r--src/mac/MacOSX/Headers/Kerberos5Init.h22
-rw-r--r--src/mac/MacOSX/Headers/Kerberos5Prefix.h87
-rw-r--r--src/mac/MacOSX/Headers/KerberosProfileInit.h22
-rw-r--r--src/mac/MacOSX/Headers/cr_tkt.h32
-rw-r--r--src/mac/MacOSX/Projects/GSS.pbexp96
-rw-r--r--src/mac/MacOSX/Projects/Kerberos5.pbexp331
-rw-r--r--src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj7013
-rw-r--r--src/mac/MacOSX/Projects/Kerberos524.pbexp1
-rw-r--r--src/mac/MacOSX/Scripts/Kerberos5Errors.jam86
-rw-r--r--src/mac/MacOSX/Scripts/Kerberos5Headers.jam113
-rw-r--r--src/mac/MacOSX/Sources/GSSInit.cp32
-rw-r--r--src/mac/MacOSX/Sources/Kerberos5Init.cp45
-rw-r--r--src/mac/MacOSX/Sources/ProfileInit.cp50
-rw-r--r--src/mac/MacOSX/Sources/cr_tkt.c254
-rw-r--r--src/mac/Makefile1074
-rw-r--r--src/mac/PrivateKerberos5Lib.exp36
-rw-r--r--src/mac/ProfileLib.CFM.c17
-rw-r--r--src/mac/Release notes167
-rw-r--r--src/mac/kdestroy.c293
-rw-r--r--src/mac/kinit.c1137
-rw-r--r--src/mac/klist.c912
-rw-r--r--src/mac/kpasswd.c151
-rw-r--r--src/mac/libraries/KerberosHeaders.9.pch2
-rw-r--r--src/mac/libraries/KerberosHeaders.CB.pch4
-rw-r--r--src/mac/libraries/KerberosHeaders.h11
-rw-r--r--src/mac/macfile_gen.pl191
-rw-r--r--src/slave/ChangeLog6
-rw-r--r--src/slave/kprop.c15
-rw-r--r--src/tests/ChangeLog18
-rw-r--r--src/tests/asn.1/ChangeLog14
-rw-r--r--src/tests/asn.1/krb5_decode_test.c116
-rw-r--r--src/tests/asn.1/utility.c6
-rw-r--r--src/tests/configure.in11
-rw-r--r--src/tests/create/ChangeLog10
-rw-r--r--src/tests/create/kdb5_mkdums.c8
-rw-r--r--src/tests/dejagnu/ChangeLog6
-rw-r--r--src/tests/dejagnu/Makefile.in3
-rw-r--r--src/tests/dejagnu/config/ChangeLog216
-rw-r--r--src/tests/dejagnu/config/default.exp2028
-rw-r--r--src/tests/dejagnu/krb-root/ChangeLog6
-rw-r--r--src/tests/dejagnu/krb-root/rlogin.exp10
-rw-r--r--src/tests/dejagnu/krb-standalone/ChangeLog204
-rw-r--r--src/tests/dejagnu/krb-standalone/gssapi.exp478
-rw-r--r--src/tests/dejagnu/krb-standalone/gssftp.exp105
-rw-r--r--src/tests/dejagnu/krb-standalone/kadmin.exp323
-rw-r--r--src/tests/dejagnu/krb-standalone/rcp.exp13
-rw-r--r--src/tests/dejagnu/krb-standalone/rsh.exp26
-rw-r--r--src/tests/dejagnu/krb-standalone/standalone.exp132
-rw-r--r--src/tests/dejagnu/krb-standalone/v4gssftp.exp501
-rw-r--r--src/tests/dejagnu/krb-standalone/v4krb524d.exp167
-rw-r--r--src/tests/dejagnu/krb-standalone/v4standalone.exp95
-rw-r--r--src/tests/hammer/ChangeLog9
-rw-r--r--src/tests/hammer/kdc5_hammer.c13
-rw-r--r--src/tests/verify/ChangeLog9
-rw-r--r--src/tests/verify/kdb5_verify.c7
-rw-r--r--src/util/ChangeLog19
-rw-r--r--src/util/Makefile.in2
-rw-r--r--src/util/autoconf/autoconf.info262
-rw-r--r--src/util/db2/ChangeLog47
-rw-r--r--src/util/db2/btree/bt_close.c3
-rw-r--r--src/util/db2/btree/bt_debug.c21
-rw-r--r--src/util/db2/btree/bt_page.c2
-rw-r--r--src/util/db2/btree/bt_seq.c410
-rw-r--r--src/util/db2/btree/bt_split.c5
-rw-r--r--src/util/db2/btree/extern.h13
-rw-r--r--src/util/db2/hash/dbm.c5
-rw-r--r--src/util/db2/hash/hash_debug.c1
-rw-r--r--src/util/db2/include/ChangeLog6
-rw-r--r--src/util/db2/include/db.h2
-rw-r--r--src/util/db2/test/ChangeLog14
-rw-r--r--src/util/db2/test/btree.tests/ChangeLog14
-rw-r--r--src/util/db2/test/btree.tests/main.c83
-rw-r--r--src/util/db2/test/dbtest.c14
-rw-r--r--src/util/db2/test/run.test19
-rw-r--r--src/util/et/ChangeLog52
-rw-r--r--src/util/et/com_err.c11
-rw-r--r--src/util/et/com_err.h6
-rw-r--r--src/util/et/error_message.c16
-rw-r--r--src/util/et/et.pbexp10
-rw-r--r--src/util/et/et_c.awk4
-rw-r--r--src/util/et/et_c.pl (renamed from src/util/et/et_c.perl)8
-rw-r--r--src/util/et/et_h.awk6
-rw-r--r--src/util/et/et_h.pl (renamed from src/util/et/et_h.perl)16
-rw-r--r--src/util/et/test_et.c4
-rw-r--r--src/util/makeshlib.sh8
-rw-r--r--src/util/mkrel34
-rw-r--r--src/util/profile/ChangeLog32
-rw-r--r--src/util/profile/Makefile.in2
-rw-r--r--src/util/profile/krb5.conf8
-rw-r--r--src/util/profile/prof_err.et6
-rw-r--r--src/util/profile/prof_parse.c6
-rw-r--r--src/util/profile/profile.pbexp24
-rw-r--r--src/util/pty/ChangeLog166
-rw-r--r--src/util/pty/Makefile.in12
-rw-r--r--src/util/pty/cleanup.c6
-rw-r--r--src/util/pty/configure.in163
-rw-r--r--src/util/pty/dump-utmp.c362
-rw-r--r--src/util/pty/getpty.c17
-rw-r--r--src/util/pty/libpty.h24
-rw-r--r--src/util/pty/logwtmp.c93
-rw-r--r--src/util/pty/open_ctty.c44
-rw-r--r--src/util/pty/open_slave.c108
-rw-r--r--src/util/pty/pty-int.h28
-rw-r--r--src/util/pty/pty_paranoia.c650
-rw-r--r--src/util/pty/sane_hostname.c4
-rw-r--r--src/util/pty/update_utmp.c781
-rw-r--r--src/util/pty/update_wtmp.c141
-rw-r--r--src/util/pty/void_assoc.c37
-rw-r--r--src/util/ss/ChangeLog8
-rw-r--r--src/util/ss/help.c14
-rw-r--r--src/util/ss/list_rqs.c13
-rw-r--r--src/util/ss/mk_cmds.c5
-rw-r--r--src/util/ss/utils.c11
-rw-r--r--src/wconfig.c7
-rw-r--r--src/windows/ChangeLog83
-rw-r--r--src/windows/Makefile.in6
-rw-r--r--src/windows/README48
-rw-r--r--src/windows/cns/ChangeLog14
-rw-r--r--src/windows/cns/cns.c34
-rw-r--r--src/windows/cns/cns_reg.c8
-rw-r--r--src/windows/cns/tktlist.c23
-rw-r--r--src/windows/lib/ChangeLog4
-rw-r--r--src/windows/lib/cacheapi.h455
-rw-r--r--src/windows/ms2mit/ChangeLog8
-rw-r--r--src/windows/ms2mit/Makefile.in22
-rw-r--r--src/windows/ms2mit/ms2mit.c560
-rw-r--r--src/windows/version.rc18
-rw-r--r--src/windows/wintel/ChangeLog6
-rw-r--r--src/windows/wintel/auth.c17
-rw-r--r--src/windows/wintel/encrypt.c5
562 files changed, 46347 insertions, 9333 deletions
diff --git a/README b/README
index 19b193e..b80cb69 100644
--- a/README
+++ b/README
@@ -1,49 +1,39 @@
-these were the
- Kerberos Version 5, Release 1.1
+
+ Kerberos Version 5, Release 1.2.8
Release Notes
-which will be updated before the next release by
+
The MIT Kerberos Team
Unpacking the Source Distribution
---------------------------------
-The source distribution of Kerberos 5 comes in three gzipped tarfiles,
-krb5-1.1.src.tar.gz, krb5-1.1.doc.tar.gz, and krb5-1.1.crypto.tar.gz.
-The krb5-1.1.doc.tar.gz contains the doc/ directory and this README
-file. The krb5-1.1.src.tar.gz contains the src/ directory and this
-README file, except for the crypto library sources, which are in
-krb5-1.1.crypto.tar.gz.
-
-Instruction on how to extract the entire distribution follow. These
-directions assume that you want to extract into a directory called
-DIST.
+The source distribution of Kerberos 5 comes in a gzipped tarfile,
+krb5-1.2.8.tar.gz. Instruction on how to extract the entire
+distribution follow. These directions assume that you want to extract
+into a directory called DIST.
If you have the GNU tar program and gzip installed, you can simply do:
mkdir DIST
cd DIST
- gtar zxpf krb5-1.1.src.tar.gz
- gtar zxpf krb5-1.1.crypto.tar.gz
- gtar zxpf krb5-1.1.doc.tar.gz
+ gtar zxpf krb5-1.2.8.tar.gz
If you don't have GNU tar, you will need to get the FSF gzip
distribution and use gzcat:
mkdir DIST
cd DIST
- gzcat krb5-1.1.src.tar.gz | tar xpf -
- gzcat krb5-1.1.crypto.tar.gz | tar xpf -
- gzcat krb5-1.1.doc.tar.gz | tar xpf -
+ gzcat krb5-1.2.8.tar.gz | tar xpf -
-Both of these methods will extract the sources into DIST/krb5-1.1/src
-and the documentation into DIST/krb5-1.1/doc.
+Both of these methods will extract the sources into DIST/krb5-1.2.8/src
+and the documentation into DIST/krb5-1.2.8/doc.
Building and Installing Kerberos 5
----------------------------------
-The first file you should look at is doc/install.ps; it contains the
-notes for building and installing Kerberos 5. The info file
+The first file you should look at is doc/install-guide.ps; it contains
+the notes for building and installing Kerberos 5. The info file
krb5-install.info has the same information in info file format. You
can view this using the GNU emacs info-mode, or by using the
standalone info file viewer from the Free Software Foundation. This
@@ -70,53 +60,593 @@ If you are not able to use krb5-send-pr because you haven't been able
compile and install Kerberos V5 on any platform, you may send mail to
krb5-bugs@mit.edu.
-Notes, Major Changes, and Known Bugs
-------------------------------------
-
-* Triple DES support is included; however, it is only usable for
- service keys at the moment, due to a large number of compatibility
- issues. For example, the GSSAPI library has some (buggy) support
- for a triple DES session key, but it is intentionally disabled.
- ** Do not use triple-DES in your config files except as described in
- ** the documentation.
-
-* The principal database now uses the btree backend of Berkeley DB.
- This should result in improved KDC performance.
-
-* The lib/rpc tests do not appear to work under NetBSD-1.4, for
- reasons that are not completely clear at the moment, but probably
- have something to do with portmapper interfacing. This should not
- affect other operations, such as kadmind operation.
-
-* Shared library builds are under a new framework; at this point only
- Solaris (2.x), Irix (6.5), NetBSD (1.4 i386), and possibly Linux are
- known to work. All other working shared library builds may be
- figments of your imagination.
-
-* Many existing databases, especially those converted from krb4
- original databases, may contain expiration dates in 1999. You
- should make sure to update these expiration dates, and also change
- any config file entries that have two-digit years.
-
-* Hardware preauthentication is known to be broken; this will be fixed
- in an upcoming release.
-
-* krb524d now defaults to forking into the background; use
- "krb524d -nofork" to avoid forking.
-
-* Not all reported bugs have been fixed in this release, due to time
- constraints. We are planning to make another release in the near
- future with more complete triple DES support, and additional
- bugfixes. Many of the bugs in our database are reported against
- what is now quite old code, or require hardware that we do not have,
- which make them difficult to reproduce and debug. We will work on
- these older bugs and some externally submitted patches for the
- following release.
+Notes, Major Changes, and Known Bugs for 1.2.8
+----------------------------------------------
+
+Notes:
+
+* This release includes several significant security patches. Please
+ see http://web.mit.edu/kerberos/www/advisories/index.html for
+ security advisories.
+
+Major Changes:
+
+* [1402, 1385, 1395, 1410, 1411] The krb4 protocol vulnerabilities
+ [MITKRB5-SA-2003-004] have been worked around. Note that this will
+ disable krb4 cross-realm functionality, as well as krb4 triple-DES
+ functionality. Please see doc/krb4-xrealm.txt for details of the
+ patch.
+
+* [1403, 1393] The xdrmem integer overflows [MITKRB5-SA-2003-003] have
+ been fixed.
+
+* [1405, 1397] The krb5_principal buffer bounds problems
+ [MITKRB5-SA-2003-005] have been fixed. Thanks to Nalin Dahyabhai.
+
+Notes, Major Changes, and Known Bugs for 1.2.7
+----------------------------------------------
+
+Notes:
+
+* This release includes a significant security patch. If you are
+ running kadmind4 from an earlier release, you are highly encouraged
+ to update, as an exploit is believed to be circulating.
+
+Major Changes:
+
+* [1238] The exploitable buffer overflow in kadmind4
+ [MITKRB5-SA-2002-002] has been patched. Thanks to Johan Danielsson,
+ Love Hornquist-Astrand, and Assar Westerlund.
+
+* [1230, 1236] Hierarchical cross-realm has been repaired somewhat.
+ Terminating NUL characters are no longer generated, and are ignored
+ on receipt.
+
+Minor Changes:
+
+* [1218] ftpcmd.y now compiles successfully using more recent versions
+ of bison.
+
+* [1206] Fixed memory leak in padata handling in KDC. Thanks to Ben
+ Cox.
+
+* [1207] Clients can now successfully specify explicit keysalt tuples
+ to password-changing kadm5 functions. Thanks to Ben Cox.
+
+* [1008] Clients can now successfully pass an empty set of keysalt
+ tuples to the setkey kadm5 function. Thanks to Emily Ratliff.
+
+* [1216] Fixed client-side read overruns in calls to res_search().
+ Thanks to Nalin Dahyabhai.
+
+* [1241] The test suite has been stabilized somewhat to work better
+ with modern versions of tcl and expect.
+
+* [1246] A race condition in the rpc unit tests has been worked
+ around.
+
+* [1249] The tests/dejagnu test suite has been fixed to leak ptys less
+ often.
+
+* [1185] sendmsg.c no longer checks that a pointer value is greater
+ than zero. Thanks to Dan Riley.
+
+Known Bugs:
+
+* [1228] If tcl is built shared, and krb5 is built static, some
+ utility programs used by the test suite may fail to run due to RPATH
+ issues. (long-standing but recently acknowledged)
+
+* [1259] KDC sends etype-info for enctypes that weren't requested by
+ the client.
+
+* Most of the other known bugs noted in earlier 1.2.x releases (other
+ than those listed as fixed above) are still present.
+
+Notes, Major Changes, and Known Bugs for 1.2.6
+----------------------------------------------
+
+Notes:
+
+* This release includes a significant security patch. If you are
+ running an earlier release, you are highly encouraged to update, as
+ it is theoretically possible for an intruder to compromise your
+ KDC.
+
+Major Changes:
+
+* The security vulnerability in xdr_array() [MITKRB5-SA-2002-001] has
+ been patched. Thanks to Jeffrey Hutzelman and Nikolai Zeldovich.
+
+* A NULL pointer dereference in kadmind has been fixed
+ [krb5-admin/1140]. Thanks to Mark Levinson.
+
+* There was a botched buffer overflow patch in kadmind4 that caused
+ problems with kadmind4 acl handling. It has been fixed. Thanks to
+ Mark Silis.
+
+* Correct ETYPE_INFO padata are now generated. Thanks to Lubos
+ Kejzlar.
+
+* A bug in AFS salt handling has been worked
+ around. [krb5-clients/1146] Thanks to Wolfgang Friebel.
+
+* The KDC, in handling both krb5 and krb4 TGS_REQs, now honors the
+ DISALLOW_ALL_TIX and DISALLOW_SVR attributes on the server
+ principal. This also now happens with krb524d.
+
+* krb524d will now, by default, convert krb5 tickets for afs service
+ princpals to special tokens that are actually just the EncryptedData
+ part of a krb5 Ticket structure. This may be overridden; please
+ consult src/krb524/README for details.
+
+* Patches from Sleepycat have been applied to the btree backend of the
+ Brekeley DB library; these fix potential problems with the page free
+ and page split operations.
+
+* The kdb5_util dump command has additional options to allow for
+ reversed or recursive (for btree only) dumps of the principal
+ database. This permits the recovery of prinicpals that might
+ otherwise be omitted in a database dump in the presence of certain
+ types of corruption.
+
+* The dump command in kdb5_util now handles master key conversion
+ without crashing.
+
+Known Bugs:
+
+* Most of the other known bugs noted in earlier 1.2.x releases (other
+ than those listed as fixed above) are still present.
+
+Notes, Major Changes, and Known Bugs for 1.2.5
+----------------------------------------------
+
+Major Changes:
+
+* On MacOS X, we have reviewed the list of exported symbol names. As
+ in earlier MacOS releases, and the Windows releases, but unlike the
+ UNIX releases, the list of exported names accessible to applications
+ is reduced to a predefined set of symbols. We are attempting to
+ define a "stable" subset of the API we feel confident about
+ providing, as opposed to giving applications access to half of the
+ packet-manipulation functions we have.
+
+ In future releases, we may investigate applying a similar export
+ list under some UNIX shared library implementations.
+
+ If a function you use is not exported, we probably figured it was
+ functionality that should be internal to the library, or something
+ that should be done with a different interface, or something we
+ didn't know anyone was using at the moment and thought we'd like to
+ clean up the interface later on. If you need it, and there isn't a
+ cleaner way, contact us about getting it added back in to the export
+ list.
+
+ A few things are marked "deprecated" in the header file, but will
+ continue to be provided under "#if KRB5_DEPRECATED" because even
+ though they're ugly, we also know they're in use and we can't phase
+ them out fast enough. We may replace the implementation later on
+ with a shim on top of some cleaner mechanism.
+
+* For Heimdal (and possibly Microsoft) compatibility, we now accept
+ encrypted delegated credentials in gssapi. Historically, the MIT
+ implementation has sent delegated gssapi credentials "in the clear",
+ but still encrypted in the AP-REQ.
+
+* IP address checks have been removed from rd_cred; this improves
+ compatibility with Heimdal.
+
+Minor changes:
+
+* A null pointer dereference in the krb5 library has been fixed.
+
+Known bugs:
+
+* Most of the other known bugs from 1.2.3 and 1.2.4 are unchanged.
+
+Notes, Major Changes, and Known Bugs for 1.2.4
+----------------------------------------------
+
+Notes:
+
+* Like the 1.2.3 release, this is a patch release. One critical login
+ problem is fixed, and a problem with interoperability with
+ Microsoft software is worked around.
+
+Major Changes:
+
+* The one-character bug introduced into the login.krb5 program that
+ caused 8-character usernames to be rejected in some circumstances
+ has been fixed.
+
+* The handling of key version numbers has been modified in places.
+ The current formats of the keytab and srvtab files, as well as parts
+ of the remote kadmin protocol, handle key version numbers as 8-bit
+ quantities, when in fact they are 32-bit quantities.
+
+ * In the keytab and srvtab support for krb5, searching for the
+ "highest numbered" key version now has some heuristics to deal
+ with the 8-bit kvno wrapping from 255 to 0 to 1.... If a kvno
+ greater than 240 is found, the kvno values are assumed to range
+ from 128 to 383 (127+256). This should handle cases like storing
+ kvno values 255 and 256 in the file.
+
+ * In the keytab and srvtab support for krb5, when looking for a key
+ with a specific version number, the low 8 bits of the requested
+ kvno are compared against the value stored in the file.
+
+ * The "ktutil" program also has a new heuristic for choosing the
+ "highest numbered" key in a keytab to be written out into a krb4
+ srvtab file.
+
+ These heuristics all assume that key version numbers will be
+ assigned sequentially, and that there will not be a large set of key
+ version numbers in use at one time for any given principal in a
+ keytab file.
+
+ These changes were prompted by the discovery by Microsoft (while
+ trying to write tools to generate MIT-style keytab files) that we
+ could not store arbitrary 32-bit version numbers for keys.
+
+* Some issues with multiple enctype support in GSSAPI credential
+ forwarding have been fixed.
+
+Minor Changes:
+
+* A few compilation problems have been fixed.
+
+* New test cases have been added to the test suite to exercise some of
+ the new changes.
+
+Known Bugs:
+
+* Non-sequential key version numbering will confuse the new kvno
+ handling heuristics.
+
+* Long-standing but newly recognized:
+
+ * The remote kadmin protocol will produce incorrect results when key
+ version numbers greater than 255 are being retrieved or stored.
+ The kadmin.local program does not suffer from this problem.
+
+ * We do not support storing multiple key versions for a principal in
+ a srvtab file.
+
+ * We do not support acquiring krb4 tickets using a srvtab or keytab
+ file without acquiring krb5 tickets at the same time (i.e., the
+ old krb4 "ksrvtgt" program).
+
+* most of the other known bugs from 1.2.3
+
+Notes, Major Changes, and Known Bugs for 1.2.3
+----------------------------------------------
+
+Notes:
+
+* This release is a patch release; some non-critical bugs and feature
+ requests have not been incorporated. We have focussed mainly on
+ important security fixes and usability fixes.
+
+Major Changes:
+
+* Certain problems with shared library builds have been eliminated or
+ reduced on Linux and HP-UX.
+
+* Various bugs in single-DES enctype similarity have been fixed; the
+ 1.0.x behavior of treating all single-DES enctype as equivalent has
+ been restored for now. This may go away in a future release. Note
+ that SUPPORT_DESMD5 will be treated as always false for now.
+
+* The KDC will now log a number of enctype parameters associated with
+ KDC requests, in order to allow easier debugging of enctype-related
+ problems.
+
+* A client will no longer attempt obtain a forwarded TGT with a
+ session key enctype that the target server won't understand.
+
+* Triple-DES should work on Windows now. The SHA-1 implementation had
+ a Windows-specific bug preventing it from working in most cases.
+
+* Various bugs in pty handling have been fixed.
+
+* Bogus utmp files with garbage characters in their names should not
+ get created on Solaris. Also, utmp/wtmp handling code has been
+ mostly rewritten, eliminating numerous bugs.
+
+* Potential buffer-overrun problems and null-pointer dereferences have
+ been fixed in ftpd, telnetd, login.krb5, and SHA-1. The first three
+ may be exploitable under certain conditions; the SHA-1 bug probably
+ isn't, as far as we know.
+
+* For multiple-hop interrealm authentication, the realm transit path
+ checking has been rewritten. The old code had a serious bug where
+ some of the transited realms may not have been checked against the
+ computed path. It was therefore possible to forge a remote client
+ name in certain cases. We strongly recommend updating application
+ server code where non-local principals may be found on ACLs.
+
+* In conjunction with the above fix, we've implemented KDC checking of
+ the realm transit path, as described in the IETF's current
+ kerberos-revisions draft, and set up the KDC to refuse to issue
+ tickets with unacceptable transit paths. (Strictly speaking,
+ according to the Kerberos specification, enforcement of these checks
+ is supposed to be left to the application servers.) Thus, if your
+ application servers can't be updated promptly but your KDC can, you
+ can still prevent such tickets from being issued. This checking is
+ controlled by a per-realm flag, and is enabled by default.
+
+* On AIX systems, the rlogin server should no longer hang when
+ control-C is pressed.
+
+* New databases will be created in btree format by default. We
+ believe the btree code to be less buggy than the hash format code we
+ have been using. This should not affect the use of any existing
+ databases, only newly created ones, and even that should be a
+ transparent change.
+
+Known Bugs:
+
+* There may be problems with running a KDC on 64-bit platforms
+ (environments where size_t and long are wider than 32 bits, such as
+ alpha/Tru64, or Solaris/SPARC in SPARCv9 mode, for example), as
+ indicated by the util/db2 tests not passing. These problems may
+ also extend to the rpc library, which may prevent the kadmin
+ protocol from functioning. These are being investigated.
+
+* ETYPE_INFO preauthentication data returned from the KDC are not
+ sorted in the order requested by the client. This may result in
+ preauthentication failure when encrypted timestamp preauthentication
+ is required but the client doesn't understand some of the enctypes
+ of the keys stored for it in the database.
+
+* The gssftp daemon and client, when running in krb4 mode, are
+ inconsistent with respect to port numbers passed to the
+ {mk,rd}_{priv,safe} functions. As a result, there is a small but
+ nonzero probability that krb4 ftp with client and server on the same
+ IP address will fail with a "Time is out of bounds" error. This
+ includes the tests/dejagnu test suite, which tests the krb4 ftp
+ functionality. The probability of this occuring seems to be less
+ than 50%.
+
+* The gss-sample test application suite is known to not communicate
+ with the gss-sample suite in 1.1.x and earlier releases. This is
+ the result of changes to gss-sample to increase its functionality;
+ fixes to allow for backwards compatibility will occur in a later
+ release.
+
+* BSD/OS 4.x may have some problems compiling. These are being
+ investigated.
+
+Notes, Major Changes, and Known Bugs for 1.2.2
+----------------------------------------------
+
+Notes:
+
+* This release is a patch release; some non-critical bugs and feature
+ requests have not been incorporated.
+
+Major Changes:
+
+* The KDC dump format has been updated to include per-principal policy
+ information. This will require updating your slave KDCs before your
+ master if you want things to still work.
+
+* A library bug that prevented kprop from working properly with DES3
+ keys has been fixed.
+
+* kpasswd should no longer coredump when there is no kadmin_server
+ line in krb5.conf.
+
+* ASN.1 parsing has been improved to deal with indefinite encodings,
+ such as those emitted by DCE-1.0 derived systems.
+
+* Preauthentication handling code in the initial ticket APIs has been
+ fixed to handle zero-length ETYPE_INFO sequences without causing a
+ NULL pointer dereference.
+
+* The replay cache should no longer leak temporary files. Related
+ hard-to-analyze filename bugs in the rcache code should also be
+ fixed.
+
+* Library builds should now work on AIX.
+
+* KDC local address search code should now work on AIX.
+
+* The yacc grammar for the ftp daemon has been modified to be
+ compilable on HP/UX with Bison; namespace pollution from system
+ headers was causing trouble before.
+
+Known Bugs:
+
+* The gss-sample test application suite is known to not communicate
+ with the gss-sample suite in 1.1.x and earlier releases. This is
+ the result of changes to increase functionality; fixes to allow for
+ backwards compatibility will occur in a later release.
+
+* Handling of utmp and utmpx updates is known to be broken on some
+ systems, such as Solaris 8. We are investigating possible solutions
+ to this problem.
+
+* Tru64 Unix 5.0 (aka OSF/1 5.0), at least, has some problems with
+ revoke() returning ENOTTY in open_slave in the pty library. One
+ possible workaround is to insert
+
+ vfs:
+ revoke_tty_only = 0
+
+ in /etc/sysconfigtab. It is not known whether this workaround will
+ cause other problems.
+
+* BSD/OS 4.x may have some problems compiling. These are being
+ investigated.
+
+Notes, Major Changes, and Known Bugs for 1.2.1 and 1.2
+------------------------------------------------------
+
+* Triple DES support, for session keys as well as user or service
+ keys, should be nearly complete in this release. Much of the work
+ that has been needed is generic multiple-cryptosystem support, so
+ the addition of another cryptosystem should be much easier.
+
+ * GSSAPI support for 3DES has been added. An Internet Draft is
+ being worked on that will describe how this works; it is not
+ currently standardized. Some backwards-compatibility issues in
+ this area mean that enabling 3DES support must be done with
+ caution; service keys that are used for GSSAPI must not be updated
+ to 3DES until the services themselves are upgraded to support 3DES
+ under GSSAPI.
+
+* DNS support for locating KDCs is enabled by default. DNS support
+ for looking up the realm of a host is compiled in but disabled by
+ default (due to some concerns with DNS spoofing).
+
+ We recommend that you publish your KDC information through DNS even
+ if you intend to rely on config files at your own site; otherwise,
+ sites that wish to communicate with you will have to keep their
+ config files updated with your information. One of the goals of
+ this code is to reduce the client-side configuration maintenance
+ requirements as much as is possible, without compromising security.
+
+ See the administrator's guide for information on setting up DNS
+ information for your realm.
+
+ One important effect of this for developers is that on many systems,
+ "-lresolv" must be added to the compiler command line when linking
+ Kerberos programs.
+
+ Configure-time options are available to control the inclusion of the
+ DNS code and the setting of the defaults. Entries in krb5.conf will
+ also modify the behavior if the code has been compiled in.
+
+* Numerous buffer-overrun problems have been found and fixed. Many of
+ these were in locations we don't expect can be exploited in any
+ useful way (for example, overrunning a buffer of MAXPATHLEN bytes if
+ a compiled-in pathname is too long, in a program that has no special
+ privileges). It may be possible to exploit a few of these to
+ compromise system security.
+
+* Partial support for IPv6 addresses has been added. It can be
+ enabled or disabled at configure time with --enable-ipv6 or
+ --disable-ipv6; by default, the configure script will search for
+ certain types and macros, and enable the IPv6 code if they're found.
+ The IPv6 support at this time mostly consists of including the
+ addresses in credentials.
+
+* A protocol change has been made to the "rcmd" suite (rlogin, rsh,
+ rcp) to address several security problems described in Kris
+ Hildrum's paper presented at NDSS 2000. New command-line options
+ have been added to control the selection of protocol, since the
+ revised protocol is not compatible with the old one.
+
+* A security problem in login.krb5 has been fixed. This problem was
+ only present if the krb4 compatibility code was not compiled in.
+
+* A security problem with ftpd has been fixed. An error in the in the
+ yacc grammar permitted potential root access.
+
+* The client programs kinit, klist and kdestroy have been changed to
+ incorporate krb4 support. New command-line options control whether
+ krb4 behavior, krb5 behavior, or both are used.
+
+* Patches from Frank Cusack for much better hardware preauth support
+ have been incorporated.
+
+* Patches from Matt Crawford extend the kadmin ACL syntax so that
+ restrictions can be imposed on what certain administrators may do to
+ certain accounts.
+
+* A KDC on a host with multiple network addresses will now respond to
+ a client from the address that the client used to contact it. The
+ means used to implement this will however cause the KDC not to
+ listen on network addresses configured after the KDC has started.
+
+Minor changes
+-------------
+
+* The shell code for searching for the Tcl package at configure time
+ has been modified. If a tclConfig.sh can be found, the information
+ it contains is used, otherwise the old searching method is tried.
+ Let us know if this new scheme causes any problems.
+
+* Shared library builds may work on HPUX, Rhapsody/MacOS X, and newer
+ Alpha systems now.
+
+* The Windows build will now include kvno and gss-sample.
+
+* The routine krb5_secure_config_files has been disabled. A new
+ routine, krb5_init_secure_context, has been added in its place.
+
+* The routine decode_krb5_ticket is now being exported as
+ krb5_decode_ticket. Any programs that used the old name (which
+ should be few) should be changed to use the new name; we will
+ probably eliminate the old name in the future.
+
+* The CCAPI-based credentials cache code has been changed to store the
+ local-clock time of issue and expiration rather than the KDC-clock
+ times.
+
+* On systems with large numbers of IP addresses, "kinit" should do a
+ better job of acquiring those addresses to put in the user's
+ credentials.
+
+* Several memory leaks in error cases in the gssrpc code have been
+ fixed.
+
+* A bug with login clobbering some internal static storage on AIX has
+ been fixed.
+
+* Per-library initialization and cleanup functions have been added,
+ for use in configurations that dynamically load and unload these
+ libraries.
+
+* Many compile-time warnings have been fixed.
+
+* The GSS sample programs have been updated to exercise more of the
+ API.
+
+* The telnet server should produce a more meaningful error message if
+ authentication is required but not provided.
+
+* Changes have been made to ksu to make it more difficult to use it to
+ leak information the user does not have access to.
+
+* The sample config file information for the CYGNUS.COM realm has been
+ updated, and the GNU.ORG realm has been added.
+
+* A configure-time option has been added to enable a replay cache in
+ the KDC. We recommend its use when hardware preauthentication is
+ being used. It is enabled by default, and can be disabled if
+ desired with the configure-time option --disable-kdc-replay-cache.
+
+* Some new routines have been added to the library and krb5.h.
+
+* A new routine has been added to the prompter interface to allow the
+ application to determine which of the strings prompted for is the
+ user's password, in case it is needed for other purposes.
+
+* The remote kadmin interface has been enhanced to support the
+ specification of key/salt types for a principal.
+
+* New keytab entries' key values can now be specified manually with a
+ new command in the ktutil program.
+
+* A longstanding bug where certain krb4 exchanges using the
+ compatibility library between systems with different byte orders
+ would fail half the time has been fixed.
+
+* A source file under the GPL has been replaced with an equivalent
+ under the BSD license. The file, strftime.c, was part of one of the
+ OpenVision admin system applications, and was only used on systems
+ that don't have strftime() in their C libraries.
+
+* Many bug reports are still outstanding in our database. We are
+ continuing to work on this backlog.
+
Copyright Notice and Legal Administrivia
----------------------------------------
-Copyright (C) 1985-1999 by the Massachusetts Institute of Technology.
+Copyright (C) 1985-2002 by the Massachusetts Institute of Technology.
All rights reserved.
@@ -156,6 +686,8 @@ manner. It does NOT prevent a commercial firm from referring to the
MIT trademarks in order to convey information (although in doing so,
recognition of their trademark status should be given).
+----
+
The following copyright and permission notice applies to the
OpenVision Kerberos Administration system located in kadmin/create,
kadmin/dbutil, kadmin/passwd, kadmin/server, lib/kadm5, and portions
@@ -194,6 +726,13 @@ of lib/rpc:
and our gratitude for the valuable work which has been
performed by MIT and the Kerberos community.
+----
+
+ Portions contributed by Matt Crawford <crawdad@fnal.gov> were
+ work performed at Fermi National Accelerator Laboratory, which is
+ operated by Universities Research Association, Inc., under
+ contract DE-AC02-76CHO3000 with the U.S. Department of Energy.
+
Acknowledgements
----------------
@@ -222,13 +761,22 @@ as testing to ensure DCE interoperability.
Thanks to Ken Hornstein at NRL for providing many bug fixes and
suggestions.
+Thanks to Matt Crawford at FNAL for bugfixes and enhancements.
+
Thanks to Sean Mullan and Bill Sommerfeld from Hewlett Packard for
their many suggestions and bug fixes.
+Thanks to Nalin Dahyabhai of RedHat and Chris Evans for locating and
+providing patches for numerous buffer overruns.
+
+Thanks to Christopher Thompson and Marcus Watts for discovering the
+ftpd security bug.
+
Thanks to the members of the Kerberos V5 development team at MIT, both
-past and present: Danillo Almeida, Jay Berkenbilt, Richard Basch, John
-Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt Hancher, Sam
-Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Barry Jaspan, Geoffrey
-King, John Kohl, Scott McGuire, Kevin Mitchell, Cliff Neuman, Paul
-Park, Ezra Peisach, Chris Provenzano, Ken Raeburn, Jon Rochlis, Jeff
-Schiller, Brad Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
+past and present: Danilo Almeida, Jay Berkenbilt, Richard Basch, Mitch
+Berger, John Carr, Don Davis, Alexandra Ellwood, Nancy Gilman, Matt
+Hancher, Sam Hartman, Paul Hill, Marc Horowitz, Eva Jacobus, Miroslav
+Jurisic, Barry Jaspan, Geoffrey King, John Kohl, Peter Litwack, Scott
+McGuire, Kevin Mitchell, Cliff Neuman, Paul Park, Ezra Peisach, Chris
+Provenzano, Ken Raeburn, Jon Rochlis, Jeff Schiller, Jen Selby, Brad
+Thompson, Harry Tsai, Ted Ts'o, Marshall Vale, Tom Yu.
diff --git a/doc/ChangeLog b/doc/ChangeLog
index 38af2b8..6201a9f 100644
--- a/doc/ChangeLog
+++ b/doc/ChangeLog
@@ -1,3 +1,96 @@
+2003-04-08 Tom Yu <tlyu@mit.edu>
+
+ * krb4-xrealm.txt: New file. Describe the krb4 cross-realm
+ patchkit. Copied from 2003-004-krb4_patchkit.
+
+2002-02-27 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo: Update build quirks for Tru64 4.0 defaulting to
+ K&R mode.
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo (realms (kdc.conf)): Add description of
+ reject_bad_transit realm option.
+
+2001-02-22 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo: Remove references to "rename_princpal".
+
+2001-02-16 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo (Dumping a Kerberos Database to a File):
+ (Restoring a Kerberos Database from a Dump File): Update to
+ reflect new dump file format and new flags to force beta7 dump
+ format.
+
+ * install.texinfo (Switching Master and Slave KDCs):
+ (Upgrading Existing Kerberos V5 Installations): Update to reflect
+ new dump file format that includes principal policy information.
+
+2000-06-22 Tom Yu <tlyu@mit.edu>
+
+ * build.texinfo (HPUX): Update note for HPUX compiler flags.
+ (Shared Library Support): Update shared lib support info.
+
+2000-06-16 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.texinfo: Update descriptions to indicate full support for
+ des3. Describe new DNS-related libdefaults tags for krb5.conf.
+
+ * build.texinfo (Options to Configure): Fix @item labels.
+
+ * install.texinfo: Update descriptions to indicate full support
+ for des3, and describe "v4" salt as being useful only with
+ des-cbc-crc.
+
+2000-06-15 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo: Note in multiple places that the current default
+ dump format doesn't include the per-principal policy information,
+ and some means of working around this problem.
+
+ * install.texinfo (Switching Master and Slave KDCs): Note that
+ in the process of swapping KDCs, it is necessary to do a ov format
+ dump in order to preserve per-principal policy information.
+
+2000-06-13 Tom Yu <tlyu@mit.edu>
+
+ * install.texinfo (Upgrading Existing Kerberos V5 Installations):
+ Add info describing how to preserve policy information while
+ upgrading. Also needs to go into other sections, possibly.
+
+2000-06-13 Ken Raeburn <raeburn@mit.edu>
+
+ * build.texinfo: Enter correct xref info for DNS data
+ descriptions. Fix up text around some xrefs.
+ * install.texinfo: Describe SRV and TXT DNS records. Fix up text
+ around some xrefs.
+
+2000-06-09 Tom Yu <tlyu@mit.edu>
+
+ * admin.texinfo: Add descriptions of the kadmin {ank,cpw,ktadd} -e
+ flag.
+
+2000-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * install.texinfo: Describe new DNS support, and 3DES upgrade
+ path. Update "enctypes" config file sample lines.
+
+ * build.texinfo: No kpasswd directory. Describe new configure
+ options.
+
+ * send-pr.texinfo: Suggest caution regarding tab expansion for
+ patches.
+
+2000-06-02 Ken Raeburn <raeburn@mit.edu>
+
+ * definitions.texinfo: Update for 1.2 release.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * krb425.texinfo (libdefaults): Add description of v4_realm.
+
1999-09-22 Tom Yu <tlyu@mit.edu>
* copyright.texinfo: Update copyright again.
diff --git a/doc/admin.texinfo b/doc/admin.texinfo
index 2ea716b..2fcfd1b 100644
--- a/doc/admin.texinfo
+++ b/doc/admin.texinfo
@@ -16,7 +16,7 @@
@include definitions.texinfo
@set EDITION 1.0
-@set UPDATED November 27, 1996
+@set UPDATED June 16, 2000
@finalout @c don't print black warning boxes
@@ -429,7 +429,8 @@ your Kerberos realm.
@itemx default_tgs_enctypes
Identifies the supported list of session key encryption types that
should be returned by the KDC. The list may be delimited with commas or
-whitespace. Currently, the only supported encryption type is
+whitespace. Currently, the supported encryption types are
+"des3-hmac-sha1" and
"des-cbc-crc". Support for other encryption types is planned in the
future.
@@ -437,7 +438,7 @@ future.
Identifies the supported list of session key encryption
types that should be requested by the client. The format is the same as
for @emph{default_tkt_enctypes}. Again, the only supported encryption
-type is "des-cbc-crc".
+types are "des3-hmac-sha1" and "des-cbc-crc".
@itemx clockskew
Sets the maximum allowable amount of clockskew in seconds that the
@@ -456,6 +457,50 @@ of cache to be created by kinit, or when forwarded tickets are received.
DCE and Kerberos can share the cache, but some versions of DCE do not
support the default cache as created by this version of Kerberos. Use a
value of 1 on DCE 1.0.3a systems, and a value of 2 on DCE 1.1 systems.
+
+@itemx dns_lookup_kdc
+Indicate whether DNS SRV records should be used to locate the KDCs and
+other servers for a realm, if they are not listed in the information for
+the realm. (Note that the @samp{admin_server} entry must be in the
+file, because the DNS implementation for it is incomplete.)
+
+Enabling this option does open up a type of denial-of-service attack, if
+someone spoofs the DNS records and redirects you to another server.
+However, it's no worse than a denial of service, because that fake KDC
+will be unable to decode anything you send it (besides the initial
+ticket request, which has no encrypted data), and anything the fake KDC
+sends will not be trusted without verification using some secret that it
+won't know.
+
+If this option is not specified but @samp{dns_fallback} is, that value
+will be used instead. If neither option is specified, the behavior
+depends on configure-time options; if none were given, the default is to
+enable this option. If the DNS support is not compiled in, this entry
+has no effect.
+
+@itemx dns_lookup_realm
+Indicate whether DNS TXT records should be used to determine the
+Kerberos realm of a host.
+
+Enabling this option may permit a redirection attack, where spoofed DNS
+replies persuade a client to authenticate to the wrong realm, when
+talking to the wrong host (either by spoofing yet more DNS records or by
+intercepting the net traffic). Depending on how the client software
+manages hostnames, however, it could already be vulnerable to such
+attacks. We are looking at possible ways to minimize or eliminate this
+exposure. For now, we encourage more adventurous sites to try using
+Secure DNS.
+
+If this option is not specified but @samp{dns_fallback} is, that value
+will be used instead. If neither option is specified, the behavior
+depends on configure-time options; if none were given, the default is to
+disable this option. If the DNS support is not compiled in, this entry
+has no effect.
+
+@itemx dns_fallback
+General flag controlling the use of DNS for Kerberos information. If
+both of the preceding options are specified, this option has no effect.
+
@end table
@node appdefaults, realms (krb5.conf), libdefaults, krb5.conf
@@ -724,8 +769,8 @@ Here is an example of a generic @code{krb5.conf} file:
[libdefaults]
ticket_lifetime = 600
default_realm = @value{PRIMARYREALM}
- default_tkt_enctypes = des-cbc-crc
- default_tgs_enctypes = des-cbc-crc
+ default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
+ default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
@value{PRIMARYREALM} = @{
@@ -858,8 +903,9 @@ this realm. By default, the value of kdc_ports as specified in the
(String.) Specifies the name of the master key.
@itemx master_key_type
-(Key type string.) Specifies the master key's key type. Only
-"des-cbc-crc" is supported at this time.
+(Key type string.) Specifies the master key's key type. Either
+"des3-hmac-sha1" or
+"des-cbc-crc" may be used at this time.
@itemx max_life
(Delta time string.) Specifes the maximum time period for which a
@@ -872,23 +918,47 @@ valid ticket may be renewed in this realm.
@itemx supported_enctypes
List of key:salt strings. Specifies the default key/salt combinations
of principals for this realm. Any principals created through
-@code{kadmin} will have keys of these types. Since only the encryption
-type "des-cbc-crc" is supported, you should set this tag to
-@samp{des-cbc-crc:normal des-cbc-crc:v4}.
+@code{kadmin} will have keys of these types. If you do not yet wish to
+enable triple-DES support, you should set this tag to
+@samp{des-cbc-crc:normal des-cbc-crc:v4}; otherwise, put
+@samp{des3-hmac-sha1:normal} at the beginning of the list.
@itemx kdc_supported_enctypes
List of key:salt strings. Specifies the permitted key/salt combinations
of principals for this realm. You should set this tag to
-@samp{des-cbc-crc:normal des-cbc-crc:v4}.
-
-@b{Note:} You may also use @samp{des3-cbc-sha1:normal} before
-@samp{des-cbc-crc:normal} if you wish to support triple-DES service keys
-in addition to DES service keys. In order to create such service keys,
-you must use the @code{-e} option to @code{kadmin.local}, running on the
-KDC system itself; the remote @code{kadmin} client does not allow this
-option. We do not currently support the use of triple-DES keys anywhere
-other than for service keys.
-
+@samp{des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4}.
+
+@itemx reject_bad_transit
+A boolean value (@code{true}, @code{false}). If set to @code{true}, the
+KDC will check the list of transited realms for cross-realm tickets
+against the transit path computed from the realm names and the
+@code{capaths} section of its @code{krb5.conf} file; if the path in the
+ticket to be issued contains any realms not in the computed path, the
+ticket will not be issued, and an error will be returned to the client
+instead. If this value is set to @code{false}, such tickets will be
+issued anyways, and it will be left up to the application server to
+validate the realm transit path.
+
+If the @code{disable-transited-check} flag is set in the incoming
+request, this check is not performed at all. Having the
+@code{reject_bad_transit} option will cause such ticket requests to be
+rejected always.
+
+This transit path checking and config file option currently apply only
+to TGS requests.
+
+Earlier versions of the MIT release (before 1.2.3) had bugs in the
+application server support such that the server-side checks may not be
+performed correctly. We recommend turning this option on, unless you
+know that all application servers in this realm have been updated to
+fixed versions of the software, and for whatever reason, you don't want
+the KDC to do the validation.
+
+This is a per-realm option so that multiple-realm KDCs may control it
+separately for each realm, in case (for example) one realm has had the
+software on its application servers updated but another has not.
+
+This option defaults to @code{true}.
@end table
@@ -907,9 +977,9 @@ Here's an example of a @code{kdc.conf} file:
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
- master_key_type = des-cbc-crc
- supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
- kdc_supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
+ kdc_supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4
@}
[logging]
@@ -1011,11 +1081,8 @@ scripts that pass specific queries to @code{kadmin}.
@b{(For @code{kadmin.local} only.)}
Sets the list of cryptosystem and salt types to be used for any new keys
created. Available types include @samp{des3-cbc-sha1:normal},
-@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}. In this release,
-the @samp{des3-cbc-sha1:normal} type should only be used when
-registering service principals; for any services that may request
-tickets themselves to initiate some action, it should be combined with
-one or more of the other types.
+@samp{des-cbc-crc:normal}, and @samp{des-cbc-crc:v4}.
+
@end table
@node Date Format, Principals, Kadmin Options, Administrating Kerberos Database Entries
@@ -1092,7 +1159,6 @@ that principal.
* Adding or Modifying Principals::
* Deleting Principals::
* Changing Passwords::
-* Renaming Principals::
@end menu
@node Retrieving Information About a Principal, Privileges, Principals, Principals
@@ -1280,7 +1346,7 @@ administrative privilege. The syntax is:
@code{add_principal} has the aliases @code{addprinc} and
@code{ank}@footnote{@code{ank} was the short form of the equivalent
command using the deprecated @code{kadmin5} database administrative
-tool. It has been kept}. @code{modify_principal} has the alias @code{modprinc}.
+tool. It has been kept. @code{modify_principal} has the alias @code{modprinc}.}
The @code{add_principal} and @code{modify_principal} commands take the
following switches:
@@ -1408,16 +1474,18 @@ Removes the policy @i{policyname} from the principal
@item -randkey
Sets the key for the principal to a random value (@code{add_principal}
-only). @value{COMPANY} recommends using this option for host keys. You
-may also wish to use the @b{kadmin.local} command-line options @b{-e
-"des3-cbc-sha1:normal des-cbc-crc:normal"}@xref{Kadmin Options} on the
-KDC machine itself for host keys and other service keys that are
-security-critical.
+only). @value{COMPANY} recommends using this option for host keys.
@item -pw @i{password}
Sets the key of the principal to the specified string and does not
prompt for a password (@code{add_principal} only). @value{COMPANY} does
not recommend using this option.
+
+@item -e @i{enc:salt...}
+Uses the specified list of enctype-salttype pairs for setting the key of
+the principal. The quotes are necessary if there are multiple
+enctype-salttype pairs. This will not function against kadmin daemons
+earlier than krb5-1.2.
@end table
If you want to just use the default values, all you need to do is:
@@ -1503,7 +1571,7 @@ kadmin:}
@end group
@end smallexample
-@node Changing Passwords, Renaming Principals, Deleting Principals, Principals
+@node Changing Passwords, , Deleting Principals, Principals
@subsection Changing Passwords
To change a principal's password use the kadmin @code{change_password}
@@ -1529,6 +1597,12 @@ Sets the key of the principal to a random value.
@item @b{-pw} @i{password}
Sets the password to the string @i{password}. @value{COMPANY} does not
recommend using this option.
+
+@item @b{-e} @i{"enc:salt..."}
+Uses the specified list of enctype-salttype pairs for setting the key of
+the principal. The quotes are necessary if there are multiple
+enctype-salttype pairs. This will not function against kadmin daemons
+earlier than krb5-1.2.
@end table
For example:
@@ -1552,35 +1626,6 @@ kadmin:}
Note that @code{change_password} will not let you change the password to
one that is in the principal's password history.
-@node Renaming Principals, , Changing Passwords, Principals
-@subsection Renaming Principals
-
-To rename a principal, use the kadmin @code{rename_principal} command,
-which requires both the ``add'' and ``delete'' administrative
-privileges. The syntax is:
-
-@smallexample
-@b{rename_principal} [@b{-force}] @i{old_principal} @i{new_principal}
-@end smallexample
-
-@noindent The @code{rename_principal} command has the alias @code{renprinc}.
-
-For example:
-
-@smallexample
-@group
-@b{kadmin:} renprinc test test0
-@b{Are you sure you want to rename the principal
-"test@@@value{PRIMARYREALM}" to
-"test0@@@value{PRIMARYREALM}"? (yes/no):} yes
-@b{Principal "test@@@value{PRIMARYREALM}" renamed to
-"test0@@@value{PRIMARYREALM}".
-Make sure that you have removed "test@@@value{PRIMARYREALM}" from
-all ACLs before reusing.
-kadmin:}
-@end group
-@end smallexample
-
@node Policies, Dumping a Kerberos Database to a File, Principals, Administrating Kerberos Database Entries
@section Policies
@@ -1745,8 +1790,8 @@ To dump a Kerberos database into a file, use the @code{kdb5_util}
@code{dump} command on one of the KDCs. The syntax is:
@smallexample
-@b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@i{filename}
-[@i{principals...}]]
+@b{kdb5_util dump} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}] [@b{-verbose}]
+[@i{filename} [@i{principals...}]]
@end smallexample
The @code{kdb5_util dump} command takes the following options:
@@ -1758,6 +1803,10 @@ causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format
@itemx -b6
causes the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit
load_dump version 3.0'').
+@itemx -b7
+causes the dump to be in the Kerberos 5 Beta 7 format (``kdb5_util
+load_dump version 4''). This was the dump format produced on releases
+prior to 1.2.2.
@itemx -ov
causes the dump to be in ovsec_adm_export format.
@itemx -verbose
@@ -1824,8 +1873,8 @@ To restore a Kerberos database dump from a file, use the
is:
@smallexample
-@b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-ov}] [@b{-verbose}] [@b{-update}]
-@i{dumpfilename} @i{dbname} [@i{admin_dbname}]
+@b{kdb5_util load} [@b{-old}] [@b{-b6}] [@b{-b7}] [@b{-ov}] [@b{-verbose}]
+[@b{-update}] @i{dumpfilename} @i{dbname} [@i{admin_dbname}]
@end smallexample
The @code{kdb5_util load} command takes the following options:
@@ -1837,6 +1886,9 @@ requires the dump to be in the Kerberos 5 Beta 5 and earlier dump format
@itemx -b6
requires the dump to be in the Kerberos 5 Beta 6 format (``kdb5_edit
load_dump version 3.0'').
+@itemx -b7
+requires the dump to be in the Kerberos 5 Beta 7 format (``kdb5_util
+load_dump version 4'').
@itemx -ov
requires the dump to be in ovsec_adm_export format.
@itemx -verbose
@@ -2001,6 +2053,12 @@ The @code{ktadd} command takes the following switches:
use @i{keytab} as the keytab file. Otherwise, @code{ktadd} will use the
default keytab file (@code{/etc/krb5.keytab}).
+@item @b{-e} @i{"enc:salt..."}
+Uses the specified list of enctype-salttype pairs for setting the key of
+the principal. The quotes are necessary if there are multiple
+enctype-salttype pairs. This will not function against kadmin daemons
+earlier than krb5-1.2.
+
@item -q
run in quiet mode. This causes @code{ktadd} to display less verbose
information.
@@ -2012,8 +2070,9 @@ for the kadmin @code{list_principals} (@pxref{Retrieving a List of
Principals}) command.
@end table
-For example (The line beginning with @result{} is a continuation of the
-previous line.):
+Here is a sample session, using configuration files that enable only
+@samp{des-cbc-crc} encryption. (The line beginning with @result{} is a
+continuation of the previous line.)
@smallexample
@group
@@ -2551,7 +2610,6 @@ KRB5PLACEHOLD_110: KRB5 error code 110
@item
KRB5PLACEHOLD_111: KRB5 error code 111
@item
-+
KRB5PLACEHOLD_112: KRB5 error code 112
@item
KRB5PLACEHOLD_113: KRB5 error code 113
diff --git a/doc/api/ChangeLog b/doc/api/ChangeLog
index b1145f1..accc0c6 100644
--- a/doc/api/ChangeLog
+++ b/doc/api/ChangeLog
@@ -1,3 +1,7 @@
+2000-06-22 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile (lib1.stamp): Use texindex instead of index.
+
1999-08-30 Ken Raeburn <raeburn@mit.edu>
* libdes.tex: Don't use ncs style; it's availability is dependent
diff --git a/doc/api/Makefile b/doc/api/Makefile
index 3fd23f9..dbb2f03 100644
--- a/doc/api/Makefile
+++ b/doc/api/Makefile
@@ -28,7 +28,7 @@ library.dvi: lib1.stamp $(LIBTEX) $(STYLES)
lib1.stamp: $(LIBTEX) $(STYLES)
touch library.ind
latex library
- index library.idx
+ texindex library.idx
date > lib1.stamp
.tex.dvi:
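Review bot: The new recipe line `texindex library.idx` in `lib1.stamp` probably does not produce the `library.ind` file that the `touch library.ind` line two lines above suggests the LaTeX run reads back. texindex is the Texinfo index sorter: it expects Texinfo-style `\entry` lines and writes its result to the input name with an `s` appended, whereas a standard LaTeX run writes `\indexentry` lines to the `.idx` file and includes `.ind`. If the document uses the stock LaTeX index macros, `makeindex library.idx` would be the matching tool; if the project's style files really emit Texinfo-format entries, a recipe comment saying so and naming the file that is read back would save the next maintainer the check. The style files and the rest of the Makefile are outside this hunk, so this is inferred from the visible lines only.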
diff --git a/doc/build.texinfo b/doc/build.texinfo
index 78aa8b4..e432717 100644
--- a/doc/build.texinfo
+++ b/doc/build.texinfo
@@ -59,8 +59,8 @@ only need to build Kerberos for one platform, using a single directory
tree which contains both the source files and the object files is the
simplest. However, if you need to maintain Kerberos for a large number
of platforms, you will probably want to use separate build trees for
-each platform. We recommend that you look at see @ref{OS
-Incompatibilities} for notes that we have on particular operating
+each platform. We recommend that you look at @ref{OS
+Incompatibilities}, for notes that we have on particular operating
systems.
@menu
@@ -152,10 +152,10 @@ building Kerberos; see @ref{Doing the Build}.):
@menu
* The DejaGnu Tests::
-* The KADM5 Tests::
+* The KADM5 Tests::
@end menu
-@node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build
+@node The DejaGnu Tests, The KADM5 Tests, Testing the Build, Testing the Build
@subsection The DejaGnu Tests
Some of the built-in regression tests are setup to use the DejaGnu
@@ -200,7 +200,7 @@ libraries to be available during compilation and some of the tests also
require Perl in order to operate. If all of these resources are not
available during configuration, the KADM5 tests will not run. The TCL
installation directory can be specified with the @code{--with-tcl}
-configure option (see @xref{Options to Configure}). The runtest and
+configure option. (See @xref{Options to Configure}.) The runtest and
perl programs must be in the current execution path.
If you install DejaGnu, TCL, or Perl after configuring and building
@@ -208,7 +208,7 @@ Kerberos and then want to run the KADM5 tests, you will need to
re-configure the tree and run @code{make} at the top level again to make
sure all the proper programs are built. To save time, you actually only
need to reconfigure and build in the directories src/kadmin/testing,
-src/lib/rpc, src/lib/kadm5, and src/kpasswd.
+src/lib/rpc, src/lib/kadm5.
@node Options to Configure, osconf.h, Testing the Build, Building Kerberos V5
@section Options to Configure
@@ -301,12 +301,6 @@ default, Kerberos V5 configuration will look for @code{-lnsl} and
(see @ref{Solaris versions 2.0 through 2.3}) or fails to pass the tests in
@file{src/tests/resolv} you will need to use this option.
-@item --enable-shared
-
-This option will turn on the building and use of shared library objects
-in the Kerberos build. This option is only supported on certain
-platforms.
-
@item --with-vague-errors
If enabled, gives vague and unhelpful error messages to the client... er,
@@ -329,10 +323,33 @@ Tcl. The directory specified by @code{TCLPATH} specifies where the Tcl
header file (@file{TCLPATH/include/tcl.h} as well as where the Tcl
library should be found (@file{TCLPATH/lib}).
+@item --enable-shared
+
+This option will turn on the building and use of shared library objects
+in the Kerberos build. This option is only supported on certain
+platforms.
+
+@item --enable-dns
+@item --enable-dns-for-kdc
+@item --enable-dns-for-realm
+
+Enable the use of DNS to look up a host's Kerberos realm, or a realm's
+KDCs, if the information is not provided in krb5.conf. See
+@xref{Hostnames for the Master and Slave KDCs}, and @xref{Mapping
+Hostnames onto Kerberos Realms}. By default, DNS lookups are enabled
+for the latter but not for the former.
+
+@item --enable-kdc-replay-cache
+
+Enable a cache in the KDC to detect retransmitted messages, and resend
+the previous responses to them. This protects against certain types of
+attempts to extract information from the KDC through some of the
+hardware preauthentication systems.
+
@end table
For example, in order to configure Kerberos on a Solaris machine using
-the @samp{suncc} with the optimizer turned on, run the configure
+the @samp{suncc} compiler with the optimizer turned on, run the configure
script with the following options:
@example
@@ -397,10 +414,15 @@ variables when using the programs. Except where noted, multiple versions
of the libraries may be installed on the same system and continue to
work.
-Currently the supported platforms are
-@comment NetBSD 1.0A, AIX 3.2.5, AIX 4.1,
-Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
-@comment Alpha OSF/1 >= 2.1, HP-UX >= 9.X.
+Currently the supported platforms are Solaris 2.6 (aka SunOS 5.6) and Irix 6.5.
+
+Shared library support has been tested on the following platforms but
+not exhaustively (they have been built but not necessarily tested in an
+installed state): Tru64 (aka Alpha OSF/1 or Digital Unix) 4.0, NetBSD
+1.4.x (i386), and HP/UX 10.20.
+
+Platforms for which there is shared library support but not significant
+testing include FreeBSD, OpenBSD, MacOS 10, AIX, Linux, and SunOS 4.x.
To enable shared libraries on the above platforms, run the configure
script with the option @samp{--enable-shared}.
@@ -428,6 +450,7 @@ Thanks!
* AIX::
* Alpha OSF/1 V1.3::
* Alpha OSF/1 (Digital Unix) V2.0++::
+* Alpha Tru64 4.0::
* BSDI::
* HPUX::
* Solaris versions 2.0 through 2.3::
@@ -452,7 +475,7 @@ causes the @code{asn.1} library to be compiled incorrectly.
Using GCC version 2.6.3 or later instead of the native compiler will also work
fine, both with or without optimization.
-@node Alpha OSF/1 (Digital Unix) V2.0++, BSDI, Alpha OSF/1 V1.3, OS Incompatibilities
+@node Alpha OSF/1 (Digital Unix) V2.0++, Alpha Tru64 4.0, Alpha OSF/1 V1.3, OS Incompatibilities
@subsection Alpha OSF/1 V2.0++
There used to be a bug when using the native compiler in compiling
@@ -463,9 +486,21 @@ problem would exist there. (We welcome feedback on this issue). There
was never a problem in using GCC version 2.6.3.
In version 3.2 and beyond of the operating system, we have not seen any
-problems with the native compiler.
+optimizer problems with the native compiler.
+
+@node Alpha Tru64 4.0, BSDI, Alpha OSF/1 (Digital Unix) V2.0++, OS Incompatibilities
+@subsection Alpha Tru64 4.0
+
+Alpha Tru64 4.0 will have some trouble compiling the some stdarg
+prototypes, since it defaults to K&R C. Use the @samp{-std} or
+@samp{-std1} flags to force ANSI behavior (e.g. @samp{./configure
+--with-cc='cc -std1'}).
+
+@comment node-name, next, previous, up@c @node Alpha Tru64 UNIX 5.0
+@c @subsection Alpha Tru64 UNIX 5.0
+@c ... login.krb5 problems
-@node BSDI, HPUX, Alpha OSF/1 (Digital Unix) V2.0++, OS Incompatibilities
+@node BSDI, HPUX, Alpha Tru64 4.0, OS Incompatibilities
@subsection BSDI
BSDI versions 1.0 and 1.1 reportedly has a bad @samp{sed} which causes
@@ -479,9 +514,9 @@ NetBSD and FreeBSD.)
The native (bundled) compiler for HPUX currently will not work, because
it is not a full ANSI C compiler. The optional compiler (c89) should
-work as long as you give it the @samp{+Olibcalls -D_HPUX_SOURCE} (this
-has only been tested for HPUX 9.0). At this point, using GCC is
-probably your best bet.
+work as long as you give it the @samp{-D_HPUX_SOURCE} flag
+(i.e. @samp{./configure --with-cc='c89 -D_HPUX_SOURCE'}). This has only
+been tested recently for HPUX 10.20.
@node Solaris versions 2.0 through 2.3, Solaris 2.X, HPUX, OS Incompatibilities
@subsection Solaris versions 2.0 through 2.3
diff --git a/doc/copyright.texinfo b/doc/copyright.texinfo
index 7ea4758..355cad1 100644
--- a/doc/copyright.texinfo
+++ b/doc/copyright.texinfo
@@ -1,4 +1,4 @@
-Copyright @copyright{} 1985-1999 by the Massachusetts Institute of Technology.
+Copyright @copyright{} 1985-2001 by the Massachusetts Institute of Technology.
@quotation
Export of software employing encryption from the United States of
diff --git a/doc/definitions.texinfo b/doc/definitions.texinfo
index 079809d..5a5b37c 100644
--- a/doc/definitions.texinfo
+++ b/doc/definitions.texinfo
@@ -19,8 +19,8 @@
@set RANDOMUSER johndoe
@set RANDOMUSER1 jennifer
@set RANDOMUSER2 david
-@set RELEASE 1.1
-@set PREVRELEASE 1.0
+@set RELEASE 1.2
+@set PREVRELEASE 1.1
@set INSTALLDIR /usr/@value{LCPRODUCT}
@set PREVINSTALLDIR @value{INSTALLDIR}
@set ROOTDIR /usr/local
diff --git a/doc/install.texinfo b/doc/install.texinfo
index 8744b0f..2ecd8bd 100644
--- a/doc/install.texinfo
+++ b/doc/install.texinfo
@@ -229,7 +229,10 @@ BOSTON.@value{SECONDREALM} and HOUSTON.@value{SECONDREALM}.
@node Mapping Hostnames onto Kerberos Realms, Ports for the KDC and Admin Services, Kerberos Realms, Realm Configuration Decisions
@section Mapping Hostnames onto Kerberos Realms
-Mapping hostnames onto Kerberos realms is done through a set of rules in
+Mapping hostnames onto Kerberos realms is done in one of two ways.
+
+The first mechanism, which has been in use for years in MIT-based
+Kerberos distributions, works through a set of rules in
the @code{krb5.conf} configuration file. (@xref{krb5.conf}.) You can
specify mappings for an entire domain or subdomain, and/or on a
hostname-by-hostname basis. Since greater specificity takes precedence,
@@ -240,7 +243,35 @@ The @value{PRODUCT} System Administrator's Guide contains a thorough
description of the parts of the @code{krb5.conf} file and what may be
specified in each. A sample @code{krb5.conf} file appears in
@ref{krb5.conf}. You should be able to use this file, substituting the
-relevant information for your Kerberos instllation for the samples.
+relevant information for your Kerberos installation for the samples.
+
+The second mechanism, recently introduced into the MIT code base but not
+currently used by default, works by looking up the information in
+special @code{TXT} records in the Domain Name Service. If this
+mechanism is enabled on the client, it will try to look up a @code{TXT}
+record for the DNS name formed by putting the prefix @code{_kerberos} in
+front of the hostname in question. If that record is not found, it will
+try using @code{_kerberos} and the host's domain name, then its parent
+domain, and so forth. So for the hostname
+BOSTON.ENGINEERING.FOOBAR.COM, the names looked up would be:
+
+@smallexample
+_kerberos.boston.engineering.foobar.com
+_kerberos.engineering.foobar.com
+_kerberos.foobar.com
+_kerberos.com
+@end smallexample
+
+The value of the first TXT record found is taken as the realm name.
+(Obviously, this doesn't work all that well if a host and a subdomain
+have the same name, and different realms. For example, if all the hosts
+in the ENGINEERING.FOOBAR.COM domain are in the ENGINEERING.FOOBAR.COM
+realm, but a host named ENGINEERING.FOOBAR.COM is for some reason in
+another realm. In that case, you would set up TXT records for all
+hosts, rather than relying on the fallback to the domain name.)
+
+Even if you do not choose to use this mechanism within your site, you
+may wish to set up anyways, for use when interacting with other sites.
@node Ports for the KDC and Admin Services, Slave KDCs, Mapping Hostnames onto Kerberos Realms, Realm Configuration Decisions
@section Ports for the KDC and Admin Services
@@ -293,11 +324,86 @@ disasters.
@section Hostnames for the Master and Slave KDCs
@value{COMPANY} recommends that your KDCs have a predefined set of
-CNAMEs, such as @code{@value{KDCSERVER}} for the master KDC and
+CNAME records (DNS hostname aliases), such as @code{@value{KDCSERVER}}
+for the master KDC and
@code{@value{KDCSLAVE1}}, @code{@value{KDCSLAVE2}}, @dots{} for the
slave KDCs. This way, if you need to swap a machine, you only need to
change a DNS entry, rather than having to change hostnames.
+A new mechanism for locating KDCs of a realm through DNS has been added
+to the @value{COMPANY} @value{PRODUCT} distribution. A relatively new
+record type called @code{SRV} has been added to DNS. Looked up by a
+service name and a domain name, these records indicate the hostname and
+port number to contact for that service, optionally with weighting and
+prioritization. (See RFC 2782 if you want more information. You can
+follow the example below for straightforward cases.)
+
+The use with Kerberos is fairly straightforward. The domain name used
+in the SRV record name is the domain-style Kerberos realm name. (It is
+possible to have Kerberos realm names that are not DNS-style names, but
+we don't recommend it for Internet use, and our code does not support it
+well.) Several different Kerberos-related service names are used:
+
+@table @code
+@item _kerberos._udp
+This is for contacting any KDC. This entry will be used the most often.
+Normally you should list ports 88 and 750 on each of your KDCs.
+
+@item _kerberos-master._udp
+This entry should refer to those KDCs, if any, that will immediately see
+password changes to the Kerberos database. This entry is used only in
+one case, when the user is logging in and the password appears to be
+incorrect; the master KDC is then contacted, and the same password used
+to try to decrypt the response, in case the user's password had recently
+been changed and the first KDC contacted hadn't been updated. Only if
+that fails is an ``incorrect password'' error given.
+
+If you have only one KDC, or for whatever reason there is no accessible
+KDC that would get database changes faster than the others, you do not
+need to define this entry.
+
+@item _kerberos-adm._tcp
+This should list port 749 on your master KDC. Support for it is not
+complete at this time, but it will eventually be used by the
+@code{kadmin} program and related utilities. For now, you will also
+need the @code{admin_server} entry in @code{krb5.conf}.
+
+@item _kpasswd._udp
+This should list port 464 on your master KDC. It is used when a user
+changes her password.
+
+@end table
+
+Be aware, however, that the DNS SRV specification requires that the
+hostnames listed be the canonical names, not aliases. So, for example,
+you might include the following records in your (BIND-style) zone file:
+
+@smallexample
+$ORIGIN foobar.com.
+_kerberos TXT "FOOBAR.COM"
+kerberos CNAME daisy
+kerberos-1 CNAME use-the-force-luke
+kerberos-2 CNAME bunny-rabbit
+_kerberos._udp SRV 0 0 88 daisy
+ SRV 0 0 88 use-the-force-luke
+ SRV 0 0 88 bunny-rabbit
+_kerberos-master._udp SRV 0 0 88 daisy
+_kerberos-adm._tcp SRV 0 0 749 daisy
+_kpasswd._udp SRV 0 0 464 daisy
+@end smallexample
+
+As with the DNS-based mechanism for determining the Kerberos realm of a
+host, we recommend distributing the information this way for use by
+other sites that may want to interact with yours using Kerberos, even if
+you don't immediately make use of it within your own site. If you
+anticipate installing a very large number of machines on which it will
+be hard to update the Kerberos configuration files, you may wish to do
+all of your Kerberos service lookups via DNS and not put the information
+(except for @code{admin_server} as noted above) in future versions of
+your @code{krb5.conf} files at all. Eventually, we hope to phase out
+the listing of server hostnames in the client-side configuration files;
+making preparations now will make the transition easier in the future.
+
@node Database Propagation, , Hostnames for the Master and Slave KDCs, Realm Configuration Decisions
@section Database Propagation
@@ -421,7 +527,8 @@ encrypted form on the KDC's local disk. The stash file is used to
authenticate the KDC to itself automatically before starting the
@code{kadmind} and @code{krb5kdc} daemons (@i{e.g.,} as part of the
machine's boot sequence). The stash file, like the keytab file
-(@xref{The Keytab File}) is a potential point-of-entry for a break-in,
+(see @xref{The Keytab File}, for more information) is a potential
+point-of-entry for a break-in,
and if compromised, would allow unrestricted access to the Kerberos
database. If you choose to install a stash file, it should be readable
only by root, and should exist only on the KDC's local disk. The file
@@ -560,8 +667,8 @@ instance ``root'', you would add the following line to the acl file:
Next you need to add administrative principals to the Kerberos database.
(You must add at least one now.) To do this, use @code{kadmin.local}
@emph{on the master KDC}. The administrative principals you create
-should be the ones you added to the ACL file (see @xref{Add
-Administrators to the Acl File}). In the following example, the
+should be the ones you added to the ACL file. (See @xref{Add
+Administrators to the Acl File}.) In the following example, the
administration principal @code{admin/admin} is created:
@smallexample
@@ -639,8 +746,8 @@ to the KDC's @code{/etc/rc} or @code{/etc/inittab} file. You need to
have a stash file in order to do this.
You can verify that they started properly by checking for their startup
-messages in the logging locations you defined in @code{/etc/krb5.conf}
-(see @xref{Edit the Configuration Files}). For example:
+messages in the logging locations you defined in @code{/etc/krb5.conf}.
+(See @xref{Edit the Configuration Files}.) For example:
@smallexample
@b{shell%} tail /var/log/krb5kdc.log
@@ -909,7 +1016,7 @@ Once your KDCs are set up and running, you are ready to use
@code{kadmin} to load principals for your users, hosts, and other
services into the Kerberos database. This procedure is described fully in the
``Adding or Modifying Principals'' section of the @value{PRODUCT} System
-Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs} for a
+Administrator's Guide. (@xref{Create Host Keys for the Slave KDCs}, for a
brief description.) The keytab is generated by running @code{kadmin}
and issuing the @code{ktadd} command.
@@ -987,7 +1094,11 @@ Disable the cron job that propagates the database.
@item
Run your database propagation script manually, to ensure that the slaves
all have the latest copy of the database. (@xref{Propagate the Database
-to Each Slave KDC}.)
+to Each Slave KDC}.) As of the 1.2.2 release, it is no longer necessary
+to use ``kdb5_util dump -ov'' in order to preserve per-principal policy
+information, as the default dump format now supports it. Note you
+should update your slaves prior to your master, so that they will
+understand the new dump format. (This is a good policy anyway.)
@end enumerate
On the @emph{new} master KDC:
@@ -1007,6 +1118,7 @@ Database to Each Slave KDC}.)
Switch the CNAMEs of the old and new master KDCs. (If you don't do
this, you'll need to change the @code{krb5.conf} file on every client
machine in your Kerberos realm.)
+
@end enumerate
@node Installing and Configuring UNIX Client Machines, UNIX Application Servers, Installing KDCs, Installing Kerberos V5
@@ -1050,7 +1162,7 @@ counterparts
@c @code{from}
@code{su}, @code{passwd}, and @code{rdist}.
-@node Client Machine Configuration Files, Mac OS X Configuration, Client Programs, Installing and Configuring UNIX Client Machines
+@node Client Machine Configuration Files, , Client Programs, Installing and Configuring UNIX Client Machines
@subsection Client Machine Configuration Files
Each machine running Kerberos must have a @code{/etc/krb5.conf} file.
@@ -1357,27 +1469,29 @@ should be readable only by root.
If you already have an existing Kerberos database that you created with
a prior release of Kerberos 5, you can upgrade it to work with the
-current release with the @code{kdb5_util} command. The process for
-upgrading a Master KDC involves the following steps (the lines beginning
-with => indicate a continuation of the previous line):
+current release with the @code{kdb5_util} command. It is only necessary
+to perform this dump/undump procedure if you were running a krb5-1.0.x
+KDC and are migrating to a krb5-1.1.x or newer KDC. The process for
+upgrading a Master KDC involves the following steps:
@enumerate
-@item Stopping your current KDC and administration
+@item Stop your current KDC and administration
server processes, if any.
-@item Dumping your existing Kerberos database to an ASCII file with
+@item Dump your existing Kerberos database to an ASCII file with
@code{kdb5_util}'s ``dump'' command:
@smallexample
@group
-@b{shell%} kdb5_util -r @value{PRIMARYREALM} dump
-@result{} @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
+@b{shell%} cd @value{ROOTDIR}/var/krb5kdc
+@b{shell%} kdb5_util dump old-kdb-dump
+@b{shell%} kdb5_util dump -ov old-kdb-dump.ov
@b{shell%}
@end group
@end smallexample
-@item Creating a new Master KDC installation (@xref{Install the Master
+@item Create a new Master KDC installation (@xref{Install the Master
KDC}). If you have a stash file for your current database, choose any
new master password but then copy your existing stash file to the
location specified by your kdc.conf; if you do not have a stash file for
@@ -1388,17 +1502,64 @@ your current database, you must choose the same master password.
@smallexample
@group
-@b{shell%} kdb5_util load @value{ROOTDIR}/var/krb5kdc/old-kdb-dump
+@b{shell%} cd @value{ROOTDIR}/var/krb5kdc
+@b{shell%} kdb5_util load old-kdb-dump
+@b{shell%} kdb5_util load -update old-kdb-dump.ov
@b{shell%}
@end group
@end smallexample
@end enumerate
+The ``dump -ov'' and ``load -update'' commands are necessary in order to
+preserve per-principal policy information, since the dump format in
+releases prior to 1.2.2 filters out that information. If you omit those
+steps, the loaded database database will lose the policy information for
+each principal that has a policy.
+
To update a Slave KDC, you must stop the old server processes on the
Slave KDC, install the new server binaries, reload the most recent slave
dump file, and re-start the server processes.
+@menu
+* Upgrading to Triple-DES Encryption Keys::
+@end menu
+
+@node Upgrading to Triple-DES Encryption Keys, , Upgrading Existing Kerberos V5 Installations, Upgrading Existing Kerberos V5 Installations
+@section Upgrading to Triple-DES Encryption Keys
+
+Beginning with the 1.2 release from MIT, Kerberos includes a stronger
+encryption algorithm called ``triple DES'' -- essentially, three
+applications of the basic DES encryption algorithm, greatly increasing
+the resistance to a brute-force search for the key by an attacker. This
+algorithm is more secure, but encryption is much slower. We expect to
+add other, faster encryption algorithms at some point in the future.
+
+Release 1.1 had some support for triple-DES service keys, but with
+release 1.2 we have added support for user keys and session keys as
+well. Release 1.0 had very little support for multiple cryptosystems,
+and some of that software may not function properly in an environment
+using triple-DES as well as plain DES.
+
+Because of the way the MIT Kerberos database is structured, the KDC will
+assume that a service supports only those encryption types for which
+keys are found in the database. Thus, if a service has only a
+single-DES key in the database, the KDC will not issue tickets for that
+service that use triple-DES session keys; it will instead issue only
+single-DES session keys, even if other services are already capable of
+using triple-DES. So if you make sure your application server software
+is updated before adding a triple-DES key for the service, clients
+should be able to talk to services at all times during the updating
+process.
+
+Normally, the listed @code{supported_enctypes} in @code{kdc.conf} are
+all used when a new key is generated. You can control this with
+command-line flags to @code{kadmin} and @code{kadmin.local}. You may
+want to exclude triple-DES by default until you have updated a lot of
+your application servers, and then change the default to include
+triple-DES. We recommend that you always include @code{des-cbc-crc} in
+the default list.
+
@node Bug Reports for Kerberos V5, Files, Upgrading Existing Kerberos V5 Installations, Top
@chapter Bug Reports for @value{PRODUCT}
@@ -1422,8 +1583,8 @@ Here is an example @code{krb5.conf} file:
[libdefaults]
ticket_lifetime = 600
default_realm = @value{PRIMARYREALM}
- default_tkt_enctypes = des-cbc-crc
- default_tgs_enctypes = des-cbc-crc
+ default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
+ default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc
[realms]
@value{PRIMARYREALM} = @{
@@ -1478,17 +1639,14 @@ Here's an example of a kdc.conf file:
kadmind_port = 749
max_life = 10h 0m 0s
max_renewable_life = 7d 0h 0m 0s
- master_key_type = des-cbc-crc
- supported_enctypes = des-cbc-crc:normal
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal
@}
@end group
@end smallexample
-To add Kerberos V4 support, change the @code{supported_enctypes} line to:
-
-@smallexample
- supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4
-@end smallexample
+To add Kerberos V4 support, add @code{des-cbc-crc:v4} to the
+@code{supported_enctypes} line.
@menu
* Encryption Types and Salt Types::
@@ -1497,9 +1655,8 @@ To add Kerberos V4 support, change the @code{supported_enctypes} line to:
@node Encryption Types and Salt Types, , kdc.conf, kdc.conf
@appendixsubsec Encryption Types and Salt Types
-Currently, @value{PRODUCT} supports only DES and triple-DES encryption;
-however, triple-DES is currently supported only for service keys, not
-for user keys or session keys. The encoding types include
+Currently, @value{PRODUCT} supports only DES and triple-DES encryption.
+The encoding types include
@code{des-cbc-crc} and @code{des3-cbc-sha1}. The @dfn{salt} is
additional information encoded within the key that tells what kind of
key it is. The only salts that you will be likely to encounter are:
@@ -1509,6 +1666,8 @@ key it is. The only salts that you will be likely to encounter are:
your @value{PRODUCT} keys
@item @dfn{v4}, which is necessary only for compatibility with a v4 KDC
+or a v4 version of @code{kinit}, and then only with @code{des-cbc-crc}
+encryption
@item @dfn{afs}, which you will never need to generate, and which you will
encounter only if you dump an AFS database into a Kerberos database
diff --git a/doc/krb4-xrealm.txt b/doc/krb4-xrealm.txt
new file mode 100644
index 0000000..f8c4566
--- /dev/null
+++ b/doc/krb4-xrealm.txt
@@ -0,0 +1,143 @@
+The following text was taken from the patchkit disabling cross-realm
+authentication and triple-DES in krb4.
+
+PATCH KIT DESCRIPTION
+=====================
+
+** FLAG DAY REQUIRED **
+
+One of the things we decided to do (and must do for security reasons)
+was drop support for the 3DES krb4 TGTs. Unfortunately the current
+code will only accept 3DES TGTs if it issues 3DES TGTs. Since the new
+code issues only DES TGTs, the old code will not understand its v4
+TGTs if the site has a 3DES key available for the krbtgt principal.
+The new code will understand and accept both DES and 3DES v4 TGTs.
+
+So, the easiest upgrade option is to deploy the code on all KDCs at
+once, being sure to deploy it on the master KDC last. Under this
+scenario, a brief window exists where slaves may be able to issue
+tickets that the master will not understand. However, the slaves will
+understand tickets issued by the master throughout the upgrade.
+
+An alternate and more annoying upgrade strategy exists. At least one
+max TGT life time before the upgrade, the TGT key can be changed to be
+a single-des key. Since we support adding a new TGT key while
+preserving the old one, this does not create an interruption in
+service. Since no 3DES key is available then both the old and new
+code will issue and accept DES v4 TGTs. After the upgrade, the TGT
+key can again be rekeyed to add 3DES keys. This does require two TGT
+key changes and creates a window where DES is used for the v5 TGT, but
+creates no window in which slaves will issue TGTs the master cannot
+accept.
+
+* What the patch does
+=====================
+
+1) Kerberos 4 cross-realm authentication is disabled by default. A
+ "-X" switch is added to both krb524d and krb5kdc to enable v4
+ cross-realm. This switch logs a note that a security hole has been
+ opened in the KDC log. We said while designing the patch, that we
+ were going to try to allow per-realm configuration; because of a
+ design problem in the kadm5 library, we could not do this without
+ bumping the ABI version of that library. We are unwilling to bump
+ an ABI version in a security patch release to get that feature, so
+ the configuration of v4 cross-realm is a global switch.
+
+2) Code responsible for v5 TGTs has been changed to require that the
+ enctype of the ticket service key be the same as the enctype that
+ would currently be issued for that kvno. This means that even if a
+ service has multiple keys, you cannot use a weak key to fake the
+ KDC into accepting tickets for that service. If you have a non-DES
+ TGT key, this separates keys used for v4 and v5. We actually relax
+ this requirement for cross-realm TGT keys (which in the new code
+ are only used for v5) because we cannot guarantee other Kerberos
+ implementations will choose keys the same way.
+
+3) We no longer issue 3DES v4 tickets either in the KDC or krb524d.
+ We add code to accept either DES or 3DES tickets for v4. None of
+ the attacks discovered so far can be implemented given a KDC that
+ accepts but does not issue 3DES tickets, so we believe that leaving
+ this functionality in as compatibility for a version or two is
+ reasonable. Note however that the attacks described do allow
+ successful attackers to print future tickets, so sites probably
+ want to rekey important keys after installing this update. Note
+ also that even if issuance of 3DES v4 tickets has been disabled,
+ outstanding tickets may be used to perform the 3DES cut-and-paste
+ attack.
+
+* Test Cases
+============
+
+This code is difficult to test for two reasons. First, you need a
+cross-realm relationship between two KDCs. Secondly, you need a KDC
+that will issue 3DES v4 tickets even though the code with the patch
+applied can no longer do this.
+
+I propose to meet these requirements by setting up a cross-realm 3DES
+key between a realm I control and the test environment. In order to
+provide concrete examples of what I plan to test with the automated
+tests, I assume a shared key between a realm PREPATCH.KRBTEST.COM and the
+test realm PATCH.
+
+In all of the following tests I assume the following configuration.
+A principal v4test@PREPATCH.KRBTEST.COM exists with known password and
+without requiring preauthentication. The PREPATCH.KRBTEST.COM KDC will
+issue v4 tickets for this principal. A principal test@PATCH exists
+with known password and without requiring preauthentication. A
+principal service@PATCH exists. The TGT for the PATCH realm has a
+3des and des key. The shared TGT keys between PATCH and
+PREPATCH.KRBTEST.COM are identical in both directions (required for v4) and
+support both 3DES and DES keys.
+
+1) Run krb524d and krb5kdc for PATCH with no special options using a
+ krb5.conf without permitted_enctypes (fully permissive).
+
+
+A) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH fails with an unknown principal error and logs an error
+about cross-realm being denied to the PATCH KDC log. This confirms
+that v4 cross-realm is not accepted.
+
+B) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH fails with a prohibited by policy error, but that
+klist -5 includes a ticket for service@PATCH. This confirms that v5
+cross-realm works but the krb524d denies converting such a ticket into
+a cross-realm ticket. Note that the krb524init currently in the
+mainline source tree will not be useful for this test because the
+client denies cross-realm for the simple reason that the v4 ticket
+file format is not flexible enough to support it. The krb524init in
+the 1.2.x release is useful for this test.
+
+
+2) Restart the krb5kdc and krb524d for PATCH with the -X option
+ enabling v4 cross-realm.
+
+A) Confirm that the security warning is written to kdc.log.
+
+B) Get v4 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that kvno -4
+service@PATCH works and leaves a service@PATCH ticket in the cache.
+This confirms that v4 cross-realm works in the KDC. It also confirms
+that the KDC can accept 3DES v4 TGTs. The code path for decrypting a
+TGT is the same for the local realm and for foreign realms, so I don't
+see a need to test local 3DES TGTs in an automated manner although I
+did test it manually.
+
+C) Get v5 tickets as v4test@PREPATCH.KRBTEST.COM. Confirm that krb524init
+-p service@PATCH works. This confirms that krb524d will issue
+cross-realm tickets. They're completely useless because the v4 ticket
+file can't represent them, but that's not our problem today.
+
+3) Start the kdc and krb524d with a krb5.conf that includes
+ permitted_enctypes only listing des-cbc-crc. Get tickets as
+ test@PATCH. Restart the KDC and confirm that kvno service fails
+ logging an error about permitted enctypes. This confirms that if
+ you manage to obtain a ticket of the wrong enctype it will not be
+ accepted later.
+
+These tests do not check to make sure that 3DES tickets are not
+issued by the v4 code. I'm fairly certain that is true as I've
+physically remove the calls to the routine that generates 3DES tickets
+from the code in both the KDC and krb524d. These tests also do not
+check to make sure that cross-realm TGTs are not required to follow
+the strict enctype policy. I've tested that manually but don't know
+how to test that without significantly complicating the test setup.
diff --git a/doc/krb425.texinfo b/doc/krb425.texinfo
index e78d4e6..12572e5 100644
--- a/doc/krb425.texinfo
+++ b/doc/krb425.texinfo
@@ -140,6 +140,14 @@ This subsection allows the administrator to configure exceptions to the
default_domain mapping rule. It contains V4 instances (tag name) which
should be translated to some specific hostname (tag value) as the second
component in a Kerberos V5 principal name.
+
+@itemx v4_realm
+This relation allows the administrator to configure a different
+realm name to be used when converting V5 principals to V4
+ones. This should only be used when running separate V4 and V5
+realms, with some external means of password sychronization
+between the realms.
+
@end table
@node kdc.conf, , krb5.conf, Configuration Files
diff --git a/doc/send-pr.texinfo b/doc/send-pr.texinfo
index 9209ffd..7cf9b70 100644
--- a/doc/send-pr.texinfo
+++ b/doc/send-pr.texinfo
@@ -4,7 +4,11 @@ built and installed @value{PRODUCT}, please use the
Bug reports that include proposed fixes are especially welcome. If you
do include fixes, please send them using either context diffs or unified
-diffs (using @samp{diff -c} or @samp{diff -u}, respectively).
+diffs (using @samp{diff -c} or @samp{diff -u}, respectively). Please be
+careful when using ``cut and paste'' or other such means to copy a patch
+into a bug report; depending on the system being used, that can result
+in converting TAB characters into spaces, which makes applying the
+patches more difficult.
The @code{krb5-send-pr} program is installed in the directory
@code{@value{ROOTDIR}/sbin}.
diff --git a/src/ChangeLog b/src/ChangeLog
index 25737d4..f7b13b1 100644
--- a/src/ChangeLog
+++ b/src/ChangeLog
@@ -1,3 +1,121 @@
+2002-11-03 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (AC_KRB5_TCL_FIND_CONFIG): Use 'eval' when setting
+ TCL_LIBS to force variable substitutions to take place.
+
+ * aclocal.m4 (AC_KRB5_TCL): If --with-tcl is given, failure to
+ find a library we can use is now an error.
+
+ [pullups from trunk]
+
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (AC_KRB5_TCL_FIND_CONFIG): Set TCL_LIBPATH and
+ TCL_RPATH.
+ [pullup from trunk]
+
+2001-11-03 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (AC_KRB5_TCL_FIND_CONFIG): Do put /usr/include/tcl$v
+ in TCL_INCLUDES if that's where tcl.h is found. Don't include
+ tcl.h when testing to see if Tcl_CreateInterp is available.
+ [pullup from trunk]
+
+2001-12-18 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_PARAMS): Fix hpux to deal with building
+ shared libs with gcc. Patch from Doug Engert; fixes
+ krb5-build/1021.
+
+2001-11-27 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_PARAMS): On Linux, add "-lc" to shared
+ library link line.
+
+2001-11-06 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Prepare Makefile for ms2mit.
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_PARAMS): Fix up previous patch to avoid
+ ordering issues when calling sed, as well as some quoting
+ nastiness due to bugs in kadmin/testing/scripts/env_setup.shin.
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_PARAMS): Fix up Irix RUN_ENV to work around
+ LD_LIBRARY*_PATH's inability to override rpaths.
+
+2001-01-28 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_AUX): Smash some shared lib file extensions
+ so that AIX doesn't break, since static and shared libs are
+ mutually exclusive on AIX.
+
+2000-06-22 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (CC_LINK_STATIC): Another fix for freebsd shared libs
+ from David Cross.
+
+2000-06-21 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_ENABLE_DNS): Rewrite to fix logic. Now
+ --enable-dns-for-XX really will be heeded for setting default
+ behavior. Also, DNS support can now be compiled in while still
+ turned off by default. Print out whether the DNS support will be
+ compiled in.
+
+2000-06-21 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4: Fix freebsd CC_LINK_SHARED to have correct rpath
+ flags. Thanks to David Cross.
+
+2000-06-08 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (CC_LINK_STATIC): Fix to use old library search
+ order; otherwise if there are shared libraries with the same name
+ elsewhere in the search path, they'll take precedence over the
+ static ones in the tree.
+
+2000-05-08 Nalin Dahyabhai <nalin@redhat.com>
+
+ * wconfig.c (main): Warn if copying command-line option string
+ will overflow internal buffer.
+
+2000-05-03 Tom Yu <tlyu@mit.edu>
+
+ * aclocal.m4 (AC_KRB5_TCL_TRYOLD): Search by appending stuff to
+ CPPFLAGS and LDFLAGS to notice if there may be problems with stuff
+ earlier along in either variable overriding.
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_ENABLE_DNS): Set RESOLV_LIB, and substitute
+ it into the Makefile.
+ (AC_LIBRARY_NET): Set RESOLV_LIB.
+
+2000-04-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in (clean-windows): Actually clean gss-sample on Windows.
+
+2000-04-11 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in (clean-windows): Clean gss-sample on Windows.
+
+2000-04-04 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_AC_ENABLE_DNS): Check for dns, dns-for-kdc, and
+ dns-for-realm separately. Define KRB5_DNS_LOOKUP if either mode
+ is enabled. Define KRB5_DNS_LOOKUP_KDC and KRB5_DNS_LOOKUP_REALM
+ if the appropriate modes are enabled.
+ * acconfig.h (KRB5_DNS_LOOKUP_KDC, KRB5_DNS_LOOKUP_REALM): Undef.
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * aclocal.m4 (KRB5_LIB_PARAMS): Check for alpha*-dec-osf* instead
+ of alpha-dec-osf*.
+
2000-03-15 Ken Raeburn <raeburn@mit.edu>
* aclocal.m4 (KRB5_AC_ENABLE_DNS): Fix typo that caused the DNS
diff --git a/src/Makefile.in b/src/Makefile.in
index 57efe5e..229efb0 100644
--- a/src/Makefile.in
+++ b/src/Makefile.in
@@ -11,7 +11,7 @@ HDRS =
DISTFILES = $(SRCS) $(HDRS) COPYING COPYING.LIB ChangeLog Makefile.in
-all-unix::
+all-unix:: krb5-config
all-mac::
@@ -161,7 +161,8 @@ WINMAKEFILES=Makefile \
util\windows\Makefile \
windows\Makefile windows\lib\Makefile \
windows\cns\Makefile windows\gina\Makefile \
- windows\gss\Makefile windows\wintel\Makefile
+ windows\gss\Makefile windows\ms2mit\Makefile \
+ windows\wintel\Makefile
##DOS##Makefile-windows:: $(MKFDEP) $(WINMAKEFILES)
@@ -271,6 +272,8 @@ WINMAKEFILES=Makefile \
##DOS## $(WCONFIG) config < $@.in > $@
##DOS##windows\gss\Makefile: windows\gss\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
+##DOS##windows\ms2mit\Makefile: windows\ms2mit\Makefile.in $(MKFDEP)
+##DOS## $(WCONFIG) config < $@.in > $@
##DOS##windows\wintel\Makefile: windows\wintel\Makefile.in $(MKFDEP)
##DOS## $(WCONFIG) config < $@.in > $@
@@ -290,7 +293,10 @@ clean-windows:: Makefile-windows
@echo Making clean in clients
cd ..\clients
$(MAKE) -$(MFLAGS) clean
- cd ..
+ @echo Making in appl\gss-sample
+ cd ..\appl\gss-sample
+ $(MAKE) -$(MFLAGS) clean
+ cd ..\..
@echo Making clean in root
#
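Review bot: The added echo line reads `Making in appl\gss-sample`, but the step runs the `clean` target and the neighbouring messages say `Making clean in ...`, so in a build log it looks like a build step. I would write `@echo Making clean in appl\gss-sample`. The `clean-windows` rule starts above this hunk and continues below it.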
@@ -324,7 +330,7 @@ FILES= ./* \
util/* util/et/* util/profile/*
WINFILES= util/windows/* windows/* windows/lib/* windows/cns/* \
- windows/wintel/* windows/gss/* windows/gina/*
+ windows/wintel/* windows/gss/* windows/gina/* windows/ms2mit/*
MACFILES= mac/* mac/libraries/* config/* include/* \
include/krb5/* include/krb5/stock/* include/sys/* \
@@ -543,3 +549,11 @@ install-windows::
$(CP) clients\kpasswd\$(OUTPRE)kpasswd.exe "$(KRB_INSTALL_DIR)\bin\."
@if exist "$(KRB_INSTALL_DIR)\bin\krb4_32.dll" del "$(KRB_INSTALL_DIR)\bin\krb4_32.dll"
@if exist "$(KRB_INSTALL_DIR)\lib\krb4_32.lib" del "$(KRB_INSTALL_DIR)\lib\krb4_32.lib"
+
+install-unix::
+ $(INSTALL) krb5-config \
+ $(DESTDIR)$(CLIENT_BINDIR)/krb5-config
+
+krb5-config: $(srcdir)/krb5-config.in $(thisconfigdir)/config.status
+ cd $(thisconfigdir) && $(SHELL) config.status
+
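Review bot: The new `install-unix::` rule copies `krb5-config` but lists no prerequisite, so it depends on `all-unix` having been run first. Declaring it as `install-unix:: krb5-config` would let the install rule build the script itself. The `krb5-config` rule also runs the whole of `config.status`, which presumably regenerates every configured output and not only this script; a one-line comment saying that is intended would help. No clean rule for the generated `krb5-config` is visible in this hunk, so check that one exists elsewhere in the file.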
diff --git a/src/acconfig.h b/src/acconfig.h
index e6f00c7..7ac14f0 100644
--- a/src/acconfig.h
+++ b/src/acconfig.h
@@ -32,6 +32,8 @@
/* Define if DNS support for finding realms and KDC locations should
be compiled in. */
#undef KRB5_DNS_LOOKUP
+#undef KRB5_DNS_LOOKUP_KDC
+#undef KRB5_DNS_LOOKUP_REALM
/* Define to `long' if <sys/types.h> doesn't define. */
#undef time_t
diff --git a/src/aclocal.m4 b/src/aclocal.m4
index 3228610..4785939 100644
--- a/src/aclocal.m4
+++ b/src/aclocal.m4
@@ -722,8 +722,7 @@ if test -n "$tcl_conf" ; then
done
LIBS="$old_LIBS `eval echo x $TCL_LIB_SPEC $TCL_LIBS | sed 's/^x//'`"
LDFLAGS="$old_LDFLAGS $TCL_LD_FLAGS"
- AC_TRY_LINK([#include <tcl.h>
-],[Tcl_CreateInterp ();],
+ AC_TRY_LINK( , [Tcl_CreateInterp ();],
tcl_ok_conf=$file
tcl_vers_maj=$TCL_MAJOR_VERSION
tcl_vers_min=$TCL_MINOR_VERSION
@@ -743,17 +742,19 @@ tcl_lib=no
if test -n "$tcl_ok_conf" ; then
. $tcl_ok_conf
TCL_INCLUDES=
- if test "$TCL_PREFIX" != /usr ; then
- for incdir in "$TCL_PREFIX/include/tcl$v" "$TCL_PREFIX/include" ; do
- if test -r "$incdir/tcl.h" -o -r "$incdir/tcl/tcl.h" ; then
+ for incdir in "$TCL_PREFIX/include/tcl$v" "$TCL_PREFIX/include" ; do
+ if test -r "$incdir/tcl.h" -o -r "$incdir/tcl/tcl.h" ; then
+ if test "$incdir" != "/usr/include" ; then
TCL_INCLUDES=-I$incdir
- break
fi
- done
- fi
- TCL_LIBS="$TCL_LIB_SPEC $TCL_LIBS $TCL_DL_LIBS"
- TCL_LIBPATH=
- TCL_RPATH=
+ break
+ fi
+ done
+ # Need eval because the first-level expansion could reference
+ # variables like ${TCL_DBGX}.
+ eval TCL_LIBS='"'$TCL_LIB_SPEC $TCL_LIBS $TCL_DL_LIBS'"'
+ TCL_LIBPATH="-L$TCL_EXEC_PREFIX/lib"
+ TCL_RPATH=":$TCL_EXEC_PREFIX/lib"
CPPFLAGS="$old_CPPFLAGS $TCL_INCLUDES"
AC_CHECK_HEADER(tcl.h,AC_DEFINE(HAVE_TCL_H) tcl_header=yes)
if test $tcl_header=no; then
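Review bot: The `eval` that sets `TCL_LIBS` expands `$TCL_LIB_SPEC $TCL_LIBS $TCL_DL_LIBS` unquoted before the eval runs, so the values are word-split and subject to pathname expansion first, and any quote character inside them changes how the evaluated assignment parses. Keeping the first expansion inside double quotes avoids that and still gives the second expansion the comment asks for: `eval "TCL_LIBS=\"$TCL_LIB_SPEC $TCL_LIBS $TCL_DL_LIBS\""`. The values come from the file sourced by `. $tcl_ok_conf` a few lines up, so the eval trusts nothing that sourcing did not already trust. The comment could say so, since configure effectively runs that file as shell code. Separately, `TCL_INCLUDES` skips `/usr/include`, but `TCL_LIBPATH` is set to `-L$TCL_EXEC_PREFIX/lib` without a matching check for `/usr/lib`.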
@@ -783,8 +784,8 @@ if test "$with_tcl" != no ; then
AC_CHECK_LIB(ld, main, DL_LIB=-lld)
krb5_save_CPPFLAGS="$CPPFLAGS"
krb5_save_LDFLAGS="$LDFLAGS"
- CPPFLAGS="$TCL_INCLUDES $CPPFLAGS"
- LDFLAGS="$TCL_LIBPATH $LDFLAGS"
+ CPPFLAGS="$CPPFLAGS $TCL_INCLUDES"
+ LDFLAGS="$LDFLAGS $TCL_LIBPATH"
tcl_header=no
AC_CHECK_HEADER(tcl.h,AC_DEFINE(HAVE_TCL_H) tcl_header=yes)
if test $tcl_header=no; then
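Review bot: `test $tcl_header=no` on the last line of this hunk passes a single word such as `yes=no` to `test`, which is true for any non-empty string, so the branch is taken whether or not `tcl.h` was found; the same line closes the preceding hunk. The comparison needs separate operands: `if test "$tcl_header" = no; then`. This matters more with this commit because the new `AC_MSG_ERROR(Could not find Tcl)` check further down depends on the final value of `tcl_header`. The body of the `if` lies outside the hunk, so what it runs cannot be checked from here.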
@@ -857,12 +858,17 @@ if test "$with_tcl" != no ; then
if test $tcl_lib = no ; then
if test "$with_tcl" != try ; then
AC_KRB5_TCL_TRYOLD
-dnl AC_MSG_ERROR(Could not find Tcl)
else
AC_MSG_WARN(Could not find Tcl which is needed for some tests)
fi
fi
fi
+# If "yes" or pathname, error out if not found.
+if test "$with_tcl" != no -a "$with_tcl" != try ; then
+ if test "$tcl_header $tcl_lib" != "yes yes" ; then
+ AC_MSG_ERROR(Could not find Tcl)
+ fi
+fi
])dnl
dnl
@@ -1030,8 +1036,18 @@ AC_ARG_ENABLE([shared],
AC_MSG_RESULT([Forcing static libraries.])
# avoid duplicate rules generation for AIX and such
SHLIBEXT=.so-nobuild
+ SHLIBVEXT=.so.v-nobuild
+ SHLIBSEXT=.so.s-nobuild
else
AC_MSG_RESULT([Enabling shared libraries.])
+ # Clear some stuff in case of AIX, etc.
+ if test "$STLIBEXT" = "$SHLIBEXT" ; then
+ STLIBEXT=.a-nobuild
+ LIBLIST=
+ LIBLINKS=
+ OBJLISTS=
+ LIBINSTLIST=
+ fi
LIBLIST="$LIBLIST "'lib$(LIB)$(SHLIBEXT)'
LIBLINKS="$LIBLINKS "'$(TOPLIBD)/lib$(LIB)$(SHLIBEXT) $(TOPLIBD)/lib$(LIB)$(SHLIBVEXT)'
case "$SHLIBSEXT" in
@@ -1060,9 +1076,11 @@ else
SHLIBVEXT=.so.v-nobuild
SHLIBSEXT=.so.s-nobuild
fi],
- RUN_ENV=
+[ RUN_ENV=
CC_LINK="$CC_LINK_STATIC"
-)dnl
+ SHLIBEXT=.so-nobuild
+ SHLIBVEXT=.so.v-nobuild
+ SHLIBSEXT=.so.s-nobuild])dnl
if test -z "$LIBLIST"; then
AC_MSG_ERROR([must enable one of shared or static libraries])
@@ -1119,7 +1137,7 @@ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
# Set up architecture-specific variables.
case $krb5_cv_host in
-alpha-dec-osf*)
+alpha*-dec-osf*)
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
SHLIBSEXT='.so.$(LIBMAJOR)'
SHLIBEXT=.so
@@ -1129,7 +1147,11 @@ alpha-dec-osf*)
SHLIB_EXPFLAGS='-rpath $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
PROFFLAGS=-pg
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
- CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
+ # Need -oldstyle_liblookup to avoid picking up shared libs from
+ # other builds. OSF/1 / Tru64 ld programs look through the entire
+ # library path for shared libs prior to looking through the
+ # entire library path for static libs.
+ CC_LINK_STATIC='$(CC) $(PROG_LIBPATH) -Wl,-oldstyle_liblookup'
# $(PROG_RPATH) is here to handle things like a shared tcl library
RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`:$(PROG_RPATH):/usr/shlib:/usr/ccs/lib:/usr/lib/cmplrs/cc:/usr/lib:/usr/local/lib; export LD_LIBRARY_PATH; _RLD_ROOT=/dev/dummy/d; export _RLD_ROOT;'
;;
@@ -1145,13 +1167,22 @@ alpha-dec-osf*)
# (compiled-in or SHLIB_PATH) will be searched first.
#
*-*-hpux*)
- PICFLAGS=+z
+ if test "$krb5_cv_prog_gcc" = yes; then
+ PICFLAGS=-fPIC
+ else
+ PICFLAGS=+z
+ fi
INSTALL_SHLIB='$(INSTALL)'
SHLIBEXT=.sl
SHLIBVEXT='.$(LIBMAJOR).$(LIBMINOR)'
SHLIBSEXT='.$(LIBMAJOR)'
- SHLIB_EXPFLAGS='+s +b $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
- LDCOMBINE='ld -b +h lib$(LIB)$(SHLIBSEXT)'
+ if test "$krb5_cv_prog_gcc" = yes; then
+ SHLIB_EXPFLAGS='-Wl,+s -Wl,+b,$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ LDCOMBINE='gcc -fPIC -shared -Wl,+h,lib$(LIB)$(SHLIBSEXT)'
+ else
+ SHLIB_EXPFLAGS='+s +b $(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ LDCOMBINE='ld -b +h lib$(LIB)$(SHLIBSEXT)'
+ fi
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,+s -Wl,+b,$(PROG_RPATH)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
RUN_ENV='SHLIB_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export SHLIB_PATH;'
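Review bot: In the gcc branch, `LDCOMBINE` invokes a literal `gcc`, so the shared-library link uses whichever `gcc` is first in PATH and not necessarily the compiler configure selected (`$krb5_cv_prog_gcc` presumably records only that `$CC` is GCC). If `CC` is a versioned compiler, a cross compiler or a full path, the objects and the link step can come from different toolchains. Following the `CC_LINK_SHARED` lines in this file, I would use the make variable: `LDCOMBINE='$(CC) -fPIC -shared -Wl,+h,lib$(LIB)$(SHLIBSEXT)'`. The two `if test "$krb5_cv_prog_gcc" = yes` blocks could also be merged into one.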
@@ -1173,7 +1204,15 @@ mips-sgi-irix6.3) # This is a Kludge; see below
PROFFLAGS=-p
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
- RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
+ # This grossness is necessary due to the presence of *three*
+ # supported ABIs on Irix, and the precedence of the rpath over
+ # LD_LIBRARY*_PATH. Like OSF/1, _RLD*_ROOT needs to be set to
+ # work around this lossage.
+ add='`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`'
+ dummy=/dev/dummmy/d
+ # Set the N32 and 64 variables first because the unqualified
+ # variables affect all three and can cause the sed command to fail.
+ RUN_ENV="LD_LIBRARYN32_PATH=$add:/usr/lib32:/usr/lib32/internal:/lib32:/opt/lib32; export LD_LIBRARYN32_PATH; _RLDN32_ROOT=$dummy; export _RLDN32_ROOT; LD_LIBRARY64_PATH=$add:/usr/lib64:/usr/lib64/internal:/lib64:/opt/lib64; export LD_LIBRARY64_PATH; _RLD64_ROOT=$dummy; export _RLD64_ROOT; LD_LIBRARY_PATH=$add:/usr/lib:/usr/lib/internal:/lib:/lib/cmplrs/cc:/usr/lib/cmplrs/cc:/opt/lib; export LD_LIBRARY_PATH; _RLD_ROOT=$dummy; export _RLD_ROOT;"
;;
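Review bot: `dummy=/dev/dummmy/d` has three m's, while the OSF/1 entry earlier in this file uses `_RLD_ROOT=/dev/dummy/d`. Any nonexistent path presumably works here, but the spelling looks accidental, and `dummy=/dev/dummy/d` would keep the two cases consistent. The same eight added lines are repeated verbatim in the following `mips-sgi-irix*)` hunk, so the fix applies there too, and the shared `RUN_ENV` string could be built in one place. `add` and `dummy` are also very generic names for variables in a configure script's global scope; a `krb5_` prefix would avoid clobbering anything else.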
mips-sgi-irix*)
@@ -1187,7 +1226,15 @@ mips-sgi-irix*)
PROFFLAGS=-p
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
- RUN_ENV='LD_LIBRARY_PATH=`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`; export LD_LIBRARY_PATH;'
+ # This grossness is necessary due to the presence of *three*
+ # supported ABIs on Irix, and the precedence of the rpath over
+ # LD_LIBRARY*_PATH. Like OSF/1, _RLD*_ROOT needs to be set to
+ # work around this lossage.
+ add='`echo $(PROG_LIBPATH) | sed -e "s/-L//g" -e "s/ /:/g"`'
+ dummy=/dev/dummmy/d
+ # Set the N32 and 64 variables first because the unqualified
+ # variables affect all three and can cause the sed command to fail.
+ RUN_ENV="LD_LIBRARYN32_PATH=$add:/usr/lib32:/usr/lib32/internal:/lib32:/opt/lib32; export LD_LIBRARYN32_PATH; _RLDN32_ROOT=$dummy; export _RLDN32_ROOT; LD_LIBRARY64_PATH=$add:/usr/lib64:/usr/lib64/internal:/lib64:/opt/lib64; export LD_LIBRARY64_PATH; _RLD64_ROOT=$dummy; export _RLD64_ROOT; LD_LIBRARY_PATH=$add:/usr/lib:/usr/lib/internal:/lib:/lib/cmplrs/cc:/usr/lib/cmplrs/cc:/opt/lib; export LD_LIBRARY_PATH; _RLD_ROOT=$dummy; export _RLD_ROOT;"
;;
# untested...
@@ -1243,7 +1290,7 @@ mips-*-netbsd*)
PICFLAGS=-fpic
if test "x$objformat" = "xelf" ; then
SHLIBVEXT='.so.$(LIBMAJOR)'
- CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,-R$(PROG_RPATH)'
+ CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
else
SHLIBVEXT='.so.$(LIBMAJOR).$(LIBMINOR)'
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -R$(PROG_RPATH)'
@@ -1324,7 +1371,7 @@ mips-*-netbsd*)
# Linux ld doesn't default to stuffing the SONAME field...
# Use objdump -x to examine the fields of the library
LDCOMBINE='ld -shared -h lib$(LIB)$(SHLIBSEXT)'
- SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS)'
+ SHLIB_EXPFLAGS='-R$(SHLIB_RDIRS) $(SHLIB_DIRS) $(SHLIB_EXPLIBS) -lc'
PROFFLAGS=-pg
CC_LINK_SHARED='$(CC) $(PROG_LIBPATH) -Wl,-rpath -Wl,$(PROG_RPATH)'
CC_LINK_STATIC='$(CC) $(PROG_LIBPATH)'
@@ -1396,7 +1443,8 @@ AC_DEFUN(AC_LIBRARY_NET, [
# ugliness is necessary:
AC_CHECK_LIB(socket, gethostbyname,
LIBS="-lsocket -lnsl $LIBS",
- AC_CHECK_LIB(resolv, gethostbyname),
+ AC_CHECK_LIB(resolv, gethostbyname,
+ LIBS="-lresolv $LIBS" ; RESOLV_LIB=-lresolv),
-lnsl)
)
)
@@ -1406,20 +1454,61 @@ AC_DEFUN(AC_LIBRARY_NET, [
KRB5_AC_ENABLE_DNS
if test "$enable_dns" = yes ; then
AC_CHECK_FUNC(res_search, , AC_CHECK_LIB(resolv, res_search,
- LIBS="$LIBS -lresolv",
+ LIBS="$LIBS -lresolv" ; RESOLV_LIB=-lresolv,
AC_ERROR(Cannot find resolver support routine res_search in -lresolv.)
))
fi
+ AC_SUBST(RESOLV_LIB)
])
dnl
dnl
dnl KRB5_AC_ENABLE_DNS
dnl
AC_DEFUN(KRB5_AC_ENABLE_DNS, [
+AC_MSG_CHECKING(if DNS Kerberos lookup support should be compiled in)
+
AC_ARG_ENABLE([dns],
-[ --enable-dns enable DNS lookups of Kerberos realm and servers], ,
-[enable_dns=no])
- if test "$enable_dns" = yes; then
+[ --enable-dns build in support for Kerberos-related DNS lookups], ,
+[enable_dns=default])
+
+ AC_ARG_ENABLE([dns-for-kdc],
+[ --enable-dns-for-kdc enable DNS lookups of Kerberos KDCs (default=YES)], ,
+[case "$enable_dns" in
+ yes | no) enable_dns_for_kdc=$enable_dns ;;
+ *) enable_dns_for_kdc=yes ;;
+esac])
+ if test "$enable_dns_for_kdc" = yes; then
+ AC_DEFINE(KRB5_DNS_LOOKUP_KDC)
+ fi
+
+ AC_ARG_ENABLE([dns-for-realm],
+[ --enable-dns-for-realm enable DNS lookups of Kerberos realm names], ,
+[case "$enable_dns" in
+ yes | no) enable_dns_for_realm=$enable_dns ;;
+ *) enable_dns_for_realm=no ;;
+esac])
+ if test "$enable_dns_for_realm" = yes; then
+ AC_DEFINE(KRB5_DNS_LOOKUP_REALM)
+ fi
+
+ if test "$enable_dns_for_kdc,$enable_dns_for_realm" != no,no
+ then
+ # must compile in the support code
+ if test "$enable_dns" = no ; then
+ AC_MSG_ERROR(cannot both enable some DNS options and disable DNS support)
+ fi
+ enable_dns=yes
+ fi
+ if test "$enable_dns" = yes ; then
AC_DEFINE(KRB5_DNS_LOOKUP)
+ else
+ enable_dns=no
fi
+
+AC_MSG_RESULT($enable_dns)
+dnl AC_MSG_CHECKING(if DNS should be used to find KDCs by default)
+dnl AC_MSG_RESULT($enable_dns_for_kdc)
+dnl AC_MSG_CHECKING(if DNS should be used to find realm name by default)
+dnl AC_MSG_RESULT($enable_dns_for_realm)
+
])
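Review bot: Values other than `yes` or `no` for `--enable-dns-for-kdc` and `--enable-dns-for-realm` are not rejected in KRB5_AC_ENABLE_DNS. With `--enable-dns-for-kdc=foo`, for example, KRB5_DNS_LOOKUP_KDC stays undefined, yet the `!= no,no` test succeeds and `enable_dns` is forced to `yes`, so the resolver support is compiled in without the option the user appeared to ask for. A validation step after each AC_ARG_ENABLE would catch this, e.g. `case "$enable_dns_for_kdc" in yes|no) ;; *) AC_MSG_ERROR(bad value for --enable-dns-for-kdc) ;; esac`, and likewise for `enable_dns_for_realm`.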
diff --git a/src/appl/bsd/ChangeLog b/src/appl/bsd/ChangeLog
index d3314b0..73c12dc 100644
--- a/src/appl/bsd/ChangeLog
+++ b/src/appl/bsd/ChangeLog
@@ -1,3 +1,223 @@
+2002-01-25 Ken Raeburn <raeburn@mit.edu>
+
+ * login.c (main): Fix fencepost error in last change.
+
+2001-12-21 Ken Raeburn <raeburn@mit.edu>
+
+ * loginpaths.h [_PATH_DEFPATH]: Undefine LPATH and RPATH before
+ redefining them.
+ * login.c (main): If the supplied name is longer than the utmp
+ buffer, don't bother trying it as a username.
+ (dolastlog): Don't assume lastlog.ll_time is a time_t.
+
+2001-01-13 Sam Hartman <hartmans@mit.edu>
+
+ * configure.in: Force SunOS to not use termios.
+ [pullup 5.89->5.90 from trunk]
+
+2001-01-12 Sam Hartman <hartmans@mit.edu>
+
+ * krlogin.c: Previously, we only used TIOCGLTC on systems with
+ termios. This is sort of silly since its a BSD 4.[23] IOCTL. We
+ then go out of our way not to use it on IRIX, Solaris or HPUX. I
+ think all this comes about because you really want to use BSD
+ IOCTLS on Sunos rather than termios. I propose to do that and
+ never [s/never/only/? --tlyu] use BSD IOCTLs on Sunos.
+ [pullup 5.68->5.69 from trunk]
+
+2001-09-07 Tom Yu <tlyu@mit.edu>
+
+ * krlogind.c (protocol): Don't do TIOCPKT on systems with STREAMS
+ ptys, even if there is a TIOCPKT, since it may result in hangs on
+ some systems where BSD packet mode is (presumably) not implemented
+ properly, such as AIX 4.3.3. Should get cleaned up at some later
+ point to actually I_PUSH "pckt" or equivalent and do translation
+ between STREAMS and BSD style packet mode.
+ [pullup from trunk]
+
+2001-02-16 Tom Yu <tlyu@mit.edu>
+
+ * login.M: Don't include "= 0" as part of the "accept_passwd"
+ config option.
+
+2001-01-26 Tom Yu <tlyu@mit.edu>
+
+ * krshd.c: Get path for NOLOGIN file from paths.h if present,
+ mirroring logic in login.c. [patch from David MacKenzie
+ krb5-appl/913, pulled up from trunk]
+
+2001-01-26 Tom Yu <tlyu@mit.edu>
+
+ * krlogin.c (read_wrapper): Copy from the current point and not
+ the start of the cached buffer. [pullup from trunk]
+
+2001-01-23 Tom Yu <tlyu@mit.edu>
+
+ * forward.c (rd_and_store_for_creds): Overwrite any existing value
+ of the KRB5CCNAME environment variable.
+
+2000-07-19 Peter S Litwack <plitwack@mit.edu>
+
+ * krlogin.c (writer): Improved bandwith efficiency by reading
+ and sending more than one character at a time if multiple
+ characters are available to be read from the terminal.
+ * krlogin.c (read_wrapper): Added this function as a helper
+ to writer. It facilitates checking for escape sequences
+ (~^Z etc.) when reading mulitple characters at a time.
+
+2000-06-29 Ken Raeburn <raeburn@mit.edu>
+
+ Patch from Donn Cave and Leonard Peirce from 1.1 release cycle:
+ * login.c (k_init): Call krb5_cc_set_default_name right after
+ setting the environment variable.
+ (main): Likewise.
+
+2000-06-23 Ken Raeburn <raeburn@mit.edu>
+
+ * rcp.M, rsh.M, rlogin.M: Add description of new -PO, -PN
+ options.
+
+2000-06-19 Tom Yu <tlyu@mit.edu>
+
+ * krshd.c (recvauth): Call krb5_recvauth_version() rather than
+ calling krb5_recvauth() with arguments intended for
+ krb5_recvauth_version().
+
+ * kcmd.c: Conditionalize krb_sendauth prototype based on sense of
+ KRB5_KRB4_COMPAT.
+
+2000-06-15 Tom Yu <tlyu@mit.edu>
+
+ * login.c (try_convert524): Add use_ccache argument. Handle case
+ where we have gotten v5 creds via password being entered and don't
+ crash in that case, since previous code was assuming that v5 creds
+ were always being provided. Adapted from patch by Bob Basch.
+
+2000-06-10 Ken Raeburn <raeburn@mit.edu>
+
+ * krcp.c (main): Fix logic again, this time in the "success"
+ case. If there's a problem retrieving the new-protocol subkey,
+ print a message and exit, don't fall back.
+ * krsh.c (main): Ditto; don't look at enctype to try to guess
+ protocol version. Delete unused variable "similar".
+
+2000-06-09 Ken Raeburn <raeburn@mit.edu>
+
+ * krlogin.c (main): Rework fallback logic. Fall back to k4cmd
+ unless encryption and the new protocol were both requested.
+
+ * krsh.c (main): Rework fallback logic. Fall back to k4cmd if new
+ protocol wasn't requested.
+
+ * krcp.c (main): Revert setting of AP_OPTS_MUTUAL_REQUIRED
+ unconditionally, which was added by mistake with last set of
+ patches. If kcmd fails and the new protocol is requested, don't
+ fall back to v4.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (kcmd.o, krcp.o, krlogin.o, krlogind.o, krsh.o,
+ krshd.o): Depend on defines.h.
+ * krlogind.c: Include defines.h.
+ * krcp.c: Ditto.
+
+ * defines.h (enum kcmd_proto): New type.
+ (rcmd_stream_read, rcmd_stream_write, getport,
+ rcmd_stream_init_krb5): Add prototypes.
+
+ * kcmd.c (use_ivecs): New variable.
+ (encivec_i, encivec_o): Each is now an array of two elements.
+ (input, output, twrite, krb5_write_message, krb5_net_read,
+ krb5_net_write, krb_sendauth): Add prototypes.
+ (kcmd): New argument PROTONUMP points to enum kcmd_proto. If
+ value is KCMD_PROTOCOL_COMPAT_HACK, set it to KCMD_NEW_PROTOCOL or
+ KCMD_OLD_PROTOCOL depending on session key type. Use subkeys for
+ new protocol. Callers updated.
+ (normal_read, v5_des_read, v4_des_read, twrite, v5_des_write,
+ v4_des_write, rcmd_stream_write, rcmd_stream_read): Take
+ additional argument indicating whether the fd is for the secondary
+ channel; ignored except in some v5 cases. Callers updated.
+ (rcmd_stream_init_krb5): New argument, kcmd protocol version. Set
+ up ivecs for secondary channel in each direction with values 0x2
+ ior primary channel value. Callers updated.
+ (v5_des_read, v5_des_write): For new protocol, plaintext now has
+ its length prepended but not counted.
+
+ * krcp.c (main): Set kcmd protocol version based on command line,
+ not on encryption type. Default to COMPAT_HACK.
+ * krsh.c (main): Ditto.
+ * krlogin.c (main): Ditto.
+
+ * krlogind.c (recvauth): Use new krb5_compat_recvauth_version
+ routine. Determine client's kcmd protocol version and initialize
+ based on it.
+ * krshd.c (recvauth): Ditto.
+
+2000-05-19 Nalin Dahyabhai <nalin@redhat.com>
+ Ken Raeburn <raeburn@mit.edu>
+
+ * krcp.c (sink): bail if the target directory/file name is too long
+ * krlogind.c (recvauth, krb4 compat): truncate user name if the
+ principal's root would be too long to be valid
+ * v4rcp.c (sink): bail if the target directory/file name is too long
+
+2000-05-18 Tom Yu <tlyu@mit.edu>
+
+ * krshd.c: Shuffle inclusion of defines.h so that some krb5
+ structures are declared prior to the kcmd() prototype.
+
+2000-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * defines.h (kcmd): Add prototype.
+ * krcp.c (main): Add extra arg to a kcmd call I missed yesterday.
+
+2000-05-15 Ken Raeburn <raeburn@mit.edu>
+
+ * krcp.c (main): Fix some conditionalizations to make proper
+ indentation easier.
+
+ * kcmd.c (encivec_i, encivec_o): New variables replace old single
+ variable encivec.
+ (rcmd_stream_init_krb5): New argument am_client, used to
+ initialize both ivec values.
+ * krcp.c (main, answer_auth): Pass new argument.
+ * krlogin.c (main): Ditto.
+ * krlogind.c (recvauth): Ditto.
+ * krsh.c (main): Ditto.
+ * krshd.c (recvauth): Ditto.
+
+ * defines.h (OPTS_FORWARD_CREDS, OPTS_FORWARDABLE_CREDS): Change
+ numbers so they don't conflict with AP_OPTS_USE_SUBKEY.
+ * kcmd.c (kcmd): New argument authconp, used to return the auth
+ context to the caller if desired.
+ * krlogin.c (auth_context): New variable.
+ (main): Request a subkey from sendauth. Get the auth context from
+ kcmd so we can retrieve the subkey. If non-DES session key is
+ being used, pass the subkey to rcmd_stream_init_krb5 instead of
+ the session key; fail if no subkey is found and encryption is
+ required.
+ * krlogind.c (recvauth): If a non-DES session key is being used,
+ pass the client-provided subkey to rcmd_stream_init_krb5.
+ * krcp.c (main): Set up and use subkey as above.
+ * krsh.c (main): Set up and use subkey as above.
+ * krshd.c (recvauth): Accept and use subkey as above.
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+
+ * v4rcp.c (main, case 'k'): Make sure krb_realm is
+ null-terminated.
+
+2000-04-27 Nalin Dahyabhai <nalin@redhat.com>
+
+ * krlogin.c (main): Don't overflow buffer "term".
+ * krshd.c (doit): Don't overflow buffer "cmdbuf".
+ * login.c (afs_login): Don't overflow buffer "aklog_path".
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for alpha*-dec-osf* instead of
+ alpha-dec-osf*.
+
2000-03-15 Ken Raeburn <raeburn@mit.edu>
Mark D. Roth <roth@uiuc.edu>
diff --git a/src/appl/bsd/Makefile.in b/src/appl/bsd/Makefile.in
index eee13ca..93a6cba 100644
--- a/src/appl/bsd/Makefile.in
+++ b/src/appl/bsd/Makefile.in
@@ -90,3 +90,4 @@ install::
getdtablesize.o: $(srcdir)/getdtablesize.c
+kcmd.o krcp.o krlogin.o krlogind.o krsh.o krshd.o : defines.h
diff --git a/src/appl/bsd/configure.in b/src/appl/bsd/configure.in
index 6d31f48..051af51 100644
--- a/src/appl/bsd/configure.in
+++ b/src/appl/bsd/configure.in
@@ -25,16 +25,20 @@ dnl Make our operating system-specific security checks and definitions for
dnl login.
dnl
case $krb5_cv_host in
-*-*-aix3*) # AIX has streams include files but not streams TTY
-# Moreover, strops.h trashes sys/ioctl.h
-krb5_cv_has_streams=no
-;;
-alpha-dec-osf*)
+*-*-aix3*)
+ # AIX has streams include files but not streams TTY
+ # Moreover, strops.h trashes sys/ioctl.h
+ krb5_cv_has_streams=no
+ ;;
+alpha*-dec-osf*)
AC_CHECK_LIB(security,setluid,
AC_DEFINE(HAVE_SETLUID)
LOGINLIBS="$LOGINLIBS -lsecurity"
)
;;
+*-*-sunos4*)
+ ac_cv_header_termios_h=no
+ ;;
esac
dnl
dnl After beta6 this functionality will be integrated with aclocal.m4
diff --git a/src/appl/bsd/defines.h b/src/appl/bsd/defines.h
index fd9c3e1..6365d2c 100644
--- a/src/appl/bsd/defines.h
+++ b/src/appl/bsd/defines.h
@@ -1,3 +1,43 @@
-#define OPTS_FORWARD_CREDS 0x00000002
-#define OPTS_FORWARDABLE_CREDS 0x00000001
+#define OPTS_FORWARD_CREDS 0x00000020
+#define OPTS_FORWARDABLE_CREDS 0x00000010
#define RCMD_BUFSIZ 5120
+
+enum kcmd_proto {
+ /* Old protocol: DES encryption only. No subkeys. No protection
+ for cleartext length. No ivec supplied. OOB hacks used for
+ rlogin. Checksum may be omitted at connection startup. */
+ KCMD_OLD_PROTOCOL = 1,
+ /* New protocol: Any encryption scheme. Client-generated subkey
+ required. Prepend cleartext-length to cleartext data (but don't
+ include it in count). Starting ivec defined, chained. In-band
+ signalling. Checksum required. */
+ KCMD_NEW_PROTOCOL,
+ /* Hack: Get credentials, and use the old protocol iff the session
+ key type is single-DES. */
+ KCMD_PROTOCOL_COMPAT_HACK,
+ /* Using Kerberos version 4. */
+ KCMD_V4_PROTOCOL,
+ /* ??? */
+ KCMD_UNKNOWN_PROTOCOL
+};
+
+extern int kcmd (int *sock, char **ahost, int /* u_short */ rport,
+ char *locuser, char *remuser, char *cmd,
+ int *fd2p, char *service, char *realm,
+ krb5_creds **cred,
+ krb5_int32 *seqno, krb5_int32 *server_seqno,
+ struct sockaddr_in *laddr,
+ struct sockaddr_in *faddr,
+ krb5_auth_context *authconp,
+ krb5_flags authopts,
+ int anyport, int suppress_err,
+ enum kcmd_proto *protonum /* input and output */
+ );
+
+extern int rcmd_stream_read (int fd, char *buf, int len, int secondary);
+extern int rcmd_stream_write (int fd, char *buf, int len, int secondary);
+extern int getport (int *);
+
+extern void rcmd_stream_init_krb5 (krb5_keyblock *in_keyblock,
+ int encrypt_flag, int lencheck,
+ int am_client, enum kcmd_proto protonum);
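Review bot: The renumbered `OPTS_FORWARD_CREDS` / `OPTS_FORWARDABLE_CREDS` values carry no comment explaining the constraint they now satisfy, so a later edit could reintroduce the clash. A line such as `/* Must not overlap the library's AP_OPTS_* bits (e.g. AP_OPTS_USE_SUBKEY); kcmd() ORs those into the same authopts value. */` above the two defines would record it. The header also has no include guard although it now declares an enum and prototypes, and `KCMD_UNKNOWN_PROTOCOL` is documented only as `/* ??? */`. A guard and a one-line description of when that value is used would help the files that now include it.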
diff --git a/src/appl/bsd/forward.c b/src/appl/bsd/forward.c
index e22fc1d..e47b8ff 100644
--- a/src/appl/bsd/forward.c
+++ b/src/appl/bsd/forward.c
@@ -51,7 +51,7 @@ rd_and_store_for_creds(context, auth_context, inbuf, ticket, ccache)
*/
sprintf(ccname, "FILE:/tmp/krb5cc_p%d", getpid());
- setenv("KRB5CCNAME", ccname, 0);
+ setenv("KRB5CCNAME", ccname, 1);
if (retval = krb5_cc_resolve(context, ccname, ccache))
goto cleanup;
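Review bot: The result of `setenv("KRB5CCNAME", ccname, 1)` is ignored, so if the call fails the function goes on to resolve and fill the cache named by `ccname` while the environment still holds the previous KRB5CCNAME. Processes started afterwards would then look at a different cache from the one the forwarded credentials were written to. Checking it in the style of the next statement, `if (setenv("KRB5CCNAME", ccname, 1) != 0) { retval = errno; goto cleanup; }`, keeps the two in step. Separately, the cache path under /tmp is derived only from the pid, and whether the file is created exclusively is decided in code outside this hunk. rd_and_store_for_creds starts and ends outside the hunk.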
diff --git a/src/appl/bsd/kcmd.c b/src/appl/bsd/kcmd.c
index 0e68f88..3e401cc 100644
--- a/src/appl/bsd/kcmd.c
+++ b/src/appl/bsd/kcmd.c
@@ -117,14 +117,18 @@ static char des_inbuf[2*RCMD_BUFSIZ]; /* needs to be > largest read size */
static char des_outpkt[2*RCMD_BUFSIZ+4]; /* needs to be > largest write size */
static krb5_data desinbuf;
static krb5_data desoutbuf;
-static krb5_data encivec;
+
+/* XXX Overloaded: use_ivecs!=0 -> new protocol, inband signalling, etc. */
+static int use_ivecs;
+static krb5_data encivec_i[2], encivec_o[2];
+
static krb5_keyblock *keyblock; /* key for encrypt/decrypt */
-static int (*input)();
-static int (*output)();
+static int (*input)(int, char *, int, int);
+static int (*output)(int, char *, int, int);
static char storage[2*RCMD_BUFSIZ]; /* storage for the decryption */
static int nstored = 0;
static char *store_ptr = storage;
-static int twrite();
+static int twrite(int, char *, int, int);
static int v5_des_read(), v5_des_write();
#ifdef KRB5_KRB4_COMPAT
static int v4_des_read(), v4_des_write();
@@ -133,8 +137,29 @@ static int right_justify;
#endif
static int do_lencheck;
+/* XXX: These should be internal to krb5 library, or declared in krb5.h. */
+extern krb5_error_code krb5_write_message (krb5_context, krb5_pointer,
+ krb5_data *);
+extern int krb5_net_read (krb5_context, int , char *, int);
+extern int krb5_net_write (krb5_context, int , const char *, int);
+/* XXX: And these should be declared in krb.h, or private. */
+#ifdef KRB5_KRB4_COMPAT
+extern int
+krb_sendauth(long options, int fd, KTEXT ticket,
+ char *service, char *inst, char *realm,
+ unsigned KRB4_32 checksum,
+ MSG_DAT *msg_data,
+ CREDENTIALS *cred,
+ Key_schedule schedule,
+ struct sockaddr_in *laddr,
+ struct sockaddr_in *faddr,
+ char *version);
+#endif
+
+int
kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
- cred, seqno, server_seqno, laddr, faddr, authopts, anyport, suppress_err)
+ cred, seqno, server_seqno, laddr, faddr, authconp, authopts, anyport,
+ suppress_err, protonump)
int *sock;
char **ahost;
u_short rport;
@@ -142,15 +167,17 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
int *fd2p;
char *service;
char *realm;
- krb5_creds **cred;
+ krb5_creds **cred; /* output only */
krb5_int32 *seqno;
krb5_int32 *server_seqno;
struct sockaddr_in *laddr, *faddr;
+ krb5_auth_context *authconp;
krb5_flags authopts;
int anyport;
int suppress_err; /* Don't print if authentication fails */
+ enum kcmd_proto *protonump;
{
- int i, s, timo = 1, pid;
+ int s, pid;
#ifdef POSIX_SIGNALS
sigset_t oldmask, urgmask;
#else
@@ -164,7 +191,6 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
int rc;
char *host_save;
krb5_error_code status;
- krb5_error *err_ret;
krb5_ap_rep_enc_part *rep_ret;
krb5_error *error = 0;
int sin_len;
@@ -174,6 +200,8 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
krb5_auth_context auth_context = NULL;
char *cksumbuf;
krb5_data cksumdat;
+ char *kcmd_version;
+ enum kcmd_proto protonum = *protonump;
if ((cksumbuf = malloc(strlen(cmd)+strlen(remuser)+64)) == 0 ) {
fprintf(stderr, "Unable to allocate memory for checksum buffer.\n");
@@ -361,12 +389,35 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
KRB5_AUTH_CONTEXT_GENERATE_LOCAL_FULL_ADDR))
goto bad2;
- /* call Kerberos library routine to obtain an authenticator,
+ if (protonum == KCMD_PROTOCOL_COMPAT_HACK) {
+ krb5_boolean is_des;
+ status = krb5_c_enctype_compare (bsd_context, ENCTYPE_DES_CBC_CRC,
+ ret_cred->keyblock.enctype, &is_des);
+ if (status)
+ goto bad2;
+ protonum = is_des ? KCMD_OLD_PROTOCOL : KCMD_NEW_PROTOCOL;
+ }
+
+ switch (protonum) {
+ case KCMD_NEW_PROTOCOL:
+ authopts |= AP_OPTS_USE_SUBKEY;
+ kcmd_version = "KCMDV0.2";
+ break;
+ case KCMD_OLD_PROTOCOL:
+ kcmd_version = "KCMDV0.1";
+ break;
+ default:
+ status = EINVAL;
+ goto bad2;
+ }
+
+ /* Call Kerberos library routine to obtain an authenticator,
pass it over the socket to the server, and obtain mutual
- authentication. */
+ authentication. */
status = krb5_sendauth(bsd_context, &auth_context, (krb5_pointer) &s,
- "KCMDV0.1", ret_cred->client, ret_cred->server,
- authopts, &cksumdat, ret_cred, 0, &error, &rep_ret, NULL);
+ kcmd_version, ret_cred->client, ret_cred->server,
+ authopts, &cksumdat, ret_cred, 0,
+ &error, &rep_ret, NULL);
free(cksumbuf);
if (status) {
if (!suppress_err)
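Review bot: Both new exits to `bad2` (after a failed `krb5_c_enctype_compare` and in the `default:` case of the switch) leave before the `free(cksumbuf)` that follows `krb5_sendauth`, as does the existing `goto bad2` at the top of the hunk. Unless the `bad2` cleanup, which is outside this hunk, releases `cksumbuf`, each of these paths leaks the buffer allocated at the start of kcmd(). Freeing it before the jump, `free(cksumbuf); goto bad2;`, or once in the `bad2` block, would cover all three.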
@@ -440,10 +491,13 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
sigsetmask(oldmask);
#endif /* POSIX_SIGNALS */
*sock = s;
+ *protonump = protonum;
/* pass back credentials if wanted */
if (cred) krb5_copy_creds(bsd_context, ret_cred, cred);
krb5_free_creds(bsd_context, ret_cred);
+ if (authconp)
+ *authconp = auth_context;
return (0);
bad2:
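Review bot: When `authconp` is NULL the auth context is neither handed to the caller nor released before `return (0)`, at least within the lines shown here. An `else krb5_auth_con_free(bsd_context, auth_context);` after the new `if (authconp)` would make ownership explicit for callers that do not want the context. A short comment on the parameter, e.g. `/* if non-NULL, receives the auth context; caller must free it */`, would document the transfer. The rest of kcmd() is outside the hunk.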
@@ -464,6 +518,7 @@ kcmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, service, realm,
#ifdef KRB5_KRB4_COMPAT
+int
k4cmd(sock, ahost, rport, locuser, remuser, cmd, fd2p, ticket, service, realm,
cred, schedule, msg_data, laddr, faddr, authopts, anyport)
int *sock;
@@ -701,7 +756,7 @@ reread:
#endif /* KRB5_KRB4_COMPAT */
-
+int
getport(alport)
int *alport;
{
@@ -733,16 +788,25 @@ getport(alport)
return -1;
}
+static int
+normal_read (int fd, char *buf, int len, int secondary)
+{
+ return read (fd, buf, len);
+}
+
void rcmd_stream_init_normal()
{
- input = read;
+ input = normal_read;
output = twrite;
}
-void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck)
+void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck, am_client,
+ protonum)
krb5_keyblock *in_keyblock;
int encrypt_flag;
int lencheck;
+ int am_client;
+ enum kcmd_proto protonum;
{
krb5_error_code status;
size_t blocksize;
@@ -760,33 +824,35 @@ void rcmd_stream_init_krb5(in_keyblock, encrypt_flag, lencheck)
input = v5_des_read;
output = v5_des_write;
- if (status = krb5_c_enctype_compare(bsd_context, ENCTYPE_DES_CBC_CRC,
- keyblock->enctype,
- &similar)) {
- /* XXX what do I do? */
- abort();
- }
-
- if (similar) {
- encivec.length = 0;
+ if (protonum == KCMD_OLD_PROTOCOL) {
+ use_ivecs = 0;
return;
}
+ use_ivecs = 1;
+
if (status = krb5_c_block_size(bsd_context, keyblock->enctype,
&blocksize)) {
/* XXX what do I do? */
abort();
}
- encivec.length = blocksize;
+ encivec_i[0].length = encivec_i[1].length = encivec_o[0].length
+ = encivec_o[1].length = blocksize;
- if ((encivec.data = malloc(encivec.length)) == NULL) {
+ if ((encivec_i[0].data = malloc(encivec_i[0].length * 4)) == NULL) {
/* XXX what do I do? */
abort();
}
+ encivec_i[1].data = encivec_i[0].data + encivec_i[0].length;
+ encivec_o[0].data = encivec_i[1].data + encivec_i[0].length;
+ encivec_o[1].data = encivec_o[0].data + encivec_i[0].length;
/* is there a better way to initialize this? */
- memset(encivec.data, '\0', blocksize);
+ memset(encivec_i[0].data, am_client, blocksize);
+ memset(encivec_o[0].data, 1 - am_client, blocksize);
+ memset(encivec_i[1].data, 2 | am_client, blocksize);
+ memset(encivec_o[1].data, 2 | (1 - am_client), blocksize);
}
#ifdef KRB5_KRB4_COMPAT
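Review bot: The four ivec fill bytes are computed from `am_client` (`am_client`, `1 - am_client`, `2 | am_client`, `2 | (1 - am_client)`), so the two peers agree only if every caller passes exactly 0 or 1, and nothing here enforces that. Normalising once before the memset calls, `am_client = (am_client != 0);`, removes the dependency on caller discipline. The retained comment `/* is there a better way to initialize this? */` no longer describes what follows. Something like `/* ivec fill byte = receiver's am_client value; 0x2 is set for the secondary channel */` would explain the layout. rcmd_stream_init_krb5 begins outside the hunk.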
@@ -808,35 +874,39 @@ void rcmd_stream_init_krb4(session, encrypt_flag, lencheck, justify)
}
#endif
-int rcmd_stream_read(fd, buf, len)
+int rcmd_stream_read(fd, buf, len, sec)
int fd;
register char *buf;
int len;
+ int sec;
{
- return (*input)(fd, buf, len);
+ return (*input)(fd, buf, len, sec);
}
-int rcmd_stream_write(fd, buf, len)
+int rcmd_stream_write(fd, buf, len, sec)
int fd;
register char *buf;
int len;
+ int sec;
{
- return (*output)(fd, buf, len);
+ return (*output)(fd, buf, len, sec);
}
/* Because of rcp lossage, translate fd 0 to 1 when writing. */
-static int twrite(fd, buf, len)
+static int twrite(fd, buf, len, secondary)
int fd;
char *buf;
int len;
+ int secondary;
{
return write((fd == 0) ? 1 : fd, buf, len);
}
-static int v5_des_read(fd, buf, len)
+static int v5_des_read(fd, buf, len, secondary)
int fd;
char *buf;
int len;
+ int secondary;
{
int nreturned = 0;
size_t net_len,rd_len;
@@ -879,7 +949,8 @@ static int v5_des_read(fd, buf, len)
rd_len = (rd_len << 8) | c;
if (ret = krb5_c_encrypt_length(bsd_context, keyblock->enctype,
- rd_len, &net_len)) {
+ use_ivecs ? rd_len + 4 : rd_len,
+ &net_len)) {
errno = ret;
return(-1);
}
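Review bot: `rd_len` is assembled from length bytes read off the connection, and the new expression adds 4 to it before any range check that is visible in this hunk. Where `size_t` is 32 bits, a value close to the maximum wraps, and `krb5_c_encrypt_length` is then asked about a very small length. If no bound on `rd_len` precedes this call (the earlier part of v5_des_read is outside the hunk), one belongs here, e.g. `if (rd_len > sizeof(storage) - 4) { errno = EIO; return(-1); }`.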
@@ -902,8 +973,8 @@ static int v5_des_read(fd, buf, len)
plain.data = storage;
/* decrypt info */
- if (krb5_c_decrypt(bsd_context, keyblock, KCMD_KEYUSAGE,
- encivec.length?&encivec:0,
+ if (ret = krb5_c_decrypt(bsd_context, keyblock, KCMD_KEYUSAGE,
+ use_ivecs ? encivec_i + secondary : 0,
&cipher, &plain)) {
/* probably out of sync */
errno = EIO;
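Review bot: `encivec_i + secondary` uses the caller-supplied `secondary` argument directly as an index into a two-element array, with no check that it is 0 or 1. The value arrives unmodified through `rcmd_stream_read`'s new `sec` parameter, so any non-boolean argument would select memory outside `encivec_i`. Writing the index as `encivec_i + (secondary != 0)` keeps it in range, and the same applies to `encivec_o + secondary` in v5_des_write (hunk at -927,23). v5_des_read starts and ends outside this hunk.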
@@ -911,6 +982,19 @@ static int v5_des_read(fd, buf, len)
}
store_ptr = storage;
nstored = rd_len;
+ if (use_ivecs) {
+ int rd_len2;
+ rd_len2 = storage[0] & 0xff;
+ rd_len2 <<= 8; rd_len2 |= storage[1] & 0xff;
+ rd_len2 <<= 8; rd_len2 |= storage[2] & 0xff;
+ rd_len2 <<= 8; rd_len2 |= storage[3] & 0xff;
+ if (rd_len2 != rd_len) {
+ /* cleartext length trashed? */
+ errno = EIO;
+ return -1;
+ }
+ store_ptr += 4;
+ }
if (nstored > len) {
memcpy(buf, store_ptr, len);
nreturned += len;
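Review bot: `rd_len2` is declared `int` and built by repeated `<<= 8`, so a decrypted first byte of 0x80 or above shifts into the sign bit, which is undefined behaviour for a signed type. The comparison `rd_len2 != rd_len` then mixes `int` with the `size_t` `rd_len`. Declaring it unsigned avoids both problems: `unsigned long rd_len2 = storage[0] & 0xff;` with the shifts unchanged, and `if (rd_len2 != (unsigned long) rd_len)`. v5_des_read starts and ends outside the hunk.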
@@ -927,23 +1011,39 @@ static int v5_des_read(fd, buf, len)
-static int v5_des_write(fd, buf, len)
+static int v5_des_write(fd, buf, len, secondary)
int fd;
char *buf;
int len;
+ int secondary;
{
- unsigned char *len_buf = (unsigned char *) des_outpkt;
krb5_data plain;
krb5_enc_data cipher;
-
- plain.data = buf;
- plain.length = len;
+ char tmpbuf[2*RCMD_BUFSIZ+8];
+ unsigned char *len_buf = (unsigned char *) tmpbuf;
+
+ if (use_ivecs) {
+ unsigned char *lenbuf2 = (unsigned char *) tmpbuf;
+ if (len + 4 > sizeof(tmpbuf))
+ abort ();
+ lenbuf2[0] = (len & 0xff000000) >> 24;
+ lenbuf2[1] = (len & 0xff0000) >> 16;
+ lenbuf2[2] = (len & 0xff00) >> 8;
+ lenbuf2[3] = (len & 0xff);
+ memcpy (tmpbuf + 4, buf, len);
+
+ plain.data = tmpbuf;
+ plain.length = len + 4;
+ } else {
+ plain.data = buf;
+ plain.length = len;
+ }
cipher.ciphertext.length = sizeof(des_outpkt)-4;
cipher.ciphertext.data = desoutbuf.data;
if (krb5_c_encrypt(bsd_context, keyblock, KCMD_KEYUSAGE,
- encivec.length?&encivec:0,
+ use_ivecs ? encivec_o + secondary : 0,
&plain, &cipher)) {
errno = EIO;
return(-1);
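Review bot: The size guard `if (len + 4 > sizeof(tmpbuf)) abort ();` does not cover every bad length. For `len` between -4 and -1 the sum is a small non-negative number and the test passes, after which `memcpy (tmpbuf + 4, buf, len)` receives the negative `len` converted to a very large size. An over-long write also terminates the process instead of failing the call like the encrypt error below it. Suggested replacement: `if (len < 0 || (size_t) len + 4 > sizeof(tmpbuf)) { errno = EIO; return(-1); }`. The initial `len_buf = (unsigned char *) tmpbuf` is never used before it is reassigned in the next hunk, so the declaration can be left uninitialised or moved there.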
@@ -951,6 +1051,7 @@ static int v5_des_write(fd, buf, len)
desoutbuf.length = cipher.ciphertext.length;
+ len_buf = (unsigned char *) des_outpkt;
len_buf[0] = (len & 0xff000000) >> 24;
len_buf[1] = (len & 0xff0000) >> 16;
len_buf[2] = (len & 0xff00) >> 8;
@@ -1032,11 +1133,11 @@ int len;
errno = EIO;
return(-1);
}
- (void) pcbc_encrypt(des_inbuf,
- storage,
+ (void) pcbc_encrypt((des_cblock *) des_inbuf,
+ (des_cblock *) storage,
(net_len < 8) ? 8 : net_len,
v4_schedule,
- v4_session,
+ &v4_session,
DECRYPT);
/*
* when the cleartext block is < 8 bytes, it is "right-justified"
@@ -1092,11 +1193,11 @@ int len;
/* this "right-justifies" the data in the buffer */
(void) memcpy(garbage_buf + 8 - len, buf, len);
}
- (void) pcbc_encrypt((len < 8) ? garbage_buf : buf,
- des_outpkt+4,
+ (void) pcbc_encrypt((des_cblock *) ((len < 8) ? garbage_buf : buf),
+ (des_cblock *) (des_outpkt+4),
(len < 8) ? 8 : len,
v4_schedule,
- v4_session,
+ &v4_session,
ENCRYPT);
/* tell the other end the real amount, but send an 8-byte padded
diff --git a/src/appl/bsd/krcp.c b/src/appl/bsd/krcp.c
index 9670145..7292e72 100644
--- a/src/appl/bsd/krcp.c
+++ b/src/appl/bsd/krcp.c
@@ -71,6 +71,8 @@ char copyright[] =
#include <k5-util.h>
#include <com_err.h>
+#include "defines.h"
+
#define RCP_BUFSIZ 4096
int sock;
@@ -131,7 +133,7 @@ void error KRB5_STDARG_P((char *fmt, ...));
void error KRB5_STDARG_P((char *, va_list));
#endif
-#define ga() (void) rcmd_stream_write(rem, "", 1)
+#define ga() (void) rcmd_stream_write(rem, "", 1, 0)
int main(argc, argv)
int argc;
@@ -153,6 +155,8 @@ int main(argc, argv)
krb5_error_code status;
int euid;
char **orig_argv = save_argv(argc, argv);
+ krb5_auth_context auth_context;
+ enum kcmd_proto kcmd_proto = KCMD_PROTOCOL_COMPAT_HACK;
status = krb5_init_context(&bsd_context);
if (status) {
@@ -224,6 +228,14 @@ int main(argc, argv)
}
strcpy(krb_config, *argv);
goto next_arg;
+ case 'P':
+ if (!strcmp (*argv, "O"))
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ else if (!strcmp (*argv, "N"))
+ kcmd_proto = KCMD_NEW_PROTOCOL;
+ else
+ usage ();
+ goto next_arg;
#endif /* KERBEROS */
/* The rest of these are not for users. */
case 'd':
@@ -376,20 +388,22 @@ int main(argc, argv)
suser = pwd->pw_name;
else if (!okname(suser))
continue;
+ (void) sprintf(buf,
#if defined(hpux) || defined(__hpux)
- (void) sprintf(buf, "remsh %s -l %s -n %s %s '%s%s%s:%s'",
+ "remsh %s -l %s -n %s %s '%s%s%s:%s'",
#else
- (void) sprintf(buf, "rsh %s -l %s -n %s %s '%s%s%s:%s'",
+ "rsh %s -l %s -n %s %s '%s%s%s:%s'",
#endif
host, suser, cmd, src,
tuser ? tuser : "",
tuser ? "@" : "",
thost, targ);
} else
+ (void) sprintf(buf,
#if defined(hpux) || defined(__hpux)
- (void) sprintf(buf, "remsh %s -n %s %s '%s%s%s:%s'",
+ "remsh %s -n %s %s '%s%s%s:%s'",
#else
- (void) sprintf(buf, "rsh %s -n %s %s '%s%s%s:%s'",
+ "rsh %s -n %s %s '%s%s%s:%s'",
#endif
argv[i], cmd, src,
tuser ? tuser : "",
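Review bot: Both restructured `sprintf(buf, ...)` calls still format the host, user and path operands into `buf` with no length limit, and the result is handed to `susystem(buf)` (visible at the start of the following hunk). Since the statement is being rewritten anyway, a length test in the style this commit adds to sink() would stop over-long operands overrunning `buf`, whose size is declared outside the hunk: test `strlen(host) + strlen(suser) + strlen(cmd) + strlen(src) + strlen(thost) + strlen(targ) + 32 >= sizeof(buf)` (adding `strlen(tuser)` when `tuser` is set) and exit with an error. The operands also sit inside single quotes in a shell command line. `okname(suser)` is the only screening shown here, so it is worth confirming that the others are checked for quote characters before this point.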
@@ -397,7 +411,7 @@ int main(argc, argv)
thost, targ);
(void) susystem(buf);
} else { /* local to remote */
-krb5_creds *cred;
+ krb5_creds *cred;
if (rem == -1) {
(void) sprintf(buf, "%s -t %s",
cmd, targ);
@@ -418,10 +432,14 @@ krb5_creds *cred;
0, /* No server seq # */
&local,
&foreign,
- authopts,
+ &auth_context, authopts,
0, /* Not any port # */
- 0);
+ 0,
+ &kcmd_proto);
if (status) {
+ if (kcmd_proto == KCMD_NEW_PROTOCOL)
+ /* Don't fall back to less safe methods. */
+ exit (1);
#ifdef KRB5_KRB4_COMPAT
fprintf(stderr, "Trying krb4 rcp...\n");
if (strncmp(buf, "-x rcp", 6) == 0)
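Review bot: The new guard `if (kcmd_proto == KCMD_NEW_PROTOCOL) exit (1);` stops the fallback only when `-PN` was given explicitly. kcmd() writes the protocol it chose back through `protonump` on its success path only (`*sock = s; *protonump = protonum;` in kcmd.c), so with the default `KCMD_PROTOCOL_COMPAT_HACK` a failed exchange still reaches the krb4 and `try_normal()` fallbacks below. If that is the intended policy it should be stated at the guard, e.g. `/* Only an explicit -PN disables fallback; the COMPAT_HACK default may still fall back on failure. */`. The identical guard in the hunk at -521,10 needs the same comment.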
@@ -442,8 +460,29 @@ krb5_creds *cred;
try_normal(orig_argv);
#endif
}
- else
- rcmd_stream_init_krb5(&cred->keyblock, encryptflag, 0);
+ else {
+ krb5_boolean similar;
+ krb5_keyblock *key = &cred->keyblock;
+
+ if (status = krb5_c_enctype_compare(bsd_context,
+ ENCTYPE_DES_CBC_CRC,
+ cred->keyblock.enctype,
+ &similar))
+ try_normal(orig_argv); /* doesn't return */
+
+ if (!similar) {
+ status = krb5_auth_con_getlocalsubkey (bsd_context,
+ auth_context,
+ &key);
+ if ((status || !key) && encryptflag)
+ try_normal(orig_argv);
+ }
+ if (key == 0)
+ key = &cred->keyblock;
+
+ rcmd_stream_init_krb5(key, encryptflag, 0, 1,
+ kcmd_proto);
+ }
rem = sock;
#else
rem = rcmd(&host, port, pwd->pw_name,
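Review bot: This success branch still decides on the session key's enctype (`similar`) and falls back through `try_normal()`, while the second call site later in main() (hunk at -543,8) decides on `kcmd_proto` and exits with a message. With `-PN` and a single-DES session key, `similar` is true, no subkey is fetched, and `rcmd_stream_init_krb5` is called with the session key and KCMD_NEW_PROTOCOL, although defines.h describes the new protocol as requiring a client-generated subkey. `if (key == 0) key = &cred->keyblock;` likewise substitutes the session key silently when no subkey was negotiated. Making this branch match the later one removes both problems. main() starts and ends outside the hunk.

```c
	    else {
		krb5_keyblock *key = &cred->keyblock;

		if (kcmd_proto == KCMD_NEW_PROTOCOL) {
		    status = krb5_auth_con_getlocalsubkey (bsd_context,
							   auth_context,
							   &key);
		    if (status) {
			com_err (argv[0], status,
				 "determining subkey for session");
			exit (1);
		    }
		    if (!key) {
			com_err (argv[0], 0,
				 "no subkey negotiated for connection");
			exit (1);
		    }
		}

		rcmd_stream_init_krb5(key, encryptflag, 0, 1, kcmd_proto);
	    }
```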
@@ -521,10 +560,14 @@ krb5_creds *cred;
0, /* No server seq # */
(struct sockaddr_in *) 0,
&foreign,
- authopts,
+ &auth_context, authopts,
0, /* Not any port # */
- 0);
+ 0,
+ &kcmd_proto);
if (status) {
+ if (kcmd_proto == KCMD_NEW_PROTOCOL)
+ /* Don't fall back to less safe methods. */
+ exit (1);
#ifdef KRB5_KRB4_COMPAT
fprintf(stderr, "Trying krb4 rcp...\n");
if (strncmp(buf, "-x rcp", 6) == 0)
@@ -543,8 +586,27 @@ krb5_creds *cred;
#else
try_normal(orig_argv);
#endif
- } else
- rcmd_stream_init_krb5(&cred->keyblock, encryptflag, 0);
+ } else {
+ krb5_keyblock *key = &cred->keyblock;
+
+ if (kcmd_proto == KCMD_NEW_PROTOCOL) {
+ status = krb5_auth_con_getlocalsubkey (bsd_context,
+ auth_context,
+ &key);
+ if (status) {
+ com_err (argv[0], status,
+ "determining subkey for session");
+ exit (1);
+ }
+ if (!key) {
+ com_err (argv[0], 0,
+ "no subkey negotiated for connection");
+ exit (1);
+ }
+ }
+
+ rcmd_stream_init_krb5(key, encryptflag, 0, 1, kcmd_proto);
+ }
rem = sock;
euid = geteuid();
@@ -741,7 +803,7 @@ void source(argc, argv)
*/
(void) sprintf(buf, "T%ld 0 %ld 0\n",
stb.st_mtime, stb.st_atime);
- (void) rcmd_stream_write(rem, buf, strlen(buf));
+ (void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
continue;
@@ -749,7 +811,7 @@ void source(argc, argv)
}
(void) sprintf(buf, "C%04o %ld %s\n",
(int) stb.st_mode&07777, (long ) stb.st_size, last);
- (void) rcmd_stream_write(rem, buf, strlen(buf));
+ (void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
(void) close(f);
continue;
@@ -765,7 +827,7 @@ void source(argc, argv)
amt = stb.st_size - i;
if (readerr == 0 && read(f, bp->buf, amt) != amt)
readerr = errno;
- (void) rcmd_stream_write(rem, bp->buf, amt);
+ (void) rcmd_stream_write(rem, bp->buf, amt, 0);
}
(void) close(f);
if (readerr == 0)
@@ -810,14 +872,14 @@ void rsource(name, statp)
if (pflag) {
(void) sprintf(buf, "T%ld 0 %ld 0\n",
statp->st_mtime, statp->st_atime);
- (void) rcmd_stream_write(rem, buf, strlen(buf));
+ (void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
closedir(d);
return;
}
}
(void) sprintf(buf, "D%04o %d %s\n", statp->st_mode&07777, 0, last);
- (void) rcmd_stream_write(rem, buf, strlen(buf));
+ (void) rcmd_stream_write(rem, buf, strlen(buf), 0);
if (response() < 0) {
closedir(d);
return;
@@ -836,7 +898,7 @@ void rsource(name, statp)
source(1, bufv);
}
closedir(d);
- (void) rcmd_stream_write(rem, "E\n", 2);
+ (void) rcmd_stream_write(rem, "E\n", 2, 0);
(void) response();
}
@@ -845,7 +907,7 @@ void rsource(name, statp)
int response()
{
char resp, c, rbuf[RCP_BUFSIZ], *cp = rbuf;
- if (rcmd_stream_read(rem, &resp, 1) != 1)
+ if (rcmd_stream_read(rem, &resp, 1, 0) != 1)
lostconn();
switch (resp) {
@@ -858,7 +920,7 @@ int response()
case 1: /* error, followed by err msg */
case 2: /* fatal error, "" */
do {
- if (rcmd_stream_read(rem, &c, 1) != 1)
+ if (rcmd_stream_read(rem, &c, 1, 0) != 1)
lostconn();
*cp++ = c;
} while (cp < &rbuf[RCP_BUFSIZ] && c != '\n');
@@ -941,12 +1003,12 @@ void sink(argc, argv)
targisdir = 1;
for (first = 1; ; first = 0) {
cp = cmdbuf;
- if (rcmd_stream_read(rem, cp, 1) <= 0)
+ if (rcmd_stream_read(rem, cp, 1, 0) <= 0)
return;
if (*cp++ == '\n')
SCREWUP("unexpected '\\n'");
do {
- if (rcmd_stream_read(rem, cp, 1) != 1)
+ if (rcmd_stream_read(rem, cp, 1, 0) != 1)
SCREWUP("lost connection");
} while (*cp++ != '\n');
*cp = 0;
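Review bot: The `do { ... } while (*cp++ != '\n');` loop in sink() stores bytes from the peer into cmdbuf until a newline arrives, and nothing in the hunk stops cp at the end of the buffer. A long control line from the remote side would therefore write past cmdbuf. A bound inside the loop closes this, e.g. `if (cp >= cmdbuf + sizeof(cmdbuf) - 1) SCREWUP("command line too long");` before the read, assuming cmdbuf is an array (its declaration is outside the hunk). sink() starts and ends outside this hunk.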
@@ -1012,11 +1074,17 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
- if (targisdir)
+ if (targisdir) {
+ if(strlen(targ) + strlen(cp) + 2 >= sizeof(nambuf))
+ SCREWUP("target name too long");
(void) sprintf(nambuf, "%s%s%s", targ,
*targ ? "/" : "", cp);
- else
- (void) strcpy(nambuf, targ);
+ } else {
+ if (strlen(targ) + 1 >= sizeof (nambuf))
+ SCREWUP("target name too long");
+ (void) strncpy(nambuf, targ, sizeof(nambuf) - 1);
+ }
+ nambuf[sizeof(nambuf) - 1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
if (exists) {
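Review bot: The new length checks bound the copy into nambuf, but `cp` is the file name taken from the control line the peer sent, and it is joined to `targ` unchanged. Nothing visible here rejects a name that contains `/` or is `.` or `..`, so with targisdir set the resulting path need not stay inside the target directory. A check such as `if (strchr(cp, '/') || !strcmp(cp, ".") || !strcmp(cp, "..")) SCREWUP("invalid file name");` before the sprintf would cover it. Validation may already exist in the part of sink() between the hunks, which is not shown.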
@@ -1064,7 +1132,7 @@ void sink(argc, argv)
amt = size - i;
count += amt;
do {
- j = rcmd_stream_read(rem, cp, amt);
+ j = rcmd_stream_read(rem, cp, amt, 0);
if (j <= 0) {
if (j == 0)
error("rcp: dropped connection");
@@ -1159,7 +1227,7 @@ error(fmt, va_alist)
va_end(ap);
if (iamremote)
- (void) rcmd_stream_write(rem, buf, strlen(buf));
+ (void) rcmd_stream_write(rem, buf, strlen(buf), 0);
else
(void) write(2, buf+1, strlen(buf+1));
}
@@ -1170,7 +1238,7 @@ void usage()
{
#ifdef KERBEROS
fprintf(stderr,
- "Usage: \trcp [-p] [-x] [-k realm] f1 f2; or:\n\trcp [-r] [-p] [-x] [-k realm] f1 ... fn d2\n");
+ "Usage: \trcp [-PN | -PO] [-p] [-x] [-k realm] f1 f2; or:\n\trcp [-PN | -PO] [-r] [-p] [-x] [-k realm] f1 ... fn d2\n");
#else
fputs("usage: rcp [-p] f1 f2; or: rcp [-rp] f1 ... fn d2\n", stderr);
#endif
@@ -1315,7 +1383,8 @@ void
exit(1);
}
- rcmd_stream_init_krb5(&new_creds->keyblock, encryptflag, 0);
+ rcmd_stream_init_krb5(&new_creds->keyblock, encryptflag, 0, 0,
+ KCMD_OLD_PROTOCOL);
/* cleanup */
krb5_free_cred_contents(bsd_context, &creds);
diff --git a/src/appl/bsd/krlogin.c b/src/appl/bsd/krlogin.c
index da4a889..02a8d30 100644
--- a/src/appl/bsd/krlogin.c
+++ b/src/appl/bsd/krlogin.c
@@ -138,12 +138,6 @@ char copyright[] =
#endif
#endif
-/* how do we tell apart irix 5 and irix 4? */
-#if defined(__sgi) && defined(__mips)
-/* IRIX 5: TIOCGLTC doesn't actually work */
-#undef TIOCGLTC
-#endif
-
#ifndef TIOCPKT_NOSTOP
/* These values are over-the-wire protocol, *not* local values */
#define TIOCPKT_NOSTOP 0x10
@@ -177,6 +171,7 @@ int fflag = 0, Fflag = 0;
krb5_creds *cred;
struct sockaddr_in local, foreign;
krb5_context bsd_context;
+krb5_auth_context auth_context;
#ifdef KRB5_KRB4_COMPAT
Key_schedule v4_schedule;
@@ -377,7 +372,8 @@ main(argc, argv)
#endif
#endif
int port, debug_port = 0;
-
+ enum kcmd_proto kcmd_proto = KCMD_PROTOCOL_COMPAT_HACK;
+
memset(&defaultservent, 0, sizeof(struct servent));
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
@@ -502,6 +498,16 @@ main(argc, argv)
argv++, argc--;
goto another;
}
+ if (argc > 0 && !strcmp(*argv, "-PO")) {
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ argv++, argc--;
+ goto another;
+ }
+ if (argc > 0 && !strcmp(*argv, "-PN")) {
+ kcmd_proto = KCMD_NEW_PROTOCOL;
+ argv++, argc--;
+ goto another;
+ }
#endif /* KERBEROS */
if (host == 0)
goto usage;
@@ -559,7 +565,8 @@ main(argc, argv)
if (tcgetattr(0, &ttyb) == 0) {
int ospeed = cfgetospeed (&ttyb);
- (void) strcat(term, "/");
+ term[sizeof(term) - 1] = '\0';
+ (void) strncat(term, "/", sizeof(term) - 1 - strlen(term));
if (ospeed >= 50)
/* On some systems, ospeed is the baud rate itself,
not a table index. */
@@ -567,15 +574,16 @@ main(argc, argv)
else if (ospeed >= sizeof(speeds)/sizeof(char*))
/* Past end of table, but not high enough to
look like a real speed. */
- (void) strcat (term, speeds[sizeof(speeds)/sizeof(char*) - 1]);
+ (void) strncat (term, speeds[sizeof(speeds)/sizeof(char*) - 1], sizeof(term) - 1 - strlen(term));
else {
- (void) strcat(term, speeds[ospeed]);
+ (void) strncat(term, speeds[ospeed], sizeof(term) - 1 - strlen(term));
}
+ term[sizeof (term) - 1] = '\0';
}
#else
if (ioctl(0, TIOCGETP, &ttyb) == 0) {
- (void) strcat(term, "/");
- (void) strcat(term, speeds[ttyb.sg_ospeed]);
+ (void) strncat(term, "/", sizeof(term) - 1 - strlen(term));
+ (void) strncat(term, speeds[ttyb.sg_ospeed], sizeof(term) - 1 - strlen(term));
}
#endif
(void) get_window_size(0, &winsize);
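Review bot: The non-POSIX branch still indexes `speeds[ttyb.sg_ospeed]` with no range check, while the tcgetattr branch above it compares the index with the table size before using it. Bounding the append does not help if the index itself is past the end of speeds[]. A guard like `if (ttyb.sg_ospeed < sizeof(speeds)/sizeof(char*))` around the second strncat would match the POSIX path. This branch also lacks the `term[sizeof(term) - 1] = '\0';` that the POSIX branch sets before it calls strlen(term).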
@@ -631,10 +639,14 @@ main(argc, argv)
0, /* No need for sequence number */
0, /* No need for server seq # */
&local, &foreign,
- authopts,
+ &auth_context, authopts,
0, /* Not any port # */
- 0);
+ 0,
+ &kcmd_proto);
if (status) {
+ if (kcmd_proto == KCMD_NEW_PROTOCOL && encrypt_flag)
+ /* Don't fall back to something less secure. */
+ exit (1);
#ifdef KRB5_KRB4_COMPAT
fprintf(stderr, "Trying krb4 rlogin...\n");
status = k4cmd(&sock, &host, port,
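Review bot: The new `exit (1)` after a failed kcmd() only fires when kcmd_proto is KCMD_NEW_PROTOCOL and encrypt_flag is also set. A session that asked for the new protocol without `-x` therefore still drops into the krb4 and try_normal fallbacks below, whereas krsh.c in this commit refuses to fall back whenever kcmd_proto is KCMD_NEW_PROTOCOL. If the new protocol is meant as a hard requirement, the test here should be `if (kcmd_proto == KCMD_NEW_PROTOCOL)` as well. Both clients also exit without printing anything; unless kcmd() already reported the failure, a line such as `fprintf(stderr, "rlogin: new kcmd protocol failed; not falling back\n");` before the exit would tell the user why.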
@@ -650,19 +662,20 @@ main(argc, argv)
try_normal(orig_argv);
#endif
} else {
- krb5_boolean similar;
-
- rcmd_stream_init_krb5(&cred->keyblock, encrypt_flag, 1);
+ krb5_keyblock *key = 0;
- if (status = krb5_c_enctype_compare(bsd_context, ENCTYPE_DES_CBC_CRC,
- cred->keyblock.enctype, &similar))
- try_normal(orig_argv); /* doesn't return */
-
- if (!similar) {
+ if (kcmd_proto == KCMD_NEW_PROTOCOL) {
do_inband = 1;
- if (debug_port)
- fprintf(stderr, "DEBUG: setting do_inband\n");
+
+ status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context,
+ &key);
+ if ((status || !key) && encrypt_flag)
+ try_normal(orig_argv);
}
+ if (key == 0)
+ key = &cred->keyblock;
+
+ rcmd_stream_init_krb5(key, encrypt_flag, 1, 1, kcmd_proto);
}
rem = sock;
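Review bot: A failure from krb5_auth_con_getlocalsubkey is handled two different ways here and neither reports it. With encrypt_flag set the code calls `try_normal(orig_argv)`, and without it `status` is dropped and the session continues on `cred->keyblock`. The krsh.c and krcp.c versions of this block call com_err and exit instead. try_normal's body is outside the hunk, but its name suggests a fallback to plain rlogin, which sits oddly with the "Don't fall back to something less secure" rule added in the previous hunk. I would use the same shape as krsh: `if (status) { com_err("rlogin", status, "determining subkey for session"); exit (1); }`.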
@@ -755,6 +768,8 @@ struct tchars {
};
#endif
+
+#ifndef POSIX_TERMIOS
#ifdef TIOCGLTC
/*
* POSIX 1003.1-1988 does not define a 'suspend' character.
@@ -768,14 +783,8 @@ struct tchars {
struct ltchars defltc;
struct ltchars noltc = { -1, -1, -1, -1, -1, -1 };
#endif
-
-#ifndef POSIX_TERMIOS
struct tchars deftc;
struct tchars notc = { -1, -1, -1, -1, -1, -1 };
-#ifndef TIOCGLTC
-struct ltchars defltc;
-struct ltchars noltc = { -1, -1, -1, -1, -1, -1 };
-#endif
#endif
doit(oldmask)
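Review bot: After this change defltc is declared only when TIOCGLTC is defined, because the `#ifndef TIOCGLTC` fallback declaration is removed. The non-POSIX branch of read_wrapper(), added later in this file, still reads `defltc.t_suspc` with no TIOCGLTC guard. A build without POSIX_TERMIOS and without TIOCGLTC would no longer compile. Either keep the fallback declaration or put the `c == defltc.t_suspc ||` term in read_wrapper() under `#ifdef TIOCGLTC`. The opening `#ifndef POSIX_TERMIOS` / `#ifdef TIOCGLTC` pair is in the previous hunk.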
@@ -793,9 +802,6 @@ doit(oldmask)
/* there's a POSIX way of doing this, but do we need it general? */
deftty.c_cc[VLNEXT] = 0;
#endif
-#ifdef TIOCGLTC
- (void) ioctl(0, TIOCGLTC, (char *)&defltc);
-#endif
#else
#ifdef USE_TERMIO
struct termio sb;
@@ -1035,13 +1041,15 @@ int signo;
*/
writer()
{
- unsigned char c;
- register n;
- register bol = 1; /* beginning of line */
- register local = 0;
-
+ int n_read;
+ char buf[1024];
+ int got_esc; /* set to true by read_wrapper if an escape char
+ was encountered */
+ char c;
+
#ifdef ultrix
fd_set waitread;
+ register n;
/* we need to wait until the reader() has set up the terminal, else
the read() below may block and not unblock when the terminal
@@ -1062,89 +1070,169 @@ writer()
}
}
#endif /* ultrix */
+
+ /* This loop works as follows. Call read_wrapper to get data until
+ we would block or until we read a cmdchar at the beginning of a line.
+ If got_esc is false, we just send everything we got back. If got_esc
+ is true, we send everything except the cmdchar at the end and look at
+ the next char. If its a "." we break out of the loop and terminate.
+ If its ^Z or ^Y we call stop with the value of the char and continue.
+ If its none of those, we send the cmdchar and then send the char we
+ just read, unless that char is also the cmdchar (in which case we are
+ only supposed to send one of them). When this loop ends, so does the
+ program.
+ */
+
for (;;) {
- n = read(0, &c, 1);
- if (n <= 0) {
- if (n < 0 && errno == EINTR)
- continue;
+
+ /* read until we would block or we get a cmdchar */
+ n_read = read_wrapper(0,buf,sizeof(buf),&got_esc);
+
+ /* if read returns an error or 0 bytes, just quit */
+ if (n_read <= 0) {
+ break;
+ }
+
+ if (!got_esc) {
+ if (rcmd_stream_write(rem, buf, n_read, 0) == 0) {
+ prf("line gone");
+ break;
+ }
+ continue;
+ }
+ else {
+ /* This next test is necessary to avoid sending 0 bytes of data
+ in the event that we got just a cmdchar */
+ if (n_read > 1) {
+ if (rcmd_stream_write(rem, buf, n_read-1, 0) == 0) {
+ prf("line gone");
break;
+ }
}
- /*
- * If we're at the beginning of the line
- * and recognize a command character, then
- * we echo locally. Otherwise, characters
- * are echo'd remotely. If the command
- * character is doubled, this acts as a
- * force and local echo is suppressed.
- */
- if (bol) {
- bol = 0;
- if (c == cmdchar) {
- bol = 0;
- local = 1;
- continue;
- }
- } else if (local) {
- local = 0;
+ if (read_wrapper(0,&c,1,&got_esc) <= 0) {
+ break;
+ }
+
#ifdef POSIX_TERMIOS
- if (c == '.' || c == deftty.c_cc[VEOF]) {
+ if (c == '.' || c == deftty.c_cc[VEOF])
#else
- if (c == '.' || c == deftc.t_eofc) {
+ if (c == '.' || c == deftc.t_eofc)
#endif
- if (confirm_death()) {
- echo(c);
- break;
- }
- }
-#ifdef TIOCGLTC
- if ((c == defltc.t_suspc || c == defltc.t_dsuspc)
- && !no_local_escape) {
- bol = 1;
+ {
+ if (confirm_death()) {
echo(c);
- stop(c);
- continue;
+ break;
+ }
}
-#else
+
#ifdef POSIX_TERMIOS
- if ( (
- (c == deftty.c_cc[VSUSP])
+ if ( (
+ (c == deftty.c_cc[VSUSP])
#ifdef VDSUSP
- || (c == deftty.c_cc[VDSUSP])
-#endif
- )
- && !no_local_escape) {
- bol = 1;
- echo(c);
- stop(c);
- continue;
- }
+ || (c == deftty.c_cc[VDSUSP])
#endif
+ )
+ && !no_local_escape) {
+ echo(c);
+ stop(c);
+ continue;
+ }
+#else /*POSIX_TERMIOS*/
+#ifdef TIOCGLTC
+ if ((c == defltc.t_suspc || c == defltc.t_dsuspc)
+ && !no_local_escape) {
+ echo(c);
+ stop(c);
+ continue;
+ }
+#endif /*TIOCGLTC*/
#endif
- if (c != cmdchar)
- (void) rcmd_stream_write(rem, &cmdchar, 1);
+
+ if (c != cmdchar) {
+ rcmd_stream_write(rem, &cmdchar, 1, 0);
}
- if (rcmd_stream_write(rem, &c, 1) == 0) {
- prf("line gone");
- break;
+
+ if (rcmd_stream_write(rem,&c,1,0) == 0) {
+ prf("line gone");
+ break;
}
-#ifdef POSIX_TERMIOS
- bol = (c == deftty.c_cc[VKILL] ||
- c == deftty.c_cc[VINTR] ||
- c == '\r' || c == '\n');
-#ifdef TIOCGLTC
- if (!bol)
- bol = (c == defltc.t_suspc);
-#endif
-#else /* !POSIX_TERMIOS */
- bol = c == defkill || c == deftc.t_eofc ||
- c == deftc.t_intrc || c == defltc.t_suspc ||
- c == '\r' || c == '\n';
-#endif
+ }
}
}
+/* This function reads up to size bytes from file desciptor fd into buf.
+ It will copy as much data as it can without blocking, but will never
+ copy more than size bytes. In addition, if it encounters a cmdchar
+ at the beginning of a line, it will copy everything up to and including
+ the cmdchar, but nothing after that. In this instance *esc_char is set
+ to true and any remaining data is buffered and copied on a subsequent
+ call. Otherwise, *esc_char will be set to false and the minimum of size,
+ 1024, and the number of bytes that can be read without blocking will
+ be copied. In all cases, a non-negative return value indicates the number
+ of bytes actually copied and a return value of -1 indicates that there
+ was a read error (other than EINTR) and errno is set appropriately.
+*/
+
+int read_wrapper(fd,buf,size,got_esc)
+ int fd;
+ char *buf;
+ int size;
+ int *got_esc;
+{
+ static char tbuf[1024];
+ static char *data_start = tbuf;
+ static char *data_end = tbuf;
+ static int bol = 1;
+ int return_length = 0;
+ char c;
+
+ /* if we have no data buffered, get more */
+ if (data_start == data_end) {
+ int n_read;
+ while ((n_read = read(fd, tbuf, sizeof(tbuf))) <= 0) {
+ if (n_read < 0 && errno == EINTR)
+ continue;
+ return n_read;
+ }
+ data_start = tbuf;
+ data_end = tbuf+n_read;
+ }
+
+ *got_esc = 0;
+ /* We stop when we've fully checked the buffer or have checked size
+ bytes. We break out and set *got_esc if we encounter a cmdchar
+ at the beginning of a line.
+ */
+
+ while (data_start+return_length < data_end && return_length < size) {
+
+ c = *(data_start+return_length);
+ return_length++;
+
+ if (bol == 1 && c == cmdchar) {
+ bol = 0;
+ *got_esc = 1;
+ break;
+ }
+
+#ifdef POSIX_TERMIOS
+ bol = (c == deftty.c_cc[VKILL] ||
+ c == deftty.c_cc[VINTR] ||
+ c == '\r' || c == '\n');
+
+#else /* !POSIX_TERMIOS */
+ bol = c == defkill || c == deftc.t_eofc ||
+ c == deftc.t_intrc || c == defltc.t_suspc ||
+ c == '\r' || c == '\n';
+#endif
+ }
+
+ memcpy(buf, data_start, return_length);
+ data_start = data_start + return_length;
+ return return_length;
+}
echo(c)
register char c;
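Review bot: writer() treats only a return of 0 from rcmd_stream_write as a lost line (`== 0` in three places), and the write of cmdchar is not checked at all. krsh.c and krlogind.c in this same commit test the return with `< 0`, so an error return appears to be negative. A failed write would then be ignored and the loop would keep reading from the terminal. Testing `<= 0` in each place, e.g. `if (rcmd_stream_write(rem, buf, n_read, 0) <= 0) {`, covers both cases.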
@@ -1187,14 +1275,13 @@ stop(cmdc)
(void) signal(SIGCHLD, SIG_IGN);
#endif
-#ifdef TIOCGLTC
- (void) kill(cmdc == defltc.t_suspc ? 0 : getpid(), SIGTSTP);
-#else
#ifdef POSIX_TERMIOS
(void) kill(cmdc == deftty.c_cc[VSUSP] ? 0 : getpid(), SIGTSTP);
+#else
+#ifdef TIOCGLTC
+ (void) kill(cmdc == defltc.t_suspc ? 0 : getpid(), SIGTSTP);
#endif
#endif
-
#ifdef POSIX_SIGNALS
sa.sa_handler = catchild;
(void) sigaction(SIGCHLD, &sa, (struct sigaction *)0);
@@ -1239,7 +1326,7 @@ sendwindow()
wp->ws_col = htons(winsize.ws_col);
wp->ws_xpixel = htons(winsize.ws_xpixel);
wp->ws_ypixel = htons(winsize.ws_ypixel);
- (void) rcmd_stream_write(rem, obuf, sizeof(obuf));
+ (void) rcmd_stream_write(rem, obuf, sizeof(obuf), 0);
}
@@ -1458,7 +1545,7 @@ fd_set readset, excset, writeset;
bufp += n;
}
if (FD_ISSET(rem, &readset)) {
- rcvcnt = rcmd_stream_read(rem, rcvbuf, sizeof (rcvbuf));
+ rcvcnt = rcmd_stream_read(rem, rcvbuf, sizeof (rcvbuf), 0);
if (rcvcnt == 0)
return (0);
if (rcvcnt < 0)
@@ -1514,11 +1601,6 @@ mode(f)
switch(f) {
case 0:
-#ifdef TIOCGLTC
-#if !defined(sun)
- (void) ioctl(0, TIOCSLTC, (char *)&defltc);
-#endif
-#endif
(void) tcsetattr(0, TCSADRAIN, &deftty);
break;
case 1:
@@ -1555,14 +1637,6 @@ mode(f)
newtty.c_cc[VMIN] = 1;
newtty.c_cc[VTIME] = 0;
(void) tcsetattr(0, TCSADRAIN, &newtty);
-#ifdef TIOCGLTC
- /* Do this after the tcsetattr() in case this version
- * of termio supports the VSUSP or VDSUSP characters */
-#if !defined(sun)
- /* this forces ICRNL under Solaris... */
- (void) ioctl(0, TIOCSLTC, (char *)&noltc);
-#endif
-#endif
break;
default:
return;
diff --git a/src/appl/bsd/krlogind.c b/src/appl/bsd/krlogind.c
index e37b84c..9254449 100644
--- a/src/appl/bsd/krlogind.c
+++ b/src/appl/bsd/krlogind.c
@@ -250,6 +250,7 @@ AUTH_DAT *v4_kdata;
Key_schedule v4_schedule;
#include "com_err.h"
+#include "defines.h"
#define SECURE_MESSAGE "This rlogin session is using DES encryption for all data transmissions.\r\n"
@@ -815,7 +816,7 @@ void doit(f, fromp)
stripdomain, always_ip,
&rhost_sane);
if (retval)
- fatalperror(2, "failed make_sane_hostname");
+ fatalperror(f, "failed make_sane_hostname");
if (passwd_req)
execl(login_program, "login", "-p", "-h", rhost_sane,
lusername, 0);
@@ -825,8 +826,9 @@ void doit(f, fromp)
#else /* USE_LOGIN_F */
execl(login_program, "login", "-r", rhost_sane, 0);
#endif /* USE_LOGIN_F */
-
- fatalperror(2, login_program);
+ syslog(LOG_ERR, "failed exec of %s: %s",
+ login_program, error_message(errno));
+ fatalperror(f, login_program);
/*NOTREACHED*/
} /* if (pid == 0) */
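Review bot: syslog() is called between the failed execl() and `fatalperror(f, login_program)`, and syslog may change errno. The message sent to the client can then describe a different error from the one logged, assuming fatalperror formats errno (its body is outside the hunk). Saving the value first keeps the two in step: declare `int save_errno = errno;` at the top of the block, pass `error_message(save_errno)` to syslog, and set `errno = save_errno;` before fatalperror.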
@@ -850,7 +852,7 @@ void doit(f, fromp)
#if defined(KERBEROS)
if (do_encrypt) {
- if (rcmd_stream_write(f, SECURE_MESSAGE, sizeof(SECURE_MESSAGE)) < 0){
+ if (rcmd_stream_write(f, SECURE_MESSAGE, sizeof(SECURE_MESSAGE), 0) < 0){
sprintf(buferror, "Cannot encrypt-write network.");
fatal(p,buferror);
}
@@ -918,11 +920,11 @@ int sendoob(fd, byte)
message[3] = 'o';
message[4] = *byte;
- cc = rcmd_stream_write(fd, message, sizeof(message));
+ cc = rcmd_stream_write(fd, message, sizeof(message), 0);
while (cc < 0 && ((errno == EWOULDBLOCK) || (errno == EAGAIN))) {
/* also shouldn't happen */
sleep(5);
- cc = rcmd_stream_write(fd, message, sizeof(message));
+ cc = rcmd_stream_write(fd, message, sizeof(message), 0);
}
} else {
send(fd, byte, 1, MSG_OOB);
@@ -984,7 +986,8 @@ void protocol(f, p)
int on = 1;
#endif
-#if defined(TIOCPKT) && !defined(__svr4__) || defined(solaris20)
+#if defined(TIOCPKT) && !(defined(__svr4__) || defined(HAVE_STREAMS)) \
+ || defined(solaris20)
/* if system has TIOCPKT, try to turn it on. Some drivers
* may not support it. Save flag for later.
*/
@@ -1033,7 +1036,7 @@ void protocol(f, p)
}
#define pkcontrol(c) ((c)&(TIOCPKT_FLUSHWRITE|TIOCPKT_NOSTOP|TIOCPKT_DOSTOP))
if (FD_ISSET(f, &ibits)) {
- fcc = rcmd_stream_read(f, fibuf, sizeof (fibuf));
+ fcc = rcmd_stream_read(f, fibuf, sizeof (fibuf), 0);
if (fcc < 0 && ((errno == EWOULDBLOCK) || (errno == EAGAIN))) {
fcc = 0;
} else {
@@ -1121,7 +1124,7 @@ void protocol(f, p)
}
if (FD_ISSET(f, &obits) && pcc > 0) {
- cc = rcmd_stream_write(f, pbp, pcc);
+ cc = rcmd_stream_write(f, pbp, pcc, 0);
if (cc < 0 && ((errno == EWOULDBLOCK) || (errno == EAGAIN))) {
/* also shouldn't happen */
sleep(5);
@@ -1160,7 +1163,7 @@ void fatal(f, msg)
buf[0] = '\01'; /* error indicator */
(void) sprintf(buf + 1, "%s: %s.\r\n",progname, msg);
if ((f == netf) && (pid > 0))
- (void) rcmd_stream_write(f, buf, strlen(buf));
+ (void) rcmd_stream_write(f, buf, strlen(buf), 0);
else
(void) write(f, buf, strlen(buf));
syslog(LOG_ERR,"%s\n",msg);
@@ -1377,9 +1380,11 @@ recvauth(valid_checksum)
int len;
krb5_data inbuf;
char v4_instance[INST_SZ]; /* V4 Instance */
- char v4_version[9];
+ krb5_data version;
krb5_authenticator *authenticator;
krb5_rcache rcache;
+ enum kcmd_proto kcmd_proto;
+ krb5_keyblock *key;
*valid_checksum = 0;
len = sizeof(laddr);
@@ -1423,8 +1428,8 @@ recvauth(valid_checksum)
if (status) return status;
}
- if ((status = krb5_compat_recvauth(bsd_context, &auth_context, &netf,
- "KCMDV0.1",
+ if ((status = krb5_compat_recvauth_version(bsd_context, &auth_context,
+ &netf,
NULL, /* Specify daemon principal */
0, /* no flags */
keytab, /* normally NULL to use v5srvtab */
@@ -1438,8 +1443,8 @@ recvauth(valid_checksum)
&ticket, /* return ticket */
&auth_sys, /* which authentication system*/
- &v4_kdata, v4_schedule, v4_version))) {
-
+ &v4_kdata, v4_schedule,
+ &version))) {
if (auth_sys == KRB5_RECVAUTH_V5) {
/*
* clean up before exiting
@@ -1453,7 +1458,25 @@ recvauth(valid_checksum)
getstr(netf, lusername, sizeof (lusername), "locuser");
getstr(netf, term, sizeof(term), "Terminal type");
- if ((auth_sys == KRB5_RECVAUTH_V5) && !checksum_ignored) {
+
+ kcmd_proto = KCMD_UNKNOWN_PROTOCOL;
+ if (auth_sys == KRB5_RECVAUTH_V5) {
+ if (version.length != 9) {
+ fatal (netf, "bad application version length");
+ }
+ if (!memcmp (version.data, "KCMDV0.1", 9))
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ else if (!memcmp (version.data, "KCMDV0.2", 9))
+ kcmd_proto = KCMD_NEW_PROTOCOL;
+ }
+#ifdef KRB5_KRB4_COMPAT
+ if (auth_sys == KRB5_RECVAUTH_V4)
+ kcmd_proto = KCMD_V4_PROTOCOL;
+#endif
+
+ if ((auth_sys == KRB5_RECVAUTH_V5)
+ && !(checksum_ignored
+ && kcmd_proto == KCMD_OLD_PROTOCOL)) {
if ((status = krb5_auth_con_getauthenticator(bsd_context, auth_context,
&authenticator)))
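Review bot: A nine-byte version string that matches neither "KCMDV0.1" nor "KCMDV0.2" is accepted here. kcmd_proto stays KCMD_UNKNOWN_PROTOCOL and recvauth() carries on to `rcmd_stream_init_krb5 (key, do_encrypt, 1, 0, kcmd_proto)` later in the function. The old krb5_compat_recvauth call was given the expected string, so this caller now seems to be the only place that can reject an unexpected one. Adding `else fatal (netf, "unrecognized kcmd protocol version");` after the second memcmp would close it, assuming fatal() does not return. krshd.c's recvauth() has the same gap in its version check.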
@@ -1500,7 +1523,8 @@ recvauth(valid_checksum)
* Assume it to be the same as the first component of the
* principal's name.
*/
- strcpy(rusername, v4_kdata->pname);
+ strncpy(rusername, v4_kdata->pname, sizeof(rusername) - 1);
+ rusername[sizeof(rusername) - 1] = '\0';
status = krb5_425_conv_principal(bsd_context, v4_kdata->pname,
v4_kdata->pinst, v4_kdata->prealm,
@@ -1519,22 +1543,20 @@ recvauth(valid_checksum)
&client)))
return status;
- rcmd_stream_init_krb5(ticket->enc_part2->session, do_encrypt, 1);
-
- {
- krb5_boolean similar;
-
- if (status = krb5_c_enctype_compare(bsd_context, ENCTYPE_DES_CBC_CRC,
- ticket->enc_part2->session->enctype,
- &similar))
- return(status);
+ key = 0;
+ status = krb5_auth_con_getremotesubkey (bsd_context, auth_context, &key);
+ if (status)
+ fatal (netf, "Server can't get session subkey");
+ if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL)
+ fatal (netf, "No session subkey sent");
+ if (key && kcmd_proto == KCMD_OLD_PROTOCOL)
+ fatal (netf, "Session subkey not permitted under old kcmd protocol");
+ if (key == 0)
+ key = ticket->enc_part2->session;
- if (!similar) {
- do_inband = 1;
- syslog(LOG_DEBUG, "setting do_inband");
- }
- }
+ rcmd_stream_init_krb5 (key, do_encrypt, 1, 0, kcmd_proto);
+ do_inband = (kcmd_proto == KCMD_NEW_PROTOCOL);
getstr(netf, rusername, sizeof(rusername), "remuser");
diff --git a/src/appl/bsd/krsh.c b/src/appl/bsd/krsh.c
index 9d602b2..c1741d8 100644
--- a/src/appl/bsd/krsh.c
+++ b/src/appl/bsd/krsh.c
@@ -93,8 +93,6 @@ krb5_sigtype sendsig();
#define UCB_RSH "/usr/ucb/rsh"
#endif
-
-
krb5_context bsd_context;
krb5_creds *cred;
@@ -137,7 +135,7 @@ main(argc, argv0)
struct servent *sp;
struct servent defaultservent;
struct sockaddr_in local, foreign;
- int suppress;
+ int suppress = 0;
#ifdef POSIX_SIGNALS
sigset_t omask, igmask;
@@ -148,6 +146,7 @@ main(argc, argv0)
#ifdef KERBEROS
krb5_flags authopts;
krb5_error_code status;
+ krb5_auth_context auth_context;
int fflag = 0, Fflag = 0;
#ifdef KRB5_KRB4_COMPAT
KTEXT_ST v4_ticket;
@@ -155,6 +154,7 @@ main(argc, argv0)
#endif
#endif /* KERBEROS */
int debug_port = 0;
+ enum kcmd_proto kcmd_proto = KCMD_PROTOCOL_COMPAT_HACK;
memset(&defaultservent, 0, sizeof(struct servent));
if (strrchr(argv[0], '/'))
@@ -239,6 +239,16 @@ main(argc, argv0)
argv++, argc--;
goto another;
}
+ if (argc > 0 && !strcmp(*argv, "-PO")) {
+ argv++, argc--;
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ goto another;
+ }
+ if (argc > 0 && !strcmp(*argv, "-PN")) {
+ argv++, argc--;
+ kcmd_proto = KCMD_NEW_PROTOCOL;
+ goto another;
+ }
#endif /* KERBEROS */
/*
* Ignore the -L, -w, -e and -8 flags to allow aliases with rlogin
@@ -367,10 +377,15 @@ main(argc, argv0)
0, /* No need for sequence number */
0, /* No need for server seq # */
&local, &foreign,
- authopts,
+ &auth_context, authopts,
1, /* Always set anyport, there is no need not to. --proven */
- suppress);
+ suppress,
+ &kcmd_proto);
if (status) {
+ /* If new protocol requested, don't fall back to less secure
+ ones. */
+ if (kcmd_proto == KCMD_NEW_PROTOCOL)
+ exit (1);
#ifdef KRB5_KRB4_COMPAT
/* No encrypted Kerberos 4 rsh. */
if (encrypt_flag)
@@ -391,8 +406,24 @@ main(argc, argv0)
#else
try_normal(argv0);
#endif
- } else
- rcmd_stream_init_krb5(&cred->keyblock, encrypt_flag, 0);
+ } else {
+ krb5_keyblock *key = &cred->keyblock;
+
+ if (kcmd_proto == KCMD_NEW_PROTOCOL) {
+ status = krb5_auth_con_getlocalsubkey (bsd_context, auth_context,
+ &key);
+ if (status) {
+ com_err (argv[0], status, "determining subkey for session");
+ exit (1);
+ }
+ if (!key) {
+ com_err (argv[0], 0, "no subkey negotiated for connection");
+ exit (1);
+ }
+ }
+
+ rcmd_stream_init_krb5(key, encrypt_flag, 0, 1, kcmd_proto);
+ }
#ifdef HAVE_ISATTY
if(encrypt_flag&&isatty(2)) {
@@ -489,7 +520,7 @@ main(argc, argv0)
}
if (FD_ISSET(rem, &rembits) == 0)
goto rewrite;
- wc = rcmd_stream_write(rem, bp, cc);
+ wc = rcmd_stream_write(rem, bp, cc, 0);
if (wc < 0) {
if ((errno == EWOULDBLOCK) || (errno == EAGAIN))
goto rewrite;
@@ -524,7 +555,7 @@ main(argc, argv0)
}
if (FD_ISSET(rfd2, &ready)) {
errno = 0;
- cc = rcmd_stream_read(rfd2, buf, sizeof buf);
+ cc = rcmd_stream_read(rfd2, buf, sizeof buf, 1);
if (cc <= 0) {
if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
FD_CLR(rfd2, &readfrom);
@@ -533,7 +564,7 @@ main(argc, argv0)
}
if (FD_ISSET(rem, &ready)) {
errno = 0;
- cc = rcmd_stream_read(rem, buf, sizeof buf);
+ cc = rcmd_stream_read(rem, buf, sizeof buf, 0);
if (cc <= 0) {
if ((errno != EWOULDBLOCK) && (errno != EAGAIN))
FD_CLR(rem, &readfrom);
@@ -546,9 +577,9 @@ main(argc, argv0)
exit(0);
usage:
fprintf(stderr,
- "usage: \trsh host [ -l login ] [ -n ] [ -x ] [ -f / -F] command\n");
+ "usage: \trsh host [ -PN / -PO ] [ -l login ] [ -n ] [ -x ] [ -f / -F] command\n");
fprintf(stderr,
- "OR \trsh [ -l login ] [-n ] [ -x ] [ -f / -F ] host command\n");
+ "OR \trsh [ -PN / -PO ] [ -l login ] [-n ] [ -x ] [ -f / -F ] host command\n");
exit(1);
}
@@ -557,7 +588,7 @@ main(argc, argv0)
krb5_sigtype sendsig(signo)
char signo;
{
- (void) rcmd_stream_write(rfd2, &signo, 1);
+ (void) rcmd_stream_write(rfd2, &signo, 1, 1);
}
diff --git a/src/appl/bsd/krshd.c b/src/appl/bsd/krshd.c
index 3844087..7bd8dbf 100644
--- a/src/appl/bsd/krshd.c
+++ b/src/appl/bsd/krshd.c
@@ -48,8 +48,8 @@ char copyright[] =
* or by the name of the daemon. If command-line arguments are present, they
* take priority. The options are:
* -k means trust krb4 or krb5
-* -5 means trust krb5
-* -4 means trust krb4 (using .klogin)
+ * -5 means trust krb5
+ * -4 means trust krb4 (using .klogin)
*
*/
@@ -73,9 +73,7 @@ char copyright[] =
#define SERVE_NON_KRB
#define LOG_REMOTE_REALM
#define LOG_CMD
-#include "defines.h"
-
#ifdef HAVE_UNISTD_H
#include <unistd.h>
#endif
@@ -162,6 +160,18 @@ char copyright[] =
Key_schedule v4_schedule;
#endif
+#ifdef HAVE_PATHS_H
+#include <paths.h>
+#endif
+
+#if defined(_PATH_NOLOGIN)
+#define NOLOGIN _PATH_NOLOGIN
+#else
+#define NOLOGIN "/etc/nologin"
+#endif
+
+#include "defines.h"
+
#if HAVE_ARPA_NAMESER_H
#include <arpa/nameser.h>
#endif
@@ -1119,7 +1129,7 @@ void doit(f, fromp)
goto signout_please;
}
- if (pwd->pw_uid && !access("/etc/nologin", F_OK)) {
+ if (pwd->pw_uid && !access(NOLOGIN, F_OK)) {
error("Logins currently disabled.\n");
goto signout_please;
}
@@ -1245,7 +1255,7 @@ if(port)
shutdown(s, 1+1);
FD_CLR(pv[0], &readfrom);
} else {
- (void) rcmd_stream_write(s, buf, cc);
+ (void) rcmd_stream_write(s, buf, cc, 1);
}
}
if (FD_ISSET(pw[0], &ready)) {
@@ -1256,12 +1266,12 @@ if(port)
shutdown(f, 1+1);
FD_CLR(pw[0], &readfrom);
} else {
- (void) rcmd_stream_write(f, buf, cc);
+ (void) rcmd_stream_write(f, buf, cc, 0);
}
}
if (port&&FD_ISSET(s, &ready)) {
/* read from the alternate channel, signal the child */
- if (rcmd_stream_read(s, &sig, 1) <= 0) {
+ if (rcmd_stream_read(s, &sig, 1, 1) <= 0) {
FD_CLR(s, &readfrom);
} else {
#ifdef POSIX_SIGNALS
@@ -1277,7 +1287,7 @@ if(port)
if (FD_ISSET(f, &ready)) {
/* read from the net, write to child stdin */
errno = 0;
- cc = rcmd_stream_read(f, buf, sizeof(buf));
+ cc = rcmd_stream_read(f, buf, sizeof(buf), 0);
if (cc <= 0) {
(void) close(px[1]);
FD_CLR(f, &readfrom);
@@ -1468,15 +1478,16 @@ if(port)
strcpy((char *) cmdbuf + offst, kprogdir);
cp = copy + 3 + offst;
+ cmdbuf[sizeof(cmdbuf) - 1] = '\0';
if (auth_sys == KRB5_RECVAUTH_V4) {
- strcat(cmdbuf, "/v4rcp");
+ strncat(cmdbuf, "/v4rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
} else {
- strcat(cmdbuf, "/rcp");
+ strncat(cmdbuf, "/rcp", sizeof(cmdbuf) - 1 - strlen(cmdbuf));
}
if (stat((char *)cmdbuf + offst, &s) >= 0)
- strcat(cmdbuf, cp);
+ strncat(cmdbuf, cp, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
else
- strcpy(cmdbuf, copy);
+ strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1 - strlen(cmdbuf));
free(copy);
}
#endif
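Review bot: The replacement for `strcpy(cmdbuf, copy)` passes `sizeof(cmdbuf) - 1 - strlen(cmdbuf)` as the strncpy bound, but strncpy writes from the start of cmdbuf, so the length of the kprogdir path already there should not be subtracted. With a long command the copy is cut short with no terminator at the cut, and whatever bytes followed in cmdbuf stay attached to the string (presumably the command that is later run). The call should be `strncpy(cmdbuf, copy, sizeof(cmdbuf) - 1);` followed by `cmdbuf[sizeof(cmdbuf) - 1] = '\0';`. The `strcpy((char *) cmdbuf + offst, kprogdir)` at the top of the hunk is still unbounded.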
@@ -1775,7 +1786,6 @@ recvauth(netf, peersin, valid_checksum)
krb5_data inbuf;
#ifdef KRB5_KRB4_COMPAT
char v4_instance[INST_SZ]; /* V4 Instance */
- char v4_version[9];
#endif
krb5_authenticator *authenticator;
krb5_ticket *ticket;
@@ -1783,6 +1793,8 @@ recvauth(netf, peersin, valid_checksum)
struct passwd *pwd;
uid_t uid;
gid_t gid;
+ enum kcmd_proto kcmd_proto;
+ krb5_data version;
*valid_checksum = 0;
len = sizeof(laddr);
@@ -1828,8 +1840,7 @@ recvauth(netf, peersin, valid_checksum)
}
#ifdef KRB5_KRB4_COMPAT
- status = krb5_compat_recvauth(bsd_context, &auth_context, &netf,
- "KCMDV0.1",
+ status = krb5_compat_recvauth_version(bsd_context, &auth_context, &netf,
NULL, /* Specify daemon principal */
0, /* no flags */
keytab, /* normally NULL to use v5srvtab */
@@ -1842,14 +1853,14 @@ recvauth(netf, peersin, valid_checksum)
&ticket, /* return ticket */
&auth_sys, /* which authentication system*/
- &v4_kdata, 0, v4_version);
+ &v4_kdata, 0, &version);
#else
- status = krb5_recvauth(bsd_context, &auth_context, &netf,
- "KCMDV0.1",
- NULL, /* daemon principal */
- 0, /* no flags */
- keytab, /* normally NULL to use v5srvtab */
- &ticket); /* return ticket */
+ status = krb5_recvauth_version(bsd_context, &auth_context, &netf,
+ NULL, /* daemon principal */
+ 0, /* no flags */
+ keytab, /* normally NULL to use v5srvtab */
+ &ticket, /* return ticket */
+ &version); /* application version string */
auth_sys = KRB5_RECVAUTH_V5;
#endif
@@ -1891,6 +1902,14 @@ recvauth(netf, peersin, valid_checksum)
/* Must be V5 */
+ kcmd_proto = KCMD_UNKNOWN_PROTOCOL;
+ if (version.length != 9)
+ fatal (netf, "bad application version length");
+ if (!memcmp (version.data, "KCMDV0.1", 9))
+ kcmd_proto = KCMD_OLD_PROTOCOL;
+ if (!memcmp (version.data, "KCMDV0.2", 9))
+ kcmd_proto = KCMD_NEW_PROTOCOL;
+
getstr(netf, remuser, sizeof(locuser), "remuser");
if ((status = krb5_unparse_name(bsd_context, ticket->enc_part2->client,
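Review bot: `getstr(netf, remuser, sizeof(locuser), "remuser");` bounds the read into remuser with the size of a different buffer. That is only safe if remuser is at least as large as locuser, and both declarations are outside the hunk. Using `sizeof(remuser)` (if remuser is an array) keeps the bound tied to the destination. recvauth() begins and ends outside this hunk.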
@@ -1939,7 +1958,21 @@ recvauth(netf, peersin, valid_checksum)
if (!strncmp(cmdbuf, "-x ", 3))
do_encrypt = 1;
- rcmd_stream_init_krb5(ticket->enc_part2->session, do_encrypt, 0);
+
+ {
+ krb5_keyblock *key;
+ status = krb5_auth_con_getremotesubkey (bsd_context, auth_context,
+ &key);
+ if (status)
+ fatal (netf, "Server can't get session subkey");
+ if (!key && do_encrypt && kcmd_proto == KCMD_NEW_PROTOCOL)
+ fatal (netf, "No session subkey sent");
+ if (key && kcmd_proto == KCMD_OLD_PROTOCOL)
+ fatal (netf, "Session subkey not allowed in old kcmd protocol");
+ if (key == 0)
+ key = ticket->enc_part2->session;
+ rcmd_stream_init_krb5 (key, do_encrypt, 0, 0, kcmd_proto);
+ }
/* Null out the "session" because kcmd.c references the session
* key here, and we do not want krb5_free_ticket() to destroy it. */
@@ -1990,7 +2023,7 @@ void fatal(f, msg)
buf[0] = '\01'; /* error indicator */
(void) sprintf(buf + 1, "%s: %s.\r\n",progname, msg);
if ((f == netf) && (pid > 0))
- (void) rcmd_stream_write(f, buf, strlen(buf));
+ (void) rcmd_stream_write(f, buf, strlen(buf), 0);
else
(void) write(f, buf, strlen(buf));
syslog(LOG_ERR,"%s\n",msg);
diff --git a/src/appl/bsd/login.M b/src/appl/bsd/login.M
index f48fd0c..bcbddab 100644
--- a/src/appl/bsd/login.M
+++ b/src/appl/bsd/login.M
@@ -74,7 +74,7 @@ Attempt to run aklog. Default value true.
.IP aklog_path
Where to find it [not yet implemented.] Default value
.I $(prefix)/bin/aklog.
-.IP accept_passwd = 0
+.IP accept_passwd
Don't accept plaintext passwords [not yet implemented]. Default value false.
.SH DIAGNOSTICS
diff --git a/src/appl/bsd/login.c b/src/appl/bsd/login.c
index 40af3ce..13e8181 100644
--- a/src/appl/bsd/login.c
+++ b/src/appl/bsd/login.c
@@ -517,6 +517,7 @@ void k_init (ttyn)
if (!getenv(KRB5_ENV_CCNAME)) {
sprintf(ccfile, "FILE:/tmp/krb5cc_p%d", getpid());
setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
unlink(ccfile+strlen("FILE:"));
} else {
/* note it correctly */
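Review bot: The return value of the added `krb5_cc_set_default_name(kcontext, ccfile)` is discarded. If the call fails, the context keeps its previous default cache name while KRB5CCNAME in the environment already points at the new file. I would store the result in a krb5_error_code local and report a non-zero value with com_err, as the rest of login.c does for krb5 calls. The cache path is also built only from the PID under /tmp, so other local users can guess it. That is existing behaviour, but it means the safety of the file depends on how the ccache code creates it.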
@@ -619,9 +620,10 @@ int have_v5_tickets (me)
#endif /* KRB5_GET_TICKETS */
#ifdef KRB4_CONVERT
-try_convert524 (kcontext, me)
- krb5_context kcontext;
- krb5_principal me;
+try_convert524(kcontext, me, use_ccache)
+ krb5_context kcontext;
+ krb5_principal me;
+ int use_ccache;
{
krb5_principal kpcserver;
krb5_error_code kpccode;
@@ -632,38 +634,45 @@ try_convert524 (kcontext, me)
/* or do this directly with krb524_convert_creds_kdc */
krb524_init_ets(kcontext);
- /* cc->ccache, already set up */
- /* client->me, already set up */
- if ((kpccode = krb5_build_principal(kcontext,
- &kpcserver,
- krb5_princ_realm(kcontext, me)->length,
- krb5_princ_realm(kcontext, me)->data,
- "krbtgt",
- krb5_princ_realm(kcontext, me)->data,
- NULL))) {
- com_err("login/v4", kpccode,
- "while creating service principal name");
- return 0;
- }
- memset((char *) &increds, 0, sizeof(increds));
- increds.client = me;
- increds.server = kpcserver;
- increds.times.endtime = 0;
- increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
- if ((kpccode = krb5_get_credentials(kcontext, 0,
- ccache,
- &increds,
- &v5creds))) {
- com_err("login/v4", kpccode,
- "getting V5 credentials");
- return 0;
- }
- if ((kpccode = krb524_convert_creds_kdc(kcontext,
- v5creds,
- &v4creds))) {
- com_err("login/v4", kpccode,
- "converting to V4 credentials");
+ /* If we have forwarded v5 tickets, retrieve the credentials from
+ * the cache; otherwise, the v5 credentials are in my_creds.
+ */
+ if (use_ccache) {
+ /* cc->ccache, already set up */
+ /* client->me, already set up */
+ kpccode = krb5_build_principal(kcontext, &kpcserver,
+ krb5_princ_realm(kcontext, me)->length,
+ krb5_princ_realm(kcontext, me)->data,
+ "krbtgt",
+ krb5_princ_realm(kcontext, me)->data,
+ NULL);
+ if (kpccode) {
+ com_err("login/v4", kpccode,
+ "while creating service principal name");
+ return 0;
+ }
+
+ memset((char *) &increds, 0, sizeof(increds));
+ increds.client = me;
+ increds.server = kpcserver;
+ increds.times.endtime = 0;
+ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+ kpccode = krb5_get_credentials(kcontext, 0, ccache,
+ &increds, &v5creds);
+ krb5_free_principal(kcontext, kpcserver);
+ increds.server = NULL;
+ if (kpccode) {
+ com_err("login/v4", kpccode, "getting V5 credentials");
+ return 0;
+ }
+
+ kpccode = krb524_convert_creds_kdc(kcontext, v5creds, &v4creds);
+ krb5_free_creds(kcontext, v5creds);
+ } else
+ kpccode = krb524_convert_creds_kdc(kcontext, &my_creds, &v4creds);
+ if (kpccode) {
+ com_err("login/v4", kpccode, "converting to V4 credentials");
return 0;
}
/* this is stolen from the v4 kinit */
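Review bot: The new `use_ccache` parameter and the dependence on the file-scope `my_creds` are not described at the head of `try_convert524`, and the `else` arm is left unbraced next to a multi-line braced `if` arm. A header comment such as `/* use_ccache != 0: fetch a krbtgt from ccache and convert it; 0: convert my_creds directly. Returns 0 on failure. */` would state the contract the caller in `main` relies on. Bracing the `else` would keep the following `if (kpccode)` from being misread as part of it. The function starts in the previous hunk and continues past this one.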
@@ -913,8 +922,9 @@ afs_login ()
struct stat st;
/* construct the name */
/* get this from profile later */
- strcpy (aklog_path, KPROGDIR);
- strcat (aklog_path, "/aklog");
+ aklog_path[sizeof(aklog_path) - 1] = '\0';
+ strncpy (aklog_path, KPROGDIR, sizeof(aklog_path) - 1);
+ strncat (aklog_path, "/aklog", sizeof(aklog_path) - 1 - strlen(aklog_path));
/* only run it if we can find it */
if (stat (aklog_path, &st) == 0) {
system(aklog_path);
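Review bot: The `strncpy`/`strncat` pair bounds the write but truncates silently, and the possibly shortened `aklog_path` is still passed to `stat` and then to `system`. `KPROGDIR` is presumably a build-time constant, so the risk is a misconfigured build rather than hostile input, but a truncated path could name a different file than intended. Check the length first and skip the stat/system block when `strlen(KPROGDIR) + sizeof("/aklog") > sizeof(aklog_path)`. `afs_login` continues outside this hunk.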
@@ -1145,8 +1155,13 @@ int main(argc, argv)
}
argc -= optind;
argv += optind;
- if (*argv)
- username = *argv;
+ /* Throw away too-long names, they can't be usernames. */
+ if (*argv) {
+ if (strlen (*argv) <= UT_NAMESIZE)
+ username = *argv;
+ else
+ fprintf (stderr, "login name '%s' too long\n", *argv);
+ }
#if !defined(POSIX_TERMIOS) && defined(TIOCLSET)
ioctlval = 0;
@@ -1448,7 +1463,7 @@ int main(argc, argv)
#if defined(KRB5_GET_TICKETS) && defined(KRB4_CONVERT)
if (login_krb4_convert && !got_v4_tickets) {
if (got_v5_tickets||forwarded_v5_tickets)
- try_convert524 (kcontext, me);
+ try_convert524(kcontext, me, forwarded_v5_tickets);
}
#endif
@@ -1746,8 +1761,10 @@ int main(argc, argv)
#ifdef KRB5_GET_TICKETS
/* ccfile[0] is only set if we got tickets above */
- if (login_krb5_get_tickets && ccfile[0])
+ if (login_krb5_get_tickets && ccfile[0]) {
(void) setenv(KRB5_ENV_CCNAME, ccfile, 1);
+ krb5_cc_set_default_name(kcontext, ccfile);
+ }
#endif /* KRB5_GET_TICKETS */
if (tty[sizeof("tty")-1] == 'd')
@@ -2086,6 +2103,7 @@ void dolastlog(quiet, tty)
{
#if defined(HAVE_LASTLOG_H) || (defined(BSD) && (BSD >= 199103))
struct lastlog ll;
+ time_t lltime;
int fd;
if ((fd = open(LASTLOG, O_RDWR, 0)) >= 0) {
@@ -2094,7 +2112,9 @@ void dolastlog(quiet, tty)
if ((read(fd, (char *)&ll, sizeof(ll)) == sizeof(ll)) &&
(ll.ll_time != 0)) {
- printf("Last login: %.*s ", 24-5, (char *)ctime(&ll.ll_time));
+ /* .ll_time may not be a time_t. */
+ lltime = ll.ll_time;
+ printf("Last login: %.*s ", 24-5, (char *)ctime(&lltime));
if (*ll.ll_host != '\0')
printf("from %.*s\n", sizeof(ll.ll_host), ll.ll_host);
@@ -2103,7 +2123,8 @@ void dolastlog(quiet, tty)
}
(void)lseek(fd, (off_t)pwd->pw_uid * sizeof(ll), SEEK_SET);
}
- (void) time(&ll.ll_time);
+ (void) time(&lltime);
+ ll.ll_time = lltime;
(void) strncpy(ll.ll_line, tty, sizeof(ll.ll_line));
ll.ll_line[sizeof(ll.ll_line) - 1] = '\0';
diff --git a/src/appl/bsd/loginpaths.h b/src/appl/bsd/loginpaths.h
index 41683ee..e2f759c 100644
--- a/src/appl/bsd/loginpaths.h
+++ b/src/appl/bsd/loginpaths.h
@@ -96,6 +96,8 @@
#endif
#ifdef _PATH_DEFPATH
+#undef LPATH
+#undef RPATH
#define LPATH _PATH_DEFPATH
#define RPATH _PATH_DEFPATH
#endif
diff --git a/src/appl/bsd/rcp.M b/src/appl/bsd/rcp.M
index 46267a5..e047db5 100644
--- a/src/appl/bsd/rcp.M
+++ b/src/appl/bsd/rcp.M
@@ -24,11 +24,13 @@ rcp \- remote file copy
.B rcp
[\fB\-p\fP] [\fB\-x\fP] [\fB\-k\fP \fIrealm\fP ] [\fB\-D\fP \fIport\fP]
[\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
.I file1 file2
.sp
.B rcp
[\fB\-p\fB] [\fB\-x\fP] [\fP\-k\fP \fIrealm\fP] [\fB\-r\fP] [\fB\-D\fP
\fIport\fP] [\fB\-N\fP]
+[\fB\-PN | \-PO\fP]
.I file ... directory
.SH DESCRIPTION
.B Rcp
@@ -93,6 +95,16 @@ instead of the remote host's realm as determined by
if any of the source files are directories, copy each subtree rooted at
that name; in this case the destination must be a directory.
.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
+.TP
\fB\-D\fP \fIport\fP
connect to port
.I port
diff --git a/src/appl/bsd/rlogin.M b/src/appl/bsd/rlogin.M
index 79ac327..601fe46 100644
--- a/src/appl/bsd/rlogin.M
+++ b/src/appl/bsd/rlogin.M
@@ -25,6 +25,7 @@ rlogin \- remote login
.I rhost
[\fB\-e\fP\fI\|c\fP] [\fB\-8\fP] [\fB\-c\fP] [ \fB\-a\fP] [\fB\-f\fP]
[\fB\-F\fP] [\fB\-t\fP \fItermtype\fP] [\fB\-n\fP] [\fB\-7\fP]
+[\fB\-PN | \-PO\fP]
[\fB\-d\fP] [\fB\-k\fP \fIrealm\fP] [\fB\-x\fP] [\fB\-L\fP] [\fB\-l\fP
\fIusername\fP]
.PP
@@ -133,6 +134,16 @@ instead of the remote host's realm as determined by
turn on DES encryption for all data passed via the rlogin session. This
significantly reduces response time and significantly increases CPU
utilization.
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
.SH SEE ALSO
rsh(1), kerberos(3), krb_sendauth(3), krb_realmofhost(3), rlogin(1) [UCB
version]
diff --git a/src/appl/bsd/rsh.M b/src/appl/bsd/rsh.M
index 2b342c3..11a7290 100644
--- a/src/appl/bsd/rsh.M
+++ b/src/appl/bsd/rsh.M
@@ -25,6 +25,7 @@ rsh \- remote shell
.I host
[\fB\-l\fP \fIusername\fP] [\fB\-n\fP] [\fB\-d\fP] [\fB\-k\fP
\fIrealm\fP] [\fB\-f\fP | \fB\-F\fP] [\fB\-x\fP]
+[\fB\-PN | \-PO\fP]
.I command
.SH DESCRIPTION
.B Rsh
@@ -101,6 +102,16 @@ on the TCP sockets used for communication with the remote host.
redirects input from the special device
.I /dev/null
(see the BUGS section below).
+.TP
+\fB-PN\fP
+.TP
+\fB-PO\fP
+Explicitly request new or old version of the Kerberos ``rcmd''
+protocol. The new protocol avoids many security problems found in the
+old one, but is not interoperable with older servers. (An
+"input/output error" and a closed connection is the most likely result
+of attempting this combination.) If neither option is specified, some
+simple heuristics are used to guess which to try.
.PP
If you omit
.IR command ,
diff --git a/src/appl/bsd/v4rcp.c b/src/appl/bsd/v4rcp.c
index 36754de..3267783 100644
--- a/src/appl/bsd/v4rcp.c
+++ b/src/appl/bsd/v4rcp.c
@@ -208,7 +208,7 @@ int kstream_read(krem, buf, len)
/* decrypt it */
des_pcbc_encrypt ((des_cblock *)krem->retbuf,
(des_cblock *)krem->retbuf,
- sz, *krem->sched, *krem->ivec,
+ sz, *krem->sched, krem->ivec,
DECRYPT);
/* now retbuf has sz bytes, return len or x of them to the user */
@@ -265,7 +265,7 @@ int kstream_write(krem, buf, len)
abort ();
/* memset(outbuf+4+4, 0x42, BUFSIZ); */
st = des_pcbc_encrypt ((des_cblock *)buf, (des_cblock *)(krem->outbuf+4+4), outlen,
- *krem->sched, *krem->ivec, ENCRYPT);
+ *krem->sched, krem->ivec, ENCRYPT);
if (st) abort();
return write(krem->write_fd, krem->outbuf+4, 4+outlen);
@@ -400,6 +400,7 @@ int main(argc, argv)
if (argc == 0)
usage();
strncpy(krb_realm,*argv,REALM_SZ);
+ krb_realm[REALM_SZ-1] = 0;
sprintf(realmarg, " -k %s", krb_realm);
goto next_arg;
#endif /* KERBEROS */
@@ -782,11 +783,20 @@ void sink(argc, argv)
size = size * 10 + (*cp++ - '0');
if (*cp++ != ' ')
SCREWUP("size not delimited");
- if (targisdir)
- (void) sprintf(nambuf, "%s%s%s", targ,
- *targ ? "/" : "", cp);
- else
- (void) strcpy(nambuf, targ);
+ if (targisdir) {
+ if (strlen(targ) + strlen(cp) + 1 < sizeof(nambuf)) {
+ (void) sprintf(nambuf, "%s%s%s", targ,
+ *targ ? "/" : "", cp);
+ } else {
+ SCREWUP("target directory name too long");
+ }
+ } else {
+ if (strlen(targ) + 1 < sizeof(nambuf))
+ (void) strncpy(nambuf, targ, sizeof(nambuf)-1);
+ else
+ SCREWUP("target pathname too long");
+ }
+ nambuf[sizeof(nambuf)-1] = '\0';
exists = stat(nambuf, &stb) == 0;
if (cmdbuf[0] == 'D') {
if (exists) {
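Review bot: The added length checks bound `nambuf`, but in the `targisdir` branch the name in `cp` is still joined to `targ` without inspecting its contents. `cp` appears to come from the control record parsed just above (the size digits and the space delimiter), i.e. from the remote side, so a name containing `/` or equal to `..` would resolve outside the target directory. Unless `sink` already rejects such names outside this hunk, add a check beside the length test, for example `if (strchr(cp, '/') || strcmp(cp, "..") == 0) SCREWUP("unexpected filename");`. The body of `sink` begins and ends outside the hunk.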
diff --git a/src/appl/gssftp/ChangeLog b/src/appl/gssftp/ChangeLog
index 691a2e9..b8205e0 100644
--- a/src/appl/gssftp/ChangeLog
+++ b/src/appl/gssftp/ChangeLog
@@ -1,3 +1,12 @@
+2001-12-18 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for strerror.
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for alpha*-dec-osf* instead of
+ alpha-dec-osf*.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/appl/gssftp/configure.in b/src/appl/gssftp/configure.in
index f0c2bff..3851949 100644
--- a/src/appl/gssftp/configure.in
+++ b/src/appl/gssftp/configure.in
@@ -20,7 +20,7 @@ AC_CHECK_HEADERS(unistd.h stdlib.h string.h sys/select.h sys/sockio.h paths.h)
CHECK_UTMP
DECLARE_SYS_ERRLIST
AC_REPLACE_FUNCS(getdtablesize)
-AC_HAVE_FUNCS(getcwd getusershell seteuid setreuid setresuid)
+AC_HAVE_FUNCS(getcwd getusershell seteuid setreuid setresuid strerror)
AC_CHECK_LIB(crypt,crypt) dnl
AC_CHECK_LIB(util,logwtmp) dnl
dnl
@@ -67,7 +67,7 @@ else
FTPD_LIBS="../../../krb524/libkrb524.a"
fi
case $krb5_cv_host in
-alpha-dec-osf*)
+alpha*-dec-osf*)
AC_CHECK_LIB(security,setluid,
AC_DEFINE(HAVE_SETLUID)
FTPD_LIBS="$FTPD_LIBS -lsecurity"
diff --git a/src/appl/gssftp/ftp/ChangeLog b/src/appl/gssftp/ftp/ChangeLog
index 411aff7..63fe2f5 100644
--- a/src/appl/gssftp/ftp/ChangeLog
+++ b/src/appl/gssftp/ftp/ChangeLog
@@ -1,3 +1,50 @@
+2001-12-18 Ken Raeburn <raeburn@mit.edu>
+
+ * cmds.c (strerror): Only define if not HAVE_STRERROR.
+ * ftp.c (strerror): Likewise.
+ * secure.c (secure_putbuf, secure_getbyte): Use strerror.
+
+2001-11-30 Tom Yu <tlyu@mit.edu>
+
+ * glob.c (execbrc): Fix some fencepost errors. Don't copy
+ uninitialized memory past the end of the pattern string. Don't
+ increment pointer beyond string end.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * cmds.c (setpeer): Kludge to #define unix on BSD for now.
+
+2001-10-29 Ezra Peisach <epeisach@mit.edu>
+
+ * secure.c: Instead of hard wiring the FUDGE_FACTOR, new variables
+ to keep track of the total buffer length desired and the actual
+ maximum that can be fitted. Add secure_determine_constants() to
+ determine the mechanism dependent overhead. This has a hard limit
+ for krb4 - for gssapi use gss_wrap_size_limit.
+ [pullup from trunk]
+
+2001-10-26 Ken Raeburn <raeburn@mit.edu>
+
+ * cmds.c (setpeer): Use unsigned short for port number. Patch
+ from Garry Zacheiss.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * domacro.c (domacro): Don't overflow "line2"
+ * ftp.c (getreply, krb4 compat): Bail if message data too big for buffer
+ (getreply, gssapi): Ditto.
+ (pswitch): Don't overflow "ntin", "ntout", "mapin", "mapout".
+ (do_auth, krb4 compat): Don't overflow "realm".
+
+2000-04-27 Nalin Dahyabhai <nalin@redhat.com>
+
+ * cmds.c (remglob): Don't overflow buffer "temp".
+ (shell): Don't overflow buffer "shellnam".
+ (quote1): "buf"
+ * glob.c (ftpglob): Fix boundary in buffer "agpath".
+ (expand): Don't overflow buffer pointed to by "gpath".
+ (execbrc): Don't overflow buffer "restbuf".
+
2000-02-18 Ken Raeburn <raeburn@mit.edu>
* cmds.c (mls): Declare some variables volatile to protect against
diff --git a/src/appl/gssftp/ftp/cmds.c b/src/appl/gssftp/ftp/cmds.c
index 2a8e775..886327a 100644
--- a/src/appl/gssftp/ftp/cmds.c
+++ b/src/appl/gssftp/ftp/cmds.c
@@ -70,10 +70,12 @@ extern char **ftpglob();
extern char *home;
extern char *remglob();
extern char *getenv();
+#ifndef HAVE_STRERROR
#define strerror(error) (sys_errlist[error])
#ifdef NEED_SYS_ERRLIST
extern char *sys_errlist[];
#endif
+#endif
extern off_t restart_point;
extern char reply_string[];
@@ -126,7 +128,7 @@ setpeer(argc, argv)
char *argv[];
{
char *host, *hookup();
- short port;
+ unsigned short port;
if (connected) {
printf("Already connected to %s, use close first.\n",
@@ -182,7 +184,7 @@ setpeer(argc, argv)
(void) login(argv[1]);
}
-#ifndef unix
+#ifndef unix /* XXX */
#ifdef _AIX
#define unix
#endif
@@ -190,6 +192,10 @@ setpeer(argc, argv)
#ifdef __hpux
#define unix
#endif
+
+#ifdef BSD
+#define unix
+#endif
#endif
#if defined(unix) && (NBBY == 8 || defined(linux))
@@ -1049,7 +1055,8 @@ remglob(argv,doswitch)
return (cp);
}
if (ftemp == NULL) {
- (void) strcpy(temp, _PATH_TMP);
+ (void) strncpy(temp, _PATH_TMP, sizeof(temp) - 1);
+ temp[sizeof(temp) - 1] = '\0';
(void) mktemp(temp);
oldverbose = verbose, verbose = 0;
oldhash = hash, hash = 0;
@@ -1510,7 +1517,8 @@ shell(argc, argv)
if (namep == NULL)
namep = shell;
(void) strcpy(shellnam,"-");
- (void) strcat(shellnam, ++namep);
+ (void) strncat(shellnam, ++namep, sizeof(shellnam) - 1 - strlen(shellnam));
+ shellnam[sizeof(shellnam) - 1] = '\0';
if (strcmp(namep, "sh") != 0)
shellnam[0] = '+';
if (debug) {
@@ -1702,13 +1710,14 @@ quote1(initial, argc, argv)
register int i, len;
char buf[FTP_BUFSIZ]; /* must be >= sizeof(line) */
- (void) strcpy(buf, initial);
+ (void) strncpy(buf, initial, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
if (argc > 1) {
len = strlen(buf);
- len += strlen(strcpy(&buf[len], argv[1]));
+ len += strlen(strncpy(&buf[len], argv[1], sizeof(buf) - 1 - len));
for (i = 2; i < argc; i++) {
buf[len++] = ' ';
- len += strlen(strcpy(&buf[len], argv[i]));
+ len += strlen(strncpy(&buf[len], argv[i], sizeof(buf) - 1 - len));
}
}
if (command(buf) == PRELIM) {
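Review bot: Once `buf` is full the loop still executes `buf[len++] = ' ';`, which overwrites the terminator at `buf[sizeof(buf) - 1]` and makes `len` equal to `sizeof(buf)`. The next bound `sizeof(buf) - 1 - len` is computed in `size_t` and wraps to a very large value, so `strncpy` writes (and zero-pads) past the end of `buf`. Stop before appending the separator, e.g. `if (len >= (int)sizeof(buf) - 1) break;` as the first statement of the `for` body, and re-terminate with `buf[sizeof(buf) - 1] = '\0';` after the loop. The rest of `quote1` lies outside the hunk.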
diff --git a/src/appl/gssftp/ftp/domacro.c b/src/appl/gssftp/ftp/domacro.c
index 9bc277b..ecfe9b4 100644
--- a/src/appl/gssftp/ftp/domacro.c
+++ b/src/appl/gssftp/ftp/domacro.c
@@ -71,7 +71,8 @@ domacro(argc, argv)
code = -1;
return;
}
- (void) strcpy(line2, line);
+ (void) strncpy(line2, line, sizeof(line2) - 1);
+ line2[sizeof(line2) - 1] = '\0';
TOP:
cp1 = macros[i].mac_start;
while (cp1 != macros[i].mac_end) {
@@ -92,7 +93,11 @@ TOP:
}
cp1--;
if (argc - 2 >= j) {
- (void) strcpy(cp2, argv[j+1]);
+ if(cp2 + strlen(argv[j+1]) - line < sizeof(line))
+ (void) strncpy(cp2, argv[j+1],
+ sizeof(line) - 1 -
+ (cp2 - line));
+ line[sizeof(line) - 1] = '\0';
cp2 += strlen(argv[j+1]);
}
break;
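Review bot: `cp2 += strlen(argv[j+1]);` still runs when the new length test fails and nothing was copied, so `cp2` can move past the end of `line`. Any later store through `cp2` (the rest of the loop is outside this hunk) would then land out of bounds, and the `sizeof(line) - 1 - (cp2 - line)` bound in later iterations would wrap. Advance only when the copy happened, by bracing the `if` so it reads `{ strncpy(...); cp2 += strlen(argv[j+1]); }`, and treat the failing case as an error for the macro. The next hunk (the `argv[count]` case) has the same unconditional advance.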
@@ -101,7 +106,11 @@ TOP:
loopflg = 1;
cp1++;
if (count < argc) {
- (void) strcpy(cp2, argv[count]);
+ if(cp2 + strlen(argv[j+1]) - line < sizeof(line))
+ (void) strncpy(cp2, argv[count],
+ sizeof(line) - 1 -
+ (cp2 - line));
+ line[sizeof(line) - 1] = '\0';
cp2 += strlen(argv[count]);
}
break;
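Review bot: The guard measures `argv[j+1]` but the copy and the pointer advance use `argv[count]`, so the length being checked is not the length being written. This looks like a copy-paste from the previous hunk. Whether `j` even holds a valid index in this case is not visible here. The condition should read `if(cp2 + strlen(argv[count]) - line < sizeof(line))`.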
@@ -138,7 +147,8 @@ TOP:
if (bell && c->c_bell) {
(void) putchar('\007');
}
- (void) strcpy(line, line2);
+ (void) strncpy(line, line2, sizeof(line) - 1);
+ line[sizeof(line) - 1] = '\0';
makeargv();
argc = margc;
argv = margv;
diff --git a/src/appl/gssftp/ftp/ftp.c b/src/appl/gssftp/ftp/ftp.c
index 11f583a..cc84f4b 100644
--- a/src/appl/gssftp/ftp/ftp.c
+++ b/src/appl/gssftp/ftp/ftp.c
@@ -154,10 +154,12 @@ uid_t getuid();
sig_t lostpeer();
off_t restart_point = 0;
+#ifndef HAVE_STRERROR
#define strerror(error) (sys_errlist[error])
#ifdef NEED_SYS_ERRLIST
extern char *sys_errlist[];
#endif
+#endif
extern int connected;
@@ -680,9 +682,13 @@ getreply(expecteof)
n = '5';
} else {
if (debug) printf("%c:", safe ? 'S' : 'P');
- memcpy(ibuf, msg_data.app_data,
- msg_data.app_length);
- strcpy(&ibuf[msg_data.app_length], "\r\n");
+ if(msg_data.app_length < sizeof(ibuf) - 2) {
+ memcpy(ibuf, msg_data.app_data,
+ msg_data.app_length);
+ strcpy(&ibuf[msg_data.app_length], "\r\n");
+ } else {
+ printf("Message too long!");
+ }
continue;
}
#endif
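Review bot: In the new too-long branch the code only prints `Message too long!` (without a newline) and then reaches `continue` with `ibuf` and `n` unchanged, whereas the failure branch just above sets `n = '5'`. An oversized protected reply is therefore not recorded as an error, and `ibuf` still holds the previous contents for whatever parsing follows outside this hunk. Set `n = '5';` in the `else` arm so the reply is treated like the other decode failures. The GSSAPI hunk that follows has the same gap, and it passes `maj_stat`/`min_stat` from what appears to be a successful unseal to `user_gss_error`, so the reported status will not describe the length problem.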
@@ -703,9 +709,14 @@ getreply(expecteof)
"failed unsealing reply");
n = '5';
} else {
- memcpy(ibuf, msg_buf.value,
- msg_buf.length);
- strcpy(&ibuf[msg_buf.length], "\r\n");
+ if(msg_buf.length < sizeof(ibuf) - 2 - 1) {
+ memcpy(ibuf, msg_buf.value,
+ msg_buf.length);
+ strcpy(&ibuf[msg_buf.length], "\r\n");
+ } else {
+ user_gss_error(maj_stat, min_stat,
+ "reply was too long");
+ }
gss_release_buffer(&min_stat,&msg_buf);
continue;
}
@@ -1636,20 +1647,24 @@ pswitch(flag)
mcase = op->mcse;
ip->ntflg = ntflag;
ntflag = op->ntflg;
- (void) strncpy(ip->nti, ntin, 16);
+ (void) strncpy(ip->nti, ntin, sizeof(ip->nti) - 1);
(ip->nti)[strlen(ip->nti)] = '\0';
- (void) strcpy(ntin, op->nti);
- (void) strncpy(ip->nto, ntout, 16);
+ (void) strncpy(ntin, op->nti, sizeof(ntin) - 1);
+ ntin[sizeof(ntin) - 1] = '\0';
+ (void) strncpy(ip->nto, ntout, sizeof(ip->nto) - 1);
(ip->nto)[strlen(ip->nto)] = '\0';
- (void) strcpy(ntout, op->nto);
+ (void) strncpy(ntout, op->nto, sizeof(ntout) - 1);
+ ntout[sizeof(ntout) - 1] = '\0';
ip->mapflg = mapflag;
mapflag = op->mapflg;
(void) strncpy(ip->mi, mapin, MAXPATHLEN - 1);
(ip->mi)[strlen(ip->mi)] = '\0';
- (void) strcpy(mapin, op->mi);
+ (void) strncpy(mapin, op->mi, sizeof(mapin) - 1);
+ mapin[sizeof(mapin) - 1] = '\0';
(void) strncpy(ip->mo, mapout, MAXPATHLEN - 1);
(ip->mo)[strlen(ip->mo)] = '\0';
- (void) strcpy(mapout, op->mo);
+ (void) strncpy(mapout, op->mo, sizeof(mapout) - 1);
+ mapout[sizeof(mapout) - 1] = '\0';
ip->authtype = auth_type;
auth_type = op->authtype;
ip->clvl = clevel;
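Review bot: The context lines `(ip->nti)[strlen(ip->nti)] = '\0';` (and the same for `nto`, `mi`, `mo`) store a NUL where `strlen` already found one, so they never terminate a truncated copy. With the new `sizeof(ip->nti) - 1` bound, correctness depends on the last byte of each field already being zero, which this hunk does not establish. Use the form the patch adds for the globals, `ip->nti[sizeof(ip->nti) - 1] = '\0';`, for all four fields. For consistency, bound `mi`/`mo` with `sizeof(ip->mi) - 1` rather than `MAXPATHLEN - 1`. `pswitch` begins and ends outside the hunk.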
@@ -1846,7 +1861,8 @@ gunique(local)
fprintf(stderr, "local: %s: %s\n", local, strerror(errno));
return((char *) 0);
}
- (void) strcpy(new, local);
+ (void) strncpy(new, local, sizeof(new) - 3);
+ new[sizeof(new) - 1] = '\0';
cp = new + strlen(new);
*cp++ = '.';
while (!d) {
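Review bot: The terminator is placed at `new[sizeof(new) - 1]`, but `strncpy` was limited to `sizeof(new) - 3` bytes, so on truncation the two bytes in between are not written by this code. `strlen(new)` on the next line can then run through stale bytes, and `cp` ends up past the space the `- 3` was meant to reserve for the suffix appended after it. Terminate at the copy bound instead: `new[sizeof(new) - 3] = '\0';`. How the suffix is written after `*cp++ = '.'` is outside this hunk.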
@@ -2054,9 +2070,11 @@ do_auth()
if (verbose)
printf("%s accepted as authentication type\n", "KERBEROS_V4");
- strcpy(inst, (char *) krb_get_phost(hostname));
+ strncpy(inst, (char *) krb_get_phost(hostname), sizeof(inst) - 1);
+ inst[sizeof(inst) - 1] = '\0';
if (realm[0] == '\0')
- strcpy(realm, (char *) krb_realmofhost(hostname));
+ strncpy(realm, (char *) krb_realmofhost(hostname), sizeof(realm) - 1);
+ realm[sizeof(realm) - 1] = '\0';
if ((kerror = krb_mk_req(&ticket, service = "ftp",
inst, realm, checksum))
&& (kerror != KDC_PR_UNKNOWN ||
diff --git a/src/appl/gssftp/ftp/glob.c b/src/appl/gssftp/ftp/glob.c
index f92ee5e..52b9899 100644
--- a/src/appl/gssftp/ftp/glob.c
+++ b/src/appl/gssftp/ftp/glob.c
@@ -118,7 +118,7 @@ ftpglob(v)
globerr = 0;
gpath = agpath; gpathp = gpath; *gpathp = 0;
- lastgpathp = &gpath[sizeof agpath - 2];
+ lastgpathp = &gpath[sizeof(agpath) - 1];
ginit(agargv); globcnt = 0;
collect(v);
if (globcnt == 0 && (gflag&1)) {
@@ -198,7 +198,8 @@ expand(as)
globerr = "Unknown user name after ~";
(void) strcpy(gpath, gpath + 1);
} else
- (void) strcpy(gpath, home);
+ (void) strncpy(gpath, home, FTP_BUFSIZ - 1);
+ gpath[FTP_BUFSIZ - 1] = '\0';
gpathp = strend(gpath);
}
}
@@ -283,6 +284,7 @@ execbrc(p, s)
for (lm = restbuf; *p != '{'; *lm++ = *p++)
continue;
+ /* pe starts pointing to one past the first '{'. */
for (pe = ++p; *pe; pe++)
switch (*pe) {
@@ -299,6 +301,8 @@ execbrc(p, s)
case '[':
for (pe++; *pe && *pe != ']'; pe++)
continue;
+ if (!*pe)
+ pe--;
continue;
}
pend:
@@ -311,7 +315,7 @@ pend:
continue;
case '}':
- if (brclev) {
+ if (brclev) { /* brclev = 0 is outermost brace set */
brclev--;
continue;
}
@@ -324,8 +328,12 @@ pend:
doit:
savec = *pm;
*pm = 0;
- (void) strcpy(lm, pl);
- (void) strcat(restbuf, pe + 1);
+ (void) strncpy(lm, pl, sizeof(restbuf) - 1 - (lm - restbuf));
+ restbuf[sizeof(restbuf) - 1] = '\0';
+ if (*pe) {
+ (void) strncat(restbuf, pe + 1,
+ sizeof(restbuf) - 1 - strlen(restbuf));
+ }
*pm = savec;
if (s == 0) {
sgpathp = gpathp;
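Review bot: The new bound `sizeof(restbuf) - 1 - (lm - restbuf)` is only meaningful if `lm` still points inside `restbuf`. The prefix loop shown as context in the earlier `execbrc` hunk, `for (lm = restbuf; *p != '{'; *lm++ = *p++)`, copies without any limit. A pattern whose text before the first `{` is longer than `restbuf` overflows the buffer before this code runs, and the subtraction then wraps to a huge count. Bound the prefix copy against `restbuf + sizeof(restbuf) - 1` and reject the pattern when the prefix does not fit. `execbrc` continues outside this hunk.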
@@ -700,7 +708,7 @@ gethdir(home)
{
register struct passwd *pp = getpwnam(home);
- if (!pp || home + strlen(pp->pw_dir) >= lastgpathp)
+ if (!pp || ((home + strlen(pp->pw_dir)) >= lastgpathp))
return (1);
(void) strcpy(home, pp->pw_dir);
return (0);
diff --git a/src/appl/gssftp/ftp/main.c b/src/appl/gssftp/ftp/main.c
index 9c1e43a..6c7e1e9 100644
--- a/src/appl/gssftp/ftp/main.c
+++ b/src/appl/gssftp/ftp/main.c
@@ -193,7 +193,8 @@ main(argc, argv)
pw = getpwuid(getuid());
if (pw != NULL) {
home = homedir;
- (void) strcpy(home, pw->pw_dir);
+ (void) strncpy(home, pw->pw_dir, sizeof(homedir) - 1);
+ homedir[sizeof(homedir) - 1] = '\0';
}
if (argc > 0) {
if (setjmp(toplevel))
diff --git a/src/appl/gssftp/ftp/secure.c b/src/appl/gssftp/ftp/secure.c
index 48f57f9..3f5b7c1 100644
--- a/src/appl/gssftp/ftp/secure.c
+++ b/src/appl/gssftp/ftp/secure.c
@@ -3,6 +3,11 @@
* secure read(), write(), getc(), and putc().
* Only one security context, thus only work on one fd at a time!
*/
+#ifdef GSSAPI
+#include <gssapi/gssapi.h>
+#include <gssapi/gssapi_generic.h>
+extern gss_ctx_id_t gcontext;
+#endif /* GSSAPI */
#include <secure.h> /* stuff which is specific to client or server */
@@ -31,9 +36,12 @@ extern gss_ctx_id_t gcontext;
#include <netinet/in.h>
#include <errno.h>
+#ifndef HAVE_STRERROR
+#define strerror(error) (sys_errlist[error])
#ifdef NEED_SYS_ERRLIST
extern char *sys_errlist[];
#endif
+#endif
#if (SIZEOF_SHORT == 4)
typedef unsigned short ftp_uint32;
@@ -52,29 +60,29 @@ extern struct sockaddr_in myaddr;
extern int dlevel;
extern char *auth_type;
+/* Some libc's (GNU libc, at least) define MAX as a macro. Forget that. */
+#ifdef MAX
+#undef MAX
+#endif
+
#define MAX maxbuf
extern unsigned int maxbuf; /* maximum output buffer size */
extern unsigned char *ucbuf; /* cleartext buffer */
static unsigned int nout, bufp; /* number of chars in ucbuf,
* pointer into ucbuf */
+static unsigned int smaxbuf; /* Internal saved value of maxbuf
+ in case changes on us */
+static unsigned int smaxqueue; /* Maximum allowed to queue before
+ flush buffer. < smaxbuf by fudgefactor */
#ifdef KRB5_KRB4_COMPAT
-#define FUDGE_FACTOR 32 /* Amount of growth
+#define KRB4_FUDGE_FACTOR 32 /* Amount of growth
* from cleartext to ciphertext.
* krb_mk_priv adds this # bytes.
* Must be defined for each auth type.
*/
#endif /* KRB5_KRB4_COMPAT */
-#ifdef GSSAPI
-#undef FUDGE_FACTOR
-#define FUDGE_FACTOR 64 /*It appears to add 52 byts, but I'm not usre it is a constant--hartmans*/
-#endif /*GSSAPI*/
-
-#ifndef FUDGE_FACTOR /* In case no auth types define it. */
-#define FUDGE_FACTOR 0
-#endif
-
#ifdef KRB5_KRB4_COMPAT
/* XXX - The following must be redefined if KERBEROS_V4 is not used
* but some other auth type is. They must have the same properties. */
@@ -145,20 +153,63 @@ extern secure_error();
#define ERR -2
-static
+/*
+ * Given maxbuf as a buffer size, determine how much can we
+ * really transfer given the overhead of different algorithms
+ *
+ * Sets smaxbuf and smaxqueue
+ */
+
+static int secure_determine_constants()
+{
+ smaxbuf = maxbuf;
+ smaxqueue = maxbuf;
+
+#ifdef KRB5_KRB4_COMPAT
+ /* For KRB4 - we know the fudge factor to be 32 */
+ if (strcmp(auth_type, "KERBEROS_V4") == 0) {
+ smaxqueue = smaxbuf - KRB4_FUDGE_FACTOR;
+ }
+#endif
+#ifdef GSSAPI
+ if (strcmp(auth_type, "GSSAPI") == 0) {
+ OM_uint32 maj_stat, min_stat, mlen;
+ OM_uint32 msize = maxbuf;
+ maj_stat = gss_wrap_size_limit(&min_stat, gcontext,
+ (dlevel == PROT_P),
+ GSS_C_QOP_DEFAULT,
+ msize, &mlen);
+ if (maj_stat != GSS_S_COMPLETE) {
+ secure_gss_error(maj_stat, min_stat,
+ "GSSAPI fudge determination");
+ /* Return error how? */
+ return ERR;
+ }
+ smaxqueue = mlen;
+ }
+#endif
+
+ return 0;
+}
+
+static int
secure_putbyte(fd, c)
int fd;
unsigned char c;
{
int ret;
+ if ((smaxbuf == 0) || (smaxqueue == 0) || (smaxbuf != maxbuf)) {
+ ret = secure_determine_constants();
+ if (ret) return ret;
+ }
ucbuf[nout++] = c;
- if (nout == MAX - FUDGE_FACTOR) {
+ if (nout == smaxqueue) {
nout = 0;
- ret = secure_putbuf(fd, ucbuf, MAX - FUDGE_FACTOR);
+ ret = secure_putbuf(fd, ucbuf, smaxqueue);
return(ret?ret:c);
}
-return (c);
+ return (c);
}
/* returns:
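Review bot: The flush test `if (nout == smaxqueue)` uses equality, so if `smaxqueue` is ever below the current `nout` the test never fires and `ucbuf[nout++] = c` keeps advancing past the buffer. That can happen when `smaxbuf - KRB4_FUDGE_FACTOR` wraps because `maxbuf` is smaller than the fudge, when `gss_wrap_size_limit` reports an `mlen` of 0, or when `maxbuf` shrinks while bytes are already queued. Validate the computed limit in `secure_determine_constants`, e.g. `if (smaxqueue == 0 || smaxqueue > smaxbuf) return ERR;`, and make the flush test `if (nout >= smaxqueue)`. `secure_determine_constants` also calls `strcmp(auth_type, ...)` without a NULL check; whether `auth_type` is always set by this point is not visible here.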
@@ -228,18 +279,20 @@ unsigned int nbyte;
static unsigned int bufsize; /* size of outbuf */
ftp_int32 length;
ftp_uint32 net_len;
+ unsigned int fudge = smaxbuf - smaxqueue; /* Difference in length
+ buffer lengths required */
/* Other auth types go here ... */
#ifdef KRB5_KRB4_COMPAT
- if (bufsize < nbyte + FUDGE_FACTOR) {
+ if (bufsize < nbyte + fudge) {
if (outbuf?
- (outbuf = realloc(outbuf, (unsigned) (nbyte + FUDGE_FACTOR))):
- (outbuf = malloc((unsigned) (nbyte + FUDGE_FACTOR)))) {
- bufsize =nbyte + FUDGE_FACTOR;
+ (outbuf = realloc(outbuf, (unsigned) (nbyte + fudge))):
+ (outbuf = malloc((unsigned) (nbyte + fudge)))) {
+ bufsize = nbyte + fudge;
} else {
bufsize = 0;
secure_error("%s (in malloc of PROT buffer)",
- sys_errlist[errno]);
+ strerror(errno));
return(ERR);
}
}
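Review bot: `fudge` is derived from `smaxbuf - smaxqueue`, but those statics are only filled in by the lazy initialisation inside `secure_putbyte`. If `secure_putbuf` can be reached before any `secure_putbyte` call, or after `maxbuf` has changed (callers are outside this hunk), `fudge` is 0 or stale and the `nbyte + fudge` allocation can be smaller than the protected message needs. Run the same guard at the top of this function before computing `fudge`: `if (smaxbuf != maxbuf || smaxqueue == 0) { if (secure_determine_constants()) return ERR; }`. Separately, `outbuf = realloc(outbuf, ...)` drops the old pointer on failure; assigning through a temporary would avoid the leak. The function begins and ends outside the hunk.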
@@ -286,7 +339,7 @@ unsigned int nbyte;
} else {
bufsize = 0;
secure_error("%s (in malloc of PROT buffer)",
- sys_errlist[errno]);
+ strerror(errno));
return(ERR);
}
}
@@ -315,7 +368,7 @@ int fd;
!= sizeof(length)) {
secure_error("Couldn't read PROT buffer length: %d/%s",
kerror,
- kerror == -1 ? sys_errlist[errno]
+ kerror == -1 ? strerror(errno)
: "premature EOF");
return(ERR);
}
@@ -327,7 +380,7 @@ int fd;
if ((kerror = looping_read(fd, ucbuf, length)) != length) {
secure_error("Couldn't read %u byte PROT buffer: %s",
length, kerror == -1 ?
- sys_errlist[errno] : "premature EOF");
+ strerror(errno) : "premature EOF");
return(ERR);
}
/* Other auth types go here ... */
diff --git a/src/appl/gssftp/ftpd/ChangeLog b/src/appl/gssftp/ftpd/ChangeLog
index a459d30..274a881 100644
--- a/src/appl/gssftp/ftpd/ChangeLog
+++ b/src/appl/gssftp/ftpd/ChangeLog
@@ -1,3 +1,68 @@
+2002-11-05 Ezra Peisach <epeisach@bu.edu>
+
+ * ftpcmd.y: Bison 1.75 cleanup. Essentially remove `=' before
+ statements to be executed. (ticket 1218).
+ [pullup from trunk]
+
+2001-12-18 Ken Raeburn <raeburn@mit.edu>
+
+ * ftpd.c (strerror): Only define if not HAVE_STRERROR.
+
+2001-11-30 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y (pathname): Handle returns from ftpglob() better so
+ that errors get sent via reply(), while causing some match
+ failures to match to simply return $1, so the higher level can
+ deal. Previously, some failures would cause synch problems since
+ NULL would be returned and no reply was sent.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y: Kludge to #define unix on BSD for now.
+
+2001-10-29 Ken Raeburn <raeburn@mit.edu>
+
+ * ftpd.c (login): New argument LOGINCODE, optional result code to
+ override local use of success code 230 when homedir is not
+ accessible but root directory is.
+ (user): Pass result code 232 to login.
+ (pass): Pass result code 0 to login.
+
+2001-08-28 Ezra Peisach <epeisach@mit.edu>
+
+ * ftpd.c (auth_data): Iterate over all krb4 services instead of
+ trying to examine the srvtab file for a particular key (which
+ failes when falling back on the v5 keytab for des3 services).
+ [pullup from trunk]
+
+2001-04-25 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y: Don't dereference a NULL pointer returned from
+ ftpglob().
+
+ * ftpd.c: Be more paranoid about return values from ftpglob().
+ Police uses of sprintf(). Account for expansion in
+ radix_encode().
+
+2000-08-25 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y: Fix up grammar so that single character token names
+ are no longer used; this was breaking the build using bison on
+ HP/UX because some system headers declare structures with members
+ having all-uppercase field names and bison puts the token name
+ #define statements in front of the C declarations section in the
+ output, causing them to be in force while those headers get
+ #included. There doesn't seem to be much purpose in not just
+ using character constants, anyway.
+
+2000-06-14 Tom Yu <tlyu@mit.edu>
+
+ * ftpcmd.y (nonguest): Return $1, not 1, if (!guest).
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * ftpd.c (gunique): Make sure that path stored in "new" isn't too long.
+
2000-02-18 Ken Raeburn <raeburn@mit.edu>
* ftpd.c (reply, lreply): Declare with format attribute under
diff --git a/src/appl/gssftp/ftpd/ftpcmd.y b/src/appl/gssftp/ftpd/ftpcmd.y
index acd1871..582b187 100644
--- a/src/appl/gssftp/ftpd/ftpcmd.y
+++ b/src/appl/gssftp/ftpd/ftpcmd.y
@@ -91,13 +91,16 @@ extern MSG_DAT msg_data;
extern gss_ctx_id_t gcontext;
#endif
-#ifndef unix
+#ifndef unix /* XXX */
#ifdef _AIX
#define unix
#endif
#ifdef __hpux
#define unix
#endif
+#ifdef BSD
+#define unix
+#endif
#endif
#ifndef NBBY
@@ -172,9 +175,6 @@ struct tab sitetab[];
%union { int num; char *str; }
%token
- A B C E F I
- L N P R S T
-
SP CRLF COMMA STRING NUMBER
USER PASS ACCT REIN QUIT PORT
@@ -204,7 +204,7 @@ struct tab sitetab[];
cmd_list: /* empty */
| cmd_list cmd
- = {
+ {
fromname = (char *) 0;
restart_point = (off_t) 0;
}
@@ -212,17 +212,17 @@ cmd_list: /* empty */
;
cmd: USER SP username CRLF
- = {
+ {
user((char *) $3);
free((char *) $3);
}
| PASS SP password CRLF
- = {
+ {
pass((char *) $3);
free((char *) $3);
}
| PORT SP host_port CRLF
- = {
+ {
/*
* Don't allow a port < 1024 if we're not
* connecting back to the original source address
@@ -241,19 +241,19 @@ cmd: USER SP username CRLF
}
}
| PASV check_login CRLF
- = {
+ {
if ($2)
passive();
}
| PROT SP prot_code CRLF
- = {
+ {
if (maxbuf)
setdlevel ($3);
else
reply(503, "Must first set PBSZ");
}
| CCC CRLF
- = {
+ {
if (!allow_ccc) {
reply(534, "CCC not supported");
}
@@ -267,7 +267,7 @@ cmd: USER SP username CRLF
}
}
| PBSZ SP STRING CRLF
- = {
+ {
/* Others may want to do something more fancy here */
if (!auth_type)
reply(503, "Must first perform authentication");
@@ -291,7 +291,7 @@ cmd: USER SP username CRLF
}
}
| TYPE SP type_code CRLF
- = {
+ {
switch (cmd_type) {
case TYPE_A:
@@ -326,7 +326,7 @@ cmd: USER SP username CRLF
}
}
| STRU SP struct_code CRLF
- = {
+ {
switch ($3) {
case STRU_F:
@@ -338,7 +338,7 @@ cmd: USER SP username CRLF
}
}
| MODE SP mode_code CRLF
- = {
+ {
switch ($3) {
case MODE_S:
@@ -350,78 +350,78 @@ cmd: USER SP username CRLF
}
}
| ALLO SP NUMBER CRLF
- = {
+ {
reply(202, "ALLO command ignored.");
}
- | ALLO SP NUMBER SP R SP NUMBER CRLF
- = {
+ | ALLO SP NUMBER SP 'R' SP NUMBER CRLF
+ {
reply(202, "ALLO command ignored.");
}
| RETR check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
retrieve((char *) 0, (char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| STOR check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
store_file((char *) $4, "w", 0);
if ($4 != NULL)
free((char *) $4);
}
| APPE check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
store_file((char *) $4, "a", 0);
if ($4 != NULL)
free((char *) $4);
}
| NLST check_login CRLF
- = {
+ {
if ($2)
send_file_list(".");
}
| NLST check_login SP STRING CRLF
- = {
+ {
if ($2 && $4 != NULL)
send_file_list((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| LIST check_login CRLF
- = {
+ {
if ($2)
retrieve("/bin/ls -lgA", "");
}
| LIST check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
retrieve("/bin/ls -lgA %s", (char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| STAT check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
statfilecmd((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| STAT CRLF
- = {
+ {
statcmd();
}
| DELE check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
delete_file((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| RNTO SP pathname CRLF
- = {
+ {
if (fromname) {
renamecmd(fromname, (char *) $3);
free(fromname);
@@ -432,27 +432,27 @@ cmd: USER SP username CRLF
free((char *) $3);
}
| ABOR CRLF
- = {
+ {
reply(225, "ABOR command successful.");
}
| CWD check_login CRLF
- = {
+ {
if ($2)
cwd(pw->pw_dir);
}
| CWD check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
cwd((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| HELP CRLF
- = {
+ {
help(cmdtab, (char *) 0);
}
| HELP SP STRING CRLF
- = {
+ {
register char *cp = (char *)$3;
if (strncasecmp(cp, "SITE", 4) == 0) {
@@ -467,43 +467,43 @@ cmd: USER SP username CRLF
help(cmdtab, (char *) $3);
}
| NOOP CRLF
- = {
+ {
reply(200, "NOOP command successful.");
}
| MKD nonguest SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
makedir((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| RMD nonguest SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
removedir((char *) $4);
if ($4 != NULL)
free((char *) $4);
}
| PWD check_login CRLF
- = {
+ {
if ($2)
pwd();
}
| CDUP check_login CRLF
- = {
+ {
if ($2)
cwd("..");
}
| SITE SP HELP CRLF
- = {
+ {
help(sitetab, (char *) 0);
}
| SITE SP HELP SP STRING CRLF
- = {
+ {
help(sitetab, (char *) $5);
}
| SITE SP UMASK check_login CRLF
- = {
+ {
int oldmask;
if ($4) {
@@ -513,7 +513,7 @@ cmd: USER SP username CRLF
}
}
| SITE SP UMASK nonguest SP octal_number CRLF
- = {
+ {
int oldmask;
if ($4) {
@@ -528,7 +528,7 @@ cmd: USER SP username CRLF
}
}
| SITE SP CHMOD nonguest SP octal_number SP pathname CRLF
- = {
+ {
if ($4 && ($8 != NULL)) {
if ($6 > 0777)
reply(501,
@@ -542,13 +542,13 @@ cmd: USER SP username CRLF
free((char *) $8);
}
| SITE SP IDLE CRLF
- = {
+ {
reply(200,
"Current IDLE time limit is %d seconds; max %d",
timeout, maxtimeout);
}
| SITE SP IDLE SP NUMBER CRLF
- = {
+ {
if ($5 < 30 || $5 > maxtimeout) {
reply(501,
"Maximum IDLE time must be between 30 and %d seconds",
@@ -562,14 +562,14 @@ cmd: USER SP username CRLF
}
}
| STOU check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
store_file((char *) $4, "w", 1);
if ($4 != NULL)
free((char *) $4);
}
| SYST CRLF
- = {
+ {
#ifdef unix
#ifdef __svr4__
#undef BSD
@@ -593,7 +593,7 @@ cmd: USER SP username CRLF
* using with RESTART (we just count bytes).
*/
| SIZE check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL)
sizecmd((char *) $4);
if ($4 != NULL)
@@ -610,7 +610,7 @@ cmd: USER SP username CRLF
* not necessarily 3 digits)
*/
| MDTM check_login SP pathname CRLF
- = {
+ {
if ($2 && $4 != NULL) {
struct stat stbuf;
if (stat((char *) $4, &stbuf) < 0)
@@ -633,26 +633,26 @@ cmd: USER SP username CRLF
free((char *) $4);
}
| AUTH SP STRING CRLF
- = {
+ {
auth((char *) $3);
}
| ADAT SP STRING CRLF
- = {
+ {
auth_data((char *) $3);
free((char *) $3);
}
| QUIT CRLF
- = {
+ {
reply(221, "Goodbye.");
dologout(0);
}
| error CRLF
- = {
+ {
yyerrok;
}
;
rcmd: RNFR check_login SP pathname CRLF
- = {
+ {
char *renamefrom();
restart_point = (off_t) 0;
@@ -664,7 +664,7 @@ rcmd: RNFR check_login SP pathname CRLF
}
}
| REST SP byte_size CRLF
- = {
+ {
fromname = (char *) 0;
restart_point = $3;
reply(350, "Restarting at %ld. %s", restart_point,
@@ -676,7 +676,7 @@ username: STRING
;
password: /* empty */
- = {
+ {
*(char **)&($$) = (char *)calloc(1, sizeof(char));
}
| STRING
@@ -687,7 +687,7 @@ byte_size: NUMBER
host_port: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
NUMBER COMMA NUMBER
- = {
+ {
register char *a, *p;
a = (char *)&host_port.sin_addr;
@@ -698,122 +698,129 @@ host_port: NUMBER COMMA NUMBER COMMA NUMBER COMMA NUMBER COMMA
}
;
-form_code: N
- = {
+form_code: 'N'
+ {
$$ = FORM_N;
}
- | T
- = {
+ | 'T'
+ {
$$ = FORM_T;
}
- | C
- = {
+ | 'C'
+ {
$$ = FORM_C;
}
;
-prot_code: C
- = {
+prot_code: 'C'
+ {
$$ = PROT_C;
}
- | S
- = {
+ | 'S'
+ {
$$ = PROT_S;
}
- | P
- = {
+ | 'P'
+ {
$$ = PROT_P;
}
- | E
- = {
+ | 'E'
+ {
$$ = PROT_E;
}
;
-type_code: A
- = {
+type_code: 'A'
+ {
cmd_type = TYPE_A;
cmd_form = FORM_N;
}
- | A SP form_code
- = {
+ | 'A' SP form_code
+ {
cmd_type = TYPE_A;
cmd_form = $3;
}
- | E
- = {
+ | 'E'
+ {
cmd_type = TYPE_E;
cmd_form = FORM_N;
}
- | E SP form_code
- = {
+ | 'E' SP form_code
+ {
cmd_type = TYPE_E;
cmd_form = $3;
}
- | I
- = {
+ | 'I'
+ {
cmd_type = TYPE_I;
}
- | L
- = {
+ | 'L'
+ {
cmd_type = TYPE_L;
cmd_bytesz = NBBY;
}
- | L SP byte_size
- = {
+ | 'L' SP byte_size
+ {
cmd_type = TYPE_L;
cmd_bytesz = $3;
}
/* this is for a bug in the BBN ftp */
- | L byte_size
- = {
+ | 'L' byte_size
+ {
cmd_type = TYPE_L;
cmd_bytesz = $2;
}
;
-struct_code: F
- = {
+struct_code: 'F'
+ {
$$ = STRU_F;
}
- | R
- = {
+ | 'R'
+ {
$$ = STRU_R;
}
- | P
- = {
+ | 'P'
+ {
$$ = STRU_P;
}
;
-mode_code: S
- = {
+mode_code: 'S'
+ {
$$ = MODE_S;
}
- | B
- = {
+ | 'B'
+ {
$$ = MODE_B;
}
- | C
- = {
+ | 'C'
+ {
$$ = MODE_C;
}
;
pathname: pathstring
- = {
+ {
/*
* Problem: this production is used for all pathname
* processing, but only gives a 550 error reply.
* This is a valid reply in some cases but not in others.
*/
if (logged_in && $1 && strncmp((char *) $1, "~", 1) == 0) {
- *(char **)&($$) = *ftpglob((char *) $1);
- if (globerr != NULL) {
- reply(550, globerr);
- $$ = NULL;
- }
- free((char *) $1);
+ char **vv;
+
+ vv = ftpglob((char *) $1);
+ $$ = (vv != NULL) ? *vv : NULL;
+ if ($$ == NULL) {
+ if (globerr == NULL)
+ $$ = $1;
+ else {
+ reply(550, "%s", globerr);
+ free((char *) $1);
+ }
+ } else
+ free((char *) $1);
} else
$$ = $1;
}
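Review bot: In the `pathname` action the new `$$ = (vv != NULL) ? *vv : NULL;` stores a `char *` directly into `$$`, whereas the line it replaces and the `password` rule both go through `*(char **)&($$)`, which suggests the semantic value is not pointer-typed. The YYSTYPE declaration is outside this hunk, so this needs confirming, but if it is an `int` the pointer is truncated on targets where pointers are wider. Keeping the existing idiom, `*(char **)&($$) = (vv != NULL) ? *vv : NULL;`, stays consistent with the rest of the grammar. A short comment saying who owns the vector returned by `ftpglob` and any entries after the first would also help, since only `*vv` is kept here.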
@@ -823,7 +830,7 @@ pathstring: STRING
;
octal_number: NUMBER
- = {
+ {
register int ret, dec, multby, digit;
/*
@@ -848,7 +855,7 @@ octal_number: NUMBER
;
check_login: /* empty */
- = {
+ {
if (logged_in)
$$ = 1;
else {
@@ -859,13 +866,13 @@ check_login: /* empty */
;
nonguest: check_login
- = {
+ {
if (guest) {
reply(550, "Operation prohibited for anonymous users.");
$$ = 0;
}
else
- $$ = 1;
+ $$ = $1;
}
;
%%
@@ -1349,51 +1356,51 @@ yylex()
case 'A':
case 'a':
- return (A);
+ return ('A');
case 'B':
case 'b':
- return (B);
+ return ('B');
case 'C':
case 'c':
- return (C);
+ return ('C');
case 'E':
case 'e':
- return (E);
+ return ('E');
case 'F':
case 'f':
- return (F);
+ return ('F');
case 'I':
case 'i':
- return (I);
+ return ('I');
case 'L':
case 'l':
- return (L);
+ return ('L');
case 'N':
case 'n':
- return (N);
+ return ('N');
case 'P':
case 'p':
- return (P);
+ return ('P');
case 'R':
case 'r':
- return (R);
+ return ('R');
case 'S':
case 's':
- return (S);
+ return ('S');
case 'T':
case 't':
- return (T);
+ return ('T');
}
break;
diff --git a/src/appl/gssftp/ftpd/ftpd.c b/src/appl/gssftp/ftpd/ftpd.c
index c7dfc8a..d4ded83 100644
--- a/src/appl/gssftp/ftpd/ftpd.c
+++ b/src/appl/gssftp/ftpd/ftpd.c
@@ -109,10 +109,12 @@ static char sccsid[] = "@(#)ftpd.c 5.40 (Berkeley) 7/2/91";
#define L_INCR 1
#endif
+#ifndef HAVE_STRERROR
#define strerror(error) (sys_errlist[error])
#ifdef NEED_SYS_ERRLIST
extern char *sys_errlist[];
#endif
+#endif
extern char *mktemp ();
@@ -761,7 +763,17 @@ user(name)
int result;
#ifdef GSSAPI
if (auth_type && strcmp(auth_type, "GSSAPI") == 0) {
+ int len;
+
authorized = ftpd_gss_userok(&client_name, name) == 0;
+ len = sizeof("GSSAPI user is not authorized as "
+ "; Password required.")
+ + strlen(client_name.value)
+ + strlen(name);
+ if (len >= sizeof(buf)) {
+ syslog(LOG_ERR, "user: username too long");
+ name = "[username too long]";
+ }
sprintf(buf, "GSSAPI user %s is%s authorized as %s",
client_name.value, authorized ? "" : " not",
name);
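Review bot: The guard added before `sprintf(buf, "GSSAPI user %s is%s authorized as %s", ...)` sums both lengths but only replaces `name` with a placeholder, so a long `client_name.value` can still carry the formatted string past `sizeof(buf)`. Refusing the command when `len >= sizeof(buf)` closes that gap, for example `reply(501, "username too long"); return;`. The reassigned `name` also stays in effect for the rest of `user()`, which continues outside the hunk, so any later use sees the placeholder rather than what the client sent. The KERBEROS_V4 branch in the next hunk follows the same pattern.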
@@ -772,7 +784,19 @@ user(name)
#endif /* GSSAPI */
#ifdef KRB5_KRB4_COMPAT
if (auth_type && strcmp(auth_type, "KERBEROS_V4") == 0) {
+ int len;
+
authorized = kuserok(&kdata,name) == 0;
+ len = sizeof("Kerberos user .@ is not authorized as "
+ "; Password required.")
+ + strlen(kdata.pname)
+ + strlen(kdata.pinst)
+ + strlen(kdata.prealm)
+ + strlen(name);
+ if (len >= sizeof(buf)) {
+ syslog(LOG_ERR, "user: username too long");
+ name = "[username too long]";
+ }
sprintf(buf, "Kerberos user %s%s%s@%s is%s authorized as %s",
kdata.pname, *kdata.pinst ? "." : "",
kdata.pinst, kdata.prealm,
@@ -796,7 +820,7 @@ user(name)
syslog(authorized ? LOG_INFO : LOG_ERR, "%s", buf);
if (result == 232)
- login(NULL);
+ login(NULL, result);
return;
}
@@ -1064,11 +1088,11 @@ pass(passwd)
}
login_attempts = 0; /* this time successful */
- login(passwd);
+ login(passwd, 0);
return;
}
-login(passwd)
+login(passwd, logincode)
char *passwd;
{
if (have_creds) {
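Review bot: The new `logincode` parameter in the K&R definition of `login` has no declaration and is therefore an implicit `int`; add `int logincode;` after `char *passwd;`. A one-line comment on the function, such as `/* logincode: reply code to use on success, 0 for the default 230 */`, would document the convention that the two callers (`login(NULL, result)` and `login(passwd, 0)`) rely on. The body of `login` continues outside the hunk.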
@@ -1127,8 +1151,11 @@ login(passwd)
reply(530, "User %s: can't change directory to %s.",
pw->pw_name, pw->pw_dir);
goto bad;
- } else
- lreply(230, "No directory! Logging in with home=/");
+ } else {
+ if (!logincode)
+ logincode = 230;
+ lreply(logincode, "No directory! Logging in with home=/");
+ }
}
}
if (guest) {
@@ -1179,6 +1206,11 @@ retrieve(cmd, name)
} else {
char line[FTP_BUFSIZ];
+ if (strlen(cmd) + strlen(name) + 1 >= sizeof(line)) {
+ syslog(LOG_ERR, "retrieve: filename too long");
+ reply(501, "filename too long");
+ return;
+ }
(void) sprintf(line, cmd, name), name = line;
fin = ftpd_popen(line, "r"), closefunc = ftpd_pclose;
st.st_size = -1;
@@ -1417,6 +1449,10 @@ dataconn(name, size, mode)
return (file);
}
+/*
+ * XXX callers need to limit total length of output string to
+ * FTP_BUFSIZ
+ */
#ifdef STDARG
secure_error(char *fmt, ...)
#else
@@ -1616,13 +1652,19 @@ statfilecmd(filename)
{
char line[FTP_BUFSIZ];
FILE *fin;
- int c;
+ int c, n;
char str[FTP_BUFSIZ], *p;
+ if (strlen(filename) + sizeof("/bin/ls -lgA ")
+ >= sizeof(line)) {
+ reply(501, "filename too long");
+ return;
+ }
(void) sprintf(line, "/bin/ls -lgA %s", filename);
fin = ftpd_popen(line, "r");
lreply(211, "status of %s:", filename);
p = str;
+ n = 0;
while ((c = getc(fin)) != EOF) {
if (c == '\n') {
if (ferror(stdout)){
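Review bot: `fin = ftpd_popen(line, "r")` is read by `getc(fin)` a few lines later with no NULL check in between, so a failed popen hands a null stream to stdio. Add a guard right after the call, for example `if (fin == NULL) { perror_reply(451, line); return; }` (the reply code is a suggestion). The added length test itself bounds `line` correctly, because `sizeof("/bin/ls -lgA ")` already counts the terminator. The read loop continues in the next hunk.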
@@ -1639,7 +1681,16 @@ statfilecmd(filename)
*p = '\0';
reply(0, "%s", str);
p = str;
- } else *p++ = c;
+ n = 0;
+ } else {
+ *p++ = c;
+ n++;
+ if (n >= sizeof(str)) {
+ reply(551, "output line too long");
+ (void) ftpd_pclose(fin);
+ return;
+ }
+ }
}
if (p != str) {
*p = '\0';
@@ -1723,6 +1774,10 @@ fatal(s)
char cont_char = ' ';
+/*
+ * XXX callers need to limit total length of output string to
+ * FTP_BUFSIZ bytes for now.
+ */
#ifdef STDARG
reply(int n, char *fmt, ...)
#else
@@ -1744,22 +1799,32 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5)
#endif
if (auth_type) {
- char in[FTP_BUFSIZ], out[FTP_BUFSIZ];
+ /*
+ * Deal with expansion in mk_{safe,priv},
+ * radix_encode, gss_seal, plus slop.
+ */
+ char in[FTP_BUFSIZ*3/2], out[FTP_BUFSIZ*3/2];
int length, kerror;
if (n) sprintf(in, "%d%c", n, cont_char);
else in[0] = '\0';
strncat(in, buf, sizeof (in) - strlen(in) - 1);
#ifdef KRB5_KRB4_COMPAT
if (strcmp(auth_type, "KERBEROS_V4") == 0) {
- if ((length = clevel == PROT_P ?
- krb_mk_priv((unsigned char *)in,
- (unsigned char *)out,
- strlen(in), schedule, &kdata.session,
- &ctrl_addr, &his_addr)
- : krb_mk_safe((unsigned char *)in,
- (unsigned char *)out,
- strlen(in), &kdata.session,
- &ctrl_addr, &his_addr)) == -1) {
+ if (clevel == PROT_P)
+ length = krb_mk_priv((unsigned char *)in,
+ (unsigned char *)out,
+ strlen(in),
+ schedule, &kdata.session,
+ &ctrl_addr,
+ &his_addr);
+ else
+ length = krb_mk_safe((unsigned char *)in,
+ (unsigned char *)out,
+ strlen(in),
+ &kdata.session,
+ &ctrl_addr,
+ &his_addr);
+ if (length == -1) {
syslog(LOG_ERR,
"krb_mk_%s failed for KERBEROS_V4",
clevel == PROT_P ? "priv" : "safe");
@@ -1803,13 +1868,16 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5)
}
#endif /* GSSAPI */
/* Other auth types go here ... */
- if (kerror = radix_encode(out, in, &length, 0)) {
+ if (length >= sizeof(in) / 4 * 3) {
+ syslog(LOG_ERR, "input to radix_encode too long");
+ fputs(in, stdout);
+ } else if (kerror = radix_encode(out, in, &length, 0)) {
syslog(LOG_ERR, "Couldn't encode reply (%s)",
radix_error(kerror));
fputs(in,stdout);
} else
- printf("%s%c%s", clevel == PROT_P ? "632" : "631",
- n ? cont_char : '-', in);
+ printf("%s%c%s", clevel == PROT_P ? "632" : "631",
+ n ? cont_char : '-', in);
} else {
if (n) printf("%d%c", n, cont_char);
fputs(buf, stdout);
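Review bot: The new "input to radix_encode too long" branch falls back to `fputs(in, stdout)`, and at that point `in` appears to still hold the plain reply text built by `strncat(in, buf, ...)`, so the reply goes out unprotected even when `clevel == PROT_P`. The existing `radix_encode` failure path just below behaves the same way. Failing closed would be safer for a protected session: log the error and emit a fixed, content-free error line instead of `in`. At minimum a comment such as `/* NOTE: falls back to cleartext on the control channel */` should make the behaviour explicit. Code between the two `reply` hunks is not visible here, so confirm that nothing rewrites `in` before this test.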
@@ -1822,6 +1890,10 @@ reply(n, fmt, p0, p1, p2, p3, p4, p5)
}
}
+/*
+ * XXX callers need to limit total length of output string to
+ * FTP_BUFSIZ
+ */
#ifdef STDARG
lreply(int n, char *fmt, ...)
#else
@@ -1866,7 +1938,8 @@ yyerror(s)
if (cp = strchr(cbuf,'\n'))
*cp = '\0';
- reply(500, "'%s': command not understood.", cbuf);
+ reply(500, "'%.*s': command not understood.",
+ FTP_BUFSIZ - sizeof("'': command not understood."), cbuf);
}
delete_file(name)
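Review bot: The precision passed for `%.*s` in the new `reply(500, ...)` call is `FTP_BUFSIZ - sizeof("...")`, which has type `size_t`, while `*` consumes an `int`; where the two differ in width the following `cbuf` argument is misread. Cast it: `(int)(FTP_BUFSIZ - sizeof("'': command not understood."))`. The truncating call added to `perror_reply` further down passes `FTP_BUFSIZ - extra_len` the same way and needs the same cast. `yyerror` begins above the hunk.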
@@ -2123,7 +2196,8 @@ gunique(local)
}
if (cp)
*cp = '/';
- (void) strcpy(new, local);
+ (void) strncpy(new, local, sizeof(new) - 1);
+ new[sizeof(new) - 1] = '\0';
cp = new + strlen(new);
*cp++ = '.';
for (count = 1; count < 100; count++) {
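Review bot: The bounded copy into `new` leaves no room for the suffix that is appended immediately afterwards: when `local` fills the buffer, `cp = new + strlen(new)` points at the last byte, `*cp++ = '.'` overwrites the terminator, and whatever the `count` loop writes lands past the end. The loop body is outside the hunk, but with `count < 100` it presumably adds up to two digits and a terminator. Reserve that space in the copy: `strncpy(new, local, sizeof(new) - 4);` followed by `new[sizeof(new) - 4] = '\0';`.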
@@ -2142,7 +2216,23 @@ perror_reply(code, string)
int code;
char *string;
{
- reply(code, "%s: %s.", string, strerror(errno));
+ char *err_string;
+ size_t extra_len;
+
+ err_string = strerror(errno);
+ if (err_string == NULL)
+ err_string = "(unknown error)";
+ extra_len = strlen(err_string) + sizeof("(truncated): .");
+
+ /*
+ * XXX knows about FTP_BUFSIZ in reply()
+ */
+ if (strlen(string) + extra_len > FTP_BUFSIZ) {
+ reply(code, "(truncated)%.*s: %s.",
+ FTP_BUFSIZ - extra_len, string, err_string);
+ } else {
+ reply(code, "%s: %s.", string, err_string);
+ }
}
auth(type)
@@ -2173,7 +2263,7 @@ char *data;
int kerror, length;
#ifdef KRB5_KRB4_COMPAT
int i;
- static char *service;
+ static char **service=NULL;
char instance[INST_SZ];
u_long cksum;
char buf[FTP_BUFSIZ];
@@ -2199,23 +2289,22 @@ char *data;
}
(void) memcpy((char *)ticket.dat, (char *)out_buf, ticket.length = length);
strcpy(instance, "*");
- if (!service) {
- char realm[REALM_SZ];
- des_cblock key;
-
- service = "ftp";
- if (krb_get_lrealm(realm, 1) == KSUCCESS &&
- read_service_key(service, instance, realm, 0, keyfile, key))
- service = "rcmd";
- else
- (void) memset(key, 0, sizeof(key));
- }
- if (kerror = krb_rd_req(&ticket, service, instance,
- his_addr.sin_addr.s_addr, &kdata, keyfile)) {
- secure_error("ADAT: Kerberos V4 krb_rd_req: %s",
- krb_get_err_text(kerror));
- return(0);
+
+ kerror = 255;
+ for (service = krb4_services; *service; service++) {
+ kerror = krb_rd_req(&ticket, *service, instance,
+ his_addr.sin_addr.s_addr,
+ &kdata, keyfile);
+ /* Success */
+ if(!kerror) break;
+ }
+ /* rd_req failed.... */
+ if(kerror) {
+ secure_error("ADAT: Kerberos V4 krb_rd_req: %s",
+ krb_get_err_text(kerror));
+ return(0);
}
+
/* add one to the (formerly) sealed checksum, and re-seal it */
cksum = kdata.checksum + 1;
cksum = htonl(cksum);
@@ -2225,6 +2314,10 @@ char *data;
secure_error("ADAT: krb_mk_safe failed");
return(0);
}
+ if (length >= (FTP_BUFSIZ - sizeof("ADAT=")) / 4 * 3) {
+ secure_error("ADAT: reply too long");
+ return(0);
+ }
if (kerror = radix_encode(out_buf, buf, &length, 0)) {
secure_error("Couldn't encode ADAT reply (%s)",
radix_error(kerror));
@@ -2287,7 +2380,8 @@ char *data;
syslog(LOG_ERR, "Couldn't canonicalize local hostname");
return 0;
}
- strcpy(localname, hp->h_name);
+ strncpy(localname, hp->h_name, sizeof(localname) - 1);
+ localname[sizeof(localname) - 1] = '\0';
for (service = gss_services; *service; service++) {
sprintf(service_name, "%s@%s", *service, localname);
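Review bot: `localname` is now bounded, but the `sprintf(service_name, "%s@%s", *service, localname)` on the next line still writes the service name, `@` and the host name into `service_name` with no length check. The declaration of `service_name` is outside the hunk, so its size relative to `localname` cannot be confirmed here. A guard inside the loop would make the bound explicit: `if (strlen(*service) + 1 + strlen(localname) >= sizeof(service_name)) continue;`.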
@@ -2358,6 +2452,16 @@ char *data;
}
if (out_tok.length) {
+ if (out_tok.length >= ((FTP_BUFSIZ - sizeof("ADAT="))
+ / 4 * 3)) {
+ secure_error("ADAT: reply too long");
+ syslog(LOG_ERR, "ADAT: reply too long");
+ (void) gss_release_cred(&stat_min, &server_creds);
+ if (ret_flags & GSS_C_DELEG_FLAG)
+ (void) gss_release_cred(&stat_min,
+ &deleg_creds);
+ return(0);
+ }
if (kerror = radix_encode(out_tok.value, gbuf, &out_tok.length, 0)) {
secure_error("Couldn't encode ADAT reply (%s)",
radix_error(kerror));
@@ -2456,6 +2560,9 @@ static char *onefile[] = {
* n>=0 on success
* -1 on error
* -2 on security error
+ *
+ * XXX callers need to limit total length of output string to
+ * FTP_BUFSIZ
*/
#ifdef STDARG
secure_fprintf(FILE *stream, char *fmt, ...)
@@ -2573,6 +2680,15 @@ send_file_list(whichfiles)
dir->d_name[2] == '\0')
continue;
+ if (strlen(dirname) + strlen(dir->d_name)
+ + 1 /* slash */
+ + 2 /* CRLF */
+ + 1 > sizeof(nbuf)) {
+ syslog(LOG_ERR,
+ "send_file_list: pathname too long");
+ ret = -2; /* XXX */
+ goto data_err;
+ }
sprintf(nbuf, "%s/%s", dirname, dir->d_name);
/*
diff --git a/src/appl/sample/sclient/ChangeLog b/src/appl/sample/sclient/ChangeLog
index 7603506..7e9c4f4 100644
--- a/src/appl/sample/sclient/ChangeLog
+++ b/src/appl/sample/sclient/ChangeLog
@@ -1,3 +1,9 @@
+2001-01-30 Ezra Peisach <epeisach@mit.edu>
+
+ * sclient.c (main): Do not free auth_context unless
+ set. (krb5-appl/895 from tim.mann@compaq.com)
+
+
2000-02-25 Ezra Peisach <epeisach@mit.edu>
* sclient.c (main): Return type of main should by int, not void.
diff --git a/src/appl/sample/sclient/sclient.c b/src/appl/sample/sclient/sclient.c
index d2097b9..242092b 100644
--- a/src/appl/sample/sclient/sclient.c
+++ b/src/appl/sample/sclient/sclient.c
@@ -175,7 +175,7 @@ char *argv[];
krb5_free_principal(context, server); /* finished using it */
krb5_free_principal(context, client);
krb5_cc_close(context, ccdef);
- krb5_auth_con_free(context, auth_context);
+ if (auth_context) krb5_auth_con_free(context, auth_context);
if (retval && retval != KRB5_SENDAUTH_REJECTED) {
com_err(argv[0], retval, "while using sendauth");
diff --git a/src/appl/telnet/libtelnet/ChangeLog b/src/appl/telnet/libtelnet/ChangeLog
index 67877b1..95906f3 100644
--- a/src/appl/telnet/libtelnet/ChangeLog
+++ b/src/appl/telnet/libtelnet/ChangeLog
@@ -1,3 +1,41 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kerberos5.c (kerberos5_is): Check principal name length before
+ examining components.
+
+2002-03-29 Tom Yu <tlyu@mit.edu>
+
+ * kerberos5.c, kerberos.c (Data): Don't overflow
+ buffer. [telnet/1073] [pullup and reindent from trunk]
+
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * configure.in: Check for setenv, unsetenv, and getenv. Compile
+ setenv.c if at least of these is undefined.
+
+ * setenv.c: Add conditionals for compilation of setenv, unsetenv,
+ and getenv such that they only get compiled if they don't already
+ exist.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gettytab.c (nchktc): Don't overflow tcname if tty type name is too
+ long
+ * kerberos.c (kerberos4_status): Make sure "UserNameRequested" is
+ always properly terminated.
+ * kerberos5.c (kerberos5_is): If bad principal name is too long to fit
+ in "errbuf", don't print it.
+ (kerberos5_status): Make sure "UserNameRequested" is always properly
+ terminated.
+ * spx.c (spx_status): Ditto.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kerberos5.c (kerberos5_is): Don't overflow buffer "errbuf".
+ * spx.c (spx_init, spx_send, spx_is): Don't overflow buffer
+ "targ_printable".
+ (spx_status): Don't overflow buffer "acl_file".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/appl/telnet/libtelnet/configure.in b/src/appl/telnet/libtelnet/configure.in
index 3bae866..9040a98 100644
--- a/src/appl/telnet/libtelnet/configure.in
+++ b/src/appl/telnet/libtelnet/configure.in
@@ -3,10 +3,14 @@ CONFIG_RULES
AC_PROG_ARCHIVE
AC_PROG_ARCHIVE_ADD
AC_PROG_RANLIB
-AC_REPLACE_FUNCS([strcasecmp strdup setenv setsid strerror strftime getopt herror parsetos])
-AC_CHECK_FUNCS(gettosbyname cgetent)
+AC_REPLACE_FUNCS([strcasecmp strdup setsid strerror strftime getopt herror parsetos])
+AC_CHECK_FUNCS(setenv unsetenv getenv gettosbyname cgetent)
AC_CHECK_HEADERS(stdlib.h string.h)
LIBOBJS="$LIBOBJS getent.o"
+if test $ac_cv_func_setenv = no || test $ac_cv_func_unsetenv = no \
+ || test $ac_cv_func_getenv = no; then
+ LIBOBJS="$LIBOBJS setenv.o"
+fi
AC_CONST
if test "$KRB4_LIB" = ''; then
AC_MSG_RESULT(No Kerberos 4 authentication)
diff --git a/src/appl/telnet/libtelnet/gettytab.c b/src/appl/telnet/libtelnet/gettytab.c
index f6ffb7c..aaad43a 100644
--- a/src/appl/telnet/libtelnet/gettytab.c
+++ b/src/appl/telnet/libtelnet/gettytab.c
@@ -98,9 +98,10 @@ nchktc()
/* p now points to beginning of last field */
if (p[0] != 't' || p[1] != 'c')
return(1);
- strcpy(tcname,p+3);
+ strncpy(tcname, p + 3, sizeof(tcname) - 1);
+ tcname[sizeof(tcname) - 1] = '\0';
q = tcname;
- while (q && *q != ':')
+ while (*q && *q != ':')
q++;
*q = 0;
if (++hopcount > MAXHOP) {
diff --git a/src/appl/telnet/libtelnet/kerberos.c b/src/appl/telnet/libtelnet/kerberos.c
index 734466e..0fda99b 100644
--- a/src/appl/telnet/libtelnet/kerberos.c
+++ b/src/appl/telnet/libtelnet/kerberos.c
@@ -141,6 +141,7 @@ Data(ap, type, d, c)
{
unsigned char *p = str_data + 4;
unsigned char *cd = (unsigned char *)d;
+ size_t spaceleft = sizeof(str_data) - 4;
if (c == -1)
c = strlen((char *)cd);
@@ -156,9 +157,16 @@ Data(ap, type, d, c)
*p++ = ap->type;
*p++ = ap->way;
*p++ = type;
+ spaceleft -= 3;
while (c-- > 0) {
- if ((*p++ = *cd++) == IAC)
- *p++ = IAC;
+ if ((*p++ = *cd++) == IAC) {
+ *p++ = IAC;
+ spaceleft--;
+ }
+ if ((--spaceleft < 4) && c) {
+ errno = ENOMEM;
+ return -1;
+ }
}
*p++ = IAC;
*p++ = SE;
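Review bot: `Data` can now fail with `-1` and `errno = ENOMEM`, but this new contract is undocumented and at least two callers ignore it: the `Data(ap, KRB_FORWARD_REJECT, errbuf, -1)` and `Data(ap, KRB_REJECT, eerrbuf, -1)` calls visible in `kerberos5_is` later in this patch discard the result. Add a comment above the function, `/* Returns -1 with errno = ENOMEM if the payload does not fit in str_data. */`, and have callers check it where a dropped message matters. The identical change to `Data` in kerberos5.c needs the same comment. The function starts and ends outside this hunk, so what it returned before this change is not visible.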
@@ -602,7 +610,9 @@ kerberos4_status(ap, name, level)
return(level);
if (UserNameRequested && !kuserok(&adat, UserNameRequested)) {
- strcpy(name, UserNameRequested);
+ /* the name buffer comes from telnetd/telnetd{-ktd}.c */
+ strncpy(name, UserNameRequested, 255);
+ name[255] = '\0';
return(AUTH_VALID);
} else
return(AUTH_USER);
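Review bot: `strncpy(name, UserNameRequested, 255)` followed by `name[255] = '\0'` hard-codes the size of a buffer that, per the added comment, is declared in telnetd; nothing in this file ties 255 to that declaration. If the caller's buffer is ever smaller than 256 bytes, the terminator write is itself out of bounds. A shared named constant in a common header, used both here and at the declaration, would keep the two in step; passing the length in would be better still but changes the interface. The same literal appears in the `kerberos5_status` and `spx_status` hunks.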
diff --git a/src/appl/telnet/libtelnet/kerberos5.c b/src/appl/telnet/libtelnet/kerberos5.c
index 6a62f36..b9bbae8 100644
--- a/src/appl/telnet/libtelnet/kerberos5.c
+++ b/src/appl/telnet/libtelnet/kerberos5.c
@@ -95,7 +95,7 @@ void kerberos5_forward();
#endif /* FORWARD */
-static unsigned char str_data[2048] = { IAC, SB, TELOPT_AUTHENTICATION, 0,
+static unsigned char str_data[8192] = {IAC, SB, TELOPT_AUTHENTICATION, 0,
AUTHTYPE_KERBEROS_V5, };
/*static unsigned char str_name[1024] = { IAC, SB, TELOPT_AUTHENTICATION,
TELQUAL_NAME, };*/
@@ -136,6 +136,7 @@ Data(ap, type, d, c)
{
unsigned char *p = str_data + 4;
unsigned char *cd = (unsigned char *)d;
+ size_t spaceleft = sizeof(str_data) - 4;
if (c == -1)
c = strlen((char *)cd);
@@ -151,9 +152,16 @@ Data(ap, type, d, c)
*p++ = ap->type;
*p++ = ap->way;
*p++ = type;
+ spaceleft -= 3;
while (c-- > 0) {
- if ((*p++ = *cd++) == IAC)
- *p++ = IAC;
+ if ((*p++ = *cd++) == IAC) {
+ *p++ = IAC;
+ spaceleft--;
+ }
+ if ((--spaceleft < 4) && c) {
+ errno = ENOMEM;
+ return -1;
+ }
}
*p++ = IAC;
*p++ = SE;
@@ -423,7 +431,8 @@ kerberos5_is(ap, data, cnt)
NULL, keytabid, NULL, &ticket);
if (r) {
(void) strcpy(errbuf, "krb5_rd_req failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
goto errout;
}
@@ -432,6 +441,10 @@ kerberos5_is(ap, data, cnt)
* first component of a service name especially since
* the default is of length 4.
*/
+ if (krb5_princ_size(telnet_context,ticket->server) < 1) {
+ (void) strcpy(errbuf, "malformed service name");
+ goto errout;
+ }
if (krb5_princ_component(telnet_context,ticket->server,0)->length < 256) {
char princ[256];
strncpy(princ,
@@ -440,8 +453,12 @@ kerberos5_is(ap, data, cnt)
princ[krb5_princ_component(telnet_context,
ticket->server,0)->length] = '\0';
if (strcmp("host", princ)) {
- (void) sprintf(errbuf, "incorrect service name: \"%s\" != \"%s\"",
- princ, "host");
+ if(strlen(princ) < sizeof(errbuf) - 39) {
+ (void) sprintf(errbuf, "incorrect service name: \"%s\" != \"host\"",
+ princ);
+ } else {
+ (void) sprintf(errbuf, "incorrect service name: principal != \"host\"");
+ }
goto errout;
}
} else {
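Review bot: The literal in `strlen(princ) < sizeof(errbuf) - 39` is not tied to the format string it protects, so an edit to the message can silently invalidate the bound. Derive it from the fixed text instead: `if (strlen(princ) < sizeof(errbuf) - sizeof("incorrect service name: \"\" != \"host\""))`. The declaration of `errbuf` is outside the hunk.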
@@ -455,7 +472,8 @@ kerberos5_is(ap, data, cnt)
if (r) {
(void) strcpy(errbuf,
"krb5_auth_con_getauthenticator failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
goto errout;
}
if ((ap->way & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON &&
@@ -476,7 +494,8 @@ kerberos5_is(ap, data, cnt)
&key);
if (r) {
(void) strcpy(errbuf, "krb5_auth_con_getkey failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
goto errout;
}
r = krb5_verify_checksum(telnet_context,
@@ -495,7 +514,8 @@ kerberos5_is(ap, data, cnt)
if (r) {
(void) strcpy(errbuf,
"checksum verification failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
goto errout;
}
krb5_free_keyblock(telnet_context, key);
@@ -506,7 +526,8 @@ kerberos5_is(ap, data, cnt)
if ((r = krb5_mk_rep(telnet_context, auth_context,
&outbuf))) {
(void) strcpy(errbuf, "Make reply failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
goto errout;
}
@@ -560,7 +581,8 @@ kerberos5_is(ap, data, cnt)
char errbuf[128];
(void) strcpy(errbuf, "Read forwarded creds failed: ");
- (void) strcat(errbuf, error_message(r));
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ (void) strncat(errbuf, error_message(r), sizeof(errbuf) - 1 - strlen(errbuf));
Data(ap, KRB_FORWARD_REJECT, errbuf, -1);
if (auth_debug_mode)
printf(
@@ -586,7 +608,8 @@ kerberos5_is(ap, data, cnt)
char eerrbuf[329];
strcpy(eerrbuf, "telnetd: ");
- strcat(eerrbuf, errbuf);
+ eerrbuf[sizeof(eerrbuf) - 1] = '\0';
+ strncat(eerrbuf, errbuf, sizeof(eerrbuf) - 1 - strlen(eerrbuf));
Data(ap, KRB_REJECT, eerrbuf, -1);
}
if (auth_debug_mode)
@@ -706,7 +729,9 @@ kerberos5_status(ap, name, level)
krb5_kuserok(telnet_context, ticket->enc_part2->client,
UserNameRequested))
{
- strcpy(name, UserNameRequested);
+ /* the name buffer comes from telnetd/telnetd{-ktd}.c */
+ strncpy(name, UserNameRequested, 255);
+ name[255] = '\0';
return(AUTH_VALID);
} else
return(AUTH_USER);
diff --git a/src/appl/telnet/libtelnet/setenv.c b/src/appl/telnet/libtelnet/setenv.c
index 70695a3..bc4f22d 100644
--- a/src/appl/telnet/libtelnet/setenv.c
+++ b/src/appl/telnet/libtelnet/setenv.c
@@ -52,6 +52,7 @@ static char *__findenv __P((const char *, int *));
* Set the value of the environmental variable "name" to be
* "value". If rewrite is set, replace any current value.
*/
+#ifndef HAVE_SETENV
setenv(name, value, rewrite)
register const char *name;
register const char *value;
@@ -102,11 +103,13 @@ setenv(name, value, rewrite)
for (*c++ = '='; *c++ = *value++;);
return (0);
}
+#endif
/*
* unsetenv(name) --
* Delete environmental variable "name".
*/
+#ifndef HAVE_UNSETENV
void
unsetenv(name)
const char *name;
@@ -120,11 +123,13 @@ unsetenv(name)
if (!(*p = *(p + 1)))
break;
}
+#endif
/*
* getenv --
* Returns ptr to value associated with name, if any, else NULL.
*/
+#ifndef HAVE_GETENV
char *
getenv(name)
const char *name;
@@ -133,6 +138,7 @@ getenv(name)
return (__findenv(name, &offset));
}
+#endif
/*
* __findenv --
diff --git a/src/appl/telnet/libtelnet/spx.c b/src/appl/telnet/libtelnet/spx.c
index f23490f..7285d0d 100644
--- a/src/appl/telnet/libtelnet/spx.c
+++ b/src/appl/telnet/libtelnet/spx.c
@@ -173,7 +173,8 @@ spx_init(ap, server)
str_data[3] = TELQUAL_REPLY;
gethostname(lhostname, sizeof(lhostname));
strcpy(targ_printable, "SERVICE:rcmd@");
- strcat(targ_printable, lhostname);
+ strncat(targ_printable, lhostname, sizeof(targ_printable) - 1 - 13);
+ targ_printable[sizeof(targ_printable) - 1] = '\0';
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
major_status = gss_import_name(&status,
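Review bot: `gethostname(lhostname, sizeof(lhostname))` is called without checking its result or terminating the buffer, and POSIX leaves it unspecified whether a truncated name is NUL-terminated. The new `strncat` then reads `lhostname` until it finds a terminator or reaches its limit, which may lie beyond the end of `lhostname` if `targ_printable` is the larger buffer (both sizes are declared outside the hunk). Add `lhostname[sizeof(lhostname) - 1] = '\0';` after the call. The `spx_is` hunk below has the same sequence. The literal 13 would also read better as `sizeof("SERVICE:rcmd@") - 1`.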
@@ -216,7 +217,8 @@ spx_send(ap)
printf("[ Trying SPX ... ]\n");
strcpy(targ_printable, "SERVICE:rcmd@");
- strcat(targ_printable, RemoteHostName);
+ strncat(targ_printable, RemoteHostName, sizeof(targ_printable) - 1 - 13);
+ targ_printable[sizeof(targ_printable) - 1] = '\0';
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
@@ -324,7 +326,8 @@ spx_is(ap, data, cnt)
gethostname(lhostname, sizeof(lhostname));
strcpy(targ_printable, "SERVICE:rcmd@");
- strcat(targ_printable, lhostname);
+ strncat(targ_printable, lhostname, sizeof(targ_printable) - 1 - 13);
+ targ_printable[sizeof(targ_printable) - 1] = '\0';
input_name_buffer.length = strlen(targ_printable);
input_name_buffer.value = targ_printable;
@@ -479,7 +482,7 @@ spx_status(ap, name, level)
gss_buffer_desc fullname_buffer, acl_file_buffer;
gss_OID fullname_type;
- char acl_file[160], fullname[160];
+ char acl_file[MAXPATHLEN], fullname[160];
int major_status, status = 0;
struct passwd *pwd;
@@ -494,8 +497,9 @@ spx_status(ap, name, level)
return(AUTH_USER); /* not authenticated */
}
- strcpy(acl_file, pwd->pw_dir);
- strcat(acl_file, "/.sphinx");
+ acl_file[sizeof(acl_file) - 1] = '\0';
+ strncpy(acl_file, pwd->pw_dir, sizeof(acl_file) - 1);
+ strncat(acl_file, "/.sphinx", sizeof(acl_file) - 1 - strlen(acl_file));
acl_file_buffer.value = acl_file;
acl_file_buffer.length = strlen(acl_file);
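Review bot: When `pwd->pw_dir` is long enough that `/.sphinx` no longer fits, the `strncpy`/`strncat` pair silently truncates, and `acl_file` then names some other path that is handed to the ACL check. Because this path feeds an authorization decision, truncation should be treated as a failure rather than tolerated: `if (strlen(pwd->pw_dir) + sizeof("/.sphinx") > sizeof(acl_file)) return(AUTH_USER);` before the copy. With `MAXPATHLEN` this is unlikely in practice, but the check costs one line.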
@@ -511,7 +515,9 @@ spx_status(ap, name, level)
&acl_file_buffer);
if (major_status == GSS_S_COMPLETE) {
- strcpy(name, UserNameRequested);
+ /* the name buffer comes from telnetd/telnetd{-ktd}.c */
+ strncpy(name, UserNameRequested, 255);
+ name[255] = '\0';
return(AUTH_VALID);
} else {
return(AUTH_USER);
diff --git a/src/appl/telnet/telnet/ChangeLog b/src/appl/telnet/telnet/ChangeLog
index e3cfb63..fb7cc9394 100644
--- a/src/appl/telnet/telnet/ChangeLog
+++ b/src/appl/telnet/telnet/ChangeLog
@@ -1,3 +1,18 @@
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * commands.c (makeargv): Don't overflow buffer "saveline".
+ (tn): Don't overflow buffer "_hostname".
+ (cmdrc): Don't overflow buffer "m1save".
+ * externs.h: Include the size of "tline", so that we can check for
+ overflows elsewhere.
+ * main.c(main, tn370): Don't overflow buffer "tline".
+ * utilities.c (SetNetTrace): Don't overflow buffer "NetTraceFile".
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * commands.c (cmdrc): Don't overflow buffer "rcbuf".
+ * tn3270.c (settranscom): Don't overflow buffer "transcom".
+
2000-02-24 Ezra Peisach <epeisach@mit.edu>
* configure.in: Remove dependency on libdes425 when krb4 support
diff --git a/src/appl/telnet/telnet/commands.c b/src/appl/telnet/telnet/commands.c
index 2c80b0b..8ffba2e 100644
--- a/src/appl/telnet/telnet/commands.c
+++ b/src/appl/telnet/telnet/commands.c
@@ -138,7 +138,9 @@ makeargv()
margc = 0;
cp = line;
if (*cp == '!') { /* Special case shell escape */
- strcpy(saveline, line); /* save for shell command */
+ strncpy(saveline, line, sizeof(saveline) - 1);
+ /* save for shell command */
+ saveline[sizeof(saveline) - 1] = '\0';
*argp++ = "!"; /* No room in string to get this */
margc++;
cp++;
@@ -2450,7 +2452,8 @@ tn(argc, argv)
if (temp & 0xffffffff != INADDR_NONE) {
sin.sin_addr.s_addr = temp;
sin.sin_family = AF_INET;
- (void) strcpy(_hostname, hostp);
+ (void) strncpy(_hostname, hostp, sizeof(_hostname) - 1);
+ _hostname[sizeof(_hostname) - 1] = '\0';
hostname = _hostname;
} else {
host = gethostbyname(hostp);
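Review bot: The unchanged condition guarding the new bounded copy, `if (temp & 0xffffffff != INADDR_NONE)`, parses as `temp & (0xffffffff != INADDR_NONE)` because `!=` binds tighter than `&`. Where `INADDR_NONE` is `0xffffffff` the comparison is 0, so the branch never runs and every host goes through `gethostbyname`. Parenthesise it: `if ((temp & 0xffffffff) != INADDR_NONE)`. The commit does not touch this line, but it decides whether the `_hostname` copy is reached at all.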
@@ -2855,16 +2858,18 @@ cmdrc(m1, m2)
if (skiprc)
return;
- strcpy(m1save, m1);
+ strncpy(m1save, m1, sizeof(m1save) - 1);
+ m1save[sizeof(m1save) - 1] = '\0';
m1 = m1save;
if (rcname == 0) {
rcname = getenv("HOME");
if (rcname)
- strcpy(rcbuf, rcname);
+ strncpy(rcbuf, rcname, sizeof(rcbuf) - 1);
else
rcbuf[0] = '\0';
- strcat(rcbuf, "/.telnetrc");
+ rcbuf[sizeof(rcbuf) - 1] = '\0';
+ strncat(rcbuf, "/.telnetrc", sizeof(rcbuf) - 1 - strlen(rcbuf));
rcname = rcbuf;
}
diff --git a/src/appl/telnet/telnet/externs.h b/src/appl/telnet/telnet/externs.h
index e993986..f35cded 100644
--- a/src/appl/telnet/telnet/externs.h
+++ b/src/appl/telnet/telnet/externs.h
@@ -486,7 +486,7 @@ extern char
*Ibackp, /* Oldest byte of 3270 data */
Ibuf[], /* 3270 buffer */
*Ifrontp, /* Where next 3270 byte goes */
- tline[],
+ tline[200],
*transcom; /* Transparent command */
extern int
diff --git a/src/appl/telnet/telnet/main.c b/src/appl/telnet/telnet/main.c
index da98ae6..7696857 100644
--- a/src/appl/telnet/telnet/main.c
+++ b/src/appl/telnet/telnet/main.c
@@ -274,7 +274,8 @@ main(argc, argv)
case 't':
#if defined(TN3270) && defined(unix)
transcom = tline;
- (void)strcpy(transcom, optarg);
+ (void)strncpy(transcom, optarg, sizeof(tline) - 1);
+ tline[sizeof(tline) - 1] = '\0';
#else
fprintf(stderr,
"%s: Warning: -t ignored, no TN3270 support.\n",
diff --git a/src/appl/telnet/telnet/tn3270.c b/src/appl/telnet/telnet/tn3270.c
index 77aedaf..c46ae7e 100644
--- a/src/appl/telnet/telnet/tn3270.c
+++ b/src/appl/telnet/telnet/tn3270.c
@@ -397,10 +397,11 @@ settranscom(argc, argv)
return 1;
}
transcom = tline;
- (void) strcpy(transcom, argv[1]);
+ (void) strncpy(transcom, argv[1], sizeof(tline) - 1);
+ tline[sizeof(tline) - 1] = '\0';
for (i = 2; i < argc; ++i) {
- (void) strcat(transcom, " ");
- (void) strcat(transcom, argv[i]);
+ (void) strncat(transcom, " ", sizeof(tline) - 1 - (transcom - tline));
+ (void) strncat(transcom, argv[i], sizeof(tline) - 1 - (transcom - tline));
}
return 1;
}
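Review bot: The `strncat` bounds in the loop never shrink: `transcom` was just set to `tline`, so `(transcom - tline)` is 0 and each call may append up to `sizeof(tline) - 1` bytes after whatever the buffer already holds. The count given to `strncat` limits the appended bytes, not the total, so long arguments can still write past the end of `tline`. The bound should use the current length, `strncat(transcom, argv[i], sizeof(tline) - 1 - strlen(tline));`, and likewise for the `" "` call. The start of settranscom is outside the hunk.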
diff --git a/src/appl/telnet/telnet/utilities.c b/src/appl/telnet/telnet/utilities.c
index 19f503b..82ad841 100644
--- a/src/appl/telnet/telnet/utilities.c
+++ b/src/appl/telnet/telnet/utilities.c
@@ -113,13 +113,15 @@ SetNetTrace(file)
if (file && (strcmp(file, "-") != 0)) {
NetTrace = fopen(file, "w");
if (NetTrace) {
- strcpy((char *)NetTraceFile, file);
+ strncpy((char *)NetTraceFile, file, sizeof(NetTraceFile) - 1);
+ NetTraceFile[sizeof(NetTraceFile) - 1] = '\0';
return;
}
fprintf(stderr, "Cannot open %s.\n", file);
}
NetTrace = stdout;
- strcpy((char *)NetTraceFile, "(standard output)");
+ strncpy((char *)NetTraceFile, "(standard output)", sizeof(NetTraceFile) - 1);
+ NetTraceFile[sizeof(NetTraceFile) - 1] = '\0';
}
void
diff --git a/src/appl/telnet/telnetd/ChangeLog b/src/appl/telnet/telnetd/ChangeLog
index 040a9af..5ab914a 100644
--- a/src/appl/telnet/telnetd/ChangeLog
+++ b/src/appl/telnet/telnetd/ChangeLog
@@ -1,3 +1,70 @@
+2002-01-18 Tom Yu <tlyu@mit.edu>
+
+ * ext.h: Make stdarg prototypes unconditional, to avoid annoying
+ mostly-ANSI compilers that don't define __STDC__.
+
+2001-10-15 Ken Raeburn <raeburn@mit.edu>
+
+ * telnetd.c (valid_opts): Note that 'w' takes a parameter.
+
+2001-08-02 Tom Yu <tlyu@mit.edu>
+
+ * authenc.c (net_write): Rewrite in terms of netwrite().
+
+ * configure.in: Check for vsnprintf().
+
+ * ext.h: New prototypes for netprintf, netprintf_urg,
+ netprintf_noflush, netwrite, netputs.
+
+ * slc.c: Fix to use new NETOBUF-handling functions.
+
+ * state.c: Fix to use new NETOBUF-handling functions.
+
+ * telnetd.c: Fix to use new NETOBUF-handling functions.
+
+ * termstat.c: Fix to use new NETOBUF-handling functions.
+
+ * utility.c: General rework to be more paranoid about
+ bounds-checking of NETOBUF and NFRONTP. Abstract away
+ interactions with NETOBUF to eliminate explicit references to
+ NFRONTP in many places.
+ (netwrite): New function; copies a buffer to the
+ NETOBUF "ring buffer", checking bounds and calling netflush() if
+ needed.
+ (netputs): New function; calls netwrite() with a nul-terminated
+ string.
+ (netprintf, netprintf_ext): New function; wrap sprintf() with
+ bounds checking for use with NETOBUF.
+ (netprintf_urg): New function; like netprintf() except sets neturg
+ to point at last char written.
+ (netprintf_noflush): New function; like netprintf() except
+ silently fails if NETOBUF is full.
+ (ttloop, printoption, printsub, printdata): Fix to use new
+ NETOBUF-handling functions.
+
+2001-01-25 Tom Yu <tlyu@mit.edu>
+
+ * state.c (envvarok): Disallow LC_* and NLSPATH.
+
+2000-06-19 Tom Yu <tlyu@mit.edu>
+
+ * telnetd.c (doit): Change test for "no authentication" as per
+ Jeffrey Altman's patch.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * sys_term.c (start_login, Solaris): forcefully terminate "termbuf"
+ in case the "TERM" environment variable isn't.
+ * telnet-ktd.c (getterminaltype): Don't overflow buffers "first" and
+ "netobuf".
+ (recv_ayt): Forcibly terminate buffer "netobuf".
+
+2000-03-20 Ken Raeburn <raeburn@mit.edu>
+ Jeffrey Altman <jaltman@watsun.cc.columbia.edu>
+
+ * state.c (telrcv): Fix off-by-one error dealing with full
+ buffer.
+
2000-02-24 Ezra Peisach <epeisach@mit.edu>
* configure.in: Remove dependency on libdes425 when krb4 support
diff --git a/src/appl/telnet/telnetd/authenc.c b/src/appl/telnet/telnetd/authenc.c
index 5736698..4488954 100644
--- a/src/appl/telnet/telnetd/authenc.c
+++ b/src/appl/telnet/telnetd/authenc.c
@@ -37,20 +37,17 @@
#include "telnetd.h"
#include <libtelnet/misc.h>
- int
+int
net_write(str, len)
unsigned char *str;
int len;
{
- if (nfrontp + len < netobuf + BUFSIZ) {
- memcpy((void *)nfrontp, (void *)str, len);
- nfrontp += len;
- return(len);
- }
- return(0);
+ if (len < 0)
+ return 0;
+ return netwrite(str, len);
}
- void
+void
net_encrypt()
{
#ifdef ENCRYPTION
@@ -87,7 +84,3 @@ telnet_gets(prompt, result, length, echo)
return((char *)0);
}
#endif /* defined(AUTHENTICATION) || defined(ENCRYPTION) */
-
-
-
-
diff --git a/src/appl/telnet/telnetd/configure.in b/src/appl/telnet/telnetd/configure.in
index e11b270..2dc6099 100644
--- a/src/appl/telnet/telnetd/configure.in
+++ b/src/appl/telnet/telnetd/configure.in
@@ -23,7 +23,7 @@ fi
fi
AC_HEADER_TIME
AC_CHECK_HEADERS(string.h arpa/nameser.h utmp.h sys/time.h sys/tty.h sac.h sys/ptyvar.h sys/filio.h sys/stream.h sys/utsname.h)
-AC_CHECK_FUNCS(gettosbyname)
+AC_CHECK_FUNCS(gettosbyname vsnprintf)
dnl Make our operating system-specific security checks and definitions for
dnl login.
dnl
diff --git a/src/appl/telnet/telnetd/ext.h b/src/appl/telnet/telnetd/ext.h
index 2ff53e3..dc9fe5a 100644
--- a/src/appl/telnet/telnetd/ext.h
+++ b/src/appl/telnet/telnetd/ext.h
@@ -187,8 +187,13 @@ extern void
tty_setsofttab P((int)),
tty_tspeed P((int)),
willoption P((int)),
- wontoption P((int)),
- writenet P((unsigned char *, int));
+ wontoption P((int));
+
+extern void netprintf(const char *, ...);
+extern void netprintf_urg(const char *fmt, ...);
+extern void netprintf_noflush(const char *fmt, ...);
+extern int netwrite(const char *, size_t);
+extern void netputs(const char *);
#ifdef ENCRYPTION
extern char *nclearto;
diff --git a/src/appl/telnet/telnetd/slc.c b/src/appl/telnet/telnetd/slc.c
index 1c68b95..613674b 100644
--- a/src/appl/telnet/telnetd/slc.c
+++ b/src/appl/telnet/telnetd/slc.c
@@ -198,7 +198,7 @@ end_slc(bufp)
(void) sprintf((char *)slcptr, "%c%c", IAC, SE);
slcptr += 2;
len = slcptr - slcbuf;
- writenet(slcbuf, len);
+ netwrite(slcbuf, len);
netflush(); /* force it out immediately */
DIAG(TD_OPTIONS, printsub('>', slcbuf+2, len-2););
}
diff --git a/src/appl/telnet/telnetd/state.c b/src/appl/telnet/telnetd/state.c
index 0f3b161..d783ed6 100644
--- a/src/appl/telnet/telnetd/state.c
+++ b/src/appl/telnet/telnetd/state.c
@@ -86,7 +86,7 @@ static void sb_auth_complete()
if (!auth_negotiated) {
static char *error =
"An environment option was sent before authentication negotiation completed.\r\nThis may create a security hazard. Connection dropped.\r\n";
- writenet(error, strlen(error));
+ netputs(error);
netflush();
exit(1);
}
@@ -102,7 +102,7 @@ telrcv()
#endif
while (ncc > 0) {
- if ((&ptyobuf[BUFSIZ] - pfrontp) < 2)
+ if ((&ptyobuf[BUFSIZ] - pfrontp) < 1)
break;
c = *netip++ & 0377, ncc--;
#ifdef ENCRYPTION
@@ -209,9 +209,7 @@ gotiac: switch (c) {
}
netclear(); /* clear buffer back */
- *nfrontp++ = IAC;
- *nfrontp++ = DM;
- neturg = nfrontp-1; /* off by one XXX */
+ netprintf_urg("%c%c", IAC, DM);
DIAG(TD_OPTIONS,
printoption("td: send IAC", DM));
break;
@@ -381,9 +379,12 @@ gotiac: switch (c) {
pfrontp = opfrontp;
pfrontp += term_input(xptyobuf, pfrontp, n, BUFSIZ+NETSLOP,
xbuf2, &oc, BUFSIZ);
- for (cp = xbuf2; oc > 0; --oc)
- if ((*nfrontp++ = *cp++) == IAC)
- *nfrontp++ = IAC;
+ for (cp = xbuf2; oc > 0; --oc) {
+ if (*cp == IAC)
+ netprintf("%c%c", *cp++, IAC);
+ else
+ netprintf("%c", *cp++);
+ }
}
#endif /* defined(CRAY2) && defined(UNICOS5) */
} /* end of telrcv */
@@ -463,8 +464,7 @@ send_do(option, init)
set_his_want_state_will(option);
do_dont_resp[option]++;
}
- (void) sprintf(nfrontp, (char *)doopt, option);
- nfrontp += sizeof (dont) - 2;
+ netprintf((char *)doopt, option);
DIAG(TD_OPTIONS, printoption("td: send do", option));
}
@@ -683,8 +683,7 @@ send_dont(option, init)
set_his_want_state_wont(option);
do_dont_resp[option]++;
}
- (void) sprintf(nfrontp, (char *)dont, option);
- nfrontp += sizeof (doopt) - 2;
+ netprintf((char *)dont, option);
DIAG(TD_OPTIONS, printoption("td: send dont", option));
}
@@ -833,8 +832,7 @@ send_will(option, init)
set_my_want_state_will(option);
will_wont_resp[option]++;
}
- (void) sprintf(nfrontp, (char *)will, option);
- nfrontp += sizeof (doopt) - 2;
+ netprintf((char *)will, option);
DIAG(TD_OPTIONS, printoption("td: send will", option));
}
@@ -993,8 +991,7 @@ send_wont(option, init)
set_my_want_state_wont(option);
will_wont_resp[option]++;
}
- (void) sprintf(nfrontp, (char *)wont, option);
- nfrontp += sizeof (wont) - 2;
+ netprintf((char *)wont, option);
DIAG(TD_OPTIONS, printoption("td: send wont", option));
}
@@ -1393,10 +1390,8 @@ suboption()
env_ovar_wrong:
env_ovar = OLD_ENV_VALUE;
env_ovalue = OLD_ENV_VAR;
- DIAG(TD_OPTIONS, {sprintf(nfrontp,
- "ENVIRON VALUE and VAR are reversed!\r\n");
- nfrontp += strlen(nfrontp);});
-
+ DIAG(TD_OPTIONS,
+ netputs("ENVIRON VALUE and VAR are reversed!\r\n"));
}
}
SB_RESTORE();
@@ -1633,7 +1628,7 @@ send_status()
ADD(IAC);
ADD(SE);
- writenet(statusbuf, ncp - statusbuf);
+ netwrite(statusbuf, ncp - statusbuf);
netflush(); /* Send it on its way */
DIAG(TD_OPTIONS,
@@ -1663,6 +1658,8 @@ static int envvarok(varp)
strcmp(varp, "KRB_REALMS") && /* cns v4 */
strcmp(varp, "LIBPATH") && /* AIX */
strcmp(varp, "RESOLV_HOST_CONF") && /* linux */
+ strcmp(varp, "NLSPATH") && /* locale stuff */
+ strncmp(varp, "LC_", strlen("LC_")) && /* locale stuff */
strcmp(varp, "IFS")) {
return 1;
} else {
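Review bot: The two added tests carry only the comment `/* locale stuff */`, which does not tell a maintainer why a peer must not set these variables. A comment on the added lines should give the reason, presumably `/* locale variables select the message catalogs loaded by login and its children; never accept them from the peer */`. This is a denylist, so any variable not named is accepted. The head of envvarok is outside the hunk, so which other prefixes are already refused cannot be confirmed from here.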
diff --git a/src/appl/telnet/telnetd/sys_term.c b/src/appl/telnet/telnetd/sys_term.c
index ee8d53d..b79209d 100644
--- a/src/appl/telnet/telnetd/sys_term.c
+++ b/src/appl/telnet/telnetd/sys_term.c
@@ -1257,6 +1257,7 @@ start_login(host, autologin, name)
} else {
strcpy(termbuf, "TERM=");
strncat(termbuf, term, sizeof(termbuf) - 6);
+ termbuf[sizeof(termbuf) - 1] = '\0';
term = termbuf;
}
argv = addarg(argv, term);
diff --git a/src/appl/telnet/telnetd/telnetd-ktd.c b/src/appl/telnet/telnetd/telnetd-ktd.c
index 9ec608f..5936e3b 100644
--- a/src/appl/telnet/telnetd/telnetd-ktd.c
+++ b/src/appl/telnet/telnetd/telnetd-ktd.c
@@ -360,7 +360,7 @@ main(argc, argv)
}
(void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on));
- if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
+ if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("bind");
exit(1);
}
@@ -368,7 +368,7 @@ main(argc, argv)
perror("listen");
exit(1);
}
- foo = sizeof sin;
+ foo = sizeof(sin);
ns = accept(s, (struct sockaddr *)&sin, &foo);
if (ns < 0) {
perror("accept");
@@ -548,25 +548,33 @@ getterminaltype(name)
if (his_state_is_will(TELOPT_TSPEED)) {
static char sbbuf[] = { IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
- memcpy(nfrontp, sbbuf, sizeof sbbuf);
- nfrontp += sizeof sbbuf;
+ if(nfrontp - netobuf + sizeof(sbbuf) < sizeof(netobuf)) {
+ memcpy(nfrontp, sbbuf, sizeof(sbbuf));
+ nfrontp += sizeof(sbbuf);
+ }
}
if (his_state_is_will(TELOPT_XDISPLOC)) {
static char sbbuf[] = { IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
- memcpy(nfrontp, sbbuf, sizeof sbbuf);
- nfrontp += sizeof sbbuf;
+ if(nfrontp - netobuf + sizeof(sbbuf) < sizeof(netobuf)) {
+ memcpy(nfrontp, sbbuf, sizeof(sbbuf));
+ nfrontp += sizeof(sbbuf);
+ }
}
if (his_state_is_will(TELOPT_ENVIRON)) {
static char sbbuf[] = { IAC, SB, TELOPT_ENVIRON, TELQUAL_SEND, IAC, SE };
- memcpy(nfrontp, sbbuf, sizeof sbbuf);
- nfrontp += sizeof sbbuf;
+ if(nfrontp - netobuf + sizeof(sbbuf) < sizeof(netobuf)) {
+ memcpy(nfrontp, sbbuf, sizeof(sbbuf));
+ nfrontp += sizeof(sbbuf);
+ }
}
if (his_state_is_will(TELOPT_TTYPE)) {
- memcpy(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
- nfrontp += sizeof ttytype_sbbuf;
+ if(nfrontp - netobuf + sizeof(ttytype_sbbuf) < sizeof(netobuf)) {
+ memcpy(nfrontp, ttytype_sbbuf, sizeof(ttytype_sbbuf));
+ nfrontp += sizeof(ttytype_sbbuf);
+ }
}
if (his_state_is_will(TELOPT_TSPEED)) {
while (sequenceIs(tspeedsubopt, baseline))
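Review bot: When `netobuf` lacks room, each added guard skips the SEND request without flushing or reporting it, yet the `while (sequenceIs(tspeedsubopt, baseline))` loop at the end of the hunk still waits for a reply to a request that may never have been queued. telnetd.c handles the same cases with `netwrite()`, which flushes and retries before giving up; if this file is linked with utility.c, `netwrite(sbbuf, sizeof(sbbuf));` would replace all four copies of the guard. The guard also mixes a pointer difference with `size_t` in one comparison. getterminaltype starts and ends outside the hunk.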
@@ -591,12 +599,14 @@ getterminaltype(name)
* we have to just go with what we (might) have already gotten.
*/
if (his_state_is_will(TELOPT_TTYPE) && !terminaltypeok(terminaltype)) {
- (void) strncpy(first, terminaltype, sizeof(first));
+ (void) strncpy(first, terminaltype, sizeof(first) - 1);
+ first[sizeof(first) - 1] = '\0';
for(;;) {
/*
* Save the unknown name, and request the next name.
*/
- (void) strncpy(last, terminaltype, sizeof(last));
+ (void) strncpy(last, terminaltype, sizeof(last) - 1);
+ last[sizeof(last) - 1] = '\0';
_gettermname();
if (terminaltypeok(terminaltype))
break;
@@ -615,7 +625,8 @@ getterminaltype(name)
*/
_gettermname();
if (strncmp(first, terminaltype, sizeof(first)) != 0)
- (void) strncpy(terminaltype, first, sizeof(first));
+ (void) strncpy(terminaltype, first, sizeof(terminaltype) - 1);
+ terminaltype[sizeof(terminaltype) - 1] = '\0';
break;
}
}
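Review bot: `sizeof(terminaltype)` is the buffer size only if `terminaltype` is declared as an array in this file. Its declaration is not visible in the hunk, and if it is a `char *` the copy is limited to the pointer size minus one and the terminal name is truncated. Please confirm the declaration or bound the copy by the size of the underlying buffer. The added terminator line also sits outside the unbraced `if`, so it runs on every pass; that is harmless, but braces around both statements would match the intent.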
@@ -635,8 +646,8 @@ _gettermname()
if (his_state_is_wont(TELOPT_TTYPE))
return;
settimer(baseline);
- memcpy(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
- nfrontp += sizeof ttytype_sbbuf;
+ memcpy(nfrontp, ttytype_sbbuf, sizeof(ttytype_sbbuf));
+ nfrontp += sizeof(ttytype_sbbuf);
while (sequenceIs(ttypesubopt, baseline))
ttloop();
}
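Review bot: The `memcpy` into `nfrontp` here is still unchecked. The hunk only changes the `sizeof` spelling, while getterminaltype in the same file gained a room check for the identical `ttytype_sbbuf` copy. _gettermname is called from the `for(;;)` loop in getterminaltype, so the same guard belongs here: wrap the two lines in `if (nfrontp - netobuf + sizeof(ttytype_sbbuf) < sizeof(netobuf)) { ... }`.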
@@ -922,7 +933,7 @@ telnet(f, p, host)
#if defined(SO_OOBINLINE)
(void) setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
- (char *)&on, sizeof on);
+ (char *)&on, sizeof(on));
#endif /* defined(SO_OOBINLINE) */
#ifdef SIGTSTP
@@ -989,8 +1000,10 @@ telnet(f, p, host)
HE = getstr("he", &cp);
HN = getstr("hn", &cp);
IM = getstr("im", &cp);
- if (HN && *HN)
- (void) strcpy(host_name, HN);
+ if (HN && *HN) {
+ (void) strncpy(host_name, HN, sizeof(host_name) - 1);
+ host_name[sizeof(host_name) - 1] = '\0';
+ }
if (IM == 0)
IM = "";
} else {
@@ -1426,8 +1439,10 @@ recv_ayt()
return;
}
#endif
- (void) strcpy(nfrontp, "\r\n[Yes]\r\n");
+ (void) strncpy(nfrontp, "\r\n[Yes]\r\n",
+ sizeof(netobuf) - 1 - (nfrontp - netobuf));
nfrontp += 9;
+ *nfrontp = '\0';
}
void
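Review bot: `nfrontp += 9` and `*nfrontp = '\0'` run regardless of how many bytes the bounded `strncpy` copied, so when fewer than ten bytes remain in `netobuf` the pointer moves past the end and the terminator is written out of bounds. If `nfrontp` already sits at the end of the buffer, the computed count also wraps to a very large `size_t`. Check for room first and copy only then: `if (sizeof(netobuf) - (nfrontp - netobuf) > 9) { memcpy(nfrontp, "\r\n[Yes]\r\n", 9); nfrontp += 9; }`. telnetd.c's version of this function uses `netputs()` for the same job.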
diff --git a/src/appl/telnet/telnetd/telnetd.c b/src/appl/telnet/telnetd/telnetd.c
index 7267469..5588d1a 100644
--- a/src/appl/telnet/telnetd/telnetd.c
+++ b/src/appl/telnet/telnetd/telnetd.c
@@ -153,7 +153,7 @@ extern void usage P((void));
*/
char valid_opts[] = {
'd', ':', 'h', 'k', 'L', ':', 'n', 'S', ':', 'U',
- 'w',
+ 'w', ':',
#ifdef AUTHENTICATION
'a', ':', 'X', ':',
#endif
@@ -522,7 +522,7 @@ main(argc, argv)
}
(void) setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
(char *)&on, sizeof(on));
- if (bind(s, (struct sockaddr *)&sin, sizeof sin) < 0) {
+ if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
perror("bind");
exit(1);
}
@@ -530,7 +530,7 @@ main(argc, argv)
perror("listen");
exit(1);
}
- foo = sizeof sin;
+ foo = sizeof(sin);
ns = accept(s, (struct sockaddr *)&sin, &foo);
if (ns < 0) {
perror("accept");
@@ -693,7 +693,7 @@ static void encrypt_failure()
char *error_message =
"Encryption was not successfully negotiated. Goodbye.\r\n\r\n";
- writenet(error_message, strlen(error_message));
+ netputs(error_message);
netflush();
exit(1);
}
@@ -780,36 +780,26 @@ getterminaltype(name)
if (his_state_is_will(TELOPT_TSPEED)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_TSPEED, TELQUAL_SEND, IAC, SE };
-
- memcpy(nfrontp, sb, sizeof sb);
- nfrontp += sizeof sb;
+ netwrite(sb, sizeof(sb));
}
if (his_state_is_will(TELOPT_XDISPLOC)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_XDISPLOC, TELQUAL_SEND, IAC, SE };
-
- memcpy(nfrontp, sb, sizeof sb);
- nfrontp += sizeof sb;
+ netwrite(sb, sizeof(sb));
}
if (his_state_is_will(TELOPT_NEW_ENVIRON)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_NEW_ENVIRON, TELQUAL_SEND, IAC, SE };
-
- memcpy(nfrontp, sb, sizeof sb);
- nfrontp += sizeof sb;
+ netwrite(sb, sizeof(sb));
}
else if (his_state_is_will(TELOPT_OLD_ENVIRON)) {
static unsigned char sb[] =
{ IAC, SB, TELOPT_OLD_ENVIRON, TELQUAL_SEND, IAC, SE };
-
- memcpy(nfrontp, sb, sizeof sb);
- nfrontp += sizeof sb;
+ netwrite(sb, sizeof(sb));
}
- if (his_state_is_will(TELOPT_TTYPE)) {
+ if (his_state_is_will(TELOPT_TTYPE))
+ netwrite(ttytype_sbbuf, sizeof(ttytype_sbbuf));
- memcpy(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
- nfrontp += sizeof ttytype_sbbuf;
- }
if (his_state_is_will(TELOPT_TSPEED)) {
while (sequenceIs(tspeedsubopt, baseline))
ttloop();
@@ -886,8 +876,7 @@ _gettermname()
if (his_state_is_wont(TELOPT_TTYPE))
return;
settimer(baseline);
- memcpy(nfrontp, ttytype_sbbuf, sizeof ttytype_sbbuf);
- nfrontp += sizeof ttytype_sbbuf;
+ netwrite(ttytype_sbbuf, sizeof(ttytype_sbbuf));
while (sequenceIs(ttypesubopt, baseline))
ttloop();
}
@@ -1009,7 +998,7 @@ pty_init();
setenv("TERM", *terminaltype ? terminaltype : "network", 1);
#if defined (AUTHENTICATION)
- if (user_name[0] == '\0') {
+ if (level < 0 && auth_level > 0) {
fatal (net, "No authentication provided");
exit (-1);
}
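Review bot: The new gate `level < 0 && auth_level > 0` depends on two variables whose meaning and assignment are outside this hunk, and a session with `level < 0` now passes whenever `auth_level` is 0 or less. A comment above the test should state what each value means, for example `/* level < 0: no authentication completed; auth_level > 0: authentication required */`, with the wording confirmed against the code that sets them. The surrounding function starts and ends outside the hunk.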
@@ -1159,9 +1148,7 @@ telnet(f, p, host)
* mode, which we do not want.
*/
if (his_want_state_is_will(TELOPT_ECHO)) {
- DIAG(TD_OPTIONS,
- {sprintf(nfrontp, "td: simulating recv\r\n");
- nfrontp += strlen(nfrontp);});
+ DIAG(TD_OPTIONS, netputs("td: simulating recv\r\n"));
willoption(TELOPT_ECHO);
}
@@ -1205,7 +1192,7 @@ telnet(f, p, host)
#if defined(SO_OOBINLINE)
(void) setsockopt(net, SOL_SOCKET, SO_OOBINLINE,
- (char *)&on, sizeof on);
+ (char *)&on, sizeof(on));
#endif /* defined(SO_OOBINLINE) */
#ifdef SIGTSTP
@@ -1266,7 +1253,8 @@ telnet(f, p, host)
HN = getstr("hn", &cp);
IM = getstr("im", &cp);
if (HN && *HN)
- (void) strcpy(host_name, HN);
+ (void) strncpy(host_name, HN, sizeof(host_name) - 1);
+ host_name[sizeof(host_name) - 1] = '\0';
if (IM == 0)
IM = "";
} else {
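Review bot: The added terminator line is not covered by the unbraced `if (HN && *HN)`, so `host_name[sizeof(host_name) - 1] = '\0';` runs on every pass, including when `HN` is empty. That is harmless here, but the telnetd-ktd.c copy of this change wraps both statements in braces. Doing the same here keeps the two files alike and stops a later statement from landing outside the condition by mistake.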
@@ -1289,9 +1277,7 @@ telnet(f, p, host)
localstat();
#endif /* LINEMODE */
- DIAG(TD_REPORT,
- {sprintf(nfrontp, "td: Entering processing loop\r\n");
- nfrontp += strlen(nfrontp);});
+ DIAG(TD_REPORT, netputs("td: Entering processing loop\r\n"));
#ifdef convex
startslave(host);
@@ -1416,8 +1402,7 @@ telnet(f, p, host)
netip = netibuf;
}
DIAG((TD_REPORT | TD_NETDATA),
- {sprintf(nfrontp, "td: netread %d chars\r\n", ncc);
- nfrontp += strlen(nfrontp);});
+ netprintf("td: netread %d chars\r\n", ncc));
DIAG(TD_NETDATA, printdata("nd", netip, ncc));
}
@@ -1464,9 +1449,7 @@ telnet(f, p, host)
* royally if we send them urgent
* mode data.
*/
- *nfrontp++ = IAC;
- *nfrontp++ = DM;
- neturg = nfrontp-1; /* off by one XXX */
+ netprintf_urg("%c%c", IAC, DM);
#endif
}
if (his_state_is_will(TELOPT_LFLOW) &&
@@ -1476,13 +1459,11 @@ telnet(f, p, host)
ptyibuf[0] & TIOCPKT_DOSTOP ? 1 : 0;
if (newflow != flowmode) {
flowmode = newflow;
- (void) sprintf(nfrontp,
- "%c%c%c%c%c%c",
+ netprintf("%c%c%c%c%c%c",
IAC, SB, TELOPT_LFLOW,
flowmode ? LFLOW_ON
: LFLOW_OFF,
IAC, SE);
- nfrontp += 6;
}
}
pcc--;
@@ -1505,19 +1486,19 @@ telnet(f, p, host)
break;
c = *ptyip++ & 0377, pcc--;
if (c == IAC)
- *nfrontp++ = c;
+ netprintf("%c", c);
#if defined(CRAY2) && defined(UNICOS5)
else if (c == '\n' &&
my_state_is_wont(TELOPT_BINARY) && newmap)
- *nfrontp++ = '\r';
+ netputs("\r");
#endif /* defined(CRAY2) && defined(UNICOS5) */
- *nfrontp++ = c;
+ netprintf("%c", c);
if ((c == '\r') && (my_state_is_wont(TELOPT_BINARY))) {
if (pcc > 0 && ((*ptyip & 0377) == '\n')) {
- *nfrontp++ = *ptyip++ & 0377;
+ netprintf("%c", *ptyip++ & 0377);
pcc--;
} else
- *nfrontp++ = '\0';
+ netprintf("%c", '\0');
}
}
#if defined(CRAY2) && defined(UNICOS5)
@@ -1679,7 +1660,7 @@ sendsusp()
* When we get an AYT, if ^T is enabled, use that. Otherwise,
* just send back "[Yes]".
*/
- void
+void
recv_ayt()
{
#if defined(SIGINFO) && defined(TCSIG)
@@ -1688,8 +1669,7 @@ recv_ayt()
return;
}
#endif
- (void) strcpy(nfrontp, "\r\n[Yes]\r\n");
- nfrontp += 9;
+ netputs("\r\n[Yes]\r\n");
}
void
diff --git a/src/appl/telnet/telnetd/termstat.c b/src/appl/telnet/telnetd/termstat.c
index 824a1a6..531e167 100644
--- a/src/appl/telnet/telnetd/termstat.c
+++ b/src/appl/telnet/telnetd/termstat.c
@@ -283,10 +283,9 @@ localstat()
# endif /* KLUDGELINEMODE */
send_do(TELOPT_LINEMODE, 1);
/* send along edit modes */
- (void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+ netprintf("%c%c%c%c%c%c%c", IAC, SB,
TELOPT_LINEMODE, LM_MODE, useeditmode,
IAC, SE);
- nfrontp += 7;
editmode = useeditmode;
# ifdef KLUDGELINEMODE
}
@@ -312,10 +311,9 @@ localstat()
/*
* Send along appropriate edit mode mask.
*/
- (void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC, SB,
+ (void) netprintf("%c%c%c%c%c%c%c", IAC, SB,
TELOPT_LINEMODE, LM_MODE, useeditmode,
IAC, SE);
- nfrontp += 7;
editmode = useeditmode;
}
@@ -359,20 +357,18 @@ flowstat()
if (his_state_is_will(TELOPT_LFLOW)) {
if (tty_flowmode() != flowmode) {
flowmode = tty_flowmode();
- (void) sprintf(nfrontp, "%c%c%c%c%c%c",
+ netprintf("%c%c%c%c%c%c",
IAC, SB, TELOPT_LFLOW,
flowmode ? LFLOW_ON : LFLOW_OFF,
IAC, SE);
- nfrontp += 6;
}
if (tty_restartany() != restartany) {
restartany = tty_restartany();
- (void) sprintf(nfrontp, "%c%c%c%c%c%c",
+ netprintf("%c%c%c%c%c%c",
IAC, SB, TELOPT_LFLOW,
restartany ? LFLOW_RESTART_ANY
: LFLOW_RESTART_XON,
IAC, SE);
- nfrontp += 6;
}
}
}
@@ -445,10 +441,9 @@ clientstat(code, parm1, parm2)
useeditmode |= MODE_SOFT_TAB;
if (tty_islitecho())
useeditmode |= MODE_LIT_ECHO;
- (void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+ netprintf("%c%c%c%c%c%c%c", IAC,
SB, TELOPT_LINEMODE, LM_MODE,
- useeditmode, IAC, SE);
- nfrontp += 7;
+ useeditmode, IAC, SE);
editmode = useeditmode;
}
@@ -504,11 +499,10 @@ clientstat(code, parm1, parm2)
set_termbuf();
if (!ack) {
- (void) sprintf(nfrontp, "%c%c%c%c%c%c%c", IAC,
+ netprintf("%c%c%c%c%c%c%c", IAC,
SB, TELOPT_LINEMODE, LM_MODE,
useeditmode|MODE_ACK,
IAC, SE);
- nfrontp += 7;
}
editmode = useeditmode;
diff --git a/src/appl/telnet/telnetd/utility.c b/src/appl/telnet/telnetd/utility.c
index 408c6f4..93a932d 100644
--- a/src/appl/telnet/telnetd/utility.c
+++ b/src/appl/telnet/telnetd/utility.c
@@ -33,6 +33,7 @@
/* based on @(#)utility.c 8.1 (Berkeley) 6/4/93 */
+#include <stdarg.h>
#define PRINTOPTIONS
#include "telnetd.h"
@@ -58,8 +59,7 @@ ttloop()
{
void netflush();
- DIAG(TD_REPORT, {sprintf(nfrontp, "td: ttloop\r\n");
- nfrontp += strlen(nfrontp);});
+ DIAG(TD_REPORT, netputs("td: ttloop\r\n"));
if (nfrontp-nbackp) {
netflush();
}
@@ -74,8 +74,7 @@ read_again:
syslog(LOG_INFO, "ttloop: peer died: %m");
exit(1);
}
- DIAG(TD_REPORT, {sprintf(nfrontp, "td: ttloop read %d chars\r\n", ncc);
- nfrontp += strlen(nfrontp);});
+ DIAG(TD_REPORT, netprintf("td: ttloop read %d chars\r\n", ncc));
netip = netibuf;
telrcv(); /* state machine */
if (ncc > 0) {
@@ -118,8 +117,7 @@ ptyflush()
if ((n = pfrontp - pbackp) > 0) {
DIAG((TD_REPORT | TD_PTYDATA),
- { sprintf(nfrontp, "td: ptyflush %d chars\r\n", n);
- nfrontp += strlen(nfrontp); });
+ netprintf("td: ptyflush %d chars\r\n", n));
DIAG(TD_PTYDATA, printdata("pd", pbackp, n));
n = write(pty, pbackp, n);
}
@@ -244,18 +242,15 @@ netclear()
* Send as much data as possible to the network,
* handling requests for urgent data.
*/
- void
+void
netflush()
{
int n;
extern int not42;
if ((n = nfrontp - nbackp) > 0) {
- DIAG(TD_REPORT,
- { sprintf(nfrontp, "td: netflush %d chars\r\n", n);
- n += strlen(nfrontp); /* get count first */
- nfrontp += strlen(nfrontp); /* then move pointer */
- });
+ DIAG(TD_REPORT, {netprintf_noflush("td: netflush %d chars\r\n", n);
+ n = nfrontp - nbackp;});
#ifdef ENCRYPTION
if (encrypt_output) {
char *s = nclearto ? nclearto : nbackp;
@@ -312,33 +307,131 @@ netflush()
return;
} /* end of netflush */
+/*
+ * L8_256(x) = log8(256**x), rounded up, including sign (for decimal
+ * strings too). log8(256) = 8/3, but we use integer math to round
+ * up.
+ */
+#define L8_256(x) (((x * 8 + 2) / 3) + 1)
/*
- * writenet
+ * netprintf
*
- * Just a handy little function to write a bit of raw data to the net.
- * It will force a transmit of the buffer if necessary
+ * Do the equivalent of printf() to the NETOBUF "ring buffer",
+ * possibly calling netflush() if needed.
*
- * arguments
- * ptr - A pointer to a character string to write
- * len - How many bytes to write
+ * Thou shalt not call this with a "%s" format; use netputs instead.
+ * We also don't deal with floating point widths in here.
*/
- void
-writenet(ptr, len)
- register unsigned char *ptr;
- register int len;
+void
+netprintf_ext(int noflush, int seturg, const char *fmt, va_list args)
{
- /* flush buffer if no room for new data) */
- if ((&netobuf[BUFSIZ] - nfrontp) < len) {
- /* if this fails, don't worry, buffer is a little big */
- netflush();
+ size_t remain;
+ size_t maxoutlen;
+ char buf[BUFSIZ];
+ const char *cp;
+ int len;
+
+ buf[0] = '\0'; /* nul-terminate */
+ remain = sizeof(netobuf) - (nfrontp - netobuf);
+ for (maxoutlen = 0, cp = fmt; *cp; cp++) {
+ if (*cp == '%')
+ /* Ok so this is slightly overkill... */
+ maxoutlen += L8_256(sizeof(long));
+ else
+ maxoutlen++;
}
+ if (maxoutlen >= sizeof(buf))
+ return; /* highly unlikely */
- memcpy(nfrontp, ptr, len);
+#ifdef HAVE_VSNPRINTF
+ len = vsnprintf(buf, sizeof(buf), fmt, args);
+#else
+ len = vsprintf(buf, fmt, args); /* XXX need to fix for SunOS? */
+#endif
+
+ /*
+ * The return value from sprintf()-like functions may be the
+ * number of characters that *would* have been output, not the
+ * number actually output.
+ */
+ if (len <= 0 || len > sizeof(buf))
+ return;
+ if (remain < len && !noflush) {
+ netflush();
+ remain = sizeof(netobuf) - (nfrontp - netobuf);
+ }
+ if (remain < len)
+ return; /* still not enough space? */
+ memcpy(nfrontp, buf, (size_t)len);
nfrontp += len;
+ if (seturg)
+ neturg = nfrontp - 1;
+}
+
+void
+netprintf(const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ netprintf_ext(0, 0, fmt, args);
+ va_end(args);
+}
+
+void
+netprintf_urg(const char *fmt, ...)
+{
+ va_list args;
+
+ va_start(args, fmt);
+ netprintf_ext(0, 1, fmt, args);
+ va_end(args);
+}
+
+void
+netprintf_noflush(const char *fmt, ...)
+{
+ va_list args;
-} /* end of writenet */
+ va_start(args, fmt);
+ netprintf_ext(1, 0, fmt, args);
+ va_end(args);
+}
+
+/*
+ * netwrite
+ *
+ * Copy BUF into the NETOBUF "ring buffer", possibly calling
+ * netflush() if needed.
+ */
+int
+netwrite(const char *buf, size_t len)
+{
+ size_t remain;
+
+ remain = sizeof(netobuf) - (nfrontp - netobuf);
+ if (remain < len) {
+ netflush();
+ remain = sizeof(netobuf) - (nfrontp - netobuf);
+ }
+ if (remain < len)
+ return 0;
+ memcpy(nfrontp, buf, len);
+ nfrontp += len;
+ return len;
+}
+/*
+ * netputs
+ *
+ * Write S to the NETOBUF "ring buffer". Does not write a '\n'.
+ */
+void
+netputs(const char *s)
+{
+ netwrite(s, strlen(s));
+}
/*
* miscellaneous functions doing a variety of little jobs follow ...
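Review bot: In netprintf_ext the test `len > sizeof(buf)` lets `len == sizeof(buf)` through, although a `vsnprintf` that reports `sizeof(buf)` has truncated its output to `sizeof(buf) - 1` characters, so the following `memcpy` sends the terminating NUL as data. The test should be `if (len <= 0 || (size_t)len >= sizeof(buf)) return;`, which also removes the signed/unsigned comparison. In the `vsprintf` fallback the only protection is the `maxoutlen` estimate, which holds only under the no-`%s`, no-width rule in the header comment; that rule is worth repeating beside the prototypes in ext.h, since state.c passes `doopt`, `dont`, `will` and `wont` as non-literal formats. The argument of `L8_256(x)` should be parenthesised as `((x) * 8 + 2)`.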
@@ -522,22 +615,26 @@ putf(cp, where)
/*
* Print telnet options and commands in plain text, if possible.
*/
- void
+void
printoption(fmt, option)
register char *fmt;
register int option;
{
- if (TELOPT_OK(option))
- sprintf(nfrontp, "%s %s\r\n", fmt, TELOPT(option));
- else if (TELCMD_OK(option))
- sprintf(nfrontp, "%s %s\r\n", fmt, TELCMD(option));
- else
- sprintf(nfrontp, "%s %d\r\n", fmt, option);
- nfrontp += strlen(nfrontp);
+ netputs(fmt);
+ netputs(" ");
+ if (TELOPT_OK(option)) {
+ netputs(TELOPT(option));
+ netputs("\r\n");
+ } else if (TELCMD_OK(option)) {
+ netputs(TELCMD(option));
+ netputs("\r\n");
+ } else {
+ netprintf("%d\r\n", option);
+ }
return;
}
- void
+void
printsub(direction, pointer, length)
char direction; /* '<' or '>' */
unsigned char *pointer; /* where suboption data sits */
@@ -550,9 +647,9 @@ printsub(direction, pointer, length)
return;
if (direction) {
- sprintf(nfrontp, "td: %s suboption ",
- direction == '<' ? "recv" : "send");
- nfrontp += strlen(nfrontp);
+ netputs("td: ");
+ netputs(direction == '<' ? "recv" : "send");
+ netputs(" suboption ");
if (length >= 3) {
register int j;
@@ -560,261 +657,223 @@ printsub(direction, pointer, length)
j = pointer[length-1];
if (i != IAC || j != SE) {
- sprintf(nfrontp, "(terminated by ");
- nfrontp += strlen(nfrontp);
+ netputs("(terminated by ");
if (TELOPT_OK(i))
- sprintf(nfrontp, "%s ", TELOPT(i));
+ netputs(TELOPT(i));
else if (TELCMD_OK(i))
- sprintf(nfrontp, "%s ", TELCMD(i));
+ netputs(TELCMD(i));
else
- sprintf(nfrontp, "%d ", i);
- nfrontp += strlen(nfrontp);
+ netprintf("%d", i);
+ netputs(" ");
if (TELOPT_OK(j))
- sprintf(nfrontp, "%s", TELOPT(j));
+ netputs(TELOPT(j));
else if (TELCMD_OK(j))
- sprintf(nfrontp, "%s", TELCMD(j));
+ netputs(TELCMD(j));
else
- sprintf(nfrontp, "%d", j);
- nfrontp += strlen(nfrontp);
- sprintf(nfrontp, ", not IAC SE!) ");
- nfrontp += strlen(nfrontp);
+ netprintf("%d", j);
+ netputs(", not IAC SE!) ");
}
}
length -= 2;
}
if (length < 1) {
- sprintf(nfrontp, "(Empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(Empty suboption??\?)");
return;
}
switch (pointer[0]) {
case TELOPT_TTYPE:
- sprintf(nfrontp, "TERMINAL-TYPE ");
- nfrontp += strlen(nfrontp);
+ netputs("TERMINAL-TYPE ");
switch (pointer[1]) {
case TELQUAL_IS:
- sprintf(nfrontp, "IS \"%.*s\"", length-2, (char *)pointer+2);
+ netputs("IS \"");
+ netwrite((char *)pointer + 2, (size_t)(length - 2));
+ netputs("\"");
break;
case TELQUAL_SEND:
- sprintf(nfrontp, "SEND");
+ netputs("SEND");
break;
default:
- sprintf(nfrontp,
- "- unknown qualifier %d (0x%x).",
- pointer[1], pointer[1]);
+ netprintf("- unknown qualifier %d (0x%x).",
+ pointer[1], pointer[1]);
}
- nfrontp += strlen(nfrontp);
break;
case TELOPT_TSPEED:
- sprintf(nfrontp, "TERMINAL-SPEED");
- nfrontp += strlen(nfrontp);
+ netputs("TERMINAL-SPEED ");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(empty suboption??\?)");
break;
}
switch (pointer[1]) {
case TELQUAL_IS:
- sprintf(nfrontp, " IS %.*s", length-2, (char *)pointer+2);
- nfrontp += strlen(nfrontp);
+ netputs("IS ");
+ netwrite((char *)pointer + 2, (size_t)(length - 2));
break;
default:
if (pointer[1] == 1)
- sprintf(nfrontp, " SEND");
+ netputs("SEND");
else
- sprintf(nfrontp, " %d (unknown)", pointer[1]);
- nfrontp += strlen(nfrontp);
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netprintf("%d (unknown)", pointer[1]);
+ for (i = 2; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
}
break;
case TELOPT_LFLOW:
- sprintf(nfrontp, "TOGGLE-FLOW-CONTROL");
- nfrontp += strlen(nfrontp);
+ netputs("TOGGLE-FLOW-CONTROL ");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(empty suboption??\?)");
break;
}
switch (pointer[1]) {
case LFLOW_OFF:
- sprintf(nfrontp, " OFF"); break;
+ netputs("OFF"); break;
case LFLOW_ON:
- sprintf(nfrontp, " ON"); break;
+ netputs("ON"); break;
case LFLOW_RESTART_ANY:
- sprintf(nfrontp, " RESTART-ANY"); break;
+ netputs("RESTART-ANY"); break;
case LFLOW_RESTART_XON:
- sprintf(nfrontp, " RESTART-XON"); break;
+ netputs("RESTART-XON"); break;
default:
- sprintf(nfrontp, " %d (unknown)", pointer[1]);
- }
- nfrontp += strlen(nfrontp);
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf("%d (unknown)", pointer[1]);
}
+ for (i = 2; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
case TELOPT_NAWS:
- sprintf(nfrontp, "NAWS");
- nfrontp += strlen(nfrontp);
+ netputs("NAWS");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs(" (empty suboption??\?)");
break;
}
if (length == 2) {
- sprintf(nfrontp, " ?%d?", pointer[1]);
- nfrontp += strlen(nfrontp);
+ netprintf(" ?%d?", pointer[1]);
break;
}
- sprintf(nfrontp, " %d %d (%d)",
+ netprintf(" %d %d (%d)",
pointer[1], pointer[2],
(int)((((unsigned int)pointer[1])<<8)|((unsigned int)pointer[2])));
- nfrontp += strlen(nfrontp);
if (length == 4) {
- sprintf(nfrontp, " ?%d?", pointer[3]);
- nfrontp += strlen(nfrontp);
+ netprintf(" ?%d?", pointer[3]);
break;
}
- sprintf(nfrontp, " %d %d (%d)",
+ netprintf(" %d %d (%d)",
pointer[3], pointer[4],
(int)((((unsigned int)pointer[3])<<8)|((unsigned int)pointer[4])));
- nfrontp += strlen(nfrontp);
- for (i = 5; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ for (i = 5; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
case TELOPT_LINEMODE:
- sprintf(nfrontp, "LINEMODE ");
- nfrontp += strlen(nfrontp);
+ netputs("LINEMODE ");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(empty suboption??\?)");
break;
}
switch (pointer[1]) {
case WILL:
- sprintf(nfrontp, "WILL ");
+ netputs("WILL ");
goto common;
case WONT:
- sprintf(nfrontp, "WONT ");
+ netputs("WONT ");
goto common;
case DO:
- sprintf(nfrontp, "DO ");
+ netputs("DO ");
goto common;
case DONT:
- sprintf(nfrontp, "DONT ");
+ netputs("DONT ");
common:
- nfrontp += strlen(nfrontp);
if (length < 3) {
- sprintf(nfrontp, "(no option??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(no option??\?)");
break;
}
switch (pointer[2]) {
case LM_FORWARDMASK:
- sprintf(nfrontp, "Forward Mask");
- nfrontp += strlen(nfrontp);
- for (i = 3; i < length; i++) {
- sprintf(nfrontp, " %x", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netputs("Forward Mask");
+ for (i = 3; i < length; i++)
+ netprintf(" %x", pointer[i]);
break;
default:
- sprintf(nfrontp, "%d (unknown)", pointer[2]);
- nfrontp += strlen(nfrontp);
- for (i = 3; i < length; i++) {
- sprintf(nfrontp, " %d", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netprintf("%d (unknown)", pointer[2]);
+ for (i = 3; i < length; i++)
+ netprintf(" %d", pointer[i]);
break;
}
break;
case LM_SLC:
- sprintf(nfrontp, "SLC");
- nfrontp += strlen(nfrontp);
+ netputs("SLC");
for (i = 2; i < length - 2; i += 3) {
- if (SLC_NAME_OK(pointer[i+SLC_FUNC]))
- sprintf(nfrontp, " %s", SLC_NAME(pointer[i+SLC_FUNC]));
- else
- sprintf(nfrontp, " %d", pointer[i+SLC_FUNC]);
- nfrontp += strlen(nfrontp);
+ if (SLC_NAME_OK(pointer[i+SLC_FUNC])) {
+ netputs(" ");
+ netputs(SLC_NAME(pointer[i+SLC_FUNC]));
+ } else
+ netprintf(" %d", pointer[i+SLC_FUNC]);
switch (pointer[i+SLC_FLAGS]&SLC_LEVELBITS) {
case SLC_NOSUPPORT:
- sprintf(nfrontp, " NOSUPPORT"); break;
+ netputs(" NOSUPPORT"); break;
case SLC_CANTCHANGE:
- sprintf(nfrontp, " CANTCHANGE"); break;
+ netputs(" CANTCHANGE"); break;
case SLC_VARIABLE:
- sprintf(nfrontp, " VARIABLE"); break;
+ netputs(" VARIABLE"); break;
case SLC_DEFAULT:
- sprintf(nfrontp, " DEFAULT"); break;
+ netputs(" DEFAULT"); break;
}
- nfrontp += strlen(nfrontp);
- sprintf(nfrontp, "%s%s%s",
- pointer[i+SLC_FLAGS]&SLC_ACK ? "|ACK" : "",
- pointer[i+SLC_FLAGS]&SLC_FLUSHIN ? "|FLUSHIN" : "",
- pointer[i+SLC_FLAGS]&SLC_FLUSHOUT ? "|FLUSHOUT" : "");
- nfrontp += strlen(nfrontp);
+ netputs(pointer[i+SLC_FLAGS]&SLC_ACK
+ ? "|ACK" : "");
+ netputs(pointer[i+SLC_FLAGS]&SLC_FLUSHIN
+ ? "|FLUSHIN" : "");
+ netputs(pointer[i+SLC_FLAGS]&SLC_FLUSHOUT
+ ? "|FLUSHOUT" : "");
if (pointer[i+SLC_FLAGS]& ~(SLC_ACK|SLC_FLUSHIN|
SLC_FLUSHOUT| SLC_LEVELBITS)) {
- sprintf(nfrontp, "(0x%x)", pointer[i+SLC_FLAGS]);
- nfrontp += strlen(nfrontp);
+ netprintf("(0x%x)", pointer[i+SLC_FLAGS]);
}
- sprintf(nfrontp, " %d;", pointer[i+SLC_VALUE]);
- nfrontp += strlen(nfrontp);
+ netprintf(" %d;", pointer[i+SLC_VALUE]);
if ((pointer[i+SLC_VALUE] == IAC) &&
(pointer[i+SLC_VALUE+1] == IAC))
i++;
}
- for (; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ for (; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
case LM_MODE:
- sprintf(nfrontp, "MODE ");
- nfrontp += strlen(nfrontp);
+ netputs("MODE ");
if (length < 3) {
- sprintf(nfrontp, "(no mode??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(no mode??\?)");
break;
}
{
- char tbuf[32];
- sprintf(tbuf, "%s%s%s%s%s",
- pointer[2]&MODE_EDIT ? "|EDIT" : "",
- pointer[2]&MODE_TRAPSIG ? "|TRAPSIG" : "",
- pointer[2]&MODE_SOFT_TAB ? "|SOFT_TAB" : "",
- pointer[2]&MODE_LIT_ECHO ? "|LIT_ECHO" : "",
- pointer[2]&MODE_ACK ? "|ACK" : "");
- sprintf(nfrontp, "%s", tbuf[1] ? &tbuf[1] : "0");
- nfrontp += strlen(nfrontp);
- }
- if (pointer[2]&~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK)) {
- sprintf(nfrontp, " (0x%x)", pointer[2]);
- nfrontp += strlen(nfrontp);
- }
- for (i = 3; i < length; i++) {
- sprintf(nfrontp, " ?0x%x?", pointer[i]);
- nfrontp += strlen(nfrontp);
+ int wrotemode = 0;
+
+#define NETPUTS_MODE(x) \
+do { \
+ if (pointer[2] & (MODE_##x)) { \
+ if (wrotemode) netputs("|"); \
+ netputs(#x); \
+ wrotemode++; \
+ } \
+} while (0)
+ NETPUTS_MODE(EDIT);
+ NETPUTS_MODE(TRAPSIG);
+ NETPUTS_MODE(SOFT_TAB);
+ NETPUTS_MODE(LIT_ECHO);
+ NETPUTS_MODE(ACK);
+#undef NETPUTS_MODE
+ if (!wrotemode)
+ netputs("0");
}
+ if (pointer[2] & ~(MODE_EDIT|MODE_TRAPSIG|MODE_ACK))
+ netprintf(" (0x%x)", pointer[2]);
+ for (i = 3; i < length; i++)
+ netprintf(" ?0x%x?", pointer[i]);
break;
default:
- sprintf(nfrontp, "%d (unknown)", pointer[1]);
- nfrontp += strlen(nfrontp);
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " %d", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netprintf("%d (unknown)", pointer[1]);
+ for (i = 2; i < length; i++)
+ netprintf(" %d", pointer[i]);
}
break;
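Review bot: The TERMINAL-TYPE case reads `pointer[1]` and then calls `netwrite((char *)pointer + 2, (size_t)(length - 2))` without the `length < 2` guard that the TERMINAL-SPEED case has, so for a one-byte suboption the cast turns -1 into a huge size_t. That is harmless only because netwrite() rejects a length larger than the buffer, after a needless netflush(), and by then the qualifier byte has already been read past the suboption data. I would add `if (length < 2) { netputs("(empty suboption??\?)"); break; }` before `switch (pointer[1])`. The X-DISPLAY-LOCATION case in a later hunk makes the identical call and needs the same guard. printsub starts and ends outside this hunk, and `length` is assumed to be a signed int.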
@@ -822,24 +881,19 @@ printsub(direction, pointer, length)
register char *cp;
register int j, k;
- sprintf(nfrontp, "STATUS");
- nfrontp += strlen(nfrontp);
+ netputs("STATUS");
switch (pointer[1]) {
default:
if (pointer[1] == TELQUAL_SEND)
- sprintf(nfrontp, " SEND");
+ netputs(" SEND");
else
- sprintf(nfrontp, " %d (unknown)", pointer[1]);
- nfrontp += strlen(nfrontp);
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netprintf(" %d (unknown)", pointer[1]);
+ for (i = 2; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
case TELQUAL_IS:
- sprintf(nfrontp, " IS\r\n");
- nfrontp += strlen(nfrontp);
+ netputs(" IS\r\n");
for (i = 2; i < length; i++) {
switch(pointer[i]) {
@@ -849,19 +903,19 @@ printsub(direction, pointer, length)
case WONT: cp = "WONT"; goto common2;
common2:
i++;
+ netputs(" ");
+ netputs(cp);
+ netputs(" ");
if (TELOPT_OK(pointer[i]))
- sprintf(nfrontp, " %s %s", cp, TELOPT(pointer[i]));
+ netputs(TELOPT(pointer[i]));
else
- sprintf(nfrontp, " %s %d", cp, pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf("%d", pointer[i]);
- sprintf(nfrontp, "\r\n");
- nfrontp += strlen(nfrontp);
+ netputs("\r\n");
break;
case SB:
- sprintf(nfrontp, " SB ");
- nfrontp += strlen(nfrontp);
+ netputs(" SB ");
i++;
j = k = i;
while (j < length) {
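Review bot: After `i++` under `common2:` the new code indexes `pointer[i]` in `TELOPT_OK(pointer[i])` without rechecking `i < length`, so a STATUS IS list that ends in a bare WILL/WONT/DO/DONT byte prints one byte beyond the suboption the peer sent. A guard such as `if (i >= length) break;` directly after the `i++` keeps the read inside the received data. The enclosing loop, `for (i = 2; i < length; i++)` in the preceding hunk, and the rest of printsub lie outside this hunk.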
@@ -877,20 +931,17 @@ printsub(direction, pointer, length)
}
printsub(0, &pointer[i], k - i);
if (i < length) {
- sprintf(nfrontp, " SE");
- nfrontp += strlen(nfrontp);
+ netputs(" SE");
i = j;
} else
i = j - 1;
- sprintf(nfrontp, "\r\n");
- nfrontp += strlen(nfrontp);
+ netputs("\r\n");
break;
default:
- sprintf(nfrontp, " %d", pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf(" %d", pointer[i]);
break;
}
}
@@ -900,86 +951,79 @@ printsub(direction, pointer, length)
}
case TELOPT_XDISPLOC:
- sprintf(nfrontp, "X-DISPLAY-LOCATION ");
- nfrontp += strlen(nfrontp);
+ netputs("X-DISPLAY-LOCATION ");
switch (pointer[1]) {
case TELQUAL_IS:
- sprintf(nfrontp, "IS \"%.*s\"", length-2, (char *)pointer+2);
+ netputs("IS \"");
+ netwrite((char *)pointer + 2, (size_t)(length - 2));
+ netputs("\"");
break;
case TELQUAL_SEND:
- sprintf(nfrontp, "SEND");
+ netputs("SEND");
break;
default:
- sprintf(nfrontp, "- unknown qualifier %d (0x%x).",
- pointer[1], pointer[1]);
+ netprintf("- unknown qualifier %d (0x%x).",
+ pointer[1], pointer[1]);
}
- nfrontp += strlen(nfrontp);
break;
case TELOPT_NEW_ENVIRON:
- sprintf(nfrontp, "NEW-ENVIRON ");
+ netputs("NEW-ENVIRON ");
goto env_common1;
case TELOPT_OLD_ENVIRON:
- sprintf(nfrontp, "OLD-ENVIRON");
+ netputs("OLD-ENVIRON ");
env_common1:
- nfrontp += strlen(nfrontp);
switch (pointer[1]) {
case TELQUAL_IS:
- sprintf(nfrontp, "IS ");
+ netputs("IS ");
goto env_common;
case TELQUAL_SEND:
- sprintf(nfrontp, "SEND ");
+ netputs("SEND ");
goto env_common;
case TELQUAL_INFO:
- sprintf(nfrontp, "INFO ");
+ netputs("INFO ");
env_common:
- nfrontp += strlen(nfrontp);
{
register int noquote = 2;
for (i = 2; i < length; i++ ) {
switch (pointer[i]) {
case NEW_ENV_VAR:
- sprintf(nfrontp, "\" VAR " + noquote);
- nfrontp += strlen(nfrontp);
+ netputs("\" VAR " + noquote);
noquote = 2;
break;
case NEW_ENV_VALUE:
- sprintf(nfrontp, "\" VALUE " + noquote);
- nfrontp += strlen(nfrontp);
+ netputs("\" VALUE " + noquote);
noquote = 2;
break;
case ENV_ESC:
- sprintf(nfrontp, "\" ESC " + noquote);
- nfrontp += strlen(nfrontp);
+ netputs("\" ESC " + noquote);
noquote = 2;
break;
case ENV_USERVAR:
- sprintf(nfrontp, "\" USERVAR " + noquote);
- nfrontp += strlen(nfrontp);
+ netputs("\" USERVAR " + noquote);
noquote = 2;
break;
default:
if (isprint(pointer[i]) && pointer[i] != '"') {
if (noquote) {
- *nfrontp++ = '"';
+ netputs("\"");
noquote = 0;
}
- *nfrontp++ = pointer[i];
+ netprintf("%c", pointer[i]);
} else {
- sprintf(nfrontp, "\" %03o " + noquote,
- pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf("\" %03o " + noquote,
+ pointer[i]);
noquote = 2;
}
break;
}
}
if (!noquote)
- *nfrontp++ = '"';
+ netputs("\"");
break;
}
}
@@ -987,91 +1031,74 @@ printsub(direction, pointer, length)
#if defined(AUTHENTICATION)
case TELOPT_AUTHENTICATION:
- sprintf(nfrontp, "AUTHENTICATION");
- nfrontp += strlen(nfrontp);
+ netputs("AUTHENTICATION");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs(" (empty suboption??\?)");
break;
}
switch (pointer[1]) {
case TELQUAL_REPLY:
case TELQUAL_IS:
- sprintf(nfrontp, " %s ", (pointer[1] == TELQUAL_IS) ?
- "IS" : "REPLY");
- nfrontp += strlen(nfrontp);
+ netputs((pointer[1] == TELQUAL_IS) ? " IS " : " REPLY ");
if (AUTHTYPE_NAME_OK(pointer[2]))
- sprintf(nfrontp, "%s ", AUTHTYPE_NAME(pointer[2]));
+ netputs(AUTHTYPE_NAME(pointer[2]));
else
- sprintf(nfrontp, "%d ", pointer[2]);
- nfrontp += strlen(nfrontp);
+ netprintf(" %d ", pointer[2]);
if (length < 3) {
- sprintf(nfrontp, "(partial suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(partial suboption??\?)");
break;
}
- sprintf(nfrontp, "%s|%s%s",
- ((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
- "CLIENT" : "SERVER",
- ((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY",
- ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
- "|ENCRYPT" : "");
- nfrontp += strlen(nfrontp);
+ netputs(((pointer[3] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT)
+ ? "CLIENT|" : "SERVER|");
+ netputs(((pointer[3] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+ ? "MUTUAL" : "ONE-WAY");
+ netputs(((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON)
+ ? "|ENCRYPT" : "");
auth_printsub(&pointer[1], length - 1, buf, sizeof(buf));
- sprintf(nfrontp, "%s", buf);
- nfrontp += strlen(nfrontp);
+ netputs(buf);
break;
case TELQUAL_SEND:
i = 2;
- sprintf(nfrontp, " SEND ");
- nfrontp += strlen(nfrontp);
+ netputs(" SEND ");
while (i < length) {
if (AUTHTYPE_NAME_OK(pointer[i]))
- sprintf(nfrontp, "%s ", AUTHTYPE_NAME(pointer[i]));
+ netputs(AUTHTYPE_NAME(pointer[i]));
else
- sprintf(nfrontp, "%d ", pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf("%d", pointer[i]);
+ netputs(" ");
if (++i >= length) {
- sprintf(nfrontp, "(partial suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs("(partial suboption??\?)");
break;
}
- sprintf(nfrontp, "%s|%s%s ",
- ((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT) ?
- "CLIENT" : "SERVER",
- ((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL) ?
- "MUTUAL" : "ONE-WAY",
- ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON) ?
- "|ENCRYPT" : "");
- nfrontp += strlen(nfrontp);
+ netputs(((pointer[i] & AUTH_WHO_MASK) == AUTH_WHO_CLIENT)
+ ? "CLIENT|" : "SERVER|");
+ netputs(((pointer[i] & AUTH_HOW_MASK) == AUTH_HOW_MUTUAL)
+ ? "MUTUAL" : "ONE-WAY");
+ if ((pointer[3] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON)
+ netputs("|ENCRYPT");
++i;
}
break;
case TELQUAL_NAME:
i = 2;
- sprintf(nfrontp, " NAME \"");
- nfrontp += strlen(nfrontp);
+ netputs(" NAME \"");
while (i < length) {
if (isprint(pointer[i]))
- *nfrontp++ = pointer[i++];
+ netprintf("%c", pointer[i++]);
else {
- sprintf(nfrontp, "\"%03o",pointer[i++]);
- nfrontp += strlen(nfrontp);
+ netprintf("\\%03o", pointer[i++]);
}
}
- *nfrontp++ = '"';
+ netputs("\"");
break;
default:
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " ?%d?", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ for (i = 2; i < length; i++)
+ netprintf(" ?%d?", pointer[i]);
break;
}
break;
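Review bot: In the TELQUAL_SEND loop the encrypt test still reads `pointer[3]` while the two tests above it read `pointer[i]`, so every type/modifier pair reports the ENCRYPT bit of one fixed byte; it should be `if ((pointer[i] & AUTH_ENCRYPT_MASK) == AUTH_ENCRYPT_ON)`. The rewrite also drops separators that the old format strings supplied. In the IS/REPLY branch `netputs(AUTHTYPE_NAME(pointer[2]));` is no longer followed by a space, so the type name runs straight into `CLIENT|`/`SERVER|`, and the SEND loop no longer emits the trailing space after each pair. Adding `netputs(" ");` after the name (with `"%d"` rather than `" %d "` in the numeric branch) and at the end of the loop body restores the old layout.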
@@ -1079,87 +1106,72 @@ printsub(direction, pointer, length)
#ifdef ENCRYPTION
case TELOPT_ENCRYPT:
- sprintf(nfrontp, "ENCRYPT");
- nfrontp += strlen(nfrontp);
+ netputs("ENCRYPT");
if (length < 2) {
- sprintf(nfrontp, " (empty suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs(" (empty suboption??\?)");
break;
}
switch (pointer[1]) {
case ENCRYPT_START:
- sprintf(nfrontp, " START");
- nfrontp += strlen(nfrontp);
+ netputs(" START");
break;
case ENCRYPT_END:
- sprintf(nfrontp, " END");
- nfrontp += strlen(nfrontp);
+ netputs(" END");
break;
case ENCRYPT_REQSTART:
- sprintf(nfrontp, " REQUEST-START");
- nfrontp += strlen(nfrontp);
+ netputs(" REQUEST-START");
break;
case ENCRYPT_REQEND:
- sprintf(nfrontp, " REQUEST-END");
- nfrontp += strlen(nfrontp);
+ netputs(" REQUEST-END");
break;
case ENCRYPT_IS:
case ENCRYPT_REPLY:
- sprintf(nfrontp, " %s ", (pointer[1] == ENCRYPT_IS) ?
- "IS" : "REPLY");
- nfrontp += strlen(nfrontp);
+ netputs((pointer[1] == ENCRYPT_IS)
+ ? " IS " : " REPLY ");
if (length < 3) {
- sprintf(nfrontp, " (partial suboption??\?)");
- nfrontp += strlen(nfrontp);
+ netputs(" (partial suboption??\?)");
break;
}
if (ENCTYPE_NAME_OK(pointer[2]))
- sprintf(nfrontp, "%s ", ENCTYPE_NAME(pointer[2]));
+ netputs(ENCTYPE_NAME(pointer[2]));
else
- sprintf(nfrontp, " %d (unknown)", pointer[2]);
- nfrontp += strlen(nfrontp);
+ netprintf("%d (unknown)", pointer[2]);
+ netputs(" ");
encrypt_printsub(&pointer[1], length - 1, buf, sizeof(buf));
- sprintf(nfrontp, "%s", buf);
- nfrontp += strlen(nfrontp);
+ netputs(buf);
break;
case ENCRYPT_SUPPORT:
i = 2;
- sprintf(nfrontp, " SUPPORT ");
- nfrontp += strlen(nfrontp);
+ netputs(" SUPPORT ");
while (i < length) {
if (ENCTYPE_NAME_OK(pointer[i]))
- sprintf(nfrontp, "%s ", ENCTYPE_NAME(pointer[i]));
+ netputs(ENCTYPE_NAME(pointer[i]));
else
- sprintf(nfrontp, "%d ", pointer[i]);
- nfrontp += strlen(nfrontp);
+ netprintf("%d", pointer[i]);
+ netputs(" ");
i++;
}
break;
case ENCRYPT_ENC_KEYID:
- sprintf(nfrontp, " ENC_KEYID", pointer[1]);
- nfrontp += strlen(nfrontp);
+ netputs(" ENC_KEYID");
goto encommon;
case ENCRYPT_DEC_KEYID:
- sprintf(nfrontp, " DEC_KEYID", pointer[1]);
- nfrontp += strlen(nfrontp);
+ netputs(" DEC_KEYID");
goto encommon;
default:
- sprintf(nfrontp, " %d (unknown)", pointer[1]);
- nfrontp += strlen(nfrontp);
+ netprintf(" %d (unknown)", pointer[1]);
encommon:
- for (i = 2; i < length; i++) {
- sprintf(nfrontp, " %d", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ for (i = 2; i < length; i++)
+ netprintf(" %d", pointer[i]);
break;
}
break;
@@ -1167,18 +1179,15 @@ printsub(direction, pointer, length)
default:
if (TELOPT_OK(pointer[0]))
- sprintf(nfrontp, "%s (unknown)", TELOPT(pointer[0]));
+ netputs(TELOPT(pointer[0]));
else
- sprintf(nfrontp, "%d (unknown)", pointer[i]);
- nfrontp += strlen(nfrontp);
- for (i = 1; i < length; i++) {
- sprintf(nfrontp, " %d", pointer[i]);
- nfrontp += strlen(nfrontp);
- }
+ netprintf("%d", pointer[0]);
+ netputs(" (unknown)");
+ for (i = 1; i < length; i++)
+ netprintf(" %d", pointer[i]);
break;
}
- sprintf(nfrontp, "\r\n");
- nfrontp += strlen(nfrontp);
+ netputs("\r\n");
}
/*
@@ -1194,32 +1203,25 @@ printdata(tag, ptr, cnt)
char xbuf[30];
while (cnt) {
- /* flush net output buffer if no room for new data) */
- if ((&netobuf[BUFSIZ] - nfrontp) < 80) {
- netflush();
- }
-
/* add a line of output */
- sprintf(nfrontp, "%s: ", tag);
- nfrontp += strlen(nfrontp);
+ netputs(tag);
+ netputs(": ");
for (i = 0; i < 20 && cnt; i++) {
- sprintf(nfrontp, "%02x", *ptr);
- nfrontp += strlen(nfrontp);
+ netprintf("%02x", *ptr);
if (isprint(*ptr)) {
xbuf[i] = *ptr;
} else {
xbuf[i] = '.';
}
- if (i % 2) {
- *nfrontp = ' ';
- nfrontp++;
- }
+ if (i % 2)
+ netputs(" ");
cnt--;
ptr++;
}
xbuf[i] = '\0';
- sprintf(nfrontp, " %s\r\n", xbuf );
- nfrontp += strlen(nfrontp);
+ netputs(" ");
+ netputs(xbuf);
+ netputs("\r\n");
}
}
#endif /* DIAGNOSTICS */
diff --git a/src/clients/ChangeLog b/src/clients/ChangeLog
index 2ab67bd..de83ed9 100644
--- a/src/clients/ChangeLog
+++ b/src/clients/ChangeLog
@@ -1,3 +1,13 @@
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * configure.in: Add checks for unsetenv and getenv. Compile
+ setenv.o if any of setenv, unsetenv, or getenv are missing.
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for alpha*-dec-osf* instead of
+ alpha-dec-osf*.
+
2000-02-24 Ezra Peisach <epeisach@mit.edu>
* configure.in: Test for <arpa/inet.h> include file for inet_ntop
diff --git a/src/clients/configure.in b/src/clients/configure.in
index bd2046d..5617168 100644
--- a/src/clients/configure.in
+++ b/src/clients/configure.in
@@ -3,8 +3,9 @@ CONFIG_RULES
AC_PROG_INSTALL
KRB5_BUILD_PROGRAM
AC_HEADER_STDARG
-AC_CHECK_FUNCS(getusershell lstat setenv inet_ntop getipnodebyaddr)
-if test $ac_cv_func_setenv = no ; then
+AC_CHECK_FUNCS(getusershell lstat setenv unsetenv getenv inet_ntop getipnodebyaddr)
+if test $ac_cv_func_setenv = no || test $ac_cv_func_unsetenv = no \
+ || test $ac_cv_func_getenv = no; then
SETENVOBJ=setenv.o
else
SETENVOBJ=
@@ -12,7 +13,7 @@ fi
AC_SUBST(SETENVOBJ)
AC_CHECK_HEADERS(unistd.h pwd.h arpa/inet.h)
case $krb5_cv_host in
-alpha-dec-osf*)
+alpha*-dec-osf*)
AC_CHECK_LIB(security,setluid,
AC_DEFINE(HAVE_SETLUID)
KSU_LIBS="$KSU_LIBS -lsecurity"
diff --git a/src/clients/kinit/ChangeLog b/src/clients/kinit/ChangeLog
index 8939718..e99ef3f 100644
--- a/src/clients/kinit/ChangeLog
+++ b/src/clients/kinit/ChangeLog
@@ -1,3 +1,8 @@
+2001-12-10 Danilo Almeida <dalmeida@mit.edu>
+
+ * kinit.c (main): Fix typo in #ifdef KRB5_KRB4_COMPAT. Thanks to
+ rbasch@mit.edu
+
2000-03-16 Ezra Peisach <epeisach@mit.edu>
* kinit.c (k4_kinit): Fix the code that was broken with
diff --git a/src/clients/kinit/kinit.c b/src/clients/kinit/kinit.c
index f9245a8..a277738 100644
--- a/src/clients/kinit/kinit.c
+++ b/src/clients/kinit/kinit.c
@@ -1095,7 +1095,7 @@ main(argc, argv)
#endif
if (!authed_k4)
authed_k4 = k4_kinit(&opts, &k4, k5.ctx);
-#ifdef KRB5_KRB4_COMPATH
+#ifdef KRB5_KRB4_COMPAT
memset(stash_password, 0, sizeof(stash_password));
#endif
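Review bot: The `memset(stash_password, 0, sizeof(stash_password));` wipe that this `#ifdef` now enables is an ordinary store, and a compiler may remove it as dead if the buffer is not read again afterwards. For a password buffer, a zeroization the compiler is not allowed to elide is safer: `explicit_bzero` where the platform provides it, or a write loop through a `volatile` pointer. The declaration of `stash_password` and the rest of main are outside this hunk, so its storage class cannot be confirmed from here, nor whether `sizeof` yields the full buffer size.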
diff --git a/src/clients/klist/ChangeLog b/src/clients/klist/ChangeLog
index 86686bb..1016287 100644
--- a/src/clients/klist/ChangeLog
+++ b/src/clients/klist/ChangeLog
@@ -1,3 +1,15 @@
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * klist.c (flags_string): Display transit-policy-checked,
+ ok-as-delegate, and anonymous ticket flags.
+
+2000-04-19 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Link in getopt library on Windows.
+
+ * klist.c: Use getopt so that we can parse combined options (e.g.,
+ -an or -45).
+
2000-03-07 Danilo Almeida <dalmeida@mit.edu>
* klist.M: Get man page up-to-date.
diff --git a/src/clients/klist/Makefile.in b/src/clients/klist/Makefile.in
index c33a4d0..4e067ea 100644
--- a/src/clients/klist/Makefile.in
+++ b/src/clients/klist/Makefile.in
@@ -14,7 +14,7 @@ all-mac::
klist: klist.o $(KRB4COMPAT_DEPLIBS)
$(CC_LINK) -o $@ klist.o $(KRB4COMPAT_LIBS)
-$(OUTPRE)klist.exe: $(OUTPRE)klist.obj $(KLIB) $(CLIB)
+$(OUTPRE)klist.exe: $(OUTPRE)klist.obj $(BUILDTOP)\util\windows\$(OUTPRE)getopt.lib $(KLIB) $(CLIB)
link $(EXE_LINKOPTS) -out:$@ $** wsock32.lib
clean-unix::
diff --git a/src/clients/klist/klist.c b/src/clients/klist/klist.c
index de435c4..2d77f7f 100644
--- a/src/clients/klist/klist.c
+++ b/src/clients/klist/klist.c
@@ -1,7 +1,7 @@
/*
* clients/klist/klist.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -53,6 +53,8 @@
#include <netdb.h>
#endif
+extern int optind;
+
int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
int show_etype = 0, show_addresses = 0, no_resolve = 0;
char *defname;
@@ -130,6 +132,7 @@ main(argc, argv)
int argc;
char **argv;
{
+ int c;
char *name;
int mode;
int use_k5 = 0, use_k4 = 0;
@@ -141,14 +144,10 @@ main(argc, argv)
progname = GET_PROGNAME(argv[0]);
- argv++;
name = NULL;
mode = DEFAULT;
- while (*argv) {
- if ((*argv)[0] != '-') {
- if (name) usage();
- name = *argv;
- } else switch ((*argv)[1]) {
+ while ((c = getopt(argc, argv, "fetKsnack45")) != -1) {
+ switch (c) {
case 'f':
show_flags = 1;
break;
@@ -202,7 +201,6 @@ main(argc, argv)
usage();
break;
}
- argv++;
}
if (no_resolve && !show_addresses) {
@@ -217,6 +215,14 @@ main(argc, argv)
usage();
}
+ if (argc - optind > 1) {
+ fprintf(stderr, "Extra arguments (starting with \"%s\").\n",
+ argv[optind+1]);
+ usage();
+ }
+
+ name = (optind == argc-1) ? argv[optind] : 0;
+
if (!use_k5 && !use_k4)
{
use_k5 = default_k5;
@@ -514,6 +520,12 @@ flags_string(cred)
buf[i++] = 'H';
if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
buf[i++] = 'A';
+ if (cred->ticket_flags & TKT_FLG_TRANSIT_POLICY_CHECKED)
+ buf[i++] = 'T';
+ if (cred->ticket_flags & TKT_FLG_OK_AS_DELEGATE)
+ buf[i++] = 'O'; /* D/d are taken. Use short strings? */
+ if (cred->ticket_flags & TKT_FLG_ANONYMOUS)
+ buf[i++] = 'a';
buf[i] = '\0';
return(buf);
}
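Review bot: The three added `buf[i++] = ...` stores raise the maximum length of the flag string, but the declaration of `buf` is outside this hunk, so it is not visible whether it has room for every flag plus the terminating NUL. Please confirm the array size covers the worst case of all displayed ticket flags being set, and enlarge it in this commit if it was sized for the previous set. A short comment at the declaration, e.g. `/* one char per TKT_FLG_* tested in flags_string, plus NUL */`, would keep the two in step.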
diff --git a/src/clients/ksu/ChangeLog b/src/clients/ksu/ChangeLog
index f486004..9a643e4 100644
--- a/src/clients/ksu/ChangeLog
+++ b/src/clients/ksu/ChangeLog
@@ -1,3 +1,51 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * heuristic.c (get_closest_principal): Don't try to examine
+ principal name components after the last.
+ * krb_auth_su.c (get_best_principal): Check principal name length
+ before examining components.
+
+2001-10-18 Ken Raeburn <raeburn@mit.edu>
+
+ Don't crash if .k[5]login file ownership is wrong. Patch from
+ Emily Ratliff, ratliff@austin.ibm.com.
+ * authorization.c (fowner): Don't close the file even on error.
+ (krb5_authorization): Close the file if fowner returns FALSE.
+
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * setenv.c: Add conditionals for compilation of setenv, unsetenv,
+ and getenv such that they only get compiled if they don't already
+ exist.
+
+2000-05-22 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (OBJS): Put @SETENVOBJ@ on same line as xmalloc.o to
+ avoid trailing backslash on the end of the variable.
+
+2000-05-15 Ken Raeburn <raeburn@mit.edu>
+
+ * ccache.c (krb5_ccache_copy): Modify conditionalized code block
+ slightly to make automatic indentation work better.
+
+ * main.c (main): Complain and quit if prog_name is longer than 50
+ characters.
+
+2000-04-26 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * main.c (DEBUG): Don't define.
+ (usage): Remove -C option from description.
+ (sweep_up): Deleted second argument; all callers changed.
+ (main): Support -D option only if DEBUG is defined. Initialize
+ ruid on entry. Set effective uid to ruid before processing
+ argument list. Removed -C option from -z/-Z conflict messages.
+ Report errors trying to stat source ccache using com_err. Verify
+ that getpwuid's returned data for source user has correct uid.
+ Eliminate use_source_cache variable.
+
+ * ksu.M: Updates for removal of -C option.
+
2000-01-27 Ken Raeburn <raeburn@mit.edu>
* main.c (print_status): Now static. Add format attribute if
diff --git a/src/clients/ksu/Makefile.in b/src/clients/ksu/Makefile.in
index c96de37..915d4b2 100644
--- a/src/clients/ksu/Makefile.in
+++ b/src/clients/ksu/Makefile.in
@@ -23,8 +23,7 @@ OBJS = \
authorization.o \
main.o \
heuristic.o \
- xmalloc.o \
- @SETENVOBJ@
+ xmalloc.o @SETENVOBJ@
all:: ksu
diff --git a/src/clients/ksu/authorization.c b/src/clients/ksu/authorization.c
index a2e5409..d184993 100644
--- a/src/clients/ksu/authorization.c
+++ b/src/clients/ksu/authorization.c
@@ -40,12 +40,10 @@ krb5_boolean fowner(fp, uid)
* the user himself, or by root. Otherwise, don't grant access.
*/
if (fstat(fileno(fp), &sbuf)) {
- fclose(fp);
return(FALSE);
}
if ((sbuf.st_uid != uid) && sbuf.st_uid) {
- fclose(fp);
return(FALSE);
}
@@ -102,8 +100,10 @@ krb5_error_code krb5_authorization(context, principal, luser,
if (!k5login_flag){
if ((login_fp = fopen(k5login_path, "r")) == NULL)
return 0;
- if ( fowner(login_fp, pwd->pw_uid) == FALSE)
+ if ( fowner(login_fp, pwd->pw_uid) == FALSE) {
+ fclose(login_fp);
return 0;
+ }
}
if (!k5users_flag){
@@ -111,6 +111,7 @@ krb5_error_code krb5_authorization(context, principal, luser,
return 0;
}
if ( fowner(users_fp, pwd->pw_uid) == FALSE){
+ fclose(users_fp);
return 0;
}
}
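Review bot: The `return 0;` paths in the `!k5users_flag` branch close only `users_fp`, so a `login_fp` opened by the `!k5login_flag` branch above stays open when the users file is missing or fails the fowner() check. Since fowner() no longer closes anything, both early returns should release the first stream as well, e.g. `if (login_fp) fclose(login_fp);` before each `return 0;`. That assumes `login_fp` is initialised to NULL when the login file was not opened, which cannot be confirmed here because its declaration and the rest of krb5_authorization are outside this hunk.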
diff --git a/src/clients/ksu/ccache.c b/src/clients/ksu/ccache.c
index be77456..97a2084 100644
--- a/src/clients/ksu/ccache.c
+++ b/src/clients/ksu/ccache.c
@@ -75,7 +75,6 @@ struct stat st_temp;
cc_def_name = krb5_cc_get_name(context, cc_def);
cc_other_name = krb5_cc_get_name(context, *cc_other);
-
if ( ! stat(cc_def_name, &st_temp)){
if((retval = krb5_get_nonexp_tkts(context,cc_def,&cc_def_creds_arr))){
return retval;
@@ -86,12 +85,11 @@ struct stat st_temp;
primary_principal);
#ifdef HAVE_LSTAT
- if (!lstat( cc_other_name, &st_temp)) {
+ if (!lstat( cc_other_name, &st_temp))
#else /*HAVE_LSTAT*/
- if (!stat( cc_other_name, &st_temp)) {
+ if (!stat( cc_other_name, &st_temp))
#endif
return EINVAL;
- }
if (krb5_seteuid(0)||krb5_seteuid(target_uid)) {
return errno;
diff --git a/src/clients/ksu/heuristic.c b/src/clients/ksu/heuristic.c
index 269c059..ed526cf 100644
--- a/src/clients/ksu/heuristic.c
+++ b/src/clients/ksu/heuristic.c
@@ -354,8 +354,8 @@ krb5_error_code get_closest_principal(context, plist, client, found)
krb5_princ_component(context, *client, j);
krb5_data *p2 =
krb5_princ_component(context, temp_client, j);
-
- if ((p1->length != p2->length) ||
+
+ if (!p1 || !p2 || (p1->length != p2->length) ||
memcmp(p1->data,p2->data,p1->length)){
got_one = FALSE;
break;
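Review bot: The new `!p1 || !p2` test is the only thing that stops the comparison from dereferencing a missing component, and nothing at this site says why a NULL can appear. A one-line comment above the `if`, such as `/* krb5_princ_component() returns NULL for an index past the last component */`, would record that. The loop that drives `j` is outside this hunk; if it is bounded by only one principal's size, bounding it by the smaller of the two sizes would make the intent explicit.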
diff --git a/src/clients/ksu/krb_auth_su.c b/src/clients/ksu/krb_auth_su.c
index abc158c..29d72d4 100644
--- a/src/clients/ksu/krb_auth_su.c
+++ b/src/clients/ksu/krb_auth_su.c
@@ -620,7 +620,9 @@ int i = 0, nelem;
krb5_princ_realm(context, temp_client)->length))){
- if(nelem){
+ if (nelem &&
+ krb5_princ_size(context, *client) > 0 &&
+ krb5_princ_size(context, temp_client) > 0) {
krb5_data *p1 =
krb5_princ_component(context, *client, 0);
krb5_data *p2 =
diff --git a/src/clients/ksu/ksu.M b/src/clients/ksu/ksu.M
index 2eea2a0..325d2e8 100644
--- a/src/clients/ksu/ksu.M
+++ b/src/clients/ksu/ksu.M
@@ -37,9 +37,6 @@ ksu \- Kerberized super-user
.B \-c
.I source_cache_name
] [
-.B \-C
-.I target_cache_name
-] [
.B \-k
] [
.B \-D
@@ -169,10 +166,8 @@ The real and effective user ID are changed to that of the
target user. The target user's shell is then invoked
(the shell name is specified in the password file).
Upon termination of the shell, ksu deletes the target cache (unless
-ksu is invoked with
-.B \-k
- or '
-.B \-C .' options).
+ksu is invoked with the
+.B \-k option).
This is implemented by first doing a fork and then an exec, instead
of just exec, as done by su.
.br
@@ -287,19 +282,7 @@ option is not used then the
name is obtained from KRB5CCNAME environment variable.
If KRB5CCNAME is not defined the source cache name
is set to krb5cc_<source uid>.
-.TP 10
-\fB\-C \fItarget_cache_name
-Specify the target cache name (e.g.
-.B \-C
-FILE:/tmp/target_cache).
-If '.' is specified (e.g. ksu
-\-C .) ksu uses the source
-cache and does not create a new target cache. Note:
-this case requires both source and target user
-to have read and write permissions for the source cache.
-If
-.B \-C
-option is not used, the default target cache name is
+The target cache name is automatically
set to krb5cc_<target uid>.(gen_sym()),
where gen_sym generates a new number such that
the resulting cache does not already exist.
@@ -313,8 +296,7 @@ target shell or a command (
command).
Without
.B \-k,
-ksu deletes the target cache
-(unless ksu was invoked with '-C .' option).
+ksu deletes the target cache.
.TP 10
\fB\-D
turn on debug mode.
@@ -359,7 +341,7 @@ if you want the tickets for other then the default
principal. Note that the
.B \-z
option is mutually
-exclusive with '-C .' and -Z options.
+exclusive with the -Z option.
.TP 10
\fB\-Z
Don't copy any tickets from the source cache to the
@@ -368,7 +350,7 @@ where the default principal name of the cache is
initialized to the target principal name. Note that
.B \-Z
option is mutually
-exclusive with '-C .' and -z options.
+exclusive with the -z option.
.TP 10
\fB\-q
suppress the printing of status messages.
diff --git a/src/clients/ksu/main.c b/src/clients/ksu/main.c
index 77a4996..58d3031 100644
--- a/src/clients/ksu/main.c
+++ b/src/clients/ksu/main.c
@@ -42,7 +42,7 @@ int quiet = 0;
#define _DEF_CSH "/bin/csh"
static int set_env_var PROTOTYPE((char *, char *));
-static void sweep_up PROTOTYPE((krb5_context, int, krb5_ccache));
+static void sweep_up PROTOTYPE((krb5_context, krb5_ccache));
static char * ontty PROTOTYPE((void));
#ifdef HAVE_STDARG_H
static void print_status( const char *fmt, ...)
@@ -61,7 +61,6 @@ char * get_dir_of_file();
void usage (){
fprintf(stderr, "Usage: %s [target user] [-n principal] [-c source cachename] [-C target cachename] [-k] [-D] [-r time] [-pf] [-l lifetime] [-zZ] [-q] [-e command [args... ] ] [-a [args... ] ]\n", prog_name);
-
}
/* for Ultrix and friends ... */
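Review bot: The format string in `usage()` still lists `[-C target cachename]`, although this commit removes `-C` from ksu.M and the `getopt` string visible further down (`"n:c:r:a:zZDfpkql:e:"`) has no `C`. Someone following the usage text gets an option error instead of the cache location they asked for. Drop the `[-C target cachename]` item from the string so the usage text, the man page and the parser agree.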
@@ -69,8 +68,6 @@ void usage (){
#define MAXHOSTNAMELEN 64
#endif
-#define DEBUG
-
/* These are file static so sweep_up can get to them*/
static uid_t source_uid, target_uid;
@@ -86,7 +83,6 @@ char *localhostname = NULL;
opt_info options;
int option=0;
int statusp=0;
-int use_source_cache = 0;
krb5_error_code retval = 0;
krb5_principal client = NULL;
krb5_ccache cc_target = NULL;
@@ -106,7 +102,7 @@ krb5_boolean auth_val;
krb5_boolean authorization_val = FALSE;
int path_passwd = 0;
int done =0,i,j;
-uid_t ruid;
+uid_t ruid = getuid ();
struct passwd *pwd=NULL, *target_pwd ;
char * shell;
char ** params;
@@ -142,6 +138,11 @@ char * dir_of_cc_source;
if (strrchr(argv[0], '/'))
argv[0] = strrchr(argv[0], '/')+1;
prog_name = argv[0];
+ if (strlen (prog_name) > 50) {
+ /* this many chars *after* last / ?? */
+ com_err(prog_name, 0, "program name too long - quitting to avoid triggering system logging bugs");
+ exit (1);
+ }
#ifndef LOG_NDELAY
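Review bot: The new length check hands the rejected `prog_name` straight back to `com_err()` as the program name, so the over-long, caller-supplied `argv[0]` is still formatted on the error path. A fixed name is safer there, e.g. `com_err("ksu", 0, "program name too long - quitting to avoid triggering system logging bugs");`. The limit `50` is a bare number, and the comment `/* this many chars *after* last / ?? */` reads as an open question rather than a rationale. I would give the limit a name (`#define KSU_MAX_PROG_NAME 50`, the name is only a suggestion) and state in the comment which logging call it protects. The enclosing function starts and ends outside the hunk.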
@@ -176,7 +177,10 @@ char * dir_of_cc_source;
}
}
-
+ if (krb5_seteuid (ruid)) {
+ com_err (prog_name, errno, "while setting euid to source user");
+ exit (1);
+ }
while(!done && ((option = getopt(pargc, pargv,"n:c:r:a:zZDfpkql:e:")) != -1)){
switch (option) {
case 'r':
@@ -232,22 +236,24 @@ char * dir_of_cc_source;
options.princ = 1;
break;
+#ifdef DEBUG
case 'D':
auth_debug = 1;
- break;
+ break;
+#endif
case 'z':
some_rest_copy = 1;
- if(all_rest_copy || use_source_cache){
+ if(all_rest_copy) {
fprintf(stderr,
- "-z option is mutually exclusive with -Z and -C .\n");
+ "-z option is mutually exclusive with -Z.\n");
errflg++;
}
break;
case 'Z':
all_rest_copy = 1;
- if(some_rest_copy || use_source_cache){
+ if(some_rest_copy) {
fprintf(stderr,
- "-Z option is mutually exclusive with -z and -C .\n");
+ "-Z option is mutually exclusive with -z.\n");
errflg++;
}
break;
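Review bot: Putting `case 'D':` under `#ifdef DEBUG` leaves `-D` accepted by the `getopt` string (`"n:c:r:a:zZDfpkql:e:"` still contains `D`) and still advertised in `usage()` and in ksu.M as "turn on debug mode", while an earlier hunk removes `#define DEBUG` from this file. In a build without DEBUG the option falls to whatever the `switch` does for unhandled letters, which is outside this hunk. I would make that explicit with an `#else` branch before the `#endif`, `case 'D': fprintf(stderr, "-D is not supported in this build\n"); errflg++; break;`, or remove `D` from the option string and the documentation in the same build configuration.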
@@ -258,10 +264,10 @@ char * dir_of_cc_source;
cc_source_tag_tmp = strchr(cc_source_tag, ':') + 1;
if( stat( cc_source_tag_tmp, &st_temp)){
- fprintf(stderr,"File %s does not exist\n",
- cc_source_tag_tmp);
- errflg++;
-
+ com_err (prog_name, errno,
+ "while looking for credentials file %s",
+ cc_source_tag_tmp);
+ exit (1);
}
}
else {
@@ -313,10 +319,9 @@ char * dir_of_cc_source;
}
/***********************************/
- ruid = getuid();
source_user = getlogin(); /*checks for the the login name in /etc/utmp*/
- /* verify that that the user exists and get his passwd structure */
+ /* verify that that the user exists and get his passwd structure */
if (source_user == NULL ||(pwd = getpwnam(source_user)) == NULL ||
pwd->pw_uid != ruid){
@@ -327,6 +332,12 @@ char * dir_of_cc_source;
fprintf(stderr, "ksu: who are you?\n");
exit(1);
}
+ if (pwd->pw_uid != ruid) {
+ fprintf (stderr, "Your uid doesn't match your passwd entry?!\n");
+ exit (1);
+ }
+ /* Okay, now we have *some* passwd entry that matches the
+ current real uid. */
/* allocate space and copy the usernamane there */
source_user = xstrdup(pwd->pw_name);
@@ -357,23 +368,17 @@ char * dir_of_cc_source;
else
cc_source_tag_tmp++;
}
- if (krb5_seteuid(source_uid)) {
- com_err ( prog_name, errno, "while setting euid to source user");
- exit(1);
- }
-
+
/* get a handle for the cache */
if ((retval = krb5_cc_resolve(ksu_context, cc_source_tag, &cc_source))){
com_err(prog_name, retval,"while getting source cache");
exit(1);
}
- if(!use_source_cache) {
- if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
- && (retval != KRB5_FCC_NOFILE)) {
+ if (((retval = krb5_cc_set_flags(ksu_context, cc_source, 0x0)) != 0)
+ && (retval != KRB5_FCC_NOFILE)) {
com_err(prog_name, retval, "while opening ccache");
exit(1);
- }
}
if ((retval = get_best_princ_for_target(ksu_context, source_uid,
target_uid, source_user, target_user, cc_source,
@@ -409,29 +414,6 @@ char * dir_of_cc_source;
exit(1);
}
- if (stat(cc_source_tag_tmp, &st_temp)){
- if (use_source_cache){
-
- dir_of_cc_source = get_dir_of_file(cc_source_tag_tmp);
-
-
- if (access(dir_of_cc_source, R_OK | W_OK )){
- fprintf(stderr,
- "%s does not have correct permissions for %s\n",
- source_user, cc_source_tag);
- exit(1);
- }
-
- if ((retval = krb5_cc_initialize(ksu_context, cc_source,
- client))){
- com_err(prog_name, retval,
- "while initializing source cache");
- exit(1);
- }
- }
- }
-
-
if (cc_target_tag == NULL) {
cc_target_tag = (char *)xcalloc(KRB5_SEC_BUFFSIZE ,sizeof(char));
@@ -450,8 +432,7 @@ char * dir_of_cc_source;
}
- dir_of_cc_target = get_dir_of_file( use_source_cache ?
- cc_source_tag_tmp: cc_target_tag_tmp);
+ dir_of_cc_target = get_dir_of_file(cc_target_tag_tmp);
if (access(dir_of_cc_target, R_OK | W_OK )){
fprintf(stderr,
@@ -475,48 +456,33 @@ char * dir_of_cc_source;
The cache is owned by the target user.*/
- if (! use_source_cache){
-
- /* if root ksu's to a regular user, then
- then only the credentials for that particular user
- should be copied */
+ /* if root ksu's to a regular user, then
+ then only the credentials for that particular user
+ should be copied */
- if ((source_uid == 0) && (target_uid != 0)) {
+ if ((source_uid == 0) && (target_uid != 0)) {
- if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
- cc_target_tag, client, &cc_target, &stored, target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
- exit(1);
- }
-
- } else{
- if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
- client,&cc_target, &stored, target_uid))){
- com_err (prog_name, retval,
- "while copying cache %s to %s",
- krb5_cc_get_name(ksu_context, cc_source),
- cc_target_tag);
- exit(1);
- }
-
- }
-
- }
- else{
- cc_target = cc_source;
- cc_target_tag = (char *) cc_source_tag;
- cc_target_tag_tmp = (char *) cc_source_tag_tmp;
-
- if ((retval=krb5_find_princ_in_cache(ksu_context, cc_target,client, &stored))){
- com_err (prog_name, retval,
- "while searching for client in source ccache");
- exit(1);
- }
+ if ((retval = krb5_ccache_copy_restricted(ksu_context, cc_source,
+ cc_target_tag, client, &cc_target, &stored, target_uid))){
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),cc_target_tag);
+ exit(1);
+ }
+ } else {
+ if ((retval = krb5_ccache_copy(ksu_context, cc_source, cc_target_tag,
+ client,&cc_target, &stored, target_uid))) {
+ com_err (prog_name, retval,
+ "while copying cache %s to %s",
+ krb5_cc_get_name(ksu_context, cc_source),
+ cc_target_tag);
+ exit(1);
+ }
+
}
- /* Become root for authentication*/
+
+ /* Become root for authentication*/
if (krb5_seteuid(0)) {
com_err(prog_name, errno, "while reclaiming root uid");
@@ -532,7 +498,7 @@ char * dir_of_cc_source;
&kdc_server))){
com_err(prog_name, retval,
"while creating tgt for local realm");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -544,8 +510,7 @@ char * dir_of_cc_source;
if (zero_password == FALSE){
fprintf(stderr,"Goodbye\n");
- sweep_up(ksu_context, use_source_cache,
- cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -574,7 +539,7 @@ char * dir_of_cc_source;
syslog(LOG_WARNING,
"'%s %s' authentication failed for %s%s",
prog_name,target_user,source_user,ontty());
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -585,7 +550,7 @@ char * dir_of_cc_source;
to properly handle races in chown if this code is ever re-enabled.
*/
/* cache the tickets if possible in the source cache */
- if (!path_passwd && !use_source_cache){
+ if (!path_passwd){
if ((retval = krb5_ccache_overwrite(ksu_context, cc_target, cc_source,
client))){
@@ -593,7 +558,7 @@ char * dir_of_cc_source;
"while copying cache %s to %s",
krb5_cc_get_name(ksu_context, cc_target),
krb5_cc_get_name(ksu_context, cc_source));
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (chown(cc_source_tag_tmp, source_uid, source_gid)){
@@ -607,7 +572,7 @@ char * dir_of_cc_source;
if ((retval = krb5_unparse_name(ksu_context, client, &client_name))) {
com_err (prog_name, retval, "When unparsing name");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -619,7 +584,7 @@ char * dir_of_cc_source;
/* Run authorization as target.*/
if (krb5_seteuid(target_uid)) {
com_err(prog_name, errno, "while switching to target for authorization check");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -627,13 +592,13 @@ char * dir_of_cc_source;
cmd, &authorization_val, &exec_cmd))){
com_err(prog_name,retval,"while checking authorization");
krb5_seteuid(0); /*So we have some chance of sweeping up*/
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (krb5_seteuid(0)) {
com_err(prog_name, errno, "while switching back from target after authorization check");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (authorization_val == TRUE){
@@ -678,7 +643,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
}
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
@@ -686,7 +651,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if( some_rest_copy){
if ((retval = krb5_ccache_filter(ksu_context, cc_target, client))){
com_err(prog_name,retval,"while calling cc_filter");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
@@ -715,7 +680,7 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if (!standard_shell(target_pwd->pw_shell) && source_uid) {
fprintf(stderr, "ksu: permission denied (shell).\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_GETUSERSHELL */
@@ -724,20 +689,20 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if(set_env_var("USER", target_pwd->pw_name)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
}
if(set_env_var( "HOME", target_pwd->pw_dir)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if(set_env_var( "SHELL", shell)){
fprintf(stderr,"ksu: couldn't set environment variable USER\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
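Review bot: The failure messages for `set_env_var( "HOME", ...)` and `set_env_var( "SHELL", ...)` both print `couldn't set environment variable USER`, copied from the USER case above them. This hunk rewrites the `sweep_up` call next to each message but leaves the wrong variable name in place. Change them to `"ksu: couldn't set environment variable HOME\n"` and `"ksu: couldn't set environment variable SHELL\n"`, so that a failure while building the target environment names the variable that actually failed.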
@@ -746,26 +711,21 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if(set_env_var( KRB5_ENV_CCNAME, cc_target_tag)){
fprintf(stderr,"ksu: couldn't set environment variable %s\n",
KRB5_ENV_CCNAME);
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
-
- if (!use_source_cache){
-
- }
-
/* set permissions */
if (setgid(target_pwd->pw_gid) < 0) {
perror("ksu: setgid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
if (initgroups(target_user, target_pwd->pw_gid)) {
fprintf(stderr, "ksu: initgroups failed.\n");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -785,14 +745,14 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
*/
if (setluid((uid_t) pwd->pw_uid) < 0) {
perror("setluid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
#endif /* HAVE_SETLUID */
if (setuid(target_pwd->pw_uid) < 0) {
perror("ksu: setuid");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}
@@ -827,11 +787,11 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
fprintf(stderr, "program to be execed %s\n",params[0]);
}
- if( keep_target_cache || use_source_cache ) {
+ if( keep_target_cache ) {
execv(params[0], params);
com_err(prog_name, errno, "while trying to execv %s",
params[0]);
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit(1);
}else{
statusp = 1;
@@ -858,11 +818,11 @@ krb5_seteuid(0); /*So we have some chance of sweeping up*/
if (ret_pid == -1) {
com_err(prog_name, errno, "while calling waitpid");
}
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit (statusp);
case -1:
com_err(prog_name, errno, "while trying to fork.");
- sweep_up(ksu_context, use_source_cache, cc_target);
+ sweep_up(ksu_context, cc_target);
exit (1);
case 0:
execv(params[0], params);
@@ -920,27 +880,24 @@ char * env_var_buf;
}
-static void sweep_up(context, use_source_cache, cc)
+static void sweep_up(context, cc)
krb5_context context;
- int use_source_cache;
krb5_ccache cc;
{
-krb5_error_code retval;
-char * cc_name;
-struct stat st_temp;
+ krb5_error_code retval;
+ char * cc_name;
+ struct stat st_temp;
-krb5_seteuid(0);
-krb5_seteuid(target_uid);
+ krb5_seteuid(0);
+ krb5_seteuid(target_uid);
-if (! use_source_cache){
- cc_name = krb5_cc_get_name(context, cc);
- if ( ! stat(cc_name, &st_temp)){
- if ((retval = krb5_cc_destroy(context, cc))){
- com_err(prog_name, retval,
- "while destroying cache");
- }
- }
+ cc_name = krb5_cc_get_name(context, cc);
+ if ( ! stat(cc_name, &st_temp)){
+ if ((retval = krb5_cc_destroy(context, cc))){
+ com_err(prog_name, retval,
+ "while destroying cache");
}
+ }
}
/*****************************************************************
get_params is to be called for the -a option or -e option to
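Review bot: `sweep_up()` ignores the result of `krb5_seteuid(target_uid)`. If that switch fails, the `stat()` and `krb5_cc_destroy()` that follow run with whatever effective uid is in place, which may be root after the preceding `krb5_seteuid(0)`. With the `use_source_cache` guard removed, the destroy is reached on every call, so I would check the second call and skip the cleanup on failure: `if (krb5_seteuid(target_uid)) { com_err(prog_name, errno, "while switching to target uid for cleanup"); return; }`. The first `krb5_seteuid(0)` should stay unchecked, since it presumably fails harmlessly on the paths that call `sweep_up()` after `setuid()`. A one-line header comment saying the cache is removed as the target user would also help.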
diff --git a/src/clients/ksu/setenv.c b/src/clients/ksu/setenv.c
index 96d4a1e..2633a9d 100644
--- a/src/clients/ksu/setenv.c
+++ b/src/clients/ksu/setenv.c
@@ -25,6 +25,7 @@
* Set the value of the environmental variable "name" to be
* "value". If rewrite is set, replace any current value.
*/
+#ifndef HAVE_SETENV
setenv(name, value, rewrite)
register char *name, *value;
int rewrite;
@@ -77,11 +78,13 @@ setenv(name, value, rewrite)
for (*C++ = '='; *C++ = *value++;);
return(0);
}
+#endif
/*
* unsetenv(name) --
* Delete environmental variable "name".
*/
+#ifndef HAVE_UNSETENV
void
unsetenv(name)
char *name;
@@ -96,6 +99,7 @@ unsetenv(name)
if (!(*P = *(P + 1)))
break;
}
+#endif
/*
* Copyright (c) 1987 Regents of the University of California.
* All rights reserved.
@@ -119,6 +123,7 @@ unsetenv(name)
* getenv --
* Returns ptr to value associated with name, if any, else NULL.
*/
+#ifndef HAVE_GETENV
char *
getenv(name)
char *name;
@@ -128,6 +133,7 @@ getenv(name)
return(_findenv(name, &offset));
}
+#endif
/*
* _findenv --
@@ -136,9 +142,8 @@ getenv(name)
* environmental array, for use by setenv(3) and unsetenv(3).
* Explicitly removes '=' in argument name.
*
- * This routine *should* be a static; don't use it.
*/
-char *
+static char *
_findenv(name, offset)
register char *name;
int *offset;
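Review bot: Making `_findenv` `static` is only safe if every earlier use in the file sees a matching `static` declaration. `getenv()` calls `_findenv(name, &offset)` before this definition, and the declaration it relies on is outside the hunks shown. If the callers still declare it locally as `char *_findenv();`, compilers will reject the static definition that follows a non-static declaration, so a file-scope `static char *_findenv();` near the top would be needed. Separately, when HAVE_SETENV, HAVE_UNSETENV and HAVE_GETENV are all defined, `_findenv` appears to have no remaining caller in this file. It could then sit under `#if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV) || !defined(HAVE_GETENV)` to avoid an unused-function warning.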
diff --git a/src/config-files/ChangeLog b/src/config-files/ChangeLog
index 198614d..ef47129 100644
--- a/src/config-files/ChangeLog
+++ b/src/config-files/ChangeLog
@@ -1,3 +1,13 @@
+2001-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.conf.M: Update description of safe_checksum_type for recent
+ changes.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.conf.M: Added description of v4_realm from Booker
+ C. Bense.
+
2000-01-21 Ken Raeburn <raeburn@mit.edu>
* krb5.conf: Put primary KDC for Cygnus first. Add GNU.ORG
diff --git a/src/config-files/krb5.conf.M b/src/config-files/krb5.conf.M
index 143601e..3ca1a6a 100644
--- a/src/config-files/krb5.conf.M
+++ b/src/config-files/krb5.conf.M
@@ -136,15 +136,18 @@ earlier.
This allows you to set the checksum type used in the authenticator of
KRB_AP_REQ messages. The default value for this type is
CKSUMTYPE_RSA_MD5. For compatibility with applications linked against
-DCE Kerberos libraries, use a value of 2 to use the CKSUMTYPE_RSA_MD4
-instead. This applies to DCE 1.1 and earlier.
+DCE version 1.1 or earlier Kerberos libraries, use a value of 2 to use
+the CKSUMTYPE_RSA_MD4
+instead.
.IP safe_checksum_type
-This allows you to set the keyed-checksum type used in KRB_SAFE
+This allows you to set the preferred keyed-checksum type for use in KRB_SAFE
messages. The default value for this type is CKSUMTYPE_RSA_MD5_DES.
-For compatibility with applications linked against DCE Kerberos
+For compatibility with applications linked against DCE version 1.1 or
+earlier Kerberos
libraries, use a value of 3 to use the CKSUMTYPE_RSA_MD4_DES
-instead. This applies to DCE 1.1 and earlier.
+instead. This field is ignored when its value is incompatible with
+the session key type.
.IP ccache_type
User this parameter on systems which are DCE clients, to specify the
@@ -179,6 +182,7 @@ subsection define the properties of that particular realm. For example:
mit = mit.edu
lithium = lithium.lcs.mit.edu
}
+ v4_realm = LCS.MIT.EDU
}
.in -1i
.fi
@@ -208,6 +212,13 @@ default_domain mapping rule. It contains V4 instances (the tag name)
which should be translated to some specific hostname (the tag value) as
the second component in a Kerberos V5 principal name.
+.IP v4_realm
+This relation is used by the krb524 library routines when converting
+a V5 principal name to a V4 principal name. It is used when V4 realm
+name and the V5 realm are not the same, but still share the same
+principal names and passwords. The tag value is the Kerberos V4 realm
+name.
+
.SH DOMAIN_REALM SECTION
The [domain_realm] section provides a translation from a hostname to the
@@ -397,8 +408,6 @@ would look like this:
NERSC.GOV = ANL.GOV
NERSC.GOV = ES.NET
}
-
- }
.in -1i
.fi
.sp
diff --git a/src/config/ChangeLog b/src/config/ChangeLog
index 97bce15..56c3d9a 100644
--- a/src/config/ChangeLog
+++ b/src/config/ChangeLog
@@ -1,3 +1,29 @@
+2002-04-17 Danilo Almeida <dalmeida@mit.edu>
+
+ * win-pre.in: the proper #define is KRB5_DNS_LOOKUP_REALM
+ and not KRB5_DNS_LOOKUP_REALMS
+ (pullup from trunk - jaltman@columbia.edu)
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * win-pre.in: Define KRB5_PRIVATE=1.
+
+2000-06-21 Danilo Almeida <dalmeida@mit.edu>
+
+ * win-pre.in: Fix up DNS build flags to correspond to new DNS
+ build flags. Add support for not using wshelper.
+
+2000-06-08 Tom Yu <tlyu@mit.edu>
+
+ * config.guess: Update to 2000-05-30 from FSF.
+
+ * config.sub: Update to 2000-05-30 from FSF.
+
+2000-05-03 Tom Yu <tlyu@mit.edu>
+
+ * libobj.in, pre.in: Put $(LOCALINCLUDES) after $(CPPFLAGS) since
+ $(CPPFLAGS) should have its includes show up first.
+
2000-03-01 Tom Yu <tlyu@mit.edu>
* pre.in (INSTALL_SHLIB): New variable.
diff --git a/src/config/config.guess b/src/config/config.guess
index 98fea7b..b4faaed 100644
--- a/src/config/config.guess
+++ b/src/config/config.guess
@@ -1,7 +1,10 @@
#! /bin/sh
# Attempt to guess a canonical system name.
-# Copyright (C) 1992, 93, 94, 95, 96, 97, 1998 Free Software Foundation, Inc.
-#
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+
+version='2000-05-30'
+
# This file is free software; you can redistribute it and/or modify it
# under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
@@ -22,7 +25,7 @@
# the same distribution terms that you use for the rest of that program.
# Written by Per Bothner <bothner@cygnus.com>.
-# The master version of this file is at the FSF in /home/gd/gnu/lib.
+# Please send patches to <config-patches@gnu.org>.
#
# This script attempts to guess a canonical system name similar to
# config.sub. If it succeeds, it prints the system name on stdout, and
@@ -35,6 +38,60 @@
# (but try to keep the structure clean).
#
+me=`echo "$0" | sed -e 's,.*/,,'`
+
+usage="\
+Usage: $0 [OPTION]
+
+Output the configuration name of this system.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -V, --version print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case "$1" in
+ --version | --vers* | -V )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ exec >&2
+ echo "$me: invalid option $1"
+ echo "$help"
+ exit 1 ;;
+ * )
+ break ;;
+ esac
+done
+
+if test $# != 0; then
+ echo "$me: too many arguments$help" >&2
+ exit 1
+fi
+
+# Use $HOST_CC if defined. $CC may point to a cross-compiler
+if test x"$CC_FOR_BUILD" = x; then
+ if test x"$HOST_CC" != x; then
+ CC_FOR_BUILD="$HOST_CC"
+ else
+ if test x"$CC" != x; then
+ CC_FOR_BUILD="$CC"
+ else
+ CC_FOR_BUILD=cc
+ fi
+ fi
+fi
+
+
# This is needed to find uname on a Pyramid OSx when run in the BSD universe.
# (ghazi@noc.rutgers.edu 8/24/94.)
if (test -f /.attbin/uname) >/dev/null 2>&1 ; then
@@ -46,11 +103,49 @@ UNAME_RELEASE=`(uname -r) 2>/dev/null` || UNAME_RELEASE=unknown
UNAME_SYSTEM=`(uname -s) 2>/dev/null` || UNAME_SYSTEM=unknown
UNAME_VERSION=`(uname -v) 2>/dev/null` || UNAME_VERSION=unknown
-trap 'rm -f dummy.c dummy.o dummy; exit 1' 1 2 15
+dummy=dummy-$$
+trap 'rm -f $dummy.c $dummy.o $dummy; exit 1' 1 2 15
# Note: order is significant - the case branches are not exclusive.
case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
+ *:NetBSD:*:*)
+ # Netbsd (nbsd) targets should (where applicable) match one or
+ # more of the tupples: *-*-netbsdelf*, *-*-netbsdaout*,
+ # *-*-netbsdecoff* and *-*-netbsd*. For targets that recently
+ # switched to ELF, *-*-netbsd* would select the old
+ # object file format. This provides both forward
+ # compatibility and a consistent mechanism for selecting the
+ # object file format.
+ # Determine the machine/vendor (is the vendor relevant).
+ case "${UNAME_MACHINE}" in
+ amiga) machine=m68k-cbm ;;
+ arm32) machine=arm-unknown ;;
+ atari*) machine=m68k-atari ;;
+ sun3*) machine=m68k-sun ;;
+ mac68k) machine=m68k-apple ;;
+ macppc) machine=powerpc-apple ;;
+ hp3[0-9][05]) machine=m68k-hp ;;
+ ibmrt|romp-ibm) machine=romp-ibm ;;
+ *) machine=${UNAME_MACHINE}-unknown ;;
+ esac
+ # The Operating System including object format.
+ if echo __ELF__ | $CC_FOR_BUILD -E - 2>/dev/null \
+ | grep __ELF__ >/dev/null
+ then
+ # Once all utilities can be ECOFF (netbsdecoff) or a.out (netbsdaout).
+ # Return netbsd for either. FIX?
+ os=netbsd
+ else
+ os=netbsdelf
+ fi
+ # The OS release
+ release=`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
+ # Since CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM:
+ # contains redundant information, the shorter form:
+ # CPU_TYPE-MANUFACTURER-OPERATING_SYSTEM is used.
+ echo "${machine}-${os}${release}"
+ exit 0 ;;
alpha:OSF1:*:*)
if test $UNAME_RELEASE = "V4.0"; then
UNAME_RELEASE=`/usr/sbin/sizer -v | awk '{print $3}'`
@@ -59,46 +154,62 @@ case "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" in
# A Tn.n version is a released field test version.
# A Xn.n version is an unreleased experimental baselevel.
# 1.2 uses "1.2" for uname -r.
- cat <<EOF >dummy.s
+ cat <<EOF >$dummy.s
+ .data
+\$Lformat:
+ .byte 37,100,45,37,120,10,0 # "%d-%x\n"
+
+ .text
.globl main
+ .align 4
.ent main
main:
- .frame \$30,0,\$26,0
- .prologue 0
- .long 0x47e03d80 # implver $0
- lda \$2,259
- .long 0x47e20c21 # amask $2,$1
- srl \$1,8,\$2
- sll \$2,2,\$2
- sll \$0,3,\$0
- addl \$1,\$0,\$0
- addl \$2,\$0,\$0
- ret \$31,(\$26),1
+ .frame \$30,16,\$26,0
+ ldgp \$29,0(\$27)
+ .prologue 1
+ .long 0x47e03d80 # implver \$0
+ lda \$2,-1
+ .long 0x47e20c21 # amask \$2,\$1
+ lda \$16,\$Lformat
+ mov \$0,\$17
+ not \$1,\$18
+ jsr \$26,printf
+ ldgp \$29,0(\$26)
+ mov 0,\$16
+ jsr \$26,exit
.end main
EOF
- ${CC-cc} dummy.s -o dummy 2>/dev/null
+ $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
if test "$?" = 0 ; then
- ./dummy
- case "$?" in
- 7)
+ case `./$dummy` in
+ 0-0)
UNAME_MACHINE="alpha"
;;
- 15)
+ 1-0)
UNAME_MACHINE="alphaev5"
;;
- 14)
+ 1-1)
UNAME_MACHINE="alphaev56"
;;
- 10)
+ 1-101)
UNAME_MACHINE="alphapca56"
;;
- 16)
+ 2-303)
UNAME_MACHINE="alphaev6"
;;
+ 2-307)
+ UNAME_MACHINE="alphaev67"
+ ;;
esac
fi
- rm -f dummy.s dummy
- echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr [[A-Z]] [[a-z]]`
+ rm -f $dummy.s $dummy
+ echo ${UNAME_MACHINE}-dec-osf`echo ${UNAME_RELEASE} | sed -e 's/^[VTX]//' | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz'`
+ exit 0 ;;
+ Alpha\ *:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # Should we change UNAME_MACHINE based on the output of uname instead
+ # of the specific Alpha model?
+ echo alpha-pc-interix
exit 0 ;;
21064:Windows_NT:50:3)
echo alpha-dec-winnt3.5
@@ -106,9 +217,6 @@ EOF
Amiga*:UNIX_System_V:4.0:*)
echo m68k-cbm-sysv4
exit 0;;
- amiga:NetBSD:*:*)
- echo m68k-cbm-netbsd${UNAME_RELEASE}
- exit 0 ;;
amiga:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
@@ -133,16 +241,16 @@ EOF
wgrisc:OpenBSD:*:*)
echo mipsel-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
+ *:OS/390:*:*)
+ echo i370-ibm-openedition
+ exit 0 ;;
arm:RISC*:1.[012]*:*|arm:riscix:1.[012]*:*)
echo arm-acorn-riscix${UNAME_RELEASE}
exit 0;;
- arm32:NetBSD:*:*)
- echo arm-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- exit 0 ;;
SR2?01:HI-UX/MPP:*:*)
echo hppa1.1-hitachi-hiuxmpp
exit 0;;
- Pyramid*:OSx*:*:*|MIS*:OSx*:*:*|MIS*:SMP_DC-OSx*:*:*)
+ Pyramid*:OSx*:*:* | MIS*:OSx*:*:* | MIS*:SMP_DC-OSx*:*:*)
# akee@wpdis03.wpafb.af.mil (Earle F. Ake) contributed MIS and NILE.
if test "`(/bin/universe) 2>/dev/null`" = att ; then
echo pyramid-pyramid-sysv3
@@ -150,7 +258,7 @@ EOF
echo pyramid-pyramid-bsd
fi
exit 0 ;;
- NILE:*:*:dcosx)
+ NILE*:*:*:dcosx)
echo pyramid-pyramid-svr4
exit 0 ;;
sun4H:SunOS:5.*:*)
@@ -195,21 +303,38 @@ EOF
aushp:SunOS:*:*)
echo sparc-auspex-sunos${UNAME_RELEASE}
exit 0 ;;
- atari*:NetBSD:*:*)
- echo m68k-atari-netbsd${UNAME_RELEASE}
- exit 0 ;;
atari*:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
- sun3*:NetBSD:*:*)
- echo m68k-sun-netbsd${UNAME_RELEASE}
+ # The situation for MiNT is a little confusing. The machine name
+ # can be virtually everything (everything which is not
+ # "atarist" or "atariste" at least should have a processor
+ # > m68000). The system name ranges from "MiNT" over "FreeMiNT"
+ # to the lowercase version "mint" (or "freemint"). Finally
+ # the system name "TOS" denotes a system which is actually not
+ # MiNT. But MiNT is downward compatible to TOS, so this should
+ # be no problem.
+ atarist[e]:*MiNT:*:* | atarist[e]:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ atari*:*MiNT:*:* | atari*:*mint:*:* | atarist[e]:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *falcon*:*MiNT:*:* | *falcon*:*mint:*:* | *falcon*:*TOS:*:*)
+ echo m68k-atari-mint${UNAME_RELEASE}
exit 0 ;;
+ milan*:*MiNT:*:* | milan*:*mint:*:* | *milan*:*TOS:*:*)
+ echo m68k-milan-mint${UNAME_RELEASE}
+ exit 0 ;;
+ hades*:*MiNT:*:* | hades*:*mint:*:* | *hades*:*TOS:*:*)
+ echo m68k-hades-mint${UNAME_RELEASE}
+ exit 0 ;;
+ *:*MiNT:*:* | *:*mint:*:* | *:*TOS:*:*)
+ echo m68k-unknown-mint${UNAME_RELEASE}
+ exit 0 ;;
sun3*:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
- mac68k:NetBSD:*:*)
- echo m68k-apple-netbsd${UNAME_RELEASE}
- exit 0 ;;
mac68k:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
@@ -222,9 +347,6 @@ EOF
powerpc:machten:*:*)
echo powerpc-apple-machten${UNAME_RELEASE}
exit 0 ;;
- macppc:NetBSD:*:*)
- echo powerpc-apple-netbsd${UNAME_RELEASE}
- exit 0 ;;
RISC*:Mach:*:*)
echo mips-dec-mach_bsd4.3
exit 0 ;;
@@ -234,12 +356,17 @@ EOF
VAX*:ULTRIX*:*:*)
echo vax-dec-ultrix${UNAME_RELEASE}
exit 0 ;;
- 2020:CLIX:*:*)
+ 2020:CLIX:*:* | 2430:CLIX:*:*)
echo clipper-intergraph-clix${UNAME_RELEASE}
exit 0 ;;
mips:*:*:UMIPS | mips:*:*:RISCos)
- sed 's/^ //' << EOF >dummy.c
- int main (argc, argv) int argc; char **argv; {
+ sed 's/^ //' << EOF >$dummy.c
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
#if defined (host_mips) && defined (MIPSEB)
#if defined (SYSTYPE_SYSV)
printf ("mips-mips-riscos%ssysv\n", argv[1]); exit (0);
@@ -254,10 +381,10 @@ EOF
exit (-1);
}
EOF
- ${CC-cc} dummy.c -o dummy \
- && ./dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
- && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
+ $CC_FOR_BUILD $dummy.c -o $dummy \
+ && ./$dummy `echo "${UNAME_RELEASE}" | sed -n 's/\([0-9]*\).*/\1/p'` \
+ && rm $dummy.c $dummy && exit 0
+ rm -f $dummy.c $dummy
echo mips-mips-riscos${UNAME_RELEASE}
exit 0 ;;
Night_Hawk:Power_UNIX:*:*)
@@ -275,15 +402,18 @@ EOF
AViiON:dgux:*:*)
# DG/UX returns AViiON for all architectures
UNAME_PROCESSOR=`/usr/bin/uname -p`
- if [ $UNAME_PROCESSOR = mc88100 -o $UNAME_PROCESSOR = mc88110 ] ; then
- if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx \
- -o ${TARGET_BINARY_INTERFACE}x = x ] ; then
+ if [ $UNAME_PROCESSOR = mc88100 ] || [ $UNAME_PROCESSOR = mc88110 ]
+ then
+ if [ ${TARGET_BINARY_INTERFACE}x = m88kdguxelfx ] || \
+ [ ${TARGET_BINARY_INTERFACE}x = x ]
+ then
echo m88k-dg-dgux${UNAME_RELEASE}
- else
+ else
echo m88k-dg-dguxbcs${UNAME_RELEASE}
+ fi
+ else
+ echo i586-dg-dgux${UNAME_RELEASE}
fi
- else echo i586-dg-dgux${UNAME_RELEASE}
- fi
exit 0 ;;
M88*:DolphinOS:*:*) # DolphinOS (SVR3)
echo m88k-dolphin-sysv3
@@ -309,7 +439,7 @@ EOF
exit 0 ;;
*:AIX:2:3)
if grep bos325 /usr/include/stdio.h >/dev/null 2>&1; then
- sed 's/^ //' << EOF >dummy.c
+ sed 's/^ //' << EOF >$dummy.c
#include <sys/systemcfg.h>
main()
@@ -320,8 +450,8 @@ EOF
exit(0);
}
EOF
- ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
+ $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+ rm -f $dummy.c $dummy
echo rs6000-ibm-aix3.2.5
elif grep bos324 /usr/include/stdio.h >/dev/null 2>&1; then
echo rs6000-ibm-aix3.2.4
@@ -349,7 +479,7 @@ EOF
ibmrt:4.4BSD:*|romp-ibm:BSD:*)
echo romp-ibm-bsd4.4
exit 0 ;;
- ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC NetBSD and
+ ibmrt:*BSD:*|romp-ibm:BSD:*) # covers RT/PC BSD and
echo romp-ibm-bsd${UNAME_RELEASE} # 4.3 with uname added to
exit 0 ;; # report: romp-ibm BSD 4.3
*:BOSX:*:*)
@@ -368,25 +498,27 @@ EOF
case "${UNAME_MACHINE}" in
9000/31? ) HP_ARCH=m68000 ;;
9000/[34]?? ) HP_ARCH=m68k ;;
- 9000/6?? | 9000/7?? | 9000/80[24] | 9000/8?[13679] | 9000/892 )
- sed 's/^ //' << EOF >dummy.c
+ 9000/[678][0-9][0-9])
+ sed 's/^ //' << EOF >$dummy.c
+
+ #define _HPUX_SOURCE
#include <stdlib.h>
#include <unistd.h>
-
+
int main ()
{
#if defined(_SC_KERNEL_BITS)
long bits = sysconf(_SC_KERNEL_BITS);
- #endif
+ #endif
long cpu = sysconf (_SC_CPU_VERSION);
-
- switch (cpu)
+
+ switch (cpu)
{
case CPU_PA_RISC1_0: puts ("hppa1.0"); break;
case CPU_PA_RISC1_1: puts ("hppa1.1"); break;
- case CPU_PA_RISC2_0:
+ case CPU_PA_RISC2_0:
#if defined(_SC_KERNEL_BITS)
- switch (bits)
+ switch (bits)
{
case 64: puts ("hppa2.0w"); break;
case 32: puts ("hppa2.0n"); break;
@@ -394,20 +526,20 @@ EOF
} break;
#else /* !defined(_SC_KERNEL_BITS) */
puts ("hppa2.0"); break;
- #endif
+ #endif
default: puts ("hppa1.0"); break;
}
exit (0);
}
EOF
- (${CC-cc} dummy.c -o dummy 2>/dev/null ) && HP_ARCH=`./dummy`
- rm -f dummy.c dummy
+ (CCOPTS= $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null ) && HP_ARCH=`./$dummy`
+ rm -f $dummy.c $dummy
esac
HPUX_REV=`echo ${UNAME_RELEASE}|sed -e 's/[^.]*.[0B]*//'`
echo ${HP_ARCH}-hp-hpux${HPUX_REV}
exit 0 ;;
3050*:HI-UX:*:*)
- sed 's/^ //' << EOF >dummy.c
+ sed 's/^ //' << EOF >$dummy.c
#include <unistd.h>
int
main ()
@@ -432,8 +564,8 @@ EOF
exit (0);
}
EOF
- ${CC-cc} dummy.c -o dummy && ./dummy && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
+ $CC_FOR_BUILD $dummy.c -o $dummy && ./$dummy && rm $dummy.c $dummy && exit 0
+ rm -f $dummy.c $dummy
echo unknown-hitachi-hiuxwe2
exit 0 ;;
9000/7??:4.3bsd:*:* | 9000/8?[79]:4.3bsd:*:* )
@@ -442,6 +574,9 @@ EOF
9000/8??:4.3bsd:*:*)
echo hppa1.0-hp-bsd
exit 0 ;;
+ *9??*:MPE/iX:*:*)
+ echo hppa1.0-hp-mpeix
+ exit 0 ;;
hp7??:OSF1:*:* | hp8?[79]:OSF1:*:* )
echo hppa1.1-hp-osf
exit 0 ;;
@@ -458,6 +593,9 @@ EOF
parisc*:Lites*:*:*)
echo hppa1.1-hp-lites
exit 0 ;;
+ hppa*:OpenBSD:*:*)
+ echo hppa-unknown-openbsd
+ exit 0 ;;
C1*:ConvexOS:*:* | convex:ConvexOS:C1*:*)
echo c1-convex-bsd
exit 0 ;;
@@ -488,37 +626,40 @@ EOF
-e y/ABCDEFGHIJKLMNOPQRSTUVWXYZ/abcdefghijklmnopqrstuvwxyz/
exit 0 ;;
CRAY*TS:*:*:*)
- echo t90-cray-unicos${UNAME_RELEASE}
+ echo t90-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*T3E:*:*:*)
+ echo alpha-cray-unicosmk${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
+ exit 0 ;;
+ CRAY*SV1:*:*:*)
+ echo sv1-cray-unicos${UNAME_RELEASE} | sed -e 's/\.[^.]*$/.X/'
exit 0 ;;
CRAY-2:*:*:*)
echo cray2-cray-unicos
exit 0 ;;
F300:UNIX_System_V:*:*)
- FUJITSU_SYS=`uname -p | tr [A-Z] [a-z] | sed -e 's/\///'`
+ FUJITSU_SYS=`uname -p | tr 'ABCDEFGHIJKLMNOPQRSTUVWXYZ' 'abcdefghijklmnopqrstuvwxyz' | sed -e 's/\///'`
FUJITSU_REL=`echo ${UNAME_RELEASE} | sed -e 's/ /_/'`
echo "f300-fujitsu-${FUJITSU_SYS}${FUJITSU_REL}"
exit 0 ;;
F301:UNIX_System_V:*:*)
echo f301-fujitsu-uxpv`echo $UNAME_RELEASE | sed 's/ .*//'`
exit 0 ;;
- hp3[0-9][05]:NetBSD:*:*)
- echo m68k-hp-netbsd${UNAME_RELEASE}
- exit 0 ;;
hp300:OpenBSD:*:*)
echo m68k-unknown-openbsd${UNAME_RELEASE}
exit 0 ;;
+ i?86:BSD/386:*:* | i?86:BSD/OS:*:* | *:Ascend\ Embedded/OS:*:*)
+ echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ exit 0 ;;
sparc*:BSD/OS:*:*)
echo sparc-unknown-bsdi${UNAME_RELEASE}
exit 0 ;;
- i?86:BSD/386:*:* | *:BSD/OS:*:*)
- echo ${UNAME_MACHINE}-pc-bsdi${UNAME_RELEASE}
+ *:BSD/OS:*:*)
+ echo ${UNAME_MACHINE}-unknown-bsdi${UNAME_RELEASE}
exit 0 ;;
*:FreeBSD:*:*)
echo ${UNAME_MACHINE}-unknown-freebsd`echo ${UNAME_RELEASE}|sed -e 's/[-(].*//'`
exit 0 ;;
- *:NetBSD:*:*)
- echo ${UNAME_MACHINE}-unknown-netbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
- exit 0 ;;
*:OpenBSD:*:*)
echo ${UNAME_MACHINE}-unknown-openbsd`echo ${UNAME_RELEASE}|sed -e 's/[-_].*/\./'`
exit 0 ;;
@@ -528,6 +669,15 @@ EOF
i*:MINGW*:*)
echo ${UNAME_MACHINE}-pc-mingw32
exit 0 ;;
+ i*:Windows_NT*:* | Pentium*:Windows_NT*:*)
+ # How do we know it's Interix rather than the generic POSIX subsystem?
+ # It also conflicts with pre-2.0 versions of AT&T UWIN. Should we
+ # UNAME_MACHINE based on the output of uname instead of i386?
+ echo i386-pc-interix
+ exit 0 ;;
+ i*:UWIN*:*)
+ echo ${UNAME_MACHINE}-pc-uwin
+ exit 0 ;;
p*:CYGWIN*:*)
echo powerpcle-unknown-cygwin
exit 0 ;;
@@ -538,15 +688,11 @@ EOF
echo `echo ${UNAME_MACHINE}|sed -e 's,[-/].*$,,'`-unknown-gnu`echo ${UNAME_RELEASE}|sed -e 's,/.*$,,'`
exit 0 ;;
*:Linux:*:*)
- # uname on the ARM produces all sorts of strangeness, and we need to
- # filter it out.
- case "$UNAME_MACHINE" in
- arm* | sa110*) UNAME_MACHINE="arm" ;;
- esac
# The BFD linker knows what the default object file format is, so
- # first see if it will tell us.
- ld_help_string=`ld --help 2>&1`
+ # first see if it will tell us. cd to the root directory to prevent
+ # problems with other programs or directories called `ld' in the path.
+ ld_help_string=`cd /; ld --help 2>&1`
ld_supported_emulations=`echo $ld_help_string \
| sed -ne '/supported emulations:/!d
s/[ ][ ]*/ /g
@@ -554,68 +700,146 @@ EOF
s/ .*//
p'`
case "$ld_supported_emulations" in
- i?86linux) echo "${UNAME_MACHINE}-pc-linux-gnuaout" ; exit 0 ;;
- i?86coff) echo "${UNAME_MACHINE}-pc-linux-gnucoff" ; exit 0 ;;
- sparclinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
- armlinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
- m68klinux) echo "${UNAME_MACHINE}-unknown-linux-gnuaout" ; exit 0 ;;
- elf32ppc) echo "powerpc-unknown-linux-gnu" ; exit 0 ;;
+ *ia64)
+ echo "${UNAME_MACHINE}-unknown-linux"
+ exit 0
+ ;;
+ i?86linux)
+ echo "${UNAME_MACHINE}-pc-linux-gnuaout"
+ exit 0
+ ;;
+ elf_i?86)
+ echo "${UNAME_MACHINE}-pc-linux"
+ exit 0
+ ;;
+ i?86coff)
+ echo "${UNAME_MACHINE}-pc-linux-gnucoff"
+ exit 0
+ ;;
+ sparclinux)
+ echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+ exit 0
+ ;;
+ armlinux)
+ echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+ exit 0
+ ;;
+ elf32arm*)
+ echo "${UNAME_MACHINE}-unknown-linux-gnuoldld"
+ exit 0
+ ;;
+ armelf_linux*)
+ echo "${UNAME_MACHINE}-unknown-linux-gnu"
+ exit 0
+ ;;
+ m68klinux)
+ echo "${UNAME_MACHINE}-unknown-linux-gnuaout"
+ exit 0
+ ;;
+ elf32ppc | elf32ppclinux)
+ # Determine Lib Version
+ cat >$dummy.c <<EOF
+#include <features.h>
+#if defined(__GLIBC__)
+extern char __libc_version[];
+extern char __libc_release[];
+#endif
+main(argc, argv)
+ int argc;
+ char *argv[];
+{
+#if defined(__GLIBC__)
+ printf("%s %s\n", __libc_version, __libc_release);
+#else
+ printf("unkown\n");
+#endif
+ return 0;
+}
+EOF
+ LIBC=""
+ $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null
+ if test "$?" = 0 ; then
+ ./$dummy | grep 1\.99 > /dev/null
+ if test "$?" = 0 ; then
+ LIBC="libc1"
+ fi
+ fi
+ rm -f $dummy.c $dummy
+ echo powerpc-unknown-linux-gnu${LIBC}
+ exit 0
+ ;;
+ shelf_linux)
+ echo "${UNAME_MACHINE}-unknown-linux-gnu"
+ exit 0
+ ;;
esac
if test "${UNAME_MACHINE}" = "alpha" ; then
- sed 's/^ //' <<EOF >dummy.s
- .globl main
- .ent main
- main:
- .frame \$30,0,\$26,0
- .prologue 0
- .long 0x47e03d80 # implver $0
- lda \$2,259
- .long 0x47e20c21 # amask $2,$1
- srl \$1,8,\$2
- sll \$2,2,\$2
- sll \$0,3,\$0
- addl \$1,\$0,\$0
- addl \$2,\$0,\$0
- ret \$31,(\$26),1
- .end main
+ cat <<EOF >$dummy.s
+ .data
+ \$Lformat:
+ .byte 37,100,45,37,120,10,0 # "%d-%x\n"
+
+ .text
+ .globl main
+ .align 4
+ .ent main
+ main:
+ .frame \$30,16,\$26,0
+ ldgp \$29,0(\$27)
+ .prologue 1
+ .long 0x47e03d80 # implver \$0
+ lda \$2,-1
+ .long 0x47e20c21 # amask \$2,\$1
+ lda \$16,\$Lformat
+ mov \$0,\$17
+ not \$1,\$18
+ jsr \$26,printf
+ ldgp \$29,0(\$26)
+ mov 0,\$16
+ jsr \$26,exit
+ .end main
EOF
LIBC=""
- ${CC-cc} dummy.s -o dummy 2>/dev/null
+ $CC_FOR_BUILD $dummy.s -o $dummy 2>/dev/null
if test "$?" = 0 ; then
- ./dummy
- case "$?" in
- 7)
+ case `./$dummy` in
+ 0-0)
UNAME_MACHINE="alpha"
;;
- 15)
+ 1-0)
UNAME_MACHINE="alphaev5"
;;
- 14)
+ 1-1)
UNAME_MACHINE="alphaev56"
;;
- 10)
+ 1-101)
UNAME_MACHINE="alphapca56"
;;
- 16)
+ 2-303)
UNAME_MACHINE="alphaev6"
;;
- esac
+ 2-307)
+ UNAME_MACHINE="alphaev67"
+ ;;
+ esac
- objdump --private-headers dummy | \
+ objdump --private-headers $dummy | \
grep ld.so.1 > /dev/null
if test "$?" = 0 ; then
LIBC="libc1"
fi
- fi
- rm -f dummy.s dummy
+ fi
+ rm -f $dummy.s $dummy
echo ${UNAME_MACHINE}-unknown-linux-gnu${LIBC} ; exit 0
elif test "${UNAME_MACHINE}" = "mips" ; then
- cat >dummy.c <<EOF
-main(argc, argv)
- int argc;
- char *argv[];
-{
+ cat >$dummy.c <<EOF
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
#ifdef __MIPSEB__
printf ("%s-unknown-linux-gnu\n", argv[1]);
#endif
@@ -625,8 +849,10 @@ main(argc, argv)
return 0;
}
EOF
- ${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy "${UNAME_MACHINE}" && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
+ $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+ rm -f $dummy.c $dummy
+ elif test "${UNAME_MACHINE}" = "s390"; then
+ echo s390-ibm-linux && exit 0
else
# Either a pre-BFD a.out linker (linux-gnuoldld)
# or one that does not give us useful --help.
@@ -645,12 +871,14 @@ EOF
;;
esac
# Determine whether the default compiler is a.out or elf
- cat >dummy.c <<EOF
+ cat >$dummy.c <<EOF
#include <features.h>
-main(argc, argv)
- int argc;
- char *argv[];
-{
+#ifdef __cplusplus
+#include <stdio.h> /* for printf() prototype */
+ int main (int argc, char *argv[]) {
+#else
+ int main (argc, argv) int argc; char *argv[]; {
+#endif
#ifdef __ELF__
# ifdef __GLIBC__
# if __GLIBC__ >= 2
@@ -667,8 +895,8 @@ main(argc, argv)
return 0;
}
EOF
- ${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy "${UNAME_MACHINE}" && rm dummy.c dummy && exit 0
- rm -f dummy.c dummy
+ $CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy "${UNAME_MACHINE}" && rm $dummy.c $dummy && exit 0
+ rm -f $dummy.c $dummy
fi ;;
# ptx 4.0 does uname -s correctly, with DYNIX/ptx in there. earlier versions
# are messed up and put the nodename in both sysname and nodename.
@@ -684,10 +912,20 @@ EOF
echo ${UNAME_MACHINE}-pc-sysv4.2uw${UNAME_VERSION}
exit 0 ;;
i?86:*:4.*:* | i?86:SYSTEM_V:4.*:*)
+ UNAME_REL=`echo ${UNAME_RELEASE} | sed 's/\/MP$//'`
if grep Novell /usr/include/link.h >/dev/null 2>/dev/null; then
- echo ${UNAME_MACHINE}-univel-sysv${UNAME_RELEASE}
+ echo ${UNAME_MACHINE}-univel-sysv${UNAME_REL}
+ else
+ echo ${UNAME_MACHINE}-pc-sysv${UNAME_REL}
+ fi
+ exit 0 ;;
+ i?86:*:5:7*)
+ # Fixed at (any) Pentium or better
+ UNAME_MACHINE=i586
+ if [ ${UNAME_SYSTEM} = "UnixWare" ] ; then
+ echo ${UNAME_MACHINE}-sco-sysv${UNAME_RELEASE}uw${UNAME_VERSION}
else
- echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
+ echo ${UNAME_MACHINE}-pc-sysv${UNAME_RELEASE}
fi
exit 0 ;;
i?86:*:3.2:*)
@@ -699,19 +937,20 @@ EOF
(/bin/uname -X|egrep i80486 >/dev/null) && UNAME_MACHINE=i486
(/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
&& UNAME_MACHINE=i586
+ (/bin/uname -X|egrep '^Machine.*Pent ?II' >/dev/null) \
+ && UNAME_MACHINE=i686
+ (/bin/uname -X|egrep '^Machine.*Pentium Pro' >/dev/null) \
+ && UNAME_MACHINE=i686
echo ${UNAME_MACHINE}-pc-sco$UNAME_REL
else
echo ${UNAME_MACHINE}-pc-sysv32
fi
exit 0 ;;
- i?86:UnixWare:*:*)
- if /bin/uname -X 2>/dev/null >/dev/null ; then
- (/bin/uname -X|egrep '^Machine.*Pentium' >/dev/null) \
- && UNAME_MACHINE=i586
- fi
- echo ${UNAME_MACHINE}-unixware-${UNAME_RELEASE}-${UNAME_VERSION}
+ i?86:*DOS:*:*)
+ echo ${UNAME_MACHINE}-pc-msdosdjgpp
exit 0 ;;
pc:*:*:*)
+ # Left here for compatibility:
# uname -m prints for DJGPP always 'pc', but it prints nothing about
# the processor, so we play safe by assuming i386.
echo i386-pc-msdosdjgpp
@@ -752,7 +991,7 @@ EOF
mc68030:UNIX_System_V:4.*:*)
echo m68k-atari-sysv4
exit 0 ;;
- i?86:LynxOS:2.*:*)
+ i?86:LynxOS:2.*:* | i?86:LynxOS:3.[01]*:*)
echo i386-unknown-lynxos${UNAME_RELEASE}
exit 0 ;;
TSUNAMI:LynxOS:2.*:*)
@@ -764,6 +1003,9 @@ EOF
SM[BE]S:UNIX_SV:*:*)
echo mips-dde-sysv${UNAME_RELEASE}
exit 0 ;;
+ RM*:ReliantUNIX-*:*:*)
+ echo mips-sni-sysv4
+ exit 0 ;;
RM*:SINIX-*:*:*)
echo mips-sni-sysv4
exit 0 ;;
@@ -794,7 +1036,7 @@ EOF
news*:NEWS-OS:*:6*)
echo mips-sony-newsos6
exit 0 ;;
- R3000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R4000:UNIX_SV:*:*)
+ R[34]000:*System_V*:*:* | R4000:UNIX_SYSV:*:* | R*000:UNIX_SV:*:*)
if [ -d /usr/nec ]; then
echo mips-nec-sysv${UNAME_RELEASE}
else
@@ -810,28 +1052,45 @@ EOF
BePC:BeOS:*:*) # BeOS running on Intel PC compatible.
echo i586-pc-beos
exit 0 ;;
-# MIT addition
- Power\ Macintosh:Rhapsody:*:*)
- echo powerpc-apple-rhapsody${UNAME_RELEASE}
- exit 0 ;;
-# MIT addition
- powerpc:Rhapsody:*:*)
- echo powerpc-unknown-rhapsody${UNAME_RELEASE}
- exit 0 ;;
-# MIT addition
- i?86:Rhapsody:*:*)
- echo i386-unknown-rhapsody${UNAME_RELEASE}
- exit 0 ;;
-# MIT addition
- Power\ Macintosh:Mac\ OS:*:*)
- echo powerpc-apple-macos${UNAME_RELEASE}
+ SX-4:SUPER-UX:*:*)
+ echo sx4-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ SX-5:SUPER-UX:*:*)
+ echo sx5-nec-superux${UNAME_RELEASE}
+ exit 0 ;;
+ Power*:Rhapsody:*:*)
+ echo powerpc-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Rhapsody:*:*)
+ echo ${UNAME_MACHINE}-apple-rhapsody${UNAME_RELEASE}
+ exit 0 ;;
+ *:Darwin:*:*)
+ echo `uname -p`-apple-darwin${UNAME_RELEASE}
+ exit 0 ;;
+ *:procnto*:*:* | *:QNX:[0123456789]*:*)
+ if test "${UNAME_MACHINE}" = "x86pc"; then
+ UNAME_MACHINE=pc
+ fi
+ echo `uname -p`-${UNAME_MACHINE}-nto-qnx
+ exit 0 ;;
+ *:QNX:*:4*)
+ echo i386-pc-qnx
+ exit 0 ;;
+ NSR-W:NONSTOP_KERNEL:*:*)
+ echo nsr-tandem-nsk${UNAME_RELEASE}
+ exit 0 ;;
+ BS2000:POSIX*:*:*)
+ echo bs2000-siemens-sysv
+ exit 0 ;;
+ DS/*:UNIX_System_V:*:*)
+ echo ${UNAME_MACHINE}-${UNAME_SYSTEM}-${UNAME_RELEASE}
exit 0 ;;
esac
#echo '(No uname command or uname output not recognized.)' 1>&2
#echo "${UNAME_MACHINE}:${UNAME_SYSTEM}:${UNAME_RELEASE}:${UNAME_VERSION}" 1>&2
-cat >dummy.c <<EOF
+cat >$dummy.c <<EOF
#ifdef _SEQUENT_
# include <sys/types.h>
# include <sys/utsname.h>
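Review bot: The removed `# MIT addition` case `Power\ Macintosh:Mac\ OS:*:*`, which printed `powerpc-apple-macos${UNAME_RELEASE}`, has no counterpart among the cases added in this hunk. A host reporting that uname pair would presumably fall through to the generic probe unless a case outside this hunk catches it. The `i?86:Rhapsody` result also changes from `i386-unknown-rhapsody` to `${UNAME_MACHINE}-apple-rhapsody`. If dropping the local additions is intended, record it in the ChangeLog. Otherwise re-add the case with its marker: `Power\ Macintosh:Mac\ OS:*:*)`, then `echo powerpc-apple-macos${UNAME_RELEASE}` and `exit 0 ;;`.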
@@ -869,7 +1128,10 @@ main ()
#endif
int version;
version=`(hostinfo | sed -n 's/.*NeXT Mach \([0-9]*\).*/\1/p') 2>/dev/null`;
- printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ if (version < 4)
+ printf ("%s-next-nextstep%d\n", __ARCHITECTURE__, version);
+ else
+ printf ("%s-next-openstep%d\n", __ARCHITECTURE__, version);
exit (0);
#endif
@@ -929,8 +1191,8 @@ main ()
}
EOF
-${CC-cc} dummy.c -o dummy 2>/dev/null && ./dummy && rm dummy.c dummy && exit 0
-rm -f dummy.c dummy
+$CC_FOR_BUILD $dummy.c -o $dummy 2>/dev/null && ./$dummy && rm $dummy.c $dummy && exit 0
+rm -f $dummy.c $dummy
# Apollos put the system type in the environment.
@@ -962,6 +1224,47 @@ then
esac
fi
-#echo '(Unable to guess system type)' 1>&2
+cat >&2 <<EOF
+$0: unable to guess system type
+
+The $version version of this script cannot recognize your system type.
+Please download the most up to date version of the config scripts:
+
+ ftp://ftp.gnu.org/pub/gnu/config/
+
+If the version you run ($0) is already up to date, please
+send the following data and any information you think might be
+pertinent to <config-patches@gnu.org> in order to provide the needed
+information to handle your system.
+
+config.guess version = $version
+
+uname -m = `(uname -m) 2>/dev/null || echo unknown`
+uname -r = `(uname -r) 2>/dev/null || echo unknown`
+uname -s = `(uname -s) 2>/dev/null || echo unknown`
+uname -v = `(uname -v) 2>/dev/null || echo unknown`
+
+/usr/bin/uname -p = `(/usr/bin/uname -p) 2>/dev/null`
+/bin/uname -X = `(/bin/uname -X) 2>/dev/null`
+
+hostinfo = `(hostinfo) 2>/dev/null`
+/bin/universe = `(/bin/universe) 2>/dev/null`
+/usr/bin/arch -k = `(/usr/bin/arch -k) 2>/dev/null`
+/bin/arch = `(/bin/arch) 2>/dev/null`
+/usr/bin/oslevel = `(/usr/bin/oslevel) 2>/dev/null`
+/usr/convex/getsysinfo = `(/usr/convex/getsysinfo) 2>/dev/null`
+
+UNAME_MACHINE = ${UNAME_MACHINE}
+UNAME_RELEASE = ${UNAME_RELEASE}
+UNAME_SYSTEM = ${UNAME_SYSTEM}
+UNAME_VERSION = ${UNAME_VERSION}
+EOF
exit 1
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/src/config/config.sub b/src/config/config.sub
index 9952634..cb86fe1 100644
--- a/src/config/config.sub
+++ b/src/config/config.sub
@@ -1,6 +1,10 @@
#! /bin/sh
# Configuration validation subroutine script, version 1.1.
-# Copyright (C) 1991, 92-97, 1998 Free Software Foundation, Inc.
+# Copyright (C) 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000
+# Free Software Foundation, Inc.
+
+version='2000-05-31'
+
# This file is (in principle) common to ALL GNU software.
# The presence of a machine in this file suggests that SOME GNU software
# can handle that machine. It does not imply ALL GNU software can.
@@ -25,6 +29,9 @@
# configuration script generated by Autoconf, you may include it under
# the same distribution terms that you use for the rest of that program.
+# Written by Per Bothner <bothner@cygnus.com>.
+# Please send patches to <config-patches@gnu.org>.
+#
# Configuration subroutine to validate and canonicalize a configuration type.
# Supply the specified configuration type as an argument.
# If it is invalid, we print an error message on stderr and exit with code 1.
@@ -45,30 +52,61 @@
# CPU_TYPE-MANUFACTURER-KERNEL-OPERATING_SYSTEM
# It is wrong to echo any other type of specification.
-if [ x$1 = x ]
-then
- echo Configuration name missing. 1>&2
- echo "Usage: $0 CPU-MFR-OPSYS" 1>&2
- echo "or $0 ALIAS" 1>&2
- echo where ALIAS is a recognized configuration type. 1>&2
- exit 1
-fi
+me=`echo "$0" | sed -e 's,.*/,,'`
-# First pass through any local machine types.
-case $1 in
- *local*)
- echo $1
- exit 0
- ;;
- *)
- ;;
+usage="\
+Usage: $0 [OPTION] CPU-MFR-OPSYS
+ $0 [OPTION] ALIAS
+
+Canonicalize a configuration name.
+
+Operation modes:
+ -h, --help print this help, then exit
+ -V, --version print version number, then exit"
+
+help="
+Try \`$me --help' for more information."
+
+# Parse command line
+while test $# -gt 0 ; do
+ case "$1" in
+ --version | --vers* | -V )
+ echo "$version" ; exit 0 ;;
+ --help | --h* | -h )
+ echo "$usage"; exit 0 ;;
+ -- ) # Stop option processing
+ shift; break ;;
+ - ) # Use stdin as input.
+ break ;;
+ -* )
+ exec >&2
+ echo "$me: invalid option $1"
+ echo "$help"
+ exit 1 ;;
+
+ *local*)
+ # First pass through any local machine types.
+ echo $1
+ exit 0;;
+
+ * )
+ break ;;
+ esac
+done
+
+case $# in
+ 0) echo "$me: missing argument$help" >&2
+ exit 1;;
+ 1) ;;
+ *) echo "$me: too many arguments$help" >&2
+ exit 1;;
esac
# Separate what the user gave into CPU-COMPANY and OS or KERNEL-OS (if any).
# Here we must recognize all the valid KERNEL-OS combinations.
maybe_os=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\2/'`
case $maybe_os in
- linux-gnu*)
+ nto-qnx* | linux-gnu*)
os=-$maybe_os
basic_machine=`echo $1 | sed 's/^\(.*\)-\([^-]*-[^-]*\)$/\1/'`
;;
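Review bot: The `- )` arm is commented `# Use stdin as input.`, but nothing in this hunk reads standard input. The loop breaks, `$#` is 1, and `-` reaches the `maybe_os=` assignment through `echo $1 | sed …` as if it were a configuration name. Either remove the arm so a lone `-` is rejected by `-* )`, or correct the comment to `# A lone - is passed through as the configuration name.`. The `*local*)` arm still runs `echo $1` unquoted, so an argument containing whitespace or glob characters is split or expanded before it is printed; `echo "$1"` keeps it intact.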
@@ -98,11 +136,21 @@ case $os in
os=
basic_machine=$1
;;
+ -sim | -cisco | -oki | -wec | -winbond)
+ os=
+ basic_machine=$1
+ ;;
+ -scout)
+ ;;
+ -wrs)
+ os=-vxworks
+ basic_machine=$1
+ ;;
-hiux*)
os=-hiuxwe2
;;
-sco5)
- os=sco3.2v5
+ os=-sco3.2v5
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
-sco4)
@@ -121,6 +169,9 @@ case $os in
os=-sco3.2v2
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
;;
+ -udk*)
+ basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
+ ;;
-isc)
os=-isc2.2
basic_machine=`echo $1 | sed -e 's/86-.*/86-pc/'`
@@ -143,22 +194,36 @@ case $os in
-psos*)
os=-psos
;;
+ -mint | -mint[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
esac
# Decode aliases for certain CPU-COMPANY combinations.
case $basic_machine in
# Recognize the basic CPU types without company name.
# Some are omitted here because they have special meanings below.
- tahoe | i860 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
+ tahoe | i860 | ia64 | m32r | m68k | m68000 | m88k | ns32k | arc | arm \
| arme[lb] | pyramid | mn10200 | mn10300 | tron | a29k \
- | 580 | i960 | h8300 | hppa | hppa1.0 | hppa1.1 | hppa2.0 \
- | alpha | alphaev5 | alphaev56 | we32k | ns16k | clipper \
- | i370 | sh | powerpc | powerpcle | 1750a | dsp16xx | pdp11 \
- | mips64 | mipsel | mips64el | mips64orion | mips64orionel \
- | mipstx39 | mipstx39el \
- | sparc | sparclet | sparclite | sparc64 | v850)
+ | 580 | i960 | h8300 \
+ | x86 | ppcbe | mipsbe | mipsle | shbe | shle | armbe | armle \
+ | hppa | hppa1.0 | hppa1.1 | hppa2.0 | hppa2.0w | hppa2.0n \
+ | hppa64 \
+ | alpha | alphaev[4-8] | alphaev56 | alphapca5[67] \
+ | alphaev6[78] \
+ | we32k | ns16k | clipper | i370 | sh | powerpc | powerpcle \
+ | 1750a | dsp16xx | pdp11 | mips16 | mips64 | mipsel | mips64el \
+ | mips64orion | mips64orionel | mipstx39 | mipstx39el \
+ | mips64vr4300 | mips64vr4300el | mips64vr4100 | mips64vr4100el \
+ | mips64vr5000 | miprs64vr5000el | mcore \
+ | sparc | sparclet | sparclite | sparc64 | sparcv9 | v850 | c4x \
+ | thumb | d10v | fr30 | avr)
basic_machine=$basic_machine-unknown
;;
+ m88110 | m680[12346]0 | m683?2 | m68360 | m5200 | z8k | v70 | h8500 | w65 | pj | pjl)
+ ;;
+
# We use `pc' rather than `unknown'
# because (1) that's what they normally are, and
# (2) the word "unknown" tends to confuse beginning users.
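Review bot: `miprs64vr5000el` in the bare-CPU list looks like a misspelling of `mips64vr5000el`: its big-endian sibling on the same line is `mips64vr5000`, and every other entry of the family starts with `mips64`. As written, `mips64vr5000el` given without a company name is presumably not matched by this arm. The line should read `| mips64vr5000 | mips64vr5000el | mcore \`. The `case $basic_machine` statement continues beyond this hunk.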
@@ -171,27 +236,49 @@ case $basic_machine in
exit 1
;;
# Recognize the basic CPU types with company name.
- vax-* | tahoe-* | i[34567]86-* | i860-* | m32r-* | m68k-* | m68000-* \
+ # FIXME: clean up the formatting here.
+ vax-* | tahoe-* | i[34567]86-* | i860-* | ia64-* | m32r-* | m68k-* | m68000-* \
| m88k-* | sparc-* | ns32k-* | fx80-* | arc-* | arm-* | c[123]* \
| mips-* | pyramid-* | tron-* | a29k-* | romp-* | rs6000-* \
- | power-* | none-* | 580-* | cray2-* | h8300-* | i960-* \
- | xmp-* | ymp-* | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* \
- | alpha-* | alphaev5-* | alphaev56-* | we32k-* | cydra-* \
- | ns16k-* | pn-* | np1-* | xps100-* | clipper-* | orion-* \
+ | power-* | none-* | 580-* | cray2-* | h8300-* | h8500-* | i960-* \
+ | xmp-* | ymp-* \
+ | x86-* | ppcbe-* | mipsbe-* | mipsle-* | shbe-* | shle-* | armbe-* | armle-* \
+ | hppa-* | hppa1.0-* | hppa1.1-* | hppa2.0-* | hppa2.0w-* \
+ | hppa2.0n-* | hppa64-* \
+ | alpha-* | alphaev[4-8]-* | alphaev56-* | alphapca5[67]-* \
+ | alphaev6[78]-* \
+ | we32k-* | cydra-* | ns16k-* | pn-* | np1-* | xps100-* \
+ | clipper-* | orion-* \
| sparclite-* | pdp11-* | sh-* | powerpc-* | powerpcle-* \
- | sparc64-* | mips64-* | mipsel-* \
- | mips64el-* | mips64orion-* | mips64orionel-* \
- | mipstx39-* | mipstx39el-* \
- | f301-*)
+ | sparc64-* | sparcv9-* | sparc86x-* | mips16-* | mips64-* | mipsel-* \
+ | mips64el-* | mips64orion-* | mips64orionel-* \
+ | mips64vr4100-* | mips64vr4100el-* | mips64vr4300-* | mips64vr4300el-* \
+ | mipstx39-* | mipstx39el-* | mcore-* \
+ | f301-* | armv*-* | s390-* | sv1-* | t3e-* \
+ | m88110-* | m680[01234]0-* | m683?2-* | m68360-* | z8k-* | d10v-* \
+ | thumb-* | v850-* | d30v-* | tic30-* | c30-* | fr30-* \
+ | bs2000-*)
;;
# Recognize the various machine names and aliases which stand
# for a CPU type and a company and sometimes even an OS.
+ 386bsd)
+ basic_machine=i386-unknown
+ os=-bsd
+ ;;
3b1 | 7300 | 7300-att | att-7300 | pc7300 | safari | unixpc)
basic_machine=m68000-att
;;
3b*)
basic_machine=we32k-att
;;
+ a29khif)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
+ adobe68k)
+ basic_machine=m68010-adobe
+ os=-scout
+ ;;
alliant | fx80)
basic_machine=fx80-alliant
;;
@@ -221,6 +308,10 @@ case $basic_machine in
basic_machine=m68k-apollo
os=-sysv
;;
+ apollo68bsd)
+ basic_machine=m68k-apollo
+ os=-bsd
+ ;;
aux)
basic_machine=m68k-apple
os=-aux
@@ -297,6 +388,10 @@ case $basic_machine in
encore | umax | mmax)
basic_machine=ns32k-encore
;;
+ es1800 | OSE68k | ose68k | ose | OSE)
+ basic_machine=m68k-ericsson
+ os=-ose
+ ;;
fx2800)
basic_machine=i860-alliant
;;
@@ -315,6 +410,14 @@ case $basic_machine in
basic_machine=h8300-hitachi
os=-hms
;;
+ h8300xray)
+ basic_machine=h8300-hitachi
+ os=-xray
+ ;;
+ h8500hms)
+ basic_machine=h8500-hitachi
+ os=-hms
+ ;;
harris)
basic_machine=m88k-harris
os=-sysv3
@@ -330,13 +433,30 @@ case $basic_machine in
basic_machine=m68k-hp
os=-hpux
;;
+ hp3k9[0-9][0-9] | hp9[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
hp9k2[0-9][0-9] | hp9k31[0-9])
basic_machine=m68000-hp
;;
hp9k3[2-9][0-9])
basic_machine=m68k-hp
;;
- hp9k7[0-9][0-9] | hp7[0-9][0-9] | hp9k8[0-9]7 | hp8[0-9]7)
+ hp9k6[0-9][0-9] | hp6[0-9][0-9])
+ basic_machine=hppa1.0-hp
+ ;;
+ hp9k7[0-79][0-9] | hp7[0-79][0-9])
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k78[0-9] | hp78[0-9])
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[67]1 | hp8[67]1 | hp9k80[24] | hp80[24] | hp9k8[78]9 | hp8[78]9 | hp9k893 | hp893)
+ # FIXME: really hppa2.0-hp
+ basic_machine=hppa1.1-hp
+ ;;
+ hp9k8[0-9][13679] | hp8[0-9][13679])
basic_machine=hppa1.1-hp
;;
hp9k8[0-9][0-9] | hp8[0-9][0-9])
@@ -345,9 +465,16 @@ case $basic_machine in
hppa-next)
os=-nextstep3
;;
+ hppaosf)
+ basic_machine=hppa1.1-hp
+ os=-osf
+ ;;
+ hppro)
+ basic_machine=hppa1.1-hp
+ os=-proelf
+ ;;
i370-ibm* | ibm*)
basic_machine=i370-ibm
- os=-mvs
;;
# I'm not sure what "Sysv32" means. Should this be sysv3.2?
i[34567]86v32)
@@ -366,6 +493,22 @@ case $basic_machine in
basic_machine=`echo $1 | sed -e 's/86.*/86-pc/'`
os=-solaris2
;;
+ i386mach)
+ basic_machine=i386-mach
+ os=-mach
+ ;;
+ i386-vsta | vsta)
+ basic_machine=i386-unknown
+ os=-vsta
+ ;;
+ i386-go32 | go32)
+ basic_machine=i386-unknown
+ os=-go32
+ ;;
+ i386-mingw32 | mingw32)
+ basic_machine=i386-unknown
+ os=-mingw32
+ ;;
iris | iris4d)
basic_machine=mips-sgi
case $os in
@@ -394,6 +537,10 @@ case $basic_machine in
miniframe)
basic_machine=m68000-convergent
;;
+ *mint | -mint[0-9]* | *MiNT | *MiNT[0-9]*)
+ basic_machine=m68k-atari
+ os=-mint
+ ;;
mipsel*-linux*)
basic_machine=mipsel-unknown
os=-linux-gnu
@@ -408,10 +555,34 @@ case $basic_machine in
mips3*)
basic_machine=`echo $basic_machine | sed -e 's/mips3/mips64/'`-unknown
;;
+ mmix*)
+ basic_machine=mmix-knuth
+ os=-mmixware
+ ;;
+ monitor)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
+ msdos)
+ basic_machine=i386-unknown
+ os=-msdos
+ ;;
+ mvs)
+ basic_machine=i370-ibm
+ os=-mvs
+ ;;
ncr3000)
basic_machine=i486-ncr
os=-sysv4
;;
+ netbsd386)
+ basic_machine=i386-unknown
+ os=-netbsd
+ ;;
+ netwinder)
+ basic_machine=armv4l-rebel
+ os=-linux
+ ;;
news | news700 | news800 | news900)
basic_machine=m68k-sony
os=-newsos
@@ -424,6 +595,10 @@ case $basic_machine in
basic_machine=mips-sony
os=-newsos
;;
+ necv70)
+ basic_machine=v70-nec
+ os=-sysv
+ ;;
next | m*-next )
basic_machine=m68k-next
case $os in
@@ -449,9 +624,28 @@ case $basic_machine in
basic_machine=i960-intel
os=-nindy
;;
+ mon960)
+ basic_machine=i960-intel
+ os=-mon960
+ ;;
np1)
basic_machine=np1-gould
;;
+ nsr-tandem)
+ basic_machine=nsr-tandem
+ ;;
+ op50n-* | op60c-*)
+ basic_machine=hppa1.1-oki
+ os=-proelf
+ ;;
+ OSE68000 | ose68000)
+ basic_machine=m68000-ericsson
+ os=-ose
+ ;;
+ os68k)
+ basic_machine=m68k-none
+ os=-os68k
+ ;;
pa-hitachi)
basic_machine=hppa1.1-hitachi
os=-hiuxwe2
@@ -469,19 +663,19 @@ case $basic_machine in
pc532 | pc532-*)
basic_machine=ns32k-pc532
;;
- pentium | p5 | k5 | nexen)
+ pentium | p5 | k5 | k6 | nexen)
basic_machine=i586-pc
;;
- pentiumpro | p6 | k6 | 6x86)
+ pentiumpro | p6 | 6x86 | athlon)
basic_machine=i686-pc
;;
pentiumii | pentium2)
basic_machine=i786-pc
;;
- pentium-* | p5-* | k5-* | nexen-*)
+ pentium-* | p5-* | k5-* | k6-* | nexen-*)
basic_machine=i586-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
- pentiumpro-* | p6-* | k6-* | 6x86-*)
+ pentiumpro-* | p6-* | 6x86-* | athlon-*)
basic_machine=i686-`echo $basic_machine | sed 's/^[^-]*-//'`
;;
pentiumii-* | pentium2-*)
@@ -505,12 +699,20 @@ case $basic_machine in
ps2)
basic_machine=i386-ibm
;;
+ rom68k)
+ basic_machine=m68k-rom68k
+ os=-coff
+ ;;
rm[46]00)
basic_machine=mips-siemens
;;
rtpc | rtpc-*)
basic_machine=romp-ibm
;;
+ sa29200)
+ basic_machine=a29k-amd
+ os=-udi
+ ;;
sequent)
basic_machine=i386-sequent
;;
@@ -518,6 +720,10 @@ case $basic_machine in
basic_machine=sh-hitachi
os=-hms
;;
+ sparclite-wrs)
+ basic_machine=sparclite-wrs
+ os=-vxworks
+ ;;
sps7)
basic_machine=m68k-bull
os=-sysv2
@@ -525,6 +731,13 @@ case $basic_machine in
spur)
basic_machine=spur-unknown
;;
+ st2000)
+ basic_machine=m68k-tandem
+ ;;
+ stratus)
+ basic_machine=i860-stratus
+ os=-sysv4
+ ;;
sun2)
basic_machine=m68000-sun
;;
@@ -565,10 +778,18 @@ case $basic_machine in
sun386 | sun386i | roadrunner)
basic_machine=i386-sun
;;
+ sv1)
+ basic_machine=sv1-cray
+ os=-unicos
+ ;;
symmetry)
basic_machine=i386-sequent
os=-dynix
;;
+ t3e)
+ basic_machine=t3e-cray
+ os=-unicos
+ ;;
tx39)
basic_machine=mipstx39-unknown
;;
@@ -586,6 +807,10 @@ case $basic_machine in
basic_machine=a29k-nyu
os=-sym1
;;
+ v810 | necv810)
+ basic_machine=v810-nec
+ os=-none
+ ;;
vaxv)
basic_machine=vax-dec
os=-sysv
@@ -609,6 +834,14 @@ case $basic_machine in
basic_machine=a29k-wrs
os=-vxworks
;;
+ w65*)
+ basic_machine=w65-wdc
+ os=-none
+ ;;
+ w89k-*)
+ basic_machine=hppa1.1-winbond
+ os=-proelf
+ ;;
xmp)
basic_machine=xmp-cray
os=-unicos
@@ -616,6 +849,10 @@ case $basic_machine in
xps | xps100)
basic_machine=xps100-honeywell
;;
+ z8k-*-coff)
+ basic_machine=z8k-unknown
+ os=-sim
+ ;;
none)
basic_machine=none-none
os=-none
@@ -623,6 +860,15 @@ case $basic_machine in
# Here we handle the default manufacturer of certain CPU types. It is in
# some cases the only manufacturer, in others, it is the most popular.
+ w89k)
+ basic_machine=hppa1.1-winbond
+ ;;
+ op50n)
+ basic_machine=hppa1.1-oki
+ ;;
+ op60c)
+ basic_machine=hppa1.1-oki
+ ;;
mips)
if [ x$os = x-linux-gnu ]; then
basic_machine=mips-unknown
@@ -645,7 +891,7 @@ case $basic_machine in
we32k)
basic_machine=we32k-att
;;
- sparc)
+ sparc | sparcv9)
basic_machine=sparc-sun
;;
cydra)
@@ -657,6 +903,16 @@ case $basic_machine in
orion105)
basic_machine=clipper-highlevel
;;
+ mac | mpw | mac-mpw)
+ basic_machine=m68k-apple
+ ;;
+ pmac | pmac-mpw)
+ basic_machine=powerpc-apple
+ ;;
+ c4x*)
+ basic_machine=c4x-none
+ os=-coff
+ ;;
*)
echo Invalid configuration \`$1\': machine \`$basic_machine\' not recognized 1>&2
exit 1
@@ -710,13 +966,34 @@ case $os in
| -nindy* | -vxsim* | -vxworks* | -ebmon* | -hms* | -mvs* \
| -clix* | -riscos* | -uniplus* | -iris* | -rtu* | -xenix* \
| -hiux* | -386bsd* | -netbsd* | -openbsd* | -freebsd* | -riscix* \
- | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* \
+ | -lynxos* | -bosx* | -nextstep* | -cxux* | -aout* | -elf* | -oabi* \
| -ptx* | -coff* | -ecoff* | -winnt* | -domain* | -vsta* \
| -udi* | -eabi* | -lites* | -ieee* | -go32* | -aux* \
| -cygwin* | -pe* | -psos* | -moss* | -proelf* | -rtems* \
- | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -macos* | -rhapsody*)
+ | -mingw32* | -linux-gnu* | -uxpv* | -beos* | -mpeix* | -udk* \
+ | -interix* | -uwin* | -rhapsody* | -darwin* | -opened* \
+ | -openstep* | -oskit*)
# Remember, each alternative MUST END IN *, to match a version number.
;;
+ -qnx*)
+ case $basic_machine in
+ x86-* | i[34567]86-*)
+ ;;
+ *)
+ os=-nto$os
+ ;;
+ esac
+ ;;
+ -nto*)
+ os=-nto-qnx
+ ;;
+ -sim | -es1800* | -hms* | -xray | -os68k* | -none* | -v88r* \
+ | -windows* | -osx | -abug | -netware* | -os9* | -beos* \
+ | -macos* | -mpw* | -magic* | -mmixware* | -mon960* | -lnews*)
+ ;;
+ -mac*)
+ os=`echo $os | sed -e 's|mac|macos|'`
+ ;;
-linux*)
os=`echo $os | sed -e 's|linux|linux-gnu|'`
;;
@@ -726,6 +1003,12 @@ case $os in
-sunos6*)
os=`echo $os | sed -e 's|sunos6|solaris3|'`
;;
+ -opened*)
+ os=-openedition
+ ;;
+ -wince*)
+ os=-wince
+ ;;
-osfrose*)
os=-osfrose
;;
@@ -741,12 +1024,18 @@ case $os in
-acis*)
os=-aos
;;
+ -386bsd)
+ os=-bsd
+ ;;
-ctix* | -uts*)
os=-sysv
;;
-ns2 )
os=-nextstep2
;;
+ -nsk)
+ os=-nsk
+ ;;
# Preserve the version number of sinix5.
-sinix5.*)
os=`echo $os | sed -e 's|sinix|sysv|'`
@@ -772,9 +1061,18 @@ case $os in
# This must come after -sysvr4.
-sysv*)
;;
+ -ose*)
+ os=-ose
+ ;;
+ -es1800*)
+ os=-ose
+ ;;
-xenix)
os=-xenix
;;
+ -*mint | -*MiNT)
+ os=-mint
+ ;;
-none)
;;
*)
@@ -800,6 +1098,9 @@ case $basic_machine in
*-acorn)
os=-riscix1.2
;;
+ arm*-rebel)
+ os=-linux
+ ;;
arm*-semi)
os=-aout
;;
@@ -821,6 +1122,15 @@ case $basic_machine in
# default.
# os=-sunos4
;;
+ m68*-cisco)
+ os=-aout
+ ;;
+ mips*-cisco)
+ os=-elf
+ ;;
+ mips*-*)
+ os=-elf
+ ;;
*-tti) # must be before sparc entry or we get the wrong os.
os=-sysv3
;;
@@ -833,6 +1143,15 @@ case $basic_machine in
*-ibm)
os=-aix
;;
+ *-wec)
+ os=-proelf
+ ;;
+ *-winbond)
+ os=-proelf
+ ;;
+ *-oki)
+ os=-proelf
+ ;;
*-hp)
os=-hpux
;;
@@ -896,6 +1215,18 @@ case $basic_machine in
f301-fujitsu)
os=-uxpv
;;
+ *-rom68k)
+ os=-coff
+ ;;
+ *-*bug)
+ os=-coff
+ ;;
+ *-apple)
+ os=-macos
+ ;;
+ *-atari*)
+ os=-mint
+ ;;
*)
os=-none
;;
@@ -917,9 +1248,15 @@ case $basic_machine in
-aix*)
vendor=ibm
;;
+ -beos*)
+ vendor=be
+ ;;
-hpux*)
vendor=hp
;;
+ -mpeix*)
+ vendor=hp
+ ;;
-hiux*)
vendor=hitachi
;;
@@ -935,7 +1272,7 @@ case $basic_machine in
-genix*)
vendor=ns
;;
- -mvs*)
+ -mvs* | -opened*)
vendor=ibm
;;
-ptx*)
@@ -947,9 +1284,26 @@ case $basic_machine in
-aux*)
vendor=apple
;;
+ -hms*)
+ vendor=hitachi
+ ;;
+ -mpw* | -macos*)
+ vendor=apple
+ ;;
+ -*mint | -*MiNT)
+ vendor=atari
+ ;;
esac
basic_machine=`echo $basic_machine | sed "s/unknown/$vendor/"`
;;
esac
echo $basic_machine$os
+exit 0
+
+# Local variables:
+# eval: (add-hook 'write-file-hooks 'time-stamp)
+# time-stamp-start: "version='"
+# time-stamp-format: "%:y-%02m-%02d"
+# time-stamp-end: "'"
+# End:
diff --git a/src/config/libobj.in b/src/config/libobj.in
index 5e2a2c1..0c85a59 100644
--- a/src/config/libobj.in
+++ b/src/config/libobj.in
@@ -29,10 +29,10 @@ PICFLAGS=@PICFLAGS@
PROFFLAGS=@PROFFLAGS@
.SUFFIXES: .c .so .po
.c.so:
- $(CC) $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(PICFLAGS) $(CPPFLAGS) $(CFLAGS) -c $< -o $*.so.o && \
+ $(CC) $(DEFS) $(DEFINES) $(PICFLAGS) $(CPPFLAGS) $(LOCALINCLUDES) $(CFLAGS) -c $< -o $*.so.o && \
$(MV) $*.so.o $*.so
.c.po:
- $(CC) $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(PROFFLAGS) $(CPPFLAGS) $(CFLAGS) -c $< -o $*.po.o && \
+ $(CC) $(DEFS) $(DEFINES) $(PROFFLAGS) $(CPPFLAGS) $(LOCALINCLUDES) $(CFLAGS) -c $< -o $*.po.o && \
$(MV) $*.po.o $*.po
# rules to generate object file lists
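Review bot: With `$(CPPFLAGS)` now ahead of `$(LOCALINCLUDES)` in both suffix rules, any `-I` directory that arrives through CPPFLAGS is searched before the per-directory include paths, so a same-named header found there (for example one left by an older installed release) shadows the local copy. Nothing in the hunk records which precedence is intended. I would add a comment above `.c.so:` stating it, e.g. `# CPPFLAGS is deliberately searched before LOCALINCLUDES; keep foreign -I dirs out of CPPFLAGS`. The same reordering is applied to `ALL_CFLAGS` in src/config/pre.in and needs the same comment.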
diff --git a/src/config/pre.in b/src/config/pre.in
index abc3dff..cb97a47 100644
--- a/src/config/pre.in
+++ b/src/config/pre.in
@@ -70,7 +70,7 @@ SRCTOP = @srcdir@/$(BUILDTOP)
VPATH = @srcdir@
CONFIG_RELTOPDIR = @CONFIG_RELTOPDIR@
-ALL_CFLAGS = $(DEFS) $(DEFINES) $(LOCALINCLUDES) $(CPPFLAGS) $(CFLAGS)
+ALL_CFLAGS = $(DEFS) $(DEFINES) $(CPPFLAGS) $(LOCALINCLUDES) $(CFLAGS)
CFLAGS = @CCOPTS@
CPPFLAGS = @CPPFLAGS@
DEFS = @DEFS@
diff --git a/src/config/win-pre.in b/src/config/win-pre.in
index 73fdb2e..049ca54 100644
--- a/src/config/win-pre.in
+++ b/src/config/win-pre.in
@@ -83,17 +83,29 @@ C=.^\
srcdir = .
SRCTOP = $(srcdir)\$(BUILDTOP)
-!if defined(KRB5_USE_DNS)
+!if defined(KRB5_USE_DNS) || defined(KRB5_USE_DNS_KDC) || defined(KRB5_USE_DNS_REALMS)
+!if defined(KRB5_NO_WSHELPER)
+DNSMSG=resolver
+!else
+DNSMSG=wshelper
+DNSFLAGS=-DWSHELPER=1
+!endif
!if !defined(DNS_INC)
-!message Must define DNS_INC to point to wshelper includes dir!
+!message Must define DNS_INC to point to $(DNSMSG) includes dir!
!error
!endif
!if !defined(DNS_LIB)
-!message Must define DNS_LIB to point to wshelper library!
+!message Must define DNS_LIB to point to $(DNSMSG) library!
!error
!endif
DNSLIBS=$(DNS_LIB)
-DNSFLAGS=-I$(DNS_INC) -DKRB5_DNS_LOOKUP -DWSHELPER
+DNSFLAGS=-I$(DNS_INC) $(DNSFLAGS) -DKRB5_DNS_LOOKUP=1
+!if defined(KRB5_USE_DNS_KDC)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_KDC=1
+!endif
+!if defined(KRB5_USE_DNS_REALMS)
+DNSFLAGS=$(DNSFLAGS) -DKRB5_DNS_LOOKUP_REALM=1
+!endif
!else
DNSLIBS=
DNSFLAGS=
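Review bot: In the `KRB5_NO_WSHELPER` branch `DNSFLAGS` is never assigned, yet the later `DNSFLAGS=-I$(DNS_INC) $(DNSFLAGS) -DKRB5_DNS_LOOKUP=1` expands it, so a `DNSFLAGS` value inherited from the environment or the command line ends up on the compiler line. Setting it explicitly in that branch, `DNSFLAGS=` right after `DNSMSG=resolver`, keeps the resolver build's flags determined by this file alone. A short comment above the outer `!if` listing which of `KRB5_USE_DNS`, `KRB5_USE_DNS_KDC` and `KRB5_USE_DNS_REALMS` enables which `-DKRB5_DNS_LOOKUP*` define would also help. Plain DNS answers are not authenticated, so realm lookup through DNS should be something a builder opts into knowingly.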
@@ -105,7 +117,7 @@ DNSFLAGS=
CC=cl
PDB_OPTS=-Fd$(OUTPRE)\ -FD
-CPPFLAGS=-I$(SRCTOP)\include -I$(SRCTOP)\include\krb5 $(DNSFLAGS)
+CPPFLAGS=-I$(SRCTOP)\include -I$(SRCTOP)\include\krb5 $(DNSFLAGS) -DKRB5_PRIVATE=1
CCOPTS=-nologo /W3 $(PDB_OPTS) $(DLL_FILE_DEF)
LOPTS=-nologo -incremental:no
diff --git a/src/configure.in b/src/configure.in
index 3200c32..4516fa4 100644
--- a/src/configure.in
+++ b/src/configure.in
@@ -1,6 +1,15 @@
AC_INIT(aclocal.m4)
CONFIG_RULES
dnl
+dnl Determine version from patchlevel.h
+eval `sed 's/#define \([A-Z0-9_]*\)[ \t]*\(.*\)/\1=\2/' < $srcdir/patchlevel.h`
+KRB5_VERSION="$KRB5_MAJOR_RELEASE.$KRB5_MINOR_RELEASE.$KRB5_PATCHLEVEL"
+AC_SUBST(KRB5_VERSION)
+dnl
+dnl This causes us to *always* set CPP, instead of doing it below only
+dnl when krb5_cv_prog_gcc isn't set.
+AC_REQUIRE_CPP
+dnl
dnl
dnl We cannot use the autoconf form as it is too generic and sets other
dnl variables. This is only for the purpose of changing the link options.
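Review bot: The `sed` in the added `eval` line runs without `-n`, so every line of patchlevel.h that is not a matching `#define` is handed to `eval` unchanged and executed as shell text, and for matching lines the whole remainder captured by `\(.*\)` becomes the assigned value. Printing only validated lines closes that: `sed -n 's/^#define \(KRB5_[A-Z0-9_]*\)[ \t]*\([0-9][0-9]*\)$/\1=\2/p'`, with the input written as `"$srcdir/patchlevel.h"` so a source path containing spaces does not split. If m4 quoting is active at this point of configure.in, the bracket expressions also need `changequote` or doubled brackets to survive into the generated script; that cannot be confirmed from the hunk.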
@@ -50,6 +59,7 @@ AC_PROG_RANLIB
AC_CHECK_FUNCS(memmove)
KRB5_BUILD_LIBOBJS
KRB5_BUILD_LIBRARY
+KRB5_BUILD_PROGRAM
dnl
dnl For util/makeshlib. (Is SHLIB_TAIL_COMP still necessary?!?)
dnl
@@ -65,6 +75,9 @@ AC_SUBST(SHLIB_TAIL_COMP)
dnl
dnl
AC_CONFIG_SUBDIRS(util/et util/ss util/profile util/pty util/db2 include lib/crypto lib/krb5 lib/des425 $libkrb4 lib/krb5util lib/kdb lib/gssapi lib/rpc lib/kadm5 $krb524 kdc kadmin slave clients appl tests)
+AC_OUTPUT_COMMANDS([chmod +x krb5-config])
+AC_OUTPUT_COMMANDS([echo timestamp > krb5-stamp-h])
+K5_GEN_FILE(krb5-config)
K5_GEN_MAKEFILE(.)
K5_GEN_MAKEFILE(util)
K5_GEN_MAKEFILE(util/send-pr)
diff --git a/src/include/ChangeLog b/src/include/ChangeLog
index 928ecb1..6cb6e7b 100644
--- a/src/include/ChangeLog
+++ b/src/include/ChangeLog
@@ -1,3 +1,168 @@
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5.hin: Make krb5_get_host_realm() and krb5_free_host_realm()
+ public.
+
+ * win-mac.h: Since this file is now only Win32, remove non-Win32
+ stuff to make it easier to read. Never used __declspec(dllexport)
+ so that we do not accidentally export symbols.
+
+2002-04-05 Alexandra Ellwood <lxs@mit.edu>
+ * krb5.hin: Conditionalize KRB5_CALLCONV_WRONG separately
+ because gssapi.h defines KRB5_CALLCONV but doesn't need
+ KRB5_CALLCONV_WRONG
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * win-mac.h: Add KRB5_CALLCONV_WRONG.
+
+ * krb5.hin: Rename krb5_kt_free_entry_contents as
+ krb5_free_keytab_entry_contents to make it consistent with rest of
+ API. Add KRB5_CALLCONV_WRONG. Fix up various calling
+ conventions. For Win32, add KT an CC accessors and default to not
+ PRIVATE.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5.hin: Make krb5_build_principal_va() KRB5_CALLCONV.
+
+2002-04-03 Alexandra Ellwood <lxs@mit.edu>
+ * krb5.hin: When KRB5_KEYTAB_ACCESSOR_FUNCTIONS is defined,
+ we still need actual definitions for krb5_kt_ops, etc defined
+ because krb5_kt_register uses it as a type.
+ Updated macros to define krb5_kt_ops when KRB5_PRIVATE is 1.
+ Also added a call to KRB5INT_BEGIN_DECLS so there isn't
+ a dangling }; in krb5.h when compiling C++
+ * k5-int.h: Added krb5_kt_dfl_ops for KRB5_KEYTAB_ACCESSOR_FUNCTIONS
+
+2002-04-02 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (krb5_c_valid_enctype, krb5_c_valid_cksumtype,
+ krb5_c_is_coll_proof_cksum, krb5_c_is_keyed_cksum,
+ krb5_kt_free_entry_contents): New decls.
+ (valid_enctype, valid_cksumtype, is_coll_proof_cksum,
+ is_keyed_cksum, krb5_kt_free_entry): Conditionalize on
+ KRB5_PRIVATE.
+
+2002-04-02 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: Allow override of KRB5_PRIVATE and KRB5_DEPRECATED on
+ compiler command line. Make KRB5INT_BEGIN_DECLS and
+ KRB5INT_END_DECLS macros for C++ to keep indentation happy. Make
+ krb5_{enc_priv_part,priv,safe} private. Make most of rcache
+ functions and structs private. Hide keytab structs if
+ KRB5_KEYTAB_ACCESSOR_FUNCTIONS is true.
+ (krb5_auth_con_getcksumtype): Remove declaration for unimplemented
+ function.
+
+2002-04-02 Sam Hartman <hartmans@mit.edu>
+
+ * krb5.hin: Merge krb5_init_keyblock from mainline
+
+2002-04-01 Tom Yu <tlyu@mit.edu>
+
+ * krb5.hin: Move a whole bunch of stuff under KRB5_DEPRECATED or
+ KRB5_PRIVATE as a first pass for cleaning up the API. [merge from
+ trunk] Note that KRB5_DEPRECATED=1 by default, and KRB5_PRIVATE=1
+ on all but MacOS X.
+
+2000-04-01 Miro Jurisic <meeroh@mit.edu>
+ * krb5.hin: Conditionalized krb5_kt_* macros vs. functions with
+ KRB5_KEYTAB_ACCESSOR_FUNCTIONS
+
+2002-03-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb5.hin: Conditionalized pragmas for Metrowerks
+
+2002-03-07 Alexandra Ellwood <lxs@mit.edu>
+ * krb5.hin: Added check for CFM compiles. Removed dependency on
+ PRAGMA_* macros.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb5.hin: Updated Mac OS X headers to new framework layout
+ * k5-int.h: Removed conditionals now defined in prefix files
+ and updated header paths
+
+2001-12-19 Miro Jurisic <meeroh@mit.edu>
+ * win-mac.h: Fixed EFBIG #define
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * krb5.hin, k5-int.h: Condintionally use cc_* macros or functions
+ * krb5.hin: Changed KerberosConditionalMacros.h to
+ KerberosSupport.h
+ * k5-int.h: Rearranged the #ifdef macintosh section to
+ work on Mac OS 9 and X
+ * win-mac.h, k5-int.h, krb5.hin: Updated Mac OS #defines
+ and #includes for new header layout and Mac OS X frameworks
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (TKT_FLG_TRANSIT_POLICY_CHECKED,
+ TKT_FLG_OK_AS_DELEGATE, TKT_FLG_ANONYMOUS): New macros.
+ (KDC_OPT_REQUEST_ANONYMOUS, KDC_OPT_DISABLE_TRANSITED_CHECK):
+ Likewise.
+ (krb5_check_transited_list): Pointed-to krb5_data structures are
+ now all const.
+
+2000-10-16 Miro Jurisic <meeroh@mit.edu>
+
+ * win-mac.h: #include <KerberosConditionalMacros.h> on Mac OS
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5-int.h: Added warning comment about #define macintosh
+
+2000-09-19 Miro Jurisic <meeroh@mit.edu>
+
+ * win-mac.h: Put #include <fcntl.h> back in
+
+2000-06-02 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5.hin (krb5_get_tgs_ktypes, krb5_free_ktypes): Fix linkage to
+ be KRB5_CALLCONV.
+
+ * k5-int.h (krb5int_cc_default): Fix linkage to be consistent with
+ code. (Note: We should dump KRB5_DLLIMP.)
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin (krb5_recvauth_version): Declare.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5-int.h: Added krb5int_cc_default. This function supports the
+ Kerberos Login Library and pops up a dialog if the cache does not
+ contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * krb5.hin -- Added prototypes for new public functions
+
+ krb5_appdefault_string
+ krb5_appdefault_boolean
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.hin: Declare krb5_free_ktypes.
+
+2000-4-13 Alexandra Ellwood <lxs@mit.edu>
+
+ * krb5-int.h: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+ * win-mac.h: Set up the macintosh build to use KerberosLogin.
+
+2000-03-25 Miro Jurisic <meeroh@mit.edu>
+
+ * k5-int.h: Fixed protos for krb5_locate_srv_* (naddrs is int*)
+
+2000-03-20 Miro Jurisic <meeroh@mit.edu>
+
+ * krb5.hin: Add krb5_free_default_realm
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* krb5.hin: Add krb5_get_prompt_types() and related defs..
diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 1c48809..64c2667 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -92,14 +92,9 @@
* Machine-type definitions: PC Clone 386 running Microloss Windows
*/
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
+#if defined(_MSDOS) || defined(_WIN32)
#include "win-mac.h"
-#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
-#pragma import on
-#endif
-#endif
-#if defined(_MSDOS) || defined(_WIN32)
/* Kerberos Windows initialization file */
#define KERBEROS_INI "kerberos.ini"
#define INI_FILES "Files"
@@ -109,10 +104,12 @@
#define ANSI_STDIO
#endif
-
-#ifndef macintosh
-#if defined(__MWERKS__) || defined(applec) || defined(THINK_C)
+/* Note, this may shoot us in the foot if we switch to CW compilers for Mach-o builds */
+#if !defined(macintosh) && (defined(__MWERKS__) || defined(applec) || defined(THINK_C))
#define macintosh
+#endif
+
+#ifdef macintosh
#define SIZEOF_INT 4
#define SIZEOF_SHORT 2
#define HAVE_SRAND
@@ -120,15 +117,11 @@
#define HAVE_LABS
/*#define ENOMEM -1*/
#define ANSI_STDIO
-#ifndef _SIZET
-typedef unsigned int size_t;
-#define _SIZET
-#endif
+#include <size_t.h>
#include <unix.h>
#include <ctype.h>
+#include <fcntl.h>
#endif
-#endif
-
#ifndef KRB5_AUTOCONF__
#define KRB5_AUTOCONF__
@@ -511,7 +504,7 @@ krb5_error_code krb5_sendto_kdc
const krb5_data *,
const krb5_data *,
krb5_data *,
- int *));
+ int));
krb5_error_code krb5_get_krbhst
KRB5_PROTOTYPE((krb5_context,
const krb5_data *,
@@ -555,9 +548,8 @@ krb5_error_code krb5_locate_srv_conf
const krb5_data *,
const char *,
struct sockaddr **,
- int *,
- int *,
- int *));
+ int*,
+ int));
/* no context? */
krb5_error_code krb5_locate_srv_dns
@@ -565,7 +557,7 @@ krb5_error_code krb5_locate_srv_dns
const char *,
const char *,
struct sockaddr **,
- int *));
+ int*));
#endif /* KRB5_LIBOS_PROTO__ */
@@ -788,11 +780,12 @@ KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_keyblock *key,
#define KRB5_LIBOS__
typedef struct _krb5_os_context {
- krb5_magic magic;
- krb5_int32 time_offset;
- krb5_int32 usec_offset;
- krb5_int32 os_flags;
- char * default_ccname;
+ krb5_magic magic;
+ krb5_int32 time_offset;
+ krb5_int32 usec_offset;
+ krb5_int32 os_flags;
+ char * default_ccname;
+ krb5_principal default_ccprincipal;
} *krb5_os_context;
/*
@@ -965,7 +958,7 @@ KRB5_PROTOTYPE((krb5_context context,
krb5_get_init_creds_opt *options,
krb5_gic_get_as_key_fct gak,
void *gak_data,
- int *master,
+ int master,
krb5_kdc_rep **as_reply));
@@ -998,7 +991,12 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_pa_enc_ts
KRB5_PROTOTYPE((krb5_context, krb5_pa_enc_ts FAR *));
/* #include "krb5/wordsize.h" -- comes in through base-defs.h. */
+#if TARGET_OS_MAC
+#include <Kerberos/profile.h>
+#include <Kerberos/com_err.h> /* Not included by Kerberos/profile.h */
+#else
#include "profile.h"
+#endif
struct _krb5_context {
krb5_magic magic;
@@ -1506,6 +1504,8 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_ser_unpack_bytes
krb5_octet FAR * FAR *,
size_t FAR *));
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5int_cc_default
+ KRB5_PROTOTYPE((krb5_context, krb5_ccache FAR *));
krb5_error_code KRB5_CALLCONV krb5_cc_retrieve_cred_default
KRB5_PROTOTYPE((krb5_context, krb5_ccache, krb5_flags,
@@ -1529,4 +1529,53 @@ int krb5_seteuid KRB5_PROTOTYPE((int));
/* to keep lint happy */
#define krb5_xfree(val) free((char FAR *)(val))
+#if KRB5_CCACHE_ACCESSOR_FUNCTIONS
+/* temporary -- this should be under lib/krb5/ccache somewhere */
+
+struct _krb5_ccache {
+ krb5_magic magic;
+ struct _krb5_cc_ops FAR *ops;
+ krb5_pointer data;
+};
+
+struct _krb5_cc_ops {
+ krb5_magic magic;
+ char FAR *prefix;
+ char FAR * (KRB5_CALLCONV *get_name) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
+ krb5_error_code (KRB5_CALLCONV *resolve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache FAR *,
+ const char FAR *));
+ krb5_error_code (KRB5_CALLCONV *gen_new) KRB5_NPROTOTYPE((krb5_context, krb5_ccache FAR *));
+ krb5_error_code (KRB5_CALLCONV *init) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_principal));
+ krb5_error_code (KRB5_CALLCONV *destroy) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
+ krb5_error_code (KRB5_CALLCONV *close) KRB5_NPROTOTYPE((krb5_context, krb5_ccache));
+ krb5_error_code (KRB5_CALLCONV *store) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_creds FAR *));
+ krb5_error_code (KRB5_CALLCONV *retrieve) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_flags, krb5_creds FAR *,
+ krb5_creds FAR *));
+ krb5_error_code (KRB5_CALLCONV *get_princ) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_principal FAR *));
+ krb5_error_code (KRB5_CALLCONV *get_first) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_cc_cursor FAR *));
+ krb5_error_code (KRB5_CALLCONV *get_next) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_cc_cursor FAR *, krb5_creds FAR *));
+ krb5_error_code (KRB5_CALLCONV *end_get) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_cc_cursor FAR *));
+ krb5_error_code (KRB5_CALLCONV *remove_cred) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_flags, krb5_creds FAR *));
+ krb5_error_code (KRB5_CALLCONV *set_flags) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
+ krb5_flags));
+};
+
+extern krb5_cc_ops *krb5_cc_dfl_ops;
+#endif /* KRB5_CCACHE_ACCESSOR_FUNCTIONS */
+
+#if KRB5_KEYTAB_ACCESSOR_FUNCTIONS
+/* temporary -- this should be under lib/krb5/keytab somewhere */
+/* structures defined in krb5.h when KRB5_PRIVATE is 1 */
+extern krb5_kt_ops krb5_kt_dfl_ops;
+#endif /* KRB5_KEYTAB_ACCESSOR_FUNCTIONS */
+
+
#endif /* _KRB5_INT_H */
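Review bot: `struct _krb5_cc_ops` is now spelled out here as well as in the `#else` branch of krb5.hin, and nothing ties the two copies together, so a member added to one and not the other would give the library and its callers different layouts for the same function table. The "temporary" comment should say so, e.g. `/* must stay member-for-member identical to the !KRB5_CCACHE_ACCESSOR_FUNCTIONS definition in krb5.h */`. The `get_name` member here returns `char FAR *` while the new public `krb5_cc_get_name` prototype returns `const char FAR *`; a one-line comment on the member noting that the accessor adds the `const` would make the difference look deliberate.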
diff --git a/src/include/kerberosIV/ChangeLog b/src/include/kerberosIV/ChangeLog
index 767d835..9954dca 100644
--- a/src/include/kerberosIV/ChangeLog
+++ b/src/include/kerberosIV/ChangeLog
@@ -1,3 +1,18 @@
+2000-06-02 Ken Raeburn <raeburn@mit.edu>
+
+ * krb.h (krb4_swab16): Mask upper byte of input after shifting, in
+ case the input value is a signed short.
+
+2000-05-18 Ken Raeburn <raeburn@mit.edu>
+
+ * krb.h (krb4_swab32): Mask high byte of input value after
+ shifting, to avoid "time out of bounds" error when byte orders are
+ different and low byte of timestamp has its high bit set and the
+ timestamp is stored as a signed value.
+
+ * krb.h (krb_get_err_text): Don't use "errno" as an argument
+ name.
+
Mon Mar 15 15:58:34 1999 Tom Yu <tlyu@mit.edu>
* des.h: Fix GSS_DLLIMP.
diff --git a/src/include/kerberosIV/krb.h b/src/include/kerberosIV/krb.h
index fe8830b..4e2b675 100644
--- a/src/include/kerberosIV/krb.h
+++ b/src/include/kerberosIV/krb.h
@@ -340,8 +340,8 @@ typedef struct msg_dat MSG_DAT;
/*
* New byte swapping routines, much cleaner
*/
-#define krb4_swab16(val) (((val) >> 8) | ((val) << 8))
-#define krb4_swab32(val) (((val)>>24) | (((val)>>8)&0xFF00) | \
+#define krb4_swab16(val) ((((val) >> 8)&0xFF) | ((val) << 8))
+#define krb4_swab32(val) ((((val)>>24)&0xFF) | (((val)>>8)&0xFF00) | \
(((val)<<8)&0xFF0000) | ((val)<<24))
/* Kerberos ticket flag field bit definitions */
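Review bot: Only the right-shifted term of `krb4_swab16` is masked; `(val) << 8` is left as is, so after integer promotion the result keeps bits above bit 15 (0x1234 yields 0x123412 as an int), and left-shifting a negative signed short is undefined. Converting first and masking both halves fixes both: `#define krb4_swab16(val) ((((unsigned)(val) >> 8) & 0xFF) | (((unsigned)(val) << 8) & 0xFF00))`. In `krb4_swab32` the `(val)<<24` term has the same signed-shift problem when `val` is a signed timestamp; casting the argument to an unsigned type of at least 32 bits before shifting removes it. Both macros evaluate `val` more than once, which deserves a comment warning against arguments with side effects.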
@@ -466,7 +466,7 @@ KRB5_DLLIMP int KRB5_CALLCONV dest_tkt
PROTOTYPE((void));
/* err_txt.c */
KRB5_DLLIMP const char FAR * KRB5_CALLCONV krb_get_err_text
- PROTOTYPE((int errno));
+ PROTOTYPE((int errnum));
/* g_ad_tkt.c */
int get_ad_tkt
PROTOTYPE((char *service, char *sinst, char *realm, int lifetime));
diff --git a/src/include/krb5.hin b/src/include/krb5.hin
index ea8f93e..7caf42c 100644
--- a/src/include/krb5.hin
+++ b/src/include/krb5.hin
@@ -1,7 +1,7 @@
/*
* include/krb5.h
*
- * Copyright 1989,1990,1995 by the Massachusetts Institute of Technology.
+ * Copyright 1989,1990,1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -56,15 +56,40 @@
#ifndef KRB5_GENERAL__
#define KRB5_GENERAL__
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
-#include <win-mac.h>
-/* Macintoh CFM-68K magic incantation */
-#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
-#pragma import on
+#ifndef KRB5_DEPRECATED
+#define KRB5_DEPRECATED 1 /* Expose deprecated things for now. */
+#endif
+
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+ #include <TargetConditionals.h>
+ #if TARGET_RT_MAC_CFM
+ #error "Use KfM 4.0 SDK headers for CFM compilation."
+ #endif
+
+ /* This is an API divergence in 1.2.3 needed for proper functioning
+ on Mac OS X. This will be reconciled in 1.3 */
+ #define KRB5_CCACHE_ACCESSOR_FUNCTIONS 1
+ #define KRB5_KEYTAB_ACCESSOR_FUNCTIONS 1
+ #ifndef KRB5_PRIVATE /* Allow e.g. build system to override */
+ #define KRB5_PRIVATE 0
+ #endif
+#else
+#if defined(_WIN32)
+ #ifndef KRB5_PRIVATE
+ #define KRB5_PRIVATE 0
+ #endif
+ #define KRB5_CCACHE_ACCESSOR_FUNCTIONS 1
+ #define KRB5_KEYTAB_ACCESSOR_FUNCTIONS 1
+#else
+ #ifndef KRB5_PRIVATE
+ #define KRB5_PRIVATE 1
+ #endif
+ #define KRB5_CCACHE_ACCESSOR_FUNCTIONS 0
+ #define KRB5_KEYTAB_ACCESSOR_FUNCTIONS 0
#endif
#endif
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
+#if defined(_MSDOS) || defined(_WIN32)
#include <win-mac.h>
#endif
@@ -80,6 +105,10 @@
#endif /* !KRB5_CALLCONV */
#endif /* !KRB5_CONFIG__ */
+#ifndef KRB5_CALLCONV_WRONG
+#define KRB5_CALLCONV_WRONG
+#endif
+
#ifndef THREEPARAMOPEN
#define THREEPARAMOPEN(x,y,z) open(x,y,z)
#endif
@@ -95,15 +124,34 @@
* begin "error_def.h"
*/
-#include <profile.h>
+#if TARGET_OS_MAC
+ #include <Kerberos/profile.h>
+#else
+ #include <profile.h>
+#endif
+
#include <errno.h>
/*
* end "error_def.h"
*/
-#ifdef __cplusplus
-extern "C" {
+#if defined(__cplusplus) && !defined(KRB5INT_BEGIN_DECLS)
+#define KRB5INT_BEGIN_DECLS extern "C" {
+#define KRB5INT_END_DECLS }
+#else
+#define KRB5INT_BEGIN_DECLS
+#define KRB5INT_END_DECLS
+#endif
+
+KRB5INT_BEGIN_DECLS
+
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma import on
+ #pragma enumsalwaysint on
+ #endif
+ #pragma options align=mac68k
#endif
/*
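Review bot: The `#else` of `#if defined(__cplusplus) && !defined(KRB5INT_BEGIN_DECLS)` is also taken by a C++ translation unit in which `KRB5INT_BEGIN_DECLS` is already defined, and there it redefines both macros to nothing, which drops the `extern "C"` wrapper or draws a redefinition diagnostic. Splitting the test avoids that: an outer `#ifndef KRB5INT_BEGIN_DECLS` around the whole group and an inner `#ifdef __cplusplus` choosing between the two pairs of definitions. Separately, `#pragma options align=mac68k` changes structure packing for everything that follows; the matching reset is not in this hunk, so confirm the header restores the alignment before it ends.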
@@ -498,7 +546,17 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
#define KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG 23
#define KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV 24
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_c_valid_enctype
+ KRB5_PROTOTYPE((krb5_const krb5_enctype ktype));
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_c_valid_cksumtype
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_c_is_coll_proof_cksum
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_c_is_keyed_cksum
+ KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+#if KRB5_PRIVATE
+/* use the above four instead */
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV valid_enctype
KRB5_PROTOTYPE((krb5_const krb5_enctype ktype));
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV valid_cksumtype
@@ -507,6 +565,7 @@ KRB5_DLLIMP krb5_boolean KRB5_CALLCONV is_coll_proof_cksum
KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV is_keyed_cksum
KRB5_PROTOTYPE((krb5_const krb5_cksumtype ctype));
+#endif
#ifdef KRB5_OLD_CRYPTO
/*
@@ -580,6 +639,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_verify_checksum
krb5_const krb5_pointer in, krb5_const size_t in_length,
krb5_const krb5_pointer seed, krb5_const size_t seed_length));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_random_confounder
KRB5_PROTOTYPE((size_t, krb5_pointer));
@@ -592,6 +652,7 @@ krb5_error_code krb5_decrypt_data
KRB5_PROTOTYPE((krb5_context context, krb5_keyblock *key,
krb5_pointer ivec, krb5_enc_data *data,
krb5_data *enc_data));
+#endif
#endif /* KRB5_OLD_CRYPTO */
@@ -620,7 +681,7 @@ krb5_error_code krb5_decrypt_data
/* #define KDC_OPT_RESERVED 0x00100000 */
/* #define KDC_OPT_RESERVED 0x00080000 */
/* #define KDC_OPT_RESERVED 0x00040000 */
-/* #define KDC_OPT_RESERVED 0x00020000 */
+#define KDC_OPT_REQUEST_ANONYMOUS 0x00020000
/* #define KDC_OPT_RESERVED 0x00010000 */
/* #define KDC_OPT_RESERVED 0x00008000 */
/* #define KDC_OPT_RESERVED 0x00004000 */
@@ -632,7 +693,7 @@ krb5_error_code krb5_decrypt_data
/* #define KDC_OPT_RESERVED 0x00000100 */
/* #define KDC_OPT_RESERVED 0x00000080 */
/* #define KDC_OPT_RESERVED 0x00000040 */
-/* #define KDC_OPT_RESERVED 0x00000020 */
+#define KDC_OPT_DISABLE_TRANSITED_CHECK 0x00000020
#define KDC_OPT_RENEWABLE_OK 0x00000010
#define KDC_OPT_ENC_TKT_IN_SKEY 0x00000008
/* #define KDC_OPT_UNUSED 0x00000004 */
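Review bot: `KDC_OPT_DISABLE_TRANSITED_CHECK` is added without a comment, and it is the one option in this list that moves a security check from the KDC to the receiving server. I would document it where it is defined, e.g. `/* ask the KDC not to check the transited field; the acceptor must then validate the transited realms itself unless the ticket carries TKT_FLG_TRANSIT_POLICY_CHECKED */`. `KDC_OPT_REQUEST_ANONYMOUS` in the previous hunk and the three `TKT_FLG_*` values added in the next one (`TRANSIT_POLICY_CHECKED`, `OK_AS_DELEGATE`, `ANONYMOUS`) would benefit from one-line comments in the same way.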
@@ -708,9 +769,9 @@ krb5_error_code krb5_decrypt_data
#define TKT_FLG_INITIAL 0x00400000
#define TKT_FLG_PRE_AUTH 0x00200000
#define TKT_FLG_HW_AUTH 0x00100000
-/* #define TKT_FLG_RESERVED 0x00080000 */
-/* #define TKT_FLG_RESERVED 0x00040000 */
-/* #define TKT_FLG_RESERVED 0x00020000 */
+#define TKT_FLG_TRANSIT_POLICY_CHECKED 0x00080000
+#define TKT_FLG_OK_AS_DELEGATE 0x00040000
+#define TKT_FLG_ANONYMOUS 0x00020000
/* #define TKT_FLG_RESERVED 0x00010000 */
/* #define TKT_FLG_RESERVED 0x00008000 */
/* #define TKT_FLG_RESERVED 0x00004000 */
@@ -1022,6 +1083,7 @@ typedef struct _krb5_response {
krb5_timestamp request_time; /* When we made the request */
} krb5_response;
+#if KRB5_PRIVATE
typedef struct _krb5_safe {
krb5_magic magic;
krb5_data user_data; /* user data */
@@ -1048,6 +1110,7 @@ typedef struct _krb5_priv_enc_part {
krb5_address FAR *s_address; /* sender address */
krb5_address FAR *r_address; /* recipient address, optional */
} krb5_priv_enc_part;
+#endif
typedef struct _krb5_cred_info {
krb5_magic magic;
@@ -1126,6 +1189,12 @@ typedef struct krb5_replay_data {
typedef krb5_pointer krb5_cc_cursor; /* cursor for sequential lookup */
+#if KRB5_CCACHE_ACCESSOR_FUNCTIONS
+struct _krb5_ccache;
+typedef struct _krb5_ccache FAR *krb5_ccache;
+struct _krb5_cc_ops;
+typedef struct _krb5_cc_ops krb5_cc_ops;
+#else
typedef struct _krb5_ccache {
krb5_magic magic;
struct _krb5_cc_ops FAR *ops;
@@ -1161,6 +1230,7 @@ typedef struct _krb5_cc_ops {
krb5_error_code (KRB5_CALLCONV *set_flags) KRB5_NPROTOTYPE((krb5_context, krb5_ccache,
krb5_flags));
} krb5_cc_ops;
+#endif /* KRB5_CCACHE_ACCESSOR_FUNCTIONS */
/* for retrieve_cred */
#define KRB5_TC_MATCH_TIMES 0x00000001
@@ -1177,6 +1247,58 @@ typedef struct _krb5_cc_ops {
/* for set_flags and other functions */
#define KRB5_TC_OPENCLOSE 0x00000001
+#if KRB5_CCACHE_ACCESSOR_FUNCTIONS
+KRB5_DLLIMP const char FAR * KRB5_CALLCONV
+krb5_cc_get_name (krb5_context context, krb5_ccache cache);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_gen_new (krb5_context context, krb5_ccache FAR *cache);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_initialize(krb5_context context, krb5_ccache cache,
+ krb5_principal principal);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_destroy (krb5_context context, krb5_ccache cache);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_close (krb5_context context, krb5_ccache cache);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
+ krb5_creds FAR *creds);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
+ krb5_flags flags, krb5_creds FAR *mcreds,
+ krb5_creds FAR *creds);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_get_principal (krb5_context context, krb5_ccache cache,
+ krb5_principal FAR *principal);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_next_cred (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor, krb5_creds FAR *creds);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds FAR *creds);
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_cc_set_flags (krb5_context context, krb5_ccache cache, krb5_flags flags);
+
+KRB5_DLLIMP const char * KRB5_CALLCONV
+krb5_cc_get_type (krb5_context context, krb5_ccache cache);
+#else
#define krb5_cc_initialize(context, cache, principal) krb5_x ((cache)->ops->init,(context, cache, principal))
#define krb5_cc_gen_new(context, cache) krb5_x ((*cache)->ops->gen_new,(context, cache))
#define krb5_cc_destroy(context, cache) krb5_x ((cache)->ops->destroy,(context, cache))
@@ -1193,6 +1315,7 @@ typedef struct _krb5_cc_ops {
#define krb5_cc_get_type(context, cache) ((cache)->ops->prefix)
extern krb5_cc_ops *krb5_cc_dfl_ops;
+#endif /* KRB5_CCACHE_ACCESSOR_FUNCTIONS */
/*
* end "ccache.h"
@@ -1202,12 +1325,18 @@ extern krb5_cc_ops *krb5_cc_dfl_ops;
* begin "rcache.h"
*/
+#if KRB5_PRIVATE
typedef struct krb5_rc_st {
krb5_magic magic;
struct _krb5_rc_ops FAR *ops;
krb5_pointer data;
} FAR *krb5_rcache;
+#else
+struct krb5_rc_st;
+typedef struct krb5_rc_st FAR *krb5_rcache;
+#endif
+#if KRB5_PRIVATE
typedef struct _krb5_donot_replay {
krb5_magic magic;
char FAR *server; /* null-terminated */
@@ -1275,6 +1404,7 @@ krb5_error_code krb5_auth_to_rep
#define krb5_rc_resolve(context, id, name) krb5_x((id)->ops->resolve,(context, id, name))
extern krb5_rc_ops krb5_rc_dfl_ops;
+#endif
/*
* end "rcache.h"
@@ -1298,14 +1428,18 @@ typedef struct krb5_keytab_entry_st {
krb5_keyblock key; /* the secret key */
} krb5_keytab_entry;
-
+#if KRB5_KEYTAB_ACCESSOR_FUNCTIONS && !KRB5_PRIVATE
+/* Opaque definitions for krb5_kt_* functions */
+struct _krb5_kt;
+typedef struct _krb5_kt FAR *krb5_keytab;
+#else
+struct _krb5_kt_ops;
typedef struct _krb5_kt {
krb5_magic magic;
struct _krb5_kt_ops FAR *ops;
krb5_pointer data;
} FAR *krb5_keytab;
-
typedef struct _krb5_kt_ops {
krb5_magic magic;
char FAR *prefix;
@@ -1355,7 +1489,30 @@ typedef struct _krb5_kt_ops {
/* Handle for serializer */
void * serializer;
} krb5_kt_ops;
-
+#endif /* !KRB5_KEYTAB_ACCESSOR_FUNCTIONS || KRB5_PRIVATE */
+
+#if KRB5_KEYTAB_ACCESSOR_FUNCTIONS
+char * KRB5_CALLCONV
+krb5_kt_get_type (krb5_context, krb5_keytab keytab);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
+ unsigned int namelen);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_close(krb5_context context, krb5_keytab keytab);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
+ krb5_keytab_entry *entry, krb5_kt_cursor *cursor);
+krb5_error_code KRB5_CALLCONV
+krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor);
+#else
#define krb5_kt_get_type(context, keytab) ((keytab)->ops->prefix)
#define krb5_kt_get_name(context, keytab, name, namelen) krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen))
#define krb5_kt_close(context, keytab) krb5_x((keytab)->ops->close,(context, keytab))
@@ -1363,11 +1520,12 @@ typedef struct _krb5_kt_ops {
#define krb5_kt_start_seq_get(context, keytab, cursor) krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor))
#define krb5_kt_next_entry(context, keytab, entry, cursor) krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor))
#define krb5_kt_end_seq_get(context, keytab, cursor) krb5_x((keytab)->ops->end_get,(context, keytab, cursor))
-/* remove and add are functions, so that they can return NOWRITE
- if not a writable keytab */
-
extern krb5_kt_ops krb5_kt_dfl_ops;
+#endif
+
+/* remove and add are functions, so that they can return NOWRITE
+ if not a writable keytab */
/*
* end "keytab.h"
@@ -1384,6 +1542,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_init_secure_context
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_context
KRB5_PROTOTYPE((krb5_context));
+#if KRB5_PRIVATE
krb5_error_code krb5_set_default_in_tkt_ktypes
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_enctype *));
@@ -1394,18 +1553,29 @@ krb5_error_code krb5_get_default_in_tkt_ktypes
krb5_error_code krb5_set_default_tgs_ktypes
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_enctype *));
-krb5_error_code krb5_get_tgs_ktypes
+#endif
+
+krb5_error_code KRB5_CALLCONV krb5_set_default_tgs_enctypes
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_const krb5_enctype *));
+
+#if KRB5_PRIVATE
+krb5_error_code KRB5_CALLCONV krb5_get_tgs_ktypes
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal,
krb5_enctype **));
krb5_error_code krb5_get_permitted_enctypes
KRB5_PROTOTYPE((krb5_context, krb5_enctype **));
+void KRB5_CALLCONV krb5_free_ktypes
+ KRB5_PROTOTYPE ((krb5_context, krb5_enctype *));
krb5_boolean krb5_is_permitted_enctype
KRB5_PROTOTYPE((krb5_context, krb5_enctype));
+#endif
/* libkrb.spec */
+#if KRB5_PRIVATE
krb5_error_code krb5_kdc_rep_decrypt_proc
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_keyblock *,
@@ -1436,6 +1606,7 @@ krb5_error_code krb5_get_cred_from_kdc_renew
krb5_creds *,
krb5_creds **,
krb5_creds *** ));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_tgt_creds
KRB5_PROTOTYPE((krb5_context,
krb5_creds FAR * FAR* )); /* XXX too hard to do with const */
@@ -1461,6 +1632,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_credentials_renew
krb5_ccache,
krb5_creds FAR *,
krb5_creds FAR * FAR *));
+#if KRB5_PRIVATE
krb5_error_code krb5_get_cred_via_tkt
KRB5_PROTOTYPE((krb5_context,
krb5_creds *,
@@ -1468,6 +1640,7 @@ krb5_error_code krb5_get_cred_via_tkt
krb5_address * krb5_const *,
krb5_creds *,
krb5_creds **));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_mk_req
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context FAR *,
@@ -1530,19 +1703,19 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_unparse_name_ext
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_set_principal_realm
KRB5_PROTOTYPE((krb5_context, krb5_principal, const char FAR *));
-krb5_boolean krb5_address_search
+krb5_boolean KRB5_CALLCONV_WRONG krb5_address_search
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_address *,
krb5_address * krb5_const *));
-krb5_boolean krb5_address_compare
+krb5_boolean KRB5_CALLCONV krb5_address_compare
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_address *,
krb5_const krb5_address *));
-int krb5_address_order
+int KRB5_CALLCONV krb5_address_order
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_address *,
krb5_const krb5_address *));
-krb5_boolean krb5_realm_compare
+krb5_boolean KRB5_CALLCONV krb5_realm_compare
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal,
krb5_const_principal));
@@ -1550,6 +1723,15 @@ KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_principal_compare
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal,
krb5_const_principal));
+krb5_error_code KRB5_CALLCONV krb5_init_keyblock
+ (krb5_context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out);
+ /* Initialize a new keyblock and allocate storage
+ * for the contents of the key, which will be freed along
+ * with the keyblock when krb5_free_keyblock is called.
+ * It is legal to pass in a length of 0, in which
+ * case contents are left unallocated.
+ */
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_copy_keyblock
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_keyblock FAR *,
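Review bot: The comment on `krb5_init_keyblock` says storage for the key contents is allocated but not what state those bytes are in, nor what `*out` holds when the call fails. For an API that hands out key buffers, both are things a caller has to know before using the result. The comment also sits after the prototype, while the other comments in this header precede the declaration they describe. I would move it above the declaration and add, if it matches the implementation, `* The allocated contents are not filled in by this call; the caller sets all length bytes.` and `* On failure *out is left unset.`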
@@ -1570,10 +1752,12 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_copy_principal
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal,
krb5_principal FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_copy_addr
KRB5_PROTOTYPE((krb5_context,
const krb5_address FAR *,
krb5_address FAR * FAR *));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_copy_addresses
KRB5_PROTOTYPE((krb5_context,
krb5_address FAR * krb5_const FAR *,
@@ -1594,6 +1778,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_copy_checksum
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_checksum FAR *,
krb5_checksum FAR * FAR *));
+#if KRB5_PRIVATE
void krb5_init_ets
KRB5_PROTOTYPE((krb5_context));
void krb5_free_ets
@@ -1604,6 +1789,7 @@ krb5_error_code krb5_generate_subkey
krb5_error_code krb5_generate_seq_number
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_keyblock *, krb5_int32 *));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_server_rcache
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_data *, krb5_rcache *));
@@ -1613,7 +1799,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV_C krb5_build_principal
KRB5_STDARG_P((krb5_context, krb5_principal FAR *, int, krb5_const char FAR *, ...));
#ifdef va_start
/* XXX depending on varargs include file defining va_start... */
-krb5_error_code krb5_build_principal_va
+krb5_error_code KRB5_CALLCONV krb5_build_principal_va
KRB5_PROTOTYPE((krb5_context,
krb5_principal, int, krb5_const char *, va_list));
#endif
@@ -1628,6 +1814,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_524_conv_principal
KRB5_PROTOTYPE((krb5_context context, krb5_const krb5_principal princ,
char FAR *name, char FAR *inst, char FAR *realm));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_mk_chpw_req
KRB5_PROTOTYPE((krb5_context context, krb5_auth_context auth_context,
krb5_data *ap_req, char *passwd, krb5_data *packet));
@@ -1638,11 +1825,14 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_rd_chpw_rep
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_chpw_result_code_string
KRB5_PROTOTYPE((krb5_context context, int result_code,
char **result_codestr));
+#endif
/* libkt.spec */
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_register
KRB5_PROTOTYPE((krb5_context,
krb5_kt_ops FAR * ));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_resolve
KRB5_PROTOTYPE((krb5_context,
krb5_const char FAR *,
@@ -1654,9 +1844,15 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_default_name
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_default
KRB5_PROTOTYPE((krb5_context,
krb5_keytab FAR * ));
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_free_keytab_entry_contents
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_keytab_entry FAR * ));
+#if KRB5_PRIVATE
+/* use krb5_kt_free_entry_contents instead */
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_free_entry
KRB5_PROTOTYPE((krb5_context,
krb5_keytab_entry FAR * ));
+#endif
/* remove and add are functions, so that they can return NOWRITE
if not a writable keytab */
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_remove_entry
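Review bot: The comment added above `krb5_kt_free_entry` sends callers to `krb5_kt_free_entry_contents`, but the prototype this hunk makes public is `krb5_free_keytab_entry_contents`. No declaration with the name used in the comment is visible in this part of the header. Keytab entries carry key material, so a reader should not have to guess the replacement call. I would change the comment to `/* use krb5_free_keytab_entry_contents instead */`. A one-line comment on the new prototype, saying whether it frees only the entry's contents or the `krb5_keytab_entry` as well, would also help.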
@@ -1667,13 +1863,14 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_add_entry
KRB5_PROTOTYPE((krb5_context,
krb5_keytab,
krb5_keytab_entry FAR * ));
+#if KRB5_PRIVATE
krb5_error_code krb5_principal2salt
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal, krb5_data *));
krb5_error_code krb5_principal2salt_norealm
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal, krb5_data *));
-
+#endif
/* librc.spec--see rcache.h */
/* libcc.spec */
@@ -1688,8 +1885,10 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_cc_set_default_name
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_cc_default
KRB5_PROTOTYPE((krb5_context,
krb5_ccache FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP unsigned int KRB5_CALLCONV krb5_get_notification_message
KRB5_PROTOTYPE((void));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds
KRB5_PROTOTYPE((krb5_context context,
@@ -1698,32 +1897,43 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_cc_copy_creds
/* chk_trans.c */
+#if KRB5_PRIVATE
krb5_error_code krb5_check_transited_list
- KRB5_PROTOTYPE((krb5_context,
- krb5_data *trans, krb5_data *realm1, krb5_data *realm2));
+ (krb5_context, const krb5_data *trans,
+ const krb5_data *realm1, const krb5_data *realm2);
+#endif
/* free_rtree.c */
+#if KRB5_PRIVATE
void krb5_free_realm_tree
KRB5_PROTOTYPE((krb5_context,
krb5_principal *));
+#endif
/* krb5_free.c */
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_principal
KRB5_PROTOTYPE((krb5_context, krb5_principal ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_authenticator
KRB5_PROTOTYPE((krb5_context, krb5_authenticator FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_authenticator_contents
KRB5_PROTOTYPE((krb5_context, krb5_authenticator FAR * ));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_addresses
KRB5_PROTOTYPE((krb5_context, krb5_address FAR * FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_address
KRB5_PROTOTYPE((krb5_context, krb5_address FAR * ));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_authdata
KRB5_PROTOTYPE((krb5_context, krb5_authdata FAR * FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_enc_tkt_part
KRB5_PROTOTYPE((krb5_context, krb5_enc_tkt_part FAR * ));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_ticket
KRB5_PROTOTYPE((krb5_context, krb5_ticket FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_tickets
KRB5_PROTOTYPE((krb5_context, krb5_ticket FAR * FAR * ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_kdc_req
@@ -1734,12 +1944,18 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_last_req
KRB5_PROTOTYPE((krb5_context, krb5_last_req_entry FAR * FAR * ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_enc_kdc_rep_part
KRB5_PROTOTYPE((krb5_context, krb5_enc_kdc_rep_part FAR * ));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_error
KRB5_PROTOTYPE((krb5_context, krb5_error FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_ap_req
KRB5_PROTOTYPE((krb5_context, krb5_ap_req FAR * ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_ap_rep
KRB5_PROTOTYPE((krb5_context, krb5_ap_rep FAR * ));
+/*
+ * The following 3 fns were moved to k5-int.h on trunk, so are marked
+ * private here.
+ */
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_safe
KRB5_PROTOTYPE((krb5_context, krb5_safe FAR * ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_priv
@@ -1748,12 +1964,15 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_priv_enc_part
KRB5_PROTOTYPE((krb5_context, krb5_priv_enc_part FAR * ));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_cred
KRB5_PROTOTYPE((krb5_context, krb5_cred FAR *));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_creds
KRB5_PROTOTYPE((krb5_context, krb5_creds FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_cred_contents
KRB5_PROTOTYPE((krb5_context, krb5_creds FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_cred_enc_part
KRB5_PROTOTYPE((krb5_context, krb5_cred_enc_part FAR *));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_checksum
KRB5_PROTOTYPE((krb5_context, krb5_checksum FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_checksum_contents
@@ -1762,16 +1981,20 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_keyblock
KRB5_PROTOTYPE((krb5_context, krb5_keyblock FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_keyblock_contents
KRB5_PROTOTYPE((krb5_context, krb5_keyblock FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_pa_data
KRB5_PROTOTYPE((krb5_context, krb5_pa_data FAR * FAR *));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_ap_rep_enc_part
KRB5_PROTOTYPE((krb5_context, krb5_ap_rep_enc_part FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_tkt_authent
KRB5_PROTOTYPE((krb5_context, krb5_tkt_authent FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_pwd_data
KRB5_PROTOTYPE((krb5_context, krb5_pwd_data FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_pwd_sequences
KRB5_PROTOTYPE((krb5_context, passwd_phrase_element FAR * FAR *));
+#endif
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_data
KRB5_PROTOTYPE((krb5_context, krb5_data FAR *));
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_data_contents
@@ -1799,6 +2022,9 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_default_realm
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_set_default_realm
KRB5_PROTOTYPE((krb5_context,
krb5_const char FAR * ));
+KRB5_DLLIMP void KRB5_CALLCONV krb5_free_default_realm
+ KRB5_PROTOTYPE((krb5_context,
+ char FAR * ));
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_sname_to_principal
KRB5_PROTOTYPE((krb5_context,
krb5_const char FAR *,
@@ -1811,6 +2037,7 @@ krb5_change_password
int *result_code, krb5_data *result_code_string,
krb5_data *result_string));
+#if KRB5_PRIVATE
#ifndef macintosh
krb5_error_code krb5_set_config_files
KRB5_PROTOTYPE ((krb5_context, krb5_const char FAR * FAR *));
@@ -1822,11 +2049,13 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_free_config_files
KRB5_PROTOTYPE((char **filenames));
#endif
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
krb5_get_profile
KRB5_PROTOTYPE((krb5_context, profile_t *));
+#if KRB5_PRIVATE
krb5_error_code krb5_send_tgs
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_flags,
@@ -1839,7 +2068,9 @@ krb5_error_code krb5_send_tgs
krb5_const krb5_data *,
krb5_creds *,
krb5_response * ));
+#endif
+#if KRB5_DEPRECATED
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_in_tkt
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_flags,
@@ -1893,13 +2124,15 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_in_tkt_with_keytab
krb5_ccache,
krb5_creds FAR *,
krb5_kdc_rep FAR * FAR * ));
+#endif /* KRB5_DEPRECATED */
-
+#if KRB5_PRIVATE
krb5_error_code krb5_decode_kdc_rep
KRB5_PROTOTYPE((krb5_context,
krb5_data *,
krb5_const krb5_keyblock *,
krb5_kdc_rep ** ));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_rd_req
KRB5_PROTOTYPE((krb5_context,
@@ -1910,6 +2143,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_rd_req
krb5_flags FAR *,
krb5_ticket FAR * FAR *));
+#if KRB5_PRIVATE
krb5_error_code krb5_rd_req_decoded
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context *,
@@ -1927,6 +2161,7 @@ krb5_error_code krb5_rd_req_decoded_anyflag
krb5_keytab,
krb5_flags *,
krb5_ticket **));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_kt_read_service_key
KRB5_PROTOTYPE((krb5_context,
@@ -1947,10 +2182,12 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_mk_priv
krb5_const krb5_data FAR *,
krb5_data FAR *,
krb5_replay_data FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_cc_register
KRB5_PROTOTYPE((krb5_context,
krb5_cc_ops FAR *,
krb5_boolean ));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_sendauth
KRB5_PROTOTYPE((krb5_context,
@@ -1976,13 +2213,24 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_recvauth
krb5_int32,
krb5_keytab,
krb5_ticket FAR * FAR *));
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_recvauth_version
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_auth_context FAR *,
+ krb5_pointer,
+ krb5_principal,
+ krb5_int32,
+ krb5_keytab,
+ krb5_ticket FAR * FAR *,
+ krb5_data FAR *));
+#if KRB5_PRIVATE
krb5_error_code krb5_walk_realm_tree
KRB5_PROTOTYPE((krb5_context,
krb5_const krb5_data *,
krb5_const krb5_data *,
krb5_principal **,
int));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_mk_ncred
KRB5_PROTOTYPE((krb5_context,
@@ -2033,19 +2281,19 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_getflags
krb5_auth_context,
krb5_int32 FAR *));
-krb5_error_code krb5_auth_con_setaddrs
+krb5_error_code KRB5_CALLCONV_WRONG krb5_auth_con_setaddrs
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_address *,
krb5_address *));
-krb5_error_code krb5_auth_con_getaddrs
+krb5_error_code KRB5_CALLCONV krb5_auth_con_getaddrs
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_address **,
krb5_address **));
-krb5_error_code krb5_auth_con_setports
+krb5_error_code KRB5_CALLCONV krb5_auth_con_setports
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_address *,
@@ -2066,6 +2314,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalsubkey
krb5_auth_context,
krb5_keyblock FAR * FAR *));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_set_req_cksumtype
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
@@ -2075,11 +2324,7 @@ krb5_error_code krb5_auth_con_set_safe_cksumtype
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_cksumtype));
-
-krb5_error_code krb5_auth_con_getcksumtype
- KRB5_PROTOTYPE((krb5_context,
- krb5_auth_context,
- krb5_cksumtype *));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_getlocalseqnumber
KRB5_PROTOTYPE((krb5_context,
@@ -2091,10 +2336,13 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_getremoteseqnumber
krb5_auth_context,
krb5_int32 FAR *));
-krb5_error_code krb5_auth_con_initivector
+#if KRB5_DEPRECATED
+krb5_error_code KRB5_CALLCONV krb5_auth_con_initivector
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context));
+#endif
+#if KRB5_PRIVATE
krb5_error_code krb5_auth_con_setivector
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
@@ -2104,13 +2352,14 @@ krb5_error_code krb5_auth_con_getivector
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_pointer *));
+#endif
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_setrcache
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_rcache));
-krb5_error_code krb5_auth_con_getrcache
+krb5_error_code KRB5_CALLCONV_WRONG krb5_auth_con_getrcache
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
krb5_rcache *));
@@ -2141,7 +2390,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_read_password
const char FAR *,
char FAR *,
int FAR * ));
-krb5_error_code krb5_aname_to_localname
+krb5_error_code KRB5_CALLCONV krb5_aname_to_localname
KRB5_PROTOTYPE((krb5_context,
krb5_const_principal,
const int,
@@ -2153,10 +2402,12 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_host_realm
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_free_host_realm
KRB5_PROTOTYPE((krb5_context,
char FAR * const FAR * ));
+#if KRB5_PRIVATE
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_get_realm_domain
KRB5_PROTOTYPE((krb5_context,
const char *,
char ** ));
+#endif
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV krb5_kuserok
KRB5_PROTOTYPE((krb5_context,
krb5_principal, const char *));
@@ -2164,6 +2415,7 @@ KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_auth_con_genaddrs
KRB5_PROTOTYPE((krb5_context,
krb5_auth_context,
int, int));
+#if KRB5_PRIVATE
krb5_error_code krb5_gen_portaddr
KRB5_PROTOTYPE((krb5_context,
const krb5_address *,
@@ -2175,8 +2427,10 @@ krb5_error_code krb5_make_fulladdr
krb5_address *,
krb5_address *));
+#if KRB5_PRIVATE /* In k5-int.h on trunk */
krb5_error_code krb5_os_hostaddr
KRB5_PROTOTYPE((krb5_context, const char *, krb5_address ***));
+#endif
krb5_error_code krb5_set_real_time
KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32));
@@ -2184,10 +2438,13 @@ krb5_error_code krb5_set_debugging_time
KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32));
krb5_error_code krb5_use_natural_time
KRB5_PROTOTYPE((krb5_context));
-krb5_error_code krb5_get_time_offsets
+#endif
+krb5_error_code KRB5_CALLCONV krb5_get_time_offsets
KRB5_PROTOTYPE((krb5_context, krb5_int32 *, krb5_int32 *));
+#if KRB5_PRIVATE
krb5_error_code krb5_set_time_offsets
KRB5_PROTOTYPE((krb5_context, krb5_int32, krb5_int32));
+#endif
/* str_conv.c */
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_string_to_enctype
@@ -2384,6 +2641,25 @@ krb5_decode_ticket
KRB5_PROTOTYPE((const krb5_data *code,
krb5_ticket **rep));
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_string
+KRB5_PROTOTYPE((krb5_context context,
+ const char *appname,
+ const krb5_data *realm,
+ const char *option,
+ const char *default_value,
+ char ** ret_value));
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_boolean
+KRB5_PROTOTYPE((krb5_context context,
+ const char *appname,
+ const krb5_data *realm,
+ const char *option,
+ int default_value,
+ int *ret_value));
+
+#if KRB5_PRIVATE
/*
* The realm iterator functions
*/
@@ -2399,6 +2675,7 @@ KRB5_DLLIMP void KRB5_CALLCONV krb5_realm_iterator_free
KRB5_DLLIMP void KRB5_CALLCONV krb5_free_realm_string
KRB5_PROTOTYPE((krb5_context context, char *str));
+#endif
/*
* Prompter enhancements
@@ -2414,14 +2691,15 @@ typedef krb5_int32 krb5_prompt_type;
KRB5_DLLIMP krb5_prompt_type* KRB5_CALLCONV krb5_get_prompt_types
KRB5_PROTOTYPE((krb5_context context));
-#ifdef __cplusplus
-}
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma enumsalwaysint reset
+ #pragma import reset
+ #endif
+ #pragma options align=reset
#endif
-/* Macintoh CFM-68K magic incantation */
-#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
-#pragma import reset
-#endif
+KRB5INT_END_DECLS
#endif /* KRB5_GENERAL__ */
diff --git a/src/include/krb5/ChangeLog b/src/include/krb5/ChangeLog
index 6fc5cc3..e0bd30e 100644
--- a/src/include/krb5/ChangeLog
+++ b/src/include/krb5/ChangeLog
@@ -1,3 +1,28 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * macsock.h: Updated location of Utilities.h and Sockets headers
+ * macsock.h: #include <KerberosSupport/ErrorLib.h>
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * adm.h (struct __krb5_realm_params): Added fields
+ realm_reject_bad_transit, realm_reject_bad_transit_valid; deleted
+ field realm_filler.
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * kdb.h: added Mac OS X #define (__MACH__) -- we're still a kerberos client
+
+2000-5-18 Alexandra Ellwood <lxs@mit.edu>
+
+ * macsock.h: local_addr_fallback_kludge defined to 0 again... fixed gethostname
+
+2000-5-9 Alexandra Ellwood <lxs@mit.edu>
+
+ * macsock.h: local_addr_fallback_kludge now defined to magic gethostaddr function
+ in the Sockets Library, which does exactly what we want if the search domain is not
+ specified.
+
1998-11-22 Miro Jurisic <meeroh@.mit.edu>
* macsock.h: MacOS: only #define MACHOSTNAMELEN when not
diff --git a/src/include/krb5/adm.h b/src/include/krb5/adm.h
index b3a2b6a..820f652 100644
--- a/src/include/krb5/adm.h
+++ b/src/include/krb5/adm.h
@@ -1,7 +1,7 @@
/*
* include/krb5/adm.h
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -208,13 +208,14 @@ typedef struct __krb5_realm_params {
krb5_timestamp realm_expiration;
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
+ unsigned int realm_reject_bad_transit:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
- unsigned int realm_filler:7;
+ unsigned int realm_reject_bad_transit_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
#endif /* KRB5_ADM_H__ */
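Review bot: Placing `realm_reject_bad_transit:1` ahead of the existing `_valid` bits moves each of those flags up by one bit position. Any object built against the old layout of `krb5_realm_params` would then read the wrong flag from a structure filled in by new code. The old `realm_filler:7` left room for additions; to keep the existing bits in place, put `unsigned int realm_reject_bad_transit:1;` and `unsigned int realm_reject_bad_transit_valid:1;` after `realm_flags_valid` and shrink the filler to `unsigned int realm_filler:5;`. Judging by its name the new flag selects whether a bad transited path is rejected, so a comment stating what consumers do when `realm_reject_bad_transit_valid` is 0 would be worth adding. The struct definition begins above the hunk.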
diff --git a/src/include/krb5/kdb.h b/src/include/krb5/kdb.h
index 8316efe..60a08f4 100644
--- a/src/include/krb5/kdb.h
+++ b/src/include/krb5/kdb.h
@@ -84,7 +84,7 @@
#define KRB5_KDB_CREATE_BTREE 0x00000001
#define KRB5_KDB_CREATE_HASH 0x00000002
-#if !defined(macintosh) && !defined(_MSDOS) && !defined(_WIN32)
+#if !defined(macintosh) && !defined(_MSDOS) && !defined(_WIN32) && !defined(__MACH__)
/*
* Note --- these structures cannot be modified without changing the
diff --git a/src/include/krb5/macsock.h b/src/include/krb5/macsock.h
index 06b103a..ecc2375 100644
--- a/src/include/krb5/macsock.h
+++ b/src/include/krb5/macsock.h
@@ -22,9 +22,9 @@
#ifndef macsock_h
#define macsock_h
-#include <Sockets.h>
-#include <ErrorLib.h>
-#include <netdb.h>
+#include <KerberosSupport/Sockets.h>
+#include <KerberosSupport/ErrorLib.h>
+#include <KerberosSupport/netdb.h>
/* Handle ANSI C versus traditional C */
#ifndef __STDC__
@@ -93,7 +93,7 @@ typedef int SOCKET;
#define SOCKET_ERRNO (GetMITLibError())
#define SOCKET_SET_ERRNO(x) (SetMITLibError(x))
-#define local_addr_fallback_kludge() (0)
+#define local_addr_fallback_kludge() 0
#endif /* macsock_h */
diff --git a/src/include/krb5/stock/ChangeLog b/src/include/krb5/stock/ChangeLog
index 60e3d30..b2db75f 100644
--- a/src/include/krb5/stock/ChangeLog
+++ b/src/include/krb5/stock/ChangeLog
@@ -1,3 +1,7 @@
+2002-05-16 Alexandra Ellwood <lxs@mit.edu>
+ * osconf.h (DEFAULT_PROFILE_PATH): Conditionalized for Mac OS X
+ to look in Mac OS X Preferences file locations.
+
1999-09-20 Ken Raeburn <raeburn@mit.edu>
* osconf.h (KPASSWD_PORTNAME): Define.
diff --git a/src/include/krb5/stock/osconf.h b/src/include/krb5/stock/osconf.h
index 452d9c6..bfe39c3 100644
--- a/src/include/krb5/stock/osconf.h
+++ b/src/include/krb5/stock/osconf.h
@@ -43,7 +43,11 @@
#define DEFAULT_LNAME_FILENAME "/aname"
#define DEFAULT_KEYTAB_NAME "FILE:%s\\krb5kt"
#else /* !_WINDOWS */
+#if TARGET_OS_MAC
+#define DEFAULT_PROFILE_PATH "/Library/Preferences/edu.mit.Kerberos:~/Library/Preferences/edu.mit.Kerberos"
+#else
#define DEFAULT_PROFILE_PATH "/etc/krb5.conf:@SYSCONFDIR/krb5.conf"
+#endif
#define DEFAULT_KEYTAB_NAME "FILE:/etc/krb5.keytab"
#define DEFAULT_LNAME_FILENAME "@PREFIX/lib/krb5.aname"
#endif /* _WINDOWS */
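Review bot: The Mac OS X value of `DEFAULT_PROFILE_PATH` puts a per-user file, `~/Library/Preferences/edu.mit.Kerberos`, on the default profile search path. Nothing at the definition says which component expands `~` or how the two entries are ordered against each other. The same header set declares `krb5_init_secure_context` for callers that must not take configuration from the invoking user, and it is not visible here whether the profile loader drops the `~` entry for such a context. I would add a comment above the define, for example `/* System-wide file first, then the per-user file; the per-user entry must not be consulted for a context created with krb5_init_secure_context. */`, and confirm the loader behaves that way.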
diff --git a/src/include/win-mac.h b/src/include/win-mac.h
index e2d37e0..27c5329 100644
--- a/src/include/win-mac.h
+++ b/src/include/win-mac.h
@@ -1,4 +1,8 @@
/*
+ * This file is now only used on Windows
+ */
+
+/*
* type functions split out of here to make things look nicer in the
* various include files which need these definitions, as well as in
* the util/ directories.
@@ -7,10 +11,7 @@
#ifndef _KRB5_WIN_MAC_H
#define _KRB5_WIN_MAC_H
-#if (defined(_MSDOS) || defined(_WIN32))
-/*
- * Machine-type definitions: PC Clone 386 running Microloss Windows
- */
+#ifdef _WIN32
#define ID_READ_PWD_DIALOG 10000
#define ID_READ_PWD_PROMPT 10001
@@ -22,60 +23,27 @@
#define APSTUDIO_HIDDEN_SYMBOLS
#include <windows.h>
-#else
-
-#if defined(_MSDOS)
- /* Windows 16 specific */
-#define BITS16
-#define SIZEOF_INT 2
-#define SIZEOF_SHORT 2
-#define SIZEOF_LONG 4
-
-#ifndef KRB5_CALLCONV
-#define KRB5_CALLCONV __far __export __pascal
-#define KRB5_CALLCONV_C __far __export __cdecl
-#define KRB5_EXPORTVAR __far __export
-#define KRB5_DLLIMP
-#endif /* !KRB5_CALLCONV */
-
-#include <windows.h>
-
-/*
- * The following defines are needed to make <windows.h> work
- * in stdc mode (/Za flag). Winsock.h needs <windows.h>.
- */
-#ifndef FAR
-#define FAR __far
-#define NEAR __near
-#endif
-
-#ifndef _far
-#define _far __far
-#define _near __near
-#define _pascal __pascal
-#define _cdecl __cdecl
-#define _huge __huge
-#endif
+#else /* ! RES_ONLY */
-#else
- /* Windows 32 specific */
+/* Windows 32 specific */
#define SIZEOF_INT 4
#define SIZEOF_SHORT 2
#define SIZEOF_LONG 4
-#include <windows.h> /* always include this here, to get correct FAR and NEAR */
+/* always include this here, to get correct FAR and NEAR */
+#include <windows.h>
#define HAVE_LABS
#ifndef KRB5_CALLCONV
-# ifdef _MSC_VER
+# ifdef _MSC_VER
# ifdef KRB5_DLL_FILE
-# define KRB5_DLLIMP __declspec(dllexport)
+# define KRB5_DLLIMP
# else
# define KRB5_DLLIMP __declspec(dllimport)
# endif
# ifdef GSS_DLL_FILE
-# define GSS_DLLIMP __declspec(dllexport)
+# define GSS_DLLIMP
# else
# define GSS_DLLIMP __declspec(dllimport)
# endif
@@ -85,11 +53,18 @@
# endif
# define KRB5_CALLCONV __stdcall
# define KRB5_CALLCONV_C __cdecl
+
+/*
+ * Use this to mark an incorrect calling convention that has been
+ * "immortalized" because it was incorrectly exported in a previous
+ * release.
+ */
+
+# define KRB5_CALLCONV_WRONG KRB5_CALLCONV_C
+
# define KRB5_EXPORTVAR
#endif /* !KRB5_CALLCONV */
-#endif /* _MSDOS */
-
#ifndef KRB5_SYSTYPES__
#define KRB5_SYSTYPES__
#include <sys/types.h>
@@ -180,31 +155,6 @@ typedef unsigned char u_char;
#include <fcntl.h>
#include <io.h>
#include <process.h>
-#define THREEPARAMOPEN(x,y,z) open(x,y,z)
-#ifndef _WIN32
-#define O_RDONLY _O_RDONLY
-#define O_WRONLY _O_WRONLY
-#define O_RDWR _O_RDWR
-#define O_APPEND _O_APPEND
-#define O_CREAT _O_CREAT
-#define O_TRUNC _O_TRUNC
-#define O_EXCL _O_EXCL
-#define O_TEXT _O_TEXT
-#define O_BINARY _O_BINARY
-#define O_NOINHERIT _O_NOINHERIT
-#define stat _stat
-#define unlink _unlink
-#define lseek _lseek
-#define write _write
-#define open _open
-#define close _close
-#define read _read
-#define fstat _fstat
-#define mktemp _mktemp
-#define dup _dup
-
-#define getpid _getpid
-#endif
#ifdef NEED_SYSERROR
/* Only needed by util/et/error_message.c but let's keep the source clean */
@@ -222,91 +172,26 @@ HINSTANCE get_lib_instance(void);
#endif /* !RES_ONLY */
-#endif /* _MSDOS || _WIN32 */
+#endif /* _WIN32 */
-#ifdef macintosh
+#define THREEPARAMOPEN(x,y,z) open(x,y,z)
+#ifndef KRB5_CALLCONV
#define KRB5_CALLCONV
-#define KRB5_CALLCONV_C
-#define KRB5_DLLIMP
-#define GSS_DLLIMP
-#ifndef FAR
-#define FAR
-#endif
-#ifndef NEAR
-#define NEAR
-#endif
-
-#define SIZEOF_INT 4
-#define SIZEOF_SHORT 2
-#define HAVE_SRAND
-#define NO_PASSWORD
-#define HAVE_LABS
-/*#define ENOMEM 12*/
-#include <unix.h>
-#include <ctype.h>
-
-#ifdef NEED_LOWLEVEL_IO
-#include <fcntl.h>
#endif
-/*
- * Which encryption routines libcrypto will provide is controlled by
- * mac/libraries/KerberosHeaders.h.
- */
-
-/* there is no <stat.h> for mpw */
-#ifndef __MWERKS__
-typedef unsigned long size_t;
-typedef unsigned long mode_t;
-typedef unsigned long ino_t;
-typedef unsigned long dev_t;
-typedef short nlink_t;
-typedef unsigned long uid_t;
-typedef unsigned long gid_t;
-typedef long off_t;
-
-struct stat
-{
- mode_t st_mode; /* File mode; see #define's below */
- ino_t st_ino; /* File serial number */
- dev_t st_dev; /* ID of device containing this file */
- nlink_t st_nlink; /* Number of links */
- uid_t st_uid; /* User ID of the file's owner */
- gid_t st_gid; /* Group ID of the file's group */
- dev_t st_rdev; /* Device type */
- off_t st_size; /* File size in bytes */
- unsigned long st_atime; /* Time of last access */
- unsigned long st_mtime; /* Time of last data modification */
- unsigned long st_ctime; /* Time of last file status change */
- long st_blksize; /* Optimal blocksize */
- long st_blocks; /* blocks allocated for file */
-};
-
-int stat(const char *path, struct stat *buf);
+#ifndef KRB5_CALLCONV_C
+#define KRB5_CALLCONV_C
#endif
-int fstat(int fildes, struct stat *buf);
-
-#define EFBIG 1000
-
-#define NOFCHMOD 1
-#define NOCHMOD 1
-#define _MACSOCKAPI_
-
-#define THREEPARAMOPEN(x,y,z) open(x,y)
-#else /* macintosh */
-#define THREEPARAMOPEN(x,y,z) open(x,y,z)
-#endif /* macintosh */
-
-#ifndef KRB5_CALLCONV
-#define KRB5_CALLCONV
-#define KRB5_CALLCONV_C
+#ifndef KRB5_DLLIMP
#define KRB5_DLLIMP
#endif
+
#ifndef FAR
#define FAR
#endif
+
#ifndef NEAR
#define NEAR
#endif
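Review bot: The fallback block at the end of the header gives empty defaults for `KRB5_CALLCONV`, `KRB5_CALLCONV_C` and `KRB5_DLLIMP`, but not for `KRB5_CALLCONV_WRONG`. That macro is defined earlier in this file only inside the `#ifndef KRB5_CALLCONV` block of the `_WIN32` branch. The krb5 header hunks in this commit use it on `krb5_address_search`, `krb5_auth_con_setaddrs` and `krb5_auth_con_getrcache`. A build that defines `KRB5_CALLCONV` itself would therefore leave those prototypes with an undefined token, unless the krb5 header supplies its own default outside this view. I would add `#ifndef KRB5_CALLCONV_WRONG`, `#define KRB5_CALLCONV_WRONG KRB5_CALLCONV_C`, `#endif` next to the other fallbacks. `GSS_DLLIMP` also loses its only non-Windows default with the removed `macintosh` block.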
diff --git a/src/kadmin/cli/ChangeLog b/src/kadmin/cli/ChangeLog
index aa19760..ceb689c 100644
--- a/src/kadmin/cli/ChangeLog
+++ b/src/kadmin/cli/ChangeLog
@@ -1,3 +1,28 @@
+2001-10-11 Ken Raeburn <raeburn@mit.edu>
+
+ * kadmin.c (kadmin_parse_name): Properly advance pointer in
+ certain error cases involving '@'. Patch from Emily Ratliff,
+ <ratliff@austin.ibm.com>.
+ [pulled up 1.54->1.55 from trunk]
+
+2001-02-22 Tom Yu <tlyu@mit.edu>
+
+ * kadmin.M: Remove references to "rename_principal".
+
+2000-06-09 Tom Yu <tlyu@mit.edu>
+
+ * kadmin.M: Update to reflect new -e and -keepold flags.
+
+2000-06-06 Ken Raeburn <raeburn@mit.edu>
+
+ * kadmin.c (kadmin_startup): Don't pass keytab_name to printf if
+ it's NULL.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * strftime.c: Replace with a copy of the one from libkrb5, which
+ isn't under GPL.
+
2000-03-01 Tom Yu <tlyu@mit.edu>
* kadmin.c (kadmin_cpw): Initialize ks_tuple to NULL.
diff --git a/src/kadmin/cli/kadmin.M b/src/kadmin/cli/kadmin.M
index a74874f..08e02e5 100644
--- a/src/kadmin/cli/kadmin.M
+++ b/src/kadmin/cli/kadmin.M
@@ -320,6 +320,12 @@ sets the key of the principal to a random value
sets the key of the principal to the specified string and does not
prompt for a password. Note: using this option in a shell script can
be dangerous if unauthorized users gain read access to the script.
+.TP
+\fB\-e\fP \fI"enc:salt ..."\fP
+uses the specified list of enctype\-salttype pairs for setting the key
+of the principal. The quotes are necessary if there are multiple
+enctype\-salttype pairs. This will not function against kadmin
+daemons earlier than krb5\-1.2.
.nf
.TP
EXAMPLE:
@@ -372,8 +378,8 @@ KADM5_UNK_PRINC (principal does not exist)
modifies the specified principal, changing the fields as specified. The
options are as above for
.BR add_principal ,
-except that password changing is forbidden by this command. In
-addition, the option
+except that password changing and flags related to password changing
+are forbidden by this command. In addition, the option
.B \-clearpolicy
will clear the current policy of a principal. This command requires the
.I modify
@@ -391,42 +397,6 @@ KADM5_BAD_MASK (shouldn't happen)
.RE
.fi
.TP
-\fBrename_principal\fP [\fB-force\fP] \fIold new\fP
-rename the principal
-.I old
-to
-.IR new .
-Prompts for confirmation, unless the
-.B \-force
-option is given. Requires both the
-.I add
-and
-.I delete
-privileges. Aliased to
-.BR renprinc .
-.sp
-.nf
-.RS
-.TP
-EXAMPLE:
-kadmin: renprinc tlyutest test0
-Are you sure you want to rename the principal
-"tlyutest@BLEEP.COM" to
-"test0@BLEEP.COM"? (yes/no): yes
-Principal "tlyutest@BLEEP.COM" renamed to
-"test0@BLEEP.COM".
-Make sure that you have removed "tlyutest@BLEEP.COM" from
-all ACLs before reusing.
-kadmin:
-.TP
-ERRORS:
-KADM5_AUTH_ADD (requires "add" privilege)
-KADM5_AUTH_DELETE (requires "delete" privilege)
-KADM5_UNK_PRINC (source principal does not exist)
-KADM5_DUP (target principal already exists)
-.RE
-.fi
-.TP
\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
changes the password of
.IR principal .
@@ -447,6 +417,18 @@ sets the key of the principal to a random value
.TP
\fB\-pw\fP \fIpassword\fP
set the password to the specified string. Not recommended.
+.TP
+\fB\-e\fP \fI"enc:salt ..."\fP
+uses the specified list of enctype\-salttype pairs for setting the key
+of the principal. The quotes are necessary if there are multiple
+enctype\-salttype pairs. This will not function against kadmin
+daemons earlier than krb5\-1.2.
+.TP
+\fB\-keepold \fP
+Keeps the previous kvno's keys around. There is no
+easy way to delete the old keys, and this flag is usually not
+necessary except perhaps for TGS keys. Don't use this flag unless you
+know what you're doing.
.nf
.TP
EXAMPLE:
@@ -664,7 +646,10 @@ kadmin:
.RE
.fi
.TP
-\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
+\fBktadd\fP [\fB\-k\fP \fIkeytab\fP] [\fB\-q\fP] [\fB\-e\fP \fIkeysaltlist\fP]
+.br
+[\fIprincipal\fP | \fB\-glob\fP \fIprinc-exp\fP] [\fI...\fP]
+.br
Adds a principal or all principals matching
.I princ-exp
to a keytab, randomizing each principal's key in the process. Requires the
@@ -772,3 +757,9 @@ OpenVision Kerberos administration program.
.SH BUGS
.PP
Command output needs to be cleaned up.
+
+There is no way to delete a key kept around from a "\-keepold" option
+to a password-changing command, other than to do a password change
+without the "\-keepold" option, which will of course cause problems if
+the key is a TGS key. There will be more powerful key-manipulation
+commands in the future.
diff --git a/src/kadmin/cli/kadmin.c b/src/kadmin/cli/kadmin.c
index 8038532..0092eef 100644
--- a/src/kadmin/cli/kadmin.c
+++ b/src/kadmin/cli/kadmin.c
@@ -149,7 +149,7 @@ krb5_error_code kadmin_parse_name(name, principal)
if (cp - fullname && *(cp - 1) != '\\')
break;
else
- cp = strchr(cp, '@');
+ cp = strchr(cp + 1, '@');
}
if (cp == NULL) {
strcat(fullname, "@");
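Review bot: The escape test `*(cp - 1) != '\\'` in the loop this hunk repairs looks at only the single byte before the `@`, so a name whose last component ends in an escaped backslash (two backslashes directly before the realm separator) is read as having an escaped `@` and no realm. Treating the `@` as escaped only when the run of backslashes before `cp` has odd length would match the quoting the test appears to intend. On that path the code reaches `strcat(fullname, "@")`, presumably followed by the default realm, and the buffer behind `fullname` is sized outside this hunk, so confirm the allocation covers the appended text. kadmin_parse_name starts and ends outside the hunk.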
@@ -392,8 +392,12 @@ char *kadmin_startup(argc, argv)
KADM5_API_VERSION_2,
&handle);
} else if (use_keytab) {
- printf("Authenticating as principal %s with keytab %s.\n",
- princstr, keytab_name);
+ if (keytab_name)
+ printf("Authenticating as principal %s with keytab %s.\n",
+ princstr, keytab_name);
+ else
+ printf("Authenticating as principal %s with default keytab.\n",
+ princstr);
retval = kadm5_init_with_skey(princstr, keytab_name,
KADM5_ADMIN_SERVICE,
&params,
diff --git a/src/kadmin/cli/strftime.c b/src/kadmin/cli/strftime.c
index 484852a..6fb621e 100644
--- a/src/kadmin/cli/strftime.c
+++ b/src/kadmin/cli/strftime.c
@@ -1,469 +1,464 @@
-/* strftime - custom formatting of date and/or time
- Copyright (C) 1989, 1991, 1992 Free Software Foundation, Inc.
-
- This program is free software; you can redistribute it and/or modify
- it under the terms of the GNU General Public License as published by
- the Free Software Foundation; either version 2, or (at your option)
- any later version.
-
- This program is distributed in the hope that it will be useful,
- but WITHOUT ANY WARRANTY; without even the implied warranty of
- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- GNU General Public License for more details.
-
- You should have received a copy of the GNU General Public License
- along with this program; if not, write to the Free Software
- Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. */
-
-/* Note: this version of strftime lacks locale support,
- but it is standalone.
-
- Performs `%' substitutions similar to those in printf. Except
- where noted, substituted fields have a fixed size; numeric fields are
- padded if necessary. Padding is with zeros by default; for fields
- that display a single number, padding can be changed or inhibited by
- following the `%' with one of the modifiers described below. Unknown
- field specifiers are copied as normal characters. All other
- characters are copied to the output without change.
-
- Supports a superset of the ANSI C field specifiers.
-
- Literal character fields:
- % %
- n newline
- t tab
-
- Numeric modifiers (a nonstandard extension):
- - do not pad the field
- _ pad the field with spaces
-
- Time fields:
- %H hour (00..23)
- %I hour (01..12)
- %k hour ( 0..23)
- %l hour ( 1..12)
- %M minute (00..59)
- %p locale's AM or PM
- %r time, 12-hour (hh:mm:ss [AP]M)
- %R time, 24-hour (hh:mm)
- %s time in seconds since 00:00:00, Jan 1, 1970 (a nonstandard extension)
- %S second (00..61)
- %T time, 24-hour (hh:mm:ss)
- %X locale's time representation (%H:%M:%S)
- %Z time zone (EDT), or nothing if no time zone is determinable
-
- Date fields:
- %a locale's abbreviated weekday name (Sun..Sat)
- %A locale's full weekday name, variable length (Sunday..Saturday)
- %b locale's abbreviated month name (Jan..Dec)
- %B locale's full month name, variable length (January..December)
- %c locale's date and time (Sat Nov 04 12:02:33 EST 1989)
- %C century (00..99)
- %d day of month (01..31)
- %e day of month ( 1..31)
- %D date (mm/dd/yy)
- %h same as %b
- %j day of year (001..366)
- %m month (01..12)
- %U week number of year with Sunday as first day of week (00..53)
- %w day of week (0..6)
- %W week number of year with Monday as first day of week (00..53)
- %x locale's date representation (mm/dd/yy)
- %y last two digits of year (00..99)
- %Y year (1970...)
-
- David MacKenzie <djm@gnu.ai.mit.edu> */
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-
-#include <stdio.h>
-#include <sys/types.h>
-#if defined(TM_IN_SYS_TIME) || (!defined(HAVE_TM_ZONE) && !defined(HAVE_TZNAME))
-#include <sys/time.h>
+/* $NetBSD: strftime.c,v 1.8 1999/02/07 17:33:30 augustss Exp $ */
+
+/*
+ * Copyright (c) 1989 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ * must display the following acknowledgement:
+ * This product includes software developed by the University of
+ * California, Berkeley and its contributors.
+ * 4. Neither the name of the University nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#if defined(LIBC_SCCS) && !defined(lint)
+#if 0
+static char *sccsid = "@(#)strftime.c 5.11 (Berkeley) 2/24/91";
#else
-#include <time.h>
-#endif
-
-#ifndef STDC_HEADERS
-time_t mktime ();
+__RCSID("$NetBSD: strftime.c,v 1.8 1999/02/07 17:33:30 augustss Exp $");
#endif
+#endif /* LIBC_SCCS and not lint */
-#if defined(HAVE_TZNAME)
-extern char *tzname[2];
-#endif
-
-/* Types of padding for numbers in date and time. */
-enum padding
-{
- none, blank, zero
-};
+#include <string.h>
+#include <time.h>
-static char const* const days[] =
-{
- "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday"
+/* begin krb5 hack - replace stuff that would come from netbsd libc */
+#undef _CurrentTimeLocale
+#define _CurrentTimeLocale (&dummy_locale_info)
+
+struct dummy_locale_info_t {
+ char d_t_fmt[15];
+ char t_fmt_ampm[12];
+ char t_fmt[9];
+ char d_fmt[9];
+ char day[7][10];
+ char abday[7][4];
+ char mon[12][10];
+ char abmon[12][4];
+ char am_pm[2][3];
};
-
-static char const * const months[] =
-{
- "January", "February", "March", "April", "May", "June",
- "July", "August", "September", "October", "November", "December"
+static const struct dummy_locale_info_t dummy_locale_info = {
+ "%a %b %d %X %Y", /* %c */
+ "%I:%M:%S %p", /* %r */
+ "%H:%M:%S", /* %X */
+ "%m/%d/%y", /* %x */
+ { "Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday",
+ "Saturday" },
+ { "Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat" },
+ { "January", "February", "March", "April", "May", "June",
+ "July", "August", "September", "October", "November", "December" },
+ { "Jan", "Feb", "Mar", "Apr", "May", "Jun",
+ "Jul", "Aug", "Sep", "Oct", "Nov", "Dec" },
+ { "AM", "PM" },
};
+#undef TM_YEAR_BASE
+#define TM_YEAR_BASE 1900
+
+#undef DAYSPERLYEAR
+#define DAYSPERLYEAR 366
+#undef DAYSPERNYEAR
+#define DAYSPERNYEAR 365
+#undef DAYSPERWEEK
+#define DAYSPERWEEK 7
+#undef isleap
+#define isleap(N) ((N % 4) == 0 && (N % 100 != 0 || N % 400 == 0))
+#undef tzname
+#define tzname my_tzname
+static const char *const tzname[2] = { 0, 0 };
+#undef tzset
+#define tzset()
+#undef __P
+#define __P(X) X /* we already require ansi c in this tree */
+/* end krb5 hack */
+
+static int _add __P((const char *, char **, const char *));
+static int _conv __P((int, int, int, char **, const char *));
+static int _secs __P((const struct tm *, char **, const char *));
+static size_t _fmt __P((const char *, const struct tm *, char **,
+ const char *));
-/* Add character C to STRING and increment LENGTH,
- unless LENGTH would exceed MAX. */
-
-#define add_char(c) \
- do \
- { \
- if (length + 1 <= max) \
- string[length++] = (c); \
- } \
- while (0)
-
-/* Add a 2 digit number to STRING, padding if specified.
- Return the number of characters added, up to MAX. */
-
-static int
-add_num2 (string, num, max, pad)
- char *string;
- int num;
- int max;
- enum padding pad;
-{
- int top = num / 10;
- int length = 0;
-
- if (top == 0 && pad == blank)
- add_char (' ');
- else if (top != 0 || pad == zero)
- add_char (top + '0');
- add_char (num % 10 + '0');
- return length;
-}
-
-/* Add a 3 digit number to STRING, padding if specified.
- Return the number of characters added, up to MAX. */
-
-static int
-add_num3 (string, num, max, pad)
- char *string;
- int num;
- int max;
- enum padding pad;
+size_t
+strftime(s, maxsize, format, t)
+ char *s;
+ size_t maxsize;
+ const char *format;
+ const struct tm *t;
{
- int top = num / 100;
- int mid = (num - top * 100) / 10;
- int length = 0;
-
- if (top == 0 && pad == blank)
- add_char (' ');
- else if (top != 0 || pad == zero)
- add_char (top + '0');
- if (mid == 0 && top == 0 && pad == blank)
- add_char (' ');
- else if (mid != 0 || top != 0 || pad == zero)
- add_char (mid + '0');
- add_char (num % 10 + '0');
- return length;
+ char *pt;
+
+ tzset();
+ if (maxsize < 1)
+ return (0);
+
+ pt = s;
+ if (_fmt(format, t, &pt, s + maxsize)) {
+ *pt = '\0';
+ return (pt - s);
+ } else
+ return (0);
}
-/* Like strncpy except return the number of characters copied. */
-
-static int
-add_str (to, from, max)
- char *to;
- const char *from;
- int max;
+#define SUN_WEEK(t) (((t)->tm_yday + 7 - \
+ ((t)->tm_wday)) / 7)
+#define MON_WEEK(t) (((t)->tm_yday + 7 - \
+ ((t)->tm_wday ? (t)->tm_wday - 1 : 6)) / 7)
+
+static size_t
+_fmt(format, t, pt, ptlim)
+ const char *format;
+ const struct tm *t;
+ char **pt;
+ const char * const ptlim;
{
- int i;
-
- for (i = 0; from[i] && i <= max; ++i)
- to[i] = from[i];
- return i;
+ for (; *format; ++format) {
+ if (*format == '%') {
+ ++format;
+ if (*format == 'E') {
+ /* Alternate Era */
+ ++format;
+ } else if (*format == 'O') {
+ /* Alternate numeric symbols */
+ ++format;
+ }
+ switch (*format) {
+ case '\0':
+ --format;
+ break;
+ case 'A':
+ if (t->tm_wday < 0 || t->tm_wday > 6)
+ return (0);
+ if (!_add(_CurrentTimeLocale->day[t->tm_wday],
+ pt, ptlim))
+ return (0);
+ continue;
+
+ case 'a':
+ if (t->tm_wday < 0 || t->tm_wday > 6)
+ return (0);
+ if (!_add(_CurrentTimeLocale->abday[t->tm_wday],
+ pt, ptlim))
+ return (0);
+ continue;
+ case 'B':
+ if (t->tm_mon < 0 || t->tm_mon > 11)
+ return (0);
+ if (!_add(_CurrentTimeLocale->mon[t->tm_mon],
+ pt, ptlim))
+ return (0);
+ continue;
+ case 'b':
+ case 'h':
+ if (t->tm_mon < 0 || t->tm_mon > 11)
+ return (0);
+ if (!_add(_CurrentTimeLocale->abmon[t->tm_mon],
+ pt, ptlim))
+ return (0);
+ continue;
+ case 'C':
+ if (!_conv((t->tm_year + TM_YEAR_BASE) / 100,
+ 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'c':
+ if (!_fmt(_CurrentTimeLocale->d_t_fmt, t, pt,
+ ptlim))
+ return (0);
+ continue;
+ case 'D':
+ if (!_fmt("%m/%d/%y", t, pt, ptlim))
+ return (0);
+ continue;
+ case 'd':
+ if (!_conv(t->tm_mday, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'e':
+ if (!_conv(t->tm_mday, 2, ' ', pt, ptlim))
+ return (0);
+ continue;
+ case 'H':
+ if (!_conv(t->tm_hour, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'I':
+ if (!_conv(t->tm_hour % 12 ?
+ t->tm_hour % 12 : 12, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'j':
+ if (!_conv(t->tm_yday + 1, 3, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'k':
+ if (!_conv(t->tm_hour, 2, ' ', pt, ptlim))
+ return (0);
+ continue;
+ case 'l':
+ if (!_conv(t->tm_hour % 12 ?
+ t->tm_hour % 12: 12, 2, ' ', pt, ptlim))
+ return (0);
+ continue;
+ case 'M':
+ if (!_conv(t->tm_min, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'm':
+ if (!_conv(t->tm_mon + 1, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'n':
+ if (!_add("\n", pt, ptlim))
+ return (0);
+ continue;
+ case 'p':
+ if (!_add(_CurrentTimeLocale->am_pm[t->tm_hour
+ >= 12], pt, ptlim))
+ return (0);
+ continue;
+ case 'R':
+ if (!_fmt("%H:%M", t, pt, ptlim))
+ return (0);
+ continue;
+ case 'r':
+ if (!_fmt(_CurrentTimeLocale->t_fmt_ampm, t, pt,
+ ptlim))
+ return (0);
+ continue;
+ case 'S':
+ if (!_conv(t->tm_sec, 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 's':
+ if (!_secs(t, pt, ptlim))
+ return (0);
+ continue;
+ case 'T':
+ if (!_fmt("%H:%M:%S", t, pt, ptlim))
+ return (0);
+ continue;
+ case 't':
+ if (!_add("\t", pt, ptlim))
+ return (0);
+ continue;
+ case 'U':
+ if (!_conv(SUN_WEEK(t), 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'u':
+ if (!_conv(t->tm_wday ? t->tm_wday : 7, 1, '0',
+ pt, ptlim))
+ return (0);
+ continue;
+ case 'V': /* ISO 8601 week number */
+ case 'G': /* ISO 8601 year (four digits) */
+ case 'g': /* ISO 8601 year (two digits) */
+/*
+** From Arnold Robbins' strftime version 3.0: "the week number of the
+** year (the first Monday as the first day of week 1) as a decimal number
+** (01-53)."
+** (ado, 1993-05-24)
+**
+** From "http://www.ft.uni-erlangen.de/~mskuhn/iso-time.html" by Markus Kuhn:
+** "Week 01 of a year is per definition the first week which has the
+** Thursday in this year, which is equivalent to the week which contains
+** the fourth day of January. In other words, the first week of a new year
+** is the week which has the majority of its days in the new year. Week 01
+** might also contain days from the previous year and the week before week
+** 01 of a year is the last week (52 or 53) of the previous year even if
+** it contains days from the new year. A week starts with Monday (day 1)
+** and ends with Sunday (day 7). For example, the first week of the year
+** 1997 lasts from 1996-12-30 to 1997-01-05..."
+** (ado, 1996-01-02)
+*/
+ {
+ int year;
+ int yday;
+ int wday;
+ int w;
+
+ year = t->tm_year + TM_YEAR_BASE;
+ yday = t->tm_yday;
+ wday = t->tm_wday;
+ for ( ; ; ) {
+ int len;
+ int bot;
+ int top;
+
+ len = isleap(year) ?
+ DAYSPERLYEAR :
+ DAYSPERNYEAR;
+ /*
+ ** What yday (-3 ... 3) does
+ ** the ISO year begin on?
+ */
+ bot = ((yday + 11 - wday) %
+ DAYSPERWEEK) - 3;
+ /*
+ ** What yday does the NEXT
+ ** ISO year begin on?
+ */
+ top = bot -
+ (len % DAYSPERWEEK);
+ if (top < -3)
+ top += DAYSPERWEEK;
+ top += len;
+ if (yday >= top) {
+ ++year;
+ w = 1;
+ break;
+ }
+ if (yday >= bot) {
+ w = 1 + ((yday - bot) /
+ DAYSPERWEEK);
+ break;
+ }
+ --year;
+ yday += isleap(year) ?
+ DAYSPERLYEAR :
+ DAYSPERNYEAR;
+ }
+#ifdef XPG4_1994_04_09
+ if ((w == 52
+ && t->tm_mon == TM_JANUARY)
+ || (w == 1
+ && t->tm_mon == TM_DECEMBER))
+ w = 53;
+#endif /* defined XPG4_1994_04_09 */
+ if (*format == 'V') {
+ if (!_conv(w, 2, '0',
+ pt, ptlim))
+ return (0);
+ } else if (*format == 'g') {
+ if (!_conv(year % 100, 2, '0',
+ pt, ptlim))
+ return (0);
+ } else if (!_conv(year, 4, '0',
+ pt, ptlim))
+ return (0);
+ }
+ continue;
+ case 'W':
+ if (!_conv(MON_WEEK(t), 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'w':
+ if (!_conv(t->tm_wday, 1, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'x':
+ if (!_fmt(_CurrentTimeLocale->d_fmt, t, pt,
+ ptlim))
+ return (0);
+ continue;
+ case 'X':
+ if (!_fmt(_CurrentTimeLocale->t_fmt, t, pt,
+ ptlim))
+ return (0);
+ continue;
+ case 'y':
+ if (!_conv((t->tm_year + TM_YEAR_BASE) % 100,
+ 2, '0', pt, ptlim))
+ return (0);
+ continue;
+ case 'Y':
+ if (!_conv((t->tm_year + TM_YEAR_BASE), 4, '0',
+ pt, ptlim))
+ return (0);
+ continue;
+ case 'Z':
+ if (tzname[t->tm_isdst ? 1 : 0] &&
+ !_add(tzname[t->tm_isdst ? 1 : 0], pt,
+ ptlim))
+ return (0);
+ continue;
+ case '%':
+ /*
+ * X311J/88-090 (4.12.3.5): if conversion char is
+ * undefined, behavior is undefined. Print out the
+ * character itself as printf(3) does.
+ */
+ default:
+ break;
+ }
+ }
+ if (*pt == ptlim)
+ return (0);
+ *(*pt)++ = *format;
+ }
+ return (ptlim - *pt);
}
static int
-add_num_time_t (string, max, num)
- char *string;
- int max;
- time_t num;
+_secs(t, pt, ptlim)
+ const struct tm *t;
+ char **pt;
+ const char * const ptlim;
{
- /* This buffer is large enough to hold the character representation
- (including the trailing NUL) of any unsigned decimal quantity
- whose binary representation fits in 128 bits. */
- char buf[40];
- int length;
-
- if (sizeof (num) > 16)
- abort ();
- sprintf (buf, "%lu", (unsigned long) num);
- length = add_str (string, buf, max);
- return length;
+ char buf[15];
+ time_t s;
+ char *p;
+ struct tm tmp;
+
+ buf[sizeof (buf) - 1] = '\0';
+ /* Make a copy, mktime(3) modifies the tm struct. */
+ tmp = *t;
+ s = mktime(&tmp);
+ for (p = buf + sizeof(buf) - 2; s > 0 && p > buf; s /= 10)
+ *p-- = (char)(s % 10 + '0');
+ return (_add(++p, pt, ptlim));
}
-/* Return the week in the year of the time in TM, with the weeks
- starting on Sundays. */
-
static int
-sun_week (tm)
- struct tm *tm;
+_conv(n, digits, pad, pt, ptlim)
+ int n, digits;
+ int pad;
+ char **pt;
+ const char * const ptlim;
{
- int dl;
-
- /* Set `dl' to the day in the year of the last day of the week previous
- to the one containing the day specified in TM. If the day specified
- in TM is in the first week of the year, `dl' will be negative or 0.
- Otherwise, calculate the number of complete weeks before our week
- (dl / 7) and add any partial week at the start of the year (dl % 7). */
- dl = tm->tm_yday - tm->tm_wday;
- return dl <= 0 ? 0 : dl / 7 + (dl % 7 != 0);
+ char buf[10];
+ char *p;
+
+ buf[sizeof (buf) - 1] = '\0';
+ for (p = buf + sizeof(buf) - 2; n > 0 && p > buf; n /= 10, --digits)
+ *p-- = n % 10 + '0';
+ while (p > buf && digits-- > 0)
+ *p-- = pad;
+ return (_add(++p, pt, ptlim));
}
-/* Return the week in the year of the time in TM, with the weeks
- starting on Mondays. */
-
static int
-mon_week (tm)
- struct tm *tm;
-{
- int dl, wday;
-
- if (tm->tm_wday == 0)
- wday = 6;
- else
- wday = tm->tm_wday - 1;
- dl = tm->tm_yday - wday;
- return dl <= 0 ? 0 : dl / 7 + (dl % 7 != 0);
-}
-
-#if !defined(HAVE_TM_ZONE) && !defined(HAVE_TZNAME)
-char *
-zone_name (tp)
- struct tm *tp;
+_add(str, pt, ptlim)
+ const char *str;
+ char **pt;
+ const char * const ptlim;
{
- char *timezone ();
- struct timeval tv;
- struct timezone tz;
-
- gettimeofday (&tv, &tz);
- return timezone (tz.tz_minuteswest, tp->tm_isdst);
-}
-#endif
-
-/* Format the time given in TM according to FORMAT, and put the
- results in STRING.
- Return the number of characters (not including terminating null)
- that were put into STRING, or 0 if the length would have
- exceeded MAX. */
-
-size_t
-strftime (string, max, format, tm)
- char *string;
- size_t max;
- const char *format;
- const struct tm *tm;
-{
- enum padding pad; /* Type of padding to apply. */
- size_t length = 0; /* Characters put in STRING so far. */
-
- for (; *format && length < max; ++format)
- {
- if (*format != '%')
- add_char (*format);
- else
- {
- ++format;
- /* Modifiers: */
- if (*format == '-')
- {
- pad = none;
- ++format;
- }
- else if (*format == '_')
- {
- pad = blank;
- ++format;
- }
- else
- pad = zero;
-
- switch (*format)
- {
- /* Literal character fields: */
- case 0:
- case '%':
- add_char ('%');
- break;
- case 'n':
- add_char ('\n');
- break;
- case 't':
- add_char ('\t');
- break;
- default:
- add_char (*format);
- break;
-
- /* Time fields: */
- case 'H':
- case 'k':
- length +=
- add_num2 (&string[length], tm->tm_hour, max - length,
- *format == 'H' ? pad : blank);
- break;
- case 'I':
- case 'l':
- {
- int hour12;
-
- if (tm->tm_hour == 0)
- hour12 = 12;
- else if (tm->tm_hour > 12)
- hour12 = tm->tm_hour - 12;
- else
- hour12 = tm->tm_hour;
- length +=
- add_num2 (&string[length], hour12, max - length,
- *format == 'I' ? pad : blank);
- }
- break;
- case 'M':
- length +=
- add_num2 (&string[length], tm->tm_min, max - length, pad);
- break;
- case 'p':
- if (tm->tm_hour < 12)
- add_char ('A');
- else
- add_char ('P');
- add_char ('M');
- break;
- case 'r':
- length +=
- strftime (&string[length], max - length, "%I:%M:%S %p", tm);
- break;
- case 'R':
- length +=
- strftime (&string[length], max - length, "%H:%M", tm);
- break;
-
- case 's':
- {
- struct tm writable_tm;
- writable_tm = *tm;
- length += add_num_time_t (&string[length], max - length,
- mktime (&writable_tm));
- }
- break;
-
- case 'S':
- length +=
- add_num2 (&string[length], tm->tm_sec, max - length, pad);
- break;
- case 'T':
- length +=
- strftime (&string[length], max - length, "%H:%M:%S", tm);
- break;
- case 'X':
- length +=
- strftime (&string[length], max - length, "%H:%M:%S", tm);
- break;
- case 'Z':
-#ifdef HAVE_TM_ZONE
- length += add_str (&string[length], tm->tm_zone, max - length);
-#else
-#ifdef HAVE_TZNAME
- if (tm->tm_isdst && tzname[1] && *tzname[1])
- length += add_str (&string[length], tzname[1], max - length);
- else
- length += add_str (&string[length], tzname[0], max - length);
-#else
- length += add_str (&string[length], zone_name (tm), max - length);
-#endif
-#endif
- break;
- /* Date fields: */
- case 'a':
- add_char (days[tm->tm_wday][0]);
- add_char (days[tm->tm_wday][1]);
- add_char (days[tm->tm_wday][2]);
- break;
- case 'A':
- length +=
- add_str (&string[length], days[tm->tm_wday], max - length);
- break;
- case 'b':
- case 'h':
- add_char (months[tm->tm_mon][0]);
- add_char (months[tm->tm_mon][1]);
- add_char (months[tm->tm_mon][2]);
- break;
- case 'B':
- length +=
- add_str (&string[length], months[tm->tm_mon], max - length);
- break;
- case 'c':
- length +=
- strftime (&string[length], max - length,
- "%a %b %d %H:%M:%S %Z %Y", tm);
- break;
- case 'C':
- length +=
- add_num2 (&string[length], (tm->tm_year + 1900) / 100,
- max - length, pad);
- break;
- case 'd':
- length +=
- add_num2 (&string[length], tm->tm_mday, max - length, pad);
- break;
- case 'e':
- length +=
- add_num2 (&string[length], tm->tm_mday, max - length, blank);
- break;
- case 'D':
- length +=
- strftime (&string[length], max - length, "%m/%d/%y", tm);
- break;
- case 'j':
- length +=
- add_num3 (&string[length], tm->tm_yday + 1, max - length, pad);
- break;
- case 'm':
- length +=
- add_num2 (&string[length], tm->tm_mon + 1, max - length, pad);
- break;
- case 'U':
- length +=
- add_num2 (&string[length], sun_week (tm), max - length, pad);
- break;
- case 'w':
- add_char (tm->tm_wday + '0');
- break;
- case 'W':
- length +=
- add_num2 (&string[length], mon_week (tm), max - length, pad);
- break;
- case 'x':
- length +=
- strftime (&string[length], max - length, "%m/%d/%y", tm);
- break;
- case 'y':
- length +=
- add_num2 (&string[length], tm->tm_year % 100,
- max - length, pad);
- break;
- case 'Y':
- add_char ((tm->tm_year + 1900) / 1000 + '0');
- length +=
- add_num3 (&string[length],
- (1900 + tm->tm_year) % 1000, max - length, zero);
- break;
- }
+ for (;; ++(*pt)) {
+ if (*pt == ptlim)
+ return (0);
+ if ((**pt = *str++) == '\0')
+ return (1);
}
- }
- add_char (0);
- return length - 1;
}
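Review bot: `%Z` now always expands to nothing, because the krb5 hack block redefines `tzname` to a static array initialised to `{ 0, 0 }` and the `case 'Z'` branch skips null entries; the `%c` format also drops the zone that the removed implementation printed (`"%a %b %d %H:%M:%S %Z %Y"`). Any caller that formats timestamps with `%Z` or `%c` silently loses the time zone, so the hack block should say so, e.g. `/* tzname is stubbed out: %Z emits nothing in this copy */`. Separately, `_secs` writes an empty field when `mktime()` returns 0 or `(time_t)-1`, since its digit loop runs only while `s > 0`. The `XPG4_1994_04_09` branch refers to `TM_JANUARY` and `TM_DECEMBER`, which the hack block does not define, and `isleap(N)` uses its argument unparenthesised.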
diff --git a/src/kadmin/dbutil/ChangeLog b/src/kadmin/dbutil/ChangeLog
index 9a309bd..2008272 100644
--- a/src/kadmin/dbutil/ChangeLog
+++ b/src/kadmin/dbutil/ChangeLog
@@ -1,3 +1,45 @@
+2002-08-23 Tom Yu <tlyu@mit.edu>
+
+ * dump.c (dump_db): Update usage comment. Add "-rev" and
+ "-recurse" flags to permit reverse and recursive dumping of the
+ database, respectively. Check for dump filename beginning with
+ "-" to avoid accidental dumps to such filenames.
+
+ * kdb5_util.c (usage): Update to match reality, primarily by
+ updating the "dump" usage, but also showing global options before
+ the command, which is how they were being interpreted anyway.
+
+ * kdb5_util.M: Update to match reality. Document "-mkey_convert",
+ "-new_mkey_file", "-rev", and "-recurse" options to "dump".
+ Document "dump to stdout" behavior. Show global options before
+ the command. Make some formatting fixes. s/binary tree/btree/
+ since the btree back end is actually an n-ary tree.
+
+ [pullups from trunk]
+
+2002-08-12 Tom Yu <tlyu@mit.edu>
+
+ * dump.c (master_key_convert): Iterate over freeing
+ key_data->key_data_contents[j] rather than attempting to free
+ key_data->key_data_contents.
+ [pullup from trunk]
+
+2001-10-23 Tom Yu <tlyu@mit.edu>
+
+ * loadv4.c (fixup_database): Don't set SUPPORT_DESMD5 anymore.
+
+2001-02-05 Tom Yu <tlyu@mit.edu>
+
+ * kdb5_util.M: Fix some formatting nits and document new flags
+ controlling dump formats.
+
+2000-06-30 Tom Yu <tlyu@mit.edu>
+
+ * dump.c: Add a new dump version, r1_3_version, and make it the
+ default; it will be used in krb5-1.3 and will permit a principal's
+ kadm5 data to be dumped. This is an interim measure until we
+ redesign the dump format somewhat.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/kadmin/dbutil/dump.c b/src/kadmin/dbutil/dump.c
index 4378e31..2023f7d 100644
--- a/src/kadmin/dbutil/dump.c
+++ b/src/kadmin/dbutil/dump.c
@@ -47,6 +47,9 @@ extern void usage();
static int mkey_convert;
static krb5_keyblock new_master_keyblock;
+static int backwards;
+static int recursive;
+
/*
* Use compile(3) if no regcomp present.
*/
@@ -74,8 +77,16 @@ static krb5_error_code dump_k5beta_iterator PROTOTYPE((krb5_pointer,
krb5_db_entry *));
static krb5_error_code dump_k5beta6_iterator PROTOTYPE((krb5_pointer,
krb5_db_entry *));
+static krb5_error_code dump_k5beta6_iterator_ext PROTOTYPE((krb5_pointer,
+ krb5_db_entry *,
+ int));
static krb5_error_code dump_k5beta7_princ PROTOTYPE((krb5_pointer,
krb5_db_entry *));
+static krb5_error_code dump_k5beta7_princ_ext PROTOTYPE((krb5_pointer,
+ krb5_db_entry *,
+ int));
+static krb5_error_code dump_k5beta7_princ_withpolicy
+ PROTOTYPE((krb5_pointer, krb5_db_entry *));
static krb5_error_code dump_ov_princ PROTOTYPE((krb5_pointer,
krb5_db_entry *));
static void dump_k5beta7_policy PROTOTYPE((void *, osa_policy_ent_t));
@@ -141,6 +152,16 @@ dump_version ov_version = {
process_ov_record,
};
+dump_version r1_3_version = {
+ "Kerberos version 5 release 1.3",
+ "kdb5_util load_dump version 5\n",
+ 0,
+ 0,
+ dump_k5beta7_princ_withpolicy,
+ dump_k5beta7_policy,
+ process_k5beta7_record,
+};
+
/* External data */
extern char *current_dbname;
extern krb5_boolean dbactive;
@@ -220,6 +241,7 @@ static const char dfile_err_fmt[] = "%s: cannot open %s (%s)\n";
static const char oldoption[] = "-old";
static const char b6option[] = "-b6";
+static const char b7option[] = "-b7";
static const char verboseoption[] = "-verbose";
static const char updateoption[] = "-update";
static const char hashoption[] = "-hash";
@@ -236,7 +258,7 @@ krb5_error_code master_key_convert(context, db_entry)
krb5_error_code retval;
krb5_keyblock v5plainkey, *key_ptr;
krb5_keysalt keysalt;
- int i;
+ int i, j;
krb5_key_data new_key_data, *key_data;
krb5_boolean is_mkey;
@@ -265,7 +287,11 @@ krb5_error_code master_key_convert(context, db_entry)
if (retval)
return retval;
krb5_free_keyblock_contents(context, &v5plainkey);
- free(key_data->key_data_contents);
+ for (j = 0; j < key_data->key_data_ver; j++) {
+ if (key_data->key_data_length[j]) {
+ free(key_data->key_data_contents[j]);
+ }
+ }
*key_data = new_key_data;
}
return 0;
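Review bot: The new free loop is bounded only by `key_data->key_data_ver`, a value read from the database entry, while `key_data_contents[]` and `key_data_length[]` are arrays whose declaration is outside this hunk. If nothing upstream validates the version, an out-of-range value makes the loop read and free past them. Clamping the bound to the array size would close that, e.g. `j < (int)(sizeof(key_data->key_data_contents) / sizeof(key_data->key_data_contents[0]))` as a second loop condition. The freed buffers hold key material encrypted under the old master key, so clearing `key_data_length[j]` bytes before `free()` is worth considering as well. master_key_convert starts outside the hunk.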
@@ -634,6 +660,15 @@ dump_k5beta6_iterator(ptr, entry)
krb5_pointer ptr;
krb5_db_entry *entry;
{
+ return dump_k5beta6_iterator_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta6_iterator_ext(ptr, entry, kadm)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+ int kadm;
+{
krb5_error_code retval;
struct dump_args *arg;
char *name;
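Review bot: The new `kadm` parameter of `dump_k5beta6_iterator_ext` is an undocumented int flag; the later hunks show it decides whether `KRB5_TL_KADM_DATA` tagged data is counted and written or skipped. A header comment such as `/* kadm != 0: include KRB5_TL_KADM_DATA tl_data in the record; 0 keeps the old behaviour of skipping it */` would make the contract explicit, and the same applies to `dump_k5beta7_princ_ext`. `dump_k5beta7_princ_withpolicy` is the wrapper that passes 1, so its name suggests policy data while the flag it sets controls kadm data; a one-line comment explaining the link would help. The body of the function continues outside the hunk.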
@@ -703,7 +738,10 @@ dump_k5beta6_iterator(ptr, entry)
*/
switch (tlp->tl_data_type) {
case KRB5_TL_KADM_DATA:
- skip++;
+ if (kadm)
+ counter++;
+ else
+ skip++;
break;
default:
counter++;
@@ -731,7 +769,7 @@ dump_k5beta6_iterator(ptr, entry)
entry->fail_auth_count);
/* Pound out tagged data. */
for (tlp = entry->tl_data; tlp; tlp = tlp->tl_data_next) {
- if (tlp->tl_data_type == KRB5_TL_KADM_DATA)
+ if (tlp->tl_data_type == KRB5_TL_KADM_DATA && !kadm)
continue; /* see above, [krb5-admin/89] */
fprintf(arg->ofile, "%d\t%d\t",
@@ -797,6 +835,15 @@ dump_k5beta7_princ(ptr, entry)
krb5_pointer ptr;
krb5_db_entry *entry;
{
+ return dump_k5beta7_princ_ext(ptr, entry, 0);
+}
+
+static krb5_error_code
+dump_k5beta7_princ_ext(ptr, entry, kadm)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+ int kadm;
+{
krb5_error_code retval;
struct dump_args *arg;
char *name;
@@ -826,7 +873,7 @@ dump_k5beta7_princ(ptr, entry)
/* save the callee from matching the name again */
tmp_nnames = arg->nnames;
arg->nnames = 0;
- retval = dump_k5beta6_iterator(ptr, entry);
+ retval = dump_k5beta6_iterator_ext(ptr, entry, kadm);
arg->nnames = tmp_nnames;
}
@@ -834,6 +881,14 @@ dump_k5beta7_princ(ptr, entry)
return retval;
}
+static krb5_error_code
+dump_k5beta7_princ_withpolicy(ptr, entry)
+ krb5_pointer ptr;
+ krb5_db_entry *entry;
+{
+ return dump_k5beta7_princ_ext(ptr, entry, 1);
+}
+
void dump_k5beta7_policy(void *data, osa_policy_ent_t entry)
{
struct dump_args *arg;
@@ -953,7 +1008,9 @@ static krb5_error_code dump_ov_princ(krb5_pointer ptr, krb5_db_entry *kdb)
/*
* usage is:
- * dump_db [-old] [-b6] [-ov] [-verbose] [filename [principals...]]
+ * dump_db [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
+ * [-new_mkey_file mkey_file] [-rev] [-recurse]
+ * [filename [principals...]]
*/
void
dump_db(argc, argv)
@@ -980,10 +1037,12 @@ dump_db(argc, argv)
programname = strrchr(argv[0], (int) '/') + 1;
ofile = (char *) NULL;
error = 0;
- dump = &beta7_version;
+ dump = &r1_3_version;
arglist.verbose = 0;
new_mkey_file = 0;
mkey_convert = 0;
+ backwards = 0;
+ recursive = 0;
/*
* Parse the qualifiers.
@@ -993,6 +1052,8 @@ dump_db(argc, argv)
dump = &old_version;
else if (!strcmp(argv[aindex], b6option))
dump = &beta6_version;
+ else if (!strcmp(argv[aindex], b7option))
+ dump = &beta7_version;
else if (!strcmp(argv[aindex], ovoption))
dump = &ov_version;
else if (!strcmp(argv[aindex], verboseoption))
@@ -1002,7 +1063,11 @@ dump_db(argc, argv)
else if (!strcmp(argv[aindex], "-new_mkey_file")) {
new_mkey_file = argv[++aindex];
mkey_convert = 1;
- } else
+ } else if (!strcmp(argv[aindex], "-rev"))
+ backwards = 1;
+ else if (!strcmp(argv[aindex], "-recurse"))
+ recursive = 1;
+ else
break;
}
@@ -1072,6 +1137,11 @@ dump_db(argc, argv)
locked = 0;
if (ofile && strcmp(ofile, "-")) {
/*
+ * Discourage accidental dumping to filenames beginning with '-'.
+ */
+ if (ofile[0] == '-')
+ usage();
+ /*
* Make sure that we don't open and truncate on the fopen,
* since that may hose an on-going kprop process.
*
@@ -1108,9 +1178,10 @@ dump_db(argc, argv)
if (dump->header[strlen(dump->header)-1] != '\n')
fputc('\n', arglist.ofile);
- if ((kret = krb5_db_iterate(util_context,
- dump->dump_princ,
- (krb5_pointer) &arglist))) {
+ if ((kret = krb5_db_iterate_ext(util_context,
+ dump->dump_princ,
+ (krb5_pointer) &arglist,
+ backwards, recursive))) {
fprintf(stderr, dumprec_err,
programname, dump->name, error_message(kret));
exit_status++;
@@ -2008,7 +2079,8 @@ restore_dump(programname, kcontext, dumpfile, f, verbose, dump, pol_db)
}
/*
- * Usage: load_db [-old] [-ov] [-b6] [-verbose] [-update] [-hash] filename
+ * Usage: load_db [-old] [-ov] [-b6] [-b7] [-verbose] [-update] [-hash]
+ * filename
*/
void
load_db(argc, argv)
@@ -2052,6 +2124,8 @@ load_db(argc, argv)
load = &old_version;
else if (!strcmp(argv[aindex], b6option))
load = &beta6_version;
+ else if (!strcmp(argv[aindex], b7option))
+ load = &beta7_version;
else if (!strcmp(argv[aindex], ovoption))
load = &ov_version;
else if (!strcmp(argv[aindex], verboseoption))
@@ -2129,6 +2203,8 @@ load_db(argc, argv)
load = &beta6_version;
else if (strcmp(buf, beta7_version.header) == 0)
load = &beta7_version;
+ else if (strcmp(buf, r1_3_version.header) == 0)
+ load = &r1_3_version;
else if (strncmp(buf, ov_version.header,
strlen(ov_version.header)) == 0)
load = &ov_version;
diff --git a/src/kadmin/dbutil/kdb5_util.M b/src/kadmin/dbutil/kdb5_util.M
index 829e55a..8080756 100644
--- a/src/kadmin/dbutil/kdb5_util.M
+++ b/src/kadmin/dbutil/kdb5_util.M
@@ -3,11 +3,12 @@
kdb5_util \- Kerberos database maintainance utility
.SH SYNOPSIS
.B kdb5_util
-.I command
-[\fB\-r\fP \fIrealm\fP] [\fB\-d\fP \fIdbname\fP]
-[\fB\-k\fP \fImkeytype\fP] [\fB\-M\fP \fImkeyname\fP]
+[\fB\-r\fP\ \fIrealm\fP] [\fB\-d\fP\ \fIdbname\fP]
+[\fB\-k\fP\ \fImkeytype\fP] [\fB\-M\fP\ \fImkeyname\fP]
+[\fB\-sf\fP\ \fIstashfilename\fP]
[\fB\-m\fP]
-.I command_options
+.I command
+.I [command_options]
.SH DESCRIPTION
.B kdb5_util
allows an administrator to perform low-level maintainance procedures on
@@ -35,25 +36,25 @@ successfully opens the database, because the database may not exist yet
or the stash file may be corrupt.
.SH COMMAND-LINE OPTIONS
.TP
-\fB\-r\fP \fIrealm\fP
+\fB\-r\fP\ \fIrealm\fP
specifies the Kerberos realm of the database; by default the realm
returned by
.IR krb5_default_local_realm (3)
is used.
.TP
-\fB-d\fP \fIdbname\fP
+\fB\-d\fP\ \fIdbname\fP
specifies the name under which the principal database is stored; by
default the database is that listed in
.IR kdc.conf (5).
The KADM5 policy database and lock file are also derived from this
value.
.TP
-\fB\-k\fP \fImkeytype\fP
+\fB\-k\fP\ \fImkeytype\fP
specifies the key type of the master key in the database; the default is
that given in
.IR kdc.conf .
.TP
-\fB\-M\fP \fImkeyname\fP
+\fB\-M\fP\ \fImkeyname\fP
principal name for the master key in the database; the default is
that given in
.IR kdc.conf .
@@ -63,7 +64,7 @@ specifies that the master database password should be read from the TTY
rather than fetched from a file on disk.
.SH COMMANDS
.TP
-\fBcreate\fP [\fB-s\fP]
+\fBcreate\fP [\fB\-s\fP]
Creates a new database. If the
.B \-s
option is specified, the stash file is also created. This command fails
@@ -78,15 +79,22 @@ the
.B \-f
argument, does not prompt the user.
.TP
-\fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
+\fBstash\fP [\fB\-f\fP\ \fIkeyfile\fP]
Stores the master principal's keys in a stash file. The
.B \-f
argument can be used to override the keyfile specified at startup.
.TP
-\fBdump\fP [\fB\-old\fP] [\fB\-b6\fP] [\fB\-ov\fP] [\fB-verbose\fP] [\fIfilename\fP [\fIprincipals...\fP]]
+\fBdump\fP [\fB\-old\fP] [\fB\-b6\fP] [\fB\-b7\fP] [\fB\-ov\fP]
+[\fB\-verbose\fP] [\fB\-mkey_convert\fP]
+[\fB\-new_mkey_file\fP \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP]
+[\fIfilename\fP [\fIprincipals...\fP]]
+.br
Dumps the current Kerberos and KADM5 database into an ASCII file. By
default, the database is dumped in current format, "kdb5_util
-load_dumpversion 4". Options:
+load_dumpversion 5". If
+.I filename
+is not specified, or is the string "\-", the dump is sent to standard
+output. Options:
.RS
.TP
.B \-old
@@ -97,6 +105,9 @@ causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format
causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
load_dump version 3.0").
.TP
+.B \-b7
+causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util load_dump version 4"). This was the dump format produced on releases prior to 1.2.2.
+.TP
.B \-ov
causes the dump to be in
.I ovsec_adm_export
@@ -105,15 +116,38 @@ format.
.B \-verbose
causes the name of each principal and policy to be printed as it is
dumped.
+.TP
+.B \-mkey_convert
+prompts for a new master key. This new master key will be used to
+re-encrypt the key data in the dumpfile. The key data in the database
+will not be changed.
+.TP
+.B \-new_mkey_file \fImkey_file\fP
+the filename of a stash file. The master key in this stash file will
+be used to re-encrypt the key data in the dumpfile. The key data in
+the database will not be changed.
+.TP
+.B \-rev
+dumps in reverse order. This may recover principals that do not dump
+normally, in cases where database corruption has occured.
+.TP
+.B \-recurse
+causes the dump to walk the database recursively (btree only). This
+may recover principals that do not dump normally, in cases where
+database corruption has occured. In cases of such corruption, this
+option will probably retrieve more principals than the \fB\-rev\fP
+option will.
.RE
.TP
-\fBload\fP [\fB\-old\fP] [\fB\-b6\fP] [\fB\-ov\fP] [\fB-verbose\fP] [\fB-update\fP] \fIfilename dbname\fP [\fIadmin_dbname\fP]
+\fBload\fP [\fB\-old\fP] [\fB\-b6\fP] [\fB\-ov\fP]
+[\fB\-verbose\fP] [\fB\-update\fP] \fIfilename dbname\fP [\fIadmin_dbname\fP]
+.br
Loads a database dump from the named file into the named database.
Unless the
.B \-old
or
.B \-b6
-option is givnen, the format of the dump file is detected
+option is given, the format of the dump file is detected
automatically and handled as appropriate. Unless the
.B \-update
option is given,
@@ -130,6 +164,10 @@ requires the database to be in the Kerberos 5 Beta 5 and earlier format
requires the database to be in the Kerberos 5 Beta 6 format ("kdb5_edit
load_dump version 3.0").
.TP
+.B \-b7
+requires the database to be in the Kerberos 5 Beta 7 format ("kdb5_util
+load_dump version 4").
+.TP
.B \-ov
requires the database to be in
.I ovsec_adm_import
@@ -137,6 +175,12 @@ format. Must be used with the
.B \-update
option.
.TP
+.B \-hash
+requires the database to be stored as a hash. If this option is not
+specified, the database will be stored as a btree. This option
+is not recommended, as databases stored in hash format are known to
+corrupt data and lose principals.
+.TP
.B \-verbose
causes the name of each principal and policy to be printed as it is
dumped.
@@ -159,7 +203,10 @@ if not specified.
\fBdump_v4\fP [\fIfilename\fP]
Dumps the current database into the Kerberos 4 database dump format.
.TP
-\fBload_v4\fP [\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB-s \fIstashfile\fP] \fIinputfile\fP
+\fBload_v4\fP [\fB\-T\fP] [\fB\-v\fP] [\fB\-h\fP]
+[\fB\-t\fP] [\fB-n\fP] [\fB\-K\fP] [\fB\-s\fP\ \fIstashfile\fP]
+\fIinputfile\fP
+.br
Loads a Kerberos 4 database dump file. Options:
.RS
.TP
@@ -183,6 +230,11 @@ lists each principal as it is converted or ignored.
.B \-t
uses a temporary database, then moves that into place, instead of adding
the keys to the current database.
+.TP
+.B \-h
+Stores the database as a hash instead of a btree. This option is
+not recommended, as databases stored in hash format are known to
+corrupt data and lose principals.
.PP
Note: if the Kerberos 4 database had a default expiration date of 12/31/1999
or 12/31/2009 (the compiled in defaults for older or newer Kerberos
@@ -195,5 +247,9 @@ record; Version 5 stores a seperate modification time and last
password change time. In practice, Version 4 "modifications" were
always password changes. \fIload_v4\fP copies the value into both
fields.
+.RE
+.TP
+\fBark\fP
+Adds a random key.
.SH SEE ALSO
kadmin(8)
diff --git a/src/kadmin/dbutil/kdb5_util.c b/src/kadmin/dbutil/kdb5_util.c
index 92b1c21..7eaa7f8 100644
--- a/src/kadmin/dbutil/kdb5_util.c
+++ b/src/kadmin/dbutil/kdb5_util.c
@@ -81,12 +81,14 @@ kadm5_config_params global_params;
usage()
{
fprintf(stderr, "Usage: "
- "kdb5_util cmd [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
- "\t [-m] [cmd options]\n"
+ "kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]\n"
+ "\t [-sf stashfilename] [-m] cmd [cmd_options]\n"
"\tcreate [-s]\n"
"\tdestroy [-f]\n"
"\tstash [-f keyfile]\n"
- "\tdump [-old] [-ov] [-b6] [-verbose] [filename [princs...]]\n"
+ "\tdump [-old] [-ov] [-b6] [-verbose]\n"
+ "\t [-mkey_convert] [-new_mkey_file mkey_file]\n"
+ "\t [-rev] [-recurse] [filename [princs...]]\n"
"\tload [-old] [-ov] [-b6] [-verbose] [-update] filename\n"
"\tdump_v4 [filename]\n"
"\tload_v4 [-t] [-n] [-v] [-K] [-s stashfile] inputfile\n"
diff --git a/src/kadmin/dbutil/loadv4.c b/src/kadmin/dbutil/loadv4.c
index fb9c2e1..96f51cb 100644
--- a/src/kadmin/dbutil/loadv4.c
+++ b/src/kadmin/dbutil/loadv4.c
@@ -937,27 +937,7 @@ static krb5_error_code fixup_database(context, realm)
krb5_context context;
char * realm;
{
- krb5_db_entry entry;
- krb5_error_code retval;
- int nprincs;
- krb5_boolean more;
-
- nprincs = 1;
- if (retval = krb5_db_get_principal(context, &tgt_princ, &entry,
- &nprincs, &more))
- return retval;
-
- if (nprincs == 0)
- return 0;
-
- entry.attributes |= KRB5_KDB_SUPPORT_DESMD5;
-
- retval = krb5_db_put_principal(context, &entry, &nprincs);
-
- if (nprincs)
- krb5_db_free_principal(context, &entry, nprincs);
-
- return retval;
+ return 0;
}
#else /* KRB5_KRB4_COMPAT */
diff --git a/src/kadmin/ktutil/ChangeLog b/src/kadmin/ktutil/ChangeLog
index fbd4611..9d6b310 100644
--- a/src/kadmin/ktutil/ChangeLog
+++ b/src/kadmin/ktutil/ChangeLog
@@ -1,3 +1,14 @@
+2002-02-04 Ken Raeburn <raeburn@mit.edu>
+
+ * ktutil_funcs.c (ktutil_write_srvtab): When keeping only
+ highest-numbered kvno, with some heuristics to deal with
+ wrap-around at 256.
+
+2000-05-19 Ken Raeburn <raeburn@mit.edu>
+
+ * ktutil_funcs.c (ktutil_write_keytab): Reject a filename that's
+ too long.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/kadmin/ktutil/ktutil_funcs.c b/src/kadmin/ktutil/ktutil_funcs.c
index d4c0ce9..74531fc 100644
--- a/src/kadmin/ktutil/ktutil_funcs.c
+++ b/src/kadmin/ktutil/ktutil_funcs.c
@@ -317,7 +317,9 @@ krb5_error_code ktutil_write_keytab(context, list, name)
krb5_error_code retval = 0;
strcpy(ktname, "WRFILE:");
- strncat(ktname, name, MAXPATHLEN);
+ if (strlen (name) >= MAXPATHLEN)
+ return ENAMETOOLONG;
+ strncat (ktname, name, MAXPATHLEN);
retval = krb5_kt_resolve(context, ktname, &kt);
if (retval)
return retval;
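Review bot: The added length check compares `name` with MAXPATHLEN, but `ktname` already holds the `WRFILE:` prefix, so the check is sufficient only if `ktname` is declared with room for the prefix plus MAXPATHLEN; that declaration is outside the hunk. The `MAXPATHLEN` passed to `strncat` limits the characters appended, not the destination size, so it adds no protection of its own. Assuming `ktname` is an array, tying both to the buffer makes the bound self-evident: `if (strlen(name) >= sizeof(ktname) - strlen(ktname)) return ENAMETOOLONG;` followed by `strncat(ktname, name, sizeof(ktname) - strlen(ktname) - 1);`.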
@@ -500,9 +502,18 @@ krb5_error_code ktutil_write_srvtab(context, list, name)
lp1 = prev->next;
}
lp1->entry = lp->entry;
- } else if (lp1->entry->vno < lp->entry->vno)
- /* Check if lp->entry is newer kvno; if so, update */
- lp1->entry = lp->entry;
+ } else {
+ /* This heuristic should be roughly the same as in the
+ keytab-reading code in libkrb5. */
+ int offset = 0;
+ if (lp1->entry->vno > 240 || lp->entry->vno > 240) {
+ offset = 128;
+ }
+#define M(X) (((X) + offset) % 256)
+ if (M(lp1->entry->vno) < M(lp->entry->vno))
+ /* Check if lp->entry is newer kvno; if so, update */
+ lp1->entry = lp->entry;
+ }
}
fp = fopen(name, "w");
if (!fp) {
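Review bot: `#define M(X)` is introduced in the middle of the function and never undefined, so a one-letter macro stays live for the rest of ktutil_funcs.c; follow its use with `#undef M`, or replace it with a small static helper that takes `offset` explicitly. The thresholds 240 and 128 are also unexplained. A comment saying that kvnos are compared modulo 256 and that a value above 240 is taken as a sign of wrap-around would let a reader check the heuristic against the libkrb5 code the existing comment refers to. The function continues outside the hunk.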
diff --git a/src/kadmin/passwd/ChangeLog b/src/kadmin/passwd/ChangeLog
index 3833b63..e7ce2d6 100644
--- a/src/kadmin/passwd/ChangeLog
+++ b/src/kadmin/passwd/ChangeLog
@@ -1,3 +1,7 @@
+2000-05-08 Nalin Dahyabhai <nalin@redhat.com>
+
+ * xm_kpasswd.c (motif_com_err): Don't overflow buffer "buf".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/kadmin/passwd/xm_kpasswd.c b/src/kadmin/passwd/xm_kpasswd.c
index 0db1111..4232e3b 100644
--- a/src/kadmin/passwd/xm_kpasswd.c
+++ b/src/kadmin/passwd/xm_kpasswd.c
@@ -111,13 +111,15 @@ motif_com_err (whoami, code, fmt, args)
if (whoami)
{
- strcpy(buf, whoami);
- strcat(buf, ": ");
+ strncpy(buf, whoami, sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
+ strncat(buf, ": ", sizeof(buf) - 1 - strlen(buf));
}
if (code)
{
- strcat(buf, error_message(code));
- strcat(buf, " ");
+ buf[sizeof(buf) - 1] = '\0';
+ strncat(buf, error_message(code), sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
}
if (fmt)
{
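Review bot: In the `if (code)` branch, `buf[sizeof(buf) - 1] = '\0'` terminates only the last byte, so when `whoami` is NULL the `strlen(buf)` that follows still depends on `buf` having been emptied earlier in the function, which is outside the hunk. Setting `buf[0] = '\0';` before the `if (whoami)` test would make both branches safe on their own. The `if (fmt)` branch also continues outside the hunk; if it formats into the remainder of `buf`, it needs the same `sizeof(buf) - strlen(buf)` bound for the ChangeLog's "don't overflow buffer" to hold for the whole function.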
diff --git a/src/kadmin/server/ChangeLog b/src/kadmin/server/ChangeLog
index d5f932e..da07371 100644
--- a/src/kadmin/server/ChangeLog
+++ b/src/kadmin/server/ChangeLog
@@ -1,3 +1,33 @@
+2002-10-30 Tom Yu <tlyu@mit.edu>
+
+ * misc.c (chpass_principal_wrapper_3): Renamed from
+ chpass_principal_wrapper; calls chpass_principal_3 now.
+ (randkey_principal_wrapper_3): Renamed from
+ randkey_principal_wrapper; calls randkey_principal_3 now. Patch
+ from Ben Cox.
+
+ * server_stubs.c (chpass_principal_1_svc)
+ (chpass_principal3_1_svc): Call chpass_principal_wrapper_3.
+ (chrand_principal_1_svc, chrand_principal3_1_svc): Call
+ randkey_principal_wrapper_3. Patch from Ben Cox.
+
+ [pullups from trunk]
+
+2002-08-12 Tom Yu <tlyu@mit.edu>
+
+ * server_stubs.c: Check return value from unparse_name() in lots
+ of places. Patch from Mark Levinson; fixes [krb5-admin/1140].
+ [pullup from trunk]
+
+2000-06-21 Tom Yu <tlyu@mit.edu>
+
+ * server_stubs.c: Kludge to rename xdr_free() properly.
+
+2000-05-23 Tom Yu <tlyu@mit.edu>
+
+ * schpw.c (process_chpw_request): Add new argument to call to
+ chpass_principal_util()
+
2000-03-16 Ken Raeburn <raeburn@mit.edu>
Matt Crawford <crawdad@fnal.gov>
diff --git a/src/kadmin/server/misc.c b/src/kadmin/server/misc.c
index 9dc3d9d..132a66e 100644
--- a/src/kadmin/server/misc.c
+++ b/src/kadmin/server/misc.c
@@ -14,7 +14,7 @@ static char *rcsid = "$Header$";
#include "misc.h"
/*
- * Function: chpass_principal_wrapper
+ * Function: chpass_principal_wrapper_3
*
* Purpose: wrapper to kadm5_chpass_principal that checks to see if
* pw_min_life has been reached. if not it returns an error.
@@ -23,8 +23,12 @@ static char *rcsid = "$Header$";
* Arguments:
* principal (input) krb5_principals whose password we are
* changing
- * passoword (input) passowrd we are going to change to.
- * <return value> 0 on sucsess error code on failure.
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
+ * password (input) password we are going to change to.
+ * <return value> 0 on success error code on failure.
*
* Requires:
* kadm5_init to have been run.
@@ -35,8 +39,12 @@ static char *rcsid = "$Header$";
*
*/
kadm5_ret_t
-chpass_principal_wrapper(void *server_handle,
- krb5_principal principal, char *password)
+chpass_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ char *password)
{
krb5_int32 now;
kadm5_ret_t ret;
@@ -72,12 +80,14 @@ chpass_principal_wrapper(void *server_handle,
if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
return ret;
- return kadm5_chpass_principal(server_handle, principal, password);
+ return kadm5_chpass_principal_3(server_handle, principal,
+ keepold, n_ks_tuple, ks_tuple,
+ password);
}
/*
- * Function: randkey_principal_wrapper
+ * Function: randkey_principal_wrapper_3
*
* Purpose: wrapper to kadm5_randkey_principal which checks the
passwords min. life.
@@ -85,6 +95,10 @@ chpass_principal_wrapper(void *server_handle,
* Arguments:
* principal (input) krb5_principal whose password we are
* changing
+ * keepold (input) whether to preserve old keys
+ * n_ks_tuple (input) the number of key-salt tuples in ks_tuple
+ * ks_tuple (input) array of tuples indicating the caller's
+ * requested enctypes/salttypes
* key (output) new random key
* <return value> 0, error code on error.
*
@@ -96,9 +110,12 @@ chpass_principal_wrapper(void *server_handle,
*
*/
kadm5_ret_t
-randkey_principal_wrapper(void *server_handle,
- krb5_principal principal,
- krb5_keyblock **keys, int *n_keys)
+randkey_principal_wrapper_3(void *server_handle,
+ krb5_principal principal,
+ krb5_boolean keepold,
+ int n_ks_tuple,
+ krb5_key_salt_tuple *ks_tuple,
+ krb5_keyblock **keys, int *n_keys)
{
krb5_int32 now;
@@ -134,5 +151,7 @@ randkey_principal_wrapper(void *server_handle,
}
if (ret = kadm5_free_principal_ent(handle->lhandle, &princ))
return ret;
- return kadm5_randkey_principal(server_handle, principal, keys, n_keys);
+ return kadm5_randkey_principal_3(server_handle, principal,
+ keepold, n_ks_tuple, ks_tuple,
+ keys, n_keys);
}
diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index f246571..9de8116 100644
--- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
@@ -229,7 +229,7 @@ process_chpw_request(context, server_handle, realm, s, keytab, sin, req, rep)
ptr[clear.length] = '\0';
ret = kadm5_chpass_principal_util(server_handle, ticket->enc_part2->client,
- ptr, NULL, strresult);
+ ptr, NULL, strresult, sizeof(strresult));
/* zap the password */
memset(clear.data, 0, clear.length);
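Review bot: `sizeof(strresult)` gives the buffer length only if `strresult` is declared as an array in process_chpw_request; the declaration is outside the hunk, and for a pointer the expression would pass the pointer size as the limit. It is worth confirming at the declaration, or passing the same named constant that sizes the buffer. The identical pattern appears in the tcl_kadm5.c hunk, where `sizeof(msg_ret)` is passed.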
diff --git a/src/kadmin/server/server_stubs.c b/src/kadmin/server/server_stubs.c
index 2eef601..4880331 100644
--- a/src/kadmin/server/server_stubs.c
+++ b/src/kadmin/server/server_stubs.c
@@ -18,6 +18,8 @@ static char *rcsid = "$Header$";
#include <syslog.h>
#include "misc.h"
+#define xdr_free gssrpc_xdr_free /* XXX kludge */
+
#define LOG_UNAUTH "Unauthorized request: %s, %s, client=%s, service=%s, addr=%s"
#define LOG_DONE "Request: %s, %s, %s, client=%s, service=%s, addr=%s"
@@ -255,7 +257,10 @@ create_principal_1(cprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (CHANGEPW_SERVICE(rqstp)
|| !acl_check(handle->context, rqstp->rq_clntcred, ACL_ADD,
@@ -309,7 +314,10 @@ create_principal3_1(cprinc3_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (CHANGEPW_SERVICE(rqstp)
|| !acl_check(handle->context, rqstp->rq_clntcred, ACL_ADD,
@@ -365,7 +373,10 @@ delete_principal_1(dprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (CHANGEPW_SERVICE(rqstp)
|| !acl_check(handle->context, rqstp->rq_clntcred, ACL_DELETE,
@@ -413,7 +424,10 @@ modify_principal_1(mprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->rec.principal, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (CHANGEPW_SERVICE(rqstp)
|| !acl_check(handle->context, rqstp->rq_clntcred, ACL_MODIFY,
@@ -467,8 +481,11 @@ rename_principal_1(rprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->src, &prime_arg1);
- krb5_unparse_name(handle->context, arg->dest, &prime_arg2);
+ if (krb5_unparse_name(handle->context, arg->src, &prime_arg1) ||
+ krb5_unparse_name(handle->context, arg->dest, &prime_arg2)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2);
ret.code = KADM5_OK;
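Review bot: When the first `krb5_unparse_name` succeeds and the second fails, the new early return drops `prime_arg1`, which the first call allocated; that path needs a `free(prime_arg1)` before returning. The `sprintf(prime_arg, "%s to %s", prime_arg1, prime_arg2)` on the next line then joins two client-supplied principal names into `prime_arg`, whose size is declared outside the hunk. Assuming it is a fixed array, a bounded `snprintf(prime_arg, sizeof(prime_arg), "%s to %s", prime_arg1, prime_arg2);` with a check for truncation would keep long names from overrunning it.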
@@ -537,7 +554,10 @@ get_principal_1(gprinc_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (! cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ) &&
(CHANGEPW_SERVICE(rqstp) || !acl_check(handle->context,
@@ -657,11 +677,14 @@ chpass_principal_1(chpass_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) {
- ret.code = chpass_principal_wrapper((void *)handle, arg->princ,
- arg->pass);
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
ACL_CHANGEPW, arg->princ, NULL)) {
@@ -715,11 +738,17 @@ chpass_principal3_1(chpass3_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) {
- ret.code = chpass_principal_wrapper((void *)handle, arg->princ,
- arg->pass);
+ ret.code = chpass_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ arg->pass);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
ACL_CHANGEPW, arg->princ, NULL)) {
@@ -776,7 +805,10 @@ setv4key_principal_1(setv4key_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
@@ -831,7 +863,10 @@ setkey_principal_1(setkey_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
@@ -886,7 +921,10 @@ setkey_principal3_1(setkey3_arg *arg, struct svc_req *rqstp)
ret.code = KADM5_FAILURE;
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
@@ -950,11 +988,14 @@ chrand_principal_1(chrand_arg *arg, struct svc_req *rqstp)
free_server_handle(handle);
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) {
- ret.code = randkey_principal_wrapper((void *)handle,
- arg->princ, &k, &nkeys);
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ FALSE, 0, NULL, &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
ACL_CHANGEPW, arg->princ, NULL)) {
@@ -1023,11 +1064,17 @@ chrand_principal3_1(chrand3_arg *arg, struct svc_req *rqstp)
free_server_handle(handle);
return &ret;
}
- krb5_unparse_name(handle->context, arg->princ, &prime_arg);
+ if (krb5_unparse_name(handle->context, arg->princ, &prime_arg)) {
+ ret.code = KADM5_BAD_PRINCIPAL;
+ return &ret;
+ }
if (cmp_gss_krb5_name(handle, rqstp->rq_clntcred, arg->princ)) {
- ret.code = randkey_principal_wrapper((void *)handle,
- arg->princ, &k, &nkeys);
+ ret.code = randkey_principal_wrapper_3((void *)handle, arg->princ,
+ arg->keepold,
+ arg->n_ks_tuple,
+ arg->ks_tuple,
+ &k, &nkeys);
} else if (!(CHANGEPW_SERVICE(rqstp)) &&
acl_check(handle->context, rqstp->rq_clntcred,
ACL_CHANGEPW, arg->princ, NULL)) {
diff --git a/src/kadmin/testing/proto/ChangeLog b/src/kadmin/testing/proto/ChangeLog
index e1fedaf..a69cf30 100644
--- a/src/kadmin/testing/proto/ChangeLog
+++ b/src/kadmin/testing/proto/ChangeLog
@@ -1,3 +1,13 @@
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * kdc.conf.proto: Use des3 master key.
+
+2000-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * krb5.conf.proto: Set dns_fallback=no.
+
+ * kdc.conf.proto: Add des3 to supported_enctypes.
+
Wed Jan 21 12:44:25 1998 Ezra Peisach <epeisach@kangaroo.mit.edu>
* kdc.conf.proto: Add kpasswd_port line so kadmind can start as
diff --git a/src/kadmin/testing/proto/kdc.conf.proto b/src/kadmin/testing/proto/kdc.conf.proto
index 69d6041..6f9edeb 100644
--- a/src/kadmin/testing/proto/kdc.conf.proto
+++ b/src/kadmin/testing/proto/kdc.conf.proto
@@ -11,7 +11,6 @@
dict_file = __K5ROOT__/ovsec_adm.dict
kadmind_port = 1751
kpasswd_port = 1752
- master_key_type = des-cbc-crc
- supported_enctypes = des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
+ master_key_type = des3-hmac-sha1
+ supported_enctypes = des3-hmac-sha1:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-md5:normal des-cbc-raw:normal
}
-
diff --git a/src/kadmin/testing/proto/krb5.conf.proto b/src/kadmin/testing/proto/krb5.conf.proto
index a063815..5521267 100644
--- a/src/kadmin/testing/proto/krb5.conf.proto
+++ b/src/kadmin/testing/proto/krb5.conf.proto
@@ -1,6 +1,7 @@
[libdefaults]
default_realm = __REALM__
default_keytab_name = FILE:__K5ROOT__/v5srvtab
+ dns_fallback = no
[realms]
__REALM__ = {
diff --git a/src/kadmin/testing/util/ChangeLog b/src/kadmin/testing/util/ChangeLog
index e3d88d1..d1d9c42 100644
--- a/src/kadmin/testing/util/ChangeLog
+++ b/src/kadmin/testing/util/ChangeLog
@@ -1,3 +1,14 @@
+2002-02-04 Ken Raeburn <raeburn@mit.edu>
+
+ * tcl_kadm5.c (unparse_err): Print error message, not just number,
+ to stderr for unrecognized error code.
+ * tcl_ovsec_kadm.c (unparse_err): Likewise.
+
+2000-05-23 Tom Yu <tlyu@mit.edu>
+
+ * tcl_kadm5.c (tcl_kadm5_chpass_principal_util): Add new argument
+ to call to chpass_principal_util().
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/kadmin/testing/util/tcl_kadm5.c b/src/kadmin/testing/util/tcl_kadm5.c
index c334850..e85b4f5 100644
--- a/src/kadmin/testing/util/tcl_kadm5.c
+++ b/src/kadmin/testing/util/tcl_kadm5.c
@@ -403,7 +403,7 @@ static Tcl_DString *unparse_err(kadm5_ret_t code)
case KRB5_CONFIG_BADFORMAT: code_string = "KRB5_CONFIG_BADFORMAT"; break;
case EINVAL: code_string = "EINVAL"; break;
case ENOENT: code_string = "ENOENT"; break;
- default: fprintf(stderr, "**** CODE %d ***\n", code); code_string = "UNKNOWN"; break;
+ default: fprintf(stderr, "**** CODE %d (%s) ***\n", code, error_message (code)); code_string = "UNKNOWN"; break;
}
error_string = (char *) error_message(code);
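Review bot: The rewritten `default:` line still prints `code` with `%d`; `kadm5_ret_t` is defined outside this diff, and if it is wider than `int` the format and the argument do not match. A cast makes the call independent of the typedef: `fprintf(stderr, "**** CODE %ld (%s) ***\n", (long) code, error_message(code));`. The same line is changed in tcl_ovsec_kadm.c for `ovsec_kadm_ret_t`.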
@@ -1965,7 +1965,8 @@ int tcl_kadm5_chpass_principal_util(ClientData clientData,
override_qual,
#endif
pw_ret_var ? &pw_ret : 0,
- msg_ret_var ? msg_ret : 0);
+ msg_ret_var ? msg_ret : 0,
+ msg_ret_var ? sizeof(msg_ret) : 0);
if (ret == KADM5_OK) {
if (pw_ret_var &&
diff --git a/src/kadmin/testing/util/tcl_ovsec_kadm.c b/src/kadmin/testing/util/tcl_ovsec_kadm.c
index 9e27e92..16684e2 100644
--- a/src/kadmin/testing/util/tcl_ovsec_kadm.c
+++ b/src/kadmin/testing/util/tcl_ovsec_kadm.c
@@ -372,7 +372,7 @@ static Tcl_DString *unparse_err(ovsec_kadm_ret_t code)
case KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN: code_string = "KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN"; break;
case EINVAL: code_string = "EINVAL"; break;
case ENOENT: code_string = "ENOENT"; break;
- default: fprintf(stderr, "**** CODE %d ***\n", code); code_string = "UNKNOWN"; break;
+ default: fprintf(stderr, "**** CODE %d (%s) ***\n", code, error_message (code)); code_string = "UNKNOWN"; break;
}
error_string = (char *) error_message(code);
diff --git a/src/kadmin/v4server/ChangeLog b/src/kadmin/v4server/ChangeLog
index c036eb8..76c0fe3 100644
--- a/src/kadmin/v4server/ChangeLog
+++ b/src/kadmin/v4server/ChangeLog
@@ -1,3 +1,42 @@
+2002-11-01 Tom Yu <tlyu@mit.edu>
+
+ * kadm_ser_wrap.c (kadm_ser_in): Apply fix for MITKRB5-SA-2002-002
+ buffer overflow.
+ [pullup from trunk]
+
+2002-08-13 Tom Yu <tlyu@mit.edu>
+
+ * acl_files.c (canon;): Properly handle appending of the local
+ realm, which was botched due to a buffer-overflow patch.
+ [pullup from trunk]
+
+2000-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * admin_server.c (main, case 'r'): Reject realm name that's too
+ long.
+
+ * acl_files.c (acl_load): Return error if name too long.
+
+ * kadm_err.et (KADM_REALM_TOO_LONG): New error code.
+ * kadm_ser_wrap.c (kadm_ser_init): Return it instead of truncating
+ a too-long realm name.
+
+2000-05-23 Nalin Dahyabhai <nalin@redhat.com>
+
+ * acl_files.c (acl_canonicalize_principal): If the principal name
+ would be too long, return a zero-length string to mark it as invalid.
+ (acl_load): Don't add the principal to the hash if it's invalid.
+ (acl_add): Don't check the principal if it's invalid.
+ (acl_delete): Don't try to delete the principal if it's invalid.
+
+ * kadm_ser_wrap.c (kadm_ser_init): Truncate "server_parm.krbrlm"
+ if "realm" is too long.
+
+2000-05-23 Tom Yu <tlyu@mit.edu>
+
+ * kadm_server.c (kadm_ser_cpw): Add new arg to call to
+ chpass_principal_util().
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/kadmin/v4server/acl_files.c b/src/kadmin/v4server/acl_files.c
index 22a0007..e68d384 100644
--- a/src/kadmin/v4server/acl_files.c
+++ b/src/kadmin/v4server/acl_files.c
@@ -69,7 +69,8 @@ void acl_canonicalize_principal(principal, canon)
char *principal;
char *canon;
{
- char *dot, *atsign, *end;
+ char *dot, *atsign, *end, *canon_save = canon;
+ char realm[REALM_SZ];
int len;
dot = strchr(principal, INST_SEP);
@@ -94,18 +95,33 @@ char *canon;
/* Get the principal name */
len = MIN(ANAME_SZ, COR(dot, COR(atsign, end)) - principal);
- strncpy(canon, principal, len);
- canon += len;
+ if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) {
+ strncpy(canon, principal, len);
+ canon += len;
+ } else {
+ strcpy(canon, "");
+ return;
+ }
/* Add INST_SEP */
- *canon++ = INST_SEP;
+ if(canon + 1 < canon_save + MAX_PRINCIPAL_SIZE) {
+ *canon++ = INST_SEP;
+ } else {
+ strcpy(canon, "");
+ return;
+ }
/* Get the instance, if it exists */
if(dot != NULL) {
++dot;
len = MIN(INST_SZ, COR(atsign, end) - dot);
- strncpy(canon, dot, len);
- canon += len;
+ if(canon + len < canon_save + MAX_PRINCIPAL_SIZE) {
+ strncpy(canon, dot, len);
+ canon += len;
+ } else {
+ strcpy(canon, "");
+ return;
+ }
}
/* Add REALM_SEP */
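Review bot: Every failure branch added here marks the result invalid with `strcpy(canon, "")`, but by then `canon` has been advanced past the components already copied, so the terminator lands after them and the caller's buffer still begins with a non-empty string. The callers changed later in this commit test `strlen(canon)` on the start of that buffer, so a principal rejected after its first component would be treated as a valid, truncated name in the ACL lookup. Writing through the saved start, `*canon_save = '\0'; return;`, in each branch of this hunk and of the realm hunk that follows makes the marker reliable. Only the first branch, where `canon` still equals `canon_save`, behaves as intended as written.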
@@ -116,11 +132,28 @@ char *canon;
if(atsign != NULL) {
++atsign;
len = MIN(REALM_SZ, end - atsign);
- strncpy(canon, atsign, len);
- canon += len;
- *canon++ = '\0';
- } else if(krb_get_lrealm(canon, 1) != KSUCCESS) {
- strcpy(canon, KRB_REALM);
+ if(canon + len + 1 < canon_save + MAX_PRINCIPAL_SIZE) {
+ strncpy(canon, atsign, len);
+ canon += len;
+ *canon++ = '\0';
+ } else {
+ strcpy(canon, "");
+ return;
+ }
+ } else if(krb_get_lrealm(realm, 1) != KSUCCESS) {
+ if(canon + strlen(KRB_REALM) < canon_save + MAX_PRINCIPAL_SIZE) {
+ strcpy(canon, KRB_REALM);
+ } else {
+ strcpy(canon, "");
+ return;
+ }
+ } else {
+ if (canon + strlen(realm) < canon_save + MAX_PRINCIPAL_SIZE) {
+ strcpy(canon, realm);
+ } else {
+ strcpy(canon, "");
+ return;
+ }
}
}
@@ -399,7 +432,11 @@ char *name;
}
/* Set up the acl */
- strcpy(acl_cache[i].filename, name);
+ if (strlen (name) >= sizeof (acl_cache[i].filename) - 1) {
+ return -1;
+ }
+ strncpy(acl_cache[i].filename, name, sizeof(acl_cache[i].filename) - 1);
+ acl_cache[i].filename[sizeof(acl_cache[i].filename) - 1] = '\0';
if((acl_cache[i].fd = open(name, O_RDONLY, 0)) < 0) return(-1);
/* Force reload */
acl_cache[i].acl = (struct hashtbl *) 0;
@@ -426,7 +463,9 @@ char *name;
while(fgets(buf, sizeof(buf), f) != NULL) {
nuke_whitespace(buf);
acl_canonicalize_principal(buf, canon);
- add_hash(acl_cache[i].acl, canon);
+ if(strlen(canon) > 0) {
+ add_hash(acl_cache[i].acl, canon);
+ }
}
fclose(f);
acl_cache[i].status = s;
@@ -459,6 +498,9 @@ char *principal;
acl_canonicalize_principal(principal, canon);
+ /* Is it an invalid principal name? */
+ if(strlen(canon) == 0) return(0);
+
/* Is it there? */
if(acl_exact_match(acl, canon)) return(1);
@@ -489,6 +531,9 @@ char *principal;
acl_canonicalize_principal(principal, canon);
+ /* Is it an invalid principal name? */
+ if(strlen(canon) == 0) return(-1);
+
if((new = acl_lock_file(acl)) == NULL) return(-1);
if((acl_exact_match(acl, canon))
|| (idx = acl_load(acl)) < 0) {
@@ -523,6 +568,9 @@ char *principal;
acl_canonicalize_principal(principal, canon);
+ /* Is it an invalid principal name? */
+ if(strlen(canon) == 0) return(-1);
+
if((new = acl_lock_file(acl)) == NULL) return(-1);
if((!acl_exact_match(acl, canon))
|| (idx = acl_load(acl)) < 0) {
diff --git a/src/kadmin/v4server/admin_server.c b/src/kadmin/v4server/admin_server.c
index 90bf087..cd8742d 100644
--- a/src/kadmin/v4server/admin_server.c
+++ b/src/kadmin/v4server/admin_server.c
@@ -149,6 +149,10 @@ char *argv[];
fascist_cpw = 0;
break;
case 'r':
+ if (strlen (optarg) + 1 > REALM_SZ) {
+ com_err(argv[0], 0, "realm name `%s' too long", optarg);
+ exit(1);
+ }
(void) strncpy(krbrlm, optarg, sizeof(krbrlm) - 1);
break;
case 'k':
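Review bot: The retained `strncpy(krbrlm, optarg, sizeof(krbrlm) - 1)` writes no terminator when `optarg` is exactly `sizeof(krbrlm) - 1` bytes long, and the new length check is made against `REALM_SZ` while the copy is bounded by `sizeof(krbrlm)`. The declaration of `krbrlm` is outside the hunk, so this is only safe if the two sizes agree and the last byte is already zero. Adding `krbrlm[sizeof(krbrlm) - 1] = '\0';` after the copy, as `kadm_ser_init` does in this commit, removes that dependency.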
diff --git a/src/kadmin/v4server/kadm_err.et b/src/kadmin/v4server/kadm_err.et
index a192730..07ab9da 100644
--- a/src/kadmin/v4server/kadm_err.et
+++ b/src/kadmin/v4server/kadm_err.et
@@ -54,4 +54,5 @@ ec KADM_INSECURE_PW, "Insecure password rejected"
ec KADM_PW_MISMATCH, "Cleartext password and DES key did not match"
ec KADM_NOT_SERV_PRINC, "Invalid principal for change srvtab request"
+ec KADM_REALM_TOO_LONG, "Realm name too long"
end
diff --git a/src/kadmin/v4server/kadm_ser_wrap.c b/src/kadmin/v4server/kadm_ser_wrap.c
index bca814d..e98a47b 100644
--- a/src/kadmin/v4server/kadm_ser_wrap.c
+++ b/src/kadmin/v4server/kadm_ser_wrap.c
@@ -47,7 +47,7 @@ kadm_ser_init(inter, realm, params)
kadm_ser_init(inter, realm)
int inter; /* interactive or from file */
char realm[];
-#endif
+#endif
{
struct servent *sep;
struct hostent *hp;
@@ -64,7 +64,11 @@ kadm_ser_init(inter, realm)
(void) strcpy(server_parm.sname, PWSERV_NAME);
(void) strcpy(server_parm.sinst, KRB_MASTER);
- (void) strcpy(server_parm.krbrlm, realm);
+ if (strlen (realm) > REALM_SZ)
+ return KADM_REALM_TOO_LONG;
+ (void) strncpy(server_parm.krbrlm, realm, sizeof(server_parm.krbrlm)-1);
+ server_parm.krbrlm[sizeof(server_parm.krbrlm) - 1] = '\0';
+
if (krb5_425_conv_principal(kadm_context, server_parm.sname,
server_parm.sinst, server_parm.krbrlm,
&server_parm.sprinc))
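Review bot: The guard `strlen (realm) > REALM_SZ` accepts a realm of exactly `REALM_SZ` characters, which the following `strncpy` then silently truncates if `server_parm.krbrlm` is `REALM_SZ` bytes (its declaration is not visible here). The matching check in admin_server.c in this commit uses `strlen (optarg) + 1 > REALM_SZ`. Tying the test to the destination, `if (strlen(realm) >= sizeof(server_parm.krbrlm)) return KADM_REALM_TOO_LONG;`, makes an over-long realm fail instead of being shortened into a different name.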
@@ -166,14 +170,21 @@ int *dat_len;
u_char *retdat, *tmpdat;
int retval, retlen;
- if (strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
+ if ((*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4))
+ || strncmp(KADM_VERSTR, (char *)*dat, KADM_VERSIZE)) {
errpkt(dat, dat_len, KADM_BAD_VER);
return KADM_BAD_VER;
}
in_len = KADM_VERSIZE;
/* get the length */
- if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0)
+ if ((retc = stv_long(*dat, &r_len, in_len, *dat_len)) < 0
+ || (r_len > *dat_len - KADM_VERSIZE - sizeof(krb5_ui_4))
+ || (*dat_len - r_len - KADM_VERSIZE -
+ sizeof(krb5_ui_4) > sizeof(authent.dat))) {
+ errpkt(dat, dat_len, KADM_LENGTH_ERROR);
return KADM_LENGTH_ERROR;
+ }
+
in_len += retc;
authent.length = *dat_len - r_len - KADM_VERSIZE - sizeof(krb5_ui_4);
memcpy((char *)authent.dat, (char *)(*dat) + in_len, authent.length);
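Review bot: The new length checks mix the signed `*dat_len` with `sizeof` terms, so each comparison is carried out in unsigned arithmetic and a negative `*dat_len` would convert to a very large value and pass `*dat_len < KADM_VERSIZE + sizeof(krb5_ui_4)`. Whether a caller can pass a negative length is not visible in this hunk. An explicit `*dat_len < 0 ||` at the front of the first condition would make the later subtractions safe regardless. The type of `r_len` is declared outside the hunk and should be checked against the same comparisons.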
diff --git a/src/kadmin/v4server/kadm_server.c b/src/kadmin/v4server/kadm_server.c
index 687259b..886620f 100644
--- a/src/kadmin/v4server/kadm_server.c
+++ b/src/kadmin/v4server/kadm_server.c
@@ -309,7 +309,8 @@ int *outlen;
*msg_ret = '\0';
} else {
retval = kadm5_chpass_principal_util(kadm5_handle, user_princ,
- pword, NULL, msg_ret);
+ pword, NULL, msg_ret,
+ sizeof(msg_ret));
msg_ptr = msg_ret;
}
(void) krb5_free_principal(kadm_context, user_princ);
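Review bot: `sizeof(msg_ret)` gives the buffer size only if `msg_ret` is an array in this scope, and its declaration is outside the hunk. If it is a pointer, the call passes the pointer size and `kadm5_chpass_principal_util` would truncate every message to a few bytes. A named constant used for both the declaration and this argument would keep the two from drifting apart.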
diff --git a/src/kadmin/v5passwdd/ChangeLog b/src/kadmin/v5passwdd/ChangeLog
index a63cc97..1fedd80 100644
--- a/src/kadmin/v5passwdd/ChangeLog
+++ b/src/kadmin/v5passwdd/ChangeLog
@@ -1,3 +1,21 @@
+2000-05-24 Ken Raeburn <raeburn@mit.edu>
+ Ezra Peisach <epeisach@mit.edu>
+
+ * proto_serv.c (proto_serv): Don't overflow err_str. Pass data
+ pointer and not a krb5_data to sprintf. Remove unused variable
+ adm_errmsg. Remove unused label done. Declare variable
+ mime_setting only if MIME_SUPPORTED is defined. Make variables
+ db_opened and kret volatile.
+ (proto_fmt_reply_msg): Unused variable deleted.
+
+2000-05-23 Tom Yu <tlyu@mit.edu>
+
+ * kadm5_defs.h: Add argument for length of error string.
+
+ * main.c (pwd_change): Add argument for length of error string.
+
+ * proto_serv.c (proto_serv): Fix up call to pwd_change().
+
2000-02-28 Ezra Peisach <epeisach@mit.edu>
* proto_serv.c (proto_serv): For error return,strdup the returned
diff --git a/src/kadmin/v5passwdd/kadm5_defs.h b/src/kadmin/v5passwdd/kadm5_defs.h
index 08650bd..17ec2e5 100644
--- a/src/kadmin/v5passwdd/kadm5_defs.h
+++ b/src/kadmin/v5passwdd/kadm5_defs.h
@@ -259,7 +259,8 @@ krb5_int32 pwd_change
krb5_ticket *,
krb5_data *,
krb5_data *,
- char []));
+ char [],
+ int));
#if 0
diff --git a/src/kadmin/v5passwdd/main.c b/src/kadmin/v5passwdd/main.c
index a9b381e..cec5bf8 100644
--- a/src/kadmin/v5passwdd/main.c
+++ b/src/kadmin/v5passwdd/main.c
@@ -230,7 +230,7 @@ krb5_error_code key_close_db(krb5_context context)
krb5_int32
pwd_change(kcontext, debug_level, auth_context, ticket,
- olddata, newdata, err_str)
+ olddata, newdata, err_str, err_str_len)
krb5_context kcontext;
int debug_level;
krb5_auth_context auth_context;
@@ -238,6 +238,7 @@ pwd_change(kcontext, debug_level, auth_context, ticket,
krb5_data *olddata;
krb5_data *newdata;
char err_str[];
+ int err_str_len;
{
kadm5_ret_t ret;
krb5_int32 now;
@@ -301,7 +302,7 @@ pwd_change(kcontext, debug_level, auth_context, ticket,
principal,
newdata->data,
NULL,
- err_str))
+ err_str, err_str_len))
return(KRB5_ADM_PW_UNACCEPT);
return(KRB5_ADM_SUCCESS);
diff --git a/src/kadmin/v5passwdd/proto_serv.c b/src/kadmin/v5passwdd/proto_serv.c
index 413c5ef..419f861 100644
--- a/src/kadmin/v5passwdd/proto_serv.c
+++ b/src/kadmin/v5passwdd/proto_serv.c
@@ -52,7 +52,6 @@ static const char *proto_rd_cmd_msg = "\004%d: cannot read administrative protoc
static const char *proto_db_open_msg = "\004%d: cannot open database";
static const char *proto_db_close_msg = "\004%d: cannot close database";
static const char *proto_wr_reply_msg = "\004%d: cannot write administrative protocol reply";
-static const char *proto_fmt_reply_msg = "\004%d: cannot format administrative protocol reply";
extern char *programname;
static int proto_proto_timeout = -1;
@@ -109,7 +108,7 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
void *sv_p;
void *cl_p;
{
- krb5_error_code kret;
+ volatile krb5_error_code kret;
struct sockaddr_in *cl_addr;
struct sockaddr_in *sv_addr;
@@ -127,12 +126,14 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
#endif /* POSIX_SIGNALS */
char *curr_lang = (char *) NULL;
+#ifdef MIME_SUPPORTED
krb5_boolean mime_setting = 0;
+#endif
krb5_int32 num_args;
krb5_data *arglist;
- krb5_boolean db_opened;
+ volatile krb5_boolean db_opened;
cl_addr = (struct sockaddr_in *) cl_p;
sv_addr = (struct sockaddr_in *) sv_p;
@@ -286,6 +287,7 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
*/
while (1) {
krb5_int32 cmd_error;
+ /* If this size changed, change the sprintf below */
char err_str[1024];
krb5_int32 cmd_repl_ncomps;
krb5_data *cmd_repl_complist;
@@ -412,7 +414,8 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
ticket,
&arglist[1],
&arglist[2],
- &err_str);
+ err_str,
+ sizeof(err_str));
}
else {
DPRINT(DEBUG_REQUESTS, proto_debug_level,
@@ -732,7 +735,7 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
("> %d:UNKNOWN command %s\n", my_id,
arglist[0].data));
cmd_error = KRB5_ADM_CMD_UNKNOWN;
- sprintf(err_str, "Command %s not supported.", arglist[0]);
+ sprintf(err_str, "Command %-.900s not supported", arglist[0].data); /* XXX Knows size of err_str. */
}
}
else {
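Review bot: The precision in `"Command %-.900s not supported"` is tied by hand to `char err_str[1024]`, declared in an earlier hunk, and it bounds only the output. `%s` with a precision still reads until a NUL or 900 bytes, so if `arglist[0].data` is not NUL-terminated (not visible here) the read can run past the end of the argument. A `krb5_data` carries its own length, so `sprintf(err_str, "Command %.*s not supported", (int)(arglist[0].length < 900 ? arglist[0].length : 900), arglist[0].data);` bounds both the read and the write. Replacing the literal 900 with a value derived from `sizeof(err_str)` would remove the need for the XXX comment.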
@@ -770,7 +773,6 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
}
}
else {
- char *adm_errmsg;
krb5_data reply_comps;
reply_comps.data = err_str;
@@ -858,7 +860,6 @@ proto_serv(kcontext, my_id, cl_sock, sv_p, cl_p)
key_close_db(kcontext);
close(cl_sock);
- done:
DPRINT(DEBUG_CALLS, proto_debug_level, ("X proto_serv() = %d\n", kret));
return(kret);
}
diff --git a/src/kdc/ChangeLog b/src/kdc/ChangeLog
index d0bbda2..aa1c091 100644
--- a/src/kdc/ChangeLog
+++ b/src/kdc/ChangeLog
@@ -1,3 +1,161 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * do_tgs_req.c (process_tgs_req): Check that principal name
+ component 1 is present before examining it.
+ * kdc_util.c (krb5_is_tgs_principal, validate_tgs_request): Check
+ principal name length before examining components.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * main.c (initialize_realms): Add support to call
+ enable_v4_crossrealm if the user wants insecure operation
+
+ * kerberos_v4.c: Add enable_v4_crossrealm. By default krb4
+ cross-realm is not allowed as it is insecure. Also, remove
+ support for generating krb4 tickets encrypted in 3DES as they are
+ insecure.
+
+ * kdc_util.h: Define enable_v4_crossrealm, new function to enable
+ secure krb4 cross-realm authentication
+
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * do_as_req.c (process_as_req): Fix previous patch; it caused an
+ uninitialized pointer to be dereferenced under certain error
+ conditions.
+ [pullup from trunk]
+
+2002-10-30 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_util.c (add_to_transited): Don't include trailing null in
+ transited encoding length; doing so breaks using codee
+ [pullup from trunk]
+
+2002-10-30 Tom Yu <tlyu@mit.edu>
+
+ * do_as_req.c (process_as_req): Apply fix from Kevin Coffman to
+ avoid leaking padata.
+ [pullup from trunk]
+
+2002-08-15 Tom Yu <tlyu@mit.edu>
+
+ * kerberos_v4.c: For consistency, check for both DISALLOW_ALL_TIX
+ and DISALLOW_SVR when looking up services.
+ [pullup from trunk]
+
+2002-08-12 Sam Hartman <hartmans@mit.edu>
+
+ * kdc_preauth.c (get_etype_info): We get KRB5_KDB_NO_MATCHING_KEY
+ not ENOENT; per 5.27 of kdb_xdr.c.
+ [pullup from trunk]
+
+2001-10-29 Ken Raeburn <raeburn@mit.edu>
+
+ * network.c: Don't cause net/if.h to be included multiple times.
+
+2001-10-25 Tom Yu <tlyu@mit.edu>
+
+ * do_as_req.c (process_as_req: Treat SUPPORT_DESMD5 as if it were
+ always cleared.
+
+ * do_tgs_req.c (process_tgs_req): Treat SUPPORT_DESMD5 as if it
+ were always cleared.
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * kdc_util.c (select_session_keytype): Don't issue session key
+ enctype that is not in permitted_enctypes.
+ (dbentry_supports_enctype): For now, always treat SUPPORT_DESMD5
+ as if it were cleared.
+
+2001-10-12 Tom Yu <tlyu@mit.edu>
+
+ * kdc_util.c (ktypes2str): New function; construct a string
+ containing a list of enctypes, given a number and list of
+ enctypes.
+ (rep_etypes2str): New function; construct a string indicating all
+ three enctypes associated with a KDC reply.
+ [pullup 5.99->5.101 from trunk]
+
+ * kdc_util.h: Add prototypes for ktypes2str() and
+ rep_etypes2str().
+ [pullup 5.46->5.47 from trunk]
+
+ * do_as_req.c (process_as_req): Call ktypes2str() and
+ rep_etypes2str() as appropriate.
+ [pullup 5.80->5.81 from trunk]
+
+ * do_tgs_req.c (process_tgs_req): Call ktypes2str() and
+ rep_etypes2str() as appropriate.
+ [pullup 5.77->5.78 from trunk]
+
+2001-10-11 Ezra Peisach <epeisach@kangaroo.mit.edu>
+
+ * do_as_req.c: If KRBCONF_KDC_MODIFIES_KDB defined, produce code
+ that compiles and works.
+ [pullup 5.78->5.79 from trunk]
+
+2001-10-05 Ken Raeburn <raeburn@mit.edu>
+
+ * do_tgs_req.c (process_tgs_req): Fix logging of bad transit path
+ info.
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * do_tgs_req.c (process_tgs_req): If disable-transited-check
+ option isn't set, try to verify transit path. If
+ reject_bad_transit flag is set and transit path isn't verified,
+ reject the request. Use a temporary variable to simplify
+ references to the second ticket.
+ * extern.h (struct __kdc_realm_data): Add new field
+ realm_reject_bad_transit.
+ (find_realm_data): Declare.
+ (reject_bad_transit): New macro.
+ * main.c (find_realm_data): Delete declaration.
+ (init_realm): Copy reject-bad-transit value or use default.
+ * rtest.c (find_realm_data): Define dummy version.
+
+2001-02-02 Ken Raeburn <raeburn@mit.edu>
+
+ * network.c (foreach_localaddr): Sync with lib/krb5/os/localaddr.c
+ version.
+
+2000-05-17 Tom Yu <tlyu@mit.edu>
+
+ * kerberos_v4.c (process_v4): Zero out v4_pkt.mbz.
+ (kerberos_v4): Fix handling of APPL_REQUEST messages to deal with
+ ridiculously long realms, etc. Fix up some calls to
+ kerb_err_reply() to be more useful. Set req_*_ptr before any
+ possible calls to kerb_err_reply().
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc_util.c (add_to_transited): Use strncpy/strncat when building
+ data in buffers so as not to overrun "prev", "current", and "exp".
+ * kerberos_v4.c (process_v4): Don't assume that the realm is null-
+ terminated.
+ (set_tgtkey): Truncate realm name if it's too long.
+
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc_util.c (add_to_transited): Use strncpy/strncat when building
+ data in buffers. Fix some limit checks.
+ * kerberos_v4.c (kerb_err_reply): Use strncat so as not to overrun
+ error buffer.
+
+2000-04-22 Ken Raeburn <raeburn@mit.edu>
+
+ * network.c: Include stddef.h.
+ (foreach_localaddr): Check each address against previously used
+ addresses, and skip duplicates, in case multiple interfaces have
+ the same address.
+
+2000-04-21 Ken Raeburn <raeburn@mit.edu>
+
+ * network.c (foreach_localaddr): If called functions fail, drop
+ out of loop and return nonzero.
+
2000-03-14 Ken Raeburn <raeburn@mit.edu>
* sock2p.c: New file.
diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 158747e..0cdc9c37 100644
--- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
@@ -80,12 +80,18 @@ krb5_data **response; /* filled in with a response packet */
register int i;
krb5_timestamp until, rtime;
char *cname = 0, *sname = 0, *fromstring = 0;
+ char ktypestr[128];
+ char rep_etypestr[128];
ticket_reply.enc_part.ciphertext.data = 0;
e_data.data = 0;
encrypting_key.contents = 0;
+ reply.padata = 0;
session_key.contents = 0;
+ ktypes2str(ktypestr, sizeof(ktypestr),
+ request->nktypes, request->ktype);
+
#ifdef HAVE_NETINET_IN_H
if (from->address->addrtype == ADDRTYPE_INET)
fromstring = (char *) inet_ntoa(*(struct in_addr *)from->address->contents);
@@ -318,9 +324,6 @@ krb5_data **response; /* filled in with a response packet */
status = "DECRYPT_SERVER_KEY";
goto errout;
}
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key, &ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -363,7 +366,6 @@ krb5_data **response; /* filled in with a response packet */
/* Start assembling the response */
reply.msg_type = KRB5_AS_REP;
- reply.padata = 0;
reply.client = request->client;
reply.ticket = &ticket_reply;
reply_encpart.session = &session_key;
@@ -411,8 +413,14 @@ krb5_data **response; /* filled in with a response packet */
memset(reply.enc_part.ciphertext.data, 0, reply.enc_part.ciphertext.length);
free(reply.enc_part.ciphertext.data);
- krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): ISSUE: authtime %d, %s for %s",
- fromstring, portnum, authtime, cname, sname);
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+ krb5_klog_syslog(LOG_INFO,
+ "AS_REQ (%s) %s(%d): ISSUE: authtime %d, "
+ "%s, %s for %s",
+ ktypestr,
+ fromstring, portnum, authtime,
+ rep_etypestr,
+ cname, sname);
#ifdef KRBCONF_KDC_MODIFIES_KDB
/*
@@ -425,7 +433,8 @@ krb5_data **response; /* filled in with a response packet */
errout:
if (status)
- krb5_klog_syslog(LOG_INFO, "AS_REQ %s(%d): %s: %s for %s%s%s",
+ krb5_klog_syslog(LOG_INFO, "AS_REQ (%s) %s(%d): %s: %s for %s%s%s",
+ ktypestr,
fromstring, portnum, status,
cname ? cname : "<unknown client>",
sname ? sname : "<unknown server>",
@@ -439,7 +448,10 @@ errout:
errcode = prepare_error_as(request, errcode, &e_data, response);
}
- krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+ if (encrypting_key.contents)
+ krb5_free_keyblock_contents(kdc_context, &encrypting_key);
+ if (reply.padata)
+ krb5_free_pa_data(kdc_context, reply.padata);
if (cname)
free(cname);
@@ -458,7 +470,7 @@ errout:
kdc_active_realm->realm_dbname);
krb5_db_init(kdc_context);
/* Reset master key */
- krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_encblock);
+ krb5_db_set_mkey(kdc_context, &kdc_active_realm->realm_mkey);
}
#endif /* KRBCONF_KDC_MODIFIES_KDB */
krb5_db_free_principal(kdc_context, &client, c_nprincs);
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index e5c6d1a..6e0e067 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -1,7 +1,7 @@
/*
* kdc/do_tgs_req.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -59,10 +59,10 @@ static krb5_error_code prepare_error_tgs PROTOTYPE((krb5_kdc_req *,
/*ARGSUSED*/
krb5_error_code
process_tgs_req(pkt, from, portnum, response)
-krb5_data *pkt;
-const krb5_fulladdr *from; /* who sent it ? */
-int portnum;
-krb5_data **response; /* filled in with a response packet */
+ krb5_data *pkt;
+ const krb5_fulladdr *from; /* who sent it ? */
+ int portnum;
+ krb5_data **response; /* filled in with a response packet */
{
krb5_keyblock * subkey;
krb5_kdc_req *request = 0;
@@ -90,6 +90,8 @@ krb5_data **response; /* filled in with a response packet */
register int i;
int firstpass = 1;
const char *status = 0;
+ char ktypestr[128];
+ char rep_etypestr[128];
session_key.contents = 0;
@@ -97,6 +99,8 @@ krb5_data **response; /* filled in with a response packet */
if (retval)
return retval;
+ ktypes2str(ktypestr, sizeof(ktypestr),
+ request->nktypes, request->ktype);
/*
* setup_server_realm() sets up the global realm-specific data pointer.
*/
@@ -176,7 +180,7 @@ tgt_again:
krb5_data *tgs_1 =
krb5_princ_component(kdc_context, tgs_server, 1);
- if (server_1->length != tgs_1->length ||
+ if (!tgs_1 || server_1->length != tgs_1->length ||
memcmp(server_1->data, tgs_1->data, tgs_1->length)) {
krb5_db_free_principal(kdc_context, &server, nprincs);
find_alternate_tgs(request, &server, &more, &nprincs);
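Review bot: The condition now tests `tgs_1` for NULL, but `server_1` is dereferenced in the same expression without an equivalent test. Its definition is above the hunk, so confirm that the enclosing code guarantees `request->server` has a second component before this point. If it does not, the check should read `if (!server_1 || !tgs_1 || server_1->length != tgs_1->length ||`.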
@@ -491,6 +495,36 @@ tgt_again:
}
newtransited = 1;
}
+ if (!isflagset (request->kdc_options, KDC_OPT_DISABLE_TRANSITED_CHECK)) {
+ errcode = krb5_check_transited_list (kdc_context,
+ &enc_tkt_reply.transited.tr_contents,
+ krb5_princ_realm (kdc_context, header_ticket->enc_part2->client),
+ krb5_princ_realm (kdc_context, request->server));
+ if (errcode == 0) {
+ setflag (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED);
+ } else if (errcode == KRB5KRB_AP_ERR_ILL_CR_TKT)
+ krb5_klog_syslog (LOG_INFO,
+ "bad realm transit path from '%s' to '%s' via '%.*s'",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_reply.transited.tr_contents.length,
+ enc_tkt_reply.transited.tr_contents.data);
+ else
+ krb5_klog_syslog (LOG_ERR,
+ "unexpected error checking transit from '%s' to '%s' via '%.*s': %s",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ enc_tkt_reply.transited.tr_contents.length,
+ enc_tkt_reply.transited.tr_contents.data,
+ error_message (errcode));
+ } else
+ krb5_klog_syslog (LOG_ERR, "not checking transit path");
+ if (reject_bad_transit
+ && !isflagset (enc_tkt_reply.flags, TKT_FLG_TRANSIT_POLICY_CHECKED)) {
+ errcode = KRB5KDC_ERR_POLICY;
+ status = "BAD_TRANSIT";
+ goto cleanup;
+ }
ticket_reply.enc_part2 = &enc_tkt_reply;
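Review bot: Both new log calls pass `enc_tkt_reply.transited.tr_contents.length` as the precision for `'%.*s'`, which must be an `int`. The field's type is not visible here, and if it is unsigned the argument should be cast, `(int) enc_tkt_reply.transited.tr_contents.length`. Separately, `"not checking transit path"` is logged at `LOG_ERR` whenever the request sets `KDC_OPT_DISABLE_TRANSITED_CHECK`, which is a request option. `LOG_INFO` with the client and server names, as the other branches give, would be more useful to whoever reads the log. The multi-line `else if` and `else` bodies would also be safer with braces.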
@@ -505,27 +539,26 @@ tgt_again:
* Make sure the client for the second ticket matches
* requested server.
*/
- if (!krb5_principal_compare(kdc_context, request->server,
- request->second_ticket[st_idx]->enc_part2->client)) {
- if ((errcode = krb5_unparse_name(kdc_context,
- request->second_ticket[st_idx]->enc_part2->client,
- &tmp)))
+ krb5_enc_tkt_part *t2enc = request->second_ticket[st_idx]->enc_part2;
+ krb5_principal client2 = t2enc->client;
+ if (!krb5_principal_compare(kdc_context, request->server, client2)) {
+ if ((errcode = krb5_unparse_name(kdc_context, client2, &tmp)))
tmp = 0;
- krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: authtime %d, %s for %s, 2nd tkt client %s",
- fromstring, portnum, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- tmp ? tmp : "<unknown>");
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ %s(%d): 2ND_TKT_MISMATCH: "
+ "authtime %d, %s for %s, 2nd tkt client %s",
+ fromstring, portnum, authtime,
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ tmp ? tmp : "<unknown>");
errcode = KRB5KDC_ERR_SERVER_NOMATCH;
goto cleanup;
}
ticket_reply.enc_part.kvno = 0;
- ticket_reply.enc_part.enctype =
- request->second_ticket[st_idx]->enc_part2->session->enctype;
- if ((errcode = krb5_encrypt_tkt_part(kdc_context,
- request->second_ticket[st_idx]->enc_part2->session,
- &ticket_reply))) {
+ ticket_reply.enc_part.enctype = t2enc->session->enctype;
+ if ((errcode = krb5_encrypt_tkt_part(kdc_context, t2enc->session,
+ &ticket_reply))) {
status = "2ND_TKT_ENCRYPT";
goto cleanup;
}
@@ -551,9 +584,6 @@ tgt_again:
status = "DECRYPT_SERVER_KEY";
goto cleanup;
}
- if ((encrypting_key.enctype == ENCTYPE_DES_CBC_CRC) &&
- (isflagset(server.attributes, KRB5_KDB_SUPPORT_DESMD5)))
- encrypting_key.enctype = ENCTYPE_DES_CBC_MD5;
errcode = krb5_encrypt_tkt_part(kdc_context, &encrypting_key,
&ticket_reply);
krb5_free_keyblock_contents(kdc_context, &encrypting_key);
@@ -619,13 +649,22 @@ tgt_again:
free(reply.enc_part.ciphertext.data);
cleanup:
- if (status)
- krb5_klog_syslog(LOG_INFO, "TGS_REQ %s(%d): %s: authtime %d, %s for %s%s%s",
- fromstring, portnum, status, authtime,
- cname ? cname : "<unknown client>",
- sname ? sname : "<unknown server>",
- errcode ? ", " : "",
- errcode ? error_message(errcode) : "");
+ if (status) {
+ if (!errcode)
+ rep_etypes2str(rep_etypestr, sizeof(rep_etypestr), &reply);
+ krb5_klog_syslog(LOG_INFO,
+ "TGS_REQ (%s) %s(%d): %s: authtime %d, "
+ "%s%s %s for %s%s%s",
+ ktypestr,
+ fromstring, portnum, status, authtime,
+ !errcode ? rep_etypestr : "",
+ !errcode ? "," : "",
+ cname ? cname : "<unknown client>",
+ sname ? sname : "<unknown server>",
+ errcode ? ", " : "",
+ errcode ? error_message(errcode) : "");
+ }
+
if (errcode) {
errcode -= ERROR_TABLE_BASE_krb5;
if (errcode < 0 || errcode > 128)
diff --git a/src/kdc/extern.h b/src/kdc/extern.h
index 01a267d..556cc57 100644
--- a/src/kdc/extern.h
+++ b/src/kdc/extern.h
@@ -1,7 +1,7 @@
/*
* kdc/extern.h
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -67,12 +67,15 @@ typedef struct __kdc_realm_data {
krb5_deltat realm_maxrlife; /* Maximum renewable life for realm */
void *realm_kstypes; /* Key/Salts supported for realm */
krb5_int32 realm_nkstypes; /* Number of key/salts */
+ krb5_boolean realm_reject_bad_transit; /* Accept unverifiable transited_realm ? */
} kdc_realm_t;
extern kdc_realm_t **kdc_realmlist;
extern int kdc_numrealms;
extern kdc_realm_t *kdc_active_realm;
+kdc_realm_t *find_realm_data (char *, krb5_ui_4);
+
/*
* Replace previously used global variables with the active (e.g. request's)
* realm data. This allows us to support multiple realms with minimal logic
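Review bot: The comment on the new field, `/* Accept unverifiable transited_realm ? */`, reads as the opposite of the name `realm_reject_bad_transit`. In do_tgs_req.c in this commit, a set flag causes the request to be refused with `KRB5KDC_ERR_POLICY` when `TKT_FLG_TRANSIT_POLICY_CHECKED` is not set. I would change it to `/* Reject requests whose transit path was not verified? */`. The new `find_realm_data` declaration also uses a bare ANSI prototype without a comment, whereas the other KDC headers in this commit wrap theirs in `PROTOTYPE(())`.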
@@ -89,6 +92,7 @@ extern kdc_realm_t *kdc_active_realm;
#define tgs_server kdc_active_realm->realm_tgsprinc
#define dbm_db_name kdc_active_realm->realm_dbname
#define primary_port kdc_active_realm->realm_pport
+#define reject_bad_transit kdc_active_realm->realm_reject_bad_transit
/* various externs for KDC */
extern krb5_data empty_string; /* an empty string */
diff --git a/src/kdc/kdc_preauth.c b/src/kdc/kdc_preauth.c
index 41152f2..829b842 100644
--- a/src/kdc/kdc_preauth.c
+++ b/src/kdc/kdc_preauth.c
@@ -533,7 +533,7 @@ get_etype_info(context, request, client, server, pa_data)
while (1) {
retval = krb5_dbe_search_enctype(context, client, &start, -1,
-1, 0, &client_key);
- if (retval == ENOENT)
+ if (retval == KRB5_KDB_NO_MATCHING_KEY)
break;
if (retval)
goto cleanup;
diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c
index f5a0016..034744d 100644
--- a/src/kdc/kdc_util.c
+++ b/src/kdc/kdc_util.c
@@ -31,9 +31,11 @@
#include "kdc_util.h"
#include "extern.h"
#include <stdio.h>
+#include <ctype.h>
#include <syslog.h>
#include "adm.h"
#include "adm_proto.h"
+#include <limits.h>
#ifdef USE_RCACHE
static char *kdc_current_rcname = (char *) NULL;
@@ -155,7 +157,8 @@ realm_compare(princ1, princ2)
krb5_boolean krb5_is_tgs_principal(principal)
krb5_principal principal;
{
- if ((krb5_princ_component(kdc_context, principal, 0)->length ==
+ if ((krb5_princ_size(kdc_context, principal) > 0) &&
+ (krb5_princ_component(kdc_context, principal, 0)->length ==
KRB5_TGS_NAME_SIZE) &&
(!memcmp(krb5_princ_component(kdc_context, principal, 0)->data,
KRB5_TGS_NAME, KRB5_TGS_NAME_SIZE)))
@@ -657,26 +660,30 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
clst = strlen(current) - 1;
if (current[0] == ' ') {
- strcpy(exp, current+1);
+ strncpy(exp, current+1, sizeof(exp) - 1);
+ exp[sizeof(exp) - 1] = '\0';
}
else if ((current[0] == '/') && (prev[0] == '/')) {
- strcpy(exp, prev);
+ strncpy(exp, prev, sizeof(exp) - 1);
+ exp[sizeof(exp) - 1] = '\0';
if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(exp, current);
+ strncat(exp, current, sizeof(exp) - 1 - strlen(exp));
}
else if (current[clst] == '.') {
- strcpy(exp, current);
- if (strlen(exp) + strlen(current) + 1 >= MAX_REALM_LN) {
+ strncpy(exp, current, sizeof(exp) - 1);
+ exp[sizeof(exp) - 1] = '\0';
+ if (strlen(exp) + strlen(prev) + 1 >= MAX_REALM_LN) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(exp, prev);
+ strncat(exp, prev, sizeof(exp) - 1 - strlen(exp));
}
else {
- strcpy(exp, current);
+ strncpy(exp, current, sizeof(exp) - 1);
+ exp[sizeof(exp) - 1] = '\0';
}
/* read field into next */
@@ -718,11 +725,12 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
if ((next[nlst] != '.') && (next[0] != '/') &&
(pl = subrealm(exp, realm))) {
added = TRUE;
+ current[sizeof(current) - 1] = '\0';
if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(current, ",");
+ strncat(current, ",", sizeof(current) - 1 - strlen(current));
if (pl > 0) {
strncat(current, realm, pl);
}
@@ -762,19 +770,22 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(current, " ");
+ strncat(current, " ", sizeof(current) - 1 - strlen(current));
+ current[sizeof(current) - 1] = '\0';
}
if (strlen(current) + strlen(realm) + 1 >= MAX_REALM_LN) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(current, realm);
+ strncat(current, realm, sizeof(current) - 1 - strlen(current));
+ current[sizeof(current) - 1] = '\0';
}
if (strlen(current) + (pl>0?pl:-pl) + 2 >= MAX_REALM_LN) {
retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
goto fail;
}
- strcat(current,",");
+ strncat(current,",", sizeof(current) - 1 - strlen(current));
+ current[sizeof(current) - 1] = '\0';
if (pl > 0) {
strncat(current, exp, pl);
}
@@ -796,10 +807,12 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
goto fail;
}
strcat(trans, current);
- new_trans->length = strlen(trans) + 1;
+ new_trans->length = strlen(trans);
- strcpy(prev, exp);
- strcpy(current, next);
+ strncpy(prev, exp, sizeof(prev) - 1);
+ prev[sizeof(prev) - 1] = '\0';
+ strncpy(current, next, sizeof(current) - 1);
+ current[sizeof(current) - 1] = '\0';
}
if (!added) {
@@ -822,7 +835,7 @@ add_to_transited(tgt_trans, new_trans, tgs, client, server)
goto fail;
}
strcat(trans, realm);
- new_trans->length = strlen(trans) + 1;
+ new_trans->length = strlen(trans);
}
retval = 0;
@@ -1183,7 +1196,8 @@ const char **status;
return KRB_AP_ERR_NOT_US;
}
/* ...and that the second component matches the server realm... */
- if ((krb5_princ_component(kdc_context, ticket->server, 1)->length !=
+ if ((krb5_princ_size(kdc_context, ticket->server) <= 1) ||
+ (krb5_princ_component(kdc_context, ticket->server, 1)->length !=
krb5_princ_realm(kdc_context, request->server)->length) ||
memcmp(krb5_princ_component(kdc_context, ticket->server, 1)->data,
krb5_princ_realm(kdc_context, request->server)->data,
@@ -1406,13 +1420,14 @@ dbentry_supports_enctype(context, client, enctype)
{
/*
* If it's DES_CBC_MD5, there's a bit in the attribute mask which
- * checks to see if we support it.
+ * checks to see if we support it. For now, treat it as always
+ * clear.
*
* In theory everything's supposed to support DES_CBC_MD5, but
* that's not the reality....
*/
if (enctype == ENCTYPE_DES_CBC_MD5)
- return isflagset(client->attributes, KRB5_KDB_SUPPORT_DESMD5);
+ return 0;
/*
* XXX we assume everything can understand DES_CBC_CRC
@@ -1446,6 +1461,9 @@ select_session_keytype(context, server, nktypes, ktype)
if (!valid_enctype(ktype[i]))
continue;
+ if (!krb5_is_permitted_enctype(context, ktype[i]))
+ continue;
+
if (dbentry_supports_enctype(context, server, ktype[i]))
return ktype[i];
}
@@ -1527,3 +1545,82 @@ void limit_string(char *name)
name[i] = '\0';
return;
}
+
+/*
+ * L10_2 = log10(2**x), rounded up; log10(2) ~= 0.301.
+ */
+#define L10_2(x) ((int)(((x * 301) + 999) / 1000))
+
+/*
+ * Max length of sprintf("%ld") for an int of type T; includes leading
+ * minus sign and terminating NUL.
+ */
+#define D_LEN(t) (L10_2(sizeof(t) * CHAR_BIT) + 2)
+
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype)
+{
+ int i;
+ char stmp[D_LEN(krb5_enctype) + 1];
+ char *p;
+
+ if (nktypes < 0
+ || len < (sizeof(" etypes {...}") + D_LEN(int))) {
+ *s = '\0';
+ return;
+ }
+
+ sprintf(s, "%d etypes {", nktypes);
+ for (i = 0; i < nktypes; i++) {
+ sprintf(stmp, "%s%ld", i ? " " : "", (long)ktype[i]);
+ if (strlen(s) + strlen(stmp) + sizeof("}") > len)
+ break;
+ strcat(s, stmp);
+ }
+ if (i < nktypes) {
+ /*
+ * We broke out of the loop. Try to truncate the list.
+ */
+ p = s + strlen(s);
+ while (p - s + sizeof("...}") > len) {
+ while (p > s && *p != ' ' && *p != '{')
+ *p-- = '\0';
+ if (p > s && *p == ' ') {
+ *p-- = '\0';
+ continue;
+ }
+ }
+ strcat(s, "...");
+ }
+ strcat(s, "}");
+ return;
+}
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep)
+{
+ char stmp[sizeof("ses=") + D_LEN(krb5_enctype)];
+
+ if (len < (3 * D_LEN(krb5_enctype)
+ + sizeof("etypes {rep= tkt= ses=}"))) {
+ *s = '\0';
+ return;
+ }
+
+ sprintf(s, "etypes {rep=%ld", (long)rep->enc_part.enctype);
+
+ if (rep->ticket != NULL) {
+ sprintf(stmp, " tkt=%ld", (long)rep->ticket->enc_part.enctype);
+ strcat(s, stmp);
+ }
+
+ if (rep->ticket != NULL
+ && rep->ticket->enc_part2 != NULL
+ && rep->ticket->enc_part2->session != NULL) {
+ sprintf(stmp, " ses=%ld",
+ (long)rep->ticket->enc_part2->session->enctype);
+ strcat(s, stmp);
+ }
+ strcat(s, "}");
+ return;
+}
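Review bot: The truncation loop in `ktypes2str` is one byte too lenient after it has dropped an element. The `if` branch does `*p-- = '\0'`, leaving `p` on the last kept character rather than on the terminator, so the next test `p - s + sizeof("...}") > len` under-counts by one. As far as I can trace it, the two `strcat` calls that follow can then place the final NUL at `s[len]`. Writing `*p = '\0';` in that branch keeps `p` at the end of the string, and the loop test is then exact. The loop also terminates when `p` stops on `'{'` only because of the initial `len` guard, which deserves a comment. `L10_2` should parenthesise its argument: `(((x) * 301) + 999)`.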
diff --git a/src/kdc/kdc_util.h b/src/kdc/kdc_util.h
index ce2377e..08a3a29 100644
--- a/src/kdc/kdc_util.h
+++ b/src/kdc/kdc_util.h
@@ -98,6 +98,12 @@ get_salt_from_key PROTOTYPE((krb5_context, krb5_principal,
void limit_string PROTOTYPE((char *name));
+void
+ktypes2str(char *s, size_t len, int nktypes, krb5_enctype *ktype);
+
+void
+rep_etypes2str(char *s, size_t len, krb5_kdc_rep *rep);
+
/* do_as_req.c */
krb5_error_code process_as_req PROTOTYPE((krb5_kdc_req *,
const krb5_fulladdr *,
@@ -177,6 +183,7 @@ krb5_error_code process_v4 PROTOTYPE((const krb5_data *,
const krb5_fulladdr *,
int is_secondary,
krb5_data **));
+void enable_v4_crossrealm(char *);
#else
#define process_v4(foo,bar,quux,foobar) KRB5KRB_AP_ERR_BADVERSION
#endif
diff --git a/src/kdc/kerberos_v4.c b/src/kdc/kerberos_v4.c
index f05452e..3580c19 100644
--- a/src/kdc/kerberos_v4.c
+++ b/src/kdc/kerberos_v4.c
@@ -149,13 +149,13 @@ static krb5_data *response;
void kerberos_v4 PROTOTYPE((struct sockaddr_in *, KTEXT));
void kerb_err_reply PROTOTYPE((struct sockaddr_in *, KTEXT, long, char *));
-static int set_tgtkey PROTOTYPE((char *, krb5_kvno));
+static int set_tgtkey PROTOTYPE((char *, krb5_kvno, krb5_boolean));
/* Attributes converted from V5 to V4 - internal representation */
#define V4_KDB_REQUIRES_PREAUTH 0x1
#define V4_KDB_DISALLOW_ALL_TIX 0x2
#define V4_KDB_REQUIRES_PWCHANGE 0x4
-
+#define V4_KDB_DISALLOW_SVR 0x8
/* v4 compatibitly mode switch */
#define KDC_V4_NONE 0 /* Don't even respond to packets */
@@ -182,6 +182,7 @@ static const struct v4mode_lookup_entry v4mode_table[] = {
static const int v4mode_table_nents = sizeof(v4mode_table)/
sizeof(v4mode_table[0]);
+static int allow_v4_crossrealm = 0;
void process_v4_mode(progname, string)
const char *progname;
@@ -210,6 +211,11 @@ void process_v4_mode(progname, string)
return;
}
+void enable_v4_crossrealm ( char *programname) {
+ allow_v4_crossrealm = 1;
+ krb5_klog_syslog(LOG_ERR, "Enabling v4 cross-realm compatibility; this is a known security hole");
+}
+
krb5_error_code
process_v4( pkt, client_fulladdr, is_secondary, resp)
const krb5_data *pkt;
@@ -233,11 +239,11 @@ krb5_data **resp;
return(retval);
if (!*local_realm) { /* local-realm name already set up */
- /* XXX assumes realm is null-terminated! */
lrealm = master_princ->realm.data;
- if (strlen(lrealm) < sizeof(local_realm))
- strcpy(local_realm, lrealm);
- else
+ if (master_princ->realm.length < sizeof(local_realm)) {
+ memcpy(local_realm, lrealm, master_princ->realm.length);
+ local_realm[master_princ->realm.length] = '\0';
+ } else
retval = KRB5_CONFIG_NOTENUFSPACE;
}
/* convert client_fulladdr to client_sockaddr:
@@ -256,6 +262,7 @@ krb5_data **resp;
return KRB5KRB_ERR_FIELD_TOOLONG;
}
v4_pkt.length = pkt->length;
+ v4_pkt.mbz = 0;
memcpy( v4_pkt.dat, pkt->data, pkt->length);
kerberos_v4( &client_sockaddr, &v4_pkt);
@@ -400,6 +407,14 @@ compat_decrypt_key (in5, out4, out5, issrv)
#define MIN5 300
#define HR21 255
+/*
+ * Previously this code returned either a v4 key or a v5 key and you
+ * could tell from the enctype of the v5 key whether the v4 key was
+ * useful. Now we return both keys so the code can try both des3 and
+ * des decryption. We fail if the ticket doesn't have a v4 key.
+ * Also, note as a side effect, the v5 key is basically useless in
+ * the client case. It is still returned so the caller can free it.
+ */
static int
kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno, issrv)
char *name; /* could have wild card */
@@ -481,8 +496,28 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno, issrv)
return(0);
}
} else {
- /* XXX yes I know this is a hardcoded search order */
- if (krb5_dbe_find_enctype(kdc_context, &entries,
+ if ( krb5_dbe_find_enctype(kdc_context, &entries,
+ ENCTYPE_DES_CBC_CRC,
+ KRB5_KDB_SALTTYPE_V4, kvno, &pkey) &&
+ krb5_dbe_find_enctype(kdc_context, &entries,
+ ENCTYPE_DES_CBC_CRC,
+ -1, kvno, &pkey)) {
+ lt = klog(L_KRB_PERR,
+ "KDC V4: failed to find key for %s.%s #%d",
+ name, inst, kvno);
+ krb5_db_free_principal(kdc_context, &entries, nprinc);
+ return(0);
+ }
+ }
+
+ if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
+ memcpy( &principal->key_low, k, LONGLEN);
+ memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
+ }
+ memset(k, 0, sizeof k);
+ if (issrv) {
+ krb5_free_keyblock_contents (kdc_context, k5key);
+ if (krb5_dbe_find_enctype(kdc_context, &entries,
ENCTYPE_DES3_CBC_RAW,
-1, kvno, &pkey) &&
krb5_dbe_find_enctype(kdc_context, &entries,
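Review bot: A failing `compat_decrypt_key(pkey, k, k5key, issrv)` only skips the two memcpy calls, so the function continues with principal->key_low and key_high unset, although the comment added above kerb_get_principal says it fails when there is no v4 key. Returning 0 on that path, after the same `krb5_db_free_principal` cleanup the lookup failure uses, would match the comment. The DES3 call added in the next hunk ignores the return value entirely, so k5key is handed back in whatever state the helper left it. `memset(k, 0, sizeof k)` is a plain memset on what is presumably a local buffer (its declaration is outside the hunk), so it is worth confirming the compiler keeps it. The body of kerb_get_principal starts and ends outside this hunk.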
@@ -503,12 +538,10 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno, issrv)
krb5_db_free_principal(kdc_context, &entries, nprinc);
return(0);
}
+ compat_decrypt_key(pkey, k, k5key, issrv);
+ memset (k, 0, sizeof k);
}
- if (!compat_decrypt_key(pkey, k, k5key, issrv)) {
- memcpy( &principal->key_low, k, LONGLEN);
- memcpy( &principal->key_high, (krb5_ui_4 *) k + 1, LONGLEN);
- }
/* convert v5's entries struct to v4's Principal struct:
* v5's time-unit for lifetimes is 1 sec, while v4 uses 5 minutes.
*/
@@ -539,6 +572,9 @@ kerb_get_principal(name, inst, principal, maxn, more, k5key, kvno, issrv)
if (isflagset(entries.attributes, KRB5_KDB_DISALLOW_ALL_TIX)) {
principal->attributes |= V4_KDB_DISALLOW_ALL_TIX;
}
+ if (issrv && isflagset(entries.attributes, KRB5_KDB_DISALLOW_SVR)) {
+ principal->attributes |= V4_KDB_DISALLOW_SVR;
+ }
if (isflagset(entries.attributes, KRB5_KDB_REQUIRES_PWCHANGE)) {
principal->attributes |= V4_KDB_REQUIRES_PWCHANGE;
}
@@ -622,6 +658,9 @@ kerberos_v4(client, pkt)
req_act_vno = req_version;
+ /* set these to point to something safe */
+ req_name_ptr = req_inst_ptr = req_realm_ptr = "";
+
/* check if disabled, but we tell client */
if (kdc_v4 == KDC_V4_DISABLE) {
lt = klog(L_KRB_PERR,
@@ -700,7 +739,7 @@ kerberos_v4(client, pkt)
if ((i = check_princ(req_name_ptr, req_inst_ptr, 0,
&a_name_data, &k5key, 0))) {
- kerb_err_reply(client, pkt, i, lt);
+ kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_low = a_name_data.key_high = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
return;
@@ -715,7 +754,7 @@ kerberos_v4(client, pkt)
/* this does all the checking */
if ((i = check_princ(service, instance, lifetime,
&s_name_data, &k5key, 1))) {
- kerb_err_reply(client, pkt, i, lt);
+ kerb_err_reply(client, pkt, i, "check_princ failed");
a_name_data.key_high = a_name_data.key_low = 0;
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
@@ -739,21 +778,14 @@ kerberos_v4(client, pkt)
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
/* construct and seal the ticket */
- if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
- krb_create_ticket(tk, k_flags, a_name_data.name,
- a_name_data.instance, local_realm,
- client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- key);
- } else {
- krb_cr_tkt_krb5(tk, k_flags, a_name_data.name,
- a_name_data.instance, local_realm,
- client_host.s_addr, (char *) session_key,
- lifetime, kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- &k5key);
- }
+ /* We always issue des tickets; the 3des tickets are a broken hack*/
+ krb_create_ticket(tk, k_flags, a_name_data.name,
+ a_name_data.instance, local_realm,
+ client_host.s_addr, (char *) session_key,
+ lifetime, kerb_time.tv_sec,
+ s_name_data.name, s_name_data.instance,
+ key);
+
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
@@ -806,23 +838,64 @@ kerberos_v4(client, pkt)
tk->length = 0;
k_flags = 0; /* various kerberos flags */
+ auth->mbz = 0; /* pkt->mbz already zeroed */
auth->length = 4 + strlen((char *)pkt->dat + 3);
+ if (auth->length + 1 > MAX_KTXT_LEN) {
+ lt = klog(L_KRB_PERR,
+ "APPL request with realm length too long from %s",
+ inet_ntoa(client_host));
+ kerb_err_reply(client, pkt, RD_AP_INCON,
+ "realm length too long");
+ return;
+ }
+
auth->length += (int) *(pkt->dat + auth->length) +
(int) *(pkt->dat + auth->length + 1) + 2;
+ if (auth->length > MAX_KTXT_LEN) {
+ lt = klog(L_KRB_PERR,
+ "APPL request with funky tkt or req_id length from %s",
+ inet_ntoa(client_host));
+ kerb_err_reply(client, pkt, RD_AP_INCON,
+ "funky tkt or req_id length");
+ return;
+ }
memcpy(auth->dat, pkt->dat, auth->length);
strncpy(tktrlm, (char *)auth->dat + 3, REALM_SZ);
+ tktrlm[REALM_SZ-1] = '\0';
kvno = (krb5_kvno)auth->dat[2];
- if (set_tgtkey(tktrlm, kvno)) {
- lt = klog(L_ERR_UNK,
+ if ((!allow_v4_crossrealm)&&strcmp(tktrlm, local_realm) != 0) {
+ lt = klog(L_ERR_UNK,
+ "Cross realm ticket from %s denied by policy,", tktrlm);
+ kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ return;
+ }
+ if (set_tgtkey(tktrlm, kvno, 0)) {
+ lt = klog(L_ERR_UNK,
"FAILED set_tgtkey realm %s, kvno %d. Host: %s ",
tktrlm, kvno, inet_ntoa(client_host));
- kerb_err_reply(client, pkt, kerno, lt);
+ /* no better error code */
+ kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
return;
}
kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
ad, 0);
+ if (kerno) {
+ if (set_tgtkey(tktrlm, kvno, 1)) {
+ lt = klog(L_ERR_UNK,
+ "FAILED 3des set_tgtkey realm %s, kvno %d. Host: %s ",
+ tktrlm, kvno, inet_ntoa(client_host));
+ /* no better error code */
+ kerb_err_reply(client, pkt,
+ KERB_ERR_PRINCIPAL_UNKNOWN, lt);
+ return;
+ }
+ kerno = krb_rd_req(auth, "krbtgt", tktrlm, client_host.s_addr,
+ ad, 0);
+ }
if (kerno) {
klog(L_ERR_UNK, "FAILED krb_rd_req from %s: %s",
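Review bot: Both new length checks compare auth->length with MAX_KTXT_LEN, the capacity of the buffer, rather than with pkt->length, the byte count process_v4 copied in. The realm string and the two length bytes read at `pkt->dat + auth->length` can therefore lie beyond the received data, and the memcpy can copy bytes that were never part of the request. Adding `if (auth->length + 2 > pkt->length)` to the first check and `if (auth->length > pkt->length)` to the second would tie parsing to what was received. The first check also admits an index of auth->length + 1 equal to MAX_KTXT_LEN; whether that is still inside `dat` depends on the KTEXT_ST layout, which is not shown here. kerberos_v4 starts and ends outside this hunk.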
@@ -863,7 +936,7 @@ kerberos_v4(client, pkt)
kerno = check_princ(service, instance, req_life,
&s_name_data, &k5key, 1);
if (kerno) {
- kerb_err_reply(client, pkt, kerno, lt);
+ kerb_err_reply(client, pkt, kerno, "check_princ failed");
s_name_data.key_high = s_name_data.key_low = 0;
krb5_free_keyblock_contents(kdc_context, &k5key);
return;
@@ -888,21 +961,13 @@ kerberos_v4(client, pkt)
des_new_random_key(session_key);
#endif
- if (K4KDC_ENCTYPE_OK(k5key.enctype)) {
- krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
- ad->prealm, client_host.s_addr,
- (char *) session_key, lifetime,
- kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- key);
- } else {
- krb_cr_tkt_krb5(tk, k_flags, ad->pname, ad->pinst,
- ad->prealm, client_host.s_addr,
- (char *) session_key, lifetime,
- kerb_time.tv_sec,
- s_name_data.name, s_name_data.instance,
- &k5key);
- }
+ /* ALways issue des tickets*/
+ krb_create_ticket(tk, k_flags, ad->pname, ad->pinst,
+ ad->prealm, client_host.s_addr,
+ (char *) session_key, lifetime,
+ kerb_time.tv_sec,
+ s_name_data.name, s_name_data.instance,
+ key);
krb5_free_keyblock_contents(kdc_context, &k5key);
memset(key, 0, sizeof(key));
memset(key_s, 0, sizeof(key_s));
@@ -968,7 +1033,7 @@ kerb_err_reply(client, pkt, err, string)
static char e_msg[128];
strcpy(e_msg, "\nKerberos error -- ");
- strcat(e_msg, string);
+ strncat(e_msg, string, sizeof(e_msg) - 1 - 19);
cr_err_reply(e_pkt, req_name_ptr, req_inst_ptr, req_realm_ptr,
req_time_ws, err, e_msg);
krb4_sendto(f, (char *) e_pkt->dat, e_pkt->length, 0,
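Review bot: The bound `sizeof(e_msg) - 1 - 19` hard-codes the length of the prefix written by the preceding strcpy, so the two drift apart if the prefix text is ever edited. Deriving the bound from the buffer keeps the call self-checking: `strncat(e_msg, string, sizeof(e_msg) - strlen(e_msg) - 1);`. An over-long `string` is now cut silently, which is reasonable for an error reply but deserves a one-line comment saying the truncation is intended.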
@@ -1066,6 +1131,13 @@ check_princ(p_name, instance, lifetime, p, k5key, issrv)
return KERB_ERR_NAME_EXP;
}
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: "
+ "\"%s\" \"%s\"", p_name, instance);
+ /* Not sure of a better error to return */
+ return KERB_ERR_NAME_EXP;
+ }
+
/*
* Does the principal require preauthentication?
*/
@@ -1103,20 +1175,22 @@ check_princ(p_name, instance, lifetime, p, k5key, issrv)
/* Set the key for krb_rd_req so we can check tgt */
static int
-set_tgtkey(r, kvno)
+set_tgtkey(r, kvno, use_3des)
char *r; /* Realm for desired key */
krb5_kvno kvno;
+ krb5_boolean use_3des;
{
int n;
static char lastrealm[REALM_SZ] = "";
static int last_kvno = 0;
+ static krb5_boolean last_use_3des = 0;
Principal p_st;
Principal *p = &p_st;
C_Block key;
krb5_keyblock k5key;
k5key.contents = NULL;
- if (!strcmp(lastrealm, r) && last_kvno == kvno)
+ if (!strcmp(lastrealm, r) && last_kvno == kvno && last_use_3des == use_3des)
return (KSUCCESS);
/* log("Getting key for %s", r); */
@@ -1125,10 +1199,25 @@ set_tgtkey(r, kvno)
if (n == 0)
return (KFAILURE);
- if (!K4KDC_ENCTYPE_OK(k5key.enctype)) {
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_ALL_TIX)) {
+ lt = klog(L_ERR_SEXP,
+ "V5 DISALLOW_ALL_TIX set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
+ if (isflagset(p->attributes, V4_KDB_DISALLOW_SVR)) {
+ lt = klog(L_ERR_SEXP, "V5 DISALLOW_SVR set: \"krbtgt\" \"%s\"", r);
+ krb5_free_keyblock_contents(kdc_context, &k5key);
+ return KFAILURE;
+ }
+
+ if (use_3des&&!K4KDC_ENCTYPE_OK(k5key.enctype)) {
krb_set_key_krb5(kdc_context, &k5key);
- strcpy(lastrealm, r);
+ strncpy(lastrealm, r, sizeof(lastrealm) - 1);
+ lastrealm[sizeof(lastrealm) - 1] = '\0';
last_kvno = kvno;
+ last_use_3des = use_3des;
} else {
/* unseal tgt key from master key */
memcpy(key, &p->key_low, 4);
@@ -1136,7 +1225,8 @@ set_tgtkey(r, kvno)
kdb_encrypt_key(key, key, master_key,
master_key_schedule, DECRYPT);
krb_set_key((char *) key, 0);
- strcpy(lastrealm, r);
+ strncpy(lastrealm, r, sizeof(lastrealm) - 1);
+ lastrealm[sizeof(lastrealm) - 1] = '\0';
last_kvno = kvno;
}
krb5_free_keyblock_contents(kdc_context, &k5key);
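Review bot: The DES branch of set_tgtkey records lastrealm and last_kvno but not last_use_3des, while the early-return test added at the top of the function compares all three. Once a 3DES key has been installed and a DES key for the same realm and kvno replaces it, last_use_3des still reads 1. A later call with use_3des set then returns KSUCCESS without installing the 3DES key, and the retry `krb_rd_req` in kerberos_v4 runs against the DES key. Adding `last_use_3des = use_3des;` after `last_kvno = kvno;` in the else branch keeps the cache key consistent with the installed key. The branch spans this hunk and the previous one.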
diff --git a/src/kdc/main.c b/src/kdc/main.c
index 473b902..0e76420 100644
--- a/src/kdc/main.c
+++ b/src/kdc/main.c
@@ -1,7 +1,7 @@
/*
* kdc/main.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2001 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -44,8 +44,6 @@
#include <netinet/in.h>
#endif
-kdc_realm_t *find_realm_data PROTOTYPE((char *, krb5_ui_4));
-
void usage PROTOTYPE((char *));
krb5_sigtype request_exit PROTOTYPE((int));
@@ -230,6 +228,12 @@ init_realm(progname, rdp, realm, def_dbname, def_mpname,
else
rdp->realm_mkey.enctype = manual ? def_enctype : ENCTYPE_UNKNOWN;
+ /* Handle reject-bad-transit flag */
+ if (rparams && rparams->realm_reject_bad_transit_valid)
+ rdp->realm_reject_bad_transit = rparams->realm_reject_bad_transit;
+ else
+ rdp->realm_reject_bad_transit = 1;
+
/* Handle ticket maximum life */
rdp->realm_maxlife = (rparams && rparams->realm_max_life_valid) ?
rparams->realm_max_life : KRB5_KDB_MAX_LIFE;
@@ -555,7 +559,7 @@ void
usage(name)
char *name;
{
- fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-n]\n", name);
+ fprintf(stderr, "usage: %s [-d dbpathname] [-r dbrealmname] [-R replaycachename ]\n\t[-m] [-k masterenctype] [-M masterkeyname] [-p port] [-4 v4mode] [-X] [-n]\n", name);
return;
}
@@ -607,7 +611,7 @@ initialize_realms(kcontext, argc, argv)
* Loop through the option list. Each time we encounter a realm name,
* use the previously scanned options to fill in for defaults.
*/
- while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:3")) != -1) {
+ while ((c = getopt(argc, argv, "r:d:mM:k:R:e:p:s:n4:X3")) != -1) {
switch(c) {
case 'r': /* realm name for db */
if (!find_realm_data(optarg, (krb5_ui_4) strlen(optarg))) {
@@ -657,6 +661,11 @@ initialize_realms(kcontext, argc, argv)
v4mode = strdup(optarg);
#endif
break;
+ case 'X':
+#ifdef KRB5_KRB4_COMPAT
+ enable_v4_crossrealm(argv[0]);
+#endif
+ break;
case '3':
#ifdef ATHENA_DES3_KLUDGE
if (krb5_enctypes_list[krb5_enctypes_length-1].etype
diff --git a/src/kdc/network.c b/src/kdc/network.c
index 502682a..131b1df 100644
--- a/src/kdc/network.c
+++ b/src/kdc/network.c
@@ -1,7 +1,7 @@
/*
* kdc/network.c
*
- * Copyright 1990 by the Massachusetts Institute of Technology.
+ * Copyright 1990,2000 by the Massachusetts Institute of Technology.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
@@ -35,6 +35,7 @@
#include <sys/ioctl.h>
#include <syslog.h>
+#include <stddef.h>
#include <ctype.h>
#ifdef HAVE_NETINET_IN_H
#include <sys/types.h>
@@ -50,7 +51,9 @@
#endif
#include <arpa/inet.h>
+#ifndef ARPHRD_ETHER /* protect on OpenBSD */
#include <net/if.h>
+#endif
extern int errno;
@@ -120,13 +123,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
int (*betweenfn) (void *);
int (*pass2fn) (void *, struct sockaddr *);
{
- struct ifreq *ifr, ifreq;
+ struct ifreq *ifr, ifreq, *ifr2;
struct ifconf ifc;
- int s, code, n, i;
+ int s, code, n, i, j;
int est_if_count = 8, est_ifreq_size;
char *buf = 0;
size_t current_buf_size = 0;
-
+ int fail = 0;
+#ifdef SIOCGSIZIFCONF
+ int ifconfsize = -1;
+#endif
+
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
return SOCKET_ERRNO;
@@ -134,8 +141,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
/* At least on NetBSD, an ifreq can hold an IPv4 address, but
isn't big enough for an IPv6 or ethernet address. So add a
little more space. */
- est_ifreq_size = sizeof (struct ifreq) + 8;
- current_buf_size = est_ifreq_size * est_if_count;
+ est_ifreq_size = sizeof (struct ifreq) + 16;
+#ifdef SIOCGSIZIFCONF
+ code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize);
+ if (!code) {
+ current_buf_size = ifconfsize;
+ est_if_count = ifconfsize / est_ifreq_size;
+ }
+#endif
+ if (current_buf_size == 0) {
+ current_buf_size = est_ifreq_size * est_if_count;
+ }
buf = malloc (current_buf_size);
ask_again:
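Review bot: `current_buf_size = ifconfsize;` stores an int into a size_t without looking at its sign, so a successful SIOCGSIZIFCONF that leaves ifconfsize negative becomes a very large malloc request. A zero value falls through to the estimate but a negative one does not. Tightening the test to `if (!code && ifconfsize > 0) {` keeps the fallback for both cases. Whether the result of `malloc (current_buf_size)` is checked for NULL is not visible in this hunk.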
@@ -149,12 +165,35 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
closesocket (s);
return retval;
}
- /* Test that the buffer was big enough that another ifreq could've
+ /* BSD 4.4 and similar systems truncate the address list if the
+ supplied buffer isn't big enough.
+
+ Test that the buffer was big enough that another ifreq could've
fit easily, if the OS wanted to provide one. That seems to be
the only indication we get, complicated by the fact that the
associated address may make the required storage a little
bigger than the size of an ifreq. */
- if (current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + 40) {
+#define SLOP (sizeof (struct ifreq) + 128)
+ if ((current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + SLOP
+ /* On AIX 4.3.3, ifc.ifc_len may be set to a larger size than
+ provided under some circumstances. On my test system, a
+ supplied value of 32..112 gets me 112, but with no data
+ filled in even at 112. But larger input ifc_len values get
+ me larger output values, so it's not necessarily the full
+ desired output buffer size. And as near as I can tell, the
+ ifc_len output has little to do with the offset of the last
+ byte in the buffer actually modified, except that both
+ input and output ifc_len values are higher (i.e., no buffer
+ overrun takes place in my testing). */
+ || current_buf_size < ifc.ifc_len)
+ /* But let's let SIOCGSIZIFCONF dominate, unless we discover
+ it's broken somewhere. */
+#ifdef SIOCGSIZIFCONF
+ && ifconfsize <= 0
+#endif
+ /* And we need *some* sort of bounds. */
+ && current_buf_size <= 100000
+ ) {
int new_size;
char *newbuf;
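Review bot: SLOP is defined as `sizeof (struct ifreq) + 128` and the comparison then adds `sizeof (struct ifreq)` a second time, so the slack demanded is two ifreqs plus 128 bytes, which looks unintended. Use `#define SLOP 128` or compare against SLOP alone. The subtraction `current_buf_size - ifc.ifc_len` mixes a size_t with what is presumably a signed length, so when ifc_len exceeds the buffer it wraps to a large value and only the `current_buf_size < ifc.ifc_len` clause catches the case; a comment stating this would save the next reader the analysis. The macro is defined mid-function and is not undefined anywhere in this hunk.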
@@ -172,7 +211,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
}
n = ifc.ifc_len;
-
+ if (n > current_buf_size)
+ n = current_buf_size;
+
+ /* Note: Apparently some systems put the size (used or wanted?)
+ into the start of the buffer, just none that I'm actually
+ using. Fix this when there's such a test system available.
+ The Samba mailing list archives mention that NTP looks for the
+ size on these systems: *-fujitsu-uxp* *-ncr-sysv4*
+ *-univel-sysv*. [raeburn:20010201T2226-05] */
for (i = 0; i < n; i+= ifreq_size(*ifr) ) {
ifr = (struct ifreq *)((caddr_t) ifc.ifc_buf+i);
@@ -184,6 +231,7 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
continue;
}
+
#ifdef IFF_LOOPBACK
/* None of the current callers want loopback addresses. */
if (ifreq.ifr_flags & IFF_LOOPBACK)
@@ -193,13 +241,32 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
if (!(ifreq.ifr_flags & IFF_UP))
goto skip;
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += ifreq_size(*ifr2)) {
+ ifr2 = (struct ifreq *)((caddr_t) ifc.ifc_buf+j);
+ if (ifr2->ifr_name[0] == 0)
+ continue;
+ if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family
+ && ifreq_size (*ifr) == ifreq_size (*ifr2)
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data,
+ (ifreq_size (*ifr)
+ - offsetof (struct ifreq, ifr_addr.sa_data))))
+ goto skip;
+ }
+
if ((*pass1fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
if (betweenfn && (*betweenfn)(data)) {
- abort ();
+ fail = 1;
+ goto punt;
}
if (pass2fn)
@@ -211,13 +278,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
continue;
if ((*pass2fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
+ punt:
closesocket(s);
free (buf);
- return 0;
+ return fail;
}
struct socksetup {
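Review bot: `return fail;` makes foreach_localaddr return 1 when a callback reports failure, while the earlier exits in the same function return `SOCKET_ERRNO` and `retval`. A caller that treats the result as an error code cannot tell a callback failure from errno value 1; the callers are not visible here, so this needs checking against them. Either return a dedicated code or document the contract in a header comment on the function, for example `/* Returns 0 on success, an errno value on socket/ioctl failure, or 1 if a callback returned nonzero. */`.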
diff --git a/src/kdc/rtest.c b/src/kdc/rtest.c
index e5f1d89..e7f6fc2 100644
--- a/src/kdc/rtest.c
+++ b/src/kdc/rtest.c
@@ -112,3 +112,4 @@ main(argc,argv)
}
void krb5_klog_syslog() {}
+kdc_realm_t *find_realm_data (char *rname, krb5_ui_4 rsize) { return 0; }
diff --git a/src/krb5-config.in b/src/krb5-config.in
new file mode 100644
index 0000000..3738c3e
--- /dev/null
+++ b/src/krb5-config.in
@@ -0,0 +1,213 @@
+#!/bin/sh
+
+# Copyright 2001 by the Massachusetts Institute of Technology.
+# All Rights Reserved.
+#
+# Export of this software from the United States of America may
+# require a specific license from the United States Government.
+# It is the responsibility of any person or organization contemplating
+# export to obtain such a license before exporting.
+#
+# WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+# distribute this software and its documentation for any purpose and
+# without fee is hereby granted, provided that the above copyright
+# notice appear in all copies and that both that copyright notice and
+# this permission notice appear in supporting documentation, and that
+# the name of M.I.T. not be used in advertising or publicity pertaining
+# to distribution of the software without specific, written prior
+# permission. Furthermore if you modify this software you must label
+# your software as modified software and not distribute it in such a
+# fashion that it might be confused with the original M.I.T. software.
+# M.I.T. makes no representations about the suitability of
+# this software for any purpose. It is provided "as is" without express
+# or implied warranty.
+#
+#
+
+# Configurable parameters set by autoconf
+version_string="Kerberos 5 release @KRB5_VERSION@"
+
+prefix=@prefix@
+exec_prefix=@exec_prefix@
+includedir=@includedir@
+libdir=@libdir@
+CC_LINK='@CC_LINK@'
+KRB4_LIB=@KRB4_LIB@
+DES425_LIB=@DES425_LIB@
+
+
+LIBS='@LIBS@'
+GEN_LIB=@GEN_LIB@
+
+# Defaults for program
+library=krb5
+
+# Some constants
+vendor_string="Massachusetts Institute of Technology"
+
+# Process arguments
+# Yes, we are sloppy, library specifications can come before options
+while test $# != 0; do
+ case $1 in
+ --all)
+ do_all=1
+ ;;
+ --cflags)
+ do_cflags=1
+ ;;
+ --deps)
+ do_deps=1
+ ;;
+ --exec-prefix)
+ do_exec_prefix=1
+ ;;
+ --help)
+ do_help=1
+ ;;
+ --libs)
+ do_libs=1
+ ;;
+ --prefix)
+ do_prefix=1
+ ;;
+ --vendor)
+ do_vendor=1
+ ;;
+ --version)
+ do_version=1
+ ;;
+ krb5)
+ library=krb5
+ ;;
+ gssapi)
+ library=gssapi
+ ;;
+ krb4)
+ library=krb4
+ ;;
+ kadm-client)
+ library=kadm_client
+ ;;
+ kadm-server)
+ library=kadm_server
+ ;;
+ kdb)
+ library=kdb
+ ;;
+ *)
+ echo "$0: Unknown option \`$1' -- use \`--help' for usage"
+ exit 1
+ esac
+ shift
+done
+
+# If required options - provide help
+if test -z "$do_all" -a -z "$do_version" -a -z "$do_vendor" -a -z "$do_prefix" -a -z "$do_vendor" -a -z "$do_exec_prefix" -a -z "$do_cflags" -a -z "$do_libs"; then
+ do_help=1
+fi
+
+
+if test -n "$do_help"; then
+ echo "Usage: $0 [OPTIONS] [LIBRARIES]"
+ echo "Options:"
+ echo " [--help] Help"
+ echo " [--all] Display version, vendor, and various values"
+ echo " [--version] Version information"
+ echo " [--vendor] Vendor information"
+ echo " [--prefix] Kerberos installed prefix"
+ echo " [--exec-prefix] Kerberos installed exec_prefix"
+ echo " [--cflags] Compile time CFLAGS"
+ echo " [--libs] List libraries required to link [LIBRARIES]"
+ echo "Libraries:"
+ echo " krb5 Kerberos 5 application"
+ echo " gssapi GSSAPI application with Kerberos 5 bindings"
+ echo " krb4 Kerberos 4 application"
+ echo " kadm-client Kadmin client"
+ echo " kadm-server Kadmin server"
+ echo " kdb Application that accesses the kerberos database"
+ exit 0
+fi
+
+if test -n "$do_all"; then
+ all_exit=
+ do_version=1
+ do_prefix=1
+ do_exec_prefix=1
+ do_vendor=1
+ title_version="Version: "
+ title_prefix="Prefix: "
+ title_exec_prefix="Exec_prefix: "
+ title_vendor="Vendor: "
+else
+ all_exit="exit 0"
+fi
+
+if test -n "$do_version"; then
+ echo "$title_version$version_string"
+ $all_exit
+fi
+
+if test -n "$do_vendor"; then
+ echo "$title_vendor$vendor_string"
+ $all_exit
+fi
+
+if test -n "$do_prefix"; then
+ echo "$title_prefix$prefix"
+ $all_exit
+fi
+
+if test -n "$do_exec_prefix"; then
+ echo "$title_exec_prefix$exec_prefix"
+ $all_exit
+fi
+
+if test -n "$do_cflags"; then
+ echo "-I${includedir}"
+fi
+
+
+if test -n "$do_libs"; then
+ # Ugly gross hack for our build tree
+ lib_flags=`echo $CC_LINK | sed -e 's/\$(CC)//' \
+ -e 's#\$(PROG_RPATH)#'$libdir'#' \
+ -e 's#\$(PROG_LIBPATH)#-L'$libdir'#'`
+
+ if test $library = 'kdb'; then
+ lib_flags="$lib_flags -lkdb5 -ldb"
+ library=krb5
+ fi
+
+ if test $library = 'kadm_server'; then
+ lib_flags="$lib_flags -lkadm5srv -lkdb5 -ldb"
+ library=kadm_common
+ fi
+
+ if test $library = 'kadm_client'; then
+ lib_flags="$lib_flags -lkadm5clnt"
+ library=kadm_common
+ fi
+
+ if test $library = 'kadm_common'; then
+ lib_flags="$lib_flags -lgssrpc -ldyn"
+ library=gssapi
+ fi
+
+ if test $library = 'gssapi'; then
+ lib_flags="$lib_flags -lgssapi_krb5"
+ library=krb5
+ fi
+
+ if test $library = 'krb4'; then
+ lib_flags="$lib_flags $KRB4_LIB $DES425_LIB"
+ library=krb5
+ fi
+
+ if test $library = 'krb5'; then
+ lib_flags="$lib_flags -lkrb5 -lk5crypto -lcom_err $GEN_LIB"
+ fi
+
+ echo $lib_flags
+fi
+
+exit 0
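Review bot: The do_* flags are never initialised before the argument loop, so a value inherited from the caller's environment (for instance an exported do_libs) changes what the script prints. Clearing them first avoids that: `do_all= do_cflags= do_deps= do_exec_prefix= do_help= do_libs= do_prefix= do_vendor= do_version=`. In the "If required options" test, `-z "$do_vendor"` appears twice. `--deps` is accepted and sets do_deps, but nothing reads it and the help text does not list it, so the option is a silent no-op.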
diff --git a/src/krb524/ChangeLog b/src/krb524/ChangeLog
index e3c656b..3e3eab2 100644
--- a/src/krb524/ChangeLog
+++ b/src/krb524/ChangeLog
@@ -1,3 +1,96 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * krb524d.c (do_connection): Use krb5_princ_size rather than
+ direct structure field access.
+
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * krb524d.c (handle_classic_v4): Do not support 3des enctypes as
+ they are insecure. Also, by default do not allow krb4
+ cross-realm.
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Don't support 3des tickets
+
+2002-11-07 Tom Yu <tlyu@mit.edu>
+
+ * sendmsg.c (krb524_sendto_kdc): Check for *addrlen > 0 (not
+ addrlen, which is a pointer). Patch from Dan Riley.
+
+2002-08-29 Sam Hartman <hartmans@mit.edu>
+
+ * README: Document new afs_krb5 configuration information
+
+ * krb524d.c (afs_return_v4): New function to determine if we have
+ been configured to return v4 tickets for afs or use the afs
+ krb5-encpart proposal
+ (do_connection): Call afs_return_v4 and use its result
+
+ * RELEASE_NOTES: Delete OV release notes now with 100% incorrect
+ content
+
+ * krb524d.c (do_connection): Add support for AFS
+ krb5-encpart-only per discussion with jhutz and lha
+ (handle_classic_v4): Split out code for handling v4 tickets since
+ it needs to be called multiple times
+
+ [pullups from trunk]
+
+2002-08-15 Tom Yu <tlyu@mit.edu>
+
+ * krb524d.c (kdc_get_server_key): Check for DISALLOW_ALL_TIX and
+ DISALLOW_SVR when looking up server key.
+ [pullup from trunk]
+
+2002-05-22 Alexandra Ellwood <lxs@mit.edu>
+ * conv_creds.c, sendmsg.c: Added return values to krb524_sendto_kdc
+ to return an IPv4 address for the KDC we talked to (if such an address
+ exists). On Mac OS X we store this address in the Credentials Cache
+ so we can inform the user when the tickets become invalid.
+
+2002-05-22 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h: Added #include of krb.h for Mac OS X so that CREDENTIALS
+ is defined (and krb524.h compiles standalone.
+
+2002-05-16 Alexandra Ellwood <lxs@mit.edu>
+ conv_creds.c: call krb_time_to_life to get v4 lifetime on Mac OS
+ X. This enables v4 long lifetime support.
+
+2002-05-05 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h: Mac OS X needs krb524.h to include krb5.h because it
+ uses KRB5_PROTOTYPE, krb5_context, etc. On Mac OS X this is a
+ public header to get krb524_convert_creds_kdc. Everything else
+ is private.
+
+2002-04-03 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h: Updated C++ protection to not interfere with emacs
+ auto indentation and added KRB524_PRIVATE macro for Mac OS X
+ to control visibility of function prototypes
+
+2002-03-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h: Added C++ protection and Mac pragmas
+
+2002-03-1 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h, cnv_tkt_skey.c, conv_creds.c, conv_princ.c, encode.c,
+ misc.c, sendmsg.c: Updated header paths on Mac OS X so that we
+ correctly include the autogenerated krb524.h
+ * conv_creds.c, cnv_tkt_skey.c: added cast to remove warning.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb524.h: Updated to new Mac OS header layout.
+ * sendmsg.c: k5-int.h should be included as a local header
+
+2001-12-07 Ken Raeburn <raeburn@mit.edu>
+
+ * krb524d.c (cleanup_and_exit): Don't close keytab if it hasn't
+ been opened yet.
+ (lookup_service_key): Copy key block and free up keytab entry
+ data.
+
+2001-02-05 Tom Yu <tlyu@mit.edu>
+
+ * cnv_tkt_skey.c (krb524_convert_tkt_skey): Avoid double-free;
+ caller should free v5tkt. [pullup from trunk]
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/krb524/README b/src/krb524/README
index 1531de0..dd7ca9c 100644
--- a/src/krb524/README
+++ b/src/krb524/README
@@ -48,6 +48,16 @@ information in the V5 credential and {C,S}_4.
Steps (2) through (4) are encapsulated in a single function call in
the krb524 library.
+An alternate conversion is provided for AFS servers that support the
+encrypted part of a krb5 ticket as an AFS token. If the krb524d is
+converting a principal whose first component is afs and if the
+encrypted part of the ticket fits in 344 bytes, then it will default
+to simply returning the encrypted part of the ticket as a token. If
+it turns out that the AFS server does not support the ticket, then
+users will get an unknown key version error and the krb524d must be
+configured to use v4 tickets for this AFS service.
+
+
Obviously, not all V5 credentials can be completely converted to V4
credentials, since the former is a superset of the latter. The
precise semantics of the conversion function are still undecided.
@@ -82,6 +92,29 @@ default principal's realm if not specified. The -n argument causes
the new ticket to be added to the existing ticket file; otherwise, the
ticket file is initialized.
+Configuring krb524d AFS Conversion
+======================================================================
+
+The krb524d looks in the appdefaults section of krb5.conf for an
+application called afs_krb5 to determine whether afs principals
+support encrypted ticket parts as tokens. The following configuration
+fragment says that afs/sipb.mit.edu@ATHENA.MIT.EDU supports the new
+token format but afs@ATHENA.MIT.EDU and
+afs/athena.mit.edu@ATHENA.MIT.EDU do not. Note that the default is to
+assume afs servers support the new format.
+
+[appdefaults]
+afs_krb5 = {
+ ATHENA.MIT.EDU = {
+ # This stanza describes principals in the
+ #ATHENA.MIT.EDU realm
+ afs = false
+ afs/athena.mit.edu = false
+ afs/sipb.mit.edu = true
+ }
+}
+
+
Using libkrb524.a
======================================================================
diff --git a/src/krb524/RELEASE_NOTES b/src/krb524/RELEASE_NOTES
deleted file mode 100644
index 8d1ea9f..0000000
--- a/src/krb524/RELEASE_NOTES
+++ /dev/null
@@ -1,16 +0,0 @@
-
-Kerberos V5 to Kerberos V4 Credentials Converting Service, ALPHA RELEASE
-========================================================================
-
-This is the ALPHA RELEASE of krb524. Treat it accordingly.
-
-Soon, krb524 will be integrated into the standard MIT Kerberos 5
-distribution. krb524's existence as a distinct distribution is
-temporary.
-
-If you have any questions, contact
-
-Barry Jaspan, bjaspan@cam.ov.com
-OpenVision Technologies, Inc.
-(617) 374-2225
-
diff --git a/src/krb524/cnv_tkt_skey.c b/src/krb524/cnv_tkt_skey.c
index fc25246..b57a0b2 100644
--- a/src/krb524/cnv_tkt_skey.c
+++ b/src/krb524/cnv_tkt_skey.c
@@ -25,8 +25,14 @@
#include <sys/types.h>
#include <sys/time.h>
#include <netinet/in.h>
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#include "cr_tkt.h"
+#else
#include <krb.h>
#include "krb524.h"
+#endif
/* rather than copying the cmu code, these values are derived from
a calculation based on the table and comments found there.
@@ -72,7 +78,6 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
v5tkt->enc_part2 = NULL;
if ((ret = krb5_decrypt_tkt_part(context, v5_skey, v5tkt))) {
- krb5_free_ticket(context, v5tkt);
return ret;
}
v5etkt = v5tkt->enc_part2;
@@ -91,7 +96,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
fprintf(stderr, "v5 session keyblock type %d length %d != C_Block size %d\n",
v5etkt->session->enctype,
v5etkt->session->length,
- sizeof(C_Block));
+ (int) sizeof(C_Block));
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
return KRB524_BADKEY;
@@ -168,25 +173,7 @@ int krb524_convert_tkt_skey(context, v5tkt, v4tkt, v5_skey, v4_skey,
sname,
sinst,
v4_skey->contents);
- } else {
- /* Force enctype to be raw if using DES3. */
- if (v4_skey->enctype == ENCTYPE_DES3_CBC_SHA1 ||
- v4_skey->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
- v4_skey->enctype = ENCTYPE_DES3_CBC_RAW;
- ret = krb_cr_tkt_krb5(v4tkt,
- 0, /* flags */
- pname,
- pinst,
- prealm,
- *((unsigned long *)kaddr.contents),
- (char *) v5etkt->session->contents,
- lifetime,
- /* issue_data */
- server_time,
- sname,
- sinst,
- v4_skey);
- }
+ } else abort();
krb5_free_enc_tkt_part(context, v5etkt);
v5tkt->enc_part2 = NULL;
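Review bot: The new `} else abort();` makes a library conversion routine terminate the calling process when `v4_skey` is not of the type the preceding branch handles; inside krb524d that would take the whole daemon down instead of failing one request. handle_classic_v4 only looks up an ENCTYPE_DES_CBC_CRC key, so the branch is probably unreachable from the daemon today, but other callers of krb524_convert_tkt_skey are not visible here. Returning an error keeps the failure local and matches the cleanup used earlier in this function: `} else { krb5_free_enc_tkt_part(context, v5etkt); v5tkt->enc_part2 = NULL; return KRB524_BADKEY; }`. The `if` this `else` belongs to starts outside the hunk.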
diff --git a/src/krb524/conv_creds.c b/src/krb524/conv_creds.c
index ae31f9c..0ad9f49 100644
--- a/src/krb524/conv_creds.c
+++ b/src/krb524/conv_creds.c
@@ -25,9 +25,13 @@
#include <string.h>
#include <sys/types.h>
#include <netinet/in.h>
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#else
#include <krb.h>
-
#include "krb524.h"
+#endif
krb5_error_code krb524_convert_creds_plain
KRB5_PROTOTYPE((krb5_context context, krb5_creds *v5creds,
@@ -35,7 +39,8 @@ KRB5_PROTOTYPE((krb5_context context, krb5_creds *v5creds,
krb5_error_code krb524_sendto_kdc
KRB5_PROTOTYPE((krb5_context context, const krb5_data *message,
- krb5_data *realm, krb5_data *reply));
+ krb5_data *realm, krb5_data *reply,
+ struct sockaddr *local_addr, int *addrlen));
krb5_error_code
krb524_convert_creds_kdc(context, v5creds, v4creds)
@@ -46,17 +51,30 @@ krb524_convert_creds_kdc(context, v5creds, v4creds)
krb5_error_code ret;
krb5_data reply;
char *p;
+ struct sockaddr_in local_addr; /* Ask for an IPv4 address */
+ int addrlen = sizeof (local_addr);
ret = krb524_convert_creds_plain(context, v5creds, v4creds);
if (ret)
return ret;
reply.data = NULL;
+
ret = krb524_sendto_kdc(context, &v5creds->ticket,
- &v5creds->server->realm, &reply);
+ &v5creds->server->realm, &reply,
+ (struct sockaddr *)&local_addr, &addrlen);
if (ret)
return ret;
+#if TARGET_OS_MAC
+ /* On the Mac, we need our local address used to talk to the KDC
+ because we use this to determine validity of v4 tickets. */
+ if ((addrlen == sizeof (struct sockaddr_in))
+ && (local_addr.sin_family == AF_INET)) {
+ v4creds->address = local_addr.sin_addr.s_addr;
+ }
+#endif
+
p = reply.data;
ret = ntohl(*((krb5_error_code *) p));
p += sizeof(krb5_error_code);
@@ -139,7 +157,7 @@ krb524_convert_creds_plain(context, v5creds, v4creds)
if (krb524_debug)
fprintf(stderr, "v5 session keyblock length %d != C_Block size %d\n",
v5creds->keyblock.length,
- sizeof(C_Block));
+ (int) sizeof(C_Block));
return KRB524_BADKEY;
} else
memcpy(v4creds->session, (char *) v5creds->keyblock.contents,
@@ -147,10 +165,16 @@ krb524_convert_creds_plain(context, v5creds, v4creds)
/* V4 has no concept of authtime or renew_till, so ignore them */
/* V4 lifetime is 1 byte, in 5 minute increments */
+#if TARGET_OS_MAC
+ /* krb4 long lifetime support --- how should this be done on Unix? */
+ v4creds->lifetime = krb_time_to_life (v5creds->times.starttime,
+ v5creds->times.endtime);
+#else
lifetime =
((v5creds->times.endtime - v5creds->times.starttime) / 300);
v4creds->lifetime =
((lifetime > 0xff) ? 0xff : lifetime);
+#endif
v4creds->issue_date = v5creds->times.starttime;
#if 0
diff --git a/src/krb524/conv_princ.c b/src/krb524/conv_princ.c
index f55f4a2..a918a8b 100644
--- a/src/krb524/conv_princ.c
+++ b/src/krb524/conv_princ.c
@@ -26,10 +26,13 @@
#include <sys/time.h>
#include <sys/signal.h>
#include <netinet/in.h>
-
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#else
#include <krb.h>
-
#include "krb524.h"
+#endif
int krb524_convert_princs(context, client, server, pname, pinst, prealm,
sname, sinst)
diff --git a/src/krb524/encode.c b/src/krb524/encode.c
index fc40b79..f7d84b6 100644
--- a/src/krb524/encode.c
+++ b/src/krb524/encode.c
@@ -29,8 +29,13 @@
#include <sys/signal.h>
#include <netinet/in.h>
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#else
#include <krb.h>
#include "krb524.h"
+#endif
/*
* I'm sure that this is reinventing the wheel, but I don't know where
diff --git a/src/krb524/krb524.h b/src/krb524/krb524.h
index da9c008..211d921 100644
--- a/src/krb524/krb524.h
+++ b/src/krb524/krb524.h
@@ -26,8 +26,39 @@
#define KRB524_SERVICE "krb524"
#define KRB524_PORT 4444
-#include "krb524_err.h"
-
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+ #include <TargetConditionals.h>
+ #include <Kerberos/krb5.h>
+ #include <Kerberos/krb.h>
+ #ifndef KRB524_PRIVATE /* Allow e.g. build system to override */
+ #define KRB524_PRIVATE 0
+ #endif
+#else
+ #include "krb524_err.h"
+ #ifndef KRB524_PRIVATE
+ #define KRB524_PRIVATE 1
+ #endif
+#endif
+
+#if defined(__cplusplus) && !defined(KRB524INT_BEGIN_DECLS)
+#define KRB524INT_BEGIN_DECLS extern "C" {
+#define KRB524INT_END_DECLS }
+#else
+#define KRB524INT_BEGIN_DECLS
+#define KRB524INT_END_DECLS
+#endif
+
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma import on
+ #pragma enumsalwaysint on
+ #endif
+ #pragma options align=mac68k
+#endif
+
+KRB524INT_BEGIN_DECLS
+
+#if KRB524_PRIVATE
extern int krb524_debug;
int krb524_convert_tkt_skey
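Review bot: The `#else` arm of the `KRB524INT_BEGIN_DECLS` block also runs when `__cplusplus` is defined and the macros already exist, which is exactly the case the `!defined(KRB524INT_BEGIN_DECLS)` test is meant to protect. In that case both macros are redefined to empty, so the prototypes in this header lose their `extern "C"` linkage and the compiler reports a macro redefinition. Guard the whole pair with an outer `#ifndef KRB524INT_BEGIN_DECLS` and choose between the two definitions with an inner `#ifdef __cplusplus`. The `#if TARGET_OS_MAC` tests rely on an undefined macro evaluating to 0 on other platforms; `#if defined(TARGET_OS_MAC) && TARGET_OS_MAC` states that intent and stays quiet under `-Wundef`.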
@@ -47,11 +78,13 @@ int krb524_convert_princs
int krb524_convert_creds_addr
KRB5_PROTOTYPE((krb5_context context, krb5_creds *v5creds,
CREDENTIALS *v4creds, struct sockaddr *saddr));
+#endif /* KRB524_PRIVATE */
int krb524_convert_creds_kdc
KRB5_PROTOTYPE((krb5_context context, krb5_creds *v5creds,
CREDENTIALS *v4creds));
+#if KRB524_PRIVATE
/* conv_tkt.c */
int krb524_convert_tkt
@@ -77,5 +110,16 @@ void krb524_init_ets
int krb524_send_message
KRB5_PROTOTYPE((const struct sockaddr * addr, const krb5_data * message,
krb5_data * reply));
+#endif /* KRB524_PRIVATE */
+
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma enumsalwaysint reset
+ #pragma import reset
+ #endif
+ #pragma options align=reset
+#endif
+
+KRB524INT_END_DECLS
#endif /* __KRB524_H__ */
diff --git a/src/krb524/krb524d.c b/src/krb524/krb524d.c
index cad0e31..9c4ab9b 100644
--- a/src/krb524/krb524d.c
+++ b/src/krb524/krb524d.c
@@ -1,4 +1,25 @@
/*
+ * Copyright (C) 2002 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
* Copyright 1994 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -24,6 +45,7 @@
#include <kadm5/admin.h>
#include <com_err.h>
+#include <assert.h>
#include <stdio.h>
#ifdef HAVE_SYS_SELECT_H
#include <sys/select.h>
@@ -48,12 +70,20 @@ static int debug = 0;
void *handle;
int use_keytab, use_master;
+int allow_v4_crossrealm = 0;
char *keytab = NULL;
krb5_keytab kt;
void init_keytab(), init_master(), cleanup_and_exit();
krb5_error_code do_connection(), lookup_service_key(), kdc_get_server_key();
+static krb5_error_code
+handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
+ struct sockaddr_in *saddr,
+ krb5_data *tktdata, krb5_kvno *v4kvno);
+static krb5_error_code
+afs_return_v4(krb5_context, const krb5_principal , int *use_v5);
+
void usage(context)
krb5_context context;
{
@@ -105,7 +135,10 @@ int main(argc, argv)
config_params.mask = 0;
while (argc) {
- if (strncmp(*argv, "-k", 2) == 0)
+ if (strncmp(*argv, "-X", 2) == 0) {
+ allow_v4_crossrealm = 1;
+ }
+ else if (strncmp(*argv, "-k", 2) == 0)
use_keytab = 1;
else if (strncmp(*argv, "-m", 2) == 0)
use_master = 1;
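Review bot: `strncmp(*argv, "-X", 2) == 0` accepts any argument that merely starts with `-X`, and this switch disables the same-realm check that handle_classic_v4 applies before issuing a v4 ticket. The neighbouring `-k` and `-m` tests use the same prefix style, but for an option that relaxes policy an exact match is the safer choice: `if (strcmp(*argv, "-X") == 0) {`. The hunk does not show usage() being updated, so the switch may be missing from the help text, and a one-line comment at the `allow_v4_crossrealm` definition saying what it permits would help the next reader. main() starts and ends outside the hunk.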
@@ -201,7 +234,7 @@ void cleanup_and_exit(ret, context)
if (use_master) {
(void) kadm5_destroy(handle);
}
- if (use_keytab) krb5_kt_close(context, kt);
+ if (use_keytab && kt) krb5_kt_close(context, kt);
krb5_free_context(context);
exit(ret);
}
@@ -248,19 +281,15 @@ krb5_error_code do_connection(s, context)
{
struct sockaddr saddr;
krb5_ticket *v5tkt = 0;
- KTEXT_ST v4tkt;
- krb5_keyblock v5_service_key, v4_service_key;
krb5_data msgdata, tktdata;
char msgbuf[MSGSIZE], tktbuf[TKT_BUFSIZ], *p;
int n, ret, saddrlen;
krb5_kvno v4kvno;
- /* Clear out keyblock contents so we don't accidentally free the stack.*/
- v5_service_key.contents = v4_service_key.contents = 0;
-
msgdata.data = msgbuf;
msgdata.length = MSGSIZE;
-
+ tktdata.data = tktbuf;
+ tktdata.length = TKT_BUFSIZ;
saddrlen = sizeof(struct sockaddr);
ret = recvfrom(s, msgdata.data, msgdata.length, 0, &saddr, &saddrlen);
if (ret < 0) {
@@ -292,51 +321,41 @@ krb5_error_code do_connection(s, context)
if (debug)
printf("V5 ticket decoded\n");
- if ((ret = lookup_service_key(context, v5tkt->server,
- v5tkt->enc_part.enctype,
- v5tkt->enc_part.kvno,
- &v5_service_key, NULL)))
- goto error;
-
- if ((ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES3_CBC_RAW,
- 0, /* highest kvno */
- &v4_service_key, &v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_LOCAL_DES3_HMAC_SHA1,
- 0,
- &v4_service_key, &v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES3_CBC_SHA1,
- 0,
- &v4_service_key, &v4kvno)) &&
- (ret = lookup_service_key(context, v5tkt->server,
- ENCTYPE_DES_CBC_CRC,
- 0,
- &v4_service_key, &v4kvno)))
- goto error;
-
- if (debug)
- printf("service key retrieved\n");
-
- ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
- &v4_service_key,
- (struct sockaddr_in *)&saddr);
- if (ret)
- goto error;
-
- if (debug)
- printf("credentials converted\n");
-
- tktdata.data = tktbuf;
- tktdata.length = TKT_BUFSIZ;
- ret = encode_v4tkt(&v4tkt, tktdata.data, &tktdata.length);
- if (ret)
- goto error;
- if (debug)
- printf("v4 credentials encoded\n");
-
-error:
+ if( krb5_princ_size(context, v5tkt->server) >= 1
+ &&krb5_princ_component(context, v5tkt->server, 0)->length == 3
+ &&strncmp(krb5_princ_component(context, v5tkt->server, 0)->data,
+ "afs", 3) == 0) {
+ krb5_data *enc_part;
+ int use_v5;
+ if ((ret = afs_return_v4(context, v5tkt->server,
+ &use_v5)) != 0)
+ goto error;
+ if ((ret = encode_krb5_enc_data( &v5tkt->enc_part, &enc_part)) != 0)
+ goto error;
+ if (!(use_v5 )|| enc_part->length >= 344) {
+ krb5_free_data(context, enc_part);
+ if ((ret = handle_classic_v4(context, v5tkt,
+ (struct sockaddr_in *) &saddr, &tktdata,
+ &v4kvno)) != 0)
+ goto error;
+ } else {
+ KTEXT_ST fake_v4tkt;
+ fake_v4tkt.mbz = 0;
+ fake_v4tkt.length = enc_part->length;
+ memcpy(fake_v4tkt.dat, enc_part->data, enc_part->length);
+ v4kvno = (0x100-0x2b); /*protocol constant indicating v5
+ * enc part only*/
+ krb5_free_data(context, enc_part);
+ ret = encode_v4tkt(&fake_v4tkt, tktdata.data, &tktdata.length);
+ }
+ } else {
+ if ((ret = handle_classic_v4(context, v5tkt,
+ (struct sockaddr_in *) &saddr, &tktdata,
+ &v4kvno)) != 0)
+ goto error;
+ }
+
+ error:
/* create the reply */
p = msgdata.data;
msgdata.length = 0;
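Review bot: The pass-through branch returns `v5tkt->enc_part` re-encoded as a v4 ticket without calling lookup_service_key or decrypting anything, so neither the same-realm test in handle_classic_v4 nor the DISALLOW_ALL_TIX/DISALLOW_SVR test added to kdc_get_server_key is applied to afs principals that take it. If that is intended because the AFS server decrypts and validates the blob itself, say so above the branch, e.g. `/* No key lookup or policy check: the v5 enc part is returned unchanged and the AFS server must validate it. */`. The bare `344` should be a named constant with a comment on where the limit comes from. Note also that `>= 344` sends a part of exactly 344 bytes to the classic path, although the README text added in this commit says the new format is used when the part "fits in 344 bytes". do_connection starts and ends outside the hunk.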
@@ -366,11 +385,6 @@ write_msg:
ret = errno;
if (debug)
printf("reply written\n");
-/* If we have keys to clean up, do so.*/
- if (v5_service_key.contents)
- krb5_free_keyblock_contents(context, &v5_service_key);
- if (v4_service_key.contents)
- krb5_free_keyblock_contents(context, &v4_service_key);
if (v5tkt)
krb5_free_ticket(context, v5tkt);
@@ -392,7 +406,18 @@ krb5_error_code lookup_service_key(context, p, ktype, kvno, key, kvnop)
if (use_keytab) {
if ((ret = krb5_kt_get_entry(context, kt, p, kvno, ktype, &entry)))
return ret;
- memcpy(key, (char *) &entry.key, sizeof(krb5_keyblock));
+ *key = entry.key;
+ key->contents = malloc(key->length);
+ if (key->contents)
+ memcpy(key->contents, entry.key.contents, key->length);
+ else if (key->length) {
+ /* out of memory? */
+ ret = errno;
+ memset (key, 0, sizeof (*key));
+ return ret;
+ }
+
+ krb5_kt_free_entry(context, &entry);
return 0;
} else if (use_master) {
return kdc_get_server_key(context, p, key, kvnop, ktype, kvno);
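Review bot: The out-of-memory path added here returns without calling `krb5_kt_free_entry`, so the keytab entry and its copy of the service key are leaked. `ret = errno` is also not guaranteed to be non-zero after a failed malloc, in which case the caller would see success with a zeroed keyblock. Release the entry before returning and use a fixed code: `krb5_kt_free_entry(context, &entry);` followed by `return ENOMEM;`. Separately, `*kvnop` is never assigned on the keytab path shown, while handle_classic_v4 passes `v4kvno` through this call; setting it from the entry when `kvnop` is non-NULL would avoid handing back an indeterminate value. The function starts and ends outside the hunk.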
@@ -412,9 +437,15 @@ krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno)
kadm5_principal_ent_rec server;
if ((ret = kadm5_get_principal(handle, service, &server,
- KADM5_KEY_DATA)))
+ KADM5_KEY_DATA|KADM5_ATTRIBUTES)))
return ret;
+ if (server.attributes & KRB5_KDB_DISALLOW_ALL_TIX
+ || server.attributes & KRB5_KDB_DISALLOW_SVR) {
+ kadm5_free_principal_ent(handle, &server);
+ return KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
+ }
+
/*
* We try kadm5_decrypt_key twice because in the case of a
* ENCTYPE_DES_CBC_CRC key, we prefer to find a krb4 salt type
@@ -442,3 +473,112 @@ krb5_error_code kdc_get_server_key(context, service, key, kvnop, ktype, kvno)
kadm5_free_principal_ent(handle, &server);
return ret;
}
+
+/*
+ * We support two kinds of v4 credentials. There are real v4
+ * credentials, and a Kerberos v5 enc part masquerading as a krb4
+ * credential to be used by modern AFS implementations; this function
+ * handles the classic v4 case.
+ */
+
+static krb5_error_code
+handle_classic_v4 (krb5_context context, krb5_ticket *v5tkt,
+ struct sockaddr_in *saddr,
+ krb5_data *tktdata, krb5_kvno *v4kvno)
+{
+ krb5_error_code ret;
+ krb5_keyblock v5_service_key, v4_service_key;
+ KTEXT_ST v4tkt;
+
+ v5_service_key.contents = NULL;
+ v4_service_key.contents = NULL;
+
+ if ((ret = lookup_service_key(context, v5tkt->server,
+ v5tkt->enc_part.enctype,
+ v5tkt->enc_part.kvno,
+ &v5_service_key, NULL)))
+ goto error;
+
+ if ( (ret = lookup_service_key(context, v5tkt->server,
+ ENCTYPE_DES_CBC_CRC,
+ 0,
+ &v4_service_key, v4kvno)))
+ goto error;
+
+ if (debug)
+ printf("service key retrieved\n");
+ if ((ret = krb5_decrypt_tkt_part(context, &v5_service_key, v5tkt))) {
+ goto error;
+ }
+
+ if (!(allow_v4_crossrealm || krb5_realm_compare(context, v5tkt->server,
+ v5tkt->enc_part2->client))) {
+ret = KRB5KDC_ERR_POLICY ;
+ goto error;
+ }
+ krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+ v5tkt->enc_part2= NULL;
+
+ ret = krb524_convert_tkt_skey(context, v5tkt, &v4tkt, &v5_service_key,
+ &v4_service_key,
+ (struct sockaddr_in *)saddr);
+ if (ret)
+ goto error;
+
+ if (debug)
+ printf("credentials converted\n");
+
+ ret = encode_v4tkt(&v4tkt, tktdata->data, &tktdata->length);
+ if (ret)
+ goto error;
+ if (debug)
+ printf("v4 credentials encoded\n");
+
+ error:
+ if (v5tkt->enc_part2)
+ krb5_free_enc_tkt_part(context, v5tkt->enc_part2);
+
+ if(v5_service_key.contents)
+ krb5_free_keyblock_contents(context, &v5_service_key);
+ if (v4_service_key.contents)
+ krb5_free_keyblock_contents(context, &v4_service_key);
+ return ret;
+}
+
+/*
+ * afs_return_v4: a predicate to determine whether we want to try
+ * using the afs krb5 encrypted part encoding or whether we just
+ * return krb4. Takes a principal, and checks the configuration file.
+ */
+static krb5_error_code
+afs_return_v4 (krb5_context context, const krb5_principal princ,
+ int *use_v5)
+{
+ krb5_error_code ret;
+ char *unparsed_name;
+ char *cp;
+ krb5_data realm;
+ assert(use_v5 != NULL);
+ ret = krb5_unparse_name(context, princ, &unparsed_name);
+ if (ret != 0)
+ return ret;
+/* Trim out trailing realm component into separate string.*/
+ for (cp = unparsed_name; *cp != '\0'; cp++) {
+ if (*cp == '\\') {
+ cp++; /* We trust unparse_name not to leave a singleton
+ * backslash*/
+ continue;
+ }
+ if (*cp == '@') {
+ *cp = '\0';
+ realm.data = cp+1;
+ realm.length = strlen((char *) realm.data);
+ break;
+ }
+ }
+ krb5_appdefault_boolean(context, "afs_krb5",
+ &realm, unparsed_name, 1,
+ use_v5);
+ krb5_free_unparsed_name(context, unparsed_name);
+ return ret;
+}
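Review bot: In handle_classic_v4 the `error:` label frees `v5tkt->enc_part2` but leaves the pointer set, and do_connection afterwards calls `krb5_free_ticket(context, v5tkt)`, which releases a non-NULL `enc_part2` again. That is a double free on any request rejected by the `krb5_realm_compare` policy test, the one failure path that reaches the label with the decrypted part still attached. Clear the pointer right after freeing it at the label: `v5tkt->enc_part2 = NULL;`. In afs_return_v4, `realm` is filled in only when an `@` is found, so otherwise it reaches `krb5_appdefault_boolean` indeterminate. Initialising `realm.data` and `realm.length` before the loop, or returning an error when no realm was found, removes the reliance on krb5_unparse_name always emitting one.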
diff --git a/src/krb524/misc.c b/src/krb524/misc.c
index e28f4d1..fe263c3 100644
--- a/src/krb524/misc.c
+++ b/src/krb524/misc.c
@@ -27,8 +27,13 @@
#include <sys/signal.h>
#include <netinet/in.h>
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#else
#include <krb.h>
#include "krb524.h"
+#endif
void krb524_init_ets(context)
krb5_context context;
diff --git a/src/krb524/sendmsg.c b/src/krb524/sendmsg.c
index 77e8f3b..48b6be3 100644
--- a/src/krb524/sendmsg.c
+++ b/src/krb524/sendmsg.c
@@ -40,11 +40,16 @@
#include <sys/select.h>
#endif
+#if TARGET_OS_MAC
+#include <Kerberos/krb.h>
+#include <Kerberos/krb524.h>
+#else
#include <krb.h>
#include "krb524.h"
+#endif
/* For krb5_locate_kdc() */
-#include <k5-int.h>
+#include "k5-int.h"
/*
* krb524_sendto_kdc:
@@ -66,12 +71,17 @@ extern int krb5_max_skdc_timeout;
extern int krb5_skdc_timeout_shift;
extern int krb5_skdc_timeout_1;
+/* returns the local address of the socket used to connect to the KDC.
+ If you don't need this information, pass NULL for the last two parameters */
+
krb5_error_code
-krb524_sendto_kdc (context, message, realm, reply)
+krb524_sendto_kdc (context, message, realm, reply, local_addr, addrlen)
krb5_context context;
const krb5_data * message;
const krb5_data * realm;
krb5_data * reply;
+ struct sockaddr * local_addr;
+ int * addrlen;
{
register int timeout, host, i;
struct sockaddr *addr;
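Review bot: The widened signature is kept in sync by hand with the private prototype in conv_creds.c, and the two already disagree: the definition here takes `const krb5_data * realm` while that prototype declares `krb5_data *realm`. Because this is an old-style definition, the compiler cannot check it against the prototype, so a future change to either side would go unnoticed. Declaring `krb524_sendto_kdc` once in krb524.h, inside the `KRB524_PRIVATE` section, and including that header from both files would fix this. The new `int * addrlen` is handed to getsockname() in a later hunk; `socklen_t` would be the matching type where the platform provides it. The function body continues outside the hunk.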
@@ -207,7 +217,7 @@ krb524_sendto_kdc (context, message, realm, reply)
sent = 1;
continue;
}
-
+
/* We might consider here verifying that the reply
came from one of the KDC's listed for that address type,
but that check can be fouled by some implementations of
@@ -215,6 +225,15 @@ krb524_sendto_kdc (context, message, realm, reply)
address, for example, if the KDC is on the same host
as the client. */
+ /* If the caller wants the local address of this socket
+ store it here */
+ if ((local_addr != NULL) && (addrlen != NULL) && (*addrlen > 0)) {
+ if (getsockname (socklist[host], local_addr, addrlen) == SOCKET_ERROR) {
+ /* no address to get... tell the caller we got nothing */
+ *addrlen = 0;
+ }
+ }
+
reply->length = cc;
retval = 0;
goto out;
diff --git a/src/lib/ChangeLog b/src/lib/ChangeLog
index b5abe94..d1daec7 100644
--- a/src/lib/ChangeLog
+++ b/src/lib/ChangeLog
@@ -1,3 +1,63 @@
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5_32.def: Remove krb5_mcc_ops and krb5_cc_register() as
+ GSSAPI no longer needs those.
+
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5_32.def: Add krb5_free_ap_req() as private for GSSAPI. Add
+ krb5_get_host_realm() and krb5_free_host_realm() as public
+ functions. Reformat to make it easier to read and compare.
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5_32.def: Hopefully final cut at consistent exports between
+ Windows and MacOS X. Still has private stuff needed by gssapi and
+ krb4.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5_32.def: First cut at consistent exports between Windows and
+ MacOS X. More work needs to be done.
+
+2001-11-29 Danilo Almeida <dalmeida@mit.edu>
+
+ * gssapi32.def: Export gss_mech_krb5 as DATA. Mark all exported
+ variables as DATA. [Copied over from trunk.]
+
+2000-06-02 Danilo Almeida <dalmeida@mit.edu>
+
+ * win_glue.c (GetCallingAppVerInfo, krb5_vercheck): Use
+ APPVERINFO_SIZE-sized buffers instead of hard-coding a number
+ everywhere. Document the buffer size in funciton documentation.
+
+ * krb5_32.def: Add krb5int_cc_default for the benefit of GSS API DLL.
+
+2000-05-23 Nalin Dahyabhai <nalin@redhat.com>
+
+ * win_glue.c (GetCallingAppVerInfo): Don't overfill buffers
+ "AppTitle", "AppVer", and "AppIni".
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * krb5_32.def -- Added exports for new public functions
+
+ krb5_appdefault_string
+ krb5_appdefault_boolean
+
+2000-05-04 Danilo Almeida <dalmeida@mit.edu>
+
+ * krb5_32.def: Reflect something closer to the reality of
+ what we would like to do for 1.3.
+
+2000-05-03 Nalin Dahyabhai <nalin@redhat.com>
+
+ * win_glue.c (do_timebomb): Don't overflow buffer "buf".
+
+2000-04-29 Jeffrey Altman <jaltman@columbia.edu>
+
+ * krb5_32.def: Add krb5_get_tgs_ktypes, krb5_free_ktypes for gssapi
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* krb5_32.def: Add krb5_get_prompt_types.
diff --git a/src/lib/crypto/ChangeLog b/src/lib/crypto/ChangeLog
index a48ec1f..058576d 100644
--- a/src/lib/crypto/ChangeLog
+++ b/src/lib/crypto/ChangeLog
@@ -1,3 +1,24 @@
+2002-04-02 Ken Raeburn <raeburn@mit.edu>
+
+ * valid_enctype.c (krb5_c_valid_enctype): New name on old
+ function, with old name kept as an alias (wrapper).
+ * keyed_cksum.c (krb5_c_is_keyed_cksum): Likewise.
+ * valid_cksumtype.c (krb5_c_valid_cksumtype): Likewise.
+ * coll_proof_cksum.c (krb5_c_is_coll_proof_cksum): Likewise.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * crypto_libinit.h: Changed macros so you can include crypto_libinit.h
+ and krb5_libinit.h at the same time
+
+2001-01-29 Ken Raeburn <raeburn@mit.edu>
+
+ * make_checksum.c (krb5_c_make_checksum): Clear checksum contents
+ pointer after freeing it in error case.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in(LIBMAJOR, LIBMINOR): Bump library version.
+
2000-01-24 Tom Yu <tlyu@mit.edu>
* crypto_libinit.c: Add terminating newline; use 0 and 1 instead
diff --git a/src/lib/crypto/Makefile.in b/src/lib/crypto/Makefile.in
index 71bddf5..64f19d1 100644
--- a/src/lib/crypto/Makefile.in
+++ b/src/lib/crypto/Makefile.in
@@ -106,8 +106,8 @@ SRCS=\
LIB=k5crypto
-LIBMAJOR=2
-LIBMINOR=1
+LIBMAJOR=3
+LIBMINOR=0
RELDIR=crypto
STOBJLISTS=crc32/OBJS.ST des/OBJS.ST dk/OBJS.ST enc_provider/OBJS.ST \
diff --git a/src/lib/crypto/coll_proof_cksum.c b/src/lib/crypto/coll_proof_cksum.c
index 31bf1fe..95a2aef 100644
--- a/src/lib/crypto/coll_proof_cksum.c
+++ b/src/lib/crypto/coll_proof_cksum.c
@@ -28,7 +28,7 @@
#include "cksumtypes.h"
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
-is_coll_proof_cksum(ctype)
+krb5_c_is_coll_proof_cksum(ctype)
krb5_cksumtype ctype;
{
int i;
@@ -43,3 +43,10 @@ is_coll_proof_cksum(ctype)
old code would have done */
return(0);
}
+
+#undef is_coll_proof_cksum
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
+is_coll_proof_cksum(krb5_cksumtype ctype)
+{
+ return krb5_c_is_coll_proof_cksum (ctype);
+}
diff --git a/src/lib/crypto/crypto_libinit.h b/src/lib/crypto/crypto_libinit.h
index 3586a63..44c7e16 100644
--- a/src/lib/crypto/crypto_libinit.h
+++ b/src/lib/crypto/crypto_libinit.h
@@ -1,7 +1,7 @@
-#ifndef KRB5_LIBINIT_H
-#define KRB5_LIBINIT_H
+#ifndef K5CRYPTO_LIBINIT_H
+#define K5CRYPTO_LIBINIT_H
int cryptoint_initialize_library (void);
void cryptoint_cleanup_library (void);
-#endif /* KRB5_LIBINIT_H */
+#endif /* K5CRYPTO_LIBINIT_H */
diff --git a/src/lib/crypto/des/ChangeLog b/src/lib/crypto/des/ChangeLog
index 7a2155c..7438600 100644
--- a/src/lib/crypto/des/ChangeLog
+++ b/src/lib/crypto/des/ChangeLog
@@ -1,3 +1,21 @@
+2002-08-16 Tom Yu <tlyu@mit.edu>
+
+ * string2key.c: Work around possible bug with AFS salts;
+ [krb5-clients/1146] from <Wolfgang.Friebel@cern.ch>.
+ [port from trunk]
+
+2002-03-14 Alexandra Ellwood <lxs@mit.edu>
+ * afsstring2key.c: made static data const to improve load time
+ on Mach-O
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * afsstring2key.c: fixed warnings about types defaulting to int
+ and two-dimensional array declaration without second-level braces
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * des_int.h: use "" includes for k5-int.h
+
2000-02-25 Ezra Peisach <epeisach@mit.edu>
* t_verify.c: Add "const" to casts in calls to mit_des_cbc_encrypt().
diff --git a/src/lib/crypto/des/afsstring2key.c b/src/lib/crypto/des/afsstring2key.c
index 7eac080..7c828ba 100644
--- a/src/lib/crypto/des/afsstring2key.c
+++ b/src/lib/crypto/des/afsstring2key.c
@@ -150,7 +150,7 @@ static void krb5_afs_encrypt PROTOTYPE((char*,long));
/*
* Initial permutation,
*/
-static char IP[] = {
+static const char IP[] = {
58,50,42,34,26,18,10, 2,
60,52,44,36,28,20,12, 4,
62,54,46,38,30,22,14, 6,
@@ -164,7 +164,7 @@ static char IP[] = {
/*
* Final permutation, FP = IP^(-1)
*/
-static char FP[] = {
+static const char FP[] = {
40, 8,48,16,56,24,64,32,
39, 7,47,15,55,23,63,31,
38, 6,46,14,54,22,62,30,
@@ -179,14 +179,14 @@ static char FP[] = {
* Permuted-choice 1 from the key bits to yield C and D.
* Note that bits 8,16... are left out: They are intended for a parity check.
*/
-static char PC1_C[] = {
+static const char PC1_C[] = {
57,49,41,33,25,17, 9,
1,58,50,42,34,26,18,
10, 2,59,51,43,35,27,
19,11, 3,60,52,44,36,
};
-static char PC1_D[] = {
+static const char PC1_D[] = {
63,55,47,39,31,23,15,
7,62,54,46,38,30,22,
14, 6,61,53,45,37,29,
@@ -196,7 +196,7 @@ static char PC1_D[] = {
/*
* Sequence of shifts used for the key schedule.
*/
-static char shifts[] = {
+static const char shifts[] = {
1,1,2,2,2,2,2,2,1,2,2,2,2,2,2,1,
};
@@ -204,14 +204,14 @@ static char shifts[] = {
* Permuted-choice 2, to pick out the bits from
* the CD array that generate the key schedule.
*/
-static char PC2_C[] = {
+static const char PC2_C[] = {
14,17,11,24, 1, 5,
3,28,15, 6,21,10,
23,19,12, 4,26, 8,
16, 7,27,20,13, 2,
};
-static char PC2_D[] = {
+static const char PC2_D[] = {
41,52,31,37,47,55,
30,40,51,45,33,48,
44,49,39,56,34,53,
@@ -222,7 +222,7 @@ static char PC2_D[] = {
* The E bit-selection table.
*/
static char E[48];
-static char e[] = {
+static const char e[] = {
32, 1, 2, 3, 4, 5,
4, 5, 6, 7, 8, 9,
8, 9,10,11,12,13,
@@ -237,7 +237,7 @@ static char e[] = {
* P is a permutation on the selected combination
* of the current L and key.
*/
-static char P[] = {
+static const char P[] = {
16, 7,20,21,
29,12,28,17,
1,15,23,26,
@@ -253,46 +253,46 @@ static char P[] = {
* For some reason, they give a 0-origin
* index, unlike everything else.
*/
-static char S[8][64] = {
- 14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
+static const char S[8][64] = {
+ {14, 4,13, 1, 2,15,11, 8, 3,10, 6,12, 5, 9, 0, 7,
0,15, 7, 4,14, 2,13, 1,10, 6,12,11, 9, 5, 3, 8,
4, 1,14, 8,13, 6, 2,11,15,12, 9, 7, 3,10, 5, 0,
- 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13,
+ 15,12, 8, 2, 4, 9, 1, 7, 5,11, 3,14,10, 0, 6,13},
- 15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
+ {15, 1, 8,14, 6,11, 3, 4, 9, 7, 2,13,12, 0, 5,10,
3,13, 4, 7,15, 2, 8,14,12, 0, 1,10, 6, 9,11, 5,
0,14, 7,11,10, 4,13, 1, 5, 8,12, 6, 9, 3, 2,15,
- 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9,
+ 13, 8,10, 1, 3,15, 4, 2,11, 6, 7,12, 0, 5,14, 9},
- 10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
+ {10, 0, 9,14, 6, 3,15, 5, 1,13,12, 7,11, 4, 2, 8,
13, 7, 0, 9, 3, 4, 6,10, 2, 8, 5,14,12,11,15, 1,
13, 6, 4, 9, 8,15, 3, 0,11, 1, 2,12, 5,10,14, 7,
- 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12,
+ 1,10,13, 0, 6, 9, 8, 7, 4,15,14, 3,11, 5, 2,12},
- 7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
+ {7,13,14, 3, 0, 6, 9,10, 1, 2, 8, 5,11,12, 4,15,
13, 8,11, 5, 6,15, 0, 3, 4, 7, 2,12, 1,10,14, 9,
10, 6, 9, 0,12,11, 7,13,15, 1, 3,14, 5, 2, 8, 4,
- 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14,
+ 3,15, 0, 6,10, 1,13, 8, 9, 4, 5,11,12, 7, 2,14},
- 2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
+ {2,12, 4, 1, 7,10,11, 6, 8, 5, 3,15,13, 0,14, 9,
14,11, 2,12, 4, 7,13, 1, 5, 0,15,10, 3, 9, 8, 6,
4, 2, 1,11,10,13, 7, 8,15, 9,12, 5, 6, 3, 0,14,
- 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3,
+ 11, 8,12, 7, 1,14, 2,13, 6,15, 0, 9,10, 4, 5, 3},
- 12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
+ {12, 1,10,15, 9, 2, 6, 8, 0,13, 3, 4,14, 7, 5,11,
10,15, 4, 2, 7,12, 9, 5, 6, 1,13,14, 0,11, 3, 8,
9,14,15, 5, 2, 8,12, 3, 7, 0, 4,10, 1,13,11, 6,
- 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13,
+ 4, 3, 2,12, 9, 5,15,10,11,14, 1, 7, 6, 0, 8,13},
- 4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
+ {4,11, 2,14,15, 0, 8,13, 3,12, 9, 7, 5,10, 6, 1,
13, 0,11, 7, 4, 9, 1,10,14, 3, 5,12, 2,15, 8, 6,
1, 4,11,13,12, 3, 7,14,10,15, 6, 8, 0, 5, 9, 2,
- 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12,
+ 6,11,13, 8, 1, 4,10, 7, 9, 5, 0,15,14, 2, 3,12},
- 13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
+ {13, 2, 8, 4, 6,15,11, 1,10, 9, 3,14, 5, 0,12, 7,
1,15,13, 8,10, 3, 7, 4,12, 5, 6,11, 0,14, 9, 2,
7,11, 4, 1, 9,12,14, 2, 0, 6,10,13,15, 3, 5, 8,
- 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11,
+ 2, 1,14, 7, 4,10, 8,13,15,12, 9, 0, 3, 5, 6,11},
};
/*
@@ -325,7 +325,7 @@ static char *afs_crypt(pw, salt)
char *pw;
char *salt;
{
- register i, j, c;
+ register int i, j, c;
int temp;
static char block[66], iobuf[16];
@@ -384,7 +384,7 @@ static char *afs_crypt(pw, salt)
static void krb5_afs_crypt_setkey(key)
char *key;
{
- register i, j, k;
+ register int i, j, k;
int t;
/*
@@ -439,7 +439,7 @@ static void krb5_afs_encrypt(block, edflag)
long edflag;
{
int i, ii;
- register t, j, k;
+ register int t, j, k;
/*
* First, permute the bits in the input
diff --git a/src/lib/crypto/des/des_int.h b/src/lib/crypto/des/des_int.h
index de8f2a4..bd591ae 100644
--- a/src/lib/crypto/des/des_int.h
+++ b/src/lib/crypto/des/des_int.h
@@ -57,7 +57,7 @@
#ifndef DES_INTERNAL_DEFS
#define DES_INTERNAL_DEFS
-#include <k5-int.h>
+#include "k5-int.h"
/*
* Begin "mit-des.h"
*/
diff --git a/src/lib/crypto/des/string2key.c b/src/lib/crypto/des/string2key.c
index 5381fdb..d51145b 100644
--- a/src/lib/crypto/des/string2key.c
+++ b/src/lib/crypto/des/string2key.c
@@ -99,6 +99,9 @@ const krb5_data FAR * salt;
if (salt) {
if (salt->length == -1) {
/* cheat and do AFS string2key instead */
+ char *c;
+ c = strchr(salt->data, '@');
+ if (c != NULL) *c = '\0'; /* workaround from krb5-clients/1146 */
return mit_afs_string_to_key (keyblock, data, salt);
} else
length = data->length + salt->length;
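Review bot: The workaround writes a NUL into `salt->data` although the function receives `salt` as `const krb5_data *`, so the caller's salt is permanently truncated at the `@` as a side effect of deriving a key, and a salt held in read-only storage would fault. `strchr` also depends on `salt->data` being NUL-terminated, which the `length == -1` convention seems to imply but the hunk does not show being enforced. Truncating a private copy keeps the workaround without touching caller data; this assumes mit_afs_string_to_key reads the salt as a C string, which should be confirmed. The enclosing function starts and ends outside the hunk.

```c
	if (salt->length == -1) {
	    /* cheat and do AFS string2key instead */
	    krb5_data afs_salt = *salt;
	    krb5_error_code afs_ret;
	    char *at;

	    /* Work on a copy so the caller's salt is left intact. */
	    afs_salt.data = strdup(salt->data);
	    if (afs_salt.data == NULL)
		return ENOMEM;
	    at = strchr(afs_salt.data, '@');
	    if (at != NULL)
		*at = '\0';	/* workaround from krb5-clients/1146 */
	    afs_ret = mit_afs_string_to_key (keyblock, data, &afs_salt);
	    free(afs_salt.data);
	    return afs_ret;
	} else
	/* ... unchanged: length computation for the non-AFS case ... */
```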
diff --git a/src/lib/crypto/dk/ChangeLog b/src/lib/crypto/dk/ChangeLog
index 90e34f8..7908f56 100644
--- a/src/lib/crypto/dk/ChangeLog
+++ b/src/lib/crypto/dk/ChangeLog
@@ -1,3 +1,17 @@
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * dk_encrypt.c (krb5_dk_encrypt, krb5_marc_dk_encrypt): Chain
+ ivecs.
+
+ * dk_decrypt.c (krb5_dk_decrypt, krb5_marc_dk_decrypt): Chain
+ ivecs.
+
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+
+ * derive.c (krb5_derive_key): If memory allocation fails, release
+ other allocated blocks before returning, instead of trying to
+ release them after returning.
+
2000-01-21 Ken Raeburn <raeburn@mit.edu>
* checksum.c (krb5_dk_make_checksum): enc_providers are now
diff --git a/src/lib/crypto/dk/derive.c b/src/lib/crypto/dk/derive.c
index 8765605..dbd4a2a 100644
--- a/src/lib/crypto/dk/derive.c
+++ b/src/lib/crypto/dk/derive.c
@@ -51,14 +51,14 @@ krb5_derive_key(enc, inkey, outkey, in_constant)
return(ENOMEM);
if ((outblockdata = (unsigned char *) malloc(blocksize)) == NULL) {
- return(ENOMEM);
free(inblockdata);
+ return(ENOMEM);
}
if ((rawkey = (unsigned char *) malloc(keybytes)) == NULL) {
- return(ENOMEM);
free(outblockdata);
free(inblockdata);
+ return(ENOMEM);
}
inblock.data = inblockdata;
diff --git a/src/lib/crypto/dk/dk_decrypt.c b/src/lib/crypto/dk/dk_decrypt.c
index d307761..d6e7c0d 100644
--- a/src/lib/crypto/dk/dk_decrypt.c
+++ b/src/lib/crypto/dk/dk_decrypt.c
@@ -41,7 +41,7 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
{
krb5_error_code ret;
size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
- unsigned char *plaindata, *kedata, *kidata, *cksum;
+ unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
krb5_keyblock ke, ki;
krb5_data d1, d2;
unsigned char constantdata[K5CLENGTH];
@@ -108,6 +108,11 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
goto cleanup;
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d1.data + d1.length - blocksize;
+ else
+ cn = NULL;
+
/* verify the hash */
d1.length = hashsize;
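Review bot: `cn = d1.data + d1.length - blocksize` has no visible guard that `d1.length >= blocksize`, so for a short ciphertext the pointer would land before the start of the buffer and the later `memcpy(ivec->data, cn, blocksize)` would read from there. If the length is not already validated above this hunk, extend the condition to `if (ivec != NULL && ivec->length == blocksize && d1.length >= blocksize)`. The same computation is repeated in the `krb5_marc_dk_decrypt` hunk at `@@ -230,6 +238,11 @@`. Since `ivec` is now also an output, written on the success path just before `ret = 0`, the function's header comment should say so. The function body starts and ends outside the hunk.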
@@ -134,6 +139,9 @@ krb5_dk_decrypt(enc, hash, key, usage, ivec, input, output)
memcpy(output->data, d2.data+blocksize, output->length);
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
ret = 0;
cleanup:
@@ -163,7 +171,7 @@ krb5_marc_dk_decrypt(enc, hash, key, usage, ivec, input, output)
{
krb5_error_code ret;
size_t hashsize, blocksize, keybytes, keylength, enclen, plainlen;
- unsigned char *plaindata, *kedata, *kidata, *cksum;
+ unsigned char *plaindata, *kedata, *kidata, *cksum, *cn;
krb5_keyblock ke, ki;
krb5_data d1, d2;
unsigned char constantdata[K5CLENGTH];
@@ -230,6 +238,11 @@ krb5_marc_dk_decrypt(enc, hash, key, usage, ivec, input, output)
if ((ret = ((*(enc->decrypt))(&ke, ivec, &d1, &d2))) != 0)
goto cleanup;
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d1.data + d1.length - blocksize;
+ else
+ cn = NULL;
+
/* verify the hash */
d1.length = hashsize;
@@ -264,6 +277,9 @@ krb5_marc_dk_decrypt(enc, hash, key, usage, ivec, input, output)
memcpy(output->data, d2.data+4+blocksize, output->length);
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
ret = 0;
cleanup:
diff --git a/src/lib/crypto/dk/dk_encrypt.c b/src/lib/crypto/dk/dk_encrypt.c
index 8627353..2bc2b6b 100644
--- a/src/lib/crypto/dk/dk_encrypt.c
+++ b/src/lib/crypto/dk/dk_encrypt.c
@@ -65,7 +65,7 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output)
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
- unsigned char *plaintext, *kedata, *kidata;
+ unsigned char *plaintext, *kedata, *kidata, *cn;
krb5_keyblock ke, ki;
/* allocate and set up plaintext and to-be-derived keys */
@@ -142,6 +142,11 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output)
if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
goto cleanup;
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d2.data + d2.length - blocksize;
+ else
+ cn = NULL;
+
/* hash the plaintext */
d2.length = enclen - plainlen;
@@ -149,8 +154,14 @@ krb5_dk_encrypt(enc, hash, key, usage, ivec, input, output)
output->length = enclen;
- if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2)))
+ if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2))) {
memset(d2.data, 0, d2.length);
+ goto cleanup;
+ }
+
+ /* update ivec */
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
/* ret is set correctly by the prior call */
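Review bot: The retained comment `/* ret is set correctly by the prior call */` now follows the new `memcpy`, so "the prior call" no longer reads as `krb5_hmac`; reword it to something like `/* ret is 0 here: krb5_hmac succeeded */`. On the new failure branch only the checksum region `d2` is cleared before `goto cleanup`. Whether the ciphertext already written to the output buffer is wiped depends on the cleanup code, which is outside the hunk. Both points apply equally to the `krb5_marc_dk_encrypt` hunk at `@@ -285,8 +301,14 @@`.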
@@ -196,7 +207,7 @@ krb5_marc_dk_encrypt(enc, hash, key, usage, ivec, input, output)
krb5_error_code ret;
unsigned char constantdata[K5CLENGTH];
krb5_data d1, d2;
- unsigned char *plaintext, *kedata, *kidata;
+ unsigned char *plaintext, *kedata, *kidata, *cn;
krb5_keyblock ke, ki;
/* allocate and set up plaintext and to-be-derived keys */
@@ -278,6 +289,11 @@ krb5_marc_dk_encrypt(enc, hash, key, usage, ivec, input, output)
if ((ret = ((*(enc->encrypt))(&ke, ivec, &d1, &d2))))
goto cleanup;
+ if (ivec != NULL && ivec->length == blocksize)
+ cn = d2.data + d2.length - blocksize;
+ else
+ cn = NULL;
+
/* hash the plaintext */
d2.length = enclen - plainlen;
@@ -285,8 +301,14 @@ krb5_marc_dk_encrypt(enc, hash, key, usage, ivec, input, output)
output->length = enclen;
- if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2)))
+ if ((ret = krb5_hmac(hash, &ki, 1, &d1, &d2))) {
memset(d2.data, 0, d2.length);
+ goto cleanup;
+ }
+
+ /* update ivec */
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
/* ret is set correctly by the prior call */
diff --git a/src/lib/crypto/keyed_cksum.c b/src/lib/crypto/keyed_cksum.c
index 39979c0..e32620e 100644
--- a/src/lib/crypto/keyed_cksum.c
+++ b/src/lib/crypto/keyed_cksum.c
@@ -28,7 +28,7 @@
#include "cksumtypes.h"
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
-is_keyed_cksum(ctype)
+krb5_c_is_keyed_cksum(ctype)
krb5_cksumtype ctype;
{
int i;
@@ -48,3 +48,9 @@ is_keyed_cksum(ctype)
old code would have done */
return(-1);
}
+
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
+is_keyed_cksum(krb5_cksumtype ctype)
+{
+ return krb5_c_is_keyed_cksum (ctype);
+}
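Review bot: The renamed `krb5_c_is_keyed_cksum` still ends in `return(-1)` while being declared to return `krb5_boolean`, and the new `is_keyed_cksum` wrapper passes that value straight through. A caller that writes `if (krb5_c_is_keyed_cksum(ctype))` will therefore treat an unrecognised checksum type as keyed. Now that the function is exported under a public `krb5_c_` name, its header comment should state the three possible results, for example `/* returns 1 if keyed, 0 if not, -1 if ctype is unknown; compare explicitly */`. The body of `krb5_c_is_keyed_cksum` lies mostly outside the hunk, so the exact conditions for each result are not visible here.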
diff --git a/src/lib/crypto/make_checksum.c b/src/lib/crypto/make_checksum.c
index 300f375..64f6389 100644
--- a/src/lib/crypto/make_checksum.c
+++ b/src/lib/crypto/make_checksum.c
@@ -114,6 +114,7 @@ cleanup:
if (ret) {
memset(cksum->contents, 0, cksum->length);
free(cksum->contents);
+ cksum->contents = NULL;
}
return(ret);
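Review bot: `cksum->length` keeps its old value after the new `cksum->contents = NULL`, so a caller that later wipes or copies `cksum->length` bytes through `cksum->contents` on the error path would dereference NULL; adding `cksum->length = 0;` next to the new line keeps the two fields consistent. The `memset` directly before `free` is a store the compiler is allowed to drop, so if it is meant to scrub key-dependent output it needs a wipe that cannot be elided. The `cleanup:` label belongs to a function that starts outside the hunk.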
diff --git a/src/lib/crypto/old/ChangeLog b/src/lib/crypto/old/ChangeLog
index cada473..74f994b 100644
--- a/src/lib/crypto/old/ChangeLog
+++ b/src/lib/crypto/old/ChangeLog
@@ -1,3 +1,9 @@
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * old_encrypt.c (krb5_old_encrypt): Chain ivecs.
+
+ * old_decrypt.c (krb5_old_decrypt): Chain ivecs.
+
2000-01-21 Ken Raeburn <raeburn@mit.edu>
* des_stringtokey.c (mit_des_string_to_key_int): Declare.
diff --git a/src/lib/crypto/old/old_decrypt.c b/src/lib/crypto/old/old_decrypt.c
index 1bcb0d3..bfbe56a 100644
--- a/src/lib/crypto/old/old_decrypt.c
+++ b/src/lib/crypto/old/old_decrypt.c
@@ -45,7 +45,7 @@ krb5_old_decrypt(enc, hash, key, usage, ivec, input, arg_output)
{
krb5_error_code ret;
size_t blocksize, hashsize, plainsize;
- unsigned char *cksumdata;
+ unsigned char *cksumdata, *cn;
krb5_data output, cksum, crcivec;
int alloced;
@@ -82,6 +82,17 @@ krb5_old_decrypt(enc, hash, key, usage, ivec, input, arg_output)
/* decrypt it */
+ /* save last ciphertext block in case we decrypt in place */
+ if (ivec != NULL && ivec->length == blocksize) {
+ cn = malloc(blocksize);
+ if (cn == NULL) {
+ ret = ENOMEM;
+ goto cleanup;
+ }
+ memcpy(cn, input->data + input->length - blocksize, blocksize);
+ } else
+ cn = NULL;
+
/* XXX this is gross, but I don't have much choice */
if ((key->enctype == ENCTYPE_DES_CBC_CRC) && (ivec == 0)) {
crcivec.length = key->length;
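Review bot: `cn` is declared without an initialiser in the `@@ -45,7 +45,7 @@` hunk, yet the cleanup hunk at `@@ -127,6 +142,8 @@` tests and frees it, so any `goto cleanup` taken before this block would free an indeterminate pointer; declaring it as `*cn = NULL` removes that dependency on code the hunks do not show. The copy from `input->data + input->length - blocksize` also has no visible check that `input->length >= blocksize`. `free(NULL)` is a no-op, so the `if (cn != NULL)` guard in cleanup can be dropped. The function body starts and ends outside the hunk.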
@@ -119,6 +130,10 @@ krb5_old_decrypt(enc, hash, key, usage, ivec, input, arg_output)
}
arg_output->length = plainsize;
+ /* update ivec */
+ if (cn != NULL)
+ memcpy(ivec->data, cn, blocksize);
+
ret = 0;
cleanup:
@@ -127,6 +142,8 @@ cleanup:
free(output.data);
}
+ if (cn != NULL)
+ free(cn);
memset(cksumdata, 0, hashsize);
free(cksumdata);
return(ret);
diff --git a/src/lib/crypto/old/old_encrypt.c b/src/lib/crypto/old/old_encrypt.c
index d90d0f8..8860ba5 100644
--- a/src/lib/crypto/old/old_encrypt.c
+++ b/src/lib/crypto/old/old_encrypt.c
@@ -55,6 +55,7 @@ krb5_old_encrypt(enc, hash, key, usage, ivec, input, output)
krb5_error_code ret;
size_t blocksize, hashsize, enclen;
krb5_data datain, crcivec;
+ int real_ivec;
(*(enc->block_size))(&blocksize);
(*(hash->hash_size))(&hashsize);
@@ -92,11 +93,17 @@ krb5_old_encrypt(enc, hash, key, usage, ivec, input, output)
crcivec.length = key->length;
crcivec.data = key->contents;
ivec = &crcivec;
- }
+ real_ivec = 0;
+ } else
+ real_ivec = 1;
if ((ret = ((*(enc->encrypt))(key, ivec, output, output))))
goto cleanup;
+ /* update ivec */
+ if (real_ivec && ivec != NULL && ivec->length == blocksize)
+ memcpy(ivec->data, output->data + output->length - blocksize,
+ blocksize);
cleanup:
if (ret)
memset(output->data, 0, output->length);
diff --git a/src/lib/crypto/prng.c b/src/lib/crypto/prng.c
index 6d401a9..b22131e 100644
--- a/src/lib/crypto/prng.c
+++ b/src/lib/crypto/prng.c
@@ -158,4 +158,4 @@ void prng_cleanup (void)
{
free (random_state);
inited = 0;
-} \ No newline at end of file
+}
diff --git a/src/lib/crypto/sha1/ChangeLog b/src/lib/crypto/sha1/ChangeLog
index a6a00f3..0030dc9 100644
--- a/src/lib/crypto/sha1/ChangeLog
+++ b/src/lib/crypto/sha1/ChangeLog
@@ -1,3 +1,26 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * shs.c: use "" include for k5-int.h
+
+2001-07-16 Ken Raeburn <raeburn@mit.edu>
+
+ * t_shs3.c: New test file from Marcus Watts.
+ (longReverse): Resurrected function long since deleted from
+ shs.c.
+ * Makefile.in (check-unix, check-windows): Use t_shs3 test.
+ (clean): Delete it.
+
+ * shs.c (SHSTransform): Make input data pointer point to const.
+ (SHSUpdate): Bugfixes suggested by Marcus Watts, to fix buffer
+ overruns, bugs with small or odd block sizes.
+
+2001-07-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * shs.h, shs.c, t_shs.c: Fix sha1 on Windows by renaming LONG to
+ SHS_LONG to avoid problem with LONG being signed on Windows.
+ Rename BYTE to SHS_BYTE to avoid any name colisions with Windows
+ (where BYTE and LONG are types defined in the Platform SDK).
+
2000-01-21 Ken Raeburn <raeburn@mit.edu>
* shs.c (ROTL): Change (a&b|c) construct to make meaning clear,
diff --git a/src/lib/crypto/sha1/Makefile.in b/src/lib/crypto/sha1/Makefile.in
index 5d1b69c..2d0e209 100644
--- a/src/lib/crypto/sha1/Makefile.in
+++ b/src/lib/crypto/sha1/Makefile.in
@@ -33,13 +33,28 @@ t_shs: t_shs.o shs.o
$(OUTPRE)t_shs.exe: $(OUTPRE)t_shs.obj $(OUTPRE)shs.obj
link -out:$@ $**
-check-unix:: t_shs
+check-unix:: t_shs t_shs3
$(C)t_shs -x
+ $(C)t_shs3
-check-windows:: $(OUTPRE)t_shs.exe
+check-windows:: $(OUTPRE)t_shs.exe $(OUTPRE)t_shs3.exe
$(OUTPRE)$(C)t_shs.exe -x
+ $(OUTPRE)$(C)t_shs3.exe
clean::
- $(RM) t_shs$(EXEEXT) t_shs.$(OBJEXT)
+ $(RM) t_shs$(EXEEXT) t_shs.$(OBJEXT) t_shs3$(EXEEXT) t_shs3.$(OBJEXT)
clean-unix:: clean-libobjs
+
+t_shs3: t_shs3.o shs.o
+ $(CC) $(ALL_CFLAGS) $(LDFLAGS) -o t_shs3 t_shs3.o shs.o
+# +++ Dependency line eater +++
+#
+# Makefile dependencies follow. This must be the last section in
+# the Makefile.in file
+#
+shs.o: shs.c shs.h $(SRCTOP)/include/k5-int.h $(BUILDTOP)/include/krb5/osconf.h \
+ $(BUILDTOP)/include/krb5/autoconf.h $(BUILDTOP)/include/krb5.h \
+ $(BUILDTOP)/include/profile.h $(BUILDTOP)/include/com_err.h \
+ $(SRCTOP)/include/krb5/kdb.h
+
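Review bot: `check-windows` now depends on `$(OUTPRE)t_shs3.exe`, but the hunk adds only the Unix link rule for `t_shs3`, so unless a rule exists elsewhere in the file the Windows check target has nothing to build it from. A rule mirroring the existing `t_shs.exe` one would be `$(OUTPRE)t_shs3.exe: $(OUTPRE)t_shs3.obj $(OUTPRE)shs.obj` followed by `link -out:$@ $**`. The dependency section added at the end lists `shs.o` only, so `t_shs3.o` is not rebuilt when `shs.h` changes.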
diff --git a/src/lib/crypto/sha1/shs.c b/src/lib/crypto/sha1/shs.c
index 358e6ba..873f878 100644
--- a/src/lib/crypto/sha1/shs.c
+++ b/src/lib/crypto/sha1/shs.c
@@ -97,15 +97,15 @@ void shsInit(shsInfo)
Note that this corrupts the shsInfo->data area */
-static void SHSTransform KRB5_PROTOTYPE((LONG *digest, LONG *data));
+static void SHSTransform (SHS_LONG *digest, const SHS_LONG *data);
static
void SHSTransform(digest, data)
- LONG *digest;
- LONG *data;
+ SHS_LONG *digest;
+ const SHS_LONG *data;
{
- LONG A, B, C, D, E; /* Local vars */
- LONG eData[ 16 ]; /* Expanded data */
+ SHS_LONG A, B, C, D, E; /* Local vars */
+ SHS_LONG eData[ 16 ]; /* Expanded data */
/* Set up first buffer and local data buffer */
A = digest[ 0 ];
@@ -217,16 +217,16 @@ void SHSTransform(digest, data)
void shsUpdate(shsInfo, buffer, count)
SHS_INFO *shsInfo;
- BYTE *buffer;
+ SHS_BYTE *buffer;
int count;
{
- LONG tmp;
+ SHS_LONG tmp;
int dataCount, canfill;
- LONG *lp;
+ SHS_LONG *lp;
/* Update bitcount */
tmp = shsInfo->countLo;
- shsInfo->countLo = tmp + (((LONG) count) << 3 );
+ shsInfo->countLo = tmp + (((SHS_LONG) count) << 3 );
if ((shsInfo->countLo &= 0xffffffff) < tmp)
shsInfo->countHi++; /* Carry from low to high */
shsInfo->countHi += count >> 29;
@@ -237,37 +237,38 @@ void shsUpdate(shsInfo, buffer, count)
/* Handle any leading odd-sized chunks */
if (dataCount) {
lp = shsInfo->data + dataCount / 4;
- canfill = (count >= dataCount);
dataCount = SHS_DATASIZE - dataCount;
+ canfill = (count >= dataCount);
if (dataCount % 4) {
/* Fill out a full 32 bit word first if needed -- this
is not very efficient (computed shift amount),
but it shouldn't happen often. */
while (dataCount % 4 && count > 0) {
- *lp |= (LONG) *buffer++ << ((3 - dataCount++ % 4) * 8);
+ *lp |= (SHS_LONG) *buffer++ << ((--dataCount % 4) * 8);
count--;
}
lp++;
}
while (lp < shsInfo->data + 16) {
- *lp = (LONG) *buffer++ << 24;
- *lp |= (LONG) *buffer++ << 16;
- *lp |= (LONG) *buffer++ << 8;
- *lp++ |= (LONG) *buffer++;
- if ((count -= 4) < 4 && lp < shsInfo->data + 16) {
+ if (count < 4) {
*lp = 0;
switch (count % 4) {
case 3:
- *lp |= (LONG) buffer[2] << 8;
+ *lp |= (SHS_LONG) buffer[2] << 8;
case 2:
- *lp |= (LONG) buffer[1] << 16;
+ *lp |= (SHS_LONG) buffer[1] << 16;
case 1:
- *lp |= (LONG) buffer[0] << 24;
+ *lp |= (SHS_LONG) buffer[0] << 24;
}
- break;
count = 0;
+ break; /* out of while loop */
}
+ *lp = (SHS_LONG) *buffer++ << 24;
+ *lp |= (SHS_LONG) *buffer++ << 16;
+ *lp |= (SHS_LONG) *buffer++ << 8;
+ *lp++ |= (SHS_LONG) *buffer++;
+ count -= 4;
}
if (canfill) {
SHSTransform(shsInfo->digest, shsInfo->data);
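Review bot: The reordered tail handling in the `if (count < 4)` branch still relies on implicit fallthrough from `case 3:` through `case 1:` with no marker and no `default`, which is easy to misread in code that was just fixed for buffer overruns; add `/* fall through */` after the `case 3:` and `case 2:` statements. The byte-fill loop above it uses `*lp |= ...`, which is only correct if the unused bytes of that word were zeroed by the previous call. A one-line comment such as `/* *lp was zero-filled when the previous partial block was stored */` would record that invariant. `shsUpdate` starts and ends outside this hunk.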
@@ -278,10 +279,10 @@ void shsUpdate(shsInfo, buffer, count)
while (count >= SHS_DATASIZE) {
lp = shsInfo->data;
while (lp < shsInfo->data + 16) {
- *lp = ((LONG) *buffer++) << 24;
- *lp |= ((LONG) *buffer++) << 16;
- *lp |= ((LONG) *buffer++) << 8;
- *lp++ |= (LONG) *buffer++;
+ *lp = ((SHS_LONG) *buffer++) << 24;
+ *lp |= ((SHS_LONG) *buffer++) << 16;
+ *lp |= ((SHS_LONG) *buffer++) << 8;
+ *lp++ |= (SHS_LONG) *buffer++;
}
SHSTransform(shsInfo->digest, shsInfo->data);
count -= SHS_DATASIZE;
@@ -290,22 +291,22 @@ void shsUpdate(shsInfo, buffer, count)
if (count > 0) {
lp = shsInfo->data;
while (count > 4) {
- *lp = ((LONG) *buffer++) << 24;
- *lp |= ((LONG) *buffer++) << 16;
- *lp |= ((LONG) *buffer++) << 8;
- *lp++ |= (LONG) *buffer++;
+ *lp = ((SHS_LONG) *buffer++) << 24;
+ *lp |= ((SHS_LONG) *buffer++) << 16;
+ *lp |= ((SHS_LONG) *buffer++) << 8;
+ *lp++ |= (SHS_LONG) *buffer++;
count -= 4;
}
*lp = 0;
switch (count % 4) {
case 0:
- *lp |= ((LONG) buffer[3]);
+ *lp |= ((SHS_LONG) buffer[3]);
case 3:
- *lp |= ((LONG) buffer[2]) << 8;
+ *lp |= ((SHS_LONG) buffer[2]) << 8;
case 2:
- *lp |= ((LONG) buffer[1]) << 16;
+ *lp |= ((SHS_LONG) buffer[1]) << 16;
case 1:
- *lp |= ((LONG) buffer[0]) << 24;
+ *lp |= ((SHS_LONG) buffer[0]) << 24;
}
}
}
@@ -317,7 +318,7 @@ void shsFinal(shsInfo)
SHS_INFO *shsInfo;
{
int count;
- LONG *lp;
+ SHS_LONG *lp;
/* Compute number of bytes mod 64 */
count = (int) shsInfo->countLo;
@@ -328,16 +329,16 @@ void shsFinal(shsInfo)
lp = shsInfo->data + count / 4;
switch (count % 4) {
case 3:
- *lp++ |= (LONG) 0x80;
+ *lp++ |= (SHS_LONG) 0x80;
break;
case 2:
- *lp++ |= (LONG) 0x80 << 8;
+ *lp++ |= (SHS_LONG) 0x80 << 8;
break;
case 1:
- *lp++ |= (LONG) 0x80 << 16;
+ *lp++ |= (SHS_LONG) 0x80 << 16;
break;
case 0:
- *lp++ = (LONG) 0x80 << 24;
+ *lp++ = (SHS_LONG) 0x80 << 24;
}
/* at this point, lp can point *past* shsInfo->data. If it points
diff --git a/src/lib/crypto/sha1/shs.h b/src/lib/crypto/sha1/shs.h
index 01acddb..24eda9e 100644
--- a/src/lib/crypto/sha1/shs.h
+++ b/src/lib/crypto/sha1/shs.h
@@ -1,18 +1,13 @@
#ifndef _SHS_DEFINED
-#include <k5-int.h>
+#include "k5-int.h"
#define _SHS_DEFINED
/* Some useful types */
-typedef krb5_octet BYTE;
-
-/* Old DOS/Windows compilers are case-insensitive */
-#if !defined(_MSDOS) && !defined(_WIN32)
-typedef krb5_ui_4 LONG;
-#endif
-
+typedef krb5_octet SHS_BYTE;
+typedef krb5_ui_4 SHS_LONG;
/* Define the following to use the updated SHS implementation */
#define NEW_SHS /**/
@@ -25,16 +20,16 @@ typedef krb5_ui_4 LONG;
/* The structure for storing SHS info */
typedef struct {
- LONG digest[ 5 ]; /* Message digest */
- LONG countLo, countHi; /* 64-bit bit count */
- LONG data[ 16 ]; /* SHS data buffer */
+ SHS_LONG digest[ 5 ]; /* Message digest */
+ SHS_LONG countLo, countHi; /* 64-bit bit count */
+ SHS_LONG data[ 16 ]; /* SHS data buffer */
} SHS_INFO;
/* Message digest functions (shs.c) */
void shsInit
KRB5_PROTOTYPE((SHS_INFO *shsInfo));
void shsUpdate
- KRB5_PROTOTYPE((SHS_INFO *shsInfo, BYTE *buffer, int count));
+ KRB5_PROTOTYPE((SHS_INFO *shsInfo, SHS_BYTE *buffer, int count));
void shsFinal
KRB5_PROTOTYPE((SHS_INFO *shsInfo));
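Review bot: The `shsUpdate` prototype keeps a non-const `SHS_BYTE *buffer` even though this commit makes the `SHSTransform` input `const`, and the visible `shsUpdate` hunks only read through `buffer`. Declaring it as `KRB5_PROTOTYPE((SHS_INFO *shsInfo, const SHS_BYTE *buffer, int count));` would let callers pass read-only data without casting away `const`. The definition in `shs.c` would need the matching change.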
diff --git a/src/lib/crypto/sha1/t_shs.c b/src/lib/crypto/sha1/t_shs.c
index da55992..de021bb 100644
--- a/src/lib/crypto/sha1/t_shs.c
+++ b/src/lib/crypto/sha1/t_shs.c
@@ -13,7 +13,7 @@
#ifdef NEW_SHS
-static LONG shsTestResults[][ 5 ] = {
+static SHS_LONG shsTestResults[][ 5 ] = {
{ 0xA9993E36L, 0x4706816AL, 0xBA3E2571L, 0x7850C26CL, 0x9CD0D89DL, },
{ 0x84983E44L, 0x1C3BD26EL, 0xBAAE4AA1L, 0xF95129E5L, 0xE54670F1L, },
{ 0x34AA973CL, 0xD4C4DAA4L, 0xF61EEB2BL, 0xDBAD2731L, 0x6534016FL, }
@@ -21,7 +21,7 @@ static LONG shsTestResults[][ 5 ] = {
#else
-static LONG shsTestResults[][ 5 ] = {
+static SHS_LONG shsTestResults[][ 5 ] = {
{ 0x0164B8A9L, 0x14CD2A5EL, 0x74C4F7FFL, 0x082C4D97L, 0xF1EDF880L },
{ 0xD2516EE1L, 0xACFA5BAFL, 0x33DFC1C4L, 0x71E43844L, 0x9EF134C8L },
{ 0x3232AFFAL, 0x48628A26L, 0x653B5AAAL, 0x44541FD9L, 0x0D690603L }
@@ -58,7 +58,7 @@ main()
SHS_INFO shsInfo;
unsigned int i;
time_t secondCount;
- BYTE data[ 200 ];
+ SHS_BYTE data[ 200 ];
/* Make sure we've got the endianness set right. If the machine is
big-endian (up to 64 bits) the following value will be signed,
@@ -69,7 +69,7 @@ main()
/* Test SHS against values given in SHS standards document */
printf( "Running SHS test 1 ... " );
shsInit( &shsInfo );
- shsUpdate( &shsInfo, ( BYTE * ) "abc", 3 );
+ shsUpdate( &shsInfo, ( SHS_BYTE * ) "abc", 3 );
shsFinal( &shsInfo );
if( compareSHSresults( &shsInfo, 0 ) == -1 )
{
@@ -85,7 +85,7 @@ main()
printf( "Running SHS test 2 ... " );
shsInit( &shsInfo );
- shsUpdate( &shsInfo, ( BYTE * ) "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56 );
+ shsUpdate( &shsInfo, ( SHS_BYTE * ) "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq", 56 );
shsFinal( &shsInfo );
if( compareSHSresults( &shsInfo, 1 ) == -1 )
{
@@ -102,7 +102,7 @@ main()
printf( "Running SHS test 3 ... " );
shsInit( &shsInfo );
for( i = 0; i < 15625; i++ )
- shsUpdate( &shsInfo, ( BYTE * ) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64 );
+ shsUpdate( &shsInfo, ( SHS_BYTE * ) "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa", 64 );
shsFinal( &shsInfo );
if( compareSHSresults( &shsInfo, 2 ) == -1 )
{
diff --git a/src/lib/crypto/sha1/t_shs3.c b/src/lib/crypto/sha1/t_shs3.c
new file mode 100644
index 0000000..1ba030d
--- /dev/null
+++ b/src/lib/crypto/sha1/t_shs3.c
@@ -0,0 +1,583 @@
+/* test shs code */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <time.h>
+#include "shs.h"
+
+/* When run on a little-endian CPU we need to perform byte reversal on an
+ array of longwords. It is possible to make the code endianness-
+ independant by fiddling around with data at the byte level, but this
+ makes for very slow code, so we rely on the user to sort out endianness
+ at compile time */
+
+void longReverse( SHS_LONG *buffer, int byteCount )
+{
+ SHS_LONG value;
+ static int init = 0;
+ char *cp;
+
+ switch (init) {
+ case 0:
+ init=1;
+ cp = (char *) &init;
+ if (*cp == 1) {
+ init=2;
+ break;
+ }
+ init=1;
+ /* fall through - MSB */
+ case 1:
+ return;
+ }
+
+ byteCount /= sizeof( SHS_LONG );
+ while( byteCount-- ) {
+ value = *buffer;
+ value = ( ( value & 0xFF00FF00L ) >> 8 ) |
+ ( ( value & 0x00FF00FFL ) << 8 );
+ *buffer++ = ( value << 16 ) | ( value >> 16 );
+ }
+}
+
+int rc;
+int mode;
+int Dflag;
+
+main(argc,argv)
+ char **argv;
+{
+ int f = 0;
+ char *argp;
+
+ while (--argc > 0) if (*(argp = *++argv)=='-')
+ while (*++argp) switch(*argp)
+ {
+ case '1':
+ case '2':
+ case '3':
+ case '4':
+ case '5':
+ case '6':
+ case '7':
+ if (mode) goto Usage;
+ mode = *argp;
+ break;
+ case 'D':
+ if (argc <= 1) goto Usage;
+ --argc;
+ Dflag = atoi(*++argv);
+ break;
+ case '-':
+ break;
+ default:
+ fprintf (stderr,"Bad switch char <%c>\n", *argp);
+ Usage:
+ fprintf(stderr, "Usage: t_shs [-1234567] [-D #]\n");
+ exit(1);
+ }
+ else goto Usage;
+
+ process();
+ exit(rc);
+}
+
+process()
+{
+ switch(mode)
+ {
+ case '1':
+ test1();
+ break;
+ case '2':
+ test2();
+ break;
+ case '3':
+ test3();
+ break;
+ case '4':
+ test4();
+ break;
+ case '5':
+ test5();
+ break;
+ case '6':
+ test6();
+ break;
+ case '7':
+ test7();
+ break;
+ default:
+ test1();
+ test2();
+ test3();
+ test4();
+ test5();
+ test6();
+ test7();
+ }
+}
+
+#ifndef shsDigest
+unsigned char *
+shsDigest(si)
+ SHS_INFO *si;
+{
+ longReverse(si->digest, SHS_DIGESTSIZE);
+ return (unsigned char*) si->digest;
+}
+#endif
+
+unsigned char results1[SHS_DIGESTSIZE] = {
+0xa9,0x99,0x3e,0x36,0x47,0x06,0x81,0x6a,0xba,0x3e,
+0x25,0x71,0x78,0x50,0xc2,0x6c,0x9c,0xd0,0xd8,0x9d};
+
+test1()
+{
+ SHS_INFO si[1];
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i;
+
+ printf("Running SHS test 1 ...\n");
+ shsInit(si);
+ shsUpdate(si, "abc", 3);
+ shsFinal(si);
+ memcpy(digest, shsDigest(si), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results1, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 1 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results1[i]);
+ }
+ printf("\n");
+}
+
+unsigned char results2[SHS_DIGESTSIZE] = {
+0x84,0x98,0x3e,0x44,0x1c,0x3b,0xd2,0x6e,0xba,0xae,
+0x4a,0xa1,0xf9,0x51,0x29,0xe5,0xe5,0x46,0x70,0xf1};
+
+test2()
+{
+ SHS_INFO si[1];
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i;
+
+ printf("Running SHS test 2 ...\n");
+ shsInit(si);
+ shsUpdate(si,
+"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
+ 56);
+ shsFinal(si);
+ memcpy(digest, shsDigest(si), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results2, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 2 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results2[i]);
+ }
+ printf("\n");
+}
+
+unsigned char results3[SHS_DIGESTSIZE] = {
+0x34,0xaa,0x97,0x3c,0xd4,0xc4,0xda,0xa4,0xf6,0x1e,
+0xeb,0x2b,0xdb,0xad,0x27,0x31,0x65,0x34,0x01,0x6f};
+
+test3()
+{
+ SHS_INFO si[1];
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i;
+
+ printf("Running SHS test 3 ...\n");
+ shsInit(si);
+ for (i = 0; i < 15625; ++i)
+ shsUpdate(si,
+"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+ 64);
+ shsFinal(si);
+ memcpy(digest, shsDigest(si), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results3, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 3 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results3[i]);
+ }
+ printf("\n");
+}
+
+unsigned char randdata[] = {
+0xfe,0x28,0x79,0x25,0xf5,0x03,0xf9,0x1c,0xcd,0x70,0x7b,0xb0,0x42,0x02,0xb8,0x2f,
+0xf3,0x63,0xa2,0x79,0x8e,0x9b,0x33,0xd7,0x2b,0xc4,0xb4,0xd2,0xcb,0x61,0xec,0xbb,
+0x94,0xe1,0x8f,0x53,0x80,0x55,0xd9,0x90,0xb2,0x03,0x58,0xfa,0xa6,0xe5,0x18,0x57,
+0x68,0x04,0x24,0x98,0x41,0x7e,0x84,0xeb,0xc1,0x39,0xbc,0x1d,0xf7,0x4e,0x92,0x72,
+0x1a,0x5b,0xb6,0x99,0x43,0xa5,0x0a,0x45,0x73,0x55,0xfd,0x57,0x83,0x45,0x36,0x5c,
+0xfd,0x39,0x08,0x6e,0xe2,0x01,0x9a,0x8c,0x4e,0x39,0xd2,0x0d,0x5f,0x0e,0x35,0x15,
+0xb9,0xac,0x5f,0xa1,0x8a,0xe6,0xdd,0x6e,0x68,0x9d,0xf6,0x29,0x95,0xf6,0x7d,0x7b,
+0xd9,0x5e,0xf4,0x67,0x25,0xbd,0xee,0xed,0x53,0x60,0xb0,0x47,0xdf,0xef,0xf4,0x41,
+0xbd,0x45,0xcf,0x5c,0x93,0x41,0x87,0x97,0x82,0x39,0x20,0x66,0xb4,0xda,0xcb,0x66,
+0x93,0x02,0x2e,0x7f,0x94,0x4c,0xc7,0x3b,0x2c,0xcf,0xf6,0x99,0x6f,0x13,0xf1,0xc5,
+0x28,0x2b,0xa6,0x6c,0x39,0x26,0x7f,0x76,0x24,0x4a,0x6e,0x01,0x40,0x63,0xf8,0x00,
+0x06,0x23,0x5a,0xaa,0xa6,0x2f,0xd1,0x37,0xc7,0xcc,0x76,0xe9,0x54,0x1e,0x57,0x73,
+0xf5,0x33,0xaa,0x96,0xbe,0x35,0xcd,0x1d,0xd5,0x7d,0xac,0x50,0xd5,0xf8,0x47,0x2d,
+0xd6,0x93,0x5f,0x6e,0x38,0xd3,0xac,0xd0,0x7e,0xad,0x9e,0xf8,0x87,0x95,0x63,0x15,
+0x65,0xa3,0xd4,0xb3,0x9a,0x6c,0xac,0xcd,0x2a,0x54,0x83,0x13,0xc4,0xb4,0x94,0xfa,
+0x76,0x87,0xc5,0x8b,0x4a,0x10,0x92,0x05,0xd1,0x0e,0x97,0xfd,0xc8,0xfb,0xc5,0xdc,
+0x21,0x4c,0xc8,0x77,0x5c,0xed,0x32,0x22,0x77,0xc1,0x38,0x30,0xd7,0x8e,0x2a,0x70,
+0x72,0x67,0x13,0xe4,0xb7,0x18,0xd4,0x76,0xdd,0x32,0x12,0xf4,0x5d,0xc9,0xec,0xc1,
+0x2c,0x8a,0xfe,0x08,0x6c,0xea,0xf6,0xab,0x5a,0x0e,0x8e,0x81,0x1d,0xc8,0x5a,0x4b,
+0xed,0xb9,0x7f,0x4b,0x67,0xe3,0x65,0x46,0xc9,0xf2,0xab,0x37,0x0a,0x98,0x67,0x5b,
+0xb1,0x3b,0x02,0x91,0x38,0x71,0xea,0x62,0x88,0xae,0xb6,0xdb,0xfc,0x55,0x79,0x33,
+0x69,0x95,0x51,0xb6,0xe1,0x3b,0xab,0x22,0x68,0x54,0xf9,0x89,0x9c,0x94,0xe0,0xe3,
+0xd3,0x48,0x5c,0xe9,0x78,0x5b,0xb3,0x4b,0xba,0xd8,0x48,0xd8,0xaf,0x91,0x4e,0x23,
+0x38,0x23,0x23,0x6c,0xdf,0x2e,0xf0,0xff,0xac,0x1d,0x2d,0x27,0x10,0x45,0xa3,0x2d,
+0x8b,0x00,0xcd,0xe2,0xfc,0xb7,0xdb,0x52,0x13,0xb7,0x66,0x79,0xd9,0xd8,0x29,0x0e,
+0x32,0xbd,0x52,0x6b,0x75,0x71,0x08,0x83,0x1b,0x67,0x28,0x93,0x97,0x97,0x32,0xff,
+0x8b,0xd3,0x98,0xa3,0xce,0x2b,0x88,0x37,0x1c,0xcc,0xa0,0xd1,0x19,0x9b,0xe6,0x11,
+0xfc,0xc0,0x3c,0x4e,0xe1,0x35,0x49,0x29,0x19,0xcf,0x1d,0xe1,0x60,0x74,0xc0,0xe9,
+0xf7,0xb4,0x99,0xa0,0x23,0x50,0x51,0x78,0xcf,0xc0,0xe5,0xc2,0x1c,0x16,0xd2,0x24,
+0x5a,0x63,0x54,0x83,0xaa,0x74,0x3d,0x41,0x0d,0x52,0xee,0xfe,0x0f,0x4d,0x13,0xe1,
+0x27,0x00,0xc4,0xf3,0x2b,0x55,0xe0,0x9c,0x81,0xe0,0xfc,0xc2,0x13,0xd4,0x39,0x09
+};
+
+unsigned char results4[SHS_DIGESTSIZE] = {
+0x13,0x62,0xfc,0x87,0x68,0x33,0xd5,0x1d,0x2f,0x0c,
+0x73,0xe3,0xfb,0x87,0x6a,0x6b,0xc3,0x25,0x54,0xfc};
+
+test4()
+{
+ SHS_INFO si[1];
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i, j, k;
+
+ printf("Running SHS test 4 ...\n");
+ shsInit(si);
+ shsUpdate(si, randdata, 19);
+ shsFinal(si);
+ memcpy(digest, shsDigest(si), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results4, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 4 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results4[i]);
+ }
+ printf("\n");
+}
+
+unsigned char results5[SHS_DIGESTSIZE] = {
+0x19,0x4d,0xf6,0xeb,0x8e,0x02,0x6d,0x37,0x58,0x64,
+0xe5,0x95,0x19,0x2a,0xdd,0x1c,0xc4,0x3c,0x24,0x86};
+
+test5()
+{
+ SHS_INFO si[1];
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i, j, k;
+
+ printf("Running SHS test 5 ...\n");
+ shsInit(si);
+ shsUpdate(si, randdata, 19);
+ shsUpdate(si, randdata+32, 15);
+ shsFinal(si);
+ memcpy(digest, shsDigest(si), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results5, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 5 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results5[i]);
+ }
+ printf("\n");
+}
+
+unsigned char results6[SHS_DIGESTSIZE] = {
+0x4e,0x16,0x57,0x9d,0x4b,0x48,0xa9,0x1c,0x88,0x72,
+0x83,0xdb,0x88,0xd1,0xea,0x3a,0x45,0xdf,0xa1,0x10};
+
+test6()
+{
+ struct {
+ long pad1;
+ SHS_INFO si1;
+ long pad2;
+ SHS_INFO si2;
+ long pad3;
+ } sdata;
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i, j, k;
+
+ printf("Running SHS test 6 ...\n");
+ sdata.pad1 = 0x12345678;
+ sdata.pad2 = 0x87654321;
+ sdata.pad3 = 0x78563412;
+ shsInit((&sdata.si2));
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #20 %#lx\n",
+sdata.pad2);
+sdata.pad2 = 0x87654321;
+}
+if (sdata.pad3 != 0x78563412) {
+printf ("Overrun #21 %#lx\n",
+sdata.pad3);
+sdata.pad3 = 0x78563412;
+}
+ for (i = 0; i < 400; ++i)
+ {
+ shsInit(&sdata.si1);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #22 %#lx at %d\n",
+sdata.pad1, i);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #23 %#lx at %d\n",
+sdata.pad2, i);
+sdata.pad2 = 0x87654321;
+}
+ shsUpdate(&sdata.si1, (randdata+sizeof(randdata))-i, i);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #24 %#lx at %d\n",
+sdata.pad1, i);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #25 %#lx at %d\n",
+sdata.pad2, i);
+sdata.pad2 = 0x87654321;
+}
+ shsFinal(&sdata.si1);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #26 %#lx at %d\n",
+sdata.pad1, i);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #27 %#lx at %d\n",
+sdata.pad2, i);
+sdata.pad2 = 0x87654321;
+}
+ memcpy(digest, shsDigest(&sdata.si1), SHS_DIGESTSIZE);
+ if (Dflag & 1)
+ {
+ printf ("%d: ", i);
+ for (j = 0; j < SHS_DIGESTSIZE; ++j)
+ printf("%02x",digest[j]);
+ printf("\n");
+ }
+ shsUpdate((&sdata.si2), digest, SHS_DIGESTSIZE);
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #28 %#lx at %d\n",
+sdata.pad2, i);
+sdata.pad2 = 0x87654321;
+}
+if (sdata.pad3 != 0x78563412) {
+printf ("Overrun #29 %#lx at %d\n",
+sdata.pad3, i);
+sdata.pad3 = 0x78563412;
+}
+ if (Dflag & 2)
+ printf ("%d: %08lx%08lx%08lx%08lx%08lx\n",
+ i,
+ sdata.si2.digest[0],
+ sdata.si2.digest[1],
+ sdata.si2.digest[2],
+ sdata.si2.digest[3],
+ sdata.si2.digest[4]);
+ }
+ shsFinal((&sdata.si2));
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #30 %#lx\n",
+sdata.pad2);
+sdata.pad2 = 0x87654321;
+}
+if (sdata.pad3 != 0x78563412) {
+printf ("Overrun #31 %#lx\n",
+sdata.pad3);
+sdata.pad3 = 0x78563412;
+}
+ memcpy(digest, shsDigest((&sdata.si2)), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results6, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 6 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results6[i]);
+ }
+ printf("\n");
+}
+
+unsigned char results7[SHS_DIGESTSIZE] = {
+0x89,0x41,0x65,0xce,0x76,0xc1,0xd1,0xd1,0xc3,0x6f,
+0xab,0x92,0x79,0x30,0x01,0x71,0x63,0x1f,0x74,0xfe};
+
+int jfsize[] = {0,1,31,32,
+ 33,55,56,63,
+ 64,65,71,72,
+ 73,95,96,97,
+ 119,120,123,127};
+int kfsize[] = {0,1,31,32,33,55,56,63};
+
+test7()
+{
+ struct {
+ long pad1;
+ SHS_INFO si1;
+ long pad2;
+ SHS_INFO si2;
+ long pad3;
+ } sdata;
+ unsigned char digest[SHS_DIGESTSIZE];
+ int failed;
+ int i, j, k, l;
+
+ printf("Running SHS test 7 ...\n");
+ sdata.pad1 = 0x12345678;
+ sdata.pad2 = 0x87654321;
+ sdata.pad3 = 0x78563412;
+ shsInit((&sdata.si2));
+ for (i = 1; i <= 128; ++i)
+ for (j = 0; j < 20; ++j)
+ for (k = 0; k < 8; ++k)
+ {
+ shsInit(&sdata.si1);
+ shsUpdate(&sdata.si1, (randdata+80+j), i);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #1 %#lx at %d,%d,%d\n",
+sdata.pad1, i,j,k);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #2 %#lx at %d,%d,%d\n",
+sdata.pad2, i,j,k);
+sdata.pad2 = 0x87654321;
+}
+ shsUpdate(&sdata.si1, randdata+i, jfsize[j]);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #3 %#lx at %d,%d,%d\n",
+sdata.pad1, i,j,k);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #4 %#lx at %d,%d,%d\n",
+sdata.pad2, i,j,k);
+sdata.pad2 = 0x87654321;
+}
+ if (k) shsUpdate(&sdata.si1, randdata+(i^j), kfsize[k]);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #5 %#lx at %d,%d,%d\n",
+sdata.pad1, i,j,k);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #6 %#lx at %d,%d,%d\n",
+sdata.pad2, i,j,k);
+sdata.pad2 = 0x87654321;
+}
+ shsFinal(&sdata.si1);
+if (sdata.pad1 != 0x12345678) {
+printf ("Overrun #7 %#lx at %d,%d,%d\n",
+sdata.pad1, i,j,k);
+sdata.pad1 = 0x12345678;
+}
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #8 %#lx at %d,%d,%d\n",
+sdata.pad2, i,j,k);
+sdata.pad2 = 0x87654321;
+}
+ memcpy(digest, shsDigest(&sdata.si1), SHS_DIGESTSIZE);
+ if (Dflag & 1)
+ {
+ printf ("%d,%d,%d: ", i, j, k);
+ for (l = 0; l < SHS_DIGESTSIZE; ++l)
+ printf("%02x",digest[l]);
+ printf("\n");
+ }
+ shsUpdate((&sdata.si2), digest, SHS_DIGESTSIZE);
+if (sdata.pad2 != 0x87654321) {
+printf ("Overrun #9 %#lx at %d,%d,%d\n",
+sdata.pad2, i,j,k);
+sdata.pad2 = 0x87654321;
+}
+if (sdata.pad3 != 0x78563412) {
+printf ("Overrun #10 %#lx at %d,%d,%d\n",
+sdata.pad3, i,j,k);
+sdata.pad3 = 0x78563412;
+}
+ if (Dflag & 2)
+ printf ("%d,%d,%d: %08lx%08lx%08lx%08lx%08lx\n",
+ i,j,k,
+ sdata.si2.digest[0],
+ sdata.si2.digest[1],
+ sdata.si2.digest[2],
+ sdata.si2.digest[3],
+ sdata.si2.digest[4]);
+ }
+ shsFinal((&sdata.si2));
+ memcpy(digest, shsDigest((&sdata.si2)), SHS_DIGESTSIZE);
+ if (failed = memcmp(digest, results7, SHS_DIGESTSIZE))
+ {
+ fprintf(stderr,"SHS test 7 failed!\n");
+ rc = 1;
+ }
+ printf ("%s, results = ", failed ? "Failed" : "Passed");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",digest[i]);
+ if (failed)
+ {
+ printf ("\n, expected ");
+ for (i = 0; i < SHS_DIGESTSIZE; ++i)
+ printf("%02x",results7[i]);
+ }
+ printf("\n");
+}
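Review bot: The new file calls `memcpy` and `memcmp` without including `<string.h>`, and `process()` and `test1()` to `test7()` are called before any declaration and defined with implicit `int`, so the compiler cannot check any of these calls. Add `#include <string.h>` and declare the helpers up front, e.g. `static void test1(void);`. The `Dflag & 2` traces in `test6` and `test7` pass `SHS_LONG` digest words to `%08lx`, which mismatches wherever `long` is wider than `krb5_ui_4`; cast each argument, e.g. `(unsigned long) sdata.si2.digest[0]`. The usage string also names `t_shs` rather than `t_shs3`.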
diff --git a/src/lib/crypto/valid_cksumtype.c b/src/lib/crypto/valid_cksumtype.c
index 68000be..16efdc6 100644
--- a/src/lib/crypto/valid_cksumtype.c
+++ b/src/lib/crypto/valid_cksumtype.c
@@ -28,7 +28,7 @@
#include "cksumtypes.h"
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
-valid_cksumtype(ctype)
+krb5_c_valid_cksumtype(ctype)
krb5_cksumtype ctype;
{
int i;
@@ -40,3 +40,9 @@ valid_cksumtype(ctype)
return(0);
}
+
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
+valid_cksumtype(krb5_cksumtype ctype)
+{
+ return krb5_c_valid_cksumtype (ctype);
+}
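Review bot: The added `valid_cksumtype` wrapper has no comment saying it is the old name kept for compatibility, and it uses a prototype-style parameter list while `krb5_c_valid_cksumtype` directly above keeps the K&R form. I would add `/* Compatibility name; new code should call krb5_c_valid_cksumtype(). */` above the wrapper and settle on one definition style for the file. The same applies to the `valid_enctype` wrapper added in src/lib/crypto/valid_enctype.c. The body of `krb5_c_valid_cksumtype` lies mostly outside the hunk, so I have not reviewed it.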
diff --git a/src/lib/crypto/valid_enctype.c b/src/lib/crypto/valid_enctype.c
index 39e48c0..ce955d8 100644
--- a/src/lib/crypto/valid_enctype.c
+++ b/src/lib/crypto/valid_enctype.c
@@ -28,7 +28,7 @@
#include "etypes.h"
KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
-valid_enctype(etype)
+krb5_c_valid_enctype(etype)
krb5_enctype etype;
{
int i;
@@ -40,3 +40,9 @@ valid_enctype(etype)
return(0);
}
+
+KRB5_DLLIMP krb5_boolean KRB5_CALLCONV
+valid_enctype(krb5_enctype etype)
+{
+ return krb5_c_valid_enctype (etype);
+}
diff --git a/src/lib/gssapi/ChangeLog b/src/lib/gssapi/ChangeLog
index 1e0213f..37b9d26 100644
--- a/src/lib/gssapi/ChangeLog
+++ b/src/lib/gssapi/ChangeLog
@@ -1,3 +1,16 @@
+2002-05-22 Alexandra Ellwood <lxs@mit.edu>
+ * gss_libinit.c: Conditionalized error table loading for
+ Mac OS X. Error tables should always be loaded on other
+ platforms.
+
+2002-03-03 Alexandra Ellwood <lxs@mit.edu>
+ * gss_libinit.c: updated for Mac OS X header paths and added
+ include of gssapiP_krb5.h to get function prototypes.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in(LIBMINOR): Bump library version.
+
Tue Feb 22 10:23:19 2000 Ezra Peisach <epeisach@mit.edu>
* Makefile.in (clean-unix): Add clean-libobjs.
diff --git a/src/lib/gssapi/Makefile.in b/src/lib/gssapi/Makefile.in
index bee2b85..20936da 100644
--- a/src/lib/gssapi/Makefile.in
+++ b/src/lib/gssapi/Makefile.in
@@ -24,7 +24,7 @@ SRCS=\
LIB=gssapi_krb5
LIBMAJOR=2
-LIBMINOR=1
+LIBMINOR=2
STOBJLISTS=OBJS.ST generic/OBJS.ST krb5/OBJS.ST
SHLIB_EXPDEPS=\
$(TOPLIBD)/libkrb5$(SHLIBEXT) \
diff --git a/src/lib/gssapi/generic/ChangeLog b/src/lib/gssapi/generic/ChangeLog
index 234c953..1bbf501 100644
--- a/src/lib/gssapi/generic/ChangeLog
+++ b/src/lib/gssapi/generic/ChangeLog
@@ -1,3 +1,50 @@
+2002-05-05 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi_generic.h: allow inclusion by C++
+
+2002-03-28 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi.hin: Conditionalized pragmas for Metrowerks
+
+2002-03-07 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi.hin: Added check for CFM compiles. Removed dependency on
+ PRAGMA_* macros. Moved check struct alignment check before struct declarations.
+
+2002-03-03 Alexandra Ellwood <lxs@mit.edu>
+ * disp_com_err_status.c: Updated Mac OS X headers to new
+ framework layout... this time for real.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * disp_com_err_status.c, gssapi.hin, gssapi_generic.h:
+ Updated Mac OS X headers to new framework layout
+
+2000-11-19 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi_generic.h: Fixed check for Mac OS X includes.
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * gssapi.hin, gssapi_generic.h, gssapi_generic.c:
+ added oids from rfc 2744. Kept old oids for compatibility.
+ * gssapi.hin: Changed KerberosConditionalMacros.h to
+ KerberosSupport.h.
+ * gssapi.hin: Fixed Mac OS preprocessor test
+ * gssapi_generic.h: corrected Mac OS include to <GSS/gssapi.h>
+ * gssapiP_generic.h: use "" include for krb5.h
+ * disp_com_err_status.c, gssapi.hin: Updated Mac OS #defines
+ and #includes for new header layout and Mac OS X frameworks
+ * gssapi_generic.h: Added check for Mac OS X includes. This will
+ not break autoconf-style builds because they do not include
+ ConditionalMacros.h.
+
+2001-10-20 Ken Raeburn <raeburn@mit.edu>
+
+ * gssapiP_generic.h (g_*): For every g_ function declared here,
+ first define the name as a macro using a gssint_ prefix to avoid
+ conflicting with glib function names.
+
+2000-09-11 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi_generic.h: Added check for Mac OS X includes. This will
+ not break autoconf-style builds because they do not include
+ ConditionalMacros.h.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/gssapi/generic/disp_com_err_status.c b/src/lib/gssapi/generic/disp_com_err_status.c
index c4db913..71c7505 100644
--- a/src/lib/gssapi/generic/disp_com_err_status.c
+++ b/src/lib/gssapi/generic/disp_com_err_status.c
@@ -25,7 +25,12 @@
*/
#include "gssapiP_generic.h"
+
+#if TARGET_OS_MAC
+#include <Kerberos/com_err.h>
+#else
#include "com_err.h"
+#endif
/* XXXX internationalization!! */
diff --git a/src/lib/gssapi/generic/gssapi.hin b/src/lib/gssapi/generic/gssapi.hin
index f6a0f57..05edd74 100644
--- a/src/lib/gssapi/generic/gssapi.hin
+++ b/src/lib/gssapi/generic/gssapi.hin
@@ -27,13 +27,33 @@
* Determine platform-dependent configuration.
*/
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
-#include <win-mac.h>
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+ #include <TargetConditionals.h>
+ #if TARGET_RT_MAC_CFM
+ #error "Use KfM 4.0 SDK headers for CFM compilation."
+ #endif
+
+ /* This is an API divergence in 1.2.3. This will be reconciled in 1.3, when
+ all platforms will have RFC-compliant OID declarations. */
+ #define GSS_RFC_COMPLIANT_OIDS 1
+#else
+ #define GSS_RFC_COMPLIANT_OIDS 0
+#endif
-/* Macintoh CFM-68K magic incantation */
-#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
-#pragma import on
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma import on
+ #pragma enumsalwaysint on
+ #endif
+ #pragma options align=mac68k
#endif
+
+#if defined(_MSDOS) || defined(_WIN32)
+#include <win-mac.h>
#endif
#ifndef KRB5_CALLCONV
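Review bot: `extern "C" {` is now opened before `#include <win-mac.h>`, so on Windows a C++ consumer pulls that header, and anything it includes, inside the linkage block; previously the block opened just before the function prototypes. A header that declares C++ overloads or templates will not compile in that position, so I would keep the `win-mac.h` include above the `#ifdef __cplusplus` block. Separately, `GSS_RFC_COMPLIANT_OIDS` is defined unconditionally in both branches, which clashes with a value passed on the compiler command line; wrapping the definitions in `#ifndef GSS_RFC_COMPLIANT_OIDS` would avoid that.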
@@ -327,9 +347,106 @@ typedef int gss_cred_usage_t;
* Finally, function prototypes for the GSSAPI routines.
*/
-#ifdef __cplusplus
-extern "C" {
-#endif
+/* RFC-compliant GSS_oids will be present on all platforms in 1.3 */
+#if GSS_RFC_COMPLIANT_OIDS
+
+/* Reserved static storage for GSS_oids. Comments are quotes from RFC 2744.
+ *
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_USER_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_MACHINE_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"},
+ * corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_STRING_UID_NAME;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ * corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)). The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc. This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_HOSTBASED_SERVICE_X;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {10, (void *)"\x2a\x86\x48\x86\xf7\x12"
+ * "\x01\x02\x01\x04"}, corresponding to an
+ * object-identifier value of {iso(1) member-body(2)
+ * Unites States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}. The constant
+ * GSS_C_NT_HOSTBASED_SERVICE should be initialized
+ * to point to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_HOSTBASED_SERVICE;
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ * corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}. The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_ANONYMOUS;
+
+
+/*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value
+ * {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ * corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}. The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+GSS_DLLIMP extern gss_OID GSS_C_NT_EXPORT_NAME;
+
+#endif /* GSS_RFC_COMPLIANT_OIDS */
+
+/* Function Prototypes */
GSS_DLLIMP OM_uint32 KRB5_CALLCONV gss_acquire_cred
PROTOTYPE( (OM_uint32 FAR *, /* minor_status */
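Review bot: The seven `GSS_C_NT_*` declarations exist only when `GSS_RFC_COMPLIANT_OIDS` is 1, which the first hunk of this file sets only for Mac builds, and the lead comment does not tell callers that the names are absent elsewhere. I would extend it with something like `/* Declared only when GSS_RFC_COMPLIANT_OIDS is 1; portable code must keep using the gss_nt_* names from gssapi_generic.h. */`. The lead comment also says "Reserved static storage", but these are `extern` declarations; the storage itself is in gssapi_generic.c.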
@@ -684,9 +801,17 @@ PROTOTYPE( (OM_uint32 *, /* minor_status */
gss_name_t * /* output_name */
));
+#if TARGET_OS_MAC
+ #if defined(__MWERKS__)
+ #pragma enumsalwaysint reset
+ #pragma import reset
+ #endif
+ #pragma options align=reset
+#endif
+
#ifdef __cplusplus
}
-#endif
+#endif /* __cplusplus */
/* XXXX these are not part of the GSSAPI C bindings! (but should be) */
@@ -700,9 +825,4 @@ PROTOTYPE( (OM_uint32 *, /* minor_status */
/* XXXX This is a necessary evil until the spec is fixed */
#define GSS_S_CRED_UNAVAIL GSS_S_FAILURE
-/* Macintoh CFM-68K magic incantation */
-#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
-#pragma import reset
-#endif
-
#endif /* _GSSAPI_H_ */
diff --git a/src/lib/gssapi/generic/gssapiP_generic.h b/src/lib/gssapi/generic/gssapiP_generic.h
index a0fa7c4..3f7fd75 100644
--- a/src/lib/gssapi/generic/gssapiP_generic.h
+++ b/src/lib/gssapi/generic/gssapiP_generic.h
@@ -28,7 +28,7 @@
*/
#if (defined(_MSDOS) || defined(_WIN32) || defined(macintosh))
-#include <k5-int.h>
+#include "k5-int.h"
#else
#ifdef HAVE_STDLIB_H
#include <stdlib.h>
@@ -97,6 +97,38 @@
/** helper functions **/
+/* hide names from applications, especially glib applications */
+#define g_set_init gssint_g_set_init
+#define g_set_destroy gssint_g_set_destroy
+#define g_set_entry_add gssint_g_set_entry_add
+#define g_set_entry_delete gssint_g_set_entry_delete
+#define g_set_entry_get gssint_g_set_entry_get
+#define g_save_name gssint_g_save_name
+#define g_save_cred_id gssint_g_save_cred_id
+#define g_save_ctx_id gssint_g_save_ctx_id
+#define g_validate_name gssint_g_validate_name
+#define g_validate_cred_id gssint_g_validate_cred_id
+#define g_validate_ctx_id gssint_g_validate_ctx_id
+#define g_delete_name gssint_g_delete_name
+#define g_delete_cred_id gssint_g_delete_cred_id
+#define g_delete_ctx_id gssint_g_delete_ctx_id
+#define g_make_string_buffer gssint_g_make_string_buffer
+#define g_copy_OID_set gssint_g_copy_OID_set
+#define g_token_size gssint_g_token_size
+#define g_make_token_header gssint_g_make_token_header
+#define g_verify_token_header gssint_g_verify_token_header
+#define g_display_major_status gssint_g_display_major_status
+#define g_display_com_err_status gssint_g_display_com_err_status
+#define g_order_init gssint_g_order_init
+#define g_order_check gssint_g_order_check
+#define g_order_free gssint_g_order_free
+#define g_queue_size gssint_g_queue_size
+#define g_queue_externalize gssint_g_queue_externalize
+#define g_queue_internalize gssint_g_queue_internalize
+#define g_canonicalize_host gssint_g_canonicalize_host
+#define g_local_host_name gssint_g_local_host_name
+#define g_strdup gssint_g_strdup
+
typedef struct _g_set *g_set;
int g_set_init PROTOTYPE((g_set *s));
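Review bot: The renaming only takes effect in translation units that see these `#define`s, and the comment does not say so. A source file that defines or calls one of the `g_*` helpers without including gssapiP_generic.h first would emit the unprefixed symbol, and would then either fail to link or still collide with glib. I would expand the comment to `/* Every file that declares, defines or calls a g_* helper must include this header first so the gssint_ names are used consistently. */`. The list must also be kept in step with the prototypes by hand; the declarations continue outside this hunk, so I could not check that each one is covered.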
diff --git a/src/lib/gssapi/generic/gssapi_generic.c b/src/lib/gssapi/generic/gssapi_generic.c
index 10cc4d7..ea7cb82 100644
--- a/src/lib/gssapi/generic/gssapi_generic.c
+++ b/src/lib/gssapi/generic/gssapi_generic.c
@@ -53,17 +53,111 @@
*/
static gss_OID_desc oids[] = {
- {10, "\052\206\110\206\367\022\001\002\001\001"},
- {10, "\052\206\110\206\367\022\001\002\001\002"},
- {10, "\052\206\110\206\367\022\001\002\001\003"},
- {10, "\052\206\110\206\367\022\001\002\001\004"},
- { 6, "\053\006\001\005\006\004"},
- { 6, "\053\006\001\005\006\002"},
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x01"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) user_name(1)}. The constant
+ * GSS_C_NT_USER_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x02"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) machine_uid_name(2)}.
+ * The constant GSS_C_NT_MACHINE_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x03"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) United States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) string_uid_name(3)}.
+ * The constant GSS_C_NT_STRING_UID_NAME should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {6, (void *)"\x2b\x06\x01\x05\x06\x02"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) org(3) dod(6) internet(1) security(5)
+ * nametypes(6) gss-host-based-services(2)). The constant
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be initialized to point
+ * to that gss_OID_desc. This is a deprecated OID value, and
+ * implementations wishing to support hostbased-service names
+ * should instead use the GSS_C_NT_HOSTBASED_SERVICE OID,
+ * defined below, to identify such names;
+ * GSS_C_NT_HOSTBASED_SERVICE_X should be accepted a synonym
+ * for GSS_C_NT_HOSTBASED_SERVICE when presented as an input
+ * parameter, but should not be emitted by GSS-API
+ * implementations
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {10, (void *)"\x2a\x86\x48\x86\xf7\x12\x01\x02\x01\x04"},
+ /* corresponding to an object-identifier value of
+ * {iso(1) member-body(2) Unites States(840) mit(113554)
+ * infosys(1) gssapi(2) generic(1) service_name(4)}.
+ * The constant GSS_C_NT_HOSTBASED_SERVICE should be
+ * initialized to point to that gss_OID_desc.
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {6, (void *)"\x2b\x06\01\x05\x06\x03"},
+ /* corresponding to an object identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 3(gss-anonymous-name)}. The constant
+ * and GSS_C_NT_ANONYMOUS should be initialized to point
+ * to that gss_OID_desc.
+ */
+
+ /*
+ * The implementation must reserve static storage for a
+ * gss_OID_desc object containing the value */
+ {6, (void *)"\x2b\x06\x01\x05\x06\x04"},
+ /* corresponding to an object-identifier value of
+ * {1(iso), 3(org), 6(dod), 1(internet), 5(security),
+ * 6(nametypes), 4(gss-api-exported-name)}. The constant
+ * GSS_C_NT_EXPORT_NAME should be initialized to point
+ * to that gss_OID_desc.
+ */
};
-GSS_DLLIMP gss_OID gss_nt_user_name = oids+0;
-GSS_DLLIMP gss_OID gss_nt_machine_uid_name = oids+1;
-GSS_DLLIMP gss_OID gss_nt_string_uid_name = oids+2;
-GSS_DLLIMP gss_OID gss_nt_service_name = oids+3;
-GSS_DLLIMP gss_OID gss_nt_exported_name = oids+4;
-GSS_DLLIMP gss_OID gss_nt_service_name_v2 = oids+5;
+/* Here are the constants which point to the static structure above.
+ *
+ * Constants of the form GSS_C_NT_* are specified by rfc 2744.
+ *
+ * Constants of the form gss_nt_* are the original MIT krb5 names
+ * found in gssapi_generic.h. They are provided for compatibility. */
+
+#if GSS_RFC_COMPLIANT_OIDS
+GSS_DLLIMP gss_OID GSS_C_NT_USER_NAME = oids+0;
+GSS_DLLIMP gss_OID GSS_C_NT_MACHINE_UID_NAME = oids+1;
+GSS_DLLIMP gss_OID GSS_C_NT_STRING_UID_NAME = oids+2;
+GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE_X = oids+3;
+GSS_DLLIMP gss_OID GSS_C_NT_HOSTBASED_SERVICE = oids+4;
+GSS_DLLIMP gss_OID GSS_C_NT_ANONYMOUS = oids+5;
+GSS_DLLIMP gss_OID GSS_C_NT_EXPORT_NAME = oids+6;
+#endif /* GSS_RFC_COMPLIANT_OIDS */
+
+GSS_DLLIMP gss_OID gss_nt_user_name = oids+0;
+GSS_DLLIMP gss_OID gss_nt_machine_uid_name = oids+1;
+GSS_DLLIMP gss_OID gss_nt_string_uid_name = oids+2;
+GSS_DLLIMP gss_OID gss_nt_service_name_v2 = oids+3;
+GSS_DLLIMP gss_OID gss_nt_service_name = oids+4;
+GSS_DLLIMP gss_OID gss_nt_exported_name = oids+6;
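Review bot: The `gss_nt_*` and `GSS_C_NT_*` pointers are bound to `oids[]` by bare numeric offsets, and this change reorders the array: the 10-byte service-name OID moves from index 3 to 4 and the exported-name OID from 4 to 6. A later insertion would silently point a name type at the wrong OID. The offsets in this hunk do match the entries as far as I can check them against the byte strings. I would tag each initializer with its slot, e.g. `/* [3] GSS_C_NT_HOSTBASED_SERVICE_X */`, or name the slots with an `enum` and write `&oids[OID_EXPORT_NAME]` (a name I am proposing, not one in the file). The descriptor table is also writable; whether it can be made `const` depends on the `gss_OID` typedef, which is not in this hunk.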
diff --git a/src/lib/gssapi/generic/gssapi_generic.h b/src/lib/gssapi/generic/gssapi_generic.h
index 8317cad..337558a 100644
--- a/src/lib/gssapi/generic/gssapi_generic.h
+++ b/src/lib/gssapi/generic/gssapi_generic.h
@@ -27,17 +27,33 @@
* $Id$
*/
-#if defined(__MWERKS__) || defined(applec) || defined(THINK_C)
-#include <gssapi.h>
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+#include <Kerberos/gssapi.h>
#else
#include <gssapi/gssapi.h>
#endif
+#if defined(__cplusplus) && !defined(GSSAPIGENERIC_BEGIN_DECLS)
+#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
+#define GSSAPIGENERIC_END_DECLS }
+#else
+#define GSSAPIGENERIC_BEGIN_DECLS
+#define GSSAPIGENERIC_END_DECLS
+#endif
+
+GSSAPIGENERIC_BEGIN_DECLS
+
+/* Deprecated MIT krb5 oid names provided for compatibility.
+ * The correct oids (GSS_C_NT_USER_NAME, etc) from rfc 2744
+ * are defined in gssapi.h. */
+
GSS_DLLIMP extern gss_OID gss_nt_user_name;
GSS_DLLIMP extern gss_OID gss_nt_machine_uid_name;
GSS_DLLIMP extern gss_OID gss_nt_string_uid_name;
+GSS_DLLIMP extern gss_OID gss_nt_service_name_v2;
GSS_DLLIMP extern gss_OID gss_nt_service_name;
GSS_DLLIMP extern gss_OID gss_nt_exported_name;
-GSS_DLLIMP extern gss_OID gss_nt_service_name_v2;
+
+GSSAPIGENERIC_END_DECLS
#endif /* _GSSAPI_GENERIC_H_ */
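Review bot: The `#else` branch of the new `GSSAPIGENERIC_BEGIN_DECLS` block is taken not only for C but also for C++ when the macro is already defined. In that case it redefines both macros as empty, which drops the `extern "C"` wrapper around the `gss_nt_*` declarations and triggers a redefinition diagnostic. Testing the two conditions separately leaves an existing definition untouched and keeps the C and C++ cases distinct.

```c
#ifndef GSSAPIGENERIC_BEGIN_DECLS
#ifdef __cplusplus
#define GSSAPIGENERIC_BEGIN_DECLS extern "C" {
#define GSSAPIGENERIC_END_DECLS }
#else
#define GSSAPIGENERIC_BEGIN_DECLS
#define GSSAPIGENERIC_END_DECLS
#endif
#endif

GSSAPIGENERIC_BEGIN_DECLS
/* … unchanged: gss_nt_* declarations … */
```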
diff --git a/src/lib/gssapi/gss_libinit.c b/src/lib/gssapi/gss_libinit.c
index e011ebd..3c57203 100644
--- a/src/lib/gssapi/gss_libinit.c
+++ b/src/lib/gssapi/gss_libinit.c
@@ -1,5 +1,11 @@
#include <assert.h>
+#if TARGET_OS_MAC
+// Mac OS X com_err files do not include com_err for you
+#include <Kerberos/com_err.h>
+#endif
+
+#include "gssapiP_krb5.h"
#include "gssapi_err_generic.h"
#include "gssapi_err_krb5.h"
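Review bot: `#if TARGET_OS_MAC` is evaluated here right after `<assert.h>`, before any header visible in this hunk that could define it. Unless the build defines it on the command line or in a prefix header, it evaluates to 0 and `<Kerberos/com_err.h>` is never included, even on Mac OS X. Moving the conditional below `#include "gssapiP_krb5.h"` (which presumably reaches TargetConditionals.h through gssapi.h) would make the test meaningful. The `//` comment is also not C89, which the K&R-style definitions elsewhere in this commit suggest is still a target; `/* Mac OS X com_err files do not include com_err for you */` is safer. The next hunk of this file depends on `USE_HARDCODED_FALLBACK_ERROR_TABLES`, which is neither defined nor documented anywhere visible here.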
@@ -15,8 +21,10 @@ OM_uint32 gssint_initialize_library (void)
{
if (!initialized) {
+#if !TARGET_OS_MAC || USE_HARDCODED_FALLBACK_ERROR_TABLES
add_error_table(&et_k5g_error_table);
add_error_table(&et_ggss_error_table);
+#endif
initialized = 1;
}
diff --git a/src/lib/gssapi/krb5/3des.txt b/src/lib/gssapi/krb5/3des.txt
new file mode 100644
index 0000000..f39c6fc
--- /dev/null
+++ b/src/lib/gssapi/krb5/3des.txt
@@ -0,0 +1,274 @@
+CAT Working Group K. Raeburn
+Internet-draft MIT
+Category: June xx, 2000
+Updates: RFC 1964
+Document: draft-raeburn-gssapi-krb5-3des-XX.txt
+
+ Triple-DES Support for the Kerberos 5 GSSAPI Mechanism
+
+Status of this Memo
+
+ This document is an Internet-Draft and is in full conformance with
+ all provisions of Section 10 of RFC2026 [1]. Internet-Drafts are
+ working documents of the Internet Engineering Task Force (IETF),
+ its areas, and its working groups. Note that other groups may also
+ distribute working documents as Internet-Drafts. Internet-Drafts
+ are draft documents valid for a maximum of six months and may be
+ updated, replaced, or obsoleted by other documents at any time. It
+ is inappropriate to use Internet-Drafts as reference material or to
+ cite them other than as "work in progress."
+
+ The list of current Internet-Drafts can be accessed at
+ http://www.ietf.org/ietf/1id-abstracts.txt
+
+ The list of Internet-Draft Shadow Directories can be accessed at
+ http://www.ietf.org/shadow.html.
+
+1. Abstract
+
+ The MIT Kerberos 5 release version 1.2 includes support for
+ triple-DES with key derivation [KrbRev]. Recent work by the EFF
+ [EFF] has demonstrated the vulnerability of single-DES mechanisms
+ to brute-force attacks by sufficiently motivated and well-funded
+ parties.
+
+ The GSSAPI Kerberos 5 mechanism definition [GSSAPI-KRB5]
+ specifically enumerates encryption and checksum types,
+ independently of how such schemes may be used in Kerberos. In the
+ long run, a new Kerberos-based mechanism, which does not require
+ separately enumerating for the GSSAPI mechanism each of the various
+ encryption types defined by Kerberos, is a better approach.
+ Efforts to produce such a specification are under way.
+
+ In the interest of providing increased security in the near term,
+ however, MIT is adding support for triple-DES to the existing
+ mechanism implementation we ship, as described here.
+
+2. New Algorithm Identifiers
+
+ One new sealing algorithm is defined, for use in WRAP tokens:
+
+ 02 00 - DES3-KD
+
+ This algorithm uses triple-DES with key derivation, with a usage
+ value KG_USAGE_SEAL. Padding is still to 8-byte multiples, and the
+ IV for encrypting application data is zero.
+
+ One new signing algorithm is defined, for use in MIC, Wrap, and
+ Delete tokens:
+
+ 04 00 - HMAC SHA1 DES3-KD
+
+ This algorithm generates an HMAC using SHA-1 and a derived DES3 key
+ with usage KG_USAGE_SIGN, as (should be described) in [KrbRev].
+ [XXX: The current [KrbRev] description refers to out-of-date I-Ds
+ from Marc Horowitz. The text in [KrbRev] may be inadequate to
+ produce an interoperable implementation.]
+
+ The checksum size for this algorithm is 20 octets. See section 4.3
+ below for the use of checksum lengths of other than eight bytes.
+
+3. Key Derivation
+
+ For purposes of key derivation, we add three new usage values to the
+ list defined in [KrbRev]; one for signing messages, one for
+ sealing messages, and one for encrypting sequence numbers:
+
+ #define KG_USAGE_SEAL 22
+ #define KG_USAGE_SIGN 23
+ #define KG_USAGE_SEQ 24
+
+4. Adjustments to Previous Definitions
+
+4.1. Quality of Protection
+
+ The GSSAPI specification [GSSAPI] says that a zero QOP value
+ indicates the "default". The original specification for the
+ Kerberos 5 mechanism says that a zero QOP value (or a QOP value
+ with the appropriate bits clear) means DES encryption.
+
+ Rather than continue to force the use of plain DES when the
+ application doesn't use mechanism-specific QOP values, the better
+ choice appears to be to redefine the DES QOP value as some non-zero
+ value, and define a triple-DES value as well. Then a zero value
+ continues to imply the default, which would be triple-DES
+ protection when given a triple-DES session key.
+
+ Our values are:
+
+ GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 0x0004
+ /* SHA-1 checksum encrypted with key derivation */
+
+ GSS_KRB5_CONF_C_QOP_DES 0x0100
+ /* plain DES encryption */
+ GSS_KRB5_CONF_C_QOP_DES3_KD 0x0200
+ /* triple-DES with key derivation */
+
+ Rather than open the question of whether to specify means for
+ deriving a key of one type given a key of another type, and the
+ security implications of whether to generate a long key from a
+ shorter one, our implementation will simply return an error if the
+ QOP value specified does not correspond to the session key type.
+
+ [XXX: Not implemented yet. Currently an error is reported for all
+ non-zero values. This should be changed before the release, so an
+ application can insist on getting no less than triple-DES
+ protection.]
+
+4.2. MIC Sequence Number Encryption
+
+ The sequence numbers are encrypted in the context key (as defined
+ in [GSSAPI-KRB5] -- this will be either the Kerberos session key or
+ asubkey provided by the context initiator), using whatever
+ encryption system is designated by the type of that context key.
+ The IV is formed from the first N bytes of the SGN_CKSUM field,
+ where N is the number of bytes needed for the IV. (With all
+ algorithms described here and in [GSSAPI-KRB5], the checksum is at
+ least as large as the IV.)
+
+4.3. Message Layout
+
+ Both MIC and Wrap tokens, as defined in [GSSAPI-KRB5], contain an
+ checksum field SGN_CKSUM. In [GSSAPI-KRB5], this field was
+ specified as being 8 bytes long. We now change this size to be
+ "defined by the checksum algorithm", and retroactively amend the
+ descriptions of all the checksum algorithms described in
+ [GSSAPI-KRB5] to explicitly specify 8-byte output. Application
+ data continues to immediately follow the checksum field in the Wrap
+ token.
+
+ The revised message descriptions are thus:
+
+ MIC:
+
+ Byte no Name Description
+ 0..1 TOK_ID Identification field.
+ 2..3 SGN_ALG Integrity algorithm indicator.
+ 4..7 Filler Contains ff ff ff ff
+ 8..15 SND_SEQ Sequence number field.
+ 16..s+15 SGN_CKSUM Checksum of "to-be-signed data",
+ calculated according to algorithm
+ specified in SGN_ALG field.
+
+ Wrap:
+
+ Byte no Name Description
+ 0..1 TOK_ID Identification field.
+ Tokens emitted by GSS_Wrap() contain
+ the hex value 02 01 in this field.
+ 2..3 SGN_ALG Checksum algorithm indicator.
+ 4..5 SEAL_ALG Sealing algorithm indicator.
+ 6..7 Filler Contains ff ff
+ 8..15 SND_SEQ Encrypted sequence number field.
+ 16..s+15 SGN_CKSUM Checksum of plaintext padded data,
+ calculated according to algorithm
+ specified in SGN_ALG field.
+ s+16..last Data encrypted or plaintext padded data
+
+ Where "s" indicates the size of the checksum.
+
+ As indicated above in section 2, we define the HMAC SHA1 DES3-KD
+ checksum algorithm to produce a 20-byte output, so encrypted data
+ begins at byte 36.
+
+5. Backwards Compatibility Considerations
+
+ The context initiator should request of the KDC credentials using
+ session-key cryptosystem types supported by that implementation; if
+ the only types returned by the KDC are not supported by the
+ mechanism implementation, it should indicate a failure. This may
+ seem obvious, but early implementations of both Kerberos and the
+ GSSAPI Kerberos mechanism supported only DES keys, so the
+ cryptosystem compatibility question was easy to overlook.
+
+ Under the current mechanism, no negotiation of algorithm types
+ occurs, so server-side (acceptor) implementations cannot request
+ that clients not use algorithm types not understood by the server.
+ However, administration of the server's Kerberos data has to be
+ done in communication with the KDC, and it is from the KDC that the
+ client will request credentials. The KDC could therefore be tasked
+ with limiting session keys for a given service to types actually
+ supported by the Kerberos and GSSAPI software on the server.
+
+ This does have a drawback for cases where a service principal name
+ is used both for GSSAPI-based and non-GSSAPI-based communication,
+ if the GSSAPI implementation does not understand triple-DES but the
+ Kerberos implementation does. It means that triple-DES session
+ keys cannot be issued for that service principal, which keeps the
+ protection of non-GSSAPI services weaker than necessary. However,
+ in the most recent MIT releases thus far, while triple-DES support
+ has been present, it has required additional work to enable, so it
+ should not be in use for many services.
+
+ It would also be possible to have clients attempt to get single-DES
+ session keys before trying to get triple-DES session keys, and have
+ the KDC refuse to issue the single-DES keys only for the most
+ critical of services, for which single-DES protection is considered
+ inadequate. However, that would eliminate the possibility of
+ connecting with the more secure cryptosystem to any service that
+ can be accessed with the weaker cryptosystem.
+
+ We have chosen to go with the former approach, putting the burden
+ on the KDC administration and gaining the best protection possible
+ for GSSAPI services, possibly at the cost of protection of
+ non-GSSAPI Kerberos services running earlier versions of the
+ software.
+ [XXX: Actually, we haven't entirely decided and cast it in stone
+ yet, it's just what I've implemented; it's easy to change.]
+
+6. Security Considerations
+
+ Various tradeoffs arise regarding the mixing of new and old
+ software, or GSSAPI-based and non-GSSAPI Kerberos authentication.
+ They are discussed in section 4.
+
+7. References
+
+ [EFF] Electronic Frontier Foundation, "Cracking DES: Secrets of
+ Encryption Research, Wiretap Politics, and Chip Design", O'Reilly &
+ Associates, Inc., May, 1998.
+
+ [GSSAPI] Linn, J., "Generic Security Service Application Program
+ Interface Version 2, Update 1", RFC 2743, January, 2000.
+
+ [GSSAPI-KRB5] Linn, J., "The Kerberos Version 5 GSS-API Mechanism",
+ RFC 1964, June, 1996.
+
+ [KrbRev] Neuman, C., Kohl, J., Ts'o, T., "The Kerberos Network
+ Authentication Service (V5)",
+ draft-ietf-cat-kerberos-revisions-05.txt, March 10, 2000.
+
+8. Author's Address
+
+ Kenneth Raeburn
+ Massachusetts Institute of Technology
+ 77 Massachusetts Avenue
+ Cambridge, MA 02139
+
+9. Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others, and derivative works that comment on or otherwise explain it
+ or assist in its implementation may be prepared, copied, published
+ and distributed, in whole or in part, without restriction of any
+ kind, provided that the above copyright notice and this paragraph
+ are included on all such copies and derivative works. However, this
+ document itself may not be modified in any way, such as by removing
+ the copyright notice or references to the Internet Society or other
+ Internet organizations, except as needed for the purpose of
+ developing Internet standards in which case the procedures for
+ copyrights defined in the Internet Standards process must be
+ followed, or as required to translate it into languages other than
+ English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE."
diff --git a/src/lib/gssapi/krb5/ChangeLog b/src/lib/gssapi/krb5/ChangeLog
index 06639d4..3803df1 100644
--- a/src/lib/gssapi/krb5/ChangeLog
+++ b/src/lib/gssapi/krb5/ChangeLog
@@ -1,4 +1,195 @@
-2000-01-27 Ken Raeburn <raeburn@raeburn.org>
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * accept_sec_context.c (rd_and_store_for_creds): Remove
+ registration of MEMORY cache type since that's already registered.
+
+2002-04-16 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi_krb5.h: Added #include of gssapi.h and gssapi_generic.h for the
+ Mac because we can't assume people will include them and get the OID
+ macro and the old names on the Mac.
+
+2002-03-03 Sam Hartman <hartmans@mit.edu>
+
+ * accept_sec_context.c (rd_and_store_for_creds): Patch from Steven
+ Michaud <smch@midway.uchicago.edu> to accept encrypted or
+ unencrypted credentials. This is important because Heimdal (and
+ sometimes Microsoft) send encrypted credentials.
+
+2002-03-03 Alexandra Ellwood <lxs@mit.edu>
+ * accept_sec_context.c, ser_sctx.c, util_crypt.c, wrap_size_limit.c:
+ Removed unused variables.
+ * acquire_cred.c: Added include of k5-int.h to get prototypes.
+ * disp_status.c: Updated Mac OS X header paths.
+ * gssapi_krb5.c: Added include of k5-int.h to get prototypes.
+ * gssapiP_krb5.h: Updated Mac OS X header paths and added prototype on Mac.
+ * init_sec_context.c: Removed unused function on the mac to avoid warning.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * gssapi_krb5.h: Updated Mac OS X headers to new framework layout
+
+2002-02-19 Danilo Almeida <dalmeida@mit.edu>
+
+ * init_sec_context.c (krb5_gss_init_sec_context): Remove unsused
+ variables. Fix fencepost error in loop that prevents duplicates
+ while trying to figure out the desired enctype. Make the loop
+ structure in a little more readable.
+ (get_credentials): Remove unused variable.
+
+2001-12-07 Ken Raeburn <raeburn@mit.edu>
+
+ * init_sec_context.c (krb5_gss_init_sec_context): When supplying a
+ list of enctypes to use, use the subset and ordering indicated by
+ krb5.conf.
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * add_cred.c (krb5_gss_add_cred): Added constness to some char*s to make
+ them compiler with strict compilers.
+ * gssapi_krb5.h, gssapi_krb5.c: Added oids from rfc 1964 using the
+ suggested names.
+ * gssapi_krb5.h: Added #include of KerberosSupport.h in case this header
+ is included by itself.
+ * disp-status.c, gssapiP_krb5.h, gssapi_krb5.h: Updated Mac OS #defines
+ and #includes for new header layout and Mac OS X frameworks
+
+2001-10-04 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Ignore
+ unrecognized options properly. [krb5-libs/738]
+
+2001-10-01 Tom Yu <tlyu@mit.edu>
+
+ * accept_sec_context.c (rd_and_store_for_creds): Handle error
+ returns from krb5_rd_cred more sanely.
+
+2001-01-30 Ezra Peisach <epeisach@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): If an error
+ occurs after the auth_context is established, but before the
+ krb5_gss_ctx_id_rec is established, release our pointer to the
+ replay cache and invoke krb5_auth_con_free(). [krb5-libs/855]
+
+2000-09-19 Miro Jurisic <meeroh@mit.edu>
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context)
+ * acquire_cred.c (krb5_gss_acquire_cred)
+ * import_sec_context.c (krb5_gss_convert_static_mech_oid)
+ * init_sec_context.c (krb5_gss_init_sec_context)
+ * inq_cred.c (krb5_gss_inquire_cred)
+ Cast away constness from gss_OID where necessary to compile
+ with strict compilers
+
+2000-06-27 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (get_credentials): Add initial iteration of
+ krb5_get_credentials in order to differentiate between an actual
+ missing credential and merely a bad match based on enctype. This
+ was causing problems with kadmin.
+
+2000-06-09 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (get_credentials): The KDC as well as the
+ ccache may indicate that an enctype is not supported; reflect that
+ in the loop breakout condition.
+
+2000-06-07 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (get_credentials): Rework the enctype loop
+ again.
+
+ * accept_sec_context.c (krb5_gss_accept_sec_context): Remove
+ explicit check of mech OID against credential.
+
+2000-06-04 Tom Yu <tlyu@mit.edu>
+
+ * init_sec_context.c (get_credentials): Reverse sense of test;
+ break out of enctype loop if one succeeds.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * util_crypt.c (kg_encrypt): Copy ivec, since c_encrypt() now
+ updates ivecs.
+ (kg_decrypt): Copy ivec, since c_decrypt() now updates ivecs.
+
+2000-06-02 Ken Raeburn <raeburn@mit.edu>
+
+ * init_sec_context.c (get_credentials): Don't check each enctype
+ against a list from the krb5 library; instead, just try to use it,
+ and go on to the next if the error code indicates we can't use it.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * gssapiP_krb5.h (KG_USAGE_SEQ): New value.
+ (enum qop): New type, derived from spec but currently not used.
+ * util_crypt.c (kg_encrypt, kg_decrypt): Added key derivation
+ usage value as an argument. Prototypes and callers updated; all
+ callers use KG_USAGE_SEAL, except KG_USAGE_SEQ when encrypting
+ sequence numbers.
+ * 3des.txt: New file.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * acquire_cred.c: Changed to use krb5int_cc_default. This function
+ supports the Kerberos Login Library and pops up a dialog if the cache does
+ not contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-05-03 Nalin Dahyabhai <nalin@redhat.com>
+
+ * add_cred.c (krb5_gss_add_cred): Don't overflow buffers "ktboth"
+ or "ccboth".
+
+2000-04-21 Ken Raeburn <raeburn@mit.edu>
+
+ * gssapiP_krb5.h (struct _krb5_gss_ctx_id_rec): Delete field
+ gsskrb5_version.
+ (struct _krb5_gss_cred_id_rec): Delete field rfcv2_mech.
+ * accept_sec_context.c, acquire_cred.c, add_cred.c, inq_cred.c,
+ k5seal.c, k5unseal.c, ser_ctx.c:
+ Delete krb5-mech2 support.
+
+ * init_sec_context.c (get_credentials): Enctype argument is now a
+ pointer to a list of enctypes. Explicitly try each in order until
+ success or an error other than cryptosystem not being supported.
+ (krb5_gss_init_sec_context): Pass list of cryptosystems, starting
+ with 3DES.
+
+ * gssapiP_krb5.h (enum sgn_alg, enum seal_alg): New types,
+ giving symbolic names for values from RFC 1964, a Microsoft win2k
+ I-D, and our proposed 3des-sha1 values.
+ (KG_USAGE_SEAL, KG_USAGE_SIGN): New macros.
+
+ * accept_sec_context.c (rd_req_keyproc): Already-disabled routine
+ deleted.
+ (krb5_gss_accept_sec_context): Use sgn_alg and seal_alg symbolic
+ names. Add a case for des3-hmac-sha1.
+ * k5seal.c (make_seal_token_v1): Likewise. Do key derivation for
+ checksums.
+ * k5unseal.c (kg_unseal_v1): Likewise.
+ * util_crypt.c (kg_encrypt, kg_decrypt): Do key derivation for
+ encryption.
+
+ * util_crypt.c (zeros): Unused variable deleted.
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * wrap_size_limit.c: Remove mech2 support. Add MIT copyright.
+
+2000-04-08 Tom Yu <tlyu@mit.edu>
+
+ * wrap_size_limit.c (krb5_gss_wrap_size_limit): Fix up
+ wrap_size_limit() to deal with integrity wrap tokens properly.
+ The rfc1964 mech always pads and confounds regardless of whether
+ confidentiality is requested.
+
+2000-03-20 Ken Raeburn <raeburn@mit.edu>
+
+ * accept_sec_context.c, init_sec_context.c: Disable krb5-mech2
+ stuff for now. (Tom Yu's krb5-1.1 patch.)
+
+2000-01-27 Ken Raeburn <raeburn@mit.edu>
* init_sec_context.c (krb5_gss_init_sec_context): Default to
des-cbc-crc.
diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index fc920ec..c8e7916 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -49,65 +73,61 @@
#include "k5-int.h"
#include "gssapiP_krb5.h"
#include <memory.h>
+#include <assert.h>
/*
* $Id$
*/
-#if 0
-
-/* XXXX This widen/narrow stuff is bletcherous, but it seems to be
- necessary. Perhaps there is a "better" way, but I don't know what it
- is */
-
-#include <krb5/widen.h>
-static krb5_error_code
-rd_req_keyproc(krb5_pointer keyprocarg, krb5_principal server,
- krb5_kvno kvno, krb5_keyblock **keyblock)
-#include <krb5/narrow.h>
-{
- krb5_error_code code;
- krb5_keytab_entry ktentry;
-
- if (code = krb5_kt_get_entry((krb5_keytab) keyprocarg, server, kvno,
- &ktentry))
- return(code);
-
- code = krb5_copy_keyblock(&ktentry.key, keyblock);
-
- (void) krb5_kt_free_entry(&ktentry);
-
- return(code);
-}
-
-#endif
-
/* Decode, decrypt and store the forwarded creds in the local ccache. */
static krb5_error_code
-rd_and_store_for_creds(context, inbuf, out_cred)
+rd_and_store_for_creds(context, auth_context, inbuf, out_cred)
krb5_context context;
+ krb5_auth_context auth_context;
krb5_data *inbuf;
krb5_gss_cred_id_t *out_cred;
{
- krb5_creds ** creds;
+ krb5_creds ** creds = NULL;
krb5_error_code retval;
- krb5_ccache ccache;
+ krb5_ccache ccache = NULL;
krb5_gss_cred_id_t cred = NULL;
- extern krb5_cc_ops krb5_mcc_ops;
- krb5_auth_context auth_context = NULL;
-
- if ((retval = krb5_auth_con_init(context, &auth_context)))
- return(retval);
-
- krb5_auth_con_setflags(context, auth_context, 0);
-
- if ((retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)))
- goto cleanup;
+ krb5_auth_context new_auth_ctx = NULL;
+ krb5_int32 flags_org;
+
+ if (retval = krb5_auth_con_getflags(context, auth_context, &flags_org))
+ return retval;
+ krb5_auth_con_setflags(context, auth_context, 0);
+
+ /* By the time krb5_rd_cred is called here (after krb5_rd_req has been */
+ /* called in krb5_gss_accept_sec_context), the "keyblock" field of */
+ /* auth_context contains a pointer to the session key, and the */
+ /* "remote_subkey" field might contain a session subkey. Either of */
+ /* these (the "remote_subkey" if it isn't NULL, otherwise the */
+ /* "keyblock") might have been used to encrypt the encrypted part of */
+ /* the KRB_CRED message that contains the forwarded credentials. (The */
+ /* Java Crypto and Security Implementation from the DSTC in Australia */
+ /* always uses the session key. But apparently it never negotiates a */
+ /* subkey, so this code works fine against a JCSI client.) Up to the */
+ /* present, though, GSSAPI clients linked against the MIT code (which */
+ /* is almost all GSSAPI clients) don't encrypt the KRB_CRED message at */
+ /* all -- at this level. So if the first call to krb5_rd_cred fails, */
+ /* we should call it a second time with another auth context freshly */
+ /* created by krb5_auth_con_init. All of its keyblock fields will be */
+ /* NULL, so krb5_rd_cred will assume that the KRB_CRED message is */
+ /* unencrypted. (The MIT code doesn't actually send the KRB_CRED */
+ /* message in the clear -- the "authenticator" whose "checksum" ends up */
+ /* containing the KRB_CRED message does get encrypted.) */
+ if (krb5_rd_cred(context, auth_context, inbuf, &creds, NULL)) {
+ if (retval = krb5_auth_con_init(context, &new_auth_ctx))
+ goto cleanup;
+ krb5_auth_con_setflags(context, new_auth_ctx, 0);
+ if (retval = krb5_rd_cred(context, new_auth_ctx, inbuf, &creds, NULL))
+ goto cleanup;
+ }
/* Lots of kludging going on here... Some day the ccache interface
will be rewritten though */
- krb5_cc_register(context, &krb5_mcc_ops, 0);
if ((retval = krb5_cc_resolve(context, "MEMORY:GSSAPI", &ccache)))
goto cleanup;
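Review bot: The retry in `rd_and_store_for_creds` runs on any non-zero return from the first `krb5_rd_cred`, and that first error code is discarded, so a failure unrelated to decryption is retried against a keyless auth context and the caller only sees the second call's code. Keeping the first result, `retval = krb5_rd_cred(context, auth_context, inbuf, &creds, NULL);` followed by `if (retval) {`, would let the fallback be limited to the decryption-failure case and preserve the original error. The keyless path accepts a KRB_CRED with no encryption of its own, which the long comment justifies by the enclosing authenticator being encrypted; a short comment at the retry stating that this relies on `krb5_rd_req` having already processed the authenticator would make the assumption explicit. The new `if (retval = ...)` conditions also drop the doubled parentheses used by `if ((retval = krb5_cc_resolve(...)))` just below. The function body continues outside the hunk.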
@@ -145,7 +165,6 @@ rd_and_store_for_creds(context, inbuf, out_cred)
/* cred->princ already set */
cred->prerfc_mech = 1; /* this cred will work with all three mechs */
cred->rfc_mech = 1;
- cred->rfcv2_mech = 1;
cred->keytab = NULL; /* no keytab associated with this... */
cred->ccache = ccache; /* but there is a credential cache */
cred->tgt_expire = creds[0]->times.endtime; /* store the end time */
@@ -157,7 +176,8 @@ rd_and_store_for_creds(context, inbuf, out_cred)
goto cleanup;
*/
cleanup:
- krb5_free_tgt_creds(context, creds);
+ if (creds)
+ krb5_free_tgt_creds(context, creds);
if (!cred && ccache)
(void)krb5_cc_close(context, ccache);
@@ -165,8 +185,10 @@ cleanup:
if (out_cred)
*out_cred = cred; /* return credential */
- if (auth_context)
- krb5_auth_con_free(context, auth_context);
+ if (new_auth_ctx)
+ krb5_auth_con_free(context, new_auth_ctx);
+
+ krb5_auth_con_setflags(context, auth_context, flags_org);
return retval;
}
@@ -206,9 +228,6 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_ui_4 gss_flags = 0;
int decode_req_message = 0;
krb5_gss_ctx_id_rec *ctx = 0;
-#if 0
- krb5_enctype enctype;
-#endif
krb5_timestamp now;
gss_buffer_desc token;
krb5_auth_context auth_context = NULL;
@@ -221,11 +240,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
krb5_data scratch;
gss_cred_id_t cred_handle = NULL;
krb5_gss_cred_id_t deleg_cred = NULL;
- int token_length;
- int gsskrb5_vers;
- int nctypes;
krb5_cksumtype *ctypes = 0;
- struct kg2_option fwcred;
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -296,13 +311,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
&(ap_req.length),
&ptr, KG_TOK_CTX_AP_REQ,
input_token->length))) {
- if (! cred->rfc_mech) {
- code = G_WRONG_MECH;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
mech_used = gss_mech_krb5;
- gsskrb5_vers = 1000;
} else if ((code == G_WRONG_MECH) &&
!(code = g_verify_token_header((gss_OID) gss_mech_krb5_old,
&(ap_req.length),
@@ -315,56 +324,15 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
* compatibility, and use it to decide when to use the
* old behavior.
*/
- if (! cred->prerfc_mech) {
- code = G_WRONG_MECH;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
mech_used = gss_mech_krb5_old;
- gsskrb5_vers = 1000;
- } else if ((code == G_WRONG_MECH) &&
- !(code = g_verify_token_header((gss_OID) gss_mech_krb5_v2,
- &token_length,
- &ptr, KG2_TOK_INITIAL,
- input_token->length))) {
- if (! cred->rfcv2_mech) {
- code = G_WRONG_MECH;
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
- mech_used = gss_mech_krb5_v2;
- gsskrb5_vers = 2000;
} else {
major_status = GSS_S_DEFECTIVE_TOKEN;
goto fail;
}
- if (gsskrb5_vers == 2000) {
- /* gss krb5 v2 */
-
- fwcred.option_id = KRB5_GSS_FOR_CREDS_OPTION;
- fwcred.data = NULL;
-
- if (GSS_ERROR(major_status =
- kg2_parse_token(&code, ptr, token_length,
- &gss_flags, &nctypes, &ctypes,
- delegated_cred_handle?1:0,
- &fwcred, &ap_req, NULL))) {
- goto fail;
- }
-
- gss_flags = (ptr[0]<<24) | (ptr[1]<<16) | (ptr[2]<<8) | ptr[3];
-
- gss_flags &= ~GSS_C_DELEG_FLAG; /* mask out the delegation flag;
- if there's a delegation, we'll
- set it below */
- } else {
- /* gss krb5 v1 */
-
- sptr = (char *) ptr;
- TREAD_STR(sptr, ap_req.data, ap_req.length);
- decode_req_message = 1;
- }
+ sptr = (char *) ptr;
+ TREAD_STR(sptr, ap_req.data, ap_req.length);
+ decode_req_message = 1;
/* construct the sender_addr */
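Review bot: With the `cred->prerfc_mech` test removed here and the `cred->rfc_mech` test removed in the previous hunk, the mechanism OID found in the token header is no longer compared with the mechanisms the acceptor credential was acquired for, although `krb5_gss_acquire_cred` still records those flags. As far as these hunks show, a credential requested for only one of the two OIDs now accepts tokens carrying the other. If that is intended, it should be stated at the assignment, e.g. `/* cred->prerfc_mech / cred->rfc_mech are deliberately not consulted: either OID is accepted */`. The enclosing function starts and ends outside the hunk.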
@@ -416,9 +384,7 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
}
#endif
- if (gsskrb5_vers == 2000) {
- bigend = 1;
- } else {
+ {
/* gss krb5 v1 */
/* stash this now, for later. */
@@ -480,12 +446,16 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- TREAD_STR(ptr, ptr2, reqcksum.length);
- if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
- code = 0;
- major_status = GSS_S_BAD_BINDINGS;
- goto fail;
- }
+ TREAD_STR(ptr, ptr2, reqcksum.length);
+ /* If server has chosen not to use channel bindings, ignore */
+ /* any channel bindings sent by the client. */
+ if (input_chan_bindings != GSS_C_NO_CHANNEL_BINDINGS) {
+ if (memcmp(ptr2, reqcksum.contents, reqcksum.length) != 0) {
+ code = 0;
+ major_status = GSS_S_BAD_BINDINGS;
+ goto fail;
+ }
+ }
xfree(reqcksum.contents);
reqcksum.contents = 0;
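Review bot: Skipping the `memcmp` when `input_chan_bindings == GSS_C_NO_CHANNEL_BINDINGS` means an acceptor that passes no bindings establishes the context whatever bindings the initiator hashed into the authenticator, and the added comment describes only the mechanics. The comment should spell out the consequence for callers, e.g. `/* An acceptor passing GSS_C_NO_CHANNEL_BINDINGS gets no binding check at all; applications that depend on channel binding must supply theirs. */`. The surrounding block starts outside the hunk.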
@@ -502,33 +472,41 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
i = authdat->checksum->length - 24;
- while(i>0) {
+ while (i >= 4) {
TREAD_INT16(ptr, option_id, bigend);
- switch(option_id) {
+ TREAD_INT16(ptr, option.length, bigend);
- case KRB5_GSS_FOR_CREDS_OPTION:
+ i -= 4;
- TREAD_INT16(ptr, option.length, bigend);
+ /* have to use ptr2, since option.data is wrong type and
+ macro uses ptr as both lvalue and rvalue */
- /* have to use ptr2, since option.data is wrong type and
- macro uses ptr as both lvalue and rvalue */
+ if (i < option.length || option.length < 0) {
+ code = KG_BAD_LENGTH;
+ major_status = GSS_S_FAILURE;
+ goto fail;
+ }
+
+ TREAD_STR(ptr, ptr2, bigend);
+ option.data = (char FAR *) ptr2;
+
+ i -= option.length;
+
+ switch(option_id) {
- TREAD_STR(ptr, ptr2, bigend);
- option.data = (char FAR *) ptr2;
+ case KRB5_GSS_FOR_CREDS_OPTION:
/* store the delegated credential */
- if (code = rd_and_store_for_creds(context, &option,
+ if (code = rd_and_store_for_creds(context, auth_context, &option,
(delegated_cred_handle) ?
&deleg_cred : NULL)) {
major_status = GSS_S_FAILURE;
goto fail;
}
- i -= option.length + 4;
-
gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */
break;
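Review bot: `TREAD_STR(ptr, ptr2, bigend);` passes the byte-order flag where the other calls in this file pass a byte count (`TREAD_STR(ptr, ptr2, reqcksum.length)`), so `ptr` appears to advance by `bigend` bytes instead of `option.length`. The old loop had the same call, but now that the loop walks every option while `i >= 4` and subtracts the full `option.length` from `i`, the next `option_id`/`option.length` pair would be read from inside the previous option's data. Assuming the macro takes (cursor, out, length) as its other uses suggest, the line should be `TREAD_STR(ptr, ptr2, option.length);`. The `switch` body continues outside the hunk.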
@@ -551,13 +529,12 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
}
memset(ctx, 0, sizeof(krb5_gss_ctx_id_rec));
- ctx->mech_used = mech_used;
+ ctx->mech_used = (gss_OID) mech_used;
ctx->auth_context = auth_context;
ctx->initiate = 0;
ctx->gss_flags = KG_IMPLFLAGS(gss_flags);
ctx->seed_init = 0;
ctx->big_endian = bigend;
- ctx->gsskrb5_version = gsskrb5_vers;
/* Intern the ctx pointer so that delete_sec_context works */
if (! kg_save_ctx_id((gss_ctx_id_t) ctx)) {
@@ -603,114 +580,37 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- if (gsskrb5_vers == 2000) {
- int cblen;
- krb5_boolean valid;
-
- /* intersect the token ctypes with the local ctypes */
-
- if (code = krb5_c_keyed_checksum_types(context, ctx->subkey->enctype,
- &ctx->nctypes, &ctx->ctypes))
- goto fail;
-
- if (nctypes == 0) {
- code = KRB5_CRYPTO_INTERNAL;
- goto fail;
- }
-
- kg2_intersect_ctypes(&ctx->nctypes, ctx->ctypes, nctypes, ctypes);
-
- if (nctypes == 0) {
- code = KG_NO_CTYPES;
- goto fail;
- }
-
- /* process the delegated cred, if any */
-
- if (fwcred.data) {
- krb5_data option;
-
- option.length = fwcred.length;
- option.data = fwcred.data;
-
- if (code = rd_and_store_for_creds(context, &option, &deleg_cred)) {
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- gss_flags |= GSS_C_DELEG_FLAG; /* got a delegation */
- }
-
- /* construct the checksum buffer */
-
- cblen = 4*5;
- if (input_chan_bindings)
- cblen += (input_chan_bindings->initiator_address.length+
- input_chan_bindings->acceptor_address.length+
- input_chan_bindings->application_data.length);
+ switch(ctx->subkey->enctype) {
+ case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_CRC:
+ ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
+ ctx->cksum_size = 8;
+ ctx->sealalg = SEAL_ALG_DES;
- cksumdata.length = cblen + ((char *)(ap_req.data-2) - (char *)(ptr-2));
+ /* fill in the encryption descriptors */
- if ((cksumdata.data = (char *) malloc(cksumdata.length)) == NULL) {
- code = ENOMEM;
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc))) {
major_status = GSS_S_FAILURE;
goto fail;
}
- ptr2 = cksumdata.data;
-
- if (input_chan_bindings) {
- TWRITE_INT(ptr2, input_chan_bindings->initiator_addrtype, 1);
- TWRITE_BUF(ptr2, input_chan_bindings->initiator_address, 1);
- TWRITE_INT(ptr2, input_chan_bindings->acceptor_addrtype, 1);
- TWRITE_BUF(ptr2, input_chan_bindings->acceptor_address, 1);
- TWRITE_BUF(ptr2, input_chan_bindings->application_data, 1);
- } else {
- memset(ptr2, 0, cblen);
- ptr2 += cblen;
- }
-
- memcpy(ptr2, ptr-2, ((char *)(ap_req.data-2) - (char *)(ptr-2)));
+ for (i=0; i<ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xf0;
- if (code = krb5_c_verify_checksum(context, ctx->subkey,
- KRB5_KEYUSAGE_AP_REQ_AUTH_CKSUM,
- &cksumdata, authdat->checksum,
- &valid)) {
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
major_status = GSS_S_FAILURE;
goto fail;
}
- free(cksumdata.data);
- cksumdata.data = 0;
+ break;
- if (!valid) {
- code = 0;
- major_status = GSS_S_BAD_SIG;
- goto fail;
- }
- } else {
- /* gss krb5 v1 */
-
- switch(ctx->subkey->enctype) {
- case ENCTYPE_DES_CBC_MD5:
- case ENCTYPE_DES_CBC_CRC:
- ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = 0;
- ctx->cksum_size = 8;
- ctx->sealalg = 0;
- break;
-#if 0
- case ENCTYPE_DES3_CBC_MD5:
- enctype = ENCTYPE_DES3_CBC_RAW;
- ctx->signalg = 3;
- ctx->cksum_size = 16;
- ctx->sealalg = 1;
- break;
-#endif
- default:
- code = KRB5_BAD_ENCTYPE;
- goto fail;
- }
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
/* fill in the encryption descriptors */
@@ -719,14 +619,16 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
goto fail;
}
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
-
if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq))) {
major_status = GSS_S_FAILURE;
goto fail;
}
+
+ break;
+
+ default:
+ code = KRB5_BAD_ENCTYPE;
+ goto fail;
}
ctx->endtime = ticket->enc_part2->times.endtime;
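Review bot: The `default:` branch sets `code = KRB5_BAD_ENCTYPE` and jumps to `fail` without assigning `major_status`, while the failure branches next to it set `major_status = GSS_S_FAILURE` first. Unless a statement outside the hunk has already left a failure value there, an unsupported enctype could be reported with a stale major status. Adding `major_status = GSS_S_FAILURE;` before the `goto fail;` makes the branch consistent with its neighbours.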
@@ -769,122 +671,22 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
/* the reply token hasn't been sent yet, but that's ok. */
ctx->established = 1;
- if (ctx->gsskrb5_version == 2000) {
- krb5_ui_4 tok_flags;
-
- tok_flags =
- (ctx->gss_flags & GSS_C_DELEG_FLAG)?KG2_RESP_FLAG_DELEG_OK:0;
-
- cksumdata.length = 8 + 4*ctx->nctypes + 4;
-
- if ((cksumdata.data = (char *) malloc(cksumdata.length)) == NULL) {
- code = ENOMEM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
-
- /* construct the token fields */
-
- ptr = cksumdata.data;
-
- ptr[0] = (KG2_TOK_RESPONSE >> 8) & 0xff;
- ptr[1] = KG2_TOK_RESPONSE & 0xff;
-
- ptr[2] = (tok_flags >> 24) & 0xff;
- ptr[3] = (tok_flags >> 16) & 0xff;
- ptr[4] = (tok_flags >> 8) & 0xff;
- ptr[5] = tok_flags & 0xff;
-
- ptr[6] = (ctx->nctypes >> 8) & 0xff;
- ptr[7] = ctx->nctypes & 0xff;
-
- ptr += 8;
-
- for (i=0; i<ctx->nctypes; i++) {
- ptr[i] = (ctx->ctypes[i] >> 24) & 0xff;
- ptr[i+1] = (ctx->ctypes[i] >> 16) & 0xff;
- ptr[i+2] = (ctx->ctypes[i] >> 8) & 0xff;
- ptr[i+3] = ctx->ctypes[i] & 0xff;
-
- ptr += 4;
- }
-
- memset(ptr, 0, 4);
-
- /* make the MIC token */
-
- {
- gss_buffer_desc text, token;
-
- text.length = cksumdata.length;
- text.value = cksumdata.data;
-
- /* ctx->seq_send must be set before this call */
-
- if (GSS_ERROR(major_status =
- krb5_gss_get_mic(&code, ctx,
- GSS_C_QOP_DEFAULT,
- &text, &token)))
- goto fail;
-
- mic.length = token.length;
- mic.data = token.value;
- }
-
- token.length = g_token_size((gss_OID) mech_used,
- (cksumdata.length-2)+4+ap_rep.length+
- mic.length);
-
- if ((token.value = (unsigned char *) xmalloc(token.length))
- == NULL) {
- code = ENOMEM;
- major_status = GSS_S_FAILURE;
- goto fail;
- }
- ptr = token.value;
- g_make_token_header((gss_OID) mech_used,
- (cksumdata.length-2)+4+ap_rep.length+mic.length,
- &ptr, KG2_TOK_RESPONSE);
-
- memcpy(ptr, cksumdata.data+2, cksumdata.length-2);
- ptr += cksumdata.length-2;
-
- ptr[0] = (ap_rep.length >> 8) & 0xff;
- ptr[1] = ap_rep.length & 0xff;
- memcpy(ptr+2, ap_rep.data, ap_rep.length);
-
- ptr += (2+ap_rep.length);
-
- ptr[0] = (mic.length >> 8) & 0xff;
- ptr[1] = mic.length & 0xff;
- memcpy(ptr+2, mic.data, mic.length);
-
- ptr += (2+mic.length);
-
- free(cksumdata.data);
- cksumdata.data = 0;
+ token.length = g_token_size((gss_OID) mech_used, ap_rep.length);
- /* gss krb5 v2 */
- } else {
- /* gss krb5 v1 */
-
- token.length = g_token_size((gss_OID) mech_used, ap_rep.length);
-
- if ((token.value = (unsigned char *) xmalloc(token.length))
- == NULL) {
- major_status = GSS_S_FAILURE;
- code = ENOMEM;
- goto fail;
- }
- ptr = token.value;
- g_make_token_header((gss_OID) mech_used, ap_rep.length,
- &ptr, KG_TOK_CTX_AP_REP);
+ if ((token.value = (unsigned char *) xmalloc(token.length))
+ == NULL) {
+ major_status = GSS_S_FAILURE;
+ code = ENOMEM;
+ goto fail;
+ }
+ ptr = token.value;
+ g_make_token_header((gss_OID) mech_used, ap_rep.length,
+ &ptr, KG_TOK_CTX_AP_REP);
- TWRITE_STR(ptr, ap_rep.data, ap_rep.length);
+ TWRITE_STR(ptr, ap_rep.data, ap_rep.length);
- ctx->established = 1;
+ ctx->established = 1;
- }
} else {
token.length = 0;
token.value = NULL;
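Review bot: `ctx->established = 1;` is now assigned twice on the same straight-line path, once under `/* the reply token hasn't been sent yet, but that's ok. */` and again after `TWRITE_STR(ptr, ap_rep.data, ap_rep.length);`. With the v2 branch removed the second assignment is redundant and can be dropped. The enclosing `if` starts outside the hunk.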
@@ -943,6 +745,11 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
free(ctypes);
if (authdat)
krb5_free_authenticator(context, authdat);
+ /* The ctx structure has the handle of the auth_context */
+ if (auth_context && !ctx) {
+ (void)krb5_auth_con_setrcache(context, auth_context, NULL);
+ krb5_auth_con_free(context, auth_context);
+ }
if (reqcksum.contents)
xfree(reqcksum.contents);
if (ap_rep.data)
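Review bot: The added cleanup does not say why the replay cache is detached with `krb5_auth_con_setrcache(context, auth_context, NULL)` before `krb5_auth_con_free`. Presumably the rcache belongs to the acceptor credential and must outlive this auth context; a comment such as `/* drop our rcache reference first so freeing the auth context does not close the credential's rcache */` would record that ownership rule for the next person who edits the failure path. The cleanup block starts and ends outside the hunk.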
@@ -1014,13 +821,8 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
if (code)
return (major_status);
- if (gsskrb5_vers == 2000) {
- tmsglen = 12+scratch.length;
- toktype = KG2_TOK_RESPONSE;
- } else {
- tmsglen = scratch.length;
- toktype = KG_TOK_CTX_ERROR;
- }
+ tmsglen = scratch.length;
+ toktype = KG_TOK_CTX_ERROR;
token.length = g_token_size((gss_OID) mech_used, tmsglen);
token.value = (unsigned char *) xmalloc(token.length);
@@ -1030,24 +832,6 @@ krb5_gss_accept_sec_context(minor_status, context_handle,
ptr = token.value;
g_make_token_header((gss_OID) mech_used, tmsglen, &ptr, toktype);
- if (gsskrb5_vers == 2000) {
- krb5_ui_4 flags;
-
- flags = KG2_RESP_FLAG_ERROR;
-
- ptr[0] = (flags << 24) & 0xff;
- ptr[1] = (flags << 16) & 0xff;
- ptr[2] = (flags << 8) & 0xff;
- ptr[3] = flags & 0xff;
-
- memset(ptr+4, 0, 6);
-
- ptr[10] = (scratch.length << 8) & 0xff;
- ptr[11] = scratch.length & 0xff;
-
- ptr += 12;
- }
-
TWRITE_STR(ptr, scratch.data, scratch.length);
xfree(scratch.data);
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index b67eb4f..0cdff4a 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -47,6 +71,7 @@
*/
#include "gssapiP_krb5.h"
+#include "k5-int.h"
#ifdef HAVE_STRING_H
#include <string.h>
#else
@@ -154,7 +179,7 @@ acquire_init_cred(context, minor_status, desired_name, output_princ, cred)
/* open the default credential cache */
- if ((code = krb5_cc_default(context, &ccache))) {
+ if ((code = krb5int_cc_default(context, &ccache))) {
*minor_status = code;
return(GSS_S_CRED_UNAVAIL);
}
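Review bot: Nothing at the call site says that `krb5int_cc_default` differs from `krb5_cc_default`, although this commit's ChangeLog entry notes that it can bring up a login dialog when the cache holds no valid tickets. Unattended callers that reach `acquire_init_cred` would then block on user interaction instead of getting `GSS_S_CRED_UNAVAIL`. A comment on the call would make that visible, e.g. `/* may prompt the user via the Kerberos Login Library; not equivalent to krb5_cc_default for non-interactive callers */`. The function body extends beyond the hunk.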
@@ -283,7 +308,7 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
size_t i;
krb5_gss_cred_id_t cred;
gss_OID_set ret_mechs;
- int req_old, req_new, req_v2;
+ int req_old, req_new;
OM_uint32 ret;
krb5_error_code code;
@@ -313,22 +338,18 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
if (desired_mechs == GSS_C_NULL_OID_SET) {
req_old = 1;
req_new = 1;
- req_v2 = 1;
} else {
req_old = 0;
req_new = 0;
- req_v2 = 0;
for (i=0; i<desired_mechs->count; i++) {
if (g_OID_equal(gss_mech_krb5_old, &(desired_mechs->elements[i])))
req_old++;
if (g_OID_equal(gss_mech_krb5, &(desired_mechs->elements[i])))
req_new++;
- if (g_OID_equal(gss_mech_krb5_v2, &(desired_mechs->elements[i])))
- req_v2++;
}
- if (!req_old && !req_new && !req_v2) {
+ if (!req_old && !req_new) {
*minor_status = 0;
return(GSS_S_BAD_MECH);
}
@@ -347,7 +368,6 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
cred->princ = NULL;
cred->prerfc_mech = req_old;
cred->rfc_mech = req_new;
- cred->rfcv2_mech = req_v2;
cred->keytab = NULL;
cred->ccache = NULL;
@@ -442,15 +462,11 @@ krb5_gss_acquire_cred(minor_status, desired_name, time_req,
&ret_mechs)) ||
(cred->prerfc_mech &&
GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
+ (gss_OID) gss_mech_krb5_old,
&ret_mechs))) ||
(cred->rfc_mech &&
GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &ret_mechs))) ||
- (cred->rfcv2_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_v2,
+ (gss_OID) gss_mech_krb5,
&ret_mechs)))) {
if (cred->ccache)
(void)krb5_cc_close(context, cred->ccache);
diff --git a/src/lib/gssapi/krb5/add_cred.c b/src/lib/gssapi/krb5/add_cred.c
index 2a6fdb4..a13ba52 100644
--- a/src/lib/gssapi/krb5/add_cred.c
+++ b/src/lib/gssapi/krb5/add_cred.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright (C) 1998 by the FundsXpress, INC.
*
* All rights reserved.
@@ -110,8 +134,7 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
/* check that desired_mech isn't already in the credential */
if ((g_OID_equal(desired_mech, gss_mech_krb5_old) && cred->prerfc_mech) ||
- (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech) ||
- (g_OID_equal(desired_mech, gss_mech_krb5_v2) && cred->rfcv2_mech)) {
+ (g_OID_equal(desired_mech, gss_mech_krb5) && cred->rfc_mech)) {
*minor_status = 0;
return(GSS_S_DUPLICATE_ELEMENT);
}
@@ -143,7 +166,9 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
/* make a copy */
krb5_gss_cred_id_t new_cred;
char *kttype, ktboth[1024];
- char *cctype, *ccname, ccboth[1024];
+ char ccboth[1024];
+ const char *ccname;
+ const char *cctype;
if ((new_cred =
(krb5_gss_cred_id_t) xmalloc(sizeof(krb5_gss_cred_id_rec)))
@@ -156,7 +181,6 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
new_cred->usage = cred_usage;
new_cred->prerfc_mech = cred->prerfc_mech;
new_cred->rfc_mech = cred->rfc_mech;
- new_cred->rfcv2_mech = cred->rfcv2_mech;
new_cred->tgt_expire = cred->tgt_expire;
if (code = krb5_copy_principal(context, cred->princ,
@@ -177,8 +201,9 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
return(GSS_S_FAILURE);
}
- strcpy(ktboth, kttype);
- strcat(ktboth, ":");
+ strncpy(ktboth, kttype, sizeof(ktboth) - 1);
+ ktboth[sizeof(ktboth) - 1] = '\0';
+ strncat(ktboth, ":", sizeof(ktboth) - 1 - strlen(ktboth));
if (code = krb5_kt_get_name(context, cred->keytab,
ktboth+strlen(ktboth),
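Review bot: The bounded copies into `ktboth` truncate silently, so an over-long `kttype` leaves a shortened prefix, possibly without the `:` separator, that is then used as if it were complete. The same applies to `ccboth` in the `@@ -234,9 +259,10 @@` hunk, where a truncated `cctype:ccname` is handed to krb5_cc_resolve() and could name a different cache than the one the credential actually uses. I would reject the input up front, e.g. `if (strlen(cctype) + 1 + strlen(ccname) >= sizeof(ccboth))` followed by the same cleanup and `return(GSS_S_FAILURE);` as the neighbouring error paths, with the equivalent test for `ktboth`. The size argument passed to krb5_kt_get_name() lies outside the hunk, so whether it accounts for the prefix already written cannot be checked from here.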
@@ -234,9 +259,10 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
return(GSS_S_FAILURE);
}
- strcpy(ccboth, cctype);
- strcat(ccboth, ":");
- strcat(ccboth, ccname);
+ strncpy(ccboth, cctype, sizeof(ccboth) - 1);
+ ccboth[sizeof(ccboth) - 1] = '\0';
+ strncat(ccboth, ":", sizeof(ccboth) - 1 - strlen(ccboth));
+ strncat(ccboth, ccname, sizeof(ccboth) - 1 - strlen(ccboth));
if (code = krb5_cc_resolve(context, ccboth, &new_cred->ccache)) {
if (new_cred->rcache)
@@ -280,8 +306,6 @@ krb5_gss_add_cred(minor_status, input_cred_handle,
cred->prerfc_mech = 1;
else if (g_OID_equal(desired_mech, gss_mech_krb5))
cred->rfc_mech = 1;
- else if (g_OID_equal(desired_mech, gss_mech_krb5_v2))
- cred->rfcv2_mech = 1;
/* set the outputs */
diff --git a/src/lib/gssapi/krb5/disp_status.c b/src/lib/gssapi/krb5/disp_status.c
index 3a6ba7b..5991f87 100644
--- a/src/lib/gssapi/krb5/disp_status.c
+++ b/src/lib/gssapi/krb5/disp_status.c
@@ -21,7 +21,12 @@
*/
#include "gssapiP_krb5.h"
+
+#if TARGET_OS_MAC
+#include <Kerberos/com_err.h>
+#else
#include "com_err.h"
+#endif
/* XXXX internationalization!! */
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index e344b4f..a234530 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -27,7 +51,12 @@
* $Id$
*/
+#if TARGET_OS_MAC
+#include <Kerberos/krb5.h>
+#else
#include <krb5.h>
+#endif
+
#include <memory.h>
/* work around sunos braindamage */
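Review bot: `#if TARGET_OS_MAC` is evaluated here before this header has included anything, so unless a prefix header or the compiler command line defines the macro (not visible from the hunk) it evaluates to 0 and the Mac build silently takes the `<krb5.h>` branch. gssapi_krb5.h in this commit pulls in `<TargetConditionals.h>` under a `defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))` guard before testing the macro; doing the same here would make the header self-contained. The commit also mixes the bare test with `#if !defined(TARGET_OS_MAC) || !TARGET_OS_MAC` in init_sec_context.c, and one spelling, e.g. `#if defined(TARGET_OS_MAC) && TARGET_OS_MAC`, would read more consistently.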
@@ -38,11 +67,7 @@
#undef minor
#endif
-#ifndef macintosh
-#include "../generic/gssapiP_generic.h"
-#else
#include "gssapiP_generic.h"
-#endif
/* The include of gssapi_krb5.h will dtrt with the above #defines in
* effect.
@@ -79,6 +104,39 @@
#define KG2_RESP_FLAG_ERROR 0x0001
#define KG2_RESP_FLAG_DELEG_OK 0x0002
+/* These are to be stored in little-endian order, i.e., des-mac is
+ stored as 02 00. */
+enum sgn_alg {
+ SGN_ALG_DES_MAC_MD5 = 0x0000,
+ SGN_ALG_MD2_5 = 0x0001,
+ SGN_ALG_DES_MAC = 0x0002,
+ SGN_ALG_3 = 0x0003, /* not published */
+ SGN_ALG_HMAC_MD5 = 0x0011, /* microsoft w2k; no support */
+ SGN_ALG_HMAC_SHA1_DES3_KD = 0x0004
+};
+enum seal_alg {
+ SEAL_ALG_NONE = 0xffff,
+ SEAL_ALG_DES = 0x0000,
+ SEAL_ALG_1 = 0x0001, /* not published */
+ SEAL_ALG_MICROSOFT_RC4 = 0x0010, /* microsoft w2k; no support */
+ SEAL_ALG_DES3KD = 0x0002
+};
+
+#define KG_USAGE_SEAL 22
+#define KG_USAGE_SIGN 23
+#define KG_USAGE_SEQ 24
+
+enum qop {
+ GSS_KRB5_INTEG_C_QOP_MD5 = 0x0001, /* *partial* MD5 = "MD2.5" */
+ GSS_KRB5_INTEG_C_QOP_DES_MD5 = 0x0002,
+ GSS_KRB5_INTEG_C_QOP_DES_MAC = 0x0003,
+ GSS_KRB5_INTEG_C_QOP_HMAC_SHA1 = 0x0004,
+ GSS_KRB5_INTEG_C_QOP_MASK = 0x00ff,
+ GSS_KRB5_CONF_C_QOP_DES = 0x0100,
+ GSS_KRB5_CONF_C_QOP_DES3_KD = 0x0200,
+ GSS_KRB5_CONF_C_QOP_MASK = 0xff00
+};
+
/** internal types **/
typedef krb5_principal krb5_gss_name_t;
@@ -89,7 +147,6 @@ typedef struct _krb5_gss_cred_id_rec {
krb5_principal princ; /* this is not interned as a gss_name_t */
int prerfc_mech;
int rfc_mech;
- int rfcv2_mech;
/* keytab (accept) data */
krb5_keytab keytab;
@@ -125,7 +182,6 @@ typedef struct _krb5_gss_ctx_id_rec {
int big_endian;
krb5_auth_context auth_context;
gss_OID_desc *mech_used;
- int gsskrb5_version;
int nctypes;
krb5_cksumtype *ctypes;
} krb5_gss_ctx_id_rec, *krb5_gss_ctx_id_t;
@@ -190,12 +246,18 @@ int kg_encrypt_size PROTOTYPE((krb5_context context,
krb5_keyblock *key, int n));
krb5_error_code kg_encrypt PROTOTYPE((krb5_context context,
- krb5_keyblock *key,
- krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length));
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_pointer in,
+ krb5_pointer out,
+ int length));
krb5_error_code kg_decrypt PROTOTYPE((krb5_context context,
- krb5_keyblock *key,
- krb5_pointer iv, krb5_pointer in, krb5_pointer out, int length));
+ krb5_keyblock *key, int usage,
+ krb5_pointer iv,
+ krb5_pointer in,
+ krb5_pointer out,
+ int length));
OM_uint32 kg_seal PROTOTYPE((krb5_context context,
OM_uint32 *minor_status,
@@ -517,7 +579,8 @@ PROTOTYPE( (OM_uint32 *, /* minor_status */
gss_ctx_id_t * /* context_handle */
));
-#if 0
+#if TARGET_OS_MAC
+/* need prototypes on Mac OS X -- why *was* this #if 0? */
OM_uint32 krb5_gss_release_oid
PROTOTYPE( (OM_uint32 *, /* minor_status */
gss_OID * /* oid */
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index e700bb8..70ef491 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -51,6 +51,7 @@
*/
#include "gssapiP_krb5.h"
+#include "k5-int.h"
/** exported constants defined in gssapi_krb5{,_nx}.h **/
@@ -90,16 +91,28 @@ const gss_OID_desc krb5_gss_oid_array[] = {
/* this is the v2 assigned OID */
{9, "\052\206\110\206\367\022\001\002\003"},
/* these two are name type OID's */
+
+ /* 2.1.1. Kerberos Principal Name Form: (rfc 1964)
+ * This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
+ * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
{10, "\052\206\110\206\367\022\001\002\002\001"},
+
+ /* gss_nt_krb5_principal. Object identifier for a krb5_principal. Do not use. */
{10, "\052\206\110\206\367\022\001\002\002\002"},
{ 0, 0 }
};
-const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
-const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1;
-const gss_OID_desc * const gss_mech_krb5_v2 = krb5_gss_oid_array+2;
-const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+3;
-const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+4;
+const gss_OID_desc * const gss_mech_krb5 = krb5_gss_oid_array+0;
+const gss_OID_desc * const gss_mech_krb5_old = krb5_gss_oid_array+1;
+const gss_OID_desc * const gss_mech_krb5_v2 = krb5_gss_oid_array+2;
+const gss_OID_desc * const gss_nt_krb5_name = krb5_gss_oid_array+3;
+const gss_OID_desc * const gss_nt_krb5_principal = krb5_gss_oid_array+4;
+#if GSS_RFC_COMPLIANT_OIDS
+const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME = krb5_gss_oid_array+3;
+#endif /* GSS_RFC_COMPLIANT_OIDS */
+
static const gss_OID_set_desc oidsets[] = {
{1, (gss_OID) krb5_gss_oid_array+0},
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
index e4bac76..c1ad99f 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.h
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
@@ -23,13 +23,65 @@
#ifndef _GSSAPI_KRB5_H_
#define _GSSAPI_KRB5_H_
-#include <krb5.h>
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+ #include <TargetConditionals.h>
+#endif
+
+#if TARGET_OS_MAC
+ #include <Kerberos/krb5.h>
+ #include <Kerberos/gssapi.h>
+ #include <Kerberos/gssapi_generic.h>
+#else
+ #include <krb5.h>
+#endif
/* C++ friendlyness */
#ifdef __cplusplus
extern "C" {
#endif /* __cplusplus */
+#if GSS_RFC_COMPLIANT_OIDS
+/* Reserved static storage for GSS_oids. See rfc 1964 for more details. */
+
+/* 2.1.1. Kerberos Principal Name Form: */
+GSS_DLLIMP extern const gss_OID_desc * const GSS_KRB5_NT_PRINCIPAL_NAME;
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * krb5(2) krb5_name(1)}. The recommended symbolic name for this type
+ * is "GSS_KRB5_NT_PRINCIPAL_NAME". */
+
+/* 2.1.2. Host-Based Service Name Form */
+#define GSS_KRB5_NT_HOSTBASED_SERVICE_NAME GSS_C_NT_HOSTBASED_SERVICE
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) service_name(4)}. The previously recommended symbolic
+ * name for this type is "GSS_KRB5_NT_HOSTBASED_SERVICE_NAME". The
+ * currently preferred symbolic name for this type is
+ * "GSS_C_NT_HOSTBASED_SERVICE". */
+
+/* 2.2.1. User Name Form */
+#define GSS_KRB5_NT_USER_NAME GSS_C_NT_USER_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) user_name(1)}. The recommended symbolic name for this
+ * type is "GSS_KRB5_NT_USER_NAME". */
+
+/* 2.2.2. Machine UID Form */
+#define GSS_KRB5_NT_MACHINE_UID_NAME GSS_C_NT_MACHINE_UID_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) machine_uid_name(2)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_MACHINE_UID_NAME". */
+
+/* 2.2.3. String UID Form */
+#define GSS_KRB5_NT_STRING_UID_NAME GSS_C_NT_STRING_UID_NAME
+/* This name form shall be represented by the Object Identifier {iso(1)
+ * member-body(2) United States(840) mit(113554) infosys(1) gssapi(2)
+ * generic(1) string_uid_name(3)}. The recommended symbolic name for
+ * this type is "GSS_KRB5_NT_STRING_UID_NAME". */
+
+#endif /* GSS_RFC_COMPLIANT_OIDS */
+
extern const gss_OID_desc * const gss_mech_krb5;
extern const gss_OID_desc * const gss_mech_krb5_old;
extern const gss_OID_desc * const gss_mech_krb5_v2;
diff --git a/src/lib/gssapi/krb5/import_sec_context.c b/src/lib/gssapi/krb5/import_sec_context.c
index fd5415a..659cdc2 100644
--- a/src/lib/gssapi/krb5/import_sec_context.c
+++ b/src/lib/gssapi/krb5/import_sec_context.c
@@ -44,7 +44,7 @@ gss_OID krb5_gss_convert_static_mech_oid(oid)
if ((oid->length == p->length) &&
(memcmp(oid->elements, p->elements, p->length) == 0)) {
gss_release_oid(&minor_status, &oid);
- return p;
+ return (gss_OID) p;
}
}
return oid;
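Review bot: The new `(gss_OID)` cast on `return (gss_OID) p;` discards `const`, so the caller receives a mutable-looking pointer to what is presumably an entry of the `const` krb5_gss_oid_array table. The same cast is added for `gss_mech_krb5` and `gss_mech_krb5_old` in inq_cred.c and init_sec_context.c in this commit. Nothing tells a caller that the result may point at static storage, so I would document it at the return: `/* may return a pointer into the static read-only OID table; callers must not modify or free it */`. The function body starts outside the hunk, so how `p` is declared cannot be confirmed from here.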
diff --git a/src/lib/gssapi/krb5/init_sec_context.c b/src/lib/gssapi/krb5/init_sec_context.c
index d0c8bc9..40c50cb 100644
--- a/src/lib/gssapi/krb5/init_sec_context.c
+++ b/src/lib/gssapi/krb5/init_sec_context.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -49,6 +73,7 @@
#include "gssapiP_krb5.h"
#include <memory.h>
#include <stdlib.h>
+#include <assert.h>
/*
* $Id$
@@ -63,13 +88,13 @@ int krb5_gss_dbg_client_expcreds = 0;
* ccache.
*/
static krb5_error_code get_credentials(context, cred, server, now,
- endtime, enctype, out_creds)
+ endtime, enctypes, out_creds)
krb5_context context;
krb5_gss_cred_id_t cred;
krb5_principal server;
krb5_timestamp now;
krb5_timestamp endtime;
- krb5_enctype enctype;
+ const krb5_enctype *enctypes;
krb5_creds **out_creds;
{
krb5_error_code code;
@@ -82,10 +107,15 @@ static krb5_error_code get_credentials(context, cred, server, now,
if ((code = krb5_copy_principal(context, server, &in_creds.server)))
goto cleanup;
in_creds.times.endtime = endtime;
- in_creds.keyblock.enctype = enctype;
- if ((code = krb5_get_credentials(context, 0, cred->ccache,
- &in_creds, out_creds)))
+ in_creds.keyblock.enctype = 0;
+
+ code = krb5_set_default_tgs_enctypes (context, enctypes);
+ if (code)
+ goto cleanup;
+ code = krb5_get_credentials(context, 0, cred->ccache,
+ &in_creds, out_creds);
+ if (code)
goto cleanup;
/*
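Review bot: `krb5_set_default_tgs_enctypes (context, enctypes)` changes state on the krb5 context rather than on this one request, and nothing in the hunk restores the previous list. If the context returned by kg_get_context() is shared across calls (not visible here), every later ticket request through it is restricted to the GSSAPI enctype list as a side effect of one init_sec_context call. I would either save the current list with krb5_get_tgs_ktypes() and restore it under `cleanup:`, or at least record the behaviour next to the call: `/* NOTE: this changes the context-wide TGS enctype list, not just this request */`.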
@@ -93,7 +123,8 @@ static krb5_error_code get_credentials(context, cred, server, now,
* boundaries) because accept_sec_context code is also similarly
* non-forgiving.
*/
- if (!krb5_gss_dbg_client_expcreds && (*out_creds)->times.endtime < now) {
+ if (!krb5_gss_dbg_client_expcreds && *out_creds != NULL &&
+ (*out_creds)->times.endtime < now) {
code = KRB5KRB_AP_ERR_TKT_EXPIRED;
goto cleanup;
}
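Review bot: The added `*out_creds != NULL` test skips the expiry check when no credentials came back, but `code` is still 0 at that point, so the function then reports success with a NULL `*out_creds`. The caller passes the result on as `k_cred`, so if NULL is genuinely possible it should be an error here rather than a skipped check: `if (*out_creds == NULL) { code = <error code>; goto cleanup; }` placed before the expiry test, with the error code chosen by the maintainers. If krb5_get_credentials() never returns success with a NULL result, the extra condition is dead and a comment saying so would be clearer.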
@@ -106,7 +137,7 @@ cleanup:
return code;
}
-
+#if !defined(TARGET_OS_MAC) || !TARGET_OS_MAC
static krb5_error_code
make_ap_req_v2(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
krb5_context context;
@@ -117,197 +148,10 @@ make_ap_req_v2(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
gss_OID mech_type;
gss_buffer_t token;
{
- krb5_flags mk_req_flags = 0;
- krb5_int32 con_flags;
- krb5_error_code code;
- krb5_data credmsg, cksumdata, ap_req;
- int i, tlen, cblen, nctypes;
- krb5_cksumtype *ctypes;
- unsigned char *t, *ptr;
-
- credmsg.data = 0;
- cksumdata.data = 0;
- ap_req.data = 0;
- ctypes = 0;
-
- /* create the option data if necessary */
- if (ctx->gss_flags & GSS_C_DELEG_FLAG) {
- /* first get KRB_CRED message, so we know its length */
-
- /* clear the time check flag that was set in krb5_auth_con_init() */
- krb5_auth_con_getflags(context, ctx->auth_context, &con_flags);
- krb5_auth_con_setflags(context, ctx->auth_context,
- con_flags & ~KRB5_AUTH_CONTEXT_DO_TIME);
-
- code = krb5_fwd_tgt_creds(context, ctx->auth_context, 0,
- cred->princ, ctx->there, cred->ccache, 1,
- &credmsg);
-
- /* turn KRB5_AUTH_CONTEXT_DO_TIME back on */
- krb5_auth_con_setflags(context, ctx->auth_context, con_flags);
-
- if (code) {
- /* don't fail here; just don't accept/do the delegation
- request */
- ctx->gss_flags &= ~GSS_C_DELEG_FLAG;
- } else {
- if (credmsg.length > KRB5_INT16_MAX) {
- krb5_free_data_contents(context, &credmsg);
- return(KRB5KRB_ERR_FIELD_TOOLONG);
- }
- }
- } else {
- credmsg.length = 0;
- }
-
- /* construct the list of compatible cksum types */
-
- if ((code = krb5_c_keyed_checksum_types(context,
- k_cred->keyblock.enctype,
- &nctypes, &ctypes)))
- goto cleanup;
-
- if (nctypes == 0) {
- code = KRB5_CRYPTO_INTERNAL;
- goto cleanup;
- }
-
- /* construct the checksum fields */
-
- cblen = 4*5;
- if (chan_bindings)
- cblen += (chan_bindings->initiator_address.length+
- chan_bindings->acceptor_address.length+
- chan_bindings->application_data.length);
-
- cksumdata.length = cblen + 8 + 4*nctypes + 4;
- if (credmsg.length)
- cksumdata.length += 4 + credmsg.length;
-
- if ((cksumdata.data = (char *) malloc(cksumdata.length)) == NULL)
- goto cleanup;
-
- /* helper macros. This code currently depends on a long being 32
- bits, and htonl dtrt. */
-
- ptr = cksumdata.data;
-
- if (chan_bindings) {
- TWRITE_INT(ptr, chan_bindings->initiator_addrtype, 1);
- TWRITE_BUF(ptr, chan_bindings->initiator_address, 1);
- TWRITE_INT(ptr, chan_bindings->acceptor_addrtype, 1);
- TWRITE_BUF(ptr, chan_bindings->acceptor_address, 1);
- TWRITE_BUF(ptr, chan_bindings->application_data, 1);
- } else {
- memset(ptr, 0, cblen);
- ptr += cblen;
- }
-
- /* construct the token fields */
-
- ptr[0] = (KG2_TOK_INITIAL >> 8) & 0xff;
- ptr[1] = KG2_TOK_INITIAL & 0xff;
-
- ptr[2] = (ctx->gss_flags >> 24) & 0xff;
- ptr[3] = (ctx->gss_flags >> 16) & 0xff;
- ptr[4] = (ctx->gss_flags >> 8) & 0xff;
- ptr[5] = ctx->gss_flags & 0xff;
-
- ptr[6] = (nctypes >> 8) & 0xff;
- ptr[7] = nctypes & 0xff;
-
- ptr += 8;
-
- for (i=0; i<nctypes; i++) {
- ptr[0] = (ctypes[i] >> 24) & 0xff;
- ptr[1] = (ctypes[i] >> 16) & 0xff;
- ptr[2] = (ctypes[i] >> 8) & 0xff;
- ptr[3] = ctypes[i] & 0xff;
-
- ptr += 4;
- }
-
- if (credmsg.length) {
- ptr[0] = (KRB5_GSS_FOR_CREDS_OPTION >> 8) & 0xff;
- ptr[1] = KRB5_GSS_FOR_CREDS_OPTION & 0xff;
-
- ptr[2] = (credmsg.length >> 8) & 0xff;
- ptr[3] = credmsg.length & 0xff;
-
- ptr += 4;
-
- memcpy(ptr, credmsg.data, credmsg.length);
-
- ptr += credmsg.length;
- }
-
- memset(ptr, 0, 4);
-
- /* call mk_req. subkey and ap_req need to be used or destroyed */
-
- mk_req_flags = AP_OPTS_USE_SUBKEY;
-
- if (ctx->gss_flags & GSS_C_MUTUAL_FLAG)
- mk_req_flags |= AP_OPTS_MUTUAL_REQUIRED;
-
- if ((code = krb5_mk_req_extended(context, &ctx->auth_context, mk_req_flags,
- &cksumdata, k_cred, &ap_req)))
- goto cleanup;
-
- /* store the interesting stuff from creds and authent */
- ctx->endtime = k_cred->times.endtime;
- ctx->krb_flags = k_cred->ticket_flags;
-
- /* build up the token */
-
- /* allocate space for the token */
- tlen = g_token_size((gss_OID) mech_type,
- (cksumdata.length-(2+cblen))+2+ap_req.length);
-
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
-
- ptr = t;
-
- g_make_token_header((gss_OID) mech_type,
- (cksumdata.length-(2+cblen))+2+ap_req.length,
- &ptr, KG2_TOK_INITIAL);
-
- /* skip over the channel bindings and the token id */
- memcpy(ptr, cksumdata.data+cblen+2, cksumdata.length-(cblen+2));
- ptr += cksumdata.length-(cblen+2);
- ptr[0] = (ap_req.length >> 8) & 0xff;
- ptr[1] = ap_req.length & 0xff;
- ptr += 2;
- memcpy(ptr, ap_req.data, ap_req.length);
-
- /* pass allocated data back */
-
- ctx->nctypes = nctypes;
- ctx->ctypes = ctypes;
-
- token->length = tlen;
- token->value = (void *) t;
-
- code = 0;
-
-cleanup:
- if (code) {
- if (ctypes)
- krb5_free_cksumtypes(context, ctypes);
- }
-
- if (credmsg.data)
- free(credmsg.data);
- if (ap_req.data)
- free(ap_req.data);
- if (cksumdata.data)
- free(cksumdata.data);
-
- return(code);
+ int krb5_mech2_supported = 0;
+ assert(krb5_mech2_supported);
}
+#endif
static krb5_error_code
make_ap_req_v1(context, ctx, cred, k_cred, chan_bindings, mech_type, token)
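Review bot: make_ap_req_v2 still returns `krb5_error_code` but its body is now only `assert(krb5_mech2_supported);`, so when NDEBUG is defined the assert disappears and control falls off the end of a non-void function. The only call visible in this commit, the `gsskrb5_version == 2000` branch of krb5_gss_init_sec_context, is removed, so deleting the function together with its `#if !defined(TARGET_OS_MAC) || !TARGET_OS_MAC` wrapper would be simpler than keeping a stub. If the stub has to stay, end it with `abort();` (stdlib.h is already included) so the behaviour does not depend on NDEBUG. The function's signature sits in the preceding hunk.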
@@ -480,15 +324,22 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
krb5_context context;
krb5_gss_cred_id_t cred;
krb5_creds *k_cred = 0;
- krb5_enctype enctype = ENCTYPE_DES_CBC_CRC;
+ static const krb5_enctype wanted_enctypes[] = {
+#if 1
+ ENCTYPE_DES3_CBC_SHA1,
+#endif
+ ENCTYPE_DES_CBC_CRC,
+ ENCTYPE_DES_CBC_MD5, ENCTYPE_DES_CBC_MD4,
+ };
+#define N_WANTED_ENCTYPES (sizeof(wanted_enctypes)/sizeof(wanted_enctypes[0]))
+ krb5_enctype requested_enctypes[N_WANTED_ENCTYPES + 1];
+ krb5_enctype *default_enctypes = 0;
krb5_error_code code;
krb5_gss_ctx_id_rec *ctx, *ctx_free;
krb5_timestamp now;
gss_buffer_desc token;
- int gsskrb5_vers = 0;
- int i, err;
+ int i, j, k, err;
int default_mech = 0;
- krb5_ui_4 resp_flags;
OM_uint32 major_status;
if (GSS_ERROR(kg_get_context(minor_status, &context)))
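Review bot: `N_WANTED_ENCTYPES` is `#define`d in the middle of the local declarations and never `#undef`ed, so it stays visible for the rest of the translation unit. It also has type size_t, which makes the later `i < N_WANTED_ENCTYPES` and `k < N_WANTED_ENCTYPES` comparisons mix `int` with an unsigned type. A local constant such as `enum { N_WANTED_ENCTYPES = sizeof(wanted_enctypes)/sizeof(wanted_enctypes[0]) };` avoids both. The `#if 1` around `ENCTYPE_DES3_CBC_SHA1` reads like a leftover toggle and should either go or carry a comment saying when it is meant to be switched off.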
@@ -528,32 +379,19 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
err = 0;
if (mech_type == GSS_C_NULL_OID) {
default_mech = 1;
- if (cred->rfcv2_mech) {
- mech_type = gss_mech_krb5_v2;
- gsskrb5_vers = 2000;
- } else if (cred->rfc_mech) {
- mech_type = gss_mech_krb5;
- gsskrb5_vers = 1000;
- enctype = ENCTYPE_DES_CBC_CRC;
+ if (cred->rfc_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
} else if (cred->prerfc_mech) {
- mech_type = gss_mech_krb5_old;
- gsskrb5_vers = 1000;
- enctype = ENCTYPE_DES_CBC_CRC;
+ mech_type = (gss_OID) gss_mech_krb5_old;
} else {
err = 1;
}
- } else if (g_OID_equal(mech_type, gss_mech_krb5_v2)) {
- if (!cred->rfcv2_mech)
- err = 1;
- gsskrb5_vers = 2000;
} else if (g_OID_equal(mech_type, gss_mech_krb5)) {
if (!cred->rfc_mech)
err = 1;
- gsskrb5_vers = 1000;
} else if (g_OID_equal(mech_type, gss_mech_krb5_old)) {
if (!cred->prerfc_mech)
err = 1;
- gsskrb5_vers = 1000;
} else {
err = 1;
}
@@ -607,7 +445,6 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
ctx->seed_init = 0;
ctx->big_endian = 0; /* all initiators do little-endian, as per spec */
ctx->seqstate = 0;
- ctx->gsskrb5_version = gsskrb5_vers;
ctx->nctypes = 0;
ctx->ctypes = 0;
@@ -627,28 +464,57 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
&ctx->there)))
goto fail;
+ code = krb5_get_tgs_ktypes (context, 0, &default_enctypes);
+ if (code)
+ goto fail;
+ /* "i" denotes *next* slot to fill. Don't forget to save room
+ for a trailing zero. */
+ i = 0;
+ for (j = 0;
+ (default_enctypes[j] != 0
+ /* This part should be redundant, but let's be paranoid. */
+ && i < N_WANTED_ENCTYPES);
+ j++) {
+
+ int is_duplicate_enctype;
+ int is_wanted_enctype;
+
+ krb5_enctype e = default_enctypes[j];
+
+ /* Is this enctype one of the ones we want for GSSAPI? */
+ is_wanted_enctype = 0;
+ for (k = 0; k < N_WANTED_ENCTYPES; k++) {
+ if (wanted_enctypes[k] == e) {
+ is_wanted_enctype = 1;
+ break;
+ }
+ }
+ /* If unwanted, go to the next one. */
+ if (!is_wanted_enctype)
+ continue;
+
+ /* Is this enctype already in the list of enctypes to
+ request? (Is it a duplicate?) */
+ is_duplicate_enctype = 0;
+ for (k = 0; k < i; k++) {
+ if (requested_enctypes[k] == e) {
+ is_duplicate_enctype = 1;
+ break;
+ }
+ }
+ /* If it is not a duplicate, add it. */
+ if (!is_duplicate_enctype)
+ requested_enctypes[i++] = e;
+ }
+ requested_enctypes[i++] = 0;
+
if ((code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, enctype, &k_cred)))
+ ctx->endtime, requested_enctypes, &k_cred)))
goto fail;
- /*
- * If the default mechanism was requested, and the keytype is
- * DES_CBC, force the old mechanism
- */
- if (default_mech &&
- ((k_cred->keyblock.enctype == ENCTYPE_DES_CBC_CRC) ||
- (k_cred->keyblock.enctype == ENCTYPE_DES_CBC_MD4) ||
- (k_cred->keyblock.enctype == ENCTYPE_DES_CBC_MD5))) {
- ctx->gsskrb5_version = gsskrb5_vers = 1000;
- mech_type = gss_mech_krb5;
- if (k_cred->keyblock.enctype != ENCTYPE_DES_CBC_CRC) {
- krb5_free_creds(context, k_cred);
- enctype = ENCTYPE_DES_CBC_CRC;
- if ((code = get_credentials(context, cred, ctx->there, now,
- ctx->endtime, enctype, &k_cred)))
- goto fail;
- }
- }
+ if (default_mech) {
+ mech_type = (gss_OID) gss_mech_krb5;
+ }
if (generic_gss_copy_oid(minor_status, mech_type, &ctx->mech_used)
!= GSS_S_COMPLETE) {
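Review bot: The list returned by `krb5_get_tgs_ktypes (context, 0, &default_enctypes)` is not released anywhere in this hunk, including on the `goto fail` after get_credentials(). Unless the `fail` path outside the hunk frees it, each call leaks it, so it should be released as soon as `requested_enctypes` has been built. Separately, when none of the context's default enctypes is in `wanted_enctypes`, the loop ends with `i == 0` and only the terminating zero is handed on to krb5_set_default_tgs_enctypes(). How the library treats an empty list is not visible here, so I would fail explicitly before writing the terminator: `if (i == 0) { code = KRB5_BAD_ENCTYPE; goto fail; }`.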
@@ -660,24 +526,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
*/
ctx->mech_used = krb5_gss_convert_static_mech_oid(ctx->mech_used);
- if (ctx->gsskrb5_version == 2000) {
- /* gsskrb5 v2 */
- if ((code = make_ap_req_v2(context, ctx,
- cred, k_cred, input_chan_bindings,
- mech_type, &token))) {
- if ((code == KRB5_FCC_NOFILE) || (code == KRB5_CC_NOTFOUND) ||
- (code == KG_EMPTY_CCACHE))
- major_status = GSS_S_NO_CRED;
- if (code == KRB5KRB_AP_ERR_TKT_EXPIRED)
- major_status = GSS_S_CREDENTIALS_EXPIRED;
- goto fail;
- }
-
- krb5_auth_con_getlocalseqnumber(context, ctx->auth_context,
- &ctx->seq_send);
- krb5_auth_con_getlocalsubkey(context, ctx->auth_context,
- &ctx->subkey);
- } else {
+ {
/* gsskrb5 v1 */
if ((code = make_ap_req_v1(context, ctx,
cred, k_cred, input_chan_bindings,
@@ -699,11 +548,41 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
switch(ctx->subkey->enctype) {
case ENCTYPE_DES_CBC_MD5:
+ case ENCTYPE_DES_CBC_MD4:
case ENCTYPE_DES_CBC_CRC:
ctx->subkey->enctype = ENCTYPE_DES_CBC_RAW;
- ctx->signalg = 0;
+ ctx->signalg = SGN_ALG_DES_MAC_MD5;
ctx->cksum_size = 8;
- ctx->sealalg = 0;
+ ctx->sealalg = SEAL_ALG_DES;
+
+ /* The encryption key is the session key XOR
+ 0xf0f0f0f0f0f0f0f0. */
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
+ goto fail;
+
+ for (i=0; i<ctx->enc->length; i++)
+ /*SUPPRESS 113*/
+ ctx->enc->contents[i] ^= 0xf0;
+
+ if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq)))
+ goto fail;
+
+ break;
+
+ case ENCTYPE_DES3_CBC_SHA1:
+ ctx->subkey->enctype = ENCTYPE_DES3_CBC_RAW;
+ ctx->signalg = SGN_ALG_HMAC_SHA1_DES3_KD;
+ ctx->cksum_size = 20;
+ ctx->sealalg = SEAL_ALG_DES3KD;
+
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->enc);
+ if (code)
+ goto fail;
+ code = krb5_copy_keyblock (context, ctx->subkey, &ctx->seq);
+ if (code) {
+ krb5_free_keyblock (context, ctx->enc);
+ goto fail;
+ }
break;
#if 0
case ENCTYPE_DES3_CBC_MD5:
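Review bot: The two new branches handle a failed second krb5_copy_keyblock() differently: the DES case jumps to `fail` with `ctx->enc` still allocated, while the DES3 case calls `krb5_free_keyblock (context, ctx->enc)` first but leaves the pointer set. The `fail` path is outside the hunk; if it releases `ctx->enc` the DES3 branch frees the key twice, and if it does not the DES branch leaks a copy of the key. Make the branches agree and clear the pointer after freeing, e.g. `krb5_free_keyblock (context, ctx->enc); ctx->enc = NULL;` in both.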
@@ -714,20 +593,10 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
break;
#endif
default:
+ *minor_status = KRB5_BAD_ENCTYPE;
return GSS_S_FAILURE;
}
- /* the encryption key is the session key XOR 0xf0f0f0f0f0f0f0f0 */
-
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->enc)))
- goto fail;
-
- for (i=0; i<ctx->enc->length; i++)
- /*SUPPRESS 113*/
- ctx->enc->contents[i] ^= 0xf0;
-
- if ((code = krb5_copy_keyblock(context, ctx->subkey, &ctx->seq)))
- goto fail;
}
if (k_cred) {
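Review bot: The `default:` case now sets `*minor_status = KRB5_BAD_ENCTYPE` but still leaves through a bare `return GSS_S_FAILURE;`, whereas every other error in this switch goes to `fail`. At this point `ctx`, `k_cred` and the subkey appear to be held already, so the direct return most likely skips their cleanup; the `fail` label itself is outside the hunk. I would write `code = KRB5_BAD_ENCTYPE; goto fail;` instead, assuming `fail` copies `code` into `*minor_status`, which should be confirmed against the rest of the function.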
@@ -780,7 +649,7 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
} else {
unsigned char *ptr;
char *sptr;
- krb5_data ap_rep, mic;
+ krb5_data ap_rep;
krb5_ap_rep_enc_part *ap_rep_data;
krb5_error *krb_error;
@@ -824,94 +693,38 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
ptr = (unsigned char *) input_token->value;
- if (ctx->gsskrb5_version == 2000) {
- int token_length;
- int nctypes;
- krb5_cksumtype *ctypes = 0;
-
- /* gsskrb5 v2 */
-
- if ((code = g_verify_token_header((gss_OID) ctx->mech_used,
- &token_length,
- &ptr, KG2_TOK_RESPONSE,
- input_token->length))) {
- major_status = GSS_S_DEFECTIVE_TOKEN;
- goto fail;
- }
-
- if (GSS_ERROR(major_status =
- kg2_parse_token(minor_status, ptr, token_length,
- &resp_flags, &nctypes, &ctypes,
- 0, NULL, &ap_rep, &mic))) {
- if (ctypes)
- free(ctypes);
- code = *minor_status;
- goto fail;
- }
- major_status = GSS_S_FAILURE;
-
- kg2_intersect_ctypes(&ctx->nctypes, ctx->ctypes, nctypes, ctypes);
+ if ((err = g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_AP_REP,
+ input_token->length))) {
+ if (g_verify_token_header((gss_OID) ctx->mech_used,
+ &(ap_rep.length),
+ &ptr, KG_TOK_CTX_ERROR,
+ input_token->length) == 0) {
- free(ctypes);
+ /* Handle a KRB_ERROR message from the server */
- if (ctx->nctypes == 0) {
- code = KG_NO_CTYPES;
- goto fail;
- }
-
- if (resp_flags & KG2_RESP_FLAG_ERROR) {
- if ((code = krb5_rd_error(context, &ap_rep, &krb_error)))
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
+ code = krb5_rd_error(context, &ap_rep, &krb_error);
+ if (code)
goto fail;
-
if (krb_error->error)
code = krb_error->error + ERROR_TABLE_BASE_krb5;
else
code = 0;
-
krb5_free_error(context, krb_error);
goto fail;
+ } else {
+ *minor_status = 0;
+ return(GSS_S_DEFECTIVE_TOKEN);
}
-
- if (resp_flags & KG2_RESP_FLAG_DELEG_OK)
- ctx->gss_flags |= GSS_C_DELEG_FLAG;
-
- /* drop through to ap_rep handling */
- } else {
- /* gsskrb5 v1 */
-
- if ((err = g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_AP_REP,
- input_token->length))) {
- if (g_verify_token_header((gss_OID) ctx->mech_used,
- &(ap_rep.length),
- &ptr, KG_TOK_CTX_ERROR,
- input_token->length) == 0) {
-
- /* Handle a KRB_ERROR message from the server */
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
-
- code = krb5_rd_error(context, &ap_rep, &krb_error);
- if (code)
- goto fail;
- if (krb_error->error)
- code = krb_error->error + ERROR_TABLE_BASE_krb5;
- else
- code = 0;
- krb5_free_error(context, krb_error);
- goto fail;
- } else {
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
- }
-
- sptr = (char *) ptr; /* PC compiler bug */
- TREAD_STR(sptr, ap_rep.data, ap_rep.length);
}
+ sptr = (char *) ptr; /* PC compiler bug */
+ TREAD_STR(sptr, ap_rep.data, ap_rep.length);
+
/* decode the ap_rep */
if ((code = krb5_rd_rep(context, ctx->auth_context, &ap_rep,
&ap_rep_data))) {
@@ -938,26 +751,6 @@ krb5_gss_init_sec_context(minor_status, claimant_cred_handle,
/* set established */
ctx->established = 1;
- if (ctx->gsskrb5_version == 2000) {
- gss_buffer_desc mic_data, mic_token;
-
- /* start with the token id */
- mic_data.value = ptr-2;
- /* end before the ap-rep length */
- mic_data.length = ((char*)(ap_rep.data-2)-(char*)(ptr-2));
-
- mic_token.length = mic.length;
- mic_token.value = mic.data;
-
- if (GSS_ERROR(major_status =
- krb5_gss_verify_mic(minor_status, *context_handle,
- &mic_data, &mic_token, NULL))) {
- code = *minor_status;
- goto fail;
- }
- major_status = GSS_S_FAILURE;
- }
-
/* set returns */
if (time_rec) {
diff --git a/src/lib/gssapi/krb5/inq_cred.c b/src/lib/gssapi/krb5/inq_cred.c
index c800012..6fbbadc 100644
--- a/src/lib/gssapi/krb5/inq_cred.c
+++ b/src/lib/gssapi/krb5/inq_cred.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -116,15 +140,11 @@ krb5_gss_inquire_cred(minor_status, cred_handle, name, lifetime_ret,
&mechs)) ||
(cred->prerfc_mech &&
GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_old,
+ (gss_OID) gss_mech_krb5_old,
&mechs))) ||
(cred->rfc_mech &&
GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5,
- &mechs))) ||
- (cred->rfcv2_mech &&
- GSS_ERROR(ret = generic_gss_add_oid_set_member(minor_status,
- gss_mech_krb5_v2,
+ (gss_OID) gss_mech_krb5,
&mechs)))) {
krb5_free_principal(context, ret_name);
/* *minor_status set above */
diff --git a/src/lib/gssapi/krb5/k5seal.c b/src/lib/gssapi/krb5/k5seal.c
index ae8cc75..1ca108e 100644
--- a/src/lib/gssapi/krb5/k5seal.c
+++ b/src/lib/gssapi/krb5/k5seal.c
@@ -1,6 +1,6 @@
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +10,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -22,14 +22,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -40,7 +40,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -49,196 +49,280 @@
#include "gssapiP_krb5.h"
static krb5_error_code
-make_priv_token_v2 PROTOTYPE((krb5_context context,
- krb5_keyblock *subkey,
+make_seal_token_v1 PROTOTYPE((krb5_context context,
+ krb5_keyblock *enc,
+ krb5_keyblock *seq,
krb5_int32 *seqnum,
int direction,
gss_buffer_t text,
gss_buffer_t token,
+ int signalg,
+ int cksum_size,
+ int sealalg,
+ int encrypt,
+ int toktype,
+ int bigend,
gss_OID oid));
static krb5_error_code
-make_priv_token_v2(context, subkey, seqnum, direction, text, token, oid)
- krb5_context context;
- krb5_keyblock *subkey;
- krb5_int32 *seqnum;
- int direction;
- gss_buffer_t text;
- gss_buffer_t token;
- gss_OID oid;
-{
- krb5_data plain;
- krb5_enc_data cipher;
- krb5_error_code code;
- size_t enclen;
- int tlen;
- unsigned char *t, *ptr;
-
- plain.data = 0;
- cipher.ciphertext.data = 0;
- t = 0;
-
- plain.length = 7+text->length;
- if ((plain.data = (void *) malloc(plain.length)) == NULL) {
- code = ENOMEM;
- goto cleanup;
- }
-
- plain.data[0] = (*seqnum >> 24) & 0xff;
- plain.data[1] = (*seqnum >> 16) & 0xff;
- plain.data[2] = (*seqnum >> 8) & 0xff;
- plain.data[3] = *seqnum & 0xff;
-
- plain.data[4] = direction?0:0xff;
-
- plain.data[5] = (text->length >> 8) & 0xff;
- plain.data[6] = text->length & 0xff;
-
- memcpy(plain.data+7, text->value, text->length);
-
- if (code = krb5_c_encrypt_length(context, subkey->enctype,
- plain.length, &enclen))
- goto cleanup;
-
- tlen = g_token_size((gss_OID) oid, 2+enclen);
-
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
- return(ENOMEM);
-
- ptr = t;
-
- g_make_token_header((gss_OID) oid, 2+enclen, &ptr,
- KG2_TOK_WRAP_PRIV);
-
- ptr[0] = (enclen >> 8) & 0xff;
- ptr[1] = enclen & 0xff;
-
- cipher.ciphertext.length = enclen;
- cipher.ciphertext.data = ptr+2;
-
- if (code = krb5_c_encrypt(context, subkey,
- KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV,
- 0, &plain, &cipher))
- goto cleanup;
-
- /* that's it. return the token */
-
- (*seqnum)++;
-
- token->length = tlen;
- token->value = (void *) t;
-
- code = 0;
-
-cleanup:
- if (plain.data)
- free(plain.data);
- if (code) {
- if (t)
- free(t);
- }
-
- return(code);
-}
-
-static krb5_error_code
-make_integ_token_v2 PROTOTYPE((krb5_context context,
- krb5_keyblock *subkey,
- krb5_cksumtype ctype,
- krb5_int32 *seqnum,
- int direction,
- gss_buffer_t text,
- gss_buffer_t token,
- int toktype,
- gss_OID oid));
-
-static krb5_error_code
-make_integ_token_v2(context, subkey, ctype, seqnum, direction, text, token,
- toktype, oid)
- krb5_context context;
- krb5_keyblock *subkey;
- krb5_cksumtype ctype;
- krb5_int32 *seqnum;
- int direction;
- gss_buffer_t text;
- gss_buffer_t token;
- int toktype;
- gss_OID oid;
+make_seal_token_v1(context, enc, seq, seqnum, direction, text, token,
+ signalg, cksum_size, sealalg, encrypt, toktype,
+ bigend, oid)
+ krb5_context context;
+ krb5_keyblock *enc;
+ krb5_keyblock *seq;
+ krb5_int32 *seqnum;
+ int direction;
+ gss_buffer_t text;
+ gss_buffer_t token;
+ int signalg;
+ int cksum_size;
+ int sealalg;
+ int encrypt;
+ int toktype;
+ int bigend;
+ gss_OID oid;
{
krb5_error_code code;
- int tmp, tlen;
- unsigned char *t, *ptr;
- krb5_data plain;
+ size_t sumlen;
+ char *data_ptr;
+ krb5_data plaind;
+ krb5_checksum md5cksum;
krb5_checksum cksum;
+ int conflen=0, tmsglen, tlen;
+ unsigned char *t, *ptr;
- plain.data = 0;
- t = 0;
- cksum.contents = 0;
+ int encblksize, sumblksize;
+
+ switch (signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case SGN_ALG_MD2_5:
+ case SGN_ALG_HMAC_MD5:
+ sumblksize = 1;
+ break;
+ case SGN_ALG_DES_MAC:
+ sumblksize = 8;
+ break;
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ sumblksize = 1;
+ break;
+ default:
+ abort ();
+ return 123; /* find error code */
+ }
- /* assemble the checksum buffer and compute the checksum */
+ switch (sealalg) {
+ case SEAL_ALG_NONE:
+ case SEAL_ALG_DES:
+ case SEAL_ALG_DES3KD:
+ encblksize = 8;
+ break;
+ default:
+ abort ();
+ return 12345654321;
+ }
- plain.length = 7+text->length;
+ /* create the token buffer */
- if ((plain.data = (char *) malloc(plain.length)) == NULL) {
- code = errno;
- goto cleanup;
+ if (toktype == KG_TOK_SEAL_MSG) {
+ if (bigend && !encrypt) {
+ tmsglen = text->length;
+ } else {
+ conflen = kg_confounder_size(context, enc);
+ /* XXX knows that des block size is 8 */
+ tmsglen = (conflen+text->length+8)&(~7);
+ }
+ } else {
+ tmsglen = 0;
}
- plain.data[0] = (*seqnum >> 24) & 0xff;
- plain.data[1] = (*seqnum >> 16) & 0xff;
- plain.data[2] = (*seqnum >> 8) & 0xff;
- plain.data[3] = *seqnum & 0xff;
+ tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
- plain.data[4] = direction?0:0xff;
+ if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
+ return(ENOMEM);
- plain.data[5] = (text->length >> 8) & 0xff;
- plain.data[6] = text->length & 0xff;
+ /*** fill in the token */
- memcpy(plain.data+7, text->value, text->length);
+ ptr = t;
- if (code = krb5_c_make_checksum(context, ctype, subkey,
- (toktype == KG2_TOK_WRAP_INTEG)?
- KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG:
- KRB5_KEYUSAGE_GSS_TOK_MIC,
- &plain, &cksum))
- goto cleanup;
+ g_make_token_header((gss_OID) oid, 14+cksum_size+tmsglen, &ptr, toktype);
- /* assemble the token itself */
+ /* 0..1 SIGN_ALG */
- if (toktype == KG2_TOK_WRAP_INTEG)
- tmp = 4+(7+text->length)+2+cksum.length;
- else
- tmp = 4+(5)+2+cksum.length;
+ ptr[0] = signalg & 0xff;
+ ptr[1] = (signalg >> 8) & 0xff;
- tlen = g_token_size((gss_OID) oid, tmp);
+ /* 2..3 SEAL_ALG or Filler */
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
- return(ENOMEM);
+ if ((toktype == KG_TOK_SEAL_MSG) && encrypt) {
+ ptr[2] = sealalg & 0xff;
+ ptr[3] = (sealalg >> 8) & 0xff;
+ } else {
+ /* No seal */
+ ptr[2] = 0xff;
+ ptr[3] = 0xff;
+ }
- ptr = t;
+ /* 4..5 Filler */
+
+ ptr[4] = 0xff;
+ ptr[5] = 0xff;
+
+ /* pad the plaintext, encrypt if needed, and stick it in the token */
+
+ /* initialize the the cksum */
+ switch (signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case SGN_ALG_MD2_5:
+ case SGN_ALG_HMAC_MD5:
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
+ default:
+ case SGN_ALG_DES_MAC:
+ abort ();
+ }
- g_make_token_header((gss_OID) oid, tmp, &ptr, toktype);
+ if (code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen))
+ return(code);
+ md5cksum.length = sumlen;
+
+ if (toktype == KG_TOK_SEAL_MSG) {
+ unsigned char *plain;
+ unsigned char pad;
+
+ if (!bigend || encrypt) {
+ if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
+ xfree(t);
+ return(ENOMEM);
+ }
+
+ if ((code = kg_make_confounder(context, enc, plain))) {
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+
+ memcpy(plain+conflen, text->value, text->length);
+
+ /* XXX 8 is DES cblock size */
+ pad = 8-(text->length%8);
+
+ memset(plain+conflen+text->length, pad, pad);
+ } else {
+ /* plain is never used in the bigend && !encrypt case */
+ plain = NULL;
+ }
+
+ if (encrypt) {
+ if ((code = kg_encrypt(context, enc, KG_USAGE_SEAL, NULL,
+ (krb5_pointer) plain,
+ (krb5_pointer) (ptr+cksum_size+14),
+ tmsglen))) {
+ if (plain)
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
+ } else {
+ if (bigend)
+ memcpy(ptr+14+cksum_size, text->value, text->length);
+ else
+ memcpy(ptr+14+cksum_size, plain, tmsglen);
+ }
+
+ /* compute the checksum */
+
+ /* 8 = head of token body as specified by mech spec */
+ if (! (data_ptr =
+ (char *) xmalloc(8 + (bigend ? text->length : tmsglen)))) {
+ if (plain)
+ xfree(plain);
+ xfree(t);
+ return(ENOMEM);
+ }
+ (void) memcpy(data_ptr, ptr-2, 8);
+ if (bigend)
+ (void) memcpy(data_ptr+8, text->value, text->length);
+ else
+ (void) memcpy(data_ptr+8, plain, tmsglen);
+ plaind.length = 8 + (bigend ? text->length : tmsglen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
+ KG_USAGE_SIGN, &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (plain)
+ xfree(plain);
+ xfree(t);
+ return(code);
+ }
- ptr[0] = (ctype >> 24) & 0xff;
- ptr[1] = (ctype >> 16) & 0xff;
- ptr[2] = (ctype >> 8) & 0xff;
- ptr[3] = ctype & 0xff;
+ if (plain)
+ xfree(plain);
+ } else {
+ /* Sign only. */
+ /* compute the checksum */
- ptr += 4;
+ if (! (data_ptr = (char *) xmalloc(8 + text->length))) {
+ xfree(t);
+ return(ENOMEM);
+ }
+ (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr+8, text->value, text->length);
+ plaind.length = 8 + text->length;
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type, seq,
+ KG_USAGE_SIGN, &plaind, &md5cksum);
+ xfree(data_ptr);
+ if (code) {
+ xfree(t);
+ return(code);
+ }
+ }
- if (toktype == KG2_TOK_WRAP_INTEG) {
- memcpy(ptr, plain.data, 7+text->length);
- ptr += 7+text->length;
- } else {
- memcpy(ptr, plain.data, 5);
- ptr += 5;
+ switch(signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case 3:
+
+ if ((code = kg_encrypt(context, seq, KG_USAGE_SEAL,
+ (g_OID_equal(oid, gss_mech_krb5_old) ?
+ seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ xfree(md5cksum.contents);
+ xfree(t);
+ return code;
+ }
+
+ cksum.length = cksum_size;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
+
+ memcpy(ptr+14, cksum.contents, cksum.length);
+ break;
+
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ /*
+ * Using key derivation, the call to krb5_c_make_checksum
+ * already dealt with encrypting.
+ */
+ if (md5cksum.length != cksum_size)
+ abort ();
+ memcpy (ptr+14, md5cksum.contents, md5cksum.length);
+ break;
}
- ptr[0] = (cksum.length >> 8) & 0xff;
- ptr[1] = cksum.length & 0xff;
- ptr += 2;
+ xfree(md5cksum.contents);
+
+ /* create the seq_num */
- memcpy(ptr, cksum.contents, cksum.length);
+ if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum,
+ ptr+14, ptr+6))) {
+ xfree(t);
+ return(code);
+ }
/* that's it. return the token */
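Review bot: The final `switch(signalg)` has no `default` and handles only `SGN_ALG_DES_MAC_MD5`, the bare `3` and `SGN_ALG_HMAC_SHA1_DES3_KD`, while the earlier checksum-type switch also accepts `SGN_ALG_MD2_5` and `SGN_ALG_HMAC_MD5`; for any value that falls through, the checksum field at `ptr+14` is never written, yet `kg_make_seq_num` is handed `ptr+14` and the token is returned with those bytes straight from `xmalloc`. Whether a context can carry such a `signalg` is not visible here, so a `default:` arm that frees `md5cksum.contents` and `t` and returns an error would close the gap either way. Separately, the early return after `krb5_c_checksum_length` leaks `t`, which is already allocated at that point: `if ((code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen))) { xfree(t); return(code); }`. The two `abort ()` defaults with their placeholder returns (`return 123;`, `return 12345654321;`) would also be better as ordinary error returns, since a library that kills the caller's process on an unexpected algorithm id is a denial-of-service risk. make_seal_token_v1 continues into the next hunk.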
@@ -247,372 +331,110 @@ make_integ_token_v2(context, subkey, ctype, seqnum, direction, text, token,
token->length = tlen;
token->value = (void *) t;
- code = 0;
-
-cleanup:
- if (plain.data)
- free(plain.data);
- if (cksum.contents)
- krb5_free_checksum_contents(context, &cksum);
- if (code) {
- if (t)
- free(t);
- }
-
- return(code);
+ return(0);
}
-static krb5_error_code
-make_seal_token_v1 PROTOTYPE((krb5_context context,
- krb5_keyblock *enc,
- krb5_keyblock *seq,
- krb5_int32 *seqnum,
- int direction,
- gss_buffer_t text,
- gss_buffer_t token,
- int signalg,
- int cksum_size,
- int sealalg,
- int encrypt,
- int toktype,
- int bigend,
- gss_OID oid));
+/* if signonly is true, ignore conf_req, conf_state,
+ and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */
-static krb5_error_code
-make_seal_token_v1(context, enc, seq, seqnum, direction, text, token,
- signalg, cksum_size, sealalg, encrypt, toktype,
- bigend, oid)
- krb5_context context;
- krb5_keyblock *enc;
- krb5_keyblock *seq;
- krb5_int32 *seqnum;
- int direction;
- gss_buffer_t text;
- gss_buffer_t token;
- int signalg;
- int cksum_size;
- int sealalg;
- int encrypt;
- int toktype;
- int bigend;
- gss_OID oid;
+OM_uint32
+kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req,
+ input_message_buffer, conf_state, output_message_buffer, toktype)
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ int conf_req_flag;
+ int qop_req;
+ gss_buffer_t input_message_buffer;
+ int *conf_state;
+ gss_buffer_t output_message_buffer;
+ int toktype;
{
- krb5_error_code code;
- size_t sumlen;
- char *data_ptr;
- krb5_data plaind;
- krb5_checksum md5cksum;
- krb5_checksum cksum;
- int conflen=0, tmsglen, tlen;
- unsigned char *t, *ptr;
-
- /* create the token buffer */
-
- if (toktype == KG_TOK_SEAL_MSG) {
- if (bigend && !encrypt) {
- tmsglen = text->length;
- } else {
- conflen = kg_confounder_size(context, enc);
- /* XXX knows that des block size is 8 */
- tmsglen = (conflen+text->length+8)&(~7);
- }
- } else {
- tmsglen = 0;
- }
-
- tlen = g_token_size((gss_OID) oid, 14+cksum_size+tmsglen);
-
- if ((t = (unsigned char *) xmalloc(tlen)) == NULL)
- return(ENOMEM);
-
- /*** fill in the token */
-
- ptr = t;
-
- g_make_token_header((gss_OID) oid, 14+cksum_size+tmsglen, &ptr, toktype);
-
- /* 0..1 SIGN_ALG */
-
- ptr[0] = signalg;
- ptr[1] = 0;
-
- /* 2..3 SEAL_ALG or Filler */
-
- if ((toktype == KG_TOK_SEAL_MSG) && encrypt) {
- ptr[2] = sealalg;
- ptr[3] = 0;
- } else {
- /* No seal */
- ptr[2] = 0xff;
- ptr[3] = 0xff;
- }
-
- /* 4..5 Filler */
-
- ptr[4] = 0xff;
- ptr[5] = 0xff;
-
- /* pad the plaintext, encrypt if needed, and stick it in the token */
-
- /* initialize the the cksum */
- if (code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen))
- return(code);
-
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- md5cksum.length = sumlen;
- if (toktype == KG_TOK_SEAL_MSG) {
- unsigned char *plain;
- unsigned char pad;
-
- if (!bigend || encrypt) {
- if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
- xfree(t);
- return(ENOMEM);
- }
-
- if ((code = kg_make_confounder(context, enc, plain))) {
- xfree(plain);
- xfree(t);
- return(code);
- }
-
- memcpy(plain+conflen, text->value, text->length);
-
- /* XXX 8 is DES cblock size */
- pad = 8-(text->length%8);
-
- memset(plain+conflen+text->length, pad, pad);
- } else {
- /* plain is never used in the bigend && !encrypt case */
- plain = NULL;
- }
+ krb5_gss_ctx_id_rec *ctx;
+ krb5_error_code code;
+ krb5_timestamp now;
- if (encrypt) {
- if ((code = kg_encrypt(context, enc, NULL, (krb5_pointer) plain,
- (krb5_pointer) (ptr+cksum_size+14),
- tmsglen))) {
- if (plain)
- xfree(plain);
- xfree(t);
- return(code);
- }
- } else {
- if (bigend)
- memcpy(ptr+14+cksum_size, text->value, text->length);
- else
- memcpy(ptr+14+cksum_size, plain, tmsglen);
- }
-
- /* compute the checksum */
-
- /* 8 = head of token body as specified by mech spec */
- if (! (data_ptr =
- (char *) xmalloc(8 + (bigend ? text->length : tmsglen)))) {
- if (plain)
- xfree(plain);
- xfree(t);
- return(ENOMEM);
- }
- (void) memcpy(data_ptr, ptr-2, 8);
- if (bigend)
- (void) memcpy(data_ptr+8, text->value, text->length);
- else
- (void) memcpy(data_ptr+8, plain, tmsglen);
- plaind.length = 8 + (bigend ? text->length : tmsglen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type,
- 0, 0, &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (plain)
- xfree(plain);
- xfree(t);
- return(code);
- memcpy(ptr+14+cksum_size, plain, tmsglen);
- }
-
- if (plain)
- xfree(plain);
- } else {
- /* compute the checksum */
-
- if (! (data_ptr = (char *) xmalloc(8 + text->length))) {
- xfree(t);
- return(ENOMEM);
- }
- (void) memcpy(data_ptr, ptr-2, 8);
- (void) memcpy(data_ptr+8, text->value, text->length);
- plaind.length = 8 + text->length;
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type, 0, 0,
- &plaind, &md5cksum);
- xfree(data_ptr);
- if (code) {
- xfree(t);
- return(code);
- }
- }
-
- switch(signalg) {
- case 0:
- case 3:
+ output_message_buffer->length = 0;
+ output_message_buffer->value = NULL;
+ /* only default qop or matching established cryptosystem is allowed */
+
#if 0
- /* XXX this depends on the key being a single-des key */
-
- /* DES CBC doesn't use a zero IV like it should in some
- krb5 implementations (beta5+). So we just do the
- DES encryption the long way, and keep the last block
- as the MAC */
-
- /* XXX not converted to new api since it's inside an #if 0 */
-
- /* initialize the the cksum and allocate the contents buffer */
- cksum.checksum_type = CKSUMTYPE_DESCBC;
- cksum.length = krb5_checksum_size(context, CKSUMTYPE_DESCBC);
- if ((cksum.contents = (krb5_octet *) xmalloc(cksum.length)) == NULL)
- return(ENOMEM);
-
- /* XXX not converted to new api since it's inside an #if 0 */
- if (code = krb5_calculate_checksum(context, cksum.checksum_type,
- md5cksum.contents, 16,
- seq->contents,
- seq->length,
- &cksum)) {
- xfree(cksum.contents);
- xfree(md5cksum.contents);
- xfree(t);
- return(code);
- }
-
- memcpy(ptr+14, cksum.contents, 8);
-
- xfree(cksum.contents);
+ switch (qop_req & GSS_KRB5_CONF_C_QOP_MASK) {
+ case GSS_C_QOP_DEFAULT:
+ break;
+ default:
+ unknown_qop:
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return GSS_S_FAILURE;
+ case GSS_KRB5_CONF_C_QOP_DES:
+ if (ctx->sealalg != SEAL_ALG_DES) {
+ bad_qop:
+ *minor_status = (OM_uint32) G_BAD_QOP;
+ return GSS_S_FAILURE;
+ }
+ break;
+ case GSS_KRB5_CONF_C_QOP_DES3:
+ if (ctx->sealalg != SEAL_ALG_DES3)
+ goto bad_qop;
+ break;
+ }
+ switch (qop_req & GSS_KRB5_INTEG_C_QOP_MASK) {
+ case GSS_C_QOP_DEFAULT:
+ break;
+ default:
+ goto unknown_qop;
+ case GSS_KRB5_INTEG_C_QOP_MD5:
+ case GSS_KRB5_INTEG_C_QOP_DES_MD5:
+ case GSS_KRB5_INTEG_C_QOP_DES_MAC:
+ if (ctx->sealalg != SEAL_ALG_DES)
+ goto bad_qop;
+ break;
+ case GSS_KRB5_INTEG_C_QOP_HMAC_SHA1:
+ if (ctx->sealalg != SEAL_ALG_DES3KD)
+ goto bad_qop;
+ break;
+ }
#else
- if ((code = kg_encrypt(context, seq,
- (g_OID_equal(oid, gss_mech_krb5_old) ?
- seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- xfree(md5cksum.contents);
- xfree(t);
- return code;
- }
-
- cksum.length = cksum_size;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
-
- memcpy(ptr+14, cksum.contents, cksum.length);
+ if (qop_req != 0) {
+ *minor_status = (OM_uint32) G_UNKNOWN_QOP;
+ return GSS_S_FAILURE;
+ }
#endif
- break;
- }
-
- xfree(md5cksum.contents);
-
- /* create the seq_num */
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- if ((code = kg_make_seq_num(context, seq, direction?0:0xff, *seqnum,
- ptr+14, ptr+6))) {
- xfree(t);
- return(code);
- }
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
- /* that's it. return the token */
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
- (*seqnum)++;
+ if ((code = krb5_timeofday(context, &now))) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- token->length = tlen;
- token->value = (void *) t;
+ code = make_seal_token_v1(context, ctx->enc, ctx->seq,
+ &ctx->seq_send, ctx->initiate,
+ input_message_buffer, output_message_buffer,
+ ctx->signalg, ctx->cksum_size, ctx->sealalg,
+ conf_req_flag, toktype, ctx->big_endian,
+ ctx->mech_used);
- return(0);
-}
+ if (code) {
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
-/* if signonly is true, ignore conf_req, conf_state,
- and do not encode the ENC_TYPE, MSG_LENGTH, or MSG_TEXT fields */
+ if (conf_state)
+ *conf_state = conf_req_flag;
-OM_uint32
-kg_seal(context, minor_status, context_handle, conf_req_flag, qop_req,
- input_message_buffer, conf_state, output_message_buffer, toktype)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- int conf_req_flag;
- int qop_req;
- gss_buffer_t input_message_buffer;
- int *conf_state;
- gss_buffer_t output_message_buffer;
- int toktype;
-{
- krb5_gss_ctx_id_rec *ctx;
- krb5_error_code code;
- krb5_timestamp now;
-
- output_message_buffer->length = 0;
- output_message_buffer->value = NULL;
-
- /* only default qop is allowed */
- if (qop_req != GSS_C_QOP_DEFAULT) {
- *minor_status = (OM_uint32) G_UNKNOWN_QOP;
- return(GSS_S_FAILURE);
- }
-
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
-
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
-
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
-
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (ctx->gsskrb5_version == 2000) {
- if (toktype == KG_TOK_WRAP_MSG) {
- if (conf_req_flag)
- toktype = KG2_TOK_WRAP_PRIV;
- else
- toktype = KG2_TOK_WRAP_INTEG;
- } else {
- toktype = KG2_TOK_MIC;
- }
-
- if (conf_req_flag) {
- code = make_priv_token_v2(context, ctx->subkey, &ctx->seq_send,
- ctx->initiate, input_message_buffer,
- output_message_buffer, ctx->mech_used);
- } else {
- code = make_integ_token_v2(context, ctx->subkey, ctx->ctypes[0],
- &ctx->seq_send, ctx->initiate,
- input_message_buffer,
- output_message_buffer, toktype,
- ctx->mech_used);
- }
- } else {
- code = make_seal_token_v1(context, ctx->enc, ctx->seq,
- &ctx->seq_send, ctx->initiate,
- input_message_buffer, output_message_buffer,
- ctx->signalg, ctx->cksum_size, ctx->sealalg,
- conf_req_flag, toktype, ctx->big_endian,
- ctx->mech_used);
- }
-
- if (code) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (conf_state)
- *conf_state = conf_req_flag;
-
- *minor_status = 0;
- return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
+ *minor_status = 0;
+ return((ctx->endtime < now)?GSS_S_CONTEXT_EXPIRED:GSS_S_COMPLETE);
}
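Review bot: The QOP check that is actually compiled, `if (qop_req != 0) {`, compares against a literal where the removed code used `GSS_C_QOP_DEFAULT`; keeping the named constant (`if (qop_req != GSS_C_QOP_DEFAULT) {`) states the intent and survives a change in its value. The `#if 0` block above it reads `ctx->sealalg` before `ctx` is assigned and before `kg_validate_ctx_id` has run, and it tests `SEAL_ALG_DES3` in one arm and `SEAL_ALG_DES3KD` in another, so enabling it as written would dereference an uninitialized pointer. It should either move below `ctx = (krb5_gss_ctx_id_rec *) context_handle;` or be dropped until it is finished. The comment `/* only default qop or matching established cryptosystem is allowed */` describes the disabled branch; the live branch rejects everything but the default, and the comment should say so.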
diff --git a/src/lib/gssapi/krb5/k5unseal.c b/src/lib/gssapi/krb5/k5unseal.c
index 64a9539..9e4d353 100644
--- a/src/lib/gssapi/krb5/k5unseal.c
+++ b/src/lib/gssapi/krb5/k5unseal.c
@@ -1,6 +1,6 @@
/*
* Copyright 1993 by OpenVision Technologies, Inc.
- *
+ *
* Permission to use, copy, modify, distribute, and sell this software
* and its documentation for any purpose is hereby granted without fee,
* provided that the above copyright notice appears in all copies and
@@ -10,7 +10,7 @@
* without specific, written prior permission. OpenVision makes no
* representations about the suitability of this software for any
* purpose. It is provided "as is" without express or implied warranty.
- *
+ *
* OPENVISION DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE,
* INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS, IN NO
* EVENT SHALL OPENVISION BE LIABLE FOR ANY SPECIAL, INDIRECT OR
@@ -22,14 +22,14 @@
/*
* Copyright (C) 1998 by the FundsXpress, INC.
- *
+ *
* All rights reserved.
- *
+ *
* Export of this software from the United States of America may require
* a specific license from the United States Government. It is the
* responsibility of any person or organization contemplating export to
* obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -40,7 +40,7 @@
* permission. FundsXpress makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
- *
+ *
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
@@ -53,834 +53,438 @@
* $Id$
*/
-static OM_uint32
-kg2_verify_mic(context, minor_status, ctx, ptr, bodysize,
- text, qop_state)
- krb5_context context;
- OM_uint32 *minor_status;
- krb5_gss_ctx_id_rec *ctx;
- unsigned char *ptr;
- int bodysize;
- gss_buffer_t text;
- gss_qop_t *qop_state;
+/* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
+ conf_state is only valid if SEAL. */
+
+OM_uint32
+kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
+ conf_state, qop_state, toktype)
+ krb5_context context;
+ OM_uint32 *minor_status;
+ krb5_gss_ctx_id_rec *ctx;
+ unsigned char *ptr;
+ int bodysize;
+ gss_buffer_t message_buffer;
+ int *conf_state;
+ int *qop_state;
+ int toktype;
{
- size_t cksumlen;
krb5_error_code code;
- krb5_data plain;
- krb5_cksumtype tctype;
- krb5_ui_4 tseqnum;
- int tdirection;
+ int tmsglen;
+ int conflen = 0;
+ int signalg;
+ int sealalg;
+ gss_buffer_desc token;
krb5_checksum cksum;
- krb5_boolean ckvalid;
+ krb5_checksum md5cksum;
+ krb5_data plaind;
+ char *data_ptr;
krb5_timestamp now;
+ unsigned char *plain;
+ int cksum_len = 0;
+ int plainlen;
+ int direction;
+ krb5_int32 seqnum;
OM_uint32 retval;
+ size_t sumlen;
- plain.data = 0;
- cksum.contents = 0;
-
- /* verify the header */
-
- if (bodysize < 11) {
- free(plain.data);
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
+ if (toktype == KG_TOK_SEAL_MSG) {
+ message_buffer->length = 0;
+ message_buffer->value = NULL;
}
- /* allocate the checksum buffer */
-
- plain.length = 7+text->length;
-
- if ((plain.data = (char *) malloc(plain.length)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ /* get the sign and seal algorithms */
- /* suck out the body parts from the token */
+ signalg = ptr[0] + (ptr[1]<<8);
+ sealalg = ptr[2] + (ptr[3]<<8);
- tctype = (krb5_cksumtype) ((ptr[0]<<24) | (ptr[1]<<16) |
- (ptr[2]<<8) | ptr[3]);
- ptr += 4;
+ /* Sanity checks */
- memcpy(plain.data, ptr, 5);
- tseqnum = ((ptr[0]<<24) | (ptr[1]<<16) | (ptr[2]<<8) | ptr[3]);
- ptr += 4;
- tdirection = ptr[0];
- ptr += 1;
-
- cksum.length = (ptr[0]<<8) | ptr[1];
- ptr += 2;
- bodysize -= 11;
-
- if (cksum.length != bodysize) {
- free(plain.data);
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
+ if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
- cksum.contents = ptr;
- cksum.checksum_type = tctype;
+ if ((toktype != KG_TOK_SEAL_MSG) &&
+ (sealalg != 0xffff)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
- /* finish assembling the checksum buffer and compute the checksum */
+ /* in the current spec, there is only one valid seal algorithm per
+ key type, so a simple comparison is ok */
- plain.data[5] = (text->length >> 8) & 0xff;
- plain.data[6] = text->length & 0xff;
+ if ((toktype == KG_TOK_SEAL_MSG) &&
+ !((sealalg == 0xffff) ||
+ (sealalg == ctx->sealalg))) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
+ }
- memcpy(plain.data+7, text->value, text->length);
+ /* there are several mappings of seal algorithms to sign algorithms,
+ but few enough that we can try them all. */
- if (code = krb5_c_verify_checksum(context, ctx->subkey,
- KRB5_KEYUSAGE_GSS_TOK_MIC,
- &plain, &cksum, &ckvalid)) {
- free(plain.data);
- *minor_status = code;
- return(GSS_S_FAILURE);
+ if ((ctx->sealalg == SEAL_ALG_NONE && signalg > 1) ||
+ (ctx->sealalg == SEAL_ALG_1 && signalg != SGN_ALG_3) ||
+ (ctx->sealalg == SEAL_ALG_DES3KD &&
+ signalg != SGN_ALG_HMAC_SHA1_DES3_KD)) {
+ *minor_status = 0;
+ return GSS_S_DEFECTIVE_TOKEN;
}
- if (!ckvalid) {
- free(plain.data);
+ switch (signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case SGN_ALG_MD2_5:
+ cksum_len = 8;
+ break;
+ case SGN_ALG_3:
+ cksum_len = 16;
+ break;
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ cksum_len = 20;
+ break;
+ default:
*minor_status = 0;
- return(GSS_S_BAD_SIG);
+ return GSS_S_DEFECTIVE_TOKEN;
}
- /* check context expiry */
+ if (toktype == KG_TOK_SEAL_MSG)
+ tmsglen = bodysize-(14+cksum_len);
- if ((code = krb5_timeofday(context, &now))) {
- free(plain.data);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ /* get the token parameters */
- if (now > ctx->endtime) {
- free(plain.data);
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
+ /* decode the message, if SEAL */
- /* do sequencing checks */
+ if (toktype == KG_TOK_SEAL_MSG) {
+ if (sealalg != 0xffff) {
+ if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- if ((ctx->initiate && tdirection != 0xff) ||
- (!ctx->initiate && tdirection != 0)) {
- free(plain.data);
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
+ if ((code = kg_decrypt(context, ctx->enc, KG_USAGE_SEAL, NULL,
+ ptr+14+cksum_len, plain, tmsglen))) {
+ xfree(plain);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
+ } else {
+ plain = ptr+14+cksum_len;
+ }
- retval = g_order_check(&(ctx->seqstate), tseqnum);
+ plainlen = tmsglen;
- free(plain.data);
+ if ((sealalg == 0xffff) && ctx->big_endian) {
+ token.length = tmsglen;
+ } else {
+ conflen = kg_confounder_size(context, ctx->enc);
+ token.length = tmsglen - conflen - plain[tmsglen-1];
+ }
- if (retval) {
- *minor_status = 0;
- return(retval);
- }
+ if (token.length) {
+ if ((token.value = (void *) xmalloc(token.length)) == NULL) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ memcpy(token.value, plain+conflen, token.length);
+ }
+ } else if (toktype == KG_TOK_SIGN_MSG) {
+ token = *message_buffer;
+ plain = token.value;
+ plainlen = token.length;
+ } else {
+ token.length = 0;
+ token.value = NULL;
+ plain = token.value;
+ plainlen = token.length;
+ }
- if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ /* compute the checksum of the message */
+
+ /* initialize the the cksum */
+ switch (signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case SGN_ALG_MD2_5:
+ case SGN_ALG_HMAC_MD5:
+ case SGN_ALG_DES_MAC:
+ case SGN_ALG_3:
+ md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
+ break;
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ md5cksum.checksum_type = CKSUMTYPE_HMAC_SHA1_DES3;
+ break;
+ default:
+ abort ();
+ }
- *minor_status = 0;
- return(GSS_S_COMPLETE);
-}
+ if (code = krb5_c_checksum_length(context, md5cksum.checksum_type, &sumlen))
+ return(code);
+ md5cksum.length = sumlen;
-static OM_uint32
-kg2_unwrap_integ(context, minor_status, ctx, ptr, bodysize, output, qop_state)
- krb5_context context;
- OM_uint32 *minor_status;
- krb5_gss_ctx_id_rec *ctx;
- unsigned char *ptr;
- int bodysize;
- gss_buffer_t output;
- gss_qop_t *qop_state;
-{
- krb5_error_code code;
- OM_uint32 retval;
- krb5_ui_4 tseqnum;
- int tdirection;
- int tmsglen;
- unsigned char *tmsg;
- krb5_data plain;
- krb5_checksum tcksum;
- krb5_boolean ckvalid;
- krb5_timestamp now;
+ switch (signalg) {
+ case SGN_ALG_DES_MAC_MD5:
+ case SGN_ALG_3:
+ /* compute the checksum of the message */
- output->length = 0;
- output->value = NULL;
+ /* 8 = bytes of token body to be checksummed according to spec */
- /* read the body parts out of the message */
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- if (bodysize < 11) {
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ (void) memcpy(data_ptr, ptr-2, 8);
- tcksum.checksum_type = (krb5_cksumtype) ((ptr[0]<<24) | (ptr[1]<<16) |
- (ptr[2]<<8) | ptr[3]);
- ptr += 4;
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
- plain.data = ptr;
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, KG_USAGE_SIGN,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- tseqnum = ((ptr[0]<<24) | (ptr[1]<<16) | (ptr[2]<<8) | ptr[3]);
- ptr += 4;
- tdirection = ptr[0];
- ptr += 1;
+ if ((code = kg_encrypt(context, ctx->seq, KG_USAGE_SEAL,
+ (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
+ ctx->seq->contents : NULL),
+ md5cksum.contents, md5cksum.contents, 16))) {
+ xfree(md5cksum.contents);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- tmsglen = (ptr[0]<<8) | ptr[1];
- ptr += 2;
- bodysize -= 11;
+ if (signalg == 0)
+ cksum.length = 8;
+ else
+ cksum.length = 16;
+ cksum.contents = md5cksum.contents + 16 - cksum.length;
- if (bodysize < tmsglen) {
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ code = memcmp(cksum.contents, ptr+14, cksum.length);
+ break;
- tmsg = ptr;
- ptr += tmsglen;
- bodysize -= tmsglen;
+ case SGN_ALG_MD2_5:
+ if (!ctx->seed_init &&
+ (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
+ xfree(md5cksum.contents);
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return GSS_S_FAILURE;
+ }
- plain.length = ((char*)ptr) - ((char *)plain.data);
+ if (! (data_ptr = (void *)
+ xmalloc(sizeof(ctx->seed) + 8 +
+ (ctx->big_endian ? token.length : plainlen)))) {
+ xfree(md5cksum.contents);
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
+ (void) memcpy(data_ptr, ptr-2, 8);
+ (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8+sizeof(ctx->seed),
+ plain, plainlen);
+ plaind.length = 8 + sizeof(ctx->seed) +
+ (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ xfree(md5cksum.contents);
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, KG_USAGE_SIGN,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
+
+ if (code) {
+ if (sealalg == 0)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- tcksum.length = (ptr[0]<<8) | ptr[1];
- ptr += 2;
- bodysize -= 2;
+ code = memcmp(md5cksum.contents, ptr+14, 8);
+ /* Falls through to defective-token?? */
- if (bodysize != tcksum.length) {
- *minor_status = G_TOK_TRUNC;
+ default:
+ *minor_status = 0;
return(GSS_S_DEFECTIVE_TOKEN);
- }
-
- tcksum.contents = ptr;
- /* verify the MIC */
+ case SGN_ALG_HMAC_SHA1_DES3_KD:
+ /* compute the checksum of the message */
- if (code = krb5_c_verify_checksum(context, ctx->subkey,
- KRB5_KEYUSAGE_GSS_TOK_WRAP_INTEG,
- &plain, &tcksum, &ckvalid)) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
+ /* 8 = bytes of token body to be checksummed according to spec */
- if (!ckvalid) {
- *minor_status = 0;
- return(GSS_S_BAD_SIG);
- }
+ if (! (data_ptr = (void *)
+ xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
+ if (sealalg != 0xffff)
+ xfree(plain);
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = ENOMEM;
+ return(GSS_S_FAILURE);
+ }
- /* check context expiry */
-
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
- /* do sequencing checks */
-
- if ((ctx->initiate && tdirection != 0xff) ||
- (!ctx->initiate && tdirection != 0)) {
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
-
- if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
- *minor_status = 0;
- return(retval);
- }
-
- if (tmsglen) {
- if ((output->value = (void *) malloc(tmsglen)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(output->value, tmsg, tmsglen);
- output->length = tmsglen;
- }
-
- if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
-
- *minor_status = 0;
- return(GSS_S_COMPLETE);
-}
+ (void) memcpy(data_ptr, ptr-2, 8);
-static OM_uint32
-kg2_unwrap_priv(context, minor_status, ctx, ptr, bodysize, output, qop_state)
- krb5_context context;
- OM_uint32 *minor_status;
- krb5_gss_ctx_id_rec *ctx;
- unsigned char *ptr;
- int bodysize;
- gss_buffer_t output;
- gss_qop_t *qop_state;
-{
- krb5_error_code code;
- OM_uint32 retval;
- krb5_enc_data cipher;
- krb5_data plain;
- krb5_ui_4 tseqnum;
- int tdirection;
- int tmsglen;
- unsigned char *tmsg;
- krb5_timestamp now;
+ if (ctx->big_endian)
+ (void) memcpy(data_ptr+8, token.value, token.length);
+ else
+ (void) memcpy(data_ptr+8, plain, plainlen);
- output->length = 0;
- output->value = NULL;
+ plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
+ plaind.data = data_ptr;
+ code = krb5_c_make_checksum(context, md5cksum.checksum_type,
+ ctx->seq, KG_USAGE_SIGN,
+ &plaind, &md5cksum);
+ xfree(data_ptr);
- /* read the body parts out of the message */
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
+ return(GSS_S_FAILURE);
+ }
- if (bodysize < 2) {
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
+ code = memcmp(md5cksum.contents, ptr+14, md5cksum.length);
+ break;
}
- cipher.ciphertext.length = (ptr[0]<<8) | ptr[1];
- ptr += 2;
- bodysize -= 2;
+ xfree(md5cksum.contents);
+ if (sealalg != 0xffff)
+ xfree(plain);
- if (bodysize != cipher.ciphertext.length) {
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ /* compare the computed checksum against the transmitted checksum */
- cipher.ciphertext.data = ptr;
- cipher.enctype = ENCTYPE_UNKNOWN;
-
- plain.length = cipher.ciphertext.length;
- if ((plain.data = (char *) malloc(plain.length)) == NULL) {
+ if (code) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
*minor_status = 0;
- return(GSS_S_FAILURE);
- }
-
- /* decrypt (and implicitly verify) the encrypted data */
-
- if (code = krb5_c_decrypt(context, ctx->subkey,
- KRB5_KEYUSAGE_GSS_TOK_WRAP_PRIV,
- 0, &cipher, &plain)) {
- free(plain.data);
- *minor_status = code;
- return(GSS_S_FAILURE);
+ return(GSS_S_BAD_SIG);
}
- /* parse out the encrypted fields */
- ptr = plain.data;
- bodysize = plain.length;
+ /* it got through unscathed. Make sure the context is unexpired */
- if (bodysize < 7) {
- free(plain.data);
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
+ if (toktype == KG_TOK_SEAL_MSG)
+ *message_buffer = token;
- tseqnum = ((ptr[0]<<24) | (ptr[1]<<16) | (ptr[2]<<8) | ptr[3]);
- ptr += 4;
- tdirection = ptr[0];
- ptr += 1;
+ if (conf_state)
+ *conf_state = (sealalg != 0xffff);
- tmsglen = (ptr[0]<<8) | ptr[1];
- ptr += 2;
- bodysize -= 7;
-
- /* check context expiry */
+ if (qop_state)
+ *qop_state = GSS_C_QOP_DEFAULT;
if ((code = krb5_timeofday(context, &now))) {
- free(plain.data);
*minor_status = code;
return(GSS_S_FAILURE);
}
if (now > ctx->endtime) {
- free(plain.data);
*minor_status = 0;
return(GSS_S_CONTEXT_EXPIRED);
}
/* do sequencing checks */
- if ((ctx->initiate && tdirection != 0xff) ||
- (!ctx->initiate && tdirection != 0)) {
- free(plain.data);
- *minor_status = G_BAD_DIRECTION;
+ if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
+ &seqnum))) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = code;
return(GSS_S_BAD_SIG);
}
- if (retval = g_order_check(&(ctx->seqstate), tseqnum)) {
- free(plain.data);
- *minor_status = 0;
- return(retval);
- }
-
- /* now copy out the data. can't do a strict equality check here,
- since the output could be padded. */
-
- if (bodysize < tmsglen) {
- free(plain.data);
- *minor_status = G_TOK_TRUNC;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
-
- tmsg = ptr;
-
- if (tmsglen) {
- if ((output->value = (void *) malloc(tmsglen)) == NULL) {
- free(plain.data);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(output->value, tmsg, tmsglen);
- output->length = tmsglen;
+ if ((ctx->initiate && direction != 0xff) ||
+ (!ctx->initiate && direction != 0)) {
+ if (toktype == KG_TOK_SEAL_MSG)
+ xfree(token.value);
+ *minor_status = G_BAD_DIRECTION;
+ return(GSS_S_BAD_SIG);
}
- if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
+ retval = g_order_check(&(ctx->seqstate), seqnum);
- free(plain.data);
+ /* success or ordering violation */
*minor_status = 0;
- return(GSS_S_COMPLETE);
+ return(retval);
}
/* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
conf_state is only valid if SEAL. */
OM_uint32
-kg_unseal_v1(context, minor_status, ctx, ptr, bodysize, message_buffer,
- conf_state, qop_state, toktype)
- krb5_context context;
- OM_uint32 *minor_status;
- krb5_gss_ctx_id_rec *ctx;
- unsigned char *ptr;
- int bodysize;
- gss_buffer_t message_buffer;
- int *conf_state;
- int *qop_state;
- int toktype;
+kg_unseal(context, minor_status, context_handle, input_token_buffer,
+ message_buffer, conf_state, qop_state, toktype)
+ krb5_context context;
+ OM_uint32 *minor_status;
+ gss_ctx_id_t context_handle;
+ gss_buffer_t input_token_buffer;
+ gss_buffer_t message_buffer;
+ int *conf_state;
+ int *qop_state;
+ int toktype;
{
- krb5_error_code code;
- int tmsglen;
- int conflen = 0;
- int signalg;
- int sealalg;
- gss_buffer_desc token;
- krb5_checksum cksum;
- krb5_checksum desmac;
- krb5_checksum md5cksum;
- krb5_data plaind;
- char *data_ptr;
- krb5_timestamp now;
- unsigned char *plain;
- int cksum_len = 0;
- int plainlen;
- int err;
- int direction;
- krb5_int32 seqnum;
- OM_uint32 retval;
- size_t sumlen;
-
- if (toktype == KG_TOK_SEAL_MSG) {
- message_buffer->length = 0;
- message_buffer->value = NULL;
- }
-
- /* get the sign and seal algorithms */
-
- signalg = ptr[0] + (ptr[1]<<8);
- sealalg = ptr[2] + (ptr[3]<<8);
-
- /* Sanity checks */
-
- if ((ptr[4] != 0xff) || (ptr[5] != 0xff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- if ((toktype != KG_TOK_SEAL_MSG) &&
- (sealalg != 0xffff)) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- /* in the current spec, there is only one valid seal algorithm per
- key type, so a simple comparison is ok */
-
- if ((toktype == KG_TOK_SEAL_MSG) &&
- !((sealalg == 0xffff) ||
- (sealalg == ctx->sealalg))) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- /* there are several mappings of seal algorithms to sign algorithms,
- but few enough that we can try them all. */
-
- if (((ctx->sealalg == 0) &&
- (signalg > 1)) ||
- ((ctx->sealalg == 1) &&
- (signalg != 3))) {
- *minor_status = 0;
- return GSS_S_DEFECTIVE_TOKEN;
- }
-
- switch (signalg) {
- case 0:
- case 1:
- cksum_len = 8;
- break;
- case 3:
- cksum_len = 16;
- break;
- }
-
- if (toktype == KG_TOK_SEAL_MSG)
- tmsglen = bodysize-(14+cksum_len);
-
- /* get the token parameters */
-
- /* decode the message, if SEAL */
-
- if (toktype == KG_TOK_SEAL_MSG) {
- if (sealalg != 0xffff) {
- if ((plain = (unsigned char *) xmalloc(tmsglen)) == NULL) {
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
+ krb5_gss_ctx_id_rec *ctx;
+ unsigned char *ptr;
+ int bodysize;
+ int err;
+
+ /* validate the context handle */
+ if (! kg_validate_ctx_id(context_handle)) {
+ *minor_status = (OM_uint32) G_VALIDATE_FAILED;
+ return(GSS_S_NO_CONTEXT);
+ }
- if ((code = kg_decrypt(context, ctx->enc, NULL,
- ptr+14+cksum_len, plain, tmsglen))) {
- xfree(plain);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- } else {
- plain = ptr+14+cksum_len;
- }
-
- plainlen = tmsglen;
-
- if ((sealalg == 0xffff) && ctx->big_endian) {
- token.length = tmsglen;
- } else {
- conflen = kg_confounder_size(context, ctx->enc);
- token.length = tmsglen - conflen - plain[tmsglen-1];
- }
-
- if (token.length) {
- if ((token.value = (void *) xmalloc(token.length)) == NULL) {
- if (sealalg != 0xffff)
- xfree(plain);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- memcpy(token.value, plain+conflen, token.length);
- }
- } else if (toktype == KG_TOK_SIGN_MSG) {
- token = *message_buffer;
- plain = token.value;
- plainlen = token.length;
- } else {
- token.length = 0;
- token.value = NULL;
- plain = token.value;
- plainlen = token.length;
- }
-
- /* compute the checksum of the message */
-
- /* initialize the the cksum */
- if (code = krb5_c_checksum_length(context, CKSUMTYPE_RSA_MD5, &sumlen))
- return(code);
-
- md5cksum.checksum_type = CKSUMTYPE_RSA_MD5;
- md5cksum.length = sumlen;
-
- switch (signalg) {
- case 0:
- case 3:
- /* compute the checksum of the message */
-
- /* 8 = bytes of token body to be checksummed according to spec */
-
- if (! (data_ptr = (void *)
- xmalloc(8 + (ctx->big_endian ? token.length : plainlen)))) {
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- (void) memcpy(data_ptr, ptr-2, 8);
-
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8, token.value, token.length);
- else
- (void) memcpy(data_ptr+8, plain, plainlen);
-
- plaind.length = 8 + (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- code = krb5_c_make_checksum(context, md5cksum.checksum_type, 0, 0,
- &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
-#if 0
- /* XXX this depends on the key being a single-des key, but that's
- all that kerberos supports right now */
-
- /* initialize the the cksum and allocate the contents buffer */
- cksum.checksum_type = CKSUMTYPE_DESCBC;
- cksum.length = krb5_checksum_size(context, CKSUMTYPE_DESCBC);
- if ((cksum.contents = (krb5_octet *) xmalloc(cksum.length)) == NULL) {
- xfree(md5cksum.contents);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
-
- /* XXX not converted to new api since it's inside an #if 0 */
- if (code = krb5_calculate_checksum(context, cksum.checksum_type,
- md5cksum.contents, 16,
- ctx->seq.key->contents,
- ctx->seq.key->length,
- &cksum)) {
- xfree(cksum.contents);
- xfree(md5cksum.contents);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = memcmp(cksum.contents, ptr+14, cksum.length);
-
- xfree(cksum.contents);
-#else
- if ((code = kg_encrypt(context, ctx->seq,
- (g_OID_equal(ctx->mech_used, gss_mech_krb5_old) ?
- ctx->seq->contents : NULL),
- md5cksum.contents, md5cksum.contents, 16))) {
- xfree(md5cksum.contents);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- if (signalg == 0)
- cksum.length = 8;
- else
- cksum.length = 16;
- cksum.contents = md5cksum.contents + 16 - cksum.length;
-
- code = memcmp(cksum.contents, ptr+14, cksum.length);
-#endif
- break;
-
- case 1:
- if (!ctx->seed_init &&
- (code = kg_make_seed(context, ctx->subkey, ctx->seed))) {
- xfree(md5cksum.contents);
- if (sealalg != 0xffff)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return GSS_S_FAILURE;
- }
-
- if (! (data_ptr = (void *)
- xmalloc(sizeof(ctx->seed) + 8 +
- (ctx->big_endian ? token.length : plainlen)))) {
- xfree(md5cksum.contents);
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = ENOMEM;
- return(GSS_S_FAILURE);
- }
- (void) memcpy(data_ptr, ptr-2, 8);
- (void) memcpy(data_ptr+8, ctx->seed, sizeof(ctx->seed));
- if (ctx->big_endian)
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- token.value, token.length);
- else
- (void) memcpy(data_ptr+8+sizeof(ctx->seed),
- plain, plainlen);
- plaind.length = 8 + sizeof(ctx->seed) +
- (ctx->big_endian ? token.length : plainlen);
- plaind.data = data_ptr;
- xfree(md5cksum.contents);
- code = krb5_c_make_checksum(context, md5cksum.checksum_type, 0, 0,
- &plaind, &md5cksum);
- xfree(data_ptr);
-
- if (code) {
- if (sealalg == 0)
- xfree(plain);
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- code = memcmp(md5cksum.contents, ptr+14, 8);
-
- default:
- *minor_status = 0;
- return(GSS_S_DEFECTIVE_TOKEN);
- }
-
- xfree(md5cksum.contents);
- if (sealalg != 0xffff)
- xfree(plain);
-
- /* compare the computed checksum against the transmitted checksum */
-
- if (code) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = 0;
- return(GSS_S_BAD_SIG);
- }
-
-
- /* it got through unscathed. Make sure the context is unexpired */
-
- if (toktype == KG_TOK_SEAL_MSG)
- *message_buffer = token;
-
- if (conf_state)
- *conf_state = (sealalg != 0xffff);
-
- if (qop_state)
- *qop_state = GSS_C_QOP_DEFAULT;
-
- if ((code = krb5_timeofday(context, &now))) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- if (now > ctx->endtime) {
- *minor_status = 0;
- return(GSS_S_CONTEXT_EXPIRED);
- }
-
- /* do sequencing checks */
-
- if ((code = kg_get_seq_num(context, ctx->seq, ptr+14, ptr+6, &direction,
- &seqnum))) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = code;
- return(GSS_S_BAD_SIG);
- }
-
- if ((ctx->initiate && direction != 0xff) ||
- (!ctx->initiate && direction != 0)) {
- if (toktype == KG_TOK_SEAL_MSG)
- xfree(token.value);
- *minor_status = G_BAD_DIRECTION;
- return(GSS_S_BAD_SIG);
- }
-
- retval = g_order_check(&(ctx->seqstate), seqnum);
-
- /* success or ordering violation */
-
- *minor_status = 0;
- return(retval);
-}
+ ctx = (krb5_gss_ctx_id_rec *) context_handle;
-/* message_buffer is an input if SIGN, output if SEAL, and ignored if DEL_CTX
- conf_state is only valid if SEAL. */
+ if (! ctx->established) {
+ *minor_status = KG_CTX_INCOMPLETE;
+ return(GSS_S_NO_CONTEXT);
+ }
-OM_uint32
-kg_unseal(context, minor_status, context_handle, input_token_buffer,
- message_buffer, conf_state, qop_state, toktype)
- krb5_context context;
- OM_uint32 *minor_status;
- gss_ctx_id_t context_handle;
- gss_buffer_t input_token_buffer;
- gss_buffer_t message_buffer;
- int *conf_state;
- int *qop_state;
- int toktype;
-{
- krb5_gss_ctx_id_rec *ctx;
- unsigned char *ptr;
- int bodysize;
- int err;
- OM_uint32 retval;
-
- /* validate the context handle */
- if (! kg_validate_ctx_id(context_handle)) {
- *minor_status = (OM_uint32) G_VALIDATE_FAILED;
- return(GSS_S_NO_CONTEXT);
- }
-
- ctx = (krb5_gss_ctx_id_rec *) context_handle;
-
- if (! ctx->established) {
- *minor_status = KG_CTX_INCOMPLETE;
- return(GSS_S_NO_CONTEXT);
- }
-
- /* parse the token, leave the data in message_buffer, setting conf_state */
-
- /* verify the header */
-
- ptr = (unsigned char *) input_token_buffer->value;
-
- if (ctx->gsskrb5_version == 2000) {
- if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
- &bodysize, &ptr, KG2_TOK_MIC,
- input_token_buffer->length))) {
- return(kg2_verify_mic(context, minor_status, ctx, ptr, bodysize,
- message_buffer, qop_state));
- } else if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
- &bodysize, &ptr,
- KG2_TOK_WRAP_INTEG,
- input_token_buffer->length))) {
- if (GSS_ERROR(retval = kg2_unwrap_integ(context, minor_status,
- ctx, ptr, bodysize,
- message_buffer, qop_state)))
- return(retval);
-
- if (conf_state)
- *conf_state = 0;
- return(GSS_S_COMPLETE);
- } else if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
- &bodysize, &ptr,
- KG2_TOK_WRAP_PRIV,
- input_token_buffer->length))) {
- if (GSS_ERROR(retval = kg2_unwrap_priv(context, minor_status,
- ctx, ptr, bodysize,
- message_buffer, qop_state)))
- return(retval);
-
- if (conf_state)
- *conf_state = 1;
- return(GSS_S_COMPLETE);
- }
- } else {
- if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
- &bodysize, &ptr, toktype,
- input_token_buffer->length))) {
- return(kg_unseal_v1(context, minor_status, ctx, ptr, bodysize,
- message_buffer, conf_state, qop_state,
- toktype));
- }
- }
-
- *minor_status = err;
- return(GSS_S_DEFECTIVE_TOKEN);
+ /* parse the token, leave the data in message_buffer, setting conf_state */
+
+ /* verify the header */
+
+ ptr = (unsigned char *) input_token_buffer->value;
+
+ if (!(err = g_verify_token_header((gss_OID) ctx->mech_used,
+ &bodysize, &ptr, toktype,
+ input_token_buffer->length))) {
+ return(kg_unseal_v1(context, minor_status, ctx, ptr, bodysize,
+ message_buffer, conf_state, qop_state,
+ toktype));
+ }
+
+ *minor_status = err;
+ return(GSS_S_DEFECTIVE_TOKEN);
}
diff --git a/src/lib/gssapi/krb5/ser_sctx.c b/src/lib/gssapi/krb5/ser_sctx.c
index 2a6231e..781e8ee 100644
--- a/src/lib/gssapi/krb5/ser_sctx.c
+++ b/src/lib/gssapi/krb5/ser_sctx.c
@@ -155,7 +155,6 @@ kg_queue_internalize(kcontext, argp, buffer, lenremain)
size_t *lenremain;
{
krb5_error_code kret;
- gss_OID oid;
krb5_int32 ibuf;
krb5_octet *bp;
size_t remain;
@@ -233,7 +232,6 @@ kg_ctx_size(kcontext, arg, sizep)
* krb5_int32 for seq_recv.
* krb5_int32 for established.
* krb5_int32 for big_endian.
- * krb5_int32 for gsskrb5_version.
* krb5_int32 for nctypes.
* krb5_int32 for trailer.
*/
@@ -349,8 +347,6 @@ kg_ctx_externalize(kcontext, arg, buffer, lenremain)
&bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->big_endian,
&bp, &remain);
- (void) krb5_ser_pack_int32((krb5_int32) ctx->gsskrb5_version,
- &bp, &remain);
(void) krb5_ser_pack_int32((krb5_int32) ctx->nctypes,
&bp, &remain);
@@ -477,8 +473,6 @@ kg_ctx_internalize(kcontext, argp, buffer, lenremain)
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->big_endian = (int) ibuf;
(void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
- ctx->gsskrb5_version = (int) ibuf;
- (void) krb5_ser_unpack_int32(&ibuf, &bp, &remain);
ctx->nctypes = (int) ibuf;
if ((kret = kg_oid_internalize(kcontext, &ctx->mech_used, &bp,
diff --git a/src/lib/gssapi/krb5/util_cksum.c b/src/lib/gssapi/krb5/util_cksum.c
index 10e6b65..47ffc5b 100644
--- a/src/lib/gssapi/krb5/util_cksum.c
+++ b/src/lib/gssapi/krb5/util_cksum.c
@@ -27,6 +27,7 @@
#include "gssapiP_krb5.h"
#include <memory.h>
+/* Checksumming the channel bindings always uses plain MD5. */
krb5_error_code
kg_checksum_channel_bindings(context, cb, cksum, bigend)
krb5_context context;
diff --git a/src/lib/gssapi/krb5/util_crypt.c b/src/lib/gssapi/krb5/util_crypt.c
index 93d4694..33562bc 100644
--- a/src/lib/gssapi/krb5/util_crypt.c
+++ b/src/lib/gssapi/krb5/util_crypt.c
@@ -54,8 +54,6 @@
* $Id$
*/
-static unsigned char zeros[8] = {0,0,0,0,0,0,0,0};
-
int
kg_confounder_size(context, key)
krb5_context context;
@@ -105,9 +103,10 @@ kg_encrypt_size(context, key, n)
}
krb5_error_code
-kg_encrypt(context, key, iv, in, out, length)
+kg_encrypt(context, key, usage, iv, in, out, length)
krb5_context context;
krb5_keyblock *key;
+ int usage;
krb5_pointer iv;
krb5_pointer in;
krb5_pointer out;
@@ -123,7 +122,10 @@ kg_encrypt(context, key, iv, in, out, length)
return(code);
ivd.length = blocksize;
- ivd.data = iv;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
pivd = &ivd;
} else {
pivd = NULL;
@@ -135,25 +137,26 @@ kg_encrypt(context, key, iv, in, out, length)
outputd.ciphertext.length = length;
outputd.ciphertext.data = out;
- return(krb5_c_encrypt(context, key,
- /* XXX this routine is only used for the old
- bare-des stuff which doesn't use the
- key usage */ 0, pivd, &inputd, &outputd));
+ code = krb5_c_encrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ krb5_free_data_contents(context, pivd);
+ return code;
}
/* length is the length of the cleartext. */
krb5_error_code
-kg_decrypt(context, key, iv, in, out, length)
+kg_decrypt(context, key, usage, iv, in, out, length)
krb5_context context;
krb5_keyblock *key;
+ int usage;
krb5_pointer iv;
krb5_pointer in;
krb5_pointer out;
int length;
{
krb5_error_code code;
- size_t blocksize, enclen;
+ size_t blocksize;
krb5_data ivd, *pivd, outputd;
krb5_enc_data inputd;
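Review bot: The IV copy is released with `krb5_free_data_contents(context, pivd);` without being cleared, and at least one caller in this commit passes key bytes as the IV (the unseal path gives `ctx->seq->contents` to kg_encrypt for the old mechanism OID). Unless krb5_c_encrypt overwrites the IV buffer or the free routine wipes it, neither of which is visible here, those bytes remain in freed heap memory. Clearing first, `if (pivd != NULL) memset(pivd->data, 0, pivd->length);`, would remove the doubt, preferably with a wipe the compiler cannot drop if the tree provides one. The kg_decrypt hunk at the end of this file adds the same release sequence and would take the same change.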
@@ -162,7 +165,10 @@ kg_decrypt(context, key, iv, in, out, length)
return(code);
ivd.length = blocksize;
- ivd.data = iv;
+ ivd.data = malloc(ivd.length);
+ if (ivd.data == NULL)
+ return ENOMEM;
+ memcpy(ivd.data, iv, ivd.length);
pivd = &ivd;
} else {
pivd = NULL;
@@ -175,8 +181,8 @@ kg_decrypt(context, key, iv, in, out, length)
outputd.length = length;
outputd.data = out;
- return(krb5_c_decrypt(context, key,
- /* XXX this routine is only used for the old
- bare-des stuff which doesn't use the
- key usage */ 0, pivd, &inputd, &outputd));
+ code = krb5_c_decrypt(context, key, usage, pivd, &inputd, &outputd);
+ if (pivd != NULL)
+ krb5_free_data_contents(context, pivd);
+ return code;
}
diff --git a/src/lib/gssapi/krb5/util_seed.c b/src/lib/gssapi/krb5/util_seed.c
index 206ee68..b4a9044 100644
--- a/src/lib/gssapi/krb5/util_seed.c
+++ b/src/lib/gssapi/krb5/util_seed.c
@@ -47,7 +47,7 @@ kg_make_seed(context, key, seed)
for (i=0; i<tmpkey->length; i++)
tmpkey->contents[i] = key->contents[key->length - 1 - i];
- code = kg_encrypt(context, tmpkey, NULL, zeros, seed, 16);
+ code = kg_encrypt(context, tmpkey, KG_USAGE_SEAL, NULL, zeros, seed, 16);
krb5_free_keyblock(context, tmpkey);
diff --git a/src/lib/gssapi/krb5/util_seqnum.c b/src/lib/gssapi/krb5/util_seqnum.c
index e14b2f3..b8f2b38 100644
--- a/src/lib/gssapi/krb5/util_seqnum.c
+++ b/src/lib/gssapi/krb5/util_seqnum.c
@@ -47,7 +47,7 @@ kg_make_seq_num(context, key, direction, seqnum, cksum, buf)
plain[6] = direction;
plain[7] = direction;
- return(kg_encrypt(context, key, cksum, plain, buf, 8));
+ return(kg_encrypt(context, key, KG_USAGE_SEQ, cksum, plain, buf, 8));
}
krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum)
@@ -61,7 +61,7 @@ krb5_error_code kg_get_seq_num(context, key, cksum, buf, direction, seqnum)
krb5_error_code code;
unsigned char plain[8];
- if (code = kg_decrypt(context, key, cksum, buf, plain, 8))
+ if (code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8))
return(code);
if ((plain[4] != plain[5]) ||
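Review bot: The rewritten call in kg_get_seq_num keeps the bare assignment-as-condition form, `if (code = kg_decrypt(...))`, which compilers warn about and which reads like a mistyped comparison. Other new lines in this commit use doubled parentheses for the same idiom, so `if ((code = kg_decrypt(context, key, KG_USAGE_SEQ, cksum, buf, plain, 8)))` would match them. The function body continues past the end of this hunk.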
diff --git a/src/lib/gssapi/krb5/wrap_size_limit.c b/src/lib/gssapi/krb5/wrap_size_limit.c
index f7fee73..1f2db4a 100644
--- a/src/lib/gssapi/krb5/wrap_size_limit.c
+++ b/src/lib/gssapi/krb5/wrap_size_limit.c
@@ -1,4 +1,28 @@
/*
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 by OpenVision Technologies, Inc.
*
* Permission to use, copy, modify, distribute, and sell this software
@@ -65,7 +89,9 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
{
krb5_context context;
krb5_gss_ctx_id_rec *ctx;
- krb5_error_code code;
+ OM_uint32 data_size, conflen;
+ OM_uint32 ohlen;
+ int overhead;
if (GSS_ERROR(kg_get_context(minor_status, &context)))
return(GSS_S_FAILURE);
@@ -88,92 +114,23 @@ krb5_gss_wrap_size_limit(minor_status, context_handle, conf_req_flag,
return(GSS_S_NO_CONTEXT);
}
- if (ctx->gsskrb5_version == 2000) {
- if (conf_req_flag) {
- /* this is pretty gross. take the max output, and call
- krb5_c_encrypt_length to see how much overhead is added
- on. subtract that much, and see if it fits in the
- requested space. If not, start subtracting 1 until it
- does. This doesn't necessarily give us the optimal
- packing, but I think that's ok (I could start adding 1
- until I went over, but that seems like it's not worth
- the effort). This is probably O(blocksize), but that's
- never going to be large. */
-
- OM_uint32 headerlen, plainlen;
- size_t enclen;
-
- headerlen = g_token_size((gss_OID) ctx->mech_used, 2);
- plainlen = req_output_size - headerlen;
-
- if (code = krb5_c_encrypt_length(context, ctx->enc->enctype,
- plainlen, &enclen)) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- plainlen -= plainlen - (enclen - plainlen);
-
- if (code = krb5_c_encrypt_length(context, ctx->enc->enctype,
- plainlen, &enclen)) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- while (headerlen + enclen > req_output_size) {
- plainlen--;
-
- if (code = krb5_c_encrypt_length(context, ctx->enc->enctype,
- plainlen, &enclen)) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
- }
-
- /* subtract off the fixed size inside the encrypted part */
-
- plainlen -= 7;
-
- *max_input_size = plainlen;
- } else {
- size_t cksumlen;
- OM_uint32 headerlen;
-
- if (code = krb5_c_checksum_length(context, ctx->ctypes[0],
- &cksumlen)) {
- *minor_status = code;
- return(GSS_S_FAILURE);
- }
-
- headerlen = g_token_size((gss_OID) ctx->mech_used, 13 + cksumlen);
-
- *max_input_size = req_output_size - headerlen;
- }
- } else {
- OM_uint32 data_size, conflen;
- OM_uint32 ohlen;
- int overhead;
-
- /* Calculate the token size and subtract that from the output size */
- overhead = 7 + ctx->mech_used->length;
- data_size = req_output_size;
- if (conf_req_flag) {
- conflen = kg_confounder_size(context, ctx->enc);
- data_size = (conflen + data_size + 8) & (~7);
- }
- ohlen = g_token_size((gss_OID) ctx->mech_used,
- (unsigned int) (data_size + ctx->cksum_size + 14))
- - req_output_size;
-
- if (ohlen+overhead < req_output_size)
- /*
- * Cannot have trailer length that will cause us to pad over
- * our length
- */
- *max_input_size = (req_output_size - ohlen - overhead) & (~7);
- else
- *max_input_size = 0;
- }
+ /* Calculate the token size and subtract that from the output size */
+ overhead = 7 + ctx->mech_used->length;
+ data_size = req_output_size;
+ conflen = kg_confounder_size(context, ctx->enc);
+ data_size = (conflen + data_size + 8) & (~(OM_uint32)7);
+ ohlen = g_token_size((gss_OID) ctx->mech_used,
+ (unsigned int) (data_size + ctx->cksum_size + 14))
+ - req_output_size;
+
+ if (ohlen+overhead < req_output_size)
+ /*
+ * Cannot have trailer length that will cause us to pad over our
+ * length.
+ */
+ *max_input_size = (req_output_size - ohlen - overhead) & (~(OM_uint32)7);
+ else
+ *max_input_size = 0;
*minor_status = 0;
return(GSS_S_COMPLETE);
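Review bot: The rounding `data_size = (conflen + data_size + 8) & (~(OM_uint32)7);` is unsigned arithmetic on the caller-supplied req_output_size, so a value near the OM_uint32 maximum wraps to a small data_size, and the following `g_token_size(...) - req_output_size` and the `ohlen+overhead < req_output_size` test are then evaluated on wrapped values. A bound checked once conflen is known, along the lines of `if (req_output_size > ~(OM_uint32)0 - conflen - ctx->cksum_size - 22) { *max_input_size = 0; *minor_status = 0; return(GSS_S_COMPLETE); }`, would keep the result meaningful. `overhead` is declared `int` but is only combined with OM_uint32 operands, so declaring it OM_uint32 avoids the signed/unsigned conversion. The confounder and padding are now counted whether or not conf_req_flag is set, which deserves a one-line comment if intended; the function begins outside this hunk.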
diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def
index 5132ea4..3a43be2 100644
--- a/src/lib/gssapi32.def
+++ b/src/lib/gssapi32.def
@@ -72,7 +72,7 @@ EXPORTS
;
; GSS-API variables
;
- gss_nt_user_name
- gss_nt_machine_uid_name
- gss_nt_string_uid_name
- gss_nt_service_name
+ gss_nt_user_name DATA
+ gss_nt_machine_uid_name DATA
+ gss_nt_string_uid_name DATA
+ gss_nt_service_name DATA
diff --git a/src/lib/kadm5/ChangeLog b/src/lib/kadm5/ChangeLog
index 8706ec0..54e1bc5 100644
--- a/src/lib/kadm5/ChangeLog
+++ b/src/lib/kadm5/ChangeLog
@@ -1,3 +1,56 @@
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * kadm_rpc_xdr.c (xdr_krb5_kvno): Disable previous change.
+
+2002-01-25 Ken Raeburn <raeburn@mit.edu>
+
+ * kadm_rpc_xdr.c (xdr_krb5_kvno): Return an error if the key
+ version number won't fit in the one-byte encoding we currently
+ use.
+
+2001-10-31 Ezra Peisach <epeisach@mit.edu>
+
+ * str_conv.c (krb5_string_to_keysalts): When parsing string, allow
+ for extra separator characters (like spaces) between keysalts.
+ [pullup 1.7->1.8 from trunk]
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * admin.h (krb5_realm_params): Add fields realm_reject_bad_transit
+ and realm_reject_bad_transit_valid; delete field realm_filler.
+ * alt_prof.c (string_to_boolean, krb5_aprof_get_boolean): New
+ functions.
+ (krb5_read_realm_params): Parse "reject_bad_transit" value as
+ boolean and save it.
+
+2001-09-07 Tom Yu <tlyu@mit.edu>
+
+ * adb.h: Add btinfo. [pullup from trunk]
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * alt_prof.c (kadm5_get_config_params): Include des3 in supported
+ enctypes by default.
+
+2000-05-19 Ken Raeburn <raeburn@mit.edu>
+
+ * ovsec_glue.c (ovsec_kadm_chpass_principal_util): Use 1024 for
+ hard-coded length, to match existing callers.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * admin.h: Add a length parameter to kadm5_chpass_principal_util().
+ * admin_internal.h: Add a length parameter to
+ _kadm5_chpass_principal_util().
+ * chpass_util.c (_kadm5_chpass_principal_util): Add a length parameter,
+ and use it to avoid overflowing "msg_ret".
+ * ovsec_glue.c (ovsec_kadm_chpass_principal_util): Adjust for new
+ parameter in kadm5_chpass_principal_util().
+
+2000-05-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * logger.c (klog_com_err_proc): Don't overflow buffer "outbuf".
+
2000-02-26 Tom Yu <tlyu@mit.edu>
* kadm_rpc_xdr.c (xdr_cprinc3_arg): Don't XDR the nonexistent
diff --git a/src/lib/kadm5/adb.h b/src/lib/kadm5/adb.h
index ce0d600..81ff96c 100644
--- a/src/lib/kadm5/adb.h
+++ b/src/lib/kadm5/adb.h
@@ -44,6 +44,7 @@ typedef struct _osa_adb_db_ent_t {
int magic;
DB *db;
HASHINFO info;
+ BTREEINFO btinfo;
char *filename;
osa_adb_lock_t lock;
} osa_adb_db_ent, *osa_adb_db_t, *osa_adb_princ_t, *osa_adb_policy_t;
diff --git a/src/lib/kadm5/admin.h b/src/lib/kadm5/admin.h
index 159c7fb..6e06636 100644
--- a/src/lib/kadm5/admin.h
+++ b/src/lib/kadm5/admin.h
@@ -1,4 +1,30 @@
/*
+ * lib/kadm5/admin.h
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ */
+/*
* Copyright 1993 OpenVision Technologies, Inc., All Rights Reserved
*
* $Header$
@@ -234,13 +260,14 @@ typedef struct __krb5_realm_params {
krb5_timestamp realm_expiration;
krb5_flags realm_flags;
krb5_key_salt_tuple *realm_keysalts;
+ unsigned int realm_reject_bad_transit:1;
unsigned int realm_kadmind_port_valid:1;
unsigned int realm_enctype_valid:1;
unsigned int realm_max_life_valid:1;
unsigned int realm_max_rlife_valid:1;
unsigned int realm_expiration_valid:1;
unsigned int realm_flags_valid:1;
- unsigned int realm_filler:7;
+ unsigned int realm_reject_bad_transit_valid:1;
krb5_int32 realm_num_keysalts;
} krb5_realm_params;
@@ -411,7 +438,8 @@ kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
- char *msg_ret);
+ char *msg_ret,
+ int msg_len);
kadm5_ret_t kadm5_free_principal_ent(void *server_handle,
kadm5_principal_ent_t
diff --git a/src/lib/kadm5/admin_internal.h b/src/lib/kadm5/admin_internal.h
index d2d1533..97cb5e5 100644
--- a/src/lib/kadm5/admin_internal.h
+++ b/src/lib/kadm5/admin_internal.h
@@ -62,7 +62,8 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
- char *msg_ret);
+ char *msg_ret,
+ int msg_len);
/* this is needed by the alt_prof code I stole. The functions
maybe shouldn't be named krb5_*, but they are. */
diff --git a/src/lib/kadm5/alt_prof.c b/src/lib/kadm5/alt_prof.c
index 5582df0..50f0b6a 100644
--- a/src/lib/kadm5/alt_prof.c
+++ b/src/lib/kadm5/alt_prof.c
@@ -1,7 +1,7 @@
/*
* lib/kadm/alt_prof.c
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * Copyright 1995,2001 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -117,6 +117,64 @@ krb5_aprof_getvals(acontext, hierarchy, retdata)
}
/*
+ * krb5_aprof_get_boolean()
+ *
+ * Parameters:
+ * acontext - opaque context for alternate profile
+ * hierarchy - hierarchy of value to retrieve
+ * retdata - Returned data value
+ * Returns:
+ * error codes
+ */
+
+static krb5_error_code
+string_to_boolean (const char *string, krb5_boolean *out)
+{
+ static const char *const yes[] = { "y", "yes", "true", "t", "1", "on" };
+ static const char *const no[] = { "n", "no", "false", "f", "nil", "0", "off" };
+ int i;
+
+ for (i = 0; i < sizeof(yes)/sizeof(yes[0]); i++)
+ if (!strcasecmp(string, yes[i])) {
+ *out = 1;
+ return 0;
+ }
+ for (i = 0; i < sizeof(no)/sizeof(no[0]); i++)
+ if (!strcasecmp(string, no[i])) {
+ *out = 0;
+ return 0;
+ }
+ return PROF_BAD_BOOLEAN;
+}
+
+krb5_error_code
+krb5_aprof_get_boolean(krb5_pointer acontext, const char **hierarchy,
+ int uselast, int *retdata)
+{
+ krb5_error_code kret;
+ char **values;
+ char *valp;
+ int idx;
+ krb5_boolean val;
+
+ kret = krb5_aprof_getvals (acontext, hierarchy, &values);
+ if (kret)
+ return kret;
+ idx = 0;
+ if (uselast) {
+ while (values[idx])
+ idx++;
+ idx--;
+ }
+ valp = values[idx];
+ kret = string_to_boolean (valp, &val);
+ if (kret)
+ return kret;
+ *retdata = val;
+ return 0;
+}
+
+/*
* krb5_aprof_get_deltat() - Get a delta time value from the alternate
* profile.
*
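Review bot: `krb5_aprof_get_boolean` never releases the `values` array it gets from `krb5_aprof_getvals`, on either the success return or the `string_to_boolean` failure return, so each lookup appears to leak the list. If the profile layer expects the caller to free it (the convention is not visible in this hunk), both exits need the matching free call. The header comment block also sits above `string_to_boolean` rather than the function it names, and it omits the `uselast` parameter. I would move it directly above `krb5_aprof_get_boolean` and add a line such as `uselast - if non-zero, use the last value found rather than the first`.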
@@ -644,8 +702,8 @@ krb5_error_code kadm5_get_config_params(context, kdcprofile, kdcenv,
if (aprofile)
krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue);
if (svalue == NULL)
- svalue = strdup("des-cbc-crc:normal");
-
+ svalue = strdup("des3-hmac-sha1:normal des-cbc-crc:normal");
+
params.keysalts = NULL;
params.num_keysalts = 0;
krb5_string_to_keysalts(svalue,
@@ -736,6 +794,7 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
const char *hierarchy[4];
char *svalue;
krb5_int32 ivalue;
+ krb5_boolean bvalue;
krb5_deltat dtvalue;
krb5_error_code kret;
@@ -832,7 +891,13 @@ krb5_read_realm_params(kcontext, realm, kdcprofile, kdcenv, rparamp)
rparams->realm_expiration_valid = 1;
krb5_xfree(svalue);
}
-
+
+ hierarchy[2] = "reject_bad_transit";
+ if (!krb5_aprof_get_boolean(aprofile, hierarchy, TRUE, &bvalue)) {
+ rparams->realm_reject_bad_transit = bvalue;
+ rparams->realm_reject_bad_transit_valid = 1;
+ }
+
/* Get the value for the default principal flags */
hierarchy[2] = "default_principal_flags";
if (!krb5_aprof_get_string(aprofile, hierarchy, TRUE, &svalue)) {
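Review bot: A `reject_bad_transit` value that `string_to_boolean` cannot parse is dropped silently in the added block. Any non-zero return from `krb5_aprof_get_boolean` just leaves `realm_reject_bad_transit_valid` unset, so a misspelled value in the realm stanza looks the same as an absent one. Because this is a policy switch, reporting the `PROF_BAD_BOOLEAN` case (log or return it) would let an administrator notice that the setting was ignored. Separately, `&bvalue` is a `krb5_boolean *` (declared in the previous hunk) while the new function is declared with `int *retdata`; declaring the parameter as `krb5_boolean *retdata` removes the reliance on the two types having the same size. The body of `krb5_read_realm_params` continues outside this hunk.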
diff --git a/src/lib/kadm5/chpass_util.c b/src/lib/kadm5/chpass_util.c
index dbf610c..ec97a0e 100644
--- a/src/lib/kadm5/chpass_util.c
+++ b/src/lib/kadm5/chpass_util.c
@@ -61,7 +61,8 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
- char *msg_ret)
+ char *msg_ret,
+ int msg_len)
{
int code, code2, pwsize;
static char buffer[255];
@@ -94,12 +95,18 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
memset(buffer, 0, sizeof(buffer));
#endif
if (code == KRB5_LIBOS_BADPWDMATCH) {
- strcpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_NEW_PASSWORD_MISMATCH),
+ msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(code);
} else {
- sprintf(msg_ret, "%s %s\n%s\n", error_message(code),
- string_text(CHPASS_UTIL_WHILE_READING_PASSWORD),
- string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));
+ strncpy(msg_ret, error_message(code), msg_len - 1);
+ strncat(msg_ret, " ", msg_len - 1);
+ strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_READING_PASSWORD),
+ msg_len - 1);
+ strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED),
+ msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(code);
}
}
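Review bot: The `strncat` calls in the else branch pass `msg_len - 1` as the count, but that argument limits the bytes appended, not the total size of the destination, so the three appends can still write past the end of `msg_ret`. The preceding `strncpy` also leaves `msg_ret` unterminated when `error_message(code)` is `msg_len - 1` bytes or longer, and the rewrite drops the two `\n` separators that the removed format string had. Where `snprintf` is available, one call bounds the whole message and keeps the old text: `snprintf(msg_ret, msg_len, "%s %s\n%s\n", error_message(code), string_text(CHPASS_UTIL_WHILE_READING_PASSWORD), string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));`. `msg_len` is a signed `int` and is never checked, so `msg_ret[msg_len - 1]` is out of bounds for a caller that passes zero or a negative value; a guard at the top of the function (outside this hunk) would cover every branch, including the simpler `strncpy` hunks that follow.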
@@ -107,7 +114,8 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
#ifdef ZEROPASSWD
memset(buffer, 0, sizeof(buffer));
#endif
- strcpy(msg_ret, string_text(CHPASS_UTIL_NO_PASSWORD_READ));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_NO_PASSWORD_READ), msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(KRB5_LIBOS_CANTREADPWD); /* could do better */
}
}
@@ -123,7 +131,8 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
#endif
if (code == KADM5_OK) {
- strcpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_CHANGED));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_CHANGED), msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(0);
}
@@ -141,12 +150,15 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
/* Ok, we have a password quality error. Return a good message */
if (code == KADM5_PASS_REUSE) {
- strcpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_REUSE));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_REUSE), msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(code);
}
if (code == KADM5_PASS_Q_DICT) {
- strcpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_IN_DICTIONARY));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_IN_DICTIONARY),
+ msg_len - 1);
+ msg_ret[msg_len - 1] = '\0';
return(code);
}
@@ -155,18 +167,32 @@ kadm5_ret_t _kadm5_chpass_principal_util(void *server_handle,
code2 = kadm5_get_principal (lhandle, princ, &princ_ent,
KADM5_PRINCIPAL_NORMAL_MASK);
if (code2 != 0) {
- sprintf(msg_ret, "%s %s\n%s %s\n\n%s\n ", error_message(code2),
- string_text(CHPASS_UTIL_GET_PRINC_INFO),
- error_message(code),
- string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE),
- string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));
+ strncpy(msg_ret, error_message(code2), msg_len - 1);
+ strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, string_text(CHPASS_UTIL_GET_PRINC_INFO), msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, string_text(CHPASS_UTIL_WHILE_TRYING_TO_CHANGE),
+ msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED),
+ msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, "\n", msg_len - 1 - strlen(msg_ret));
+ msg_ret[msg_len - 1] = '\0';
return(code);
}
if ((princ_ent.aux_attributes & KADM5_POLICY) == 0) {
- sprintf(msg_ret, "%s %s\n\n%s", error_message(code),
- string_text(CHPASS_UTIL_NO_POLICY_YET_Q_ERROR),
- string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));
+ strncpy(msg_ret, error_message(code), msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, " ", msg_len - 1 - strlen(msg_ret));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_NO_POLICY_YET_Q_ERROR),
+ msg_len - 1 - strlen(msg_ret));
+ strncat(msg_ret, "\n\n", msg_len - 1 - strlen(msg_ret));
+ strncpy(msg_ret, string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED),
+ msg_len - 1 - strlen(msg_ret));
+ msg_ret[msg_len - 1] = '\0';
+
(void) kadm5_free_principal_ent(lhandle, &princ_ent);
return(code);
}
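Review bot: In the `(princ_ent.aux_attributes & KADM5_POLICY) == 0` branch, three of the five calls are `strncpy` where `strncat` was evidently intended, so each one overwrites the start of `msg_ret` and the caller is left with only the CHPASS_UTIL_PASSWORD_NOT_CHANGED text. The first call in that branch also derives its bound from `strlen(msg_ret)` before anything has been written, so the bound depends on whatever the caller left in the buffer. `msg_len - 1 - strlen(msg_ret)` wraps to a very large `size_t` whenever that length exceeds `msg_len - 1`, and the same subtraction in the `code2 != 0` branch has this problem if the initial `strncpy` truncates without a terminator. A single bounded format call restores the original message: `snprintf(msg_ret, msg_len, "%s %s\n\n%s", error_message(code), string_text(CHPASS_UTIL_NO_POLICY_YET_Q_ERROR), string_text(CHPASS_UTIL_PASSWORD_NOT_CHANGED));`, and likewise for the `code2` branch with its five-argument format.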
diff --git a/src/lib/kadm5/clnt/ChangeLog b/src/lib/kadm5/clnt/ChangeLog
index 79dc124..ac8850a 100644
--- a/src/lib/kadm5/clnt/ChangeLog
+++ b/src/lib/kadm5/clnt/ChangeLog
@@ -1,3 +1,23 @@
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMAJOR): Bump to avoid Heimdal conflict.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * clnt_chpass_util.c (kadm5_chpass_principal_util): Adjust for new
+ length parameter in both kadm5_chpass_principal_util() and in
+ _kadm5_chpass_principal_util().
+
+2000-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * client_init.c (enctypes): Add des3 and des-md5 to the list of
+ permitted enctypes.
+
+2000-05-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * client_init.c (_kadm5_init_any): Fix determination of client
+ name length for overflow checking.
+
2000-02-26 Tom Yu <tlyu@mit.edu>
* client_principal.c (kadm5_create_principal_3): Remove keepold
diff --git a/src/lib/kadm5/clnt/Makefile.in b/src/lib/kadm5/clnt/Makefile.in
index 2d69cdc..e434236 100644
--- a/src/lib/kadm5/clnt/Makefile.in
+++ b/src/lib/kadm5/clnt/Makefile.in
@@ -5,7 +5,7 @@ BUILDTOP=$(REL)$(U)$(S)$(U)$(S)$(U)
LOCALINCLUDES = -I$(BUILDTOP)/include/kadm5
LIB=kadm5clnt
-LIBMAJOR=4
+LIBMAJOR=5
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
SHLIB_EXPDEPS=\
diff --git a/src/lib/kadm5/clnt/client_init.c b/src/lib/kadm5/clnt/client_init.c
index a3d2613..b3832bb 100644
--- a/src/lib/kadm5/clnt/client_init.c
+++ b/src/lib/kadm5/clnt/client_init.c
@@ -134,6 +134,8 @@ static int preauth_search_list[] = {
};
static krb5_enctype enctypes[] = {
+ ENCTYPE_DES3_CBC_SHA1,
+ ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
0,
};
@@ -282,9 +284,15 @@ static kadm5_ret_t _kadm5_init_any(char *client_name,
goto error;
if (realm) {
+ if(strlen(service_name) + strlen(realm) + 1 >= sizeof(full_service_name)) {
+ goto error;
+ }
sprintf(full_service_name, "%s@%s", service_name, realm);
} else {
/* krb5_princ_realm(creds.client) is not null terminated */
+ if(strlen(service_name) + krb5_princ_realm(handle->context, creds.client)->length + 1 >= sizeof(full_service_name)) {
+ goto error;
+ }
strcpy(full_service_name, service_name);
strcat(full_service_name, "@");
strncat(full_service_name, krb5_princ_realm(handle->context,
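Review bot: Both new length checks jump to `error` without assigning `code`. If `code` is still zero from the preceding successful call (its assignment is outside this hunk), the function may report success or take a cleanup path meant for failures, with `full_service_name` never filled in. Setting a non-zero error before each jump, for example `code = KADM5_BAD_CLIENT_PARAMS;` if that is the appropriate code here, makes the rejection visible to the caller. The arithmetic of the two checks looks right for service name, `@`, realm and terminator.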
diff --git a/src/lib/kadm5/clnt/clnt_chpass_util.c b/src/lib/kadm5/clnt/clnt_chpass_util.c
index d6c7f0b..ae9ced0 100644
--- a/src/lib/kadm5/clnt/clnt_chpass_util.c
+++ b/src/lib/kadm5/clnt/clnt_chpass_util.c
@@ -5,11 +5,12 @@ kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
- char *msg_ret)
+ char *msg_ret,
+ int msg_len)
{
kadm5_server_handle_t handle = server_handle;
CHECK_HANDLE(server_handle);
return _kadm5_chpass_principal_util(handle, handle->lhandle, princ,
- new_pw, ret_pw, msg_ret);
+ new_pw, ret_pw, msg_ret, msg_len);
}
diff --git a/src/lib/kadm5/kadm_rpc_xdr.c b/src/lib/kadm5/kadm_rpc_xdr.c
index bf40048..c92dc60 100644
--- a/src/lib/kadm5/kadm_rpc_xdr.c
+++ b/src/lib/kadm5/kadm_rpc_xdr.c
@@ -135,8 +135,16 @@ xdr_krb5_kvno(XDR *xdrs, krb5_kvno *objp)
tmp = '\0'; /* for purify, else xdr_u_char performs a umr */
- if (xdrs->x_op == XDR_ENCODE)
+ if (xdrs->x_op == XDR_ENCODE) {
tmp = (unsigned char) *objp;
+#if 0
+ /* We can't change the protocol right now, so let's
+ just reject (legitimate!) values that won't fit in
+ our broken one-byte encoding. */
+ if (tmp != *objp)
+ return FALSE;
+#endif
+ }
if (!xdr_u_char(xdrs, &tmp))
return (FALSE);
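Review bot: With the range check compiled out, a `krb5_kvno` above 255 is silently reduced to its low byte by `tmp = (unsigned char) *objp` on encode, so the peer receives a different key version number than the one stored. The comment inside the `#if 0` explains the check but not why it is disabled or what callers should expect in the meantime. I would add a comment outside the disabled block, such as `/* XXX kvno is truncated to 8 bits on the wire; values > 255 wrap. Check disabled until the protocol can change. */`, so the truncation is not mistaken for intended behaviour.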
diff --git a/src/lib/kadm5/logger.c b/src/lib/kadm5/logger.c
index 4f2ad20..bf6bbfd 100644
--- a/src/lib/kadm5/logger.c
+++ b/src/lib/kadm5/logger.c
@@ -199,8 +199,9 @@ klog_com_err_proc(whoami, code, format, ap)
/* If reporting an error message, separate it. */
if (code) {
- strcat(outbuf, error_message(code));
- strcat(outbuf, " - ");
+ outbuf[sizeof(outbuf) - 1] = '\0';
+ strncat(outbuf, error_message(code), sizeof(outbuf) - 1 - strlen(outbuf));
+ strncat(outbuf, " - ", sizeof(outbuf) - 1 - strlen(outbuf));
}
cp = &outbuf[strlen(outbuf)];
diff --git a/src/lib/kadm5/ovsec_glue.c b/src/lib/kadm5/ovsec_glue.c
index 6118282..ce81893 100644
--- a/src/lib/kadm5/ovsec_glue.c
+++ b/src/lib/kadm5/ovsec_glue.c
@@ -102,8 +102,10 @@ ovsec_kadm_ret_t ovsec_kadm_chpass_principal_util(void *server_handle,
char **ret_pw,
char *msg_ret)
{
- return kadm5_chpass_principal_util(server_handle, princ, new_pw,
- ret_pw, msg_ret);
+ /* Oh crap. Can't change the API without bumping the API version... */
+ memset(msg_ret, '\0', 1024);
+ return kadm5_chpass_principal_util(server_handle, princ, new_pw,
+ ret_pw, msg_ret, 1024);
}
ovsec_kadm_ret_t ovsec_kadm_randkey_principal(void *server_handle,
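Review bot: `memset(msg_ret, '\0', 1024)` writes 1024 bytes into a buffer whose size this legacy entry point never receives, so a caller that supplies a smaller buffer is now overrun on every call. Before the change that happened only when the message was long. If the only purpose is to give the callee an empty string to start from, `msg_ret[0] = '\0';` does that without touching the rest of the buffer. The 1024-byte minimum that the second argument now assumes should be stated in the header next to the `ovsec_kadm_chpass_principal_util` prototype, since the function signature cannot express it.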
diff --git a/src/lib/kadm5/srv/ChangeLog b/src/lib/kadm5/srv/ChangeLog
index 792936d..6d45fa3 100644
--- a/src/lib/kadm5/srv/ChangeLog
+++ b/src/lib/kadm5/srv/ChangeLog
@@ -1,3 +1,47 @@
+2002-11-07 Tom Yu <tlyu@mit.edu>
+
+ * svr_principal.c (kadm5_setkey_principal_3): Apply patch from
+ Emily Ratliff to allow n_ks_tuple to be zero, which is the case if
+ being called from kadmind answering a client's setkey_principal
+ request.
+ [pullup from trunk]
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMAJOR): Bump to avoid Heimdal conflict.
+
+2001-10-22 Tom Yu <tlyu@mit.edu>
+
+ * svr_principal.c (kadm5_decrypt_key): For now, coerce enctype of
+ output keyblock in case we got a match on a similar enctype.
+
+2001-10-16 Mitchell Berger <mitchb@mit.edu>
+ Matt Crawford <crawdad@fnal.gov>
+
+ * svr_principal.c (add_to_history): If the policy a principal uses has
+ been changed to hold a lesser number of history entries than it did
+ before, extract the correct number and value of old keys from the
+ history array into a newly allocated array of the proper size. Failing
+ to do this made kadmind vulnerable to a crash upon changing such a
+ principal's password. Original patch written by Matt Crawford, with
+ a few changes.
+ [pullup from trunk]
+
+2001-09-07 Tom Yu <tlyu@mit.edu>
+
+ * adb_openclose.c (osa_adb_create_db): Default to btree.
+ (osa_adb_init_db): Set up btinfo as well.
+ (osa_adb_open_and_lock): Try btree, then hash.
+ [pullup from trunk]
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * adb_openclose.c (osa_adb_create_db): Open lock files using O_EXCL
+ and fdopen() the descriptor instead of using fopen().
+ * svr_chpass_util.c (kadm5_chpass_principal_util): Adjust for new
+ length parameter in both kadm5_chpass_principal_util() and in
+ _kadm5_chpass_principal_util().
+
2000-03-16 Ken Raeburn <raeburn@mit.edu>
Matt Crawford <crawdad@fnal.gov>
diff --git a/src/lib/kadm5/srv/Makefile.in b/src/lib/kadm5/srv/Makefile.in
index a0d18e4..3459760 100644
--- a/src/lib/kadm5/srv/Makefile.in
+++ b/src/lib/kadm5/srv/Makefile.in
@@ -9,7 +9,7 @@ DEFINES = @HESIOD_DEFS@
##DOSLIBNAME = libkadm5srv.lib
LIB=kadm5srv
-LIBMAJOR=4
+LIBMAJOR=5
LIBMINOR=0
STOBJLISTS=../OBJS.ST OBJS.ST
SHLIB_EXPDEPS=\
diff --git a/src/lib/kadm5/srv/adb_openclose.c b/src/lib/kadm5/srv/adb_openclose.c
index e776192..dbbc3b6 100644
--- a/src/lib/kadm5/srv/adb_openclose.c
+++ b/src/lib/kadm5/srv/adb_openclose.c
@@ -24,27 +24,29 @@ struct _locklist {
osa_adb_ret_t osa_adb_create_db(char *filename, char *lockfilename,
int magic)
{
- FILE *lf;
+ int lf;
DB *db;
- HASHINFO info;
+ BTREEINFO btinfo;
- memset(&info, 0, sizeof(info));
- info.hash = NULL;
- info.bsize = 256;
- info.ffactor = 8;
- info.nelem = 25000;
- info.lorder = 0;
- db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_HASH, &info);
+ memset(&btinfo, 0, sizeof(btinfo));
+ btinfo.flags = 0;
+ btinfo.cachesize = 0;
+ btinfo.psize = 4096;
+ btinfo.lorder = 0;
+ btinfo.minkeypage = 0;
+ btinfo.compare = NULL;
+ btinfo.prefix = NULL;
+ db = dbopen(filename, O_RDWR | O_CREAT | O_EXCL, 0600, DB_BTREE, &btinfo);
if (db == NULL)
return errno;
if (db->close(db) < 0)
return errno;
/* only create the lock file if we successfully created the db */
- lf = fopen(lockfilename, "w+");
- if (lf == NULL)
+ lf = THREEPARAMOPEN(lockfilename, O_RDWR | O_CREAT | O_EXCL, 0600);
+ if (lf == -1)
return errno;
- (void) fclose(lf);
+ (void) close(lf);
return OSA_ADB_OK;
}
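Review bot: When the `O_EXCL` open of the lock file fails, for instance because a stale lock file is already present, the function returns `errno` but leaves the database it has just created on disk. A retry then fails in `dbopen`, which uses the same `O_CREAT | O_EXCL` flags. Removing the new database on that path, e.g. `(void) unlink(filename);` before `return errno;` with `errno` saved first, keeps creation all-or-nothing. The switch from `fopen` to an exclusive open with mode 0600 is otherwise the safer way to create the lock file.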
@@ -128,6 +130,13 @@ osa_adb_ret_t osa_adb_init_db(osa_adb_db_t *dbp, char *filename,
db->info.nelem = 25000;
db->info.lorder = 0;
+ db->btinfo.flags = 0;
+ db->btinfo.cachesize = 0;
+ db->btinfo.psize = 4096;
+ db->btinfo.lorder = 0;
+ db->btinfo.minkeypage = 0;
+ db->btinfo.compare = NULL;
+ db->btinfo.prefix = NULL;
/*
* A process is allowed to open the same database multiple times
* and access it via different handles. If the handles use
@@ -333,7 +342,7 @@ osa_adb_ret_t osa_adb_get_lock(osa_adb_db_t db, int mode)
osa_adb_ret_t osa_adb_release_lock(osa_adb_db_t db)
{
- int ret;
+ int ret, fd;
if (!db->lock->lockcnt) /* lock already unlocked */
return OSA_ADB_NOTLOCKED;
@@ -341,8 +350,9 @@ osa_adb_ret_t osa_adb_release_lock(osa_adb_db_t db)
if (--db->lock->lockcnt == 0) {
if (db->lock->lockmode == OSA_ADB_PERMANENT) {
/* now we need to create the file since it does not exist */
- if ((db->lock->lockfile = fopen(db->lock->filename,
- "w+")) == NULL)
+ fd = THREEPARAMOPEN(db->lock->filename,O_RDWR | O_CREAT | O_EXCL,
+ 0600);
+ if ((db->lock->lockfile = fdopen(fd, "w+")) == NULL)
return OSA_ADB_NOLOCKFILE;
} else if (ret = krb5_lock_file(db->lock->context,
fileno(db->lock->lockfile),
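Review bot: The descriptor returned by `THREEPARAMOPEN` is handed to `fdopen` unchecked. The `-1` case is caught only indirectly because `fdopen` rejects it, and when `fdopen` fails on a valid descriptor, `fd` is leaked. An explicit `if (fd < 0) return OSA_ADB_NOLOCKFILE;` followed by `close(fd)` on the `fdopen` failure path makes both cases clear. `lockcnt` has already been decremented to zero when either failure returns, so the handle is left counted as unlocked with no lock file; a short comment on that state would help the next reader. The function body continues outside this hunk.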
@@ -362,14 +372,23 @@ osa_adb_ret_t osa_adb_open_and_lock(osa_adb_princ_t db, int locktype)
if (ret != OSA_ADB_OK)
return ret;
- db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
- if (db->db == NULL) {
+ db->db = dbopen(db->filename, O_RDWR, 0600, DB_BTREE, &db->btinfo);
+ if (db->db != NULL)
+ return OSA_ADB_OK;
+ switch (errno) {
+#ifdef EFTYPE
+ case EFTYPE:
+#endif
+ case EINVAL:
+ db->db = dbopen(db->filename, O_RDWR, 0600, DB_HASH, &db->info);
+ if (db->db != NULL)
+ return OSA_ADB_OK;
+ default:
(void) osa_adb_release_lock(db);
- if(errno == EINVAL)
+ if (errno == EINVAL)
return OSA_ADB_BAD_DB;
return errno;
}
- return OSA_ADB_OK;
}
osa_adb_ret_t osa_adb_close_and_unlock(osa_adb_princ_t db)
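Review bot: In the `default:` arm, `osa_adb_release_lock(db)` runs before `errno` is tested and returned, and that call may itself change `errno` since it opens or unlocks a file. The caller can then receive an unrelated error or miss the `OSA_ADB_BAD_DB` mapping. Saving the value first avoids that: `int e = errno; (void) osa_adb_release_lock(db); return e == EINVAL ? OSA_ADB_BAD_DB : e;`. The fall-through from `case EINVAL:` into `default:` after the hash retry fails looks intentional but is unmarked; a `/* FALLTHROUGH */` comment before `default:` would say so.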
diff --git a/src/lib/kadm5/srv/svr_chpass_util.c b/src/lib/kadm5/srv/svr_chpass_util.c
index df2bf4c..4c4c6bb 100644
--- a/src/lib/kadm5/srv/svr_chpass_util.c
+++ b/src/lib/kadm5/srv/svr_chpass_util.c
@@ -5,11 +5,12 @@ kadm5_ret_t kadm5_chpass_principal_util(void *server_handle,
krb5_principal princ,
char *new_pw,
char **ret_pw,
- char *msg_ret)
+ char *msg_ret,
+ int msg_len)
{
kadm5_server_handle_t handle = server_handle;
CHECK_HANDLE(server_handle);
return _kadm5_chpass_principal_util(handle, handle->lhandle, princ,
- new_pw, ret_pw, msg_ret);
+ new_pw, ret_pw, msg_ret, msg_len);
}
diff --git a/src/lib/kadm5/srv/svr_principal.c b/src/lib/kadm5/srv/svr_principal.c
index 4981703..aeae090 100644
--- a/src/lib/kadm5/srv/svr_principal.c
+++ b/src/lib/kadm5/srv/svr_principal.c
@@ -974,6 +974,7 @@ int free_history_entry(krb5_context context, osa_pw_hist_ent *hist)
* array where the next element should be written, and must be [0,
* adb->old_key_len).
*/
+#define KADM_MOD(x) (x + adb->old_key_next) % adb->old_key_len
static kadm5_ret_t add_to_history(krb5_context context,
osa_princ_ent_t adb,
kadm5_policy_ent_t pol,
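Review bot: `KADM_MOD` is defined without parentheses around its argument or its result, so it is only correct in the array-subscript and plain-assignment contexts used in the next hunk. An expression such as `KADM_MOD(i) + 1`, or an argument containing a lower-precedence operator, would parse differently from how it reads. I would write it as `#define KADM_MOD(x) (((x) + adb->old_key_next) % adb->old_key_len)`. The macro also captures `adb` from the enclosing function, which deserves a one-line comment next to the definition.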
@@ -1001,6 +1002,39 @@ static kadm5_ret_t add_to_history(krb5_context context,
memset(&adb->old_keys[adb->old_key_len],0,sizeof(osa_pw_hist_ent));
adb->old_key_len++;
+ } else if (adb->old_key_len > pol->pw_history_num-1) {
+ /*
+ * The policy must have changed! Shrink the array.
+ * Can't simply realloc() down, since it might be wrapped.
+ * To understand the arithmetic below, note that we are
+ * copying into new positions 0 .. N-1 from old positions
+ * old_key_next-N .. old_key_next-1, modulo old_key_len,
+ * where N = pw_history_num - 1 is the length of the
+ * shortened list. Matt Crawford, FNAL
+ */
+ int j;
+ histp = (osa_pw_hist_ent *)
+ malloc((pol->pw_history_num - 1) * sizeof (osa_pw_hist_ent));
+ if (histp) {
+ for (i = 0; i < pol->pw_history_num - 1; i++) {
+ /* We need the number we use the modulus operator on to be
+ positive, so after subtracting pol->pw_history_num-1, we
+ add back adb->old_key_len. */
+ j = KADM_MOD(i - (pol->pw_history_num - 1) + adb->old_key_len);
+ histp[i] = adb->old_keys[j];
+ }
+ /* Now free the ones we don't keep (the oldest ones) */
+ for (i = 0; i < adb->old_key_len - (pol->pw_history_num - 1); i++)
+ for (j = 0; j < adb->old_keys[KADM_MOD(i)].n_key_data; j++)
+ krb5_free_key_data_contents(context,
+ &adb->old_keys[KADM_MOD(i)].key_data[j]);
+ free((void *)adb->old_keys);
+ adb->old_keys = histp;
+ adb->old_key_len = pol->pw_history_num - 1;
+ adb->old_key_next = 0;
+ } else {
+ return(ENOMEM);
+ }
}
/* free the old pw history entry if it contains data */
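Review bot: The shrink path sizes its allocation as `(pol->pw_history_num - 1) * sizeof (osa_pw_hist_ent)`, which is zero bytes when the policy's history count is 1. `malloc(0)` may return NULL and turn a valid policy into `ENOMEM`, or return a zero-length array that the code after this hunk presumably indexes at `old_key_next`. Whether a `pw_history_num` of 1 or less can reach this branch depends on checks outside the hunk, so an explicit guard or a comment stating the precondition would make it reviewable. When `malloc` does fail, `adb->old_keys` is left untouched, which is the right behaviour for the error return.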
@@ -1017,6 +1051,7 @@ static kadm5_ret_t add_to_history(krb5_context context,
return(0);
}
+#undef KADM_MOD
kadm5_ret_t
kadm5_chpass_principal(void *server_handle,
@@ -1482,7 +1517,7 @@ kadm5_setkey_principal_3(void *server_handle,
}
}
- if (n_ks_tuple != n_keys)
+ if (n_ks_tuple && n_ks_tuple != n_keys)
return KADM5_SETKEY3_ETYPE_MISMATCH;
if ((ret = kdb_get_entry(handle, principal, &kdb, &adb)))
@@ -1703,6 +1738,13 @@ kadm5_ret_t kadm5_decrypt_key(void *server_handle,
keyblock, keysalt))
return ret;
+ /*
+ * Coerce the enctype of the output keyblock in case we got an
+ * inexact match on the enctype; this behavior will go away when
+ * the key storage architecture gets redesigned for 1.3.
+ */
+ keyblock->enctype = ktype;
+
if (kvnop)
*kvnop = key_data->key_data_kvno;
diff --git a/src/lib/kadm5/str_conv.c b/src/lib/kadm5/str_conv.c
index 16ad534..f4f572a 100644
--- a/src/lib/kadm5/str_conv.c
+++ b/src/lib/kadm5/str_conv.c
@@ -361,7 +361,22 @@ krb5_string_to_keysalts(string, tupleseps, ksaltseps, dups, ksaltp, nksaltp)
if (ep)
ep[-1] = trailchar;
kp = ep;
- }
+
+ /* Skip over extra separators - like spaces */
+ if (kp && *tseplist) {
+ septmp = tseplist;
+ while(*septmp && *kp) {
+ if(*septmp == *kp) {
+ /* Increment string - reset separator list */
+ kp++;
+ septmp = tseplist;
+ } else {
+ septmp++;
+ }
+ }
+ if (!*kp) kp = NULL;
+ }
+ } /* while kp */
return(kret);
}
diff --git a/src/lib/kadm5/unit-test/ChangeLog b/src/lib/kadm5/unit-test/ChangeLog
index b8e4b71..2e9b74f 100644
--- a/src/lib/kadm5/unit-test/ChangeLog
+++ b/src/lib/kadm5/unit-test/ChangeLog
@@ -1,3 +1,16 @@
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * config/unix.exp: Work around tcl 8.4's (incorrect?) output EOL
+ translation.
+ [pullup from trunk]
+
+2000-05-09 Ken Raeburn <raeburn@mit.edu>
+
+ * api.2/chpass-principal-v2.exp (test200): Expect an additional
+ key to be reported, since des3 has been added to the list.
+ * api.2/get-principal-v2.exp (test101_102): Likewise.
+ * api.2/randkey-principal-v2.exp (test100): Likewise.
+
2000-02-08 Tom Yu <tlyu@mit.edu>
* api.1/lock.exp: Since a "wait" directive to the command list of
diff --git a/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp
index 40a78c9..ef45510 100644
--- a/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp
@@ -53,10 +53,10 @@ proc test200 {} {
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 2} {
+ if {$num_keys == 3} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 2"
+ fail "$test: $num_keys keys, should be 3"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
error "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp
index 0e3e1b5..d2eb85a 100644
--- a/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp
@@ -143,8 +143,8 @@ proc test101_102 {rpc} {
}
set failed 0
- if {$num_keys != 2} {
- fail "$test: num_keys $num_keys should be 2"
+ if {$num_keys != 3} {
+ fail "$test: num_keys $num_keys should be 3"
set failed 1
}
for {set i 0} {$i < $num_keys} {incr i} {
diff --git a/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp
index 5c8fdc5..d9cc971 100644
--- a/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp
+++ b/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp
@@ -47,10 +47,10 @@ proc test100 {} {
}
# XXX Perhaps I should actually check the key type returned.
- if {$num_keys == 1} {
+ if {$num_keys == 2} {
pass "$test"
} else {
- fail "$test: $num_keys keys, should be 1"
+ fail "$test: $num_keys keys, should be 2"
}
if { ! [cmd {kadm5_destroy $server_handle}]} {
error "$test: unexpected failure in destroy"
diff --git a/src/lib/kadm5/unit-test/config/unix.exp b/src/lib/kadm5/unit-test/config/unix.exp
index 2aab9e4..0472789 100644
--- a/src/lib/kadm5/unit-test/config/unix.exp
+++ b/src/lib/kadm5/unit-test/config/unix.exp
@@ -58,6 +58,14 @@ proc api_start {} {
if {! [info exists env(TCLUTIL)]} {
error "TCLUTIL environment variable isn't set"
}
+ # tcl 8.4 for some reason screws up autodetection of output
+ # EOL translation. Work around it for now.
+ send "if { \[info commands fconfigure\] ne \"\" } { fconfigure stdout -translation lf }\n"
+ expect {
+ -re "$prompt$" {}
+ eof { error "EOF starting API" }
+ timeout { error "Timeout starting API" }
+ }
send "source $env(TCLUTIL)\n"
expect {
-re "$prompt$" {}
diff --git a/src/lib/kdb/ChangeLog b/src/lib/kdb/ChangeLog
index a710eb7..4aeb862 100644
--- a/src/lib/kdb/ChangeLog
+++ b/src/lib/kdb/ChangeLog
@@ -1,3 +1,76 @@
+2003-03-16 Sam Hartman <hartmans@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): Match only against the first
+ enctype for non-cross-realm tickets so we will only accept
+ tickets that the current configuration would have issued. For
+ cross-realm tickets be liberal and match against the specified
+ enctype.
+
+2002-08-26 Tom Yu <tlyu@mit.edu>
+
+ * kdb_db2.h: Add prototype and rename for
+ krb5_db2_db_iterate_ext().
+
+ * kdb_db2.c (krb5_db2_db_iterate_ext): New function; allow
+ optional backwards or recursive (if btree) traversal of the
+ database.
+
+ * Makefile.in (LIBMINOR): Bump due to addition of
+ krb5_db_iterate_ext().
+
+ [pullups from trunk]
+
+2002-08-15 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): For consistency, check for
+ DISALLOW_ALL_TIX and DISALLOW_SVR when looking up keys.
+ [pullup from trunk]
+
+2002-08-12 Sam Hartman <hartmans@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Initialize ret to 0; thanks
+ to Lubos Kejzlar <kejzlar@civ.zcu.cz>
+ [pullup from trunk]
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to some behavior changes
+ regarding enctype similarity.
+
+2001-10-22 Tom Yu <tlyu@mit.edu>
+
+ * kdb_xdr.c (krb5_dbe_search_enctype): Filter out enctypes that
+ aren't in permitted_enctypes. This prevents the KDC from issuing
+ a ticket whose enctype that it won't accept.
+
+2001-10-20 Tom Yu <tlyu@mit.edu>
+
+ * keytab.c (krb5_ktkdb_get_entry): For now, coerce enctype of
+ output keyblock in case we got a match on a similar enctype.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * t_kdb.c (gen_principal): Don't overflow "pnamebuf" if bad data was
+ passed in.
+
+2000-05-03 Nalin Dahyabhai <nalin@redhat.com>
+
+ * setup_mkey.c (krb5_db_setup_mkey_name): Use REALM_SEP_STRING
+ when computing size of buffer that is to include it.
+
+ * fetch_mkey.c (krb5_db_fetch_mkey): Make sure "defkeyfile" is
+ null terminated after construction.
+ * store_mkey.c (krb5_db_store_mkey): Likewise.
+
+2000-04-27 Ken Raeburn <raeburn@mit.edu>
+ Ezra Peisach <epeisach@mit.edu>
+
+ * t_kdb.c (gen_principal): Force argument to isalnum to be in
+ range 0..255.
+ (do_testing): Cast pid_t to long before passing to fprintf, and
+ use %ld format. Fix argument lists to find_principal and
+ delete_principal.
+
2000-03-16 Ezra Peisach <epeisach@mit.edu>
* kdb_xdr.c (krb5_dbe_lookup_mod_princ_data): Get rid of
diff --git a/src/lib/kdb/Makefile.in b/src/lib/kdb/Makefile.in
index 68c6361..10f7580 100644
--- a/src/lib/kdb/Makefile.in
+++ b/src/lib/kdb/Makefile.in
@@ -9,7 +9,7 @@ PROG_RPATH=$(KRB5_LIBDIR)
LIB=kdb5
LIBMAJOR=3
-LIBMINOR=0
+LIBMINOR=2
RELDIR=kdb
# Depends on libk5crypto and libkrb5
SHLIB_EXPDEPS = \
diff --git a/src/lib/kdb/fetch_mkey.c b/src/lib/kdb/fetch_mkey.c
index 2ff5c29..7ae26bb 100644
--- a/src/lib/kdb/fetch_mkey.c
+++ b/src/lib/kdb/fetch_mkey.c
@@ -133,7 +133,7 @@ krb5_db_fetch_mkey(context, mname, etype, fromkeyboard, twice, keyfile,
(void) strncat(defkeyfile, realm->data,
min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
realm->length));
- (void) strcat(defkeyfile, "");
+ defkeyfile[sizeof(defkeyfile) - 1] = '\0';
#ifdef ANSI_STDIO
if (!(kf = fopen((keyfile) ? keyfile : defkeyfile, "rb")))
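Review bot: The `strncat` bound above silently shortens an over-long realm, so the stash file opened on the following lines can be named for a different, shorter realm than the caller asked for; the added terminator write does not change that, and `strncat` already NUL-terminates. Rejecting the input is safer than truncating it: test `realm->length > sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1` before the `strncat` and return an error. The same pattern is in the `krb5_db_store_mkey` hunk of store_mkey.c, where the shortened path is then used as the file to write. Both function bodies start and end outside their hunks, so how `defkeyfile` is first filled is not visible here.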
diff --git a/src/lib/kdb/kdb_db2.c b/src/lib/kdb/kdb_db2.c
index 627aa75..6420acc 100644
--- a/src/lib/kdb/kdb_db2.c
+++ b/src/lib/kdb/kdb_db2.c
@@ -1115,10 +1115,11 @@ cleanup:
}
krb5_error_code
-krb5_db2_db_iterate (context, func, func_arg)
+krb5_db2_db_iterate_ext(context, func, func_arg, backwards, recursive)
krb5_context context;
krb5_error_code (*func) PROTOTYPE((krb5_pointer, krb5_db_entry *));
krb5_pointer func_arg;
+ int backwards, recursive;
{
krb5_db2_context *db_ctx;
DB *db;
@@ -1127,17 +1128,31 @@ krb5_db2_db_iterate (context, func, func_arg)
krb5_db_entry entries;
krb5_error_code retval;
int dbret;
-
+ void *cookie;
+
+ cookie = NULL;
if (!k5db2_inited(context))
return KRB5_KDB_DBNOTINITED;
db_ctx = (krb5_db2_context *) context->db_context;
retval = krb5_db2_db_lock(context, KRB5_LOCKMODE_SHARED);
+
if (retval)
return retval;
db = db_ctx->db;
- dbret = (*db->seq)(db, &key, &contents, R_FIRST);
+ if (recursive && db->type != DB_BTREE) {
+ (void)krb5_db2_db_unlock(context);
+ return KRB5_KDB_UK_RERROR; /* Not optimal, but close enough. */
+ }
+
+ if (!recursive) {
+ dbret = (*db->seq)(db, &key, &contents,
+ backwards ? R_LAST : R_FIRST);
+ } else {
+ dbret = bt_rseq(db, &key, &contents, &cookie,
+ backwards ? R_LAST : R_FIRST);
+ }
while (dbret == 0) {
contdata.data = contents.data;
contdata.length = contents.size;
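Review bot: `krb5_db2_db_iterate_ext` gains two int flags with no comment saying what they select, and the restriction that `recursive` only works on a btree database is discoverable only from the `KRB5_KDB_UK_RERROR` return in this hunk. A header comment would help, for example `/* backwards: start at R_LAST and step with R_PREV; recursive: iterate with bt_rseq(), DB_BTREE only */`. The same comment should say who owns `cookie`: nothing in the visible hunks releases it after the loop, so if `bt_rseq` keeps allocated state behind it (not shown here), the `break` taken when `func` fails would need a cleanup step. The function begins in the previous hunk and continues past this one.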
@@ -1148,7 +1163,13 @@ krb5_db2_db_iterate (context, func, func_arg)
krb5_dbe_free_contents(context, &entries);
if (retval)
break;
- dbret = (*db->seq)(db, &key, &contents, R_NEXT);
+ if (!recursive) {
+ dbret = (*db->seq)(db, &key, &contents,
+ backwards ? R_PREV : R_NEXT);
+ } else {
+ dbret = bt_rseq(db, &key, &contents, &cookie,
+ backwards ? R_PREV : R_NEXT);
+ }
}
switch (dbret) {
case 1:
@@ -1162,6 +1183,15 @@ krb5_db2_db_iterate (context, func, func_arg)
return retval;
}
+krb5_error_code
+krb5_db2_db_iterate(context, func, func_arg)
+ krb5_context context;
+ krb5_error_code (*func) (krb5_pointer, krb5_db_entry *);
+ krb5_pointer func_arg;
+{
+ return krb5_db2_db_iterate_ext(context, func, func_arg, 0, 0);
+}
+
krb5_boolean
krb5_db2_db_set_lockmode(context, mode)
krb5_context context;
diff --git a/src/lib/kdb/kdb_db2.h b/src/lib/kdb/kdb_db2.h
index fd35c81..d8f7ba5 100644
--- a/src/lib/kdb/kdb_db2.h
+++ b/src/lib/kdb/kdb_db2.h
@@ -41,6 +41,7 @@
#define krb5_db2_db_free_principal krb5_db_free_principal
#define krb5_db2_db_put_principal krb5_db_put_principal
#define krb5_db2_db_delete_principal krb5_db_delete_principal
+#define krb5_db2_db_iterate_ext krb5_db_iterate_ext
#define krb5_db2_db_iterate krb5_db_iterate
#define krb5_db2_db_lock krb5_db_lock
#define krb5_db2_db_unlock krb5_db_unlock
@@ -104,6 +105,11 @@ krb5_error_code krb5_db2_db_put_principal
KRB5_PROTOTYPE((krb5_context,
krb5_db_entry *,
int * ));
+krb5_error_code krb5_db2_db_iterate_ext
+ KRB5_PROTOTYPE((krb5_context,
+ krb5_error_code (*) (krb5_pointer,
+ krb5_db_entry *),
+ krb5_pointer, int, int ));
krb5_error_code krb5_db2_db_iterate
KRB5_PROTOTYPE((krb5_context,
krb5_error_code (*) KRB5_PROTOTYPE((krb5_pointer,
diff --git a/src/lib/kdb/kdb_xdr.c b/src/lib/kdb/kdb_xdr.c
index 5d1911e2..b7b8b4a 100644
--- a/src/lib/kdb/kdb_xdr.c
+++ b/src/lib/kdb/kdb_xdr.c
@@ -724,7 +724,9 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
int i, index;
int maxkvno;
krb5_key_data *datap;
+ krb5_error_code ret;
+ ret = 0;
if (kvno == -1 && stype == -1 && ktype == -1)
kvno = 0;
@@ -741,15 +743,25 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
datap = (krb5_key_data *) NULL;
for (i = *start; i < dbentp->n_key_data; i++) {
krb5_boolean similar;
- krb5_error_code ret;
krb5_int32 db_stype;
+ ret = 0;
if (dbentp->key_data[i].key_data_ver > 1) {
db_stype = dbentp->key_data[i].key_data_type[1];
} else {
db_stype = KRB5_KDB_SALTTYPE_NORMAL;
}
+
+ /*
+ * Filter out non-permitted enctypes.
+ */
+ if (!krb5_is_permitted_enctype(kcontext,
+ dbentp->key_data[i].key_data_type[0])) {
+ ret = KRB5_KDB_NO_PERMITTED_KEY;
+ continue;
+ }
+
if (ktype >= 0) {
if ((ret = krb5_c_enctype_compare(kcontext, (krb5_enctype) ktype,
dbentp->key_data[i].key_data_type[0],
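Review bot: `KRB5_KDB_NO_PERMITTED_KEY` reaches the final `return ret ? ret : KRB5_KDB_NO_MATCHING_KEY` only when the last key_data entry examined was the one filtered out, because `ret = 0;` is reset at the top of every iteration and the `krb5_c_enctype_compare` assignment overwrites it. The error a caller sees therefore depends on the order of keys in the entry rather than on whether a non-permitted key was skipped. A separate flag keeps the diagnostic stable: declare `int filtered = 0;`, use `filtered = 1; continue;` in the filter branch, and end with `return filtered ? KRB5_KDB_NO_PERMITTED_KEY : KRB5_KDB_NO_MATCHING_KEY;`. Part of the loop body lies outside the hunks shown, so if a compare failure is also meant to propagate through `ret`, keep that and test the flag after it.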
@@ -776,7 +788,7 @@ krb5_dbe_search_enctype(kcontext, dbentp, start, ktype, stype, kvno, kdatap)
}
}
if (maxkvno < 0)
- return ENOENT;
+ return ret ? ret : KRB5_KDB_NO_MATCHING_KEY;
*kdatap = datap;
*start = index+1;
return 0;
diff --git a/src/lib/kdb/keytab.c b/src/lib/kdb/keytab.c
index 1e5025c..5881fa1 100644
--- a/src/lib/kdb/keytab.c
+++ b/src/lib/kdb/keytab.c
@@ -28,6 +28,8 @@
#include "k5-int.h"
#include "kdb_kt.h"
+static int
+is_xrealm_tgt(krb5_context, krb5_const_principal);
krb5_error_code krb5_ktkdb_close KRB5_PROTOTYPE((krb5_context, krb5_keytab));
krb5_error_code krb5_ktkdb_get_entry KRB5_PROTOTYPE((krb5_context, krb5_keytab, krb5_const_principal,
@@ -98,6 +100,8 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
krb5_db_entry db_entry;
krb5_boolean more = 0;
int n = 0;
+ int xrealm_tgt = is_xrealm_tgt(context, principal);
+ int similar;
/* Open database */
/* krb5_db_init(context); */
@@ -116,21 +120,49 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
return KRB5_KT_NOTFOUND;
}
+ if (db_entry.attributes & KRB5_KDB_DISALLOW_SVR
+ || db_entry.attributes & KRB5_KDB_DISALLOW_ALL_TIX) {
+ kerror = KRB5_KT_NOTFOUND;
+ goto error;
+ }
+
/* match key */
kerror = krb5_db_get_mkey(context, &master_key);
if (kerror)
goto error;
+ /* For cross realm tgts, we match whatever enctype is provided;
+ * for other principals, we only match the first enctype that is
+ * found. Since the TGS and AS code do the same thing, then we
+ * will only successfully decrypt tickets we have issued.*/
kerror = krb5_dbe_find_enctype(context, &db_entry,
- enctype, -1, kvno, &key_data);
+ xrealm_tgt?enctype:-1,
+ -1, kvno, &key_data);
if (kerror)
goto error;
+
kerror = krb5_dbekd_decrypt_key_data(context, master_key,
key_data, &entry->key, NULL);
if (kerror)
goto error;
+ kerror = krb5_c_enctype_compare(context, enctype, entry->key.enctype, &similar);
+ if (kerror)
+ goto error;
+
+ if (!similar) {
+ kerror = KRB5_KDB_NO_PERMITTED_KEY;
+ goto error;
+ }
+
+ /*
+ * Coerce the enctype of the output keyblock in case we got an
+ * inexact match on the enctype; this behavior will go away when
+ * the key storage architecture gets redesigned for 1.3.
+ */
+ entry->key.enctype = enctype;
+
kerror = krb5_copy_principal(context, principal, &entry->principal);
if (kerror)
goto error;
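Review bot: After `krb5_dbekd_decrypt_key_data` has filled `entry->key`, the new `krb5_c_enctype_compare` failure path and the new `!similar` branch both jump to `error` with the decrypted key still sitting in the caller's entry. The `error:` label is outside this hunk; unless it already releases the keyblock, add `krb5_free_keyblock_contents(context, &entry->key);` before those two `goto error` statements so key material is not left allocated after a failed lookup. The existing `krb5_copy_principal` failure path at the end of the hunk has the same shape and would benefit from the same line.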
@@ -141,3 +173,27 @@ krb5_ktkdb_get_entry(context, id, principal, kvno, enctype, entry)
krb5_db_close_database(context);
return(kerror);
}
+
+/*
+ * is_xrealm_tgt: Returns true if the principal is a cross-realm TGT
+ * principal-- a principal with first component krbtgt and second
+ * component not equal to realm.
+ */
+static int
+is_xrealm_tgt(krb5_context context, krb5_const_principal princ)
+{
+ krb5_data *dat;
+ if (krb5_princ_size(context, princ) != 2)
+ return 0;
+ dat = krb5_princ_component(context, princ, 0);
+ if (strncmp("krbtgt", dat->data, dat->length) != 0)
+ return 0;
+ dat = krb5_princ_component(context, princ, 1);
+ if (dat->length != princ->realm.length)
+ return 1;
+ if (strcmp(dat->data, princ->realm.data) == 0)
+ return 0;
+ return 1;
+
+}
+
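Review bot: `strncmp("krbtgt", dat->data, dat->length)` compares only `dat->length` bytes, so a first component that is empty or a proper prefix of "krbtgt" is also classified as a TGT name. The realm test has a related weakness: `strcmp(dat->data, princ->realm.data)` assumes both `krb5_data` buffers are NUL-terminated, which a length-counted type does not promise. Length-checked comparisons fix both: `if (dat->length != 6 || memcmp("krbtgt", dat->data, 6) != 0) return 0;` and, after the existing length test, `if (memcmp(dat->data, princ->realm.data, dat->length) == 0) return 0;`. Because this result decides whether `krb5_ktkdb_get_entry` looks up the requested enctype or any enctype, a misclassification changes which key is selected.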
diff --git a/src/lib/kdb/setup_mkey.c b/src/lib/kdb/setup_mkey.c
index 0898a63..1788ecd 100644
--- a/src/lib/kdb/setup_mkey.c
+++ b/src/lib/kdb/setup_mkey.c
@@ -56,7 +56,7 @@ krb5_db_setup_mkey_name(context, keyname, realm, fullname, principal)
keylen = strlen(keyname);
- fname = malloc(keylen+rlen+2);
+ fname = malloc(keylen+rlen+strlen(REALM_SEP_STRING)+1);
if (!fname)
return ENOMEM;
diff --git a/src/lib/kdb/store_mkey.c b/src/lib/kdb/store_mkey.c
index d18630a..47e0bc9 100644
--- a/src/lib/kdb/store_mkey.c
+++ b/src/lib/kdb/store_mkey.c
@@ -68,7 +68,7 @@ krb5_db_store_mkey(context, keyfile, mname, key)
(void) strncat(defkeyfile, realm->data,
min(sizeof(defkeyfile)-sizeof(DEFAULT_KEYFILE_STUB)-1,
realm->length));
- (void) strcat(defkeyfile, "");
+ defkeyfile[sizeof(defkeyfile) - 1] = '\0';
keyfile = defkeyfile;
}
diff --git a/src/lib/kdb/t_kdb.c b/src/lib/kdb/t_kdb.c
index 8358088..10e6163 100644
--- a/src/lib/kdb/t_kdb.c
+++ b/src/lib/kdb/t_kdb.c
@@ -363,15 +363,23 @@ gen_principal(kcontext, realm, do_rand, n, princp, namep)
complen = RANDOM(1,MAX_COMP_SIZE);
for (j=0; j<complen; j++) {
*cp = (char) RANDOM(0,256);
- while (!isalnum(*cp))
+ while (!isalnum(*cp & 0xff))
*cp = (char) RANDOM(0,256);
cp++;
+ if(cp + strlen(realm) >= pnamebuf + sizeof(pnamebuf))
+ break;
}
+ if(cp + strlen(realm) >= pnamebuf + sizeof(pnamebuf))
+ break;
*cp = '/';
cp++;
}
- cp[-1] = '@';
- strcpy(cp, realm);
+ if(cp + strlen(realm) < pnamebuf + sizeof(pnamebuf)) {
+ cp[-1] = '@';
+ strcpy(cp, realm);
+ } else {
+ strcpy(cp , "");
+ }
}
else {
instname = instnames[n % (sizeof(instnames)/sizeof(instnames[0]))];
@@ -894,45 +902,40 @@ do_testing(db, passes, verbose, timing, rcases, check, save_db, dontclean,
&stat_kb,
rseed))) {
fprintf(stderr,
- "%d: (%d,%d) Failed add of %s with %s\n",
- getpid(), i, j, playback_name(base+j),
+ "%ld: (%d,%d) Failed add of %s with %s\n",
+ (long) getpid(), i, j, playback_name(base+j),
error_message(kret));
break;
}
if (verbose > 4)
- fprintf(stderr, "*A[%d](%s)\n", getpid(),
+ fprintf(stderr, "*A[%ld](%s)\n", (long) getpid(),
playback_name(base+j));
}
for (j=0; (j<nper) && (!kret); j++) {
if ((kret = find_principal(ccontext,
playback_principal(base+j),
- &master_encblock,
- &stat_kb,
- rseed))) {
+ check))) {
fprintf(stderr,
- "%d: (%d,%d) Failed lookup of %s with %s\n",
- getpid(), i, j, playback_name(base+j),
+ "%ld: (%d,%d) Failed lookup of %s with %s\n",
+ (long) getpid(), i, j, playback_name(base+j),
error_message(kret));
break;
}
if (verbose > 4)
- fprintf(stderr, "-S[%d](%s)\n", getpid(),
+ fprintf(stderr, "-S[%ld](%s)\n", (long) getpid(),
playback_name(base+j));
}
for (j=0; (j<nper) && (!kret); j++) {
if ((kret = delete_principal(ccontext,
- playback_principal(base+j),
- &master_encblock,
- &stat_kb,
- rseed))) {
+ playback_principal(base+j)))) {
fprintf(stderr,
- "%d: (%d,%d) Failed delete of %s with %s\n",
- getpid(), i, j, playback_name(base+j),
+ "%ld: (%d,%d) Failed delete of %s with %s\n",
+ (long) getpid(), i, j, playback_name(base+j),
error_message(kret));
break;
}
if (verbose > 4)
- fprintf(stderr, "XD[%d](%s)\n", getpid(),
+ fprintf(stderr, "XD[%ld](%s)\n", (long) getpid(),
playback_name(base+j));
}
krb5_db_fini(ccontext);
@@ -949,13 +952,13 @@ do_testing(db, passes, verbose, timing, rcases, check, save_db, dontclean,
for (i=0; i<nprocs; i++) {
if (waitpid(children[i], &existat, 0) == children[i]) {
if (verbose)
- fprintf(stderr, "%d finished with %d\n", children[i],
- existat);
+ fprintf(stderr, "%ld finished with %d\n",
+ (long) children[i], existat);
if (existat)
kret = KRB5KRB_ERR_GENERIC;
}
else
- fprintf(stderr, "Wait for %d failed\n", children[i]);
+ fprintf(stderr, "Wait for %ld failed\n", (long) children[i]);
}
}
diff --git a/src/lib/krb4/ChangeLog b/src/lib/krb4/ChangeLog
index 187505b..a55bd6c 100644
--- a/src/lib/krb4/ChangeLog
+++ b/src/lib/krb4/ChangeLog
@@ -1,3 +1,106 @@
+2001-10-28 Ezra Peisach <epeisach@mit.edu>
+
+ * rd_svc_key.c (krb54_get_service_keyblock): If the keytab
+ encryption type is a non-raw des3 key, bash its enctype. This
+ matches kdc/kerberos_v4.c.
+ [pullup from trunk]
+
+2001-01-26 Tom Yu <tlyu@mit.edu>
+
+ * dest_tkt.c: Clean up uid handling. Fix stat checks.
+
+ * in_tkt.c: Clean up uid handling. Fix stat checks.
+
+ * tf_util.c: Clean up uid handling. Fix stat checks.
+
+2000-06-09 Tom Yu <tlyu@mit.edu>
+
+ * configure.in: Check for strdup().
+
+ * kparse.c: Remove strsave() and replace with an inlined static
+ version of strdup() if HAVE_STRDUP is not defined.
+
+ * g_ad_tkt.c (get_ad_tkt): ptr may be signed; cast while
+ assigning to larger types. [from Charles Hannum by way of
+ ghudson]
+
+2000-05-23 Ken Raeburn <raeburn@mit.edu>
+
+ * decomp_tkt.c (dcmp_tkt_int): Add a couple more length checks.
+ Reject names that are exactly ANAME_SZ (etc) bytes long without
+ the trailing nul, because krb.h says the *_SZ macros are "maximum
+ sizes ... +1".
+ * mk_auth.c (krb_mk_auth): Force nul termination of inst.
+ * sendauth.c (krb_sendauth): Force nul termination of srv_inst.
+
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * Password.c (GetUserInfo): Truncate user name if it's too long
+ to fit.
+ * cr_auth_repl.c (cr_auth_reply): Bail if the reply packet won't
+ fit into its buffer.
+ * cr_ciph.c (create_ciph): Ditto.
+ * cr_death_pkt.c (krb_create_death_packet): Truncate "aname" to
+ make it fit into the packet's data buffer.
+ * cr_err_repl.c (cr_err_reply): Bail if the reply packet won't
+ fit into its buffer.
+ * cr_tkt.c (krb_create_ticket): Ditto.
+ * g_ad_tkt.c (get_ad_tkt): Stop if data being added to buffer
+ would overflow it. Add more sanity checks when decomposing the
+ credential received.
+ * g_in_tkt.c (krb_mk_in_tkt_preauth): Bail if the request packet
+ won't fit into its buffer.
+ * g_krbhst.c (get_krbhst_default): Truncate the guessed KDC's
+ hostname if it is too long.
+ * g_pw_in_tkt.c: Remove useless strcpy() prototype.
+ * kntoln.c (krb_kntoln): Don't overflow buffer "lname".
+ * mk_err.c (krb_mk_err): Return the needed buffer length if the
+ pointer passed in is NULL.
+ * mk_req.c (krb_mk_req): Bail if the reply packet won't
+ fit into its buffer.
+ * rd_req.c (krb_rd_req): Sanity check the realm name being read,
+ and truncate the service name, nstance, and realm from credential
+ read from keytab.
+ * realmofhost.c (krb_realmofhost): Truncate realm names read
+ from file if they are too long.
+ * send_to_kdc.c (send_to_kdc): Truncate passed-in realm name.
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+
+ * rd_req.c (krb_rd_req): Mask length byte with 0xff in case the
+ length is over 127 and char is signed.
+
+ * recvauth.c (krb_recvauth): If the number of bytes to be read
+ from the net is not positive, just return an error.
+
+2000-05-03 Tom Yu <tlyu@mit.edu>
+
+ * cr_tkt.c: Delete prototype for krb_cr_tkt_int(), since the
+ definition is K&R style and contains narrow types. Thank you
+ HP/UX for having a compiler that actually makes this a fatal
+ error.
+
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * dest_tkt.c (dest_tkt): Don't overflow buffer "shmidname".
+ * in_tkt.c (in_tkt): Don't overflow buffer "shmidname".
+ * kuserok.c (kuserok): Don't overflow buffer "pbuf".
+ * tf_util.c (tf_init): Don't overflow buffer "shmidname".
+ * win_store.c (krb__get_cnffile): Don't overflow buffers "defname"
+ and "cnfname".
+ (krb__get_realmsfile): Don't overflow buffers "defname" and
+ "realmsname".
+
+2000-04-28 Tom Yu <tlyu@mit.edu>
+
+ * rd_req.c (krb_rd_req): Fix some uses of strcpy().
+
+2000-03-12 Ezra Peisach <epeisach@mit.edu>
+
+ * cr_tkt.c (krb_cr_tkt_int): Add static prototype.
+ * decomp_tkt.c: (dcmp_tkt_int): Add static prototype
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb4/Password.c b/src/lib/krb4/Password.c
index b296630..5862e0e 100644
--- a/src/lib/krb4/Password.c
+++ b/src/lib/krb4/Password.c
@@ -177,7 +177,8 @@ OSErr GetUserInfo( char *password )
// already got a password, just get the initial ticket
//////////////////////////////////////////////////////
if (*gPassword) {
- strcpy (UserName, krb_get_default_user( ));
+ strncpy (UserName, krb_get_default_user( ), sizeof(UserName)-1);
+ UserName[sizeof(UserName) - 1] = '\0';
/* FIXME jcm - if we have a password then no dialog
comes up for setting the uinstance. */
rc = kname_parse(uname, uinst, realm, UserName);
@@ -201,7 +202,8 @@ OSErr GetUserInfo( char *password )
}
// Insert user's name in dialog
- strcpy (UserName, krb_get_default_user( ));
+ strncpy (UserName, krb_get_default_user( ), sizeof(UserName) - 1);
+ UserName[sizeof(UserName) - 1] = '\0';
if (*UserName) {
tempStr[0] = strlen(UserName);
memcpy( &(tempStr[1]), UserName, tempStr[0]);
@@ -417,7 +419,8 @@ CacheInitialTicket( serviceName )
if (!serviceName || (serviceName[0] == '\0'))
return err;
- strcpy (UserName, krb_get_default_user());
+ strncpy (UserName, krb_get_default_user(), sizeof(UserName) - 1);
+ UserName[sizeof(UserName) - 1] = '\0';
err = kname_parse(uname, uinst, urealm, UserName);
if (err) return err;
diff --git a/src/lib/krb4/configure.in b/src/lib/krb4/configure.in
index 0434c7d..59937e1 100644
--- a/src/lib/krb4/configure.in
+++ b/src/lib/krb4/configure.in
@@ -38,7 +38,7 @@ else
AC_DEFINE(BITS32)
fi
AC_DEFINE(KRB4_USE_KEYTAB)
-AC_HAVE_FUNCS(strsave seteuid setreuid setresuid)
+AC_HAVE_FUNCS(strdup seteuid setreuid setresuid)
AC_PROG_AWK
KRB5_BUILD_LIBOBJS
KRB5_BUILD_LIBRARY_WITH_DEPS
diff --git a/src/lib/krb4/cr_auth_repl.c b/src/lib/krb4/cr_auth_repl.c
index 5203506..a0562d9 100644
--- a/src/lib/krb4/cr_auth_repl.c
+++ b/src/lib/krb4/cr_auth_repl.c
@@ -83,6 +83,16 @@ create_auth_reply(pname,pinst,prealm,time_ws,n,x_date,kvno,cipher)
if (n != 0)
*v = 3;
+ /* Make sure the response will actually fit into its buffer. */
+ if(sizeof(pkt->dat) < 3 + strlen(pname) +
+ 1 + strlen(pinst) +
+ 1 + strlen(prealm) +
+ 4 + 1 + 4 +
+ 1 + 2 + cipher->length) {
+ pkt->length = 0;
+ return NULL;
+ }
+
/* Add the basic info */
(void) strcpy((char *) (pkt->dat+2), pname);
pkt->length = 3 + strlen(pname);
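Review bot: The new size check makes `create_auth_reply` return NULL, and the matching check in the cr_err_repl.c hunk makes `cr_err_reply` return with only `pkt->length = 0` as the failure signal; neither contract is stated in a comment, and the callers are not visible on this page. Add to the function comments something like `/* Returns NULL and sets pkt->length to 0 if the reply would not fit in pkt->dat. */` and, for `cr_err_reply`, `/* If the reply would not fit, pkt->length is set to 0 and nothing is written. */`. A caller that uses the result without looking at it would otherwise dereference NULL or send an empty reply. Both function bodies start and end outside their hunks.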
diff --git a/src/lib/krb4/cr_ciph.c b/src/lib/krb4/cr_ciph.c
index d15a4e0..d9c7512 100644
--- a/src/lib/krb4/cr_ciph.c
+++ b/src/lib/krb4/cr_ciph.c
@@ -71,6 +71,17 @@ create_ciph(c, session, service, instance, realm, life, kvno, tkt,
ptr = (char *) c->dat;
+ if(sizeof(c->dat) / 8 < (8 +
+ strlen(service) + 1 +
+ strlen(instance) + 1 +
+ strlen(realm) + 1 +
+ 1 + 1 + 1 +
+ tkt->length + 4 +
+ 7) / 8) {
+ c->length = 0;
+ return(KFAILURE);
+ }
+
memcpy(ptr, (char *) session, 8);
ptr += 8;
diff --git a/src/lib/krb4/cr_death_pkt.c b/src/lib/krb4/cr_death_pkt.c
index 8daa2d6..c356267 100644
--- a/src/lib/krb4/cr_death_pkt.c
+++ b/src/lib/krb4/cr_death_pkt.c
@@ -52,8 +52,9 @@ krb_create_death_packet(a_name)
*v = (unsigned char) KRB_PROT_VERSION;
*t = (unsigned char) AUTH_MSG_DIE;
*t |= HOST_BYTE_ORDER;
- (void) strcpy((char *) (pkt->dat+2),a_name);
- pkt->length = 3 + strlen(a_name);
+ (void) strncpy((char *) (pkt->dat+2),a_name,sizeof(pkt->dat) - 3);
+ pkt->dat[sizeof(pkt->dat) - 1] = '\0';
+ pkt->length = 3 + strlen(pkt->dat+2);
return pkt;
}
#endif /* DEBUG */
diff --git a/src/lib/krb4/cr_err_repl.c b/src/lib/krb4/cr_err_repl.c
index 7f68bda..54e87d8 100644
--- a/src/lib/krb4/cr_err_repl.c
+++ b/src/lib/krb4/cr_err_repl.c
@@ -78,6 +78,15 @@ cr_err_reply(pkt,pname,pinst,prealm,time_ws,e,e_string)
*t = (unsigned char) AUTH_MSG_ERR_REPLY;
*t |= HOST_BYTE_ORDER;
+ /* Make sure the reply will fit into the buffer. */
+ if(sizeof(pkt->dat) < 3 + strlen(pname) +
+ 1 + strlen(pinst) +
+ 1 + strlen(prealm) +
+ 4 + 4 +
+ 1 + strlen(e_string)) {
+ pkt->length = 0;
+ return;
+ }
/* Add the basic info */
(void) strcpy((char *) (pkt->dat+2),pname);
pkt->length = 3 + strlen(pname);
diff --git a/src/lib/krb4/cr_tkt.c b/src/lib/krb4/cr_tkt.c
index a8224f8..34bec48 100644
--- a/src/lib/krb4/cr_tkt.c
+++ b/src/lib/krb4/cr_tkt.c
@@ -14,6 +14,7 @@
#include "prot.h"
#include <string.h>
#include <krb5.h>
+
/*
* Create ticket takes as arguments information that should be in a
* ticket, and the KTEXT object in which the ticket should be
@@ -134,6 +135,23 @@ krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
register char *data; /* running index into ticket */
tkt->length = 0; /* Clear previous data */
+
+ /* Check length of ticket */
+ if (sizeof(tkt->dat) < (sizeof(flags) +
+ 1 + strlen(pname) +
+ 1 + strlen(pinstance) +
+ 1 + strlen(prealm) +
+ 4 + /* address */
+ 8 + /* session */
+ 1 + /* life */
+ 4 + /* issue time */
+ 1 + strlen(sname) +
+ 1 + strlen(sinstance) +
+ 7) / 8) { /* roundoff */
+ memset(tkt->dat, 0, sizeof(tkt->dat));
+ return KFAILURE /* XXX */;
+ }
+
flags |= HOST_BYTE_ORDER; /* ticket byte order */
memcpy((char *) (tkt->dat), (char *) &flags, sizeof(flags));
data = ((char *)tkt->dat) + sizeof(flags);
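Review bot: The length check compares `sizeof(tkt->dat)` in bytes against the required size divided by 8, so it only rejects a ticket roughly eight times larger than the buffer and the copies that follow can still run past `tkt->dat`. The equivalent check in the cr_ciph.c hunk divides both sides by 8; this one should do the same: `if (sizeof(tkt->dat) / 8 < (sizeof(flags) +`, with the rest of the expression unchanged. The function body continues outside the hunk.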
diff --git a/src/lib/krb4/decomp_tkt.c b/src/lib/krb4/decomp_tkt.c
index 03398ac..06e9e31 100644
--- a/src/lib/krb4/decomp_tkt.c
+++ b/src/lib/krb4/decomp_tkt.c
@@ -19,6 +19,12 @@
extern int krb_debug;
#endif
+static int dcmp_tkt_int PROTOTYPE((KTEXT tkt, unsigned char *flags,
+ char *pname, char *pinstance, char *prealm,
+ unsigned KRB4_32 *paddress, C_Block session,
+ int *life, unsigned KRB4_32 *time_sec,
+ char *sname, char *sinstance, C_Block key,
+ Key_schedule key_s, krb5_keyblock *k5key));
/*
* This routine takes a ticket and pointers to the variables that
* should be filled in based on the information in the ticket. It
@@ -186,17 +192,17 @@ dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
if (HOST_BYTE_ORDER != ((*flags >> K_FLAG_ORDER)& 1))
tkt_swap_bytes++;
- if (strlen(ptr) > ANAME_SZ)
+ if (strlen(ptr) >= ANAME_SZ)
return(KFAILURE);
(void) strcpy(pname,ptr); /* pname */
ptr += strlen(pname) + 1;
- if (strlen(ptr) > INST_SZ)
+ if (strlen(ptr) >= INST_SZ)
return(KFAILURE);
(void) strcpy(pinstance,ptr); /* instance */
ptr += strlen(pinstance) + 1;
- if (strlen(ptr) > REALM_SZ)
+ if (strlen(ptr) >= REALM_SZ)
return(KFAILURE);
(void) strcpy(prealm,ptr); /* realm */
ptr += strlen(prealm) + 1;
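Review bot: Each field length is still measured with an unbounded `strlen(ptr)` on the ticket contents, so the `>= ANAME_SZ` style tests (here, and in the next hunk for `sname` and `sinstance`) protect the destination buffers but not the read itself: if the data carries no NUL, `strlen` keeps going until it finds one. How `ptr` relates to `tkt->length` is set up outside these hunks, so this is an inference from the visible lines. A scan bounded by the bytes left in the ticket, for instance `memchr(ptr, '\0', remaining)` with failure on NULL, where `remaining` is a count the function would have to maintain, would close that gap before each `strcpy`.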
@@ -223,9 +229,13 @@ dcmp_tkt_int(tkt, flags, pname, pinstance, prealm, paddress, session,
if (tkt_swap_bytes)
*time_sec = krb4_swab32(*time_sec);
+ if (strlen(ptr) >= ANAME_SZ)
+ return KFAILURE;
(void) strcpy(sname,ptr); /* service name */
ptr += 1 + strlen(sname);
+ if (strlen (ptr) >= INST_SZ)
+ return KFAILURE;
(void) strcpy(sinstance,ptr); /* instance */
ptr += 1 + strlen(sinstance);
diff --git a/src/lib/krb4/dest_tkt.c b/src/lib/krb4/dest_tkt.c
index 7057818..7887822 100644
--- a/src/lib/krb4/dest_tkt.c
+++ b/src/lib/krb4/dest_tkt.c
@@ -1,14 +1,29 @@
/*
- * dest_tkt.c
+ * lib/krb4/dest_tkt.c
*
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Institute of Technology. All Rights Reserved.
*
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
*/
-#include "mit-copyright.h"
#include "krb.h"
#include <stdio.h>
#include <string.h>
@@ -17,12 +32,29 @@
#ifdef TKT_SHMEM
#include <sys/param.h>
#endif
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <errno.h>
#ifndef O_SYNC
#define O_SYNC 0
#endif
+#ifdef HAVE_SETEUID
+#define do_seteuid(e) seteuid((e))
+#else
+#ifdef HAVE_SETRESUID
+#define do_seteuid(e) setresuid(-1, (e), -1)
+#else
+#ifdef HAVE_SETREUID
+#define do_seteuid(e) setreuid(geteuid(), (e))
+#else
+#define do_seteuid(e) (errno = EPERM, -1)
+#endif
+#endif
+#endif
+
/*
* dest_tkt() is used to destroy the ticket store upon logout.
* If the ticket file does not exist, dest_tkt() returns RET_TKFIL.
@@ -38,10 +70,13 @@ dest_tkt()
char *file = TKT_FILE;
int i,fd;
extern int errno;
- struct stat statb;
+ int ret;
+ struct stat statpre, statpost;
char buf[BUFSIZ];
+ uid_t me, metoo;
#ifdef TKT_SHMEM
char shmidname[MAXPATHLEN];
+ size_t shmidlen;
#endif /* TKT_SHMEM */
/* If ticket cache selector is null, use default cache. */
@@ -49,22 +84,56 @@ dest_tkt()
file = tkt_string();
errno = 0;
- if (lstat(file,&statb) < 0)
- goto out;
+ ret = KSUCCESS;
+ me = getuid();
+ metoo = geteuid();
- if (!(statb.st_mode & S_IFREG)
-#ifdef notdef
- || statb.st_mode & 077
-#endif
- )
+ if (lstat(file, &statpre) < 0)
+ return (errno == ENOENT) ? RET_TKFIL : KFAILURE;
+ /*
+ * This does not guard against certain cases that are vulnerable
+ * to race conditions, such as world-writable or group-writable
+ * directories that are not stickybitted, or untrusted path
+ * components. In all other cases, the following checks should be
+ * sufficient. It is assumed that the aforementioned certain
+ * vulnerable cases are unlikely to arise on a well-administered
+ * system where the user is not deliberately being stupid.
+ */
+ if (!(statpre.st_mode & S_IFREG) || me != statpre.st_uid
+ || statpre.st_nlink != 1)
+ return KFAILURE;
+ /*
+ * Yes, we do uid twiddling here. It's not optimal, but some
+ * applications may expect that the ruid is what should really own
+ * the ticket file, e.g. setuid applications.
+ */
+ if (me != metoo && do_seteuid(me) < 0)
+ return KFAILURE;
+ if ((fd = open(file, O_RDWR|O_SYNC, 0)) < 0) {
+ ret = (errno == ENOENT) ? RET_TKFIL : KFAILURE;
goto out;
-
- if ((fd = open(file, O_RDWR|O_SYNC, 0)) < 0)
+ }
+ /*
+ * Do some additional paranoid things. The worst-case situation
+ * is that a user may be fooled into opening a non-regular file
+ * briefly if the file is in a directory with improper
+ * permissions.
+ */
+ if (fstat(fd, &statpost) < 0) {
+ (void)close(fd);
+ ret = KFAILURE;
+ goto out;
+ }
+ if (statpre.st_dev != statpost.st_dev
+ || statpre.st_ino != statpost.st_ino) {
+ (void)close(fd);
+ errno = 0;
+ ret = KFAILURE;
goto out;
+ }
memset(buf, 0, BUFSIZ);
-
- for (i = 0; i < statb.st_size; i += BUFSIZ)
+ for (i = 0; i < statpost.st_size; i += BUFSIZ)
if (write(fd, buf, BUFSIZ) != BUFSIZ) {
#ifndef NO_FSYNC
(void) fsync(fd);
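Review bot: `!(statpre.st_mode & S_IFREG)` tests one bit of the file-type field instead of the type itself, so on systems where the symlink or socket type codes share that bit, an `lstat` result for such a file still passes as regular. The later `st_dev`/`st_ino` comparison against `fstat` would reject a symlink, but only after `open` has already followed it. Use the type macro instead: `if (!S_ISREG(statpre.st_mode) || me != statpre.st_uid`. The function starts before this hunk and continues after it.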
@@ -81,16 +150,22 @@ dest_tkt()
(void) unlink(file);
out:
- if (errno == ENOENT) return RET_TKFIL;
- else if (errno != 0) return KFAILURE;
+ if (me != metoo && do_seteuid(metoo) < 0)
+ return KFAILURE;
+ if (ret != KSUCCESS)
+ return ret;
+
#ifdef TKT_SHMEM
/*
* handle the shared memory case
*/
- (void) strcpy(shmidname, file);
- (void) strcat(shmidname, ".shm");
- if ((i = krb_shm_dest(shmidname)) != KSUCCESS)
- return(i);
-#endif /* TKT_SHMEM */
- return(KSUCCESS);
+ shmidlen = strlen(file) + sizeof(".shm");
+ if (shmidlen > sizeof(shmidname))
+ return RET_TKFIL;
+ (void)strcpy(shmidname, file);
+ (void)strcat(shmidname, ".shm");
+ return krb_shm_dest(shmidname);
+#else /* !TKT_SHMEM */
+ return KSUCCESS;
+#endif /* !TKT_SHMEM */
}
diff --git a/src/lib/krb4/g_ad_tkt.c b/src/lib/krb4/g_ad_tkt.c
index b3abb2d..afcd0c6 100644
--- a/src/lib/krb4/g_ad_tkt.c
+++ b/src/lib/krb4/g_ad_tkt.c
@@ -19,6 +19,19 @@
extern int krb_debug;
extern int swap_bytes;
+/* Return the length of the string if a NUL is found within the first
+ * max_len bytes, otherwise, -1. */
+static int krb_strnlen(const char *str, int max_len)
+{
+ int i;
+ for(i = 0; i < max_len; i++) {
+ if(str[i] == '\0') {
+ return i;
+ }
+ }
+ return -1;
+}
+
/*
* get_ad_tkt obtains a new service ticket from Kerberos, using
* the ticket-granting ticket which must be in the ticket file.
@@ -136,11 +149,22 @@ get_ad_tkt(service,sinstance,realm,lifetime)
return(AD_NOTGT);
/* timestamp */ /* FIXME -- always 0 now, should we fill it in??? */
+ if(pkt->length + 4 > sizeof(pkt->dat))
+ return(INTK_ERR);
memcpy((char *) (pkt->dat+pkt->length), (char *) &time_ws, 4);
pkt->length += 4;
+
+ if(pkt->length + 1 > sizeof(pkt->dat))
+ return(INTK_ERR);
*(pkt->dat+(pkt->length)++) = (char) lifetime;
+
+ if(pkt->length + 1 + strlen(service) > sizeof(pkt->dat))
+ return(INTK_ERR);
(void) strcpy((char *) (pkt->dat+pkt->length),service);
pkt->length += 1 + strlen(service);
+
+ if(pkt->length + 1 + strlen(sinstance) > sizeof(pkt->dat))
+ return(INTK_ERR);
(void) strcpy((char *)(pkt->dat+pkt->length),sinstance);
pkt->length += 1 + strlen(sinstance);
@@ -199,18 +223,27 @@ get_ad_tkt(service,sinstance,realm,lifetime)
memcpy((char *)ses, ptr, 8);
ptr += 8;
- (void) strcpy(s_name,ptr);
+ if(krb_strnlen(ptr, sizeof(s_name)) < 0)
+ return RD_AP_MODIFIED;
+ (void) strncpy(s_name,ptr,sizeof(s_name) - 1);
+ s_name[sizeof(s_name) - 1] = '\0';
ptr += strlen(s_name) + 1;
- (void) strcpy(s_instance,ptr);
+ if(krb_strnlen(ptr, sizeof(s_instance)) < 0)
+ return RD_AP_MODIFIED;
+ (void) strncpy(s_instance,ptr,sizeof(s_instance)-1);
+ s_instance[sizeof(s_instance)-1] = '\0';
ptr += strlen(s_instance) + 1;
- (void) strcpy(rlm,ptr);
+ if(krb_strnlen(ptr, sizeof(rlm)) < 0)
+ return RD_AP_MODIFIED;
+ (void) strncpy(rlm,ptr,sizeof(rlm) - 1);
+ rlm[sizeof(rlm)-1];
ptr += strlen(rlm) + 1;
- lifetime = (unsigned long) ptr[0];
- kvno = (unsigned long) ptr[1];
- tkt->length = (int) ptr[2];
+ lifetime = (unsigned char) ptr[0];
+ kvno = (unsigned char) ptr[1];
+ tkt->length = (unsigned char) ptr[2];
ptr += 3;
memcpy((char *)(tkt->dat), ptr, tkt->length);
ptr += tkt->length;
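Review bot: `rlm[sizeof(rlm)-1];` is an expression statement with no effect; the assignment is missing, so unlike `s_name` and `s_instance` the realm buffer is never forcibly terminated. When the incoming realm is exactly `sizeof(rlm) - 1` bytes long, `krb_strnlen` accepts it, `strncpy` copies it without a terminator, and the `strlen(rlm)` on the next line reads past the array. The line should be `rlm[sizeof(rlm)-1] = '\0';`. The buffer declarations and the rest of `get_ad_tkt` are outside the hunk.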
diff --git a/src/lib/krb4/g_in_tkt.c b/src/lib/krb4/g_in_tkt.c
index c9d6183..361273c 100644
--- a/src/lib/krb4/g_in_tkt.c
+++ b/src/lib/krb4/g_in_tkt.c
@@ -152,6 +152,20 @@ krb_mk_in_tkt_preauth(user, instance, realm, service, sinstance, life,
*t = (unsigned char) AUTH_MSG_KDC_REQUEST;
*t |= HOST_BYTE_ORDER;
+ /* Make sure the ticket data will fit into the buffer. */
+ if(sizeof(pkt->dat) < 2 + /* protocol version + flags */
+ 3 + strlen(user) +
+ 1 + strlen(instance) +
+ 1 + strlen(realm) +
+ 4 + /* timestamp */
+ 1 + /* lifetime */
+ 1 + strlen(service) +
+ 1 + strlen(sinstance) +
+ preauth_len) {
+ pkt->length = 0;
+ return INTK_ERR;
+ }
+
/* Now for the variable info */
(void) strcpy((char *)(pkt->dat+2),user); /* aname */
pkt->length = 3 + strlen(user);
diff --git a/src/lib/krb4/g_krbhst.c b/src/lib/krb4/g_krbhst.c
index 529ac07..4e0fd6d 100644
--- a/src/lib/krb4/g_krbhst.c
+++ b/src/lib/krb4/g_krbhst.c
@@ -52,9 +52,11 @@ get_krbhst_default(h, r, n)
int n;
{
if (n==1) {
- (void) strcpy(h,KRB_HOST);
- (void) strcat(h,".");
- (void) strcat(h,r); /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */
+ (void) strncpy(h,KRB_HOST,MAXHOSTNAMELEN-1);
+ h[MAXHOSTNAMELEN-1] = '\0';
+ (void) strncat(h,".",MAXHOSTNAMELEN-1-strlen(h));
+ (void) strncat(h,r,MAXHOSTNAMELEN-1-strlen(h));
+ /* KRB_HOST.REALM (ie. kerberos.CYGNUS.COM) */
return(KSUCCESS);
}
else
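Review bot: The bounded copies assume the caller's buffer `h` holds `MAXHOSTNAMELEN` bytes, which nothing in this hunk establishes, and when `KRB_HOST`, the dot and `r` do not fit, the function still returns `KSUCCESS` with a shortened hostname. A truncated name is a different host as far as resolution is concerned, so failing is safer than guessing: test `strlen(KRB_HOST) + 1 + strlen(r) >= MAXHOSTNAMELEN` first and return a failure code such as `KFAILURE`. A one-line comment on the function stating the required size of `h` would document the first assumption.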
diff --git a/src/lib/krb4/g_krbrlm.c b/src/lib/krb4/g_krbrlm.c
index 983150c..c750231 100644
--- a/src/lib/krb4/g_krbrlm.c
+++ b/src/lib/krb4/g_krbrlm.c
@@ -44,7 +44,8 @@ krb_get_lrealm(r,n)
cnffile = krb__get_cnffile();
if (!cnffile) {
if (n == 1) {
- (void) strcpy(r, KRB_REALM);
+ (void) strncpy(r, KRB_REALM, REALM_SZ);
+ r[REALM_SZ - 1] = '\0';
return(KSUCCESS);
}
else
diff --git a/src/lib/krb4/g_pw_in_tkt.c b/src/lib/krb4/g_pw_in_tkt.c
index 6723df8..13f762b 100644
--- a/src/lib/krb4/g_pw_in_tkt.c
+++ b/src/lib/krb4/g_pw_in_tkt.c
@@ -176,7 +176,6 @@ krb_get_pw_in_tkt_preauth(user,instance,realm,service,sinstance,life,password)
#include <signal.h>
#include <setjmp.h>
#else
-char *strcpy();
int strcmp();
#endif
#if defined(__svr4__) || defined(__SVR4)
diff --git a/src/lib/krb4/in_tkt.c b/src/lib/krb4/in_tkt.c
index ea17be8..a34f318 100644
--- a/src/lib/krb4/in_tkt.c
+++ b/src/lib/krb4/in_tkt.c
@@ -1,14 +1,29 @@
/*
- * in_tkt.c
+ * lib/krb4/in_tkt.c
*
- * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
- * of Technology.
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Institute of Technology. All Rights Reserved.
*
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
*/
-#include "mit-copyright.h"
#include <stdio.h>
#include <string.h>
#include "krb.h"
@@ -34,7 +49,7 @@ extern int krb_debug;
#define do_seteuid(e) seteuid((e))
#else
#ifdef HAVE_SETRESUID
-#define do_seteuid(e) setresuid(getuid(), (e), geteuid())
+#define do_seteuid(e) setresuid(-1, (e), -1)
#else
#ifdef HAVE_SETREUID
#define do_seteuid(e) setreuid(geteuid(), (e))
@@ -55,7 +70,7 @@ in_tkt(pname,pinst)
{
int tktfile;
uid_t me, metoo, getuid(), geteuid();
- struct stat buf;
+ struct stat statpre, statpost;
int count;
char *file = TKT_FILE;
int fd;
@@ -72,20 +87,49 @@ in_tkt(pname,pinst)
me = getuid ();
metoo = geteuid();
- if (lstat(file,&buf) == 0) {
- if (buf.st_uid != me || !(buf.st_mode & S_IFREG) ||
- buf.st_mode & 077) {
+ if (lstat(file, &statpre) == 0) {
+ if (statpre.st_uid != me || !(statpre.st_mode & S_IFREG)
+ || statpre.st_nlink != 1 || statpre.st_mode & 077) {
if (krb_debug)
fprintf(stderr,"Error initializing %s",file);
return(KFAILURE);
}
+ /*
+ * Yes, we do uid twiddling here. It's not optimal, but some
+ * applications may expect that the ruid is what should really
+ * own the ticket file, e.g. setuid applications.
+ */
+ if (me != metoo && do_seteuid(me) < 0)
+ return KFAILURE;
/* file already exists, and permissions appear ok, so nuke it */
- if ((fd = open(file, O_RDWR|O_SYNC, 0)) < 0)
+ fd = open(file, O_RDWR|O_SYNC, 0);
+ (void)unlink(file);
+ if (me != metoo && do_seteuid(metoo) < 0)
+ return KFAILURE;
+ if (fd < 0) {
goto out; /* can't zero it, but we can still try truncating it */
+ }
+
+ /*
+ * Do some additional paranoid things. The worst-case
+ * situation is that a user may be fooled into opening a
+ * non-regular file briefly if the file is in a directory with
+ * improper permissions.
+ */
+ if (fstat(fd, &statpost) < 0) {
+ (void)close(fd);
+ goto out;
+ }
+ if (statpre.st_dev != statpost.st_dev
+ || statpre.st_ino != statpost.st_ino) {
+ (void)close(fd);
+ errno = 0;
+ goto out;
+ }
memset(charbuf, 0, sizeof(charbuf));
- for (i = 0; i < buf.st_size; i += sizeof(charbuf))
+ for (i = 0; i < statpost.st_size; i += sizeof(charbuf))
if (write(fd, charbuf, sizeof(charbuf)) != sizeof(charbuf)) {
#ifndef NO_FSYNC
(void) fsync(fd);
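Review bot: `!(statpre.st_mode & S_IFREG)` is a bit test, not a file-type test: on common Unix systems the S_IFLNK and S_IFSOCK type values also contain the S_IFREG bit, so the lstat() result for a symbolic link passes this check and the following open() follows the link. The later `st_dev`/`st_ino` comparison catches the mismatch, but only after the open() and the unlink(); comparing the masked type with `!S_ISREG(statpre.st_mode)` rejects it up front. The same expression is added twice in tf_util.c (`stat_buf.st_mode & S_IFREG`). The in_tkt() body starts and ends outside this hunk.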
@@ -117,12 +161,7 @@ in_tkt(pname,pinst)
/* Set umask to ensure that we have write access on the created
ticket file. */
mask = umask(077);
- if ((tktfile = creat(file,0600)) < 0) {
- umask(mask);
- if (krb_debug)
- fprintf(stderr,"Error initializing %s",TKT_FILE);
- return(KFAILURE);
- }
+ tktfile = open(file, O_RDWR|O_SYNC|O_CREAT|O_EXCL, 0600);
umask(mask);
if (me != metoo) {
if (do_seteuid(metoo) < 0) {
@@ -134,19 +173,11 @@ in_tkt(pname,pinst)
if (krb_debug)
printf("swapped UID's %d and %d\n",me,metoo);
}
- if (lstat(file,&buf) < 0) {
+ if (tktfile < 0) {
if (krb_debug)
fprintf(stderr,"Error initializing %s",TKT_FILE);
return(KFAILURE);
}
-
- if (buf.st_uid != me || !(buf.st_mode & S_IFREG) ||
- buf.st_mode & 077) {
- if (krb_debug)
- fprintf(stderr,"Error initializing %s",TKT_FILE);
- return(KFAILURE);
- }
-
count = strlen(pname)+1;
if (write(tktfile,pname,count) != count) {
(void) close(tktfile);
@@ -159,8 +190,9 @@ in_tkt(pname,pinst)
}
(void) close(tktfile);
#ifdef TKT_SHMEM
- (void) strcpy(shmidname, file);
- (void) strcat(shmidname, ".shm");
+ (void) strncpy(shmidname, file, sizeof(shmidname) - 1);
+ shmidname[sizeof(shmidname) - 1] = '\0';
+ (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname));
return(krb_shm_create(shmidname));
#else /* !TKT_SHMEM */
return(KSUCCESS);
diff --git a/src/lib/krb4/kntoln.c b/src/lib/krb4/kntoln.c
index 8b6cdfe..f86599c 100644
--- a/src/lib/krb4/kntoln.c
+++ b/src/lib/krb4/kntoln.c
@@ -38,6 +38,10 @@
* KSUCCESS if all goes well, otherwise KFAILURE.
*/
+/* The definition of MAX_USERNAME here MUST agree with kuserok.c, or bad
+ * things will happen. */
+#define MAX_USERNAME 10
+
krb_kntoln(ad,lname)
AUTH_DAT *ad;
char *lname;
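Review bot: MAX_USERNAME is defined here with a comment saying it must agree with kuserok.c, which leaves two copies of a buffer-size constant to be kept in step by hand. Moving the definition into a header that both files include would let the compiler enforce the agreement rather than the comment. The copy added in the next hunk writes up to index `MAX_USERNAME - 1` of `lname`, so the function's header comment should state that callers must supply at least MAX_USERNAME bytes.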
@@ -51,6 +55,7 @@ krb_kntoln(ad,lname)
return(KFAILURE);
if (strcmp(ad->prealm,lrealm))
return(KFAILURE);
- (void) strcpy(lname,ad->pname);
+ (void) strncpy(lname,ad->pname,MAX_USERNAME-1);
+ lname[MAX_USERNAME - 1] = '\0';
return(KSUCCESS);
}
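Review bot: Truncating `ad->pname` to `MAX_USERNAME - 1` characters and returning KSUCCESS maps a long principal name onto whatever local account name equals its first nine characters. For a principal-to-local-user translation the safer outcome is a failure, `if (strlen(ad->pname) >= MAX_USERNAME) return(KFAILURE);` placed before the copy.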
diff --git a/src/lib/krb4/kparse.c b/src/lib/krb4/kparse.c
index 98e48fb..e72295c 100644
--- a/src/lib/krb4/kparse.c
+++ b/src/lib/krb4/kparse.c
@@ -54,8 +54,8 @@
static char *strutol();
-#ifndef HAVE_STRSAVE
-static char *strsave();
+#ifndef HAVE_STRDUP
+static char *strdup();
#endif
#ifndef HAVE_STDLIB_H
extern char *malloc();
@@ -104,7 +104,7 @@ int fGetParameterSet( fp,parm,parmcount )
keyword);
return(PS_BAD_KEYWORD);
}
- parm[i].value = strsave( value );
+ parm[i].value = strdup(value);
break;
}
}
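Review bot: The replacement strdup() added at the end of this file returns a null pointer when malloc() fails, and `parm[i].value = strdup(value);` stores it unchecked. Whether later users of `parm[i].value` tolerate a null pointer is not visible here; checking the result and returning an error from fGetParameterSet would keep the failure at its source. The function body starts and ends outside this hunk.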
@@ -552,34 +552,6 @@ int fGetChar(fp)
return(ch);
}
-
-/*
- * Routine Name: strsave
- *
- * Function: return a pointer to a saved copy of the
- * input string. the copy will be allocated
- * as large as necessary.
- *
- * Explicit Parameters: pointer to string to save
- *
- * Implicit Parameters: None
- *
- * External Procedures: malloc,strcpy,strlen
- *
- * Side Effects: None
- *
- * Return Value: pointer to copied string
- *
- */
-#ifndef HAVE_STRSAVE
-static char * strsave(p)
- char *p;
-{
- return(strcpy(malloc(strlen(p)+1),p));
-}
-#endif
-
-
/*
* strutol changes all characters in a string to lower case, in place.
* the pointer to the beginning of the string is returned.
@@ -770,3 +742,42 @@ main(argc,argv)
exit(0);
}
#endif
+
+/*
+ * Copyright (c) 1988 The Regents of the University of California.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms are permitted
+ * provided that: (1) source distributions retain this entire copyright
+ * notice and comment, and (2) distributions including binaries display
+ * the following acknowledgement: ``This product includes software
+ * developed by the University of California, Berkeley and its contributors''
+ * in the documentation or other materials provided with the distribution
+ * and in all advertising materials mentioning features or use of this
+ * software. Neither the name of the University nor the names of its
+ * contributors may be used to endorse or promote products derived
+ * from this software without specific prior written permission.
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+ * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
+ */
+
+/* based on @(#)strdup.c 5.3 (Berkeley) 6/1/90 */
+
+#ifndef HAVE_STRDUP
+static char *
+strdup(str)
+ const char *str;
+{
+ int len;
+ char *copy;
+
+ if (!str)
+ return((char *)0);
+ len = strlen(str) + 1;
+ if (!(copy = malloc((u_int)len)))
+ return((char *)0);
+ memcpy(copy, str, len);
+ return(copy);
+}
+#endif
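Review bot: `len` is declared `int` and then cast to `u_int` for malloc(), while strlen() returns `size_t` and memcpy() takes one. Declaring `size_t len;` and calling `malloc(len)` removes both conversions. Defining a static function named `strdup` also relies on `<string.h>` not declaring it whenever HAVE_STRDUP is undefined, which deserves a comment beside the `#ifndef`.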
diff --git a/src/lib/krb4/kuserok.c b/src/lib/krb4/kuserok.c
index 0aee893..20587cb 100644
--- a/src/lib/krb4/kuserok.c
+++ b/src/lib/krb4/kuserok.c
@@ -118,8 +118,11 @@ kuserok(kdata, luser)
if ((pwd = getpwnam(luser)) == NULL) {
return(NOTOK);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.klogin");
+ if (strlen (pwd->pw_dir) + sizeof ("/.klogin") >= sizeof (pbuf))
+ return NOTOK;
+ (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
+ pbuf[sizeof(pbuf) - 1] = '\0';
+ (void) strncat(pbuf, "/.klogin", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
diff --git a/src/lib/krb4/mk_auth.c b/src/lib/krb4/mk_auth.c
index 39a2e2f..a94a25d 100644
--- a/src/lib/krb4/mk_auth.c
+++ b/src/lib/krb4/mk_auth.c
@@ -124,8 +124,10 @@ krb_mk_auth(options, ticket, service, inst, realm, checksum, version, buf)
realm = krb_realm;
}
- if (!(options & KOPT_DONT_CANON))
- (void) strncpy(inst, krb_get_phost(inst), INST_SZ);
+ if (!(options & KOPT_DONT_CANON)) {
+ (void) strncpy(inst, krb_get_phost(inst), INST_SZ - 1);
+ inst[INST_SZ-1] = 0;
+ }
/* get the ticket if desired */
if (!(options & KOPT_DONT_MK_REQ)) {
diff --git a/src/lib/krb4/mk_err.c b/src/lib/krb4/mk_err.c
index e30e299..029aa9f 100644
--- a/src/lib/krb4/mk_err.c
+++ b/src/lib/krb4/mk_err.c
@@ -41,6 +41,14 @@ krb_mk_err(p,e,e_string)
{
u_char *start;
+ /* Just return the buffer length if p is NULL, because writing to the
+ * buffer would be a bad idea. Note that this feature is a change from
+ * previous versions, and can therefore only be used safely in this
+ * source tree, where we know this function supports it. */
+ if(p == NULL) {
+ return 2 + sizeof(e) + strlen(e_string);
+ }
+
start = p;
/* Create fixed part of packet */
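Review bot: The size returned for a null `p` is `2 + sizeof(e) + strlen(e_string)`, which leaves no room for the string's terminating NUL. If the packet-building code below (outside this hunk) copies `e_string` together with its terminator, a buffer sized from this return value is one byte short; either `return 2 + sizeof(e) + strlen(e_string) + 1;` or a comment stating that the terminator is never written would settle it. `e_string` is also passed to strlen() without a null check on this new path.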
diff --git a/src/lib/krb4/mk_req.c b/src/lib/krb4/mk_req.c
index 1936cb2..468dccd 100644
--- a/src/lib/krb4/mk_req.c
+++ b/src/lib/krb4/mk_req.c
@@ -130,6 +130,19 @@ krb_mk_req(authent,service,instance,realm,checksum)
if (retval != KSUCCESS) return (retval);
+ if(sizeof(authent->dat) / 8 < (3 +
+ strlen(realm) + 1 + 2 +
+ 3 + ticket->length +
+ strlen(cr.pname) + 1 +
+ strlen(cr.pinst) + 1 +
+ strlen(myrealm) + 1 +
+ 4 + /* checksum */
+ 4 + /* timestamp */
+ 7) / 8) { /* round-up */
+ authent->length = 0;
+ return KFAILURE;
+ }
+
if (krb_ap_req_debug)
DEB (("%s %s %s %s %s\n", service, instance, realm,
cr.pname, cr.pinst));
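Review bot: The bound compares whole 8-byte blocks of the summed field lengths against `sizeof(authent->dat) / 8`, which is exact only if the complete message is padded to a multiple of eight. If only the encrypted authenticator is padded (the encoding code is outside this hunk, so please confirm), the header and ticket bytes should be added after rounding that part, otherwise the real length can exceed the rounded sum by a few bytes. `ticket->length` also enters an unsigned sum, so a negative value would wrap rather than fail the test. A short comment naming what each bare constant (`3`, `2`, `3`) stands for would make the check reviewable.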
diff --git a/src/lib/krb4/rd_req.c b/src/lib/krb4/rd_req.c
index c9b6ac7..09f914d 100644
--- a/src/lib/krb4/rd_req.c
+++ b/src/lib/krb4/rd_req.c
@@ -108,6 +108,19 @@ krb_clear_key_krb5(ctx)
krb5_key = 0;
}
+/* A helper function to let us see if a buffer is properly terminated. */
+static int
+krb_strnlen(const char *str, size_t max_len)
+{
+ int i = 0;
+ for(i = 0; i < max_len; i++) {
+ if(str[i] == '\0') {
+ return i;
+ }
+ }
+ return -1;
+}
+
/*
* krb_rd_req() takes an AUTH_MSG_APPL_REQUEST or
* AUTH_MSG_APPL_REQUEST_MUTUAL message created by krb_mk_req(),
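Review bot: krb_strnlen() compares `int i` with `size_t max_len` and returns the index as `int`, mixing signed and unsigned values in a length helper. Declaring the loop index as `size_t i;` and converting only at the return, `return (int) i;`, avoids the implicit conversion in the loop condition. The comment should also state that -1 means no terminator was found within `max_len` bytes, since that is the contract the caller in krb_rd_req() relies on.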
@@ -184,6 +197,8 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
krb5_keyblock keyblock;
int status;
+ tkt->mbz = req_id->mbz = 0;
+
if (authent->length <= 0)
return(RD_AP_MODIFIED);
@@ -219,8 +234,13 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
mutual = 0;
#endif /* lint */
s_kvno = *ptr++; /* get server key version */
- (void) strcpy(realm,ptr); /* And the realm of the issuing KDC */
- ptr += strlen(ptr) + 1; /* skip the realm "hint" */
+ if(krb_strnlen(ptr, sizeof(realm)) < 0) {
+ return RD_AP_MODIFIED; /* must have been modified, the client wouldn't
+ try to trick us with wacky data */
+ }
+ (void) strncpy(realm,ptr,REALM_SZ); /* And the realm of the issuing KDC */
+ realm[REALM_SZ-1] = '\0';
+ ptr += strlen(realm) + 1; /* skip the realm "hint" */
/*
* If "fn" is NULL, key info should already be set; don't
@@ -249,13 +269,16 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
return(RD_AP_UNDEC);
#endif /* !NOENCRYPTION */
- (void) strcpy(st_rlm,realm);
- (void) strcpy(st_nam,service);
- (void) strcpy(st_inst,instance);
+ (void) strncpy(st_rlm,realm, sizeof(st_rlm) - 1);
+ st_rlm[sizeof(st_rlm) - 1] = '\0';
+ (void) strncpy(st_nam,service, sizeof(st_nam) - 1);
+ st_nam[sizeof(st_nam) - 1] = '\0';
+ (void) strncpy(st_inst,instance, sizeof(st_inst) - 1);
+ st_inst[sizeof(st_inst) - 1] = '\0';
}
/* Get ticket from authenticator */
- tkt->length = (int) *ptr++;
+ tkt->length = (int) *ptr++ & 0xff;
if ((tkt->length + (ptr+1 - (char *) authent->dat)) > authent->length)
return(RD_AP_MODIFIED);
memcpy((char *)(tkt->dat), ptr+1, tkt->length);
@@ -324,13 +347,16 @@ krb_rd_req(authent,service,instance,from_addr,ad,fn)
#define check_ptr() if ((ptr - (char *) req_id->dat) > req_id->length) return(RD_AP_MODIFIED);
ptr = (char *) req_id->dat;
- (void) strcpy(r_aname,ptr); /* Authentication name */
+ (void) strncpy(r_aname,ptr,ANAME_SZ); /* Authentication name */
+ r_aname[ANAME_SZ-1] = '\0';
ptr += strlen(r_aname)+1;
check_ptr();
- (void) strcpy(r_inst,ptr); /* Authentication instance */
+ (void) strncpy(r_inst,ptr,INST_SZ); /* Authentication instance */
+ r_inst[INST_SZ-1] = '\0';
ptr += strlen(r_inst)+1;
check_ptr();
- (void) strcpy(r_realm,ptr); /* Authentication name */
+ (void) strncpy(r_realm,ptr,REALM_SZ); /* Authentication name */
+ r_realm[REALM_SZ-1] = '\0';
ptr += strlen(r_realm)+1;
check_ptr();
memcpy((char *)&ad->checksum, ptr, 4); /* Checksum */
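Review bot: The three copies from `req_id->dat` truncate to the destination size but are not preceded by the krb_strnlen() test this commit adds for the realm hint, so an over-long field is accepted and `ptr` advances by the truncated length, leaving the following fields parsed from inside the previous one. Each strncpy() may also read up to its size limit before check_ptr() has compared `ptr` with `req_id->length`. Adding `if (krb_strnlen(ptr, ANAME_SZ) < 0) return(RD_AP_MODIFIED);` (and the INST_SZ and REALM_SZ equivalents) before each copy rejects the message instead. The comment on the `r_realm` line still reads `Authentication name`.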
diff --git a/src/lib/krb4/rd_svc_key.c b/src/lib/krb4/rd_svc_key.c
index 831becd..a9b6fd5 100644
--- a/src/lib/krb4/rd_svc_key.c
+++ b/src/lib/krb4/rd_svc_key.c
@@ -183,7 +183,7 @@ krb54_get_service_keyblock(service,instance,realm,kvno,file,keyblock)
if ((retval = krb5_kt_resolve(krb5__krb4_context, keytabname, &kt_id)))
goto errout;
-
+
if ((retval = krb5_kt_get_entry(krb5__krb4_context, kt_id, princ, kvno,
0, &kt_entry))) {
krb5_kt_close(krb5__krb4_context, kt_id);
@@ -192,6 +192,12 @@ krb54_get_service_keyblock(service,instance,realm,kvno,file,keyblock)
retval = krb5_copy_keyblock_contents(krb5__krb4_context,
&kt_entry.key, keyblock);
+ /* Bash types */
+ /* KLUDGE! If it's a non-raw des3 key, bash its enctype */
+ /* See kdc/kerberos_v4.c */
+ if (keyblock->enctype == ENCTYPE_DES3_CBC_SHA1 ||
+ keyblock->enctype == ENCTYPE_LOCAL_DES3_HMAC_SHA1)
+ keyblock->enctype = ENCTYPE_DES3_CBC_RAW;
krb5_kt_free_entry(krb5__krb4_context, &kt_entry);
krb5_kt_close (krb5__krb4_context, kt_id);
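Review bot: The new enctype test reads `keyblock->enctype` before `retval` from krb5_copy_keyblock_contents() has been examined; no check of `retval` is visible between the call and the test. If the copy can fail and leave `keyblock` unset, guarding the rewrite with `if (retval == 0 && (...))` avoids acting on stale contents. The comment could also say why the enctype is rewritten, rather than pointing only to kdc/kerberos_v4.c.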
diff --git a/src/lib/krb4/realmofhost.c b/src/lib/krb4/realmofhost.c
index 90e01bb..1e4b786 100644
--- a/src/lib/krb4/realmofhost.c
+++ b/src/lib/krb4/realmofhost.c
@@ -131,14 +131,18 @@ krb_realmofhost(host)
if (domain && (strlen(trans_host) == strlen(domain))
&& !strcasecmp (trans_host, domain)) {
/* got domain match, save for later */
- (void) strcpy (ret_realm, trans_realm);
+ (void) strncpy (ret_realm, trans_realm,
+ sizeof(ret_realm) - 1);
+ ret_realm[sizeof(ret_realm) - 1] = '\0';
continue;
}
} else {
/* want exact match of hostname */
if ((strlen(lhost) == strlen(trans_host)) &&
!strcasecmp (trans_host, lhost)) {
- (void) strcpy (ret_realm, trans_realm);
+ (void) strncpy (ret_realm, trans_realm,
+ sizeof(ret_realm) - 1);
+ ret_realm[sizeof(ret_realm) - 1] = '\0';
break;
}
}
diff --git a/src/lib/krb4/recvauth.c b/src/lib/krb4/recvauth.c
index e62e3f9..2a66656 100644
--- a/src/lib/krb4/recvauth.c
+++ b/src/lib/krb4/recvauth.c
@@ -188,9 +188,12 @@ krb_recvauth(options, fd, ticket, service, instance, faddr, laddr, kdata,
if (i < KRB_SENDAUTH_VLEN) {
/* since we already got the space, and part of the ticket,
we read fewer bytes to get the rest of the ticket */
+ int len_to_read = tkt_len - KRB_SENDAUTH_VLEN + 1 + i;
+ if (len_to_read <= 0)
+ return KFAILURE;
if (krb_net_read(fd, (char *)(tmp_buf+KRB_SENDAUTH_VLEN),
- (int) (tkt_len - KRB_SENDAUTH_VLEN + 1 + i))
- != (int)(tkt_len - KRB_SENDAUTH_VLEN + 1 + i))
+ len_to_read)
+ != len_to_read)
return(errno);
} else {
if (krb_net_read(fd, (char *)(tmp_buf+i), (int)tkt_len) !=
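Review bot: `len_to_read` is rejected when non-positive but is not compared with the space left in `tmp_buf` after the first `KRB_SENDAUTH_VLEN` bytes. If `tkt_len` is not already range-checked before this point (that code is outside the hunk), add the upper bound here; assuming `tmp_buf` is an array, `if (len_to_read <= 0 || len_to_read > (int) sizeof(tmp_buf) - KRB_SENDAUTH_VLEN) return KFAILURE;` would do it. The short-read branch still returns `errno`, which may be 0 after a clean end-of-file, while the new branch returns KFAILURE.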
diff --git a/src/lib/krb4/send_to_kdc.c b/src/lib/krb4/send_to_kdc.c
index c7e0fb3..f93b9d0 100644
--- a/src/lib/krb4/send_to_kdc.c
+++ b/src/lib/krb4/send_to_kdc.c
@@ -94,12 +94,13 @@ send_to_kdc(pkt,rpkt,realm)
* local realm.
*/
if (realm)
- (void) strcpy(lrealm, realm);
+ (void) strncpy(lrealm, realm, sizeof(lrealm) - 1);
else
if (krb_get_lrealm(lrealm,1)) {
DEB (("%s: can't get local realm\n", prog));
return(SKDC_CANT);
}
+ lrealm[sizeof(lrealm) - 1] = '\0';
DEB (("lrealm is %s\n", lrealm));
if (SOCKET_INITIALIZE()) {
diff --git a/src/lib/krb4/sendauth.c b/src/lib/krb4/sendauth.c
index 9b8fb39..76c470c 100644
--- a/src/lib/krb4/sendauth.c
+++ b/src/lib/krb4/sendauth.c
@@ -208,7 +208,8 @@ krb_sendauth(options, fd, ticket, service, inst, realm, checksum,
}
/* copy instance into local storage, so mk_auth can canonicalize */
- (void) strncpy(srv_inst, inst, INST_SZ);
+ (void) strncpy(srv_inst, inst, INST_SZ-1);
+ srv_inst[INST_SZ-1] = 0;
rem = krb_mk_auth (options, ticket, service, srv_inst, realm, checksum,
version, packet);
if (rem != KSUCCESS)
diff --git a/src/lib/krb4/tf_util.c b/src/lib/krb4/tf_util.c
index ebf500b..faf115e 100644
--- a/src/lib/krb4/tf_util.c
+++ b/src/lib/krb4/tf_util.c
@@ -1,20 +1,38 @@
/*
- * tf_util.c
+ * lib/krb4/tf_util.c
*
- * Copyright 1987, 1988 by the Massachusetts Institute of Technology.
+ * Copyright 1985, 1986, 1987, 1988, 2000, 2001 by the Massachusetts
+ * Institute of Technology. All Rights Reserved.
*
- * For copying and distribution information, please see the file
- * <mit-copyright.h>.
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
*/
-#include "mit-copyright.h"
-
#include "krb.h"
#include "k5-int.h"
#include <stdio.h>
#include <string.h>
#include <errno.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
#include <sys/stat.h>
#include <fcntl.h>
@@ -44,7 +62,6 @@ char *shmat();
#ifdef NEED_UTIMES
#include <sys/time.h>
-#include <unistd.h>
#ifdef __SCO__
#include <utime.h>
#endif
@@ -62,6 +79,20 @@ int utimes(path, times)
}
#endif
+#ifdef HAVE_SETEUID
+#define do_seteuid(e) seteuid((e))
+#else
+#ifdef HAVE_SETRESUID
+#define do_seteuid(e) setresuid(-1, (e), -1)
+#else
+#ifdef HAVE_SETREUID
+#define do_seteuid(e) setreuid(geteuid(), (e))
+#else
+#define do_seteuid(e) (errno = EPERM, -1)
+#endif
+#endif
+#endif
+
/*
* fd must be initialized to something that won't ever occur as a real
* file descriptor. Since open(2) returns only non-negative numbers as
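Review bot: This do_seteuid() ladder is a second copy of the one in in_tkt.c, which this commit edits separately to make the same setresuid() change. A privilege-switching macro kept in two files can drift apart; defining it once in a header shared by both would prevent that. The final fallback `(errno = EPERM, -1)` makes every path where the real and effective uids differ fail on platforms that have none of the three calls, which is worth a one-line comment.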
@@ -149,7 +180,7 @@ int tf_init(tf_name, rw)
int rw;
{
int wflag;
- uid_t me= getuid();
+ uid_t me, metoo;
struct stat stat_buf, stat_buffd;
#ifdef TKT_SHMEM
char shmidname[MAXPATHLEN];
@@ -163,6 +194,7 @@ int tf_init(tf_name, rw)
}
me = getuid();
+ metoo = geteuid();
switch (rw) {
case R_TKT_FIL:
@@ -181,8 +213,9 @@ int tf_init(tf_name, rw)
tf_name = tkt_string();
#ifdef TKT_SHMEM
- (void) strcpy(shmidname, tf_name);
- (void) strcat(shmidname, ".shm");
+ (void) strncpy(shmidname, tf_name, sizeof(shmidname) - 1);
+ shmidname[sizeof(shmidname) - 1] = '\0';
+ (void) strncat(shmidname, ".shm", sizeof(shmidname) - 1 - strlen(shmidname));
#endif /* TKT_SHMEM */
/*
@@ -195,8 +228,30 @@ int tf_init(tf_name, rw)
curpos = sizeof(tfbfr);
#ifdef TKT_SHMEM
+ if (lstat(shmidname, &stat_buf) < 0) {
+ switch (errno) {
+ case ENOENT:
+ return NO_TKT_FIL;
+ default:
+ return TKT_FIL_ACC;
+ }
+ }
+ if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG)
+ || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) {
+ return TKT_FIL_ACC;
+ }
+
+ /*
+ * Yes, we do uid twiddling here. It's not optimal, but some
+ * applications may expect that the ruid is what should really own
+ * the ticket file, e.g. setuid applications.
+ */
+ if (me != metoo && do_seteuid(me) < 0)
+ return KFAILURE;
sfp = fopen(shmidname, "r"); /* only need read/write on the
actual tickets */
+ if (me != metoo && do_seteuid(metoo) < 0)
+ return KFAILURE;
if (sfp == 0) {
switch(errno) {
case ENOENT:
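Review bot: When the second do_seteuid() call fails after fopen() has succeeded, the function returns KFAILURE with `sfp` still open and the effective uid left at `me`. Closing the stream first, `if (me != metoo && do_seteuid(metoo) < 0) { if (sfp) (void) fclose(sfp); return KFAILURE; }`, avoids the leak; the later open() call sites in tf_init() and the one in in_tkt.c have the same shape with `fd`. These paths also return KFAILURE where the surrounding code returns TKT_FIL_ACC or NO_TKT_FIL, so callers need to handle both families of codes.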
@@ -206,10 +261,11 @@ int tf_init(tf_name, rw)
}
}
- /* lstat() and fstat() the file to check that the file we opened is the *
- * one we think it is, and to check ownership. */
- if ((fstat(sfp->_file, &stat_buffd) < 0) ||
- (lstat(shmidname, &stat_buf) < 0)) {
+ /*
+ * fstat() the file to check that the file we opened is the one we
+ * think it is.
+ */
+ if (fstat(fileno(sfp), &stat_buffd) < 0) {
(void) close(fd);
fd = -1;
switch(errno) {
@@ -270,8 +326,25 @@ int tf_init(tf_name, rw)
tmp_shm_addr = krb_shm_addr;
#endif /* TKT_SHMEM */
+ if (lstat(tf_name, &stat_buf) < 0) {
+ switch (errno) {
+ case ENOENT:
+ return NO_TKT_FIL;
+ default:
+ return TKT_FIL_ACC;
+ }
+ }
+ if (stat_buf.st_uid != me || !(stat_buf.st_mode & S_IFREG)
+ || stat_buf.st_nlink != 1 || stat_buf.st_mode & 077) {
+ return TKT_FIL_ACC;
+ }
+
if (wflag) {
+ if (me != metoo && do_seteuid(me) < 0)
+ return KFAILURE;
fd = open(tf_name, O_RDWR, 0600);
+ if (me != metoo && do_seteuid(metoo) < 0)
+ return KFAILURE;
if (fd < 0) {
switch(errno) {
case ENOENT:
@@ -280,10 +353,11 @@ int tf_init(tf_name, rw)
return TKT_FIL_ACC;
}
}
- /* lstat() and fstat() the file to check that the file we opened is the *
- * one we think it is, and to check ownership. */
- if ((fstat(fd, &stat_buffd) < 0) ||
- (lstat(tf_name, &stat_buf) < 0)) {
+ /*
+ * fstat() the file to check that the file we opened is the
+ * one we think it is, and to check ownership.
+ */
+ if (fstat(fd, &stat_buffd) < 0) {
(void) close(fd);
fd = -1;
switch(errno) {
@@ -326,7 +400,11 @@ int tf_init(tf_name, rw)
* for read-only operations and locked for shared access.
*/
+ if (me != metoo && do_seteuid(me) < 0)
+ return KFAILURE;
fd = open(tf_name, O_RDONLY, 0600);
+ if (me != metoo && do_seteuid(metoo) < 0)
+ return KFAILURE;
if (fd < 0) {
switch(errno) {
case ENOENT:
@@ -335,10 +413,11 @@ int tf_init(tf_name, rw)
return TKT_FIL_ACC;
}
}
- /* lstat() and fstat() the file to check that the file we opened is the *
- * one we think it is, and to check ownership. */
- if ((fstat(fd, &stat_buffd) < 0) ||
- (lstat(tf_name, &stat_buf) < 0)) {
+ /*
+ * fstat() the file to check that the file we opened is the one we
+ * think it is, and to check ownership.
+ */
+ if (fstat(fd, &stat_buffd) < 0) {
(void) close(fd);
fd = -1;
switch(errno) {
diff --git a/src/lib/krb4/win_store.c b/src/lib/krb4/win_store.c
index 50507aa..28d11bd 100644
--- a/src/lib/krb4/win_store.c
+++ b/src/lib/krb4/win_store.c
@@ -62,15 +62,17 @@ krb__get_cnffile()
char defname[FILENAME_MAX];
UINT rc;
- rc = GetWindowsDirectory(defname, sizeof(defname));
+ defname[sizeof(defname) - 1] = '\0';
+ rc = GetWindowsDirectory(defname, sizeof(defname) - 1);
assert(rc > 0);
- strcat(defname, "\\");
+ strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname));
- strcat(defname, DEF_KRB_CONF);
+ strncat(defname, DEF_KRB_CONF, sizeof(defname) - 1 - strlen(defname));
+ cnfname[sizeof(cnfname) - 1] = '\0';
GetPrivateProfileString(INI_FILES, INI_KRB_CONF, defname,
- cnfname, sizeof(cnfname), KERBEROS_INI);
+ cnfname, sizeof(cnfname) - 1, KERBEROS_INI);
cnffile = fopen(cnfname, "r");
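Review bot: Only the last byte of `defname` is initialised before GetWindowsDirectory(), and the only check of `rc` is an assert(), which disappears in NDEBUG builds. GetWindowsDirectory() returns 0 on failure and the required size when the buffer is too small, and in both cases the following `strlen(defname)` runs over uninitialised bytes. Testing `if (rc == 0 || rc >= sizeof(defname) - 1)` and taking the function's failure path, or starting with `defname[0] = '\0';`, closes that case. The same applies to krb__get_realmsfile() in the next hunk.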
@@ -94,15 +96,17 @@ krb__get_realmsfile()
char defname[FILENAME_MAX];
UINT rc;
- rc = GetWindowsDirectory(defname, sizeof(defname));
+ defname[sizeof(defname) - 1] = '\0';
+ rc = GetWindowsDirectory(defname, sizeof(defname) - 1);
assert(rc > 0);
- strcat(defname, "\\");
+ strncat(defname, "\\", sizeof(defname) - 1 - strlen(defname));
- strcat(defname, DEF_KRB_REALMS);
+ strncat(defname, DEF_KRB_REALMS, sizeof(defname) - 1 - strlen(defname));
+ defname[sizeof(defname) - 1] = '\0';
GetPrivateProfileString(INI_FILES, INI_KRB_REALMS, defname,
- realmsname, sizeof(realmsname), KERBEROS_INI);
+ realmsname, sizeof(realmsname) - 1, KERBEROS_INI);
realmsfile = fopen(realmsname, "r");
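Review bot: The added `defname[sizeof(defname) - 1] = '\0';` before GetPrivateProfileString() looks like a copy-paste slip. The matching line in krb__get_cnffile() terminates the output buffer `cnfname`, so here it was presumably meant to be `realmsname[sizeof(realmsname) - 1] = '\0';`. As written, `realmsname` gets no explicit terminator on this path.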
diff --git a/src/lib/krb5/ChangeLog b/src/lib/krb5/ChangeLog
index a2ab81a..13007dd 100644
--- a/src/lib/krb5/ChangeLog
+++ b/src/lib/krb5/ChangeLog
@@ -1,3 +1,41 @@
+2002-05-22 Alexandra Ellwood <lxs@mit.edu>
+ * krb5_libinit.c: Conditionalized error table loading for
+ Mac OS X. Error tables should always be loaded on other
+ platforms.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * krb5_libinit.c: Added an include for com_err.h since
+ it is not included by error table headers on Mac OS X. Also
+ fixed busted check for Mac OS
+
+2001-12-03 Miro Jurisic <meeroh@mit.edu>
+
+ * krb5_libinit.c: punted the Mac OS 9 sleep notification code
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to changes in error tables.
+
+2000-11-29 Miro Jurisic <meeroh@mit.edu>
+
+ * krb5_libinit.c: Install a callback in the Mac OS sleep
+ queue to get notification of the machine coming out
+ of sleep, in order to refresh the cached uptime to
+ real time offset
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu
+
+ * krb5_libinit.c: added #define for Mac OS X so
+ that krb5int_cleanup_library calls krb5_stdcc_shutdown.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMAJOR, LIBMINOR): Bump version.
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * Makefile.in (SHLIB_EXPLIBS): Add @RESOLV_LIB@.
+
2000-03-14 Ken Raeburn <raeburn@mit.edu>
* configure.in: Check for gethostbyname2.
diff --git a/src/lib/krb5/Makefile.in b/src/lib/krb5/Makefile.in
index 0dab1f3..3b42585 100644
--- a/src/lib/krb5/Makefile.in
+++ b/src/lib/krb5/Makefile.in
@@ -32,8 +32,8 @@ LIBDONE= error_tables/DONE asn.1/DONE ccache/DONE ccache/stdio/DONE \
STLIBOBJS=krb5_libinit.o
LIB=krb5
-LIBMAJOR=2
-LIBMINOR=2
+LIBMAJOR=3
+LIBMINOR=1
STOBJLISTS= \
OBJS.ST \
@@ -58,7 +58,7 @@ RELDIR=krb5
SHLIB_EXPDEPS = \
$(TOPLIBD)/libk5crypto$(SHLIBEXT) \
$(TOPLIBD)/libcom_err$(SHLIBEXT)
-SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@
+SHLIB_EXPLIBS=-lk5crypto -lcom_err @GEN_LIB@ @RESOLV_LIB@
SHLIB_DIRS=-L$(TOPLIBD)
SHLIB_RDIRS=$(KRB5_LIBDIR)
diff --git a/src/lib/krb5/asn.1/ChangeLog b/src/lib/krb5/asn.1/ChangeLog
index 96f7098..bc8b40a 100644
--- a/src/lib/krb5/asn.1/ChangeLog
+++ b/src/lib/krb5/asn.1/ChangeLog
@@ -1,3 +1,94 @@
+2002-04-08 Tom Yu <tlyu@mit.edu>
+
+ * asn1_get.c (asn1_get_length): Check for negative length.
+
+2002-03-06 Alexandra Ellwood <lxs@mit.edu>
+ * asn1_encode.c: Removed unused Mac OS 9 code
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * asn1_get.c: removed unused variable to reduce warnings
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * asn1_encode.c: Updated Utilities.h #include
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1buf.c (asn1buf_sync): Add new arguments to include the full
+ complement of data about a prefetched tag, as well as to indicate
+ whether the prefetched tag or the surrounding sequence is of an
+ indefinite length.
+ (asn1buf_skiptail): Add new arguments to indicate whether the
+ prefetched tag is indefinite, as well as its length. This
+ facilitates proper skipping of trailing garbage.
+ (asn1buf_remains): Add new argument to indicate whether the
+ surrounding encoding is indefinite. Don't advance buf->next if an
+ EOC encoding is detected; the caller will do that.
+ [pullup from trunk]
+
+ * asn1buf.h: Update prototypes. [pullup from trunk]
+
+ * asn1_get.c (asn1_get_tag_indef): Don't treat EOC encoding as
+ special anymore, since previous behavior was overloading the
+ tag number in a bad way. Also, report a MISMATCH_INDEF error if
+ the tag encoding is for the forbidden primitive constructed
+ encoding. [pullup from trunk]
+
+ * asn1_k_decode.c (next_tag): Call get_tag_indef() in order to get
+ information about whether the length is indefinite. Don't check
+ the tag class and construction explicitly.
+ (get_eoc): New macro to get a tag and check if it is an EOC
+ encoding.
+ (get_field, opt_field): Move the check for the tag class and
+ construction to here.
+ (get_field_body, get_lenfield_body): Call get_eoc() instead of
+ next_tag() if we are decoding a constructed indefinite encoding.
+ (begin_structure): Use a different variable to indicate whether
+ the sequence is indefinite as opposed to whether an individual
+ field is indefinite.
+ (end_structure): Update to new calling convention of
+ asn1buf_sync().
+ (sequence_of): Rewrite significantly.
+ (sequence_of_common): Move the bulk of previous sequence_of()
+ macro to here. Does not declare some variables that sequence_of()
+ declares.
+ (sequence_of_no_tagvars): Similar to sequence_of() macro but
+ declares different variables for the purpose of prefetching the
+ final tag.
+ (end_sequence_of_no_tagvars): Similar to end_sequence_of() macro
+ but uses variables declared by the sequence_of_no_tagvars() macro
+ to prefetch the final tag.
+ (asn1_decode_principal_name): Update for new asn1buf_remains()
+ calling convention. Call sequence_of_no_tagvars(), etc. instead
+ of sequence_of(), etc. in order to not declare shadowing
+ block-local variables.
+ (decode_array_body): Update for new asn1buf_remains() calling
+ convention.
+ (asn1_decode_sequence_of_enctype): Update for new
+ asn1buf_remains() calling convention.
+ [pullup from trunk]
+
+ * krb5_decode.c (next_tag): Call get_tag_indef() in order to get
+ information about whether the length is indefinite. Don't check
+ the tag class and construction explicitly.
+ (get_eoc): New macro to get a tag and check if it is an EOC
+ encoding.
+ (get_field, opt_field): Move the check for the tag class and
+ construction to here.
+ (get_field_body, get_lenfield_body): Call get_eoc() instead of
+ next_tag() if we are decoding a constructed indefinite encoding.
+ (begin_structure): Use a different variable to indicate whether
+ the sequence is indefinite as opposed to whether an individual
+ field is indefinite.
+ (end_structure): Update to new calling convention of
+ asn1buf_sync().
+ [pullup from trunk]
+
+2000-09-28 Miro Jurisic <meeroh@mit.edu>
+
+ * asn1_encode.c (asn1_encode_generaltime): Fixed the Mac code to
+ use the correct epoch.
+
2000-02-06 Ken Raeburn <raeburn@mit.edu>
Patches from Frank Cusack for helping in preauth replay
diff --git a/src/lib/krb5/asn.1/asn1_encode.c b/src/lib/krb5/asn.1/asn1_encode.c
index 7ef89c8..7cc8042 100644
--- a/src/lib/krb5/asn.1/asn1_encode.c
+++ b/src/lib/krb5/asn.1/asn1_encode.c
@@ -186,12 +186,6 @@ asn1_error_code asn1_encode_ia5string(buf, len, val, retlen)
return 0;
}
-#ifdef macintosh
-#define EPOCH ((70 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) + (getTimeZoneOffset() * 60 * 60))
-#else
-#define EPOCH (0)
-#endif
-
asn1_error_code asn1_encode_generaltime(buf, val, retlen)
asn1buf * buf;
const time_t val;
@@ -201,9 +195,11 @@ asn1_error_code asn1_encode_generaltime(buf, val, retlen)
struct tm *gtime;
char s[16];
int length, sum=0;
- time_t gmt_time;
+ time_t gmt_time = val;
- gmt_time = val + EPOCH;
+#ifdef macintosh
+ unix_time_to_msl_time (&gmt_time);
+#endif
gtime = gmtime(&gmt_time);
/*
diff --git a/src/lib/krb5/asn.1/asn1_get.c b/src/lib/krb5/asn.1/asn1_get.c
index 20334a2..90f5dd9 100644
--- a/src/lib/krb5/asn.1/asn1_get.c
+++ b/src/lib/krb5/asn.1/asn1_get.c
@@ -42,12 +42,6 @@ asn1_get_tag_indef(buf, class, construction, tagnum, retlen, indef)
*tagnum = ASN1_TAGNUM_CEILING;
return 0;
}
- /* Allow for the indefinite encoding */
- if ( !*(buf->next) && !*(buf->next + 1)) {
- buf->next += 2;
- *tagnum = ASN1_TAGNUM_CEILING;
- return 0;
- }
retval = asn1_get_id(buf,class,construction,tagnum);
if(retval) return retval;
retval = asn1_get_length(buf,retlen,indef);
@@ -63,7 +57,6 @@ asn1_get_tag(buf, class, construction, tagnum, retlen)
asn1_tagnum *tagnum;
int *retlen;
{
- asn1_error_code retval;
int indef;
return asn1_get_tag_indef(buf, class, construction, tagnum, retlen, &indef);
@@ -149,6 +142,8 @@ asn1_error_code asn1_get_length(buf, retlen, indef)
if(retval) return retval;
len = (len<<8) + (int)o;
}
+ if (len < 0)
+ return ASN1_OVERRUN;
if (indef != NULL && !len)
*indef = 1;
if(retlen != NULL) *retlen = len;
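Review bot: The added `if (len < 0)` test runs only after `len = (len<<8) + (int)o;` has been evaluated, so it relies on signed overflow producing a negative value; that overflow is undefined behaviour in C, and with enough length octets the high bits can shift out and leave a non-negative `len` that passes. Checking before the shift inside the loop is sturdier, e.g. `if (len > (INT_MAX >> 8)) return ASN1_OVERRUN;`. Separately, `*indef = 1` is set whenever `len` is zero on this path, which would appear to treat a long-form zero length as indefinite. The loop header and the branch this sits in are outside the hunk, so both points need confirming against the full function.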
diff --git a/src/lib/krb5/asn.1/asn1_k_decode.c b/src/lib/krb5/asn.1/asn1_k_decode.c
index 6f72d8e..a855527 100644
--- a/src/lib/krb5/asn.1/asn1_k_decode.c
+++ b/src/lib/krb5/asn.1/asn1_k_decode.c
@@ -39,10 +39,16 @@ int length,taglen
#define unused_var(x) if(0) x=0
#define next_tag()\
-retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,&taglen);\
-if(retval) return retval;\
-if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
- return ASN1_BAD_ID
+retval = asn1_get_tag_indef(&subbuf,&class,&construction,\
+ &tagnum,&taglen,&indef);\
+if(retval) return retval;
+
+#define get_eoc() \
+retval = asn1_get_tag_indef(&subbuf,&class,&construction, \
+ &tagnum,&taglen,&indef); \
+if(retval) return retval; \
+if(class != UNIVERSAL || tagnum || indef) \
+ return ASN1_MISSING_EOC
#define alloc_field(var,type)\
var = (type*)calloc(1,sizeof(type));\
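Review bot: `get_eoc()` accepts any tag with `class == UNIVERSAL`, tag number 0 and a definite length, without looking at `taglen` or `construction`, so a universal tag 0 that carries a non-zero length is taken as end-of-contents and its content octets would presumably be parsed as the next tag. An end-of-contents marker is exactly two zero octets; adding the length to the test closes that: `if(class != UNIVERSAL || tagnum || indef || taglen) return ASN1_MISSING_EOC`. The `asn1_is_eoc()` macro added in asn1buf.c and the `get_eoc()` added in krb5_decode.c have the same shape; the latter passes NULL for the length, so it would need a length variable to make this check. A comment saying that `next_tag()` and `get_eoc()` return from the enclosing function on error would also help.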
@@ -59,15 +65,21 @@ if(class != APPLICATION || construction != CONSTRUCTED ||\
#define get_field_body(var,decoder)\
retval = decoder(&subbuf,&(var));\
if(retval) return retval;\
-if(!taglen) { next_tag(); }\
+if(!taglen && indef) { get_eoc(); }\
next_tag()
#define get_field(var,tagexpect,decoder)\
if(tagnum > (tagexpect)) return ASN1_MISSING_FIELD;\
if(tagnum < (tagexpect)) return ASN1_MISPLACED_FIELD;\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
get_field_body(var,decoder)
#define opt_field(var,tagexpect,decoder,optvalue)\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
if(tagnum == (tagexpect)){\
get_field_body(var,decoder); }\
else var = optvalue
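Review bot: In `get_field` the new class test exempts an end-of-contents tag, because `tagnum || taglen || class != UNIVERSAL` is false for it, so when `tagexpect` is 0 an EOC passes both ordering checks and is handed to `decoder` as if it were the required field. The exemption is reasonable in `opt_field`, where a missing trailing field of an indefinite-length structure has to be tolerated, but a required field should insist on the explicit tag, as the `get_field` added to krb5_decode.c in this commit does: `if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) return ASN1_BAD_ID;\`. `get_lenfield` in the next hunk carries the same condition. A one-line comment above the test in `opt_field` stating that it deliberately lets EOC through would spare the next reader the derivation.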
@@ -76,12 +88,15 @@ else var = optvalue
#define get_lenfield_body(len,var,decoder)\
retval = decoder(&subbuf,&(len),&(var));\
if(retval) return retval;\
-if(!taglen) { next_tag(); }\
+if(!taglen && indef) { get_eoc(); }\
next_tag()
#define get_lenfield(len,var,tagexpect,decoder)\
if(tagnum > (tagexpect)) return ASN1_MISSING_FIELD;\
if(tagnum < (tagexpect)) return ASN1_MISPLACED_FIELD;\
+if((class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) \
+ && (tagnum || taglen || class != UNIVERSAL)) \
+ return ASN1_BAD_ID;\
get_lenfield_body(len,var,decoder)
#define opt_lenfield(len,var,tagexpect,decoder)\
@@ -92,30 +107,58 @@ else { len = 0; var = 0; }
#define begin_structure()\
asn1buf subbuf;\
+int seqindef;\
int indef;\
-retval = asn1_get_sequence(buf,&length,&indef);\
+retval = asn1_get_sequence(buf,&length,&seqindef);\
if(retval) return retval;\
-retval = asn1buf_imbed(&subbuf,buf,length,indef);\
+retval = asn1buf_imbed(&subbuf,buf,length,seqindef);\
if(retval) return retval;\
next_tag()
#define end_structure()\
-retval = asn1buf_sync(buf,&subbuf,tagnum,length);\
+retval = asn1buf_sync(buf,&subbuf,class,tagnum,length,indef,seqindef);\
if(retval) return retval
-#define sequence_of(buf)\
-int size=0;\
-asn1buf seqbuf;\
-int length;\
-int indef;\
-retval = asn1_get_sequence(buf,&length,&indef);\
-if(retval) return retval;\
-retval = asn1buf_imbed(&seqbuf,buf,length,indef);\
+#define sequence_of(buf) \
+unsigned int length, taglen; \
+asn1_class class; \
+asn1_construction construction; \
+asn1_tagnum tagnum; \
+int indef; \
+sequence_of_common(buf)
+
+#define sequence_of_common(buf) \
+int size=0; \
+asn1buf seqbuf; \
+int seqofindef; \
+retval = asn1_get_sequence(buf,&length,&seqofindef); \
+if(retval) return retval; \
+retval = asn1buf_imbed(&seqbuf,buf,length,seqofindef); \
if(retval) return retval
-#define end_sequence_of(buf)\
-retval = asn1buf_sync(buf,&seqbuf,ASN1_TAGNUM_CEILING,length);\
-if(retval) return retval
+#define sequence_of_no_tagvars(buf) \
+asn1_class eseqclass; \
+asn1_construction eseqconstr; \
+asn1_tagnum eseqnum; \
+unsigned int eseqlen; \
+int eseqindef; \
+sequence_of_common(buf)
+
+#define end_sequence_of_no_tagvars(buf) \
+retval = asn1_get_tag_indef(&seqbuf,&eseqclass,&eseqconstr, \
+ &eseqnum,&eseqlen,&eseqindef); \
+if(retval) return retval; \
+retval = asn1buf_sync(buf,&seqbuf,eseqclass,eseqnum, \
+ eseqlen,eseqindef,seqofindef); \
+if(retval) return retval;
+
+#define end_sequence_of(buf) \
+retval = asn1_get_tag_indef(&seqbuf,&class,&construction, \
+ &tagnum,&taglen,&indef); \
+if(retval) return retval; \
+retval = asn1buf_sync(buf,&seqbuf,class,tagnum, \
+ length,indef,seqofindef); \
+if(retval) return retval;
#define cleanup()\
return 0
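Review bot: `end_sequence_of()` passes the sequence's `length` as the fifth argument of `asn1buf_sync()`, while `end_sequence_of_no_tagvars()` passes `eseqlen`, the length of the tag it has just prefetched; `asn1buf_sync()` forwards that argument to `asn1buf_skiptail()`, which uses it to step over contents. One of the two is presumably wrong; if the last tag's length is what is meant, `end_sequence_of()` should read `retval = asn1buf_sync(buf,&seqbuf,class,tagnum,taglen,indef,seqofindef);`. `end_structure()` also passes `length`, so the meaning of the parameter should be settled and documented at `asn1buf_sync()`. In addition, `sequence_of()` declares `length` and `taglen`, and `sequence_of_no_tagvars()` declares `eseqlen`, as `unsigned int`, yet their addresses go to functions whose length parameters appear to be `int *` in asn1_get.c; declaring them `int` keeps the pointer types compatible.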
@@ -206,8 +249,8 @@ asn1_error_code asn1_decode_principal_name(buf, val)
{ begin_structure();
get_field((*val)->type,0,asn1_decode_int32);
- { sequence_of(&subbuf);
- while(asn1buf_remains(&seqbuf)){
+ { sequence_of_no_tagvars(&subbuf);
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){
size++;
if ((*val)->data == NULL)
(*val)->data = (krb5_data*)malloc(size*sizeof(krb5_data));
@@ -221,8 +264,12 @@ asn1_error_code asn1_decode_principal_name(buf, val)
if(retval) return retval;
}
(*val)->length = size;
- end_sequence_of(&subbuf);
+ end_sequence_of_no_tagvars(&subbuf);
+ }
+ if (indef) {
+ get_eoc();
}
+ next_tag();
end_structure();
(*val)->magic = KV5M_PRINCIPAL;
}
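Review bot: The `if (indef) { get_eoc(); }` added after the inner block depends on `indef` still describing the tag fetched by the `next_tag()` at the end of `get_field`, which is why this function switched to `sequence_of_no_tagvars()`, but nothing at the call site says so. A comment above the test, such as `/* indef still belongs to the tag read after field 0; sequence_of_no_tagvars() uses its own eseq* variables */`, would keep a later edit from reintroducing the shadowing. This assumes the loop body between the two hunks leaves `indef` alone; the function starts and ends outside the hunk.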
@@ -528,7 +575,7 @@ if(*(array) == NULL) return ENOMEM;\
type *elt;\
\
{ sequence_of(buf);\
- while(asn1buf_remains(&seqbuf) > 0){\
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){\
alloc_field(elt,type);\
get_element(elt,decoder);\
array_append(val,size,elt,type);\
@@ -660,7 +707,7 @@ asn1_error_code asn1_decode_sequence_of_enctype(buf, num, val)
{
asn1_error_code retval;
{ sequence_of(buf);
- while(asn1buf_remains(&seqbuf) > 0){
+ while(asn1buf_remains(&seqbuf,seqofindef) > 0){
size++;
if (*val == NULL)
*val = (krb5_enctype*)malloc(size*sizeof(krb5_enctype));
diff --git a/src/lib/krb5/asn.1/asn1buf.c b/src/lib/krb5/asn.1/asn1buf.c
index 9c63927..4be82fb 100644
--- a/src/lib/krb5/asn.1/asn1buf.c
+++ b/src/lib/krb5/asn.1/asn1buf.c
@@ -54,6 +54,9 @@
#include <stdio.h>
#include "asn1_get.h"
+#define asn1_is_eoc(class, num, indef) \
+((class) == UNIVERSAL && !(num) && !(indef))
+
asn1_error_code asn1buf_create(buf)
asn1buf ** buf;
{
@@ -91,34 +94,35 @@ asn1_error_code asn1buf_imbed(subbuf, buf, length, indef)
return 0;
}
-asn1_error_code asn1buf_sync(buf, subbuf, lasttag, length)
+asn1_error_code asn1buf_sync(buf, subbuf, class, lasttag, length, indef, seqindef)
asn1buf * buf;
asn1buf * subbuf;
+ const asn1_class class;
const asn1_tagnum lasttag;
const int length;
+ const int indef;
+ const int seqindef;
{
asn1_error_code retval;
- if (length) {
+ if (!seqindef) {
+ /* sequence was encoded as definite length */
buf->next = subbuf->bound + 1;
+ } else if (!asn1_is_eoc(class, lasttag, indef)) {
+ retval = asn1buf_skiptail(subbuf, length, indef);
+ if (retval)
+ return retval;
} else {
- /*
- * indefinite length:
- *
- * Note that asn1_get_tag() returns ASN1_TAGNUM_CEILING
- * for an EOC encoding.
- */
- if (lasttag != ASN1_TAGNUM_CEILING) {
- retval = asn1buf_skiptail(subbuf);
- if (retval) return retval;
- }
+ /* We have just read the EOC octets. */
buf->next = subbuf->next;
}
return 0;
}
-asn1_error_code asn1buf_skiptail(buf)
+asn1_error_code asn1buf_skiptail(buf, length, indef)
asn1buf *buf;
+ const int length;
+ const int indef;
{
asn1_error_code retval;
asn1_class class;
@@ -126,15 +130,29 @@ asn1_error_code asn1buf_skiptail(buf)
asn1_tagnum tagnum;
int taglen;
int nestlevel;
+ int tagindef;
- nestlevel = 1;
+ nestlevel = 1 + indef;
+ if (!indef) {
+ if (length <= buf->bound - buf->next + 1)
+ buf->next += length;
+ else
+ return ASN1_OVERRUN;
+ }
while (nestlevel > 0) {
- retval = asn1_get_tag(buf, &class, &construction, &tagnum, &taglen);
+ retval = asn1_get_tag_indef(buf, &class, &construction, &tagnum,
+ &taglen, &tagindef);
if (retval) return retval;
- if (construction == CONSTRUCTED && taglen == 0)
+ if (!tagindef) {
+ if (taglen <= buf->bound - buf->next + 1)
+ buf->next += taglen;
+ else
+ return ASN1_OVERRUN;
+ }
+ if (tagindef)
nestlevel++;
- if (tagnum == ASN1_TAGNUM_CEILING)
- nestlevel--;
+ if (asn1_is_eoc(class, tagnum, tagindef))
+ nestlevel--; /* got an EOC encoding */
}
return 0;
}
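Review bot: The `while (nestlevel > 0)` loop no longer has an exit for a buffer that ends before the matching end-of-contents octets, because the removed `if (tagnum == ASN1_TAGNUM_CEILING) nestlevel--;` was what stopped it. The early return visible in the asn1_get.c hunk of `asn1_get_tag_indef()` stores only `*tagnum = ASN1_TAGNUM_CEILING` and returns 0; if that is its end-of-buffer path (the condition is outside the hunk), `class`, `taglen` and `tagindef` stay unset here and truncated input makes the loop spin or act on indeterminate values. A guard at the top of the loop body, `if (buf->bound - buf->next + 1 <= 0) return ASN1_MISSING_EOC;`, turns truncation into an error. The two bounds tests also compare a signed `length`/`taglen` with `<=` only, so a negative value would pass and move `buf->next` backwards; `if (length < 0 || length > buf->bound - buf->next + 1) return ASN1_OVERRUN;` covers both directions. The start of the function is in the previous hunk.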
@@ -247,8 +265,9 @@ asn1_error_code asn1buf_remove_charstring(buf, len, s)
return 0;
}
-int asn1buf_remains(buf)
+int asn1buf_remains(buf, indef)
asn1buf *buf;
+ int indef;
{
int remain;
if(buf == NULL || buf->base == NULL) return 0;
@@ -256,15 +275,9 @@ int asn1buf_remains(buf)
if (remain <= 0) return remain;
/*
* Two 0 octets means the end of an indefinite encoding.
- *
- * XXX Do we need to test to make sure we'er actually doing an
- * indefinite encoding here?
*/
- if ( !*(buf->next) && !*(buf->next + 1)) {
- /* buf->bound = buf->next + 1; */
- buf->next += 2;
+ if (indef && remain >= 2 && !*(buf->next) && !*(buf->next + 1))
return 0;
- }
else return remain;
}
@@ -379,9 +392,9 @@ asn1_error_code asn1buf_ensure_space(buf, amount)
asn1buf * buf;
const int amount;
{
- int free = asn1buf_free(buf);
- if(free < amount){
- asn1_error_code retval = asn1buf_expand(buf, amount-free);
+ int avail = asn1buf_free(buf);
+ if(avail < amount){
+ asn1_error_code retval = asn1buf_expand(buf, amount-avail);
if(retval) return retval;
}
return 0;
diff --git a/src/lib/krb5/asn.1/asn1buf.h b/src/lib/krb5/asn.1/asn1buf.h
index 52fc0d6..3f4a6ac 100644
--- a/src/lib/krb5/asn.1/asn1buf.h
+++ b/src/lib/krb5/asn.1/asn1buf.h
@@ -121,14 +121,17 @@ asn1_error_code asn1buf_imbed
position starts at the beginning of *subbuf. */
asn1_error_code asn1buf_sync
- PROTOTYPE((asn1buf *buf, asn1buf *subbuf, const asn1_tagnum lasttag,
- const int length));
+ PROTOTYPE((asn1buf *buf, asn1buf *subbuf, const asn1_class class,
+ const asn1_tagnum lasttag,
+ const int length, const int indef,
+ const int seqindef));
/* requires *subbuf is a sub-buffer of *buf, as created by asn1buf_imbed.
- lasttag is a pointer to the last tagnumber read.
+ lasttag is the last tagnumber read.
effects Synchronizes *buf's current position to match that of *subbuf. */
asn1_error_code asn1buf_skiptail
- PROTOTYPE((asn1buf *buf));
+ PROTOTYPE((asn1buf *buf, const int length,
+ const int indef));
/* requires *buf is a subbuffer used in a decoding of a
constructed indefinite sequence.
effects skips trailing fields. */
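Review bot: The specification comments were not extended for the new parameters: `asn1buf_sync` now takes `class`, `indef` and `seqindef`, and `asn1buf_skiptail` takes `length` and `indef`, but the requires/effects text still mentions only `lasttag`. Each comment should say what the added arguments describe (from asn1buf.c, `seqindef` selects the definite-length path and `class`, `lasttag` and `indef` feed the end-of-contents test) and that both functions can now return `ASN1_OVERRUN`. It should also state whether `length` is the length of the last tag read or of the enclosing sequence, since the decoder macros in asn1_k_decode.c pass both.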
@@ -143,7 +146,7 @@ asn1_error_code asn1buf_insert_octet
effects Inserts o into the buffer *buf, expanding the buffer if
necessary. Returns ENOMEM memory is exhausted. */
#if ((__GNUC__ >= 2) && !defined(ASN1BUF_OMIT_INLINE_FUNCS))
-extern inline asn1_error_code asn1buf_insert_octet(buf, o)
+extern __inline__ asn1_error_code asn1buf_insert_octet(buf, o)
asn1buf * buf;
const int o;
{
@@ -221,7 +224,7 @@ asn1_error_code asn12krb5_buf
int asn1buf_remains
- PROTOTYPE((asn1buf *buf));
+ PROTOTYPE((asn1buf *buf, int indef));
/* requires *buf is a buffer containing an asn.1 structure or array
modifies *buf
effects Returns the number of unprocessed octets remaining in *buf. */
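Review bot: The comment under the new `asn1buf_remains` prototype still says `modifies *buf`, but as far as the asn1buf.c hunks show, the function no longer advances `buf->next` past the two zero octets and only peeks at them. The text should drop `modifies *buf` and add that, when `indef` is non-zero, 0 is returned if the next two octets are an end-of-contents marker, which the caller must then consume itself. Without that, a caller written against the old contract will leave the marker unread.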
diff --git a/src/lib/krb5/asn.1/krb5_decode.c b/src/lib/krb5/asn.1/krb5_decode.c
index 69028b9..ff935c6 100644
--- a/src/lib/krb5/asn.1/krb5_decode.c
+++ b/src/lib/krb5/asn.1/krb5_decode.c
@@ -77,23 +77,29 @@ if(tagnum != (tagexpect)) clean_return(KRB5_BADMSGTYPE)
/* decode an explicit tag and place the number in tagnum */
#define next_tag()\
-retval = asn1_get_tag(&subbuf,&class,&construction,&tagnum,NULL);\
-if(retval) clean_return(retval);\
-if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
- clean_return(ASN1_BAD_ID)
+retval = asn1_get_tag_indef(&subbuf,&class,&construction,&tagnum,NULL,&indef);\
+if(retval) clean_return(retval)
+
+#define get_eoc() \
+retval = asn1_get_tag_indef(&subbuf,&class,&construction, \
+ &tagnum,NULL,&indef); \
+if(retval) return retval; \
+if(class != UNIVERSAL || tagnum || indef) \
+ return ASN1_MISSING_EOC
/* decode sequence header and initialize tagnum with the first field */
#define begin_structure()\
asn1buf subbuf;\
+int seqindef;\
int indef;\
-retval = asn1_get_sequence(&buf,&length,&indef);\
+retval = asn1_get_sequence(&buf,&length,&seqindef);\
if(retval) clean_return(retval);\
-retval = asn1buf_imbed(&subbuf,&buf,length,indef);\
+retval = asn1buf_imbed(&subbuf,&buf,length,seqindef);\
if(retval) clean_return(retval);\
next_tag()
#define end_structure()\
-retval = asn1buf_sync(&buf,&subbuf,tagnum,length);\
+retval = asn1buf_sync(&buf,&subbuf,class,tagnum,length,indef,seqindef);\
if (retval) clean_return(retval)
/* process fields *******************************************/
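Review bot: `get_eoc()` leaves the function with a plain `return retval` and `return ASN1_MISSING_EOC`, whereas every other macro in this file, including the `next_tag()` just above it, exits through `clean_return(...)`. `get_field_body` and `get_lenfield_body` in the following hunks now invoke it in the middle of a decode, so a malformed indefinite-length message would bypass whatever cleanup `clean_return` performs; its definition is outside the hunk, but it presumably releases the partially built result. The two exits should read `if(retval) clean_return(retval); \` and `clean_return(ASN1_MISSING_EOC)`.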
@@ -101,6 +107,7 @@ if (retval) clean_return(retval)
#define get_field_body(var,decoder)\
retval = decoder(&subbuf,&(var));\
if(retval) clean_return(retval);\
+if (indef) { get_eoc(); }\
next_tag()
/* decode a field (<[UNIVERSAL id]> <length> <contents>)
@@ -110,26 +117,35 @@ next_tag()
#define get_field(var,tagexpect,decoder)\
if(tagnum > (tagexpect)) clean_return(ASN1_MISSING_FIELD);\
if(tagnum < (tagexpect)) clean_return(ASN1_MISPLACED_FIELD);\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
get_field_body(var,decoder)
/* decode (or skip, if not present) an optional field */
#define opt_field(var,tagexpect,decoder)\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
if(tagnum == (tagexpect)){ get_field_body(var,decoder); }
/* field w/ accompanying length *********/
#define get_lenfield_body(len,var,decoder)\
retval = decoder(&subbuf,&(len),&(var));\
if(retval) clean_return(retval);\
+if (indef) { get_eoc(); }\
next_tag()
/* decode a field w/ its length (for string types) */
#define get_lenfield(len,var,tagexpect,decoder)\
if(tagnum > (tagexpect)) clean_return(ASN1_MISSING_FIELD);\
if(tagnum < (tagexpect)) clean_return(ASN1_MISPLACED_FIELD);\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
get_lenfield_body(len,var,decoder)
/* decode an optional field w/ length */
#define opt_lenfield(len,var,tagexpect,decoder)\
+if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED)\
+ clean_return(ASN1_BAD_ID);\
if(tagnum == (tagexpect)){\
get_lenfield_body(len,var,decoder);\
}
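Review bot: `opt_field` and `opt_lenfield` now return `ASN1_BAD_ID` for the current tag before testing whether it is the optional field at all, so an indefinite-length structure whose trailing optional fields are absent, where the current tag is the end-of-contents marker with `class == UNIVERSAL`, appears to be rejected. The matching macros in asn1_k_decode.c exempt that case with `&& (tagnum || taglen || class != UNIVERSAL)`, but here no length is collected because `next_tag()` passes NULL. The simplest equivalent is to apply the class test only when the tag matches: `if(tagnum == (tagexpect)){ if(class != CONTEXT_SPECIFIC || construction != CONSTRUCTED) clean_return(ASN1_BAD_ID); get_field_body(var,decoder); }`. The test also relies on `class` and `construction` keeping their previous values if `asn1_get_tag_indef()` returns early at the end of the buffer, which deserves a comment.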
diff --git a/src/lib/krb5/ccache/ChangeLog b/src/lib/krb5/ccache/ChangeLog
index 2f74235..b9f1516 100644
--- a/src/lib/krb5/ccache/ChangeLog
+++ b/src/lib/krb5/ccache/ChangeLog
@@ -1,3 +1,64 @@
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Build cc accessor functions on Windows.
+
+2002-04-2 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: updated to new KLL function name
+
+2002-03-03 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: swapped include of KerberosLoginPrivate with k5-int.h
+ to avoid problems with including CoreServices.h after profile.h and krb.h
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefault.c: Updated Mac OS X headers to new framework layout
+
+2002-01-29 Tom Yu <tlyu@mit.edu>
+
+ * ccdefault.c: Add terminal newline. Fixes [krb5-build/1041].
+
+2001-11-16 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch: LoginLib #include changes
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * Makefile.in: Added ccfns.c
+ * ccdefault.h: Updated Mac OS #defines and #includes for new header layout
+ and Mac OS X frameworks
+
+2000-09-12 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefops.c: created #define for USE_CCAPI now that both Mac OS 9 and
+ Mac OS 10 use ccapi.
+
+2000-5-31 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Changed kerberosPrincipal_V5 to kerberosVersion_V5 to reflect
+ the new constant name.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added krb5int_cc_default. This function
+ supports the Kerberos Login Library and pops up a dialog if the cache does
+ not contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-4-26 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added version number to internal Kerberos Login Library
+ routine.
+
+2000-4-13 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefault.c: Added Kerberos Login library support (with ifdefs to control
+ whether or not it is on. Also added support to store a krb5_principal in the
+ os_context along with the default ccache name (if known, this principal is
+ the same as the last time we looked at the ccache.
+ * ccdefname.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/Makefile.in b/src/lib/krb5/ccache/Makefile.in
index 37abee4..ae09347 100644
--- a/src/lib/krb5/ccache/Makefile.in
+++ b/src/lib/krb5/ccache/Makefile.in
@@ -35,9 +35,12 @@ SRCS= $(srcdir)/ccbase.c \
$(srcdir)/cccopy.c \
$(srcdir)/ccdefault.c \
$(srcdir)/ccdefops.c \
+ $(srcdir)/ccfns.c \
$(srcdir)/cc_retr.c \
$(srcdir)/ser_cc.c
+##DOS##OBJS=$(OBJS) $(OUTPRE)ccfns.$(OBJEXT)
+
all-unix:: all-libobjs
all-windows:: subdirs $(OBJFILE)
diff --git a/src/lib/krb5/ccache/ccapi/ChangeLog b/src/lib/krb5/ccache/ccapi/ChangeLog
index e4dac98..9b07b33 100644
--- a/src/lib/krb5/ccache/ccapi/ChangeLog
+++ b/src/lib/krb5/ccache/ccapi/ChangeLog
@@ -1,3 +1,93 @@
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * winccld.c: Include k5-int.h to get hidden ops struct.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * stdcc.h: Remove KRB5_DLLIMP, KRB5_CALLCONV from
+ krb5_stdcc_shutdown() prototype (to fix Windows build).
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * stdcc.h: Added prototype for krb5_stdcc_shutdown.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * stdcc.h, stdcc_util.h, stdcc_util.c: Updated Mac OS X headers to new
+ framework layout
+ * stdcc.c: Removed unused variables and fixed macros to reduce warnings
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * stdcc.c: Replaced cc_* macros with functions
+ * stdcc.h, stdcc_util.h: Updated Mac OS #defines and #includes for new
+ header layout and Mac OS X frameworks
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c: now Mac OS X uses get_time_offsets to store offset time
+ like Mac OS 9.
+
+2000-09-12 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc.h, stdcc_util.h: created #define for USE_CCAPI now that
+ both Mac OS 9 and Mac OS 10 use ccapi.
+
+2000-06-08 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Fixed code that stores times in localtime, not in kdc time.
+
+2000-05-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * stdcc_util.c (dupK5toCC): Remove unused variables.
+
+ * stdcc_util.c: Reindent to krb5 coding style. Remove whitespace
+ at end of lines. Replace C++ comments with C comments.
+
+ * stdcc_util.h: Replace C++ comments with C comments.
+
+ * winccld.h: Define CC_API_VER2 for all Windows code using ccapi.
+ Update dynamic loading declarations to use CC_API_VER2.
+
+ * winccld.h: Do not define or try to load cc_lock_request, which is
+ not actually used anywhere in the code.
+
+ * stdcc.c: Define CC_API_VER2 if not defined rather than just if
+ not Windows.
+
+ * winccld.c (LoadFuncs): Get error on DLL load failure even though
+ we do not use it in case we are doing source-level debugging.
+
+2000-05-04 Miro Jurisic <meeroh@mit.edu>
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Conditionalized local/KDC time conversions for Mac-only
+ until we figure out what to do about that
+
+2000-04-07 Jeffrey Altman <jaltman@columbia.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+
+ memory was being allocated as (sizeof(foo) * count + 1)
+ instead of (sizeof(foo) * (count + 1))
+
+2000-04-03 Jeffrey Altman <jaltman@columbia.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+
+ Changed all references to the type UInt32 to unsigned int
+ since UInt32 is not a standard type on Unix or Win32
+
+2000-03-24 Alexandra Ellwood <lxs@mit.edu>
+
+ * stdcc_util.c (copyCCDataArrayToK5, copyCCDataArrayToK5):
+ Modified to copy authdata as well... this code may have
+ bugs since I couldn't get a good case where authdata != NULL
+
+ * stdcc_util.c (dupCCtoK5, dupK5toCC):
+ Added code to store times in localtime, not in kdc time.
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* stdcc.c (krb5_stdcc_destroy): Do not mask KRB5_FCC_NOFILE error
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.c b/src/lib/krb5/ccache/ccapi/stdcc.c
index a17cd02..b885885 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc.c
@@ -32,6 +32,7 @@
#include "stdcc.h"
#include "stdcc_util.h"
#include "string.h"
+#include "k5-int.h"
#include <stdio.h>
apiCB *gCntrlBlock = NULL;
@@ -40,7 +41,7 @@ apiCB *gCntrlBlock = NULL;
#include "winccld.h"
#endif
-#if !defined(_MSDOS) && !defined(_WIN32)
+#ifndef CC_API_VER2
#define CC_API_VER2
#endif
@@ -264,7 +265,7 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_resolve
stdccCacheDataPtr ccapi_data = NULL;
int err;
krb5_error_code retval;
- char *cName;
+ char *cName = NULL;
if ((retval = stdcc_setup(context, NULL)))
return retval;
@@ -548,7 +549,9 @@ krb5_error_code KRB5_CALLCONV krb5_stdcc_end_seq_get
krb5_error_code retval;
stdccCacheDataPtr ccapi_data = NULL;
int err;
+#ifndef CC_API_VER2
cred_union *credU = NULL;
+#endif
ccapi_data = id->data;
@@ -656,7 +659,6 @@ krb5_stdcc_destroy (krb5_context context, krb5_ccache id)
char * KRB5_CALLCONV krb5_stdcc_get_name
(krb5_context context, krb5_ccache id )
{
- char *name = NULL;
stdccCacheDataPtr ccapi_data = id->data;
if (!ccapi_data)
diff --git a/src/lib/krb5/ccache/ccapi/stdcc.h b/src/lib/krb5/ccache/ccapi/stdcc.h
index 109c4fc..a9825b7 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc.h
@@ -1,7 +1,7 @@
#include "krb5.h"
-#if defined(macintosh)
-#include "CCache2.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache2.h>
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -24,6 +24,8 @@ typedef struct _stdccCacheData {
/* function protoypes */
+void krb5_stdcc_shutdown(void);
+
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV krb5_stdcc_close
KRB5_PROTOTYPE((krb5_context, krb5_ccache id ));
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.c b/src/lib/krb5/ccache/ccapi/stdcc_util.c
index 4262eed..cf2054e 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.c
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.c
@@ -23,112 +23,170 @@
* - copy and translate the null terminated arrays of data records
* used in k5 tickets
*/
-int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray) {
-
- cc_data *ccAdr, **cbase;
- krb5_address *kAdr, **kbase, **constKBase;
- int numRecords = 0;
-
-
- if (whichArray == kAddressArray) {
- /* check pointer */
- if (cc->addresses == NULL) {
- kc->addresses = NULL;
- return 0;
- }
- } else if (whichArray == kAuthDataArray) {
- /* check pointer */
- if (cc->authdata == NULL) {
- kc->authdata = NULL;
- return 0;
- }
- } else
- return -1;
-
-
- cbase = (whichArray == kAddressArray) ? cc->addresses : cc->authdata;
- /* calc number of records */
- while (*cbase++ != NULL) numRecords++;
- /* allocate new array */
- constKBase = kbase = (krb5_address **)malloc((numRecords+1)*sizeof(char *));
- //reset base
- cbase = (whichArray == kAddressArray) ? cc->addresses : cc->authdata;
-
-
- //copy records
- while (*cbase != NULL) {
- *kbase = (krb5_address *)malloc(sizeof(krb5_address));
- kAdr = *kbase;
- ccAdr = *cbase;
- kAdr->magic = (whichArray == kAddressArray) ? KV5M_ADDRESS : KV5M_AUTHDATA;
- kAdr->addrtype = ccAdr->type;
- kAdr->length = ccAdr->length;
- kAdr->contents = (krb5_octet *)malloc(kAdr->length);
- memcpy(kAdr->contents, ccAdr->data, kAdr->length);
- //next element please
- kbase++; cbase++;
+int copyCCDataArrayToK5(cc_creds *ccCreds, krb5_creds *v5Creds, char whichArray) {
+
+ if (whichArray == kAddressArray) {
+ if (ccCreds->addresses == NULL) {
+ v5Creds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->addresses; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->addresses = (krb5_address **) malloc (sizeof(krb5_address *) * (numRecords + 1));
+ if (v5Creds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) {
+
+ *addrPtr = (krb5_address *) malloc (sizeof(krb5_address));
+ if (*addrPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ addr->addrtype = data->type;
+ addr->magic = KV5M_ADDRESS;
+ addr->length = data->length;
+ addr->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * addr->length);
+ if (addr->contents == NULL)
+ return ENOMEM;
+ memmove(addr->contents, data->data, addr->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *addrPtr = NULL;
+ }
+ }
+
+ if (whichArray == kAuthDataArray) {
+ if (ccCreds->authdata == NULL) {
+ v5Creds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (dataPtr = ccCreds->authdata; *dataPtr != NULL; numRecords++, dataPtr++) {}
+
+ v5Creds->authdata = (krb5_authdata **) malloc (sizeof(krb5_authdata *) * (numRecords + 1));
+ if (v5Creds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *dataPtr != NULL; authPtr++, dataPtr++) {
+
+ *authPtr = (krb5_authdata *) malloc (sizeof(krb5_authdata));
+ if (*authPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ auth->ad_type = data->type;
+ auth->magic = KV5M_AUTHDATA;
+ auth->length = data->length;
+ auth->contents = (krb5_octet *) malloc (sizeof(krb5_octet) * auth->length);
+ if (auth->contents == NULL)
+ return ENOMEM;
+ memmove(auth->contents, data->data, auth->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *authPtr = NULL;
}
-
- //write terminator
- *kbase = NULL;
- if (whichArray == kAddressArray) kc->addresses = constKBase;
- else kc->authdata = (krb5_authdata **)constKBase;
+ }
- return 0;
+ return 0;
}
/*
* copyK5DataArrayToCC
* - analagous to above, but in the other direction
*/
-int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray) {
-
- cc_data *ccAdr, **cbase, **constCBase;
- krb5_address *kAdr, **kbase;
- int numRecords = 0;
-
-
- if (whichArray == kAddressArray) {
- //check pointer
- if (kc->addresses == NULL) {
- cc->addresses = NULL;
- return 0; }
- } else if (whichArray == kAuthDataArray) {
- //check pointer
- if (kc->authdata == NULL) {
- cc->authdata = NULL;
- return 0; }
- } else return -1;
-
-
- kbase = (whichArray == kAddressArray) ? kc->addresses : (krb5_address **)kc->authdata;
- //calc number of records
- while (*kbase++ != NULL) numRecords++;
- //allocate new array
- constCBase = cbase = (cc_data **)malloc((numRecords+1)*sizeof(char *));
- //reset base
- kbase = (whichArray == kAddressArray) ? kc->addresses : (krb5_address **)kc->authdata;
-
-
- //copy records
- while (*kbase != NULL) {
- *cbase = (cc_data *)malloc(sizeof(krb5_address));
- kAdr = *kbase;
- ccAdr = *cbase;
- ccAdr->type = kAdr->addrtype;
- ccAdr->length = kAdr->length;
- ccAdr->data = (unsigned char *)malloc(ccAdr->length);
- memcpy(ccAdr->data, kAdr->contents, kAdr->length);
- //next element please
- kbase++; cbase++;
+int copyK5DataArrayToCC(krb5_creds *v5Creds, cc_creds *ccCreds, char whichArray)
+{
+ if (whichArray == kAddressArray) {
+ if (v5Creds->addresses == NULL) {
+ ccCreds->addresses = NULL;
+ } else {
+
+ krb5_address **addrPtr, *addr;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (addrPtr = v5Creds->addresses; *addrPtr != NULL; numRecords++, addrPtr++) {}
+
+ ccCreds->addresses = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->addresses == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ addr = *addrPtr;
+
+ data->type = addr->addrtype;
+ data->length = addr->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, addr->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
+ }
+ }
+
+ if (whichArray == kAuthDataArray) {
+ if (v5Creds->authdata == NULL) {
+ ccCreds->authdata = NULL;
+ } else {
+ krb5_authdata **authPtr, *auth;
+ cc_data **dataPtr, *data;
+ unsigned int numRecords = 0;
+
+ /* Allocate the array of pointers: */
+ for (authPtr = v5Creds->authdata; *authPtr != NULL; numRecords++, authPtr++) {}
+
+ ccCreds->authdata = (cc_data **) malloc (sizeof(cc_data *) * (numRecords + 1));
+ if (ccCreds->authdata == NULL)
+ return ENOMEM;
+
+ /* Fill in the array, allocating the address structures: */
+ for (dataPtr = ccCreds->authdata, authPtr = v5Creds->authdata; *authPtr != NULL; authPtr++, dataPtr++) {
+
+ *dataPtr = (cc_data *) malloc (sizeof(cc_data));
+ if (*dataPtr == NULL)
+ return ENOMEM;
+ data = *dataPtr;
+ auth = *authPtr;
+
+ data->type = auth->ad_type;
+ data->length = auth->length;
+ data->data = malloc (sizeof(char) * data->length);
+ if (data->data == NULL)
+ return ENOMEM;
+ memmove(data->data, auth->contents, data->length); /* copy contents */
+ }
+
+ /* Write terminator: */
+ *dataPtr = NULL;
}
-
- //write terminator
- *cbase = NULL;
- if (whichArray == kAddressArray) cc->addresses = (cc_data **)constCBase;
- else cc->authdata = (cc_data **)constCBase;
+ }
- return 0;
+ return 0;
}
/*
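Review bot: Every `return ENOMEM` inside the fill loops of `copyCCDataArrayToK5` and `copyK5DataArrayToCC` leaves the destination array half built: the elements already allocated are not freed, and the pointer array, obtained with `malloc`, has no NULL terminator yet, so later code that walks `v5Creds->addresses` or `authdata` to free it would run into uninitialised pointers. A zero-length record can also yield a spurious `ENOMEM`, because `malloc(0)` may return NULL. Allocating the pointer array zero-filled and unwinding on failure fixes both; the excerpt shows the address branch of `copyCCDataArrayToK5`, and the other three branches need the same treatment. An unrecognised `whichArray` now also returns 0 where the removed code returned -1, which hides a caller error.

```c
/* Zero-filled, so the array is NULL-terminated at every point of the fill loop. */
v5Creds->addresses = (krb5_address **) calloc (numRecords + 1, sizeof(krb5_address *));
if (v5Creds->addresses == NULL)
    return ENOMEM;

for (dataPtr = ccCreds->addresses, addrPtr = v5Creds->addresses; *dataPtr != NULL; addrPtr++, dataPtr++) {
    data = *dataPtr;
    addr = (krb5_address *) calloc (1, sizeof(krb5_address));
    if (addr == NULL)
        goto fail_addresses;
    *addrPtr = addr;
    /* ... unchanged: addrtype, magic and length assignments ... */
    /* A zero-length record needs no buffer; contents stays NULL. */
    if (addr->length > 0) {
        addr->contents = (krb5_octet *) malloc (addr->length);
        if (addr->contents == NULL)
            goto fail_addresses;
        memmove(addr->contents, data->data, addr->length);
    }
}
/* ... unchanged: authdata branch and the final return 0 ... */

fail_addresses:
    /* Release everything built so far and leave the field in a defined state. */
    for (addrPtr = v5Creds->addresses; *addrPtr != NULL; addrPtr++) {
        free((*addrPtr)->contents);
        free(*addrPtr);
    }
    free(v5Creds->addresses);
    v5Creds->addresses = NULL;
    return ENOMEM;
```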
@@ -136,52 +194,56 @@ int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray) {
* - allocate an empty k5 style ticket and copy info from the cc_creds ticket
*/
-void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest) {
-
- int err;
-
- /*
- * allocate and copy
- * copy all of those damn fields back
- */
- err = krb5_parse_name(context, src->client, &(dest->client));
- err = krb5_parse_name(context, src->server, &(dest->server));
- if (err) return; //parsename fails w/o krb5.ini for example
-
- /* copy keyblock */
- dest->keyblock.enctype = src->keyblock.type;
- dest->keyblock.length = src->keyblock.length;
- dest->keyblock.contents = (krb5_octet *)malloc(dest->keyblock.length);
- memcpy(dest->keyblock.contents, src->keyblock.data, dest->keyblock.length);
-
- /* copy times */
- dest->times.authtime = src->authtime;
- dest->times.starttime = src->starttime;
- dest->times.endtime = src->endtime;
- dest->times.renew_till = src->renew_till;
- dest->is_skey = src->is_skey;
- dest->ticket_flags = src->ticket_flags;
-
- /* more branching fields */
- copyCCDataArrayToK5(src, dest, kAddressArray);
- dest->ticket.length = src->ticket.length;
- dest->ticket.data = (char *)malloc(src->ticket.length);
- memcpy(dest->ticket.data, src->ticket.data, src->ticket.length);
- dest->second_ticket.length = src->second_ticket.length;
- (dest->second_ticket).data = ( char *)malloc(src->second_ticket.length);
- memcpy(dest->second_ticket.data, src->second_ticket.data, src->second_ticket.length);
-
- /* zero out magic number */
- dest->magic = 0;
- /*
- * later
- * copyCCDataArrayToK5(src, dest, kAuthDataArray);
- * krb5 docs say that authdata can be nulled out if we
- * only want default behavior
- */
- dest->authdata = NULL;
-
- return;
+void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest)
+{
+ krb5_int32 offset_seconds = 0, offset_microseconds = 0;
+ int err;
+
+ /*
+ * allocate and copy
+ * copy all of those damn fields back
+ */
+ err = krb5_parse_name(context, src->client, &(dest->client));
+ err = krb5_parse_name(context, src->server, &(dest->server));
+ if (err) return; /* parsename fails w/o krb5.ini for example */
+
+ /* copy keyblock */
+ dest->keyblock.enctype = src->keyblock.type;
+ dest->keyblock.length = src->keyblock.length;
+ dest->keyblock.contents = (krb5_octet *)malloc(dest->keyblock.length);
+ memcpy(dest->keyblock.contents, src->keyblock.data, dest->keyblock.length);
+
+ /* copy times */
+#if TARGET_OS_MAC
+ err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
+ if (err) return;
+#endif
+ dest->times.authtime = src->authtime + offset_seconds;
+ dest->times.starttime = src->starttime + offset_seconds;
+ dest->times.endtime = src->endtime + offset_seconds;
+ dest->times.renew_till = src->renew_till + offset_seconds;
+ dest->is_skey = src->is_skey;
+ dest->ticket_flags = src->ticket_flags;
+
+ /* more branching fields */
+ err = copyCCDataArrayToK5(src, dest, kAddressArray);
+ if (err) return;
+
+ dest->ticket.length = src->ticket.length;
+ dest->ticket.data = (char *)malloc(src->ticket.length);
+ memcpy(dest->ticket.data, src->ticket.data, src->ticket.length);
+ dest->second_ticket.length = src->second_ticket.length;
+ (dest->second_ticket).data = ( char *)malloc(src->second_ticket.length);
+ memcpy(dest->second_ticket.data, src->second_ticket.data, src->second_ticket.length);
+
+ /* zero out magic number */
+ dest->magic = 0;
+
+ /* authdata */
+ err = copyCCDataArrayToK5(src, dest, kAuthDataArray);
+ if (err) return;
+
+ return;
}
/*
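Review bot: The three `malloc` results in dupCCtoK5 (`dest->keyblock.contents`, `dest->ticket.data`, `dest->second_ticket.data`) go straight into `memcpy` unchecked, so an allocation failure becomes a write through NULL with a length taken from the cache entry. Each needs a guard before the copy, for example `if (dest->keyblock.contents == NULL) return;`. The first `krb5_parse_name` result is also overwritten by the second call, so a failed client parse goes unnoticed when the server parse succeeds; test `err` after each call. Because the function returns void, the caller cannot tell a partly filled `dest` from a complete one, which deserves a comment on the function.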
@@ -190,90 +252,97 @@ void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest) {
*/
void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
{
- cc_creds *c;
- int err;
+ cc_creds *c;
+ int err;
+ krb5_int32 offset_seconds = 0, offset_microseconds = 0;
#ifdef macintosh
- char *tempname = NULL;
+ char *tempname = NULL;
#endif
-
- if (cu == NULL) return;
-
- /* allocate the cred_union */
- *cu = (cred_union *)malloc(sizeof(cred_union));
- if ((*cu) == NULL)
- return;
-
- (*cu)->cred_type = CC_CRED_V5;
-
- /* allocate creds structure (and install) */
- c = (cc_creds *)malloc(sizeof(cc_creds));
- if (c == NULL) return;
- (*cu)->cred.pV5Cred = c;
-
- /* convert krb5 principals to flat principals */
+
+ if (cu == NULL) return;
+
+ /* allocate the cred_union */
+ *cu = (cred_union *)malloc(sizeof(cred_union));
+ if ((*cu) == NULL)
+ return;
+
+ (*cu)->cred_type = CC_CRED_V5;
+
+ /* allocate creds structure (and install) */
+ c = (cc_creds *)malloc(sizeof(cc_creds));
+ if (c == NULL) return;
+ (*cu)->cred.pV5Cred = c;
+
+ /* convert krb5 principals to flat principals */
#ifdef macintosh
- /*
- * and make sure the memory for c->client and c->server is on
- * the system heap with NewPtr for the Mac (krb5_unparse_name
- * puts it in appl heap with malloc)
- */
- err = krb5_unparse_name(context, creds->client, &tempname);
- c->client = malloc(strlen(tempname)+1);
- if (c->client != NULL)
- strcpy(c->client,tempname);
- free(tempname);
- tempname = NULL;
-
- err = krb5_unparse_name(context, creds->server, &tempname);
- c->server = malloc(strlen(tempname)+1);
- if (c->server != NULL)
- strcpy(c->server,tempname);
- free(tempname);
+ /*
+ * and make sure the memory for c->client and c->server is on
+ * the system heap with NewPtr for the Mac (krb5_unparse_name
+ * puts it in appl heap with malloc)
+ */
+ err = krb5_unparse_name(context, creds->client, &tempname);
+ c->client = malloc(strlen(tempname)+1);
+ if (c->client != NULL)
+ strcpy(c->client,tempname);
+ free(tempname);
+ tempname = NULL;
+
+ err = krb5_unparse_name(context, creds->server, &tempname);
+ c->server = malloc(strlen(tempname)+1);
+ if (c->server != NULL)
+ strcpy(c->server,tempname);
+ free(tempname);
#else
- err = krb5_unparse_name(context, creds->client, &(c->client));
- err = krb5_unparse_name(context, creds->server, &(c->server));
+ err = krb5_unparse_name(context, creds->client, &(c->client));
+ err = krb5_unparse_name(context, creds->server, &(c->server));
#endif
- if (err) return;
-
- /* copy more fields */
- c->keyblock.type = creds->keyblock.enctype;
- c->keyblock.length = creds->keyblock.length;
-
- if (creds->keyblock.contents != NULL) {
- c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
- memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
- } else {
- c->keyblock.data = NULL;
- }
-
- c->authtime = creds->times.authtime;
- c->starttime = creds->times.starttime;
- c->endtime = creds->times.endtime;
- c->renew_till = creds->times.renew_till;
- c->is_skey = creds->is_skey;
- c->ticket_flags = creds->ticket_flags;
-
- copyK5DataArrayToCC(creds, c, kAddressArray);
-
- c->ticket.length = creds->ticket.length;
- if (creds->ticket.data != NULL) {
- c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
- memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
- } else {
- c->ticket.data = NULL;
- }
-
- c->second_ticket.length = creds->second_ticket.length;
- if (creds->second_ticket.data != NULL) {
- c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
- memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
- } else {
- c->second_ticket.data = NULL;
- }
-
- c->authdata = NULL;
-
- return;
+ if (err) return;
+
+ /* copy more fields */
+ c->keyblock.type = creds->keyblock.enctype;
+ c->keyblock.length = creds->keyblock.length;
+
+ if (creds->keyblock.contents != NULL) {
+ c->keyblock.data = (unsigned char *)malloc(creds->keyblock.length);
+ memcpy(c->keyblock.data, creds->keyblock.contents, creds->keyblock.length);
+ } else {
+ c->keyblock.data = NULL;
+ }
+
+#if TARGET_OS_MAC
+ err = krb5_get_time_offsets(context, &offset_seconds, &offset_microseconds);
+ if (err) return;
+#endif
+ c->authtime = creds->times.authtime - offset_seconds;
+ c->starttime = creds->times.starttime - offset_seconds;
+ c->endtime = creds->times.endtime - offset_seconds;
+ c->renew_till = creds->times.renew_till - offset_seconds;
+ c->is_skey = creds->is_skey;
+ c->ticket_flags = creds->ticket_flags;
+
+ err = copyK5DataArrayToCC(creds, c, kAddressArray);
+ if (err) return;
+
+ c->ticket.length = creds->ticket.length;
+ if (creds->ticket.data != NULL) {
+ c->ticket.data = (unsigned char *)malloc(creds->ticket.length);
+ memcpy(c->ticket.data, creds->ticket.data, creds->ticket.length);
+ } else {
+ c->ticket.data = NULL;
+ }
+
+ c->second_ticket.length = creds->second_ticket.length;
+ if (creds->second_ticket.data != NULL) {
+ c->second_ticket.data = (unsigned char *)malloc(creds->second_ticket.length);
+ memcpy(c->second_ticket.data, creds->second_ticket.data, creds->second_ticket.length);
+ } else {
+ c->second_ticket.data = NULL;
+ }
+
+ err = copyK5DataArrayToCC(creds, c, kAuthDataArray);
+ if (err) return;
+
+ return;
}
/*
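Review bot: `c` comes from plain `malloc`, so each new `if (err) return;` in dupK5toCC (after `krb5_get_time_offsets` and after both `copyK5DataArrayToCC` calls) leaves a cc_creds whose remaining pointers, such as `ticket.data`, `second_ticket.data` and `authdata`, are uninitialized. deep_free_cc_v5_creds later in this file frees exactly those fields, so a caller that releases the half-built union with krb5_free_cc_cred_union would pass garbage pointers to `free`. Zero the structures at allocation with `c = (cc_creds *)calloc(1, sizeof(cc_creds));`, and likewise for `*cu`, so the early returns leave NULLs behind. The `c == NULL` return has the same problem one level up: `*cu` is handed back with `cred.pV5Cred` never assigned.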
@@ -281,7 +350,7 @@ void dupK5toCC(krb5_context context, krb5_creds *creds, cred_union **cu)
*/
static krb5_boolean
times_match(t1, t2)
-register const krb5_ticket_times *t1;
+ register const krb5_ticket_times *t1;
register const krb5_ticket_times *t2;
{
if (t1->renew_till) {
@@ -308,7 +377,7 @@ times_match_exact (t1, t2)
static krb5_boolean
standard_fields_match(context, mcreds, creds)
- krb5_context context;
+ krb5_context context;
register const krb5_creds *mcreds, *creds;
{
return (krb5_principal_compare(context, mcreds->client,creds->client) &&
@@ -319,12 +388,12 @@ register const krb5_creds *mcreds, *creds;
static krb5_boolean
srvname_match(context, mcreds, creds)
- krb5_context context;
+ krb5_context context;
register const krb5_creds *mcreds, *creds;
{
krb5_boolean retval;
krb5_principal_data p1, p2;
-
+
retval = krb5_principal_compare(context, mcreds->client,creds->client);
if (retval != TRUE)
return retval;
@@ -368,7 +437,7 @@ authdata_match(mdata, data)
static krb5_boolean
data_match(data1, data2)
-register const krb5_data *data1, *data2;
+ register const krb5_data *data1, *data2;
{
if (!data1) {
if (!data2)
@@ -396,117 +465,113 @@ register const krb5_data *data1, *data2;
int stdccCredsMatch(krb5_context context, krb5_creds *base,
krb5_creds *match, int whichfields)
{
- krb5_ticket_times b, m;
- krb5_authdata **bp, **mp;
- krb5_boolean retval;
-
- if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) &&
- srvname_match(context, match, base)) ||
- standard_fields_match(context, match, base))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
- match->is_skey == base->is_skey)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
- match->ticket_flags == base->ticket_flags)
- &&
- (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
- flags_match(match->ticket_flags, base->ticket_flags))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
- times_match_exact(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
- times_match(&match->times, &base->times))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
- authdata_match (match->authdata, base->authdata))
- &&
- (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
- data_match (&match->second_ticket, &base->second_ticket))
- &&
- ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
- (match->keyblock.enctype == base->keyblock.enctype))
- )
- return TRUE;
- return FALSE;
-
+ if (((MATCH_SET(KRB5_TC_MATCH_SRV_NAMEONLY) &&
+ srvname_match(context, match, base)) ||
+ standard_fields_match(context, match, base))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_IS_SKEY) ||
+ match->is_skey == base->is_skey)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS_EXACT) ||
+ match->ticket_flags == base->ticket_flags)
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_FLAGS) ||
+ flags_match(match->ticket_flags, base->ticket_flags))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES_EXACT) ||
+ times_match_exact(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_TIMES) ||
+ times_match(&match->times, &base->times))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_AUTHDATA) ||
+ authdata_match (match->authdata, base->authdata))
+ &&
+ (! MATCH_SET(KRB5_TC_MATCH_2ND_TKT) ||
+ data_match (&match->second_ticket, &base->second_ticket))
+ &&
+ ((! MATCH_SET(KRB5_TC_MATCH_KTYPE))||
+ (match->keyblock.enctype == base->keyblock.enctype))
+ )
+ return TRUE;
+ return FALSE;
}
-// ----- free_cc_cred_union, etc --------------
+/* ----- free_cc_cred_union, etc -------------- */
/*
- Since the Kerberos5 library allocates a credentials cache structure
- (in dupK5toCC() above) with its own memory allocation routines - which
- may be different than how the CCache allocates memory - the Kerb5 library
- must have its own version of cc_free_creds() to deallocate it. These
- functions do that. The top-level function to substitue for cc_free_creds()
- is krb5_free_cc_cred_union().
-
- If the CCache library wants to use a cred_union structure created by
- the Kerb5 library, it should make a deep copy of it to "translate" to its
- own memory allocation space.
+ Since the Kerberos5 library allocates a credentials cache structure
+ (in dupK5toCC() above) with its own memory allocation routines - which
+ may be different than how the CCache allocates memory - the Kerb5 library
+ must have its own version of cc_free_creds() to deallocate it. These
+ functions do that. The top-level function to substitue for cc_free_creds()
+ is krb5_free_cc_cred_union().
+
+ If the CCache library wants to use a cred_union structure created by
+ the Kerb5 library, it should make a deep copy of it to "translate" to its
+ own memory allocation space.
*/
-static void deep_free_cc_data (cc_data data) {
-
- if (data.data != NULL)
- free (data.data);
+static void deep_free_cc_data (cc_data data)
+{
+ if (data.data != NULL)
+ free (data.data);
}
static void deep_free_cc_data_array (cc_data** data) {
-
- unsigned int index;
-
- if (data == NULL)
- return;
-
- for (index = 0; data [index] != NULL; index++) {
- deep_free_cc_data (*(data [index]));
- free (data [index]);
- }
-
- free (data);
+
+ unsigned int index;
+
+ if (data == NULL)
+ return;
+
+ for (index = 0; data [index] != NULL; index++) {
+ deep_free_cc_data (*(data [index]));
+ free (data [index]);
+ }
+
+ free (data);
}
-static void deep_free_cc_v5_creds (cc_creds* creds) {
-
- if (creds == NULL)
- return;
-
- if (creds -> client != NULL)
- free (creds -> client);
- if (creds -> server != NULL)
- free (creds -> server);
-
- deep_free_cc_data (creds -> keyblock);
- deep_free_cc_data (creds -> ticket);
- deep_free_cc_data (creds -> second_ticket);
-
- deep_free_cc_data_array (creds -> addresses);
- deep_free_cc_data_array (creds -> authdata);
-
- free(creds);
+static void deep_free_cc_v5_creds (cc_creds* creds)
+{
+ if (creds == NULL)
+ return;
+
+ if (creds -> client != NULL)
+ free (creds -> client);
+ if (creds -> server != NULL)
+ free (creds -> server);
+
+ deep_free_cc_data (creds -> keyblock);
+ deep_free_cc_data (creds -> ticket);
+ deep_free_cc_data (creds -> second_ticket);
+
+ deep_free_cc_data_array (creds -> addresses);
+ deep_free_cc_data_array (creds -> authdata);
+
+ free(creds);
}
-static void deep_free_cc_creds (cred_union creds) {
-
- if (creds.cred_type == CC_CRED_V4) { // we shouldn't get this, of course
- free (creds.cred.pV4Cred);
- } else if (creds.cred_type == CC_CRED_V5) {
- deep_free_cc_v5_creds (creds.cred.pV5Cred);
- }
+static void deep_free_cc_creds (cred_union creds)
+{
+ if (creds.cred_type == CC_CRED_V4) {
+ /* we shouldn't get this, of course */
+ free (creds.cred.pV4Cred);
+ } else if (creds.cred_type == CC_CRED_V5) {
+ deep_free_cc_v5_creds (creds.cred.pV5Cred);
+ }
}
-// top-level exported function
-cc_int32 krb5_free_cc_cred_union (cred_union** creds) {
-
- if (creds == NULL)
- return CC_BAD_PARM;
-
- if (*creds != NULL) {
- deep_free_cc_creds (**creds);
- free (*creds);
- *creds = NULL;
- }
-
- return CC_NOERROR;
+/* top-level exported function */
+cc_int32 krb5_free_cc_cred_union (cred_union** creds)
+{
+ if (creds == NULL)
+ return CC_BAD_PARM;
+
+ if (*creds != NULL) {
+ deep_free_cc_creds (**creds);
+ free (*creds);
+ *creds = NULL;
+ }
+
+ return CC_NOERROR;
}
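Review bot: deep_free_cc_data releases its buffer with a bare `free (data.data)`, and deep_free_cc_v5_creds passes the session key (`creds -> keyblock`) through it, so key bytes remain in freed heap memory. Clearing the buffer first, e.g. `memset (data.data, 0, data.length);` inside the existing NULL check, would limit that exposure. A plain memset directly before free can be optimized away, so a wipe helper the compiler cannot drop is preferable if the tree provides one. The rest of this hunk is re-indentation and comment-style changes.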
diff --git a/src/lib/krb5/ccache/ccapi/stdcc_util.h b/src/lib/krb5/ccache/ccapi/stdcc_util.h
index 93538bf..e8426d4 100644
--- a/src/lib/krb5/ccache/ccapi/stdcc_util.h
+++ b/src/lib/krb5/ccache/ccapi/stdcc_util.h
@@ -1,9 +1,10 @@
-//stdcc_util.h
-//
-// Frank Dabek, July 1998
+/* stdcc_util.h
+ *
+ * Frank Dabek, July 1998
+ */
-#if defined(macintosh)
-#include "CCache2.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache2.h>
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -12,7 +13,7 @@
#include "krb5.h"
-//protoypes for private functions declared in stdcc_util.c
+/* protoypes for private functions declared in stdcc_util.c */
int copyCCDataArrayToK5(cc_creds *cc, krb5_creds *kc, char whichArray);
int copyK5DataArrayToCC(krb5_creds *kc, cc_creds *cc, char whichArray);
void dupCCtoK5(krb5_context context, cc_creds *src, krb5_creds *dest);
diff --git a/src/lib/krb5/ccache/ccapi/winccld.c b/src/lib/krb5/ccache/ccapi/winccld.c
index 2792cee..e6e4d58 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.c
+++ b/src/lib/krb5/ccache/ccapi/winccld.c
@@ -7,6 +7,7 @@
#include <windows.h>
#include <stdio.h>
#include "stdcc.h"
+#include "k5-int.h"
/* from fcc-proto.h */
KRB5_DLLIMP extern krb5_cc_ops krb5_fcc_ops;
@@ -45,6 +46,8 @@ static int LoadFuncs(const char* dll_name, FUNC_INFO fi[],
}
if (!(h = LoadLibrary(dll_name))) {
+ /* Get error for source debugging purposes. */
+ error = (int)GetLastError();
return LF_NODLL;
}
diff --git a/src/lib/krb5/ccache/ccapi/winccld.h b/src/lib/krb5/ccache/ccapi/winccld.h
index 09a7ef5..e285d1f 100644
--- a/src/lib/krb5/ccache/ccapi/winccld.h
+++ b/src/lib/krb5/ccache/ccapi/winccld.h
@@ -6,6 +6,10 @@
#ifndef KRB5_WINCCLD_H_
#define KRB5_WINCCLD_H_
+#ifndef CC_API_VER2
+#define CC_API_VER2
+#endif
+
#include "cacheapi.h"
typedef cc_int32 (*FP_cc_initialize)(apiCB**, const cc_int32,
@@ -19,6 +23,9 @@ typedef cc_int32 (*FP_cc_open)(apiCB*, const char*, const enum cc_cred_vers,
typedef cc_int32 (*FP_cc_close)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_destroy)(apiCB*, ccache_p**);
typedef cc_int32 (*FP_cc_seq_fetch_NCs)(apiCB*, ccache_p**, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_begin)(apiCB*, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_next)(apiCB*, ccache_p**, ccache_cit*);
+typedef cc_int32 (*FP_cc_seq_fetch_NCs_end)(apiCB*, ccache_cit**);
typedef cc_int32 (*FP_cc_get_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_free_NC_info)(apiCB*, struct _infoNC***);
typedef cc_int32 (*FP_cc_get_name)(apiCB*, const ccache_p*, char**);
@@ -34,6 +41,11 @@ typedef cc_int32 (*FP_cc_remove_cred)(apiCB*, const ccache_p*,
const cred_union);
typedef cc_int32 (*FP_cc_seq_fetch_creds)(apiCB*, const ccache_p*,
cred_union**, ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_begin)(apiCB*, const ccache_p*,
+ ccache_cit**);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_next)(apiCB*, cred_union**,
+ ccache_cit*);
+typedef cc_int32 (*FP_cc_seq_fetch_creds_end)(apiCB*, ccache_cit**);
typedef cc_int32 (*FP_cc_free_principal)(apiCB*, char**);
typedef cc_int32 (*FP_cc_free_name)(apiCB*, char** name);
typedef cc_int32 (*FP_cc_free_creds)(apiCB*, cred_union** pCred);
@@ -58,17 +70,33 @@ DECL_FUNC_PTR(cc_create);
DECL_FUNC_PTR(cc_open);
DECL_FUNC_PTR(cc_close);
DECL_FUNC_PTR(cc_destroy);
+#if 0 /* Not used */
+#ifdef CC_API_VER2
+DECL_FUNC_PTR(cc_seq_fetch_NCs_begin);
+DECL_FUNC_PTR(cc_seq_fetch_NCs_next);
+DECL_FUNC_PTR(cc_seq_fetch_NCs_end);
+#else
DECL_FUNC_PTR(cc_seq_fetch_NCs);
+#endif
DECL_FUNC_PTR(cc_get_NC_info);
DECL_FUNC_PTR(cc_free_NC_info);
+#endif
DECL_FUNC_PTR(cc_get_name);
DECL_FUNC_PTR(cc_set_principal);
DECL_FUNC_PTR(cc_get_principal);
DECL_FUNC_PTR(cc_get_cred_version);
+#if 0 /* Not used */
DECL_FUNC_PTR(cc_lock_request);
+#endif
DECL_FUNC_PTR(cc_store);
DECL_FUNC_PTR(cc_remove_cred);
+#ifdef CC_API_VER2
+DECL_FUNC_PTR(cc_seq_fetch_creds_begin);
+DECL_FUNC_PTR(cc_seq_fetch_creds_next);
+DECL_FUNC_PTR(cc_seq_fetch_creds_end);
+#else
DECL_FUNC_PTR(cc_seq_fetch_creds);
+#endif
DECL_FUNC_PTR(cc_free_principal);
DECL_FUNC_PTR(cc_free_name);
DECL_FUNC_PTR(cc_free_creds);
@@ -82,17 +110,27 @@ FUNC_INFO krbcc_fi[] = {
MAKE_FUNC_INFO(cc_open),
MAKE_FUNC_INFO(cc_close),
MAKE_FUNC_INFO(cc_destroy),
+#if 0 /* Not used */
MAKE_FUNC_INFO(cc_seq_fetch_NCs),
MAKE_FUNC_INFO(cc_get_NC_info),
MAKE_FUNC_INFO(cc_free_NC_info),
+#endif
MAKE_FUNC_INFO(cc_get_name),
MAKE_FUNC_INFO(cc_set_principal),
MAKE_FUNC_INFO(cc_get_principal),
MAKE_FUNC_INFO(cc_get_cred_version),
+#if 0 /* Not used */
MAKE_FUNC_INFO(cc_lock_request),
+#endif
MAKE_FUNC_INFO(cc_store),
MAKE_FUNC_INFO(cc_remove_cred),
+#ifdef CC_API_VER2
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_begin),
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_next),
+ MAKE_FUNC_INFO(cc_seq_fetch_creds_end),
+#else
MAKE_FUNC_INFO(cc_seq_fetch_creds),
+#endif
MAKE_FUNC_INFO(cc_free_principal),
MAKE_FUNC_INFO(cc_free_name),
MAKE_FUNC_INFO(cc_free_creds),
@@ -109,17 +147,33 @@ FUNC_INFO krbcc_fi[] = {
#define cc_open pcc_open
#define cc_close pcc_close
#define cc_destroy pcc_destroy
+#if 0 /* Not used */
+#ifdef CC_API_VER2
+#define cc_seq_fetch_NCs_begin pcc_seq_fetch_NCs_begin
+#define cc_seq_fetch_NCs_next pcc_seq_fetch_NCs_next
+#define cc_seq_fetch_NCs_end pcc_seq_fetch_NCs_end
+#else
#define cc_seq_fetch_NCs pcc_seq_fetch_NCs
+#endif
#define cc_get_NC_info pcc_get_NC_info
#define cc_free_NC_info pcc_free_NC_info
+#endif /* End of Not used */
#define cc_get_name pcc_get_name
#define cc_set_principal pcc_set_principal
#define cc_get_principal pcc_get_principal
#define cc_get_cred_version pcc_get_cred_version
+#if 0 /* Not used */
#define cc_lock_request pcc_lock_request
+#endif
#define cc_store pcc_store
#define cc_remove_cred pcc_remove_cred
+#ifdef CC_API_VER2
+#define cc_seq_fetch_creds_begin pcc_seq_fetch_creds_begin
+#define cc_seq_fetch_creds_next pcc_seq_fetch_creds_next
+#define cc_seq_fetch_creds_end pcc_seq_fetch_creds_end
+#else
#define cc_seq_fetch_creds pcc_seq_fetch_creds
+#endif
#define cc_free_principal pcc_free_principal
#define cc_free_name pcc_free_name
#define cc_free_creds pcc_free_creds
diff --git a/src/lib/krb5/ccache/ccdefault.c b/src/lib/krb5/ccache/ccdefault.c
index 3e2699c..fc3e0ad 100644
--- a/src/lib/krb5/ccache/ccdefault.c
+++ b/src/lib/krb5/ccache/ccdefault.c
@@ -27,6 +27,10 @@
* Find default credential cache
*/
+#ifdef USE_LOGIN_LIBRARY
+#include <Kerberos/KerberosLoginPrivate.h>
+#endif
+
#include "k5-int.h"
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
@@ -34,5 +38,83 @@ krb5_cc_default(context, ccache)
krb5_context context;
krb5_ccache FAR *ccache;
{
- return krb5_cc_resolve(context, krb5_cc_default_name(context), ccache);
+ krb5_error_code retval;
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ retval = krb5_cc_resolve(context, krb5_cc_default_name(context), ccache);
+ if (!retval && ccache && !os_ctx->default_ccprincipal) {
+ /* We got a ccache... remember what principal is associated with it */
+ if (krb5_cc_get_principal (context, *ccache, &os_ctx->default_ccprincipal) != 0)
+ os_ctx->default_ccprincipal = 0;
+ }
+ return retval;
+}
+
+/* This is the internal function which opens the default ccache. On platforms supporting
+ the login library's automatic popup dialog to get tickets, this function also updated the
+ library's internal view of the current principal associated with this cache.
+
+ All krb5 and GSS functions which need to open a cache to get a tgt to obtain service tickets
+ should call this function, not krb5_cc_default() */
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5int_cc_default(context, ccache)
+ krb5_context context;
+ krb5_ccache FAR *ccache;
+{
+#ifdef USE_LOGIN_LIBRARY
+ {
+ /* make sure the default cache has tix before you open it */
+ char *outCacheName;
+ KLPrincipal desiredPrincipal = nil;
+ krb5_principal desiredKrb5Principal;
+ krb5_error_code err;
+ krb5_os_context os_ctx;
+
+ if (!context || context->magic != KV5M_CONTEXT)
+ return KV5M_CONTEXT;
+
+ os_ctx = context->os_context;
+
+ desiredKrb5Principal = os_ctx->default_ccprincipal;
+
+ /* do we want a specific client principal? */
+ if (desiredKrb5Principal != NULL) {
+ char *desiredName;
+
+ err = krb5_unparse_name (context, desiredKrb5Principal, &desiredName);
+ if (!err) {
+ err = KLCreatePrincipalFromString (desiredName,
+ kerberosVersion_V5, &desiredPrincipal);
+ krb5_free_unparsed_name (context, desiredName);
+ if (err != klNoErr)
+ desiredPrincipal = nil;
+ }
+ }
+
+ /* Try to make sure a krb5 tgt is in the cache */
+ err = __KLInternalAcquireInitialTicketsForCache (desiredPrincipal, NULL,
+ krb5_cc_default_name (context),
+ kerberosVersion_V5, nil, &outCacheName);
+ if (err == klNoErr) {
+ /* This function tries to get tickets and put them in the specified
+ cache, however, if the cache does not exist, it may choose to put
+ them elsewhere (ie: the system default) so we set that here */
+ if (strcmp (krb5_cc_default_name (context), outCacheName) != 0) {
+ krb5_cc_set_default_name (context, outCacheName);
+ }
+ KLDisposeString (outCacheName);
+ }
+
+ if (desiredPrincipal != nil)
+ KLDisposePrincipal (desiredPrincipal);
+ }
+#endif
+
+ return krb5_cc_default (context, ccache);
}
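Review bot: In krb5int_cc_default a failure of `krb5_unparse_name` or `KLCreatePrincipalFromString` is swallowed and the code carries on with `desiredPrincipal = nil`. That presumably lets the login library acquire tickets for any principal rather than the one remembered in `os_ctx->default_ccprincipal`. If that fallback is intended it deserves a comment; otherwise propagate the failure, e.g. `if (err) return err;` right after the `krb5_unparse_name` call. The results of `__KLInternalAcquireInitialTicketsForCache` and `krb5_cc_set_default_name` are likewise dropped, and the value of `krb5_cc_default_name (context)` reaches `strcmp` without a NULL check.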
diff --git a/src/lib/krb5/ccache/ccdefops.c b/src/lib/krb5/ccache/ccdefops.c
index 2651273..092503e 100644
--- a/src/lib/krb5/ccache/ccdefops.c
+++ b/src/lib/krb5/ccache/ccdefops.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
-#if defined(macintosh)
+#if defined(USE_CCAPI)
/*
* Macs use the shared, memory based credentials cache
diff --git a/src/lib/krb5/ccache/ccfns.c b/src/lib/krb5/ccache/ccfns.c
new file mode 100644
index 0000000..b12c93e
--- /dev/null
+++ b/src/lib/krb5/ccache/ccfns.c
@@ -0,0 +1,131 @@
+/*
+ * lib/krb5/ccache/ccfns.c
+ *
+ * Copyright 2000 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Dispatch methods for credentials cache code.
+ */
+
+#include "k5-int.h"
+#include "krb5.h"
+
+#if KRB5_CCACHE_ACCESSOR_FUNCTIONS
+
+const char FAR * KRB5_CALLCONV
+krb5_cc_get_name (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->get_name(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_gen_new (krb5_context context, krb5_ccache FAR *cache)
+{
+ return (*cache)->ops->gen_new(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_initialize(krb5_context context, krb5_ccache cache,
+ krb5_principal principal)
+{
+ return cache->ops->init(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_destroy (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->destroy(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_close (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->close(context, cache);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_store_cred (krb5_context context, krb5_ccache cache,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->store(context, cache, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_retrieve_cred (krb5_context context, krb5_ccache cache,
+ krb5_flags flags, krb5_creds FAR *mcreds,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->retrieve(context, cache, flags, mcreds, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_get_principal (krb5_context context, krb5_ccache cache,
+ krb5_principal FAR *principal)
+{
+ return cache->ops->get_princ(context, cache, principal);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_start_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor)
+{
+ return cache->ops->get_first(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_next_cred (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor, krb5_creds FAR *creds)
+{
+ return cache->ops->get_next(context, cache, cursor, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_end_seq_get (krb5_context context, krb5_ccache cache,
+ krb5_cc_cursor FAR *cursor)
+{
+ return cache->ops->end_get(context, cache, cursor);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_remove_cred (krb5_context context, krb5_ccache cache, krb5_flags flags,
+ krb5_creds FAR *creds)
+{
+ return cache->ops->remove_cred(context, cache, flags, creds);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_cc_set_flags (krb5_context context, krb5_ccache cache, krb5_flags flags)
+{
+ return cache->ops->set_flags(context, cache, flags);
+}
+
+const char FAR * KRB5_CALLCONV
+krb5_cc_get_type (krb5_context context, krb5_ccache cache)
+{
+ return cache->ops->prefix;
+}
+#else
+/* Dummy variable for compilers which don't like empty files */
+static krb5_int dummy = 0;
+#endif /* KRB5_CCACHE_ACCESSOR_FUNCTIONS */ \ No newline at end of file
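Review bot: The `#else` branch declares `static krb5_int dummy = 0;`, and no `krb5_int` type appears anywhere in this diff. Unless `krb5.h` or `k5-int.h` defines it, a build with `KRB5_CCACHE_ACCESSOR_FUNCTIONS` off will not compile; `static int dummy = 0;` avoids the question. The wrappers dereference `cache->ops` (and `(*cache)->ops` in krb5_cc_gen_new) with no NULL check, so a header comment should state a non-NULL, initialized cache as a caller precondition. The file also ends without a trailing newline.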
diff --git a/src/lib/krb5/ccache/file/ChangeLog b/src/lib/krb5/ccache/file/ChangeLog
index 298360b..cda7184 100644
--- a/src/lib/krb5/ccache/file/ChangeLog
+++ b/src/lib/krb5/ccache/file/ChangeLog
@@ -1,3 +1,6 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * fcc_gprinc.c: removed unused data variable to reduce warnings
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/file/fcc_gprin.c b/src/lib/krb5/ccache/file/fcc_gprin.c
index b8a2595..bbac185 100644
--- a/src/lib/krb5/ccache/file/fcc_gprin.c
+++ b/src/lib/krb5/ccache/file/fcc_gprin.c
@@ -50,7 +50,6 @@ krb5_fcc_get_principal(context, id, princ)
krb5_principal *princ;
{
krb5_error_code kret = KRB5_OK;
- krb5_fcc_data *data = (krb5_fcc_data *)id->data;
MAYBE_OPEN(context, id, FCC_OPEN_RDONLY);
diff --git a/src/lib/krb5/ccache/stdio/ChangeLog b/src/lib/krb5/ccache/stdio/ChangeLog
index c520ca3..1379190 100644
--- a/src/lib/krb5/ccache/stdio/ChangeLog
+++ b/src/lib/krb5/ccache/stdio/ChangeLog
@@ -1,3 +1,6 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * scc_skip.c: removed unused princ variable to reduce warnings
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/ccache/stdio/scc_skip.c b/src/lib/krb5/ccache/stdio/scc_skip.c
index c203c71..9c86cb7 100644
--- a/src/lib/krb5/ccache/stdio/scc_skip.c
+++ b/src/lib/krb5/ccache/stdio/scc_skip.c
@@ -37,7 +37,6 @@ krb5_scc_skip_header(context, id)
krb5_ccache id;
{
krb5_error_code kret;
- krb5_principal princ;
krb5_scc_data *data = (krb5_scc_data *) id->data;
krb5_ui_2 scc_flen;
diff --git a/src/lib/krb5/error_tables/ChangeLog b/src/lib/krb5/error_tables/ChangeLog
index d93bf5e..710d7a4 100644
--- a/src/lib/krb5/error_tables/ChangeLog
+++ b/src/lib/krb5/error_tables/ChangeLog
@@ -1,3 +1,19 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * krb5_err.et: Changed Credentials Cache file to Credentials Cache
+ because on Mac and Windows, the credentials cache is in memory.
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * kdb5_err.et: Add KRB5_KDB_NO_PERMITTED_KEY,
+ KRB5_KDB_NO_MATCHING_KEY for libkdb so we can return something
+ other than ENOENT (which was Just Wrong).
+
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * asn1_err.et: Add error codes MISMATCH_INDEF and MISSING_EOC.
+ [pullup from trunk]
+
1999-12-01 Ken Raeburn <raeburn@mit.edu>
* krb5_err.et (KRB5_OBSOLETE_FN): New error code.
diff --git a/src/lib/krb5/error_tables/asn1_err.et b/src/lib/krb5/error_tables/asn1_err.et
index f0136cf..06078ff 100644
--- a/src/lib/krb5/error_tables/asn1_err.et
+++ b/src/lib/krb5/error_tables/asn1_err.et
@@ -10,4 +10,6 @@ error_code ASN1_BAD_LENGTH, "ASN.1 length doesn't match expected value"
error_code ASN1_BAD_FORMAT, "ASN.1 badly-formatted encoding"
error_code ASN1_PARSE_ERROR, "ASN.1 parse error"
error_code ASN1_BAD_GMTIME, "ASN.1 bad return from gmtime"
+error_code ASN1_MISMATCH_INDEF, "ASN.1 non-constructed indefinite encoding"
+error_code ASN1_MISSING_EOC, "ASN.1 missing expected EOC"
end
diff --git a/src/lib/krb5/error_tables/kdb5_err.et b/src/lib/krb5/error_tables/kdb5_err.et
index 982a9c1..aee3c4a 100644
--- a/src/lib/krb5/error_tables/kdb5_err.et
+++ b/src/lib/krb5/error_tables/kdb5_err.et
@@ -66,4 +66,6 @@ ec KRB5_KDB_BAD_VERSION, "Unsupported version in database entry"
ec KRB5_KDB_BAD_SALTTYPE, "Unsupported salt type"
ec KRB5_KDB_BAD_ENCTYPE, "Unsupported encryption type"
ec KRB5_KDB_BAD_CREATEFLAGS, "Bad database creation flags"
+ec KRB5_KDB_NO_PERMITTED_KEY, "No matching key in entry having a permitted enctype"
+ec KRB5_KDB_NO_MATCHING_KEY, "No matching key in entry"
end
diff --git a/src/lib/krb5/error_tables/krb5_err.et b/src/lib/krb5/error_tables/krb5_err.et
index 6135a9d..8ff5ff3 100644
--- a/src/lib/krb5/error_tables/krb5_err.et
+++ b/src/lib/krb5/error_tables/krb5_err.et
@@ -259,10 +259,10 @@ error_code KRB5_CC_TYPE_EXISTS, "Credentials cache type is already registered."
error_code KRB5_KT_TYPE_EXISTS, "Key table type is already registered."
error_code KRB5_CC_IO, "Credentials cache I/O operation failed XXX"
-error_code KRB5_FCC_PERM, "Credentials cache file permissions incorrect"
-error_code KRB5_FCC_NOFILE, "No credentials cache file found"
-error_code KRB5_FCC_INTERNAL, "Internal file credentials cache error"
-error_code KRB5_CC_WRITE, "Error writing to credentials cache file"
+error_code KRB5_FCC_PERM, "Credentials cache permissions incorrect"
+error_code KRB5_FCC_NOFILE, "No credentials cache found"
+error_code KRB5_FCC_INTERNAL, "Internal credentials cache error"
+error_code KRB5_CC_WRITE, "Error writing to credentials cache"
error_code KRB5_CC_NOMEM, "No more memory to allocate (in credentials cache code)"
error_code KRB5_CC_FORMAT, "Bad format in credentials cache"
error_code KRB5_CC_NOT_KTYPE, "No credentials found with supported encryption types"
diff --git a/src/lib/krb5/keytab/ChangeLog b/src/lib/krb5/keytab/ChangeLog
index fa1e715..ab4e5e4 100644
--- a/src/lib/krb5/keytab/ChangeLog
+++ b/src/lib/krb5/keytab/ChangeLog
@@ -1,3 +1,27 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kt_file.c (krb5_ktfileint_internal_read_entry): Use
+ krb5_princ_size instead of direct field access.
+ (krb5_ktfileint_write_entry, krb5_ktfileint_size_entry):
+ Likewise.
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Build kt accessor functions on Windows.
+
+ * ktfr_entry.c: Rename krb5_kt_free_entry_contents as
+ krb5_free_keytab_entry_contents to make it consistent with rest of
+ API.
+
+2002-04-02 Ken Raeburn <raeburn@mit.edu>
+
+ * ktfr_entry.c (krb5_kt_free_entry_contents): Rename from
+ krb5_kt_free_entry, keep old name as wrapper.
+
+2000-04-01 Miro Jurisic <meeroh@mit.edu>
+
+ * ktfns.c: Merged from trunk
+
2000-03-12 Ezra Peisach <epeisach@mit.edu>
* ktbase.c (krb5_kt_resolve): Change prototype from const to
diff --git a/src/lib/krb5/keytab/Makefile.in b/src/lib/krb5/keytab/Makefile.in
index 66677a1..7d2b023 100644
--- a/src/lib/krb5/keytab/Makefile.in
+++ b/src/lib/krb5/keytab/Makefile.in
@@ -35,6 +35,8 @@ SRCS= \
$(srcdir)/ktremove.c \
$(srcdir)/read_servi.c
+##DOS##OBJS=$(OBJS) $(OUTPRE)ktfns.$(OBJEXT)
+
all-windows:: subdirs $(OBJFILE)
##DOSsubdirs:: file\$(OUTPRE)file.lst srvtab\$(OUTPRE)srvtab.lst
diff --git a/src/lib/krb5/keytab/file/ChangeLog b/src/lib/krb5/keytab/file/ChangeLog
index 4be401b..d0ececa 100644
--- a/src/lib/krb5/keytab/file/ChangeLog
+++ b/src/lib/krb5/keytab/file/ChangeLog
@@ -1,3 +1,16 @@
+2002-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * ktf_g_ent.c (krb5_ktfile_get_entry): For non-zero kvno, match
+ only low 8 bits. For zero kvno, if any kvno in the keytab is over
+ 240, assume we're dealing with numbers 128 through (127+256)
+ instead. This allows for wrapping at 256 while retaining a small
+ set of consecutively numbered prior keys in the keytab.
+
+2001-11-19 Tom Yu <tlyu@mit.edu>
+
+ * ktf_g_ent.c (krb5_ktfile_get_entry): Coerce enctype for now to
+ restore 1.0.x enctype similarity behavior.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/keytab/file/ktf_g_ent.c b/src/lib/krb5/keytab/file/ktf_g_ent.c
index b45ab6f..905ff6c 100644
--- a/src/lib/krb5/keytab/file/ktf_g_ent.c
+++ b/src/lib/krb5/keytab/file/ktf_g_ent.c
@@ -45,6 +45,7 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
krb5_error_code kerror = 0;
int found_wrong_kvno = 0;
krb5_boolean similar;
+ int kvno_offset = 0;
/* Open the keyfile for reading */
if ((kerror = krb5_ktfileint_openr(context, id)))
@@ -81,6 +82,14 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
krb5_kt_free_entry(context, &new_entry);
continue;
}
+ /*
+ * Coerce the enctype of the output keyblock in case we
+ * got an inexact match on the enctype; this behavior will
+ * go away when the key storage architecture gets
+ * redesigned for 1.3.
+ */
+ new_entry.key.enctype = enctype;
+
}
/* if the principal isn't the one requested, free new_entry
@@ -95,9 +104,24 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
/* if this is the first match, or if the new vno is
bigger, free the current and keep the new. Otherwise,
free the new. */
-
+ /* A 1.2.x keytab contains only the low 8 bits of the key
+ version number. Since it can be much bigger, and thus
+ the 8-bit value can wrap, we need some heuristics to
+ figure out the "highest" numbered key if some numbers
+ close to 255 and some near 0 are used.
+
+ The heuristic here:
+
+ If we have any keys with versions over 240, then assume
+ that all version numbers 0-127 refer to 256+N instead.
+ Not perfect, but maybe good enough? */
+
+#define M(VNO) (((VNO) - kvno_offset + 256) % 256)
+
+ if (new_entry.vno > 240)
+ kvno_offset = 128;
if (! cur_entry.principal ||
- (new_entry.vno > cur_entry.vno)) {
+ M(new_entry.vno) > M(cur_entry.vno)) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
} else {
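Review bot: The "highest kvno" choice depends on the order of entries in the keytab, because `kvno_offset` only becomes 128 once an entry above 240 has been read, while earlier comparisons have already discarded candidates using the raw values. With entries stored as 0, 240, 241 the loop keeps 241, but stored as 241, 240, 0 it keeps 0, so a superseded key can be returned for the same keytab contents. Deciding the offset in a pass over the matching entries before any comparison would make the result stable; the loop itself starts and ends outside this hunk. The single-letter macro `M` is also defined inside the function body and stays defined for the rest of the file, so an `#undef M` after the comparison would keep it local.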
@@ -108,8 +132,12 @@ krb5_ktfile_get_entry(context, id, principal, kvno, enctype, entry)
be one?), keep the new, and break out. Otherwise, remember
that we were here so we can return the right error, and
free the new */
+ /* Yuck. The krb5-1.2.x keytab format only stores one byte
+ for the kvno, so we're toast if the kvno requested is
+ higher than that. Short-term workaround: only compare
+ the low 8 bits. */
- if (new_entry.vno == kvno) {
+ if (new_entry.vno == (kvno & 0xff)) {
krb5_kt_free_entry(context, &cur_entry);
cur_entry = new_entry;
break;
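Review bot: Comparing against `kvno & 0xff` makes every requested version with the same low byte match the same stored entry, so a request for kvno 257 is satisfied by a stored key 1 even if that key was retired long ago. The entry that is returned keeps the 8-bit `vno`, so a caller that compares it with the kvno it asked for will see a mismatch. The comment should state both consequences, for example `/* NOTE: match is modulo 256; the returned vno is the stored 8-bit value, and old keys with the same low byte must be purged from the keytab. */`. The rest of the function is outside the hunk, so whether any caller does that comparison cannot be checked here.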
diff --git a/src/lib/krb5/keytab/ktfns.c b/src/lib/krb5/keytab/ktfns.c
new file mode 100644
index 0000000..5bd6b40
--- /dev/null
+++ b/src/lib/krb5/keytab/ktfns.c
@@ -0,0 +1,80 @@
+/*
+ * lib/krb5/keytab/ktfns.c
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
+/*
+ * Dispatch methods for keytab code.
+ */
+
+#include "krb5.h"
+#include "k5-int.h"
+
+char * KRB5_CALLCONV
+krb5_kt_get_type (krb5_context context, krb5_keytab keytab)
+{
+ return keytab->ops->prefix;
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_name(krb5_context context, krb5_keytab keytab, char *name,
+ unsigned int namelen)
+{
+ return krb5_x((keytab)->ops->get_name,(context, keytab,name,namelen));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_close(krb5_context context, krb5_keytab keytab)
+{
+ return krb5_x((keytab)->ops->close,(context, keytab));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_get_entry(krb5_context context, krb5_keytab keytab,
+ krb5_const_principal principal, krb5_kvno vno,
+ krb5_enctype enctype, krb5_keytab_entry *entry)
+{
+ return krb5_x((keytab)->ops->get,(context, keytab, principal, vno, enctype, entry));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_start_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->start_seq_get,(context, keytab, cursor));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_next_entry(krb5_context context, krb5_keytab keytab,
+ krb5_keytab_entry *entry, krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->get_next,(context, keytab, entry, cursor));
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_kt_end_seq_get(krb5_context context, krb5_keytab keytab,
+ krb5_kt_cursor *cursor)
+{
+ return krb5_x((keytab)->ops->end_get,(context, keytab, cursor));
+}
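Review bot: `krb5_kt_get_type` returns `keytab->ops->prefix` as a writable `char *`, which appears to point into the keytab type's shared ops table (the declaration is not visible here), so a caller that modifies or frees it would corrupt state shared by every keytab of that type. None of the new functions has a comment, and all of them dereference `keytab` and `keytab->ops` unchecked. A header comment on each should state the ownership and the precondition, for example `/* Returns the type prefix owned by the keytab's ops table; do not modify or free. keytab must be a resolved handle. */`. The unused `context` parameter in `krb5_kt_get_type` deserves a one-line comment too, so it is not mistaken for an oversight.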
diff --git a/src/lib/krb5/keytab/ktfr_entry.c b/src/lib/krb5/keytab/ktfr_entry.c
index ddccb17..abd5d4d 100644
--- a/src/lib/krb5/keytab/ktfr_entry.c
+++ b/src/lib/krb5/keytab/ktfr_entry.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
-krb5_kt_free_entry (context, entry)
+krb5_free_keytab_entry_contents (context, entry)
krb5_context context;
krb5_keytab_entry FAR *entry;
{
@@ -44,3 +44,11 @@ krb5_kt_free_entry (context, entry)
}
return 0;
}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_kt_free_entry (context, entry)
+ krb5_context context;
+ krb5_keytab_entry FAR *entry;
+{
+ return krb5_free_keytab_entry_contents (context, entry);
+}
diff --git a/src/lib/krb5/keytab/srvtab/ChangeLog b/src/lib/krb5/keytab/srvtab/ChangeLog
index a4157a0..8724b71 100644
--- a/src/lib/krb5/keytab/srvtab/ChangeLog
+++ b/src/lib/krb5/keytab/srvtab/ChangeLog
@@ -1,9 +1,17 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * kts_util.c: removed unused variable n
+
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * kts_g_ent.c (krb5_ktsrvtab_get_entry): If a specific DES enctype
+ was requested, set the key's enctype to it, instead of always
+ returning des-cbc-crc.
+
Fri Jan 28 19:53:44 2000 Ezra Peisach <epeisach@mit.edu>
* kts_g_ent.c, ktsrvtab.h (krb5_ktsrvtab_get_entry): Change the
third argument to krb5_const_principal (from krb5_principal) to
agree with krb5_kts_ops entries.
-
1999-10-26 Tom Yu <tlyu@mit.edu>
diff --git a/src/lib/krb5/keytab/srvtab/kts_g_ent.c b/src/lib/krb5/keytab/srvtab/kts_g_ent.c
index e422c38..0237241 100644
--- a/src/lib/krb5/keytab/srvtab/kts_g_ent.c
+++ b/src/lib/krb5/keytab/srvtab/kts_g_ent.c
@@ -65,6 +65,7 @@ krb5_ktsrvtab_get_entry(context, id, principal, kvno, enctype, entry)
best_entry.vno = 0;
best_entry.key.contents = 0;
while ((kerror = krb5_ktsrvint_read_entry(context, id, &ent)) == 0) {
+ ent.key.enctype = enctype;
if (krb5_principal_compare(context, principal, ent.principal)) {
if (kvno == IGNORE_VNO) {
if (!best_entry.principal || (best_entry.vno < ent.vno)) {
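Review bot: `ent.key.enctype = enctype;` runs for every entry read, before the principal comparison and with no test that a specific enctype was requested, although the ChangeLog entry describes the change as applying only "if a specific DES enctype was requested". If `enctype` can still be the wildcard `IGNORE_ENCTYPE` at this point (any earlier validation is outside the hunk), the key handed back is labelled with the wildcard value rather than des-cbc-crc. Guarding the assignment, `if (enctype != IGNORE_ENCTYPE) ent.key.enctype = enctype;`, would match the documented behaviour.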
diff --git a/src/lib/krb5/keytab/srvtab/kts_util.c b/src/lib/krb5/keytab/srvtab/kts_util.c
index d95aceb..35f4a16 100644
--- a/src/lib/krb5/keytab/srvtab/kts_util.c
+++ b/src/lib/krb5/keytab/srvtab/kts_util.c
@@ -62,7 +62,7 @@ read_field(fp, s, len)
char *s;
int len;
{
- int c, n = 0;
+ int c = 0;
while ((c = getc(fp)) != 0) {
if (c == EOF || len <= 1)
diff --git a/src/lib/krb5/krb/ChangeLog b/src/lib/krb5/krb/ChangeLog
index 59d8765..1cc8d59 100644
--- a/src/lib/krb5/krb/ChangeLog
+++ b/src/lib/krb5/krb/ChangeLog
@@ -1,3 +1,301 @@
+2003-04-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * gc_frm_kdc.c (krb5_get_cred_from_kdc_opt): Check principal name
+ length before examining components.
+
+ * parse.c (krb5_parse_name): Double-check principal name length
+ before filling in components.
+
+ * srv_rcache.c (krb5_get_server_rcache): Check for null pointer
+ supplied in place of name.
+
+ * unparse.c (krb5_unparse_name_ext): Don't move buffer pointer
+ backwards if nothing has been put into the buffer yet.
+
+2002-10-30 Tom Yu <tlyu@mit.edu>
+
+ * chk_trans.c (krb5_check_transited_list): Style nit: check
+ character against '\0' not NULL.
+ [pullup from trunk]
+
+2002-10-30 Sam Hartman <hartmans@mit.edu>
+
+ * chk_trans.c: Ignore trailing null in transited encoding; older
+ versions of MIT code included this.
+ [pullup from trunk]
+
+2002-08-12 Tom Yu <tlyu@mit.edu>
+
+ * unparse.c (krb5_unparse_name_ext): Error out if passed a NULL
+ pointer. Patch from Mark Levinson; fixes [krb5-admin/1140].
+ [pullup from trunk]
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * princ_comp.c (krb5_realm_compare), auth_con.c
+ (krb5_auth_con_setports, krb5_auth_con_getaddrs,
+ krb5_auth_con_initivector), addr_order.c (krb5_address_order),
+ addr_comp.c (krb5_address_compare): Make KRB5_CALLCONV.
+
+2002-04-03 Danilo Almeida <dalmeida@mit.edu>
+
+ * bld_princ.c (krb5_build_principal_va): Make
+ krb5_build_principal_va() KRB5_CALLCONV.
+
+2002-04-02 Sam Hartman <hartmans@mit.edu>
+
+ * init_keyblock.c: Merge from mainline
+
+2002-03-15 Sam Hartman <hartmans@mit.edu>
+
+ * walk_rtree.c (krb5_walk_realm_tree): Fix handling of null realms
+
+2002-03-14 Alexandra Ellwood <lxs@mit.edu>
+ * appdefault.c, get_in_tkt.c: made conf_yes and conf_no const to
+ improve load time on Mach-O
+
+2002-03-13 Sam Hartman <hartmans@mit.edu>
+
+ * rd_cred.c (krb5_rd_cred): Don't check IP addresses; improves
+ Heimdal compatibility.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * conv_princ.c: removed unused variable cpp to reduce warnings
+ * get_creds.c: removed unused variables fields and mcreds to
+ reduce warnings
+ * get_in_tkt.c: removed unused variables cpp and preauth_to_use
+ to reduce warnings
+ * init_ctx: fixed Mac OS macros
+ * parse.c: added type in to avoid "defaults to int" warning
+ * send_tgs.c: removed unused variable enclen
+
+2001-12-20 Ken Raeburn <raeburn@mit.edu>
+
+ * ser_actx.c (krb5_auth_context_externalize): Pass address of a
+ size_t, not a krb5_int32, to krb5_c_block_size.
+
+2001-11-29 Ken Raeburn <raeburn@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): If no session key has been set,
+ try getting credentials and use the session key type as a hint
+ for the enctype to use for the forwarded credentials.
+
+ 2001-11-24 Sam Hartman <hartmans@mit.edu>
+
+ * fwd_tgt.c (krb5_fwd_tgt_creds): Get a session key for the
+ forwarded tgt that is the same as the session key for the
+ auth_context. This is an enctype we know the remote side
+ supports.
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * rd_safe.c, rd_priv.c, rd_cred.c, preauth.c, mk_safe.c,
+ mk_cred.c, appdefault.c: use "" includes for krb5.h, k5-int.h and
+ syslog.h
+ * gic_pwd.c, sendauth.c, recvauth.c: com_err.h is already included by
+ k5-int.h. Removed #include because it was confusing the Mac OS X builds
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * chk_trans.c: Reimplemented from scratch.
+
+2001-01-30 Tom Yu <tlyu@mit.edu>
+
+ * preauth.c (krb5_obtain_padata): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+ * preauth2.c (krb5_do_preauth): Don't dereference a NULL pointer
+ if we receive an empty ETYPE_INFO preauth. [krb5-libs/903 from
+ craziboy77@hotmail.com]
+
+2001-01-30 Ezra Peisach <epeisach@mit.edu>
+
+ * rd_req_dec.c (krb5_rd_req_decrypt_tkt_part): Free
+ krb5_keytab_entry if call to krb5_decrypt_tkt_part()
+ fails. [krb5-libs/855 reported by guy@packeteer.com]
+
+2001-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * mk_safe.c (krb5_mk_safe): Only use safe_cksumtype from the
+ auth_context (derived from the config file or hardcoded default)
+ if it's suitable for the enctype of the key we're going to use.
+
+2001-01-29 Alexandra Ellwood <lxs@mit.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Fixed strncmp bug where principals
+ which are left substrings of "changepw" were being remapped into "changepw".
+ Added length check to if() statement.
+
+2001-01-29 Ken Raeburn <raeburn@mit.edu>
+
+ * preauth2.c (pa_sam): Check for a null prompter function pointer,
+ and return an error for that case rather than crashing.
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_ctx.c: Added #defines for Mac OS X (__MACH__)
+
+2000-06-29 Tom Yu <tlyu@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): NULL, not nil.
+
+2000-06-28 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Fixed a memory leak
+
+2000-06-17 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Fixed v4->v5 realm
+ name conversion
+
+2000-06-17 Miro Jurisic <meeroh@mit.edu>
+
+ * conv_princ.c (krb5_425_conv_principal): Honor v4/v5 realm name
+ differences when convertion from v4 principals to v5.
+
+2000-06-07 Tom Yu <tlyu@mit.edu>
+
+ * get_creds.c (krb5_get_credentials): Translate KRB5_CC_NOTFOUND
+ returned from krb5_get_cred_from_kdc() if a prior call to
+ krb5_cc_retrieve_cred() returned KRB5_CC_NOT_KTYPE.
+
+2000-06-03 Tom Yu <tlyu@mit.edu>
+
+ * rd_priv.c (krb5_rd_priv_basic): Delete code that was incorrectly
+ doing explicit ivec chaining; c_decrypt() does it now.
+
+ * mk_priv.c (krb5_mk_priv_basic): Delete code that was incorrectly
+ doing explicit ivec chaining; c_encrypt() does it now.
+
+2000-06-03 Ken Raeburn <raeburn@mit.edu>
+
+ * get_in_tkt.c (krb5_get_in_tkt): If enctypes are specified, send
+ the server the intersection of that list and the supported types,
+ in the order requested.
+
+2000-06-02 Danilo Almeida <dalmeida@mit.edu>
+
+ * init_ctx.c (krb5_get_tgs_ktypes, krb5_free_ktypes): Fix linkage to
+ be KRB5_CALLCONV.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * recvauth.c (krb5_recvauth_version): New routine, takes a
+ krb5_data in which to store the client's application version
+ string.
+ (recvauth_common): Renamed from krb5_recvauth, added above
+ functionality depending on extra argument values.
+ (krb5_recvauth): New stub, calls above routine with extra dummy
+ values.
+
+2000-5-19 Alexandra Ellwood <lxs@mit.edu>
+
+ * sendauth.c, fwd_tgt.c: Changed to use krb5int_cc_default. This function
+ supports the Kerberos Login Library and pops up a dialog if the cache does
+ not contain valid tickets. This is used to automatically get a tgt before
+ obtaining service tickets. Note that this should be an internal function
+ because callers don't expect krb5_cc_default to pop up a dialog!
+ (We found this out the hard way :-)
+
+2000-05-16 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * conv_princ.c (krb5_524_conv_principal): Return an error if name
+ is too long. Use memcpy for character data since we already know
+ the length.
+
+2000-05-16 Ken Raeburn <raeburn@mit.edu>
+
+ * kfree.c: Remove unneeded "return" statements at the end of many
+ functions.
+ (krb5_free_*_content, krb5_free_*_contents,
+ krb5_free_cred_enc_part, krb5_free_pwd_sequences): Set freed
+ pointer members to null when containing structure isn't being
+ freed.
+
+2000-05-16 Tom Yu <tlyu@mit.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Make a copy of the krb5
+ realm that is nul-terminated to avoid falling off the end of the
+ krb5 realm, which is not necessarily nul-terminated.
+
+2000-05-16 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kfree.c (krb5_free_keyblock_contents): Set contents pointer to
+ null after freeing.
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * Added new source file appdefault.c
+ Implements new public functions
+
+ krb5_appdefault_string
+ krb5_appdefault_boolean
+
+2000-05-12 Ken Raeburn <raeburn@mit.edu>
+
+ * t_kerb.c (test_524_conv_principal): New test code, to exercise
+ yesterday's code addition.
+ (main, usage): Updated.
+ * t_krb5.conf: Added stanford.edu->IR.STANFORD.EDU mapping, and a
+ test case for improperly long v4 realm names.
+ * Makefile.in (check-unix): Run 524 conversion test for some test
+ Athena and Stanford names.
+ * t_ref_kerb.out: Updated.
+
+ * init_ctx.c (init_common): Feed current-microsecond time and
+ process-id into PRNG, instead of just current-second time.
+ * mk_req_ext.c (krb5_mk_req_extended): Feed current time into
+ PRNG if a subkey will be generated.
+ * sendauth.c (krb5_sendauth): Feed local and remote addresses of
+ socket, if they can be determined, into the PRNG if a subkey will
+ be used.
+
+2000-05-11 Ken Raeburn <raeburn@mit.edu>
+ Booker C. Bense <bbense@networking.stanford.edu>
+
+ * conv_princ.c (krb5_524_conv_principal): Look up v4_realm in
+ config file, in case site's krb4 realm name isn't the same as the
+ krb5 realm name.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * chk_trans.c (krb5_check_transited_list): Don't overflow buffers
+ "prev" and "next".
+ * conv_princ.c (krb5_425_conv_principal): Don't overflow buffer
+ "buf".
+
+2000-04-28 Alexandra Ellwood <lxs@mit.edu>
+
+ * gic_pwd.c (krb5_init_creds_password) added code to return to
+ login library if the password is expired (login library handles
+ this error appropriately).
+
+2000-04-18 Ken Raeburn <raeburn@mit.edu>
+
+ * init_ctx.c (krb5_free_ktypes): New routine, to free values
+ returned by krb5_get_tgs_ktypes, krb5_get_permitted_enctypes, and
+ krb5_get_default_in_tkt_ktypes.
+ (krb5_set_default_tgs_ktypes, krb5_is_permitted_enctype): Use it.
+ (get_profile_etype_list): Use passed-in enctype list if the
+ passed-in count is non-zero, instead of checking the
+ in_tkt_ktype_count value in the context.
+
+2000-04-08 Tom Yu <tlyu@mit.edu>
+
+ * vfy_increds.c (krb5_verify_init_creds): appdefault_boolean ->
+ libdefault_boolean; it somehow got missed earlier.
+
+2000-04-07 Jeffrey Altman <jaltman@columbia.edu>
+
+ * gic_pwd.c (krb5_get_init_creds_keytab), gic_pwd.c
+ (krb5_get_init_creds_password) when determining whether or not to
+ retry with a "master kdc" do not retry if the return value from
+ the first attempt was KRB5_REALM_CANT_RESOLV. Also, do not
+ overwrite the return code if the return value from the access to
+ the "master kdc" was KRB5_REALM_CANT_RESOLV.
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* init_ctx.c (init_common), gic_pwd.c (krb5_get_as_key_password,
diff --git a/src/lib/krb5/krb/Makefile.in b/src/lib/krb5/krb/Makefile.in
index ba76662..484cd39 100644
--- a/src/lib/krb5/krb/Makefile.in
+++ b/src/lib/krb5/krb/Makefile.in
@@ -15,6 +15,7 @@ STLIBOBJS= \
addr_comp.o \
addr_order.o \
addr_srch.o \
+ appdefault.o \
auth_con.o \
bld_pr_ext.o \
bld_princ.o \
@@ -52,6 +53,7 @@ STLIBOBJS= \
in_tkt_pwd.o \
in_tkt_sky.o \
init_ctx.o \
+ init_keyblock.o \
kdc_rep_dc.o \
kfree.o \
mk_cred.o \
@@ -99,6 +101,7 @@ STLIBOBJS= \
OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)addr_order.$(OBJEXT) \
$(OUTPRE)addr_srch.$(OBJEXT) \
+ $(OUTPRE)appdefault.$(OBJEXT) \
$(OUTPRE)auth_con.$(OBJEXT) \
$(OUTPRE)bld_pr_ext.$(OBJEXT) \
$(OUTPRE)bld_princ.$(OBJEXT) \
@@ -136,6 +139,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
$(OUTPRE)in_tkt_pwd.$(OBJEXT) \
$(OUTPRE)in_tkt_sky.$(OBJEXT) \
$(OUTPRE)init_ctx.$(OBJEXT) \
+ $(OUTPRE)init_keyblock.$(OBJEXT) \
$(OUTPRE)kdc_rep_dc.$(OBJEXT) \
$(OUTPRE)kfree.$(OBJEXT) \
$(OUTPRE)mk_cred.$(OBJEXT) \
@@ -183,6 +187,7 @@ OBJS= $(OUTPRE)addr_comp.$(OBJEXT) \
SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/addr_order.c \
$(srcdir)/addr_srch.c \
+ $(srcdir)/appdefault.c \
$(srcdir)/auth_con.c \
$(srcdir)/bld_pr_ext.c \
$(srcdir)/bld_princ.c \
@@ -221,6 +226,7 @@ SRCS= $(srcdir)/addr_comp.c \
$(srcdir)/in_tkt_pwd.c \
$(srcdir)/in_tkt_sky.c \
$(srcdir)/init_ctx.c \
+ $(srcdir)/init_keyblock.c \
$(srcdir)/kdc_rep_dc.c \
$(srcdir)/kfree.c \
$(srcdir)/mk_cred.c \
@@ -324,6 +330,8 @@ check-unix:: $(TEST_PROGS)
425_conv_principal rcmd uunet UU.NET \
425_conv_principal zephyr zephyr ATHENA.MIT.EDU \
425_conv_principal kadmin ATHENA.MIT.EDU ATHENA.MIT.EDU \
+ 524_conv_principal host/e40-po.mit.edu@ATHENA.MIT.EDU \
+ 524_conv_principal host/foobar.stanford.edu@stanford.edu \
set_realm marc@MIT.EDU CYGNUS.COM \
> test.out
cmp test.out $(srcdir)/t_ref_kerb.out
diff --git a/src/lib/krb5/krb/addr_comp.c b/src/lib/krb5/krb/addr_comp.c
index 587bd5f..f9e10bb 100644
--- a/src/lib/krb5/krb/addr_comp.c
+++ b/src/lib/krb5/krb/addr_comp.c
@@ -32,7 +32,7 @@
/*
* If the two addresses are the same, return TRUE, else return FALSE
*/
-krb5_boolean
+krb5_boolean KRB5_CALLCONV
krb5_address_compare(context, addr1, addr2)
krb5_context context;
krb5_const krb5_address *addr1;
diff --git a/src/lib/krb5/krb/addr_order.c b/src/lib/krb5/krb/addr_order.c
index 800fa2b..2598205 100644
--- a/src/lib/krb5/krb/addr_order.c
+++ b/src/lib/krb5/krb/addr_order.c
@@ -37,7 +37,7 @@
* Return an ordering on two addresses: 0 if the same,
* < 0 if first is less than 2nd, > 0 if first is greater than 2nd.
*/
-int
+int KRB5_CALLCONV
krb5_address_order(context, addr1, addr2)
krb5_context context;
register krb5_const krb5_address *addr1;
diff --git a/src/lib/krb5/krb/appdefault.c b/src/lib/krb5/krb/appdefault.c
new file mode 100644
index 0000000..65a9459
--- /dev/null
+++ b/src/lib/krb5/krb/appdefault.c
@@ -0,0 +1,183 @@
+/*
+ * appdefault - routines designed to be called from applications to
+ * handle the [appdefaults] profile section
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include "k5-int.h"
+
+
+
+ /*xxx Duplicating this is annoying; try to work on a better way.*/
+static const char *conf_yes[] = {
+ "y", "yes", "true", "t", "1", "on",
+ 0,
+};
+
+static const char *conf_no[] = {
+ "n", "no", "false", "nil", "0", "off",
+ 0,
+};
+
+static int conf_boolean(s)
+ char *s;
+{
+ char **p;
+ for(p=conf_yes; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 1;
+ }
+ for(p=conf_no; *p; p++) {
+ if (!strcasecmp(*p,s))
+ return 0;
+ }
+ /* Default to "no" */
+ return 0;
+}
+
+static krb5_error_code appdefault_get(context, appname, realm, option,
+ ret_value)
+ krb5_context context;
+ const char *appname, *option;
+ const krb5_data *realm;
+ char **ret_value;
+{
+ profile_t profile;
+ const char *names[5];
+ char **nameval = NULL;
+ krb5_error_code retval;
+ const char * realmstr = realm?realm->data:NULL;
+
+ if (!context || (context->magic != KV5M_CONTEXT))
+ return KV5M_CONTEXT;
+
+ profile = context->profile;
+
+ /*
+ * Try number one:
+ *
+ * [appdefaults]
+ * app = {
+ * SOME.REALM = {
+ * option = <boolean>
+ * }
+ * }
+ */
+
+ names[0] = "appdefaults";
+ names[1] = appname;
+
+ if (realmstr) {
+ names[2] = realmstr;
+ names[3] = option;
+ names[4] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number two:
+ *
+ * [appdefaults]
+ * app = {
+ * option = <boolean>
+ * }
+ */
+
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+
+ /*
+ * Try number three:
+ *
+ * [appdefaults]
+ * realm = {
+ * option = <boolean>
+ */
+
+ if (realmstr) {
+ names[1] = realmstr;
+ names[2] = option;
+ names[3] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ goto goodbye;
+ }
+ }
+
+ /*
+ * Try number four:
+ *
+ * [appdefaults]
+ * option = <boolean>
+ */
+
+ names[1] = option;
+ names[2] = 0;
+ retval = profile_get_values(profile, names, &nameval);
+ if (retval == 0 && nameval && nameval[0]) {
+ *ret_value = strdup(nameval[0]);
+ } else {
+ return retval;
+ }
+
+goodbye:
+ if (nameval) {
+ char **cpp;
+ for (cpp = nameval; *cpp; cpp++)
+ free(*cpp);
+ free(nameval);
+ }
+ return 0;
+}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_boolean(context, appname, realm, option,
+ default_value, ret_value)
+ krb5_context context;
+ const char *appname, *option;
+ const krb5_data *realm;
+ int default_value;
+ int *ret_value;
+{
+ char *string = NULL;
+ krb5_error_code retval;
+
+ retval = appdefault_get(context, appname, realm, option, &string);
+
+ if (! retval && string) {
+ *ret_value = conf_boolean(string);
+ free(string);
+ } else
+ *ret_value = default_value;
+}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_appdefault_string(context, appname, realm, option, default_value,
+ ret_value)
+ krb5_context context;
+ const char *appname, *option, *default_value;
+ char **ret_value;
+ const krb5_data *realm;
+ {
+ krb5_error_code retval;
+ char *string;
+
+ retval = appdefault_get(context, appname, realm, option, &string);
+
+ if (! retval && string) {
+ *ret_value = string;
+ } else {
+ *ret_value = strdup(default_value);
+ }
+}
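Review bot: In `appdefault_get`, `realm->data` is used directly as a C string (`realmstr`) in the `names[]` array passed to `profile_get_values`, but a `krb5_data` carries an explicit length and, as the ChangeLog on this page notes for `conv_princ.c`, a krb5 realm is not necessarily NUL-terminated, so the lookup can read past the end of the realm buffer. Copying `realm->length` bytes into a terminated buffer first avoids that, as shown in the fence below. Separately, `krb5_appdefault_string` leaves `string` uninitialised where `krb5_appdefault_boolean` uses `char *string = NULL;`. The `strdup` results, including `strdup(default_value)` when the default is NULL, are not checked either.

```c
    krb5_error_code retval;
    char *realmstr = NULL;

    if (!context || (context->magic != KV5M_CONTEXT))
        return KV5M_CONTEXT;

    /* krb5_data is length-counted; build a NUL-terminated copy for the
       profile lookup instead of trusting realm->data to be terminated. */
    if (realm && realm->data) {
        realmstr = malloc(realm->length + 1);
        if (!realmstr)
            return ENOMEM;
        memcpy(realmstr, realm->data, realm->length);
        realmstr[realm->length] = '\0';
    }

    /* … unchanged: tries one to three … */

    /* try four: release the copy on the not-found path as well */
    } else {
        free(realmstr);
        return retval;
    }

goodbye:
    free(realmstr);
    /* … unchanged: nameval cleanup and return 0 … */
```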
diff --git a/src/lib/krb5/krb/auth_con.c b/src/lib/krb5/krb/auth_con.c
index 335f7ae..f80a167 100644
--- a/src/lib/krb5/krb/auth_con.c
+++ b/src/lib/krb5/krb/auth_con.c
@@ -109,7 +109,7 @@ krb5_auth_con_setaddrs(context, auth_context, local_addr, remote_addr)
return retval;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_getaddrs(context, auth_context, local_addr, remote_addr)
krb5_context context;
krb5_auth_context auth_context;
@@ -132,7 +132,7 @@ krb5_auth_con_getaddrs(context, auth_context, local_addr, remote_addr)
return retval;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_setports(context, auth_context, local_port, remote_port)
krb5_context context;
krb5_auth_context auth_context;
@@ -270,7 +270,7 @@ krb5_auth_con_getremoteseqnumber(context, auth_context, seqnumber)
return 0;
}
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_auth_con_initivector(context, auth_context)
krb5_context context;
krb5_auth_context auth_context;
diff --git a/src/lib/krb5/krb/bld_princ.c b/src/lib/krb5/krb/bld_princ.c
index bf49105..34b50c0 100644
--- a/src/lib/krb5/krb/bld_princ.c
+++ b/src/lib/krb5/krb/bld_princ.c
@@ -37,6 +37,7 @@
#endif
krb5_error_code
+KRB5_CALLCONV
krb5_build_principal_va(context, princ, rlen, realm, ap)
krb5_context context;
krb5_principal princ;
diff --git a/src/lib/krb5/krb/chk_trans.c b/src/lib/krb5/krb/chk_trans.c
index c2ac716..9fe73c8 100644
--- a/src/lib/krb5/krb/chk_trans.c
+++ b/src/lib/krb5/krb/chk_trans.c
@@ -1,12 +1,14 @@
/*
- * Copyright (c) 1994 CyberSAFE Corporation.
- * All rights reserved.
+ * lib/krb5/krb/chk_trans.c
+ *
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
*
* Export of this software from the United States of America may
* require a specific license from the United States Government.
* It is the responsibility of any person or organization contemplating
* export to obtain such a license before exporting.
- *
+ *
* WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
* distribute this software and its documentation for any purpose and
* without fee is hereby granted, provided that the above copyright
@@ -14,97 +16,426 @@
* this permission notice appear in supporting documentation, and that
* the name of M.I.T. not be used in advertising or publicity pertaining
* to distribution of the software without specific, written prior
- * permission. Neither M.I.T., the Open Computing Security Group, nor
- * CyberSAFE Corporation make any representations about the suitability of
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
* this software for any purpose. It is provided "as is" without express
* or implied warranty.
+ *
+ *
+ * krb5_check_transited_list()
*/
-
#include "k5-int.h"
-#include <stdio.h>
+#include <stdarg.h>
-#define MAX_REALM_LN 500
+#if defined (TEST) || defined (TEST2)
+# undef DEBUG
+# define DEBUG
+#endif
-krb5_error_code
-krb5_check_transited_list(context, trans, realm1, realm2)
- krb5_context context;
-krb5_data *trans;
-krb5_data *realm1;
-krb5_data *realm2;
+#ifdef DEBUG
+#define verbose krb5int_chk_trans_verbose
+static int verbose = 0;
+# define Tprintf(ARGS) if (verbose) printf ARGS
+#else
+# define Tprintf(ARGS) (void)(0)
+#endif
+
+#define MAXLEN 512
+
+static krb5_error_code
+process_intermediates (krb5_error_code (*fn)(krb5_data *, void *), void *data,
+ const krb5_data *n1, const krb5_data *n2) {
+ unsigned int len1, len2, i;
+ char *p1, *p2;
+
+ Tprintf (("process_intermediates(%.*s,%.*s)\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+
+ len1 = n1->length;
+ len2 = n2->length;
+
+ Tprintf (("(walking intermediates now)\n"));
+ /* Simplify... */
+ if (len1 > len2) {
+ const krb5_data *p;
+ int tmp = len1;
+ len1 = len2;
+ len2 = tmp;
+ p = n1;
+ n1 = n2;
+ n2 = p;
+ }
+ /* Okay, now len1 is always shorter or equal. */
+ if (len1 == len2) {
+ if (memcmp (n1->data, n2->data, len1)) {
+ Tprintf (("equal length but different strings in path: '%.*s' '%.*s'\n",
+ (int) n1->length, n1->data, (int) n2->length, n2->data));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
+ }
+ /* Now len1 is always shorter. */
+ if (len1 == 0)
+ /* Shouldn't be possible. Internal error? */
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ p1 = n1->data;
+ p2 = n2->data;
+ if (p1[0] == '/') {
+ /* X.500 style names, with common prefix. */
+ if (p2[0] != '/') {
+ Tprintf (("mixed name formats in path: x500='%.*s' domain='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2, len1)) {
+ Tprintf (("x500 names with different prefixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len1 + 1; i < len2; i++)
+ if (p2[i] == '/') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2;
+ d.length = i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ } else {
+ /* Domain style names, with common suffix. */
+ if (p2[0] == '/') {
+ Tprintf (("mixed name formats in path: domain='%.*s' x500='%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ if (memcmp (p1, p2 + (len2 - len1), len1)) {
+ Tprintf (("domain names with different suffixes '%.*s' '%.*s'\n",
+ (int) len1, p1, (int) len2, p2));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ for (i = len2 - len1 - 1; i > 0; i--) {
+ Tprintf (("looking at '%.*s'\n", (int) (len2 - i), p2+i));
+ if (p2[i-1] == '.') {
+ krb5_data d;
+ krb5_error_code r;
+
+ d.data = p2+i;
+ d.length = len2 - i;
+ r = (*fn) (&d, data);
+ if (r)
+ return r;
+ }
+ }
+ }
+ Tprintf (("(end intermediates)\n"));
+ return 0;
+}
+
+static krb5_error_code
+maybe_join (krb5_data *last, krb5_data *buf, int bufsiz)
+{
+ if (buf->length == 0)
+ return 0;
+ if (buf->data[0] == '/') {
+ if (last->length + buf->length > bufsiz) {
+ Tprintf (("too big: last=%d cur=%d max=%d\n", last->length, buf->length, bufsiz));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memmove (buf->data+last->length, buf->data, buf->length);
+ memcpy (buf->data, last->data, last->length);
+ buf->length += last->length;
+ } else if (buf->data[buf->length-1] == '.') {
+ /* We can ignore the case where the previous component was
+ empty; the strcat will be a no-op. It should probably
+ be an error case, but let's be flexible. */
+ if (last->length+buf->length > bufsiz) {
+ Tprintf (("too big\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ memcpy (buf->data + buf->length, last->data, last->length);
+ buf->length += last->length;
+ }
+ /* Otherwise, do nothing. */
+ return 0;
+}
+
+/* The input strings cannot contain any \0 bytes, according to the
+ spec, but our API is such that they may not be \0 terminated
+ either. Thus we keep on treating them as krb5_data objects instead
+ of C strings. */
+static krb5_error_code
+foreach_realm (krb5_error_code (*fn)(krb5_data *comp,void *data), void *data,
+ const krb5_data *crealm, const krb5_data *srealm,
+ const krb5_data *transit)
+{
+ char buf[MAXLEN], last[MAXLEN];
+ char *p, *bufp;
+ int next_lit, intermediates, l;
+ krb5_data this_component;
+ krb5_error_code r;
+ krb5_data last_component;
+
+ /* Invariants:
+ - last_component points to last[]
+ - this_component points to buf[]
+ - last_component has length of last
+ - this_component has length of buf when calling out
+ Keep these consistent, and we should be okay. */
+
+ next_lit = 0;
+ intermediates = 0;
+ memset (buf, 0, sizeof (buf));
+
+ this_component.data = buf;
+ last_component.data = last;
+ last_component.length = 0;
+
+#define print_data(fmt,d) Tprintf((fmt,(int)(d)->length,(d)->data))
+ print_data ("client realm: %.*s\n", crealm);
+ print_data ("server realm: %.*s\n", srealm);
+ print_data ("transit enc.: %.*s\n", transit);
+
+ if (transit->length == 0) {
+ Tprintf (("no other realms transited\n"));
+ return 0;
+ }
+
+ bufp = buf;
+ for (p = transit->data, l = transit->length; l; p++, l--) {
+ if (next_lit) {
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ next_lit = 0;
+ } else if (*p == '\\') {
+ next_lit = 1;
+ } else if (*p == ',') {
+ if (bufp != buf) {
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates) {
+ if (p == transit->data)
+ r = process_intermediates (fn, data,
+ &this_component, crealm);
+ else {
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r)
+ return r;
+ }
+ intermediates = 0;
+ memcpy (last, buf, sizeof (buf));
+ last_component.length = this_component.length;
+ memset (buf, 0, sizeof (buf));
+ bufp = buf;
+ } else {
+ intermediates = 1;
+ if (p == transit->data) {
+ if (crealm->length >= MAXLEN)
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ memcpy (last, crealm->data, crealm->length);
+ last[crealm->length] = '\0';
+ last_component.length = crealm->length;
+ }
+ }
+ } else if (*p == ' ' && bufp == buf) {
+ /* This next component stands alone, even if it has a
+ trailing dot or leading slash. */
+ memset (last, 0, sizeof (last));
+ last_component.length = 0;
+ } else {
+ /* Not a special character; literal. */
+ *bufp++ = *p;
+ if (bufp == buf+sizeof(buf))
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+ }
+ }
+ /* At end. Must be normal state. */
+ if (next_lit)
+ Tprintf (("ending in next-char-literal state\n"));
+ /* Process trailing element or comma. */
+ if (bufp == buf) {
+ /* Trailing comma. */
+ r = process_intermediates (fn, data, &last_component, srealm);
+ } else {
+ /* Trailing component. */
+ this_component.length = bufp - buf;
+ r = maybe_join (&last_component, &this_component, sizeof(buf));
+ if (r)
+ return r;
+ r = (*fn) (&this_component, data);
+ if (r)
+ return r;
+ if (intermediates)
+ r = process_intermediates (fn, data, &this_component,
+ &last_component);
+ }
+ if (r != 0)
+ return r;
+ return 0;
+}
+
+
+struct check_data {
+ krb5_context ctx;
+ krb5_principal *tgs;
+};
+
+static int
+same_data (krb5_data *d1, krb5_data *d2)
{
- char prev[MAX_REALM_LN+1];
- char next[MAX_REALM_LN+1];
- char *nextp;
- int i, j;
- int trans_length;
- krb5_error_code retval = 0;
- krb5_principal *tgs_list;
-
- if (trans == NULL || trans->data == NULL || trans->length == 0)
- return(0);
- trans_length = trans->data[trans->length-1] ?
- trans->length : trans->length - 1;
-
- for (i = 0; i < trans_length; i++)
- if (trans->data[i] == '\0') {
- /* Realms may not contain ASCII NUL character. */
- return(KRB5KRB_AP_ERR_ILL_CR_TKT);
+ return (d1->length == d2->length
+ && !memcmp (d1->data, d2->data, d1->length));
+}
+
+static krb5_error_code
+check_realm_in_list (krb5_data *realm, void *data)
+{
+ struct check_data *cdata = data;
+ int i;
+
+ Tprintf ((".. checking '%.*s'\n", (int) realm->length, realm->data));
+ for (i = 0; cdata->tgs[i]; i++) {
+ if (same_data (krb5_princ_realm (cdata->ctx, cdata->tgs[i]), realm))
+ return 0;
}
+ Tprintf (("BAD!\n"));
+ return KRB5KRB_AP_ERR_ILL_CR_TKT;
+}
+
+krb5_error_code
+krb5_check_transited_list (krb5_context ctx, const krb5_data *trans_in,
+ const krb5_data *crealm, const krb5_data *srealm)
+{
+ krb5_data trans;
+ struct check_data cdata;
+ krb5_error_code r;
- if ((retval = krb5_walk_realm_tree(context, realm1, realm2, &tgs_list,
- KRB5_REALM_BRANCH_CHAR))) {
- return(retval);
- }
-
- memset(prev, 0, MAX_REALM_LN + 1);
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- for (i = 0; i < trans_length; i++) {
- if (i < trans_length-1 && trans->data[i] == '\\') {
- i++;
- *nextp++ = trans->data[i];
- if (nextp - next > MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
+ trans.length = trans_in->length;
+ trans.data = (char *) trans_in->data;
+ if (trans.length && (trans.data[trans.length-1] == '\0'))
+ trans.length--;
+
+ Tprintf (("krb5_check_transited_list(trans=\"%.*s\", crealm=\"%.*s\", srealm=\"%.*s\")\n",
+ (int) trans.length, trans.data,
+ (int) crealm->length, crealm->data,
+ (int) srealm->length, srealm->data));
+ if (trans.length == 0)
+ return 0;
+ r = krb5_walk_realm_tree (ctx, crealm, srealm, &cdata.tgs,
+ KRB5_REALM_BRANCH_CHAR);
+ if (r) {
+ Tprintf (("error %ld\n", (long) r));
+ return r;
+ }
+#ifdef DEBUG /* avoid compiler warning about 'd' unused */
+ {
+ int i;
+ Tprintf (("tgs list = {\n"));
+ for (i = 0; cdata.tgs[i]; i++) {
+ char *name;
+ r = krb5_unparse_name (ctx, cdata.tgs[i], &name);
+ Tprintf (("\t'%s'\n", name));
+ free (name);
+ }
+ Tprintf (("}\n"));
}
- if (i < trans_length && trans->data[i] != ',') {
- *nextp++ = trans->data[i];
- if (nextp - next > MAX_REALM_LN) {
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- goto finish;
- }
- continue;
+#endif
+ cdata.ctx = ctx;
+ r = foreach_realm (check_realm_in_list, &cdata, crealm, srealm, &trans);
+ krb5_free_realm_tree (ctx, cdata.tgs);
+ return r;
+}
+
+#ifdef TEST
+
+static krb5_error_code
+print_a_realm (krb5_data *realm, void *data)
+{
+ printf ("%.*s\n", (int) realm->length, realm->data);
+ return 0;
+}
+
+int main (int argc, char *argv[]) {
+ const char *me;
+ krb5_data crealm, srealm, transit;
+ krb5_error_code r;
+ int expand_only = 0;
+
+ me = strrchr (argv[0], '/');
+ me = me ? me+1 : argv[0];
+
+ while (argc > 3 && argv[1][0] == '-') {
+ if (!strcmp ("-v", argv[1]))
+ verbose++, argc--, argv++;
+ else if (!strcmp ("-x", argv[1]))
+ expand_only++, argc--, argv++;
+ else
+ goto usage;
}
- if (strlen(next) > 0) {
- if (next[0] != '/') {
- if (*(nextp-1) == '.' && strlen(next) + strlen(prev) <= MAX_REALM_LN)
- strcat(next, prev);
- retval = KRB5KRB_AP_ERR_ILL_CR_TKT;
- for (j = 0; tgs_list[j]; j++) {
- if (strlen(next) == (size_t) krb5_princ_realm(context, tgs_list[j])->length &&
- !memcmp(next, krb5_princ_realm(context, tgs_list[j])->data,
- strlen(next))) {
- retval = 0;
- break;
- }
- }
- if (retval) goto finish;
- }
- if (i+1 < trans_length && trans->data[i+1] == ' ') {
- i++;
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- continue;
- }
- if (i+1 < trans_length && trans->data[i+1] != '/') {
- strcpy(prev, next);
- memset(next, 0, MAX_REALM_LN + 1), nextp = next;
- continue;
- }
+
+ if (argc != 4) {
+ usage:
+ printf ("usage: %s [-v] [-x] clientRealm serverRealm transitEncoding\n",
+ me);
+ return 1;
}
- }
-finish:
- krb5_free_realm_tree(context, tgs_list);
- return(retval);
+ crealm.data = argv[1];
+ crealm.length = strlen(argv[1]);
+ srealm.data = argv[2];
+ srealm.length = strlen(argv[2]);
+ transit.data = argv[3];
+ transit.length = strlen(argv[3]);
+
+ if (expand_only) {
+
+ printf ("client realm: %s\n", argv[1]);
+ printf ("server realm: %s\n", argv[2]);
+ printf ("transit enc.: %s\n", argv[3]);
+
+ if (argv[3][0] == 0) {
+ printf ("no other realms transited\n");
+ return 0;
+ }
+
+ r = foreach_realm (print_a_realm, NULL, &crealm, &srealm, &transit);
+ if (r)
+ printf ("--> returned error %ld\n", (long) r);
+ return r != 0;
+
+ } else {
+
+ /* Actually check the values against the supplied krb5.conf file. */
+ krb5_context ctx;
+ r = krb5_init_context (&ctx);
+ if (r) {
+ com_err (me, r, "initializing krb5 context");
+ return 1;
+ }
+ r = krb5_check_transited_list (ctx, &transit, &crealm, &srealm);
+ if (r == KRB5KRB_AP_ERR_ILL_CR_TKT) {
+ printf ("NO\n");
+ } else if (r == 0) {
+ printf ("YES\n");
+ } else {
+ printf ("kablooey!\n");
+ com_err (me, r, "checking transited-realm list");
+ return 1;
+ }
+ return 0;
+ }
}
+
+#endif /* TEST */
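Review bot: In foreach_realm, a transited encoding that ends in a backslash is only logged (`if (next_lit) Tprintf (...)`), even though the comment just above says the parser must be back in the normal state at the end. Because this field is taken from the ticket, I would reject the malformed input rather than accept it as if the escape were absent: `if (next_lit) return KRB5KRB_AP_ERR_ILL_CR_TKT;`. Separately, the domain-style branch of process_intermediates compares only the trailing `len1` bytes and never checks that `p2[len2 - len1 - 1]` is a `.`, so a suffix match that falls in the middle of a label is treated as a common ancestor. The expanded realms are still passed to the callback, which limits the impact when the callback is check_realm_in_list, but an explicit boundary check would make the intent clear.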
diff --git a/src/lib/krb5/krb/conv_princ.c b/src/lib/krb5/krb/conv_princ.c
index b90289a..e7aab77 100644
--- a/src/lib/krb5/krb/conv_princ.c
+++ b/src/lib/krb5/krb/conv_princ.c
@@ -137,7 +137,8 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
{
const struct krb_convert *p;
krb5_data *compo;
- char *c;
+ char *c, *tmp_realm, *tmp_prealm;
+ int tmp_realm_len, retval;
*name = *inst = '\0';
switch (krb5_princ_size(context, princ)) {
@@ -146,19 +147,24 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 0);
p = sconv_list;
while (p->v4_str) {
- if (strncmp(p->v5_str, compo->data, compo->length) == 0) {
- /* It is, so set the new name now, and chop off */
- /* instance's domain name if requested */
- strcpy(name, p->v4_str);
- if (p->flags & DO_REALM_CONVERSION) {
- compo = krb5_princ_component(context, princ, 1);
- c = strnchr(compo->data, '.', compo->length);
- if (!c || (c - compo->data) > INST_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(inst, compo->data, c - compo->data);
- inst[c - compo->data] = '\0';
- }
- break;
+ if (strncmp(p->v5_str, compo->data, compo->length) == 0 &&
+ strlen(p->v5_str) == compo->length) {
+ /*
+ * It is, so set the new name now, and chop off
+ * instance's domain name if requested.
+ */
+ if (strlen (p->v4_str) > ANAME_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strcpy(name, p->v4_str);
+ if (p->flags & DO_REALM_CONVERSION) {
+ compo = krb5_princ_component(context, princ, 1);
+ c = strnchr(compo->data, '.', compo->length);
+ if (!c || (c - compo->data) >= INST_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ memcpy(inst, compo->data, c - compo->data);
+ inst[c - compo->data] = '\0';
+ }
+ break;
}
p++;
}
@@ -168,7 +174,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 1);
if (compo->length >= INST_SZ - 1)
return KRB5_INVALID_PRINCIPAL;
- strncpy(inst, compo->data, compo->length);
+ memcpy(inst, compo->data, compo->length);
inst[compo->length] = '\0';
}
/* fall through */
@@ -178,7 +184,7 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
compo = krb5_princ_component(context, princ, 0);
if (compo->length >= ANAME_SZ)
return KRB5_INVALID_PRINCIPAL;
- strncpy(name, compo->data, compo->length);
+ memcpy(name, compo->data, compo->length);
name[compo->length] = '\0';
}
break;
@@ -187,11 +193,39 @@ krb5_524_conv_principal(context, princ, name, inst, realm)
}
compo = krb5_princ_realm(context, princ);
- if (compo->length > REALM_SZ - 1)
- return KRB5_INVALID_PRINCIPAL;
- strncpy(realm, compo->data, compo->length);
- realm[compo->length] = '\0';
+ tmp_prealm = malloc(compo->length + 1);
+ if (tmp_prealm == NULL)
+ return ENOMEM;
+ strncpy(tmp_prealm, compo->data, compo->length);
+ tmp_prealm[compo->length] = '\0';
+
+ /* Ask for v4_realm corresponding to
+ krb5 principal realm from krb5.conf realms stanza */
+
+ if (context->profile == 0)
+ return KRB5_CONFIG_CANTOPEN;
+ retval = profile_get_string(context->profile, "realms",
+ tmp_prealm, "v4_realm", 0,
+ &tmp_realm);
+ free(tmp_prealm);
+ if (retval) {
+ return retval;
+ } else {
+ if (tmp_realm == 0) {
+ if (compo->length > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, compo->data, compo->length);
+ realm[compo->length] = '\0';
+ } else {
+ tmp_realm_len = strlen(tmp_realm);
+ if (tmp_realm_len > REALM_SZ - 1)
+ return KRB5_INVALID_PRINCIPAL;
+ strncpy(realm, tmp_realm, tmp_realm_len);
+ realm[tmp_realm_len] = '\0';
+ profile_release_string(tmp_realm);
+ }
+ }
return 0;
}
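Review bot: Two of the new early returns leak. `if (context->profile == 0) return KRB5_CONFIG_CANTOPEN;` runs after `tmp_prealm` has been allocated and before `free(tmp_prealm)`, and the `tmp_realm_len > REALM_SZ - 1` return skips `profile_release_string(tmp_realm)`. Moving the profile test above the `malloc` fixes the first, and adding `profile_release_string(tmp_realm);` before `return KRB5_INVALID_PRINCIPAL;` in the else branch fixes the second. krb5_524_conv_principal starts outside this hunk.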
@@ -207,8 +241,47 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
char buf[256]; /* V4 instances are limited to 40 characters */
krb5_error_code retval;
char *domain, *cp;
- char **full_name = 0, **cpp;
+ char **full_name = 0;
const char *names[5];
+ void* iterator = NULL;
+ char** v4realms = NULL;
+ char* realm_name = NULL;
+ char* dummy_value = NULL;
+
+ /* First, convert the realm, since the v4 realm is not necessarily the same as the v5 realm
+ To do that, iterate over all the realms in the config file, looking for a matching
+ v4_realm line */
+ names [0] = "realms";
+ names [1] = NULL;
+ retval = profile_iterator_create (context -> profile, names, PROFILE_ITER_LIST_SECTION | PROFILE_ITER_SECTIONS_ONLY, &iterator);
+ while (retval == 0) {
+ retval = profile_iterator (&iterator, &realm_name, &dummy_value);
+ if ((retval == 0) && (realm_name != NULL)) {
+ names [0] = "realms";
+ names [1] = realm_name;
+ names [2] = "v4_realm";
+ names [3] = NULL;
+
+ retval = profile_get_values (context -> profile, names, &v4realms);
+ if ((retval == 0) && (v4realms != NULL) && (v4realms [0] != NULL) && (strcmp (v4realms [0], realm) == 0)) {
+ realm = realm_name;
+ break;
+ } else if (retval == PROF_NO_RELATION) {
+ /* If it's not found, just keep going */
+ retval = 0;
+ }
+ } else if ((retval == 0) && (realm_name == NULL)) {
+ break;
+ }
+ if (realm_name != NULL) {
+ profile_release_string (realm_name);
+ realm_name = NULL;
+ }
+ if (dummy_value != NULL) {
+ profile_release_string (dummy_value);
+ dummy_value = NULL;
+ }
+ }
if (instance) {
if (instance[0] == '\0') {
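Review bot: The list returned by `profile_get_values (context -> profile, names, &v4realms)` is not freed when its first entry does not match `realm`, so the next iteration overwrites `v4realms` and the previous list leaks. Only the last list is released at the end of the function. Adding `profile_free_list (v4realms); v4realms = NULL;` beside the existing `realm_name`/`dummy_value` release at the bottom of the loop keeps one list live at a time. The return value of `profile_iterator_create` is also used only as the loop condition, so a failure there silently skips the v4 realm mapping, and a short comment saying that is intended would help. The function body continues outside this hunk.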
@@ -234,7 +307,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
if (retval == 0 && full_name && full_name[0]) {
instance = full_name[0];
} else {
- strcpy(buf, instance);
+ strncpy(buf, instance, sizeof(buf));
+ buf[sizeof(buf) - 1] = '\0';
retval = krb5_get_realm_domain(context, realm, &domain);
if (retval)
return retval;
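Review bot: The bounded copy `strncpy(buf, instance, sizeof(buf))` silently truncates an over-long instance, and the `strncat` calls in the following hunk likewise drop whatever part of `"." domain` does not fit. The principal built from `buf` can therefore name a different host than the caller supplied. Failing is safer than truncating in a name-conversion routine, for example by testing `if (strlen(instance) + 1 + strlen(domain) >= sizeof(buf))` once `domain` is known and returning KRB5_INVALID_PRINCIPAL through the function's cleanup. The enclosing function starts and ends outside this hunk.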
@@ -242,8 +316,8 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
for (cp = domain; *cp; cp++)
if (isupper(*cp))
*cp = tolower(*cp);
- strcat(buf, ".");
- strcat(buf, domain);
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, domain, sizeof(buf) - 1 - strlen(buf));
krb5_xfree(domain);
}
instance = buf;
@@ -254,6 +328,10 @@ krb5_425_conv_principal(context, name, instance, realm, princ)
not_service:
retval = krb5_build_principal(context, princ, strlen(realm), realm, name,
instance, 0);
+ profile_iterator_free (&iterator);
profile_free_list(full_name);
+ profile_free_list(v4realms);
+ profile_release_string (realm_name);
+ profile_release_string (dummy_value);
return retval;
}
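Review bot: The cleanup added here is reached only by falling through to the end of the function. The `return retval;` after the failed `krb5_get_realm_domain` call (visible in the earlier hunk) leaves directly, so on that path `iterator`, `realm_name`, `dummy_value` and `v4realms` are never released. A label placed just before `profile_iterator_free (&iterator);`, with the early return changed to `goto` it, would give every exit the same cleanup. The start of the function is outside this hunk.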
diff --git a/src/lib/krb5/krb/fwd_tgt.c b/src/lib/krb5/krb/fwd_tgt.c
index 814195a..2e2c5db 100644
--- a/src/lib/krb5/krb/fwd_tgt.c
+++ b/src/lib/krb5/krb/fwd_tgt.c
@@ -53,6 +53,8 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
krb5_flags kdcoptions;
int close_cc = 0;
int free_rhost = 0;
+ krb5_enctype enctype = 0;
+ krb5_keyblock *session_key;
memset((char *)&creds, 0, sizeof(creds));
memset((char *)&tgt, 0, sizeof(creds));
@@ -71,7 +73,36 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
memcpy(rhost, server->data[1].data, server->data[1].length);
rhost[server->data[1].length] = '\0';
}
-
+ retval = krb5_auth_con_getkey (context, auth_context, &session_key);
+ if (retval)
+ goto errout;
+ if (session_key) {
+ enctype = session_key->enctype;
+ krb5_free_keyblock (context, session_key);
+ session_key = NULL;
+ } else if (server) { /* must server be non-NULL when rhost is given? */
+ /* Try getting credentials to see what the remote side supports.
+ Not bulletproof, just a heuristic. */
+ krb5_creds in, *out = 0;
+ memset (&in, 0, sizeof(in));
+
+ retval = krb5_copy_principal (context, server, &in.server);
+ if (retval)
+ goto punt;
+ retval = krb5_copy_principal (context, client, &in.client);
+ if (retval)
+ goto punt;
+ retval = krb5_get_credentials (context, 0, cc, &in, &out);
+ if (retval)
+ goto punt;
+ /* Got the credentials. Okay, now record the enctype and
+ throw them away. */
+ enctype = out->keyblock.enctype;
+ krb5_free_creds (context, out);
+ punt:
+ krb5_free_cred_contents (context, &in);
+ }
+
retval = krb5_os_hostaddr(context, rhost, &addrs);
if (retval)
goto errout;
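Review bot: The enctype probe passes `cc` to `krb5_get_credentials` before the function's later `if (cc == 0)` block has substituted the default cache. A caller that supplies no ccache and whose auth context holds no key therefore reaches the probe with a null cache handle; whether krb5_get_credentials tolerates that is not visible here. Either resolve the default ccache ahead of this block or guard the probe, e.g. `} else if (server && cc) {`. A probe failure is also dropped at `punt:` because `retval` is overwritten by the `krb5_os_hostaddr` call, which is reasonable for a heuristic but worth a comment such as `/* probe failure is not fatal; enctype stays 0 */`. krb5_fwd_tgt_creds starts and ends outside this hunk.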
@@ -90,7 +121,7 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
goto errout;
if (cc == 0) {
- if ((retval = krb5_cc_default(context, &cc)))
+ if ((retval = krb5int_cc_default(context, &cc)))
goto errout;
close_cc = 1;
}
@@ -111,7 +142,8 @@ krb5_fwd_tgt_creds(context, auth_context, rhost, client, server, cc,
retval = KRB5_NO_TKT_SUPPLIED;
goto errout;
}
-
+
+ creds.keyblock.enctype = enctype;
creds.times = tgt.times;
creds.times.starttime = 0;
kdcoptions = flags2options(tgt.ticket_flags)|KDC_OPT_FORWARDED;
diff --git a/src/lib/krb5/krb/gc_frm_kdc.c b/src/lib/krb5/krb/gc_frm_kdc.c
index 1e315fe..fd36385 100644
--- a/src/lib/krb5/krb/gc_frm_kdc.c
+++ b/src/lib/krb5/krb/gc_frm_kdc.c
@@ -347,7 +347,9 @@ krb5_get_cred_from_kdc_opt(context, ccache, in_cred, out_cred, tgts, kdcopt)
for (next_server = top_server; *next_server; next_server++) {
krb5_data *realm_1 = krb5_princ_component(context, next_server[0], 1);
krb5_data *realm_2 = krb5_princ_component(context, tgtr->server, 1);
- if (realm_1->length == realm_2->length &&
+ if (realm_1 != NULL &&
+ realm_2 != NULL &&
+ realm_1->length == realm_2->length &&
!memcmp(realm_1->data, realm_2->data, realm_1->length)) {
break;
}
diff --git a/src/lib/krb5/krb/get_creds.c b/src/lib/krb5/krb/get_creds.c
index 3bcaa0b..de8d29f 100644
--- a/src/lib/krb5/krb/get_creds.c
+++ b/src/lib/krb5/krb/get_creds.c
@@ -102,6 +102,7 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
krb5_creds *ncreds;
krb5_creds **tgts;
krb5_flags fields;
+ int not_ktype;
retval = krb5_get_credentials_core(context, options, ccache,
in_creds, out_creds,
@@ -128,6 +129,11 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
|| options & KRB5_GC_CACHED)
return retval;
+ if (retval == KRB5_CC_NOT_KTYPE)
+ not_ktype = 1;
+ else
+ not_ktype = 0;
+
retval = krb5_get_cred_from_kdc(context, ccache, ncreds, out_creds, &tgts);
if (tgts) {
register int i = 0;
@@ -141,6 +147,21 @@ krb5_get_credentials(context, options, ccache, in_creds, out_creds)
}
krb5_free_tgt_creds(context, tgts);
}
+ /*
+ * Translate KRB5_CC_NOTFOUND if we previously got
+ * KRB5_CC_NOT_KTYPE from krb5_cc_retrieve_cred(), in order to
+ * handle the case where there is no TGT in the ccache and the
+ * input enctype didn't match. This handling is necessary because
+ * some callers, such as GSSAPI, iterate through enctypes and
+ * KRB5_CC_NOTFOUND passed through from the
+ * krb5_get_cred_from_kdc() is semantically incorrect, since the
+ * actual failure was the non-existence of a ticket of the correct
+ * enctype rather than the missing TGT.
+ */
+ if ((retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE)
+ && not_ktype)
+ retval = KRB5_CC_NOT_KTYPE;
+
if (!retval)
retval = krb5_cc_store_cred(context, ccache, *out_creds);
return retval;
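Review bot: The second disjunct in `(retval == KRB5_CC_NOTFOUND || retval == KRB5_CC_NOT_KTYPE) && not_ktype` does nothing, since it assigns the value `retval` already holds. `if (not_ktype && retval == KRB5_CC_NOTFOUND)` states the translation described in the comment more directly. In the same spirit, the four-line if/else in the previous hunk could be `not_ktype = (retval == KRB5_CC_NOT_KTYPE);`. The function begins outside this hunk.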
@@ -160,10 +181,8 @@ krb5_get_credentials_val_renew_core(context, options, ccache,
int which;
{
krb5_error_code retval;
- krb5_creds mcreds;
krb5_principal tmp;
krb5_creds **tgts = 0;
- krb5_flags fields;
switch(which) {
case INT_GC_VALIDATE:
diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c
index c1c6df1..57d0313 100644
--- a/src/lib/krb5/krb/get_in_tkt.c
+++ b/src/lib/krb5/krb/get_in_tkt.c
@@ -84,13 +84,13 @@ static krb5_error_code make_preauth_list PROTOTYPE((krb5_context,
*/
static krb5_error_code
send_as_request(context, request, time_now, ret_err_reply, ret_as_reply,
- master)
+ use_master)
krb5_context context;
krb5_kdc_req *request;
krb5_timestamp *time_now;
krb5_error ** ret_err_reply;
krb5_kdc_rep ** ret_as_reply;
- int * master;
+ int use_master;
{
krb5_kdc_rep *as_reply = 0;
krb5_error_code retval;
@@ -116,7 +116,7 @@ send_as_request(context, request, time_now, ret_err_reply, ret_as_reply,
k4_version = packet->data[0];
retval = krb5_sendto_kdc(context, packet,
krb5_princ_realm(context, request->client),
- &reply, master);
+ &reply, use_master);
krb5_free_data(context, packet);
if (retval)
goto cleanup;
@@ -367,7 +367,6 @@ make_preauth_list(context, ptypes, nptypes, ret_list)
{
krb5_preauthtype * ptypep;
krb5_pa_data ** preauthp;
- krb5_pa_data ** preauth_to_use;
int i;
if (nptypes < 0) {
@@ -457,12 +456,35 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed,
request.from = creds->times.starttime;
request.till = creds->times.endtime;
request.rtime = creds->times.renew_till;
- if (ktypes)
- request.ktype = ktypes;
- else
- if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
- goto cleanup;
+ if ((retval = krb5_get_default_in_tkt_ktypes(context, &request.ktype)))
+ goto cleanup;
for (request.nktypes = 0;request.ktype[request.nktypes];request.nktypes++);
+ if (ktypes) {
+ int i, req, next = 0;
+ for (req = 0; ktypes[req]; req++) {
+ if (ktypes[req] == request.ktype[next]) {
+ next++;
+ continue;
+ }
+ for (i = next + 1; i < request.nktypes; i++)
+ if (ktypes[req] == request.ktype[i]) {
+ /* Found the enctype we want, but not in the
+ position we want. Move it, but keep the old
+ one from the desired slot around in case it's
+ later in our requested-ktypes list. */
+ krb5_enctype t;
+ t = request.ktype[next];
+ request.ktype[next] = request.ktype[i];
+ request.ktype[i] = t;
+ next++;
+ break;
+ }
+ /* If we didn't find it, don't do anything special, just
+ drop it. */
+ }
+ request.ktype[next] = 0;
+ request.nktypes = next;
+ }
request.authorization_data.ciphertext.length = 0;
request.authorization_data.ciphertext.data = 0;
request.unenc_authdata = 0;
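Review bot: When none of the caller's `ktypes` appears in the default list, the filter ends with `next == 0`, writes `request.ktype[0] = 0` and sets `request.nktypes = 0`, and the code continues to build a request with an empty enctype list. Failing locally is clearer than sending a request the KDC can only reject, e.g. `if (next == 0) { retval = KRB5_CONFIG_ETYPE_NOSUPP; goto cleanup; }` placed right after the loop. A one-line comment above the block would also help, such as `/* Intersect the caller's list with the configured defaults, keeping the caller's order. */`, because callers can no longer request an enctype that the configuration omits. krb5_get_in_tkt starts and ends outside this hunk.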
@@ -538,7 +560,7 @@ krb5_get_in_tkt(context, options, addrs, ktypes, ptypes, key_proc, keyseed,
goto cleanup;
cleanup:
- if (!ktypes && request.ktype)
+ if (request.ktype)
free(request.ktype);
if (!addrs && request.addresses)
krb5_free_addresses(context, request.addresses);
@@ -559,17 +581,17 @@ cleanup:
return (retval);
}
-/* begin appdefaults parsing code. This should almost certainly move
+/* begin libdefaults parsing code. This should almost certainly move
somewhere else, but I don't know where the correct somewhere else
is yet. */
/* XXX Duplicating this is annoying; try to work on a better way.*/
-static char *conf_yes[] = {
+static const char *conf_yes[] = {
"y", "yes", "true", "t", "1", "on",
0,
};
-static char *conf_no[] = {
+static const char *conf_no[] = {
"n", "no", "false", "nil", "0", "off",
0,
};
@@ -595,7 +617,7 @@ _krb5_conf_boolean(s)
}
static krb5_error_code
-krb5_appdefault_string(context, realm, option, ret_value)
+krb5_libdefault_string(context, realm, option, ret_value)
krb5_context context;
const krb5_data *realm;
const char *option;
@@ -606,7 +628,6 @@ krb5_appdefault_string(context, realm, option, ret_value)
char **nameval = NULL;
krb5_error_code retval;
char realmstr[1024];
- char **cpp;
if (realm->length > sizeof(realmstr)-1)
return(EINVAL);
@@ -673,7 +694,7 @@ goodbye:
/* as well as the DNS code */
krb5_error_code
-krb5_appdefault_boolean(context, realm, option, ret_value)
+krb5_libdefault_boolean(context, realm, option, ret_value)
krb5_context context;
const char *option;
const krb5_data *realm;
@@ -682,7 +703,7 @@ krb5_appdefault_boolean(context, realm, option, ret_value)
char *string = NULL;
krb5_error_code retval;
- retval = krb5_appdefault_string(context, realm, option, &string);
+ retval = krb5_libdefault_string(context, realm, option, &string);
if (retval)
return(retval);
@@ -696,7 +717,7 @@ krb5_appdefault_boolean(context, realm, option, ret_value)
KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
krb5_get_init_creds(context, creds, client, prompter, prompter_data,
start_time, in_tkt_service, options, gak_fct, gak_data,
- master, as_reply)
+ use_master, as_reply)
krb5_context context;
krb5_creds *creds;
krb5_principal client;
@@ -707,7 +728,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
krb5_get_init_creds_opt *options;
krb5_gic_get_as_key_fct gak_fct;
void *gak_data;
- int *master;
+ int use_master;
krb5_kdc_rep **as_reply;
{
krb5_error_code ret;
@@ -751,7 +772,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_FORWARDABLE))
tempint = options->forwardable;
- else if ((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if ((ret = krb5_libdefault_boolean(context, &client->realm,
"forwardable", &tempint)) == 0)
;
else
@@ -763,7 +784,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_PROXIABLE))
tempint = options->proxiable;
- else if ((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if ((ret = krb5_libdefault_boolean(context, &client->realm,
"proxiable", &tempint)) == 0)
;
else
@@ -775,7 +796,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
if (options && (options->flags & KRB5_GET_INIT_CREDS_OPT_RENEW_LIFE)) {
renew_life = options->renew_life;
- } else if ((ret = krb5_appdefault_string(context, &client->realm,
+ } else if ((ret = krb5_libdefault_string(context, &client->realm,
"renew_lifetime", &tempstr))
== 0) {
if (ret = krb5_string_to_deltat(tempstr, &renew_life)) {
@@ -868,7 +889,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
}
/* it would be nice if this parsed out an address list, but
that would be work. */
- else if (((ret = krb5_appdefault_boolean(context, &client->realm,
+ else if (((ret = krb5_libdefault_boolean(context, &client->realm,
"noaddresses", &tempint)) == 0)
&& tempint) {
;
@@ -923,7 +944,7 @@ krb5_get_init_creds(context, creds, client, prompter, prompter_data,
err_reply = 0;
local_as_reply = 0;
if ((ret = send_as_request(context, &request, &time_now, &err_reply,
- &local_as_reply, master)))
+ &local_as_reply, use_master)))
goto cleanup;
if (err_reply) {
diff --git a/src/lib/krb5/krb/gic_keytab.c b/src/lib/krb5/krb/gic_keytab.c
index 8b6f231..98bbbd0 100644
--- a/src/lib/krb5/krb/gic_keytab.c
+++ b/src/lib/krb5/krb/gic_keytab.c
@@ -61,7 +61,7 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
krb5_get_init_creds_opt *options;
{
krb5_error_code ret, ret2;
- int master;
+ int use_master;
krb5_keytab keytab;
if (arg_keytab == NULL) {
@@ -71,14 +71,14 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
keytab = arg_keytab;
}
- master = 0;
+ use_master = 0;
/* first try: get the requested tkt from any kdc */
ret = krb5_get_init_creds(context, creds, client, NULL, NULL,
start_time, in_tkt_service, options,
krb5_get_as_key_keytab, (void *) keytab,
- &master, NULL);
+ use_master,NULL);
/* check for success */
@@ -87,19 +87,19 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
/* If all the kdc's are unavailable fail */
- if (ret == KRB5_KDC_UNREACH)
+ if ((ret == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
/* if the reply did not come from the master kdc, try again with
the master kdc */
- if (!master) {
- master = 1;
+ if (!use_master) {
+ use_master = 1;
ret2 = krb5_get_init_creds(context, creds, client, NULL, NULL,
start_time, in_tkt_service, options,
krb5_get_as_key_keytab, (void *) keytab,
- &master, NULL);
+ use_master, NULL);
if (ret2 == 0) {
ret = 0;
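Review bot: With `use_master` now passed by value, the `if (!use_master)` test in this hunk looks always true, because the variable is set to 0 before the first call and nothing visible changes it afterwards. The comment above it (`if the reply did not come from the master kdc`) therefore no longer describes what happens: every failure that is not caught by the earlier check is retried against the master. I would reword it to something like `/* first attempt used any KDC; retry once against the master */`. The same pattern appears in krb5_get_init_creds_password in gic_pwd.c. The function body continues outside this hunk, so this assumes there is no assignment in the unseen lines.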
@@ -109,7 +109,7 @@ krb5_get_init_creds_keytab(context, creds, client, arg_keytab,
/* if the master is unreachable, return the error from the
slave we were able to contact */
- if (ret2 == KRB5_KDC_UNREACH)
+ if ((ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
ret = ret2;
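Review bot: The second clause of the new condition tests `ret` where it almost certainly means `ret2`: `(ret2 == KRB5_KDC_UNREACH) || (ret == KRB5_REALM_CANT_RESOLVE)`. `ret` was already checked for KRB5_REALM_CANT_RESOLVE before the retry, so this clause can never fire here. A master lookup that fails with KRB5_REALM_CANT_RESOLVE then replaces the more useful slave error through `ret = ret2`. The matching code in gic_pwd.c uses `ret2` in both clauses; this line should read `if ((ret2 == KRB5_KDC_UNREACH) || (ret2 == KRB5_REALM_CANT_RESOLVE))`.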
diff --git a/src/lib/krb5/krb/gic_pwd.c b/src/lib/krb5/krb/gic_pwd.c
index 7ca4343..f867989 100644
--- a/src/lib/krb5/krb/gic_pwd.c
+++ b/src/lib/krb5/krb/gic_pwd.c
@@ -1,5 +1,4 @@
#include "k5-int.h"
-#include "com_err.h"
static krb5_error_code
krb5_get_as_key_password(context, client, etype, prompter, prompter_data,
@@ -97,7 +96,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
krb5_get_init_creds_opt *options;
{
krb5_error_code ret, ret2;
- int master;
+ int use_master;
krb5_kdc_rep *as_reply;
int tries;
krb5_creds chpw_creds;
@@ -107,7 +106,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
krb5_prompt prompt[2];
krb5_prompt_type prompt_types[sizeof(prompt)/sizeof(prompt[0])];
- master = 0;
+ use_master = 0;
as_reply = NULL;
memset(&chpw_creds, 0, sizeof(chpw_creds));
@@ -133,7 +132,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
ret = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
/* check for success */
@@ -144,19 +143,20 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
user interrupt, fail */
if ((ret == KRB5_KDC_UNREACH) ||
- (ret == KRB5_LIBOS_PWDINTR))
+ (ret == KRB5_LIBOS_PWDINTR) ||
+ (ret == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
/* if the reply did not come from the master kdc, try again with
the master kdc */
- if (!master) {
- master = 1;
+ if (!use_master) {
+ use_master = 1;
ret2 = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
if (ret2 == 0) {
ret = 0;
@@ -166,12 +166,18 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
/* if the master is unreachable, return the error from the
slave we were able to contact */
- if (ret2 == KRB5_KDC_UNREACH)
+ if ((ret2 == KRB5_KDC_UNREACH) ||
+ (ret2 == KRB5_REALM_CANT_RESOLVE))
goto cleanup;
ret = ret2;
}
+#ifdef USE_LOGIN_LIBRARY
+ if (ret == KRB5KDC_ERR_KEY_EXP)
+ goto cleanup; /* Login library will deal appropriately with this error */
+#endif
+
/* at this point, we have an error from the master. if the error
is not password expired, or if it is but there's no prompter,
return this error */
@@ -195,7 +201,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
prompter, data,
start_time, "kadmin/changepw", &chpw_opts,
krb5_get_as_key_password, (void *) &pw0,
- &master, NULL)))
+ use_master, NULL)))
goto cleanup;
prompt[0].prompt = "Enter new password";
@@ -282,7 +288,7 @@ krb5_get_init_creds_password(context, creds, client, password, prompter, data,
ret = krb5_get_init_creds(context, creds, client, prompter, data,
start_time, in_tkt_service, options,
krb5_get_as_key_password, (void *) &pw0,
- &master, &as_reply);
+ use_master, &as_reply);
cleanup:
krb5int_set_prompt_types(context, 0);
diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c
index e2eccc4..abcb573 100644
--- a/src/lib/krb5/krb/init_ctx.c
+++ b/src/lib/krb5/krb/init_ctx.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/krb/init_ctx.c
*
- * Copyright 1994 by the Massachusetts Institute of Technology.
+ * Copyright 1994,1999,2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -84,7 +84,10 @@ init_common (context, secure)
{
krb5_context ctx = 0;
krb5_error_code retval;
- krb5_timestamp now;
+ struct {
+ krb5_int32 now, now_usec;
+ long pid;
+ } seed_data;
krb5_data seed;
int tmp;
@@ -129,10 +132,11 @@ init_common (context, secure)
goto cleanup;
/* initialize the prng (not well, but passable) */
- if ((retval = krb5_timeofday(ctx, &now)))
+ if ((retval = krb5_crypto_us_timeofday(&seed_data.now, &seed_data.now_usec)))
goto cleanup;
- seed.length = sizeof(now);
- seed.data = (char *) &now;
+ seed_data.pid = getpid ();
+ seed.length = sizeof(seed_data);
+ seed.data = (char *) &seed_data;
if ((retval = krb5_c_random_seed(ctx, &seed)))
goto cleanup;
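Review bot: The seed built here consists only of wall-clock seconds, microseconds and the process id, all of which an observer can guess or narrow to a small range. Anything generated from the PRNG before stronger material is mixed in is therefore predictable. The existing comment admits this (`not well, but passable`) but does not tell callers what to do about it. I would extend it along the lines of `/* time+pid only separates concurrent processes; it is NOT entropy. Callers that generate keys must add real random data with krb5_c_random_seed(). */` and, where the platform has an OS random source, read from it here as well.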
@@ -169,7 +173,7 @@ init_common (context, secure)
"kdc_default_options", 0,
KDC_OPT_RENEWABLE_OK, &tmp);
ctx->kdc_default_options = KDC_OPT_RENEWABLE_OK;
-#ifdef macintosh
+#if TARGET_OS_MAC
#define DEFAULT_KDC_TIMESYNC 1
#else
#define DEFAULT_KDC_TIMESYNC 0
@@ -187,7 +191,7 @@ init_common (context, secure)
* Note: DCE 1.0.3a only supports a cache type of 1
* DCE 1.1 supports a cache type of 2.
*/
-#ifdef macintosh
+#if TARGET_OS_MAC
#define DEFAULT_CCACHE_TYPE 4
#else
#define DEFAULT_CCACHE_TYPE 3
@@ -281,7 +285,7 @@ get_profile_etype_list(context, ktypes, profstr, ctx_count, ctx_list)
{
krb5_enctype *old_ktypes;
- if (context->in_tkt_ktype_count) {
+ if (ctx_count) {
/* application-set defaults */
if ((old_ktypes =
(krb5_enctype *)malloc(sizeof(krb5_enctype) *
@@ -370,8 +374,8 @@ krb5_get_default_in_tkt_ktypes(context, ktypes)
context->in_tkt_ktypes));
}
-krb5_error_code
-krb5_set_default_tgs_ktypes(context, ktypes)
+krb5_error_code KRB5_CALLCONV
+krb5_set_default_tgs_enctypes (context, ktypes)
krb5_context context;
const krb5_enctype *ktypes;
{
@@ -396,13 +400,30 @@ krb5_set_default_tgs_ktypes(context, ktypes)
}
if (context->tgs_ktypes)
- free(context->tgs_ktypes);
+ krb5_free_ktypes(context, context->tgs_ktypes);
context->tgs_ktypes = new_ktypes;
context->tgs_ktype_count = i;
return 0;
}
+krb5_error_code krb5_set_default_tgs_ktypes
+(krb5_context context, const krb5_enctype *etypes)
+{
+ return (krb5_set_default_tgs_enctypes (context, etypes));
+}
+
+
+void
+KRB5_CALLCONV
+krb5_free_ktypes (context, val)
+ krb5_context context;
+ krb5_enctype FAR *val;
+{
+ free (val);
+}
+
krb5_error_code
+KRB5_CALLCONV
krb5_get_tgs_ktypes(context, princ, ktypes)
krb5_context context;
krb5_const_principal princ;
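Review bot: The two functions added in this hunk have no header comments, and the purpose of `krb5_free_ktypes` is not obvious from a body that is just `free (val)`. A comment such as `/* Free an enctype list returned by this library; callers use this instead of free() so allocation and release stay in the same runtime. */` would help, if that is the intent. The compatibility wrapper would benefit from `/* Old name, kept for source compatibility; use krb5_set_default_tgs_enctypes. */`. The wrapper is also written with an ANSI prototype and without KRB5_CALLCONV, while its neighbours are K&R definitions with KRB5_CALLCONV; matching them would keep the file consistent.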
@@ -441,7 +462,7 @@ krb5_is_permitted_enctype(context, etype)
if (*ptr == etype)
ret = 1;
- krb5_xfree(list);
+ krb5_free_ktypes (context, list);
return(ret);
}
diff --git a/src/lib/krb5/krb/init_keyblock.c b/src/lib/krb5/krb/init_keyblock.c
new file mode 100644
index 0000000..eb60b06
--- /dev/null
+++ b/src/lib/krb5/krb/init_keyblock.c
@@ -0,0 +1,61 @@
+/*
+ * lib/krb5/krb/init_keyblock.c
+ *
+ * Copyright (C) 2002 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ *
+ * krb5_init_keyblock- a function to set up
+ * an empty keyblock
+ */
+
+
+#include "k5-int.h"
+#include <assert.h>
+
+krb5_error_code KRB5_CALLCONV
+krb5_init_keyblock(krb5_context context, krb5_enctype enctype,
+ size_t length, krb5_keyblock **out)
+{
+ krb5_keyblock *kb;
+ kb = malloc (sizeof(krb5_keyblock));
+ assert (out);
+ *out = NULL;
+ if (!kb) {
+ return ENOMEM;
+ }
+ kb->magic = KV5M_KEYBLOCK;
+ kb->enctype = enctype;
+ kb->length = length;
+ if(length) {
+ kb->contents = malloc (length);
+ if(!kb->contents) {
+ free (kb);
+ return ENOMEM;
+ }
+ } else {
+ kb->contents = NULL;
+ }
+ *out = kb;
+ return 0;
+}
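Review bot: `assert (out)` is the only guard on the output pointer, and it runs after the first `malloc`; in a build with NDEBUG the check disappears and `*out = NULL` writes through a null pointer. For an exported function I would validate before allocating and return an error instead: `if (out == NULL) return EINVAL;`. Separately, `kb->contents = malloc (length)` hands back uninitialised heap bytes as key material, so a caller that fills fewer than `length` bytes ends up with a key containing heap residue; `calloc (1, length)` avoids that. `length` is a `size_t` while the width of `kb->length` is not visible here, so a range check may be needed if that field is narrower.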
diff --git a/src/lib/krb5/krb/kfree.c b/src/lib/krb5/krb/kfree.c
index 24d8aaf..8e57f83 100644
--- a/src/lib/krb5/krb/kfree.c
+++ b/src/lib/krb5/krb/kfree.c
@@ -36,7 +36,6 @@ krb5_free_address(context, val)
if (val->contents)
krb5_xfree(val->contents);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -52,7 +51,6 @@ krb5_free_addresses(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
@@ -64,7 +62,6 @@ krb5_free_ap_rep(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -77,7 +74,6 @@ krb5_free_ap_req(context, val)
if (val->authenticator.ciphertext.data)
krb5_xfree(val->authenticator.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -88,7 +84,6 @@ krb5_free_ap_rep_enc_part(context, val)
if (val->subkey)
krb5_free_keyblock(context, val->subkey);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -96,15 +91,22 @@ krb5_free_authenticator_contents(context, val)
krb5_context context;
krb5_authenticator FAR *val;
{
- if (val->checksum)
+ if (val->checksum) {
krb5_free_checksum(context, val->checksum);
- if (val->client)
+ val->checksum = 0;
+ }
+ if (val->client) {
krb5_free_principal(context, val->client);
- if (val->subkey)
+ val->client = 0;
+ }
+ if (val->subkey) {
krb5_free_keyblock(context, val->subkey);
- if (val->authorization_data)
- krb5_free_authdata(context, val->authorization_data);
- return;
+ val->subkey = 0;
+ }
+ if (val->authorization_data) {
+ krb5_free_authdata(context, val->authorization_data);
+ val->authorization_data = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -120,7 +122,6 @@ krb5_free_authdata(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -128,16 +129,8 @@ krb5_free_authenticator(context, val)
krb5_context context;
krb5_authenticator FAR *val;
{
- if (val->checksum)
- krb5_free_checksum(context, val->checksum);
- if (val->client)
- krb5_free_principal(context, val->client);
- if (val->subkey)
- krb5_free_keyblock(context, val->subkey);
- if (val->authorization_data)
- krb5_free_authdata(context, val->authorization_data);
+ krb5_free_authenticator_contents(context, val);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -145,10 +138,8 @@ krb5_free_checksum(context, val)
krb5_context context;
register krb5_checksum *val;
{
- if (val->contents)
- krb5_xfree(val->contents);
+ krb5_free_checksum_contents(context, val);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -156,9 +147,10 @@ krb5_free_checksum_contents(context, val)
krb5_context context;
register krb5_checksum *val;
{
- if (val->contents)
+ if (val->contents) {
krb5_xfree(val->contents);
- return;
+ val->contents = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -171,7 +163,6 @@ krb5_free_cred(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
/*
@@ -184,23 +175,35 @@ krb5_free_cred_contents(context, val)
krb5_context context;
krb5_creds FAR *val;
{
- if (val->client)
+ if (val->client) {
krb5_free_principal(context, val->client);
- if (val->server)
+ val->client = 0;
+ }
+ if (val->server) {
krb5_free_principal(context, val->server);
+ val->server = 0;
+ }
if (val->keyblock.contents) {
memset((char *)val->keyblock.contents, 0, val->keyblock.length);
krb5_xfree(val->keyblock.contents);
+ val->keyblock.contents = 0;
}
- if (val->ticket.data)
+ if (val->ticket.data) {
krb5_xfree(val->ticket.data);
- if (val->second_ticket.data)
+ val->ticket.data = 0;
+ }
+ if (val->second_ticket.data) {
krb5_xfree(val->second_ticket.data);
- if (val->addresses)
+ val->second_ticket.data = 0;
+ }
+ if (val->addresses) {
krb5_free_addresses(context, val->addresses);
- if (val->authdata)
+ val->addresses = 0;
+ }
+ if (val->authdata) {
krb5_free_authdata(context, val->authdata);
- return;
+ val->authdata = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
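Review bot: The key wipe in krb5_free_cred_contents is a plain `memset` immediately followed by `krb5_xfree`, which an optimising compiler may drop as a dead store, leaving the session key in freed heap memory. Since this hunk already reworks that block, it is a good place to route the wipe through a helper the compiler cannot elide, such as a loop over a `volatile unsigned char *` or the platform's secure-zero call where one exists. The same `memset`-then-free pattern is in krb5_free_keyblock_contents further down this file.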
@@ -210,10 +213,14 @@ krb5_free_cred_enc_part(context, val)
{
register krb5_cred_info **temp;
- if (val->r_address)
- krb5_free_address(context, val->r_address);
- if (val->s_address)
- krb5_free_address(context, val->s_address);
+ if (val->r_address) {
+ krb5_free_address(context, val->r_address);
+ val->r_address = 0;
+ }
+ if (val->s_address) {
+ krb5_free_address(context, val->s_address);
+ val->s_address = 0;
+ }
if (val->ticket_info) {
for (temp = val->ticket_info; *temp; temp++) {
@@ -228,8 +235,8 @@ krb5_free_cred_enc_part(context, val)
krb5_xfree((*temp));
}
krb5_xfree(val->ticket_info);
+ val->ticket_info = 0;
}
- return;
}
@@ -240,7 +247,6 @@ krb5_free_creds(context, val)
{
krb5_free_cred_contents(context, val);
krb5_xfree(val);
- return;
}
@@ -252,7 +258,6 @@ krb5_free_data(context, val)
if (val->data)
krb5_xfree(val->data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -260,9 +265,10 @@ krb5_free_data_contents(context, val)
krb5_context context;
krb5_data FAR * val;
{
- if (val->data)
+ if (val->data) {
krb5_xfree(val->data);
- return;
+ val->data = 0;
+ }
}
void krb5_free_etype_info(context, info)
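Review bot: After this change `val->data` is null but `val->length` keeps its old value, so the krb5_data still claims to describe that many bytes. Code that later copies or compares using `length` without testing `data` would dereference a null pointer; adding `val->length = 0;` inside the new braces closes that gap. krb5_free_checksum_contents and krb5_free_keyblock_contents in this file have the same shape, with the pointer cleared and the length left untouched.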
@@ -294,7 +300,6 @@ krb5_free_enc_kdc_rep_part(context, val)
if (val->caddrs)
krb5_free_addresses(context, val->caddrs);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -313,7 +318,6 @@ krb5_free_enc_tkt_part(context, val)
if (val->authorization_data)
krb5_free_authdata(context, val->authorization_data);
krb5_xfree(val);
- return;
}
@@ -331,7 +335,6 @@ krb5_free_error(context, val)
if (val->e_data.data)
krb5_xfree(val->e_data.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -350,7 +353,6 @@ krb5_free_kdc_rep(context, val)
if (val->enc_part2)
krb5_free_enc_kdc_rep_part(context, val->enc_part2);
krb5_xfree(val);
- return;
}
@@ -376,7 +378,6 @@ krb5_free_kdc_req(context, val)
if (val->second_ticket)
krb5_free_tickets(context, val->second_ticket);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -387,8 +388,8 @@ krb5_free_keyblock_contents(context, key)
if (key->contents) {
memset(key->contents, 0, key->length);
krb5_xfree(key->contents);
+ key->contents = 0;
}
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -398,7 +399,6 @@ krb5_free_keyblock(context, val)
{
krb5_free_keyblock_contents(context, val);
krb5_xfree(val);
- return;
}
@@ -413,7 +413,6 @@ krb5_free_last_req(context, val)
for (temp = val; *temp; temp++)
krb5_xfree(*temp);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -429,7 +428,6 @@ krb5_free_pa_data(context, val)
krb5_xfree(*temp);
}
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -451,7 +449,6 @@ krb5_free_principal(context, val)
if (val->realm.data)
krb5_xfree(val->realm.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -462,7 +459,6 @@ krb5_free_priv(context, val)
if (val->enc_part.ciphertext.data)
krb5_xfree(val->enc_part.ciphertext.data);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -477,7 +473,6 @@ krb5_free_priv_enc_part(context, val)
if (val->s_address)
krb5_free_address(context, val->s_address);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -488,7 +483,6 @@ krb5_free_pwd_data(context, val)
if (val->element)
krb5_free_pwd_sequences(context, val->element);
krb5_xfree(val);
- return;
}
@@ -497,11 +491,14 @@ krb5_free_pwd_sequences(context, val)
krb5_context context;
passwd_phrase_element FAR * FAR *val;
{
- if ((*val)->passwd)
+ if ((*val)->passwd) {
krb5_xfree((*val)->passwd);
- if ((*val)->phrase)
+ (*val)->passwd = 0;
+ }
+ if ((*val)->phrase) {
krb5_xfree((*val)->phrase);
- return;
+ (*val)->phrase = 0;
+ }
}
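Review bot: The `passwd` and `phrase` members are released with `krb5_xfree` without being cleared first; if they hold password text, as the names suggest, those bytes stay readable in freed heap memory. I would wipe each buffer before freeing it, in the way krb5_free_keyblock_contents does for keys. The element type is declared outside this hunk, so check whether these members are raw buffers or krb5_data pointers whose `data` also needs wiping and freeing.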
@@ -519,7 +516,6 @@ krb5_free_safe(context, val)
if (val->checksum)
krb5_free_checksum(context, val->checksum);
krb5_xfree(val);
- return;
}
@@ -535,7 +531,6 @@ krb5_free_ticket(context, val)
if (val->enc_part2)
krb5_free_enc_tkt_part(context, val->enc_part2);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -548,7 +543,6 @@ krb5_free_tickets(context, val)
for (temp = val; *temp; temp++)
krb5_free_ticket(context, *temp);
krb5_xfree(val);
- return;
}
@@ -573,7 +567,6 @@ krb5_free_tkt_authent(context, val)
if (val->authenticator)
krb5_free_authenticator(context, val->authenticator);
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -583,7 +576,6 @@ krb5_free_unparsed_name(context, val)
{
if (val)
krb5_xfree(val);
- return;
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -612,8 +604,10 @@ krb5_free_sam_challenge_contents(krb5_context ctx, krb5_sam_challenge FAR *sc)
krb5_free_data_contents(ctx, &sc->sam_response_prompt);
if (sc->sam_pk_for_sad.data)
krb5_free_data_contents(ctx, &sc->sam_pk_for_sad);
- if (sc->sam_cksum.contents)
+ if (sc->sam_cksum.contents) {
krb5_xfree(sc->sam_cksum.contents);
+ sc->sam_cksum.contents = 0;
+ }
}
KRB5_DLLIMP void KRB5_CALLCONV
@@ -656,8 +650,10 @@ krb5_free_predicted_sam_response_contents(krb5_context ctx,
return;
if (psr->sam_key.contents)
krb5_free_keyblock_contents(ctx, &psr->sam_key);
- if (psr->client)
+ if (psr->client) {
krb5_free_principal(ctx, psr->client);
+ psr->client = 0;
+ }
if (psr->msd.data)
krb5_free_data_contents(ctx, &psr->msd);
}
@@ -689,4 +685,3 @@ krb5_free_pa_enc_ts(krb5_context ctx, krb5_pa_enc_ts FAR *pa_enc_ts)
return;
krb5_xfree(pa_enc_ts);
}
-
diff --git a/src/lib/krb5/krb/mk_cred.c b/src/lib/krb5/krb/mk_cred.c
index cdda80d..9bcfe84 100644
--- a/src/lib/krb5/krb/mk_cred.c
+++ b/src/lib/krb5/krb/mk_cred.c
@@ -7,7 +7,7 @@
* structures.
*
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
diff --git a/src/lib/krb5/krb/mk_priv.c b/src/lib/krb5/krb/mk_priv.c
index 7685817..d72f6b2 100644
--- a/src/lib/krb5/krb/mk_priv.c
+++ b/src/lib/krb5/krb/mk_priv.c
@@ -93,14 +93,6 @@ krb5_mk_priv_basic(context, userdata, keyblock, replaydata, local_addr,
scratch1, &privmsg.enc_part)))
goto clean_encpart;
- /* put last block into the i_vector */
-
- if (i_vector)
- memcpy(i_vector,
- privmsg.enc_part.ciphertext.data +
- (privmsg.enc_part.ciphertext.length - blocksize),
- blocksize);
-
if ((retval = encode_krb5_priv(&privmsg, &scratch2)))
goto clean_encpart;
diff --git a/src/lib/krb5/krb/mk_req_ext.c b/src/lib/krb5/krb/mk_req_ext.c
index a8b20eb..88daab5 100644
--- a/src/lib/krb5/krb/mk_req_ext.c
+++ b/src/lib/krb5/krb/mk_req_ext.c
@@ -126,10 +126,24 @@ krb5_mk_req_extended(context, auth_context, ap_req_options, in_data, in_creds,
/* generate subkey if needed */
- if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey))
+ if ((ap_req_options & AP_OPTS_USE_SUBKEY)&&(!(*auth_context)->local_subkey)) {
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is not
+ to guarantee randomness, but to make it less likely that multiple
+ sessions could pick the same subkey. */
+ struct {
+ krb5_int32 sec, usec;
+ } rnd_data;
+ krb5_data d;
+ krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec);
+ d.length = sizeof (rnd_data);
+ d.data = (char *) &rnd_data;
+ (void) krb5_c_random_seed (context, &d);
+
if ((retval = krb5_generate_subkey(context, &(in_creds)->keyblock,
&(*auth_context)->local_subkey)))
goto cleanup;
+ }
if (in_data) {
if ((*auth_context)->req_cksumtype == 0x8003) {
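Review bot: The return value of `krb5_crypto_us_timeofday` is ignored in the new block, so if the call fails `rnd_data` is passed to `krb5_c_random_seed` uninitialised; init_ctx.c in this same commit does check it. Either zero the struct first or seed only on success, e.g. `if (krb5_crypto_us_timeofday (&rnd_data.sec, &rnd_data.usec) == 0) { ... (void) krb5_c_random_seed (context, &d); }`. The comment is right that this adds no real randomness. It would be worth adding that subkey secrecy still rests entirely on the PRNG's original seed, so nobody later treats this as an entropy source.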
diff --git a/src/lib/krb5/krb/mk_safe.c b/src/lib/krb5/krb/mk_safe.c
index 781e256..dd7d1ef 100644
--- a/src/lib/krb5/krb/mk_safe.c
+++ b/src/lib/krb5/krb/mk_safe.c
@@ -27,7 +27,7 @@
* krb5_mk_safe()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -169,6 +169,7 @@ krb5_mk_safe(context, auth_context, userdata, outbuf, outdata)
krb5_address * plocal_fulladdr = NULL;
krb5_address remote_fulladdr;
krb5_address local_fulladdr;
+ krb5_cksumtype sumtype;
CLEANUP_INIT(2);
@@ -204,9 +205,33 @@ krb5_mk_safe(context, auth_context, userdata, outbuf, outdata)
}
}
+ {
+ unsigned int nsumtypes;
+ unsigned int i;
+ krb5_cksumtype *sumtypes;
+ retval = krb5_c_keyed_checksum_types (context, keyblock->enctype,
+ &nsumtypes, &sumtypes);
+ if (retval) {
+ CLEANUP_DONE ();
+ goto error;
+ }
+ if (nsumtypes == 0) {
+ retval = KRB5_BAD_ENCTYPE;
+ krb5_free_cksumtypes (context, sumtypes);
+ CLEANUP_DONE ();
+ goto error;
+ }
+ for (i = 0; i < nsumtypes; i++)
+ if (auth_context->safe_cksumtype == sumtypes[i])
+ break;
+ if (i == nsumtypes)
+ i = 0;
+ sumtype = sumtypes[i];
+ krb5_free_cksumtypes (context, sumtypes);
+ }
if ((retval = krb5_mk_safe_basic(context, userdata, keyblock, &replaydata,
plocal_fulladdr, premote_fulladdr,
- auth_context->safe_cksumtype, outbuf))) {
+ sumtype, outbuf))) {
CLEANUP_DONE();
goto error;
}
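Review bot: The new block has no comment explaining that `auth_context->safe_cksumtype` is silently replaced by `sumtypes[0]` when it is not a keyed checksum valid for the key's enctype. That is a behaviour change for applications that set the checksum type explicitly. The choice of index 0 also assumes the list from `krb5_c_keyed_checksum_types` is ordered by preference, which is not visible here. I would add above the block: `/* Use the configured safe_cksumtype only if it is a keyed type for this enctype; otherwise fall back to the enctype's first keyed checksum. */`.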
diff --git a/src/lib/krb5/krb/parse.c b/src/lib/krb5/krb/parse.c
index b628a0d..43faf32 100644
--- a/src/lib/krb5/krb/parse.c
+++ b/src/lib/krb5/krb/parse.c
@@ -71,7 +71,7 @@ krb5_parse_name(context, name, nprincipal)
{
register const char *cp;
register char *q;
- register i,c,size;
+ register int i,c,size;
int components = 0;
const char *parsed_realm = NULL;
int fcompsize[FCOMPNUM];
@@ -173,11 +173,13 @@ krb5_parse_name(context, name, nprincipal)
cp++;
size++;
} else if (c == COMPONENT_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
i++;
} else if (c == REALM_SEP) {
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
size = 0;
parsed_realm = cp+1;
} else
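Review bot: The new `krb5_princ_size(context, principal) > i` guard stops the out-of-range write, but it does so silently and parsing carries on with `i` past the end of the component array. The guard is repeated three times (twice here, once in the next hunk). A comment on the first, such as `/* this pass found more separators than were counted earlier; skip the store and let the i + 1 != components check below report it */`, would make the intent clear, assuming that is the case. In the next hunk the guarded statement hangs off `else` followed by `if` without braces, which is easy to misread; bracing the `else` body would help. krb5_parse_name starts and ends outside these hunks.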
@@ -186,7 +188,8 @@ krb5_parse_name(context, name, nprincipal)
if (parsed_realm)
krb5_princ_realm(context, principal)->length = size;
else
- krb5_princ_component(context, principal, i)->length = size;
+ if (krb5_princ_size(context, principal) > i)
+ krb5_princ_component(context, principal, i)->length = size;
if (i + 1 != components) {
#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)
fprintf(stderr,
diff --git a/src/lib/krb5/krb/preauth.c b/src/lib/krb5/krb/preauth.c
index 9f301da..173170a 100644
--- a/src/lib/krb5/krb/preauth.c
+++ b/src/lib/krb5/krb/preauth.c
@@ -32,7 +32,6 @@
#include "k5-int.h"
#include <stdio.h>
#include <time.h>
-#include <syslog.h>
#ifdef _MSDOS
#define getpid _getpid
#include <process.h>
@@ -172,6 +171,10 @@ krb5_error_code krb5_obtain_padata(context, preauth_to_use, key_proc,
retval = decode_krb5_etype_info(&scratch, &etype_info);
if (retval)
return retval;
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ }
}
}
diff --git a/src/lib/krb5/krb/preauth2.c b/src/lib/krb5/krb/preauth2.c
index 5ea61c9..78afab9 100644
--- a/src/lib/krb5/krb/preauth2.c
+++ b/src/lib/krb5/krb/preauth2.c
@@ -256,6 +256,9 @@ krb5_error_code pa_sam(krb5_context context,
krb5_data * scratch;
krb5_pa_data * pa;
+ if (prompter == NULL)
+ return KRB5_LIBOS_CANTREADPWD;
+
tmpsam.length = in_padata->length;
tmpsam.data = (char *) in_padata->contents;
if (ret = decode_krb5_sam_challenge(&tmpsam, &sam_challenge))
@@ -530,6 +533,11 @@ krb5_do_preauth(krb5_context context,
}
return ret;
}
+ if (etype_info[0] == NULL) {
+ krb5_free_etype_info(context, etype_info);
+ etype_info = NULL;
+ break;
+ }
salt->data = (char *) etype_info[0]->salt;
salt->length = etype_info[0]->length;
*etype = etype_info[0]->etype;
diff --git a/src/lib/krb5/krb/princ_comp.c b/src/lib/krb5/krb/princ_comp.c
index cba26a6..dbcd29d 100644
--- a/src/lib/krb5/krb/princ_comp.c
+++ b/src/lib/krb5/krb/princ_comp.c
@@ -30,7 +30,7 @@
#include "k5-int.h"
-krb5_boolean
+krb5_boolean KRB5_CALLCONV
krb5_realm_compare(context, princ1, princ2)
krb5_context context;
krb5_const_principal princ1;
diff --git a/src/lib/krb5/krb/rd_cred.c b/src/lib/krb5/krb/rd_cred.c
index 86c5ccf..593eb42 100644
--- a/src/lib/krb5/krb/rd_cred.c
+++ b/src/lib/krb5/krb/rd_cred.c
@@ -1,4 +1,4 @@
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -55,24 +55,22 @@ cleanup:
/*----------------------- krb5_rd_cred_basic -----------------------*/
static krb5_error_code
-krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
+krb5_rd_cred_basic(context, pcreddata, pkeyblock,
replaydata, pppcreds)
krb5_context context;
krb5_data * pcreddata;
krb5_keyblock * pkeyblock;
- krb5_address * local_addr;
- krb5_address * remote_addr;
krb5_replay_data * replaydata;
krb5_creds *** pppcreds;
{
- krb5_error_code retval;
- krb5_cred * pcred;
+ krb5_error_code retval;
+ krb5_cred * pcred;
krb5_int32 ncreds;
krb5_int32 i = 0;
krb5_cred_enc_part encpart;
/* decode cred message */
- if ((retval = decode_krb5_cred(pcreddata, &pcred)))
+ if ((retval = decode_krb5_cred(pcreddata, &pcred)))
return retval;
memset(&encpart, 0, sizeof(encpart));
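Review bot: Dropping `local_addr` and `remote_addr` from krb5_rd_cred_basic, together with the two hunks that follow, removes every check of the KRB-CRED `s_address`/`r_address` fields against the connection's addresses, and nothing in the code records why. Because this relaxes a verification step on forwarded credentials, the function header should say so explicitly, for example `/* Sender and recipient addresses in the KRB-CRED are deliberately not verified here; <reason>. */`, with the actual reason filled in by the author. It is also worth confirming that callers which relied on KRB5KRB_AP_ERR_BADADDR from this path have another control in place. The replay and timestamp handling under KRB5_AUTH_CONTEXT_DO_TIME further down is still present.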
@@ -80,38 +78,6 @@ krb5_rd_cred_basic(context, pcreddata, pkeyblock, local_addr, remote_addr,
if ((retval = decrypt_credencdata(context, pcred, pkeyblock, &encpart)))
goto cleanup_cred;
- /*
- * Only check the remote address if the KRB_CRED message was
- * protected by encryption. If it came in the checksum field of
- * an init_sec_context message, skip over this check.
- */
- if (remote_addr && encpart.s_address && pkeyblock != NULL) {
- if (!krb5_address_compare(context, remote_addr, encpart.s_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- }
-
- if (encpart.r_address) {
- if (local_addr) {
- if (!krb5_address_compare(context, local_addr, encpart.r_address)) {
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- } else {
- krb5_address **our_addrs;
-
- if ((retval = krb5_os_localaddr(context, &our_addrs))) {
- goto cleanup_cred;
- }
- if (!krb5_address_search(context, encpart.r_address, our_addrs)) {
- krb5_free_addresses(context, our_addrs);
- retval = KRB5KRB_AP_ERR_BADADDR;
- goto cleanup_cred;
- }
- krb5_free_addresses(context, our_addrs);
- }
- }
replaydata->timestamp = encpart.timestamp;
replaydata->usec = encpart.usec;
@@ -232,54 +198,12 @@ krb5_rd_cred(context, auth_context, pcreddata, pppcreds, outdata)
(auth_context->rcache == NULL))
return KRB5_RC_REQUIRED;
-{
- krb5_address * premote_fulladdr = NULL;
- krb5_address * plocal_fulladdr = NULL;
- krb5_address remote_fulladdr;
- krb5_address local_fulladdr;
- CLEANUP_INIT(2);
-
- if (auth_context->local_addr) {
- if (auth_context->local_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->local_addr,
- auth_context->local_port,
- &local_fulladdr))){
- CLEANUP_PUSH(local_fulladdr.contents, free);
- plocal_fulladdr = &local_fulladdr;
- } else {
- return retval;
- }
- } else {
- plocal_fulladdr = auth_context->local_addr;
- }
- }
-
- if (auth_context->remote_addr) {
- if (auth_context->remote_port) {
- if (!(retval = krb5_make_fulladdr(context,auth_context->remote_addr,
- auth_context->remote_port,
- &remote_fulladdr))){
- CLEANUP_PUSH(remote_fulladdr.contents, free);
- premote_fulladdr = &remote_fulladdr;
- } else {
- return retval;
- }
- } else {
- premote_fulladdr = auth_context->remote_addr;
- }
- }
if ((retval = krb5_rd_cred_basic(context, pcreddata, keyblock,
- plocal_fulladdr, premote_fulladdr,
&replaydata, pppcreds))) {
- CLEANUP_DONE();
- return retval;
+ return retval;
}
- CLEANUP_DONE();
-}
-
-
if (auth_context->auth_context_flags & KRB5_AUTH_CONTEXT_DO_TIME) {
krb5_donot_replay replay;
krb5_timestamp currenttime;
@@ -327,4 +251,3 @@ error:;
return retval;
}
-
diff --git a/src/lib/krb5/krb/rd_priv.c b/src/lib/krb5/krb/rd_priv.c
index 9629b0c..bf33ad2 100644
--- a/src/lib/krb5/krb/rd_priv.c
+++ b/src/lib/krb5/krb/rd_priv.c
@@ -27,7 +27,7 @@
* krb5_rd_priv()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
@@ -101,13 +101,6 @@ krb5_rd_priv_basic(context, inbuf, keyblock, local_addr, remote_addr,
&privmsg->enc_part, &scratch)))
goto cleanup_scratch;
- /* if i_vector is set, put last block into the i_vector */
- if (i_vector)
- memcpy(i_vector,
- privmsg->enc_part.ciphertext.data +
- (privmsg->enc_part.ciphertext.length - blocksize),
- blocksize);
-
/* now decode the decrypted stuff */
if ((retval = decode_krb5_enc_priv_part(&scratch, &privmsg_enc_part)))
goto cleanup_scratch;
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 442e78b..4e9f44e 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -83,8 +83,8 @@ krb5_rd_req_decrypt_tkt_part(context, req, keytab)
enctype, &ktent)))
return retval;
- if ((retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket)))
- return retval;
+ retval = krb5_decrypt_tkt_part(context, &ktent.key, req->ticket);
+ /* Upon error, Free keytab entry first, then return */
(void) krb5_kt_free_entry(context, &ktent);
return retval;
diff --git a/src/lib/krb5/krb/rd_safe.c b/src/lib/krb5/krb/rd_safe.c
index 19c541f..3909f16 100644
--- a/src/lib/krb5/krb/rd_safe.c
+++ b/src/lib/krb5/krb/rd_safe.c
@@ -27,7 +27,7 @@
* krb5_rd_safe()
*/
-#include <k5-int.h>
+#include "k5-int.h"
#include "cleanup.h"
#include "auth_con.h"
diff --git a/src/lib/krb5/krb/recvauth.c b/src/lib/krb5/krb/recvauth.c
index 3d5bce4..7458cb9 100644
--- a/src/lib/krb5/krb/recvauth.c
+++ b/src/lib/krb5/krb/recvauth.c
@@ -30,27 +30,24 @@
#define NEED_SOCKETS
#include "k5-int.h"
#include "auth_con.h"
-#include "com_err.h"
#include <errno.h>
#include <stdio.h>
#include <string.h>
static char *sendauth_version = "KRB5_SENDAUTH_V1.0";
-KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
-krb5_recvauth(context, auth_context,
- /* IN */
- fd, appl_version, server, flags, keytab,
- /* OUT */
- ticket)
- krb5_context context;
- krb5_auth_context FAR * auth_context;
- krb5_pointer fd;
- char FAR * appl_version;
- krb5_principal server;
- krb5_int32 flags;
- krb5_keytab keytab;
- krb5_ticket FAR * FAR * ticket;
+krb5_error_code
+recvauth_common(krb5_context context,
+ krb5_auth_context FAR * auth_context,
+ /* IN */
+ krb5_pointer fd,
+ char FAR *appl_version,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket FAR * FAR * ticket,
+ krb5_data FAR *version)
{
krb5_auth_context new_auth_context;
krb5_flags ap_option;
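Review bot: `recvauth_common` is defined with external linkage and an un-prefixed name, although both visible callers are in this file. Declaring it `static krb5_error_code` keeps it out of the library's exported symbols and avoids clashes with application code that might use the same name. The function body continues outside this hunk.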
@@ -91,12 +88,15 @@ krb5_recvauth(context, auth_context,
*/
if ((retval = krb5_read_message(context, fd, &inbuf)))
return(retval);
- if (strcmp(inbuf.data, appl_version)) {
+ if (appl_version && strcmp(inbuf.data, appl_version)) {
krb5_xfree(inbuf.data);
if (!problem)
problem = KRB5_SENDAUTH_BADAPPLVERS;
}
- krb5_xfree(inbuf.data);
+ if (version && !problem)
+ *version = inbuf;
+ else
+ krb5_xfree(inbuf.data);
/*
* OK, now check the problem variable. If it's zero, we're
* fine and we can continue. Otherwise, we have to signal an
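Review bot: On an application-version mismatch `inbuf.data` is freed twice: once by the `krb5_xfree(inbuf.data)` inside the mismatch braces and again by the new `else krb5_xfree(inbuf.data)`, because `problem` is non-zero by then. The buffer comes from `krb5_read_message`, i.e. from a peer that has not yet been authenticated, so this path is reachable from the network. The fix is to delete the `krb5_xfree(inbuf.data);` line inside the `if (appl_version && strcmp(...))` block and let the single release below handle it. `strcmp` on `inbuf.data` also assumes the peer's message is NUL-terminated; comparing against the received length would be safer if `krb5_read_message` does not guarantee that.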
@@ -243,3 +243,38 @@ cleanup:;
}
return retval;
}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_recvauth(context, auth_context,
+ /* IN */
+ fd, appl_version, server, flags, keytab,
+ /* OUT */
+ ticket)
+ krb5_context context;
+ krb5_auth_context FAR * auth_context;
+ krb5_pointer fd;
+ char FAR * appl_version;
+ krb5_principal server;
+ krb5_int32 flags;
+ krb5_keytab keytab;
+ krb5_ticket FAR * FAR * ticket;
+{
+ return recvauth_common (context, auth_context, fd, appl_version,
+ server, flags, keytab, ticket, 0);
+}
+
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_recvauth_version(krb5_context context,
+ krb5_auth_context FAR *auth_context,
+ /* IN */
+ krb5_pointer fd,
+ krb5_principal server,
+ krb5_int32 flags,
+ krb5_keytab keytab,
+ /* OUT */
+ krb5_ticket FAR * FAR *ticket,
+ krb5_data FAR *version)
+{
+ return recvauth_common (context, auth_context, fd, 0,
+ server, flags, keytab, ticket, version);
+}
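Review bot: `krb5_recvauth_version` has no comment describing its contract, and two parts of that contract are not obvious from the signature. It passes 0 for `appl_version`, so the application-version comparison in `recvauth_common` is skipped and the caller has to validate the returned string itself. When no problem was detected, `*version` takes over the buffer read from the peer, so the caller has to free `version->data`. I would add a header comment such as `/* Like krb5_recvauth, but returns the peer's application version in *version instead of checking it; the caller validates it and frees version->data. */`.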
diff --git a/src/lib/krb5/krb/send_tgs.c b/src/lib/krb5/krb/send_tgs.c
index 520c0e2..49bc1c9 100644
--- a/src/lib/krb5/krb/send_tgs.c
+++ b/src/lib/krb5/krb/send_tgs.c
@@ -150,7 +150,6 @@ krb5_send_tgs(context, kdcoptions, timestruct, ktypes, sname, addrs,
krb5_timestamp time_now;
krb5_pa_data **combined_padata;
krb5_pa_data ap_req_padata;
- size_t enclen;
/*
* in_creds MUST be a valid credential NOT just a partially filled in
diff --git a/src/lib/krb5/krb/sendauth.c b/src/lib/krb5/krb/sendauth.c
index 4e7c3a7..24d8a8e 100644
--- a/src/lib/krb5/krb/sendauth.c
+++ b/src/lib/krb5/krb/sendauth.c
@@ -30,7 +30,6 @@
#define NEED_SOCKETS
#include "k5-int.h"
-#include "com_err.h"
#include "auth_con.h"
#include <errno.h>
#include <stdio.h>
@@ -119,7 +118,7 @@ krb5_sendauth(context, auth_context,
if (!in_creds || !in_creds->ticket.length) {
if (ccache)
use_ccache = ccache;
- else if ((retval = krb5_cc_default(context, &use_ccache)))
+ else if ((retval = krb5int_cc_default(context, &use_ccache)))
goto error_return;
}
if (!in_creds) {
@@ -152,9 +151,32 @@ krb5_sendauth(context, auth_context,
credsp = in_creds;
}
- if ((retval = krb5_mk_req_extended(context, auth_context, ap_req_options,
- in_data, credsp, &outbuf)))
- goto error_return;
+ if (ap_req_options & AP_OPTS_USE_SUBKEY) {
+ /* Provide some more fodder for random number code.
+ This isn't strong cryptographically; the point here is
+ not to guarantee randomness, but to make it less likely
+ that multiple sessions could pick the same subkey. */
+ char rnd_data[1024];
+ size_t len;
+ krb5_data d;
+ d.length = sizeof (rnd_data);
+ d.data = rnd_data;
+ len = sizeof (rnd_data);
+ if (getpeername (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
+ d.length = len;
+ (void) krb5_c_random_seed (context, &d);
+ }
+ len = sizeof (rnd_data);
+ if (getsockname (*(int*)fd, (struct sockaddr *) rnd_data, &len) == 0) {
+ d.length = len;
+ (void) krb5_c_random_seed (context, &d);
+ }
+ }
+
+ if ((retval = krb5_mk_req_extended(context, auth_context,
+ ap_req_options, in_data, credsp,
+ &outbuf)))
+ goto error_return;
/*
* First write the length of the AP_REQ message, then write
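Review bot: `len` is declared `size_t`, but its address is passed as the third argument of `getpeername` and `getsockname`, which take a pointer to the socket-length type (`socklen_t` on POSIX systems, `int` on older ones). Where `size_t` is wider than that type the call reads and writes only part of `len`, so `d.length` can end up unrelated to what was stored in `rnd_data` before it is handed to `krb5_c_random_seed`. Declaring it as `socklen_t len;` (or whichever type the build's configure check selects for this argument) fixes that. `*(int*)fd` also assumes `fd` always points at a socket descriptor, which deserves a line in the comment. The enclosing `krb5_sendauth` starts and ends outside the hunk.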
diff --git a/src/lib/krb5/krb/ser_actx.c b/src/lib/krb5/krb/ser_actx.c
index bac90e3..fdebbe3 100644
--- a/src/lib/krb5/krb/ser_actx.c
+++ b/src/lib/krb5/krb/ser_actx.c
@@ -208,6 +208,7 @@ krb5_auth_context_externalize(kcontext, arg, buffer, lenremain)
krb5_octet *bp;
size_t remain;
krb5_int32 obuf;
+ size_t vecsize;
required = 0;
bp = *buffer;
@@ -237,11 +238,14 @@ krb5_auth_context_externalize(kcontext, arg, buffer, lenremain)
if (auth_context->i_vector) {
kret = krb5_c_block_size(kcontext,
auth_context->keyblock->enctype,
- &obuf);
+ &vecsize);
} else {
- obuf = 0;
+ vecsize = 0;
}
-
+ obuf = vecsize;
+ if (obuf != vecsize)
+ kret = EINVAL;
+
if (!kret)
(void) krb5_ser_pack_int32(obuf, &bp, &remain);
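Review bot: `obuf = vecsize;` runs even when `krb5_c_block_size` has failed, and in that case `vecsize` may never have been written. The comparison then reads an indeterminate value and can replace the original error in `kret` with `EINVAL`. Whether `krb5_c_block_size` stores to its output on failure is not visible here, so I would not rely on it. Either initialise the variable where the earlier hunk declares it, `size_t vecsize = 0;`, or guard the narrowing check with `if (!kret) { obuf = vecsize; if (obuf != vecsize) kret = EINVAL; }`.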
diff --git a/src/lib/krb5/krb/srv_rcache.c b/src/lib/krb5/krb/srv_rcache.c
index c94201b..04e9707 100644
--- a/src/lib/krb5/krb/srv_rcache.c
+++ b/src/lib/krb5/krb/srv_rcache.c
@@ -48,6 +48,9 @@ krb5_get_server_rcache(context, piece, rcptr)
unsigned long uid = geteuid();
#endif
+ if (piece == NULL)
+ return ENOMEM;
+
rcache = (krb5_rcache) malloc(sizeof(*rcache));
if (!rcache)
return ENOMEM;
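Review bot: A null `piece` is reported as `ENOMEM`, which tells the caller that an allocation failed when the actual problem is an invalid argument. `return EINVAL;` would let callers and logs tell the two cases apart. The rest of `krb5_get_server_rcache` is outside the hunk.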
diff --git a/src/lib/krb5/krb/t_kerb.c b/src/lib/krb5/krb/t_kerb.c
index 2feef39..458015d 100644
--- a/src/lib/krb5/krb/t_kerb.c
+++ b/src/lib/krb5/krb/t_kerb.c
@@ -4,6 +4,7 @@
*/
#include "krb5.h"
+#include "kerberosIV/krb.h"
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
@@ -56,6 +57,32 @@ void test_425_conv_principal(ctx, name, inst, realm)
krb5_free_principal(ctx, princ);
}
+void test_524_conv_principal(ctx, name)
+ krb5_context ctx;
+ char *name;
+{
+ krb5_principal princ = 0;
+ krb5_error_code retval;
+ char aname[ANAME_SZ+1], inst[INST_SZ+1], realm[REALM_SZ+1];
+
+ aname[ANAME_SZ] = inst[INST_SZ] = realm[REALM_SZ] = 0;
+ retval = krb5_parse_name(ctx, name, &princ);
+ if (retval) {
+ com_err("krb5_parse_name", retval, 0);
+ goto fail;
+ }
+ retval = krb5_524_conv_principal(ctx, princ, aname, inst, realm);
+ if (retval) {
+ com_err("krb5_524_conv_principal", retval, 0);
+ goto fail;
+ }
+ printf("524_converted_principal(%s): '%s' '%s' '%s'\n",
+ name, aname, inst, realm);
+ fail:
+ if (princ)
+ krb5_free_principal (ctx, princ);
+}
+
void test_parse_name(ctx, name)
krb5_context ctx;
const char *name;
@@ -131,6 +158,7 @@ void usage(progname)
{
fprintf(stderr, "%s: Usage: %s 425_conv_principal <name> <inst> <realm\n",
progname, progname);
+ fprintf(stderr, "\t%s 524_conv_principal <name>\n", progname);
fprintf(stderr, "\t%s parse_name <name>\n", progname);
fprintf(stderr, "\t%s set_realm <name> <realm>\n", progname);
fprintf(stderr, "\t%s string_to_timestamp <time>\n", progname);
@@ -186,6 +214,10 @@ main(argc, argv)
argc--; argv++;
if (!argc) usage(progname);
test_string_to_timestamp(ctx, *argv);
+ } else if (strcmp(*argv, "524_conv_principal") == 0) {
+ argc--; argv++;
+ if (!argc) usage(progname);
+ test_524_conv_principal(ctx, *argv);
}
else
usage(progname);
diff --git a/src/lib/krb5/krb/t_krb5.conf b/src/lib/krb5/krb/t_krb5.conf
index 5882d97..8d7a4d9 100644
--- a/src/lib/krb5/krb/t_krb5.conf
+++ b/src/lib/krb5/krb/t_krb5.conf
@@ -19,6 +19,12 @@
kdc = KERBEROS.CYGNUS.COM
admin_server = KERBEROS.MIT.EDU
}
+ stanford.edu = {
+ v4_realm = IR.STANFORD.EDU
+ }
+ LONGNAMES.COM = {
+ v4_realm = SOME-REALLY-LONG-REALM-NAME-V4-CANNOT-HANDLE.COM
+ }
[domain_realm]
.mit.edu = ATHENA.MIT.EDU
diff --git a/src/lib/krb5/krb/t_ref_kerb.out b/src/lib/krb5/krb/t_ref_kerb.out
index 9423944..08a5334 100644
--- a/src/lib/krb5/krb/t_ref_kerb.out
+++ b/src/lib/krb5/krb/t_ref_kerb.out
@@ -14,4 +14,6 @@ parsed (and unparsed) principal(\/slash/\@atsign/octa\/thorpe@\/slash\@at\/sign)
425_converted principal(rcmd, uunet, UU.NET): 'host/uunet.uu.net@UU.NET'
425_converted principal(zephyr, zephyr, ATHENA.MIT.EDU): 'zephyr/zephyr@ATHENA.MIT.EDU'
425_converted principal(kadmin, ATHENA.MIT.EDU, ATHENA.MIT.EDU): 'kadmin/ATHENA.MIT.EDU@ATHENA.MIT.EDU'
+524_converted_principal(host/e40-po.mit.edu@ATHENA.MIT.EDU): 'rcmd' 'e40-po' 'ATHENA.MIT.EDU'
+524_converted_principal(host/foobar.stanford.edu@stanford.edu): 'rcmd' 'foobar' 'IR.STANFORD.EDU'
old principal: marc@MIT.EDU, modified principal: marc@CYGNUS.COM
diff --git a/src/lib/krb5/krb/unparse.c b/src/lib/krb5/krb/unparse.c
index f7df6ab..d0dfadc 100644
--- a/src/lib/krb5/krb/unparse.c
+++ b/src/lib/krb5/krb/unparse.c
@@ -70,6 +70,9 @@ krb5_unparse_name_ext(context, principal, name, size)
krb5_int32 nelem;
register int totalsize = 0;
+ if (!principal)
+ return KRB5_PARSE_MALFORMED;
+
cp = krb5_princ_realm(context, principal)->data;
length = krb5_princ_realm(context, principal)->length;
totalsize += length;
@@ -150,7 +153,8 @@ krb5_unparse_name_ext(context, principal, name, size)
*q++ = COMPONENT_SEP;
}
- q--; /* Back up last component separator */
+ if (i > 0)
+ q--; /* Back up last component separator */
*q++ = REALM_SEP;
cp = krb5_princ_realm(context, principal)->data;
diff --git a/src/lib/krb5/krb/vfy_increds.c b/src/lib/krb5/krb/vfy_increds.c
index 85a8465..f046ab5 100644
--- a/src/lib/krb5/krb/vfy_increds.c
+++ b/src/lib/krb5/krb/vfy_increds.c
@@ -109,7 +109,7 @@ krb5_verify_init_creds(krb5_context context,
(options->flags & KRB5_VERIFY_INIT_CREDS_OPT_AP_REQ_NOFAIL)) {
if (options->ap_req_nofail)
goto cleanup;
- } else if ((ret2 = krb5_appdefault_boolean(context,
+ } else if ((ret2 = krb5_libdefault_boolean(context,
&creds->client->realm,
"verify_ap_req_nofail",
&nofail))
diff --git a/src/lib/krb5/krb/walk_rtree.c b/src/lib/krb5/krb/walk_rtree.c
index 833ec61..163b7bb 100644
--- a/src/lib/krb5/krb/walk_rtree.c
+++ b/src/lib/krb5/krb/walk_rtree.c
@@ -93,6 +93,27 @@
#define max(x,y) ((x) > (y) ? (x) : (y))
#endif
+/*
+ * xxx The following function is very confusing to read and probably
+ * is buggy. It should be documented better. Here is what I've
+ * learned about it doing a quick bug fixing walk through. The
+ * function takes a client and server realm name and returns the set
+ * of realms (in a field called tree) that you need to get tickets in
+ * in order to get from the source realm to the destination realm. It
+ * takes a realm separater character (normally ., but presumably there
+ * for all those X.500 realms) . There are two modes it runs in: the
+ * ANL krb5.confmode and the hierarchy mode. The ANL mode is
+ * fairly obvious. The hierarchy mode looks for common components in
+ * both the client and server realms. In general, the pointer scp and
+ * ccp are used to walk through the client and server realms. The
+ * com_sdot and com_cdot pointers point to (I think) the beginning of
+ * the common part of the realm names. I.E. strcmp(com_cdot,
+ * com_sdot) ==0 is roughly an invarient. However, there are cases
+ * where com_sdot and com_cdot are set to point before the start of
+ * the client or server strings. I think this only happens when there
+ * are no common components. --hartmans 2002/03/14
+ */
+
krb5_error_code
krb5_walk_realm_tree(context, client, server, tree, realm_branch_char)
krb5_context context;
@@ -115,6 +136,10 @@ krb5_walk_realm_tree(context, client, server, tree, realm_branch_char)
char *cap_client, *cap_server;
char **cap_nodes;
krb5_error_code cap_code;
+#endif
+ if (!(client->data &&server->data))
+ return KRB5_NO_TKT_IN_RLM;
+#ifdef CONFIGURABLE_AUTHENTICATION_PATH
if ((cap_client = (char *)malloc(client->length + 1)) == NULL)
return ENOMEM;
strncpy(cap_client, client->data, client->length);
diff --git a/src/lib/krb5/krb5_libinit.c b/src/lib/krb5/krb5_libinit.c
index beeb06d..547be4d 100644
--- a/src/lib/krb5/krb5_libinit.c
+++ b/src/lib/krb5/krb5_libinit.c
@@ -1,5 +1,9 @@
#include <assert.h>
+#if TARGET_OS_MAC
+ #include <Kerberos/com_err.h>
+#endif
+
#include "krb5.h"
#include "krb5_err.h"
#include "kv5m_err.h"
@@ -16,10 +20,12 @@ krb5_error_code krb5int_initialize_library (void)
{
if (!initialized) {
+#if !TARGET_OS_MAC || USE_HARDCODED_FALLBACK_ERROR_TABLES
add_error_table(&et_krb5_error_table);
add_error_table(&et_kv5m_error_table);
add_error_table(&et_kdb5_error_table);
add_error_table(&et_asn1_error_table);
+#endif
initialized = 1;
}
@@ -35,14 +41,16 @@ void krb5int_cleanup_library (void)
{
assert (initialized);
-#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
+#if defined(_MSDOS) || defined(_WIN32) || TARGET_OS_MAC
krb5_stdcc_shutdown();
#endif
+#if !TARGET_OS_MAC || USE_HARDCODED_FALLBACK_ERROR_TABLES
remove_error_table(&et_krb5_error_table);
remove_error_table(&et_kv5m_error_table);
remove_error_table(&et_kdb5_error_table);
remove_error_table(&et_asn1_error_table);
+#endif
initialized = 0;
}
diff --git a/src/lib/krb5/os/ChangeLog b/src/lib/krb5/os/ChangeLog
index 8f8c018..ee721ce 100644
--- a/src/lib/krb5/os/ChangeLog
+++ b/src/lib/krb5/os/ChangeLog
@@ -1,3 +1,212 @@
+2002-10-31 Tom Yu <tlyu@mit.edu>
+
+ * hst_realm.c (krb5_try_realm_txt_rr): Apply patch from Nalin
+ Dahyabhai to bounds-check return value from res_search().
+
+ * locate_kdc.c (krb5_locate_srv_dns_1): Apply patch from Nalin
+ Dahyabhai to bounds-check return value from res_search().
+
+ [pullups from trunk]
+
+2002-05-24 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: krb4 needs to get the os config files so it can use
+ the profile too. Define these functions on Mac OS X now.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: Removed use of FSSpecs because these cause serious
+ performance problems on Mac OS X. We now search paths the same way
+ the rest of the Unix platforms do.
+
+2002-04-05 Danilo Almeida <dalmeida@mit.edu>
+
+ * toffset.c (krb5_get_time_offsets), an_to_ln.c
+ (krb5_aname_to_localname): Make KRB5_CALLCONV.
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * init_os_ctx.c: Add CoreServices.h before k5-int.h so we don't get
+ multiple definitions for FSSpec. Also removed an unused variable in
+ Mac OS X code and added casts for Mac OS X code so FSSpecs are cast
+ to profile file types (code deals properly on the other side)
+ * timeofday.c: Added casts to remove warnings
+
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * ccdefname.c, init_os_ctx.c, timeofday.c: Updated Mac OS X headers to new
+ framework layout and updated Mac OS macros
+ * changepw.c: removed unused variable
+ * gmt_mktime.c: added int to removed warning about type defaulting to int
+
+2002-01-29 Tom Yu <tlyu@mit.edu>
+
+ * def_realm.c: Add terminal newline. Fixes [krb5-build/1041].
+
+2001-12-03 Miro Jurisic <meeroh@mit.edu>
+
+ * c_ustime.c: punted the accurate microseconds timing code because it
+ wasn't so accurate after all.
+
+2000-11-27 Alexandra Ellwood <lxs@mit.edu>
+
+ * read_pwd.c: Removed #defines for Mac OS X (__MACH__) because we
+ now export krb5_read_password on Mac OS X
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * localaddr.c: Fixed typo.
+ * localaddr.c: Added a special krb5_os_localaddr for Mac OS 9
+ which looks up the addresses without querying DNS synchronously
+ * prompter.c, promptusr.c, read_pwd.c: We now export
+ krb5_prompter_posix and krb5_read_password on Mac OS X
+ * c_us_time.c: Updated Utilities.h #include
+ * c_us_time.c: Fix the sleep queue notification code to
+ only run on machines with power management
+ * ccdefname.c, init_os_ctx.c: Updated Mac OS #defines and #includes
+ for new header layout and Mac OS X frameworks
+
+2001-02-05 Tom Yu <tlyu@mit.edu>
+
+ * prompter.c (krb5_prompter_posix): Fix up terminal modes if we're
+ interrupted. [reported by Booker Bense] [pullup from trunk]
+
+2001-02-02 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c (foreach_localaddr): Increase buffer space initially
+ allocated. Add more slop space at the end that must remain unused
+ before we stop growing the buffer. Impose a maximum size on the
+ buffer. Handle possibility of returned ifc_len being larger than
+ the supplied buffer.
+
+2001-01-30 Ken Raeburn <raeburn@mit.edu>
+
+ * changepw.c (fixup_ports): New function, uses correct level of
+ indirection for elements of socket address array.
+ (krb5_locate_kpasswd): Call fixup_ports.
+
+2001-01-24 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fix the sleep queue notification code to
+ avoid denying sleep requests
+
+2000-12-19 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fix the sleep queue notification code to
+ build with Universal Headers 3.3
+
+2000-11-29 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Install a callback in the Mac OS sleep
+ queue to get notification of the machine coming out
+ of sleep, in order to refresh the cached uptime to
+ real time offset
+
+2000-10-28 Miro Jurisic <meeroh@mit.edu>
+
+ * c_ustime.c: Fixed epoch calculation under Mac OS 9 Carbon and Mac OS X
+
+2000-10-16 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c: Use PreferencesLib to discover config files on Mac OS X
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * ccdefname.c, init_os_ctx.c, prompter.c, prompterusr.c. read_pwd.c
+ timeofday.c: Added #defines for Mac OS X (__MACH__) to mimic macintosh
+ behavior
+
+2000-09-28 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Fixed Mac code to use the correct epoch
+
+2000-09-23 Miro Jurisic <meeroh@mit.edu>
+
+ * c_us_time.c: Added modifications to Mac OS Microseconds timing
+ to work properly under Carbon.
+
+2000-06-19 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c (foreach_localaddr): Use SIOCGSIZIFCONF ioctl if
+ available to get the buffer size needed for SIOCGIFCONF, and skip
+ the silly heuristics if it returns a reasonable value.
+
+2000-06-14 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files):
+ Return ENOENT when file is not found on MacOS (not ENFILE)
+
+2000-06-09 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files):
+ Eliminated some dead code
+
+2000-06-09 Miro Jurisic <meeroh@mit.edu>
+
+ * init_os_ctx.c (os_get_default_config_files): Use Kerberos
+ Preferences library to locate the config files on Mac OS
+
+2000-05-17 Nalin Dahyabhai <nalin@redhat.com>
+
+ * an_to_ln.c (do_replacement): Don't overflow buffers "in" or "out".
+ * hst_realm.c (krb5_try_realm_txt_rr): Don't overfill "host" when
+ malformed DNS responses are received.
+
+2000-05-15 Jeffrey Altman <jaltman@columbia.edu>
+
+ * hst_realm.c (krb5_get_host_realm)
+ remove the searchlist and defaultrealm _kerberos queries
+
+2000-05-09 Alexandra Ellwood <lxs@mit.edu>
+
+ *localaddr.c: Fixed the local_addr_fallback_kludge so that it actually does something.
+ Before that the error code it was handling was blowing it away in cleanup.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * ccdefname.c (get_from_os): Don't overflow buffer "name_buf".
+ * kuserok.c (krb5_kuserok): Don't overflow buffer "pbuf".
+
+2000-04-22 Ken Raeburn <raeburn@mit.edu>
+
+ * localaddr.c: Include stddef.h.
+ (foreach_localaddr): Check each address against previously used
+ addresses, and skip duplicates, in case multiple interfaces have
+ the same address. If called functions fail, drop out of loop and
+ return nonzero.
+ (krb5_os_localaddr): Increment count of addresses to include null
+ pointer terminator. Delete check for zero count.
+
+2000-04-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * prompter.c (krb5int_set_prompt_types): Set to actual value
+ intead of 0.
+
+2000-4-13 Alexandra Ellwood <lxs@mit.edu>
+
+ * init_os_ctx.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+ * ccdefname.c: Added support to store a krb5_principal in the os_context
+ along with the default ccache name (if known, this principal is the same
+ as the last time we looked at the ccache.
+
+2000-04-04 Ken Raeburn <raeburn@mit.edu>
+
+ * locate_kdc.c (maybe_use_dns): Renamed from _krb5_use_dns. Now
+ takes an arg to indicate a key to look up in krb5.conf, falling
+ back to "dns_fallback", and an arg indicating the default value if
+ no config file entries match.
+ (_krb5_use_dns_realm): New routine; use "dns_lookup_realm" and
+ KRB5_DNS_LOOKUP_REALM setting.
+ (_krb5_use_dns_kdc): New routine; use "dns_lookup_kdc" and
+ KRB5_DNS_LOOKUP_KDC.
+ (krb5_locate_kdc): Call _krb5_use_dns_kdc.
+ * changepw.c (krb5_locate_kpasswd): Call _krb5_use_dns_kdc.
+ * def_realm.c (krb5_get_default_realm): Call _krb5_use_dns_realm.
+ * hst_realm.c (krb5_get_host_realm): Call _krb5_use_dns_realm.
+
+2000-03-20 Miro Jurisic <meeroh@mit.edu>
+
+ * def_realm.c (krb5_free_default_realm): Added, use to free
+ result of krb5_get_default_realm
+
2000-03-15 Danilo Almeida <dalmeida@mit.edu>
* prompter.c: Add krb5int_set_prompt_types() and
diff --git a/src/lib/krb5/os/an_to_ln.c b/src/lib/krb5/os/an_to_ln.c
index 3c721fb..df4b5d5 100644
--- a/src/lib/krb5/os/an_to_ln.c
+++ b/src/lib/krb5/os/an_to_ln.c
@@ -298,15 +298,15 @@ do_replacement(regexp, repl, doall, in, out)
strncpy(op, cp, match_match.rm_so);
op += match_match.rm_so;
}
- strcpy(op, repl);
- op += strlen(repl);
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
+ op += strlen(op);
cp += match_match.rm_eo;
if (!doall)
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
} while (doall && matched);
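Review bot: The new bound `MAX_FORMAT_BUFFER - 1 - (op - out)` is only safe while `op` stays inside the buffer, and the unchanged `strncpy(op, cp, match_match.rm_so); op += match_match.rm_so;` just above it is still unbounded. With `doall` set and several matches, `op` can move past `out + MAX_FORMAT_BUFFER - 1`; the expression then goes negative and is converted to a very large `size_t` count. Clamping the space once per iteration, e.g. `size_t room = (op - out < MAX_FORMAT_BUFFER - 1) ? MAX_FORMAT_BUFFER - 1 - (op - out) : 0;`, and using `room` to limit the prefix copy as well, closes that gap. `op += strlen(op)` also depends on the destination having been zero-filled by the caller, which this function does not do itself. `do_replacement` starts outside the hunk.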
@@ -333,20 +333,20 @@ do_replacement(regexp, repl, doall, in, out)
strncpy(op, cp, sdispl);
op += sdispl;
}
- strcpy(op, repl);
+ strncpy(op, repl, MAX_FORMAT_BUFFER - 1 - (op - out));
op += strlen(repl);
cp += edispl;
if (!doall)
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 1;
}
else {
- strcpy(op, cp);
+ strncpy(op, cp, MAX_FORMAT_BUFFER - 1 - (op - out));
matched = 0;
}
} while (doall && matched);
#else /* HAVE_REGEXP_H */
- strcpy(out, in);
+ memcpy(out, in, MAX_FORMAT_BUFFER);
#endif /* HAVE_REGCOMP */
}
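Review bot: This branch still advances with `op += strlen(repl);` after the bounded copy, unlike the regcomp branch in the previous hunk, which was changed to `op += strlen(op);`. When `repl` is longer than the remaining space, `op` ends up past the bytes actually written and possibly past the end of `out`, which makes the next `MAX_FORMAT_BUFFER - 1 - (op - out)` negative. Use `op += strlen(op);` here as well. In the `#else` fallback, `memcpy(out, in, MAX_FORMAT_BUFFER)` always reads the full size from `in`, which is correct only if both are full-size buffers; that precondition should be stated in a comment.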
@@ -379,7 +379,8 @@ aname_replacer(string, contextp, result)
* Prime the buffers. Copy input string to "out" to simulate it
* being the result of an initial iteration.
*/
- strcpy(out, string);
+ strncpy(out, string, MAX_FORMAT_BUFFER - 1);
+ out[MAX_FORMAT_BUFFER - 1] = '\0';
in[0] = '\0';
kret = 0;
/*
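Review bot: An over-long `string` is now silently truncated to `MAX_FORMAT_BUFFER - 1` bytes and then run through the replacement rules. The result presumably feeds the principal-to-local-name mapping in this file, so a truncated input could map to a different name than the full one would; rejecting the input is safer than shortening it. A length check before the copy, `if (strlen(string) >= MAX_FORMAT_BUFFER)` followed by an error return, would do that; which error code to use is for the maintainers to decide. `aname_replacer` starts and ends outside the hunk.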
@@ -421,6 +422,7 @@ aname_replacer(string, contextp, result)
out = ep;
/* Do the replacemenbt */
+ memset(out, '\0', MAX_FORMAT_BUFFER);
do_replacement(rule, repl, doglobal, in, out);
free(rule);
free(repl);
@@ -651,7 +653,7 @@ default_an_to_ln(context, aname, lnsize, lname)
returns system errors, NOT_ENOUGH_SPACE
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_aname_to_localname(context, aname, lnsize, lname)
krb5_context context;
krb5_const_principal aname;
diff --git a/src/lib/krb5/os/c_ustime.c b/src/lib/krb5/os/c_ustime.c
index 5f73587..d294e01 100644
--- a/src/lib/krb5/os/c_ustime.c
+++ b/src/lib/krb5/os/c_ustime.c
@@ -51,12 +51,17 @@
#include <DriverServices.h> /* Nanosecond timing */
#include <CodeFragments.h> /* Check for presence of UpTime */
#include <Math64.h> /* 64-bit integer math */
+#include <KerberosSupport/Utilities.h> /* Mac time -> UNIX time conversion */
+#include <Power.h> /* Sleep queue */
/* Mac Cincludes */
#include <string.h>
#include <stddef.h>
static krb5_int32 last_sec = 0, last_usec = 0;
+static int gResetCachedDifference = 0;
+static SleepQRec gSleepQRecord;
+static SleepQUPP gSleepQUPP;
/* Check for availability of microseconds or better timer */
Boolean HaveAccurateTime ();
@@ -68,6 +73,21 @@ void AbsoluteToSecsNanosecs (
UInt32 *residualNanoseconds /* Fractional second */
);
+/* Convert Microseconds to date and time */
+void MicrosecondsToSecsMicrosecs (
+ UnsignedWide eventTime, /* Value to convert */
+ UInt32 *eventSeconds, /* Result goes here */
+ UInt32 *residualMicroseconds /* Fractional second */
+ );
+
+/* Sleep notification callback in needed to reset cached
+difference when the machine goes to sleep */
+void InstallSleepNotification ();
+void RemoveSleepNotification ();
+pascal long SleepNotification (
+ SInt32 message,
+ SleepQRecPtr qRecPtr);
+
/*
* The Unix epoch is 1/1/70, the Mac epoch is 1/1/04.
*
@@ -101,14 +121,6 @@ getTimeZoneOffset()
/* Returns the GMT in seconds (and fake microseconds) using the Unix epoch */
-/*
- * Note that unix timers are guaranteed that consecutive calls to timing functions will
- * always return monotonically increasing values for time; even if called within one microsecond,
- * they must increase from one call to another. We must preserve this property in this code,
- * even though Mac UpTime does not make such guarantees... (actually it does, but it measures in
- * units that can be finer than 1 microsecond, so conversion can cause repeat microsecond values
- */
-
krb5_error_code
krb5_crypto_us_timeofday(seconds, microseconds)
krb5_int32 *seconds, *microseconds;
@@ -116,34 +128,13 @@ krb5_crypto_us_timeofday(seconds, microseconds)
krb5_int32 sec, usec;
time_t the_time;
- GetDateTime (&the_time);
-
- sec = the_time -
- ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) +
- (getTimeZoneOffset() * 60 * 60));
-
-#if TARGET_CPU_PPC /* Only PPC has accurate time */
- if (HaveAccurateTime ()) { /* Does hardware support accurate time? */
-
- AbsoluteTime absoluteTime;
- UInt32 nanoseconds;
-
- absoluteTime = UpTime ();
- AbsoluteToSecsNanosecs (absoluteTime, &sec, &nanoseconds);
-
- usec = nanoseconds / 1000;
- } else
-#endif /* TARGET_CPU_PPC */
- {
- GetDateTime (&sec);
- usec = 0;
- }
+ GetDateTime (&sec);
+ usec = 0;
/* Fix secs to UNIX epoch */
- sec -= ((66 * 365 * 24 * 60 * 60) + (17 * 24 * 60 * 60) +
- (getTimeZoneOffset() * 60 * 60));
-
+ mac_time_to_unix_time (&sec);
+
/* Make sure that we are _not_ repeating */
if (sec < last_sec) { /* Seconds should be at least equal to last seconds */
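Review bot: After this change `the_time` is declared but no longer used, and `usec` is always 0, so the only thing keeping successive results distinct is the "not repeating" logic that follows. `GetDateTime (&sec)` and `mac_time_to_unix_time (&sec)` are handed a `krb5_int32 *`; if those routines expect a pointer to an unsigned 32-bit value (to be confirmed against the headers), a temporary of the right type would make the conversion explicit. The prototypes and statics added in the earlier hunks of this file (`MicrosecondsToSecsMicrosecs`, `InstallSleepNotification`, `RemoveSleepNotification`, `SleepNotification`, `gResetCachedDifference`, `gSleepQRecord`, `gSleepQUPP`) have no definitions or uses in the visible diff and look like leftovers. I would drop `time_t the_time;` and the unused declarations.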
@@ -170,90 +161,6 @@ krb5_crypto_us_timeofday(seconds, microseconds)
return 0;
}
-/* Check if we have microsecond or better timer */
-
-Boolean HaveAccurateTime ()
-{
- static Boolean alreadyChecked = false;
- static haveAccurateTime = false;
-
- if (!alreadyChecked) {
- alreadyChecked = true;
- haveAccurateTime = false;
-#if TARGET_CPU_PPC
- if ((Ptr) UpTime != (Ptr) kUnresolvedCFragSymbolAddress) {
- UInt32 minAbsoluteTimeDelta;
- UInt32 theAbsoluteTimeToNanosecondNumerator;
- UInt32 theAbsoluteTimeToNanosecondDenominator;
- UInt32 theProcessorToAbsoluteTimeNumerator;
- UInt32 theProcessorToAbsoluteTimeDenominator;
-
- GetTimeBaseInfo (
- &minAbsoluteTimeDelta,
- &theAbsoluteTimeToNanosecondNumerator,
- &theAbsoluteTimeToNanosecondDenominator,
- &theProcessorToAbsoluteTimeNumerator,
- &theProcessorToAbsoluteTimeDenominator);
-
- /* minAbsoluteTimeDelta is the period in which Uptime is updated, in absolute time */
- /* We convert it to nanoseconds and compare it with .5 microsecond */
-
- if (minAbsoluteTimeDelta * theAbsoluteTimeToNanosecondNumerator <
- 500 * theAbsoluteTimeToNanosecondDenominator) {
- haveAccurateTime = true;
- }
- }
-#endif /* TARGET_CPU_PPC */
- }
-
- return haveAccurateTime;
-}
-
-/* Convert nanoseconds to date and time */
-
-void AbsoluteToSecsNanosecs (
- AbsoluteTime eventTime, /* Value to convert */
- UInt32 *eventSeconds, /* Result goes here */
- UInt32 *residualNanoseconds /* Fractional second */
- )
-{
- UInt64 eventNanoseconds;
- UInt64 eventSeconds64;
- static const UInt64 kTenE9 = U64SetU (1000000000);
- static UInt64 gNanosecondsAtStart = U64SetU (0);
-
- /*
- * If this is the first call, compute the offset between
- * GetDateTime and UpTime.
- */
- if (U64Compare (gNanosecondsAtStart, U64SetU (0)) == 0) {
- UInt32 secondsAtStart;
- AbsoluteTime absoluteTimeAtStart;
- UInt64 upTimeAtStart;
- UInt64 nanosecondsAtStart;
-
- GetDateTime (&secondsAtStart);
- upTimeAtStart = UnsignedWideToUInt64 (AbsoluteToNanoseconds (UpTime()));
- nanosecondsAtStart = U64SetU (secondsAtStart);
- nanosecondsAtStart = U64Multiply (nanosecondsAtStart, kTenE9);
- gNanosecondsAtStart = U64Subtract (nanosecondsAtStart, upTimeAtStart);
- }
- /*
- * Convert the event time (UpTime value) to nanoseconds and add
- * the local time epoch.
- */
- eventNanoseconds = UnsignedWideToUInt64 (AbsoluteToNanoseconds (eventTime));
- eventNanoseconds = U64Add (gNanosecondsAtStart, eventNanoseconds);
- /*
- * eventSeconds = eventNanoseconds /= 10e9;
- * residualNanoseconds = eventNanoseconds % 10e9;
- * Finally, compute the local time (seconds) and fraction.
- */
- eventSeconds64 = U64Div (eventNanoseconds, kTenE9);
- eventNanoseconds = U64Subtract (eventNanoseconds, U64Multiply (eventSeconds64, kTenE9));
- *eventSeconds = (UInt64ToUnsignedWide (eventSeconds64)).lo;
- *residualNanoseconds = (UInt64ToUnsignedWide (eventNanoseconds)).lo;
-}
#elif defined(_WIN32)
/* Microsoft Windows NT and 95 (32bit) */
diff --git a/src/lib/krb5/os/ccdefname.c b/src/lib/krb5/os/ccdefname.c
index 53e7888..76c7528 100644
--- a/src/lib/krb5/os/ccdefname.c
+++ b/src/lib/krb5/os/ccdefname.c
@@ -31,8 +31,8 @@
#include "k5-int.h"
#include <stdio.h>
-#ifdef macintosh
-#include "CCache.h"
+#if TARGET_OS_MAC
+#include <Kerberos/CredentialsCache.h>
#endif
#if defined(_WIN32)
@@ -160,7 +160,7 @@ static krb5_error_code get_from_os(char *name_buf, int name_size)
if (get_from_registry_indirect(name_buf, name_size) != 0)
return 0;
- strncpy(name_buf, prefix, name_size);
+ strncpy(name_buf, prefix, name_size - 1);
name_buf[name_size - 1] = 0;
size = name_size - strlen(prefix);
if (size > 0)
@@ -186,7 +186,7 @@ static krb5_error_code get_from_os(char *name_buf, int name_size)
}
#endif
-#if defined (macintosh)
+#if TARGET_OS_MAC
static krb5_error_code get_from_os(char *name_buf, int name_size)
{
@@ -261,6 +261,13 @@ krb5_cc_set_default_name(context, name)
return ENOMEM;
strcpy(new_name, name_buf);
+ if (!os_ctx->default_ccname || (strcmp(os_ctx->default_ccname, new_name) != 0)) {
+ /* the ccache changed... forget the old principal */
+ if (os_ctx->default_ccprincipal)
+ krb5_free_principal (context, os_ctx->default_ccprincipal);
+ os_ctx->default_ccprincipal = 0; /* we don't care until we use it */
+ }
+
if (os_ctx->default_ccname)
free(os_ctx->default_ccname);
diff --git a/src/lib/krb5/os/changepw.c b/src/lib/krb5/os/changepw.c
index 6ed95bc..44161d6 100644
--- a/src/lib/krb5/os/changepw.c
+++ b/src/lib/krb5/os/changepw.c
@@ -52,45 +52,50 @@
* Wrapper function for the two backends
*/
+static void
+fixup_ports (struct sockaddr *addr_p, int naddrs, int port)
+{
+ /* Ick: In this version of krb5_locate_foo, we have a pointer to a
+ pointer to an array of sockaddr_in structures -- NOT an array
+ of pointers like we should have. */
+ int i;
+ port = htons (port);
+ if (addr_p->sa_family != AF_INET)
+ abort ();
+ for (i = 0; i < naddrs; i++) {
+ struct sockaddr_in *sinp = (struct sockaddr_in *) &addr_p[i];
+ sinp->sin_port = port;
+ }
+}
+
static krb5_error_code
-krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kpasswd(context, realm, addr_pp, naddrs)
krb5_context context;
const krb5_data *realm;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
{
krb5_error_code code;
- int i;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int j;
-#endif /* KRB5_DNS_LOOKUP */
/*
* We always try the local file first
*/
- code = krb5_locate_srv_conf(context, realm, "kpasswd_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf(context, realm, "kpasswd_server",
+ addr_pp, naddrs, 0);
if (code) {
- code = krb5_locate_srv_conf(context, realm, "admin_server", addr_pp, naddrs,
- master_index, nmasters);
+ code = krb5_locate_srv_conf(context, realm, "admin_server",
+ addr_pp, naddrs, 0);
if ( !code ) {
- /* success with admin_server but now we need to change the port */
- /* number to use DEFAULT_KPASSWD_PORT. */
- for ( i=0;i<*naddrs;i++ ) {
- struct sockaddr_in *sin = (struct sockaddr_in *) addr_pp[i];
- sin->sin_port = htons(DEFAULT_KPASSWD_PORT);
- }
+ /* Success with admin_server but now we need to change the
+ port number to use DEFAULT_KPASSWD_PORT. */
+ fixup_ports (*addr_pp, *naddrs, DEFAULT_KPASSWD_PORT);
}
}
#ifdef KRB5_DNS_LOOKUP
if (code) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_kdc(context);
if ( use_dns ) {
code = krb5_locate_srv_dns(realm, "_kpasswd", "_udp",
addr_pp, naddrs);
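Review bot: `fixup_ports` calls `abort()` when the first address is not `AF_INET`, which terminates whatever application is using the library instead of returning an error from `krb5_locate_kpasswd`. It also reads `addr_p->sa_family` before looking at `naddrs`, so an empty result is dereferenced, and it inspects only the first entry's family while rewriting the port of every entry. I would have it return a `krb5_error_code`, check the family of each entry inside the loop, and let both call sites (this hunk and the DNS branch in the next one) propagate the result. The error value in the sketch below is a suggestion; the project may prefer one of its own codes.

```c
static krb5_error_code
fixup_ports (struct sockaddr *addr_p, int naddrs, int port)
{
    int i;

    /* … unchanged: comment on the array-of-sockaddr_in layout … */
    port = htons (port);
    for (i = 0; i < naddrs; i++) {
        struct sockaddr_in *sinp = (struct sockaddr_in *) &addr_p[i];
        if (addr_p[i].sa_family != AF_INET)
            return EAFNOSUPPORT;
        sinp->sin_port = port;
    }
    return 0;
}

    /* … in krb5_locate_kpasswd, at both call sites … */
    code = fixup_ports (*addr_pp, *naddrs, DEFAULT_KPASSWD_PORT);
```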
@@ -100,18 +105,12 @@ krb5_locate_kpasswd(context, realm, addr_pp, naddrs, master_index, nmasters)
"_tcp",
addr_pp, naddrs);
if ( !code ) {
- /* success with admin_server but now we need to change the port */
- /* number to use DEFAULT_KPASSWD_PORT. */
- for ( i=0;i<*naddrs;i++ ) {
- struct sockaddr_in *sin = (struct sockaddr_in *) addr_pp[i];
- sin->sin_port = htons(DEFAULT_KPASSWD_PORT);
- }
+ /* Success with admin_server but now we need to
+ change the port number to use
+ DEFAULT_KPASSWD_PORT. */
+ fixup_ports (*addr_pp, *naddrs, DEFAULT_KPASSWD_PORT);
}
}
- if ( !code && master_index && nmasters ) {
- *master_index = 1;
- *nmasters = *naddrs;
- }
}
}
#endif /* KRB5_DNS_LOOKUP */
@@ -158,7 +157,7 @@ krb5_change_password(context, creds, newpw, result_code,
if (code = krb5_locate_kpasswd(context,
krb5_princ_realm(context, creds->client),
- &addr_p, &naddr_p,NULL,NULL))
+ &addr_p, &naddr_p))
goto cleanup;
/* this is really obscure. s1 is used for all communications. it
diff --git a/src/lib/krb5/os/def_realm.c b/src/lib/krb5/os/def_realm.c
index 8647f89..b2a9e1d 100644
--- a/src/lib/krb5/os/def_realm.c
+++ b/src/lib/krb5/os/def_realm.c
@@ -24,7 +24,8 @@
* or implied warranty.
*
*
- * krb5_get_default_realm() function.
+ * krb5_get_default_realm(), krb5_set_default_realm(),
+ * krb5_free_default_realm() functions.
*/
#include "k5-int.h"
@@ -103,7 +104,7 @@ krb5_get_default_realm(context, lrealm)
#ifdef KRB5_DNS_LOOKUP
if (context->default_realm == 0) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_realm(context);
if ( use_dns ) {
/*
* Since this didn't appear in our config file, try looking
@@ -202,3 +203,11 @@ krb5_set_default_realm(context, lrealm)
return(0);
}
+
+KRB5_DLLIMP void KRB5_CALLCONV
+krb5_free_default_realm(context, lrealm)
+ krb5_context context;
+ char FAR* lrealm;
+{
+ free (lrealm);
+}
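Review bot: krb5_free_default_realm is added without a comment saying which pointers it accepts. Its body is a bare `free (lrealm)`, so it is only correct for a string that this library allocated with malloc, presumably the one krb5_get_default_realm hands back. I would add a header comment such as `/* Free a realm string returned by krb5_get_default_realm(); CONTEXT is unused. */` so callers do not pass static or profile-owned strings.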
diff --git a/src/lib/krb5/os/gmt_mktime.c b/src/lib/krb5/os/gmt_mktime.c
index b231790..1e3eebd 100644
--- a/src/lib/krb5/os/gmt_mktime.c
+++ b/src/lib/krb5/os/gmt_mktime.c
@@ -19,7 +19,7 @@
/* like mktime, this ignores tm_wday and tm_yday. */
/* unlike mktime, this does not set them... it only passes a return value. */
-static const days_in_month[12] = {
+static const int days_in_month[12] = {
0, /* jan 31 */
31, /* feb 28 */
59, /* mar 31 */
diff --git a/src/lib/krb5/os/hst_realm.c b/src/lib/krb5/os/hst_realm.c
index 3c0005c..6aa3083 100644
--- a/src/lib/krb5/os/hst_realm.c
+++ b/src/lib/krb5/os/hst_realm.c
@@ -117,6 +117,8 @@ krb5_try_realm_txt_rr(prefix, name, realm)
*/
if (name == NULL || name[0] == '\0') {
+ if (strlen (prefix) >= sizeof(host)-1)
+ return KRB5_ERR_HOST_REALM_UNKNOWN;
strcpy(host,prefix);
} else {
if ( strlen(prefix) + strlen(name) + 3 > MAX_DNS_NAMELEN )
@@ -134,12 +136,12 @@ krb5_try_realm_txt_rr(prefix, name, realm)
*/
h = host + strlen (host);
- if (h > host && h[-1] != '.')
+ if ((h > host) && (h[-1] != '.') && ((h - host + 1) < sizeof(host)))
strcpy (h, ".");
}
size = res_search(host, C_IN, T_TXT, answer.bytes, sizeof(answer.bytes));
- if (size < 0)
+ if ((size < sizeof(HEADER)) || (size > sizeof(answer.bytes)))
return KRB5_ERR_HOST_REALM_UNKNOWN;
p = answer.bytes;
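Review bot: The new test `(size < sizeof(HEADER)) || (size > sizeof(answer.bytes))` compares what appears to be a signed `size` against `size_t` values, as the removed `size < 0` suggests (its declaration is outside the hunk). A res_search() failure of -1 is then converted to a huge unsigned number and is rejected only by the second comparison, which is easy to break in a later edit. Keeping the sign test explicit is clearer: `if (size < 0 || (size_t)size < sizeof(HEADER) || (size_t)size > sizeof(answer.bytes))`. The same pattern is added in the krb5_locate_srv_dns hunk of locate_kdc.c (`(size < hdrsize) || (size > sizeof(answer.bytes))`).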
@@ -312,7 +314,7 @@ krb5_get_host_realm(context, host, realmsp)
#ifdef KRB5_DNS_LOOKUP
if (realm == (char *)NULL) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_realm(context);
if ( use_dns ) {
/*
* Since this didn't appear in our config file, try looking
@@ -330,17 +332,6 @@ krb5_get_host_realm(context, host, realmsp)
if (cp)
cp++;
} while (retval && cp && cp[0]);
- if (retval)
- retval = krb5_try_realm_txt_rr("_kerberos", "", &realm);
- if (retval && default_realm) {
- cp = default_realm;
- do {
- retval = krb5_try_realm_txt_rr("_kerberos", cp, &realm);
- cp = strchr(cp,'.');
- if (cp)
- cp++;
- } while (retval && cp && cp[0]);
- }
}
}
#endif /* KRB5_DNS_LOOKUP */
diff --git a/src/lib/krb5/os/init_os_ctx.c b/src/lib/krb5/os/init_os_ctx.c
index 48d8bc2..7cc456c 100644
--- a/src/lib/krb5/os/init_os_ctx.c
+++ b/src/lib/krb5/os/init_os_ctx.c
@@ -27,26 +27,8 @@
*/
#define NEED_WINDOWS
-#include "k5-int.h"
-
-#ifdef macintosh
-OSErr
-GetMacProfileFileSpec (FSSpec* outFileSpec, StringPtr inName, UInt32 whichFolder)
-{
- OSErr err;
-
-
-
- err = FindFolder (kOnSystemDisk, whichFolder, kCreateFolder,
- &(outFileSpec -> vRefNum) , &(outFileSpec -> parID));
-
- if (err == noErr) {
- BlockMoveData (inName, &(outFileSpec -> name), strlen (inName) + 1);
- }
- return err;
-}
-#endif /* macintosh */
+#include "k5-int.h"
#if defined(_MSDOS) || defined(_WIN32)
@@ -185,7 +167,7 @@ static void
free_filespecs(files)
profile_filespec_t *files;
{
-#ifndef macintosh
+#if !TARGET_OS_MAC
char **cp;
if (files == 0)
@@ -203,44 +185,6 @@ os_get_default_config_files(pfiles, secure)
krb5_boolean secure;
{
profile_filespec_t* files;
-#ifdef macintosh
- files = malloc(7 * sizeof(FSSpec));
-
- if (files != 0) {
- OSErr err = GetMacProfileFileSpec(&(files [3]), "\pKerberos Preferences", kApplicationSupportFolderType);
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [4]), "\pkrb5.ini", kApplicationSupportFolderType);
- }
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [5]), "\pKerberos5 Configuration", kApplicationSupportFolderType);
- }
-
- if (err == noErr) {
- files[6].vRefNum = 0;
- files[6].parID = 0;
- files[6].name[0] = '\0';
- } else {
- files[3].vRefNum = 0;
- files[3].parID = 0;
- files[3].name[0] = '\0';
- }
-
- err = GetMacProfileFileSpec(&(files [0]), "\pKerberos Preferences", kPreferencesFolderType);
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [1]), "\pkrb5.ini", kPreferencesFolderType);
- }
- if (err == noErr) {
- err = GetMacProfileFileSpec( &(files [2]), "\pKerberos5 Configuration", kPreferencesFolderType);
- }
-
- if (err != noErr) {
- free (files);
- return ENFILE;
- }
- } else {
- return ENOMEM;
- }
-#else /* !macintosh */
#if defined(_MSDOS) || defined(_WIN32)
krb5_error_code retval = 0;
char *name = 0;
@@ -327,8 +271,7 @@ os_get_default_config_files(pfiles, secure)
/* cap the array */
files[i] = 0;
#endif /* !_MSDOS && !_WIN32 */
-#endif /* !macintosh */
- *pfiles = files;
+ *pfiles = (profile_filespec_t *)files;
return 0;
}
@@ -349,10 +292,11 @@ os_init_paths(ctx)
#endif /* KRB5_DNS_LOOKUP */
retval = os_get_default_config_files(&files, secure);
-
+
if (!retval) {
retval = profile_init((const_profile_filespec_t *) files,
&ctx->profile);
+
#ifdef KRB5_DNS_LOOKUP
/* if none of the filenames can be opened use an empty profile */
if (retval == ENOENT) {
@@ -404,6 +348,7 @@ krb5_os_init_context(ctx)
os_ctx->usec_offset = 0;
os_ctx->os_flags = 0;
os_ctx->default_ccname = 0;
+ os_ctx->default_ccprincipal = 0;
krb5_cc_set_default_name(ctx, NULL);
@@ -427,8 +372,10 @@ krb5_get_profile (ctx, profile)
retval = os_get_default_config_files(&files, ctx->profile_secure);
- if (!retval)
- retval = profile_init((const_profile_filespec_t *) files, profile);
+ if (!retval) {
+ retval = profile_init((const_profile_filespec_t *) files,
+ profile);
+ }
if (files)
free_filespecs(files);
@@ -446,7 +393,6 @@ krb5_get_profile (ctx, profile)
return retval;
}
-#ifndef macintosh
krb5_error_code
krb5_set_config_files(ctx, filenames)
@@ -483,7 +429,6 @@ krb5_free_config_files(filenames)
free_filespecs(filenames);
}
-#endif /* macintosh */
krb5_error_code
krb5_secure_config_files(ctx)
@@ -524,6 +469,11 @@ krb5_os_free_context(ctx)
os_ctx->default_ccname = 0;
}
+ if (os_ctx->default_ccprincipal) {
+ krb5_free_principal (ctx, os_ctx->default_ccprincipal);
+ os_ctx->default_ccprincipal = 0;
+ }
+
os_ctx->magic = 0;
free(os_ctx);
ctx->os_context = 0;
diff --git a/src/lib/krb5/os/kuserok.c b/src/lib/krb5/os/kuserok.c
index ef08037..6d2adb1 100644
--- a/src/lib/krb5/os/kuserok.c
+++ b/src/lib/krb5/os/kuserok.c
@@ -80,8 +80,9 @@ krb5_kuserok(context, principal, luser)
if ((pwd = getpwnam(luser)) == NULL) {
return(FALSE);
}
- (void) strcpy(pbuf, pwd->pw_dir);
- (void) strcat(pbuf, "/.k5login");
+ (void) strncpy(pbuf, pwd->pw_dir, sizeof(pbuf) - 1);
+ pbuf[sizeof(pbuf) - 1] = '\0';
+ (void) strncat(pbuf, "/.k5login", sizeof(pbuf) - 1 - strlen(pbuf));
if (access(pbuf, F_OK)) { /* not accessible */
/*
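Review bot: The strncpy/strncat pair prevents the overflow but truncates silently, so an overlong `pw_dir` makes the following `access(pbuf, F_OK)` test a different path than the user's `.k5login`. Because the result of that test steers the rest of krb5_kuserok (which continues outside the hunk), I would reject the oversized case instead of truncating: `if (strlen(pwd->pw_dir) + sizeof("/.k5login") > sizeof(pbuf)) return(FALSE);` placed before the copy.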
diff --git a/src/lib/krb5/os/localaddr.c b/src/lib/krb5/os/localaddr.c
index 9079500..aaeade6 100644
--- a/src/lib/krb5/os/localaddr.c
+++ b/src/lib/krb5/os/localaddr.c
@@ -1,7 +1,7 @@
/*
* lib/krb5/os/localaddr.c
*
- * Copyright 1990,1991 by the Massachusetts Institute of Technology.
+ * Copyright 1990,1991,2000 by the Massachusetts Institute of Technology.
* All Rights Reserved.
*
* Export of this software from the United States of America may
@@ -39,6 +39,7 @@
#include <sys/ioctl.h>
#include <sys/time.h>
#include <errno.h>
+#include <stddef.h>
/*
* The SIOCGIF* ioctls require a socket.
@@ -248,6 +249,45 @@ add_addr (void *P_data, struct sockaddr *a)
#define ifreq_size(i) sizeof(struct ifreq)
#endif /* HAVE_SA_LEN*/
+/* SIOCGIFCONF:
+
+ The behavior of this ioctl varies across systems.
+
+ NetBSD 1.5-alpha: The returned ifc_len is the desired amount of
+ space, always. The returned list may be truncated if there isn't
+ enough room; no overrun.
+
+ Solaris 2.7: Return EINVAL if the buffer space is too small,
+ including ifc_len==0. (Not sure if this is "too small for a single
+ entry" or "too small for the entire list"; my Sun has only one
+ interface.) Solaris is the only system I've found so far that
+ actually returns an error.
+
+ AIX 4.3.3: Sometimes the returned ifc_len is bigger than the
+ supplied one, but it may not be big enough for *all* the
+ interfaces. Sometimes it's smaller than the supplied value, even
+ if the returned list is truncated. The list is filled in with as
+ many entries as will fit; no overrun.
+
+ Linux 2.2.12 (RH 6.1 dist, x86): The buffer is filled in with as
+ many entries as will fit, and the size used is returned in ifc_len.
+ The list is truncated if needed, with no indication.
+
+ IRIX 6.5: The buffer is filled in with as many entries as will fit
+ in N-1 bytes, and the size used is returned in ifc_len. Providing
+ exactly the desired number of bytes is inadequate; the buffer must
+ be *bigger* than needed. (E.g., 32->0, 33->32.) The returned
+ ifc_len is always less than the supplied one.
+
+ Digital UNIX 4.0F: If input ifc_len is zero, return an ifc_len
+ that's big enough to include all entries. (Actually, on our
+ system, it appears to be larger than that by 32.) If input ifc_len
+ is nonzero, fill in as many entries as will fit, and set ifc_len
+ accordingly.
+
+ Using this ioctl is going to be messy. Let's just hope that
+ getifaddrs() catches on quickly.... */
+
static int
foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
void *data;
@@ -255,13 +295,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
int (*betweenfn) (void *);
int (*pass2fn) (void *, struct sockaddr *);
{
- struct ifreq *ifr, ifreq;
+ struct ifreq *ifr, ifreq, *ifr2;
struct ifconf ifc;
- int s, code, n, i;
+ int s, code, n, i, j;
int est_if_count = 8, est_ifreq_size;
char *buf = 0;
size_t current_buf_size = 0;
-
+ int fail = 0;
+#ifdef SIOCGSIZIFCONF
+ int ifconfsize = -1;
+#endif
+
s = socket (USE_AF, USE_TYPE, USE_PROTO);
if (s < 0)
return SOCKET_ERRNO;
@@ -269,8 +313,17 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
/* At least on NetBSD, an ifreq can hold an IPv4 address, but
isn't big enough for an IPv6 or ethernet address. So add a
little more space. */
- est_ifreq_size = sizeof (struct ifreq) + 8;
- current_buf_size = est_ifreq_size * est_if_count;
+ est_ifreq_size = sizeof (struct ifreq) + 16;
+#ifdef SIOCGSIZIFCONF
+ code = ioctl (s, SIOCGSIZIFCONF, &ifconfsize);
+ if (!code) {
+ current_buf_size = ifconfsize;
+ est_if_count = ifconfsize / est_ifreq_size;
+ }
+#endif
+ if (current_buf_size == 0) {
+ current_buf_size = est_ifreq_size * est_if_count;
+ }
buf = malloc (current_buf_size);
ask_again:
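Review bot: The value returned by SIOCGSIZIFCONF is used without a range check: `current_buf_size = ifconfsize;` converts a negative `ifconfsize` into a very large `size_t`, which then goes straight to `malloc (current_buf_size)`. Guarding the assignment with `if (!code && ifconfsize > 0)` keeps the existing fallback to `est_ifreq_size * est_if_count` for any unusable answer. Whether the malloc result is checked cannot be seen here, since the code after `ask_again:` is outside the hunk.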
@@ -284,12 +337,35 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
closesocket (s);
return retval;
}
- /* Test that the buffer was big enough that another ifreq could've
+ /* BSD 4.4 and similar systems truncate the address list if the
+ supplied buffer isn't big enough.
+
+ Test that the buffer was big enough that another ifreq could've
fit easily, if the OS wanted to provide one. That seems to be
the only indication we get, complicated by the fact that the
associated address may make the required storage a little
bigger than the size of an ifreq. */
- if (current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + 40) {
+#define SLOP (sizeof (struct ifreq) + 128)
+ if ((current_buf_size - ifc.ifc_len < sizeof (struct ifreq) + SLOP
+ /* On AIX 4.3.3, ifc.ifc_len may be set to a larger size than
+ provided under some circumstances. On my test system, a
+ supplied value of 32..112 gets me 112, but with no data
+ filled in even at 112. But larger input ifc_len values get
+ me larger output values, so it's not necessarily the full
+ desired output buffer size. And as near as I can tell, the
+ ifc_len output has little to do with the offset of the last
+ byte in the buffer actually modified, except that both
+ input and output ifc_len values are higher (i.e., no buffer
+ overrun takes place in my testing). */
+ || current_buf_size < ifc.ifc_len)
+ /* But let's let SIOCGSIZIFCONF dominate, unless we discover
+ it's broken somewhere. */
+#ifdef SIOCGSIZIFCONF
+ && ifconfsize <= 0
+#endif
+ /* And we need *some* sort of bounds. */
+ && current_buf_size <= 100000
+ ) {
int new_size;
char *newbuf;
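Review bot: `SLOP` is defined as `sizeof (struct ifreq) + 128`, but the test compares against `sizeof (struct ifreq) + SLOP`, so the ifreq size is counted twice, and the macro is defined in the middle of the function body without an `#undef`. If the double count is not intended, `current_buf_size - ifc.ifc_len < SLOP` says what the comment describes. The growth cap `100000` would also read better as a named constant next to `SLOP`, with a word on why that bound was chosen.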
@@ -307,31 +383,62 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
}
n = ifc.ifc_len;
-
+ if (n > current_buf_size)
+ n = current_buf_size;
+
+ /* Note: Apparently some systems put the size (used or wanted?)
+ into the start of the buffer, just none that I'm actually
+ using. Fix this when there's such a test system available.
+ The Samba mailing list archives mention that NTP looks for the
+ size on these systems: *-fujitsu-uxp* *-ncr-sysv4*
+ *-univel-sysv*. [raeburn:20010201T2226-05] */
for (i = 0; i < n; i+= ifreq_size(*ifr) ) {
ifr = (struct ifreq *)((caddr_t) ifc.ifc_buf+i);
strncpy(ifreq.ifr_name, ifr->ifr_name, sizeof (ifreq.ifr_name));
- if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0
-#ifdef IFF_LOOPBACK
- /* None of the current callers want loopback addresses. */
- || (ifreq.ifr_flags & IFF_LOOPBACK)
-#endif
- /* Ignore interfaces that are down. */
- || !(ifreq.ifr_flags & IFF_UP)) {
+ if (ioctl (s, SIOCGIFFLAGS, (char *)&ifreq) < 0) {
+ skip:
/* mark for next pass */
ifr->ifr_name[0] = 0;
continue;
}
+#ifdef IFF_LOOPBACK
+ /* None of the current callers want loopback addresses. */
+ if (ifreq.ifr_flags & IFF_LOOPBACK)
+ goto skip;
+#endif
+ /* Ignore interfaces that are down. */
+ if (!(ifreq.ifr_flags & IFF_UP))
+ goto skip;
+
+ /* Make sure we didn't process this address already. */
+ for (j = 0; j < i; j += ifreq_size(*ifr2)) {
+ ifr2 = (struct ifreq *)((caddr_t) ifc.ifc_buf+j);
+ if (ifr2->ifr_name[0] == 0)
+ continue;
+ if (ifr2->ifr_addr.sa_family == ifr->ifr_addr.sa_family
+ && ifreq_size (*ifr) == ifreq_size (*ifr2)
+ /* Compare address info. If this isn't good enough --
+ i.e., if random padding bytes turn out to differ
+ when the addresses are the same -- then we'll have
+ to do it on a per address family basis. */
+ && !memcmp (&ifr2->ifr_addr.sa_data, &ifr->ifr_addr.sa_data,
+ (ifreq_size (*ifr)
+ - offsetof (struct ifreq, ifr_addr.sa_data))))
+ goto skip;
+ }
+
if ((*pass1fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
if (betweenfn && (*betweenfn)(data)) {
- abort ();
+ fail = 1;
+ goto punt;
}
if (pass2fn)
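Review bot: Clamping `n` to `current_buf_size` bounds where an entry may start, not where it ends: the loop test `i < n` still lets `ifr` point at a final entry that lies only partly inside the `n` valid bytes. The new duplicate check then hands `ifreq_size (*ifr) - offsetof (struct ifreq, ifr_addr.sa_data)` bytes of that entry to memcmp, and where the HAVE_SA_LEN variant of `ifreq_size` (defined outside this hunk) is in use, that length is itself read from the entry. I would stop the loop when fewer than a whole entry remains, for example `if ((size_t)(n - i) < sizeof (struct ifreq)) break;` as the first statement of the loop body, and apply the same bound in the inner `j` loop.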
@@ -343,13 +450,15 @@ foreach_localaddr (data, pass1fn, betweenfn, pass2fn)
continue;
if ((*pass2fn) (data, &ifr->ifr_addr)) {
- abort ();
+ fail = 1;
+ goto punt;
}
}
+ punt:
closesocket(s);
free (buf);
- return 0;
+ return fail;
}
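Review bot: Replacing `abort ()` with `fail = 1; goto punt;` (here and twice in the previous hunk) makes the literal 1 the return value of foreach_localaddr, and the caller context in the next hunk (`return r;`) appears to pass it on as a krb5_error_code. A bare 1 tells the caller nothing about what went wrong and reads as an unrelated errno value on most systems. If the callbacks return an error code, which cannot be confirmed from the hunk, propagate it instead, e.g. `fail = (*pass2fn) (data, &ifr->ifr_addr); if (fail) goto punt;`. Otherwise map the failure to a named code before returning.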
@@ -376,10 +485,9 @@ krb5_os_localaddr(context, addr)
return r;
}
+ data.cur_idx++; /* null termination */
if (data.mem_err)
return ENOMEM;
- else if (data.cur_idx == 0)
- abort ();
else if (data.cur_idx == data.count)
*addr = data.addr_temp;
else {
@@ -396,14 +504,13 @@ krb5_os_localaddr(context, addr)
return 0;
}
-#else /* Windows/Mac version */
+#elif defined(_MSDOS) || defined(_WIN32) /* Windows version */
/*
* Hold on to your lunch! Backup kludge method of obtaining your
* local IP address, courtesy of Windows Socket Network Programming,
* by Robert Quinn
*/
-#if defined(_MSDOS) || defined(_WIN32)
static struct hostent *local_addr_fallback_kludge()
{
static struct hostent host;
@@ -442,7 +549,6 @@ static struct hostent *local_addr_fallback_kludge()
return &host;
}
-#endif
/* No ioctls in winsock so we just assume there is only one networking
* card per machine, so gethostent is good enough.
@@ -473,6 +579,8 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
hostrec = local_addr_fallback_kludge();
if (!hostrec)
return err;
+ else
+ err = 0; /* otherwise we will die at cleanup */
}
for (count = 0; hostrec->h_addr_list[count]; count++);
@@ -526,4 +634,79 @@ krb5_os_localaddr (krb5_context context, krb5_address ***addr) {
return(err);
}
+
+#else
+
+/* Mac OS 9 version */
+KRB5_DLLIMP krb5_error_code KRB5_CALLCONV
+krb5_os_localaddr (krb5_context context, krb5_address ***addr)
+{
+ // First, build the new list
+ krb5_address ** addresses = NULL;
+ SInt32 interfaceCount;
+ SInt32 interfaceIndex;
+ InetInterfaceInfo info;
+ krb5_error_code err = 0;
+
+ // Loop over the addressed once so we know how many there are
+ for (interfaceCount = 0; err == noErr; interfaceCount++) {
+ err = OTInetGetInterfaceInfo (&info, interfaceCount);
+ }
+
+ // Allocate storage for the address list
+ addresses = (krb5_address **) malloc( sizeof (krb5_address *) * (interfaceCount + 1));
+ if (addresses == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ // Set the pointers to NULL so we will have a termination pointer
+ memset (addresses, 0, sizeof (krb5_address *) * (interfaceCount + 1));
+
+ // Look up the addresses and store them in the list
+ for (interfaceIndex = 0; interfaceIndex < interfaceCount; interfaceIndex++) {
+ err = OTInetGetInterfaceInfo (&info, interfaceIndex);
+ if (err != noErr) {
+ err = 0;
+ break;
+ }
+
+ addresses[interfaceIndex] = (krb5_address *) malloc (sizeof (krb5_address));
+ if (addresses[interfaceIndex] == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ addresses[interfaceIndex]->magic = KV5M_ADDRESS;
+ addresses[interfaceIndex]->addrtype = AF_INET;
+ addresses[interfaceIndex]->length = INADDRSZ;
+ addresses[interfaceIndex]->contents = (unsigned char *) malloc (addresses[interfaceIndex]->length);
+ if (addresses[interfaceIndex]->contents == NULL) {
+ err = ENOMEM;
+ goto cleanup;
+ }
+
+ memcpy(addresses[interfaceIndex]->contents, &info.fAddress, addresses[interfaceIndex]->length);
+ }
+
+cleanup:
+ if (err) {
+ if (addresses != NULL) {
+ for (interfaceIndex = 0; interfaceIndex < interfaceCount; interfaceIndex++) {
+ if (addresses[interfaceIndex] != NULL) {
+ if (addresses[interfaceIndex]->contents != NULL) {
+ free (addresses[interfaceIndex]->contents);
+ }
+ free (addresses[interfaceIndex]);
+ }
+ }
+ free(addresses);
+ }
+ } else {
+ *addr = addresses;
+ }
+
+ return(err);
+
+}
#endif
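Review bot: The counting loop in the Mac OS 9 krb5_os_localaddr stops only when OTInetGetInterfaceInfo fails, so `interfaceCount` ends one higher than the number of interfaces found and every failure is taken as the end of the list. A genuine error on the first call therefore returns `err == 0` with an empty address list, because the second loop resets `err = 0` before its `break`. The code should at least say so, for example `/* Any error is treated as end of list; interfaceCount is one past the last valid index. */`, or else distinguish the expected end-of-list error from other failures. The `//` comments also differ from the `/* */` style used in the rest of the file.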
diff --git a/src/lib/krb5/os/locate_kdc.c b/src/lib/krb5/os/locate_kdc.c
index fcdfa03..6668bbf 100644
--- a/src/lib/krb5/os/locate_kdc.c
+++ b/src/lib/krb5/os/locate_kdc.c
@@ -53,29 +53,57 @@
#define KPASSWD_PORTNAME "kpasswd"
#endif
-int
-_krb5_use_dns(context)
- krb5_context context;
+#if KRB5_DNS_LOOKUP_KDC
+#define DEFAULT_LOOKUP_KDC 1
+#else
+#define DEFAULT_LOOKUP_KDC 0
+#endif
+#if KRB5_DNS_LOOKUP_REALM
+#define DEFAULT_LOOKUP_REALM 1
+#else
+#define DEFAULT_LOOKUP_REALM 0
+#endif
+
+static int
+maybe_use_dns (context, name, defalt)
+ krb5_context context;
+ const char *name;
+ int defalt;
{
krb5_error_code code;
char * value = NULL;
int use_dns = 0;
code = profile_get_string(context->profile, "libdefaults",
- "dns_fallback", 0,
- context->profile_in_memory?"1":"0",
- &value);
+ name, 0, 0, &value);
+ if (value == 0 && code == 0)
+ code = profile_get_string(context->profile, "libdefaults",
+ "dns_fallback", 0, 0, &value);
if (code)
- return(code);
+ return defalt;
- if (value) {
- use_dns = _krb5_conf_boolean(value);
- profile_release_string(value);
- }
+ if (value == 0)
+ return defalt;
+ use_dns = _krb5_conf_boolean(value);
+ profile_release_string(value);
return use_dns;
}
+int
+_krb5_use_dns_kdc(context)
+ krb5_context context;
+{
+ return maybe_use_dns (context, "dns_lookup_kdc", DEFAULT_LOOKUP_KDC);
+}
+
+int
+_krb5_use_dns_realm(context)
+ krb5_context context;
+{
+ return maybe_use_dns (context, "dns_lookup_realm", DEFAULT_LOOKUP_REALM);
+}
+
#endif /* KRB5_DNS_LOOKUP */
/*
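Review bot: maybe_use_dns has no comment, and its precedence is easy to misread: it takes the per-feature key `name`, then `dns_fallback`, then the compile-time `defalt`, and any profile_get_string error also yields `defalt`. Since this function decides whether DNS answers are consulted for KDC and realm location, the order deserves to be written down, e.g. `/* Return [libdefaults] NAME as a boolean, else dns_fallback, else DEFALT; profile errors also yield DEFALT. */`. The old default of `context->profile_in_memory?"1":"0"` is dropped here, which changes behaviour for in-memory profiles and would be worth a line in the same comment.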
@@ -85,14 +113,13 @@ _krb5_use_dns(context)
*/
krb5_error_code
-krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, get_masters)
krb5_context context;
const krb5_data *realm;
const char * name;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
{
const char *realm_srv_names[4];
char **masterlist, **hostlist, *host, *port, *cp;
@@ -162,10 +189,7 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
return 0;
}
- if (master_index) {
- *master_index = 0;
- *nmasters = 0;
-
+ if (get_masters) {
realm_srv_names[0] = "realms";
realm_srv_names[1] = host;
realm_srv_names[2] = "admin_server";
@@ -209,8 +233,10 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
addr_p = (struct sockaddr *)malloc (sizeof (struct sockaddr) * count);
if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
return ENOMEM;
}
@@ -239,12 +265,12 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
if (masterlist) {
for (j=0; masterlist[j]; j++) {
if (strcasecmp(hostlist[i], masterlist[j]) == 0) {
- *master_index = out;
ismaster = 1;
}
}
}
+ if ( !get_masters || ismaster ) {
switch (hp->h_addrtype) {
#ifdef HAVE_NETINET_IN_H
@@ -263,8 +289,10 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
realloc ((char *)addr_p,
sizeof(struct sockaddr) * count);
if (addr_p == NULL) {
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
return ENOMEM;
}
}
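Review bot: The error path guarded here still loses the original allocation: the result of `realloc ((char *)addr_p, ...)` appears to be assigned straight back to `addr_p` (the assignment line is outside the hunk, but the `addr_p == NULL` test implies it), so on failure the old block can no longer be freed before `return ENOMEM`. Assigning to a temporary first fixes that: `tmp = realloc (addr_p, sizeof(struct sockaddr) * count); if (tmp == NULL) { free (addr_p); ... return ENOMEM; } addr_p = tmp;`. The added `if (hostlist)` / `if (masterlist)` guards are fine as they stand.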
@@ -279,12 +307,13 @@ krb5_locate_srv_conf(context, realm, name, addr_pp, naddrs, master_index, nmaste
default:
break;
}
- if (ismaster)
- *nmasters = out - *master_index;
+ }
}
- profile_free_list(hostlist);
- profile_free_list(masterlist);
+ if (hostlist)
+ profile_free_list(hostlist);
+ if (masterlist)
+ profile_free_list(masterlist);
if (out == 0) { /* Couldn't resolve any KDC names */
free (addr_p);
@@ -362,7 +391,7 @@ krb5_locate_srv_dns(realm, service, protocol, addr_pp, naddrs)
size = res_search(host, C_IN, T_SRV, answer.bytes, sizeof(answer.bytes));
- if (size < hdrsize)
+ if ((size < hdrsize) || (size > sizeof(answer.bytes)))
goto out;
/*
@@ -564,78 +593,29 @@ krb5_locate_srv_dns(realm, service, protocol, addr_pp, naddrs)
*/
krb5_error_code
-krb5_locate_kdc(context, realm, addr_pp, naddrs, master_index, nmasters)
+krb5_locate_kdc(context, realm, addr_pp, naddrs, get_masters)
krb5_context context;
const krb5_data *realm;
struct sockaddr **addr_pp;
int *naddrs;
- int *master_index;
- int *nmasters;
+ int get_masters;
{
krb5_error_code code;
-#ifdef KRB5_DNS_LOOKUP
- struct sockaddr *admin_addr_p, *kdc_addr_p;
- int nadmin_addrs, nkdc_addrs;
- int i,j;
-#endif /* KRB5_DNS_LOOKUP */
/*
* We always try the local file first
*/
code = krb5_locate_srv_conf(context, realm, "kdc", addr_pp, naddrs,
- master_index, nmasters);
+ get_masters);
#ifdef KRB5_DNS_LOOKUP
if (code) {
- int use_dns = _krb5_use_dns(context);
+ int use_dns = _krb5_use_dns_kdc(context);
if ( use_dns ) {
- code = krb5_locate_srv_dns(realm, "_kerberos", "_udp",
- addr_pp, naddrs);
- if ( master_index && nmasters ) {
-
- code = krb5_locate_srv_dns(realm, "_kerberos-adm", "_tcp",
- &admin_addr_p, &nadmin_addrs);
- if ( code ) {
- free(*addr_pp);
- *addr_pp = NULL;
- *naddrs = 0;
- return(code);
- }
-
- kdc_addr_p = *addr_pp;
- nkdc_addrs = *naddrs;
-
- *naddrs = 0;
- *addr_pp = (struct sockaddr *) malloc(sizeof(*kdc_addr_p));
- if ( *addr_pp == NULL ) {
- free(kdc_addr_p);
- free(admin_addr_p);
- return ENOMEM;
- }
-
- for ( i=0; i<nkdc_addrs; i++ ) {
- for ( j=0 ; j<nadmin_addrs; j++) {
- if ( !memcmp(&kdc_addr_p[i].sa_data[2],&admin_addr_p[j].sa_data[2],4) ) {
- memcpy(&(*addr_pp)[(*naddrs)],&kdc_addr_p[i],
- sizeof(struct sockaddr));
- (*naddrs)++;
- break;
- }
- }
- }
-
- free(kdc_addr_p);
- free(admin_addr_p);
-
- if ( *naddrs == 0 ) {
- free(*addr_pp);
- *addr_pp = NULL;
- return KRB5_REALM_CANT_RESOLVE;
- }
- *master_index = 1;
- *nmasters = *naddrs;
- }
+ code = krb5_locate_srv_dns(realm,
+ get_masters ? "_kerberos-master" : "_kerberos",
+ "_udp", addr_pp, naddrs);
}
}
#endif /* KRB5_DNS_LOOKUP */
diff --git a/src/lib/krb5/os/os-proto.h b/src/lib/krb5/os/os-proto.h
index fed7a81..a6b67f1 100644
--- a/src/lib/krb5/os/os-proto.h
+++ b/src/lib/krb5/os/os-proto.h
@@ -36,8 +36,7 @@ krb5_error_code krb5_locate_kdc
const krb5_data *,
struct sockaddr **,
int *,
- int *,
- int *));
+ int));
#endif
#ifdef HAVE_NETINET_IN_H
diff --git a/src/lib/krb5/os/prompter.c b/src/lib/krb5/os/prompter.c
index 933ff2c..8dc985c 100644
--- a/src/lib/krb5/os/prompter.c
+++ b/src/lib/krb5/os/prompter.c
@@ -117,6 +117,18 @@ krb5_prompter_posix(krb5_context context,
cleanup:
(void) signal(SIGINT, ointrfunc);
+#ifndef ECHO_PASSWORD
+ if (i < num_prompts) {
+ if (prompts[i].hidden) {
+ (void)putchar('\n');
+ if (isatty(fd) == 1) {
+ if ((tcsetattr(fd, TCSANOW, &save_control) == -1
+ && errcode == 0))
+ return errno;
+ }
+ }
+ }
+#endif
return(errcode);
}
#else /* MSDOS */
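Review bot: The new cleanup block restores the terminal from `save_control` whenever `i < num_prompts` and the current prompt is hidden, without knowing whether `save_control` was ever filled in. The code that saves the settings is outside the hunk, so this is to be confirmed, but if any `goto cleanup` can be reached before that save succeeds, tcsetattr() is called with indeterminate data. A small flag set right after the successful save and tested here, e.g. `if (saved_tty && isatty(fd) == 1)`, would make the restore safe on every path. The early `return errno;` also deserves a one-line comment saying that it replaces `errcode` only when no earlier error was recorded.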
@@ -235,7 +247,7 @@ krb5int_set_prompt_types(context, types)
krb5_context context;
krb5_prompt_type *types;
{
- context->prompt_types = 0;
+ context->prompt_types = types;
}
KRB5_DLLIMP
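Review bot: With `context->prompt_types = types;` the context now keeps the caller's pointer instead of a copy, so it dangles as soon as the caller's array goes out of scope. Nothing in the hunk documents that lifetime rule. I would add a comment on krb5int_set_prompt_types such as `/* Borrowed pointer: TYPES must outlive the prompter call; pass 0 afterwards to clear it. */`.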
diff --git a/src/lib/krb5/os/promptusr.c b/src/lib/krb5/os/promptusr.c
index 3ac3d4f..a3a185b 100644
--- a/src/lib/krb5/os/promptusr.c
+++ b/src/lib/krb5/os/promptusr.c
@@ -162,4 +162,4 @@ main(int argc, char **argv)
#endif
-#endif /* !_MSODS || _!MACINTOSH */
+#endif /* !_MSDOS || _!MACINTOSH */
diff --git a/src/lib/krb5/os/sendto_kdc.c b/src/lib/krb5/os/sendto_kdc.c
index 01b797e..47f2408 100644
--- a/src/lib/krb5/os/sendto_kdc.c
+++ b/src/lib/krb5/os/sendto_kdc.c
@@ -60,16 +60,16 @@ extern int krb5_skdc_timeout_shift;
extern int krb5_skdc_timeout_1;
krb5_error_code
-krb5_sendto_kdc (context, message, realm, reply, master)
+krb5_sendto_kdc (context, message, realm, reply, use_master)
krb5_context context;
const krb5_data * message;
const krb5_data * realm;
krb5_data * reply;
- int *master;
+ int use_master;
{
register int timeout, host, i;
struct sockaddr *addr;
- int naddr, master_index, nmasters;
+ int naddr;
int sent, nready;
krb5_error_code retval;
SOCKET *socklist;
@@ -81,14 +81,10 @@ krb5_sendto_kdc (context, message, realm, reply, master)
* find KDC location(s) for realm
*/
- if (retval = krb5_locate_kdc (context, realm, &addr, &naddr,
- master?&master_index:NULL,
- master?&nmasters:NULL))
+ if (retval = krb5_locate_kdc (context, realm, &addr, &naddr, use_master))
return retval;
if (naddr == 0)
- return KRB5_REALM_UNKNOWN;
- if (master && (*master == 1) && (nmasters == 0))
- return KRB5_KDC_UNREACH;
+ return (use_master ? KRB5_KDC_UNREACH : KRB5_REALM_UNKNOWN);
socklist = (SOCKET *)malloc(naddr * sizeof(SOCKET));
if (socklist == NULL) {
@@ -128,12 +124,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
timeout <<= krb5_skdc_timeout_shift) {
sent = 0;
for (host = 0; host < naddr; host++) {
- /* if a master kdc is required, skip the non-master kdc's */
-
- if (master && (*master == 1) &&
- ((host < master_index) || (host >= (master_index+nmasters))))
- continue;
-
/* send to the host, wait timeout seconds for a response,
then move on. */
/* cache some sockets for each host */
@@ -211,12 +201,6 @@ krb5_sendto_kdc (context, message, realm, reply, master)
reply->length = cc;
retval = 0;
- /* if the caller asked to be informed if it
- got a master kdc, tell it */
- if (master)
- *master = ((host >= master_index) &&
- (host < (master_index+nmasters)));
-
goto out;
} else if (nready == 0) {
/* timeout */
diff --git a/src/lib/krb5/os/t_std_conf.c b/src/lib/krb5/os/t_std_conf.c
index 0846b1c..a95c67a 100644
--- a/src/lib/krb5/os/t_std_conf.c
+++ b/src/lib/krb5/os/t_std_conf.c
@@ -110,14 +110,14 @@ void test_locate_kdc(ctx, realm)
struct sockaddr *addrs;
struct sockaddr_in *sin;
int i, naddrs;
- int master_index, nmasters;
+ int get_masters=0;
krb5_data rlm;
krb5_error_code retval;
rlm.data = realm;
rlm.length = strlen(realm);
retval = krb5_locate_kdc(ctx, &rlm, &addrs, &naddrs,
- &master_index, &nmasters);
+ get_masters);
if (retval) {
com_err("krb5_get_krbhst", retval, 0);
return;
diff --git a/src/lib/krb5/os/timeofday.c b/src/lib/krb5/os/timeofday.c
index 11dffd7..9ae528e 100644
--- a/src/lib/krb5/os/timeofday.c
+++ b/src/lib/krb5/os/timeofday.c
@@ -48,12 +48,12 @@ krb5_timeofday(context, timeret)
*timeret = os_ctx->time_offset;
return 0;
}
-#ifdef macintosh
+#if TARGET_OS_MAC
{
- long usecs;
+ krb5_int32 usecs;
krb5_error_code kret;
- if (kret = krb5_crypto_us_timeofday(&tval, &usecs))
+ if (kret = krb5_crypto_us_timeofday((krb5_int32 *)&tval, &usecs))
return kret;
}
#else
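Review bot: The cast in `krb5_crypto_us_timeofday((krb5_int32 *)&tval, &usecs)` hides a type mismatch rather than removing it. `tval` is declared outside the hunk, but needing a cast suggests it is not a krb5_int32, so the callee writes 32 bits through a pointer to an object of another type and any remaining bytes of `tval` stay unset. A temporary avoids that: declare `krb5_int32 secs, usecs;`, call `krb5_crypto_us_timeofday(&secs, &usecs)`, then assign `tval = secs;`.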
diff --git a/src/lib/krb5/os/toffset.c b/src/lib/krb5/os/toffset.c
index 72d301d..59c7252 100644
--- a/src/lib/krb5/os/toffset.c
+++ b/src/lib/krb5/os/toffset.c
@@ -91,7 +91,7 @@ krb5_use_natural_time(context)
/*
* This routine returns the current time offsets in use.
*/
-krb5_error_code
+krb5_error_code KRB5_CALLCONV
krb5_get_time_offsets(context, seconds, microseconds)
krb5_context context;
krb5_int32 *seconds, *microseconds;
diff --git a/src/lib/krb5/posix/ChangeLog b/src/lib/krb5/posix/ChangeLog
index e90e47b..c2527aa 100644
--- a/src/lib/krb5/posix/ChangeLog
+++ b/src/lib/krb5/posix/ChangeLog
@@ -1,3 +1,14 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * setenv.c: Updated macros to removed warning about prototype
+ with no function definition
+
+2000-04-28 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * syslog.c (vsyslog): Use strncpy and strncat instead of strcpy
+ and strcat when adding to buffer "tbuf". If calling vsprintf,
+ abort if it appears to have overrun the buffer.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/posix/setenv.c b/src/lib/krb5/posix/setenv.c
index 7072d7e..422c962 100644
--- a/src/lib/krb5/posix/setenv.c
+++ b/src/lib/krb5/posix/setenv.c
@@ -45,7 +45,9 @@
#ifndef __P
#define __P(x) ()
#endif
+#if (!HAVE_GETENV || !HAVE_SETENV || !HAVE_UNSETENV)
static char *__findenv __P((const char *, int *));
+#endif
/*
* setenv --
diff --git a/src/lib/krb5/posix/syslog.c b/src/lib/krb5/posix/syslog.c
index 31e7874..f7ddbff 100644
--- a/src/lib/krb5/posix/syslog.c
+++ b/src/lib/krb5/posix/syslog.c
@@ -115,7 +115,7 @@ vsyslog(pri, fmt, ap)
(void)sprintf(tbuf, "<%d>%.15s ", pri, ctime(&now) + 4);
for (p = tbuf; *p; ++p);
if (LogTag) {
- (void)strcpy(p, LogTag);
+ (void)strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf));
for (; *p; ++p);
}
if (LogStat & LOG_PID) {
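Review bot: `strncpy(p, LogTag, sizeof(tbuf) - 1 - (p - tbuf))` does not NUL-terminate when LogTag is at least as long as the remaining space, and the next line, `for (; *p; ++p);`, walks forward until it finds a NUL. The final byte of `tbuf` is never written by the copy, so setting it explicitly right after the strncpy closes the gap: `tbuf[sizeof(tbuf) - 1] = '\0';`. The later hunk in this file does set that byte, but only on the console fallback path.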
@@ -146,6 +146,11 @@ vsyslog(pri, fmt, ap)
}
(void)vsprintf(p, fmt_cpy, ap);
+ /* Bounds checking?? If a system doesn't have syslog, we
+ probably can't rely on it having vsnprintf either. Try not
+ to let a buffer overrun be exploited. */
+ if (strlen (tbuf) >= sizeof (tbuf))
+ abort ();
/* output the message to the local logger */
if (send(LogFile, tbuf, cnt = strlen(tbuf), 0) >= 0 ||
@@ -169,7 +174,8 @@ vsyslog(pri, fmt, ap)
if ((fd = open(CONSOLE, O_WRONLY, 0)) < 0)
return;
(void)alarm((u_int)0);
- (void)strcat(tbuf, "\r");
+ tbuf[sizeof(tbuf) - 1] = '\0';
+ (void)strncat(tbuf, "\r", sizeof(tbuf) - 1 - strlen(tbuf));
p = strchr(tbuf, '>') + 1;
(void)write(fd, p, cnt + 1 - (p - tbuf));
(void)close(fd);
diff --git a/src/lib/krb5/rcache/ChangeLog b/src/lib/krb5/rcache/ChangeLog
index a3b8b4f..9683a88 100644
--- a/src/lib/krb5/rcache/ChangeLog
+++ b/src/lib/krb5/rcache/ChangeLog
@@ -1,3 +1,25 @@
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * rc_io.c, rc_dfl.c: use "" includes for krb5.h and k5-int.h
+
+2001-01-23 Tom Yu <tlyu@mit.edu>
+
+ * rc_io.c (getdir, krb5_rc_io_creat): Undo prior fudge; dirlen
+ will now not include trailing NUL character.
+
+2001-01-17 Tom Yu <tlyu@mit.edu>
+
+ * rc_io.c (krb5_rc_io_creat): Fudge for dirlen including trailing
+ NUL character.
+ (krb5_rc_io_move): When renaming OLD to NEW, don't copy the
+ filename. This was causing temporary files to get leaked.
+ (krb5_rc_io_close): Don't FREE if d->fn is NULL.
+
+2000-04-28 Nalin Dahyabhai <nalin@redhat.com>
+
+ * rc_io.c (getdir): Don't check dirlen again, the call sites
+ always do. Fix dirlen calculation.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5/rcache/rc_dfl.c b/src/lib/krb5/rcache/rc_dfl.c
index a86f42e..4760e59 100644
--- a/src/lib/krb5/rcache/rc_dfl.c
+++ b/src/lib/krb5/rcache/rc_dfl.c
@@ -14,7 +14,7 @@
#include "rc_base.h"
#include "rc_dfl.h"
#include "rc_io.h"
-#include <k5-int.h>
+#include "k5-int.h"
/*
If NOIOSTUFF is defined at compile time, dfl rcaches will be per-process.
diff --git a/src/lib/krb5/rcache/rc_io.c b/src/lib/krb5/rcache/rc_io.c
index d45c7a1..f29c161 100644
--- a/src/lib/krb5/rcache/rc_io.c
+++ b/src/lib/krb5/rcache/rc_io.c
@@ -21,7 +21,7 @@
#define NEED_SOCKETS
#define NEED_LOWLEVEL_IO
-#include <krb5.h>
+#include "krb5.h"
#include <stdio.h> /* for P_tmpdir */
#include "rc_base.h"
#include "rc_dfl.h"
@@ -57,13 +57,11 @@ static char *dir;
static void getdir()
{
- if (!dirlen)
- {
if (!(dir = getenv("KRB5RCACHEDIR")))
#if defined(_MSDOS) || defined(_WIN32)
if (!(dir = getenv("TEMP")))
if (!(dir = getenv("TMP")))
- dir = "C:\\";
+ dir = "C:";
#else
if (!(dir = getenv("TMPDIR")))
#ifdef RCTMPDIR
@@ -72,8 +70,7 @@ static void getdir()
dir = "/tmp";
#endif
#endif
- dirlen = strlen(dir) + 1;
- }
+ dirlen = strlen(dir) + sizeof(PATH_SEPARATOR) - 1;
}
krb5_error_code krb5_rc_io_creat (context, d, fn)
@@ -245,33 +242,32 @@ krb5_error_code krb5_rc_io_move (context, new, old)
krb5_rc_iostuff *new;
krb5_rc_iostuff *old;
{
+ char *fn = NULL;
+
#if defined(_MSDOS) || defined(_WIN32)
/*
* Work around provided by Tom Sanfilippo to work around poor
* Windows emulation of POSIX functions. Rename and dup has
* different semantics!
*/
- char *fn = NULL;
GETDIR;
close(new->fd);
unlink(new->fn);
close(old->fd);
if (rename(old->fn,new->fn) == -1) /* MUST be atomic! */
return KRB5_RC_IO_UNKNOWN;
- if (!(fn = malloc(strlen(new->fn) - dirlen + 1)))
- return KRB5_RC_IO_MALLOC;
- strcpy(fn, new->fn + dirlen);
+ fn = new->fn;
+ new->fn = NULL; /* avoid clobbering */
krb5_rc_io_close(context, new);
krb5_rc_io_open(context, new, fn);
free(fn);
#else
if (rename(old->fn,new->fn) == -1) /* MUST be atomic! */
return KRB5_RC_IO_UNKNOWN;
+ fn = new->fn;
+ new->fn = NULL; /* avoid clobbering */
(void) krb5_rc_io_close(context, new);
- new->fn = malloc(strlen(old->fn)+1);
- if (new->fn == 0)
- return ENOMEM;
- strcpy(new->fn, old->fn);
+ new->fn = fn;
#ifdef macintosh
new->fd = fcntl(old->fd, F_DUPFD);
#else
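Review bot: In the Windows branch `fn` now holds the full path taken from `new->fn`, whereas the removed code passed `new->fn + dirlen`, the name with the directory prefix skipped, to `krb5_rc_io_open`. If `krb5_rc_io_open` prepends the cache directory itself (its body is not part of this diff), the reopened name will no longer match the file that was just renamed. The result of that `krb5_rc_io_open` call is also discarded, so the caller gets success even if the replay cache could not be reopened; capturing it and returning it after `free(fn)` would surface the failure. krb5_rc_io_move continues outside the hunk.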
@@ -342,7 +338,8 @@ krb5_error_code krb5_rc_io_close (context, d)
krb5_context context;
krb5_rc_iostuff *d;
{
- FREE(d->fn);
+ if (d->fn != NULL)
+ FREE(d->fn);
d->fn = NULL;
if (close(d->fd) == -1) /* can't happen */
return KRB5_RC_IO_UNKNOWN;
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index 4c5f271..f4e1598 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -9,19 +9,84 @@
; Key:
;
-; gssapi - used by GSS API (not part of krb5 API)
-; !CALLCONV - entrypoint that should have used KRB5_CALLCONV, but did not due
-; developer error
-
-;LIBRARY KRB5
-DESCRIPTION 'DLL for Kerberos 5'
-HEAPSIZE 8192
+; PRIVATE - Private entrypoint. It should not be called by anything other
+; than gssapi32.dll or krb4_32.dll.
+; GSSAPI - Private entrypoint used by gssapi32.dll.
+; KRB4 - Private entrypoint used by krb4_32.dll.
+; KRB5_CALLCONV_WRONG - entrypoint that should have used KRB5_CALLCONV, but
+; did not due to developer error
EXPORTS
-; Kerberos 5
+
+ krb5_425_conv_principal
+ krb5_524_conv_principal
+ krb5_address_compare
+ krb5_address_order
+ krb5_address_search ; KRB5_CALLCONV_WRONG
+ krb5_aname_to_localname
+ krb5_appdefault_boolean
+ krb5_appdefault_string
+ krb5_auth_con_free
+ krb5_auth_con_genaddrs
+ krb5_auth_con_getaddrs
+ krb5_auth_con_getauthenticator
+ krb5_auth_con_getflags
+ krb5_auth_con_getkey
+ krb5_auth_con_getlocalseqnumber
+ krb5_auth_con_getlocalsubkey
+ krb5_auth_con_getrcache ; KRB5_CALLCONV_WRONG
+ krb5_auth_con_getremoteseqnumber
+ krb5_auth_con_getremotesubkey
+ krb5_auth_con_init
+ krb5_auth_con_initivector ; DEPRECATED
+ krb5_auth_con_setaddrs ; KRB5_CALLCONV_WRONG
+ krb5_auth_con_setflags
+ krb5_auth_con_setports
+ krb5_auth_con_setrcache
+ krb5_auth_con_setuseruserkey
krb5_build_principal
krb5_build_principal_ext
- krb5_copy_addr
+ krb5_build_principal_va
+ krb5_c_block_size
+ krb5_c_checksum_length
+ krb5_c_decrypt
+ krb5_c_encrypt
+ krb5_c_encrypt_length
+ krb5_c_enctype_compare
+ krb5_c_is_coll_proof_cksum
+ krb5_c_is_keyed_cksum
+ krb5_c_keyed_checksum_types
+ krb5_c_make_checksum
+ krb5_c_make_random_key
+ krb5_c_random_make_octets
+ krb5_c_random_seed
+ krb5_c_string_to_key
+ krb5_c_valid_cksumtype
+ krb5_c_valid_enctype
+ krb5_c_verify_checksum
+ krb5_calculate_checksum
+ krb5_cc_close
+ krb5_cc_copy_creds
+ krb5_cc_default
+ krb5_cc_default_name
+ krb5_cc_destroy
+ krb5_cc_end_seq_get
+ krb5_cc_gen_new
+ krb5_cc_get_name
+ krb5_cc_get_principal
+ krb5_cc_get_type
+ krb5_cc_initialize
+ krb5_cc_next_cred
+ krb5_cc_remove_cred
+ krb5_cc_resolve
+ krb5_cc_retrieve_cred
+ krb5_cc_set_default_name
+ krb5_cc_set_flags
+ krb5_cc_start_seq_get
+ krb5_cc_store_cred
+ krb5_change_password
+ krb5_checksum_size
+ krb5_cksumtype_to_string
krb5_copy_addresses
krb5_copy_authdata
krb5_copy_authenticator
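Review bot: The `Key:` legend does not define `DEPRECATED`, although the tag is used on `krb5_auth_con_initivector` in this hunk and on the `krb5_get_in_tkt*` entries in the next one. A legend line such as `; DEPRECATED - entrypoint kept for existing callers; new code should not use it` would complete the key, assuming that is the intended meaning. The `k5-int.h` and `krb5.hin` markers on the private exports at the end of the file are likewise unexplained; one line saying they name the header that declares the symbol (if that is what they mean) would help.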
@@ -32,75 +97,86 @@ EXPORTS
krb5_copy_keyblock_contents
krb5_copy_principal
krb5_copy_ticket
- krb5_decrypt_tkt_part
- krb5_free_address
+ krb5_decode_ticket
+ krb5_decrypt
+ krb5_deltat_to_string
+ krb5_eblock_enctype
+ krb5_encrypt
+ krb5_encrypt_size
+ krb5_enctype_to_string
+ krb5_finish_key
+ krb5_finish_random_key
krb5_free_addresses
- krb5_free_ap_rep
krb5_free_ap_rep_enc_part
- krb5_free_ap_req
krb5_free_authdata
krb5_free_authenticator
- krb5_free_authenticator_contents
krb5_free_checksum
- krb5_free_config_files
+ krb5_free_checksum_contents
+ krb5_free_cksumtypes
+ krb5_free_config_files
krb5_free_context
- krb5_free_cred
krb5_free_cred_contents
- krb5_free_cred_enc_part
krb5_free_creds
krb5_free_data
krb5_free_data_contents
- krb5_free_enc_kdc_rep_part
- krb5_free_enc_tkt_part
+ krb5_free_default_realm
krb5_free_error
krb5_free_host_realm
- krb5_free_kdc_rep
- krb5_free_kdc_req
krb5_free_keyblock
krb5_free_keyblock_contents
- krb5_free_last_req
- krb5_free_pa_data
+ krb5_free_keytab_entry_contents
krb5_free_principal
- krb5_free_priv
- krb5_free_priv_enc_part
- krb5_free_pwd_data
- krb5_free_pwd_sequences
- krb5_free_safe
krb5_free_tgt_creds
krb5_free_ticket
- krb5_free_tickets
- krb5_free_tkt_authent
- krb5_free_checksum_contents
- krb5_free_cksumtypes
+ krb5_free_unparsed_name
krb5_fwd_tgt_creds
krb5_get_credentials
krb5_get_credentials_renew
krb5_get_credentials_validate
- krb5_get_default_config_files
+ krb5_get_default_config_files
krb5_get_default_realm
krb5_get_host_realm
- krb5_get_realm_domain
- krb5_get_in_tkt
- krb5_get_in_tkt_with_keytab
- krb5_get_in_tkt_with_password
- krb5_get_in_tkt_with_skey
+ krb5_get_in_tkt ; DEPRECATED
+ krb5_get_in_tkt_with_keytab ; DEPRECATED
+ krb5_get_in_tkt_with_password ; DEPRECATED
+ krb5_get_in_tkt_with_skey ; DEPRECATED
+ krb5_get_init_creds_keytab
krb5_get_init_creds_opt_init
- krb5_get_init_creds_opt_set_tkt_life
- krb5_get_init_creds_opt_set_renew_life
- krb5_get_init_creds_opt_set_forwardable
- krb5_get_init_creds_opt_set_proxiable
- krb5_get_init_creds_opt_set_etype_list
krb5_get_init_creds_opt_set_address_list
+ krb5_get_init_creds_opt_set_etype_list
+ krb5_get_init_creds_opt_set_forwardable
krb5_get_init_creds_opt_set_preauth_list
+ krb5_get_init_creds_opt_set_proxiable
+ krb5_get_init_creds_opt_set_renew_life
krb5_get_init_creds_opt_set_salt
+ krb5_get_init_creds_opt_set_tkt_life
krb5_get_init_creds_password
- krb5_get_init_creds_keytab
- krb5_get_init_creds_opt_init
- krb5_get_validated_creds
+ krb5_get_prompt_types
krb5_get_renewed_creds
- krb5_get_notification_message
+ krb5_get_server_rcache
+ krb5_get_time_offsets
+ krb5_get_validated_creds
krb5_init_context
+ krb5_init_keyblock
+ krb5_init_random_key
+ krb5_init_secure_context
+ krb5_kt_add_entry
+ krb5_kt_close
+ krb5_kt_default
+ krb5_kt_default_name
+ krb5_kt_end_seq_get
+ krb5_kt_get_entry
+ krb5_kt_get_name
+ krb5_kt_get_type
+ krb5_kt_next_entry
+ krb5_kt_read_service_key
+ krb5_kt_remove_entry
+ krb5_kt_resolve
+ krb5_kt_start_seq_get
+ krb5_kuserok
+ krb5_mk_1cred
krb5_mk_error
+ krb5_mk_ncred
krb5_mk_priv
krb5_mk_rep
krb5_mk_req
@@ -109,8 +185,9 @@ EXPORTS
krb5_os_localaddr
krb5_parse_name
krb5_principal_compare
+ krb5_process_key
krb5_prompter_posix
- krb5_get_prompt_types
+ krb5_random_key
krb5_rd_cred
krb5_rd_error
krb5_rd_priv
@@ -118,136 +195,65 @@ EXPORTS
krb5_rd_req
krb5_rd_safe
krb5_read_password
+ krb5_realm_compare
krb5_recvauth
+ krb5_recvauth_version
+ krb5_salttype_to_string
krb5_sendauth
+ krb5_set_default_realm
+ krb5_set_default_tgs_enctypes
+ krb5_set_principal_realm
krb5_sname_to_principal
- krb5_timeofday
- krb5_unparse_name
- krb5_unparse_name_ext
- krb5_free_unparsed_name
- krb5_us_timeofday
- krb5_get_server_rcache
-;
- krb5_use_enctype
- krb5_checksum_size
- krb5_encrypt_size
- krb5_calculate_checksum
- krb5_verify_checksum
- krb5_eblock_enctype
-;
- krb5_decrypt
- krb5_encrypt
- krb5_string_to_key
- krb5_process_key
- krb5_finish_key
- krb5_init_random_key
- krb5_finish_random_key
- krb5_random_key
-;
- krb5_c_decrypt
- krb5_c_encrypt
- krb5_c_encrypt_length
- krb5_c_checksum_length
- krb5_c_block_size
- krb5_c_make_checksum
- krb5_c_verify_checksum
- krb5_c_random_make_octets
- krb5_c_keyed_checksum_types
-;
- krb5_425_conv_principal
- krb5_524_conv_principal
-;
- krb5_cksumtype_to_string
- krb5_deltat_to_string
- krb5_enctype_to_string
- krb5_salttype_to_string
krb5_string_to_cksumtype
krb5_string_to_deltat
krb5_string_to_enctype
+ krb5_string_to_key
krb5_string_to_salttype
krb5_string_to_timestamp
+ krb5_timeofday
krb5_timestamp_to_sfstring
krb5_timestamp_to_string
-;
- krb5_auth_con_free
- krb5_auth_con_genaddrs
- krb5_auth_con_getflags
- krb5_auth_con_getkey
- krb5_auth_con_getlocalsubkey
- krb5_auth_con_getremotesubkey
- krb5_auth_con_init
- krb5_auth_con_setaddrs ; !CALLCONV
- krb5_auth_con_setflags
- krb5_auth_con_getlocalseqnumber
- krb5_auth_con_getremoteseqnumber
- krb5_auth_con_setuseruserkey
- krb5_auth_con_getauthenticator
- krb5_auth_con_set_req_cksumtype
- krb5_auth_con_setrcache
-;
- krb5_cc_default
- krb5_cc_default_name
- krb5_cc_register
- krb5_cc_resolve
- krb5_cc_set_default_name
-;
- krb5_kt_default
- krb5_kt_register
- krb5_kt_resolve
- krb5_kt_add_entry
- krb5_kt_free_entry
- krb5_kt_read_service_key
- krb5_kt_remove_entry
+ krb5_unparse_name
+ krb5_unparse_name_ext
+ krb5_us_timeofday
+ krb5_use_enctype
+ krb5_verify_checksum
+ krb5_verify_init_creds
+ krb5_verify_init_creds_opt_init
+ krb5_verify_init_creds_opt_set_ap_req_nofail
-;Kadm routines
-; krb5_adm_connect
-; krb5_adm_disconnect
-; krb5_free_adm_data
-; krb5_read_adm_reply
-; krb5_send_adm_cmd
+; To Add (exported on Mac OS X):
+; krb5_get_profile
- krb5_change_password
-;
- krb5_write_message
- krb5_read_message
- krb5_net_write
- krb5_net_read
- krb5_encrypt
- krb5_decrypt
- krb5_encrypt_size
-;
-; Added for Kermit 95
- krb5_address_search ; !CALLCONV
- krb5_auth_con_getrcache ; !CALLCONV
- krb5_c_enctype_compare
-;
- krb5_kuserok
-;
-; Added for 1.2:
- krb5_decode_ticket
-;
; Temporary exports (DO NOT USE)
-; decode_krb5_ticket -- no longer in library
- des_ecb_encrypt
- des_new_random_key
- des_key_sched
- des_pcbc_encrypt
- des_quad_cksum
- des_string_to_key
-; des_set_random_generator_seed -- no longer in library
- des_init_random_number_generator
- krb5_random_confounder
- krb5_size_opaque
- krb5_internalize_opaque
- krb5_externalize_opaque
- krb5_ser_pack_int32
- krb5_ser_unpack_int32
- krb5_ser_pack_bytes
- krb5_ser_unpack_bytes
- krb5_ser_auth_context_init
- krb5_ser_context_init
- krb5_ser_ccache_init
- krb5_ser_keytab_init
- krb5_ser_rcache_init
- decode_krb5_ap_req ; gssapi
- krb5_mcc_ops
+
+; DO NOT USE -- Currently required for krb4_32.dll
+ des_ecb_encrypt ; PRIVATE KRB4
+ des_new_random_key ; PRIVATE KRB4
+ des_key_sched ; PRIVATE KRB4
+ des_pcbc_encrypt ; PRIVATE KRB4
+ des_quad_cksum ; PRIVATE KRB4
+ des_string_to_key ; PRIVATE KRB4
+ des_init_random_number_generator ; PRIVATE KRB4
+
+; DO NOT USE -- Currently required to implement gssapi32.dll
+ decode_krb5_ap_req ; PRIVATE GSSAPI k5-int.h KRB5_CALLCONV_WRONG
+ krb5_externalize_opaque ; PRIVATE GSSAPI k5-int.h
+ krb5_internalize_opaque ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_auth_context_init ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_ccache_init ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_context_init ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_keytab_init ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_pack_bytes ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_pack_int32 ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_rcache_init ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_unpack_bytes ; PRIVATE GSSAPI k5-int.h
+ krb5_ser_unpack_int32 ; PRIVATE GSSAPI k5-int.h
+ krb5_size_opaque ; PRIVATE GSSAPI k5-int.h
+ krb5int_cc_default ; PRIVATE GSSAPI k5-int.h
+
+ krb5_free_ap_req ; PRIVATE GSSAPI krb5.hin
+ krb5_free_ktypes ; PRIVATE GSSAPI krb5.hin
+ krb5_get_tgs_ktypes ; PRIVATE GSSAPI krb5.hin
+ krb5_auth_con_set_req_cksumtype ; PRIVATE GSSAPI krb5.hin
+ krb5_kt_free_entry ; PRIVATE GSSAPI krb5.hin
diff --git a/src/lib/krb5util/ChangeLog b/src/lib/krb5util/ChangeLog
index ec629cb..8f671a0 100644
--- a/src/lib/krb5util/ChangeLog
+++ b/src/lib/krb5util/ChangeLog
@@ -1,3 +1,8 @@
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * compat_recv.c (krb5_compat_recvauth_version): Variant of
+ krb5_compat_recvauth, similar to krb5_recvauth_version.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/lib/krb5util/compat_recv.c b/src/lib/krb5util/compat_recv.c
index ec6b151..ee7df24 100644
--- a/src/lib/krb5util/compat_recv.c
+++ b/src/lib/krb5util/compat_recv.c
@@ -193,6 +193,151 @@ krb5_compat_recvauth(context, auth_context,
return retval;
}
+krb5_error_code
+krb5_compat_recvauth_version(context, auth_context,
+ /* IN */
+ fdp, server, flags, keytab,
+ v4_options, v4_service, v4_instance, v4_faddr,
+ v4_laddr,
+ v4_filename,
+ /* OUT */
+ ticket,
+ auth_sys, v4_kdata, v4_schedule,
+ version)
+ krb5_context context;
+ krb5_auth_context *auth_context;
+ krb5_pointer fdp;
+ krb5_principal server;
+ krb5_int32 flags;
+ krb5_keytab keytab;
+ krb5_ticket ** ticket;
+ krb5_int32 *auth_sys;
+
+ /*
+ * Version 4 arguments
+ */
+ krb5_int32 v4_options; /* bit-pattern of options */
+ char *v4_service; /* service expected */
+ char *v4_instance; /* inst expected (may be filled in) */
+ struct sockaddr_in *v4_faddr; /* foreign address */
+ struct sockaddr_in *v4_laddr; /* local address */
+ AUTH_DAT **v4_kdata; /* kerberos data (returned) */
+ char *v4_filename; /* name of file with service keys */
+ Key_schedule v4_schedule; /* key schedule (return) */
+ krb5_data *version; /* application version filled in */
+{
+ union verslen {
+ krb5_int32 len;
+ char vers[4];
+ } vers;
+ char *buf;
+ int len, length;
+ krb5_int32 retval;
+ int fd = *( (int *) fdp);
+#ifdef KRB5_KRB4_COMPAT
+ KTEXT v4_ticket; /* storage for client's ticket */
+#endif
+
+ if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
+ return((retval < 0) ? errno : ECONNABORTED);
+
+#ifdef KRB5_KRB4_COMPAT
+ if (!strncmp(vers.vers, KRB_V4_SENDAUTH_VERS, 4)) {
+ /*
+ * We must be talking to a V4 sendauth; read in the
+ * rest of the version string and make sure.
+ */
+ if ((retval = krb5_net_read(context, fd, vers.vers, 4)) != 4)
+ return((retval < 0) ? errno : ECONNABORTED);
+
+ if (strncmp(vers.vers, KRB_V4_SENDAUTH_VERS+4, 4))
+ return KRB5_SENDAUTH_BADAUTHVERS;
+
+ *auth_sys = KRB5_RECVAUTH_V4;
+
+ *v4_kdata = (AUTH_DAT *) malloc( sizeof(AUTH_DAT) );
+ v4_ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
+
+ version->length = KRB_SENDAUTH_VLEN; /* no trailing \0! */
+ version->data = malloc (KRB_SENDAUTH_VLEN + 1);
+ version->data[KRB_SENDAUTH_VLEN] = 0;
+ if (version->data == 0)
+ return errno;
+ retval = krb_v4_recvauth(v4_options, fd, v4_ticket,
+ v4_service, v4_instance, v4_faddr,
+ v4_laddr, *v4_kdata, v4_filename,
+ v4_schedule, version->data);
+ krb5_xfree(v4_ticket);
+ /*
+ * XXX error code translation?
+ */
+ switch (retval) {
+ case RD_AP_OK:
+ return 0;
+ case RD_AP_TIME:
+ return KRB5KRB_AP_ERR_SKEW;
+ case RD_AP_EXP:
+ return KRB5KRB_AP_ERR_TKT_EXPIRED;
+ case RD_AP_NYV:
+ return KRB5KRB_AP_ERR_TKT_NYV;
+ case RD_AP_NOT_US:
+ return KRB5KRB_AP_ERR_NOT_US;
+ case RD_AP_UNDEC:
+ return KRB5KRB_AP_ERR_BAD_INTEGRITY;
+ case RD_AP_REPEAT:
+ return KRB5KRB_AP_ERR_REPEAT;
+ case RD_AP_MSG_TYPE:
+ return KRB5KRB_AP_ERR_MSG_TYPE;
+ case RD_AP_MODIFIED:
+ return KRB5KRB_AP_ERR_MODIFIED;
+ case RD_AP_ORDER:
+ return KRB5KRB_AP_ERR_BADORDER;
+ case RD_AP_BADD:
+ return KRB5KRB_AP_ERR_BADADDR;
+ default:
+ return KRB5_SENDAUTH_BADRESPONSE;
+ }
+ }
+#endif
+
+ /*
+ * Assume that we're talking to a V5 recvauth; read in the
+ * the version string, and make sure it matches.
+ */
+
+ len = (int) ntohl(vers.len);
+
+ if (len < 0 || len > 255)
+ return KRB5_SENDAUTH_BADAUTHVERS;
+
+ buf = malloc(len);
+ if (!buf)
+ return ENOMEM;
+
+ length = krb5_net_read(context, fd, buf, len);
+ if (len != length) {
+ krb5_xfree(buf);
+ if (len < 0)
+ return errno;
+ else
+ return ECONNABORTED;
+ }
+
+ if (strcmp(buf, KRB_V5_SENDAUTH_VERS)) {
+ krb5_xfree(buf);
+ return KRB5_SENDAUTH_BADAUTHVERS;
+ }
+ krb5_xfree(buf);
+
+ *auth_sys = KRB5_RECVAUTH_V5;
+
+ retval = krb5_recvauth_version(context, auth_context, fdp, server,
+ flags | KRB5_RECVAUTH_SKIP_VERSION,
+ keytab, ticket, version);
+
+ return retval;
+}
+
#ifndef max
#define max(a,b) (((a) > (b)) ? (a) : (b))
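Review bot: In the V5 path the peer-supplied version string goes to `strcmp` without any check that it is NUL-terminated within the `len` bytes read, so a peer that omits the terminator makes the comparison read past `buf`; a length of 0 also passes the range check and reaches `malloc(0)`. In the V4 path `version->data[KRB_SENDAUTH_VLEN] = 0` runs before the `version->data == 0` test, and the two `malloc` results just above it are never checked. The short-read branch tests `len < 0`, which the range check has already excluded, where `length < 0` appears to be intended. The fence shows the reordered allocation checks and the terminator check.

```c
	/* ... unchanged: V4 version-string check, *auth_sys = KRB5_RECVAUTH_V4 ... */
	*v4_kdata = (AUTH_DAT *) malloc(sizeof(AUTH_DAT));
	v4_ticket = (KTEXT) malloc(sizeof(KTEXT_ST));
	version->length = KRB_SENDAUTH_VLEN; /* no trailing \0! */
	version->data = malloc(KRB_SENDAUTH_VLEN + 1);
	if (*v4_kdata == 0 || v4_ticket == 0 || version->data == 0) {
	    /* free(NULL) is a no-op, so release whatever was obtained. */
	    free(*v4_kdata);
	    *v4_kdata = 0;
	    free(v4_ticket);
	    free(version->data);
	    version->data = 0;
	    return ENOMEM;
	}
	version->data[KRB_SENDAUTH_VLEN] = 0;
	/* ... unchanged: krb_v4_recvauth call and error-code translation ... */

    /* ... unchanged: len = (int) ntohl(vers.len) ... */
    if (len <= 0 || len > 255)
	return KRB5_SENDAUTH_BADAUTHVERS;
    /* ... unchanged: buf = malloc(len) and its NULL check ... */
    length = krb5_net_read(context, fd, buf, len);
    if (len != length) {
	/* Pick the error before freeing so errno is not disturbed. */
	retval = (length < 0) ? errno : ECONNABORTED;
	krb5_xfree(buf);
	return retval;
    }
    /* The string came from the peer: require the terminator to lie
       inside the bytes actually read before comparing. */
    if (buf[len - 1] != '\0' || strcmp(buf, KRB_V5_SENDAUTH_VERS)) {
	/* ... unchanged: free buf, return KRB5_SENDAUTH_BADAUTHVERS ... */
```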
diff --git a/src/lib/rpc/ChangeLog b/src/lib/rpc/ChangeLog
index 8467267..f1ffbeb 100644
--- a/src/lib/rpc/ChangeLog
+++ b/src/lib/rpc/ChangeLog
@@ -1,3 +1,67 @@
+2003-03-24 Tom Yu <tlyu@mit.edu>
+
+ * xdr_mem.c (xdrmem_create): Perform some additional size checks.
+ (xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes): Check x_handy
+ prior to decrementing it.
+
+2002-08-12 Tom Yu <tlyu@mit.edu>
+
+ * xdr.c (xdr_string): Fix off-by-one error; we're not vulnerable,
+ since we don't call it.
+
+ * xdr_array.c (xdr_array): Account for elsize when checking
+ encoded array count.
+
+ [pullups from trunk]
+
+2001-12-18 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for strerror.
+ * clnt_perror.c (strerror) [!HAVE_STRERROR]: Define, with
+ out-of-range check using sys_nerr.
+ (sys_nerr) [!HAVE_STRERROR]: Declare at top level instead of in
+ clnt_spcreateerror.
+ (clnt_sperror, clnt_spcreateerror): Use strerror always. Skip
+ range check.
+
+2000-06-21 Tom Yu <tlyu@mit.edu>
+
+ * svc_auth_gssapi.c (_svcauth_gssapi): Missed a rename. From
+ Nathan Neulinger.
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * pmap_rmt.c (GIFCONF_BUFSIZE): New macro.
+ (getbroadcastnets): Use it for buffer size.
+ (clnt_broadcast): Make buffer at least that big.
+
+ * get_myaddress.c (get_myaddress): Increase buffer size.
+
+2000-05-18 Ken Raeburn <raeburn@mit.edu>
+
+ * auth_gssapi_misc.c (auth_gssapi_display_status_1): Don't pass a
+ gss_buffer_desc to fprintf.
+
+ * clnt_tcp.c (clnttcp_create): Initialize "ct".
+ * clnt_udp.c (clntudp_bufcreate): Initialize "cu".
+
+ * svc_auth_gssapi.c (_svcauth_gssapi, create_client,
+ destroy_client, dump_db, clean_client): Use %p format for
+ displaying pointers. Remove unused variables.
+
+2000-05-17 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * clnt_perror.c (clnt_sperror): Don't overflow buffer "str" beyond
+ known allocation size.
+ * clnt_simple.c (gssrpc_callrpc): Don't overfill buffer "crp->oldhost".
+
+2000-05-03 Nalin Dahyabhai <nalin@redhat.com>
+
+ * clnt_perror.c (_buf): Use bigger buffer.
+ (clnt_spcreateerror): Don't overflow buffer "buf" beyond known
+ allocation size.
+
2000-02-22 Donn Cave <donn@u.washington.edu>
* Makefile.in (includes): Extract basename of header file to be
diff --git a/src/lib/rpc/auth_gssapi_misc.c b/src/lib/rpc/auth_gssapi_misc.c
index fd9393c..e7c38a8 100644
--- a/src/lib/rpc/auth_gssapi_misc.c
+++ b/src/lib/rpc/auth_gssapi_misc.c
@@ -162,15 +162,17 @@ static void auth_gssapi_display_status_1(m, code, type, rec)
auth_gssapi_display_status_1(m,gssstat,GSS_C_GSS_CODE,1);
auth_gssapi_display_status_1(m, minor_stat,
GSS_C_MECH_CODE, 1);
- } else
- fprintf(stderr,
- "GSS-API authentication error %s: recursive failure!\n",
- msg);
+ } else {
+ fputs ("GSS-API authentication error ", stderr);
+ fwrite (msg.value, msg.length, 1, stderr);
+ fputs (": recursive failure!\n", stderr);
+ }
return;
}
-
- fprintf(stderr, "GSS-API authentication error %s: %s\n", m,
- (char *)msg.value);
+
+ fprintf (stderr, "GSS-API authentication error %s: ", m);
+ fwrite (msg.value, msg.length, 1, stderr);
+ putc ('\n', stderr);
(void) gss_release_buffer(&minor_stat, &msg);
if (!msg_ctx)
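Review bot: The `fwrite (msg.value, msg.length, 1, stderr)` in the `recursive failure` branch prints `msg` on what looks like the path where the status lookup itself failed (the enclosing condition is above the hunk), so `msg` may not describe a valid buffer there. If that reading is right, printing the caller's `m` instead, `fprintf (stderr, "GSS-API authentication error %s: recursive failure!\n", m);`, avoids touching `msg` on that path. The second `fwrite`, on the success path, correctly stops treating `msg.value` as a NUL-terminated string.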
diff --git a/src/lib/rpc/clnt_perror.c b/src/lib/rpc/clnt_perror.c
index 560cb27..7d05cc4 100644
--- a/src/lib/rpc/clnt_perror.c
+++ b/src/lib/rpc/clnt_perror.c
@@ -45,9 +45,14 @@ static char sccsid[] = "@(#)clnt_perror.c 1.15 87/10/07 Copyr 1984 Sun Micro";
#include <gssrpc/auth.h>
#include <gssrpc/clnt.h>
+#ifndef HAVE_STRERROR
#ifdef NEED_SYS_ERRLIST
extern char *sys_errlist[];
#endif
+extern int sys_nerr;
+#undef strerror
+#define strerror(N) (((N) > 0 && (N) < sys_nerr) ? sys_errlist[N] : (char *)0)
+#endif /* HAVE_STRERROR */
static char *auth_errmsg();
@@ -57,9 +62,8 @@ static char *buf;
static char *
_buf()
{
-
- if (buf == 0)
- buf = (char *)malloc(256);
+ if (buf == NULL)
+ buf = (char *)malloc(BUFSIZ);
return (buf);
}
@@ -74,17 +78,20 @@ clnt_sperror(rpch, s)
struct rpc_err e;
void clnt_perrno();
char *err;
- char *str = _buf();
+ char *bufstart = _buf();
+ char *str = bufstart;
char *strstart = str;
if (str == 0)
return (0);
CLNT_GETERR(rpch, &e);
- (void) sprintf(str, "%s: ", s);
+ strncpy (str, s, BUFSIZ - 1);
+ str[BUFSIZ - 1] = 0;
+ strncat (str, ": ", BUFSIZ - 1 - strlen (bufstart));
str += strlen(str);
-
- (void) strcpy(str, clnt_sperrno(e.re_status));
+ strncat (str, clnt_sperrno(e.re_status), BUFSIZ - 1 - strlen (bufstart));
+ str[BUFSIZ - 1] = '\0';
str += strlen(str);
switch (e.re_status) {
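Review bot: `str[BUFSIZ - 1] = '\0'` after the second `strncat` runs once `str` has already been advanced by `str += strlen(str)`, so it stores a byte beyond the `BUFSIZ` bytes that `_buf()` allocates. `strncat` always terminates its result, so the line can simply be dropped, or written against the start of the buffer as `bufstart[BUFSIZ - 1] = '\0';`. clnt_sperror continues outside this hunk.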
@@ -105,47 +112,64 @@ clnt_sperror(rpch, s)
case RPC_CANTSEND:
case RPC_CANTRECV:
- (void) sprintf(str, "; errno = %s",
- sys_errlist[e.re_errno]);
+ /* 10 for the string */
+ if(str - bufstart + 10 + strlen(strerror(e.re_errno)) < BUFSIZ)
+ (void) sprintf(str, "; errno = %s",
+ strerror(e.re_errno));
str += strlen(str);
break;
case RPC_VERSMISMATCH:
- (void) sprintf(str,
- "; low version = %lu, high version = %lu",
- e.re_vers.low, e.re_vers.high);
+ /* 33 for the string, 22 for the numbers */
+ if(str - bufstart + 33 + 22 < BUFSIZ)
+ (void) sprintf(str,
+ "; low version = %lu, high version = %lu",
+ (unsigned long) e.re_vers.low,
+ (unsigned long) e.re_vers.high);
str += strlen(str);
break;
case RPC_AUTHERROR:
err = auth_errmsg(e.re_why);
- (void) sprintf(str,"; why = ");
+ /* 8 for the string */
+ if(str - bufstart + 8 < BUFSIZ)
+ (void) sprintf(str,"; why = ");
str += strlen(str);
if (err != NULL) {
- (void) sprintf(str, "%s",err);
+ if(str - bufstart + strlen(err) < BUFSIZ)
+ (void) sprintf(str, "%s",err);
} else {
+ /* 33 for the string, 11 for the number */
+ if(str - bufstart + 33 + 11 < BUFSIZ)
(void) sprintf(str,
- "(unknown authentication error - %d)",
- (int) e.re_why);
+ "(unknown authentication error - %d)",
+ (int) e.re_why);
}
str += strlen(str);
break;
case RPC_PROGVERSMISMATCH:
- (void) sprintf(str,
- "; low version = %lu, high version = %lu",
- e.re_vers.low, e.re_vers.high);
+ /* 33 for the string, 22 for the numbers */
+ if(str - bufstart + 33 + 22 < BUFSIZ)
+ (void) sprintf(str,
+ "; low version = %lu, high version = %lu",
+ (unsigned long) e.re_vers.low,
+ (unsigned long) e.re_vers.high);
str += strlen(str);
break;
default: /* unknown */
- (void) sprintf(str,
- "; s1 = %lu, s2 = %lu",
- e.re_lb.s1, e.re_lb.s2);
+ /* 14 for the string, 22 for the numbers */
+ if(str - bufstart + 14 + 22 < BUFSIZ)
+ (void) sprintf(str,
+ "; s1 = %lu, s2 = %lu",
+ (unsigned long) e.re_lb.s1,
+ (unsigned long) e.re_lb.s2);
str += strlen(str);
break;
}
- (void) sprintf(str, "\n");
+ if(str - bufstart + 1 < BUFSIZ)
+ (void) sprintf(str, "\n");
return(strstart) ;
}
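Review bot: On builds without `HAVE_STRERROR`, the `strerror` macro added at the top of this file yields a null pointer for an out-of-range `e.re_errno`, and the `RPC_CANTSEND`/`RPC_CANTRECV` case passes that result straight to `strlen` and to `%s`. Fetch it once and guard it, `const char *m = strerror(e.re_errno);` followed by `if (m && str - bufstart + 10 + strlen(m) < BUFSIZ)`, as the `clnt_spcreateerror` change in this file already does. The hand-counted lengths (10, 33, 22, 14) would be less fragile as `sizeof` of the literal, and the 22 allows ten digits per number, which holds only while the printed values are 32-bit.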
@@ -232,32 +256,34 @@ char *
clnt_spcreateerror(s)
char *s;
{
- extern int sys_nerr;
char *str = _buf();
if (str == 0)
return(0);
(void) sprintf(str, "%s: ", s);
- (void) strcat(str, clnt_sperrno(rpc_createerr.cf_stat));
+ str[BUFSIZ - 1] = '\0';
+ (void) strncat(str, clnt_sperrno(rpc_createerr.cf_stat), BUFSIZ - 1);
switch (rpc_createerr.cf_stat) {
case RPC_PMAPFAILURE:
- (void) strcat(str, " - ");
- (void) strcat(str,
- clnt_sperrno(rpc_createerr.cf_error.re_status));
+ (void) strncat(str, " - ", BUFSIZ - 1 - strlen(str));
+ (void) strncat(str,
+ clnt_sperrno(rpc_createerr.cf_error.re_status),
+ BUFSIZ - 1 - strlen(str));
break;
case RPC_SYSTEMERROR:
- (void) strcat(str, " - ");
- if (rpc_createerr.cf_error.re_errno > 0
- && rpc_createerr.cf_error.re_errno < sys_nerr)
- (void) strcat(str,
- sys_errlist[rpc_createerr.cf_error.re_errno]);
- else
+ (void) strncat(str, " - ", BUFSIZ - 1 - strlen(str));
+ {
+ const char *m = strerror(rpc_createerr.cf_error.re_errno);
+ if (m)
+ (void) strncat(str, m, BUFSIZ - 1 - strlen(str));
+ else
(void) sprintf(&str[strlen(str)], "Error %d",
- rpc_createerr.cf_error.re_errno);
+ rpc_createerr.cf_error.re_errno);
+ }
break;
}
- (void) strcat(str, "\n");
+ (void) strncat(str, "\n", BUFSIZ - 1 - strlen(str));
return (str);
}
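Review bot: `sprintf(str, "%s: ", s)` at the top of clnt_spcreateerror is still unbounded, so a long caller-supplied `s` overruns the `BUFSIZ` buffer before `str[BUFSIZ - 1] = '\0'` runs, and the first `strncat` uses `BUFSIZ - 1` as its limit without subtracting `strlen(str)`. Mirror the clnt_sperror change: `strncpy(str, s, BUFSIZ - 1); str[BUFSIZ - 1] = '\0';`, then `strncat(str, ": ", BUFSIZ - 1 - strlen(str));`, and give the `clnt_sperrno` append the same `BUFSIZ - 1 - strlen(str)` bound. The `sprintf(&str[strlen(str)], "Error %d", ...)` fallback has no bound either and needs a remaining-space check like the ones added in clnt_sperror.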
diff --git a/src/lib/rpc/clnt_simple.c b/src/lib/rpc/clnt_simple.c
index b3d2eb3..2f203d7 100644
--- a/src/lib/rpc/clnt_simple.c
+++ b/src/lib/rpc/clnt_simple.c
@@ -70,6 +70,8 @@ gssrpc_callrpc(host, prognum, versnum, procnum, inproc, in, outproc, out)
}
if (crp->oldhost == NULL) {
crp->oldhost = mem_alloc(256);
+ if (crp->oldhost == 0)
+ return 0;
crp->oldhost[0] = 0;
crp->socket = RPC_ANYSOCK;
}
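Review bot: `return 0` on a failed `mem_alloc` looks like it reports success, if this function returns an RPC status in which 0 is the success value (the return convention is outside the hunk). Returning a failure status, for example `return (int) RPC_SYSTEMERROR;`, would let callers see that no call was made. gssrpc_callrpc's body starts and ends outside the hunk.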
@@ -98,7 +100,8 @@ gssrpc_callrpc(host, prognum, versnum, procnum, inproc, in, outproc, out)
crp->valid = 1;
crp->oldprognum = prognum;
crp->oldversnum = versnum;
- (void) strcpy(crp->oldhost, host);
+ (void) strncpy(crp->oldhost, host, 255);
+ crp->oldhost[255] = '\0';
}
tottimeout.tv_sec = 25;
tottimeout.tv_usec = 0;
diff --git a/src/lib/rpc/clnt_tcp.c b/src/lib/rpc/clnt_tcp.c
index 4e10a48..f87da78 100644
--- a/src/lib/rpc/clnt_tcp.c
+++ b/src/lib/rpc/clnt_tcp.c
@@ -116,7 +116,7 @@ clnttcp_create(raddr, prog, vers, sockp, sendsz, recvsz)
unsigned int recvsz;
{
CLIENT *h;
- register struct ct_data *ct;
+ register struct ct_data *ct = 0;
struct timeval now;
struct rpc_msg call_msg;
diff --git a/src/lib/rpc/clnt_udp.c b/src/lib/rpc/clnt_udp.c
index 6046942..df3945a 100644
--- a/src/lib/rpc/clnt_udp.c
+++ b/src/lib/rpc/clnt_udp.c
@@ -117,7 +117,7 @@ clntudp_bufcreate(raddr, program, version, wait, sockp, sendsz, recvsz)
unsigned int recvsz;
{
CLIENT *cl;
- register struct cu_data *cu;
+ register struct cu_data *cu = 0;
struct timeval now;
struct rpc_msg call_msg;
diff --git a/src/lib/rpc/configure.in b/src/lib/rpc/configure.in
index f4b9f9e..a4e2cfd 100644
--- a/src/lib/rpc/configure.in
+++ b/src/lib/rpc/configure.in
@@ -49,6 +49,8 @@ AC_CHECK_SIZEOF(long)
SIZEOF_LONG=$ac_cv_sizeof_long
AC_SUBST(SIZEOF_LONG)
+AC_CHECK_FUNCS(strerror)
+
AC_MSG_CHECKING([return type of setrpcent])
AC_CACHE_VAL(k5_cv_type_setrpcent,
[AC_TRY_COMPILE([#include <netdb.h>
diff --git a/src/lib/rpc/get_myaddress.c b/src/lib/rpc/get_myaddress.c
index 4c9bf29..13bafa0 100644
--- a/src/lib/rpc/get_myaddress.c
+++ b/src/lib/rpc/get_myaddress.c
@@ -81,7 +81,7 @@ get_myaddress(addr)
struct sockaddr_in *addr;
{
int s;
- char buf[BUFSIZ];
+ char buf[256 * sizeof (struct ifconf)];
struct ifconf ifc;
struct ifreq ifreq, *ifr;
int len;
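Review bot: `256 * sizeof (struct ifconf)` sizes the buffer by the request header rather than by `struct ifreq`, the record type this function walks with `ifr`; the buffer is presumably handed to `SIOCGIFCONF` further down, outside the hunk. On platforms where `struct ifconf` is little more than a length and a pointer, the new array may even be smaller than the `BUFSIZ` it replaces, contrary to the ChangeLog's "Increase buffer size". `char buf[256 * sizeof (struct ifreq)];` gives room for 256 interface records, if that was the intent. The same expression defines `GIFCONF_BUFSIZE` in pmap_rmt.c and deserves the same change.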
diff --git a/src/lib/rpc/pmap_rmt.c b/src/lib/rpc/pmap_rmt.c
index 7cafe6e..dc9735d 100644
--- a/src/lib/rpc/pmap_rmt.c
+++ b/src/lib/rpc/pmap_rmt.c
@@ -165,6 +165,8 @@ xdr_rmtcallres(xdrs, crp)
* routines which only support udp/ip .
*/
+#define GIFCONF_BUFSIZE (256 * sizeof (struct ifconf))
+
static int
getbroadcastnets(addrs, sock, buf)
struct in_addr *addrs;
@@ -176,8 +178,9 @@ getbroadcastnets(addrs, sock, buf)
struct sockaddr_in *sin;
int n, i;
- ifc.ifc_len = UDPMSGSIZE;
+ ifc.ifc_len = GIFCONF_BUFSIZE;
ifc.ifc_buf = buf;
+ memset (buf, 0, GIFCONF_BUFSIZE);
if (ioctl(sock, SIOCGIFCONF, (char *)&ifc) < 0) {
perror("broadcast: ioctl (get interface configuration)");
return (0);
@@ -255,7 +258,11 @@ clnt_broadcast(prog, vers, proc, xargs, argsp, xresults, resultsp, eachresult)
struct rmtcallres r;
struct rpc_msg msg;
struct timeval t;
- char outbuf[MAX_BROADCAST_SIZE], inbuf[UDPMSGSIZE];
+ char outbuf[MAX_BROADCAST_SIZE];
+#ifndef MAX
+#define MAX(A,B) ((A)<(B)?(B):(A))
+#endif
+ char inbuf[MAX (UDPMSGSIZE, GIFCONF_BUFSIZE)];
/*
* initialization: create a socket, a broadcast address, and
diff --git a/src/lib/rpc/svc_auth_gssapi.c b/src/lib/rpc/svc_auth_gssapi.c
index 827596a..9d831ad 100644
--- a/src/lib/rpc/svc_auth_gssapi.c
+++ b/src/lib/rpc/svc_auth_gssapi.c
@@ -134,7 +134,6 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch)
svc_auth_gssapi_data *client_data;
int ret_flags, ret, i;
rpc_u_int32 seq_num;
- int flag;
PRINTF(("svcauth_gssapi: starting\n"));
@@ -307,8 +306,6 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch)
#endif
if (call_arg.version >= 3) {
- int len;
-
memset(&bindings, 0, sizeof(bindings));
bindings.application_data.length = 0;
bindings.initiator_addrtype = GSS_C_AF_INET;
@@ -551,7 +548,7 @@ enum auth_stat _svcauth_gssapi(rqst, msg, no_dispatch)
&call_arg)) {
PRINTF(("svcauth_gssapi: cannot decode args\n"));
LOG_MISCERR("protocol error in call arguments");
- xdr_free(xdr_authgssapi_init_arg, &call_arg);
+ gssrpc_xdr_free(xdr_authgssapi_init_arg, &call_arg);
ret = AUTH_BADCRED;
goto error;
}
@@ -657,7 +654,6 @@ static svc_auth_gssapi_data *create_client()
client_list *c;
svc_auth_gssapi_data *client_data;
static int client_key = 1;
- int ret;
PRINTF(("svcauth_gssapi: empty creds, creating\n"));
@@ -665,7 +661,7 @@ static svc_auth_gssapi_data *create_client()
if (client_data == NULL)
return NULL;
memset((char *) client_data, 0, sizeof(*client_data));
- L_PRINTF(2, ("create_client: new client_data = %#x\n", client_data));
+ L_PRINTF(2, ("create_client: new client_data = %p\n", client_data));
/* set up client data structure */
client_data->established = 0;
@@ -783,10 +779,9 @@ static void destroy_client(client_data)
OM_uint32 gssstat, minor_stat;
gss_buffer_desc out_buf;
client_list *c, *c2;
- int ret;
PRINTF(("destroy_client: destroying client_data\n"));
- L_PRINTF(2, ("destroy_client: client_data = %#x\n", client_data));
+ L_PRINTF(2, ("destroy_client: client_data = %p\n", client_data));
#ifdef DEBUG_GSSAPI
if (svc_debug_gssapi >= 3)
@@ -852,7 +847,7 @@ static void dump_db(msg)
c = clients;
while (c) {
client_data = c->client;
- L_PRINTF(3, ("\tclient_data = %#x, exp = %d\n",
+ L_PRINTF(3, ("\tclient_data = %p, exp = %d\n",
client_data, client_data->expiration));
c = c->next;
}
@@ -871,7 +866,7 @@ static void clean_client()
while (c) {
client_data = c->client;
- L_PRINTF(2, ("clean_client: client_data = %#x\n",
+ L_PRINTF(2, ("clean_client: client_data = %p\n",
client_data));
if (client_data->expiration < time(0)) {
@@ -884,7 +879,6 @@ static void clean_client()
}
}
-done:
PRINTF(("clean_client: done\n"));
}
diff --git a/src/lib/rpc/unit-test/ChangeLog b/src/lib/rpc/unit-test/ChangeLog
index 1c3d401..920304c 100644
--- a/src/lib/rpc/unit-test/ChangeLog
+++ b/src/lib/rpc/unit-test/ChangeLog
@@ -1,3 +1,22 @@
+2002-11-07 Tom Yu <tlyu@mit.edu>
+
+ * rpc_test.0/expire.exp (overlap): Add another call to
+ flush_server to make a race condition a little less likely. There
+ really should be better synchronization, as this test suite is
+ just full of race conditions waiting to happen.
+ [pullup from trunk]
+
+2000-06-21 Tom Yu <tlyu@mit.edu>
+
+ * server.c: Include gssrpc/pmap_clnt.h in order to get renaming of
+ pmap_unset(). From Nathan Neulinger.
+
+2000-06-08 Tom Yu <tlyu@mit.edu>
+
+ * lib/helpers.exp (kinit): Move "expect eof" into the commands
+ that send the prompt. Don't "expect eof" outside of the main
+ expect, as the main expect may have already read eof.
+
2000-02-15 Tom Yu <tlyu@mit.edu>
* server.c: Add code to set a signal handler for SIGHUP and a few
diff --git a/src/lib/rpc/unit-test/lib/helpers.exp b/src/lib/rpc/unit-test/lib/helpers.exp
index 3d7b167..c4b76aa 100644
--- a/src/lib/rpc/unit-test/lib/helpers.exp
+++ b/src/lib/rpc/unit-test/lib/helpers.exp
@@ -23,10 +23,10 @@ proc kinit {princ pass lifetime} {
spawn -noecho $kinit -5 -l $lifetime $princ
expect {
- -re "Password for $princ.*: " { send "$pass\n" }
+ -re "Password for $princ.*: " { send "$pass\n"; expect eof }
timeout { perror "Timeout waiting for kinit"; close }
+ eof
}
- expect { eof {} }
set ret [wait]
if {[lindex $ret $wait_error_index] == -1} {
@@ -117,7 +117,7 @@ proc wait_client {testname ccname id status} {
set env(KRB5CCNAME) FILE:/tmp/krb5cc_rpc_test_$ccname
if {[catch "exec $kdestroy -5"] != 0} {
- error "$testname: cannot destroy client $ccname ccache"
+ perror "$testname: cannot destroy client $ccname ccache"
}
unset env(KRB5CCNAME)
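Review bot: With `perror` in place of `error`, a failed `kdestroy` no longer stops `wait_client`, so the run continues while the credential cache at `/tmp/krb5cc_rpc_test_$ccname` presumably still exists. If that is the intent, a comment above the call would record it, for example `# perror rather than error: keep going, but the ccache may be left in /tmp`. Nothing visible here removes the leftover file in that branch. The body of wait_client starts and ends outside the hunk.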
diff --git a/src/lib/rpc/unit-test/rpc_test.0/expire.exp b/src/lib/rpc/unit-test/rpc_test.0/expire.exp
index 6f7aa93..5c33ffd 100644
--- a/src/lib/rpc/unit-test/rpc_test.0/expire.exp
+++ b/src/lib/rpc/unit-test/rpc_test.0/expire.exp
@@ -38,6 +38,8 @@ proc overlap {} {
eof_client expire 1 $client1_id 0
eof_client expire 2 $client2_id 0
eof_client expire 3 $client3_id 0
+
+ flush_server
}
overlap
diff --git a/src/lib/rpc/unit-test/server.c b/src/lib/rpc/unit-test/server.c
index 7270ea4..32f5de3 100644
--- a/src/lib/rpc/unit-test/server.c
+++ b/src/lib/rpc/unit-test/server.c
@@ -14,6 +14,7 @@ static char *rcsid = "$Header$";
#include <string.h>
#include <signal.h>
#include <gssrpc/rpc.h>
+#include <gssrpc/pmap_clnt.h>
#include <arpa/inet.h> /* inet_ntoa */
#include <gssapi/gssapi.h>
#include <gssapi/gssapi_generic.h>
diff --git a/src/lib/rpc/xdr.c b/src/lib/rpc/xdr.c
index df277fe..168aba1 100644
--- a/src/lib/rpc/xdr.c
+++ b/src/lib/rpc/xdr.c
@@ -623,7 +623,7 @@ xdr_string(xdrs, cpp, maxsize)
if (! xdr_u_int(xdrs, &size)) {
return (FALSE);
}
- if (size > maxsize) {
+ if (size >= maxsize) {
return (FALSE);
}
nodesize = size + 1;
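Review bot: Tightening the test to `size >= maxsize` also rejects a string whose length is exactly `maxsize`, which callers that pass the largest permitted length as `maxsize` may not expect. If the aim is to keep `nodesize = size + 1` from wrapping to zero, that can be checked directly while leaving the limit as it was: keep `if (size > maxsize)` and add `if (nodesize == 0) return (FALSE);` after the assignment. If the stricter limit is intended, a comment such as `/* maxsize now includes room for the terminating NUL */` would record the change in contract. This assumes `size` and `maxsize` are unsigned, which the hunk does not show; xdr_string's body starts and ends outside the hunk.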
diff --git a/src/lib/rpc/xdr_array.c b/src/lib/rpc/xdr_array.c
index 7c4c70e..9d2674e 100644
--- a/src/lib/rpc/xdr_array.c
+++ b/src/lib/rpc/xdr_array.c
@@ -75,7 +75,8 @@ xdr_array(xdrs, addrp, sizep, maxsize, elsize, elproc)
return (FALSE);
}
c = *sizep;
- if ((c > maxsize) && (xdrs->x_op != XDR_FREE)) {
+ if ((c > maxsize || c > LASTUNSIGNED / elsize)
+ && (xdrs->x_op != XDR_FREE)) {
return (FALSE);
}
nodesize = c * elsize;
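Review bot: The new bound `c > LASTUNSIGNED / elsize` divides by `elsize` without checking it, so a caller that passes an element size of zero now hits a division by zero. Writing the first line of the condition as `if ((c > maxsize || (elsize != 0 && c > LASTUNSIGNED / elsize))` avoids that. The whole check is still skipped when `xdrs->x_op == XDR_FREE`, so `nodesize = c * elsize` can still wrap on that path; whether the free path uses `nodesize` is not visible here. xdr_array's body starts and ends outside the hunk.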
diff --git a/src/lib/rpc/xdr_mem.c b/src/lib/rpc/xdr_mem.c
index d32b391..506bc75 100644
--- a/src/lib/rpc/xdr_mem.c
+++ b/src/lib/rpc/xdr_mem.c
@@ -47,6 +47,7 @@ static char sccsid[] = "@(#)xdr_mem.c 1.19 87/08/11 Copyr 1984 Sun Micro";
#include <gssrpc/xdr.h>
#include <netinet/in.h>
#include <stdio.h>
+#include <limits.h>
static bool_t xdrmem_getlong();
static bool_t xdrmem_putlong();
@@ -83,7 +84,7 @@ xdrmem_create(xdrs, addr, size, op)
xdrs->x_op = op;
xdrs->x_ops = &xdrmem_ops;
xdrs->x_private = xdrs->x_base = addr;
- xdrs->x_handy = size;
+ xdrs->x_handy = (size > INT_MAX) ? INT_MAX : size; /* XXX */
}
static void
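Review bot: The clamp to `INT_MAX` silently shortens the stream when `size` is larger, and `/* XXX */` does not say why; the caller gets no indication that part of its buffer has become unreachable. A comment on that line would help, for example `/* x_handy is signed: clamp so the bounds checks never see a negative count; larger buffers are truncated */`, assuming that is the reason, since the field's type is declared outside this hunk.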
@@ -98,8 +99,10 @@ xdrmem_getlong(xdrs, lp)
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*lp = (long)ntohl(*((rpc_u_int32 *)(xdrs->x_private)));
xdrs->x_private += sizeof(rpc_int32);
return (TRUE);
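Review bot: The new test `xdrs->x_handy < sizeof(rpc_int32)` compares against an unsigned value, so if `x_handy` is a signed `int` (as the `INT_MAX` clamp in xdrmem_create suggests) a negative count is converted to a very large one and passes the check. The old form, `(x_handy -= n) < 0`, did reject a negative count. The code is therefore safe only while nothing else can make `x_handy` negative, and the functions that might (for example a set-position routine) are outside these hunks. Stating the assumption in the test removes the dependency: `if (xdrs->x_handy < 0 || (unsigned int) xdrs->x_handy < sizeof(rpc_int32))`. The same applies to the xdrmem_putlong, xdrmem_getbytes and xdrmem_putbytes hunks, where the right-hand side is `sizeof(...)` or the `unsigned int len`.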
@@ -111,8 +114,10 @@ xdrmem_putlong(xdrs, lp)
long *lp;
{
- if ((xdrs->x_handy -= sizeof(rpc_int32)) < 0)
+ if (xdrs->x_handy < sizeof(rpc_int32))
return (FALSE);
+ else
+ xdrs->x_handy -= sizeof(rpc_int32);
*(rpc_int32 *)xdrs->x_private = (rpc_int32)htonl((rpc_u_int32)(*lp));
xdrs->x_private += sizeof(rpc_int32);
return (TRUE);
@@ -125,8 +130,10 @@ xdrmem_getbytes(xdrs, addr, len)
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(addr, xdrs->x_private, len);
xdrs->x_private += len;
return (TRUE);
@@ -139,8 +146,10 @@ xdrmem_putbytes(xdrs, addr, len)
register unsigned int len;
{
- if ((xdrs->x_handy -= len) < 0)
+ if (xdrs->x_handy < len)
return (FALSE);
+ else
+ xdrs->x_handy -= len;
memmove(xdrs->x_private, addr, len);
xdrs->x_private += len;
return (TRUE);
@@ -179,7 +188,7 @@ xdrmem_inline(xdrs, len)
{
rpc_int32 *buf = 0;
- if (xdrs->x_handy >= len) {
+ if (len >= 0 && xdrs->x_handy >= len) {
xdrs->x_handy -= len;
buf = (rpc_int32 *) xdrs->x_private;
xdrs->x_private += len;
diff --git a/src/lib/win_glue.c b/src/lib/win_glue.c
index ab3e1a1..6dc9e10 100644
--- a/src/lib/win_glue.c
+++ b/src/lib/win_glue.c
@@ -90,8 +90,13 @@ extern void krb5_stdcc_shutdown();
* arbitrary third party applications. If there is an error, or we
* decide that we should not version check the calling application
* then VSflag will be FALSE when the function returns.
+ *
+ * The buffers passed into this function must be at least
+ * APPVERINFO_SIZE bytes long.
*/
-
+
+#define APPVERINFO_SIZE 256
+
void GetCallingAppVerInfo( char *AppTitle, char *AppVer, char *AppIni,
BOOL *VSflag)
{
@@ -187,11 +192,15 @@ void GetCallingAppVerInfo( char *AppTitle, char *AppVer, char *AppIni,
* We don't have a way to determine that INI file of the
* application at the moment so let's just use krb5.ini
*/
- strcpy( locAppIni, KERBEROS_INI );
+ strncpy( locAppIni, KERBEROS_INI, sizeof(locAppIni) - 1 );
+ locAppIni[ sizeof(locAppIni) - 1 ] = '\0';
- strcpy( AppTitle, locAppTitle);
- strcpy( AppVer, locAppVer);
- strcpy( AppIni, locAppIni);
+ strncpy( AppTitle, locAppTitle, APPVERINFO_SIZE);
+ AppTitle[APPVERINFO_SIZE - 1] = '\0';
+ strncpy( AppVer, locAppVer, APPVERINFO_SIZE);
+ AppVer[APPVERINFO_SIZE - 1] = '\0';
+ strncpy( AppIni, locAppIni, APPVERINFO_SIZE);
+ AppIni[APPVERINFO_SIZE - 1] = '\0';
/*
* We also need to determine if we want to suppress version
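Review bot: `strncpy` always writes exactly `APPVERINFO_SIZE` bytes because it zero-pads, so these three copies now overrun any caller buffer shorter than 256 bytes, where the old `strcpy` wrote only the string and its terminator. The required size is a documented precondition only; krb5_vercheck is updated in this commit, but any other caller of GetCallingAppVerInfo needs the same change, and none is visible here. A comment at the copies would make the dependency explicit, for example `/* strncpy pads to APPVERINFO_SIZE: every destination must be at least that large */`. `locAppTitle` and `locAppVer` are declared outside the hunk, so their sizes and termination cannot be confirmed from here.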
@@ -271,9 +280,10 @@ static krb5_error_code do_timebomb()
if (first_time) {
sprintf(buf, "Your version of %s has expired.\n",
TIMEBOMB_PRODUCT);
- strcat(buf, "Please upgrade it.");
+ buf[sizeof(buf) - 1] = '\0';
+ strncat(buf, "Please upgrade it.", sizeof(buf) - 1 - strlen(buf));
#ifdef TIMEBOMB_INFO
- strcat(buf, TIMEBOMB_INFO);
+ strncat(buf, TIMEBOMB_INFO, sizeof(buf) - 1 - strlen(buf));
#endif
MessageBox(NULL, buf, "", MB_OK);
first_time = 0;
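Review bot: The first write into `buf` is still the unbounded `sprintf`, and the added `buf[sizeof(buf) - 1] = '\0';` runs after it, so it cannot prevent an overrun and only rewrites a terminator that `sprintf` already placed. Bounding the format call itself closes the gap, for example `_snprintf(buf, sizeof(buf) - 1, "Your version of %s has expired.\n", TIMEBOMB_PRODUCT);` followed by the existing terminator line, if the C runtime in use provides it. The `strncat` bounds are correct only if `buf` is a true array rather than a pointer; its declaration is outside the hunk. The next hunk (the "will expire in %ld days" message) has the same unbounded `sprintf` and lacks even the terminator line, so the two branches are also inconsistent.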
@@ -285,9 +295,9 @@ static krb5_error_code do_timebomb()
if (first_time) {
sprintf(buf, "Your version of %s will expire in %ld days.\n",
TIMEBOMB_PRODUCT, timeleft);
- strcat(buf, "Please upgrade it soon.");
+ strncat(buf, "Please upgrade it soon.", sizeof(buf) - 1 - strlen(buf));
#ifdef TIMEBOMB_INFO
- strcat(buf, TIMEBOMB_INFO);
+ strncat(buf, TIMEBOMB_INFO, sizeof(buf) - 1 - strlen(buf));
#endif
MessageBox(NULL, buf, "", MB_OK);
first_time = 0;
@@ -323,9 +333,9 @@ krb5_error_code krb5_vercheck()
if (CallVersionServer(APP_TITLE, APP_VER, APP_INI, NULL))
return VERSERV_ERROR;
#else
- char AppTitle[256];
- char AppVer[256];
- char AppIni[256];
+ char AppTitle[APPVERINFO_SIZE];
+ char AppVer[APPVERINFO_SIZE];
+ char AppIni[APPVERINFO_SIZE];
BOOL VSflag=TRUE;
GetCallingAppVerInfo( AppTitle, AppVer, AppIni, &VSflag);
diff --git a/src/mac/CFMGlue.pl b/src/mac/CFMGlue.pl
index f6386bb..cf6fb9c 100644
--- a/src/mac/CFMGlue.pl
+++ b/src/mac/CFMGlue.pl
@@ -1,5 +1,3 @@
-#!/usr/local/bin/perl -w
-
use strict; # Turn on careful syntax checking
use 5.002; # Require Perl 5.002 or later
diff --git a/src/mac/DylibStub.c b/src/mac/DylibStub.c
new file mode 100644
index 0000000..e1d3725
--- /dev/null
+++ b/src/mac/DylibStub.c
@@ -0,0 +1,5 @@
+/*
+ * This file here is because ProjectBuilder won't let me link a dylib without
+ * a .c file. Oddly enough, it doesn't need to contain any symbols...
+ */
+
diff --git a/src/mac/ErrorTables.jam b/src/mac/ErrorTables.jam
new file mode 100644
index 0000000..595056c
--- /dev/null
+++ b/src/mac/ErrorTables.jam
@@ -0,0 +1,120 @@
+#include "$(JAMBASE_DIR)/Jambase" ;
+include "/Developer/Makefiles/pbx_jamfiles/Jambase" ;
+
+SED = /usr/bin/sed ;
+AWK = /usr/bin/awk ;
+
+GSSKRB5_TEMP_DIR = "$(SYMROOT)/GSSKerberos5.intermediates" ;
+COMPILE_ET_SCRIPT = "$(GSSKRB5_TEMP_DIR)/compile_et" ;
+
+COMERR_DIR = "$(SRCROOT)/../util/et" ;
+COMPILE_ET_SH = "$(COMERR_DIR)/compile_et.sh" ;
+CONFIG_SCRIPT = "$(COMERR_DIR)/config_script" ;
+
+COMPILE_ET_SH_EXEC = "$(GSSKRB5_TEMP_DIR)/compile_et.sh" ;
+CONFIG_SCRIPT_EXEC = "$(GSSKRB5_TEMP_DIR)/config_script" ;
+
+PROFILE_DIR = "$(SRCROOT)/../util/profile" ;
+ERROR_TABLES_DIR = "$(SRCROOT)/../lib/krb5/error_tables" ;
+GSS_GENERIC_DIR = "$(SRCROOT)/../lib/gssapi/generic" ;
+GSS_KRB5_DIR = "$(SRCROOT)/../lib/gssapi/krb5" ;
+
+# We need these error tables to install and to build the public headers (ie: krb5.h)
+DEPENDS install : all ;
+DEPENDS installhdrs : all ;
+
+# The list of error tables we need to generate to build:
+DEPENDS all : "$(GSSKRB5_TEMP_DIR)"
+ "$(GSSKRB5_TEMP_DIR)/prof_err.c"
+ "$(GSSKRB5_TEMP_DIR)/prof_err.h"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.c"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.h"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.c"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.h" ;
+
+# The header files and scripts we need to remove
+Clean.Remove clean : "$(GSSKRB5_TEMP_DIR)/prof_err.c"
+ "$(GSSKRB5_TEMP_DIR)/prof_err.h"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.c"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.h"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.c"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.h"
+ "$(COMPILE_ET_SCRIPT)" ;
+
+# JAM Rules:
+
+rule CompileEt
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ DEPENDS "$(1)" : "$(COMPILE_ET_SCRIPT)" ;
+}
+
+actions CompileEt
+{
+ ( cd "$(1[1]:D)" && "$(COMPILE_ET_SCRIPT)" "$(2)" ) ;
+}
+
+rule GenerateCompileEt
+{
+ DEPENDS "$(1)" : "$(2[1]:D)/et_c.awk" "$(2[1]:D)/et_h.awk" ;
+ Cp "$(2[1]:D)/et_c.awk" : "$(COMERR_DIR)/et_c.awk" ;
+ Cp "$(2[1]:D)/et_h.awk" : "$(COMERR_DIR)/et_h.awk" ;
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions GenerateCompileEt
+{
+ chmod 755 "$(2)" ;
+ "$(2)" "$(AWK)" "$(SED)" > "$(1)";
+ chmod 755 "$(1)" ;
+}
+
+# Rule to make the temporary directory
+Mkdir "$(GSSKRB5_TEMP_DIR)" ;
+
+# Copy the scripts to temp space so we can make them +x
+Cp "$(CONFIG_SCRIPT_EXEC)" : "$(CONFIG_SCRIPT)" ;
+Cp "$(COMPILE_ET_SH_EXEC)" : "$(COMPILE_ET_SH)" ;
+
+# Rule to generate compile_et, which builds the scripts
+GenerateCompileEt "$(COMPILE_ET_SCRIPT)" : "$(CONFIG_SCRIPT_EXEC)" "$(COMPILE_ET_SH_EXEC)" ;
+
+# Rules to generate the error tables
+CompileEt "$(GSSKRB5_TEMP_DIR)/prof_err.c"
+ "$(GSSKRB5_TEMP_DIR)/prof_err.h" : "$(PROFILE_DIR)/prof_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/adm_err.c"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.h" : "$(ERROR_TABLES_DIR)/adm_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/asn1_err.c"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h" : "$(ERROR_TABLES_DIR)/asn1_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/kdb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h" : "$(ERROR_TABLES_DIR)/kdb5_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/krb5_err.c"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h" : "$(ERROR_TABLES_DIR)/krb5_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/kv5m_err.c"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h" : "$(ERROR_TABLES_DIR)/kv5m_err.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_generic.h" : "$(GSS_GENERIC_DIR)/gssapi_err_generic.et" ;
+CompileEt "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.c"
+ "$(GSSKRB5_TEMP_DIR)/gssapi_err_krb5.h" : "$(GSS_KRB5_DIR)/gssapi_err_krb5.et" ;
+
+
diff --git a/src/mac/GSS.CFM.c b/src/mac/GSS.CFM.c
index 985ccd2..c35134b 100644
--- a/src/mac/GSS.CFM.c
+++ b/src/mac/GSS.CFM.c
@@ -16,32 +16,43 @@
* without express or implied warranty.
*/
-
-#include <CodeFragments.h>
-
#include "gss_libinit.h"
+#if TARGET_RT_MAC_CFM
+#include <CodeFragments.h>
+
OSErr __initializeGSS(CFragInitBlockPtr ibp);
void __terminateGSS(void);
OSErr __initializeGSS(CFragInitBlockPtr ibp)
{
OSErr err = noErr;
-
+
/* Do normal init of the shared library */
err = __initialize();
-
+#else
+#define noErr 0
+void __initializeGSS(void);
+void __initializeGSS(void)
+{
+ int err = noErr;
+#endif
+
/* Initialize the error tables */
if (err == noErr) {
err = gssint_initialize_library ();
}
-
+
+#if TARGET_RT_MAC_CFM
return err;
+#endif
}
+#if TARGET_RT_MAC_CFM
void __terminateGSS(void)
{
gssint_cleanup_library ();
__terminate();
}
+#endif
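Review bot: In the non-CFM branch `__initializeGSS` is declared `void`, so the result of `gssint_initialize_library ()` is stored in `err` and then dropped. A failure to set up the error tables is neither returned nor reported. If the loader offers no way to fail here, a comment should say so, for example `/* non-CFM: no way to report failure to the loader; err is intentionally ignored */`; otherwise the error should at least be logged. Splitting the function header and opening brace across `#if TARGET_RT_MAC_CFM` / `#else` makes the body hard to follow, and two separate small functions sharing a helper would read more clearly. `#define noErr 0` in the `#else` branch will also clash if any included header defines `noErr` on that platform, which cannot be checked from this hunk.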
diff --git a/src/mac/GSS.h b/src/mac/GSS.h
new file mode 100644
index 0000000..eb1f7c0
--- /dev/null
+++ b/src/mac/GSS.h
@@ -0,0 +1,7 @@
+#ifndef GSS_H_
+#define GSS_H_
+
+#include <GSS/gssapi.h>
+#include <GSS/gssapi_krb5.h>
+
+#endif /* GSS_H_ */
diff --git a/src/mac/GSSKerberos5.pbproj/project.pbxproj b/src/mac/GSSKerberos5.pbproj/project.pbxproj
new file mode 100644
index 0000000..96eb067
--- /dev/null
+++ b/src/mac/GSSKerberos5.pbproj/project.pbxproj
@@ -0,0 +1,9269 @@
+// !$*UTF8*$!
+{
+ archiveVersion = 1;
+ classes = {
+ };
+ objectVersion = 34;
+ objects = {
+ 00CC63ED00975A877F000001 = {
+ isa = PBXFileReference;
+ name = adm_err.c;
+ path = GSSKerberos5.intermediates/adm_err.c;
+ refType = 3;
+ };
+ 00CC63EE00975A877F000001 = {
+ isa = PBXFileReference;
+ name = adm_err.h;
+ path = GSSKerberos5.intermediates/adm_err.h;
+ refType = 3;
+ };
+ 00CC63EF00975A877F000001 = {
+ isa = PBXFileReference;
+ name = asn1_err.c;
+ path = GSSKerberos5.intermediates/asn1_err.c;
+ refType = 3;
+ };
+ 00CC63F000975A877F000001 = {
+ isa = PBXFileReference;
+ name = asn1_err.h;
+ path = GSSKerberos5.intermediates/asn1_err.h;
+ refType = 3;
+ };
+ 00CC63F100975A877F000001 = {
+ isa = PBXFileReference;
+ name = autoconf.h;
+ path = GSSKerberos5.intermediates/autoconf.h;
+ refType = 3;
+ };
+ 00CC63F200975A877F000001 = {
+ isa = PBXExecutableFileReference;
+ name = compile_et;
+ path = GSSKerberos5.intermediates/compile_et;
+ refType = 3;
+ };
+ 00CC63F300975A877F000001 = {
+ isa = PBXFileReference;
+ name = GSS.h;
+ path = GSSKerberos5.intermediates/GSS.h;
+ refType = 3;
+ };
+ 00CC63F400975A877F000001 = {
+ isa = PBXFileReference;
+ name = gssapi_err_generic.c;
+ path = GSSKerberos5.intermediates/gssapi_err_generic.c;
+ refType = 3;
+ };
+ 00CC63F500975A877F000001 = {
+ isa = PBXFileReference;
+ name = gssapi_err_generic.h;
+ path = GSSKerberos5.intermediates/gssapi_err_generic.h;
+ refType = 3;
+ };
+ 00CC63F600975A877F000001 = {
+ isa = PBXFileReference;
+ name = gssapi_err_krb5.c;
+ path = GSSKerberos5.intermediates/gssapi_err_krb5.c;
+ refType = 3;
+ };
+ 00CC63F700975A877F000001 = {
+ isa = PBXFileReference;
+ name = gssapi_err_krb5.h;
+ path = GSSKerberos5.intermediates/gssapi_err_krb5.h;
+ refType = 3;
+ };
+ 00CC63F800975A877F000001 = {
+ isa = PBXFileReference;
+ name = gssapi.h;
+ path = GSSKerberos5.intermediates/gssapi.h;
+ refType = 3;
+ };
+ 00CC63F900975A877F000001 = {
+ isa = PBXFileReference;
+ name = kdb5_err.c;
+ path = GSSKerberos5.intermediates/kdb5_err.c;
+ refType = 3;
+ };
+ 00CC63FA00975A877F000001 = {
+ isa = PBXFileReference;
+ name = kdb5_err.h;
+ path = GSSKerberos5.intermediates/kdb5_err.h;
+ refType = 3;
+ };
+ 00CC63FB00975A877F000001 = {
+ isa = PBXFileReference;
+ name = Kerberos5.h;
+ path = GSSKerberos5.intermediates/Kerberos5.h;
+ refType = 3;
+ };
+ 00CC63FD00975A877F000001 = {
+ isa = PBXFileReference;
+ name = KerberosProfile.h;
+ path = GSSKerberos5.intermediates/KerberosProfile.h;
+ refType = 3;
+ };
+ 00CC63FE00975A877F000001 = {
+ isa = PBXFileReference;
+ name = krb5_err.c;
+ path = GSSKerberos5.intermediates/krb5_err.c;
+ refType = 3;
+ };
+ 00CC63FF00975A877F000001 = {
+ isa = PBXFileReference;
+ name = krb5_err.h;
+ path = GSSKerberos5.intermediates/krb5_err.h;
+ refType = 3;
+ };
+ 00CC640000975A877F000001 = {
+ isa = PBXFileReference;
+ name = krb5.h;
+ path = GSSKerberos5.intermediates/krb5.h;
+ refType = 3;
+ };
+ 00CC640100975A877F000001 = {
+ isa = PBXFileReference;
+ name = kv5m_err.c;
+ path = GSSKerberos5.intermediates/kv5m_err.c;
+ refType = 3;
+ };
+ 00CC640200975A877F000001 = {
+ isa = PBXFileReference;
+ name = kv5m_err.h;
+ path = GSSKerberos5.intermediates/kv5m_err.h;
+ refType = 3;
+ };
+ 00CC640300975A877F000001 = {
+ isa = PBXFileReference;
+ name = prof_err.c;
+ path = GSSKerberos5.intermediates/prof_err.c;
+ refType = 3;
+ };
+ 00CC640400975A877F000001 = {
+ isa = PBXFileReference;
+ name = prof_err.h;
+ path = GSSKerberos5.intermediates/prof_err.h;
+ refType = 3;
+ };
+ 00CC640500975A877F000001 = {
+ isa = PBXFileReference;
+ name = profile.h;
+ path = GSSKerberos5.intermediates/profile.h;
+ refType = 3;
+ };
+ 00CC641F00975C167F000001 = {
+ isa = PBXFileReference;
+ name = autoconf.h;
+ path = GSSKerberos5.intermediates/autoconf.h;
+ refType = 3;
+ };
+ 00CC642300975C167F000001 = {
+ fileRef = 00CC640300975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC642C00975C167F000001 = {
+ fileRef = 00CC63F900975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC642D00975C167F000001 = {
+ fileRef = 00CC63FE00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC642E00975C167F000001 = {
+ fileRef = 00CC640100975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC642F00975C167F000001 = {
+ fileRef = 00CC63ED00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC643000975C167F000001 = {
+ fileRef = 00CC63EF00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC643600975C167F000001 = {
+ fileRef = 00CC63F600975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC643700975C167F000001 = {
+ fileRef = 00CC63F400975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CC643800975EFF7F000001 = {
+ isa = PBXFileReference;
+ name = KerberosComErr.h;
+ path = GSSKerberos5.intermediates/KerberosComErr.h;
+ refType = 3;
+ };
+ 00CFB46AFF6D81A212120111 = {
+ isa = PBXFileReference;
+ path = krb5_libinit.c;
+ refType = 4;
+ };
+ 00CFB46BFF6D81A212120111 = {
+ isa = PBXFileReference;
+ path = krb5_libinit.h;
+ refType = 4;
+ };
+ 00CFB46CFF6D81A212120111 = {
+ fileRef = 00CFB46BFF6D81A212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CFB46DFF6D81A212120111 = {
+ fileRef = 00CFB46AFF6D81A212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 00CFB46EFF6D85D612120111 = {
+ isa = PBXFileReference;
+ path = util_canonhost.c;
+ refType = 4;
+ };
+ 00CFB46FFF6D85D612120111 = {
+ fileRef = 00CFB46EFF6D85D612120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 00CFB470FF6D8BB312120111 = {
+ isa = PBXFileReference;
+ name = "port-sockets.h";
+ path = "../include/port-sockets.h";
+ refType = 2;
+ };
+ 00CFB471FF6D8BB412120111 = {
+ fileRef = 00CFB470FF6D8BB312120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CFB472FF6EA33F12120111 = {
+ children = (
+ 00CFB473FF6EA33F12120111,
+ 00CFB474FF6EA33F12120111,
+ 00CFB475FF6EA33F12120111,
+ 00CFB476FF6EA33F12120111,
+ );
+ isa = PBXGroup;
+ path = ccapi;
+ refType = 4;
+ };
+ 00CFB473FF6EA33F12120111 = {
+ isa = PBXFileReference;
+ path = stdcc.c;
+ refType = 4;
+ };
+ 00CFB474FF6EA33F12120111 = {
+ isa = PBXFileReference;
+ path = stdcc.h;
+ refType = 4;
+ };
+ 00CFB475FF6EA33F12120111 = {
+ isa = PBXFileReference;
+ path = stdcc_util.c;
+ refType = 4;
+ };
+ 00CFB476FF6EA33F12120111 = {
+ isa = PBXFileReference;
+ path = stdcc_util.h;
+ refType = 4;
+ };
+ 00CFB477FF6EA33F12120111 = {
+ fileRef = 00CFB474FF6EA33F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CFB478FF6EA33F12120111 = {
+ fileRef = 00CFB476FF6EA33F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00CFB479FF6EA33F12120111 = {
+ fileRef = 00CFB473FF6EA33F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 00CFB47AFF6EA33F12120111 = {
+ fileRef = 00CFB475FF6EA33F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 00CFB47BFF6EA3C312120111 = {
+ isa = PBXFrameworkReference;
+ path = CredentialsCache.framework;
+ refType = 3;
+ };
+ 00CFB47CFF6EA3C312120111 = {
+ fileRef = 00CFB47BFF6EA3C312120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F189640074D4357F000001 = {
+ children = (
+ 00F1896B0074D48F7F000001,
+ 00F189650074D4357F000001,
+ 00F189850074D7B97F000001,
+ 00F189700074D6497F000001,
+ 00F189860074D7B97F000001,
+ 00F189710074D6497F000001,
+ 00F189870074D7B97F000001,
+ 00F189720074D6497F000001,
+ 00F1896E0074D52F7F000001,
+ );
+ isa = PBXGroup;
+ name = clients;
+ path = "";
+ refType = 2;
+ };
+ 00F189650074D4357F000001 = {
+ isa = PBXExecutableFileReference;
+ path = kinit;
+ refType = 3;
+ };
+ 00F189660074D4357F000001 = {
+ buildPhases = (
+ 00F189670074D4357F000001,
+ 00F189680074D4357F000001,
+ 00F189690074D4357F000001,
+ 00F1896A0074D4357F000001,
+ );
+ buildSettings = {
+ HEADER_SEARCH_PATHS = "";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /usr/bin;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTARGET_HEADER_FRAMEWORK -DKRB5_KRB4_COMPAT -DKINIT_DEFAULT_BOTH";
+ OTHER_LDFLAGS = "-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr -dylib_file 
/System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat 
-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = kinit;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXToolTarget;
+ name = kinit;
+ productInstallPath = /usr/bin;
+ productName = kinit;
+ productReference = 00F189650074D4357F000001;
+ shouldUseHeadermap = 0;
+ };
+ 00F189670074D4357F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F189680074D4357F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F1896C0074D4907F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F189690074D4357F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691701E9E5C20123322A,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F1896A0074D4357F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F1896B0074D48F7F000001 = {
+ isa = PBXFileReference;
+ path = kinit.c;
+ refType = 2;
+ };
+ 00F1896C0074D4907F000001 = {
+ fileRef = 00F1896B0074D48F7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F1896E0074D52F7F000001 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos.framework;
+ refType = 3;
+ };
+ 00F189700074D6497F000001 = {
+ isa = PBXExecutableFileReference;
+ path = klist;
+ refType = 3;
+ };
+ 00F189710074D6497F000001 = {
+ isa = PBXExecutableFileReference;
+ path = kpasswd;
+ refType = 3;
+ };
+ 00F189720074D6497F000001 = {
+ isa = PBXExecutableFileReference;
+ path = kdestroy;
+ refType = 3;
+ };
+ 00F189730074D6497F000001 = {
+ buildPhases = (
+ 00F189740074D6497F000001,
+ 00F189750074D6497F000001,
+ 00F189760074D6497F000001,
+ 00F189770074D6497F000001,
+ );
+ buildSettings = {
+ HEADER_SEARCH_PATHS = "";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /usr/bin;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTARGET_HEADER_FRAMEWORK -DKRB5_KRB4_COMPAT";
+ OTHER_LDFLAGS = "-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr -dylib_file 
/System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat 
-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = klist;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXToolTarget;
+ name = klist;
+ productInstallPath = /usr/bin;
+ productName = klist;
+ productReference = 00F189700074D6497F000001;
+ shouldUseHeadermap = 0;
+ };
+ 00F189740074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F189750074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F189880074D7B97F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F189760074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F189890074D7B97F000001,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F189770074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F189780074D6497F000001 = {
+ buildPhases = (
+ 00F189790074D6497F000001,
+ 00F1897A0074D6497F000001,
+ 00F1897B0074D6497F000001,
+ 00F1897C0074D6497F000001,
+ );
+ buildSettings = {
+ HEADER_SEARCH_PATHS = "";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /usr/bin;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTARGET_HEADER_FRAMEWORK";
+ OTHER_LDFLAGS = "-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr -dylib_file 
/System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat 
-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = kpasswd;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXToolTarget;
+ name = kpasswd;
+ productInstallPath = /usr/bin;
+ productName = kpasswd;
+ productReference = 00F189710074D6497F000001;
+ shouldUseHeadermap = 0;
+ };
+ 00F189790074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F1897A0074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F1898A0074D7B97F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F1897B0074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F1898B0074D7B97F000001,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F1897C0074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F1897D0074D6497F000001 = {
+ buildPhases = (
+ 00F1897E0074D6497F000001,
+ 00F1897F0074D6497F000001,
+ 00F189800074D6497F000001,
+ 00F189810074D6497F000001,
+ );
+ buildSettings = {
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /usr/bin;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTARGET_HEADER_FRAMEWORK -DKRB5_KRB4_COMPAT -DUSE_CCAPI";
+ OTHER_LDFLAGS = "-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosSupport.framework/Versions/A/KerberosSupport -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosPreferences.framework/Versions/A/KerberosPreferences -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosDES.framework/Versions/A/KerberosDES -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/CredentialsCache.framework/Versions/A/CredentialsCache -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginPrivate.framework/Versions/A/KerberosLoginPrivate -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLoginCore.framework/Versions/A/KerberosLoginCore -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosLogin.framework/Versions/A/KerberosLogin -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosComErr.framework/Versions/A/KerberosComErr -dylib_file 
/System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosProfile.framework/Versions/A/KerberosProfile -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Private.framework/Versions/A/Kerberos5Private -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5Core.framework/Versions/A/Kerberos5Core -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos5.framework/Versions/A/Kerberos5 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/GSS.framework/Versions/A/GSS -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/Kerberos4.framework/Versions/A/Kerberos4 -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KerberosWrappers.framework/Versions/A/KerberosWrappers -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClient.framework/Versions/A/KClient -dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientCompat.framework/Versions/A/KClientCompat 
-dylib_file /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated:$(SYMROOT)/Kerberos.framework/Versions/A/Frameworks/KClientDeprecated.framework/Versions/A/KClientDeprecated";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = kdestroy;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXToolTarget;
+ name = kdestroy;
+ productInstallPath = /usr/bin;
+ productName = kdestroy;
+ productReference = 00F189720074D6497F000001;
+ shouldUseHeadermap = 0;
+ };
+ 00F1897E0074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F1897F0074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F1898C0074D7B97F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F189800074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ 00F1898D0074D7B97F000001,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F189810074D6497F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F189850074D7B97F000001 = {
+ isa = PBXFileReference;
+ path = klist.c;
+ refType = 4;
+ };
+ 00F189860074D7B97F000001 = {
+ isa = PBXFileReference;
+ path = kpasswd.c;
+ refType = 4;
+ };
+ 00F189870074D7B97F000001 = {
+ isa = PBXFileReference;
+ path = kdestroy.c;
+ refType = 4;
+ };
+ 00F189880074D7B97F000001 = {
+ fileRef = 00F189850074D7B97F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F189890074D7B97F000001 = {
+ fileRef = 00F1896E0074D52F7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F1898A0074D7B97F000001 = {
+ fileRef = 00F189860074D7B97F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F1898B0074D7B97F000001 = {
+ fileRef = 00F1896E0074D52F7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F1898C0074D7B97F000001 = {
+ fileRef = 00F189870074D7B97F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F1898D0074D7B97F000001 = {
+ fileRef = 00F1896E0074D52F7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F24292FFB75B2612120156 = {
+ isa = PBXLibraryReference;
+ path = libkrb5.dylib;
+ refType = 3;
+ };
+ 00F24293FFB75B2612120156 = {
+ buildPhases = (
+ 00F24294FFB75B2612120156,
+ 00F24295FFB75B2612120156,
+ 00F24296FFB75B2612120156,
+ 00F24297FFB75B2612120156,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 4;
+ DYLIB_CURRENT_VERSION = 4;
+ FRAMEWORK_SEARCH_PATHS = "";
+ INSTALL_PATH = /usr/lib;
+ LIBRARY_STYLE = DYNAMIC;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_BUILD_FAILURE";
+ OTHER_LDFLAGS = "-sub_umbrella Kerberos5 -sub_umbrella KerberosProfile -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = libkrb5.dylib;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXLibraryTarget;
+ name = libkrb5;
+ productInstallPath = /usr/lib;
+ productName = libkrb5.dylib;
+ productReference = 00F24292FFB75B2612120156;
+ shouldUseHeadermap = 0;
+ };
+ 00F24294FFB75B2612120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F24295FFB75B2612120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691001E9E46A0123322A,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F24296FFB75B2612120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691301E9E53B0123322A,
+ F529691401E9E53B0123322A,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F24297FFB75B2612120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F24299FFB75CD112120156 = {
+ children = (
+ F5438CB5017E478201D06BDA,
+ F5438CB6017E478201D06BDA,
+ 00F24292FFB75B2612120156,
+ F5438CB7017E478201D06BDA,
+ F5438CB8017E478201D06BDA,
+ 00F2429DFFB75F1512120156,
+ F5438CB9017E478201D06BDA,
+ F5438CBA017E478201D06BDA,
+ 00F242A4FFB75FA712120156,
+ F5438CBB017E478201D06BDA,
+ F5438CBC017E478201D06BDA,
+ 00F242ACFFB760BC12120156,
+ F5438CC8017E47A601D06BDA,
+ F529690D01E9E46A0123322A,
+ );
+ isa = PBXGroup;
+ name = Dylibs;
+ refType = 4;
+ };
+ 00F2429DFFB75F1512120156 = {
+ isa = PBXLibraryReference;
+ path = libk5crypto.dylib;
+ refType = 3;
+ };
+ 00F2429EFFB75F1512120156 = {
+ buildPhases = (
+ 00F2429FFFB75F1512120156,
+ 00F242A0FFB75F1512120156,
+ 00F242A2FFB75F1512120156,
+ 00F242A3FFB75F1512120156,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 4;
+ DYLIB_CURRENT_VERSION = 4;
+ FRAMEWORK_SEARCH_PATHS = "";
+ INSTALL_PATH = /usr/lib;
+ LIBRARY_STYLE = DYNAMIC;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_DOUBLE_QUOTES_OF_DOOM";
+ OTHER_LDFLAGS = "-seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = libk5crypto.dylib;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXLibraryTarget;
+ name = libk5crypto;
+ productInstallPath = /usr/lib;
+ productName = libk5crypto.dylib;
+ productReference = 00F2429DFFB75F1512120156;
+ shouldUseHeadermap = 0;
+ };
+ 00F2429FFFB75F1512120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F242A0FFB75F1512120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529690E01E9E46A0123322A,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F242A2FFB75F1512120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F242A3FFB75F1512120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F242A4FFB75FA712120156 = {
+ isa = PBXLibraryReference;
+ path = libcom_err.dylib;
+ refType = 3;
+ };
+ 00F242A5FFB75FA712120156 = {
+ buildPhases = (
+ 00F242A6FFB75FA712120156,
+ 00F242A7FFB75FA712120156,
+ 00F242A9FFB75FA712120156,
+ 00F242ABFFB75FA712120156,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 4;
+ DYLIB_CURRENT_VERSION = 4;
+ FRAMEWORK_SEARCH_PATHS = "";
+ INSTALL_PATH = /usr/lib;
+ LIBRARY_STYLE = DYNAMIC;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_BUILD_FAILURE";
+ OTHER_LDFLAGS = "-sub_umbrella KerberosComErr -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = libcom_err.dylib;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXLibraryTarget;
+ name = libcom_err;
+ productInstallPath = /usr/lib;
+ productName = libcom_err.dylib;
+ productReference = 00F242A4FFB75FA712120156;
+ shouldUseHeadermap = 0;
+ };
+ 00F242A6FFB75FA712120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F242A7FFB75FA712120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529690F01E9E46A0123322A,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F242A9FFB75FA712120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691201E9E5130123322A,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F242ABFFB75FA712120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F242ACFFB760BC12120156 = {
+ isa = PBXLibraryReference;
+ path = libgssapi_krb5.dylib;
+ refType = 3;
+ };
+ 00F242ADFFB760BC12120156 = {
+ buildPhases = (
+ 00F242AEFFB760BC12120156,
+ 00F242AFFFB760BC12120156,
+ 00F242B1FFB760BC12120156,
+ 00F242B3FFB760BC12120156,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 4;
+ DYLIB_CURRENT_VERSION = 4;
+ FRAMEWORK_SEARCH_PATHS = "";
+ INSTALL_PATH = /usr/lib;
+ LIBRARY_STYLE = DYNAMIC;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_BUILD_FAILURE";
+ OTHER_LDFLAGS = "-sub_umbrella GSS -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = libgssapi_krb5.dylib;
+ REZ_EXECUTABLE = YES;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ );
+ isa = PBXLibraryTarget;
+ name = libgssapi_krb5;
+ productInstallPath = /usr/lib;
+ productName = libgssapi_krb5.dylib;
+ productReference = 00F242ACFFB760BC12120156;
+ shouldUseHeadermap = 0;
+ };
+ 00F242AEFFB760BC12120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 00F242AFFFB760BC12120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691101E9E46A0123322A,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 00F242B1FFB760BC12120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529691501E9E5530123322A,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 00F242B3FFB760BC12120156 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 00F516F500692E197F000001 = {
+ isa = PBXFileReference;
+ path = gssapiP_generic.h;
+ refType = 4;
+ };
+ 00F516F600692E197F000001 = {
+ fileRef = 00F516F500692E197F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 00F89AD20046F2B47F000001 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+ 00F89AD30046F2EC7F000001 = {
+ isa = PBXTargetDependency;
+ target = 174475CBFF5EEEE312120111;
+ };
+ 00F89AD50046F2EC7F000001 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+//000
+//001
+//002
+//003
+//004
+//010
+//011
+//012
+//013
+//014
+ 0101EC5DFF8FDD1B7F000001 = {
+ isa = PBXFileReference;
+ path = ErrorTables.jam;
+ refType = 4;
+ };
+ 0101EC5EFF8FE67C7F000001 = {
+ isa = PBXFileReference;
+ path = HeaderFiles.jam;
+ refType = 4;
+ };
+ 0106E994003C39D77F000001 = {
+ isa = PBXFileReference;
+ path = profile.hin;
+ refType = 4;
+ };
+ 0106E999003C5FB27F000001 = {
+ isa = PBXFileReference;
+ name = krb5.hin;
+ path = ../include/krb5.hin;
+ refType = 2;
+ };
+ 0106E99A003C767A7F000001 = {
+ isa = PBXFrameworkReference;
+ path = KerberosSupport.framework;
+ refType = 3;
+ };
+ 0106E99B003C767A7F000001 = {
+ fileRef = 0106E99A003C767A7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 0106E99C003C77187F000001 = {
+ isa = PBXFileReference;
+ path = gssapi.hin;
+ refType = 4;
+ };
+ 0106E99D003C7A057F000001 = {
+ isa = PBXFrameworkReference;
+ path = CredentialsCache.framework;
+ refType = 3;
+ };
+ 0106E99E003C7A057F000001 = {
+ isa = PBXFrameworkReference;
+ path = KerberosSupport.framework;
+ refType = 3;
+ };
+ 0106E99F003C7A057F000001 = {
+ fileRef = 0106E99D003C7A057F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 0106E9A0003C7A057F000001 = {
+ fileRef = 0106E99E003C7A057F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 0106E9A1003C7A5A7F000001 = {
+ isa = PBXFrameworkReference;
+ path = KerberosPreferences.framework;
+ refType = 3;
+ };
+ 0106E9A2003C7A5A7F000001 = {
+ fileRef = 0106E9A1003C7A5A7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 012574A5FF7A9C8212120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosComErr.framework;
+ refType = 3;
+ };
+ 012574A6FF7A9C8212120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosProfile.framework;
+ refType = 3;
+ };
+ 012574A7FF7A9C8212120111 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos5Core.framework;
+ refType = 3;
+ };
+ 012574A8FF7A9C8212120111 = {
+ isa = PBXFrameworkReference;
+ path = GSS.framework;
+ refType = 3;
+ };
+ 0156F76F002F5A1112120114 = {
+ buildRules = (
+ );
+ buildSettings = {
+ COPY_PHASE_STRIP = NO;
+ OPTIMIZATION_CFLAGS = "-O0";
+ };
+ isa = PBXBuildStyle;
+ name = Development;
+ };
+ 0156F770002F5A1112120114 = {
+ buildRules = (
+ );
+ buildSettings = {
+ COPY_PHASE_STRIP = YES;
+ };
+ isa = PBXBuildStyle;
+ name = Deployment;
+ };
+ 017B1C7C00F26FAD7F000001 = {
+ fileRef = 0F801490FF9A7E5D126500C7;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 017F047100FA63557F000001 = {
+ isa = PBXFrameworkReference;
+ name = CoreServices.framework;
+ path = /System/Library/Frameworks/CoreServices.framework;
+ refType = 0;
+ };
+ 017F047200FA63557F000001 = {
+ fileRef = 017F047100FA63557F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 017F047300FA63557F000001 = {
+ fileRef = 017F047100FA63557F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+//010
+//011
+//012
+//013
+//014
+//0A0
+//0A1
+//0A2
+//0A3
+//0A4
+ 0A53389B00C407D37F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ generatedFileNames = (
+ );
+ isa = PBXShellScriptBuildPhase;
+ name = "Shell Script";
+ neededFileNames = (
+ );
+ shellPath = /bin/sh;
+ shellScript = "ln -sf Versions/Current/Headers \"${SYMROOT}/KerberosComErr.${WRAPPER_EXTENSION}/Headers\"";
+ };
+ 0A53389C00C414E17F000001 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ generatedFileNames = (
+ );
+ isa = PBXShellScriptBuildPhase;
+ name = "Shell Script";
+ neededFileNames = (
+ );
+ shellPath = /bin/sh;
+ shellScript = "ln -sf \"Versions/Current/Headers\" \"${SYMROOT}/KerberosProfile.${WRAPPER_EXTENSION}\"";
+ };
+//0A0
+//0A1
+//0A2
+//0A3
+//0A4
+//0F0
+//0F1
+//0F2
+//0F3
+//0F4
+ 0F80148EFF9A7E33126500C7 = {
+ isa = PBXFrameworkReference;
+ name = CoreServices.framework;
+ path = /System/Library/Frameworks/CoreServices.framework;
+ refType = 0;
+ };
+ 0F80148FFF9A7E33126500C7 = {
+ fileRef = 0F80148EFF9A7E33126500C7;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 0F801490FF9A7E5D126500C7 = {
+ isa = PBXFrameworkReference;
+ path = KerberosSupport.framework;
+ refType = 3;
+ };
+ 0F801491FF9A7E5D126500C7 = {
+ fileRef = 0F801490FF9A7E5D126500C7;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 0F801492FF9A8D33126500C7 = {
+ isa = PBXFrameworkReference;
+ path = KerberosPreferences.framework;
+ refType = 3;
+ };
+ 0F801493FF9A8D33126500C7 = {
+ fileRef = 0F801492FF9A8D33126500C7;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+//0F0
+//0F1
+//0F2
+//0F3
+//0F4
+//130
+//131
+//132
+//133
+//134
+ 13CD711900D835ED7F000001 = {
+ isa = PBXFileReference;
+ path = ccfns.c;
+ refType = 4;
+ };
+ 13CD711A00D835ED7F000001 = {
+ fileRef = 13CD711900D835ED7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+//130
+//131
+//132
+//133
+//134
+//170
+//171
+//172
+//173
+//174
+ 174475CBFF5EEEE312120111 = {
+ buildArgumentsString = "-d3 -f $(SRCROOT)/ErrorTables.jam $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ FRAMEWORK_SEARCH_PATHS = "";
+ HEADER_SEARCH_PATHS = "";
+ LIBRARY_SEARCH_PATHS = "";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Error Tables";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "Error Tables";
+ productName = "Error Tables";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 25;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ 174475CDFF5EF33612120111 = {
+ children = (
+ 012574A5FF7A9C8212120111,
+ 4E933A40FF828AEA12120111,
+ 174475CEFF5EF33612120111,
+ 174475CFFF5EF33612120111,
+ 174475D0FF5EF33612120111,
+ 174475D1FF5EF33612120111,
+ 174475DDFF5EF35112120111,
+ 00CC643800975EFF7F000001,
+ 4E933A44FF82905F12120111,
+ 4E933A45FF82905F12120111,
+ 00CC63F200975A877F000001,
+ );
+ isa = PBXGroup;
+ name = KerberosComErr;
+ path = ../util/et;
+ refType = 2;
+ };
+ 174475CEFF5EF33612120111 = {
+ isa = PBXFileReference;
+ path = com_err.c;
+ refType = 4;
+ };
+ 174475CFFF5EF33612120111 = {
+ isa = PBXFileReference;
+ path = error_message.c;
+ refType = 4;
+ };
+ 174475D0FF5EF33612120111 = {
+ isa = PBXFileReference;
+ path = et_name.c;
+ refType = 4;
+ };
+ 174475D1FF5EF33612120111 = {
+ isa = PBXFileReference;
+ path = init_et.c;
+ refType = 4;
+ };
+ 174475D2FF5EF33612120111 = {
+ buildPhases = (
+ 174475D4FF5EF33612120111,
+ 174475D5FF5EF33612120111,
+ 174475D6FF5EF33612120111,
+ 174475DBFF5EF33612120111,
+ 174475DCFF5EF33612120111,
+ F529E971019AE09101120112,
+ 0A53389B00C407D37F000001,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/../util/et/et.pbexp";
+ FRAMEWORK_SEARCH_PATHS = "";
+ FRAMEWORK_VERSION = A;
+ HEADER_SEARCH_PATHS = "\"$(SYMROOT)/GSSKerberos5.intermediates\"";
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ LIBRARY_SEARCH_PATHS = "";
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "-seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = KerberosComErr;
+ SECTORDER_FLAGS = "";
+ SKIP_INSTALL = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ 174475D3FF5EF33612120111,
+ 00F89AD20046F2B47F000001,
+ );
+ isa = PBXFrameworkTarget;
+ name = KerberosComErr;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = ComErr;
+ productReference = 012574A5FF7A9C8212120111;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>KerberosComErr</string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edu.mit.Kerberos.KerberosComErr</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos ComErr Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ 174475D3FF5EF33612120111 = {
+ isa = PBXTargetDependency;
+ target = 174475CBFF5EEEE312120111;
+ };
+ 174475D4FF5EF33612120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 174475DEFF5EF35112120111,
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 174475D5FF5EF33612120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 4E933A41FF828AEA12120111,
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ 174475D6FF5EF33612120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 174475D7FF5EF33612120111,
+ 174475D8FF5EF33612120111,
+ 174475D9FF5EF33612120111,
+ 174475DAFF5EF33612120111,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 174475D7FF5EF33612120111 = {
+ fileRef = 174475CFFF5EF33612120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475D8FF5EF33612120111 = {
+ fileRef = 174475D0FF5EF33612120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475D9FF5EF33612120111 = {
+ fileRef = 174475D1FF5EF33612120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475DAFF5EF33612120111 = {
+ fileRef = 174475CEFF5EF33612120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475DBFF5EF33612120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 017B1C7C00F26FAD7F000001,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 174475DCFF5EF33612120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 174475DDFF5EF35112120111 = {
+ isa = PBXFileReference;
+ path = com_err.h;
+ refType = 4;
+ };
+ 174475DEFF5EF35112120111 = {
+ fileRef = 174475DDFF5EF35112120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ Public,
+ );
+ };
+ };
+ 174475E2FF5EF80312120111 = {
+ buildPhases = (
+ 174475E3FF5EF80312120111,
+ 174475E4FF5EF80312120111,
+ 174475E5FF5EF80312120111,
+ 174475E6FF5EF80312120111,
+ 174475E7FF5EF80312120111,
+ F529E978019AEB1D01120112,
+ 0A53389C00C414E17F000001,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/../util/profile/profile.pbexp";
+ FRAMEWORK_SEARCH_PATHS = "";
+ FRAMEWORK_VERSION = A;
+ HEADER_SEARCH_PATHS = "\"$(SYMROOT)/GSSKerberos5.intermediates\"";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ LIBRARY_SEARCH_PATHS = "";
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "-init ___InitializeProfileLib -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = KerberosProfile;
+ SECTORDER_FLAGS = "";
+ SKIP_INSTALL = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ 00F89AD30046F2EC7F000001,
+ 17447600FF5EFBEA12120111,
+ );
+ isa = PBXFrameworkTarget;
+ name = KerberosProfile;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = Profile;
+ productReference = 012574A6FF7A9C8212120111;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>KerberosProfile</string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edu.mit.Kerberos.KerberosProfile</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos Profile Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ 174475E3FF5EF80312120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 174475F9FF5EF9C012120111,
+ 17447608FF5F046812120111,
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 174475E4FF5EF80312120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 4E933A43FF828B8612120111,
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ 174475E5FF5EF80312120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 174475EFFF5EF8A512120111,
+ 174475F0FF5EF8A512120111,
+ 174475F1FF5EF8A512120111,
+ 174475F2FF5EF8A512120111,
+ 174475F3FF5EF8A512120111,
+ 174475F4FF5EF8A512120111,
+ 61622FDDFF8535E112120111,
+ 00CC642300975C167F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 174475E6FF5EF80312120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 17447604FF5EFCC612120111,
+ 0F80148FFF9A7E33126500C7,
+ 0F801491FF9A7E5D126500C7,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 174475E7FF5EF80312120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 174475E8FF5EF8A512120111 = {
+ children = (
+ 012574A6FF7A9C8212120111,
+ 17447603FF5EFCC612120111,
+ 0F80148EFF9A7E33126500C7,
+ 0F801490FF9A7E5D126500C7,
+ 61622FDCFF8535E112120111,
+ 4E933A42FF828B8512120111,
+ 0106E994003C39D77F000001,
+ 00CC640500975A877F000001,
+ 00CC63FD00975A877F000001,
+ 00CC640300975A877F000001,
+ 00CC640400975A877F000001,
+ 174475E9FF5EF8A512120111,
+ 174475EAFF5EF8A512120111,
+ 174475EBFF5EF8A512120111,
+ 174475ECFF5EF8A512120111,
+ 174475EDFF5EF8A512120111,
+ 174475EEFF5EF8A512120111,
+ 174475F7FF5EF9C012120111,
+ );
+ isa = PBXGroup;
+ name = KerberosProfile;
+ path = ../util/profile;
+ refType = 2;
+ };
+ 174475E9FF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_file.c;
+ refType = 4;
+ };
+ 174475EAFF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_get.c;
+ refType = 4;
+ };
+ 174475EBFF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_init.c;
+ refType = 4;
+ };
+ 174475ECFF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_parse.c;
+ refType = 4;
+ };
+ 174475EDFF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_set.c;
+ refType = 4;
+ };
+ 174475EEFF5EF8A512120111 = {
+ isa = PBXFileReference;
+ path = prof_tree.c;
+ refType = 4;
+ };
+ 174475EFFF5EF8A512120111 = {
+ fileRef = 174475E9FF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F0FF5EF8A512120111 = {
+ fileRef = 174475EAFF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F1FF5EF8A512120111 = {
+ fileRef = 174475EBFF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F2FF5EF8A512120111 = {
+ fileRef = 174475ECFF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F3FF5EF8A512120111 = {
+ fileRef = 174475EDFF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F4FF5EF8A512120111 = {
+ fileRef = 174475EEFF5EF8A512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475F7FF5EF9C012120111 = {
+ isa = PBXFileReference;
+ path = prof_int.h;
+ refType = 4;
+ };
+ 174475F9FF5EF9C012120111 = {
+ fileRef = 174475F7FF5EF9C012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174475FDFF5EFB1212120111 = {
+ buildArgumentsString = "-d3 -f $(SRCROOT)/HeaderFiles.jam $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ FRAMEWORK_SEARCH_PATHS = "";
+ HEADER_SEARCH_PATHS = "";
+ LIBRARY_SEARCH_PATHS = "";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Header Files";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ 17447609FF5FF54A12120111,
+ );
+ isa = PBXLegacyTarget;
+ name = "Header Files";
+ productName = "Header Files";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ 17447600FF5EFBEA12120111 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+ 17447603FF5EFCC612120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosComErr.framework;
+ refType = 3;
+ };
+ 17447604FF5EFCC612120111 = {
+ fileRef = 17447603FF5EFCC612120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447607FF5F046812120111 = {
+ isa = PBXFileReference;
+ path = GSSKerberosPrefix.h;
+ refType = 2;
+ };
+ 17447608FF5F046812120111 = {
+ fileRef = 17447607FF5F046812120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447609FF5FF54A12120111 = {
+ isa = PBXTargetDependency;
+ target = 174475CBFF5EEEE312120111;
+ };
+ 1744760AFF5FF8DB12120111 = {
+ children = (
+ 012574A7FF7A9C8212120111,
+ 174476CCFF60088512120111,
+ 174476CDFF60088512120111,
+ 00CFB47BFF6EA3C312120111,
+ 0F801492FF9A8D33126500C7,
+ 0106E99A003C767A7F000001,
+ F5163F38019B5D0601120112,
+ F5163F28019B35A801120112,
+ 017F047100FA63557F000001,
+ 61622FDAFF85346F12120111,
+ F529E976019AE3D601120112,
+ 174476B8FF5FFFA512120111,
+ 0106E999003C5FB27F000001,
+ 00CC641F00975C167F000001,
+ 174476BDFF6001C412120111,
+ 174476BFFF60027612120111,
+ 174476C3FF60070212120111,
+ 17447616FF5FFA3A12120111,
+ );
+ isa = PBXGroup;
+ name = Kerberos5Core;
+ path = "";
+ refType = 2;
+ };
+ 1744760CFF5FF8DB12120111 = {
+ buildPhases = (
+ 17447611FF5FF8DB12120111,
+ 17447612FF5FF8DB12120111,
+ 17447613FF5FF8DB12120111,
+ 17447614FF5FF8DB12120111,
+ 17447615FF5FF8DB12120111,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SYMROOT)/GSSKerberos5.intermediates/Kerberos5Core.pbexp";
+ FRAMEWORK_SEARCH_PATHS = "";
+ FRAMEWORK_VERSION = A;
+ HEADER_SEARCH_PATHS = "\"$(SYMROOT)/GSSKerberos5.intermediates\"";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ LIBRARY_SEARCH_PATHS = "";
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "-init ___initializeK5 -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = Kerberos5Core;
+ SECTORDER_FLAGS = "";
+ SKIP_INSTALL = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ 1744760DFF5FF8DB12120111,
+ 1744760EFF5FF8DB12120111,
+ F5163F37019B593201120112,
+ );
+ isa = PBXFrameworkTarget;
+ name = Kerberos5Core;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = Kerberos5;
+ productReference = 012574A7FF7A9C8212120111;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>Kerberos5Core</string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edu.mit.Kerberos.Kerberos5Core</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos v5 Core Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ 1744760DFF5FF8DB12120111 = {
+ isa = PBXTargetDependency;
+ target = 174475CBFF5EEEE312120111;
+ };
+ 1744760EFF5FF8DB12120111 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+ 17447611FF5FF8DB12120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 1744763FFF5FFA3A12120111,
+ 17447640FF5FFA3A12120111,
+ 17447641FF5FFA3A12120111,
+ 17447679FF5FFBE212120111,
+ 1744767AFF5FFBE212120111,
+ 1744767BFF5FFBE212120111,
+ 1744767CFF5FFBE212120111,
+ 1744767DFF5FFBE212120111,
+ 1744767EFF5FFBE212120111,
+ 1744769AFF5FFC2C12120111,
+ 174476ABFF5FFF5B12120111,
+ 174476ACFF5FFF5B12120111,
+ 174476ADFF5FFF5B12120111,
+ 174476AEFF5FFF5B12120111,
+ 174476AFFF5FFF5B12120111,
+ 174476BAFF5FFFA512120111,
+ 174476BCFF5FFFDB12120111,
+ 174476BEFF6001C412120111,
+ 174476C0FF60027612120111,
+ 174476F4FF60088512120111,
+ 174476F5FF60088512120111,
+ 174476F6FF60088512120111,
+ 174476F7FF60088512120111,
+ 174476F8FF60088512120111,
+ 174476F9FF60088512120111,
+ 174476FAFF60088512120111,
+ 174476FBFF60088512120111,
+ 174476FCFF60088512120111,
+ 174476FDFF60088512120111,
+ 17447726FF6024DB12120111,
+ 1744779DFF60261D12120111,
+ 1744779EFF60261D12120111,
+ 1744779FFF60261D12120111,
+ 174477A0FF60261D12120111,
+ 17447807FF60269512120111,
+ 17447808FF60269512120111,
+ 17447809FF60269512120111,
+ 1744783AFF60313B12120111,
+ 5C1373B3FF68306D12120111,
+ 5C1373B4FF68306D12120111,
+ 5C1373F1FF683B8012120111,
+ 5C1373F2FF683B8012120111,
+ 5C1373F3FF683B8012120111,
+ 5C1373F4FF683B8012120111,
+ 00CFB46CFF6D81A212120111,
+ 00CFB477FF6EA33F12120111,
+ 00CFB478FF6EA33F12120111,
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 17447612FF5FF8DB12120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 61622FD2FF82A36412120111,
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ 17447613FF5FF8DB12120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 17447642FF5FFA3A12120111,
+ 17447643FF5FFA3A12120111,
+ 17447644FF5FFA3A12120111,
+ 17447645FF5FFA3A12120111,
+ 17447646FF5FFA3A12120111,
+ 17447647FF5FFA3A12120111,
+ 17447648FF5FFA3A12120111,
+ 17447649FF5FFA3A12120111,
+ 1744764AFF5FFA3A12120111,
+ 1744764BFF5FFA3A12120111,
+ 1744764CFF5FFA3A12120111,
+ 1744764DFF5FFA3A12120111,
+ 1744764EFF5FFA3A12120111,
+ 1744764FFF5FFA3A12120111,
+ 17447650FF5FFA3A12120111,
+ 17447651FF5FFA3A12120111,
+ 17447652FF5FFA3A12120111,
+ 17447653FF5FFA3A12120111,
+ 17447654FF5FFA3A12120111,
+ 17447655FF5FFA3A12120111,
+ 17447656FF5FFA3A12120111,
+ 17447657FF5FFA3A12120111,
+ 17447658FF5FFA3A12120111,
+ 17447659FF5FFA3A12120111,
+ 1744765AFF5FFA3A12120111,
+ 1744765BFF5FFA3A12120111,
+ 1744767FFF5FFBE212120111,
+ 17447680FF5FFBE212120111,
+ 17447681FF5FFBE212120111,
+ 17447682FF5FFBE212120111,
+ 17447683FF5FFBE212120111,
+ 17447684FF5FFBE212120111,
+ 17447685FF5FFBE212120111,
+ 17447686FF5FFBE212120111,
+ 17447687FF5FFBE212120111,
+ 17447688FF5FFBE212120111,
+ 17447689FF5FFBE212120111,
+ 1744768AFF5FFBE212120111,
+ 1744768BFF5FFBE212120111,
+ 1744768CFF5FFBE212120111,
+ 1744768DFF5FFBE212120111,
+ 1744768EFF5FFBE212120111,
+ 1744768FFF5FFBE212120111,
+ 17447690FF5FFBE212120111,
+ 17447691FF5FFBE212120111,
+ 17447692FF5FFBE212120111,
+ 17447693FF5FFBE212120111,
+ 17447694FF5FFBE212120111,
+ 17447695FF5FFBE212120111,
+ 1744769BFF5FFC2C12120111,
+ 1744769CFF5FFC2C12120111,
+ 1744769DFF5FFC2C12120111,
+ 174476B0FF5FFF5B12120111,
+ 174476B1FF5FFF5B12120111,
+ 174476B2FF5FFF5B12120111,
+ 174476B3FF5FFF5B12120111,
+ 174476B4FF5FFF5B12120111,
+ 174476B5FF5FFF5B12120111,
+ 174476B6FF5FFF5B12120111,
+ 174476B7FF5FFF5B12120111,
+ 17447700FF60088512120111,
+ 17447704FF60088512120111,
+ 17447705FF60088512120111,
+ 17447706FF60088512120111,
+ 17447707FF60088512120111,
+ 17447708FF60088512120111,
+ 17447709FF60088512120111,
+ 1744770AFF60088512120111,
+ 1744770BFF60088512120111,
+ 1744770CFF60088512120111,
+ 1744770DFF60088512120111,
+ 17447727FF6024DB12120111,
+ 17447728FF6024DB12120111,
+ 17447729FF6024DB12120111,
+ 1744772AFF6024DB12120111,
+ 1744772BFF6024DB12120111,
+ 1744772CFF6024DB12120111,
+ 1744772DFF6024DB12120111,
+ 1744772EFF6024DB12120111,
+ 1744772FFF6024DB12120111,
+ 17447730FF6024DB12120111,
+ 17447731FF6024DB12120111,
+ 17447732FF6024DB12120111,
+ 17447733FF6024DB12120111,
+ 17447734FF6024DB12120111,
+ 17447735FF6024DB12120111,
+ 17447736FF6024DB12120111,
+ 17447737FF6024DB12120111,
+ 17447738FF6024DB12120111,
+ 17447739FF6024DB12120111,
+ 1744773AFF6024DB12120111,
+ 1744773BFF6024DB12120111,
+ 174477A1FF60261D12120111,
+ 174477A2FF60261D12120111,
+ 174477A3FF60261D12120111,
+ 174477A4FF60261D12120111,
+ 174477A5FF60261D12120111,
+ 174477A6FF60261D12120111,
+ 174477A7FF60261D12120111,
+ 174477A8FF60261D12120111,
+ 174477A9FF60261D12120111,
+ 174477AAFF60261D12120111,
+ 174477ABFF60261D12120111,
+ 174477ACFF60261D12120111,
+ 174477ADFF60261D12120111,
+ 174477AEFF60261D12120111,
+ 174477AFFF60261D12120111,
+ 174477B0FF60261D12120111,
+ 174477B1FF60261D12120111,
+ 174477B2FF60261D12120111,
+ 174477B3FF60261D12120111,
+ 174477B4FF60261D12120111,
+ 174477B5FF60261D12120111,
+ 174477B6FF60261D12120111,
+ 174477B7FF60261D12120111,
+ 174477B8FF60261D12120111,
+ 174477B9FF60261D12120111,
+ 174477BAFF60261D12120111,
+ 174477BBFF60261D12120111,
+ 174477BCFF60261D12120111,
+ 174477BDFF60261D12120111,
+ 174477BEFF60261D12120111,
+ 174477BFFF60261D12120111,
+ 174477C0FF60261D12120111,
+ 174477C1FF60261D12120111,
+ 174477C2FF60261D12120111,
+ 174477C3FF60261D12120111,
+ 174477C4FF60261D12120111,
+ 174477C5FF60261D12120111,
+ 174477C6FF60261D12120111,
+ 174477C7FF60261D12120111,
+ 174477C8FF60261D12120111,
+ 174477C9FF60261D12120111,
+ 174477CAFF60261D12120111,
+ 174477CBFF60261D12120111,
+ 174477CCFF60261D12120111,
+ 174477CDFF60261D12120111,
+ 174477CEFF60261D12120111,
+ 174477CFFF60261D12120111,
+ 174477D0FF60261D12120111,
+ 174477D1FF60261D12120111,
+ 174477D2FF60261D12120111,
+ 174477D3FF60261D12120111,
+ 174477D4FF60261D12120111,
+ 174477D5FF60261D12120111,
+ 174477D6FF60261D12120111,
+ 174477D7FF60261D12120111,
+ 174477D8FF60261D12120111,
+ 174477D9FF60261D12120111,
+ 174477DAFF60261D12120111,
+ 174477DBFF60261D12120111,
+ 174477DCFF60261D12120111,
+ 174477DDFF60261D12120111,
+ 174477DEFF60261D12120111,
+ 174477DFFF60261D12120111,
+ 174477E0FF60261D12120111,
+ 174477E1FF60261D12120111,
+ 174477E2FF60261D12120111,
+ 174477E3FF60261D12120111,
+ 174477E4FF60261D12120111,
+ 174477E5FF60261D12120111,
+ 174477E6FF60261D12120111,
+ 174477E7FF60261D12120111,
+ 174477E8FF60261D12120111,
+ 174477E9FF60261D12120111,
+ 174477EAFF60261D12120111,
+ 174477EBFF60261D12120111,
+ 174477ECFF60261D12120111,
+ 174477EDFF60261D12120111,
+ 174477EEFF60261D12120111,
+ 174477EFFF60261D12120111,
+ 174477F0FF60261D12120111,
+ 174477F1FF60261D12120111,
+ 174477F2FF60261D12120111,
+ 174477F3FF60261D12120111,
+ 174477F4FF60261D12120111,
+ 174477F5FF60261D12120111,
+ 174477F6FF60261D12120111,
+ 174477F7FF60261D12120111,
+ 174477F8FF60261D12120111,
+ 174477F9FF60261D12120111,
+ 174477FAFF60261D12120111,
+ 174477FBFF60261D12120111,
+ 174477FCFF60261D12120111,
+ 174477FDFF60261D12120111,
+ 1744780AFF60269512120111,
+ 1744780BFF60269512120111,
+ 1744780CFF60269512120111,
+ 1744780DFF60269512120111,
+ 1744780EFF60269512120111,
+ 1744780FFF60269512120111,
+ 1744783CFF60313B12120111,
+ 1744783DFF60313B12120111,
+ 1744783EFF60313B12120111,
+ 1744783FFF60313B12120111,
+ 17447840FF60313B12120111,
+ 17447841FF60313B12120111,
+ 17447842FF60313B12120111,
+ 17447843FF60313B12120111,
+ 17447844FF60313B12120111,
+ 17447845FF60313B12120111,
+ 17447846FF60313B12120111,
+ 17447847FF60313B12120111,
+ 17447848FF60313B12120111,
+ 17447849FF60313B12120111,
+ 1744784AFF60313B12120111,
+ 1744784BFF60313B12120111,
+ 1744784CFF60313B12120111,
+ 1744784DFF60313B12120111,
+ 1744784EFF60313B12120111,
+ 1744784FFF60313B12120111,
+ 17447850FF60313B12120111,
+ 17447851FF60313B12120111,
+ 17447852FF60313B12120111,
+ 17447853FF60313B12120111,
+ 17447854FF60313B12120111,
+ 17447855FF60313B12120111,
+ 17447856FF60313B12120111,
+ 17447857FF60313B12120111,
+ 17447858FF60313B12120111,
+ 17447859FF60313B12120111,
+ 1744785AFF60313B12120111,
+ 1744785BFF60313B12120111,
+ 1744785CFF60313B12120111,
+ 1744785DFF60313B12120111,
+ 1744785EFF60313B12120111,
+ 1744785FFF60313B12120111,
+ 17447860FF60313B12120111,
+ 17447861FF60313B12120111,
+ 17447862FF60313B12120111,
+ 17447863FF60313B12120111,
+ 17447873FF60323212120111,
+ 17447874FF60323212120111,
+ 17447875FF60323212120111,
+ 17447876FF60323212120111,
+ 17447877FF60323212120111,
+ 1744787BFF60323212120111,
+ 1744787DFF60323212120111,
+ 5C1373B5FF68306D12120111,
+ 5C1373B6FF68306D12120111,
+ 5C1373B7FF68306D12120111,
+ 5C1373B8FF68306D12120111,
+ 5C1373B9FF68306D12120111,
+ 5C1373BAFF68306D12120111,
+ 5C1373BBFF68306D12120111,
+ 5C1373BCFF68306D12120111,
+ 5C1373BDFF68306D12120111,
+ 5C1373BEFF68306D12120111,
+ 5C1373BFFF68306D12120111,
+ 5C1373C0FF68306D12120111,
+ 5C1373C1FF68306D12120111,
+ 5C1373C2FF68306D12120111,
+ 5C1373C3FF68306D12120111,
+ 5C1373C4FF68306D12120111,
+ 5C1373C5FF68306D12120111,
+ 5C1373C6FF68306D12120111,
+ 5C1373C7FF68306D12120111,
+ 5C1373C8FF68306D12120111,
+ 5C1373F5FF683B8012120111,
+ 5C1373F6FF683B8012120111,
+ 5C1373F7FF683B8012120111,
+ 5C1373F8FF683B8012120111,
+ 5C1373F9FF683B8012120111,
+ 5C1373FAFF683B8012120111,
+ 5C1373FBFF683B8012120111,
+ 5C1373FCFF683B8012120111,
+ 5C1373FDFF683B8012120111,
+ 5C1373FEFF683B8012120111,
+ 5C1373FFFF683B8012120111,
+ 5C137400FF683B8012120111,
+ 5C137401FF683B8012120111,
+ 5C137402FF683B8012120111,
+ 5C137403FF683B8012120111,
+ 5C137404FF683B8012120111,
+ 5C137405FF683B8012120111,
+ 5C137406FF683B8012120111,
+ 5C137407FF683B8012120111,
+ 5C137408FF683B8012120111,
+ 5C137409FF683B8012120111,
+ 5C13740AFF683B8012120111,
+ 5C13740BFF683B8012120111,
+ 5C13740CFF683B8012120111,
+ 5C13740DFF683B8012120111,
+ 5C13740EFF683B8012120111,
+ 5C13740FFF683B8012120111,
+ 5C137410FF683B8012120111,
+ 5C137411FF683B8012120111,
+ 5C137412FF683B8012120111,
+ 5C137413FF683B8012120111,
+ 5C137414FF683B8012120111,
+ 5C137415FF683B8012120111,
+ 5C137416FF683B8012120111,
+ 00CFB46DFF6D81A212120111,
+ 00CFB479FF6EA33F12120111,
+ 00CFB47AFF6EA33F12120111,
+ 61622FDBFF85346F12120111,
+ 00CC642C00975C167F000001,
+ 00CC642D00975C167F000001,
+ 00CC642E00975C167F000001,
+ 00CC642F00975C167F000001,
+ 00CC643000975C167F000001,
+ 13CD711A00D835ED7F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 17447614FF5FF8DB12120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 1744770EFF60088512120111,
+ 1744770FFF60088512120111,
+ 00CFB47CFF6EA3C312120111,
+ 0F801493FF9A8D33126500C7,
+ 0106E99B003C767A7F000001,
+ 017F047200FA63557F000001,
+ F5163F2A019B35A801120112,
+ F5163F39019B5D0701120112,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 17447615FF5FF8DB12120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 17447616FF5FFA3A12120111 = {
+ children = (
+ 17447617FF5FFA3A12120111,
+ 17447618FF5FFA3A12120111,
+ 17447619FF5FFA3A12120111,
+ 1744761AFF5FFA3A12120111,
+ 1744761BFF5FFA3A12120111,
+ 1744761CFF5FFA3A12120111,
+ 1744761DFF5FFA3A12120111,
+ 1744761EFF5FFA3A12120111,
+ 1744761FFF5FFA3A12120111,
+ 17447620FF5FFA3A12120111,
+ 17447621FF5FFA3A12120111,
+ 17447622FF5FFA3A12120111,
+ 17447623FF5FFA3A12120111,
+ 17447624FF5FFA3A12120111,
+ 17447625FF5FFA3A12120111,
+ 17447626FF5FFA3A12120111,
+ 17447627FF5FFA3A12120111,
+ 17447628FF5FFA3A12120111,
+ 17447629FF5FFA3A12120111,
+ 1744762AFF5FFA3A12120111,
+ 1744762BFF5FFA3A12120111,
+ 1744762CFF5FFA3A12120111,
+ 1744762DFF5FFA3A12120111,
+ 1744762EFF5FFA3A12120111,
+ 1744762FFF5FFA3A12120111,
+ 17447630FF5FFA3A12120111,
+ 17447631FF5FFA3A12120111,
+ 17447632FF5FFA3A12120111,
+ 17447633FF5FFA3A12120111,
+ 17447634FF5FFA3A12120111,
+ 17447635FF5FFA3A12120111,
+ 17447636FF5FFA3A12120111,
+ 17447637FF5FFA3A12120111,
+ 17447638FF5FFA3A12120111,
+ 17447639FF5FFA3A12120111,
+ 1744763AFF5FFA3A12120111,
+ 1744763BFF5FFA3A12120111,
+ 1744763CFF5FFA3A12120111,
+ 1744763DFF5FFA3A12120111,
+ 1744763EFF5FFA3A12120111,
+ );
+ isa = PBXGroup;
+ name = crypto;
+ path = ../lib/crypto;
+ refType = 2;
+ };
+ 17447617FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = block_size.c;
+ refType = 4;
+ };
+ 17447618FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = checksum_length.c;
+ refType = 4;
+ };
+ 17447619FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = cksumtypes.c;
+ refType = 4;
+ };
+ 1744761AFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = cksumtypes.h;
+ refType = 4;
+ };
+ 1744761BFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = cksumtype_to_string.c;
+ refType = 4;
+ };
+ 1744761CFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = coll_proof_cksum.c;
+ refType = 4;
+ };
+ 1744761DFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = crypto_libinit.c;
+ refType = 4;
+ };
+ 1744761EFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = crypto_libinit.h;
+ refType = 4;
+ };
+ 1744761FFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = decrypt.c;
+ refType = 4;
+ };
+ 17447620FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = encrypt.c;
+ refType = 4;
+ };
+ 17447621FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = encrypt_length.c;
+ refType = 4;
+ };
+ 17447622FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = enctype_compare.c;
+ refType = 4;
+ };
+ 17447623FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = enctype_to_string.c;
+ refType = 4;
+ };
+ 17447624FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = etypes.c;
+ refType = 4;
+ };
+ 17447625FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = etypes.h;
+ refType = 4;
+ };
+ 17447626FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = hmac.c;
+ refType = 4;
+ };
+ 17447627FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = keyed_checksum_types.c;
+ refType = 4;
+ };
+ 17447628FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = keyed_cksum.c;
+ refType = 4;
+ };
+ 17447629FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = make_checksum.c;
+ refType = 4;
+ };
+ 1744762AFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = make_random_key.c;
+ refType = 4;
+ };
+ 1744762BFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = nfold.c;
+ refType = 4;
+ };
+ 1744762CFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = old_api_glue.c;
+ refType = 4;
+ };
+ 1744762DFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = prng.c;
+ refType = 4;
+ };
+ 1744762EFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = string_to_cksumtype.c;
+ refType = 4;
+ };
+ 1744762FFF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = string_to_enctype.c;
+ refType = 4;
+ };
+ 17447630FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = string_to_key.c;
+ refType = 4;
+ };
+ 17447631FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = valid_cksumtype.c;
+ refType = 4;
+ };
+ 17447632FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = valid_enctype.c;
+ refType = 4;
+ };
+ 17447633FF5FFA3A12120111 = {
+ isa = PBXFileReference;
+ path = verify_checksum.c;
+ refType = 4;
+ };
+ 17447634FF5FFA3A12120111 = {
+ children = (
+ 1744765CFF5FFBE212120111,
+ 1744765DFF5FFBE212120111,
+ );
+ isa = PBXGroup;
+ path = crc32;
+ refType = 4;
+ };
+ 17447635FF5FFA3A12120111 = {
+ children = (
+ 1744765EFF5FFBE212120111,
+ 1744765FFF5FFBE212120111,
+ 17447660FF5FFBE212120111,
+ 17447661FF5FFBE212120111,
+ 17447662FF5FFBE212120111,
+ 17447663FF5FFBE212120111,
+ 17447664FF5FFBE212120111,
+ 17447665FF5FFBE212120111,
+ 17447666FF5FFBE212120111,
+ 17447667FF5FFBE212120111,
+ 17447668FF5FFBE212120111,
+ 17447669FF5FFBE212120111,
+ 1744766AFF5FFBE212120111,
+ );
+ isa = PBXGroup;
+ path = des;
+ refType = 4;
+ };
+ 17447636FF5FFA3A12120111 = {
+ children = (
+ 1744766BFF5FFBE212120111,
+ 1744766CFF5FFBE212120111,
+ 1744766DFF5FFBE212120111,
+ 1744766EFF5FFBE212120111,
+ 1744766FFF5FFBE212120111,
+ 17447670FF5FFBE212120111,
+ );
+ isa = PBXGroup;
+ path = dk;
+ refType = 4;
+ };
+ 17447637FF5FFA3A12120111 = {
+ children = (
+ 17447671FF5FFBE212120111,
+ 17447672FF5FFBE212120111,
+ 17447673FF5FFBE212120111,
+ );
+ isa = PBXGroup;
+ path = enc_provider;
+ refType = 4;
+ };
+ 17447638FF5FFA3A12120111 = {
+ children = (
+ 17447674FF5FFBE212120111,
+ 17447675FF5FFBE212120111,
+ 17447676FF5FFBE212120111,
+ 17447677FF5FFBE212120111,
+ 17447678FF5FFBE212120111,
+ );
+ isa = PBXGroup;
+ path = hash_provider;
+ refType = 4;
+ };
+ 17447639FF5FFA3A12120111 = {
+ children = (
+ 17447696FF5FFC2C12120111,
+ 17447697FF5FFC2C12120111,
+ 17447698FF5FFC2C12120111,
+ 17447699FF5FFC2C12120111,
+ );
+ isa = PBXGroup;
+ path = keyhash_provider;
+ refType = 4;
+ };
+ 1744763AFF5FFA3A12120111 = {
+ children = (
+ 1744769EFF5FFF5B12120111,
+ 1744769FFF5FFF5B12120111,
+ );
+ isa = PBXGroup;
+ path = md4;
+ refType = 4;
+ };
+ 1744763BFF5FFA3A12120111 = {
+ children = (
+ 174476A0FF5FFF5B12120111,
+ 174476A1FF5FFF5B12120111,
+ );
+ isa = PBXGroup;
+ path = md5;
+ refType = 4;
+ };
+ 1744763CFF5FFA3A12120111 = {
+ children = (
+ 174476A2FF5FFF5B12120111,
+ 174476A3FF5FFF5B12120111,
+ 174476A4FF5FFF5B12120111,
+ 174476A5FF5FFF5B12120111,
+ );
+ isa = PBXGroup;
+ path = old;
+ refType = 4;
+ };
+ 1744763DFF5FFA3A12120111 = {
+ children = (
+ 174476A6FF5FFF5B12120111,
+ 174476A7FF5FFF5B12120111,
+ 174476A8FF5FFF5B12120111,
+ );
+ isa = PBXGroup;
+ path = raw;
+ refType = 4;
+ };
+ 1744763EFF5FFA3A12120111 = {
+ children = (
+ 174476A9FF5FFF5B12120111,
+ 174476AAFF5FFF5B12120111,
+ );
+ isa = PBXGroup;
+ path = sha1;
+ refType = 4;
+ };
+ 1744763FFF5FFA3A12120111 = {
+ fileRef = 1744761AFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447640FF5FFA3A12120111 = {
+ fileRef = 1744761EFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447641FF5FFA3A12120111 = {
+ fileRef = 17447625FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447642FF5FFA3A12120111 = {
+ fileRef = 17447617FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447643FF5FFA3A12120111 = {
+ fileRef = 17447618FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447644FF5FFA3A12120111 = {
+ fileRef = 17447619FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447645FF5FFA3A12120111 = {
+ fileRef = 1744761BFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447646FF5FFA3A12120111 = {
+ fileRef = 1744761CFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447647FF5FFA3A12120111 = {
+ fileRef = 1744761DFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447648FF5FFA3A12120111 = {
+ fileRef = 1744761FFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447649FF5FFA3A12120111 = {
+ fileRef = 17447620FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764AFF5FFA3A12120111 = {
+ fileRef = 17447621FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764BFF5FFA3A12120111 = {
+ fileRef = 17447622FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764CFF5FFA3A12120111 = {
+ fileRef = 17447623FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764DFF5FFA3A12120111 = {
+ fileRef = 17447624FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764EFF5FFA3A12120111 = {
+ fileRef = 17447626FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744764FFF5FFA3A12120111 = {
+ fileRef = 17447627FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447650FF5FFA3A12120111 = {
+ fileRef = 17447628FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447651FF5FFA3A12120111 = {
+ fileRef = 17447629FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447652FF5FFA3A12120111 = {
+ fileRef = 1744762AFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447653FF5FFA3A12120111 = {
+ fileRef = 1744762BFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447654FF5FFA3A12120111 = {
+ fileRef = 1744762CFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447655FF5FFA3A12120111 = {
+ fileRef = 1744762DFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447656FF5FFA3A12120111 = {
+ fileRef = 1744762EFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447657FF5FFA3A12120111 = {
+ fileRef = 1744762FFF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447658FF5FFA3A12120111 = {
+ fileRef = 17447630FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447659FF5FFA3A12120111 = {
+ fileRef = 17447631FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744765AFF5FFA3A12120111 = {
+ fileRef = 17447632FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744765BFF5FFA3A12120111 = {
+ fileRef = 17447633FF5FFA3A12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744765CFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = crc32.c;
+ refType = 4;
+ };
+ 1744765DFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = "crc-32.h";
+ refType = 4;
+ };
+ 1744765EFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = afsstring2key.c;
+ refType = 4;
+ };
+ 1744765FFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = d3_cbc.c;
+ refType = 4;
+ };
+ 17447660FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = d3_kysched.c;
+ refType = 4;
+ };
+ 17447661FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = des_int.h;
+ refType = 4;
+ };
+ 17447662FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_cbc.c;
+ refType = 4;
+ };
+ 17447663FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_cksum.c;
+ refType = 4;
+ };
+ 17447664FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_parity.c;
+ refType = 4;
+ };
+ 17447665FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_sched.c;
+ refType = 4;
+ };
+ 17447666FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_tables.c;
+ refType = 4;
+ };
+ 17447667FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = f_tables.h;
+ refType = 4;
+ };
+ 17447668FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = key_sched.c;
+ refType = 4;
+ };
+ 17447669FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = string2key.c;
+ refType = 4;
+ };
+ 1744766AFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = weak_key.c;
+ refType = 4;
+ };
+ 1744766BFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = checksum.c;
+ refType = 4;
+ };
+ 1744766CFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = derive.c;
+ refType = 4;
+ };
+ 1744766DFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = dk.h;
+ refType = 4;
+ };
+ 1744766EFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = dk_decrypt.c;
+ refType = 4;
+ };
+ 1744766FFF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = dk_encrypt.c;
+ refType = 4;
+ };
+ 17447670FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = stringtokey.c;
+ refType = 4;
+ };
+ 17447671FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = des.c;
+ refType = 4;
+ };
+ 17447672FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = des3.c;
+ refType = 4;
+ };
+ 17447673FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = enc_provider.h;
+ refType = 4;
+ };
+ 17447674FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = hash_crc32.c;
+ refType = 4;
+ };
+ 17447675FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = hash_md4.c;
+ refType = 4;
+ };
+ 17447676FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = hash_md5.c;
+ refType = 4;
+ };
+ 17447677FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = hash_provider.h;
+ refType = 4;
+ };
+ 17447678FF5FFBE212120111 = {
+ isa = PBXFileReference;
+ path = hash_sha1.c;
+ refType = 4;
+ };
+ 17447679FF5FFBE212120111 = {
+ fileRef = 1744765DFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767AFF5FFBE212120111 = {
+ fileRef = 17447661FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767BFF5FFBE212120111 = {
+ fileRef = 17447667FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767CFF5FFBE212120111 = {
+ fileRef = 1744766DFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767DFF5FFBE212120111 = {
+ fileRef = 17447673FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767EFF5FFBE212120111 = {
+ fileRef = 17447677FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744767FFF5FFBE212120111 = {
+ fileRef = 1744765CFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447680FF5FFBE212120111 = {
+ fileRef = 1744765EFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447681FF5FFBE212120111 = {
+ fileRef = 1744765FFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447682FF5FFBE212120111 = {
+ fileRef = 17447660FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447683FF5FFBE212120111 = {
+ fileRef = 17447662FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447684FF5FFBE212120111 = {
+ fileRef = 17447663FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447685FF5FFBE212120111 = {
+ fileRef = 17447664FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447686FF5FFBE212120111 = {
+ fileRef = 17447665FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447687FF5FFBE212120111 = {
+ fileRef = 17447666FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447688FF5FFBE212120111 = {
+ fileRef = 17447668FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447689FF5FFBE212120111 = {
+ fileRef = 17447669FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768AFF5FFBE212120111 = {
+ fileRef = 1744766AFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768BFF5FFBE212120111 = {
+ fileRef = 1744766BFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768CFF5FFBE212120111 = {
+ fileRef = 1744766CFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768DFF5FFBE212120111 = {
+ fileRef = 1744766EFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768EFF5FFBE212120111 = {
+ fileRef = 1744766FFF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744768FFF5FFBE212120111 = {
+ fileRef = 17447670FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447690FF5FFBE212120111 = {
+ fileRef = 17447671FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447691FF5FFBE212120111 = {
+ fileRef = 17447672FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447692FF5FFBE212120111 = {
+ fileRef = 17447674FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447693FF5FFBE212120111 = {
+ fileRef = 17447675FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447694FF5FFBE212120111 = {
+ fileRef = 17447676FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447695FF5FFBE212120111 = {
+ fileRef = 17447678FF5FFBE212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447696FF5FFC2C12120111 = {
+ isa = PBXFileReference;
+ path = descbc.c;
+ refType = 4;
+ };
+ 17447697FF5FFC2C12120111 = {
+ isa = PBXFileReference;
+ path = k5_md4des.c;
+ refType = 4;
+ };
+ 17447698FF5FFC2C12120111 = {
+ isa = PBXFileReference;
+ path = k5_md5des.c;
+ refType = 4;
+ };
+ 17447699FF5FFC2C12120111 = {
+ isa = PBXFileReference;
+ path = keyhash_provider.h;
+ refType = 4;
+ };
+ 1744769AFF5FFC2C12120111 = {
+ fileRef = 17447699FF5FFC2C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744769BFF5FFC2C12120111 = {
+ fileRef = 17447696FF5FFC2C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744769CFF5FFC2C12120111 = {
+ fileRef = 17447697FF5FFC2C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744769DFF5FFC2C12120111 = {
+ fileRef = 17447698FF5FFC2C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744769EFF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = md4.c;
+ refType = 4;
+ };
+ 1744769FFF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = "rsa-md4.h";
+ refType = 4;
+ };
+ 174476A0FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = md5.c;
+ refType = 4;
+ };
+ 174476A1FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = "rsa-md5.h";
+ refType = 4;
+ };
+ 174476A2FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = des_stringtokey.c;
+ refType = 4;
+ };
+ 174476A3FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = old.h;
+ refType = 4;
+ };
+ 174476A4FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = old_decrypt.c;
+ refType = 4;
+ };
+ 174476A5FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = old_encrypt.c;
+ refType = 4;
+ };
+ 174476A6FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = raw.h;
+ refType = 4;
+ };
+ 174476A7FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = raw_decrypt.c;
+ refType = 4;
+ };
+ 174476A8FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = raw_encrypt.c;
+ refType = 4;
+ };
+ 174476A9FF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = shs.c;
+ refType = 4;
+ };
+ 174476AAFF5FFF5B12120111 = {
+ isa = PBXFileReference;
+ path = shs.h;
+ refType = 4;
+ };
+ 174476ABFF5FFF5B12120111 = {
+ fileRef = 174476A1FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476ACFF5FFF5B12120111 = {
+ fileRef = 1744769FFF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476ADFF5FFF5B12120111 = {
+ fileRef = 174476A3FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476AEFF5FFF5B12120111 = {
+ fileRef = 174476A6FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476AFFF5FFF5B12120111 = {
+ fileRef = 174476AAFF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476B0FF5FFF5B12120111 = {
+ fileRef = 1744769EFF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B1FF5FFF5B12120111 = {
+ fileRef = 174476A0FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B2FF5FFF5B12120111 = {
+ fileRef = 174476A2FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B3FF5FFF5B12120111 = {
+ fileRef = 174476A4FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B4FF5FFF5B12120111 = {
+ fileRef = 174476A5FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B5FF5FFF5B12120111 = {
+ fileRef = 174476A7FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B6FF5FFF5B12120111 = {
+ fileRef = 174476A8FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B7FF5FFF5B12120111 = {
+ fileRef = 174476A9FF5FFF5B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174476B8FF5FFFA512120111 = {
+ isa = PBXFileReference;
+ name = "k5-int.h";
+ path = "../include/k5-int.h";
+ refType = 2;
+ };
+ 174476BAFF5FFFA512120111 = {
+ fileRef = 174476B8FF5FFFA512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476BCFF5FFFDB12120111 = {
+ fileRef = 17447607FF5F046812120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476BDFF6001C412120111 = {
+ isa = PBXFileReference;
+ name = kdb.h;
+ path = ../include/krb5/kdb.h;
+ refType = 2;
+ };
+ 174476BEFF6001C412120111 = {
+ fileRef = 174476BDFF6001C412120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476BFFF60027612120111 = {
+ isa = PBXFileReference;
+ name = osconf.h;
+ path = ../include/krb5/stock/osconf.h;
+ refType = 2;
+ };
+ 174476C0FF60027612120111 = {
+ fileRef = 174476BFFF60027612120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476C3FF60070212120111 = {
+ children = (
+ 00CFB46AFF6D81A212120111,
+ 00CFB46BFF6D81A212120111,
+ 174476C4FF60076112120111,
+ 174476C5FF60076112120111,
+ 174476C6FF60076112120111,
+ 174476C7FF60076112120111,
+ 174476C8FF60076112120111,
+ 174476C9FF60076112120111,
+ 174476CAFF60076112120111,
+ 174476CBFF60076112120111,
+ );
+ isa = PBXGroup;
+ name = krb5;
+ path = ../lib/krb5;
+ refType = 2;
+ };
+ 174476C4FF60076112120111 = {
+ children = (
+ 00CC63ED00975A877F000001,
+ 00CC63EE00975A877F000001,
+ 00CC63EF00975A877F000001,
+ 00CC63F000975A877F000001,
+ 00CC63F900975A877F000001,
+ 00CC63FA00975A877F000001,
+ 00CC63FE00975A877F000001,
+ 00CC63FF00975A877F000001,
+ 00CC640100975A877F000001,
+ 00CC640200975A877F000001,
+ 174476D2FF60088512120111,
+ );
+ isa = PBXGroup;
+ path = error_tables;
+ refType = 4;
+ };
+ 174476C5FF60076112120111 = {
+ children = (
+ 174476D9FF60088512120111,
+ 174476DAFF60088512120111,
+ 174476DBFF60088512120111,
+ 174476DCFF60088512120111,
+ 174476DDFF60088512120111,
+ 174476DEFF60088512120111,
+ 174476DFFF60088512120111,
+ 174476E0FF60088512120111,
+ 174476E1FF60088512120111,
+ 174476E2FF60088512120111,
+ 174476E3FF60088512120111,
+ 174476E4FF60088512120111,
+ 174476E5FF60088512120111,
+ 174476E6FF60088512120111,
+ 174476E7FF60088512120111,
+ 174476E8FF60088512120111,
+ 174476E9FF60088512120111,
+ 174476EAFF60088512120111,
+ 174476EBFF60088512120111,
+ 174476ECFF60088512120111,
+ );
+ isa = PBXGroup;
+ path = asn.1;
+ refType = 4;
+ };
+ 174476C6FF60076112120111 = {
+ children = (
+ 00CFB472FF6EA33F12120111,
+ 5C1373C9FF683B8012120111,
+ 5C1373DAFF683B8012120111,
+ 5C137387FF682C2F12120111,
+ 17447864FF60323212120111,
+ 17447865FF60323212120111,
+ 17447866FF60323212120111,
+ 17447867FF60323212120111,
+ 13CD711900D835ED7F000001,
+ 1744786BFF60323212120111,
+ 1744786FFF60323212120111,
+ );
+ isa = PBXGroup;
+ path = ccache;
+ refType = 4;
+ };
+ 174476C7FF60076112120111 = {
+ children = (
+ 17447710FF6024DB12120111,
+ 17447711FF6024DB12120111,
+ 17447712FF6024DB12120111,
+ 17447713FF6024DB12120111,
+ 17447714FF6024DB12120111,
+ 17447715FF6024DB12120111,
+ 174476EDFF60088512120111,
+ 174476EEFF60088512120111,
+ );
+ isa = PBXGroup;
+ path = keytab;
+ refType = 4;
+ };
+ 174476C8FF60076112120111 = {
+ children = (
+ 17447746FF60261D12120111,
+ 17447747FF60261D12120111,
+ 17447748FF60261D12120111,
+ 17447749FF60261D12120111,
+ 1744774AFF60261D12120111,
+ 1744774BFF60261D12120111,
+ 1744774CFF60261D12120111,
+ 1744774DFF60261D12120111,
+ 1744774EFF60261D12120111,
+ 1744774FFF60261D12120111,
+ 17447750FF60261D12120111,
+ 17447751FF60261D12120111,
+ 17447752FF60261D12120111,
+ 17447753FF60261D12120111,
+ 17447754FF60261D12120111,
+ 17447755FF60261D12120111,
+ 17447756FF60261D12120111,
+ 17447757FF60261D12120111,
+ 17447758FF60261D12120111,
+ 17447759FF60261D12120111,
+ 1744775AFF60261D12120111,
+ 1744775BFF60261D12120111,
+ 1744775CFF60261D12120111,
+ 1744775DFF60261D12120111,
+ 1744775EFF60261D12120111,
+ 1744775FFF60261D12120111,
+ 17447760FF60261D12120111,
+ 17447761FF60261D12120111,
+ 17447762FF60261D12120111,
+ 17447763FF60261D12120111,
+ 17447764FF60261D12120111,
+ 17447765FF60261D12120111,
+ 17447766FF60261D12120111,
+ 17447767FF60261D12120111,
+ 17447768FF60261D12120111,
+ 17447769FF60261D12120111,
+ 1744776AFF60261D12120111,
+ 1744776BFF60261D12120111,
+ 1744776CFF60261D12120111,
+ 1744776DFF60261D12120111,
+ 1744776EFF60261D12120111,
+ 1744776FFF60261D12120111,
+ 17447770FF60261D12120111,
+ 17447773FF60261D12120111,
+ 17447771FF60261D12120111,
+ 17447772FF60261D12120111,
+ 17447774FF60261D12120111,
+ 17447775FF60261D12120111,
+ 17447776FF60261D12120111,
+ 17447777FF60261D12120111,
+ 17447778FF60261D12120111,
+ 17447779FF60261D12120111,
+ 1744777AFF60261D12120111,
+ 1744777BFF60261D12120111,
+ 1744777CFF60261D12120111,
+ 1744777DFF60261D12120111,
+ 1744777EFF60261D12120111,
+ 1744777FFF60261D12120111,
+ 17447780FF60261D12120111,
+ 17447781FF60261D12120111,
+ 17447782FF60261D12120111,
+ 17447783FF60261D12120111,
+ 17447784FF60261D12120111,
+ 17447785FF60261D12120111,
+ 17447786FF60261D12120111,
+ 17447787FF60261D12120111,
+ 17447788FF60261D12120111,
+ 17447789FF60261D12120111,
+ 1744778AFF60261D12120111,
+ 1744778BFF60261D12120111,
+ 1744778CFF60261D12120111,
+ 1744778DFF60261D12120111,
+ 1744778EFF60261D12120111,
+ 1744778FFF60261D12120111,
+ 17447790FF60261D12120111,
+ 17447791FF60261D12120111,
+ 17447792FF60261D12120111,
+ 17447793FF60261D12120111,
+ 17447794FF60261D12120111,
+ 17447795FF60261D12120111,
+ 17447796FF60261D12120111,
+ 17447797FF60261D12120111,
+ 17447798FF60261D12120111,
+ 17447799FF60261D12120111,
+ 1744779AFF60261D12120111,
+ 1744779BFF60261D12120111,
+ 1744779CFF60261D12120111,
+ );
+ isa = PBXGroup;
+ path = krb;
+ refType = 4;
+ };
+ 174476C9FF60076112120111 = {
+ children = (
+ 174477FEFF60269512120111,
+ 174477FFFF60269512120111,
+ 17447800FF60269512120111,
+ 17447801FF60269512120111,
+ 17447802FF60269512120111,
+ 17447803FF60269512120111,
+ 17447804FF60269512120111,
+ 17447805FF60269512120111,
+ 17447806FF60269512120111,
+ );
+ isa = PBXGroup;
+ path = rcache;
+ refType = 4;
+ };
+ 174476CAFF60076112120111 = {
+ children = (
+ 17447811FF60313B12120111,
+ 17447812FF60313B12120111,
+ 17447813FF60313B12120111,
+ 17447814FF60313B12120111,
+ 17447815FF60313B12120111,
+ 17447816FF60313B12120111,
+ 17447817FF60313B12120111,
+ 17447818FF60313B12120111,
+ 17447819FF60313B12120111,
+ 1744781AFF60313B12120111,
+ 1744781BFF60313B12120111,
+ 1744781CFF60313B12120111,
+ 1744781DFF60313B12120111,
+ 1744781EFF60313B12120111,
+ 1744781FFF60313B12120111,
+ 17447820FF60313B12120111,
+ 17447821FF60313B12120111,
+ 17447822FF60313B12120111,
+ 17447823FF60313B12120111,
+ 17447824FF60313B12120111,
+ 17447825FF60313B12120111,
+ 17447826FF60313B12120111,
+ 17447827FF60313B12120111,
+ 17447828FF60313B12120111,
+ 17447829FF60313B12120111,
+ 1744782AFF60313B12120111,
+ 1744782BFF60313B12120111,
+ 1744782CFF60313B12120111,
+ 1744782DFF60313B12120111,
+ 1744782EFF60313B12120111,
+ 1744782FFF60313B12120111,
+ 17447830FF60313B12120111,
+ 17447831FF60313B12120111,
+ 17447832FF60313B12120111,
+ 17447833FF60313B12120111,
+ 17447834FF60313B12120111,
+ 17447835FF60313B12120111,
+ 17447836FF60313B12120111,
+ 17447837FF60313B12120111,
+ 17447838FF60313B12120111,
+ 17447839FF60313B12120111,
+ );
+ isa = PBXGroup;
+ path = os;
+ refType = 4;
+ };
+ 174476CBFF60076112120111 = {
+ children = (
+ 17447870FF60323212120111,
+ );
+ isa = PBXGroup;
+ path = posix;
+ refType = 4;
+ };
+ 174476CCFF60088512120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosComErr.framework;
+ refType = 3;
+ };
+ 174476CDFF60088512120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosProfile.framework;
+ refType = 3;
+ };
+ 174476D2FF60088512120111 = {
+ isa = PBXFileReference;
+ path = init_ets.c;
+ refType = 4;
+ };
+ 174476D9FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1buf.c;
+ refType = 4;
+ };
+ 174476DAFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1buf.h;
+ refType = 4;
+ };
+ 174476DBFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_decode.c;
+ refType = 4;
+ };
+ 174476DCFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_decode.h;
+ refType = 4;
+ };
+ 174476DDFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_encode.c;
+ refType = 4;
+ };
+ 174476DEFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_encode.h;
+ refType = 4;
+ };
+ 174476DFFF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_get.c;
+ refType = 4;
+ };
+ 174476E0FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_get.h;
+ refType = 4;
+ };
+ 174476E1FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1glue.h;
+ refType = 4;
+ };
+ 174476E2FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_k_decode.c;
+ refType = 4;
+ };
+ 174476E3FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_k_decode.h;
+ refType = 4;
+ };
+ 174476E4FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_k_encode.c;
+ refType = 4;
+ };
+ 174476E5FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_k_encode.h;
+ refType = 4;
+ };
+ 174476E6FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_make.c;
+ refType = 4;
+ };
+ 174476E7FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_make.h;
+ refType = 4;
+ };
+ 174476E8FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_misc.c;
+ refType = 4;
+ };
+ 174476E9FF60088512120111 = {
+ isa = PBXFileReference;
+ path = asn1_misc.h;
+ refType = 4;
+ };
+ 174476EAFF60088512120111 = {
+ isa = PBXFileReference;
+ path = krb5_decode.c;
+ refType = 4;
+ };
+ 174476EBFF60088512120111 = {
+ isa = PBXFileReference;
+ path = krb5_encode.c;
+ refType = 4;
+ };
+ 174476ECFF60088512120111 = {
+ isa = PBXFileReference;
+ path = krbasn1.h;
+ refType = 4;
+ };
+ 174476EDFF60088512120111 = {
+ children = (
+ 17447716FF6024DB12120111,
+ 17447717FF6024DB12120111,
+ 17447718FF6024DB12120111,
+ 17447719FF6024DB12120111,
+ 1744771AFF6024DB12120111,
+ 1744771BFF6024DB12120111,
+ 1744771CFF6024DB12120111,
+ 1744771DFF6024DB12120111,
+ 1744771EFF6024DB12120111,
+ 1744771FFF6024DB12120111,
+ 17447720FF6024DB12120111,
+ 17447721FF6024DB12120111,
+ 17447722FF6024DB12120111,
+ 17447723FF6024DB12120111,
+ 17447724FF6024DB12120111,
+ 17447725FF6024DB12120111,
+ );
+ isa = PBXGroup;
+ path = file;
+ refType = 4;
+ };
+ 174476EEFF60088512120111 = {
+ children = (
+ 1744773CFF60261D12120111,
+ 1744773DFF60261D12120111,
+ 1744773EFF60261D12120111,
+ 1744773FFF60261D12120111,
+ 17447740FF60261D12120111,
+ 17447741FF60261D12120111,
+ 17447742FF60261D12120111,
+ 17447743FF60261D12120111,
+ 17447744FF60261D12120111,
+ 17447745FF60261D12120111,
+ );
+ isa = PBXGroup;
+ path = srvtab;
+ refType = 4;
+ };
+ 174476F4FF60088512120111 = {
+ fileRef = 174476DAFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476F5FF60088512120111 = {
+ fileRef = 174476DCFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476F6FF60088512120111 = {
+ fileRef = 174476DEFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476F7FF60088512120111 = {
+ fileRef = 174476E0FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476F8FF60088512120111 = {
+ fileRef = 174476E1FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476F9FF60088512120111 = {
+ fileRef = 174476E3FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476FAFF60088512120111 = {
+ fileRef = 174476E5FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476FBFF60088512120111 = {
+ fileRef = 174476E7FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476FCFF60088512120111 = {
+ fileRef = 174476E9FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174476FDFF60088512120111 = {
+ fileRef = 174476ECFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447700FF60088512120111 = {
+ fileRef = 174476D2FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447704FF60088512120111 = {
+ fileRef = 174476D9FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447705FF60088512120111 = {
+ fileRef = 174476DBFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447706FF60088512120111 = {
+ fileRef = 174476DDFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447707FF60088512120111 = {
+ fileRef = 174476DFFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447708FF60088512120111 = {
+ fileRef = 174476E2FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447709FF60088512120111 = {
+ fileRef = 174476E4FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744770AFF60088512120111 = {
+ fileRef = 174476E6FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744770BFF60088512120111 = {
+ fileRef = 174476E8FF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744770CFF60088512120111 = {
+ fileRef = 174476EAFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744770DFF60088512120111 = {
+ fileRef = 174476EBFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744770EFF60088512120111 = {
+ fileRef = 174476CCFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744770FFF60088512120111 = {
+ fileRef = 174476CDFF60088512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447710FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktadd.c;
+ refType = 4;
+ };
+ 17447711FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktbase.c;
+ refType = 4;
+ };
+ 17447712FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktdefault.c;
+ refType = 4;
+ };
+ 17447713FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktfr_entry.c;
+ refType = 4;
+ };
+ 17447714FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktremove.c;
+ refType = 4;
+ };
+ 17447715FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = read_servi.c;
+ refType = 4;
+ };
+ 17447716FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_add.c;
+ refType = 4;
+ };
+ 17447717FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_close.c;
+ refType = 4;
+ };
+ 17447718FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_defops.c;
+ refType = 4;
+ };
+ 17447719FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_endget.c;
+ refType = 4;
+ };
+ 1744771AFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_g_ent.c;
+ refType = 4;
+ };
+ 1744771BFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_g_name.c;
+ refType = 4;
+ };
+ 1744771CFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktfile.h;
+ refType = 4;
+ };
+ 1744771DFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_next.c;
+ refType = 4;
+ };
+ 1744771EFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_ops.c;
+ refType = 4;
+ };
+ 1744771FFF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_remove.c;
+ refType = 4;
+ };
+ 17447720FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_resolv.c;
+ refType = 4;
+ };
+ 17447721FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_ssget.c;
+ refType = 4;
+ };
+ 17447722FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_util.c;
+ refType = 4;
+ };
+ 17447723FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_wops.c;
+ refType = 4;
+ };
+ 17447724FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ktf_wreslv.c;
+ refType = 4;
+ };
+ 17447725FF6024DB12120111 = {
+ isa = PBXFileReference;
+ path = ser_ktf.c;
+ refType = 4;
+ };
+ 17447726FF6024DB12120111 = {
+ fileRef = 1744771CFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447727FF6024DB12120111 = {
+ fileRef = 17447710FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447728FF6024DB12120111 = {
+ fileRef = 17447711FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447729FF6024DB12120111 = {
+ fileRef = 17447712FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772AFF6024DB12120111 = {
+ fileRef = 17447713FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772BFF6024DB12120111 = {
+ fileRef = 17447714FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772CFF6024DB12120111 = {
+ fileRef = 17447715FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772DFF6024DB12120111 = {
+ fileRef = 17447716FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772EFF6024DB12120111 = {
+ fileRef = 17447717FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744772FFF6024DB12120111 = {
+ fileRef = 17447718FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447730FF6024DB12120111 = {
+ fileRef = 17447719FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447731FF6024DB12120111 = {
+ fileRef = 1744771AFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447732FF6024DB12120111 = {
+ fileRef = 1744771BFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447733FF6024DB12120111 = {
+ fileRef = 1744771DFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447734FF6024DB12120111 = {
+ fileRef = 1744771EFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447735FF6024DB12120111 = {
+ fileRef = 1744771FFF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447736FF6024DB12120111 = {
+ fileRef = 17447720FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447737FF6024DB12120111 = {
+ fileRef = 17447721FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447738FF6024DB12120111 = {
+ fileRef = 17447722FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447739FF6024DB12120111 = {
+ fileRef = 17447723FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744773AFF6024DB12120111 = {
+ fileRef = 17447724FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744773BFF6024DB12120111 = {
+ fileRef = 17447725FF6024DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744773CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_close.c;
+ refType = 4;
+ };
+ 1744773DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_endget.c;
+ refType = 4;
+ };
+ 1744773EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_g_ent.c;
+ refType = 4;
+ };
+ 1744773FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_g_name.c;
+ refType = 4;
+ };
+ 17447740FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_next.c;
+ refType = 4;
+ };
+ 17447741FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_ops.c;
+ refType = 4;
+ };
+ 17447742FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_resolv.c;
+ refType = 4;
+ };
+ 17447743FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ktsrvtab.h;
+ refType = 4;
+ };
+ 17447744FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_ssget.c;
+ refType = 4;
+ };
+ 17447745FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kts_util.c;
+ refType = 4;
+ };
+ 17447746FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = addr_comp.c;
+ refType = 4;
+ };
+ 17447747FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = addr_order.c;
+ refType = 4;
+ };
+ 17447748FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = addr_srch.c;
+ refType = 4;
+ };
+ 17447749FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = appdefault.c;
+ refType = 4;
+ };
+ 1744774AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = auth_con.c;
+ refType = 4;
+ };
+ 1744774BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = auth_con.h;
+ refType = 4;
+ };
+ 1744774CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = bld_pr_ext.c;
+ refType = 4;
+ };
+ 1744774DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = bld_princ.c;
+ refType = 4;
+ };
+ 1744774EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = chk_trans.c;
+ refType = 4;
+ };
+ 1744774FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = chpw.c;
+ refType = 4;
+ };
+ 17447750FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = cleanup.h;
+ refType = 4;
+ };
+ 17447751FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = conv_princ.c;
+ refType = 4;
+ };
+ 17447752FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_addrs.c;
+ refType = 4;
+ };
+ 17447753FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_athctr.c;
+ refType = 4;
+ };
+ 17447754FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_auth.c;
+ refType = 4;
+ };
+ 17447755FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_cksum.c;
+ refType = 4;
+ };
+ 17447756FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_creds.c;
+ refType = 4;
+ };
+ 17447757FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_data.c;
+ refType = 4;
+ };
+ 17447758FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_key.c;
+ refType = 4;
+ };
+ 17447759FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_princ.c;
+ refType = 4;
+ };
+ 1744775AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = copy_tick.c;
+ refType = 4;
+ };
+ 1744775BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = cp_key_cnt.c;
+ refType = 4;
+ };
+ 1744775CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = decode_kdc.c;
+ refType = 4;
+ };
+ 1744775DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = decrypt_tk.c;
+ refType = 4;
+ };
+ 1744775EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = deltat.c;
+ refType = 4;
+ };
+ 1744775FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = enc_helper.c;
+ refType = 4;
+ };
+ 17447760FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = encode_kdc.c;
+ refType = 4;
+ };
+ 17447761FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = encrypt_tk.c;
+ refType = 4;
+ };
+ 17447762FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = free_rtree.c;
+ refType = 4;
+ };
+ 17447763FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = fwd_tgt.c;
+ refType = 4;
+ };
+ 17447764FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gc_frm_kdc.c;
+ refType = 4;
+ };
+ 17447765FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gc_via_tkt.c;
+ refType = 4;
+ };
+ 17447766FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gen_seqnum.c;
+ refType = 4;
+ };
+ 17447767FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gen_subkey.c;
+ refType = 4;
+ };
+ 17447768FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = get_creds.c;
+ refType = 4;
+ };
+ 17447769FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = get_in_tkt.c;
+ refType = 4;
+ };
+ 1744776AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gic_keytab.c;
+ refType = 4;
+ };
+ 1744776BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gic_opt.c;
+ refType = 4;
+ };
+ 1744776CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = gic_pwd.c;
+ refType = 4;
+ };
+ 1744776DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = init_ctx.c;
+ refType = 4;
+ };
+ 1744776EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = in_tkt_ktb.c;
+ refType = 4;
+ };
+ 1744776FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = in_tkt_pwd.c;
+ refType = 4;
+ };
+ 17447770FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = in_tkt_sky.c;
+ refType = 4;
+ };
+ 17447771FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = "int-proto.h";
+ refType = 4;
+ };
+ 17447772FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kdc_rep_dc.c;
+ refType = 4;
+ };
+ 17447773FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = kfree.c;
+ refType = 4;
+ };
+ 17447774FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_cred.c;
+ refType = 4;
+ };
+ 17447775FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_error.c;
+ refType = 4;
+ };
+ 17447776FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_priv.c;
+ refType = 4;
+ };
+ 17447777FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_rep.c;
+ refType = 4;
+ };
+ 17447778FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_req.c;
+ refType = 4;
+ };
+ 17447779FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_req_ext.c;
+ refType = 4;
+ };
+ 1744777AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = mk_safe.c;
+ refType = 4;
+ };
+ 1744777BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = parse.c;
+ refType = 4;
+ };
+ 1744777CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = preauth.c;
+ refType = 4;
+ };
+ 1744777DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = preauth2.c;
+ refType = 4;
+ };
+ 1744777EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = princ_comp.c;
+ refType = 4;
+ };
+ 1744777FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = pr_to_salt.c;
+ refType = 4;
+ };
+ 17447780FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_cred.c;
+ refType = 4;
+ };
+ 17447781FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_error.c;
+ refType = 4;
+ };
+ 17447782FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_priv.c;
+ refType = 4;
+ };
+ 17447783FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_rep.c;
+ refType = 4;
+ };
+ 17447784FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_req.c;
+ refType = 4;
+ };
+ 17447785FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_req_dec.c;
+ refType = 4;
+ };
+ 17447786FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = rd_safe.c;
+ refType = 4;
+ };
+ 17447787FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = recvauth.c;
+ refType = 4;
+ };
+ 17447788FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = sendauth.c;
+ refType = 4;
+ };
+ 17447789FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = send_tgs.c;
+ refType = 4;
+ };
+ 1744778AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_actx.c;
+ refType = 4;
+ };
+ 1744778BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_adata.c;
+ refType = 4;
+ };
+ 1744778CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_addr.c;
+ refType = 4;
+ };
+ 1744778DFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_auth.c;
+ refType = 4;
+ };
+ 1744778EFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_cksum.c;
+ refType = 4;
+ };
+ 1744778FFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_ctx.c;
+ refType = 4;
+ };
+ 17447790FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_eblk.c;
+ refType = 4;
+ };
+ 17447791FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = serialize.c;
+ refType = 4;
+ };
+ 17447792FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_key.c;
+ refType = 4;
+ };
+ 17447793FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = ser_princ.c;
+ refType = 4;
+ };
+ 17447794FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = set_realm.c;
+ refType = 4;
+ };
+ 17447795FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = srv_rcache.c;
+ refType = 4;
+ };
+ 17447796FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = str_conv.c;
+ refType = 4;
+ };
+ 17447797FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = tgtname.c;
+ refType = 4;
+ };
+ 17447798FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = unparse.c;
+ refType = 4;
+ };
+ 17447799FF60261D12120111 = {
+ isa = PBXFileReference;
+ path = valid_times.c;
+ refType = 4;
+ };
+ 1744779AFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = vfy_increds.c;
+ refType = 4;
+ };
+ 1744779BFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = vic_opt.c;
+ refType = 4;
+ };
+ 1744779CFF60261D12120111 = {
+ isa = PBXFileReference;
+ path = walk_rtree.c;
+ refType = 4;
+ };
+ 1744779DFF60261D12120111 = {
+ fileRef = 17447743FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744779EFF60261D12120111 = {
+ fileRef = 1744774BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744779FFF60261D12120111 = {
+ fileRef = 17447750FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174477A0FF60261D12120111 = {
+ fileRef = 17447771FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 174477A1FF60261D12120111 = {
+ fileRef = 1744773CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A2FF60261D12120111 = {
+ fileRef = 1744773DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A3FF60261D12120111 = {
+ fileRef = 1744773EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A4FF60261D12120111 = {
+ fileRef = 1744773FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A5FF60261D12120111 = {
+ fileRef = 17447740FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A6FF60261D12120111 = {
+ fileRef = 17447741FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A7FF60261D12120111 = {
+ fileRef = 17447742FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A8FF60261D12120111 = {
+ fileRef = 17447744FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477A9FF60261D12120111 = {
+ fileRef = 17447745FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477AAFF60261D12120111 = {
+ fileRef = 17447746FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477ABFF60261D12120111 = {
+ fileRef = 17447747FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477ACFF60261D12120111 = {
+ fileRef = 17447748FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477ADFF60261D12120111 = {
+ fileRef = 17447749FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477AEFF60261D12120111 = {
+ fileRef = 1744774AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477AFFF60261D12120111 = {
+ fileRef = 1744774CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B0FF60261D12120111 = {
+ fileRef = 1744774DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B1FF60261D12120111 = {
+ fileRef = 1744774EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B2FF60261D12120111 = {
+ fileRef = 1744774FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B3FF60261D12120111 = {
+ fileRef = 17447751FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B4FF60261D12120111 = {
+ fileRef = 17447752FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B5FF60261D12120111 = {
+ fileRef = 17447753FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B6FF60261D12120111 = {
+ fileRef = 17447754FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B7FF60261D12120111 = {
+ fileRef = 17447755FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B8FF60261D12120111 = {
+ fileRef = 17447756FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477B9FF60261D12120111 = {
+ fileRef = 17447757FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BAFF60261D12120111 = {
+ fileRef = 17447758FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BBFF60261D12120111 = {
+ fileRef = 17447759FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BCFF60261D12120111 = {
+ fileRef = 1744775AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BDFF60261D12120111 = {
+ fileRef = 1744775BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BEFF60261D12120111 = {
+ fileRef = 1744775CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477BFFF60261D12120111 = {
+ fileRef = 1744775DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C0FF60261D12120111 = {
+ fileRef = 1744775EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C1FF60261D12120111 = {
+ fileRef = 1744775FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C2FF60261D12120111 = {
+ fileRef = 17447760FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C3FF60261D12120111 = {
+ fileRef = 17447761FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C4FF60261D12120111 = {
+ fileRef = 17447762FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C5FF60261D12120111 = {
+ fileRef = 17447763FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C6FF60261D12120111 = {
+ fileRef = 17447764FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C7FF60261D12120111 = {
+ fileRef = 17447765FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C8FF60261D12120111 = {
+ fileRef = 17447766FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477C9FF60261D12120111 = {
+ fileRef = 17447767FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CAFF60261D12120111 = {
+ fileRef = 17447768FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CBFF60261D12120111 = {
+ fileRef = 17447769FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CCFF60261D12120111 = {
+ fileRef = 1744776AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CDFF60261D12120111 = {
+ fileRef = 1744776BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CEFF60261D12120111 = {
+ fileRef = 1744776CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477CFFF60261D12120111 = {
+ fileRef = 1744776DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D0FF60261D12120111 = {
+ fileRef = 1744776EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D1FF60261D12120111 = {
+ fileRef = 1744776FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D2FF60261D12120111 = {
+ fileRef = 17447770FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D3FF60261D12120111 = {
+ fileRef = 17447772FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D4FF60261D12120111 = {
+ fileRef = 17447773FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D5FF60261D12120111 = {
+ fileRef = 17447774FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D6FF60261D12120111 = {
+ fileRef = 17447775FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D7FF60261D12120111 = {
+ fileRef = 17447776FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D8FF60261D12120111 = {
+ fileRef = 17447777FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477D9FF60261D12120111 = {
+ fileRef = 17447778FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DAFF60261D12120111 = {
+ fileRef = 17447779FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DBFF60261D12120111 = {
+ fileRef = 1744777AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DCFF60261D12120111 = {
+ fileRef = 1744777BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DDFF60261D12120111 = {
+ fileRef = 1744777CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DEFF60261D12120111 = {
+ fileRef = 1744777DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477DFFF60261D12120111 = {
+ fileRef = 1744777EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E0FF60261D12120111 = {
+ fileRef = 1744777FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E1FF60261D12120111 = {
+ fileRef = 17447780FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E2FF60261D12120111 = {
+ fileRef = 17447781FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E3FF60261D12120111 = {
+ fileRef = 17447782FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E4FF60261D12120111 = {
+ fileRef = 17447783FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E5FF60261D12120111 = {
+ fileRef = 17447784FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E6FF60261D12120111 = {
+ fileRef = 17447785FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E7FF60261D12120111 = {
+ fileRef = 17447786FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E8FF60261D12120111 = {
+ fileRef = 17447787FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477E9FF60261D12120111 = {
+ fileRef = 17447788FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477EAFF60261D12120111 = {
+ fileRef = 17447789FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477EBFF60261D12120111 = {
+ fileRef = 1744778AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477ECFF60261D12120111 = {
+ fileRef = 1744778BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477EDFF60261D12120111 = {
+ fileRef = 1744778CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477EEFF60261D12120111 = {
+ fileRef = 1744778DFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477EFFF60261D12120111 = {
+ fileRef = 1744778EFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F0FF60261D12120111 = {
+ fileRef = 1744778FFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F1FF60261D12120111 = {
+ fileRef = 17447790FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F2FF60261D12120111 = {
+ fileRef = 17447791FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F3FF60261D12120111 = {
+ fileRef = 17447792FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F4FF60261D12120111 = {
+ fileRef = 17447793FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F5FF60261D12120111 = {
+ fileRef = 17447794FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F6FF60261D12120111 = {
+ fileRef = 17447795FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F7FF60261D12120111 = {
+ fileRef = 17447796FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F8FF60261D12120111 = {
+ fileRef = 17447797FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477F9FF60261D12120111 = {
+ fileRef = 17447798FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477FAFF60261D12120111 = {
+ fileRef = 17447799FF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477FBFF60261D12120111 = {
+ fileRef = 1744779AFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477FCFF60261D12120111 = {
+ fileRef = 1744779BFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477FDFF60261D12120111 = {
+ fileRef = 1744779CFF60261D12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 174477FEFF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_base.c;
+ refType = 4;
+ };
+ 174477FFFF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_base.h;
+ refType = 4;
+ };
+ 17447800FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_conv.c;
+ refType = 4;
+ };
+ 17447801FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rcdef.c;
+ refType = 4;
+ };
+ 17447802FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_dfl.c;
+ refType = 4;
+ };
+ 17447803FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_dfl.h;
+ refType = 4;
+ };
+ 17447804FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_io.c;
+ refType = 4;
+ };
+ 17447805FF60269512120111 = {
+ isa = PBXFileReference;
+ path = rc_io.h;
+ refType = 4;
+ };
+ 17447806FF60269512120111 = {
+ isa = PBXFileReference;
+ path = ser_rc.c;
+ refType = 4;
+ };
+ 17447807FF60269512120111 = {
+ fileRef = 174477FFFF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447808FF60269512120111 = {
+ fileRef = 17447803FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 17447809FF60269512120111 = {
+ fileRef = 17447805FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744780AFF60269512120111 = {
+ fileRef = 174477FEFF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744780BFF60269512120111 = {
+ fileRef = 17447800FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744780CFF60269512120111 = {
+ fileRef = 17447801FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744780DFF60269512120111 = {
+ fileRef = 17447802FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744780EFF60269512120111 = {
+ fileRef = 17447804FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744780FFF60269512120111 = {
+ fileRef = 17447806FF60269512120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447811FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = an_to_ln.c;
+ refType = 4;
+ };
+ 17447812FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = ccdefname.c;
+ refType = 4;
+ };
+ 17447813FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = changepw.c;
+ refType = 4;
+ };
+ 17447814FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = c_ustime.c;
+ refType = 4;
+ };
+ 17447815FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = def_realm.c;
+ refType = 4;
+ };
+ 17447816FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = free_hstrl.c;
+ refType = 4;
+ };
+ 17447817FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = free_krbhs.c;
+ refType = 4;
+ };
+ 17447818FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = full_ipadr.c;
+ refType = 4;
+ };
+ 17447819FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = genaddrs.c;
+ refType = 4;
+ };
+ 1744781AFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = gen_port.c;
+ refType = 4;
+ };
+ 1744781BFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = gen_rname.c;
+ refType = 4;
+ };
+ 1744781CFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = get_krbhst.c;
+ refType = 4;
+ };
+ 1744781DFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = gmt_mktime.c;
+ refType = 4;
+ };
+ 1744781EFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = hostaddr.c;
+ refType = 4;
+ };
+ 1744781FFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = hst_realm.c;
+ refType = 4;
+ };
+ 17447820FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = init_os_ctx.c;
+ refType = 4;
+ };
+ 17447821FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = krbfileio.c;
+ refType = 4;
+ };
+ 17447822FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = ktdefname.c;
+ refType = 4;
+ };
+ 17447823FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = kuserok.c;
+ refType = 4;
+ };
+ 17447824FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = localaddr.c;
+ refType = 4;
+ };
+ 17447825FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = locate_kdc.c;
+ refType = 4;
+ };
+ 17447826FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = lock_file.c;
+ refType = 4;
+ };
+ 17447827FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = mk_faddr.c;
+ refType = 4;
+ };
+ 17447828FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = net_read.c;
+ refType = 4;
+ };
+ 17447829FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = net_write.c;
+ refType = 4;
+ };
+ 1744782AFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = osconfig.c;
+ refType = 4;
+ };
+ 1744782BFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = "os-proto.h";
+ refType = 4;
+ };
+ 1744782CFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = port2ip.c;
+ refType = 4;
+ };
+ 1744782DFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = prompter.c;
+ refType = 4;
+ };
+ 1744782EFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = promptusr.c;
+ refType = 4;
+ };
+ 1744782FFF60313B12120111 = {
+ isa = PBXFileReference;
+ path = read_msg.c;
+ refType = 4;
+ };
+ 17447830FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = read_pwd.c;
+ refType = 4;
+ };
+ 17447831FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = realm_dom.c;
+ refType = 4;
+ };
+ 17447832FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = realm_iter.c;
+ refType = 4;
+ };
+ 17447833FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = sendto_kdc.c;
+ refType = 4;
+ };
+ 17447834FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = sn2princ.c;
+ refType = 4;
+ };
+ 17447835FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = timeofday.c;
+ refType = 4;
+ };
+ 17447836FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = toffset.c;
+ refType = 4;
+ };
+ 17447837FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = unlck_file.c;
+ refType = 4;
+ };
+ 17447838FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = ustime.c;
+ refType = 4;
+ };
+ 17447839FF60313B12120111 = {
+ isa = PBXFileReference;
+ path = write_msg.c;
+ refType = 4;
+ };
+ 1744783AFF60313B12120111 = {
+ fileRef = 1744782BFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 1744783CFF60313B12120111 = {
+ fileRef = 17447811FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744783DFF60313B12120111 = {
+ fileRef = 17447812FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744783EFF60313B12120111 = {
+ fileRef = 17447813FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744783FFF60313B12120111 = {
+ fileRef = 17447814FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447840FF60313B12120111 = {
+ fileRef = 17447815FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447841FF60313B12120111 = {
+ fileRef = 17447816FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447842FF60313B12120111 = {
+ fileRef = 17447817FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447843FF60313B12120111 = {
+ fileRef = 17447818FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447844FF60313B12120111 = {
+ fileRef = 17447819FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447845FF60313B12120111 = {
+ fileRef = 1744781AFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447846FF60313B12120111 = {
+ fileRef = 1744781BFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447847FF60313B12120111 = {
+ fileRef = 1744781CFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447848FF60313B12120111 = {
+ fileRef = 1744781DFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447849FF60313B12120111 = {
+ fileRef = 1744781EFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784AFF60313B12120111 = {
+ fileRef = 1744781FFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784BFF60313B12120111 = {
+ fileRef = 17447820FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784CFF60313B12120111 = {
+ fileRef = 17447821FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784DFF60313B12120111 = {
+ fileRef = 17447822FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784EFF60313B12120111 = {
+ fileRef = 17447823FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744784FFF60313B12120111 = {
+ fileRef = 17447824FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447850FF60313B12120111 = {
+ fileRef = 17447825FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447851FF60313B12120111 = {
+ fileRef = 17447826FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447852FF60313B12120111 = {
+ fileRef = 17447827FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447853FF60313B12120111 = {
+ fileRef = 17447828FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447854FF60313B12120111 = {
+ fileRef = 17447829FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447855FF60313B12120111 = {
+ fileRef = 1744782AFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447856FF60313B12120111 = {
+ fileRef = 1744782CFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447857FF60313B12120111 = {
+ fileRef = 1744782DFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447858FF60313B12120111 = {
+ fileRef = 1744782EFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447859FF60313B12120111 = {
+ fileRef = 1744782FFF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785AFF60313B12120111 = {
+ fileRef = 17447830FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785BFF60313B12120111 = {
+ fileRef = 17447831FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785CFF60313B12120111 = {
+ fileRef = 17447832FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785DFF60313B12120111 = {
+ fileRef = 17447833FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785EFF60313B12120111 = {
+ fileRef = 17447834FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744785FFF60313B12120111 = {
+ fileRef = 17447835FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447860FF60313B12120111 = {
+ fileRef = 17447836FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447861FF60313B12120111 = {
+ fileRef = 17447837FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447862FF60313B12120111 = {
+ fileRef = 17447838FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447863FF60313B12120111 = {
+ fileRef = 17447839FF60313B12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447864FF60323212120111 = {
+ isa = PBXFileReference;
+ path = ccbase.c;
+ refType = 4;
+ };
+ 17447865FF60323212120111 = {
+ isa = PBXFileReference;
+ path = cccopy.c;
+ refType = 4;
+ };
+ 17447866FF60323212120111 = {
+ isa = PBXFileReference;
+ path = ccdefault.c;
+ refType = 4;
+ };
+ 17447867FF60323212120111 = {
+ isa = PBXFileReference;
+ path = ccdefops.c;
+ refType = 4;
+ };
+ 1744786BFF60323212120111 = {
+ isa = PBXFileReference;
+ path = cc_retr.c;
+ refType = 4;
+ };
+ 1744786FFF60323212120111 = {
+ isa = PBXFileReference;
+ path = ser_cc.c;
+ refType = 4;
+ };
+ 17447870FF60323212120111 = {
+ isa = PBXFileReference;
+ path = setenv.c;
+ refType = 4;
+ };
+ 17447873FF60323212120111 = {
+ fileRef = 17447870FF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447874FF60323212120111 = {
+ fileRef = 17447864FF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447875FF60323212120111 = {
+ fileRef = 17447865FF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447876FF60323212120111 = {
+ fileRef = 17447866FF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 17447877FF60323212120111 = {
+ fileRef = 17447867FF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744787BFF60323212120111 = {
+ fileRef = 1744786BFF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 1744787DFF60323212120111 = {
+ fileRef = 1744786FFF60323212120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+//170
+//171
+//172
+//173
+//174
+//250
+//251
+//252
+//253
+//254
+ 25C77492FF52D03A12120111 = {
+ buildStyles = (
+ 0156F76F002F5A1112120114,
+ 0156F770002F5A1112120114,
+ );
+ isa = PBXProject;
+ mainGroup = 25C77493FF52D03A12120111;
+ productRefGroup = 25C77493FF52D03A12120111;
+ projectDirPath = "";
+ targets = (
+ 174475CBFF5EEEE312120111,
+ 174475FDFF5EFB1212120111,
+ 174475D2FF5EF33612120111,
+ 174475E2FF5EF80312120111,
+ F529E968019ADAD101120112,
+ 1744760CFF5FF8DB12120111,
+ F529E9DA019B294F01120112,
+ F529E9DB019B294F01120112,
+ F529E9340199D56601120112,
+ F529E9350199D56601120112,
+ 5C1372EBFF6546C412120111,
+ F5438CAD017E457701D06BDA,
+ 00F2429EFFB75F1512120156,
+ F5438CAF017E462801D06BDA,
+ 00F242A5FFB75FA712120156,
+ F5438CB1017E462801D06BDA,
+ 00F24293FFB75B2612120156,
+ F5438CB3017E468B01D06BDA,
+ 00F242ADFFB760BC12120156,
+ 00F189660074D4357F000001,
+ 00F189730074D6497F000001,
+ 00F189780074D6497F000001,
+ 00F1897D0074D6497F000001,
+ );
+ };
+ 25C77493FF52D03A12120111 = {
+ children = (
+ 0101EC5EFF8FE67C7F000001,
+ 0101EC5DFF8FDD1B7F000001,
+ F529E969019ADE3501120112,
+ 17447607FF5F046812120111,
+ 174475CDFF5EF33612120111,
+ 174475E8FF5EF8A512120111,
+ 1744760AFF5FF8DB12120111,
+ F529E9E8019B2B6A01120112,
+ 5C1372E8FF6546C412120111,
+ 00F24299FFB75CD112120156,
+ 00F189640074D4357F000001,
+ F529E9D9019B294E01120112,
+ );
+ isa = PBXGroup;
+ refType = 4;
+ };
+//250
+//251
+//252
+//253
+//254
+//410
+//411
+//412
+//413
+//414
+ 41D6B54B0029FA1112120111 = {
+ fileRef = 174476B8FF5FFFA512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+//410
+//411
+//412
+//413
+//414
+//4E0
+//4E1
+//4E2
+//4E3
+//4E4
+ 4E933A40FF828AEA12120111 = {
+ isa = PBXFileReference;
+ path = et.pbexp;
+ refType = 4;
+ };
+ 4E933A41FF828AEA12120111 = {
+ fileRef = 4E933A40FF828AEA12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 4E933A42FF828B8512120111 = {
+ isa = PBXFileReference;
+ path = profile.pbexp;
+ refType = 4;
+ };
+ 4E933A43FF828B8612120111 = {
+ fileRef = 4E933A42FF828B8512120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 4E933A44FF82905F12120111 = {
+ isa = PBXFileReference;
+ path = et_c.awk;
+ refType = 4;
+ };
+ 4E933A45FF82905F12120111 = {
+ isa = PBXFileReference;
+ path = et_h.awk;
+ refType = 4;
+ };
+//4E0
+//4E1
+//4E2
+//4E3
+//4E4
+//5C0
+//5C1
+//5C2
+//5C3
+//5C4
+ 5C1372E8FF6546C412120111 = {
+ children = (
+ 012574A8FF7A9C8212120111,
+ 5C137376FF654C0212120111,
+ 5C137384FF6824DB12120111,
+ F529E96F019ADFF701120112,
+ F529E9F4019B2C9001120112,
+ 0106E99D003C7A057F000001,
+ 0106E99E003C7A057F000001,
+ 0106E9A1003C7A5A7F000001,
+ F529E96D019ADFCF01120112,
+ 61622FDEFF88D9AF12120111,
+ 61622FD8FF85304012120111,
+ 5C1372F4FF65475012120111,
+ 5C1372F5FF65475012120111,
+ 5C137379FF659EB012120111,
+ 5C13737BFF65A0CC12120111,
+ 5C13737FFF65A41212120111,
+ 00CFB470FF6D8BB312120111,
+ 00CC63F800975A877F000001,
+ 00CC63F300975A877F000001,
+ 00CC63F100975A877F000001,
+ 5C1372F6FF65475012120111,
+ 5C1372F7FF65475012120111,
+ );
+ isa = PBXGroup;
+ name = GSS;
+ path = ../lib/gssapi;
+ refType = 2;
+ };
+ 5C1372EBFF6546C412120111 = {
+ buildPhases = (
+ 5C1372EDFF6546C412120111,
+ 5C1372EFFF6546C412120111,
+ 5C1372F0FF6546C412120111,
+ 5C1372F1FF6546C412120111,
+ 5C1372F3FF6546C412120111,
+ F529E97B019AEB1D01120112,
+ F579576501C027FC01120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SRCROOT)/GSSLibrary.pbexp";
+ FRAMEWORK_SEARCH_PATHS = "";
+ FRAMEWORK_VERSION = A;
+ HEADER_SEARCH_PATHS = "\"$(SYMROOT)/GSSKerberos5.intermediates\"";
+ IMPLICITLY_INCLUDED_HEADERS = "\"$(SRCROOT)/GSSKerberosPrefix.h\"";
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ LIBRARY_SEARCH_PATHS = "";
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "-init ___initializeGSS -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = GSS;
+ SECTORDER_FLAGS = "";
+ SKIP_INSTALL = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ 00F89AD50046F2EC7F000001,
+ F529E9E1019B294F01120112,
+ F529E9E2019B294F01120112,
+ );
+ isa = PBXFrameworkTarget;
+ name = GSS;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = GSS;
+ productReference = 012574A8FF7A9C8212120111;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string></string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edi.mit.Kerberos.GSS</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos General Security Services Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ 5C1372EDFF6546C412120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 5C1372EEFF6546C412120111,
+ 5C1372F8FF65475012120111,
+ 5C137338FF654A8C12120111,
+ 5C137339FF654A8C12120111,
+ 5C13737EFF65A0CC12120111,
+ 5C137380FF65A41212120111,
+ 00CFB471FF6D8BB412120111,
+ 41D6B54B0029FA1112120111,
+ 00F516F600692E197F000001,
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ 5C1372EEFF6546C412120111 = {
+ fileRef = 17447607FF5F046812120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1372EFFF6546C412120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 61622FD9FF85304012120111,
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ 5C1372F0FF6546C412120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 5C1372F9FF65475012120111,
+ 5C13733AFF654A8C12120111,
+ 5C13733BFF654A8C12120111,
+ 5C13733DFF654A8C12120111,
+ 5C13733EFF654A8C12120111,
+ 5C13733FFF654A8C12120111,
+ 5C137340FF654A8C12120111,
+ 5C137341FF654A8C12120111,
+ 5C137342FF654A8C12120111,
+ 5C137343FF654A8C12120111,
+ 5C137344FF654A8C12120111,
+ 5C137345FF654A8C12120111,
+ 5C137346FF654A8C12120111,
+ 5C137347FF654A8C12120111,
+ 5C137348FF654A8C12120111,
+ 5C137349FF654A8C12120111,
+ 5C13734AFF654A8C12120111,
+ 5C13734BFF654A8C12120111,
+ 5C13734CFF654A8C12120111,
+ 5C13734DFF654A8C12120111,
+ 5C13734EFF654A8C12120111,
+ 5C13734FFF654A8C12120111,
+ 5C137350FF654A8C12120111,
+ 5C137351FF654A8C12120111,
+ 5C137352FF654A8C12120111,
+ 5C137353FF654A8C12120111,
+ 5C137354FF654A8C12120111,
+ 5C137355FF654A8C12120111,
+ 5C137356FF654A8C12120111,
+ 5C137357FF654A8C12120111,
+ 5C137358FF654A8C12120111,
+ 5C137359FF654A8C12120111,
+ 5C13735AFF654A8C12120111,
+ 5C13735BFF654A8C12120111,
+ 5C13735CFF654A8C12120111,
+ 5C13735DFF654A8C12120111,
+ 5C13735EFF654A8C12120111,
+ 5C13735FFF654A8C12120111,
+ 5C137360FF654A8C12120111,
+ 5C137361FF654A8C12120111,
+ 5C137362FF654A8C12120111,
+ 5C137363FF654A8C12120111,
+ 5C137364FF654A8C12120111,
+ 5C137365FF654A8C12120111,
+ 5C137366FF654A8C12120111,
+ 5C137367FF654A8C12120111,
+ 5C137368FF654A8C12120111,
+ 5C137369FF654A8C12120111,
+ 5C13736AFF654A8C12120111,
+ 5C13736BFF654A8C12120111,
+ 5C13736CFF654A8C12120111,
+ 5C13736DFF654A8C12120111,
+ 5C13736EFF654A8C12120111,
+ 5C13736FFF654A8C12120111,
+ 5C137370FF654A8C12120111,
+ 5C137371FF654A8C12120111,
+ 00CFB46FFF6D85D612120111,
+ 61622FDFFF88D9AF12120111,
+ 00CC643600975C167F000001,
+ 00CC643700975C167F000001,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ 5C1372F1FF6546C412120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ 5C137378FF654C0212120111,
+ 5C137385FF6824DB12120111,
+ 0106E99F003C7A057F000001,
+ 0106E9A0003C7A057F000001,
+ 0106E9A2003C7A5A7F000001,
+ 017F047300FA63557F000001,
+ F529E96E019ADFD001120112,
+ F529E970019ADFF801120112,
+ F529E9F5019B2C9101120112,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ 5C1372F3FF6546C412120111 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ 5C1372F4FF65475012120111 = {
+ isa = PBXFileReference;
+ path = gss_libinit.c;
+ refType = 4;
+ };
+ 5C1372F5FF65475012120111 = {
+ isa = PBXFileReference;
+ path = gss_libinit.h;
+ refType = 4;
+ };
+ 5C1372F6FF65475012120111 = {
+ children = (
+ 5C1372FAFF654A8C12120111,
+ 5C1372FBFF654A8C12120111,
+ 00CC63F400975A877F000001,
+ 00CC63F500975A877F000001,
+ 5C1372FFFF654A8C12120111,
+ 5C137300FF654A8C12120111,
+ 00F516F500692E197F000001,
+ 5C137301FF654A8C12120111,
+ 5C137302FF654A8C12120111,
+ 5C137303FF654A8C12120111,
+ 5C137304FF654A8C12120111,
+ 00CFB46EFF6D85D612120111,
+ 5C137305FF654A8C12120111,
+ 5C137306FF654A8C12120111,
+ 5C137307FF654A8C12120111,
+ 5C137308FF654A8C12120111,
+ 5C137309FF654A8C12120111,
+ 5C13730AFF654A8C12120111,
+ 0106E99C003C77187F000001,
+ );
+ isa = PBXGroup;
+ path = generic;
+ refType = 4;
+ };
+ 5C1372F7FF65475012120111 = {
+ children = (
+ 5C13730BFF654A8C12120111,
+ 5C13730CFF654A8C12120111,
+ 5C13730DFF654A8C12120111,
+ 5C13730EFF654A8C12120111,
+ 5C13730FFF654A8C12120111,
+ 5C137310FF654A8C12120111,
+ 5C137311FF654A8C12120111,
+ 5C137312FF654A8C12120111,
+ 5C137313FF654A8C12120111,
+ 5C137314FF654A8C12120111,
+ 5C137315FF654A8C12120111,
+ 5C137316FF654A8C12120111,
+ 5C137317FF654A8C12120111,
+ 5C137318FF654A8C12120111,
+ 00CC63F600975A877F000001,
+ 00CC63F700975A877F000001,
+ 5C137319FF654A8C12120111,
+ 5C13731AFF654A8C12120111,
+ 5C13731BFF654A8C12120111,
+ 5C13731CFF654A8C12120111,
+ 5C13731DFF654A8C12120111,
+ 5C13731EFF654A8C12120111,
+ 5C13731FFF654A8C12120111,
+ 5C137320FF654A8C12120111,
+ 5C137321FF654A8C12120111,
+ 5C137322FF654A8C12120111,
+ 5C137323FF654A8C12120111,
+ 5C137324FF654A8C12120111,
+ 5C137325FF654A8C12120111,
+ 5C137326FF654A8C12120111,
+ 5C137327FF654A8C12120111,
+ 5C137328FF654A8C12120111,
+ 5C137329FF654A8C12120111,
+ 5C13732AFF654A8C12120111,
+ 5C13732BFF654A8C12120111,
+ 5C13732CFF654A8C12120111,
+ 5C13732DFF654A8C12120111,
+ 5C13732EFF654A8C12120111,
+ 5C13732FFF654A8C12120111,
+ 5C137330FF654A8C12120111,
+ 5C137331FF654A8C12120111,
+ 5C137332FF654A8C12120111,
+ 5C137333FF654A8C12120111,
+ 5C137334FF654A8C12120111,
+ 5C137335FF654A8C12120111,
+ );
+ isa = PBXGroup;
+ path = krb5;
+ refType = 4;
+ };
+ 5C1372F8FF65475012120111 = {
+ fileRef = 5C1372F5FF65475012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1372F9FF65475012120111 = {
+ fileRef = 5C1372F4FF65475012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1372FAFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = disp_com_err_status.c;
+ refType = 4;
+ };
+ 5C1372FBFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = disp_major_status.c;
+ refType = 4;
+ };
+ 5C1372FFFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = gssapi_generic.c;
+ refType = 4;
+ };
+ 5C137300FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = gssapi_generic.h;
+ refType = 4;
+ };
+ 5C137301FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = oid_ops.c;
+ refType = 4;
+ };
+ 5C137302FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = rel_buffer.c;
+ refType = 4;
+ };
+ 5C137303FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = rel_oid_set.c;
+ refType = 4;
+ };
+ 5C137304FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_buffer.c;
+ refType = 4;
+ };
+ 5C137305FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_dup.c;
+ refType = 4;
+ };
+ 5C137306FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_oid.c;
+ refType = 4;
+ };
+ 5C137307FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_ordering.c;
+ refType = 4;
+ };
+ 5C137308FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_set.c;
+ refType = 4;
+ };
+ 5C137309FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_token.c;
+ refType = 4;
+ };
+ 5C13730AFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_validate.c;
+ refType = 4;
+ };
+ 5C13730BFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = accept_sec_context.c;
+ refType = 4;
+ };
+ 5C13730CFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = acquire_cred.c;
+ refType = 4;
+ };
+ 5C13730DFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = add_cred.c;
+ refType = 4;
+ };
+ 5C13730EFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = canon_name.c;
+ refType = 4;
+ };
+ 5C13730FFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = compare_name.c;
+ refType = 4;
+ };
+ 5C137310FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = context_time.c;
+ refType = 4;
+ };
+ 5C137311FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = copy_ccache.c;
+ refType = 4;
+ };
+ 5C137312FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = delete_sec_context.c;
+ refType = 4;
+ };
+ 5C137313FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = disp_name.c;
+ refType = 4;
+ };
+ 5C137314FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = disp_status.c;
+ refType = 4;
+ };
+ 5C137315FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = duplicate_name.c;
+ refType = 4;
+ };
+ 5C137316FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = export_name.c;
+ refType = 4;
+ };
+ 5C137317FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = export_sec_context.c;
+ refType = 4;
+ };
+ 5C137318FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = get_tkt_flags.c;
+ refType = 4;
+ };
+ 5C137319FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = gssapi_krb5.c;
+ refType = 4;
+ };
+ 5C13731AFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = gssapi_krb5.h;
+ refType = 4;
+ };
+ 5C13731BFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = import_name.c;
+ refType = 4;
+ };
+ 5C13731CFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = import_sec_context.c;
+ refType = 4;
+ };
+ 5C13731DFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = indicate_mechs.c;
+ refType = 4;
+ };
+ 5C13731EFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = init_sec_context.c;
+ refType = 4;
+ };
+ 5C13731FFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = inq_context.c;
+ refType = 4;
+ };
+ 5C137320FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = inq_cred.c;
+ refType = 4;
+ };
+ 5C137321FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = inq_names.c;
+ refType = 4;
+ };
+ 5C137322FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = k5seal.c;
+ refType = 4;
+ };
+ 5C137323FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = k5unseal.c;
+ refType = 4;
+ };
+ 5C137324FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = krb5_gss_glue.c;
+ refType = 4;
+ };
+ 5C137325FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = process_context_token.c;
+ refType = 4;
+ };
+ 5C137326FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = rel_cred.c;
+ refType = 4;
+ };
+ 5C137327FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = rel_name.c;
+ refType = 4;
+ };
+ 5C137328FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = rel_oid.c;
+ refType = 4;
+ };
+ 5C137329FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = seal.c;
+ refType = 4;
+ };
+ 5C13732AFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = ser_sctx.c;
+ refType = 4;
+ };
+ 5C13732BFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = set_ccache.c;
+ refType = 4;
+ };
+ 5C13732CFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = sign.c;
+ refType = 4;
+ };
+ 5C13732DFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = unseal.c;
+ refType = 4;
+ };
+ 5C13732EFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_cksum.c;
+ refType = 4;
+ };
+ 5C13732FFF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_crypt.c;
+ refType = 4;
+ };
+ 5C137330FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_ctxsetup.c;
+ refType = 4;
+ };
+ 5C137331FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_seed.c;
+ refType = 4;
+ };
+ 5C137332FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = util_seqnum.c;
+ refType = 4;
+ };
+ 5C137333FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = val_cred.c;
+ refType = 4;
+ };
+ 5C137334FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = verify.c;
+ refType = 4;
+ };
+ 5C137335FF654A8C12120111 = {
+ isa = PBXFileReference;
+ path = wrap_size_limit.c;
+ refType = 4;
+ };
+ 5C137338FF654A8C12120111 = {
+ fileRef = 5C137300FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ Public,
+ );
+ };
+ };
+ 5C137339FF654A8C12120111 = {
+ fileRef = 5C13731AFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ Public,
+ );
+ };
+ };
+ 5C13733AFF654A8C12120111 = {
+ fileRef = 5C1372FAFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13733BFF654A8C12120111 = {
+ fileRef = 5C1372FBFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13733DFF654A8C12120111 = {
+ fileRef = 5C1372FFFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13733EFF654A8C12120111 = {
+ fileRef = 5C137301FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13733FFF654A8C12120111 = {
+ fileRef = 5C137302FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137340FF654A8C12120111 = {
+ fileRef = 5C137303FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137341FF654A8C12120111 = {
+ fileRef = 5C137304FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137342FF654A8C12120111 = {
+ fileRef = 5C137305FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137343FF654A8C12120111 = {
+ fileRef = 5C137306FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137344FF654A8C12120111 = {
+ fileRef = 5C137307FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137345FF654A8C12120111 = {
+ fileRef = 5C137308FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137346FF654A8C12120111 = {
+ fileRef = 5C137309FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137347FF654A8C12120111 = {
+ fileRef = 5C13730AFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137348FF654A8C12120111 = {
+ fileRef = 5C13730BFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137349FF654A8C12120111 = {
+ fileRef = 5C13730CFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734AFF654A8C12120111 = {
+ fileRef = 5C13730DFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734BFF654A8C12120111 = {
+ fileRef = 5C13730EFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734CFF654A8C12120111 = {
+ fileRef = 5C13730FFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734DFF654A8C12120111 = {
+ fileRef = 5C137310FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734EFF654A8C12120111 = {
+ fileRef = 5C137311FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13734FFF654A8C12120111 = {
+ fileRef = 5C137312FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137350FF654A8C12120111 = {
+ fileRef = 5C137313FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137351FF654A8C12120111 = {
+ fileRef = 5C137314FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137352FF654A8C12120111 = {
+ fileRef = 5C137315FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137353FF654A8C12120111 = {
+ fileRef = 5C137316FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137354FF654A8C12120111 = {
+ fileRef = 5C137317FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137355FF654A8C12120111 = {
+ fileRef = 5C137318FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137356FF654A8C12120111 = {
+ fileRef = 5C137319FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137357FF654A8C12120111 = {
+ fileRef = 5C13731BFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137358FF654A8C12120111 = {
+ fileRef = 5C13731CFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137359FF654A8C12120111 = {
+ fileRef = 5C13731DFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735AFF654A8C12120111 = {
+ fileRef = 5C13731EFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735BFF654A8C12120111 = {
+ fileRef = 5C13731FFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735CFF654A8C12120111 = {
+ fileRef = 5C137320FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735DFF654A8C12120111 = {
+ fileRef = 5C137321FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735EFF654A8C12120111 = {
+ fileRef = 5C137322FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13735FFF654A8C12120111 = {
+ fileRef = 5C137323FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137360FF654A8C12120111 = {
+ fileRef = 5C137324FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137361FF654A8C12120111 = {
+ fileRef = 5C137325FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137362FF654A8C12120111 = {
+ fileRef = 5C137326FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137363FF654A8C12120111 = {
+ fileRef = 5C137327FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137364FF654A8C12120111 = {
+ fileRef = 5C137328FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137365FF654A8C12120111 = {
+ fileRef = 5C137329FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137366FF654A8C12120111 = {
+ fileRef = 5C13732AFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137367FF654A8C12120111 = {
+ fileRef = 5C13732BFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137368FF654A8C12120111 = {
+ fileRef = 5C13732CFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137369FF654A8C12120111 = {
+ fileRef = 5C13732DFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736AFF654A8C12120111 = {
+ fileRef = 5C13732EFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736BFF654A8C12120111 = {
+ fileRef = 5C13732FFF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736CFF654A8C12120111 = {
+ fileRef = 5C137330FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736DFF654A8C12120111 = {
+ fileRef = 5C137331FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736EFF654A8C12120111 = {
+ fileRef = 5C137332FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13736FFF654A8C12120111 = {
+ fileRef = 5C137333FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137370FF654A8C12120111 = {
+ fileRef = 5C137334FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137371FF654A8C12120111 = {
+ fileRef = 5C137335FF654A8C12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137376FF654C0212120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosComErr.framework;
+ refType = 3;
+ };
+ 5C137378FF654C0212120111 = {
+ fileRef = 5C137376FF654C0212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C137379FF659EB012120111 = {
+ isa = PBXFileReference;
+ name = "k5-int.h";
+ path = "../include/k5-int.h";
+ refType = 2;
+ };
+ 5C13737BFF65A0CC12120111 = {
+ isa = PBXFileReference;
+ name = osconf.h;
+ path = ../include/krb5/stock/osconf.h;
+ refType = 2;
+ };
+ 5C13737EFF65A0CC12120111 = {
+ fileRef = 5C13737BFF65A0CC12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C13737FFF65A41212120111 = {
+ isa = PBXFileReference;
+ name = kdb.h;
+ path = ../include/krb5/kdb.h;
+ refType = 2;
+ };
+ 5C137380FF65A41212120111 = {
+ fileRef = 5C13737FFF65A41212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C137384FF6824DB12120111 = {
+ isa = PBXFrameworkReference;
+ path = KerberosProfile.framework;
+ refType = 3;
+ };
+ 5C137385FF6824DB12120111 = {
+ fileRef = 5C137384FF6824DB12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C137387FF682C2F12120111 = {
+ children = (
+ 5C137388FF682C2F12120111,
+ 5C137389FF682C2F12120111,
+ 5C13738AFF682C2F12120111,
+ 5C13738BFF682C2F12120111,
+ 5C13738CFF682C2F12120111,
+ 5C13738DFF682C2F12120111,
+ 5C13738EFF682C2F12120111,
+ 5C13738FFF682C2F12120111,
+ 5C137390FF682C2F12120111,
+ 5C137391FF682C2F12120111,
+ 5C137392FF682C2F12120111,
+ 5C137393FF682C2F12120111,
+ 5C137394FF682C2F12120111,
+ 5C137395FF682C2F12120111,
+ 5C137396FF682C2F12120111,
+ 5C137397FF682C2F12120111,
+ 5C137398FF682C2F12120111,
+ 5C137399FF682C2F12120111,
+ 5C13739AFF682C2F12120111,
+ 5C13739BFF682C2F12120111,
+ 5C13739CFF682C2F12120111,
+ 5C13739DFF682C2F12120111,
+ );
+ isa = PBXGroup;
+ path = file;
+ refType = 4;
+ };
+ 5C137388FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc.h;
+ refType = 4;
+ };
+ 5C137389FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_close.c;
+ refType = 4;
+ };
+ 5C13738AFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_defops.c;
+ refType = 4;
+ };
+ 5C13738BFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_destry.c;
+ refType = 4;
+ };
+ 5C13738CFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_errs.c;
+ refType = 4;
+ };
+ 5C13738DFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_eseq.c;
+ refType = 4;
+ };
+ 5C13738EFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_gennew.c;
+ refType = 4;
+ };
+ 5C13738FFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_getnam.c;
+ refType = 4;
+ };
+ 5C137390FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_gprin.c;
+ refType = 4;
+ };
+ 5C137391FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_init.c;
+ refType = 4;
+ };
+ 5C137392FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_maybe.c;
+ refType = 4;
+ };
+ 5C137393FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_nseq.c;
+ refType = 4;
+ };
+ 5C137394FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_ops.c;
+ refType = 4;
+ };
+ 5C137395FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = "fcc-proto.h";
+ refType = 4;
+ };
+ 5C137396FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_read.c;
+ refType = 4;
+ };
+ 5C137397FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_reslv.c;
+ refType = 4;
+ };
+ 5C137398FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_retrv.c;
+ refType = 4;
+ };
+ 5C137399FF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_sflags.c;
+ refType = 4;
+ };
+ 5C13739AFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_skip.c;
+ refType = 4;
+ };
+ 5C13739BFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_sseq.c;
+ refType = 4;
+ };
+ 5C13739CFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_store.c;
+ refType = 4;
+ };
+ 5C13739DFF682C2F12120111 = {
+ isa = PBXFileReference;
+ path = fcc_write.c;
+ refType = 4;
+ };
+ 5C1373B3FF68306D12120111 = {
+ fileRef = 5C137388FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373B4FF68306D12120111 = {
+ fileRef = 5C137395FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373B5FF68306D12120111 = {
+ fileRef = 5C137389FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373B6FF68306D12120111 = {
+ fileRef = 5C13738AFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373B7FF68306D12120111 = {
+ fileRef = 5C13738BFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373B8FF68306D12120111 = {
+ fileRef = 5C13738CFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373B9FF68306D12120111 = {
+ fileRef = 5C13738DFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BAFF68306D12120111 = {
+ fileRef = 5C13738EFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BBFF68306D12120111 = {
+ fileRef = 5C13738FFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BCFF68306D12120111 = {
+ fileRef = 5C137390FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BDFF68306D12120111 = {
+ fileRef = 5C137391FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BEFF68306D12120111 = {
+ fileRef = 5C137392FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373BFFF68306D12120111 = {
+ fileRef = 5C137394FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C0FF68306D12120111 = {
+ fileRef = 5C137393FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C1FF68306D12120111 = {
+ fileRef = 5C137396FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C2FF68306D12120111 = {
+ fileRef = 5C137397FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C3FF68306D12120111 = {
+ fileRef = 5C137398FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C4FF68306D12120111 = {
+ fileRef = 5C137399FF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C5FF68306D12120111 = {
+ fileRef = 5C13739AFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C6FF68306D12120111 = {
+ fileRef = 5C13739BFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C7FF68306D12120111 = {
+ fileRef = 5C13739CFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C8FF68306D12120111 = {
+ fileRef = 5C13739DFF682C2F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373C9FF683B8012120111 = {
+ children = (
+ 5C1373CAFF683B8012120111,
+ 5C1373CBFF683B8012120111,
+ 5C1373CCFF683B8012120111,
+ 5C1373CDFF683B8012120111,
+ 5C1373CEFF683B8012120111,
+ 5C1373CFFF683B8012120111,
+ 5C1373D0FF683B8012120111,
+ 5C1373D1FF683B8012120111,
+ 5C1373D2FF683B8012120111,
+ 5C1373D3FF683B8012120111,
+ 5C1373D4FF683B8012120111,
+ 5C1373D5FF683B8012120111,
+ 5C1373D6FF683B8012120111,
+ 5C1373D7FF683B8012120111,
+ 5C1373D8FF683B8012120111,
+ 5C1373D9FF683B8012120111,
+ );
+ isa = PBXGroup;
+ path = memory;
+ refType = 4;
+ };
+ 5C1373CAFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc.h;
+ refType = 4;
+ };
+ 5C1373CBFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_close.c;
+ refType = 4;
+ };
+ 5C1373CCFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_destry.c;
+ refType = 4;
+ };
+ 5C1373CDFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_eseq.c;
+ refType = 4;
+ };
+ 5C1373CEFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_gennew.c;
+ refType = 4;
+ };
+ 5C1373CFFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_getnam.c;
+ refType = 4;
+ };
+ 5C1373D0FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_gprin.c;
+ refType = 4;
+ };
+ 5C1373D1FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_init.c;
+ refType = 4;
+ };
+ 5C1373D2FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_nseq.c;
+ refType = 4;
+ };
+ 5C1373D3FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_ops.c;
+ refType = 4;
+ };
+ 5C1373D4FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = "mcc-proto.h";
+ refType = 4;
+ };
+ 5C1373D5FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_reslv.c;
+ refType = 4;
+ };
+ 5C1373D6FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_retrv.c;
+ refType = 4;
+ };
+ 5C1373D7FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_sflags.c;
+ refType = 4;
+ };
+ 5C1373D8FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_sseq.c;
+ refType = 4;
+ };
+ 5C1373D9FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = mcc_store.c;
+ refType = 4;
+ };
+ 5C1373DAFF683B8012120111 = {
+ children = (
+ 5C1373DBFF683B8012120111,
+ 5C1373DCFF683B8012120111,
+ 5C1373DDFF683B8012120111,
+ 5C1373DEFF683B8012120111,
+ 5C1373DFFF683B8012120111,
+ 5C1373E0FF683B8012120111,
+ 5C1373E1FF683B8012120111,
+ 5C1373E2FF683B8012120111,
+ 5C1373E3FF683B8012120111,
+ 5C1373E4FF683B8012120111,
+ 5C1373E5FF683B8012120111,
+ 5C1373E6FF683B8012120111,
+ 5C1373E7FF683B8012120111,
+ 5C1373E8FF683B8012120111,
+ 5C1373E9FF683B8012120111,
+ 5C1373EAFF683B8012120111,
+ 5C1373EBFF683B8012120111,
+ 5C1373ECFF683B8012120111,
+ 5C1373EDFF683B8012120111,
+ 5C1373EEFF683B8012120111,
+ 5C1373EFFF683B8012120111,
+ 5C1373F0FF683B8012120111,
+ );
+ isa = PBXGroup;
+ path = stdio;
+ refType = 4;
+ };
+ 5C1373DBFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc.h;
+ refType = 4;
+ };
+ 5C1373DCFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_close.c;
+ refType = 4;
+ };
+ 5C1373DDFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_defops.c;
+ refType = 4;
+ };
+ 5C1373DEFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_destry.c;
+ refType = 4;
+ };
+ 5C1373DFFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_errs.c;
+ refType = 4;
+ };
+ 5C1373E0FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_eseq.c;
+ refType = 4;
+ };
+ 5C1373E1FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_gennew.c;
+ refType = 4;
+ };
+ 5C1373E2FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_getnam.c;
+ refType = 4;
+ };
+ 5C1373E3FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_gprin.c;
+ refType = 4;
+ };
+ 5C1373E4FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_init.c;
+ refType = 4;
+ };
+ 5C1373E5FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_maybe.c;
+ refType = 4;
+ };
+ 5C1373E6FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_nseq.c;
+ refType = 4;
+ };
+ 5C1373E7FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_ops.c;
+ refType = 4;
+ };
+ 5C1373E8FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = "scc-proto.h";
+ refType = 4;
+ };
+ 5C1373E9FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_read.c;
+ refType = 4;
+ };
+ 5C1373EAFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_reslv.c;
+ refType = 4;
+ };
+ 5C1373EBFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_retrv.c;
+ refType = 4;
+ };
+ 5C1373ECFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_sflags.c;
+ refType = 4;
+ };
+ 5C1373EDFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_skip.c;
+ refType = 4;
+ };
+ 5C1373EEFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_sseq.c;
+ refType = 4;
+ };
+ 5C1373EFFF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_store.c;
+ refType = 4;
+ };
+ 5C1373F0FF683B8012120111 = {
+ isa = PBXFileReference;
+ path = scc_write.c;
+ refType = 4;
+ };
+ 5C1373F1FF683B8012120111 = {
+ fileRef = 5C1373CAFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373F2FF683B8012120111 = {
+ fileRef = 5C1373D4FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373F3FF683B8012120111 = {
+ fileRef = 5C1373DBFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373F4FF683B8012120111 = {
+ fileRef = 5C1373E8FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 5C1373F5FF683B8012120111 = {
+ fileRef = 5C1373CBFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373F6FF683B8012120111 = {
+ fileRef = 5C1373CCFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373F7FF683B8012120111 = {
+ fileRef = 5C1373CDFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373F8FF683B8012120111 = {
+ fileRef = 5C1373CEFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373F9FF683B8012120111 = {
+ fileRef = 5C1373CFFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FAFF683B8012120111 = {
+ fileRef = 5C1373D0FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FBFF683B8012120111 = {
+ fileRef = 5C1373D1FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FCFF683B8012120111 = {
+ fileRef = 5C1373D2FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FDFF683B8012120111 = {
+ fileRef = 5C1373D3FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FEFF683B8012120111 = {
+ fileRef = 5C1373D5FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C1373FFFF683B8012120111 = {
+ fileRef = 5C1373D6FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137400FF683B8012120111 = {
+ fileRef = 5C1373D7FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137401FF683B8012120111 = {
+ fileRef = 5C1373D8FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137402FF683B8012120111 = {
+ fileRef = 5C1373D9FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137403FF683B8012120111 = {
+ fileRef = 5C1373DCFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137404FF683B8012120111 = {
+ fileRef = 5C1373DDFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137405FF683B8012120111 = {
+ fileRef = 5C1373DEFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137406FF683B8012120111 = {
+ fileRef = 5C1373DFFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137407FF683B8012120111 = {
+ fileRef = 5C1373E0FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137408FF683B8012120111 = {
+ fileRef = 5C1373E1FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137409FF683B8012120111 = {
+ fileRef = 5C1373E2FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740AFF683B8012120111 = {
+ fileRef = 5C1373E3FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740BFF683B8012120111 = {
+ fileRef = 5C1373E4FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740CFF683B8012120111 = {
+ fileRef = 5C1373E5FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740DFF683B8012120111 = {
+ fileRef = 5C1373E6FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740EFF683B8012120111 = {
+ fileRef = 5C1373E7FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C13740FFF683B8012120111 = {
+ fileRef = 5C1373E9FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137410FF683B8012120111 = {
+ fileRef = 5C1373EAFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137411FF683B8012120111 = {
+ fileRef = 5C1373EBFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137412FF683B8012120111 = {
+ fileRef = 5C1373ECFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137413FF683B8012120111 = {
+ fileRef = 5C1373EDFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137414FF683B8012120111 = {
+ fileRef = 5C1373EEFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137415FF683B8012120111 = {
+ fileRef = 5C1373EFFF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 5C137416FF683B8012120111 = {
+ fileRef = 5C1373F0FF683B8012120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+//5C0
+//5C1
+//5C2
+//5C3
+//5C4
+//610
+//611
+//612
+//613
+//614
+ 61622FD1FF82A36412120111 = {
+ isa = PBXFileReference;
+ path = Kerberos5Lib.pbexp;
+ refType = 4;
+ };
+ 61622FD2FF82A36412120111 = {
+ fileRef = 61622FD1FF82A36412120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 61622FD8FF85304012120111 = {
+ isa = PBXFileReference;
+ path = GSSLibrary.pbexp;
+ refType = 2;
+ };
+ 61622FD9FF85304012120111 = {
+ fileRef = 61622FD8FF85304012120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ 61622FDAFF85346F12120111 = {
+ isa = PBXFileReference;
+ path = K5.CFM.c;
+ refType = 4;
+ };
+ 61622FDBFF85346F12120111 = {
+ fileRef = 61622FDAFF85346F12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 61622FDCFF8535E112120111 = {
+ isa = PBXFileReference;
+ path = ProfileLib.CFM.c;
+ refType = 2;
+ };
+ 61622FDDFF8535E112120111 = {
+ fileRef = 61622FDCFF8535E112120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ 61622FDEFF88D9AF12120111 = {
+ isa = PBXFileReference;
+ path = GSS.CFM.c;
+ refType = 2;
+ };
+ 61622FDFFF88D9AF12120111 = {
+ fileRef = 61622FDEFF88D9AF12120111;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+//610
+//611
+//612
+//613
+//614
+//F50
+//F51
+//F52
+//F53
+//F54
+ F5163F18019B328401120112 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+ F5163F19019B328401120112 = {
+ isa = PBXTargetDependency;
+ target = F529E9DA019B294F01120112;
+ };
+ F5163F28019B35A801120112 = {
+ isa = PBXFrameworkReference;
+ path = KerberosLoginPrivate.framework;
+ refType = 3;
+ };
+ F5163F2A019B35A801120112 = {
+ fileRef = F5163F28019B35A801120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5163F37019B593201120112 = {
+ isa = PBXTargetDependency;
+ target = F529E968019ADAD101120112;
+ };
+ F5163F38019B5D0601120112 = {
+ isa = PBXFrameworkReference;
+ path = KerberosLogin.framework;
+ refType = 3;
+ };
+ F5163F39019B5D0701120112 = {
+ fileRef = F5163F38019B5D0601120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529690D01E9E46A0123322A = {
+ isa = PBXFileReference;
+ path = DylibStub.c;
+ refType = 4;
+ };
+ F529690E01E9E46A0123322A = {
+ fileRef = F529690D01E9E46A0123322A;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529690F01E9E46A0123322A = {
+ fileRef = F529690D01E9E46A0123322A;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691001E9E46A0123322A = {
+ fileRef = F529690D01E9E46A0123322A;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691101E9E46A0123322A = {
+ fileRef = F529690D01E9E46A0123322A;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691201E9E5130123322A = {
+ fileRef = 012574A5FF7A9C8212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691301E9E53B0123322A = {
+ fileRef = 012574A6FF7A9C8212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691401E9E53B0123322A = {
+ fileRef = F529E9330199D56601120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691501E9E5530123322A = {
+ fileRef = 012574A8FF7A9C8212120111;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529691701E9E5C20123322A = {
+ fileRef = 00F1896E0074D52F7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9320199D42601120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5PrivateLib.pbexp;
+ refType = 2;
+ };
+ F529E9330199D56601120112 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos5.framework;
+ refType = 3;
+ };
+ F529E9340199D56601120112 = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sLIB=Kerberos5\" \"-sPROJECT=GSSKerberos5\" \"-sSYMFILE1=$(SRCROOT)/Kerberos5Lib.pbexp\" \"-sSUBLOAD=/Frameworks/Kerberos5Core.framework\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Kerberos5-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ buildWorkingDirectory = "";
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "Kerberos5-gen";
+ productName = "Kerberos5-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F529E9350199D56601120112 = {
+ buildPhases = (
+ F529E9380199D56601120112,
+ F529E9390199D56601120112,
+ F529E93A0199D56601120112,
+ F529E93B0199D56601120112,
+ F529E93D0199D56601120112,
+ F529E96A019ADEC301120112,
+ F529E9530199DD1301120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SYMROOT)/GSSKerberos5.intermediates/Kerberos5.pbexp";
+ FRAMEWORK_VERSION = A;
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_DOUBLE_QUOTES_OF_DOOM";
+ OTHER_LDFLAGS = "-init ___Kerberos5_LoadKerberosFramework -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = Kerberos5;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ F529E963019AD5F301120112,
+ F529E9360199D56601120112,
+ );
+ isa = PBXFrameworkTarget;
+ name = Kerberos5;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = Kerberos5;
+ productReference = F529E9330199D56601120112;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>Kerberos5</string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edu.mit.Kerberos.Kerberos5</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos v5 Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ F529E9360199D56601120112 = {
+ isa = PBXTargetDependency;
+ target = F529E9340199D56601120112;
+ };
+ F529E9380199D56601120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ F529E9390199D56601120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ F529E93A0199D56601120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529E94A0199D6E801120112,
+ F529E94B0199D6E801120112,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ F529E93B0199D56601120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529E9520199DB9F01120112,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ F529E93D0199D56601120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ F529E9440199D68001120112 = {
+ children = (
+ F529E9330199D56601120112,
+ F529E9480199D6E701120112,
+ F529E9490199D6E701120112,
+ );
+ isa = PBXGroup;
+ name = Kerberos5;
+ path = "";
+ refType = 4;
+ };
+ F529E9480199D6E701120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5Loader.c;
+ path = GSSKerberos5.intermediates/Kerberos5Loader.c;
+ refType = 3;
+ };
+ F529E9490199D6E701120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5Shims.s;
+ path = GSSKerberos5.intermediates/Kerberos5Shims.s;
+ refType = 3;
+ };
+ F529E94A0199D6E801120112 = {
+ fileRef = F529E9480199D6E701120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E94B0199D6E801120112 = {
+ fileRef = F529E9490199D6E701120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9510199DB9E01120112 = {
+ isa = PBXFrameworkReference;
+ name = CoreFoundation.framework;
+ path = /System/Library/Frameworks/CoreFoundation.framework;
+ refType = 0;
+ };
+ F529E9520199DB9F01120112 = {
+ fileRef = F529E9510199DB9E01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9530199DD1301120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ generatedFileNames = (
+ );
+ isa = PBXShellScriptBuildPhase;
+ name = "Shell Script";
+ neededFileNames = (
+ );
+ shellPath = /bin/sh;
+ shellScript = "ln -sf Versions/Current/Headers \"${SYMROOT}/Kerberos5.${WRAPPER_EXTENSION}/Headers\"";
+ };
+ F529E963019AD5F301120112 = {
+ isa = PBXTargetDependency;
+ target = 174475FDFF5EFB1212120111;
+ };
+ F529E968019ADAD101120112 = {
+ buildArgumentsString = "-d3 -f $(SRCROOT)/Kerberos5CoreExport.jam $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Kerberos5PrivatePbexp-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "Kerberos5CoreExport-gen";
+ productName = "Kerberos5PrivatePbexp-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F529E969019ADE3501120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5CoreExport.jam;
+ refType = 2;
+ };
+ F529E96A019ADEC301120112 = {
+ buildActionMask = 2147483647;
+ dstPath = ../Headers;
+ dstSubfolderSpec = 7;
+ files = (
+ F529E96B019ADF8601120112,
+ F529E96C019ADF8601120112,
+ );
+ isa = PBXCopyFilesBuildPhase;
+ name = "Copy Files";
+ };
+ F529E96B019ADF8601120112 = {
+ fileRef = 00CC640000975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E96C019ADF8601120112 = {
+ fileRef = 00CC63FB00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E96D019ADFCF01120112 = {
+ isa = PBXFrameworkReference;
+ name = CoreFoundation.framework;
+ path = /System/Library/Frameworks/CoreFoundation.framework;
+ refType = 0;
+ };
+ F529E96E019ADFD001120112 = {
+ fileRef = F529E96D019ADFCF01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E96F019ADFF701120112 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos5.framework;
+ refType = 3;
+ };
+ F529E970019ADFF801120112 = {
+ fileRef = F529E96F019ADFF701120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E971019AE09101120112 = {
+ buildActionMask = 2147483647;
+ dstPath = ../Headers;
+ dstSubfolderSpec = 7;
+ files = (
+ F529E972019AE09101120112,
+ );
+ isa = PBXCopyFilesBuildPhase;
+ name = "Copy Files";
+ };
+ F529E972019AE09101120112 = {
+ fileRef = 00CC643800975EFF7F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E976019AE3D601120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5Core.pbexp;
+ path = GSSKerberos5.intermediates/Kerberos5Core.pbexp;
+ refType = 3;
+ };
+ F529E978019AEB1D01120112 = {
+ buildActionMask = 2147483647;
+ dstPath = ../Headers;
+ dstSubfolderSpec = 7;
+ files = (
+ F529E979019AEB1D01120112,
+ F529E97A019AEB1D01120112,
+ );
+ isa = PBXCopyFilesBuildPhase;
+ name = "Copy Files";
+ };
+ F529E979019AEB1D01120112 = {
+ fileRef = 00CC640500975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E97A019AEB1D01120112 = {
+ fileRef = 00CC63FD00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E97B019AEB1D01120112 = {
+ buildActionMask = 2147483647;
+ dstPath = ../Headers;
+ dstSubfolderSpec = 7;
+ files = (
+ F529E97C019AEB1D01120112,
+ F529E97D019AEB1D01120112,
+ );
+ isa = PBXCopyFilesBuildPhase;
+ name = "Copy Files";
+ };
+ F529E97C019AEB1D01120112 = {
+ fileRef = 00CC63F800975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E97D019AEB1D01120112 = {
+ fileRef = 00CC63F300975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9D9019B294E01120112 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos5Private.framework;
+ refType = 3;
+ };
+ F529E9DA019B294F01120112 = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sLIB=Kerberos5Private\" \"-sPROJECT=GSSKerberos5\" \"-sSYMFILE1=$(SRCROOT)/Kerberos5PrivateLib.pbexp\" \"-sSUBLOAD=/Frameworks/Kerberos5Core.framework\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Kerberos5Private-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "Kerberos5Private-gen";
+ productName = "Kerberos5Private-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F529E9DB019B294F01120112 = {
+ buildPhases = (
+ F529E9DC019B294F01120112,
+ F529E9DD019B294F01120112,
+ F529E9DE019B294F01120112,
+ F529E9DF019B294F01120112,
+ F529E9E0019B294F01120112,
+ F529E9F2019B2C4801120112,
+ F529E9F3019B2C4801120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ EXPORTED_SYMBOLS_FILE = "$(SYMROOT)/GSSKerberos5.intermediates/Kerberos5Private.pbexp";
+ FRAMEWORK_VERSION = A;
+ INSTALL_PATH = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ OPTIMIZATION_CFLAGS = "-O0";
+ OTHER_CFLAGS = "-DTHIS_PREVENTS_DOUBLE_QUOTES_OF_DOOM";
+ OTHER_LDFLAGS = "-init ___Kerberos5Private_LoadKerberosFramework -seg_addr_table $(SRCROOT)/../../Common/Sources/KerberosSegAddrs";
+ OTHER_LIBTOOL_FLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRINCIPAL_CLASS = "";
+ PRODUCT_NAME = Kerberos5Private;
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ WRAPPER_EXTENSION = framework;
+ };
+ dependencies = (
+ F5163F18019B328401120112,
+ F5163F19019B328401120112,
+ );
+ isa = PBXFrameworkTarget;
+ name = Kerberos5Private;
+ productInstallPath = /System/Library/Frameworks/Kerberos.framework/Versions/A/Frameworks;
+ productName = Kerberos5Private;
+ productReference = F529E9D9019B294E01120112;
+ productSettingsXML = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>
+<!DOCTYPE plist SYSTEM \"file://localhost/System/Library/DTDs/PropertyList.dtd\">
+<plist version=\"0.9\">
+<dict>
+ <key>CFBundleDevelopmentRegion</key>
+ <string>English</string>
+ <key>CFBundleExecutable</key>
+ <string>Kerberos5Private</string>
+ <key>CFBundleGetInfoString</key>
+ <string></string>
+ <key>CFBundleIconFile</key>
+ <string></string>
+ <key>CFBundleIdentifier</key>
+ <string>edu.mit.Kerberos.Kerberos5Private</string>
+ <key>CFBundleInfoDictionaryVersion</key>
+ <string>6.0</string>
+ <key>CFBundleName</key>
+ <string>Kerberos v5 Private Framework</string>
+ <key>CFBundlePackageType</key>
+ <string>FMWK</string>
+ <key>CFBundleSignature</key>
+ <string>????</string>
+</dict>
+</plist>
+";
+ shouldUseHeadermap = 0;
+ };
+ F529E9DC019B294F01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXHeadersBuildPhase;
+ name = Headers;
+ };
+ F529E9DD019B294F01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXResourcesBuildPhase;
+ name = "Bundle Resources";
+ };
+ F529E9DE019B294F01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529E9E6019B2AB701120112,
+ F529E9E7019B2AB701120112,
+ );
+ isa = PBXSourcesBuildPhase;
+ name = Sources;
+ };
+ F529E9DF019B294F01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F529E9EB019B2B6A01120112,
+ );
+ isa = PBXFrameworksBuildPhase;
+ name = "Frameworks & Libraries";
+ };
+ F529E9E0019B294F01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ name = "ResourceManager Resources";
+ };
+ F529E9E1019B294F01120112 = {
+ isa = PBXTargetDependency;
+ target = F529E9350199D56601120112;
+ };
+ F529E9E2019B294F01120112 = {
+ isa = PBXTargetDependency;
+ target = F529E9DB019B294F01120112;
+ };
+ F529E9E3019B2A6F01120112 = {
+ children = (
+ F529E9E4019B2AB701120112,
+ F529E9E5019B2AB701120112,
+ );
+ isa = PBXGroup;
+ name = Kerberos5Private;
+ path = "";
+ refType = 4;
+ };
+ F529E9E4019B2AB701120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5PrivateLoader.c;
+ path = GSSKerberos5.intermediates/Kerberos5PrivateLoader.c;
+ refType = 3;
+ };
+ F529E9E5019B2AB701120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5PrivateShims.s;
+ path = GSSKerberos5.intermediates/Kerberos5PrivateShims.s;
+ refType = 3;
+ };
+ F529E9E6019B2AB701120112 = {
+ fileRef = F529E9E4019B2AB701120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9E7019B2AB701120112 = {
+ fileRef = F529E9E5019B2AB701120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9E8019B2B6A01120112 = {
+ children = (
+ F529E9510199DB9E01120112,
+ 00CC640000975A877F000001,
+ 00CC63FB00975A877F000001,
+ 61622FD1FF82A36412120111,
+ F529E9320199D42601120112,
+ F529E9E3019B2A6F01120112,
+ F529E9440199D68001120112,
+ );
+ isa = PBXGroup;
+ name = KerberosShimFrameworks;
+ path = "";
+ refType = 4;
+ };
+ F529E9E9019B2B6A01120112 = {
+ fileRef = 00CC640000975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ F529E9EA019B2B6A01120112 = {
+ fileRef = 00CC63FB00975A877F000001;
+ isa = PBXBuildFile;
+ settings = {
+ ATTRIBUTES = (
+ );
+ };
+ };
+ F529E9EB019B2B6A01120112 = {
+ fileRef = F529E9510199DB9E01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F529E9F2019B2C4801120112 = {
+ buildActionMask = 2147483647;
+ dstPath = ../PrivateHeaders;
+ dstSubfolderSpec = 7;
+ files = (
+ F529E9E9019B2B6A01120112,
+ F529E9EA019B2B6A01120112,
+ );
+ isa = PBXCopyFilesBuildPhase;
+ name = "Copy Files";
+ };
+ F529E9F3019B2C4801120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ generatedFileNames = (
+ );
+ isa = PBXShellScriptBuildPhase;
+ name = "Shell Script";
+ neededFileNames = (
+ );
+ shellPath = /bin/sh;
+ shellScript = "ln -sf Versions/Current/PrivateHeaders \"${SYMROOT}/Kerberos5Private.${WRAPPER_EXTENSION}/PrivateHeaders\"";
+ };
+ F529E9F4019B2C9001120112 = {
+ isa = PBXFrameworkReference;
+ path = Kerberos5Private.framework;
+ refType = 3;
+ };
+ F529E9F5019B2C9101120112 = {
+ fileRef = F529E9F4019B2C9001120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5438CAD017E457701D06BDA = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" \"-sLIB=libk5crypto\" \"-sPROJECT=GSSKerberos5\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "libk5crypto-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "libk5crypto-gen";
+ productName = "libk5crypto-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5438CAF017E462801D06BDA = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" \"-sLIB=libcom_err\" \"-sPROJECT=GSSKerberos5\" \"-sSYMFILE1=$(SRCROOT)/../util/et/et.pbexp\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "libcom_err-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "libcom_err-gen";
+ productName = "libcom_err-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5438CB1017E462801D06BDA = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sLIB=libkrb5\" \"-sPROJECT=GSSKerberos5\" \"-sSYMFILE1=$(SRCROOT)/Kerberos5Lib.pbexp\" \"-sSYMFILE2=$(SRCROOT)/../util/profile/profile.pbexp\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "libkrb5-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "libkrb5-gen";
+ productName = "libkrb5-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5438CB3017E468B01D06BDA = {
+ buildArgumentsString = "-d3 \"JAMFILE=$(SRCROOT)/../../Common/Scripts/Shared/DylibShims.jam\" \"-sSRCROOT=$(SRCROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sSYMROOT=$(SYMROOT)\" \"-sLIB=libgssapi_krb5\" \"-sPROJECT=GSSKerberos5\" \"-sSYMFILE1=$(SRCROOT)/GSSLibrary.pbexp\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "libgssapi_krb5-gen";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "libgssapi_krb5-gen";
+ productName = "libgssapi_krb5-gen";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5438CB5017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libkrb5Loader.c;
+ path = GSSKerberos5.intermediates/libkrb5Loader.c;
+ refType = 3;
+ };
+ F5438CB6017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libkrb5Shims.s;
+ path = GSSKerberos5.intermediates/libkrb5Shims.s;
+ refType = 3;
+ };
+ F5438CB7017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libk5cryptoLoader.c;
+ path = GSSKerberos5.intermediates/libk5cryptoLoader.c;
+ refType = 3;
+ };
+ F5438CB8017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libk5cryptoShims.s;
+ path = GSSKerberos5.intermediates/libk5cryptoShims.s;
+ refType = 3;
+ };
+ F5438CB9017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libcom_errLoader.c;
+ path = GSSKerberos5.intermediates/libcom_errLoader.c;
+ refType = 3;
+ };
+ F5438CBA017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libcom_errShims.s;
+ path = GSSKerberos5.intermediates/libcom_errShims.s;
+ refType = 3;
+ };
+ F5438CBB017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libgssapi_krb5Loader.c;
+ path = GSSKerberos5.intermediates/libgssapi_krb5Loader.c;
+ refType = 3;
+ };
+ F5438CBC017E478201D06BDA = {
+ isa = PBXFileReference;
+ name = libgssapi_krb5Shims.s;
+ path = GSSKerberos5.intermediates/libgssapi_krb5Shims.s;
+ refType = 3;
+ };
+ F5438CC8017E47A601D06BDA = {
+ isa = PBXFrameworkReference;
+ name = CoreFoundation.framework;
+ path = /System/Library/Frameworks/CoreFoundation.framework;
+ refType = 0;
+ };
+ F579576501C027FC01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ generatedFileNames = (
+ );
+ isa = PBXShellScriptBuildPhase;
+ name = "Shell Script";
+ neededFileNames = (
+ );
+ shellPath = /bin/sh;
+ shellScript = "ln -sf Versions/Current/Headers \"${SYMROOT}/GSS.${WRAPPER_EXTENSION}/Headers\"";
+ };
+ };
+ rootObject = 25C77492FF52D03A12120111;
+}
diff --git a/src/mac/GSSKerberosPrefix.h b/src/mac/GSSKerberosPrefix.h
new file mode 100644
index 0000000..bf473e0
--- /dev/null
+++ b/src/mac/GSSKerberosPrefix.h
@@ -0,0 +1,69 @@
+#ifndef __ASSEMBLER__
+#include <KerberosSupport/KerberosConditionalMacros.h>
+
+#define SIZEOF_LONG 4
+#define SIZEOF_INT 4
+#define SIZEOF_SHORT 2
+
+#define KRB5_DLLIMP
+#define GSS_DLLIMP
+#define KRB5_CALLCONV
+#define KRB5_CALLCONV_C
+#define FAR
+
+#define krb5_sigtype void
+
+#define USE_CCAPI 1
+#define USE_LOGIN_LIBRARY 1
+#define NO_PASSWORD 1
+
+#define HAVE_SRAND 1
+#define HAVE_LABS 1
+
+#define HAVE_NETINET_IN_H 1
+#define HAVE_ARPA_INET_H 1
+#define HAVE_SYS_STAT_H 1
+#define HAVE_SYS_PARAM_H 1
+#define HAVE_UNISTD_H 1
+#define HAVE_STDLIB_H 1
+#define HAVE_STDARG_H 1
+#define HAVE_SYS_TYPES_H 1
+#define HAVE_PATHS_H 1
+#define HAVE_REGEX_H 1
+#define HAVE_REGEXP_H 1
+#define HAVE_FCNTL_H 1
+#define HAVE_MEMORY_H 1
+#define HAVE_PWD_H 1
+
+#define HAVE_STAT 1
+#define HAVE_ACCESS 1
+#define HAVE_FLOCK 1
+
+#define HAVE_FCHMOD 1
+#define HAVE_CHMOD 1
+
+#define HAVE_STRFTIME 1
+#define HAVE_GETEUID 1
+
+#define HAVE_SETENV 1
+#define HAVE_UNSETENV 1
+#define HAVE_GETENV 1
+
+#define HAVE_SETSID 1
+#define HAVE_GETHOSTBYNAME2 1
+
+#define HAVE_VFPRINTF 1
+#define HAVE_VSPRINTF 1
+
+#define HAVE_STRDUP 1
+#define HAVE_STRCASECMP 1
+#define HAVE_STRERROR 1
+#define HAVE_MEMMOVE 1
+#define HAVE_DAEMON 1
+#define HAVE_GETUID 1
+#define HAVE_SSCANF 1
+#define HAVE_SYSLOG 1
+#define HAVE_REGEXEC 1
+#define HAVE_REGCOMP 1
+#define HAVE_SA_LEN 1
+#endif
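Review bot: `SIZEOF_LONG`, `SIZEOF_INT` and `SIZEOF_SHORT` at the top of this header are fixed constants, not values derived from the compiler, and nothing says which compiler they are valid for. GenerateHeaderFiles.sh and HeaderFiles.jam copy them into the generated krb5.h and gssapi.h with `grep SIZEOF`, so if those headers choose integer types from these macros (not visible here), a compiler with a different `long` width would get wrong types without any diagnostic. I would add a comment above the three defines such as `/* Sizes for the 32-bit Mac OS X compilers; copied into krb5.h and gssapi.h by the header generation step. */`. Any compile-time size check belongs in a separate file, because every line of this header containing the string SIZEOF is copied into the public headers.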
diff --git a/src/mac/GSSLibrary.exp b/src/mac/GSSLibrary.exp
index 8adbf9f..e818cbd 100644
--- a/src/mac/GSSLibrary.exp
+++ b/src/mac/GSSLibrary.exp
@@ -63,6 +63,33 @@
#
gss_krb5_ccache_name
+#
+# GSS-API object identifiers from rfc 2744
+#
+ GSS_C_NT_USER_NAME
+ GSS_C_NT_MACHINE_UID_NAME
+ GSS_C_NT_STRING_UID_NAME
+ GSS_C_NT_HOSTBASED_SERVICE_X
+ GSS_C_NT_HOSTBASED_SERVICE
+ GSS_C_NT_ANONYMOUS
+ GSS_C_NT_EXPORT_NAME
+
+#
+# GSS-API compatibility symbols from gssapi_generic.h
+# (the same as rfc 2744 symbols)
+# (Only exported on Mac OS X, not on Mac OS 9)
+#
+
+# gss_nt_user_name
+# gss_nt_machine_uid_name
+# gss_nt_string_uid_name
+# gss_nt_service_name_v2
+# gss_nt_service_name
+# gss_nt_exported_name
+
+#
+# KRB5 Mechanism GSS-API object identifier from rfc 1964
+#
-
+ GSS_KRB5_NT_PRINCIPAL_NAME
diff --git a/src/mac/GSSLibrary.pbexp b/src/mac/GSSLibrary.pbexp
new file mode 100644
index 0000000..89360c7
--- /dev/null
+++ b/src/mac/GSSLibrary.pbexp
@@ -0,0 +1,96 @@
+#----------------------------------------------------
+# GSSAPI.EXP - GSSAPI.DLL module definition file
+#----------------------------------------------------
+
+ ___initializeGSS
+
+ _gss_acquire_cred
+ _gss_release_cred
+ _gss_init_sec_context
+ _gss_accept_sec_context
+ _gss_process_context_token
+ _gss_delete_sec_context
+ _gss_context_time
+ _gss_sign
+ _gss_verify
+ _gss_seal
+ _gss_unseal
+ _gss_display_status
+ _gss_indicate_mechs
+ _gss_compare_name
+ _gss_display_name
+ _gss_import_name
+ _gss_release_name
+ _gss_release_buffer
+ _gss_release_oid_set
+ _gss_inquire_cred
+#
+# GSS-API v2 additional credential calls
+#
+ _gss_add_cred
+ _gss_inquire_cred_by_mech
+#
+# GSS-API v2 additional context-level calls
+#
+ _gss_inquire_context
+ _gss_wrap_size_limit
+ _gss_export_sec_context
+ _gss_import_sec_context
+#
+# GSS-API v2 additional calls for OID and OID_set operations
+#
+ _gss_release_oid
+ _gss_create_empty_oid_set
+ _gss_add_oid_set_member
+ _gss_test_oid_set_member
+ _gss_oid_to_str
+ _gss_str_to_oid
+#
+# GSS-API v2 renamed message protection calls
+#
+ _gss_wrap
+ _gss_unwrap
+ _gss_get_mic
+ _gss_verify_mic
+#
+# GSS-API v2 future extensions
+#
+ _gss_inquire_names_for_mech
+# _gss_inquire_mechs_for_name
+ _gss_canonicalize_name
+ _gss_export_name
+ _gss_duplicate_name
+#
+# krb5-specific CCache name stuff
+#
+ _gss_krb5_ccache_name
+
+#
+# GSS-API object identifiers from rfc 2744
+#
+
+_GSS_C_NT_USER_NAME
+_GSS_C_NT_MACHINE_UID_NAME
+_GSS_C_NT_STRING_UID_NAME
+_GSS_C_NT_HOSTBASED_SERVICE_X
+_GSS_C_NT_HOSTBASED_SERVICE
+_GSS_C_NT_ANONYMOUS
+_GSS_C_NT_EXPORT_NAME
+
+#
+# GSS-API compatibility symbols from gssapi_generic.h
+# (the same as rfc 2744 symbols)
+#
+
+_gss_nt_user_name
+_gss_nt_machine_uid_name
+_gss_nt_string_uid_name
+_gss_nt_service_name_v2
+_gss_nt_service_name
+_gss_nt_exported_name
+
+#
+# KRB5 Mechanism GSS-API object identifier from rfc 1964
+#
+
+_GSS_KRB5_NT_PRINCIPAL_NAME
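Review bot: The banner at the top of this new file still reads `GSSAPI.EXP - GSSAPI.DLL module definition file`, which describes a different file and platform from GSSLibrary.pbexp. Since this list also differs from GSSLibrary.exp (underscore-prefixed names, and the `gss_nt_*` compatibility symbols are exported here but commented out there), the header should say so, for example `# GSSLibrary.pbexp - exported symbols for the Mac OS X build of the GSS library`.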
diff --git a/src/mac/GenerateErrorTables.sh b/src/mac/GenerateErrorTables.sh
new file mode 100644
index 0000000..24f8525
--- /dev/null
+++ b/src/mac/GenerateErrorTables.sh
@@ -0,0 +1,40 @@
+#!/bin/sh
+
+COMERR_DIR=$SRCROOT/../util/et
+COMPILE_ET_SH=$COMERR_DIR/compile_et.sh
+COMPILE_ET=$COMERR_DIR/compile_et
+
+PROFILE_DIR=$SRCROOT/../util/profile
+ERROR_TABLES_DIR=$SRCROOT/../lib/krb5/error_tables
+GSS_GENERIC_DIR=$SRCROOT/../lib/gssapi/generic
+GSS_KRB5_DIR=$SRCROOT/../lib/gssapi/krb5
+
+if [ ! -x $COMPILE_ET ] || [ $COMPILE_ET_SH -nt $COMPILE_ET ]; then
+ echo "Building compile_et"
+ $COMERR_DIR/config_script $COMPILE_ET_SH /usr/bin/awk /usr/bin/sed > $COMPILE_ET
+ /bin/chmod 755 $COMPILE_ET
+fi
+
+if [ -x $COMPILE_ET ]; then
+ echo "Generating profile error tables"
+ cd $PROFILE_DIR && $COMPILE_ET $PROFILE_DIR/prof_err.et
+
+ echo "Generating adm error tables"
+ cd $ERROR_TABLES_DIR && $COMPILE_ET $ERROR_TABLES_DIR/adm_err.et
+
+ echo "Generating asn1 error tables"
+ cd $ERROR_TABLES_DIR && $COMPILE_ET $ERROR_TABLES_DIR/asn1_err.et
+
+ echo "Generating kdb5 error tables"
+ cd $ERROR_TABLES_DIR && $COMPILE_ET $ERROR_TABLES_DIR/kdb5_err.et
+
+ echo "Generating krb5 error tables"
+ cd $ERROR_TABLES_DIR && $COMPILE_ET $ERROR_TABLES_DIR/krb5_err.et
+
+ echo "Generating kv5m error tables"
+ cd $ERROR_TABLES_DIR && $COMPILE_ET $ERROR_TABLES_DIR/kv5m_err.et
+
+ echo "Generating gss error tables"
+ cd $GSS_GENERIC_DIR && $COMPILE_ET $GSS_GENERIC_DIR/gssapi_err_generic.et
+ cd $GSS_KRB5_DIR && $COMPILE_ET $GSS_KRB5_DIR/gssapi_err_krb5.et
+fi
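Review bot: The `compile_et` build step redirects the output of `config_script` straight into `$COMPILE_ET` and marks it executable without checking the exit status. A failed or interrupted run therefore leaves a truncated but executable `compile_et` that is newer than `compile_et.sh` and is not rebuilt on the next pass. Writing to a temporary name and renaming on success avoids that: `"$COMERR_DIR/config_script" "$COMPILE_ET_SH" /usr/bin/awk /usr/bin/sed > "$COMPILE_ET.new" && /bin/chmod 755 "$COMPILE_ET.new" && mv "$COMPILE_ET.new" "$COMPILE_ET"`. Every `$SRCROOT`-derived path is also expanded unquoted, here and in GenerateHeaderFiles.sh, so a checkout path containing a space splits into several words; quoting each expansion (`cd "$PROFILE_DIR" && "$COMPILE_ET" "$PROFILE_DIR/prof_err.et"`) is enough. The `cd … && …` lines do not stop the script on failure either, so only a failure in the last command is reflected in the exit status.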
diff --git a/src/mac/GenerateHeaderFiles.sh b/src/mac/GenerateHeaderFiles.sh
new file mode 100644
index 0000000..e0e0ade
--- /dev/null
+++ b/src/mac/GenerateHeaderFiles.sh
@@ -0,0 +1,48 @@
+#!/bin/sh
+
+PROFILE_DIR=$SRCROOT/../util/profile
+echo "Generating profile.h"
+cat $PROFILE_DIR/profile.hin $PROFILE_DIR/prof_err.h > $PROFILE_DIR/profile.h
+
+INCLUDE_DIR=$SRCROOT/../include
+ERROR_TABLE_DIR=$SRCROOT/../lib/krb5/error_tables
+GSS_DIR=$SRCROOT/../lib/gssapi
+
+echo "Symlinking error table header files"
+ln -sf $ERROR_TABLE_DIR/adm_err.h $INCLUDE_DIR
+ln -sf $ERROR_TABLE_DIR/asn1_err.h $INCLUDE_DIR
+ln -sf $ERROR_TABLE_DIR/kdb5_err.h $INCLUDE_DIR
+ln -sf $ERROR_TABLE_DIR/krb5_err.h $INCLUDE_DIR
+ln -sf $ERROR_TABLE_DIR/kv5m_err.h $INCLUDE_DIR
+
+if [ -f $INCLUDE_DIR/krb5.h ]; then
+ echo "Removing previous krb5.h"
+ rm $INCLUDE_DIR/krb5.h
+fi
+
+echo "Generating krb5.h"
+echo "/* This is the prologue to krb5.h */" > $INCLUDE_DIR/krb5.h
+echo "/* Unfortunately some of these defines are compiler dependent */" >> $INCLUDE_DIR/krb5.h
+grep SIZEOF $SRCROOT/GSSKerberosPrefix.h >> $INCLUDE_DIR/krb5.h
+grep HAVE_STDARG_H $SRCROOT/GSSKerberosPrefix.h >> $INCLUDE_DIR/krb5.h
+grep HAVE_SYS_TYPES_H $SRCROOT/GSSKerberosPrefix.h >> $INCLUDE_DIR/krb5.h
+echo "/* End of prologue section */" >> $INCLUDE_DIR/krb5.h
+cat $INCLUDE_DIR/krb5.hin $INCLUDE_DIR/krb5_err.h $INCLUDE_DIR/kdb5_err.h \
+ $INCLUDE_DIR/kv5m_err.h $INCLUDE_DIR/asn1_err.h >> $INCLUDE_DIR/krb5.h
+
+if [ -f $GSS_DIR/gssapi.h ]; then
+ echo "Removing previous gssapi.h"
+ rm $GSS_DIR/gssapi.h
+fi
+
+echo "Generating gssapi.h"
+echo "/* This is the gssapi.h prologue. */" > $GSS_DIR/gssapi.h
+echo "/* It contains some choice pieces of autoconf.h */" >> $GSS_DIR/gssapi.h
+grep SIZEOF $SRCROOT/GSSKerberosPrefix.h >> $GSS_DIR/gssapi.h
+grep 'HAVE_.*_H' $SRCROOT/GSSKerberosPrefix.h >> $GSS_DIR/gssapi.h
+grep 'USE_.*_H' $SRCROOT/GSSKerberosPrefix.h >> $GSS_DIR/gssapi.h
+echo "/* End of gssapi.h prologue. */" >> $GSS_DIR/gssapi.h
+cat $GSS_DIR/generic/gssapi.hin >> $GSS_DIR/gssapi.h
+
+echo "Generating fake autoconf.h; the real one is included as a prefix file."
+touch $INCLUDE_DIR/autoconf.h
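Review bot: Nothing in this script checks whether a generation step succeeded. If `krb5.hin` or one of the `*_err.h` files is missing, the `cat … >> $INCLUDE_DIR/krb5.h` step fails, a header holding only the prologue is left in place, and the script still exits with the status of the final `touch`. Adding `set -e` after the shebang would stop at the first failure, but `grep 'USE_.*_H'` matches neither of the `USE_` macros defined in GSSKerberosPrefix.h (`USE_CCAPI`, `USE_LOGIN_LIBRARY`) and so exits non-zero. That line would have to be dropped or written as `grep 'USE_.*_H' "$SRCROOT/GSSKerberosPrefix.h" >> "$GSS_DIR/gssapi.h" || true`. The generated headers and symlinks are written into the source tree (`$INCLUDE_DIR`, `$GSS_DIR`) while HeaderFiles.jam writes the same headers under `$(SYMROOT)`, which deserves a comment at the top saying which copy the build is meant to use.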
diff --git a/src/mac/HeaderFiles.jam b/src/mac/HeaderFiles.jam
new file mode 100644
index 0000000..70bd5c4
--- /dev/null
+++ b/src/mac/HeaderFiles.jam
@@ -0,0 +1,210 @@
+include "/Developer/Makefiles/pbx_jamfiles/Jambase" ;
+
+GSSKRB5_TEMP_DIR = "$(SYMROOT)/GSSKerberos5.intermediates" ;
+
+COM_ERR_DIR = "$(SRCROOT)/../util/et" ;
+PROFILE_DIR = "$(SRCROOT)/../util/profile" ;
+GSS_DIR = "$(SRCROOT)/../lib/gssapi" ;
+INCLUDE_DIR = "$(SRCROOT)/../include" ;
+ERROR_TABLES_DIR = "$(SRCROOT)/../lib/krb5/error_tables" ;
+
+ERROR_CODE_REGEXP = "/^\\s*#define\\s+\\w+\(\\s+\\(-?\\d+L\\)\)|\(initialize_\\w+_error_table\\(\\)\)\\s*$/" ;
+EXTRACT_ERROR_CODES = "perl -e 'while (<STDIN>) { if ($(ERROR_CODE_REGEXP)) { print; } }'" ;
+
+# install and installhdrs depends on the existence of the autogenerated headers
+DEPENDS install : all ;
+DEPENDS installhdrs : all ;
+
+# all depends on autogenerating the headers in the temporary directory
+DEPENDS all : "$(GSSKRB5_TEMP_DIR)"
+ "$(GSSKRB5_TEMP_DIR)/KerberosComErr.h"
+ "$(GSSKRB5_TEMP_DIR)/profile.h"
+ "$(GSSKRB5_TEMP_DIR)/KerberosProfile/profile.h"
+ "$(GSSKRB5_TEMP_DIR)/KerberosProfile.h"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.h"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5.h"
+ "$(GSSKRB5_TEMP_DIR)/Kerberos5/krb5.h"
+ "$(GSSKRB5_TEMP_DIR)/Kerberos5.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi.h"
+ "$(GSSKRB5_TEMP_DIR)/GSS/gssapi.h"
+ "$(GSSKRB5_TEMP_DIR)/GSS.h"
+ "$(GSSKRB5_TEMP_DIR)/autoconf.h" ;
+
+
+# Delete these files when we clean
+Clean.Remove clean : "$(GSSKRB5_TEMP_DIR)"
+ "$(GSSKRB5_TEMP_DIR)/KerberosComErr.h"
+ "$(GSSKRB5_TEMP_DIR)/profile.h"
+ "$(GSSKRB5_TEMP_DIR)/KerberosProfile.h"
+ "$(GSSKRB5_TEMP_DIR)/adm_err.h"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h"
+ "$(GSSKRB5_TEMP_DIR)/krb5.h"
+ "$(GSSKRB5_TEMP_DIR)/Kerberos5.h"
+ "$(GSSKRB5_TEMP_DIR)/gssapi.h"
+ "$(GSSKRB5_TEMP_DIR)/GSS.h"
+ "$(GSSKRB5_TEMP_DIR)/autoconf.h" ;
+
+# JAM rules to autogenerate files
+
+rule KerberosComErr.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions KerberosComErr.h
+{
+ echo "#ifndef __KERBEROSCOMERR__" > "$(1)" ;
+ echo "#define __KERBEROSCOMERR__" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#include <KerberosComErr/com_err.h>" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#endif /* __KERBEROSCOMERR__ */" >> "$(1)" ;
+}
+
+rule profile.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions profile.h
+{
+ cat "$(2[1])" > "$(1)" ;
+ for header in "$(2[2-])" ; do
+ cat $header | $(EXTRACT_ERROR_CODES) >> "$(1)" ;
+ done
+}
+
+rule KerberosProfile.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions KerberosProfile.h
+{
+ echo "#ifndef __KERBEROSPROFILE__" > "$(1)" ;
+ echo "#define __KERBEROSPROFILE__" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#include <KerberosProfile/profile.h>" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#endif /* __KERBEROSPROFILE__ */" >> "$(1)" ;
+}
+
+rule krb5.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ DEPENDS "$(1)" : "$(PREFIX)" ;
+}
+
+actions krb5.h
+{
+ echo "/* This is the prologue to krb5.h */" > "$(1)" ;
+ echo "/* Unfortunately some of these defines are compiler dependent */" >> "$(1)" ;
+ grep SIZEOF "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ grep HAVE_STDARG_H "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ grep HAVE_SYS_TYPES_H "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ cat "$(2[1])" >> "$(1)" ;
+ for header in "$(2[2-])" ; do
+ echo Processing $header
+ cat $header | $(EXTRACT_ERROR_CODES) >> "$(1)" ;
+ done
+}
+
+
+rule Kerberos5.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions Kerberos5.h
+{
+ echo "#ifndef __KERBEROS5__" > "$(1)" ;
+ echo "#define __KERBEROS5__" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#include <Kerberos5/krb5.h>" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#endif /* __KERBEROS5__ */" >> "$(1)" ;
+}
+
+rule gssapi.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ DEPENDS "$(1)" : "$(PREFIX)" ;
+}
+
+actions gssapi.h
+{
+ echo "/* This is the prologue to gssapi.h */" > "$(1)" ;
+ echo "/* It contains some choice pieces of autoconf.h */" >> "$(1)" ;
+ grep SIZEOF "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ grep 'HAVE_.*_H' "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ grep 'USE_.*_H' "$(SRCROOT)/GSSKerberosPrefix.h" >> "$(1)" ;
+ echo "/* End of gssapi.h prologue. */" >> "$(1)" ;
+ cat "$(2[1])" >> "$(1)" ;
+ for header in "$(2[2-])" ; do
+ cat $header | $(EXTRACT_ERROR_CODES) >> "$(1)" ;
+ done
+}
+
+
+rule GSS.h
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions GSS.h
+{
+ echo "#ifndef __GSS__" > "$(1)" ;
+ echo "#define __GSS__" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#include <GSS/gssapi.h>" >> "$(1)" ;
+ echo "#include <GSS/gssapi_krb5.h>" >> "$(1)" ;
+ echo "" >> "$(1)" ;
+ echo "#endif /* __GSS__ */" >> "$(1)" ;
+}
+
+rule autoconf.h
+{
+}
+
+actions autoconf.h
+{
+ touch "$(1)" ;
+}
+
+# Dependencies to make the autogenerated headers in the temporary directory
+Mkdir "$(GSSKRB5_TEMP_DIR)" ;
+KerberosComErr.h "$(GSSKRB5_TEMP_DIR)/KerberosComErr.h" : "$(COM_ERR_DIR)/com_err.h" ;
+profile.h "$(GSSKRB5_TEMP_DIR)/profile.h" : "$(PROFILE_DIR)/profile.hin"
+ "$(GSSKRB5_TEMP_DIR)/prof_err.h" ;
+KerberosProfile.h "$(GSSKRB5_TEMP_DIR)/KerberosProfile.h" : "$(GSSKRB5_TEMP_DIR)/profile.h" ;
+krb5.h "$(GSSKRB5_TEMP_DIR)/krb5.h" : "$(INCLUDE_DIR)/krb5.hin"
+ "$(GSSKRB5_TEMP_DIR)/krb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kdb5_err.h"
+ "$(GSSKRB5_TEMP_DIR)/kv5m_err.h"
+ "$(GSSKRB5_TEMP_DIR)/asn1_err.h" ;
+Kerberos5.h "$(GSSKRB5_TEMP_DIR)/Kerberos5.h" : "$(GSSKRB5_TEMP_DIR)/krb5.h" ;
+gssapi.h "$(GSSKRB5_TEMP_DIR)/gssapi.h" : "$(GSS_DIR)/generic/gssapi.hin" ;
+GSS.h "$(GSSKRB5_TEMP_DIR)/GSS.h" : "$(GSSKRB5_TEMP_DIR)/gssapi.h" ;
+autoconf.h "$(GSSKRB5_TEMP_DIR)/autoconf.h" ;
+
+# We need to also make copies in the appropriate subdirectories, so that <foo/bar.h> paths work
+# correctly inside the foo framework target. This is due to a Project Builder bug which causes
+# builds to fail if an autogenerated SYMROOT-relative file is added to a target
+Mkdir "$(GSSKRB5_TEMP_DIR)/GSS" ;
+DEPENDS "$(GSSKRB5_TEMP_DIR)/GSS/gssapi.h" : "$(GSSKRB5_TEMP_DIR)/GSS" ;
+Cp "$(GSSKRB5_TEMP_DIR)/GSS/gssapi.h" : "$(GSSKRB5_TEMP_DIR)/gssapi.h" ;
+
+Mkdir "$(GSSKRB5_TEMP_DIR)/Kerberos5" ;
+DEPENDS "$(GSSKRB5_TEMP_DIR)/Kerberos5/krb5.h" : "$(GSSKRB5_TEMP_DIR)/Kerberos5" ;
+Cp "$(GSSKRB5_TEMP_DIR)/Kerberos5/krb5.h" : "$(GSSKRB5_TEMP_DIR)/krb5.h" ;
+
+Mkdir "$(GSSKRB5_TEMP_DIR)/KerberosProfile" ;
+DEPENDS "$(GSSKRB5_TEMP_DIR)/KerberosProfile/profile.h" : "$(GSSKRB5_TEMP_DIR)/KerberosProfile" ;
+Cp "$(GSSKRB5_TEMP_DIR)/KerberosProfile/profile.h" : "$(GSSKRB5_TEMP_DIR)/profile.h" ;
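Review bot: The `krb5.h` action never writes the closing prologue marker that GenerateHeaderFiles.sh emits and that the `gssapi.h` action here does write. The generated krb5.h therefore runs from the grepped defines straight into `krb5.hin` with nothing showing where the copied configuration ends. I would add `echo "/* End of prologue section */" >> "$(1)" ;` after the `grep HAVE_SYS_TYPES_H` line. In the three `for header in "$(2[2-])"` loops, `$header` is used unquoted in `cat $header`, so these actions appear to depend on the build paths containing no whitespace; `cat "$header"` would be safer if the list is expanded one element per word (to be confirmed against Jam's expansion rules). The `echo Processing $header` line in the `krb5.h` action looks like leftover debugging output and is missing from the sibling actions.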
diff --git a/src/mac/K5.CFM.c b/src/mac/K5.CFM.c
index efb918c..4523280 100644
--- a/src/mac/K5.CFM.c
+++ b/src/mac/K5.CFM.c
@@ -16,7 +16,7 @@
* without express or implied warranty.
*/
-
+#if defined(macintosh)
#include <CodeFragments.h>
#include "krb5_libinit.h"
@@ -31,7 +31,13 @@ OSErr __initializeK5(CFragInitBlockPtr ibp)
OSErr err = noErr;
err = __initialize();
-
+#else
+#define noErr 0
+void __initializeK5 (void);
+void __initializeK5 (void)
+{
+ int err = noErr;
+#endif
if (err == noErr) {
err = krb5int_initialize_library ();
}
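Review bot: In the new non-`macintosh` branch `__initializeK5` is declared `void` and the next hunk compiles `return err;` only for `macintosh`, so a failure from `krb5int_initialize_library()` or `cryptoint_initialize_library()` is computed into `err` and then dropped. Callers on that platform cannot tell that the Kerberos or crypto library failed to initialize and would go on to use it. If the initializer has to stay `void` for the loader, the error should at least be recorded where later entry points can check it, or reported, and a comment should state which is intended, e.g. `/* Mac OS X: initializer cannot return a status; failures are ... */`. The function opens in one preprocessor branch and closes in shared code, and its body continues past this hunk, so the two variants are hard to compare. Two complete definitions under `#if`/`#else` would make the differing return behaviour obvious.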
@@ -39,10 +45,12 @@ OSErr __initializeK5(CFragInitBlockPtr ibp)
if (err == noErr) {
err = cryptoint_initialize_library ();
}
-
+#if defined(macintosh)
return err;
+#endif
}
+#if defined(macintosh)
void __terminateK5(void)
{
@@ -51,3 +59,4 @@ void __terminateK5(void)
__terminate();
}
+#endif
diff --git a/src/mac/K5.CFMglue.proto.h b/src/mac/K5.CFMglue.proto.h
index ddf86ad..02b7a1b 100644
--- a/src/mac/K5.CFMglue.proto.h
+++ b/src/mac/K5.CFMglue.proto.h
@@ -1,20 +1,3 @@
-krb5_error_code krb5_c_encrypt (krb5_context context, const krb5_keyblock*key, krb5_keyusage usage, const krb5_data*ivec, const krb5_data*input, krb5_enc_data*output);
-krb5_error_code krb5_c_decrypt (krb5_context context, const krb5_keyblock*key, krb5_keyusage usage, const krb5_data*ivec, const krb5_enc_data*input, krb5_data*output);
-krb5_error_code krb5_c_encrypt_length (krb5_context context, krb5_enctype enctype, size_t inputlen, size_t*length);
-krb5_error_code krb5_c_block_size (krb5_context context, krb5_enctype enctype, size_t*blocksize);
-krb5_error_code krb5_c_make_random_key (krb5_context context, krb5_enctype enctype, krb5_keyblock*random_key);
-krb5_error_code krb5_c_random_make_octets (krb5_context context, krb5_data*data);
-krb5_error_code krb5_c_random_seed (krb5_context context, krb5_data*data);
-krb5_error_code krb5_c_string_to_key (krb5_context context, krb5_enctype enctype, const krb5_data*string, const krb5_data*salt, krb5_keyblock*key);
-krb5_error_code krb5_c_enctype_compare (krb5_context context, krb5_enctype e1, krb5_enctype e2, krb5_boolean*similar);
-krb5_error_code krb5_c_make_checksum (krb5_context context, krb5_cksumtype cksumtype, const krb5_keyblock*key, krb5_keyusage usage, const krb5_data*input, krb5_checksum*cksum);
-krb5_error_code krb5_c_verify_checksum (krb5_context context, const krb5_keyblock*key, krb5_keyusage usage, const krb5_data*data, const krb5_checksum*cksum, krb5_boolean*valid);
-krb5_error_code krb5_c_checksum_length (krb5_context context, krb5_cksumtype cksumtype, size_t*length);
-krb5_error_code krb5_c_keyed_checksum_types (krb5_context context, krb5_enctype enctype, unsigned int*count, krb5_cksumtype**cksumtypes);
-krb5_boolean valid_enctype (const krb5_enctype ktype);
-krb5_boolean valid_cksumtype (const krb5_cksumtype ctype);
-krb5_boolean is_coll_proof_cksum (const krb5_cksumtype ctype);
-krb5_boolean is_keyed_cksum (const krb5_cksumtype ctype);
krb5_error_code krb5_encrypt (krb5_context context, const krb5_pointer inptr, krb5_pointer outptr, const size_t size, krb5_encrypt_block* eblock, krb5_pointer ivec);
krb5_error_code krb5_decrypt (krb5_context context, const krb5_pointer inptr, krb5_pointer outptr, const size_t size, krb5_encrypt_block* eblock, krb5_pointer ivec);
krb5_error_code krb5_process_key (krb5_context context, krb5_encrypt_block* eblock, const krb5_keyblock* key);
@@ -29,35 +12,13 @@ size_t krb5_encrypt_size (const size_t length, krb5_enctype crypto);
size_t krb5_checksum_size (krb5_context context, const krb5_cksumtype ctype);
krb5_error_code krb5_calculate_checksum (krb5_context context, const krb5_cksumtype ctype, const krb5_pointer in, const size_t in_length, const krb5_pointer seed, const size_t seed_length, krb5_checksum* outcksum);
krb5_error_code krb5_verify_checksum (krb5_context context, const krb5_cksumtype ctype, const krb5_checksum* cksum, const krb5_pointer in, const size_t in_length, const krb5_pointer seed, const size_t seed_length);
-krb5_error_code krb5_random_confounder (size_t, krb5_pointer);
-krb5_error_code krb5_encrypt_data (krb5_context context, krb5_keyblock*key, krb5_pointer ivec, krb5_data*data, krb5_enc_data*enc_data);
-krb5_error_code krb5_decrypt_data (krb5_context context, krb5_keyblock*key, krb5_pointer ivec, krb5_enc_data*data, krb5_data*enc_data);
-krb5_error_code krb5_rc_default (krb5_context, krb5_rcache*);
-krb5_error_code krb5_rc_register_type (krb5_context, krb5_rc_ops*);
-krb5_error_code krb5_rc_resolve_type (krb5_context, krb5_rcache*,char*);
-krb5_error_code krb5_rc_resolve_full (krb5_context, krb5_rcache*,char*);
-char* krb5_rc_get_type (krb5_context, krb5_rcache);
-char* krb5_rc_default_type (krb5_context);
-char* krb5_rc_default_name (krb5_context);
-krb5_error_code krb5_auth_to_rep (krb5_context, krb5_tkt_authent*, krb5_donot_replay*);
krb5_error_code krb5_init_context (krb5_context*);
void krb5_free_context (krb5_context);
-krb5_error_code krb5_set_default_in_tkt_ktypes (krb5_context, const krb5_enctype*);
-krb5_error_code krb5_get_default_in_tkt_ktypes (krb5_context, krb5_enctype**);
-krb5_error_code krb5_set_default_tgs_ktypes (krb5_context, const krb5_enctype*);
-krb5_error_code krb5_get_tgs_ktypes (krb5_context, krb5_const_principal, krb5_enctype**);
-krb5_error_code krb5_get_permitted_enctypes (krb5_context, krb5_enctype**);
-krb5_boolean krb5_is_permitted_enctype (krb5_context, krb5_enctype);
-krb5_error_code krb5_kdc_rep_decrypt_proc (krb5_context, const krb5_keyblock*, krb5_const_pointer, krb5_kdc_rep* );
krb5_error_code krb5_decrypt_tkt_part (krb5_context, const krb5_keyblock*, krb5_ticket* );
-krb5_error_code krb5_get_cred_from_kdc (krb5_context, krb5_ccache, krb5_creds*, krb5_creds**, krb5_creds*** );
-krb5_error_code krb5_get_cred_from_kdc_validate (krb5_context, krb5_ccache, krb5_creds*, krb5_creds**, krb5_creds***);
-krb5_error_code krb5_get_cred_from_kdc_renew (krb5_context, krb5_ccache, krb5_creds*, krb5_creds**, krb5_creds***);
void krb5_free_tgt_creds (krb5_context, krb5_creds**);
krb5_error_code krb5_get_credentials (krb5_context, const krb5_flags, krb5_ccache, krb5_creds*, krb5_creds**);
krb5_error_code krb5_get_credentials_validate (krb5_context, const krb5_flags, krb5_ccache, krb5_creds*, krb5_creds**);
krb5_error_code krb5_get_credentials_renew (krb5_context, const krb5_flags, krb5_ccache, krb5_creds*, krb5_creds**);
-krb5_error_code krb5_get_cred_via_tkt (krb5_context, krb5_creds*, const krb5_flags, krb5_address* const*, krb5_creds*, krb5_creds**);
krb5_error_code krb5_mk_req (krb5_context, krb5_auth_context*, const krb5_flags, char*, char*, krb5_data*, krb5_ccache, krb5_data*);
krb5_error_code krb5_mk_req_extended (krb5_context, krb5_auth_context*, const krb5_flags, krb5_data*, krb5_creds*, krb5_data*);
krb5_error_code krb5_mk_rep (krb5_context, krb5_auth_context, krb5_data*);
@@ -69,11 +30,6 @@ krb5_error_code krb5_rd_priv (krb5_context, krb5_auth_context, const krb5_data*,
krb5_error_code krb5_parse_name (krb5_context, const char*, krb5_principal*);
krb5_error_code krb5_unparse_name (krb5_context, krb5_const_principal, char**);
krb5_error_code krb5_unparse_name_ext (krb5_context, krb5_const_principal, char**, int*);
-krb5_error_code krb5_set_principal_realm (krb5_context, krb5_principal, const char*);
-krb5_boolean krb5_address_search (krb5_context, const krb5_address*, krb5_address* const*);
-krb5_boolean krb5_address_compare (krb5_context, const krb5_address*, const krb5_address*);
-int krb5_address_order (krb5_context, const krb5_address*, const krb5_address*);
-krb5_boolean krb5_realm_compare (krb5_context, krb5_const_principal, krb5_const_principal);
krb5_boolean krb5_principal_compare (krb5_context, krb5_const_principal, krb5_const_principal);
krb5_error_code krb5_copy_keyblock (krb5_context, const krb5_keyblock*, krb5_keyblock**);
krb5_error_code krb5_copy_keyblock_contents (krb5_context, const krb5_keyblock*, krb5_keyblock*);
@@ -86,34 +42,20 @@ krb5_error_code krb5_copy_ticket (krb5_context, const krb5_ticket*, krb5_ticket*
krb5_error_code krb5_copy_authdata (krb5_context, krb5_authdata* const*, krb5_authdata***);
krb5_error_code krb5_copy_authenticator (krb5_context, const krb5_authenticator*, krb5_authenticator**);
krb5_error_code krb5_copy_checksum (krb5_context, const krb5_checksum*, krb5_checksum**);
-void krb5_init_ets (krb5_context);
-void krb5_free_ets (krb5_context);
-krb5_error_code krb5_generate_subkey (krb5_context, const krb5_keyblock*, krb5_keyblock**);
-krb5_error_code krb5_generate_seq_number (krb5_context, const krb5_keyblock*, krb5_int32*);
krb5_error_code krb5_get_server_rcache (krb5_context, const krb5_data*, krb5_rcache*);
-krb5_error_code krb5_build_principal_va (krb5_context, krb5_principal, int, const char*, va_list);
krb5_error_code krb5_425_conv_principal (krb5_context, const char*name, const char*instance, const char*realm, krb5_principal*princ);
krb5_error_code krb5_524_conv_principal (krb5_context context, const krb5_principal princ, char*name, char*inst, char*realm);
-krb5_error_code krb5_mk_chpw_req (krb5_context context, krb5_auth_context auth_context, krb5_data*ap_req, char*passwd, krb5_data*packet);
-krb5_error_code krb5_rd_chpw_rep (krb5_context context, krb5_auth_context auth_context, krb5_data*packet, int*result_code, krb5_data*result_data);
-krb5_error_code krb5_chpw_result_code_string (krb5_context context, int result_code, char**result_codestr);
krb5_error_code krb5_kt_register (krb5_context, krb5_kt_ops*);
krb5_error_code krb5_kt_resolve (krb5_context, const char*, krb5_keytab*);
-krb5_error_code krb5_kt_default_name (krb5_context, char*, int);
krb5_error_code krb5_kt_default (krb5_context, krb5_keytab*);
krb5_error_code krb5_kt_free_entry (krb5_context, krb5_keytab_entry*);
krb5_error_code krb5_kt_remove_entry (krb5_context, krb5_keytab, krb5_keytab_entry*);
krb5_error_code krb5_kt_add_entry (krb5_context, krb5_keytab, krb5_keytab_entry*);
-krb5_error_code krb5_principal2salt (krb5_context, krb5_const_principal, krb5_data*);
-krb5_error_code krb5_principal2salt_norealm (krb5_context, krb5_const_principal, krb5_data*);
krb5_error_code krb5_cc_resolve (krb5_context, const char*, krb5_ccache*);
const char* krb5_cc_default_name (krb5_context);
krb5_error_code krb5_cc_set_default_name (krb5_context, const char*);
krb5_error_code krb5_cc_default (krb5_context, krb5_ccache*);
unsigned int krb5_get_notification_message (void);
-krb5_error_code krb5_cc_copy_creds (krb5_context context, krb5_ccache incc, krb5_ccache outcc);
-krb5_error_code krb5_check_transited_list (krb5_context, krb5_data*trans, krb5_data*realm1, krb5_data*realm2);
-void krb5_free_realm_tree (krb5_context, krb5_principal*);
void krb5_free_principal (krb5_context, krb5_principal);
void krb5_free_authenticator (krb5_context, krb5_authenticator*);
void krb5_free_authenticator_contents (krb5_context, krb5_authenticator*);
@@ -154,28 +96,19 @@ krb5_error_code krb5_us_timeofday (krb5_context, krb5_int32*, krb5_int32*);
krb5_error_code krb5_timeofday (krb5_context, krb5_int32*);
krb5_error_code krb5_os_localaddr (krb5_context, krb5_address***);
krb5_error_code krb5_get_default_realm (krb5_context, char**);
-krb5_error_code krb5_set_default_realm (krb5_context, const char*);
krb5_error_code krb5_sname_to_principal (krb5_context, const char*, const char*, krb5_int32, krb5_principal*);
krb5_error_code krb5_change_password (krb5_context context, krb5_creds*creds, char*newpw, int*result_code, krb5_data*result_code_string, krb5_data*result_string);
krb5_error_code krb5_get_profile (krb5_context, profile_t*);
-krb5_error_code krb5_secure_config_files (krb5_context);
-krb5_error_code krb5_send_tgs (krb5_context, const krb5_flags, const krb5_ticket_times*, const krb5_enctype*, krb5_const_principal, krb5_address* const*, krb5_authdata* const*, krb5_pa_data* const*, const krb5_data*, krb5_creds*, krb5_response*);
krb5_error_code krb5_get_in_tkt_with_password (krb5_context, const krb5_flags, krb5_address* const*, krb5_enctype*, krb5_preauthtype*, const char*, krb5_ccache, krb5_creds*, krb5_kdc_rep**);
krb5_error_code krb5_get_in_tkt_with_skey (krb5_context, const krb5_flags, krb5_address* const*, krb5_enctype*, krb5_preauthtype*, const krb5_keyblock*, krb5_ccache, krb5_creds*, krb5_kdc_rep**);
krb5_error_code krb5_get_in_tkt_with_keytab (krb5_context, const krb5_flags, krb5_address* const*, krb5_enctype*, krb5_preauthtype*, const krb5_keytab, krb5_ccache, krb5_creds*, krb5_kdc_rep**);
-krb5_error_code krb5_decode_kdc_rep (krb5_context, krb5_data*, const krb5_keyblock*, krb5_kdc_rep**);
krb5_error_code krb5_rd_req (krb5_context, krb5_auth_context*, const krb5_data*, krb5_const_principal, krb5_keytab, krb5_flags*, krb5_ticket**);
-krb5_error_code krb5_rd_req_decoded (krb5_context, krb5_auth_context*, const krb5_ap_req*, krb5_const_principal, krb5_keytab, krb5_flags*, krb5_ticket**);
-krb5_error_code krb5_rd_req_decoded_anyflag (krb5_context, krb5_auth_context*, const krb5_ap_req*, krb5_const_principal, krb5_keytab, krb5_flags*, krb5_ticket**);
krb5_error_code krb5_kt_read_service_key (krb5_context, krb5_pointer, krb5_principal, krb5_kvno, krb5_enctype, krb5_keyblock**);
krb5_error_code krb5_mk_safe (krb5_context, krb5_auth_context, const krb5_data*, krb5_data*, krb5_replay_data*);
krb5_error_code krb5_mk_priv (krb5_context, krb5_auth_context, const krb5_data*, krb5_data*, krb5_replay_data*);
krb5_error_code krb5_cc_register (krb5_context, krb5_cc_ops*, krb5_boolean);
krb5_error_code krb5_sendauth (krb5_context, krb5_auth_context*, krb5_pointer, char*, krb5_principal, krb5_principal, krb5_flags, krb5_data*, krb5_creds*, krb5_ccache, krb5_error**, krb5_ap_rep_enc_part**, krb5_creds**);
krb5_error_code krb5_recvauth (krb5_context, krb5_auth_context*, krb5_pointer, char*, krb5_principal, krb5_int32, krb5_keytab, krb5_ticket**);
-krb5_error_code krb5_walk_realm_tree (krb5_context, const krb5_data*, const krb5_data*, krb5_principal**, int);
-krb5_error_code krb5_mk_ncred (krb5_context, krb5_auth_context, krb5_creds**, krb5_data**, krb5_replay_data*);
-krb5_error_code krb5_mk_1cred (krb5_context, krb5_auth_context, krb5_creds*, krb5_data**, krb5_replay_data*);
krb5_error_code krb5_rd_cred (krb5_context, krb5_auth_context, krb5_data*, krb5_creds***, krb5_replay_data*);
krb5_error_code krb5_fwd_tgt_creds (krb5_context, krb5_auth_context, char*, krb5_principal, krb5_principal, krb5_ccache, int forwardable, krb5_data*);
krb5_error_code krb5_auth_con_init (krb5_context, krb5_auth_context*);
@@ -190,7 +123,6 @@ krb5_error_code krb5_auth_con_getkey (krb5_context, krb5_auth_context, krb5_keyb
krb5_error_code krb5_auth_con_getlocalsubkey (krb5_context, krb5_auth_context, krb5_keyblock**);
krb5_error_code krb5_auth_con_set_req_cksumtype (krb5_context, krb5_auth_context, krb5_cksumtype);
krb5_error_code krb5_auth_con_set_safe_cksumtype (krb5_context, krb5_auth_context, krb5_cksumtype);
-krb5_error_code krb5_auth_con_getcksumtype (krb5_context, krb5_auth_context, krb5_cksumtype*);
krb5_error_code krb5_auth_con_getlocalseqnumber (krb5_context, krb5_auth_context, krb5_int32*);
krb5_error_code krb5_auth_con_getremoteseqnumber (krb5_context, krb5_auth_context, krb5_int32*);
krb5_error_code krb5_auth_con_initivector (krb5_context, krb5_auth_context);
@@ -201,20 +133,10 @@ krb5_error_code krb5_auth_con_getrcache (krb5_context, krb5_auth_context, krb5_r
krb5_error_code krb5_auth_con_getauthenticator (krb5_context, krb5_auth_context, krb5_authenticator**);
krb5_error_code krb5_auth_con_getremotesubkey (krb5_context, krb5_auth_context, krb5_keyblock**);
krb5_error_code krb5_read_password (krb5_context, const char*, const char*, char*, int*);
-krb5_error_code krb5_aname_to_localname (krb5_context, krb5_const_principal, const int, char*);
krb5_error_code krb5_get_host_realm (krb5_context, const char*, char***);
krb5_error_code krb5_free_host_realm (krb5_context, char* const*);
-krb5_error_code krb5_get_realm_domain (krb5_context, const char*, char**);
-krb5_boolean krb5_kuserok (krb5_context, krb5_principal, const char*);
krb5_error_code krb5_auth_con_genaddrs (krb5_context, krb5_auth_context, int, int);
-krb5_error_code krb5_gen_portaddr (krb5_context, const krb5_address*, krb5_const_pointer, krb5_address**);
-krb5_error_code krb5_make_fulladdr (krb5_context, krb5_address*, krb5_address*, krb5_address*);
-krb5_error_code krb5_os_hostaddr (krb5_context, const char*, krb5_address***);
-krb5_error_code krb5_set_real_time (krb5_context, krb5_int32, krb5_int32);
-krb5_error_code krb5_set_debugging_time (krb5_context, krb5_int32, krb5_int32);
-krb5_error_code krb5_use_natural_time (krb5_context);
krb5_error_code krb5_get_time_offsets (krb5_context, krb5_int32*, krb5_int32*);
-krb5_error_code krb5_set_time_offsets (krb5_context, krb5_int32, krb5_int32);
krb5_error_code krb5_string_to_enctype (char*, krb5_enctype*);
krb5_error_code krb5_string_to_salttype (char*, krb5_int32*);
krb5_error_code krb5_string_to_cksumtype (char*, krb5_cksumtype*);
@@ -226,7 +148,6 @@ krb5_error_code krb5_cksumtype_to_string (krb5_cksumtype, char*, size_t);
krb5_error_code krb5_timestamp_to_string (krb5_timestamp, char*, size_t);
krb5_error_code krb5_timestamp_to_sfstring (krb5_timestamp, char*, size_t, char*);
krb5_error_code krb5_deltat_to_string (krb5_deltat, char*, size_t);
-krb5_error_code krb5_prompter_posix (krb5_context context, void*data, const char*name, const char*banner, int num_prompts, krb5_prompt prompts[]);
void krb5_get_init_creds_opt_init (krb5_get_init_creds_opt*opt);
void krb5_get_init_creds_opt_set_tkt_life (krb5_get_init_creds_opt*opt, krb5_deltat tkt_life);
void krb5_get_init_creds_opt_set_renew_life (krb5_get_init_creds_opt*opt, krb5_deltat renew_life);
@@ -238,12 +159,5 @@ void krb5_get_init_creds_opt_set_preauth_list (krb5_get_init_creds_opt*opt, krb5
void krb5_get_init_creds_opt_set_salt (krb5_get_init_creds_opt*opt, krb5_data*salt);
krb5_error_code krb5_get_init_creds_password (krb5_context context, krb5_creds*creds, krb5_principal client, char*password, krb5_prompter_fct prompter, void*data, krb5_deltat start_time, char*in_tkt_service, krb5_get_init_creds_opt*options);
krb5_error_code krb5_get_init_creds_keytab (krb5_context context, krb5_creds*creds, krb5_principal client, krb5_keytab arg_keytab, krb5_deltat start_time, char*in_tkt_service, krb5_get_init_creds_opt*options);
-void krb5_verify_init_creds_opt_init (krb5_verify_init_creds_opt*options);
-void krb5_verify_init_creds_opt_set_ap_req_nofail (krb5_verify_init_creds_opt*options, int ap_req_nofail);
-krb5_error_code krb5_verify_init_creds (krb5_context context, krb5_creds*creds, krb5_principal ap_req_server, krb5_keytab ap_req_keytab, krb5_ccache*ccache, krb5_verify_init_creds_opt*options);
krb5_error_code krb5_get_validated_creds (krb5_context context, krb5_creds*creds, krb5_principal client, krb5_ccache ccache, char*in_tkt_service);
krb5_error_code krb5_get_renewed_creds (krb5_context context, krb5_creds*creds, krb5_principal client, krb5_ccache ccache, char*in_tkt_service);
-krb5_error_code krb5_realm_iterator_create (krb5_context context, void**iter_p);
-krb5_error_code krb5_realm_iterator (krb5_context context, void**iter_p, char**ret_realm);
-void krb5_realm_iterator_free (krb5_context context, void**iter_p);
-void krb5_free_realm_string (krb5_context context, char*str);
diff --git a/src/mac/K5Library.exp b/src/mac/K5Library.exp
index cf710dc..49f70c4 100644
--- a/src/mac/K5Library.exp
+++ b/src/mac/K5Library.exp
@@ -33,6 +33,7 @@
krb5_free_creds
krb5_free_data
krb5_free_data_contents
+ krb5_free_default_realm
krb5_free_enc_kdc_rep_part
krb5_free_enc_tkt_part
krb5_free_error
@@ -41,6 +42,7 @@
krb5_free_kdc_req
krb5_free_keyblock
krb5_free_keyblock_contents
+ krb5_free_ktypes
krb5_free_last_req
krb5_free_pa_data
krb5_free_principal
@@ -77,7 +79,11 @@
krb5_get_init_creds_password
krb5_get_init_creds_keytab
krb5_get_init_creds_opt_init
+ krb5_get_validated_creds
+ krb5_get_renewed_creds
krb5_get_notification_message
+ krb5_get_tgs_ktypes
+ krb5_get_time_offsets
krb5_init_context
krb5_mk_error
krb5_mk_priv
@@ -88,6 +94,7 @@
krb5_os_localaddr
krb5_parse_name
krb5_principal_compare
+ krb5_get_prompt_types
krb5_rd_cred
krb5_rd_error
krb5_rd_priv
@@ -121,16 +128,6 @@
krb5_finish_random_key
krb5_random_key
#
- krb5_c_decrypt
- krb5_c_encrypt
- krb5_c_encrypt_length
- krb5_c_checksum_length
- krb5_c_block_size
- krb5_c_make_checksum
- krb5_c_verify_checksum
- krb5_c_random_make_octets
- krb5_c_keyed_checksum_types
-#
krb5_425_conv_principal
krb5_524_conv_principal
#
@@ -193,31 +190,50 @@
#
krb5_cc_set_default_name
#
- krb5_rc_default
- krb5_rc_register_type
- krb5_rc_resolve_type
- krb5_rc_resolve_full
- krb5_rc_get_type
- krb5_rc_default_type
- krb5_rc_default_name
- krb5_auth_to_rep
-#
krb5_get_profile
+#
+# Added for 1.2:
+ krb5_decode_ticket
+
+# Added post 1.2.2
+ krb5_cc_get_name
+ krb5_cc_gen_new
+ krb5_cc_initialize
+ krb5_cc_destroy
+ krb5_cc_close
+ krb5_cc_store_cred
+ krb5_cc_retrieve_cred
+ krb5_cc_get_principal
+ krb5_cc_start_seq_get
+ krb5_cc_next_cred
+ krb5_cc_end_seq_get
+ krb5_cc_remove_cred
+ krb5_cc_set_flags
+ krb5_cc_get_type
+
+
#Temporary exports (DO NOT USE)
- decode_krb5_ticket # remove in next version
- krb5_random_confounder
- krb5_size_opaque
- krb5_internalize_opaque
- krb5_externalize_opaque
- krb5_ser_pack_int32
- krb5_ser_unpack_int32
- krb5_ser_pack_bytes
- krb5_ser_unpack_bytes
- krb5_ser_auth_context_init
- krb5_ser_context_init
- krb5_ser_ccache_init
- krb5_ser_keytab_init
- krb5_ser_rcache_init
- decode_krb5_ap_req # remove in next version
- krb5_mcc_ops
+ krb5_size_opaque # GSSAPI
+ krb5_internalize_opaque # GSSAPI
+ krb5_externalize_opaque # GSSAPI
+ krb5_ser_pack_int32 # GSSAPI
+ krb5_ser_unpack_int32 # GSSAPI
+ krb5_ser_pack_bytes # GSSAPI
+ krb5_ser_unpack_bytes # GSSAPI
+ krb5_ser_auth_context_init # GSSAPI
+ krb5_ser_context_init # GSSAPI
+ krb5_ser_ccache_init # GSSAPI
+ krb5_ser_keytab_init # GSSAPI
+ krb5_ser_rcache_init # GSSAPI
+ decode_krb5_ap_req # GSSAPI
+ krb5_mcc_ops # GSSAPI
+ krb5_c_keyed_checksum_types # GSSAPI
+ krb5_c_random_make_octets # GSSAPI
+ krb5_c_encrypt # GSSAPI
+ krb5_c_make_checksum # GSSAPI
+ krb5_c_decrypt # GSSAPI
+ krb5_c_verify_checksum # GSSAPI
+ krb5_c_block_size # GSSAPI
+ krb5_c_checksum_length # GSSAPI
+ krb5_c_encrypt_length # GSSAPI \ No newline at end of file
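Review bot: The nine `krb5_c_*` entries now sit under `#Temporary exports (DO NOT USE)` with a `# GSSAPI` tag, but Kerberos5.pbexp, added in this same commit, lists the same nine functions under `# Crypto API` as public, and Kerberos5PrivateLib.pbexp lists them as private. A reader cannot tell from these three lists whether the crypto entry points are supported API. The block header should state the intent, with something like `# Exported here only for GSSAPI; see Kerberos5.pbexp for the public Mac OS X list`. The last entry also lacks a trailing newline, which is worth adding so that later appends cannot fuse with it.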
diff --git a/src/mac/Kerberos5CoreExport.jam b/src/mac/Kerberos5CoreExport.jam
new file mode 100644
index 0000000..baaa8ac
--- /dev/null
+++ b/src/mac/Kerberos5CoreExport.jam
@@ -0,0 +1,21 @@
+include "/Developer/Makefiles/pbx_jamfiles/Jambase" ;
+
+rule Kerberos5Core.pbexp
+{
+ DEPENDS "$(1)" : "$(2)" ;
+}
+
+actions Kerberos5Core.pbexp
+{
+ cat "$(2)" > "$(1)"
+}
+
+GSSKRB5_TEMP_DIR = "$(SYMROOT)/GSSKerberos5.intermediates" ;
+EXPORT_DIR = "$(SRCROOT)" ;
+Kerberos5Core.pbexp "$(GSSKRB5_TEMP_DIR)/Kerberos5Core.pbexp" :
+ "$(EXPORT_DIR)/Kerberos5Lib.pbexp"
+ "$(EXPORT_DIR)/Kerberos5PrivateLib.pbexp" ;
+
+DEPENDS install : all ;
+DEPENDS all : "$(GSSKRB5_TEMP_DIR)/Kerberos5Core.pbexp" ;
+Clean.Remove clean : "$(GSSKRB5_TEMP_DIR)/Kerberos5Core.pbexp" ;
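Review bot: The `cat "$(2)" > "$(1)"` action joins the source lists byte for byte, so the generated Kerberos5Core.pbexp is only well-formed while every source except the last ends in a newline. Kerberos5PrivateLib.pbexp as added in this commit has no trailing newline, so it works only because it is listed last. Reordering the sources or appending a third file would fuse `_krb5_get_tgs_ktypes` with the next line and silently change the exported symbol set. End each .pbexp with a newline and record the assumption above the action, e.g. `# Sources are concatenated verbatim; each must end with a newline.` The absolute `include "/Developer/Makefiles/pbx_jamfiles/Jambase"` also ties the build to one tool layout and deserves a comment.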
diff --git a/src/mac/Kerberos5Lib.exp b/src/mac/Kerberos5Lib.exp
new file mode 100644
index 0000000..36d7a80
--- /dev/null
+++ b/src/mac/Kerberos5Lib.exp
@@ -0,0 +1,225 @@
+#----------------------------------------------------
+# Kerberos5Lib.exp
+#
+# Public Kerberos v5 API
+#----------------------------------------------------
+
+# Kerberos 5
+ krb5_build_principal
+ krb5_build_principal_ext
+ krb5_copy_addr
+ krb5_copy_addresses
+ krb5_copy_authdata
+ krb5_copy_authenticator
+ krb5_copy_checksum
+ krb5_copy_creds
+ krb5_copy_data
+ krb5_copy_keyblock
+ krb5_copy_keyblock_contents
+ krb5_copy_principal
+ krb5_copy_ticket
+ krb5_decrypt_tkt_part
+ krb5_free_address
+ krb5_free_addresses
+ krb5_free_ap_rep
+ krb5_free_ap_rep_enc_part
+ krb5_free_ap_req
+ krb5_free_authdata
+ krb5_free_authenticator
+ krb5_free_authenticator_contents
+ krb5_free_checksum
+ krb5_free_context
+ krb5_free_cred
+ krb5_free_cred_contents
+ krb5_free_cred_enc_part
+ krb5_free_creds
+ krb5_free_data
+ krb5_free_data_contents
+ krb5_free_default_realm
+ krb5_free_enc_kdc_rep_part
+ krb5_free_enc_tkt_part
+ krb5_free_error
+ krb5_free_host_realm
+ krb5_free_kdc_rep
+ krb5_free_kdc_req
+ krb5_free_keyblock
+ krb5_free_keyblock_contents
+ krb5_free_last_req
+ krb5_free_pa_data
+ krb5_free_principal
+ krb5_free_priv
+ krb5_free_priv_enc_part
+ krb5_free_pwd_data
+ krb5_free_pwd_sequences
+ krb5_free_safe
+ krb5_free_tgt_creds
+ krb5_free_ticket
+ krb5_free_tickets
+ krb5_free_tkt_authent
+ krb5_free_checksum_contents
+ krb5_free_cksumtypes
+ krb5_fwd_tgt_creds
+ krb5_get_credentials
+ krb5_get_credentials_renew
+ krb5_get_credentials_validate
+ krb5_get_default_realm
+ krb5_get_host_realm
+ krb5_get_in_tkt
+ krb5_get_in_tkt_with_keytab
+ krb5_get_in_tkt_with_password
+ krb5_get_in_tkt_with_skey
+ krb5_get_init_creds_opt_init
+ krb5_get_init_creds_opt_set_tkt_life
+ krb5_get_init_creds_opt_set_renew_life
+ krb5_get_init_creds_opt_set_forwardable
+ krb5_get_init_creds_opt_set_proxiable
+ krb5_get_init_creds_opt_set_etype_list
+ krb5_get_init_creds_opt_set_address_list
+ krb5_get_init_creds_opt_set_preauth_list
+ krb5_get_init_creds_opt_set_salt
+ krb5_get_init_creds_password
+ krb5_get_init_creds_keytab
+ krb5_get_validated_creds
+ krb5_get_renewed_creds
+ krb5_get_notification_message
+ krb5_get_time_offsets
+ krb5_init_context
+ krb5_mk_error
+ krb5_mk_priv
+ krb5_mk_rep
+ krb5_mk_req
+ krb5_mk_req_extended
+ krb5_mk_safe
+ krb5_os_localaddr
+ krb5_parse_name
+ krb5_principal_compare
+ krb5_get_prompt_types
+ krb5_rd_cred
+ krb5_rd_error
+ krb5_rd_priv
+ krb5_rd_rep
+ krb5_rd_req
+ krb5_rd_safe
+ krb5_read_password
+ krb5_recvauth
+ krb5_sendauth
+ krb5_sname_to_principal
+ krb5_timeofday
+ krb5_unparse_name
+ krb5_unparse_name_ext
+ krb5_free_unparsed_name
+ krb5_us_timeofday
+ krb5_get_server_rcache
+#
+ krb5_use_enctype
+ krb5_checksum_size
+ krb5_encrypt_size
+ krb5_calculate_checksum
+ krb5_verify_checksum
+ krb5_eblock_enctype
+#
+ krb5_decrypt
+ krb5_encrypt
+ krb5_string_to_key
+ krb5_process_key
+ krb5_finish_key
+ krb5_init_random_key
+ krb5_finish_random_key
+ krb5_random_key
+#
+ krb5_425_conv_principal
+ krb5_524_conv_principal
+#
+ krb5_cksumtype_to_string
+ krb5_deltat_to_string
+ krb5_enctype_to_string
+ krb5_salttype_to_string
+ krb5_string_to_cksumtype
+ krb5_string_to_deltat
+ krb5_string_to_enctype
+ krb5_string_to_salttype
+ krb5_string_to_timestamp
+ krb5_timestamp_to_sfstring
+ krb5_timestamp_to_string
+#
+ krb5_auth_con_init
+ krb5_auth_con_free
+ krb5_auth_con_setflags
+ krb5_auth_con_getflags
+ krb5_auth_con_setaddrs
+ krb5_auth_con_getaddrs
+ krb5_auth_con_setports
+ krb5_auth_con_setuseruserkey
+ krb5_auth_con_getkey
+ krb5_auth_con_getlocalsubkey
+ krb5_auth_con_set_req_cksumtype
+ krb5_auth_con_set_safe_cksumtype
+# krb5_auth_con_getcksumtype Why is this missing from sources?
+ krb5_auth_con_getlocalseqnumber
+ krb5_auth_con_getremoteseqnumber
+ krb5_auth_con_initivector
+ krb5_auth_con_getivector
+ krb5_auth_con_setivector
+ krb5_auth_con_setrcache
+ krb5_auth_con_getrcache
+ krb5_auth_con_getremotesubkey
+ krb5_auth_con_getauthenticator
+ krb5_auth_con_genaddrs
+#
+ krb5_cc_default
+ krb5_cc_default_name
+ krb5_cc_register
+ krb5_cc_resolve
+#
+ krb5_kt_default
+ krb5_kt_register
+ krb5_kt_resolve
+ krb5_kt_add_entry
+ krb5_kt_free_entry
+ krb5_kt_read_service_key
+ krb5_kt_remove_entry
+
+#
+ krb5_change_password
+#
+ krb5_cc_set_default_name
+#
+ krb5_get_profile
+#
+# Added for 1.2:
+ krb5_decode_ticket
+
+# Added post 1.2.2
+ krb5_cc_get_name
+ krb5_cc_gen_new
+ krb5_cc_initialize
+ krb5_cc_destroy
+ krb5_cc_close
+ krb5_cc_store_cred
+ krb5_cc_retrieve_cred
+ krb5_cc_get_principal
+ krb5_cc_start_seq_get
+ krb5_cc_next_cred
+ krb5_cc_end_seq_get
+ krb5_cc_remove_cred
+ krb5_cc_set_flags
+ krb5_cc_get_type
+
+# Added for 4.0 Carbon compat in Mac OS X
+ krb5_kuserok
+ krb5_aname_to_localname
+ krb5_build_principal_va
+ krb5_rc_default
+ krb5_rc_default_name
+ krb5_rc_default_type
+ krb5_rc_get_type
+ krb5_rc_register_type
+ krb5_rc_resolve_full
+ krb5_rc_resolve_type
+ krb5_verify_init_creds
+ krb5_verify_init_creds_opt_init
+ krb5_verify_init_creds_opt_set_ap_req_nofail
+ krb5_address_compare
+ krb5_address_order
+ krb5_address_search
+ \ No newline at end of file
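Review bot: The old crypto entry points (`krb5_use_enctype` through `krb5_eblock_enctype`, and `krb5_decrypt` through `krb5_random_key`) and the `krb5_get_in_tkt*` calls are listed under `# Public Kerberos v5 API` with only a bare `#` separator. Kerberos5.pbexp in this same commit puts the same symbols under `# DEPRECATED:` / `# Old crypto API`. Replacing the bare separators with `# Old crypto API (deprecated)` and `# Old initial tickets API (deprecated)` would keep the lists consistent and steer new callers away from them. The open question in `# krb5_auth_con_getcksumtype Why is this missing from sources?` should be resolved or turned into a tracked TODO before it ships in an export list. Kerberos5Lib.pbexp, the next file in this commit, has the same two issues.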
diff --git a/src/mac/Kerberos5Lib.pbexp b/src/mac/Kerberos5Lib.pbexp
new file mode 100644
index 0000000..0e082f8
--- /dev/null
+++ b/src/mac/Kerberos5Lib.pbexp
@@ -0,0 +1,225 @@
+#----------------------------------------------------
+# Kerberos5Lib.pbexp
+#
+# Public Kerberos v5 API
+#----------------------------------------------------
+
+# Kerberos 5
+ _krb5_build_principal
+ _krb5_build_principal_ext
+ _krb5_copy_addr
+ _krb5_copy_addresses
+ _krb5_copy_authdata
+ _krb5_copy_authenticator
+ _krb5_copy_checksum
+ _krb5_copy_creds
+ _krb5_copy_data
+ _krb5_copy_keyblock
+ _krb5_copy_keyblock_contents
+ _krb5_copy_principal
+ _krb5_copy_ticket
+ _krb5_decrypt_tkt_part
+ _krb5_free_address
+ _krb5_free_addresses
+ _krb5_free_ap_rep
+ _krb5_free_ap_rep_enc_part
+ _krb5_free_ap_req
+ _krb5_free_authdata
+ _krb5_free_authenticator
+ _krb5_free_authenticator_contents
+ _krb5_free_checksum
+ _krb5_free_context
+ _krb5_free_cred
+ _krb5_free_cred_contents
+ _krb5_free_cred_enc_part
+ _krb5_free_creds
+ _krb5_free_data
+ _krb5_free_data_contents
+ _krb5_free_default_realm
+ _krb5_free_enc_kdc_rep_part
+ _krb5_free_enc_tkt_part
+ _krb5_free_error
+ _krb5_free_host_realm
+ _krb5_free_kdc_rep
+ _krb5_free_kdc_req
+ _krb5_free_keyblock
+ _krb5_free_keyblock_contents
+ _krb5_free_last_req
+ _krb5_free_pa_data
+ _krb5_free_principal
+ _krb5_free_priv
+ _krb5_free_priv_enc_part
+ _krb5_free_pwd_data
+ _krb5_free_pwd_sequences
+ _krb5_free_safe
+ _krb5_free_tgt_creds
+ _krb5_free_ticket
+ _krb5_free_tickets
+ _krb5_free_tkt_authent
+ _krb5_free_checksum_contents
+ _krb5_free_cksumtypes
+ _krb5_fwd_tgt_creds
+ _krb5_get_credentials
+ _krb5_get_credentials_renew
+ _krb5_get_credentials_validate
+ _krb5_get_default_realm
+ _krb5_get_host_realm
+ _krb5_get_in_tkt
+ _krb5_get_in_tkt_with_keytab
+ _krb5_get_in_tkt_with_password
+ _krb5_get_in_tkt_with_skey
+ _krb5_get_init_creds_opt_init
+ _krb5_get_init_creds_opt_set_tkt_life
+ _krb5_get_init_creds_opt_set_renew_life
+ _krb5_get_init_creds_opt_set_forwardable
+ _krb5_get_init_creds_opt_set_proxiable
+ _krb5_get_init_creds_opt_set_etype_list
+ _krb5_get_init_creds_opt_set_address_list
+ _krb5_get_init_creds_opt_set_preauth_list
+ _krb5_get_init_creds_opt_set_salt
+ _krb5_get_init_creds_password
+ _krb5_get_init_creds_keytab
+ _krb5_get_validated_creds
+ _krb5_get_renewed_creds
+ _krb5_get_notification_message
+ _krb5_get_time_offsets
+ _krb5_init_context
+ _krb5_mk_error
+ _krb5_mk_priv
+ _krb5_mk_rep
+ _krb5_mk_req
+ _krb5_mk_req_extended
+ _krb5_mk_safe
+ _krb5_os_localaddr
+ _krb5_parse_name
+ _krb5_principal_compare
+ _krb5_get_prompt_types
+ _krb5_rd_cred
+ _krb5_rd_error
+ _krb5_rd_priv
+ _krb5_rd_rep
+ _krb5_rd_req
+ _krb5_rd_safe
+ _krb5_recvauth
+ _krb5_sendauth
+ _krb5_sname_to_principal
+ _krb5_timeofday
+ _krb5_unparse_name
+ _krb5_unparse_name_ext
+ _krb5_free_unparsed_name
+ _krb5_us_timeofday
+ _krb5_get_server_rcache
+#
+ _krb5_use_enctype
+ _krb5_checksum_size
+ _krb5_encrypt_size
+ _krb5_calculate_checksum
+ _krb5_verify_checksum
+ _krb5_eblock_enctype
+#
+ _krb5_decrypt
+ _krb5_encrypt
+ _krb5_string_to_key
+ _krb5_process_key
+ _krb5_finish_key
+ _krb5_init_random_key
+ _krb5_finish_random_key
+ _krb5_random_key
+#
+ _krb5_425_conv_principal
+ _krb5_524_conv_principal
+#
+ _krb5_cksumtype_to_string
+ _krb5_deltat_to_string
+ _krb5_enctype_to_string
+ _krb5_salttype_to_string
+ _krb5_string_to_cksumtype
+ _krb5_string_to_deltat
+ _krb5_string_to_enctype
+ _krb5_string_to_salttype
+ _krb5_string_to_timestamp
+ _krb5_timestamp_to_sfstring
+ _krb5_timestamp_to_string
+#
+ _krb5_auth_con_init
+ _krb5_auth_con_free
+ _krb5_auth_con_setflags
+ _krb5_auth_con_getflags
+ _krb5_auth_con_setaddrs
+ _krb5_auth_con_getaddrs
+ _krb5_auth_con_setports
+ _krb5_auth_con_setuseruserkey
+ _krb5_auth_con_getkey
+ _krb5_auth_con_getlocalsubkey
+ _krb5_auth_con_set_req_cksumtype
+ _krb5_auth_con_set_safe_cksumtype
+# _krb5_auth_con_getcksumtype Why is this missing from sources?
+ _krb5_auth_con_getlocalseqnumber
+ _krb5_auth_con_getremoteseqnumber
+ _krb5_auth_con_initivector
+ _krb5_auth_con_getivector
+ _krb5_auth_con_setivector
+ _krb5_auth_con_setrcache
+ _krb5_auth_con_getrcache
+ _krb5_auth_con_getremotesubkey
+ _krb5_auth_con_getauthenticator
+ _krb5_auth_con_genaddrs
+#
+ _krb5_cc_default
+ _krb5_cc_default_name
+ _krb5_cc_register
+ _krb5_cc_resolve
+#
+ _krb5_kt_default
+ _krb5_kt_register
+ _krb5_kt_resolve
+ _krb5_kt_add_entry
+ _krb5_kt_free_entry
+ _krb5_kt_read_service_key
+ _krb5_kt_remove_entry
+
+#
+ _krb5_change_password
+#
+ _krb5_cc_set_default_name
+#
+ _krb5_get_profile
+#
+# Added for 1.2:
+ _krb5_decode_ticket
+
+# Added post 1.2.2
+ _krb5_cc_get_name
+ _krb5_cc_gen_new
+ _krb5_cc_initialize
+ _krb5_cc_destroy
+ _krb5_cc_close
+ _krb5_cc_store_cred
+ _krb5_cc_retrieve_cred
+ _krb5_cc_get_principal
+ _krb5_cc_start_seq_get
+ _krb5_cc_next_cred
+ _krb5_cc_end_seq_get
+ _krb5_cc_remove_cred
+ _krb5_cc_set_flags
+ _krb5_cc_get_type
+
+# Added for Mac OS X (used by command line apps)
+ _krb5_read_password
+ _krb5_prompter_posix
+ _krb5_kuserok
+ _krb5_aname_to_localname
+ _krb5_build_principal_va
+ _krb5_rc_default
+ _krb5_rc_default_name
+ _krb5_rc_default_type
+ _krb5_rc_get_type
+ _krb5_rc_register_type
+ _krb5_rc_resolve_full
+ _krb5_rc_resolve_type
+ _krb5_verify_init_creds
+ _krb5_verify_init_creds_opt_init
+ _krb5_verify_init_creds_opt_set_ap_req_nofail
+ _krb5_address_compare
+ _krb5_address_order
+ _krb5_address_search
diff --git a/src/mac/Kerberos5PrivateLib.pbexp b/src/mac/Kerberos5PrivateLib.pbexp
new file mode 100644
index 0000000..320e008
--- /dev/null
+++ b/src/mac/Kerberos5PrivateLib.pbexp
@@ -0,0 +1,36 @@
+#----------------------------------------------------
+# Kerberos5PrivateLib.pbexp
+#
+# Exports from Kerberos v5 library which are not
+# a part of the public API, but are needed by some
+# critical clients. Each call is annotated by the
+# offending client.
+#----------------------------------------------------
+ ___initializeK5
+
+ _krb5_size_opaque
+ _krb5_internalize_opaque
+ _krb5_externalize_opaque
+ _krb5_ser_pack_int32
+ _krb5_ser_unpack_int32
+ _krb5_ser_pack_bytes
+ _krb5_ser_unpack_bytes
+ _krb5_ser_auth_context_init
+ _krb5_ser_context_init
+ _krb5_ser_ccache_init
+ _krb5_ser_keytab_init
+ _krb5_ser_rcache_init
+ _decode_krb5_ap_req
+ _krb5_mcc_ops
+ _krb5_c_keyed_checksum_types
+ _krb5_c_random_make_octets
+ _krb5_c_encrypt
+ _krb5_c_make_checksum
+ _krb5_c_decrypt
+ _krb5_c_verify_checksum
+ _krb5_c_block_size
+ _krb5_c_checksum_length
+ _krb5_c_encrypt_length
+ _krb5int_cc_default
+ _krb5_set_default_tgs_enctypes
+ _krb5_get_tgs_ktypes \ No newline at end of file
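Review bot: The header promises `Each call is annotated by the offending client`, yet none of the entries from `___initializeK5` to `_krb5_get_tgs_ktypes` carries an annotation. K5Library.exp in this commit tags the same serialization and crypto symbols with `# GSSAPI`. Carrying that tag over (e.g. `_krb5_ser_pack_int32 # GSSAPI`, or a comment line above each group if the .pbexp format does not accept trailing comments) would let a maintainer tell when an internal symbol can be withdrawn. The client for `_krb5int_cc_default`, `_krb5_set_default_tgs_enctypes` and `_krb5_get_tgs_ktypes` should be named too. As written, internal entry points such as `_decode_krb5_ap_req` stay exported with no record of who depends on them.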
diff --git a/src/mac/MacOSX/Headers/GSSInit.h b/src/mac/MacOSX/Headers/GSSInit.h
new file mode 100644
index 0000000..33c3668
--- /dev/null
+++ b/src/mac/MacOSX/Headers/GSSInit.h
@@ -0,0 +1,22 @@
+/* Copyright 2002 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+
+extern "C" void GSSInit (CFStringRef inBundleID);
+extern "C" void GSSTerminate (void); \ No newline at end of file
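Review bot: Both declarations use a bare `extern "C"`, which is a syntax error for any C translation unit that includes this header, and the header has no include guard. Wrapping the linkage specification in `#ifdef __cplusplus` and adding a guard keeps the header usable from both C and C++ sources. Kerberos5Init.h and KerberosProfileInit.h, added later in this commit, have the same two issues and need the same change. The file also lacks a trailing newline.

```c
/* … unchanged: MIT copyright notice … */
#ifndef GSSINIT_H
#define GSSINIT_H

#include <CoreFoundation/CoreFoundation.h>

#ifdef __cplusplus
extern "C" {
#endif

void GSSInit (CFStringRef inBundleID);
void GSSTerminate (void);

#ifdef __cplusplus
}
#endif

#endif /* GSSINIT_H */
```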
diff --git a/src/mac/MacOSX/Headers/Kerberos5Init.h b/src/mac/MacOSX/Headers/Kerberos5Init.h
new file mode 100644
index 0000000..75385f5
--- /dev/null
+++ b/src/mac/MacOSX/Headers/Kerberos5Init.h
@@ -0,0 +1,22 @@
+/* Copyright 2002 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+
+extern "C" void Kerberos5Init (CFStringRef inBundleID);
+extern "C" void Kerberos5Terminate (void);
diff --git a/src/mac/MacOSX/Headers/Kerberos5Prefix.h b/src/mac/MacOSX/Headers/Kerberos5Prefix.h
new file mode 100644
index 0000000..5d7618f
--- /dev/null
+++ b/src/mac/MacOSX/Headers/Kerberos5Prefix.h
@@ -0,0 +1,87 @@
+#ifndef __ASSEMBLER__
+#include <TargetConditionals.h>
+
+/* Macros for crypto types so they don't conflict with KerberosDES */
+#define make_key_sched mit_make_key_sched
+#define des_FP_table mit_des_FP_table
+#define des_IP_table mit_des_IP_table
+#define des_SP_table mit_des_SP_table
+
+#define SIZEOF_LONG 4
+#define SIZEOF_INT 4
+#define SIZEOF_SHORT 2
+
+/* define while building krb5 libraries */
+#define KRB5_PRIVATE 1
+#define KRB524_PRIVATE 1
+
+#define KRB5_DLLIMP
+#define GSS_DLLIMP
+#define KRB5_CALLCONV
+#define KRB5_CALLCONV_C
+#define FAR
+
+#define krb5_sigtype void
+
+/* Note: code only checks #ifdef <foo> */
+#define USE_CCAPI 1
+#define USE_LOGIN_LIBRARY 1
+#define NO_PASSWORD 1
+#define KRB5_KRB4_COMPAT 1
+#define KINIT_DEFAULT_BOTH 1
+
+#define HAVE_SRAND 1
+#define HAVE_LABS 1
+
+#define HAVE_NETINET_IN_H 1
+#define HAVE_ARPA_INET_H 1
+#define HAVE_SYS_STAT_H 1
+#define HAVE_SYS_PARAM_H 1
+#define HAVE_UNISTD_H 1
+#define HAVE_STDLIB_H 1
+#define HAVE_STDARG_H 1
+#define HAVE_SYS_TYPES_H 1
+#define HAVE_PATHS_H 1
+#define HAVE_REGEX_H 1
+#define HAVE_REGEXP_H 1
+#define HAVE_FCNTL_H 1
+#define HAVE_MEMORY_H 1
+#define HAVE_PWD_H 1
+
+#define HAVE_PTHREADS 1
+
+#define HAVE_STAT 1
+#define HAVE_LSTAT 1
+#define HAVE_ACCESS 1
+#define HAVE_FLOCK 1
+
+#define HAVE_FCHMOD 1
+#define HAVE_CHMOD 1
+
+#define HAVE_STRFTIME 1
+#define HAVE_GETEUID 1
+
+#define HAVE_SETENV 1
+#define HAVE_UNSETENV 1
+#define HAVE_GETENV 1
+
+#define HAVE_GETUSERSHELL 1
+
+#define HAVE_SETSID 1
+#define HAVE_GETHOSTBYNAME2 1
+
+#define HAVE_VFPRINTF 1
+#define HAVE_VSPRINTF 1
+
+#define HAVE_STRDUP 1
+#define HAVE_STRCASECMP 1
+#define HAVE_STRERROR 1
+#define HAVE_MEMMOVE 1
+#define HAVE_DAEMON 1
+#define HAVE_GETUID 1
+#define HAVE_SSCANF 1
+#define HAVE_SYSLOG 1
+#define HAVE_REGEXEC 1
+#define HAVE_REGCOMP 1
+#define HAVE_SA_LEN 1
+#endif
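Review bot: `SIZEOF_LONG`, `SIZEOF_INT` and `SIZEOF_SHORT` are hard-coded to 4, 4 and 2, with nothing to catch a target where they are wrong. Code that selects integer widths from these macros (presumably the crypto and serialization sources) would then compute with the wrong sizes without any diagnostic. A compile-time check next to the defines costs nothing, e.g. `typedef char k5_check_sizeof_long[(sizeof(long) == SIZEOF_LONG) ? 1 : -1];`, with matching lines for `int` and `short`. The closing `#endif` would also read better as `#endif /* !__ASSEMBLER__ */`. The existing note that code only tests `#ifdef` is useful, and it should add that setting one of these to 0 does not disable it.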
diff --git a/src/mac/MacOSX/Headers/KerberosProfileInit.h b/src/mac/MacOSX/Headers/KerberosProfileInit.h
new file mode 100644
index 0000000..09fa926
--- /dev/null
+++ b/src/mac/MacOSX/Headers/KerberosProfileInit.h
@@ -0,0 +1,22 @@
+/* Copyright 2002 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include <CoreFoundation/CoreFoundation.h>
+
+extern "C" void KerberosProfileInit (CFStringRef inBundleID);
+extern "C" void KerberosProfileTerminate (void); \ No newline at end of file
diff --git a/src/mac/MacOSX/Headers/cr_tkt.h b/src/mac/MacOSX/Headers/cr_tkt.h
new file mode 100644
index 0000000..4a09c44
--- /dev/null
+++ b/src/mac/MacOSX/Headers/cr_tkt.h
@@ -0,0 +1,32 @@
+#include <Kerberos/krb5.h>
+#include <Kerberos/krb.h>
+
+int
+krb_create_ticket(
+ KTEXT tkt, /* Gets filled in by the ticket */
+ unsigned char flags, /* Various Kerberos flags */
+ char *pname, /* Principal's name */
+ char *pinstance, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ long paddress, /* Net address of requesting entity */
+ char *session, /* Session key inserted in ticket */
+ short life, /* Lifetime of the ticket */
+ long time_sec, /* Issue time and date */
+ char *sname, /* Service Name */
+ char *sinstance, /* Instance Name */
+ C_Block key); /* Service's secret key */
+
+extern int
+krb_cr_tkt_krb5(
+ KTEXT tkt, /* Gets filled in by the ticket */
+ unsigned char flags, /* Various Kerberos flags */
+ char *pname, /* Principal's name */
+ char *pinstance, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ long paddress, /* Net address of requesting entity */
+ char *session, /* Session key inserted in ticket */
+ short life, /* Lifetime of the ticket */
+ long time_sec, /* Issue time and date */
+ char *sname, /* Service Name */
+ char *sinstance, /* Instance Name */
+ krb5_keyblock *k5key); /* NULL if not present */
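Review bot: Neither prototype documents its return value or how many bytes are read through `session`, a bare `char *` that carries the session key with no length. A comment above each declaration should state the return convention, the expected size of the `session` buffer, and who owns and clears the key material, so that the contract can be checked at call sites. The header also has no include guard; `#ifndef CR_TKT_H` / `#define CR_TKT_H` at the top and `#endif /* CR_TKT_H */` at the end would fix that. `krb_create_ticket` is declared without `extern` while `krb_cr_tkt_krb5` has it, so one form should be used for both.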
diff --git a/src/mac/MacOSX/Projects/GSS.pbexp b/src/mac/MacOSX/Projects/GSS.pbexp
new file mode 100644
index 0000000..e61e856
--- /dev/null
+++ b/src/mac/MacOSX/Projects/GSS.pbexp
@@ -0,0 +1,96 @@
+#----------------------------------------------------
+# GSSAPI.EXP - GSSAPI.DLL module definition file
+#----------------------------------------------------
+
+ _gss_acquire_cred
+ _gss_release_cred
+ _gss_init_sec_context
+ _gss_accept_sec_context
+ _gss_process_context_token
+ _gss_delete_sec_context
+ _gss_context_time
+ _gss_sign
+ _gss_verify
+ _gss_seal
+ _gss_unseal
+ _gss_display_status
+ _gss_indicate_mechs
+ _gss_compare_name
+ _gss_display_name
+ _gss_import_name
+ _gss_release_name
+ _gss_release_buffer
+ _gss_release_oid_set
+ _gss_inquire_cred
+#
+# GSS-API v2 additional credential calls
+#
+ _gss_add_cred
+ _gss_inquire_cred_by_mech
+#
+# GSS-API v2 additional context-level calls
+#
+ _gss_inquire_context
+ _gss_wrap_size_limit
+ _gss_export_sec_context
+ _gss_import_sec_context
+#
+# GSS-API v2 additional calls for OID and OID_set operations
+#
+ _gss_release_oid
+ _gss_create_empty_oid_set
+ _gss_add_oid_set_member
+ _gss_test_oid_set_member
+ _gss_oid_to_str
+ _gss_str_to_oid
+#
+# GSS-API v2 renamed message protection calls
+#
+ _gss_wrap
+ _gss_unwrap
+ _gss_get_mic
+ _gss_verify_mic
+#
+# GSS-API v2 future extensions
+#
+ _gss_inquire_names_for_mech
+# _gss_inquire_mechs_for_name
+ _gss_canonicalize_name
+ _gss_export_name
+ _gss_duplicate_name
+#
+# krb5-specific CCache name stuff
+#
+ _gss_krb5_get_tkt_flags
+ _gss_krb5_copy_ccache
+ _gss_krb5_ccache_name
+
+#
+# GSS-API object identifiers from rfc 2744
+#
+
+_GSS_C_NT_USER_NAME
+_GSS_C_NT_MACHINE_UID_NAME
+_GSS_C_NT_STRING_UID_NAME
+_GSS_C_NT_HOSTBASED_SERVICE_X
+_GSS_C_NT_HOSTBASED_SERVICE
+_GSS_C_NT_ANONYMOUS
+_GSS_C_NT_EXPORT_NAME
+
+#
+# GSS-API compatibility symbols from gssapi_generic.h
+# (the same as rfc 2744 symbols)
+#
+
+_gss_nt_user_name
+_gss_nt_machine_uid_name
+_gss_nt_string_uid_name
+_gss_nt_service_name_v2
+_gss_nt_service_name
+_gss_nt_exported_name
+
+#
+# KRB5 Mechanism GSS-API object identifier from rfc 1964
+#
+
+_GSS_KRB5_NT_PRINCIPAL_NAME
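Review bot: The banner `# GSSAPI.EXP - GSSAPI.DLL module definition file` describes a different file and platform from this new src/mac/MacOSX/Projects/GSS.pbexp. It looks copied from another export list, so it should become something like `# GSS.pbexp - exported symbols for the Mac OS X GSS build`. The section `# krb5-specific CCache name stuff` also covers `_gss_krb5_get_tkt_flags`, which is not about ccache names; `# krb5-specific extensions` would be accurate. The commented-out `# _gss_inquire_mechs_for_name` needs a word on why it is withheld.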
diff --git a/src/mac/MacOSX/Projects/Kerberos5.pbexp b/src/mac/MacOSX/Projects/Kerberos5.pbexp
new file mode 100644
index 0000000..7660c62
--- /dev/null
+++ b/src/mac/MacOSX/Projects/Kerberos5.pbexp
@@ -0,0 +1,331 @@
+#----------------------------------------------------
+# Kerberos5Lib.pbexp
+#
+# Public Kerberos v5 API
+#----------------------------------------------------
+#
+ _krb5_realm_compare
+ _krb5_principal_compare
+#
+ _krb5_address_compare
+ _krb5_address_order
+ _krb5_address_search
+#
+ _krb5_init_context
+ _krb5_init_secure_context
+ _krb5_free_context
+#
+# Crypto API (Commented out ones needed for LPRng)
+ _krb5_c_encrypt
+ _krb5_c_decrypt
+ _krb5_c_encrypt_length
+ _krb5_c_block_size
+ _krb5_c_make_random_key
+ _krb5_c_random_make_octets
+ _krb5_c_random_seed
+#
+# Will be added for 1.3
+# _krb5_c_random_os_entropy
+# _krb5_c_random_add_entropy
+# _krb5_c_init_state
+# _krb5_c_free_state
+#
+ _krb5_c_string_to_key
+ _krb5_c_enctype_compare
+ _krb5_c_make_checksum
+ _krb5_c_verify_checksum
+ _krb5_c_checksum_length
+ _krb5_c_keyed_checksum_types
+#
+# Needs to be renamed to krb5_c_
+ _krb5_c_valid_enctype
+ _krb5_c_valid_cksumtype
+ _krb5_c_is_coll_proof_cksum
+ _krb5_c_is_keyed_cksum
+#
+ _krb5_auth_con_genaddrs
+ _krb5_auth_con_init
+ _krb5_auth_con_free
+ _krb5_auth_con_setflags
+ _krb5_auth_con_getflags
+ _krb5_auth_con_setaddrs
+ _krb5_auth_con_getaddrs
+ _krb5_auth_con_setports
+ _krb5_auth_con_setuseruserkey
+ _krb5_auth_con_getkey
+ _krb5_auth_con_getlocalsubkey
+ _krb5_auth_con_getremotesubkey
+ _krb5_auth_con_getlocalseqnumber
+ _krb5_auth_con_getremoteseqnumber
+ _krb5_auth_con_setrcache
+ _krb5_auth_con_getrcache
+ _krb5_auth_con_getauthenticator
+#
+# Krb5 Credentials Cache API
+ _krb5_cc_get_name
+ _krb5_cc_gen_new
+ _krb5_cc_initialize
+ _krb5_cc_destroy
+ _krb5_cc_close
+ _krb5_cc_store_cred
+ _krb5_cc_retrieve_cred
+ _krb5_cc_get_principal
+ _krb5_cc_start_seq_get
+ _krb5_cc_next_cred
+ _krb5_cc_end_seq_get
+ _krb5_cc_remove_cred
+ _krb5_cc_set_flags
+ _krb5_cc_get_type
+#
+ _krb5_cc_default
+ _krb5_cc_default_name
+ _krb5_cc_set_default_name
+ _krb5_cc_resolve
+ _krb5_cc_copy_creds
+#
+# Keytab interface (add macros)
+ _krb5_kt_get_type
+ _krb5_kt_get_name
+ _krb5_kt_close
+ _krb5_kt_get_entry
+ _krb5_kt_start_seq_get
+ _krb5_kt_next_entry
+ _krb5_kt_end_seq_get
+#
+ _krb5_kt_resolve
+ _krb5_kt_default_name
+ _krb5_kt_default
+ _krb5_kt_add_entry
+ _krb5_kt_remove_entry
+ _krb5_kt_read_service_key
+#
+ _krb5_prompter_posix
+#
+ _krb5_get_init_creds_opt_init
+ _krb5_get_init_creds_opt_set_tkt_life
+ _krb5_get_init_creds_opt_set_renew_life
+ _krb5_get_init_creds_opt_set_forwardable
+ _krb5_get_init_creds_opt_set_proxiable
+ _krb5_get_init_creds_opt_set_etype_list
+ _krb5_get_init_creds_opt_set_address_list
+ _krb5_get_init_creds_opt_set_preauth_list
+ _krb5_get_init_creds_opt_set_salt
+#
+ _krb5_get_init_creds_password
+ _krb5_get_init_creds_keytab
+#
+ _krb5_get_prompt_types
+#
+ _krb5_verify_init_creds
+ _krb5_verify_init_creds_opt_init
+ _krb5_verify_init_creds_opt_set_ap_req_nofail
+#
+ _krb5_set_default_tgs_enctypes
+#
+ _krb5_free_tgt_creds
+#
+ _krb5_get_credentials
+ _krb5_get_credentials_renew
+ _krb5_get_credentials_validate
+#
+ _krb5_mk_req
+ _krb5_mk_req_extended
+ _krb5_rd_req
+ _krb5_mk_rep
+ _krb5_rd_rep
+ _krb5_mk_error
+ _krb5_rd_error
+ _krb5_mk_priv
+ _krb5_rd_priv
+ _krb5_mk_safe
+ _krb5_rd_safe
+#
+ _krb5_mk_ncred
+ _krb5_mk_1cred
+ _krb5_rd_cred
+#
+ _krb5_recvauth
+ _krb5_sendauth
+ _krb5_recvauth_version
+#
+ _krb5_fwd_tgt_creds
+#
+ _krb5_parse_name
+ _krb5_unparse_name
+ _krb5_unparse_name_ext
+ _krb5_set_principal_realm
+ _krb5_free_unparsed_name
+#
+ _krb5_get_server_rcache
+ _krb5_build_principal
+ _krb5_build_principal_ext
+ _krb5_build_principal_va
+#
+ _krb5_425_conv_principal
+ _krb5_524_conv_principal
+#
+ _krb5_get_host_realm
+ _krb5_free_host_realm
+#
+ _krb5_copy_principal
+ _krb5_free_principal
+#
+ _krb5_copy_authenticator
+ _krb5_free_authenticator
+#
+ _krb5_copy_addresses
+ _krb5_free_addresses
+#
+ _krb5_copy_authdata
+ _krb5_free_authdata
+#
+ _krb5_copy_ticket
+ _krb5_free_ticket
+#
+ _krb5_free_error
+#
+ _krb5_copy_creds
+ _krb5_free_creds
+ _krb5_free_cred_contents
+#
+ _krb5_copy_checksum
+ _krb5_free_checksum
+ _krb5_free_checksum_contents
+#
+ _krb5_init_keyblock
+ _krb5_copy_keyblock
+ _krb5_copy_keyblock_contents
+ _krb5_free_keyblock
+ _krb5_free_keyblock_contents
+#
+ _krb5_free_keytab_entry_contents
+#
+ _krb5_free_ap_rep_enc_part
+#
+ _krb5_copy_data
+ _krb5_free_data
+ _krb5_free_data_contents
+#
+ _krb5_free_cksumtypes
+#
+ _krb5_timeofday
+ _krb5_us_timeofday
+#
+ _krb5_os_localaddr
+#
+ _krb5_get_default_realm
+ _krb5_set_default_realm
+ _krb5_free_default_realm
+#
+ _krb5_sname_to_principal
+ _krb5_change_password
+#
+ _krb5_get_profile
+#
+ _krb5_read_password
+#
+ _krb5_aname_to_localname
+#
+ _krb5_kuserok
+#
+ _krb5_get_time_offsets
+#
+ _krb5_string_to_cksumtype
+ _krb5_cksumtype_to_string
+#
+ _krb5_string_to_deltat
+ _krb5_deltat_to_string
+#
+ _krb5_string_to_enctype
+ _krb5_enctype_to_string
+#
+ _krb5_string_to_salttype
+ _krb5_salttype_to_string
+#
+ _krb5_string_to_timestamp
+ _krb5_timestamp_to_sfstring
+ _krb5_timestamp_to_string
+#
+ _krb5_get_validated_creds
+ _krb5_get_renewed_creds
+#
+ _krb5_decode_ticket
+#
+ _krb5_appdefault_string
+ _krb5_appdefault_boolean
+#
+ _krb524_convert_creds_kdc
+#
+#
+# DEPRECATED:
+#
+# Used by LPRng, deprecated
+ _krb5_auth_con_initivector
+# Old initial tickets API
+ _krb5_get_in_tkt
+ _krb5_get_in_tkt_with_keytab
+ _krb5_get_in_tkt_with_password
+ _krb5_get_in_tkt_with_skey
+#
+# Old crypto API
+ _krb5_decrypt
+ _krb5_encrypt
+ _krb5_process_key
+ _krb5_finish_key
+ _krb5_string_to_key
+ _krb5_init_random_key
+ _krb5_finish_random_key
+ _krb5_random_key
+ _krb5_eblock_enctype
+ _krb5_use_enctype
+ _krb5_encrypt_size
+ _krb5_checksum_size
+ _krb5_calculate_checksum
+ _krb5_verify_checksum
+#
+#
+# PRIVATE
+#
+# _krb5_decrypt_tkt_part
+#
+# _krb5_auth_con_set_req_cksumtype
+# _krb5_auth_con_set_safe_cksumtype
+#
+# _krb5_auth_con_getivector
+# _krb5_auth_con_setivector
+#
+# _krb5_cc_register
+# _krb5_kt_register
+#
+# _krb5_free_pwd_data
+# _krb5_free_pwd_sequences
+#
+# _krb5_rc_default
+# _krb5_rc_register_type
+# _krb5_rc_resolve_type
+# _krb5_rc_resolve_full
+# _krb5_rc_get_type
+# _krb5_rc_default_type
+# _krb5_rc_default_name
+#
+# _krb5_get_notification_message
+#
+# _krb5_copy_addr
+# _krb5_free_address
+# _krb5_free_authenticator_contents
+# _krb5_free_enc_tkt_part
+# _krb5_free_enc_kdc_rep_part
+# _krb5_free_tickets
+# _krb5_free_kdc_rep
+# _krb5_free_kdc_req
+# _krb5_free_last_req
+# _krb5_free_ap_req
+# _krb5_free_ap_rep
+# _krb5_free_cred_enc_part
+# _krb5_free_pa_data
+# _krb5_free_cred
+# _krb5_free_tkt_authent
+# _krb5_free_priv
+# _krb5_free_priv_enc_part
+# _krb5_free_safe
+#
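Review bot: Several comments in this new list do not match what they head. The banner names `Kerberos5Lib.pbexp` although the file is Kerberos5.pbexp. `# Crypto API (Commented out ones needed for LPRng)` sits above a group with no commented-out entries. `# Needs to be renamed to krb5_c_` sits above four symbols that already start with `_krb5_c_`. Correcting these to `# Kerberos5.pbexp`, `# Crypto API`, and either dropping the rename note or saying what the old names were would make the list reliable as a record of the supported ABI. The `# PRIVATE` block also comments out `_krb5_rc_*` and `_krb5_get_notification_message`, which Kerberos5Lib.pbexp in this commit exports, so one of the two lists should say which is authoritative.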
diff --git a/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
new file mode 100644
index 0000000..46f40e0
--- /dev/null
+++ b/src/mac/MacOSX/Projects/Kerberos5.pbproj/project.pbxproj
@@ -0,0 +1,7013 @@
+// !$*UTF8*$!
+{
+ archiveVersion = 1;
+ classes = {
+ };
+ objectVersion = 38;
+ objects = {
+ F52B1677022FD39801120112 = {
+ isa = PBXFileReference;
+ path = cr_tkt.c;
+ refType = 4;
+ };
+ F52B167A022FD68601120112 = {
+ isa = PBXFileReference;
+ path = cr_tkt.h;
+ refType = 4;
+ };
+ F57B73370259188901120155 = {
+ isa = PBXFileReference;
+ path = ktfns.c;
+ refType = 4;
+ };
+ F57B73380259188901120155 = {
+ fileRef = F57B73370259188901120155;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58182FE02536D4501120112 = {
+ fileRef = F5CFD59B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58182FF02536D4501120112 = {
+ fileRef = F5CFD59D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830002536D4601120112 = {
+ fileRef = F5CFD59E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830102536D4601120112 = {
+ fileRef = F5CFD59F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830202536D4701120112 = {
+ fileRef = F5CFD5A1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830302536D4801120112 = {
+ fileRef = F5CFD5A8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830402536D4901120112 = {
+ fileRef = F5CFD5AB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830802536E1A01120112 = {
+ fileRef = F52B1677022FD39801120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F581830902536E2501120112 = {
+ fileRef = F52B167A022FD68601120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58183510253A2F201120112 = {
+ fileRef = F5C2DF200240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58183520253A2F301120112 = {
+ fileRef = F5C2DF210240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58602F2022EDA8301120112 = {
+ isa = PBXFileReference;
+ path = prof_threads.c;
+ refType = 4;
+ };
+ F58602F3022EDA8301120112 = {
+ isa = PBXFileReference;
+ path = prof_threads.h;
+ refType = 4;
+ };
+ F58602F4022EDA8301120112 = {
+ fileRef = F58602F3022EDA8301120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F58602F5022EDA8301120112 = {
+ fileRef = F58602F2022EDA8301120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF100240F9F601650119 = {
+ children = (
+ F5C2DF110240F9F601650119,
+ F5C2DF120240F9F601650119,
+ F5C2DF130240F9F601650119,
+ F5C2DF140240F9F601650119,
+ F5C2DF150240F9F601650119,
+ F5C2DF160240F9F601650119,
+ F5C2DF170240F9F601650119,
+ F5C2DF180240F9F601650119,
+ F5C2DF190240F9F601650119,
+ F5C2DF1A0240F9F601650119,
+ F5C2DF1B0240F9F601650119,
+ F5C2DF1C0240F9F601650119,
+ F5C2DF1D0240F9F601650119,
+ F5C2DF1E0240F9F601650119,
+ F5C2DF1F0240F9F601650119,
+ F5C2DF200240F9F601650119,
+ F5C2DF210240F9F601650119,
+ F5C2DF220240F9F601650119,
+ F5C2DF230240F9F601650119,
+ F5C2DF240240F9F601650119,
+ F5C2DF250240F9F601650119,
+ F5C2DF260240F9F601650119,
+ F5C2DF270240F9F601650119,
+ F5C2DF280240F9F601650119,
+ F5C2DF290240F9F601650119,
+ F5C2DF2A0240F9F601650119,
+ F5C2DF2B0240F9F601650119,
+ );
+ isa = PBXGroup;
+ path = ErrorTables;
+ refType = 4;
+ };
+ F5C2DF110240F9F601650119 = {
+ isa = PBXFileReference;
+ path = adm_err.c;
+ refType = 4;
+ };
+ F5C2DF120240F9F601650119 = {
+ isa = PBXFileReference;
+ path = adm_err.h;
+ refType = 4;
+ };
+ F5C2DF130240F9F601650119 = {
+ isa = PBXFileReference;
+ path = adm_err.strings;
+ refType = 4;
+ };
+ F5C2DF140240F9F601650119 = {
+ isa = PBXFileReference;
+ path = asn1_err.c;
+ refType = 4;
+ };
+ F5C2DF150240F9F601650119 = {
+ isa = PBXFileReference;
+ path = asn1_err.h;
+ refType = 4;
+ };
+ F5C2DF160240F9F601650119 = {
+ isa = PBXFileReference;
+ path = asn1_err.strings;
+ refType = 4;
+ };
+ F5C2DF170240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_generic.c;
+ refType = 4;
+ };
+ F5C2DF180240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_generic.h;
+ refType = 4;
+ };
+ F5C2DF190240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_generic.strings;
+ refType = 4;
+ };
+ F5C2DF1A0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_krb5.c;
+ refType = 4;
+ };
+ F5C2DF1B0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_krb5.h;
+ refType = 4;
+ };
+ F5C2DF1C0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = gssapi_err_krb5.strings;
+ refType = 4;
+ };
+ F5C2DF1D0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kdb5_err.c;
+ refType = 4;
+ };
+ F5C2DF1E0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kdb5_err.h;
+ refType = 4;
+ };
+ F5C2DF1F0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kdb5_err.strings;
+ refType = 4;
+ };
+ F5C2DF200240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb524_err.c;
+ refType = 4;
+ };
+ F5C2DF210240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb524_err.h;
+ refType = 4;
+ };
+ F5C2DF220240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb524_err.strings;
+ refType = 4;
+ };
+ F5C2DF230240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb5_err.c;
+ refType = 4;
+ };
+ F5C2DF240240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb5_err.h;
+ refType = 4;
+ };
+ F5C2DF250240F9F601650119 = {
+ isa = PBXFileReference;
+ path = krb5_err.strings;
+ refType = 4;
+ };
+ F5C2DF260240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kv5m_err.c;
+ refType = 4;
+ };
+ F5C2DF270240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kv5m_err.h;
+ refType = 4;
+ };
+ F5C2DF280240F9F601650119 = {
+ isa = PBXFileReference;
+ path = kv5m_err.strings;
+ refType = 4;
+ };
+ F5C2DF290240F9F601650119 = {
+ isa = PBXFileReference;
+ path = prof_err.c;
+ refType = 4;
+ };
+ F5C2DF2A0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = prof_err.h;
+ refType = 4;
+ };
+ F5C2DF2B0240F9F601650119 = {
+ isa = PBXFileReference;
+ path = prof_err.strings;
+ refType = 4;
+ };
+ F5C2DF2C0240F9F601650119 = {
+ fileRef = F5C2DF110240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF2D0240F9F601650119 = {
+ fileRef = F5C2DF120240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF2E0240F9F601650119 = {
+ fileRef = F5C2DF140240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF2F0240F9F601650119 = {
+ fileRef = F5C2DF150240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF340240F9F601650119 = {
+ fileRef = F5C2DF1D0240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF350240F9F601650119 = {
+ fileRef = F5C2DF1E0240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF380240F9F601650119 = {
+ fileRef = F5C2DF230240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF390240F9F601650119 = {
+ fileRef = F5C2DF240240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF3A0240F9F601650119 = {
+ fileRef = F5C2DF260240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF3B0240F9F601650119 = {
+ fileRef = F5C2DF270240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF3E0240F9FC01650119 = {
+ fileRef = F5C2DF290240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF3F0240F9FD01650119 = {
+ fileRef = F5C2DF2A0240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF420240FA1301650119 = {
+ fileRef = F5C2DF1B0240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF430240FA1401650119 = {
+ fileRef = F5C2DF1A0240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF440240FA1501650119 = {
+ fileRef = F5C2DF180240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF450240FA1601650119 = {
+ fileRef = F5C2DF170240F9F601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF490240FA3601650119 = {
+ children = (
+ F5C2DF4A0240FA3601650119,
+ F5C2DF4B0240FA3601650119,
+ F5C2DF4D0240FA3601650119,
+ F5C2DF4E0240FA3601650119,
+ F5C2DF4F0240FA3601650119,
+ F5C2DF500240FA3601650119,
+ F5C2DF510240FA3601650119,
+ );
+ isa = PBXGroup;
+ path = Kerberos;
+ refType = 4;
+ };
+ F5C2DF4A0240FA3601650119 = {
+ isa = PBXFileReference;
+ path = gssapi.h;
+ refType = 4;
+ };
+ F5C2DF4B0240FA3601650119 = {
+ isa = PBXFileReference;
+ path = GSSInit.h;
+ refType = 4;
+ };
+ F5C2DF4D0240FA3601650119 = {
+ isa = PBXFileReference;
+ path = Kerberos5Init.h;
+ refType = 4;
+ };
+ F5C2DF4E0240FA3601650119 = {
+ isa = PBXFileReference;
+ path = KerberosProfileInit.h;
+ refType = 4;
+ };
+ F5C2DF4F0240FA3601650119 = {
+ isa = PBXFileReference;
+ path = krb5.h;
+ refType = 4;
+ };
+ F5C2DF500240FA3601650119 = {
+ isa = PBXFileReference;
+ path = krb524.h;
+ refType = 4;
+ };
+ F5C2DF510240FA3601650119 = {
+ isa = PBXFileReference;
+ path = profile.h;
+ refType = 4;
+ };
+ F5C2DF570240FA3601650119 = {
+ fileRef = F5C2DF4D0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF590240FA3601650119 = {
+ fileRef = F5C2DF4F0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF5B0240FA3601650119 = {
+ fileRef = F5C2DF510240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF5C0240FA5A01650119 = {
+ children = (
+ F5C2DF5D0240FA5A01650119,
+ F5C2DF5E0240FA5A01650119,
+ );
+ isa = PBXGroup;
+ path = PrivateHeaders;
+ refType = 4;
+ };
+ F5C2DF5D0240FA5A01650119 = {
+ isa = PBXFileReference;
+ path = autoconf.h;
+ refType = 4;
+ };
+ F5C2DF5E0240FA5A01650119 = {
+ isa = PBXFileReference;
+ path = osconf.h;
+ refType = 4;
+ };
+ F5C2DF5F0240FA5A01650119 = {
+ fileRef = F5C2DF5D0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF600240FA5A01650119 = {
+ fileRef = F5C2DF5E0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF610240FA5F01650119 = {
+ fileRef = F5C2DF5D0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF620240FA6001650119 = {
+ fileRef = F5C2DF5E0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF650240FA6801650119 = {
+ fileRef = F5C2DF5D0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF660240FA6801650119 = {
+ fileRef = F5C2DF5E0240FA5A01650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF690240FA7E01650119 = {
+ fileRef = F5C2DF4B0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF6A0240FA7E01650119 = {
+ fileRef = F5C2DF4A0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF6D0240FA9901650119 = {
+ fileRef = F5C2DF510240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF6E0240FA9A01650119 = {
+ fileRef = F5C2DF4E0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF6F0240FA9F01650119 = {
+ fileRef = F5C2DF4F0240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C2DF700240FAA201650119 = {
+ fileRef = F5C2DF510240FA3601650119;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44D6E0231639F01120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5Init.h;
+ refType = 4;
+ };
+ F5C44D6F0231639F01120112 = {
+ fileRef = F5C44D6E0231639F01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44D70023163F601120112 = {
+ isa = PBXFileReference;
+ path = KerberosProfileInit.h;
+ refType = 4;
+ };
+ F5C44D71023163F601120112 = {
+ fileRef = F5C44D70023163F601120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44D740231645A01120112 = {
+ isa = PBXFileReference;
+ path = GSSInit.h;
+ refType = 4;
+ };
+ F5C44DB002316F5B01120112 = {
+ fileRef = F5CFD44B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44DB102316F5B01120112 = {
+ fileRef = F5CFD44C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E900231BD6801120112 = {
+ isa = PBXLibraryReference;
+ path = libGSS.a;
+ refType = 3;
+ };
+ F5C44E910231BD6801120112 = {
+ buildPhases = (
+ F5C44E920231BD6801120112,
+ F5C44E9C0231BD6801120112,
+ F5C44EDD0231BD6801120112,
+ F5C44EDE0231BD6801120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ HEADER_SEARCH_PATHS = "\"$(SRCROOT)/../../KerberosErrors/Headers\" \"$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates\"";
+ LIBRARY_STYLE = STATIC;
+ PREFIX_HEADER = "$(SRCROOT)/../Headers/MacOSX/Kerberos5Prefix.h";
+ PRODUCT_NAME = libGSS.a;
+ REZ_EXECUTABLE = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ F5C44EE80231CEA101120112,
+ F5C44EE90231CEA101120112,
+ );
+ isa = PBXLibraryTarget;
+ name = GSS;
+ productInstallPath = /usr/local/lib;
+ productName = GSS;
+ productReference = F5C44E900231BD6801120112;
+ shouldUseHeadermap = 0;
+ };
+ F5C44E920231BD6801120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5C44E930231BD6801120112,
+ F5C44E940231BD6801120112,
+ F5C44E950231BD6801120112,
+ F5C44E960231BD6801120112,
+ F5C44E980231BD6801120112,
+ F5C44E9B0231BD6801120112,
+ F5C44EDF0231BF0801120112,
+ F5C44EE00231BF0801120112,
+ F5C44EE30231C02501120112,
+ F5C44EE50231C1C301120112,
+ F5C2DF420240FA1301650119,
+ F5C2DF440240FA1501650119,
+ F5C2DF650240FA6801650119,
+ F5C2DF660240FA6801650119,
+ F5C2DF690240FA7E01650119,
+ F5C2DF6A0240FA7E01650119,
+ F5C2DF6F0240FA9F01650119,
+ F5C2DF700240FAA201650119,
+ );
+ isa = PBXHeadersBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5C44E930231BD6801120112 = {
+ fileRef = F5CFD38C022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E940231BD6801120112 = {
+ fileRef = F5CFD62C022D96AB01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E950231BD6801120112 = {
+ fileRef = F5C44D740231645A01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E960231BD6801120112 = {
+ fileRef = F5CFD39F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E980231BD6801120112 = {
+ fileRef = F5CFD37C022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E9B0231BD6801120112 = {
+ fileRef = F5CFD37D022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E9C0231BD6801120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5C44E9D0231BD6801120112,
+ F5C44E9F0231BD6801120112,
+ F5C44EA00231BD6801120112,
+ F5C44EA10231BD6801120112,
+ F5C44EA20231BD6801120112,
+ F5C44EA30231BD6801120112,
+ F5C44EA40231BD6801120112,
+ F5C44EA50231BD6801120112,
+ F5C44EA60231BD6801120112,
+ F5C44EA70231BD6801120112,
+ F5C44EA80231BD6801120112,
+ F5C44EA90231BD6801120112,
+ F5C44EAA0231BD6801120112,
+ F5C44EAB0231BD6801120112,
+ F5C44EAC0231BD6801120112,
+ F5C44EAD0231BD6801120112,
+ F5C44EAE0231BD6801120112,
+ F5C44EAF0231BD6801120112,
+ F5C44EB00231BD6801120112,
+ F5C44EB10231BD6801120112,
+ F5C44EB20231BD6801120112,
+ F5C44EB30231BD6801120112,
+ F5C44EB40231BD6801120112,
+ F5C44EB60231BD6801120112,
+ F5C44EB70231BD6801120112,
+ F5C44EB80231BD6801120112,
+ F5C44EBA0231BD6801120112,
+ F5C44EBB0231BD6801120112,
+ F5C44EBC0231BD6801120112,
+ F5C44EBD0231BD6801120112,
+ F5C44EBE0231BD6801120112,
+ F5C44EBF0231BD6801120112,
+ F5C44EC00231BD6801120112,
+ F5C44EC10231BD6801120112,
+ F5C44EC20231BD6801120112,
+ F5C44EC30231BD6801120112,
+ F5C44EC40231BD6801120112,
+ F5C44EC50231BD6801120112,
+ F5C44EC60231BD6801120112,
+ F5C44EC70231BD6801120112,
+ F5C44EC80231BD6801120112,
+ F5C44EC90231BD6801120112,
+ F5C44ECA0231BD6801120112,
+ F5C44ECB0231BD6801120112,
+ F5C44ECC0231BD6801120112,
+ F5C44ECD0231BD6801120112,
+ F5C44ED00231BD6801120112,
+ F5C44ED10231BD6801120112,
+ F5C44ED20231BD6801120112,
+ F5C44ED30231BD6801120112,
+ F5C44ED40231BD6801120112,
+ F5C44ED50231BD6801120112,
+ F5C44ED70231BD6801120112,
+ F5C44ED80231BD6801120112,
+ F5C44ED90231BD6801120112,
+ F5C44EDA0231BD6801120112,
+ F5C44EDB0231BD6801120112,
+ F5C2DF430240FA1401650119,
+ F5C2DF450240FA1601650119,
+ );
+ isa = PBXSourcesBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5C44E9D0231BD6801120112 = {
+ fileRef = F5CFD38B022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44E9F0231BD6801120112 = {
+ fileRef = F5CFD38E022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA00231BD6801120112 = {
+ fileRef = F5CFD38F022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA10231BD6801120112 = {
+ fileRef = F5CFD390022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA20231BD6801120112 = {
+ fileRef = F5CFD391022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA30231BD6801120112 = {
+ fileRef = F5CFD393022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA40231BD6801120112 = {
+ fileRef = F5CFD395022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA50231BD6801120112 = {
+ fileRef = F5CFD394022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA60231BD6801120112 = {
+ fileRef = F5CFD396022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA70231BD6801120112 = {
+ fileRef = F5CFD397022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA80231BD6801120112 = {
+ fileRef = F5CFD398022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EA90231BD6801120112 = {
+ fileRef = F5CFD399022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAA0231BD6801120112 = {
+ fileRef = F5CFD39A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAB0231BD6801120112 = {
+ fileRef = F5CFD39B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAC0231BD6801120112 = {
+ fileRef = F5CFD39C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAD0231BD6801120112 = {
+ fileRef = F5CFD39E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAE0231BD6801120112 = {
+ fileRef = F5CFD3A1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EAF0231BD6801120112 = {
+ fileRef = F5CFD3A2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB00231BD6801120112 = {
+ fileRef = F5CFD3A3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB10231BD6801120112 = {
+ fileRef = F5CFD3A4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB20231BD6801120112 = {
+ fileRef = F5CFD3A5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB30231BD6801120112 = {
+ fileRef = F5CFD3A6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB40231BD6801120112 = {
+ fileRef = F5CFD3A7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB60231BD6801120112 = {
+ fileRef = F5CFD3A9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB70231BD6801120112 = {
+ fileRef = F5CFD3AA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EB80231BD6801120112 = {
+ fileRef = F5CFD3AB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBA0231BD6801120112 = {
+ fileRef = F5CFD3AD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBB0231BD6801120112 = {
+ fileRef = F5CFD3AE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBC0231BD6801120112 = {
+ fileRef = F5CFD3AF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBD0231BD6801120112 = {
+ fileRef = F5CFD3B0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBE0231BD6801120112 = {
+ fileRef = F5CFD3B1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EBF0231BD6801120112 = {
+ fileRef = F5CFD3B2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC00231BD6801120112 = {
+ fileRef = F5CFD3B3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC10231BD6801120112 = {
+ fileRef = F5CFD3B4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC20231BD6801120112 = {
+ fileRef = F5CFD3B5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC30231BD6801120112 = {
+ fileRef = F5CFD3B6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC40231BD6801120112 = {
+ fileRef = F5CFD3B7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC50231BD6801120112 = {
+ fileRef = F5CFD3B8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC60231BD6801120112 = {
+ fileRef = F5CFD3B9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC70231BD6801120112 = {
+ fileRef = F5CFD3BA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC80231BD6801120112 = {
+ fileRef = F5CFD3BB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EC90231BD6801120112 = {
+ fileRef = F5CFD3BC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ECA0231BD6801120112 = {
+ fileRef = F5CFD3BD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ECB0231BD6801120112 = {
+ fileRef = F5CFD377022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ECC0231BD6801120112 = {
+ fileRef = F5CFD378022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ECD0231BD6801120112 = {
+ fileRef = F5CFD37B022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED00231BD6801120112 = {
+ fileRef = F5CFD37F022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED10231BD6801120112 = {
+ fileRef = F5CFD37E022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED20231BD6801120112 = {
+ fileRef = F5CFD380022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED30231BD6801120112 = {
+ fileRef = F5CFD381022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED40231BD6801120112 = {
+ fileRef = F5CFD382022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED50231BD6801120112 = {
+ fileRef = F5CFD383022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED70231BD6801120112 = {
+ fileRef = F5CFD385022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED80231BD6801120112 = {
+ fileRef = F5CFD386022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44ED90231BD6801120112 = {
+ fileRef = F5CFD387022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EDA0231BD6801120112 = {
+ fileRef = F5CFD388022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EDB0231BD6801120112 = {
+ fileRef = F5CFD389022D86AC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EDD0231BD6801120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXFrameworksBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5C44EDE0231BD6801120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5C44EDF0231BF0801120112 = {
+ fileRef = F5CFD617022D911001120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EE00231BF0801120112 = {
+ fileRef = F5CFD7C6022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EE30231C02501120112 = {
+ fileRef = F5CFD3A0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EE40231C1C301120112 = {
+ isa = PBXFileReference;
+ path = "port-sockets.h";
+ refType = 4;
+ };
+ F5C44EE50231C1C301120112 = {
+ fileRef = F5C44EE40231C1C301120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5C44EE80231CEA101120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD629022D922C01120112;
+ };
+ F5C44EE90231CEA101120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD5E6022D8A9901120112;
+ };
+ F5CFD36E022D854401120112 = {
+ buildStyles = (
+ F5CFD370022D854401120112,
+ F5CFD371022D854401120112,
+ );
+ isa = PBXProject;
+ mainGroup = F5CFD36F022D854401120112;
+ productRefGroup = F5CFD5CB022D86AD01120112;
+ projectDirPath = "";
+ targets = (
+ F5CFD5E6022D8A9901120112,
+ F5CFD629022D922C01120112,
+ F5CFD5CD022D86AD01120112,
+ F5CFD639022DD45401120112,
+ F5C44E910231BD6801120112,
+ );
+ };
+ F5CFD36F022D854401120112 = {
+ children = (
+ F5CFD5EC022D8B6001120112,
+ F5CFD5ED022D8B6001120112,
+ F5CFD5C1022D86AD01120112,
+ F5CFD5EE022D8B6001120112,
+ F5CFD60E022D911001120112,
+ F5CFD372022D86AC01120112,
+ F5CFD5E4022D891701120112,
+ F5CFD5CB022D86AD01120112,
+ );
+ isa = PBXGroup;
+ refType = 4;
+ };
+ F5CFD370022D854401120112 = {
+ buildRules = (
+ );
+ buildSettings = {
+ COPY_PHASE_STRIP = NO;
+ };
+ isa = PBXBuildStyle;
+ name = Development;
+ };
+ F5CFD371022D854401120112 = {
+ buildRules = (
+ );
+ buildSettings = {
+ COPY_PHASE_STRIP = YES;
+ };
+ isa = PBXBuildStyle;
+ name = Deployment;
+ };
+ F5CFD372022D86AC01120112 = {
+ children = (
+ F5CFD373022D86AC01120112,
+ F5CFD3BE022D86AD01120112,
+ F5CFD598022D86AD01120112,
+ F5CFD5AD022D86AD01120112,
+ F5CFD5C7022D86AD01120112,
+ );
+ isa = PBXGroup;
+ name = Sources;
+ path = ../Sources;
+ refType = 2;
+ };
+ F5CFD373022D86AC01120112 = {
+ children = (
+ F5CFD374022D86AC01120112,
+ F5CFD375022D86AC01120112,
+ F5CFD38B022D86AC01120112,
+ F5CFD38C022D86AC01120112,
+ F5CFD38D022D86AC01120112,
+ );
+ isa = PBXGroup;
+ path = GSS;
+ refType = 4;
+ };
+ F5CFD374022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = ChangeLog;
+ refType = 4;
+ };
+ F5CFD375022D86AC01120112 = {
+ children = (
+ F5CFD376022D86AC01120112,
+ F5CFD377022D86AC01120112,
+ F5CFD378022D86AC01120112,
+ F5CFD379022D86AC01120112,
+ F5CFD37A022D86AC01120112,
+ F5CFD37B022D86AC01120112,
+ F5CFD37C022D86AC01120112,
+ F5CFD37D022D86AC01120112,
+ F5CFD37E022D86AC01120112,
+ F5CFD37F022D86AC01120112,
+ F5CFD380022D86AC01120112,
+ F5CFD381022D86AC01120112,
+ F5CFD382022D86AC01120112,
+ F5CFD383022D86AC01120112,
+ F5CFD384022D86AC01120112,
+ F5CFD385022D86AC01120112,
+ F5CFD386022D86AC01120112,
+ F5CFD387022D86AC01120112,
+ F5CFD388022D86AC01120112,
+ F5CFD389022D86AC01120112,
+ F5CFD38A022D86AC01120112,
+ );
+ isa = PBXGroup;
+ path = generic;
+ refType = 4;
+ };
+ F5CFD376022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = ChangeLog;
+ refType = 4;
+ };
+ F5CFD377022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = disp_com_err_status.c;
+ refType = 4;
+ };
+ F5CFD378022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = disp_major_status.c;
+ refType = 4;
+ };
+ F5CFD379022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gssapi.hin;
+ refType = 4;
+ };
+ F5CFD37A022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_err_generic.et;
+ refType = 4;
+ };
+ F5CFD37B022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_generic.c;
+ refType = 4;
+ };
+ F5CFD37C022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_generic.h;
+ refType = 4;
+ };
+ F5CFD37D022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gssapiP_generic.h;
+ refType = 4;
+ };
+ F5CFD37E022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = oid_ops.c;
+ refType = 4;
+ };
+ F5CFD37F022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = rel_buffer.c;
+ refType = 4;
+ };
+ F5CFD380022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = rel_oid_set.c;
+ refType = 4;
+ };
+ F5CFD381022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_buffer.c;
+ refType = 4;
+ };
+ F5CFD382022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_canonhost.c;
+ refType = 4;
+ };
+ F5CFD383022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_dup.c;
+ refType = 4;
+ };
+ F5CFD384022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_localhost.c;
+ refType = 4;
+ };
+ F5CFD385022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_oid.c;
+ refType = 4;
+ };
+ F5CFD386022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_ordering.c;
+ refType = 4;
+ };
+ F5CFD387022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_set.c;
+ refType = 4;
+ };
+ F5CFD388022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_token.c;
+ refType = 4;
+ };
+ F5CFD389022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = util_validate.c;
+ refType = 4;
+ };
+ F5CFD38A022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = utl_nohash_validate.c;
+ refType = 4;
+ };
+ F5CFD38B022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gss_libinit.c;
+ refType = 4;
+ };
+ F5CFD38C022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = gss_libinit.h;
+ refType = 4;
+ };
+ F5CFD38D022D86AC01120112 = {
+ children = (
+ F5CFD38E022D86AC01120112,
+ F5CFD38F022D86AC01120112,
+ F5CFD390022D86AD01120112,
+ F5CFD391022D86AD01120112,
+ F5CFD393022D86AD01120112,
+ F5CFD394022D86AD01120112,
+ F5CFD395022D86AD01120112,
+ F5CFD396022D86AD01120112,
+ F5CFD397022D86AD01120112,
+ F5CFD398022D86AD01120112,
+ F5CFD399022D86AD01120112,
+ F5CFD39A022D86AD01120112,
+ F5CFD39B022D86AD01120112,
+ F5CFD39C022D86AD01120112,
+ F5CFD39D022D86AD01120112,
+ F5CFD39E022D86AD01120112,
+ F5CFD39F022D86AD01120112,
+ F5CFD3A0022D86AD01120112,
+ F5CFD3A1022D86AD01120112,
+ F5CFD3A2022D86AD01120112,
+ F5CFD3A3022D86AD01120112,
+ F5CFD3A4022D86AD01120112,
+ F5CFD3A5022D86AD01120112,
+ F5CFD3A6022D86AD01120112,
+ F5CFD3A7022D86AD01120112,
+ F5CFD3A9022D86AD01120112,
+ F5CFD3AA022D86AD01120112,
+ F5CFD3AB022D86AD01120112,
+ F5CFD3AC022D86AD01120112,
+ F5CFD3AD022D86AD01120112,
+ F5CFD3AE022D86AD01120112,
+ F5CFD3AF022D86AD01120112,
+ F5CFD3B0022D86AD01120112,
+ F5CFD3B1022D86AD01120112,
+ F5CFD3B2022D86AD01120112,
+ F5CFD3B3022D86AD01120112,
+ F5CFD3B4022D86AD01120112,
+ F5CFD3B5022D86AD01120112,
+ F5CFD3B6022D86AD01120112,
+ F5CFD3B7022D86AD01120112,
+ F5CFD3B8022D86AD01120112,
+ F5CFD3B9022D86AD01120112,
+ F5CFD3BA022D86AD01120112,
+ F5CFD3BB022D86AD01120112,
+ F5CFD3BC022D86AD01120112,
+ F5CFD3BD022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = krb5;
+ refType = 4;
+ };
+ F5CFD38E022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = accept_sec_context.c;
+ refType = 4;
+ };
+ F5CFD38F022D86AC01120112 = {
+ isa = PBXFileReference;
+ path = acquire_cred.c;
+ refType = 4;
+ };
+ F5CFD390022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = add_cred.c;
+ refType = 4;
+ };
+ F5CFD391022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = canon_name.c;
+ refType = 4;
+ };
+ F5CFD393022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = compare_name.c;
+ refType = 4;
+ };
+ F5CFD394022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = context_time.c;
+ refType = 4;
+ };
+ F5CFD395022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_ccache.c;
+ refType = 4;
+ };
+ F5CFD396022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = delete_sec_context.c;
+ refType = 4;
+ };
+ F5CFD397022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = disp_name.c;
+ refType = 4;
+ };
+ F5CFD398022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = disp_status.c;
+ refType = 4;
+ };
+ F5CFD399022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = duplicate_name.c;
+ refType = 4;
+ };
+ F5CFD39A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = export_name.c;
+ refType = 4;
+ };
+ F5CFD39B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = export_sec_context.c;
+ refType = 4;
+ };
+ F5CFD39C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = get_tkt_flags.c;
+ refType = 4;
+ };
+ F5CFD39D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_err_krb5.et;
+ refType = 4;
+ };
+ F5CFD39E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_krb5.c;
+ refType = 4;
+ };
+ F5CFD39F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gssapi_krb5.h;
+ refType = 4;
+ };
+ F5CFD3A0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gssapiP_krb5.h;
+ refType = 4;
+ };
+ F5CFD3A1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = import_name.c;
+ refType = 4;
+ };
+ F5CFD3A2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = import_sec_context.c;
+ refType = 4;
+ };
+ F5CFD3A3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = indicate_mechs.c;
+ refType = 4;
+ };
+ F5CFD3A4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = init_sec_context.c;
+ refType = 4;
+ };
+ F5CFD3A5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = inq_context.c;
+ refType = 4;
+ };
+ F5CFD3A6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = inq_cred.c;
+ refType = 4;
+ };
+ F5CFD3A7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = inq_names.c;
+ refType = 4;
+ };
+ F5CFD3A9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = k5seal.c;
+ refType = 4;
+ };
+ F5CFD3AA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = k5unseal.c;
+ refType = 4;
+ };
+ F5CFD3AB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_gss_glue.c;
+ refType = 4;
+ };
+ F5CFD3AC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = pname_to_uid.c;
+ refType = 4;
+ };
+ F5CFD3AD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = process_context_token.c;
+ refType = 4;
+ };
+ F5CFD3AE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rel_cred.c;
+ refType = 4;
+ };
+ F5CFD3AF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rel_name.c;
+ refType = 4;
+ };
+ F5CFD3B0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rel_oid.c;
+ refType = 4;
+ };
+ F5CFD3B1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = seal.c;
+ refType = 4;
+ };
+ F5CFD3B2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_sctx.c;
+ refType = 4;
+ };
+ F5CFD3B3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = set_ccache.c;
+ refType = 4;
+ };
+ F5CFD3B4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = sign.c;
+ refType = 4;
+ };
+ F5CFD3B5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = unseal.c;
+ refType = 4;
+ };
+ F5CFD3B6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = util_cksum.c;
+ refType = 4;
+ };
+ F5CFD3B7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = util_crypt.c;
+ refType = 4;
+ };
+ F5CFD3B8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = util_ctxsetup.c;
+ refType = 4;
+ };
+ F5CFD3B9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = util_seed.c;
+ refType = 4;
+ };
+ F5CFD3BA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = util_seqnum.c;
+ refType = 4;
+ };
+ F5CFD3BB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = val_cred.c;
+ refType = 4;
+ };
+ F5CFD3BC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = verify.c;
+ refType = 4;
+ };
+ F5CFD3BD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = wrap_size_limit.c;
+ refType = 4;
+ };
+ F5CFD3BE022D86AD01120112 = {
+ children = (
+ F5CFD3BF022D86AD01120112,
+ F5CFD3D5022D86AD01120112,
+ F5CFD42C022D86AD01120112,
+ F5CFD4A4022D86AD01120112,
+ F5CFD4AF022D86AD01120112,
+ F5CFD4E0022D86AD01120112,
+ F5CFD545022D86AD01120112,
+ F5CFD546022D86AD01120112,
+ F5CFD547022D86AD01120112,
+ F5CFD579022D86AD01120112,
+ F5CFD588022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = Kerberos5;
+ refType = 4;
+ };
+ F5CFD3BF022D86AD01120112 = {
+ children = (
+ F5CFD3C0022D86AD01120112,
+ F5CFD3C1022D86AD01120112,
+ F5CFD3C2022D86AD01120112,
+ F5CFD3C3022D86AD01120112,
+ F5CFD3C4022D86AD01120112,
+ F5CFD3C5022D86AD01120112,
+ F5CFD3C6022D86AD01120112,
+ F5CFD3C7022D86AD01120112,
+ F5CFD3C8022D86AD01120112,
+ F5CFD3C9022D86AD01120112,
+ F5CFD3CA022D86AD01120112,
+ F5CFD3CB022D86AD01120112,
+ F5CFD3CC022D86AD01120112,
+ F5CFD3CD022D86AD01120112,
+ F5CFD3CE022D86AD01120112,
+ F5CFD3CF022D86AD01120112,
+ F5CFD3D0022D86AD01120112,
+ F5CFD3D2022D86AD01120112,
+ F5CFD3D3022D86AD01120112,
+ F5CFD3D4022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = asn.1;
+ refType = 4;
+ };
+ F5CFD3C0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_decode.c;
+ refType = 4;
+ };
+ F5CFD3C1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_decode.h;
+ refType = 4;
+ };
+ F5CFD3C2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_encode.c;
+ refType = 4;
+ };
+ F5CFD3C3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_encode.h;
+ refType = 4;
+ };
+ F5CFD3C4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_get.c;
+ refType = 4;
+ };
+ F5CFD3C5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_get.h;
+ refType = 4;
+ };
+ F5CFD3C6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_k_decode.c;
+ refType = 4;
+ };
+ F5CFD3C7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_k_decode.h;
+ refType = 4;
+ };
+ F5CFD3C8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_k_encode.c;
+ refType = 4;
+ };
+ F5CFD3C9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_k_encode.h;
+ refType = 4;
+ };
+ F5CFD3CA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_make.c;
+ refType = 4;
+ };
+ F5CFD3CB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_make.h;
+ refType = 4;
+ };
+ F5CFD3CC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_misc.c;
+ refType = 4;
+ };
+ F5CFD3CD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_misc.h;
+ refType = 4;
+ };
+ F5CFD3CE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1buf.c;
+ refType = 4;
+ };
+ F5CFD3CF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1buf.h;
+ refType = 4;
+ };
+ F5CFD3D0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1glue.h;
+ refType = 4;
+ };
+ F5CFD3D2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_decode.c;
+ refType = 4;
+ };
+ F5CFD3D3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_encode.c;
+ refType = 4;
+ };
+ F5CFD3D4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krbasn1.h;
+ refType = 4;
+ };
+ F5CFD3D5022D86AD01120112 = {
+ children = (
+ F5CFD3D7022D86AD01120112,
+ F5CFD3E4022D86AD01120112,
+ F5CFD3FD022D86AD01120112,
+ F5CFD411022D86AD01120112,
+ F5CFD3D6022D86AD01120112,
+ F5CFD3DF022D86AD01120112,
+ F5CFD3E0022D86AD01120112,
+ F5CFD3E1022D86AD01120112,
+ F5CFD3E2022D86AD01120112,
+ F5CFD3E3022D86AD01120112,
+ F5CFD410022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = ccache;
+ refType = 4;
+ };
+ F5CFD3D6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cc_retr.c;
+ refType = 4;
+ };
+ F5CFD3D7022D86AD01120112 = {
+ children = (
+ F5CFD3D9022D86AD01120112,
+ F5CFD3DA022D86AD01120112,
+ F5CFD3DB022D86AD01120112,
+ F5CFD3DC022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = ccapi;
+ refType = 4;
+ };
+ F5CFD3D9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = stdcc.c;
+ refType = 4;
+ };
+ F5CFD3DA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = stdcc.h;
+ refType = 4;
+ };
+ F5CFD3DB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = stdcc_util.c;
+ refType = 4;
+ };
+ F5CFD3DC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = stdcc_util.h;
+ refType = 4;
+ };
+ F5CFD3DF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ccbase.c;
+ refType = 4;
+ };
+ F5CFD3E0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cccopy.c;
+ refType = 4;
+ };
+ F5CFD3E1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ccdefault.c;
+ refType = 4;
+ };
+ F5CFD3E2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ccdefops.c;
+ refType = 4;
+ };
+ F5CFD3E3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ccfns.c;
+ refType = 4;
+ };
+ F5CFD3E4022D86AD01120112 = {
+ children = (
+ F5CFD3E6022D86AD01120112,
+ F5CFD3E7022D86AD01120112,
+ F5CFD3E8022D86AD01120112,
+ F5CFD3E9022D86AD01120112,
+ F5CFD3EA022D86AD01120112,
+ F5CFD3EB022D86AD01120112,
+ F5CFD3EC022D86AD01120112,
+ F5CFD3ED022D86AD01120112,
+ F5CFD3EE022D86AD01120112,
+ F5CFD3EF022D86AD01120112,
+ F5CFD3F0022D86AD01120112,
+ F5CFD3F1022D86AD01120112,
+ F5CFD3F2022D86AD01120112,
+ F5CFD3F3022D86AD01120112,
+ F5CFD3F4022D86AD01120112,
+ F5CFD3F5022D86AD01120112,
+ F5CFD3F6022D86AD01120112,
+ F5CFD3F7022D86AD01120112,
+ F5CFD3F8022D86AD01120112,
+ F5CFD3F9022D86AD01120112,
+ F5CFD3FA022D86AD01120112,
+ F5CFD3FC022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = file;
+ refType = 4;
+ };
+ F5CFD3E6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "fcc-proto.h";
+ refType = 4;
+ };
+ F5CFD3E7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc.h;
+ refType = 4;
+ };
+ F5CFD3E8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_close.c;
+ refType = 4;
+ };
+ F5CFD3E9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_defops.c;
+ refType = 4;
+ };
+ F5CFD3EA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_destry.c;
+ refType = 4;
+ };
+ F5CFD3EB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_errs.c;
+ refType = 4;
+ };
+ F5CFD3EC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_eseq.c;
+ refType = 4;
+ };
+ F5CFD3ED022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_gennew.c;
+ refType = 4;
+ };
+ F5CFD3EE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_getnam.c;
+ refType = 4;
+ };
+ F5CFD3EF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_gprin.c;
+ refType = 4;
+ };
+ F5CFD3F0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_init.c;
+ refType = 4;
+ };
+ F5CFD3F1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_maybe.c;
+ refType = 4;
+ };
+ F5CFD3F2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_nseq.c;
+ refType = 4;
+ };
+ F5CFD3F3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_ops.c;
+ refType = 4;
+ };
+ F5CFD3F4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_read.c;
+ refType = 4;
+ };
+ F5CFD3F5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_reslv.c;
+ refType = 4;
+ };
+ F5CFD3F6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_retrv.c;
+ refType = 4;
+ };
+ F5CFD3F7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_sflags.c;
+ refType = 4;
+ };
+ F5CFD3F8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_skip.c;
+ refType = 4;
+ };
+ F5CFD3F9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_sseq.c;
+ refType = 4;
+ };
+ F5CFD3FA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_store.c;
+ refType = 4;
+ };
+ F5CFD3FC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fcc_write.c;
+ refType = 4;
+ };
+ F5CFD3FD022D86AD01120112 = {
+ children = (
+ F5CFD3FF022D86AD01120112,
+ F5CFD400022D86AD01120112,
+ F5CFD401022D86AD01120112,
+ F5CFD402022D86AD01120112,
+ F5CFD403022D86AD01120112,
+ F5CFD404022D86AD01120112,
+ F5CFD405022D86AD01120112,
+ F5CFD406022D86AD01120112,
+ F5CFD407022D86AD01120112,
+ F5CFD408022D86AD01120112,
+ F5CFD409022D86AD01120112,
+ F5CFD40A022D86AD01120112,
+ F5CFD40B022D86AD01120112,
+ F5CFD40C022D86AD01120112,
+ F5CFD40D022D86AD01120112,
+ F5CFD40E022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = memory;
+ refType = 4;
+ };
+ F5CFD3FF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "mcc-proto.h";
+ refType = 4;
+ };
+ F5CFD400022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc.h;
+ refType = 4;
+ };
+ F5CFD401022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_close.c;
+ refType = 4;
+ };
+ F5CFD402022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_destry.c;
+ refType = 4;
+ };
+ F5CFD403022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_eseq.c;
+ refType = 4;
+ };
+ F5CFD404022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_gennew.c;
+ refType = 4;
+ };
+ F5CFD405022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_getnam.c;
+ refType = 4;
+ };
+ F5CFD406022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_gprin.c;
+ refType = 4;
+ };
+ F5CFD407022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_init.c;
+ refType = 4;
+ };
+ F5CFD408022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_nseq.c;
+ refType = 4;
+ };
+ F5CFD409022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_ops.c;
+ refType = 4;
+ };
+ F5CFD40A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_reslv.c;
+ refType = 4;
+ };
+ F5CFD40B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_retrv.c;
+ refType = 4;
+ };
+ F5CFD40C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_sflags.c;
+ refType = 4;
+ };
+ F5CFD40D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_sseq.c;
+ refType = 4;
+ };
+ F5CFD40E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mcc_store.c;
+ refType = 4;
+ };
+ F5CFD410022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_cc.c;
+ refType = 4;
+ };
+ F5CFD411022D86AD01120112 = {
+ children = (
+ F5CFD413022D86AD01120112,
+ F5CFD414022D86AD01120112,
+ F5CFD415022D86AD01120112,
+ F5CFD416022D86AD01120112,
+ F5CFD417022D86AD01120112,
+ F5CFD418022D86AD01120112,
+ F5CFD419022D86AD01120112,
+ F5CFD41A022D86AD01120112,
+ F5CFD41B022D86AD01120112,
+ F5CFD41C022D86AD01120112,
+ F5CFD41D022D86AD01120112,
+ F5CFD41E022D86AD01120112,
+ F5CFD41F022D86AD01120112,
+ F5CFD420022D86AD01120112,
+ F5CFD421022D86AD01120112,
+ F5CFD422022D86AD01120112,
+ F5CFD423022D86AD01120112,
+ F5CFD424022D86AD01120112,
+ F5CFD425022D86AD01120112,
+ F5CFD426022D86AD01120112,
+ F5CFD427022D86AD01120112,
+ F5CFD429022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = stdio;
+ refType = 4;
+ };
+ F5CFD413022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "scc-proto.h";
+ refType = 4;
+ };
+ F5CFD414022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc.h;
+ refType = 4;
+ };
+ F5CFD415022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_close.c;
+ refType = 4;
+ };
+ F5CFD416022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_defops.c;
+ refType = 4;
+ };
+ F5CFD417022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_destry.c;
+ refType = 4;
+ };
+ F5CFD418022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_errs.c;
+ refType = 4;
+ };
+ F5CFD419022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_eseq.c;
+ refType = 4;
+ };
+ F5CFD41A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_gennew.c;
+ refType = 4;
+ };
+ F5CFD41B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_getnam.c;
+ refType = 4;
+ };
+ F5CFD41C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_gprin.c;
+ refType = 4;
+ };
+ F5CFD41D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_init.c;
+ refType = 4;
+ };
+ F5CFD41E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_maybe.c;
+ refType = 4;
+ };
+ F5CFD41F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_nseq.c;
+ refType = 4;
+ };
+ F5CFD420022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_ops.c;
+ refType = 4;
+ };
+ F5CFD421022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_read.c;
+ refType = 4;
+ };
+ F5CFD422022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_reslv.c;
+ refType = 4;
+ };
+ F5CFD423022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_retrv.c;
+ refType = 4;
+ };
+ F5CFD424022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_sflags.c;
+ refType = 4;
+ };
+ F5CFD425022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_skip.c;
+ refType = 4;
+ };
+ F5CFD426022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_sseq.c;
+ refType = 4;
+ };
+ F5CFD427022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_store.c;
+ refType = 4;
+ };
+ F5CFD429022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = scc_write.c;
+ refType = 4;
+ };
+ F5CFD42C022D86AD01120112 = {
+ children = (
+ F5CFD435022D86AD01120112,
+ F5CFD43F022D86AD01120112,
+ F5CFD453022D86AD01120112,
+ F5CFD45B022D86AD01120112,
+ F5CFD466022D86AD01120112,
+ F5CFD470022D86AD01120112,
+ F5CFD479022D86AD01120112,
+ F5CFD47D022D86AD01120112,
+ F5CFD484022D86AD01120112,
+ F5CFD48E022D86AD01120112,
+ F5CFD495022D86AD01120112,
+ F5CFD42E022D86AD01120112,
+ F5CFD430022D86AD01120112,
+ F5CFD431022D86AD01120112,
+ F5CFD432022D86AD01120112,
+ F5CFD433022D86AD01120112,
+ F5CFD434022D86AD01120112,
+ F5CFD43C022D86AD01120112,
+ F5CFD43D022D86AD01120112,
+ F5CFD43E022D86AD01120112,
+ F5CFD460022D86AD01120112,
+ F5CFD461022D86AD01120112,
+ F5CFD462022D86AD01120112,
+ F5CFD463022D86AD01120112,
+ F5CFD464022D86AD01120112,
+ F5CFD465022D86AD01120112,
+ F5CFD46D022D86AD01120112,
+ F5CFD46E022D86AD01120112,
+ F5CFD46F022D86AD01120112,
+ F5CFD477022D86AD01120112,
+ F5CFD478022D86AD01120112,
+ F5CFD483022D86AD01120112,
+ F5CFD48B022D86AD01120112,
+ F5CFD48D022D86AD01120112,
+ F5CFD49C022D86AD01120112,
+ F5CFD49D022D86AD01120112,
+ F5CFD49E022D86AD01120112,
+ F5CFD4A0022D86AD01120112,
+ F5CFD4A1022D86AD01120112,
+ F5CFD4A2022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = crypto;
+ refType = 4;
+ };
+ F5CFD42E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = block_size.c;
+ refType = 4;
+ };
+ F5CFD430022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = checksum_length.c;
+ refType = 4;
+ };
+ F5CFD431022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cksumtype_to_string.c;
+ refType = 4;
+ };
+ F5CFD432022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cksumtypes.c;
+ refType = 4;
+ };
+ F5CFD433022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cksumtypes.h;
+ refType = 4;
+ };
+ F5CFD434022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = coll_proof_cksum.c;
+ refType = 4;
+ };
+ F5CFD435022D86AD01120112 = {
+ children = (
+ F5CFD437022D86AD01120112,
+ F5CFD43A022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = crc32;
+ refType = 4;
+ };
+ F5CFD437022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "crc-32.h";
+ refType = 4;
+ };
+ F5CFD43A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = crc32.c;
+ refType = 4;
+ };
+ F5CFD43C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = crypto_libinit.c;
+ refType = 4;
+ };
+ F5CFD43D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = crypto_libinit.h;
+ refType = 4;
+ };
+ F5CFD43E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = decrypt.c;
+ refType = 4;
+ };
+ F5CFD43F022D86AD01120112 = {
+ children = (
+ F5CFD440022D86AD01120112,
+ F5CFD442022D86AD01120112,
+ F5CFD443022D86AD01120112,
+ F5CFD444022D86AD01120112,
+ F5CFD448022D86AD01120112,
+ F5CFD449022D86AD01120112,
+ F5CFD44A022D86AD01120112,
+ F5CFD44B022D86AD01120112,
+ F5CFD44C022D86AD01120112,
+ F5CFD44D022D86AD01120112,
+ F5CFD44E022D86AD01120112,
+ F5CFD450022D86AD01120112,
+ F5CFD452022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = des;
+ refType = 4;
+ };
+ F5CFD440022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = afsstring2key.c;
+ refType = 4;
+ };
+ F5CFD442022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = d3_cbc.c;
+ refType = 4;
+ };
+ F5CFD443022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = d3_kysched.c;
+ refType = 4;
+ };
+ F5CFD444022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = des_int.h;
+ refType = 4;
+ };
+ F5CFD448022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_cbc.c;
+ refType = 4;
+ };
+ F5CFD449022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_cksum.c;
+ refType = 4;
+ };
+ F5CFD44A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_parity.c;
+ refType = 4;
+ };
+ F5CFD44B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_sched.c;
+ refType = 4;
+ };
+ F5CFD44C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_tables.c;
+ refType = 4;
+ };
+ F5CFD44D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = f_tables.h;
+ refType = 4;
+ };
+ F5CFD44E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = key_sched.c;
+ refType = 4;
+ };
+ F5CFD450022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = string2key.c;
+ refType = 4;
+ };
+ F5CFD452022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = weak_key.c;
+ refType = 4;
+ };
+ F5CFD453022D86AD01120112 = {
+ children = (
+ F5CFD455022D86AD01120112,
+ F5CFD456022D86AD01120112,
+ F5CFD457022D86AD01120112,
+ F5CFD458022D86AD01120112,
+ F5CFD459022D86AD01120112,
+ F5CFD45A022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = dk;
+ refType = 4;
+ };
+ F5CFD455022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = checksum.c;
+ refType = 4;
+ };
+ F5CFD456022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = derive.c;
+ refType = 4;
+ };
+ F5CFD457022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = dk.h;
+ refType = 4;
+ };
+ F5CFD458022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = dk_decrypt.c;
+ refType = 4;
+ };
+ F5CFD459022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = dk_encrypt.c;
+ refType = 4;
+ };
+ F5CFD45A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = stringtokey.c;
+ refType = 4;
+ };
+ F5CFD45B022D86AD01120112 = {
+ children = (
+ F5CFD45D022D86AD01120112,
+ F5CFD45E022D86AD01120112,
+ F5CFD45F022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = enc_provider;
+ refType = 4;
+ };
+ F5CFD45D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = des.c;
+ refType = 4;
+ };
+ F5CFD45E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = des3.c;
+ refType = 4;
+ };
+ F5CFD45F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = enc_provider.h;
+ refType = 4;
+ };
+ F5CFD460022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = encrypt.c;
+ refType = 4;
+ };
+ F5CFD461022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = encrypt_length.c;
+ refType = 4;
+ };
+ F5CFD462022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = enctype_compare.c;
+ refType = 4;
+ };
+ F5CFD463022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = enctype_to_string.c;
+ refType = 4;
+ };
+ F5CFD464022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = etypes.c;
+ refType = 4;
+ };
+ F5CFD465022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = etypes.h;
+ refType = 4;
+ };
+ F5CFD466022D86AD01120112 = {
+ children = (
+ F5CFD468022D86AD01120112,
+ F5CFD469022D86AD01120112,
+ F5CFD46A022D86AD01120112,
+ F5CFD46B022D86AD01120112,
+ F5CFD46C022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = hash_provider;
+ refType = 4;
+ };
+ F5CFD468022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hash_crc32.c;
+ refType = 4;
+ };
+ F5CFD469022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hash_md4.c;
+ refType = 4;
+ };
+ F5CFD46A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hash_md5.c;
+ refType = 4;
+ };
+ F5CFD46B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hash_provider.h;
+ refType = 4;
+ };
+ F5CFD46C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hash_sha1.c;
+ refType = 4;
+ };
+ F5CFD46D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hmac.c;
+ refType = 4;
+ };
+ F5CFD46E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = keyed_checksum_types.c;
+ refType = 4;
+ };
+ F5CFD46F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = keyed_cksum.c;
+ refType = 4;
+ };
+ F5CFD470022D86AD01120112 = {
+ children = (
+ F5CFD472022D86AD01120112,
+ F5CFD473022D86AD01120112,
+ F5CFD474022D86AD01120112,
+ F5CFD475022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = keyhash_provider;
+ refType = 4;
+ };
+ F5CFD472022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = descbc.c;
+ refType = 4;
+ };
+ F5CFD473022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = k5_md4des.c;
+ refType = 4;
+ };
+ F5CFD474022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = k5_md5des.c;
+ refType = 4;
+ };
+ F5CFD475022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = keyhash_provider.h;
+ refType = 4;
+ };
+ F5CFD477022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = make_checksum.c;
+ refType = 4;
+ };
+ F5CFD478022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = make_random_key.c;
+ refType = 4;
+ };
+ F5CFD479022D86AD01120112 = {
+ children = (
+ F5CFD47B022D86AD01120112,
+ F5CFD47C022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = md4;
+ refType = 4;
+ };
+ F5CFD47B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = md4.c;
+ refType = 4;
+ };
+ F5CFD47C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "rsa-md4.h";
+ refType = 4;
+ };
+ F5CFD47D022D86AD01120112 = {
+ children = (
+ F5CFD47F022D86AD01120112,
+ F5CFD480022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = md5;
+ refType = 4;
+ };
+ F5CFD47F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = md5.c;
+ refType = 4;
+ };
+ F5CFD480022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "rsa-md5.h";
+ refType = 4;
+ };
+ F5CFD483022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = nfold.c;
+ refType = 4;
+ };
+ F5CFD484022D86AD01120112 = {
+ children = (
+ F5CFD486022D86AD01120112,
+ F5CFD488022D86AD01120112,
+ F5CFD489022D86AD01120112,
+ F5CFD48A022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = old;
+ refType = 4;
+ };
+ F5CFD486022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = des_stringtokey.c;
+ refType = 4;
+ };
+ F5CFD488022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = old.h;
+ refType = 4;
+ };
+ F5CFD489022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = old_decrypt.c;
+ refType = 4;
+ };
+ F5CFD48A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = old_encrypt.c;
+ refType = 4;
+ };
+ F5CFD48B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = old_api_glue.c;
+ refType = 4;
+ };
+ F5CFD48D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prng.c;
+ refType = 4;
+ };
+ F5CFD48E022D86AD01120112 = {
+ children = (
+ F5CFD491022D86AD01120112,
+ F5CFD492022D86AD01120112,
+ F5CFD493022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = raw;
+ refType = 4;
+ };
+ F5CFD491022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = raw.h;
+ refType = 4;
+ };
+ F5CFD492022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = raw_decrypt.c;
+ refType = 4;
+ };
+ F5CFD493022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = raw_encrypt.c;
+ refType = 4;
+ };
+ F5CFD495022D86AD01120112 = {
+ children = (
+ F5CFD498022D86AD01120112,
+ F5CFD499022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = sha1;
+ refType = 4;
+ };
+ F5CFD498022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = shs.c;
+ refType = 4;
+ };
+ F5CFD499022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = shs.h;
+ refType = 4;
+ };
+ F5CFD49C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = string_to_cksumtype.c;
+ refType = 4;
+ };
+ F5CFD49D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = string_to_enctype.c;
+ refType = 4;
+ };
+ F5CFD49E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = string_to_key.c;
+ refType = 4;
+ };
+ F5CFD4A0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = valid_cksumtype.c;
+ refType = 4;
+ };
+ F5CFD4A1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = valid_enctype.c;
+ refType = 4;
+ };
+ F5CFD4A2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = verify_checksum.c;
+ refType = 4;
+ };
+ F5CFD4A4022D86AD01120112 = {
+ children = (
+ F5CFD4A7022D86AD01120112,
+ F5CFD4A8022D86AD01120112,
+ F5CFD4AA022D86AD01120112,
+ F5CFD4AB022D86AD01120112,
+ F5CFD4AC022D86AD01120112,
+ F5CFD4AD022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = error_tables;
+ refType = 4;
+ };
+ F5CFD4A7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = adm_err.et;
+ refType = 4;
+ };
+ F5CFD4A8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = asn1_err.et;
+ refType = 4;
+ };
+ F5CFD4AA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = init_ets.c;
+ refType = 4;
+ };
+ F5CFD4AB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kdb5_err.et;
+ refType = 4;
+ };
+ F5CFD4AC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_err.et;
+ refType = 4;
+ };
+ F5CFD4AD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kv5m_err.et;
+ refType = 4;
+ };
+ F5CFD4AF022D86AD01120112 = {
+ children = (
+ F5CFD4B7022D86AD01120112,
+ F5CFD4CB022D86AD01120112,
+ F5CFD4CC022D86AD01120112,
+ F5CFD4CD022D86AD01120112,
+ F57B73370259188901120155,
+ F5CFD4CE022D86AD01120112,
+ F5CFD4CF022D86AD01120112,
+ F5CFD4D1022D86AD01120112,
+ F5CFD4D2022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = keytab;
+ refType = 4;
+ };
+ F5CFD4B7022D86AD01120112 = {
+ children = (
+ F5CFD4BA022D86AD01120112,
+ F5CFD4BB022D86AD01120112,
+ F5CFD4BC022D86AD01120112,
+ F5CFD4BD022D86AD01120112,
+ F5CFD4BE022D86AD01120112,
+ F5CFD4BF022D86AD01120112,
+ F5CFD4C0022D86AD01120112,
+ F5CFD4C1022D86AD01120112,
+ F5CFD4C2022D86AD01120112,
+ F5CFD4C3022D86AD01120112,
+ F5CFD4C4022D86AD01120112,
+ F5CFD4C5022D86AD01120112,
+ F5CFD4C6022D86AD01120112,
+ F5CFD4C7022D86AD01120112,
+ F5CFD4C8022D86AD01120112,
+ F5CFD4CA022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = file;
+ refType = 4;
+ };
+ F5CFD4BA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_add.c;
+ refType = 4;
+ };
+ F5CFD4BB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_close.c;
+ refType = 4;
+ };
+ F5CFD4BC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_defops.c;
+ refType = 4;
+ };
+ F5CFD4BD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_endget.c;
+ refType = 4;
+ };
+ F5CFD4BE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_g_ent.c;
+ refType = 4;
+ };
+ F5CFD4BF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_g_name.c;
+ refType = 4;
+ };
+ F5CFD4C0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_next.c;
+ refType = 4;
+ };
+ F5CFD4C1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_ops.c;
+ refType = 4;
+ };
+ F5CFD4C2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_remove.c;
+ refType = 4;
+ };
+ F5CFD4C3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_resolv.c;
+ refType = 4;
+ };
+ F5CFD4C4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_ssget.c;
+ refType = 4;
+ };
+ F5CFD4C5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_util.c;
+ refType = 4;
+ };
+ F5CFD4C6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_wops.c;
+ refType = 4;
+ };
+ F5CFD4C7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktf_wreslv.c;
+ refType = 4;
+ };
+ F5CFD4C8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktfile.h;
+ refType = 4;
+ };
+ F5CFD4CA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_ktf.c;
+ refType = 4;
+ };
+ F5CFD4CB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktadd.c;
+ refType = 4;
+ };
+ F5CFD4CC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktbase.c;
+ refType = 4;
+ };
+ F5CFD4CD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktdefault.c;
+ refType = 4;
+ };
+ F5CFD4CE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktfr_entry.c;
+ refType = 4;
+ };
+ F5CFD4CF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktremove.c;
+ refType = 4;
+ };
+ F5CFD4D1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = read_servi.c;
+ refType = 4;
+ };
+ F5CFD4D2022D86AD01120112 = {
+ children = (
+ F5CFD4D5022D86AD01120112,
+ F5CFD4D6022D86AD01120112,
+ F5CFD4D7022D86AD01120112,
+ F5CFD4D8022D86AD01120112,
+ F5CFD4D9022D86AD01120112,
+ F5CFD4DA022D86AD01120112,
+ F5CFD4DB022D86AD01120112,
+ F5CFD4DC022D86AD01120112,
+ F5CFD4DD022D86AD01120112,
+ F5CFD4DE022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = srvtab;
+ refType = 4;
+ };
+ F5CFD4D5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_close.c;
+ refType = 4;
+ };
+ F5CFD4D6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_endget.c;
+ refType = 4;
+ };
+ F5CFD4D7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_g_ent.c;
+ refType = 4;
+ };
+ F5CFD4D8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_g_name.c;
+ refType = 4;
+ };
+ F5CFD4D9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_next.c;
+ refType = 4;
+ };
+ F5CFD4DA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_ops.c;
+ refType = 4;
+ };
+ F5CFD4DB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_resolv.c;
+ refType = 4;
+ };
+ F5CFD4DC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_ssget.c;
+ refType = 4;
+ };
+ F5CFD4DD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kts_util.c;
+ refType = 4;
+ };
+ F5CFD4DE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktsrvtab.h;
+ refType = 4;
+ };
+ F5CFD4E0022D86AD01120112 = {
+ children = (
+ F5CFD4E2022D86AD01120112,
+ F5CFD4E3022D86AD01120112,
+ F5CFD4E4022D86AD01120112,
+ F5CFD4E5022D86AD01120112,
+ F5CFD4E6022D86AD01120112,
+ F5CFD4E7022D86AD01120112,
+ F5CFD4E8022D86AD01120112,
+ F5CFD4E9022D86AD01120112,
+ F5CFD4EC022D86AD01120112,
+ F5CFD4ED022D86AD01120112,
+ F5CFD4EE022D86AD01120112,
+ F5CFD4EF022D86AD01120112,
+ F5CFD4F0022D86AD01120112,
+ F5CFD4F1022D86AD01120112,
+ F5CFD4F2022D86AD01120112,
+ F5CFD4F3022D86AD01120112,
+ F5CFD4F4022D86AD01120112,
+ F5CFD4F5022D86AD01120112,
+ F5CFD4F6022D86AD01120112,
+ F5CFD4F7022D86AD01120112,
+ F5CFD4F8022D86AD01120112,
+ F5CFD4F9022D86AD01120112,
+ F5CFD4FA022D86AD01120112,
+ F5CFD4FB022D86AD01120112,
+ F5CFD4FC022D86AD01120112,
+ F5CFD4FD022D86AD01120112,
+ F5CFD4FE022D86AD01120112,
+ F5CFD4FF022D86AD01120112,
+ F5CFD500022D86AD01120112,
+ F5CFD501022D86AD01120112,
+ F5CFD502022D86AD01120112,
+ F5CFD503022D86AD01120112,
+ F5CFD504022D86AD01120112,
+ F5CFD505022D86AD01120112,
+ F5CFD506022D86AD01120112,
+ F5CFD507022D86AD01120112,
+ F5CFD508022D86AD01120112,
+ F5CFD509022D86AD01120112,
+ F5CFD50A022D86AD01120112,
+ F5CFD50B022D86AD01120112,
+ F5CFD50C022D86AD01120112,
+ F5CFD50D022D86AD01120112,
+ F5CFD50E022D86AD01120112,
+ F5F49B5E025A5AB901890E3A,
+ F5CFD50F022D86AD01120112,
+ F5CFD510022D86AD01120112,
+ F5CFD511022D86AD01120112,
+ F5CFD513022D86AD01120112,
+ F5CFD514022D86AD01120112,
+ F5CFD515022D86AD01120112,
+ F5CFD516022D86AD01120112,
+ F5CFD517022D86AD01120112,
+ F5CFD518022D86AD01120112,
+ F5CFD519022D86AD01120112,
+ F5CFD51A022D86AD01120112,
+ F5CFD51B022D86AD01120112,
+ F5CFD51C022D86AD01120112,
+ F5CFD51D022D86AD01120112,
+ F5CFD51E022D86AD01120112,
+ F5CFD51F022D86AD01120112,
+ F5CFD520022D86AD01120112,
+ F5CFD521022D86AD01120112,
+ F5CFD522022D86AD01120112,
+ F5CFD523022D86AD01120112,
+ F5CFD524022D86AD01120112,
+ F5CFD525022D86AD01120112,
+ F5CFD526022D86AD01120112,
+ F5CFD527022D86AD01120112,
+ F5CFD528022D86AD01120112,
+ F5CFD529022D86AD01120112,
+ F5CFD52A022D86AD01120112,
+ F5CFD52B022D86AD01120112,
+ F5CFD52C022D86AD01120112,
+ F5CFD52D022D86AD01120112,
+ F5CFD52E022D86AD01120112,
+ F5CFD52F022D86AD01120112,
+ F5CFD530022D86AD01120112,
+ F5CFD531022D86AD01120112,
+ F5CFD532022D86AD01120112,
+ F5CFD533022D86AD01120112,
+ F5CFD534022D86AD01120112,
+ F5CFD535022D86AD01120112,
+ F5CFD53E022D86AD01120112,
+ F5CFD53F022D86AD01120112,
+ F5CFD540022D86AD01120112,
+ F5CFD541022D86AD01120112,
+ F5CFD542022D86AD01120112,
+ F5CFD543022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = krb;
+ refType = 4;
+ };
+ F5CFD4E2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = addr_comp.c;
+ refType = 4;
+ };
+ F5CFD4E3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = addr_order.c;
+ refType = 4;
+ };
+ F5CFD4E4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = addr_srch.c;
+ refType = 4;
+ };
+ F5CFD4E5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = appdefault.c;
+ refType = 4;
+ };
+ F5CFD4E6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = auth_con.c;
+ refType = 4;
+ };
+ F5CFD4E7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = auth_con.h;
+ refType = 4;
+ };
+ F5CFD4E8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = bld_pr_ext.c;
+ refType = 4;
+ };
+ F5CFD4E9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = bld_princ.c;
+ refType = 4;
+ };
+ F5CFD4EC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = chk_trans.c;
+ refType = 4;
+ };
+ F5CFD4ED022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = chpw.c;
+ refType = 4;
+ };
+ F5CFD4EE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cleanup.h;
+ refType = 4;
+ };
+ F5CFD4EF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = conv_princ.c;
+ refType = 4;
+ };
+ F5CFD4F0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_addrs.c;
+ refType = 4;
+ };
+ F5CFD4F1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_athctr.c;
+ refType = 4;
+ };
+ F5CFD4F2022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_auth.c;
+ refType = 4;
+ };
+ F5CFD4F3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_cksum.c;
+ refType = 4;
+ };
+ F5CFD4F4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_creds.c;
+ refType = 4;
+ };
+ F5CFD4F5022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_data.c;
+ refType = 4;
+ };
+ F5CFD4F6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_key.c;
+ refType = 4;
+ };
+ F5CFD4F7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_princ.c;
+ refType = 4;
+ };
+ F5CFD4F8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = copy_tick.c;
+ refType = 4;
+ };
+ F5CFD4F9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cp_key_cnt.c;
+ refType = 4;
+ };
+ F5CFD4FA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = decode_kdc.c;
+ refType = 4;
+ };
+ F5CFD4FB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = decrypt_tk.c;
+ refType = 4;
+ };
+ F5CFD4FC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = deltat.c;
+ refType = 4;
+ };
+ F5CFD4FD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = enc_helper.c;
+ refType = 4;
+ };
+ F5CFD4FE022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = encode_kdc.c;
+ refType = 4;
+ };
+ F5CFD4FF022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = encrypt_tk.c;
+ refType = 4;
+ };
+ F5CFD500022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = free_rtree.c;
+ refType = 4;
+ };
+ F5CFD501022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = fwd_tgt.c;
+ refType = 4;
+ };
+ F5CFD502022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gc_frm_kdc.c;
+ refType = 4;
+ };
+ F5CFD503022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gc_via_tkt.c;
+ refType = 4;
+ };
+ F5CFD504022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gen_seqnum.c;
+ refType = 4;
+ };
+ F5CFD505022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gen_subkey.c;
+ refType = 4;
+ };
+ F5CFD506022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = get_creds.c;
+ refType = 4;
+ };
+ F5CFD507022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = get_in_tkt.c;
+ refType = 4;
+ };
+ F5CFD508022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gic_keytab.c;
+ refType = 4;
+ };
+ F5CFD509022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gic_opt.c;
+ refType = 4;
+ };
+ F5CFD50A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gic_pwd.c;
+ refType = 4;
+ };
+ F5CFD50B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = in_tkt_ktb.c;
+ refType = 4;
+ };
+ F5CFD50C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = in_tkt_pwd.c;
+ refType = 4;
+ };
+ F5CFD50D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = in_tkt_sky.c;
+ refType = 4;
+ };
+ F5CFD50E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = init_ctx.c;
+ refType = 4;
+ };
+ F5CFD50F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "int-proto.h";
+ refType = 4;
+ };
+ F5CFD510022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kdc_rep_dc.c;
+ refType = 4;
+ };
+ F5CFD511022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kfree.c;
+ refType = 4;
+ };
+ F5CFD513022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_cred.c;
+ refType = 4;
+ };
+ F5CFD514022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_error.c;
+ refType = 4;
+ };
+ F5CFD515022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_priv.c;
+ refType = 4;
+ };
+ F5CFD516022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_rep.c;
+ refType = 4;
+ };
+ F5CFD517022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_req.c;
+ refType = 4;
+ };
+ F5CFD518022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_req_ext.c;
+ refType = 4;
+ };
+ F5CFD519022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_safe.c;
+ refType = 4;
+ };
+ F5CFD51A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = parse.c;
+ refType = 4;
+ };
+ F5CFD51B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = pr_to_salt.c;
+ refType = 4;
+ };
+ F5CFD51C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = preauth.c;
+ refType = 4;
+ };
+ F5CFD51D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = preauth2.c;
+ refType = 4;
+ };
+ F5CFD51E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = princ_comp.c;
+ refType = 4;
+ };
+ F5CFD51F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_cred.c;
+ refType = 4;
+ };
+ F5CFD520022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_error.c;
+ refType = 4;
+ };
+ F5CFD521022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_priv.c;
+ refType = 4;
+ };
+ F5CFD522022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_rep.c;
+ refType = 4;
+ };
+ F5CFD523022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_req.c;
+ refType = 4;
+ };
+ F5CFD524022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_req_dec.c;
+ refType = 4;
+ };
+ F5CFD525022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rd_safe.c;
+ refType = 4;
+ };
+ F5CFD526022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = recvauth.c;
+ refType = 4;
+ };
+ F5CFD527022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = send_tgs.c;
+ refType = 4;
+ };
+ F5CFD528022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = sendauth.c;
+ refType = 4;
+ };
+ F5CFD529022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_actx.c;
+ refType = 4;
+ };
+ F5CFD52A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_adata.c;
+ refType = 4;
+ };
+ F5CFD52B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_addr.c;
+ refType = 4;
+ };
+ F5CFD52C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_auth.c;
+ refType = 4;
+ };
+ F5CFD52D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_cksum.c;
+ refType = 4;
+ };
+ F5CFD52E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_ctx.c;
+ refType = 4;
+ };
+ F5CFD52F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_eblk.c;
+ refType = 4;
+ };
+ F5CFD530022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_key.c;
+ refType = 4;
+ };
+ F5CFD531022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_princ.c;
+ refType = 4;
+ };
+ F5CFD532022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = serialize.c;
+ refType = 4;
+ };
+ F5CFD533022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = set_realm.c;
+ refType = 4;
+ };
+ F5CFD534022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = srv_rcache.c;
+ refType = 4;
+ };
+ F5CFD535022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = str_conv.c;
+ refType = 4;
+ };
+ F5CFD53E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = tgtname.c;
+ refType = 4;
+ };
+ F5CFD53F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = unparse.c;
+ refType = 4;
+ };
+ F5CFD540022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = valid_times.c;
+ refType = 4;
+ };
+ F5CFD541022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = vfy_increds.c;
+ refType = 4;
+ };
+ F5CFD542022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = vic_opt.c;
+ refType = 4;
+ };
+ F5CFD543022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = walk_rtree.c;
+ refType = 4;
+ };
+ F5CFD545022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_libinit.c;
+ refType = 4;
+ };
+ F5CFD546022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb5_libinit.h;
+ refType = 4;
+ };
+ F5CFD547022D86AD01120112 = {
+ children = (
+ F5CFD549022D86AD01120112,
+ F5CFD54A022D86AD01120112,
+ F5CFD54B022D86AD01120112,
+ F5CFD54D022D86AD01120112,
+ F5CFD54E022D86AD01120112,
+ F5CFD54F022D86AD01120112,
+ F5CFD550022D86AD01120112,
+ F5CFD551022D86AD01120112,
+ F5CFD552022D86AD01120112,
+ F5CFD553022D86AD01120112,
+ F5CFD554022D86AD01120112,
+ F5CFD555022D86AD01120112,
+ F5CFD556022D86AD01120112,
+ F5CFD557022D86AD01120112,
+ F5CFD558022D86AD01120112,
+ F5CFD559022D86AD01120112,
+ F5CFD55A022D86AD01120112,
+ F5CFD55B022D86AD01120112,
+ F5CFD55C022D86AD01120112,
+ F5CFD55D022D86AD01120112,
+ F5CFD55E022D86AD01120112,
+ F5CFD55F022D86AD01120112,
+ F5CFD561022D86AD01120112,
+ F5CFD562022D86AD01120112,
+ F5CFD563022D86AD01120112,
+ F5CFD564022D86AD01120112,
+ F5CFD565022D86AD01120112,
+ F5CFD566022D86AD01120112,
+ F5CFD567022D86AD01120112,
+ F5CFD568022D86AD01120112,
+ F5CFD569022D86AD01120112,
+ F5CFD56A022D86AD01120112,
+ F5CFD56B022D86AD01120112,
+ F5CFD56C022D86AD01120112,
+ F5CFD56E022D86AD01120112,
+ F5CFD56F022D86AD01120112,
+ F5CFD574022D86AD01120112,
+ F5CFD575022D86AD01120112,
+ F5CFD576022D86AD01120112,
+ F5CFD577022D86AD01120112,
+ F5CFD578022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = os;
+ refType = 4;
+ };
+ F5CFD549022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = an_to_ln.c;
+ refType = 4;
+ };
+ F5CFD54A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = c_ustime.c;
+ refType = 4;
+ };
+ F5CFD54B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ccdefname.c;
+ refType = 4;
+ };
+ F5CFD54D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = changepw.c;
+ refType = 4;
+ };
+ F5CFD54E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = def_realm.c;
+ refType = 4;
+ };
+ F5CFD54F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = free_hstrl.c;
+ refType = 4;
+ };
+ F5CFD550022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = free_krbhs.c;
+ refType = 4;
+ };
+ F5CFD551022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = full_ipadr.c;
+ refType = 4;
+ };
+ F5CFD552022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gen_port.c;
+ refType = 4;
+ };
+ F5CFD553022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gen_rname.c;
+ refType = 4;
+ };
+ F5CFD554022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = genaddrs.c;
+ refType = 4;
+ };
+ F5CFD555022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = get_krbhst.c;
+ refType = 4;
+ };
+ F5CFD556022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = gmt_mktime.c;
+ refType = 4;
+ };
+ F5CFD557022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hostaddr.c;
+ refType = 4;
+ };
+ F5CFD558022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = hst_realm.c;
+ refType = 4;
+ };
+ F5CFD559022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = init_os_ctx.c;
+ refType = 4;
+ };
+ F5CFD55A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krbfileio.c;
+ refType = 4;
+ };
+ F5CFD55B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ktdefname.c;
+ refType = 4;
+ };
+ F5CFD55C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = kuserok.c;
+ refType = 4;
+ };
+ F5CFD55D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = localaddr.c;
+ refType = 4;
+ };
+ F5CFD55E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = locate_kdc.c;
+ refType = 4;
+ };
+ F5CFD55F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = lock_file.c;
+ refType = 4;
+ };
+ F5CFD561022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = mk_faddr.c;
+ refType = 4;
+ };
+ F5CFD562022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = net_read.c;
+ refType = 4;
+ };
+ F5CFD563022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = net_write.c;
+ refType = 4;
+ };
+ F5CFD564022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = "os-proto.h";
+ refType = 4;
+ };
+ F5CFD565022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = osconfig.c;
+ refType = 4;
+ };
+ F5CFD566022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = port2ip.c;
+ refType = 4;
+ };
+ F5CFD567022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prompter.c;
+ refType = 4;
+ };
+ F5CFD568022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = promptusr.c;
+ refType = 4;
+ };
+ F5CFD569022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = read_msg.c;
+ refType = 4;
+ };
+ F5CFD56A022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = read_pwd.c;
+ refType = 4;
+ };
+ F5CFD56B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = realm_dom.c;
+ refType = 4;
+ };
+ F5CFD56C022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = realm_iter.c;
+ refType = 4;
+ };
+ F5CFD56E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = sendto_kdc.c;
+ refType = 4;
+ };
+ F5CFD56F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = sn2princ.c;
+ refType = 4;
+ };
+ F5CFD574022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = timeofday.c;
+ refType = 4;
+ };
+ F5CFD575022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = toffset.c;
+ refType = 4;
+ };
+ F5CFD576022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = unlck_file.c;
+ refType = 4;
+ };
+ F5CFD577022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ustime.c;
+ refType = 4;
+ };
+ F5CFD578022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = write_msg.c;
+ refType = 4;
+ };
+ F5CFD579022D86AD01120112 = {
+ children = (
+ F5CFD580022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = posix;
+ refType = 4;
+ };
+ F5CFD580022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = setenv.c;
+ refType = 4;
+ };
+ F5CFD588022D86AD01120112 = {
+ children = (
+ F5CFD58D022D86AD01120112,
+ F5CFD58E022D86AD01120112,
+ F5CFD58F022D86AD01120112,
+ F5CFD590022D86AD01120112,
+ F5CFD591022D86AD01120112,
+ F5CFD592022D86AD01120112,
+ F5CFD593022D86AD01120112,
+ F5CFD594022D86AD01120112,
+ F5CFD597022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = rcache;
+ refType = 4;
+ };
+ F5CFD58D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_base.c;
+ refType = 4;
+ };
+ F5CFD58E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_base.h;
+ refType = 4;
+ };
+ F5CFD58F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_conv.c;
+ refType = 4;
+ };
+ F5CFD590022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_dfl.c;
+ refType = 4;
+ };
+ F5CFD591022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_dfl.h;
+ refType = 4;
+ };
+ F5CFD592022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_io.c;
+ refType = 4;
+ };
+ F5CFD593022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rc_io.h;
+ refType = 4;
+ };
+ F5CFD594022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = rcdef.c;
+ refType = 4;
+ };
+ F5CFD597022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ser_rc.c;
+ refType = 4;
+ };
+ F5CFD598022D86AD01120112 = {
+ children = (
+ F5CFD59B022D86AD01120112,
+ F5CFD59D022D86AD01120112,
+ F5CFD59E022D86AD01120112,
+ F5CFD59F022D86AD01120112,
+ F5CFD5A1022D86AD01120112,
+ F5CFD5A3022D86AD01120112,
+ F5CFD5A4022D86AD01120112,
+ F5CFD5A8022D86AD01120112,
+ F5CFD5AB022D86AD01120112,
+ );
+ isa = PBXGroup;
+ path = Kerberos524;
+ refType = 4;
+ };
+ F5CFD59B022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = cnv_tkt_skey.c;
+ refType = 4;
+ };
+ F5CFD59D022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = conv_creds.c;
+ refType = 4;
+ };
+ F5CFD59E022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = conv_princ.c;
+ refType = 4;
+ };
+ F5CFD59F022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = encode.c;
+ refType = 4;
+ };
+ F5CFD5A1022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = globals.c;
+ refType = 4;
+ };
+ F5CFD5A3022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb524.h;
+ refType = 4;
+ };
+ F5CFD5A4022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = krb524_err.et;
+ refType = 4;
+ };
+ F5CFD5A8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = misc.c;
+ refType = 4;
+ };
+ F5CFD5AB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = sendmsg.c;
+ refType = 4;
+ };
+ F5CFD5AD022D86AD01120112 = {
+ children = (
+ F5CFD5B6022D86AD01120112,
+ F5CFD5B7022D86AD01120112,
+ F5CFD5B8022D86AD01120112,
+ F5CFD5B9022D86AD01120112,
+ F5CFD5BA022D86AD01120112,
+ F5CFD5BB022D86AD01120112,
+ F5CFD5BC022D86AD01120112,
+ F5CFD5BD022D86AD01120112,
+ F5CFD5C0022D86AD01120112,
+ F58602F2022EDA8301120112,
+ F58602F3022EDA8301120112,
+ );
+ isa = PBXGroup;
+ path = KerberosProfile;
+ refType = 4;
+ };
+ F5CFD5B6022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_err.et;
+ refType = 4;
+ };
+ F5CFD5B7022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_file.c;
+ refType = 4;
+ };
+ F5CFD5B8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_get.c;
+ refType = 4;
+ };
+ F5CFD5B9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_init.c;
+ refType = 4;
+ };
+ F5CFD5BA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_int.h;
+ refType = 4;
+ };
+ F5CFD5BB022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_parse.c;
+ refType = 4;
+ };
+ F5CFD5BC022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_set.c;
+ refType = 4;
+ };
+ F5CFD5BD022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = prof_tree.c;
+ refType = 4;
+ };
+ F5CFD5C0022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = profile.hin;
+ refType = 4;
+ };
+ F5CFD5C1022D86AD01120112 = {
+ isa = PBXFileReference;
+ name = profile.pbexp;
+ path = ../Sources/KerberosProfile/profile.pbexp;
+ refType = 2;
+ };
+ F5CFD5C7022D86AD01120112 = {
+ children = (
+ F5CFD5C8022D86AD01120112,
+ F5CFD5C9022D86AD01120112,
+ F5CFD5CA022D86AD01120112,
+ F52B1677022FD39801120112,
+ );
+ isa = PBXGroup;
+ path = MacOSX;
+ refType = 4;
+ };
+ F5CFD5C8022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = GSSInit.cp;
+ refType = 4;
+ };
+ F5CFD5C9022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5Init.cp;
+ refType = 4;
+ };
+ F5CFD5CA022D86AD01120112 = {
+ isa = PBXFileReference;
+ path = ProfileInit.cp;
+ refType = 4;
+ };
+ F5CFD5CB022D86AD01120112 = {
+ children = (
+ F5CFD5CC022D86AD01120112,
+ F5CFD638022DD45401120112,
+ F5C44E900231BD6801120112,
+ );
+ isa = PBXGroup;
+ name = Products;
+ refType = 4;
+ };
+ F5CFD5CC022D86AD01120112 = {
+ isa = PBXLibraryReference;
+ path = libKerberosProfile.a;
+ refType = 3;
+ };
+ F5CFD5CD022D86AD01120112 = {
+ buildPhases = (
+ F5CFD5CE022D86AD01120112,
+ F5CFD5CF022D86AD01120112,
+ F5CFD5D0022D86AD01120112,
+ F5CFD5D1022D86AD01120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ HEADER_SEARCH_PATHS = "\"$(SRCROOT)/../../KerberosErrors/Headers\" \"$(SRCROOT)/../../KerberosDebug/Headers\" \"$(SRCROOT)/../../KerberosPreferences/Headers\" \"$(SRCROOT)/../../MoreFiles/Headers\"";
+ LIBRARY_STYLE = STATIC;
+ PREFIX_HEADER = "$(SRCROOT)/../Headers/MacOSX/Kerberos5Prefix.h";
+ PRODUCT_NAME = libKerberosProfile.a;
+ REZ_EXECUTABLE = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ F5CFD5E7022D8A9901120112,
+ F5CFD62B022D922C01120112,
+ );
+ isa = PBXLibraryTarget;
+ name = KerberosProfile;
+ productInstallPath = /usr/local/lib;
+ productName = KerberosProfile;
+ productReference = F5CFD5CC022D86AD01120112;
+ shouldUseHeadermap = 0;
+ };
+ F5CFD5CE022D86AD01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5CFD5D2022D87C301120112,
+ F5CFD62D022D96AC01120112,
+ F5CFD7CC022DE7DC01120112,
+ F5CFD7CD022DE7DC01120112,
+ F5CFD7CE022DE7DC01120112,
+ F5CFD7CF022DE7DC01120112,
+ F5CFD7D0022DE7DC01120112,
+ F5CFD7D1022DE7DC01120112,
+ F5CFD7D2022DE7DC01120112,
+ F5CFD7D3022DE7DC01120112,
+ F5CFD7D4022DE7DC01120112,
+ F58602F4022EDA8301120112,
+ F5C44D71023163F601120112,
+ F5C2DF3F0240F9FD01650119,
+ F5C2DF610240FA5F01650119,
+ F5C2DF620240FA6001650119,
+ F5C2DF6D0240FA9901650119,
+ F5C2DF6E0240FA9A01650119,
+ );
+ isa = PBXHeadersBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD5CF022D86AD01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5CFD5D3022D87C301120112,
+ F5CFD5D4022D87C301120112,
+ F5CFD5D5022D87C301120112,
+ F5CFD5D6022D87C301120112,
+ F5CFD5D7022D87C301120112,
+ F5CFD5D8022D87C301120112,
+ F58602F5022EDA8301120112,
+ F5C2DF3E0240F9FC01650119,
+ );
+ isa = PBXSourcesBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD5D0022D86AD01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXFrameworksBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD5D1022D86AD01120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD5D2022D87C301120112 = {
+ fileRef = F5CFD5BA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D3022D87C301120112 = {
+ fileRef = F5CFD5BD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D4022D87C301120112 = {
+ fileRef = F5CFD5BB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D5022D87C301120112 = {
+ fileRef = F5CFD5BC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D6022D87C301120112 = {
+ fileRef = F5CFD5B9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D7022D87C301120112 = {
+ fileRef = F5CFD5B8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5D8022D87C301120112 = {
+ fileRef = F5CFD5B7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD5E4022D891701120112 = {
+ children = (
+ F5CFD5E5022D891701120112,
+ F5CFD60D022D8BD601120112,
+ );
+ isa = PBXGroup;
+ name = Scripts;
+ path = ../Scripts;
+ refType = 2;
+ };
+ F5CFD5E5022D891701120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5Errors.jam;
+ refType = 4;
+ };
+ F5CFD5E6022D8A9901120112 = {
+ buildArgumentsString = "-d3 \"-sJAMFILE=$(SRCROOT)/../Scripts/Kerberos5Errors.jam\" \"-sSRCROOT=$(SRCROOT)\" \"-sSYMROOT=$(SYMROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sTARGET_BUILD_DIR=$(TARGET_BUILD_DIR)\" \"-sBUILT_PRODUCTS_DIR=$(BUILT_PRODUCTS_DIR)\" \"-sOTHER_CFLAGS=$(OTHER_CFLAGS)\" \"-sOTHER_CPLUSPLUSFLAGS=$(OTHER_CPLUSPLUSFLAGS)\" \"-sOPTIMIZATION_CFLAGS=$(OPTIMIZATION_CFLAGS)\" \"-sINSTALL_MODE_FLAG=$(INSTALL_MODE_FLAG)\" \"-sKERBEROS_ORDER_FILE=$(KERBEROS_ORDER_FILE)\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Error Table Generation";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ );
+ isa = PBXLegacyTarget;
+ name = "Error Table Generation";
+ productName = "Error Table Generation";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5CFD5E7022D8A9901120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD5E6022D8A9901120112;
+ };
+ F5CFD5EC022D8B6001120112 = {
+ isa = PBXFileReference;
+ path = GSS.pbexp;
+ refType = 2;
+ };
+ F5CFD5ED022D8B6001120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5.pbexp;
+ refType = 2;
+ };
+ F5CFD5EE022D8B6001120112 = {
+ children = (
+ F5C2DF100240F9F601650119,
+ F5C2DF490240FA3601650119,
+ F5C2DF5C0240FA5A01650119,
+ );
+ isa = PBXGroup;
+ path = Kerberos5.intermediates;
+ refType = 3;
+ };
+ F5CFD60D022D8BD601120112 = {
+ isa = PBXFileReference;
+ path = Kerberos5Headers.jam;
+ refType = 4;
+ };
+ F5CFD60E022D911001120112 = {
+ children = (
+ F5CFD60F022D911001120112,
+ F5CFD61F022D911001120112,
+ );
+ isa = PBXGroup;
+ name = Headers;
+ path = ../Headers;
+ refType = 2;
+ };
+ F5CFD60F022D911001120112 = {
+ children = (
+ F5CFD7C0022DE7DC01120112,
+ F5CFD612022D911001120112,
+ F5CFD613022D911001120112,
+ F5CFD617022D911001120112,
+ F5CFD618022D911001120112,
+ F5CFD619022D911001120112,
+ F5CFD61A022D911001120112,
+ F5C44EE40231C1C301120112,
+ );
+ isa = PBXGroup;
+ path = Kerberos5;
+ refType = 4;
+ };
+ F5CFD612022D911001120112 = {
+ isa = PBXFileReference;
+ path = bsdlib.h;
+ refType = 4;
+ };
+ F5CFD613022D911001120112 = {
+ isa = PBXFileReference;
+ path = bstring.h;
+ refType = 4;
+ };
+ F5CFD617022D911001120112 = {
+ isa = PBXFileReference;
+ path = "k5-int.h";
+ refType = 4;
+ };
+ F5CFD618022D911001120112 = {
+ isa = PBXFileReference;
+ path = "k5-util.h";
+ refType = 4;
+ };
+ F5CFD619022D911001120112 = {
+ isa = PBXFileReference;
+ path = krb5.hin;
+ refType = 4;
+ };
+ F5CFD61A022D911001120112 = {
+ isa = PBXFileReference;
+ path = krb54proto.h;
+ refType = 4;
+ };
+ F5CFD61F022D911001120112 = {
+ children = (
+ F5CFD62C022D96AB01120112,
+ F52B167A022FD68601120112,
+ F5C44D6E0231639F01120112,
+ F5C44D70023163F601120112,
+ F5C44D740231645A01120112,
+ );
+ isa = PBXGroup;
+ path = MacOSX;
+ refType = 4;
+ };
+ F5CFD629022D922C01120112 = {
+ buildArgumentsString = "-d3 \"-sJAMFILE=$(SRCROOT)/../Scripts/Kerberos5Headers.jam\" \"-sSRCROOT=$(SRCROOT)\" \"-sSYMROOT=$(SYMROOT)\" \"-sOBJROOT=$(OBJROOT)\" \"-sDSTROOT=$(DSTROOT)\" \"-sTARGET_BUILD_DIR=$(TARGET_BUILD_DIR)\" \"-sBUILT_PRODUCTS_DIR=$(BUILT_PRODUCTS_DIR)\" \"-sOTHER_CFLAGS=$(OTHER_CFLAGS)\" \"-sOTHER_CPLUSPLUSFLAGS=$(OTHER_CPLUSPLUSFLAGS)\" \"-sOPTIMIZATION_CFLAGS=$(OPTIMIZATION_CFLAGS)\" \"-sINSTALL_MODE_FLAG=$(INSTALL_MODE_FLAG)\" \"-sKERBEROS_ORDER_FILE=$(KERBEROS_ORDER_FILE)\" $(ACTION)";
+ buildPhases = (
+ );
+ buildSettings = {
+ OTHER_CFLAGS = "";
+ OTHER_LDFLAGS = "";
+ OTHER_REZFLAGS = "";
+ PRODUCT_NAME = "Header Generation";
+ SECTORDER_FLAGS = "";
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ buildToolPath = /usr/bin/jam;
+ dependencies = (
+ F5CFD62A022D922C01120112,
+ );
+ isa = PBXLegacyTarget;
+ name = "Header Generation";
+ productName = "Header Generation";
+ settingsToExpand = 6;
+ settingsToPassInEnvironment = 287;
+ settingsToPassOnCommandLine = 280;
+ shouldUseHeadermap = 0;
+ };
+ F5CFD62A022D922C01120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD5E6022D8A9901120112;
+ };
+ F5CFD62B022D922C01120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD629022D922C01120112;
+ };
+ F5CFD62C022D96AB01120112 = {
+ isa = PBXFileReference;
+ name = Kerberos5Prefix.h;
+ path = ../Headers/MacOSX/Kerberos5Prefix.h;
+ refType = 2;
+ };
+ F5CFD62D022D96AC01120112 = {
+ fileRef = F5CFD62C022D96AB01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD638022DD45401120112 = {
+ isa = PBXLibraryReference;
+ path = libKerberos5.a;
+ refType = 3;
+ };
+ F5CFD639022DD45401120112 = {
+ buildPhases = (
+ F5CFD63A022DD45401120112,
+ F5CFD63B022DD45401120112,
+ F5CFD63C022DD45401120112,
+ F5CFD63D022DD45401120112,
+ );
+ buildSettings = {
+ DYLIB_COMPATIBILITY_VERSION = 1;
+ DYLIB_CURRENT_VERSION = 1;
+ HEADER_SEARCH_PATHS = "\"$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates\" \"$(BUILT_PRODUCTS_DIR)/Kerberos4.intermediates\" \"$(SRCROOT)/../../KerberosDebug/Headers\" \"$(SRCROOT)/../../KerberosErrors/Headers\" \"$(SRCROOT)/../../KerberosPreferences/Headers\" \"$(SRCROOT)/../../KerberosDES/Headers\" \"$(SRCROOT)/../../CredentialsCache/Headers\" \"$(SRCROOT)/../../KerberosLogin/Headers\"";
+ LIBRARY_STYLE = STATIC;
+ PREFIX_HEADER = "$(SRCROOT)/../Headers/MacOSX/Kerberos5Prefix.h";
+ PRODUCT_NAME = libKerberos5.a;
+ REZ_EXECUTABLE = YES;
+ WARNING_CFLAGS = "-Wmost -Wno-four-char-constants -Wno-unknown-pragmas";
+ };
+ dependencies = (
+ F5CFD7D8022DE82501120112,
+ F5CFD7D9022DE82501120112,
+ );
+ isa = PBXLibraryTarget;
+ name = Kerberos5;
+ productInstallPath = /usr/local/lib;
+ productName = Kerberos5;
+ productReference = F5CFD638022DD45401120112;
+ shouldUseHeadermap = 0;
+ };
+ F5CFD63A022DD45401120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5CFD647022DD6E701120112,
+ F5CFD648022DD6E701120112,
+ F5CFD650022DD73201120112,
+ F5CFD651022DD73201120112,
+ F5CFD652022DD73201120112,
+ F5CFD66E022DD8A301120112,
+ F5CFD670022DD9A501120112,
+ F5CFD671022DD9A501120112,
+ F5CFD672022DD9A501120112,
+ F5CFD673022DD9A501120112,
+ F5CFD674022DD9A501120112,
+ F5CFD675022DD9A501120112,
+ F5CFD676022DD9A501120112,
+ F5CFD677022DD9A501120112,
+ F5CFD678022DD9A501120112,
+ F5CFD679022DD9A501120112,
+ F5CFD67A022DD9A501120112,
+ F5CFD69C022DDA0101120112,
+ F5CFD69D022DDA0101120112,
+ F5CFD69E022DDA0101120112,
+ F5CFD69F022DDA0101120112,
+ F5CFD6A0022DDA0101120112,
+ F5CFD6A1022DDA0101120112,
+ F5CFD6A2022DDA0101120112,
+ F5CFD6A3022DDA0101120112,
+ F5CFD6A4022DDA0101120112,
+ F5CFD6A5022DDA0101120112,
+ F5CFD6A6022DDA0101120112,
+ F5CFD6B2022DDB2D01120112,
+ F5CFD6B3022DDB2D01120112,
+ F5CFD6B4022DDB2D01120112,
+ F5CFD6B5022DDB2D01120112,
+ F5CFD6B6022DDB2D01120112,
+ F5CFD6B7022DDB2D01120112,
+ F5CFD6B8022DDB2D01120112,
+ F5CFD6B9022DDB2D01120112,
+ F5CFD6BA022DDB2D01120112,
+ F5CFD712022DDB6201120112,
+ F5CFD71D022DDC6301120112,
+ F5CFD71E022DDC6301120112,
+ F5CFD71F022DDC6301120112,
+ F5CFD774022DDE1301120112,
+ F5CFD775022DDE1301120112,
+ F5CFD776022DDE1301120112,
+ F5CFD777022DDE1301120112,
+ F5CFD7D6022DE7DC01120112,
+ F5C44D6F0231639F01120112,
+ F5C2DF2D0240F9F601650119,
+ F5C2DF2F0240F9F601650119,
+ F5C2DF350240F9F601650119,
+ F5C2DF390240F9F601650119,
+ F5C2DF3B0240F9F601650119,
+ F5C2DF570240FA3601650119,
+ F5C2DF590240FA3601650119,
+ F5C2DF5B0240FA3601650119,
+ F5C2DF5F0240FA5A01650119,
+ F5C2DF600240FA5A01650119,
+ F581830902536E2501120112,
+ F58183520253A2F301120112,
+ );
+ isa = PBXHeadersBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD63B022DD45401120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ F5CFD653022DD73201120112,
+ F5CFD654022DD73201120112,
+ F5CFD655022DD73201120112,
+ F5CFD656022DD73201120112,
+ F5CFD657022DD73201120112,
+ F5CFD658022DD73201120112,
+ F5CFD659022DD73201120112,
+ F5CFD65A022DD73201120112,
+ F5CFD65B022DD73201120112,
+ F5CFD65C022DD73201120112,
+ F5CFD65D022DD73201120112,
+ F5CFD65E022DD73201120112,
+ F5CFD65F022DD73201120112,
+ F5CFD660022DD73201120112,
+ F5CFD661022DD73201120112,
+ F5CFD662022DD73201120112,
+ F5CFD663022DD73201120112,
+ F5CFD664022DD76E01120112,
+ F5CFD665022DD76E01120112,
+ F5CFD666022DD76E01120112,
+ F5CFD667022DD76E01120112,
+ F5CFD668022DD76E01120112,
+ F5CFD669022DD76E01120112,
+ F5CFD66B022DD76E01120112,
+ F5CFD66C022DD76E01120112,
+ F5CFD66D022DD76E01120112,
+ F5CFD66F022DD8A301120112,
+ F5CFD67B022DD9A501120112,
+ F5CFD67C022DD9A501120112,
+ F5CFD67D022DD9A501120112,
+ F5CFD67E022DD9A501120112,
+ F5CFD67F022DD9A501120112,
+ F5CFD680022DD9A501120112,
+ F5CFD683022DD9A501120112,
+ F5CFD684022DD9A501120112,
+ F5CFD685022DD9A501120112,
+ F5CFD686022DD9A501120112,
+ F5CFD687022DD9A501120112,
+ F5CFD688022DD9A501120112,
+ F5CFD689022DD9A501120112,
+ F5CFD68A022DD9A501120112,
+ F5CFD68B022DD9A501120112,
+ F5CFD68C022DD9A501120112,
+ F5CFD68D022DD9A501120112,
+ F5CFD68E022DD9A501120112,
+ F5CFD68F022DD9A501120112,
+ F5CFD690022DD9A501120112,
+ F5CFD691022DD9A501120112,
+ F5CFD692022DD9A501120112,
+ F5CFD693022DD9A501120112,
+ F5CFD694022DD9A501120112,
+ F5CFD695022DD9A501120112,
+ F5CFD696022DD9A501120112,
+ F5CFD697022DD9A501120112,
+ F5CFD698022DD9A501120112,
+ F5CFD699022DD9A501120112,
+ F5CFD69A022DD9A501120112,
+ F5CFD69B022DD9A501120112,
+ F5CFD6A7022DDA0101120112,
+ F5CFD6A8022DDA0101120112,
+ F5CFD6A9022DDA0101120112,
+ F5CFD6AA022DDA0101120112,
+ F5CFD6AB022DDA0101120112,
+ F5CFD6AC022DDA0101120112,
+ F5CFD6AD022DDA0101120112,
+ F5CFD6AE022DDA0101120112,
+ F5CFD6AF022DDA0101120112,
+ F5CFD6B0022DDA0101120112,
+ F5CFD6B1022DDA0101120112,
+ F5CFD6BB022DDB2D01120112,
+ F5CFD6BC022DDB2D01120112,
+ F5CFD6BD022DDB2D01120112,
+ F5CFD6BE022DDB2D01120112,
+ F5CFD6BF022DDB2D01120112,
+ F5CFD6C0022DDB2D01120112,
+ F5CFD6C1022DDB2D01120112,
+ F5CFD6C2022DDB2D01120112,
+ F5CFD6C3022DDB2D01120112,
+ F5CFD6C4022DDB2D01120112,
+ F5CFD6C5022DDB2D01120112,
+ F5CFD6C6022DDB2D01120112,
+ F5CFD6C7022DDB2D01120112,
+ F5CFD6C8022DDB2D01120112,
+ F5CFD6C9022DDB2D01120112,
+ F5CFD6CA022DDB2D01120112,
+ F5CFD6CB022DDB2D01120112,
+ F5CFD6CC022DDB2D01120112,
+ F5CFD6CD022DDB2D01120112,
+ F5CFD6CE022DDB2D01120112,
+ F5CFD6CF022DDB2D01120112,
+ F5CFD6D0022DDB2D01120112,
+ F5CFD6D1022DDB2D01120112,
+ F5CFD6D2022DDB2D01120112,
+ F5CFD6D3022DDB2D01120112,
+ F5CFD6D4022DDB2D01120112,
+ F5CFD6D5022DDB2D01120112,
+ F5CFD6D6022DDB2D01120112,
+ F5CFD6D8022DDB2D01120112,
+ F5CFD6D9022DDB2D01120112,
+ F5CFD6DA022DDB2D01120112,
+ F5CFD6DB022DDB2D01120112,
+ F5CFD6DC022DDB2D01120112,
+ F5CFD6DD022DDB2D01120112,
+ F5CFD6DE022DDB2D01120112,
+ F5CFD6DF022DDB2D01120112,
+ F5CFD6E0022DDB2D01120112,
+ F5CFD6E1022DDB2D01120112,
+ F5CFD6E2022DDB2D01120112,
+ F5CFD6E3022DDB2D01120112,
+ F5CFD6E4022DDB2D01120112,
+ F5CFD6E5022DDB2D01120112,
+ F5CFD6E6022DDB2D01120112,
+ F5CFD6E8022DDB2D01120112,
+ F5CFD6E9022DDB2D01120112,
+ F5CFD6EA022DDB2D01120112,
+ F5CFD6EB022DDB2D01120112,
+ F5CFD6EC022DDB2D01120112,
+ F5CFD6ED022DDB2D01120112,
+ F5CFD6EE022DDB2D01120112,
+ F5CFD6EF022DDB2D01120112,
+ F5CFD6F0022DDB2D01120112,
+ F5CFD6F1022DDB2D01120112,
+ F5CFD6F2022DDB2D01120112,
+ F5CFD6F3022DDB2D01120112,
+ F5CFD6F4022DDB2D01120112,
+ F5CFD6F5022DDB2D01120112,
+ F5CFD6F6022DDB2D01120112,
+ F5CFD6F7022DDB2D01120112,
+ F5CFD6F8022DDB2D01120112,
+ F5CFD6F9022DDB2D01120112,
+ F5CFD6FA022DDB2D01120112,
+ F5CFD6FC022DDB2D01120112,
+ F5CFD6FD022DDB2D01120112,
+ F5CFD6FE022DDB2D01120112,
+ F5CFD6FF022DDB2D01120112,
+ F5CFD700022DDB2D01120112,
+ F5CFD701022DDB2D01120112,
+ F5CFD702022DDB2D01120112,
+ F5CFD703022DDB2D01120112,
+ F5CFD704022DDB2D01120112,
+ F5CFD705022DDB2D01120112,
+ F5CFD706022DDB2D01120112,
+ F5CFD707022DDB2D01120112,
+ F5CFD708022DDB2D01120112,
+ F5CFD709022DDB2D01120112,
+ F5CFD70A022DDB2D01120112,
+ F5CFD70B022DDB2D01120112,
+ F5CFD70C022DDB2D01120112,
+ F5CFD70D022DDB2D01120112,
+ F5CFD70E022DDB2D01120112,
+ F5CFD70F022DDB2D01120112,
+ F5CFD710022DDB2D01120112,
+ F5CFD711022DDB2D01120112,
+ F5CFD713022DDB6201120112,
+ F5CFD714022DDB6201120112,
+ F5CFD715022DDB6201120112,
+ F5CFD716022DDB6201120112,
+ F5CFD717022DDB6201120112,
+ F5CFD718022DDB6201120112,
+ F5CFD719022DDB6201120112,
+ F5CFD71A022DDB6201120112,
+ F5CFD71B022DDB6201120112,
+ F5CFD720022DDC6301120112,
+ F5CFD721022DDC6301120112,
+ F5CFD722022DDC6301120112,
+ F5CFD723022DDC6301120112,
+ F5CFD724022DDC6301120112,
+ F5CFD725022DDC6301120112,
+ F5CFD726022DDC6301120112,
+ F5CFD727022DDC6301120112,
+ F5CFD728022DDC6301120112,
+ F5CFD729022DDC6301120112,
+ F5CFD72A022DDC6301120112,
+ F5CFD72B022DDC6301120112,
+ F5CFD72C022DDC6301120112,
+ F5CFD72D022DDC6301120112,
+ F5CFD72E022DDC6301120112,
+ F5CFD72F022DDC6301120112,
+ F5CFD730022DDC6301120112,
+ F5CFD731022DDC6301120112,
+ F5CFD732022DDC6301120112,
+ F5CFD733022DDC6301120112,
+ F5CFD734022DDC6301120112,
+ F5CFD735022DDC6301120112,
+ F5CFD736022DDC6301120112,
+ F5CFD737022DDC6301120112,
+ F5CFD738022DDC6301120112,
+ F5CFD739022DDC6301120112,
+ F5CFD73A022DDC6301120112,
+ F5CFD73B022DDC6301120112,
+ F5CFD73C022DDC6301120112,
+ F5CFD73D022DDC6301120112,
+ F5CFD73E022DDC6301120112,
+ F5CFD73F022DDC6301120112,
+ F5CFD740022DDC6301120112,
+ F5CFD741022DDC6301120112,
+ F5CFD742022DDC6301120112,
+ F5CFD743022DDC6301120112,
+ F5CFD744022DDC6301120112,
+ F5CFD745022DDC6301120112,
+ F5CFD746022DDC6301120112,
+ F5CFD747022DDC6301120112,
+ F5CFD748022DDC6301120112,
+ F5CFD749022DDC6301120112,
+ F5CFD74A022DDC6301120112,
+ F5CFD74B022DDC6301120112,
+ F5CFD74C022DDC6301120112,
+ F5CFD74D022DDC6301120112,
+ F5CFD74E022DDC6301120112,
+ F5CFD74F022DDC6301120112,
+ F5CFD750022DDC6301120112,
+ F5CFD751022DDC6301120112,
+ F5CFD752022DDC6301120112,
+ F5CFD753022DDC6301120112,
+ F5CFD754022DDC6301120112,
+ F5CFD755022DDC6301120112,
+ F5CFD756022DDC6301120112,
+ F5CFD757022DDCA701120112,
+ F5CFD758022DDCA701120112,
+ F5CFD759022DDCA701120112,
+ F5CFD75A022DDCA701120112,
+ F5CFD75B022DDCA701120112,
+ F5CFD75C022DDCA701120112,
+ F5CFD75D022DDCA701120112,
+ F5CFD75E022DDCA701120112,
+ F5CFD75F022DDCA701120112,
+ F5CFD760022DDCA701120112,
+ F5CFD761022DDCA701120112,
+ F5CFD762022DDCA701120112,
+ F5CFD763022DDCA701120112,
+ F5CFD764022DDCA701120112,
+ F5CFD765022DDCA701120112,
+ F5CFD766022DDCA701120112,
+ F5CFD767022DDCA701120112,
+ F5CFD768022DDCA701120112,
+ F5CFD769022DDCA701120112,
+ F5CFD76A022DDCA701120112,
+ F5CFD76B022DDCA701120112,
+ F5CFD76C022DDCA701120112,
+ F5CFD76D022DDCA701120112,
+ F5CFD76E022DDCE301120112,
+ F5CFD76F022DDCE301120112,
+ F5CFD770022DDCE301120112,
+ F5CFD771022DDCE301120112,
+ F5CFD772022DDCE301120112,
+ F5CFD773022DDCE301120112,
+ F5CFD778022DDE1301120112,
+ F5CFD779022DDE1301120112,
+ F5CFD77A022DDE1301120112,
+ F5CFD77B022DDE1301120112,
+ F5CFD77C022DDE1301120112,
+ F5CFD77D022DDE1301120112,
+ F5CFD77E022DDE1301120112,
+ F5CFD77F022DDE1301120112,
+ F5CFD780022DDE1301120112,
+ F5CFD781022DDE1301120112,
+ F5CFD782022DDE1301120112,
+ F5CFD783022DDE1301120112,
+ F5CFD784022DDE1301120112,
+ F5CFD785022DDE1301120112,
+ F5CFD786022DDE1301120112,
+ F5CFD787022DDE1301120112,
+ F5CFD788022DDE1301120112,
+ F5CFD789022DDE1301120112,
+ F5CFD78A022DDE1301120112,
+ F5CFD78B022DDE1301120112,
+ F5CFD78C022DDE1301120112,
+ F5CFD78D022DDE1301120112,
+ F5CFD78E022DDE1301120112,
+ F5CFD78F022DDE1301120112,
+ F5CFD790022DDE1301120112,
+ F5CFD791022DDE1301120112,
+ F5CFD792022DDE1301120112,
+ F5CFD793022DDE1301120112,
+ F5CFD794022DDE1301120112,
+ F5CFD795022DDE1301120112,
+ F5CFD796022DDE1301120112,
+ F5CFD797022DDE1301120112,
+ F5CFD798022DDE1301120112,
+ F5CFD799022DDE1301120112,
+ F5CFD79A022DDE1301120112,
+ F5CFD79B022DDE1301120112,
+ F5CFD79C022DDE1301120112,
+ F5CFD79D022DDE1301120112,
+ F5CFD79E022DDE1301120112,
+ F5CFD79F022DDE1301120112,
+ F5CFD7A0022DDE1301120112,
+ F5CFD7A1022DDE1301120112,
+ F5CFD7A2022DDE1301120112,
+ F5CFD7A3022DDE1301120112,
+ F5CFD7A4022DDE1301120112,
+ F5CFD7A5022DDE1301120112,
+ F5CFD7A6022DDE1301120112,
+ F5CFD7A7022DDE1301120112,
+ F5C44DB002316F5B01120112,
+ F5C44DB102316F5B01120112,
+ F5C2DF2C0240F9F601650119,
+ F5C2DF2E0240F9F601650119,
+ F5C2DF340240F9F601650119,
+ F5C2DF380240F9F601650119,
+ F5C2DF3A0240F9F601650119,
+ F58182FE02536D4501120112,
+ F58182FF02536D4501120112,
+ F581830002536D4601120112,
+ F581830102536D4601120112,
+ F581830202536D4701120112,
+ F581830302536D4801120112,
+ F581830402536D4901120112,
+ F581830802536E1A01120112,
+ F58183510253A2F201120112,
+ F57B73380259188901120155,
+ F5F49B5F025A5AB901890E3A,
+ );
+ isa = PBXSourcesBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD63C022DD45401120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXFrameworksBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD63D022DD45401120112 = {
+ buildActionMask = 2147483647;
+ files = (
+ );
+ isa = PBXRezBuildPhase;
+ runOnlyForDeploymentPostprocessing = 0;
+ };
+ F5CFD647022DD6E701120112 = {
+ fileRef = F5CFD617022D911001120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD648022DD6E701120112 = {
+ fileRef = F5CFD62C022D96AB01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD650022DD73201120112 = {
+ fileRef = F5CFD433022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD651022DD73201120112 = {
+ fileRef = F5CFD43D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD652022DD73201120112 = {
+ fileRef = F5CFD465022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD653022DD73201120112 = {
+ fileRef = F5CFD42E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD654022DD73201120112 = {
+ fileRef = F5CFD430022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD655022DD73201120112 = {
+ fileRef = F5CFD431022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD656022DD73201120112 = {
+ fileRef = F5CFD432022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD657022DD73201120112 = {
+ fileRef = F5CFD434022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD658022DD73201120112 = {
+ fileRef = F5CFD43C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD659022DD73201120112 = {
+ fileRef = F5CFD43E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65A022DD73201120112 = {
+ fileRef = F5CFD460022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65B022DD73201120112 = {
+ fileRef = F5CFD461022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65C022DD73201120112 = {
+ fileRef = F5CFD462022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65D022DD73201120112 = {
+ fileRef = F5CFD463022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65E022DD73201120112 = {
+ fileRef = F5CFD464022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD65F022DD73201120112 = {
+ fileRef = F5CFD46D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD660022DD73201120112 = {
+ fileRef = F5CFD46E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD661022DD73201120112 = {
+ fileRef = F5CFD477022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD662022DD73201120112 = {
+ fileRef = F5CFD478022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD663022DD73201120112 = {
+ fileRef = F5CFD483022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD664022DD76E01120112 = {
+ fileRef = F5CFD46F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD665022DD76E01120112 = {
+ fileRef = F5CFD48B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD666022DD76E01120112 = {
+ fileRef = F5CFD48D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD667022DD76E01120112 = {
+ fileRef = F5CFD49C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD668022DD76E01120112 = {
+ fileRef = F5CFD49D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD669022DD76E01120112 = {
+ fileRef = F5CFD49E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD66B022DD76E01120112 = {
+ fileRef = F5CFD4A0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD66C022DD76E01120112 = {
+ fileRef = F5CFD4A1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD66D022DD76E01120112 = {
+ fileRef = F5CFD4A2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD66E022DD8A301120112 = {
+ fileRef = F5CFD437022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD66F022DD8A301120112 = {
+ fileRef = F5CFD43A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD670022DD9A501120112 = {
+ fileRef = F5CFD444022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD671022DD9A501120112 = {
+ fileRef = F5CFD44D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD672022DD9A501120112 = {
+ fileRef = F5CFD457022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD673022DD9A501120112 = {
+ fileRef = F5CFD45F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD674022DD9A501120112 = {
+ fileRef = F5CFD46B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD675022DD9A501120112 = {
+ fileRef = F5CFD475022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD676022DD9A501120112 = {
+ fileRef = F5CFD47C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD677022DD9A501120112 = {
+ fileRef = F5CFD480022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD678022DD9A501120112 = {
+ fileRef = F5CFD488022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD679022DD9A501120112 = {
+ fileRef = F5CFD491022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67A022DD9A501120112 = {
+ fileRef = F5CFD499022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67B022DD9A501120112 = {
+ fileRef = F5CFD440022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67C022DD9A501120112 = {
+ fileRef = F5CFD442022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67D022DD9A501120112 = {
+ fileRef = F5CFD443022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67E022DD9A501120112 = {
+ fileRef = F5CFD448022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD67F022DD9A501120112 = {
+ fileRef = F5CFD449022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD680022DD9A501120112 = {
+ fileRef = F5CFD44A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD683022DD9A501120112 = {
+ fileRef = F5CFD450022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD684022DD9A501120112 = {
+ fileRef = F5CFD44E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD685022DD9A501120112 = {
+ fileRef = F5CFD452022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD686022DD9A501120112 = {
+ fileRef = F5CFD455022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD687022DD9A501120112 = {
+ fileRef = F5CFD456022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD688022DD9A501120112 = {
+ fileRef = F5CFD458022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD689022DD9A501120112 = {
+ fileRef = F5CFD459022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68A022DD9A501120112 = {
+ fileRef = F5CFD45A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68B022DD9A501120112 = {
+ fileRef = F5CFD45E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68C022DD9A501120112 = {
+ fileRef = F5CFD45D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68D022DD9A501120112 = {
+ fileRef = F5CFD468022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68E022DD9A501120112 = {
+ fileRef = F5CFD469022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD68F022DD9A501120112 = {
+ fileRef = F5CFD46A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD690022DD9A501120112 = {
+ fileRef = F5CFD46C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD691022DD9A501120112 = {
+ fileRef = F5CFD473022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD692022DD9A501120112 = {
+ fileRef = F5CFD472022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD693022DD9A501120112 = {
+ fileRef = F5CFD474022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD694022DD9A501120112 = {
+ fileRef = F5CFD47B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD695022DD9A501120112 = {
+ fileRef = F5CFD47F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD696022DD9A501120112 = {
+ fileRef = F5CFD486022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD697022DD9A501120112 = {
+ fileRef = F5CFD489022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD698022DD9A501120112 = {
+ fileRef = F5CFD48A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD699022DD9A501120112 = {
+ fileRef = F5CFD492022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69A022DD9A501120112 = {
+ fileRef = F5CFD493022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69B022DD9A501120112 = {
+ fileRef = F5CFD498022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69C022DDA0101120112 = {
+ fileRef = F5CFD546022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69D022DDA0101120112 = {
+ fileRef = F5CFD3D4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69E022DDA0101120112 = {
+ fileRef = F5CFD3D0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD69F022DDA0101120112 = {
+ fileRef = F5CFD3CF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A0022DDA0101120112 = {
+ fileRef = F5CFD3CD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A1022DDA0101120112 = {
+ fileRef = F5CFD3CB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A2022DDA0101120112 = {
+ fileRef = F5CFD3C9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A3022DDA0101120112 = {
+ fileRef = F5CFD3C7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A4022DDA0101120112 = {
+ fileRef = F5CFD3C5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A5022DDA0101120112 = {
+ fileRef = F5CFD3C3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A6022DDA0101120112 = {
+ fileRef = F5CFD3C1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A7022DDA0101120112 = {
+ fileRef = F5CFD545022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A8022DDA0101120112 = {
+ fileRef = F5CFD3D3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6A9022DDA0101120112 = {
+ fileRef = F5CFD3D2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AA022DDA0101120112 = {
+ fileRef = F5CFD3CE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AB022DDA0101120112 = {
+ fileRef = F5CFD3CC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AC022DDA0101120112 = {
+ fileRef = F5CFD3CA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AD022DDA0101120112 = {
+ fileRef = F5CFD3C8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AE022DDA0101120112 = {
+ fileRef = F5CFD3C6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6AF022DDA0101120112 = {
+ fileRef = F5CFD3C4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B0022DDA0101120112 = {
+ fileRef = F5CFD3C2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B1022DDA0101120112 = {
+ fileRef = F5CFD3C0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B2022DDB2D01120112 = {
+ fileRef = F5CFD3DA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B3022DDB2D01120112 = {
+ fileRef = F5CFD3DC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B4022DDB2D01120112 = {
+ fileRef = F5CFD3E6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B5022DDB2D01120112 = {
+ fileRef = F5CFD3E7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B6022DDB2D01120112 = {
+ fileRef = F5CFD3FF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B7022DDB2D01120112 = {
+ fileRef = F5CFD400022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B8022DDB2D01120112 = {
+ fileRef = F5CFD413022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6B9022DDB2D01120112 = {
+ fileRef = F5CFD414022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BA022DDB2D01120112 = {
+ fileRef = F5CFD4C8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BB022DDB2D01120112 = {
+ fileRef = F5CFD3D6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BC022DDB2D01120112 = {
+ fileRef = F5CFD3DF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BD022DDB2D01120112 = {
+ fileRef = F5CFD3E0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BE022DDB2D01120112 = {
+ fileRef = F5CFD3E1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6BF022DDB2D01120112 = {
+ fileRef = F5CFD3E2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C0022DDB2D01120112 = {
+ fileRef = F5CFD3E3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C1022DDB2D01120112 = {
+ fileRef = F5CFD410022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C2022DDB2D01120112 = {
+ fileRef = F5CFD3D9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C3022DDB2D01120112 = {
+ fileRef = F5CFD3DB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C4022DDB2D01120112 = {
+ fileRef = F5CFD3E8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C5022DDB2D01120112 = {
+ fileRef = F5CFD3E9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C6022DDB2D01120112 = {
+ fileRef = F5CFD3EA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C7022DDB2D01120112 = {
+ fileRef = F5CFD3EB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C8022DDB2D01120112 = {
+ fileRef = F5CFD3EC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6C9022DDB2D01120112 = {
+ fileRef = F5CFD3ED022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CA022DDB2D01120112 = {
+ fileRef = F5CFD3EE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CB022DDB2D01120112 = {
+ fileRef = F5CFD3EF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CC022DDB2D01120112 = {
+ fileRef = F5CFD3F0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CD022DDB2D01120112 = {
+ fileRef = F5CFD3F1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CE022DDB2D01120112 = {
+ fileRef = F5CFD3F2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6CF022DDB2D01120112 = {
+ fileRef = F5CFD3F3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D0022DDB2D01120112 = {
+ fileRef = F5CFD3F4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D1022DDB2D01120112 = {
+ fileRef = F5CFD3F5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D2022DDB2D01120112 = {
+ fileRef = F5CFD3F6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D3022DDB2D01120112 = {
+ fileRef = F5CFD3F7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D4022DDB2D01120112 = {
+ fileRef = F5CFD3F8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D5022DDB2D01120112 = {
+ fileRef = F5CFD3F9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D6022DDB2D01120112 = {
+ fileRef = F5CFD3FA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D8022DDB2D01120112 = {
+ fileRef = F5CFD3FC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6D9022DDB2D01120112 = {
+ fileRef = F5CFD401022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DA022DDB2D01120112 = {
+ fileRef = F5CFD402022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DB022DDB2D01120112 = {
+ fileRef = F5CFD403022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DC022DDB2D01120112 = {
+ fileRef = F5CFD404022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DD022DDB2D01120112 = {
+ fileRef = F5CFD405022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DE022DDB2D01120112 = {
+ fileRef = F5CFD406022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6DF022DDB2D01120112 = {
+ fileRef = F5CFD407022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E0022DDB2D01120112 = {
+ fileRef = F5CFD408022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E1022DDB2D01120112 = {
+ fileRef = F5CFD409022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E2022DDB2D01120112 = {
+ fileRef = F5CFD40A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E3022DDB2D01120112 = {
+ fileRef = F5CFD40B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E4022DDB2D01120112 = {
+ fileRef = F5CFD40C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E5022DDB2D01120112 = {
+ fileRef = F5CFD40D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E6022DDB2D01120112 = {
+ fileRef = F5CFD40E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E8022DDB2D01120112 = {
+ fileRef = F5CFD415022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6E9022DDB2D01120112 = {
+ fileRef = F5CFD416022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6EA022DDB2D01120112 = {
+ fileRef = F5CFD417022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6EB022DDB2D01120112 = {
+ fileRef = F5CFD418022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6EC022DDB2D01120112 = {
+ fileRef = F5CFD419022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6ED022DDB2D01120112 = {
+ fileRef = F5CFD41A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6EE022DDB2D01120112 = {
+ fileRef = F5CFD41B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6EF022DDB2D01120112 = {
+ fileRef = F5CFD41C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F0022DDB2D01120112 = {
+ fileRef = F5CFD41D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F1022DDB2D01120112 = {
+ fileRef = F5CFD41E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F2022DDB2D01120112 = {
+ fileRef = F5CFD41F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F3022DDB2D01120112 = {
+ fileRef = F5CFD420022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F4022DDB2D01120112 = {
+ fileRef = F5CFD421022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F5022DDB2D01120112 = {
+ fileRef = F5CFD423022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F6022DDB2D01120112 = {
+ fileRef = F5CFD422022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F7022DDB2D01120112 = {
+ fileRef = F5CFD424022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F8022DDB2D01120112 = {
+ fileRef = F5CFD425022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6F9022DDB2D01120112 = {
+ fileRef = F5CFD426022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6FA022DDB2D01120112 = {
+ fileRef = F5CFD427022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6FC022DDB2D01120112 = {
+ fileRef = F5CFD429022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6FD022DDB2D01120112 = {
+ fileRef = F5CFD4CB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6FE022DDB2D01120112 = {
+ fileRef = F5CFD4CC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD6FF022DDB2D01120112 = {
+ fileRef = F5CFD4CD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD700022DDB2D01120112 = {
+ fileRef = F5CFD4CE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD701022DDB2D01120112 = {
+ fileRef = F5CFD4CF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD702022DDB2D01120112 = {
+ fileRef = F5CFD4D1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD703022DDB2D01120112 = {
+ fileRef = F5CFD4BB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD704022DDB2D01120112 = {
+ fileRef = F5CFD4BA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD705022DDB2D01120112 = {
+ fileRef = F5CFD4BC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD706022DDB2D01120112 = {
+ fileRef = F5CFD4BD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD707022DDB2D01120112 = {
+ fileRef = F5CFD4BE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD708022DDB2D01120112 = {
+ fileRef = F5CFD4BF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD709022DDB2D01120112 = {
+ fileRef = F5CFD4C0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70A022DDB2D01120112 = {
+ fileRef = F5CFD4C1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70B022DDB2D01120112 = {
+ fileRef = F5CFD4C2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70C022DDB2D01120112 = {
+ fileRef = F5CFD4C3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70D022DDB2D01120112 = {
+ fileRef = F5CFD4C4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70E022DDB2D01120112 = {
+ fileRef = F5CFD4C5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD70F022DDB2D01120112 = {
+ fileRef = F5CFD4C6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD710022DDB2D01120112 = {
+ fileRef = F5CFD4C7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD711022DDB2D01120112 = {
+ fileRef = F5CFD4CA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD712022DDB6201120112 = {
+ fileRef = F5CFD4DE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD713022DDB6201120112 = {
+ fileRef = F5CFD4D5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD714022DDB6201120112 = {
+ fileRef = F5CFD4D6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD715022DDB6201120112 = {
+ fileRef = F5CFD4D7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD716022DDB6201120112 = {
+ fileRef = F5CFD4D8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD717022DDB6201120112 = {
+ fileRef = F5CFD4D9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD718022DDB6201120112 = {
+ fileRef = F5CFD4DA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD719022DDB6201120112 = {
+ fileRef = F5CFD4DB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD71A022DDB6201120112 = {
+ fileRef = F5CFD4DD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD71B022DDB6201120112 = {
+ fileRef = F5CFD4DC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD71D022DDC6301120112 = {
+ fileRef = F5CFD4E7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD71E022DDC6301120112 = {
+ fileRef = F5CFD4EE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD71F022DDC6301120112 = {
+ fileRef = F5CFD50F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD720022DDC6301120112 = {
+ fileRef = F5CFD4E2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD721022DDC6301120112 = {
+ fileRef = F5CFD4E3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD722022DDC6301120112 = {
+ fileRef = F5CFD4E4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD723022DDC6301120112 = {
+ fileRef = F5CFD4E5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD724022DDC6301120112 = {
+ fileRef = F5CFD4E6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD725022DDC6301120112 = {
+ fileRef = F5CFD4E8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD726022DDC6301120112 = {
+ fileRef = F5CFD4E9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD727022DDC6301120112 = {
+ fileRef = F5CFD4EC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD728022DDC6301120112 = {
+ fileRef = F5CFD4ED022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD729022DDC6301120112 = {
+ fileRef = F5CFD4EF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72A022DDC6301120112 = {
+ fileRef = F5CFD4F0022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72B022DDC6301120112 = {
+ fileRef = F5CFD4F1022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72C022DDC6301120112 = {
+ fileRef = F5CFD4F2022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72D022DDC6301120112 = {
+ fileRef = F5CFD4F3022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72E022DDC6301120112 = {
+ fileRef = F5CFD4F4022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD72F022DDC6301120112 = {
+ fileRef = F5CFD4F5022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD730022DDC6301120112 = {
+ fileRef = F5CFD4F6022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD731022DDC6301120112 = {
+ fileRef = F5CFD4F7022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD732022DDC6301120112 = {
+ fileRef = F5CFD4F8022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD733022DDC6301120112 = {
+ fileRef = F5CFD4F9022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD734022DDC6301120112 = {
+ fileRef = F5CFD4FA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD735022DDC6301120112 = {
+ fileRef = F5CFD4FB022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD736022DDC6301120112 = {
+ fileRef = F5CFD4FC022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD737022DDC6301120112 = {
+ fileRef = F5CFD4FD022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD738022DDC6301120112 = {
+ fileRef = F5CFD4FE022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD739022DDC6301120112 = {
+ fileRef = F5CFD4FF022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73A022DDC6301120112 = {
+ fileRef = F5CFD500022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73B022DDC6301120112 = {
+ fileRef = F5CFD501022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73C022DDC6301120112 = {
+ fileRef = F5CFD502022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73D022DDC6301120112 = {
+ fileRef = F5CFD503022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73E022DDC6301120112 = {
+ fileRef = F5CFD504022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD73F022DDC6301120112 = {
+ fileRef = F5CFD505022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD740022DDC6301120112 = {
+ fileRef = F5CFD506022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD741022DDC6301120112 = {
+ fileRef = F5CFD507022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD742022DDC6301120112 = {
+ fileRef = F5CFD508022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD743022DDC6301120112 = {
+ fileRef = F5CFD509022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD744022DDC6301120112 = {
+ fileRef = F5CFD50A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD745022DDC6301120112 = {
+ fileRef = F5CFD50E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD746022DDC6301120112 = {
+ fileRef = F5CFD50B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD747022DDC6301120112 = {
+ fileRef = F5CFD50C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD748022DDC6301120112 = {
+ fileRef = F5CFD50D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD749022DDC6301120112 = {
+ fileRef = F5CFD510022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74A022DDC6301120112 = {
+ fileRef = F5CFD511022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74B022DDC6301120112 = {
+ fileRef = F5CFD513022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74C022DDC6301120112 = {
+ fileRef = F5CFD514022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74D022DDC6301120112 = {
+ fileRef = F5CFD515022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74E022DDC6301120112 = {
+ fileRef = F5CFD516022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD74F022DDC6301120112 = {
+ fileRef = F5CFD517022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD750022DDC6301120112 = {
+ fileRef = F5CFD518022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD751022DDC6301120112 = {
+ fileRef = F5CFD519022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD752022DDC6301120112 = {
+ fileRef = F5CFD51A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD753022DDC6301120112 = {
+ fileRef = F5CFD51B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD754022DDC6301120112 = {
+ fileRef = F5CFD51C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD755022DDC6301120112 = {
+ fileRef = F5CFD51D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD756022DDC6301120112 = {
+ fileRef = F5CFD51E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD757022DDCA701120112 = {
+ fileRef = F5CFD51F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD758022DDCA701120112 = {
+ fileRef = F5CFD520022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD759022DDCA701120112 = {
+ fileRef = F5CFD521022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75A022DDCA701120112 = {
+ fileRef = F5CFD522022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75B022DDCA701120112 = {
+ fileRef = F5CFD523022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75C022DDCA701120112 = {
+ fileRef = F5CFD524022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75D022DDCA701120112 = {
+ fileRef = F5CFD525022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75E022DDCA701120112 = {
+ fileRef = F5CFD526022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD75F022DDCA701120112 = {
+ fileRef = F5CFD528022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD760022DDCA701120112 = {
+ fileRef = F5CFD527022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD761022DDCA701120112 = {
+ fileRef = F5CFD529022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD762022DDCA701120112 = {
+ fileRef = F5CFD52A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD763022DDCA701120112 = {
+ fileRef = F5CFD52B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD764022DDCA701120112 = {
+ fileRef = F5CFD52C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD765022DDCA701120112 = {
+ fileRef = F5CFD52D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD766022DDCA701120112 = {
+ fileRef = F5CFD52E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD767022DDCA701120112 = {
+ fileRef = F5CFD52F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD768022DDCA701120112 = {
+ fileRef = F5CFD532022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD769022DDCA701120112 = {
+ fileRef = F5CFD530022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76A022DDCA701120112 = {
+ fileRef = F5CFD531022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76B022DDCA701120112 = {
+ fileRef = F5CFD533022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76C022DDCA701120112 = {
+ fileRef = F5CFD534022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76D022DDCA701120112 = {
+ fileRef = F5CFD535022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76E022DDCE301120112 = {
+ fileRef = F5CFD53E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD76F022DDCE301120112 = {
+ fileRef = F5CFD53F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD770022DDCE301120112 = {
+ fileRef = F5CFD540022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD771022DDCE301120112 = {
+ fileRef = F5CFD541022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD772022DDCE301120112 = {
+ fileRef = F5CFD542022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD773022DDCE301120112 = {
+ fileRef = F5CFD543022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD774022DDE1301120112 = {
+ fileRef = F5CFD58E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD775022DDE1301120112 = {
+ fileRef = F5CFD591022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD776022DDE1301120112 = {
+ fileRef = F5CFD593022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD777022DDE1301120112 = {
+ fileRef = F5CFD564022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD778022DDE1301120112 = {
+ fileRef = F5CFD58D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD779022DDE1301120112 = {
+ fileRef = F5CFD58F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77A022DDE1301120112 = {
+ fileRef = F5CFD590022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77B022DDE1301120112 = {
+ fileRef = F5CFD592022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77C022DDE1301120112 = {
+ fileRef = F5CFD594022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77D022DDE1301120112 = {
+ fileRef = F5CFD597022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77E022DDE1301120112 = {
+ fileRef = F5CFD549022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD77F022DDE1301120112 = {
+ fileRef = F5CFD54A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD780022DDE1301120112 = {
+ fileRef = F5CFD54B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD781022DDE1301120112 = {
+ fileRef = F5CFD54D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD782022DDE1301120112 = {
+ fileRef = F5CFD54E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD783022DDE1301120112 = {
+ fileRef = F5CFD54F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD784022DDE1301120112 = {
+ fileRef = F5CFD550022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD785022DDE1301120112 = {
+ fileRef = F5CFD551022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD786022DDE1301120112 = {
+ fileRef = F5CFD552022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD787022DDE1301120112 = {
+ fileRef = F5CFD553022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD788022DDE1301120112 = {
+ fileRef = F5CFD554022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD789022DDE1301120112 = {
+ fileRef = F5CFD555022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78A022DDE1301120112 = {
+ fileRef = F5CFD556022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78B022DDE1301120112 = {
+ fileRef = F5CFD557022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78C022DDE1301120112 = {
+ fileRef = F5CFD558022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78D022DDE1301120112 = {
+ fileRef = F5CFD559022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78E022DDE1301120112 = {
+ fileRef = F5CFD55A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD78F022DDE1301120112 = {
+ fileRef = F5CFD55B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD790022DDE1301120112 = {
+ fileRef = F5CFD55C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD791022DDE1301120112 = {
+ fileRef = F5CFD55D022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD792022DDE1301120112 = {
+ fileRef = F5CFD55E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD793022DDE1301120112 = {
+ fileRef = F5CFD55F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD794022DDE1301120112 = {
+ fileRef = F5CFD561022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD795022DDE1301120112 = {
+ fileRef = F5CFD562022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD796022DDE1301120112 = {
+ fileRef = F5CFD563022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD797022DDE1301120112 = {
+ fileRef = F5CFD565022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD798022DDE1301120112 = {
+ fileRef = F5CFD566022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD799022DDE1301120112 = {
+ fileRef = F5CFD567022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79A022DDE1301120112 = {
+ fileRef = F5CFD568022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79B022DDE1301120112 = {
+ fileRef = F5CFD569022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79C022DDE1301120112 = {
+ fileRef = F5CFD56A022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79D022DDE1301120112 = {
+ fileRef = F5CFD56B022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79E022DDE1301120112 = {
+ fileRef = F5CFD56C022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD79F022DDE1301120112 = {
+ fileRef = F5CFD56E022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A0022DDE1301120112 = {
+ fileRef = F5CFD56F022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A1022DDE1301120112 = {
+ fileRef = F5CFD578022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A2022DDE1301120112 = {
+ fileRef = F5CFD577022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A3022DDE1301120112 = {
+ fileRef = F5CFD576022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A4022DDE1301120112 = {
+ fileRef = F5CFD575022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A5022DDE1301120112 = {
+ fileRef = F5CFD574022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A6022DDE1301120112 = {
+ fileRef = F5CFD580022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7A7022DDE1301120112 = {
+ fileRef = F5CFD4AA022D86AD01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7C0022DE7DC01120112 = {
+ children = (
+ F5CFD7C1022DE7DC01120112,
+ F5CFD7C2022DE7DC01120112,
+ F5CFD7C3022DE7DC01120112,
+ F5CFD7C4022DE7DC01120112,
+ F5CFD7C5022DE7DC01120112,
+ F5CFD7C6022DE7DC01120112,
+ F5CFD7C7022DE7DC01120112,
+ F5CFD7C8022DE7DC01120112,
+ F5CFD7C9022DE7DC01120112,
+ F5CFD7CA022DE7DC01120112,
+ );
+ isa = PBXGroup;
+ path = krb5;
+ refType = 4;
+ };
+ F5CFD7C1022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = adm.h;
+ refType = 4;
+ };
+ F5CFD7C2022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = adm_defs.h;
+ refType = 4;
+ };
+ F5CFD7C3022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = adm_proto.h;
+ refType = 4;
+ };
+ F5CFD7C4022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = copyright.h;
+ refType = 4;
+ };
+ F5CFD7C5022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = "k5-config.h";
+ refType = 4;
+ };
+ F5CFD7C6022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = kdb.h;
+ refType = 4;
+ };
+ F5CFD7C7022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = kdb_dbc.h;
+ refType = 4;
+ };
+ F5CFD7C8022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = kdb_dbm.h;
+ refType = 4;
+ };
+ F5CFD7C9022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = kdb_kt.h;
+ refType = 4;
+ };
+ F5CFD7CA022DE7DC01120112 = {
+ children = (
+ F5CFD7CB022DE7DC01120112,
+ );
+ isa = PBXGroup;
+ path = stock;
+ refType = 4;
+ };
+ F5CFD7CB022DE7DC01120112 = {
+ isa = PBXFileReference;
+ path = osconf.h;
+ refType = 4;
+ };
+ F5CFD7CC022DE7DC01120112 = {
+ fileRef = F5CFD7C1022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7CD022DE7DC01120112 = {
+ fileRef = F5CFD7C2022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7CE022DE7DC01120112 = {
+ fileRef = F5CFD7C3022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7CF022DE7DC01120112 = {
+ fileRef = F5CFD7C4022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D0022DE7DC01120112 = {
+ fileRef = F5CFD7C5022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D1022DE7DC01120112 = {
+ fileRef = F5CFD7C6022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D2022DE7DC01120112 = {
+ fileRef = F5CFD7C7022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D3022DE7DC01120112 = {
+ fileRef = F5CFD7C8022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D4022DE7DC01120112 = {
+ fileRef = F5CFD7C9022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D6022DE7DC01120112 = {
+ fileRef = F5CFD7C6022DE7DC01120112;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ F5CFD7D8022DE82501120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD5E6022D8A9901120112;
+ };
+ F5CFD7D9022DE82501120112 = {
+ isa = PBXTargetDependency;
+ target = F5CFD629022D922C01120112;
+ };
+ F5F49B5E025A5AB901890E3A = {
+ isa = PBXFileReference;
+ path = init_keyblock.c;
+ refType = 4;
+ };
+ F5F49B5F025A5AB901890E3A = {
+ fileRef = F5F49B5E025A5AB901890E3A;
+ isa = PBXBuildFile;
+ settings = {
+ };
+ };
+ };
+ rootObject = F5CFD36E022D854401120112;
+}
diff --git a/src/mac/MacOSX/Projects/Kerberos524.pbexp b/src/mac/MacOSX/Projects/Kerberos524.pbexp
new file mode 100644
index 0000000..00c39e6
--- /dev/null
+++ b/src/mac/MacOSX/Projects/Kerberos524.pbexp
@@ -0,0 +1 @@
+_krb524_convert_creds_kdc
diff --git a/src/mac/MacOSX/Scripts/Kerberos5Errors.jam b/src/mac/MacOSX/Scripts/Kerberos5Errors.jam
new file mode 100644
index 0000000..f12cfb9
--- /dev/null
+++ b/src/mac/MacOSX/Scripts/Kerberos5Errors.jam
@@ -0,0 +1,86 @@
+include "$(SRCROOT)/../../KerberosErrors/Scripts/compile_et.jam" ;
+
+IntermediateErrorTables = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates/ErrorTables" ;
+
+compile_et "$(IntermediateErrorTables)/prof_err.h"
+ "$(IntermediateErrorTables)/prof_err.c"
+ "$(IntermediateErrorTables)/prof_err.strings" :
+ "$(SRCROOT)/../Sources/KerberosProfile/prof_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/krb524_err.h"
+ "$(IntermediateErrorTables)/krb524_err.c"
+ "$(IntermediateErrorTables)/krb524_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos524/krb524_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/adm_err.h"
+ "$(IntermediateErrorTables)/adm_err.c"
+ "$(IntermediateErrorTables)/adm_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos5/error_tables/adm_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/asn1_err.h"
+ "$(IntermediateErrorTables)/asn1_err.c"
+ "$(IntermediateErrorTables)/asn1_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos5/error_tables/asn1_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/kdb5_err.h"
+ "$(IntermediateErrorTables)/kdb5_err.c"
+ "$(IntermediateErrorTables)/kdb5_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos5/error_tables/kdb5_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/krb5_err.h"
+ "$(IntermediateErrorTables)/krb5_err.c"
+ "$(IntermediateErrorTables)/krb5_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos5/error_tables/krb5_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/kv5m_err.h"
+ "$(IntermediateErrorTables)/kv5m_err.c"
+ "$(IntermediateErrorTables)/kv5m_err.strings" :
+ "$(SRCROOT)/../Sources/Kerberos5/error_tables/kv5m_err.et" ;
+
+compile_et "$(IntermediateErrorTables)/gssapi_err_generic.h"
+ "$(IntermediateErrorTables)/gssapi_err_generic.c"
+ "$(IntermediateErrorTables)/gssapi_err_generic.strings" :
+ "$(SRCROOT)/../Sources/GSS/generic/gssapi_err_generic.et" ;
+
+compile_et "$(IntermediateErrorTables)/gssapi_err_krb5.h"
+ "$(IntermediateErrorTables)/gssapi_err_krb5.c"
+ "$(IntermediateErrorTables)/gssapi_err_krb5.strings" :
+ "$(SRCROOT)/../Sources/GSS/krb5/gssapi_err_krb5.et" ;
+
+DEPENDS all : "$(IntermediateErrorTables)/prof_err.h"
+ "$(IntermediateErrorTables)/prof_err.c"
+ "$(IntermediateErrorTables)/prof_err.strings"
+
+ "$(IntermediateErrorTables)/krb524_err.h"
+ "$(IntermediateErrorTables)/krb524_err.c"
+ "$(IntermediateErrorTables)/krb524_err.strings"
+
+ "$(IntermediateErrorTables)/adm_err.h"
+ "$(IntermediateErrorTables)/adm_err.c"
+ "$(IntermediateErrorTables)/adm_err.strings"
+
+ "$(IntermediateErrorTables)/asn1_err.h"
+ "$(IntermediateErrorTables)/asn1_err.c"
+ "$(IntermediateErrorTables)/asn1_err.strings"
+
+ "$(IntermediateErrorTables)/kdb5_err.h"
+ "$(IntermediateErrorTables)/kdb5_err.c"
+ "$(IntermediateErrorTables)/kdb5_err.strings"
+
+ "$(IntermediateErrorTables)/krb5_err.h"
+ "$(IntermediateErrorTables)/krb5_err.c"
+ "$(IntermediateErrorTables)/krb5_err.strings"
+
+ "$(IntermediateErrorTables)/kv5m_err.h"
+ "$(IntermediateErrorTables)/kv5m_err.c"
+ "$(IntermediateErrorTables)/kv5m_err.strings"
+
+ "$(IntermediateErrorTables)/gssapi_err_generic.h"
+ "$(IntermediateErrorTables)/gssapi_err_generic.c"
+ "$(IntermediateErrorTables)/gssapi_err_generic.strings"
+
+ "$(IntermediateErrorTables)/gssapi_err_krb5.h"
+ "$(IntermediateErrorTables)/gssapi_err_krb5.c"
+ "$(IntermediateErrorTables)/gssapi_err_krb5.strings" ;
+DEPENDS install : all ;
+DEPENDS installhdrs : all ;
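Review bot: The nine error tables are each spelled out twice in this file, once as a `compile_et` target triple and once in the `DEPENDS all` list, so adding or renaming a table needs two matching edits. If an output is missing from `DEPENDS all`, nothing in this file would request it, although other rules may still pull it in. Consider collecting the outputs in one variable as they are declared and using that variable in `DEPENDS all`. At minimum add a header comment saying that both lists must stay in sync, and that `IntermediateErrorTables` must match the definition in Kerberos5Headers.jam.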
diff --git a/src/mac/MacOSX/Scripts/Kerberos5Headers.jam b/src/mac/MacOSX/Scripts/Kerberos5Headers.jam
new file mode 100644
index 0000000..3432c39
--- /dev/null
+++ b/src/mac/MacOSX/Scripts/Kerberos5Headers.jam
@@ -0,0 +1,113 @@
+Kerberos5Prefix = "$(SRCROOT)/../Headers/MacOSX/Kerberos5Prefix.h" ;
+ErrorTableRegexp = "/^\\s*#define\\s+\\w+\(\\s+\\(-?\\d+L\\)\)|\(initialize_\\w+_error_table\\(\\)\)\\s*$/" ;
+ExtractErrorCodes = "perl -e 'while (<STDIN>) { if ($(ErrorTableRegexp)) { print; } }'" ;
+
+# CatHeader <header> : <macro name> <header.hin> <error tables>
+rule CatHeader
+{
+ NOTFILE "$(>[1])" ;
+ DEPENDS "$(1)" : "$(>[2-])" ;
+ Clean clean "$(1)" ;
+}
+actions CatHeader
+{
+ mkdir -p "$(<:D)"
+ echo "/*" > "$(1)"
+ echo " * This file is auto generated." >> "$(1)"
+ echo " * Please do not edit it." >> "$(1)"
+ echo " */" >> "$(1)"
+ echo "" >> "$(1)"
+ echo "#ifndef $(>[1])" >> "$(1)"
+ echo "" >> "$(1)"
+ echo "/* Environment dependent macros */" >> "$(1)"
+ grep SIZEOF "$(Kerberos5Prefix)" >> "$(1)"
+ grep HAVE_STDARG_H "$(Kerberos5Prefix)" >> "$(1)"
+ grep HAVE_SYS_TYPES_H "$(Kerberos5Prefix)" >> "$(1)"
+ echo "" >> "$(1)"
+ for header in "$(>[3-])" ; do
+ base=`basename "${header}"`
+ echo "" >> "$(1)"
+ echo "/* Error tables from ${base} */" >> "$(1)"
+ cat "${header}" | $(ExtractErrorCodes) >> "$(1)"
+ done
+ cat "$(>[2])" >> "$(1)"
+ echo "#endif /* $(>[1]) */" >> "$(1)"
+}
+
+rule OSConf
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ Clean clean "$(1)" ;
+}
+actions OSConf
+{
+ mkdir -p "$(<:D)"
+ echo "/*" > "$(1)"
+ echo " * This file is auto generated." >> "$(1)"
+ echo " * Please do not edit it." >> "$(1)"
+ echo " */" >> "$(1)"
+ echo "" >> "$(1)"
+ cat "$(2)" | $(SED) \
+ -e 's+@KRB5RCTMPDIR+/var/tmp+' \
+ -e 's+@PREFIX+/usr+' \
+ -e 's+@EXEC_PREFIX+/usr+' \
+ -e 's+@LOCALSTATEDIR+/var+' \
+ -e 's+@SYSCONFDIR+/usr/etc+' >> "$(1)"
+}
+rule CopyHeader
+{
+ DEPENDS "$(1)" : "$(2)" ;
+ Clean clean "$(1)" ;
+
+}
+actions CopyHeader
+{
+ mkdir -p "$(<:D)"
+ cp -fRP "$(2)" "$(1)"
+}
+
+
+Intermediates = "$(BUILT_PRODUCTS_DIR)/Kerberos5.intermediates" ;
+IntermediateErrorTables = "$(Intermediates)/ErrorTables" ;
+IntermediateHeaders = "$(Intermediates)/Kerberos" ;
+IntermediatePrivateHeaders = "$(Intermediates)/PrivateHeaders" ;
+
+CatHeader "$(IntermediateHeaders)/profile.h" : "_KRB5_PROFILE_H"
+ "$(SRCROOT)/../Sources/KerberosProfile/profile.hin"
+ "$(IntermediateErrorTables)/prof_err.h" ;
+CatHeader "$(IntermediateHeaders)/krb5.h" : "KRB5_GENERAL__"
+ "$(SRCROOT)/../Headers/Kerberos5/krb5.hin"
+ "$(IntermediateErrorTables)/adm_err.h"
+ "$(IntermediateErrorTables)/asn1_err.h"
+ "$(IntermediateErrorTables)/kdb5_err.h"
+ "$(IntermediateErrorTables)/krb5_err.h"
+ "$(IntermediateErrorTables)/kv5m_err.h" ;
+CatHeader "$(IntermediateHeaders)/krb524.h" : "__KRB524_H__"
+ "$(SRCROOT)/../Sources/Kerberos524/krb524.h"
+ "$(IntermediateErrorTables)/krb524_err.h" ;
+CatHeader "$(IntermediateHeaders)/gssapi.h" : "_GSSAPI_H_"
+ "$(SRCROOT)/../Sources/GSS/generic/gssapi.hin"
+ "$(IntermediateErrorTables)/gssapi_err_generic.h"
+ "$(IntermediateErrorTables)/gssapi_err_krb5.h" ;
+OSConf "$(IntermediatePrivateHeaders)/osconf.h" : "$(SRCROOT)/../Headers/Kerberos5/krb5/stock/osconf.h" ;
+CopyHeader "$(IntermediateHeaders)/gssapi_generic.h" : "$(SRCROOT)/../Sources/GSS/generic/gssapi_generic.h" ;
+CopyHeader "$(IntermediateHeaders)/gssapi_krb5.h" : "$(SRCROOT)/../Sources/GSS/krb5/gssapi_krb5.h" ;
+CopyHeader "$(IntermediatePrivateHeaders)/autoconf.h" : "$(SRCROOT)/../Headers/MacOSX/Kerberos5Prefix.h" ;
+CopyHeader "$(IntermediateHeaders)/KerberosProfileInit.h" : "$(SRCROOT)/../Headers/MacOSX/KerberosProfileInit.h" ;
+CopyHeader "$(IntermediateHeaders)/Kerberos5Init.h" : "$(SRCROOT)/../Headers/MacOSX/Kerberos5Init.h" ;
+CopyHeader "$(IntermediateHeaders)/GSSInit.h" : "$(SRCROOT)/../Headers/MacOSX/GSSInit.h" ;
+
+DEPENDS all : "$(IntermediateHeaders)/profile.h"
+ "$(IntermediateHeaders)/krb5.h"
+ "$(IntermediateHeaders)/krb524.h"
+ "$(IntermediateHeaders)/gssapi.h"
+ "$(IntermediateHeaders)/gssapi_generic.h"
+ "$(IntermediateHeaders)/gssapi_krb5.h"
+ "$(IntermediatePrivateHeaders)/osconf.h"
+ "$(IntermediatePrivateHeaders)/autoconf.h"
+ "$(IntermediateHeaders)/KerberosProfileInit.h"
+ "$(IntermediateHeaders)/Kerberos5Init.h"
+ "$(IntermediateHeaders)/GSSInit.h" ;
+
+DEPENDS install : all ;
+DEPENDS installhdrs : all ;
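Review bot: In the `OSConf` action, `@KRB5RCTMPDIR` (by its name, the replay-cache temp directory) is fixed to `/var/tmp` with no comment. That is normally a shared, world-writable directory, so the safety of anything the library writes there depends on file-creation code outside this hunk. I would add a comment above the sed call such as `# @KRB5RCTMPDIR -> /var/tmp is shared and world-writable; files there must be created exclusively and owner-checked`, and note why `@SYSCONFDIR` maps to `/usr/etc`. Separately, the `|` in `ErrorTableRegexp` is at the top level, so `^` anchors only the `#define` branch and `$` only the `initialize_..._error_table()` branch. If both anchors were meant to apply to both forms, wrap the two branches in a single group.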
diff --git a/src/mac/MacOSX/Sources/GSSInit.cp b/src/mac/MacOSX/Sources/GSSInit.cp
new file mode 100644
index 0000000..77fddc1
--- /dev/null
+++ b/src/mac/MacOSX/Sources/GSSInit.cp
@@ -0,0 +1,32 @@
+/* Copyright 1998 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include "GSSInit.h"
+extern "C" {
+#include "gss_libinit.h"
+};
+
+void GSSInit (CFStringRef inBundleID)
+{
+ gssint_initialize_library ();
+}
+
+void GSSTerminate (void)
+{
+ gssint_cleanup_library ();
+} \ No newline at end of file
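Review bot: `GSSInit` discards whatever `gssint_initialize_library ()` reports and never uses `inBundleID`, and neither choice is explained. The same applies to `Kerberos5Init` in Kerberos5Init.cp, which calls `krb5int_initialize_library ()` and `cryptoint_initialize_library ()` without checking them. The declarations are in headers not shown here, so it is an assumption that these calls return a status; if they do, a failed initialisation leaves callers with a library that is not set up and no trace of why. The entry points are `void`, so at least log a non-zero result (ProfileInit.cp does this with `dprintf` from `<Kerberos/KerberosDebug.h>`). Also add a comment such as `/* inBundleID is currently unused */`.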
diff --git a/src/mac/MacOSX/Sources/Kerberos5Init.cp b/src/mac/MacOSX/Sources/Kerberos5Init.cp
new file mode 100644
index 0000000..0559671
--- /dev/null
+++ b/src/mac/MacOSX/Sources/Kerberos5Init.cp
@@ -0,0 +1,45 @@
+/* Copyright 1998 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include <Kerberos/com_err.h>
+
+#include "Kerberos5Init.h"
+extern "C" {
+#include "krb5_libinit.h"
+#include "crypto_libinit.h"
+#include "krb524_err.h"
+};
+
+void Kerberos5Init (CFStringRef inBundleID)
+{
+ krb5int_initialize_library ();
+ cryptoint_initialize_library ();
+#if USE_HARDCODED_FALLBACK_ERROR_TABLES
+ add_error_table (&et_k524_error_table);
+#endif
+}
+
+void Kerberos5Terminate (void)
+{
+ krb5int_cleanup_library ();
+ cryptoint_cleanup_library ();
+
+#if USE_HARDCODED_FALLBACK_ERROR_TABLES
+ remove_error_table (&et_k524_error_table);
+#endif
+}
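Review bot: `Kerberos5Terminate` releases things in the same order `Kerberos5Init` acquires them (krb5, then crypto, then the k524 error table), so setup and teardown are not mirror images. If either library depends on the other, one of the two functions has the order backwards; that dependency is not visible from this hunk. Either reverse the terminate sequence so `remove_error_table (&et_k524_error_table);` runs first and `krb5int_cleanup_library ();` last, or add a comment stating that the order is not significant. The ignored initialisation results are covered in the note on GSSInit.cp.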
diff --git a/src/mac/MacOSX/Sources/ProfileInit.cp b/src/mac/MacOSX/Sources/ProfileInit.cp
new file mode 100644
index 0000000..c5f352b
--- /dev/null
+++ b/src/mac/MacOSX/Sources/ProfileInit.cp
@@ -0,0 +1,50 @@
+/* Copyright 1998 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this
+ * software and its documentation for any purpose and without
+ * fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright
+ * notice and this permission notice appear in supporting
+ * documentation, and that the name of M.I.T. not be used in
+ * advertising or publicity pertaining to distribution of the
+ * software without specific, written prior permission.
+ * Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is"
+ * without express or implied warranty.
+ */
+
+#include <Kerberos/com_err.h>
+#include <Kerberos/KerberosDebug.h>
+
+#include "KerberosProfileInit.h"
+#include "prof_int.h"
+#include "prof_err.h"
+
+void KerberosProfileInit (CFStringRef inBundleID)
+{
+ int err = 0;
+
+#if USE_HARDCODED_FALLBACK_ERROR_TABLES
+ /* Initialize the error tables */
+ add_error_table(&et_prof_error_table);
+#endif
+
+ err = prof_mutex_init (&g_shared_trees_mutex);
+ if (err) {
+ dprintf ("prof_mutex_init returned %ld\n", err);
+ }
+}
+
+void KerberosProfileTerminate (void)
+{
+#if USE_HARDCODED_FALLBACK_ERROR_TABLES
+ /* Initialize the error tables */
+ remove_error_table(&et_prof_error_table);
+#endif
+
+ prof_mutex_destroy (&g_shared_trees_mutex);
+}
+
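Review bot: The `dprintf` call in `KerberosProfileInit` formats `err`, which is declared `int`, with `%ld`. Assuming `dprintf` takes printf-style arguments, the specifier has to match the argument: `dprintf ("prof_mutex_init returned %d\n", err);`. A failed `prof_mutex_init` is only logged, and because the function returns `void` the caller cannot learn that `g_shared_trees_mutex` is unusable; `KerberosProfileTerminate` then calls `prof_mutex_destroy` on it unconditionally. The comment in `KerberosProfileTerminate` was copied from the init path and should read `/* Remove the error tables */`.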
diff --git a/src/mac/MacOSX/Sources/cr_tkt.c b/src/mac/MacOSX/Sources/cr_tkt.c
new file mode 100644
index 0000000..ea39f3b
--- /dev/null
+++ b/src/mac/MacOSX/Sources/cr_tkt.c
@@ -0,0 +1,254 @@
+/*
+ * cr_tkt.c
+ *
+ * Copyright 1985, 1986, 1987, 1988 by the Massachusetts Institute
+ * of Technology.
+ *
+ * For copying and distribution information, please see the file
+ * <mit-copyright.h>.
+ */
+
+#include <Kerberos/krb5.h>
+#include <Kerberos/des.h>
+#include <Kerberos/krb.h>
+#include <string.h>
+#include "cr_tkt.h"
+
+#define MSB_FIRST 0 /* 68000, IBM RT/PC */
+#define LSB_FIRST 1 /* Vax, PC8086 */
+#if defined(__ppc__)
+ #define HOST_BYTE_ORDER MSB_FIRST
+#elif defined(__i386__)
+ #define HOST_BYTE_ORDER LSB_FIRST
+#else
+ #error Unknown architecture!
+#endif
+
+static int
+krb_cr_tkt_int(
+ KTEXT tkt, /* Gets filled in by the ticket */
+ unsigned char flags, /* Various Kerberos flags */
+ char *pname, /* Principal's name */
+ char *pinstance, /* Principal's instance */
+ char *prealm, /* Principal's authentication domain */
+ long paddress, /* Net address of requesting entity */
+ char *session, /* Session key inserted in ticket */
+ short life, /* Lifetime of the ticket */
+ long time_sec, /* Issue time and date */
+ char *sname, /* Service Name */
+ char *sinstance, /* Instance Name */
+ C_Block key, /* Service's secret key */
+ krb5_keyblock *k5key); /* NULL if not present */
+
+/*
+ * Create ticket takes as arguments information that should be in a
+ * ticket, and the KTEXT object in which the ticket should be
+ * constructed. It then constructs a ticket and returns, leaving the
+ * newly created ticket in tkt.
+#ifndef NOENCRYPTION
+ * The data in tkt->dat is encrypted in the server's key.
+#endif
+ * The length of the ticket is a multiple of
+ * eight bytes and is in tkt->length.
+ *
+ * If the ticket is too long, the ticket will contain nulls.
+ * The return value of the routine is undefined.
+ *
+ * The corresponding routine to extract information from a ticket it
+ * decomp_ticket. When changes are made to this routine, the
+ * corresponding changes should also be made to that file.
+ *
+ * The packet is built in the following format:
+ *
+ * variable
+ * type or constant data
+ * ---- ----------- ----
+ *
+ * tkt->length length of ticket (multiple of 8 bytes)
+ *
+#ifdef NOENCRYPTION
+ * tkt->dat:
+#else
+ * tkt->dat: (encrypted in server's key)
+#endif
+ *
+ * unsigned char flags namely, HOST_BYTE_ORDER
+ *
+ * string pname client's name
+ *
+ * string pinstance client's instance
+ *
+ * string prealm client's realm
+ *
+ * 4 bytes paddress client's address
+ *
+ * 8 bytes session session key
+ *
+ * 1 byte life ticket lifetime
+ *
+ * 4 bytes time_sec KDC timestamp
+ *
+ * string sname service's name
+ *
+ * string sinstance service's instance
+ *
+ * <=7 bytes null null pad to 8 byte multiple
+ *
+ */
+int
+krb_create_ticket(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, key)
+ KTEXT tkt; /* Gets filled in by the ticket */
+ unsigned char flags; /* Various Kerberos flags */
+ char *pname; /* Principal's name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ long paddress; /* Net address of requesting entity */
+ char *session; /* Session key inserted in ticket */
+ short life; /* Lifetime of the ticket */
+ long time_sec; /* Issue time and date */
+ char *sname; /* Service Name */
+ char *sinstance; /* Instance Name */
+ C_Block key; /* Service's secret key */
+{
+ return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance,
+ key, NULL);
+}
+
+int
+krb_cr_tkt_krb5(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, k5key)
+ KTEXT tkt; /* Gets filled in by the ticket */
+ unsigned char flags; /* Various Kerberos flags */
+ char *pname; /* Principal's name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ long paddress; /* Net address of requesting entity */
+ char *session; /* Session key inserted in ticket */
+ short life; /* Lifetime of the ticket */
+ long time_sec; /* Issue time and date */
+ char *sname; /* Service Name */
+ char *sinstance; /* Instance Name */
+ krb5_keyblock *k5key; /* NULL if not present */
+{
+ C_Block key;
+
+ return krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance,
+ key, k5key);
+}
+
+static int
+krb_cr_tkt_int(tkt, flags, pname, pinstance, prealm, paddress,
+ session, life, time_sec, sname, sinstance, key, k5key)
+ KTEXT tkt; /* Gets filled in by the ticket */
+ unsigned char flags; /* Various Kerberos flags */
+ char *pname; /* Principal's name */
+ char *pinstance; /* Principal's instance */
+ char *prealm; /* Principal's authentication domain */
+ long paddress; /* Net address of requesting entity */
+ char *session; /* Session key inserted in ticket */
+ short life; /* Lifetime of the ticket */
+ long time_sec; /* Issue time and date */
+ char *sname; /* Service Name */
+ char *sinstance; /* Instance Name */
+ C_Block key; /* Service's secret key */
+ krb5_keyblock *k5key; /* NULL if not present */
+{
+ Key_schedule key_s;
+ register char *data; /* running index into ticket */
+
+ tkt->length = 0; /* Clear previous data */
+
+ /* Check length of ticket */
+ if (sizeof(tkt->dat) < (sizeof(flags) +
+ 1 + strlen(pname) +
+ 1 + strlen(pinstance) +
+ 1 + strlen(prealm) +
+ 4 + /* address */
+ 8 + /* session */
+ 1 + /* life */
+ 4 + /* issue time */
+ 1 + strlen(sname) +
+ 1 + strlen(sinstance) +
+ 7) / 8) { /* roundoff */
+ memset(tkt->dat, 0, sizeof(tkt->dat));
+ return KFAILURE /* XXX */;
+ }
+
+ flags |= HOST_BYTE_ORDER; /* ticket byte order */
+ memcpy((char *) (tkt->dat), (char *) &flags, sizeof(flags));
+ data = ((char *)tkt->dat) + sizeof(flags);
+ (void) strcpy(data, pname);
+ data += 1 + strlen(pname);
+ (void) strcpy(data, pinstance);
+ data += 1 + strlen(pinstance);
+ (void) strcpy(data, prealm);
+ data += 1 + strlen(prealm);
+ memcpy(data, (char *) &paddress, 4);
+ data += 4;
+
+ memcpy(data, (char *) session, 8);
+ data += 8;
+ *(data++) = (char) life;
+ /* issue time */
+ memcpy(data, (char *) &time_sec, 4);
+ data += 4;
+ (void) strcpy(data, sname);
+ data += 1 + strlen(sname);
+ (void) strcpy(data, sinstance);
+ data += 1 + strlen(sinstance);
+
+ /* guarantee null padded ticket to multiple of 8 bytes */
+ memset(data, 0, 7);
+ tkt->length = ((data - ((char *)tkt->dat) + 7)/8)*8;
+
+ /* Check length of ticket */
+ if (tkt->length > (sizeof(KTEXT_ST) - 7)) {
+ memset(tkt->dat, 0, tkt->length);
+ tkt->length = 0;
+ return KFAILURE /* XXX */;
+ }
+
+#ifndef NOENCRYPTION
+ /* Encrypt the ticket in the services key */
+ if (k5key != NULL) {
+ /* block locals */
+ krb5_data in;
+ krb5_enc_data out;
+ krb5_error_code ret;
+ size_t enclen;
+
+ in.length = tkt->length;
+ in.data = tkt->dat;
+ /* XXX assumes context arg is ignored */
+ ret = krb5_c_encrypt_length(NULL, k5key->enctype,
+ (size_t)in.length, &enclen);
+ if (ret)
+ return KFAILURE;
+ out.ciphertext.length = enclen;
+ out.ciphertext.data = malloc(enclen);
+ if (out.ciphertext.data == NULL)
+ return KFAILURE; /* XXX maybe ENOMEM? */
+
+ /* XXX assumes context arg is ignored */
+ ret = krb5_c_encrypt(NULL, k5key, KRB5_KEYUSAGE_KDC_REP_TICKET,
+ NULL, &in, &out);
+ if (ret) {
+ free(out.ciphertext.data);
+ return KFAILURE;
+ } else {
+ tkt->length = out.ciphertext.length;
+ memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length);
+ memset(out.ciphertext.data, 0, out.ciphertext.length);
+ free(out.ciphertext.data);
+ }
+ } else {
+ key_sched(key,key_s);
+ pcbc_encrypt((C_Block *)tkt->dat,(C_Block *)tkt->dat,
+ (long) tkt->length,key_s,(C_Block *)key,1);
+ }
+#endif /* !NOENCRYPTION */
+ return 0;
+}
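Review bot: The size guard at the top of `krb_cr_tkt_int` compares `sizeof(tkt->dat)`, a byte count, with the field total divided by 8 and never multiplied back, so it rejects only input roughly eight times larger than the buffer, and the `strcpy` calls that follow can write past `tkt->dat`. The last line of the condition should read `7) / 8 * 8) {`. The second length check runs after the data has already been written, so it cannot stand in for the first. In the krb5 branch the ciphertext is copied back with `memcpy(tkt->dat, out.ciphertext.data, out.ciphertext.length)` although `enclen` is never compared with the buffer; add `if (enclen > sizeof(tkt->dat)) return KFAILURE;` before the `malloc`. The failure returns in that branch also leave the plaintext ticket, session key included, in `tkt->dat` with `tkt->length` set, and `krb_cr_tkt_krb5` hands an uninitialised `key` to the DES path if `k5key` is NULL.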
diff --git a/src/mac/Makefile b/src/mac/Makefile
index 95cc9ba..1048008 100644
--- a/src/mac/Makefile
+++ b/src/mac/Makefile
@@ -6,14 +6,23 @@ root-folder = ::
mitsupportlib-root-folder = {root-folder}:::MITSupportLib:
mitkerberoslib-root-folder = {root-folder}:
makefile-name = {root-folder}mac:Makefile
+makefile-dependency = #{root-folder}mac:Makefile
library-output-folder = {root-folder}bin:
-library-platform-PPC = .PPC
+library-target-macos9 = .9
+library-target-carbon = .CB
-library-kind-debug = .debug
+library-kind-debug = d
library-kind-final =
+fragment-name-macos9 =
+fragment-name-carbon = ";Carbon"
+fragment-name-debug-macos9 = ".debug"
+fragment-name-debug-carbon = ";Debug"
+fragment-name-final-macos9 =
+fragment-name-final-carbon =
+
##############################################################################################################
### Top-level targets -- abstract targets for convenient grouping
##############################################################################################################
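Review bot: `makefile-dependency = #{root-folder}mac:Makefile` puts its whole value behind a `#`. If MPW Make treats that as the start of a comment, as it does for the `#` lines elsewhere in this file, the variable expands to nothing. Every rule that later swaps `{makefile-name}` for `{makefile-dependency}` would then stop rebuilding when the Makefile changes, so stale generated lists and headers can survive an edit to the build rules. If that is intended, say so next to the definition, for example `# Value commented out on purpose: editing the Makefile should not regenerate every list`.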
@@ -22,12 +31,16 @@ library-kind-final =
all Ä unset-echo all-debug all-final
# Debugging versions
-all-debug Ä unset-echo ppc-debug
+all-debug Ä unset-echo macos9-debug-build carbon-debug-build
+carbon-debug Ä unset-echo carbon-debug-build
+macos9-debug Ä unset-echo macos9-debug-build
# Final versions
-all-final Ä unset-echo ppc-final
+all-final Ä unset-echo macos9-final-build carbon-final-build
+carbon-final Ä unset-echo carbon-final-build
+macos9-final Ä unset-echo macos9-final-build
-# Clasic 68K glue
+# Clasic 69K glue
glue Ä unset-echo glue-gss glue-krb5
unset-echo Ä
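Review bot: The comment above the `glue` target changed from `68K` to `69K`, which looks like an accidental edit rather than an intended rename. The existing misspelling `Clasic` was carried over as well. Suggested line: `# Classic 68K glue`.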
@@ -42,37 +55,49 @@ unset-echo Ä
##############################################################################################################
gss-library-output-folder = {root-folder}:GSSLib:Binaries:
+privatekrb5-library-output-folder = {root-folder}:Kerberos5Lib:Binaries:
krb5-library-output-folder = {root-folder}:Kerberos5Lib:Binaries:
profile-library-output-folder = {root-folder}:KerberosProfileLib:Binaries:
comerr-library-output-folder = {root-folder}:ComErrLib:Binaries:
gss-library-name = GSSLib
+privatekrb5-library-name = PrivateKrb5Lib
krb5-library-name = Kerberos5Lib
profile-library-name = KrbProfileLib
comerr-library-name = ComErrLib
gss-library-export = {root-folder}mac:GSSLibrary.exp
-krb5-library-export = {root-folder}mac:K5Library.exp
+privatekrb5-library-export = {root-folder}mac:PrivateKerberos5Lib.exp
+krb5-library-export = {root-folder}mac:Kerberos5Lib.exp
profile-library-export = {root-folder}util:profile:profile.exp
comerr-library-export = {root-folder}util:et:et.exp
gss-library-fragment-name = "GSSLibrary"
+gss-library-fragment-name-carbon = "GSSLibrary"
+privatekrb5-library-fragment-name = "MIT Kerberos¥PrivateKerberos5Lib"
+privatekrb5-library-fragment-name-carbon = "MIT Kerberos;PrivateKerberos5Lib"
krb5-library-fragment-name = "MIT Kerberos¥Kerberos5Lib"
+krb5-library-fragment-name-carbon = "MIT Kerberos;Kerberos5Lib"
profile-library-fragment-name = "MIT Kerberos¥KerberosProfileLib"
+profile-library-fragment-name-carbon = "MIT Kerberos;KerberosProfileLib"
comerr-library-fragment-name = "MIT Kerberos¥ComErrLib"
+comerr-library-fragment-name-carbon = "MIT Kerberos;ComErrLib"
gss-library-main = ¶"¶"
+privatekrb5-library-main = ¶"¶"
krb5-library-main = ¶"¶"
profile-library-main = ¶"¶"
comerr-library-main = ¶"¶"
gss-library-init = __initializeGSS
-krb5-library-init = __initializeK5
+privatekrb5-library-init = __initializeK5
+krb5-library-init = ¶"¶"
profile-library-init = InitializeProfileLib
comerr-library-init = __initialize
gss-library-term = __terminateGSS
-krb5-library-term = __terminateK5
+privatekrb5-library-term = __terminateK5
+krb5-library-term = ¶"¶"
profile-library-term = TerminateProfileLib
comerr-library-term = __terminate
@@ -80,9 +105,13 @@ gss-library-current-version = 1
gss-library-definition-version = 0
gss-library-implementation-version = 1
-krb5-library-current-version = 2
-krb5-library-definition-version = 2
-krb5-library-implementation-version = 2
+privatekrb5-library-current-version = 5
+privatekrb5-library-definition-version = 5
+privatekrb5-library-implementation-version = 5
+
+krb5-library-current-version = 6
+krb5-library-definition-version = 5
+krb5-library-implementation-version = 5
profile-library-current-version = 0
profile-library-definition-version = 0
@@ -98,7 +127,8 @@ comerr-library-implementation-version = 0
list-generation-script-working-folder = "{root-folder}mac:"
list-generation-script-folder = "{root-folder}mac:"
-list-generation-script = "{list-generation-script-folder}macfile_gen.pl"
+list-generation-script = "{list-generation-script-folder}macfile_gen.macpl"
+list-generation-script-source = "{list-generation-script-folder}macfile_gen.pl"
list-generation-script-root = ".."
all-files-list = {root-folder}"All files.list"
@@ -110,17 +140,25 @@ gss-sources-list = {root-folder}"GSS sources.list"
krb5-sources-list = {root-folder}"Krb5 sources.list"
profile-sources-list = {root-folder}"Profile sources.list"
-gss-objects-ppc-debug-list = {root-folder}"GSS objects PPC debug.list"
-gss-objects-ppc-final-list = {root-folder}"GSS objects PPC final.list"
+gss-objects-macos9-debug-list = {root-folder}"GSS objects 9 debug.list"
+gss-objects-macos9-final-list = {root-folder}"GSS objects 9 final.list"
+gss-objects-carbon-debug-list = {root-folder}"GSS objects CB debug.list"
+gss-objects-carbon-final-list = {root-folder}"GSS objects CB final.list"
-krb5-objects-ppc-debug-list = {root-folder}"Krb5 objects PPC debug.list"
-krb5-objects-ppc-final-list = {root-folder}"Krb5 objects PPC final.list"
+krb5-objects-macos9-debug-list = {root-folder}"Krb5 objects 9 debug.list"
+krb5-objects-macos9-final-list = {root-folder}"Krb5 objects 9 final.list"
+krb5-objects-carbon-debug-list = {root-folder}"Krb5 objects CB debug.list"
+krb5-objects-carbon-final-list = {root-folder}"Krb5 objects CB final.list"
-profile-objects-ppc-debug-list = {root-folder}"Profile objects PPC debug.list"
-profile-objects-ppc-final-list = {root-folder}"Profile objects PPC final.list"
+profile-objects-macos9-debug-list = {root-folder}"Profile objects 9 debug.list"
+profile-objects-macos9-final-list = {root-folder}"Profile objects 9 final.list"
+profile-objects-carbon-debug-list = {root-folder}"Profile objects CB debug.list"
+profile-objects-carbon-final-list = {root-folder}"Profile objects CB final.list"
-comerr-objects-ppc-debug-list = {root-folder}"ComErr objects PPC debug.list"
-comerr-objects-ppc-final-list = {root-folder}"ComErr objects PPC final.list"
+comerr-objects-macos9-debug-list = {root-folder}"ComErr objects 9 debug.list"
+comerr-objects-macos9-final-list = {root-folder}"ComErr objects 9 final.list"
+comerr-objects-carbon-debug-list = {root-folder}"ComErr objects CB debug.list"
+comerr-objects-carbon-final-list = {root-folder}"ComErr objects CB final.list"
all-lists = ¶
{all-files-list} ¶
@@ -129,83 +167,128 @@ all-lists = ¶
{include-folders-list} ¶
{gss-sources-list} ¶
{krb5-sources-list} ¶
- {gss-objects-ppc-debug-list} ¶
- {gss-objects-ppc-final-list} ¶
- {krb5-objects-ppc-debug-list} ¶
- {krb5-objects-ppc-final-list} ¶
- {profile-objects-ppc-debug-list} ¶
- {profile-objects-ppc-final-list} ¶
- {comerr-objects-ppc-debug-list} ¶
- {comerr-objects-ppc-final-list}
+ {gss-objects-macos9-debug-list} ¶
+ {gss-objects-macos9-final-list} ¶
+ {gss-objects-carbon-debug-list} ¶
+ {gss-objects-carbon-final-list} ¶
+ {krb5-objects-macos9-debug-list} ¶
+ {krb5-objects-macos9-final-list} ¶
+ {krb5-objects-carbon-debug-list} ¶
+ {krb5-objects-carbon-final-list} ¶
+ {profile-objects-macos9-debug-list} ¶
+ {profile-objects-macos9-final-list} ¶
+ {profile-objects-carbon-debug-list} ¶
+ {profile-objects-carbon-final-list} ¶
+ {comerr-objects-macos9-debug-list} ¶
+ {comerr-objects-macos9-final-list} ¶
+ {comerr-objects-carbon-debug-list} ¶
+ {comerr-objects-carbon-final-list}
file-lists Ä {all-lists}
+{list-generation-script} Ä {list-generation-script-source}
+ perl -p -e 's/\r/\n/g;' < {list-generation-script-source} > {list-generation-script}
+
# Note that even though the list generation script tries to have a mechanism allowing you to run it
# in different directories, it actually doesn't work too well because it wants a UNIX-style relative
# path to root Makefile.in. This is why we run it with -x to specify the root.
-{all-files-list} Ä {list-generation-script} {makefile-name}
+{all-files-list} Ä {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} all-files {list-generation-script-root} ¶
> {Targ}
-{all-sources-list} Ä {all-files-list} {list-generation-script} {makefile-name}
+{all-sources-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} all-sources {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{all-folders-list} Ä {all-files-list} {list-generation-script} {makefile-name}
+{all-folders-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} all-folders {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{include-folders-list} Ä {all-files-list} {list-generation-script} {makefile-name}
+{include-folders-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} include-folders {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{gss-sources-list} Ä {all-files-list} {list-generation-script} {makefile-name}
+{gss-sources-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-sources {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{krb5-sources-list} Ä {all-files-list} {list-generation-script} {makefile-name}
+{krb5-sources-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-sources {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{gss-objects-ppc-debug-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-ppc-debug {list-generation-script-root} ¶
+{gss-objects-macos9-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-macos9-debug {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{gss-objects-macos9-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-macos9-final {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{gss-objects-carbon-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-carbon-debug {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{gss-objects-carbon-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-carbon-final {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{krb5-objects-macos9-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-macos9-debug {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{gss-objects-ppc-final-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} gss-objects-ppc-final {list-generation-script-root} ¶
+{krb5-objects-macos9-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-macos9-final {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{krb5-objects-ppc-debug-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-ppc-debug {list-generation-script-root} ¶
+{krb5-objects-carbon-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-carbon-debug {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{krb5-objects-ppc-final-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-ppc-final {list-generation-script-root} ¶
+{krb5-objects-carbon-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} krb5-objects-carbon-final {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{profile-objects-ppc-debug-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-ppc-debug {list-generation-script-root} ¶
+{profile-objects-macos9-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-macos9-debug {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{profile-objects-ppc-final-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-ppc-final {list-generation-script-root} ¶
+{profile-objects-macos9-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-macos9-final {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{comerr-objects-ppc-debug-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-ppc-debug {list-generation-script-root} ¶
+{profile-objects-carbon-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-carbon-debug {list-generation-script-root} ¶
< {all-files-list} > {Targ}
-{comerr-objects-ppc-final-list} Ä {all-files-list} {list-generation-script} {makefile-name}
- perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-ppc-final {list-generation-script-root} ¶
+{profile-objects-carbon-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} profile-objects-carbon-final {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{comerr-objects-macos9-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-macos9-debug {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{comerr-objects-macos9-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-macos9-final {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{comerr-objects-carbon-debug-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-carbon-debug {list-generation-script-root} ¶
+ < {all-files-list} > {Targ}
+
+{comerr-objects-carbon-final-list} Ä {all-files-list} {list-generation-script} {makefile-dependency}
+ perl -x"{list-generation-script-working-folder}" {list-generation-script} comerr-objects-carbon-final {list-generation-script-root} ¶
< {all-files-list} > {Targ}
##############################################################################################################
### Autogenerated files
##############################################################################################################
-autogeneration-h-script = {root-folder}util:et:et_h.perl
-autogeneration-c-script = {root-folder}util:et:et_c.perl
+autogeneration-h-script = {root-folder}util:et:et_h.macpl
+autogeneration-h-script-source = {root-folder}util:et:et_h.pl
+autogeneration-c-script = {root-folder}util:et:et_c.macpl
+autogeneration-c-script-source = {root-folder}util:et:et_c.pl
autogenerated-files = ¶
{root-folder}include:asn1_err.h ¶
@@ -228,60 +311,81 @@ autogenerated-files = ¶
{root-folder}util:profile:profile.h ¶
{root-folder}include:profile.h ¶
{root-folder}include:krb5:osconf.h ¶
- {root-folder}lib:gssapi:generic:gssapi.h ¶
- {root-folder}include:autoconf.h
+ {root-folder}lib:gssapi:generic:gssapi.h
### error table headers
-{root-folder}include:asn1_err.h Ä {root-folder}lib:krb5:error_tables:asn1_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}include:asn1_err.h" < "{root-folder}lib:krb5:error_tables:asn1_err.et"
+{autogeneration-h-script} Ä {autogeneration-h-script-source}
+ perl -p -e 's/\r/\n/g;' < {autogeneration-h-script-source} > {autogeneration-h-script}
+
+{root-folder}include:asn1_err.h Ä {root-folder}lib:krb5:error_tables:asn1_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:krb5:error_tables:asn1_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}include:asn1_err.h"
-{root-folder}include:kdb5_err.h Ä {root-folder}lib:krb5:error_tables:kdb5_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}include:kdb5_err.h" < "{root-folder}lib:krb5:error_tables:kdb5_err.et"
+{root-folder}include:kdb5_err.h Ä {root-folder}lib:krb5:error_tables:kdb5_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:krb5:error_tables:kdb5_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}include:kdb5_err.h"
-{root-folder}include:krb5_err.h Ä {root-folder}lib:krb5:error_tables:krb5_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}include:krb5_err.h" < "{root-folder}lib:krb5:error_tables:krb5_err.et"
+{root-folder}include:krb5_err.h Ä {root-folder}lib:krb5:error_tables:krb5_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:krb5:error_tables:krb5_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}include:krb5_err.h"
-{root-folder}include:kv5m_err.h Ä {root-folder}lib:krb5:error_tables:kv5m_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}include:kv5m_err.h" < "{root-folder}lib:krb5:error_tables:kv5m_err.et"
+{root-folder}include:kv5m_err.h Ä {root-folder}lib:krb5:error_tables:kv5m_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:krb5:error_tables:kv5m_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}include:kv5m_err.h"
-{root-folder}include:adm_err.h Ä {root-folder}lib:krb5:error_tables:adm_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}include:adm_err.h" < "{root-folder}lib:krb5:error_tables:adm_err.et"
+{root-folder}include:adm_err.h Ä {root-folder}lib:krb5:error_tables:adm_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:krb5:error_tables:adm_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}include:adm_err.h"
-{root-folder}lib:gssapi:generic:gssapi_err_generic.h Ä {root-folder}lib:gssapi:generic:gssapi_err_generic.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}lib:gssapi:generic:gssapi_err_generic.h" < "{root-folder}lib:gssapi:generic:gssapi_err_generic.et"
+{root-folder}lib:gssapi:generic:gssapi_err_generic.h Ä {root-folder}lib:gssapi:generic:gssapi_err_generic.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:gssapi:generic:gssapi_err_generic.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}lib:gssapi:generic:gssapi_err_generic.h"
-{root-folder}lib:gssapi:krb5:gssapi_err_krb5.h Ä {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}lib:gssapi:krb5:gssapi_err_krb5.h" < "{root-folder}lib:gssapi:krb5:gssapi_err_krb5.et"
+{root-folder}lib:gssapi:krb5:gssapi_err_krb5.h Ä {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}lib:gssapi:krb5:gssapi_err_krb5.h"
-{root-folder}util:profile:prof_err.h Ä {root-folder}util:profile:prof_err.et {makefile-name} {autogeneration-h-script}
- perl {autogeneration-h-script} outfile="{root-folder}util:profile:prof_err.h" < "{root-folder}util:profile:prof_err.et"
+{root-folder}util:profile:prof_err.h Ä {root-folder}util:profile:prof_err.et {makefile-dependency} {autogeneration-h-script}
+ Catenate {root-folder}util:profile:prof_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-h-script} outfile="{root-folder}util:profile:prof_err.h"
### error table sources
-{root-folder}lib:krb5:error_tables:asn1_err.c Ä {root-folder}lib:krb5:error_tables:asn1_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:asn1_err.c" < "{root-folder}lib:krb5:error_tables:asn1_err.et"
+{autogeneration-c-script} Ä {autogeneration-c-script-source}
+ perl -p -e 's/\r/\n/g;' < {autogeneration-c-script-source} > {autogeneration-c-script}
-{root-folder}lib:krb5:error_tables:kdb5_err.c Ä {root-folder}lib:krb5:error_tables:kdb5_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:kdb5_err.c" < "{root-folder}lib:krb5:error_tables:kdb5_err.et"
+{root-folder}lib:krb5:error_tables:asn1_err.c Ä {root-folder}lib:krb5:error_tables:asn1_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:krb5:error_tables:asn1_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:asn1_err.c"
-{root-folder}lib:krb5:error_tables:krb5_err.c Ä {root-folder}lib:krb5:error_tables:krb5_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:krb5_err.c" < "{root-folder}lib:krb5:error_tables:krb5_err.et"
+{root-folder}lib:krb5:error_tables:kdb5_err.c Ä {root-folder}lib:krb5:error_tables:kdb5_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:krb5:error_tables:kdb5_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:kdb5_err.c"
-{root-folder}lib:krb5:error_tables:kv5m_err.c Ä {root-folder}lib:krb5:error_tables:kv5m_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:kv5m_err.c" < "{root-folder}lib:krb5:error_tables:kv5m_err.et"
+{root-folder}lib:krb5:error_tables:krb5_err.c Ä {root-folder}lib:krb5:error_tables:krb5_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:krb5:error_tables:krb5_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:krb5_err.c"
-{root-folder}lib:krb5:error_tables:adm_err.c Ä {root-folder}lib:krb5:error_tables:adm_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:adm_err.c" < "{root-folder}lib:krb5:error_tables:adm_err.et"
+{root-folder}lib:krb5:error_tables:kv5m_err.c Ä {root-folder}lib:krb5:error_tables:kv5m_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:krb5:error_tables:kv5m_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:kv5m_err.c"
-{root-folder}lib:gssapi:generic:gssapi_err_generic.c Ä {root-folder}lib:gssapi:generic:gssapi_err_generic.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:gssapi:generic:gssapi_err_generic.c" < "{root-folder}lib:gssapi:generic:gssapi_err_generic.et"
+{root-folder}lib:krb5:error_tables:adm_err.c Ä {root-folder}lib:krb5:error_tables:adm_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:krb5:error_tables:adm_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:krb5:error_tables:adm_err.c"
-{root-folder}lib:gssapi:krb5:gssapi_err_krb5.c Ä {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}lib:gssapi:krb5:gssapi_err_krb5.c" < "{root-folder}lib:gssapi:krb5:gssapi_err_krb5.et"
+{root-folder}lib:gssapi:generic:gssapi_err_generic.c Ä {root-folder}lib:gssapi:generic:gssapi_err_generic.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:gssapi:generic:gssapi_err_generic.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:gssapi:generic:gssapi_err_generic.c"
-{root-folder}util:profile:prof_err.c Ä {root-folder}util:profile:prof_err.et {makefile-name} {autogeneration-c-script}
- perl {autogeneration-c-script} outfile="{root-folder}util:profile:prof_err.c" < "{root-folder}util:profile:prof_err.et"
+{root-folder}lib:gssapi:krb5:gssapi_err_krb5.c Ä {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}lib:gssapi:krb5:gssapi_err_krb5.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}lib:gssapi:krb5:gssapi_err_krb5.c"
+
+{root-folder}util:profile:prof_err.c Ä {root-folder}util:profile:prof_err.et {makefile-dependency} {autogeneration-c-script}
+ Catenate {root-folder}util:profile:prof_err.et | perl -p -e 's/\r/\n/g;' | Catenate | ¶
+ perl {autogeneration-c-script} outfile="{root-folder}util:profile:prof_err.c"
### other autogenerated files
@@ -289,26 +393,27 @@ autogenerated-files = ¶
{root-folder}include:kdb5_err.h {root-folder}include:kv5m_err.h {root-folder}include:asn1_err.h
Catenate {root-folder}include:krb5.hin {root-folder}include:krb5_err.h {root-folder}include:kdb5_err.h ¶
{root-folder}include:kv5m_err.h {root-folder}include:asn1_err.h > {root-folder}include:krb5.h
+ Catenate {root-folder}include:krb5.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}include:krb5.h
{root-folder}util:profile:profile.h Ä {root-folder}util:profile:profile.hin {root-folder}util:profile:prof_err.h
Catenate {root-folder}util:profile:profile.hin {root-folder}util:profile:prof_err.h > {root-folder}util:profile:profile.h
+ Catenate {root-folder}util:profile:profile.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}util:profile:profile.h
{root-folder}include:profile.h Ä {root-folder}util:profile:profile.h
Catenate {root-folder}util:profile:profile.h > {root-folder}include:profile.h
+ Catenate {root-folder}include:profile.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}include:profile.h
SetFile -a l "{Targ}"
{root-folder}include:krb5:osconf.h Ä {root-folder}include:krb5:stock:osconf.h
Catenate {root-folder}include:krb5:stock:osconf.h > {root-folder}include:krb5:osconf.h
+ Catenate {root-folder}include:krb5:osconf.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}include:krb5:osconf.h
SetFile -a l "{Targ}"
{root-folder}lib:gssapi:generic:gssapi.h Ä {root-folder}lib:gssapi:generic:gssapi.hin
Catenate {root-folder}lib:gssapi:generic:gssapi.hin > {root-folder}lib:gssapi:generic:gssapi.h
+ Catenate {root-folder}lib:gssapi:generic:gssapi.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}lib:gssapi:generic:gssapi.h
SetFile -a l "{Targ}"
-{root-folder}include:autoconf.h Ä {root-folder}mac:libraries:autoconf.h
- Catenate {root-folder}mac:libraries:autoconf.h > {root-folder}include:autoconf.h
- SetFile -a l "{Targ}"
-
##############################################################################################################
### High-level abstract targets -- this is where we decide on options
##############################################################################################################
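Review bot: Each added conversion line reads and writes the same file in one pipeline (`Catenate X | perl -p -e 's/\n/\r/g;' | Catenate > X`), which only works if the shell finishes every stage before the final redirect opens the target; I cannot confirm that from this hunk. If the perl stage fails or is absent, the header is left truncated or half-converted with a fresh modification date, so a later Make run will presumably treat it as up to date. Folding the conversion into the generating command avoids both problems, for example `Catenate {root-folder}util:profile:profile.hin {root-folder}util:profile:prof_err.h | perl -p -e 's/\n/\r/g;' | Catenate > {root-folder}util:profile:profile.h`, and likewise for the other four rules. The krb5.h rule starts above the hunk, so its dependency line is not visible here.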
@@ -360,90 +465,200 @@ autogenerated-files = ¶
### General
### library-linker -- linker to use
### autogenerated-files -- list of autogenerated files
-### library-platform -- platform name (68K or PPC)
-### library-kind -- library kind (".debug" or "")
-### object-suffix -- object file suffix (.ppcf.o, .ppcd.o, .68kf.o, .68kd.o)
-### object-suffix-data -- object file suffix fdor data libraries (.ppc.o, .68k.o)
+### library-target -- platform name (Mac OS 9 or Carbon)
+### library-kind -- library kind (debug on non-debug)
+### object-suffix -- object file suffix (.9d.o, .CBd.o, .9.o, .CB.o)
+### object-suffix-data -- object file suffix for data libraries (.9.o, .CB.o)
### The following variables are platform- or kind-specific, but constant
-clib-ppc-debug = {mitsupportlib-root-folder}CLib:Binaries:CLib.PPC.debug
-clib-ppc-final = {mitsupportlib-root-folder}CLib:Binaries:CLib.PPC
-
-runtimelib-ppc-debug = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.PPC.debug
-runtimelib-ppc-final = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.PPC
-
-runtimelib-static-ppc-debug = {mitsupportlib-root-folder}"RuntimeLib:Binaries:ShlibRuntime.Lib.PPC.debug"
-runtimelib-static-ppc-final = {mitsupportlib-root-folder}"RuntimeLib:Binaries:ShlibRuntime.Lib.PPC"
-
-standard-libraries-ppc-debug = ¶
- "{clib-ppc-debug}" ¶
- "{runtimelib-ppc-debug}" ¶
- "{runtimelib-static-ppc-debug}" ¶
+clib-macos9-debug = {mitsupportlib-root-folder}CLib:Binaries:CLib.9d
+clib-macos9-final = {mitsupportlib-root-folder}CLib:Binaries:CLib.9
+clib-carbon-debug = {mitsupportlib-root-folder}CLib:Binaries:CLib.CBd
+clib-carbon-final = {mitsupportlib-root-folder}CLib:Binaries:CLib.CB
+
+runtimelib-macos9-debug = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.9d
+runtimelib-macos9-final = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.9
+runtimelib-carbon-debug = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.CBd
+runtimelib-carbon-final = {mitsupportlib-root-folder}RuntimeLib:Binaries:RuntimeLib.CB
+
+runtimelib-static-macos9-debug = {mitsupportlib-root-folder}"RuntimeLib:Binaries:Runtime.9d.lib"
+runtimelib-static-macos9-final = {mitsupportlib-root-folder}"RuntimeLib:Binaries:Runtime.9.lib"
+runtimelib-static-carbon-debug = {mitsupportlib-root-folder}"RuntimeLib:Binaries:Runtime.CBd.lib"
+runtimelib-static-carbon-final = {mitsupportlib-root-folder}"RuntimeLib:Binaries:Runtime.CB.lib"
+
+standard-libraries-macos9-debug = ¶
+ "{clib-macos9-debug}" ¶
+ "{runtimelib-macos9-debug}" ¶
+ "{runtimelib-static-macos9-debug}" ¶
¶"{SharedLibraries}InterfaceLib¶" ¶
+ ¶"{SharedLibraries}OpenTptInternetLib¶" ¶
¶"{SharedLibraries}MathLib¶"
-standard-libraries-ppc-final = ¶
- "{clib-ppc-final}" ¶
- "{runtimelib-ppc-final}" ¶
- "{runtimelib-static-ppc-final}" ¶
+standard-libraries-macos9-final = ¶
+ "{clib-macos9-final}" ¶
+ "{runtimelib-macos9-final}" ¶
+ "{runtimelib-static-macos9-final}" ¶
¶"{SharedLibraries}InterfaceLib¶" ¶
+ ¶"{SharedLibraries}OpenTptInternetLib¶" ¶
¶"{SharedLibraries}MathLib¶"
-
-ccachelib-ppc-debug = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.PPC.debug
-ccachelib-ppc-final = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.PPC
-
-socketslib-ppc-debug = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.PPC.debug
-socketslib-ppc-final = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.PPC
-
-errorlib-ppc-debug = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.PPC.debug
-errorlib-ppc-final = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.PPC
-
-object-suffix-ppc-debug = .ppcd.o
-object-suffix-ppc-final = .ppcf.o
-object-suffix-ppc-data = .ppc.o
-
-gss-library-libraries-ppc-debug = ¶
- {standard-libraries-ppc-debug} ¶
- {krb5-library-output-folder}{krb5-library-name}{library-platform-ppc}{library-kind-debug} ¶
- {profile-library-output-folder}{profile-library-name}{library-platform-ppc}{library-kind-debug} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-debug}
-gss-library-libraries-ppc-final = ¶
- {standard-libraries-ppc-final} ¶
- {krb5-library-output-folder}{krb5-library-name}{library-platform-ppc}{library-kind-final} ¶
- {profile-library-output-folder}{profile-library-name}{library-platform-ppc}{library-kind-final} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-final}
-
-krb5-library-libraries-ppc-debug = ¶
- {standard-libraries-ppc-debug} ¶
- {ccachelib-ppc-debug} ¶
- {socketslib-ppc-debug} ¶
- {errorlib-ppc-debug} ¶
- {profile-library-output-folder}{profile-library-name}{library-platform-ppc}{library-kind-debug} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-debug} ¶
- ¶"{PPCLibraries}PPCMath64Lib.o¶" ¶
- ¶"{SharedLibraries}DriverServicesLib¶"
-krb5-library-libraries-ppc-final = ¶
- {standard-libraries-ppc-final} ¶
- {ccachelib-ppc-final} ¶
- {socketslib-ppc-final} ¶
- {errorlib-ppc-final} ¶
- {profile-library-output-folder}{profile-library-name}{library-platform-ppc}{library-kind-final} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-final} ¶
- ¶"{PPCLibraries}PPCMath64Lib.o¶" ¶
- ¶"{SharedLibraries}DriverServicesLib¶"
-
-profile-library-libraries-ppc-debug = ¶
- {standard-libraries-ppc-debug} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-debug}
-profile-library-libraries-ppc-final = ¶
- {standard-libraries-ppc-final} ¶
- {comerr-library-output-folder}{comerr-library-name}{library-platform-ppc}{library-kind-final}
-
-comerr-library-libraries-ppc-debug = ¶
- {standard-libraries-ppc-debug} {errorlib-ppc-debug}
-comerr-library-libraries-ppc-final = ¶
- {standard-libraries-ppc-final} {errorlib-ppc-final}
+standard-libraries-carbon-debug = ¶
+ "{clib-carbon-debug}" ¶
+ "{runtimelib-carbon-debug}" ¶
+ "{runtimelib-static-carbon-debug}" ¶
+ ¶"{SharedLibraries}CarbonLib¶"
+standard-libraries-carbon-final = ¶
+ "{clib-carbon-final}" ¶
+ "{runtimelib-carbon-final}" ¶
+ "{runtimelib-static-carbon-final}" ¶
+ ¶"{SharedLibraries}CarbonLib¶"
+
+ccachelib-macos9-debug = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.9d
+ccachelib-macos9-final = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.9
+ccachelib-carbon-debug = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.CBd
+ccachelib-carbon-final = {mitkerberoslib-root-folder}CCacheLib:Binaries:CCacheLib.CB
+
+loginlib-macos9-debug = {mitkerberoslib-root-folder}LoginLib:Binaries:KrbLoginLib.stub.9d
+loginlib-macos9-final = {mitkerberoslib-root-folder}LoginLib:Binaries:KrbLoginLib.stub.9
+loginlib-carbon-debug = {mitkerberoslib-root-folder}LoginLib:Binaries:KrbLoginLib.stub.CBd
+loginlib-carbon-final = {mitkerberoslib-root-folder}LoginLib:Binaries:KrbLoginLib.stub.CB
+
+preferenceslib-macos9-debug = {mitkerberoslib-root-folder}PreferencesLib:Binaries:PreferencesLib.9d
+preferenceslib-macos9-final = {mitkerberoslib-root-folder}PreferencesLib:Binaries:PreferencesLib.9
+preferenceslib-carbon-debug = {mitkerberoslib-root-folder}PreferencesLib:Binaries:PreferencesLib.CBd
+preferenceslib-carbon-final = {mitkerberoslib-root-folder}PreferencesLib:Binaries:PreferencesLib.CB
+
+socketslib-macos9-debug = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.9d
+socketslib-macos9-final = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.9
+socketslib-carbon-debug = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.CBd
+socketslib-carbon-final = {mitsupportlib-root-folder}SocketsLib:Binaries:SocketsLib.CB
+
+errorlib-macos9-debug = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.9d
+errorlib-macos9-final = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.9
+errorlib-carbon-debug = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.CBd
+errorlib-carbon-final = {mitsupportlib-root-folder}ErrorLib:Binaries:ErrorLib.CB
+
+utilitieslib-macos9-debug = {mitsupportlib-root-folder}UtilitiesLib:Binaries:UtilitiesLib.9d
+utilitieslib-macos9-final = {mitsupportlib-root-folder}UtilitiesLib:Binaries:UtilitiesLib.9
+utilitieslib-carbon-debug = {mitsupportlib-root-folder}UtilitiesLib:Binaries:UtilitiesLib.CBd
+utilitieslib-carbon-final = {mitsupportlib-root-folder}UtilitiesLib:Binaries:UtilitiesLib.CB
+
+morefileslib-macos9-debug = {mitsupportlib-root-folder}MoreFilesLib:Binaries:MoreFilesLib.9d
+morefileslib-macos9-final = {mitsupportlib-root-folder}MoreFilesLib:Binaries:MoreFilesLib.9
+morefileslib-carbon-debug = {mitsupportlib-root-folder}MoreFilesLib:Binaries:MoreFilesLib.CBd
+morefileslib-carbon-final = {mitsupportlib-root-folder}MoreFilesLib:Binaries:MoreFilesLib.CB
+
+object-suffix-macos9-debug = .9d.o
+object-suffix-macos9-final = .9.o
+object-suffix-macos9-data = .9.o
+object-suffix-carbon-debug = .CBd.o
+object-suffix-carbon-final = .CB.o
+object-suffix-carbon-data = .CB.o
+
+gss-library-libraries-macos9-debug = ¶
+ {standard-libraries-macos9-debug} ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-macos9}{library-kind-debug} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-macos9}{library-kind-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-debug}
+gss-library-libraries-macos9-final = ¶
+ {standard-libraries-macos9-final} ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-macos9}{library-kind-final} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-macos9}{library-kind-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-final}
+gss-library-libraries-carbon-debug = ¶
+ {standard-libraries-carbon-debug} ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-carbon}{library-kind-debug} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-carbon}{library-kind-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-debug}
+gss-library-libraries-carbon-final = ¶
+ {standard-libraries-carbon-final} ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-carbon}{library-kind-final} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-carbon}{library-kind-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-final}
+
+krb5-library-libraries-macos9-debug = ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-macos9}{library-kind-debug}
+krb5-library-libraries-macos9-final = ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-macos9}{library-kind-final}
+krb5-library-libraries-carbon-debug = ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-carbon}{library-kind-debug}
+krb5-library-libraries-carbon-final = ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-target-carbon}{library-kind-final}
+
+privatekrb5-library-libraries-macos9-debug = ¶
+ ¶"{SharedLibraries}DriverServicesLib¶" ¶
+ {standard-libraries-macos9-debug} ¶
+ {utilitieslib-macos9-debug} ¶
+ {ccachelib-macos9-debug} ¶
+ {preferenceslib-macos9-debug} ¶
+ {loginlib-macos9-debug} ¶
+ {socketslib-macos9-debug} ¶
+ {errorlib-macos9-debug} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-macos9}{library-kind-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-debug} ¶
+ ¶"{PPCLibraries}PPCMath64Lib.o¶"
+privatekrb5-library-libraries-macos9-final = ¶
+ ¶"{SharedLibraries}DriverServicesLib¶" ¶
+ {standard-libraries-macos9-final} ¶
+ {utilitieslib-macos9-final} ¶
+ {ccachelib-macos9-final} ¶
+ {preferenceslib-macos9-final} ¶
+ {loginlib-macos9-final} ¶
+ {socketslib-macos9-final} ¶
+ {errorlib-macos9-final} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-macos9}{library-kind-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-final} ¶
+ ¶"{PPCLibraries}PPCMath64Lib.o¶"
+privatekrb5-library-libraries-carbon-debug = ¶
+ {standard-libraries-carbon-debug} ¶
+ {utilitieslib-carbon-debug} ¶
+ {ccachelib-carbon-debug} ¶
+ {preferenceslib-carbon-debug} ¶
+ {loginlib-carbon-debug} ¶
+ {socketslib-carbon-debug} ¶
+ {errorlib-carbon-debug} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-carbon}{library-kind-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-debug}
+privatekrb5-library-libraries-carbon-final = ¶
+ {standard-libraries-carbon-final} ¶
+ {utilitieslib-carbon-final} ¶
+ {ccachelib-carbon-final} ¶
+ {preferenceslib-carbon-final} ¶
+ {loginlib-carbon-final} ¶
+ {socketslib-carbon-final} ¶
+ {errorlib-carbon-final} ¶
+ {profile-library-output-folder}{profile-library-name}{library-target-carbon}{library-kind-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-final}
+
+profile-library-libraries-macos9-debug = ¶
+ {standard-libraries-macos9-debug} ¶
+ {morefileslib-macos9-debug} ¶
+ {utilitieslib-macos9-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-debug}
+profile-library-libraries-macos9-final = ¶
+ {standard-libraries-macos9-final} ¶
+ {morefileslib-macos9-final} ¶
+ {utilitieslib-macos9-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-macos9}{library-kind-final}
+profile-library-libraries-carbon-debug = ¶
+ {standard-libraries-carbon-debug} ¶
+ {morefileslib-carbon-debug} ¶
+ {utilitieslib-carbon-debug} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-debug}
+profile-library-libraries-carbon-final = ¶
+ {standard-libraries-carbon-final} ¶
+ {morefileslib-carbon-final} ¶
+ {utilitieslib-carbon-final} ¶
+ {comerr-library-output-folder}{comerr-library-name}{library-target-carbon}{library-kind-final}
+
+comerr-library-libraries-macos9-debug = ¶
+ {standard-libraries-macos9-debug} {errorlib-macos9-debug}
+comerr-library-libraries-macos9-final = ¶
+ {standard-libraries-macos9-final} {errorlib-macos9-final}
+comerr-library-libraries-carbon-debug = ¶
+ {standard-libraries-carbon-debug} {errorlib-carbon-debug}
+comerr-library-libraries-carbon-final = ¶
+ {standard-libraries-carbon-final} {errorlib-carbon-final}
### Construct linker options.
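Review bot: The new suffix table gives final and data objects the same suffix (`object-suffix-macos9-final = .9.o` and `object-suffix-macos9-data = .9.o`, likewise `.CB.o` for Carbon), whereas the removed definitions kept them apart (`.ppcf.o` and `.ppc.o`). If any source is ever built both as a data object and as a final object, the two outputs would overwrite each other and a debug build could pick up an object compiled with final options; whether that happens depends on rules outside this hunk. Either give the data objects a distinct suffix (for example `object-suffix-macos9-data = .9data.o`, a name made up for illustration) or add a comment such as `### data objects intentionally share the final suffix` above these lines. The header comment also has a typo and should read `### library-kind -- library kind (debug or non-debug)`.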
@@ -456,93 +671,148 @@ gss-library-common-linker-options = ¶
-dv {gss-library-definition-version} ¶
-uv {gss-library-implementation-version}
-gss-library-linker-options-ppc-debug = {common-linker-options-debug} {gss-library-common-linker-options}
-gss-library-linker-options-ppc-final = {common-linker-options-final} {gss-library-common-linker-options}
+gss-library-linker-options-macos9-debug = {common-linker-options-debug} {gss-library-common-linker-options}
+gss-library-linker-options-macos9-final = {common-linker-options-final} {gss-library-common-linker-options}
+gss-library-linker-options-carbon-debug = {common-linker-options-debug} {gss-library-common-linker-options}
+gss-library-linker-options-carbon-final = {common-linker-options-final} {gss-library-common-linker-options}
krb5-library-common-linker-options = ¶
-cv {krb5-library-current-version} ¶
-dv {krb5-library-definition-version} ¶
-uv {krb5-library-implementation-version}
-krb5-library-linker-options-ppc-debug = {common-linker-options-debug} {krb5-library-common-linker-options} -weaklib "DriverServicesLib"
-krb5-library-linker-options-ppc-final = {common-linker-options-final} {krb5-library-common-linker-options} -weaklib "DriverServicesLib"
+krb5-library-linker-options-macos9-debug = {common-linker-options-debug} {krb5-library-common-linker-options}
+krb5-library-linker-options-macos9-final = {common-linker-options-final} {krb5-library-common-linker-options}
+krb5-library-linker-options-carbon-debug = {common-linker-options-debug} {krb5-library-common-linker-options}
+krb5-library-linker-options-carbon-final = {common-linker-options-final} {krb5-library-common-linker-options}
+
+privatekrb5-library-common-linker-options = ¶
+ -cv {privatekrb5-library-current-version} ¶
+ -dv {privatekrb5-library-definition-version} ¶
+ -uv {privatekrb5-library-implementation-version}
+
+privatekrb5-library-linker-options-macos9-debug = {common-linker-options-debug} {privatekrb5-library-common-linker-options} -weaklib "DriverServicesLib"
+privatekrb5-library-linker-options-macos9-final = {common-linker-options-final} {privatekrb5-library-common-linker-options} -weaklib "DriverServicesLib"
+privatekrb5-library-linker-options-carbon-debug = {common-linker-options-debug} {privatekrb5-library-common-linker-options}
+privatekrb5-library-linker-options-carbon-final = {common-linker-options-final} {privatekrb5-library-common-linker-options}
profile-library-common-linker-options = ¶
-cv {profile-library-current-version} ¶
-dv {profile-library-definition-version} ¶
-uv {profile-library-implementation-version}
-profile-library-linker-options-ppc-debug = {common-linker-options-debug} {profile-library-common-linker-options}
-profile-library-linker-options-ppc-final = {common-linker-options-final} {profile-library-common-linker-options}
+profile-library-linker-options-macos9-debug = {common-linker-options-debug} {profile-library-common-linker-options}
+profile-library-linker-options-macos9-final = {common-linker-options-final} {profile-library-common-linker-options}
+profile-library-linker-options-carbon-debug = {common-linker-options-debug} {profile-library-common-linker-options}
+profile-library-linker-options-carbon-final = {common-linker-options-final} {profile-library-common-linker-options}
comerr-library-common-linker-options = ¶
-cv {comerr-library-current-version} ¶
-dv {comerr-library-definition-version} ¶
-uv {comerr-library-implementation-version}
-comerr-library-linker-options-ppc-debug = {common-linker-options-debug} {comerr-library-common-linker-options}
-comerr-library-linker-options-ppc-final = {common-linker-options-final} {comerr-library-common-linker-options}
-
-gss-library-objects-ppc-debug = `catenate {gss-objects-ppc-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:GSS.CFM{object-suffix-ppc-debug}
-gss-library-objects-ppc-final = `catenate {gss-objects-ppc-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:GSS.CFM{object-suffix-ppc-final}
-
-krb5-library-objects-ppc-debug = `catenate {krb5-objects-ppc-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:K5.CFM{object-suffix-ppc-debug}
-krb5-library-objects-ppc-final = `catenate {krb5-objects-ppc-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:K5.CFM{object-suffix-ppc-final}
-
-profile-library-objects-ppc-debug = `catenate {profile-objects-ppc-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:ProfileLib.CFM{object-suffix-ppc-debug}
-profile-library-objects-ppc-final = `catenate {profile-objects-ppc-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
- {root-folder}mac:ProfileLib.CFM{object-suffix-ppc-final}
-
-comerr-library-objects-ppc-debug = `catenate {comerr-objects-ppc-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
-comerr-library-objects-ppc-final = `catenate {comerr-objects-ppc-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
-
-library-linker-ppc = MWLinkPPC
+comerr-library-linker-options-macos9-debug = {common-linker-options-debug} {comerr-library-common-linker-options}
+comerr-library-linker-options-macos9-final = {common-linker-options-final} {comerr-library-common-linker-options}
+comerr-library-linker-options-carbon-debug = {common-linker-options-debug} {comerr-library-common-linker-options}
+comerr-library-linker-options-carbon-final = {common-linker-options-final} {comerr-library-common-linker-options}
+
+gss-library-objects-macos9-debug = `catenate {gss-objects-macos9-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:GSS.CFM{object-suffix-macos9-debug}
+gss-library-objects-macos9-final = `catenate {gss-objects-macos9-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:GSS.CFM{object-suffix-macos9-final}
+gss-library-objects-carbon-debug = `catenate {gss-objects-carbon-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:GSS.CFM{object-suffix-carbon-debug}
+gss-library-objects-carbon-final = `catenate {gss-objects-carbon-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:GSS.CFM{object-suffix-carbon-final}
+
+privatekrb5-library-objects-macos9-debug = `catenate {krb5-objects-macos9-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:K5.CFM{object-suffix-macos9-debug}
+privatekrb5-library-objects-macos9-final = `catenate {krb5-objects-macos9-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:K5.CFM{object-suffix-macos9-final}
+privatekrb5-library-objects-carbon-debug = `catenate {krb5-objects-carbon-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:K5.CFM{object-suffix-carbon-debug}
+privatekrb5-library-objects-carbon-final = `catenate {krb5-objects-carbon-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:K5.CFM{object-suffix-carbon-final}
+
+profile-library-objects-macos9-debug = `catenate {profile-objects-macos9-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:ProfileLib.CFM{object-suffix-macos9-debug}
+profile-library-objects-macos9-final = `catenate {profile-objects-macos9-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:ProfileLib.CFM{object-suffix-macos9-final}
+profile-library-objects-carbon-debug = `catenate {profile-objects-carbon-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:ProfileLib.CFM{object-suffix-carbon-debug}
+profile-library-objects-carbon-final = `catenate {profile-objects-carbon-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"` ¶
+ {root-folder}mac:ProfileLib.CFM{object-suffix-carbon-final}
+
+comerr-library-objects-macos9-debug = `catenate {comerr-objects-macos9-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
+comerr-library-objects-macos9-final = `catenate {comerr-objects-macos9-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
+comerr-library-objects-carbon-debug = `catenate {comerr-objects-carbon-debug-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
+comerr-library-objects-carbon-final = `catenate {comerr-objects-carbon-final-list} | StreamEdit -d -set prefix="{root-folder}" -e "/¥:(Å)¨2/ Print prefix¨2"`
+
+library-linker-macos9 = MWLinkPPC
+library-linker-carbon = MWLinkPPC
### Construct compiler options.
common-compiler-options = ¶
- -enum int -opt all -strings pool -mapcr ¶
- -mpw_pointers -warnings off -fatext -nosyspath -maxerrors 1000 ¶
+ -enum int -opt all -strings pool -mapcr -strings readonly ¶
+ -relax_pointers -warnings off -fatext -convertpaths -maxerrors 10 ¶
-align mac68k -opt off -toc_data on -fp_contract on ¶
-model farData
# Don't put the prefix file in these options because they are used to precompile the prefix file
-ppc-compiler-options = -tb on
+macos9-compiler-options = -tb on
+carbon-compiler-options = -tb on
debug-compiler-options = -sym on
final-compiler-options = -sym off
mitsupportlib-include-paths = ¶
+ -i {mitsupportlib-root-folder}MoreFilesLib:Headers: ¶
+ -i {mitsupportlib-root-folder}Common:Headers: ¶
+ -i {mitsupportlib-root-folder}CLib:Headers: ¶
-i {mitsupportlib-root-folder}SocketsLib:Headers: ¶
-i {mitsupportlib-root-folder}ErrorLib:Headers: ¶
-i {mitsupportlib-root-folder}UtilitiesLib:Headers:
-include-paths = `catenate {include-folders-list} | StreamEdit -d -set prefix="{root-folder}mac:" -e "/-i (Å)¨1/ Print '-i 'prefix¨1"` ¶
+include-paths = -i {root-folder}mac:libraries: ¶
+ `catenate {include-folders-list} | StreamEdit -d -set prefix="{root-folder}mac:" -e "/-i (Å)¨1/ Print '-i 'prefix¨1"` ¶
+ -I- ¶
-i {mitkerberoslib-root-folder}CCacheLib:Headers: ¶
+ -i {mitkerberoslib-root-folder}LoginLib:Headers: ¶
+ -i {mitkerberoslib-root-folder}PreferencesLib:Headers: ¶
+ -i {mitkerberoslib-root-folder}Kerberos5Lib:Headers: ¶
+ -i {mitkerberoslib-root-folder}GSSLib:Headers: ¶
+ -i {mitkerberoslib-root-folder}KerberosProfileLib:Headers: ¶
+ -i {mitkerberoslib-root-folder}ComErrLib:Headers: ¶
{mitsupportlib-include-paths}
-compiler-options-ppc-debug = {include-paths} {common-compiler-options} {ppc-compiler-options} ¶
- {debug-compiler-options} -prefix {precompiled-headers-ppc}
-compiler-options-ppc-final = {include-paths} {common-compiler-options} {ppc-compiler-options} ¶
- {final-compiler-options} -prefix {precompiled-headers-ppc}
-
-compiler-ppc = MWCPPC
+compiler-options-macos9-debug = {common-compiler-options} {include-paths} {macos9-compiler-options} ¶
+ {debug-compiler-options} -i {precompiled-headers-folder} -prefix KerberosHeaders.9
+compiler-options-macos9-final = {common-compiler-options} {include-paths} {macos9-compiler-options} ¶
+ {final-compiler-options} -i {precompiled-headers-folder} -prefix KerberosHeaders.9
+compiler-options-carbon-debug = {common-compiler-options} {include-paths} {carbon-compiler-options} ¶
+ {debug-compiler-options} -i {precompiled-headers-folder} -prefix KerberosHeaders.CB
+compiler-options-carbon-final = {common-compiler-options} {include-paths} {carbon-compiler-options} ¶
+ {final-compiler-options} -i {precompiled-headers-folder} -prefix KerberosHeaders.CB
+
+compiler-macos9 = MWCPPC
+compiler-carbon = MWCPPC
### Precompiled headers
precompiled-headers-folder = {root-folder}mac:libraries:
-precompiled-headers-ppc = {precompiled-headers-folder}KerberosHeaders.PPC
+precompiled-headers-macos9 = {precompiled-headers-folder}KerberosHeaders.9
+precompiled-headers-carbon = {precompiled-headers-folder}KerberosHeaders.CB
-precompiled-headers-source = {precompiled-headers-folder}KerberosHeaders.pch
+precompiled-headers-source-macos9 = {precompiled-headers-folder}KerberosHeaders.9.pch
+precompiled-headers-source-carbon = {precompiled-headers-folder}KerberosHeaders.CB.pch
-{precompiled-headers-ppc} Ä {precompiled-headers-source} {precompiled-headers-folder}KerberosHeaders.h
- {compiler-ppc} {precompiled-headers-source} {common-compiler-options} {ppc-compiler-options} ¶
- -precompile {Targ} -i {precompiled-headers-folder} {mitsupportlib-include-paths}
+{precompiled-headers-macos9} Ä {precompiled-headers-source-macos9} {precompiled-headers-folder}KerberosHeaders.h
+ {compiler-macos9} -convertpaths {precompiled-headers-source-macos9} {common-compiler-options} {macos9-compiler-options} ¶
+ -precompile {Targ} -i {precompiled-headers-folder} {include-paths} -i "{CWANSIIncludes}sys"
+{precompiled-headers-carbon} Ä {precompiled-headers-source-carbon} {precompiled-headers-folder}KerberosHeaders.h
+ {compiler-carbon} -convertpaths {precompiled-headers-source-carbon} {common-compiler-options} {carbon-compiler-options} ¶
+ -precompile {Targ} -i {precompiled-headers-folder} {include-paths} -i "{CWANSIIncludes}sys"
make-options-common = ¶
-f {makefile-name} ¶
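Review bot: The rewritten `common-compiler-options` line keeps `-warnings off` and swaps `-mpw_pointers` for `-relax_pointers`, which appears to loosen pointer type checking, so mismatched pointer types in the Kerberos and GSS sources compile without any diagnostic. For libraries that parse network input I would build with diagnostics enabled, e.g. `-relax_pointers -warnings on -fatext -convertpaths -maxerrors 10 ¶`, and fix or individually silence what is reported; `-maxerrors 10` also hides most of the list on a first pass. Separately, the four `compiler-options-*` definitions hard-code `-prefix KerberosHeaders.9` and `-prefix KerberosHeaders.CB` although `precompiled-headers-macos9` and `precompiled-headers-carbon` are defined a few lines below, so a rename would have to be made in two places. A short comment above `include-paths` explaining why `-I-` sits between the project folders and the library headers would help the next maintainer.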
@@ -551,88 +821,190 @@ make-options-common = ¶
-d gss-library-output-folder="{gss-library-output-folder}" ¶
-d gss-library-name="{gss-library-name}" ¶
-d gss-library-export="{gss-library-export}" ¶
- -d gss-library-fragment-name={gss-library-fragment-name} ¶
-d gss-library-main="{gss-library-main}" ¶
-d gss-library-init="{gss-library-init}" ¶
-d gss-library-term="{gss-library-term}" ¶
-d krb5-library-output-folder="{krb5-library-output-folder}" ¶
-d krb5-library-name="{krb5-library-name}" ¶
-d krb5-library-export="{krb5-library-export}" ¶
- -d krb5-library-fragment-name={krb5-library-fragment-name} ¶
-d krb5-library-main="{krb5-library-main}" ¶
-d krb5-library-init="{krb5-library-init}" ¶
-d krb5-library-term="{krb5-library-term}" ¶
+ -d privatekrb5-library-output-folder="{privatekrb5-library-output-folder}" ¶
+ -d privatekrb5-library-name="{privatekrb5-library-name}" ¶
+ -d privatekrb5-library-export="{privatekrb5-library-export}" ¶
+ -d privatekrb5-library-main="{privatekrb5-library-main}" ¶
+ -d privatekrb5-library-init="{privatekrb5-library-init}" ¶
+ -d privatekrb5-library-term="{privatekrb5-library-term}" ¶
-d profile-library-output-folder="{profile-library-output-folder}" ¶
-d profile-library-name="{profile-library-name}" ¶
-d profile-library-export="{profile-library-export}" ¶
- -d profile-library-fragment-name={profile-library-fragment-name} ¶
-d profile-library-main="{profile-library-main}" ¶
-d profile-library-init="{profile-library-init}" ¶
-d profile-library-term="{profile-library-term}" ¶
-d comerr-library-output-folder="{comerr-library-output-folder}" ¶
-d comerr-library-name="{comerr-library-name}" ¶
-d comerr-library-export="{comerr-library-export}" ¶
- -d comerr-library-fragment-name={comerr-library-fragment-name} ¶
-d comerr-library-main="{comerr-library-main}" ¶
-d comerr-library-init="{comerr-library-init}" ¶
-d comerr-library-term="{comerr-library-term}"
-make-options-ppc-debug = ¶
- -d library-linker="{library-linker-ppc}" ¶
- -d library-platform="{library-platform-ppc}" ¶
+make-options-macos9-debug = ¶
+ -d library-linker="{library-linker-macos9}" ¶
+ -d library-platform="{library-target-macos9}" ¶
+ -d library-kind="{library-kind-debug}" ¶
+ -d fragment-kind={fragment-name-macos9}{fragment-name-debug-macos9} ¶
+ -d gss-library-fragment-name={gss-library-fragment-name} ¶
+ -d krb5-library-fragment-name={krb5-library-fragment-name} ¶
+ -d privatekrb5-library-fragment-name={privatekrb5-library-fragment-name} ¶
+ -d profile-library-fragment-name={profile-library-fragment-name} ¶
+ -d comerr-library-fragment-name={comerr-library-fragment-name} ¶
+ -d gss-library-libraries="{gss-library-libraries-macos9-debug}" ¶
+ -d gss-library-objects="{gss-library-objects-macos9-debug}" ¶
+ -d gss-library-linker-options="{gss-library-linker-options-macos9-debug}" ¶
+ -d krb5-library-libraries="{krb5-library-libraries-macos9-debug}" ¶
+ -d krb5-library-objects="{krb5-library-objects-macos9-debug}" ¶
+ -d krb5-library-linker-options="{krb5-library-linker-options-macos9-debug}" ¶
+ -d privatekrb5-library-libraries="{privatekrb5-library-libraries-macos9-debug}" ¶
+ -d privatekrb5-library-objects="{privatekrb5-library-objects-macos9-debug}" ¶
+ -d privatekrb5-library-linker-options="{privatekrb5-library-linker-options-macos9-debug}" ¶
+ -d profile-library-libraries="{profile-library-libraries-macos9-debug}" ¶
+ -d profile-library-objects="{profile-library-objects-macos9-debug}" ¶
+ -d profile-library-linker-options="{profile-library-linker-options-macos9-debug}" ¶
+ -d comerr-library-libraries="{comerr-library-libraries-macos9-debug}" ¶
+ -d comerr-library-objects="{comerr-library-objects-macos9-debug}" ¶
+ -d comerr-library-linker-options="{comerr-library-linker-options-macos9-debug}" ¶
+ -d object-suffix="{object-suffix-macos9-debug}" ¶
+ -d object-suffix-data="{object-suffix-macos9-data}" ¶
+ -d compiler-options="{compiler-options-macos9-debug}" ¶
+ -d compiler="{compiler-macos9}" ¶
+ -d precompiled-headers="{precompiled-headers-macos9}"
+
+make-options-macos9-final = ¶
+ -d library-linker="{library-linker-macos9}" ¶
+ -d library-platform="{library-target-macos9}" ¶
+ -d library-kind="{library-kind-final}" ¶
+ -d fragment-kind={fragment-name-macos9}{fragment-name-final-macos9} ¶
+ -d gss-library-fragment-name={gss-library-fragment-name} ¶
+ -d krb5-library-fragment-name={krb5-library-fragment-name} ¶
+ -d privatekrb5-library-fragment-name={privatekrb5-library-fragment-name} ¶
+ -d profile-library-fragment-name={profile-library-fragment-name} ¶
+ -d comerr-library-fragment-name={comerr-library-fragment-name} ¶
+ -d gss-library-libraries="{gss-library-libraries-macos9-final}" ¶
+ -d gss-library-objects="{gss-library-objects-macos9-final}" ¶
+ -d gss-library-linker-options="{gss-library-linker-options-macos9-final}" ¶
+ -d krb5-library-libraries="{krb5-library-libraries-macos9-final}" ¶
+ -d krb5-library-objects="{krb5-library-objects-macos9-final}" ¶
+ -d krb5-library-linker-options="{krb5-library-linker-options-macos9-final}" ¶
+ -d privatekrb5-library-libraries="{privatekrb5-library-libraries-macos9-final}" ¶
+ -d privatekrb5-library-objects="{privatekrb5-library-objects-macos9-final}" ¶
+ -d privatekrb5-library-linker-options="{privatekrb5-library-linker-options-macos9-final}" ¶
+ -d profile-library-libraries="{profile-library-libraries-macos9-final}" ¶
+ -d profile-library-objects="{profile-library-objects-macos9-final}" ¶
+ -d profile-library-linker-options="{profile-library-linker-options-macos9-final}" ¶
+ -d comerr-library-libraries="{comerr-library-libraries-macos9-final}" ¶
+ -d comerr-library-objects="{comerr-library-objects-macos9-final}" ¶
+ -d comerr-library-linker-options="{comerr-library-linker-options-macos9-final}" ¶
+ -d object-suffix="{object-suffix-macos9-final}" ¶
+ -d object-suffix-data="{object-suffix-macos9-data}" ¶
+ -d compiler-options="{compiler-options-macos9-final}" ¶
+ -d compiler="{compiler-macos9}" ¶
+ -d precompiled-headers="{precompiled-headers-macos9}"
+
+make-options-carbon-debug = ¶
+ -d library-linker="{library-linker-carbon}" ¶
+ -d library-platform="{library-target-carbon}" ¶
-d library-kind="{library-kind-debug}" ¶
- -d gss-library-libraries="{gss-library-libraries-ppc-debug}" ¶
- -d gss-library-objects="{gss-library-objects-ppc-debug}" ¶
- -d gss-library-linker-options="{gss-library-linker-options-ppc-debug}" ¶
- -d krb5-library-libraries="{krb5-library-libraries-ppc-debug}" ¶
- -d krb5-library-objects="{krb5-library-objects-ppc-debug}" ¶
- -d krb5-library-linker-options="{krb5-library-linker-options-ppc-debug}" ¶
- -d profile-library-libraries="{profile-library-libraries-ppc-debug}" ¶
- -d profile-library-objects="{profile-library-objects-ppc-debug}" ¶
- -d profile-library-linker-options="{profile-library-linker-options-ppc-debug}" ¶
- -d comerr-library-libraries="{comerr-library-libraries-ppc-debug}" ¶
- -d comerr-library-objects="{comerr-library-objects-ppc-debug}" ¶
- -d comerr-library-linker-options="{comerr-library-linker-options-ppc-debug}" ¶
- -d object-suffix="{object-suffix-ppc-debug}" ¶
- -d object-suffix-data="{object-suffix-ppc-data}" ¶
- -d compiler-options="{compiler-options-ppc-debug}" ¶
- -d compiler="{compiler-ppc}" ¶
- -d precompiled-headers="{precompiled-headers-ppc}"
+ -d fragment-kind={fragment-name-carbon}{fragment-name-debug-carbon} ¶
+ -d gss-library-fragment-name={gss-library-fragment-name-carbon} ¶
+ -d krb5-library-fragment-name={krb5-library-fragment-name-carbon} ¶
+ -d privatekrb5-library-fragment-name={privatekrb5-library-fragment-name-carbon} ¶
+ -d profile-library-fragment-name={profile-library-fragment-name-carbon} ¶
+ -d comerr-library-fragment-name={comerr-library-fragment-name-carbon} ¶
+ -d gss-library-libraries="{gss-library-libraries-carbon-debug}" ¶
+ -d gss-library-objects="{gss-library-objects-carbon-debug}" ¶
+ -d gss-library-linker-options="{gss-library-linker-options-carbon-debug}" ¶
+ -d krb5-library-libraries="{krb5-library-libraries-carbon-debug}" ¶
+ -d krb5-library-objects="{krb5-library-objects-carbon-debug}" ¶
+ -d krb5-library-linker-options="{krb5-library-linker-options-carbon-debug}" ¶
+ -d privatekrb5-library-libraries="{privatekrb5-library-libraries-carbon-debug}" ¶
+ -d privatekrb5-library-objects="{privatekrb5-library-objects-carbon-debug}" ¶
+ -d privatekrb5-library-linker-options="{privatekrb5-library-linker-options-carbon-debug}" ¶
+ -d profile-library-libraries="{profile-library-libraries-carbon-debug}" ¶
+ -d profile-library-objects="{profile-library-objects-carbon-debug}" ¶
+ -d profile-library-linker-options="{profile-library-linker-options-carbon-debug}" ¶
+ -d comerr-library-libraries="{comerr-library-libraries-carbon-debug}" ¶
+ -d comerr-library-objects="{comerr-library-objects-carbon-debug}" ¶
+ -d comerr-library-linker-options="{comerr-library-linker-options-carbon-debug}" ¶
+ -d object-suffix="{object-suffix-carbon-debug}" ¶
+ -d object-suffix-data="{object-suffix-carbon-data}" ¶
+ -d compiler-options="{compiler-options-carbon-debug}" ¶
+ -d compiler="{compiler-carbon}" ¶
+ -d precompiled-headers="{precompiled-headers-carbon}"
-make-options-ppc-final = ¶
- -d library-linker="{library-linker-ppc}" ¶
- -d library-platform="{library-platform-ppc}" ¶
+make-options-carbon-final = ¶
+ -d library-linker="{library-linker-carbon}" ¶
+ -d library-platform="{library-target-carbon}" ¶
-d library-kind="{library-kind-final}" ¶
- -d gss-library-libraries="{gss-library-libraries-ppc-final}" ¶
- -d gss-library-objects="{gss-library-objects-ppc-final}" ¶
- -d gss-library-linker-options="{gss-library-linker-options-ppc-final}" ¶
- -d krb5-library-libraries="{krb5-library-libraries-ppc-final}" ¶
- -d krb5-library-objects="{krb5-library-objects-ppc-final}" ¶
- -d krb5-library-linker-options="{krb5-library-linker-options-ppc-final}" ¶
- -d profile-library-libraries="{profile-library-libraries-ppc-final}" ¶
- -d profile-library-objects="{profile-library-objects-ppc-final}" ¶
- -d profile-library-linker-options="{profile-library-linker-options-ppc-final}" ¶
- -d comerr-library-libraries="{comerr-library-libraries-ppc-final}" ¶
- -d comerr-library-objects="{comerr-library-objects-ppc-final}" ¶
- -d comerr-library-linker-options="{comerr-library-linker-options-ppc-final}" ¶
- -d object-suffix="{object-suffix-ppc-final}" ¶
- -d object-suffix-data="{object-suffix-ppc-data}" ¶
- -d compiler-options="{compiler-options-ppc-final}" ¶
- -d compiler="{compiler-ppc}" ¶
- -d precompiled-headers="{precompiled-headers-ppc}"
+ -d fragment-kind={fragment-name-carbon}{fragment-name-final-carbon} ¶
+ -d gss-library-fragment-name={gss-library-fragment-name-carbon} ¶
+ -d krb5-library-fragment-name={krb5-library-fragment-name-carbon} ¶
+ -d privatekrb5-library-fragment-name={privatekrb5-library-fragment-name-carbon} ¶
+ -d profile-library-fragment-name={profile-library-fragment-name-carbon} ¶
+ -d comerr-library-fragment-name={comerr-library-fragment-name-carbon} ¶
+ -d gss-library-libraries="{gss-library-libraries-carbon-final}" ¶
+ -d gss-library-objects="{gss-library-objects-carbon-final}" ¶
+ -d gss-library-linker-options="{gss-library-linker-options-carbon-final}" ¶
+ -d krb5-library-libraries="{krb5-library-libraries-carbon-final}" ¶
+ -d krb5-library-objects="{krb5-library-objects-carbon-final}" ¶
+ -d krb5-library-linker-options="{krb5-library-linker-options-carbon-final}" ¶
+ -d privatekrb5-library-libraries="{privatekrb5-library-libraries-carbon-final}" ¶
+ -d privatekrb5-library-objects="{privatekrb5-library-objects-carbon-final}" ¶
+ -d privatekrb5-library-linker-options="{privatekrb5-library-linker-options-carbon-final}" ¶
+ -d profile-library-libraries="{profile-library-libraries-carbon-final}" ¶
+ -d profile-library-objects="{profile-library-objects-carbon-final}" ¶
+ -d profile-library-linker-options="{profile-library-linker-options-carbon-final}" ¶
+ -d comerr-library-libraries="{comerr-library-libraries-carbon-final}" ¶
+ -d comerr-library-objects="{comerr-library-objects-carbon-final}" ¶
+ -d comerr-library-linker-options="{comerr-library-linker-options-carbon-final}" ¶
+ -d object-suffix="{object-suffix-carbon-final}" ¶
+ -d object-suffix-data="{object-suffix-carbon-data}" ¶
+ -d compiler-options="{compiler-options-carbon-final}" ¶
+ -d compiler="{compiler-carbon}" ¶
+ -d precompiled-headers="{precompiled-headers-carbon}"
make-output = "{TempFolder}GSS/Kerberos Makefile script"
-submakefile-target = gss-library
+submakefile-gss-target = gss-library
+submakefile-krb5-target = krb5-library
-ppc-debug Ä glue headers documentation {makefile-name} {gss-objects-ppc-debug-list} {krb5-objects-ppc-debug-list} ¶
- {profile-objects-ppc-debug-list} {comerr-objects-ppc-debug-list} {include-folders-list}
- Make {make-options-common} {make-options-ppc-debug} {submakefile-target} > {make-output}
+macos9-debug-build Ä glue headers documentation {makefile-dependency} {gss-objects-macos9-debug-list} {krb5-objects-macos9-debug-list} ¶
+ {profile-objects-macos9-debug-list} {comerr-objects-macos9-debug-list} {include-folders-list}
+ Make {make-options-common} {make-options-macos9-debug} {submakefile-gss-target} > {make-output}
+ {make-output}
+ Make {make-options-common} {make-options-macos9-debug} {submakefile-krb5-target} > {make-output}
+ {make-output}
+
+macos9-final-build Ä glue headers documentation {makefile-dependency} {gss-objects-macos9-final-list} {krb5-objects-macos9-final-list} ¶
+ {profile-objects-macos9-final-list} {comerr-objects-macos9-final-list} {include-folders-list}
+ Make {make-options-common} {make-options-macos9-final} {submakefile-gss-target} > {make-output}
+ {make-output}
+ Make {make-options-common} {make-options-macos9-final} {submakefile-krb5-target} > {make-output}
{make-output}
-ppc-final Ä glue headers documentation {makefile-name} {gss-objects-ppc-final-list} {krb5-objects-ppc-final-list} ¶
- {profile-objects-ppc-final-list} {comerr-objects-ppc-final-list} {include-folders-list}
- Make {make-options-common} {make-options-ppc-final} {submakefile-target} > {make-output}
+carbon-debug-build Ä glue headers documentation {makefile-dependency} {gss-objects-carbon-debug-list} {krb5-objects-carbon-debug-list} ¶
+ {profile-objects-carbon-debug-list} {comerr-objects-carbon-debug-list} {include-folders-list}
+ Make {make-options-common} {make-options-carbon-debug} {submakefile-gss-target} > {make-output}
{make-output}
+ Make {make-options-common} {make-options-carbon-debug} {submakefile-krb5-target} > {make-output}
+ {make-output}
+
+carbon-final-build Ä glue headers documentation {makefile-dependency} {gss-objects-carbon-final-list} {krb5-objects-carbon-final-list} ¶
+ {profile-objects-carbon-final-list} {comerr-objects-carbon-final-list} {include-folders-list}
+ Make {make-options-common} {make-options-carbon-final} {submakefile-gss-target} > {make-output}
+ {make-output}
+ Make {make-options-common} {make-options-carbon-final} {submakefile-krb5-target} > {make-output}
+ {make-output}
+
##############################################################################################################
### Variable targets -- these depend on which target we select in the above make invocations
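Review bot: The four `*-build` rules run Make only for `{submakefile-gss-target}` and `{submakefile-krb5-target}`, although this hunk threads a full set of `privatekrb5-library-*` options through every `make-options-*` block. Unless the PrivateKrb5 output is reached through one of the `*-library-libraries` lists (not visible here), these targets never link that library. A `submakefile-privatekrb5-target = privatekrb5-library` variable with a matching Make line in each rule would make the intent explicit. Separately, the `-d fragment-kind=` and `-d *-fragment-name=` definitions are the only unquoted `-d` values in these blocks; quoting them like their neighbours would keep a name containing a space from splitting the argument.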
@@ -660,6 +1032,17 @@ ppc-final Ä glue headers documentation {makefile-name} {gss-objects-ppc-final-l
### krb5-library-init -- name of Krb5 library initialization routine
### krb5-library-term -- name of Krb5 library termination routine
### krb5-library-linker-options -- all other Krb5 library linker options
+### For PrivateKrb5 library
+### privatekrb5-library-output-folder -- destination of PrivateKrb5 library output
+### privatekrb5-library-name -- name of the PrivateKrb5 library
+### privatekrb5-library-export -- name of PrivateKrb5 library export file
+### privatekrb5-library-libraries -- list of libraries PrivateKrb5 library links against
+### privatekrb5-library-objects -- list of object files PrivateKrb5 library links
+### privatekrb5-library-fragment-name -- name of PrivateKrb5 library fragment
+### privatekrb5-library-main -- name of PrivateKrb5 library main entry point
+### privatekrb5-library-init -- name of PrivateKrb5 library initialization routine
+### privatekrb5-library-term -- name of PrivateKrb5 library termination routine
+### privatekrb5-library-linker-options -- all other PrivateKrb5 library linker options
### For profile library
### profile-library-output-folder -- destination of profile library output
### profile-library-name -- name of the profile library
@@ -685,8 +1068,9 @@ ppc-final Ä glue headers documentation {makefile-name} {gss-objects-ppc-final-l
### General
### library-linker -- linker to use
### autogenerated-files -- list of autogenerated files
-### library-platform -- platform name (68K or PPC)
-### library-kind -- library kind (".debug" or "")
+### library-platform -- platform name (69K or PPC)
+### library-kind -- library kind ("d" or "")
+### fragment-kind -- fragment kind (Carbon, debug, etc)
### script to create a folder if it does not exist
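Review bot: The rewritten comment for `library-platform` reads `(69K or PPC)`, which looks like a typo for 68K. It also no longer matches what this commit passes, since the `make-options-*` blocks now set it from `{library-target-macos9}` and `{library-target-carbon}`. Something like `### library-platform -- platform name (from library-target-macos9 / library-target-carbon)` would describe the current values.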
@@ -697,12 +1081,16 @@ create-folder = {root-folder}mac:create-folder.mpw
library-linker =
library-platform =
library-kind =
+fragment-kind =
gss-library-libraries =
gss-library-objects =
gss-library-linker-options =
krb5-library-libraries =
krb5-library-objects =
krb5-library-linker-options =
+privatekrb5-library-libraries =
+privatekrb5-library-objects =
+privatekrb5-library-linker-options =
precompiled-headers =
object-suffix = .ignore.me
object-suffix-data = .ignore.me.too
@@ -717,10 +1105,10 @@ comerr-library-linker-options =
gss-library-output-files = ¶
{gss-library-output-folder}{gss-library-name}{library-platform}{library-kind}
gss-library-dependencies = ¶
- {autogenerated-files} {gss-library-export} {gss-library-libraries} {gss-library-objects}
+ headers {autogenerated-files} {gss-library-export} {gss-library-libraries} {gss-library-objects}
gss-library-build-command = ¶
{library-linker} ¶
- -name "{gss-library-fragment-name}{library-kind}" ¶
+ -name "{gss-library-fragment-name}{fragment-kind}" ¶
-main {gss-library-main} ¶
-init {gss-library-init} ¶
-term {gss-library-term} ¶
@@ -733,10 +1121,10 @@ gss-library-build-command = ¶
krb5-library-output-files = ¶
{krb5-library-output-folder}{krb5-library-name}{library-platform}{library-kind}
krb5-library-dependencies = ¶
- {autogenerated-files} {krb5-library-export} {krb5-library-libraries} {krb5-library-objects}
+ headers {autogenerated-files} {krb5-library-export} {krb5-library-libraries} {krb5-library-objects}
krb5-library-build-command = ¶
{library-linker} ¶
- -name "{krb5-library-fragment-name}{library-kind}" ¶
+ -name "{krb5-library-fragment-name}{fragment-kind}" ¶
-main {krb5-library-main} ¶
-init {krb5-library-init} ¶
-term {krb5-library-term} ¶
@@ -746,13 +1134,30 @@ krb5-library-build-command = ¶
{krb5-library-linker-options} ¶
{krb5-library-objects} {krb5-library-libraries}
+privatekrb5-library-output-files = ¶
+ {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-platform}{library-kind}
+privatekrb5-library-dependencies = ¶
+ headers {autogenerated-files} {privatekrb5-library-export} {privatekrb5-library-libraries} {privatekrb5-library-objects}
+privatekrb5-library-build-command = ¶
+ {library-linker} ¶
+ -name "{privatekrb5-library-fragment-name}{fragment-kind}" ¶
+ -main {privatekrb5-library-main} ¶
+ -init {privatekrb5-library-init} ¶
+ -term {privatekrb5-library-term} ¶
+ -@export {privatekrb5-library-export} ¶
+ -@export {krb5-library-export} ¶
+ -map {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-platform}{library-kind}.MAP ¶
+ -o {privatekrb5-library-output-folder}{privatekrb5-library-name}{library-platform}{library-kind} ¶
+ {privatekrb5-library-linker-options} ¶
+ {privatekrb5-library-objects} {privatekrb5-library-libraries}
+
profile-library-output-files = ¶
{profile-library-output-folder}{profile-library-name}{library-platform}{library-kind}
profile-library-dependencies = ¶
- {autogenerated-files} {profile-library-export} {profile-library-libraries} {profile-library-objects}
+ headers {autogenerated-files} {profile-library-export} {profile-library-libraries} {profile-library-objects}
profile-library-build-command = ¶
{library-linker} ¶
- -name "{profile-library-fragment-name}{library-kind}" ¶
+ -name "{profile-library-fragment-name}{fragment-kind}" ¶
-main {profile-library-main} ¶
-init {profile-library-init} ¶
-term {profile-library-term} ¶
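Review bot: `privatekrb5-library-build-command` passes two `-@export` files, its own and `{krb5-library-export}`, but nothing says that the private library re-exports the public Krb5 symbol list alongside the internal one. If that is the intent, a comment above the definition such as `### PrivateKrb5 exports the public Krb5 list plus the private list; intended for in-tree clients only` would record it. The variable-target comment block added earlier in this diff names a single export file for this library, so the two descriptions currently disagree.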
@@ -765,10 +1170,10 @@ profile-library-build-command = ¶
comerr-library-output-files = ¶
{comerr-library-output-folder}{comerr-library-name}{library-platform}{library-kind}
comerr-library-dependencies = ¶
- {autogenerated-files} {comerr-library-export} {comerr-library-libraries} {comerr-library-objects}
+ headers {autogenerated-files} {comerr-library-export} {comerr-library-libraries} {comerr-library-objects}
comerr-library-build-command = ¶
{library-linker} ¶
- -name "{comerr-library-fragment-name}{library-kind}" ¶
+ -name "{comerr-library-fragment-name}{fragment-kind}" ¶
-main {comerr-library-main} ¶
-init {comerr-library-init} ¶
-term {comerr-library-term} ¶
@@ -782,22 +1187,27 @@ comerr-library-build-command = ¶
gss-library Ä {gss-library-output-files}
krb5-library Ä {krb5-library-output-files}
+privatekrb5-library Ä {privatekrb5-library-output-files}
profile-library Ä {profile-library-output-files}
comerr-library Ä {comerr-library-output-files}
-{gss-library-output-files} ÄÄ {gss-library-dependencies} {makefile-name}
+{gss-library-output-files} ÄÄ {gss-library-dependencies} {makefile-dependency}
{create-folder} {gss-library-output-folder}
{gss-library-build-command}
-{krb5-library-output-files} ÄÄ {krb5-library-dependencies} {makefile-name}
+{krb5-library-output-files} ÄÄ {krb5-library-dependencies} {makefile-dependency}
{create-folder} {krb5-library-output-folder}
{krb5-library-build-command}
-{profile-library-output-files} ÄÄ {profile-library-dependencies} {makefile-name}
+{privatekrb5-library-output-files} ÄÄ {privatekrb5-library-dependencies} {makefile-dependency}
+ {create-folder} {privatekrb5-library-output-folder}
+ {privatekrb5-library-build-command}
+
+{profile-library-output-files} ÄÄ {profile-library-dependencies} {makefile-dependency}
{create-folder} {profile-library-output-folder}
{profile-library-build-command}
-{comerr-library-output-files} ÄÄ {comerr-library-dependencies} {makefile-name}
+{comerr-library-output-files} ÄÄ {comerr-library-dependencies} {makefile-dependency}
{create-folder} {comerr-library-output-folder}
{comerr-library-build-command}
@@ -805,13 +1215,13 @@ comerr-library Ä {comerr-library-output-files}
### Default compilation rules
##############################################################################################################
-{object-suffix} Ä .c {autogenerated-files} {makefile-name} {precompiled-headers}
+{object-suffix} Ä .c {autogenerated-files} {makefile-dependency} {precompiled-headers}
echo {DepDir}{Default}{object-suffix}
- {compiler} {DepDir}{Default}.c -o {DepDir}{Default}{object-suffix} {compiler-options}
+ {compiler} {DepDir}{Default}.c -o {DepDir}{Default}{object-suffix} {compiler-options} -i "{CWANSIIncludes}sys"
-{object-suffix-data} Ä .c {autogenerated-files} {makefile-name} {precompiled-headers}
+{object-suffix-data} Ä .c {autogenerated-files} {makefile-dependency} {precompiled-headers}
echo {DepDir}{Default}{object-suffix-data}
- {compiler} {DepDir}{Default}.c -o {DepDir}{Default}{object-suffix-data} {compiler-options}
+ {compiler} {DepDir}{Default}.c -o {DepDir}{Default}{object-suffix-data} {compiler-options} -i "{CWANSIIncludes}sys"
##############################################################################################################
### Autogenerating classic 68K glue files
@@ -823,10 +1233,10 @@ krb5-library-glue-output-folder = {root-folder}:Kerberos5Lib:ClassicGlue:
profile-library-glue-output-folder = {root-folder}:KerberosProfileLib:ClassicGlue:
comerr-library-glue-output-folder = {root-folder}:ComErrLib:ClassicGlue:
-gss-library-glue-output = {gss-library-glue-output-folder}GSSLib.glue.c
-krb5-library-glue-output = {krb5-library-glue-output-folder}Kerberos5Lib.glue.c
-profile-library-glue-output = {profile-library-glue-output-folder}KrbProfileLib.glue.c
-comerr-library-glue-output = {comerr-library-glue-output-folder}ComErrLib.glue.c
+gss-library-glue-output = {gss-library-glue-output-folder}GSSLib.glue.c {gss-library-glue-output-folder}GSSLib.glue.h
+krb5-library-glue-output = {krb5-library-glue-output-folder}Kerberos5Lib.glue.c {krb5-library-glue-output-folder}Kerberos5Lib.glue.h
+profile-library-glue-output = {profile-library-glue-output-folder}KrbProfileLib.glue.c {profile-library-glue-output-folder}KrbProfileLib.glue.h
+comerr-library-glue-output = {comerr-library-glue-output-folder}ComErrLib.glue.c {comerr-library-glue-output-folder}ComErrLib.glue.h
classic-glue-output = ¶
{gss-library-glue-output} ¶
@@ -842,32 +1252,36 @@ glue-profile Ä {profile-library-glue-output}
glue-comerr Ä {comerr-library-glue-output}
{krb5-library-glue-output} Ä {root-folder}mac:K5.CFMglue.cin {root-folder}mac:K5.CFMglue.proto.h ¶
- {root-folder}mac:CFMglue.c {root-folder}mac:K5.moreCFMglue.cin {classic-glue-generation-script}
+ {root-folder}mac:CFMglue.c {root-folder}mac:GSSLib.glue.h {root-folder}mac:K5.moreCFMglue.cin {classic-glue-generation-script}
{create-folder} {krb5-library-glue-output-folder}
perl {classic-glue-generation-script} < {root-folder}mac:K5.CFMglue.proto.h > {root-folder}mac:K5.CFMglue.c
Catenate {root-folder}mac:K5.CFMglue.cin {root-folder}mac:CFMglue.c {root-folder}mac:K5.CFMglue.c ¶
- {root-folder}mac:K5.moreCFMglue.cin | Catenate > {krb5-library-glue-output}
+ {root-folder}mac:K5.moreCFMglue.cin | Catenate > {krb5-library-glue-output-folder}Kerberos5Lib.glue.c
+ Duplicate -y {root-folder}mac:Kerberos5Lib.glue.h {krb5-library-glue-output-folder}Kerberos5Lib.glue.h
{gss-library-glue-output} Ä {root-folder}mac:GSS.CFMglue.cin {root-folder}mac:GSS.CFMglue.proto.h ¶
- {root-folder}mac:CFMglue.c {root-folder}mac:GSS.moreCFMglue.cin {classic-glue-generation-script}
+ {root-folder}mac:CFMglue.c {root-folder}mac:Kerberos5Lib.glue.h {root-folder}mac:GSS.moreCFMglue.cin {classic-glue-generation-script}
{create-folder} {gss-library-glue-output-folder}
perl {classic-glue-generation-script} < {root-folder}mac:GSS.CFMglue.proto.h > {root-folder}mac:GSS.CFMglue.c
Catenate {root-folder}mac:GSS.CFMglue.cin {root-folder}mac:CFMglue.c {root-folder}mac:GSS.CFMglue.c ¶
- {root-folder}mac:GSS.moreCFMglue.cin | Catenate > {gss-library-glue-output}
+ {root-folder}mac:GSS.moreCFMglue.cin | Catenate > {gss-library-glue-output-folder}GSSLib.glue.c
+ Duplicate -y {root-folder}mac:GSSLib.glue.h {gss-library-glue-output-folder}GSSLib.glue.h
{profile-library-glue-output} Ä {root-folder}mac:KrbProfileLib.glue.pre.cin {root-folder}mac:KrbProfileLib.glue.proto.h ¶
- {root-folder}mac:CFMglue.c {root-folder}mac:KrbProfileLib.glue.post.cin {classic-glue-generation-script}
+ {root-folder}mac:CFMglue.c {root-folder}mac:KrbProfileLib.glue.h {root-folder}mac:KrbProfileLib.glue.post.cin {classic-glue-generation-script}
{create-folder} {profile-library-glue-output-folder}
perl {classic-glue-generation-script} < {root-folder}mac:KrbProfileLib.glue.proto.h > {root-folder}mac:KrbProfileLib.CFMglue.c
Catenate {root-folder}mac:KrbProfileLib.glue.pre.cin {root-folder}mac:CFMglue.c {root-folder}mac:KrbProfileLib.CFMglue.c ¶
- {root-folder}mac:KrbProfileLib.glue.post.cin | Catenate > {profile-library-glue-output}
+ {root-folder}mac:KrbProfileLib.glue.post.cin | Catenate > {profile-library-glue-output-folder}KrbProfileLib.glue.c
+ Duplicate -y {root-folder}mac:KrbProfileLib.glue.h {profile-library-glue-output-folder}KrbProfileLib.glue.h
{comerr-library-glue-output} Ä {root-folder}mac:ComErrLib.glue.pre.cin {root-folder}mac:ComErrLib.glue.proto.h ¶
- {root-folder}mac:CFMglue.c {root-folder}mac:ComErrLib.glue.post.cin {classic-glue-generation-script}
+ {root-folder}mac:CFMglue.c {root-folder}mac:ComErrLib.glue.h {root-folder}mac:ComErrLib.glue.post.cin {classic-glue-generation-script}
{create-folder} {comerr-library-glue-output-folder}
perl {classic-glue-generation-script} < {root-folder}mac:ComErrLib.glue.proto.h > {root-folder}mac:ComErrLib.CFMglue.c
Catenate {root-folder}mac:ComErrLib.glue.pre.cin {root-folder}mac:CFMglue.c {root-folder}mac:ComErrLib.CFMglue.c ¶
- {root-folder}mac:ComErrLib.glue.post.cin | Catenate > {comerr-library-glue-output}
+ {root-folder}mac:ComErrLib.glue.post.cin | Catenate > {comerr-library-glue-output-folder}ComErrLib.glue.c
+ Duplicate -y {root-folder}mac:ComErrLib.glue.h {comerr-library-glue-output-folder}ComErrLib.glue.h
##############################################################################################################
### Clean target deletes all generated files
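Review bot: The new glue-header prerequisites look swapped between the first two rules in this hunk. The `{krb5-library-glue-output}` rule depends on `{root-folder}mac:GSSLib.glue.h` but its recipe duplicates `Kerberos5Lib.glue.h`, while the `{gss-library-glue-output}` rule depends on `{root-folder}mac:Kerberos5Lib.glue.h` but duplicates `GSSLib.glue.h`. As written, editing either header does not refresh the glue output that copies it. Each rule should list the header its own `Duplicate -y` line reads, as the profile and comerr rules below already do.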
@@ -875,40 +1289,56 @@ glue-comerr Ä {comerr-library-glue-output}
clean Ä
# Need a dummy invalid name at the end to cover the case when nothing is found
- Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-ppc-debug}/ Print"` supercalifragilisticexpialidoucious
- Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-ppc-final}/ Print"` supercalifragilisticexpialidoucious
- Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-ppc-data}/ Print"` supercalifragilisticexpialidoucious
- Delete -i {all-lists}
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-macos9-debug}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-macos9-final}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-macos9-data}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-carbon-debug}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-carbon-final}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i `files -r -s -o -f "{root-folder}" | StreamEdit -d -e "/Å{object-suffix-carbon-data}/ Print"` supercalifragilisticexpialidoucious
+ Delete -i {all-lists} {autogenerated-files}
##############################################################################################################
### Copying headers around
##############################################################################################################
-gss-headers-output-folder = {root-folder}:GSSLib:Headers:
-krb5-headers-output-folder = {root-folder}:Kerberos5Lib:Headers:
-comerr-headers-output-folder = {root-folder}:ComErrLib:Headers:
-profile-headers-output-folder = {root-folder}:KerberosProfileLib:Headers:
+gss-headers-output-folder = {root-folder}:GSSLib:Headers:GSS:
+krb5-headers-output-folder = {root-folder}:Kerberos5Lib:Headers:Kerberos5:
+comerr-headers-output-folder = {root-folder}:ComErrLib:Headers:KerberosComErr:
+profile-headers-output-folder = {root-folder}:KerberosProfileLib:Headers:KerberosProfile:
gss-headers-output = ¶
"{gss-headers-output-folder}gssapi.h" ¶
+ "{gss-headers-output-folder}GSS.h" ¶
"{gss-headers-output-folder}gssapi_krb5.h"
krb5-headers-output = ¶
"{krb5-headers-output-folder}krb5.h" ¶
+ "{krb5-headers-output-folder}Kerberos5.h" ¶
"{krb5-headers-output-folder}win-mac.h"
comerr-headers-output = ¶
- "{comerr-headers-output-folder}com_err.h"
+ "{comerr-headers-output-folder}com_err.h" ¶
+ "{comerr-headers-output-folder}KerberosComErr.h"
profile-headers-output = ¶
- "{profile-headers-output-folder}profile.h"
+ "{profile-headers-output-folder}profile.h" ¶
+ "{profile-headers-output-folder}KerberosProfile.h"
headers-output = {gss-headers-output} {krb5-headers-output} ¶
{comerr-headers-output} {profile-headers-output}
headers Ä unset-echo {headers-output}
-"{gss-headers-output-folder}gssapi.h" Ä "{root-folder}lib:gssapi:generic:gssapi.h" {makefile-name}
+"{gss-headers-output-folder}GSS.h" Ä {makefile-dependency}
+ "{create-folder}" "{TargDir}"
+ If (`Exists "{Targ}" | Count -l`)
+ SetFile -a l "{Targ}"
+ End
+ Echo "#include <GSS/gssapi.h>" > "{Targ}"
+ Echo "#include <GSS/gssapi_krb5.h>" >> "{Targ}"
+ SetFile -a l "{Targ}"
+
+"{gss-headers-output-folder}gssapi.h" Ä "{root-folder}lib:gssapi:generic:gssapi.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
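Review bot: In the new `GSS.h` rule both `SetFile` calls use `-a l`, and in MPW `SetFile` a lowercase attribute letter clears the bit, so the closing call would leave the generated header unlocked rather than locking it. If the intent is unlock, write, re-lock, the last line of the recipe would be `SetFile -a L "{Targ}"`. The pre-existing header rules on this page show the same lowercase pair, so the letter case may have been lost in rendering, or the existing rules may share the issue; worth checking against the file itself.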
@@ -916,7 +1346,7 @@ headers Ä unset-echo {headers-output}
Catenate "{root-folder}lib:gssapi:generic:gssapi.h" > "{Targ}"
SetFile -a l "{Targ}"
-"{gss-headers-output-folder}gssapi_krb5.h" Ä "{root-folder}lib:gssapi:krb5:gssapi_krb5.h" {makefile-name}
+"{gss-headers-output-folder}gssapi_krb5.h" Ä "{root-folder}lib:gssapi:krb5:gssapi_krb5.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
@@ -924,7 +1354,15 @@ headers Ä unset-echo {headers-output}
Catenate "{root-folder}lib:gssapi:krb5:gssapi_krb5.h" > "{Targ}"
SetFile -a l "{Targ}"
-"{krb5-headers-output-folder}krb5.h" Ä "{root-folder}include:krb5.h" {makefile-name}
+"{krb5-headers-output-folder}Kerberos5.h" Ä "{root-folder}include:krb5.h" {makefile-dependency}
+ "{create-folder}" "{TargDir}"
+ If (`Exists "{Targ}" | Count -l`)
+ SetFile -a l "{Targ}"
+ End
+ Echo "#include <Kerberos5/krb5.h>" > "{Targ}"
+ SetFile -a l "{Targ}"
+
+"{krb5-headers-output-folder}krb5.h" Ä "{root-folder}include:krb5.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
@@ -932,7 +1370,7 @@ headers Ä unset-echo {headers-output}
Catenate "{root-folder}include:krb5.h" > "{Targ}"
SetFile -a l "{Targ}"
-"{krb5-headers-output-folder}win-mac.h" Ä "{root-folder}include:win-mac.h" {makefile-name}
+"{krb5-headers-output-folder}win-mac.h" Ä "{root-folder}include:win-mac.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
@@ -940,7 +1378,15 @@ headers Ä unset-echo {headers-output}
Catenate "{root-folder}include:win-mac.h" > "{Targ}"
SetFile -a l "{Targ}"
-"{comerr-headers-output-folder}com_err.h" Ä "{root-folder}util:et:com_err.h" {makefile-name}
+"{comerr-headers-output-folder}KerberosComErr.h" Ä "{root-folder}util:et:com_err.h" {makefile-dependency}
+ "{create-folder}" "{TargDir}"
+ If (`Exists "{Targ}" | Count -l`)
+ SetFile -a l "{Targ}"
+ End
+ Echo "#include <KerberosComErr/com_err.h>" > "{Targ}"
+ SetFile -a l "{Targ}"
+
+"{comerr-headers-output-folder}com_err.h" Ä "{root-folder}util:et:com_err.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
@@ -948,7 +1394,15 @@ headers Ä unset-echo {headers-output}
Catenate "{root-folder}util:et:com_err.h" > "{Targ}"
SetFile -a l "{Targ}"
-"{profile-headers-output-folder}profile.h" Ä "{root-folder}util:profile:profile.h" {makefile-name}
+"{profile-headers-output-folder}KerberosProfile.h" Ä "{root-folder}util:profile:profile.h" {makefile-dependency}
+ "{create-folder}" "{TargDir}"
+ If (`Exists "{Targ}" | Count -l`)
+ SetFile -a l "{Targ}"
+ End
+ Echo "#include <KerberosProfile/profile.h>" > "{Targ}"
+ SetFile -a l "{Targ}"
+
+"{profile-headers-output-folder}profile.h" Ä "{root-folder}util:profile:profile.h" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l "{Targ}"
@@ -982,7 +1436,7 @@ documentation-output = {gss-documentation-output} {krb5-documentation-output} ¶
documentation Ä unset-echo {documentation-output}
-{gss-documentation-output-folder}"GSSLib ReadMe" Ä {root-folder}"mac:GSSLib ReadMe" {makefile-name}
+{gss-documentation-output-folder}"GSSLib ReadMe" Ä {root-folder}"mac:GSSLib ReadMe" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l {Targ}
@@ -990,7 +1444,7 @@ documentation Ä unset-echo {documentation-output}
Catenate {root-folder}"mac:GSSLib ReadMe" > {Targ}
SetFile -a l {Targ}
-{krb5-documentation-output-folder}"krb5api.pdf" Ä {makefile-name}
+{krb5-documentation-output-folder}"krb5api.pdf" Ä {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l {Targ}
@@ -1000,7 +1454,7 @@ documentation Ä unset-echo {documentation-output}
SetFile -a l -t 'PDF ' -c 'CARO' {Targ}
End
-{comerr-documentation-output-folder}"ComErrLib ReadMe" Ä {root-folder}"mac:ComErrLib ReadMe" {makefile-name}
+{comerr-documentation-output-folder}"ComErrLib ReadMe" Ä {root-folder}"mac:ComErrLib ReadMe" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l {Targ}
@@ -1008,7 +1462,7 @@ documentation Ä unset-echo {documentation-output}
Catenate {root-folder}"mac:ComErrLib ReadMe" > {Targ}
SetFile -a l {Targ}
-{profile-documentation-output-folder}"KerberosProfileLib ReadMe" Ä {root-folder}"mac:KerberosProfileLib ReadMe" {makefile-name}
+{profile-documentation-output-folder}"KerberosProfileLib ReadMe" Ä {root-folder}"mac:KerberosProfileLib ReadMe" {makefile-dependency}
"{create-folder}" "{TargDir}"
If (`Exists "{Targ}" | Count -l`)
SetFile -a l {Targ}
diff --git a/src/mac/PrivateKerberos5Lib.exp b/src/mac/PrivateKerberos5Lib.exp
new file mode 100644
index 0000000..352a812
--- /dev/null
+++ b/src/mac/PrivateKerberos5Lib.exp
@@ -0,0 +1,36 @@
+#----------------------------------------------------
+# PrivateKerberos5Lib.exp
+#
+# Exports from Kerberos v5 library which are not
+# a part of the public API, but are needed by some
+# critical clients. Each call is annotated by the
+# offending client.
+#----------------------------------------------------
+
+ krb5_size_opaque # GSSAPI
+ krb5_internalize_opaque # GSSAPI
+ krb5_externalize_opaque # GSSAPI
+ krb5_ser_pack_int32 # GSSAPI
+ krb5_ser_unpack_int32 # GSSAPI
+ krb5_ser_pack_bytes # GSSAPI
+ krb5_ser_unpack_bytes # GSSAPI
+ krb5_ser_auth_context_init # GSSAPI
+ krb5_ser_context_init # GSSAPI
+ krb5_ser_ccache_init # GSSAPI
+ krb5_ser_keytab_init # GSSAPI
+ krb5_ser_rcache_init # GSSAPI
+ decode_krb5_ap_req # GSSAPI
+ krb5_mcc_ops # GSSAPI
+ krb5_c_keyed_checksum_types # GSSAPI
+ krb5_c_random_make_octets # GSSAPI
+ krb5_c_encrypt # GSSAPI
+ krb5_c_make_checksum # GSSAPI
+ krb5_c_decrypt # GSSAPI
+ krb5_c_verify_checksum # GSSAPI
+ krb5_c_block_size # GSSAPI
+ krb5_c_checksum_length # GSSAPI
+ krb5_c_encrypt_length # GSSAPI
+ krb5int_cc_default # GSSAPI
+ krb5_set_default_tgs_enctypes # GSSAPI
+ krb5_get_tgs_ktypes # GSSAPI
+ \ No newline at end of file
diff --git a/src/mac/ProfileLib.CFM.c b/src/mac/ProfileLib.CFM.c
index 9b5ea87..12d58e4 100644
--- a/src/mac/ProfileLib.CFM.c
+++ b/src/mac/ProfileLib.CFM.c
@@ -16,11 +16,11 @@
* without express or implied warranty.
*/
-
-#include <CodeFragments.h>
-
#include "profile.h"
+#include "prof_err.h"
+#if TARGET_RT_MAC_CFM
+#include <CodeFragments.h>
OSErr InitializeProfileLib (
CFragInitBlockPtr ibp);
@@ -33,17 +33,28 @@ OSErr InitializeProfileLib(
/* Do normal init of the shared library */
err = __initialize(ibp);
+#else
+#define noErr 0
+void __InitializeProfileLib (void);
+void __InitializeProfileLib (void)
+{
+ int err = noErr;
+#endif
/* Initialize the error tables */
if (err == noErr) {
add_error_table(&et_prof_error_table);
}
+#if TARGET_RT_MAC_CFM
return err;
+#endif
}
+#if TARGET_RT_MAC_CFM
void TerminateProfileLib(void)
{
remove_error_table(&et_prof_error_table);
__terminate();
}
+#endif
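Review bot: The non-CFM build registers `et_prof_error_table` in `__InitializeProfileLib` but has no counterpart that removes it, because `TerminateProfileLib` is now compiled only under `TARGET_RT_MAC_CFM`. If the library can be unloaded in that configuration (not visible here), com_err would presumably keep a pointer to a table that is no longer mapped. Either add a non-CFM terminate routine that calls `remove_error_table(&et_prof_error_table);`, or state the assumption next to the `#else` with a comment such as `/* non-CFM: library is never unloaded, so the error table is not removed */`. The `#else` branch also opens a second function header that shares its body and closing brace with `InitializeProfileLib`, whose start is outside this hunk, so a short comment on that shared `}` would help the next reader.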
diff --git a/src/mac/Release notes b/src/mac/Release notes
index d087037..1cac274 100644
--- a/src/mac/Release notes
+++ b/src/mac/Release notes
@@ -91,7 +91,7 @@ Changes in 1.1a3:
2.0.1b1
Microseconds support added
- Microseconds fixed on machines that don't have hardware support (Chas Williams)
+ Microseconds fixed on machines that do not have hardware support (Chas Williams)
Fixed a bunch of missing krb5_auth_con_* exports
Added NRL config file name (Chas Williams)
Fixed profile layer to handle missing files correctly when looking for multiple ones
@@ -153,4 +153,167 @@ Changes in 1.1a3:
3.0d3
from tag Mac_GSSKerberos5_3_0d3
no changes on the Mac side
- fixed crash in get_init_creds when no network \ No newline at end of file
+ fixed crash in get_init_creds when no network
+
+3.0d4
+ from tag Mac_GSSKerberos5_3_0d4
+ no changes on the Mac side
+
+3.0d5
+ from tag Mac_GSSKerberos5_3_0d5
+ no changes on the Mac side
+
+3.0d6
+ from tag Mac_GSSKerberos5_3_0d6
+ login lib support
+ fixed to ccache v5 creds copying code
+
+3.0d7
+ from tag Mac_GSSKerberos5_3_0d7
+ support for login library in expired passwords
+
+3.0d8
+ from tag Mac_GSSKerberos5_3_0d8
+ now following the krb5-1-2 branch (except in util/profile)
+
+3.0a1
+ from tag Mac_GSSKerberos5_3_0a1
+ fixed krb5_cc_default
+ workaround for hostname resolution problems
+
+3.0a2
+ from tag Mac_GSSKerberos5_3_0a2
+ no changes on the Mac side
+
+3.0b1
+ from tag Mac_GSSKerberos5_3_0b1
+ Kerberos5Lib now uses PreferencesLib
+ fixed get_credentials [BZ 323]
+
+3.0b2
+ from tag Mac_GSSKerberos5_3_0b2
+ changed error in krb5_init_context from ENFILE to ENOENT when file not found
+
+3.0fc1
+ from tag Mac_GSSKerberos5_3_0fc1
+ no changes on the Mac side
+
+3.0fc2
+ from tag Mac_GSSKerberos5_3_0fc2
+ fixed memory leak in krb5_425_conv_principal
+
+3.0
+ from tag Mac_GSSKerberos5_3_0
+
+3.1d1
+ from tag Mac_GSSKerberos5_3_1d1
+ Carbon and CWP 6 builds
+
+3.1d2
+ from tag Mac_GSSKerberos5_3_1d2
+ Fixed epoch conversion throughout
+ Rebuilt with fixed CWP 6 fcntl.h
+
+3.1d3
+ from tag Mac_GSSKerberos5_3_1d3
+ Fixed profile library to support FSpecs under X
+ Fixed build system to work with UNIX newlines under 9
+
+3.1d4
+ from tag Mac_GSSKerberos5_3_1d4
+ first Mac OS X release
+
+3.1d5
+ from tag Mac_GSSKerberos5_3_1d5
+ fixed Carbon fragment names
+
+3.1d6
+ from tag Mac_GSSKerberos5_3_1d6
+ fixed sleep time bug
+ fixed dependencies on 8.5+ InterfaceLib
+
+3.1a1
+ from tag Mac_GSSKerberos5_3_1a1
+ alpha
+
+3.1a2
+ from tag Mac_GSSKerberos5_3_1a2
+ no longer prevents idle sleep
+ override carbon errno with Kerberos Support Library
+ fix NULL prompter crash
+
+3.1a3
+ from tag Mac_GSSKerberos5_3_1a3
+ updated for new Mac OS X header layout
+ fixed bug on newline conversion in profile when reading files bigger than 1K
+
+3.1a4
+ from tag Mac_GSSKerberos5_3_1a4
+ fixed SleepQInstall crash on NuBus Macs
+
+3.1b1
+ from tag Mac_GSSKerberos5_3_1b1
+ Upped the dylib version numbers.
+ added com_err to the export list on X
+ added krb5_prompter_posix and krb5_read_password to the Kerberos 5 exports
+ added new rfc 2744 GSS oids
+ added gssapi_generic.h to the public headers for GSS.framework
+ added kinit, klist, kdestroy, kpasswd command line tools
+ added kerberosIV directory to /usr/include headers
+
+3.1b2
+ from tag Mac_GSSKerberos5_3_1b2
+ changes to jam files for Mac OS X build integration
+
+3.1fc1
+ from tag Mac_GSSKerberos5_3_1fc1
+ replaced cc_* macros with functions
+ more fixes for Mac OS X build integration
+
+3.1
+from tag Mac_GSSKerberos5_3_1
+final for KL 4.0/KfM 3.5/KfM 4.0a16
+
+3.2a2
+from tag Mac_GSSKerberos5_3_2a2
+updated for Mac OS X 10.1
+
+3.2b1
+from tag Mac_GSSKerberos5_3_2b1
+synced with 1.2.3
+
+3.2b2
+from tag Mac_GSSKerberos5_3_2b2
+Separated private and public krb5 APIs
+
+3.2b3
+from tag Mac_GSSKerberos5_3_2b3
+Fixed gssapi_generic.h Mac OS conditionals and synced with 1.2.3b2
+
+3.2b4
+from tag Mac_GSSKerberos5_3_2b4
+Removed the broken microsecond timing code
+Fixed prebinding on Mac OS X
+
+3.2b5
+from tag Mac_GSSKerberos5_3_2b5
+Removed version strings from the Mac OS X project
+
+3.2b6
+from tag Mac_GSSKerberos5_3_2b6
+Fixed resource fork handling in profile lib
+
+3.2b7
+from tag Mac_GSSKerberos5_3_2b7
+Fixed GSS FTP forwarding
+Fixed profile library handling unreadable files
+
+3.2fc1
+from tag Mac_GSSKerberos5_3_2fc1
+Moved to final candidate
+
+3.2fc2
+from tag Mac_GSSKerberos5_3_2fc2
+
+3.2
+from tag Mac_GSSKerberos5_3_2
diff --git a/src/mac/kdestroy.c b/src/mac/kdestroy.c
new file mode 100644
index 0000000..c720e98
--- /dev/null
+++ b/src/mac/kdestroy.c
@@ -0,0 +1,293 @@
+/*
+ * clients/kdestroy/kdestroy.c
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Destroy the contents of your credential cache.
+ */
+
+#if TARGET_HEADER_FRAMEWORK
+ #include <Kerberos/Kerberos.h>
+#else
+ #include <krb5.h>
+ #include <com_err.h>
+ #ifdef KRB5_KRB4_COMPAT
+ #include <kerberosIV/krb.h>
+ #endif
+ #if USE_CCAPI
+ #include <CredentialsCache.h>
+ #endif
+#endif
+
+#include <string.h>
+#include <stdio.h>
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#endif
+
+
+#ifdef __STDC__
+#define BELL_CHAR '\a'
+#else
+#define BELL_CHAR '\007'
+#endif
+
+extern int optind;
+extern char *optarg;
+
+#ifndef _WIN32
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#else
+#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
+#endif
+
+char *progname;
+
+int got_k5 = 0;
+int got_k4 = 0;
+
+int default_k5 = 1;
+#ifdef KRB5_KRB4_COMPAT
+int default_k4 = 1;
+#else
+int default_k4 = 0;
+#endif
+
+
+static void usage()
+{
+#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
+
+ fprintf(stderr, "Usage: %s [-5] [-4] [-q] [-c cache_name]\n", progname);
+ fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
+ fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
+ fprintf(stderr, "\t (Default is %s%s%s%s)\n",
+ default_k5?"Kerberos 5":"",
+ (default_k5 && default_k4)?" and ":"",
+ default_k4?"Kerberos 4":"",
+ (!default_k5 && !default_k4)?"neither":"");
+ fprintf(stderr, "\t-q quiet mode\n");
+ fprintf(stderr, "\t-c specify name of credentials cache\n");
+ exit(2);
+}
+
+int
+main(argc, argv)
+ int argc;
+ char **argv;
+{
+ char *cache_name = NULL;
+#ifndef USE_CCAPI
+ krb5_context kcontext;
+ krb5_error_code retval;
+ krb5_ccache cache = NULL;
+ int code = 0;
+#ifdef KRB5_KRB4_COMPAT
+ int v4code = 0;
+ int v4 = 1;
+#endif
+#endif /* !USE_CCAPI */
+ int c;
+ int errflg = 0;
+ int quiet = 0;
+
+ int use_k5 = 0;
+ int use_k4 = 0;
+
+ progname = GET_PROGNAME(argv[0]);
+
+ got_k5 = 1;
+#ifdef KRB5_KRB4_COMPAT
+ got_k4 = 1;
+#endif
+
+ while ((c = getopt(argc, argv, "54qc:")) != -1) {
+ switch (c) {
+ case 'q':
+ quiet = 1;
+ break;
+ case 'c':
+ if (cache_name) {
+ fprintf(stderr, "Only one -c option allowed\n");
+ errflg++;
+ } else {
+ cache_name = optarg;
+ }
+ break;
+ case '4':
+ if (!got_k4)
+ {
+#ifdef KRB5_KRB4_COMPAT
+ fprintf(stderr, "Kerberos 4 support could not be loaded\n");
+#else
+ fprintf(stderr, "This was not built with Kerberos 4 support\n");
+#endif
+ exit(3);
+ }
+ use_k4 = 1;
+ break;
+ case '5':
+ if (!got_k5)
+ {
+ fprintf(stderr, "Kerberos 5 support could not be loaded\n");
+ exit(3);
+ }
+ use_k5 = 1;
+ break;
+ case '?':
+ default:
+ errflg++;
+ break;
+ }
+ }
+
+ if (optind != argc)
+ errflg++;
+
+ if (errflg) {
+ usage();
+ }
+
+ if (!use_k5 && !use_k4)
+ {
+ use_k5 = default_k5;
+ use_k4 = default_k4;
+ }
+
+ if (!use_k5)
+ got_k5 = 0;
+ if (!use_k4)
+ got_k4 = 0;
+
+#ifdef USE_CCAPI
+ {
+ /* CCAPI version 4 has joint caches for v4 and v5 */
+ cc_context_t context = NULL;
+ cc_ccache_t cache = NULL;
+ cc_int32 cc_err;
+
+ cc_err = cc_initialize (&context, ccapi_version_4, nil, nil);
+ if (cc_err != ccNoError) {
+ fprintf(stderr, "%s: Unable to initialize credentials cache (error = %ld)\n", progname, cc_err);
+ exit(1);
+ }
+
+
+ /* Open the default cache */
+ if (cache_name) {
+ char *name = strchr (cache_name, '.');
+ if (strlen (name) > 0) {
+ cc_err = cc_context_open_ccache (context, name, &cache);
+ if (cc_err == ccErrCCacheNotFound) {
+ fprintf(stderr, "%s: No credentials cache found while destroying '%s'\n",
+ progname, cache_name);
+ exit(1);
+ }
+ if (cc_err != ccNoError) {
+ fprintf(stderr, "%s: Unable to open cache '%s' (error = %ld)\n",
+ progname, cache_name, cc_err);
+ exit(1);
+ }
+ }
+ }
+
+ /* if we didn't just open a cache, open the default */
+ if (cache == NULL) {
+ cc_err = cc_context_open_default_ccache (context, &cache);
+ if (cc_err == ccErrCCacheNotFound) {
+ fprintf(stderr, "%s: No credentials cache found while destroying default cache\n",
+ progname);
+ exit(1);
+ }
+ if (cc_err != ccNoError) {
+ fprintf(stderr, "%s: Unable to open default cache (error = %ld)\n",
+ progname, cc_err);
+ exit(1);
+ }
+ }
+
+ cc_err = cc_ccache_destroy (cache);
+ if (cc_err != ccNoError) {
+ fprintf(stderr, "%s: Unable to destroy cache (error = %ld)\n",
+ progname, cc_err);
+ exit(1);
+ }
+ }
+#else
+ if (got_k5) {
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
+ com_err(progname, retval, "while initializing krb5");
+ exit(1);
+ }
+
+ if (cache_name) {
+#ifdef KRB5_KRB4_COMPAT
+ v4 = 0; /* Don't do v4 if doing v5 and cache name given. */
+#endif
+ code = krb5_cc_resolve (kcontext, cache_name, &cache);
+ if (code != 0) {
+ com_err (progname, code, "while resolving %s", cache_name);
+ exit(1);
+ }
+ } else {
+ code = krb5_cc_default(kcontext, &cache);
+ if (code) {
+ com_err(progname, code, "while getting default ccache");
+ exit(1);
+ }
+ }
+
+ code = krb5_cc_destroy (kcontext, cache);
+ if (code != 0) {
+ com_err (progname, code, "while destroying cache");
+ if (code != KRB5_FCC_NOFILE) {
+ if (quiet)
+ fprintf(stderr, "Ticket cache NOT destroyed!\n");
+ else {
+ fprintf(stderr, "Ticket cache %cNOT%c destroyed!\n",
+ BELL_CHAR, BELL_CHAR);
+ }
+ errflg = 1;
+ }
+ }
+ }
+#ifdef KRB5_KRB4_COMPAT
+ if (got_k4 && v4) {
+ v4code = dest_tkt();
+ if (v4code == KSUCCESS && code != 0)
+ fprintf(stderr, "Kerberos 4 ticket cache destroyed.\n");
+ if (v4code != KSUCCESS && v4code != RET_TKFIL) {
+ if (quiet)
+ fprintf(stderr, "Kerberos 4 ticket cache NOT destroyed!\n");
+ else
+ fprintf(stderr, "Kerberos 4 ticket cache %cNOT%c destroyed!\n",
+ BELL_CHAR, BELL_CHAR);
+ errflg = 1;
+ }
+ }
+#endif
+#endif /* USE_CCAPI */
+ return errflg;
+}
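Review bot: In the `USE_CCAPI` branch of `main`, `strchr (cache_name, '.')` returns NULL when the `-c` argument contains no dot, and the next line passes that result to `strlen`, so a malformed cache name crashes the tool instead of producing an error. For a non-NULL result the `strlen (name) > 0` test is always true, because `name` points at the dot itself; whether the text after the dot was intended should be confirmed against the name format `cc_context_open_ccache` expects. A guard that merely skips the open would fall through to the `cache == NULL` path and destroy the default cache, which the user did not name, so the argument should be rejected outright as sketched below.

```c
        if (cache_name) {
            char *name = strchr (cache_name, '.');
            if (name == NULL) {
                fprintf(stderr, "%s: Invalid cache name '%s'\n",
                        progname, cache_name);
                exit(1);
            }
            cc_err = cc_context_open_ccache (context, name, &cache);
            /* … unchanged: ccErrCCacheNotFound and generic error handling … */
        }
```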
diff --git a/src/mac/kinit.c b/src/mac/kinit.c
new file mode 100644
index 0000000..aa8785a
--- /dev/null
+++ b/src/mac/kinit.c
@@ -0,0 +1,1137 @@
+/*
+ * clients/kinit/kinit.c
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * Initialize a credentials cache.
+ */
+
+#if TARGET_HEADER_FRAMEWORK
+ #include <Kerberos/Kerberos.h>
+#else
+ #include <krb5.h>
+ #ifdef KRB5_KRB4_COMPAT
+ #include <kerberosIV/krb.h>
+ #endif
+#endif
+
+#include <string.h>
+#include <stdio.h>
+#include <time.h>
+
+#ifdef GETOPT_LONG
+#include <getopt.h>
+#else
+#ifdef HAVE_UNISTD_H
+#include <unistd.h>
+#ifdef sun
+/* SunOS4 unistd didn't declare these; okay to make unconditional? */
+extern int optind;
+extern char *optarg;
+#endif /* sun */
+#else
+extern int optind;
+extern char *optarg;
+extern int getopt();
+#endif /* HAVE_UNISTD_H */
+#endif /* GETOPT_LONG */
+
+#ifdef HAVE_KRB524
+#include "krb524.h"
+#endif
+
+#ifndef _WIN32
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#else
+#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
+#endif
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+static
+char * get_name_from_os()
+{
+ struct passwd *pw;
+ if ((pw = getpwuid((int) getuid())))
+ return pw->pw_name;
+ return 0;
+}
+#else /* HAVE_PWD_H */
+#ifdef _WIN32
+static
+char * get_name_from_os()
+{
+ static char name[1024];
+ DWORD name_size = sizeof(name);
+ if (GetUserName(name, &name_size)) {
+ name[sizeof(name)-1] = 0; /* Just to be extra safe */
+ return name;
+ } else {
+ return 0;
+ }
+}
+#else /* _WIN32 */
+static
+char * get_name_from_os()
+{
+ return 0;
+}
+#endif /* _WIN32 */
+#endif /* HAVE_PWD_H */
+
+static char* progname_v5 = 0;
+#ifdef KRB5_KRB4_COMPAT
+static char* progname_v4 = 0;
+static char* progname_v524 = 0;
+#endif
+
+static int got_k5 = 0;
+static int got_k4 = 0;
+
+static int default_k5 = 1;
+#if defined(KRB5_KRB4_COMPAT) && defined(KINIT_DEFAULT_BOTH)
+static int default_k4 = 1;
+#else
+static int default_k4 = 0;
+#endif
+
+static int authed_k5 = 0;
+static int authed_k4 = 0;
+
+#define KRB4_BACKUP_DEFAULT_LIFE_SECS 10*60*60 /* 10 hours */
+
+typedef enum { INIT_PW, INIT_KT, RENEW, VALIDATE } action_type;
+
+struct k_opts
+{
+ /* in seconds */
+ krb5_deltat starttime;
+ krb5_deltat lifetime;
+ krb5_deltat rlife;
+
+ int forwardable;
+ int proxiable;
+ int addresses;
+
+ int not_forwardable;
+ int not_proxiable;
+ int no_addresses;
+
+ int verbose;
+
+ char* principal_name;
+ char* service_name;
+ char* keytab_name;
+ char* k5_cache_name;
+ char* k4_cache_name;
+
+ action_type action;
+};
+
+struct k5_data
+{
+ krb5_context ctx;
+ krb5_ccache cc;
+ krb5_principal me;
+ char* name;
+};
+
+struct k4_data
+{
+ krb5_deltat lifetime;
+#ifdef KRB5_KRB4_COMPAT
+ char aname[ANAME_SZ + 1];
+ char inst[INST_SZ + 1];
+ char realm[REALM_SZ + 1];
+ char name[ANAME_SZ + 1 + INST_SZ + 1 + REALM_SZ + 1];
+#endif
+};
+
+#ifdef GETOPT_LONG
+/* if struct[2] == NULL, then long_getopt acts as if the short flag
+ struct[3] was specified. If struct[2] != NULL, then struct[3] is
+ stored in *(struct[2]), the array index which was specified is
+ stored in *index, and long_getopt() returns 0. */
+
+struct option long_options[] = {
+ { "noforwardable", 0, NULL, 'F' },
+ { "noproxiable", 0, NULL, 'P' },
+ { "addresses", 0, NULL, 'a'},
+ { "forwardable", 0, NULL, 'f' },
+ { "proxiable", 0, NULL, 'p' },
+ { "noaddresses", 0, NULL, 'A' },
+ { NULL, 0, NULL, 0 }
+};
+
+#define GETOPT(argc, argv, str) getopt_long(argc, argv, str, long_options, 0)
+#else
+#define GETOPT(argc, argv, str) getopt(argc, argv, str)
+#endif
+
+static void
+usage(progname)
+ char *progname;
+{
+#define USAGE_BREAK "\n\t"
+
+#ifdef GETOPT_LONG
+#define USAGE_LONG_FORWARDABLE " | --forwardable | --noforwardable"
+#define USAGE_LONG_PROXIABLE " | --proxiable | --noproxiable"
+#define USAGE_LONG_ADDRESSES " | --addresses | --noaddresses"
+#define USAGE_BREAK_LONG USAGE_BREAK
+#else
+#define USAGE_LONG_FORWARDABLE ""
+#define USAGE_LONG_PROXIABLE ""
+#define USAGE_LONG_ADDRESSES ""
+#define USAGE_BREAK_LONG ""
+#endif
+
+ fprintf(stderr, "Usage: %s [-5] [-4] [-V] "
+ "[-l lifetime] [-s start_time] "
+ USAGE_BREAK
+ "[-r renewable_life] "
+ "[-f | -F" USAGE_LONG_FORWARDABLE "] "
+ USAGE_BREAK_LONG
+ "[-p | -P" USAGE_LONG_PROXIABLE "] "
+ USAGE_BREAK_LONG
+ "[-A" USAGE_LONG_ADDRESSES "] "
+ USAGE_BREAK
+ "[-v] [-R] "
+ "[-k [-t keytab_file]] "
+ USAGE_BREAK
+ "[-c cachename] "
+ "[-S service_name] [principal]"
+ "\n\n",
+ progname);
+
+#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
+
+#define OPTTYPE_KRB5 "5"
+#define OPTTYPE_KRB4 "4"
+#define OPTTYPE_EITHER "Either 4 or 5"
+#ifdef HAVE_KRB524
+#define OPTTYPE_BOTH "5, or both 5 and 4"
+#else
+#define OPTTYPE_BOTH "5"
+#endif
+
+#ifdef KRB5_KRB4_COMPAT
+#define USAGE_OPT_FMT "%s%-50s%s\n"
+#else
+#define USAGE_OPT_FMT "%s%s\n"
+#endif
+
+#define ULINE(indent, col1, col2) \
+fprintf(stderr, USAGE_OPT_FMT, indent, col1, col2)
+
+ ULINE(" ", "options:", "valid with Kerberos:");
+ fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
+ fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
+ fprintf(stderr, "\t (Default behavior is to try %s%s%s%s)\n",
+ default_k5?"Kerberos 5":"",
+ (default_k5 && default_k4)?" and ":"",
+ default_k4?"Kerberos 4":"",
+ (!default_k5 && !default_k4)?"neither":"");
+ ULINE("\t", "-V verbose", OPTTYPE_EITHER);
+ ULINE("\t", "-l lifetime", OPTTYPE_EITHER);
+ ULINE("\t", "-s start time", OPTTYPE_KRB5);
+ ULINE("\t", "-r renewable lifetime", OPTTYPE_KRB5);
+ ULINE("\t", "-f forwardable", OPTTYPE_KRB5);
+ ULINE("\t", "-F not forwardable", OPTTYPE_KRB5);
+ ULINE("\t", "-p proxiable", OPTTYPE_KRB5);
+ ULINE("\t", "-P not proxiable", OPTTYPE_KRB5);
+ ULINE("\t", "-A do not include addresses", OPTTYPE_KRB5);
+ ULINE("\t", "-v validate", OPTTYPE_KRB5);
+ ULINE("\t", "-R renew", OPTTYPE_BOTH);
+ ULINE("\t", "-k use keytab", OPTTYPE_BOTH);
+ ULINE("\t", "-t filename of keytab to use", OPTTYPE_BOTH);
+ ULINE("\t", "-c Kerberos 5 cache name", OPTTYPE_KRB5);
+ /* This options is not yet available: */
+ /* ULINE("\t", "-C Kerberos 4 cache name", OPTTYPE_KRB4); */
+ ULINE("\t", "-S service", OPTTYPE_BOTH);
+ exit(2);
+}
+
+static char *
+parse_options(argc, argv, opts, progname)
+ int argc;
+ char **argv;
+ struct k_opts* opts;
+ char *progname;
+{
+ krb5_error_code code;
+ int errflg = 0;
+ int use_k4 = 0;
+ int use_k5 = 0;
+ int i;
+
+ while ((i = GETOPT(argc, argv, "r:fpFP54AVl:s:c:kt:RS:v"))
+ != -1) {
+ switch (i) {
+ case 'V':
+ opts->verbose = 1;
+ break;
+ case 'l':
+ /* Lifetime */
+ code = krb5_string_to_deltat(optarg, &opts->lifetime);
+ if (code != 0 || opts->lifetime == 0) {
+ fprintf(stderr, "Bad lifetime value %s\n", optarg);
+ errflg++;
+ }
+ break;
+ case 'r':
+ /* Renewable Time */
+ code = krb5_string_to_deltat(optarg, &opts->rlife);
+ if (code != 0 || opts->rlife == 0) {
+ fprintf(stderr, "Bad lifetime value %s\n", optarg);
+ errflg++;
+ }
+ break;
+ case 'f':
+ opts->forwardable = 1;
+ break;
+ case 'F':
+ opts->not_forwardable = 1;
+ break;
+ case 'p':
+ opts->proxiable = 1;
+ break;
+ case 'P':
+ opts->not_proxiable = 1;
+ break;
+ case 'a':
+ /* Note: This is supported only with GETOPT_LONG */
+ opts->addresses = 1;
+ break;
+ case 'A':
+ opts->no_addresses = 1;
+ break;
+ case 's':
+ code = krb5_string_to_deltat(optarg, &opts->starttime);
+ if (code != 0 || opts->starttime == 0) {
+ krb5_timestamp abs_starttime;
+
+ code = krb5_string_to_timestamp(optarg, &abs_starttime);
+ if (code != 0 || abs_starttime == 0) {
+ fprintf(stderr, "Bad start time value %s\n", optarg);
+ errflg++;
+ } else {
+ opts->starttime = abs_starttime - time(0);
+ }
+ }
+ break;
+ case 'S':
+ opts->service_name = optarg;
+ break;
+ case 'k':
+ opts->action = INIT_KT;
+ break;
+ case 't':
+ if (opts->keytab_name)
+ {
+ fprintf(stderr, "Only one -t option allowed.\n");
+ errflg++;
+ } else {
+ opts->keytab_name = optarg;
+ }
+ break;
+ case 'R':
+ opts->action = RENEW;
+ break;
+ case 'v':
+ opts->action = VALIDATE;
+ break;
+ case 'c':
+ if (opts->k5_cache_name)
+ {
+ fprintf(stderr, "Only one -c option allowed\n");
+ errflg++;
+ } else {
+ opts->k5_cache_name = optarg;
+ }
+ break;
+#if 0
+ /*
+ A little more work is needed before we can enable this
+ option.
+ */
+ case 'C':
+ if (opts->k4_cache_name)
+ {
+ fprintf(stderr, "Only one -C option allowed\n");
+ errflg++;
+ } else {
+ opts->k4_cache_name = optarg;
+ }
+ break;
+#endif
+ case '4':
+ if (!got_k4)
+ {
+#ifdef KRB5_KRB4_COMPAT
+ fprintf(stderr, "Kerberos 4 support could not be loaded\n");
+#else
+ fprintf(stderr, "This was not built with Kerberos 4 support\n");
+#endif
+ exit(3);
+ }
+ use_k4 = 1;
+ break;
+ case '5':
+ if (!got_k5)
+ {
+ fprintf(stderr, "Kerberos 5 support could not be loaded\n");
+ exit(3);
+ }
+ use_k5 = 1;
+ break;
+ default:
+ errflg++;
+ break;
+ }
+ }
+
+ if (opts->forwardable && opts->not_forwardable)
+ {
+ fprintf(stderr, "Only one of -f and -F allowed\n");
+ errflg++;
+ }
+ if (opts->proxiable && opts->not_proxiable)
+ {
+ fprintf(stderr, "Only one of -p and -P allowed\n");
+ errflg++;
+ }
+ if (opts->addresses && opts->no_addresses)
+ {
+ fprintf(stderr, "Only one of -a and -A allowed\n");
+ errflg++;
+ }
+
+ if (argc - optind > 1) {
+ fprintf(stderr, "Extra arguments (starting with \"%s\").\n",
+ argv[optind+1]);
+ errflg++;
+ }
+
+ /* At this point, if errorless, we know we only have one option
+ selection */
+ if (!use_k5 && !use_k4) {
+ use_k5 = default_k5;
+ use_k4 = default_k4;
+ }
+
+ /* Now, we encode the OPTTYPE stuff here... */
+ if (!use_k5 &&
+ (opts->starttime || opts->rlife || opts->forwardable ||
+ opts->proxiable || opts->addresses || opts->not_forwardable ||
+ opts->not_proxiable || opts->no_addresses ||
+ (opts->action == VALIDATE) || opts->k5_cache_name))
+ {
+ fprintf(stderr, "Specified option that requires Kerberos 5\n");
+ errflg++;
+ }
+ if (!use_k4 &&
+ opts->k4_cache_name)
+ {
+ fprintf(stderr, "Specified option that require Kerberos 4\n");
+ errflg++;
+ }
+ if (
+#ifdef HAVE_KRB524
+ !use_k5
+#else
+ use_k4
+#endif
+ && (opts->service_name || opts->keytab_name ||
+ (opts->action == INIT_KT) || (opts->action == RENEW))
+ )
+ {
+ fprintf(stderr, "Specified option that requires Kerberos 5\n");
+ errflg++;
+ }
+
+ if (errflg) {
+ usage(progname);
+ }
+
+ got_k5 = got_k5 && use_k5;
+ got_k4 = got_k4 && use_k4;
+
+ opts->principal_name = (optind == argc-1) ? argv[optind] : 0;
+ return opts->principal_name;
+}
+
+
+static int
+k5_begin(opts, k5, k4)
+ struct k_opts* opts;
+struct k5_data* k5;
+struct k4_data* k4;
+{
+ char* progname = progname_v5;
+ krb5_error_code code = 0;
+
+ if (!got_k5)
+ return 0;
+
+ code = krb5_init_context(&k5->ctx);
+ if (code) {
+ com_err(progname, code, "while initializing Kerberos 5 library");
+ return 0;
+ }
+ if (opts->k5_cache_name)
+ {
+ code = krb5_cc_resolve(k5->ctx, opts->k5_cache_name, &k5->cc);
+ if (code != 0) {
+ com_err(progname, code, "resolving ccache %s",
+ opts->k5_cache_name);
+ return 0;
+ }
+ }
+ else
+ {
+ if ((code = krb5_cc_default(k5->ctx, &k5->cc))) {
+ com_err(progname, code, "while getting default ccache");
+ return 0;
+ }
+ }
+
+ if (opts->principal_name)
+ {
+ /* Use specified name */
+ if ((code = krb5_parse_name(k5->ctx, opts->principal_name,
+ &k5->me))) {
+ com_err(progname, code, "when parsing name %s",
+ opts->principal_name);
+ return 0;
+ }
+ }
+ else
+ {
+ /* No principal name specified */
+ if (opts->action == INIT_KT) {
+ /* Use the default host/service name */
+ code = krb5_sname_to_principal(k5->ctx, NULL, NULL,
+ KRB5_NT_SRV_HST, &k5->me);
+ if (code) {
+ com_err(progname, code,
+ "when creating default server principal name");
+ return 0;
+ }
+ } else {
+ /* Get default principal from cache if one exists */
+ code = krb5_cc_get_principal(k5->ctx, k5->cc,
+ &k5->me);
+ if (code)
+ {
+ char *name = get_name_from_os();
+ if (!name)
+ {
+ fprintf(stderr, "Unable to identify user\n");
+ return 0;
+ }
+ if ((code = krb5_parse_name(k5->ctx, name,
+ &k5->me)))
+ {
+ com_err(progname, code, "when parsing name %s",
+ name);
+ return 0;
+ }
+ }
+ }
+ }
+
+ code = krb5_unparse_name(k5->ctx, k5->me, &k5->name);
+ if (code) {
+ com_err(progname, code, "when unparsing name");
+ return 0;
+ }
+ opts->principal_name = k5->name;
+
+#ifdef KRB5_KRB4_COMPAT
+ if (got_k4)
+ {
+ /* Translate to a Kerberos 4 principal */
+ code = krb5_524_conv_principal(k5->ctx, k5->me,
+ k4->aname, k4->inst, k4->realm);
+ if (code) {
+ k4->aname[0] = 0;
+ k4->inst[0] = 0;
+ k4->realm[0] = 0;
+ }
+ }
+#endif
+ return 1;
+}
+
+static void
+k5_end(k5)
+ struct k5_data* k5;
+{
+ if (k5->name)
+ krb5_free_unparsed_name(k5->ctx, k5->name);
+ if (k5->me)
+ krb5_free_principal(k5->ctx, k5->me);
+ if (k5->cc)
+ krb5_cc_close(k5->ctx, k5->cc);
+ if (k5->ctx)
+ krb5_free_context(k5->ctx);
+ memset(k5, 0, sizeof(*k5));
+}
+
+static int
+k4_begin(opts, k4)
+ struct k_opts* opts;
+ struct k4_data* k4;
+{
+#ifdef KRB5_KRB4_COMPAT
+ char* progname = progname_v4;
+ int k_errno = 0;
+#endif
+
+ if (!got_k4)
+ return 0;
+
+#ifdef KRB5_KRB4_COMPAT
+ if (k4->aname[0])
+ goto skip;
+
+ if (opts->principal_name)
+ {
+ /* Use specified name */
+ k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ opts->principal_name);
+ if (k_errno)
+ {
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ return 0;
+ }
+ } else {
+ /* No principal name specified */
+ if (opts->action == INIT_KT) {
+ /* Use the default host/service name */
+ /* XXX - need to add this functionality */
+ fprintf(stderr, "%s: Kerberos 4 srvtab support is not "
+ "implemented\n", progname);
+ return 0;
+ } else {
+ /* Get default principal from cache if one exists */
+ k_errno = krb_get_tf_fullname(tkt_string(), k4->aname,
+ k4->inst, k4->realm);
+ if (k_errno)
+ {
+ char *name = get_name_from_os();
+ if (!name)
+ {
+ fprintf(stderr, "Unable to identify user\n");
+ return 0;
+ }
+ if (k_errno = kname_parse(k4->aname, k4->inst, k4->realm,
+ name))
+ {
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ return 0;
+ }
+ }
+ }
+ }
+
+ if (!k4->realm[0])
+ krb_get_lrealm(k4->realm, 1);
+
+ if (k4->inst[0])
+ sprintf(k4->name, "%s.%s@%s", k4->aname, k4->inst, k4->realm);
+ else
+ sprintf(k4->name, "%s@%s", k4->aname, k4->realm);
+ opts->principal_name = k4->name;
+
+ skip:
+ if (k4->aname[0] && !k_isname(k4->aname))
+ {
+ fprintf(stderr, "%s: bad Kerberos 4 name format\n", progname);
+ return 0;
+ }
+
+ if (k4->inst[0] && !k_isinst(k4->inst))
+ {
+ fprintf(stderr, "%s: bad Kerberos 4 instance format\n", progname);
+ return 0;
+ }
+
+ if (k4->realm[0] && !k_isrealm(k4->realm))
+ {
+ fprintf(stderr, "%s: bad Kerberos 4 realm format\n", progname);
+ return 0;
+ }
+#endif /* KRB5_KRB4_COMPAT */
+ return 1;
+}
+
+static void
+k4_end(k4)
+ struct k4_data* k4;
+{
+ memset(k4, 0, sizeof(*k4));
+}
+
+#ifdef KRB5_KRB4_COMPAT
+static char stash_password[1024];
+static int got_password = 0;
+#endif /* KRB5_KRB4_COMPAT */
+
+static krb5_error_code
+KRB5_CALLCONV
+kinit_prompter(
+ krb5_context ctx,
+ void *data,
+ const char *name,
+ const char *banner,
+ int num_prompts,
+ krb5_prompt prompts[]
+ )
+{
+ int i;
+ krb5_prompt_type *types;
+ krb5_error_code rc =
+ krb5_prompter_posix(ctx, data, name, banner, num_prompts, prompts);
+ if (!rc && (types = krb5_get_prompt_types(ctx)))
+ for (i = 0; i < num_prompts; i++)
+ if ((types[i] == KRB5_PROMPT_TYPE_PASSWORD) ||
+ (types[i] == KRB5_PROMPT_TYPE_NEW_PASSWORD_AGAIN))
+ {
+#ifdef KRB5_KRB4_COMPAT
+ strncpy(stash_password, prompts[i].reply->data,
+ sizeof(stash_password));
+ got_password = 1;
+#endif
+ }
+ return rc;
+}
+
+static int
+k5_kinit(opts, k5)
+ struct k_opts* opts;
+ struct k5_data* k5;
+{
+ char* progname = progname_v5;
+ int notix = 1;
+ krb5_keytab keytab = 0;
+ krb5_creds my_creds;
+ krb5_error_code code = 0;
+ krb5_get_init_creds_opt options;
+
+ if (!got_k5)
+ return 0;
+
+ krb5_get_init_creds_opt_init(&options);
+ memset(&my_creds, 0, sizeof(my_creds));
+
+ /*
+ From this point on, we can goto cleanup because my_creds is
+ initialized.
+ */
+
+ if (opts->lifetime)
+ krb5_get_init_creds_opt_set_tkt_life(&options, opts->lifetime);
+ if (opts->rlife)
+ krb5_get_init_creds_opt_set_renew_life(&options, opts->rlife);
+ if (opts->forwardable)
+ krb5_get_init_creds_opt_set_forwardable(&options, 1);
+ if (opts->not_forwardable)
+ krb5_get_init_creds_opt_set_forwardable(&options, 0);
+ if (opts->proxiable)
+ krb5_get_init_creds_opt_set_proxiable(&options, 1);
+ if (opts->not_proxiable)
+ krb5_get_init_creds_opt_set_proxiable(&options, 0);
+ if (opts->addresses)
+ {
+ krb5_address **addresses = NULL;
+ code = krb5_os_localaddr(k5->ctx, &addresses);
+ if (code != 0) {
+ com_err(progname, code, "getting local addresses");
+ goto cleanup;
+ }
+ krb5_get_init_creds_opt_set_address_list(&options, addresses);
+ krb5_free_addresses(k5->ctx, addresses);
+ }
+ if (opts->no_addresses)
+ krb5_get_init_creds_opt_set_address_list(&options, NULL);
+
+ if ((opts->action == INIT_KT) && opts->keytab_name)
+ {
+ code = krb5_kt_resolve(k5->ctx, opts->keytab_name, &keytab);
+ if (code != 0) {
+ com_err(progname, code, "resolving keytab %s",
+ opts->keytab_name);
+ goto cleanup;
+ }
+ }
+
+ switch (opts->action) {
+ case INIT_PW:
+ code = krb5_get_init_creds_password(k5->ctx, &my_creds, k5->me,
+ 0, kinit_prompter, 0,
+ opts->starttime,
+ opts->service_name,
+ &options);
+ break;
+ case INIT_KT:
+ code = krb5_get_init_creds_keytab(k5->ctx, &my_creds, k5->me,
+ keytab,
+ opts->starttime,
+ opts->service_name,
+ &options);
+ break;
+ case VALIDATE:
+ code = krb5_get_validated_creds(k5->ctx, &my_creds, k5->me, k5->cc,
+ opts->service_name);
+ break;
+ case RENEW:
+ code = krb5_get_renewed_creds(k5->ctx, &my_creds, k5->me, k5->cc,
+ opts->service_name);
+ break;
+ }
+
+ if (code) {
+ char *doing = 0;
+ switch (opts->action) {
+ case INIT_PW:
+ case INIT_KT:
+ doing = "getting initial credentials";
+ break;
+ case VALIDATE:
+ doing = "validating credentials";
+ break;
+ case RENEW:
+ doing = "renewing credentials";
+ break;
+ }
+
+ /* If got code == KRB5_AP_ERR_V4_REPLY && got_k4, we should
+ let the user know that maybe he/she wants -4. */
+ if (code == KRB5KRB_AP_ERR_V4_REPLY && got_k4)
+ com_err(progname, code, "while %s\n"
+ "The KDC doesn't support v5. "
+ "You may want the -4 option in the future",
+ doing);
+ else if (code == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ fprintf(stderr, "%s: Password incorrect while %s\n", progname,
+ doing);
+ else
+ com_err(progname, code, "while %s", doing);
+ goto cleanup;
+ }
+
+ if (!opts->lifetime) {
+ /* We need to figure out what lifetime to use for Kerberos 4. */
+ opts->lifetime = my_creds.times.endtime - my_creds.times.authtime;
+ }
+
+ code = krb5_cc_initialize(k5->ctx, k5->cc, k5->me);
+ if (code) {
+ com_err(progname, code, "when initializing cache %s",
+ opts->k5_cache_name?opts->k5_cache_name:"");
+ goto cleanup;
+ }
+
+ code = krb5_cc_store_cred(k5->ctx, k5->cc, &my_creds);
+ if (code) {
+ com_err(progname, code, "while storing credentials");
+ goto cleanup;
+ }
+
+ notix = 0;
+
+ cleanup:
+ if (my_creds.client == k5->me) {
+ my_creds.client = 0;
+ }
+ krb5_free_cred_contents(k5->ctx, &my_creds);
+ if (keytab)
+ krb5_kt_close(k5->ctx, keytab);
+ return notix?0:1;
+}
+
+static int
+k4_kinit(opts, k4, ctx)
+ struct k_opts* opts;
+ struct k4_data* k4;
+ krb5_context ctx;
+{
+#ifdef KRB5_KRB4_COMPAT
+ char* progname = progname_v4;
+ int k_errno = 0;
+#endif
+
+ if (!got_k4)
+ return 0;
+
+ if (opts->starttime)
+ return 0;
+
+#ifdef KRB5_KRB4_COMPAT
+ if (!k4->lifetime)
+ k4->lifetime = opts->lifetime;
+ if (!k4->lifetime)
+ k4->lifetime = KRB4_BACKUP_DEFAULT_LIFE_SECS;
+
+ k4->lifetime = krb_time_to_life(0, k4->lifetime);
+
+ switch (opts->action)
+ {
+ case INIT_PW:
+ if (!got_password) {
+ unsigned int pwsize = sizeof(stash_password);
+ krb5_error_code code;
+ char prompt[1024];
+
+ sprintf(prompt, "Password for %s: ", opts->principal_name);
+ stash_password[0] = 0;
+ /*
+ Note: krb5_read_password does not actually look at the
+ context, so we're ok even if we don't have a context. If
+ we cannot dynamically load krb5, we can substitute any
+ decent read password function instead of the krb5 one.
+ */
+ code = krb5_read_password(ctx, prompt, 0, stash_password, &pwsize);
+ if (code || pwsize == 0)
+ {
+ fprintf(stderr, "Error while reading password for '%s'\n",
+ opts->principal_name);
+ memset(stash_password, 0, sizeof(stash_password));
+ return 0;
+ }
+ got_password = 1;
+ }
+ k_errno = krb_get_pw_in_tkt(k4->aname, k4->inst, k4->realm, "krbtgt",
+ k4->realm, k4->lifetime, stash_password);
+
+ if (k_errno) {
+ fprintf(stderr, "%s: %s\n", progname,
+ krb_get_err_text(k_errno));
+ if (authed_k5)
+ fprintf(stderr, "Maybe your KDC does not support v4. %s",
+ "Try the -5 option next time.\n");
+ return 0;
+ }
+ return 1;
+#ifndef HAVE_KRB524
+ case INIT_KT:
+ fprintf(stderr, "%s: srvtabs are not supported\n", progname);
+ return 0;
+ case RENEW:
+ fprintf(stderr, "%s: renewal of krb4 tickets is not supported\n",
+ progname);
+ return 0;
+#else
+ /* These cases are handled by the 524 code - this prevents the compiler
+ warnings of not using all the enumerated types.
+ */
+ case INIT_KT:
+ case RENEW:
+ case VALIDATE:
+ return 0;
+#endif
+ }
+#endif
+ return 0;
+}
+
+static char*
+getvprogname(v, progname)
+ char *v, *progname;
+{
+ unsigned int len = strlen(progname) + 2 + strlen(v) + 2;
+ char *ret = malloc(len);
+ if (ret)
+ sprintf(ret, "%s(v%s)", progname, v);
+ else
+ ret = progname;
+ return ret;
+}
+
+#ifdef HAVE_KRB524
+/* Convert krb5 tickets to krb4. */
+static int try_convert524(k5)
+ struct k5_data* k5;
+{
+ char * progname = progname_v524;
+ krb5_error_code code = 0;
+ int icode = 0;
+ krb5_principal kpcserver = 0;
+ krb5_creds *v5creds = 0;
+ krb5_creds increds;
+ CREDENTIALS v4creds;
+
+ if (!got_k4 || !got_k5)
+ return 0;
+
+ memset((char *) &increds, 0, sizeof(increds));
+ /*
+ From this point on, we can goto cleanup because increds is
+ initialized.
+ */
+
+ /* or do this directly with krb524_convert_creds_kdc */
+ krb524_init_ets(k5->ctx);
+
+ if ((code = krb5_build_principal(k5->ctx,
+ &kpcserver,
+ krb5_princ_realm(k5->ctx, k5->me)->length,
+ krb5_princ_realm(k5->ctx, k5->me)->data,
+ "krbtgt",
+ krb5_princ_realm(k5->ctx, k5->me)->data,
+ NULL))) {
+ com_err(progname, code,
+ "while creating service principal name");
+ goto cleanup;
+ }
+
+ increds.client = k5->me;
+ increds.server = kpcserver;
+ /* Prevent duplicate free calls. */
+ kpcserver = 0;
+
+ increds.times.endtime = 0;
+ increds.keyblock.enctype = ENCTYPE_DES_CBC_CRC;
+ if ((code = krb5_get_credentials(k5->ctx, 0,
+ k5->cc,
+ &increds,
+ &v5creds))) {
+ com_err(progname, code,
+ "getting V5 credentials");
+ goto cleanup;
+ }
+ if ((icode = krb524_convert_creds_kdc(k5->ctx,
+ v5creds,
+ &v4creds))) {
+ com_err(progname, icode,
+ "converting to V4 credentials");
+ goto cleanup;
+ }
+ /* this is stolen from the v4 kinit */
+ /* initialize ticket cache */
+ if ((icode = in_tkt(v4creds.pname, v4creds.pinst)
+ != KSUCCESS)) {
+ com_err(progname, icode,
+ "trying to create the V4 ticket file");
+ goto cleanup;
+ }
+ /* stash ticket, session key, etc. for future use */
+ if ((icode = krb_save_credentials(v4creds.service,
+ v4creds.instance,
+ v4creds.realm,
+ v4creds.session,
+ v4creds.lifetime,
+ v4creds.kvno,
+ &(v4creds.ticket_st),
+ v4creds.issue_date))) {
+ com_err(progname, icode,
+ "trying to save the V4 ticket");
+ goto cleanup;
+ }
+
+ cleanup:
+ memset(&v4creds, 0, sizeof(v4creds));
+ if (v5creds)
+ krb5_free_creds(k5->ctx, v5creds);
+ increds.client = 0;
+ krb5_free_cred_contents(k5->ctx, &increds);
+ if (kpcserver)
+ krb5_free_principal(k5->ctx, kpcserver);
+ return !(code || icode);
+}
+#endif /* HAVE_KRB524 */
+
+int
+main(argc, argv)
+ int argc;
+ char **argv;
+{
+ struct k_opts opts;
+ struct k5_data k5;
+ struct k4_data k4;
+ char *progname;
+
+
+ progname = GET_PROGNAME(argv[0]);
+ progname_v5 = getvprogname("5", progname);
+#ifdef KRB5_KRB4_COMPAT
+ progname_v4 = getvprogname("4", progname);
+ progname_v524 = getvprogname("524", progname);
+#endif
+
+ /* Ensure we can be driven from a pipe */
+ if(!isatty(fileno(stdin)))
+ setvbuf(stdin, 0, _IONBF, 0);
+ if(!isatty(fileno(stdout)))
+ setvbuf(stdout, 0, _IONBF, 0);
+ if(!isatty(fileno(stderr)))
+ setvbuf(stderr, 0, _IONBF, 0);
+
+ /*
+ This is where we would put in code to dynamically load Kerberos
+ libraries. Currenlty, we just get them implicitly.
+ */
+ got_k5 = 1;
+#ifdef KRB5_KRB4_COMPAT
+ got_k4 = 1;
+#endif
+
+ memset(&opts, 0, sizeof(opts));
+ opts.action = INIT_PW;
+
+ memset(&k5, 0, sizeof(k5));
+ memset(&k4, 0, sizeof(k4));
+
+ parse_options(argc, argv, &opts, progname);
+
+ got_k5 = k5_begin(&opts, &k5, &k4);
+ got_k4 = k4_begin(&opts, &k4);
+
+ authed_k5 = k5_kinit(&opts, &k5);
+#ifdef HAVE_KRB524
+ if (authed_k5)
+ authed_k4 = try_convert524(&k5);
+#endif
+ if (!authed_k4)
+ authed_k4 = k4_kinit(&opts, &k4, k5.ctx);
+#ifdef KRB5_KRB4_COMPAT
+ memset(stash_password, 0, sizeof(stash_password));
+#endif
+
+ if (authed_k5 && opts.verbose)
+ fprintf(stderr, "Authenticated to Kerberos v5\n");
+ if (authed_k4 && opts.verbose)
+ fprintf(stderr, "Authenticated to Kerberos v4\n");
+
+ k5_end(&k5);
+ k4_end(&k4);
+
+ if ((got_k5 && !authed_k5) || (got_k4 && !authed_k4))
+ exit(1);
+ return 0;
+}
diff --git a/src/mac/klist.c b/src/mac/klist.c
new file mode 100644
index 0000000..8aa2e48
--- /dev/null
+++ b/src/mac/klist.c
@@ -0,0 +1,912 @@
+/*
+ * clients/klist/klist.c
+ *
+ * Copyright 1990 by the Massachusetts Institute of Technology.
+ * All Rights Reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ *
+ *
+ * List out the contents of your credential cache or keytab.
+ */
+
+#if TARGET_HEADER_FRAMEWORK
+ #include <Kerberos/Kerberos.h>
+#else
+ #include <krb5.h>
+ #ifdef KRB5_KRB4_COMPAT
+ #include <kerberosIV/krb.h>
+ #endif
+ #include <com_err.h>
+#endif
+
+#include <stdlib.h>
+#include <string.h>
+#include <stdio.h>
+#include <time.h>
+#if defined(HAVE_ARPA_INET_H)
+#include <arpa/inet.h>
+#endif
+
+#ifndef _WIN32
+#define GET_PROGNAME(x) (strrchr((x), '/') ? strrchr((x), '/')+1 : (x))
+#else
+#define GET_PROGNAME(x) max(max(strrchr((x), '/'), strrchr((x), '\\')) + 1,(x))
+#endif
+
+#if (defined(_MSDOS) || defined(_WIN32))
+#include <winsock.h>
+#else
+#include <sys/socket.h>
+#include <netdb.h>
+#endif
+
+extern int optind;
+
+int show_flags = 0, show_time = 0, status_only = 0, show_keys = 0;
+int show_etype = 0, show_addresses = 0, no_resolve = 0;
+char *defname;
+char *progname;
+krb5_int32 now;
+unsigned int timestamp_width;
+
+krb5_context kcontext;
+
+char * etype_string KRB5_PROTOTYPE((krb5_enctype ));
+void show_credential KRB5_PROTOTYPE((krb5_creds *));
+
+void do_ccache KRB5_PROTOTYPE((char *));
+void do_keytab KRB5_PROTOTYPE((char *));
+void printtime KRB5_PROTOTYPE((time_t));
+void one_addr KRB5_PROTOTYPE((krb5_address *));
+void fillit KRB5_PROTOTYPE((FILE *, unsigned int, int));
+
+#ifdef KRB5_KRB4_COMPAT
+void do_v4_ccache KRB5_PROTOTYPE((char *));
+#endif /* KRB5_KRB4_COMPAT */
+
+#define DEFAULT 0
+#define CCACHE 1
+#define KEYTAB 2
+
+/*
+ * The reason we start out with got_k4 and got_k5 as zero (false) is
+ * so that we can easily add dynamic loading support for determining
+ * whether Kerberos 4 and Keberos 5 libraries are available
+ */
+
+static int got_k5 = 0;
+static int got_k4 = 0;
+
+static int default_k5 = 1;
+#ifdef KRB5_KRB4_COMPAT
+static int default_k4 = 1;
+#else
+static int default_k4 = 0;
+#endif
+
+static void usage()
+{
+#define KRB_AVAIL_STRING(x) ((x)?"available":"not available")
+
+ fprintf(stderr, "Usage: %s [-5] [-4] [-e] [[-c] [-f] [-s] [-a [-n]]] %s",
+ progname, "[-k [-t] [-K]] [name]\n");
+ fprintf(stderr, "\t-5 Kerberos 5 (%s)\n", KRB_AVAIL_STRING(got_k5));
+ fprintf(stderr, "\t-4 Kerberos 4 (%s)\n", KRB_AVAIL_STRING(got_k4));
+ fprintf(stderr, "\t (Default is %s%s%s%s)\n",
+ default_k5?"Kerberos 5":"",
+ (default_k5 && default_k4)?" and ":"",
+ default_k4?"Kerberos 4":"",
+ (!default_k5 && !default_k4)?"neither":"");
+ fprintf(stderr, "\t-c specifies credentials cache\n");
+ fprintf(stderr, "\t-k specifies keytab\n");
+ fprintf(stderr, "\t (Default is credentials cache)\n");
+ fprintf(stderr, "\t-e shows the encryption type\n");
+ fprintf(stderr, "\toptions for credential caches:\n");
+ fprintf(stderr, "\t\t-f shows credentials flags\n");
+ fprintf(stderr, "\t\t-s sets exit status based on valid tgt existence\n");
+ fprintf(stderr, "\t\t-a displays the address list\n");
+ fprintf(stderr, "\t\t\t-n do not reverse-resolve\n");
+ fprintf(stderr, "\toptions for keytabs:\n");
+ fprintf(stderr, "\t\t-t shows keytab entry timestamps\n");
+ fprintf(stderr, "\t\t-K shows keytab entry DES keys\n");
+ exit(1);
+}
+
+int
+main(argc, argv)
+ int argc;
+ char **argv;
+{
+ int c;
+ char *name;
+ int mode;
+ int use_k5 = 0, use_k4 = 0;
+
+ got_k5 = 1;
+#ifdef KRB5_KRB4_COMPAT
+ got_k4 = 1;
+#endif
+
+ progname = GET_PROGNAME(argv[0]);
+
+ name = NULL;
+ mode = DEFAULT;
+ while ((c = getopt(argc, argv, "fetKsnack45")) != -1) {
+ switch (c) {
+ case 'f':
+ show_flags = 1;
+ break;
+ case 'e':
+ show_etype = 1;
+ break;
+ case 't':
+ show_time = 1;
+ break;
+ case 'K':
+ show_keys = 1;
+ break;
+ case 's':
+ status_only = 1;
+ break;
+ case 'n':
+ no_resolve = 1;
+ break;
+ case 'a':
+ show_addresses = 1;
+ break;
+ case 'c':
+ if (mode != DEFAULT) usage();
+ mode = CCACHE;
+ break;
+ case 'k':
+ if (mode != DEFAULT) usage();
+ mode = KEYTAB;
+ break;
+ case '4':
+ if (!got_k4)
+ {
+#ifdef KRB5_KRB4_COMPAT
+ fprintf(stderr, "Kerberos 4 support could not be loaded\n");
+#else
+ fprintf(stderr, "This was not built with Kerberos 4 support\n");
+#endif
+ exit(3);
+ }
+ use_k4 = 1;
+ break;
+ case '5':
+ if (!got_k5)
+ {
+ fprintf(stderr, "Kerberos 5 support could not be loaded\n");
+ exit(3);
+ }
+ use_k5 = 1;
+ break;
+ default:
+ usage();
+ break;
+ }
+ }
+
+ if (no_resolve && !show_addresses) {
+ usage();
+ }
+
+ if (mode == DEFAULT || mode == CCACHE) {
+ if (show_time || show_keys)
+ usage();
+ } else {
+ if (show_flags || status_only || show_addresses)
+ usage();
+ }
+
+ if (argc - optind > 1) {
+ fprintf(stderr, "Extra arguments (starting with \"%s\").\n",
+ argv[optind+1]);
+ usage();
+ }
+
+ name = (optind == argc-1) ? argv[optind] : 0;
+
+ if (!use_k5 && !use_k4)
+ {
+ use_k5 = default_k5;
+ use_k4 = default_k4;
+ }
+
+ if (!use_k5)
+ got_k5 = 0;
+ if (!use_k4)
+ got_k4 = 0;
+
+ now = time(0);
+ {
+ char tmp[BUFSIZ];
+
+ if (!krb5_timestamp_to_sfstring(now, tmp, 20, (char *) NULL) ||
+ !krb5_timestamp_to_sfstring(now, tmp, sizeof(tmp),
+ (char *) NULL))
+ timestamp_width = (int) strlen(tmp);
+ else
+ timestamp_width = 15;
+ }
+
+ if (got_k5)
+ {
+ krb5_error_code retval;
+ retval = krb5_init_context(&kcontext);
+ if (retval) {
+ com_err(progname, retval, "while initializing krb5");
+ exit(1);
+ }
+
+ if (mode == DEFAULT || mode == CCACHE)
+ do_ccache(name);
+ else
+ do_keytab(name);
+ } else {
+#ifdef KRB5_KRB4_COMPAT
+ if (mode == DEFAULT || mode == CCACHE)
+ do_v4_ccache(name);
+ else {
+ /* We may want to add v4 srvtab support */
+ fprintf(stderr,
+ "%s: srvtab option not supported for Kerberos 4\n",
+ progname);
+ exit(1);
+ }
+#endif /* KRB4_KRB5_COMPAT */
+ }
+
+ return 0;
+}
+
+void do_keytab(name)
+ char *name;
+{
+ krb5_keytab kt;
+ krb5_keytab_entry entry;
+ krb5_kt_cursor cursor;
+ char buf[BUFSIZ]; /* hopefully large enough for any type */
+ char *pname;
+ int code;
+
+ if (name == NULL) {
+ if ((code = krb5_kt_default(kcontext, &kt))) {
+ com_err(progname, code, "while getting default keytab");
+ exit(1);
+ }
+ } else {
+ if ((code = krb5_kt_resolve(kcontext, name, &kt))) {
+ com_err(progname, code, "while resolving keytab %s",
+ name);
+ exit(1);
+ }
+ }
+
+ if ((code = krb5_kt_get_name(kcontext, kt, buf, BUFSIZ))) {
+ com_err(progname, code, "while getting keytab name");
+ exit(1);
+ }
+
+ printf("Keytab name: %s\n", buf);
+
+ if ((code = krb5_kt_start_seq_get(kcontext, kt, &cursor))) {
+ com_err(progname, code, "while starting keytab scan");
+ exit(1);
+ }
+
+ if (show_time) {
+ printf("KVNO Timestamp");
+ fillit(stdout, timestamp_width - sizeof("Timestamp") + 2, (int) ' ');
+ printf("Principal\n");
+ printf("---- ");
+ fillit(stdout, timestamp_width, (int) '-');
+ printf(" ");
+ fillit(stdout, 78 - timestamp_width - sizeof("KVNO"), (int) '-');
+ printf("\n");
+ } else {
+ printf("KVNO Principal\n");
+ printf("---- --------------------------------------------------------------------------\n");
+ }
+
+ while ((code = krb5_kt_next_entry(kcontext, kt, &entry, &cursor)) == 0) {
+ if ((code = krb5_unparse_name(kcontext, entry.principal, &pname))) {
+ com_err(progname, code, "while unparsing principal name");
+ exit(1);
+ }
+ printf("%4d ", entry.vno);
+ if (show_time) {
+ printtime(entry.timestamp);
+ printf(" ");
+ }
+ printf("%s", pname);
+ if (show_etype)
+ printf(" (%s) " , etype_string(entry.key.enctype));
+ if (show_keys) {
+ printf(" (0x");
+ {
+ int i;
+ for (i = 0; i < entry.key.length; i++)
+ printf("%02x", entry.key.contents[i]);
+ }
+ printf(")");
+ }
+ printf("\n");
+ krb5_free_unparsed_name(kcontext, pname);
+ }
+ if (code && code != KRB5_KT_END) {
+ com_err(progname, code, "while scanning keytab");
+ exit(1);
+ }
+ if ((code = krb5_kt_end_seq_get(kcontext, kt, &cursor))) {
+ com_err(progname, code, "while ending keytab scan");
+ exit(1);
+ }
+ exit(0);
+}
+void do_ccache(name)
+ char *name;
+{
+ krb5_ccache cache = NULL;
+ krb5_cc_cursor cur;
+ krb5_creds creds;
+ krb5_principal princ;
+ krb5_flags flags;
+ krb5_error_code code;
+ int exit_status = 0;
+
+ if (status_only)
+ /* exit_status is set back to 0 if a valid tgt is found */
+ exit_status = 1;
+
+ if (name == NULL) {
+ if ((code = krb5_cc_default(kcontext, &cache))) {
+ if (!status_only)
+ com_err(progname, code, "while getting default ccache");
+ exit(1);
+ }
+ } else {
+ if ((code = krb5_cc_resolve(kcontext, name, &cache))) {
+ if (!status_only)
+ com_err(progname, code, "while resolving ccache %s",
+ name);
+ exit(1);
+ }
+ }
+
+ flags = 0; /* turns off OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(kcontext, cache, flags))) {
+ if (code == KRB5_FCC_NOFILE) {
+ if (!status_only) {
+ com_err(progname, code, "(ticket cache %s:%s)",
+ krb5_cc_get_type(kcontext, cache),
+ krb5_cc_get_name(kcontext, cache));
+#ifdef KRB5_KRB4_COMPAT
+ if (name == NULL)
+ do_v4_ccache(0);
+#endif
+ }
+ } else {
+ if (!status_only)
+ com_err(progname, code,
+ "while setting cache flags (ticket cache %s:%s)",
+ krb5_cc_get_type(kcontext, cache),
+ krb5_cc_get_name(kcontext, cache));
+ }
+ exit(1);
+ }
+ if ((code = krb5_cc_get_principal(kcontext, cache, &princ))) {
+ if (!status_only)
+ com_err(progname, code, "while retrieving principal name");
+ exit(1);
+ }
+ if ((code = krb5_unparse_name(kcontext, princ, &defname))) {
+ if (!status_only)
+ com_err(progname, code, "while unparsing principal name");
+ exit(1);
+ }
+ if (!status_only) {
+ printf("Ticket cache: %s:%s\nDefault principal: %s\n\n",
+ krb5_cc_get_type(kcontext, cache),
+ krb5_cc_get_name(kcontext, cache), defname);
+ fputs("Valid starting", stdout);
+ fillit(stdout, timestamp_width - sizeof("Valid starting") + 3,
+ (int) ' ');
+ fputs("Expires", stdout);
+ fillit(stdout, timestamp_width - sizeof("Expires") + 3,
+ (int) ' ');
+ fputs("Service principal\n", stdout);
+ }
+ if ((code = krb5_cc_start_seq_get(kcontext, cache, &cur))) {
+ if (!status_only)
+ com_err(progname, code, "while starting to retrieve tickets");
+ exit(1);
+ }
+ while (!(code = krb5_cc_next_cred(kcontext, cache, &cur, &creds))) {
+ if (status_only) {
+ if (exit_status && creds.server->length == 2 &&
+ strcmp(creds.server->realm.data, princ->realm.data) == 0 &&
+ strcmp((char *)creds.server->data[0].data, "krbtgt") == 0 &&
+ strcmp((char *)creds.server->data[1].data,
+ princ->realm.data) == 0 &&
+ creds.times.endtime > now)
+ exit_status = 0;
+ } else {
+ show_credential(&creds);
+ }
+ krb5_free_cred_contents(kcontext, &creds);
+ }
+ if (code == KRB5_CC_END) {
+ if ((code = krb5_cc_end_seq_get(kcontext, cache, &cur))) {
+ if (!status_only)
+ com_err(progname, code, "while finishing ticket retrieval");
+ exit(1);
+ }
+ flags = KRB5_TC_OPENCLOSE; /* turns on OPENCLOSE mode */
+ if ((code = krb5_cc_set_flags(kcontext, cache, flags))) {
+ if (!status_only)
+ com_err(progname, code, "while closing ccache");
+ exit(1);
+ }
+#ifdef KRB5_KRB4_COMPAT
+ if (name == NULL && !status_only)
+ do_v4_ccache(0);
+#endif
+ exit(exit_status);
+ } else {
+ if (!status_only)
+ com_err(progname, code, "while retrieving a ticket");
+ exit(1);
+ }
+}
+
+char *
+etype_string(enctype)
+ krb5_enctype enctype;
+{
+ static char buf[100];
+ krb5_error_code retval;
+
+ if ((retval = krb5_enctype_to_string(enctype, buf, sizeof(buf)))) {
+ /* XXX if there's an error != EINVAL, I should probably report it */
+ sprintf(buf, "etype %d", enctype);
+ }
+
+ return buf;
+}
+
+static char *
+flags_string(cred)
+ register krb5_creds *cred;
+{
+ static char buf[32];
+ int i = 0;
+
+ if (cred->ticket_flags & TKT_FLG_FORWARDABLE)
+ buf[i++] = 'F';
+ if (cred->ticket_flags & TKT_FLG_FORWARDED)
+ buf[i++] = 'f';
+ if (cred->ticket_flags & TKT_FLG_PROXIABLE)
+ buf[i++] = 'P';
+ if (cred->ticket_flags & TKT_FLG_PROXY)
+ buf[i++] = 'p';
+ if (cred->ticket_flags & TKT_FLG_MAY_POSTDATE)
+ buf[i++] = 'D';
+ if (cred->ticket_flags & TKT_FLG_POSTDATED)
+ buf[i++] = 'd';
+ if (cred->ticket_flags & TKT_FLG_INVALID)
+ buf[i++] = 'i';
+ if (cred->ticket_flags & TKT_FLG_RENEWABLE)
+ buf[i++] = 'R';
+ if (cred->ticket_flags & TKT_FLG_INITIAL)
+ buf[i++] = 'I';
+ if (cred->ticket_flags & TKT_FLG_HW_AUTH)
+ buf[i++] = 'H';
+ if (cred->ticket_flags & TKT_FLG_PRE_AUTH)
+ buf[i++] = 'A';
+ buf[i] = '\0';
+ return(buf);
+}
+
+void
+printtime(tv)
+ time_t tv;
+{
+ char timestring[BUFSIZ];
+ char fill;
+
+ fill = ' ';
+ if (!krb5_timestamp_to_sfstring((krb5_timestamp) tv,
+ timestring,
+ timestamp_width+1,
+ &fill)) {
+ printf(timestring);
+ }
+}
+
+void
+show_credential(cred)
+ register krb5_creds * cred;
+{
+ krb5_error_code retval;
+ krb5_ticket *tkt;
+ char *name, *sname, *flags;
+ int extra_field = 0;
+
+ retval = krb5_unparse_name(kcontext, cred->client, &name);
+ if (retval) {
+ com_err(progname, retval, "while unparsing client name");
+ return;
+ }
+ retval = krb5_unparse_name(kcontext, cred->server, &sname);
+ if (retval) {
+ com_err(progname, retval, "while unparsing server name");
+ krb5_free_unparsed_name(kcontext, name);
+ return;
+ }
+ if (!cred->times.starttime)
+ cred->times.starttime = cred->times.authtime;
+
+ printtime(cred->times.starttime);
+ putchar(' '); putchar(' ');
+ printtime(cred->times.endtime);
+ putchar(' '); putchar(' ');
+
+ printf("%s\n", sname);
+
+ if (strcmp(name, defname)) {
+ printf("\tfor client %s", name);
+ extra_field++;
+ }
+
+ if (cred->ticket_flags & TKT_FLG_RENEWABLE) {
+ if (!extra_field)
+ fputs("\t",stdout);
+ else
+ fputs(", ",stdout);
+ fputs("renew until ", stdout);
+ printtime(cred->times.renew_till);
+ extra_field += 2;
+ }
+
+ if (extra_field > 3) {
+ fputs("\n", stdout);
+ extra_field = 0;
+ }
+
+ if (show_flags) {
+ flags = flags_string(cred);
+ if (flags && *flags) {
+ if (!extra_field)
+ fputs("\t",stdout);
+ else
+ fputs(", ",stdout);
+ printf("Flags: %s", flags);
+ extra_field++;
+ }
+ }
+
+ if (extra_field > 2) {
+ fputs("\n", stdout);
+ extra_field = 0;
+ }
+
+ if (show_etype) {
+ retval = krb5_decode_ticket(&cred->ticket, &tkt);
+ if (!extra_field)
+ fputs("\t",stdout);
+ else
+ fputs(", ",stdout);
+ printf("Etype (skey, tkt): %s, ",
+ etype_string(cred->keyblock.enctype));
+ printf("%s ",
+ etype_string(tkt->enc_part.enctype));
+ krb5_free_ticket(kcontext, tkt);
+ extra_field++;
+ }
+
+ /* if any additional info was printed, extra_field is non-zero */
+ if (extra_field)
+ putchar('\n');
+
+
+ if (show_addresses) {
+ if (!cred->addresses || !cred->addresses[0]) {
+ printf("\tAddresses: (none)\n");
+ } else {
+ int i;
+
+ printf("\tAddresses: ");
+ one_addr(cred->addresses[0]);
+
+ for (i=1; cred->addresses[i]; i++) {
+ printf(", ");
+ one_addr(cred->addresses[i]);
+ }
+
+ printf("\n");
+ }
+ }
+
+ krb5_free_unparsed_name(kcontext, name);
+ krb5_free_unparsed_name(kcontext, sname);
+}
+
+void one_addr(a)
+ krb5_address *a;
+{
+ struct hostent *h;
+
+ if ((a->addrtype == ADDRTYPE_INET && a->length == 4)
+#ifdef AF_INET6
+ || (a->addrtype == ADDRTYPE_INET6 && a->length == 16)
+#endif
+ ) {
+ int af = AF_INET;
+#ifdef AF_INET6
+ if (a->addrtype == ADDRTYPE_INET6)
+ af = AF_INET6;
+#endif
+ if (!no_resolve) {
+#ifdef HAVE_GETIPNODEBYADDR
+ int err;
+ h = getipnodebyaddr(a->contents, a->length, af, &err);
+ if (h) {
+ printf("%s", h->h_name);
+ freehostent(h);
+ }
+#else
+ h = gethostbyaddr(a->contents, (int) a->length, af);
+ if (h) {
+ printf("%s", h->h_name);
+ }
+#endif
+ if (h)
+ return;
+ }
+ if (no_resolve || !h) {
+#ifdef HAVE_INET_NTOP
+ char buf[46];
+ const char *name = inet_ntop(a->addrtype, a->contents, buf, sizeof(buf));
+ if (name) {
+ printf ("%s", name);
+ return;
+ }
+#else
+ if (a->addrtype == ADDRTYPE_INET) {
+ printf("%d.%d.%d.%d", a->contents[0], a->contents[1],
+ a->contents[2], a->contents[3]);
+ return;
+ }
+#endif
+ }
+ }
+ printf("unknown addr type %d", a->addrtype);
+}
+
+void
+fillit(f, num, c)
+ FILE *f;
+ unsigned int num;
+ int c;
+{
+ int i;
+
+ for (i=0; i<num; i++)
+ fputc(c, f);
+}
+
+#ifdef KRB5_KRB4_COMPAT
+void
+do_v4_ccache(name)
+ char * name;
+{
+#if USE_CCAPI
+ cc_context_t context = nil;
+ cc_ccache_t cache = nil;
+ cc_credentials_iterator_t credsIterator = nil;
+ cc_credentials_t creds = nil;
+ cc_string_t cacheName = nil, principalName = nil;
+ cc_int32 err;
+#else
+ char pname[ANAME_SZ];
+ char pinst[INST_SZ];
+ char prealm[REALM_SZ];
+ int k_errno;
+ CREDENTIALS c;
+#endif
+ char *file;
+ int header = 1;
+
+ if (!got_k4)
+ return;
+
+ file = name?name:tkt_string();
+
+ if (status_only) {
+ fprintf(stderr, "%s: exit status option not supported for Kerberos 4\n", progname);
+ exit(1);
+ }
+
+ if (got_k5)
+ printf("\n\n");
+
+ printf("Kerberos 4 ticket cache: %s\n", file);
+
+#if USE_CCAPI
+ /* Initialize the CCache library */
+ err = cc_initialize (&context, ccapi_version_4, nil, nil);
+ if (err != ccNoError) {
+ fprintf(stderr, "%s: cc_initialize returned error = %ld\n", progname, err);
+ exit(1);
+ }
+
+ /* Get the default cache */
+ err = cc_context_get_default_ccache_name (context, &cacheName);
+ if (err != ccNoError) {
+ fprintf(stderr, "%s: cc_context_get_default_ccache_name returned error = %ld\n", progname, err);
+ exit(1);
+ }
+
+ /* Open the default cache */
+ err = cc_context_open_default_ccache (context, &cache);
+ if ((err != ccNoError) && (err != ccErrCCacheNotFound)) {
+ fprintf(stderr, "%s: cc_context_open_default_ccache returned error = %ld\n", progname, err);
+ exit(1);
+ } else if (err == ccErrCCacheNotFound) {
+ printf("%s: No tickets in Credentials Cache\n", progname);
+ exit(0);
+ }
+
+ /* get the v4 principal of the ccache */
+ err = cc_ccache_get_principal (cache, cc_credentials_v4, &principalName);
+ if ((err != ccNoError) && (err != ccErrBadCredentialsVersion)) {
+ fprintf(stderr, "%s: cc_ccache_get_principal returned error = %ld\n", progname, err);
+ exit(1);
+ } else if (err == ccErrBadCredentialsVersion) {
+ printf("%s: No v4 tickets in Credentials Cache\n", progname);
+ exit(0);
+ }
+
+ /* display the principal */
+ printf("Default Principal: %s\n\n", principalName -> data);
+
+ /* Loop over the credentials and display them */
+ err = cc_ccache_new_credentials_iterator (cache, &credsIterator);
+ if (err != ccNoError) {
+ fprintf(stderr, "%s: cc_ccache_new_credentials_iterator returned error = %ld\n", progname, err);
+ exit(1);
+ }
+
+ for (;;) {
+ err = cc_credentials_iterator_next (credsIterator, &creds);
+ if ((err != ccNoError) && (err != ccIteratorEnd)) {
+ fprintf(stderr, "%s: cc_credentials_iterator_next returned error = %ld\n", progname, err);
+ exit(1);
+ } else if (err == ccIteratorEnd) {
+ err = ccNoError; // this is an error we can deal with, so reset so we continue to dump data
+ break;
+ }
+
+
+ /* print out any v4 credentials */
+ if (creds -> data -> version == cc_credentials_v4) {
+ cc_credentials_v4_t *creds4 = creds -> data -> credentials.credentials_v4;
+
+ if (header) {
+ printf("%-18s %-18s %s\n", " Issued", " Expires", " Principal");
+ header = 0;
+ }
+ printtime(creds4 -> issue_date);
+ fputs(" ", stdout);
+
+ /* ccapi_version_4 compensates for long lifetimes so we just add here: */
+ printtime(creds4 -> issue_date + creds4 -> lifetime);
+
+ printf(" %s%s%s%s%s\n", creds4 -> service, (creds4 -> service_instance[0] ? "." : ""),
+ creds4 -> service_instance, (creds4 -> realm[0] ? "@" : ""), creds4 -> realm);
+ }
+
+ cc_credentials_release (creds);
+ creds = nil;
+ }
+
+ cc_credentials_iterator_release (credsIterator);
+ credsIterator = nil;
+
+ cc_ccache_release (cache);
+ cache = nil;
+
+#else
+
+ /*
+ * Since krb_get_tf_realm will return a ticket_file error,
+ * we will call tf_init and tf_close first to filter out
+ * things like no ticket file. Otherwise, the error that
+ * the user would see would be
+ * klist: can't find realm of ticket file: No ticket file (tf_util)
+ * instead of
+ * klist: No ticket file (tf_util)
+ */
+
+ /* Open ticket file */
+ k_errno = tf_init(file, R_TKT_FIL);
+ if (k_errno) {
+ fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
+ exit(1);
+ }
+ /* Close ticket file */
+ (void) tf_close();
+
+ /*
+ * We must find the realm of the ticket file here before calling
+ * tf_init because since the realm of the ticket file is not
+ * really stored in the principal section of the file, the
+ * routine we use must itself call tf_init and tf_close.
+ */
+ if ((k_errno = krb_get_tf_realm(file, prealm)) != KSUCCESS) {
+ fprintf(stderr, "%s: can't find realm of ticket file: %s\n",
+ progname, krb_get_err_text (k_errno));
+ exit(1);
+ }
+
+ /* Open ticket file */
+ if ((k_errno = tf_init(file, R_TKT_FIL))) {
+ fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
+ exit(1);
+ }
+ /* Get principal name and instance */
+ if ((k_errno = tf_get_pname(pname)) ||
+ (k_errno = tf_get_pinst(pinst))) {
+ fprintf(stderr, "%s: %s\n", progname, krb_get_err_text (k_errno));
+ exit(1);
+ }
+
+ /*
+ * You may think that this is the obvious place to get the
+ * realm of the ticket file, but it can't be done here as the
+ * routine to do this must open the ticket file. This is why
+ * it was done before tf_init.
+ */
+
+ printf("Principal: %s%s%s%s%s\n\n", pname,
+ (pinst[0] ? "." : ""), pinst,
+ (prealm[0] ? "@" : ""), prealm);
+ while ((k_errno = tf_get_cred(&c)) == KSUCCESS) {
+ if (header) {
+ printf("%-18s %-18s %s\n",
+ " Issued", " Expires", " Principal");
+ header = 0;
+ }
+ printtime(c.issue_date);
+ fputs(" ", stdout);
+ printtime(krb_life_to_time(c.issue_date, c.lifetime));
+ printf(" %s%s%s%s%s\n",
+ c.service, (c.instance[0] ? "." : ""), c.instance,
+ (c.realm[0] ? "@" : ""), c.realm);
+ }
+ if (header && k_errno == EOF) {
+ printf("No tickets in file.\n");
+ }
+#endif
+}
+#endif /* KRB4_KRB5_COMPAT */
diff --git a/src/mac/kpasswd.c b/src/mac/kpasswd.c
new file mode 100644
index 0000000..03db03f
--- /dev/null
+++ b/src/mac/kpasswd.c
@@ -0,0 +1,151 @@
+#include <stdio.h>
+#include <sys/types.h>
+
+#ifndef _WIN32
+#include <unistd.h>
+#endif
+
+#if TARGET_HEADER_FRAMEWORK
+ #include <Kerberos/Kerberos.h>
+#else
+ #include <krb5.h>
+#endif
+
+#define P1 "Enter new password: "
+#define P2 "Enter it again: "
+
+#ifdef HAVE_PWD_H
+#include <pwd.h>
+
+static
+void get_name_from_passwd_file(program_name, kcontext, me)
+ char * program_name;
+ krb5_context kcontext;
+ krb5_principal * me;
+{
+ struct passwd *pw;
+ krb5_error_code code;
+ if ((pw = getpwuid((int) getuid()))) {
+ if ((code = krb5_parse_name(kcontext, pw->pw_name, me))) {
+ com_err (program_name, code, "when parsing name %s", pw->pw_name);
+ exit(1);
+ }
+ } else {
+ fprintf(stderr, "Unable to identify user from password file\n");
+ exit(1);
+ }
+}
+#else /* HAVE_PWD_H */
+void get_name_from_passwd_file(kcontext, me)
+ krb5_context kcontext;
+ krb5_principal * me;
+{
+ fprintf(stderr, "Unable to identify user\n");
+ exit(1);
+}
+#endif /* HAVE_PWD_H */
+
+int main(int argc, char *argv[])
+{
+ krb5_error_code ret;
+ krb5_context context;
+ krb5_principal princ;
+ char *pname;
+ krb5_ccache ccache;
+ krb5_get_init_creds_opt opts;
+ krb5_creds creds;
+
+ char pw[1024];
+ unsigned int pwlen;
+ int result_code;
+ krb5_data result_code_string, result_string;
+
+ if (argc > 2) {
+ fprintf(stderr, "usage: %s [principal]\n", argv[0]);
+ exit(1);
+ }
+
+ pname = argv[1];
+
+ ret = krb5_init_context(&context);
+ if (ret) {
+ com_err(argv[0], ret, "initializing kerberos library");
+ exit(1);
+ }
+
+ /* in order, use the first of:
+ - a name specified on the command line
+ - the principal name from an existing ccache
+ - the name corresponding to the ruid of the process
+
+ otherwise, it's an error.
+ */
+
+ if (pname) {
+ if ((ret = krb5_parse_name(context, pname, &princ))) {
+ com_err(argv[0], ret, "parsing client name");
+ exit(1);
+ }
+ } else if ((ret = krb5_cc_default(context, &ccache)) != KRB5_CC_NOTFOUND) {
+ if (ret) {
+ com_err(argv[0], ret, "opening default ccache");
+ exit(1);
+ }
+
+ if ((ret = krb5_cc_get_principal(context, ccache, &princ))) {
+ com_err(argv[0], ret, "getting principal from ccache");
+ exit(1);
+ }
+
+ if ((ret = krb5_cc_close(context, ccache))) {
+ com_err(argv[0], ret, "closing ccache");
+ exit(1);
+ }
+ } else {
+ get_name_from_passwd_file(argv[0], context, &princ);
+ }
+
+ krb5_get_init_creds_opt_init(&opts);
+ krb5_get_init_creds_opt_set_tkt_life(&opts, 5*60);
+ krb5_get_init_creds_opt_set_renew_life(&opts, 0);
+ krb5_get_init_creds_opt_set_forwardable(&opts, 0);
+ krb5_get_init_creds_opt_set_proxiable(&opts, 0);
+
+ if ((ret = krb5_get_init_creds_password(context, &creds, princ, NULL,
+ krb5_prompter_posix, NULL,
+ 0, "kadmin/changepw", &opts))) {
+ if (ret == KRB5KRB_AP_ERR_BAD_INTEGRITY)
+ com_err(argv[0], 0,
+ "Password incorrect while getting initial ticket");
+ else
+ com_err(argv[0], ret, "getting initial ticket");
+ exit(1);
+ }
+
+ pwlen = sizeof(pw);
+ if ((ret = krb5_read_password(context, P1, P2, pw, &pwlen))) {
+ com_err(argv[0], ret, "while reading password");
+ exit(1);
+ }
+
+ if ((ret = krb5_change_password(context, &creds, pw,
+ &result_code, &result_code_string,
+ &result_string))) {
+ com_err(argv[0], ret, "changing password");
+ exit(1);
+ }
+
+ if (result_code) {
+ printf("%.*s%s%.*s\n",
+ (int) result_code_string.length, result_code_string.data,
+ result_string.length?": ":"",
+ (int) result_string.length, result_string.data);
+ exit(2);
+ }
+
+ free(result_string.data);
+ free(result_code_string.data);
+
+ printf("Password changed.\n");
+ exit(0);
+}
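Review bot: In main(), the new password read into `pw[1024]` is never cleared: every path after `krb5_read_password` ends in `exit()` with the cleartext still on the stack, and `creds` (the kadmin/changepw ticket) is never released. Wipe the buffer as soon as `krb5_change_password` returns, before `ret` is tested, with `memset(pw, 0, sizeof(pw));` (or a wipe the compiler cannot elide, where the platform has one), and follow it with `krb5_free_cred_contents(context, &creds);`. Separately, the `#else /* HAVE_PWD_H */` definition of `get_name_from_passwd_file` takes two parameters while main() passes three (`argv[0], context, &princ`). With old-style definitions the compiler does not catch this, so the fallback should be declared `static void get_name_from_passwd_file(program_name, kcontext, me)` like the first variant.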
diff --git a/src/mac/libraries/KerberosHeaders.9.pch b/src/mac/libraries/KerberosHeaders.9.pch
new file mode 100644
index 0000000..b8a8f88
--- /dev/null
+++ b/src/mac/libraries/KerberosHeaders.9.pch
@@ -0,0 +1,2 @@
+#include "KerberosHeaders.h"
+#include "MacHeaders.c"
diff --git a/src/mac/libraries/KerberosHeaders.CB.pch b/src/mac/libraries/KerberosHeaders.CB.pch
new file mode 100644
index 0000000..73d04ab
--- /dev/null
+++ b/src/mac/libraries/KerberosHeaders.CB.pch
@@ -0,0 +1,4 @@
+#define TARGET_API_MAC_CARBON 1
+
+#include "KerberosHeaders.h"
+#include "MacHeaders.c"
diff --git a/src/mac/libraries/KerberosHeaders.h b/src/mac/libraries/KerberosHeaders.h
index 1a07404..0cc0f7e 100644
--- a/src/mac/libraries/KerberosHeaders.h
+++ b/src/mac/libraries/KerberosHeaders.h
@@ -5,22 +5,24 @@
* Copyright © 1993 metrowerks inc. All rights reserved.
* Modified for Kerberos5 Mac port to include compile options
*/
+
+#include "autoconf.h"
/*
* Add the compile flag switches for kerberos compile
*/
#define KRB5 1
-#define SIZEOF_INT 4
-#define SIZEOF_SHORT 2
#define HAVE_SRAND
#define NO_PASSWORD
#define HAVE_LABS
#define ANSI_STDIO
+#define USE_CCAPI
#include <unix.h>
#include <ctype.h>
-#include <SocketErrors.h>
+#include <KerberosSupport/SocketErrors.h>
+#include <unistd.h>
#define PROVIDE_RSA_MD4
#define PROVIDE_RSA_MD5
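Review bot: `#define USE_CCAPI` defines the macro with no value, which is fine for `#ifdef` but breaks value tests. The `do_v4_ccache` code added earlier in this diff uses `#if USE_CCAPI`, and with an empty expansion that directive has no expression and is rejected by the preprocessor. Whether that file is built with this prefix header is not visible here, but `#define USE_CCAPI 1` works for both forms and matches `#define KRB5 1` a few lines up.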
@@ -35,12 +37,11 @@
#define NO_SYS_TYPES_H
#define NO_SYS_STAT_H
-#define HAVE_STDLIB_H 1
//jfm need to reimplement
#define mktemp(a)
enum {
EROFS = 30,
-ENFILE = 23
+/*ENFILE = 23*/
};
diff --git a/src/mac/macfile_gen.pl b/src/mac/macfile_gen.pl
index 00d5365..e0de100 100644
--- a/src/mac/macfile_gen.pl
+++ b/src/mac/macfile_gen.pl
@@ -3,29 +3,29 @@
# Usage:
# macfile_gen.pl list-type start-path prefix
# list-type is one of:
-# all-files -- complete list of mac sources, relative to root
-# all-folders -- complete list of mac directories, relative to root
-# gss-sources -- complete list of mac GSS sources, relative to root
-# krb5-sources -- complete list of mac Krb5 sources, relative to root
-# profile-sources -- complete list of mac profile sources, relative to root
-# comerr-sources -- complete list of mac com_err sources, relative to root
-# gss-objects-ppc-debug -- complete list of mac GSS PPC debug objects, relative to root
-# gss-objects-68k-debug -- complete list of mac GSS 68K debug objects, relative to root
-# gss-objects-ppc-final -- complete list of mac GSS PPC final objects, relative to root
-# gss-objects-68k-final -- complete list of mac GSS 68K final objects, relative to root
-# krb5-objects-ppc-debug -- complete list of mac Kerberos v5 PPC debug objects, relative to root
-# krb5-objects-68k-debug -- complete list of mac Kerberos v5 68K debug objects, relative to root
-# krb5-objects-ppc-final -- complete list of mac Kerberos v5 PPC final objects, relative to root
-# krb5-objects-68k-final -- complete list of mac Kerberos v5 68K final objects, relative to root
-# profile-objects-ppc-debug -- complete list of mac profile PPC debug objects, relative to root
-# profile-objects-68k-debug -- complete list of mac profile v5 68K debug objects, relative to root
-# profile-objects-ppc-final -- complete list of mac profile v5 PPC final objects, relative to root
-# profile-objects-68k-final -- complete list of mac profile v5 68K final objects, relative to root
-# comerr-objects-ppc-debug -- complete list of mac com_err PPC debug objects, relative to root
-# comerr-objects-68k-debug -- complete list of mac com_err v5 68K debug objects, relative to root
-# comerr-objects-ppc-final -- complete list of mac com_err v5 PPC final objects, relative to root
-# comerr-objects-68k-final -- complete list of mac com_err v5 68K final objects, relative to root
-# include-folders -- complete list of include paths, relative to root
+# all-files -- complete list of mac sources, relative to root
+# all-folders -- complete list of mac directories, relative to root
+# gss-sources -- complete list of mac GSS sources, relative to root
+# krb5-sources -- complete list of mac Krb5 sources, relative to root
+# profile-sources -- complete list of mac profile sources, relative to root
+# comerr-sources -- complete list of mac com_err sources, relative to root
+# gss-objects-macos9-debug -- complete list of mac GSS Mac OS 9 debug objects, relative to root
+# gss-objects-macos9-final -- complete list of mac GSS Mac OS 9 final objects, relative to root
+# krb5-objects-macos9-debug -- complete list of mac Kerberos v5 Mac OS 9 debug objects, relative to root
+# krb5-objects-macos9-final -- complete list of mac Kerberos v5 Mac OS 9 final objects, relative to root
+# profile-objects-macos9-debug -- complete list of mac profile Mac OS 9 debug objects, relative to root
+# profile-objects-macos9-final -- complete list of mac profile v5 Mac OS 9 final objects, relative to root
+# comerr-objects-macos9-debug -- complete list of mac com_err Mac OS 9 debug objects, relative to root
+# comerr-objects-macos9-final -- complete list of mac com_err v5 Mac OS 9 final objects, relative to root
+# gss-objects-carbon-debug -- complete list of mac GSS Carbon debug objects, relative to root
+# gss-objects-carbon-final -- complete list of mac GSS Carbon final objects, relative to root
+# krb5-objects-carbon-debug -- complete list of mac Kerberos v5 Carbon debug objects, relative to root
+# krb5-objects-carbon-final -- complete list of mac Kerberos v5 Carbon final objects, relative to root
+# profile-objects-carbon-debug -- complete list of mac profile Carbon debug objects, relative to root
+# profile-objects-carbon-final -- complete list of mac profile v5 Carbon final objects, relative to root
+# comerr-objects-carbon-debug -- complete list of mac com_err Carbon debug objects, relative to root
+# comerr-objects-carbon-final -- complete list of mac com_err v5 Carbon final objects, relative to root
+# include-folders -- complete list of include paths, relative to root
#
# input on stdin
# output on stdout
@@ -103,115 +103,115 @@ if ($action eq "all-folders") {
@outputList = grep (/:et:/, @sourceList);
print (STDERR "Done. \n");
-} elsif ($action eq "gss-objects-ppc-debug") {
+} elsif ($action eq "gss-objects-macos9-debug") {
- print (STDERR "# Building GSS PPC debug object listÉ ");
- @outputList = grep (s/\.c$/\.ppcd.o/, @sourceList);
+ print (STDERR "# Building GSS Mac OS 9 debug object listÉ ");
+ @outputList = grep (s/\.c$/\.9d.o/, @sourceList);
@outputList = grep (/:gssapi:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "gss-objects-68k-debug") {
+} elsif ($action eq "gss-objects-macos9-final") {
- print (STDERR "# Building GSS 68K debug object listÉ ");
- @outputList = grep (s/\.c$/\.68kd.o/, @sourceList);
+ print (STDERR "# Building GSS Mac OS 9 final object listÉ ");
+ @outputList = grep (s/\.c$/\.9.o/, @sourceList);
@outputList = grep (/:gssapi:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "gss-objects-ppc-final") {
+} elsif ($action eq "krb5-objects-macos9-debug") {
- print (STDERR "# Building GSS PPC final object listÉ ");
- @outputList = grep (s/\.c$/\.ppcf.o/, @sourceList);
- @outputList = grep (/:gssapi:/, @outputList);
+ print (STDERR "# Building Kerberos v5 Mac OS 9 debug object listÉ ");
+ @outputList = grep (s/\.c$/\.9d.o/, @sourceList);
+ @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "gss-objects-68k-final") {
+} elsif ($action eq "krb5-objects-macos9-final") {
- print (STDERR "# Building GSS 68K final object listÉ ");
- @outputList = grep (s/\.c$/\.68kf.o/, @sourceList);
- @outputList = grep (/:gssapi:/, @outputList);
+ print (STDERR "# Building Kerberos v5 Mac OS 9 final object listÉ ");
+ @outputList = grep (s/\.c$/\.9.o/, @sourceList);
+ @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "krb5-objects-ppc-debug") {
+} elsif ($action eq "profile-objects-macos9-debug") {
- print (STDERR "# Building Kerberos v5 PPC debug object listÉ ");
- @outputList = grep (s/\.c$/\.ppcd.o/, @sourceList);
- @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
+ print (STDERR "# Building profile Mac OS 9 debug object listÉ ");
+ @outputList = grep (s/\.c$/\.9d.o/, @sourceList);
+ @outputList = grep (/:profile:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "krb5-objects-68k-debug") {
+} elsif ($action eq "profile-objects-macos9-final") {
- print (STDERR "# Building Kerberos v5 68K debug object listÉ ");
- @outputList = grep (s/\.c$/\.68kd.o/, @sourceList);
- @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
+ print (STDERR "# Building profile Mac OS 9 final object listÉ ");
+ @outputList = grep (s/\.c$/\.9.o/, @sourceList);
+ @outputList = grep (/:profile:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "krb5-objects-ppc-final") {
+} elsif ($action eq "comerr-objects-macos9-debug") {
- print (STDERR "# Building Kerberos v5 PPC final object listÉ ");
- @outputList = grep (s/\.c$/\.ppcf.o/, @sourceList);
- @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
+ print (STDERR "# Building com_err Mac OS 9 debug object listÉ ");
+ @outputList = grep (s/\.c$/\.9d.o/, @sourceList);
+ @outputList = grep (/:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "krb5-objects-68k-final") {
+} elsif ($action eq "comerr-objects-macos9-final") {
- print (STDERR "# Building Kerberos v5 68K final object listÉ ");
- @outputList = grep (s/\.c$/\.68kf.o/, @sourceList);
- @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
+ print (STDERR "# Building com_err Mac OS 9 final object listÉ ");
+ @outputList = grep (s/\.c$/\.9.o/, @sourceList);
+ @outputList = grep (/:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "profile-objects-ppc-debug") {
+} elsif ($action eq "gss-objects-carbon-debug") {
- print (STDERR "# Building profile PPC debug object listÉ ");
- @outputList = grep (s/\.c$/\.ppcd.o/, @sourceList);
- @outputList = grep (/:profile:/, @outputList);
+ print (STDERR "# Building GSS Carbon debug object listÉ ");
+ @outputList = grep (s/\.c$/\.CBd.o/, @sourceList);
+ @outputList = grep (/:gssapi:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "profile-objects-68k-debug") {
+} elsif ($action eq "gss-objects-carbon-final") {
- print (STDERR "# Building profile 68K debug object listÉ ");
- @outputList = grep (s/\.c$/\.68kd.o/, @sourceList);
- @outputList = grep (/:profile:/, @outputList);
+ print (STDERR "# Building GSS Carbon final object listÉ ");
+ @outputList = grep (s/\.c$/\.CB.o/, @sourceList);
+ @outputList = grep (/:gssapi:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "profile-objects-ppc-final") {
+} elsif ($action eq "krb5-objects-carbon-debug") {
- print (STDERR "# Building profile PPC final object listÉ ");
- @outputList = grep (s/\.c$/\.ppcf.o/, @sourceList);
- @outputList = grep (/:profile:/, @outputList);
+ print (STDERR "# Building Kerberos v5 Carbon debug object listÉ ");
+ @outputList = grep (s/\.c$/\.CBd.o/, @sourceList);
+ @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "profile-objects-68k-final") {
+} elsif ($action eq "krb5-objects-carbon-final") {
- print (STDERR "# Building profile 68K final object listÉ ");
- @outputList = grep (s/\.c$/\.68kf.o/, @sourceList);
- @outputList = grep (/:profile:/, @outputList);
+ print (STDERR "# Building Kerberos v5 Carbon final object listÉ ");
+ @outputList = grep (s/\.c$/\.CB.o/, @sourceList);
+ @outputList = grep (!/:gssapi:|:profile:|:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "comerr-objects-ppc-debug") {
+} elsif ($action eq "profile-objects-carbon-debug") {
- print (STDERR "# Building com_err PPC debug object listÉ ");
- @outputList = grep (s/\.c$/\.ppcd.o/, @sourceList);
- @outputList = grep (/:et:/, @outputList);
+ print (STDERR "# Building profile Carbon debug object listÉ ");
+ @outputList = grep (s/\.c$/\.CBd.o/, @sourceList);
+ @outputList = grep (/:profile:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "comerr-objects-68k-debug") {
+} elsif ($action eq "profile-objects-carbon-final") {
- print (STDERR "# Building com_err 68K debug object listÉ ");
- @outputList = grep (s/\.c$/\.68kd.o/, @sourceList);
- @outputList = grep (/:et:/, @outputList);
+ print (STDERR "# Building profile Carbon final object listÉ ");
+ @outputList = grep (s/\.c$/\.CB.o/, @sourceList);
+ @outputList = grep (/:profile:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "comerr-objects-ppc-final") {
+} elsif ($action eq "comerr-objects-carbon-debug") {
- print (STDERR "# Building com_err PPC final object listÉ ");
- @outputList = grep (s/\.c$/\.ppcf.o/, @sourceList);
+ print (STDERR "# Building com_err Carbon debug object listÉ ");
+ @outputList = grep (s/\.c$/\.CBd.o/, @sourceList);
@outputList = grep (/:et:/, @outputList);
print (STDERR "Done. \n");
-} elsif ($action eq "comerr-objects-68k-final") {
+} elsif ($action eq "comerr-objects-carbon-final") {
- print (STDERR "# Building com_err 68K final object listÉ ");
- @outputList = grep (s/\.c$/\.68kf.o/, @sourceList);
+ print (STDERR "# Building com_err Carbon final object listÉ ");
+ @outputList = grep (s/\.c$/\.CB.o/, @sourceList);
@outputList = grep (/:et:/, @outputList);
print (STDERR "Done. \n");
@@ -448,7 +448,7 @@ sub read_file
{
die("Bad call to read_file") unless defined $_[0];
local($FN) = (&chew_on_filename($_[0]));
- local (@LINES, @NLFREE_LINES);
+ local ($CONTENTS, @NLFREE_LINES);
if (!open(FILE, $FN))
{
@@ -456,16 +456,23 @@ sub read_file
exit(1);
}
- @LINES=<FILE>;
- @NLFREE_LINES=grep(s/\n$//, @LINES);
-
- if (!close(FILE))
{
- print(STDERR "Can't close $FN.\n");
- exit(1);
- }
+ local ($/);
+ undef $/;
+ $CONTENTS = <FILE>;
+
+ $CONTENTS =~ s/\012/\015/g;
+
+ @NLFREE_LINES = split ('\015', $CONTENTS);
+
+ if (!close(FILE))
+ {
+ print(STDERR "Can't close $FN.\n");
+ exit(1);
+ }
- @NLFREE_LINES;
+ return @NLFREE_LINES;
+ }
}
# lists files that match $PATTERN in $DIR.
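Review bot: The line-ending normalisation in `read_file` turns every LF into CR before splitting, so a file with CRLF endings becomes CR CR and `split` yields an empty element after each line. If such input can reach this script, collapse the pair first: `$CONTENTS =~ s/\015?\012/\015/g;`. The early `exit(1)` on a failed `open` is unchanged, and the `return` now sits inside the bare block that localises `$/`, which is worth a one-line comment such as `# slurp mode: $/ is undefined only inside this block`.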
diff --git a/src/slave/ChangeLog b/src/slave/ChangeLog
index e80bb38..3a72951 100644
--- a/src/slave/ChangeLog
+++ b/src/slave/ChangeLog
@@ -1,3 +1,9 @@
+2000-05-08 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kprop.c (open_connection): New argument indicates output buffer
+ size. Don't overrun it.
+ (get_tickets): Pass size of Errmsg.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/slave/kprop.c b/src/slave/kprop.c
index 5b6b596..fa32f11 100644
--- a/src/slave/kprop.c
+++ b/src/slave/kprop.c
@@ -72,7 +72,7 @@ void get_tickets
static void usage
PROTOTYPE((void));
krb5_error_code open_connection
- PROTOTYPE((char *, int *, char *));
+ PROTOTYPE((char *, int *, char *, int));
void kerberos_authenticate
PROTOTYPE((krb5_context, krb5_auth_context *,
int, krb5_principal, krb5_creds **));
@@ -116,7 +116,7 @@ main(argc, argv)
get_tickets(context);
database_fd = open_database(context, file, &database_size);
- if (retval = open_connection(slave_host, &fd, Errmsg)) {
+ if (retval = open_connection(slave_host, &fd, Errmsg, sizeof(Errmsg))) {
com_err(progname, retval, "%s while opening connection to %s",
Errmsg, slave_host);
exit(1);
@@ -307,10 +307,11 @@ void get_tickets(context)
}
krb5_error_code
-open_connection(host, fd, Errmsg)
+open_connection(host, fd, Errmsg, ErrmsgSz)
char *host;
int *fd;
char *Errmsg;
+ int ErrmsgSz;
{
int s;
krb5_error_code retval;
@@ -331,8 +332,9 @@ open_connection(host, fd, Errmsg)
if(!port) {
sp = getservbyname(KPROP_SERVICE, "tcp");
if (sp == 0) {
- (void) strcpy(Errmsg, KPROP_SERVICE);
- (void) strcat(Errmsg, "/tcp: unknown service");
+ (void) strncpy(Errmsg, KPROP_SERVICE, ErrmsgSz - 1);
+ Errmsg[ErrmsgSz - 1] = '\0';
+ (void) strncat(Errmsg, "/tcp: unknown service", ErrmsgSz - 1 - strlen(Errmsg));
*fd = -1;
return(0);
}
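Review bot: `ErrmsgSz` is a signed `int` used as a length without a check: for a value of 0 or less, `ErrmsgSz - 1` becomes a huge `size_t` in the `strncpy` call and `Errmsg[ErrmsgSz - 1]` writes before the buffer. The one caller in this diff passes `sizeof(Errmsg)`, which is the buffer size only if `Errmsg` is an array at that point (its declaration is not in the hunks). A guard at the top of the function, `if (ErrmsgSz <= 0) { *fd = -1; return(0); }`, or a `size_t` parameter would make the contract explicit. open_connection starts and continues outside this hunk, so any other write to `Errmsg` in the parts not shown needs the same bound.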
@@ -481,7 +483,8 @@ open_database(context, data_fn, size)
com_err(progname, ENOMEM, "while trying to malloc data_ok_fn");
exit(1);
}
- strcat(strcpy(data_ok_fn, data_fn), ok);
+ strcpy(data_ok_fn, data_fn);
+ strcat(data_ok_fn, ok);
if (stat(data_ok_fn, &stbuf_ok)) {
com_err(progname, errno, "while trying to stat %s",
data_ok_fn);
diff --git a/src/tests/ChangeLog b/src/tests/ChangeLog
index 04f6509..b4212fc 100644
--- a/src/tests/ChangeLog
+++ b/src/tests/ChangeLog
@@ -1,3 +1,21 @@
+2000-11-08 Tom Yu <tlyu@mit.edu>
+
+ * configure.in: Change KRB4_DEJAGNU_TEST variable to KRBIV from
+ KRB4; dejagnu-1.3 doesn't like digits in passed-in variables.
+ [pullup from trunk]
+
+2000-11-01 Ezra Peisach <epeisach@mit.edu>
+
+ * configure.in: Use AC_C_CONST and AC_TYPE_SIGNAL instead of
+ AC_RETSIGTYPE and AC_TYPE_SIGNAL.
+ [pullup from trunk]
+
+2000-08-08 Ezra Peisach <epeisach@mit.edu>
+
+ * configure.in: Define KRB4_DEJAGNU_TEST depending on if krb4
+ support is enabled.
+ [pullup from trunk]
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/asn.1/ChangeLog b/src/tests/asn.1/ChangeLog
index e0eaa33..ffc3797 100644
--- a/src/tests/asn.1/ChangeLog
+++ b/src/tests/asn.1/ChangeLog
@@ -1,3 +1,17 @@
+2001-01-31 Tom Yu <tlyu@mit.edu>
+
+ * krb5_decode_test.c (main): Add new test cases for indefinite
+ length ticket and as_rep. Fix up calls to decode_run() to have
+ the modifier be in the description parameter.
+ (decode_run): If the ASN1 decoder returns an error, add one to the
+ error count so there will be a non-zero exit. Sometimes, the
+ decoded structure is complete enoght to pass the test, even with
+ an ASN.1 error - which can easilly get missed in the output run.
+ [pullup from trunk]
+
+ * utility.c (asn1_krb5_data_unparse): signed char
+ paranoia. [pullup from trunk]
+
1999-11-01 Tom Yu <tlyu@mit.edu>
* krb5_decode_test.c (main): Add test case for zero-length
diff --git a/src/tests/asn.1/krb5_decode_test.c b/src/tests/asn.1/krb5_decode_test.c
index 8ec075b..24efb54 100644
--- a/src/tests/asn.1/krb5_decode_test.c
+++ b/src/tests/asn.1/krb5_decode_test.c
@@ -40,6 +40,7 @@ int main(argc, argv)
retval = decoder(&code,&var);\
if(retval){\
com_err("krb5_decode_test", retval, "while decoding %s", typestring);\
+ error_count++;\
}\
assert(comparator(&ref,var),typestring);\
printf("%s\n",description)
@@ -67,6 +68,49 @@ int main(argc, argv)
{
setup(krb5_ticket,"krb5_ticket",ktest_make_sample_ticket);
decode_run("ticket","","61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_ticket,ktest_equal_ticket);
+ decode_run("ticket","(+ trailing [4] INTEGER","61 61 30 5F A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A4 03 02 01 01",decode_krb5_ticket,ktest_equal_ticket);
+
+/*
+ "61 80 30 80 "
+ " A0 03 02 01 05 "
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 "
+ " A2 80 30 80 "
+ " A0 03 02 01 01 "
+ " A1 80 30 80 "
+ " 1B 06 68 66 74 73 61 69 "
+ " 1B 05 65 78 74 72 61 "
+ " 00 00 00 00 "
+ " 00 00 00 00 "
+ " A3 80 30 80 "
+ " A0 03 02 01 00 "
+ " A1 03 02 01 05 "
+ " A2 17 04 15 6B 72 62 41 53 4E 2E 31 "
+ " 20 74 65 73 74 20 6D 65 73 73 61 67 65 "
+ " 00 00 00 00"
+ "00 00 00 00"
+*/
+ decode_run("ticket","(indefinite lengths)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00" ,decode_krb5_ticket,ktest_equal_ticket);
+/*
+ "61 80 30 80 "
+ " A0 03 02 01 05 "
+ " A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 "
+ " A2 80 30 80 "
+ " A0 03 02 01 01 "
+ " A1 80 30 80 "
+ " 1B 06 68 66 74 73 61 69 "
+ " 1B 05 65 78 74 72 61 "
+ " 00 00 00 00 "
+ " 00 00 00 00 "
+ " A3 80 30 80 "
+ " A0 03 02 01 00 "
+ " A1 03 02 01 05 "
+ " A2 17 04 15 6B 72 62 41 53 4E 2E 31 "
+ " 20 74 65 73 74 20 6D 65 73 73 61 67 65 "
+ " 00 00 00 00"
+ " A4 03 02 01 01 "
+ "00 00 00 00"
+*/
+ decode_run("ticket","(indefinite lengths + trailing [4] INTEGER)", "61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 A4 03 02 01 01 00 00 00 00",decode_krb5_ticket,ktest_equal_ticket);
}
/****************************************************************/
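Review bot: The description string of the second `decode_run` call is missing its closing parenthesis: `"(+ trailing [4] INTEGER"` should be `"(+ trailing [4] INTEGER)"`, as in the other modifiers added by this commit. The macro prints the description, so the unbalanced label ends up in the test output. The two commented byte layouts repeat the encodings passed on the following lines and have to be kept in sync by hand. A short comment saying they are the indented form of the string below, such as `/* indented view of the encoding passed to the next decode_run() */`, would make that explicit. main() starts outside this hunk.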
@@ -74,21 +118,22 @@ int main(argc, argv)
{
setup(krb5_keyblock,"krb5_keyblock",ktest_make_sample_keyblock);
decode_run("encryption_key","","30 11 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key(+ trailing [2] INTEGER)","","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key(+ trailing [2] SEQUENCE {[0] INTEGER})","","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key(indefinite lengths)","","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key(indefinite lengths + trailing [2] INTEGER)","","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
- decode_run("encryption_key(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(+ trailing [2] INTEGER)","30 16 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(+ trailing [2] SEQUENCE {[0] INTEGER})","30 1A A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 07 30 05 A0 03 02 01 01",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(indefinite lengths)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] INTEGER)","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 03 02 01 01 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(indefinite lengths + trailing [2] SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 A2 80 30 80 A0 03 02 01 01 00 00 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(indefinite lengths + trailing SEQUENCE {[0] INTEGER})","30 80 A0 03 02 01 01 A1 0A 04 08 31 32 33 34 35 36 37 38 30 80 A0 03 02 01 01 00 00 00 00",decode_krb5_encryption_key,ktest_equal_encryption_key);
ref.enctype = -1;
- decode_run("encryption_key(enctype = -1)","","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -1)","30 11 A0 03 02 01 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
ref.enctype = -255;
- decode_run("encryption_key(enctype = -255)","","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -255)","30 12 A0 04 02 02 FF 01 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
ref.enctype = 255;
- decode_run("encryption_key(enctype = 255)","","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = 255)","30 12 A0 04 02 02 00 FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
ref.enctype = -2147483648;
- decode_run("encryption_key(enctype = -2147483648)","","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = -2147483648)","30 14 A0 06 02 04 80 00 00 00 A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
ref.enctype = 2147483647;
- decode_run("encryption_key(enctype = 2147483647)","","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
+ decode_run("encryption_key","(enctype = 2147483647)","30 14 A0 06 02 04 7F FF FF FF A1 0A 04 08 31 32 33 34 35 36 37 38",decode_krb5_encryption_key,ktest_equal_encryption_key);
}
/****************************************************************/
@@ -146,6 +191,57 @@ int main(argc, argv)
ref.msg_type = KRB5_AS_REP;
decode_run("as_rep","","6B 81 EA 30 81 E7 A0 03 02 01 05 A1 03 02 01 0B A2 26 30 24 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 30 10 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep);
+
+/*
+ 6B 80 30 80
+ A0 03 02 01 05
+ A1 03 02 01 0B
+ A2 80 30 80
+ 30 80
+ A1 03 02 01 0D
+ A2 09 04 07 70 61 2D 64 61 74 61
+ 00 00
+ 30 80
+ A1 03 02 01 0D
+ A2 09 04 07 70 61 2D 64 61 74 61
+ 00 00
+ 00 00 00 00
+ A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
+ A4 80 30 80
+ A0 03 02 01 01
+ A1 80 30 80
+ 1B 06 68 66 74 73 61 69
+ 1B 05 65 78 74 72 61
+ 00 00 00 00
+ 00 00 00 00
+ A5 80 61 80 30 80
+ A0 03 02 01 05
+ A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55
+ A2 80 30 80
+ A0 03 02 01 01
+ A1 80 30 80
+ 1B 06 68 66 74 73 61 69
+ 1B 05 65 78 74 72 61
+ 00 00 00 00
+ 00 00 00 00
+ A3 80 30 80
+ A0 03 02 01 00
+ A1 03 02 01 05
+ A2 17 04 15 6B 72 62 41 53 4E 2E 31
+ 20 74 65 73 74 20 6D 65
+ 73 73 61 67 65
+ 00 00 00 00
+ 00 00 00 00 00 00
+ A6 80 30 80
+ A0 03 02 01 00
+ A1 03 02 01 05
+ A2 17 04 15 6B 72 62 41 53 4E 2E 31
+ 20 74 65 73 74 20 6D 65
+ 73 73 61 67 65
+ 00 00 00 00
+ 00 00 00 00
+*/
+ decode_run("as_rep","(indefinite lengths)","6B 80 30 80 A0 03 02 01 05 A1 03 02 01 0B A2 80 30 80 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 30 80 A1 03 02 01 0D A2 09 04 07 70 61 2D 64 61 74 61 00 00 00 00 00 00 A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A5 80 61 80 30 80 A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 80 30 80 A0 03 02 01 01 A1 80 30 80 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 00 00 00 00 00 00 00 00 A3 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00 00 00 A6 80 30 80 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 00 00 00 00 00 00 00 00",decode_krb5_as_rep,ktest_equal_as_rep);
ktest_destroy_pa_data_array(&(ref.padata));
decode_run("as_rep","(optionals NULL)","6B 81 C2 30 81 BF A0 03 02 01 05 A1 03 02 01 0B A3 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A4 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A5 5E 61 5C 30 5A A0 03 02 01 05 A1 10 1B 0E 41 54 48 45 4E 41 2E 4D 49 54 2E 45 44 55 A2 1A 30 18 A0 03 02 01 01 A1 11 30 0F 1B 06 68 66 74 73 61 69 1B 05 65 78 74 72 61 A3 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65 A6 25 30 23 A0 03 02 01 00 A1 03 02 01 05 A2 17 04 15 6B 72 62 41 53 4E 2E 31 20 74 65 73 74 20 6D 65 73 73 61 67 65",decode_krb5_as_rep,ktest_equal_as_rep);
}
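Review bot: Only a well-formed indefinite-length AS-REP is exercised by the new `decode_run("as_rep","(indefinite lengths)",…)` case; nothing in this hunk checks that the decoder rejects an encoding whose end-of-contents octets (`00 00`) are missing, surplus, or placed at the wrong nesting level. Indefinite-length handling is where a BER parser most easily loses track of how much input remains, so a malformed variant that is expected to fail would cover more than another positive case. Whether `decode_run` can express an expected failure is not visible from here. The annotated hex dump duplicates the string literal and has to be kept in sync by hand, so a first comment line such as `/* Layout of the indefinite-length encoding below; keep in sync with the string. */` would help. The body of main continues outside the hunk.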
diff --git a/src/tests/asn.1/utility.c b/src/tests/asn.1/utility.c
index 739d639..0831a08 100644
--- a/src/tests/asn.1/utility.c
+++ b/src/tests/asn.1/utility.c
@@ -22,11 +22,11 @@ asn1_error_code asn1_krb5_data_unparse(code, s)
}else{
int i;
- *s = (char*)calloc(3*(code->length), sizeof(char));
+ *s = (char*)calloc((size_t) 3*(code->length), sizeof(char));
if(*s == NULL) return ENOMEM;
for(i = 0; i < code->length; i++){
- (*s)[3*i] = hexchar(((code->data)[i]&0xF0)>>4);
- (*s)[3*i+1] = hexchar((code->data)[i]&0x0F);
+ (*s)[3*i] = hexchar((unsigned char) (((code->data)[i]&0xF0)>>4));
+ (*s)[3*i+1] = hexchar((unsigned char) ((code->data)[i]&0x0F));
(*s)[3*i+2] = ' ';
}
(*s)[3*(code->length)-1] = '\0';
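Review bot: The loop still indexes with `int i` and computes `3*i` in int arithmetic, so the widening added to the `calloc` size does not carry through to the writes at `(*s)[3*i]`. Declaring the index as `size_t i;` would keep index and allocation size in the same type, and would remove the signed/unsigned comparison in `i < code->length` if that field is unsigned, as the `(size_t)` cast suggests. The product `3*(code->length)` is also unchecked for wraparound. The final `(*s)[3*(code->length)-1] = '\0';` would write before the buffer for a zero length unless the branch ahead of `}else{`, which is outside the hunk, already excludes that case. asn1_krb5_data_unparse begins and ends outside the hunk.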
diff --git a/src/tests/configure.in b/src/tests/configure.in
index dc9df5b..8ce1986 100644
--- a/src/tests/configure.in
+++ b/src/tests/configure.in
@@ -5,11 +5,18 @@ KRB5_BUILD_PROGRAM
AC_HEADER_STDC
AC_CHECK_FUNCS(strchr)
AC_CHECK_HEADERS(unistd.h stdlib.h sys/param.h sys/socket.h)
-AC_CONST
+AC_C_CONST
AC_PROG_INSTALL
AC_CHECK_PROG(RUNTEST,runtest,runtest)
-AC_RETSIGTYPE
+AC_TYPE_SIGNAL
CHECK_SIGNALS
+if test "$KRB4_LIB" = ''; then
+ KRB4_DEJAGNU_TEST="KRBIV=0"
+else
+ AC_MSG_RESULT(Kerberos 4 testing enabled)
+ KRB4_DEJAGNU_TEST="KRBIV=1"
+fi
+AC_SUBST(KRB4_DEJAGNU_TEST)
K5_GEN_MAKEFILE(.)
K5_GEN_MAKEFILE(resolve)
K5_GEN_MAKEFILE(asn.1)
diff --git a/src/tests/create/ChangeLog b/src/tests/create/ChangeLog
index 5573352..bc57b0c 100644
--- a/src/tests/create/ChangeLog
+++ b/src/tests/create/ChangeLog
@@ -1,3 +1,13 @@
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdb5_mkdums.c (main): Make sure buffer 'principal' is terminated.
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdb5_mkdums.c (main): Make sure buffer "tmp" is
+ null-terminated. Don't overflow buffer "tmp" or "tmp2".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/create/kdb5_mkdums.c b/src/tests/create/kdb5_mkdums.c
index 3cacc19..aa1854c 100644
--- a/src/tests/create/kdb5_mkdums.c
+++ b/src/tests/create/kdb5_mkdums.c
@@ -130,7 +130,8 @@ char *argv[];
mkey_password = optarg;
break;
case 'p': /* prefix name to create */
- strcpy(principal_string, optarg);
+ strncpy(principal_string, optarg, sizeof(principal_string) - 1);
+ principal_string[sizeof(principal_string) - 1] = '\0';
suffix = principal_string + strlen(principal_string);
break;
case 'n': /* how many to create */
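Review bot: Truncating the prefix to `sizeof(principal_string) - 1` leaves no room for the digits appended later at `suffix`. The next hunk still runs `(void) sprintf(suffix, "%d", n);`, so a maximum-length `-p` argument makes that call write past the end of `principal_string`. Either reserve space for the number when copying, or bound the later write, for example `(void) snprintf(suffix, sizeof(principal_string) - (size_t)(suffix - principal_string), "%d", n);`. This assumes `principal_string` is an array, as the `sizeof` use implies; its declaration and the rest of main are outside the hunk.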
@@ -195,13 +196,14 @@ char *argv[];
again given a prefix and count to test the db lib and kdb */
(void) sprintf(suffix, "%d", n);
(void) sprintf(tmp, "%s-DEPTH-1", principal_string);
+ tmp[sizeof(tmp) - 1] = '\0';
str_newprinc = tmp;
add_princ(test_context, str_newprinc);
for (i = 2; i <= depth; i++) {
- tmp2[0] = '\0';
(void) sprintf(tmp2, "/%s-DEPTH-%d", principal_string, i);
- strcat(tmp, tmp2);
+ tmp2[sizeof(tmp2) - 1] = '\0';
+ strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp));
str_newprinc = tmp;
add_princ(test_context, str_newprinc);
}
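Review bot: Setting `tmp[sizeof(tmp) - 1] = '\0';` after `sprintf` does not prevent an overflow, because `sprintf` has already written its whole output, terminator included, by the time that line runs; the same holds for `tmp2`. The bound has to be on the write itself: `(void) snprintf(tmp, sizeof(tmp), "%s-DEPTH-1", principal_string);` and `(void) snprintf(tmp2, sizeof(tmp2), "/%s-DEPTH-%d", principal_string, i);`. The `strncat` limit of `sizeof(tmp) - 1 - strlen(tmp)` is correct as written. The sizes of `tmp` and `tmp2` are declared outside the hunk, so whether the formatted strings can actually exceed them depends on how they compare with `principal_string`.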
diff --git a/src/tests/dejagnu/ChangeLog b/src/tests/dejagnu/ChangeLog
index ee65f85..a9062b2 100644
--- a/src/tests/dejagnu/ChangeLog
+++ b/src/tests/dejagnu/ChangeLog
@@ -1,3 +1,9 @@
+2000-08-08 Ezra Peisach <epeisach@mit.edu>
+
+ * Makefile.in (KRB4_RUNTESTFLAGS): Set from configure.in and pass
+ to runtest if krb4 compatibility is enabled.
+ [pullup from trunk]
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/dejagnu/Makefile.in b/src/tests/dejagnu/Makefile.in
index a93bae0..668e118 100644
--- a/src/tests/dejagnu/Makefile.in
+++ b/src/tests/dejagnu/Makefile.in
@@ -7,6 +7,7 @@ RUNTESTFLAGS =
KRB5_RUN_ENV= @KRB5_RUN_ENV@
PROG_LIBPATH=-L$(TOPLIBD)
PROG_RPATH=$(KRB5_LIBDIR)
+KRB4_RUNTESTFLAGS=@KRB4_DEJAGNU_TEST@
SRCS=$(srcdir)/t_inetd.c
@@ -21,7 +22,7 @@ check-::
@echo "+++"
check-runtest:: t_inetd site.exp
- $(HAVE_RUNTEST) --tool krb --srcdir $(srcdir) $(RUNTESTFLAGS)
+ $(HAVE_RUNTEST) --tool krb --srcdir $(srcdir) $(KRB4_RUNTESTFLAGS) $(RUNTESTFLAGS)
t_inetd:: t_inetd.o $(KRB5_BASE_DEPLIBS)
$(CC_LINK) -o t_inetd t_inetd.o $(KRB5_BASE_LIBS)
diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog
index 54d0e4b..b499111 100644
--- a/src/tests/dejagnu/config/ChangeLog
+++ b/src/tests/dejagnu/config/ChangeLog
@@ -1,3 +1,219 @@
+2003-03-26 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (v4kinit): Expect failure when kiniting to a des3
+ TGT, due to fix for MITKRB5-SA-2003-004.
+
+2002-11-08 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Add (disabled) debugging code for catching leaking
+ ptys. expect eof from the correct spawn_ids when killing kdc and
+ kadmind to avoid leaking ptys.
+ (do_klist, v4klist, v4klist_none): Check for eof to avoid leaking
+ ptys.
+ [pullup from trunk]
+
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (stop_kerberos_daemons): Kill, expect eof, wait, in
+ that order. Avoids delivery of multiple signals (HUP+TERM) to KDC
+ daemons when shutting down.
+
+ * default.exp (start_kerberos_daemons): Fix to use "tail -f" to
+ check for setup messages from daemons; this avoids a few race
+ conditions.
+
+ [pullups from trunk]
+
+2002-11-03 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (start_kerberos_daemons): When standalone, delete
+ KDC replay cache before starting it up.
+ [pullup from trunk]
+
+2002-02-07 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (modify_principal): Call check_exit_status.
+
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (modify_principal, kinit_kt, v4kinit_kt, do_klist,
+ do_klist_kt, do_klist_err, do_kdestroy, xst, v4klist, v4kdestroy,
+ v4klist_none): New procs.
+ (add_random_key): No need to call expect_after in 'body' since
+ both branches at invocation site will do it.
+ (setup_root_shell, setup_root_shell_remote): Set correct value for
+ KRB5_CONFIG.
+ (passes): Add des-crc and des-md5 krb4 passes.
+ (top level): Set KLIST and KDESTROY.
+ (spawn_xterm): New proc useful for debugging only.
+
+2001-10-31 Tom Yu <tlyu@mit.edu>
+
+ * default.exp (check_k5login, check_klogin): Error out if there is
+ a nonexistent .k5login or .klogin for root.
+ (setup_{kadmind_,}srvtab, add_{random,kerberos}_key): Notice
+ unmatched output to avoid timing out on certain errors. Look for
+ command echoes. Clear the expect_after list in places to avoid
+ problems with lingering expect_after clauses against invalid
+ spawn_ids. expect eof in places to avoid pty deadlock.
+
+2001-10-27 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Mark as unused the test passes that won't
+ accomplish anything due to disabling of SUPPORT_DESMD5 in the
+ code.
+ [pullup from trunk]
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Add support for setting SUPPORT_DESMD5 flag on the
+ TGT principal. Add test pass des.md5-tgt for exercising enctype
+ similarity inconsistency. Add test pass des.no-kdc-md5 for
+ exercising failure to constrain session key issuance to
+ permitted_enctypes. Pepper the code with null calls to
+ expect_after to prevent misfiring of expect_after clauses.
+ (setup_srvtab): Look for some possible error cases to avoid timing
+ out.
+ (setup_root_shell): Restore timeout so we don't wait 5 minutes in
+ other places.
+ [pullup from trunk]
+
+2001-08-06 <epeisach@mit.edu>
+
+ * default.exp (setup_root_shell): Also recognize "nection reset by
+ peer" as a failure to get a root shell. This happens if
+ tcp_wrappers are in use in inetd.conf, but rlogind is not prsent
+ on the machine.
+ [pullup from trunk]
+
+2001-06-22 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Use the interface variable $TMPDIR to allow the
+ specification of an alternative temporary directory. Wrap a loop
+ around various testings and settings of interface variables that
+ specify the locations of programs to be tested, e.g. $KADMIND.
+ Add some support for having different sets of enctypes on client,
+ server, and kdc. The envstack changes and multiple config file
+ support should get cleaned up somewhat later to possibly allow for
+ programs to execute on different hosts.
+ (check_k5login): Fix up to reflect actual (perhaps bogus) behavior
+ of krb5_kuserok(), which doesn't do quite what we expect, so there
+ really does need to be something like "luser@KRBTEST.COM" in the
+ .k5login file.
+ (check_klogin): New procedure; .klogin also needs to be checked
+ for the v4gssftp test.
+ (envstack_push, envstack_pop): New procedure; keep a stack of
+ environment variable state, which is useful for running different
+ programs with different config files.
+ (setup_runtime_flags, setup_kerberos_env): Rewrite somewhat so
+ they play nice with the envstack.
+ (setup_krb5_conf): New procedure; write a config file with the
+ contents parameterized based on the type of program that will use
+ it.
+ (setup_kerberos_files): Create different krb5.conf files for
+ client, server, and kdc.
+ (setup_kadmind_srvtab, setup_kerberos_db, start_kerberos_daemons):
+ Rewrite to play nice with envstack.
+ (setup_root_shell_noremote): New procedure from raeburn; handle
+ the case where we're already running as root.
+ (setup_root_shell): Call setup_root_shell_noremote as appropriate.
+ [pullup from trunk]
+
+2001-06-17 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: Add an entry for krb524_server for the localhost
+ with a non-standard port number.
+ [pullup from trunk]
+
+2001-04-25 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: For Kerberos 4 tests, use a different ticket file
+ name from the V5 tests.
+ [pullup from trunk]
+
+2000-11-08 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Use $KRBIV rather than $KRB4 since dejagnu-1.3
+ doesn't deal with digits in passed-in variables.
+ [pullup from trunk]
+
+Thu Oct 12 12:06:03 2000 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: Add dict_file entry (and create one) for kdc.conf
+ [pullup from trunk]
+
+Tue Aug 22 09:47:50 2000 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: Create a properly formatted krb.conf file. Also
+ provide a krb4_srvtab stanza (even though we are falling back on
+ the keytab file) so the tests do not try to access an installed
+ systems /etc/srvtab file.
+ [pullup from trunk]
+
+2000-08-09 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Add an eof clause to avoid breakage if rlogin exits
+ too quickly.
+ [pullup from trunk]
+
+2000-08-08 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: Create krb.conf and krb.realms files for v4
+ compatibility. Set KRBTKFILE environment variable. Add
+ v4_compatible_enctype() proc to test if krb4 tests are being run
+ and if the current encryption type being tested is compatible with
+ V4. Added v4kinit() proc. Quoting of lists in mutipass variable
+ assignments is unnecessary.
+ [pullup from trunk]
+
+2000-08-07 Ezra Peisach <epeisach@mit.edu>
+
+ * default.exp: Protect Quote quotation marks in multipass variable
+ assignments. Dejagnu (June 1999 release) fails overwise.
+ [pullup from trunk]
+
+2000-07-22 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Add code to handle setting of PASS to constrain
+ multipass testing to particular passes. dejagnu-1.3 doesn't have
+ support for PASS, so we kludge it here, though some later versions
+ handle it by themselves.
+ (krb_exit): Add new proc to clean up on exit.
+ (kinit): Remove "expect \r" since "expect eof" will drain the pty
+ buffer properly anyway.
+ [pullup from trunk]
+
+2000-07-02 Tom Yu <tlyu@mit.edu>
+
+ * default.exp: Add rudimentary support for multiple passes. For
+ now, iterate over a few combinations of des_krbtgt and assorted
+ enctype lists. Will eventually allow for separate krb5.conf files
+ for clients and servers. Add varibles RLOGIN and RLOGIN_FLAGS to
+ permit run-time configuration of rlogin program if necessary. Set
+ up an onexit handler that calls stop_kerberos_daemons. Replace
+ many uses of doubled-up send_log and verbose with single calls to
+ verbose -log. Replace instances of send_error with perror where
+ appropriate, since this will cause successor test to fail, which
+ is usually what we want.
+ (setup_root_shell): Replace calls to untested with calls to
+ unsupported; also use note for explanatory text previously printed
+ using untested. Add match string for "connection refused" and
+ collapse common code into a single expect clause by using the -re
+ flag.
+ (start_kerberos_daemons): Conditionalize calls to fail based on
+ $standalone; in the !$standalone case, call perror instead. Calls
+ to fail and pass for a given test should have consistent strings,
+ and extraneous calls to fail should not be made in order to keep
+ the total number of passed and failed tests constant regardless of
+ success of setup steps. Much remains to be done in this area
+ though.
+ [pullup from trunk]
+
+2000-05-31 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (setup_kerberos_files): Include des3 in supported
+ enctypes.
+
2000-02-07 Tom Yu <tlyu@mit.edu>
* default.exp: Remove default_tgs_enctypes for now as it was
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 44ffab7..1443ba6 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -7,7 +7,7 @@
# This file provides several functions which deal with a local
# Kerberos database. We have to do this such that we don't interfere
# with any existing Kerberos database. We will create all the files
-# in the directory tmpdir, which will have been created by the
+# in the directory $tmppwd, which will have been created by the
# testsuite default script. We will use $REALMNAME as our Kerberos
# realm name, defaulting to KRBTEST.COM.
@@ -15,12 +15,249 @@ set timeout 100
set stty_init {erase \^h kill \^u}
set env(TERM) dumb
-set des3_krbtgt 1
+set des3_krbtgt 0
+set tgt_support_desmd5 0
+set supported_enctypes "des-cbc-crc:normal"
+set kdc_supported_enctypes "des-cbc-crc:normal"
+
+# The names of the individual passes must be unique; lots of things
+# depend on it. The PASSES variable may not contain comments; only
+# small pieces get evaluated, so comments will do strange things.
+
+# Most of the purpose of using multiple passes is to exercise the
+# dependency of various bugs on configuration file settings,
+# particularly with regards to encryption types.
+
+# The des.no-kdc-md5 pass will fail if the KDC does not constrain
+# session key enctypes to those in its permitted_enctypes list. It
+# works by assuming enctype similarity, thus allowing the client to
+# request a des-cbc-md4 session key. Since only des-cbc-crc is in the
+# KDC's permitted_enctypes list, the TGT will be unusable.
+
+# KLUDGE for tracking down leaking ptys
+if 0 {
+ rename spawn oldspawn
+ rename wait oldwait
+ proc spawn { args } {
+ upvar 1 spawn_id spawn_id
+ verbose "spawn: args=$args"
+ set pid [eval oldspawn $args]
+ verbose "spawn: pid=$pid spawn_id=$spawn_id"
+ return $pid
+ }
+ proc wait { args } {
+ upvar 1 spawn_id spawn_id
+ verbose "wait: args=$args"
+ set ret [eval oldwait $args]
+ verbose "wait: $ret"
+ return $ret
+ }
+}
-# We do everything in a temporary directory.
-if ![file isdirectory tmpdir] {catch "exec mkdir tmpdir" status}
+# The des.des3-tgt.no-kdc-des3 pass will fail if the KDC doesn't
+# constrain ticket key enctypes to those in permitted_enctypes. It
+# does this by not putting des3 in the permitted_enctypes, while
+# creating a TGT princpal that has a des3 key as well as a des key.
+
+# XXX -- master_key_type is fragile w.r.t. permitted_enctypes; it is
+# possible to configure things such that you have a master_key_type
+# that is not permitted, and the error message used to be cryptic.
+
+set passes {
+ {
+ des
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-crc:normal}
+ {kdc_supported_enctypes=des-cbc-crc:normal}
+ {dummy=[verbose -log "DES TGT, DES enctype"]}
+ }
+ {
+ des.des3tgt
+ des3_krbtgt=1
+ {supported_enctypes=des-cbc-crc:normal}
+ {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
+ {dummy=[verbose -log "DES3 TGT, DES enctype"]}
+ }
+ {
+ des3
+ des3_krbtgt=1
+ {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
+ {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
+ {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
+ }
+ {
+ des-v4
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-crc:v4}
+ {kdc_supported_enctypes=des-cbc-crc:v4}
+ {default_tkt_enctypes(client)=des-cbc-crc}
+ {dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
+ }
+ {
+ des-md5-v4
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
+ {kdc_supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
+ {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
+ {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
+ }
+ {
+ all-des-des3-enctypes
+ des3_krbtgt=1
+ {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \
+ des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \
+ des-cbc-md4:normal}
+ {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \
+ des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \
+ des-cbc-md4:normal}
+ {dummy=[verbose -log "DES3 TGT, many DES3 + DES enctypes"]}
+ }
+ {
+ des.no-kdc-md5
+ des3_krbtgt=0
+ tgt_support_desmd5=0
+ {permitted_enctypes(kdc)=des-cbc-crc}
+ {default_tgs_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
+ {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
+ {supported_enctypes=des-cbc-crc:normal}
+ {kdc_supported_enctypes=des-cbc-crc:normal}
+ {master_key_type=des-cbc-crc}
+ {dummy=[verbose -log \
+ "DES TGT, KDC permitting only des-cbc-crc"]}
+ }
+ {
+ des.des3-tgt.no-kdc-des3
+ tgt_support_desmd5=0
+ {permitted_enctypes(kdc)=des-cbc-crc}
+ {default_tgs_enctypes(client)=des-cbc-crc}
+ {default_tkt_enctypes(client)=des-cbc-crc}
+ {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
+ {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
+ {master_key_type=des-cbc-crc}
+ {dummy=[verbose -log \
+ "DES3 TGT, KDC permitting only des-cbc-crc"]}
+ }
+}
-set tmppwd "[pwd]/tmpdir"
+# des.md5-tgt is set as unused, since it won't trigger the error case
+# if SUPPORT_DESMD5 isn't honored.
+
+# The des.md5-tgt pass will fail if enctype similarity is inconsisent;
+# between 1.0.x and 1.1, the decrypt functions became more strict
+# about matching enctypes, while the KDB retrieval functions didn't
+# coerce the enctype to match what was requested. It works by setting
+# SUPPORT_DESMD5 on the TGT principal, forcing an enctype of
+# des-cbc-md5 on the TGT key. Since the database only contains a
+# des-cbc-crc key, the decrypt will fail if enctypes are not coerced.
+
+# des.no-kdc-md5.client-md4-skey is retained in unsed_passes, even
+# though des.no-kdc-md5 is roughly equivalent, since the associated
+# comment needs additional investigation at some point re the kadmin
+# client.
+
+# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to
+# the KDC issuing session keys that it won't accept. It will also
+# fail for a kadmin client, but for different reasons, since the kadm5
+# library does some curious filtering of enctypes, and also uses
+# get_in_tkt() rather than get_init_creds(); the former does an
+# intersection of the enctypes provided by the caller and those listed
+# in the config file!
+
+set unused_passes {
+ {
+ des.md5-tgt
+ des3_krbtgt=0
+ tgt_support_desmd5=1
+ supported_enctypes=des-cbc-crc:normal
+ kdc_supported_enctypes=des-cbc-crc:normal
+ {permitted_enctypes(kdc)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
+ {permitted_enctypes(client)=des-cbc-md5 des-cbc-md4 des-cbc-crc}
+ {dummy=[verbose -log "DES TGT, SUPPORTS_DESMD5"]}
+ }
+ {
+ des.md5-tgt.no-kdc-md5
+ des3_krbtgt=0
+ tgt_support_desmd5=1
+ {permitted_enctypes(kdc)=des-cbc-crc}
+ {default_tgs_enctypes(client)=des-cbc-crc}
+ {default_tkt_enctypes(client)=des-cbc-crc}
+ {supported_enctypes=des-cbc-crc:normal}
+ {kdc_supported_enctypes=des-cbc-crc:normal}
+ {master_key_type=des-cbc-crc}
+ {dummy=[verbose -log \
+ "DES TGT, SUPPORTS_DESMD5, KDC permitting only des-cbc-crc"]}
+ }
+ {
+ des.no-kdc-md5.client-md4-skey
+ des3_krbtgt=0
+ {permitted_enctypes(kdc)=des-cbc-crc}
+ {permitted_enctypes(client)=des-cbc-crc des-cbc-md4}
+ {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4}
+ {default_tkt_enctypes(client)=des-cbc-md4}
+ {supported_enctypes=des-cbc-crc:normal}
+ {kdc_supported_enctypes=des-cbc-crc:normal}
+ {dummy=[verbose -log \
+ "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]}
+ }
+ {
+ all-enctypes
+ des3_krbtgt=1
+ {supported_enctypes=\
+ rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \
+ serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \
+ twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \
+ des3-cbc-sha1:normal des3-cbc-sha1:none \
+ des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
+ des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
+ }
+ {kdc_supported_enctypes=\
+ rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \
+ serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \
+ twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \
+ des3-cbc-sha1:normal des3-cbc-sha1:none \
+ des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \
+ des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \
+ }
+ {dummy=[verbose -log "DES3 TGT, default enctypes"]}
+ }
+ {
+ aes
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
+ {kdc_supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
+ {default_tgs_enctypes=rijndael256-hmac-sha1 des-cbc-crc}
+ {default_tkt_enctypes=rijndael256-hmac-sha1 des-cbc-crc}
+ {dummy=[verbose -log "DES3 TGT, default enctypes"]}
+ }
+}
+# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal }
+# {kdc_supported_enctypes= des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal}
+
+# This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems
+# to need it because its runtest.exp doesn't deal with PASS at all.
+if [info exists PASS] {
+ foreach pass $passes {
+ if { [lsearch -exact $PASS [lindex $pass 0]] >= 0 } {
+ lappend MULTIPASS $pass
+ }
+ }
+} else {
+ set MULTIPASS $passes
+}
+
+set last_passname_conf ""
+set last_passname_db ""
+
+# We do everything in a temporary directory.
+if ![info exists TMPDIR] {
+ set tmppwd "[pwd]/tmpdir"
+ if ![file isdirectory $tmppwd] {
+ catch "exec mkdir $tmppwd" status
+ }
+} else {
+ set tmppwd $TMPDIR
+}
+verbose "tmppwd=$tmppwd"
# On Ultrix, use /bin/sh5 in preference to /bin/sh.
if ![info exists BINSH] {
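Review bot: `catch "exec mkdir $tmppwd" status` substitutes the path into a string that is then evaluated as a script, so a working directory containing spaces, brackets or `$` is re-parsed instead of being passed as one argument; `catch {file mkdir $tmppwd} status` avoids both the re-parse and the external command. The same quoting pattern matters more in the later `catch "exec rm -f $tmppwd/db.ok …"` hunk, where `$tmppwd` can now come from a caller-supplied `TMPDIR`. In the `TMPDIR` branch nothing checks that the directory exists or is writable, so a bad value only surfaces later at `open $tmppwd/KEY w`; a `file isdirectory $tmppwd` check with a `perror` would fail earlier and more clearly. The `status` result of the mkdir is never inspected in this hunk.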
@@ -41,7 +278,7 @@ if ![info exists BINSH] {
if ![info exists KEY] {
catch {exec $BINSH -c "echo $$"} KEY
verbose "KEY is $KEY"
- set keyfile [open tmpdir/KEY w]
+ set keyfile [open $tmppwd/KEY w]
puts $keyfile "$KEY"
close $keyfile
}
@@ -49,7 +286,7 @@ if ![info exists KEY] {
# Clear away any files left over from a previous run.
# We can't use them now because we don't know the right KEY.
# krb5.conf might change if running tests on another host
-catch "exec rm -f tmpdir/db.ok tmpdir/srvtab tmpdir/krb5.conf tmpdir/kdc.conf tmpdir/cpw_srvtab"
+catch "exec rm -f $tmppwd/db.ok $tmppwd/srvtab $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/cpw_srvtab $tmppwd/krb.realms $tmppwd/krb.conf"
# Put the installed kerberos directories on PATH.
# This needs to be fixed for V5.
@@ -79,41 +316,37 @@ verbose "Test realm is $REALMNAME"
# if they exist. If they do not, then they must be in PATH. We
# expect $objdir to be ...tests/dejagnu.
-if ![info exists KDB5_UTIL] {
- set KDB5_UTIL [findfile $objdir/../../kadmin/dbutil/kdb5_util]
-}
-
-if ![info exists KRB5KDC] {
- set KRB5KDC [findfile $objdir/../../kdc/krb5kdc]
-}
-
-if ![info exists KADMIND] {
- set KADMIND [findfile $objdir/../../kadmin/server/kadmind]
-}
-
-if ![info exists KADMIN] {
- set KADMIN [findfile $objdir/../../kadmin/cli/kadmin]
-}
-
-if ![info exists KADMIN_LOCAL] {
- set KADMIN_LOCAL [findfile $objdir/../../kadmin/cli/kadmin.local]
-}
-
-
-if ![info exists KINIT] {
- set KINIT [findfile $objdir/../../clients/kinit/kinit]
-}
-
-if ![info exists KTUTIL] {
- set KTUTIL [findfile $objdir/../../kadmin/ktutil/ktutil]
+foreach i {
+ {KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util}
+ {KRB5KDC $objdir/../../kdc/krb5kdc}
+ {KADMIND $objdir/../../kadmin/server/kadmind}
+ {KADMIN $objdir/../../kadmin/cli/kadmin}
+ {KADMIN_LOCAL $objdir/../../kadmin/cli/kadmin.local}
+ {KINIT $objdir/../../clients/kinit/kinit}
+ {KTUTIL $objdir/../../kadmin/ktutil/ktutil}
+ {KLIST $objdir/../../clients/klist/klist}
+ {KDESTROY $objdir/../../clients/kdestroy/kdestroy}
+ {RESOLVE $objdir/../resolve/resolve}
+ {T_INETD $objdir/t_inetd}
+} {
+ set varname [lindex $i 0]
+ if ![info exists $varname] {
+ eval set varval [lindex $i 1]
+ set varval [findfile $varval]
+ set $varname $varval
+ verbose "$varname=$varval"
+ } {
+ eval set varval \$$varname
+ verbose "$varname already set to $varval"
+ }
}
-if ![info exists RESOLVE] {
- set RESOLVE [findfile $objdir/../resolve/resolve]
+if ![info exists RLOGIN] {
+ set RLOGIN rlogin
}
-if ![info exists T_INETD] {
- set T_INETD [findfile $objdir/t_inetd]
+if ![info exists RLOGIN_FLAGS] {
+ set RLOGIN_FLAGS ""
}
# We use a couple of variables to hold shell prompts which may be
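Review bot: Both `eval set varval [lindex $i 1]` and `eval set varval \$$varname` re-parse the expanded value as a command, so an `$objdir` or a preset program path containing whitespace or Tcl metacharacters breaks the `set` or is interpreted as script. The same result is available without a second evaluation: `set varval [subst -nocommands [lindex $i 1]]` for the default path and `set varval [set $varname]` for the already-set case. A short comment above the `foreach` stating that each entry is `{VARNAME default-path}` and that the path is expanded at loop time would also make the table easier to extend.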
@@ -127,23 +360,40 @@ if ![info exists SHELL_PROMPT] {
set SHELL_PROMPT "(%|#|>|\\$) $"
}
+verbose "setting up onexit handler (old handler=[exit -onexit])"
+exit -onexit [concat {
+ verbose "calling stop_kerberos_daemons (onexit handler)"
+ stop_kerberos_daemons;
+} [exit -onexit]]
+
# check_k5login
+
# Most of the tests won't work if the user has a .k5login file, unless
-# the user's name appears unadorned in .k5login (in which case kuserok
-# will assume a null instance and the local realm). This procedure
-# returns 1 if the .k5login file appears to be OK, 0 otherwise. This
-# check is not foolproof.
+# the user's name appears with $REALMNAME in .k5login
+
+# This procedure returns 1 if the .k5login file appears to be OK, 0
+# otherwise. This check is not foolproof.
+
+# Note that this previously checked for a username with no realm; this
+# works for krb4's kuserok() but not for krb5_kuserok(), due to some
+# implementation details. *sigh*
proc check_k5login { testname } {
global env
global REALMNAME
- if ![file exists ~/.k5login] {
- return 1
+ if {![file exists ~/.k5login]} {
+ if {$env(USER) == "root"} {
+ return 0
+ } else {
+ return 1
+ }
}
+ verbose "looking for $env(USER)@$REALMNAME in ~/.k5login" 2
set file [open ~/.k5login r]
while { [gets $file principal] != -1 } {
+ verbose " found $principal" 2
if { $principal == "$env(USER)@$REALMNAME" } {
close $file
return 1
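Review bot: The new early `return 0` for root without a `~/.k5login` reports nothing, whereas the other failing path (in the next hunk) calls `note` and `unsupported`; unless every caller records a result itself, the test is skipped without any trace in the log. Adding `note "$testname test requires a ~/.k5login when run as root"` and `unsupported "$testname"` before that `return 0` would keep the two paths consistent; `check_klogin` in the next hunk has the same gap. `$env(USER)` is also read unguarded, so the proc raises a Tcl error when USER is not set in the environment. check_k5login continues past the end of this hunk.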
@@ -151,8 +401,40 @@ proc check_k5login { testname } {
}
close $file
- untested "$testname test requires that your name appear in your ~/.k5login"
- untested "file with no realm or instance."
+ note "$testname test requires that your name appear in your ~/.k5login"
+ note "file in the form $env(USER)@$REALMNAME"
+ unsupported "$testname"
+
+ return 0
+}
+
+proc check_klogin { testname } {
+ global env
+ global REALMNAME
+
+ if {![file exists ~/.klogin]} {
+ if {$env(USER) == "root"} {
+ return 0
+ } else {
+ return 1
+ }
+ }
+
+ verbose "looking for $env(USER) in ~/.klogin" 2
+ set file [open ~/.klogin r]
+ while { [gets $file principal] != -1 } {
+ verbose " found $principal" 2
+ if { $principal == "$env(USER)" \
+ || $principal == "$env(USER)@$REALMNAME" } {
+ close $file
+ return 1
+ }
+ }
+ close $file
+
+ note "$testname test requires that your name appear in your ~/.klogin"
+ note "file without a realm."
+ unsupported "$testname"
return 0
}
@@ -169,8 +451,7 @@ proc check_exit_status { testname } {
verbose "wait -i $spawn_id returned $status_list ($testname)"
catch "close -i $spawn_id"
if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
- send_log "exit status: $status_list\n"
- verbose "exit status: $status_list"
+ verbose -log "exit status: $status_list"
fail "$testname"
return 0
} else {
@@ -178,73 +459,126 @@ proc check_exit_status { testname } {
}
}
-# setup_runtime_flags
-# Sets the proper flags for shared libraries.
-# Configuration is through a site.exp and the runvarlist variable
-# Returns 1 if variables were already set, otherwise 0
-proc setup_runtime_env { } {
- global env
- global runvarlist
- global krb5_init_vars
- global krb5_old_vars
- global runtime_setup
+#
+# ENVSTACK
+#
- if [info exists runtime_setup] {
- return 1
- }
+# These procedures implement an environment variable stack. They use
+# the global variable $envvars_tosave for the purpose of identifying
+# which environment variables to save. They also track which ones are
+# unset at any particular point. The stack pointer is $envstackp,
+# which is an integer. The arrays $envstack$envstackp and
+# $unenvstack$envstackp store respectively the set of old environment
+# variables/values pushed onto the stack and the set of old unset
+# environment variables for a given value of $envstackp.
- set runtime_setup 1
- set krb5_init_vars [list ]
- set krb5_old_vars [list ]
+# Changing the value of $envvars_tosave after performing the first
+# push operation may result in strangeness.
- # Only keep the foo=bar and ignore export commands...
- foreach i $runvarlist {
- if {[regexp ".*=.*" $i]} {
- lappend krb5_init_vars $i
+#
+# envstack_push
+#
+# Push set of current environment variables.
+#
+proc envstack_push { } {
+ global env
+ global envvars_tosave
+ global envstackp
+ global envstack$envstackp
+ global unenvstack$envstackp
+
+ verbose "envstack_push: starting, sp=$envstackp"
+ foreach i $envvars_tosave {
+ if [info exists env($i)] {
+ verbose "envstack_push: saving $i=$env($i)"
+ set envstack${envstackp}($i) $env($i)
+ } {
+ verbose "envstack_push: marking $i as unset"
+ set unenvstack${envstackp}($i) unset
}
}
+ incr envstackp
+ verbose "envstack_push: exiting, sp=$envstackp"
+}
-
- # Set the variables... (and save the old ones)
- foreach i $krb5_init_vars {
- regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
- if [info exists env($evar)] {
- lappend krb5_old_vars $evar=$env($evar)
- }
- set env($evar) "$evalue"
- verbose "$evar=$evalue"
+#
+# envstack_pop
+#
+# Pop set of current environment variables.
+#
+proc envstack_pop { } {
+ global env
+ global envstackp
+
+ verbose "envstack_pop: starting, sp=$envstackp"
+ incr envstackp -1
+ global envstack$envstackp # YUCK!!! no obvious better way though...
+ global unenvstack$envstackp
+ if {$envstackp < 0} {
+ perror "envstack_pop: stack underflow!"
+ return
+ }
+ if [info exists envstack$envstackp] {
+ foreach i [array names envstack$envstackp] {
+ if [info exists env($i)] {
+ verbose "envstack_pop: $i was $env($i)"
+ }
+ eval set env($i) \$envstack${envstackp}($i)
+ verbose "envstack_pop: restored $i to $env($i)"
+ }
+ unset envstack$envstackp
+ }
+ if [info exists unenvstack$envstackp] {
+ foreach i [array names unenvstack$envstackp] {
+ if [info exists env($i)] {
+ verbose "envstack_pop: $i was $env($i)"
+ unset env($i)
+ verbose "envstack_pop: $i unset"
+ } {
+ verbose "envstack_pop: ignoring already unset $i"
+ }
+ }
+ unset unenvstack$envstackp
}
+ verbose "envstack_pop: exiting, sp=$envstackp"
+}
- return 0
+#
+# Initialize the envstack
+#
+set envvars_tosave {
+ KRB5_CONFIG KRB5CCNAME KRBTKFILE KRB5RCACHEDIR
+ KERBEROS_SERVER KRB5_KDC_PROFILE
}
+set krb5_init_vars [list ]
+# XXX -- fix me later!
+foreach i $runvarlist {
+ verbose "processing $i"
+ if {[regexp "^(\[^=\]*)=(.*)" $i foo evar evalue]} {
+ verbose "adding $evar to savelist"
+ lappend envvars_tosave $evar
+ verbose "savelist $envvars_tosave"
+ lappend krb5_init_vars $i
+ }
+}
+set envstackp 0
+envstack_push
+# setup_runtime_flags
+# Sets the proper flags for shared libraries.
# Configuration is through a site.exp and the runvarlist variable
-proc restore_runtime_env { } {
+# Returns 1 if variables were already set, otherwise 0
+proc setup_runtime_env { } {
global env
global krb5_init_vars
- global krb5_old_vars
- global runtime_setup
-
- if ![info exists runtime_setup] {
- return 1
- }
-
- # restore the variables...
+ # Set the variables
foreach i $krb5_init_vars {
regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
- set idx [lsearch -regexp $krb5_old_vars "^$evar=" ]
- if {$idx >= 0} {
-
- regexp "^(\[^=\]*)=(.*)" [lindex $krb5_old_vars $idx] foo evar evalue
- set env($evar) "$evalue"
-
- } else {
- catch "unset env($evar)"
- }
+ set env($evar) "$evalue"
+ verbose "$evar=$evalue"
}
-
- unset runtime_setup
+ return 0
}
# get_hostname
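Review bot: envstack_pop decrements `envstackp` before it tests for underflow, so an unbalanced pop returns with the pointer left at -1 and the next envstack_push stores into `envstack-1`. Test first and leave the pointer untouched on failure: `if {$envstackp <= 0} { perror "envstack_pop: stack underflow!"; return }` followed by `incr envstackp -1`. On the `global envstack$envstackp # YUCK!!! ...` line the `#` does not start a comment, because in Tcl a comment must begin where a command begins, so every following word is declared as a global variable; move the remark to its own line. The top-level initialisation reads `$runvarlist` with no `info exists` guard, so it assumes site.exp always defines it.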
@@ -257,37 +591,65 @@ proc get_hostname { } {
global hostname
global localhostname
global domain
+ global tmppwd
if {[info exists hostname] && [info exists localhostname]} {
return 1
}
- set setup [setup_runtime_env]
-
- catch "exec $RESOLVE -q >tmpdir/hostname" exec_output
+ envstack_push
+ setup_runtime_env
+ catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output
+ envstack_pop
if ![string match "" $exec_output] {
- send_log "$exec_output\n"
- verbose $exec_output
- send_error "ERROR: can't get hostname\n"
- if {$setup == 0} restore_runtime_env
+ verbose -log $exec_output
+ perror "can't get hostname"
return 0
}
- set file [open tmpdir/hostname r]
+ set file [open $tmppwd/hostname r]
if { [ gets $file hostname ] == -1 } {
- send_error "ERROR: no output from hostname\n"
- if {$setup == 0} restore_runtime_env
+ perror "no output from hostname"
return 0
}
close $file
- catch "exec rm -f tmpdir/hostname" exec_output
- regexp "^(\[^.\]*)\.(.*)$" $hostname foo localhostname domain
+ catch "exec rm -f $tmppwd/hostname" exec_output
+ regexp "^(\[^.\]*)\\.(.*)$" $hostname foo localhostname domain
set hostname [string tolower $hostname]
set localhostname [string tolower $localhostname]
set domain [string tolower $domain]
verbose "hostname: $hostname; localhostname: $localhostname; domain $domain"
- if {$setup == 0} restore_runtime_env
+ return 1
+}
+
+# modify_principal name options...
+
+proc modify_principal { name args } {
+ global KADMIN_LOCAL
+ global REALMNAME
+
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ eof {
+ fail "modprinc (kadmin.local)"
+ return 0
+ }
+ timeout {
+ fail "modprinc (kadmin.local)"
+ return 0
+ }
+ }
+ expect "kadmin.local: "
+ send "modprinc $args $name\r"
+ expect -re "modprinc \[^\n\r\]* $name"
+ expect -re "Principal .* modified."
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status "kadmin.local modprinc"] {
+ perror "kadmin.local modprinc exited abnormally"
+ }
return 1
}
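Review bot: modify_principal returns 1 even when kadmin.local exits abnormally: the `check_exit_status` failure branch only calls `perror` and then falls through to `return 1`. Add `return 0` inside that branch so callers can tell the principal was not modified. The `eof` and `timeout` arms of `expect_after` also return without clearing the handler (setup_kadmind_srvtab runs `catch "expect_after"` first), and `$name` is interpolated into the `expect -re` pattern unescaped, so a `.` in a principal name matches any character. In the get_hostname part of the hunk, the empty-read path returns 0 without `close $file`.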
@@ -301,40 +663,27 @@ proc setup_kerberos_files { } {
global hostname
global domain
global tmppwd
+ global supported_enctypes
+ global kdc_supported_enctypes
+ global last_passname_conf
+ global multipass_name
+ global master_key_type
if ![get_hostname] {
return 0
}
- # Create a krb5.conf file.
- if ![file exists tmpdir/krb5.conf] {
- set conffile [open tmpdir/krb5.conf w]
- puts $conffile "\[libdefaults\]"
- puts $conffile " default_realm = $REALMNAME"
-# puts $conffile "default_tgs_enctypes = des-cbc-md5 des-cbc-crc"
- puts $conffile ""
- puts $conffile "\[realms\]"
- puts $conffile " $REALMNAME = \{"
- puts $conffile " kdc = $hostname:3088"
- puts $conffile " admin_server = $hostname:3750"
- puts $conffile " kpasswd_server = $hostname:3751"
- puts $conffile " default_domain = $domain"
- puts $conffile " \}"
- puts $conffile ""
- puts $conffile "\[domain_realm\]"
- puts $conffile " .$domain = $REALMNAME"
- puts $conffile " $domain = $REALMNAME"
- puts $conffile ""
- puts $conffile "\[logging\]"
- puts $conffile " admin_server = FILE:$tmppwd/kadmind5.log"
- puts $conffile " kdc = FILE:$tmppwd/kdc.log"
- puts $conffile " default = FILE:$tmppwd/others.log"
- close $conffile
- }
+ setup_krb5_conf client
+ setup_krb5_conf server
+ setup_krb5_conf kdc
# Create a kdc.conf file.
- if ![file exists tmpdir/kdc.conf] {
- set conffile [open tmpdir/kdc.conf w]
+ if { ![file exists $tmppwd/kdc.conf] \
+ || $last_passname_conf != $multipass_name } {
+ if ![info exists master_key_type] {
+ set master_key_type des-cbc-md5
+ }
+ set conffile [open $tmppwd/kdc.conf w]
puts $conffile "\[kdcdefaults\]"
puts $conffile " kdc_ports = 3085,3086,3087,3088,3089"
puts $conffile ""
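Review bot: `$last_passname_conf` and `$multipass_name` are read in the new kdc.conf condition with no `info exists` guard, unlike `master_key_type` directly below, so the first call raises a Tcl error unless both are initialised elsewhere in the file (not visible here). The same applies to `$supported_enctypes` and `$kdc_supported_enctypes` in the following hunk. If they are mandatory, a comment at the `global` lines saying where they are set would help; otherwise guard them the same way, e.g. `if ![info exists last_passname_conf] { set last_passname_conf "" }`. setup_kerberos_files starts and ends outside this hunk.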
@@ -350,34 +699,114 @@ proc setup_kerberos_files { } {
puts $conffile " kpasswd_port = 3751"
puts $conffile " max_life = 1:00:00"
puts $conffile " max_renewable_life = 3:00:00"
- puts $conffile " master_key_type = des-cbc-md5"
+ puts $conffile " master_key_type = $master_key_type"
puts $conffile " master_key_name = master/key"
-# des3-cbc-sha1:normal
- puts $conffile " supported_enctypes = des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm"
- puts $conffile " kdc_supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm"
+ puts $conffile " supported_enctypes = $supported_enctypes"
+ puts $conffile " kdc_supported_enctypes = $kdc_supported_enctypes"
puts $conffile " kdc_ports = 3088"
puts $conffile " default_principal_expiration = 2037.12.31.23.59.59"
puts $conffile " default_principal_flags = -postdateable forwardable"
+ puts $conffile " dict_file = $tmppwd/dictfile"
puts $conffile " \}"
puts $conffile ""
close $conffile
}
# Create ACL file.
- if ![file exists tmpdir/acl] {
- set aclfile [open tmpdir/acl w]
+ if ![file exists $tmppwd/acl] {
+ set aclfile [open $tmppwd/acl w]
puts $aclfile "krbtest/admin@$REALMNAME *"
close $aclfile
}
+ # Create krb.conf file
+ if ![file exists $tmppwd/krb.conf] {
+ set conffile [open $tmppwd/krb.conf w]
+ puts $conffile "$REALMNAME"
+ puts $conffile "$REALMNAME $hostname:3088 admin server"
+ close $conffile
+ }
+
+ # Create krb.realms file
+ if ![file exists $tmppwd/krb.realms] {
+ set conffile [open $tmppwd/krb.realms w]
+ puts $conffile ".[string toupper $domain] $REALMNAME"
+ puts $conffile "[string toupper $domain]. $REALMNAME"
+ close $conffile
+ }
+
+ # Create dictfile file.
+ if ![file exists $tmppwd/dictfile] {
+ set dictfile [open $tmppwd/dictfile w]
+ puts $dictfile "weak_password"
+ close $dictfile
+ }
+
+ set last_passname_conf $multipass_name
return 1
}
+proc setup_krb5_conf { {type client} } {
+ global tmppwd
+ global hostname
+ global domain
+ global REALMNAME
+ global last_passname_conf
+ global multipass_name
+ global default_tgs_enctypes
+ global default_tkt_enctypes
+ global permitted_enctypes
+
+ # Create a krb5.conf file.
+ if { ![file exists $tmppwd/krb5.$type.conf] \
+ || $last_passname_conf != $multipass_name } {
+ set conffile [open $tmppwd/krb5.$type.conf w]
+ puts $conffile "\[libdefaults\]"
+ puts $conffile " default_realm = $REALMNAME"
+ if [info exists default_tgs_enctypes($type)] {
+ puts $conffile \
+ " default_tgs_enctypes = $default_tgs_enctypes($type)"
+ }
+ if [info exists default_tkt_enctypes($type)] {
+ puts $conffile \
+ " default_tkt_enctypes = $default_tkt_enctypes($type)"
+ }
+ if [info exists permitted_enctypes($type)] {
+ puts $conffile \
+ " permitted_enctypes = $permitted_enctypes($type)"
+ }
+ puts $conffile " krb4_config = $tmppwd/krb.conf"
+ puts $conffile " krb4_realms = $tmppwd/krb.realms"
+ puts $conffile " krb4_srvtab = $tmppwd/v4srvtab"
+ puts $conffile ""
+ puts $conffile "\[realms\]"
+ puts $conffile " $REALMNAME = \{"
+ puts $conffile " kdc = $hostname:3088"
+ puts $conffile " admin_server = $hostname:3750"
+ puts $conffile " kpasswd_server = $hostname:3751"
+ puts $conffile " default_domain = $domain"
+ puts $conffile " krb524_server = $hostname:3752"
+ puts $conffile " \}"
+ puts $conffile ""
+ puts $conffile "\[domain_realm\]"
+ puts $conffile " .$domain = $REALMNAME"
+ puts $conffile " $domain = $REALMNAME"
+ puts $conffile ""
+ puts $conffile "\[logging\]"
+ puts $conffile " admin_server = FILE:$tmppwd/kadmind5.log"
+ puts $conffile " kdc = FILE:$tmppwd/kdc.log"
+ puts $conffile " default = FILE:$tmppwd/others.log"
+ close $conffile
+ }
+}
+
# Save the original values of the environment variables we are going
# to muck with.
+# XXX deal with envstack later.
+
if [info exists env(KRB5_CONFIG)] {
- set orig_krb_conf $env(KRB5_CONFIG)
+ set orig_krb5_conf $env(KRB5_CONFIG)
} else {
catch "unset orig_krb5_config"
}
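Review bot: The rename to `orig_krb5_conf` fixes the set branch, but the `else` branch still clears `orig_krb5_config`, so the two branches act on different variables and a stale `orig_krb5_conf` is never unset. Use one name in both, `catch "unset orig_krb5_conf"`, or whichever name restore_kerberos_env actually reads (that procedure is outside this hunk). In the same hunk setup_krb5_conf has no header comment; a line such as `# setup_krb5_conf type -- write $tmppwd/krb5.$type.conf (type is client, server or kdc)` would document the new argument.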
@@ -403,7 +832,7 @@ if [ info exists env(KERBEROS_SERVER)] {
# setup_kerberos_env
# Set the environment variables needed to run Kerberos programs.
-proc setup_kerberos_env { } {
+proc setup_kerberos_env { {type client} } {
global REALMNAME
global env
global tmppwd
@@ -413,13 +842,17 @@ proc setup_kerberos_env { } {
# Set the environment variable KRB5_CONFIG to point to our krb5.conf file.
# All the Kerberos tools check KRB5_CONFIG.
# Actually, V5 doesn't currently use this.
- set env(KRB5_CONFIG) $tmppwd/krb5.conf
+ set env(KRB5_CONFIG) $tmppwd/krb5.$type.conf
verbose "KRB5_CONFIG=$env(KRB5_CONFIG)"
# Direct the Kerberos programs at a local ticket file.
set env(KRB5CCNAME) $tmppwd/tkt
verbose "KRB5CCNAME=$env(KRB5CCNAME)"
+ # Direct the Kerberos programs at a local ticket file.
+ set env(KRBTKFILE) $tmppwd/tktv4
+ verbose "KRBTKFILE=$env(KRBTKFILE)"
+
# Direct the Kerberos server at a cache file stored in the
# temporary directory.
set env(KRB5RCACHEDIR) $tmppwd
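Review bot: The comment added above `set env(KRBTKFILE) $tmppwd/tktv4` repeats the KRB5CCNAME comment word for word, so a reader cannot tell the two settings apart. Say that this one is the V4 ticket file, e.g. `# Direct the Kerberos V4 programs at a separate local ticket file.` The header comment of setup_kerberos_env in the previous hunk should also mention the new optional `type` argument and that it selects `$tmppwd/krb5.$type.conf`. The procedure continues outside this hunk.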
@@ -437,8 +870,8 @@ proc setup_kerberos_env { } {
verbose "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)"
# Create an environment setup script. (For convenience)
- if ![file exists tmpdir/env.sh] {
- set envfile [open tmpdir/env.sh w]
+ if ![file exists $tmppwd/env.sh] {
+ set envfile [open $tmppwd/env.sh w]
puts $envfile "KRB5_CONFIG=$env(KRB5_CONFIG)"
puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)"
puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)"
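Review bot: env.sh is written only when it does not yet exist, but `KRB5_CONFIG` now depends on the `type` argument, so the script records whichever of the client, server or kdc profiles happened to be active on the first call. The same holds for env.csh in the next hunk. Either pin the convenience scripts to one profile, e.g. `puts $envfile "KRB5_CONFIG=$tmppwd/krb5.client.conf"`, or state in the comment which profile they are meant to contain. `KRBTKFILE` is not among the lines visible here; the rest of the block is outside the hunk.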
@@ -453,8 +886,8 @@ proc setup_kerberos_env { } {
}
close $envfile
}
- if ![file exists tmpdir/env.csh] {
- set envfile [open tmpdir/env.csh w]
+ if ![file exists $tmppwd/env.csh] {
+ set envfile [open $tmppwd/env.csh w]
puts $envfile "setenv KRB5_CONFIG $env(KRB5_CONFIG)"
puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)"
puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)"
@@ -503,7 +936,6 @@ proc restore_kerberos_env { } {
catch "unset env(KERBEROS_SERVER)"
}
- restore_runtime_env
}
# setup_kadmind_srvtab
@@ -516,58 +948,69 @@ proc setup_kadmind_srvtab { } {
global KEY
global tmppwd
- catch "exec rm -f tmpdir/admin-keytab"
+ catch "exec rm -f $tmppwd/admin-keytab"
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
+ catch expect_after
expect_after {
+ -re "(.*)\r\nkadmin.local: " {
+ fail "kadmin.local admin-keytab (unmatched output: $expect_out(1,string)"
+ catch "exec rm -f $tmppwd/admin-keytab"
+ catch "expect_after"
+ return 0
+ }
timeout {
fail "kadmin.local admin-keytab (timeout)"
- catch "exec rm -f tmpdir/admin-keytab"
+ catch "exec rm -f $tmppwd/admin-keytab"
catch "expect_after"
return 0
}
eof {
fail "kadmin.local admin-keytab (eof)"
- catch "exec rm -f tmpdir/admin-keytab"
+ catch "exec rm -f $tmppwd/admin-keytab"
catch "expect_after"
return 0
}
}
expect "kadmin.local: "
send "xst -k admin-new-srvtab kadmin/admin\r"
+ expect "xst -k admin-new-srvtab kadmin/admin\r\n"
expect -re ".*Entry for principal kadmin/admin.* added to keytab WRFILE:admin-new-srvtab."
expect "kadmin.local: "
catch "exec mv -f admin-new-srvtab changepw-new-srvtab" exec_output
if ![string match "" $exec_output] {
- send_log "$exec_output\n"
- verbose $exec_output
- send_error "ERROR: can't mv admin-new-srvtab\n"
+ verbose -log "$exec_output"
+ perror "can't mv admin-new-srvtab"
+ catch expect_after
return 0
}
send "xst -k changepw-new-srvtab kadmin/changepw\r"
+ expect "xst -k changepw-new-srvtab kadmin/changepw\r\n"
expect -re ".*Entry for principal kadmin/changepw.* added to keytab WRFILE:changepw-new-srvtab."
expect "kadmin.local: "
send "quit\r"
- expect "\r"
- expect_after
+ expect eof
+ catch expect_after
if ![check_exit_status "kadmin.local admin-keytab"] {
- catch "exec rm -f tmpdir/admin-keytab"
- send_error "ERROR: kadmin.local admin-keytab exited abnormally\n"
+ catch "exec rm -f $tmppwd/admin-keytab"
+ perror "kadmin.local admin-keytab exited abnormally"
return 0
}
- catch "exec mv -f changepw-new-srvtab tmpdir/admin-keytab" exec_output
+ catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output
if ![string match "" $exec_output] {
- send_log "$exec_output\n"
- verbose $exec_output
- send_error "ERROR: can't mv new admin-keytab\n"
+ verbose -log "$exec_output"
+ perror "can't mv new admin-keytab"
return 0
}
# Make the srvtab file globally readable in case we are using a
# root shell and the srvtab is NFS mounted.
- catch "exec chmod a+r tmpdir/admin-keytab"
+ catch "exec chmod a+r $tmppwd/admin-keytab"
return 1
}
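Review bot: The `chmod a+r $tmppwd/admin-keytab` at the end leaves a keytab holding the kadmin/admin and kadmin/changepw keys readable by every local account, and the intermediate `admin-new-srvtab` and `changepw-new-srvtab` files are still written to the current directory rather than `$tmppwd`. For a disposable test realm that may be acceptable, but the comment should say so, e.g. `# Test-realm keys only; world-readable on purpose, do not run with $tmppwd in a shared directory.` The first `mv` failure path returns 0 without sending `quit` or waiting on the spawned kadmin.local. The new `-re "(.*)\r\nkadmin.local: "` failure message is also missing its closing parenthesis after `$expect_out(1,string)`. setup_kadmind_srvtab starts outside this hunk.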
@@ -584,208 +1027,260 @@ proc setup_kerberos_db { standalone } {
global tmppwd
global spawn_id
global des3_krbtgt
+ global tgt_support_desmd5
+ global multipass_name
+ global last_passname_db
+
+ set failall 0
- if {!$standalone && [file exists tmpdir/db.ok]} {
+ if {!$standalone && [file exists $tmppwd/db.ok] \
+ && $last_passname_db == $multipass_name} {
return 1
}
- catch "exec rm -f [glob -nocomplain tmpdir/db* tmpdir/adb*]"
+ catch "exec rm -f [glob -nocomplain $tmppwd/db* $tmppwd/adb*]"
# Creating a new database means we need a new srvtab.
- catch "exec rm -f tmpdir/srvtab"
+ catch "exec rm -f $tmppwd/srvtab"
- if { ![setup_kerberos_files] || ![setup_kerberos_env] } {
- return 0
+ envstack_push
+ if { ![setup_kerberos_files] || ![setup_kerberos_env kdc] } {
+ set failall 1
}
- spawn $KDB5_UTIL -r $REALMNAME create
-
- expect {
- "Enter KDC database master key:" {
- verbose "kdb5_util started"
- }
+ # Set up a common expect_after for use in multiple places.
+ set def_exp_after {
timeout {
- fail "kdb5_util - create"
- return 0
+ set test "$test (timeout)"
+ break
}
eof {
- fail "kdb5_util - create"
- return 0
+ set test "$test (eof)"
+ break
}
}
- send "masterkey$KEY\r"
- set failed 0
- expect {
- "Re-enter KDC database master key to verify:" { }
- timeout {
- fail "kdb5_util create - verify"
- return 0
- }
- eof {
- fail "kdb5_util create - verify"
- return 0
+
+ set test "kdb5_util create"
+ set body {
+ if $failall {
+ break
}
- }
- send "masterkey$KEY\r"
- expect {
- -re "\[Cc\]ouldn't" {
- fail "kdb5_util - create"
- return 0
+ #exec xterm
+ verbose "starting $test"
+ spawn $KDB5_UTIL -r $REALMNAME create
+ expect_after $def_exp_after
+
+ expect "Enter KDC database master key:"
+
+ set test "kdb5_util create (verify)"
+ send "masterkey$KEY\r"
+ expect "Re-enter KDC database master key to verify:"
+
+ set test "kdb5_util create"
+ send "masterkey$KEY\r"
+ expect {
+ -re "\[Cc\]ouldn't" {
+ expect eof
+ break
+ }
+ "Cannot find/read stored" exp_continue
+ "Warning: proceeding without master key" exp_continue
+ eof { }
}
- "Cannot find/read stored" {
- exp_continue
+ catch expect_after
+ if ![check_exit_status kdb5_util] {
+ break
}
- "Warning: proceeding without master key" {
- exp_continue
+ }
+ set ret [catch $body]
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
}
- timeout {
- fail "kdb5_util - create"
- return 0
+ } else {
+ if $standalone {
+ pass $test
}
- eof { }
- }
- if ![check_exit_status kdb5_util] {
- return 0
- }
-
- if {$standalone} {
- pass "kdb5_util - create"
}
# Stash the master key in a file.
- spawn $KDB5_UTIL -r $REALMNAME stash
- expect {
- "Enter KDC database master key:" {
- verbose "kdb5_util stash started"
+ set test "kdb5_util stash"
+ set body {
+ if $failall {
+ break
}
- timeout {
- fail "kdb5_util stash"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
- }
- eof {
- fail "kdb5_util stash"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+ spawn $KDB5_UTIL -r $REALMNAME stash
+ verbose "starting $test"
+ expect_after $def_exp_after
+ expect "Enter KDC database master key:"
+ send "masterkey$KEY\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kdb5_util] {
+ break
}
}
- send "masterkey$KEY\r"
- expect {
- eof { }
- timeout {
- fail "kdb5_util stash"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
+ } else {
+ catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ }
+ } else {
+ if $standalone {
+ pass $test
}
- }
- if ![check_exit_status kdb5_util] {
- return 0
- }
-
- if {$standalone} {
- pass "kdb5_util stash"
}
# Add an admin user.
- spawn $KADMIN_LOCAL -r $REALMNAME
- expect_after {
- timeout {
- catch "expect_after"
- fail "kadmin.local (timeout)"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+#send_user "will run: $KADMIN_LOCAL -r $REALMNAME\n"
+#exec xterm
+ set test "kadmin.local ank krbtest/admin"
+ set body {
+ if $failall {
+ break
}
- eof {
- catch "expect_after"
- fail "kadmin.local (eof)"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ verbose "starting $test"
+ expect_after $def_exp_after
+
+ expect "kadmin.local: "
+ send "ank krbtest/admin@$REALMNAME\r"
+ # It echos...
+ expect "ank krbtest/admin@$REALMNAME\r"
+ expect "Enter password for principal \"krbtest/admin@$REALMNAME\":"
+ send "adminpass$KEY\r"
+ expect "Re-enter password for principal \"krbtest/admin@$REALMNAME\":"
+ send "adminpass$KEY\r"
+ expect {
+ "Principal \"krbtest/admin@$REALMNAME\" created" { }
+ "Principal or policy already exists while creating*" { }
+ }
+ expect "kadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kadmin_local] {
+ break
}
}
- expect "kadmin.local: "
- send "ank krbtest/admin@$REALMNAME\r"
- # It echos...
- expect "ank krbtest/admin@$REALMNAME\r"
- expect "Enter password for principal \"krbtest/admin@$REALMNAME\":"
- send "adminpass$KEY\r"
- expect "Re-enter password for principal \"krbtest/admin@$REALMNAME\":"
- send "adminpass$KEY\r"
- expect {
- "Principal \"krbtest/admin@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { expect eof }
- }
- expect "kadmin.local: "
- send "quit\r"
- expect "\r"
- expect_after
- if ![check_exit_status kadmin_local] {
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
+ } else {
+ catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ }
+ } else {
+ if $standalone {
+ pass $test
}
- return 0
}
if $des3_krbtgt {
# Set the TGT key to DES3.
- spawn $KADMIN_LOCAL -r $REALMNAME -e des3-cbc-sha1:normal
- expect_after {
- timeout {
- catch "expect_after"
- fail "kadmin.local (timeout)"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+ set test "kadmin.local TGT to DES3"
+ set body {
+ if $failall {
+ break
}
- eof {
- catch "expect_after"
- fail "kadmin.local (eof)"
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
- }
- return 0
+ spawn $KADMIN_LOCAL -r $REALMNAME -e des3-cbc-sha1:normal
+ verbose "starting $test"
+ expect_after $def_exp_after
+
+ expect "kadmin.local: "
+ send "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r"
+ # It echos...
+ expect "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r"
+ expect {
+ "Key for \"krbtgt/$REALMNAME@$REALMNAME\" randomized." { }
+ }
+ expect "kadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kadmin_local] {
+ break
}
}
- expect "kadmin.local: "
- send "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r"
- # It echos...
- expect "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r"
- expect {
- "Key for \"krbtgt/$REALMNAME@$REALMNAME\" randomized." { }
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
+ } else {
+ catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ }
+ } else {
+ if $standalone {
+ pass $test
+ }
}
- expect "kadmin.local: "
- send "quit\r"
- expect "\r"
- expect_after
- if ![check_exit_status kadmin_local] {
- if {!$standalone} {
- catch "exec rm -f tmpdir/db.ok tmpdir/adb.db"
+ }
+ if $tgt_support_desmd5 {
+ # Make TGT support des-cbc-md5
+ set test "kadmin.local TGT to SUPPORT_DESMD5"
+ set body {
+ if $failall {
+ break
+ }
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ verbose "starting $test"
+ expect_after $def_exp_after
+
+ expect "kadmin.local: "
+ send "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
+ # It echos...
+ expect "modprinc +support_desmd5 krbtgt/$REALMNAME@$REALMNAME\r"
+ expect {
+ "Principal \"krbtgt/$REALMNAME@$REALMNAME\" modified.\r\n" { }
+ }
+ expect "kadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status kadmin_local] {
+ break
+ }
+ }
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ set failall 1
+ if $standalone {
+ fail $test
+ } else {
+ catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db"
+ }
+ } else {
+ if $standalone {
+ pass $test
}
- return 0
}
}
-
- if ![setup_kadmind_srvtab] {
+ # XXX should deal with envstack inside setup_kadmind_srvtab too
+ set ret [setup_kadmind_srvtab]
+ envstack_pop
+ if !$ret {
return 0
}
# create the admin database lock file
- catch "exec touch tmpdir/adb.lock"
-
- if {$standalone} {
- pass "kadmin_local"
- }
+ catch "exec touch $tmppwd/adb.lock"
+ set last_passname_db $multipass_name
return 1
}
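Review bot: `failall` is set when any of the create, stash, ank, DES3 or desmd5 steps fails, but the end of setup_kerberos_db never reads it: the result depends only on setup_kadmind_srvtab, so a failed `cpw -randkey` or `modprinc +support_desmd5` step still returns 1 and records `last_passname_db`. The removed code returned 0 at each of these points. Fold the flag into the final check, `if {$failall || !$ret} { return 0 }`. `catch $body` also discards the error text, so a Tcl error inside a body cannot be told apart from a deliberate `break`; `catch $body msg` followed by `verbose -log "$test: $msg"` would keep it. The procedure starts outside this hunk.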
@@ -815,8 +1310,9 @@ proc start_kerberos_daemons { standalone } {
}
if {$standalone} {
- catch "exec rm -f tmpdir/krb.log"
- catch "exec rm -f tmpdir/kadmind.log"
+ catch "exec rm -f $tmppwd/krb.log"
+ catch "exec rm -f $tmppwd/kadmind.log"
+ catch "exec rm -f $tmppwd/krb5kdc_rcache"
}
# Start up the kerberos daemon
@@ -829,43 +1325,72 @@ proc start_kerberos_daemons { standalone } {
# The same thing is done a little later for the kadmind
set kdc_lfile $tmppwd/kdc.log
set kadmind_lfile $tmppwd/kadmind5.log
- set retry 30
if ![file exists $kdc_lfile] then {
catch [touch $kdc_lfile]
}
- sleep 2
- set kdc_start [file mtime $kdc_lfile]
- spawn $KRB5KDC -r $REALMNAME -n
- set kdc_pid [exp_pid]
- set kdc_spawn_id $spawn_id
+ spawn tail -f $kdc_lfile
+ set tailf_spawn_id $spawn_id
+ set tailf_pid [exp_pid]
- for {set count 0} {$count < $retry} {incr count} {
- if { [file mtime $kdc_lfile] != $kdc_start } then {
- break;
- }
- sleep 2
- }
+ set markstr "===MARK $tailf_pid [exec date] ==="
+ set f [open $kdc_lfile a]
+ puts $f $markstr
+ close $f
- if {$count >= $retry} {
- fail "krb5kdc"
- stop_kerberos_daemons
- return 0
+ expect {
+ -i $tailf_spawn_id
+ -ex "$markstr\r\n" { }
+ timeout {
+ if {$standalone} {
+ verbose -log "tail -f timed out looking for mark"
+ fail "krb5kdc"
+ } else {
+ perror "krbkdc tail -f timed out looking for mark"
+ }
+ stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
+ return 0
+ }
}
- if ![regexp "commencing operation" [tail1 $kdc_lfile]] {
- fail "krb5kdc"
- stop_kerberos_daemons
- return 0
+ envstack_push
+ setup_kerberos_env kdc
+ spawn $KRB5KDC -r $REALMNAME -n
+ envstack_pop
+ set kdc_pid [exp_pid]
+ set kdc_spawn_id $spawn_id
+
+ expect {
+ -i $tailf_spawn_id
+ -re "commencing operation\r\n" { }
+ timeout {
+ if {$standalone} {
+ verbose -log "krb5kdc startup timed out"
+ fail "krb5kdc"
+ } else {
+ perror "krb5kdc startup timed out"
+ }
+ stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
+ return 0
+ }
}
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
if {$standalone} {
pass "krb5kdc"
}
# Give the kerberos daemon a few seconds to get set up.
- sleep 2
+# sleep 2
#
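Review bot: Every exit path runs `exec kill $tailf_pid` bare, so if the `tail -f` helper has already exited the `exec` raises and start_kerberos_daemons aborts with a Tcl error before `wait -i $tailf_spawn_id` reaps it; stop_kerberos_daemons wraps its kills in `catch` for this reason. Use `catch "exec kill $tailf_pid"` here and in the kadmind half in the next hunk. The kill / expect eof / wait triple is repeated at every exit, so a small helper taking the pid and spawn id would remove the repetition. Neither `expect` block has an `eof` arm on `$tailf_spawn_id`, so a dead tail is noticed only after the full timeout. The procedure starts outside this hunk.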
@@ -880,66 +1405,107 @@ proc start_kerberos_daemons { standalone } {
if ![file exists $kadmind_lfile] then {
catch [touch $kadmind_lfile]
- sleep 1
}
- set kadmind_start [file mtime $kadmind_lfile]
+ spawn tail -f $kadmind_lfile
+ set tailf_spawn_id $spawn_id
+ set tailf_pid [exp_pid]
+
+ set markstr "===MARK $tailf_pid [exec date] ==="
+ set f [open $kadmind_lfile a]
+ puts $f $markstr
+ close $f
+
+ expect {
+ -i $tailf_spawn_id
+ -ex "$markstr\r\n" { }
+ timeout {
+ if {$standalone} {
+ verbose -log "tail -f timed out looking for mark"
+ fail "kadmind"
+ } else {
+ perror "kadmind tail -f timed out looking for mark"
+ }
+ stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
+ return 0
+ }
+ }
# Start up the kadmind daemon
# XXXX kadmind uses stderr a lot. the sh -c and redirect can be
- # removed when this is fixed
+ # removed when this is fixed
+ envstack_push
+ setup_kerberos_env kdc
spawn $BINSH -c "exec $KADMIND -r $REALMNAME -nofork 2>>$kadmind_lfile"
+ envstack_pop
set kadmind_pid [exp_pid]
set kadmind_spawn_id $spawn_id
- for {set count 0} {$count < $retry} {incr count} {
- if { [file mtime $kadmind_lfile] != $kadmind_start } then {
- break;
- }
- sleep 1
- }
-
- if {$count >= $retry} {
- fail "kadmin5 (starting)"
- if [info exists start_save_ktname] {
- set env(KRB5_KTNAME) $start_save_ktname
- unset start_save_ktname
- }
- stop_kerberos_daemons
- return 0
- }
-
# Restore KRB5_KTNAME
if [info exists start_save_ktname] {
set env(KRB5_KTNAME) $start_save_ktname
unset start_save_ktname
}
- switch -regexp [tail1 $kadmind_lfile] {
- "cannot initialize network" {
- fail "kadmind (network init)"
+ expect {
+ -i $tailf_spawn_id
+ "Seeding random number" exp_continue
+ "cannont initialize network" {
+ if {$standalone} {
+ verbose -log "kadmind failed network init"
+ fail "kadmind"
+ } else {
+ perror "kadmind failed network init"
+ }
stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
return 0
}
"cannot bind to network address" {
- fail "kadmind (bind)"
+ if {$standalone} {
+ verbose -log "kadmind failed to bind socket"
+ fail "kadmind"
+ } else {
+ perror "kadmind failed to bind socket"
+ }
stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
return 0
}
"starting" { }
- default {
- fail "kadmind (startup)"
+ timeout {
+ if {$standalone} {
+ verbose -log "kadmind failed to start"
+ fail "kadmind"
+ } else {
+ verbose -log "kadmind failed to start"
+ perror "kadmind failed to start"
+ }
+#sleep 10
stop_kerberos_daemons
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
return 0
}
}
+ exec kill $tailf_pid
+ expect -i $tailf_spawn_id eof
+ wait -i $tailf_spawn_id
if {$standalone} {
pass "kadmind"
}
# Give the kadmind daemon a few seconds to get set up.
- sleep 2
+# sleep 2
return 1
}
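Review bot: The pattern `"cannont initialize network"` is misspelled, so it cannot match the text the removed `switch` looked for (`"cannot initialize network"`), and a network-init failure is reported only after the timeout as "kadmind failed to start". Correct it to `"cannot initialize network" {`. In the `timeout` arm both branches call `verbose -log "kadmind failed to start"`, so that line can be hoisted above the `if`, and the leftover `#sleep 10` can go. The unguarded `exec kill $tailf_pid` noted on the KDC half applies to every exit path here as well.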
@@ -953,9 +1519,15 @@ proc stop_kerberos_daemons { } {
global kadmind_pid
global kadmind_spawn_id
+ verbose "entered stop_kerberos_daemons"
+
if [info exists kdc_pid] {
- catch "close -i $kdc_spawn_id"
- catch "exec kill $kdc_pid"
+ if [catch "exec kill $kdc_pid" msg] {
+ verbose "kill kdc: $msg"
+ }
+ if [catch "expect -i $kdc_spawn_id eof" msg] {
+ verbose "expect kdc eof: $msg"
+ }
set kdc_list [wait -i $kdc_spawn_id]
verbose "wait -i $kdc_spawn_id returned $kdc_list (kdc)"
unset kdc_pid
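Review bot: `catch "expect -i $kdc_spawn_id eof" msg` reports only Tcl errors; an `expect` that times out returns normally, so a KDC that does not exit after the signal is never logged and the following `wait -i` then blocks until the process ends. Give the expect an explicit timeout arm, e.g. `expect -i $kdc_spawn_id { eof { } timeout { verbose -log "kdc did not exit after kill" } }`. The kadmind block in the next hunk has the same shape. stop_kerberos_daemons starts and ends outside this hunk.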
@@ -963,14 +1535,20 @@ proc stop_kerberos_daemons { } {
}
if [info exists kadmind_pid] {
- catch "close -i $kadmind_spawn_id"
- catch "exec kill $kadmind_pid"
+ if [catch "exec kill $kadmind_pid" msg] {
+ verbose "kill kadmind: $msg"
+ }
+ if [catch "expect -i $kadmind_spawn_id eof" msg] {
+ verbose "expect kadmind eof: $msg"
+ }
set kadmind_list [wait -i $kadmind_spawn_id]
verbose "wait -i $kadmind_spawn_id returned $kadmind_list (kadmind5)"
unset kadmind_pid
unset kadmind_list
}
+ verbose "exiting stop_kerberos_daemons"
+
return 1
}
@@ -987,45 +1565,58 @@ proc add_kerberos_key { kkey standalone } {
global spawn_id
# Use kadmin to add an key.
- spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $kkey@$REALMNAME"
- expect_after {
- "Cannot contact any KDC" {
- fail "kadmin interactive add $kkey lost KDC"
- catch "expect_after"
- return 0
+ set test "kadmin ank $kkey"
+ set body {
+ envstack_push
+ setup_kerberos_env client
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $kkey@$REALMNAME"
+ envstack_pop
+ verbose "starting $test"
+ expect_after {
+ "Cannot contact any KDC" {
+ set test "$test (lost KDC)"
+ break
+ }
+ timeout {
+ set test "$test (timeout)"
+ break
+ }
+ eof {
+ set test "$test (eof)"
+ break
+ }
}
- timeout {
- fail "kadmin $kkey"
- catch "expect_after"
- return 0
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ expect "Enter password for principal \"$kkey@$REALMNAME\":"
+ send "$kkey"
+ send "$KEY\r"
+ expect "Re-enter password for principal \"$kkey@$REALMNAME\":"
+ send "$kkey"
+ send "$KEY\r"
+ expect {
+ "Principal \"$kkey@$REALMNAME\" created" { }
+ "Principal or policy already exists while creating*" { }
}
- eof {
- fail "kadmin $kkey"
- return 0
+ expect eof
+ if ![check_exit_status kadmin] {
+ break
}
}
- expect "Enter password:"
- send "adminpass$KEY\r"
- expect "Enter password for principal \"$kkey@$REALMNAME\":"
- send "$kkey"
- send "$KEY\r"
- expect "Re-enter password for principal \"$kkey@$REALMNAME\":"
- send "$kkey"
- send "$KEY\r"
- expect {
- "Principal \"$kkey@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { expect eof }
- }
- catch "expect_after"
- if ![check_exit_status kadmin] {
+ set ret [catch $body]
+ catch "expect eof"
+ catch expect_after
+ if $ret {
+ if $standalone {
+ fail $test
+ }
return 0
+ } else {
+ if $standalone {
+ pass $test
+ }
+ return 1
}
-
- if {$standalone} {
- pass "kadmin $kkey"
- }
-
- return 1
}
# add_random_key
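Review bot: `set ret [catch $body]` discards the reason for a failure, so a Tcl error inside the body (for example `spawn` failing on `$KADMIN`) and a deliberate `break` both end as `fail $test` with nothing in the log. Capture the message with `set ret [catch $body msg]` and log it when the code is 1, `if {$ret == 1} { verbose -log "$test: $msg" }`. add_random_key in the next hunk uses `if [catch $body]` the same way, and unlike this proc it has no `catch "expect eof"` to drain the child after a failure. The proc header is above this hunk.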
@@ -1041,35 +1632,46 @@ proc add_random_key { kkey standalone } {
global spawn_id
# Use kadmin to add an key.
- spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $kkey@$REALMNAME"
- expect_after {
- timeout {
- fail "kadmin $kkey"
- catch "expect_after"
- return 0
+ set test "kadmin ark $kkey"
+ set body {
+ envstack_push
+ setup_kerberos_env client
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $kkey@$REALMNAME"
+ envstack_pop
+ expect_after {
+ timeout {
+ set test "$test (timeout)"
+ break
+ }
+ eof {
+ set test "$test (eof)"
+ break
+ }
}
- eof {
- fail "kadmin $kkey"
- catch "expect_after"
- return 0
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ expect {
+ "Principal \"$kkey@$REALMNAME\" created" { }
+ "Principal or policy already exists while creating*" { }
+ }
+ expect eof
+ if ![check_exit_status kadmin] {
+ break
}
}
- expect "Enter password:"
- send "adminpass$KEY\r"
- expect {
- "Principal \"$kkey@$REALMNAME\" created" { }
- "Principal or policy already exists while creating*" { expect eof}
- }
- catch "expect_after"
- if ![check_exit_status kadmin] {
+ if [catch $body] {
+ catch expect_after
+ if $standalone {
+ fail $test
+ }
return 0
+ } else {
+ catch expect_after
+ if $standalone {
+ pass $test
+ }
+ return 1
}
-
- if {$standalone} {
- pass "kadmin $kkey"
- }
-
- return 1
}
# setup_srvtab
@@ -1087,11 +1689,11 @@ proc setup_srvtab { standalone {id host} } {
global spawn_id
global last_service
- if {!$standalone && [file exists tmpdir/srvtab] && $last_service == $id} {
+ if {!$standalone && [file exists $tmppwd/srvtab] && $last_service == $id} {
return 1
}
- catch "exec rm -f tmpdir/srvtab tmpdir/srvtab.old"
+ catch "exec rm -f $tmppwd/srvtab $tmppwd/srvtab.old"
if ![get_hostname] {
return 0
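Review bot: `catch "exec rm -f $tmppwd/srvtab $tmppwd/srvtab.old"` substitutes `$tmppwd` into a string that `catch` then parses as a script, so a directory name containing a space, `;` or `[` changes which command actually runs. Bracing defers the substitution and keeps each path a single word: `catch {exec rm -f $tmppwd/srvtab $tmppwd/srvtab.old}`. The later setup_srvtab hunks use the same quoted form for their `rm`, `mv` and `chmod` calls on `$tmppwd/srvtab`. Where `$tmppwd` is set is not visible here, so how likely such a value is cannot be judged from this hunk alone.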
@@ -1099,12 +1701,23 @@ proc setup_srvtab { standalone {id host} } {
catch "exec rm -f $hostname-new-srvtab"
+ envstack_push
+ setup_kerberos_env kdc
spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
expect_after {
+ -re "(.*)\r\nkadmin.local: " {
+ fail "kadmin.local srvtab (unmatched output: $expect_out(1,string))"
+ if {!$standalone} {
+ catch "exec rm -f $tmppwd/srvtab"
+ }
+ catch "expect_after"
+ return 0
+ }
timeout {
fail "kadmin.local srvtab"
if {!$standalone} {
- catch "exec rm -f tmpdir/srvtab"
+ catch "exec rm -f $tmppwd/srvtab"
}
catch "expect_after"
return 0
@@ -1112,7 +1725,7 @@ proc setup_srvtab { standalone {id host} } {
eof {
fail "kadmin.local srvtab"
if {!$standalone} {
- catch "exec rm -f tmpdir/srvtab"
+ catch "exec rm -f $tmppwd/srvtab"
}
catch "expect_after"
return 0
@@ -1120,23 +1733,34 @@ proc setup_srvtab { standalone {id host} } {
}
expect "kadmin.local: "
send "xst -k $hostname-new-srvtab $id/$hostname\r"
- expect -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-srvtab."
+ expect "xst -k $hostname-new-srvtab $id/$hostname\r\n"
+ expect {
+ -re ".*Entry for principal $id/$hostname.* added to keytab WRFILE:$hostname-new-srvtab." { }
+ -re "\r\nkadmin.local: " {
+ if {$standalone} {
+ fail "kadmin.local srvtab"
+ } else {
+ catch "exec rm -f $tmppwd/srvtab"
+ }
+ catch expect_after
+ return 0
+ }
+ }
expect "kadmin.local: "
send "quit\r"
- expect "\r"
- expect_after
+ expect eof
+ catch expect_after
if ![check_exit_status "kadmin.local srvtab"] {
if {!$standalone} {
- catch "exec rm -f tmpdir/srvtab"
+ catch "exec rm -f $tmppwd/srvtab"
}
return 0
}
- catch "exec mv -f $hostname-new-srvtab tmpdir/srvtab" exec_output
+ catch "exec mv -f $hostname-new-srvtab $tmppwd/srvtab" exec_output
if ![string match "" $exec_output] {
- send_log "$exec_output\n"
- verbose $exec_output
- send_error "ERROR: can't mv new srvtab\n"
+ verbose -log "$exec_output"
+ perror "can't mv new srvtab"
return 0
}
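Review bot: The new `-re "\r\nkadmin.local: "` arm records nothing when `$standalone` is 0: it removes `$tmppwd/srvtab` and returns 0 without `fail` or `perror`, whereas the `timeout` and `eof` arms of the `expect_after` call `fail "kadmin.local srvtab"` unconditionally before the cleanup. To match them, call `fail "kadmin.local srvtab"` first and then `if {!$standalone} { catch "exec rm -f $tmppwd/srvtab" }`. If the silent return is intended, a `verbose -log "xst produced no keytab entry"` would at least leave a trace in the log. setup_srvtab starts and ends outside this hunk.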
@@ -1146,7 +1770,7 @@ proc setup_srvtab { standalone {id host} } {
# Make the srvtab file globally readable in case we are using a
# root shell and the srvtab is NFS mounted.
- catch "exec chmod a+r tmpdir/srvtab"
+ catch "exec chmod a+r $tmppwd/srvtab"
# Remember what we just extracted
set last_service $id
@@ -1184,22 +1808,378 @@ proc kinit { name pass standalone } {
}
}
send "$pass\r"
- # This last expect seems useless, but without it the test hangs on
- # AIX.
+ expect eof
+ if ![check_exit_status kinit] {
+ return 0
+ }
+
+ if {$standalone} {
+ pass "kinit"
+ }
+
+ return 1
+}
+
+proc kinit_kt { name keytab standalone testname } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ # Use kinit to get a ticket.
+ #
+ # For now always get forwardable tickets. Later when we need to make
+ # tests that distiguish between forwardable tickets and otherwise
+ # we should but another option to this proc. --proven
+ #
+ spawn $KINIT -5 -f -k -t $keytab $name@$REALMNAME
+ expect {
+ timeout {
+ fail "kinit $testname"
+ return 0
+ }
+ eof { }
+ }
+ if ![check_exit_status "kinit $testname"] {
+ return 0
+ }
+
+ if {$standalone} {
+ pass "kinit $testname"
+ }
+
+ return 1
+}
+
+# List tickets. Requires client and server names, and test name.
+# Checks that klist exist status is zero.
+# Records pass or fail, and returns 1 or 0.
+proc do_klist { myname servname testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -5 -e
+ expect {
+ -re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*$myname.*$servname\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+
+ expect eof
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+proc do_klist_kt { keytab testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -5 -e -k $keytab
expect {
- "\r" { }
+ -re "Keytab name:\[ \]*(.+:)?.*KVNO Principal\r\n---- -*\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+ set more 1
+ while {$more} {
+ expect {
+ -re { *[0-9][0-9]* *[a-zA-Z/@.-]* \([/a-zA-Z 0-9-]*\) *\r\n} {
+ verbose -log "key: $expect_out(buffer)"
+ }
+ eof { set more 0 }
+ }
+ }
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+proc do_klist_err { testname } {
+ global KLIST
+ global spawn_id
+
+ spawn $KLIST -5
+ expect {
+ -re "klist: No credentials cache found.*\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+ # We can't use check_exit_status, because we expect an exit status
+ # of 1.
+ catch "expect eof"
+ set status_list [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $status_list ($testname)"
+ if { [lindex $status_list 2] != 0 } {
+ fail "$testname (bad exit status) $status_list"
+ return 0
+ } else { if { [lindex $status_list 3] != 1 } {
+ fail "$testname (bad exit status) $status_list"
+ return 0
+ } else {
+ pass $testname
+ } }
+ return 1
+}
+
+proc do_kdestroy { testname } {
+ global KDESTROY
+ spawn $KDESTROY -5
+ if ![check_exit_status $testname] {
+ fail $testname
+ return 0
}
+ pass $testname
+ return 1
+}
+
+proc xst { keytab name } {
+ global KADMIN_LOCAL
+ global REALMNAME
+
+ envstack_push
+ setup_kerberos_env kdc
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
+ catch expect_after
+ expect_after {
+ -re "(.*)\r\nkadmin.local: " {
+ fail "kadmin.local xst $keytab (unmatched output: $expect_out(1,string)"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin.local xst $keytab (timeout)"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin.local xst $keytab (eof)"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "kadmin.local: "
+ send "xst -k $keytab $name\r"
+ expect -re "xst -k \[^\r\n\]*\r\n.*Entry for principal .* added to keytab WRFILE:.*\r\nkadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status "kadmin.local $keytab"] {
+ perror "kadmin.local xst $keytab exited abnormally"
+ return 0
+ }
+ return 1
+}
+
+# v4_compatible_enctype
+# Returns 1 if v4 testing is enabled this passes encryption types are compatable with kerberos 4 work
+proc v4_compatible_enctype {} {
+ global supported_enctypes
+ global KRBIV
+
+ if ![info exists KRBIV] {
+ return 0;
+ }
+
+ if { $KRBIV && [string first des-cbc-crc:v4 "$supported_enctypes"] >= 0} {
+ return 1
+ } else {
+ return 0
+ }
+}
+
+# kinit
+# Use kinit to get a ticket. If the argument is non-zero, call pass
+# at relevant points. Returns 1 on success, 0 on failure.
+
+proc v4kinit { name pass standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+ global des3_krbtgt
+ # Use kinit to get a ticket.
+ #
+ # For now always get forwardable tickets. Later when we need to make
+ # tests that distiguish between forwardable tickets and otherwise
+ # we should but another option to this proc. --proven
+ #
+ spawn $KINIT -4 $name@$REALMNAME
+ expect {
+ "Password for $name@$REALMNAME:" {
+ verbose "v4kinit started"
+ }
+ timeout {
+ fail "v4kinit"
+ return 0
+ }
+ eof {
+ fail "v4kinit"
+ return 0
+ }
+ }
+ send "$pass\r"
expect eof
+ if {$des3_krbtgt == 0} {
+ if ![check_exit_status v4kinit] {
+ return 0
+ }
+ } else {
+ # Fail if kinit is successful with a des3 TGT.
+ set status_list [wait -i $spawn_id]
+ set testname v4kinit
+ verbose "wait -i $spawn_id returned $status_list ($testname)"
+ if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 1 } {
+ verbose -log "exit status: $status_list"
+ fail "$testname (exit status)"
+ }
+ }
+ if {$standalone} {
+ pass "v4kinit"
+ }
+ return 1
+}
+
+proc v4kinit_kt { name keytab standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ # Use kinit to get a ticket.
+ #
+ # For now always get forwardable tickets. Later when we need to make
+ # tests that distiguish between forwardable tickets and otherwise
+ # we should but another option to this proc. --proven
+ #
+ spawn $KINIT -4 -k -t $keytab $name@$REALMNAME
+ expect {
+ timeout {
+ fail "v4kinit"
+ return 0
+ }
+ eof { }
+ }
if ![check_exit_status kinit] {
return 0
}
if {$standalone} {
- pass "kinit"
+ pass "v4kinit"
+ }
+
+ return 1
+}
+
+# List v4 tickets.
+# Client and server are regular expressions.
+proc v4klist { client server testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$client.*$server\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
}
+ expect eof
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+# Destroy tickets.
+proc v4kdestroy { testname } {
+ global KDESTROY
+ spawn $KDESTROY -4
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+# Try to list the krb4 tickets -- there shouldn't be any ticket file.
+proc v4klist_none { testname } {
+ global KLIST
+ global tmppwd
+
+ # Double check that the ticket was destroyed.
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" {
+ verbose "v4klist started"
+ pass "$testname (output)"
+ }
+ timeout {
+ fail "$testname (output)"
+ # Skip the 'wait' below, if it's taking too long.
+ untested "$testname (exit status)"
+ return 0
+ }
+ eof {
+ fail "$testname (output)"
+ }
+ }
+ # We can't use check_exit_status, because we expect an exit status
+ # of 1.
+ expect eof
+ set status_list [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $status_list (v4klist)"
+ if { [lindex $status_list 2] != 0 } {
+ fail "$testname (exit status)"
+ return 0
+ } else {
+ if { [lindex $status_list 3] != 1 } {
+ fail "$testname (exit status)"
+ return 0
+ } else {
+ pass "$testname (exit status)"
+ }
+ }
return 1
}
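Review bot: In the new `v4kinit`, the `des3_krbtgt` branch calls `fail "$testname (exit status)"` when kinit does not exit with status 1, but it does not return, so the proc goes on to `pass "v4kinit"` in standalone mode and returns 1 to the caller. Add `return 0` directly after that `fail` so that an unexpected success with a des3 TGT is reported once, as a failure. Two smaller things in the same hunk: `v4kinit_kt` passes `kinit` instead of `v4kinit` to `check_exit_status`, and the first `fail` string in `xst` lacks the closing parenthesis after `$expect_out(1,string)`.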
@@ -1217,6 +2197,8 @@ proc setup_root_shell { testname } {
global BINSH
global ROOT_PROMPT
global KEY
+ global RLOGIN
+ global RLOGIN_FLAGS
global hostname
global rlogin_spawn_id
global rlogin_pid
@@ -1224,15 +2206,22 @@ proc setup_root_shell { testname } {
global env
global krb5_init_vars
+ global timeout
# Make sure we are using the original values of the environment
# variables. This means that the caller must call
# setup_kerberos_env after calling this procedure.
+ # XXX fixme to deal with envstack
restore_kerberos_env
setup_runtime_env
+ set me [exec whoami]
+ if [string match root $me] {
+ return [setup_root_shell_noremote $testname]
+ }
+
if ![get_hostname] {
return 0
}
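Review bot: `set me [exec whoami]` is unguarded, and Tcl's `exec` raises an error when the command is missing or exits non-zero, which would abort setup_root_shell with a Tcl error instead of a test result. The answer also decides whether the harness spawns a local root shell rather than going through rlogin, and `whoami` is resolved through PATH. Wrapping the call, e.g. `if {[catch {exec whoami} me]} { perror "cannot determine current user: $me"; return 0 }`, keeps the failure inside the harness. The body of setup_root_shell continues outside this hunk.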
@@ -1248,45 +2237,50 @@ proc setup_root_shell { testname } {
# send "rootpassword\r"
# exp_continue
- spawn rlogin $hostname -l root
+ eval spawn $RLOGIN $hostname -l root $RLOGIN_FLAGS
set rlogin_spawn_id $spawn_id
set rlogin_pid [exp_pid]
+ set old_timeout $timeout
+ set timeout 300
+
expect {
- "word:" {
- untested "$testname test requires ability to rlogin as root"
+ -re "word:|erberos rlogin failed|ection refused|ection reset by peer" {
+ note "$testname test requires ability to rlogin as root"
+ unsupported "$testname"
+ set timeout $old_timeout
stop_root_shell
return 0
}
- "Kerberos rlogin failed" {
- untested "$testname test requires ability to rlogin as root"
+ -re "$ROOT_PROMPT" { }
+ timeout {
+ perror "timeout from rlogin $hostname -l root"
+ perror "If you have an unusual root prompt,"
+ perror "try running with ROOT_PROMPT=\"regexp\""
+ set timeout $old_timeout
stop_root_shell
return 0
}
eof {
- untested "$testname test requires ability to rlogin as root"
- stop_root_shell
- return 0
- }
- -re "$ROOT_PROMPT" { }
- timeout {
- send_error "ERROR: timeout from rlogin $hostname -l root\n"
- send_error "ERROR: If you have an unusual root prompt,\n"
- send_error "ERROR: try running with ROOT_PROMPT=\"regexp\"\n"
+ perror "eof from rlogin $hostname -l root"
stop_root_shell
+ set timeout $old_timeout
+ catch "expect_after"
return 0
}
}
expect_after {
timeout {
- send_error "ERROR: timeout from rlogin $hostname -l root\n"
+ perror "timeout from rlogin $hostname -l root"
stop_root_shell
+ set timeout $old_timeout
catch "expect_after"
return 0
}
eof {
- send_error "ERROR: eof from rlogin $hostname -l root\n"
+ perror "eof from rlogin $hostname -l root"
stop_root_shell
+ set timeout $old_timeout
catch "expect_after"
return 0
}
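Review bot: `eval spawn $RLOGIN $hostname -l root $RLOGIN_FLAGS` concatenates all of its words and parses them again, so a `$RLOGIN` path containing whitespace or Tcl metacharacters is split or substituted before `spawn` sees it. Only `$RLOGIN_FLAGS` needs list expansion; `eval [list spawn $RLOGIN $hostname -l root] $RLOGIN_FLAGS` expands the flags and leaves the other words intact. `eval spawn $BINSH` in setup_root_shell_noremote, further down, has the same shape. setup_root_shell starts and ends outside this hunk.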
@@ -1308,7 +2302,7 @@ proc setup_root_shell { testname } {
}
# Set up our krb5.conf
- send "KRB5_CONFIG=$tmppwd/krb5.conf\r"
+ send "KRB5_CONFIG=$tmppwd/krb5.server.conf\r"
expect {
-re "$ROOT_PROMPT" { }
}
@@ -1337,13 +2331,96 @@ proc setup_root_shell { testname } {
expect {
-re "$ROOT_PROMPT" { }
"$dir:" {
- send_error "ERROR: root shell can not cd to $dir\n"
+ perror "root shell can not cd to $dir"
+ set timeout $old_timeout
stop_root_shell
return 0
}
}
- restore_runtime_env
+ expect_after
+ set timeout $old_timeout
+
+ return 1
+}
+
+proc setup_root_shell_noremote { testname } {
+ global BINSH
+ global ROOT_PROMPT
+ global KEY
+ global hostname
+ global rlogin_spawn_id
+ global rlogin_pid
+ global tmppwd
+ global env
+ global krb5_init_vars
+
+ eval spawn $BINSH
+ set rlogin_spawn_id $spawn_id
+ set rlogin_pid [exp_pid]
+
+ expect_after {
+ timeout {
+ perror "timeout from root shell"
+ stop_root_shell
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ perror "eof from root shell"
+ stop_root_shell
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+
+ # Set up a shell variable tmppwd. The callers use this to keep
+ # command line lengths down. The command line length is important
+ # because we are feeding input to a shell via a pty. On some
+ # systems a pty will only accept 255 characters.
+ send "tmppwd=$tmppwd\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+
+ # Set up our krb5.conf
+ send "KRB5_CONFIG=$tmppwd/krb5.server.conf\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+ send "export KRB5_CONFIG\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+
+ # For all of our runtime environment variables - send them over...
+ foreach i $krb5_init_vars {
+ regexp "^(\[^=\]*)=(.*)" $i foo evar evalue
+ send "$evar=$env($evar)\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+
+ send "export $evar\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ }
+ }
+
+ # Move over to the right directory.
+ set dir [pwd]
+ send "cd $dir\r"
+ expect {
+ -re "$ROOT_PROMPT" { }
+ "$dir:" {
+ perror "root shell can not cd to $dir"
+ stop_root_shell
+ return 0
+ }
+ }
expect_after
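Review bot: The values sent to the root shell in setup_root_shell_noremote are not quoted: `send "tmppwd=$tmppwd\r"` and `send "$evar=$env($evar)\r"` put the raw value on a shell command line, so a value containing a space, `;` or `$` is cut short or run as a command by a shell that has root privileges. Single-quoting the value, `send "$evar='$env($evar)'\r"`, covers everything except an embedded single quote, which would still need escaping. The `regexp` before it also fills `evalue` and never uses it. The changed `KRB5_CONFIG` line in the earlier hunk shows the same unquoted send in setup_root_shell, and this proc's body continues past the end of the hunk.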
@@ -1377,8 +2454,7 @@ proc check_date { date } {
scan $date "%s %s %d %d:%d:%d %s %d" adow amon adom ahr amn asc atz ayr
scan $ndate "%s %s %d %d:%d:%d %s %d" ndow nmon ndom nhr nmn nsc ntz nyr
if { $atz != $ntz } {
- verbose "date check failed: $atz != $ntz"
- send_log "date check failed: $atz != $ntz\n"
+ verbose -log "date check failed: $atz != $ntz"
return 0
}
return 1
@@ -1421,5 +2497,17 @@ proc setup_wrapper { file command } {
return 1
}
-
+proc krb_exit { } {
+ stop_kerberos_daemons
+}
+
+# helpful sometimes for debugging the test suite
+proc spawn_xterm { } {
+ global env
+ foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST} {
+ global $i
+ set env($i) [set $i]
+ }
+ exec "xterm"
+}
diff --git a/src/tests/dejagnu/krb-root/ChangeLog b/src/tests/dejagnu/krb-root/ChangeLog
index 3744efd..81ec954 100644
--- a/src/tests/dejagnu/krb-root/ChangeLog
+++ b/src/tests/dejagnu/krb-root/ChangeLog
@@ -1,3 +1,9 @@
+Wed Jan 31 12:32:37 2001 Ezra Peisach <epeisach@mit.edu>
+
+ * rlogin.exp: Use the build tree's version of krlogin instead of
+ using the one found in the users path that might have been used in the
+ root login.
+
Thu Nov 14 15:20:19 1996 Barry Jaspan <bjaspan@mit.edu>
* telnet.exp: telnet may output fqdn in upper-case
diff --git a/src/tests/dejagnu/krb-root/rlogin.exp b/src/tests/dejagnu/krb-root/rlogin.exp
index 4e84970..ac39520 100644
--- a/src/tests/dejagnu/krb-root/rlogin.exp
+++ b/src/tests/dejagnu/krb-root/rlogin.exp
@@ -7,8 +7,8 @@
# if they exist. If they do not, then they must be in PATH. We
# expect $objdir to be .../kerberos/src.
-if ![info exists RLOGIN] {
- set RLOGIN [findfile $objdir/../../appl/bsd/rlogin]
+if ![info exists KRLOGIN] {
+ set KRLOGIN [findfile $objdir/../../appl/bsd/rlogin]
}
if ![info exists KRLOGIND] {
@@ -119,7 +119,7 @@ proc stop_rlogin_daemon { } {
proc rlogin_test { } {
global REALMNAME
- global RLOGIN
+ global KRLOGIN
global BINSH
global SHELL_PROMPT
global KEY
@@ -141,7 +141,7 @@ proc rlogin_test { } {
start_rlogin_daemon -k
# Make an rlogin connection.
- spawn $RLOGIN $hostname -k $REALMNAME -D 3543
+ spawn $KRLOGIN $hostname -k $REALMNAME -D 3543
expect_after {
timeout {
@@ -215,7 +215,7 @@ proc rlogin_test { } {
# Try an encrypted connection.
start_rlogin_daemon -e
- spawn $RLOGIN $hostname -x -k $REALMNAME -D 3543
+ spawn $KRLOGIN $hostname -x -k $REALMNAME -D 3543
expect_after {
timeout {
diff --git a/src/tests/dejagnu/krb-standalone/ChangeLog b/src/tests/dejagnu/krb-standalone/ChangeLog
index 649fb43..e8b10f1 100644
--- a/src/tests/dejagnu/krb-standalone/ChangeLog
+++ b/src/tests/dejagnu/krb-standalone/ChangeLog
@@ -1,3 +1,207 @@
+2003-03-26 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp (v4ftp_test): Return early if $des3_krbtgt set.
+
+ * v4krb524d.exp (doit): Return early if $des3_krbtgt set.
+
+ * v4standalone.exp (check_and_destroy_v4_tix): Return early if
+ $des3_krbtgt set.
+
+2002-11-03 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp (rsh_test): Explicitly call stop_rsh_daemon upon pass
+ for "encrypted rsh" test, to avoid zombies.
+ [pullup from trunk]
+
+2002-02-06 Ken Raeburn <raeburn@mit.edu>
+
+ * standalone.exp (doit): Don't use "file delete", it isn't in Tcl
+ version 7.
+
+2002-02-05 Ken Raeburn <raeburn@mit.edu>
+
+ * standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp.
+ (doit): Call do_klist instead of implementing it here. Add a new
+ principal to the database, and test getting tickets using a
+ keytab, with multiple kvnos starting at 253 and going up past
+ 256; if first supported enctype supports v4, convert the keytab to
+ a srvtab and try getting tickets using it too. Verify that
+ kadmin.local can read the high kvno correctly.
+
+ * v4standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp. Print correct filename in top-level error message.
+ (check_and_destroy_v4_tix): New proc.
+ (doit): Call v4kinit and check_and_destroy_v4_tix.
+
+ * gssftp.exp (ftp_test): Bump kvno past 256, with multiple entries
+ in the keytab, before running test.
+
+2001-11-06 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Fix date-grabbing regexp to deal with older versions of
+ expect/tcl that have limited regexp capabilities.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Fix date grabbing code so we don't try to parse the
+ timezone-less date out of of a syslog message. expect eof in
+ places to drain pty buffers and avoid deadlock.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Remove -U flag from ftpd invocation for now, since
+ 1.2.x won't have it.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Calling send_error from within a dejagnu test is
+ wrong. So is calling exit. Fix to not do these things. Expect
+ eof rather than "\r" so as to drain pty buffers and avoid
+ deadlock.
+
+2001-11-02 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Calling send_error from within a dejagnu test is
+ wrong. So is calling exit. Fix to not do these things. Expect
+ eof rather than "\r" so as to drain pty buffers and avoid
+ deadlock.
+
+2001-10-30 Tom Yu <tlyu@mit.edu>
+
+ * standalone.exp: Change check for missing ccache to look for "No
+ credentials cache found" instead of "No credentials cache file
+ found" due to change in message text.
+
+ * v4gssftp.exp: Remove -U flag frmo ftpd invocation for now, since
+ 1.2.x won't have it. Change check for missing ccache to look for
+ "No credentials cache found" instead of "No credentials cache file
+ found" due to change in message text.
+
+ * v4krb524d.exp: Remove -p flag from krb524d invocation for now,
+ since 1.2.x won't have it.
+
+2001-10-26 Ezra Peisach <epeisach@mit.edu>
+
+ * rcp.exp, rsh_exp (stop_rsh_daemon): Do not close a process and
+ then look for eof. Some versions of expect go through a full
+ timeout in this scenario and others return immediately. New order:
+ kill process, expect eof, close, and then wait.
+ [pullup from trunk]
+
+2001-10-25 Ezra Peisach <epeisach@mit.edu>
+
+ * rsh.exp (rsh_test): Add stop_rsh_daemon before invoking
+ start_rsh_daemon again to prevent running out of ptys.
+ [pullup from trunk]
+
+2001-10-24 Mitchell Berger <mitchb@mit.edu>
+
+ * kadmin.exp: Corrected a couple of unimportant typos. Added procedures
+ kadmin_addpol, kadmin_delpol, kadmin_listpols, kadmin_modpol, and
+ kadmin_showpol, which provide the tools with which to perform policy
+ tests. Added some basic policy operations to the tests of basic
+ kadmin functions. Added a test case to exercise the kadmind crash
+ that used to occur when the history number of a policy was decreased.
+ [pullup from trunk]
+
+2001-10-24 Tom Yu <tlyu@mit.edu>
+
+ * rcp.exp (stop_rsh_daemon): Call "expect eof" to drain pty buffer
+ and avoid deadlock.
+
+ * rsh.exp (stop_rsh_daemon, rsh_test): Call "expect eof" to drain
+ pty buffer and avoid deadlock.
+ [pullups from trunk]
+
+2001-07-04 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp, gssftp.exp: Test transfering a file > 1MB to
+ exercise PBSZ failure.
+ [pullup from trunk]
+
+2001-06-22 Tom Yu <tlyu@mit.edu>
+
+ * gssftp.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * kadmin.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * rcp.exp: Use $tmppwd rather than hardcoding tmpdir.
+
+ * rsh.exp: Rearrange ordering of environment setup slightly.
+
+ * standalone.exp: Use $KLIST -5 -e so as to better debug enctype
+ problems.
+
+ * v4gssftp.exp: Do check_klogin as well as check_k5login. Use
+ $tmppwd rather than hardcoding tmpdir.
+ [pullups from trunk]
+
+2001-06-17 Ezra Peisach <epeisach@mit.edu>
+
+ * v4krb524d.exp: New tests for the krb524d and k524init programs.
+ [pullup from trunk]
+
+2001-06-08 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: During test, set KRB5CCNAME to a non-existant
+ cache. Restore at end to previous setting. This prevents failures
+ caused when the krb5 cache contains valid information - as in the
+ case of this test being run immediately after the gssftp.exp test.
+ [pullup from trunk]
+
+2001-06-08 Mitchell Berger <mitchb@mit.edu>
+
+ * gssftp.exp: Invocation of ftpd changed to use -U /dev/null and
+ -a so that the test may successfully be run by root without failing
+ (i.e. root is granted ftp access) and without opening the running
+ ftpd to a password attack (i.e. authorization is required).
+ Check for successful login messages added.
+
+ * v4gssftp.exp: Same changes.
+ [pullups from trunk]
+
+2001-06-06 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: Allow for "decrypt integrity check failed" error
+ minor code from GSSAPI as well.
+ [pullup from trunk]
+
+2001-04-26 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Allow for "no credentials cache found" error minor
+ code from GSSAPI.
+ [pullup from trunk]
+
+2000-11-08 Tom Yu <tlyu@mit.edu>
+
+ * v4gssftp.exp: Fix to handle some cases of krb4 failure prior to
+ timing out.
+ [pullup from trunk]
+
+Tue Aug 22 11:43:14 2000 Ezra Peisach <epeisach@mit.edu>
+
+ * v4gssftp.exp: New tests for the krb4 compatible interface to gssftp.
+ [pullup from trunk]
+
+2000-08-08 Ezra Peisach <epeisach@engrailed.mit.edu>
+
+ * v4standalone.exp: New set of tests for basic V4 functionality.
+ [pullup from trunk]
+
+2000-07-04 Tom Yu <tlyu@mit.edu>
+
+ * rsh.exp: Drain buffers on klist test to avoid wedging rsh on
+ exit under HP/UX.
+ [pullup from trunk]
+
+ * gssapi.exp: Rework significantly to deal with HP/UX lossage that
+ probably resulted from when either the client or the server wound
+ up blocking on tty output. Abstract things a little more. Remove
+ dead duplicate code that used to deal with "-v2". Should figure
+ out why the "-v2" stuff disappeared mysteriously.
+ [pullup from trunk]
+
2000-02-07 Tom Yu <tlyu@mit.edu>
* kadmin.exp: Use $KDESTROY -5 to deal with changed behavior.
diff --git a/src/tests/dejagnu/krb-standalone/gssapi.exp b/src/tests/dejagnu/krb-standalone/gssapi.exp
index 8f932cb..fa71728 100644
--- a/src/tests/dejagnu/krb-standalone/gssapi.exp
+++ b/src/tests/dejagnu/krb-standalone/gssapi.exp
@@ -113,6 +113,81 @@ proc gss_restore_env { } {
}
}
+proc run_client {test tkfile client} {
+ global env
+ global hostname
+ global GSSCLIENT
+ global spawn_id
+ global gss_server_spawn_id
+ global REALMNAME
+
+ set env(KRB5CCNAME) $tkfile
+ verbose "KRB5CCNAME=$env(KRB5CCNAME)"
+ verbose "spawning gssclient, identity=$client"
+ spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from $client"
+ set got_client 0
+ set got_server 0
+ expect_after {
+ -i $spawn_id
+ timeout {
+ if {!$got_client} {
+ verbose -log "client timeout"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ eof {
+ if {!$got_client} {
+ verbose -log "client eof"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ -i $gss_server_spawn_id
+ timeout {
+ if {!$got_server} {
+ verbose -log "server timeout"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ eof {
+ if {!$got_server} {
+ verbose -log "server eof"
+ fail $test
+ catch "expect_after"
+ return
+ }
+ }
+ }
+ expect {
+ -i $gss_server_spawn_id
+ "Accepted connection: \"$client@$REALMNAME\"" exp_continue
+ "Received message: \"message from $client\"" {
+ set got_server 1
+ if {!$got_client} {
+ exp_continue
+ }
+ }
+ -i $spawn_id
+ "Signature verified" {
+ set got_client 1
+ if {!$got_server} {
+ exp_continue
+ }
+ }
+ }
+ catch "expect_after"
+ if ![check_exit_status $test] {
+ # check_exit_staus already calls fail for us
+ return
+ }
+ pass $test
+}
+
proc doit { } {
global REALMNAME
global env
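Review bot: The `expect_after` in `run_client` lists `timeout` twice, once under each `-i`, but in Expect a timeout belongs to the whole command rather than to one spawn id, so as far as I can tell only one of the two arms can ever run. If that arm's guard is false, for example the client arm firing when `got_client` is 1 and `got_server` is still 0, nothing is reported and control falls through to `check_exit_status` and possibly `pass $test` without the server having logged the message. A single arm covers both cases: `timeout { verbose -log "timeout: client=$got_client server=$got_server"; fail $test; catch "expect_after"; return }`. The comment near the end also misspells `check_exit_status`.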
@@ -133,70 +208,59 @@ proc doit { } {
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 0] {
- fail gsstest
- return
+ perror "failed to start kerberos daemons"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest0 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest0 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest1 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest1 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest2 0] {
- fail gsstest
- return
+ perror "failed to set up gsstest2 key"
}
# Use kadmin to add a key for us.
if ![add_kerberos_key gsstest3 0] {
- fail gsstest
- return
+ perror "faild to set up gsstest3 key"
}
# Use kadmin to add a service key for us.
if ![add_random_key gssservice/$hostname 0] {
- fail gsstest
- return
+ perror "failed to set up gssservice/$hostname key"
}
# Use kdb5_edit to create a srvtab entry for gssservice
if ![setup_srvtab 0 gssservice] {
- fail gsstest
- return
+ perror "failed to set up gssservice srvtab"
}
catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
# Use kinit to get a ticket.
if ![our_kinit gsstest0 gsstest0$KEY $tmppwd/gss_tk_0] {
- fail gsstest
- return
+ perror "failed to kinit gsstest0"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest1 gsstest1$KEY $tmppwd/gss_tk_1] {
- fail gsstest
- return
+ perror "failed to kinit gsstest1"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest2 gsstest2$KEY $tmppwd/gss_tk_2] {
- fail gsstest
- return
+ perror "failed to kinit gsstest2"
}
# Use kinit to get a ticket.
if ![our_kinit gsstest3 gsstest3$KEY $tmppwd/gss_tk_3] {
- fail gsstest
- return
+ perror "failed to kinit gsstest3"
}
#
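Review bot: Execution continues after a failed setup step, because the new `perror` calls are not followed by `return` as the old `fail gsstest` lines were. With the KDC not running or a key missing, the later kinit and gssclient steps still run, and each has to wait out its own timeout before anything is reported. If the aim is only to record the failure differently, keep the early exit, i.e. `perror "failed to start kerberos daemons"` followed by `return`, and likewise for the other steps. The gsstest3 message has a typo, `faild`. doit starts above this hunk and continues below it.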
@@ -219,377 +283,30 @@ proc doit { } {
spawn $GSSSERVER -port 5556 gssservice@$hostname
set gss_server_pid [exp_pid]
set gss_server_spawn_id $spawn_id
- catch "exec sleep 4"
-
- # Start the client with client identity 0
- set env(KRB5CCNAME) $tmppwd/gss_tk_0
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest0"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest0@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest0\""
- catch "expect_after"
- if ![check_exit_status gssclient0] {
- fail gssclient0
- return
- }
- pass gssclient0
-
- # Start the client with client identity 1
- set env(KRB5CCNAME) $tmppwd/gss_tk_1
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest1"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest1@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest1\""
- catch "expect_after"
- if ![check_exit_status gssclient1] {
- fail gssclient1
- return
- }
- pass gssclient1
-
- # Start the client with client identity 2
- set env(KRB5CCNAME) $tmppwd/gss_tk_2
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest2"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest2@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest2\""
- catch "expect_after"
- if ![check_exit_status gssclient2] {
- fail gssclient2
- return
- }
- pass gssclient2
-
- # Start the client with client identity 3
- set env(KRB5CCNAME) $tmppwd/gss_tk_3
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5556 $hostname gssservice@$hostname "message from gsstest3"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail "gssclient3 (server timeout)"
- catch "expect_after"
- return
- }
- eof {
- fail "gssclient3 (server eof)"
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest3@$REALMNAME\""
- # Drain some output from the verbose client side. Otherwise, this
- # test sometimes fails under HP-UX.
- expect -i $spawn_id "\"gsstest3@KRBTEST.COM\" to \"gssservice"
- expect -i $spawn_id "Mechanism { * } supports * name"
-
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest3\""
- catch "expect_after"
- expect_after {
- -i $spawn_id
- timeout {
- fail "gssclient3 (timeout)"
- catch "expect_after"
- return
- }
- eof {
- fail "gssclient3 (eof)"
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- if ![check_exit_status gssclient3] {
- fail "gssclient3 (exit status)"
- return
- }
- pass gssclient3
-
- stop_gss_server
-
- # Try some V2 services.
- # Now start the gss-server.
- spawn $GSSSERVER -port 5557 gssservice@$hostname
- set gss_server_pid [exp_pid]
- set gss_server_spawn_id $spawn_id
- catch "exec sleep 4"
+ sleep 2
- # Start the client with client identity 0
- set env(KRB5CCNAME) $tmppwd/gss_tk_0
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest0"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient0
- catch "expect_after"
- return
- }
- eof {
- fail gssclient0
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest0@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest0\""
- catch "expect_after"
- if ![check_exit_status gssclient0] {
- fail gssclient0
- return
- }
- pass gssclient0
-
- # Start the client with client identity 1
- set env(KRB5CCNAME) $tmppwd/gss_tk_1
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest1"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient1
- catch "expect_after"
- return
- }
- eof {
- fail gssclient1
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest1@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest1\""
- catch "expect_after"
- if ![check_exit_status gssclient1] {
- fail gssclient1
- return
- }
- pass gssclient1
-
- # Start the client with client identity 2
- set env(KRB5CCNAME) $tmppwd/gss_tk_2
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest2"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient2
- catch "expect_after"
- return
- }
- eof {
- fail gssclient2
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest2@$REALMNAME\""
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest2\""
- catch "expect_after"
- if ![check_exit_status gssclient2] {
- fail gssclient2
- return
- }
- pass gssclient2
-
- # Start the client with client identity 3
- set env(KRB5CCNAME) $tmppwd/gss_tk_3
- verbose "KRB5CCNAME=$env(KRB5CCNAME)"
- spawn $GSSCLIENT -port 5557 $hostname gssservice@$hostname "message from gsstest3"
- expect_after {
- -i $gss_server_spawn_id
- timeout {
- fail gssclient3
- catch "expect_after"
- return
- }
- eof {
- fail gssclient3
- catch "expect_after"
- return
- }
- }
- expect -i $gss_server_spawn_id "Accepted connection: \"gsstest3@$REALMNAME\""
-
- # Drain some output from the verbose client side. Otherwise, this
- # test sometimes fails under HP-UX.
- expect -i $spawn_id "\"gsstest3@KRBTEST.COM\" to \"gssservice"
- expect -i $spawn_id "Mechanism { * } supports * name"
-
- expect -i $gss_server_spawn_id "Received message: \"message from gsstest3\""
- catch "expect_after"
- expect_after {
- -i $spawn_id
- timeout {
- fail gssclient3
- catch "expect_after"
- return
- }
- eof {
- fail gssclient3
- catch "expect_after"
- return
- }
- }
- expect -i $spawn_id "Signature verified"
- catch "expect_after"
- if ![check_exit_status gssclient3] {
- fail gssclient3
- return
- }
- pass gssclient3
+ run_client gssclient0 $tmppwd/gss_tk_0 gssclient0
+ run_client gssclient1 $tmppwd/gss_tk_1 gssclient1
+ run_client gssclient2 $tmppwd/gss_tk_2 gssclient2
+ run_client gssclient3 $tmppwd/gss_tk_3 gssclient3
stop_gss_server
gss_restore_env
if ![our_kdestroy $tmppwd/gss_tk_0] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_0" 0
}
if ![our_kdestroy $tmppwd/gss_tk_1] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_1" 0
}
if ![our_kdestroy $tmppwd/gss_tk_2] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_2" 0
}
if ![our_kdestroy $tmppwd/gss_tk_3] {
- fail gsstest
- return
+ perror "failed kdestroy gss_tk_3" 0
}
catch "exec rm -f $tmppwd/gss_tk_0 $tmppwd/gss_tk_1 $tmppwd/gss_tk_2 $tmppwd/gss_tk_3"
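Review bot: Server readiness is still assumed from a fixed delay, now shortened to `sleep 2`, before the first `run_client` connects to port 5556. On a loaded host the first client can run before gss-server is accepting connections, and the test would then fail for a reason unrelated to GSS-API. If gss-server prints anything once it is listening, an `expect -i $gss_server_spawn_id` on that output would be deterministic. Otherwise the delay deserves a comment such as `# gss-server gives no readiness signal; raise this delay if the first client sees connection refused`. The definition of run_client starts outside this hunk, so whether it retries on connect failure cannot be checked here.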
@@ -604,7 +321,6 @@ gss_restore_env
stop_kerberos_daemons
if { $status != 0 } {
- send_error "ERROR: error in gssapi.exp\n"
- send_error "$msg\n"
- exit 1
+ perror "error in gssapi.exp" 0
+ perror $msg 0
}
diff --git a/src/tests/dejagnu/krb-standalone/gssftp.exp b/src/tests/dejagnu/krb-standalone/gssftp.exp
index 2dea3a5..bda1d12 100644
--- a/src/tests/dejagnu/krb-standalone/gssftp.exp
+++ b/src/tests/dejagnu/krb-standalone/gssftp.exp
@@ -41,7 +41,9 @@ proc start_ftp_daemon { } {
# don't need to use inetd. The 3021 is the port to listen at.
# We rely on KRB5_KTNAME being set to the proper keyfile as there is
# no way to cleanly set it with the gssapi API.
- spawn $FTPD -p 3021 -r $tmppwd/krb5.conf
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -r $tmppwd/krb5.conf
set ftpd_spawn_id $spawn_id
set ftpd_pid [exp_pid]
@@ -64,12 +66,21 @@ proc stop_ftp_daemon { } {
}
# Create a file to use for ftp testing.
-set file [open tmpdir/ftp-test w]
+set file [open $tmppwd/ftp-test w]
puts $file "This file is used for ftp testing."
close $file
+# Create a large file to use for ftp testing. File needs to be
+# larger that 2^20 or 1MB for PBSZ testing.
+set file [open $tmppwd/bigftp-test w]
+puts $file "This file is used for ftp testing.\n"
+seek $file 1048576 current
+puts $file "This file is used for ftp testing."
+close $file
+
+
# Test that a file was copied correctly.
-proc check_file { filename } {
+proc check_file { filename {bigfile 0}} {
if ![file exists $filename] {
verbose "$filename does not exist"
send_log "$filename does not exist\n"
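Review bot: The hole size `1048576` written here and the `seek $file 1048577 current` in check_file are coupled only by hand, so changing one without the other makes the big-file check read the wrong offset. A shared variable would keep them in step, for example `set bigfile_gap 1048576` used as `seek $file $bigfile_gap current` here and as `[expr $bigfile_gap + 1]` in check_file. The comment also has a typo and could explain the layout: `# larger than 2^20 (1MB) for PBSZ testing; first line, a blank line, a 1MB hole, then the last line`. The blank line comes from the explicit `\n` in the first `puts`, which is why the reader needs the `+ 1`. check_file's body continues outside this hunk.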
@@ -91,6 +102,24 @@ proc check_file { filename } {
return 0
}
+ if {$bigfile} {
+ # + 1 for the newline
+ seek $file 1048577 current
+ if { [gets $file line] == -1 } {
+ verbose "$filename is truncated"
+ send_log "$filename is truncated\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+ }
+
if { [gets $file line] != -1} {
verbose "$filename is too long ($line)"
send_log "$filename is too long ($line)\n"
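Review bot: The `bigfile` branch verifies only the line after the 1MB gap, so the content of the gap is never compared. A transfer that preserves the length but corrupts or reorders data in the middle would still pass, which matters for the encrypted get where the file crosses several PROT buffers. A byte-for-byte comparison against the source file would close that gap, for example `if [catch "exec cmp $tmppwd/bigftp-test $filename"] { send_log "$filename differs from source\n"; close $file; return 0 }`, with `global tmppwd` added to the proc. check_file starts and ends outside this hunk.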
@@ -123,6 +152,7 @@ proc ftp_restore_env { } {
proc ftp_test { } {
global FTP
global KEY
+ global REALMNAME
global hostname
global localhostname
global env
@@ -136,7 +166,12 @@ proc ftp_test { } {
# ticket file.
if {![start_kerberos_daemons 0] \
|| ![add_random_key ftp/$hostname 0] \
+ || ![modify_principal ftp/$hostname -kvno 254] \
|| ![setup_srvtab 0 ftp] \
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![do_klist_kt $tmppwd/srvtab "gssftp keytab list"]
|| ![add_kerberos_key $env(USER) 0] \
|| ![kinit $env(USER) $env(USER)$KEY 0]} {
return
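Review bot: The three identical `xst $tmppwd/srvtab ftp/$hostname` lines read as a copy-paste mistake because nothing explains them. Following `modify_principal ftp/$hostname -kvno 254`, they presumably step the key version past 255 to exercise kvno wraparound in the keytab. A comment above the condition would make that explicit, for example `# kvno is set to 254 and then bumped by three xst calls so the service key crosses the 8-bit kvno boundary`. The four added lines from the first `xst` through `do_klist_kt` also omit the trailing ` \` used by every other line of the condition. Inside the braces this is harmless, but it is inconsistent and easy to break if the expression is ever unbraced.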
@@ -185,9 +220,9 @@ proc ftp_test { } {
}
expect -nocase "name ($hostname:$env(USER)): "
send "$env(USER)\r"
-# expect "User $env(USER) logged in."
-# expect "Remote system type is UNIX."
-# expect "Using binary mode to transfer files."
+ expect "GSSAPI user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
expect "ftp> " {
pass $testname
}
@@ -236,26 +271,26 @@ proc ftp_test { } {
set testname "get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get $tmppwd/ftp-test $tmppwd/copy\r"
expect "Opening BINARY mode data connection for $tmppwd/ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
}
set testname "put"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "put $tmppwd/ftp-test $tmppwd/copy\r"
expect "Opening BINARY mode data connection for $tmppwd/copy"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
@@ -269,20 +304,33 @@ proc ftp_test { } {
}
set testname "lcd"
- send "lcd tmpdir\r"
+ send "lcd $tmppwd\r"
expect "Local directory now $tmppwd"
expect "ftp> " {
pass $testname
}
set testname "local get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get ftp-test copy\r"
expect "Opening BINARY mode data connection for ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "big local get"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
pass $testname
} else {
fail $testname
@@ -303,18 +351,38 @@ proc ftp_test { } {
}
set testname "encrypted get"
- catch "exec rm -f tmpdir/copy"
+ catch "exec rm -f $tmppwd/copy"
send "get ftp-test copy\r"
expect "Opening BINARY mode data connection for ftp-test"
expect "Transfer complete"
expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
expect "ftp> "
- if [check_file tmpdir/copy] {
+ if [check_file $tmppwd/copy] {
pass $testname
} else {
fail $testname
}
+ set testname "big encrypted get"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect {
+ -timeout 300
+ "Transfer complete" {}
+ -re "Length .* of PROT buffer > PBSZ" {
+ fail "$testname (PBSZ)"
+ return 0
+ }
+ }
+ expect -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
set testname "close"
send "close\r"
expect "Goodbye."
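Review bot: The seconds pattern in `big encrypted get` was widened to `\[0-9.e+-\]+`, but `big local get` and the other transfer checks in this file still use `\[0-9.e-\]+`. If the client ever prints the elapsed time with a positive exponent, those tests would wait for the timeout instead of matching. Using the widened class in every `bytes received in` / `bytes sent in` pattern keeps them consistent. The PBSZ arm also exits with `return 0`, while the visible early exit in ftp_test's setup condition uses a bare `return`. ftp_test's body continues outside this hunk.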
@@ -333,7 +401,8 @@ proc ftp_test { } {
set testname "quit"
send "quit\r"
- expect "\r"
+ expect_after
+ expect eof
if [check_exit_status $testname] {
pass $testname
}
@@ -371,7 +440,5 @@ if [info exists home] {
}
if { $status != 0 } {
- send_error "ERROR: error in ftp.exp\n"
- send_error "$msg\n"
- exit 1
+ perror "error in gssftp.exp: $msg"
}
diff --git a/src/tests/dejagnu/krb-standalone/kadmin.exp b/src/tests/dejagnu/krb-standalone/kadmin.exp
index 8167b02..d4754e4 100644
--- a/src/tests/dejagnu/krb-standalone/kadmin.exp
+++ b/src/tests/dejagnu/krb-standalone/kadmin.exp
@@ -37,7 +37,7 @@ proc kadmin_add { pname password } {
spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $pname"
expect_after {
"Cannot contact any KDC" {
- fail "kadmin add$pname lost KDC"
+ fail "kadmin add $pname lost KDC"
catch "expect_after"
return 0
}
@@ -162,7 +162,7 @@ proc kadmin_add_rnd { pname } {
expect_after
expect eof
set k_stat [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnt)"
+ verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnd)"
catch "close -i $spawn_id"
if { $good == 1 } {
#
@@ -437,10 +437,11 @@ proc kadmin_extract { instance name } {
global KADMIN
global KEY
global spawn_id
+ global tmppwd
- catch "exec rm -f tmpdir/keytab"
+ catch "exec rm -f $tmppwd/keytab"
- spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k tmpdir/keytab $name/$instance"
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k $tmppwd/keytab $name/$instance"
expect_after {
"Cannot contact any KDC" {
fail "kadmin xst $instance $name lost KDC"
@@ -461,7 +462,7 @@ proc kadmin_extract { instance name } {
expect "Enter password:" {
send "adminpass$KEY\r"
}
-# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:tmpdir/keytab."
+# expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:$tmppwd/keytab."
expect_after
expect eof
set k_stat [wait -i $spawn_id]
@@ -644,6 +645,292 @@ proc kpasswd_cpw { princ opw npw } {
}
#++
+# kadmin_addpol - Test add new policy function of kadmin.
+#
+# Adds policy $pname. Returns 1 on success.
+#--
+proc kadmin_addpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KADMIN_LOCAL
+ global KEY
+ global spawn_id
+ global tmppwd
+
+ set good 0
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "addpol $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin addpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
+ catch "close -i $spawn_id"
+ #
+ # use kadmin.local to verify that a policy was created
+ #
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ -i $spawn_id
+ timeout {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin addpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ set good 0
+ expect "kadmin.local: " { send "getpol $pname\r" }
+ expect "Policy: $pname" { set good 1 }
+ expect "Maximum password life:" { verbose "got max pw life" }
+ expect "Minimum password life:" { verbose "got min pw life" }
+ expect "Minimum password length:" { verbose "got min pw length" }
+ expect "Minimum number of password character classes:" {
+ verbose "got min pw character classes" }
+ expect "Number of old keys kept:" { verbose "got num old keys kept" }
+ expect "Reference count:" { verbose "got refcount" }
+ expect "kadmin.local: " { send "q\r" }
+
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ pass "kadmin addpol $pname"
+ return 1
+ }
+ else {
+ fail "kadmin addpol $pname"
+ return 0
+ }
+}
+
+#++
+# kadmin_delpol - Test delete policy function of kadmin.
+#
+# Deletes policy $pname. Returns 1 on success.
+#--
+proc kadmin_delpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KADMIN_LOCAL
+ global KEY
+ global spawn_id
+ global tmppwd
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delpol -force $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin_delpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin delpol)"
+ catch "close -i $spawn_id"
+ #
+ # use kadmin.local to verify that the old policy is not present.
+ #
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ -i $spawn_id
+ timeout {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin delpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ set good 0
+ expect "kadmin.local: " { send "getpol $pname\r" }
+ expect "Policy does not exist while retrieving policy \"$pname\"." {
+ set good 1
+ }
+ expect "kadmin.local: " { send "quit\r" }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin.local showpol)"
+ catch "close -i $spawn_id"
+ if { $good == 1 } {
+ pass "kadmin delpol $pname"
+ return 1
+ }
+ else {
+ fail "kadmin delpol $pname"
+ return 0
+ }
+}
+
+#++
+# kadmin_listpols - Test list policy database function of kadmin.
+#
+# Lists the policies. Returns 1 on success.
+#--
+proc kadmin_listpols { } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_policies *"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin lpols lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin lpols"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin lpols"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:" {
+ send "adminpass$KEY\r"
+ }
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin listpols)"
+ catch "close -i $spawn_id"
+ pass "kadmin lpols"
+ return 1
+}
+
+#++
+# kadmin_modpol - Test modify policy function of kadmin.
+#
+# Modifies policy $pname with flags $flags. Returns 1 on success.
+#--
+proc kadmin_modpol { pname flags } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "modpol $flags $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin modpol $pname ($flags) lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin modpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin modpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ # When in doubt, jam one of these in there.
+ expect "\r"
+ # Sadly, kadmin doesn't print a confirmation message for policy operations.
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin modpol)"
+ catch "close -i $spawn_id"
+ pass "kadmin modpol $pname"
+ return 1
+}
+
+#++
+# kadmin_showpol - Test show policy function of kadmin.
+#
+# Retrieves entry for $pname. Returns 1 on success.
+#--
+proc kadmin_showpol { pname } {
+ global REALMNAME
+ global KADMIN
+ global KEY
+ global spawn_id
+
+ spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_policy $pname"
+ expect_after {
+ "Cannot contact any KDC" {
+ fail "kadmin showpol $pname lost KDC"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin showpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin showpol $pname"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "Enter password:"
+ send "adminpass$KEY\r"
+ expect -re "\r.*Policy: $pname.*Number of old keys kept: .*Reference count: .*\r"
+ expect_after
+ expect eof
+ set k_stat [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $k_stat (kadmin showpol)"
+ catch "close -i $spawn_id"
+ pass "kadmin showpol $pname"
+ return 1
+}
+
+#++
# kdestroy
#--
proc kdestroy { } {
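Review bot: In kadmin_addpol and kadmin_delpol the `else {` sits on its own line after the closing brace of the `if`. Tcl ends the `if` command at that newline and then tries to run `else` as a separate command. The success path returns before reaching it, but when `$good` is not 1 the proc raises an invalid-command error instead of recording `fail` and returning 0. Joining the lines as `} else {` in both procs fixes it. Note also that kadmin_listpols and kadmin_modpol call `pass` unconditionally once kadmin exits, so they confirm only that the command ran, not that it had the intended effect.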
@@ -668,6 +955,10 @@ proc kadmin_test { } {
# Test basic kadmin functions.
if {![kadmin_add v5principal/instance1 v5principal] \
+ || ![kadmin_addpol standardpol] \
+ || ![kadmin_showpol standardpol] \
+ || ![kadmin_listpols] \
+ || ![kadmin_modpol standardpol "-minlength 5"] \
|| ![kadmin_add v4principal/instance2 v4principal] \
|| ![kadmin_add_rnd v5random] \
|| ![kadmin_show v5principal/instance1] \
@@ -678,11 +969,13 @@ proc kadmin_test { } {
|| ![kadmin_cpw_rnd v5random] \
|| ![kadmin_modify v5random -allow_tix] \
|| ![kadmin_modify v5random +allow_tix] \
+ || ![kadmin_modify v5random "-policy standardpol"] \
|| ![kadmin_list] \
|| ![kadmin_extract instance1 v5principal] \
|| ![kadmin_delete v5random] \
|| ![kadmin_delete v4principal/instance2] \
- || ![kadmin_delete v5principal/instance1]} {
+ || ![kadmin_delete v5principal/instance1] \
+ || ![kadmin_delpol standardpol]} {
return
}
@@ -713,9 +1006,10 @@ proc kadmin_test { } {
|| ![kadmin_delete testprinc1/instance]} {
return
}
+
# now test modify changes.
if {![kadmin_add testuser longtestpw] \
- || ![kinit testuser longtestpw 0] \
+ || ![kinit testuser longtestpw 0] \
|| ![kdestroy] \
|| ![kadmin_modify testuser "-maxlife \"2500 seconds\""] \
|| ![kinit testuser longtestpw 0] \
@@ -724,6 +1018,21 @@ proc kadmin_test { } {
return
}
+ # now test that reducing the history number doesn't make kadmind vulnerable.
+ if {![kadmin_addpol crashpol] \
+ || ![kadmin_modpol crashpol "-history 5"] \
+ || ![kadmin_add crash first] \
+ || ![kadmin_modify crash "-policy crashpol"] \
+ || ![kadmin_cpw crash second] \
+ || ![kadmin_cpw crash third] \
+ || ![kadmin_cpw crash fourth] \
+ || ![kadmin_modpol crashpol "-history 3"] \
+ || ![kadmin_cpw crash fifth] \
+ || ![kadmin_delete crash] \
+ || ![kadmin_delpol crashpol]} {
+ return
+ }
+
verbose "kadmin_test succeeded"
}
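Review bot: The comment on the `crashpol` block, "doesn't make kadmind vulnerable", does not say what is being guarded against. From the sequence it appears to be a regression test: a principal accumulates password history under `-history 5`, the policy is lowered to `-history 3`, and the next password change must still succeed. A more specific comment would help, for example `# Regression: lowering a policy's -history below the number of old keys already stored must not break the next password change`. The block also returns on the first failing step, so `kadmin_delete crash` and `kadmin_delpol crashpol` are skipped and both entries stay in the test database for whatever runs next. kadmin_test starts outside this hunk.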
diff --git a/src/tests/dejagnu/krb-standalone/rcp.exp b/src/tests/dejagnu/krb-standalone/rcp.exp
index a51196c..3367b3a 100644
--- a/src/tests/dejagnu/krb-standalone/rcp.exp
+++ b/src/tests/dejagnu/krb-standalone/rcp.exp
@@ -72,15 +72,16 @@ proc stop_rsh_daemon { } {
global krshd_pid
if [info exists krshd_pid] {
- catch "close -i $krshd_spawn_id"
catch "exec kill $krshd_pid"
+ catch "expect -i $krshd_spawn_id eof"
+ catch "close -i $krshd_spawn_id"
catch "wait -i $krshd_spawn_id"
unset krshd_pid
}
}
# Create a file to use for rcp testing.
-set file [open tmpdir/rcp-test w]
+set file [open $tmppwd/rcp-test w]
puts $file "This file is used for rcp testing."
close $file
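Review bot: The reordering in stop_rsh_daemon (kill, then `expect ... eof`, then close, then wait) carries no comment saying why the order matters, and the identical change appears in rsh.exp. A comment in both places would keep a later cleanup from reverting it, for example `# kill first and drain to eof before close, so wait does not race with a daemon that is still writing`. That reasoning is inferred from the new order and should be confirmed by the author. If krshd does not exit on the default signal from `exec kill`, the new `expect ... eof` will block for the full expect timeout on every daemon stop.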
@@ -125,9 +126,9 @@ proc rcp_one_test { testname options frompref topref } {
global RCP
global tmppwd
- send_log "rm -f tmpdir/copy\n"
- verbose "exec rm -f tmpdir/copy"
- catch "exec rm -f tmpdir/copy"
+ send_log "rm -f $tmppwd/copy\n"
+ verbose "exec rm -f $tmppwd/copy"
+ catch "exec rm -f $tmppwd/copy"
set from [format "%s%s" $frompref $tmppwd/rcp-test]
set to [format "%s%s" $topref $tmppwd/copy]
@@ -143,7 +144,7 @@ proc rcp_one_test { testname options frompref topref } {
return 0
}
- if ![check_file tmpdir/copy] {
+ if ![check_file $tmppwd/copy] {
fail $testname
return 0
}
diff --git a/src/tests/dejagnu/krb-standalone/rsh.exp b/src/tests/dejagnu/krb-standalone/rsh.exp
index 09b5222..2cd6802 100644
--- a/src/tests/dejagnu/krb-standalone/rsh.exp
+++ b/src/tests/dejagnu/krb-standalone/rsh.exp
@@ -27,7 +27,6 @@ if ![check_k5login rsh] {
# Set up the kerberos database.
if {![get_hostname] \
|| ![setup_kerberos_files] \
- || ![setup_kerberos_env] \
|| ![setup_kerberos_db 0]} {
return
}
@@ -58,8 +57,9 @@ proc stop_rsh_daemon { } {
global krshd_pid
if [info exists krshd_pid] {
- catch "close -i $krshd_spawn_id"
catch "exec kill $krshd_pid"
+ catch "expect -i $krshd_spawn_id eof"
+ catch "close -i $krshd_spawn_id"
catch "wait -i $krshd_spawn_id"
unset krshd_pid
}
@@ -85,6 +85,7 @@ proc rsh_test { } {
|| ![add_kerberos_key host/$hostname 0] \
|| ![setup_srvtab 0] \
|| ![add_kerberos_key $env(USER) 0] \
+ || ![setup_kerberos_env client] \
|| ![kinit $env(USER) $env(USER)$KEY 0]} {
return
}
@@ -96,7 +97,7 @@ proc rsh_test { } {
set testname "date"
spawn $RSH $hostname -k $REALMNAME -D 3544 -A date
expect {
- -re "\[A-Za-z0-9 :\]+\[\r\n\]+$" {
+ -re "\[A-Za-z0-9\]+ \[A-Za-z0-9\]+ +\[0-9\]+ \[0-9\]+:\[0-9\]+:\[0-9\]+ \[A-Za-z0-9\]+ \[0-9\]+\r\n" {
set result $expect_out(0,string)
}
timeout {
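Review bot: The tightened `date` pattern encodes the POSIX-locale layout (weekday, month, day, time, zone, year, single-spaced apart from the day field), but nothing in the hunk pins the locale of the remote command. If the rsh session inherits a non-C locale from the test environment, `date` may print a different layout and the test would fail with a timeout. A comment such as `# matches the C/POSIX locale date(1) format only` documents the assumption. Running the remote command with `LC_ALL=C` set would remove the dependency. rsh_test's body continues outside this hunk.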
@@ -129,7 +130,7 @@ proc rsh_test { } {
set testname "encrypted rsh"
spawn $RSH $hostname -x -k $REALMNAME -D 3544 -A echo hello
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
set failed yes
@@ -140,11 +141,13 @@ proc rsh_test { } {
}
}
+ catch "expect eof"
if { $failed == "no" } {
if ![check_exit_status $testname] {
return
}
pass $testname
+ stop_rsh_daemon
} else {
catch "wait -i $spawn_id"
catch "close -i $spawn_id"
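Review bot: `stop_rsh_daemon` is added only after `pass $testname`, so the `return` taken when `check_exit_status` fails exits rsh_test with krshd still running on port 3544. Calling it before that early return gives the same cleanup on both paths, for example `if ![check_exit_status $testname] { stop_rsh_daemon; return }`. The `catch "expect eof"` added before the `if` also repeats the `expect eof` already run inside the `"hello"` arm in the preceding hunk. One of the two is enough. The `else` branch continues outside this hunk, so whether the failure path stops the daemon later cannot be seen here.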
@@ -162,7 +165,9 @@ proc rsh_test { } {
spawn $RSH $hostname -f -k $REALMNAME -D 3544 -A $BINSH -c $tmppwd/klist.wrap
expect {
- "Ticket cache:" { }
+ "Ticket cache:*\r" {
+ expect eof
+ }
"klist: No credentials cache file found" {
fail "$testname (not forwarded)"
return
@@ -191,7 +196,9 @@ proc rsh_test { } {
set testname "encrypted rsh forwarding tickets"
spawn $RSH $hostname -x -f -k $REALMNAME -D 3544 -A $BINSH -c $tmppwd/klist.wrap
expect {
- "Ticket cache:" { }
+ "Ticket cache:*\r" {
+ expect eof
+ }
"klist: No credentials cache file found" {
fail "$testname (not forwarded)"
return
@@ -214,13 +221,12 @@ proc rsh_test { } {
stop_rsh_daemon
-
# Check stderr
start_rsh_daemon -k
set testname "rsh to stderr"
spawn $RSH $hostname -k $REALMNAME -D 3544 -A $BINSH -c "'echo hello 1>&2'"
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
return
@@ -237,11 +243,13 @@ proc rsh_test { } {
pass $testname
+ stop_rsh_daemon
+
start_rsh_daemon -e
set testname "encrypted rsh to stderr"
spawn $RSH $hostname -x -k $REALMNAME -D 3544 -A $BINSH -c "'echo hello 1>&2'"
expect {
- "hello" { }
+ "hello" { expect eof }
timeout {
fail "$testname (timeout)"
return
diff --git a/src/tests/dejagnu/krb-standalone/standalone.exp b/src/tests/dejagnu/krb-standalone/standalone.exp
index e925b53..e493b65 100644
--- a/src/tests/dejagnu/krb-standalone/standalone.exp
+++ b/src/tests/dejagnu/krb-standalone/standalone.exp
@@ -4,14 +4,6 @@
# This mostly just calls procedures in testsuite/config/default.exp.
-if ![info exists KLIST] {
- set KLIST [findfile $objdir/../../clients/klist/klist]
-}
-
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
# Set up the Kerberos files and environment.
if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
return
@@ -32,9 +24,12 @@ proc doit { } {
global KLIST
global KDESTROY
global KEY
+ global KADMIN_LOCAL
+ global KTUTIL
global hostname
global tmppwd
global spawn_id
+ global supported_enctypes
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
@@ -57,30 +52,9 @@ proc doit { } {
}
# Make sure that klist can see the ticket.
- spawn $KLIST -5
- expect {
- -re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*krbtest/admin@$REALMNAME.*krbtgt/$REALMNAME@$REALMNAME\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist"
- return
- }
- eof {
- fail "klist"
- return
- }
- }
-
- expect {
- "\r" { }
- eof { }
- }
-
- if ![check_exit_status "klist"] {
+ if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return
}
- pass "klist"
# Destroy the ticket.
spawn $KDESTROY -5
@@ -90,33 +64,83 @@ proc doit { } {
pass "kdestroy"
# Double check that the ticket was destroyed.
- spawn $KLIST -5
- expect {
- -re "klist: No credentials cache file found.*\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist after kdestroy"
- return
+ if ![do_klist_err "klist after destroy"] { return }
+
+ if ![add_random_key foo/bar 1] {
+ return
+ }
+
+ set keytab $tmppwd/fookeytab
+ catch "exec rm -f $keytab"
+
+ modify_principal foo/bar -kvno 252
+ foreach vno {253 254 255 256 257 258} {
+ xst $tmppwd/fookeytab foo/bar
+ do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
+ kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
+ do_kdestroy "kdestroy foo/bar vno $vno"
+
+ if [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]] {
+ catch "exec rm -f $tmppwd/foosrvtab"
+ spawn $KTUTIL
+ expect_after {
+ timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ eof { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ }
+ expect "ktutil: "
+ send "rkt $tmppwd/fookeytab\r"
+ expect -ex "rkt $tmppwd/fookeytab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "list\r"
+# expect "ktutil: "
+ #
+ send "wst $tmppwd/foosrvtab\r"
+ expect -ex "wst $tmppwd/foosrvtab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "clear\r"
+# expect "ktutil: "
+# send "rst $tmppwd/foosrvtab\r"
+# expect "ktutil: "
+# send "list\r"
+# expect "ktutil: "
+ # okay, now quit and finish testing
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] {
+ pass "ktutil converting keytab to srvtab (vno $vno)"
+ do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno"
+ kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno"
+ do_kdestroy "kdestroy st foo/bar vno $vno"
+ }
+ } else {
+ verbose "skipping v5kinit/srvtab tests because of non-v4 enctype"
}
- eof {
- fail "klist after kdestroy"
- return
+ }
+ catch "exec rm -f $keytab"
+ # Check that kadmin.local can actually read the correct kvno, even
+ # if we don't expect kadmin to be able to.
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ set ok 1
+ expect_after {
+ timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
+ eof { fail "kadmin.local correct high kvno" ; set ok 0 }
+ }
+ expect "kadmin.local: "
+ send "getprinc foo/bar\r"
+# exec sleep 10
+ expect "Key: vno $vno,"
+ send "quit\r"
+ expect eof
+ if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
+ if $ok {
+ pass "kadmin.local correct high kvno"
}
}
- # We can't use check_exit_status, because we expect an exit status
- # of 1.
- set status_list [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $status_list (klist)"
- if { [lindex $status_list 2] != 0 } {
- fail "klist (bad exit status) $status_list"
- return
- } else { if { [lindex $status_list 3] != 1 } {
- fail "klist (bad exit status) $status_list"
- return
- } else {
- pass klist
- } }
}
set status [catch doit msg]
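Review bot: The ktutil block inside the `foreach vno` loop can log both a fail and a pass for the same conversion, because its `expect_after` handlers do `set ok 0` but `ok` is never initialised or tested there. The kadmin.local block further down does have `set ok 1` and `if $ok`. I would add `set ok 1` before `spawn $KTUTIL` and wrap the `pass` and the follow-up srvtab checks in `if $ok { ... }` in the same way. The step labelled "klist srvtab" runs `do_klist_kt` on `$tmppwd/fookeytab` rather than on the srvtab just written, which looks like a copy-paste slip unless the helper cannot read srvtabs. Also, `$tmppwd/foosrvtab` is only removed at the start of each iteration, so the last one stays on disk with key material; a `catch "exec rm -f $tmppwd/foosrvtab"` next to the final keytab cleanup would cover it.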
diff --git a/src/tests/dejagnu/krb-standalone/v4gssftp.exp b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
new file mode 100644
index 0000000..1e90b2a
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4gssftp.exp
@@ -0,0 +1,501 @@
+# Kerberos ftp test.
+# This is a DejaGnu test script.
+# This script tests Kerberos ftp.
+# Originally written by Ian Lance Taylor, Cygnus Support, <ian@cygnus.com>.
+# Modified bye Ezra Peisach for GSSAPI support.
+
+# Find the programs we need. We use the binaries from the build tree
+# if they exist. If they do not, then they must be in PATH. We
+# expect $objdir to be .../kerberos/build/tests/dejagnu
+
+if ![info exists FTP] {
+ set FTP [findfile $objdir/../../appl/gssftp/ftp/ftp]
+}
+
+if ![info exists FTPD] {
+ set FTPD [findfile $objdir/../../appl/gssftp/ftpd/ftpd]
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Make sure .klogin is reasonable.
+if ![check_k5login ftp] {
+ return
+}
+
+if ![check_klogin ftp] {
+ return
+}
+
+# Set up the kerberos database.
+if {![get_hostname] \
+ || ![setup_kerberos_files] \
+ || ![setup_kerberos_env] \
+ || ![setup_kerberos_db 0]} {
+ return
+}
+
+# A procedure to start up the ftp daemon.
+
+proc start_ftp_daemon { } {
+ global FTPD
+ global tmppwd
+ global ftpd_spawn_id
+ global ftpd_pid
+
+ # The -p argument tells it to accept a single connection, so we
+ # don't need to use inetd. The 3021 is the port to listen at.
+ # We rely on KRB5_KTNAME being set to the proper keyfile as there is
+ # no way to cleanly set it with the gssapi API.
+ # The -a argument requires authorization, to mitigate any
+ # vulnerability introduced by circumventing ftpusers.
+ spawn $FTPD -p 3021 -a -r $tmppwd/krb.conf
+ set ftpd_spawn_id $spawn_id
+ set ftpd_pid [exp_pid]
+
+ # Give the ftp daemon a few seconds to get set up.
+ catch "exec sleep 2"
+}
+
+# A procedure to stop the ftp daemon.
+
+proc stop_ftp_daemon { } {
+ global ftpd_spawn_id
+ global ftpd_pid
+
+ if [info exists ftpd_pid] {
+ catch "close -i $ftpd_spawn_id"
+ catch "exec kill $ftpd_pid"
+ catch "wait -i $ftpd_spawn_id"
+ unset ftpd_pid
+ }
+}
+
+# Create a file to use for ftp testing.
+set file [open $tmppwd/ftp-test w]
+puts $file "This file is used for ftp testing."
+close $file
+
+# Create a large file to use for ftp testing. File needs to be
+# larger that 2^20 or 1MB for PBSZ testing.
+set file [open $tmppwd/bigftp-test w]
+puts $file "This file is used for ftp testing.\n"
+seek $file 1048576 current
+puts $file "This file is used for ftp testing."
+close $file
+
+# Test that a file was copied correctly.
+proc check_file { filename {bigfile 0}} {
+ if ![file exists $filename] {
+ verbose "$filename does not exist"
+ send_log "$filename does not exist\n"
+ return 0
+ }
+
+ set file [open $filename r]
+ if { [gets $file line] == -1 } {
+ verbose "$filename is empty"
+ send_log "$filename is empty\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+
+ if {$bigfile} {
+ # + 1 for the newline
+ seek $file 1048577 current
+ if { [gets $file line] == -1 } {
+ verbose "$filename is truncated"
+ send_log "$filename is truncated\n"
+ close $file
+ return 0
+ }
+
+ if ![string match "This file is used for ftp testing." $line] {
+ verbose "$filename contains $line"
+ send_log "$filename contains $line\n"
+ close $file
+ return 0
+ }
+ }
+
+ if { [gets $file line] != -1} {
+ verbose "$filename is too long ($line)"
+ send_log "$filename is too long ($line)\n"
+ close $file
+ return 0
+ }
+
+ close $file
+
+ return 1
+}
+
+#
+# Restore environment variables possibly set.
+#
+proc ftp_restore_env { } {
+ global env
+ global ftp_save_ktname
+ global ftp_save_ccname
+
+ catch "unset env(KRB5_KTNAME)"
+ if [info exists ftp_save_ktname] {
+ set env(KRB5_KTNAME) $ftp_save_ktname
+ unset ftp_save_ktname
+ }
+
+ catch "unset env(KRB5CCNAME)"
+ if [info exists ftp_save_ccname] {
+ set env(KRB5CCNAME) $ftp_save_ccname
+ unset ftp_save_ccname
+ }
+}
+
+# Wrap the tests in a procedure, so that we can kill the daemons if
+# we get some sort of error.
+
+proc v4ftp_test { } {
+ global FTP
+ global KEY
+ global REALMNAME
+ global hostname
+ global localhostname
+ global env
+ global ftpd_spawn_id
+ global ftpd_pid
+ global spawn_id
+ global tmppwd
+ global ftp_save_ktname
+ global ftp_save_ccname
+ global des3_krbtgt
+
+ if {$des3_krbtgt} {
+ return
+ }
+ # Start up the kerberos and kadmind daemons and get a srvtab and a
+ # ticket file.
+ if {![start_kerberos_daemons 0] \
+ || ![add_random_key ftp/$hostname 0] \
+ || ![setup_srvtab 0 ftp] \
+ || ![add_kerberos_key $env(USER) 0] \
+ || ![v4kinit $env(USER) $env(USER)$KEY 0]} {
+ return
+ }
+
+ #
+ # Save settings of KRB5_KTNAME
+ #
+ if [info exists env(KRB5_KTNAME)] {
+ set ftp_save_ktname $env(KRB5_KTNAME)
+ }
+
+ #
+ # set KRB5_KTNAME
+ #
+ set env(KRB5_KTNAME) FILE:$tmppwd/srvtab
+ verbose "KRB5_KTNAME=$env(KRB5_KTNAME)"
+
+ #
+ # Save settings of KRB5CCNAME
+ # These tests fail if the krb5 cache happens to have a valid credential
+ # which can result from running the gssftp.exp test immediately
+ # preceeding these tests.
+ #
+ if [info exists env(KRB5CCNAME)] {
+ set ftp_save_ccname $env(KRB5CCNAME)
+ }
+
+ #
+ # set KRB5_KTNAME
+ #
+ set env(KRB5CCNAME) FILE:$tmppwd/non-existant-cache
+ verbose "KRB5CCNAME=$env(KRB5CCNAME)"
+
+ # Start the ftp daemon.
+ start_ftp_daemon
+
+ # Make an ftp client connection to it.
+ spawn $FTP $hostname 3021
+
+ expect_after {
+ timeout {
+ fail "$testname (timeout)"
+ catch "expect_after"
+ return
+ }
+ eof {
+ fail "$testname (eof)"
+ catch "expect_after"
+ return
+ }
+ }
+
+ set testname "ftp connection(v4)"
+ expect -nocase "connected to $hostname"
+ expect -nocase -re "$localhostname.*ftp server .version \[0-9.\]*. ready."
+ expect -re "Using authentication type GSSAPI; ADAT must follow"
+ expect "GSSAPI accepted as authentication type"
+ expect "GSSAPI error major: Miscellaneous failure"
+ expect {
+ "GSSAPI error minor: Unsupported credentials cache format version number" {}
+ "GSSAPI error minor: No credentials cache found" {}
+ "GSSAPI error minor: Decrypt integrity check failed" {}
+ }
+ expect "GSSAPI error: initializing context"
+ expect "GSSAPI authentication failed"
+ expect -re "Using authentication type KERBEROS_V4; ADAT must follow"
+ expect {
+ "Kerberos V4 authentication succeeded" { pass "ftp authentication" }
+ eof { fail "ftp authentication" ; catch "expect_after" ; return }
+ -re "Kerberos V4 .* failed.*\r" {
+ fail "ftp authentication";
+ send "quit\r"; catch "expect_after";
+ return
+ }
+ }
+ expect -nocase "name ($hostname:$env(USER)): "
+ send "$env(USER)\r"
+ expect "Kerberos user $env(USER)@$REALMNAME is authorized as $env(USER)"
+ expect "Remote system type is UNIX."
+ expect "Using binary mode to transfer files."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "binary(v4)"
+ send "binary\r"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "status(v4)"
+ send "status\r"
+ expect -nocase "connected to $hostname."
+ expect "Authentication type: KERBEROS_V4"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "ls(v4)"
+ send "ls $tmppwd/ftp-test\r"
+ expect -re "Opening ASCII mode data connection for .*ls."
+ expect -re ".* $tmppwd/ftp-test"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "nlist(v4)"
+ send "nlist $tmppwd/ftp-test\r"
+ expect -re "Opening ASCII mode data connection for file list."
+ expect -re "$tmppwd/ftp-test"
+ expect -re ".* Transfer complete."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "ls missing(v4)"
+ send "ls $tmppwd/ftp-testmiss\r"
+ expect -re "Opening ASCII mode data connection for .*ls."
+ expect {
+ -re "$tmppwd/ftp-testmiss not found" {}
+ -re "$tmppwd/ftp-testmiss: No such file or directory"
+ }
+ expect "ftp> " {
+ pass $testname
+ }
+
+
+ set testname "get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get $tmppwd/ftp-test $tmppwd/copy\r"
+ expect "Opening BINARY mode data connection for $tmppwd/ftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "put(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "put $tmppwd/ftp-test $tmppwd/copy\r"
+ expect "Opening BINARY mode data connection for $tmppwd/copy"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes sent in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "cd(v4)"
+ send "cd $tmppwd\r"
+ expect "CWD command successful."
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "lcd(v4)"
+ send "lcd $tmppwd\r"
+ expect "Local directory now $tmppwd"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "local get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get ftp-test copy\r"
+ expect "Opening BINARY mode data connection for ftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "big local get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds"
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "start encryption(v4)"
+ send "private\r"
+ expect "Data channel protection level set to private"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "status(v4)"
+ send "status\r"
+ expect "Protection Level: private"
+ expect "ftp> " {
+ pass $testname
+ }
+
+ set testname "encrypted get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get ftp-test copy\r"
+ expect "Opening BINARY mode data connection for ftp-test"
+ expect "Transfer complete"
+ expect {
+ -re "\[0-9\]+ bytes received in \[0-9.e-\]+ seconds" {}
+ -re "krb_rd_priv failed for KERBEROS_V4" {
+ fail $testname
+ send "quit\r"
+ catch "expect_after"
+ return
+ }
+ }
+ expect "ftp> "
+ if [check_file $tmppwd/copy] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+
+ # Test a large file that will overflow PBSZ size
+ set testname "big encrypted get(v4)"
+ catch "exec rm -f $tmppwd/copy"
+ send "get bigftp-test copy\r"
+ expect "Opening BINARY mode data connection for bigftp-test"
+ expect "Transfer complete"
+ expect {
+ -re "\[0-9\]+ bytes received in \[0-9.e+-\]+ seconds" {}
+ -re "krb_rd_priv failed for KERBEROS_V4" {
+ fail $testname
+ send "quit\r"
+ catch "expect_after"
+ return
+ }
+ }
+ expect "ftp> "
+ if [check_file $tmppwd/copy 1] {
+ pass $testname
+ } else {
+ fail $testname
+ }
+
+ set testname "close(v4)"
+ send "close\r"
+ expect "Goodbye."
+ expect "ftp> "
+ set status_list [wait -i $ftpd_spawn_id]
+ verbose "wait -i $ftpd_spawn_id returned $status_list ($testname)"
+ catch "close -i $ftpd_spawn_id"
+ if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
+ send_log "exit status: $status_list\n"
+ verbose "exit status: $status_list"
+ fail $testname
+ } else {
+ pass $testname
+ unset ftpd_pid
+ }
+
+ set testname "quit(v4)"
+ send "quit\r"
+ expect_after
+ expect eof
+ if [check_exit_status $testname] {
+ pass $testname
+ }
+
+}
+
+# The ftp client will look in $HOME/.netrc for the user name to use.
+# To avoid confusing the testsuite, point $HOME at a directory where
+# we know there is no .netrc file.
+if [info exists env(HOME)] {
+ set home $env(HOME)
+} elseif [info exists home] {
+ unset home
+}
+set env(HOME) $tmppwd
+
+# Run the test. Logging in sometimes takes a while, so increase the
+# timeout.
+set oldtimeout $timeout
+set timeout 60
+set status [catch v4ftp_test msg]
+set timeout $oldtimeout
+
+# Shut down the kerberos daemons and the ftp daemon.
+stop_kerberos_daemons
+
+stop_ftp_daemon
+
+ftp_restore_env
+
+# Reset $HOME, for safety in case we are going to run more tests.
+if [info exists home] {
+ set env(HOME) $home
+} else {
+ unset env(HOME)
+}
+
+if { $status != 0 } {
+ perror "error in gssftp.exp: $msg"
+}
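Review bot: In the "close(v4)" step, `unset ftpd_pid` runs only on the pass branch, although `wait -i $ftpd_spawn_id` has already reaped ftpd in both branches. On the fail branch `stop_ftp_daemon` will later run `exec kill $ftpd_pid` against a pid that no longer belongs to ftpd and may have been reused. Moving `unset ftpd_pid` to directly after the `wait -i` line avoids that. Separately, the final `perror` still says `error in gssftp.exp` and should read `perror "error in v4gssftp.exp: $msg"`. The second `# set KRB5_KTNAME` comment in `v4ftp_test` sits above the line that sets `KRB5CCNAME`.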
diff --git a/src/tests/dejagnu/krb-standalone/v4krb524d.exp b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
new file mode 100644
index 0000000..2e17020
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4krb524d.exp
@@ -0,0 +1,167 @@
+# Standalone Kerberos test.
+# This is a DejaGnu test script.
+# This script tests that the Kerberos tools can talk to each other.
+
+# This mostly just calls procedures in testsuite/config/default.exp.
+
+if ![info exists K524INIT] {
+ set K524INIT [findfile $objdir/../../krb524/k524init]
+}
+
+if ![info exists KRB524D] {
+ set KRB524D [findfile $objdir/../../krb524/krb524d]
+}
+
+if ![info exists KLIST] {
+ set KLIST [findfile $objdir/../../clients/klist/klist]
+}
+
+if ![info exists KDESTROY] {
+ set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
+}
+
+# Set up the Kerberos files and environment.
+if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+ return
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Initialize the Kerberos database. The argument tells
+# setup_kerberos_db that it is being called from here.
+if ![setup_kerberos_db 1] {
+ return
+}
+
+# A procedure to stop the krb524 daemon.
+proc start_k524_daemon { } {
+ global KRB524D
+ global k524d_spawn_id
+ global k524d_pid
+ global REALMNAME
+
+ spawn $KRB524D -m -r $REALMNAME -nofork
+ set k524d_spawn_id $spawn_id
+ set k524d_pid [exp_pid]
+
+ # Give the krb524d daemon a few seconds to get set up.
+ catch "exec sleep 2"
+}
+
+# A procedure to stop the krb524 daemon.
+proc stop_k524_daemon { } {
+ global k524d_spawn_id
+ global k524d_pid
+
+ if [info exists k524d_pid] {
+ catch "close -i $k524d_spawn_id"
+ catch "exec kill $k524d_pid"
+ catch "wait -i $k524d_spawn_id"
+ unset k524d_pid
+ }
+}
+
+# We are about to start up a couple of daemon processes. We do all
+# the rest of the tests inside a proc, so that we can easily kill the
+# processes when the procedure ends.
+
+proc doit { } {
+ global env
+ global KEY
+ global K524INIT
+ # To pass spawn_id to the wait process
+ global spawn_id
+ global KLIST
+ global KDESTROY
+ global tmppwd
+ global REALMNAME
+ global des3_krbtgt
+
+ if {$des3_krbtgt} {
+ return
+ }
+ # Start up the kerberos and kadmind daemons.
+ if ![start_kerberos_daemons 1] {
+ return
+ }
+
+ # Add a user key and get a V5 ticket
+ if {![add_kerberos_key $env(USER) 0] \
+ || ![kinit $env(USER) $env(USER)$KEY 0]} {
+ return
+ }
+
+ # Start the krb524d daemon.
+ start_k524_daemon
+
+ # The k524init program does not advertise anything on success -
+ #only failure.
+ spawn $K524INIT
+ expect {
+ -timeout 10
+ -re "k524init: .*\r" {
+ fail "k524init"
+ return
+ }
+ eof {}
+ timeout {}
+ }
+
+
+ if ![check_exit_status "k524init"] {
+ return
+ }
+ pass "k524init"
+
+ # Make sure that klist can see the ticket.
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$env(USER)@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail "v4klist"
+ return
+ }
+ eof {
+ fail "v4klist"
+ return
+ }
+ }
+
+ expect {
+ "\r" { }
+ eof { }
+ }
+
+ if ![check_exit_status "klist"] {
+ return
+ }
+ pass "krb524d: v4klist"
+
+ # Destroy the ticket.
+ spawn $KDESTROY -4
+ if ![check_exit_status "kdestroy"] {
+ return
+ }
+ pass "krb524d: v4kdestroy"
+
+ pass "krb524d: krb524d"
+}
+
+set status [catch doit msg]
+
+stop_kerberos_daemons
+
+stop_k524_daemon
+
+if { $status != 0 } {
+ send_error "ERROR: error in v4krb524d.exp\n"
+ send_error "$msg\n"
+ exit 1
+}
+
+
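Review bot: The comment above `start_k524_daemon` reads `# A procedure to stop the krb524 daemon.`, duplicated from `stop_k524_daemon`; it should be `# A procedure to start the krb524 daemon.`. In `doit`, the k524init `expect` block has an empty `timeout {}` arm, so a k524init that prints nothing for 10 seconds is handled the same way as a clean eof. Whether `check_exit_status` then blocks or fails is not visible in this file, so putting `fail "k524init (timeout)"` and `return` in that arm would make the outcome explicit.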
diff --git a/src/tests/dejagnu/krb-standalone/v4standalone.exp b/src/tests/dejagnu/krb-standalone/v4standalone.exp
new file mode 100644
index 0000000..cc42e8d
--- /dev/null
+++ b/src/tests/dejagnu/krb-standalone/v4standalone.exp
@@ -0,0 +1,95 @@
+# Standalone Kerberos test.
+# This is a DejaGnu test script.
+# This script tests that the Kerberos tools can talk to each other.
+
+# This mostly just calls procedures in testsuite/config/default.exp.
+
+# Set up the Kerberos files and environment.
+if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
+ return
+}
+
+# If we do not have what is for a V4 test - return
+if ![v4_compatible_enctype] {
+ return
+}
+
+# Initialize the Kerberos database. The argument tells
+# setup_kerberos_db that it is being called from here.
+if ![setup_kerberos_db 1] {
+ return
+}
+
+# We are about to start up a couple of daemon processes. We do all
+# the rest of the tests inside a proc, so that we can easily kill the
+# processes when the procedure ends.
+
+proc check_and_destroy_v4_tix { client server } {
+ global REALMNAME
+ global des3_krbtgt
+
+ # Skip this if we're using a des3 TGT, since that's supposed to fail.
+ if {$des3_krbtgt} {
+ return
+ }
+ # Make sure that klist can see the ticket.
+ if ![v4klist "$client" "$server" "v4klist"] {
+ return
+ }
+
+ # Destroy the ticket.
+ if ![v4kdestroy "v4kdestroy"] {
+ return
+ }
+
+ if ![v4klist_none "v4klist no tix 1"] {
+ return
+ }
+}
+
+proc doit { } {
+ global REALMNAME
+ global KLIST
+ global KDESTROY
+ global KEY
+ global hostname
+ global spawn_id
+ global tmppwd
+
+ # Start up the kerberos and kadmind daemons.
+ if ![start_kerberos_daemons 1] {
+ return
+ }
+
+ # Use kadmin to add an host key.
+ if ![add_random_key host/$hostname 1] {
+ return
+ }
+
+ # Use ksrvutil to create a srvtab entry.
+ if ![setup_srvtab 1] {
+ return
+ }
+
+ # Use kinit to get a ticket.
+ if [v4kinit krbtest.admin adminpass$KEY 1] {
+ check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
+ }
+
+ # Use kinit with srvtab to get a ticket.
+ # XXX - Currently kinit doesn't support "-4 -k"!
+# set shorthost [string range $hostname 0 [expr [string first . $hostname] - 1]]
+# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] {
+# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
+# }
+}
+
+set status [catch doit msg]
+
+stop_kerberos_daemons
+
+if { $status != 0 } {
+ send_error "ERROR: error in v4standalone.exp\n"
+ send_error "$msg\n"
+ exit 1
+}
diff --git a/src/tests/hammer/ChangeLog b/src/tests/hammer/ChangeLog
index 1504de4..fcdd391 100644
--- a/src/tests/hammer/ChangeLog
+++ b/src/tests/hammer/ChangeLog
@@ -1,3 +1,12 @@
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc5_hammer.c (main): Make sure buffer 'prefix' is null-terminated.
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdc5_hammer.c (main): Don't overflow buffers "ctmp" or "stmp".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/hammer/kdc5_hammer.c b/src/tests/hammer/kdc5_hammer.c
index 780f92d..6429a38 100644
--- a/src/tests/hammer/kdc5_hammer.c
+++ b/src/tests/hammer/kdc5_hammer.c
@@ -169,7 +169,8 @@ main(argc, argv)
depth = atoi(optarg); /* how deep to go */
break;
case 'p': /* prefix name to check */
- strcpy(prefix, optarg);
+ strncpy(prefix, optarg, sizeof(prefix) - 1);
+ prefix[sizeof(prefix) - 1] = '\0';
break;
case 'n': /* how many to check */
num_to_check = atoi(optarg);
@@ -240,10 +241,11 @@ main(argc, argv)
again given a prefix and count to test the db lib and kdb */
ctmp[0] = '\0';
for (i = 1; i <= depth; i++) {
- ctmp2[0] = '\0';
(void) sprintf(ctmp2, "%s%s%d-DEPTH-%d", (i != 1) ? "/" : "",
prefix, n, i);
- strcat(ctmp, ctmp2);
+ ctmp2[sizeof(ctmp2) - 1] = '\0';
+ strncat(ctmp, ctmp2, sizeof(ctmp) - 1 - strlen(ctmp));
+ ctmp[sizeof(ctmp) - 1] = '\0';
sprintf(client, "%s@%s", ctmp, cur_realm);
if (get_tgt (test_context, client, &client_princ, ccache)) {
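Review bot: The `sprintf(ctmp2, ...)` call is still unbounded, so storing `ctmp2[sizeof(ctmp2) - 1] = '\0'` afterwards does not prevent an overflow. If `prefix` plus the numeric suffix can exceed `ctmp2`, the write past the buffer has already happened by the time the terminator is set. Bounding the format itself closes this, e.g. `snprintf(ctmp2, sizeof(ctmp2), "%s%s%d-DEPTH-%d", (i != 1) ? "/" : "", prefix, n, i);` where snprintf is available on the supported platforms. The following `sprintf(client, "%s@%s", ctmp, cur_realm)` has the same shape, and the pattern recurs for `stmp2`/`server` in the next hunk and for `tmp2` in the kdb5_verify.c hunk. `main` begins and ends outside these hunks, so the buffer declarations and their sizes are not visible here.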
@@ -255,10 +257,11 @@ main(argc, argv)
stmp[0] = '\0';
for (j = 1; j <= depth; j++) {
- stmp2[0] = '\0';
(void) sprintf(stmp2, "%s%s%d-DEPTH-%d", (j != 1) ? "/" : "",
prefix, n, j);
- strcat(stmp, stmp2);
+ stmp2[sizeof (stmp2) - 1] = '\0';
+ strncat(stmp, stmp2, sizeof(stmp) - 1 - strlen(stmp));
+ stmp[sizeof(stmp) - 1] = '\0';
sprintf(server, "%s@%s", stmp, cur_realm);
if (verify_cs_pair(test_context, client, client_princ,
stmp, cur_realm, n, i, j, ccache))
diff --git a/src/tests/verify/ChangeLog b/src/tests/verify/ChangeLog
index 7d0a88f..f73710b 100644
--- a/src/tests/verify/ChangeLog
+++ b/src/tests/verify/ChangeLog
@@ -1,3 +1,12 @@
+2000-05-11 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdb5_verify.c (main): Make sure buffer "principal_string" is
+ properly terminated.
+
+2000-05-08 Nalin Dahyabhai <nalin@redhat.com>
+
+ * kdb5_verify.c (main): Don't overflow buffer "tmp".
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/tests/verify/kdb5_verify.c b/src/tests/verify/kdb5_verify.c
index bfb0661..e4277b1 100644
--- a/src/tests/verify/kdb5_verify.c
+++ b/src/tests/verify/kdb5_verify.c
@@ -131,7 +131,8 @@ char *argv[];
mkey_password = optarg;
break;
case 'p': /* prefix name to check */
- strcpy(principal_string, optarg);
+ strncpy(principal_string, optarg, sizeof(principal_string) - 1);
+ principal_string[sizeof(principal_string) - 1] = '\0';
suffix = principal_string + strlen(principal_string);
break;
case 'n': /* how many to check */
@@ -199,9 +200,9 @@ char *argv[];
if (check_princ(context, str_princ)) errors++;
for (i = 2; i <= depth; i++) {
- tmp2[0] = '\0';
(void) sprintf(tmp2, "/%s-DEPTH-%d", principal_string, i);
- strcat(tmp, tmp2);
+ tmp2[sizeof(tmp2) - 1] = '\0';
+ strncat(tmp, tmp2, sizeof(tmp) - 1 - strlen(tmp));
str_princ = tmp;
if (check_princ(context, str_princ)) errors++;
}
diff --git a/src/util/ChangeLog b/src/util/ChangeLog
index 3862b25..39731b1 100644
--- a/src/util/ChangeLog
+++ b/src/util/ChangeLog
@@ -1,3 +1,22 @@
+2001-02-21 Tom Yu <tlyu@mit.edu>
+
+ * mkrel: When generating multiple tarballs, also generate a
+ consolidated tarball.
+
+2001-02-06 Tom Yu <tlyu@mit.edu>
+
+ * mkrel: Default to making a single tarball.
+
+2001-01-28 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (all-prerecurse): Move aix.bincmds rule to
+ all-prerecurse so it gets built before the subdirectories of
+ src/util.
+
+ * makeshlib.sh: Use the linker flag -berok so that unresolved
+ symbols don't turn into link-time errors for building shared libs
+ on AIX.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/util/Makefile.in b/src/util/Makefile.in
index 3b4fd5d..f5d91d4 100644
--- a/src/util/Makefile.in
+++ b/src/util/Makefile.in
@@ -77,7 +77,7 @@ makeshlib: $(srcdir)/makeshlib.sh Makefile
#
# We only need this for AIX, but we generate it for all systems.
#
-all-unix:: aix.bincmds
+all-prerecurse:: aix.bincmds
aix.bincmds: Makefile
echo libpath $(KRB5_LIBDIR):`pwd`/$(TOPLIBD):/usr/lib:/lib >aix.bincmds
diff --git a/src/util/autoconf/autoconf.info b/src/util/autoconf/autoconf.info
index bd1806e..66effd8 100644
--- a/src/util/autoconf/autoconf.info
+++ b/src/util/autoconf/autoconf.info
@@ -1,5 +1,5 @@
-This is Info file autoconf.info, produced by Makeinfo version 1.67 from
-the input file /home/bje/autoconf-2.13/autoconf.texi.
+This is Info file autoconf.info, produced by Makeinfo version 1.68 from
+the input file ./autoconf.texi.
START-INFO-DIR-ENTRY
* Autoconf: (autoconf). Create source code configuration scripts.
@@ -759,7 +759,7 @@ macro is `AC_INIT' (*note Input::.).
`make' variable `MAKE'. Most versions of `make' set `MAKE' to the name
of the `make' program plus any options it was given. (But many do not
include in it the values of any variables set on the command line, so
-those are not passed on automatically.) Some old versions of `make' do
+those are not passed on automatically.) Some old versions of `make' do
not set this variable. The following macro allows you to use it even
with those versions.
@@ -4824,9 +4824,9 @@ Changed Macro Writing
When defining your own macros, you should now use `AC_DEFUN' instead
of `define'. `AC_DEFUN' automatically calls `AC_PROVIDE' and ensures
that macros called via `AC_REQUIRE' do not interrupt other macros, to
-prevent nested `checking...' messages on the screen. There's no actual
-harm in continuing to use the older way, but it's less convenient and
-attractive. *Note Macro Definitions::.
+prevent nested `checking...' messages on the screen. There's no
+actual harm in continuing to use the older way, but it's less
+convenient and attractive. *Note Macro Definitions::.
You probably looked at the macros that came with Autoconf as a guide
for how to do things. It would be a good idea to take a look at the new
@@ -5047,7 +5047,7 @@ added some auxiliary utilities that I had developed to help convert
source code packages to use Autoconf. With the help of Franc,ois
Pinard, I made the macros not interrupt each others' messages. (That
feature revealed some performance bottlenecks in GNU `m4', which he
-hastily corrected!) I reorganized the documentation around problems
+hastily corrected!) I reorganized the documentation around problems
people want to solve. And I began a testsuite, because experience had
shown that Autoconf has a pronounced tendency to regress when we change
it.
@@ -5298,8 +5298,8 @@ how this is done.
* build_cpu: System Type Variables.
* build_os: System Type Variables.
* build_vendor: System Type Variables.
-* CC <1>: UNIX Variants.
-* CC: Particular Programs.
+* CC <1>: Particular Programs.
+* CC: UNIX Variants.
* CFLAGS <1>: Particular Programs.
* CFLAGS: Preset Output Variables.
* configure_input: Preset Output Variables.
@@ -5307,8 +5307,8 @@ how this is done.
* CPPFLAGS: Preset Output Variables.
* CXX: Particular Programs.
* CXXCPP: Particular Programs.
-* CXXFLAGS <1>: Particular Programs.
-* CXXFLAGS: Preset Output Variables.
+* CXXFLAGS <1>: Preset Output Variables.
+* CXXFLAGS: Particular Programs.
* datadir: Preset Output Variables.
* DEFS: Preset Output Variables.
* exec_prefix: Preset Output Variables.
@@ -5335,11 +5335,11 @@ how this is done.
* LEXLIB: Particular Programs.
* libdir: Preset Output Variables.
* libexecdir: Preset Output Variables.
-* LIBOBJS <1>: Structures.
+* LIBOBJS <1>: Particular Functions.
* LIBOBJS <2>: Generic Functions.
-* LIBOBJS: Particular Functions.
-* LIBS <1>: UNIX Variants.
-* LIBS: Preset Output Variables.
+* LIBOBJS: Structures.
+* LIBS <1>: Preset Output Variables.
+* LIBS: UNIX Variants.
* LN_S: Particular Programs.
* localstatedir: Preset Output Variables.
* mandir: Preset Output Variables.
@@ -5636,8 +5636,8 @@ list easier to use, the macros are listed without their preceding `AC_'.
* ST_BLKSIZE: Old Macro Names.
* ST_BLOCKS: Old Macro Names.
* ST_RDEV: Old Macro Names.
-* STAT_MACROS_BROKEN <1>: Old Macro Names.
-* STAT_MACROS_BROKEN: Structures.
+* STAT_MACROS_BROKEN <1>: Structures.
+* STAT_MACROS_BROKEN: Old Macro Names.
* STDC_HEADERS: Old Macro Names.
* STRCOLL: Old Macro Names.
* STRUCT_ST_BLKSIZE: Structures.
@@ -5685,119 +5685,119 @@ list easier to use, the macros are listed without their preceding `AC_'.

Tag Table:
-Node: Top1209
-Node: Introduction9711
-Node: Making configure Scripts13551
-Node: Writing configure.in16632
-Node: Invoking autoscan20365
-Node: Invoking ifnames22670
-Node: Invoking autoconf24160
-Node: Invoking autoreconf25998
-Node: Setup28834
-Node: Input29739
-Node: Output31476
-Node: Makefile Substitutions35113
-Node: Preset Output Variables36716
-Node: Build Directories41585
-Node: Automatic Remaking43218
-Node: Configuration Headers45304
-Node: Header Templates47818
-Node: Invoking autoheader49027
-Node: Subdirectories52175
-Node: Default Prefix53570
-Node: Versions54974
-Node: Existing Tests56878
-Node: Alternative Programs58426
-Node: Particular Programs59113
-Node: Generic Programs67165
-Node: Libraries70471
-Node: Library Functions73545
-Node: Particular Functions74103
-Node: Generic Functions81297
-Node: Header Files83401
-Node: Particular Headers83960
-Node: Generic Headers90952
-Node: Structures92254
-Node: Typedefs94491
-Node: Particular Typedefs94997
-Node: Generic Typedefs96214
-Node: C Compiler Characteristics96671
-Node: Fortran 77 Compiler Characteristics99542
-Node: System Services101245
-Node: UNIX Variants104381
-Node: Writing Tests106400
-Node: Examining Declarations108393
-Node: Examining Syntax110885
-Node: Examining Libraries112330
-Node: Run Time116040
-Node: Test Programs117028
-Node: Guidelines119356
-Node: Test Functions120545
-Node: Portable Shell122088
-Node: Testing Values and Files124020
-Node: Multiple Cases125675
-Node: Language Choice126873
-Node: Results128975
-Node: Defining Symbols129737
-Node: Setting Output Variables133033
-Node: Caching Results134879
-Node: Cache Variable Names137625
-Node: Cache Files139109
-Node: Printing Messages141946
-Node: Writing Macros145394
-Node: Macro Definitions146041
-Node: Macro Names147169
-Node: Quoting149620
-Node: Dependencies Between Macros151522
-Node: Prerequisite Macros152169
-Node: Suggested Ordering153660
-Node: Obsolete Macros155190
-Node: Manual Configuration156414
-Node: Specifying Names157313
-Node: Canonicalizing159214
-Node: System Type Variables160726
-Node: Using System Type161473
-Node: Site Configuration162967
-Node: External Software163740
-Node: Package Options166943
-Node: Site Details169690
-Node: Transforming Names170913
-Node: Transformation Options172091
-Node: Transformation Examples172584
-Node: Transformation Rules174152
-Node: Site Defaults175561
-Node: Invoking configure179467
-Node: Basic Installation180416
-Node: Compilers and Options182996
-Node: Multiple Architectures183645
-Node: Installation Names184631
-Node: Optional Features185815
-Node: System Type186585
-Node: Sharing Defaults187607
-Node: Operation Controls188231
-Node: Invoking config.status189217
-Node: Questions192605
-Node: Distributing193137
-Node: Why GNU m4194281
-Node: Bootstrapping195094
-Node: Why Not Imake195710
-Node: Upgrading200119
-Node: Changed File Names201640
-Node: Changed Makefiles202394
-Node: Changed Macros203490
-Node: Invoking autoupdate204737
-Node: Changed Results206328
-Node: Changed Macro Writing208430
-Node: History209693
-Node: Genesis210485
-Node: Exodus211674
-Node: Leviticus214723
-Node: Numbers216246
-Node: Deuteronomy218162
-Node: Old Macro Names220826
-Node: Environment Variable Index223875
-Node: Output Variable Index224889
-Node: Preprocessor Symbol Index230087
-Node: Macro Index235373
+Node: Top1187
+Node: Introduction9689
+Node: Making configure Scripts13529
+Node: Writing configure.in16610
+Node: Invoking autoscan20343
+Node: Invoking ifnames22648
+Node: Invoking autoconf24138
+Node: Invoking autoreconf25976
+Node: Setup28812
+Node: Input29717
+Node: Output31454
+Node: Makefile Substitutions35092
+Node: Preset Output Variables36695
+Node: Build Directories41564
+Node: Automatic Remaking43197
+Node: Configuration Headers45283
+Node: Header Templates47797
+Node: Invoking autoheader49006
+Node: Subdirectories52154
+Node: Default Prefix53549
+Node: Versions54953
+Node: Existing Tests56857
+Node: Alternative Programs58405
+Node: Particular Programs59092
+Node: Generic Programs67144
+Node: Libraries70450
+Node: Library Functions73524
+Node: Particular Functions74082
+Node: Generic Functions81276
+Node: Header Files83380
+Node: Particular Headers83939
+Node: Generic Headers90931
+Node: Structures92233
+Node: Typedefs94470
+Node: Particular Typedefs94976
+Node: Generic Typedefs96193
+Node: C Compiler Characteristics96650
+Node: Fortran 77 Compiler Characteristics99521
+Node: System Services101224
+Node: UNIX Variants104360
+Node: Writing Tests106379
+Node: Examining Declarations108372
+Node: Examining Syntax110864
+Node: Examining Libraries112309
+Node: Run Time116019
+Node: Test Programs117007
+Node: Guidelines119335
+Node: Test Functions120524
+Node: Portable Shell122067
+Node: Testing Values and Files123999
+Node: Multiple Cases125654
+Node: Language Choice126852
+Node: Results128954
+Node: Defining Symbols129716
+Node: Setting Output Variables133012
+Node: Caching Results134858
+Node: Cache Variable Names137604
+Node: Cache Files139088
+Node: Printing Messages141925
+Node: Writing Macros145373
+Node: Macro Definitions146020
+Node: Macro Names147148
+Node: Quoting149599
+Node: Dependencies Between Macros151501
+Node: Prerequisite Macros152148
+Node: Suggested Ordering153639
+Node: Obsolete Macros155169
+Node: Manual Configuration156393
+Node: Specifying Names157292
+Node: Canonicalizing159193
+Node: System Type Variables160705
+Node: Using System Type161452
+Node: Site Configuration162946
+Node: External Software163719
+Node: Package Options166922
+Node: Site Details169669
+Node: Transforming Names170892
+Node: Transformation Options172070
+Node: Transformation Examples172563
+Node: Transformation Rules174131
+Node: Site Defaults175540
+Node: Invoking configure179446
+Node: Basic Installation180395
+Node: Compilers and Options182975
+Node: Multiple Architectures183624
+Node: Installation Names184610
+Node: Optional Features185794
+Node: System Type186564
+Node: Sharing Defaults187586
+Node: Operation Controls188210
+Node: Invoking config.status189196
+Node: Questions192584
+Node: Distributing193116
+Node: Why GNU m4194260
+Node: Bootstrapping195073
+Node: Why Not Imake195689
+Node: Upgrading200098
+Node: Changed File Names201619
+Node: Changed Makefiles202373
+Node: Changed Macros203469
+Node: Invoking autoupdate204716
+Node: Changed Results206307
+Node: Changed Macro Writing208409
+Node: History209673
+Node: Genesis210465
+Node: Exodus211654
+Node: Leviticus214703
+Node: Numbers216226
+Node: Deuteronomy218142
+Node: Old Macro Names220807
+Node: Environment Variable Index223856
+Node: Output Variable Index224870
+Node: Preprocessor Symbol Index230068
+Node: Macro Index235354

End Tag Table
diff --git a/src/util/db2/ChangeLog b/src/util/db2/ChangeLog
index 7972728..9c9768c 100644
--- a/src/util/db2/ChangeLog
+++ b/src/util/db2/ChangeLog
@@ -1,3 +1,50 @@
+2002-08-28 Tom Yu <tlyu@mit.edu>
+
+ * btree/bt_split.c (bt_psplit): Correctly account for
+ sizeof(indx_t) when computing space used in a page by an item.
+ [patch from www.sleepycat.com]
+ [pullup from trunk]
+
+2002-08-26 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to addition of bt_rseq().
+
+ * hash/hash_debug.c: Remove inclusion of compat.h, as we don't
+ have it in our build system.
+
+ * btree/extern.h: Add missing prototypes/renames for
+ __bt_dmpage(). Add renames for bt_rseq() support functions.
+
+ * btree/bt_seq.c (bt_rseq): New function; like __bt_seq() but does
+ recursive descent rather than using the prev/next pointers. This
+ will catch some pages that might be missed if the database is
+ inconsistent. Added support functions for bt_rseq() as well.
+
+ * btree/bt_page.c (__bt_free): Set B_METADIRTY when updating free
+ list.
+ (__bt_new): Set B_METADIRTY when updating free list.
+ [patch from www.sleepycat.com]
+
+ * btree/bt_debug.c (__bt_dump): Bound loop by number of pages
+ actually in file to avoid getting a nigh-infinite number of
+ all-zeroes pages.
+ (__bt_dmpage): Print a newline after dumping the meta page.
+ (__bt_dpage): Add DB* parameter; use this to get pagesize in order
+ to limit dumping of page contents, in case NEXTINDEX(h) happens to
+ be bogus.
+ (__bt_stat): Bound loop by number of pages actually in file so as
+ to stop counting pages after the actual end of file.
+
+ * btree/bt_close.c (__bt_sync): Apply a Kerbnet fix from long ago;
+ don't return prematurely when B_METADIRTY is set but B_MODIFIED is
+ clear.
+
+ [pullups from trunk]
+
+2000-05-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * hash/dbm.c (kdb2_dbm_open): Don't overflow buffer "path".
+
1999-08-15 Tom Yu <tlyu@mit.edu>
* README.NOT.SLEEPYCAT.DB: New file; pointer to README to
diff --git a/src/util/db2/btree/bt_close.c b/src/util/db2/btree/bt_close.c
index b731dcb..11be134 100644
--- a/src/util/db2/btree/bt_close.c
+++ b/src/util/db2/btree/bt_close.c
@@ -137,7 +137,8 @@ __bt_sync(dbp, flags)
return (RET_ERROR);
}
- if (F_ISSET(t, B_INMEM | B_RDONLY) || !F_ISSET(t, B_MODIFIED))
+ if (F_ISSET(t, B_INMEM | B_RDONLY)
+ || !F_ISSET(t, B_MODIFIED | B_METADIRTY))
return (RET_SUCCESS);
if (F_ISSET(t, B_METADIRTY) && bt_meta(t) == RET_ERROR)
diff --git a/src/util/db2/btree/bt_debug.c b/src/util/db2/btree/bt_debug.c
index 8cf1cda..d36256b 100644
--- a/src/util/db2/btree/bt_debug.c
+++ b/src/util/db2/btree/bt_debug.c
@@ -114,10 +114,9 @@ __bt_dump(dbp)
(void)fprintf(tracefp, ")\n");
}
#undef X
-
- for (i = P_ROOT;
+ for (i = P_ROOT; i < t->bt_mp->npages &&
(h = mpool_get(t->bt_mp, i, MPOOL_IGNOREPIN)) != NULL; ++i)
- __bt_dpage(h);
+ __bt_dpage(dbp, h);
(void)fflush(tracefp);
return (0);
}
@@ -156,6 +155,7 @@ __bt_dmpage(h)
X(R_RECNO, "RECNO");
(void)fprintf(tracefp, ")");
}
+ (void)fprintf(tracefp, "\n");
(void)fflush(tracefp);
return (0);
}
@@ -178,7 +178,7 @@ __bt_dnpage(dbp, pgno)
t = dbp->internal;
if ((h = mpool_get(t->bt_mp, pgno, MPOOL_IGNOREPIN)) != NULL)
- __bt_dpage(h);
+ __bt_dpage(dbp, h);
(void)fflush(tracefp);
return (0);
}
@@ -190,14 +190,16 @@ __bt_dnpage(dbp, pgno)
* h: pointer to the PAGE
*/
int
-__bt_dpage(h)
+__bt_dpage(dbp, h)
+ DB *dbp;
PAGE *h;
{
BINTERNAL *bi;
BLEAF *bl;
RINTERNAL *ri;
RLEAF *rl;
- indx_t cur, top;
+ u_long pgsize;
+ indx_t cur, top, lim;
char *sep;
__bt_dinit();
@@ -223,10 +225,13 @@ __bt_dpage(h)
if (h->flags & P_OVERFLOW)
return;
+ pgsize = ((BTREE *)dbp->internal)->bt_mp->pagesize;
+ lim = (pgsize - BTDATAOFF) / sizeof(indx_t);
top = NEXTINDEX(h);
+ lim = top > lim ? lim : top;
(void)fprintf(tracefp, " lower %3d upper %3d nextind %d\n",
h->lower, h->upper, top);
- for (cur = 0; cur < top; cur++) {
+ for (cur = 0; cur < lim; cur++) {
(void)fprintf(tracefp, "\t[%03d] %4d ", cur, h->linp[cur]);
switch (h->flags & P_TYPE) {
case P_BINTERNAL:
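Review bot: The new `lim` clamp bounds how many `h->linp[]` slots are read, but each slot's value is still an unchecked offset into the page. If the `switch` that follows (its body is outside this hunk) resolves the entry through GETBINTERNAL/GETBLEAF-style macros, a bogus offset on a damaged page would still be dereferenced beyond `pgsize`. A guard at the top of the loop body would cover that: `if (h->linp[cur] >= pgsize) { (void)fprintf(tracefp, "offset out of page\n"); continue; }`. It would also help to print a marker when `lim < top`, so a truncated dump is not mistaken for a complete one.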
@@ -307,7 +312,7 @@ __bt_stat(dbp)
t = dbp->internal;
pcont = pinternal = pleaf = 0;
nkeys = ifree = lfree = 0;
- for (i = P_ROOT;
+ for (i = P_ROOT; i < t->bt_mp->npages &&
(h = mpool_get(t->bt_mp, i, MPOOL_IGNOREPIN)) != NULL; ++i)
switch (h->flags & P_TYPE) {
case P_BINTERNAL:
diff --git a/src/util/db2/btree/bt_page.c b/src/util/db2/btree/bt_page.c
index cb65040..3663cf7 100644
--- a/src/util/db2/btree/bt_page.c
+++ b/src/util/db2/btree/bt_page.c
@@ -65,6 +65,7 @@ __bt_free(t, h)
h->prevpg = P_INVALID;
h->nextpg = t->bt_free;
t->bt_free = h->pgno;
+ F_SET(t, B_METADIRTY);
/* Make sure the page gets written back. */
return (mpool_put(t->bt_mp, h, MPOOL_DIRTY));
@@ -92,6 +93,7 @@ __bt_new(t, npg)
(h = mpool_get(t->bt_mp, t->bt_free, 0)) != NULL) {
*npg = t->bt_free;
t->bt_free = h->nextpg;
+ F_SET(t, B_METADIRTY);
return (h);
}
return (mpool_new(t->bt_mp, npg, MPOOL_PAGE_NEXT));
diff --git a/src/util/db2/btree/bt_seq.c b/src/util/db2/btree/bt_seq.c
index 3e68c66..c16d4a2 100644
--- a/src/util/db2/btree/bt_seq.c
+++ b/src/util/db2/btree/bt_seq.c
@@ -1,3 +1,27 @@
+/*
+ * Copyright (C) 2002 by the Massachusetts Institute of Technology.
+ * All rights reserved.
+ *
+ * Export of this software from the United States of America may
+ * require a specific license from the United States Government.
+ * It is the responsibility of any person or organization contemplating
+ * export to obtain such a license before exporting.
+ *
+ * WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
+ * distribute this software and its documentation for any purpose and
+ * without fee is hereby granted, provided that the above copyright
+ * notice appear in all copies and that both that copyright notice and
+ * this permission notice appear in supporting documentation, and that
+ * the name of M.I.T. not be used in advertising or publicity pertaining
+ * to distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability of
+ * this software for any purpose. It is provided "as is" without express
+ * or implied warranty.
+ */
+
/*-
* Copyright (c) 1990, 1993, 1994
* The Regents of the University of California. All rights reserved.
@@ -488,3 +512,389 @@ __bt_setcur(t, pgno, index)
t->bt_cursor.pg.index = index;
F_SET(&t->bt_cursor, CURS_INIT);
}
+
+/* Recursive descent cursor. */
+typedef struct rcursor_ {
+ CURSOR cursor;
+ size_t ssize;
+ EPGNO *stack;
+ EPGNO *sp;
+} RCURSOR;
+#define RCURSOR_MINSS 64
+
+static int bt_rcinit(void **);
+static void bt_rcdestroy(void **);
+static int bt_rcpush(RCURSOR *, db_pgno_t, u_int);
+static EPGNO *bt_rcpop(RCURSOR *);
+static void bt_rcclr(RCURSOR *);
+static int bt_rcgrowstk(RCURSOR *);
+static int bt_rseqset(BTREE *, EPG *, DBT *, RCURSOR *, int);
+static int bt_rseqadv(BTREE *, EPG *, RCURSOR *, int);
+
+static int
+bt_rcinit(curs)
+ void **curs;
+{
+ RCURSOR *rc;
+
+ rc = *curs = malloc(sizeof(RCURSOR));
+ if (rc == NULL) {
+ errno = ENOMEM;
+ return RET_ERROR;
+ }
+ memset(rc, 0, sizeof(*rc));
+
+ rc->ssize = RCURSOR_MINSS;
+ rc->stack = malloc(rc->ssize * sizeof(EPGNO));
+ if (rc->stack == NULL) {
+ free(rc);
+ errno = ENOMEM;
+ return RET_ERROR;
+ }
+ bt_rcclr(rc);
+ return RET_SUCCESS;
+}
+
+static void
+bt_rcdestroy(curs)
+ void **curs;
+{
+ RCURSOR *rc;
+
+ rc = *curs;
+ free(rc->stack);
+ free(rc);
+ *curs = NULL;
+}
+
+static int
+bt_rcpush(rc, p, i)
+ RCURSOR *rc;
+ db_pgno_t p;
+ u_int i;
+{
+ int status;
+
+ rc->sp->pgno = p;
+ rc->sp->index = i;
+ if (++rc->sp > rc->stack + rc->ssize) {
+ status = bt_rcgrowstk(rc);
+ if (status != RET_SUCCESS)
+ return status;
+ }
+ return RET_SUCCESS;
+}
+
+static EPGNO *
+bt_rcpop(rc)
+ RCURSOR *rc;
+{
+ return (rc->sp == rc->stack) ? NULL : --rc->sp;
+}
+
+static void
+bt_rcclr(rc)
+ RCURSOR *rc;
+{
+ rc->sp = rc->stack;
+}
+
+static int
+bt_rcgrowstk(rc)
+ RCURSOR *rc;
+{
+ size_t osize;
+ EPGNO *e;
+
+ osize = rc->ssize;
+ rc->ssize *= 2;
+ e = realloc(rc->stack, rc->ssize * sizeof(EPGNO));
+ if (e == NULL) {
+ rc->ssize = osize;
+ errno = ENOMEM;
+ return RET_ERROR;
+ }
+ rc->stack = e;
+ return RET_SUCCESS;
+}
+
+/*
+ * bt_rseq --
+ * Like __bt_seq but does recursive descent tree traversal
+ * instead of using the prev/next pointers.
+ */
+int
+bt_rseq(dbp, key, data, curs, flags)
+ const DB *dbp;
+ DBT *key, *data;
+ void **curs;
+ u_int flags;
+{
+ RCURSOR *rc;
+ BTREE *t;
+ EPG e;
+ int status;
+
+ t = dbp->internal;
+
+ /* Toss any page pinned across calls. */
+ if (t->bt_pinned != NULL) {
+ mpool_put(t->bt_mp, t->bt_pinned, 0);
+ t->bt_pinned = NULL;
+ }
+
+ if (curs == NULL) {
+ errno = EINVAL;
+ return RET_ERROR;
+ }
+ if (*curs == NULL) {
+ status = bt_rcinit(curs);
+ if (status != RET_SUCCESS)
+ return RET_ERROR;
+ }
+ rc = *curs;
+
+ /*
+ * If scan unitialized as yet, or starting at a specific record, set
+ * the scan to a specific key. Both bt_rseqset and bt_rseqadv pin
+ * the page the cursor references if they're successful.
+ */
+ switch (flags) {
+ case R_NEXT:
+ case R_PREV:
+ if (F_ISSET(&rc->cursor, CURS_INIT)) {
+ status = bt_rseqadv(t, &e, rc, flags);
+ break;
+ }
+ /* FALLTHROUGH */
+ case R_FIRST:
+ case R_LAST:
+ case R_CURSOR:
+ status = bt_rseqset(t, &e, key, rc, flags);
+ break;
+ default:
+ errno = EINVAL;
+ return (RET_ERROR);
+ }
+
+ if (status == RET_SUCCESS) {
+ status =
+ __bt_ret(t, &e, key, &t->bt_rkey, data, &t->bt_rdata, 0);
+
+ /*
+ * If the user is doing concurrent access, we copied the
+ * key/data, toss the page.
+ */
+ if (F_ISSET(t, B_DB_LOCK))
+ mpool_put(t->bt_mp, e.page, 0);
+ else
+ t->bt_pinned = e.page;
+ } else if (status == RET_SPECIAL)
+ bt_rcdestroy(curs);
+ return (status);
+}
+
+/*
+ * bt_rseqset --
+ * Set the sequential scan to a specific key.
+ *
+ * Parameters:
+ * t: tree
+ * ep: storage for returned key
+ * key: key for initial scan position
+ * rc: recursion cursor
+ * flags: R_CURSOR, R_FIRST, R_LAST, R_NEXT, R_PREV
+ *
+ * Side effects:
+ * Pins the page the cursor references.
+ * Updates rc's stack and cursor.
+ *
+ * Returns:
+ * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key.
+ */
+static int
+bt_rseqset(t, ep, key, rc, flags)
+ BTREE *t;
+ EPG *ep;
+ DBT *key;
+ RCURSOR *rc;
+ int flags;
+{
+ PAGE *h;
+ db_pgno_t pg;
+ int status;
+
+ /*
+ * Find the first, last or specific key in the tree and point the
+ * cursor at it. The cursor may not be moved until a new key has
+ * been found.
+ */
+ switch (flags) {
+ case R_CURSOR: /* Not implemented. */
+ errno = EINVAL;
+ return RET_ERROR;
+ case R_FIRST: /* First record. */
+ case R_NEXT:
+ bt_rcclr(rc);
+ /* Walk down the left-hand side of the tree. */
+ for (pg = P_ROOT;;) {
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+
+ /* Check for an empty tree. */
+ if (NEXTINDEX(h) == 0) {
+ mpool_put(t->bt_mp, h, 0);
+ return (RET_SPECIAL);
+ }
+
+ if (h->flags & (P_BLEAF | P_RLEAF))
+ break;
+ pg = GETBINTERNAL(h, 0)->pgno;
+ status = bt_rcpush(rc, h->pgno, 0);
+ mpool_put(t->bt_mp, h, 0);
+ if (status != RET_SUCCESS)
+ return status;
+ }
+ ep->page = h;
+ ep->index = 0;
+ break;
+ case R_LAST: /* Last record. */
+ case R_PREV:
+ bt_rcclr(rc);
+ /* Walk down the right-hand side of the tree. */
+ for (pg = P_ROOT;;) {
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+
+ /* Check for an empty tree. */
+ if (NEXTINDEX(h) == 0) {
+ mpool_put(t->bt_mp, h, 0);
+ return (RET_SPECIAL);
+ }
+
+ if (h->flags & (P_BLEAF | P_RLEAF))
+ break;
+ pg = GETBINTERNAL(h, NEXTINDEX(h) - 1)->pgno;
+ status = bt_rcpush(rc, h->pgno, NEXTINDEX(h) - 1);
+ mpool_put(t->bt_mp, h, 0);
+ if (status != RET_SUCCESS)
+ return status;
+ }
+ ep->page = h;
+ ep->index = NEXTINDEX(h) - 1;
+ break;
+ }
+ rc->cursor.pg.pgno = ep->page->pgno;
+ rc->cursor.pg.index = ep->index;
+ F_CLR(&rc->cursor, CURS_ACQUIRE | CURS_AFTER | CURS_BEFORE);
+ F_SET(&rc->cursor, CURS_INIT);
+ return (RET_SUCCESS);
+}
+
+/*
+ * bt_rseqadvance --
+ * Advance the sequential scan.
+ *
+ * Parameters:
+ * t: tree
+ * ep: return page
+ * rc: recursion cursor
+ * flags: R_NEXT, R_PREV
+ *
+ * Side effects:
+ * Pins the page the new key/data record is on.
+ * Updates rc's stack and cursor.
+ *
+ * Returns:
+ * RET_ERROR, RET_SUCCESS or RET_SPECIAL if there's no next key.
+ */
+static int
+bt_rseqadv(t, ep, rc, flags)
+ BTREE *t;
+ EPG *ep;
+ RCURSOR *rc;
+ int flags;
+{
+ CURSOR *c;
+ PAGE *h;
+ indx_t idx;
+ db_pgno_t pg;
+ int status;
+ EPGNO *e;
+
+ /*
+ * There are a couple of states that we can be in. The cursor has
+ * been initialized by the time we get here, but that's all we know.
+ */
+ c = &rc->cursor;
+
+ /* Get the page referenced by the cursor. */
+ if ((h = mpool_get(t->bt_mp, c->pg.pgno, 0)) == NULL)
+ return (RET_ERROR);
+
+ /*
+ * Find the next/previous record in the tree and point the cursor at
+ * it. The cursor may not be moved until a new key has been found.
+ */
+ switch (flags) {
+ case R_NEXT: /* Next record. */
+ idx = c->pg.index;
+ while (++idx == NEXTINDEX(h)) {
+ /* Crawl up if we hit the right edge. */
+ e = bt_rcpop(rc);
+ mpool_put(t->bt_mp, h, 0);
+ if (e == NULL) /* Hit the right edge of root. */
+ return RET_SPECIAL;
+ idx = e->index;
+ pg = e->pgno;
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+ }
+ while (!(h->flags & (P_BLEAF | P_RLEAF))) {
+ /* Crawl down the left until we hit a leaf. */
+ status = bt_rcpush(rc, h->pgno, idx);
+ pg = GETBINTERNAL(h, idx)->pgno;
+ mpool_put(t->bt_mp, h, 0);
+ if (status != RET_SUCCESS)
+ return status;
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+ idx = 0;
+ }
+ break;
+ case R_PREV: /* Previous record. */
+ idx = c->pg.index;
+ while (!idx) {
+ /* Crawl up if we hit the left edge. */
+ e = bt_rcpop(rc);
+ mpool_put(t->bt_mp, h, 0);
+ if (e == NULL) /* Hit the left edge of root. */
+ return RET_SPECIAL;
+ idx = e->index;
+ pg = e->pgno;
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+ }
+ idx--;
+ while (!(h->flags & (P_BLEAF | P_RLEAF))) {
+ /* Crawl down the right until we hit a leaf. */
+ status = bt_rcpush(rc, h->pgno, idx);
+ pg = GETBINTERNAL(h, idx)->pgno;
+ mpool_put(t->bt_mp, h, 0);
+ if (status != RET_SUCCESS)
+ return status;
+ if ((h = mpool_get(t->bt_mp, pg, 0)) == NULL)
+ return (RET_ERROR);
+ idx = NEXTINDEX(h) - 1;
+ }
+ break;
+ }
+
+ ep->page = h;
+ ep->index = idx;
+ c->pg.pgno = h->pgno;
+ c->pg.index = idx;
+ F_CLR(c, CURS_ACQUIRE | CURS_AFTER | CURS_BEFORE);
+ F_SET(c, CURS_INIT);
+ return (RET_SUCCESS);
+}
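Review bot: bt_rcpush stores the entry at `rc->sp` before checking for room, and its test `++rc->sp > rc->stack + rc->ssize` only fires once `sp` is already past the end, so the push made when the stack is full writes one EPGNO beyond the allocation. bt_rcgrowstk then assigns the realloc result to `rc->stack` but never rebases `rc->sp`, which is left pointing into the old block if realloc moved it. A well-formed tree is unlikely to reach RCURSOR_MINSS levels, but bt_rseq exists for inconsistent databases, where looping page pointers could presumably drive the descent that deep. The change below grows before the store and carries the depth across the realloc. Separately, the `NEXTINDEX(h) - 1` in the R_PREV descent of bt_rseqadv would also benefit from an empty-page check.

```c
static int
bt_rcpush(rc, p, i)
	/* ... unchanged: parameter declarations ... */
{
	int status;

	/* Make room first so the store below never lands past the array. */
	if (rc->sp >= rc->stack + rc->ssize) {
		status = bt_rcgrowstk(rc);
		if (status != RET_SUCCESS)
			return status;
	}
	rc->sp->pgno = p;
	rc->sp->index = i;
	rc->sp++;
	return RET_SUCCESS;
}

static int
bt_rcgrowstk(rc)
	RCURSOR *rc;
{
	size_t osize, depth;
	EPGNO *e;

	osize = rc->ssize;
	depth = rc->sp - rc->stack;
	/* ... unchanged: doubling of ssize, realloc, ENOMEM handling ... */
	rc->stack = e;
	rc->sp = e + depth;	/* realloc may have moved the block */
	return RET_SUCCESS;
}
```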
diff --git a/src/util/db2/btree/bt_split.c b/src/util/db2/btree/bt_split.c
index 0fc95ba..0cc6cf0 100644
--- a/src/util/db2/btree/bt_split.c
+++ b/src/util/db2/btree/bt_split.c
@@ -673,7 +673,8 @@ bt_psplit(t, h, l, r, pskip, ilen)
* where we decide to try and copy too much onto the left page.
* Make sure that doesn't happen.
*/
- if (skip <= off && used + nbytes >= full || nxt == top - 1) {
+ if ((skip <= off && used + nbytes + sizeof(indx_t) >= full)
+ || nxt == top - 1) {
--off;
break;
}
@@ -686,7 +687,7 @@ bt_psplit(t, h, l, r, pskip, ilen)
memmove((char *)l + l->upper, src, nbytes);
}
- used += nbytes;
+ used += nbytes + sizeof(indx_t);
if (used >= half) {
if (!isbigkey || bigkeycnt == 3)
break;
diff --git a/src/util/db2/btree/extern.h b/src/util/db2/btree/extern.h
index 70a8807..3aa8841 100644
--- a/src/util/db2/btree/extern.h
+++ b/src/util/db2/btree/extern.h
@@ -58,10 +58,20 @@
#define __ovfl_get __kdb2_ovfl_get
#define __ovfl_put __kdb2_ovfl_put
#define __bt_dnpage __kdb2_bt_dnpage
+#define __bt_dmpage __kdb2_bt_dmpage
#define __bt_dpage __kdb2_bt_dpage
#define __bt_dump __kdb2_bt_dump
#define __bt_stat __kdb2_bt_stat
+#define bt_rcinit kdb2_bt_rcinit
+#define bt_rcdestroy kdb2_bt_rcdestroy
+#define bt_rcpush kdb2_bt_rcpush
+#define bt_rcpop kdb2_bt_rcpop
+#define bt_rcclr kdb2_bt_rcclr
+#define bt_rcgrowstk kdb2_bt_rcgrowstk
+#define bt_rseqset kdb2_bt_rseqset
+#define bt_rseqadv kdb2_bt_rseqadv
+
int __bt_close __P((DB *));
int __bt_cmp __P((BTREE *, const DBT *, EPG *));
int __bt_crsrdel __P((BTREE *, EPGNO *));
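Review bot: The eight new `bt_rc*` / `bt_rseq*` renames are not needed for namespace protection, because bt_seq.c declares all of those functions `static` and they have no external linkage. Keeping them means any file that includes this header has those identifiers rewritten, which makes debugger and grep output harder to match with the source. I would drop the eight defines and keep only `#define __bt_dmpage __kdb2_bt_dmpage`, which covers a function that does have a prototype in this header.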
@@ -91,7 +101,8 @@ int __ovfl_put __P((BTREE *, const DBT *, db_pgno_t *));
#ifdef DEBUG
int __bt_dnpage __P((DB *, db_pgno_t));
-int __bt_dpage __P((PAGE *));
+int __bt_dpage __P((DB *, PAGE *));
+int __bt_dmpage __P((PAGE *));
int __bt_dump __P((DB *));
#endif
#ifdef STATISTICS
diff --git a/src/util/db2/hash/dbm.c b/src/util/db2/hash/dbm.c
index 50921de..aa96766 100644
--- a/src/util/db2/hash/dbm.c
+++ b/src/util/db2/hash/dbm.c
@@ -168,8 +168,9 @@ kdb2_dbm_open(file, flags, mode)
info.cachesize = 0;
info.hash = NULL;
info.lorder = 0;
- (void)strcpy(path, file);
- (void)strcat(path, DBM_SUFFIX);
+ (void)strncpy(path, file, sizeof(path) - 1);
+ path[sizeof(path) - 1] = '\0';
+ (void)strncat(path, DBM_SUFFIX, sizeof(path) - 1 - strlen(path));
return ((DBM *)__hash_open(path, flags, mode, &info, 0));
}
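Review bot: The bounded copy removes the overflow but truncates silently, so an over-long `file` makes `__hash_open` operate on a different path than the caller named, possibly one with a clipped or missing DBM_SUFFIX. Rejecting the name before copying is safer: `if (strlen(file) + strlen(DBM_SUFFIX) >= sizeof(path)) { errno = ENAMETOOLONG; return (NULL); }`. This relies on `path` being an array declared above the hunk, as the `sizeof(path)` in the new lines already does, and on errno.h being in scope in this file.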
diff --git a/src/util/db2/hash/hash_debug.c b/src/util/db2/hash/hash_debug.c
index ed99c69..69229fc 100644
--- a/src/util/db2/hash/hash_debug.c
+++ b/src/util/db2/hash/hash_debug.c
@@ -56,7 +56,6 @@ static char sccsid[] = "@(#)hash_debug.c 8.4 (Berkeley) 11/7/95";
#include "hash.h"
#include "page.h"
#include "extern.h"
-#include "compat.h"
void
__dump_bucket(hashp, bucket)
diff --git a/src/util/db2/include/ChangeLog b/src/util/db2/include/ChangeLog
index 4d3d16d..7b25e55 100644
--- a/src/util/db2/include/ChangeLog
+++ b/src/util/db2/include/ChangeLog
@@ -1,3 +1,9 @@
+2002-08-26 Tom Yu <tlyu@mit.edu>
+
+ * db.h: Add rename and prototype for bt_rseq(); this is a kludge
+ to avoid stuffing more things into the DB handle.
+ [pullup from trunk]
+
Fri Feb 13 14:39:25 1998 Tom Yu <tlyu@mit.edu>
* db-int.h: Additional renaming.
diff --git a/src/util/db2/include/db.h b/src/util/db2/include/db.h
index 2eaf0bc..980145a 100644
--- a/src/util/db2/include/db.h
+++ b/src/util/db2/include/db.h
@@ -166,8 +166,10 @@ typedef struct {
#endif
#define dbopen kdb2_dbopen
+#define bt_rseq kdb2_bt_rseq /* XXX kludge */
__BEGIN_DECLS
DB *dbopen __P((const char *, int, int, DBTYPE, const void *));
+int bt_rseq(const DB*, DBT *, DBT *, void **, u_int); /* XXX kludge */
__END_DECLS
#endif /* !_DB_H_ */
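Review bot: The new `bt_rseq` prototype exposes a cursor whose lifetime rules are not documented anywhere in the header. From bt_seq.c in this commit, the cursor is allocated when `*curs` is NULL and released only when the call returns RET_SPECIAL, so a caller that stops early or gets RET_ERROR has no way to free it. A comment above the prototype would state that contract: `/* *curs must be NULL on the first call; it is freed and reset to NULL only when bt_rseq returns RET_SPECIAL. */`. For consistency with `dbopen` on the line above, the prototype should also use the wrapper: `int bt_rseq __P((const DB *, DBT *, DBT *, void **, u_int));`.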
diff --git a/src/util/db2/test/ChangeLog b/src/util/db2/test/ChangeLog
index 4e147d7..fc2f691 100644
--- a/src/util/db2/test/ChangeLog
+++ b/src/util/db2/test/ChangeLog
@@ -1,3 +1,17 @@
+2002-08-26 Tom Yu <tlyu@mit.edu>
+
+ * dbtest.c: Include btree.h if we're compiled with -DSTATISTICS.
+ [pullup from trunk]
+
+2001-12-21 Ken Raeburn <raeburn@mit.edu>
+
+ * dbtest.c (compare): Make comparison failures fatal.
+ (get): Make no-such-key errors fatal.
+
+ * run.test (main, test3, test8): Use "/bin/." instead of "/bin" in
+ find commands, in case /bin itself is a symlink.
+ (test8): Do check exit status of program.
+
1998-05-06 Theodore Ts'o <tytso@rsts-11.mit.edu>
* dbtest.c (main): POSIX states that getopt returns -1
diff --git a/src/util/db2/test/btree.tests/ChangeLog b/src/util/db2/test/btree.tests/ChangeLog
index cfd0b18..b70f64e 100644
--- a/src/util/db2/test/btree.tests/ChangeLog
+++ b/src/util/db2/test/btree.tests/ChangeLog
@@ -1,3 +1,17 @@
+2002-08-26 Tom Yu <tlyu@mit.edu>
+
+ * main.c: Disable append(); we don't have R_APPEND in this release
+ of DB for some reason. Disable load() due to lack of fgetline().
+ Conditionalize lots of things on -DSTATISTICS or -DDEBUG as
+ appropriate.
+ (rlist): New function; does recursive listing of principals.
+ (main): Fix up naming of *_ENDIAN macros. Default to read-only
+ open, with new "-w" option for opening read/write. Actually call
+ db->sync with the correct number of arguments.
+ (show): Update call to __bt_dpage().
+ (usage): Update.
+ [pullup from trunk]
+
1998-05-06 Theodore Ts'o <tytso@rsts-11.mit.edu>
* main.c (main): POSIX states that getopt returns -1
diff --git a/src/util/db2/test/btree.tests/main.c b/src/util/db2/test/btree.tests/main.c
index bbf1fcf..06f02b3 100644
--- a/src/util/db2/test/btree.tests/main.c
+++ b/src/util/db2/test/btree.tests/main.c
@@ -59,12 +59,18 @@ typedef struct cmd_table {
int stopstop;
DB *globaldb;
+#if 0
void append __P((DB *, char **));
+#endif
+#ifdef STATISTICS
void bstat __P((DB *, char **));
+#endif
void cursor __P((DB *, char **));
void delcur __P((DB *, char **));
void delete __P((DB *, char **));
+#ifdef DEBUG
void dump __P((DB *, char **));
+#endif
void first __P((DB *, char **));
void get __P((DB *, char **));
void help __P((DB *, char **));
@@ -75,23 +81,36 @@ void insert __P((DB *, char **));
void keydata __P((DBT *, DBT *));
void last __P((DB *, char **));
void list __P((DB *, char **));
+#if 0
void load __P((DB *, char **));
+#endif
+#ifdef STATISTICS
void mstat __P((DB *, char **));
+#endif
void next __P((DB *, char **));
int parse __P((char *, char **, int));
void previous __P((DB *, char **));
+#ifdef DEBUG
void show __P((DB *, char **));
+#endif
+void rlist __P((DB *, char **));
void usage __P((void));
void user __P((DB *));
cmd_table commands[] = {
"?", 0, 0, help, "help", NULL,
+#if 0
"a", 2, 1, append, "append key def", "append key with data def",
+#endif
+#ifdef STATISTICS
"b", 0, 0, bstat, "bstat", "stat btree",
+#endif
"c", 1, 1, cursor, "cursor word", "move cursor to word",
"delc", 0, 0, delcur, "delcur", "delete key the cursor references",
"dele", 1, 1, delete, "delete word", "delete word",
+#ifdef DEBUG
"d", 0, 0, dump, "dump", "dump database",
+#endif
"f", 0, 0, first, "first", "move cursor to first record",
"g", 1, 1, get, "get key", "locate key",
"h", 0, 0, help, "help", "print command summary",
@@ -101,13 +120,20 @@ cmd_table commands[] = {
"in", 2, 1, insert, "insert key def", "insert key with data def",
"la", 0, 0, last, "last", "move cursor to last record",
"li", 1, 1, list, "list file", "list to a file",
+#if 0
"loa", 1, 0, load, "load file", NULL,
+#endif
"loc", 1, 1, get, "get key", NULL,
+#ifdef STATISTICS
"m", 0, 0, mstat, "mstat", "stat memory pool",
+#endif
"n", 0, 0, next, "next", "move cursor forward one record",
"p", 0, 0, previous, "previous", "move cursor back one record",
"q", 0, 0, NULL, "quit", "quit",
+ "rli", 1, 1, rlist, "rlist file", "list to a file (recursive)",
+#ifdef DEBUG
"sh", 1, 0, show, "show page", "dump a page",
+#endif
{ NULL },
};
@@ -121,11 +147,13 @@ main(argc, argv)
char **argv;
{
int c;
+ int omode;
DB *db;
BTREEINFO b;
progname = *argv;
+ omode = O_RDONLY;
b.flags = 0;
b.cachesize = 0;
b.maxkeypage = 0;
@@ -135,10 +163,10 @@ main(argc, argv)
b.prefix = NULL;
b.lorder = 0;
- while ((c = getopt(argc, argv, "bc:di:lp:ru")) != -1) {
+ while ((c = getopt(argc, argv, "bc:di:lp:ruw")) != -1) {
switch (c) {
case 'b':
- b.lorder = BIG_ENDIAN;
+ b.lorder = DB_BIG_ENDIAN;
break;
case 'c':
b.cachesize = atoi(optarg);
@@ -150,7 +178,7 @@ main(argc, argv)
dict = optarg;
break;
case 'l':
- b.lorder = LITTLE_ENDIAN;
+ b.lorder = DB_LITTLE_ENDIAN;
break;
case 'p':
b.psize = atoi(optarg);
@@ -161,6 +189,9 @@ main(argc, argv)
case 'u':
b.flags = 0;
break;
+ case 'w':
+ omode = O_RDWR;
+ break;
default:
usage();
}
@@ -169,10 +200,10 @@ main(argc, argv)
argv += optind;
if (recno)
- db = dbopen(*argv == NULL ? NULL : *argv, O_RDWR|O_BINARY,
+ db = dbopen(*argv == NULL ? NULL : *argv, omode|O_BINARY,
0, DB_RECNO, NULL);
else
- db = dbopen(*argv == NULL ? NULL : *argv, O_CREAT|O_RDWR|O_BINARY,
+ db = dbopen(*argv == NULL ? NULL : *argv, O_CREAT|omode|O_BINARY,
0600, DB_BTREE, &b);
if (db == NULL) {
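Review bot: The btree branch still passes `O_CREAT` even though `omode` now defaults to `O_RDONLY`, so a mistyped file name in the default read-only mode can create an empty 0600 file, assuming dbopen hands these flags through to open(2). Creation should be tied to the new `-w` option: `db = dbopen(*argv == NULL ? NULL : *argv, (omode == O_RDWR ? O_CREAT : 0)|omode|O_BINARY,`. main() starts and continues outside this hunk.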
@@ -240,7 +271,7 @@ user(db)
uselast: last = i;
(*commands[i].func)(db, argv);
}
- if ((db->sync)(db) == RET_ERROR)
+ if ((db->sync)(db, 0) == RET_ERROR)
perror("dbsync");
else if ((db->close)(db) == RET_ERROR)
perror("dbclose");
@@ -269,6 +300,7 @@ parse(lbuf, argv, maxargc)
return (argc);
}
+#if 0
void
append(db, argv)
DB *db;
@@ -298,6 +330,7 @@ append(db, argv)
break;
}
}
+#endif
void
cursor(db, argv)
@@ -366,6 +399,7 @@ delete(db, argv)
}
}
+#ifdef DEBUG
void
dump(db, argv)
DB *db;
@@ -373,6 +407,7 @@ dump(db, argv)
{
__bt_dump(db);
}
+#endif
void
first(db, argv)
@@ -598,10 +633,37 @@ list(db, argv)
(void)fprintf(fp, "%s\n", key.data);
status = (*db->seq)(db, &key, &data, R_NEXT);
}
+ (void)fclose(fp);
+ if (status == RET_ERROR)
+ perror("list/seq");
+}
+
+void
+rlist(db, argv)
+ DB *db;
+ char **argv;
+{
+ DBT data, key;
+ FILE *fp;
+ int status;
+ void *cookie;
+
+ cookie = NULL;
+ if ((fp = fopen(argv[1], "w")) == NULL) {
+ (void)fprintf(stderr, "%s: %s\n", argv[1], strerror(errno));
+ return;
+ }
+ status = bt_rseq(db, &key, &data, &cookie, R_FIRST);
+ while (status == RET_SUCCESS) {
+ (void)fprintf(fp, "%s\n", key.data);
+ status = bt_rseq(db, &key, &data, &cookie, R_NEXT);
+ }
+ (void)fclose(fp);
if (status == RET_ERROR)
perror("list/seq");
}
+#if 0
DB *BUGdb;
void
load(db, argv)
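Review bot: rlist prints `key.data` with `%s`, which reads until a NUL byte even though a DBT carries an explicit `size`. On the inconsistent databases bt_rseq is meant to walk, the key bytes cannot be assumed to be terminated. Bounding the print avoids reading past the record: `(void)fprintf(fp, "%.*s\n", (int)key.size, (char *)key.data);`. The same applies to the matching line in list(), shown as context in this hunk. Also, when the loop ends with RET_ERROR, `cookie` is never released, because bt_rseq only destroys the cursor on RET_SPECIAL.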
@@ -657,6 +719,7 @@ load(db, argv)
}
(void)fclose(fp);
}
+#endif
void
next(db, argv)
@@ -704,6 +767,7 @@ previous(db, argv)
}
}
+#ifdef DEBUG
void
show(db, argv)
DB *db;
@@ -722,10 +786,12 @@ show(db, argv)
if (pg == 0)
__bt_dmpage(h);
else
- __bt_dpage(h);
+ __bt_dpage(db, h);
mpool_put(t->bt_mp, h, 0);
}
+#endif
+#ifdef STATISTICS
void
bstat(db, argv)
DB *db;
@@ -743,6 +809,7 @@ mstat(db, argv)
(void)printf("MPOOL\n");
mpool_stat(((BTREE *)db->internal)->bt_mp);
}
+#endif
void
keydata(key, data)
@@ -759,7 +826,7 @@ void
usage()
{
(void)fprintf(stderr,
- "usage: %s [-bdlu] [-c cache] [-i file] [-p page] [file]\n",
+ "usage: %s [-bdluw] [-c cache] [-i file] [-p page] [file]\n",
progname);
exit (1);
}
diff --git a/src/util/db2/test/dbtest.c b/src/util/db2/test/dbtest.c
index f499047..315b13c 100644
--- a/src/util/db2/test/dbtest.c
+++ b/src/util/db2/test/dbtest.c
@@ -54,6 +54,9 @@ static char sccsid[] = "@(#)dbtest.c 8.17 (Berkeley) 9/1/94";
#include <unistd.h>
#include "db-int.h"
+#ifdef STATISTICS
+#include "btree.h"
+#endif
enum S { COMMAND, COMPARE, GET, PUT, REMOVE, SEQ, SEQFLAG, KEY, DATA };
@@ -344,13 +347,13 @@ compare(db1, db2)
register u_char *p1, *p2;
if (db1->size != db2->size)
- printf("compare failed: key->data len %lu != data len %lu\n",
+ err("compare failed: key->data len %lu != data len %lu\n",
db1->size, db2->size);
len = MIN(db1->size, db2->size);
for (p1 = db1->data, p2 = db2->data; len--;)
if (*p1++ != *p2++) {
- printf("compare failed at offset %d\n",
+ err("compare failed at offset %d\n",
p1 - (u_char *)db1->data);
break;
}
@@ -374,10 +377,11 @@ get(dbp, kp)
/* NOTREACHED */
case 1:
#define NOSUCHKEY "get failed, no such key\n"
- if (ofd != STDOUT_FILENO)
+ if (ofd != STDOUT_FILENO) {
(void)write(ofd, NOSUCHKEY, sizeof(NOSUCHKEY) - 1);
- else
- (void)fprintf(stderr, "%d: %.*s: %s",
+ exit (1);
+ } else
+ err(stderr, "%d: %.*s: %s",
lineno, MIN(kp->size, 20), kp->data, NOSUCHKEY);
#undef NOSUCHKEY
break;
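Review bot: The replacement call `err(stderr, "%d: %.*s: %s", ...)` still passes `stderr` as its first argument, left over from the `fprintf` it replaces. The compare() hunk in this same file calls `err("compare failed ...")` with the format string first, so here the `FILE *` would be taken as the format and the real format string as a variadic argument. Depending on whether a prototype is in scope, that is either a compile-time diagnostic or undefined behaviour when the message is formatted. Drop the stream: `err("%d: %.*s: %s", lineno, (int)MIN(kp->size, 20), kp->data, NOSUCHKEY);`, where the `(int)` cast is there because `%.*s` expects an `int` precision and `size` is printed with `%lu` in compare(). The definition of err() and the rest of get() are outside this hunk.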
diff --git a/src/util/db2/test/run.test b/src/util/db2/test/run.test
index 462a9c2..c3922c8 100644
--- a/src/util/db2/test/run.test
+++ b/src/util/db2/test/run.test
@@ -31,6 +31,8 @@ main()
dictsize=`wc -l < $DICT`
+ bindir=/bin/.
+
if [ $# -eq 0 ]; then
for t in 1 2 3 4 5 6 7 8 9 10 11 12 13 20; do
test$t
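Review bot: The new `bindir=/bin/.` assignment has no comment saying why the path ends in `/.`, and the reason is not obvious from the script. Presumably it lets `find` descend when /bin is a symbolic link; if so, say it next to the assignment, e.g. `# trailing /. so find descends even when /bin is a symlink`. The later uses expand `$bindir` unquoted, which is harmless for this fixed value but worth quoting if the variable ever becomes overridable.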
@@ -141,15 +143,15 @@ test2()
fi
}
-# Insert the programs in /bin with their paths as their keys.
+# Insert the programs in $bindir with their paths as their keys.
test3()
{
echo "Test 3: hash: small key, big data pairs"
rm -f $TMP1
- (find /bin -type f -exec test -r {} \; -print | xargs cat) > $TMP1
+ (find $bindir -type f -exec test -r {} \; -print | xargs cat) > $TMP1
for type in hash; do
rm -f $TMP2 $TMP3
- for i in `find /bin -type f -exec test -r {} \; -print`; do
+ for i in `find $bindir -type f -exec test -r {} \; -print`; do
echo p
echo k$i
echo D$i
@@ -168,7 +170,7 @@ test3()
echo " page size $psize"
for type in btree; do
rm -f $TMP2 $TMP3
- for i in `find /bin -type f -exec test -r {} \; -print`; do
+ for i in `find $bindir -type f -exec test -r {} \; -print`; do
echo p
echo k$i
echo D$i
@@ -185,7 +187,7 @@ test3()
done
echo "Test 3: recno: big data pairs"
rm -f $TMP2 $TMP3
- find /bin -type f -exec test -r {} \; -print |
+ find $bindir -type f -exec test -r {} \; -print |
awk '{
++i;
printf("p\nk%d\nD%s\ng\nk%d\n", i, $0, i);
@@ -415,7 +417,12 @@ test8()
printf("r\nkkey1\nr\nkkey2\n");
}
}' > $TMP1
- $PROG btree $TMP1
+ if $PROG btree $TMP1 ; then
+ true
+ else
+ echo "test8: btree tests failed"
+ exit 1
+ fi
# $PROG hash $TMP1
# No explicit test for success.
}
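Review bot: The trailing comment `# No explicit test for success.` in test8 is stale now that the btree run is checked, and should be reworded to cover only the commented-out hash run. The `if $PROG btree $TMP1 ; then true; else ...` form also carries an empty success branch; `$PROG btree $TMP1 || { echo "test8: btree tests failed"; exit 1; }` states the same check directly. The start of test8 is outside this hunk.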
diff --git a/src/util/et/ChangeLog b/src/util/et/ChangeLog
index 345416e..b277f07 100644
--- a/src/util/et/ChangeLog
+++ b/src/util/et/ChangeLog
@@ -1,3 +1,55 @@
+2001-12-18 Ken Raeburn <raeburn@mit.edu>
+
+ * test_et.c (main): Only use sys_nerr tests if HAVE_SYS_ERRLIST.
+
+2001-10-31 Miro Jurisic <meeroh@mit.edu>
+
+ * et_c.awk, et_c.pl, et_h.awk, et_h.pl: Fixed the incorrect
+ #if defined(unix) ... which was accidentally reintroduced
+
+2001-10-31 Danilo Almeida <dalmeida@mit.edu>
+
+ * com_err.h: Windows should include <win-mac.h> as opposed
+ to <Kerberos5/win-mac.h>
+
+2001-10-29 Miro Jurisic <meeroh@mit.edu>
+ * pullup from krb5-1-2 branch after krb5-1-2-2-bp
+ * error_message.c: fixed busted parentheses
+ * error_message.c: call through to strerror on Mac OS X
+ * error_message.c: call through to ErrorLib on Mac OS X
+ * et.pbexp: export com_err() on Mac OS X
+ * error_massage.c: #include <KerberosSupport/ErrorLib.h> on Mac OS
+ * com_err.h: #include <Kerberos5/win-mac.h> on Mac OS
+ * et_c.awk, et_c.pl, et_h.awk, et_h.pl: Updated Mac OS #defines
+ and #includes for new header layout and Mac OS X frameworks
+
+2000-10-08 Miro Jurisic <meeroh@mit.edu>
+
+ * et_c.perl, et_h.perl:
+ Renamed to et_c.pl and et_h.pl because the extension is used
+ as a newline separator heuristic in MacPerl parser
+
+2000-10-08 Miro Jurisic <meeroh@mit.edu>
+
+ * et_c.perl, et_h.perl:
+ Removed #! from the first line to avoid confusing MacPerl
+
+2000-10-02 Alexandra Ellwood <lxs@mit.edu>
+
+ * com_err.h, error_message.c, et.pbexp, et_c.awk, et_h.awk:
+ conditionalized com_err so it doesn't need to export et_list
+ on Mac OS X
+
+2000-05-07 Miro Jurisic <meeroh@mit.edu>
+
+ * com_err.c (default_com_err_proc): use strncpy
+ where strncpy was meant (typo in Nalin's patch)
+
+2000-05-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * com_err.c (default_com_err_proc) [_MSDOS || _WIN32 ||
+ macintosh]: Don't overflow buffer "errbuf".
+
2000-02-23 Ken Raeburn <raeburn@mit.edu>
* Makefile.in (com_err.o): Depends on com_err.c.
diff --git a/src/util/et/com_err.c b/src/util/et/com_err.c
index 31da130..7bb0810 100644
--- a/src/util/et/com_err.c
+++ b/src/util/et/com_err.c
@@ -50,15 +50,18 @@ static void default_com_err_proc(whoami, code, fmt, ap)
char errbuf[1024] = "";
if (whoami) {
- strcat (errbuf, whoami);
- strcat (errbuf, ": ");
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ strncat (errbuf, whoami, sizeof(errbuf) - 1 - strlen(errbuf));
+ strncat (errbuf, ": ", sizeof(errbuf) - 1 - strlen(errbuf));
}
if (code) {
- strcat (errbuf, error_message(code));
- strcat (errbuf, " ");
+ errbuf[sizeof(errbuf) - 1] = '\0';
+ strncat (errbuf, error_message(code), sizeof(errbuf) - 1 - strlen(errbuf));
+ strncat (errbuf, " ", sizeof(errbuf) - 1 - strlen(errbuf));
}
if (fmt)
vsprintf (errbuf + strlen (errbuf), fmt, ap);
+ errbuf[sizeof(errbuf) - 1] = '\0';
#ifdef macintosh
MacMessageBox(errbuf);
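Review bot: The `vsprintf (errbuf + strlen (errbuf), fmt, ap)` call kept as context is still unbounded, so a long formatted message can write past the 1024-byte `errbuf` even though the `strcat` calls are now bounded. The added `errbuf[sizeof(errbuf) - 1] = '\0'` after it runs once the write has already happened and cannot undo an overflow. Bound the write itself, e.g. `vsnprintf (errbuf + strlen (errbuf), sizeof(errbuf) - strlen (errbuf), fmt, ap);`, using whatever spelling the target C library provides (per the ChangeLog entry this branch is the _MSDOS/_WIN32/macintosh path). The two terminator assignments placed before the `strncat` calls are redundant, since `errbuf` starts zero-filled and `strncat` always terminates. default_com_err_proc begins and ends outside the hunk.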
diff --git a/src/util/et/com_err.h b/src/util/et/com_err.h
index 7a8858b..f1acb70 100644
--- a/src/util/et/com_err.h
+++ b/src/util/et/com_err.h
@@ -13,7 +13,11 @@
#ifndef __COM_ERR_H
#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)
+#ifdef _WIN32
#include <win-mac.h>
+#else
+#include <Kerberos5/win-mac.h>
+#endif
#if defined(macintosh) && defined(__CFM68K__) && !defined(__USING_STATIC_LIBS__)
#pragma import on
#endif
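Review bot: The new `#ifdef _WIN32` / `#else` split sends every other target of the enclosing `#if defined(_MSDOS) || defined(_WIN32) || defined(macintosh)` to `<Kerberos5/win-mac.h>`, and that includes `_MSDOS` builds, which previously got `<win-mac.h>`. If DOS builds are still meant to work, key the framework path on the Mac case instead, i.e. test `#ifdef macintosh` for `<Kerberos5/win-mac.h>` and leave `<win-mac.h>` in the `#else`. A one-line comment naming which platform owns which header path would keep this from regressing again.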
@@ -80,7 +84,7 @@ KRB5_DLLIMP extern errcode_t KRB5_CALLCONV add_error_table
KRB5_DLLIMP extern errcode_t KRB5_CALLCONV remove_error_table
ET_P((const struct error_table FAR *));
-#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)
+#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !defined(__MACH__)
/*
* The display routine should be application specific. A global hook,
* may cause inappropriate display procedures to be called between
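Review bot: This guard tests `!defined(__MACH__)` alone, while the matching guards changed in error_message.c, et_c.awk, et_h.awk and the two .pl generators in this commit all use `(defined(__MACH__) && defined(__APPLE__))`. On a Mach-based system that is not Apple's, the header would take the Mac branch while the other files take the Unix branch, so the two sides would disagree about what is declared. Use the same test here: `#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))`. The declarations this guard covers continue past the hunk.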
diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c
index b4a0537..4a5de74 100644
--- a/src/util/et/error_message.c
+++ b/src/util/et/error_message.c
@@ -27,8 +27,9 @@
#include "com_err.h"
#include "error_table.h"
-#ifdef macintosh
-#include <ErrorLib.h>
+#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))
+ #include <KerberosSupport/KerberosSupport.h>
+ #include <KerberosSupport/ErrorLib.h>
#endif
#if defined(_MSDOS) || defined(_WIN32)
@@ -48,7 +49,7 @@ extern const int sys_nerr;
static char buffer[ET_EBUFSIZ];
-#if (defined(_MSDOS) || defined(_WIN32) || defined(macintosh))
+#if (defined(_MSDOS) || defined(_WIN32) || defined(macintosh) || (defined(__MACH__) && defined(__APPLE__)))
static struct et_list * _et_list = (struct et_list *) NULL;
#else
/* Old interface compatibility */
@@ -150,12 +151,19 @@ KRB5_DLLIMP const char FAR * KRB5_CALLCONV error_message(code)
oops:
-#if defined(macintosh)
+#if TARGET_OS_MAC
{
/* This may be a Mac OS Toolbox error or an MIT Support Library Error. Ask ErrorLib */
if (GetErrorLongString(code, buffer, ET_EBUFSIZ - 1) == noErr) {
return buffer;
}
+
+#if TARGET_API_MAC_OSX
+ /* ComErr and ErrorLib don't know about this error, ask the system */
+ /* Of course there's no way to tell if it knew what error it got */
+ return (strerror (code));
+#endif
+
}
#endif
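Review bot: The added `return (strerror (code));` under `TARGET_API_MAC_OSX` is unconditional, so on that target nothing after the closing `#endif` on the `oops:` path can run, and every code ErrorLib does not recognise is handed to `strerror` whether or not it is an errno value. The returned pointer also refers to storage owned by the C library rather than the file's own `buffer`, which the ErrorLib branch just above returns, so callers get two different lifetimes from the same function. Consider copying the text into `buffer` before returning. At minimum, extend the comment to say that the generic fallback after the `#endif` is bypassed on this target. The rest of error_message() is outside the hunk.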
diff --git a/src/util/et/et.pbexp b/src/util/et/et.pbexp
new file mode 100644
index 0000000..3109761
--- /dev/null
+++ b/src/util/et/et.pbexp
@@ -0,0 +1,10 @@
+#
+# comerr library Macintosh export file
+#
+# $Header$
+
+_com_err
+_com_err_va
+_error_message
+_add_error_table
+_remove_error_table
diff --git a/src/util/et/et_c.awk b/src/util/et/et_c.awk
index 94b258f..c9ecc6f 100644
--- a/src/util/et/et_c.awk
+++ b/src/util/et/et_c.awk
@@ -209,14 +209,14 @@ END {
tab_base_low, table_item_count) > outfile
}
print "" > outfile
- print "#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)" > outfile
+ print "#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))" > outfile
print "struct et_list {" > outfile
print " struct et_list *next;" > outfile
print " const struct error_table * table;" > outfile
print "};" > outfile
print "extern struct et_list *_et_list;" > outfile
print "static struct et_list link = { 0, 0 };" > outfile
- print "void initialize_" table_name "_error_table (NOARGS) {" > outfile
+ print "void initialize_" table_name "_error_table (NOARGS) {" > outfile
print " if (!link.table) {" > outfile
print " link.next = _et_list;" > outfile
print " link.table = &et_" table_name "_error_table;" > outfile
diff --git a/src/util/et/et_c.perl b/src/util/et/et_c.pl
index 6af7179..83bce3b 100644
--- a/src/util/et/et_c.perl
+++ b/src/util/et/et_c.pl
@@ -1,9 +1,3 @@
-#!/afs/athena/contrib/perl5/p
-eval 'exec /afs/athena/contrib/perl5/arch/sun4x_55/bin/perl -S $0 ${1+"$@"}'
- if $running_under_some_shell;
- # this emulates #! processing on NIH machines.
- # (remove #! line above if indigestible)
-
eval '$'.$1.'$2;' while $ARGV[0] =~ /^([A-Za-z_0-9]+=)(.*)/ && shift;
# process any FOO=bar switches
@@ -279,7 +273,7 @@ else {
&Pick('>', $outfile) &&
(print $fh '');
&Pick('>', $outfile) &&
- (print $fh '#if defined(unix) || defined(_AIX)');
+ (print $fh '#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))');
&Pick('>', $outfile) &&
(print $fh 'struct et_list {');
&Pick('>', $outfile) &&
diff --git a/src/util/et/et_h.awk b/src/util/et/et_h.awk
index 2521886..2ce75bf 100644
--- a/src/util/et/et_h.awk
+++ b/src/util/et/et_h.awk
@@ -111,7 +111,11 @@ c2n["_"]=63
print " * This file is automatically generated; please do not edit it." > outfile
print " */" > outfile
print "" > outfile
+ print "#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))" > outfile
+ print "#include <KerberosComErr/KerberosComErr.h>" > outfile
+ print "#else" > outfile
print "#include <com_err.h>" > outfile
+ print "#endif" > outfile
print "" > outfile
}
@@ -148,7 +152,7 @@ END {
print "" > outfile
print "extern struct error_table et_" table_name "_error_table;" > outfile
print "" > outfile
- print "#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh)" > outfile
+ print "#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))" > outfile
print "/* for compatibility with older versions... */" > outfile
print "extern void initialize_" table_name "_error_table ();" > outfile
print "#define init_" table_name "_err_tbl initialize_" table_name "_error_table" > outfile
diff --git a/src/util/et/et_h.perl b/src/util/et/et_h.pl
index b477faf..a5d5507 100644
--- a/src/util/et/et_h.perl
+++ b/src/util/et/et_h.pl
@@ -1,9 +1,3 @@
-#!/afs/athena/contrib/perl5/p
-eval 'exec /afs/athena/contrib/perl5/arch/sun4x_55/bin/perl -S $0 ${1+"$@"}'
- if $running_under_some_shell;
- # this emulates #! processing on NIH machines.
- # (remove #! line above if indigestible)
-
eval '$'.$1.'$2;' while $ARGV[0] =~ /^([A-Za-z_0-9]+=)(.*)/ && shift;
# process any FOO=bar switches
@@ -138,8 +132,16 @@ line: while (<>) {
&Pick('>', $outfile) &&
(print $fh '');
&Pick('>', $outfile) &&
+ (print $fh '#if defined(macintosh) || (defined(__MACH__) && defined(__APPLE__))');
+ &Pick('>', $outfile) &&
+ (print $fh '#include <KerberosComErr/KerberosComErr.h>');
+ &Pick('>', $outfile) &&
+ (print $fh '#else');
+ &Pick('>', $outfile) &&
(print $fh '#include <com_err.h>');
&Pick('>', $outfile) &&
+ (print $fh '#endif');
+ &Pick('>', $outfile) &&
(print $fh '');
}
@@ -192,7 +194,7 @@ else {
&Pick('>', $outfile) &&
(print $fh '');
&Pick('>', $outfile) &&
- (print $fh '#if defined(unix) || defined(_AIX)');
+ (print $fh '#if !defined(_MSDOS) && !defined(_WIN32) && !defined(macintosh) && !(defined(__MACH__) && defined(__APPLE__))');
&Pick('>', $outfile) &&
(print $fh '/* for compatibility with older versions... */');
&Pick('>', $outfile) &&
diff --git a/src/util/et/test_et.c b/src/util/et/test_et.c
index ff638a2..efeaf62 100644
--- a/src/util/et/test_et.c
+++ b/src/util/et/test_et.c
@@ -14,8 +14,10 @@ main()
printf("Msg TGT-expired is '%s'\n", error_message(KRB_MK_AP_TGTEXP));
printf("Msg EPERM is '%s'\n", error_message(EPERM));
printf("Msg FOO_ERR is '%s'\n", error_message(FOO_ERR));
+#ifdef HAVE_SYS_ERRLIST
printf("Msg {sys_nerr-1} is '%s'\n", error_message(sys_nerr-1));
printf("Msg {sys_nerr} is '%s'\n", error_message(sys_nerr));
+#endif
printf("Msg 0 is '%s'\n", error_message(0));
printf("With 0: tgt-expired -> %s\n", error_message(KRB_MK_AP_TGTEXP));
@@ -35,7 +37,9 @@ main()
printf("Msg for TGT-expired is '%s'\n",
error_message(KRB_MK_AP_TGTEXP));
+#ifdef HAVE_SYS_ERRLIST
printf("Msg {sys_nerr-1} is '%s'\n", error_message(sys_nerr-1));
+#endif
printf("Msg FOO_ERR is '%s'\n", error_message(FOO_ERR));
printf("Msg KRB_SKDC_CANT is '%s'\n",
error_message(KRB_SKDC_CANT));
diff --git a/src/util/makeshlib.sh b/src/util/makeshlib.sh
index ec485ca..303c0ce 100644
--- a/src/util/makeshlib.sh
+++ b/src/util/makeshlib.sh
@@ -38,16 +38,14 @@ case $host in
stat=$?
if [ $stat -eq 0 ] ; then
if test "$HAVE_GCC" = "yes" ; then
-
-
- $CC -o shr.o.$version $library -nostartfiles -Xlinker -bgcbypass:1 -Xlinker -bfilelist -Xlinker -bM:SRE -Xlinker -bE:${library}.syms $LDFLAGS -lc
+ $CC -o shr.o.$version $library -nostartfiles -Xlinker -bgcbypass:1 -Xlinker -bfilelist -Xlinker -bM:SRE -Xlinker -bE:${library}.syms -Xlinker -berok $LDFLAGS -lc
else
# Pull in by explicit pathname so we don't get gnu ld if
# installed (it could be even if we chose not to use gcc).
# Better still would be to do this through $CC -- how do
# we get crt0.o left out?
- echo /bin/ld -o shr.o.$version $library -H512 -T512 -bnoentry -bM:SRE $LDFLAGS -bgcbypass:1 -bnodelcsect -bE:${library}.syms $libdirfl $liblist -lc
- /bin/ld -o shr.o.$version $library -H512 -T512 -bnoentry -bM:SRE $LDFLAGS -bgcbypass:1 -bnodelcsect -bE:${library}.syms -lc
+ echo /bin/ld -o shr.o.$version $library -H512 -T512 -bnoentry -bM:SRE $LDFLAGS -bgcbypass:1 -bnodelcsect -bE:${library}.syms -berok $libdirfl $liblist -lc
+ /bin/ld -o shr.o.$version $library -H512 -T512 -bnoentry -bM:SRE $LDFLAGS -bgcbypass:1 -bnodelcsect -bE:${library}.syms -berok -lc
fi
stat=$?
if [ $stat -eq 0 ] ; then
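Review bot: Adding `-berok` to both AIX link commands lets the shared object be produced with unresolved references, so a missing dependency no longer fails the build and would surface only when the library is loaded. If the flag is needed for a known set of symbols, record that in a comment beside it, e.g. `# -berok: <symbols> are resolved by the loading program`, so that a later genuine omission is not mistaken for the expected case. Separately, the `echo` line still prints `$libdirfl $liblist` while the `/bin/ld` command that actually runs omits them, so the logged command is not the one executed. The enclosing `case` arm starts and ends outside the hunk.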
diff --git a/src/util/mkrel b/src/util/mkrel
index e534a47..a086450 100644
--- a/src/util/mkrel
+++ b/src/util/mkrel
@@ -3,12 +3,15 @@ repository=:kserver:cvs.mit.edu:/cvs/krbdev
dodoc=t
dosrc=t
checkout=t
+multitar=nil
while test $# -gt 2; do
case $1 in
--srconly)
dodoc=nil;;
--doconly)
dosrc=nil;;
+ --multi*)
+ multitar=t;;
--repository)
shift; repository=$1;;
--nocheckout)
@@ -136,22 +139,25 @@ fi
echo "Generating tarfiles..."
GZIP=-9; export GZIP
-if test $dosrc = t; then
- gtar --exclude $reldir/src/lib/crypto \
- --exclude $reldir/src/lib/des425 \
- --exclude $reldir/doc \
- -zcf ${reldir}.src.tar.gz $reldir
-
- gtar zcf ${reldir}.crypto.tar.gz \
- $reldir/src/lib/crypto \
- $reldir/src/lib/des425
-fi
-
-if test $dodoc = t; then
- gtar zcf ${reldir}.doc.tar.gz $reldir/doc $reldir/README
+if test $multitar = t; then
+ if test $dosrc = t; then
+ gtar --exclude $reldir/src/lib/crypto \
+ --exclude $reldir/src/lib/des425 \
+ --exclude $reldir/doc \
+ -zcf ${reldir}.src.tar.gz $reldir
+
+ gtar zcf ${reldir}.crypto.tar.gz \
+ $reldir/src/lib/crypto \
+ $reldir/src/lib/des425
+ fi
+ if test $dodoc = t; then
+ gtar zcf ${reldir}.doc.tar.gz $reldir/doc $reldir/README
+ fi
+ ls -l ${reldir}.*.tar.gz
fi
-ls -l ${reldir}.*.tar.gz
+gtar zcf ${reldir}.tar.gz $reldir
+ls -l ${reldir}.tar.gz
echo "Done."
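Review bot: The new unconditional `gtar zcf ${reldir}.tar.gz $reldir` ignores `dosrc` and `dodoc`, so `--srconly` and `--doconly` now shape the archives only when `--multi` is also given; without it the single tarball always contains everything under `$reldir`. If that is intended, the option help should say so. Otherwise apply the same exclusions to the combined archive, or reject the conflicting flags during option parsing. `$reldir` is also expanded unquoted in the new lines, as in the old ones, which matters if the release directory name can contain whitespace or glob characters.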
diff --git a/src/util/profile/ChangeLog b/src/util/profile/ChangeLog
index 172d7ac..9a1da21 100644
--- a/src/util/profile/ChangeLog
+++ b/src/util/profile/ChangeLog
@@ -1,3 +1,35 @@
+2002-02-28 Alexandra Ellwood <lxs@mit.edu>
+ * profile.pbexp: Restrict Mac OS X export list to public functions
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to error table changes.
+
+2001-09-25 Ken Raeburn <raeburn@mit.edu>
+
+ * prof_err.et (PROF_BAD_BOOLEAN, PROF_BAD_INTEGER): New error
+ codes.
+
+2001-02-02 Tom Yu <tlyu@mit.edu>
+
+ * krb5.conf: Test with trailing whitespace on "default_realm"
+ line. [pullup from trunk]
+
+ * krb5.conf: Test with a space after ']' and '{' [pullup from trunk]
+
+ * prof_parse.c (parse_std_line): Spaces after '{' or ']' should
+ not be a fatal error. This is a common lossage in krb5.conf files.
+ [pullup from trunk]
+
+2000-10-7 Miro Jurisic <meeroh@mit.edu>
+
+ * et.pbexp: Added the Mach-O initializer function
+
+2000-10-7 Miro Jurisic <meeroh@mit.edu>
+
+ * et.pbexp: Added the Mac OS X export file (hopefully temporary,
+ until Apple fixes their tools to use the same format as Mac OS 9)
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/util/profile/Makefile.in b/src/util/profile/Makefile.in
index 3955ca8..fa3f6db 100644
--- a/src/util/profile/Makefile.in
+++ b/src/util/profile/Makefile.in
@@ -40,7 +40,7 @@ MLIBS = -lcom_err $(GEN_LIB)
LIB=profile
LIBMAJOR=1
-LIBMINOR=0
+LIBMINOR=1
SHLIB_EXPDEPS = $(TOPLIBD)/libcom_err$(SHLIBEXT)
SHLIB_EXPLIBS = -lcom_err
SHLIB_DIRS = -L$(TOPLIBD)
diff --git a/src/util/profile/krb5.conf b/src/util/profile/krb5.conf
index 01eb66c..19c59c6 100644
--- a/src/util/profile/krb5.conf
+++ b/src/util/profile/krb5.conf
@@ -1,5 +1,5 @@
[libdefaults]
- default_realm = ATHENA.MIT.EDU
+ default_realm = ATHENA.MIT.EDU
default_tgs_enctypes = des-cbc-crc
default_tkt_enctypes = des-cbc-crc
krb4_config = /etc/athena/krb.conf
@@ -8,8 +8,8 @@
kdc_timesync = 1
ccache_type = 4
-[realms]
- ATHENA.MIT.EDU = {
+[realms]
+ ATHENA.MIT.EDU = {
# kdc = kerberos-2000.mit.edu
kdc = kerberos.mit.edu:88
kdc = kerberos-1.mit.edu:88
@@ -17,7 +17,7 @@
kdc = kerberos-3.mit.edu:88
admin_server = kerberos.mit.edu
default_domain = mit.edu
- }
+ }
MEDIA-LAB.MIT.EDU = {
kdc = kerberos.media.mit.edu
admin_server = kerberos.media.mit.edu
diff --git a/src/util/profile/prof_err.et b/src/util/profile/prof_err.et
index e6e35db..dc248f4 100644
--- a/src/util/profile/prof_err.et
+++ b/src/util/profile/prof_err.et
@@ -54,4 +54,10 @@ error_code PROF_FAIL_OPEN, "Couldn't open profile file"
#
error_code PROF_EXISTS, "Section already exists"
+#
+# generated by prof_get.c
+#
+error_code PROF_BAD_BOOLEAN, "Invalid boolean value"
+error_code PROF_BAD_INTEGER, "Invalid integer value"
+
end
diff --git a/src/util/profile/prof_parse.c b/src/util/profile/prof_parse.c
index 0e3cffe..7e8bcb8 100644
--- a/src/util/profile/prof_parse.c
+++ b/src/util/profile/prof_parse.c
@@ -130,6 +130,10 @@ static errcode_t parse_std_line(line, state)
profile_make_node_final(state->current_section);
cp++;
}
+ /*
+ * A space after ']' should not be fatal
+ */
+ cp = skip_over_blanks(cp);
if (*cp)
return PROF_SECTION_SYNTAX;
return 0;
@@ -169,7 +173,7 @@ static errcode_t parse_std_line(line, state)
} else if (value[0] == 0) {
do_subsection++;
state->state = STATE_GET_OBRACE;
- } else if (value[0] == '{' && value[1] == 0)
+ } else if (value[0] == '{' && *(skip_over_blanks(value+1)) == 0)
do_subsection++;
else {
cp = value + strlen(value) - 1;
diff --git a/src/util/profile/profile.pbexp b/src/util/profile/profile.pbexp
new file mode 100644
index 0000000..427a9d4
--- /dev/null
+++ b/src/util/profile/profile.pbexp
@@ -0,0 +1,24 @@
+#
+# _profile library Macintosh export file
+#
+# $Header$
+
+_profile_init
+_profile_init_path
+_profile_flush
+_profile_abandon
+_profile_release
+_profile_get_values
+_profile_free_list
+_profile_get_string
+_profile_get_integer
+_profile_get_relation_names
+_profile_get_subsection_names
+_profile_iterator_create
+_profile_iterator_free
+_profile_iterator
+_profile_release_string
+_profile_update_relation
+_profile_clear_relation
+_profile_rename_section
+_profile_add_relation
diff --git a/src/util/pty/ChangeLog b/src/util/pty/ChangeLog
index ff815b7..3dac1a3 100644
--- a/src/util/pty/ChangeLog
+++ b/src/util/pty/ChangeLog
@@ -1,3 +1,169 @@
+2001-11-28 Tom Yu <tlyu@mit.edu>
+
+ * update_utmp.c (PTY_GETUTXENT): Fix typo. Thanks to Shawn
+ Stepper. [fixes krb5-build/1020]
+
+2001-11-19 Tom Yu <tlyu@mit.edu>
+
+ * update_utmp.c (pty_update_utmp): Patch from Garry Zacheiss to
+ kludge around cases where we need to use more than 2 characters of
+ LINE in order to avoid conflicts in UT_ID.
+
+2001-11-05 Tom Yu <tlyu@mit.edu>
+
+ * Makefile.in (LIBMINOR): Bump due to changes to internals.
+
+2001-09-25 Tom Yu <tlyu@mit.edu>
+
+ * pty-int.h: Fix up botched merge: cause prototypes for
+ ptyint_update_wtmp{,x} to be correct.
+
+2001-09-07 Tom Yu <tlyu@mit.edu>
+
+ * update_utmp.c (pty_update_utmp): Remember to chop off leading
+ "/dev/" for the non-sysV case. Handle lseek() returning non-zero
+ yet non-negative values (it usually does... :-), so that we can
+ actually write somewhere not at the beginning of the utmp file if
+ necessary.
+
+ * update_utmp.c (pty_update_utmp): Don't copy host if it's a null
+ pointer.
+
+ * dump-utmp.c (print_ut): Use size of ut_name field, not ut_user,
+ which may not exist, for width when printing ut_name field value.
+ Specify width when printing hostname, it may be unterminated.
+ (main): Move utp and utxp declarations closer to their usages, and
+ make both conditionalized so they're not declared if they're not
+ used.
+
+ * getpty.c: Make pty_getpty() into ptyint_getpty_ext(), which has
+ an extra argument that determines whether to call grantpt() and
+ unlockpt() on systems that support it. The new pty_getpty() will
+ simply call the extended version. This is to support some
+ wackiness needed by pty_paranoia.c tests.
+
+ * pty-int.h: Add prototype for ptyint_getpty_ext().
+
+ * pty_paranoia.c: Add rant about ptys and quirks therein. Needs
+ to be updated somewhat. Add some more paranoia for the case where
+ we actually succeed in opening the slave of a closed master and
+ then succeed in opening the same master. This program will get
+ rewritten at some point to actually see what things result in EOFs
+ and under what conditions data will actually get passed between
+ master and slave.
+
+ * pty_paranoia.c: New file; do many paranoid checks about ctty
+ handling by the pty drivers.
+
+ * Makefile.in: Add rules for pty_paranoia and check-paranoia,
+ which runs pty_paranoia.
+
+ * configure.in: Define REVOKE_NEEDS_OPEN for Tru64. Add support
+ for program building and run flags for the sake of pty_paranoia.
+
+ * open_slave.c: Fix somewhat; AIX doesn't like opening the ctty
+ twice, so only do initial open if we special-case it in
+ configure.in, e.g. for Tru64.
+
+ * logwtmp.c: Delete code under "#if 0". Fix reversed test for
+ loggingin. Don't forget to set the ut_tv or ut_time for the
+ entry.
+
+ * update_utmp.c: Update rant about Tru64; remove fetching of
+ ut_user from old entry. The existence of the old ut_user in the
+ logout entry in wtmp was confusing last.
+
+ * cleanup.c: Call update_utmp() with the correct pid to assist in
+ finding the old utmp entry.
+
+ * open_ctty.c: Reformat somewhat and revise comment.
+
+ * open_slave.c: Rework significantly. Primarily, keep a fd open
+ to the slave if we need to reopen the slave device following
+ vhangup() or revoke(), to accommodate various OS quirks.
+
+ * update_utmp.c: Revise history section somewhat to document more
+ HP-UX brokenness. Search via ut_pid before searching via
+ ut_line. Copy stuff around because entuxent() will clobber some
+ things.
+
+ * void_assoc.c: Revise comment and reformat somewhat.
+
+ * open_slave.c (pty_open_slave): If revoke() present on system but
+ VHANG_FIRST is not defined, declare local variable.
+
+ * dump-utmp.c: Fix some off-by-one errors. Handle cases where we
+ have utmpname() but not utmpname().
+
+ * pty-int.h: Fix typo; VHANG_first -> VHANG_FIRST.
+
+ * open_slave.c (pty_open_slave): Add workaround for Tru64 v5.0,
+ since its revoke() will fail if the slave isn't open already.
+
+ * cleanup.c (pty_cleanup): Delcare local variable only if
+ VHANG_LAST defined.
+
+ * logwtmp.c (pty_logwtmp): Only declare local variables if
+ logwtmp() not available on system.
+
+ * update_utmp.c (pty_update_utmp): Fix typo (OWRONLY ->
+ O_WRONLY).
+
+ * update_wtmp.c (ptyint_update_wtmpx): Add missing semi-colon in
+ code path if PTY_UTMP_E_EXIT and PTY_UTMPX_E_EXIT exist.
+
+ * configure.in: Fix some quoting of shell variables when passing
+ to "test". Reorder some logic in consistency checks to validate
+ cache variables against "yes" to account for possible empty or
+ nonexistent values.
+
+ * pty-int.h: Fix conditional prototype of update_wtmp().
+
+ * update_wtmp.c: Fix conditional compilation of update_wtmp() to
+ cover the case where we have setutxent() but don't have updwtmpx()
+ and WTMPX_FILE, as is the case on some Linux installations.
+
+ * configure.in(K5_CHECK_UT_MEMBER): Fix typo in previous; make
+ sure to include the correct header when checking structure
+ members.
+
+ * configure.in: Many changes to support the rewriting of the utmp
+ pieces of libpty. Do a large amount of checking for consistency
+ of various utmp and utmpx APIs as currently understood. See rant
+ in update_utmp.c.
+
+ * dump-utmp.c: Rewrite; now has capability to use utmp{,x}name()
+ to extract entries from utmp and utmpx files. Adjusts field
+ widths when printing as appropriate.
+
+ * libpty.h: Update call signature for update_utmp() and logwtmp();
+ make prototypes unconditional.
+
+ * logwtmp.c: Rewrite. Use pututline() or pututxline() API
+ whenever possible.
+
+ * pty-int.h: Update call signatures for update_wtmp{,x}(); make
+ prototypes unconditional.
+
+ * sane_hostname.c: Use the autoconf-correct macro names.
+
+ * update_utmp.c: Rewrite. Basically, use functions from the
+ pututline() or pututxline() API whenever possible, to avoid
+ lossage. Inserted large rant about the conjectured history of BSD
+ utmp, sysV utmp, and utmpx, as well as documentation about some
+ known quirks.
+
+ * update_wtmp.c: Rewrite. Add new function ptyint_logwtmpx() that
+ takes a utmpx rather than a utmp, so it can fail to lose data
+ converting to and from utmp.
+
+ [many pullups from trunk]
+
+2000-03-24 Ken Raeburn <raeburn@mit.edu>
+
+ * configure.in: Check for alpha*-dec-osf* instead of
+ alpha-dec-osf*.
+
1999-10-26 Tom Yu <tlyu@mit.edu>
* Makefile.in: Clean up usage of CFLAGS, CPPFLAGS, DEFS, DEFINES,
diff --git a/src/util/pty/Makefile.in b/src/util/pty/Makefile.in
index 83d61dc..135fc7b 100644
--- a/src/util/pty/Makefile.in
+++ b/src/util/pty/Makefile.in
@@ -6,9 +6,13 @@ RELDIR=../util/pty
SED = sed
+KRB5_RUN_ENV= @KRB5_RUN_ENV@
+PROG_LIBPATH=-L$(TOPLIBD)
+PROG_RPATH=$(KRB5_LIBDIR)
+
LIB=pty
LIBMAJOR=1
-LIBMINOR=1
+LIBMINOR=2
STLIBOBJS= cleanup.o getpty.o init_slave.o open_ctty.o open_slave.o \
update_utmp.o update_wtmp.o vhangup.o void_assoc.o pty_err.o \
@@ -49,6 +53,12 @@ dump-utmp: dump-utmp.o
$(CC) $(LDFLAGS) -o dump-utmp dump-utmp.o
dump-utmp.o: dump-utmp.c
+pty_paranoia: pty_paranoia.o $(COM_ERR_DEPLIB) $(PTY_DEPLIB)
+ $(CC_LINK) -o pty_paranoia pty_paranoia.o $(PTY_LIB) $(COM_ERR_LIB) $(LIBS)
+
+check-paranoia: pty_paranoia
+ $(KRB5_RUN_ENV) ./pty_paranoia
+
install-unix:: install-libs
clean-unix::
diff --git a/src/util/pty/cleanup.c b/src/util/pty/cleanup.c
index cf0b451..87a77c1 100644
--- a/src/util/pty/cleanup.c
+++ b/src/util/pty/cleanup.c
@@ -32,10 +32,12 @@ long pty_cleanup (slave, pid, update_utmp)
int pid; /* May be zero for unknown.*/
int update_utmp;
{
+#ifdef VHANG_LAST
int retval, fd;
+#endif
if (update_utmp)
- pty_update_utmp(PTY_DEAD_PROCESS,0, "", slave, (char *)0, PTY_UTMP_USERNAME_VALID);
+ pty_update_utmp(PTY_DEAD_PROCESS, pid, "", slave, (char *)0, PTY_UTMP_USERNAME_VALID);
(void)chmod(slave, 0666);
(void)chown(slave, 0, 0);
@@ -79,7 +81,7 @@ long pty_cleanup (slave, pid, update_utmp)
return errno;
case 0:
ptyint_void_association();
- if ( retval = ( pty_open_ctty( slave, &fd )))
+ if ((retval = pty_open_ctty(slave, &fd)))
exit(retval);
ptyint_vhangup();
exit(0);
diff --git a/src/util/pty/configure.in b/src/util/pty/configure.in
index 398b182..27fac92 100644
--- a/src/util/pty/configure.in
+++ b/src/util/pty/configure.in
@@ -30,11 +30,13 @@ ac_cv_func_setsid=no # setsid doesn't do the right thing under Ultrix even thoug
# Moreover, strops.h trashes sys/ioctl.h
krb5_cv_has_streams=no
;;
-alpha-dec-osf*)
+alpha*-dec-osf*)
AC_CHECK_LIB(security,main,
AC_DEFINE(HAVE_SETLUID)
LOGINLIBS="$LOGINLIBS -lsecurity"
)
+ AC_MSG_RESULT(will open ctty prior to revoke due to OSF/1 lossage)
+ AC_DEFINE(REVOKE_NEEDS_OPEN)
;;
*-*-solaris*)
AC_DEFINE(PUSH_PTEM)
@@ -48,23 +50,144 @@ esac
dnl
AC_SUBST(LOGINLIBS)
dnl
-AC_CHECK_LIB(util,openpty, AC_DEFINE(HAVE_OPENPTY) LIBS="$LIBS -lutil")
+AC_CHECK_LIB(util,openpty, [AC_DEFINE(HAVE_OPENPTY) LIBS="$LIBS -lutil"])
AC_TYPE_MODE_T
AC_CHECK_TYPE(time_t, long)
-AC_FUNC_CHECK(strsave,AC_DEFINE(HAS_STRSAVE))
-AC_HAVE_FUNCS(getutent setreuid gettosbyname setsid ttyname line_push ptsname grantpt openpty logwtmp getutmpx)
-AC_CHECK_HEADERS(unistd.h stdlib.h string.h utmpx.h utmp.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h)
+AC_CHECK_FUNC(strsave,[AC_DEFINE(HAS_STRSAVE)])
+AC_CHECK_FUNCS(setreuid gettosbyname setsid ttyname line_push ptsname grantpt openpty)
+AC_CHECK_HEADERS(unistd.h stdlib.h string.h pty.h sys/filio.h sys/sockio.h sys/label.h sys/tty.h ttyent.h lastlog.h sys/select.h sys/ptyvar.h)
AC_CHECK_HEADERS(sys/wait.h)
-AC_CHECK_FUNCS(waitpid updwtmpx)
+AC_CHECK_FUNCS(waitpid)
DECLARE_SYS_ERRLIST
KRB5_SIGTYPE
CHECK_SIGNALS
CHECK_SETJMP
CHECK_DIRENT
-AC_HEADER_CHECK(termios.h,AC_FUNC_CHECK(cfsetispeed,AC_DEFINE(POSIX_TERMIOS)))
-CHECK_UTMP
-dnl
-dnl
+AC_CHECK_HEADER(termios.h,AC_CHECK_FUNC(cfsetispeed,AC_DEFINE(POSIX_TERMIOS)))
+
+######################################################################
+#
+# utmp related hair here. There's lots of it.
+#
+
+AC_CHECK_HEADERS(utmp.h utmpx.h)
+AC_CHECK_FUNCS(setutent setutxent updwtmp updwtmpx logwtmp getutmp getutmpx)
+AC_CHECK_FUNCS(utmpname utmpxname)
+
+AC_DEFUN(K5_CHECK_UT_MEMBER,
+[AC_MSG_CHECKING([for $2 in struct $1])
+AC_CACHE_VAL([krb5_cv_struct_$1_$2],
+[AC_TRY_COMPILE([#include <sys/types.h>
+#include <$1.h>], [struct $1 u; u.$2;],
+eval "krb5_cv_struct_$1_$2=yes", eval "krb5_cv_struct_$1_$2=no")])
+if eval "test \"`echo '$krb5_cv_struct_'$1'_'$2`\" = yes"; then
+ AC_MSG_RESULT(yes)
+ krb5_tr_ut=HAVE_STRUCT_`echo $1'_'$2 | tr 'abcdefghijklmnopqrstuvwxyz' 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'`
+ AC_DEFINE_UNQUOTED($krb5_tr_ut)
+else
+ AC_MSG_RESULT(no)
+fi])
+
+if test "$ac_cv_header_utmp_h" = yes; then
+ AC_MSG_RESULT(checking struct utmp members)
+ for krb5_mem in ut_host ut_syslen ut_addr ut_id ut_pid ut_type ut_exit; do
+ K5_CHECK_UT_MEMBER(utmp, $krb5_mem)
+ done
+fi
+
+if test "$ac_cv_header_utmpx_h" = yes; then
+ AC_MSG_RESULT(checking struct utmpx members)
+ for krb5_mem in ut_host ut_syslen ut_addr ut_id ut_pid ut_type ut_exit; do
+ K5_CHECK_UT_MEMBER(utmpx, $krb5_mem)
+ done
+fi
+
+AC_DEFUN(K5_CHECK_UT_EXIT_MEMBER,
+[AC_MSG_CHECKING([for ut_exit.$2 in struct $1])
+AC_CACHE_VAL([krb5_cv_struct_$1_ut_exit_$2],
+[AC_TRY_COMPILE([#include <sys/types.h>
+#include <$1.h>], [struct $1 u; u.ut_exit.$2;],
+eval "krb5_cv_struct_$1_ut_exit_$2=yes",
+eval "krb5_cv_struct_$1_ut_exit_$2=no")])
+if eval "test \"`echo '$krb5_cv_struct_'$1'_ut_exit_'$2`\" = yes"; then
+ AC_MSG_RESULT(yes)
+ ifelse([$3], , :, [$3])
+else
+ AC_MSG_RESULT(no)
+ ifelse([$4], , :, [$4])
+fi])
+
+if test "$krb5_cv_struct_utmp_ut_exit" = yes; then
+ AC_MSG_RESULT(checking for working ut_exit.e_exit in struct utmp)
+ for krb5_mem in __e_exit ut_e_exit ut_exit e_exit; do
+ K5_CHECK_UT_EXIT_MEMBER(utmp, $krb5_mem,
+[krb5_utmp_e_exit=$krb5_mem
+krb5_utmp_e_termination=`echo $krb5_mem|sed -e 's%_exit$%_termination%'`], )
+ done
+ if test "${krb5_utmp_e_exit+set}" = set; then
+ AC_MSG_RESULT([working ut_exit.e_exit in utmp is $krb5_utmp_e_exit])
+ AC_DEFINE_UNQUOTED(PTY_UTMP_E_EXIT, $krb5_utmp_e_exit)
+ AC_DEFINE_UNQUOTED(PTY_UTMP_E_TERMINATION, $krb5_utmp_e_termination)
+ else
+ AC_MSG_RESULT([cannot find working ut_exit.e_exit in utmp])
+ fi
+fi
+
+if test "$krb5_cv_struct_utmpx_ut_exit" = yes; then
+ AC_MSG_RESULT(checking for working ut_exit.e_exit in struct utmpx)
+ for krb5_mem in __e_exit ut_e_exit ut_exit e_exit; do
+ K5_CHECK_UT_EXIT_MEMBER(utmpx, $krb5_mem,
+[krb5_utmpx_e_exit=$krb5_mem
+krb5_utmpx_e_termination=`echo $krb5_mem|sed -e 's%_exit$%_termination%'`], )
+ done
+ if test "${krb5_utmpx_e_exit+set}" = set; then
+ AC_MSG_RESULT([working ut_exit.e_exit in utmpx is $krb5_utmpx_e_exit])
+ AC_DEFINE_UNQUOTED(PTY_UTMPX_E_EXIT, $krb5_utmpx_e_exit)
+ AC_DEFINE_UNQUOTED(PTY_UTMPX_E_TERMINATION, $krb5_utmpx_e_termination)
+ else
+ AC_MSG_RESULT([cannot find working ut_exit.e_exit in utmpx])
+ fi
+fi
+
+if test "$ac_cv_func_setutent" = yes; then
+ AC_MSG_CHECKING(consistency of sysV-ish utmp API)
+ if test "$ac_cv_header_utmp_h" = yes; then
+ if test "$krb5_cv_struct_utmp_ut_id" = yes \
+ && test "$krb5_cv_struct_utmp_ut_type" = yes \
+ && test "$krb5_cv_struct_utmp_ut_pid" = yes; then
+ AC_MSG_RESULT(ok)
+ else
+ AC_MSG_RESULT(not ok)
+ AC_MSG_ERROR([have setutent but no ut_id, ut_type, or ut_pid in utmp])
+ fi
+ else
+ AC_MSG_RESULT(not ok)
+ AC_MSG_ERROR([have setutent but no utmp.h])
+ fi
+fi
+
+if test "$ac_cv_header_utmpx_h" = yes; then
+ AC_MSG_CHECKING(consistency of utmpx API)
+ if test "$ac_cv_func_setutxent" = yes; then
+ if test "$krb5_cv_struct_utmpx_ut_id" = yes \
+ && test "$krb5_cv_struct_utmpx_ut_type" = yes \
+ && test "$krb5_cv_struct_utmpx_ut_pid" = yes; then
+ AC_MSG_RESULT(ok)
+ else
+ AC_MSG_RESULT(not ok)
+ AC_MSG_ERROR([have setutxent but no ut_id, ut_type, or ut_pid in utmpx])
+ fi
+ else
+ AC_MSG_RESULT(not ok)
+ AC_MSG_ERROR([have utmpx.h but no setutxent])
+ fi
+fi
+
+#
+# end of utmp-related hair
+#
+######################################################################
+
AC_MSG_CHECKING([streams interface])
AC_CACHE_VAL(krb5_cv_has_streams,
[AC_TRY_COMPILE(
@@ -131,24 +254,10 @@ if test $krb5_cv_setpgrp_args = two; then
AC_DEFINE(SETPGRP_TWOARG)
fi
dnl
-dnl
-if test $ac_cv_header_utmpx_h = yes -a $ac_cv_func_getutmpx = no; then
-AC_MSG_CHECKING([if utmpx and utmp ut_exit structures differ])
-AC_CACHE_VAL(krb5_cv_utmp_utmpx_diff_exit_struct,
-[AC_TRY_COMPILE(
-[#include <sys/types.h>
-#include <utmp.h>
-#include <utmpx.h>],[struct utmpx utx; struct utmp ut;
-utx.ut_exit.ut_exit = ut.ut_exit.e_exit],
-krb5_cv_utmp_utmpx_diff_exit_struct=yes, krb5_cv_utmp_utmpx_diff_exit_struct=no)])
-AC_MSG_RESULT($krb5_cv_utmp_utmpx_diff_exit_struct)
-if test $krb5_cv_utmp_utmpx_diff_exit_struct = yes; then
-AC_DEFINE(UT_EXIT_STRUCTURE_DIFFER)
-fi
-fi
-dnl
ADD_DEF(-DKERBEROS)
-AC_CONST
+AC_C_CONST
KRB5_BUILD_LIBRARY_WITH_DEPS
KRB5_BUILD_LIBOBJS
+KRB5_BUILD_PROGRAM
+KRB5_RUN_FLAGS
V5_AC_OUTPUT_MAKEFILE
diff --git a/src/util/pty/dump-utmp.c b/src/util/pty/dump-utmp.c
index 7cc8469..d4c303f 100644
--- a/src/util/pty/dump-utmp.c
+++ b/src/util/pty/dump-utmp.c
@@ -1,6 +1,29 @@
-#include <stdio.h>
+/*
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this software and
+ * its documentation for any purpose and without fee is hereby
+ * granted, provided that the above copyright notice appear in all
+ * copies and that both that copyright notice and this permission
+ * notice appear in supporting documentation, and that the name of
+ * M.I.T. not be used in advertising or publicity pertaining to
+ * distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability
+ * of this software for any purpose. It is provided "as is" without
+ * express or implied warranty.
+ *
+ * dump-utmp.c: dump utmp and utmpx format files for debugging purposes.
+ */
+
+#include <sys/types.h>
#include <sys/file.h>
#include <fcntl.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
#ifndef UTMPX
#ifdef HAVE_UTMPX_H
@@ -8,138 +31,251 @@
#endif
#endif
+#if defined(HAVE_UTMPNAME) || defined(HAVE_UTMPXNAME)
+#define UTN /* we can set utmp or utmpx for getut*() */
+#endif
+
#ifdef UTMPX
#include <utmpx.h>
+void print_utx(int, const struct utmpx *);
#endif
#include <utmp.h>
-extern char *ctime ();
+void print_ut(int, const struct utmp *);
+
+void usage(const char *);
#if defined (HAVE_STRUCT_UTMP_UT_TYPE) || defined (UTMPX)
-char *ut_typename (t) {
- switch (t) {
+char *ut_typename(int);
+
+char *
+ut_typename(int t) {
+ switch (t) {
#define S(N) case N : return #N
#define S2(N,N2) case N : return #N2
- S(EMPTY);
- S(RUN_LVL);
- S(BOOT_TIME);
- S(OLD_TIME);
- S(NEW_TIME);
- S2(INIT_PROCESS,INIT);
- S2(LOGIN_PROCESS,LOGIN);
- S2(USER_PROCESS,USER);
- S2(DEAD_PROCESS,DEAD);
- S(ACCOUNTING);
- default: return "??";
- }
+ S(EMPTY);
+ S(RUN_LVL);
+ S(BOOT_TIME);
+ S(OLD_TIME);
+ S(NEW_TIME);
+ S2(INIT_PROCESS,INIT);
+ S2(LOGIN_PROCESS,LOGIN);
+ S2(USER_PROCESS,USER);
+ S2(DEAD_PROCESS,DEAD);
+ S(ACCOUNTING);
+ default: return "??";
+ }
}
#endif
-int main (argc, argv) int argc; char *argv[]; {
- int f;
- char id[5], user[50], host[100];
- char *file = 0;
- int all = 0;
- int is_utmpx = 0;
-
- while (*++argv)
- {
- char *arg = *argv;
- if (!arg)
- break;
- if (!strcmp ("-a", arg))
- all = 1;
- else if (!strcmp ("-x", arg))
- is_utmpx = 1;
- else if (arg[0] == '-')
- {
- fprintf (stderr, "unknown arg `%s'\n", arg);
- return 1;
- }
- else if (file)
- {
- fprintf (stderr, "already got a file\n");
- return 1;
+#define S2D(x) (sizeof(x) * 2.4 + 1.5)
+
+void
+print_ut(int all, const struct utmp *u)
+{
+ int lu, ll;
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+ int lid;
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+ int lpid;
+#endif
+#ifdef PTY_UTMP_E_EXIT
+ int let, lee;
+#endif
+
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+ if (!all && ((u->ut_type == EMPTY) || (u->ut_type == DEAD_PROCESS)))
+ return;
+#endif
+
+ lu = sizeof(u->ut_name);
+ ll = sizeof(u->ut_line);
+ printf("%-*.*s:", lu, lu, u->ut_name);
+ printf("%-*.*s:", ll, ll, u->ut_line);
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+ lid = sizeof(u->ut_id);
+ printf("%-*.*s:", lid, lid, u->ut_id);
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+ lpid = S2D(u->ut_pid);
+ printf("%*ld", lpid, (long)u->ut_pid);
+#endif
+#ifdef PTY_UTMP_E_EXIT
+ let = S2D(u->ut_exit.PTY_UTMP_E_TERMINATION);
+ lee = S2D(u->ut_exit.PTY_UTMP_E_EXIT);
+ printf("(%*ld,", let, (long)u->ut_exit.PTY_UTMP_E_TERMINATION);
+ printf("%*ld)", lee, (long)u->ut_exit.PTY_UTMP_E_EXIT);
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+ printf(" %-9s", ut_typename(u->ut_type));
+#endif
+ printf(" %s", ctime(&u->ut_time) + 4);
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+ if (u->ut_host[0])
+ printf(" %.*s\n", (int) sizeof(u->ut_host), u->ut_host);
+#endif
+
+ return;
+}
+
+#ifdef UTMPX
+void
+print_utx(int all, const struct utmpx *u)
+{
+ int lu, ll, lid, lpid;
+#ifdef PTY_UTMPX_E_EXIT
+ int let, lee;
+#endif
+
+ if (!all && ((u->ut_type == EMPTY) || (u->ut_type == DEAD_PROCESS)))
+ return;
+
+ lu = sizeof(u->ut_user);
+ ll = sizeof(u->ut_line);
+ lid = sizeof(u->ut_id);
+ printf("%-*.*s:", lu, lu, u->ut_user);
+ printf("%-*.*s:", ll, ll, u->ut_line);
+ printf("%-*.*s", lid, lid, u->ut_id);
+ if (lu + ll + lid >= 60)
+ printf("\n");
+ else
+ printf(":");
+ lpid = S2D(u->ut_pid);
+ printf("%*ld", lpid, (long)u->ut_pid);
+#ifdef PTY_UTMPX_E_EXIT
+ let = S2D(u->ut_exit.PTY_UTMPX_E_TERMINATION);
+ lee = S2D(u->ut_exit.PTY_UTMPX_E_EXIT);
+ printf("(%*ld,", let, (long)u->ut_exit.PTY_UTMPX_E_TERMINATION);
+ printf("%*ld)", lee, (long)u->ut_exit.PTY_UTMPX_E_EXIT);
+#endif
+ printf(" %-9s", ut_typename(u->ut_type));
+ printf(" %s", ctime(&u->ut_tv.tv_sec) + 4);
+#ifdef HAVE_STRUCT_UTMPX_UT_HOST
+ if (u->ut_host[0])
+ printf(" %s\n", u->ut_host);
+#endif
+
+ return;
+}
+#endif
+
+#ifdef UTMPX
+#define OPTX "x"
+#else
+#define OPTX
+#endif
+#ifdef UTN
+#define OPTG "g"
+#else
+#define OPTG
+#endif
+#define OPTS "a" OPTX OPTG
+
+void
+usage(const char *prog)
+{
+ fprintf(stderr, "usage: %s [-" OPTS "] file\n", prog);
+ exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+ int c;
+ int all, is_utmpx, do_getut;
+ int f;
+ char *fn;
+ size_t recsize;
+ size_t nread;
+ union {
+ struct utmp ut;
+#ifdef UTMPX
+ struct utmpx utx;
+#endif
+ } u;
+
+ all = is_utmpx = do_getut = 0;
+ recsize = sizeof(struct utmp);
+
+ while ((c = getopt(argc, argv, OPTS)) != EOF) {
+ switch (c) {
+ case 'a':
+ all = 1;
+ break;
+#ifdef UTMPX
+ case 'x':
+ is_utmpx = 1;
+ recsize = sizeof(struct utmpx);
+ break;
+#endif
+#ifdef UTN
+ case 'g':
+ do_getut = 1;
+ break;
+#endif
+ default:
+ usage(argv[0]);
}
- else
- file = arg;
}
- f = open (file, O_RDONLY);
- if (f < 0) {
- perror (file);
- exit (1);
- }
- id[4] = 0;
- if (is_utmpx) {
+ if (argc <= optind)
+ usage(argv[0]);
+ fn = argv[optind];
+ if (!do_getut) {
+ f = open(fn, O_RDONLY);
+ if (f == -1) {
+ perror(fn);
+ exit(1);
+ }
+ while ((nread = read(f, &u, recsize)) > 0) {
+ if (nread < recsize) {
+ fprintf(stderr, "short read");
+ close(f);
+ exit(1);
+ }
+ if (is_utmpx) {
#ifdef UTMPX
- struct utmpx u;
- while (1) {
- int nread = read (f, &u, sizeof (u));
- if (nread == 0) {
- /* eof */
- return 0;
- } else if (nread == -1) {
- /* error */
- perror ("read");
- return 1;
- }
- if ((u.ut_type == DEAD_PROCESS
- || u.ut_type == EMPTY)
- && !all)
- continue;
- strncpy (id, u.ut_id, 4);
- printf ("%-8s:%-12s:%-4s", u.ut_user, u.ut_line, id);
- printf (":%5d", u.ut_pid);
- printf ("(%5d,%5d)", u.ut_exit.e_termination, u.ut_exit.e_exit);
- printf (" %-9s %s", ut_typename (u.ut_type), ctime (&u.ut_xtime) + 4);
- if (u.ut_syslen && u.ut_host[0])
- printf (" %s\n", u.ut_host);
- }
- abort ();
+ print_utx(all, &u.utx);
#else
- fprintf (stderr, "utmpx support not compiled in\n");
- return 1;
-#endif
- }
- /* else */
- {
- struct utmp u;
- while (read (f, &u, sizeof (u)) == sizeof (u)) {
-#ifdef EMPTY
- if ((u.ut_type == DEAD_PROCESS
- || u.ut_type == EMPTY)
- && !all)
- continue;
+ abort();
#endif
-#ifdef HAVE_STRUCT_UTMP_UT_PID
- strncpy (id, u.ut_id, 4);
- strncpy (user, u.ut_user, sizeof (u.ut_user));
- user[sizeof(u.ut_user)] = 0;
- printf ("%-8s:%-12s:%-4s", user, u.ut_line, id);
- printf (":%5d", u.ut_pid);
+ } else {
+ print_ut(all, &u.ut);
+ }
+ }
+ if (nread == -1) {
+ perror("read");
+ exit(1);
+ }
+ close(f);
+ } else {
+ if (is_utmpx) {
+#ifdef UTMPX
+#ifdef HAVE_UTMPXNAME
+ struct utmpx *utxp;
+ utmpxname(fn);
+ setutxent();
+ while ((utxp = getutxent()) != NULL)
+ print_utx(all, utxp);
#else
- strncpy (user, u.ut_name, sizeof (u.ut_name));
- user[sizeof(u.ut_name)] = 0;
- printf ("%-8s:%-12s", user, u.ut_line);
-#endif
-#ifdef HAVE_STRUCT_UTMP_UT_HOST
- {
- char host[sizeof (u.ut_host) + 1];
- strncpy (host, u.ut_host, sizeof(u.ut_host));
- host[sizeof (u.ut_host)] = 0;
- printf (":%-*s", sizeof (u.ut_host), host);
- }
+ fprintf(stderr, "no utmpxname(); can't use getutxent()\n");
+ exit(1);
#endif
-#ifdef HAVE_STRUCT_UTMP_UT_EXIT
- printf ("(%5d,%5d)", u.ut_exit.e_termination, u.ut_exit.e_exit);
+#else
+ abort();
#endif
-#ifdef HAVE_STRUCT_UTMP_UT_TYPE
- printf (" %-9s", ut_typename (u.ut_type));
+ } else {
+#ifdef HAVE_UTMPNAME
+ struct utmp *utp;
+ utmpname(fn);
+ setutxent();
+ while ((utp = getutent()) != NULL)
+ print_ut(all, utp);
+#else
+ fprintf(stderr, "no utmpname(); can't use getutent()\n");
+ exit(1);
#endif
- /* this ends with a newline */
- printf (" %s", ctime (&u.ut_time) + 4);
+ }
}
- }
-
- return 0;
+ exit(0);
}
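Review bot: In `main`, `nread` is declared `size_t` but holds the result of `read()`, so a failed read (-1) becomes a huge positive value, passes both the `> 0` test and the short-read check, and the loop keeps printing a stale record instead of reaching the `perror("read")` branch; declaring it `ssize_t nread;` fixes that. In the `-g` path for plain utmp, `utmpname(fn)` is followed by `setutxent();` where `setutent();` is clearly meant, so the wrong database is rewound and the build may fail to link where the utmpx API is absent. `print_utx` prints `ut_host` with an unbounded `%s` although the record comes straight from a file and the field need not be NUL-terminated; use the bounded form `print_ut` already uses: `printf(" %.*s\n", (int) sizeof(u->ut_host), u->ut_host);`.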
diff --git a/src/util/pty/getpty.c b/src/util/pty/getpty.c
index 3683ba6..0e86514 100644
--- a/src/util/pty/getpty.c
+++ b/src/util/pty/getpty.c
@@ -24,15 +24,17 @@
#include "libpty.h"
#include "pty-int.h"
-long pty_getpty (fd, slave, slavelength)
- int slavelength;
- int *fd; char *slave;
+long
+ptyint_getpty_ext(int *fd, char *slave, int slavelength, int do_grantpt)
{
+#if !defined(HAVE__GETPTY) && !defined(HAVE_OPENPTY)
char *cp;
char *p;
int i,ptynum;
struct stat stb;
char slavebuf[1024];
+#endif
+
#ifdef HAVE__GETPTY
char *slaveret; /*Temporary to hold pointer to slave*/
#endif /*HAVE__GETPTY*/
@@ -76,7 +78,8 @@ long pty_getpty (fd, slave, slavelength)
if (*fd >= 0) {
#if defined(HAVE_GRANTPT)&&defined(HAVE_STREAMS)
- if (grantpt(*fd) || unlockpt(*fd)) return PTY_GETPTY_STREAMS;
+ if (do_grantpt)
+ if (grantpt(*fd) || unlockpt(*fd)) return PTY_GETPTY_STREAMS;
#endif
#ifdef HAVE_PTSNAME
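Review bot: The new `do_grantpt` guard is written as two nested unbraced `if`s inside an `#if` block, which is easy to misread and invites a dangling-else mistake in a later edit; a single condition is clearer: `if (do_grantpt && (grantpt(*fd) || unlockpt(*fd))) return PTY_GETPTY_STREAMS;`. Passing 0 returns a master whose slave has not been through `grantpt()`/`unlockpt()`, so the function should carry a comment saying that such a caller is presumably expected to fix the slave's ownership and mode and unlock it before use. The body of `ptyint_getpty_ext` starts and ends outside this hunk.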
@@ -139,3 +142,9 @@ long pty_getpty (fd, slave, slavelength)
#endif /*HAVE__GETPTY*/
#endif /* HAVE_OPENPTY */
}
+
+long
+pty_getpty(int *fd, char *slave, int slavelength)
+{
+ return ptyint_getpty_ext(fd, slave, slavelength, 1);
+}
diff --git a/src/util/pty/libpty.h b/src/util/pty/libpty.h
index 82d2d81..ddd20c1 100644
--- a/src/util/pty/libpty.h
+++ b/src/util/pty/libpty.h
@@ -30,7 +30,6 @@
/* flags to update_utmp*/
#define PTY_TTYSLOT_USABLE (0x1)
#define PTY_UTMP_USERNAME_VALID (0x2)
-#ifdef __STDC__ /* use prototypes */
long pty_init(void);
long pty_getpty ( int *fd, char *slave, int slavelength);
@@ -39,24 +38,17 @@ long pty_open_slave (const char *slave, int *fd);
long pty_open_ctty (const char *slave, int *fd);
long pty_initialize_slave ( int fd);
-long pty_update_utmp (int process_type,int pid, char *user, char *line, char *host, int flags);
+long pty_update_utmp(int process_type, int pid, const char *user,
+ const char *line, const char *host, int flags);
-long pty_logwtmp (char *tty, char * user, char *host);
+long pty_logwtmp(const char *tty, const char *user, const char *host);
long pty_cleanup(char *slave, int pid, int update_utmp);
+
+#ifndef SOCK_DGRAM
+struct sockaddr_in;
+#endif
+
long pty_make_sane_hostname(struct sockaddr_in *, int, int, int, char **);
-#else /*__STDC__*/
-long pty_init();
-long pty_getpty();
-
-long pty_open_slave();
-long pty_open_ctty();
-long pty_initialize_slave();
-
-long pty_update_utmp();
-long pty_logwtmp();
-long pty_cleanup();
-long pty_make_sane_hostname();
-#endif /* __STDC__*/
#define __LIBPTY_H__
#endif
diff --git a/src/util/pty/logwtmp.c b/src/util/pty/logwtmp.c
index e3611f6..2047278 100644
--- a/src/util/pty/logwtmp.c
+++ b/src/util/pty/logwtmp.c
@@ -1,8 +1,7 @@
/*
* pty_logwtmp: Implement the logwtmp function if not present.
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
- *
+ * Copyright 1995, 2001 by the Massachusetts Institute of Technology.
*
* Permission to use, copy, modify, and distribute this software and
* its documentation for any purpose and without fee is hereby
@@ -24,42 +23,86 @@
#include "libpty.h"
#include "pty-int.h"
-long pty_logwtmp (tty, user, host )
- char *user, *tty, *host;
+#if defined(HAVE_SETUTXENT) || defined(HAVE_SETUTENT)
+#ifdef HAVE_SETUTXENT
+#define PTY_STRUCT_UTMPX struct utmpx
+#else
+#define PTY_STRUCT_UTMPX struct utmp
+#endif
+
+long
+pty_logwtmp(const char *tty, const char *user, const char *host)
{
+#ifndef HAVE_LOGWTMP
+ PTY_STRUCT_UTMPX utx;
+ int loggingin;
+ size_t len;
+ const char *cp;
+ char utmp_id[5];
+#endif
+
#ifdef HAVE_LOGWTMP
logwtmp(tty,user,host);
return 0;
#else
- struct utmp ut;
- char *tmpx;
- char utmp_id[5];
- /* Will be empty for logout */
- int loggingin = user[0];
+ loggingin = (user[0] != '\0');
+ memset(&utx, 0, sizeof(utx));
+ strncpy(utx.ut_line, tty, sizeof(utx.ut_line));
+ strncpy(utx.ut_user, user, sizeof(utx.ut_user));
+#if (defined(HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMPX_UT_HOST)) \
+ || (!defined(HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMP_UT_HOST))
+ strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+ utx.ut_host[sizeof(utx.ut_host) - 1] = '\0';
+#endif
+#ifdef HAVE_SETUTXENT
+ gettimeofday(&utx.ut_tv, NULL);
+#else
+ (void)time(&utx.ut_time);
+#endif
+ utx.ut_pid = (loggingin ? getpid() : 0);
+ utx.ut_type = (loggingin ? USER_PROCESS : DEAD_PROCESS);
-#ifndef NO_UT_HOST
- strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+ len = strlen(tty);
+ if (len >= 2)
+ cp = tty + len - 2;
+ else
+ cp = tty;
+ sprintf(utmp_id, "kr%s", cp);
+ strncpy(utx.ut_id, utmp_id, sizeof(utx.ut_id));
+
+#ifdef HAVE_SETUTXENT
+ return ptyint_update_wtmpx(&utx);
+#else
+ return ptyint_update_wtmp(&utx);
#endif
- strncpy(ut.ut_line, tty, sizeof(ut.ut_line));
- ut.ut_time = time(0);
-
-#ifndef NO_UT_PID
- ut.ut_pid = getpid();
- strncpy(ut.ut_user, user, sizeof(ut.ut_user));
+#endif /* !HAVE_LOGWTMP */
+}
- tmpx = tty + strlen(tty) - 2;
- sprintf(utmp_id, "kr%s", tmpx);
- strncpy(ut.ut_id, utmp_id, sizeof(ut.ut_id));
- ut.ut_pid = (loggingin ? getpid() : 0);
- ut.ut_type = (loggingin ? USER_PROCESS : DEAD_PROCESS);
+#else /* !(defined(HAVE_SETUTXENT) || defined(HAVE_SETUTENT)) */
+
+long
+pty_logwtmp(const char *tty, const char *user, const char *host)
+{
+ struct utmp ut;
+
+#ifdef HAVE_LOGWTMP
+ logwtmp(tty,user,host);
+ return 0;
#else
- strncpy(ut.ut_name, user, sizeof(ut.ut_name));
+
+ memset(&ut, 0, sizeof(ut));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+ strncpy(ut.ut_host, host, sizeof(ut.ut_host));
+ ut.ut_host[sizeof(ut.ut_host) - 1] = '\0';
#endif
+ strncpy(ut.ut_line, tty, sizeof(ut.ut_line));
+ strncpy(ut.ut_name, user, sizeof(ut.ut_name));
+ return ptyint_update_wtmp(&ut);
- return ptyint_update_wtmp(&ut, host, user);
-#endif /*HAVE_LOGWTMP*/
+#endif /* !HAVE_LOGWTMP */
}
+#endif /* !(defined(HAVE_SETUTXENT) || defined(HAVE_SETUTENT)) */
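Review bot: The fallback `pty_logwtmp` (built when neither `setutxent` nor `setutent` is available) zeroes `ut` and fills in host, line and name but never sets `ut.ut_time`, which the removed code did with `ut.ut_time = time(0);`. Unless `ptyint_update_wtmp()` stamps the record itself (its body is not in this hunk), those wtmp entries are written with a zero timestamp, which undermines the login accounting trail on such platforms; add `(void)time(&ut.ut_time);` before the `ptyint_update_wtmp(&ut)` call. Both variants also dereference `tty`, `user` and `host` without a NULL check, so a comment on the function should state that callers pass empty strings rather than NULL.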
diff --git a/src/util/pty/open_ctty.c b/src/util/pty/open_ctty.c
index d02a8c1..5e41d95 100644
--- a/src/util/pty/open_ctty.c
+++ b/src/util/pty/open_ctty.c
@@ -24,35 +24,37 @@
#include "pty-int.h"
/*
- * This routine will be called twice. It's not particularly important
- * that the setsid() or TIOCSTTY ioctls succeed (they may not the
- * second time), but rather that we have a controlling terminal at the
- * end. It is assumed that vhangup doesn't exist and confuse the
- * process's notion of controlling terminal on any system without
- * TIOCNOTTY. That is, either vhangup() leaves the controlling
- * terminal in tact, breaks the association completely, or the system
- * provides TIOCNOTTY to get things back into a reasonable state. In
- * practice, vhangup() either breaks the association completely or
- * doesn't effect controlling terminals, so this condition is met.
+ * This function will be called twice. The first time it will acquire
+ * a controlling terminal from which to vhangup() or revoke() (see
+ * comments in open_slave.c); the second time, it will be to open the
+ * actual slave device for use by the application. We no longer call
+ * ptyint_void_association(), as that will be called in
+ * pty_open_slave() to avoid spurious calls to setsid(), etc.
+ *
+ * It is assumed that systems where vhangup() exists and does break
+ * the ctty association will allow the slave to be re-acquired as the
+ * ctty. Also, if revoke() or vhangup() doesn't break the ctty
+ * association, we assume that we can successfully reopen the slave.
+ *
+ * This function doesn't check whether we actually acquired the ctty;
+ * we assume that the caller will check that, or that it doesn't
+ * matter in the particular case.
*/
long
-pty_open_ctty (slave, fd)
- const char * slave;
- int *fd;
+pty_open_ctty(const char *slave, int *fd)
{
- int retval;
-/* First, dissociate from previous terminal */
- if ( (retval = ptyint_void_association()) != 0 )
- return retval;
#ifdef ultrix
- /* The Ultrix (and other BSD tty drivers) require the process group
- * to be zero, in order to acquire the new tty as a controlling tty. */
+ /*
+ * The Ultrix (and other BSD tty drivers) require the process
+ * group to be zero, in order to acquire the new tty as a
+ * controlling tty. This may actually belong in
+ * ptyint_void_association().
+ */
(void) setpgrp(0, 0);
#endif
-
*fd = open(slave, O_RDWR);
- if (*fd < 0 )
+ if (*fd < 0)
return PTY_OPEN_SLAVE_OPENFAIL;
#ifdef ultrix
setpgrp(0, getpid());
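Review bot: `pty_open_ctty` is exported through libpty.h and no longer calls `ptyint_void_association()`, so a caller outside this diff that relied on the implicit dissociation now opens the slave without starting a new session. As the new block comment says, it also gets no error if the tty did not become its controlling terminal. The comment here explains the change well, but the contract should also sit next to the prototype, e.g. `/* Caller must already have dropped its old ctty; success does not imply the slave became the ctty. */`. The function body continues past the end of this hunk.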
diff --git a/src/util/pty/open_slave.c b/src/util/pty/open_slave.c
index aea04de..cc52228 100644
--- a/src/util/pty/open_slave.c
+++ b/src/util/pty/open_slave.c
@@ -1,7 +1,8 @@
/*
* pty_open_slave: open slave side of terminal, clearing for use.
*
- * Copyright 1995, 1996 by the Massachusetts Institute of Technology.
+ * Copyright 1995, 1996, 2001 by the Massachusetts Institute of
+ * Technology.
*
*
* Permission to use, copy, modify, and distribute this software and
@@ -24,76 +25,77 @@
#include "libpty.h"
#include "pty-int.h"
-
-long pty_open_slave ( slave, fd)
- const char *slave;
- int *fd;
+long
+pty_open_slave(const char *slave, int *fd)
{
- int vfd, testfd;
+ int tmpfd;
long retval;
-#ifdef POSIX_SIGNALS
- struct sigaction sa;
- /* Initialize "sa" structure. */
- (void) sigemptyset(&sa.sa_mask);
- sa.sa_flags = 0;
-
-#endif
+ /* Sanity check. */
+ if (slave == NULL || *slave == '\0')
+ return PTY_OPEN_SLAVE_TOOSHORT;
+
+ /* First, set up a new session and void old associations. */
+ ptyint_void_association();
- /* First, chmod and chown the slave*/
/*
- * If we have vhangup then we really need pty_open_ctty to make sure
- * Our controlling terminal is the pty we're opening. However, if we
- * are using revoke or nothing then we just need a file descriiptor
- * for the pty. Considering some OSes in this category break on
- * the second call to open_ctty (currently OSF but others may),
- * we simply use a descriptor if we can.
- */
-#ifdef VHANG_FIRST
- if (( retval = pty_open_ctty ( slave, &vfd )) != 0 )
- return retval;
- if (vfd < 0)
+ * Make a first attempt at acquiring the ctty under certain
+ * condisions. This is necessary for several reasons:
+ *
+ * Under Irix, if you open a pty slave and then close it, a
+ * subsequent open of the slave will cause the master to read EOF.
+ * To prevent this, don't close the first fd until we do the real
+ * open following vhangup().
+ *
+ * Under Tru64 v5.0, if there isn't a fd open on the slave,
+ * revoke() fails with ENOTTY, curiously enough.
+ *
+ * Anyway, sshd seems to make a practice of doing this.
+ */
+#if defined(VHANG_FIRST) || defined(REVOKE_NEEDS_OPEN)
+ retval = pty_open_ctty(slave, fd);
+ if (retval)
+ return retval;
+ if (*fd < 0)
return PTY_OPEN_SLAVE_OPENFAIL;
-
#endif
-
- if (slave == NULL || *slave == '\0')
- return PTY_OPEN_SLAVE_TOOSHORT;
- if (chmod(slave, 0))
- return PTY_OPEN_SLAVE_CHMODFAIL;
- if ( chown(slave, 0, 0 ) == -1 )
- return PTY_OPEN_SLAVE_CHOWNFAIL;
+ /* chmod and chown the slave. */
+ if (chmod(slave, 0))
+ return PTY_OPEN_SLAVE_CHMODFAIL;
+ if (chown(slave, 0, 0) == -1)
+ return PTY_OPEN_SLAVE_CHOWNFAIL;
-#ifdef VHANG_FIRST
- ptyint_vhangup();
- (void) close(vfd);
-#endif
-
- if ( (retval = ptyint_void_association()) != 0)
- return retval;
-
#ifdef HAVE_REVOKE
- if (revoke (slave) < 0 ) {
+ if (revoke(slave) < 0) {
return PTY_OPEN_SLAVE_REVOKEFAIL;
}
-#endif /*HAVE_REVOKE*/
+#else /* !HAVE_REVOKE */
+#ifdef VHANG_FIRST
+ ptyint_vhangup();
+#endif
+#endif /* !HAVE_REVOKE */
-/* Open the pty for real. */
- if (( retval = pty_open_ctty ( slave, fd)) != 0 ) {
+ /* Open the pty for real. */
+ retval = pty_open_ctty(slave, &tmpfd);
+#if defined(VHANG_FIRST) || defined(REVOKE_NEEDS_OPEN)
+ close(*fd);
+#endif
+ if (retval) {
+ *fd = -1;
return PTY_OPEN_SLAVE_OPENFAIL;
}
- retval = pty_initialize_slave (*fd);
-
+ *fd = tmpfd;
+ retval = pty_initialize_slave(*fd);
if (retval)
- return retval;
- testfd = open("/dev/tty", O_RDWR|O_NDELAY);
- if ( testfd < 0 )
- {
+ return retval;
+ /* Make sure it's really our ctty. */
+ tmpfd = open("/dev/tty", O_RDWR|O_NDELAY);
+ if (tmpfd < 0) {
close(*fd);
*fd = -1;
return PTY_OPEN_SLAVE_NOCTTY;
- }
- close(testfd);
+ }
+ close(tmpfd);
return 0;
}
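Review bot: `ptyint_void_association();` is now called with its return value discarded, whereas the removed code returned on failure. If dissociation can fail (the helper's body is not part of this hunk), the process may keep its previous controlling terminal, and the final `open("/dev/tty", O_RDWR|O_NDELAY)` check would then succeed against the old terminal rather than the new slave. Either keep the check, `retval = ptyint_void_association(); if (retval) return retval;`, or cast the call to `(void)` with a comment saying why failure is acceptable. Separately, on the `VHANG_FIRST`/`REVOKE_NEEDS_OPEN` path the early returns after a failed `chmod`, `chown` or `revoke` leave the first descriptor open in `*fd`; closing it and setting `*fd = -1` before returning would match the later error paths.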
diff --git a/src/util/pty/pty-int.h b/src/util/pty/pty-int.h
index 2c47780..0135165 100644
--- a/src/util/pty/pty-int.h
+++ b/src/util/pty/pty-int.h
@@ -82,8 +82,13 @@
#endif
#endif
-#if defined(HAVE_VHANGUP) && !defined(OPEN_CTTY_ONLY_ONCE)
-#define VHANG_first /* Breaks under Ultrix and others where you cannot get controlling terminal twice.*/
+#if defined(HAVE_VHANGUP) && !defined(OPEN_CTTY_ONLY_ONCE) \
+ && !defined(HAVE_REVOKE)
+/*
+ * Breaks under Ultrix and others where you cannot get controlling
+ * terminal twice.
+ */
+#define VHANG_FIRST
#define VHANG_LAST
#endif
@@ -91,14 +96,27 @@
#ifdef __STDC__
long ptyint_void_association(void);
long ptyint_open_ctty (char *slave, int *fd);
-long ptyint_update_wtmp (struct utmp *ut, char *host, char *user);
-
+long ptyint_getpty_ext(int *, char *, int, int);
+#ifdef HAVE_SETUTXENT
+long ptyint_update_wtmpx(struct utmpx *utx);
+#endif
+#if !(defined(WTMPX_FILE) && defined(HAVE_UPDWTMPX)) \
+ || !defined(HAVE_SETUXENT)
+long ptyint_update_wtmp(struct utmp *ut);
+#endif
void ptyint_vhangup(void);
#else /*__STDC__*/
long ptyint_void_association();
-void ptyint_vhangup();
+long ptyint_getpty_ext();
+#ifdef HAVE_SETUTXENT
+long ptyint_update_wtmpx();
+#endif
+#if !(defined(WTMPX_FILE) && defined(HAVE_UPDWTMPX)) \
+ || !defined(HAVE_SETUXENT)
long ptyint_update_wtmp();
+#endif
+void ptyint_vhangup();
#endif /* __STDC__*/
#define __PTY_INT_H__
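Review bot: The guard around the `ptyint_update_wtmp` prototype tests `HAVE_SETUXENT`, which looks like a misspelling of `HAVE_SETUTXENT`, the name used in the `#ifdef` just above it. As written, `!defined(HAVE_SETUXENT)` is always true, so the whole condition is always true and the `WTMPX_FILE`/`HAVE_UPDWTMPX` test has no effect. The same spelling appears in the non-prototype branch further down the hunk; both should read `|| !defined(HAVE_SETUTXENT)`. If the file defining `ptyint_update_wtmp` uses the correctly spelled condition, the declaration and the definition can disagree about when the function exists.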
diff --git a/src/util/pty/pty_paranoia.c b/src/util/pty/pty_paranoia.c
new file mode 100644
index 0000000..7311e08
--- /dev/null
+++ b/src/util/pty/pty_paranoia.c
@@ -0,0 +1,650 @@
+/*
+ * Copyright 2001 by the Massachusetts Institute of Technology.
+ *
+ * Permission to use, copy, modify, and distribute this software and
+ * its documentation for any purpose and without fee is hereby
+ * granted, provided that the above copyright notice appear in all
+ * copies and that both that copyright notice and this permission
+ * notice appear in supporting documentation, and that the name of
+ * M.I.T. not be used in advertising or publicity pertaining to
+ * distribution of the software without specific, written prior
+ * permission. Furthermore if you modify this software you must label
+ * your software as modified software and not distribute it in such a
+ * fashion that it might be confused with the original M.I.T. software.
+ * M.I.T. makes no representations about the suitability
+ * of this software for any purpose. It is provided "as is" without
+ * express or implied warranty.
+ */
+
+/*
+ * A rant on the nature of pseudo-terminals:
+ * -----------------------------------------
+ *
+ * Controlling terminals and job control:
+ *
+ * First, some explanation of job control and controlling terminals is
+ * necessary for background. This discussion applies to hardwired
+ * terminals as well as ptys. On most modern systems, all processes
+ * belong to a process group. A process whose process group id (pgid)
+ * is the sames as its pid is the process group leader of its process
+ * group. Process groups belong to sessions. On a modern system, a
+ * process that is not currently a process group leader may create a
+ * new session by calling setsid(), which makes it a session leader as
+ * well as a process group leader, and also removes any existing
+ * controlling terminal (ctty) association. Only a session leader may
+ * acquire a ctty. It's not clear how systems that don't have
+ * setsid() handle ctty acquisition, though probably any process group
+ * leader that doesn't have a ctty may acquire one that way.
+ *
+ * A terminal that is a ctty has an associated foreground process
+ * group, which is a member of the terminal's associated session.
+ * This process group gets read/write access to the terminal and will
+ * receive terminal-generated signals (e.g. SIGINT, SIGTSTP). Process
+ * groups belonging to the session but not in the foreground may get
+ * signals that suspend them if they try to read/write from the ctty,
+ * depending on various terminal settings.
+ *
+ * On many systems, the controlling process (the session leader
+ * associated with a ctty) exiting will cause the session to lose its
+ * ctty, even though some processes may continue to have open file
+ * descriptors on the former ctty. It is possible for a process to
+ * have no file descriptors open on its controlling tty, but to
+ * reacquire such by opening /dev/tty, as long as its session still
+ * has a ctty.
+ *
+ * On ptys in general:
+ *
+ * Ptys have a slave side and a master side. The slave side looks
+ * like a hardwired serial line to the application that opens it;
+ * usually, telnetd or rlogind, etc. opens the slave and hands it to
+ * the login program as stdin/stdout/stderr. The master side usually
+ * gets the actual network traffic written to/from it. Roughly, the
+ * master and slave are two ends of a bidirectional pair of FIFOs,
+ * though this can get complicated by other things.
+ *
+ * The master side of a pty is theoretically a single-open device.
+ * This MUST be true on systems that have BSD-style ptys, since there
+ * is usually no way to allocate an unused pty except by attempting to
+ * open all the master pty nodes in the system.
+ *
+ * Often, but not always, the last close of a slave device will cause
+ * the master to get an EOF. Closing the master device will sometimes
+ * cause the foreground process group of the slave to get a SIGHUP,
+ * but that may depend on terminal settings.
+ *
+ * BSD ptys:
+ *
+ * On a BSD-derived system, the master nodes are named like
+ * /dev/ptyp0, and the slave nodes are named like /dev/ttyp0. The
+ * last two characters are the variable ones, and a shell-glob type
+ * pattern for a slave device is usually of the form
+ * /dev/tty[p-z][0-9a-f], though variants are known to exist.
+ *
+ * System V cloning ptys:
+ *
+ * There is a cloning master device (usually /dev/ptmx, but the name
+ * can vary) that gets opened. Each open of the cloning master
+ * results in an open file descriptor of a unique master device. The
+ * application calls ptsname() to find the pathname to the slave node.
+ *
+ * In theory, the slave side of the pty is locked out until the
+ * process opening the master calls grantpt() to adjust permissions
+ * and unlockpt() to unlock the slave. It turns out that Unix98
+ * doesn't require that the slave actually get locked out, or that
+ * unlockpt() actually do anything on such systems. At least AIX
+ * allows the slave to be opened prior to calling unlockpt(), but most
+ * other SysV-ish systems seem to actually lock out the slave.
+ *
+ * Pty security:
+ *
+ * It's not guaranteed on a BSD-ish system that a slave can't be
+ * opened when the master isn't open. It's even possible to acquire
+ * the slave as a ctty (!) if the open is done as non-blocking. It's
+ * possible to open the master corresponding to an open slave, which
+ * creates some security issues: once this master is open, data
+ * written to the slave will actually pass to the master.
+ *
+ * On a SysV-ish system, the close of the master will invalidate any
+ * open file descriptors on the slave.
+ *
+ * In general, there are two functions that can be used to "clean" a
+ * pty slave, revoke() and vhangup(). revoke() will invalidate all
+ * file descriptors open on a particular pathname (often this only
+ * works on terminal devices), usually by invalidating the underlying
+ * vnode. vhangup() will send a SIGHUP to the foreground process
+ * group of the control terminal. On many systems, it also has
+ * revoke() semantics.
+ *
+ * If a process acquires a controlling terminal in order to perform a
+ * vhangup(), the reopen of the controlling terminal after the
+ * vhangup() call should be done prior to the close of the file
+ * descriptor used to initially acquire the controlling terminal,
+ * since that will likely prevent the process on the master side from
+ * reading a spurious EOF due to all file descriptors to the slave
+ * being closed.
+ *
+ * Known quirks of various OSes:
+ *
+ * AIX 4.3.3:
+ *
+ * If the environment variable XPG_SUS_ENV is not equal to "ON", then
+ * it's possible to open the slave prior to calling unlockpt().
+ */
+
+/*
+ * NOTE: this program will get reworked at some point to actually test
+ * passing of data between master and slave, and to do general cleanup.
+ *
+ * This is rather complex, so it bears some explanation.
+ *
+ * There are multiple child processes and a parent process. These
+ * communicate via pipes (which we assume here to be unidirectional).
+ * The pipes are:
+ *
+ * pp1 - parent -> any children
+ *
+ * p1p - any children -> parent
+ *
+ * p21 - only child2 -> child1
+ *
+ * A parent process will acquire a pty master and slave via
+ * pty_getpty(). It will then fork a process, child1. It then does a
+ * waitpid() for child1, and then writes to child2 via syncpipe pp1.
+ * It then reads from child3 via syncpipe p1p, then closes the
+ * master. It writes to child3 via syncpipe pp1 to indicate that it
+ * has closed the master. It then reads from child3 via syncpipe p1p
+ * and exits with a value appropriate to what it read from child3.
+ *
+ * child1 will acquire the slave as its ctty and fork child2; child1
+ * will exit once it reads from the syncpipe p21 from child2.
+ *
+ * child2 will set a signal handler for SIGHUP and then write to
+ * child1 via syncpipe p21 to indicate that child2 has set up the
+ * handler. It will then read from the syncpipe pp1 from the parent
+ * to confirm that the parent has seen child1 exit, and then checks to
+ * see if it still has a ctty. Under Unix98, and likely earlier
+ * System V derivatives, the exiting of the session leader associated
+ * with a ctty (in this case, child1) will cause the entire session to
+ * lose its ctty.
+ *
+ * child2 will then check to see if it can reopen the slave, and
+ * whether it has a ctty after reopening it. This should fail on most
+ * systems.
+ *
+ * child2 will then fork child3 and immediately exit.
+ *
+ * child3 will write to the syncpipe p1p and read from the syncpipe
+ * pp1. It will then check if it has a ctty and then attempt to
+ * reopen the slave. This should fail. It will then write to the
+ * parent via syncpipe p1p and exit.
+ *
+ * If this doesn't fail, child3 will attempt to write to the open
+ * slave fd. This should fail unless a prior call to revoke(),
+ * etc. failed due to lack of permissions, e.g. NetBSD when running as
+ * non-root.
+ */
+
+#include <com_err.h>
+#include "libpty.h"
+#include "pty-int.h"
+#include <sys/wait.h>
+#include <stdlib.h>
+
+char *prog;
+int masterfd, slavefd;
+char slave[64], slave2[64];
+pid_t pid1, pid2, pid3;
+int status1, status2;
+int pp1[2], p1p[2], p21[2];
+
+void handler(int);
+void rdsync(int, int *, const char *);
+void wrsync(int, int, const char *);
+void testctty(const char *);
+void testex(int, const char *);
+void testwr(int, const char *);
+void child1(void);
+void child2(void);
+void child3(void);
+
+void
+handler(int sig)
+{
+ printf("pid %ld got signal %d\n", (long)getpid(), sig);
+ fflush(stdout);
+ return;
+}
+
+void
+rdsync(int fd, int *status, const char *caller)
+{
+ int n;
+ char c;
+
+#if 0
+ printf("rdsync: %s: starting\n", caller);
+ fflush(stdout);
+#endif
+ while ((n = read(fd, &c, 1)) < 0) {
+ if (errno != EINTR) {
+ fprintf(stderr, "rdsync: %s", caller);
+ perror("");
+ exit(1);
+ } else {
+ printf("rdsync: %s: got EINTR; looping\n", caller);
+ fflush(stdout);
+ }
+ }
+ if (!n) {
+ fprintf(stderr, "rdsync: %s: unexpected EOF\n", caller);
+ exit(1);
+ }
+ printf("rdsync: %s: got sync byte\n", caller);
+ fflush(stdout);
+ if (status != NULL)
+ *status = c;
+}
+
+void
+wrsync(int fd, int status, const char *caller)
+{
+ int n;
+ char c;
+
+ c = status;
+ while ((n = write(fd, &c, 1)) < 0) {
+ if (errno != EINTR) {
+ fprintf(stderr, "wrsync: %s", caller);
+ perror("");
+ exit(1);
+ } else {
+ printf("wrsync: %s: got EINTR; looping\n", caller);
+ fflush(stdout);
+ }
+ }
+#if 0
+ printf("wrsync: %s: sent sync byte\n", caller);
+#endif
+ fflush(stdout);
+}
+
+void
+testctty(const char *caller)
+{
+ int fd;
+
+ fd = open("/dev/tty", O_RDWR|O_NONBLOCK);
+ if (fd < 0) {
+ printf("%s: no ctty\n", caller);
+ } else {
+ printf("%s: have ctty\n", caller);
+ }
+}
+
+void
+testex(int fd, const char *caller)
+{
+ fd_set rfds, xfds;
+ struct timeval timeout;
+ int n;
+ char c;
+
+ timeout.tv_sec = 0;
+ timeout.tv_usec = 0;
+ FD_ZERO(&rfds);
+ FD_ZERO(&xfds);
+ FD_SET(fd, &rfds);
+ FD_SET(fd, &xfds);
+
+ n = select(fd + 1, &rfds, NULL, &xfds, &timeout);
+ if (n < 0) {
+ fprintf(stderr, "testex: %s: ", caller);
+ perror("select");
+ }
+ if (n) {
+ if (FD_ISSET(fd, &rfds) || FD_ISSET(fd, &xfds)) {
+ n = read(fd, &c, 1);
+ if (!n) {
+ printf("testex: %s: got EOF\n", caller);
+ fflush(stdout);
+ return;
+ } else if (n == -1) {
+ printf("testex: %s: got errno=%ld (%s)\n",
+ caller, (long)errno, strerror(errno));
+ } else {
+ printf("testex: %s: read 1 byte!?\n", caller);
+ }
+ }
+ } else {
+ printf("testex: %s: no exceptions or readable fds\n", caller);
+ }
+}
+
+void
+testwr(int fd, const char *caller)
+{
+ fd_set wfds;
+ struct timeval timeout;
+ int n;
+
+ timeout.tv_sec = 0;
+ timeout.tv_usec = 0;
+ FD_ZERO(&wfds);
+ FD_SET(fd, &wfds);
+
+ n = select(fd + 1, NULL, &wfds, NULL, &timeout);
+ if (n < 0) {
+ fprintf(stderr, "testwr: %s: ", caller);
+ perror("select");
+ }
+ if (n) {
+ if (FD_ISSET(fd, &wfds)) {
+ printf("testwr: %s: is writable\n", caller);
+ fflush(stdout);
+ }
+ }
+}
+
+
+void
+child3(void)
+{
+ int n;
+
+ ptyint_void_association();
+ slavefd = open(slave, O_RDWR|O_NONBLOCK);
+ if (slavefd < 0) {
+ wrsync(p1p[1], 1, "[02] child3->parent");
+ printf("child3: failed reopen of slave\n");
+ fflush(stdout);
+ exit(1);
+ }
+#ifdef TIOCSCTTY
+ ioctl(slavefd, TIOCSCTTY, 0);
+#endif
+
+ printf("child3: reopened slave\n");
+ testctty("child3: after reopen of slave");
+ testwr(slavefd, "child3: after reopen of slave");
+ testex(slavefd, "child3: after reopen of slave");
+ close(slavefd);
+ testctty("child3: after close of slave");
+
+ /*
+ * Sync for parent to close master.
+ */
+ wrsync(p1p[1], 0, "[02] child3->parent");
+ rdsync(pp1[0], NULL, "[03] parent->child3");
+
+ testctty("child3: after close of master");
+ printf("child3: attempting reopen of slave\n");
+ fflush(stdout);
+ slavefd = open(slave, O_RDWR|O_NONBLOCK);
+ if (slavefd < 0) {
+ printf("child3: failed reopen of slave after master close: "
+ "errno=%ld (%s)\n", (long)errno, strerror(errno));
+ wrsync(p1p[1], 0, "[04] child3->parent");
+ fflush(stdout);
+ exit(0);
+ }
+ if (fcntl(slavefd, F_SETFL, 0) == -1) {
+ perror("child3: fcntl");
+ wrsync(p1p[1], 2, "[04] child3->parent");
+ exit(1);
+ }
+#ifdef TIOCSCTTY
+ ioctl(slavefd, TIOCSCTTY, 0);
+#endif
+ printf("child3: reopened slave after master close\n");
+ testctty("child3: after reopen of slave after master close");
+ testwr(slavefd, "child3: after reopen of slave after master close");
+ testex(slavefd, "child3: after reopen of slave after master close");
+ n = write(slavefd, "foo", 4);
+ if (n < 0) {
+ printf("child3: writing to slave of closed master: errno=%ld (%s)\n",
+ (long)errno, strerror(errno));
+ wrsync(p1p[1], 1, "[04] child3->parent");
+ } else {
+ printf("child3: wrote %d byes to slave of closed master\n", n);
+ fflush(stdout);
+ wrsync(p1p[1], 2, "[04] child3->parent");
+ }
+ rdsync(pp1[0], NULL, "[05] parent->child3");
+ testex(slavefd, "child3: after parent reopen of master");
+ testwr(slavefd, "child3: after parent reopen of master");
+ fflush(stdout);
+ n = write(slavefd, "bar", 4);
+ if (n < 0) {
+ perror("child3: writing to slave");
+ } else {
+ printf("child3: wrote %d bytes to slave\n", n);
+ fflush(stdout);
+ }
+ wrsync(p1p[1], 0, "[06] child3->parent");
+ rdsync(pp1[0], NULL, "[07] parent->child3");
+ wrsync(p1p[1], 0, "[08] child3->parent");
+ exit(0);
+}
+
+void
+child2(void)
+{
+ struct sigaction sa;
+
+ close(p21[0]);
+ setpgid(0, 0);
+ sa.sa_flags = 0;
+ sigemptyset(&sa.sa_mask);
+ sa.sa_handler = handler;
+ if (sigaction(SIGHUP, &sa, NULL) < 0) {
+ wrsync(p21[1], 1, "[00] child2->child1");
+ perror("child2: sigaction");
+ fflush(stdout);
+ exit(1);
+ }
+ printf("child2: set up signal handler\n");
+ testctty("child2: after start");
+ testwr(slavefd, "child2: after start");
+ wrsync(p21[1], 0, "[00] child2->child1");
+ rdsync(pp1[0], NULL, "[01] parent->child2");
+
+ testctty("child2: after child1 exit");
+ testex(slavefd, "child2: after child1 exit");
+ testwr(slavefd, "child2: after child1 exit");
+ close(slavefd);
+ testctty("child2: after close of slavefd");
+ slavefd = open(slave, O_RDWR|O_NONBLOCK);
+ if (slavefd < 0) {
+ wrsync(p1p[1], 1, "[02] child2->parent");
+ printf("child2: failed reopen of slave\n");
+ fflush(stdout);
+ exit(1);
+ }
+#ifdef TIOCSCTTY
+ ioctl(slavefd, TIOCSCTTY, 0);
+#endif
+ printf("child2: reopened slave\n");
+ testctty("child2: after reopen of slave");
+ fflush(stdout);
+ close(slavefd);
+ pid3 = fork();
+ if (!pid3) {
+ child3();
+ } else if (pid3 == -1) {
+ wrsync(p1p[1], 1, "[02] child2->parent");
+ perror("child2: fork of child3");
+ exit(1);
+ }
+ printf("child2: forked child3=%ld\n", (long)pid3);
+ fflush(stdout);
+ exit(0);
+}
+
+void
+child1(void)
+{
+ int status;
+
+#if 0
+ setuid(1);
+#endif
+ close(pp1[1]);
+ close(p1p[0]);
+ close(masterfd);
+ ptyint_void_association();
+ slavefd = open(slave, O_RDWR|O_NONBLOCK);
+ if (slavefd < 0) {
+ perror("child1: open slave");
+ exit(1);
+ }
+#ifdef TIOCSCTTY
+ ioctl(slavefd, TIOCSCTTY, 0);
+#endif
+
+ printf("child1: opened slave\n");
+ testctty("child1: after slave open");
+
+ if (pipe(p21) < 0) {
+ perror("pipe child2->child1");
+ exit(1);
+ }
+ pid2 = fork();
+ if (!pid2) {
+ child2();
+ } else if (pid2 == -1) {
+ perror("child1: fork child2");
+ exit(1);
+ }
+ close(p21[1]);
+ printf("child1: forked child2=%ld\n", (long)pid2);
+ fflush(stdout);
+ rdsync(p21[0], &status, "[00] child2->child1");
+ exit(status);
+}
+
+int
+main(int argc, char *argv[])
+{
+ long retval;
+ int status;
+ char buf[4];
+ int n;
+
+ prog = argv[0];
+
+ printf("parent: pid=%ld\n", (long)getpid());
+
+ retval = ptyint_getpty_ext(&masterfd, slave, sizeof(slave), 0);
+
+ if (retval) {
+ com_err(prog, retval, "open master");
+ exit(1);
+ }
+#if 0
+ chown(slave, 1, -1);
+#endif
+ printf("parent: master opened; slave=%s\n", slave);
+ fflush(stdout);
+
+#if defined(HAVE_GRANTPT) && defined(HAVE_STREAMS)
+#ifdef O_NOCTTY
+ printf("parent: attempting to open slave before unlockpt\n");
+ fflush(stdout);
+ slavefd = open(slave, O_RDWR|O_NONBLOCK|O_NOCTTY);
+ if (slavefd < 0) {
+ printf("parent: failed slave open before unlockpt errno=%ld (%s)\n",
+ (long)errno, strerror(errno));
+ } else {
+ printf("parent: WARNING: "
+ "succeeded in opening slave before unlockpt\n");
+ }
+ close(slavefd);
+#endif
+ if (grantpt(masterfd) < 0) {
+ perror("parent: grantpt");
+ exit(1);
+ }
+ if (unlockpt(masterfd) < 0) {
+ perror("parent: unlockpt");
+ exit(1);
+ }
+#endif /* HAVE_GRANTPT && HAVE_STREAMS */
+
+ if (pipe(pp1) < 0) {
+ perror("pipe parent->child1");
+ exit(1);
+ }
+ if (pipe(p1p) < 0) {
+ perror("pipe child1->parent");
+ exit(1);
+ }
+
+ pid1 = fork();
+ if (!pid1) {
+ child1();
+ } else if (pid1 == -1) {
+ perror("fork of child1");
+ exit(1);
+ }
+ printf("parent: forked child1=%ld\n", (long)pid1);
+ fflush(stdout);
+ if (waitpid(pid1, &status1, 0) < 0) {
+ perror("waitpid for child1");
+ exit(1);
+ }
+ printf("parent: child1 exited, status=%d\n", status1);
+ if (status1)
+ exit(status1);
+
+ wrsync(pp1[1], 0, "[01] parent->child2");
+ rdsync(p1p[0], &status, "[02] child3->parent");
+ if (status) {
+ fprintf(stderr, "child2 or child3 got an error\n");
+ exit(1);
+ }
+
+ printf("parent: closing master\n");
+ fflush(stdout);
+ close(masterfd);
+ chmod(slave, 0666);
+ printf("parent: closed master\n");
+ wrsync(pp1[1], 0, "[03] parent->child3");
+
+ rdsync(p1p[0], &status, "[04] child3->parent");
+ switch (status) {
+ case 1:
+ break;
+ case 0:
+ exit(0);
+ default:
+ fprintf(stderr, "child3 got an error\n");
+ fflush(stdout);
+ exit(1);
+ }
+
+ retval = pty_getpty(&masterfd, slave2, sizeof(slave2));
+ printf("parent: new master opened; slave=%s\n", slave2);
+#if 0
+#ifdef HAVE_REVOKE
+ printf("parent: revoking\n");
+ revoke(slave2);
+#endif
+#endif
+ fflush(stdout);
+ wrsync(pp1[1], 0, "[05] parent->child3");
+ rdsync(p1p[0], NULL, "[06] child3->parent");
+
+ n = read(masterfd, buf, 4);
+ if (n < 0) {
+ perror("parent: reading from master");
+ } else {
+ printf("parent: read %d bytes (%.*s) from master\n", n, n, buf);
+ fflush(stdout);
+ }
+ chmod(slave2, 0666);
+ close(masterfd);
+ wrsync(pp1[1], 0, "[07] parent->child3");
+ rdsync(p1p[0], NULL, "[08] child3->parent");
+ fflush(stdout);
+ exit(0);
+}
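Review bot: `main` hands the raw `waitpid` status to `exit` in `if (status1) exit(status1);`, and on the usual status encoding a normal child exit code sits above the low byte, so a child1 that exits with 1 can make the parent exit with 0 and a failed run of this pty check reports success. Decode the status instead: `if (!WIFEXITED(status1) || WEXITSTATUS(status1)) exit(1);`. Later in `main`, the result of `retval = pty_getpty(&masterfd, slave2, sizeof(slave2));` is never tested before `slave2` is printed and `masterfd` is read; add `if (retval) { com_err(prog, retval, "reopen master"); exit(1); }`. Two smaller points: `handler` calls `printf` and `fflush` from the SIGHUP handler, which are not async-signal-safe, and `testctty` never closes the `/dev/tty` descriptor it opens.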
diff --git a/src/util/pty/sane_hostname.c b/src/util/pty/sane_hostname.c
index 43814df..8881fde 100644
--- a/src/util/pty/sane_hostname.c
+++ b/src/util/pty/sane_hostname.c
@@ -42,7 +42,7 @@ pty_make_sane_hostname(struct sockaddr_in *addr,
char **out)
{
struct hostent *hp;
-#ifndef NO_UT_HOST
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
struct utmp ut;
#else
struct utmpx utx;
@@ -55,7 +55,7 @@ pty_make_sane_hostname(struct sockaddr_in *addr,
if (maxlen && maxlen < 16)
/* assume they meant 16, otherwise IP addr won't fit */
maxlen = 16;
-#ifndef NO_UT_HOST
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
ut_host_len = sizeof (ut.ut_host);
#else
ut_host_len = sizeof (utx.ut_host);
diff --git a/src/util/pty/update_utmp.c b/src/util/pty/update_utmp.c
index 0c089d6..72c41be 100644
--- a/src/util/pty/update_utmp.c
+++ b/src/util/pty/update_utmp.c
@@ -1,8 +1,7 @@
/*
* pty_update_utmp: Update or create a utmp entry
*
- * Copyright 1995 by the Massachusetts Institute of Technology.
- *
+ * Copyright 1995, 2001 by the Massachusetts Institute of Technology.
*
* Permission to use, copy, modify, and distribute this software and
* its documentation for any purpose and without fee is hereby
@@ -17,7 +16,296 @@
* M.I.T. makes no representations about the suitability
* of this software for any purpose. It is provided "as is" without
* express or implied warranty.
- *
+ */
+
+/*
+ * Rant about the historical vagaries of utmp:
+ * -------------------------------------------
+ *
+ * There exist many subtly incompatible incarnations of utmp, ranging
+ * from BSD to System V to Unix98 and everywhere in between. This
+ * rant attempts to collect in one place as much knowledge as possible
+ * about this portability nightmare.
+ *
+ * BSD:
+ * ----
+ *
+ * The simplest (and earliest? possibly dating back to Version 7...)
+ * case is 4.x BSD utmp/wtmp. There are no auxiliary files. There is
+ * only a struct utmp, declared in utmp.h. Its contents usually
+ * include:
+ *
+ * char ut_line[]
+ * char ut_name[]
+ * char ut_host[]
+ * long ut_time
+ *
+ * The meanings of these fields follow their names reasonbly well.
+ * The ut_line field usually is the pathname of the tty device
+ * associated with the login, with the leading "/dev/" stripped off.
+ *
+ * It is believed that ut_host is nul-terminated, while the other
+ * strings are merely nul-padded.
+ *
+ * Generally, ut_name is an empty string for a logout record in both
+ * utmp and wtmp. For entries made by the window system or other
+ * terminal emulation stuff, ut_host is an empty string (at least
+ * under SunOS 4.x, it seems). The macro nonuser() is used to
+ * determine this if a utmp entry is made by the window system on at
+ * least SunOS 4.x.
+ *
+ * The native login never clears its own utmp entry or writes its own
+ * logout record; its parent (one of init, rlogind, telnetd, etc.)
+ * should handle that. In theory, getty could do that, but getty
+ * usually doesn't fork to exec login.
+ *
+ * Old (c. 1984) System V:
+ * -----------------------
+ *
+ * This is partially conjecture, based on some reading of
+ * /usr/xpg2include/utmp.h on a SunOS 4.x system. There appears to
+ * only be a struct utmp, declared in utmp.h. It is likely used for
+ * both utmp and wtmp files. It is quite likely that the utmp is only
+ * supposed to be accessed via the getutline()/pututline() API. The
+ * contents of struct utmp seem to include:
+ *
+ * char ut_user[]
+ * char ut_id[]
+ * char ut_line[]
+ * short ut_pid
+ * short ut_type
+ * struct exit_status ut_exit
+ * time_t ut_time
+ *
+ * On these systems, ut_name is often #define'ed to be ut_user to be
+ * somewhat compatible with the BSD-style utmp. Note that there is
+ * not necessarily a ut_host field in this utmp structure.
+ *
+ * The ut_id field bears some explanation. The systems that use this
+ * style of utmp also use a sysV-ish init, which starts processes out
+ * of /etc/inittab rather than /etc/ttys, and has the concept of
+ * runlevels. The first field in each line of /etc/inittab contains a
+ * unique ID field. init probably gets really confused if there are
+ * conflicts here. Every process that init starts gets its own entry
+ * written to utmp.
+ *
+ * It is possible for multiple entries to have the same ut_line but
+ * different ut_id values, since the sysadmin will be responsible for
+ * assigning values to ut_id. Usually, ut_id is four characters,
+ * while the permissible unique ID values for entries in /etc/inittab
+ * are constrained to two characters, but this is not always the
+ * case. In the case where we are emulating the vendor's login
+ * program and being run out of getty, we need to account for which
+ * value of ut_id was used by the getty, since pututline() will search
+ * based on ut_id and not ut_line for some reason.
+ *
+ * The ut_pid and ut_type fields are used for bookkeeping by init.
+ * The ut_type field gets the value INIT_PROCESS for processes started
+ * by init. It gets the value LOGIN_PROCESS if it is a process that
+ * is prompting for a login name, and it gets the value USER_PROCESS
+ * for an actual valid login. When the process dies, either init
+ * cleans up after it and records a DEAD_PROCESS entry in utmp, or the
+ * process itself does so. It's not completely clear which actually
+ * happens, though it is quite possible that init only cleans up after
+ * processes that it starts itself.
+ *
+ * Other values of ut_type exist; they're largely internal bookkeeping
+ * for init's runlevels and such, and don't really interest this
+ * library at all.
+ *
+ * The ut_exit field contains the following members:
+ *
+ * short e_termination
+ * short e_exit
+ *
+ * It is not clear how these values are used; presumably they record
+ * the process termination status of dead processes.
+ *
+ * There is no uniform API for manipulating wtmp on systems that use
+ * this sort of utmp structure; it can be assumed that the structure
+ * can be directly written to the wtmp file.
+ *
+ * Unix98:
+ * -------
+ *
+ * This description also likely applies to later System V derivatives
+ * as well as systems conforming to earlier X/Open standards such as
+ * XPG4. There is a new header, utmpx.h, which defines a struct utmpx
+ * and a new getutxline()/pututxline() API for accessing it. Some
+ * systems actually have a utmpx file on disk; others use the utmpx
+ * API to access a file named utmp, just to further confuse matters.
+ *
+ * The utmpx structure is guaranteed (by Unix98) to contain at least
+ * the following:
+ *
+ * char ut_user[]
+ * char ut_line[]
+ * char ut_id[]
+ * pid_t ut_pid
+ * short ut_type
+ * struct timeval ut_tv
+ *
+ * It is not guaranteed to contain, but often does contain, the
+ * following:
+ *
+ * char ut_host[]
+ * int ut_syslen
+ * int ut_session
+ * struct exit_status ut_exit
+ *
+ * The ut_syslen field, on systems that contain it, contains the
+ * number of significant characters in ut_host, including the
+ * terminating nul character.
+ *
+ * The main difference between this struct utmpx and the struct utmp
+ * used by early sysV derivatives is the change from a time_t or long
+ * for ut_time to a struct timeval for ut_tv.
+ *
+ * Comments in various header files imply that ut_session is used for
+ * window systems, but it's not clear how. Perhaps it contains the
+ * session ID of the session running the window system, e.g. the xdm
+ * or X server on an X11 system.
+ *
+ * Most of the description of the earlier sysV format probably applies
+ * here, with suitable changes of names. On systems that maintain
+ * utmpx and utmp files in parallel, it is assumed that using the
+ * pututxline() API is sufficient to keep them in sync. There are no
+ * known counterexamples to this.
+ *
+ * Nevertheless, there are, on some systems, API functions getutmp()
+ * and getutmpx() that appear to convert from struct utmpx to struct
+ * utmp and vice versa. This could be useful when there is a wtmp
+ * file but not a corresponding wtmpx file.
+ *
+ * Incidentally, ut_exit is sometimes present in the struct utmp but
+ * not the struct utmpx for a given system. Sometimes, it exists in
+ * both, but contains differently named members. It's probably one of
+ * the least portable pieces in this whole mess.
+ *
+ * Known Quirks of Specific OSes:
+ * ------------------------------
+ *
+ * Solaris 2.x:
+ *
+ * Has utmpd, which will automatically clean up utmpx, utmp, wtmpx,
+ * wtmp after process termination, provided that pututxline() was
+ * used.
+ *
+ * Solaris 8 seems to have a bug in utmpname() that causes
+ * garbage filenames to be generated. Solaris 7 (and possibly Solaris
+ * 8) have a bug in utmpxname() that prevents them from looking at
+ * anything other than /var/adm/utmpx, it seems. For some reason,
+ * though, utmpname() goes and looks at the corresponding utmpx file.
+ *
+ * Solaris 7 (and may be 8 as well) has a bug in pututline() that
+ * interacts badly with prior invocation of getutline(): if
+ * getutline() finds an entry, calling pututline() without first
+ * calling setutent() will overwrite the record following the one that
+ * was intended.
+ *
+ * Also, ut_exit in utmpx contains ut_e_termination and
+ * ut_e_exit (otherwise it contains the expected e_termination and
+ * e_exit) only if _XPG4_2 is defined and __EXTENSIONS__ is not, which
+ * is not a compilation environment we're likely to encourage. The
+ * ut_exit field of utmp contains the expected fields.
+ *
+ * If _XPG4_2 is not defined or __EXTENSIONS__ is defined, the
+ * functions getutmp(), getutmpx(), updwtmp(), and updwtmpx() are
+ * available, as well as the undocumented functions makeutx() and
+ * modutx().
+ *
+ * All the files utmp, utmpx, wtmp, and wtmpx exist.
+ *
+ * HP-UX 10.x:
+ *
+ * There is a curious interaction between how we allocate pty masters
+ * and how ttyname() works. It seems that if /dev/ptmx/clone is
+ * opened, a call to ptsname() on the master fd gets a filename of the
+ * form /dev/pty/tty[pqrs][0-9a-f], while ttyname() called on a fd
+ * opened with that filename returns a filename of the form
+ * /dev/tty[pqrs][0-9a-f] instead. These two filenames are actually
+ * hardlinks to the same special device node, so it shouldn't be a
+ * security problem.
+ *
+ * We can't call ttyname() in the parent because it would involve
+ * possibly acquiring a controlling terminal (which would be
+ * potentially problematic), so we have to resort to some trickery in
+ * order to ensure that the ut_line in the wtmp logout and login
+ * records match. If they don't match, various utilities such as last
+ * will get confused. Of course it's likely an OS bug that ttyname()
+ * and ptsname() are inconsistent in this way, but it's one that isn't
+ * too painful to work around.
+ *
+ * It seems that the HP-UX native telnetd has problems similar to ours
+ * in this area, though it manages to write the correct logout record
+ * to wtmp somehow. It probably does basically what we do here:
+ * search for a record with a matching ut_pid and grab its ut_line for
+ * writing into the logout record. Interestingly enough, its
+ * LOGIN_PROCESS record is of the form pty/tty[pqrs][0-9][a-f].
+ *
+ * Uses four-character unique IDs for /etc/inittab, which means that
+ * programs not running out of init should use two-character ut_id
+ * fields to avoid conflict.
+ *
+ * In utmpx, ut_exit contains __e_termination and __e_exit, while
+ * ut_exit in utmp contains the expected fields.
+ *
+ * There is no wtmpx file, despite there being utmp and utmpx files.
+ *
+ * Irix 6.x:
+ *
+ * In utmpx, ut_exit contains __e_termination and __e_exit, which get
+ * #define aliases e_termination and e_exit if _NO_XOPEN4 is true.
+ * Curiously enough, utmp.h declares ut_exit to have __e_termination
+ * and __e_exit as well, but does #define e_termination
+ * __e_termination, etc. if another header (utmpx.h) hasn't already
+ * declared struct __exit_status. It seems that the default
+ * compilation environment has the effect of making _NO_XOPEN4 true
+ * though.
+ *
+ * If _NO_XOPEN4 is true, getutmp(), getutmpx(), updwtmp(), and
+ * updwtmpx() are available, as well as the undocumented functions
+ * makeutx() and modutx().
+ *
+ * All the files utmp, utmpx, wtmp, and wtmpx exist.
+ *
+ * Tru64 Unix 4.x:
+ *
+ * In utmpx, ut_exit contains ut_termination and ut_exit, while utmp
+ * contains the expected fields. The files utmp and wtmp seem to
+ * exist, but not utmpx or wtmpx.
+ *
+ * When writing a logout entry, the presence of a non-empty username
+ * confuses last.
+ *
+ * AIX 4.3.x:
+ *
+ * The ut_exit field seems to exist in utmp, but not utmpx. The files
+ * utmp and wtmp seem to exist, but not utmpx, or wtmpx.
+ *
+ * libpty Implementation Decisions:
+ * --------------------------------
+ *
+ * We choose to use the pututxline() whenever possible, falling back
+ * to pututline() and calling write() to write out struct utmp if
+ * necessary. The code to handle pututxline() and pututline() is
+ * rather similar, since the structure members are quite similar, and
+ * we make the assumption that it will never be necessary to call
+ * both. This allows us to avoid duplicating lots of code, by means
+ * of some slightly demented macros.
+ *
+ * If neither pututxline() nor pututline() are available, we assume
+ * BSD-style utmp files and behave accordingly, writing the structure
+ * out to disk ourselves.
+ *
+ * On systems where updwtmpx() or updwtmp() are available, we use
+ * those to update the wtmpx or wtmp file. When they're not
+ * available, we write the utmpx or utmp structure out to disk
+ * ourselves, though sometimes conversion from utmpx to utmp format is
+ * needed.
+ *
+ * We assume that at logout the system is ok with with having an empty
+ * username both in utmp and wtmp.
*/
#include <com_err.h>
@@ -32,178 +320,387 @@
#ifndef UTMP_FILE
#define UTMP_FILE "/etc/utmp"
#endif
-#ifndef NO_UT_PID
-#define WTMP_REQUIRES_USERNAME
-#endif
-long pty_update_utmp (process_type, pid, username, line, host, flags)
- int process_type;
- int pid;
- char *username, *line, *host;
- int flags;
-{
- struct utmp ent, ut;
-#ifndef HAVE_SETUTENT
- struct stat statb;
- int tty;
-#endif
+
+/*
+ * The following grossness exists to avoid duplicating lots of code
+ * between the cases where we have an old-style sysV utmp and where we
+ * have a modern (Unix98 or XPG4) utmpx. See the above history rant
+ * for further explanation.
+ */
+#if defined(HAVE_SETUTXENT) || defined(HAVE_SETUTENT)
#ifdef HAVE_SETUTXENT
- struct utmpx utx;
-#endif
-#ifndef NO_UT_PID
- char *tmpx;
- char utmp_id[5];
+#define PTY_STRUCT_UTMPX struct utmpx
+#define PTY_SETUTXENT setutxent
+#define PTY_GETUTXENT getutxent
+#define PTY_GETUTXLINE getutxline
+#define PTY_PUTUTXLINE pututxline
+#define PTY_ENDUTXENT endutxent
+#else
+#define PTY_STRUCT_UTMPX struct utmp
+#define PTY_SETUTXENT setutent
+#define PTY_GETUTXENT getutent
+#define PTY_GETUTXLINE getutline
+#define PTY_PUTUTXLINE pututline
+#define PTY_ENDUTXENT endutent
#endif
- char userbuf[32];
- int fd;
- strncpy(ent.ut_line, line+sizeof("/dev/")-1, sizeof(ent.ut_line));
- ent.ut_time = time(0);
-#ifdef NO_UT_PID
- if (process_type == PTY_LOGIN_PROCESS)
+static int better(const PTY_STRUCT_UTMPX *, const PTY_STRUCT_UTMPX *,
+ const PTY_STRUCT_UTMPX *);
+static int match_pid(const PTY_STRUCT_UTMPX *,
+ const PTY_STRUCT_UTMPX *);
+static PTY_STRUCT_UTMPX *best_utxent(const PTY_STRUCT_UTMPX *);
+
+/*
+ * Utility function to determine whether A is a better match for
+ * SEARCH than B. Should only be called by best_utxent().
+ */
+static int
+better(const PTY_STRUCT_UTMPX *search,
+ const PTY_STRUCT_UTMPX *a, const PTY_STRUCT_UTMPX *b)
+{
+ if (strncmp(search->ut_id, b->ut_id, sizeof(b->ut_id))) {
+ if (!strncmp(search->ut_id, a->ut_id, sizeof(a->ut_id))) {
+ return 1;
+ }
+ }
+
+ if (strncmp(a->ut_id, b->ut_id, sizeof(b->ut_id))) {
+ /* Got different UT_IDs; find the right one. */
+ if (!strncmp(search->ut_id, b->ut_id, sizeof(b->ut_id))) {
+ /* Old entry already matches; use it. */
+ return 0;
+ }
+ if (a->ut_type == LOGIN_PROCESS
+ && b->ut_type != LOGIN_PROCESS) {
+ /* Prefer LOGIN_PROCESS */
+ return 1;
+ }
+ if (search->ut_type == DEAD_PROCESS
+ && a->ut_type == USER_PROCESS
+ && b->ut_type != USER_PROCESS) {
+ /*
+ * Try USER_PROCESS if we're entering a DEAD_PROCESS.
+ */
+ return 1;
+ }
+ return 0;
+ } else {
+ /*
+ * Bad juju. We shouldn't get two entries with identical
+ * ut_id fields for the same value of ut_line. pututxline()
+ * will probably pick the first entry, in spite of the strange
+ * state of utmpx, if we rewind with setutxent() first.
+ *
+ * For now, return 0, to force the earlier entry to be used.
+ */
+ return 0;
+ }
+}
+
+static int
+match_pid(const PTY_STRUCT_UTMPX *search, const PTY_STRUCT_UTMPX *u)
+{
+ if (u->ut_type != LOGIN_PROCESS && u->ut_type != USER_PROCESS)
return 0;
-#else /* NO_UT_PID */
- ent.ut_pid = pid;
+ if (u->ut_pid == search->ut_pid) {
+ /*
+ * One of ut_line or ut_id should match, else some nastiness
+ * may result. We can fall back to searching by ut_line if
+ * need be. This should only really break if we're login.krb5
+ * running out of getty, or we're cleaning up after the vendor
+ * login, and either the vendor login or the getty has
+ * different ideas than we do of what both ut_id and ut_line
+ * should be. It should be rare, though. We may want to
+ * remove this restriction later.
+ */
+ if (!strncmp(u->ut_line, search->ut_line, sizeof(u->ut_line)))
+ return 1;
+ if (!strncmp(u->ut_id, search->ut_id, sizeof(u->ut_id)))
+ return 1;
+ }
+ return 0;
+}
+
+/*
+ * This expects to be called with SEARCH pointing to a struct utmpx
+ * with its ut_type equal to USER_PROCESS or DEAD_PROCESS, since if
+ * we're making a LOGIN_PROCESS entry, we presumably don't care about
+ * preserving existing state. At the very least, the ut_pid, ut_line,
+ * ut_id, and ut_type fields must be filled in by the caller.
+ */
+static PTY_STRUCT_UTMPX *
+best_utxent(const PTY_STRUCT_UTMPX *search)
+{
+ PTY_STRUCT_UTMPX utxtmp, *utxp;
+ int i, best;
+
+ memset(&utxtmp, 0, sizeof(utxtmp));
+
+ /*
+ * First, search based on pid, but only if non-zero.
+ */
+ if (search->ut_pid) {
+ i = 0;
+ PTY_SETUTXENT();
+ while ((utxp = PTY_GETUTXENT()) != NULL) {
+ if (match_pid(search, utxp)) {
+ return utxp;
+ }
+ i++;
+ }
+ }
+ /*
+ * Uh-oh, someone didn't enter our pid. Try valiantly to search
+ * by terminal line.
+ */
+ i = 0;
+ best = -1;
+ PTY_SETUTXENT();
+ while ((utxp = PTY_GETUTXLINE(search)) != NULL) {
+ if (better(search, utxp, &utxtmp)) {
+ utxtmp = *utxp;
+ best = i;
+ }
+ memset(utxp, 0, sizeof(*utxp));
+ i++;
+ }
+ if (best == -1)
+ return NULL;
+ PTY_SETUTXENT();
+ for (i = 0; i <= best; i++) {
+ if (utxp != NULL)
+ memset(utxp, 0, sizeof(*utxp));
+ utxp = PTY_GETUTXLINE(search);
+ }
+ return utxp;
+}
+
+/*
+ * All calls to this function for a given login session must have the
+ * pids be equal; various things will break if this is not the case,
+ * since we do some searching based on the pid. Note that if a parent
+ * process calls this via pty_cleanup(), it should still pass the
+ * child's pid rather than its own.
+ */
+long
+pty_update_utmp(int process_type, int pid, const char *username,
+ const char *line, const char *host, int flags)
+{
+ PTY_STRUCT_UTMPX utx, *utxtmp, utx2;
+ const char *cp;
+ size_t len;
+ char utmp_id[5];
+
+ /*
+ * Zero things out in case there are fields we don't handle here.
+ * They tend to be non-portable anyway.
+ */
+ memset(&utx, 0, sizeof(utx));
+ utxtmp = NULL;
+ cp = line;
+ if (strncmp(cp, "/dev/", sizeof("/dev/") - 1) == 0)
+ cp += sizeof("/dev/") - 1;
+ strncpy(utx.ut_line, cp, sizeof(utx.ut_line));
+ utx.ut_pid = pid;
switch (process_type) {
case PTY_LOGIN_PROCESS:
- ent.ut_type = LOGIN_PROCESS;
+ utx.ut_type = LOGIN_PROCESS;
break;
case PTY_USER_PROCESS:
- ent.ut_type = USER_PROCESS;
+ utx.ut_type = USER_PROCESS;
break;
case PTY_DEAD_PROCESS:
- ent.ut_type = DEAD_PROCESS;
+ utx.ut_type = DEAD_PROCESS;
break;
default:
return PTY_UPDATE_UTMP_PROCTYPE_INVALID;
}
-#endif /*NO_UT_PID*/
-
-#ifndef NO_UT_HOST
- if (host)
- strncpy(ent.ut_host, host, sizeof(ent.ut_host));
+ len = strlen(line);
+ if (len >= 2) {
+ cp = line + len - 1;
+ if (*(cp - 1) != '/')
+ cp--; /* last two characters, unless it's a / */
+ } else
+ cp = line;
+ /*
+ * HP-UX has mostly 4-character inittab ids, while most other sysV
+ * variants use only 2-charcter inittab ids, so to avoid
+ * conflicts, we pick 2-character ut_ids for our own use. We may
+ * want to feature-test for this, but it would be somewhat of a
+ * pain, and would eit cross-compiling.
+ */
+#ifdef __hpux
+ strcpy(utmp_id, cp);
+#else
+ if (len > 2 && *(cp - 1) != '/')
+ sprintf(utmp_id, "k%s", cp - 1);
else
- ent.ut_host[0] = '\0';
+ sprintf(utmp_id, "k0%s", cp);
#endif
+ strncpy(utx.ut_id, utmp_id, sizeof(utx.ut_id));
+ /*
+ * Get existing utmpx entry for PID or LINE, if any, so we can
+ * copy some stuff from it. This is particularly important if we
+ * are login.krb5 and are running out of getty, since getty will
+ * have written the entry for the line with ut_type ==
+ * LOGIN_PROCESS, and what it has recorded in ut_id may not be
+ * what we come up with, since that's up to the whim of the
+ * sysadmin who writes the inittab entry.
+ *
+ * Note that we may be screwed if we try to write a logout record
+ * for a vendor's login program, since it may construct ut_line
+ * and ut_id differently from us; even though we search on ut_pid,
+ * we validate against ut_id or ut_line to sanity-check. We may
+ * want to rethink whether to actually include this check, since
+ * it should be highly unlikely that there will be a bogus entry
+ * in utmpx matching our pid.
+ */
+ if (process_type != PTY_LOGIN_PROCESS)
+ utxtmp = best_utxent(&utx);
-#ifndef NO_UT_PID
- if (!strcmp (line, "/dev/console")) {
-#if (defined(sun) && defined(__SVR4))
- strncpy (ent.ut_id, "co", 4);
-#else
- strncpy (ent.ut_id, "cons", 4);
-#endif
- } else {
- tmpx = line + strlen(line)-1;
- if (*(tmpx-1) != '/') tmpx--; /* last two characters, unless it's a / */
-#ifdef __hpux
- strcpy(utmp_id, tmpx);
+#ifdef HAVE_SETUTXENT
+ if (gettimeofday(&utx.ut_tv, NULL))
+ return errno;
#else
- sprintf(utmp_id, "kl%s", tmpx);
+ (void)time(&utx.ut_time);
#endif
- strncpy(ent.ut_id, utmp_id, sizeof(ent.ut_id));
- }
- strncpy(ent.ut_user, username, sizeof(ent.ut_user));
-#else
- strncpy(ent.ut_name, username, sizeof(ent.ut_name));
+ /*
+ * On what system is there not ut_host? Unix98 doesn't mandate
+ * this field, but we have yet to see a system that supports utmpx
+ * that doesn't have it. For what it's worth, some ancient utmp
+ * headers on svr4 systems imply that there's no ut_host in struct
+ * utmp...
+ */
+#if (defined(HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMPX_UT_HOST)) \
+ || (!defined(HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMP_UT_HOST))
+ if (host != NULL) {
+ strncpy(utx.ut_host, host, sizeof(utx.ut_host));
+ /* Unlike other things in utmpx, ut_host is nul-terminated? */
+ utx.ut_host[sizeof(utx.ut_host) - 1] = '\0';
+ } else
+ utx.ut_host[0] = '\0';
+#if (defined(HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMPX_UT_SYSLEN)) \
+ || (!defined (HAVE_SETUTXENT) && defined(HAVE_STRUCT_UTMP_UT_SYSLEN))
+ if (host != NULL)
+ utx.ut_syslen = strlen(utx.ut_host) + 1;
+ else
+ utx.ut_syslen = 0;
#endif
- if(username[0])
- strncpy(userbuf, username, sizeof(userbuf));
- else userbuf[0] = '\0';
-
-#ifdef HAVE_SETUTENT
-
- utmpname(UTMP_FILE);
- setutent();
-/* If we need to preserve the user name in the wtmp structure and
- * Our flags tell us we can obtain it from the utmp and we succeed in
- * obtaining it, we then save the utmp structure we obtain, write
- * out the utmp structure and change the username pointer so it is used by
- * update_wtmp.*/
-#ifdef WTMP_REQUIRES_USERNAME
- if (( !username[0]) && (flags&PTY_UTMP_USERNAME_VALID)
- &&line)
- {
- struct utmp *utptr;
- strncpy(ut.ut_line, line, sizeof(ut.ut_line));
- utptr = getutline(&ut);
- if (utptr)
- strncpy(userbuf,utptr->ut_user,sizeof(ut.ut_user));
- }
#endif
- pututline(&ent);
- endutent();
-
+ /* XXX deal with ut_addr? */
+
+ if (utxtmp != NULL) {
+ /*
+ * For entries not of type LOGIN_PROCESS, override some stuff
+ * with what was in the previous entry we found, if any.
+ */
+ strncpy(utx.ut_id, utxtmp->ut_id, sizeof(utx.ut_id));
+ utx.ut_pid = utxtmp->ut_pid;
+ }
+
+ strncpy(utx.ut_user, username, sizeof(utx.ut_user));
+
+ /*
+ * Make a copy now and deal with copying relevant things out of
+ * utxtmp in case setutxline() or pututxline() clobbers utxtmp.
+ * (After all, the returned pointer from the getutx*() functions
+ * is allowed to point to static storage that may get overwritten
+ * by subsequent calls to related functions.)
+ */
+ utx2 = utx;
+ if (process_type == PTY_DEAD_PROCESS && utxtmp != NULL) {
+ /*
+ * Use ut_line from old entry to avoid confusing last on
+ * HP-UX.
+ */
+ strncpy(utx2.ut_line, utxtmp->ut_line, sizeof(utx2.ut_line));
+ }
+
+ PTY_SETUTXENT();
+ PTY_PUTUTXLINE(&utx);
+ PTY_ENDUTXENT();
+
+ /* Don't record LOGIN_PROCESS entries. */
+ if (process_type == PTY_LOGIN_PROCESS)
+ return 0;
+
#ifdef HAVE_SETUTXENT
- setutxent();
-#ifdef HAVE_GETUTMPX
- getutmpx(&ent, &utx);
+ return ptyint_update_wtmpx(&utx2);
#else
- /* For platforms like HPUX and Dec Unix which don't have getutmpx */
- strncpy(utx.ut_user, ent.ut_user, sizeof(ent.ut_user));
- strncpy(utx.ut_id, ent.ut_id, sizeof(ent.ut_id));
- strncpy(utx.ut_line, ent.ut_line, sizeof(ent.ut_line));
- utx.ut_pid = pid; /* kludge for Irix, etc. to avoid trunc. */
- utx.ut_type = ent.ut_type;
-#ifdef UT_EXIT_STRUCTURE_DIFFER
- utx.ut_exit.ut_exit = ent.ut_exit.e_exit;
-#else
-/* KLUDGE for now; eventually this will be a feature test... See PR#[40] */
-#ifdef __hpux
- utx.ut_exit.__e_termination = ent.ut_exit.e_termination;
- utx.ut_exit.__e_exit = ent.ut_exit.e_exit;
-#else
- /*xxx do nothing for now; we don't even know the structure member exists*/
-#endif
-#endif
- utx.ut_tv.tv_sec = ent.ut_time;
- utx.ut_tv.tv_usec = 0;
+ return ptyint_update_wtmp(&utx2);
#endif
+}
+
+#else /* !(HAVE_SETUTXENT || HAVE_SETUTENT) */
+
+long
+pty_update_utmp(int process_type, int pid, const char *username,
+ const char *line, const char *host, int flags)
+{
+ struct utmp ent, ut;
+ const char *cp;
+ int tty, lc, fd;
+ off_t seekpos;
+ ssize_t ret;
+ struct stat statb;
+
+ memset(&ent, 0, sizeof(ent));
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
if (host)
- strncpy(utx.ut_host, host, sizeof(utx.ut_host));
- else
- utx.ut_host[0] = 0;
- pututxline(&utx);
- endutxent();
-#endif /* HAVE_SETUTXENT */
+ strncpy(ent.ut_host, host, sizeof(ent.ut_host));
+#endif
+ strncpy(ent.ut_name, username, sizeof(ent.ut_name));
+ cp = line;
+ if (strncmp(cp, "/dev/", sizeof("/dev/") - 1) == 0)
+ cp += sizeof("/dev/") - 1;
+ strncpy(ent.ut_line, cp, sizeof(ent.ut_line));
+ (void)time(&ent.ut_time);
-#else /* HAVE_SETUTENT */
- if (flags&PTY_TTYSLOT_USABLE)
+ if (flags & PTY_TTYSLOT_USABLE)
tty = ttyslot();
else {
- int lc;
- tty = -1;
- if ((fd = open(UTMP_FILE, O_RDWR)) < 0)
- return errno;
- for (lc = 0;
- lseek(fd, (off_t)(lc * sizeof(struct utmp)), SEEK_SET) != -1;
- lc++) {
- if (read(fd, (char *) &ut, sizeof(struct utmp)) != sizeof(struct utmp))
- break;
- if (strncmp(ut.ut_line, ent.ut_line, sizeof(ut.ut_line)) == 0) {
- tty = lc;
-#ifdef WTMP_REQUIRES_USERNAME
- if (!username&&(flags&PTY_UTMP_USERNAME_VALID))
- strncpy(userbuf, ut.ut_user, sizeof(ut.ut_user));
-#endif
- break;
+ tty = -1;
+ fd = open(UTMP_FILE, O_RDONLY);
+ if (fd == -1)
+ return errno;
+ for (lc = 0; ; lc++) {
+ seekpos = lseek(fd, (off_t)(lc * sizeof(struct utmp)), SEEK_SET);
+ if (seekpos != (off_t)(lc * sizeof(struct utmp)))
+ break;
+ if (read(fd, (char *) &ut, sizeof(struct utmp))
+ != sizeof(struct utmp))
+ break;
+ if (strncmp(ut.ut_line, ent.ut_line, sizeof(ut.ut_line)) == 0) {
+ tty = lc;
+ break;
+ }
}
- }
- close(fd);
+ close(fd);
}
-
- if (tty > 0 && (fd = open(UTMP_FILE, O_WRONLY, 0)) >= 0) {
- (void)lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
- (void)write(fd, (char *)&ent, sizeof(struct utmp));
- (void)close(fd);
+ if (tty > 0) {
+ fd = open(UTMP_FILE, O_WRONLY);
+ if (fd == -1)
+ return 0;
+ if (fstat(fd, &statb)) {
+ close(fd);
+ return 0;
+ }
+ seekpos = lseek(fd, (off_t)(tty * sizeof(struct utmp)), SEEK_SET);
+ if (seekpos != (off_t)(tty * sizeof(struct utmp))) {
+ close(fd);
+ return 0;
+ }
+ ret = write(fd, (char *)&ent, sizeof(struct utmp));
+ if (ret != sizeof(struct utmp)) {
+ ftruncate(fd, statb.st_size);
+ }
+ close(fd);
}
-
-
-#endif /* HAVE_SETUTENT */
-
/* Don't record LOGIN_PROCESS entries. */
if (process_type == PTY_LOGIN_PROCESS)
- return 0;
+ return 0;
else
- return ptyint_update_wtmp(&ent, host, userbuf);
+ return ptyint_update_wtmp(&ent);
}
+#endif
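Review bot: Both `sprintf()` calls in the utmpx variant of pty_update_utmp fill `utmp_id[5]` to its last byte: `"k%s"` with the last three characters of `line`, or `"k0%s"` with the last two, is four characters plus the terminator. That stays in bounds only because of the `cp` arithmetic a few lines earlier, so a longer prefix or a different suffix length would overflow a stack buffer with no diagnostic. Where `snprintf` is available on the target platforms (not visible here), `snprintf(utmp_id, sizeof(utmp_id), "k%s", cp - 1);` keeps the bound next to the write. Otherwise a comment on the declaration, `/* "k" + 3 chars or "k0" + 2 chars, plus NUL */`, would at least record the invariant.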
diff --git a/src/util/pty/update_wtmp.c b/src/util/pty/update_wtmp.c
index 7e8d573..f557d36 100644
--- a/src/util/pty/update_wtmp.c
+++ b/src/util/pty/update_wtmp.c
@@ -1,8 +1,7 @@
/*
- * ptyint_update_utmp: Update or create a utmp entry
- *
- * Copyright 1995 by the Massachusetts Institute of Technology.
+ * ptyint_update_wtmp: Update wtmp.
*
+ * Copyright 1995, 2001 by the Massachusetts Institute of Technology.
*
* Permission to use, copy, modify, and distribute this software and
* its documentation for any purpose and without fee is hereby
@@ -28,7 +27,7 @@
#define WTMP_FILE _PATH_WTMP
#endif
-#if !defined(WTMPX_FILE) && defined(_PATH_WTMPX) && defined(HAVE_UPDWTMPX)
+#if !defined(WTMPX_FILE) && defined(_PATH_WTMPX)
#define WTMPX_FILE _PATH_WTMPX
#endif
@@ -37,82 +36,88 @@
#define WTMP_FILE "/usr/adm/wtmp"
#endif
-#if defined(__GLIBC__) && (__GLIBC__ >= 2) && (__GLIBC_MINOR__ >= 1)
-/* This is ugly, but the lack of standardization in the utmp/utmpx
- * space, and what glibc implements and doesn't make available, is
- * even worse.
- */
-#undef HAVE_UPDWTMPX /* Don't use updwtmpx for glibc 2.1 */
-#endif
+#ifdef HAVE_SETUTXENT
-long ptyint_update_wtmp (ent , host, user)
- struct utmp *ent;
- char *host;
- char *user;
+/*
+ * Welcome to conditional salad.
+ *
+ * This really wants to take a (const struct utmpx *) but updutmpx()
+ * on Solaris at least doesn't take a const argument. *sigh*
+ */
+long
+ptyint_update_wtmpx(struct utmpx *ent)
{
+#if !(defined(HAVE_UPDWTMPX) && defined(WTMPX_FILE))
struct utmp ut;
- struct stat statb;
- int fd;
- time_t uttime;
-#ifdef HAVE_UPDWTMPX
- struct utmpx utx;
-
- getutmpx(ent, &utx);
- if (host)
- strncpy(utx.ut_host, host, sizeof(utx.ut_host) );
- else
- utx.ut_host[0] = 0;
- if (user)
- strncpy(utx.ut_user, user, sizeof(utx.ut_user));
- updwtmpx(WTMPX_FILE, &utx);
#endif
-#ifdef HAVE_UPDWTMP
-#ifndef HAVE_UPDWTMPX
-/* This is already performed byupdwtmpx if present.*/
- updwtmp(WTMP_FILE, ent);
-#endif /* HAVE_UPDWTMPX*/
-#else /* HAVE_UPDWTMP */
+#if defined(HAVE_UPDWTMPX) && defined(WTMPX_FILE)
+ updwtmpx(WTMPX_FILE, ent);
+ return 0;
+#else
- if ((fd = open(WTMP_FILE, O_WRONLY|O_APPEND, 0)) >= 0) {
- if (!fstat(fd, &statb)) {
- (void)memset((char *)&ut, 0, sizeof(ut));
-#ifdef __hpux
- strncpy (ut.ut_id, ent->ut_id, sizeof (ut.ut_id));
+#ifdef HAVE_GETUTMP
+ getutmp(ent, &ut);
+#else /* Emulate getutmp(). Yuck. */
+ memset(&ut, 0, sizeof(ut));
+ strncpy(ut.ut_name, ent->ut_user, sizeof(ut.ut_name));
+ strncpy(ut.ut_line, ent->ut_line, sizeof(ut.ut_line));
+ ut.ut_time = ent->ut_tv.tv_sec;
+#ifdef HAVE_STRUCT_UTMP_UT_HOST
+ strncpy(ut.ut_host, ent->ut_host, sizeof(ut.ut_host));
+ ut.ut_host[sizeof(ut.ut_host) - 1] = '\0';
+#ifdef HAVE_STRUCT_UTMP_UT_SYSLEN
+ ut.ut_syslen = strlen(ut.ut_host) + 1;
#endif
- (void)strncpy(ut.ut_line, ent->ut_line, sizeof(ut.ut_line));
- (void)strncpy(ut.ut_name, ent->ut_name, sizeof(ut.ut_name));
-#ifndef NO_UT_HOST
- (void)strncpy(ut.ut_host, ent->ut_host, sizeof(ut.ut_host));
#endif
- (void)time(&uttime);
- ut.ut_time = uttime;
-#if defined(HAVE_GETUTENT) && defined(USER_PROCESS)
- if (ent->ut_name) {
- if (!ut.ut_pid)
- ut.ut_pid = getpid();
-#ifndef __hpux
- ut.ut_type = USER_PROCESS;
-#else
- ut.ut_type = ent->ut_type;
+#ifdef HAVE_STRUCT_UTMP_UT_ID
+ strncpy(ut.ut_id, ent->ut_id, sizeof(ut.ut_id));
#endif
- } else {
-#ifdef EMPTY
- ut.ut_type = EMPTY;
-#else
- ut.ut_type = DEAD_PROCESS; /* For Linux brokenness*/
-#endif
+#ifdef HAVE_STRUCT_UTMP_UT_PID
+ ut.ut_pid = ent->ut_pid;
+#endif
+#ifdef HAVE_STRUCT_UTMP_UT_TYPE
+ ut.ut_type = ent->ut_type;
+#endif
+#if defined(PTY_UTMP_E_EXIT) && defined(PTY_UTMPX_E_EXIT)
+ ut.ut_exit.PTY_UTMP_E_EXIT = ent->ut_exit.PTY_UTMPX_E_EXIT;
+ ut.ut_exit.PTY_UTMP_E_TERMINATION =
+ ent->ut_exit.PTY_UTMPX_E_TERMINATION;
+#endif
+#endif /* !HAVE_GETUTMP */
+
+ return ptyint_update_wtmp(&ut);
+#endif /* !(defined(WTMPX_FILE) && defined(HAVE_UPDWTMPX)) */
+}
- }
+#endif /* HAVE_SETUTXENT */
+
+#if !(defined(WTMPX_FILE) && defined(HAVE_UPDWTMPX)) \
+ || !defined(HAVE_SETUTXENT)
+
+long
+ptyint_update_wtmp(struct utmp *ent)
+{
+#ifndef HAVE_UPDWTMP
+ int fd;
+ struct stat statb;
#endif
- if (write(fd, (char *)&ut, sizeof(struct utmp)) !=
- sizeof(struct utmp))
- (void)ftruncate(fd, statb.st_size);
- }
+
+#ifdef HAVE_UPDWTMP
+ updwtmp(WTMP_FILE, ent);
+#else
+ fd = open(WTMP_FILE, O_WRONLY | O_APPEND, 0);
+ if (fd != -1 && !fstat(fd, &statb)) {
+ if (write(fd, (char *)ent, sizeof(struct utmp))
+ != sizeof(struct utmp))
+ (void)ftruncate(fd, statb.st_size);
(void)close(fd);
}
-#endif /* HAVE_UPDWTMP */
- return 0; /* no current failure cases; file not found is not failure!*/
-
+#endif
+ /*
+ * no current failure cases; file not found is not failure!
+ */
+ return 0;
}
+#endif
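Review bot: In ptyint_update_wtmp the fallback branch leaks the descriptor when `open()` succeeds but `fstat()` fails, because `(void)close(fd);` now sits inside `if (fd != -1 && !fstat(fd, &statb))`. The code this hunk removes closed the descriptor whenever the open had succeeded. Splitting the test restores that: use `if (fd != -1) {` around the block, let `if (!fstat(fd, &statb)) {` guard only the write and `ftruncate()`, and put `(void)close(fd);` after it. Separately, the comment above ptyint_update_wtmpx names `updutmpx()` where the call below it is `updwtmpx()`.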
diff --git a/src/util/pty/void_assoc.c b/src/util/pty/void_assoc.c
index a6ec33d..4b7e26c 100644
--- a/src/util/pty/void_assoc.c
+++ b/src/util/pty/void_assoc.c
@@ -23,32 +23,27 @@
#include <com_err.h>
#include "libpty.h"
#include "pty-int.h"
-/*
- * This routine will be called twice. It's not particularly important
- * that the setsid() or TIOCSTTY ioctls succeed (they may not the
- * second time), but rather that we have a controlling terminal at the
- * end. It is assumed that vhangup doesn't exist and confuse the
- * process's notion of controlling terminal on any system without
- * TIOCNOTTY. That is, either vhangup() leaves the controlling
- * terminal in tact, breaks the association completely, or the system
- * provides TIOCNOTTY to get things back into a reasonable state. In
- * practice, vhangup() either breaks the association completely or
- * doesn't effect controlling terminals, so this condition is met.
- */
-long ptyint_void_association()
+/*
+ * This function gets called to set up the current process as a
+ * session leader (hence, can't be called except from a process that
+ * isn't already a session leader) and dissociates the controlling
+ * terminal (if any) from the session.
+ */
+long
+ptyint_void_association(void)
{
- int con_fd;
+ int fd;
#ifdef HAVE_SETSID
(void) setsid();
#endif
-
- /* Void tty association first */
+ /* Void tty association first */
#ifdef TIOCNOTTY
- if ((con_fd = open("/dev/tty", O_RDWR)) >= 0) {
- ioctl(con_fd, TIOCNOTTY, 0);
- close(con_fd);
- }
+ fd = open("/dev/tty", O_RDWR);
+ if (fd >= 0) {
+ ioctl(fd, TIOCNOTTY, 0);
+ close(fd);
+ }
#endif
- return 0;
+ return 0;
}
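Review bot: The new header comment for ptyint_void_association states a precondition (the caller must not already be a session leader) but does not say that a violation goes unreported. `(void) setsid();` discards the result, the `TIOCNOTTY` ioctl is unchecked, and the return value is always 0. The removed comment explained that these failures were tolerated on purpose, and the replacement drops that rationale. I would add a line such as `/* Failures of setsid() and TIOCNOTTY are ignored; always returns 0. */` so callers do not read the return value as confirmation that the terminal was released.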
diff --git a/src/util/ss/ChangeLog b/src/util/ss/ChangeLog
index 8cac4b7..72063d7 100644
--- a/src/util/ss/ChangeLog
+++ b/src/util/ss/ChangeLog
@@ -1,3 +1,11 @@
+2000-05-01 Nalin Dahyabhai <nalin@redhat.com>
+
+ * help.c (ss_help): Don't overflow buffers "buffer" or "buf".
+ * list_rqs.c (ss_list_requests): Don't overflow buffer "buffer".
+ * mk_cmds.c (main): Don't overflow buffer "c_file".
+ * utils.c (generate_rqte): Update lengths of constant strings in
+ computing buffer size.
+
2000-02-01 Ken Raeburn <raeburn@mit.edu>
* listen.c (ss_listen): Local var END should be volatile.
diff --git a/src/util/ss/help.c b/src/util/ss/help.c
index e09b777..3c9cbec 100644
--- a/src/util/ss/help.c
+++ b/src/util/ss/help.c
@@ -53,16 +53,18 @@ void ss_help (argc, argv, sci_idx, info_ptr)
return;
}
for (idx = 0; info->info_dirs[idx] != (char *)NULL; idx++) {
- (void) strcpy(buffer, info->info_dirs[idx]);
- (void) strcat(buffer, "/");
- (void) strcat(buffer, argv[1]);
- (void) strcat(buffer, ".info");
+ (void) strncpy(buffer, info->info_dirs[idx], sizeof(buffer) - 1);
+ buffer[sizeof(buffer) - 1] = '\0';
+ (void) strncat(buffer, "/", sizeof(buffer) - 1 - strlen(buffer));
+ (void) strncat(buffer, argv[1], sizeof(buffer) - 1 - strlen(buffer));
+ (void) strncat(buffer, ".info", sizeof(buffer) - 1 - strlen(buffer));
if ((fd = open(&buffer[0], O_RDONLY)) >= 0) goto got_it;
}
if ((fd = open(&buffer[0], O_RDONLY)) < 0) {
char buf[MAXPATHLEN];
- strcpy(buf, "No info found for ");
- strcat(buf, argv[1]);
+ strncpy(buf, "No info found for ", sizeof(buf) - 1);
+ buf[sizeof(buf) - 1] = '\0';
+ strncat(buf, argv[1], sizeof(buf) - 1 - strlen(buf));
ss_perror(sci_idx, 0, buf);
return;
}
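Review bot: The bounded copies in the `info_dirs` loop truncate silently, so when the directory plus `argv[1]` plus `.info` does not fit in `buffer`, `open()` is called on a shortened path that names a different file from the one requested. Testing the combined length before the `strncpy` avoids that, for example `if (strlen(info->info_dirs[idx]) + strlen(argv[1]) + sizeof("/.info") > sizeof(buffer))`, and treating an over-long name as not found for that directory. The `open()` after the loop reads `buffer` again, so whichever path is taken must leave a terminated string in it. ss_help begins and continues outside this hunk, and the declaration of `buffer` is not visible here.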
diff --git a/src/util/ss/list_rqs.c b/src/util/ss/list_rqs.c
index cf2c931..045a0c8 100644
--- a/src/util/ss/list_rqs.c
+++ b/src/util/ss/list_rqs.c
@@ -87,23 +87,24 @@ ss_list_requests(argc, argv, sci_idx, info_ptr)
buffer[0] = '\0';
if (entry->flags & SS_OPT_DONT_LIST)
continue;
+ buffer[sizeof(buffer) - 1] = '\0';
for (name = entry->command_names; *name; name++) {
register int len = strlen(*name);
- strncat(buffer, *name, len);
+ strncat(buffer, *name, sizeof(buffer) - 1 - strlen(buffer));
spacing += len + 2;
if (name[1]) {
- strcat(buffer, ", ");
+ strncat(buffer, ", ", sizeof(buffer) - 1 - strlen(buffer));
}
}
if (spacing > 23) {
- strcat(buffer, NL);
+ strncat(buffer, NL, sizeof(buffer) - 1 - strlen(buffer));
fputs(buffer, output);
spacing = 0;
buffer[0] = '\0';
}
- strncat(buffer, twentyfive_spaces, 25-spacing);
- strcat(buffer, entry->info_string);
- strcat(buffer, NL);
+ strncat(buffer, twentyfive_spaces, sizeof(buffer) - 1 - (25-spacing));
+ strncpy(buffer + 25, entry->info_string, sizeof(buffer) - 1 - 25);
+ strncat(buffer, NL, sizeof(buffer) - 1 - strlen(buffer));
fputs(buffer, output);
}
}
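Review bot: The bound in the padding call, `strncat(buffer, twentyfive_spaces, sizeof(buffer) - 1 - (25-spacing))`, is neither the pad width nor the space left in `buffer`. It no longer limits the copy to `25-spacing` characters, so all 25 spaces are appended every time, and it does not subtract `strlen(buffer)`. The following `strncpy(buffer + 25, ...)` then writes the description at a fixed offset rather than after the padding, and a description that fills the remaining space leaves no room for `NL`. Keeping the original count and appending with the remaining-space bound preserves the layout: `strncat(buffer, twentyfive_spaces, 25 - spacing);` then `strncat(buffer, entry->info_string, sizeof(buffer) - 1 - strlen(buffer));`. This assumes `buffer` is larger than 25 bytes, which the hunk's own `buffer + 25` already relies on; its declaration is outside the hunk.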
diff --git a/src/util/ss/mk_cmds.c b/src/util/ss/mk_cmds.c
index 0bcd770..bba5edd 100644
--- a/src/util/ss/mk_cmds.c
+++ b/src/util/ss/mk_cmds.c
@@ -62,8 +62,9 @@ int main(argc, argv)
p = strrchr(path, '.');
*p = '\0';
q = rindex(path, '/');
- strcpy(c_file, (q) ? q + 1 : path);
- strcat(c_file, ".c");
+ strncpy(c_file, (q) ? q + 1 : path, sizeof(c_file) - 1);
+ c_file[sizeof(c_file) - 1] = '\0';
+ strncat(c_file, ".c", sizeof(c_file) - 1 - strlen(c_file));
*p = '.';
output_file = fopen(c_file, "w+");
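Review bot: With the bounded copy an over-long base name is cut silently, and `fopen(c_file, "w+")` then creates or truncates a file under the shortened name instead of failing. Since this is the generator's output file, I would reject the input: compare `strlen((q) ? q + 1 : path) + sizeof(".c")` with `sizeof(c_file)` and exit with an error when it does not fit. The context lines also dereference the result of `strrchr(path, '.')` in `*p = '\0'` without a check. Whether an earlier test guarantees a '.' is not visible, because main starts outside the hunk.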
diff --git a/src/util/ss/utils.c b/src/util/ss/utils.c
index 9698e70..c578001 100644
--- a/src/util/ss/utils.c
+++ b/src/util/ss/utils.c
@@ -61,13 +61,12 @@ char * generate_rqte(func_name, info_string, cmds, options)
var_name = generate_cmds_string(cmds);
generate_function_definition(func_name);
size = 6; /* " { " */
- size += strlen(var_name)+7; /* "quux, " */
- size += strlen(func_name)+7; /* "foo, " */
- size += strlen(info_string)+9; /* "\"Info!\", " */
+ size += strlen(var_name)+8; /* "quux, " */
+ size += strlen(func_name)+8; /* "foo, " */
+ size += strlen(info_string)+8; /* "\"Info!\", " */
sprintf(numbuf, "%d", options);
- size += strlen(numbuf);
- size += 4; /* " }," + NL */
- string = malloc(size * sizeof(char *));
+ size += strlen(numbuf)+5; /* " }," + NL + NUL */
+ string = malloc(size);
strcpy(string, " { ");
strcat(string, var_name);
strcat(string, ",\n ");
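Review bot: `string = malloc(size);` is passed to `strcpy(string, ...)` on the next line without a NULL check. After this change the allocation is exact rather than several times too large, so the hand-counted constants are the only margin left. A check such as `if (string == NULL) return NULL;` would be the minimum, assuming callers of generate_rqte can handle a NULL result (they are not visible here). The per-term constants cannot be verified from this hunk because the strings they count are appended partly outside it. A comment tying each `+8` to the literal it covers would help the next edit keep them in step.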
diff --git a/src/wconfig.c b/src/wconfig.c
index 0671a1e..fdbc0d9 100644
--- a/src/wconfig.c
+++ b/src/wconfig.c
@@ -76,6 +76,13 @@ int main(int argc, char *argv[])
ignore_len = strlen(ignore_str);
argc--; argv++;
while (*argv && *argv[0] == '-') {
+ wflags[sizeof(wflags) - 1] = '\0';
+ if (strlen (wflags) + 1 + strlen (*argv) > sizeof (wflags) - 1) {
+ fprintf (stderr,
+ "wconfig: argument list too long (internal limit %d)",
+ sizeof (wflags));
+ exit (1);
+ }
if (wflags[0])
strcat(wflags, " ");
strcat(wflags, *argv);
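Review bot: The new `fprintf` passes `sizeof (wflags)`, a `size_t`, to a `%d` conversion, which is undefined where `size_t` is wider than `int`, and the message has no trailing newline. A cast keeps it portable to pre-C99 compilers: `"wconfig: argument list too long (internal limit %d)\n", (int) sizeof (wflags));`. The length test itself looks correct for the `strcat` pair that follows it. main starts outside the hunk, so the declaration of `wflags` is not visible.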
diff --git a/src/windows/ChangeLog b/src/windows/ChangeLog
index ce20631..d32a4e6 100644
--- a/src/windows/ChangeLog
+++ b/src/windows/ChangeLog
@@ -1,3 +1,86 @@
+2003-04-08 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.8 final.
+
+2002-11-15 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.7 final.
+
+2002-11-08 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.7-beta2.
+
+2002-11-04 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.7-beta1.
+
+2002-09-11 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.6 final.
+
+2002-08-30 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.6 beta2.
+
+2002-08-16 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.6 beta1.
+
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: 1.2.5 beta 2 (in anticipation).
+
+2002-04-04 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: 1.2.5 beta 1.
+
+2002-02-27 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: 1.2.4 (final)
+
+2002-02-21 Tom Yu <tlyu@mit.edu>
+
+ * version.rc: 1.2.4-beta2.
+
+2002-02-06 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: 1.2.4 beta 1.
+
+2002-01-09 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: 1.2.3 (final).
+
+2001-12-21 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: Beta 4.
+
+2001-11-28 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: Beta 3.
+
+2001-11-19 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: Beta 2.
+
+2001-11-06 Danilo Almeida <dalmeida@mit.edu>
+
+ * Makefile.in: Build ms2mit.
+ * version.rc: 1.2.3 beta 1 (pre-release)
+ * README: Note on building ms2mit.
+
+2000-07-07 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: No longer pre-release.
+
+2000-06-21 Danilo Almeida <dalmeida@mit.edu>
+
+ * README: Update documentation with DNS information. Fix up the
+ language a bit.
+
+2000-04-25 Danilo Almeida <dalmeida@mit.edu>
+
+ * version.rc: Bump version to 1.2 beta.
+
2000-02-06 Danilo Almeida <dalmeida@mit.edu>
* README: Add documentation about debug vs. release builds.
diff --git a/src/windows/Makefile.in b/src/windows/Makefile.in
index 0cd8e91..ebfc6e3 100644
--- a/src/windows/Makefile.in
+++ b/src/windows/Makefile.in
@@ -20,6 +20,9 @@ all-windows::
@echo Making in windows\gina
cd ..\gina
$(MAKE) -$(MFLAGS)
+ @echo Making in windows\ms2mit
+ cd ..\ms2mit
+ $(MAKE) -$(MFLAGS)
cd ..
clean-windows::
@@ -38,4 +41,7 @@ clean-windows::
@echo Making clean in windows\gina
cd ..\gina
$(MAKE) -$(MFLAGS) clean
+ @echo Making clean in windows\ms2mit
+ cd ..\ms2mit
+ $(MAKE) -$(MFLAGS) clean
cd ..
diff --git a/src/windows/README b/src/windows/README
index f30d029..eb221bc 100644
--- a/src/windows/README
+++ b/src/windows/README
@@ -1,29 +1,39 @@
Building & Running Kerberos 5 on Windows
----------------------------------------
-Kerberos 5 Windows support now only includes Win32 and no longer
-includes Win16.
+Kerberos 5 builds on Windows with MSVC++ 6.0. It may or may not build
+with other compilers or make utilities.
-We build Kerberos 5 on Windows just with MSVC++ 6.0. You should
-not need anything else. We do not know whether it currently
-builds with other compilers or make utilities.
-
-These build instructions assume that you got a standalong source
-distribution of Kerberos 5 rather than the MIT Kerberos for Win32
+These build instructions assume that you have the standalone source
+distribution of Kerberos 5 rather than the MIT Kerberos for Windows
distribution (which includes a working Kerberos 4).
There are two methods for building a Windows version of Kerberos 5.
The traditional method involves starting on a Unix machine and
creating a distribution that can be built on Windows. The second
method works from the sources that come from the Unix distribution if
-you have certain Unix-type utilities.
+you have certain Unix-type utilities (see below).
-IMPORTANT NOTE: By default, the sources are build with debug
+IMPORTANT NOTE: By default, the sources are built with debug
information and linked against the debug version of the Microsoft C
-Runtime library, which is not found on most Win32 systems unless they
-have development tools. To build a release version, you need to
+Runtime library, which is not found on most Windows systems unless
+they have development tools. To build a release version, you need to
define NODEBUG either in the environment or the nmake command-line.
+DNS Support: To support DNS lookups, you will need to define
+KRB5_DNS_LOOKUP, KRB5_DNS_LOOKUP_KDC, or KRB5_DNS_LOOKUP_REALMS. The
+DNS code will default to trying to use the wshelper library. If you
+would rather use a resolver library whose include files more closely
+match the Unix resolver library, define KRB5_NO_WSHELPER. You will
+also need to define DNS_INC to point to the include directory for the
+library and DNS_LIB to library itself. The default is not to support
+DNS because the build cannot know whether there is a DNS resolver
+library around for it to use.
+
+Building ms2mit requires that you have a reasonably recent Microsoft
+Platform SDK installed. Anything starting at the Windows 2000 edition
+should be fine.
+
Traditional Build Method:
------------------------
@@ -36,13 +46,13 @@ On the Unix side
On the PC side
-1) md \krb5 # Create where we'll put the tree
+1) md \krb5 # Create dir where we'll put the tree
2) cd \krb5
3) unzip kerbsrc.zip
- or -
pkunzip -d kerbsrc.zip
-4) nmake [NODEBUG=1] # Build the sources
-5) nmake install [NODEBUG=1] # Copy headers, libs, executables
+4) nmake [NODEBUG=1] [DNS-options] # Build the sources
+5) nmake install [NODEBUG=1] # Copy headers, libs, executables
All-Windows Build Method:
@@ -52,8 +62,8 @@ First, make sure you have sed, gawk, cat, and cp.
1) cd xxx/src # Go to where the source lives
2) nmake -f Makefile.in prep-windows # Create Makefile for Windows
-3) nmake [NODEBUG=1] # Build the sources
-4) nmake install [NODEBUG=1] # Copy headers, libs, executables
+3) nmake [NODEBUG=1] [DNS-options # Build the sources
+4) nmake install [NODEBUG=1] # Copy headers, libs, executables
Notes on the install Target:
@@ -82,7 +92,7 @@ able to run the applications that are built. Note that Kerberos 5
will not look for the krb5.ini file in your path.
-Krb5.ini File:
+krb5.ini File:
-------------
WARNING: Despite its name, this is not a Windows .ini file.
@@ -128,7 +138,7 @@ Othes Issues:
The krb4_32.dll that is built (but not installed) is not supported.
If you need Kerberos 4, you can use the krbv4w32.dll that MIT
-distributes as part of the MIT Kerberos for Win32 distribution.
+distributes as part of the MIT Kerberos for Windows distribution.
More Information:
diff --git a/src/windows/cns/ChangeLog b/src/windows/cns/ChangeLog
index f99c56a..dc32c85 100644
--- a/src/windows/cns/ChangeLog
+++ b/src/windows/cns/ChangeLog
@@ -1,3 +1,17 @@
+2002-04-16 Danilo Almeida <dalmeida@mit.edu>
+
+ * cns.c: Do not use krb_get_notification_message() or
+ krb5_get_notification_message().
+
+2000-05-08 Ken Raeburn <raeburn@mit.edu>
+ Nalin Dahyabhai <nalin@redhat.com>
+
+ * cns.c (kwin_push_login): Don't overflow buffer "fullname".
+ (kwin_command): Don't overflow buffer "copyright".
+ * cns_reg.c (cns_load_registry): Don't overflow buffer
+ "cns_res.def_confname".
+ * tktlist.c (ticket_init_list): Don't overflow buffer "buf".
+
1999-12-03 Danilo Almeida <dalmeida@mit.edu>
* Makefile.in: Windows fix for updated win-pre.in.
diff --git a/src/windows/cns/cns.c b/src/windows/cns/cns.c
index 7af81fc..d57c685 100644
--- a/src/windows/cns/cns.c
+++ b/src/windows/cns/cns.c
@@ -41,7 +41,9 @@ HFONT hfontdialog = NULL; /* Font in which the dialog is drawn. */
static HFONT hfonticon = NULL; /* Font for icon label */
HINSTANCE hinstance;
static int dlgncmdshow; /* ncmdshow from WinMain */
+#if 0
static UINT wm_kerberos_changed; /* message for cache changing */
+#endif
static int action; /* After login actions */
static UINT kwin_timer_id; /* Timer being used for update */
BOOL alert; /* Actions on ticket expiration */
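Review bot: The `#if 0` around `wm_kerberos_changed` has no comment saying why the cache-change notification is compiled out, and the same bare `#if 0` recurs in the kwin_wnd_proc and init_application hunks further down. Either delete the dead code or mark each block, for example `/* Disabled: krb_get_notification_message() and krb5_get_notification_message() are no longer used (ChangeLog 2002-04-16) */`. With the handler in kwin_wnd_proc gone, the ticket list is presumably refreshed only by the existing timer. It is worth confirming that a destroyed or replaced cache cannot stay on screen as if its tickets were still valid.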
@@ -384,12 +386,13 @@ kwin_push_login(HWND hwnd, char *name, char *instance, char *realm)
char menuitem[MAX_K_NAME_SZ + 3];
BOOL rc;
- strcpy(fullname, "&x ");
- strcat(fullname, name);
- strcat(fullname, ".");
- strcat(fullname, instance);
- strcat(fullname, "@");
- strcat(fullname, realm);
+ fullname[sizeof(fullname) - 1] = '\0';
+ strncpy(fullname, "&x ", sizeof(fullname) - 1);
+ strncat(fullname, name, sizeof(fullname) - 1 - strlen(fullname));
+ strncat(fullname, ".", sizeof(fullname) - 1 - strlen(fullname));
+ strncat(fullname, instance, sizeof(fullname) - 1 - strlen(fullname));
+ strncat(fullname, "@", sizeof(fullname) - 1 - strlen(fullname));
+ strncat(fullname, realm, sizeof(fullname) - 1 - strlen(fullname));
hmenu = GetMenu(hwnd);
assert(hmenu != NULL);
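Review bot: The bounded concatenation of `fullname` truncates silently when `name`, `instance` and `realm` together exceed the buffer. The shortened string is then used for the menu handling that continues outside this hunk. Two long principals sharing a prefix would presumably produce the same entry, so the length should be checked up front and the call rejected. One form is a test such as `strlen(name) + strlen(instance) + strlen(realm) + 5 >= sizeof(fullname)` before the first copy, where 5 covers the "&x ", "." and "@" literals. The declaration of `fullname` is above the hunk, so its size is not visible here.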
@@ -1339,14 +1342,16 @@ kwin_command(HWND hwnd, int cid, HWND hwndCtl, UINT codeNotify)
strcpy(copyright, " Kerberos V5 for Windows ");
#endif
#ifdef _WIN32
- strcat(copyright, "32-bit\n");
+ strncat(copyright, "32-bit\n", sizeof(copyright) - 1 - strlen(copyright));
#else
- strcat(copyright, "16-bit\n");
+ strncat(copyright, "16-bit\n", sizeof(copyright) - 1 - strlen(copyright));
#endif
- strcat(copyright, "\n Version 1.12\n\n");
+ strncat(copyright, "\n Version 1.12\n\n",
+ sizeof(copyright) - 1 - strlen(copyright));
#ifdef ORGANIZATION
- strcat(copyright, " For information, contact:\n");
- strcat(copyright, ORGANIZATION);
+ strncat(copyright, " For information, contact:\n",
+ sizeof(copyright) - 1 - strlen(copyright));
+ strncat(copyright, ORGANIZATION, sizeof(copyright) - 1 - strlen(copyright));
#endif
MessageBox(hwnd, copyright, KWIN_DIALOG_NAME, MB_OK);
@@ -1469,8 +1474,9 @@ kwin_paint(HWND hwnd)
sprintf(buf, "%s - %ld hr", KWIN_DIALOG_NAME, dt);
}
+ buf[sizeof(buf) - 1] = '\0';
if (dt > 1)
- strcat(buf, "s");
+ strncat(buf, "s", sizeof(buf) - 1 - strlen(buf));
}
DrawIcon(hdc, r.left, r.top, hicon);
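Review bot: The added `buf[sizeof(buf) - 1] = '\0';` runs after the unbounded `sprintf(buf, "%s - %ld hr", KWIN_DIALOG_NAME, dt);`, so it cannot prevent an overrun. If sprintf stays in bounds the string is already terminated, and if it does not, the write past `buf` has already happened. The bound belongs on the formatting call itself, e.g. `_snprintf(buf, sizeof(buf) - 1, "%s - %ld hr", KWIN_DIALOG_NAME, dt);` where the CRT provides it, with the terminator line kept after it. The earlier branches that fill `buf` are outside the hunk and presumably need the same treatment.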
@@ -1487,12 +1493,14 @@ kwin_wnd_proc(HWND hwnd, UINT message, WPARAM wParam, LPARAM lParam)
{
int n;
+#if 0
if (message == wm_kerberos_changed) { /* Message from the ccache */
n = ticket_init_list(GetDlgItem(hwnd, IDD_TICKET_LIST));
EnableWindow(GetDlgItem(hwnd, IDD_TICKET_DELETE), n > 0);
return 0;
}
+#endif
switch (message) {
HANDLE_MSG(hwnd, WM_GETMINMAXINFO, kwin_getminmaxinfo);
@@ -1597,6 +1605,7 @@ init_application(HINSTANCE hinstance)
{
BOOL rc;
+#if 0
#ifdef KRB4
wm_kerberos_changed = krb_get_notification_message();
#endif
@@ -1604,6 +1613,7 @@ init_application(HINSTANCE hinstance)
#ifdef KRB5
wm_kerberos_changed = krb5_get_notification_message();
#endif
+#endif
rc = kwin_init(hinstance);
diff --git a/src/windows/cns/cns_reg.c b/src/windows/cns/cns_reg.c
index 400d72d..160eb15 100644
--- a/src/windows/cns/cns_reg.c
+++ b/src/windows/cns/cns_reg.c
@@ -74,8 +74,12 @@ cns_load_registry(void)
if (key != INVALID_HANDLE_VALUE) {
if (registry_string_get(key, KERBNET_HOME, &ts) == 0) {
cns_res.conf_override = 0;
- strcpy(cns_res.def_confname, ts);
- strcat(cns_res.def_confname, "\\etc\\krb5.conf");
+ cns_res.def_confname[sizeof(cns_res.def_confname) - 1];
+ strncpy(cns_res.def_confname, ts,
+ sizeof(cns_res.def_confname) - 1);
+ strncat(cns_res.def_confname, "\\etc\\krb5.conf",
+ sizeof(cns_res.def_confname) - 1 -
+ strlen(cns_res.def_confname));
free(ts);
}
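Review bot: The new line `cns_res.def_confname[sizeof(cns_res.def_confname) - 1];` is an expression statement with no effect, because the assignment is missing; it should read `cns_res.def_confname[sizeof(cns_res.def_confname) - 1] = '\0';`. Without it, a registry value `ts` of `sizeof - 1` bytes or more leaves the buffer unterminated after `strncpy`, unless the last byte happened to be zero already. The following `strlen(cns_res.def_confname)` then reads past the array, and `sizeof - 1 - strlen(...)` can wrap to a very large count for `strncat`. That reintroduces the overflow the ChangeLog entry says is fixed. `ts` comes from the registry, so it should be treated as untrusted input. The rest of cns_load_registry is outside the hunk.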
diff --git a/src/windows/cns/tktlist.c b/src/windows/cns/tktlist.c
index 62b6eb8..5e15201 100644
--- a/src/windows/cns/tktlist.c
+++ b/src/windows/cns/tktlist.c
@@ -122,11 +122,12 @@ ticket_init_list (HWND hwnd)
krb_get_nth_cred(service, instance, realm, i);
krb_get_cred(service, instance, realm, &c);
strcpy(buf, " ");
- strcat(buf, short_date(c.issue_date - kwin_get_epoch()));
+ strncat(buf, short_date(c.issue_date - kwin_get_epoch()),
+ sizeof(buf) - 1 - strlen(buf));
expiration = c.issue_date - kwin_get_epoch() + (long) c.lifetime * 5L * 60L;
- strcat (buf, " ");
- strcat(buf, short_date(expiration));
- strcat (buf, " ");
+ strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, short_date(expiration), sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
l = strlen(buf);
sprintf(&buf[l], "%s%s%s%s%s (%d)",
c.service, (c.instance[0] ? "." : ""), c.instance,
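Review bot: The `sprintf(&buf[l], "%s%s%s%s%s (%d)", c.service, ...)` kept as context still appends the credential's service, instance and further fields to `buf` with no limit. Bounding the date fields with `strncat` therefore leaves the larger, credential-derived part of the line unchecked. The call should take the remaining space, e.g. `_snprintf(&buf[l], sizeof(buf) - 1 - l, "%s%s%s%s%s (%d)", ...);` followed by `buf[sizeof(buf) - 1] = '\0';`. The sprintf statement continues past the end of this hunk and the declaration of `buf` is above it, so the argument list and buffer size should be checked against the full function.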
@@ -172,10 +173,12 @@ ticket_init_list (HWND hwnd)
ncred++;
strcpy (buf, " ");
- strcat (buf, short_date (c.times.starttime - kwin_get_epoch()));
- strcat (buf, " ");
- strcat (buf, short_date (c.times.endtime - kwin_get_epoch()));
- strcat (buf, " ");
+ strncat(buf, short_date (c.times.starttime - kwin_get_epoch()),
+ sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, short_date (c.times.endtime - kwin_get_epoch()),
+ sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, " ", sizeof(buf) - 1 - strlen(buf));
/* Add ticket service name and realm */
code = krb5_unparse_name (k5_context, c.server, &sname);
@@ -183,9 +186,9 @@ ticket_init_list (HWND hwnd)
com_err (NULL, code, "while unparsing server name");
break;
}
- strcat (buf, sname);
+ strncat (buf, sname, sizeof(buf) - 1 - strlen(buf));
- strcat (buf, flags_string (&c)); /* Add flag info */
+ strncat (buf, flags_string (&c), sizeof(buf) - 1 - strlen(buf)); /* Add flag info */
l = strlen(buf);
lpinfo = (LPTICKETINFO) malloc(sizeof(TICKETINFO) + l + 1);
diff --git a/src/windows/lib/ChangeLog b/src/windows/lib/ChangeLog
index 25f20f4..160a899 100644
--- a/src/windows/lib/ChangeLog
+++ b/src/windows/lib/ChangeLog
@@ -1,3 +1,7 @@
+2000-05-18 Danilo Almeida <dalmeida@mit.edu>
+
+ * cacheapi.h: Update to v2.
+
1999-12-03 Danilo Almeida <dalmeida@mit.edu>
* Makefile.in: Fix of build flags with updated win-pre.in.
diff --git a/src/windows/lib/cacheapi.h b/src/windows/lib/cacheapi.h
index d23b8d4..7661599 100644
--- a/src/windows/lib/cacheapi.h
+++ b/src/windows/lib/cacheapi.h
@@ -49,74 +49,64 @@
**
*/
-#include <krb5.h>
-
#ifndef Krb_CCacheAPI_h_
#define Krb_CCacheAPI_h_
#include <windows.h>
-#define CC_API_VER_1 1
+//typedef int cc_int32;
+#define cc_int32 long
+#define cc_uint32 unsigned long
-#define CCACHE_API __declspec(dllexport) cc_int32
-//#define CCACHE_API __declspec( dllexport ) cc_int32 __stdcall
+typedef cc_int32 cc_time_t;
-/*
-** Decisions I haven't nailed down yet
-*/
-// determines if cred_type precedes ptrs to creds in cred_union
-//#define CRED_TYPE_IN_UNION
-//
-// JENNYEXT - modifications Jenny made to cacheapi for MIT code
-// not blessed, but reproduced temporarily
-#ifndef JENNYEXT
-#define JENNYEXT
-#endif
+#define CC_API_VER_1 1
+#define CC_API_VER_2 2
+
+//enum {
+// CC_API_VER_1 = 1,
+// CC_API_VER_2 = 2
+//};
+
+#define CCACHE_API __declspec(dllexport) cc_int32
/*
** The Official Error Codes
*/
-#define CC_NOERROR 0
-#define CC_BADNAME 1
-#define CC_NOTFOUND 2
-#define CC_END 3
-#define CC_IO 4
-#define CC_WRITE 5
-#define CC_NOMEM 6
-#define CC_FORMAT 7
-#define CC_LOCKED 8
-#define CC_BAD_API_VERSION 9
-#define CC_NO_EXIST 10
-#define CC_NOT_SUPP 11
-#define CC_BAD_PARM 12
-#define CC_ERR_CACHE_ATTACH 13
-#define CC_ERR_CACHE_RELEASE 14
-#define CC_ERR_CACHE_FULL 15
-#define CC_ERR_CRED_VERSION 16
+#define CC_NOERROR 0
+#define CC_BADNAME 1
+#define CC_NOTFOUND 2
+#define CC_END 3
+#define CC_IO 4
+#define CC_WRITE 5
+#define CC_NOMEM 6
+#define CC_FORMAT 7
+#define CC_LOCKED 8
+#define CC_BAD_API_VERSION 9
+#define CC_NO_EXIST 10
+#define CC_NOT_SUPP 11
+#define CC_BAD_PARM 12
+#define CC_ERR_CACHE_ATTACH 13
+#define CC_ERR_CACHE_RELEASE 14
+#define CC_ERR_CACHE_FULL 15
+#define CC_ERR_CRED_VERSION 16
/*
** types, structs, & constants
*/
-typedef int cc_int32;
-typedef cc_int32 cc_time_t;
-
// Flag bits promised by Ted "RSN"
#define CC_FLAGS_RESERVED 0xFFFFFFFF
-typedef cc_int32 cc_nc_flags; // set via constants above
+typedef cc_uint32 cc_nc_flags; // set via constants above
-typedef struct opaque_ccache_pointer_type* ccache_p;
typedef struct opaque_dll_control_block_type* apiCB;
+typedef struct opaque_ccache_pointer_type* ccache_p;
typedef struct opaque_credential_iterator_type* ccache_cit;
-enum { KRB5_CLIENT_SZ = 256};
-enum { KRB5_SERVER_SZ = 256};
-enum { KRB5_DATA_SZ = 1024};
-enum { KRB5_DATA_CNT = 20};
-
+#if 0
enum _cc_data_type {
- type_ticket = 0, // 0 for ticket, second_ticket
+ type_ticket = 0, /* 0 for ticket, second_ticket */
/* Ted's draft spec says these are to be
"as defined in the Kerberos V5 protocol"
all I can find are typdefs,
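Review bot: `#define cc_int32 long` and `#define cc_uint32 unsigned long` make the API's integer types preprocessor macros, which leak into every file that includes this header. Any later use of the identifier `cc_int32` as a member or variable name is rewritten, and debuggers and diagnostics see plain `long`. The commented-out `//typedef int cc_int32;` shows a typedef was intended; `typedef long cc_int32;` and `typedef unsigned long cc_uint32;` give the same width without textual substitution. The leftover commented-out typedef and `enum` block should be removed rather than shipped in a public header.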
@@ -125,22 +115,17 @@ enum _cc_data_type {
type_address, /* = <"as defined in the Kerberos V5 protocol"> */
type_authdata, /* = <"as defined in the Kerberos V5 protocol"> */
type_encryption, /* = <"as defined in the Kerberos V5 protocol"> */
- cc_data_type_max }; // for validation
+ cc_data_type_max /* for validation */
+};
+#endif
typedef struct _cc_data
{
- cc_int32 type; // should be one of _cc_data_type
- cc_int32 length;
- unsigned char* data; // the proverbial bag-o-bits
+ cc_uint32 type; // should be one of _cc_data_type
+ cc_uint32 length;
+ unsigned char* data; // the proverbial bag-o-bits
} cc_data;
-typedef struct _cc_data1
-{
- cc_int32 type; // should be one of _cc_data_type
- cc_int32 length;
- unsigned char data[KRB5_DATA_SZ]; // the proverbial bag-o-bits
-} cc_data1;
-
// V5 Credentials
typedef struct _cc_creds {
char* client;
@@ -150,75 +135,53 @@ typedef struct _cc_creds {
cc_time_t starttime;
cc_time_t endtime;
cc_time_t renew_till;
- cc_int32 is_skey;
- cc_int32 ticket_flags;
+ cc_uint32 is_skey;
+ cc_uint32 ticket_flags;
cc_data FAR ** addresses;
cc_data ticket;
cc_data second_ticket;
cc_data FAR ** authdata;
} cc_creds;
-typedef struct _cc_cache_creds {
- char client[KRB5_CLIENT_SZ];
- char server[KRB5_SERVER_SZ];
- cc_data1 keyblock;
- cc_time_t authtime;
- cc_time_t starttime;
- cc_time_t endtime;
- cc_time_t renew_till;
- cc_int32 is_skey;
- cc_int32 ticket_flags;
- cc_data1 addresses[KRB5_DATA_CNT];
- cc_data1 ticket;
- cc_data1 second_ticket;
- cc_data1 authdata[KRB5_DATA_CNT];
-} cc_cache_creds;
-
// begin V4 stuff
-
-enum { KRB_PRINCIPAL_SZ = 40 };
-enum { KRB_SERVICE_SZ = 40};
-enum { KRB_INSTANCE_SZ = 40};
-enum { KRB_REALM_SZ = 40};
-#ifndef ADDR_SZ
-enum { ADDR_SZ = 16};
-#endif
-
// use an enumerated type so all callers infer the same meaning
// these values are what krbv4win uses internally.
-enum StringToKey_Type { STK_AFS = 0, STK_DES = 1 };
+#define STK_AFS 0
+#define STK_DES 1
// K4 uses a MAX_KTXT_LEN of 1250 to hold a ticket
// K95 uses 256
// To be safe I'll use the larger number, but a factor of 5!!!
-enum { MAX_V4_CRED_LEN = 1250 };
+#define MAX_V4_CRED_LEN 1250
// V4 Credentials
+
+enum {
+ KRB_NAME_SZ = 40,
+ KRB_INSTANCE_SZ = 40,
+ KRB_REALM_SZ = 40
+};
+
typedef struct cc_V4credential {
- unsigned char kversion;
- char principal[KRB_PRINCIPAL_SZ];
- char principal_instance[KRB_INSTANCE_SZ];
- char service[KRB_SERVICE_SZ];
- char service_instance[KRB_INSTANCE_SZ];
- char realm[KRB_REALM_SZ];
- unsigned char session_key[8];
- cc_int32 kvno; // k95 used BYTE skvno
- enum StringToKey_Type
- str_to_key; // k4 infers dynamically, k95 stores
- long issue_date; // k95 called this issue_time
- cc_int32 lifetime; // k95 used LONG expiration_time
- char address[ADDR_SZ]; // IP Address of local host
- cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250
- unsigned char ticket[MAX_V4_CRED_LEN];
- unsigned long oops; // zero to catch runaways
+ unsigned char kversion;
+ char principal[KRB_NAME_SZ + 1];
+ char principal_instance[KRB_INSTANCE_SZ + 1];
+ char service[KRB_NAME_SZ + 1];
+ char service_instance[KRB_INSTANCE_SZ + 1];
+ char realm[KRB_REALM_SZ + 1];
+ unsigned char session_key[8];
+ cc_int32 kvno; // k95 used BYTE skvno
+ cc_int32 str_to_key; // k4 infers dynamically, k95 stores
+ long issue_date; // k95 called this issue_time
+ cc_int32 lifetime; // k95 used LONG expiration_time
+ cc_uint32 address; // IP Address of local host
+ cc_int32 ticket_sz; // k95 used BYTE, k4 ktext uses int to hold up to 1250
+ unsigned char ticket[MAX_V4_CRED_LEN];
+ unsigned long oops; // zero to catch runaways
} V4Cred_type;
-#ifdef JENNYEXT
-typedef struct cc_V4credential CCV4CREDENTIALS; // JENNYEXT
-#endif
-
-enum cc_cred_vers {
+enum {
CC_CRED_VUNKNOWN = 0, // For validation
CC_CRED_V4 = 1,
CC_CRED_V5 = 2,
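Review bot: `ticket_sz` in `V4Cred_type` stays a signed `cc_int32` next to the fixed `ticket[MAX_V4_CRED_LEN]` array, and its comment does not state the valid range. A consumer that copies `ticket_sz` bytes from a cache entry has nothing here telling it to reject negative or oversized values. I would add a comment such as `// must satisfy 0 <= ticket_sz <= MAX_V4_CRED_LEN; validate before copying ticket`. The reading and writing code is not in this header, so whether that check already exists has to be confirmed in the cache implementation. The name fields growing to `KRB_*_SZ + 1` and `address` shrinking from `char[16]` to `cc_uint32` also change the struct layout. That deserves a sentence saying which API version uses this layout.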
@@ -226,17 +189,21 @@ enum cc_cred_vers {
};
typedef union cred_ptr_union_type {
- V4Cred_type* pV4Cred;
- cc_creds* pV5Cred;
+ V4Cred_type* pV4Cred;
+ cc_creds* pV5Cred;
} cred_ptr_union;
typedef struct cred_union_type {
-//#ifdef CRED_TYPE_IN_UNION
- enum cc_cred_vers cred_type;
-//#endif
- cred_ptr_union cred;
+ cc_int32 cred_type;
+ cred_ptr_union cred;
} cred_union;
+typedef struct _infoNC {
+ char* name;
+ char* principal;
+ cc_int32 vers;
+} infoNC;
+
/*
** The official (externally visible) API
@@ -251,113 +218,147 @@ extern "C" /* this entire list of functions */
** Main cache routines : initialize, shutdown, get_cache_names, & get_change_time
*/
CCACHE_API
-cc_initialize(apiCB** cc_ctx, // < DLL's primary control structure.
- // returned here, passed everywhere else
- const cc_int32 api_version,// > ver supported by caller (use CC_API_VER_1)
- cc_int32* api_supported, // < if ~NULL, max ver supported by DLL
- const char** vendor); // < if ~NULL, vendor name in read only C string
+cc_initialize(
+ apiCB** cc_ctx, // < DLL's primary control structure.
+ // returned here, passed everywhere else
+ cc_int32 api_version, // > ver supported by caller (use CC_API_VER_1)
+ cc_int32* api_supported, // < if ~NULL, max ver supported by DLL
+ const char** vendor // < if ~NULL, vendor name in read only C string
+ );
CCACHE_API
-cc_shutdown(apiCB** cc_ctx); // <> DLL's primary control structure. NULL after call.
+cc_shutdown(
+ apiCB** cc_ctx // <> DLL's primary control structure. NULL after call.
+ );
CCACHE_API
-cc_get_change_time(apiCB* cc_ctx, // > DLL's primary control structure
- cc_time_t* time); // < time of last change to main cache
+cc_get_change_time(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ cc_time_t* time // < time of last change to main cache
+ );
/*
** Named Cache (NC) routines
-** create, open, close, destroy, get_principal, get_cred_version, & lock_request
+** create, open, close, destroy, get_principal, get_cred_version, &
+** lock_request
**
-** Multiple NCs are allowed within the main cache. Each has a Name and kerberos
-** version # (V4 or V5). Caller gets "ccache_ptr"s for NCs.
+** Multiple NCs are allowed within the main cache. Each has a Name
+** and kerberos version # (V4 or V5). Caller gets "ccache_ptr"s for
+** NCs.
*/
CCACHE_API
-cc_create(apiCB* cc_ctx, // > DLL's primary control structure
- const char* name, // > name of cache to be [destroyed if exists, then] created
- const char* principal, // > name of principal associated with NC
- const enum cc_cred_vers vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
- const cc_int32 cc_flags, // > options
- ccache_p** ccache_ptr); // < NC control structure
+cc_create(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const char* name, // > name of cache to be [destroyed if exists, then] created
+ const char* principal,
+ cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
+ cc_uint32 cc_flags, // > options
+ ccache_p** ccache_ptr // < NC control structure
+ );
CCACHE_API
-cc_open(apiCB* cc_ctx, // > DLL's primary control structure
- const char* name, // > name of pre-created cache
- const enum cc_cred_vers vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
- const cc_int32 cc_flags, // > options
- ccache_p** ccache_ptr); // < NC control structure
+cc_open(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const char* name, // > name of pre-created cache
+ cc_int32 vers, // > ticket version (CC_CRED_V4 or CC_CRED_V5)
+ cc_uint32 cc_flags, // > options
+ ccache_p** ccache_ptr // < NC control structure
+ );
CCACHE_API
-cc_close(apiCB* cc_ctx, // > DLL's primary control structure
- ccache_p** ccache_ptr); // <> NC control structure. NULL after call.
+cc_close(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ ccache_p** ccache_ptr // <> NC control structure. NULL after call.
+ );
CCACHE_API
-cc_destroy(apiCB* cc_ctx, // > DLL's primary control structure
- ccache_p** ccache_ptr); // <> NC control structure. NULL after call.
-
+cc_destroy(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ ccache_p** ccache_ptr // <> NC control structure. NULL after call.
+ );
/*
** Ways to get information about the NCs
*/
CCACHE_API
-cc_seq_fetch_NCs(apiCB* cc_ctx, // > DLL's primary control structure
- ccache_p** ccache_ptr, // < NC control structure (free via cc_close())
- ccache_cit** itNCs); // <> iterator used by DLL,
- // set to NULL before first call
- // returned NULL at CC_END
+cc_seq_fetch_NCs_begin(
+ apiCB* cc_ctx,
+ ccache_cit** itNCs
+ );
-typedef struct _infoNC {
- char* name;
- enum cc_cred_vers vers;
-} infoNC;
+CCACHE_API
+cc_seq_fetch_NCs_end(
+ apiCB* cc_ctx,
+ ccache_cit** itNCs
+ );
+
+CCACHE_API
+cc_seq_fetch_NCs_next(
+ apiCB* cc_ctx,
+ ccache_p** ccache_ptr,
+ ccache_cit* itNCs
+ );
CCACHE_API
-cc_get_NC_info(apiCB* cc_ctx, // > DLL's primary control structure
- struct _infoNC*** ppNCi); // < (NULL before call) null terminated,
- // list of a structs (free via cc_free_infoNC())
+cc_seq_fetch_NCs(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ ccache_p** ccache_ptr, // < NC control structure (free via cc_close())
+ ccache_cit** itNCs // <> iterator used by DLL,
+ // set to NULL before first call
+ // returned NULL at CC_END
+ );
CCACHE_API
-cc_free_NC_info(apiCB* cc_ctx,
- struct _infoNC*** ppNCi); // < free list of structs returned by cc_get_cache_names()
- // set to NULL on return
+cc_get_NC_info(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ struct _infoNC*** ppNCi // < (NULL before call) null terminated,
+ // list of a structs (free via cc_free_infoNC())
+ );
+
+CCACHE_API
+cc_free_NC_info(
+ apiCB* cc_ctx,
+ struct _infoNC*** ppNCi // < free list of structs returned by
+ // cc_get_cache_names(). set to NULL on return
+ );
/*
** Functions that provide distinguishing characteristics of NCs.
*/
CCACHE_API
-cc_get_name(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr, // > NC control structure
- char** name); // < name of NC associated with ccache_ptr (free via cc_free_name())
+cc_get_name(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_ptr, // > NC control structure
+ char** name // < name of NC associated with ccache_ptr
+ // (free via cc_free_name())
+ );
CCACHE_API
-cc_set_principal(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_pointer,// < name of principal associated with NC
- const enum cc_cred_vers vers, // Free via cc_free_principal()
- const char* principal);
+cc_set_principal(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_pointer, // > NC control structure
+ const cc_int32 vers,
+ const char* principal // > name of principal associated with NC
+ // Free via cc_free_principal()
+ );
CCACHE_API
-cc_get_principal(apiCB* cc_ctx, // > DLL's primary control structure
- ccache_p* ccache_pointer, // < name of principal associated with NC
- char** principal); // Free via cc_free_principal()
+cc_get_principal(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_pointer, // > NC control structure
+ char** principal // < name of principal associated with NC
+ // Free via cc_free_principal()
+ );
-#ifdef JENNYEXT
-
-CCACHE_API
-cc_set_instance(apiCB* cc_ctx, // > DLL's primary control structure
- const char* instance); // < name of principal_instance associated with NC
- // Free via cc_free_instance()
CCACHE_API
-cc_get_instance(apiCB* cc_ctx, // > DLL's primary control structure
- char** instance); // < name of principal_instance associated with NC
- // Free via cc_free_instance()
-#endif /* JENNYEXT */
-
-CCACHE_API
-cc_get_cred_version(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr,// > NC control structure
- enum cc_cred_vers* vers);// < ticket version associated with NC
+cc_get_cred_version(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_ptr, // > NC control structure
+ cc_int32* vers // < ticket version associated with NC
+ );
#define CC_LOCK_UNLOCK 1
#define CC_LOCK_READER 2
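Review bot: The new `cc_seq_fetch_NCs_begin`, `cc_seq_fetch_NCs_end` and `cc_seq_fetch_NCs_next` prototypes have none of the `>` / `<` / `<>` direction comments that every other parameter in this header carries, and the `principal` argument of `cc_create` lost its comment. The same applies to the `cc_seq_fetch_creds_begin`/`_end`/`_next` trio in the later hunk. For iterator APIs the caller needs to know who allocates `itNCs`, whether `_end` must be called after an early exit, and whether the `ccache_p` from `_next` is released with `cc_close()`. I would add comments in the existing style, e.g. `ccache_cit** itNCs // < iterator, release via cc_seq_fetch_NCs_end()`, with the exact ownership rules confirmed by the author. The `cc_initialize` comment also still says "use CC_API_VER_1" although this change defines `CC_API_VER_2`.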
@@ -365,9 +366,12 @@ cc_get_cred_version(apiCB* cc_ctx, // > DLL's primary control structure
#define CC_LOCK_NOBLOCK 16
CCACHE_API
-cc_lock_request(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr,// > NC control structure
- const cc_int32 lock_type);// > one (or combination) of above defined lock types
+cc_lock_request(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_ptr, // > NC control structure
+ const cc_int32 lock_type // > one (or combination) of above defined
+ // lock types
+ );
/*
@@ -375,23 +379,49 @@ cc_lock_request(apiCB* cc_ctx, // > DLL's primary control structure
** store, remove_cred, seq_fetch_creds
*/
CCACHE_API
-cc_store(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr, // > NC control structure
- const cred_union creds); // > credentials to be copied into NC
+cc_store(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ ccache_p* ccache_ptr, // > NC control structure
+ const cred_union creds // > credentials to be copied into NC
+ );
CCACHE_API
-cc_remove_cred(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr, // > NC control structure
- const cred_union cred); // > credentials to remove from NC
+cc_remove_cred(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ ccache_p* ccache_ptr, // > NC control structure
+ const cred_union cred // > credentials to remove from NC
+ );
CCACHE_API
-cc_seq_fetch_creds(apiCB* cc_ctx, // > DLL's primary control structure
- const ccache_p* ccache_ptr, // > NC control structure
- cred_union** creds, // < filled in by DLL, free via cc_free_creds()
- ccache_cit** itCreds); // <> iterator used by DLL, set to NULL before first call
- // Also NULL for final call if loop ends before CC_END
+cc_seq_fetch_creds(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ const ccache_p* ccache_ptr, // > NC control structure
+ cred_union** creds, // < filled in by DLL, free via cc_free_creds()
+ ccache_cit** itCreds // <> iterator used by DLL, set to NULL
+ // before first call -- Also NULL for final
+ // call if loop ends before CC_END
+ );
+
+CCACHE_API
+cc_seq_fetch_creds_begin(
+ apiCB* cc_ctx,
+ const ccache_p* ccache_ptr,
+ ccache_cit** itCreds
+ );
+
+CCACHE_API
+cc_seq_fetch_creds_end(
+ apiCB* cc_ctx,
+ ccache_cit** itCreds
+ );
+
+CCACHE_API
+cc_seq_fetch_creds_next(
+ apiCB* cc_ctx,
+ cred_union** cred,
+ ccache_cit* itCreds
+ );
-
/*
** methods of liberation,
** or freeing space via the free that goes with the malloc used to get it
@@ -401,37 +431,28 @@ cc_seq_fetch_creds(apiCB* cc_ctx, // > DLL's primary control structure
** freeing a NULL pointer is not treated as an error
*/
CCACHE_API
-cc_free_principal(apiCB* cc_ctx, // > DLL's primary control structure
- char** principal); // <> ptr to principal to be freed, returned as NULL
- // (from cc_get_principal())
-
-#ifdef JENNYEXT
-
-CCACHE_API
-cc_free_instance(apiCB* cc_ctx, // > DLL's primary control structure
- char** instance); // <> ptr to instance to be freed, returned as NULL
- // (from cc_get_instance())
-
-#endif
+cc_free_principal(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ char** principal // <> ptr to principal to be freed, returned as NULL
+ // (from cc_get_principal())
+ );
CCACHE_API
-cc_free_name(apiCB* cc_ctx, // > DLL's primary control structure
- char** name); // <> ptr to name to be freed, returned as NULL
- // (from cc_get_name())
+cc_free_name(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ char** name // <> ptr to name to be freed, returned as NULL
+ // (from cc_get_name())
+ );
CCACHE_API
-cc_free_name_list(apiCB* cc_ctx, // > DLL's primary control structure
- char*** name_list); // <> ptr to null terminated list of names to be freed
- // (from cc_get_cache_names()), returned as NULL
-
-CCACHE_API
-cc_free_creds(apiCB* cc_ctx, // > DLL's primary control structure
- cred_union** pCred); // <> cred (from cc_seq_fetch_creds()) to be freed
- // Returned as NULL.
+cc_free_creds(
+ apiCB* cc_ctx, // > DLL's primary control structure
+ cred_union** pCred // <> cred (from cc_seq_fetch_creds()) to be freed
+ // Returned as NULL.
+ );
#ifdef __cplusplus
} /* end extern "C" */
#endif /* __cplusplus */
#endif /* Krb_CCacheAPI_h_ */
-
diff --git a/src/windows/ms2mit/ChangeLog b/src/windows/ms2mit/ChangeLog
new file mode 100644
index 0000000..f2731ff
--- /dev/null
+++ b/src/windows/ms2mit/ChangeLog
@@ -0,0 +1,8 @@
+2001-11-28 Danilo Almeida <dalmeida@mit.edu>
+
+ * ms2mit.c: Make sure we get a des-cbc-crc session key instead of
+ potentially getting whatever happens to be in the cache. Remove
+ unnecessary static variables. Make function headers use a
+ consistent format. Rename ShowLastError() to ShowWinError() and
+ ShowNTError() to ShowLsaError().
+
diff --git a/src/windows/ms2mit/Makefile.in b/src/windows/ms2mit/Makefile.in
new file mode 100644
index 0000000..7a73d6c
--- /dev/null
+++ b/src/windows/ms2mit/Makefile.in
@@ -0,0 +1,22 @@
+# Makefile for the Microsoft to MIT cache converter.
+# Works for k5 release only.
+#
+
+thisconfigdir=./..
+myfulldir=windows/ms2mit
+mydir=.
+MY_SUBDIRS=.
+BUILDTOP=$(REL)$(U)$(S)$(U)
+DEFINES =
+PROG_LIBPATH=-L$(TOPLIBD) -L$(KRB5_LIBDIR)
+
+all-windows:: $(OUTPRE)ms2mit.exe
+
+$(OUTPRE)ms2mit.exe: $(OUTPRE)ms2mit.obj
+ link $(EXE_LINKOPTS) -out:$@ $(OUTPRE)ms2mit.obj user32.lib secur32.lib advapi32.lib $(KLIB) $(CLIB)
+
+install::
+ copy $(OUTPRE)ms2mit.exe $(DESTDIR)
+
+clean::
+ $(RM) $(OUTPRE)*.exe
diff --git a/src/windows/ms2mit/ms2mit.c b/src/windows/ms2mit/ms2mit.c
new file mode 100644
index 0000000..4ec6941
--- /dev/null
+++ b/src/windows/ms2mit/ms2mit.c
@@ -0,0 +1,560 @@
+/*
+ * ms2mit.c
+ *
+ */
+/***********************************************************
+ Copyright 2000 by Carnegie Mellon University
+
+ All Rights Reserved
+
+Permission to use, copy, modify, and distribute this software and its
+documentation for any purpose and without fee is hereby granted,
+provided that the above copyright notice appear in all copies and that
+both that copyright notice and this permission notice appear in
+supporting documentation, and that the name of Carnegie Mellon
+University not be used in advertising or publicity pertaining to
+distribution of the software without specific, written prior
+permission.
+
+CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO
+THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND
+FITNESS, IN NO EVENT SHALL CARNEGIE MELLON UNIVERSITY BE LIABLE FOR
+ANY SPECIAL, INDIRECT OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
+OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+******************************************************************/
+
+
+#define UNICODE
+#define _UNICODE
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <conio.h>
+#include <time.h>
+#define SECURITY_WIN32
+#include <security.h>
+#include <ntsecapi.h>
+
+#include <krb5.h>
+#include <com_err.h>
+#include <assert.h>
+
+VOID
+ShowWinError(
+ LPSTR szAPI,
+ DWORD dwError
+ )
+{
+#define MAX_MSG_SIZE 256
+
+ // TODO - Write errors to event log so that scripts that don't
+ // check for errors will still get something in the event log
+
+ WCHAR szMsgBuf[MAX_MSG_SIZE];
+ DWORD dwRes;
+
+ printf("Error calling function %s: %lu\n", szAPI, dwError);
+
+ dwRes = FormatMessage (
+ FORMAT_MESSAGE_FROM_SYSTEM,
+ NULL,
+ dwError,
+ MAKELANGID (LANG_ENGLISH, SUBLANG_ENGLISH_US),
+ szMsgBuf,
+ MAX_MSG_SIZE,
+ NULL);
+ if (0 == dwRes) {
+ printf("FormatMessage failed with %d\n", GetLastError());
+ ExitProcess(EXIT_FAILURE);
+ }
+
+ printf("%S",szMsgBuf);
+}
+
+VOID
+ShowLsaError(
+ LPSTR szAPI,
+ NTSTATUS Status
+ )
+{
+ //
+ // Convert the NTSTATUS to Winerror. Then call ShowWinError().
+ //
+ ShowWinError(szAPI, LsaNtStatusToWinError(Status));
+}
+
+
+
+BOOL
+WINAPI
+UnicodeToANSI(
+ LPTSTR lpInputString,
+ LPSTR lpszOutputString,
+ int nOutStringLen
+ )
+{
+#ifndef WIN32S
+ CPINFO CodePageInfo;
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // Only supporting non-Unicode strings
+ return FALSE;
+ else if (((LPBYTE) lpInputString)[1] == '\0')
+ {
+ // Looks like unicode, better translate it
+ WideCharToMultiByte(CP_ACP, 0, (LPCWSTR) lpInputString, -1,
+ lpszOutputString, nOutStringLen, NULL, NULL);
+ }
+ else
+ lstrcpyA(lpszOutputString, (LPSTR) lpInputString);
+#else
+ lstrcpy(lpszOutputString, (LPSTR) lpInputString);
+#endif
+ return TRUE;
+} // UnicodeToANSI
+
+VOID
+WINAPI
+ANSIToUnicode(
+ LPSTR lpInputString,
+ LPTSTR lpszOutputString,
+ int nOutStringLen
+ )
+{
+
+#ifndef WIN32S
+ CPINFO CodePageInfo;
+
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+
+ GetCPInfo(CP_ACP, &CodePageInfo);
+
+ if (CodePageInfo.MaxCharSize > 1)
+ // It must already be a Unicode string
+ return;
+ else if (((LPBYTE) lpInputString)[1] != '\0')
+ {
+ // Looks like ANSI, better translate it
+ MultiByteToWideChar(CP_ACP, 0, (LPCSTR) lpInputString, -1,
+ (LPWSTR) lpszOutputString, nOutStringLen);
+ }
+ else
+ lstrcpy(lpszOutputString, (LPTSTR) lpInputString);
+#endif
+} // ANSIToUnicode
+
+
+void
+MSPrincToMITPrinc(
+ KERB_EXTERNAL_NAME *msprinc,
+ WCHAR *realm,
+ krb5_context context,
+ krb5_principal *principal
+ )
+{
+ WCHAR princbuf[512],tmpbuf[128];
+ char aname[512];
+ USHORT i;
+ princbuf[0]=0;
+ for (i=0;i<msprinc->NameCount;i++) {
+ wcsncpy(tmpbuf, msprinc->Names[i].Buffer,
+ msprinc->Names[i].Length/sizeof(WCHAR));
+ tmpbuf[msprinc->Names[i].Length/sizeof(WCHAR)]=0;
+ if (princbuf[0])
+ wcscat(princbuf, L"/");
+ wcscat(princbuf, tmpbuf);
+ }
+ wcscat(princbuf, L"@");
+ wcscat(princbuf, realm);
+ UnicodeToANSI(princbuf, aname, sizeof(aname));
+ krb5_parse_name(context, aname, principal);
+}
+
+
+time_t
+FileTimeToUnixTime(
+ LARGE_INTEGER *ltime
+ )
+{
+ FILETIME filetime, localfiletime;
+ SYSTEMTIME systime;
+ struct tm utime;
+ filetime.dwLowDateTime=ltime->LowPart;
+ filetime.dwHighDateTime=ltime->HighPart;
+ FileTimeToLocalFileTime(&filetime, &localfiletime);
+ FileTimeToSystemTime(&localfiletime, &systime);
+ utime.tm_sec=systime.wSecond;
+ utime.tm_min=systime.wMinute;
+ utime.tm_hour=systime.wHour;
+ utime.tm_mday=systime.wDay;
+ utime.tm_mon=systime.wMonth-1;
+ utime.tm_year=systime.wYear-1900;
+ utime.tm_isdst=-1;
+ return(mktime(&utime));
+}
+
+void
+MSSessionKeyToMITKeyblock(
+ KERB_CRYPTO_KEY *mskey,
+ krb5_context context,
+ krb5_keyblock *keyblock
+ )
+{
+ krb5_keyblock tmpblock;
+ tmpblock.magic=KV5M_KEYBLOCK;
+ tmpblock.enctype=mskey->KeyType;
+ tmpblock.length=mskey->Length;
+ tmpblock.contents=mskey->Value;
+ krb5_copy_keyblock_contents(context, &tmpblock, keyblock);
+}
+
+
+void
+MSFlagsToMITFlags(
+ ULONG msflags,
+ ULONG *mitflags
+ )
+{
+ *mitflags=msflags;
+}
+
+void
+MSTicketToMITTicket(
+ KERB_EXTERNAL_TICKET *msticket,
+ krb5_context context,
+ krb5_data *ticket
+ )
+{
+ krb5_data tmpdata, *newdata;
+ tmpdata.magic=KV5M_DATA;
+ tmpdata.length=msticket->EncodedTicketSize;
+ tmpdata.data=msticket->EncodedTicket;
+ // todo: fix this up a little. this is ugly and will break krb_free_data()
+ krb5_copy_data(context, &tmpdata, &newdata);
+ memcpy(ticket, newdata, sizeof(krb5_data));
+}
+
+void
+MSCredToMITCred(
+ KERB_EXTERNAL_TICKET *msticket,
+ krb5_context context,
+ krb5_creds *creds
+ )
+{
+ WCHAR wtmp[128];
+ ZeroMemory(creds, sizeof(krb5_creds));
+ creds->magic=KV5M_CREDS;
+ wcsncpy(wtmp, msticket->TargetDomainName.Buffer,
+ msticket->TargetDomainName.Length/sizeof(WCHAR));
+ wtmp[msticket->TargetDomainName.Length/sizeof(WCHAR)]=0;
+ MSPrincToMITPrinc(msticket->ClientName, wtmp, context, &creds->client);
+ wcsncpy(wtmp, msticket->DomainName.Buffer,
+ msticket->DomainName.Length/sizeof(WCHAR));
+ wtmp[msticket->DomainName.Length/sizeof(WCHAR)]=0;
+ MSPrincToMITPrinc(msticket->ServiceName, wtmp, context, &creds->server);
+ MSSessionKeyToMITKeyblock(&msticket->SessionKey, context,
+ &creds->keyblock);
+ MSFlagsToMITFlags(msticket->TicketFlags, &creds->ticket_flags);
+ creds->times.starttime=FileTimeToUnixTime(&msticket->StartTime);
+ creds->times.endtime=FileTimeToUnixTime(&msticket->EndTime);
+ creds->times.renew_till=FileTimeToUnixTime(&msticket->RenewUntil);
+
+ // krb5_cc_store_cred crashes downstream if creds->addresses is NULL.
+ // unfortunately, the MS interface doesn't seem to return a list of
+ // addresses as part of the credentials information. for now i'll just
+ // use krb5_os_localaddr to mock up the address list. is this sufficient?
+ krb5_os_localaddr(context, &creds->addresses);
+
+ MSTicketToMITTicket(msticket, context, &creds->ticket);
+}
+
+BOOL
+PackageConnectLookup(
+ HANDLE *pLogonHandle,
+ ULONG *pPackageId
+ )
+{
+ LSA_STRING Name;
+ NTSTATUS Status;
+
+ Status = LsaConnectUntrusted(
+ pLogonHandle
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaConnectUntrusted", Status);
+ return FALSE;
+ }
+
+ Name.Buffer = MICROSOFT_KERBEROS_NAME_A;
+ Name.Length = strlen(Name.Buffer);
+ Name.MaximumLength = Name.Length + 1;
+
+ Status = LsaLookupAuthenticationPackage(
+ *pLogonHandle,
+ &Name,
+ pPackageId
+ );
+
+ if (FAILED(Status))
+ {
+ ShowLsaError("LsaLookupAuthenticationPackage", Status);
+ return FALSE;
+ }
+
+ return TRUE;
+
+}
+
+
+DWORD
+ConcatenateUnicodeStrings(
+ UNICODE_STRING *pTarget,
+ UNICODE_STRING Source1,
+ UNICODE_STRING Source2
+ )
+{
+ //
+ // The buffers for Source1 and Source2 cannot overlap pTarget's
+ // buffer. Source1.Length + Source2.Length must be <= 0xFFFF,
+ // otherwise we overflow...
+ //
+
+ USHORT TotalSize = Source1.Length + Source2.Length;
+ PBYTE buffer = (PBYTE) pTarget->Buffer;
+
+ if (TotalSize > pTarget->MaximumLength)
+ return ERROR_INSUFFICIENT_BUFFER;
+
+ pTarget->Length = TotalSize;
+ memcpy(buffer, Source1.Buffer, Source1.Length);
+ memcpy(buffer + Source1.Length, Source2.Buffer, Source2.Length);
+ return ERROR_SUCCESS;
+}
+
+BOOL
+GetMSTGT(
+ HANDLE LogonHandle,
+ ULONG PackageId,
+ KERB_EXTERNAL_TICKET **ticket
+ )
+{
+ //
+ // INVARIANTS:
+ //
+ // (FAILED(Status) || FAILED(SubStatus)) ==> error
+ // bIsLsaError ==> LsaCallAuthenticationPackage() error
+ //
+
+ //
+ // NOTE:
+ //
+ // The updated code leaks memory, but so does the old code. The
+ // whole program is full of leaks. Since it's short-lived
+ // process, it is ok.
+ //
+
+ BOOL bIsLsaError = FALSE;
+ NTSTATUS Status = 0;
+ NTSTATUS SubStatus = 0;
+
+ UNICODE_STRING TargetPrefix;
+
+ KERB_QUERY_TKT_CACHE_REQUEST CacheRequest;
+ PKERB_RETRIEVE_TKT_REQUEST pTicketRequest;
+ PKERB_RETRIEVE_TKT_RESPONSE pTicketResponse = NULL;
+ ULONG RequestSize;
+ ULONG ResponseSize;
+ USHORT TargetSize;
+
+ CacheRequest.MessageType = KerbRetrieveTicketMessage;
+ CacheRequest.LogonId.LowPart = 0;
+ CacheRequest.LogonId.HighPart = 0;
+
+ pTicketResponse = NULL;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ &CacheRequest,
+ sizeof(CacheRequest),
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ if (pTicketResponse->Ticket.SessionKey.KeyType == KERB_ETYPE_DES_CBC_CRC)
+ {
+ // all done!
+ goto cleanup;
+ }
+
+ //
+ // Set up the "krbtgt/" target prefix into a UNICODE_STRING so we
+ // can easily concatenate it later.
+ //
+
+ TargetPrefix.Buffer = L"krbtgt/";
+ TargetPrefix.Length = wcslen(TargetPrefix.Buffer) * sizeof(WCHAR);
+ TargetPrefix.MaximumLength = TargetPrefix.Length;
+
+ //
+ // We will need to concatenate the "krbtgt/" prefix and the previous
+ // response's target domain into our request's target name.
+ //
+ // Therefore, first compute the necessary buffer size for that.
+ //
+ // Note that we might theoretically have integer overflow.
+ //
+
+ TargetSize = TargetPrefix.Length +
+ pTicketResponse->Ticket.TargetDomainName.Length;
+
+ //
+ // The ticket request buffer needs to be a single buffer. That buffer
+ // needs to include the buffer for the target name.
+ //
+
+ RequestSize = sizeof(*pTicketRequest) + TargetSize;
+
+ //
+ // Allocate the request buffer and make sure it's zero-filled.
+ //
+
+ pTicketRequest = (PKERB_RETRIEVE_TKT_REQUEST)
+ LocalAlloc(LMEM_ZEROINIT, RequestSize);
+ if (!pTicketRequest)
+ {
+ Status = GetLastError();
+ goto cleanup;
+ }
+
+ //
+ // Concatenate the target prefix with the previous reponse's
+ // target domain.
+ //
+
+ pTicketRequest->TargetName.Length = 0;
+ pTicketRequest->TargetName.MaximumLength = TargetSize;
+ pTicketRequest->TargetName.Buffer = (PWSTR) (pTicketRequest + 1);
+ Status = ConcatenateUnicodeStrings(&(pTicketRequest->TargetName),
+ TargetPrefix,
+ pTicketResponse->Ticket.TargetDomainName);
+ assert(SUCCEEDED(Status));
+
+ //
+ // Intialize the requst of the request.
+ //
+
+ pTicketRequest->MessageType = KerbRetrieveEncodedTicketMessage;
+ pTicketRequest->LogonId.LowPart = 0;
+ pTicketRequest->LogonId.HighPart = 0;
+ // Note: pTicketRequest->TargetName set up above
+ pTicketRequest->CacheOptions = KERB_RETRIEVE_TICKET_DONT_USE_CACHE;
+ pTicketRequest->TicketFlags = 0L;
+ pTicketRequest->EncryptionType = ENCTYPE_DES_CBC_CRC;
+
+ //
+ // Free the previous response buffer so we can get the new response.
+ //
+
+ LsaFreeReturnBuffer(pTicketResponse);
+ pTicketResponse = NULL;
+
+ Status = LsaCallAuthenticationPackage(
+ LogonHandle,
+ PackageId,
+ pTicketRequest,
+ RequestSize,
+ &pTicketResponse,
+ &ResponseSize,
+ &SubStatus
+ );
+
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ bIsLsaError = TRUE;
+ goto cleanup;
+ }
+
+ cleanup:
+ if (FAILED(Status) || FAILED(SubStatus))
+ {
+ if (bIsLsaError)
+ {
+ // XXX - Will be fixed later
+ if (FAILED(Status))
+ ShowLsaError("LsaCallAuthenticationPackage", Status);
+ if (FAILED(SubStatus))
+ ShowLsaError("LsaCallAuthenticationPackage", SubStatus);
+ }
+ else
+ {
+ ShowWinError("GetMSTGT", Status);
+ }
+
+ if (pTicketResponse)
+ LsaFreeReturnBuffer(pTicketResponse);
+
+ return(FALSE);
+ }
+
+ *ticket = &(pTicketResponse->Ticket);
+ return(TRUE);
+}
+
+void
+main(
+ int argc,
+ char *argv[]
+ )
+{
+ krb5_context kcontext;
+ krb5_error_code code;
+ krb5_creds creds;
+ krb5_ccache ccache=NULL;
+ krb5_get_init_creds_opt opts;
+ char *cache_name=NULL;
+ HANDLE LogonHandle=NULL;
+ ULONG PackageId;
+
+ KERB_EXTERNAL_TICKET *msticket;
+ if(!PackageConnectLookup(&LogonHandle, &PackageId))
+ exit(1);
+
+ if (GetMSTGT(LogonHandle, PackageId, &msticket)==FALSE)
+ exit(1);
+ if (code = krb5_init_context(&kcontext)) {
+ com_err(argv[0], code, "while initializing kerberos library");
+ exit(1);
+ }
+ krb5_get_init_creds_opt_init(&opts);
+ MSCredToMITCred(msticket, kcontext, &creds);
+ if (code = krb5_cc_default(kcontext, &ccache)) {
+ com_err(argv[0], code, "while getting default ccache");
+ exit(1);
+ }
+ if (code = krb5_cc_initialize(kcontext, ccache, creds.client)) {
+ com_err (argv[0], code, "when initializing cache %s",
+ cache_name?cache_name:"");
+ exit(1);
+ }
+ if (code = krb5_cc_store_cred(kcontext, ccache, &creds)) {
+ com_err (argv[0], code, "while storing credentials");
+ exit(1);
+ }
+ krb5_cc_close(kcontext, ccache);
+ krb5_free_context(kcontext);
+}
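Review bot: MSPrincToMITPrinc copies each `msprinc->Names[i]` into `tmpbuf[128]` with a count taken from the `Length` field of the LSA response and never compares it with the buffer size, so a component of 128 or more characters writes past `tmpbuf`; the `wcscat` calls into `princbuf[512]` are unbounded as well. MSCredToMITCred repeats the pattern with `wtmp[128]` for `TargetDomainName` and `DomainName`. These lengths are supplied from outside the process, so each copy should be checked against its destination and the conversion should fail rather than truncate a principal name; a bounded version of the loop is sketched below. Because the function returns void and the result of `krb5_parse_name` is ignored, main would also need to check `creds.client` before calling `krb5_cc_initialize`.

```c
    WCHAR princbuf[512];
    size_t used = 0;
    const size_t cap = sizeof(princbuf) / sizeof(princbuf[0]);
    // … unchanged: aname and i declarations …

    princbuf[0] = 0;
    for (i = 0; i < msprinc->NameCount; i++) {
        size_t n = msprinc->Names[i].Length / sizeof(WCHAR);
        size_t sep = used ? 1 : 0;

        // Reject, rather than truncate, a name that does not fit
        // (separator + component + terminator must stay inside princbuf).
        if (n + sep >= cap - used)
            return;
        if (sep)
            princbuf[used++] = L'/';
        memcpy(princbuf + used, msprinc->Names[i].Buffer, n * sizeof(WCHAR));
        used += n;
        princbuf[used] = 0;
    }
    // … same length check before appending L"@" and realm …
    // … unchanged: UnicodeToANSI and krb5_parse_name calls …
```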
diff --git a/src/windows/version.rc b/src/windows/version.rc
index 67660fc..854db3a 100644
--- a/src/windows/version.rc
+++ b/src/windows/version.rc
@@ -5,6 +5,16 @@
* BEGIN COMMON VERSION INFO for GSS and Kerberos version resources
*/
+// #define PRE_RELEASE
+
+#ifdef PRE_RELEASE
+#define BETA_STR " beta 2"
+#define BETA_FLAG VS_FF_PRERELEASE
+#else
+#define BETA_STR ""
+#define BETA_FLAG 0
+#endif
+
#if !defined(_WIN32)
#define Targ_OS VOS__WINDOWS16
#else
@@ -13,10 +23,10 @@
/* we're going to stamp all the DLLs with the same version number */
-#define K5_PRODUCT_VERSION_STRING "1.1.1\0"
-#define K5_PRODUCT_VERSION 1, 1, 1, 0
+#define K5_PRODUCT_VERSION_STRING "1.2.8" BETA_STR "\0"
+#define K5_PRODUCT_VERSION 1, 2, 8, 0
-#define K5_COPYRIGHT "Copyright (C) 1997-1999 by the Massachusetts Institute of Technology\0"
+#define K5_COPYRIGHT "Copyright (C) 1997-2001 by the Massachusetts Institute of Technology\0"
#define K5_COMPANY_NAME "Massachusetts Institute of Technology.\0"
/*
@@ -134,7 +144,7 @@ VS_VERSION_INFO VERSIONINFO
FILEVERSION K5_PRODUCT_VERSION
PRODUCTVERSION K5_PRODUCT_VERSION
FILEFLAGSMASK VS_FFI_FILEFLAGSMASK
-FILEFLAGS (VS_FF_DEBUG | VS_FF_PRIVATEBUILD)
+FILEFLAGS (VS_FF_DEBUG | VS_FF_PRIVATEBUILD | BETA_FLAG)
FILEOS Targ_OS
FILETYPE K5_FILETYPE
BEGIN
diff --git a/src/windows/wintel/ChangeLog b/src/windows/wintel/ChangeLog
index a9d6900..f8526d9 100644
--- a/src/windows/wintel/ChangeLog
+++ b/src/windows/wintel/ChangeLog
@@ -1,3 +1,9 @@
+2000-05-08 Nalin Dahyabhai <nalin@redhat.com>
+
+ * auth.c (auth_abort): Don't overflow buffer "strTmp".
+ (k4_auth_send): Don't overflow buffer "dbgbuf".
+ * encrypt.c (printsub): Don't overflow buffer "p".
+
1999-12-03 Danilo Almeida <dalmeida@mit.edu>
* Makefile.in: Windows fix for updated win-pre.in.
diff --git a/src/windows/wintel/auth.c b/src/windows/wintel/auth.c
index 5e9d1d2..28f515b 100644
--- a/src/windows/wintel/auth.c
+++ b/src/windows/wintel/auth.c
@@ -151,10 +151,11 @@ auth_abort(kstream ks, char *errmsg, long r)
TelnetSend(ks, (LPSTR)buf, 8, 0);
if (errmsg != NULL) {
- strcpy(strTmp, errmsg);
+ strTmp[sizeof(strTmp) - 1] = '\0';
+ strncpy(strTmp, errmsg, sizeof(strTmp) - 1);
if (r != KSUCCESS) {
- strcat(strTmp, "\n");
+ strncat(strTmp, "\n", sizeof(strTmp) - 1 - strlen(strTmp));
#ifdef KRB4
lstrcat(strTmp, krb_get_err_text((int)r));
#endif
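Review bot: The `lstrcat(strTmp, krb_get_err_text((int)r));` call left as context under `#ifdef KRB4` still appends without a bound, so once the new `strncpy`/`strncat` have filled `strTmp` close to capacity the error text can run past its end. The same holds in the third hunk of this file, where `lstrcat(buf, instance);` and `lstrcat(buf, realm);` in k4_auth_send sit between the newly bounded `strncat` calls. Each should take the same form as its neighbours, e.g. `strncat(strTmp, krb_get_err_text((int)r), sizeof(strTmp) - 1 - strlen(strTmp));`. The declarations of `strTmp` and `buf` are outside the hunks, so this assumes they are arrays, as the added `sizeof` expressions already do.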
@@ -423,8 +424,8 @@ k4_auth_send(kstream ks)
if (!realm) {
strcpy(buf, "Can't find realm for host \"");
- strcat(buf, szHostName);
- strcat(buf, "\"");
+ strncat(buf, szHostName, sizeof(buf) - 1 - strlen(buf));
+ strncat(buf, "\"", sizeof(buf) - 1 - strlen(buf));
auth_abort(ks, buf, 0);
return KFAILURE;
}
@@ -436,14 +437,14 @@ k4_auth_send(kstream ks)
if (r) {
strcpy(buf, "Can't get \"");
- strcat(buf, KRB_SERVICE_NAME);
+ strncat(buf, KRB_SERVICE_NAME, sizeof(buf) - 1 - strlen(buf));
if (instance[0] != 0) {
- strcat(buf, ".");
+ strncat(buf, ".", sizeof(buf) - 1 - strlen(buf));
lstrcat(buf, instance);
}
- strcat(buf, "@");
+ strncat(buf, "@", sizeof(buf) - 1 - strlen(buf));
lstrcat(buf, realm);
- strcat(buf, "\" ticket");
+ strncat(buf, "\" ticket", sizeof(buf) - 1 - strlen(buf));
auth_abort(ks, buf, r);
return r;
diff --git a/src/windows/wintel/encrypt.c b/src/windows/wintel/encrypt.c
index f1a1301..bbb5496 100644
--- a/src/windows/wintel/encrypt.c
+++ b/src/windows/wintel/encrypt.c
@@ -230,10 +230,11 @@ printsub(char c, unsigned char *s, size_t len)
*p++ = c;
- for (i = 0 ; i < len ; i++)
+ for (i = 0 ; (i < len) && (p - dbgbuf + 3 < sizeof(dbgbuf)) ; i++)
p += sprintf(p, "%02x ", s[i]);
+ dbgbuf[sizeof(dbgbuf) - 1] = '\0';
- strcat(p, "\n");
+ strncat(p, "\n", sizeof(dbgbuf) - 1 - (p - dbgbuf));
OutputDebugString(dbgbuf);