authornectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
committernectar <nectar@FreeBSD.org>2003-10-09 19:36:20 +0000
commit4b1830fcc62c1379c7e5b60b06a78c6b92be27a1 (patch)
tree88853123284bc96433c6157005c60a6400a667fe /crypto/heimdal/kdc
parent39a0f4325675fc5ed2a293a8141341ec81645685 (diff)
parent5c90662d441c12cd30c694eb1172d6fea2f8f282 (diff)
This commit was generated by cvs2svn to compensate for changes in r120945,
which included commits to RCS files with non-trunk default branches.
Diffstat (limited to 'crypto/heimdal/kdc')
-rw-r--r--crypto/heimdal/kdc/524.c121
-rw-r--r--crypto/heimdal/kdc/Makefile.am8
-rw-r--r--crypto/heimdal/kdc/Makefile.in42
-rw-r--r--crypto/heimdal/kdc/config.c47
-rw-r--r--crypto/heimdal/kdc/connect.c29
-rw-r--r--crypto/heimdal/kdc/hprop.835
-rw-r--r--crypto/heimdal/kdc/hpropd.837
-rw-r--r--crypto/heimdal/kdc/hpropd.c24
-rw-r--r--crypto/heimdal/kdc/kaserver.c2
-rw-r--r--crypto/heimdal/kdc/kdc.8165
-rw-r--r--crypto/heimdal/kdc/kdc_locl.h17
-rw-r--r--crypto/heimdal/kdc/kerberos4.c187
-rw-r--r--crypto/heimdal/kdc/kerberos5.c22
-rw-r--r--crypto/heimdal/kdc/string2key.833
-rw-r--r--crypto/heimdal/kdc/string2key.c47
-rw-r--r--crypto/heimdal/kdc/v4_dump.c6
16 files changed, 541 insertions, 281 deletions
diff --git a/crypto/heimdal/kdc/524.c b/crypto/heimdal/kdc/524.c
index 21bc6a1..225594e 100644
--- a/crypto/heimdal/kdc/524.c
+++ b/crypto/heimdal/kdc/524.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,9 +33,11 @@
#include "kdc_locl.h"
-RCSID("$Id: 524.c,v 1.25 2002/07/31 09:43:20 joda Exp $");
+RCSID("$Id: 524.c,v 1.29 2003/03/17 05:35:47 assar Exp $");
-#ifdef KRB4
+#ifndef KRB4
+#include <krb5-v4compat.h>
+#endif
/*
* fetch the server from `t', returning the name in malloced memory in
@@ -173,6 +175,94 @@ set_address (EncTicketPart *et,
return 0;
}
+
+static krb5_error_code
+encrypt_v4_ticket(void *buf,
+ size_t len,
+ krb5_keyblock *skey,
+ EncryptedData *reply)
+{
+ krb5_crypto crypto;
+ krb5_error_code ret;
+ ret = krb5_crypto_init(context, skey, ETYPE_DES_PCBC_NONE, &crypto);
+ if (ret) {
+ free(buf);
+ kdc_log(0, "krb5_crypto_init failed: %s",
+ krb5_get_err_text(context, ret));
+ return ret;
+ }
+
+ ret = krb5_encrypt_EncryptedData(context,
+ crypto,
+ KRB5_KU_TICKET,
+ buf,
+ len,
+ 0,
+ reply);
+ krb5_crypto_destroy(context, crypto);
+ if(ret) {
+ kdc_log(0, "Failed to encrypt data: %s",
+ krb5_get_err_text(context, ret));
+ return ret;
+ }
+ return 0;
+}
+
+static krb5_error_code
+encode_524_response(const char *spn, const EncTicketPart et, const Ticket *t,
+ hdb_entry *server, EncryptedData *ticket, int *kvno)
+{
+ krb5_error_code ret;
+ int use_2b;
+ size_t len;
+
+ use_2b = krb5_config_get_bool(context, NULL, "kdc", "use_2b", spn, NULL);
+ if(use_2b) {
+ ASN1_MALLOC_ENCODE(EncryptedData,
+ ticket->cipher.data, ticket->cipher.length,
+ &t->enc_part, &len, ret);
+
+ if (ret) {
+ kdc_log(0, "Failed to encode v4 (2b) ticket (%s)", spn);
+ return ret;
+ }
+
+ ticket->etype = 0;
+ ticket->kvno = NULL;
+ *kvno = 213; /* 2b's use this magic kvno */
+ } else {
+ unsigned char buf[MAX_KTXT_LEN + 4 * 4];
+ Key *skey;
+
+ if (!enable_v4_cross_realm && strcmp (et.crealm, t->realm) != 0) {
+ kdc_log(0, "524 cross-realm %s -> %s disabled", et.crealm,
+ t->realm);
+ return KRB5KDC_ERR_POLICY;
+ }
+
+ ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
+ &et, &t->sname, &len);
+ if(ret){
+ kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
+ return ret;
+ }
+ ret = get_des_key(server, TRUE, FALSE, &skey);
+ if(ret){
+ kdc_log(0, "no suitable DES key for server (%s)", spn);
+ return ret;
+ }
+ ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
+ &skey->key, ticket);
+ if(ret){
+ kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
+ return ret;
+ }
+ *kvno = server->kvno;
+ }
+
+ return 0;
+}
+
/*
* process a 5->4 request, based on `t', and received `from, addr',
* returning the reply in `reply'
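Review bot: `encrypt_v4_ticket` calls `free(buf)` when `krb5_crypto_init` fails, but its only caller in this hunk, `encode_524_response`, passes `buf + sizeof(buf) - len` where `buf` is the automatic array `unsigned char buf[MAX_KTXT_LEN + 4 * 4]`; freeing a pointer into stack storage is undefined behaviour and will typically abort the KDC on that error path. The helper does not own the buffer, so the `free(buf);` line should simply be dropped and cleanup left to the caller. Separately, `encode_524_response` takes `const EncTicketPart et` by value, copying the whole structure on every call and sitting oddly next to `const Ticket *t`; `const EncTicketPart *et` (with `et.crealm` becoming `et->crealm` and `&et` becoming `et`) would be consistent. The `enable_v4_cross_realm` policy check is only in the non-2b branch; if that is deliberate because a 2b reply carries the untouched v5 encrypted part, a one-line comment such as `/* 2b replies keep the v5 enc-part, so realm is preserved */` would save the next reader from wondering whether the check was forgotten.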
@@ -193,6 +283,7 @@ do_524(const Ticket *t, krb5_data *reply,
char *spn = NULL;
unsigned char buf[MAX_KTXT_LEN + 4 * 4];
size_t len;
+ int kvno;
if(!enable_524) {
ret = KRB5KDC_ERR_POLICY;
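Review bot: `int kvno;` is declared without an initializer and is later written into the reply under `if(ret == 0)` at the `out:` label, yet it is only assigned inside `encode_524_response`; any path that reaches `out` with `ret == 0` without having called it would read indeterminate memory. From the visible hunks every `goto out` appears to set a non-zero `ret` first, but `int kvno = 0;` costs nothing and removes the reliance on that invariant. With the encoding now moved into `encode_524_response`, the `size_t len;` declared directly above (and any `Key *skey` still declared in `do_524` outside this hunk) looks unused in this function; worth confirming and removing so the build stays warning-free.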
@@ -251,31 +342,17 @@ do_524(const Ticket *t, krb5_data *reply,
free_EncTicketPart(&et);
goto out;
}
- ret = encode_v4_ticket(buf + sizeof(buf) - 1, sizeof(buf),
- &et, &t->sname, &len);
+
+ ret = encode_524_response(spn, et, t, server, &ticket, &kvno);
free_EncTicketPart(&et);
- if(ret){
- kdc_log(0, "Failed to encode v4 ticket (%s)", spn);
- goto out;
- }
- ret = get_des_key(server, TRUE, FALSE, &skey);
- if(ret){
- kdc_log(0, "no suitable DES key for server (%s)", spn);
- goto out;
- }
- ret = encrypt_v4_ticket(buf + sizeof(buf) - len, len,
- skey->key.keyvalue.data, &ticket);
- if(ret){
- kdc_log(0, "Failed to encrypt v4 ticket (%s)", spn);
- goto out;
- }
+
out:
/* make reply */
memset(buf, 0, sizeof(buf));
sp = krb5_storage_from_mem(buf, sizeof(buf));
krb5_store_int32(sp, ret);
if(ret == 0){
- krb5_store_int32(sp, server->kvno); /* is this right? */
+ krb5_store_int32(sp, kvno);
krb5_store_data(sp, ticket.cipher);
/* Aargh! This is coded as a KTEXT_ST. */
krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR);
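Review bot: With the new `use_2b` path the reply cipher is the DER-encoded v5 `EncryptedData` rather than a DES-PCBC v4 ticket, so `ticket.cipher.length` is no longer bounded by the v4 encoder, while the reply is still laid out as a KTEXT_ST via `krb5_store_data(sp, ticket.cipher)` into the `MAX_KTXT_LEN + 4 * 4` byte `buf` and `krb5_storage_seek(sp, MAX_KTXT_LEN - ticket.cipher.length, SEEK_CUR)`. If a 2b-encoded ticket ever exceeds `MAX_KTXT_LEN` the seek offset goes negative and, depending on how `krb5_storage_from_mem` bounds writes, the stored data is truncated or the trailing fields are misplaced. A bound check right after `encode_524_response` succeeds, `if (ret == 0 && ticket.cipher.length > MAX_KTXT_LEN) ret = KRB5KRB_ERR_FIELD_TOOLONG;`, would fail closed with a defined error instead. `do_524`'s body starts outside this hunk.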
@@ -292,5 +369,3 @@ out:
free_ent (server);
return ret;
}
-
-#endif /* KRB4 */
diff --git a/crypto/heimdal/kdc/Makefile.am b/crypto/heimdal/kdc/Makefile.am
index 3bb00f8..f41f46e 100644
--- a/crypto/heimdal/kdc/Makefile.am
+++ b/crypto/heimdal/kdc/Makefile.am
@@ -1,4 +1,4 @@
-# $Id: Makefile.am,v 1.43 2001/08/28 08:31:27 assar Exp $
+# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $
include $(top_srcdir)/Makefile.am.common
@@ -20,9 +20,9 @@ kstash_SOURCES = kstash.c headers.h
string2key_SOURCES = string2key.c headers.h
if KRB4
-krb4_sources = 524.c kerberos4.c kaserver.c rx.h
+krb4_sources = kaserver.c rx.h
else
-krb4_sources =
+krb4_sources =
endif
kdc_SOURCES = \
@@ -33,6 +33,8 @@ kdc_SOURCES = \
log.c \
main.c \
misc.c \
+ 524.c \
+ kerberos4.c \
$(krb4_sources)
diff --git a/crypto/heimdal/kdc/Makefile.in b/crypto/heimdal/kdc/Makefile.in
index 429deea..298d382 100644
--- a/crypto/heimdal/kdc/Makefile.in
+++ b/crypto/heimdal/kdc/Makefile.in
@@ -14,11 +14,11 @@
@SET_MAKE@
-# $Id: Makefile.am,v 1.43 2001/08/28 08:31:27 assar Exp $
+# $Id: Makefile.am,v 1.44 2003/01/14 05:47:06 lha Exp $
# $Id: Makefile.am.common,v 1.5 2002/05/19 18:35:37 joda Exp $
-# $Id: Makefile.am.common,v 1.36 2002/08/19 16:10:25 joda Exp $
+# $Id: Makefile.am.common,v 1.37.2.1 2003/05/08 17:08:09 joda Exp $
SHELL = @SHELL@
srcdir = @srcdir@
@@ -114,6 +114,7 @@ LIB_roken = @LIB_roken@
LIB_security = @LIB_security@
LN_S = @LN_S@
LTLIBOBJS = @LTLIBOBJS@
+MAINT = @MAINT@
NEED_WRITEAUTH_FALSE = @NEED_WRITEAUTH_FALSE@
NEED_WRITEAUTH_TRUE = @NEED_WRITEAUTH_TRUE@
NROFF = @NROFF@
@@ -192,7 +193,7 @@ LIB_readline = @LIB_readline@
NROFF_MAN = groff -mandoc -Tascii
-@KRB4_TRUE@LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
+LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS)
@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \
@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la
@@ -216,7 +217,7 @@ kstash_SOURCES = kstash.c headers.h
string2key_SOURCES = string2key.c headers.h
-@KRB4_TRUE@krb4_sources = 524.c kerberos4.c kaserver.c rx.h
+@KRB4_TRUE@krb4_sources = kaserver.c rx.h
@KRB4_FALSE@krb4_sources =
kdc_SOURCES = \
@@ -227,6 +228,8 @@ kdc_SOURCES = \
log.c \
main.c \
misc.c \
+ 524.c \
+ kerberos4.c \
$(krb4_sources)
@@ -284,11 +287,11 @@ hpropd_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
$(top_builddir)/lib/krb5/libkrb5.la \
$(top_builddir)/lib/asn1/libasn1.la
hpropd_LDFLAGS =
-@KRB4_TRUE@am__objects_1 = 524.$(OBJEXT) kerberos4.$(OBJEXT) \
-@KRB4_TRUE@ kaserver.$(OBJEXT)
+@KRB4_TRUE@am__objects_1 = kaserver.$(OBJEXT)
@KRB4_FALSE@am__objects_1 =
am_kdc_OBJECTS = config.$(OBJEXT) connect.$(OBJEXT) kerberos5.$(OBJEXT) \
- log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT) $(am__objects_1)
+ log.$(OBJEXT) main.$(OBJEXT) misc.$(OBJEXT) 524.$(OBJEXT) \
+ kerberos4.$(OBJEXT) $(am__objects_1)
kdc_OBJECTS = $(am_kdc_OBJECTS)
kdc_DEPENDENCIES = $(top_builddir)/lib/hdb/libhdb.la \
$(top_builddir)/lib/krb5/libkrb5.la \
@@ -334,10 +337,10 @@ all: all-am
.SUFFIXES:
.SUFFIXES: .et .h .x .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj
-$(srcdir)/Makefile.in: Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
+$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(top_srcdir)/configure.in $(ACLOCAL_M4)
cd $(top_srcdir) && \
$(AUTOMAKE) --foreign kdc/Makefile
-Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
+Makefile: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.in $(top_builddir)/config.status
cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)
binPROGRAMS_INSTALL = $(INSTALL_PROGRAM)
install-binPROGRAMS: $(bin_PROGRAMS)
@@ -614,7 +617,9 @@ info: info-am
info-am:
-install-data-am: install-data-local install-man
+install-data-am: install-man
+ @$(NORMAL_INSTALL)
+ $(MAKE) $(AM_MAKEFLAGS) install-data-hook
install-exec-am: install-binPROGRAMS install-libexecPROGRAMS \
install-sbinPROGRAMS
@@ -646,14 +651,13 @@ uninstall-man: uninstall-man8
clean-libtool clean-sbinPROGRAMS distclean distclean-compile \
distclean-generic distclean-libtool distclean-tags distdir dvi \
dvi-am info info-am install install-am install-binPROGRAMS \
- install-data install-data-am install-data-local install-exec \
- install-exec-am install-info install-info-am \
- install-libexecPROGRAMS install-man install-man8 \
- install-sbinPROGRAMS install-strip installcheck installcheck-am \
- installdirs maintainer-clean maintainer-clean-generic \
- mostlyclean mostlyclean-compile mostlyclean-generic \
- mostlyclean-libtool tags uninstall uninstall-am \
- uninstall-binPROGRAMS uninstall-info-am \
+ install-data install-data-am install-exec install-exec-am \
+ install-info install-info-am install-libexecPROGRAMS \
+ install-man install-man8 install-sbinPROGRAMS install-strip \
+ installcheck installcheck-am installdirs maintainer-clean \
+ maintainer-clean-generic mostlyclean mostlyclean-compile \
+ mostlyclean-generic mostlyclean-libtool tags uninstall \
+ uninstall-am uninstall-binPROGRAMS uninstall-info-am \
uninstall-libexecPROGRAMS uninstall-man uninstall-man8 \
uninstall-sbinPROGRAMS
@@ -781,7 +785,7 @@ dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans
install-cat-mans:
$(SHELL) $(top_srcdir)/cf/install-catman.sh "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS)
-install-data-local: install-cat-mans
+install-data-hook: install-cat-mans
.et.h:
$(COMPILE_ET) $<
diff --git a/crypto/heimdal/kdc/config.c b/crypto/heimdal/kdc/config.c
index 165e309..dbe952f 100644
--- a/crypto/heimdal/kdc/config.c
+++ b/crypto/heimdal/kdc/config.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -35,7 +35,7 @@
#include <getarg.h>
#include <parse_bytes.h>
-RCSID("$Id: config.c,v 1.43 2002/08/29 01:51:07 assar Exp $");
+RCSID("$Id: config.c,v 1.46 2003/03/18 00:22:23 lha Exp $");
static const char *config_file; /* location of kdc config file */
@@ -71,10 +71,12 @@ krb5_addresses explicit_addresses;
#ifdef KRB4
char *v4_realm;
int enable_v4 = -1;
-int enable_524 = -1;
int enable_kaserver = -1;
#endif
+int enable_524 = -1;
+int enable_v4_cross_realm = -1;
+
static int help_flag;
static int version_flag;
@@ -98,22 +100,26 @@ static struct getargs args[] = {
},
#endif
{ "enable-http", 'H', arg_flag, &enable_http, "turn on HTTP support" },
-#ifdef KRB4
- { "kerberos4", 0, arg_negative_flag, &enable_v4,
- "don't respond to kerberos 4 requests"
- },
{ "524", 0, arg_negative_flag, &enable_524,
"don't respond to 524 requests"
},
- {
- "v4-realm", 'r', arg_string, &v4_realm,
- "realm to serve v4-requests for"
- },
+#ifdef KRB4
{
"kaserver", 'K', arg_flag, &enable_kaserver,
"enable kaserver support"
},
+ { "kerberos4", 0, arg_flag, &enable_v4,
+ "respond to kerberos 4 requests"
+ },
+ {
+ "v4-realm", 'r', arg_string, &v4_realm,
+ "realm to serve v4-requests for"
+ },
#endif
+ { "kerberos4-cross-realm", 0, arg_flag,
+ &enable_v4_cross_realm,
+ "respond to kerberos 4 requests from foreign realms"
+ },
{ "ports", 'P', arg_string, &port_str,
"ports to listen to", "portspec"
},
@@ -332,12 +338,20 @@ configure(int argc, char **argv)
#ifdef KRB4
if(enable_v4 == -1)
- enable_v4 = krb5_config_get_bool_default(context, NULL, TRUE, "kdc",
+ enable_v4 = krb5_config_get_bool_default(context, NULL, FALSE, "kdc",
"enable-kerberos4", NULL);
+#else
+#define enable_v4 0
+#endif
+ if(enable_v4_cross_realm == -1)
+ enable_v4_cross_realm =
+ krb5_config_get_bool_default(context, NULL,
+ FALSE, "kdc",
+ "enable-kerberos4-cross-realm",
+ NULL);
if(enable_524 == -1)
enable_524 = krb5_config_get_bool_default(context, NULL, enable_v4,
"kdc", "enable-524", NULL);
-#endif
if(enable_http == -1)
enable_http = krb5_config_get_bool(context, NULL, "kdc",
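Review bot: `#define enable_v4 0` is introduced inside `configure()` but, being a preprocessor macro, stays in effect for the rest of the translation unit in non-KRB4 builds; any later `enable_v4` in this file would silently become the literal `0`. Adding `#undef enable_v4` directly after the `enable_524` default (guarded by the same `#ifndef KRB4`) keeps the workaround local to the two lines that need it. Note also that the default for `enable_524` is now `enable_v4`, which this same hunk flips from `TRUE` to `FALSE`, so 524 service is off by default unless `enable-524` is set in the config; the kdc.8 text for `--no-524` ("don't respond to 524 requests") reads as if the default were on, so one of the two should be brought in line.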
@@ -358,8 +372,11 @@ configure(int argc, char **argv)
"kdc",
"v4-realm",
NULL);
- if(p)
+ if(p != NULL) {
v4_realm = strdup(p);
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
+ }
}
if (enable_kaserver == -1)
enable_kaserver = krb5_config_get_bool_default(context, NULL, FALSE,
@@ -394,6 +411,8 @@ configure(int argc, char **argv)
#ifdef KRB4
if(v4_realm == NULL){
v4_realm = malloc(40); /* REALM_SZ */
+ if (v4_realm == NULL)
+ krb5_errx(context, 1, "out of memory");
krb_get_lrealm(v4_realm, 1);
}
#endif
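Review bot: The new out-of-memory check is correct, but the `krb_get_lrealm(v4_realm, 1)` that follows still has its return value ignored; if it fails, `v4_realm` remains uninitialized heap memory that is later used as the realm name. Checking it, `if (krb_get_lrealm(v4_realm, 1) != KSUCCESS) krb5_errx(context, 1, "cannot determine v4 realm");`, fails closed at startup rather than serving a garbage realm. The literal `40` with the `/* REALM_SZ */` comment is exactly the constant the comment names; writing `malloc(REALM_SZ)` keeps the size and the comment from drifting apart. `configure()` starts outside this hunk.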
diff --git a/crypto/heimdal/kdc/connect.c b/crypto/heimdal/kdc/connect.c
index 54dff30..3ad1c1d 100644
--- a/crypto/heimdal/kdc/connect.c
+++ b/crypto/heimdal/kdc/connect.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: connect.c,v 1.86.4.1 2002/10/21 16:05:17 joda Exp $");
+RCSID("$Id: connect.c,v 1.90 2003/02/18 15:39:10 lha Exp $");
/*
* a tuple describing on what to listen
@@ -131,15 +131,15 @@ add_standard_ports (int family)
add_port_service(family, "kerberos-sec", 88, "tcp");
if(enable_http)
add_port_service(family, "http", 80, "tcp");
+ if(enable_524) {
+ add_port_service(family, "krb524", 4444, "udp");
+ add_port_service(family, "krb524", 4444, "tcp");
+ }
#ifdef KRB4
if(enable_v4) {
add_port_service(family, "kerberos-iv", 750, "udp");
add_port_service(family, "kerberos-iv", 750, "tcp");
}
- if(enable_524) {
- add_port_service(family, "krb524", 4444, "udp");
- add_port_service(family, "krb524", 4444, "tcp");
- }
if (enable_kaserver)
add_port_service(family, "afs3-kaserver", 7004, "udp");
#endif
@@ -214,7 +214,7 @@ init_descr(struct descr *d)
}
/*
- * re-intialize all `n' ->sa in `d'.
+ * re-initialize all `n' ->sa in `d'.
*/
static void
@@ -236,7 +236,7 @@ init_socket(struct descr *d, krb5_address *a, int family, int type, int port)
krb5_error_code ret;
struct sockaddr_storage __ss;
struct sockaddr *sa = (struct sockaddr *)&__ss;
- int sa_size;
+ int sa_size = sizeof(__ss);
init_descr (d);
@@ -358,9 +358,7 @@ process_request(unsigned char *buf,
struct sockaddr *addr)
{
KDC_REQ req;
-#ifdef KRB4
Ticket ticket;
-#endif
krb5_error_code ret;
size_t i;
@@ -373,21 +371,20 @@ process_request(unsigned char *buf,
ret = tgs_rep(&req, reply, from, addr);
free_TGS_REQ(&req);
return ret;
- }
-#ifdef KRB4
- else if(maybe_version4(buf, len)){
- *sendlength = 0; /* elbitapmoc sdrawkcab XXX */
- do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
- return 0;
}else if(decode_Ticket(buf, len, &ticket, &i) == 0){
ret = do_524(&ticket, reply, from, addr);
free_Ticket(&ticket);
return ret;
+#ifdef KRB4
+ } else if(maybe_version4(buf, len)){
+ *sendlength = 0; /* elbitapmoc sdrawkcab XXX */
+ do_version4(buf, len, reply, from, (struct sockaddr_in*)addr);
+ return 0;
} else if (enable_kaserver) {
ret = do_kaserver (buf, len, reply, from, (struct sockaddr_in*)addr);
return ret;
- }
#endif
+ }
return -1;
}
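Review bot: After the reordering, `decode_Ticket(buf, len, &ticket, &i)` is attempted on every packet that is not a KDC-REQ, before the KRB4 heuristics and regardless of `enable_524`; the policy check lives inside `do_524`, so a KDC with 524 disabled still ASN.1-parses that untrusted input. If the `KRB5KDC_ERR_POLICY` reply is not needed when 524 is off, guarding the dispatch, `}else if(enable_524 && decode_Ticket(buf, len, &ticket, &i) == 0){`, avoids the parse entirely; if the explicit error reply is wanted, a comment such as `/* do_524 enforces enable_524 and answers with KRB5KDC_ERR_POLICY */` would make the intent explicit. The `#ifdef KRB4` now opens mid-chain and the closing `}` has moved outside the `#endif`; it compiles, but keeping the brace with its branch and closing the chain once per configuration would be easier to read.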
diff --git a/crypto/heimdal/kdc/hprop.8 b/crypto/heimdal/kdc/hprop.8
index f9b3ba7..f5e3879 100644
--- a/crypto/heimdal/kdc/hprop.8
+++ b/crypto/heimdal/kdc/hprop.8
@@ -1,4 +1,35 @@
-.\" $Id: hprop.8,v 1.16 2002/08/20 17:18:38 joda Exp $
+.\" Copyright (c) 2000 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: hprop.8,v 1.18 2003/02/16 21:10:19 lha Exp $
.\"
.Dd June 19, 2000
.Dt HPROP 8
@@ -125,7 +156,7 @@ is compiled with support for Kerberos 4 (kaserver).
.Fl r Ar string ,
.Fl -v4-realm= Ns Ar string
.Xc
-v4 realm to use
+v4 realm to use.
.It Xo
.Fl c Ar cell ,
.Fl -cell= Ns Ar cell
diff --git a/crypto/heimdal/kdc/hpropd.8 b/crypto/heimdal/kdc/hpropd.8
index 2fa63f1..7bb2deb 100644
--- a/crypto/heimdal/kdc/hpropd.8
+++ b/crypto/heimdal/kdc/hpropd.8
@@ -1,4 +1,35 @@
-.\" $Id: hpropd.8,v 1.9 2002/08/20 16:37:13 joda Exp $
+.\" Copyright (c) 1997, 2000 - 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: hpropd.8,v 1.11 2003/02/16 21:10:20 lha Exp $
.\"
.Dd August 27, 1997
.Dt HPROPD 8
@@ -22,7 +53,7 @@
.Op Fl 4 | Fl -v4dump
.Sh DESCRIPTION
.Nm
-receives databases sent by
+receives a database sent by
.Nm hprop .
and writes it as a local database.
.Pp
@@ -58,7 +89,7 @@ print dump to stdout
.Fl i ,
.Fl -no-inetd
.Xc
-Not started from inetd
+not started from inetd
.It Xo
.Fl k Ar keytab ,
.Fl -keytab= Ns Ar keytab
diff --git a/crypto/heimdal/kdc/hpropd.c b/crypto/heimdal/kdc/hpropd.c
index b36ca4d..d27ff25 100644
--- a/crypto/heimdal/kdc/hpropd.c
+++ b/crypto/heimdal/kdc/hpropd.c
@@ -33,7 +33,7 @@
#include "hprop.h"
-RCSID("$Id: hpropd.c,v 1.35 2002/04/18 10:18:50 joda Exp $");
+RCSID("$Id: hpropd.c,v 1.36 2003/04/16 15:46:32 lha Exp $");
#ifdef KRB4
static des_cblock mkey4;
@@ -87,11 +87,11 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd)
if (ent->max_life) {
asprintf(&p, "%d", krb_time_to_life(0, *ent->max_life));
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
} else
- strcat(buf, "255");
- strcat(buf, " ");
+ strlcat(buf, "255", sizeof(buf));
+ strlcat(buf, " ", sizeof(buf));
i = 0;
while (i < ent->keys.len &&
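Review bot: Switching to `strlcat(buf, p, sizeof(buf))` bounds the writes, but the `asprintf(&p, ...)` just above is unchecked; on allocation failure `p` is NULL (indeterminate on some libcs) and `strlcat` dereferences it. The same pattern recurs in this file's hunks at `@@ -107`, `@@ -123` and `@@ -149`. `strlcat` also truncates silently, so an over-long entry yields a shortened but plausible-looking dump line; comparing its return value against `sizeof(buf)` and failing the entry, `if (strlcat(buf, p, sizeof(buf)) >= sizeof(buf)) { free(p); goto fail; }` (or whatever error convention `dump_krb4` uses, its signature being outside the hunk), would make truncation visible to the operator instead of producing a corrupt v4 dump.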
@@ -107,15 +107,15 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd)
asprintf(&p, "%d ", *ent->keys.val[i].mkvno);
else
asprintf(&p, "%d ", 1);
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
asprintf(&p, "%d ", ent->kvno);
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
asprintf(&p, "%d ", 0); /* Attributes are always 0*/
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
{
@@ -123,15 +123,15 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd)
kdb_encrypt_key((des_cblock*)key, (des_cblock*)key,
&mkey4, msched4, DES_ENCRYPT);
asprintf(&p, "%x %x ", (int)htonl(*key), (int)htonl(*(key+1)));
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
}
if (ent->valid_end == NULL)
- strcat(buf, time2str(60*60*24*365*50)); /* no expiration */
+ strlcat(buf, time2str(60*60*24*365*50), sizeof(buf)); /*no expiration*/
else
- strcat(buf, time2str(*ent->valid_end));
- strcat(buf, " ");
+ strlcat(buf, time2str(*ent->valid_end), sizeof(buf));
+ strlcat(buf, " ", sizeof(buf));
if (ent->modified_by == NULL)
modifier = &ent->created_by;
@@ -149,7 +149,7 @@ dump_krb4(krb5_context context, hdb_entry *ent, int fd)
asprintf(&p, "%s %s %s\n", time2str(modifier->time),
(strlen(name) != 0) ? name : "*",
(strlen(instance) != 0) ? instance : "*");
- strcat(buf, p);
+ strlcat(buf, p, sizeof(buf));
free(p);
ret = write(fd, buf, strlen(buf));
diff --git a/crypto/heimdal/kdc/kaserver.c b/crypto/heimdal/kdc/kaserver.c
index 7eeff8a..1a998ee 100644
--- a/crypto/heimdal/kdc/kaserver.c
+++ b/crypto/heimdal/kdc/kaserver.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kaserver.c,v 1.20.2.1 2002/10/21 14:30:51 joda Exp $");
+RCSID("$Id: kaserver.c,v 1.21 2002/10/21 12:59:41 joda Exp $");
#include <rx.h>
diff --git a/crypto/heimdal/kdc/kdc.8 b/crypto/heimdal/kdc/kdc.8
index 20c180a..baae563 100644
--- a/crypto/heimdal/kdc/kdc.8
+++ b/crypto/heimdal/kdc/kdc.8
@@ -1,4 +1,35 @@
-.\" $Id: kdc.8,v 1.17 2002/08/28 21:09:05 joda Exp $
+.\" Copyright (c) 2003 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: kdc.8,v 1.23 2003/04/06 17:48:40 lha Exp $
.\"
.Dd August 22, 2002
.Dt KDC 8
@@ -15,23 +46,26 @@
.Op Fl p | Fl -no-require-preauth
.Op Fl -max-request= Ns Ar size
.Op Fl H | Fl -enable-http
+.Op Fl -no-524
+.Op Fl -kerberos4
+.Op Fl -kerberos4-cross-realm
.Oo Fl r Ar string \*(Ba Xo
.Fl -v4-realm= Ns Ar string
.Xc
.Oc
-.Op Fl K | Fl -no-kaserver
-.Op Fl r Ar realm
-.Op Fl -v4-realm= Ns Ar realm
-.Oo Fl P Ar string \*(Ba Xo
-.Fl -ports= Ns Ar string
+.Op Fl K | Fl -kaserver
+.Oo Fl P Ar portspec \*(Ba Xo
+.Fl -ports= Ns Ar portspec
.Xc
.Oc
+.Op Fl -detach
.Op Fl -addresses= Ns Ar list of addresses
.Sh DESCRIPTION
.Nm
-serves requests for tickets. When it starts, it first checks the flags
-passed, any options that are not specified with a command line flag is
-taken from a config file, or from a default compiled-in value.
+serves requests for tickets.
+When it starts, it first checks the flags passed, any options that are
+not specified with a command line flag are taken from a config file,
+or from a default compiled-in value.
.Pp
Options supported:
.Bl -tag -width Ds
@@ -47,14 +81,17 @@ This is the only value that can't be specified in the config file.
.Fl -no-require-preauth
.Xc
Turn off the requirement for pre-autentication in the initial AS-REQ
-for all principals. The use of pre-authentication makes it more
-difficult to do offline password attacks. You might want to turn it
-off if you have clients that doesn't do pre-authentication. Since the
-version 4 protocol doesn't support any pre-authentication, so serving
-version 4 clients is just about the same as not requiring
-pre-athentication. The default is to require
-pre-authentication. Adding the require-preauth per principal is a more
-flexible way of handling this.
+for all principals.
+The use of pre-authentication makes it more difficult to do offline
+password attacks.
+You might want to turn it off if you have clients
+that don't support pre-authentication.
+Since the version 4 protocol doesn't support any pre-authentication,
+serving version 4 clients is just about the same as not requiring
+pre-athentication.
+The default is to require pre-authentication.
+Adding the require-preauth per principal is a more flexible way of
+handling this.
.It Xo
.Fl -max-request= Ns Ar size
.Xc
@@ -66,34 +103,53 @@ willing to handle.
.Xc
Makes the kdc listen on port 80 and handle requests encapsulated in HTTP.
.It Xo
-.Fl K ,
-.Fl -no-kaserver
+.Fl -no-524
+.Xc
+don't respond to 524 requests
+.It Xo
+.Fl -kerberos4
.Xc
-Disables kaserver emulation (in case it's compiled in).
+respond to Kerberos 4 requests
.It Xo
-.Fl r Ar realm ,
-.Fl -v4-realm= Ns Ar realm
+.Fl -kerberos4-cross-realm
+.Xc
+respond to Kerberos 4 requests from foreign realms.
+This is a known security hole and should not be enabled unless you
+understand the consequences and are willing to live with them.
+.It Xo
+.Fl r Ar string ,
+.Fl -v4-realm= Ns Ar string
.Xc
What realm this server should act as when dealing with version 4
-requests. The database can contain any number of realms, but since the
-version 4 protocol doesn't contain a realm for the server, it must be
-explicitly specified. The default is whatever is returned by
+requests.
+The database can contain any number of realms, but since the version 4
+protocol doesn't contain a realm for the server, it must be explicitly
+specified.
+The default is whatever is returned by
.Fn krb_get_lrealm .
This option is only availabe if the KDC has been compiled with version
4 support.
.It Xo
-.Fl P Ar string ,
-.Fl -ports= Ns Ar string
+.Fl K ,
+.Fl -kaserver
.Xc
-Specifies the set of ports the KDC should listen on. It is given as a
+Enable kaserver emulation (in case it's compiled in).
+.It Xo
+.Fl P Ar portspec ,
+.Fl -ports= Ns Ar portspec
+.Xc
+Specifies the set of ports the KDC should listen on.
+It is given as a
white-space separated list of services or port numbers.
.It Fl -addresses= Ns Ar list of addresses
-The list of addresses to listen for requests on. By default, the kdc
-will listen on all the locally configured addresses. If only a subset
-is desired, or the automatic detection fails, this option might be used.
+The list of addresses to listen for requests on.
+By default, the kdc will listen on all the locally configured
+addresses.
+If only a subset is desired, or the automatic detection fails, this
+option might be used.
.El
.Pp
-All activities , are logged to one or more destinations, see
+All activities are logged to one or more destinations, see
.Xr krb5.conf 5 ,
and
.Xr krb5_openlog 3 .
@@ -104,13 +160,14 @@ The configuration file has the same syntax as
.Xr krb5.conf 5 ,
but will be read before
.Pa /etc/krb5.conf ,
-so it may override settings found there. Options specific to the KDC
-only are found in the
+so it may override settings found there.
+Options specific to the KDC only are found in the
.Dq [kdc]
section.
All the command-line options can preferably be added in the
-configuration file. The only difference is the pre-authentication flag,
-that has to be specified as:
+configuration file.
+The only difference is the pre-authentication flag, which has to be
+specified as:
.Pp
.Dl require-preauth = no
.Pp
@@ -121,21 +178,28 @@ And there are some configuration options which do not have
command-line equivalents:
.Bl -tag -width "xxx" -offset indent
.It Li check-ticket-addresses = Va boolean
-Check the addresses in the ticket when processing TGS requests. The
-default is FALSE.
+Check the addresses in the ticket when processing TGS requests.
+The default is FALSE.
.It Li allow-null-ticket-addresses = Va boolean
-Permit tickets with no addresses. This option is only relevant when
-check-ticket-addresses is TRUE.
+Permit tickets with no addresses.
+This option is only relevant when check-ticket-addresses is TRUE.
.It Li allow-anonymous = Va boolean
Permit anonymous tickets with no addresses.
.It encode_as_rep_as_tgs_rep = Va boolean
-Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code. The
-Heimdal clients allow both.
+Encode AS-Rep as TGS-Rep to be bug-compatible with old DCE code.
+The Heimdal clients allow both.
.It kdc_warn_pwexpire = Va time
How long before password/principal expiration the KDC should start
sending out warning messages.
.El
.Pp
+The configuration file is only read when the
+.Nm
+is started.
+If changes made to the configuration file are to take effect, the
+.Nm
+needs to be restarted.
+.Pp
An example of a config file:
.Bd -literal -offset indent
[kdc]
@@ -145,14 +209,15 @@ An example of a config file:
.Ed
.Sh BUGS
If the machine running the KDC has new addresses added to it, the KDC
-will have to be restarted to listen to them. The reason it doesn't
-just listen to wildcarded (like INADDR_ANY) addresses, is that the
-replies has to come from the same address they were sent to, and most
-OS:es doesn't pass this information to the application. If your normal
-mode of operation require that you add and remove addresses, the best
-option is probably to listen to a wildcarded TCP socket, and make sure
-your clients use TCP to connect. For instance, this will listen to
-IPv4 TCP port 88 only:
+will have to be restarted to listen to them.
+The reason it doesn't just listen to wildcarded (like INADDR_ANY)
+addresses, is that the replies has to come from the same address they
+were sent to, and most OS:es doesn't pass this information to the
+application.
+If your normal mode of operation require that you add and remove
+addresses, the best option is probably to listen to a wildcarded TCP
+socket, and make sure your clients use TCP to connect.
+For instance, this will listen to IPv4 TCP port 88 only:
.Bd -literal -offset indent
kdc --addresses=0.0.0.0 --ports="88/tcp"
.Ed
diff --git a/crypto/heimdal/kdc/kdc_locl.h b/crypto/heimdal/kdc/kdc_locl.h
index 6ab28d0..9c19f54 100644
--- a/crypto/heimdal/kdc/kdc_locl.h
+++ b/crypto/heimdal/kdc/kdc_locl.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997-2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -32,7 +32,7 @@
*/
/*
- * $Id: kdc_locl.h,v 1.54 2002/08/19 12:18:07 joda Exp $
+ * $Id: kdc_locl.h,v 1.58 2003/03/18 00:23:06 lha Exp $
*/
#ifndef __KDC_LOCL_H__
@@ -62,11 +62,12 @@ extern krb5_boolean encode_as_rep_as_tgs_rep;
extern krb5_boolean check_ticket_addresses;
extern krb5_boolean allow_null_ticket_addresses;
extern krb5_boolean allow_anonymous;
+extern int enable_524;
+extern int enable_v4_cross_realm;
#ifdef KRB4
extern char *v4_realm;
extern int enable_v4;
-extern int enable_524;
extern krb5_boolean enable_kaserver;
#endif
@@ -96,15 +97,15 @@ krb5_error_code check_flags(hdb_entry *client, const char *client_name,
hdb_entry *server, const char *server_name,
krb5_boolean is_as_req);
+krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
+krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
+ const PrincipalName*, size_t*);
+krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
+
#ifdef KRB4
krb5_error_code db_fetch4 (const char*, const char*, const char*, hdb_entry**);
-krb5_error_code do_524 (const Ticket*, krb5_data*, const char*, struct sockaddr*);
krb5_error_code do_version4 (unsigned char*, size_t, krb5_data*, const char*,
struct sockaddr_in*);
-krb5_error_code encode_v4_ticket (void*, size_t, const EncTicketPart*,
- const PrincipalName*, size_t*);
-krb5_error_code encrypt_v4_ticket (void*, size_t, des_cblock*, EncryptedData*);
-krb5_error_code get_des_key(hdb_entry*, krb5_boolean, krb5_boolean, Key**);
int maybe_version4 (unsigned char*, int);
#endif
diff --git a/crypto/heimdal/kdc/kerberos4.c b/crypto/heimdal/kdc/kerberos4.c
index c3a851b..8c6c3f0 100644
--- a/crypto/heimdal/kdc/kerberos4.c
+++ b/crypto/heimdal/kdc/kerberos4.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997 - 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997 - 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos4.c,v 1.41 2002/04/18 16:08:24 joda Exp $");
+RCSID("$Id: kerberos4.c,v 1.45 2003/03/17 05:37:55 assar Exp $");
#ifdef KRB4
@@ -108,67 +108,6 @@ db_fetch4(const char *name, const char *instance, const char *realm,
return ret;
}
-krb5_error_code
-get_des_key(hdb_entry *principal, krb5_boolean is_server,
- krb5_boolean prefer_afs_key, Key **ret_key)
-{
- Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
- int i;
- krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
- ETYPE_DES_CBC_MD4,
- ETYPE_DES_CBC_CRC };
-
- for(i = 0;
- i < sizeof(etypes)/sizeof(etypes[0])
- && (v5_key == NULL || v4_key == NULL ||
- afs_key == NULL || server_key == NULL);
- ++i) {
- Key *key = NULL;
- while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
- if(key->salt == NULL) {
- if(v5_key == NULL)
- v5_key = key;
- } else if(key->salt->type == hdb_pw_salt &&
- key->salt->salt.length == 0) {
- if(v4_key == NULL)
- v4_key = key;
- } else if(key->salt->type == hdb_afs3_salt) {
- if(afs_key == NULL)
- afs_key = key;
- } else if(server_key == NULL)
- server_key = key;
- }
- }
-
- if(prefer_afs_key) {
- if(afs_key)
- *ret_key = afs_key;
- else if(v4_key)
- *ret_key = v4_key;
- else if(v5_key)
- *ret_key = v5_key;
- else if(is_server && server_key)
- *ret_key = server_key;
- else
- return KERB_ERR_NULL_KEY;
- } else {
- if(v4_key)
- *ret_key = v4_key;
- else if(afs_key)
- *ret_key = afs_key;
- else if(v5_key)
- *ret_key = v5_key;
- else if(is_server && server_key)
- *ret_key = server_key;
- else
- return KERB_ERR_NULL_KEY;
- }
-
- if((*ret_key)->key.keyvalue.length == 0)
- return KERB_ERR_NULL_KEY;
- return 0;
-}
-
#define RCHECK(X, L) if(X){make_err_reply(reply, KFAILURE, "Packet too short"); goto L;}
/*
@@ -208,7 +147,7 @@ do_version4(unsigned char *buf,
sp = krb5_storage_from_mem(buf, len);
RCHECK(krb5_ret_int8(sp, &pvno), out);
if(pvno != 4){
- kdc_log(0, "Protocol version mismatch (%d)", pvno);
+ kdc_log(0, "Protocol version mismatch (krb4) (%d)", pvno);
make_err_reply(reply, KDC_PKT_VER, NULL);
goto out;
}
@@ -231,7 +170,7 @@ do_version4(unsigned char *buf,
snprintf (server_name, sizeof(server_name),
"%s.%s@%s", sname, sinst, v4_realm);
- kdc_log(0, "AS-REQ %s from %s for %s",
+ kdc_log(0, "AS-REQ (krb4) %s from %s for %s",
client_name, from, server_name);
ret = db_fetch4(name, inst, realm, &client);
@@ -354,7 +293,7 @@ do_version4(unsigned char *buf,
ret = krb5_425_conv_principal(context, "krbtgt", realm, v4_realm,
&tgt_princ);
if(ret){
- kdc_log(0, "Converting krbtgt principal: %s",
+ kdc_log(0, "Converting krbtgt principal (krb4): %s",
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE,
"Failed to convert v4 principal (krbtgt)");
@@ -365,7 +304,7 @@ do_version4(unsigned char *buf,
if(ret){
char *s;
s = kdc_log_msg(0, "Ticket-granting ticket not "
- "found in database: krbtgt.%s@%s: %s",
+ "found in database (krb4): krbtgt.%s@%s: %s",
realm, v4_realm,
krb5_get_err_text(context, ret));
make_err_reply(reply, KFAILURE, s);
@@ -374,7 +313,7 @@ do_version4(unsigned char *buf,
}
if(tgt->kvno % 256 != kvno){
- kdc_log(0, "tgs-req with old kvno %d (current %d) for "
+ kdc_log(0, "tgs-req (krb4) with old kvno %d (current %d) for "
"krbtgt.%s@%s", kvno, tgt->kvno % 256, realm, v4_realm);
make_err_reply(reply, KDC_AUTH_EXP,
"old krbtgt kvno used");
@@ -383,7 +322,7 @@ do_version4(unsigned char *buf,
ret = get_des_key(tgt, TRUE, FALSE, &tkey);
if(ret){
- kdc_log(0, "no suitable DES key for krbtgt");
+ kdc_log(0, "no suitable DES key for krbtgt (krb4)");
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"no suitable DES key for krbtgt");
@@ -420,18 +359,25 @@ do_version4(unsigned char *buf,
"%s.%s@%s",
sname, sinst, v4_realm);
- kdc_log(0, "TGS-REQ %s.%s@%s from %s for %s",
+ kdc_log(0, "TGS-REQ (krb4) %s.%s@%s from %s for %s",
ad.pname, ad.pinst, ad.prealm, from, server_name);
if(strcmp(ad.prealm, realm)){
- kdc_log(0, "Can't hop realms %s -> %s", realm, ad.prealm);
+ kdc_log(0, "Can't hop realms (krb4) %s -> %s", realm, ad.prealm);
+ make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
+ "Can't hop realms");
+ goto out2;
+ }
+
+ if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0) {
+ kdc_log(0, "krb4 Cross-realm %s -> %s disabled", realm, v4_realm);
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't hop realms");
goto out2;
}
if(strcmp(sname, "changepw") == 0){
- kdc_log(0, "Bad request for changepw ticket");
+ kdc_log(0, "Bad request for changepw ticket (krb4)");
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN,
"Can't authorize password change based on TGT");
goto out2;
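Review bot: The new `if (!enable_v4_cross_realm && strcmp(realm, v4_realm) != 0)` guard runs only after the krbtgt entry has been fetched, its DES key selected and the TGT decrypted (the `ad.*` fields logged just above come from the decrypted ticket), yet `realm` is already known where `krb5_425_conv_principal(context, "krbtgt", realm, v4_realm, ...)` is called earlier in do_version4; hoisting the check above that lookup would reject disabled cross-realm requests before any database or DES work is done. Whether cross-realm is denied out of the box depends on the default assigned to `enable_v4_cross_realm` in config.c, which is in the diffstat but not shown here. The two adjacent checks reply with the same "Can't hop realms" text, which is fine for not leaking configuration, but a one-line comment such as `/* krb4 TGT issued by a realm other than v4_realm: only honoured when enable_v4_cross_realm is set */` would make the second one's intent clear. do_version4's body extends beyond both ends of the hunk.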
@@ -441,7 +387,8 @@ do_version4(unsigned char *buf,
ret = db_fetch4(ad.pname, ad.pinst, ad.prealm, &client);
if(ret){
char *s;
- s = kdc_log_msg(0, "Client not found in database: %s.%s@%s: %s",
+ s = kdc_log_msg(0, "Client not found in database: (krb4) "
+ "%s.%s@%s: %s",
ad.pname, ad.pinst, ad.prealm,
krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
@@ -453,7 +400,7 @@ do_version4(unsigned char *buf,
ret = db_fetch4(sname, sinst, v4_realm, &server);
if(ret){
char *s;
- s = kdc_log_msg(0, "Server not found in database: %s: %s",
+ s = kdc_log_msg(0, "Server not found in database (krb4): %s: %s",
server_name, krb5_get_err_text(context, ret));
make_err_reply(reply, KERB_ERR_PRINCIPAL_UNKNOWN, s);
free(s);
@@ -471,7 +418,7 @@ do_version4(unsigned char *buf,
ret = get_des_key(server, TRUE, FALSE, &skey);
if(ret){
- kdc_log(0, "no suitable DES key for server");
+ kdc_log(0, "no suitable DES key for server (krb4)");
/* XXX */
make_err_reply(reply, KDC_NULL_KEY,
"no suitable DES key for server");
@@ -494,6 +441,7 @@ do_version4(unsigned char *buf,
KTEXT r;
des_cblock session;
des_new_random_key(&session);
+
krb_create_ticket(&ticket, 0, ad.pname, ad.pinst, ad.prealm,
addr->sin_addr.s_addr, &session, life, kdc_time,
sname, sinst, skey->key.keyvalue.data);
@@ -522,7 +470,7 @@ do_version4(unsigned char *buf,
case AUTH_MSG_ERR_REPLY:
break;
default:
- kdc_log(0, "Unknown message type: %d from %s",
+ kdc_log(0, "Unknown message type (krb4): %d from %s",
msg_type, from);
make_err_reply(reply, KFAILURE, "Unknown message type");
@@ -546,30 +494,11 @@ out:
return 0;
}
+#else /* KRB4 */
-#define ETYPE_DES_PCBC 17 /* XXX */
+#include <krb5-v4compat.h>
-krb5_error_code
-encrypt_v4_ticket(void *buf, size_t len, des_cblock *key, EncryptedData *reply)
-{
- des_key_schedule schedule;
-
- reply->etype = ETYPE_DES_PCBC;
- reply->kvno = NULL;
- reply->cipher.length = len;
- reply->cipher.data = malloc(len);
- if(len != 0 && reply->cipher.data == NULL)
- return ENOMEM;
- des_set_key(key, schedule);
- des_pcbc_encrypt(buf,
- reply->cipher.data,
- len,
- schedule,
- key,
- DES_ENCRYPT);
- memset(schedule, 0, sizeof(schedule));
- return 0;
-}
+#endif /* KRB4 */
krb5_error_code
encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
@@ -658,4 +587,64 @@ encode_v4_ticket(void *buf, size_t len, const EncTicketPart *et,
return 0;
}
-#endif /* KRB4 */
+krb5_error_code
+get_des_key(hdb_entry *principal, krb5_boolean is_server,
+ krb5_boolean prefer_afs_key, Key **ret_key)
+{
+ Key *v5_key = NULL, *v4_key = NULL, *afs_key = NULL, *server_key = NULL;
+ int i;
+ krb5_enctype etypes[] = { ETYPE_DES_CBC_MD5,
+ ETYPE_DES_CBC_MD4,
+ ETYPE_DES_CBC_CRC };
+
+ for(i = 0;
+ i < sizeof(etypes)/sizeof(etypes[0])
+ && (v5_key == NULL || v4_key == NULL ||
+ afs_key == NULL || server_key == NULL);
+ ++i) {
+ Key *key = NULL;
+ while(hdb_next_enctype2key(context, principal, etypes[i], &key) == 0) {
+ if(key->salt == NULL) {
+ if(v5_key == NULL)
+ v5_key = key;
+ } else if(key->salt->type == hdb_pw_salt &&
+ key->salt->salt.length == 0) {
+ if(v4_key == NULL)
+ v4_key = key;
+ } else if(key->salt->type == hdb_afs3_salt) {
+ if(afs_key == NULL)
+ afs_key = key;
+ } else if(server_key == NULL)
+ server_key = key;
+ }
+ }
+
+ if(prefer_afs_key) {
+ if(afs_key)
+ *ret_key = afs_key;
+ else if(v4_key)
+ *ret_key = v4_key;
+ else if(v5_key)
+ *ret_key = v5_key;
+ else if(is_server && server_key)
+ *ret_key = server_key;
+ else
+ return KERB_ERR_NULL_KEY;
+ } else {
+ if(v4_key)
+ *ret_key = v4_key;
+ else if(afs_key)
+ *ret_key = afs_key;
+ else if(v5_key)
+ *ret_key = v5_key;
+ else if(is_server && server_key)
+ *ret_key = server_key;
+ else
+ return KERB_ERR_NULL_KEY;
+ }
+
+ if((*ret_key)->key.keyvalue.length == 0)
+ return KERB_ERR_NULL_KEY;
+ return 0;
+}
+
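Review bot: get_des_key is now compiled for both the KRB4 and non-KRB4 builds but carries no comment describing its selection order, which is the security-relevant part of the function: with prefer_afs_key it returns the AFS-salted key, then the key with an empty pw-salt (v4), then the unsalted v5 key, and a key with any other salt only when is_server is set; with prefer_afs_key false the v4 key is tried before the AFS one. A header comment such as `/* Pick a single-DES key for krb4/524 use, preferring v4 (empty pw-salt) > AFS > v5 (no salt) > other salts (servers only), or AFS first when prefer_afs_key; returns KERB_ERR_NULL_KEY when nothing usable or the key is empty. */` would document that. The loop index `i` is an int compared against a size_t expression; declaring it `size_t i` avoids the signed/unsigned comparison warning.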
diff --git a/crypto/heimdal/kdc/kerberos5.c b/crypto/heimdal/kdc/kerberos5.c
index 7ba9680..232c3ad 100644
--- a/crypto/heimdal/kdc/kerberos5.c
+++ b/crypto/heimdal/kdc/kerberos5.c
@@ -33,7 +33,7 @@
#include "kdc_locl.h"
-RCSID("$Id: kerberos5.c,v 1.143 2002/09/09 14:03:02 nectar Exp $");
+RCSID("$Id: kerberos5.c,v 1.145 2003/04/15 11:07:39 lha Exp $");
#define MAX_TIME ((time_t)((1U << 31) - 1))
@@ -716,9 +716,10 @@ as_rep(KDC_REQ *req,
if (ret == 0) {
kdc_log(5, "Using %s/%s", cet, set);
free(set);
- } else
- free(cet);
- } else
+ }
+ free(cet);
+ }
+ if (ret != 0)
kdc_log(5, "Using e-types %d/%d", cetype, setype);
}
@@ -914,8 +915,8 @@ as_rep(KDC_REQ *req,
client->kvno, &ckey->key, &e_text, reply);
free_EncTicketPart(&et);
free_EncKDCRepPart(&ek);
- free_AS_REP(&rep);
out:
+ free_AS_REP(&rep);
if(ret){
krb5_mk_error(context,
ret,
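Review bot: With `free_AS_REP(&rep)` moved under the `out:` label, every early `goto out` in as_rep now frees `rep`, so `rep` must be zero-initialised before the first such jump or the error path frees uninitialised pointers; that initialisation is outside the hunk and should be confirmed rather than assumed. A short comment on the label, `/* rep is zeroed at entry; safe to free on every path */`, would record the invariant. as_rep's body starts and ends outside the hunk.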
@@ -1172,18 +1173,15 @@ tgs_make_reply(KDC_REQ_BODY *b,
ret = check_tgs_flags(b, tgt, &et);
if(ret)
- return ret;
+ goto out;
copy_TransitedEncoding(&tgt->transited, &et.transited);
ret = fix_transited_encoding(&et.transited,
*krb5_princ_realm(context, client_principal),
*krb5_princ_realm(context, server->principal),
*krb5_princ_realm(context, krbtgt->principal));
- if(ret){
- free_TransitedEncoding(&et.transited);
- return ret;
- }
-
+ if(ret)
+ goto out;
copy_Realm(krb5_princ_realm(context, server->principal),
&rep.ticket.realm);
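Review bot: `copy_TransitedEncoding(&tgt->transited, &et.transited)` is still unchecked; it allocates and can fail, after which fix_transited_encoding operates on a partially copied structure. With the new goto-based cleanup the check is one line: `ret = copy_TransitedEncoding(&tgt->transited, &et.transited); if (ret) goto out;`. Since the explicit free_TransitedEncoding on the failure path is gone, the `out:` label (outside the hunk) must free `et.transited` along with the rest of `et`, and `et` must be zeroed before check_tgs_flags for that free to be safe; tgs_make_reply extends beyond both ends of the hunk.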
@@ -1457,6 +1455,7 @@ tgs_rep2(KDC_REQ_BODY *b,
if(ret) {
char *p;
krb5_unparse_name(context, princ, &p);
+ krb5_free_principal(context, princ);
kdc_log(0, "Ticket-granting ticket not found in database: %s: %s",
p, krb5_get_err_text(context, ret));
free(p);
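Review bot: krb5_unparse_name's return value is ignored on the line above the new krb5_free_principal; if it fails without setting `p`, an uninitialised pointer is then formatted with %s and passed to free(p). Guarding it, `if (krb5_unparse_name(context, princ, &p) != 0) p = NULL;` and logging `p ? p : "<unparseable>"`, closes that hole (free(NULL) is harmless). tgs_rep2 continues outside the hunk.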
@@ -1469,6 +1468,7 @@ tgs_rep2(KDC_REQ_BODY *b,
char *p;
krb5_unparse_name (context, princ, &p);
+ krb5_free_principal(context, princ);
kdc_log(0, "Ticket kvno = %d, DB kvno = %d (%s)",
*ap_req.ticket.enc_part.kvno,
krbtgt->kvno,
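Review bot: `krb5_unparse_name (context, princ, &p)` is unchecked here before `p` is logged in the kvno-mismatch message and (presumably, the free is below the hunk) freed; on failure `p` may be uninitialised. A guard of the form `if (krb5_unparse_name(context, princ, &p) != 0) p = NULL;` with `p ? p : "<unparseable>"` in the kdc_log call avoids formatting and freeing garbage. tgs_rep2 continues outside the hunk.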
diff --git a/crypto/heimdal/kdc/string2key.8 b/crypto/heimdal/kdc/string2key.8
index 7b081d4..dc9d63b 100644
--- a/crypto/heimdal/kdc/string2key.8
+++ b/crypto/heimdal/kdc/string2key.8
@@ -1,4 +1,35 @@
-.\" $Id: string2key.8,v 1.5 2002/08/20 16:37:16 joda Exp $
+.\" Copyright (c) 2000 - 2002 Kungliga Tekniska Högskolan
+.\" (Royal Institute of Technology, Stockholm, Sweden).
+.\" All rights reserved.
+.\"
+.\" Redistribution and use in source and binary forms, with or without
+.\" modification, are permitted provided that the following conditions
+.\" are met:
+.\"
+.\" 1. Redistributions of source code must retain the above copyright
+.\" notice, this list of conditions and the following disclaimer.
+.\"
+.\" 2. Redistributions in binary form must reproduce the above copyright
+.\" notice, this list of conditions and the following disclaimer in the
+.\" documentation and/or other materials provided with the distribution.
+.\"
+.\" 3. Neither the name of the Institute nor the names of its contributors
+.\" may be used to endorse or promote products derived from this software
+.\" without specific prior written permission.
+.\"
+.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+.\" SUCH DAMAGE.
+.\"
+.\" $Id: string2key.8,v 1.6 2003/02/16 21:10:21 lha Exp $
.\"
.Dd March 4, 2000
.Dt STRING2KEY 8
diff --git a/crypto/heimdal/kdc/string2key.c b/crypto/heimdal/kdc/string2key.c
index 677ada6..8a38442 100644
--- a/crypto/heimdal/kdc/string2key.c
+++ b/crypto/heimdal/kdc/string2key.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 1997, 1998, 1999, 2002 Kungliga Tekniska Högskolan
+ * Copyright (c) 1997-2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -34,7 +34,7 @@
#include "headers.h"
#include <getarg.h>
-RCSID("$Id: string2key.c,v 1.19 2002/04/18 10:18:07 joda Exp $");
+RCSID("$Id: string2key.c,v 1.20 2003/03/25 12:28:52 joda Exp $");
int version5;
int version4;
@@ -42,7 +42,7 @@ int afs;
char *principal;
char *cell;
char *password;
-const char *keytype_str = "des-cbc-md5";
+const char *keytype_str = "des3-cbc-sha1";
int version;
int help;
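Review bot: Changing the default keytype to des3-cbc-sha1 interacts with the DES-only check later in main: when --version5 is in effect together with --version4 or --afs and no explicit --keytype is given, the tool now exits with "DES is the only valid keytype for AFS and Kerberos 4" where the old des-cbc-md5 default produced all keys in one run. If that is intended, the man page should state that combined v5/v4/AFS output requires an explicit DES keytype (the string2key.8 hunk in this commit only adds a license header); a comment on this line, `/* v5 default; v4/AFS paths always use single DES regardless */`, would also help.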
@@ -76,8 +76,11 @@ tokey(krb5_context context,
{
int i;
krb5_keyblock key;
+ char *e;
krb5_string_to_key_salt(context, enctype, password, salt, &key);
- printf("%s: ", label);
+ krb5_enctype_to_string(context, enctype, &e);
+ printf(label, e);
+ printf(": ");
for(i = 0; i < key.keyvalue.length; i++)
printf("%02x", ((unsigned char*)key.keyvalue.data)[i]);
printf("\n");
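Review bot: `krb5_enctype_to_string(context, enctype, &e)` is unchecked, so on failure `e` may be uninitialised when `printf(label, e)` consumes it, and the string it allocates on success is never freed. Two lines fix both: `if (krb5_enctype_to_string(context, enctype, &e) != 0) krb5_errx(context, 1, "unknown enctype %d", enctype);` before the printf and `free(e);` after it. `label` is now a format string rather than a plain label; all current callers pass literals, but the parameter should be documented as such (`/* label: printf format taking one %s, the enctype name */`) so a future caller does not pass user-controlled text. tokey's signature is above the hunk.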
@@ -115,23 +118,35 @@ main(int argc, char **argv)
version5 = 1;
ret = krb5_string_to_enctype(context, keytype_str, &etype);
-#if 0
if(ret) {
krb5_keytype keytype;
+ int *etypes;
+ unsigned num;
ret = krb5_string_to_keytype(context, keytype_str, &keytype);
- ret = krb5_keytype_to_enctype(context, keytype, &etype);
+ if(ret)
+ krb5_err(context, 1, ret, "%s", keytype_str);
+ ret = krb5_keytype_to_enctypes(context, keytype, &num, &etypes);
+ if(ret)
+ krb5_err(context, 1, ret, "%s", keytype_str);
+ if(num == 0)
+ krb5_errx(context, 1, "there are no encryption types for that keytype");
+ etype = etypes[0];
+ krb5_enctype_to_string(context, etype, &keytype_str);
+ if(num > 1 && version5)
+ krb5_warnx(context, "ambiguous keytype, using %s", keytype_str);
}
-#endif
- if(ret)
- krb5_err(context, 1, ret, "%s", keytype_str);
if((etype != ETYPE_DES_CBC_CRC &&
etype != ETYPE_DES_CBC_MD4 &&
etype != ETYPE_DES_CBC_MD5) &&
- (afs || version4))
- krb5_errx(context, 1,
- "DES is the only valid keytype for AFS and Kerberos 4");
-
+ (afs || version4)) {
+ if(!version5) {
+ etype = ETYPE_DES_CBC_CRC;
+ } else {
+ krb5_errx(context, 1,
+ "DES is the only valid keytype for AFS and Kerberos 4");
+ }
+ }
if(version5 && principal == NULL){
printf("Kerberos v5 principal: ");
@@ -160,20 +175,20 @@ main(int argc, char **argv)
if(version5){
krb5_parse_name(context, principal, &princ);
krb5_get_pw_salt(context, princ, &salt);
- tokey(context, etype, password, salt, "Kerberos v5 key");
+ tokey(context, etype, password, salt, "Kerberos 5 (%s)");
krb5_free_salt(context, salt);
}
if(version4){
salt.salttype = KRB5_PW_SALT;
salt.saltvalue.length = 0;
salt.saltvalue.data = NULL;
- tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos v4 key");
+ tokey(context, ETYPE_DES_CBC_MD5, password, salt, "Kerberos 4");
}
if(afs){
salt.salttype = KRB5_AFS3_SALT;
salt.saltvalue.length = strlen(cell);
salt.saltvalue.data = cell;
- tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS key");
+ tokey(context, ETYPE_DES_CBC_MD5, password, salt, "AFS");
}
return 0;
}
diff --git a/crypto/heimdal/kdc/v4_dump.c b/crypto/heimdal/kdc/v4_dump.c
index dc0a8f2..ddf8222 100644
--- a/crypto/heimdal/kdc/v4_dump.c
+++ b/crypto/heimdal/kdc/v4_dump.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2000 Kungliga Tekniska Högskolan
+ * Copyright (c) 2000 - 2001, 2003 Kungliga Tekniska Högskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
@@ -33,7 +33,7 @@
#include "hprop.h"
-RCSID("$Id: v4_dump.c,v 1.4 2001/01/26 15:55:07 joda Exp $");
+RCSID("$Id: v4_dump.c,v 1.4.8.1 2003/04/28 12:24:54 lha Exp $");
static time_t
time_parse(const char *cp)
@@ -103,7 +103,7 @@ v4_prop_dump(void *arg, const char *file)
memset(&pr, 0, sizeof(pr));
errno = 0;
lineno++;
- ret = sscanf(buf, "%s %s %d %d %d %d %lx %lx %s %s %s %s",
+ ret = sscanf(buf, "%63s %63s %d %d %d %d %lx %lx %63s %63s %63s %63s",
pr.name, pr.instance,
&pr.max_life, &pr.mkvno, &pr.kvno,
&attributes,
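Review bot: The `%63s` widths are the right fix for unbounded `%s` into fixed buffers, but they now encode an assumption that each of pr.name, pr.instance and the four trailing string fields is at least 64 bytes; the struct definition is outside this file section, so that should be confirmed, and a comment such as `/* %63s: field width must stay one less than the size of the pr string fields */` would tie the constant to the buffers. Deriving the format from the field sizes at compile time is safer than a literal that can silently drift from the struct. Whether `ret` is compared against the full field count before `pr` is used is not visible here; v4_prop_dump continues outside the hunk.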